Re: Matching on missing To field?

2022-07-21 Thread Matus UHLAR - fantomas

> I have a number of rules that match on the To field, but what to do if the
> To field is missing?

10_hasbase.cf:header __HAS_TO exists:To

define:

meta MISSING_TO !__HAS_TO

> Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
> by mail01.example.com (Postfix) with SMTP id 12425B9B
> for ; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
>
> I realize I can match on the Received header here, but that would require
> creating an additional rule for each corresponding To rule. Perhaps there's
> a way to combine them, or a tag that can be used for both?



the main question is what you want to match.


On 20.07.22 22:40, Alex wrote:

> The problem I'm having is that my To header rules aren't matching because
> there is no To header, and I'm otherwise unsure what to match on.


The problem is if there's no To: header, there is nothing to match.
You did not say what you want to match, that's why I asked.


> The only occurrence of the recipient in the entire email is in that
> Received header.


Aha, so you want to find the recipient!

While SA parses Received: headers into pseudo-headers X-Spam-Relays-*
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TrustedRelays
looks like it does not try to parse the envelope recipient:

X-Spam-Relays-Untrusted: [ ip=3.227.148.255 rdns=mxout1-ec2-va.apache.org 
helo=mxout1-ec2-va.apache.org by=fantomas.fantomas.sk ident= envfrom= intl=0 
id=1AF2FA0012 auth= msa=0 ]



Perhaps you could match the Received header with the name of your mail server:

Received: from mxout1-ec2-va.apache.org (mxout1-ec2-va.apache.org [3.227.148.255])
	by fantomas.fantomas.sk (Postfix) with ESMTPS id 1AF2FA0012
	for ; Thu, 21 Jul 2022 04:40:21 +0200 (CEST)
	^

unless your mailserver adds the envelope recipient address to the headers
(common for domain mailboxes, uncommon for others)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them


Re: Matching on missing To field?

2022-07-21 Thread Loren Wilton
> The problem I'm having is that my To header rules aren't matching because 
> there is no To header, 
> and I'm otherwise unsure what to match on. The only occurrence of the 
> recipient in the entire email 
> is in that Received header.
> 

> It does match on "ALL", but I think I need to be more specific than that, to 
> avoid matching on "From:" 
> or Return-Path or EnvelopeFrom.

If you want to match on text in Received headers only, then just write a rule 
to check that header type:

header __TO_FRED_JOHNSON    To =~ /\bfred\.johnson@foo\.com\b/
header __RCVD_FRED_JOHNSON  Received =~ /\bfred\.johnson@foo\.com\b/
meta   TO_FRED_JOHNSON      __TO_FRED_JOHNSON || __RCVD_FRED_JOHNSON
meta   NOT_TO_ME            !TO_FRED_JOHNSON

You could do that with ALL, but this way is probably more efficient, and will 
be a lot less confusing regex.

Loren
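The rule set above and Matus's suggestion of matching the Received: line written by your own server can be checked outside SpamAssassin. The following Python script is an added example, not code from the thread or from SpamAssassin: it evaluates the same __HAS_TO / MISSING_TO / TO_FRED_JOHNSON / NOT_TO_ME logic over three constructed messages, and pulls the envelope recipient out of the Received: header whose `by` host is mail01.example.com. The sample messages, the host name and the regex that stands in for SA's header matching are assumptions made for the example.

```python
import email
import re

# Constructed sample messages (not taken from the thread); mail01.example.com
# and fred.johnson@foo.com are the names used in the thread.
MSG_WITH_TO = """\
Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
        by mail01.example.com (Postfix) with SMTP id 12425B9B
        for <fred.johnson@foo.com>; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
From: someone@test.com
To: Fred Johnson <fred.johnson@foo.com>
Subject: sample

body
"""

# Same hop, but the sender omitted the To: header entirely.
MSG_NO_TO = """\
Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
        by mail01.example.com (Postfix) with SMTP id 12425B9B
        for <fred.johnson@foo.com>; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
From: someone@test.com
Subject: sample

body
"""

# No To: header and the envelope recipient is somebody else.
MSG_OTHER = """\
Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
        by mail01.example.com (Postfix) with SMTP id 12425B9B
        for <jane.doe@foo.com>; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
From: someone@test.com
Subject: sample

body
"""

RECIPIENT_RE = re.compile(r"\bfred\.johnson@foo\.com\b", re.I)


def _unfold(value):
    """Join folded header continuation lines so a regex sees one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def has_header(raw, name):
    """Equivalent of `header __HAS_TO exists:To` (name check is case-insensitive)."""
    return name in email.message_from_string(raw)


def header_matches(raw, name, pattern):
    """Equivalent of `header RULE Name =~ /pattern/`: true if any instance of the
    named header matches (a message usually carries several Received: lines)."""
    msg = email.message_from_string(raw)
    return any(pattern.search(_unfold(v)) for v in msg.get_all(name) or [])


def received_for_recipient(raw, our_host):
    """Pull the `for <addr>` clause out of the Received: header written by our
    own server (selected by its `by` host). Returns None when our hop has no
    `for` clause or no Received: header names our host."""
    by_re = re.compile(r"\bby\s+" + re.escape(our_host) + r"\b", re.I)
    for_re = re.compile(r"\bfor\s+<?([^\s<>;]+)>?\s*;")
    msg = email.message_from_string(raw)
    for rcvd in msg.get_all("Received") or []:
        line = _unfold(rcvd)
        if by_re.search(line):
            m = for_re.search(line)
            return m.group(1) if m else None
    return None


def evaluate(raw):
    """Evaluate the thread's rules; returns booleans keyed by rule name."""
    hits = {}
    hits["__HAS_TO"] = has_header(raw, "To")
    hits["MISSING_TO"] = not hits["__HAS_TO"]
    hits["__TO_FRED_JOHNSON"] = header_matches(raw, "To", RECIPIENT_RE)
    hits["__RCVD_FRED_JOHNSON"] = header_matches(raw, "Received", RECIPIENT_RE)
    hits["TO_FRED_JOHNSON"] = hits["__TO_FRED_JOHNSON"] or hits["__RCVD_FRED_JOHNSON"]
    hits["NOT_TO_ME"] = not hits["TO_FRED_JOHNSON"]
    return hits


if __name__ == "__main__":
    for label, raw in (("with To", MSG_WITH_TO), ("no To", MSG_NO_TO), ("other rcpt", MSG_OTHER)):
        print(label, evaluate(raw), received_for_recipient(raw, "mail01.example.com"))
```

The point of keying on the `by` host is the same one Matus makes: only the Received: line your own MTA wrote is trustworthy, while earlier hops' `for` clauses are whatever the sender put there.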


Re: Matching on missing To field?

2022-07-20 Thread Alex
Hi,

> > I have a number of rules that match on the To field, but what to do if the
> > To field is missing?
>
> 10_hasbase.cf:header __HAS_TO exists:To
>
> define:
>
> meta MISSING_TO !__HAS_TO
>
> > Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
> > by mail01.example.com (Postfix) with SMTP id 12425B9B
> > for ; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
> >
> > I realize I can match on the Received header here, but that would require
> > creating an additional rule for each corresponding To rule. Perhaps there's
> > a way to combine them, or a tag that can be used for both?
>
> the main question is what you want to match.


The problem I'm having is that my To header rules aren't matching because
there is no To header, and I'm otherwise unsure what to match on. The only
occurrence of the recipient in the entire email is in that Received header.

My reference to the __HDRS_MISSP was to possibly use that as an example for
a new rule that would allow me to match on the j...@gooddom.com using the
same "ALL:raw" idea in some way.

It does match on "ALL", but I think I need to be more specific than that,
to avoid matching on "From:" or Return-Path or EnvelopeFrom.

Thanks,
Alex


Re: Matching on missing To field?

2022-07-20 Thread John Hardin

On Wed, 20 Jul 2022, Loren Wilton wrote:

>>> header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
>>
>> That rule just says: look at all the raw header data and match if there's
>> none of Subject, From, To, Reply-To entries.
>> IE a really malformed message.
>
> Hum. As I read it, that is "headers misspelled" (not "headers missing")

MISSP = misspaced

> and it is checking for any of the listed words at the start of a line,
> followed by a colon, and NOT followed by a space.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  What the hell is an "Aluminum Falcon"??      -- Emperor Palpatine
---
 Today: the 53rd anniversary of Apollo 11 landing on the Moon
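To settle the reading of __HDRS_MISSP, here is an added Python example (not from the thread or from SpamAssassin) that runs the rule's regex with the same i/s/m flags over constructed raw header blocks: correctly spaced headers, mis-spaced ones, and a block with none of the four headers at all. It shows that the rule fires only on the `Name:value` case (no whitespace after the colon) and does not fire when the headers are simply absent, which is the distinction John and Bill draw.

```python
import re

# The rule's regex and flags, /^(?:Subject|From|To|Reply-To):\S/ism, with a
# capture group added around the header name so the offender can be reported.
# The group does not change what matches.
HDRS_MISSP_RE = re.compile(r"^((?:Subject|From|To|Reply-To)):\S", re.I | re.S | re.M)

# Constructed raw header blocks, the kind of text SA's ALL:raw pseudo-header
# hands to the rule (headers only, never the body).
GOOD = (
    "From: Alice <alice@example.com>\n"
    "To: bob@example.com\n"
    "Subject: hello\n"
    "Reply-To: alice@example.com\n"
)

# Same headers, but "to:" and "Subject:" have no space after the colon.
MISSPACED = (
    "From: Alice <alice@example.com>\n"
    "to:bob@example.com\n"
    "Subject:hello\n"
)

# None of the four headers present at all: what the "headers missing"
# reading would expect the rule to catch.
MISSING_ALL = (
    "Received: from a.example.com by b.example.com with SMTP id 1234\n"
    "Date: Wed, 20 Jul 2022 09:07:04 -0700\n"
    "Message-ID: <1234@example.com>\n"
)

# Edge cases: an empty Subject value and a folded To: continuation line.
# \S does not match the newline after "Subject:", and ^ only matches at the
# start of a line, so the indented continuation cannot fire the rule either.
EDGE = (
    "Subject:\n"
    "To: bob@example.com,\n"
    " carol@example.com\n"
)


def hdrs_missp(raw_headers):
    """True when any of Subject/From/To/Reply-To starts a line and its colon is
    immediately followed by a non-whitespace character (the mis-spaced case)."""
    return HDRS_MISSP_RE.search(raw_headers) is not None


def missp_headers(raw_headers):
    """Names of the mis-spaced headers, in order of appearance, as written."""
    return [m.group(1) for m in HDRS_MISSP_RE.finditer(raw_headers)]


if __name__ == "__main__":
    for label, block in (("good", GOOD), ("misspaced", MISSPACED),
                         ("missing all", MISSING_ALL), ("edge", EDGE)):
        print(f"{label:12} fires={hdrs_missp(block)} offenders={missp_headers(block)}")
```

A genuinely missing header is what `exists:` rules such as __HAS_TO are for; __HDRS_MISSP is a formatting check, so the two are complementary rather than interchangeable.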


Re: Matching on missing To field?

2022-07-20 Thread Bill Cole
On 2022-07-20 at 12:07:04 UTC-0400 (Wed, 20 Jul 2022 09:07:04 -0700)
Loren Wilton 
is rumored to have said:

>>>
>>> header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
>>
>> That rule just says: look at all the raw header data and match if there's 
>> none
>> of Subject, From, To, Reply-To entries.
>> IE a really malformed message.
>
> Hum. As I read it, that is "headers misspelled" (not "headers missing") and 
> it is checking for any of the listed words at the start of a line, followed 
> by a colon, and NOT followed by a space.

Correct. Headers mis-spaced.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Matching on missing To field?

2022-07-20 Thread Loren Wilton


>> header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
>
> That rule just says: look at all the raw header data and match if there's
> none of Subject, From, To, Reply-To entries.
> IE a really malformed message.

Hum. As I read it, that is "headers misspelled" (not "headers missing") and
it is checking for any of the listed words at the start of a line, followed
by a colon, and NOT followed by a space.


   Loren



Re: Matching on missing To field?

2022-07-20 Thread Dave Funk

On Wed, 20 Jul 2022, Alex wrote:


> Hi,
>
> I have a number of rules that match on the To field, but what to do if the To
> field is missing?
>
> Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
>         by mail01.example.com (Postfix) with SMTP id 12425B9B
>         for ; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
>
> I realize I can match on the Received header here, but that would require
> creating an additional rule for each corresponding To rule. Perhaps
> there's a way to combine them, or a tag that can be used for both?


Depending on your MTA and the message, that 'for ' element may
be completely missing (for example if there are multiple recipients of a message).


Can you configure your "glue" to synthesize an additional header from the
envelope-to address of the message? Envelope recipient addrs must always exist,
it's just a question of what you need to do to get it visible to SA.
Look at the "envelope_sender_header" entry in the SA docs, apply the same
concept to the envelope recipient data.


In the milter I use, I create both envelope-From  & envelope-To headers.


> I'm also aware of using ALL, but I think that may be too broad and may catch
> instances that shouldn't be. Can someone explain how this rule
> works and if something similar would apply to my situation?
>
> header         __HDRS_MISSP          ALL:raw =~
> /^(?:Subject|From|To|Reply-To):\S/ism


That rule just says: look at all the raw header data and match if there's none 
of Subject, From, To, Reply-To entries.

IE a really malformed message.

Dave

--
Dave Funk                          University of Iowa
                                   College of Engineering
319/335-5751  FAX: 319/384-0549    1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
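Dave's suggestion of having the glue synthesize a recipient header can be sketched in Python. This is an added example, not the thread's code and not any real milter's: the header name X-Envelope-To and the sample RCPT TO list are assumptions made here. It shows the edge case Dave mentions (two envelope recipients, so the MTA wrote no `for` clause into its Received: header) and why the glue must strip any copy of the synthesized header that arrived with the message before adding its own, since otherwise a sender could plant a value of their choosing for the rules to match.

```python
import email
import re

# Header name chosen for this example (an assumption, not an SA option). The
# idea is to do for the recipient what envelope_sender_header does for the sender.
ENVELOPE_TO_HEADER = "X-Envelope-To"

# Constructed message: the hop at mail01.example.com had two envelope
# recipients, so its Received: header carries no `for <addr>` clause, and the
# sender smuggled in an X-Envelope-To header of their own.
RAW = """\
X-Envelope-To: victim@foo.com
Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
        by mail01.example.com (Postfix) with SMTP id 12425B9B;
        Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
From: someone@test.com
Subject: sample

body
"""

# The envelope recipients as the glue saw them in RCPT TO (constructed).
ENVELOPE_RCPTS = ["fred.johnson@foo.com", "jane.doe@foo.com"]


def _unfold(value):
    """Join folded header continuation lines."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def received_for_clause(raw):
    """Address from the first `for <addr>;` clause in any Received: header, or
    None when no hop recorded one (the multi-recipient case)."""
    msg = email.message_from_string(raw)
    for rcvd in msg.get_all("Received") or []:
        m = re.search(r"\bfor\s+<?([^\s<>;]+)>?\s*;", _unfold(rcvd))
        if m:
            return m.group(1)
    return None


def synthesize_envelope_to(raw, rcpts):
    """What the glue would do before handing the message to SA: drop every
    client-supplied copy of the header (including its folded continuation
    lines), then prepend one built from the real envelope recipients."""
    head, sep, body = raw.partition("\n\n")
    kept, skipping = [], False
    for line in head.split("\n"):
        if line[:1] in (" ", "\t"):          # continuation of the previous header
            if not skipping:
                kept.append(line)
            continue
        skipping = line.lower().startswith(ENVELOPE_TO_HEADER.lower() + ":")
        if not skipping:
            kept.append(line)
    synthesized = f"{ENVELOPE_TO_HEADER}: {', '.join(rcpts)}"
    return "\n".join([synthesized] + kept) + sep + body


def envelope_recipients(raw):
    """The addresses a `header RULE X-Envelope-To =~ /.../` rule would see."""
    msg = email.message_from_string(raw)
    values = msg.get_all(ENVELOPE_TO_HEADER) or []
    return [a.strip() for v in values for a in _unfold(v).split(",") if a.strip()]


if __name__ == "__main__":
    print("Received for-clause:", received_for_clause(RAW))
    print("before glue:", envelope_recipients(RAW))
    fixed = synthesize_envelope_to(RAW, ENVELOPE_RCPTS)
    print("after glue: ", envelope_recipients(fixed))
```

Whatever header name you pick, treat it the way SA treats envelope_sender_header: it is only meaningful if your own MTA or milter is the sole writer of it, which is why the example removes inbound copies rather than appending to them.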

Re: Matching on missing To field?

2022-07-20 Thread Matus UHLAR - fantomas

On 20.07.22 09:29, Alex wrote:

> I have a number of rules that match on the To field, but what to do if the
> To field is missing?

10_hasbase.cf:header __HAS_TO exists:To

define:

meta MISSING_TO !__HAS_TO

> Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
>    by mail01.example.com (Postfix) with SMTP id 12425B9B
>    for ; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
>
> I realize I can match on the Received header here, but that would require
> creating an additional rule for each corresponding To rule. Perhaps there's
> a way to combine them, or a tag that can be used for both?

the main question is what you want to match.

> I'm also aware of using ALL, but I think that may be too broad and may
> catch instances that shouldn't be. Can someone explain how this rule works
> and if something similar would apply to my situation?
>
> header __HDRS_MISSP  ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759