Some emails that I'm getting have no subject lines in them at all. I would like to build a SA filter where:
header NOSUBJECT_LINE !/Subject: / score NOSUBJECT_LINE 5.0
but will ! act as a negator?
The above is quite invalid, regardless of the effects of !
proper format would be:
header NOSUBJECT_LINE ALL !~ /Subject\:/i
Header rules always specify a header to look at, or ALL to indicate the whole header blocks. They aren't quite like body rules in this respect, as body rules can immediately start off with a regex. Header rules cannot.
The standard SA 3.0 ruleset does this same rule in a much better and more efficient manner:
header __HAS_SUBJECT exists:Subject meta MISSING_SUBJECT !__HAS_SUBJECT describe MISSING_SUBJECT Missing Subject: header
This only has to do a text match of the first token of each line, not the entire text block of the headers. It's not radically faster, but it is less work.
