Hi all, it has been a long time since I bothered you with my doubts. Sorry if this has been posted before; your help is appreciated.
I have been hammered with a lot of spam that comes like this in the From:

Example list:

    bounces+974322-5ea9-user=domain....@sendgrid.info
    harprefinancelender-user=domain....@formmobily.com
    fldelitylife-user=domain....@bajarvideos.net
    whoswho-user=domain....@bayangpinoy.com
    garanciacambogia-user=domain....@mymedcases.com
    oceansbounty-user=domain....@myivr.com
    amazoncoupons-user=domain....@lastawhdak.com

These are the headers from amazoncoupons-user=domain....@lastawhdak.com:

Message Headers:

    Received: from tech.lastawhdak.com ([23.254.130.183]:5780)
        by server.domain.com with esmtp (Exim 4.82)
        (envelope-from <AmazonCoupons-user=domain....@lastawhdak.com>)
        id 1X4VcB-004Aw1-EW
        for u...@domain.com; Tue, 08 Jul 2014 08:39:23 -0500
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=LASTAWHDAK.COM ;
        h=Mime-Version:Content-Type:Message-Id:Date:From:To:Subject;
        i= amazoncoup...@lastawhdak.com;
        bh=VixSKqSnPl10ughWH0h+w7BHHVg=;
        b=fSr1ulVa9jHHrl9uO6cwHVfcn/7XO1trKlZqYwyWjhB0QF19t7mkqx8GeF9j6eA6N7gAqTL+EyXA
        5ZIEPBli4fsSqced4ZwhNnc3SCFzGk+V6dqZCbVYsfUcO9hxFybv/YsHq00aiU7tbxbagvX96c/W
        B7/2YgktkeAXy/D6aos=
    Received: by tech.LASTAWHDAK.COM id hnfq3o0001gp
        for <u...@domain.com>; Tue, 8 Jul 2014 13:18:07 +0000
        (envelope-from <AmazonCoupons-user= domain....@lastawhdak.com>)
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundary="becf-9486-0840-97dd-1672-cc2d-bab3-5594"
    Message-Id: < 49553babd2cc2761dd7904806849fceb.10158442971ce...@lastawhdak.com>
    Date: Tue, 8 Jul 2014 13:18:07 +0000
    *From: *Amazon Coupons <amazoncoup...@lastawhdak.com>
    To: u...@domain.comt
    Subject: =?utf-8?B?Q29uZ3JhdHVsYXRpb25zIG9uIHlvdXIgQW1hem9uIFN1cnZleSBSZXdhcmQ=?=

    *From:*amazoncoupons-user=domain....@lastawhdak.com

I have created the following rule, because I thought that I could block any "From" that includes a domain name with the extensions .com or .net or .org or .biz before the @:

    header BLACKLIST_REGEX From:address =~ /\=.*\.(com|net|org|biz)\@/i
    score BLACKLIST_REGEX 5

But it is not working; the rule is not catching any of the "From" addresses in the example list above.

I have also tried this, but with no luck:

    header BLACKLIST_REGEX From =~ /\=.*\.(com|net|org|biz)\@/i
    score BLACKLIST_REGEX 5

So, my question is: do I have to go and check the "Received" instead? Something like:

    header BLACKLIST_REGEX Received =~ /\\=.*.(com|net|org|biz)\@/i
    score BLACKLIST_REGEX 5

Or if you have a better way of doing this, your advice is appreciated.

Best Regards,
Sergio
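
An added example, not part of the original post: the patterns from the three rules above, run with Python's `re` as a stand-in for SpamAssassin's Perl regexes, against a constructed message modelled on the posted headers, to show which header values each pattern can see. All addresses and hosts are placeholders, and it assumes (as the truncated headers suggest) that the From: header carries a plain address while the `user=domain` form appears only in the envelope sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the posted headers; every address and host
# here is a placeholder, not a value from the original message.
RAW = (
    "Received: from mail.spammer.example ([192.0.2.10])\n"
    "\tby server.example.org with esmtp\n"
    "\t(envelope-from <AmazonCoupons-user=example.org@spammer.example>)\n"
    "\tfor user@example.org; Tue, 08 Jul 2014 08:39:23 -0500\n"
    "From: Amazon Coupons <amazoncoupons@spammer.example>\n"
    "To: user@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Patterns copied from the rules in the post (re.I mirrors the /i flag).
FROM_RULE = re.compile(r"\=.*\.(com|net|org|biz)\@", re.I)
# In the Received variant, `\\=` asks for a literal backslash before "=".
RECEIVED_RULE = re.compile(r"\\=.*.(com|net|org|biz)\@", re.I)

def evaluate(raw):
    """Report which header values each posted pattern matches."""
    msg = message_from_string(raw)
    from_header = msg["From"]
    from_addr = parseaddr(from_header)[1]
    received = msg["Received"]
    env = re.search(r"envelope-from <([^>]+)>", received)
    envelope_from = env.group(1) if env else ""
    return {
        "from_header": bool(FROM_RULE.search(from_header)),
        "from_addr": bool(FROM_RULE.search(from_addr)),
        "envelope_from": bool(FROM_RULE.search(envelope_from)),
        "received_with_from_rule": bool(FROM_RULE.search(received)),
        "received_with_received_rule": bool(RECEIVED_RULE.search(received)),
    }

if __name__ == "__main__":
    for target, hit in evaluate(RAW).items():
        print(f"{target:28} {'match' if hit else 'no match'}")
```
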