spamassassin-users December 2011 archive

Re: matching headers/body of rfc822 attachment

From: Matus UHLAR - fantomas <uhlar_at_nospam>
Date: Thu Dec 08 2011 - 13:25:39 GMT
To: users@spamassassin.apache.org

>Matus UHLAR - fantomas wrote:
>>I have made a few rules to match bodies of e-mail forwarded to our abuse
>>account. they should match if IP from our range appears in the abuse
>>report:
>>
>>body __GTSSK_IP04 /\b213\.215\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.\d/
>>
>>should match any IP from range 213.215.64.0/18

On 02.12.11 10:31, Kris Deugau wrote:
>Only if this content is in the normal message body; if it's in an
>attachment or in the outer message headers this won't match.

>>header __GTSSK_IP04 Received =~
>>/\b213\.215\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.\d/
>
>If you're trying to match on RFC822 attached emails, you'll need to
>use the "mimeheader" rule type,

I am afraid this does not apply to Received: headers.

At least this rule:

mimeheader T_BLAH Received =~ /62\.168\.116\.69/

did not match this line:

Received: from [62.168.116.69] (helo=ns.nitranet.sk)

> with some negating rules to prevent
>hits on the outer message's headers. *sigh*

well, that is something I would like to avoid...

It's quite possible that received messages will have our IP ranges in
their headers.

>>I have tried to use "rawbody" rule but still no match.
>>
>>I have SA 3.3.1 with perl 5.8.8 on gentoo linux...
>>can either of those cause the problem?
>
>I've had the same sort of trouble matching the rejected message
>header in backscatter bounces. (If someone can explain to me why I
>should allow structurally legitimate postmaster notices responding to
>fake Twitter, Facebook, Linked, etc messages into customer's email
>accounts, I'm listening...)
>
>I've found I need to have a rawbody rule *and* mimeheader+(!header)
>in order to catch all of the variations assorted mail systems and
>mail clients generate. :(

which SA version?
-- 
Matus UHLAR - fantomas, uhlar_at_fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
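
An added example, not part of the original post and not SpamAssassin code: a standalone Python check that keeps the Received headers of the outer message apart from those of a message/rfc822 attachment and tests each address against 213.215.64.0/18, which is useful for confirming what a rule ought to hit. The sample report, its hostnames and its addresses are constructed, and the function names are hypothetical.

```python
import email
import ipaddress
import re
from email import policy

OUR_NET = ipaddress.ip_network("213.215.64.0/18")  # range named in the thread
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: abuse report carrying the offending mail as message/rfc822.
SAMPLE = """\
Received: from mx.reporter.example ([192.0.2.10]) by mx.abuse.example ([213.215.64.1]); Thu, 8 Dec 2011 13:00:00 +0000
From: reporter@reporter.example
Subject: abuse report
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Spam received, original attached.
--BOUND
Content-Type: message/rfc822

Received: from [213.215.70.5] (helo=client.example) by mx.reporter.example; Thu, 8 Dec 2011 12:00:00 +0000
Subject: buy now

spam body
--BOUND--
"""

def in_range_ips(header_values):
    """Return every IPv4 address in the header values that lies in OUR_NET."""
    hits = []
    for value in header_values:
        for cand in IPV4.findall(str(value)):
            try:
                if ipaddress.ip_address(cand) in OUR_NET:
                    hits.append(cand)
            except ValueError:  # dotted string that is not a valid address
                pass
    return hits

def received_hits(raw):
    """Split in-range Received addresses into outer message vs. attached message."""
    msg = email.message_from_string(raw, policy=policy.default)
    attached = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            attached += in_range_ips(part.get_payload(0).get_all("Received", []))
    return {"outer": in_range_ips(msg.get_all("Received", [])), "attached": attached}
```

In the sample both the outer and the attached message contain an address from the range, so only the "attached" list identifies the reported host.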