this is a slightly more specific (and logically more consistent) rule:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?(checking|processing) message <[^[:space:]]+>( aka <[^[:space:]]+>)? for [._[:alnum:]-]+:[0-9]+(\.)?$

cheers,
Hp.
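
Added example, not part of the original message: a way to check the rule above against log lines with grep -E before relying on it to suppress anything. The rule is written with the alternation as (checking|processing); every sample line (hosts, PIDs, message ids, users) is constructed, and GNU grep is assumed for \w.

```shell
#!/bin/sh
# Rule from the message above, with the alternation as (checking|processing).
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: (spamd: )?(checking|processing) message <[^[:space:]]+>( aka <[^[:space:]]+>)? for [._[:alnum:]-]+:[0-9]+(\.)?$'

# Constructed sample lines; none of them come from a real system.
sample_log() {
cat <<'EOF'
Jan 12 10:15:01 mx1 spamd[2211]: spamd: processing message <a1@example.org> for alice:1001
Jan 12 10:15:02 mx1 spamd[2211]: checking message <a2@example.org> aka <b2@example.org> for nobody:65534.
Jan  2 10:15:03 mx1 spamd[2211]: spamd: processing message <a3@example.org> for alice:1001
Jan 12 10:15:04 mx1 spamd[2211]: spamd: processing message <a4@example.org> for alice:1001 extra
Jan 12 10:15:05 mx1 spamd[2211]: spamd: identified spam (15.2/5.0) for alice:1001 in 2.1 seconds, 4096 bytes.
EOF
}

# Lines the rule would suppress (read from stdin).
suppressed() { grep -E -- "$RULE"; }

# Lines that would still be reported (read from stdin).
reported() { grep -Ev -- "$RULE"; }

# Counts over the constructed sample, for quick regression checks.
count_suppressed() { sample_log | grep -Ec -- "$RULE"; }
count_reported()   { sample_log | grep -Evc -- "$RULE"; }

echo "suppressed by the rule:"
sample_log | suppressed
echo "still reported:"
sample_log | reported
```

The fourth sample line stays reported because the rule is anchored with $, so a line carrying anything after the user:uid field is not silently dropped.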