You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Robert Boyl <ro...@gmail.com> on 2016/08/26 13:46:31 UTC
Possible ignore CRLF?
Hi, everyone!
Just curious if anyone has had this issue before.
We have a customer SA rule that catches certain text "se voce nao deseja
mais receber..."
We have an icewarp mail server where our rule hits just fine, DESPITE a
CRLF after word "SE".
See imagem showing that CRLF http://screenpresso.com/=e406e
But our qmail with SA does not hit the rule due to the CRLF.
I removed CRLF, refed the message as such http://screenpresso.com/=6Zqke
Then I got the hit...
So question is, is there a way to make SA ignore CRLF?
Thanks!
Rob
Re: Possible ignore CRLF?
Posted by RW <rw...@googlemail.com>.
On Fri, 26 Aug 2016 12:07:48 -0700 (PDT)
John Hardin wrote:
> On Fri, 26 Aug 2016, Robert Boyl wrote:
>
> > Rule
> >
> > describe BRF_TEST123 test
> > body BRF_TEST123 \bSe você não deseja mais receber nossos
> > e-mails, cancele\b/i
>
> That's missing a leading slash. Is that a copy+paste error? Do you
> run lint checks before restarting SA? That shouldn't have passed lint.
>
> It should look like:
>
> body BRF_TEST123 /\bSe você não deseja mais receber nossos
> e-mails, cancele\b/i
>
> > score BRF_TEST123 0.1
> >
> > See here the message that qmail cant catch due to a CRLF in middle
> > of text (right after word "se") but icewarp can catch even with the
> > CR LF.
> >
> > If I remove the CR LF my qmail catches it (SA).
>
> That's odd, as SA should normalize that into a single body paragraph
> in both cases.
It worked for me with it left in. I don't think we've actually
established that it was tested with and without the CR LF with
everything else identical.
The rule might fail because of the character set. For rules like this to
work best the rule file has to be edited as UTF-8 and SA should be
configured with
normalize_charset 1
Re: Possible ignore CRLF?
Posted by John Hardin <jh...@impsec.org>.
On Fri, 26 Aug 2016, John Hardin wrote:
> body __ALL_BODY /./
Oops.
body __ALL_BODY /.+/
{blush}
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
2 days until Exercise Your Rights day
Re: Possible ignore CRLF?
Posted by John Hardin <jh...@impsec.org>.
On Fri, 26 Aug 2016, Robert Boyl wrote:
> Rule
>
> describe BRF_TEST123 test
> body BRF_TEST123 \bSe voc no deseja mais receber nossos e-mails, cancele\b/i
That's missing a leading slash. Is that a copy+paste error? Do you run
lint checks before restarting SA? That shouldn't have passed lint.
It should look like:
body BRF_TEST123 /\bSe voc no deseja mais receber nossos e-mails, cancele\b/i
> score BRF_TEST123 0.1
>
> See here the message that qmail cant catch due to a CRLF in middle of text
> (right after word "se") but icewarp can catch even with the CR LF.
>
> If I remove the CR LF my qmail catches it (SA).
That's odd, as SA should normalize that into a single body paragraph in
both cases.
> http://pastebin.com/gyeDcA3H
It looks like the encoding is corrupted at that point:
130. caixa de entrada,<br/>adicione o e-mail <strong>buddhaspa@buddhaspa.com.br<=
131. /strong> ao seu catálogo de endereços.<br/><br/>A Buddha Spa =
132. respeita a sua privacidade e é contra o spam na rede.<br />Se=20
133. você não deseja mais receber nossos e-mails, <a href=3D"http:/=
134. /trk.virtualtarget.com.br/index.dma/DmaOptOut?22125,438,29198,66c2087320c2e=
The end of line 132 doesn't look correct.
Maybe that's causing it to think there are *two* line breaks after the
"Se", thus putting that into a separate paragraph?
It's interesting that the two platforms behave differently. Are they
running the same version of SA? How is SA glued onto them (how do they
pass messages to SA)?
If you have a test environment set up where yon can run SA against a test
message and see the text that rules hit, you might want to add this rule:
body __ALL_BODY /./
That would make it clear whether or not SA was breaking the paragraph at
that point.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows and its users got mentioned at home today, after my wife the
psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
-----------------------------------------------------------------------
2 days until Exercise Your Rights day
Re: Possible ignore CRLF?
Posted by Axb <ax...@gmail.com>.
Please keep list mail on the list.
