It should be possible using a set of meta rules in a compound statement.
Here is a sample for the AOL problem that some people were having.  I'm
sure the above is nowhere near correct as I suck at regexp.  But this
was pieced together from the stop rules.  But the concept should hold
true.  You will need to create a separate rule for the from ebay email
addresses that gives them a positive number but this would override that
with a bigger negative number if the below case is valid as well.

# From header claims an ebay.com address
header ONLY_BYCM_FROM           From =~ /\bebay\.com\b/i
describe ONLY_BYCM_FROM         FROM AN EBAY USER

# Message-Id has the form added by an ebay.com relay
header MSGID_FROM_MTA_EBAY      Message-Id =~ /<MC\d{1,2}-F{1,2}\w{21,[EMAIL PROTECTED]>/i
describe MSGID_FROM_MTA_EBAY    Message-Id was added by an ebay.com relay

# Both sub-rules must match for the negative score to apply
meta VALID_EBAY_EMAIL          (ONLY_BYCM_FROM && MSGID_FROM_MTA_EBAY)
describe VALID_EBAY_EMAIL      Valid ebay senders
score VALID_EBAY_EMAIL       -20


Gary Wayne Smith




-----Original Message-----
From: Dan Bullock [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 21, 2004 7:30 AM
To: [EMAIL PROTECTED]
Subject: Re: Permitting email only from designated domain server


I suppose I could give anything from an ebay mail server +50 points and 
score anything from an [EMAIL PROTECTED] email address with say 25 points.  I 
think that would have the effect I'm looking for?

Dan

Matthias Fuhrmann wrote:

>On Sat, 21 Feb 2004, Dan Bullock wrote:
>
>>My explanation wasn't very good.  My intent is to be able to score those
>>phishing emails that pretend to be ebay emails and ask for their ebay
>>login etc.
>>
>>All ebay emails should come from an ebay email server. So I want to
>>score any email that claims to be from ebay and does not originate from
>>an ebay email server.
>>
>>Does that explain my intent a bit better?
>
>yes, it does. but SPF (Sender Policy Framework) isn't yet available within
>SA. so i don't have a clue to get those pseudo ebay spammer.
>maybe you can use trusted_network on those ebay mx servers, preventing
>extra points from these DNS blacklist request.
>
>sorry, not much...
>
>regards,
>Matthias
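
Added example (not part of the original thread and not SpamAssassin's own code): a small Python harness that evaluates the compound rule described above over constructed messages, showing the larger negative meta score overriding the positive From-only score. The Message-Id pattern is a constructed placeholder because the archived one is redacted, and the +5 From score is an assumption.

```python
import re
from email import message_from_string

# From test as in the thread's rule, with the dot escaped.
FROM_EBAY = re.compile(r"\bebay\.com\b", re.I)
# The thread's Message-Id pattern is redacted in the archive; this one is a
# constructed placeholder, not eBay's real Message-Id format.
MSGID_EBAY = re.compile(r"<MC\d{1,2}-F\d{1,2}-\w{8,}@relay\.ebay\.example>", re.I)

# -20 is the meta score from the thread; +5 for the From-only rule is assumed.
SCORES = {"FROM_EBAY": 5.0, "VALID_EBAY_EMAIL": -20.0}


def evaluate(raw):
    """Return (rule hits, total score) for one raw message."""
    msg = message_from_string(raw)
    from_hit = bool(FROM_EBAY.search(msg.get("From", "")))
    msgid_hit = bool(MSGID_EBAY.search(msg.get("Message-Id", "")))
    hits = []
    if from_hit:
        hits.append("FROM_EBAY")
    if from_hit and msgid_hit:  # meta rule: both sub-rules must match
        hits.append("VALID_EBAY_EMAIL")
    return hits, sum(SCORES[h] for h in hits)


# Constructed sample messages (addresses and ids are made up).
SAMPLES = {
    "from_and_msgid": (
        "From: Member <member@ebay.com>\n"
        "Message-Id: <MC12-F3-abcdefgh1234@relay.ebay.example>\n"
        "Subject: Item sold\n\nbody\n"
    ),
    "from_only": (
        "From: eBay <support@ebay.com>\n"
        "Message-Id: <20040221.1234@mail.example.net>\n"
        "Subject: Verify your account\n\nbody\n"
    ),
    "msgid_only": (
        "From: Someone <someone@example.org>\n"
        "Message-Id: <MC12-F3-abcdefgh1234@relay.ebay.example>\n"
        "Subject: Hello\n\nbody\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *evaluate(raw))
```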


