Posted to users@spamassassin.apache.org by "emailitis.com" <in...@emailitis.com> on 2013/11/07 16:40:27 UTC

custom rules header check please

I am getting lots of Spam which shows on the maillog as:

Nov  7 10:50:39 plesk3 qmail-scanner-queue.pl: qmail-scanner[6974]: Clear:RC:0(217.92.121.114):SA:1(5.9/5.0): 9.209114 16127 fraud@aexp.com

Or

Nov  7 10:15:36 plesk3 spamdyke[26254]: ALLOWED from: administrator+98453-927172@dcbltd.exvm.com to: user@domain.com origin_ip: 193.133.125.41 origin_rdns: mta18.evmailer.com auth: (unknown) encryption: (none) reason: 250_ok_1383819336_qp_26270

 

I want to write some custom rules that can capture part of this (because on
the actual emails, the sender often purports to be from someone totally
different).  Will the following work in my custom_rules.cf?:

header AEXP_ALL  ALL =~ /aexp\.com/i
score  AEXP_ALL  4

header EXVM_ALL  ALL =~ /exvm\.com/i
score  EXVM_ALL  4

 

Grateful to the combined brains for advice

Kind regards, 

Christoph


Re: custom rules header check please

Posted by Benny Pedersen <me...@junc.eu>.
emailitis.com wrote on 2013-11-07 16:40:

> header AEXP_ALL ALL =~ /aexp.com/i
> header EXVM_ALL ALL =~ /exvm.com/i

why not blacklist_from ?

blacklist_from *@aexp.com
blacklist_from *@exvm.com

Also remember that . needs escaping as \. in a header rule,

but not in blacklist_from :)

does your real name contain a . ? :=)



Re: custom rules header check please

Posted by Bowie Bailey <Bo...@BUC.com>.
On 11/8/2013 6:59 AM, emailitis.com wrote:
>
> Thank you and Benny for your help.
>
> I put those in place and all looks well.  We had one captured this 
> morning but wondered if you can explain in the log below which seems 
> as if it has been deleted, yet then allowed:
>
> Nov  8 10:05:04 plesk3 spamd[11926]: spamd: result: Y 9 - *AEXP_ALL*,DCC_CHECK,RCVD_IN_HOSTKARMA_BL,UNPARSEABLE_RELAY scantime=0.7,size=18986,user=qscand,uid=10002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47653,mid=<SH...@gateway.gov.local>,autolearn=disabled
>
> Nov  8 10:05:04 plesk3 qmail-scanner-queue.pl: qmail-scanner[18522]: SA:*SPAM-DELETED*:RC:0(41.215.42.242):SA:1(9.1/5.0): 0.874234 18933 gateway.confirmation@gateway.gov.uk user@domain.com Could_not_process_Online_Submission_for_Reference_475/RA1997980 <SH...@gateway.gov.local> Submission_RA1997980.zip:10086
>
> Nov  8 10:05:04 plesk3 spamdyke[18489]: *ALLOWED* from: gateway.confirmation@gateway.gov.uk to: user@domain.com origin_ip: 41.215.42.242 origin_rdns: mail.domain.com auth: (unknown) encryption: (none) reason: 250_ok_1383905104_qp_18522
>

Can't really help you with that one.  Spamd marked it as spam.  Then it 
looks like qmail-scanner-queue.pl deleted it.  And then spamdyke allowed it.

I'm not familiar with either qmail-scanner-queue.pl or spamdyke, so I 
don't know how they work or exactly how to interpret their log entries.  
I'm assuming the spamdyke entry is referring to the same message, but 
I'm not sure since that log line doesn't give the message id.

There is something in the qmail-scanner-queue.pl line that says 
"Could_not_process_Online_Submission_for_Reference_475/RA1997980". That 
might be relevant.

-- 
Bowie

RE: custom rules header check please

Posted by "emailitis.com" <in...@emailitis.com>.
Thank you and Benny for your help.

I put those in place and all looks well.  We had one captured this morning
but wondered if you can explain in the log below which seems as if it has
been deleted, yet then allowed:

 

Nov  8 10:05:04 plesk3 spamd[11926]: spamd: result: Y 9 - AEXP_ALL,DCC_CHECK,RCVD_IN_HOSTKARMA_BL,UNPARSEABLE_RELAY scantime=0.7,size=18986,user=qscand,uid=10002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=47653,mid=<SH...@gateway.gov.local>,autolearn=disabled

Nov  8 10:05:04 plesk3 qmail-scanner-queue.pl: qmail-scanner[18522]: SA:SPAM-DELETED:RC:0(41.215.42.242):SA:1(9.1/5.0): 0.874234 18933 gateway.confirmation@gateway.gov.uk user@domain.com Could_not_process_Online_Submission_for_Reference_475/RA1997980 <SH...@gateway.gov.local> Submission_RA1997980.zip:10086

Nov  8 10:05:04 plesk3 spamdyke[18489]: ALLOWED from: gateway.confirmation@gateway.gov.uk to: user@domain.com origin_ip: 41.215.42.242 origin_rdns: mail.domain.com auth: (unknown) encryption: (none) reason: 250_ok_1383905104_qp_18522

 

Kind Regards,

 

Christoph 

 

From: Bowie Bailey [mailto:Bowie_Bailey@BUC.com] 
Sent: 07 November 2013 15:50
To: users@spamassassin.apache.org
Subject: Re: custom rules header check please

 

On 11/7/2013 10:40 AM, emailitis.com wrote:



I am getting lots of Spam which shows on the maillog as:

Nov  7 10:50:39 plesk3 qmail-scanner-queue.pl: qmail-scanner[6974]: Clear:RC:0(217.92.121.114):SA:1(5.9/5.0): 9.209114 16127 fraud@aexp.com

Or

Nov  7 10:15:36 plesk3 spamdyke[26254]: ALLOWED from: administrator+98453-927172@dcbltd.exvm.com to: user@domain.com origin_ip: 193.133.125.41 origin_rdns: mta18.evmailer.com auth: (unknown) encryption: (none) reason: 250_ok_1383819336_qp_26270

 

I want to write some custom rules that can capture part of this (because on
the actual emails, the sender often purports to be from someone totally
different).  Will the following work in my custom_rules.cf?:

header AEXP_ALL  ALL =~ /aexp\.com/i
score  AEXP_ALL  4

header EXVM_ALL  ALL =~ /exvm\.com/i
score  EXVM_ALL  4


That will work, but you should watch for false positives.  I would suggest
anchoring it a bit as a first step.

header AEXP_ALL  ALL =~ /\baexp\.com\b/i

This will catch any emails that have the string "aexp.com" anywhere in the
header.  The "\b" represents a word boundary so that "user@aexp.com" or
"blah.aexp.com" will match, but "naexp.com" will not.

-- 
Bowie


Re: custom rules header check please

Posted by Bowie Bailey <Bo...@BUC.com>.
On 11/7/2013 10:40 AM, emailitis.com wrote:
>
> I am getting lots of Spam which shows on the maillog as:
>
> Nov  7 10:50:39 plesk3 qmail-scanner-queue.pl: qmail-scanner[6974]: Clear:RC:0(217.92.121.114):SA:1(5.9/5.0): 9.209114 16127 fraud@aexp.com
>
> Or
>
> Nov  7 10:15:36 plesk3 spamdyke[26254]: ALLOWED from: administrator+98453-927172@dcbltd.exvm.com to: user@domain.com origin_ip: 193.133.125.41 origin_rdns: mta18.evmailer.com auth: (unknown) encryption: (none) reason: 250_ok_1383819336_qp_26270
>
> I want to write some custom rules that can capture part of this 
> (because on the actual emails, the sender often purports to be from 
> someone totally different).  Will the following work in my 
> custom_rules.cf?:
>
> header AEXP_ALL  ALL =~ /aexp\.com/i
>
> score AEXP_ALL 4
>
> header EXVM_ALL ALL =~ /exvm\.com/i
>
> score EXVM_ALL 4
>

That will work, but you should watch for false positives.  I would 
suggest anchoring it a bit as a first step.

header AEXP_ALL  ALL =~ /\baexp\.com\b/i

This will catch any emails that have the string "aexp.com" anywhere in 
the header.  The "\b" represents a word boundary so that "user@aexp.com" 
or "blah.aexp.com" will match, but "naexp.com" will not.

-- 
Bowie
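
Added example, not part of the thread and not SpamAssassin's own code: a small Python model of the two approaches suggested above, Bowie's word-boundary-anchored "header NAME ALL =~ /re/" rule and Benny's "blacklist_from" globs, run over three constructed messages. It shows why the ALL pseudo-header catches a domain that appears only in Reply-To (which blacklist_from, keyed on sender addresses, misses), why the \b anchoring keeps "naexp.com" from hitting, and a caveat the thread does not spell out: a glob anchored to the whole address, as this toy does it, means "*@exvm.com" does not cover the subdomain sender administrator+98453-927172@dcbltd.exvm.com seen in the spamdyke log, and "*@*.exvm.com" would be needed. Whether SpamAssassin anchors its globs exactly the same way is an assumption here; check it against the Mail::SpamAssassin::Conf documentation for your version. The set of headers consulted for blacklist_from and the sample messages are the example's own simplifications; the 100-point USER_IN_BLACKLIST score is SpamAssassin's documented default.

```python
"""Toy model of the two SpamAssassin mechanisms from this thread: a
'header NAME ALL =~ /re/' rule matched against every header line, and
'blacklist_from' glob entries matched against sender addresses.
Illustrative code, not SpamAssassin's; sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from typing import List, Tuple

# (name, compiled regex, score). \b anchoring as suggested in the thread.
HEADER_RULES = [
    ("AEXP_ALL", re.compile(r"\baexp\.com\b", re.I), 4.0),
    ("EXVM_ALL", re.compile(r"\bexvm\.com\b", re.I), 4.0),
]
UNANCHORED = re.compile(r"aexp\.com", re.I)   # the original, unanchored pattern
REQUIRED_SCORE = 5.0      # required_score=5.0, as in the spamd log line
BLACKLIST_SCORE = 100.0   # SpamAssassin's default score for USER_IN_BLACKLIST


def glob_to_regex(pattern: str) -> re.Pattern:
    """blacklist_from glob -> regex: '*' any run, '?' one char, anchored to
    the whole address (so '*@exvm.com' does not cover sub.exvm.com)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(rf"^{body}$", re.I)


def blacklisted(addr: str, globs: Tuple[str, ...]) -> bool:
    return any(glob_to_regex(g).match(addr) for g in globs)


BLACKLIST_FROM = ("*@aexp.com", "*@exvm.com")   # Benny's two entries


def all_headers(msg: Message) -> str:
    """The 'ALL' pseudo-header: every header line joined into one string."""
    return "\n".join(f"{name}: {value}" for name, value in msg.items())


def sender_addresses(msg: Message) -> List[str]:
    """Addresses blacklist_from is checked against. Simplified assumption:
    SpamAssassin also uses the envelope sender; here From, Return-Path,
    Resent-From."""
    addrs = []
    for field in ("From", "Return-Path", "Resent-From"):
        for value in msg.get_all(field, []):
            m = re.search(r"<([^>]+)>", value)
            addrs.append((m.group(1) if m else value).strip())
    return addrs


def score_message(raw: str) -> Tuple[float, List[str]]:
    """Return (total score, names of rules that hit) for one raw message."""
    msg = message_from_string(raw)
    total, hits = 0.0, []
    headers = all_headers(msg)
    for name, rx, score in HEADER_RULES:
        if rx.search(headers):
            hits.append(name)
            total += score
    if any(blacklisted(a, BLACKLIST_FROM) for a in sender_addresses(msg)):
        hits.append("USER_IN_BLACKLIST")
        total += BLACKLIST_SCORE
    return total, hits


def is_spam(raw: str) -> bool:
    return score_message(raw)[0] >= REQUIRED_SCORE


def anchoring_matters(header_line: str) -> Tuple[bool, bool]:
    """(unanchored hit, anchored hit) for a single header line."""
    return (bool(UNANCHORED.search(header_line)),
            bool(HEADER_RULES[0][1].search(header_line)))


# Constructed sample messages (not real mail from the thread).
SPOOFED_FROM = """\
Return-Path: <bounce-1234@mail.example.net>
From: "American Express" <fraud@aexp.com>
To: user@domain.com
Subject: Fraud alert on your account

Please verify your account.
"""
REPLY_TO_ONLY = """\
Return-Path: <noreply@example.org>
From: "Customer Service" <noreply@example.org>
Reply-To: <fraud@aexp.com>
To: user@domain.com
Subject: Action required

Reply to this message.
"""
LEGIT_NAEXP = """\
Return-Path: <ops@naexp.com>
From: ops@naexp.com
To: user@domain.com
Subject: Weekly report

All quiet.
"""

if __name__ == "__main__":
    print([score_message(m) for m in (SPOOFED_FROM, REPLY_TO_ONLY, LEGIT_NAEXP)])
```

The Reply-To case is the one the original poster described (sender "purports to be from someone totally different"): only the ALL rule sees it, and at 4 points it does not reach the 5.0 threshold on its own, so the rule is a contributing signal rather than a blocker unless other rules also fire.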