You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Motty Cruz <mo...@gmail.com> on 2018/04/05 16:12:45 UTC
how to remove T_RP_MATCHES_RCVD
Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails past
through. Is there a way to disable in local.cf?
Thanks,
Motty
Re: how to remove T_RP_MATCHES_RCVD
Posted by John Hardin <jh...@impsec.org>.
On Fri, 6 Apr 2018, Matus UHLAR - fantomas wrote:
> It's also useless duplicate of __RP_MATCHES_RCVD
>
> header T_RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
> header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
Cleaned that up.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
False is the idea of utility that sacrifices a thousand real
advantages for one imaginary or trifling inconvenience; that would
take fire from men because it burns, and water because one may drown
in it; that has no remedy for evils except destruction. The laws
that forbid the carrying of arms are laws of such a nature. They
disarm only those who are neither inclined nor determined to commit
crime. -- Cesare Beccaria, quoted by Thomas Jefferson
-----------------------------------------------------------------------
6 days until Thomas Jefferson's 275th Birthday
Re: how to remove T_RP_MATCHES_RCVD
Posted by John Hardin <jh...@impsec.org>.
On Fri, 6 Apr 2018, Matus UHLAR - fantomas wrote:
>> On Thu, 5 Apr 2018, Motty Cruz wrote:
>>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails past
>>> through. Is there a way to disable in local.cf?
>
> simply put:
>
> score RP_MATCHES_RCVD 0
> score T_RP_MATCHES_RCVD 0
>
> in case of anyone will try pushing any of these to SA.
>
> On 05.04.18 09:32, John Hardin wrote:
>> The best way to disable it without breaking any meta-rules that may be
>> using it is to set its score to 0.001 in your local config file.
>
> meta rules are supposed to use __RP_MATCHES_RCVD - this is what
> __RP_MATCHES_RCVD is for.
>
> using T_RP_MATCHES_RCVD in meta rules should be considered a bug.
Correct, however that doesn't mean someone hasn't done so locally.
> It's also useless duplicate of __RP_MATCHES_RCVD
>
> header T_RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
> header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
Yeah. I noticed that too but didn't clean it up. If somebody else doesn't
by this weekend I probably will.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
[For Earth Day] Obama flew a 747 all the way to the Everglades
then rode in a massive SUV motorcade to tell you
to cut carbon emissions. -- Twitter satirist @hale_razor
-----------------------------------------------------------------------
7 days until Thomas Jefferson's 275th Birthday
Re: how to remove T_RP_MATCHES_RCVD
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Thu, 5 Apr 2018, Motty Cruz wrote:
>>Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails past
>>through. Is there a way to disable in local.cf?
simply put:
score RP_MATCHES_RCVD 0
score T_RP_MATCHES_RCVD 0
in case of anyone will try pushing any of these to SA.
On 05.04.18 09:32, John Hardin wrote:
>The best way to disable it without breaking any meta-rules that may
>be using it is to set its score to 0.001 in your local config file.
meta rules are supposed to use __RP_MATCHES_RCVD - this is what
__RP_MATCHES_RCVD is for.
using T_RP_MATCHES_RCVD in meta rules should be considered a bug.
It's also useless duplicate of __RP_MATCHES_RCVD
header T_RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
I really wonder that after multiple complaints of RP_MATCHES_RCVD someone
dared push it to rulesets again.
just a simple search:
https://lists.gt.net/spamassassin/users/166185
http://spamassassin.1065346.n5.nabble.com/RP-MATCHES-RCVD-td111557.html
http://spamassassin.1065346.n5.nabble.com/RP-MATCHES-RCVD-td107111.html
https://serverfault.com/questions/628398/spamassassin-filter-systematically-produces-negative-ham-scores-for-spam-messa
>I don't see a score for it in the latest rules update, so it should
>by default be *adding* one point to scores, which won't contribute to
>FNs.
It could to contribute to FPs in such case.
I believe this hasn't been true in the past, since I have already disabled
this on some of systems we maintain in our company.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: how to remove T_RP_MATCHES_RCVD
Posted by "Kevin A. McGrail" <km...@apache.org>.
I stand corrected!
On Sun, Apr 8, 2018, 13:22 RW <rw...@googlemail.com> wrote:
> On Thu, 5 Apr 2018 19:56:13 -0400
> Kevin A. McGrail wrote:
>
> > It's pedantic but I am 99.9% sure that a Test Rule (prefix T_) is
> > scored at 0.001 but scores in the report are rounded to a ceiling so
> > it displaces as .01.
