On Sat, 19 Nov 2011, Sergio wrote:

this is one header of the emails that I received:

*******************************
Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
    by MY-SERVER with smtp (Exim 4.69)
    (envelope-from <plaintiveo...@dhl-usa.com>)
    id 1RQNQZ-0002Q1-QD
    for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600
Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
    by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MMQJ8-3051eb-TY
    for <my-u...@domain.com>; Tue, 15 Nov 2011 19:08:13 +0100
Message-ID: <1232210117.3q65wy5i448...@azbvbczcdgxeoq.mqfphqgytobofv.com>
From: UPS Support <auto-not...@ups.com>
To: <pa...@macred.com>
Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5
Date: Tue, 15 Nov 2011 19:08:13 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01CCA3C9.EBFEF390"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
*******************************

Your rules:

        header   __VIRUS_DHL1        FROM =~ /dhl-usa.com/i
        header   __VIRUS_DHL2        ALL =~ /CommuniGate Pro SMTP 5.2.3/i

__VIRUS_DHL1 won't hit on this, it's from UPS.COM. Perhaps:

        header   __VIRUS_DHL1        FROM =~ /\b(?:dhl-usa|ups)\.com/i

No "CommuniGate Pro", so _that_ won't hit on this.

I note that the envelope-from _is_ dhl-usa.com. Are DHL and UPS affiliated? If not, and if that appears regularly, then perhaps this (off the top of my head, untested) would help:

  header  __ENV_FROM_DHL  Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
  header  __FROM_DHL      From =~ /\bdhl[^ .]+\.com/i

  header  __ENV_FROM_UPS  Received =~ /envelope-from [^ @]+@ups\.com/i
  header  __FROM_UPS      From =~ /\bups\.com/i

  meta    DHL_UPS_MISMATCH  (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Microsoft is not a standards body.
-----------------------------------------------------------------------
 346 days since the first successful private orbital launch (SpaceX)
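The envelope-from/From mismatch check proposed in the reply, as an added Python example that is not part of the thread: it transcribes the four sub-rules and the meta rule into Python regexes and runs them over a constructed header block modelled on the one quoted above (the local parts and recipient are placeholders, not the elided originals).

```python
import email
import re
from email import policy

# Constructed sample, modelled on the headers quoted in the thread; the local
# parts and the recipient are placeholders, not the original (elided) addresses.
SAMPLE_HEADERS = """\
Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90])
    by MY-SERVER with smtp (Exim 4.69)
    (envelope-from <sender@dhl-usa.com>)
    for recipient@example.com; Tue, 15 Nov 2011 12:08:15 -0600
Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua)
    by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69)
    (envelope-from )
    for <recipient@example.com>; Tue, 15 Nov 2011 19:08:13 +0100
From: UPS Support <notify@ups.com>
Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5

"""

# The four sub-rules from the reply, transcribed as Python regexes (re.I = /i).
ENV_FROM_DHL = re.compile(r"envelope-from [^ @]+@dhl[^ .]+\.com", re.I)
FROM_DHL = re.compile(r"\bdhl[^ .]+\.com", re.I)
ENV_FROM_UPS = re.compile(r"envelope-from [^ @]+@ups\.com", re.I)
FROM_UPS = re.compile(r"\bups\.com", re.I)


def dhl_ups_mismatch(raw_headers: str) -> dict:
    """Evaluate the DHL_UPS_MISMATCH meta rule; 'hit' carries the meta result."""
    msg = email.message_from_string(raw_headers, policy=policy.compat32)
    # A SpamAssassin 'header ... Received =~' rule sees every Received header,
    # so join all hops and let one search cover them, as the rule would.
    received = "\n".join(msg.get_all("Received", []))
    from_hdr = msg.get("From", "")
    env_dhl = bool(ENV_FROM_DHL.search(received))
    from_dhl = bool(FROM_DHL.search(from_hdr))
    env_ups = bool(ENV_FROM_UPS.search(received))
    from_ups = bool(FROM_UPS.search(from_hdr))
    return {
        "__ENV_FROM_DHL": env_dhl,
        "__FROM_DHL": from_dhl,
        "__ENV_FROM_UPS": env_ups,
        "__FROM_UPS": from_ups,
        "hit": (env_dhl and from_ups) or (env_ups and from_dhl),
    }
```

On the sample the first hop's envelope-from is dhl-usa.com while From is ups.com, so the meta rule fires; note that `dhl[^ .]+\.com` needs at least one character after `dhl`, so a bare `dhl.com` sender would not trip the DHL sub-rules as written.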
