Hi Bill

> As described, this is definitely a bug.

No, not a bug!

I guess there were more 'things' involved which I overlooked and which now hit me in the face when I attempted to create the 'real' rule, first using TO_IN_SUBJ and hitting the SAME issue again, without tflags.

TO_IN_SUBJ itself is yet another meta involving __TO_IN_SUBJ and some other negated rules.

It turned out the issue most probably never was __TO_IN_SUBJ; this was probably always producing a hit (which I could see by manually calling spamassassin on the command line). The issue most probably is one of the other negated rules which disable TO_IN_SUBJ despite __TO_IN_SUBJ being true.

While testing from my Google account and crafting emails which should have caused the hits, I noticed that indeed __TO_IN_SUBJ scored a hit but not TO_IN_SUBJ, and when running the same email from the command line (even when removing the headers added locally) I did not get the same rules to match, and indeed when run that way TO_IN_SUBJ was positive.

This below now works as I expected, hopefully not causing too many false positives, but now I can proceed with additional fine-tuning, like also adding certain ASNs which are mostly the source of those phishing emails with known brands.

meta IMP_TO_IN_SUBJ __TO_IN_SUBJ
describe IMP_TO_IN_SUBJ Empfaengeradresse in Betreff
score IMP_TO_IN_SUBJ 2

header __IMP_SHOP_IN_SUBJ Subject =~ /(UPS|Rossmann|Lidl|Hermes|DPD|GLS|ADAC)/i
meta IMP_SHOP_PHISH (__TO_IN_SUBJ + __IMP_SHOP_IN_SUBJ > 1)
describe IMP_SHOP_PHISH Empfaengeradresse in Betreff + Firmenname
score IMP_SHOP_PHISH 8

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
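
An added example, not part of the original post: a Python re-implementation of the two posted metas, run over constructed subjects to check the false-positive concern, since the brand pattern as posted also matches inside longer words. `to_in_subj` is a simplified stand-in for `__TO_IN_SUBJ` (assumption), and the `\b` variant is a hypothetical alternative that does not come from the post.

```python
import re

# Brand pattern exactly as posted in __IMP_SHOP_IN_SUBJ.
SHOP_POSTED = re.compile(r"(UPS|Rossmann|Lidl|Hermes|DPD|GLS|ADAC)", re.I)
# Hypothetical variant with word boundaries (not from the original post).
SHOP_BOUNDED = re.compile(r"\b(UPS|Rossmann|Lidl|Hermes|DPD|GLS|ADAC)\b", re.I)

RCPT = "user@example.org"  # constructed recipient address

# Constructed sample subjects.
SAMPLES = [
    "DPD: Paket fuer user@example.org wartet",                # address + brand
    "Invoice for user@example.org from the Startups Meetup",  # "UPS" inside a word
    "DPD Sendungsverfolgung",                                 # brand only
]


def to_in_subj(subject, rcpt=RCPT):
    """Simplified stand-in for __TO_IN_SUBJ (assumption):
    the full recipient address appears in the Subject header."""
    return rcpt.lower() in subject.lower()


def evaluate(subject, shop_re=SHOP_POSTED):
    """Return {rule_name: score} for the posted rules that hit."""
    t = int(to_in_subj(subject))
    s = int(bool(shop_re.search(subject)))
    hits = {}
    if t:                      # meta IMP_TO_IN_SUBJ __TO_IN_SUBJ
        hits["IMP_TO_IN_SUBJ"] = 2
    if t + s > 1:              # meta IMP_SHOP_PHISH (... > 1)
        hits["IMP_SHOP_PHISH"] = 8
    return hits


def total(subject, shop_re=SHOP_POSTED):
    """Sum of the scores contributed by the two rules."""
    return sum(evaluate(subject, shop_re).values())


if __name__ == "__main__":
    for subj in SAMPLES:
        print(f"{total(subj):>2} posted / {total(subj, SHOP_BOUNDED):>2} bounded  {subj}")
```
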