> >
>
> Informational rules that do score 0.001 display as 0.00 whereas T_*
> rules display as 0.01.
>
> And
>
> sub set_default_scores {
> ...
> # T_ rules (in a testing probationary period) get low, low scores
> my $set_score = ($k =~/^T_/) ? 0.01 : 1.0;
>
>
>
Re: how to remove T_RP_MATCHES_RCVD
Posted by RW <rw...@googlemail.com>.
On Thu, 5 Apr 2018 19:56:13 -0400
Kevin A. McGrail wrote:
> It's pedantic but I am 99.9% sure that a Test Rule (prefix T_) is
> scored at 0.001 but scores in the report are rounded to a ceiling so
> it displaces as .01.
>
Informational rules that do score 0.001 display as 0.00 whereas T_*
rules display as 0.01.
And
sub set_default_scores {
...
# T_ rules (in a testing probationary period) get low, low scores
my $set_score = ($k =~/^T_/) ? 0.01 : 1.0;
Re: how to remove T_RP_MATCHES_RCVD
Posted by "Kevin A. McGrail" <km...@apache.org>.
It's pedantic but I am 99.9% sure that a Test Rule (prefix T_) is scored at
0.001 but scores in the report are rounded to a ceiling so it displaces as
.01.
--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
On Thu, Apr 5, 2018 at 7:50 PM, RW <rw...@googlemail.com> wrote:
> On Thu, 5 Apr 2018 10:23:50 -0700 (PDT)
> John Hardin wrote:
>
>
> > Actually, I retract that suggestion, I wasn't aware of the special
> > automatic scoring for T_ rules. Leave it alone.
>
> There's little point in this case, but I don't think there's any harm in
> changing such scores locally. IIRC the "T_" prefix just makes the
> default score 0.01 instead of 1.0 (or -0.01 with the 'nice' flag set).
>
Re: how to remove T_RP_MATCHES_RCVD
Posted by RW <rw...@googlemail.com>.
On Thu, 5 Apr 2018 10:23:50 -0700 (PDT)
John Hardin wrote:
> Actually, I retract that suggestion, I wasn't aware of the special
> automatic scoring for T_ rules. Leave it alone.
There's little point in this case, but I don't think there's any harm in
changing such scores locally. IIRC the "T_" prefix just makes the
default score 0.01 instead of 1.0 (or -0.01 with the 'nice' flag set).
Re: how to remove T_RP_MATCHES_RCVD
Posted by John Hardin <jh...@impsec.org>.
On Thu, 5 Apr 2018, Motty Cruz wrote:
> Thanks for your prompt reply John,
>
> X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
> tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
> T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
>
> always the score is -0.01 regardless; I will take your suggestion and set it
> to 0.01, will report back shortly.
Actually, I retract that suggestion, I wasn't aware of the special
automatic scoring for T_ rules. Leave it alone.
Why do you think that a rule scoring -0.01 is responsible for FN scores?
It may be due to its use as a suppressor in some metas, but absent the
full spam we can't check for that.
> Thanks,
>
>
> On 04/05/2018 09:32 AM, John Hardin wrote:
>> On Thu, 5 Apr 2018, Motty Cruz wrote:
>>
>>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails past
>>> through. Is there a way to disable in local.cf?
>>
>> The best way to disable it without breaking any meta-rules that may be
>> using it is to set its score to 0.001 in your local config file.
>>
>> I don't see a score for it in the latest rules update, so it should by
>> default be *adding* one point to scores, which won't contribute to FNs.
>>
>> What is it currently scored in your environment?
>>
>> It is, however, used as a suppressor subrule in some spam meta-rules. Is
>> that why it's causing FNs for you?
>>
>
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows and its users got mentioned at home today, after my wife the
psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
-----------------------------------------------------------------------
8 days until Thomas Jefferson's 275th Birthday
Re: how to remove T_RP_MATCHES_RCVD
Posted by Motty Cruz <mo...@gmail.com>.
Thanks Tom,
my scores were definitely a problem.
Thanks again,
Motty
On 04/05/2018 09:48 AM, Tom Hendrikx wrote:
> On 05-04-18 18:40, Motty Cruz wrote:
>> Thanks for your prompt reply John,
>>
>> X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
>> tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
>> T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
>>
> BAYES_00 means 'pretty sure it's ham'.
