Re: MISSING_SUBJECT rule on email with subject
Hi Charles, Yes, it was an incorrectly escaped forward slash in a subject rule. On 2019/06/24 16:12, Charles Amstutz wrote: Hi Charles, My apologies, I forgot to provide feedback to the mailing list. Bad regex was the cause of this problem for us, too. As soon as the custom rule was fixed, the problem went away. If I can ask, was it an incorrectly escaped special character? I think it is the @ symbol breaking mine.
Re: MISSING_SUBJECT rule on email with subject
Hi Charles, My apologies, I forgot to provide feedback to the mailing list. Bad regex was the cause of this problem for us, too. As soon as the custom rule was fixed, the problem went away. Kind Regards, Stephan On 2019/06/24 15:58, Charles Amstutz wrote: But as has already been pointed out it has the combination of MISSING_FROM and HK_RANDOM_FROM, and the latter is based on a From:addr test. I saw this too, however, I thought I noticed a potentially bad regex (from another custom rule) breaking mine. I think this is the case as when I removed the rule, it stopped the missing_subject stopped hitting. However, I'm still testing.
RE: MISSING_SUBJECT rule on email with subject
> But as has already been pointed out it has the combination of > MISSING_FROM and HK_RANDOM_FROM, and the latter is based on a > From:addr test. I saw this too, however, I thought I noticed a potentially bad regex (from another custom rule) breaking mine. I think this is the case as when I removed the rule, it stopped the missing_subject stopped hitting. However, I'm still testing.
Re: MISSING_SUBJECT rule on email with subject
On Tue, 4 Jun 2019 18:10:51 +0300 Savvas Karagiannidis wrote: > Hi, > > my guess is that for some reason an empty line is inserted in the > email somewhere above the headers and before the message is processed > by spamassassin. This will cause all headers below this empty line to > be treated as the actual body of the message, so all missing header > tests will hit and will result in what you actually see. But as has already been pointed out it has the combination of MISSING_FROM and HK_RANDOM_FROM, and the latter is based on a From:addr test.
Re: MISSING_SUBJECT rule on email with subject
Hi, my guess is that for some reason an empty line is inserted in the email somewhere above the headers and before the message is processed by spamassassin. This will cause all headers below this empty line to be treated as the actual body of the message, so all missing header tests will hit and will result in what you actually see. This could be a bug in the software you use for email content filtering... Regards, Savvas Karagiannidis On 04/06/2019 17:29, Stephan Fourie wrote: Hi, My apologies, seems something went wrong with the formatting when it was pasted to the pastebin. Here's a new example with spacing intact: https://pastebin.com/raw/tQtSMQPs In this example some of the other headers were also not 'seen'. Thanks! Stephan On 2019/06/04 10:55, Matus UHLAR - fantomas wrote: On 3 Jun 2019, at 2:20, Stephan Fourie wrote: > We're currently seeing the rule MISSING_SUBJECT sporadically > hitting on emails that have a subject. This issue seems to have > started during last week, which is when clients started complaining > about false positive detections. Please see example headers at the > following link: > > https://pastebin.com/raw/GtnV67Hj On Mon, 03 Jun 2019 11:43:44 -0400 Bill Cole wrote: The headers are all missing the traditional space between the colon and the header content. On 03.06.19 19:11, RW wrote: And this include google headers, so presumably the spaces have been stripped locally. now one question is, if the spaces have been stripped prior to spam checking, another is, if SA does/should expect whitespaces after header fields. if the first answer is true, then SA can't do much about misformatted e-mail. But since FROM_AND_TO_IS_SAME_DOMAIN was hit, I don't think the spaces were stripped, so - we need to see the original message as it was scanned. Anything else, reformated by anyone (e.g. outlook or exchange use to reformat mail), can't help us much finding the issue.
Re: MISSING_SUBJECT rule on email with subject
On 04.06.19 16:29, Stephan Fourie wrote: My apologies, seems something went wrong with the formatting when it was pasted to the pastebin. Here's a new example with spacing intact: https://pastebin.com/raw/tQtSMQPs In this example some of the other headers were also not 'seen'. there's something strange: 1.0 HK_RANDOM_FROM From username looks random 0.5 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (x[at]gmail.com) 1.0 MISSING_FROM Missing From: header 1.8 MISSING_SUBJECTMissing Subject: header so the spam scanner both did and did not see the From: header. What do you use for mail scanning? On 2019/06/04 10:55, Matus UHLAR - fantomas wrote: On 3 Jun 2019, at 2:20, Stephan Fourie wrote: We're currently seeing the rule MISSING_SUBJECT sporadically hitting on emails that have a subject. This issue seems to have started during last week, which is when clients started complaining about false positive detections. Please see example headers at the following link: https://pastebin.com/raw/GtnV67Hj On Mon, 03 Jun 2019 11:43:44 -0400 Bill Cole wrote: The headers are all missing the traditional space between the colon and the header content. On 03.06.19 19:11, RW wrote: And this include google headers, so presumably the spaces have been stripped locally. now one question is, if the spaces have been stripped prior to spam checking, another is, if SA does/should expect whitespaces after header fields. if the first answer is true, then SA can't do much about misformatted e-mail. But since FROM_AND_TO_IS_SAME_DOMAIN was hit, I don't think the spaces were stripped, so - we need to see the original message as it was scanned. Anything else, reformated by anyone (e.g. outlook or exchange use to reformat mail), can't help us much finding the issue. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Microsoft dick is soft to do no harm
Re: MISSING_SUBJECT rule on email with subject
Hi, My apologies, seems something went wrong with the formatting when it was pasted to the pastebin. Here's a new example with spacing intact: https://pastebin.com/raw/tQtSMQPs In this example some of the other headers were also not 'seen'. Thanks! Stephan On 2019/06/04 10:55, Matus UHLAR - fantomas wrote: On 3 Jun 2019, at 2:20, Stephan Fourie wrote: > We're currently seeing the rule MISSING_SUBJECT sporadically > hitting on emails that have a subject. This issue seems to have > started during last week, which is when clients started complaining > about false positive detections. Please see example headers at the > following link: > > https://pastebin.com/raw/GtnV67Hj On Mon, 03 Jun 2019 11:43:44 -0400 Bill Cole wrote: The headers are all missing the traditional space between the colon and the header content. On 03.06.19 19:11, RW wrote: And this include google headers, so presumably the spaces have been stripped locally. now one question is, if the spaces have been stripped prior to spam checking, another is, if SA does/should expect whitespaces after header fields. if the first answer is true, then SA can't do much about misformatted e-mail. But since FROM_AND_TO_IS_SAME_DOMAIN was hit, I don't think the spaces were stripped, so - we need to see the original message as it was scanned. Anything else, reformated by anyone (e.g. outlook or exchange use to reformat mail), can't help us much finding the issue.
Re: MISSING_SUBJECT rule on email with subject
On 3 Jun 2019, at 2:20, Stephan Fourie wrote: > We're currently seeing the rule MISSING_SUBJECT sporadically > hitting on emails that have a subject. This issue seems to have > started during last week, which is when clients started complaining > about false positive detections. Please see example headers at the > following link: > > https://pastebin.com/raw/GtnV67Hj On Mon, 03 Jun 2019 11:43:44 -0400 Bill Cole wrote: The headers are all missing the traditional space between the colon and the header content. On 03.06.19 19:11, RW wrote: And this include google headers, so presumably the spaces have been stripped locally. now one question is, if the spaces have been stripped prior to spam checking, another is, if SA does/should expect whitespaces after header fields. if the first answer is true, then SA can't do much about misformatted e-mail. But since FROM_AND_TO_IS_SAME_DOMAIN was hit, I don't think the spaces were stripped, so - we need to see the original message as it was scanned. Anything else, reformated by anyone (e.g. outlook or exchange use to reformat mail), can't help us much finding the issue. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux IS user friendly, it's just selective who its friends are...
Re: MISSING_SUBJECT rule on email with subject
On Mon, 03 Jun 2019 11:43:44 -0400 Bill Cole wrote: > On 3 Jun 2019, at 2:20, Stephan Fourie wrote: > > > Hi, > > > > We're currently seeing the rule MISSING_SUBJECT sporadically > > hitting on emails that have a subject. This issue seems to have > > started during last week, which is when clients started complaining > > about false positive detections. Please see example headers at the > > following link: > > > > https://pastebin.com/raw/GtnV67Hj > > The headers are all missing the traditional space between the colon > and the header content. And this include google headers, so presumably the spaces have been stripped locally.
Re: MISSING_SUBJECT rule on email with subject
On 3 Jun 2019, at 2:20, Stephan Fourie wrote: Hi, We're currently seeing the rule MISSING_SUBJECT sporadically hitting on emails that have a subject. This issue seems to have started during last week, which is when clients started complaining about false positive detections. Please see example headers at the following link: https://pastebin.com/raw/GtnV67Hj The headers are all missing the traditional space between the colon and the header content. This is formally allowable (see https://tools.ietf.org/html/rfc5322#appendix-A.5,) but it may be breaking the parsing of the message. More significantly, there are what appear to be continuation parts of folded headers which have no leading whitespace, which is NOT allowable and will definitely break parsing. Is this an artifact of how you copied the message or is it really that way? If the misformatting is being done by something before SpamAssassin sees it, SA will parse the headers incorrectly.
