I wonder if it might not be more effective to check the received from header for paypal.com instead of the message-id. My thought there is, although this rule holds true for paypal, it does not for ebay. Whereas matching the domain in both the from and received from fields you should always have the valid smtp address for the domain.

Basically, SA's version of emailer ID. Which can be incorporated into any domain. Would be nice if you could make variables to discover the from domain and pass that to a check to received from line, would make one rule universal for all domains. Then you could assign a couple of pts for domain spoofing.

james

-----Original Message-----
From: Dan Bullock [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Custom Rule Help

James Nelson wrote:

>Greetings,
> I am trying to create a custom rule that will take away x pts if an
>email is sent from a particular domain. Can someone please let me know if
>this is correct syntax? If not, please correct me.
>
>describe DOMAIN_CHECK Mail from a particular domain
>header DOMAIN_CHECK From =~ /[EMAIL PROTECTED]/i
>score DOMAIN_CHECK -2.0
>
>james
>
>

Someone else on the list helped me with an identical rule. This should get you what you are looking for. It will subtract points if the mail is from the domain and the message is delivered by an MTA of the same domain. Change the message-id to the correct domain name if it isn't the same domain name as the email address.

Dan

## PAYPAL
header ONLY_PAYPAL_FROM From =~ /paypal\.com\b/i
describe ONLY_PAYPAL_FROM FROM AN PAYPAL ADDRESS
#
header MSGID_FROM_MTA_PAYPAL Message-Id =~ /<[EMAIL PROTECTED]>/i
describe MSGID_FROM_MTA_PAYPAL Message-Id was added by an paypal.com relay
#
meta VALID_PAYPAL_EMAIL (ONLY_PAYPAL_FROM && MSGID_FROM_MTA_PAYPAL )
describe VALID_PAYPAL_EMAIL Valid address and matching sender
score VALID_PAYPAL_EMAIL -10.0

In my rules I've actually added a score for the from address, so the score will remain increased if the FROM is PAYPAL but the message-id is not (possible phishing). In this case the score is +5; otherwise the ruleset adds (5)+(-10)=(-5).

## PAYPAL
header ONLY_PAYPAL_FROM From =~ /paypal\.com\b/i
describe ONLY_PAYPAL_FROM FROM AN PAYPAL ADDRESS
score ONLY_PAYPAL_FROM 5.0
#
header MSGID_FROM_MTA_PAYPAL Message-Id =~ /<[EMAIL PROTECTED]>/i
describe MSGID_FROM_MTA_PAYPAL Message-Id was added by an paypal.com relay
#
meta VALID_PAYPAL_EMAIL (ONLY_PAYPAL_FROM && MSGID_FROM_MTA_PAYPAL )
describe VALID_PAYPAL_EMAIL Valid address and matching sender
score VALID_PAYPAL_EMAIL -10.0
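
The universal check proposed at the top of this thread (take the From domain and compare it with the relay named in the Received line), as an added Python example that is not part of the original messages and is not SpamAssassin code. It assumes Postfix-style Received fields, uses example.com and constructed sample messages in place of a real protected domain, and all function names are illustrative. It reads only the newest Received header, because that one is written by the receiving server while older Received headers and the Message-Id are supplied by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed Postfix-style trace field: "from HELO (rdns.name [ip]) by ..."
RELAY_RE = re.compile(r"from\s+\S+\s+\(([^\s\[\]()]+)\s+\[[^\]]+\]\)")

def from_domain(msg):
    """Lower-cased domain of the From: address, '' if missing."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def relay_host(msg):
    """rDNS name our own MTA logged for the connecting host.

    Only the newest (first) Received header is written by the receiving
    server; older ones and Message-Id are supplied by the sender.
    """
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = RELAY_RE.search(" ".join(received[0].split()))
    return m.group(1).lower().rstrip(".") if m else ""

def within(domain, host):
    """True if host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))

def score(raw, protected, from_pts=5.0, match_pts=-10.0):
    """Scores from the thread: +5 for a protected From, -10 if the relay matches."""
    msg = message_from_string(raw)
    sender = from_domain(msg)
    base = next((d for d in protected if within(d, sender)), None)
    if base is None:
        return 0.0
    return from_pts + (match_pts if within(base, relay_host(msg)) else 0.0)

# Constructed sample messages (example.com stands in for the protected domain).
GENUINE = ("Received: from mx1.example.com (mx1.example.com [192.0.2.10]) by mail.recipient.test (Postfix); Tue, 2 Mar 2004 13:05:00 -0500\n"
           "From: Service <service@example.com>\nMessage-Id: <1@example.com>\n\nbody\n")
SPOOFED = ("Received: from example.com (dsl-44.isp.invalid [203.0.113.44]) by mail.recipient.test (Postfix); Tue, 2 Mar 2004 13:06:00 -0500\n"
           "Received: from mx1.example.com (mx1.example.com [192.0.2.10]) by mx2.example.com; Tue, 2 Mar 2004 13:05:30 -0500\n"
           "From: Service <service@example.com>\nMessage-Id: <2@example.com>\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, score(raw, {"example.com"}))
```

The spoofed sample carries a matching Message-Id, a matching HELO name and a forged older Received header, yet still keeps the +5 because the relay name recorded by the receiving server is outside the From domain.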
