Posted to users@spamassassin.apache.org by "James B. Byrne" <by...@harte-lyne.ca> on 2014/06/02 17:51:38 UTC

Header present but MISSING_FROM triggered

SA 3.3.1 (CentOS-6)

MISSING_FROM rule trigger.

I am curious about the behaviour of this rule.  For example I can see this in
a recently received message:

. . .
> X-Spam-Status: No, score=-101.8 tagged_above=-999 required=2.5
> tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, BDY_DRUG=0.2, DKIM_SIGNED=0.1,
> DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MISSING_FROM=1.5,
> RP_MATCHES_RCVD=-0.5, USER_IN_WHITELIST=-100] autolearn=no

. . . -- much DKIM related stuff here including signature --

> Received: from 216.185.71.69
> (SquirrelMail authenticated user byrnejc)
> by webmail.harte-lyne.ca with HTTP;
> Mon, 2 Jun 2014 10:59:07 -0400
> Message-ID: <6f...@webmail.harte-lyne.ca>
> Date: Mon, 2 Jun 2014 10:59:07 -0400
> Subject: PKTA01453294 Guardian Drug PU#655787
> From: "James Byrne (Exports)" <by...@harte-lyne.ca>
> To: . . .

As far as I can tell this message has a From: header.  Does MISSING_FROM test
for something else?  I cannot tell what it does since all of the explanations
seem to have been removed from https://spamassassin.apache.org/tests.html.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: Header present but MISSING_FROM triggered

Posted by Axb <ax...@gmail.com>.
On 06/02/2014 05:51 PM, James B. Byrne wrote:
> SA 3.3.1 (CentOS-6)
>
> MISSING_FROM rule trigger.
>
> I am curious about the behaviour of this rule.  For example I can see this in
> a recently received message:
>
> . . .
>> X-Spam-Status: No, score=-101.8 tagged_above=-999 required=2.5
>> tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, BDY_DRUG=0.2, DKIM_SIGNED=0.1,
>> DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MISSING_FROM=1.5,
>> RP_MATCHES_RCVD=-0.5, USER_IN_WHITELIST=-100] autolearn=no
>
> . . . -- much DKIM related stuff here including signature --
>
>> Received: from 216.185.71.69
>> (SquirrelMail authenticated user byrnejc)
>> by webmail.harte-lyne.ca with HTTP;
>> Mon, 2 Jun 2014 10:59:07 -0400
>> Message-ID: <6f...@webmail.harte-lyne.ca>
>> Date: Mon, 2 Jun 2014 10:59:07 -0400
>> Subject: PKTA01453294 Guardian Drug PU#655787
>> From: "James Byrne (Exports)" <by...@harte-lyne.ca>
>> To: . . .
>
> As far as I can tell this message has a From: header.  Does MISSING_FROM test
> for something else?  I cannot tell what it does since all of the explanations
> seem to have been removed from https://spamassassin.apache.org/tests.html.

tried grepping in rules directory? ;-)


header __HAS_FROM		exists:From
meta MISSING_FROM		!__HAS_FROM
describe MISSING_FROM		Missing From: header

rule is so simple it can hardly go wrong...
does it only hit your webmail msgs?


Re: Header present but MISSING_FROM triggered

Posted by John Hardin <jh...@impsec.org>.
On Mon, 2 Jun 2014, James B. Byrne wrote:

>> Received: from 216.185.71.69
>> (SquirrelMail authenticated user byrnejc)
>> by webmail.harte-lyne.ca with HTTP;
>> Mon, 2 Jun 2014 10:59:07 -0400
>> Message-ID: <6f...@webmail.harte-lyne.ca>
>> Date: Mon, 2 Jun 2014 10:59:07 -0400
>> Subject: PKTA01453294 Guardian Drug PU#655787
>> From: "James Byrne (Exports)" <by...@harte-lyne.ca>
>> To: . . .

Is that an accurate verbatim copy-paste from the actual raw message?

If so, the lack of indentation on the header continuation lines may be 
screwing things up.

Any possibility of getting a pastebin of such a message?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Perfect Security and Absolute Safety are unattainable; beware
   those who would try to sell them to you, regardless of the cost,
   for they are trying to sell you your own slavery.
-----------------------------------------------------------------------
  4 days until the 70th anniversary of D-Day

Re: Header present but MISSING_FROM triggered

Posted by John Hardin <jh...@impsec.org>.
On Mon, 2 Jun 2014, James B. Byrne wrote:

> 	*  1.2 MISSING_HEADERS Missing To: header
> 	*  1.2 MISSING_MID Missing Message-Id: header
> 	*  1.3 MISSING_SUBJECT Missing Subject: header
> 	*  1.5 MISSING_FROM Missing From: header
> 	*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
> 	*  1.8 MISSING_DATE Missing Date: header

Your message headers are badly damaged, or there is a blank line at the 
beginning of the message as passed to SA.

Again, is that sample of headers a verbatim copy-paste of the raw message? 
The header continuation lines are not indented, but that may be an 
artifact of pasting them into the body of an email. Again, can you provide 
a pastebin of the raw form of that same message?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   There is no better measure of the unthinking contempt of the
   environmentalist movement for civilization than their call to
   turn off the lights and sit in the dark.            -- Sultan Knish
-----------------------------------------------------------------------
  4 days until the 70th anniversary of D-Day
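
John Hardin's diagnosis above (a blank line ahead of the headers, or continuation lines that lost their indentation) can be checked on a saved message before it is passed to `spamassassin`. This is an added example, not part of the original thread and not SpamAssassin code: it uses Python's standard `email` parser as a stand-in to show the From: header disappearing, and the sample message, the example.org/example.net names, and the functions `lint_headers`, `refold` and `parsed_from` are constructed for illustration.

```python
import email
import re

# RFC 5322 field name: printable ASCII except ":", then a colon.
FIELD = re.compile(r"^[!-9;-~]+:")

# Constructed sample message (example.org / example.net are placeholders).
GOOD = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.example.net (Postfix) with ESMTP;\n"
    "\tMon, 2 Jun 2014 10:59:07 -0400\n"
    'From: "Sender" <sender@example.org>\n'
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)
UNFOLDED = GOOD.replace("\n\t", "\n")   # continuation lines lost their indent
LEADING_BLANK = "\n" + GOOD             # blank line ahead of the headers


def lint_headers(raw):
    """Return (line_number, problem) pairs for the header block of raw."""
    lines = raw.splitlines()
    findings = []
    if lines and not lines[0].strip():
        findings.append((1, "blank line before headers"))
    started = False
    for n, line in enumerate(lines, 1):
        if not line.strip():
            if started:
                break               # the real header/body separator
            continue                # still skipping leading blank lines
        started = True
        if not FIELD.match(line) and line[0] not in " \t":
            findings.append((n, "unindented continuation line"))
    return findings


def refold(raw):
    """Heuristic repair for a pasted sample (assumes LF line endings)."""
    head, sep, body = raw.lstrip("\n").partition("\n\n")
    fixed = [l if FIELD.match(l) or l[:1] in (" ", "\t") else "\t" + l
             for l in head.split("\n")]
    return "\n".join(fixed) + sep + body


def parsed_from(raw):
    """From: value as seen by Python's stdlib parser (stand-in, not SA's)."""
    return email.message_from_string(raw)["From"]
```

In both damaged variants the stand-in parser stops reading headers before it reaches From:, so the field is present in the file yet absent from the parsed message.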

Re: Header present but MISSING_FROM triggered

Posted by "James B. Byrne" <by...@harte-lyne.ca>.
Headers of test message (no webmail involved in this transmission as far as I
can tell):

Return-Path: <pr...@international.gc.ca>
Authentication-Results: inet08.hamilton.harte-lyne.ca (amavisd-new);
domainkeys=pass (1024-bit key)
header.from=X.Y@international.gc.ca
header.d=international.gc.ca
Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id 2EVW_2VhtCBf; Wed, 14 May 2014 14:04:46 -0400 (EDT)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
client-ip=198.103.104.106; helo=mail5.international.gc.ca;
envelope-from=prvs=02119b6eb7=X.Y@international.gc.ca;
receiver=byrnejb@harte-lyne.ca
Received: from Mail5.international.gc.ca (mail5.international.gc.ca
[198.103.104.106])
by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP;
Wed, 14 May 2014 14:04:44 -0400 (EDT)
DomainKey-Signature: a=rsa-sha1; s=mail5; d=international.gc.ca; q=dns; c=simple;
h=From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID:References:In-Reply-To:Accept-Language:Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator:x-dm-mail-id:Content-Type:Content-Transfer-Encoding:MIME-Version:X-EXCLAIMER-MD-CONFIG;
b=lmAaCU5cd3SdRnGlpBpyNt/pO5t65+QhE2zcJJBRvp9D4rO78i1dp9+wg/oOO6RvJaiZAZoWFZhVJoo0GCQZaucJgSug8H80Prz4z9FCNIFzhISQadNUReGZBrEydgd6Tyi/FxnVSx/bceK93HDdvse7dxgWCyvpXVrctosiYjI=;
From: <X....@international.gc.ca>
To: <by...@harte-lyne.ca>
CC: <A....@harte-lyne.ca>
Subject: RE: EICS certificate recovery
Thread-Topic: EICS certificate recovery
Thread-Index: Ac9uHpqtIVvvPHvpQ9Sp07Y8FHGkPAAIbYmAAAhCWwD//8jEgP/9TqzA
Date: Wed, 14 May 2014 18:04:42 +0000
Message-ID:
<39...@LBP-DMEXM12.d.r.dfait-maeci.gc.ca>
References:
<39...@LBP-DMEXM12.d.r.dfait-maeci.gc.ca>
<46...@webmail.harte-lyne.ca>
<39...@LBP-DMEXM12.d.r.dfait-maeci.gc.ca>
<2c...@webmail.harte-lyne.ca>
In-Reply-To: <2c...@webmail.harte-lyne.ca>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-dm-mail-id: E87C2A5-A5F3-4435-AE91-A09EC7AF621D
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: 170369b0-b740-4e85-860b-ed9d5c4fb69a
Received-SPF: none



Results:


spamassassin -D -L < local.test
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	inet08.hamilton.harte-lyne.ca
X-Spam-Flag: YES
X-Spam-Status: Yes, score=5.5 required=4.5 tests=BAYES_00,MISSING_DATE,
	MISSING_FROM,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,
	TVD_RCVD_SPACE_BRACKET,UNPARSEABLE_RELAY autolearn=no version=3.3.1
X-Spam-DCC: :
X-Spam-Level: *****
X-Spam-Pyzor:
X-Spam-Report:
	*  0.0 TVD_RCVD_SPACE_BRACKET TVD_RCVD_SPACE_BRACKET
	*  1.2 MISSING_HEADERS Missing To: header
	* -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	*  1.2 MISSING_MID Missing Message-Id: header
	*  1.3 MISSING_SUBJECT Missing Subject: header
	*  1.5 MISSING_FROM Missing From: header
	*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
	*  1.8 MISSING_DATE Missing Date: header
;

I do not know why this is happening.  Is there some switch I am supposed to
pass spamassassin when I use it on a message text file?

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3