MISSING_SUBJECT rule on email with subject
Hi, We're currently seeing the rule MISSING_SUBJECT sporadically hitting on emails that have a subject. This issue seems to have started during last week, which is when clients started complaining about false positive detections. Please see example headers at the following link: https://pastebin.com/raw/GtnV67Hj Has anyone seen the same or similar issue recently? If not, can anyone offer some advice or guidance? Thanks! Stephan
Re: MISSING_SUBJECT
On Sun, 17 Jun 2018, RW wrote: On Sun, 17 Jun 2018 14:19:25 +0200 Matus UHLAR - fantomas wrote: meta ENCRYPTED_MESSAGE __CT_ENCRYPTED header __CT_ENCRYPTEDContent-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ __CT_ENCRYPTED is for now better solution, mostly because of someone could disable ENCRYPTED_MESSAGE in case of FPs. If it were meta ENCRYPTED_MESSAGE __ENCRYPTED_MESSAGE I'd agree, but the the current definition has clearly been set up to allow additional tests to be added to ENCRYPTED_MESSAGE. Correct. __CT_ENCRYPTED is the basic test for the MIME type and is intended for use in metas. ENCRYPTED_MESSAGE is what score to apply to that, potentially with FP (or in this case spam) avoidance filters. Generally those are added by seeing what else hits in the masscheck results. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis --- Tomorrow: SWMBO's Birthday
Re: MISSING_SUBJECT
On Sun, 17 Jun 2018 14:19:25 +0200 Matus UHLAR - fantomas wrote: > meta ENCRYPTED_MESSAGE __CT_ENCRYPTED > header __CT_ENCRYPTEDContent-Type > =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ > > __CT_ENCRYPTED is for now better solution, mostly because of someone > could disable ENCRYPTED_MESSAGE in case of FPs. If it were meta ENCRYPTED_MESSAGE __ENCRYPTED_MESSAGE I'd agree, but the the current definition has clearly been set up to allow additional tests to be added to ENCRYPTED_MESSAGE. IMO it's much more important that such changes get picked by any meta rules, than it is to reduce the risk of ENCRYPTED_MESSAGE being carelessly given a zero score. No one should ever zero a score without checking for meta rules anyway. > score ENCRYPTED_MESSAGE -1.000 -1.000 -1.000 > -1.000 > > Note that this doesn't remove the redundancy of EMPTY_MESSAGE and > MISSING_SUBJECT which is the real problem here. If there is a problem there it's that EMPTY_MESSAGE without MISSING_SUBJECT doesn't score highly enough.
Re: MISSING_SUBJECT
On Tue, 12 Jun 2018, micah anderson wrote: > I had a message marked with: > > 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no > Subject: > > It did not have a subject, but it did have content (although only > encrypted) On Wed, 13 Jun 2018 16:36:02 -0700 (PDT) John Hardin wrote: It may not be considering an encrypted message part to be a text body part. What was the MIME type of that part? On 16.06.18 21:12, RW wrote: The rule is: meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY where body __NONEMPTY_BODY /\S/ i.e. it's looking for an attachment or body text. It needs to be something like: !__MIME_ATTACHMENT && !__NONEMPTY_BODY && !ENCRYPTED_MESSAGE ENCRYPTED_MESSAGE already exists. meta ENCRYPTED_MESSAGE __CT_ENCRYPTED header __CT_ENCRYPTEDContent-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ __CT_ENCRYPTED is for now better solution, mostly because of someone could disable ENCRYPTED_MESSAGE in case of FPs. score ENCRYPTED_MESSAGE -1.000 -1.000 -1.000 -1.000 Note that this doesn't remove the redundancy of EMPTY_MESSAGE and MISSING_SUBJECT which is the real problem here. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Fighting for peace is like fucking for virginity...
Re: MISSING_SUBJECT
On Wed, 13 Jun 2018 16:36:02 -0700 (PDT) John Hardin wrote: > On Tue, 12 Jun 2018, micah anderson wrote: > > > I had a message marked with: > > > > 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no > > Subject: > > > > It did not have a subject, but it did have content (although only > > encrypted) > > It may not be considering an encrypted message part to be a text body > part. What was the MIME type of that part? The rule is: meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY where body __NONEMPTY_BODY /\S/ i.e. it's looking for an attachment or body text. It needs to be something like: !__MIME_ATTACHMENT && !__NONEMPTY_BODY && !ENCRYPTED_MESSAGE ENCRYPTED_MESSAGE already exists.
Re: MISSING_SUBJECT
On 15.06.18 09:04, Matus UHLAR - fantomas wrote: On Tue, 12 Jun 2018, micah anderson wrote: I had a message marked with: 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: It did not have a subject, but it did have content (although only encrypted) John Hardin writes: It may not be considering an encrypted message part to be a text body part. What was the MIME type of that part? On 14.06.18 12:17, micah anderson wrote: pgp/mime and wat is an attachment or just the e-mail came with mime type pgp/mime;2~? OK, again: was it an attachment or just the e-mail came with mime-type PGP/mime ? please show us headers of that message (pastebin for example) -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "One World. One Web. One Program." - Microsoft promotional advertisement "Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
Re: MISSING_SUBJECT
On Tue, 12 Jun 2018, micah anderson wrote: I had a message marked with: 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: It did not have a subject, but it did have content (although only encrypted) John Hardin writes: It may not be considering an encrypted message part to be a text body part. What was the MIME type of that part? On 14.06.18 12:17, micah anderson wrote: pgp/mime and wat is an attachment or just the e-mail came with mime type pgp/mime;2~? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. LSD will make your ECS screen display 16.7 million colors
Re: MISSING_SUBJECT
John Hardin writes: > On Tue, 12 Jun 2018, micah anderson wrote: > >> I had a message marked with: >> >> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no >> Subject: >> >> It did not have a subject, but it did have content (although only >> encrypted) > > It may not be considering an encrypted message part to be a text body > part. What was the MIME type of that part? pgp/mime -- micah
Re: MISSING_SUBJECT
On Wed, 13 Jun 2018, Matus UHLAR - fantomas wrote: On 12.06.18 19:37, micah anderson wrote: 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: It did not have a subject, but it did have content (although only encrypted) it also hit: * 1.8 MISSING_SUBJECT Missing Subject: header which makes sense, because the mail did not have one, but have you looked in your Spam folder lately? All spam has a subject, pretty much always an informal survey of my trash heap showed 4 messages out of 400 did not have a Subject, and two of them were repeats. and what is your point? MISSING_SUBJECT is here because when message has no Subject:, it is highly probably spam. it's useless to count how many of spams hit the rule. there are many rules who hit only small percentage of spam, but all of them hit most of spam. what is important is: - how much of mails hitting MISSING_SUBJECT is spam - how much of mails hitting MISSING_SUBJECT is ham. if the percentage is very different in there two cases, the rule gets high positive (or negative) score. S/O = .826 http://ruleqa.spamassassin.org/20180613-r1833448-n/MISSING_SUBJECT/detail -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- As a Turkish general once remarked, the trouble with having the Americans as friends is that you can never be sure when they will turn around and stab themselves in the back. -- Bernard Lewis --- 5 days until SWMBO's Birthday
Re: MISSING_SUBJECT
On Tue, 12 Jun 2018, micah anderson wrote: I had a message marked with: 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: It did not have a subject, but it did have content (although only encrypted) It may not be considering an encrypted message part to be a text body part. What was the MIME type of that part? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- As a Turkish general once remarked, the trouble with having the Americans as friends is that you can never be sure when they will turn around and stab themselves in the back. -- Bernard Lewis --- 5 days until SWMBO's Birthday
Re: MISSING_SUBJECT
On 12.06.18 19:37, micah anderson wrote: 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: It did not have a subject, but it did have content (although only encrypted) it also hit: * 1.8 MISSING_SUBJECT Missing Subject: header which makes sense, because the mail did not have one, but have you looked in your Spam folder lately? All spam has a subject, pretty much always an informal survey of my trash heap showed 4 messages out of 400 did not have a Subject, and two of them were repeats. Matus UHLAR - fantomas writes: and what is your point? On 13.06.18 07:55, micah anderson wrote: The point is EMPTY_MESSAGE scores even though it did have content. so, why did you complain about subjects? But I guess the point is that it had no 'text' parts, because the content was only pgp/mime? Most probably yes. spamassassin -D would show us. The MISSING_SUBJECT and EMPTY_MESSAGE are kind of redundant, since they both catch empty mail. meta MISSING_SUBJECT !__HAS_SUBJECT header __HAS_SUBJECTexists:Subject meta EMPTY_MESSAGE !__MIME_ATTACHMENT && !__NONEMPTY_BODY body __NONEMPTY_BODY/\S/ note that body rules check subject too. I can guess that the mail did NOT include an attachment since it was purely PGP-encrypted mail. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: MISSING_SUBJECT
On Wed, Jun 13, 2018 at 10:38, Matus UHLAR - fantomas wrote: > MISSING_SUBJECT is here because when message has no Subject:, it is highly > probably spam. Right. Well, my new accountant, being an external company of 16 people, insists in sending messages without a subject, "because we always did, and you are the only one complaining". These are the same people who cannot bother reading the bounched message that says "your e-mail was rejected because it does not contain a subject" and, when interrogated, they respond that "the e-mail was rejected". This reminds me of a common practice in both UK and CH where people anticipate by phone call that an e-mail is coming and then they call again to make sure it arrived, with some wanting a subject line that says "From to : ". The take-away is: if you manage a company, make sure your employees know their ABCs, and if you are a company, insist on best practices with both your clients and providers. To close, I think we need standard leaflets to pass around stubborn employees.
