spamassassin-users December 2011 archive
Main Archive Page > Month Archives  > spamassassin-users archives
spamassassin-users: Re: matching headers/body of rfc822 attachme

Re: matching headers/body of rfc822 attachment

From: Kris Deugau <kdeugau_at_nospam>
Date: Fri Dec 02 2011 - 15:31:44 GMT
To: users@spamassassin.apache.org

Matus UHLAR - fantomas wrote:
> Hello,
>
> I have made a few rules to match bodies of e-mail forwarded to our abuse
> account. they should match if IP from our range appears in the abuse
> report:
>
> body __GTSSK_IP04 /\b213\.215\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.\d/
>
> should match any IP from range 213.215.64.0/18

Only if this content is in the normal message body; if it's in an
attachment or in the outer message headers this won't match.

> I have received a complaint containing RFC822 attachment with this line
> in headers of the attachment:
>
> Received: from a43.pbi.bn.cust.gts.sk ([213.215.106.107]
> helo=smtp.pbi.sk) by mail.kontaktco.at with esmtp (Exim 4.72)
> (envelope-from <info@hi5.com>) id 1RUaIh-0000zs-8d for
> gerhard.gollner@kontaktco.at; Sun, 27 Nov 2011 09:41:28 +0100
>
> Neither the body rule above, neither rule changed to header matched:
>
> header __GTSSK_IP04 Received =~
> /\b213\.215\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.\d/

If you're trying to match on RFC822 attached emails, you'll need to use
the "mimeheader" rule type, with some negating rules to prevent hits on
the outer message's headers. *sigh*

Something like:

mimeheader __GTSSK_IP04_MH Received =~ /ip.ad.dr.ess/
header __GTSSK_IP04_OUTER Received =~ /ip.ad.dr.ess/
meta __GTSSK_IP04 __GTSSK_IP04_MH && !__GTSSK_IP04_OUTER

> I have tried to use "rawbody" rule but still no match.
>
> I have SA 3.3.1 with perl 5.8.8 on gentoo linux...
> can either of those cause the problem?

I've had the same sort of trouble matching the rejected message header
in backscatter bounces. (If someone can explain to me why I should
allow structurally legitimate postmaster notices responding to fake
Twitter, Facebook, Linked, etc messages into customer's email accounts,
I'm listening...)

I've found I need to have a rawbody rule *and* mimeheader+(!header) in
order to catch all of the variations assorted mail systems and mail
clients generate. :(

-kgd