You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by mgoldey <mg...@goldey.net> on 2008/02/22 21:55:12 UTC

Technical question on header rule matching

I've been through the SA man pages, etc., and can't find a description of
rule matching that answers this question:  when more than one header of a
certain type exists, will a rule requiring a negative match count once per
e-mail, or once per header.

Clear as mud.  

Here's what I mean.  I have a META rule that checks the the From header and,
upon a match, checks for other strings in the Received header that indicate
a valid e-mail.  (In other words, hunting for spoofed From fields).  No
match in Received = spam.  

Here's a schematic of the matching rule:

header LOCAL_EXAMPLE Received !~ /(coffee|tea|sugar)/
score __LOCAL_EXAMPLE 3

The typical e-mail has more than one Received header.  Suppose that there
are 5 Received headers, and one contains the string "coffee" What score does
the e-mail get from this rule?   0? 3? 12?

My goal is to give it a 0.  

In a way, the same question comes up for this filter:  

header LOCAL_EXAMPLE ALL !~ /(coffee|tea|sugar)/
score __LOCAL_EXAMPLE 3

Surely, the ALL filter looks for a single match, or the lack of any match,
and returns a single hit either way, and not one hit for every header that
matches (or doesn't match).  

Perhaps that's a better way to get the 0, but either way, I can find
anything in the documentation that let's me know.

Any help would be appreciated.  TIA.

--mhg
-- 
View this message in context: http://www.nabble.com/Technical-question-on-header-rule-matching-tp15641640p15641640.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Technical question on header rule matching

Posted by Loren Wilton <lw...@earthlink.net>.
> I've been through the SA man pages, etc., and can't find a description of
> rule matching that answers this question:  when more than one header of a
> certain type exists, will a rule requiring a negative match count once per
> e-mail, or once per header.

All headers of the same name are concatenated into a single header for the 
rule match, I believe.
I am not sure whether the headers will be separated by newlines in the 
string, or merely by spaces.
For Received headers specifically, there are also a number of meta-headers 
built by SA that do not appear in the message, but can be used in rule 
matching.  These break the headers out by trusted, untrusted, etc.  The 
format of these headers is I think a little different thant he normal 
Received headers.  The format should be documented somewhere; I haven't 
looked for it.

        Loren