Re: MISSING_SUBJECT
Matus UHLAR - fantomas writes: > On 12.06.18 19:37, micah anderson wrote: >>2.3 EMPTY_MESSAGE Message appears to have no textual parts and no >>Subject: >> >>It did not have a subject, but it did have content (although only >>encrypted) it also hit: >> >>* 1.8 MISSING_SUBJECT Missing Subject: header >> >>which makes sense, because the mail did not have one, but have you >>looked in your Spam folder lately? All spam has a subject, pretty much >>always an informal survey of my trash heap showed 4 messages out of >>400 did not have a Subject, and two of them were repeats. > > and what is your point? The point is EMPTY_MESSAGE scores even though it did have content. But I guess the point is that it had no 'text' parts, because the content was only pgp/mime? -- micah
Re: MISSING_SUBJECT
On 12.06.18 19:37, micah anderson wrote: 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: It did not have a subject, but it did have content (although only encrypted) it also hit: * 1.8 MISSING_SUBJECT Missing Subject: header which makes sense, because the mail did not have one, but have you looked in your Spam folder lately? All spam has a subject, pretty much always an informal survey of my trash heap showed 4 messages out of 400 did not have a Subject, and two of them were repeats. and what is your point? MISSING_SUBJECT is here because when message has no Subject:, it is highly probably spam. it's useless to count how many of spams hit the rule. there are many rules who hit only small percentage of spam, but all of them hit most of spam. what is important is: - how much of mails hitting MISSING_SUBJECT is spam - how much of mails hitting MISSING_SUBJECT is ham. if the percentage is very different in there two cases, the rule gets high positive (or negative) score. Some scores are tuned for safety reasons. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: MISSING_SUBJECT
Reindl Harald writes: > Am 13.06.2018 um 01:37 schrieb micah anderson: >> I had a message marked with: >> >> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no >> Subject: >> >> It did not have a subject, but it did have content (although only >> encrypted).... it also hit: >> >> * 1.8 MISSING_SUBJECT Missing Subject: header >> >> which makes sense, because the mail did not have one, but have you >> looked in your Spam folder lately? All spam has a subject, pretty much >> always > > no - there is ton of junk without a subject and sometimes even floods > with no subject and no body at all I believe you, however the message was not empty, it had encrypted contents (and in fact was scored -1 because of that).
MISSING_SUBJECT
I had a message marked with: 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no Subject: It did not have a subject, but it did have content (although only encrypted) it also hit: * 1.8 MISSING_SUBJECT Missing Subject: header which makes sense, because the mail did not have one, but have you looked in your Spam folder lately? All spam has a subject, pretty much always an informal survey of my trash heap showed 4 messages out of 400 did not have a Subject, and two of them were repeats. -- micah
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On 19/09/17 15:05, Kevin A. McGrail wrote: On 9/19/2017 9:11 AM, David Jones wrote: I have had these in place for years. Maybe Kevin can consolidate and integrate this into his KAM.cf so I could remove them or we could eventually get them into the default SA ruleset after some testing. Hi David, Thanks. In addition to KAM.cf, I maintain a nonKAMrules.cf which I've added these attributing them with the idea to test. It's where I throw rules in the PD from lists and things like that so I'm not claiming ownership but like the ideas. Note, I lowered the score on the 1st two. I'm pretty sure those might cause more FPs than intended. https://www.pccc.com/downloads/SpamAssassin/contrib/nonKAMrules.cf That looks like really useful stuff. Is it likely that any of these rules will make their way into SA - or should we include them ourselves in local.cf?
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On Tue, 19 Sep 2017 10:06:58 -0500 David Jones wrote: > >>>> header ENA_SUBJ_IS_SPACE Subject =~ /^ $/ > >>> > >>> The OP said there was a space after 'Subject:', so that rule > >>> wouldn't detect it. > My point was supposed to be a single space should hit > MISSING_SUBJECT and two or more would not. but neither 'Subject: \n' nor 'Subject:\n' triggers MISSING_SUBJECT. There probably is some scope for something like header EMPTY_SUBJECT ALL =~ /^Subject:\s?$/mi it might be more useful in meta rules e.g. combined with DCC.
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On 09/19/2017 09:35 AM, RW wrote:
On Tue, 19 Sep 2017 10:05:44 -0400
Kevin A. McGrail wrote:
On 9/19/2017 9:11 AM, David Jones wrote:
I have had these in place for years. Maybe Kevin can consolidate
and integrate this into his KAM.cf so I could remove them or we
could eventually get them into the default SA ruleset after some
testing.
Hi David,
Thanks. In addition to KAM.cf, I maintain a nonKAMrules.cf which
I've added these attributing them with the idea to test. It's where
I throw rules in the PD from lists and things like that so I'm not
claiming ownership but like the ideas.
Note, I lowered the score on the 1st two. I'm pretty sure those
might cause more FPs than intended.
https://www.pccc.com/downloads/SpamAssassin/contrib/nonKAMrules.cf
The second should be changed to something like
/^\s\s+$/
or
/^\s{2,999}$/
The comment is a bit misleading
"Subject is empty or only spaces commonly used by spammers to get
around subject checks"
since it doesn't check for an empty subject.
The word "empty" in the description was for the mail client showing what
seemed to be a blank or empty subject when it technically wasn't. These
descriptions are shown to our Help Desk which will be less technical
than we are on this list.
Please feel free to update/change anything to make it better or to
follow common conventions. I admit I was doing poor regex years ago and
have gotten better the past year.
--
David Jones
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On 09/19/2017 09:03 AM, RW wrote: On Tue, 19 Sep 2017 08:32:12 -0500 David Jones wrote: On 09/19/2017 08:20 AM, RW wrote: On Tue, 19 Sep 2017 08:11:03 -0500 David Jones wrote: header ENA_SUBJ_IS_SPACE Subject =~ /^ $/ The OP said there was a space after 'Subject:', so that rule wouldn't detect it. Mail headers always have a space after the colon which should not be considered part of the header's value. Obviously, but what I wrote is still true. I didn't mean to sound like a jerk there. My point was supposed to be a single space should hit MISSING_SUBJECT and two or more would not. That ENA rule above would be two spaces after the header's colon. All of those rules I sent last post detect something a little different and combined they cover most of the tricks I have seen to get around the MISSING_SUBJECT rule. I know what they do, I actually wrote the last two. Thank you for those rules. I probably did get them from you on this list a long time ago. By the way, anything that hits ENA_SUBJ_IS_SPACE will also hit ENA_SUBJ_ONLY_SPACES giving 5.4 points. I noticed this too after posting but I have gone back to my reports. I am seeing many hits today on ENA_SUBJ_ONLY_SPACES but no hits on ENA_SUBJ_IS_SPACE. I should and will remove ENA_SUBJ_IS_SPACE. -- David Jones
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On Tue, 19 Sep 2017 10:05:44 -0400
Kevin A. McGrail wrote:
> On 9/19/2017 9:11 AM, David Jones wrote:
> > I have had these in place for years. Maybe Kevin can consolidate
> > and integrate this into his KAM.cf so I could remove them or we
> > could eventually get them into the default SA ruleset after some
> > testing.
>
> Hi David,
>
> Thanks. In addition to KAM.cf, I maintain a nonKAMrules.cf which
> I've added these attributing them with the idea to test. It's where
> I throw rules in the PD from lists and things like that so I'm not
> claiming ownership but like the ideas.
>
> Note, I lowered the score on the 1st two. I'm pretty sure those
> might cause more FPs than intended.
>
> https://www.pccc.com/downloads/SpamAssassin/contrib/nonKAMrules.cf
The second should be changed to something like
/^\s\s+$/
or
/^\s{2,999}$/
The comment is a bit misleading
"Subject is empty or only spaces commonly used by spammers to get
around subject checks"
since it doesn't check for an empty subject.
