It seems that my rule using "Received" instead of "From" did the trick, the rule is working now.

Thanks!

Regards,

Sergio

On Tue, Jul 8, 2014 at 10:43 PM, Sergio <sec...@gmail.com> wrote:

> Hi all,
>
> It has been a long time since I bothered you with my doubts. Sorry if this
> has been posted before; your help is appreciated.
>
> I have been hammered with a lot of spam that comes like this in the From:
>
> Example list:
> bounces+974322-5ea9-user=domain....@sendgrid.info
> harprefinancelender-user=domain....@formmobily.com
> fldelitylife-user=domain....@bajarvideos.net
> whoswho-user=domain....@bayangpinoy.com
> garanciacambogia-user=domain....@mymedcases.com
> oceansbounty-user=domain....@myivr.com
> amazoncoupons-user=domain....@lastawhdak.com
>
> These are the headers from amazoncoupons-user=domain....@lastawhdak.com:
>
> Message Headers:
> Received: from tech.lastawhdak.com ([23.254.130.183]:5780)
>     by server.domain.com with esmtp (Exim 4.82)
>     (envelope-from <AmazonCoupons-user=domain....@lastawhdak.com>)
>     id 1X4VcB-004Aw1-EW
>     for u...@domain.com; Tue, 08 Jul 2014 08:39:23 -0500
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=LASTAWHDAK.COM;
>     h=Mime-Version:Content-Type:Message-Id:Date:From:To:Subject;
>     i=amazoncoup...@lastawhdak.com;
>     bh=VixSKqSnPl10ughWH0h+w7BHHVg=;
>     b=fSr1ulVa9jHHrl9uO6cwHVfcn/7XO1trKlZqYwyWjhB0QF19t7mkqx8GeF9j6eA6N7gAqTL+EyXA
>     5ZIEPBli4fsSqced4ZwhNnc3SCFzGk+V6dqZCbVYsfUcO9hxFybv/YsHq00aiU7tbxbagvX96c/W
>     B7/2YgktkeAXy/D6aos=
> Received: by tech.LASTAWHDAK.COM id hnfq3o0001gp for <u...@domain.com>;
>     Tue, 8 Jul 2014 13:18:07 +0000
>     (envelope-from <AmazonCoupons-user=domain....@lastawhdak.com>)
> Mime-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="becf-9486-0840-97dd-1672-cc2d-bab3-5594"
> Message-Id: <49553babd2cc2761dd7904806849fceb.10158442971ce...@lastawhdak.com>
> Date: Tue, 8 Jul 2014 13:18:07 +0000
> *From: *Amazon Coupons <amazoncoup...@lastawhdak.com>
> To: u...@domain.comt
> Subject: =?utf-8?B?Q29uZ3JhdHVsYXRpb25zIG9uIHlvdXIgQW1hem9uIFN1cnZleSBSZXdhcmQ=?=
>
> *From:*amazoncoupons-user=domain....@lastawhdak.com
>
> I have created the following rule, because I thought that I could block
> any "From" that includes a domain name with the extensions .com or .net or
> .org or .biz before @
>
> header BLACKLIST_REGEX From:address =~ /\=.*\.(com|net|org|biz)\@/i
> score BLACKLIST_REGEX 5
>
> But it is not working; the rule is not catching any of the "From" from the
> above example list.
>
> I have also tried this, but with no luck:
>
> header BLACKLIST_REGEX From =~ /\=.*\.(com|net|org|biz)\@/i
> score BLACKLIST_REGEX 5
>
> So, my question is: do I have to go and check the "Received" instead?
> Something like:
>
> header BLACKLIST_REGEX Received =~ /\\=.*.(com|net|org|biz)\@/i
> score BLACKLIST_REGEX 5
>
> Or if you have a better way of doing this, your advice is appreciated.
>
> Best Regards,
>
> Sergio
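
Added example, not part of the original thread: a small Python check that runs the pattern from the post against a message shaped like the quoted one, showing that the "user=domain" string sits in the envelope sender recorded in Received, not in the From header. All addresses, hosts and the queue id in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Pattern taken from the rule in the post; it behaves the same in Python's re.
RULE = re.compile(r"\=.*\.(com|net|org|biz)\@", re.I)
ENVELOPE = re.compile(r"envelope-from <([^>]+)>", re.I)

# Constructed sample with the same header layout as the quoted message.
SAMPLE = """\
Received: from tech.bulk.example ([192.0.2.10]:5780)
\tby server.example.com with esmtp (Exim 4.82)
\t(envelope-from <Promo-user=example.com@bulk.example>)
\tid 1X0000-000000-AA
\tfor user@example.com; Tue, 08 Jul 2014 08:39:23 -0500
From: Promo Coupons <promo@bulk.example>
To: user@example.com
Subject: constructed sample

body
"""

def received_headers(raw):
    """Return every Received header with folded lines joined by one space."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]

def envelope_sender(raw):
    """First envelope-from address recorded by the receiving MTA, or None."""
    for header in received_headers(raw):
        found = ENVELOPE.search(header)
        if found:
            return found.group(1)
    return None

def rule_hits(raw):
    """Report which header view the pattern matches."""
    from_header = message_from_string(raw).get("From", "")
    return {
        "from_header": bool(RULE.search(from_header)),
        "from_address": bool(RULE.search(parseaddr(from_header)[1])),
        "received": any(RULE.search(h) for h in received_headers(raw)),
    }

if __name__ == "__main__":
    print(envelope_sender(SAMPLE))
    print(rule_hits(SAMPLE))
```

Legitimate bulk senders also encode the recipient into the envelope sender this way (the sendgrid.info bounce address in the list above has the same shape), so a match on this pattern alone is worth checking against known-good mail before scoring it at 5.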