> :0 > * "gone.scr" > /var/spool/infectedmail > I tried manually egreping the message (I saw a mention of procmail passing > the recipe string to egrep in the manpage), and the second one matched two > lines, so why doesn't procmail match at least the second rule?
I see three problems with the rule: 1. You need to remove the quotation marks. The actual mail doesn't include the quotation marks (at least not on both sides of the filename), and egrep filters out the quotation marks when it finds a matching pair at the start and end of a regexp. 2. You are egrepping the header. By default, the rules only scan the headers for information (this is a whole lot faster, and most of the time this is what you want). You need to add the 'B' flag to the rule to say 'egrep the body'. 3. In addition to that, you need to prepend the '.' with a '\'. The dot is the 'any' key of regexp which will match anything. The string "gone.scr" will match, but so will the string "goneascr". Try this for a rule: :0 B : * name=gone\.scr" /var/spool/infectedmail Hint: 'man procmailrc' gives lots of tips, 'man procmailex' gives lots of examples. // J
