I'm seeing some amount of traffic with obfuscated content in To: lines,
where the display name is shown as an angled bracket. For example:
To: "<"<u...@example.com>
I've been playing with a rule to identify this particular pattern (and
score in metas):
header LR_OBSC_RECIPS To =~ /\"\<\"/
When I run this one in testing, I'm getting scores on the messages I feed
to it, but when live mail with this pattern comes through, the rule
isn't hitting.
As far as I'm aware, my testing methodology is working correctly, and I
do pass samples of received messages against test copies of new rules
for nearly all of my new rules before applying them to my working servers.
In my testing setup (running Debian), I have a working directory, where
I have symlinks to all the rulesets in /usr/share/spamassassin. I also
have a .cf file in the working directory where I copy a new rule. When
I test a rule, I use a script that pipes a message through spamassassin:
spamassassin -t -D -C . 2> ./debug.log
When I'm satisfied from my testing that the rule is working correctly,
then I apply it to my production servers.
Any ideas as to why my rule is hitting in testing, but not on live mail?
Is there something I'm missing in my rule syntax, or something that
I'm not doing correctly in my testing methodology?
Smith
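
One way to see which To: forms the pattern in the post covers, as an added example (not part of the original post, and not SpamAssassin's own code): the rule's regex is applied in Python to constructed header values, both as written and after RFC 2047 decoding. The sample addresses and the helper names `decoded`, `classify` and `report` are assumptions made for illustration.

```python
import re
from email.header import decode_header, make_header

# Same pattern as the LR_OBSC_RECIPS rule in the post: a display name
# consisting of a quoted "<" (the backslashes in the rule are redundant escapes).
OBSC_RECIP = re.compile(r'"<"')

# Constructed To: header values (not taken from real mail).
SAMPLES = {
    "quoted":        '"<"<user@example.com>',
    "quoted_space":  '"<" <user@example.com>',
    "rfc2047_b64":   '=?UTF-8?B?Ijwi?= <user@example.com>',
    "rfc2047_qp":    '=?UTF-8?Q?=22=3C=22?= <user@example.com>',
    "single_quotes": "'<' <user@example.com>",
    "inner_space":   '"< " <user@example.com>',
    "ordinary":      '"Some User" <user@example.com>',
}


def decoded(value: str) -> str:
    """Return the header value with RFC 2047 encoded-words decoded."""
    return str(make_header(decode_header(value)))


def classify(value: str) -> dict:
    """Report whether the pattern matches the raw and the decoded value."""
    return {
        "raw": bool(OBSC_RECIP.search(value)),
        "decoded": bool(OBSC_RECIP.search(decoded(value))),
    }


def report() -> dict:
    """Classify every constructed sample."""
    return {name: classify(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:14} raw={result['raw']!s:5} "
              f"decoded={result['decoded']!s:5} {SAMPLES[name]}")
```

Running the same comparison over the raw To: line of a live message that the rule missed shows whether that message carries the literal `"<"` sequence or a variant of it.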