Matus UHLAR - fantomas wrote:
> On Tue, Apr 26, 2022 at 02:35:25PM +0200, Matus UHLAR - fantomas wrote:
>> is it possible to match message headers in rfc822 attachments?
>>
>> from what I know, "header" rules only apply to mail headers and mimeheader
>> only apply to mime headers.
>>
>> body and rawbody afaik only search in bodies of messages or included
>> messages.
>
> On 26.04.22 16:11, Henrik K wrote:
>> Maybe a bit safer version that doesn't log huge strings and run wild
>>
>> full FOO /^(?=.*?\nContent-Type: message\/rfc822.{0,1024}?\nReceived:(?:[^\n]{1,100}\n\s{1,100}){0,3}[^\n]{0,100}\b1\.2\.3\.4\b)/s
>
> Doesn't this require mime headers in specific order that may not be fulfilled?

If your attached message has headers that are mixed in with the MIME headers then it's badly (arguably maliciously) structured and probably not sanely parseable.

Pulling a quick sample from the spam reporting account here:

====

------=_NextPart_000_0011_01D858C3.7B7DAB10
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment

Received: from vmsa103.odn.ne.jp by cmsa103.odn.ne.jp with ESMTP id
 <20220425222911188.omlg.51715.cmsa103.odn.ne...@msa103.odn.ne.jp> for
[...and the rest of the attached message...]

====

However, Henrik's {0,1024} safety barrier is unfortunately likely to skip intended matches because of huge/multiple DKIM signatures and other odds and ends that certain mail clients or platforms take delight in stuffing into email headers. I've lost count of the ones I've seen with ~40-50k+ characters just in the message headers, never mind all the Stupid found in the message body. (I think the record has to be something like 200k+ for a one-line message with no embedded images. Yay progress?)

Can you expand some more on your use case? You may be better off splitting the attached message off outside of SA (which is relatively simple[0]) and processing it directly. If there are attributes from the parent message needed when processing the child, your splitter could add them as pseudoheaders on the child message passed to SA. Looking back at your previous post this seems likely to be easier than trying to wedge things fully inside SA.

-kgd
[0] I'm slightly terrified by how many abuse departments at companies that should really know better, and be able to afford more and better talent than me at this kind of mail-mangling, do not seem to know what to do with an RFC822 attachment. It took me less than a week to implement a fairly solid on-delivery splitter like this for FN and FP reporting, and I've since extended it to handle several mangled variations to the tune of maybe 5 hours or so each.
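The out-of-SA splitter kgd describes (cut the rfc822 attachment off, copy parent attributes onto it as pseudoheaders, hand the child to SA) next to Henrik's rule run over the same raw bytes, as an added Python example that is not from this thread or from SpamAssassin; the sample message, the addresses and the X-Parent-* header names are constructed assumptions.

```python
import re
import email
from email import policy

# Constructed sample (not real mail): a report carrying a message/rfc822 attachment laid out as in the thread.
RAW_PARENT = b"""\
From: reporter@example.invalid
Subject: Fwd: spam report
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0011_01D858C3.7B7DAB10"

------=_NextPart_000_0011_01D858C3.7B7DAB10
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment

Received: from mail.example.invalid (mail.example.invalid [1.2.3.4])
\tby mx.example.invalid with ESMTP id abc123; Mon, 25 Apr 2022 22:29:11 +0000
From: sender@example.invalid
Subject: hello
Content-Type: text/plain

body of the attached message
------=_NextPart_000_0011_01D858C3.7B7DAB10--
"""

# Henrik's "full" rule, transcribed to Python (Perl /s is re.S).
HENRIK_RULE = re.compile(
    rb"^(?=.*?\nContent-Type: message/rfc822.{0,1024}?\nReceived:"
    rb"(?:[^\n]{1,100}\n\s{1,100}){0,3}[^\n]{0,100}\b1\.2\.3\.4\b)", re.S)

def henrik_rule_matches(raw: bytes) -> bool:
    return HENRIK_RULE.search(raw) is not None

def with_big_header_first(raw: bytes, size: int = 1500) -> bytes:
    # Push a large header (think DKIM-Signature) in front of the child's Received: so the {0,1024} barrier gives up.
    return raw.replace(b"\nReceived:", b"\nDKIM-Signature: " + b"x" * size + b"\nReceived:", 1)

def split_rfc822_attachments(raw_parent: bytes, copy=("From", "Subject", "Message-ID")) -> list[bytes]:
    """Return each attached message as bytes with X-Parent-* pseudoheaders (assumed names) copied from the parent."""
    parent = email.message_from_bytes(raw_parent, policy=policy.default)
    children = []
    for part in parent.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        child = part.get_payload(0)  # the parsed attached message; as_bytes() below re-folds its headers
        for name in copy:
            pseudo = f"X-Parent-{name}"
            del child[pseudo]  # never trust a pseudoheader the sender already put in the child
            if parent[name] is not None:
                child[pseudo] = str(parent[name])
        children.append(child.as_bytes())
    return children
```

Each returned child can be piped to spamc as a message of its own; absent parent headers (Message-ID here) are simply not copied.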