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On 9/19/2017 9:11 AM, David Jones wrote: I have had these in place for years. Maybe Kevin can consolidate and integrate this into his KAM.cf so I could remove them or we could eventually get them into the default SA ruleset after some testing. Hi David, Thanks. In addition to KAM.cf, I maintain a nonKAMrules.cf which I've added these attributing them with the idea to test. It's where I throw rules in the PD from lists and things like that so I'm not claiming ownership but like the ideas. Note, I lowered the score on the 1st two. I'm pretty sure those might cause more FPs than intended. https://www.pccc.com/downloads/SpamAssassin/contrib/nonKAMrules.cf Regards, KAM
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On Tue, 19 Sep 2017 08:32:12 -0500 David Jones wrote: > On 09/19/2017 08:20 AM, RW wrote: > > On Tue, 19 Sep 2017 08:11:03 -0500 > > David Jones wrote: > >> header ENA_SUBJ_IS_SPACE Subject =~ /^ $/ > > > > The OP said there was a space after 'Subject:', so that rule > > wouldn't detect it. > > > > Mail headers always have a space after the colon which should not be > considered part of the header's value. Obviously, but what I wrote is still true. > That ENA rule above would be > two spaces after the header's colon. All of those rules I sent last > post detect something a little different and combined they cover most > of the tricks I have seen to get around the MISSING_SUBJECT rule. I know what they do, I actually wrote the last two. By the way, anything that hits ENA_SUBJ_IS_SPACE will also hit ENA_SUBJ_ONLY_SPACES giving 5.4 points.
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On 09/19/2017 08:20 AM, RW wrote: On Tue, 19 Sep 2017 08:11:03 -0500 David Jones wrote: On 09/19/2017 07:23 AM, Kevin A. McGrail wrote: Is it purposeful extra space though that might indicate spaminess? Spample? Regards, KAM On September 19, 2017 8:13:09 AM EDT, RW <rwmailli...@googlemail.com> wrote: On Tue, 19 Sep 2017 09:27:13 +0100 Sebastian Arcus wrote: I've had a number of emails with no subject not triggering the MISSING_SUBJECT rule - only to discover that the spammers have added a white space after 'Subject:' - which appears to fool the code into thinking that there is an actual subject. Would it be possible to 'smarten up' the code a bit to recognise this? The space doesn't make a difference. The test is for a missing subject not an empty subject. Some people send emails without setting a subject but the client will normally still add the header. I have had these in place for years. Maybe Kevin can consolidate and integrate this into his KAM.cf so I could remove them or we could eventually get them into the default SA ruleset after some testing. header ENA_SUBJ_IS_SPACE Subject =~ /^ $/ The OP said there was a space after 'Subject:', so that rule wouldn't detect it. Mail headers always have a space after the colon which should not be considered part of the header's value. That ENA rule above would be two spaces after the header's colon. All of those rules I sent last post detect something a little different and combined they cover most of the tricks I have seen to get around the MISSING_SUBJECT rule. -- David Jones
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On Tue, 19 Sep 2017 08:11:03 -0500 David Jones wrote: > On 09/19/2017 07:23 AM, Kevin A. McGrail wrote: > > Is it purposeful extra space though that might indicate spaminess? > > Spample? Regards, > > KAM > > > > On September 19, 2017 8:13:09 AM EDT, RW > > <rwmailli...@googlemail.com> wrote: > > > > On Tue, 19 Sep 2017 09:27:13 +0100 > > Sebastian Arcus wrote: > > > > I've had a number of emails with no subject not triggering > > the MISSING_SUBJECT rule - only to discover that the spammers have > > added a white space after 'Subject:' - which appears to fool the > > code into > > thinking that there is an actual subject. Would it be > > possible to 'smarten up' the code a bit to recognise this? > > > > > > The space doesn't make a difference. > > > > The test is for a missing subject not an empty subject. Some > > people send emails without setting a subject but the client will > > normally still add the header. > > > > I have had these in place for years. Maybe Kevin can consolidate and > integrate this into his KAM.cf so I could remove them or we could > eventually get them into the default SA ruleset after some testing. > > header ENA_SUBJ_IS_SPACE Subject =~ /^ $/ The OP said there was a space after 'Subject:', so that rule wouldn't detect it.
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On Tue, 19 Sep 2017 13:13:09 +0100 RW wrote: > On Tue, 19 Sep 2017 09:27:13 +0100 > Sebastian Arcus wrote: > > > I've had a number of emails with no subject not triggering the > > MISSING_SUBJECT rule - only to discover that the spammers have added > > a white space after 'Subject:' > Some people send emails without setting a subject but the client will > normally > still add the header. I checked that and some do and some don't. gmail adds a Subject header with a space.
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On 09/19/2017 07:23 AM, Kevin A. McGrail wrote:
Is it purposeful extra space though that might indicate spaminess? Spample?
Regards,
KAM
On September 19, 2017 8:13:09 AM EDT, RW <rwmailli...@googlemail.com> wrote:
On Tue, 19 Sep 2017 09:27:13 +0100
Sebastian Arcus wrote:
I've had a number of emails with no subject not triggering the
MISSING_SUBJECT rule - only to discover that the spammers have added
a white space after 'Subject:' - which appears to fool the code
into
thinking that there is an actual subject. Would it be possible to
'smarten up' the code a bit to recognise this?
The space doesn't make a difference.
The test is for a missing subject not an empty subject. Some people
send emails without setting a subject but the client will normally
still add the header.
I have had these in place for years. Maybe Kevin can consolidate and
integrate this into his KAM.cf so I could remove them or we could
eventually get them into the default SA ruleset after some testing.
header ENA_SUBJ_IS_SPACE Subject =~ /^ $/
describeENA_SUBJ_IS_SPACE Subject is a space
score ENA_SUBJ_IS_SPACE 3.2
header ENA_SUBJ_ONLY_SPACESSubject =~ /^\s+$/
describeENA_SUBJ_ONLY_SPACESSubject is empty or only spaces
commonly used by spammers to get around subject checks
score ENA_SUBJ_ONLY_SPACES2.2
header ENA_SUBJ_ONLY_FWD Subject =~
/(^Fw:\s+$|^Fw\s+$|^Fwd:\s+$|^Fwd\s+$|^Fwd: \(\d\)$|^Fwd: \[\d\]$)/i
describeENA_SUBJ_ONLY_FWD Subject is only "Fwd:"
score ENA_SUBJ_ONLY_FWD 2.2
header ENA_SUBJ_ONLY_RESubject =~
/(^Re:\s+$|^Re\s+$|^Re: \(\d\)$|^Re: \[\d\]$)/i
describeENA_SUBJ_ONLY_RESubject is only "Re:"
score ENA_SUBJ_ONLY_RE2.2
header ENA_SUBJ_LONG_WORD Subject =~
/\b[^[:space:][:punct:]]{30}/
describeENA_SUBJ_LONG_WORD Subject has a very long word
score ENA_SUBJ_LONG_WORD 2.2
header ENA_SUBJ_ODD_CASE Subject =~
/(?:[[:lower:]][[:upper:]].{0,15}){3}/
describeENA_SUBJ_ODD_CASE Subject has odd case
score ENA_SUBJ_ODD_CASE 3.2
--
David Jones
Re: MISSING_SUBJECT not triggered if subject contains whitespace
Is it purposeful extra space though that might indicate spaminess? Spample? Regards, KAM On September 19, 2017 8:13:09 AM EDT, RW <rwmailli...@googlemail.com> wrote: >On Tue, 19 Sep 2017 09:27:13 +0100 >Sebastian Arcus wrote: > >> I've had a number of emails with no subject not triggering the >> MISSING_SUBJECT rule - only to discover that the spammers have added >> a white space after 'Subject:' - which appears to fool the code into >> thinking that there is an actual subject. Would it be possible to >> 'smarten up' the code a bit to recognise this? > >The space doesn't make a difference. > >The test is for a missing subject not an empty subject. Some people >send emails without setting a subject but the client will normally >still add the header.
Re: MISSING_SUBJECT not triggered if subject contains whitespace
On Tue, 19 Sep 2017 09:27:13 +0100 Sebastian Arcus wrote: > I've had a number of emails with no subject not triggering the > MISSING_SUBJECT rule - only to discover that the spammers have added > a white space after 'Subject:' - which appears to fool the code into > thinking that there is an actual subject. Would it be possible to > 'smarten up' the code a bit to recognise this? The space doesn't make a difference. The test is for a missing subject not an empty subject. Some people send emails without setting a subject but the client will normally still add the header.
MISSING_SUBJECT not triggered if subject contains whitespace
I've had a number of emails with no subject not triggering the MISSING_SUBJECT rule - only to discover that the spammers have added a white space after 'Subject:' - which appears to fool the code into thinking that there is an actual subject. Would it be possible to 'smarten up' the code a bit to recognise this?
MISSING_SUBJECT misfiring?
