On 2021-04-27 03:03 PM, Dave Wreski wrote:
Invalid List-ID. You can then use that with other weirdness in a
meta.
header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
score LIST_ID_IMPROPER_FORMAT 0.001
describe LIST_ID_IMPROPER_FORMAT List-id has improper format
You lost me here. The spam has this:
List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>
That's not legit? It's in brackets.
It's matching on the text before the brackets.
I meant to say that it's not matching the __LIST_ID_DOMAIN_IN_BRACKETS
because of the text before the brackets, so the rule
matches/triggered.
OK, gotcha. But now I gotta ask: I see the host tacked onto the random
bit of text in the brackets, but why is it significant that the part
outside the brackets doesn't exactly match the part inside? How does
that let us know the email is bogus?
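
Added example, not part of the thread and not code from any poster: the Python below applies the posted `__LIST_ID_DOMAIN_IN_BRACKETS` pattern and the `LIST_ID_IMPROPER_FORMAT` meta to the List-Id value quoted above and to a few constructed values, and reports what inside the brackets the pattern could not consume. It assumes `__HAS_LIST_ID` only means that a List-Id header is present, since its definition is not shown; `evaluate` and the sample values marked as constructed are hypothetical.

```python
import re

# The sub-rule pattern from the thread. re.ASCII keeps \w to [A-Za-z0-9_].
LIST_ID_DOMAIN_IN_BRACKETS = re.compile(r"<([\w-]+)(\.[\w-]+)+>", re.ASCII)


def evaluate(headers):
    """Return (fires, reason) for LIST_ID_IMPROPER_FORMAT.

    Assumption: __HAS_LIST_ID is true whenever a List-Id header exists.
    """
    value = next((v for k, v in headers.items() if k.lower() == "list-id"), None)
    if value is None:
        return False, "no List-Id header, __HAS_LIST_ID is false"
    # The pattern is unanchored, so text before '<' does not prevent a match.
    if LIST_ID_DOMAIN_IN_BRACKETS.search(value):
        return False, "bracketed dotted name matched"
    # The meta fires from here on; work out why the sub-rule failed.
    inner = re.search(r"<([^<>]*)>", value)
    if inner is None:
        return True, "no <...> part in the header value"
    bad = re.search(r"[^\w.-]", inner.group(1), re.ASCII)
    if bad:
        return True, "character %r at offset %d inside the brackets" % (
            bad.group(), bad.start())
    return True, "empty label or no dot inside the brackets"


SAMPLES = [
    # Value quoted in the thread.
    {"List-Id": "MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>"},
    # Constructed values for comparison.
    {"List-Id": "Example users <users.lists.example.org>"},
    {"List-Id": "<users.lists.example.org>"},
    {"List-Id": "users.lists.example.org"},
    {"Subject": "no list header here"},
]

if __name__ == "__main__":
    for headers in SAMPLES:
        fires, reason = evaluate(headers)
        print("%-5s %s -> %s" % (fires, headers, reason))
```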