
Testing for all capital headers, like FROM:, TO:, etc. ?
Is there a way to test to see if a header is all caps, i.e. a way to tell if a
header line is FROM: rather than From:? Thanks.

Mark

Re: Testing for all capital headers, like FROM:, TO:, etc. ?
At 04:16 PM 3/9/2004, Mark London wrote:
>Is there a way to test to see if a header is all caps, i.e. a way to tell if a
>header line is FROM: rather than From:? Thanks.
>
>Mark


You mean like this standard rule from SA 2.50 and higher?

header FROM_NO_LOWER From !~ /[a-z]/
describe FROM_NO_LOWER 'From' has no lower-case characters

Re: Testing for all capital headers, like FROM:, TO:, etc. ?
At 04:34 PM 3/9/2004, Matt Kettler wrote:
>At 04:16 PM 3/9/2004, Mark London wrote:
> >Is there a way to test to see if a header is all caps, i.e. a way to tell if a
> >header line is FROM: rather than From:? Thanks.
> >
> >Mark
>
>
>You mean like this standard rule from SA 2.50 and higher?
>
>header FROM_NO_LOWER From !~ /[a-z]/
>describe FROM_NO_LOWER 'From' has no lower-case characters

Whoops.. my bad, that looks for a no-lower email address..

Let's instead look at a rule from SA 2.30 through SA 2.44:

header ALL_CAPS_HEADER ALL =~ /\n(?:TO|FROM|SUBJECT|DATE):/s

Re: Testing for all capital headers, like FROM:, TO:, etc. ?
Matt Kettler wrote on Tue, 09 Mar 2004 16:34:32 -0500:

> You mean like this standard rule from SA 2.50 and higher?
>
> header FROM_NO_LOWER From !~ /[a-z]/
> describe FROM_NO_LOWER 'From' has no lower-case characters
>

No, he means FROM: instead of the standard From:
It's very typical for several viruses to use FROM:, TO: and SUBJECT: If
you look at those messages, it's the first thing that stands out. I've
never seen that in any other messages, although there may be a few clients
which do this. But it certainly is a good virus sign if you don't use a
virus scanner or want to flag these messages as spam, anyway.


Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

Re: Testing for all capital headers, like FROM:, TO:, etc. ?
--On Tuesday, March 09, 2004 9:16 PM +0000 Mark London <mrl@psfc.mit.edu>
wrote:

> Is there a way to test to see if a header is all caps, i.e. a way to tell if
> a header line is FROM: rather than From:? Thanks.

I use this procmail rule:


# case-sensitive header search, SWEN uses FROM, TO, SUBJECT
# note that the ^TO macro has to be escaped to match the literal word TO.

:0 D
* ^FROM:
* \^TO:
* ^SUBJECT:
|/usr/local/bin/dmail +mail/IT/SWEN

Re: Testing for all capital headers, like FROM:, TO:, etc. ?
My understanding is the header rules need to match on case.
So "From =~" isn't going to match a FROM: header.
A test for "FROM =~" presumably would.

Or probably you could (untested) do something like:

header ALL =~ /^(?:FROM|TO)\:\s/

Loren

----- Original Message -----
From: "Mark London" <mrl@psfc.mit.edu>
To: <spamassassin-users@incubator.apache.org>
Sent: Tuesday, March 09, 2004 1:16 PM
Subject: Testing for all capital headers, like FROM:, TO:, etc. ?


> Is there a way to test to see if a header is all caps, i.e. a way to tell if a
> header line is FROM: rather than From:? Thanks.
>
> Mark
>
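
Added example, not part of any post in this thread: a case-sensitive check for the all-caps field names discussed above (FROM:, TO:, SUBJECT:, DATE:), run over the raw header block so that folded continuation lines and body text are not mistaken for headers. The function names and both sample messages are constructed for illustration.

```python
import re

# Upper-case field names the thread's rules look for.
WATCHED = {"FROM", "TO", "SUBJECT", "DATE"}
# RFC 5322 field name (printable ASCII except ':'), optional blanks, then ':'.
FIELD_RE = re.compile(rb"^([!-9;-~]+)[ \t]*:")

def header_names(raw: bytes) -> list[str]:
    """Field names exactly as written, in order. Python's email package
    looks names up case-insensitively, so this reads the raw header block."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]  # stop at the body
    names = []
    for line in re.split(rb"\r?\n", head):
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous field
        m = FIELD_RE.match(line)
        if m:
            names.append(m.group(1).decode("ascii"))
    return names

def all_caps_headers(raw: bytes) -> list[str]:
    """Watched field names that appear entirely in upper case."""
    return [n for n in header_names(raw) if n in WATCHED]

def matches_all_three(raw: bytes) -> bool:
    """Same AND condition as the procmail recipe: FROM, TO and SUBJECT."""
    return {"FROM", "TO", "SUBJECT"} <= set(all_caps_headers(raw))

# Constructed sample messages (not taken from real mail).
SUSPECT = (b"Received: from host.example (constructed)\r\n"
           b"FROM: \"Sender\" <a@example.com>\r\n"
           b"TO: <b@example.org>\r\n"
           b"SUBJECT: hello\r\n"
           b"Date: Tue, 09 Mar 2004 16:16:00 -0500\r\n"
           b"\r\nbody\r\n")
NORMAL = (b"From: a@example.com\r\n"
          b"To: b@example.org\r\n"
          b"Subject: wrapped\r\n"
          b"\tFROM: inside a folded line\r\n"
          b"\r\nFROM: in the body\r\n")

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(label, all_caps_headers(msg), matches_all_three(msg))
```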