Thanks, I haven't tried it yet because I read in a message from Kelson
Vibber a couple of days ago that using .* in a body rule is a bad
idea...
But perhaps this will work?
body __M8RAM_FAKE_BOUNCE_SUB1 /From\:\s.{0,20}\s*<[EMAIL PROTECTED]>/i
body __M8RAM_FAKE_BOUNCE_SUB2
/From\:\s(?:Bram\sMertens\s)|(?:Mertens\sBram\s)\s*<[EMAIL PROTECTED]>/i
meta M8RAM_FAKE_BOUNCE (__M8RAM_FAKE_BOUNCE_SUB1 &&
!__M8RAM_FAKE_BOUNCE_SUB2)
describe M8RAM_FAKE_BOUNCE Spoofed bounce to me
score M8RAM_FAKE_BOUNCE 1.0
It does catch the test-messages I've got and doesn't seem to produce any
FP (only a few messages tested). But before I put it into production
I'd like to know if this is "almost as bad" as ".*"...
Can anybody tell me how "bad" this rule is?
TIA
On Mon, 2004-03-29 at 20:46, Kevin Peuhkurinen wrote:
> Hmmm.... try
>
> body __M8RAM_FAKE_BOUNCE /From\:\s".*"\s*<[EMAIL PROTECTED]>/i
> body __M8RAM_FAKE_BOUNCE1
> /From\:\s"(?:bram\smertens|mertens,{0,1}\s{0,1}bram)"\s*<[EMAIL PROTECTED]>/i
> meta M8RAM_FAKE_BOUNCE2 (__M8RAM_FAKE_BOUNCE && !__M8RAM_FAKE_BOUNCE1)
> describe M8RAM_FAKE_BOUNCE2 Spoofed bounce to me
> score M8RAM_FAKE_BOUNCE2 0.01
[...]
--
# Mertens Bram "M8ram" <[EMAIL PROTECTED]> Linux User #349737 #
# SuSE Linux 8.2 (i586) kernel 2.4.20-4GB i686 256MB RAM #
# 9:00pm up 8 days 0:37, 8 users, load average: 0.25, 0.12, 0.09 #
