Hi all,
I am afraid I need to get back to this subject again. Long story short: old
ASSP works fine - new ASSP bombs good mail with [!empty!] hits.

Currently I am running ASSP 2.0.2-1.0.07 and everything seems alright with
BombBlack. Here is some log info for test emails I sent from a gmx.de
account:

Jul-08-10 07:54:47 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -4 for
213.165.64 in griplist (0.03), total score for this message is now -4
Jul-08-10 07:54:47 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -10 for
Home Country Bonus DE (GMX GmbH), total score for this message is now -14
Jul-08-10 07:54:47 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain PB-IP-Score for '213.165.64.20'
is 10, added -10 for HomeCountry-DE
Jul-08-10 07:54:47 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain  no Bomb found in header
Jul-08-10 07:54:48 68487-01934 [Worker_3] [SPF] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain [scoring] SPF: pass (cache)
ip=213.165.64.20 mailfrom=dummyaddr...@gmx.de helo=mail.gmx.net
Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -10 for
SPF pass, total score for this message is now -24
Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain  no Bomb found for
'bombSuspiciousRe'
Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain  no Bomb found for 'bombDataRe'
and 'bombRe'
Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain  no Bomb found for 'bombBlack'
Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain Bayesian Check [scoring] -
Prob: 0.00000 => ham
Jul-08-10 07:54:48 68487-01934 [Worker_3] [Bayesian][scoring] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain info: Bayesian-Check has taken
0 seconds
Jul-08-10 07:54:48 68487-01934 [Worker_3] [Plugin] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain ASSP_OCR: Plugin successful
called for runlevel 'complete mail'!
Jul-08-10 07:54:48 68487-01934 [Worker_3] [MessageOK] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain message ok [Test7 nochn
Gedicht] -> /opt/assp/okmail/Test7_nochn_Gedicht--61958.eml
Jul-08-10 07:54:48 68487-01934 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain info: no (more) data readable
from 213.165.64.20 (connection closed by peer) - last command was 'QUIT'



But whenever I run newer versions of ASSP (2.0.2-1.1.15 in this case)
BombBlack works differently, although I do not touch my assp.cfg or
bombre.txt:



Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -4 for
213.165.64 in griplist (0.03), total score for this message is now -4
Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -10 for
Home Country Bonus DE (GMX GmbH), total score for this message is now -14
Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain PB-IP-Score for '213.165.64.20'
is 10, added -10 for HomeCountry-DE
Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain  no Bomb found in header
Jul-08-10 07:40:48 67648-12664 [Worker_3] [SPF] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain [scoring] SPF: pass (cache)
ip=213.165.64.20 mailfrom=dummyaddr...@gmx.de helo=mail.gmx.net
Jul-08-10 07:40:48 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added -10 for
SPF pass, total score for this message is now -24
Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain  no Bomb found for
'bombSuspiciousRe'
Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain  no Bomb found for
'bombDataRe', 'bombRe' and 'bombCharSets'
Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain Regex:BlackRe 'PB 20: for
[!empty!]'
Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain [!empty!] : (l:0) 20 , count :
1 , sum : 20 , time : 0 s
Jul-08-10 07:40:49 67648-12664 [Worker_3] [BombBlack] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain  (BombBlack '(l:0) (l:0)
'[!empty!] (20)'')
Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain Message-Score: added 20 for
BombBlack '(l:0) (l:0) '[!empty!] (20)'', total score for this message is
now -4
Jul-08-10 07:40:49 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain PB-IP-Score for '213.165.64.20'
is 20, added 20 for BombBlack
Jul-08-10 07:40:49 67648-12664 [Worker_3] [BombBlack] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain [spam found] (BombBlack '(l:0)
(l:0) '[!empty!] (20)'') [Test4 mit pdf] -> /opt/assp/discarded/12664.eml;
Jul-08-10 07:40:52 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain [SMTP Error] 554 5.7.1 Delivery
not authorized, message refused -- . (reason: BombBlack '(l:0) (l:0)
'[!empty!] (20)'')
Jul-08-10 07:40:52 67648-12664 [Worker_3] 213.165.64.20
<dummyaddr...@gmx.de> to: recipi...@mydomain finished message - received
size: 0 Byte - sent size: 2.26 MByte


I use bombre.txt for ...

bombHeaderRe:=file:files/bombre.txt
bombSubjectRe:=file:files/bombre.txt
bombRe:=file:files/bombre.txt
bombDataRe:=file:files/bombre.txt

Can anyone tell what causes this difference in behavior? How can I find out
why newer versions of ASSP get [!empty!] hits where 2.0.2-1.0.07 does not?
Any config variables I should look at?

TIA
Dirk


> -----Original Message-----
> From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com]
> Sent: Monday, 14 June 2010 09:25
> To: ASSP development mailing list
> Subject: Re: [Assp-test] BombBlack hits good mail
> 
> >What does [!empty!]
> >mean here?
> 
> 
> 
> [!empty!] means that your regex is testing for an empty string, like
> ^$
> 
> Thomas
> 
> 
> 
> From:    "Dirk Kulmsee" <d.kulm...@netgroup.de>
> To:      "'ASSP development mailing list'"
> <assp-test@lists.sourceforge.net>
> Date:    09.06.2010 10:56
> Subject: [Assp-test] BombBlack hits good mail
> 
> 
> 
> Hi all,
> since I upgraded from 2.0.2-1.0.06 to 2.0.2-1.1.10 (same issue with
> 2.0.2-1.1.11) I see lots of log entries like these:
> 
> Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain  no Bomb found in header
> Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain  no Bomb found for
> 'bombSuspiciousRe'
> Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain  no Bomb found for
> 'bombDataRe', 'bombRe' and 'bombCharSets'
> Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain Regex:BlackRe 'PB 20: for
> [!empty!]'
> Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain [!empty!] : (l:0) 20 , count :
> 1 , sum : 20 , time : 0 s
> Jun-09-10 08:37:32 65451-05566 [Worker_1] [BombBlack] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain  (BombBlack '(l:0) (l:0)
> '[!empty!] (20)'')
> Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain Message-Score: added 20 for
> BombBlack '(l:0) (l:0) '[!empty!] (20)'', total score for this message is
> now 9
> Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain PB-IP-Score for '87.248.110.138'
> is 20, added 20 for BombBlack
> Jun-09-10 08:37:32 65451-05566 [Worker_1] [BombBlack] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain [spam found] (BombBlack '(l:0)
> (l:0) '[!empty!] (20)'') [Alan Wake] -> /opt/assp/discarded/5566.eml;
> Jun-09-10 08:37:32 65451-05566 [Worker_1] 87.248.110.138
> <sen...@yahoo.de> to: recipi...@my.domain [SMTP Error] 554 5.7.1 Delivery
> not authorized, message refused -- . (reason: BombBlack '(l:0) (l:0)
> '[!empty!] (20)'')
> 
> 
> The mail is not spam. I cannot see why it is discarded. What does
> [!empty!] mean here? Where does it come from? A bad regex somewhere?
> I use the bombre.txt from the cvs.
> 
> Thanks for your hints.
> 
> Regards
> Dirk Kulmsee
> 
> 
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
> 
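
An added example, not part of the original thread and not ASSP code: a Python lint that lists the lines of a pattern file able to match the empty string, the condition Thomas describes for [!empty!]. The file format (one regex per line, `#` comment lines, lines joined with `|`) and the sample patterns are assumptions, and Python's `re` stands in for Perl's regex engine.

```python
import re

# Constructed sample, NOT the real bombre.txt. Assumed format: one regex per
# line, '#' starts a comment line, the loader joins the lines with '|'.
SAMPLE = "\n".join([
    r"# sample patterns (constructed)",
    r"viagra|cialis",
    r"cheap\s+meds|",            # trailing '|' leaves an empty alternative
    r"(?:free\s+)*",             # '*' allows zero repetitions
    r"^$",                       # explicit empty-string test
    r"https?://[^/]+\.example\.invalid/",
    r"",                         # blank line: empty alternative once joined
    r"win\s+a\s+prize",
])


def empty_matching_lines(text):
    """Return (line_no, pattern, reason) for every line that can match ''."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line == "":
            findings.append((no, raw, "blank line becomes an empty alternative"))
            continue
        try:
            rx = re.compile(line, re.I)
        except re.error as exc:
            findings.append((no, raw, f"does not compile: {exc}"))
            continue
        if rx.search("") is not None:
            findings.append((no, raw, "matches the empty string"))
    return findings


def combined_hits_empty(text):
    """True if the '|'-joined pattern (comments dropped) matches ''."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    return re.compile("|".join(lines), re.I).search("") is not None


if __name__ == "__main__":
    for no, pat, why in empty_matching_lines(SAMPLE):
        print(f"line {no}: {pat!r}: {why}")
    print("combined pattern matches empty string:", combined_hits_empty(SAMPLE))
```

A single offending line is enough to make the combined alternation match at every position of every message, which is why the lint reports per line rather than only testing the joined pattern.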


