https://cwiki.apache.org/confluence/display/SPAMASSASSIN/WritingRulesAdvanced
You need m-modifier, matched string is all the header values separated by
newline, so you want to match all of the line starts.
header L_MY_HEADER X-My-Header =~ /^/m
tflags L_MY_HEADER multiple
On Mon, May 03, 2021 at 10:18:51AM -0500, Dave Funk wrote:
> I'm trying to create a rule to count the number of instances of a particular
> header.
> IE in email messages there could be zero or more instances of a particular
> header and I want to know how many there are so I can use that info in a
> meta to detect a spam sign.
>
> I first crafted a rule:
> header L_MY_HEADER X-My-Header !~ /^UNSET$/ [if-unset: UNSET]
> describe L_MY_HEADER has X-My_header
> score L_MY_HEADER 0.1
>
> Which did correctly detect the existence of 'X-My-Header'. Then to count the
> number of them I added a 'tflags':
> tflags L_MY_HEADER multiple maxhits=10
>
> But that would always fire 10 times if there were any instances of
> 'X-My-Header' (even if there was only one).
>
> So I modified the pattern match part of the rule:
> header L_MY_HEADER X-My-Header =~ /./
>
> Which had the same effect as the first form (IE either zero or 10 firings).
>
> As the header would have at least 6 characters but less than 150 I then tried:
> header L_MY_HEADER X-My-Header =~ /^.{5,200}/
>
> Which would fire only once, even if there were 5 or more instances of the
> header.
>
> What am I doing wrong? How should I craft a rule to count the number of
> instances of that header?
>
> Thanks,
> Dave
>
> --
> Dave Funk University of Iowa
> <dbfunk (at) engineering.uiowa.edu> College of Engineering
> 319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
> Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better. B{
