You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by nobswolf <no...@nobswolf.info> on 2015/03/21 11:30:34 UTC
check a x-spam field
Hello,
I use SpamAssassin for quite some time and now I'd like to fine-tune a
little.
Lately I got a message that was already examined by another instance of
a spam-filter that is not under my control. This message was not
auto-learned because the score was too low for that.
So I got the idea I could check the X-Spam-Flag of this other instance
and give some more score. I thought this is a good idea because nobody
would tag mail as spam without a reason (the other way round is another
piece of cake of course).
But it just did not work. I guess it is because the X-Spam-Fields in the
original header are ignored? How can I force SpamAssassin to force
checking the X-Spam-fields in the header of the original mail?
Header of test-mail:
X-SPAM-FLAG: YES
entry in local.cf:
header ALLREADY_MARKED ALL =~ /^X-SPAM-FLAG:\s+YES/mi
describe ALLREADY_MARKED wurde schon mal markiert
score ALLREADY_MARKED 3
I also tried the "normal" header test, also with not success.
$ spamassassin --version
SpamAssassin version 3.3.2
running on Perl version 5.14.2
# cat /etc/debian_version
7.8
Any hints for me?
Thanks in advance
Emil
Re: check a x-spam field
Posted by nobswolf <no...@nobswolf.info>.
Am 21.03.2015 um 12:25 schrieb Axb:
>
> If you can live without the "attached" original msg add to local.cf
>
> report_safe 0
The report is added AFTER the checks are done, right?
I have a rule that is not working.
How can change the behavior of the reporting help me here?
And: I definitely do like and want the reporting as it is.
Re: check a x-spam field
Posted by nobswolf <no...@nobswolf.info>.
To show my point that this is related to all X-Spam header-fields that
are already in the original mail I added a new rule and a similar header
to my test-mail:
Email-Header:
X-SPAM-FLAG: YES
X-SPOM-FLAG: YES
Rules:
header ALLREADY X-SPAM-FLAG:raw =~ /YES/
describe ALLREADY wurde schon mal markiert
score ALLREADY 4
header OLLREADY X-SPOM-FLAG:raw =~ /YES/
describe OLLREADY wurde schon mal markiert
score OLLREADY 4
Result:
4.0 OLLREADY wurde schon mal markiert
So again my first question:
How do I force SA to check X-Spam-* fields in the header of the original
mail?
Re: check a x-spam field
Posted by Axb <ax...@gmail.com>.
On 03/21/2015 12:13 PM, nobswolf wrote:
> Am 21.03.2015 um 11:47 schrieb Axb:
>
>> This didn't work? :
>>
>> header ALLREADY_MARKED X-SPAM-FLAG =~ /^YES\b/
>> describe ALLREADY_MARKED wurde schon mal markiert
>> score ALLREADY_MARKED 3
>
> Nope. Just tried.
>
> I also tried --lint which gave no results. and I checked with vi :set
> list for strange chars.
>
>> after passing your SA, do these msgs have 2 sets of X-SPAM-* headers?
>>
>> can you post such a header section?
>
> After SA there is the original one left in the message which is an
> attachment now. And there is the new one with the check-results:
>
> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on nobswolf.info
> X-Spam-Flag: YES
> X-Spam-Level: *************
> X-Spam-Status: Yes, score=13.3 required=5.0 tests=AXB_X_AOL_SEZ_S,BAYES_99,
> BAYES_999,BNM,BNM_IP,DKIM_SIGNED,DKIM_VALID,DUMMY,FREEMAIL_FROM,
>
> FREEMAIL_REPLYTO,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,
> OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_NONE,T_REMOTE_IMAGE,URIBL_BLOCKED
> autolearn=no
> version=3.3.2
>
>
> (The line-wrapping in the original header is ok.)
If you can live without the "attached" original msg add to local.cf
report_safe 0
as per:
report_safe ( 0 | 1 | 2 ) (default: 1)
if this option is set to 1, if an incoming message is tagged as
spam, instead of modifying the original message, SpamAssassin will
create a new report message and attach the original message as a
message/rfc822 MIME part (ensuring the original message is
completely preserved, not easily opened, and easier to recover).
