Re: Custome rule problem.
On Thu, February 19, 2009 15:50, Nigel Frankcom wrote: Am I missing something stupid? (Wouldn't be the 1st time) read 25_uribl.cf (google.com is in there) spamassassin 21 -D -t spammsg | less see skib domains header __NFheader ALL =~ /live\.com/i score __NFheader 0.1 uri __NFuri /www\.google\.com\/groups\// score __NFuri 0.1 meta NFheader_Details (__NFheader __NFuri) describe NFheader_Details live dot com spam score NFheader_Details 5.0 another reason for use uribl.com actively -- http://localhost/ 100% uptime and 100% mirrored :)
Custome rule problem.
Hi All, I've written the following rule to deal with spam a particular set of users are getting hit by that very few of my rules are hitting. Using --lint the rule come back clean but on testing it appears to be ignored. It's in the spamassassin directory. Am I missing something stupid? (Wouldn't be the 1st time) header __NFheader ALL =~ /live\.com/i score __NFheader 0.1 uri __NFuri /www\.google\.com\/groups\// score __NFuri 0.1 meta NFheader_Details (__NFheader __NFuri) describe NFheader_Details live dot com spam score NFheader_Details 5.0 Any help greatly received. Kind regards Nigel
Re: Custome rule problem.
On Thu, 2009-02-19 at 14:50 +, Nigel Frankcom wrote: Using --lint the rule come back clean but on testing it appears to be ignored. It's in the spamassassin directory. Am I missing something stupid? (Wouldn't be the 1st time) You're missing a lot of details. How do you test your rules? Try using the -D debugging, to see if the sub-rules actually hit. No sample, so we can't tell if your rules are correct. header __NFheader ALL =~ /live\.com/i score __NFheader 0.1 Meta-match sub-rules don't score. uri __NFuri /www\.google\.com\/groups\// score __NFuri 0.1 meta NFheader_Details (__NFheader __NFuri) describe NFheader_Details live dot com spam score NFheader_Details 5.0 -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: Custome rule problem.
Nigel Frankcom wrote: Hi All, I've written the following rule to deal with spam a particular set of users are getting hit by that very few of my rules are hitting. Using --lint the rule come back clean but on testing it appears to be ignored. It's in the spamassassin directory. Am I missing something stupid? (Wouldn't be the 1st time) header __NFheader ALL =~ /live\.com/i score __NFheader 0.1 uri __NFuri /www\.google\.com\/groups\// score __NFuri 0.1 meta NFheader_Details (__NFheader __NFuri) describe NFheader_Details live dot com spam score NFheader_Details 5.0 I would make the URI rule case-insensitive. Also, you do not need to have a score for the sub-rules. Other than that, I don't see anything obviously wrong. Post a sample spam email somewhere so we can see what you are trying to match. (Don't send the sample to the list, put it on pastebin or your webserver) -- Bowie
Re: Custome rule problem.
On Thu, 19 Feb 2009 16:16:48 +0100, Karsten Bräckelmann guent...@rudersport.de wrote: On Thu, 2009-02-19 at 14:50 +, Nigel Frankcom wrote: Using --lint the rule come back clean but on testing it appears to be ignored. It's in the spamassassin directory. Am I missing something stupid? (Wouldn't be the 1st time) You're missing a lot of details. How do you test your rules? Try using the -D debugging, to see if the sub-rules actually hit. No sample, so we can't tell if your rules are correct. header __NFheader ALL =~ /live\.com/i score __NFheader 0.1 Meta-match sub-rules don't score. uri __NFuri /www\.google\.com\/groups\// score __NFuri 0.1 meta NFheader_Details (__NFheader __NFuri) describe NFheader_Details live dot com spam score NFheader_Details 5.0 Testing was done through spamassassin --lint and with debug. I used a mail that *should* have hit the rules. Tried it with and without scores for meta's... just in case. I'll post up a sample of a test mail once the current round of other network screw ups are resolved. TIA Nigel
Re: Custome rule problem.
On Thu, 2009-02-19 at 15:21 +, Nigel Frankcom wrote: On Thu, 19 Feb 2009 16:16:48 +0100, Karsten Bräckelmann wrote: Am I missing something stupid? (Wouldn't be the 1st time) You're missing a lot of details. How do you test your rules? Try using the -D debugging, to see if the sub-rules actually hit. No sample, so we can't tell if your rules are correct. Testing was done through spamassassin --lint and with debug. I used a mail that *should* have hit the rules. Tried it with and without scores for meta's... just in case. Still missing the details. :) Like pasting the exact command you used for testing. Anyway, seeing that and above -- you didn't happen to try testing while still keeping the --lint? -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Custome rule problem.
