Re: Running spamassassin only with specific rules

2022-04-22 Thread Bill Cole
On 2022-04-22 at 09:20:17 UTC-0400 (Fri, 22 Apr 2022 09:20:17 -0400)
Michael Grant 
is rumored to have said:

> Is there some way to run spamassassin with only a specific set of rules and 
> scores?
>
> I've tried putting the rules in a rules.cf file and running spamassassin like:
>
> spamassassin -t -p rules.cf < test.eml
>
> but it runs all the rules including the ones in rules.cf

Correct. The -p option loads a file in 'user prefs' mode, which is 
supplementary to the base config and cannot change some settings.

> I've tried changing the config path with -C so it doesn't pick up the
> other cf files but this breaks things.

Correct. The -C flag replaces the "LOCAL_STATE_DIR" setting, which is the top 
of the versioned tree into which sa-update loads rules channels. Typically 
something like /var/lib/spamassassin/3.004006/ or 
/var/db/spamassassin/3.004006/ with $channelname.cf files that contain include 
directives for files in $channelname/ subdirectories. There MUST be at least 
one *.cf file in the LOCAL_STATE_DIR or spamassassin will exit with a message 
telling you to run sa-update. Note that the default config settings and utility 
subrules are defined in the rules channel, so if you run SA with an empty .cf 
there, you may have unexpected results.

In addition to -C pointing to a directory with some *.cf (maybe empty!) you can 
use '--siteconfigpath=path' to change where spamassassin looks for your *.pre 
files and your local.cf file.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
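
The invocation described in the reply above, as an added example that is not part of the original post: it builds a throwaway tree with one directory for -C (holding only a copy of the rules file, so the "at least one *.cf" requirement is met) and an empty directory for --siteconfigpath. The function names and the directory layout are assumptions made for illustration.

```shell
# sa_isolated_tree RULES_CF: build a throwaway config tree, print its path.
#   <tree>/rules/  passed to -C; holds only a copy of RULES_CF
#   <tree>/site/   passed to --siteconfigpath; left empty, so no *.pre
#                  files and no local.cf are picked up
sa_isolated_tree() {
    [ -r "$1" ] || { echo "cannot read rules file: $1" >&2; return 1; }
    dir=$(mktemp -d) || return 1
    mkdir "$dir/rules" "$dir/site" || return 1
    # spamassassin exits asking for sa-update unless -C holds a *.cf file
    cp "$1" "$dir/rules/rules.cf" || return 1
    printf '%s\n' "$dir"
}

# sa_only RULES_CF MESSAGE: lint the isolated config, then scan MESSAGE in
# test mode. The stock defaults and utility subrules are absent here, so
# results can differ from a normal run, as the reply warns.
sa_only() {
    tree=$(sa_isolated_tree "$1") || return 1
    spamassassin -C "$tree/rules" --siteconfigpath="$tree/site" --lint &&
        spamassassin -C "$tree/rules" --siteconfigpath="$tree/site" -t < "$2"
    rc=$?
    rm -rf "$tree"
    return $rc
}

# Usage: sa_only rules.cf test.eml
```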




Re: How to deal with bounce messages

2022-04-22 Thread David Bürgin
Matus UHLAR - fantomas:
> > > and spf is unapplicable since the envelope from is null.
> > 
> > Isn't that the case with all bounce messages?
> 
> usually yes, it should be. But we of course can't guarantee that.
> 
> This also means that SPF can't be used, thus either those messages have DKIM
> signatures, or they CAN NOT pass DMARC.

In SPF, when the reverse-path is null, the HELO name is instead
verified. So a null reverse-path can work fine with relaxed alignment.
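
The alignment decision discussed in this sub-thread, as an added example that is not part of the original posts: which domain SPF authenticates when the reverse-path is null, and whether that domain aligns with the header From: domain. The function names are hypothetical, the example domains used with it are constructed, and org_domain() is a simplification that keeps the last two labels instead of consulting the Public Suffix List.

```shell
# Assumption: org_domain() keeps the last two labels; a real evaluator
# uses the Public Suffix List to find the organizational domain.
org_domain() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        awk -F. '{ if (NF < 2) print $0; else print $(NF-1) "." $NF }'
}

# spf_identity MAILFROM HELO: print the domain SPF authenticates.
# A null reverse-path ("<>" or empty) falls back to the HELO name.
spf_identity() {
    addr=${1#<}; addr=${addr%>}
    case "$addr" in
        '')  printf '%s\n' "$2" ;;
        *@*) printf '%s\n' "${addr##*@}" ;;
        *)   printf '%s\n' "$addr" ;;
    esac
}

# spf_aligned FROM_DOMAIN MAILFROM HELO SPF_RESULT MODE
# MODE is r (relaxed) or s (strict), as in the DMARC aspf tag.
spf_aligned() {
    [ "$4" = pass ] || return 1
    ident=$(spf_identity "$2" "$3" | tr 'A-Z' 'a-z')
    from=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
    if [ "$5" = s ]; then
        [ "$ident" = "$from" ]
    else
        [ "$(org_domain "$ident")" = "$(org_domain "$from")" ]
    fi
}

# dmarc_pass FROM_DOMAIN MAILFROM HELO SPF_RESULT DKIM_D MODE
# DKIM_D is the d= domain of a valid signature, or empty if none verified.
# DKIM alignment is checked in relaxed mode here to keep the example short.
dmarc_pass() {
    spf_aligned "$1" "$2" "$3" "$4" "$6" && return 0
    [ -n "$5" ] && [ "$(org_domain "$5")" = "$(org_domain "$1")" ]
}
```

For a bounce with From: domain example.org, a null reverse-path and HELO mx.example.org, `spf_aligned example.org '<>' mx.example.org pass r` succeeds, while the same call with mode `s` or with a HELO under another domain fails.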


Re: Running spamassassin only with specific rules

2022-04-22 Thread Martin Gregorie
On Fri, 2022-04-22 at 09:20 -0400, Michael Grant wrote:
> Is there some way to run spamassassin with only a specific set of
> rules and scores?
> 
If I'm trying to target specific sorts of spam I write rules
that sort of follow these guidelines:

- their rule names all start with my initials followed by an underscore,
  followed by something specific, e.g. XXX_FAKE_INVOICE. Any subrules
  append a number to this name: XXX_FAKE_INVOICE2

- if a subrule will always be part of a more complex rule, i.e. linked
  in with a meta-rule, it will initially be named as described, and only
  when debugged and working will its name be changed to, say,
  __XXX_FAKE_INVOICE2
  to stop subrule names from cluttering the header area of processed
  messages.

- these rules don't reference any standard rules 

The result of the above is that it doesn't matter whether other rules
also run because I can see exactly which part(s) of my rules are firing
and know they won't be affected by any other rules because there are no
references to any standard rules or (usually) to my other self-developed
rules: naming rules, if done carefully, is as good a way as any to
isolate your own rules from the standard rule set and/or any others
you've found or been given. 

I do all rule development on a separate machine, which also has SA
installed. This is configured so it only runs when triggered by a shell
script. This starts SA, pipes a set of test messages into it, and stops
SA when all test messages have been run. SA's output is sent to stdout
so it can be inspected using 'less', filtered with grep to only show
output from my rules or however else I want to handle it to make it more
readable.

When I'm happy with a new rule it gets put live by ftping the .cf file
containing it to the live machine's repository and restarting the live
SA daemon to pick up the new rule(s). Last, but not least, all my
private rules are put under version control in a git repository.

HTH
Martin
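
A filter of the kind described in the message above, as an added example that is not the poster's own script: it reads SpamAssassin output, unfolds the X-Spam-Status header and prints only the hits whose names start with a chosen prefix. The function names, the `*.eml` layout of the test directory and the use of `spamassassin -t` in place of a daemon are assumptions.

```shell
# own_hits PREFIX: read SpamAssassin output on stdin and print, one per
# line, the rules in the X-Spam-Status tests= list that start with PREFIX.
own_hits() {
    awk -v p="$1" '
        /^X-Spam-Status:/ && !seen { seen = 1; grab = 1; buf = $0; next }
        grab && /^[ \t]/ {                 # folded continuation line
            sub(/^[ \t]+/, "")
            buf = buf (buf ~ /,$/ ? "" : " ") $0
            next
        }
        grab { grab = 0 }                  # first line after the header
        END {
            if (!match(buf, /tests=[^ ]*/)) exit
            n = split(substr(buf, RSTART + 6, RLENGTH - 6), t, ",")
            for (i = 1; i <= n; i++)
                if (index(t[i], p) == 1) print t[i]
        }'
}

# run_corpus DIR PREFIX: scan every *.eml in DIR and list, per message,
# only the hits that belong to the rule set under development.
run_corpus() {
    for msg in "$1"/*.eml; do
        [ -f "$msg" ] || continue
        hits=$(spamassassin -t < "$msg" | own_hits "$2" | tr '\n' ' ')
        printf '%s: %s\n' "$msg" "${hits:-none}"
    done
}

# Usage: run_corpus ./testmsgs XXX_
```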



Re: How to deal with bounce messages

2022-04-22 Thread Matus UHLAR - fantomas

> > > https://pastebin.com/s032ndrA
> > >
> > > It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
> >
> > where did you get these from?

On 22.04.22 10:02, Alex wrote:
> I just realized these are from my local rules, put together from a
> conversation many years ago, apparently from before SA had built-in
> DMARC support.
>
> https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html

now I really wonder why these aren't part of stock SA rules.

> > DMARC is built on header From:, this needs either correct DKIM, or correct SPF
> > with envelope from domain equal to header From: domain.
> >
> > this message has no DKIM signature. policy is reject:
> >
> > _dmarc.deltra.de.   86400   IN  TXT
> > "v=DMARC1;p=reject;rua=mailto:postmas...@deltra.de";
>
> Ah yes, thanks.
>
> > and spf is unapplicable since the envelope from is null.
>
> Isn't that the case with all bounce messages?

usually yes, it should be. But we of course can't guarantee that.

This also means that SPF can't be used, thus either those messages have DKIM
signatures, or they CAN NOT pass DMARC.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: How to deal with bounce messages

2022-04-22 Thread Alex
> >https://pastebin.com/s032ndrA
> >
> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
>
> where did you get these from?

I just realized these are from my local rules, put together from a
conversation many years ago, apparently from before SA had built-in
DMARC support.

https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html

> DMARC is built on header From:, this needs either correct DKIM, or correct SPF
> with envelope from domain equal to header From: domain.
>
> this message has no DKIM signature. policy is reject:
>
> _dmarc.deltra.de.   86400   IN  TXT 
> "v=DMARC1;p=reject;rua=mailto:postmas...@deltra.de";

Ah yes, thanks.

> and spf is unapplicable since the envelope from is null.

Isn't that the case with all bounce messages?

> >It's also somehow hitting BAYES_99 - do you train your bounce messages?
>
> yes.

Great, thanks.


Running spamassassin only with specific rules

2022-04-22 Thread Michael Grant
Is there some way to run spamassassin with only a specific set of rules and 
scores?

I've tried putting the rules in a rules.cf file and running spamassassin like:

spamassassin -t -p rules.cf < test.eml

but it runs all the rules including the ones in rules.cf

I've tried changing the config path with -C so it doesn't pick up the
other cf files but this breaks things.

I'm trying to identify specific types of spam.

Michael Grant




Re: How to deal with bounce messages

2022-04-22 Thread Matus UHLAR - fantomas

On 22.04.22 08:40, Alex wrote:
> I'm seeing bounce messages being tagged incorrectly and would like
> some help in how to fix it. This is mail sent from our servers.
>
> https://pastebin.com/s032ndrA
>
> It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but

where did you get these from?

> also KAM_DMARC_REJECT, giving it no opportunity to ever get delivered.
> I'm assuming it's failing DMARC because the envelope sender is the
> same as the original message but the message body and From address are
> that of the rejecting server.

DMARC is built on header From:, this needs either correct DKIM, or correct SPF
with envelope from domain equal to header From: domain.

this message has no DKIM signature. policy is reject:

_dmarc.deltra.de.   86400   IN  TXT
"v=DMARC1;p=reject;rua=mailto:postmas...@deltra.de";

and spf is unapplicable since the envelope from is null.

so the DMARC reject is correct.

> How do others deal with this? I'm just now seeing
> welcomelist_bounce_relays - I don't think I've seen that before or
> have defined it. The description says the BOUNCE_MESSAGE won't fire if
> this isn't defined, yet this rule was triggered.
>
> It's also somehow hitting BAYES_99 - do you train your bounce messages?

yes.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.


How to deal with bounce messages

2022-04-22 Thread Alex
Hi,

I'm seeing bounce messages being tagged incorrectly and would like
some help in how to fix it. This is mail sent from our servers.

https://pastebin.com/s032ndrA

It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
also KAM_DMARC_REJECT, giving it no opportunity to ever get delivered.
I'm assuming it's failing DMARC because the envelope sender is the
same as the original message but the message body and From address are
that of the rejecting server.

How do others deal with this? I'm just now seeing
welcomelist_bounce_relays - I don't think I've seen that before or
have defined it. The description says the BOUNCE_MESSAGE won't fire if
this isn't defined, yet this rule was triggered.

It's also somehow hitting BAYES_99 - do you train your bounce messages?

Thanks,
Alex