You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2014/08/15 03:03:59 UTC
AXB_X_FF_SEZ_S not fired
Hi,
AXB_X_FF_SEZ_S is a rule that fires when the X-Forefront-Antispam-Report
header is found. I have a sample which has this header, yet the rule
doesn't fire, and wondered if someone could help me figure out why:
http://pastebin.com/vRQXxgJH
I'm using spamassassin-3.4, and I tested it on another spam (from the
quarantine, where it had already fired) and it was triggered there just
fine.
##{ AXB_X_FF_SEZ_S
header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~
/^SFV\:SPM/
describe AXB_X_FF_SEZ_S Forefront sez this is spam
##} AXB_X_FF_SEZ_S
##{ AXB_X_FF_SEZ_S if (version >= 3.004000)
if (version >= 3.004000)
tflags AXB_X_FF_SEZ_S autolearn_force
endif
##} AXB_X_FF_SEZ_S if (version >= 3.004000)
This is also one of those short-body URI spams, so I hoped it would have
been caught just based on that, so ideas on what else is missing would also
be appreciated...
Thanks,
Alex
Re: AXB_X_FF_SEZ_S not fired
Posted by Alex <my...@gmail.com>.
Hi,
>> This is a sandbox rule which was autopromoted/published by sa-update.
>> Due to lack of hits I removed it and re-added back yesterday.
>> It may be republished if masschecks decide it is worth it.
>
>
> Ok. I didn't recognize the prefix and didn't find it in my rules
directory, so I assumed it was custom.
>
> Since you removed it, it is possible that the rule wasn't hitting for the
OP because he ran sa_update
> and the rule was removed.
Thanks for your help. There was in fact a difference in rules on two
separate systems. It also helped me find a potential configuration issue
with updates, so appreciate that.
Thanks,
Alex
Re: AXB_X_FF_SEZ_S not fired
Posted by Bowie Bailey <Bo...@BUC.com>.
On 8/15/2014 4:19 PM, Axb wrote:
> On 08/15/2014 10:07 PM, Bowie Bailey wrote:
>> On 8/15/2014 3:05 PM, Alex wrote:
>>> Hi,
>>>
>>>>> AXB_X_FF_SEZ_S is a rule that fires when the
>>> X-Forefront-Antispam-Report header is found. I have a sample which has
>>> this header, yet the rule doesn't fire, and wondered if someone could
>>> help me figure out why:
>>>>> http://pastebin.com/vRQXxgJH
>>>>>
>>>>> I'm using spamassassin-3.4, and I tested it on another spam (from
>>> the quarantine, where it had already fired) and it was triggered there
>>> just fine.
>>>>> ##{ AXB_X_FF_SEZ_S
>>>>> header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~
>>> /^SFV\:SPM/
>>>>> describe AXB_X_FF_SEZ_S Forefront sez this is spam
>>>>> ##} AXB_X_FF_SEZ_S
>>>>> ##{ AXB_X_FF_SEZ_S if (version >= 3.004000)
>>>>> if (version >= 3.004000)
>>>>> tflags AXB_X_FF_SEZ_S autolearn_force
>>>>> endif
>>>>> ##} AXB_X_FF_SEZ_S if (version >= 3.004000)
>>>>>
>>>>> This is also one of those short-body URI spams, so I hoped it would
>>> have been caught just based on that, so ideas on what else is missing
>>> would also be appreciated...
>>>>
>>>> Works for me. I added your rule and tested it against your sample...
>>>>
>>>> * 1.0 AXB_X_FF_SEZ_S Forefront sez this is spam
>>>>
>>>> Are you sure you put the rule in the right place and reloaded spamd?
>>> Thanks for checking for me. This is even when running spamassassin -t
>>> directly.
>>>
>>> Hmm.. I'm looking at it more closely, and even the rule as it appears
>>> above, and it has no score.
>>>
>>> What file is the score supposed to be in, 72_scores.cf
>>> <http://72_scores.cf>? My 72_scores.cf <http://72_scores.cf> is dated
>>> Jul 28th.
>>>
>>> # ls -l 72_scores.cf <http://72_scores.cf>
>>> -rw-r--r-- 1 root root 8174 Jul 28 04:49 72_scores.cf
>>> <http://72_scores.cf>
>>> # md5sum 72_scores.cf <http://72_scores.cf>
>>> 9f82b967a373e44a373c3be30ad21e23 72_scores.cf <http://72_scores.cf>
>> This isn't one of the stock rules, so it shouldn't be in that file (or
>> directory). The files there (/var/lib/spamassassin/3.004000/ on my
>> system) are stock rules and any manual changes will be squashed by
>> sa_update.
>>
>> Custom rules (and their scores) should go in local.cf (or another *.cf
>> file) in your local rules directory (/etc/mail/spamassassin/ on my system).
