
Matching on missing To field?
Hi,

I have a number of rules that match on the To field, but what to do if the
To field is missing?

Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
by mail01.example.com (Postfix) with SMTP id 12425B9B
for <jim@gooddom.com>; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)

I realize I can match on the Received header here, but that would require
creating an additional rule for each corresponding To rule. Perhaps there's
a way to combine them, or a tag that can be used for both?

I'm also aware of using ALL, but I think that may be too broad and may
catch instances that shouldn't be. Can someone explain how this rule works
and if something similar would apply to my situation?

header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism

Thanks,
Alex
Re: Matching on missing To field?
On 20.07.22 09:29, Alex wrote:
>I have a number of rules that match on the To field, but what to do if the
>To field is missing?

10_hasbase.cf:header __HAS_TO exists:To

define:

meta MISSING_TO !__HAS_TO

>Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
> by mail01.example.com (Postfix) with SMTP id 12425B9B
> for <jim@gooddom.com>; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
>
>I realize I can match on the Received header here, but that would require
>creating an additional rule for each corresponding To rule. Perhaps there's
>a way to combine them, or a tag that can be used for both?

the main question is what you want to match.


>I'm also aware of using ALL, but I think that may be too broad and may
>catch instances that shouldn't be. Can someone explain how this rule works
>and if something similar would apply to my situation?
>
>header __HDRS_MISSP ALL:raw =~
>/^(?:Subject|From|To|Reply-To):\S/ism



--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: Matching on missing To field?
On Wed, 20 Jul 2022, Alex wrote:

> Hi,
>
> I have a number of rules that match on the To field, but what to do if the To field is missing?
>
> Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
>         by mail01.example.com (Postfix) with SMTP id 12425B9B
>         for <jim@gooddom.com>; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
>
> I realize I can match on the Received header here, but that would require creating an additional rule for each corresponding To rule. Perhaps
> there's a way to combine them, or a tag that can be used for both?

Depending on your MTA and the message, that 'for <jim@gooddom.com>' element may
be completely missing (for example if there's multiple recipients of a message).

Can you configure your "glue" to synthesize an additional header from the
envelope-to address of the message? Envelope recipient addrs must always exist,
it's just a question of what you need to do to get it visible to SA.
Look at the "envelope_sender_header" entry in the SA docs, apply the same
concept to the envelope recipient data.

In the milter I use, I create both envelope-From & envelope-To headers.

> I'm also aware of using ALL, but I think that may be too broad and may catch instances that shouldn't be. Can someone explain how this rule
> works and if something similar would apply to my situation?
>
> header         __HDRS_MISSP          ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism

That rule just says: look at all the raw header data and match if there's none
of Subject, From, To, Reply-To entries.
I.e. a really malformed message.

Dave


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Matching on missing To field?
>>
>> header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
>
> That rule just says: look at all the raw header data and match if there's
> none
> of Subject, From, To, Reply-To entries.
> IE a really malformed message.

Hum. As I read it, that is "headers misspelled" (not "headers missing") and
it is checking for any of the listed words at the start of a line, followed
by a colon, and NOT followed by a space.

Loren
Re: Matching on missing To field?
On 2022-07-20 at 12:07:04 UTC-0400 (Wed, 20 Jul 2022 09:07:04 -0700)
Loren Wilton <lwilton@earthlink.net>
is rumored to have said:

>>>
>>> header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
>>
>> That rule just says: look at all the raw header data and match if there's none
>> of Subject, From, To, Reply-To entries.
>> IE a really malformed message.
>
> Hum. As I read it, that is "headers misspelled" (not "headers missing") and it is checking for any of the listed words at the start of a line, followed by a colon, and NOT followed by a space.

Correct. Headers mis-spaced.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Matching on missing To field?
On Wed, 20 Jul 2022, Loren Wilton wrote:

>>>
>>> header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
>>
>> That rule just says: look at all the raw header data and match if there's
>> none
>> of Subject, From, To, Reply-To entries.
>> IE a really malformed message.
>
> Hum. As I read it, that is "headers misspelled" (not "headers missing")

MISSP = misspaced

> and it is checking for any of the listed words at the start of a line,
> followed by a colon, and NOT followed by a space.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
What the hell is an "Aluminum Falcon"?? -- Emperor Palpatine
-----------------------------------------------------------------------
Today: the 53rd anniversary of Apollo 11 landing on the Moon
Re: Matching on missing To field?
Hi,

>I have a number of rules that match on the To field, but what to do if the
> >To field is missing?
>
> 10_hasbase.cf:header __HAS_TO exists:To
>
> define:
>
> meta MISSING_TO !__HAS_TO
>
> >Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
> > by mail01.example.com (Postfix) with SMTP id 12425B9B
> > for <jim@gooddom.com>; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
> >
> >I realize I can match on the Received header here, but that would require
> >creating an additional rule for each corresponding To rule. Perhaps
> there's
> >a way to combine them, or a tag that can be used for both?
>
> the main question is what do you want to match.


The problem I'm having is that my To header rules aren't matching because
there is no To header, and I'm otherwise unsure what to match on. The only
occurrence of the recipient in the entire email is in that Received header.

My reference to the __HDRS_MISSP was to possibly use that as an example for
a new rule that would allow me to match on the jim@gooddom.com using the
same "ALL:raw" idea in some way.

It does match on "ALL", but I think I need to be more specific than that,
to avoid matching on "From:" or Return-Path or EnvelopeFrom.

Thanks,
Alex
Re: Matching on missing To field?
> The problem I'm having is that my To header rules aren't matching because there is no To header,
> and I'm otherwise unsure what to match on. The only occurrence of the recipient in the entire email
> is in that Received header.
>

> It does match on "ALL", but I think I need to be more specific than that, to avoid matching on "From:"
> or Return-Path or EnvelopeFrom./

If you want to match on text in Received headers only, then just write a rule to check that header type:

header __TO_FRED_JOHNSON To =~ /\bfred\.johnson@foo\.com\b/
header __RCVD_FRED_JOHNSON Received =~ /\bfred\.johnson@foo\.com\b/
meta TO_FRED_JOHNSON __TO_FRED_JOHNSON || __RCVD_FRED_JOHNSON
meta NOT_TO_ME !TO_FRED_JOHNSON

You could do that with ALL, but this way is probably more efficient, and will be a lot less confusing regex.

Loren
Re: Matching on missing To field?
>>I have a number of rules that match on the To field, but what to do if the
>> >To field is missing?
>>
>> 10_hasbase.cf:header __HAS_TO exists:To
>>
>> define:
>>
>> meta MISSING_TO !__HAS_TO
>>
>> >Received: from test.com (wsip-72-214-24-18.sd.sd.cox.net [72.214.24.18])
>> > by mail01.example.com (Postfix) with SMTP id 12425B9B
>> > for <jim@gooddom.com>; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)
>> >
>> >I realize I can match on the Received header here, but that would require
>> >creating an additional rule for each corresponding To rule. Perhaps
>> there's
>> >a way to combine them, or a tag that can be used for both?

>> the main question is what do you want to match.

On 20.07.22 22:40, Alex wrote:
>The problem I'm having is that my To header rules aren't matching because
>there is no To header, and I'm otherwise unsure what to match on.

The problem is if there's no To: header, there is nothing to match.
You did not say what you want to match, that's why I asked.

> The only
>occurrence of the recipient in the entire email is in that Received header.

Aha, so you want to find the recipient!

While SA parses Received: headers into pseudo-headers X-Spam-Relays-*
(https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TrustedRelays),
it looks like it does not try to parse the envelope recipient:

X-Spam-Relays-Untrusted: [. ip=3.227.148.255 rdns=mxout1-ec2-va.apache.org
helo=mxout1-ec2-va.apache.org by=fantomas.fantomas.sk ident= envfrom= intl=0
id=1AF2FA0012 auth= msa=0 ]


Perhaps you could match the received header with name of your mail server:

Received: from mxout1-ec2-va.apache.org (mxout1-ec2-va.apache.org [3.227.148.255])
by fantomas.fantomas.sk (Postfix) with ESMTPS id 1AF2FA0012
^^^^^^^^^^^^^^^^^^^^
for <uhlar@fantomas.sk>; Thu, 21 Jul 2022 04:40:21 +0200 (CEST)
^^^^^^^^^^^^^^^^^

unless your mailserver adds envelope recipient address to the headers
(common for domain mailboxes, uncommon for others)
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
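To make the three rule styles discussed in this thread concrete (exists:To with a meta, the __HDRS_MISSP "misspaced" regex, and Loren's To-or-Received meta, including Dave's caveat that the Received "for <addr>" clause can be absent), here is an added Python model of how SpamAssassin evaluates them. It is not SpamAssassin code or anything from the list; the header blocks are constructed samples and the function names are mine.

```python
import re

# Constructed sample header blocks (not messages from the thread); bodies omitted.
NO_TO = (
    "Received: from test.example (host.example [192.0.2.10])\n"
    "\tby mail01.example.com (Postfix) with SMTP id 12425B9B\n"
    "\tfor <jim@gooddom.com>; Fri, 15 Jul 2022 18:50:34 -0400 (EDT)\n"
    "From: someone@other.example\n"
    "Subject: no To header at all\n"
)
MISSPACED = NO_TO + "To:jim@gooddom.com\n"  # colon not followed by whitespace
MULTI_RCPT = (
    "Received: from test.example (host.example [192.0.2.10])\n"
    "\tby mail01.example.com (Postfix) with SMTP id 7A1B2C3D;\n"  # no 'for <...>' clause
    "\tFri, 15 Jul 2022 18:51:00 -0400 (EDT)\n"
    "From: someone@other.example\n"
    "Subject: delivered to several recipients\n"
)

def parse_headers(raw):
    """Unfold RFC 5322 headers into (name, value) pairs, like SA's non-raw header view."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    out = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            out.append((name.strip().lower(), value.strip()))
    return out

def header_exists(raw, name):
    """Equivalent of 'header __HAS_TO exists:To'; negate it for MISSING_TO."""
    return any(n == name.lower() for n, _ in parse_headers(raw))

def hdrs_missp(raw):
    """__HDRS_MISSP on ALL:raw: a listed name at line start whose colon is NOT followed by whitespace."""
    return re.search(r"^(?:Subject|From|To|Reply-To):\S", raw, re.I | re.M | re.S) is not None

def header_matches(raw, name, pattern):
    """'header RULE Name =~ /pattern/': true if any header of that name matches."""
    rx = re.compile(pattern, re.I)
    return any(n == name.lower() and rx.search(v) for n, v in parse_headers(raw))

def addressed_to(raw, addr):
    """Loren's meta: __TO_X || __RCVD_X, with the address escaped for the regex."""
    pat = r"\b" + re.escape(addr) + r"\b"
    return header_matches(raw, "To", pat) or header_matches(raw, "Received", pat)

def received_for(raw):
    """Envelope recipient from the first Received 'for <addr>' clause, or None when the MTA omitted it."""
    for n, v in parse_headers(raw):
        if n == "received":
            m = re.search(r"\bfor\s+<([^>]+)>", v)
            if m:
                return m.group(1)
    return None
```

Note that MULTI_RCPT has a recipient but no 'for' clause, so only a synthesized envelope-to header (Dave's suggestion) would let a rule see it.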