On Wednesday 23 March 2016 17:59:07 Gene Heskett wrote:
> On Wednesday 23 March 2016 10:11:39 Michele Calgaro wrote:
> > On 03/23/2016 11:03 PM, Gene Heskett wrote:
> > > That's great as I can remove about 1/2 of the rules by combining
> > > them so.
> > >
> > > Thank you Michele.
> >
> > Well,
> > you should thank E. Liddell for this one ;-)
> > Cheers
> > Michele
>
> Ohhhkaay, thanks Mr. E. Liddell. :)

I am getting a little schmardter, but not enough. One thing that stands
out is that the spams that it misses have had another one line, first
line header line inserted:

=================================
From gene Thu Mar 24 09:11:22 2016
Received: from localhost by coyote.coyote.den with SpamAssassin (version 3.4.0); Thu, 24 Mar 2016 09:11:23 -0400
From: "Alliance Security" <AllianceSecurity@...>
To: <gheskett@...>
Subject: Alliance security Solution
Date: Thu, 24 Mar 2016 06:10:52 -0700
==================================

It should have triggered on the _real_ "From:" line, but didn't. Yet it
did trigger on several others from that same tld.

And that's the whole thing, next is the spamassassin stuff. And except for
the real From: line, it is totally bogus, unless some A.H. has figured
out how to compromise a linux email system that is NOT built like the
usual linux email chain.

I'll do some more system snooping, but the two rootkit finders we have
haven't been updated in years that I'm aware of.

Thanks folks.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>