Matus UHLAR - fantomas wrote:
Hello,

I have made a few rules to match bodies of e-mail forwarded to our abuse
account. They should match if IP from our range appears in the abuse
report:

body __GTSSK_IP04 /\b213\.215\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.\d/

should match any IP from range 213.215.64.0/18

Only if this content is in the normal message body; if it's in an attachment or in the outer message headers this won't match.

I have received a complaint containing an RFC822 attachment with this line
in the headers of the attachment:

Received: from a43.pbi.bn.cust.gts.sk ([213.215.106.107]
helo=smtp.pbi.sk) by mail.kontaktco.at with esmtp (Exim 4.72)
(envelope-from <i...@hi5.com>) id 1RUaIh-0000zs-8d for
gerhard.goll...@kontaktco.at; Sun, 27 Nov 2011 09:41:28 +0100

Neither the body rule above nor the rule changed to header matched:

header __GTSSK_IP04 Received =~ /\b213\.215\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.\d/

If you're trying to match on RFC822 attached emails, you'll need to use the "mimeheader" rule type, with some negating rules to prevent hits on the outer message's headers. *sigh*

Something like:

mimeheader __GTSSK_IP04_MH Received =~ /ip.ad.dr.ess/
header __GTSSK_IP04_OUTER Received =~ /ip.ad.dr.ess/
meta __GTSSK_IP04 __GTSSK_IP04_MH && !__GTSSK_IP04_OUTER

I have tried to use "rawbody" rule but still no match.

I have SA 3.3.1 with perl 5.8.8 on gentoo linux...
can either of those cause the problem?

I've had the same sort of trouble matching the rejected message header in backscatter bounces. (If someone can explain to me why I should allow structurally legitimate postmaster notices responding to fake Twitter, Facebook, Linked, etc messages into customer's email accounts, I'm listening...)

I've found I need to have a rawbody rule *and* mimeheader+(!header) in order to catch all of the variations assorted mail systems and mail clients generate. :(

-kgd
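
An added example, not part of the thread and not SpamAssassin code: a Python check that the regex from the rule covers exactly 213.215.64.0/18, and a walk over a constructed abuse report showing that the in-range address sits only in the Received header of the message/rfc822 attachment. The sample message and its example.* hostnames are constructed; only the regex, the range and the IP come from the thread.

```python
import ipaddress
import re
from email import message_from_string

# Regex from the rule in the thread and the range it is meant to cover.
RULE_RE = re.compile(r"\b213\.215\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.\d")
NET = ipaddress.ip_network("213.215.64.0/18")

# Constructed sample (placeholder hostnames): an abuse report that carries
# the complained-about mail as a message/rfc822 attachment.
SAMPLE = """\
From: reporter@example.org
Received: from mx.example.org ([192.0.2.10]) by mail.example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please look at the attached message.
--b1
Content-Type: message/rfc822

Received: from a43.example.sk ([213.215.106.107] helo=smtp.example.sk)
 by mail.example.at with esmtp

spam text
--b1--
"""

def regex_agrees_with_cidr():
    """True if the regex matches exactly the third octets inside the /18."""
    return all(
        bool(RULE_RE.search(f"213.215.{o}.1"))
        == (ipaddress.ip_address(f"213.215.{o}.1") in NET)
        for o in range(256))

def received_hit(msg):
    """True if any Received header of this message holds an in-range IP."""
    return any(RULE_RE.search(h) for h in msg.get_all("Received", []))

def locate_hits(raw):
    """Report which section of the report carries an in-range address."""
    msg = message_from_string(raw)
    hits = {"outer_received": received_hit(msg), "text_body": False,
            "attached_received": False}
    for part in msg.get_payload():  # top-level MIME parts only
        if part.get_content_type() == "text/plain":
            hits["text_body"] = bool(RULE_RE.search(part.get_payload()))
        elif part.get_content_type() == "message/rfc822":
            hits["attached_received"] = received_hit(part.get_payload(0))
    return hits
```
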
