Re: "Received" headers for rules?

2015-10-26 Thread RW
On Mon, 26 Oct 2015 14:37:52 -0500 (CDT)
sha...@shanew.net wrote:

> On Mon, 26 Oct 2015, RW wrote:

> > I had a quick look at the code and the only mention of ezmlm was
> > related to gated_through_received_hdr_remover() which looks for
> > signs that the email passed through something that might have
> > stripped headers. It tests the received headers, but doesn't modify
> > them.  
> 
> In my sleuthing, I found the part of Received.pm that looks for
> "received" headers that don't actually start with "Received:" and adds
> them on to the @hdrs array.  I thought I'd tracked down that one of
> those alternate "received" headers was the ezmlm, which is related to
> the email's path through various systems, so it made sense.


FWIW Received.pm is concerned with parsing out metadata from the
received headers.  @hdrs is a temporary working copy of the
received headers, so any synthetic headers added to it won't affect
header rules.


Re: "Received" headers for rules?

2015-10-26 Thread shanew

On Mon, 26 Oct 2015, RW wrote:

> On Mon, 26 Oct 2015 11:37:58 -0500 (CDT)
> Shane Williams wrote:
>
> > I've created a header rule with "Received =~ /blahblahblah/", and I
> > just got a false positive on it when none of the Received headers in
> > the mail actually match.  I had a similar situation last week, and
> > (I think) found in the SA code where it will treat ezmlm headers as
> > if they were Received headers (which explained why it hit).
>
> I had a quick look at the code and the only mention of ezmlm was
> related to gated_through_received_hdr_remover() which looks for signs
> that the email passed through something that might have stripped
> headers. It tests the received headers, but doesn't modify them.


In my sleuthing, I found the part of Received.pm that looks for
"received" headers that don't actually start with "Received:" and adds
them on to the @hdrs array.  I thought I'd tracked down that one of
those alternate "received" headers was the ezmlm, which is related to
the email's path through various systems, so it made sense.

Unfortunately, with a weekend between when I looked at it and now, I
no longer see what led me to think that, nor can I remember which
email started my search, so it seems likely that I came to the 
wrong conclusion.


Instead, I think what was throwing me off is the fact that the
envelope-from gets checked as part of the Received header it appears
in, but then sendmail tears that out and puts it in the Return-Path:
header.  Add the fact that I'm running SA from a milter, and basically
I had no way to know exactly what the email looked like at the point
SA was analyzing it.  John Hardin's __ALL_RECEIVED rule suggestion
created the entries in the debug log that let me have a better idea
what SA was actually seeing and running rules against.


--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                |  System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |  sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


Re: "Received" headers for rules?

2015-10-26 Thread shanew

On Mon, 26 Oct 2015, Reindl Harald wrote:

> On 26.10.2015 at 17:37, Shane Williams wrote:
>
> > I've created a header rule with "Received =~ /blahblahblah/", and I
> > just got a false positive on it when none of the Received headers in
> > the mail actually match.  I had a similar situation last week, and
> > (I think) found in the SA code where it will treat ezmlm headers as
> > if they were Received headers (which explained why it hit).
> >
> > Is there anywhere, other than the code, where I can see what all
> > headers might be checked as part of a "Received =~" rule?
>
> What about posting details like the headers of said message and the
> whole rule instead of hoping for readers' crystal balls?




Because the question I asked is not specific to any one email or rule,
but rather about how SpamAssassin processes mail (specifically
headers) in general.

Thanks to John Hardin for pointing out a way to determine (on a per
email basis even) what headers count as Received.



Re: "Received" headers for rules?

2015-10-26 Thread Paul Stead

On 26/10/15 17:46, sha...@shanew.net wrote:

> Thanks to John Hardin for pointing out a way to determine (on a per
> email basis even) what headers count as Received.


The following page might be of use to build a few rules too:

https://wiki.apache.org/spamassassin/TrustedRelays
--
Paul Stead
Systems Engineer
Zen Internet


Re: "Received" headers for rules?

2015-10-26 Thread Reindl Harald

On 26.10.2015 at 17:37, Shane Williams wrote:

> I've created a header rule with "Received =~ /blahblahblah/", and I
> just got a false positive on it when none of the Received headers in
> the mail actually match.  I had a similar situation last week, and
> (I think) found in the SA code where it will treat ezmlm headers as
> if they were Received headers (which explained why it hit).
>
> Is there anywhere, other than the code, where I can see what all
> headers might be checked as part of a "Received =~" rule?

What about posting details like the headers of said message and the
whole rule instead of hoping for readers' crystal balls?






Re: "Received" headers for rules?

2015-10-26 Thread John Hardin

On Mon, 26 Oct 2015, Shane Williams wrote:

> I've created a header rule with "Received =~ /blahblahblah/", and I
> just got a false positive on it when none of the Received headers in
> the mail actually match.  I had a similar situation last week, and
> (I think) found in the SA code where it will treat ezmlm headers as
> if they were Received headers (which explained why it hit).
>
> Is there anywhere, other than the code, where I can see what all
> headers might be checked as part of a "Received =~" rule?

Try adding this to your testbed ruleset:

header  __ALL_RECEIVED  Received =~ /.*/
tflags  __ALL_RECEIVED  multiple



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                          -- www.darwinawards.com
-----------------------------------------------------------------------
 5 days until Halloween
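The two practical points of this thread, Shane's observation that the envelope-from inside a Received header is what a "Received =~" rule is tested against while the Return-Path copy sendmail later writes is not, and John Hardin's __ALL_RECEIVED / tflags multiple trick for listing every Received header SpamAssassin sees, as one added Python example. This script is not code from the thread or from SpamAssassin itself; the sample message, its hostnames and addresses, and the function names are constructed here, and it simplifies SpamAssassin's matching by testing each Received header on its own (an assumption noted in the code).

```python
"""List the Received headers a SpamAssassin-style ``Received =~ /re/`` rule
would be tested against, and show where the envelope sender ends up.

Added example for this thread; it is not code from the list posters or from
SpamAssassin. The message, hostnames and addresses below are constructed.
"""
import email
import re
from email import policy

# Constructed sample: two Received headers, the newer one carrying the
# "(envelope-from <...>)" clause sendmail records, plus the Return-Path
# that the delivering MTA derives from the same envelope sender.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.com (8.15.2/8.15.2) with ESMTP id t9QGbwXY012345
    (envelope-from <bounce@example.net>)
    for <user@example.com>; Mon, 26 Oct 2015 11:37:58 -0500 (CDT)
Received: from relay.example.net (relay.example.net [198.51.100.5])
    by mx.example.org with ESMTP; Mon, 26 Oct 2015 11:37:50 -0500 (CDT)
X-Mailer: ezmlm
From: sender@example.net
To: user@example.com
Subject: constructed test message

Hello.
"""

# The envelope-from clause as sendmail writes it inside a Received header.
ENVELOPE_FROM = re.compile(r"\(envelope-from\s+<?([^>\s)]+)>?\)")


def received_headers(raw):
    """Return every Received header value, top to bottom, with the folding
    whitespace collapsed so that a regex sees one line per header."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [re.sub(r"\s+", " ", str(v)).strip()
            for v in msg.get_all("Received", [])]


def matching_received(raw, pattern):
    """Indices of the Received headers a 'header X Received =~ /pattern/'
    rule with 'tflags multiple' would hit on.  Assumption/simplification:
    each header is tested on its own, whereas SpamAssassin joins repeated
    headers before matching, so a pattern could in principle span two."""
    rx = re.compile(pattern)
    return [i for i, hdr in enumerate(received_headers(raw)) if rx.search(hdr)]


def envelope_senders(raw):
    """Pair the envelope-from addresses recorded inside Received headers
    with the Return-Path header; only the former is visible to a
    Received rule, the latter is a separate header."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for hdr in received_headers(raw):
        match = ENVELOPE_FROM.search(hdr)
        if match:
            found.append(match.group(1))
    return_path = msg.get("Return-Path")
    return {
        "received_envelope_from": found,
        "return_path": str(return_path).strip("<> ") if return_path else None,
    }


if __name__ == "__main__":
    # Mimic what __ALL_RECEIVED shows in the debug log: one line per header,
    # marked with whether the rule under test would have hit on it.
    pattern = r"envelope-from <bounce@example\.net>"
    hits = set(matching_received(SAMPLE_MESSAGE, pattern))
    for i, hdr in enumerate(received_headers(SAMPLE_MESSAGE)):
        print(f"[{'HIT' if i in hits else '   '}] Received[{i}]: {hdr}")
    # The ezmlm marker lives in X-Mailer, so no Received rule can see it.
    print("ezmlm visible to a Received rule?",
          bool(matching_received(SAMPLE_MESSAGE, "ezmlm")))
    print(envelope_senders(SAMPLE_MESSAGE))
```

Run it against a saved copy of a delivered message to get the per-header listing. As Shane notes above, a milter sees the message before sendmail has finished rewriting it, so the saved copy and the milter's view can differ; the debug log produced by __ALL_RECEIVED remains the authoritative record of what SpamAssassin actually matched.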


Re: "Received" headers for rules?

2015-10-26 Thread RW
On Mon, 26 Oct 2015 11:37:58 -0500 (CDT)
Shane Williams wrote:

> I've created a header rule with "Received =~ /blahblahblah/", and I
> just got a false positive on it when none of the Received headers in
> the mail actually match.  I had a similar situation last week, and
> (I think) found in the SA code where it will treat ezmlm headers as
> if they were Received headers (which explained why it hit).
 
I had a quick look at the code and the only mention of ezmlm was
related to gated_through_received_hdr_remover() which looks for signs
that the email passed through something that might have stripped
headers. It tests the received headers, but doesn't modify them.