[BlueOnyx:26364] Re: AV-Spam rule expression
Michael Stauber
mstauber at blueonyx.it
Wed Jul 19 10:14:13 -05 2023
Hi Chris,
> My question is in the expression, should I be using the subject as it
> appears (I RECORDED YOU) or should I be attempting regex
> (I\sRECORDED\sYOU)?
You want the rule to trigger on the subject (not body) and generally I
also would throw a /i at the end of the rule to make it case
insensitive. So it'll even trigger if some or all parts of the search
text are capitalized. In that case the complete rule would look like this:
header BTC_EXT0815 Subject =~ /I recorded you/i
describe BTC_EXT0815 Bitcoin extortion scam
score BTC_EXT0815 100
That "BTC_EXT0815" is a unique identifier for that rule and it can be
anything. But it must be the same in all three lines.
In this example I gave that rule a score of 100, so it'll get tagged no
matter what - unless the sender address is specifically whitelisted in
the AV-SPAM. A score this high will also reject the message at the MTA
if that feature is enabled (it usually is enabled by default).
--
With best regards
Michael Stauber
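
Added example, not part of the original message and not BlueOnyx or SpamAssassin code: a small Python check that the three lines of each rule share one identifier, and that tries the rule's pattern against constructed subjects. It assumes Python's re behaves like the Perl regex for these simple patterns and decodes RFC 2047 subjects before matching; the DEMO_RULE/DEMO_RUEL lines and the helper names are hypothetical.

```python
import re
from email.header import decode_header, make_header

# The rule from the message above, plus a constructed rule whose score line
# carries a mistyped identifier, to show what the identifier check catches.
RULES_CF = r"""
header   BTC_EXT0815 Subject =~ /I recorded you/i
describe BTC_EXT0815 Bitcoin extortion scam
score    BTC_EXT0815 100
header   DEMO_RULE Subject =~ /wire transfer/i
describe DEMO_RULE Constructed demo rule
score    DEMO_RUEL 5
"""

# Only the "header NAME Subject =~ /regex/[i]" form used in this thread.
HEADER_RE = re.compile(r"^header\s+(\S+)\s+Subject\s+=~\s+/(.*)/(i?)$")
COMPLETE = {"regex", "describe", "score"}

def parse_rules(text):
    """Return {name: {'regex', 'describe', 'score'}} from header/describe/score lines."""
    rules = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER_RE.match(line)
        if m:
            flags = re.I if m.group(3) else 0
            rules.setdefault(m.group(1), {})["regex"] = re.compile(m.group(2), flags)
            continue
        kind, name, value = line.split(None, 2)
        if kind in ("describe", "score"):
            rules.setdefault(name, {})[kind] = float(value) if kind == "score" else value
    return rules

def lint(rules):
    """Identifiers that do not appear on all three lines of a rule."""
    return sorted(n for n, r in rules.items() if set(r) != COMPLETE)

def hits(rules, raw_subject):
    """Names of complete rules whose pattern matches the decoded Subject."""
    subject = str(make_header(decode_header(raw_subject)))
    return sorted(n for n, r in rules.items()
                  if set(r) == COMPLETE and r["regex"].search(subject))

if __name__ == "__main__":
    rules = parse_rules(RULES_CF)
    print("incomplete rules:", lint(rules))
    for subj in ("I RECORDED YOU", "=?UTF-8?Q?I_RECORDED_YOU?=", "I  recorded you"):
        print(repr(subj), "->", hits(rules, subj))
```

The last constructed subject has two spaces between the first two words, so the literal-space pattern does not match it.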