>>
>> Rules with no score assigned are automatically scored at 1.0.
>
> This is a sandbox rule which was autopromoted/published by sa-update.
> Due to lack of hits I removed it and re-added back yesterday.
> It may be republished if masschecks decide it is worth it.
Ok. I didn't recognize the prefix and didn't find it in my rules
directory, so I assumed it was custom.
Since you removed it, it is possible that the rule wasn't hitting for
the OP because he ran sa_update and the rule was removed.
--
Bowie
Re: AXB_X_FF_SEZ_S not fired
Posted by Axb <ax...@gmail.com>.
On 08/15/2014 10:07 PM, Bowie Bailey wrote:
> On 8/15/2014 3:05 PM, Alex wrote:
>> Hi,
>>
>> >> AXB_X_FF_SEZ_S is a rule that fires when the
>> X-Forefront-Antispam-Report header is found. I have a sample which has
>> this header, yet the rule doesn't fire, and wondered if someone could
>> help me figure out why:
>> >>
>> >> http://pastebin.com/vRQXxgJH
>> >>
>> >> I'm using spamassassin-3.4, and I tested it on another spam (from
>> the quarantine, where it had already fired) and it was triggered there
>> just fine.
>> >>
>> >> ##{ AXB_X_FF_SEZ_S
>> >> header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~
>> /^SFV\:SPM/
>> >> describe AXB_X_FF_SEZ_S Forefront sez this is spam
>> >> ##} AXB_X_FF_SEZ_S
>> >> ##{ AXB_X_FF_SEZ_S if (version >= 3.004000)
>> >> if (version >= 3.004000)
>> >> tflags AXB_X_FF_SEZ_S autolearn_force
>> >> endif
>> >> ##} AXB_X_FF_SEZ_S if (version >= 3.004000)
>> >>
>> >> This is also one of those short-body URI spams, so I hoped it would
>> have been caught just based on that, so ideas on what else is missing
>> would also be appreciated...
>> >
>> >
>> > Works for me. I added your rule and tested it against your sample...
>> >
>> > * 1.0 AXB_X_FF_SEZ_S Forefront sez this is spam
>> >
>> > Are you sure you put the rule in the right place and reloaded spamd?
>>
>> Thanks for checking for me. This is even when running spamassassin -t
>> directly.
>>
>> Hmm.. I'm looking at it more closely, and even the rule as it appears
>> above, and it has no score.
>>
>> What file is the score supposed to be in, 72_scores.cf
>> <http://72_scores.cf>? My 72_scores.cf <http://72_scores.cf> is dated
>> Jul 28th.
>>
>> # ls -l 72_scores.cf <http://72_scores.cf>
>> -rw-r--r-- 1 root root 8174 Jul 28 04:49 72_scores.cf
>> <http://72_scores.cf>
>> # md5sum 72_scores.cf <http://72_scores.cf>
>> 9f82b967a373e44a373c3be30ad21e23 72_scores.cf <http://72_scores.cf>
>
> This isn't one of the stock rules, so it shouldn't be in that file (or
> directory). The files there (/var/lib/spamassassin/3.004000/ on my
> system) are stock rules and any manual changes will be squashed by
> sa_update.
>
> Custom rules (and their scores) should go in local.cf (or another *.cf
> file) in your local rules directory (/etc/mail/spamassassin/ on my system).
>
> Rules with no score assigned are automatically scored at 1.0.
This is a sandbox rule which was autopromoted/published by sa-update.
Due to lack of hits I removed it and re-added back yesterday.
It may be republished if masschecks decide it is worth it.
Axb
Re: AXB_X_FF_SEZ_S not fired
Posted by Bowie Bailey <Bo...@BUC.com>.
On 8/15/2014 3:05 PM, Alex wrote:
> Hi,
>
> >> AXB_X_FF_SEZ_S is a rule that fires when the
> X-Forefront-Antispam-Report header is found. I have a sample which has
> this header, yet the rule doesn't fire, and wondered if someone could
> help me figure out why:
> >>
> >> http://pastebin.com/vRQXxgJH
> >>
> >> I'm using spamassassin-3.4, and I tested it on another spam (from
> the quarantine, where it had already fired) and it was triggered there
> just fine.
> >>
> >> ##{ AXB_X_FF_SEZ_S
> >> header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~
> /^SFV\:SPM/
> >> describe AXB_X_FF_SEZ_S Forefront sez this is spam
> >> ##} AXB_X_FF_SEZ_S
> >> ##{ AXB_X_FF_SEZ_S if (version >= 3.004000)
> >> if (version >= 3.004000)
> >> tflags AXB_X_FF_SEZ_S autolearn_force
> >> endif
> >> ##} AXB_X_FF_SEZ_S if (version >= 3.004000)
> >>
> >> This is also one of those short-body URI spams, so I hoped it would
> have been caught just based on that, so ideas on what else is missing
> would also be appreciated...
