I'm trying to create a rule to count the number of instances of a particular
header.
I.e., in email messages there could be zero or more instances of a particular
header and I want to know how many there are so I can use that info in a meta to
detect a spam sign.

I first crafted a rule:

  header L_MY_HEADER X-My-Header !~ /^UNSET$/ [if-unset: UNSET]
  describe L_MY_HEADER has X-My_header
  score L_MY_HEADER 0.1

Which did correctly detect the existence of 'X-My-Header'. Then to count the
number of them I added a 'tflags':

  tflags L_MY_HEADER multiple maxhits=10

But that would always fire 10 times if there were any instances of 'X-My-Header'
(even if there was only one).

So I modified the pattern match part of the rule:

  header L_MY_HEADER X-My-Header =~ /./

Which had the same effect as the first form (i.e., either zero or 10 firings).

As the header would have at least 6 characters but less than 150 I then tried:

  header L_MY_HEADER X-My-Header =~ /^.{5,200}/

Which would fire only once, even if there were 5 or more instances of the
header.

What am I doing wrong? How should I craft a rule to count the number of
instances of that header?

Thanks,
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{