Posted to users@spamassassin.apache.org by John Horne <jo...@plymouth.ac.uk> on 2011/03/09 18:19:39 UTC
Checking Received headers
Hello,
Using SA 3.3.1 can I ask how the 'header' command in a rule treats the
Received: headers? For example, if I have:
header LOCAL_HDR_CHECK Received =~ / from \S+\.plymouth\.ac\.uk /
Does SA concatenate all the Received headers together, and then check
the regex against that?
Thanks,
John.
--
John Horne Tel: +44 (0)1752 587287
University of Plymouth, UK Fax: +44 (0)1752 587001
Re: Checking Received headers
Posted by RW <rw...@googlemail.com>.
On Wed, 09 Mar 2011 17:19:39 +0000
John Horne <jo...@plymouth.ac.uk> wrote:
> Hello,
>
> Using SA 3.3.1 can I ask how the 'header' command in a rule treats the
> Received: headers? For example, if I have:
>
> header LOCAL_HDR_CHECK Received =~ / from \S+\.plymouth\.ac\.uk /
>
> Does SA concatenate all the Received headers together, and then check
> the regex against that?
>
It checks until it finds a match on one of the Received headers.
Usually it's better to check the metadata; see the section "The
'X-Spam-Relays' Pseudo-headers" in
http://wiki.apache.org/spamassassin/TrustedRelays
Re: Checking Received headers
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2011-03-09 at 17:19 +0000, John Horne wrote:
> Using SA 3.3.1 can I ask how the 'header' command in a rule treats the
> Received: headers? For example, if I have:
>
> header LOCAL_HDR_CHECK Received =~ / from \S+\.plymouth\.ac\.uk /
>
> Does SA concatenate all the Received headers together, and then check
> the regex against that?
Yes. IIRC all headers with multiple occurrences are concatenated, one
header per line (multi-line headers are re-flowed). The following header
rule shows this.
header FOO Received =~ /^from .+^from /msi
In your case you might want to use the X-Spam-Relays-* pseudo-headers,
though, which are easy e.g. to anchor tightly at your internal or
trusted network boundaries.
header BAR X-Spam-Relays-External =~ /^\[ [^\[]+ from=BAR/
They are single-line, with a static format representing the Received
headers. Excluding opening square-brackets between the very first one
and the data to match prevents deep-parsing of possibly forged headers.
To inspect these pseudo-headers, just grep for them in the debug output.
spamassassin -D < msg 2>&1 | grep X-Spam-Relays
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
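
The matching behaviour described in the reply above, simulated in Python as an added example (not code from the thread or from SpamAssassin). The sample headers, the campus.example domain, the rdns= field being matched and all function names are assumptions constructed for illustration.

```python
import re

# Constructed Received headers, newest first, one re-flowed header per line.
RECEIVED = [
    "from mail.example.net (mail.example.net [192.0.2.10]) by mx.campus.example with ESMTP id A1",
    # Written by an upstream host outside our control, so it may be forged:
    "from relay.campus.example (unknown [198.51.100.7]) by mail.example.net with SMTP id B2",
]

def entry(ip, rdns, by, msg_id):
    """Build one constructed relay entry in the single-line bracketed layout."""
    return (f"[ ip={ip} rdns={rdns} helo={rdns} by={by} "
            f"ident= envfrom= intl=0 id={msg_id} auth= msa=0 ]")

# Pseudo-header where the campus name appears only in the second, unverified entry.
FORGED = " ".join([entry("192.0.2.10", "mail.example.net", "mx.campus.example", "A1"),
                   entry("198.51.100.7", "relay.campus.example", "mail.example.net", "B2")])
# Pseudo-header where the first external relay really is the campus host.
GENUINE = entry("203.0.113.5", "relay.campus.example", "mx.campus.example", "C3")

# Python equivalent of the FOO rule: /^from .+^from /msi
TWO_RECEIVED = re.compile(r"^from .+^from ", re.M | re.S | re.I)
# Same shape as the BAR rule: anchored to the first entry, never crossing a '['.
FIRST_RELAY = re.compile(r"^\[ [^\[]+ rdns=\S+\.campus\.example ")
# Unanchored variant for comparison: any entry can satisfy it.
ANY_RELAY = re.compile(r" rdns=\S+\.campus\.example ")

def has_multiple_received(headers):
    """True when the joined Received text contains at least two headers."""
    return bool(TWO_RECEIVED.search("\n".join(headers)))

def first_relay_is_campus(relays):
    """True only when the first relay entry carries the campus rdns."""
    return bool(FIRST_RELAY.search(relays))

def any_relay_claims_campus(relays):
    """True when any entry, however deep, carries the campus rdns."""
    return bool(ANY_RELAY.search(relays))

if __name__ == "__main__":
    print("two Received headers seen:", has_multiple_received(RECEIVED))
    for name, value in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, "anchored:", first_relay_is_campus(value),
              "unanchored:", any_relay_claims_campus(value))
```

The unanchored pattern accepts the constructed forged sample, while the anchored one accepts only the sample whose first relay entry carries the name.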