Received: from ...blah blah... X-Message-Info: 31iOCamNW4Lqooq4inEUndCY4PC6uZOOmrZ53 Received: from ...blah blah...
from what i see on my site corpus, i'd say we don't receive legitimate mail which has such an embedded X-Message-Info.
there could (not verifiable) however be legitimate mail which have a X-Message-Info header, but then it is not embedded between Received headers
is it possible in spamassassin (via regexp ?) to test for a "sandwiched" X-Message-Info: header between Received: headers ?
or more globally, can a regexp test spawn over multiple header lines ?
Yes, you need to use the special header ALL for this, and your trailing regex / needs a /m to make it multiline, or /s.
For example. from SA 3.0.1:
20_head_tests.cf:header __MSGID_BEFORE_RECEIVED ALL =~ /\nMessage-Id:.*\nReceived:/si
you might try something like:
header SANDWICH_INFO ALL =~ /\n Received:.*\nX-Message-Info:.*\nReceived:/si
or:
header SANDWICH_INFO ALL =~ /\n Received:.*\nX-Message-Info:.*\nReceived:/mi
The first rule will allow other headers to also be between the Received: headers. The second will match if X-Message-Info is the only header between two Received: headers. (/m won't allow . to match newlines, thus it has to be a match of 3 consecutive headers. /s will allow it, so extra headers can be swallowed by the .*)
