Posted to ruleqa@spamassassin.apache.org by Paul Stead <pa...@gmail.com> on 2019/04/27 11:47:09 UTC

Weekly Masscheck, net and reuse and T_ rules

Hiya,

I was surprised today to find that the fresh.fmb.la rules I've added didn't
match much on the weekly masscheck on my box.

After some investigation I've found some weirdness and I'm not sure if I've
found a bug?

I ran mass-check manually against one email with debug enabled to try and
figure out what's going on. The rule in question is T_FROM_FMBLA_NEWDOM

The message in question matched the following tags, this is in place in the
email header:

X-Spam-Status: No, score=12.486 tagged_above=-999 required=999
        tests=[BAYES_50=0.8, DKIMWL_BL=1.414, DKIM_SIGNED=0.1,
        DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FSL_HELO_NON_FQDN_1=0.001,
        HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_06=0.001,
        HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, PYZOR_CHECK=1.392,
        RCVD_IN_SBL_CSS=3.335, T_FROM_FMBLA_NEWDOM=-0.01,
        URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=1.7, URIBL_CSS=0.1,
        URIBL_CSS_A=0.1, URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no

As you can see this email matched the rule T_FROM_FMBLA_NEWDOM

With net but without reuse this rule is matched in the output logs from
masscheck - see attached net-spam.log

With net and reuse the rule isn't matched - see attached net-reuse-spam.log

Running masscheck in --net --reuse --debug shows that the header is found
during the reuse stage:

Apr 27 14:21:37.513 [25341] dbg: message: _decode_header x-spam-status: No,
score=12.486 tagged_above=-999 required=999 tests=[BAYES_50=0.8,
DKIMWL_BL=1.414, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FSL_HELO_NON_FQDN_1=0.001, HTML_FONT_LOW_CONTRAST=0.001,
HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001,
PYZOR_CHECK=1.392, RCVD_IN_SBL_CSS=3.335, T_FROM_FMBLA_NEWDOM=-0.01,
URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=1.7, URIBL_CSS=0.1, URIBL_CSS_A=0.1,
URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no


I just don't understand why the rule isn't output in the resulting log when
net and reuse are in use. This leads me to think this rule, and possibly
others aren't getting scored properly.

The domain currently still matches on fresh.fmb.la (rhubarbdnd.world) but
may expire soon - give me a shout offlist for an up to date spample which
matches the rules.

Hope you can help!

Paul

Re: Weekly Masscheck, net and reuse and T_ rules

Posted by Giovanni Bechis <gi...@paclan.it>.
On 27 April 2019 16:32:38 CEST, "Kevin A. McGrail" <km...@apache.org> wrote:
>On 4/27/2019 10:17 AM, Paul Stead wrote:
>> I have a little tweak to the mass-check script to allow for both style
>> of X-Spam-Status headers - I'll raise a bug and a pull for this, but
>> before I do - do we feel this is valid?
>
>I would say it makes sense to me so I'm a +0.5 on it.

makes sense to me, +1 
  Giovanni

Re: Weekly Masscheck, net and reuse and T_ rules

Posted by "Kevin A. McGrail" <km...@apache.org>.
On 4/27/2019 10:17 AM, Paul Stead wrote:
> I have a little tweak to the mass-check script to allow for both style
> of X-Spam-Status headers - I'll raise a bug and a pull for this, but
> before I do - do we feel this is valid?

I would say it makes sense to me so I'm a +0.5 on it.

-- 
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


Re: Weekly Masscheck, net and reuse and T_ rules

Posted by Paul Stead <pa...@gmail.com>.
On Sat, 27 Apr 2019 at 15:17, Paul Stead <pa...@gmail.com> wrote:

>
> I have a little tweak to the mass-check script to allow for both style of
> X-Spam-Status headers - I'll raise a bug and a pull for this, but before I
> do - do we feel this is valid?
>
>
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7709

Re: Weekly Masscheck, net and reuse and T_ rules

Posted by Steven Ihde <st...@x2.hamachi.us>.
I have Amavis-format headers as well. I haven't tried --reuse yet, but
am interested and would help to verify the fix.

On 4/27/19 07:17, Paul Stead wrote:
> I think I've figured it out, in short my X-Spam-Status header is in
> the amavis format, d'oh.
>
> I have a little tweak to the mass-check script to allow for both style
> of X-Spam-Status headers - I'll raise a bug and a pull for this, but
> before I do - do we feel this is valid?
>
> Should I be producing masscheck reuse scores based on the Amavis
> headers? How many other people have amavis insert the X-Spam-Status
> header into the mail they use on the masscheck?
>
> The format of the SA and Amavis X-Spam-Status header are similar, just
> that the Amavis one shows the score along with the rule name -
>
> T_FROM_FMBLA_NEWDOM
> vs
> T_FROM_FMBLA_NEWDOM=0.001
>
> Thoughts?
>
>
> On Sat, 27 Apr 2019 at 12:47, Paul Stead <paul.stead@gmail.com> wrote:
>
>     Hiya,
>
>     I was surprised today to find that the fresh.fmb.la rules I've added
>     didn't match much on the weekly masscheck on my box..
>
>     After some investigation I've found some weirdness and I'm not
>     sure if I've found a bug?
>
>     I ran mass-check manually against one email with debug enabled to
>     try and figure out what's going on. The rule in question is
>     T_FROM_FMBLA_NEWDOM
>
>     The message in question matched the following tags, this is in
>     place in the email header :
>
>     X-Spam-Status: No, score=12.486 tagged_above=-999 required=999
>             tests=[BAYES_50=0.8, DKIMWL_BL=1.414, DKIM_SIGNED=0.1,
>             DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FSL_HELO_NON_FQDN_1=0.001,
>             HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_06=0.001,
>             HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, PYZOR_CHECK=1.392,
>             RCVD_IN_SBL_CSS=3.335, T_FROM_FMBLA_NEWDOM=-0.01,
>             URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=1.7, URIBL_CSS=0.1,
>             URIBL_CSS_A=0.1, URIBL_DBL_SPAM=2.5] autolearn=no
>             autolearn_force=no
>
>     As you can see this email matched the rule T_FROM_FMBLA_NEWDOM
>
>     With net but without reuse this rule is matched in the output logs
>     from masscheck - see attached net-spam.log
>
>     With net and reuse the rule isn't matched - see attached
>     net-reuse-spam.log
>
>     Running masscheck in --net --reuse --debug shows that the header
>     is found during the reuse stage:
>
>     Apr 27 14:21:37.513 [25341] dbg: message: _decode_header
>     x-spam-status: No, score=12.486 tagged_above=-999 required=999
>     tests=[BAYES_50=0.8, DKIMWL_BL=1.414, DKIM_SIGNED=0.1,
>     DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FSL_HELO_NON_FQDN_1=0.001,
>     HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_06=0.001,
>     HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, PYZOR_CHECK=1.392,
>     RCVD_IN_SBL_CSS=3.335, T_FROM_FMBLA_NEWDOM=-0.01,
>     URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=1.7, URIBL_CSS=0.1,
>     URIBL_CSS_A=0.1, URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no
>
>
>     I just don't understand why the rule isn't output in the resulting
>     log when net and reuse are in use. This leads me to think this
>     rule, and possibly others aren't getting scored properly.
>
>     The domain currently still matches on fresh.fmb.la (rhubarbdnd.world)
>     but may expire soon - give me a shout offlist for an up to date
>     spample which matches the rules.
>
>     Hope you can help!
>
>     Paul
>


Re: Weekly Masscheck, net and reuse and T_ rules

Posted by Paul Stead <pa...@gmail.com>.
I think I've figured it out, in short my X-Spam-Status header is in the
amavis format, d'oh.

I have a little tweak to the mass-check script to allow for both style of
X-Spam-Status headers - I'll raise a bug and a pull for this, but before I
do - do we feel this is valid?

Should I be producing masscheck reuse scores based on the Amavis headers?
How many other people have amavis insert the X-Spam-Status header into the
mail they use on the masscheck?

The format of the SA and Amavis X-Spam-Status header are similar, just that
the Amavis one shows the score along with the rule name -

T_FROM_FMBLA_NEWDOM
vs
T_FROM_FMBLA_NEWDOM=0.001

Thoughts?


On Sat, 27 Apr 2019 at 12:47, Paul Stead <pa...@gmail.com> wrote:

> Hiya,
>
> I was surprised today to find that the fresh.fmb.la rules I've added
> didn't match much on the weekly masscheck on my box..
>
> After some investigation I've found some weirdness and I'm not sure if
> I've found a bug?
>
> I ran mass-check manually against one email with debug enabled to try and
> figure out what's going on. The rule in question is T_FROM_FMBLA_NEWDOM
>
> The message in question matched the following tags, this is in place in
> the email header :
>
> X-Spam-Status: No, score=12.486 tagged_above=-999 required=999
>         tests=[BAYES_50=0.8, DKIMWL_BL=1.414, DKIM_SIGNED=0.1,
>         DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FSL_HELO_NON_FQDN_1=0.001,
>         HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_06=0.001,
>         HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, PYZOR_CHECK=1.392,
>         RCVD_IN_SBL_CSS=3.335, T_FROM_FMBLA_NEWDOM=-0.01,
>         URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=1.7, URIBL_CSS=0.1,
>         URIBL_CSS_A=0.1, URIBL_DBL_SPAM=2.5] autolearn=no
> autolearn_force=no
>
> As you can see this email matched the rule T_FROM_FMBLA_NEWDOM
>
> With net but without reuse this rule is matched in the output logs from
> masscheck - see attached net-spam.log
>
> With net and reuse the rule isn't matched - see attached net-reuse-spam.log
>
> Running masscheck in --net --reuse --debug shows that the header is found
> during the reuse stage:
>
> Apr 27 14:21:37.513 [25341] dbg: message: _decode_header x-spam-status:
> No, score=12.486 tagged_above=-999 required=999 tests=[BAYES_50=0.8,
> DKIMWL_BL=1.414, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
> FSL_HELO_NON_FQDN_1=0.001, HTML_FONT_LOW_CONTRAST=0.001,
> HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001,
> PYZOR_CHECK=1.392, RCVD_IN_SBL_CSS=3.335, T_FROM_FMBLA_NEWDOM=-0.01,
> URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=1.7, URIBL_CSS=0.1, URIBL_CSS_A=0.1,
> URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no
>
>
> I just don't understand why the rule isn't output in the resulting log
> when net and reuse are in use. This leads me to think this rule, and
> possibly others aren't getting scored properly.
>
> The domain currently still matches on fresh.fmb.la (rhubarbdnd.world) but
> may expire soon - give me a shout offlist for an up to date spample which
> matches the rules.
>
> Hope you can help!
>
> Paul
>
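
The two X-Spam-Status styles compared in the message above can be read by one tolerant parser. This is an added example, not part of the thread and not mass-check's own code; the function name `parse_tests` is hypothetical, the Amavis sample is abridged from the header quoted in the thread, and the SpamAssassin-style sample is constructed.

```python
import re

# Constructed samples: AMAVIS is abridged from the header quoted in the thread,
# NATIVE is a made-up SpamAssassin-style header listing the same rules.
AMAVIS = (
    "X-Spam-Status: No, score=12.486 tagged_above=-999 required=999\n"
    "        tests=[BAYES_50=0.8, DKIM_VALID=-0.1, RCVD_IN_SBL_CSS=3.335,\n"
    "        T_FROM_FMBLA_NEWDOM=-0.01, URIBL_BLACK=1.7] autolearn=no\n"
)
NATIVE = (
    "X-Spam-Status: Yes, score=6.6 required=5.0 tests=BAYES_50,DKIM_VALID,\n"
    "\tRCVD_IN_SBL_CSS,T_FROM_FMBLA_NEWDOM,URIBL_BLACK autolearn=no\n"
)

RULE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
SCORE = re.compile(r"-?\d+(?:\.\d+)?")


def parse_tests(header):
    """Return {rule_name: score_or_None} for either X-Spam-Status style."""
    # Unfold: continuation lines of a folded header start with space or tab.
    value = re.sub(r"\r?\n[ \t]+", " ", header).strip()
    # Amavis style: tests=[NAME=score, NAME=score]
    m = re.search(r"\btests=\[([^\]]*)\]", value)
    if m is None:
        # SpamAssassin style: tests=NAME,NAME up to the next key=value field.
        m = re.search(r"\btests=(.*?)(?=\s+\w+=|\Z)", value)
    if m is None:
        return {}
    hits = {}
    for token in m.group(1).split(","):
        name, _, score = token.strip().partition("=")
        # Skip empty tokens, the "none" placeholder and anything malformed.
        if name == "none" or not RULE_NAME.fullmatch(name):
            continue
        # The bare-name style carries no per-rule score, so record None.
        hits[name] = float(score) if SCORE.fullmatch(score) else None
    return hits


if __name__ == "__main__":
    for label, hdr in (("amavis", AMAVIS), ("native", NATIVE)):
        print(label, sorted(parse_tests(hdr)))
```

Both samples yield the same set of rule names, so a reuse step keyed on rule name sees T_FROM_FMBLA_NEWDOM regardless of which tool wrote the header.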