Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2008/10/13 15:29:57 UTC

conditionally zero score of a rule

Hello,

so the spammers got it. my required_score is 3.5 (the same as for BAYES_99)
and SPF_PASS is -0.001. So, even clear spam (I haven't seen FP for BAYES_99
for a LONG LONG time) is passed because of SPF (which theoretically should
not happen).

Now I have a question: Should I zero score of SPF_PASS (I don't want
SPF_PASS to score positively) or just create a meta rule of

meta BAYESPAM_SPFOK (BAYES_99 && SPF_PASS)
score BAYESPAM_SPFOK 0.001

Is it possible to score

score BAYESPAM_SPFOK -$(SPF_PASS) ?

which means, clear the effect of one rule if 

or can I do this?

meta SPF_PASS (SPF_PASS && !BAYES_99)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...

Re: conditionally zero score of a rule

Posted by John Hardin <jh...@impsec.org>.
On Wed, 15 Oct 2008, Matus UHLAR - fantomas wrote:

> On 14.10.08 12:17, John Hardin wrote:
>> You're using BAYES_99 as a poison pill rule, right?
>
> Well, no - that was just an example. However I met this one most often.

Ah. Okay, I misinterpreted your initial post, then.

>> If you're not willing
>> to add enough fractional points to BAYES_99 to overcome SPF_PASS and other
>> similar rules, then why not do this:
>>
>>   meta  CANCEL_SPF_PASS SPF_PASS
>>   score CANCEL_SPF_PASS 0.001
>
> I thought of that, but I'd like to have score negate SPF_PASS even if
> that one changes...

Given that SPF_PASS is only intended to detect a characteristic and not 
alter the score (well, not materially) I doubt its score will change.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   We are now seeing the disastrous consequences of government
   dictating behavior to the mortgage lending industry over the past
   two decades. Why do some think government dictating behavior to
   the health care industry would be any less disastrous?
-----------------------------------------------------------------------
  20 days until the Presidential Election

Re: conditionally zero score of a rule

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Tue, 14 Oct 2008, Matus UHLAR - fantomas wrote:
> 
> >>so, change it to (+) 0.001.  how likely is it to change ham to spam?
> >
> >the same chance, I'd say, for cases someone uses e.g. DKIM...
> >That's why I search for different solution...
> >
> >Well, this was not the first time I'd like to clear effect of a rule if
> >different rule(s) match.

On 14.10.08 12:17, John Hardin wrote:
> You're using BAYES_99 as a poison pill rule, right?

Well, no - that was just an example. However I met this one most often.

> If you're not willing 
> to add enough fractional points to BAYES_99 to overcome SPF_PASS and other 
> similar rules, then why not do this:
> 
>   meta  CANCEL_SPF_PASS SPF_PASS
>   score CANCEL_SPF_PASS 0.001

I thought of that, but I'd like to have score negate SPF_PASS even if
that one changes...

> Can we close this thread?

if there's nothing more to say...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool. 

Re: conditionally zero score of a rule

Posted by John Hardin <jh...@impsec.org>.
On Tue, 14 Oct 2008, Matus UHLAR - fantomas wrote:

>> so, change it to (+) 0.001.  how likely is it to change ham to spam?
>
> the same chance, I'd say, for cases someone uses e.g. DKIM...
> That's why I search for different solution...
>
> Well, this was not the first time I'd like to clear effect of a rule if
> different rule(s) match.

You're using BAYES_99 as a poison pill rule, right? If you're not willing 
to add enough fractional points to BAYES_99 to overcome SPF_PASS and other 
similar rules, then why not do this:

   meta  CANCEL_SPF_PASS SPF_PASS
   score CANCEL_SPF_PASS 0.001

Can we close this thread?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Mine eyes have seen the horror of the voting of the horde;
   They've looted the fromagerie where guv'ment cheese is stored;
   If war's not won before the break they grow so quickly bored;
   Their vote counts as much as yours.                          -- Tam
-----------------------------------------------------------------------
  21 days until the Presidential Election

Re: conditionally zero score of a rule

Posted by Henrik K <he...@hege.li>.
On Tue, Oct 14, 2008 at 11:24:35AM -0500, Daniel J McDonald wrote:
> 
> On Tue, 2008-10-14 at 18:17 +0200, Matus UHLAR - fantomas wrote:
> > On 14.10.08 11:05, Daniel J McDonald wrote:
> > > On Tue, 2008-10-14 at 16:55 +0100, Martin Gregorie wrote:
> > > > On Tue, 2008-10-14 at 17:31 +0200, Matus UHLAR - fantomas wrote:
> > > > > 
> > > > > On 14.10.08 16:20, Martin Gregorie wrote:
> > > > > > Why not change its name to __SPF_PASS and only use it in meta-rules?
> > > > > 
> > > > > because that's SA rule, even if I changed it, after first update it would be
> > > > > lost :)
> > > 
> > > > Is it forbidden for SA rules to have names starting with __ or merely
> > > > unconventional?
> > > 
> > > so, disable it and create a new one:
> > > score SPF_PASS 0
> > > header __SPF_PASS                       eval:check_for_spf_pass()
> > > describe __SPF_PASS 		        SPF: sender matches SPF record
> > > tflags __SPF_PASS                       nice userconf
> > 
> > ... this way I can manually re-write every rule that ever depends on SPF_PASS
> 
> I grepped /var/lib/spamassassin/3.002005/updates.spamassassin.org and
> found no rules relying on SPF_PASS

How do you know there won't be in the future? Don't do kludges. There are
already a bunch of solutions.


Re: conditionally zero score of a rule

Posted by Daniel J McDonald <da...@austinenergy.com>.
On Tue, 2008-10-14 at 18:17 +0200, Matus UHLAR - fantomas wrote:
> On 14.10.08 11:05, Daniel J McDonald wrote:
> > On Tue, 2008-10-14 at 16:55 +0100, Martin Gregorie wrote:
> > > On Tue, 2008-10-14 at 17:31 +0200, Matus UHLAR - fantomas wrote:
> > > > 
> > > > On 14.10.08 16:20, Martin Gregorie wrote:
> > > > > Why not change its name to __SPF_PASS and only use it in meta-rules?
> > > > 
> > > > because that's SA rule, even if I changed it, after first update it would be
> > > > lost :)
> > 
> > > Is it forbidden for SA rules to have names starting with __ or merely
> > > unconventional?
> > 
> > so, disable it and create a new one:
> > score SPF_PASS 0
> > header __SPF_PASS                       eval:check_for_spf_pass()
> > describe __SPF_PASS 		        SPF: sender matches SPF record
> > tflags __SPF_PASS                       nice userconf
> 
> ... this way I can manually re-write every rule that ever depends on SPF_PASS

I grepped /var/lib/spamassassin/3.002005/updates.spamassassin.org and
found no rules relying on SPF_PASS

do you have rules that depend on it?

> 
-- 
Daniel J McDonald <da...@austinenergy.com>

Re: conditionally zero score of a rule

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 14.10.08 11:05, Daniel J McDonald wrote:
> On Tue, 2008-10-14 at 16:55 +0100, Martin Gregorie wrote:
> > On Tue, 2008-10-14 at 17:31 +0200, Matus UHLAR - fantomas wrote:
> > > 
> > > On 14.10.08 16:20, Martin Gregorie wrote:
> > > > Why not change its name to __SPF_PASS and only use it in meta-rules?
> > > 
> > > because that's SA rule, even if I changed it, after first update it would be
> > > lost :)
> 
> > Is it forbidden for SA rules to have names starting with __ or merely
> > unconventional?
> 
> so, disable it and create a new one:
> score SPF_PASS 0
> header __SPF_PASS                       eval:check_for_spf_pass()
> describe __SPF_PASS 		        SPF: sender matches SPF record
> tflags __SPF_PASS                       nice userconf

... this way I can manually re-write every rule that ever depends on SPF_PASS

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...

Re: conditionally zero score of a rule

Posted by Daniel J McDonald <da...@austinenergy.com>.
On Tue, 2008-10-14 at 16:55 +0100, Martin Gregorie wrote:
> On Tue, 2008-10-14 at 17:31 +0200, Matus UHLAR - fantomas wrote:
> > 
> > On 14.10.08 16:20, Martin Gregorie wrote:
> > > Why not change its name to __SPF_PASS and only use it in meta-rules?
> > 
> > because that's SA rule, even if I changed it, after first update it would be
> > lost :)

> Is it forbidden for SA rules to have names starting with __ or merely
> unconventional?

so, disable it and create a new one:
score SPF_PASS 0
header __SPF_PASS                       eval:check_for_spf_pass()
describe __SPF_PASS 		        SPF: sender matches SPF record
tflags __SPF_PASS                       nice userconf

then you can make meta-rules to your heart's content.



Re: conditionally zero score of a rule

Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2008-10-14 at 17:31 +0200, Matus UHLAR - fantomas wrote:
> > On Tue, 2008-10-14 at 16:36 +0200, Matus UHLAR - fantomas wrote:
> > > On 14.10.08 07:12, Daniel J McDonald wrote:
> > > > On Tue, 2008-10-14 at 08:55 +0200, Matus UHLAR - fantomas wrote:
> > > > > > On Mon, October 13, 2008 16:39, Henrik K wrote:
> > > > > > 
> > > > > > >> meta SPF_PASS (SPF_PASS && !BAYES_99)
> > > > > > > Obviously you can't redefine SPF_PASS on the fly.
> > > > > 
> > > > > On 13.10.08 21:08, Benny Pedersen wrote:
> > > > > > also that SPF_PASS was never meant to let any msg through it was just a
> > > > > > pointer that SPF is not fail
> > > > > 
> > > > > I know, and so it should have zero score... unluckily that causes SA not to
> > > > > apply the rule. unluckily even the -0.001 can change spam to ham...
> > > > 
> > > > so, change it to (+) 0.001.  how likely is it to change ham to spam?
> > > 
> > > the same chance, I'd say, for cases someone uses e.g. DKIM... 
> > > That's why I search for different solution...
> > > 
> > > Well, this was not the first time I'd like to clear effect of a rule if
> > > different rule(s) match. 
> 
> On 14.10.08 16:20, Martin Gregorie wrote:
> > Why not change its name to __SPF_PASS and only use it in meta-rules?
> 
> because that's SA rule, even if I changed it, after first update it would be
> lost :)
> 
Is it forbidden for SA rules to have names starting with __ or merely
unconventional?

Just checking....	:-)


Martin



Re: conditionally zero score of a rule

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Tue, 2008-10-14 at 16:36 +0200, Matus UHLAR - fantomas wrote:
> > On 14.10.08 07:12, Daniel J McDonald wrote:
> > > On Tue, 2008-10-14 at 08:55 +0200, Matus UHLAR - fantomas wrote:
> > > > > On Mon, October 13, 2008 16:39, Henrik K wrote:
> > > > > 
> > > > > >> meta SPF_PASS (SPF_PASS && !BAYES_99)
> > > > > > Obviously you can't redefine SPF_PASS on the fly.
> > > > 
> > > > On 13.10.08 21:08, Benny Pedersen wrote:
> > > > > also that SPF_PASS was never meant to let any msg through it was just a
> > > > > pointer that SPF is not fail
> > > > 
> > > > I know, and so it should have zero score... unluckily that causes SA not to
> > > > apply the rule. unluckily even the -0.001 can change spam to ham...
> > > 
> > > so, change it to (+) 0.001.  how likely is it to change ham to spam?
> > 
> > the same chance, I'd say, for cases someone uses e.g. DKIM... 
> > That's why I search for different solution...
> > 
> > Well, this was not the first time I'd like to clear effect of a rule if
> > different rule(s) match. 

On 14.10.08 16:20, Martin Gregorie wrote:
> Why not change its name to __SPF_PASS and only use it in meta-rules?

because that's SA rule, even if I changed it, after first update it would be
lost :)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody

Re: conditionally zero score of a rule

Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2008-10-14 at 16:36 +0200, Matus UHLAR - fantomas wrote:
> On 14.10.08 07:12, Daniel J McDonald wrote:
> > On Tue, 2008-10-14 at 08:55 +0200, Matus UHLAR - fantomas wrote:
> > > > On Mon, October 13, 2008 16:39, Henrik K wrote:
> > > > 
> > > > >> meta SPF_PASS (SPF_PASS && !BAYES_99)
> > > > > Obviously you can't redefine SPF_PASS on the fly.
> > > 
> > > On 13.10.08 21:08, Benny Pedersen wrote:
> > > > also that SPF_PASS was never meant to let any msg through it was just a
> > > > pointer that SPF is not fail
> > > 
> > > I know, and so it should have zero score... unluckily that causes SA not to
> > > apply the rule. unluckily even the -0.001 can change spam to ham...
> > 
> > so, change it to (+) 0.001.  how likely is it to change ham to spam?
> 
> the same chance, I'd say, for cases someone uses e.g. DKIM... 
> That's why I search for different solution...
> 
> Well, this was not the first time I'd like to clear effect of a rule if
> different rule(s) match. 
> 
Why not change its name to __SPF_PASS and only use it in meta-rules?


Martin



Re: conditionally zero score of a rule

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 14.10.08 07:12, Daniel J McDonald wrote:
> On Tue, 2008-10-14 at 08:55 +0200, Matus UHLAR - fantomas wrote:
> > > On Mon, October 13, 2008 16:39, Henrik K wrote:
> > > 
> > > >> meta SPF_PASS (SPF_PASS && !BAYES_99)
> > > > Obviously you can't redefine SPF_PASS on the fly.
> > 
> > On 13.10.08 21:08, Benny Pedersen wrote:
> > > also that SPF_PASS was never meant to let any msg through it was just a
> > > pointer that SPF is not fail
> > 
> > I know, and so it should have zero score... unluckily that causes SA not to
> > apply the rule. unluckily even the -0.001 can change spam to ham...
> 
> so, change it to (+) 0.001.  how likely is it to change ham to spam?

the same chance, I'd say, for cases someone uses e.g. DKIM... 
That's why I search for different solution...

Well, this was not the first time I'd like to clear effect of a rule if
different rule(s) match. 

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
to take effect. [OK]

Re: conditionally zero score of a rule

Posted by Daniel J McDonald <da...@austinenergy.com>.
On Tue, 2008-10-14 at 08:55 +0200, Matus UHLAR - fantomas wrote:
> > On Mon, October 13, 2008 16:39, Henrik K wrote:
> > 
> > >> meta SPF_PASS (SPF_PASS && !BAYES_99)
> > > Obviously you can't redefine SPF_PASS on the fly.
> 
> On 13.10.08 21:08, Benny Pedersen wrote:
> > also that SPF_PASS was never meant to let any msg through it was just a
> > pointer that SPF is not fail
> 
> I know, and so it should have zero score... unluckily that causes SA not to
> apply the rule. unluckily even the -0.001 can change spam to ham...

so, change it to (+) 0.001.  how likely is it to change ham to spam?

--
Dan McDonald, CCIE# 2495, CISSP # 78281, CNX
Austin Energy


Re: conditionally zero score of a rule

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Mon, October 13, 2008 16:39, Henrik K wrote:
> 
> >> meta SPF_PASS (SPF_PASS && !BAYES_99)
> > Obviously you can't redefine SPF_PASS on the fly.

On 13.10.08 21:08, Benny Pedersen wrote:
> also that SPF_PASS was never meant to let any msg through it was just a
> pointer that SPF is not fail

I know, and so it should have zero score... unluckily that causes SA not to
apply the rule. unluckily even the -0.001 can change spam to ham...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer

Re: conditionally zero score of a rule

Posted by Benny Pedersen <me...@junc.org>.
On Mon, October 13, 2008 16:39, Henrik K wrote:

>> meta SPF_PASS (SPF_PASS && !BAYES_99)
> Obviously you can't redefine SPF_PASS on the fly.

also that SPF_PASS was never meant to let any msg through it was just a
pointer that SPF is not fail

recipient still need to add sender into local.cf / user_prefs with some of
the WHITELIST_(FROM_SPF|AUTH) or for domain wise
DEF_WHITELIST_(FROM_SPF|AUTH)

then adjust score to have it through

never accept -100 for just SPF :)

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: conditionally zero score of a rule

Posted by Henrik K <he...@hege.li>.
On Mon, Oct 13, 2008 at 03:29:57PM +0200, Matus UHLAR - fantomas wrote:
> Hello,
> 
> so the spammers got it. my required_score is 3.5 (the same as for BAYES_99)

Pretty low. But I guess it's ok if you only tag.

> and SPF_PASS is -0.001. So, even clear spam (I haven't seen FP for BAYES_99
> for a LONG LONG time) is passed because of SPF (which theoretically should
> not happen).
> 
> Now I have a question: Should I zero score of SPF_PASS (I don't want
> SPF_PASS to score positively) or just create a meta rule of

Zeroing will disable it, it's better to have it in logs for analyzing. And
for rules that might depend on it.

It makes no sense to try adjusting other rules when you already know what
you want. Simply shortcircuit BAYES_99 as spam or set it at 4 or higher,
problem solved.

> meta BAYESPAM_SPFOK (BAYES_99 && SPF_PASS)
> score BAYESPAM_SPFOK 0.001

Kludge.

> Is it possible to score
> 
> score BAYESPAM_SPFOK -$(SPF_PASS) ?

No. If you feel like testing, I'm not sure what score SPF_PASS (0.001) would
result in. 0 of course, but not sure if it gets disabled at that stage.

> which means, clear the effect of one rule if
>
> or can I do this?
>
> meta SPF_PASS (SPF_PASS && !BAYES_99)

Obviously you can't redefine SPF_PASS on the fly.
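
The threshold arithmetic behind this thread, as an added example that is not part of any post and is not SpamAssassin's code: a simplified scoring model that compares the stock scores with the fixes proposed above. The names evaluate and scenarios, the integer thousandths, and the -0.5 rescoring of SPF_PASS are assumptions made for illustration.

```python
# Simplified model of additive rule scoring; NOT SpamAssassin's own code.
# Scores are in thousandths of a point so the threshold comparison is exact.
REQUIRED = 3500                             # required_score 3.5 (from the thread)
STOCK = {"BAYES_99": 3500, "SPF_PASS": -1}  # 3.5 and -0.001 (from the thread)

# The meta rule proposed in the first post: BAYES_99 && SPF_PASS
CANCEL = ("BAYESPAM_SPFOK", lambda fired: {"BAYES_99", "SPF_PASS"} <= fired)


def evaluate(matched, scores, metas=()):
    """matched: rules whose test matches the message.
    scores:  rule -> score; a score of 0 disables the rule entirely.
    metas:   (name, predicate over the set of fired rules) pairs.
    Returns (total, is_spam, fired)."""
    # "__" sub-rules carry no score but still fire; zero-scored rules do not.
    fired = {r for r in matched if r.startswith("__") or scores.get(r, 0) != 0}
    for name, predicate in metas:
        if scores.get(name, 0) != 0 and predicate(fired):
            fired.add(name)
    total = sum(scores.get(r, 0) for r in fired)
    return total, total >= REQUIRED, fired


def scenarios():
    hits = {"BAYES_99", "SPF_PASS"}          # constructed sample message
    with_meta = {**STOCK, "BAYESPAM_SPFOK": 1}
    return {
        # 3.5 - 0.001 = 3.499: one thousandth under the threshold.
        "stock": evaluate(hits, STOCK),
        # "set it at 4 or higher"
        "bayes_99_at_4": evaluate(hits, {**STOCK, "BAYES_99": 4000}),
        # +0.001 meta cancels -0.001 exactly.
        "cancel_meta": evaluate(hits, with_meta, [CANCEL]),
        # Hypothetical rescoring of SPF_PASS: the fixed +0.001 no longer cancels.
        "cancel_meta_rescored": evaluate(
            hits, {**with_meta, "SPF_PASS": -500}, [CANCEL]),
        # score SPF_PASS 0 plus __SPF_PASS: the total is fixed, but the meta
        # that still names SPF_PASS silently stops firing.
        "zeroed_with_subrule": evaluate(
            hits | {"__SPF_PASS"}, {**with_meta, "SPF_PASS": 0}, [CANCEL]),
    }


if __name__ == "__main__":
    for name, (total, is_spam, fired) in scenarios().items():
        verdict = "spam" if is_spam else "ham"
        print(f"{name:22} {total / 1000:6.3f} {verdict:4} {sorted(fired)}")
```
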