On Thu, 12 May 2016, Alex wrote:
I'm trying to match some Apple/iTunes fraud and would like to use the lack of the email having been passed through anything relating to Apple (contains apple.com, etc.), and I'm having some difficulty with this header:

Received: from 56.119.233.220.static.exetel.com.au ([220.233.119.56] helo=smtp.vic.exemail.com.au)
	by pecan.exetel.com.au with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.84)
	(envelope-from <[email protected]>)
	id 1b0RAr-0003bC-72
	for [email protected]; Wed, 11 May 2016 20:15:43 +1000

This rule apparently matches due to the envelope-from line above.

header __LOC_APPLE_RCVD Received =~ /apple\.com/

How can I get it to only match on the server name in that line?
Try matching on the external relays pseudo-header where that all gets normalized.
--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[email protected]    FALaholic #11174    pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 142 days since the first successful real return to launch site (SpaceX)
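The reason the original rule fires, and what "matching on the external relays pseudo-header" buys, shown as an added example that is not part of the thread or of SpamAssassin's own code. It parses the Exim-style Received header into the per-relay fields, renders them in the layout SpamAssassin uses for X-Spam-Relays-External (field order as in its Received.pm; the ident/auth/intl/msa values are left at defaults here, which is an assumption), and contrasts the naive /apple\.com/ test against one that only looks at the rdns field. The sample header is constructed from the one quoted above, with the redacted addresses replaced by made-up ones; the parser only handles that one Exim layout, not Received headers in general.

```python
import re

# Constructed sample modelled on the Exim Received header quoted in the thread.
# The redacted addresses are replaced with constructed values; the forged
# envelope-from is what makes a naive /apple\.com/ test fire.
SAMPLE_RECEIVED = (
    "from 56.119.233.220.static.exetel.com.au ([220.233.119.56] "
    "helo=smtp.vic.exemail.com.au) by pecan.exetel.com.au with esmtps "
    "(TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.84) "
    "(envelope-from <refund@apple.com>) id 1b0RAr-0003bC-72 "
    "for victim@example.net; Wed, 11 May 2016 20:15:43 +1000"
)

# Parser for the Exim shape only:
#   from RDNS ([IP] helo=HELO) by BY ... (envelope-from <ENVFROM>) id ID
# Real-world Received headers vary far more than this; SpamAssassin carries
# a large set of per-MTA patterns for that job.
EXIM_RECEIVED = re.compile(
    r"^from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r"(?:\s+helo=(?P<helo>[^\s)]+))?\)\s+by\s+(?P<by>\S+)"
    r"(?:.*?\(envelope-from\s+<(?P<envfrom>[^>]*)>\))?"
    r"(?:.*?\bid\s+(?P<id>\S+))?",
    re.DOTALL,
)


def parse_received(header):
    """Split one Received header into the fields tracked per relay."""
    m = EXIM_RECEIVED.search(header)
    if not m:
        raise ValueError("unrecognised Received header layout")
    return {k: (v or "") for k, v in m.groupdict().items()}


def relays_external(header):
    """Render the relay the way the X-Spam-Relays-External pseudo-header does.

    Field order follows SpamAssassin's Received.pm; ident/intl/auth/msa are
    left at their defaults here (an assumption for this example).
    """
    r = parse_received(header)
    return (
        "[ ip={ip} rdns={rdns} helo={helo} by={by} ident= envfrom={envfrom} "
        "intl=0 id={id} auth= msa=0 ]"
    ).format(**r)


# The rule from the thread: substring match on the raw header, so any field,
# including the sender-chosen envelope-from, can satisfy it.
NAIVE_RULE = re.compile(r"apple\.com")

# Equivalent of
#   header __LOC_APPLE_RCVD X-Spam-Relays-External =~ /\srdns=(?:\S+\.)?apple\.com\s/
# rdns is the reverse DNS your own MTA recorded for the connecting IP, so the
# sender cannot pick it. HELO is client-supplied, so it is deliberately not
# used. The (?:\S+\.)? prefix requires apple.com as the domain or a
# subdomain, so "evilapple.com" and "apple.com.evil.net" do not match.
RELAY_RULE = re.compile(r"\srdns=(?:\S+\.)?apple\.com\s")


def naive_apple_rcvd(header):
    return bool(NAIVE_RULE.search(header))


def apple_relay(header):
    return bool(RELAY_RULE.search(relays_external(header)))


if __name__ == "__main__":
    print(relays_external(SAMPLE_RECEIVED))
    print("naive rule:", naive_apple_rcvd(SAMPLE_RECEIVED))
    print("relay rule:", apple_relay(SAMPLE_RECEIVED))
```

The same pseudo-header also carries the ip= field, so a rule wanting "came through Apple" can be anchored on address ranges as well as on rdns; what it should not be anchored on is anything the connecting client writes itself (HELO, envelope-from, MAIL FROM).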
