On Sat, 5 Oct 2002, Adam Moffett wrote:
> We periodically receive spam messages that seem to contain the entire
> message in their header.
Exactly what do you mean by this? A message's header must conform to the
syntax of RFC 822. Exim will terminate the header and start the body
when it encounters a line that does not match the header syntax, which is
name: data...
(with possible indented continuations).
> I'm guessing these messages are coming from some poorly written
> spammer software that doesn't put a CRLF between the header and the
> body...or else it's using something other than CRLF at the end of
> each line.
Unless the body looks like header lines, the omission of the blank line
shouldn't matter. Note also that Exim does have a limit on the total
size of the header (though it is quite big - 1Mb by default).
The omission of CRLF altogether could create one enormously long header
line, I suppose. Maybe that's the problem. You could perhaps detect such
a thing using a regular expression like this
[^\r\n]{128,}
which matches at least 128 characters in sequence that are neither CR
nor LF. If applied to $message_header in a filter it might catch what
you want. Just an idea; I haven't tried this.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
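
An added example, not part of the original post and not Exim code: a Python sketch of the header/body split rule described above, combined with the suggested regular expression and run over constructed sample messages. The function names and the sample messages are assumptions made for illustration.

```python
import re

# Pattern from the message: 128 or more characters that are neither CR nor LF.
LONG_RUN = re.compile(rb"[^\r\n]{128,}")
# "name: data" syntax; a field name is printable ASCII without space or colon.
FIELD = re.compile(rb"^[\x21-\x39\x3b-\x7e]+[ \t]*:")


def split_header(raw: bytes):
    """Return (header, body), ending the header at the first non-header line.

    A blank line is consumed as the separator; any other line that is neither
    "name: data" nor an indented continuation becomes the first body line.
    """
    pos, seen_field = 0, False
    while pos < len(raw):
        nl = raw.find(b"\n", pos)
        end = len(raw) if nl == -1 else nl + 1
        line = raw[pos:end]
        if line.rstrip(b"\r\n") == b"":
            return raw[:pos], raw[end:]
        continuation = seen_field and line[:1] in (b" ", b"\t")
        if not (FIELD.match(line) or continuation):
            return raw[:pos], raw[pos:]
        seen_field = True
        pos = end
    return raw, b""


def long_header_runs(raw: bytes, pattern=LONG_RUN):
    """Return (offset, length) for each over-long run found in the header."""
    header, _ = split_header(raw)
    return [(m.start(), len(m.group())) for m in pattern.finditer(header)]


# Constructed sample messages (not taken from real mail).
NORMAL = b"From: a@example.com\r\nSubject: hello\r\n\r\nBody text\r\n"
NO_BLANK = b"From: a@example.com\r\nSubject: hello\r\nBuy our product today\r\n"
NO_NEWLINES = b"From: a@example.com Subject: hello " + b"Buy now! " * 30

if __name__ == "__main__":
    samples = [("normal", NORMAL), ("no blank", NO_BLANK), ("no newlines", NO_NEWLINES)]
    for name, msg in samples:
        header, body = split_header(msg)
        print(name, len(header), len(body), long_header_runs(msg))
```

Legitimate mail can contain unfolded header lines longer than 128 characters, so a match is a signal to weigh rather than proof of a malformed message.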