Posted to users@spamassassin.apache.org by "Zinski, Steve" <sz...@richmond.edu> on 2017/01/31 15:45:34 UTC

Custom rule problem

Hello, I have a problem that I hope someone can help me with.

I’m trying to write a custom rule to block a certain type of spam. When I view the message source, the very last lines of the spam look like this:

</table>
<img src="http://trc.spammersdomain.com/redirect.php?email=redacted@richmond.edu">
</body>
</html>

Every single rule that I’ve written fails to detect that redirect.php URI. I’ve even tried a rule that simply reads:

Full          my_rule                 /redirect/is
Score      my_rule                 10.0

No match. I’ve tried full, rawbody, uri, and body, all to no avail. I’ve even shortened the search string to “redi” (it’s a unique word) and still no match. I’ve been writing rules for many years and this is the first time I’ve seen this behavior. Any ideas?



Re: Custom rule problem

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 1/31/2017 10:45 AM, Zinski, Steve wrote:
>
> Hello, I have a problem that I hope someone can help me with.
>
> I’m trying to write a custom rule to block a certain type of spam. 
> When I view the message source, the very last lines of the spam look 
> like this:
>
> </table>
>
> <img 
> src="http://trc.spammersdomain.com/redirect.php?email=redacted@richmond.edu">
>
> </body>
>
> </html>
>
> Every single rule that I’ve written fails to detect that redirect.php 
> URI. I’ve even tried a rule that simply reads:
>
> Full my_rule                 /redirect/is
>
> Score my_rule                 10.0
>
> No match. I’ve tried full, rawbody, uri, and body, all to no avail. 
> I’ve even shortened the search string to “redi” (it’s a unique word) 
> and still no match. I’ve been writing rules for many years and this is 
> the first time I’ve seen this behavior. Any ideas?
>
So I use some old school methods for custom rule development.

I always use my initials and then I like to use mutt as my mail client 
and bind ctrl y (as in why is this spam) with something like this:

macro index \cy "<pipe-message>spamassassin -t -D 2>&1 | grep -e KAM -e Content\\ analysis<enter>\n" "Test Message with Apache SpamAssassin for KAM"

mutt is very old school and lets me see if the message format is 
something odd.  Perhaps the issue you are seeing.  Throw the email up on 
pastebin in mbox format and I'll tell you what I see at least.

Regards,
KAM

Re: Custom rule problem

Posted by Joe Quinn <he...@gmail.com>.
On 1/31/2017 3:22 PM, Zinski, Steve wrote:
> Sorry for the trouble, everyone… I had been forwarding the spam through my personal IMAP account (to test my rule) which was apparently blocking it. I forwarded it using my gmail account and my new rule fired. I feel like an idiot.
>
> Steve
>
I suggest you work on setting things up so you can break down each part 
individually. Mail flow is not always a simple thing to keep track of, 
even when you have good tools.

Re: Custom rule problem

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 1/31/2017 3:22 PM, Zinski, Steve wrote:
> Sorry for the trouble, everyone… I had been forwarding the spam through my personal IMAP account (to test my rule) which was apparently blocking it. I forwarded it using my gmail account and my new rule fired. I feel like an idiot.
No worries.  Rookie mistake.  Just keep fighting the bastard spammers.

Re: Custom rule problem

Posted by "Zinski, Steve" <sz...@richmond.edu>.
Sorry for the trouble, everyone… I had been forwarding the spam through my personal IMAP account (to test my rule) which was apparently blocking it. I forwarded it using my gmail account and my new rule fired. I feel like an idiot.

Steve



On 1/31/17, 2:53 PM, "John Hardin" <jh...@impsec.org> wrote:

    On Tue, 31 Jan 2017, Zinski, Steve wrote:
    
    > Here’s the “view source” of the message in question.
    >
    > http://pastebin.com/AnwkAf9t
    >
    > Again, it’s line 88 that I’m trying to match.
    
    ...let's try this again...
    
    A uri rule hits that here:
    
    Jan 31 09:21:07.423 [21842] dbg: rules: ran uri rule __ALL_URI ======> got hit: "http://trc.spam_domain_redacted.com/redirect.php?email=redacted@uronline.net"
    
    It also hits an existing rule:
    
    Jan 31 09:21:07.525 [21842] dbg: rules: ran rawbody rule __BUGGED_IMG ======> got hit: "<img src="http://trc.spam_domain_redacted.com/redirect.php?email=re"
    
    
    > On 1/31/17, 11:36 AM, "John Hardin" <jh...@impsec.org> wrote:
    >
    >    On Tue, 31 Jan 2017, Zinski, Steve wrote:
    >
    >    > I’m trying to write a custom rule to block a certain type of spam. When I view the message source, the very last lines of the spam look like this:
    >    >
    >    > </table>
    >    > <DEFANGED_IMG src="http://trc.spammersdomain.com/redirect.php?email=redacted@richmond.edu">
    >    > </body>
    >    > </html>
    >    >
    >    > Every single rule that I’ve written fails to detect that redirect.php URI. I’ve even tried a rule that simply reads:
    >    >
    >    > Full          my_rule                 /redirect/is
    >    > Score      my_rule                 10.0
    >    >
    >    > No match. I’ve tried full, rawbody, uri, and body, all to no avail. I’ve even shortened the search string to “redi” (it’s a unique word) and still no match. I’ve been writing rules for many years and this is the first time I’ve seen this behavior. Any ideas?
    >
    >    If you have a rule dev environment (vs. testing rules in your live
    >    install) I've found something like this to be really useful:
    >
    >     	uri     __ALL_URI   /.*/
    >     	tflags  __ALL_URI   multiple
    >
    >    Then all the detected URIs appear in the rule hits debug output.
    >
    >    Post the full email on Pastebin or similar, we can't meaningfully comment
    >    on what you provided beyond "uri *should* work for that".
    
    -- 
      John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
      jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
      key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
      Tomorrow: the 14th anniversary of the loss of STS-107 Columbia


Re: Custom rule problem

Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2017-01-31 at 11:53 -0800, John Hardin wrote:
> On Tue, 31 Jan 2017, Zinski, Steve wrote:
> 
> > Here’s the “view source” of the message in question.
> >
> > http://pastebin.com/AnwkAf9t
> >
> > Again, it’s line 88 that I’m trying to match.
> 
> ...let's try this again...
> 
> A uri rule hits that here:
> 
> Jan 31 09:21:07.423 [21842] dbg: rules: ran uri rule __ALL_URI
> ======> got hit: "http://trc.spam_domain_redacted.com/redirect.php?em
> ail=redacted@uronline.net"
> 
> It also hits an existing rule:
> 
> Jan 31 09:21:07.525 [21842] dbg: rules: ran rawbody rule __BUGGED_IMG
> ======> got hit: "<img src="http://trc.spam_domain_redacted.com/redir
> ect.php?email=re"
> 
Like John, the text you posted hits one of my private rules when fed
through my rule testing and development environment. This is a metarule
that fires if a URI subrule finds a PHP script reference OR a BODY
subrule finds a PHP script reference preceded and followed by 0-32 non-whitespace characters.

So, questions:

- how did you capture the text you posted,
  i.e. is it exactly the same as SA would have seen?

- did you restart SA before running each of the tests you describe?
  Every so often I forget that and then waste time with head scratching
  until I remember to restart SA. 


Martin


Re: Custom rule problem

Posted by John Hardin <jh...@impsec.org>.
On Tue, 31 Jan 2017, Zinski, Steve wrote:

> Here’s the “view source” of the message in question.
>
> http://pastebin.com/AnwkAf9t
>
> Again, it’s line 88 that I’m trying to match.

...let's try this again...

A uri rule hits that here:

Jan 31 09:21:07.423 [21842] dbg: rules: ran uri rule __ALL_URI ======> got hit: "http://trc.spam_domain_redacted.com/redirect.php?email=redacted@uronline.net"

It also hits an existing rule:

Jan 31 09:21:07.525 [21842] dbg: rules: ran rawbody rule __BUGGED_IMG ======> got hit: "<img src="http://trc.spam_domain_redacted.com/redirect.php?email=re"


> On 1/31/17, 11:36 AM, "John Hardin" <jh...@impsec.org> wrote:
>
>    On Tue, 31 Jan 2017, Zinski, Steve wrote:
>
>    > I’m trying to write a custom rule to block a certain type of spam. When I view the message source, the very last lines of the spam look like this:
>    >
>    > </table>
>    > <DEFANGED_IMG src="http://trc.spammersdomain.com/redirect.php?email=redacted@richmond.edu">
>    > </body>
>    > </html>
>    >
>    > Every single rule that I’ve written fails to detect that redirect.php URI. I’ve even tried a rule that simply reads:
>    >
>    > Full          my_rule                 /redirect/is
>    > Score      my_rule                 10.0
>    >
>    > No match. I’ve tried full, rawbody, uri, and body, all to no avail. I’ve even shortened the search string to “redi” (it’s a unique word) and still no match. I’ve been writing rules for many years and this is the first time I’ve seen this behavior. Any ideas?
>
>    If you have a rule dev environment (vs. testing rules in your live
>    install) I've found something like this to be really useful:
>
>     	uri     __ALL_URI   /.*/
>     	tflags  __ALL_URI   multiple
>
>    Then all the detected URIs appear in the rule hits debug output.
>
>    Post the full email on Pastebin or similar, we can't meaningfully comment
>    on what you provided beyond "uri *should* work for that".

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Tomorrow: the 14th anniversary of the loss of STS-107 Columbia

Re: Custom rule problem

Posted by "Zinski, Steve" <sz...@richmond.edu>.
Here’s the “view source” of the message in question.

http://pastebin.com/AnwkAf9t

Again, it’s line 88 that I’m trying to match.

Thanks.




On 1/31/17, 11:36 AM, "John Hardin" <jh...@impsec.org> wrote:

    On Tue, 31 Jan 2017, Zinski, Steve wrote:
    
    > I’m trying to write a custom rule to block a certain type of spam. When I view the message source, the very last lines of the spam look like this:
    >
    > </table>
    > <img src="http://trc.spammersdomain.com/redirect.php?email=redacted@richmond.edu">
    > </body>
    > </html>
    >
    > Every single rule that I’ve written fails to detect that redirect.php URI. I’ve even tried a rule that simply reads:
    >
    > Full          my_rule                 /redirect/is
    > Score      my_rule                 10.0
    >
    > No match. I’ve tried full, rawbody, uri, and body, all to no avail. I’ve even shortened the search string to “redi” (it’s a unique word) and still no match. I’ve been writing rules for many years and this is the first time I’ve seen this behavior. Any ideas?
    
    If you have a rule dev environment (vs. testing rules in your live 
    install) I've found something like this to be really useful:
    
     	uri     __ALL_URI   /.*/
     	tflags  __ALL_URI   multiple
    
    Then all the detected URIs appear in the rule hits debug output.
    
    Post the full email on Pastebin or similar, we can't meaningfully comment 
    on what you provided beyond "uri *should* work for that".
    
    
    -- 
      John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
      jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
      key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
    -----------------------------------------------------------------------
       The promise of nuclear power: electricity too cheap to meter
       The reality of nuclear power: FUD too cheap to meter
    -----------------------------------------------------------------------
      Tomorrow: the 14th anniversary of the loss of STS-107 Columbia


Re: Custom rule problem

Posted by John Hardin <jh...@impsec.org>.
On Tue, 31 Jan 2017, Zinski, Steve wrote:

> I’m trying to write a custom rule to block a certain type of spam. When I view the message source, the very last lines of the spam look like this:
>
> </table>
> <img src="http://trc.spammersdomain.com/redirect.php?email=redacted@richmond.edu">
> </body>
> </html>
>
> Every single rule that I’ve written fails to detect that redirect.php URI. I’ve even tried a rule that simply reads:
>
> Full          my_rule                 /redirect/is
> Score      my_rule                 10.0
>
> No match. I’ve tried full, rawbody, uri, and body, all to no avail. I’ve even shortened the search string to “redi” (it’s a unique word) and still no match. I’ve been writing rules for many years and this is the first time I’ve seen this behavior. Any ideas?

If you have a rule dev environment (vs. testing rules in your live 
install) I've found something like this to be really useful:

 	uri     __ALL_URI   /.*/
 	tflags  __ALL_URI   multiple

Then all the detected URIs appear in the rule hits debug output.

Post the full email on Pastebin or similar, we can't meaningfully comment 
on what you provided beyond "uri *should* work for that".


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The promise of nuclear power: electricity too cheap to meter
   The reality of nuclear power: FUD too cheap to meter
-----------------------------------------------------------------------
  Tomorrow: the 14th anniversary of the loss of STS-107 Columbia

Re: Custom rule problem

Posted by Antony Stone <An...@spamassassin.open.source.it>.
On Tuesday 31 January 2017 at 16:45:34, Zinski, Steve wrote:

> Hello, I have a problem that I hope someone can help me with.
> 
> I’m trying to write a custom rule to block a certain type of spam. When I
> view the message source, the very last lines of the spam look like this:

How are you seeing this?  Asking your mail client to "show source", or looking 
at the email as it appears whilst going through your mail server?

> </table>
> <img
> src="http://trc.spammersdomain.com/redirect.php?email=redacted@richmond.ed
> u"> </body>
> </html>
> 
> Every single rule that I’ve written fails to detect that redirect.php URI.
> I’ve even tried a rule that simply reads:
> 
> Full          my_rule                 /redirect/is
> Score      my_rule                 10.0
> 
> No match. I’ve tried full, rawbody, uri, and body, all to no avail. I’ve
> even shortened the search string to “redi” (it’s a unique word) and still
> no match. I’ve been writing rules for many years and this is the first
> time I’ve seen this behavior. Any ideas?

Is the email as seen by SpamAssassin Base-64 encoded?


Antony.

-- 
APL [is a language], in which you can write a program to simulate shuffling a 
deck of cards and then dealing them out to several players, in four 
characters, none of which appear on a standard keyboard.

 - David Given

                                                   Please reply to the list;
                                                         please *don't* CC me.
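Antony's base64 question and John's `__ALL_URI` debug trick, in runnable form as an added example that is not from the thread: it simulates what a `full` rule sees (the raw, still transfer-encoded message) against what `rawbody` and `uri` rules see (the MIME-decoded part), for a constructed message whose tail mirrors the quoted HTML, once 8bit and once base64 encoded. The function names, the sample message and the simplified URI regex are assumptions, not SpamAssassin's own code.

```python
# Added example (not code from the thread): SpamAssassin `full` rules run over
# the raw, still transfer-encoded message, while `rawbody` and `uri` rules see
# the MIME-decoded part. A base64 HTML body does not contain "redirect" literally.
import base64
import re
from email import message_from_bytes

# Constructed sample tail, mirroring the lines quoted in the thread.
HTML_TAIL = (
    '</table>\n'
    '<img src="http://trc.spammersdomain.com/redirect.php?email=redacted@richmond.edu">\n'
    '</body>\n</html>\n'
)
URI_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)  # rough stand-in for SA's URI parser

def build_message(html: str, encode_base64: bool) -> bytes:
    """Constructed single-part text/html message, base64 or 8bit encoded."""
    body = base64.encodebytes(html.encode()) if encode_base64 else html.encode()
    cte = b"base64" if encode_base64 else b"8bit"
    return (b"From: sender@example.invalid\r\nTo: redacted@richmond.edu\r\n"
            b"Subject: test\r\nMIME-Version: 1.0\r\n"
            b"Content-Type: text/html; charset=us-ascii\r\n"
            b"Content-Transfer-Encoding: " + cte + b"\r\n\r\n" + body)

def decoded_text_parts(raw: bytes):
    """Yield every text/* part after Content-Transfer-Encoding is undone."""
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() == "text":
            yield part.get_payload(decode=True).decode("ascii", errors="replace")

def full_hits(raw: bytes, pattern: str) -> bool:
    """Like a `full` rule: regex over the raw, undecoded message bytes."""
    return re.search(pattern.encode(), raw, re.I | re.S) is not None

def rawbody_hits(raw: bytes, pattern: str) -> bool:
    """Like a `rawbody` rule: regex over decoded parts, HTML tags intact."""
    return any(re.search(pattern, t, re.I | re.S) for t in decoded_text_parts(raw))

def all_uris(raw: bytes) -> list:
    """Rough stand-in for John's `uri __ALL_URI /.*/` debug rule."""
    return [u for t in decoded_text_parts(raw) for u in URI_RE.findall(t)]

if __name__ == "__main__":
    for b64 in (False, True):
        raw = build_message("<html><body><table>" + HTML_TAIL, b64)
        print(f"base64={b64}: full={full_hits(raw, 'redirect')} "
              f"rawbody={rawbody_hits(raw, 'redirect')} uris={all_uris(raw)}")
```

Feeding the message SpamAssassin actually received (not a copy re-sent through another mailbox) to `spamassassin -t -D` is the equivalent check on a real install.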