<p>You can't with an SMTP transaction filter as it is the From: address in the message body.</p><p> The SMTP MAIL FROM that you are checking with your rule is <<a href="http://webmail.adslweb.co.uk/src/compose.php?send_to=dobakyluo5078%40telekom.hu">dobakyluo5078@telekom.hu</a>> as reported in the <b>Return-path:</b> header</p><p>From transflt.mer:</p><p>[quote]# "operation" can be: # #    'H' for an expression applied to the client's "HELO" greeting #    'D' for deferred HELO processing; these filters will only be #        applied if the client does not issue a successful AUTH after #        issuing HELO but before issuing any other command. Otherwise, #        these filters are the same as 'H' filters. They allow a user #        on a system that might otherwise be rejected to redeem the #        connection by authenticating his identity. #    'S' for an expression applied to the subject line of the message #    'R' for an expression applied to each SMTP RCPT command #    'M' for an expression applied to the SMTP MAIL FROM: command[/quote]</p><p>You can use a general filter rule during Core Processing to match the From: address in the body and delete it. </p>

<P>Hi</P> <P>I've created these 2 filters:</P> <P>M, "*viagra*", RS, "'Viagra' encountered - connection dropped." S, "*viagra*", RS, "'Viagra' encountered - connection dropped."</P> <P>Yet I still get mail like this:</P> <P> <TABLE class="" cellSpacing=0 cellPadding=2 width="99%" align=center border=0> <TBODY> <TR> <TD class=""><NOBR><TT><B>X-SPAMWALL:</B> Passed through antiSPAM test by Spamhalter 4.5.0.408 on TEST (390) </TT></NOBR><NOBR><TT><B>X-SPAMWALL:</B> probability - 100.0% </TT></NOBR><NOBR><TT><B>X-SPAMWALL:</B> SPAM detected! </TT></NOBR><NOBR><TT><B>X-CLAMWALL:</B> Passed through antiviral test by ClamWall 1.4.0.96 on TEST (87) </TT></NOBR><NOBR><TT><B>Return-path:</B> <<A href="http://webmail.adslweb.co.uk/src/compose.php?send_to=dobakyluo5078%40telekom.hu">dobakyluo5078@telekom.hu</A>> </TT></NOBR><NOBR><TT><B>Received:</B> from telekom.hu (188.36.35.54) by TEST (Mercury/32 v4.72)      with ESMTP ID MG000A84; 26 Jan 2010 19:03:36 -0000 </TT></NOBR><NOBR><TT><B>From:</B> "VIAGRA(c) Brand Store" <<A href="http://webmail.adslweb.co.uk/src/compose.php?send_to=dobakyluo5078%40telekom.hu">dobakyluo5078@telekom.hu</A>> </TT></NOBR><NOBR><TT><STRONG>To:</STRONG> <A href="mailto:User@TEST">User@TEST</A> </TT></NOBR><NOBR><TT><B>Subject:</B> [** SPAM **] User site save 80% now </TT></NOBR><NOBR><TT><B>MIME-Version:</B> 1.0 </TT></NOBR><NOBR><TT><B>Content-Type:</B> text/html; charset="ISO-8859-1" </TT></NOBR><NOBR><TT><B>Content-Transfer-Encoding:</B> 7bit </TT></NOBR><NOBR><TT><B>X-Blocked:</B> SORBS C 10-12 see http://www.dnsbl.us.sorbs.net/ </TT></NOBR><NOBR><TT><B>X-CC-Diagnostic:</B> Not Header "Date" Exists (50) </TT></NOBR><NOBR><TT><B>X-PMFLAGS:</B> 34079360 0 5 06PCFTKB.CNM</TT></NOBR></TD></TR></TBODY></TABLE></P> <P>Why doesn't the filter reject this type of email ??</P>

Your transfilter is looking at the SMTP mail from: & subject, neither of which contain the word viagra. Well, you can't tell from those headers, but the ones I get don't.

<p>What about: <b>From:</b> "VIAGRA(c) Brand Store" <<a href="http://webmail.adslweb.co.uk/src/compose.php?send_to=dobakyluo5078%40telekom.hu">dobakyluo5078@telekom.hu</a>> </p><p>How do I match against that ? </p>