Richard Ozer wrote:
> Greetings,
>
> We've been getting quite a bit of spam with the following header:
>
> Message-ID: <[EMAIL PROTECTED]>
> From: David Samuels <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: New Job! -2UigK
> Date: Wed, 15 Oct 2008 13:16:03 +0000
>
> I've been trying to write a rule that looks at the From: line in the header.
> I've tried the following with no success...
>
> header DAVID_SAMUELS From =~ /David Samuels/
> describe DAVID_SAMUELS From: Contains David Samuels
> score DAVID_SAMUELS 10
>
> What am I missing here...

When used alone like that "from" is a bit magic in SA. SA pre-processes the "from" header (and actually mixes in other "from" like headers, such as Return-Path, X-Sender, etc) and IIRC it only reports email address portions to the rules.

Try this instead:

header DAVID_SAMUELS From:name =~ /David Samuels/
describe DAVID_SAMUELS From: Contains David Samuels
score DAVID_SAMUELS 10

The :name specifier should extract the name part, and only the name part, of the From: header.
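
An added example, not part of the original thread and not SpamAssassin's own code: a small Python model of how a `header` rule with the `:name` or `:addr` modifier selects the text its regex is tested against. It assumes Python's `email.utils.parseaddr` as a stand-in for SpamAssassin's address parser; the sample messages and the `example.invalid` addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; addresses are placeholders, not from the thread.
SAMPLE = (
    "From: David Samuels <sender@example.invalid>\n"
    "To: <rcpt@example.invalid>\n"
    "Subject: New Job! -2UigK\n"
    "\n"
    "body\n"
)
QUOTED = SAMPLE.replace("David Samuels <", '"David Samuels" <')

# header RULE_NAME Header:modifier =~ /regex/[i]
# This model only handles rules that carry a :name or :addr modifier.
RULE_RE = re.compile(r"^header\s+(\w+)\s+([\w-]+):(\w+)\s+=~\s+/(.*)/(i?)\s*$")


def header_part(raw_message, header, modifier):
    """Return the part of an address header that the modifier selects."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get(header, ""))
    if modifier == "name":
        return display      # display name, surrounding quotes removed
    if modifier == "addr":
        return addr         # bare address, no angle brackets
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_hits(rule_line, raw_message):
    """Evaluate one 'header NAME Header:mod =~ /re/' line against a message."""
    m = RULE_RE.match(rule_line.strip())
    if not m:
        raise ValueError("not a header rule with a modifier")
    _name, header, modifier, pattern, flag = m.groups()
    value = header_part(raw_message, header, modifier)
    return re.search(pattern, value, re.I if flag else 0) is not None


if __name__ == "__main__":
    for rule in ("header DAVID_SAMUELS From:name =~ /David Samuels/",
                 "header DAVID_ADDR From:addr =~ /David Samuels/"):
        print(rule, "->", rule_hits(rule, SAMPLE))
```

Because `:name` yields only the display name, the pattern can be anchored (`/^David Samuels$/`) to avoid hitting longer names that merely contain the string.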