Thank you and Benny for your help. I put those in place and all looks well. We had one captured this morning but wondered if you can explain in the log below which seems as if it has been deleted, yet then allowed:
Nov 8 10:05:04 plesk3 spamd[11926]: spamd: result: Y 9 - AEXP_ALL,DCC_CHECK,RCVD_IN_HOSTKARMA_BL,UNPARSEABLE_RELAY scantime=0.7,size=18986,user=qscand,uid=10002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47653,mid=<shov1hc5576j48ym3pyut8fb2ak1d...@gateway.gov.local>,autolearn=disabled
Nov 8 10:05:04 plesk3 qmail-scanner-queue.pl: qmail-scanner[18522]: SA:SPAM-DELETED:RC:0(41.215.42.242):SA:1(9.1/5.0): 0.874234 18933 gateway.confirmat...@gateway.gov.uk u...@domain.com Could_not_process_Online_Submission_for_Reference_475/RA1997980 <shov1hc5576j48ym3pyut8fb2ak1d...@gateway.gov.local> Submission_RA1997980.zip:10086
Nov 8 10:05:04 plesk3 spamdyke[18489]: ALLOWED from: gateway.confirmat...@gateway.gov.uk to: u...@domain.com origin_ip: 41.215.42.242 origin_rdns: mail.domain.com auth: (unknown) encryption: (none) reason: 250_ok_1383905104_qp_18522

Kind Regards,
Christoph

From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: 07 November 2013 15:50
To: users@spamassassin.apache.org
Subject: Re: custom rules header check please

On 11/7/2013 10:40 AM, emailitis.com wrote:
I am getting lots of Spam which shows on the maillog as:

Nov 7 10:50:39 plesk3 qmail-scanner-queue.pl: qmail-scanner[6974]: Clear:RC:0(217.92.121.114):SA:1(5.9/5.0): 9.209114 16127 fr...@aexp.com

Or

Nov 7 10:15:36 plesk3 spamdyke[26254]: ALLOWED from: administrator+98453-927...@dcbltd.exvm.com to: u...@domain.com origin_ip: 193.133.125.41 origin_rdns: mta18.evmailer.com auth: (unknown) encryption: (none) reason: 250_ok_1383819336_qp_26270

I want to write some custom rules that can capture part of this (because on the actual emails, the sender often purports to be from someone totally different).
Will the following work in my custom_rules.cf?:

    header AEXP_ALL ALL =~ /aexp\.com/i
    score AEXP_ALL 4
    header EXVM_ALL ALL =~ /exvm\.com/i
    score EXVM_ALL 4

That will work, but you should watch for false positives. I would suggest anchoring it a bit as a first step.

    header AEXP_ALL ALL =~ /\baexp\.com\b/i

This will catch any emails that have the string "aexp.com" anywhere in the header. The "\b" represents a word boundary so that "u...@aexp.com" or "blah.aexp.com" will match, but "naexp.com" will not.

-- 
Bowie
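An added example (mine, not from this thread or from SpamAssassin) that runs the unanchored and the \b-anchored pattern from Bowie's reply, plus a tighter lookahead variant that is my own assumption, over constructed header blocks, so the word-boundary behaviour can be checked before the rule goes into custom_rules.cf:

```python
import re

# SpamAssassin applies "header NAME ALL =~ /.../i" to the whole header block.
# "unanchored" and "anchored" are the two patterns from the thread; "strict" is
# my own tighter variant (an assumption, not from the thread) that refuses a
# further domain label after "aexp.com". Python's re is used only to illustrate
# the behaviour; SpamAssassin compiles these as Perl regexes, which treat \b,
# (?!...) and the i flag the same way for ASCII patterns like these.
RULES = {
    "unanchored": re.compile(r"aexp\.com", re.I),
    "anchored":   re.compile(r"\baexp\.com\b", re.I),
    "strict":     re.compile(r"\baexp\.com(?![\w.-])", re.I),
}

# Constructed header blocks for the demonstration (not real messages).
SAMPLES = {
    "spoofed_from": "From: fraud@aexp.com\nSubject: Account notice\n",
    "subdomain":    "Received: from blah.aexp.com (unknown [192.0.2.10])\n",
    "embedded":     "From: noreply@naexp.com\nSubject: hello\n",
    "lookalike":    "Return-Path: <billing@aexp.com.evil.example>\n",
    "clean":        "From: friend@example.org\nSubject: lunch\n",
}


def matching_rules(headers: str) -> list[str]:
    """Return the names of the rule variants whose regex hits this header block."""
    return [name for name, rx in RULES.items() if rx.search(headers)]


if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:13s} -> {matching_rules(hdrs)}")
```

Note that \b treats the dot after "com" as a boundary, so the anchored rule still fires on aexp.com.evil.example; only the lookahead variant rejects that one.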