How to tag as spam mail already marked as spam?

[Jean-Yves Avenard <jy...@gmail.com>]

Hi

I have spamassassin running on both my primary and secondary mail
servers. Often, some spammers send through the secondary mail server ;
which will then tag them as spam.

When the same message goes through the primary mail server , it is
tagged as spam once again.

Sometimes one server tags it as spam, while the other won't.

So either two things can happen.

Either I get a mail as **** SPAM **** (10.2) **** SPAM *** (10.1) blah

Or I get a mail that isn't tagged as spam, yet got its title changed
by the first mail server so it still looks like **** SPAM **** (5.6)
but isn't considered as spam anymore.

How can I write a rule on the primary server that will automatically
consider the message as spam is the other server detected it as spam.

I tried:
header PREVIOUS_SPAM X-Spam-Flag =~ /YES/,
header PREVIOUS_SPAM X-Spam-Status ~= /Yes/
etc.

None of them seems to make any differences.

Any ideas?
Thank
Jean-Yves

Re: How to tag as spam mail already marked as spam?

[RW <rw...@googlemail.com>]

On Fri, 15 Jan 2010 00:25:59 +1100
Jean-Yves Avenard <jy...@gmail.com> wrote:

> Hi
> 
> 2010/1/14 Mariusz Kruk <kr...@epsilon.eu.org>:
> > BTW, as the check definitions seem to be pretty ok at first glance,
> > did you set scoring for those rules, or did you just add the rules?
> > You should get something like:
> 
> Yes, I do try with score associated. I just posted the regex to
> simplify thing ; I tried all the X-Spam headers, none of them scores
> anything ; just like SA ignored those headers

SA strips all X-Spam-* headers in case they are forged.

Re: How to tag as spam mail already marked as spam?

[Jean-Yves Avenard <jy...@gmail.com>]

Hi

2010/1/14 Mariusz Kruk <kr...@epsilon.eu.org>:
> BTW, as the check definitions seem to be pretty ok at first glance, did
> you set scoring for those rules, or did you just add the rules?
> You should get something like:

Yes, I do try with score associated. I just posted the regex to
simplify thing ; I tried all the X-Spam headers, none of them scores
anything ; just like SA ignored those headers

Re: How to tag as spam mail already marked as spam?

[Mariusz Kruk <kr...@epsilon.eu.org>]

On Thu, 2010-01-14 at 21:55 +1100, Jean-Yves Avenard wrote:
> How can I write a rule on the primary server that will automatically
> consider the message as spam is the other server detected it as spam.
> 
> I tried:
> header PREVIOUS_SPAM X-Spam-Flag =~ /YES/,
> header PREVIOUS_SPAM X-Spam-Status ~= /Yes/
> etc.
> 
> None of them seems to make any differences.

I'd go for marking with different headers on either of the servers. And,
depending on the apropriate approach, just pass the mail already marked
as spam by the first server to user (or his spam folder) or feed it to
SA on the second machine but with scoring based on the header from the
first server.
BTW, as the check definitions seem to be pretty ok at first glance, did
you set scoring for those rules, or did you just add the rules?
You should get something like:

header PREVIOUS_SERVER_SPAM X-Some-Unique-ID-Spam =~ /\bYes\b/i
describe PREVIOUS_SERVER_SPAM Already scored
score PREVIOUS_SERVER_SPAM 2000

-- 
/\-\/\-\/\-\/\-\/\-\/\-\/\ 
\  Kruk@epsilon.eu.org   / 
/ http://epsilon.eu.org/ \ 
\/-/\/-/\/-/\/-/\/-/\/-/\/ 

Re: How to tag as spam mail already marked as spam?

[Mariusz Kruk <kr...@epsilon.eu.org>]

On Thu, 2010-01-14 at 23:58 +1100, Jean-Yves Avenard wrote:
> 2010/1/14 Matus UHLAR - fantomas <uh...@fantomas.sk>:
> > well, you either trust SA on secondary MX - then don't run the mail through
> > SA again.
> 
> But not all mails go through the 2nd MX ; so this is exactly what I
> want to do: don't run SA if it went through the 2nd MX and was tagged
> as spam.

Ahhh... so you want to skip whole scanning process if the mail is
already marked as spam?
You should then set SA on the first machine so it adds a unique header
(and pray that noone starts forging it) and filter on this header
_before_ feeding mail to SA on the second machine. How to do this
filtering depends on how you feed SA there. In my case it'd just be a
simple rule in system-wide procmailrc.
And you could also want to rewrite the header, so you can filter on one
spam status header instead of two.

-- 
\.\.\.\.\.\.\.\.\.\.\.\.\.\ 
.\.Kruk@epsilon.eu.org.\.\. 
\.http://epsilon.eu.org/\.\ 
.\.\.\.\.\.\.\.\.\.\.\.\.\. 

Re: How to tag as spam mail already marked as spam?

[Mariusz Kruk <kr...@epsilon.eu.org>]

On Fri, 2010-01-15 at 00:41 +1100, Jean-Yves Avenard wrote:
> > Your initial question was not "how to not run articular messages thru
> > SA", but "How to score on existing spam headers". That's a different
> > issue.
> I wanted to mark as spam, mais already tagged spam . At the end of the
> day, I achieve the same result.

