On Fri, 29 Jan 2016, Olivier Coutu wrote:
To: Aa
To: Bb
To: Cc
To: Dd
To: Ee
Here are the rules to test:
# tests for SA list
body T_BODY_TO_NOMULTI /(^|\n|\r)To: \S/i #Should hit "To : " at
start of line
rawbody T_RAWBODY_TO_NOMULTI /(^|\n|\r)To: \S/i #I am unsure
how rawbody changes things
The object of these rules is to detect the "To" in a body at the start of a
line as to check if this e-mail might be a reply. When run on the e-mail
above, I expected the following result for all rules:
To: A
To: B
To: C
Here are the actual results for all rules:
spamassassin -D 2>&1 < t2.eml | grep BODY_TO
jan 29 10:56:14.310 [11274] dbg: rules: ran body rule T_BODY_TO_NOMULTI
======> got hit: "To: A"
jan 29 10:56:14.310 [11274] dbg: rules: ran body rule T_BODY_TO_NOMULTI
======> got hit: "To: D" #should be B
"body" rules work on a "cleaned-up" version of the body. HTML markup is
removed, and paragraphs are collapsed into a single line.
Therefore, what a "body" rule sees for the first part of your test email
is:
To: Aa To: Bb To: Cc
A rule anchored at the beginning of the line will only match that once.
What you want can only be done as a rawbody rule.
You don't need the linebreak stuff; just do this:
rawbody __BODY_LINE_TO_PREFIX /^To:\s/i
tflags __BODY_LINE_TO_PREFIX multiple maxhits=3
meta BODY_MANY_TO_PREFIX __BODY_LINE_TO_PREFIX > 2
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Activist: Someone who gets involved.
Unregistered Lobbyist: Someone who gets involved
with something the MSM doesn't approve of. -- WizardPC
-----------------------------------------------------------------------
3 days until the 13th anniversary of the loss of STS-107 Columbia
