Hi I have several spam messages that look like bounced messages only I never sent the message it's bouncing.
In the body of the message there's a line that looks like: From: "optometric" <[EMAIL PROTECTED]> I'd like to write a rule that looks for this but I can't figure it out. Here's what the rule should catch: "From: " NOT followed by "Bram Mertens " or "Mertens Bram " followed by "<[EMAIL PROTECTED]>" Here's what I've got so far: this rule catches the above: body M8RAM_FAKE_BOUNCE /from\:\s\"optometric\"\s<[EMAIL PROTECTED]>/i These don't work: body M8RAM_FAKE_BOUNCE /From\:\s(?:(?:Bram\sMertens\s)|(?:Mertens\sBram\s))<[EMAIL PROTECTED]>/i body M8RAM_FAKE_BOUNCE /from\:\s(?!(?:Bram\sMertens\s)|(?:Mertens\sBram\s))<[EMAIL PROTECTED]>/i body M8RAM_FAKE_BOUNCE /from\:\s(?<!(?:Bram\sMertens\s)|(?:Mertens\sBram\s))<[EMAIL PROTECTED]>/i body M8RAM_FAKE_BOUNCE /from\:\s(^(?:Bram\sMertens\s)|(?:Mertens\sBram\s))<[EMAIL PROTECTED]>/i body M8RAM_FAKE_BOUNCE /from\:\s[^(?:Bram\sMertens\s)|(?:Mertens\sBram\s)]<[EMAIL PROTECTED]>/i this partly works: body M8RAM_FAKE_BOUNCE /from\:\s(?!(?:Bram\sMertens\s)|(?:Mertens\sBram\s)<[EMAIL PROTECTED]>)/i Only this look for "From: " NOT followed by "Bram Mertens <[EMAIL PROTECTED]>" or "Mertens Bram <[EMAIL PROTECTED]>" Can anybody explain how to achieve this? TIA -- # Mertens Bram "M8ram" <[EMAIL PROTECTED]> Linux User #349737 # # SuSE Linux 8.2 (i586) kernel 2.4.20-4GB i686 256MB RAM # # 7:52pm up 7 days 23:28, 8 users, load average: 0.31, 0.36, 0.29 #
