[Rspamd-Users] Custom subject.map ignoring certain regexp

Valentijn Sessink valentijn at sessink.nl
Sat Feb 8 11:14:45 UTC 2025


Hi,


On 02-02-2025 07:26, Richard Klingler wrote:
 > In the subject.map I have this line:
 > /^.*SPENDE.*$/
 > So it should match then this subject in the spam:
 >
 > Subject: SPENDE
 >
 > Can someone explain why the spam slips through?

As far as I have experienced, rspamd seems to (somewhat?) normalize headers; 
at least I'm seeing <LF> 0x0a between multiline headers and <CR><LF> 
0x0d 0x0a between headers. At least that is what I'm seeing in the logs. 
I could be wrong though.

Please also note that SMTP has strict CRLF rules, but that they're not 
enforced and that all combinations of CRLF seem to exist, be it for 
sloppy mail senders or as a result of deliberate mail poisoning.

Your regexp matches:

^ beginning of line
.* zero or more characters EXCEPT newline
SPENDE
.* zero or more characters except newline
$ end of string

This could mean that a subject that has SPENDE<LF> or SPENDE<CR> for 
subject escapes your regexp.

In your case, I'd switch to only have "SPENDE" for regexp, without the 
^$ markers, because that is functionally the same but evades the 
<CR><LF> minefield:
/SPENDE/

Should you really, really want to include the $ modifier, I suggest you 
explicitly state how you want to match newlines and/or weird multiline 
headers. Having something like
/(*ANYCRLF)^.*SPENDE.*$/m
- but then still: SPENDE could be on another line and I'm not sure how 
the matching is done.

Best regards,

Valentijn
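
An added example, not part of the original post: it runs the thread's patterns over constructed subject values with different line endings and reports which ones each pattern fails to match. Python's `re` stands in for rspamd's PCRE engine here (an assumption, so results inside rspamd may differ); the subject strings and the names `match_table` and `escapes` are made up for illustration.

```python
import re

# Patterns from the thread. Assumption: Python's `re` approximates the PCRE
# defaults (`.` excludes LF only; `$` matches at the end or before a final LF).
PATTERNS = {
    "anchored": re.compile(r"^.*SPENDE.*$"),
    "bare": re.compile(r"SPENDE"),
    "anchored_multiline": re.compile(r"^.*SPENDE.*$", re.M),
}

# Constructed subject values, one per line-ending variant.
SUBJECTS = {
    "plain": "SPENDE",
    "trailing_lf": "SPENDE\n",
    "trailing_cr": "SPENDE\r",
    "trailing_crlf": "SPENDE\r\n",
    "folded_before": "Wichtig:\n SPENDE",    # keyword on a continuation line
    "folded_after": "SPENDE\n fuer Sie",     # LF-folded text after the keyword
    "folded_crlf": "SPENDE\r\n fuer Sie",    # CRLF-folded text after the keyword
}


def match_table():
    """Return {pattern_name: {subject_name: matched?}} for all combinations."""
    return {
        pname: {sname: bool(rx.search(value)) for sname, value in SUBJECTS.items()}
        for pname, rx in PATTERNS.items()
    }


def escapes(pattern_name):
    """Names of the constructed subjects that the given pattern does not match."""
    row = match_table()[pattern_name]
    return sorted(name for name, hit in row.items() if not hit)


if __name__ == "__main__":
    for pname in PATTERNS:
        print(f"{pname:20s} misses: {escapes(pname) or 'nothing'}")
```

Under these semantics the anchored pattern only misses subjects with an embedded line break, while the bare and multiline forms match every variant.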