> >
> >
> > Works for me. I added your rule and tested it against your sample...
> >
> > * 1.0 AXB_X_FF_SEZ_S Forefront sez this is spam
> >
> > Are you sure you put the rule in the right place and reloaded spamd?
>
> Thanks for checking for me. This is even when running spamassassin -t
> directly.
>
> Hmm.. I'm looking at it more closely, and even the rule as it appears
> above, and it has no score.
>
> What file is the score supposed to be in, 72_scores.cf
> <http://72_scores.cf>? My 72_scores.cf <http://72_scores.cf> is dated
> Jul 28th.
>
> # ls -l 72_scores.cf <http://72_scores.cf>
> -rw-r--r-- 1 root root 8174 Jul 28 04:49 72_scores.cf
> <http://72_scores.cf>
> # md5sum 72_scores.cf <http://72_scores.cf>
> 9f82b967a373e44a373c3be30ad21e23 72_scores.cf <http://72_scores.cf>
This isn't one of the stock rules, so it shouldn't be in that file (or
directory). The files there (/var/lib/spamassassin/3.004000/ on my
system) are stock rules and any manual changes will be squashed by
sa_update.
Custom rules (and their scores) should go in local.cf (or another *.cf
file) in your local rules directory (/etc/mail/spamassassin/ on my system).
Rules with no score assigned are automatically scored at 1.0.
--
Bowie
Re: AXB_X_FF_SEZ_S not fired
Posted by Alex <my...@gmail.com>.
Hi,
>> AXB_X_FF_SEZ_S is a rule that fires when the X-Forefront-Antispam-Report
header is found. I have a sample which has this header, yet the rule
doesn't fire, and wondered if someone could help me figure out why:
>>
>> http://pastebin.com/vRQXxgJH
>>
>> I'm using spamassassin-3.4, and I tested it on another spam (from the
quarantine, where it had already fired) and it was triggered there just
fine.
>>
>> ##{ AXB_X_FF_SEZ_S
>> header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /^SFV\:SPM/
>> describe AXB_X_FF_SEZ_S Forefront sez this is spam
>> ##} AXB_X_FF_SEZ_S
>> ##{ AXB_X_FF_SEZ_S if (version >= 3.004000)
>> if (version >= 3.004000)
>> tflags AXB_X_FF_SEZ_S autolearn_force
>> endif
>> ##} AXB_X_FF_SEZ_S if (version >= 3.004000)
>>
>> This is also one of those short-body URI spams, so I hoped it would have
been caught just based on that, so ideas on what else is missing would also
be appreciated...
>
>
> Works for me. I added your rule and tested it against your sample...
>
> * 1.0 AXB_X_FF_SEZ_S Forefront sez this is spam
>
> Are you sure you put the rule in the right place and reloaded spamd?
Thanks for checking for me. This is even when running spamassassin -t
directly.
Hmm.. I'm looking at it more closely, and even the rule as it appears
above, and it has no score.
What file is the score supposed to be in, 72_scores.cf? My 72_scores.cf is
dated Jul 28th.
# ls -l 72_scores.cf
-rw-r--r-- 1 root root 8174 Jul 28 04:49 72_scores.cf
# md5sum 72_scores.cf
9f82b967a373e44a373c3be30ad21e23 72_scores.cf
Thanks,
Alex
Re: AXB_X_FF_SEZ_S not fired
Posted by Bowie Bailey <Bo...@BUC.com>.
On 8/14/2014 9:03 PM, Alex wrote:
> Hi,
>
> AXB_X_FF_SEZ_S is a rule that fires when the
> X-Forefront-Antispam-Report header is found. I have a sample which has
> this header, yet the rule doesn't fire, and wondered if someone could
> help me figure out why:
>
> http://pastebin.com/vRQXxgJH
>
> I'm using spamassassin-3.4, and I tested it on another spam (from the
> quarantine, where it had already fired) and it was triggered there
> just fine.
>
> ##{ AXB_X_FF_SEZ_S
> header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /^SFV\:SPM/
> describe AXB_X_FF_SEZ_S Forefront sez this is spam
> ##} AXB_X_FF_SEZ_S
> ##{ AXB_X_FF_SEZ_S if (version >= 3.004000)
> if (version >= 3.004000)
> tflags AXB_X_FF_SEZ_S autolearn_force
> endif
> ##} AXB_X_FF_SEZ_S if (version >= 3.004000)
>
> This is also one of those short-body URI spams, so I hoped it would
> have been caught just based on that, so ideas on what else is missing
> would also be appreciated...
Works for me. I added your rule and tested it against your sample...
* 1.0 AXB_X_FF_SEZ_S Forefront sez this is spam
Are you sure you put the rule in the right place and reloaded spamd?
--
Bowie