On Tue, 29 Sep 2015, Philip Prindeville wrote:
On Sep 29, 2015, at 10:44 AM, John Hardin <jhar...@impsec.org> wrote:
On Tue, 29 Sep 2015, Philip Prindeville wrote:
Can you use something like:
header __L_X_NO_RELAY exists:X-No-Relay
Are you seeing empty X-No-Relay headers? How about:
No, not empty. Typically they say:
X-No-Relay: not in my network
Yeah, multiples of that is what I was seeing too.
Memories are reviving. I don't think the tflags multiple for a
single-header rule will work, as SA collapses identical headers. It has to
be a header ALL rule. That's why I did DUP_SUSP_HDR. Unfortunately that's
not seen enough in the masscheck corpus to be scored and published.
The "collapse multiple identical headers" is probably why the multiple
exists doesn't work.
No, that ends up matching once per character… But /.*/ works.
Yeah, oops.
/^./ would be a bit more efficient.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Any time law enforcement becomes a revenue center, the system
becomes corrupt.
-----------------------------------------------------------------------
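The point made in the message above, as an added example that is not part of the original thread and is not SpamAssassin code: once identical headers are collapsed, a per-header rule has only one value to match, while a pattern run over the whole header block still sees both lines. Python's `re` stands in for the rule regexes; the collapsing model follows the thread's description and is an assumption, and the sample headers, function names and pattern are constructed.

```python
import re

# Constructed sample header block (not taken from the thread).
DUPLICATED = (
    "Received: from mail.example.net by mx.example.org; Tue, 29 Sep 2015 10:00:00 -0600\n"
    "X-No-Relay: not in my network\n"
    "X-No-Relay: not in my network\n"
    "From: sender@example.net\n"
    "Subject: constructed sample\n"
)
SINGLE = DUPLICATED.replace("X-No-Relay: not in my network\n", "", 1)

# Whole-block pattern (hypothetical): the header name at the start of a line,
# then the same name at the start of any later line.
DUP_X_NO_RELAY = re.compile(
    r"^(X-No-Relay):[^\n]*\n(?:[^\n]*\n)*?\1:", re.IGNORECASE | re.MULTILINE
)


def unfold(raw):
    """Normalise line endings and join folded continuation lines."""
    return re.sub(r"\n[ \t]+", " ", raw.replace("\r\n", "\n"))


def collapsed_values(raw, name):
    """Values of one header with identical copies kept once (assumed model)."""
    values = []
    for line in unfold(raw).split("\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            if value.strip() not in values:
                values.append(value.strip())
    return values


def single_header_hits(raw, name, pattern=r"^."):
    """How many times a per-header rule could fire after collapsing."""
    return sum(1 for v in collapsed_values(raw, name) if re.search(pattern, v))


def whole_block_duplicate(raw):
    """True when X-No-Relay occurs on two or more header lines."""
    return DUP_X_NO_RELAY.search(unfold(raw)) is not None


if __name__ == "__main__":
    for label, msg in (("duplicated", DUPLICATED), ("single", SINGLE)):
        print(label, single_header_hits(msg, "X-No-Relay"), whole_block_duplicate(msg))
```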