Posted to users@spamassassin.apache.org by Scott Ostrander <SO...@printronix.com> on 2013/03/06 23:17:45 UTC
Several rules not hitting on 3.4 that do hit on 3.3.2
I am finding several stock rules and a custom rule that are not hitting when used on my SA 3.4 install.
They do hit on the same email on systems with SA 3.2.2.
Can anyone confirm that these rules hit on their 3.4 install?
I noticed that consumermoneywatch11.net is not in the message.
Why does the URL in the email get translated to consumermoneywatch11.net in 3.2.2 but not in 3.4?
I am concerned about what would happen on a lower scoring message if these rules are not firing.
I understand that URIBL rules are time sensitive; that is why I ran the scans several times.
Note: URIBL_BLACK does hit on both systems.
These stock rules are not hitting on 3.4:
2.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
[URIs: consumermoneywatch11.net]
2.8 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: consumermoneywatch11.net]
3.0 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
[URIs: consumermoneywatch11.net]
This custom rule is not hitting on 3.4:
1.9 SEM_FRESH_15 Contains a domain registered less than 15 days ago
[URIs: consumermoneywatch11.net]
Here is the pastebin of the email message:
http://pastebin.com/4vYEbxiV
Here is the pastebin of the 3.4 Debug output
http://pastebin.com/cBqxjtSB
Here is the pastebin of the 3.2.2 Debug
http://pastebin.com/Cc3arzu8
Here is the custom rule SEM_FRESH_15 that is not hitting on my 3.4 system
#
urirhssub SEM_FRESH_15 fresh15.spameatingmonkey.net. A 2
body SEM_FRESH_15 eval:check_uridnsbl('SEM_FRESH_15')
describe SEM_FRESH_15 Contains a domain registered less than 15 days ago
tflags SEM_FRESH_15 net
score SEM_FRESH_15 1.9
Thanks,
Scott Ostrander
RE: Several rules not hitting on 3.4 that do hit on 3.3.2
Posted by Scott Ostrander <SO...@printronix.com>.
> -----Original Message-----
> Sent: Thursday, March 07, 2013 5:13 AM
> To: users@spamassassin.apache.org
> Subject: Re: Several rules not hitting on 3.4 that do hit on 3.3.2
>
> > > Missing the {hosts} part, which is now required in 3.4.0:
> > > --- DecodeShortURLs.pm~ 2011-07-25 17:56:57.000000000 +0200
> > > +++ DecodeShortURLs.pm 2013-03-07 03:27:24.000000000 +0100
> >
> > What version of the plugin are you patching?
>
> The last I could find in one of my old directories, it claims $VERSION=0.6, was
I can confirm that making the same changes to version 5 of DecodeShortURLs.pm works with SA 3.4.
I have not been able to find version 6.
Scott Ostrander
Re: Several rules not hitting on 3.4 that do hit on 3.3.2
Posted by Mark Martinec <Ma...@ijs.si>.
> > Missing the {hosts} part, which is now required in 3.4.0:
> > --- DecodeShortURLs.pm~ 2011-07-25 17:56:57.000000000 +0200
> > +++ DecodeShortURLs.pm 2013-03-07 03:27:24.000000000 +0100
>
> What version of the plugin are you patching?
The last I could find in one of my old directories,
it claims $VERSION=0.6, was downloaded in 2011-07.
I couldn't find a current on-line version anywhere.
Mark
Re: Several rules not hitting on 3.4 that do hit on 3.3.2
Posted by Axb <ax...@gmail.com>.
On 03/07/2013 03:32 AM, Mark Martinec wrote:
>> Yes, I am using DecodeShortURLs
>> I have it on both the 3.3.2 and 3.4 systems
>>
>> Both show:
>> 0.0 HAS_SHORT_URL Message contains one or more shortened URLs
>
>> So I guess the question is which one is running DecodeShortURLs correctly
>> 3.4 or 3.3.2
>
> Missing the {hosts} part, which is now required in 3.4.0:
>
> --- DecodeShortURLs.pm~ 2011-07-25 17:56:57.000000000 +0200
> +++ DecodeShortURLs.pm 2013-03-07 03:27:24.000000000 +0100
> @@ -474,5 +474,6 @@
> foreach (@{$info->{cleaned}}) {
> - my $dom = Mail::SpamAssassin::Util::uri_to_domain($_);
> + my($dom,$host) = Mail::SpamAssassin::Util::uri_to_domain($_);
>
> if ($dom && !$info->{domains}->{$dom}) {
> + $info->{hosts}->{$host} = $dom;
> $info->{domains}->{$dom} = 1;
>
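Review bot: the added `$info->{hosts}->{$host} = $dom;` sits inside `if ($dom && !$info->{domains}->{$dom})`, so a host is recorded only the first time its domain is seen; a later entry in `@{$info->{cleaned}}` with a different host under the same domain never reaches `{hosts}`. If 3.4.0 needs every host, move the `{hosts}` assignment out of the first-seen check and keep only the `$dom` test around it.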
Mark,
What version of the plugin are you patching?
Re: Several rules not hitting on 3.4 that do hit on 3.3.2
Posted by Mark Martinec <Ma...@ijs.si>.
> Yes, I am using DecodeShortURLs
> I have it on both the 3.3.2 and 3.4 systems
>
> Both show:
> 0.0 HAS_SHORT_URL Message contains one or more shortened URLs
> So I guess the question is which one is running DecodeShortURLs correctly
> 3.4 or 3.3.2
Missing the {hosts} part, which is now required in 3.4.0:
--- DecodeShortURLs.pm~ 2011-07-25 17:56:57.000000000 +0200
+++ DecodeShortURLs.pm 2013-03-07 03:27:24.000000000 +0100
@@ -474,5 +474,6 @@
foreach (@{$info->{cleaned}}) {
- my $dom = Mail::SpamAssassin::Util::uri_to_domain($_);
+ my($dom,$host) = Mail::SpamAssassin::Util::uri_to_domain($_);
if ($dom && !$info->{domains}->{$dom}) {
+ $info->{hosts}->{$host} = $dom;
$info->{domains}->{$dom} = 1;
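Review bot: `$host` is used as a hash key on the added line `$info->{hosts}->{$host} = $dom;` without being checked, since the enclosing `if` tests only `$dom`. If `uri_to_domain` ever returns a domain without a host, this stores the domain under an empty-string key and raises an uninitialized-value warning when warnings are enabled. Suggest guarding it: `$info->{hosts}->{$host} = $dom if defined $host;`.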
Mark
RE: Several rules not hitting on 3.4 that do hit on 3.3.2
Posted by Scott Ostrander <SO...@printronix.com>.
> -----Original Message-----
> Subject: Re: Several rules not hitting on 3.4 that do hit on 3.3.2
>
> On 03/06/2013 11:17 PM, Scott Ostrander wrote:
> > I am finding several stock rules and a custom rule that are not hitting when
> used on my SA 3.4 install.
> >
>
> You're using the third party DecodeShortURLs plugin right?
>
> because the URL is shortened by http://j.mp/
>
> The plugin is most probably the cause of the hit & miss.
>
Yes, I am using DecodeShortURLs
I have it on both the 3.3.2 and 3.4 systems
Both show:
0.0 HAS_SHORT_URL Message contains one or more shortened URLs
dbg: rules: ran uri rule __URL_SHORTENER ======> got hit: "http: //j.mp/"
So I guess the question is which one is running DecodeShortURLs correctly, 3.4 or 3.3.2?
Scott
Re: Several rules not hitting on 3.4 that do hit on 3.3.2
Posted by Axb <ax...@gmail.com>.
On 03/06/2013 11:17 PM, Scott Ostrander wrote:
> I am finding several stock rules and a custom rule that are not hitting when used on my SA 3.4 install.
>
>
> Here is the pastebin of the email message:
>
> http://pastebin.com/4vYEbxiV
>
You're using the third party DecodeShortURLs plugin right?
because the URL is shortened by http://j.mp/
The plugin is most probably the cause of the hit & miss.