Posted to users@spamassassin.apache.org by Andrew Wilkinson <aj...@charter.net> on 2008/03/19 03:34:31 UTC

Ensuring Custom Rules Are Scored Properly

I'm experimenting with Fedora 8 and a miltered sendmail configuration 
running as a mail gateway (smf-sav, smf-spf, milter-greylist, 
clamav-milter, spamass-milter).  I've configured spamassassin's local.cf 
with a custom rule.  It's a simple regex which checks the 'Received' 
header on inbound mail for any  IP in a specific Class C range, and 
negatively scores the message with -100 (probably extreme).  I'm just 
trying to ensure these messages are never tagged as spam.  I've 
--lint-ed the rule and I receive no syntax errors.  However, messages 
coming in from an IP in the specified range don't appear to be 
negatively scored.  In fact, the test messages being sent were scored 
as, say, 2.8 before AND after the rule was put into place.  Spamass and 
spamassassin (as I'm running spamassassin daemonized) were both 
restarted after rule creation.  I've verified the regex is correct, 
running it through a couple regex testers.

So, I guess I'd be expecting the X-Spam header on these messages to 
indicate a score of -97.2.  Am I assuming incorrectly?

thanks

Re: Ensuring Custom Rules Are Scored Properly

Posted by Kris Deugau <kd...@vianet.ca>.
Andrew Wilkinson wrote:
> I'm experimenting with Fedora 8 and a miltered sendmail configuration 
> running as a mail gateway (smf-sav, smf-spf, milter-greylist, 
> clamav-milter, spamass-milter).  I've configured spamassassin's local.cf 
> with a custom rule.  It's a simple regex which checks the 'Received' 
> header on inbound mail for any  IP in a specific Class C range,

You may be trying to check a header that doesn't exist by the time the 
message reaches SA.  A stock sendmail/milter setup will not pass in the 
Received: header that would be generated on that machine;  that header 
is added *after* milter processing.  Several smarter milters generate a 
pseudoheader to work around this.

IP-based whitelisting like this is usually best done at higher levels; 
I'm not sure what criteria you can use to limit which messages get 
passed to SA.

-kgd

Re: Ensuring Custom Rules Are Scored Properly

Posted by Matt Kettler <mk...@verizon.net>.
Andrew Wilkinson wrote:
> I'm experimenting with Fedora 8 and a miltered sendmail configuration 
> running as a mail gateway (smf-sav, smf-spf, milter-greylist, 
> clamav-milter, spamass-milter).  I've configured spamassassin's 
> local.cf with a custom rule.  It's a simple regex which checks the 
> 'Received' header on inbound mail for any  IP in a specific Class C 
> range, and negatively scores the message with -100 (probably 
> extreme).  I'm just trying to ensure these messages are never tagged 
> as spam.  I've --lint-ed the rule and I receive no syntax errors.  
> However, messages coming in from an IP in the specified range don't 
> appear to be negatively scored.  In fact, the test messages being sent 
> were scored as, say, 2.8 before AND after the rule was put into 
> place.  Spamass and spamassassin (as I'm running spamassassin 
> daemonized) were both restarted after rule creation.  I've verified 
> the regex is correct, running it through a couple regex testers.
> So, I guess I'd be expecting the X-Spam header on these messages to 
> indicate a score of -97.2.  Am I assuming incorrectly?

Well, first, stop looking at total score, and start looking at the list 
of rules that hit. Is your rule in the list? If not, it didn't match.

After all, if the message matched your rule, and matched 
USER_IN_BLACKLIST (which scores +100), they'd offset completely.

However, generally speaking I would expect that to be a rare 
combination, so I'd expect it to be low scoring.

My guess is your rule is in error in some way.

Did you run spamassassin --lint? (this should run quietly if all is 
well, otherwise it will complain)

If you use spamd, did you restart it (local.cf is only parsed when spamd 
starts)?

If yes to both above or if addressing both doesn't help:

What does your rule look like? (change the numbers of the IPs if you 
like..)?

What does the header you're trying to match look like (again, change the 
numbers if you like.. but be consistent.. )?
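
An added example, not part of the original thread: a small Python check that follows the advice above to read the list of rules that hit rather than the total score. The rule name LOCAL_TRUSTED_NET, the addresses and both sample messages are constructed for illustration.

```python
import email
import re

# Constructed samples. Both carry score=2.8, but only the first one lists the
# hypothetical custom rule LOCAL_TRUSTED_NET (offset here by USER_IN_BLACKLIST).
HIT = """\
Received: from mail.example.org (mail.example.org [192.0.2.25])
\tby gw.example.net with ESMTP; Wed, 19 Mar 2008 03:34:31 GMT
X-Spam-Status: No, score=2.8 required=5.0 tests=HTML_MESSAGE,
\tLOCAL_TRUSTED_NET,MIME_HTML_ONLY,USER_IN_BLACKLIST autolearn=no
\tversion=3.2.4
Subject: test

body
"""
MISS = """\
X-Spam-Status: No, score=2.8 required=5.0 tests=HTML_MESSAGE,
\tMIME_HTML_ONLY autolearn=no version=3.2.4
Subject: test

body
"""


def spam_status(raw_message):
    """Return {'score': float, 'tests': [rule names]} or None if unscanned."""
    msg = email.message_from_string(raw_message)
    value = msg.get("X-Spam-Status")
    if value is None:
        return None  # no X-Spam-Status header: SpamAssassin never tagged it
    # The tests list is folded across lines after commas; rejoin it first.
    flat = re.sub(r",\s+", ",", value)
    # Older SpamAssassin releases wrote hits= instead of score=.
    score = re.search(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)", flat)
    tests = re.search(r"\btests=(\S*)", flat)
    names = tests.group(1).split(",") if tests else []
    return {
        "score": float(score.group(1)) if score else None,
        "tests": [n for n in names if n and n != "none"],
    }


def rule_hit(raw_message, rule):
    """True only if the named rule appears in the message's tests= list."""
    status = spam_status(raw_message)
    return status is not None and rule in status["tests"]


if __name__ == "__main__":
    for label, raw in (("HIT", HIT), ("MISS", MISS)):
        print(label, spam_status(raw), rule_hit(raw, "LOCAL_TRUSTED_NET"))
```

Both samples report the same total, so only the tests list shows whether the custom rule matched at all.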