This morning I had 4 messages in my folder for >=1 and < 2 points. (Yes, I get it that this deviates from the >= 5 recommendation.) I'm not complaining about that per se, but in scanning the rules that fired, I found a lot + and -, and they seemed correct. All four were mailinglist mail and I consider them ham. This is normal so far. All four had MISSING_SUBJECT, but when I looked at the headers they had valid subjects. I checked a message from a colleague in my inbox, and it too had MISSING_SUBJECT, but enough - points to So I wonder if there is some recent breakage in the MISSING_SUBJECT rule. SpamAssassin version 3.4.1 running on Perl version 5.22.0 and I have rules from 12/21 - hmm. And I can't see that the rule looks different or how one could make it not work. Is anyone else seeing this? signature.asc Description: PGP signature
Re: MISSING_SUBJECT versus empty subject
Hello Reindl, Wednesday, November 19, 2014, 6:01:32 PM, you wrote: RH should there not be a SUBJECT_EMPTY rule header __NH_BLANK_SUB Subject =~ /^\s*$/ describe__NH_BLANK_SUB Subject is blank metaNH_EMPTY_SUB(__HAS_SUBJECT __NH_BLANK_SUB) score NH_EMPTY_SUB1.5 describeNH_EMPTY_SUBSubject: is empty -- Best regards, Niamhmailto:ni...@fullbore.co.uk pgpYR90Tq9N8P.pgp Description: PGP signature
Re: MISSING_SUBJECT versus empty subject
On 19.11.14 19:01, Reindl Harald wrote: i have here a message hitting BAYES_95, CUST_DNSWL_2, CUST_DNSWL_5, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_MSPIKE_H2, SPF_NONE but *not* MISSING_SUBJECT most likely because Subject: in the headers is that intentional? should there not be a SUBJECT_EMPTY rule in that case which maybe makes a lot of sense to penalty that case different (not that high as if the header don't exist at all) I remember I have asked the same some years ago. http://www.gossamer-threads.com/lists/spamassassin/users/104646 the explanation was that the current rule detects empty subject the same as no subject at all. IIRC it was in fact the same rule as it is now: header __HAS_SUBJECT exists:Subject -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Eagles may soar, but weasels don't get sucked into jet engines.
Re: MISSING_SUBJECT versus empty subject
Matus UHLAR - fantomas wrote: I remember I have asked the same some years ago. http://www.gossamer-threads.com/lists/spamassassin/users/104646 the explanation was that the current rule detects empty subject the same as no subject at all. IIRC it was in fact the same rule as it is now: header __HAS_SUBJECT exists:Subject In a 2007 posting: | The header exists:header_name test really converts into: | header_data =~ /./ It was true years ago, but is no longer the case. The 'exists:' now tests for a presence of a header field (regardless of its header body - empty or not). A test like: header L_EMPTY_SUBJECT Subject !~ /\S/ triggers on both cases: missing or empty Subject header field. Its counterpart: header L_NONEMPTY_SUBJECT Subject =~ /\S/ Mark
MISSING_SUBJECT versus empty subject
Hi i have here a message hitting BAYES_95, CUST_DNSWL_2, CUST_DNSWL_5, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_MSPIKE_H2, SPF_NONE but *not* MISSING_SUBJECT most likely because Subject: in the headers is that intentional? should there not be a SUBJECT_EMPTY rule in that case which maybe makes a lot of sense to penalty that case different (not that high as if the header don't exist at all) signature.asc Description: OpenPGP digital signature
Re: MISSING_SUBJECT versus empty subject
back to list :-) Am 19.11.2014 um 19:13 schrieb Kevin A. McGrail: On 11/19/2014 1:01 PM, Reindl Harald wrote: Hi i have here a message hitting BAYES_95, CUST_DNSWL_2, CUST_DNSWL_5, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_MSPIKE_H2, SPF_NONE but *not* MISSING_SUBJECT most likely because Subject: in the headers is that intentional? should there not be a SUBJECT_EMPTY rule in that case which maybe makes a lot of sense to penalty that case different (not that high as if the header don't exist at all) I don't thin it will help because a blank subject doesn't show a Ham vs. Spam differential. I show the issue in both Ham and Spam. correct but here that's the same for MISSING_SUBJECT no joke, looked at the maillog and there is communication where i know the sending server, sender address and rcpt in person hitting that tag but sadly not which broken MUA Statistically, I only have 12 spams out of 602 in my current stuff that was FNs folder that might meet that criteria Checking a ham folder, I have 27 emails out of ~18K that meet the same criteria. 12/602 spam versus 27/18000 ham - hmmm - more likely spam And thinking about all the emails the fly around for mailing list moderation with no subjects, for example. Anyway, if useful, it will only be in a meta is my immediate thought i thought about a by default 0 scored rule enabled and scored only via local.cf by the admin or very low scored (0.001) which might make the difference FN/caught and should not hurt a legit message anything with else OK signature.asc Description: OpenPGP digital signature
Re: MISSING_SUBJECT versus empty subject
On 11/19/2014 1:20 PM, Reindl Harald wrote: back to list :-) Sorry about that. i thought about a by default 0 scored rule enabled and scored only via local.cf by the admin or very low scored (0.001) which might make the difference FN/caught and should not hurt a legit message anything with else OK If you write the rule, it can go into a sandbox and ruleqa will grade it and we can see, but based on my corporate and no other rules to tie it to for a meta, it's unlikely to be promoted.
Re: MISSING_SUBJECT versus empty subject
On Wed, 19 Nov 2014, Reindl Harald wrote: i thought about a by default 0 scored rule enabled and scored only via local.cf by the admin or very low scored (0.001) which might make the difference FN/caught and should not hurt a legit message anything with else OK It's more useful to do that as a subrule so that any cases where it + another rule are a good sign can be scored as a meta. If the admin wanted to score on that alone, then they'd add a meta where the only member rule was the subrule, and score that. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Vista is at best mildly annoying and at worst makes you want to rush to Redmond, Wash. and rip somebody's liver out. -- Forbes --- 902 days since the first successful private support mission to ISS (SpaceX)
Re: MISSING_SUBJECT versus empty subject
On 11/19/2014 07:25 PM, Kevin A. McGrail wrote: On 11/19/2014 1:20 PM, Reindl Harald wrote: back to list :-) Sorry about that. i thought about a by default 0 scored rule enabled and scored only via local.cf by the admin or very low scored (0.001) which might make the difference FN/caught and should not hurt a legit message anything with else OK If you write the rule, it can go into a sandbox and ruleqa will grade it and we can see, but based on my corporate and no other rules to tie it to for a meta, it's unlikely to be promoted. If it got promoted, I promise I'd nuke it .-)
Re: MISSING_SUBJECT versus empty subject
Am 19.11.2014 um 19:25 schrieb Kevin A. McGrail: On 11/19/2014 1:20 PM, Reindl Harald wrote: back to list :-) Sorry about that no problem i thought about a by default 0 scored rule enabled and scored only via local.cf by the admin or very low scored (0.001) which might make the difference FN/caught and should not hurt a legit message anything with else OK If you write the rule, it can go into a sandbox and ruleqa will grade it and we can see, but based on my corporate and no other rules to tie it to for a meta, it's unlikely to be promoted thanks for feedback it's still on my todo-list learn more about write SA rules besides RBL and i will come back with a example (after have it very low scored in production) as soon i find some spare time besides my 3 fulltime jobs i guess the time around christmas will be dedicated to study SpamAssassin and the away from IT is scheduled again for the next year :-) signature.asc Description: OpenPGP digital signature
Re: MISSING_SUBJECT versus empty subject
On 11/19/2014 07:29 PM, Axb wrote: On 11/19/2014 07:25 PM, Kevin A. McGrail wrote: On 11/19/2014 1:20 PM, Reindl Harald wrote: back to list :-) Sorry about that. i thought about a by default 0 scored rule enabled and scored only via local.cf by the admin or very low scored (0.001) which might make the difference FN/caught and should not hurt a legit message anything with else OK If you write the rule, it can go into a sandbox and ruleqa will grade it and we can see, but based on my corporate and no other rules to tie it to for a meta, it's unlikely to be promoted. If it got promoted, I promise I'd nuke it .-) but if anybody wants to use it for a meta: header __EMPTY_SUBJECTSubject =~ /^\s*$/
Why rule MISSING_SUBJECT is fired?
Hello! I'd like to ask you if this rule works correctly? I've sended email from thunderbird and roundcube and in both cases this rule scores email. Here is sample email: http://pastebin.com/rVTwNp5X (with little mungled recipient). Rules are in version: 1162027, spamassassin-3.3.2 Thanks for help. Regards.
Re: Why rule MISSING_SUBJECT is fired?
On 26.09.11 15:37, Marcin Mirosław wrote: I'd like to ask you if this rule works correctly? I've sended email from thunderbird and roundcube and in both cases this rule scores email. Here is sample email: http://pastebin.com/rVTwNp5X (with little mungled recipient). Rules are in version: 1162027, spamassassin-3.3.2 I don't see other X-Spam headers there. How are you running spamassassin? Aren't you using amavis ot other software using just spamassassin libraries? Are you sure some 3rd party does not modify mail headers? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: Why rule MISSING_SUBJECT is fired?
On 9/26/2011 9:37 AM, Marcin Mirosław wrote: Hello! I'd like to ask you if this rule works correctly? I've sended email from thunderbird and roundcube and in both cases this rule scores email. Here is sample email: http://pastebin.com/rVTwNp5X (with little mungled recipient). Rules are in version: 1162027, spamassassin-3.3.2 Thanks for help. Regards. There is nothing in that sample that would cause the rule to fire. I downloaded it and ran it against my SA and did not get a match for MISSING_SUBJECT. The only thing I can think of is that the headers end at the first blank line. If there is a blank line somewhere in the headers, that will cause SA to treat everything below that line as part of the body rather than the header. Download your sample from pastebin and run it through SA to see if it still matches the rule for you. You may have inadvertently fixed the problem when you munged the recipient address prior to uploading the sample. -- Bowie
Re: Why rule MISSING_SUBJECT is fired?
