Thanks John, that was exactly the feedback I was requesting. Yes, that is my MTA's header and I'll add the qualification you suggest. I was assuming (oops, shouldn't do that) that "Received =~" meant the first, non-local Received line. Evidently (from your comment about forgeries), SA uses ALL received headers for these checks.

Dan

-----Original Message-----
From: John D. Hardin [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 08, 2007 3:52 PM
To: Dan Barker
Cc: users@spamassassin.apache.org
Subject: RE: Blackberry email

On Thu, 8 Feb 2007, Dan Barker wrote:

> How's this? Too loose?
>
> header CRACKBERRY Received =~ /blackberry.com\b/i

  /\.blackberry\.com\b/i

It'll trust forgeries, though.

> Example header:
>
> Received: from smtp01.bis.na.blackberry.com [216.9.248.48] by
> mail.visioncomm.net with ESMTP (SMTPD32-13.5) id AC3534020148; Thu, 08 Feb
> 2007 10:05:25 -0500

Better would be to only consider the one *your* MTA adds:

  /\sfrom \S{1,30}\.blackberry\.com\s\S+\sby mail\.visioncomm\.net\s/i

(assuming the header above is indeed the one your MTA added...)

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Gun control is marketed to the public with the idea that violent
 criminals will obey the law. This is an appealing delusion.
-----------------------------------------------------------------------
 4 days until Abraham Lincoln's and Charles Darwin's 198th Birthdays
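
The three patterns from the thread, compared over every Received header of a message. This is an added example, not code from either poster or from SpamAssassin. It models the match with Python's `re` over unfolded raw header lines; the helper names and all sample headers except the one quoted in the thread are constructed for illustration.

```python
import re

# Patterns from the thread; Perl's /.../i maps to re.IGNORECASE.
ORIGINAL = re.compile(r"blackberry.com\b", re.I)      # first proposal
ESCAPED = re.compile(r"\.blackberry\.com\b", re.I)    # dots escaped
ANCHORED = re.compile(                                # tied to the local MTA
    r"\sfrom \S{1,30}\.blackberry\.com\s\S+\sby mail\.visioncomm\.net\s", re.I)

def received_headers(raw_headers):
    """Unfold continuation lines, then return every Received header line."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [line for line in unfolded.splitlines()
            if line.lower().startswith("received:")]

def rule_fires(pattern, raw_headers):
    """True if ANY Received header matches, since all of them are checked."""
    return any(pattern.search(h) for h in received_headers(raw_headers))

# The header quoted in the thread, as added by the receiving MTA.
GENUINE = (
    "Received: from smtp01.bis.na.blackberry.com [216.9.248.48] by\n"
    " mail.visioncomm.net with ESMTP (SMTPD32-13.5) id AC3534020148;\n"
    " Thu, 08 Feb 2007 10:05:25 -0500\n"
)
# Constructed: the local MTA's real header on top, with a sender-supplied
# Received line underneath that merely claims a blackberry.com hop.
FORGED = (
    "Received: from host.example.org [192.0.2.7] by\n"
    " mail.visioncomm.net with ESMTP (SMTPD32-13.5) id CONSTRUCTED01;\n"
    " Thu, 08 Feb 2007 11:00:00 -0500\n"
    "Received: from smtp99.blackberry.com [192.0.2.99] by\n"
    " relay.example.org with SMTP; Thu, 08 Feb 2007 10:59:00 -0500\n"
)
# Constructed: a lookalike domain, delivered directly to the local MTA.
LOOKALIKE = (
    "Received: from mx.notblackberry.com [192.0.2.8] by\n"
    " mail.visioncomm.net with ESMTP (SMTPD32-13.5) id CONSTRUCTED02;\n"
    " Thu, 08 Feb 2007 11:05:00 -0500\n"
)

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("forged", FORGED),
                      ("lookalike", LOOKALIKE)):
        hits = [n for n, p in (("original", ORIGINAL), ("escaped", ESCAPED),
                               ("anchored", ANCHORED)) if rule_fires(p, msg)]
        print(f"{name:10s} matched by: {', '.join(hits) or 'none'}")
```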