Hmmm.... try
body __M8RAM_FAKE_BOUNCE /From\:\s".*"\s*<[EMAIL PROTECTED]>/i
body __M8RAM_FAKE_BOUNCE1 /From\:\s"(?:bram\smertens|mertens,{0,1}\s{0,1}bram)"\s*<[EMAIL PROTECTED]>/i
meta M8RAM_FAKE_BOUNCE2 (__M8RAM_FAKE_BOUNCE && !__M8RAM_FAKE_BOUNCE1)
describe M8RAM_FAKE_BOUNCE2 Spoofed bounce to me
score M8RAM_FAKE_BOUNCE2 0.01
Bram Mertens wrote:
Hi
I have several spam messages that look like bounced messages, only I never sent the message it's bouncing.
In the body of the message there's a line that looks like: From: "optometric" <[EMAIL PROTECTED]>
I'd like to write a rule that looks for this but I can't figure it out. Here's what the rule should catch:
"From: " NOT followed by "Bram Mertens " or "Mertens Bram " followed by
"<[EMAIL PROTECTED]>"
Here's what I've got so far: this rule catches the above:
body M8RAM_FAKE_BOUNCE /from\:\s\"optometric\"\s<[EMAIL PROTECTED]>/i
These don't work:
body M8RAM_FAKE_BOUNCE /From\:\s(?:(?:Bram\sMertens\s)|(?:Mertens\sBram\s))<[EMAIL PROTECTED]>/i
body M8RAM_FAKE_BOUNCE /from\:\s(?!(?:Bram\sMertens\s)|(?:Mertens\sBram\s))<[EMAIL PROTECTED]>/i
body M8RAM_FAKE_BOUNCE /from\:\s(?<!(?:Bram\sMertens\s)|(?:Mertens\sBram\s))<[EMAIL PROTECTED]>/i
body M8RAM_FAKE_BOUNCE /from\:\s(^(?:Bram\sMertens\s)|(?:Mertens\sBram\s))<[EMAIL PROTECTED]>/i
body M8RAM_FAKE_BOUNCE /from\:\s[^(?:Bram\sMertens\s)|(?:Mertens\sBram\s)]<[EMAIL PROTECTED]>/i
This partly works:
body M8RAM_FAKE_BOUNCE /from\:\s(?!(?:Bram\sMertens\s)|(?:Mertens\sBram\s)<[EMAIL PROTECTED]>)/i
Only this looks for "From: " NOT followed by "Bram Mertens <[EMAIL PROTECTED]>" or "Mertens Bram <[EMAIL PROTECTED]>"
Can anybody explain how to achieve this?
TIA
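
Added example, not part of the original thread: a Python harness that runs the two-sub-rule meta logic from the reply next to a single-pattern negative lookahead over constructed bounce bodies, showing where the two agree and where they differ. The address me@example.com, the sample bodies and the function names are assumptions (the real address is redacted on the page); Python's re stands in for SpamAssassin's Perl regex engine.

```python
import re

# Constructed placeholder address; the real one is redacted in the thread.
ADDR = re.escape("me@example.com")
OWN_NAME = r"(?:bram\smertens|mertens,?\s?bram)"

# Counterpart of __M8RAM_FAKE_BOUNCE: any quoted display name before the address.
ANY_FROM = re.compile(r'From:\s".*"\s*<' + ADDR + ">", re.I)
# Counterpart of __M8RAM_FAKE_BOUNCE1: the owner's real display name.
OWN_FROM = re.compile(r'From:\s"' + OWN_NAME + r'"\s*<' + ADDR + ">", re.I)
# Single-pattern variant. The lookahead sits right after the opening quote and
# [^"]* still consumes the name; a lookahead alone consumes nothing, so
# "<addr>" could not follow it directly.
LOOKAHEAD = re.compile(
    r'From:\s"(?!' + OWN_NAME + r'")[^"]*"\s*<' + ADDR + ">", re.I
)


def meta_rule(body):
    """M8RAM_FAKE_BOUNCE2: a From line uses our address and none uses our name."""
    return bool(ANY_FROM.search(body)) and not OWN_FROM.search(body)


def lookahead_rule(body):
    """Fires on any From line with our address and a foreign display name."""
    return bool(LOOKAHEAD.search(body))


# Constructed sample bodies (not real mail).
SAMPLES = {
    "spoofed": 'Delivery failed.\nFrom: "optometric" <me@example.com>\nSubject: hi',
    "genuine": 'Delivery failed.\nFrom: "Bram Mertens" <me@example.com>',
    "genuine_comma": 'Delivery failed.\nFrom: "Mertens, Bram" <me@example.com>',
    "other_addr": 'Delivery failed.\nFrom: "someone" <other@example.org>',
    # Both a spoofed and a genuine From line in one body.
    "mixed": 'From: "optometric" <me@example.com>\n'
             'From: "Bram Mertens" <me@example.com>',
}


def evaluate():
    """Return {sample: (meta_rule result, lookahead_rule result)}."""
    return {k: (meta_rule(v), lookahead_rule(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14} meta={result[0]!s:5} lookahead={result[1]}")
```

The two approaches disagree only on the "mixed" body: the meta rule stays silent as soon as any genuine From line is present, while the lookahead pattern still fires on the spoofed line.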