W dniu 26.09.2011 15:52, Matus UHLAR - fantomas pisze: I don't see other X-Spam headers there. How are you running spamassassin? Aren't you using amavis ot other software using just spamassassin libraries? Are you sure some 3rd party does not modify mail headers? No, i don't use any 3rd packages, i'm using exim+spamd. Sorry i didn't start spamd with en_us locales, some headers are translated. All headers from SA are in X-Spam-Report, header X-Szczegoly contains report which rules hitted email.
Re:[SOLVED] Why rule MISSING_SUBJECT is fired?
W dniu 26.09.2011 15:53, Bowie Bailey pisze: There is nothing in that sample that would cause the rule to fire. I downloaded it and ran it against my SA and did not get a match for MISSING_SUBJECT. The only thing I can think of is that the headers end at the first blank line. If there is a blank line somewhere in the headers, that will cause SA to treat everything below that line as part of the body rather than the header. Email doesn't contain body so there is nothing after headers. Download your sample from pastebin and run it through SA to see if it still matches the rule for you. You may have inadvertently fixed the problem when you munged the recipient address prior to uploading the sample. I've downoloaded email from pastebin and nothing changed. Reason: PEBKAC , i've got redundant backslash in own rules. I should use --lint more often. Sorry for noise and thanks for your time! Regards.
SA scores MISSING_SUBJECT, but message _has_ a Subject
I've received a message with a Subject of Be Serious and Have Fun! Looking at the headers Return-Path: [EMAIL PROTECTED] X-Spam-Flag: YES X-Spam-Level: !!! X-Spam-Status: score=7.8/4.0 autolearn=spam X-Spam-Report: * 4.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist * [URIs: howtodothings.com] * 0.0 HTML_MESSAGE BODY: HTML_MESSAGE * 1.5 BODY_8BITS BODY: Body includes 8 consecutive 8-bit characters * 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) * 1.8 MISSING_SUBJECT MISSING_SUBJECT * 1.4 EMPTY_MESSAGE EMPTY_MESSAGE * -0.0 NO_RECEIVED NO_RECEIVED * -3.1 AWL AWL: From: address is in the auto white-list Return-Path: [EMAIL PROTECTED] Date: Wed, 20 Aug 2008 06:53:19 -0400 (EDT) From: TheLadders.com [EMAIL PROTECTED] Reply-To: TheLadders.com [EMAIL PROTECTED] Subject: Be Serious and Have Fun! MIME-Version: 1.0 Spamassassin scores the message * 1.8 MISSING_SUBJECT MISSING_SUBJECT for not having a Subject line. ?? I found an apparently related bug that says RESOLVED MISSING_SUBJECT is wrong https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5207 but I honestly can't understand the resolution. Like in the bug, I've checked the message with spamassassin -LD check 4589 /dev/null and see no errors. Why is SA saying my message has no Subject?
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
On Wed, 20 Aug 2008, Bob Gereford wrote: Date: Wed, 20 Aug 2008 06:53:19 -0400 (EDT) From: TheLadders.com [EMAIL PROTECTED] Reply-To: TheLadders.com [EMAIL PROTECTED] Subject: Be Serious and Have Fun! MIME-Version: 1.0 Is that blank line actually present within the message headers? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Windows Vista: Windows ME for the XP generation. --- 4 days until the 1929th anniversary of the destruction of Pompeii
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
On Wed, 20 Aug 2008, Bob Gereford wrote: I've received a message with a Subject of Be Serious and Have Fun! Looking at the headers Return-Path: [EMAIL PROTECTED] X-Spam-Flag: YES X-Spam-Level: !!! X-Spam-Status: score=7.8/4.0 autolearn=spam X-Spam-Report: * 4.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist * [URIs: howtodothings.com] * 0.0 HTML_MESSAGE BODY: HTML_MESSAGE * 1.5 BODY_8BITS BODY: Body includes 8 consecutive 8-bit characters * 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) * 1.8 MISSING_SUBJECT MISSING_SUBJECT * 1.4 EMPTY_MESSAGE EMPTY_MESSAGE * -0.0 NO_RECEIVED NO_RECEIVED * -3.1 AWL AWL: From: address is in the auto white-list Return-Path: [EMAIL PROTECTED] Date: Wed, 20 Aug 2008 06:53:19 -0400 (EDT) From: TheLadders.com [EMAIL PROTECTED] Reply-To: TheLadders.com [EMAIL PROTECTED] Subject: Be Serious and Have Fun! MIME-Version: 1.0 Spamassassin scores the message * 1.8 MISSING_SUBJECT MISSING_SUBJECT for not having a Subject line. ?? Looking down your headers (that is _IF_ they are as you have shown above), there is a blank line just after the X-Spam-Report lines. Once that blank line is hit, all the rest is considered the body of the message. Therefore, SpamAssassin has scored for a missing subject. I found an apparently related bug that says RESOLVED MISSING_SUBJECT is wrong https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5207 but I honestly can't understand the resolution. Like in the bug, I've checked the message with spamassassin -LD check 4589 /dev/null and see no errors. Why is SA saying my message has no Subject? -d
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
Hi John, On Wed, Aug 20, 2008 at 8:59 AM, John Hardin [EMAIL PROTECTED] wrote: Is that blank line actually present within the message headers? No, just an artifact from my copy paste -- I removed header lines with personally identifiable / account info. If at all relevant, I just received another legit message and, despite having both a Subject Message that are apparently valid, the spam score includes: 1.8 MISSING_SUBJECT MISSING_SUBJECT 1.4 EMPTY_MESSAGE EMPTY_MESSAGE Clearly, something's not right here ... :-(
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
If you think there's an issue, feel free to pastebot the message somewhere and folks can take a look. Otherwise there's not much people are going to be able to comment on. My guess is that however you're feeding mails into SA is having issues. On Wed, Aug 20, 2008 at 09:18:37AM -0700, Bob Gereford wrote: If at all relevant, I just received another legit message and, despite having both a Subject Message that are apparently valid, the spam score includes: 1.8 MISSING_SUBJECT MISSING_SUBJECT 1.4 EMPTY_MESSAGE EMPTY_MESSAGE Clearly, something's not right here ... :-( -- Randomly Selected Tagline: Cats are smarter than dogs. You can't make eight cats pull a sled through the snow. pgptZC6nLHaE5.pgp Description: PGP signature
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
Hi Theo, On Wed, Aug 20, 2008 at 9:22 AM, Theo Van Dinter [EMAIL PROTECTED]wrote: If you think there's an issue, feel free to pastebot the message somewhere and folks can take a look. Otherwise there's not much people are going to be able to comment on. My guess is that however you're feeding mails into SA is having issues. Here's the paste of the raw message content from the last message http://pastebin.com/d57d0894d
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
On Wed, Aug 20, 2008 at 09:34:34AM -0700, Bob Gereford wrote: Here's the paste of the raw message content from the last message http://pastebin.com/d57d0894d Yeah, nothing strange there. Passing it through spamassassin shows what you'd expect: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,RDNS_NONE,SPF_FAIL, SPF_HELO_PASS autolearn=disabled version=3.2.5 I was noticing that the X-Spam headers as posted aren't in the standard format (X-Spam-Status), nor is there a X-Spam-Checker-Version header which makes me think you're not calling SA directly to process the mails. So how are you sending mails to SA? -- Randomly Selected Tagline: Commitment can be illustrated by a breakfast of ham and eggs. The chicken was involved, but the pig was committed - Unknown pgpKy1XviNFCa.pgp Description: PGP signature
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
Bob Gereford wrote: Hi John, On Wed, Aug 20, 2008 at 8:59 AM, John Hardin [EMAIL PROTECTED] wrote: Is that blank line actually present within the message headers? No, just an artifact from my copy paste -- I removed header lines with personally identifiable / account info. If at all relevant, I just received another legit message and, despite having both a Subject Message that are apparently valid, the spam score includes: 1.8 MISSING_SUBJECT MISSING_SUBJECT 1.4 EMPTY_MESSAGE EMPTY_MESSAGE Clearly, something's not right here ... :-( there may be a CRLF issue (CRLF vs LF vs CR). so even pasting won't help.
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
On Wed, Aug 20, 2008 at 10:17 AM, Theo Van Dinter [EMAIL PROTECTED] wrote: I was noticing that the X-Spam headers as posted aren't in the standard format (X-Spam-Status), nor is there a X-Spam-Checker-Version header which makes me think you're not calling SA directly to process the mails. So how are you sending mails to SA? Well, part of the problem is that it's not me doing the calling ... rather Billy, the Mail Admin is 'in charge' (i'm really coming to know love Billy!). He says I call SA with Communicate Pro server's CGPSA perl module. I'm not really sure what that means ... or if it has an effect here. I'm guessing it does :-/
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
On Wed, 2008-08-20 at 08:33 -0700, Bob Gereford wrote:
X-Spam-Report:
* 4.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs: howtodothings.com]
* 0.0 HTML_MESSAGE BODY: HTML_MESSAGE
* 1.5 BODY_8BITS BODY: Body includes 8 consecutive 8-bit characters
* 1.8 MISSING_SUBJECT MISSING_SUBJECT
* 1.4 EMPTY_MESSAGE EMPTY_MESSAGE
So the message body does contain a URL and consecutive chars, but it
is empty nonetheless? Oh, yeah... :)
Spamassassin scores the message
* 1.8 MISSING_SUBJECT MISSING_SUBJECT
for not having a Subject line. ??
