Re: How to define rule?
On 27 Jan 2020, at 16:21, Joe Acquisto-j4 wrote:

> Not sure how to phrase the question, but I wonder about creating a rule.
>
> In /etc/mail/spamassassin/local.cf I see the following, and believe it is a
> long forgotten custom rule:
>
> header PW_IS_BAD_TLD From =~ /\.pw\b/
> describe PW_IS_BAD_TLD PW TLD ABUSE
> score PW_IS_BAD_TLD 4.0
>
> Could someone describe the basics of this, or point me to a good starting
> point to figure it out?

Running "perldoc Mail::SpamAssassin::Conf" will give you a near-complete rundown of how rules are structured, and what's not there isn't involved here and almost no one needs. (it IS documented in other SA modules)

> I presume the "header" part defining "From" with a Regex, the assigning a
> weight with "score".

Yes. Each line that is part of a rule definition starts with a keyword stating what type of configuration info the line contains (e.g. a 'header' rule) followed by the name of the rule it is part of (in this case, PW_IS_BAD_TLD) and then the config info itself, which varies depending on the first token.

With a "header" rule, the remainder of the line contains a header name (From, in this case) a matching operator (=~ is a positive match, !~ for a negative match) and a Perl regular expression between 2 / characters, which in this case is '/\.pw\b/' which translates to ".pw not immediately followed by a word-type character."

And, obviously, the 'score' line gives the PW_IS_BAD_TLD rule a robust score of 4.0. Since the default spam threshold is 5.0, this is not quite an absolute condemnation, but it leaves little space for weaker spam signs to match.

The 'describe' line for PW_IS_BAD_TLD contains the obscure quasi-phrase "PW TLD ABUSE" which is, I presume, a reference to the fact that the 'pw' top-level domain was badly abused by spammers when it first opened up with a very cheap price on domains.

Hope that helps...

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: How to define rule?
>>>
> Not sure how to phrase the question, but I wonder about creating a rule.
>
> In /etc/mail/spamassassin/local.cf I see the following, and believe it is a
> long forgotten custom rule:
>
> header PW_IS_BAD_TLD From =~ /\.pw\b/
> describe PW_IS_BAD_TLD PW TLD ABUSE
> score PW_IS_BAD_TLD 4.0
>
> Could someone describe the basics of this, or point me to a good starting
> point to figure it out? I presume the "header" part defining "From" with a
> Regex, the assigning a weight with "score".
>

Well, never mind, for now anyway. It was easier to find an easy to follow guide than I feared.

--
+++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
How to define rule?
Not sure how to phrase the question, but I wonder about creating a rule.

In /etc/mail/spamassassin/local.cf I see the following, and believe it is a long forgotten custom rule:

header PW_IS_BAD_TLD From =~ /\.pw\b/
describe PW_IS_BAD_TLD PW TLD ABUSE
score PW_IS_BAD_TLD 4.0

Could someone describe the basics of this, or point me to a good starting point to figure it out? I presume the "header" part defining "From" with a Regex, the assigning a weight with "score".

--
+++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
Re: Question on Rule
On 27 Jan 2020, at 12:32, jdow wrote:

> Are you sure it is not the extra space between the routing headers and the
> "Subject:" line?

100% certain.

In the standard rule channel, the file 72_active.cf has these lines:

    meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
    header __FROM_RUNON From =~ /\S+<\w+/

i.e. a non-whitespace character immediately preceding a left angle-bracket/less-than symbol.

(RDNS_DYNAMIC is a massive meta-rule for rDNS names that match patterns derived from the IP itself)

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
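The rule structure described in Bill Cole's two replies (keyword, rule name, then keyword-specific data, with a meta rule combining sub-rules) can be tried out with the following added example, which is not part of the original thread and is not SpamAssassin's code. It is a simplified Python model: RDNS_DYNAMIC is passed in as a preset flag, only the `A && B` meta form is handled, and the function names and sample From values are assumptions made for illustration.

```python
import re

# The rule lines quoted in the thread, in local.cf syntax.
RULES = r"""
header   PW_IS_BAD_TLD     From =~ /\.pw\b/
describe PW_IS_BAD_TLD     PW TLD ABUSE
score    PW_IS_BAD_TLD     4.0
header   __FROM_RUNON      From =~ /\S+<\w+/
meta     FROM_MISSP_DYNIP  __FROM_RUNON && RDNS_DYNAMIC
"""
# Constructed From values (not taken from real mail).
SAMPLES = ['"Shop" <info@example.pw>', 'John Smith<john@example.com>',
           'John Smith <john@example.com>', 'news.pw@example.com',
           'info@example.pwn.test']
HEADER_RE = re.compile(r"^(\S+)\s+(=~|!~)\s+/(.*)/(\w*)$")

def parse(text):
    """Group lines by rule name: {name: {keyword: rest of line}}."""
    rules = {}
    for line in text.strip().splitlines():
        keyword, name, rest = line.split(None, 2)
        rules.setdefault(name, {})[keyword] = rest.strip()
    return rules

def evaluate(rules, headers, preset=()):
    """Return {rule name: hit}. `preset` lists rules assumed to have hit
    already (used here for RDNS_DYNAMIC, which is not modelled)."""
    hits = {name: True for name in preset}
    for name, rule in rules.items():
        if "header" in rule:
            hdr, op, pattern, mods = HEADER_RE.match(rule["header"]).groups()
            found = re.search(pattern, headers.get(hdr, ""),
                              re.I if "i" in mods else 0) is not None
            hits[name] = found if op == "=~" else not found
    for name, rule in rules.items():
        if "meta" in rule:  # only the "A && B" form from the thread
            terms = [t.strip() for t in rule["meta"].split("&&")]
            hits[name] = all(hits.get(t, False) for t in terms)
    return hits

def total_score(rules, hits):
    """Sum explicit 'score' lines of rules that hit; rules without one are
    ignored in this model."""
    return sum(float(rule["score"]) for name, rule in rules.items()
               if hits.get(name) and "score" in rule)

if __name__ == "__main__":
    rules = parse(RULES)
    for value in SAMPLES:
        hits = evaluate(rules, {"From": value}, preset=("RDNS_DYNAMIC",))
        fired = sorted(n for n, hit in hits.items() if hit)
        print(f"{value!r}: {fired} score={total_score(rules, hits)}")
```

Because the PW_IS_BAD_TLD pattern is unanchored, the constructed value `news.pw@example.com` also hits it even though the domain is not under .pw, while `info@example.pwn.test` does not.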
Re: Question on Rule
On 20200127 09:01:10, Charles Amstutz wrote:

> > > Hello,
> > >
> > > Can someone explain what this actually means and maybe provide an
> > > example?
> > >
> > > Rule Name: FROM_MISSP_DYNIP
> > > Rule Definition: misspaced + dynamic rDNS
> > >
> > > Getting a high score on this and having trouble finding an actual real
> > > definition and example. I get the dynamic rDNS I believe, but not sure
> > > about the misspaced meaning for sure.
> >
> > It means that there is no space between the display name and the '<', e.g.
> >
> > From: John Smith
> >
> > If you are seeing anything very different?
>
> Thanks, however, I do see a space between the name and the '<'
>
> This is what it looks like:
>
> From: =?UTF-8?Q?Name?=

Are you sure it is not the extra space between the routing headers and the "Subject:" line?

===8<---
From: =?UTF-8?Q?Sender_name?=
To: =?UTF-8?Q?Recipient_name?=
Subject: =?UTF-8?Q?Subject?=
Date: Sat, 25 Jan 2020 19:35:07 +
===8<---

That spacing is very typical of spam and never seen as ham here.

{^_^}
Re: Question on Rule
> > Can someone explain what this actually means and maybe provide an
> > example?
> >
> > Rule Name: FROM_MISSP_DYNIP
> > Rule Definition: misspaced + dynamic rDNS
> >
> > Getting a high score on this and having trouble finding an actual real
> > definition and example. I get the dynamic rDNS I believe, but not sure
> > about the misspaced meaning for sure.
>
> It means that there is no space between the display name and the '<', e.g.
>
> From: John Smith
>
> If you are seeing anything very different?

On 27.01.20 17:01, Charles Amstutz wrote:

> Thanks, however, I do see a space between the name and the '<'
>
> This is what it looks like:
>
> From: =?UTF-8?Q?Name?=

Where do you see it? Especially Micro$oft products (outlook, exchange, ...) tend to reformat mail so you can't see how it looked before.

A few years ago I came to exactly this problem: the missing space between fullname and "<" was added by a Microsoft product and I couldn't understand why blocking it did not work.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
On the other hand, you have different fingers.
RE: Question on Rule
> > Hello,
> >
> > Can someone explain what this actually means and maybe provide an
> > example?
> >
> > Rule Name: FROM_MISSP_DYNIP
> > Rule Definition: misspaced + dynamic rDNS
> >
> > Getting a high score on this and having trouble finding an actual real
> > definition and example. I get the dynamic rDNS I believe, but not sure
> > about the misspaced meaning for sure.
>
> It means that there is no space between the display name and the '<', e.g.
>
> From: John Smith
>
> If you are seeing anything very different?

Thanks, however, I do see a space between the name and the '<'

This is what it looks like:

From: =?UTF-8?Q?Name?=
Re: Question on Rule
On Mon, 27 Jan 2020 16:22:39 + Charles Amstutz wrote:

> Hello,
>
> Can someone explain what this actually means and maybe provide an
> example?
>
> Rule Name: FROM_MISSP_DYNIP
> Rule Definition: misspaced + dynamic rDNS
>
> Getting a high score on this and having trouble finding an actual
> real definition and example. I get the dynamic rDNS I believe, but
> not sure about the misspaced meaning for sure.

It means that there is no space between the display name and the '<', e.g.

From: John Smith

If you are seeing anything very different?
RE: Question on Rule
> On 27.01.20 at 17:22, Charles Amstutz wrote:
> > Can someone explain what this actually means and maybe provide an example?
> >
> > Rule Name: FROM_MISSP_DYNIP
> >
> > Rule Definition: misspaced + dynamic rDNS
> >
> > Getting a high score on this and having trouble finding an actual real
> > definition and example. I get the dynamic rDNS I believe, but not sure
> > about the misspaced meaning for sure
>
> misspaced FROM header which leaves the question open why you don't
> provide any useful information like, well, the headers or better raw-mail at
> pastebin

From your explanation, I think I found what might be causing the rule to trigger. I think it is the weird characters in subject, from and to?

This is redacted a bit, of course.

Return-Path:
Delivered-To: recipi...@email.com
Received: (qmail 4989 invoked by alias); 25 Jan 2020 15:13:45 -0600
Delivered-To: recipi...@email.com
Received: (qmail 4975 invoked from network); 25 Jan 2020 15:13:45 -0600
Received: from SMTP Server (HELO SMTP Server) (internal IP) by mailserver with ESMTP; 25 Jan 2020 15:13:45 -0600
Received: (qmail 81888 invoked from network); 25 Jan 2020 15:13:35 -0600
Received: from dynamic RDNS (HELO HP511DF8) (Dynamic IP) by smtp external DNS name with ESMTP; 25 Jan 2020 15:13:35 -0600
Received-SPF: softfail (SMTP Server: transitioning SPF record at domain does not designate dynamic IP as permitted sender)
From: =?UTF-8?Q?Sender_name?=
To: =?UTF-8?Q?Recipient_name?=
Subject: =?UTF-8?Q?Subject?=
Date: Sat, 25 Jan 2020 19:35:07 +
Message-ID: <1815052843-1579980907@>
Content-Type: multipart/mixed; boundary="=_Part_Boundary_004b_6b102fb7.6b102fb7"
MIME-Version: 1.0
Question on Rule
Hello,

Can someone explain what this actually means and maybe provide an example?

Rule Name: FROM_MISSP_DYNIP
Rule Definition: misspaced + dynamic rDNS

Getting a high score on this and having trouble finding an actual real definition and example. I get the dynamic rDNS I believe, but not sure about the misspaced meaning for sure.

Thanks