On Sat, 21 Feb 2004, Odhiambo G. Washington wrote:
> Hello all,
>
> I'd like to request for some help with this condition:
> Sp far it doesn't seem to work at all.
>
> condition = ${if and { \
> {eq {$sender_helo_name}{outblaze.com}}\
> {match {$h_Received:}{.*mr.outblaze.com}} \
> }\
> {yes}{no}}
>
> Is it correct, especially with regard to the $h_Received?
> Is it wise to AND or OR the two sub conditions? I am think now that they
> may not always be true so OR-ing is much likely to work better than
> AND-ing.
Well, given that Suresh originally wrote
> > 1. If you see ".mr.outblaze.com" in any Received: header --> forged spam.
> >
> > 2. If you see HELO mail.com, HELO email.com etc --> forged spam
then yes, you should use OR so that either condition will trigger it.
To make the 'match' fit Suresh' condition exactly, I think you would need
{match {$h_Received:} {\N\.mr\.outblaze\.com\N}} \
(The \N...\N prevents string expansion, which saves you messing around
with doubling the other backslashes).
Of course, you will get false positives on things like
somehost.mr.outblaze.compost.com
- you need to decide how much that would matter to you.
Untested, YMMV, HTH, etc
Richard
