You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by NFN Smith <wo...@mail.com> on 2011/04/29 19:29:18 UTC

Header handling question

One of my spamtraps is getting a lot of traffic of messages with 
Facebook and Twitter URLs.  This is content that is coming from Yahoo 
servers, although shows non-Yahoo return addresses, and some portion 
have missing subject lines.

On further inspection, I find that the MISSING_SUBJECT, and in turn, I 
see by inspecting the message headers, that the subject header is 
rendered as "subject:" (with lower-case "s"), rather than "Subject:"

Is case-sensitivity causing that particular rule to miss, and is there a 
way to set a regexp to look specifically for that particular pattern?

I think I've found enough other rules hits to make for a distinct 
fingerprint, so that I can go after this stuff with a local rule, but to 
me, the case error in the header coming from a misconfigured robomailer 
seems to be a pretty reliable indicator.

Smith

Re: Header handling question

Posted by John Hardin <jh...@impsec.org>.

On Fri, 29 Apr 2011, NFN Smith wrote:

> is there a way to set a regexp to look specifically for that particular 
> pattern?

Three is a rule in my sandbox that fires if more than one header in a 
short list (including subject:) is oddly capitalized, including 
all-lowercase for the one-word headers.

Unfortunately a lot of ham (> 4.5% of the corpus) appears to be sloppy 
this way, so this is only useful in a meta with other tests.

http://ruleqa.spamassassin.org/?rule=%2FHDRS_LCASE&srcpath=jhardin

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Taking my gun away because I *might* shoot someone is like cutting
   my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                   -- Peter Venetoklis
-----------------------------------------------------------------------
  9 days until the 66th anniversary of VE day