Posted to users@spamassassin.apache.org by Pete Russell <pe...@enitech.com.au> on 2007/04/03 16:37:25 UTC

How would i write this rule?

We have a parent company that uses a completely different domain name. 
We are on the same network (and therefore trusted_networks).

Some of the users in sub company have email addresses in the parent 
company and these are forwarded to email accounts in the sub company.

When spam is sent to the parent company email address they have a rule of 
not scanning for spam, it is then forwarded onto the sub company's 
gateway and scanned - but since it's from a trusted network none of the 
network tests fire and we end up with heaps of spam being forwarded.

The from address on these spam is always an external one.

I have no control over the mail routing affairs. I have to deal with the 
mail that arrives at the sub company.

How do i write a rule that says;

if mail is received from parent company email gateway/s AND the from 
address is not from the parent company domain THEN give XX score.

Appreciate any help/tips/suggestions
Many thanks
Pete

Re: How would i write this rule?

Posted by Adam Lanier <ad...@krusty.madoff.com>.
Peter Russell wrote:

>
> Sorry last question - seems the parent company is doing spam checks 
> and adds the spam score to the headers.
>
> How could i add/change the second condition for a spam score greater 
> than 10.00 ?
>
> the header is X-Spam-Score: *********** (11.507)
>
> Many thanks
> Pete

To ask the obvious question, why are you doing spam checks if the 
upstream relay is also doing them?

Based on my performance yesterday, there's almost assuredly something 
wrong with the following but...

header    __HIGH_SA_SCORE    X-Spam-Score =~ /\*{10,}/
meta SPAM_FROM_RELAY    __GATEWAY_RELAY && __NOT_PAR_DOMAIN && __HIGH_SA_SCORE


Re: How would i write this rule?

Posted by Peter Russell <pe...@enitech.com.au>.

adam lanier wrote:
> On Tue, 2007-04-03 at 16:06 +0000, Duane Hill wrote:
>> On Tue, 3 Apr 2007, adam lanier wrote:
>> Shouldn't it be:
>>
>>    From !~ /\@mydomain\.com$/i
>>
>>> meta SPAM_FROM_RELAY	__GATEWAY_RELAY && __NOT_PAR_DOMAIN
> 
> yep, i'm 0 for 2 today, time to keep quiet.


Sorry last question - seems the parent company is doing spam checks and 
adds the spam score to the headers.

How could i add/change the second condition for a spam score greater 
than 10.00 ?

the header is X-Spam-Score: *********** (11.507)

Many thanks
Pete

Re: How would i write this rule?

Posted by adam lanier <ad...@krusty.madoff.com>.
On Tue, 2007-04-03 at 16:06 +0000, Duane Hill wrote:
> On Tue, 3 Apr 2007, adam lanier wrote:
> Shouldn't it be:
> 
>    From !~ /\@mydomain\.com$/i
> 
> > meta SPAM_FROM_RELAY	__GATEWAY_RELAY && __NOT_PAR_DOMAIN

yep, i'm 0 for 2 today, time to keep quiet.

Re: How would i write this rule?

Posted by Duane Hill <d....@yournetplus.com>.
On Tue, 3 Apr 2007, adam lanier wrote:

> On Wed, 2007-04-04 at 00:37 +1000, Pete Russell wrote:
>>
>> How do i write a rule that says;
>>
>> if mail is received from parent company email gateway/s AND the from
>> address is not from the parent company domain THEN give XX score.
>
> Something like?
>
> header __GATEWAY_RELAY	Received =~ /\[111\.222\.333\]/
> header __NOT_PAR_DOMAIN	From =! /\@mydomain\.com$/i

Shouldn't it be:

   From !~ /\@mydomain\.com$/i

> meta SPAM_FROM_RELAY	__GATEWAY_RELAY && __NOT_PAR_DOMAIN
>
>
>



Re: How would i write this rule?

Posted by adam lanier <ad...@krusty.madoff.com>.
On Wed, 2007-04-04 at 00:55 +1000, Pete Russell wrote:
> 
> adam lanier wrote:
> > On Wed, 2007-04-04 at 00:37 +1000, Pete Russell wrote:
> >> How do i write a rule that says;
> > header __GATEWAY_RELAY	Received =~ /\[111\.222\.333\]/
> so in this line the ip address is only the 1st 3 sections. Will it match 
> anything in the 4th? eg 111.222.333.xxx?
> 
> > header __NOT_PAR_DOMAIN	From =! /\@mydomain\.com$/i
> I know . are important in regexp, the domain is .com.au can i just 
> change the above line to /\@mydomain\.com.au$/i
> 
> > meta SPAM_FROM_RELAY	__GATEWAY_RELAY && __NOT_PAR_DOMAIN
> and score SPAM_FROM_RELAY 5 ?
> > 

Sorry, trying to dash off a response while doing ten other things.  

The ip address should probably match exactly if you only have one relay
machine:

header __GATEWAY_RELAY	Received =~ /\[111\.222\.333\.444\]/

If you have multiple relays/ip addresses:

header __GATEWAY_RELAY	Received =~ /(?:\[111\.222\.333\.444\]|\[444\.555\.666\.777\])/

You should probably escape all the '.' in a domain literal just to be
safe:

/\@my\.domain\.com\.au$/i
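
Added example, not part of any post in this thread: a Python check of the three conditions discussed here (gateway relay, From outside the parent domain, upstream score of 10 or more) run against constructed messages, with the three-octet pattern and the unescaped-dot domain pattern kept alongside for comparison. The relay IP 192.0.2.10, the domain parent.example.com.au and all function names are assumptions; the score is read from the number in parentheses rather than by counting asterisks as the thread's rule does.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed placeholders, not values from the thread.
GATEWAY_RELAY = re.compile(r"\[192\.0\.2\.10\]")        # full address, dots escaped
PARENT_DOMAIN = re.compile(r"@parent\.example\.com\.au$", re.I)
SCORE = re.compile(r"\((-?\d+(?:\.\d+)?)\)")            # "*********** (11.507)"

# The two patterns asked about in the thread, kept for comparison.
THREE_OCTETS = re.compile(r"\[192\.0\.2\]")             # closing bracket after octet 3
LOOSE_DOMAIN = re.compile(r"@parent\.example\.com.au$", re.I)  # unescaped dot


def spam_from_relay(raw, threshold=10.0):
    """Gateway relay AND From outside the parent domain AND upstream score high."""
    msg = message_from_string(raw)
    via_gateway = any(GATEWAY_RELAY.search(h) for h in msg.get_all("Received", []))
    # parseaddr strips the display name and <>, so the $ anchor sees the bare address
    addr = parseaddr(msg.get("From", ""))[1]
    external_from = not PARENT_DOMAIN.search(addr)
    m = SCORE.search(msg.get("X-Spam-Score", ""))
    high_score = m is not None and float(m.group(1)) >= threshold
    return via_gateway and external_from and high_score


def build(relay_ip, from_addr, score_hdr):
    """Constructed sample message; none of these values come from real mail."""
    return (f"Received: from gw.parent.example.com.au ([{relay_ip}]) by mx.sub.example\n"
            f"From: Some Sender <{from_addr}>\n"
            f"X-Spam-Score: {score_hdr}\n"
            "Subject: constructed sample\n\nbody\n")


if __name__ == "__main__":
    stars = "*********** (11.507)"
    print(spam_from_relay(build("192.0.2.10", "x@spammer.example", stars)))
    print(spam_from_relay(build("192.0.2.10", "bob@parent.example.com.au", stars)))
    print(spam_from_relay(build("192.0.2.10", "x@spammer.example", "*** (3.2)")))
    print(bool(THREE_OCTETS.search("[192.0.2.10]")))
    print(bool(LOOSE_DOMAIN.search("x@parent.example.comXau")))
```

In SpamAssassin itself, matching on `From:addr` instead of `From` gives the rule the bare address in the same way `parseaddr` does here.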

Re: How would i write this rule?

Posted by Pete Russell <pe...@enitech.com.au>.

adam lanier wrote:
> On Wed, 2007-04-04 at 00:37 +1000, Pete Russell wrote:
>> How do i write a rule that says;
>>
>> if mail is received from parent company email gateway/s AND the from 
>> address is not from the parent company domain THEN give XX score.
> 
> Something like?
> 

> header __GATEWAY_RELAY	Received =~ /\[111\.222\.333\]/
so in this line the ip address is only the 1st 3 sections. Will it match 
anything in the 4th? eg 111.222.333.xxx?

> header __NOT_PAR_DOMAIN	From =! /\@mydomain\.com$/i
I know . are important in regexp, the domain is .com.au can i just 
change the above line to /\@mydomain\.com.au$/i

> meta SPAM_FROM_RELAY	__GATEWAY_RELAY && __NOT_PAR_DOMAIN
and score SPAM_FROM_RELAY 5 ?
> 
> 


Many thanks for taking the time to respond in that much detail for me.
Regards
Pete

Re: How would i write this rule?

Posted by adam lanier <ad...@krusty.madoff.com>.
On Wed, 2007-04-04 at 00:37 +1000, Pete Russell wrote:
> 
> How do i write a rule that says;
> 
> if mail is received from parent company email gateway/s AND the from 
> address is not from the parent company domain THEN give XX score.

Something like?

header __GATEWAY_RELAY	Received =~ /\[111\.222\.333\]/
header __NOT_PAR_DOMAIN	From =! /\@mydomain\.com$/i
meta SPAM_FROM_RELAY	__GATEWAY_RELAY && __NOT_PAR_DOMAIN