Posted to users@spamassassin.apache.org by Oliver Thalmann <Ol...@hospvd.ch> on 2004/11/22 17:31:46 UTC

can a regexp test span over multiple headers ?

hi,

lately, i see more and more spam which have a X-Message-Info: header 
embedded between Received: headers, like

Received: from  ...blah blah...
X-Message-Info: 31iOCamNW4Lqooq4inEUndCY4PC6uZOOmrZ53
Received: from  ...blah blah...

from what i see on my site corpus, i'd say we don't receive legitimate 
mail which has such an embedded X-Message-Info.
there could (not verifiable) however be legitimate mail which have a 
X-Message-Info header, but then it is not embedded between Received headers

is it possible in spamassassin (via regexp ?) to test for a "sandwiched" 
X-Message-Info: header between Received: headers ?

or more globally, can a regexp test span over multiple header lines ?

Thanks


Re: can a regexp test span over multiple headers ?

Posted by Fred <sp...@freddyt.com>.
Oliver Thalmann wrote:
> is it possible in spamassassin (via regexp ?) to test for a
> "sandwiched" X-Message-Info: header between Received: headers ?

There is a default rule since 3.0 which looks for X-Message-Info, it's
scored pretty high too, which version of SA are you using?


Re: can a regexp test span over multiple headers ?

Posted by Matt Kettler <mk...@evi-inc.com>.
At 11:31 AM 11/22/2004, Oliver Thalmann wrote:
>Received: from  ...blah blah...
>X-Message-Info: 31iOCamNW4Lqooq4inEUndCY4PC6uZOOmrZ53
>Received: from  ...blah blah...
>
>from what i see on my site corpus, i'd say we don't receive legitimate 
>mail which has such an embedded X-Message-Info.
>there could (not verifiable) however be legitimate mail which have a 
>X-Message-Info header, but then it is not embedded between Received headers
>
>is it possible in spamassassin (via regexp ?) to test for a "sandwiched" 
>X-Message-Info: header between Received: headers ?
>
>or more globally, can a regexp test span over multiple header lines ?

Yes, you need to use the special header ALL for this, and your trailing 
regex / needs a /m to make it multiline, or /s.

For example, from SA 3.0.1:
20_head_tests.cf:header __MSGID_BEFORE_RECEIVED ALL =~ /\nMessage-Id:.*\nReceived:/si

you might try something like:

         header SANDWICH_INFO    ALL =~ /\nReceived:.*\nX-Message-Info:.*\nReceived:/si
or:
         header SANDWICH_INFO    ALL =~ /\nReceived:.*\nX-Message-Info:.*\nReceived:/mi

The first rule will allow other headers to also be between the Received: 
headers. The second will match if X-Message-Info is the only header between 
two Received: headers. (/m won't allow . to match newlines, thus it has to 
be a match of 3 consecutive headers. /s will allow it, so extra headers can 
be swallowed by the .*)
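
An added example, not part of the original thread and not SpamAssassin's own code: the two suggested patterns run in Python over constructed header blocks, with Perl's /si and /mi mapped to re.S|re.I and re.M|re.I. The thread does not say whether the ALL pseudo-header presents Received: lines folded or unfolded, so the folded case is an assumption included for comparison.

```python
import re

# Pattern from the reply above. Perl /s -> re.S (dot matches newline),
# /m -> re.M (only changes ^ and $, unused here), /i -> re.I.
PATTERN = r"\nReceived:.*\nX-Message-Info:.*\nReceived:"
LOOSE = re.compile(PATTERN, re.S | re.I)    # the /si variant
STRICT = re.compile(PATTERN, re.M | re.I)   # the /mi variant


def check(headers):
    """Return (loose_hit, strict_hit) for one raw header block."""
    return bool(LOOSE.search(headers)), bool(STRICT.search(headers))


# Constructed sample header blocks (hosts and token are made up).
TOP = "Return-Path: <sender@example.org>\n"
INFO = "X-Message-Info: CONSTRUCTEDTOKEN\n"
RCVD1 = "Received: from a.example by b.example\n"
RCVD2 = "Received: from c.example by d.example\n"
TAIL = "Subject: test\n"

SAMPLES = {
    # X-Message-Info directly between two single-line Received: headers.
    "adjacent": TOP + RCVD1 + INFO + RCVD2 + TAIL,
    # Another header sits between the first Received: and X-Message-Info.
    "extra_header": TOP + RCVD1 + "X-Mailer: Example\n" + INFO + RCVD2 + TAIL,
    # Same as "adjacent", but the first Received: is folded onto two lines.
    "folded": TOP + "Received: from a.example\n\tby b.example\n"
              + INFO + RCVD2 + TAIL,
    # X-Message-Info below all Received: headers, so not sandwiched.
    "not_sandwiched": TOP + RCVD1 + RCVD2 + INFO + TAIL,
}


def run():
    """Evaluate both variants on every constructed sample."""
    return {name: check(block) for name, block in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in run().items():
        print(f"{name:15} /si={loose!s:5} /mi={strict}")
```
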