You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/11/16 02:44:27 UTC

[Bug 3969] New: header checks only check first header

http://bugzilla.spamassassin.org/show_bug.cgi?id=3969

           Summary: header checks only check first header
           Product: Spamassassin
           Version: 3.0.1
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Rules
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: mike@markley.org


Header checks only seem to check the first instance of a particular header. This
can be demonstrated by creating a message containing just:

Header: Teststring
Header: Test2string

And a rule matching it:
header TESTSTRING       Header =~ /^Teststring/
describe TESTSTRING     Test rule
score TESTSTRING        0.1

With the above configuration, TESTSTRING matches:
madhack@highhopes:~$ spamassassin -t -D rulesrun=255 -L < spamassassin.test 2>&1
| egrep "Header|TESTSTRING"
debug: Ran header regex rule TESTSTRING ======> got hit: match='Teststring'
debug: tokenize: header tokens for Header = " Teststring"
debug: tests=ALL_TRUSTED,MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,TESTSTRING
Header: Teststring
Header: Test2string
[...]

However, if you flip the order, the test never matches:
Header: Test2string
Header: Teststring

madhack@highhopes:~$ spamassassin -t -D rulesrun=255 -L < spamassassin.test 2>&1
| egrep "Header|TESTSTRING"
debug: tokenize: header tokens for Header = " Test2string"
Header: Test2string
Header: Teststring

Purely hypthetically, it seems that if you get SpamAssassin to perform the check
on one, say, Subject header while having a reasonable certainty that most MUAs
will display the other, then you have a decent way to get around SA checks of
that type. For example, I can send a message to myself with "Subject: very
urgent" that hits NIGERIAN_SUBJECT1, but I can add another, more innocuous
subject such as "Subject: spoofed" and watch NIGERIAN_SUBJECT1 fail to hit. In
both cases, mutt shows the "very urgent" subject in the message index (though,
interestingly, this happens when the spoofed subject line comes *after* the
original, as well; perhaps there's something deeper that I'm missing).



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.