Bowie (and the rest that answered), Thanks for the follow up. I went with your suggestion of adding the additional addr field and fixed the ^ and it’s catching now. The multiple values on the same line were intentional. I actually have different scored for bayes inclusion and network test (just tweaking them a little).
Final is: header HS_BAD_DOMAIN From:addr =~ /\.(top|study|click|party|link|stream|info|trade|bid|xxx)$/i Thanks again, Gary- -----Original Message----- From: Bowie Bailey [mailto:bowie_bai...@buc.com] Sent: Wednesday, November 1, 2017 12:03 PM To: users@spamassassin.apache.org Subject: Re: Looking for assist on a rule On 11/1/2017 2:39 PM, Gary Smith wrote: > We have recently seen a huge uptick in spam from a bunch of different TLD's. > Bayes has been a little whacky with them as well. Our install is 3.3.1 > (we're going to be replacing it soon). > > I'm looking to implement a rule that will assign a higher score to specific > TLD's. I tried the rule below based upon the guidelines from > https://wiki.apache.org/spamassassin/WritingRules. Nothing seems to hit it > though. > > header HS_BAD_DOMAIN From =~ > /^\.(top|study|click|party|link|stream|info|trade|bid|xxx)/i > describe HS_BAD_DOMAIN Contains one of the bad domains that commonly > spams score HS_BAD_DOMAIN 0.1 0.1 0.1 0.1 The problem is the caret (^). That says that the match must START with a period. For example: From: .top What you probably want is to anchor the expression on the other end: header HS_BAD_DOMAIN From:addr =~ /\.(top|study|click|party|link|stream|info|trade|bid|xxx)$/i The ':addr:' part makes sure the match only hits on the first email address in the header to prevent false positives. Also, you don't need to specify multiple scores unless they are different. score HS_BAD_DOMAIN 0.1 This works exactly the same and is a bit easier to read. -- Bowie
