On 11/7/2013 10:40 AM, emailitis.com wrote:
I am getting lots of Spam which shows on the maillog as:
Nov 7 10:50:39 plesk3 qmail-scanner-queue.pl: qmail-scanner[6974]: Clear:RC:0(217.92.121.114):SA:1(5.9/5.0): 9.209114 16127 fr...@aexp.com
Or
Nov 7 10:15:36 plesk3 spamdyke[26254]: ALLOWED from: administrator+98453-927...@dcbltd.exvm.com to: u...@domain.com origin_ip: 193.133.125.41 origin_rdns: mta18.evmailer.com auth: (unknown) encryption: (none) reason: 250_ok_1383819336_qp_26270
I want to write some custom rules that can capture part of this
(because on the actual emails, the sender often purports to be from
someone totally different). Will the following work in my
custom_rules.cf?:
header AEXP_ALL ALL =~ /aexp\.com/i
score AEXP_ALL 4
header EXVM_ALL ALL =~ /exvm\.com/i
score EXVM_ALL 4
That will work, but you should watch for false positives. I would
suggest anchoring it a bit as a first step.
header AEXP_ALL ALL =~ /\baexp\.com\b/i
This will catch any emails that have the string "aexp.com" anywhere in
the header. The "\b" represents a word boundary so that "u...@aexp.com"
or "blah.aexp.com" will match, but "naexp.com" will not.
--
Bowie
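To make the word-boundary point concrete, here is a small Python harness that is not part of the thread and not SpamAssassin's own engine: it parses the `header`/`score` lines above in a simplified way (no header unfolding, only the `i` flag, `ALL` treated as the raw header block) and runs three rule sets over constructed header blocks modelled on the two log lines. The naive and anchored sets are the ones quoted in the thread; the third set, which matches only `Return-Path`, is my own suggestion and an assumption about where these domains actually appear, not something Bowie proposed. All message headers and addresses are made up.

```python
import re

# Constructed, simplified evaluator for SpamAssassin-style rules of the form
#   header RULE  HEADER =~ /regex/flags
#   score  RULE  N
# NOT SpamAssassin's engine: no header unfolding, no other rule types, only the
# "i" flag, and the "ALL" pseudo-header is treated as the raw header block.

RULES_NAIVE = r"""
header AEXP_ALL ALL =~ /aexp\.com/i
score AEXP_ALL 4
header EXVM_ALL ALL =~ /exvm\.com/i
score EXVM_ALL 4
"""

# Bowie's suggestion: \b on both sides so only the whole label "aexp.com" matches.
RULES_ANCHORED = r"""
header AEXP_ALL ALL =~ /\baexp\.com\b/i
score AEXP_ALL 4
header EXVM_ALL ALL =~ /\bexvm\.com\b/i
score EXVM_ALL 4
"""

# Further tightening (my assumption, not from the thread): match only the
# envelope sender recorded in Return-Path instead of every header line.
RULES_RETURN_PATH = r"""
header AEXP_RPATH Return-Path =~ /\baexp\.com\b/i
score AEXP_RPATH 4
header EXVM_RPATH Return-Path =~ /\bexvm\.com\b/i
score EXVM_RPATH 4
"""

HEADER_RULE = re.compile(r'^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)\s*$')
SCORE_RULE = re.compile(r'^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$')


def parse_rules(text):
    """Parse 'header' and 'score' lines into {name: {'target', 'regex', 'score'}}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RULE.match(line)
        if m:
            name, target, pattern, flags = m.groups()
            entry = rules.setdefault(name, {'score': 1.0})  # SA default with no score line
            entry['target'] = target
            entry['regex'] = re.compile(pattern, re.I if 'i' in flags else 0)
            continue
        m = SCORE_RULE.match(line)
        if m:
            rules.setdefault(m.group(1), {})['score'] = float(m.group(2))
    return rules


def header_text(headers, target):
    """Text a rule is matched against: ALL = whole header block, else that header's values."""
    if target == 'ALL':
        return headers
    prefix = target.lower() + ':'
    values = [ln.split(':', 1)[1].strip() for ln in headers.splitlines()
              if ln.lower().startswith(prefix)]
    return '\n'.join(values)


def score_message(rules, headers):
    """Return ({rule: score, ...}, total) for the rules that hit this header block."""
    hits = {name: r['score'] for name, r in rules.items()
            if 'regex' in r and r['regex'].search(header_text(headers, r['target']))}
    return hits, sum(hits.values())


# Constructed header blocks, loosely modelled on the two log lines in the thread.
SPAM_AEXP = "\n".join([
    "Return-Path: <alerts@aexp.com>",
    "Received: from mta.example.net (203.0.113.7)",
    'From: "Card Services" <service@example.org>',  # purports to be someone else
    "Subject: Action required on your account",
])
SPAM_EXVM = "\n".join([
    "Return-Path: <administrator+98453@dcbltd.exvm.com>",
    "Received: from mta18.evmailer.com (193.133.125.41)",
    "From: newsletter@example.org",
    "Subject: Weekly offers",
])
HAM_NAEXP = "\n".join([      # unrelated domain containing "aexp.com" as a substring
    "Return-Path: <news@naexp.com>",
    "From: news@naexp.com",
    "Subject: Hello",
])
HAM_MENTION = "\n".join([    # legitimate correspondent merely mentioning the domain
    "Return-Path: <alice@example.com>",
    "From: alice@example.com",
    "Subject: Re: is the aexp.com notice genuine?",
])
SPAM_SUBDOMAIN = "\n".join([
    "Return-Path: <bounce@mail.aexp.com>",  # \b sits between "." and "a", so it matches
    "Subject: Statement",
])


def compare(headers):
    """Total score under each of the three rule sets."""
    return {
        'naive': score_message(parse_rules(RULES_NAIVE), headers)[1],
        'anchored': score_message(parse_rules(RULES_ANCHORED), headers)[1],
        'return_path': score_message(parse_rules(RULES_RETURN_PATH), headers)[1],
    }


if __name__ == '__main__':
    for label, hdrs in [('SPAM_AEXP', SPAM_AEXP), ('SPAM_EXVM', SPAM_EXVM),
                        ('HAM_NAEXP', HAM_NAEXP), ('HAM_MENTION', HAM_MENTION),
                        ('SPAM_SUBDOMAIN', SPAM_SUBDOMAIN)]:
        print(label, compare(hdrs))
```

Running it shows the two things the reply is getting at: the unanchored rule scores `naexp.com` as if it were `aexp.com`, while `\b` does not, and `\b` still lets `mail.aexp.com` through as intended. It also shows the remaining false-positive risk of matching against `ALL`: a genuine message whose Subject merely mentions aexp.com still scores 4 under the anchored rule, and only the Return-Path variant leaves it alone.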