Hi,

I've found an FP in 70_sare_spoof.cf, triggering with SARE_FORGED_CITI.

In the rule:

    header __RCVD_CITIBNK Received =~ /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
    header __FROM_CITIBNK From =~ /citi(?:bank)?\.com/i
    uri __URI_CITIBNK /citi(?:bank)?\.com/i
    meta SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)

wouldn't it be better with a \b in front of the From (or/and URI)?

Something like:

    header __FROM_CITIBNK From =~ /\bciti(?:bank)?\.com/i

How is the From field of the legit mails from them?

We have domains like, for example, <string>citiDOTcomDOTar that are triggering false positives. The From is <string>citiDOTcomDOTar and they put a URI on them, but (fortunately) they are not sending mails from the bank.

Thanks
Saludos

--
Leonardo Helman
Pert Consultores
Argentina
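
The effect of the proposed `\b` can be checked offline. The sketch below is an added example, not part of the original post or of the SARE rule set: it evaluates the meta rule's logic with the posted patterns over constructed messages. Python's `re` stands in for SpamAssassin's Perl regexes (these particular patterns behave the same in both), and the `.example` domains, addresses and Received lines are made-up samples.

```python
import re

# Sub-rule patterns copied from the post (SARE_FORGED_CITI, 70_sare_spoof.cf).
RCVD = r"(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com"
ORIGINAL = r"citi(?:bank)?\.com"
PROPOSED = r"\bciti(?:bank)?\.com"  # the \b variant suggested in the post


def forged_citi(msg, pattern):
    """Evaluate __FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK.

    `pattern` is applied to both the From header and the URIs;
    the Received sub-rule is always the posted one.
    """
    rx = re.compile(pattern, re.I)
    from_hit = bool(rx.search(msg["from"]))
    uri_hit = any(rx.search(u) for u in msg["uris"])
    rcvd_hit = any(re.search(RCVD, r, re.I) for r in msg["received"])
    return from_hit and uri_hit and not rcvd_hit


# Constructed samples (assumptions, not real traffic).
# 1. Unrelated sender whose domain has the "<string>citi.com.xx" shape.
UNRELATED = {
    "from": "Ventas <info@shopciti.com.example>",
    "uris": ["http://www.shopciti.com.example/promo"],
    "received": ["from mail.shopciti.com.example ([192.0.2.10]) by mx.example.net"],
}
# 2. Mail claiming the bank in From and URI, relayed by an unrelated host.
FORGED = {
    "from": "Citibank <alerts@citibank.com>",
    "uris": ["http://www.citibank.com/"],
    "received": ["from host.example.org ([198.51.100.7]) by mx.example.net"],
}
# 3. Domain that *starts* with "citi.com": \b guards the left edge only,
#    so nothing stops the match from continuing into ".example".
LEFT_EDGE_ONLY = {
    "from": "info@citi.com.example",
    "uris": ["http://citi.com.example/"],
    "received": ["from mail.citi.com.example ([192.0.2.20]) by mx.example.net"],
}

if __name__ == "__main__":
    for name, msg in [("unrelated", UNRELATED), ("forged", FORGED),
                      ("left-edge-only", LEFT_EDGE_ONLY)]:
        print(f"{name:15} original={forged_citi(msg, ORIGINAL)!s:5} "
              f"proposed={forged_citi(msg, PROPOSED)}")
```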