Posted to users@spamassassin.apache.org by John Horne <jo...@plymouth.ac.uk> on 2011/03/09 18:19:39 UTC

Checking Received headers

Hello,

Using SA 3.3.1 can I ask how the 'header' command in a rule treats the
Received: headers? For example, if I have:

  header  LOCAL_HDR_CHECK  Received =~ / from \S+\.plymouth\.ac\.uk /

Does SA concatenate all the Received headers together, and then check
the regex against that?



Thanks,

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001

Re: Checking Received headers

Posted by RW <rw...@googlemail.com>.
On Wed, 09 Mar 2011 17:19:39 +0000
John Horne <jo...@plymouth.ac.uk> wrote:

> Hello,
> 
> Using SA 3.3.1 can I ask how the 'header' command in a rule treats the
> Received: headers? For example, if I have:
> 
>   header  LOCAL_HDR_CHECK  Received =~ / from \S+\.plymouth\.ac\.uk /
> 
> Does SA concatenate all the Received headers together, and then check
> the regex against that?
> 

It checks until it finds a match on one of the Received headers.

Usually it's better to check the metadata; see the section "The
'X-Spam-Relays' Pseudo-headers" in 

http://wiki.apache.org/spamassassin/TrustedRelays

Re: Checking Received headers

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2011-03-09 at 17:19 +0000, John Horne wrote:
> Using SA 3.3.1 can I ask how the 'header' command in a rule treats the
> Received: headers? For example, if I have:
> 
>   header  LOCAL_HDR_CHECK  Received =~ / from \S+\.plymouth\.ac\.uk /
> 
> Does SA concatenate all the Received headers together, and then check
> the regex against that?

Yes. IIRC all headers with multiple occurrences are concatenated, one
header per line (multi-line headers are re-flowed). The following header
rule shows this.

  header FOO  Received =~ /^from .+^from /msi

In your case you might want to use the X-Spam-Relays-* pseudo-headers,
though, which are easy e.g. to anchor tightly at your internal or
trusted network boundaries.

  header BAR  X-Spam-Relays-External =~ /^\[ [^\[]+ from=BAR/

They are single-line, with a static format representing the Received
headers. Excluding opening square-brackets between the very first one
and the data to match prevents deep-parsing of possibly forged headers.

To inspect these pseudo-headers, just grep for them in the debug output.

  spamassassin -D < msg 2>&1 | grep X-Spam-Relays


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
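
The anchoring described in the last reply, as an added example that is not part of the original thread: Python's `re` stands in for SpamAssassin's Perl regexes, and it compares a loose Received match with a match anchored to the first entry of X-Spam-Relays-External. The sample hosts, the LOOSE rule, the `rdns=` field name and the entry layout (taken from the TrustedRelays wiki format) are assumptions, and all sample data is constructed.

```python
import re

# Constructed sample, newest hop first. Only the first hop was recorded by our
# own MX; the second Received line is sender-supplied and could be forged.
RECEIVED = "\n".join([  # one header per line, as the reply above describes
    "from mail.badhost.example (mail.badhost.example [203.0.113.7])"
    " by mx.example.org with ESMTP id A1",
    "from relay.example.org (relay.example.org [192.0.2.10])"
    " by mail.badhost.example with SMTP id B2",
])

def relay(ip, rdns, by, qid):
    # Assumed layout of one pseudo-header entry (per the TrustedRelays wiki).
    return (f"[ ip={ip} rdns={rdns} helo={rdns} by={by} ident= envfrom= "
            f"intl=0 id={qid} auth= msa=0 ]")

# Constructed X-Spam-Relays-External value for the same message.
RELAYS_EXTERNAL = " ".join([
    relay("203.0.113.7", "mail.badhost.example", "mx.example.org", "A1"),
    relay("192.0.2.10", "relay.example.org", "mail.badhost.example", "B2"),
])

# FOO from the thread: can only match if several Received headers are in one string.
FOO = re.compile(r"^from .+^from ", re.M | re.S | re.I)
# Hypothetical loose rule: fires on any hop, including sender-supplied ones.
LOOSE = re.compile(r"^from \S+\.example\.org ", re.M)
# Same anchoring as BAR in the thread, with rdns= as the assumed field name:
# [^\[]+ cannot cross into the second "[ ... ]" entry.
ANCHORED = re.compile(r"^\[ [^\[]+ rdns=\S+\.example\.org ")

def evaluate(received, relays_external):
    """Return which of the three patterns match the given header values."""
    return {
        "FOO": bool(FOO.search(received)),
        "LOOSE": bool(LOOSE.search(received)),
        "ANCHORED": bool(ANCHORED.search(relays_external)),
    }

if __name__ == "__main__":
    print(evaluate(RECEIVED, RELAYS_EXTERNAL))
```

With this sample the loose rule fires on the second, sender-supplied hop, while the anchored rule only considers the relay that handed the message to the local MX.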