On Thu, 19 Feb 2009, Nigel Frankcom wrote: Testing was done through spamassassin --lint and with debug. I used a mail that *should* have hit the rules. --lint is not for testing rule performance, as it uses an internally-generated test message. It's just to check for syntax errors. As has been requested, can you post a complete sample message on pastebin for us to see? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Gun Control laws cannot reduce violent crime, because gun control laws assume a violent criminal will obey the law. --- 3 days until George Washington's 277th Birthday
Re: Custome rule problem.
On Thu, 2009-02-19 at 14:50 +, Nigel Frankcom wrote: Hi All, I've written the following rule to deal with spam a particular set of users are getting hit by that very few of my rules are hitting. Using --lint the rule come back clean but on testing it appears to be ignored. It's in the spamassassin directory. Am I missing something stupid? (Wouldn't be the 1st time) header __NFheader ALL =~ /live\.com/i score __NFheader 0.1 uri __NFuri /www\.google\.com\/groups\// score __NFuri 0.1 meta NFheader_Details (__NFheader __NFuri) describe NFheader_Details live dot com spam score NFheader_Details 5.0 As others have said, meta subrules don't have scores. I prefer to develop a meta rule without adding the __ prefix to the subrules because then you can see which subrules fire. When you're happy that everything is working you can either add the __ prefix (and remember to change the meta rule to match) or simply add low scores to the subrules. I use spamc/spamd for live running and test new rules like this: 1) login as root. Edit local rules, which are in /etc/mail/spamassassin. Check for errors by running spamassassin --lint -D as root. When there are no errors, restart spamd 2) check the new rule by using spamc testmsg to check that the rule does in fact recognise the messag(es) that it should tag as spam. 3) check that the new rule doesn't generate false positives by regression testing against my entire test message collection. If it hits any other messages, see why and correct it as necessary. Feeding test messages through spamc has the advantage that I know that spamd is running in the same environment during testing as it will use for live operation. If I'm concerned that rules being tested might hit the live message stream I can easily enough stop Postfix for 5-10 minutes while I do the tests. A subsidiary benefit is that I can keep the test messages in a standard login directory. Martin
Re: Custome rule problem. Resolved
On Thu, 19 Feb 2009 08:01:48 -0800 (PST), John Hardin jhar...@impsec.org wrote: On Thu, 19 Feb 2009, Nigel Frankcom wrote: Testing was done through spamassassin --lint and with debug. I used a mail that *should* have hit the rules. --lint is not for testing rule performance, as it uses an internally-generated test message. It's just to check for syntax errors. As has been requested, can you post a complete sample message on pastebin for us to see? Many thanks to all... I have the rule working. As usual it was a syntactical error (typo). For anyone else getting the live.com emails with google groups links the following works: # Live.com spam #rev: #Nigel Frankcom: 19/02/2009 12:56:07~ works with 3.0.x, 3.1.x, 3.2.x # Tested on 3.0.4, 3.0.5, 3.1.0, 3.2.x header __NFheader ALL =~ /live\.com/i uri __NFuri m{^https?\://www\.google\.com/groups?}i meta NFheader_Details (__NFheader __NFuri) describe NFheader_Details live dot com spam. score NFheader_Details 7.0 My default is 5.0 but the AWL puts live with a positive score. I'm noting stuff from yahoo as well so will adjust this to suit. Feel free to mangle it, I'd appreciate a copy of any wider ranging working versions though. Kind regards and many thanks to all. Nigel
Re: Custome rule problem. Resolved
On Thu, 2009-02-19 at 16:37 +, Nigel Frankcom wrote: Many thanks to all... I have the rule working. As usual it was a syntactical error (typo). ;) Good to see it fixed. uri __NFuri m{^https?\://www\.google\.com/groups?}i Aha, so it's not m,groups/, with a trailing slash, as in your original post. :) Just as a reminder, that's exactly where you should use -D and check the sub-rules hit. No wild-goose chase, the missing sub is where to look at closer. Anyway, there's another (potential) issue with that RE. If it is a literal question-mark, then it needs to be escaped. And if it isn't, the s *and* the question-mark are useless -- a plain /group/ does the same. guenther -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Custome rule problem. Resolved
Feel free to mangle it, I'd appreciate a copy of any wider ranging working versions though. Here's what I've been using for quite a while. It was written when there was a spate of spam punting LiveSpace websites: header __MG_LSP1 From =~ /spaces\.live\.com/i uri __MG_LSP2 /^http:.{1,40}\.spaces\.live\.com/i describe MG_LIVESP Contains spaces.live.com URI but not from there. meta MG_LIVESP (!__MG_LSP1 __MG_LSP2) scoreMG_LIVESP 2.5 This works for me since I've never seen anything I'd want to read, either e-mail or USENET, that contained a LiveSpace URL. Martin