> BAYES_99 means 'pretty sure it's spam'.
> BAYES_50 means 'no idea'.
>
> Scoring BAYES_50 at 4.3 is your scoring issue, nothing's wrong with
> T_RP_MATCHES_RCVD.
>
> Kind regards,
> Tom
>
>
>> always the score is -0.01 regardless; I will take your suggestion and
>> set it to 0.01, will report back shortly.
>>
>> Thanks,
>>
>>
>> On 04/05/2018 09:32 AM, John Hardin wrote:
>>> On Thu, 5 Apr 2018, Motty Cruz wrote:
>>>
>>>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails past
>>>> through. Is there a way to disable in local.cf?
>>> The best way to disable it without breaking any meta-rules that may be
>>> using it is to set its score to 0.001 in your local config file.
>>>
>>> I don't see a score for it in the latest rules update, so it should by
>>> default be *adding* one point to scores, which won't contribute to FNs.
>>>
>>> What is it currently scored in your environment?
>>>
>>> It is, however, used as a suppressor subrule in some spam meta-rules.
>>> Is that why it's causing FNs for you?
>>>
>
Re: how to remove T_RP_MATCHES_RCVD
Posted by Tom Hendrikx <to...@whyscream.net>.
On 05-04-18 18:40, Motty Cruz wrote:
> Thanks for your prompt reply John,
>
> X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
> tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
> T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
>
BAYES_00 means 'pretty sure it's ham'.
BAYES_99 means 'pretty sure it's spam'.
BAYES_50 means 'no idea'.
Scoring BAYES_50 at 4.3 is your scoring issue, nothing's wrong with
T_RP_MATCHES_RCVD.
Kind regards,
Tom
> always the score is -0.01 regardless; I will take your suggestion and
> set it to 0.01, will report back shortly.
>
> Thanks,
>
>
> On 04/05/2018 09:32 AM, John Hardin wrote:
>> On Thu, 5 Apr 2018, Motty Cruz wrote:
>>
>>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails past
>>> through. Is there a way to disable in local.cf?
>>
>> The best way to disable it without breaking any meta-rules that may be
>> using it is to set its score to 0.001 in your local config file.
>>
>> I don't see a score for it in the latest rules update, so it should by
>> default be *adding* one point to scores, which won't contribute to FNs.
>>
>> What is it currently scored in your environment?
>>
>> It is, however, used as a suppressor subrule in some spam meta-rules.
>> Is that why it's causing FNs for you?
>>
>
Re: how to remove T_RP_MATCHES_RCVD
Posted by Motty Cruz <mo...@gmail.com>.
Thanks for your prompt reply John,
X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
always the score is -0.01 regardless; I will take your suggestion and
set it to 0.01, will report back shortly.
Thanks,
On 04/05/2018 09:32 AM, John Hardin wrote:
> On Thu, 5 Apr 2018, Motty Cruz wrote:
>
>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails past
>> through. Is there a way to disable in local.cf?
>
> The best way to disable it without breaking any meta-rules that may be
> using it is to set its score to 0.001 in your local config file.
>
> I don't see a score for it in the latest rules update, so it should by
> default be *adding* one point to scores, which won't contribute to FNs.
>
> What is it currently scored in your environment?
>
> It is, however, used as a suppressor subrule in some spam meta-rules.
> Is that why it's causing FNs for you?
>
Re: how to remove T_RP_MATCHES_RCVD
Posted by John Hardin <jh...@impsec.org>.
On Thu, 5 Apr 2018, Motty Cruz wrote:
> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails past through.
> Is there a way to disable in local.cf?
The best way to disable it without breaking any meta-rules that may be
using it is to set its score to 0.001 in your local config file.
I don't see a score for it in the latest rules update, so it should by
default be *adding* one point to scores, which won't contribute to FNs.
What is it currently scored in your environment?
It is, however, used as a suppressor subrule in some spam meta-rules. Is
that why it's causing FNs for you?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The first time I saw a bagpipe, I thought the player was
torturing an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
8 days until Thomas Jefferson's 275th Birthday
Re: how to remove T_RP_MATCHES_RCVD
Posted by RW <rw...@googlemail.com>.
On Thu, 5 Apr 2018 09:12:45 -0700
Motty Cruz wrote:
> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails past
> through. Is there a way to disable in local.cf?
How's that happening? A T_* rule only scores +/- 0.01.