And it got a body...
I found an apparently related bug that says RESOLVED
MISSING_SUBJECT is wrong
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5207
but I honestly can't understand the resolution.
Please read the comments carefully. The resolution would be somewhere
between WORKSFORME (see comment 5) and INVALID (see comment 6). The
first one tells that Theo was not able to reproduce the bug, and the
latter clearly explains why it is not a bug -- the reporter had broken
cf files, that lead to this.
Like in the bug, I've checked the message with
spamassassin -LD check 4589 /dev/null
and see no errors.
See comment 6. Carefully check all the output for warnings. Lint test
your config files.
My guess is, there is a problem with your cf or user_prefs files just
like with that report. How else can an empty message contain chars? :)
guenther
--
char *t=[EMAIL PROTECTED];
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: SA scores MISSING_SUBJECT, but message _has_ a Subject
After finding my reading-glasses, I sat down to read the cgpsa documentation, as well as the Communigate docs. And, found the problem. Nothing to do with SA's cf files (which all were --lint-ing correctly), but rather with the cgpsa perl script. It seems it has two modes: (1) header-only, where the script circumvents the PIPE mechanism, writing its own headers, and (2) full, where the SA functionality is not tampered with, and headers are touched/written ONLY by SA. The server *was* running in mode (1), now it's running in mode (2). So far, no more MISSING_ or EMTPY_ scores of any kind. I'll wait and see a bit ... but, looks like letting SA do its thing is all that was required. Thanks for the comments. (off to have YA-chat w/ 'Billy' ...)
Re: question about MISSING_SUBJECT
MISSING_SUBJECT is, at least in my opinion, incorrect. The Subject header is there, it do EXISTS. It's empty, OK but it's not MISSING. You are in the realm of philosophy. I would agree with you that semantically :exists is not doing what it would imply (by name) that it is doing, since it in fact checks both the existance of the key and at least one non-blank character under that key. The drawback with fixing it at this point to do what it says it does is that it will doubtless break existing rules. And when you come right down to it, in most cases whether the key is completely missing or the value is blank is pretty much the same thing as far as spam detection is concerned. Loren
question about MISSING_SUBJECT
Hello Guys, i got a message that was flagged with MISSING_SUBJECT rule. The message has, among other headers: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Date: Tue, 13 May 2008 17:12:47 -0300 MIME-Version: 1.0 and rules are: header __HAS_SUBJECTexists:Subject meta MISSING_SUBJECT!__HAS_SUBJECT describe MISSING_SUBJECTMissing Subject: header MISSING_SUBJECT is, at least in my opinion, incorrect. The Subject header is there, it do EXISTS. It's empty, OK but it's not MISSING. should this empty subject really triggers MISSING_SUBJECT rule ?? I do sa-update once a day, so yes i'm running with the latest rules. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email [EMAIL PROTECTED] My SPAMTRAP, do not email it smime.p7s Description: S/MIME Cryptographic Signature
Re: question about MISSING_SUBJECT
Leonardo Rodrigues Magalhães wrote: Hello Guys, i got a message that was flagged with MISSING_SUBJECT rule. The message has, among other headers: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Date: Tue, 13 May 2008 17:12:47 -0300 MIME-Version: 1.0 and rules are: header __HAS_SUBJECTexists:Subject meta MISSING_SUBJECT!__HAS_SUBJECT describe MISSING_SUBJECTMissing Subject: header MISSING_SUBJECT is, at least in my opinion, incorrect. The Subject header is there, it do EXISTS. It's empty, OK but it's not MISSING. should this empty subject really triggers MISSING_SUBJECT rule ?? yes. An empty subject is a missing one ;-p I mean that's not better than omitting the subject header at once... while ham sometimes has no subject (or has an empty subject), it doesn't usually trigger other rules. so a 1.3 score isn't a problem (at least in my experience). I do sa-update once a day, so yes i'm running with the latest rules.
RE: warning - score undef for rule 'MISSING_SUBJECT'...
The first time I run sa-update after a v3.2.3 install, I get the following warnings: rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. ... (repeated several times) The update succeeds anyway. What causes these warnings? Thanks, Larry The score MISSING_SUBJECT is removed from 3.1.x and 3.2.x now. You could check your local.cf (or in some .pre file) for this score and remove it. Regards, Leon Kolchinsky
RE: warning - score undef for rule 'MISSING_SUBJECT'...
From: Leon Kolchinsky [mailto:[EMAIL PROTECTED] The first time I run sa-update after a v3.2.3 install, I get the following warnings: rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at ... The score MISSING_SUBJECT is removed from 3.1.x and 3.2.x now. You could check your local.cf (or in some .pre file) for this score and remove it. That's not what grep says: email# grep MISSING_SUBJECT /var/lib/spamassassin/3.002003/updates_spamassassin_org/* /var/lib/spamassassin/3.002003/updates_spamassassin_org/20_head_tests.cf :meta MISSING_SUBJECT !__HAS_SUBJECT /var/lib/spamassassin/3.002003/updates_spamassassin_org/20_head_tests.cf :describe MISSING_SUBJECT Missing Subject: header /var/lib/spamassassin/3.002003/updates_spamassassin_org/30_text_de.cf:la ng de describe MISSING_SUBJECT Betreff (Subject) fehlt /var/lib/spamassassin/3.002003/updates_spamassassin_org/50_scores.cf:sco re MISSING_SUBJECT 2.307 1.285 2.476 1.762 email# grep MISSING_SUBJECT /usr/local/share/spamassassin/*.cf /usr/local/share/spamassassin/20_head_tests.cf:meta MISSING_SUBJECT !__HAS_SUBJECT /usr/local/share/spamassassin/20_head_tests.cf:describe MISSING_SUBJECT Missing Subject: header /usr/local/share/spamassassin/30_text_de.cf:lang de describe MISSING_SUBJECT Betreff (Subject) fehlt /usr/local/share/spamassassin/50_scores.cf:score MISSING_SUBJECT 2.307 1.285 2.476 1.762 email# grep MISSING_SUBJECT /etc/mail/spamassassin/*.cf email#
warning - score undef for rule 'MISSING_SUBJECT'...
The first time I run sa-update after a v3.2.3 install, I get the following warnings: rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. ... (repeated several times) The update succeeds anyway. What causes these warnings? Thanks, Larry
RE: warning - score undef for rule 'MISSING_SUBJECT'...
The first time I run sa-update after a v3.2.3 install, I get the following warnings: rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'EMPTY_MESSAGE' in '' 'EMPTY_MESSAGE' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. rules: score undef for rule 'NO_RECEIVED' in '' 'NO_RECEIVED' at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 2140. ... (repeated several times) I got these as well for both upgrades to 3.2.2 and 3.2.3... - Skip
RE: MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?
They no longer hit enough spam to be worth keeping, so they were removed. Just remove the scores when you upgrade. Loren Thanks, I've suspected that :) Leon
MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?
Hello All, I'm going to upgrade SA from spamassassin-3.1.7-3 to spamassassin-3.2.2-1. In my local.cf I've adjusted some optional scores and now I want to check if these scores are still intact in the new version of SA. So I went to http://spamassassin.apache.org/tests_3_1_x.html and http://spamassassin.apache.org/tests_3_2_x.html I've found that: 1) RATWARE_OUTLOOK_NONAME and MISSING_SUBJECT now missing in both (3.1.x and 3.2.x) These scores were intact for my 3.1.7 installation when I configured it. (spamassassin --lint gives no error) What happened? How these scores disappeared? Should I just remove them from my local.cf before upgrade? Best Regards, Leon Kolchinsky
Re: MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?
Leon Kolchinsky wrote on Sat, 11 Aug 2007 18:32:36 +0300: Should I just remove them from my local.cf before upgrade? Run a spamassassin --lint after upgrade (which you should do always, anyway), this will bark about those scores and you can remove them. No need to check each time if they still exist. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Re: MISSING_SUBJECT and RATWARE_OUTLOOK_NONAME disappeared from 3.1.x tests?
Loren Wilton wrote on Sat, 11 Aug 2007 15:09:34 -0700: They no longer hit enough spam to be worth keeping, so they were removed. Just remove the scores when you upgrade. and MISSING_SUBJECT LOL, there was just a whole rush of no subject spam. ;-) I noticed that because the greylist milter on one of my machines hung and all that stuff went thru. Normally, it doesn't make it thru to SA. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
meaning of MISSING_SUBJECT ?
Hello, what's the real meaning of MISSING_SUBJECT ? should it match without the Subject: header, or even message with empty Subject: header? the description says it's about missing subject header, but it seems to match even when there's empty line containing the string Subject: in headers. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I just got lost in thought. It was unfamiliar territory.
Re: meaning of MISSING_SUBJECT ?
