Robert Müller writes:
> Hi all,
> as I'm facing a rising amount of bounces on my mailserver in the last 2
> months, I tried to use the vbounce ruleset to identify the ones caused
> by UBE faking the sender address.
> This was generally successful, but surprisingly there are a lot of
> UBE-bounces which are not recognized by vbounce.
> After digging a little bit into this (I'm not a SA-expert), it showed
> that the body-rule "__HAVE_BOUNCE_RELAYS" is giving a "1", but often no
> header rule "__BOUNCE*" seems to give a hit.
> One of the most likely rules to be IMHO true is the
> "__BOUNCE_FROM_DAEMON" one, but this one nearly never gives a hit.
> Looking at the regexp in this line, the "+" after the \S seems not to be
> correct from my point of view, I would suggest a "*" here, as it is in
> "__BOUNCE_RPATH_MD".
> So for testing purposes I modified the line
> old:
> header __BOUNCE_FROM_DAEMON From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i
>
> to new:
> header __BOUNCE_FROM_DAEMON From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|<>)/i
>
> and now, also the bounces formerly not recognized are correctly identified.
> Can someone confirm that this is a "typo"? Or have I misunderstood
> something?

yep, you're quite right -- thanks! --j.
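
The quantifier change discussed in this thread, as an added example that is not part of the original messages: it runs the old (`\S+`) and modified (`\S*`) patterns over a few From values using Python's `re` module rather than SpamAssassin itself. The sample addresses and the function names are assumptions made for the illustration.

```python
import re

# Alternation copied from the __BOUNCE_FROM_DAEMON rule quoted in the thread.
NAMES = (r"daemon|deamon|majordomo|postmaster|virus|scanner|devnull|"
         r"automated-response|SMTP.gateway|mailadmin|mailmaster|"
         r"surfcontrol|You_Got_Spammed")

OLD = re.compile(r"(?:(?:" + NAMES + r")\S+\@|<>)", re.I)  # as shipped: \S+
NEW = re.compile(r"(?:(?:" + NAMES + r")\S*\@|<>)", re.I)  # as modified: \S*

# Constructed From header values (not taken from real mail), each paired
# with whether a bounce-sender rule should hit it.
SAMPLES = [
    ("MAILER-DAEMON@mx.example.net", True),
    ('"Mail Delivery System" <postmaster@example.org>', True),
    ("postmaster-bounces@example.org", True),
    ("<>", True),
    ("Majordomo@lists.example.com", True),
    ("alice@example.com", False),
    ("Bob Scanner <bob@example.com>", False),
]


def compare(samples=SAMPLES):
    """Return (header, old_hit, new_hit, expected) for each sample."""
    return [(h, bool(OLD.search(h)), bool(NEW.search(h)), exp)
            for h, exp in samples]


def newly_matched(samples=SAMPLES):
    """Headers the original rule misses and the modified rule catches."""
    return [h for h, old, new, _ in compare(samples) if new and not old]


if __name__ == "__main__":
    # With \S+, at least one character must sit between the keyword and
    # the "@", so a local part that ends in the keyword never matches.
    for h, old, new, exp in compare():
        print(f"old={old!s:5} new={new!s:5} expected={exp!s:5} {h}")
```
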