Posted to users@spamassassin.apache.org by up...@3.am on 2005/02/07 18:28:49 UTC

Custom rule not being recognized

I just created a rule for the most common spams that have been making it
through SA, but for some reason, it's not showing up in the tests:

body SEE_ATTACH                  /See attachment message.html/i
describe SEE_ATTACH              body contains See attachment message.html
score SEE_ATTACH                 5.0

--lint shows no problems....

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@3.am							    http://3.am
=========================================================================


Re: Custom rule not being recognized

Posted by up...@3.am.
On Mon, 7 Feb 2005, Matt Kettler wrote:

> I suspect the message in question has the "see attachment" text directly
> after a Content-Transfer-Encoding: section header with no line break. I've
> seen some floating around like that, and they are intentionally creating a
> malformed message knowing many mime parsers will treat it as a header, not
> a body text.

I suspected that as well, which is why I tried the "header" type rule.

> I'd suggest trying your rule as a "full" type rule, instead of body,
> rawbody, or header type.
>
> Full should be run on the whole message, without any mime-stripping.

That did it, thanks!

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@3.am							    http://3.am
=========================================================================


Re: Custom rule not being recognized

Posted by Matt Kettler <mk...@evi-inc.com>.
At 02:49 PM 2/7/2005, up@3.am wrote:
>I found out what the problem is, and it seems like it should be considered
>a bug in SA.  The text in question is in the second line of the body of
>the message, and it seems it is being ignored by SA, because if I insert a
>couple of LFs to move it down, the rule kicks in.  I had tried changing it
>from "body" to "header" (also tried "rawbody") and that didn't work.  Here
>is a look at the offending message, sans the html attachment:

Erm... That part looks all kinds of mangled... Any chance you can show us 
the REAL raw message, sans the HTML attachment.

Note that by "REAL raw" I mean with real headers, inclusive of mime boundaries.

I suspect the message in question has the "see attachment" text directly 
after a Content-Transfer-Encoding: section header with no line break. I've 
seen some floating around like that, and they are intentionally creating a 
malformed message knowing many mime parsers will treat it as a header, not 
a body text.

I'd suggest trying your rule as a "full" type rule, instead of body, 
rawbody, or header type.

Full should be run on the whole message, without any mime-stripping. 
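
Added example, not part of any post in this thread: a sketch of the malformation Matt Kettler suspects, showing why a body-style match misses text that a full-style match over the raw message catches. The message, the boundary string and the strict splitter are constructed assumptions and are not SpamAssassin's parser.

```python
import re

# Constructed sample (not the message from the thread): the text line follows
# the part's Content-Transfer-Encoding header with no blank separator line.
RAW = (
    "Subject: 75% Off for All New Software.\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XBOUNDARYX"\n'
    "\n"
    "--XBOUNDARYX\n"
    "Content-Type: text/plain\n"
    "Content-Transfer-Encoding: 7bit\n"
    "See attachment message.html\n"
    "\n"
    "--XBOUNDARYX\n"
    'Content-Type: text/html; name="message.html"\n'
    "\n"
    "<html><body>offer</body></html>\n"
    "--XBOUNDARYX--\n"
)
BOUNDARY = "XBOUNDARYX"
RULE = re.compile(r"See attachment message\.html", re.I)
HEADER_LINE = re.compile(r"^(?:[!-9;-~]+:|[ \t])")  # "Name:" or a folded line


def split_parts(raw, boundary=BOUNDARY):
    """Assumed strict parser: a part's lines before its first blank line are headers."""
    parts = []
    for chunk in raw.split("--" + boundary + "\n")[1:]:
        chunk = chunk.split("--" + boundary + "--")[0]  # drop the closing delimiter
        head, _, body = chunk.partition("\n\n")
        parts.append((head.split("\n"), body))
    return parts


def body_rule_hits(raw):
    """Body-style match: only the MIME-stripped part bodies are searched."""
    return any(RULE.search(body) for _, body in split_parts(raw))


def full_rule_hits(raw):
    """Full-style match: the whole raw message is searched, no MIME stripping."""
    return bool(RULE.search(raw))


def stray_header_lines(raw):
    """Detection aid: lines in a part's header block that are not header fields."""
    return [line for head, _ in split_parts(raw)
            for line in head if line and not HEADER_LINE.match(line)]
```

Restoring the blank line after the Content-Transfer-Encoding header makes the body-style match hit again, which matches the effect of inserting LFs reported in the thread.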


Re: Custom rule not being recognized

Posted by Andy Jezierski <aj...@stepan.com>.
up@3.am wrote on 02/07/2005 11:28:49 AM:

> 
> I just created a rule for the most common spams that have been making it
> through SA, but for some reason, it's not showing up in the tests:
> 
> body SEE_ATTACH                  /See attachment message.html/i
> describe SEE_ATTACH              body contains See attachment message.html
> score SEE_ATTACH                 5.0
> 
> --lint shows no problems....
> 
> James Smallacombe            PlantageNet, Inc. CEO and Janitor
> up@3.am                         http://3.am
> 
> =========================================================================
> 

Have you restarted spamd/amavis/whatever you use to invoke SA?

Andy

Re: Custom rule not being recognized

Posted by up...@3.am.
On Mon, 7 Feb 2005, Alex Broens wrote:

> up@3.am wrote:
> > On Mon, 7 Feb 2005 up@3.am wrote:
> >
> >>I just created a rule for the most common spams that have been making it
> >>through SA, but for some reason, it's not showing up in the tests:
> >>
> >>body SEE_ATTACH                  /See attachment message.html/i
> >>describe SEE_ATTACH              body contains See attachment message.html
> >>score SEE_ATTACH                 5.0
> >>
> >>--lint shows no problems....
> >
> >
> > (replying to my own post)
> > I found out what the problem is, and it seems like it should be considered
> > a bug in SA.  The text in question is in the second line of the body of
> > the message, and it seems it is being ignored by SA, because if I insert a
> > couple of LFs to move it down, the rule kicks in.  I had tried changing it
> > from "body" to "header" (also tried "rawbody") and that didn't work.  Here
> > is a look at the offending message, sans the html attachment:
>
>
> have you tried escaping the period?
>
> body SEE_ATTACH                  /See attachment message\.html/i

Yes, I did...that didn't fix the problem....only inserting the LFs worked.
It was like SA did not recognize the first two lines of the body at all.

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@3.am							    http://3.am
=========================================================================


Re: Custom rule not being recognized

Posted by Alex Broens <sa...@alexb.ch>.
up@3.am wrote:
> On Mon, 7 Feb 2005 up@3.am wrote:
> 
>>I just created a rule for the most common spams that have been making it
>>through SA, but for some reason, it's not showing up in the tests:
>>
>>body SEE_ATTACH                  /See attachment message.html/i
>>describe SEE_ATTACH              body contains See attachment message.html
>>score SEE_ATTACH                 5.0
>>
>>--lint shows no problems....
> 
> 
> (replying to my own post)
> I found out what the problem is, and it seems like it should be considered
> a bug in SA.  The text in question is in the second line of the body of
> the message, and it seems it is being ignored by SA, because if I insert a
> couple of LFs to move it down, the rule kicks in.  I had tried changing it
> from "body" to "header" (also tried "rawbody") and that didn't work.  Here
> is a look at the offending message, sans the html attachment:


have you tried escaping the period?

body SEE_ATTACH                  /See attachment message\.html/i

h2h

Alex


Re: Custom rule not being recognized

Posted by up...@3.am.
On Mon, 7 Feb 2005 up@3.am wrote:
>
> I just created a rule for the most common spams that have been making it
> through SA, but for some reason, it's not showing up in the tests:
>
> body SEE_ATTACH                  /See attachment message.html/i
> describe SEE_ATTACH              body contains See attachment message.html
> score SEE_ATTACH                 5.0
>
> --lint shows no problems....

(replying to my own post)
I found out what the problem is, and it seems like it should be considered
a bug in SA.  The text in question is in the second line of the body of
the message, and it seems it is being ignored by SA, because if I insert a
couple of LFs to move it down, the rule kicks in.  I had tried changing it
from "body" to "header" (also tried "rawbody") and that didn't work.  Here
is a look at the offending message, sans the html attachment:

Return-Path: <ma...@yahoo.com>
Delivered-To: james@pil.net
Received: (qmail 47948 invoked from network); 6 Feb 2005 07:17:59 -0000
Received: by simscan 1.0.7 ppid: 47553, pid: 47562, t: 29.0736s
         scanners:none
Received: from unknown (HELO localhost) (213.98.12.243)
  by richard2.pil.net with SMTP; 6 Feb 2005 07:17:30 -0000
Message-ID: <85...@tstbhawi.com>
From: "Halpern Helen"<ma...@yahoo.com>
To: <ja...@pil.net>
Reply-To: "Halpern Helen"<ma...@yahoo.com>
Subject: 75% Off for All New Software.
Date: dom, 06 feb 2005 08:17:22 +0100
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2
X-Sender: "Halpern Helen"<ma...@yahoo.com>
Content-Type: multipart/mixed;
 boundary="------------56L352DTUJU4N2"
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mail.pil.net
X-Spam-Status: No, score=3.8 required=6.0
tests=BAYES_00,FORGED_YAHOO_RCVD,
        INVALID_DATE,RCVD_IN_BL_SPAMCOP_NET autolearn=no version=3.0.2
X-Spam-Level: ***
Parts/Attachments:
   1 Shown     1 lines  Text
   2   OK    ~23 KB     Text
----------------------------------------

See attachment message.html

    [ Part 2, Text/HTML (Name: "message.html")  1 lines. ]
    [ Not Shown. Use the "V" command to view or save this part. ]