
Exchange Server Forums


Need help with RegEx in transport rule

Need help with RegEx in transport rule - 31.May2015 6:36:25 AM   
Fermin

 

Hello group

I've run into a problem here, and haven't been able to find any documentation on how I would go about solving this.

I use Barracuda online antispam for inbound email scan, but it's possible I won't use it for all domains some time in the future. So just restricting inbound SMTP on my firewall to mails from Barracuda won't work. As you can probably guess, I still receive (spam) mails directly instead of through Barracuda.

This is what a mail header sent DIRECTLY to my exchange servers looks like:

Received: from mx1.home.fermin.ch (2001:1620:fb4:abba:df7:69d0:83a7:823b) by
 mx1.home.fermin.ch (2001:1620:fb4:abba:df7:69d0:83a7:823b) with Microsoft
 SMTP Server (TLS) id 15.0.1076.9 via Mailbox Transport; Sun, 31 May 2015
 12:37:39 +0200
Received: from mx2.home.fermin.ch (2001:1620:fb4:abba:1::38) by
 mx1.home.fermin.ch (2001:1620:fb4:abba:df7:69d0:83a7:823b) with Microsoft
 SMTP Server (TLS) id 15.0.1076.9; Sun, 31 May 2015 12:37:38 +0200
Received: from bnl.net (118.238.1.173) by mx2.home.fermin.ch (192.168.200.38)
 with Microsoft SMTP Server id 15.0.1076.9 via Frontend Transport; Sun, 31 May
 2015 12:37:37 +0200
Message-ID: <D1123F43.93160885@bnl.net>
Date: Sun, 31 May 2015 19:37:37 +0900
From: Canadian Pharmacy <admingomvc@bnl.net>
X-Accept-Language: en-us
MIME-Version: 1.0
To: <fermin.sanchez@betterit.ch>
Subject: If your problems with sex make put your family life in danger, you have to do something quickly
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-Path: admingomvc@bnl.net
X-MS-Exchange-Organization-Network-Message-Id: 2f32e8aa-e8d3-4006-5fe0-08d269a4f32c
X-MS-Exchange-Organization-AuthSource: mx2.home.fermin.ch
X-MS-Exchange-Organization-AuthAs: Anonymous


And this is what it looks like coming from Barracuda:

Received: from mx2.home.fermin.ch (2001:1620:fb4:abba:1::38) by
 mx1.home.fermin.ch (2001:1620:fb4:abba:1::37) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9 via Mailbox Transport; Sun, 31 May 2015 12:44:46 +0200
Received: from mx1.home.fermin.ch (2001:1620:fb4:abba:1::37) by
 mx2.home.fermin.ch (2001:1620:fb4:abba:1::38) with Microsoft SMTP Server
 (TLS) id 15.0.1076.9; Sun, 31 May 2015 12:44:46 +0200
Received: from mail14.ess.barracuda.com (64.235.154.109) by mx1.home.fermin.ch
 (192.168.200.37) with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Frontend
 Transport; Sun, 31 May 2015 12:44:44 +0200
Received: from mxout017.mail.hostpoint.ch (mxout017.mail.hostpoint.ch [217.26.49.177]) by mx1418.ess.rzc.cudaops.com (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 31 May 2015 10:44:42 +0000
X-BESS-ID: 1433069081-566676-27908-76571-1
X-BESS-VER: 2.7.0-r1505151644
X-BESS-Apparent-Source-IP: 217.26.49.177
X-BESS-Spam-Status: SCORE=0.44 using account:ESS31490 scores of QUARANTINE_LEVEL=5.0 KILL_LEVEL=7.0 tests=HTML_EMBEDS, HTML_MESSAGE
Received-SPF: none (mx1418.ess.rzc.cudaops.com: tobi@sufu.ch does not designate permitted sender hosts)
X-BESS-Spam-Report: Code version 3.2, rules version 3.2.2.161643
	Rule breakdown below
	 pts rule name              description
	---- ---------------------- --------------------------------
	0.44 HTML_EMBEDS            BODY: HTML with embedded plugin 
	object 
	0.00 HTML_MESSAGE           BODY: HTML included in message 
X-BESS-Spam-Score: 0.44
X-BESS-BRTS-Status: 1
Received: from [10.0.2.46] (helo=asmtp013.mail.hostpoint.ch)
	by mxout017.mail.hostpoint.ch with esmtp (Exim 4.84 (FreeBSD))
	(envelope-from <tobi@sufu.ch>)
	id 1Yz0jQ-000J7N-Oa
	for fermin@fermin.ch; Sun, 31 May 2015 12:44:40 +0200
Received: from [2a02:1205:5003:7960:f574:314b:8733:1892] (helo=dynamic.wline.6rd.res.cust.swisscom.ch)
	by asmtp013.mail.hostpoint.ch with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.84 (FreeBSD))
	(envelope-from <tobi@sufu.ch>)
	id 1Yz0jQ-0002QL-GT
	for fermin@fermin.ch; Sun, 31 May 2015 12:44:40 +0200
X-Authenticated-Sender-Id: tobi@sufu.ch
From: Tobi Suter <tobi@sufu.ch>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_69136EA1-A4B9-488D-8FD7-21D20D49885F"
Message-ID: <E56A98B6-BB17-453C-B347-6389678D4A3F@sufu.ch>
MIME-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Subject: Re: BBZ Krawatte
Date: Sun, 31 May 2015 12:44:24 +0200
References: <5545f7a957e54aa186a41aee82cb9e26@mx1.home.fermin.ch>
To: Sanchez Fermin <fermin@fermin.ch>
In-Reply-To: <5545f7a957e54aa186a41aee82cb9e26@mx1.home.fermin.ch>
X-Mailer: Apple Mail (2.2098)
Return-Path: tobi@sufu.ch
X-MS-Exchange-Organization-Network-Message-Id: e1e8441e-f92d-4da6-55c6-08d269a5f204
X-MS-Exchange-Organization-AuthSource: mx1.home.fermin.ch
X-MS-Exchange-Organization-AuthAs: Anonymous



So my idea was to reject messages based on MISSING headers, for example any mail not having the "X-BESS-SPAM-Report" header with content matching "*rule*" was sent directly to me instead of going through Barracuda and is therefore spam.

My rule looks like this:

Apply this rule if: The sender is located ... outside the organization, and
A message header matches ... 'X-BESS-Spam-Report' header matches '!.rule.'



So far no luck, the rule doesn't work - or to be more precise, my "A message header matches" doesn't do the matching. I thought that '!' was used to negate stuff in RegEx? What am I missing? Any help you can give is greatly appreciated!!

Regards
Fermin
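
The rule logic from the post above, modelled as an added example that is not part of the original post. In regular-expression syntax a bare '!' is a literal character, and a "header matches" condition can only be true when the header exists, so a missing header has to be expressed as an exception ("except if the header matches") rather than inside the pattern. Python's `re` stands in for Exchange's pattern matching here, the function names are hypothetical, and the two samples are trimmed copies of the header dumps in the post.

```python
import re
from email import message_from_string

# Constructed samples: trimmed copies of the two header dumps in the post.
DIRECT = """\
Received: from bnl.net (118.238.1.173) by mx2.home.fermin.ch (192.168.200.38)
 with Microsoft SMTP Server id 15.0.1076.9 via Frontend Transport; Sun, 31 May
 2015 12:37:37 +0200
From: Canadian Pharmacy <admingomvc@bnl.net>

"""
VIA_BARRACUDA = """\
Received: from mail14.ess.barracuda.com (64.235.154.109) by mx1.home.fermin.ch
 (192.168.200.37) with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Frontend
 Transport; Sun, 31 May 2015 12:44:44 +0200
X-BESS-Spam-Report: Code version 3.2, rules version 3.2.2.161643
\tRule breakdown below
From: Tobi Suter <tobi@sufu.ch>

"""

def header_matches(raw, name, pattern):
    """Model of 'a message header matches': always False if the header is absent."""
    values = message_from_string(raw).get_all(name, [])
    return any(re.search(pattern, v) for v in values)

def rule_as_posted(raw):
    # '!' is a literal character, so this needs "!", any char, "rule", any char.
    return header_matches(raw, "X-BESS-Spam-Report", r"!.rule.")

def rule_with_exception(raw):
    # Condition: sender is outside the organization (assumed true for both samples).
    # Exception: X-BESS-Spam-Report is present and contains "rule".
    return not header_matches(raw, "X-BESS-Spam-Report", r"rule")

def edge_ip(raw):
    """Connecting IP that Exchange recorded on the Frontend Transport hop."""
    for received in message_from_string(raw).get_all("Received", []):
        flat = " ".join(received.split())  # undo header folding
        if "via Frontend Transport" in flat:
            m = re.match(r"from \S+ \(([^)]+)\)", flat)
            return m.group(1) if m else None
    return None

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("via Barracuda", VIA_BARRACUDA)):
        print(label, rule_as_posted(raw), rule_with_exception(raw), edge_ip(raw))
```

`X-BESS-*` headers are ordinary message headers that any sender can add, so the connecting IP on the Frontend Transport `Received` line, which the receiving Exchange server writes itself, is a stronger signal than header presence.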