> Looks very interesting. The \1 is a performance-killer, though. This
> really needs to be implemented as an eval rule... something like
>
> sub check_whatever {
>   my ($self) = @_;
>
>   my $mid = $self->get('MESSAGEID');
>   if ($mid =~ m/<[A-Z]{28}\.(.+?)>/) {
>     # quote the captured address so its dots match literally
>     my $addr = quotemeta($1);
>     my $from = $self->get('From');
>     if ($from =~ m/\"[^\"]+\"\s*<$addr>/) {
>       return 1;
>     }
>   }
>   return 0;
> }
>
> I tweaked the regular expression a tiny bit. Function is untested and
> probably doesn't work. ;-)
(You do need at least {28,29} to make it work.)
I suspect you may already have the right things lying around internally with
names on them. Just need to compare the right things. A little hard to do
in normal rules, since as far as I know I can't reference internal variables
in tests; but maybe even that is possible.
All we are really checking here is that the tail of the message-id is the
same as the putative sender+hostname. My original analysis comments on this
pattern (which for obvious reasons existed only in my internal
documentation):
# This one is almost too easy. The Message-ID is always 28 or 29 uppercase alpha characters ending in
# either AA or AB, followed by a dot, followed by the complete sender's email address including
# the domain. Also, the timezone is always +0000, similar to ratware #2 above.
# Many other details vary, such as the claimed mailer. However, we have some constants.
#
# Message-ID: <[EMAIL PROTECTED]>
# From: "Cliff Felton" <[EMAIL PROTECTED]>
# Date: Fri, 09 Apr 2004 08:34:51 +0000
#
# Usually the From follows the Message-ID, but not always. So we have to do this check twice.
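
The check described in this message (the Message-ID tail compared with the From address, plus the +0000 timezone), as an added standalone Perl example that is not part of the original thread and not SpamAssassin's own code. The function names and sample headers are constructed for illustration; it compares the two addresses as strings instead of interpolating one into a regex, and looks each header up by name so header order does not matter.

```perl
use strict;
use warnings;

# First value of a header in a raw header block; folded lines are unfolded.
sub header {
    my ($raw, $name) = @_;
    (my $unfolded = $raw) =~ s/\r?\n[ \t]+/ /g;
    return $unfolded =~ /^\Q$name\E:[ \t]*(.*?)[ \t]*\r?$/mi ? $1 : '';
}

sub msgid_tail_matches_from {
    my ($raw) = @_;
    # Assumption: 28 or 29 letters in total, the last two being AA or AB,
    # then a dot, then what should be the sender's full address.
    my ($tail) = header($raw, 'Message-ID') =~ /^<[A-Z]{26,27}A[AB]\.([^<>\s]+)>$/
        or return 0;
    # From: "Display Name" <addr>
    my ($addr) = header($raw, 'From') =~ /^"[^"]+"\s*<([^<>\s]+)>$/
        or return 0;
    # String comparison: no backreference, and dots in the address are
    # never interpreted as regex metacharacters.
    return 0 unless lc($tail) eq lc($addr);
    # The Date timezone is always +0000 for this pattern.
    return header($raw, 'Date') =~ /\s\+0000$/ ? 1 : 0;
}

# Constructed sample headers (not taken from real mail).
my @samples = (
    [ '28 letters, From first' => <<'EOT' ],
From: "Sample Sender" <sender@example.com>
Message-ID: <QWERTYUIOPASDFGHJKLZXCVBNMAA.sender@example.com>
Date: Fri, 09 Apr 2004 08:34:51 +0000
EOT
    [ '29 letters, Message-ID first' => <<'EOT' ],
Message-ID: <QWERTYUIOPASDFGHJKLZXCVBNMQAB.sender@example.com>
From: "Sample Sender" <sender@example.com>
Date: Fri, 09 Apr 2004 08:34:51 +0000
EOT
    [ 'tail differs from From' => <<'EOT' ],
Message-ID: <QWERTYUIOPASDFGHJKLZXCVBNMAA.other@example.net>
From: "Sample Sender" <sender@example.com>
Date: Fri, 09 Apr 2004 08:34:51 +0000
EOT
);

printf "%-30s %s\n", $_->[0], msgid_tail_matches_from($_->[1]) ? 'HIT' : 'no hit'
    for @samples;
```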