On 08/26/2016 08:41 PM, Robert Boyl wrote:
> Hi,
>
> Thanks for reply. Hehe, sorry :))
>
> Rule
>
> describe BRF_TEST123 test
> body BRF_TEST123 \bSe você não deseja mais receber nossos e-mails,
> cancele\b/i
> score BRF_TEST123 0.1
>
> See here the message that qmail cant catch due to a CRLF in middle of text
> (right after word "se") but icewarp can catch even with the CR LF.
>
> If I remove the CR LF my qmail catches it (SA).
>
> http://pastebin.com/gyeDcA3H
>
> Thanks
> Rob
>
>
>
> 2016-08-26 10:50 GMT-03:00 Axb <ax...@gmail.com>:
>
>> On 08/26/2016 03:46 PM, Robert Boyl wrote:
>>
>>> Hi, everyone!
>>>
>>> Just curious if anyone has had this issue before.
>>>
>>> We have a customer SA rule that catches certain text "se voce nao deseja
>>> mais receber..."
>>>
>>> We have an icewarp mail server where our rule hits just fine, DESPITE a
>>> CRLF after word "SE".
>>>
>>> See imagem showing that CRLF http://screenpresso.com/=e406e
>>>
>>> But our qmail with SA does not hit the rule due to the CRLF.
>>>
>>> I removed CRLF, refed the message as such http://screenpresso.com/=6Zqke
>>>
>>> Then I got the hit...
>>>
>>> So question is, is there a way to make SA ignore CRLF?
>>>
>>> Thanks!
>>> Rob
>>>
>>>
>> And where is the rule you created?
>>
>> can you pastebin the sample message?
>> Tests on a screenshot don't work .-)
>>
>> Guys - screenshots are for grannies!!!!
>> Use copy/paste & pastebin!!!
>>
>
Re: Possible ignore CRLF?
Posted by Robert Boyl <ro...@gmail.com>.
Hi,
Thanks for reply. Hehe, sorry :))
Rule
describe BRF_TEST123 test
body BRF_TEST123 \bSe você não deseja mais receber nossos e-mails,
cancele\b/i
score BRF_TEST123 0.1
See here the message that qmail cant catch due to a CRLF in middle of text
(right after word "se") but icewarp can catch even with the CR LF.
If I remove the CR LF my qmail catches it (SA).
http://pastebin.com/gyeDcA3H
Thanks
Rob
2016-08-26 10:50 GMT-03:00 Axb <ax...@gmail.com>:
> On 08/26/2016 03:46 PM, Robert Boyl wrote:
>
>> Hi, everyone!
>>
>> Just curious if anyone has had this issue before.
>>
>> We have a customer SA rule that catches certain text "se voce nao deseja
>> mais receber..."
>>
>> We have an icewarp mail server where our rule hits just fine, DESPITE a
>> CRLF after word "SE".
>>
>> See imagem showing that CRLF http://screenpresso.com/=e406e
>>
>> But our qmail with SA does not hit the rule due to the CRLF.
>>
>> I removed CRLF, refed the message as such http://screenpresso.com/=6Zqke
>>
>> Then I got the hit...
>>
>> So question is, is there a way to make SA ignore CRLF?
>>
>> Thanks!
>> Rob
>>
>>
> And where is the rule you created?
>
> can you pastebin the sample message?
> Tests on a screenshot don't work .-)
>
> Guys - screenshots are for grannies!!!!
> Use copy/paste & pastebin!!!
>
Re: Possible ignore CRLF?
Posted by Axb <ax...@gmail.com>.
On 08/26/2016 03:46 PM, Robert Boyl wrote:
> Hi, everyone!
>
> Just curious if anyone has had this issue before.
>
> We have a customer SA rule that catches certain text "se voce nao deseja
> mais receber..."
>
> We have an icewarp mail server where our rule hits just fine, DESPITE a
> CRLF after word "SE".
>
> See imagem showing that CRLF http://screenpresso.com/=e406e
>
> But our qmail with SA does not hit the rule due to the CRLF.
>
> I removed CRLF, refed the message as such http://screenpresso.com/=6Zqke
>
> Then I got the hit...
>
> So question is, is there a way to make SA ignore CRLF?
>
> Thanks!
> Rob
>
And where is the rule you created?
can you pastebin the sample message?
Tests on a screenshot don't work .-)
Guys - screenshots are for grannies!!!!
Use copy/paste & pastebin!!!