Return-Path: 
 <users-return-95329-apmail-spamassassin-users-archive=spamassassin.apache.org@spamassassin.apache.org>
X-Original-To: apmail-spamassassin-users-archive@www.apache.org
Delivered-To: apmail-spamassassin-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id C829B76E9
	for <apmail-spamassassin-users-archive@www.apache.org>;
 Tue,  4 Oct 2011 09:10:19 +0000 (UTC)
Received: (qmail 93066 invoked by uid 500); 4 Oct 2011 09:10:17 -0000
Delivered-To: apmail-spamassassin-users-archive@spamassassin.apache.org
Received: (qmail 93020 invoked by uid 500); 4 Oct 2011 09:10:17 -0000
Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:users-help@spamassassin.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@spamassassin.apache.org>
List-Post: <mailto:users@spamassassin.apache.org>
List-Id: <users.spamassassin.apache.org>
Delivered-To: mailing list users@spamassassin.apache.org
Received: (qmail 93013 invoked by uid 99); 4 Oct 2011 09:10:17 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 04 Oct 2011 09:10:17 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy)
Received: from [84.45.41.196] (HELO bs1.fjl.org.uk) (84.45.41.196)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 04 Oct 2011 09:10:07 +0000
Received: from [192.168.1.31] (mux.fjl.org.uk [62.3.120.246])
	(authenticated bits=0)
	by bs1.fjl.org.uk (8.14.4/8.14.4) with ESMTP id p9499jRc031790
	(version=TLSv1/SSLv3 cipher=DHE-DSS-CAMELLIA256-SHA bits=256 verify=NO)
	for <users@spamassassin.apache.org>; Tue, 4 Oct 2011 10:09:45 +0100 (BST)
	(envelope-from frank1@extremecomputing.org.uk)
Message-ID: <4E8ACD5C.5060006@extremecomputing.org.uk>
Date: Tue, 04 Oct 2011 10:09:48 +0100
From: Frank Leonhardt <frank1@extremecomputing.org.uk>
User-Agent: Mozilla/5.0 (Windows NT 5.1;
 rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: users@spamassassin.apache.org
Subject: Re: Rule matching in a wrapped header
References: <4E8A3369.7000902@extremecomputing.org.uk>
 <20111004015824.52252efa@gumby.homeunix.com>
In-Reply-To: <20111004015824.52252efa@gumby.homeunix.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on bs1.fjl.org.uk
X-Virus-Checked: Checked by ClamAV on apache.org
X-Old-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	version=3.3.2

On 04/10/2011 01:58, RW wrote:
> On Mon, 03 Oct 2011 23:12:57 +0100
> Frank Leonhardt wrote:
>
>> I'm having a great deal of trouble writing a rule to match something
>> in a Received: header. The problem is that sendmail(?) is whitespace
>> wrapping the header. In other words, instead of:
> Headers are converted into a single line before the header rules are
> run against them. I think you've probably just made a silly mistake
> somewhere.
>
>
> <snip>
> $ spamc -u test<  /tmp/test.txt | grep " TEST_RULE"
> 	*  0.0 TEST_RULE TEST_RULE

Thanks - that's exactly what I thought should happen. I was starting to 
think I was going crazy. I didn't think of running from the command line 
- good idea. I'd tried everything else.

So, doing this using the actual rule and an actual header it *does* 
work. It's only when its run through the milter that it fails to match.

If we're right about wrapped headers not mattering, the only explanation 
is that spamd isn't seeing the the same headers as those that appear on 
the final email. This sort-of makes sense - sendmail calls the milter 
BEFORE adding the final header IIRC. It's also supposed to fake-up the 
header before it goes to the milter, to allow that to function (I 
believe). It's not something that's every gone wrong so I've never 
looked at it.

Stuff on the first line of the header is detectable. Stuff on subsequent 
lines (as they appear in the final message) isn't. I haven't messed up 
the perl regex because (a) the test is so trivial I even I couldn't get 
confused by it; and (b) your suggestion of proving it using spamc works. 
It's configured and the rule is "seen" - I know this because it does 
detect patterns in the first line.

What's going wrong?

I should have mentioned the versions:

SpamAssassin 3.3.2 (2011-06-06)

sendmail Version 8.14.4
  Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
                 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

FreeBSD 8.2-RELEASE


What might help is a way to see what the spamd is seeing as a headers 
when it's "live", but I can't see an easy way to do this.


Thanks, Frank.




-- 
--------------
Sent from my Cray XT5