Re: Did the whitelist_from_rcvd semantics change?
> On Apr 28, 2023, at 10:24 AM, Reindl Harald wrote:
>
> On 28.04.23 at 18:11, Philip Prindeville wrote:
>>> On Apr 25, 2023, at 6:28 AM, Bill Cole wrote:
>>>
>>> On 2023-04-24 at 16:32:55 UTC-0400 (Mon, 24 Apr 2023 14:32:55 -0600)
>>> Philip Prindeville
>>> is rumored to have said:
>>> I thought the matching included subdomains, and seem to remember that working.
>>>
>>> It never has. At least not in the past 17 years.
>>>
>> Then how do pools of servers like *.protection.outbound.outlook.com get
>> handled?
>
> as * is always handled at globbing
>
> *.example.com
> *@example.com

Maybe I'm missing something, but the code brackets ${domain} with \Q and \E so globbing wouldn't work.

if ($rdns =~ /(?:^|\.)\Q${domain}\E$/i) { $match=1; last }
Re: Assistance with rule
On 28.04.23 12:11, Joey J wrote:
> I haven't written many of these with Meta, but wanted to make sure how this works.
> If the meta FROM_TEST from FROM_TEST_EMAIL && FROM_TEST_IP is false, does that mean the next line score will not be added/executed?
> In my mind, I feel like (top down logic) the score will happen all the time.
> Also, does this look like the right idea? Thanks!!
>
> header FROM_TEST_EMAIL From =~ /user@test\.com/i
> header FROM_TEST_IP Received =~ /from 1\.2\.3\.4/i
> meta FROM_TEST from FROM_TEST_EMAIL && FROM_TEST_IP
> score FROM_TEST -1.0

giving negative score to any rule based on headers that can be faked is a bad idea. That's why I advised using X-Spam-Relays-Trusted header (maybe X-Spam-Relays-Internal)

FROM_TEST_EMAIL and FROM_TEST_IP have both default positive score 1.0. you should perhaps use __FROM_TEST_EMAIL and __FROM_TEST_IP instead

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.
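
Added example (not part of the thread and not SpamAssassin code): a small Python model of the scoring described in the reply above, where a rule with no score line counts 1.0 and sub-rules named with a leading __ add nothing. The evaluate(), build() and total() helpers and the sample headers are constructed for illustration.

```python
import re

DEFAULT_SCORE = 1.0  # score of a rule that has no "score" line

def evaluate(header_rules, meta_rules, scores, headers):
    """Return (hits, total) for one message.

    header_rules: name -> (header name, compiled regex)
    meta_rules:   name -> rule names that must all hit (models A && B)
    """
    hits = set()
    for name, (hdr, rx) in header_rules.items():
        if any(rx.search(v) for h, v in headers if h.lower() == hdr.lower()):
            hits.add(name)
    for name, needed in meta_rules.items():
        if all(n in hits for n in needed):
            hits.add(name)
    # "__" sub-rules can hit and feed a meta rule, but never add to the score.
    total = sum(scores.get(n, DEFAULT_SCORE) for n in hits if not n.startswith("__"))
    return hits, total

def build(prefix):
    """The rules from the thread, with sub-rule names prefixed by `prefix`."""
    hdr = {
        prefix + "FROM_TEST_EMAIL": ("From", re.compile(r"user@test\.com", re.I)),
        prefix + "FROM_TEST_IP": ("Received", re.compile(r"from 1\.2\.3\.4", re.I)),
    }
    meta = {"FROM_TEST": list(hdr)}
    return hdr, meta, {"FROM_TEST": -1.0}

# Constructed sample messages as (header name, value) pairs.
BOTH = [("From", "User <user@test.com>"),
        ("Received", "from 1.2.3.4 by mx.example.net")]
EMAIL_ONLY = [("From", "User <user@test.com>"),
              ("Received", "from 5.6.7.8 by mx.example.net")]

def total(prefix, headers):
    return evaluate(*build(prefix), headers)[1]

if __name__ == "__main__":
    for prefix in ("", "__"):
        for label, msg in (("both match", BOTH), ("email only", EMAIL_ONLY)):
            print(f"prefix={prefix!r:5} {label}: total {total(prefix, msg):+.1f}")
```

With unprefixed sub-rules the message that matches both conditions ends up at +1.0 (1.0 + 1.0 - 1.0) rather than -1.0, and a message matching only the From rule still gains 1.0.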
Re: Did the whitelist_from_rcvd semantics change?
On 2023-04-28 at 12:11:02 UTC-0400 (Fri, 28 Apr 2023 10:11:02 -0600)
Philip Prindeville
is rumored to have said:

> On Apr 25, 2023, at 6:28 AM, Bill Cole wrote:
>
>> On 2023-04-24 at 16:32:55 UTC-0400 (Mon, 24 Apr 2023 14:32:55 -0600)
>> Philip Prindeville
>> is rumored to have said:
>>
>>> I thought the matching included subdomains, and seem to remember that working.
>>
>> It never has. At least not in the past 17 years.
>
> Then how do pools of servers like *.protection.outbound.outlook.com get handled?

Subdomains are implicitly included in the relay hostname parameter, NOT in the From address parameter, where simple glob wildcards work.

RTFM: perldoc Mail::SpamAssassin::Conf

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
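
Added example (not part of the thread): a Python model of the two whitelist_from_rcvd parameters discussed above. The relay-hostname check is transcribed from the Perl line quoted in this thread; the From-address glob handling is an assumption written from the description in this reply, not SpamAssassin's own code, and all function names and sample hosts are constructed.

```python
import re

def addr_glob_to_regex(pattern):
    # Assumed model of the From-address parameter: only * and ? are wildcards,
    # every other character is matched literally, and the pattern is anchored.
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def rdns_matches(rdns, domain):
    # Python form of the thread's /(?:^|\.)\Q${domain}\E$/i: re.escape() plays
    # the role of \Q...\E, so a "*" in the relay parameter is a literal "*".
    return re.search(r"(?:^|\.)" + re.escape(domain) + "$", rdns, re.I) is not None

def whitelist_from_rcvd(addr_glob, relay_domain, from_addr, relay_rdns):
    # Both parameters must match for the entry to apply.
    addr_ok = addr_glob_to_regex(addr_glob).match(from_addr.lower()) is not None
    return addr_ok and rdns_matches(relay_rdns, relay_domain)

# Constructed sample values.
POOL_HOST = "mail-a1.protection.outbound.outlook.com"

def demo():
    return {
        "bare domain covers pool": rdns_matches(POOL_HOST, "protection.outbound.outlook.com"),
        "star in relay parameter": rdns_matches(POOL_HOST, "*.protection.outbound.outlook.com"),
        "label boundary enforced": rdns_matches("notexample.com", "example.com"),
        "address glob, subdomain": whitelist_from_rcvd(
            "*@example.com", "example.com", "user@sub.example.com", "mx.example.com"),
        "address glob, wildcard": whitelist_from_rcvd(
            "*@*.example.com", "example.com", "user@sub.example.com", "mx.example.com"),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The `(?:^|\.)` prefix is what keeps a relay named notexample.com from satisfying an entry for example.com: the match has to start at the beginning of the hostname or at a label boundary.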
Re: Assistance with rule
I haven't written many of these with Meta, but wanted to make sure how this works.
If the meta FROM_TEST from FROM_TEST_EMAIL && FROM_TEST_IP is false, does that mean the next line score will not be added/executed?
In my mind, I feel like (top down logic) the score will happen all the time.
Also, does this look like the right idea? Thanks!!

header FROM_TEST_EMAIL From =~ /user@test\.com/i
header FROM_TEST_IP Received =~ /from 1\.2\.3\.4/i
meta FROM_TEST from FROM_TEST_EMAIL && FROM_TEST_IP
score FROM_TEST -1.0

On Fri, Apr 28, 2023 at 11:48 AM Matus UHLAR - fantomas wrote:

> On 28.04.23 11:04, Joey J wrote:
> >I have this rule which I thought looked good, but doesn't seem to ever kick
> >in.
> >
> >header FROM_TEST_IP_AND_EMAIL From =~ /sender@sender\.com/i && Received =~ /from 138\.193\.30\.7/
> >
> >I was hoping to find the senders email address, then if it's found, see the
> >sending IP, if that matches gives a negative score.
> >
> >Is there a better way?
> >
> >Also is there some kind of rule tester you can use where you put a rule,
> >put some headers and see what it evaluates?
>
> you must create two separate rules and a meta rule for that.
>
> I also recommend using X-Spam-Relays-Trusted pre-parsed pseudo-header:
>
> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> You have the right to remain silent. Anything you say will be misquoted,
> then used against you.
>

--
Thanks!
Joey
Re: Did the whitelist_from_rcvd semantics change?
> On Apr 25, 2023, at 6:28 AM, Bill Cole wrote:
>
> On 2023-04-24 at 16:32:55 UTC-0400 (Mon, 24 Apr 2023 14:32:55 -0600)
> Philip Prindeville
> is rumored to have said:
>
>> I thought the matching included subdomains, and seem to remember that
>> working.
>
> It never has. At least not in the past 17 years.
>

Then how do pools of servers like *.protection.outbound.outlook.com get handled?

-Philip
Re: FROM_RETURNPATH_MISMATCH
Thank you all.
Someone internally must have seen that rule and added it, I think I'm going to pull it out as it has way too many false positives.
I took the assumption (we know) that it was one of the base rules.

On Fri, Apr 28, 2023 at 11:43 AM Matus UHLAR - fantomas wrote:

> On 28.04.23 10:58, Joey J wrote:
> >I'm trying to understand why SA keeps scoring this rule, when the sender
> >only has their from address, no reply to etc, nothing helping me to
> >understand why.
> >
> >I'm guessing here, but this would be where the reply to differs from the
> >from?
> >
> >Any assistance appreciated.
>
> I don't see FROM_RETURNPATH_MISMATCH in spamassassin rules, perhaps you
> fetched it from 3rd party source?
>
> maybe from here:
>
> https://www.lexo.ch/blog/2018/07/solved-spf-setting-does-not-apply-to-return-path-causing-more-spam-and-phishing-e-mails-spamassassin-postfix/
>
> however, that is quite complicated regex and quite possibly wrong.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Despite the cost of living, have you noticed how popular it remains?
>

--
Thanks!
Joey
Re: Assistance with rule
On 28.04.23 11:04, Joey J wrote:
> I have this rule which I thought looked good, but doesn't seem to ever kick in.
>
> header FROM_TEST_IP_AND_EMAIL From =~ /sender@sender\.com/i && Received =~ /from 138\.193\.30\.7/
>
> I was hoping to find the senders email address, then if it's found, see the sending IP, if that matches gives a negative score.
>
> Is there a better way?
>
> Also is there some kind of rule tester you can use where you put a rule, put some headers and see what it evaluates?

you must create two separate rules and a meta rule for that.

I also recommend using X-Spam-Relays-Trusted pre-parsed pseudo-header:

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: FROM_RETURNPATH_MISMATCH
On 2023-04-28 at 10:58:52 UTC-0400 (Fri, 28 Apr 2023 10:58:52 -0400)
Joey J
is rumored to have said:

> Hello All,
>
> I'm trying to understand why SA keeps scoring this rule, when the sender only has their from address, no reply to etc, nothing helping me to understand why.
>
> I'm guessing here, but this would be where the reply to differs from the from?

FROM_RETURNPATH_MISMATCH is not in the current ruleset from the default rule channel nor is it in the widely-used KAM ruleset (maintained by a PMC-member, but not part of the SA Project proper.) Hence, that rule is part of your local customization of SpamAssassin.

> Any assistance appreciated.

Well, my ***GUESS*** based on the name is that a rule called FROM_RETURNPATH_MISMATCH would be when the SMTP envelope sender (RFC5321.MailFrom, in RFC 5598 terminology, often preserved in a Return-Path header during delivery) and the message header From address (RFC5322.From) which are not intrinsically identical but usually are in person-to-person email.

The *actual* definition of that rule will be somewhere in your SA config, most likely in /etc/mail/spamassassin/local.cf

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: FROM_RETURNPATH_MISMATCH
On 28.04.23 10:58, Joey J wrote:
> I'm trying to understand why SA keeps scoring this rule, when the sender only has their from address, no reply to etc, nothing helping me to understand why.
>
> I'm guessing here, but this would be where the reply to differs from the from?
>
> Any assistance appreciated.

I don't see FROM_RETURNPATH_MISMATCH in spamassassin rules, perhaps you fetched it from 3rd party source?

maybe from here:

https://www.lexo.ch/blog/2018/07/solved-spf-setting-does-not-apply-to-return-path-causing-more-spam-and-phishing-e-mails-spamassassin-postfix/

however, that is quite complicated regex and quite possibly wrong.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Despite the cost of living, have you noticed how popular it remains?
Assistance with rule
Hello all,

I have this rule which I thought looked good, but doesn't seem to ever kick in.

header FROM_TEST_IP_AND_EMAIL From =~ /sender@sender\.com/i && Received =~ /from 138\.193\.30\.7/
score FROM_TEST_IP_AND_EMAIL -8.0

I was hoping to find the senders email address, then if it's found, see the sending IP, if that matches gives a negative score.

Is there a better way?

Also is there some kind of rule tester you can use where you put a rule, put some headers and see what it evaluates?

--
Thanks!
Joey
FROM_RETURNPATH_MISMATCH
Hello All,

I'm trying to understand why SA keeps scoring this rule, when the sender only has their from address, no reply to etc, nothing helping me to understand why.

I'm guessing here, but this would be where the reply to differs from the from?

Any assistance appreciated.

--
Thanks!
Joey