If this option is set to 2, then original messages will be attached
with a content type of text/plain instead of message/rfc822. This
setting may be required for safety reasons on certain broken mail
clients that automatically load attachments without any action by
the user. This setting may also make it somewhat more difficult to
extract or view the original message.
If this option is set to 0, incoming spam is only modified by adding
some "X-Spam-" headers and no changes will be made to the body. In
addition, a header named X-Spam-Report will be added to spam. You
can use the remove_header option to remove that header after setting
report_safe to 0.
See report_safe_copy_headers if you want to copy headers from the
original mail into tagged messages.
Re: check a x-spam field
Posted by nobswolf <no...@nobswolf.info>.
Am 21.03.2015 um 12:18 schrieb Reindl Harald:
>
>
> Am 21.03.2015 um 12:13 schrieb nobswolf:
>>> can you post such a header section?
>>
>> After SA there is the original one left in the message which is
>> an attachment now. And there is the new one with the
>> check-results:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
>> nobswolf.info X-Spam-Flag: YES X-Spam-Level: *************
>> X-Spam-Status: Yes, score=13.3 required=5.0
>> tests=AXB_X_AOL_SEZ_S,BAYES_99,
>> BAYES_999,BNM,BNM_IP,DKIM_SIGNED,DKIM_VALID,DUMMY,FREEMAIL_FROM,
>>
>> FREEMAIL_REPLYTO,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,
>>
>>
OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_NONE,T_REMOTE_IMAGE,URIBL_BLOCKED
>> autolearn=no version=3.3.2
>>
>>
>> (The line-wrapping in the original header is ok.)
>
> you can disable that attachment behavior with "report_safe 0"
>
That's not the point here. I need help in writing rules, not in
reporting. Please read the first post in this thread.
Can someone check this in a more recent version? Maybe this is just
borken in 3.3 of debian?
Re: check a x-spam field
Posted by Reindl Harald <h....@thelounge.net>.
Am 21.03.2015 um 12:13 schrieb nobswolf:
>> can you post such a header section?
>
> After SA there is the original one left in the message which is an
> attachment now. And there is the new one with the check-results:
>
> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on nobswolf.info
> X-Spam-Flag: YES
> X-Spam-Level: *************
> X-Spam-Status: Yes, score=13.3 required=5.0 tests=AXB_X_AOL_SEZ_S,BAYES_99,
> BAYES_999,BNM,BNM_IP,DKIM_SIGNED,DKIM_VALID,DUMMY,FREEMAIL_FROM,
>
> FREEMAIL_REPLYTO,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,
> OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_NONE,T_REMOTE_IMAGE,URIBL_BLOCKED
> autolearn=no
> version=3.3.2
>
>
> (The line-wrapping in the original header is ok.)
you can disable that attachment behavior with "report_safe 0"
Re: check a x-spam field
Posted by Benny Pedersen <me...@junc.eu>.
On March 21, 2015 12:15:46 PM nobswolf <no...@nobswolf.info> wrote:
> X-Spam-Status: Yes, score=13.3 required=5.0 tests=AXB_X_AOL_SEZ_S,BAYES_99,
> BAYES_999,BNM,BNM_IP,DKIM_SIGNED,DKIM_VALID,DUMMY,FREEMAIL_FROM,
>
> FREEMAIL_REPLYTO,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,
> OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_NONE,T_REMOTE_IMAGE,URIBL_BLOCKED
> autolearn=no
> version=3.3.2
install a local dns resolver makes overall better results then uribl_blocked
and note that spamassassin removes sa headers when prossesing, so if it
exists when recieved, you have to preserve that header in mta stage
Re: check a x-spam field
Posted by nobswolf <no...@nobswolf.info>.
Am 21.03.2015 um 11:47 schrieb Axb:
> This didn't work? :
>
> header ALLREADY_MARKED X-SPAM-FLAG =~ /^YES\b/
> describe ALLREADY_MARKED wurde schon mal markiert
> score ALLREADY_MARKED 3
Nope. Just tried.