Yes, you get the same result but you're wasting resources pointlessly.
I already told you what to do with the headers.

> > As I wrote before - the apropriate way to achieve what you need (save
> > CPU time by bypassing the SA stage completely) depends on how you feed
> > SA in your server setup.
> > You must think of the way of filtering mail before feeding it into SA.
> I use sendmail with spamass-milter.
> 
> I don't believe spamass-milter can provide that level of flexibility..

It's not the matter of believing but checking the docs ;-)

BTW, could you please just reply to the list?
-- 
/\-\/\-\/\-\/\-\/\-\/\-\/\ 
\  Kruk@epsilon.eu.org   / 
/ http://epsilon.eu.org/ \ 
\/-/\/-/\/-/\/-/\/-/\/-/\/ 

Re: How to tag as spam mail already marked as spam?

[Jean-Yves Avenard <jy...@gmail.com>]

2010/1/15 Mariusz Kruk <kr...@epsilon.eu.org>:

> Your initial question was not "how to not run articular messages thru
> SA", but "How to score on existing spam headers". That's a different
> issue.

I wanted to mark as spam, mais already tagged spam . At the end of the
day, I achieve the same result.

> As I wrote before - the apropriate way to achieve what you need (save
> CPU time by bypassing the SA stage completely) depends on how you feed
> SA in your server setup.
> You must think of the way of filtering mail before feeding it into SA.

I use sendmail with spamass-milter.

I don't believe spamass-milter can provide that level of flexibility..

Re: How to tag as spam mail already marked as spam?

[Mariusz Kruk <kr...@epsilon.eu.org>]

On Fri, 2010-01-15 at 00:24 +1100, Jean-Yves Avenard wrote:
> > that's just what I said - don't run mail through SA _again_.
> Uh Duh!
> 
> Do you think I'll be asking here if I knew how to do it?

Your initial question was not "how to not run articular messages thru
SA", but "How to score on existing spam headers". That's a different
issue.
As I wrote before - the apropriate way to achieve what you need (save
CPU time by bypassing the SA stage completely) depends on how you feed
SA in your server setup.
You must think of the way of filtering mail before feeding it into SA. 

-- 
/\-\/\-\/\-\/\-\/\-\/\-\/\ 
\  Kruk@epsilon.eu.org   / 
/ http://epsilon.eu.org/ \ 
\/-/\/-/\/-/\/-/\/-/\/-/\/ 

Re: How to tag as spam mail already marked as spam?

[Jean-Yves Avenard <jy...@gmail.com>]

2010/1/15 Matus UHLAR - fantomas <uh...@fantomas.sk>:
>
> that's just what I said - don't run mail through SA _again_.


Uh Duh!

Do you think I'll be asking here if I knew how to do it?

>
> Note that primary MX can score differently expecially if your users use
> BAYES, AWL etc. In suich case it may be desired to re-score.

they don't

>
> the best will be not to score in subject but only in X-Spam- headers that
> are replaced by SA.

And once again, none of the rules check X-Spam-xxx are doing anythin

Re: How to tag as spam mail already marked as spam?

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

> 2010/1/14 Matus UHLAR - fantomas <uh...@fantomas.sk>:
> > well, you either trust SA on secondary MX - then don't run the mail through
> > SA again.

On 14.01.10 23:58, Jean-Yves Avenard wrote:
> But not all mails go through the 2nd MX ; so this is exactly what I
> want to do: don't run SA if it went through the 2nd MX and was tagged
> as spam.

that's just what I said - don't run mail through SA _again_.

Note that primary MX can score differently expecially if your users use
BAYES, AWL etc. In suich case it may be desired to re-score.

the best will be not to score in subject but only in X-Spam- headers that
are replaced by SA.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton

Re: How to tag as spam mail already marked as spam?

[Jean-Yves Avenard <jy...@gmail.com>]

2010/1/14 Matus UHLAR - fantomas <uh...@fantomas.sk>:
> well, you either trust SA on secondary MX - then don't run the mail through
> SA again.

But not all mails go through the 2nd MX ; so this is exactly what I
want to do: don't run SA if it went through the 2nd MX and was tagged
as spam.

Re: How to tag as spam mail already marked as spam?

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

On 14.01.10 21:55, Jean-Yves Avenard wrote:
> I have spamassassin running on both my primary and secondary mail
> servers. Often, some spammers send through the secondary mail server ;
> which will then tag them as spam.
> 
> When the same message goes through the primary mail server , it is
> tagged as spam once again.
> 
> Sometimes one server tags it as spam, while the other won't.
> 
> So either two things can happen.
> 
> Either I get a mail as **** SPAM **** (10.2) **** SPAM *** (10.1) blah
> 
> Or I get a mail that isn't tagged as spam, yet got its title changed
> by the first mail server so it still looks like **** SPAM **** (5.6)
> but isn't considered as spam anymore.

well, you either trust SA on secondary MX - then don't run the mail through
SA again.
Or, if you don't trust SA there, don't let the secondary tag the e-mail.

I think you shoudl prefer the latter, since usually only the destination MX
has access to users' homedirs and configs there.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.