search for: __ru_s3

...its rather a sledgehammer and will certainly FP if your organisation has Russian correspondents. Personally I'd use a meta because its far less likely to FP: describe RU_SPAM Russian spam-bot messages uri __RU_S1 /www\..{1,16}\.ru/ header __RU_S2 From =~ /[a-z]{7,8}[0-9]{4}\@/ header __RU_S3 Reply-To =~ /[a-z]{7,8}[0-9]{4}\@/ meta RU_SPAM (__RU_S1 &&__RU_S2 &&__RU_S3) score RU_SPAM 5.5 Caveat: this hasn't been lint checked or tested. Do both before deploying it. Martin