https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6781

--- Comment #9 from Mark Martinec <[email protected]> ---
Observed 3800 messages which hit MULTI_FROM_BAD during the last four days.

Among these there were three legitimate mail messages with two addresses
in a From, and a missing Sender (a conference registration confirmation
or paper submissions). These were genuine false positives (of which one
was quarantined for exceeding a spam threshold, while the other two
were rescued by other rules).

Besides the above three, there were three additional false positives, where
my version of MULTI_FROM_ADDR misfired. These three were a result of a
B64-encoded display name in the iso-2022-jp character set, which happened
to contain bytes '@' and ',' in the b64-decoded string.

The string that was matched looked like (somewhat obfuscated):
  _$B:#1xxf_(B _$B@5,_(B <[email protected]>

It is most unfortunate that the :addr modifier only returns the first
of multiple addresses (in a To, From, Cc, ...), which means it can't
be used in counting the number of e-mail addresses in a From.

It also seems wrong to do the manual (in-the-rule) parsing *after*
the QP or B decoding, so apparently the :raw form must be used,
which means having to deal with folding, comments, display names,
and a group name.

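Added example, not part of the comment above and not SpamAssassin code: a Python sketch of why counting From addresses has to happen on the raw header body, before QP/B decoding, while coping with folding, comments, quoted display names and group syntax. Assumptions: the names `naive_multi` and `raw_count` are hypothetical, the pattern in `naive_multi` is a stand-in and not the actual MULTI_FROM_ADDR rule, the sample headers are constructed, and domain literals are not handled.

```python
import base64
import re

ENCODED_WORD = re.compile(r"=\?[^?]+\?[bB]\?([^?]*)\?=")

def naive_multi(raw):
    """Decode B encoded-words first, then look for 'addr, addr' (misfires)."""
    decoded = ENCODED_WORD.sub(
        lambda m: base64.b64decode(m.group(1)).decode("latin-1"), raw)
    return re.search(r"@[^,]*,.*@", decoded) is not None

def raw_count(raw):
    """Count mailboxes in the raw From body, before any QP/B decoding."""
    s = re.sub(r"\r?\n(?=[ \t])", "", raw)   # undo header folding
    items, cur = [], ""
    quoted, depth, angle = False, 0, False
    i = 0
    while i < len(s):
        c = s[i]
        i += 1
        if c == "\\" and (quoted or depth):
            i += 1                            # quoted-pair: skip escaped char
        elif quoted:
            quoted = c != '"'                 # drop quoted-string content
        elif depth:
            depth += (c == "(") - (c == ")")  # comments may nest
        elif c == '"':
            quoted = True
        elif c == "(":
            depth = 1
        elif c == ":" and not angle:
            cur = ""                          # discard the group name
        elif c in ",;" and not angle:
            items.append(cur)                 # end of one mailbox (or group)
            cur = ""
        else:
            angle = (c == "<") or (angle and c != ">")
            cur += c
    items.append(cur)
    return sum("@" in item for item in items)

# Constructed samples (not taken from the bug report).
JP = b"\x1b$B@50,\x1b(B"   # ISO-2022-JP bytes that include '@' and ','
ENCODED_NAME = ("=?ISO-2022-JP?B?" + base64.b64encode(JP).decode()
                + "?= <user@example.org>")
GROUP = ('Committee (chairs, 2012):\r\n alice@example.org,\r\n'
         ' "Bob, Jr." <bob@example.org>;')
```

The raw form works because the characters allowed inside an encoded-word in a display name exclude `@`, `,`, `:`, `;`, `<`, `>`, `(`, `)` and `"`, so every such character seen in the raw header is structural.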