On Tue, Sep 23, 2003 at 03:58:04PM -0500, Yackley, Matt wrote:
> Do you have an example of what you are trying to search for that would
> require searching the email as a whole instead of a line at a time?
Here's an example of the kind of double bounces I want to match:
From [EMAIL PROTECTED] Tue Sep 23 20:36:26 2003
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from mail.kelloseppakoulu.fi [194.100.26.129]
by localhost with IMAP (fetchmail-6.2.0)
for [EMAIL PROTECTED] (single-drop); Tue, 23 Sep 2003 20:36:26 +0300 (EEST)
Received: (qmail 21043 invoked by alias); 23 Sep 2003 17:35:40 -0000
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 21040 invoked by alias); 23 Sep 2003 17:35:40 -0000
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 21037 invoked for bounce); 23 Sep 2003 17:35:40 -0000
Date: 23 Sep 2003 17:35:40 -0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice
Status: RO
Hi. This is the qmail-send program at mail.kelloseppakoulu.fi.
I tried to deliver a bounce message to this address, but the bounce bounced!
<[EMAIL PROTECTED]>:
212.20.96.234 does not like recipient.
Remote host said: 550 5.1.1 <[EMAIL PROTECTED]>... User unknown
Giving up on 212.20.96.234.
--- Below this line is the original bounce.
Return-Path: <>
Received: (qmail 21028 invoked for bounce); 23 Sep 2003 17:35:35 -0000
Date: 23 Sep 2003 17:35:35 -0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice
Hi. This is the qmail-send program at mail.kelloseppakoulu.fi.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<[EMAIL PROTECTED]>:
Sorry, no mailbox here by that name. (#5.1.1)
--- Below this line is a copy of the message.
Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 21024 invoked by uid 72); 23 Sep 2003 17:35:35 -0000
Received: from [EMAIL PROTECTED] by nauris by uid 70 with qmail-scanner-1.16
(spamassassin: 2.55. Clear:SA:1(13.4/8.0):.
Processed in 5.240393 secs); 23 Sep 2003 17:35:35 -0000
Received: from localhost [127.0.0.1] by nauris
with SpamAssassin (2.55 1.174.2.19-2003-05-19-exp);
Tue, 23 Sep 2003 20:35:35 +0300
From: "Adan W. Sanders" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Get your spouses EMAIL Password with SPYWARE!
oo pymqyb3m46
Date: Tue, 23 Sep 2003 15:39:15 +0000
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=13.4 required=8.0
tests=DCC_CHECK,HTML_70_80,HTML_FONT_BIG,HTML_FONT_COLOR_RED,
HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CHECK,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_OSIRUSOFT_COM,RCVD_IN_RFCI,
RCVD_IN_UNCONFIRMED_DSBL,SUBJ_HAS_SPACES
version=2.55
X-Spam-Level: *************
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3F708467.03FB13C5"
This is a multi-part message in MIME format.
------------=_3F708467.03FB13C5
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
This mail is probably spam. The original message has been attached...
[ SA test report removed from here ]
...it, it may be safer to save it to a file and open it with an editor.
------------=_3F708467.03FB13C5
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
[ a spam message removed from here ]
My idea is to match these messages by checking if it has for instance the
following lines _in that order_ (this check can ofcourse be made more
elaborate):
Hi. This is the qmail-send program at mail\.kelloseppakoulu\.fi
I tried to deliver a bounce message to this address, but the bounce bounced!
--- Below this line is the original bounce
From: [EMAIL PROTECTED]
Subject: failure notice
Sorry, no mailbox here by that name\. \(#5\.1\.1\)
X-Spam-Status: Yes, hits=\d+\.\d+ required=\d+.\d+
> How about setting up a meta rule to check multiple items within a message?
That would probably be the best solution with SA's current functionality.
And likely sufficient.
--
Samuli Kärkkäinen |\ _,,,---,,_
[EMAIL PROTECTED] ---------ZZZzz /,`.-'`' -. ;-;;,_------
http://www.woods.iki.fi |,4- ) )-,_. ,\ ( `'-'
'---''(_/--' `-'\_)
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
