antispam at khopis
May 14, 2012, 1:46 PM
Post #2 of 3
On 05/03/2012 10:02 AM, Mike Grau wrote:
> The meta rule in 72_active.cf "KB_FAKED_THE_BAT" is getting
> circumvented here because the meta rule component
> header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/
> is being evaded by spam that now has a space character before the tab:
> # grep Date: HEADERS | od -a
> 0000000 D a t e : sp ht T h u , sp 3 sp M a
> 0000020 y sp 2 0 1 2 sp 1 6 : 5 3 : 5 9 sp
> 0000040 + 0 7 0 0 nl
> 0000046
> This has been Russian language spam (charset koi8-r) with various
> flavors of X-Mailer: The Bat!
What version of SpamAssassin are you running? Here's a note from that
rule's definition (rulesrc/sandbox/kb/20_header.cf):
# NOTE Depends on some header rule code fixes for 3.3.x to remove
# the leading space that was showing up in header rules. For
# 3.2.x releases the pattern must be changed to /^ \t/.
Karsten: Maybe change it to /^ ?\t/ as a workaround?
(Yes, I know we've stopped supporting sa3.2.x)
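
The version difference discussed in this thread, as an added example that is not part of the original posts and not SpamAssassin's own code: it evaluates the three patterns against a Date header value with and without the leading space. The two header lines are constructed samples, and `raw_value()` with its `strip_leading_space` switch is a hypothetical model of the 3.2.x/3.3.x behaviour described in the rule's note.

```python
import re

# Constructed sample headers (not real mail). The first mirrors the od dump:
# "Date:" followed by a space, then a tab.
SPAM_DATE = b"Date: \tThu, 3 May 2012 16:53:59 +0700\n"
CLEAN_DATE = b"Date: Thu, 3 May 2012 16:53:59 +0700\n"

# The three patterns mentioned in the thread.
PATTERNS = {
    r"/^\t/": re.compile(rb"^\t"),      # current rule (expects 3.3.x behaviour)
    r"/^ \t/": re.compile(rb"^ \t"),    # variant the note gives for 3.2.x
    r"/^ ?\t/": re.compile(rb"^ ?\t"),  # proposed workaround
}


def raw_value(header_line, strip_leading_space):
    """Return everything after 'Name:' in a raw header line.

    Assumption (from the rule's note): 3.3.x hands header rules the value
    without the single space after the colon, 3.2.x leaves it in place.
    """
    _name, sep, value = header_line.partition(b":")
    if not sep:
        raise ValueError("not a header line")
    if strip_leading_space and value.startswith(b" "):
        value = value[1:]
    return value


def evaluate(header_line):
    """Map (modelled version, pattern) -> whether the pattern matches."""
    results = {}
    for version, strip in (("3.2.x", False), ("3.3.x", True)):
        value = raw_value(header_line, strip)
        for label, pattern in PATTERNS.items():
            results[(version, label)] = bool(pattern.search(value))
    return results


if __name__ == "__main__":
    for name, line in (("spam", SPAM_DATE), ("clean", CLEAN_DATE)):
        for key, hit in sorted(evaluate(line).items()):
            print(name, key, "match" if hit else "no match")
```

Only `/^ ?\t/` matches the space-then-tab header under both modelled behaviours, and none of the three patterns matches the ordinary Date header.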