Posted to users@spamassassin.apache.org by "Dan Mahoney, System Admin" <da...@prime.gushi.org> on 2010/06/28 11:33:36 UTC

Autoreplies from RT are hitting on ANY_BOUNCE_MESSAGE

Hey there,

Perhaps this is by design, but rt replies are, strictly speaking, not 
bounce messages.

Message attached, let me know if it looks "normal".

-Dan

-- 


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

Re: [sa-list] Re: Autoreplies from RT are hitting on ANY_BOUNCE_MESSAGE

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 2010-06-29 10:39, Dan Mahoney, System Admin wrote:
> On Mon, 28 Jun 2010, Yet Another Ninja wrote:
> 
>> On 2010-06-28 11:33, Dan Mahoney, System Admin wrote:
>> > Hey there,
>> >
>> > Perhaps this is by design, but rt replies are, strictly speaking, not
>> > bounce messages.
>> >
>> > Message attached, let me know if it looks "normal".
>> >
>> > -Dan
>> >
>> from what I see it looks normal if someone really makes an effort to 
>> "tune" SA scores.
>>
>>
>> my 50_scores.cf default says:
>>
>> score ANY_BOUNCE_MESSAGE 0.1
>> score SHORTCIRCUIT 0
> 
> Even so, why is it matching, when it's not a bounce.  It's either 
> something inaccurate in spamassassin, or something RT is doing that it 
> shouldn't be.  If it's the latter, I'll attempt to fix rt.  If the 
> former, perhaps SA should.

Either I'm blind or your sample is missing important header information.

suggest you use:

report_safe 0

in local.cf and post a new sample in pastebin



Re: Autoreplies from RT are hitting on ANY_BOUNCE_MESSAGE

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2011-02-23 at 14:34 +1100, Con Tassios wrote:
> On Tue, 29 Jun 2010, Karsten Bräckelmann wrote:

[ Rather large *snip*, mostly me asking the OP for info that he never
provided. ]

> > Lastly, as Alex hinted, stock SA would *not* have classified the mail as
> > spam. That is due to your incredibly high custom score.
> >
> > The vbounce rule-set is meant to identify backscatter, and action is
> > supposed to be taken on the rules hit. It is not meant and better not be
> > used to classify these spam. See the vbounce rule-set cf file for proper
> > usage.
> 
> Sorry to be replying to such an old message, but SA 3.3.1 seems to be hitting

A new post probably would have been better. Some of us do read the list
in threaded view, and I wouldn't have found this post if it wasn't for
you "helpfully" Cc'ing me privately. (Since it's been another week, I'll
Cc you too, despite my habit.)

BTW, I hope you didn't notice this because, like the OP of the original
thread, you assigned bounces a high spam score. That would be wrong to
do.

> these rules simply when a message has the word 'AutoReply' in the subject
> header.  As such, it would be difficult to accurately identify mail as
> backscatter, as some web sites (Dell, for example) send emails that contain the
> word 'AutoReply' in the subject after a web form is submitted.

Almost. It also depends on actually configuring the VBounce plugin, and
not hitting the rules to protect real bounces. To be precise, this is
the logic, stripped down from the larger meta rule -- where the last
sub-rule is the Subject header RE.

  meta BOUNCE_MESSAGE  __HAVE_BOUNCE_RELAYS && (!__MY_SERVERS_FOUND && !ALL_TRUSTED && !__NONBOUNCE_READ_RECEIPT && (... || __BOUNCE_AUTO_REPLY))

If you want a quick fix, re-define __BOUNCE_AUTO_REPLY in your site
config local.cf to not include the offending string, or disable that
particular OR-ed sub-rule altogether.

  meta __BOUNCE_AUTO_REPLY (0)

If you believe that particular string and sub-rule doesn't help much in
detecting bounces, and thus should either be constrained further or
possibly removed from the set, please file a bug.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
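
Added example, not part of the original post and not SpamAssassin code: a Python model of the stripped-down meta quoted above, run over constructed messages to show when an 'AutoReply' subject hits and what configuring the relays or disabling the sub-rule changes. How the two relay sub-rules are computed, the subject regex, and all hostnames and sample messages are assumptions of this model.

```python
import re

# Stand-in for the stock Subject regex (assumption): the thread only establishes
# that the word 'AutoReply' in the Subject is enough to hit the sub-rule.
AUTO_REPLY_RE = re.compile(r"autoreply", re.I)


def sub_rules(msg, bounce_relays, auto_reply_disabled=False):
    """Model (not SpamAssassin code) of the sub-rules named in the meta."""
    quoted = [l.lower() for l in msg["body"].splitlines()
              if l.lower().startswith("received:")]
    return {
        # Assumed: true once whitelist_bounce_relays is configured at all.
        "__HAVE_BOUNCE_RELAYS": bool(bounce_relays),
        # Assumed: true when a Received line quoted in the body names one of
        # our relays, i.e. this is a reply to mail we really sent.
        "__MY_SERVERS_FOUND": any(r.lower() in l
                                  for l in quoted for r in bounce_relays),
        "ALL_TRUSTED": msg.get("all_trusted", False),
        "__NONBOUNCE_READ_RECEIPT": msg.get("read_receipt", False),
        # 'meta __BOUNCE_AUTO_REPLY (0)' in local.cf forces this to False.
        "__BOUNCE_AUTO_REPLY": (not auto_reply_disabled
                                and bool(AUTO_REPLY_RE.search(msg["subject"]))),
    }


def bounce_message(msg, bounce_relays, auto_reply_disabled=False):
    """Evaluate the stripped-down meta; the elided '...' sub-rules are omitted."""
    r = sub_rules(msg, bounce_relays, auto_reply_disabled)
    return (r["__HAVE_BOUNCE_RELAYS"]
            and not r["__MY_SERVERS_FOUND"]
            and not r["ALL_TRUSTED"]
            and not r["__NONBOUNCE_READ_RECEIPT"]
            and r["__BOUNCE_AUTO_REPLY"])


# Constructed samples: an RT-style autoreply, and an autoreply that quotes
# the headers of mail which left through our own relay.
RT_AUTOREPLY = {"subject": "[example.org #1234] AutoReply: printer broken",
                "body": "This message has been automatically generated."}
QUOTES_OUR_MAIL = {"subject": "AutoReply: out of office",
                   "body": "Original headers:\nReceived: from mx1.example.net by mx.example.com"}
RELAYS = ["mx1.example.net"]  # placeholder whitelist_bounce_relays value

if __name__ == "__main__":
    for name, m in (("rt", RT_AUTOREPLY), ("quotes-our-mail", QUOTES_OUR_MAIL)):
        print(name, bounce_message(m, RELAYS), bounce_message(m, RELAYS, True))
```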


Re: Autoreplies from RT are hitting on ANY_BOUNCE_MESSAGE

Posted by Con Tassios <ct...@ct.cc.swin.edu.au>.
On Tue, 29 Jun 2010, Karsten Bräckelmann wrote:

> On Tue, 2010-06-29 at 04:39 -0400, Dan Mahoney, System Admin wrote:
> > On Mon, 28 Jun 2010, Yet Another Ninja wrote:
>
> > > > Perhaps this is by design, but rt replies are, strictly speaking, not
> > > > bounce messages.
>
> > > from what I see it looks normal if someone really makes an effort to
> > > "tune" SA scores.
> > >
> > > score ANY_BOUNCE_MESSAGE 0.1
> > > score SHORTCIRCUIT 0
> >
> > Even so, why is it matching, when it's not a bounce.  It's either
> > something inaccurate in spamassassin, or something RT is doing that it
> > > shouldn't be.  If it's the latter, I'll attempt to fix rt.  If the former,
> > perhaps SA should.
>
> You didn't provide the necessary information to determine, why the
> vbounce rules fire. A full, raw message would be good, and of course
> your whitelist_bounce_relays setting. Ideally you would further provide
> the relevant sub-tests hit.
>
> Moreover, you didn't mention your SA version, though from another post
> of yours we know it to be 3.2.3. There have been quite some changes to
> the vbounce rule-set since -- does 3.3.x also hit?
>
>
> Lastly, as Alex hinted, stock SA would *not* have classified the mail as
> spam. That is due to your incredibly high custom score.
>
> The vbounce rule-set is meant to identify backscatter, and action is
> supposed to be taken on the rules hit. It is not meant and better not be
> used to classify these spam. See the vbounce rule-set cf file for proper
> usage.


Sorry to be replying to such an old message, but SA 3.3.1 seems to be hitting
these rules simply when a message has the word 'AutoReply' in the subject
header.  As such, it would be difficult to accurately identify mail as
backscatter, as some web sites (Dell, for example) send emails that contain the
word 'AutoReply' in the subject after a web form is submitted.

Re: Autoreplies from RT are hitting on ANY_BOUNCE_MESSAGE

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2010-06-29 at 04:39 -0400, Dan Mahoney, System Admin wrote:
> On Mon, 28 Jun 2010, Yet Another Ninja wrote:

> > > Perhaps this is by design, but rt replies are, strictly speaking, not 
> > > bounce messages.

> > from what I see it looks normal if someone really makes an effort to 
> > "tune" SA scores.
> > 
> > score ANY_BOUNCE_MESSAGE 0.1
> > score SHORTCIRCUIT 0
> 
> Even so, why is it matching, when it's not a bounce.  It's either 
> something inaccurate in spamassassin, or something RT is doing that it 
> > shouldn't be.  If it's the latter, I'll attempt to fix rt.  If the former, 
> perhaps SA should.

You didn't provide the necessary information to determine, why the
vbounce rules fire. A full, raw message would be good, and of course
your whitelist_bounce_relays setting. Ideally you would further provide
the relevant sub-tests hit.

Moreover, you didn't mention your SA version, though from another post
of yours we know it to be 3.2.3. There have been quite some changes to
the vbounce rule-set since -- does 3.3.x also hit?


Lastly, as Alex hinted, stock SA would *not* have classified the mail as
spam. That is due to your incredibly high custom score.

The vbounce rule-set is meant to identify backscatter, and action is
supposed to be taken on the rules hit. It is not meant and better not be
used to classify these spam. See the vbounce rule-set cf file for proper
usage.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: [sa-list] Re: Autoreplies from RT are hitting on ANY_BOUNCE_MESSAGE

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Mon, 28 Jun 2010, Yet Another Ninja wrote:

> On 2010-06-28 11:33, Dan Mahoney, System Admin wrote:
> > Hey there,
> > 
> > Perhaps this is by design, but rt replies are, strictly speaking, not 
> > bounce messages.
> > 
> > Message attached, let me know if it looks "normal".
> > 
> > -Dan
> > 
> 
> from what I see it looks normal if someone really makes an effort to 
> "tune" SA scores.
> 
> 
> my 50_scores.cf default says:
> 
> score ANY_BOUNCE_MESSAGE 0.1
> score SHORTCIRCUIT 0

Even so, why is it matching, when it's not a bounce.  It's either 
something inaccurate in spamassassin, or something RT is doing that it 
shouldn't be.  If it's the latter, I'll attempt to fix rt.  If the former, 
perhaps SA should.

-Dan

-- 

"You recreate the stars in the sky with cows?"

-Furrball, March 7 2005, on Katamari Damacy

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


Re: Autoreplies from RT are hitting on ANY_BOUNCE_MESSAGE

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 2010-06-28 11:33, Dan Mahoney, System Admin wrote:
> Hey there,
> 
> Perhaps this is by design, but rt replies are, strictly speaking, not 
> bounce messages.
> 
> Message attached, let me know if it looks "normal".
> 
> -Dan
> 

from what I see it looks normal if someone really makes an effort to 
"tune" SA scores.


my 50_scores.cf default says:

score ANY_BOUNCE_MESSAGE 0.1
score SHORTCIRCUIT 0