Community Discussions and Support
Content Control arithmetics

I suppose you could try:

if sender matches "*pkginfo@ups.com*" AND body matches  "*<my company name>*" weight -100 TAG "likely genuine UPS message"

I'm not sure why your rule wouldn't work, but I kind of remember having some kind of problem with the contains rule myself, which is why I only use matches. Don't forget that you need the * at the start and end of whatever you want to match.


I think I am familiar with the Mercury content control rule language. I also read the pdf documentation many times.

Configuration -> Content Control: Using a single control set here.

My problem: Spammers like to send ZIP attachments using mails looking like original mails from known services, e.g. UPS. I am a UPS customer, and in this case we receive notifications on a regular basis. These mails usually have in the header:

From: "UPS Quantum View" <pkginfo@ups.com>

Subject: UPS Delivery Notification, Tracking Number xxxxxxxxxxxxxx

To detect faked mails I use rule #1:


if subject contains "UPS Delivery Notification" weight 50


However, genuine messages always contain our company name somewhere in the body. So, rule #2 is:


if sender contains "pkginfo@ups.com" AND content contains "<my company name>" weight -100 TAG "likely genuine UPS message"


Rule #2 appears before rule #1 in the ruleset, if this is of importance. So what happens; all genuine messages are filtered out to the spam folder.


X-CC-Diagnostic: Subject contains "UPS Delivery Notification" (50)


Seems like rule #1 always takes effect, and rule #2 is never obeyed. I checked it again and again. The body contains


At the request of <my company name>, , this notice alerts you that ... bla bla


and +50 - 100 should result in -50. The CONTAINS operator simply looks for a group of characters anywhere in the specified location (from the docs).

Any ideas?


Hi bmpan,

I have no solution for your Content Control. Only a general recommendation:

I have also used the content control of Mercury for sorting out spam for a long time. But you have to spend so much time permanently developing the content control rules. And in the end the result is bad nevertheless. You always have to chase after the spammers.

But since I activated SPAMHALTER within Mercury, the amount of spam has significantly decreased. Any spam mails which nevertheless come through are manually forwarded to the local IS_SPAM account of Spamhalter for learning purposes. They never come back again.

By the way, we are also a customer of UPS and have no problem with such spam. The genuine mails pass the Spamhalter while the UPS spam is being sorted out.

Cheers

Jorg


I agree with Joerg. I use POPFile instead of Spamhalter but the results are similar. I also block .zip attachments. Users have been advised to tell senders to rename .zip to .txt to bypass that block. I expected pushback from users but have not received any. Not enough .zip files coming in anymore for it to be a problem.

 

 


My rules for ups are

if header "from" matches "*@ups.com*" weight 51 tag "UPS"
if header "received" matches "*.rightnowtech.com (74.117.2*) by mercurymailsystem.ca*" weight -52 tag "UPS_uses_this"
if header "received" matches "*ups.com (153.2.232.*) by mercurymailsystem.ca*" weight -300
if header "received" matches "*ups.com (153.2.234.*) by mercurymailsystem.ca*" weight -300

mercurymailsystem.ca is the name of MY server.

This again is another example of why I wish David would embrace SPF - I'd like to be able to pick certain domains like ups, banks, etc and just set a rule that it has to pass spf or gets tagged as spam. It would certainly make things a lot easier for me.  I know some people have argued that spammers will and have started using spf but they can't impersonate a bank if you are using it to identify banks.  So I guess I'm saying I would only rely on SPF for important domains of my choosing.    My rules are kind of a loose SPF implementation.   I do the same for all the national banks in Canada.

I don't block zip files over 5 megs, but anything under is sent to the postmaster account for review before being sent on. The person sending the email gets a message back advising them that it might take up to 4 hours before their message is delivered, or they can rename .zip to something else and tell the user to rename it back to .zip.
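
The four rules from the post above, evaluated over constructed messages. This is an added example, not part of the original post and not Mercury's own matcher: Python's `fnmatch` stands in for the `matches` wildcard, weights are simply summed as the thread assumes, and the sample Received layout and relay names are assumptions.

```python
from email import message_from_string
from fnmatch import fnmatchcase

# (header, wildcard pattern, weight, tag), copied from the rules in the post above.
RULES = [
    ("from", "*@ups.com*", 51, "UPS"),
    ("received", "*.rightnowtech.com (74.117.2*) by mercurymailsystem.ca*", -52, "UPS_uses_this"),
    ("received", "*ups.com (153.2.232.*) by mercurymailsystem.ca*", -300, ""),
    ("received", "*ups.com (153.2.234.*) by mercurymailsystem.ca*", -300, ""),
]

def header_values(msg, name):
    values = msg.get_all(name) or []
    if name == "received":
        # Only the topmost Received line is written by our own server;
        # anything below it was supplied by the sending side.
        values = values[:1]
    # Unfold continuation lines and compare case-insensitively.
    return [" ".join(v.split()).lower() for v in values]

def score(raw_message):
    """Return (total weight, labels of the rules that fired)."""
    msg = message_from_string(raw_message)
    total, fired = 0, []
    for name, pattern, weight, tag in RULES:
        if any(fnmatchcase(v, pattern.lower()) for v in header_values(msg, name)):
            total += weight
            fired.append(tag or pattern)
    return total, fired

# Constructed sample messages; the Received layout is modelled on the patterns
# above and is an assumption, not a captured header.
def sample(relay):
    return (f"Received: from {relay} by mercurymailsystem.ca; Mon, 1 Jan 2024 10:00:00 -0500\n"
            'From: "UPS Quantum View" <pkginfo@ups.com>\n'
            "Subject: UPS Delivery Notification, Tracking Number xxxxxxxxxxxxxx\n\n"
            "constructed body\n")

GENUINE = sample("mail1.ups.com (153.2.232.17)")
VIA_PARTNER = sample("mx1.rightnowtech.com (74.117.2.5)")
SPOOFED = sample("relay.example.net (192.0.2.10)")

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("partner", VIA_PARTNER), ("spoofed", SPOOFED)]:
        print(label, score(raw))
```

A message claiming an @ups.com sender keeps its positive weight unless the Received line stamped by the receiving server also names an expected relay, which is the "loose SPF" effect described in the post.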

 

 

 


@jbanks,

and you get results of -249 in weight sometimes? My impression was that my rule #2 never triggers, for whatever reason. Seems like as soon as one rule triggers, all others are ignored. That's why I placed rule #2 before rule #1 but it did not help.

I will try your "header matches" rules instead of my "contains" rule.

@all others:

I have a quite effective ruleset (except attachment filtering which is sometimes a problem), so I never considered Spamhalter. As it seems, Spamhalter is switched between Mercury and the internet on the server machine, using its own POP3 client, right? So is it possible to do the training from a client machine, or do I have to log on to the server machine?

 


Although situated at the server machine, you could train it from any client. You have to create additional local user accounts for spam, and no spam (in our case they are named "spam", "is_spam" and "no_spam"). In case a user receives spam, he could simply bounce this mail to the local mailbox "is_spam". Spamhalter is checking the is_spam account for learning.

Spamhalter has no separate POP client running. It is directly integrated in Mercury and must only be switched on. It is checking the entire inbound and outbound mail traffic. At the end Spamhalter is sorting out spam into our local SPAM account. Here the spam mails remain until a predefined age is reached. Anybody has access to that SPAM account, in case he is missing a mail. But normally the users forget very fast that such an account exists. [8-)] Finally the admin could check the SPAM account regularly for false positives.

In case Spamhalter has filtered out a false positive, I bounce the mail to the NO_SPAM account to train spamhalter. And in case a user has nevertheless received spam, he is bouncing the mail to the IS_SPAM account.

 
