Posted to users@spamassassin.apache.org by Oliver Thalmann <Ol...@hospvd.ch> on 2004/11/22 17:31:46 UTC
can a regexp test span over multiple headers ?
hi,
lately, i see more and more spam which have a X-Message-Info: header
embedded between Received: headers, like
Received: from ...blah blah...
X-Message-Info: 31iOCamNW4Lqooq4inEUndCY4PC6uZOOmrZ53
Received: from ...blah blah...
from what i see on my site corpus, i'd say we don't receive legitimate
mail which has such an embedded X-Message-Info.
there could (not verifiable) however be legitimate mail which have a
X-Message-Info header, but then it is not embedded between Received headers
is it possible in spamassassin (via regexp ?) to test for a "sandwiched"
X-Message-Info: header between Received: headers ?
or more globally, can a regexp test span over multiple header lines ?
Thanks
Re: can a regexp test span over multiple headers ?
Posted by Fred <sp...@freddyt.com>.
Oliver Thalmann wrote:
> is it possible in spamassassin (via regexp ?) to test for a
> "sandwiched" X-Message-Info: header between Received: headers ?
There is a default rule since 3.0 which looks for X-Message-Info, it's
scored pretty high too, which version of SA are you using?
Re: can a regexp test span over multiple headers ?
Posted by Matt Kettler <mk...@evi-inc.com>.
At 11:31 AM 11/22/2004, Oliver Thalmann wrote:
>Received: from ...blah blah...
>X-Message-Info: 31iOCamNW4Lqooq4inEUndCY4PC6uZOOmrZ53
>Received: from ...blah blah...
>
>from what i see on my site corpus, i'd say we don't receive legitimate
>mail which has such an embedded X-Message-Info.
>there could (not verifiable) however be legitimate mail which have a
>X-Message-Info header, but then it is not embedded between Received headers
>
>is it possible in spamassassin (via regexp ?) to test for a "sandwiched"
>X-Message-Info: header between Received: headers ?
>
>or more globally, can a regexp test span over multiple header lines ?
Yes, you need to use the special header ALL for this, and your trailing
regex / needs a /m to make it multiline, or /s.
For example, from SA 3.0.1:
20_head_tests.cf:header __MSGID_BEFORE_RECEIVED ALL =~ /\nMessage-Id:.*\nReceived:/si
you might try something like:
header SANDWICH_INFO ALL =~ /\nReceived:.*\nX-Message-Info:.*\nReceived:/si
or:
header SANDWICH_INFO ALL =~ /\nReceived:.*\nX-Message-Info:.*\nReceived:/mi
The first rule will allow other headers to also be between the Received:
headers. The second will match if X-Message-Info is the only header between
two Received: headers. (/m won't allow . to match newlines, thus it has to
be a match of 3 consecutive headers. /s will allow it, so extra headers can
be swallowed by the .*)
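
The difference between the two suggested rules can be checked outside SpamAssassin by running the same regexes in plain Perl over sample header text. This is an added example, not part of the original thread: the header blocks are constructed, and the folded-Received case assumes the text being matched still contains continuation lines.

```perl
use strict;
use warnings;

# The two candidate patterns from the thread, compiled as plain Perl regexes.
my @rules = (
    [ '/si' => qr/\nReceived:.*\nX-Message-Info:.*\nReceived:/si ],
    [ '/mi' => qr/\nReceived:.*\nX-Message-Info:.*\nReceived:/mi ],
);

# Constructed header blocks (not real mail). Each begins with Return-Path
# because both patterns need a newline in front of the first Received:.
my @samples = (
    [ 'adjacent sandwich' => [
        'Return-Path: <sender@example.com>',
        'Received: from mx1.example.com by mx2.example.com',
        'X-Message-Info: CONSTRUCTED-VALUE',
        'Received: from host.example.net by mx1.example.com',
        'Subject: test' ] ],
    [ 'extra header in between' => [
        'Return-Path: <sender@example.com>',
        'Received: from mx1.example.com by mx2.example.com',
        'X-Message-Info: CONSTRUCTED-VALUE',
        'X-Mailer: Constructed Mailer 1.0',
        'Received: from host.example.net by mx1.example.com',
        'Subject: test' ] ],
    [ 'folded Received' => [
        'Return-Path: <sender@example.com>',
        'Received: from mx1.example.com',
        "\tby mx2.example.com",   # continuation line of the header above
        'X-Message-Info: CONSTRUCTED-VALUE',
        'Received: from host.example.net by mx1.example.com',
        'Subject: test' ] ],
    [ 'not sandwiched' => [
        'Return-Path: <sender@example.com>',
        'Received: from mx1.example.com by mx2.example.com',
        'Received: from host.example.net by mx1.example.com',
        'X-Message-Info: CONSTRUCTED-VALUE',
        'Subject: test' ] ],
);

# Report, per sample, whether each pattern matches the joined header text.
for my $s (@samples) {
    my ($name, $lines) = @$s;
    my $headers = join("\n", @$lines) . "\n";
    my @hits = map { $headers =~ $_->[1] ? "$_->[0] hit " : "$_->[0] miss" } @rules;
    printf "%-26s %s\n", $name, join('  ', @hits);
}
```

Only the /si form matches the extra-header and folded cases, and neither form matches when X-Message-Info follows the last Received: line.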