|Main Archive Page > Month Archives > spamassassin-users archives|
Matus UHLAR - fantomas wrote:
> I have made a few rules to match bodies of e-mail forwarded to our abuse
> account. they should match if IP from our range appears in the abuse
> body __GTSSK_IP04 /\b213\.215\.(6[4-9]|[7-9][0-9]|1[0-9]|12[0-7])\.\d/
> should match any IP from range 184.108.40.206/18
Only if this content is in the normal message body; if it's in an
attachment or in the outer message headers this won't match.
> I have received a complaint containing RFC822 attachment with this line
> in headers of the attachment:
> Received: from a43.pbi.bn.cust.gts.sk ([220.127.116.11]
> helo=smtp.pbi.sk) by mail.kontaktco.at with esmtp (Exim 4.72)
> (envelope-from <firstname.lastname@example.org>) id 1RUaIh-0000zs-8d for
> email@example.com; Sun, 27 Nov 2011 09:41:28 +0100
> Neither the body rule above, neither rule changed to header matched:
> header __GTSSK_IP04 Received =~
If you're trying to match on RFC822 attached emails, you'll need to use
the "mimeheader" rule type, with some negating rules to prevent hits on
the outer message's headers. *sigh*
mimeheader __GTSSK_IP04_MH Received =~ /ip.ad.dr.ess/
header __GTSSK_IP04_OUTER Received =~ /ip.ad.dr.ess/
meta __GTSSK_IP04 __GTSSK_IP04_MH && !__GTSSK_IP04_OUTER
> I have tried to use "rawbody" rule but still no match.
> I have SA 3.3.1 with perl 5.8.8 on gentoo linux...
> can either of those cause the problem?
I've had the same sort of trouble matching the rejected message header
in backscatter bounces. (If someone can explain to me why I should
allow structurally legitimate postmaster notices responding to fake
Twitter, Facebook, Linked, etc messages into customer's email accounts,
I've found I need to have a rawbody rule *and* mimeheader+(!header) in
order to catch all of the variations assorted mail systems and mail
clients generate. :(