EmailDiscussions.com  

Old 20 Jan 2022, 05:22 PM   #1
Mr David
Senior Member
 
Join Date: May 2003
Location: Melbourne, Aus
Posts: 116
Sieve help - simple code to discard spam not working

Many years ago I began receiving spam from a source that always uses the same email address name but each new message is sent from a different compromised email account.

At the time it first became a problem, rules for FM accounts permitted dodgy messages to be discarded. FM changed its tune on that policy and henceforth it became necessary to create sieve rules to achieve the same effect.

I created sieve code to discard messages from this sender in May 2021 and tested it successfully with FM's sieve tester. Today a message from the same spammer got through to my account. I tried the code again in FM's sieve tester but the result was "keeping message", not "discard".

I suspect FM's handling of user account sieve code has changed. I'd like to alter the sieve code to get it working again.

The From line of the spam messages in question consistently has the following format:
"Flypaper Media & Publicity" <compromisedemailacct@company.tld>

The sieve code that used to work but now does not is:
Code:
if header :matches "From" "Flypaper Media*" {
  discard;
  stop;
}
Hopefully this raw snippet from the message received today is relevant to any guidance offered (personal details edited):
Quote:
Received: from PSAPR04MB4261.apcprd04.prod.outlook.com
([fe80::e882:704d:5174:cd32]) by PSAPR04MB4261.apcprd04.prod.outlook.com
([fe80::e882:704d:5174:cd32%5]) with mapi id 15.20.4909.010; Thu, 20 Jan 2022
06:16:13 +0000
To: "myFMaddress" <myFMaddress@FM.tld>
From: "Flypaper Media & Publicity" <compromisedaccount@outlook.com>
User-Agent: ProfiMailGo/4.30.34
Date: Wed, 19 Jan 2022 23:16:21 -0700
Message-ID:
<PSAPR04MB42618A8D19445A93D672F71DB25A9@PSAPR04MB4261.apcprd04.prod.outlook.com>
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_6E72_2D58879B.1C148181"
X-TMN: [iZo3YKoR4iM8AoGVmwZr1wpazy9Q9pvm]
Assistance to create sieve code that would discard these messages would be appreciated.

Old 20 Jan 2022, 07:50 PM   #2
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,090
The first thing I would definitely check is whether changes elsewhere in the sieve script (either yours or FM's) mean that the sieve snippet in question is no longer being processed. What happens in your script if a message has an intermediate spam score? Could that cause some of your code to be bypassed?
Old 20 Jan 2022, 08:16 PM   #3
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 484
The Sieve condition

if header :matches "From" "Flypaper Media*" {

is testing for a From header value that starts with an 'F' but in this example

From: "Flypaper Media & Publicity" <compromisedaccount@outlook.com>

the first character is a double-quote. I would think you either need to use eg

if header :matches "From" "*Flypaper Media*" {

ie look for 'Flypaper Media' preceded or followed by other characters, or
explicitly look for the double quote at the start with

if header :matches "From" "\"Flypaper Media*" {


I checked this assumption by temporarily changing an existing condition that's defined via the GUI in my rule set so it contained a double-quote, then using the "browse sieve rules" option to see how FM's code generated the sieve test for that rule. If you want a literal double-quote in the condition it needs to be 'escaped' with a leading backslash so it's not confused with the double-quotes that enclose a test value.

Maybe previously the mails that you think were filtered ok didn't enclose the sender's name in double quotes?
Old 21 Jan 2022, 05:52 AM   #4
Mr David
Senior Member
 
Join Date: May 2003
Location: Melbourne, Aus
Posts: 116
Thank you BritTim and JeremyNicoll for your quick replies.

In this instance JeremyNicoll was on the money. I tried both suggested edits to the sieve script in FM's sieve tester and each of them achieved the "discarding message" result I seek.

I'm sure I would have tested the sieve script shown in my first post to this thread to be certain it would discard messages. Maybe I'm mistaken. One way or the other FM's sieve is currently very fussy about making allowances for double-quotes.

For example:

if header :matches "From" "*Flypaper Media*" {
==> discarding message

if header :matches "From" "*Flypaper Media & Publicity" {
==> keeping message

if header :matches "From" "*Flypaper Media & Publicity*" {
==> discarding message

Thank you for this solution. I'm a complete novice with sieve and without help from this forum there's no way I would have noticed the important detail I'd overlooked. Using FM's rules GUI to reveal how FM auto-generates its script was clever.

Last edited by Mr David : 21 Jan 2022 at 07:01 PM.
Old 21 Jan 2022, 06:57 AM   #5
xyzzy
Essential Contributor
 
Join Date: May 2018
Posts: 474
Why not just use :contains "Flypaper Media" instead of :matches?
Old 21 Jan 2022, 07:04 AM   #6
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 484
Quote:
Originally Posted by Mr David
One way or the other FM's sieve is currently very fussy about making allowances for double-quotes.

For example:

if header :matches "From" "*Flypaper Media*" {
==> discarding message

if header :matches "From" "*Flypaper Media & Publicity" {
==> keeping message

if header :matches "From" "*Flypaper Media & Publicity*" {
==> discarding message
The first example discards because the value that's matched against starts and ends with asterisk which, in the "matches" test, matches arbitrary characters. So the test there is that the value of the "From" header is 'Flypaper Media' preceded or followed (or both) by other chars.

The second example keeps the message because the condition does not match. It's nothing to do with whether there's a double-quote at the start of the From header's value. It's because the righthand end of the test value has no asterisk and therefore means 'Publicity' followed by nothing else. The actual header has a space then an email address enclosed in angle brackets after the stuff in quotes.
Old 21 Jan 2022, 07:09 AM   #7
Mr David
Senior Member
 
Join Date: May 2003
Location: Melbourne, Aus
Posts: 116
Quote:
Originally Posted by xyzzy
Why not just use :contains "Flypaper Media" instead of :matches?
Yes, that works too.

I'm getting an overdue lesson on sieve syntax.
Mr David is offline   Reply With Quote
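
The outcomes reported in this thread can be reproduced offline with a small model of Sieve's `:matches` and `:contains` match types. This is an added example, not code from any poster or from FastMail; the function names and the unquoted header variant are assumptions made for illustration, and patterns are written as they look after Sieve string unescaping (`\"` becomes `"`).

```python
import re

# Header value quoted in the thread, plus a constructed variant without quotes.
QUOTED = '"Flypaper Media & Publicity" <compromisedaccount@outlook.com>'
UNQUOTED = 'Flypaper Media & Publicity <compromisedaccount@outlook.com>'


def sieve_matches(pattern, value):
    """Model of ':matches' (RFC 5228, 2.7.1): '*' is zero or more characters,
    '?' is exactly one, a backslash makes the next character literal.
    The pattern must cover the WHOLE value; ASCII case is ignored
    (default comparator i;ascii-casemap)."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            i += 1
            parts.append(re.escape(pattern[i]))
        elif ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    flags = re.IGNORECASE | re.ASCII | re.DOTALL
    return re.fullmatch("".join(parts), value, flags) is not None


def sieve_contains(needle, value):
    """Model of ':contains': plain substring test, ASCII case ignored."""
    fold = lambda s: "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)
    return fold(needle) in fold(value)


def thread_results(value=QUOTED):
    """Evaluate every test value tried in the thread against one From value."""
    patterns = ['Flypaper Media*', '*Flypaper Media*', '"Flypaper Media*',
                '*Flypaper Media & Publicity', '*Flypaper Media & Publicity*']
    results = {p: sieve_matches(p, value) for p in patterns}
    results[':contains Flypaper Media'] = sieve_contains('Flypaper Media', value)
    return {k: "discard" if hit else "keep" for k, hit in results.items()}


if __name__ == "__main__":
    for label, value in (("quoted", QUOTED), ("unquoted", UNQUOTED)):
        for pattern, result in thread_results(value).items():
            print(f"{label:8} {pattern!r:34} {result}")
```

Only the `*Flypaper Media*` forms and `:contains` give "discard" for both the quoted and the unquoted display name, which is why they are the safer choice when the sender's client may or may not quote the name.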