Hi, I've been using SA plugged into postfix via in-line filters (allowing me to reject at the session level, instead of after-the-fact), and am pretty happy with the results. My next step is to start applying transport-type rules to the session data -- HELO gets spam score versus EHLO, do the forward and reverse domain names match, etc. -- but I need to apply these rules specifically to the top-most Received header only. I've done some simple rules so far (checking for non-existent Message-ID, for example) but can't see an easy way to snarf this specific data.
Any rule that already does this that I should be looking for? Or do I need to get into regex IF testing (I do this with PCRE inside postfix for a couple of tests already). Thanks for any pointers.

--
Eric A. Hall  http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/
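An added example, not part of the original post: one way to isolate the top-most Received header and derive the transport checks the message asks about. It assumes the Postfix-style layout `from <helo> (<rdns> [<ip>]) ... with <protocol>`; the finding names, function names and sample message are hypothetical and constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample; hostnames and addresses are documentation values.
SAMPLE = (
    "Received: from mail.example.net (unknown [192.0.2.10])\r\n"
    "\tby mx.example.org (Postfix) with SMTP id 4F2A1B\r\n"
    "\tfor <user@example.org>; Mon, 1 Jan 2024 00:00:00 +0000 (UTC)\r\n"
    "Received: from inner.example.com (inner.example.com [198.51.100.7])\r\n"
    "\tby mail.example.net with ESMTP id XYZ; Mon, 1 Jan 2024 00:00:00 +0000\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

# Assumed layout: from <helo> (<rdns> [<ip>]) ... with <protocol>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
    r".*?\bwith\s+(?P<proto>[A-Z]+)",
    re.S,  # folded headers contain line breaks
)

def top_received(raw):
    """Parse only the first (top-most) Received header, added by our own MTA."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    headers = msg.get_all("Received") or []  # returned in order of appearance
    if not headers:
        return None
    m = RECEIVED_RE.search(headers[0])
    return m.groupdict() if m else None

def transport_findings(raw):
    """Return hypothetical finding names a scoring rule could key on."""
    info = top_received(raw)
    if info is None:
        return ["NO_PARSEABLE_RECEIVED"]
    findings = []
    if info["proto"] == "SMTP":  # ESMTP* means the client sent EHLO
        findings.append("USED_HELO")
    if info["rdns"] == "unknown":  # Postfix writes this when rDNS does not verify
        findings.append("NO_RDNS")
    elif info["rdns"].lower() != info["helo"].lower():
        findings.append("HELO_RDNS_MISMATCH")
    return findings

if __name__ == "__main__":
    print(top_received(SAMPLE), transport_findings(SAMPLE))
```

Lower Received headers are written by earlier hops and can be forged by the sender, which is why only the first one is parsed.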
