On Mon, 2020-08-24 at 11:51 -0700, John Hardin wrote:
> Might want some \b in there, just to be safe. The from check would
> also hit domains like "amazon-river.org". Perhaps:
>
>    header SUBRULE13a From:name =~ /\bAmazon\b/
>    header SUBRULE13b From:addr =~ /\bamazon\.com$/

Indeed

> >    meta SUBRULE13 (SUBRULE13a != SUBRULE13b)
>
> That seems too broad, you're assuming mail from amazon.com always has
> "amazon" in the sender name. Perhaps:
>
>    meta SUBRULE13 SUBRULE13a && !SUBRULE13b

Also true.

What I *thought* I was doing was:

* firstly, to show the OP how to write a rule that examined a From header and would only fire if there was a match on the name part and no match on the address part - a very common spam feature (as is the From Address not containing the same domain as the Message-ID).

* to give some guidance that testing is essential (i.e. keep some known spam to be looked at when writing the rules and for testing the new rules) AND to remind the OP that the significant parts of name and address strings may differ, should be copied from known spam, and may need further tweaks as the rules are tested

* trying to explain that this type of rule cannot and will only work reliably if it's written against a single spamming domain.

Martin
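
Added example, not part of the thread and not SpamAssassin code: a Python model of the two subrules and both meta expressions discussed above, run over constructed From headers. `parseaddr` stands in for SpamAssassin's `From:name` / `From:addr`, and `LOOSE_ADDR_RE` is an assumed unanchored pattern included only for comparison.

```python
import re
from email.utils import parseaddr

# Patterns quoted in the thread (SUBRULE13a / SUBRULE13b).
NAME_RE = re.compile(r"\bAmazon\b")
ADDR_RE = re.compile(r"\bamazon\.com$")
# Assumption: an unanchored address pattern, for comparison only.
LOOSE_ADDR_RE = re.compile(r"amazon")

# Constructed From headers (not taken from real mail).
SAMPLES = {
    "name_only": '"Amazon Support" <billing@mailer.example>',
    "name_and_addr": "Amazon <order-update@amazon.com>",
    "addr_only": "Order Updates <auto-confirm@amazon.com>",
    "other_domain": "Amazon <service@amazon-river.org>",
    "neither": "Alice <alice@mailer.example>",
}


def evaluate(from_header, addr_re=ADDR_RE):
    """Return both subrule hits and both meta expressions for one header."""
    name, addr = parseaddr(from_header)  # stand-in for From:name / From:addr
    a = bool(NAME_RE.search(name))
    b = bool(addr_re.search(addr))
    return {"a": a, "b": b, "neq": a != b, "and_not": a and not b}


def table(addr_re=ADDR_RE):
    """Evaluate every constructed sample with the given address pattern."""
    return {label: evaluate(hdr, addr_re) for label, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for title, addr_re in (("anchored", ADDR_RE), ("loose", LOOSE_ADDR_RE)):
        print(f"-- address pattern: {title}")
        for label, r in table(addr_re).items():
            print(f"{label:14} a={r['a']!s:5} b={r['b']!s:5} "
                  f"(a != b)={r['neq']!s:5} (a && !b)={r['and_not']}")
```

The `addr_only` row is the case the quoted reply describes: `!=` fires on mail from amazon.com whose display name lacks "Amazon", while `&& !` does not.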