I am getting lots of Spam which shows on the maillog as: Nov 7 10:50:39 plesk3 qmail-scanner-queue.pl: qmail-scanner[6974]: Clear:RC:0(217.92.121.114):SA:1(5.9/5.0): 9.209114 16127 fr...@aexp.com <mailto:fr...@aexp.com>
Or Nov 7 10:15:36 plesk3 spamdyke[26254]: ALLOWED from: administrator+98453-927...@dcbltd.exvm.com to: u...@domain.com origin_ip: 193.133.125.41 origin_rdns: mta18.evmailer.com auth: (unknown) encryption: (none) reason: 250_ok_1383819336_qp_26270 I want to write some custom rules that can capture part of this (because on the actual emails, the sender often purports to be from someone totally different). Will the following work in my custom_rules.cf?: header AEXP_ALL ALL =~ /aexp\.com/i score AEXP_ALL 4 header EXVM_ALL ALL =~ /exvm\.com/i score AEXP_ALL 4 Grateful to the combined brains for advice Kind regards, Christoph
