I think I am familiar with the Mercury content control rule language. I also read the pdf documentation many times.
Configuration -> Content Control: Using a single control set here.
My problem: Spammers like to send ZIP attachments using mails looking like original mails from known services, e.g. UPS. I am UPS customer, and in this case we receive notification on a regular base. These mails use to have in the header:
From: "UPS Quantum View" <pkginfo@ups.com>
Subject: UPS Delivery Notification, Tracking Number xxxxxxxxxxxxxx
To detect faked mails I use rule #1:
if subject contains "UPS Delivery Notification" weight 50
However, genuine messages always contain our company name somwhere in the body. So, rule #2 is:
if sender contains "pkginfo@ups.com" AND content contains "<my company name>" weight -100 TAG "likely genuine UPS message"
Rule #2 appears before rule #1 in the ruleset, if this is of importance. So what happens; all genuine messages are filtered out to the spam folder.
X-CC-Diagnostic: Subject contains "UPS Delivery Notification" (50)
Seems like rule #1 always takes effect, and rule #2 is never obeyed. I checked it again and again. The body contains
At the request of <my company name>, , this notice alerts you that ... bla bla
and +50 - 100 should result in -50. The CONTAINS operator simply looks for a group of characters anywhere in the specified location (from the docs).
Any ideas?