Posted to users@spamassassin.apache.org by Abhijeet Rastogi <ab...@gmail.com> on 2013/09/16 07:23:49 UTC

How do I find a parent rule for a test?

Hi all,

I wanted to disable a few RBLs & while doing that I observed that if I
want to just disable spamhaus, I've to actually disable
"__RCVD_IN_ZEN" after disabling the other spamhaus related checks like
"check_rbl_sub".

How do I know that __RCVD_IN_ZEN is related to a check like
"RCVD_IN_SBL"? I don't see how these two are related, except the
hostname being used?

Is there a good doc that tells me how to write these tests? Maybe
that'll give me some insight. Thanks

-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com

Re: How do I find a parent rule for a test?

Posted by Axb <ax...@gmail.com>.
http://spamassassin.apache.org/full/3.3.x/doc/

All spamd options documented in:

http://spamassassin.apache.org/full/3.3.x/doc/spamd.txt

You'll have to go thru your .pre files to disable a bunch of plugins.
Those rule hits you're seeing now are very cheap and low scored.

On 09/16/2013 11:14 PM, Abhijeet Rastogi wrote:
> On Tue, Sep 17, 2013 at 1:58 AM, Kris Deugau <kd...@vianet.ca> wrote:
>> John Hardin wrote:
>>
>>
>> Key arguments for spamd are -C (to specify the "default" rules path
>> (overrides and combines DEF_RULES_DIR and LOCAL_STATE_DIR) and
>> --siteconfig for your "site" config (could probably be pointed somewhere
>> empty but we found it simpler to put a minimal local.cf and local.pre
>> there).  I can't speak to running "spamassassin" but IIRC it takes much
>> the same arguments for this as spamd.
>>
>> If you build a local rules channel for this custom ruleset, use
>> --updatedir with sa-update with the same path as you specified for spamd
>> with -C.
>
> I think you're quite there to the point I want but however I'm not
> able to accomplish that.  I tried starting spamassassin with the
> following options:
>
> /usr/bin/vendor_perl/spamd -d --pidfile /var/run/spamd.pid -c -c -x
> --virtual-config-dir=/etc/mail/spamassassin -C /etc/mail/spamassassin
> -u nobody -D
>
> I also tried adding --siteconfigpath=/etc/mail/spamassassin. Thing is,
> I'm not really sure about the difference between --siteconfigpath,
> --configpath and --virtual-config-dir.
>
> I could still see checks like
> "HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY" in 'X-Spam-Status:'
> header. These checks are essentially defined in /var/lib/spamassassin
> only.
>


Re: How do I find a parent rule for a test?

Posted by Abhijeet Rastogi <ab...@gmail.com>.
On Tue, Sep 17, 2013 at 1:58 AM, Kris Deugau <kd...@vianet.ca> wrote:
> John Hardin wrote:
>
>
> Key arguments for spamd are -C (to specify the "default" rules path
> (overrides and combines DEF_RULES_DIR and LOCAL_STATE_DIR) and
> --siteconfig for your "site" config (could probably be pointed somewhere
> empty but we found it simpler to put a minimal local.cf and local.pre
> there).  I can't speak to running "spamassassin" but IIRC it takes much
> the same arguments for this as spamd.
>
> If you build a local rules channel for this custom ruleset, use
> --updatedir with sa-update with the same path as you specified for spamd
> with -C.

I think you're quite there to the point I want but however I'm not
able to accomplish that.  I tried starting spamassassin with the
following options:

/usr/bin/vendor_perl/spamd -d --pidfile /var/run/spamd.pid -c -c -x
--virtual-config-dir=/etc/mail/spamassassin -C /etc/mail/spamassassin
-u nobody -D

I also tried adding --siteconfigpath=/etc/mail/spamassassin. Thing is,
I'm not really sure about the difference between --siteconfigpath,
--configpath and --virtual-config-dir.

I could still see checks like
"HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY" in 'X-Spam-Status:'
header. These checks are essentially defined in /var/lib/spamassassin
only.

-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com

Re: How do I find a parent rule for a test?

Posted by Kris Deugau <kd...@vianet.ca>.
John Hardin wrote:

> If you want to override the default behavior of SA to that degree, it's
> easier to change the config directory that SpamAssassin and spamd use
> with the -c option,

You mean -C (note capital).  -c (lower-case) is to autocreate userprefs
files.  <g>

> so that none of the base rule files are read in the
> first place. You'll need to provide some minimal set of config files in
> whatever custom config directory you specify in order to get SA to run,
> but that will avoid all the extra default stuff you don't seem to want.
> 
> I've never customized SA to that degree so there may be some pitfalls in
> this that I'm not aware of - somebody else will probably say something
> if there's other stuff you need to be aware of.

I've done this here;  we run a stripped-down SA instance with a bunch of
DNSBL rules (local and Spamhaus datafeed) and a handful of miscellaneous
high-scoring stock rules (hand-picked based on local mail flow and stock
scores).

Key arguments for spamd are -C (to specify the "default" rules path
(overrides and combines DEF_RULES_DIR and LOCAL_STATE_DIR) and
--siteconfig for your "site" config (could probably be pointed somewhere
empty but we found it simpler to put a minimal local.cf and local.pre
there).  I can't speak to running "spamassassin" but IIRC it takes much
the same arguments for this as spamd.

If you build a local rules channel for this custom ruleset, use
--updatedir with sa-update with the same path as you specified for spamd
with -C.

-kgd

Re: How do I find a parent rule for a test?

Posted by Bowie Bailey <Bo...@BUC.com>.
On 9/16/2013 4:55 PM, Abhijeet Rastogi wrote:
>> If you don't want to use the rules in the updates directory, why would you
>> even need to run sa-update?
> I wish I could. SpamAssassin dies with the message as below if I don't
> run sa-update or move the directory '/var/lib/spamassassin'.
>
> die "config: no rules were found!  Do you need to run 'sa-update'?\n";

Right.  You have to run it once to get the rules.  After that, you can 
do whatever you need to do to disable the rules.  You don't need to 
worry about your changes being overwritten by sa-update because if 
you're not using the rules, there's no point in updating them, so just 
make sure sa-update doesn't run again.

-- 
Bowie

Re: How do I find a parent rule for a test?

Posted by Axb <ax...@gmail.com>.
On 09/16/2013 10:55 PM, Abhijeet Rastogi wrote:
>> If you don't want to use the rules in the updates directory, why would you
>> even need to run sa-update?
>
> I wish I could. SpamAssassin dies with the message as below if I don't
> run sa-update or move the directory '/var/lib/spamassassin'.
>
> die "config: no rules were found!  Do you need to run 'sa-update'?\n";

After an install one run of sa-update is required.

You point your spamd starting -C and --site-config to whatever path you 
want and put whatever rules/.pre you need in those paths.

After that any future sa-update will be ignored.

Remember to edit .pre files and disable any plugin/feature from loading 
to help avoid SA complaints and save resources.

Re: How do I find a parent rule for a test?

Posted by John Hardin <jh...@impsec.org>.
On Tue, 17 Sep 2013, Abhijeet Rastogi wrote:

>> If you don't want to use the rules in the updates directory, why would you
>> even need to run sa-update?
>
> I wish I could. SpamAssassin dies with the message as below if I don't
> run sa-update or move the directory '/var/lib/spamassassin'.
>
> die "config: no rules were found!  Do you need to run 'sa-update'?\n";

Yes, that's what I meant by "you will have to supply some minimal config 
to get SA running if you do that". You'll have to provide a few rules in 
the custom config location you specified using -C (d'oh! thanks kgd)

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...wind turbines are not meant to actually be an efficient way to
   supply the power grid, rather they're prayer wheels for New Age
   iBuddhists, their whirring blades drawing white guilt from the
   atmosphere and pumping it safely underground.                -- Tam
-----------------------------------------------------------------------
  Tomorrow: the 226th anniversary of the signing of the U.S. Constitution

Re: How do I find a parent rule for a test?

Posted by Abhijeet Rastogi <ab...@gmail.com>.
> If you don't want to use the rules in the updates directory, why would you
> even need to run sa-update?

I wish I could. SpamAssassin dies with the message as below if I don't
run sa-update or move the directory '/var/lib/spamassassin'.

die "config: no rules were found!  Do you need to run 'sa-update'?\n";

> --
> Bowie



-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com

Re: How do I find a parent rule for a test?

Posted by Bowie Bailey <Bo...@BUC.com>.
On 9/16/2013 4:19 PM, Abhijeet Rastogi wrote:
> Hi Dave,
>
> Thanks for the revelation. This clears a lot of things now. After I
> disabled all the tests in 50_scores.cf, I was still seeing a lot of
> CPU (a very heavily loaded server). This pretty much clears
> everything.
>
> You guys have been of commendable help. One last thing, so is there a
> way or a hack to disable rules under
> /var/lib/spamassassin/3.003002/updates_spamassassin_org, in a way that
> it survives sa-updates? Is there a patch in the wild that allows me to
> do that?

If you don't want to use the rules in the updates directory, why would 
you even need to run sa-update?

-- 
Bowie

Re: How do I find a parent rule for a test?

Posted by Abhijeet Rastogi <ab...@gmail.com>.
Hi David,

I was able to disable checks defined in /var/lib/spamassassin by
making their score 0 in local.cf. That reduced the CPU usage a lot.
Rate-limiting isn't an option because my inbound servers receive mails
at a very high rate that incoming queue starts to increase
indefinitely.

But, after a day of figuring various options, I was finally able to
find some beefy boxes where I could run spamassassin and it's working
like a charm, exceeded my expectations.

Thanks

On Wed, Sep 18, 2013 at 4:40 AM, David B Funk
<db...@engineering.uiowa.edu> wrote:
> If you want to disable specific rules from the standard rules kit
> just set their score to zero in your local.cf config file.
> A rule with a score of zero isn't run.
>
> As the local.cf file is processed after the /var/lib/spamassassin contents
> that's how to over-ride the standard rules in a way that works regardless
> of updates.
>
> If you want to disable -all- rules, why are you even bothering to run
> sa-update?
>
> Note that CPU is still used even if all tests are disabled as SA needs to
> process the message to create the 'rawbody' 'full' and 'cooked' forms.
> The amount of CPU is dependent upon the size & content of the message
> (EG parsing a HTML message is more work than a plain text message).
>
> So if you're still hitting CPU load limits try limiting the message
> rates (at the MTA) and message sizes processed (skip large messages)
> or get a bigger proc.
>
>
>
> On Tue, 17 Sep 2013, Abhijeet Rastogi wrote:
>
>> Hi Dave,
>>
>> Thanks for the revelation. This clears a lot of things now. After I
>> disabled all the tests in 50_scores.cf, I was still seeing a lot of
>> CPU (a very heavily loaded server). This pretty much clears
>> everything.
>>
>> You guys have been of commendable help. One last thing, so is there a
>> way or a hack to disable rules under
>> /var/lib/spamassassin/3.003002/updates_spamassassin_org, in a way that
>> it survives sa-updates? Is there a patch in the wild that allows me to
>> do that?
>
>
> --
> Dave Funk                                  University of Iowa
> <dbfunk (at) engineering.uiowa.edu>        College of Engineering
> 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
> Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better. B{



-- 
Regards,
Abhijeet Rastogi (shadyabhi)

Re: How do I find a parent rule for a test?

Posted by David B Funk <db...@engineering.uiowa.edu>.
If you want to disable specific rules from the standard rules kit
just set their score to zero in your local.cf config file.
A rule with a score of zero isn't run.

As the local.cf file is processed after the /var/lib/spamassassin contents
that's how to over-ride the standard rules in a way that works regardless
of updates.

If you want to disable -all- rules, why are you even bothering to run sa-update?

Note that CPU is still used even if all tests are disabled as SA needs to
process the message to create the 'rawbody' 'full' and 'cooked' forms.
The amount of CPU is dependent upon the size & content of the message
(EG parsing a HTML message is more work than a plain text message).

So if you're still hitting CPU load limits try limiting the message
rates (at the MTA) and message sizes processed (skip large messages)
or get a bigger proc.


On Tue, 17 Sep 2013, Abhijeet Rastogi wrote:

> Hi Dave,
>
> Thanks for the revelation. This clears a lot of things now. After I
> disabled all the tests in 50_scores.cf, I was still seeing a lot of
> CPU (a very heavily loaded server). This pretty much clears
> everything.
>
> You guys have been of commendable help. One last thing, so is there a
> way or a hack to disable rules under
> /var/lib/spamassassin/3.003002/updates_spamassassin_org, in a way that
> it survives sa-updates? Is there a patch in the wild that allows me to
> do that?

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: How do I find a parent rule for a test?

Posted by Abhijeet Rastogi <ab...@gmail.com>.
Hi Dave,

Thanks for the revelation. This clears a lot of things now. After I
disabled all the tests in 50_scores.cf, I was still seeing a lot of
CPU (a very heavily loaded server). This pretty much clears
everything.

You guys have been of commendable help. One last thing, so is there a
way or a hack to disable rules under
/var/lib/spamassassin/3.003002/updates_spamassassin_org, in a way that
it survives sa-updates? Is there a patch in the wild that allows me to
do that?

On Tue, Sep 17, 2013 at 12:57 AM, Dave Funk
<db...@engineering.uiowa.edu> wrote:
> That's because SA no longer ships with rules in the source kit.
> First thing you do after a new install is run sa-update to download
> a set of rules and those go into a separate directory.
>
> Do this:
>
>  spamassassin --lint -D 2>&1 | grep dir
>
> And you should see things like:
>
> Sep 16 14:21:39.457 [27354] dbg: config: using
> "/var/lib/spamassassin/3.003001" for default rules dir
> Sep 16 14:21:39.460 [27354] dbg: config: using "/etc/mail/spamassassin" for
> site rules dir
>
> That will tell you what directory trees contain the rules files
> that -your- SA kit is using.
>
> Now if you do:
>  spamassassin --lint -D 2>&1 | grep 'config:'
>
> it will tell you all the rules files that it's processing
> (and a bunch of other stuff too).
>
>
>
> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>
>> Hi John,
>>
>> Did a
>>
>> $grep -inr __HAS_SENDER ./
>>
>> in the source. No hits, what-so-ever.
>>
>> On Mon, Sep 16, 2013 at 11:37 PM, John Hardin <jh...@impsec.org> wrote:
>>>
>>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>>
>>>> Hi John,
>>>>
>>>> I'm sure you're pretty clear on explaining it but as a newbie I'm
>>>> facing issues. My concern still exists. I could see loglines like:
>>>>
>>>> Sep 16 14:41:51.607 [3999] dbg: rules: ran header rule __HAS_SENDER
>>>> ======> got hit: "<YES>"
>>>> Sep 16 14:41:51.606 [3999] dbg: rules: ran header rule __HAS_TO
>>>> ======> got hit: "<YES>"
>>>> Sep 16 14:41:51.605 [3999] dbg: rules: ran header rule __HAS_ERRORS_TO
>>>> ======> got hit: "<YES>"
>>>> Sep 16 14:41:51.604 [3999] dbg: rules: ran header rule __HAS_XMAIL
>>>> ======> got hit: "<YES>"
>>>>
>>>> But, I don't see that defined anywhere (grepped them against 3.3
>>>> version from svn). Also, in the install (CentOS5), I couldn't find it
>>>> either (Checked both /usr/share/spamassassin and
>>>> /etc/mail/spamassassin). So, what's the deal with these, where are
>>>> these defined?
>>>
>>>
>>>
>>> Did you search subdirectories as well? sa-update updates rules into
>>> subdirectories.
>>>
>>>
>>>> I would really appreciate a reply here. Thanks
>>>>
>>>>
>>>> On Mon, Sep 16, 2013 at 10:46 PM, John Hardin <jh...@impsec.org>
>>>> wrote:
>>>>>
>>>>>
>>>>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>>>>
>>>>>> Hi John,
>>>>>>
>>>>>> Thanks for the reply. I could get the above said rule as a "meta" one.
>>>>>> Thanks for that.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Apologies if that came across as condescending, I was just trying to be
>>>>> thorough.
>>>>>
>>>>>
>>>>>> One more thing I was hoping you could help me with.
>>>>>>
>>>>>> Can you explain as to what's the difference between rules under
>>>>>> "./rules" and under "./rulesrc/sandbox/" directory?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> The "rules" directory is rules that are published no matter what.
>>>>> That's the "static" ruleset, the base rules that everything can
>>>>> depend on to be present, and rules that have always performed well.
>>>>>
>>>>> The stuff under the sandbox directories is more dynamic. The rules
>>>>> there are run through the nightly masscheck process, and if they
>>>>> perform well enough they get published. They're more "dynamic", in
>>>>> that older rules that stop performing well against current spam (as
>>>>> represented by the masscheck corpora) may stop being published, and
>>>>> may automatically start being published again if the corpora starts
>>>>> containing that type of spam again.
>>>>>
>>>>>
>>>>>> The reason I want to know this is because I've a requirement where
>>>>>> I want to disable everything (meaning *all* rules) except a locally
>>>>>> hosted URIBL). I was hoping that I could do this by adding the
>>>>>> output of the below command. (running in the source code).
>>>>>>
>>>>>> cat rules/*.cf  | grep -E '^(header|body)'  | awk '{print $2}' | sed 's/^/score /' | sed 's/$/ 0/'
>>>>>>
>>>>>> But, to my surprise, it didn't help. I still had various checks still
>>>>>> getting applied like __HAS_TO, __HAS_ERRORS_TO etc etc. Any idea as to
>>>>>> what can be done about that?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> As __subrules don't have a score, their execution cannot be disabled by
>>>>> setting their score to zero.
>>>>>
>>>>> If you want to override the default behavior of SA to that degree, it's
>>>>> easier to change the config directory that SpamAssassin and spamd use
>>>>> with the -c option, so that none of the base rule files are read in the
>>>>> first place. You'll need to provide some minimal set of config files in
>>>>> whatever custom config directory you specify in order to get SA to run,
>>>>> but that will avoid all the extra default stuff you don't seem to want.
>>>>>
>>>>> I've never customized SA to that degree so there may be some pitfalls
>>>>> in this that I'm not aware of - somebody else will probably say
>>>>> something if there's other stuff you need to be aware of.
>>>>>
>>>>>
>>>>>
>>>>>> On Mon, Sep 16, 2013 at 10:07 PM, John Hardin <jh...@impsec.org>
>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>>>>>>
>>>>>>>> Problem is, how do I know that a certain rule like __RCVD_IN_NJABL
>>>>>>>> is a base rule for others?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The two leading underscores in the rule name indicate that the rule,
>>>>>>> by itself, is not assigned a score, thus, by itself, does not affect
>>>>>>> the overall score of the message at all. It must appear in a "meta"
>>>>>>> rule, possibly with other rules, before it can be assigned a score
>>>>>>> and affect the overall message score. So, at the most basic level,
>>>>>>> any rule having a name that starts with two underscores is
>>>>>>> _inherently_ a base for other rules.
>>>>>>>
>>>>>>> In order to determine *which* rules it's a base for, you have to look
>>>>>>> for that rule name in the config files. This isn't too easy to do
>>>>>>> online, you pretty much have to grep the rules files in a local
>>>>>>> install.
>>>
>>>
>>>
>>> --
>>>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>>>  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>>>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>>> -----------------------------------------------------------------------
>>>   WSJ on the Financial Stimulus package: "...today there are 700,000
>>>   fewer jobs than [the administration] predicted we would have if we
>>>   had done nothing at all."
>>>
>>> -----------------------------------------------------------------------
>>>  Tomorrow: the 226th anniversary of the signing of the U.S. Constitution
>>
>>
>>
>>
>>
>
> --
> Dave Funk                                  University of Iowa
> <dbfunk (at) engineering.uiowa.edu>        College of Engineering
> 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
> Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better. B{



-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com

Re: How do I find a parent rule for a test?

Posted by Dave Funk <db...@engineering.uiowa.edu>.
That's because SA no longer ships with rules in the source kit.
First thing you do after a new install is run sa-update to download
a set of rules and those go into a separate directory.

Do this:

  spamassassin --lint -D 2>&1 | grep dir

And you should see things like:

Sep 16 14:21:39.457 [27354] dbg: config: using "/var/lib/spamassassin/3.003001" for default rules dir
Sep 16 14:21:39.460 [27354] dbg: config: using "/etc/mail/spamassassin" for site rules dir

That will tell you what directory trees contain the rules files
that -your- SA kit is using.

Now if you do:
  spamassassin --lint -D 2>&1 | grep 'config:'

it will tell you all the rules files that it's processing
(and a bunch of other stuff too).


On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:

> Hi John,
>
> Did a
>
> $grep -inr __HAS_SENDER ./
>
> in the source. No hits, what-so-ever.
>
> On Mon, Sep 16, 2013 at 11:37 PM, John Hardin <jh...@impsec.org> wrote:
>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>
>>> Hi John,
>>>
>>> I'm sure you're pretty clear on explaining it but as a newbie I'm
>>> facing issues. My concern still exists. I could see loglines like:
>>>
>>> Sep 16 14:41:51.607 [3999] dbg: rules: ran header rule __HAS_SENDER
>>> ======> got hit: "<YES>"
>>> Sep 16 14:41:51.606 [3999] dbg: rules: ran header rule __HAS_TO
>>> ======> got hit: "<YES>"
>>> Sep 16 14:41:51.605 [3999] dbg: rules: ran header rule __HAS_ERRORS_TO
>>> ======> got hit: "<YES>"
>>> Sep 16 14:41:51.604 [3999] dbg: rules: ran header rule __HAS_XMAIL
>>> ======> got hit: "<YES>"
>>>
>>> But, I don't see that defined anywhere (grepped them against 3.3
>>> version from svn). Also, in the install (CentOS5), I couldn't find it
>>> either (Checked both /usr/share/spamassassin and
>>> /etc/mail/spamassassin). So, what's the deal with these, where are
>>> these defined?
>>
>>
>> Did you search subdirectories as well? sa-update updates rules into
>> subdirectories.
>>
>>
>>> I would really appreciate a reply here. Thanks
>>>
>>>
>>> On Mon, Sep 16, 2013 at 10:46 PM, John Hardin <jh...@impsec.org> wrote:
>>>>
>>>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>>>
>>>>> Hi John,
>>>>>
>>>>> Thanks for the reply. I could get the above said rule as a "meta" one.
>>>>> Thanks for that.
>>>>
>>>>
>>>>
>>>> Apologies if that came across as condescending, I was just trying to be
>>>> thorough.
>>>>
>>>>
>>>>> One more thing I was hoping you could help me with.
>>>>>
>>>>> Can you explain as to what's the difference between rules under
>>>>> "./rules" and under "./rulesrc/sandbox/" directory?
>>>>
>>>>
>>>>
>>>> The "rules" directory is rules that are published no matter what. That's
>>>> the "static" ruleset, the base rules that everything can depend on to be
>>>> present, and rules that have always performed well.
>>>>
>>>> The stuff under the sandbox directories is more dynamic. The rules there
>>>> are run through the nightly masscheck process, and if they perform well
>>>> enough they get published. They're more "dynamic", in that older rules
>>>> that stop performing well against current spam (as represented by the
>>>> masscheck corpora) may stop being published, and may automatically start
>>>> being published again if the corpora starts containing that type of spam
>>>> again.
>>>>
>>>>
>>>>> The reason I want to know this is because I've a requirement where I
>>>>> want to disable everything (meaning *all* rules) except a locally
>>>>> hosted URIBL). I was hoping that I could do this by adding the output
>>>>> of the below command. (running in the source code).
>>>>>
>>>>> cat rules/*.cf  | grep -E '^(header|body)'  | awk '{print $2}' | sed 's/^/score /' | sed 's/$/ 0/'
>>>>>
>>>>> But, to my surprise, it didn't help. I still had various checks still
>>>>> getting applied like __HAS_TO, __HAS_ERRORS_TO etc etc. Any idea as to
>>>>> what can be done about that?
>>>>
>>>>
>>>>
>>>> As __subrules don't have a score, their execution cannot be disabled by
>>>> setting their score to zero.
>>>>
>>>> If you want to override the default behavior of SA to that degree, it's
>>>> easier to change the config directory that SpamAssassin and spamd use
>>>> with the -c option, so that none of the base rule files are read in the
>>>> first place. You'll need to provide some minimal set of config files in
>>>> whatever custom config directory you specify in order to get SA to run,
>>>> but that will avoid all the extra default stuff you don't seem to want.
>>>>
>>>> I've never customized SA to that degree so there may be some pitfalls in
>>>> this that I'm not aware of - somebody else will probably say something if
>>>> there's other stuff you need to be aware of.
>>>>
>>>>
>>>>
>>>>> On Mon, Sep 16, 2013 at 10:07 PM, John Hardin <jh...@impsec.org>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>>>>>
>>>>>>> Problem is, how do I know that a certain rule like __RCVD_IN_NJABL is
>>>>>>> a base rule for others?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> The two leading underscores in the rule name indicate that the rule, by
>>>>>> itself, is not assigned a score, thus, by itself, does not affect the
>>>>>> overall score of the message at all. It must appear in a "meta" rule,
>>>>>> possibly with other rules, before it can be assigned a score and affect
>>>>>> the overall message score. So, at the most basic level, any rule having
>>>>>> a name that starts with two underscores is _inherently_ a base for
>>>>>> other rules.
>>>>>>
>>>>>> In order to determine *which* rules it's a base for, you have to look
>>>>>> for that rule name in the config files. This isn't too easy to do
>>>>>> online, you pretty much have to grep the rules files in a local
>>>>>> install.
>>
>>
>> --
>>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>>  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>> -----------------------------------------------------------------------
>>   WSJ on the Financial Stimulus package: "...today there are 700,000
>>   fewer jobs than [the administration] predicted we would have if we
>>   had done nothing at all."
>>
>> -----------------------------------------------------------------------
>>  Tomorrow: the 226th anniversary of the signing of the U.S. Constitution
>
>
>
>

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
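
The lookup this thread keeps coming back to (which base rule a test such as RCVD_IN_SBL relies on, and which rules a `__` subrule feeds), as an added example that is not part of any post and not SpamAssassin's own code. It indexes .cf files and follows both `meta` references and the set name shared by `check_rbl` and `check_rbl_sub`; the sample rules, the `sample_*.cf` file names, `__SENDER_NO_TO` and `EXAMPLE_ODD_HDRS` are constructed.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample written in SpamAssassin .cf syntax (file name -> text).
# Not copied from a real rules kit; __SENDER_NO_TO and EXAMPLE_ODD_HDRS are made up.
SAMPLE_FILES = {
    "sample_dnsbl.cf": """\
header __RCVD_IN_ZEN   eval:check_rbl('zen', 'zen.spamhaus.org.')
tflags __RCVD_IN_ZEN   net
header RCVD_IN_SBL     eval:check_rbl_sub('zen', '127.0.0.2')
header RCVD_IN_XBL     eval:check_rbl_sub('zen', '127.0.0.[45678]')
score  RCVD_IN_XBL     0.7
""",
    "10_hasbase.cf": """\
header __HAS_SENDER    exists:Sender
header __HAS_TO        exists:To
""",
    "sample_meta.cf": """\
meta   __SENDER_NO_TO    __HAS_SENDER && !__HAS_TO
meta   EXAMPLE_ODD_HDRS  __SENDER_NO_TO || (__HAS_SENDER && RCVD_IN_SBL)
score  EXAMPLE_ODD_HDRS  1.5
""",
}

RULE_TYPES = {"header", "body", "rawbody", "full", "uri", "meta"}
NAME_RE = re.compile(r"\b[A-Za-z_]\w*")
RBL_RE = re.compile(r"eval:check_rbl(_sub)?\(\s*'([^']+)'")


def load_dir(root):
    """Read every .cf file under root, subdirectories included."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.cf")}


def parse_rules(files):
    """Return (defs, needs): where each rule is defined, and the rules it is built on."""
    defs, needs = {}, defaultdict(set)
    rbl_base, rbl_subs = {}, defaultdict(set)
    for fname, text in files.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = re.sub(r"(?<!\\)#.*$", "", raw).strip()  # drop comments
            parts = line.split(None, 2)
            if len(parts) < 3 or parts[0] not in RULE_TYPES:
                continue
            kind, name, rest = parts
            defs[name] = (fname, lineno)
            if kind == "meta":
                # every identifier in a meta expression names a rule it depends on
                needs[name] |= set(NAME_RE.findall(rest)) - {name}
            m = RBL_RE.search(rest)
            if m and m.group(1):      # check_rbl_sub('set', ...)
                rbl_subs[m.group(2)].add(name)
            elif m:                   # check_rbl('set', 'zone')
                rbl_base.setdefault(m.group(2), name)
    # a check_rbl_sub rule reads the answer fetched by the check_rbl rule
    # that was declared with the same set name
    for set_name, subs in rbl_subs.items():
        if set_name in rbl_base:
            for sub in subs:
                needs[sub].add(rbl_base[set_name])
    return defs, needs


def closure(start, edges):
    """Everything reachable from start by following edges (cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def bases_of(rule, needs):
    """Rules that `rule` is built on, directly or through other rules."""
    return closure(rule, needs)


def dependents_of(rule, needs):
    """Rules that are built on `rule`, directly or through other rules."""
    rev = defaultdict(set)
    for parent, kids in needs.items():
        for kid in kids:
            rev[kid].add(parent)
    return closure(rule, rev)


def scored_dependents(rule, needs):
    """Dependents without the '__' prefix, i.e. the ones that carry a score."""
    return sorted(r for r in dependents_of(rule, needs) if not r.startswith("__"))


if __name__ == "__main__":
    defs, needs = parse_rules(SAMPLE_FILES)
    for rule in ("RCVD_IN_SBL", "__RCVD_IN_ZEN", "__HAS_SENDER"):
        print(rule, "defined at", defs[rule])
        print("  built on:", sorted(bases_of(rule, needs)))
        print("  used by :", sorted(dependents_of(rule, needs)))
```

To run it against an install, pass `load_dir()` each directory printed by `spamassassin --lint -D 2>&1 | grep dir` and merge the resulting dictionaries before calling `parse_rules()`.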

Re: How do I find a parent rule for a test?

Posted by Martin Gregorie <ma...@gregorie.org>.
On Mon, 2013-09-16 at 23:50 +0530, Abhijeet Rastogi wrote:
> Hi John,
> 
> Did a
> 
> $grep -inr __HAS_SENDER ./
> 
> in the source. No hits, what-so-ever.
> 
In my installation it's in:

/var/lib/spamassassin/3.003002/updates_spamassassin_org/10_hasbase.cf


Martin




Re: How do I find a parent rule for a test?

Posted by Abhijeet Rastogi <ab...@gmail.com>.
Hi John,

Did a

$grep -inr __HAS_SENDER ./

in the source. No hits, what-so-ever.

On Mon, Sep 16, 2013 at 11:37 PM, John Hardin <jh...@impsec.org> wrote:
> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>
>> Hi John,
>>
>> I'm sure you're pretty clear on explaining it but as a newbie I'm
>> facing issues. My concern still exists. I could see loglines like:
>>
>> Sep 16 14:41:51.607 [3999] dbg: rules: ran header rule __HAS_SENDER
>> ======> got hit: "<YES>"
>> Sep 16 14:41:51.606 [3999] dbg: rules: ran header rule __HAS_TO
>> ======> got hit: "<YES>"
>> Sep 16 14:41:51.605 [3999] dbg: rules: ran header rule __HAS_ERRORS_TO
>> ======> got hit: "<YES>"
>> Sep 16 14:41:51.604 [3999] dbg: rules: ran header rule __HAS_XMAIL
>> ======> got hit: "<YES>"
>>
>> But, I don't see that defined anywhere (grepped them against 3.3
>> version from svn). Also, in the install (CentOS5), I couldn't find it
>> either (Checked both /usr/share/spamassassin and
>> /etc/mail/spamassassin). So, what's the deal with these, where are
>> these defined?
>
>
> Did you search subdirectories as well? sa-update updates rules into
> subdirectories.
>
>
>> I would really appreciate a reply here. Thanks
>>
>>
>> On Mon, Sep 16, 2013 at 10:46 PM, John Hardin <jh...@impsec.org> wrote:
>>>
>>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>>
>>>> Hi John,
>>>>
>>>> Thanks for the reply. I could get the above said rule as a "meta" one.
>>>> Thanks for that.
>>>
>>>
>>>
>>> Apologies if that came across as condescending, I was just trying to be
>>> thorough.
>>>
>>>
>>>> One more thing I was hoping you could help me with.
>>>>
>>>> Can you explain as to what's the difference between rules under
>>>> "./rules" and under "./rulesrc/sandbox/" directory?
>>>
>>>
>>>
>>> The "rules" directory is rules that are published no matter what. That's
>>> the "static" ruleset, the base rules that everything can depend on to be
>>> present, and rules that have always performed well.
>>>
>>> The stuff under the sandbox directories is more dynamic. The rules there
>>> are run through the nightly masscheck process, and if they perform well
>>> enough they get published. They're more "dynamic", in that older rules
>>> that stop performing well against current spam (as represented by the
>>> masscheck corpora) may stop being published, and may automatically start
>>> being published again if the corpora starts containing that type of spam
>>> again.
>>>
>>>
>>>> The reason I want to know this is because I've a requirement where I
>>>> want to disable everything (meaning *all* rules) except a locally
>>>> hosted URIBL). I was hoping that I could do this by adding the output
>>>> of the below command. (running in the source code).
>>>>
>>>> cat rules/*.cf  | grep -E '^(header|body)'  | awk '{print $2}' | sed 's/^/score /' | sed 's/$/ 0/'
>>>>
>>>> But, to my surprise, it didn't help. I still had various checks still
>>>> getting applied like __HAS_TO, __HAS_ERRORS_TO etc etc. Any idea as to
>>>> what can be done about that?
>>>
>>>
>>>
>>> As __subrules don't have a score, their execution cannot be disabled by
>>> setting their score to zero.
>>>
>>> If you want to override the default behavior of SA to that degree, it's
>>> easier to change the config directory that SpamAssassin and spamd use
>>> with the -c option, so that none of the base rule files are read in the
>>> first place. You'll need to provide some minimal set of config files in
>>> whatever custom config directory you specify in order to get SA to run,
>>> but that will avoid all the extra default stuff you don't seem to want.
>>>
>>> I've never customized SA to that degree so there may be some pitfalls in
>>> this that I'm not aware of - somebody else will probably say something if
>>> there's other stuff you need to be aware of.
>>>
>>>
>>>
>>>> On Mon, Sep 16, 2013 at 10:07 PM, John Hardin <jh...@impsec.org> wrote:
>>>>>
>>>>>
>>>>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>>>>
>>>>>> Problem is, how do I know that a certain rule like __RCVD_IN_NJABL is
>>>>>> a base rule for others?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> The two leading underscores in the rule name indicate that the rule, by
>>>>> itself, is not assigned a score, thus, by itself, does not affect the
>>>>> overall score of the message at all. It must appear in a "meta" rule,
>>>>> possibly with other rules, before it can be assigned a score and affect
>>>>> the overall message score. So, at the most basic level, any rule having a
>>>>> name that starts with two underscores is _inherently_ a base for other
>>>>> rules.
>>>>>
>>>>> In order to determine *which* rules it's a base for, you have to look
>>>>> for that rule name in the config files. This isn't too easy to do online,
>>>>> you pretty much have to grep the rules files in a local install.
>
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   WSJ on the Financial Stimulus package: "...today there are 700,000
>   fewer jobs than [the administration] predicted we would have if we
>   had done nothing at all."
>
> -----------------------------------------------------------------------
>  Tomorrow: the 226th anniversary of the signing of the U.S. Constitution



-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com

Re: How do I find a parent rule for a test?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:

> Hi John,
>
> I'm sure you're pretty clear on explaining it but as a newbie I'm
> facing issues. My concern still exists. I could see loglines like:
>
> Sep 16 14:41:51.607 [3999] dbg: rules: ran header rule __HAS_SENDER
> ======> got hit: "<YES>"
> Sep 16 14:41:51.606 [3999] dbg: rules: ran header rule __HAS_TO
> ======> got hit: "<YES>"
> Sep 16 14:41:51.605 [3999] dbg: rules: ran header rule __HAS_ERRORS_TO
> ======> got hit: "<YES>"
> Sep 16 14:41:51.604 [3999] dbg: rules: ran header rule __HAS_XMAIL
> ======> got hit: "<YES>"
>
> But, I don't see that defined anywhere (grepped them against 3.3
> version from svn). Also, in the install (CentOS5), I couldn't find it
> either (Checked both /usr/share/spamassassin and
> /etc/mail/spamassassin). So, what's the deal with these, where are
> these defined?

Did you search subdirectories as well? sa-update updates rules into 
subdirectories.

> I would really appreciate a reply here. Thanks
>
>
> On Mon, Sep 16, 2013 at 10:46 PM, John Hardin <jh...@impsec.org> wrote:
>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>
>>> Hi John,
>>>
>>> Thanks for the reply. I could get the above said rule as a "meta" one.
>>> Thanks for that.
>>
>>
>> Apologies if that came across as condescending, I was just trying to be
>> thorough.
>>
>>
>>> One more thing I was hoping you could help me with.
>>>
>>> Can you explain as to what's the difference between rules under
>>> "./rules" and under "./rulesrc/sandbox/" directory?
>>
>>
>> The "rules" directory is rules that are published no matter what. That's the
>> "static" ruleset, the base rules that everything can depend on to be
>> present, and rules that have always performed well.
>>
>> The stuff under the sandbox directories is more dynamic. The rules there are
>> run through the nightly masscheck process, and if they perform well enough
>> they get published. They're more "dynamic", in that older rules that stop
>> performing well against current spam (as represented by the masscheck
>> corpora) may stop being published, and may automatically start being
>> published again if the corpora starts containing that type of spam again.
>>
>>
>>> The reason I want to know this is because I've a requirement where I want
>>> to disable everything (meaning *all* rules) except a locally hosted URIBL).
>>> I was hoping that I could do this by adding the output of the below command.
>>> (running in the source code).
>>>
>>> cat rules/*.cf  | grep -E '^(header|body)'  | awk '{print $2}' | sed 's/^/score /' | sed 's/$/ 0/'
>>>
>>> But, to my surprise, it didn't help. I still had various checks still
>>> getting applied like __HAS_TO, __HAS_ERRORS_TO etc etc. Any idea as to
>>> what can be done about that?
>>
>>
>> As __subrules don't have a score, their execution cannot be disabled by
>> setting their score to zero.
>>
>> If you want to override the default behavior of SA to that degree, it's
>> easier to change the config directory that SpamAssassin and spamd use with
>> the -c option, so that none of the base rule files are read in the first
>> place. You'll need to provide some minimal set of config files in whatever
>> custom config directory you specify in order to get SA to run, but that will
>> avoid all the extra default stuff you don't seem to want.
>>
>> I've never customized SA to that degree so there may be some pitfalls in
>> this that I'm not aware of - somebody else will probably say something if
>> there's other stuff you need to be aware of.
>>
>>
>>
>>> On Mon, Sep 16, 2013 at 10:07 PM, John Hardin <jh...@impsec.org> wrote:
>>>>
>>>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>>>
>>>>> Problem is, how do I know that a certain rule like __RCVD_IN_NJABL is
>>>>> a base rule for others?
>>>>
>>>>
>>>>
>>>> The two leading underscores in the rule name indicate that the rule, by
>>>> itself, is not assigned a score, thus, by itself, does not affect the
>>>> overall score of the message at all. It must appear in a "meta" rule,
>>>> possibly with other rules, before it can be assigned a score and affect
>>>> the overall message score. So, at the most basic level, any rule having a
>>>> name that starts with two underscores is _inherently_ a base for other
>>>> rules.
>>>>
>>>> In order to determine *which* rules it's a base for, you have to look for
>>>> that rule name in the config files. This isn't too easy to do online, you
>>>> pretty much have to grep the rules files in a local install.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   WSJ on the Financial Stimulus package: "...today there are 700,000
   fewer jobs than [the administration] predicted we would have if we
   had done nothing at all."
-----------------------------------------------------------------------
  Tomorrow: the 226th anniversary of the signing of the U.S. Constitution

Re: How do I find a parent rule for a test?

Posted by Abhijeet Rastogi <ab...@gmail.com>.
Hi John,

I'm sure you're pretty clear on explaining it but as a newbie I'm
facing issues. My concern still exists. I could see loglines like:

Sep 16 14:41:51.607 [3999] dbg: rules: ran header rule __HAS_SENDER
======> got hit: "<YES>"
Sep 16 14:41:51.606 [3999] dbg: rules: ran header rule __HAS_TO
======> got hit: "<YES>"
Sep 16 14:41:51.605 [3999] dbg: rules: ran header rule __HAS_ERRORS_TO
======> got hit: "<YES>"
Sep 16 14:41:51.604 [3999] dbg: rules: ran header rule __HAS_XMAIL
======> got hit: "<YES>"

But, I don't see that defined anywhere (grepped them against 3.3
version from svn). Also, in the install (CentOS5), I couldn't find it
either (Checked both /usr/share/spamassassin and
/etc/mail/spamassassin). So, what's the deal with these, where are
these defined?

I would really appreciate a reply here. Thanks


On Mon, Sep 16, 2013 at 10:46 PM, John Hardin <jh...@impsec.org> wrote:
> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>
>> Hi John,
>>
>> Thanks for the reply. I could get the above said rule as a "meta" one.
>> Thanks for that.
>
>
> Apologies if that came across as condescending, I was just trying to be
> thorough.
>
>
>> One more thing I was hoping you could help me with.
>>
>> Can you explain as to what's the difference between rules under
>> "./rules" and under "./rulesrc/sandbox/" directory?
>
>
> The "rules" directory is rules that are published no matter what. That's the
> "static" ruleset, the base rules that everything can depend on to be
> present, and rules that have always performed well.
>
> The stuff under the sandbox directories is more dynamic. The rules there are
> run through the nightly masscheck process, and if they perform well enough
> they get published. They're more "dynamic", in that older rules that stop
> performing well against current spam (as represented by the masscheck
> corpora) may stop being published, and may automatically start being
> published again if the corpora starts containing that type of spam again.
>
>
>> The reason I want to know this is because I've a requirement where I want
>> to disable everything (meaning *all* rules) except a locally hosted URIBL).
>> I was hoping that I could do this by adding the output of the below command.
>> (running in the source code).
>>
>> cat rules/*.cf  | grep -E '^(header|body)'  | awk '{print $2}' | sed 's/^/score /' | sed 's/$/ 0/'
>>
>> But, to my surprise, it didn't help. I still had various checks still
>> getting applied like __HAS_TO, __HAS_ERRORS_TO etc etc. Any idea as to
>> what can be done about that?
>
>
> As __subrules don't have a score, their execution cannot be disabled by
> setting their score to zero.
>
> If you want to override the default behavior of SA to that degree, it's
> easier to change the config directory that SpamAssassin and spamd use with
> the -c option, so that none of the base rule files are read in the first
> place. You'll need to provide some minimal set of config files in whatever
> custom config directory you specify in order to get SA to run, but that will
> avoid all the extra default stuff you don't seem to want.
>
> I've never customized SA to that degree so there may be some pitfalls in
> this that I'm not aware of - somebody else will probably say something if
> there's other stuff you need to be aware of.
>
>
>
>> On Mon, Sep 16, 2013 at 10:07 PM, John Hardin <jh...@impsec.org> wrote:
>>>
>>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>>
>>>> Problem is, how do I know that a certain rule like __RCVD_IN_NJABL is
>>>> a base rule for others?
>>>
>>>
>>>
>>> The two leading underscores in the rule name indicate that the rule, by
>>> itself, is not assigned a score, thus, by itself, does not affect the
>>> overall score of the message at all. It must appear in a "meta" rule,
>>> possibly with other rules, before it can be assigned a score and affect
>>> the overall message score. So, at the most basic level, any rule having a
>>> name that starts with two underscores is _inherently_ a base for other
>>> rules.
>>>
>>> In order to determine *which* rules it's a base for, you have to look for
>>> that rule name in the config files. This isn't too easy to do online, you
>>> pretty much have to grep the rules files in a local install.
>
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
>   adware architecture incorporating spyware, profiling, competitor
>   suppression and delivery confirmation (U.S. Patent #20070157227)
> -----------------------------------------------------------------------
>  Tomorrow: the 226th anniversary of the signing of the U.S. Constitution



-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com

Re: How do I find a parent rule for a test?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:

> Hi John,
>
> Thanks for the reply. I could get the above said rule as a "meta" one.
> Thanks for that.

Apologies if that came across as condescending, I was just trying to be 
thorough.

> One more thing I was hoping you could help me with.
>
> Can you explain as to what's the difference between rules under
> "./rules" and under "./rulesrc/sandbox/" directory?

The "rules" directory is rules that are published no matter what. That's 
the "static" ruleset, the base rules that everything can depend on to be 
present, and rules that have always performed well.

The stuff under the sandbox directories is more dynamic. The rules there 
are run through the nightly masscheck process, and if they perform well 
enough they get published. They're more "dynamic", in that older rules 
that stop performing well against current spam (as represented by the 
masscheck corpora) may stop being published, and may automatically start 
being published again if the corpora starts containing that type of spam 
again.

> The reason I want to know this is because I've a requirement where I 
> want to disable everything (meaning *all* rules) except a locally hosted 
> URIBL). I was hoping that I could do this by adding the output of the 
> below command. (running in the source code).
>
> cat rules/*.cf  | grep -E '^(header|body)'  | awk '{print $2}' | sed 's/^/score /' | sed 's/$/ 0/'
>
> But, to my surprise, it didn't help. I still had various checks still
> getting applied like __HAS_TO, __HAS_ERRORS_TO etc etc. Any idea as to
> what can be done about that?

As __subrules don't have a score, their execution cannot be disabled by 
setting their score to zero.

If you want to override the default behavior of SA to that degree, it's 
easier to change the config directory that SpamAssassin and spamd use with 
the -c option, so that none of the base rule files are read in the first 
place. You'll need to provide some minimal set of config files in whatever 
custom config directory you specify in order to get SA to run, but that 
will avoid all the extra default stuff you don't seem to want.

I've never customized SA to that degree so there may be some pitfalls in 
this that I'm not aware of - somebody else will probably say something if 
there's other stuff you need to be aware of.


> On Mon, Sep 16, 2013 at 10:07 PM, John Hardin <jh...@impsec.org> wrote:
>> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>>
>>> Problem is, how do I know that a certain rule like __RCVD_IN_NJABL is
>>> a base rule for others?
>>
>>
>> The two leading underscores in the rule name indicate that the rule, by
>> itself, is not assigned a score, thus, by itself, does not affect the
>> overall score of the message at all. It must appear in a "meta" rule,
>> possibly with other rules, before it can be assigned a score and affect the
>> overall message score. So, at the most basic level, any rule having a name
>> that starts with two underscores is _inherently_ a base for other rules.
>>
>> In order to determine *which* rules it's a base for, you have to look for
>> that rule name in the config files. This isn't too easy to do online, you
>> pretty much have to grep the rules files in a local install.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
   adware architecture incorporating spyware, profiling, competitor
   suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
  Tomorrow: the 226th anniversary of the signing of the U.S. Constitution

Re: How do I find a parent rule for a test?

Posted by Abhijeet Rastogi <ab...@gmail.com>.
Hi John,

Thanks for the reply. I could get the above said rule as a "meta" one.
Thanks for that. One more thing I was hoping you could help me with.

Can you explain as to what's the difference between rules under
"./rules" and under "./rulesrc/sandbox/" directory? The reason I want
to know this is because I've a requirement where I want to disable
everything (meaning *all* rules) except a locally hosted URIBL). I was
hoping that I could do this by adding the output of the below command.
(running in the source code).

cat rules/*.cf  | grep -E '^(header|body)'  | awk '{print $2}' | sed 's/^/score /' | sed 's/$/ 0/'

But, to my surprise, it didn't help. I still had various checks still
getting applied like __HAS_TO, __HAS_ERRORS_TO etc etc. Any idea as to
what can be done about that?


On Mon, Sep 16, 2013 at 10:07 PM, John Hardin <jh...@impsec.org> wrote:
> On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:
>
>> Problem is, how do I know that a certain rule like __RCVD_IN_NJABL is
>> a base rule for others?
>
>
> The two leading underscores in the rule name indicate that the rule, by
> itself, is not assigned a score, thus, by itself, does not affect the
> overall score of the message at all. It must appear in a "meta" rule,
> possibly with other rules, before it can be assigned a score and affect the
> overall message score. So, at the most basic level, any rule having a name
> that starts with two underscores is _inherently_ a base for other rules.
>
> In order to determine *which* rules it's a base for, you have to look for
> that rule name in the config files. This isn't too easy to do online, you
> pretty much have to grep the rules files in a local install.
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
>   adware architecture incorporating spyware, profiling, competitor
>   suppression and delivery confirmation (U.S. Patent #20070157227)
> -----------------------------------------------------------------------
>  Tomorrow: the 226th anniversary of the signing of the U.S. Constitution



-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com

Re: How do I find a parent rule for a test?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 16 Sep 2013, Abhijeet Rastogi wrote:

> Problem is, how do I know that a certain rule like __RCVD_IN_NJABL is
> a base rule for others?

The two leading underscores in the rule name indicate that the rule, by 
itself, is not assigned a score, thus, by itself, does not affect the 
overall score of the message at all. It must appear in a "meta" rule, 
possibly with other rules, before it can be assigned a score and affect 
the overall message score. So, at the most basic level, any rule having a 
name that starts with two underscores is _inherently_ a base for other 
rules.

In order to determine *which* rules it's a base for, you have to look for 
that rule name in the config files. This isn't too easy to do online, you 
pretty much have to grep the rules files in a local install.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
   adware architecture incorporating spyware, profiling, competitor
   suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
  Tomorrow: the 226th anniversary of the signing of the U.S. Constitution
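
Added example, not part of John Hardin's message or of the SpamAssassin project: a shell function that does the recursive grep described in this thread (rule files in a local install, including the subdirectories sa-update writes). It lists the meta rules that name a given rule and, for a DNSBL rule, the check_rbl_sub() rules that read the set filled by that rule's check_rbl() lookup. The rule files are a constructed sample; find_parents, make_sample_tree and the EXAMPLE_* names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list the rules that build on a given
# SpamAssassin rule, searching rule directories recursively.

# find_parents RULE DIR...
# Prints "<parent>\t<how>\t<file>", sorted, for
#   - every meta rule whose expression names RULE as a whole token, and
#   - every check_rbl_sub() rule reading the DNSBL set that RULE's
#     check_rbl() lookup fills (the link is the set name, not the rule name).
# Assumption: paths contain no ':' (grep -H output is split on the first one).
find_parents() {
    fp_rule=$1; shift
    find "$@" -type f -name '*.cf' \
        -exec grep -HE '^[[:space:]]*(header|meta)[[:space:]]' {} + |
    tr "'" '"' |
    awk -v r="$fp_rule" '
        function arg1(s) { sub(/^[^"]*"/, "", s); sub(/".*$/, "", s); return s }
        {
            i = index($0, ":"); file[NR] = substr($0, 1, i - 1)
            $0 = substr($0, i + 1)            # re-split the rule line itself
            kind[NR] = $1; name[NR] = $2
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "")   # drop kind and name
            body[NR] = $0
            if (kind[NR] == "header" && name[NR] == r && $0 ~ /^eval:check_rbl\(/)
                dnsset = arg1($0)
        }
        END {
            for (n = 1; n <= NR; n++) {
                if (name[n] == r) continue
                if (kind[n] == "meta") {
                    e = body[n]; gsub(/[^A-Za-z0-9_]+/, " ", e)
                    if (index(" " e " ", " " r " "))
                        print name[n] "\tmeta\t" file[n]
                } else if (dnsset != "" && body[n] ~ /^eval:check_rbl_sub\(/ &&
                           arg1(body[n]) == dnsset)
                    print name[n] "\tcheck_rbl_sub\t" file[n]
            }
        }' | sort
}

# make_sample_tree: write a small CONSTRUCTED rule tree (modelled on rule-file
# syntax, not copied from a release) and print its path. The second file sits
# in a subdirectory, the way sa-update lays out downloaded channels.
make_sample_tree() {
    t=$(mktemp -d) && mkdir -p "$t/updates_example_org" || return 1
    cat > "$t/20_dnsbl_example.cf" <<'EOF'
header __RCVD_IN_ZEN    eval:check_rbl('zen', 'zen.spamhaus.org.')
header RCVD_IN_SBL      eval:check_rbl_sub('zen', '127.0.0.2')
header RCVD_IN_XBL      eval:check_rbl_sub('zen', '^127\.0\.0\.[45678]$')
header __HAS_TO         exists:To
header __HAS_TO_FIELD   exists:To
EOF
    cat > "$t/updates_example_org/72_example.cf" <<'EOF'
# a comment that mentions __HAS_TO must not count as a parent
header __HAS_ERRORS_TO  exists:Errors-To
meta   EXAMPLE_NO_TO    !__HAS_TO
meta   EXAMPLE_BOTH     (__HAS_TO && __HAS_ERRORS_TO)
meta   EXAMPLE_OTHER    (__HAS_TO_FIELD || __HAS_SENDER)
EOF
    printf '%s\n' "$t"
}

# Demo: parents of two rules named in the thread, looked up in the sample tree.
sample=$(make_sample_tree)
find_parents __RCVD_IN_ZEN "$sample"
find_parents __HAS_TO "$sample"
rm -rf "$sample"
```

On a real install, pass the rule directories instead of the sample tree, for example the two paths mentioned in the thread plus the directory sa-update writes to.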

Re: How do I find a parent rule for a test?

Posted by Abhijeet Rastogi <ab...@gmail.com>.
Hi guys,

I've already gone through the link
http://spamassassin.1065346.n5.nabble.com/Obvious-Disabling-some-RBL-URIBL-checks-td57047.html
which talks briefly about it.

Problem is, how do I know that a certain rule like __RCVD_IN_NJABL is
a base rule for others?

On Mon, Sep 16, 2013 at 10:53 AM, Abhijeet Rastogi
<ab...@gmail.com> wrote:
> Hi all,
>
> I wanted to disable a few RBLs & while doing that I observed that if I
> want to just disable spamhaus, I've to actually disable
> "__RCVD_IN_ZEN" after disabling the other spamhaus related checks like
> "check_rbl_sub"..
>
> How do I know that __RCVD_IN_ZEN is related to a check like
> "RCVD_IN_SBL"? I don't see how these two are related, except the
> hostname being used?
>
> Is there a good doc that tells me how to write these tests? Maybe,
> that'll give me some insight. Thanks
>
> --
> Regards,
> Abhijeet Rastogi (shadyabhi)
> http://blog.abhijeetr.com



-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com