Re: FROM_IN_TO_AND_SUBJ hits on emails with empty subject

2019-01-30 Thread John Hardin

On Wed, 30 Jan 2019, Olivier Coutu wrote:


meta   FROM_IN_TO_AND_SUBJ  (__TO_EQ_FROM && __SUBJ_HAS_FROM_1)
header __SUBJ_HAS_FROM_1    ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism


If the from and the to are identical and the subject is empty, this rule 
hits, e.g.


From: custo...@example.com
Subject:
To: "Scan PC" 

Since there is no restriction for \n in the \s+ after the subject, the /to/ 
in the next line is matched. An easy fix would be to change \s+ by [ \t]+ or 
something similar. The rule could also be cancelled by __SUBJECT_EMPTY


Thanks for the report, I will fix that tonight.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  So Microsoft's invented the ASCII equivalent to ugly ink spots that
  appear on your letter when your pen is malfunctioning.
 -- Greg Andrews, about Microsoft's way to encode apostrophes
---
 2 days until the 16th anniversary of the loss of STS-107 Columbia

FROM_IN_TO_AND_SUBJ hits on emails with empty subject

2019-01-30 Thread Olivier Coutu

meta   FROM_IN_TO_AND_SUBJ  (__TO_EQ_FROM && __SUBJ_HAS_FROM_1)
header __SUBJ_HAS_FROM_1    ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism

If the from and the to are identical and the subject is empty, this rule 
hits, e.g.


From: custo...@example.com
Subject:
To: "Scan PC" 

Since there is no restriction for \n in the \s+ after the subject, the 
/to/ in the next line is matched. An easy fix would be to change \s+ by 
[ \t]+ or something similar. The rule could also be cancelled by 
__SUBJECT_EMPTY
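
The false positive reported above, reproduced as an added example (not code from the thread or from SpamAssassin): Python's `re` runs the posted Perl regex and the suggested `[ \t]+` variant over constructed headers and reports which header line supplied the second copy of the From address. The address `alice@example.com`, the sample headers and the helper names are assumptions made for this illustration.

```python
import re

FLAGS = re.I | re.S | re.M  # same modifiers as the rule's /ism

# __SUBJ_HAS_FROM_1 as posted: \s+ after "Subject:" can also consume the newline.
ORIGINAL = re.compile(
    r"\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*"
    r"Subject:\s+[^\n]{0,100}\1[>,\s\n]", FLAGS)

# Suggested fix: only blanks and tabs may follow "Subject:".
FIXED = re.compile(
    r"\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*"
    r"Subject:[ \t]+[^\n]{0,100}\1[>,\s\n]", FLAGS)

def headers(subject_line):
    """Constructed header block; sender and recipient are the same address."""
    return ("Date: Wed, 30 Jan 2019 10:00:00 +0000\n"
            "From: alice@example.com\n"
            f"{subject_line}\n"
            'To: "Scan PC" <alice@example.com>\n'
            "Message-ID: <constructed-1@example.com>\n")

def where_found(pattern, text):
    """Return the name of the header line where the From address re-matched, or None."""
    m = pattern.search(text)
    if m is None:
        return None
    # The backreference \1 is the last occurrence of the address inside the match.
    pos = m.start() + m.group(0).rfind(m.group(1))
    line_start = text.rfind("\n", 0, pos) + 1
    return text[line_start:text.index("\n", pos)].split(":", 1)[0]

CASES = {  # constructed Subject lines
    "empty": "Subject:",
    "blank": "Subject: ",
    "plain": "Subject: scanned document",
    "has_from": "Subject: alice@example.com your invoice",
}

def evaluate():
    """Map each case to (header hit by ORIGINAL, header hit by FIXED)."""
    return {name: (where_found(ORIGINAL, headers(s)), where_found(FIXED, headers(s)))
            for name, s in CASES.items()}

if __name__ == "__main__":
    for name, (orig, fixed) in evaluate().items():
        print(f"{name:9} original={orig} fixed={fixed}")
```

With an empty or blank Subject the original pattern finds the address in the To line, while the fixed pattern matches only when the address really is in the Subject.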




Re: MISSING_SUBJECT versus empty subject

2014-11-20 Thread Niamh Holding

Hello Reindl,

Wednesday, November 19, 2014, 6:01:32 PM, you wrote:

RH> should there not be a SUBJECT_EMPTY rule

header   __NH_BLANK_SUB  Subject =~ /^\s*$/
describe __NH_BLANK_SUB  Subject is blank

meta     NH_EMPTY_SUB    (__HAS_SUBJECT && __NH_BLANK_SUB)
score    NH_EMPTY_SUB    1.5
describe NH_EMPTY_SUB    Subject: is empty

-- 
Best regards,
 Niamh                          mailto:ni...@fullbore.co.uk



Re: MISSING_SUBJECT versus empty subject

2014-11-20 Thread Matus UHLAR - fantomas

On 19.11.14 19:01, Reindl Harald wrote:
i have here a message hitting BAYES_95, CUST_DNSWL_2, CUST_DNSWL_5, 
DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, 
RCVD_IN_MSPIKE_H2, SPF_NONE but *not* MISSING_SUBJECT


most likely because Subject:  in the headers

is that intentional?

should there not be a SUBJECT_EMPTY rule in that case which maybe 
makes a lot of sense to penalty that case different (not that high as 
if the header don't exist at all)


I remember I have asked the same some years ago.
http://www.gossamer-threads.com/lists/spamassassin/users/104646

the explanation was that the current rule detects empty subject the same as
no subject at all. IIRC it was in fact the same rule as it is now:

header __HAS_SUBJECT   exists:Subject

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: MISSING_SUBJECT versus empty subject

2014-11-20 Thread Mark Martinec

Matus UHLAR - fantomas wrote:

I remember I have asked the same some years ago.
http://www.gossamer-threads.com/lists/spamassassin/users/104646

the explanation was that the current rule detects empty subject the same as
no subject at all. IIRC it was in fact the same rule as it is now:

header __HAS_SUBJECT   exists:Subject


In a 2007 posting:
| The header exists:header_name test really converts into:
|  header_data =~ /./

It was true years ago, but is no longer the case.
The 'exists:' now tests for a presence of a header field
(regardless of its header body - empty or not).

A test like:
  header L_EMPTY_SUBJECT  Subject !~ /\S/

triggers on both cases: missing or empty Subject header field.

Its counterpart:
  header L_NONEMPTY_SUBJECT  Subject =~ /\S/


Mark


MISSING_SUBJECT versus empty subject

2014-11-19 Thread Reindl Harald

Hi

i have here a message hitting BAYES_95, CUST_DNSWL_2, CUST_DNSWL_5, 
DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, 
RCVD_IN_MSPIKE_H2, SPF_NONE but *not* MISSING_SUBJECT


most likely because Subject:  in the headers

is that intentional?

should there not be a SUBJECT_EMPTY rule in that case which maybe 
makes a lot of sense to penalty that case different (not that high as if 
the header don't exist at all)







Re: MISSING_SUBJECT versus empty subject

2014-11-19 Thread Reindl Harald

back to list :-)

On 19.11.2014 at 19:13, Kevin A. McGrail wrote:

On 11/19/2014 1:01 PM, Reindl Harald wrote:

Hi

i have here a message hitting BAYES_95, CUST_DNSWL_2, CUST_DNSWL_5,
DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_MSPIKE_H2, SPF_NONE but *not* MISSING_SUBJECT

most likely because Subject:  in the headers

is that intentional?

should there not be a SUBJECT_EMPTY rule in that case which maybe
makes a lot of sense to penalty that case different (not that high as
if the header don't exist at all)

I don't think it will help because a blank subject doesn't show a Ham vs.
Spam differential.

I show the issue in both Ham and Spam.


correct but here that's the same for MISSING_SUBJECT

no joke, looked at the maillog and there is communication where i know 
the sending server, sender address and rcpt in person hitting that tag 
but sadly not which broken MUA



Statistically, I only have 12 spams out of 602 in my current stuff that
was FNs folder that might meet that criteria

Checking a ham folder, I have 27 emails out of ~18K that meet the same
criteria.


12/602 spam versus 27/18000 ham - hmmm - more likely spam


And thinking about all the emails that fly around for mailing list
moderation with no subjects, for example.

Anyway, if useful, it will only be in a meta is my immediate thought


i thought about a by default 0 scored rule enabled and scored only via 
local.cf by the admin or very low scored (0.001) which might make the 
difference FN/caught and should not hurt a legit message anything with 
else OK






Re: MISSING_SUBJECT versus empty subject

2014-11-19 Thread Kevin A. McGrail

On 11/19/2014 1:20 PM, Reindl Harald wrote:

back to list :-)

Sorry about that.

 i thought about a by default 0 scored rule enabled and scored only 
via local.cf by the admin or very low scored (0.001) which might make 
the difference FN/caught and should not hurt a legit message anything 
with else OK


If you write the rule, it can go into a sandbox and ruleqa will grade it 
and we can see, but based on my corporate and no other rules to tie it 
to for a meta, it's unlikely to be promoted.


Re: MISSING_SUBJECT versus empty subject

2014-11-19 Thread John Hardin

On Wed, 19 Nov 2014, Reindl Harald wrote:

i thought about a by default 0 scored rule enabled and scored only via 
local.cf by the admin or very low scored (0.001) which might make the 
difference FN/caught and should not hurt a legit message anything with else 
OK


It's more useful to do that as a subrule so that any cases where it + 
another rule are a good sign can be scored as a meta.


If the admin wanted to score on that alone, then they'd add a meta where 
the only member rule was the subrule, and score that.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Vista is at best mildly annoying and at worst makes you want to
  rush to Redmond, Wash. and rip somebody's liver out.  -- Forbes
---
 902 days since the first successful private support mission to ISS (SpaceX)


Re: MISSING_SUBJECT versus empty subject

2014-11-19 Thread Axb

On 11/19/2014 07:25 PM, Kevin A. McGrail wrote:

On 11/19/2014 1:20 PM, Reindl Harald wrote:

back to list :-)

Sorry about that.

  i thought about a by default 0 scored rule enabled and scored only
via local.cf by the admin or very low scored (0.001) which might make
the difference FN/caught and should not hurt a legit message anything
with else OK

If you write the rule, it can go into a sandbox and ruleqa will grade it
and we can see, but based on my corporate and no other rules to tie it
to for a meta, it's unlikely to be promoted.


If it got promoted, I promise I'd nuke it .-)


Re: MISSING_SUBJECT versus empty subject

2014-11-19 Thread Reindl Harald



On 19.11.2014 at 19:25, Kevin A. McGrail wrote:

On 11/19/2014 1:20 PM, Reindl Harald wrote:

back to list :-)

Sorry about that


no problem


i thought about a by default 0 scored rule enabled and scored only
via local.cf by the admin or very low scored (0.001) which might make
the difference FN/caught and should not hurt a legit message anything
with else OK

If you write the rule, it can go into a sandbox and ruleqa will grade it
and we can see, but based on my corporate and no other rules to tie it
to for a meta, it's unlikely to be promoted


thanks for feedback

it's still on my todo-list learn more about write SA rules besides RBL 
and i will come back with a example (after have it very low scored in 
production) as soon i find some spare time besides my 3 fulltime jobs


i guess the time around christmas will be dedicated to study 
SpamAssassin and the away from IT is scheduled again for the next year 
:-)






Re: MISSING_SUBJECT versus empty subject

2014-11-19 Thread Axb

On 11/19/2014 07:29 PM, Axb wrote:

On 11/19/2014 07:25 PM, Kevin A. McGrail wrote:

On 11/19/2014 1:20 PM, Reindl Harald wrote:

back to list :-)

Sorry about that.

  i thought about a by default 0 scored rule enabled and scored only
via local.cf by the admin or very low scored (0.001) which might make
the difference FN/caught and should not hurt a legit message anything
with else OK

If you write the rule, it can go into a sandbox and ruleqa will grade it
and we can see, but based on my corporate and no other rules to tie it
to for a meta, it's unlikely to be promoted.


If it got promoted, I promise I'd nuke it .-)


but if anybody wants to use it for a meta:

header __EMPTY_SUBJECT  Subject =~ /^\s*$/


Re: Rule to delete emails with empty subject.

2013-11-09 Thread Karsten Bräckelmann
Please keep mailing-list threads on-list. Do not reply personally.


On Sat, 2013-11-09 at 09:02 -0600, Sergio wrote:
 Thank you for your kind answers.
 
 Well, I am using cpanel with MailScanner and added this rule to my MCP
 set of rules, that are the same as SpamAssassin, the score is because
 the way I configured MS and the rule is not working, I have sent a few
 emails with an empty subject and all the emails comes in.

SA does not block, delete or reject mail. SA classifies mail, assigning
it a score reflecting the spam level. Any action whatsoever taken based
on that score is outside the scope of SA, and done by third-party tools
in your mail processing chain -- MailScanner in your case, I believe.

Thus, mail coming in is not an indicator of working or not, even less
so for a single rule. In particular, mail sent by yourself via your own
server is prone to get scored low -- countering the rule's score you are
testing.

The indicator whether a rule works or not is in the X-Spam headers added
by SA. Most notably the X-Spam-Status header listing all rules hit.
Since you're using MailScanner, the headers might be different. Not a MS
user here.

That's the kind of info we need.

In addition, a raw test message might help, too, uploaded to a pastebin.


 Sorry to bother, but, If I have to add this rule directly to
 SpamAssassin where will this be added in what file/directory?
 
 I have plenty of MCP rules and all of them work as expected, this is
 the only one that I have that didn't work.
 
 Once again, thanks for you inputs.

 On Fri, Nov 8, 2013 at 4:39 PM, Karsten Bräckelmann wrote: 
  On Fri, 2013-11-08 at 00:10 -0600, Sergio wrote:
   I tried this rule to stop emails with an empty subject, but it didn't
   work:
  
  The rule is fine, though the score is a tiiiny bit excessive.
  
  You'll have to elaborate on trying and doesn't work.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Rule to delete emails with empty subject.

2013-11-08 Thread RW
On Fri, 8 Nov 2013 00:10:01 -0600
Sergio wrote:

 Hi all,
 I tried this rule to stop emails with an empty subject, but it didn't
 work:
 
 header   SUBJECT_EMPTY SUBJECT =~ /^$/i
 describe SUBJECT_EMPTY EMPTY SUBJECT
 score    SUBJECT_EMPTY 11
 
 Any hint on what is wrong?

I pasted this into my local.cf and it worked for me.


Re: Rule to delete emails with empty subject.

2013-11-08 Thread Karsten Bräckelmann
On Fri, 2013-11-08 at 00:10 -0600, Sergio wrote:
 I tried this rule to stop emails with an empty subject, but it didn't
 work:

The rule is fine, though the score is a tiiiny bit excessive.

You'll have to elaborate on trying and doesn't work.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Rule to delete emails with empty subject.

2013-11-07 Thread Sergio
Hi all,
I tried this rule to stop emails with an empty subject, but it didn't work:

header   SUBJECT_EMPTY SUBJECT =~ /^$/i
describe SUBJECT_EMPTY EMPTY SUBJECT
score    SUBJECT_EMPTY 11

Any hint on what is wrong?

Best Regards to all,

Sergio


Re: Empty Subject

2007-04-10 Thread Theo Van Dinter
On Tue, Apr 10, 2007 at 08:23:15PM +0100, Paul Hurley wrote:
 I've received a couple of Spam recently similar to the attached.  They 
 all get through, and all trigger on Empty_Message, except the message 
 body isn't empty, and it contains some phrases that I would expect to 
 score off the scale
 
 I'm running Spamassassin V3.1.7.0 on Windows 32 via SAWin32 
 (http://sourceforge.net/projects/sawin32/) with all rules, network tests 
 and some of the common SARE rules.
 
 Any ideas ???

I would guess that SAWin32 is not sending things validly to SA.  Something
like a blank line at the top of the header, etc.

-- 
Randomly Selected Tagline:
There are all of these warnings and incantations and unnatural rituals
 and everything's veiled in this threat of you mess with the mayo,
 the mayo mess with you, man.   - Alton Brown, Good Eats, Mayo Clinc




Re: Nigerian Connection Spam was: [***SPAM***Empty Subject] [signed]

2007-04-10 Thread Matthias Schmidt [c]
On Tue, 10 Apr 2007 20:23:15 +0100, Paul Hurley wrote:

I've received a couple of Spam recently similar to the attached.  They 
all get through, and all trigger on Empty_Message, except the message 
body isn't empty, and it contains some phrases that I would expect to 
score off the scale

Here's the spamassassin report

No, score=4.0 required=6.0 tests=BAYES_50=0.001, EMPTY_MESSAGE=2.308, 
HTML_40_50=0.496, HTML_MESSAGE=0.1, RM_rb_ANCHOR=0.001, 
RM_rb_BREAK=0.001, RM_rb_FONT=0.001, RM_rb_PARA=0.001, 
SUBJ_ALL_CAPS=0.997, cust_LOCAL_TO_RCVD=0.1 autolearn=no version=3.1.7

I'm running Spamassassin V3.1.7.0 on Windows 32 via SAWin32 
(http://sourceforge.net/projects/sawin32/) with all rules, network tests 
and some of the common SARE rules.

Nigerian Connection Spam.

They get rejected here because their domain is usually invalid.

Thanks and all the best

Matthias



--
- [ SECURITY NOTICE ] -
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED]
digitally signed this message on 11 April 2007 at 01:40:00 UTC.
Verify this digital signature at http://www.ciphire.com/verify.