I also tried --lint which gave no results. and I checked with vi :set
list for strange chars.
> after passing your SA, do these msgs have 2 sets of X-SPAM-* headers?
>
> can you post such a header section?
After SA there is the original one left in the message which is an
attachment now. And there is the new one with the check-results:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on nobswolf.info
X-Spam-Flag: YES
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.3 required=5.0 tests=AXB_X_AOL_SEZ_S,BAYES_99,
BAYES_999,BNM,BNM_IP,DKIM_SIGNED,DKIM_VALID,DUMMY,FREEMAIL_FROM,
FREEMAIL_REPLYTO,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,
OBFU_TEXT_ATTACH,RCVD_IN_DNSWL_NONE,T_REMOTE_IMAGE,URIBL_BLOCKED
autolearn=no
version=3.3.2
(The line-wrapping in the original header is ok.)
Re: check a x-spam field
Posted by Axb <ax...@gmail.com>.
On 03/21/2015 11:30 AM, nobswolf wrote:
> Hello,
>
> I use SpamAssassin for quite some time and now I'd like to fine-tune a
> little.
>
> Lately I got a message that was already examined by another instance of
> a spam-filter that is not under my control. This message was not
> auto-learned because the score was too low for that.
>
> So I got the idea I could check the X-Spam-Flag of this other instance
> and give some more score. I thought this is a good idea because nobody
> would tag mail as spam without a reason (the other way round is another
> piece of cake of course).
>
> But it just did not work. I guess it is because the X-Spam-Fields in the
> original header are ignored? How can I force SpamAssassin to force
> checking the X-Spam-fields in the header of the original mail?
>
>
> Header of test-mail:
>
> X-SPAM-FLAG: YES
>
>
> entry in local.cf:
>
> header ALLREADY_MARKED ALL =~ /^X-SPAM-FLAG:\s+YES/mi
> describe ALLREADY_MARKED wurde schon mal markiert
> score ALLREADY_MARKED 3
>
>
> I also tried the "normal" header test, also with not success.
>
>
> $ spamassassin --version
> SpamAssassin version 3.3.2
> running on Perl version 5.14.2
> # cat /etc/debian_version
> 7.8
>
>
>
> Any hints for me?
This didn't work? :
header ALLREADY_MARKED X-SPAM-FLAG =~ /^YES\b/
describe ALLREADY_MARKED wurde schon mal markiert
score ALLREADY_MARKED 3
after passing your SA, do these msgs have 2 sets of X-SPAM-* headers?
can you post such a header section?
Re: check a x-spam field
Posted by nobswolf <no...@nobswolf.info>.
Am 21.03.2015 um 16:14 schrieb RW:
> You need to rewrite the header name before SA sees it so it doesn't
> start with X-Spam-. You may want to configure Bayes to ignore the new
> header name.
ok, this works for me:
http://stackoverflow.com/questions/29182749/define-header-rule-for-x-spam-flag-in-spamassassin/29187604#29187604
I guess in this case it is ok for Bayes to read this header.
Re: check a x-spam field
Posted by RW <rw...@googlemail.com>.
On Sat, 21 Mar 2015 11:30:34 +0100
nobswolf wrote:
> Hello,
>
> I use SpamAssassin for quite some time and now I'd like to fine-tune a
> little.
>
> Lately I got a message that was already examined by another instance
> of a spam-filter that is not under my control. This message was not
> auto-learned because the score was too low for that.
>
> So I got the idea I could check the X-Spam-Flag of this other instance
> and give some more score. I thought this is a good idea because nobody
> would tag mail as spam without a reason (the other way round is
> another piece of cake of course).
>
> But it just did not work. I guess it is because the X-Spam-Fields in
> the original header are ignored? How can I force SpamAssassin to force
> checking the X-Spam-fields in the header of the original mail?
You need to rewrite the header name before SA sees it so it doesn't
start with X-Spam-. You may want to configure Bayes to ignore the new
header name.