Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2014/01/11 01:55:39 UTC
Debugging rule help
Hi,
I have an FP that has hit on a few rules, but one of them was a rule
for short URLs, but I can't figure out which one it's hitting. How can
I have it show me which pattern triggered a specific rule?
It seems some rules already show this, for example:
Jan 10 19:38:29.919 [2393] dbg: rules: ran rawbody rule __BUGGED_IMG
======> got hit: "<img src="http://emanage1.com/open.php"
but my rule doesn't. I've run SA as "spamassassin -t -D < myfp" and
below is the rule:
body __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
meta __RB_LE_200 !__RB_GT_200 # less or equal IFF not greater
mimeheader __MIME_IMAGE Content-Type =~ /^image\/./
mimeheader __MIME_ATTACH Content-Disposition =~ /^attachment/
meta LOC_SHORT ((__BODY_LE_200 && __HAS_HTTP_URI) && (!(__MIME_IMAGE || __MIME_ATTACH || BAYES_00 || USER_IN_WHITELIST || KHOP_RCVD_TRUST)))
describe LOC_SHORT Has URI and short body
score LOC_SHORT 1.1
The false-positive is here
http://pastebin.com/yRbH3fWr
Thanks so much,
Alex
Re: Debugging rule help
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 1/11/2014 9:05 AM, Alex wrote:
>
> Hi,
>
> On Fri, Jan 10, 2014 at 10:32 PM, Kevin A. McGrail <KMcGrail@pccc.com> wrote:
>
> I checked in basic and I didn't get very far just looking at the
> first rule using your pastebin example. It didn't appear to hit
> your rules.
>
> Might be something lost via pastebin but it's late and I'm tired
> so could be my mistake as well. However, spamassassin -t -D <
> /tmp/2.mbox 2>&1 | grep __RB_GT showed nothing.
>
>
> It hit all of the subrules and LOC_SHORT here, but I don't understand
> why it doesn't detail the specifics of what triggered each of them.
>
>
> So you might want to look at 3.4.0 from SVN and look at using
> these rules:
>
> body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
> describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
>
> body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
> describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
>
> body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
> describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
>
> body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
> describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
>
>
> I have v3.4 running on a few of the systems now. My rule (one you
> helped me write, actually) detects a body with a short URL, not just
> the body length, although this looks helpful.
>
> Thanks,
> Alex
>
Here's an example of a short email rule I've been working on if it helps:
#NEWS!
header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$/i
body __KAM_NEWS2 /(?:Hello|hey|hi)!/i
meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + __HAS_ANY_URI >= 3)
describe KAM_NEWS Forged Emails with NEWS!
score KAM_NEWS 9.0
Though I've also considered using these rules as well:
#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
uri __KAM_COUNT_URIS /^./
tflags __KAM_COUNT_URIS multiple maxhits=16
describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and email@email.com - use one of the meta rules below instead of directly using this one
meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif
Regards,
KAM
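Alex's original question was how to see which part of a meta rule such as LOC_SHORT actually fired, since `spamassassin -t -D` only prints a `got hit:` line for pattern rules, not for metas; KAM's rules above add count-style metas (`__KAM_COUNT_URIS >= 3`, `__KAM_NEWS1 + __KAM_NEWS2 + ... >= 3`) where the same question comes up. The following is an added example, not code from this thread or from SpamAssassin: a small Python tool that reads the `got hit` lines from `-D` output, parses the `meta` lines of a rule set, and prints the value of every sub-rule a given meta depends on. It assumes a `got hit` line has the shape quoted in the thread (`dbg: rules: ran <type> rule <NAME> ======> got hit:`), that one such line is emitted per match (so a `tflags multiple` rule contributes its match count), and that any rule not seen anywhere is 0. The rule set and the debug excerpt below are constructed for the example; `__HAS_HTTP_URI` is assumed to be a `uri` rule.

```python
"""Explain which sub-rules drove a SpamAssassin meta rule to fire.

Added example, not code from this thread or from SpamAssassin.
Assumptions: the rule set is a string of SpamAssassin .cf lines; hits of
non-meta rules are read from 'spamassassin -t -D' output lines of the form
quoted in the thread ("dbg: rules: ran body rule NAME ======> got hit:"),
one hit per line (the count a 'tflags multiple' rule contributes); a rule
that appears nowhere is treated as not hit (value 0).
Caveat: '!' is translated to Python's 'not', which binds looser than '=='
(in SA it binds tighter), so do not mix '!' with comparisons without parens.
"""
import re

HIT_RE = re.compile(r'dbg: rules: ran \w+ rule (\S+) ======> got hit')
# one token of an SA meta expression: rule name, integer, or operator
TOKEN_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*|\d+|&&|\|\||==|!=|>=|<=|[-+*/<>()!]')
OPS = {'&&': 'and', '||': 'or', '!': 'not'}


def tokenize(expr):
    """Split a meta expression into tokens; anything unexpected is rejected."""
    tokens, rest = [], expr.strip()
    while rest:
        m = TOKEN_RE.match(rest)
        if not m:
            raise ValueError('unsupported token near %r' % rest[:12])
        tokens.append(m.group(0))
        rest = rest[m.end():].lstrip()
    return tokens


def hits_from_debug(debug_text):
    """Count 'got hit' lines per rule name in -D output."""
    hits = {}
    for m in HIT_RE.finditer(debug_text):
        hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits


class MetaExplainer:
    def __init__(self, rules_cf, hits):
        self.meta = {}          # meta rule name -> expression text
        self.hits = dict(hits)  # non-meta rule name -> hit count
        self._cache = {}        # evaluated meta values (None = in progress)
        for raw in rules_cf.splitlines():
            line = re.sub(r'(?<!\\)#.*', '', raw).strip()  # drop trailing comment
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[0] == 'meta':
                self.meta[parts[1]] = parts[2]

    def value(self, name):
        """0/1 for a meta rule, hit count for anything else (0 if unseen)."""
        if name not in self.meta:
            return self.hits.get(name, 0)
        if name in self._cache:
            if self._cache[name] is None:
                raise ValueError('meta rules form a cycle at ' + name)
            return self._cache[name]
        self._cache[name] = None                # mark as in progress
        self._cache[name] = self.evaluate(self.meta[name])[0]
        return self._cache[name]

    def evaluate(self, expr):
        """Return (0/1 result, {referenced rule: its value}) for one expression."""
        py, refs = [], {}
        for tok in tokenize(expr):
            if tok in OPS:
                py.append(OPS[tok])
            elif tok[0].isalpha() or tok[0] == '_':
                refs[tok] = self.value(tok)     # recurses into nested metas
                py.append(str(refs[tok]))
            else:
                py.append(tok)                  # integer or comparison/arithmetic operator
        # by now the string holds only integers, parens and operators
        result = eval(' '.join(py), {'__builtins__': {}}, {})
        return int(bool(result)), refs

    def explain(self, name):
        """Human-readable breakdown of why a meta rule did or did not fire."""
        value, refs = self.evaluate(self.meta[name])
        lines = ['%s = %d   (%s)' % (name, value, self.meta[name])]
        for ref, val in refs.items():
            kind = 'meta' if ref in self.meta else 'rule'
            lines.append('  %-22s %s = %d' % (ref, kind, val))
        return '\n'.join(lines)


# Constructed rule set: Alex's LOC_SHORT rules plus KAM's URI counter.
RULES_CF = r"""
body __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
meta __RB_LE_200 !__RB_GT_200 # less or equal IFF not greater
mimeheader __MIME_IMAGE Content-Type =~ /^image\/./
mimeheader __MIME_ATTACH Content-Disposition =~ /^attachment/
meta LOC_SHORT ((__BODY_LE_200 && __HAS_HTTP_URI) && (!(__MIME_IMAGE || __MIME_ATTACH || BAYES_00 || USER_IN_WHITELIST || KHOP_RCVD_TRUST)))
uri __KAM_COUNT_URIS /^./
tflags __KAM_COUNT_URIS multiple maxhits=16
meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
"""

# Constructed -D excerpt modelled on the line quoted in the thread; not real output.
DEBUG_OUT = """
Jan 10 19:38:29.919 [2393] dbg: rules: ran uri rule __HAS_HTTP_URI ======> got hit: "http://example.invalid/a"
Jan 10 19:38:29.920 [2393] dbg: rules: ran uri rule __KAM_COUNT_URIS ======> got hit: "http://example.invalid/a"
Jan 10 19:38:29.920 [2393] dbg: rules: ran uri rule __KAM_COUNT_URIS ======> got hit: "http://example.invalid/b"
Jan 10 19:38:29.921 [2393] dbg: rules: ran uri rule __KAM_COUNT_URIS ======> got hit: "mailto:someone@example.invalid"
"""

if __name__ == '__main__':
    ex = MetaExplainer(RULES_CF, hits_from_debug(DEBUG_OUT))
    for rule in ('LOC_SHORT', '__KAM_HAS_3_URIS'):
        print(ex.explain(rule))
```

Run it as `spamassassin -t -D < msg 2>&1 | python3 explain.py` after replacing `DEBUG_OUT` with `sys.stdin.read()` and `RULES_CF` with the contents of your local `.cf`. For the constructed input it reports LOC_SHORT = 1 because `__RB_GT_200` never hit (so `__RB_LE_200` and `__BODY_LE_200` are 1), `__HAS_HTTP_URI` hit once, and none of the negated rules fired; `__KAM_HAS_3_URIS` = 1 because `__KAM_COUNT_URIS` was hit three times. A cycle between meta rules is reported as an error instead of recursing forever.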
Re: Debugging rule help
Posted by Alex <my...@gmail.com>.
Hi,
On Fri, Jan 10, 2014 at 10:32 PM, Kevin A. McGrail <KM...@pccc.com> wrote:
> I checked in basic and I didn't get very far just looking at the first
> rule using your pastebin example. It didn't appear to hit your rules.
>
> Might be something lost via pastebin but it's late and I'm tired so could
> be my mistake as well. However, spamassassin -t -D < /tmp/2.mbox 2>&1 |
> grep __RB_GT showed nothing.
>
It hit all of the subrules and LOC_SHORT here, but I don't understand why
it doesn't detail the specifics of what triggered each of them.
> So you might want to look at 3.4.0 from SVN and look at using these rules:
>
> body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
> describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
>
> body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
> describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
>
> body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
> describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
>
> body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
> describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
>
I have v3.4 running on a few of the systems now. My rule (one you helped me
write, actually) detects a body with a short URL, not just the body length,
although this looks helpful.
Thanks,
Alex
Re: Debugging rule help
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
I checked in basic and I didn't get very far just looking at the first
rule using your pastebin example. It didn't appear to hit your rules.
Might be something lost via pastebin but it's late and I'm tired so
could be my mistake as well. However, spamassassin -t -D < /tmp/2.mbox
2>&1 | grep __RB_GT showed nothing.
So you might want to look at 3.4.0 from SVN and look at using these rules:
body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
Otherwise your rules below seem to build on rules I don't have perhaps?
Regards,
KAM
On 1/10/2014 7:55 PM, Alex wrote:
> Hi,
>
> I have an FP that has hit on a few rules, but one of them was a rule
> for short URLs, but I can't figure out which one it's hitting. How can
> I have it show me which pattern triggered a specific rule?
>
> It seems some rules already show this, for example:
>
> Jan 10 19:38:29.919 [2393] dbg: rules: ran rawbody rule __BUGGED_IMG
> ======> got hit: "<img src="http://emanage1.com/open.php"
>
> but my rule doesn't. I've run SA as "spamassassin -t -D < myfp" and
> below is the rule:
>
> body __RB_GT_200 /^.{201}/s
> meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
> meta __RB_LE_200 !__RB_GT_200 # less or equal IFF not greater
> mimeheader __MIME_IMAGE Content-Type =~ /^image\/./
> mimeheader __MIME_ATTACH Content-Disposition =~ /^attachment/
> meta LOC_SHORT ((__BODY_LE_200 && __HAS_HTTP_URI) && (!(__MIME_IMAGE || __MIME_ATTACH || BAYES_00 || USER_IN_WHITELIST || KHOP_RCVD_TRUST)))
> describe LOC_SHORT Has URI and short body
> score LOC_SHORT 1.1
>
> The false-positive is here
> http://pastebin.com/yRbH3fWr
>
> Thanks so much,
> Alex
--
*Kevin A. McGrail*
President
Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422
http://www.pccc.com/
703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-359-8451 (fax)
KMcGrail@PCCC.com