Matus UHLAR - fantomas wrote: what's the real meaning of MISSING_SUBJECT ? should it match without the Subject: header, or even message with empty Subject: header? the description says it's about missing subject header, but it seems to match even when there's empty line containing the string Subject: in headers. On 13.07.07 09:15, Matt Kettler wrote: It should only match a missing header. then it's a bug, the header is there. However, one thing to realize is that your mail client may insert a blank subject if it's missing. So, if you're looking at it after your mail client has read it, it might not have been there at all when SA scanned it. that's why I re-sent that mail by telnetting to SMTP port (both ways) and checked that explicitly over text file. In both cases, there was Subject: header. bug 5207 should be reopened then... -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Despite the cost of living, have you noticed how popular it remains?
Re: meaning of MISSING_SUBJECT ?
Matus UHLAR - fantomas wrote: Hello, what's the real meaning of MISSING_SUBJECT ? should it match without the Subject: header, or even message with empty Subject: header? the description says it's about missing subject header, but it seems to match even when there's empty line containing the string Subject: in headers. It should only match a missing header. However, one thing to realize is that your mail client may insert a blank subject if it's missing. So, if you're looking at it after your mail client has read it, it might not have been there at all when SA scanned it.
Re: meaning of MISSING_SUBJECT ?
On Fri, Jul 13, 2007 at 03:20:12PM +0200, Matus UHLAR - fantomas wrote: On 13.07.07 09:15, Matt Kettler wrote: It should only match a missing header. missing header doesn't mean the header doesn't exist, btw. It's a subtle difference, please see below. bug 5207 should be reopened then... Nope. I'll try to keep it short, but here's what's going on: A header is parsed as: [header_name]:[optional_whitespace][header_data] The header exists:header_name test really converts into: header_data =~ /./ which requires that there be a character in the header_data. MISSING_SUBJECT is the inverse of the exists:Subject rule, made using a meta rule. If the Subject header is actually missing, then there is no header_data, and therefore the /./ test fails. If the Subject header exists, but has nothing but whitespace after the colon ... there's no header_data, and therefore the /./ test fails. I'll put this in the bug for future reference. :) -- Randomly Selected Tagline: Those who do not archive the past are condemned to retype it! - Garfinkel and Spafford pgplIL35cPeFg.pgp Description: PGP signature
Re: meaning of MISSING_SUBJECT ?
On Fri, Jul 13, 2007 at 03:20:12PM +0200, Matus UHLAR - fantomas wrote: On 13.07.07 09:15, Matt Kettler wrote: It should only match a missing header. missing header doesn't mean the header doesn't exist, btw. It's a subtle difference, please see below. bug 5207 should be reopened then... Nope. [...] The header exists:header_name test really converts into: header_data =~ /./ which requires that there be a character in the header_data. aha. On 13.07.07 12:51, Theo Van Dinter wrote: I'll put this in the bug for future reference. :) good, thanks. Could you also please change the description to missing or empty to avoid confusion for next time? (maybe Missing subject would help too, but the Missing Subject: header is really confusing imho) -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. The early bird may get the worm, but the second mouse gets the cheese.
Re: MISSING_SUBJECT
Martin Gill-2 wrote: Hi, I've been watching my spam assassin rules for a while and I'm getting a bit confused with a couple of them. The MISSING_SUBJECT rule fires on every email, even though they actually have a Subject: header and spam assassin actually modifies the message to add it's SPAM tag. Also TO_CC_NONE fires all the time, despite a To: header field being present. Anyone able to explain this to me please? Have I misunderstood what those rules are checking for? I'm using spamassassin 3.1.5 running on Mandriva 2007. Martin Mark is 100%. You have misformatted a rule somewhere along the line. Lint your rules and it'll turn up. I went thru the same thing at one point... drove me crazy. -- View this message in context: http://www.nabble.com/MISSING_SUBJECT-tf3149170.html#a8771967 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: MISSING_SUBJECT
On Fri, February 2, 2007 17:56, Rick Vestal wrote: Martin Gill-2 wrote: [snip] Mark is 100%. You have misformatted a rule somewhere along the line. Lint your rules and it'll turn up. I went thru the same thing at one point... drove me crazy. [snip] Yes, that was the problem. I only had one rule.. and i just commented it out and the problem went away. Didn't know about this lint thing.. i'll look into it. I also think my previous reply went directly to someone, instead of to the list. So apologies to whoever that was, and thanks for pointing out the problem :)
MISSING_SUBJECT
Hi, I've been watching my spam assassin rules for a while and I'm getting a bit confused with a couple of them. The MISSING_SUBJECT rule fires on every email, even though they actually have a Subject: header and spam assassin actually modifies the message to add it's SPAM tag. Also TO_CC_NONE fires all the time, despite a To: header field being present. Anyone able to explain this to me please? Have I misunderstood what those rules are checking for? I'm using spamassassin 3.1.5 running on Mandriva 2007. Martin Example: Return-Path: *HIDDEN** X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on *HIDDEN** X-Spam-Level: * X-Spam-Status: Yes, score=5.4 required=5.0 tests=BAYES_99,HTML_MESSAGE, MISSING_SUBJECT,NO_RECEIVED,TO_CC_NONE autolearn=no version=3.1.5 X-Spam-Report: * 0.0 HTML_MESSAGE BODY: HTML included in message * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% * [score: 1.] * 1.8 MISSING_SUBJECT Missing Subject: header * -0.0 NO_RECEIVED Informational: message has no Received headers * 0.1 TO_CC_NONE No To: or Cc: header X-Original-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Received: from *HIDDEN** (*HIDDEN**[127.0.0.1]) by *HIDDEN**.localdomain (Postfix) with ESMTP id A2379D8A0 for [EMAIL PROTECTED]; Wed, 31 Jan 2007 12:14:07 + (GMT) Envelope-to: [EMAIL PROTECTED] Delivery-date: Wed, 31 Jan 2007 12:13:56 + Received: from martinsgill.co.uk [217.112.82.162] by odin with POP3 (fetchmail-6.3.4) for [EMAIL PROTECTED] (single-drop); Wed, 31 Jan 2007 12:14:07 + (GMT) Received: from [222.137.60.60] (helo=*HIDDEN**) by *HIDDEN** with smtp (Exim 4.63) (envelope-from *HIDDEN**) id 1HCELT-0001Oe-VR for [EMAIL PROTECTED]; Wed, 31 Jan 2007 12:13:56 + Message-ID: *HIDDEN** Reply-To: Oscar *HIDDEN** From: Oscar *HIDDEN** To: Griselda Nelson [EMAIL PROTECTED] Subject: [SPAM] Feeling down Date: Wed, 31 Jan 2007 08:01:52 -0400 MIME-Version: 1.0 Content-Type: multipart/related; type=multipart/alternative; boundary==_NextPart_049_EDA7_D78C015A.3E06BF21 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158 X-Spam-Prev-Subject: Feeling down
Re: MISSING_SUBJECT
On Wed, Jan 31, 2007 at 02:48:18PM -, Martin Gill wrote: The MISSING_SUBJECT rule fires on every email, even though they actually have a Subject: header and spam assassin actually modifies the message to add it's SPAM tag. Anyone able to explain this to me please? Have I misunderstood what those rules are checking for? If you have a valid sample mail that hits the MISSING_SUBJECT rule while being run through spamassassin -L, please open a bugzilla ticket and attach (not cut/paste) the mail in the ticket. Generally speaking, this issue tends to come up when SA is being called by third party code, and things are not passed in correctly. -- Randomly Selected Tagline: Where as John was much more holmsian, wasn't he... from a very grand and uhh... and he's so shockingly recognized, wasn't he? He's rather like a tall light bulb, isn't he?- Tom Baker pgplZMzDnqm66.pgp Description: PGP signature
Re: MISSING_SUBJECT
Martin, The MISSING_SUBJECT rule fires on every email, even though they actually have a Subject: header If I remember corrently, this effect can be produced by having syntactically incorrect rules. Make sure to run 'spamassassin --lint' before starting with modified rules! Mark
MISSING_SUBJECT always matching
Hi all. I just started using spamassassin for the first time. It's marking everything as spam, because MISSING_SUBJECT is always matching, although the mail does have Subject: lines. I searched the archives, and found mail from someone else in 2005 with this problem. The suggestion there was that perhaps the headers were garbled so that SA wasn't parsing them properly. I looked at the incoming headers and see nothing wrong -- here are the headers for the mail confirming my subscription to this list (which was marked as spam due to MISSING_SUBJECT and MISSING_TO and other things): From [EMAIL PROTECTED] Mon Aug 21 13:54:02 2006 Return-Path: [EMAIL PROTECTED] Delivered-To: jphekman-arborius:[EMAIL PROTECTED] X-Envelope-To: [EMAIL PROTECTED] From [EMAIL PROTECTED] Mon Aug 21 13:54:02 2006 Return-Path: [EMAIL PROTECTED] Delivered-To: jphekman-arborius:[EMAIL PROTECTED] X-Envelope-To: [EMAIL PROTECTED] Received: (qmail 88561 invoked from network); 21 Aug 2006 13:54:02 - Received: from localhost.pair.com (HELO misilay.pair.com) (127.0.0.1) by localhost.pair.com with SMTP; 21 Aug 2006 13:54:02 - Received: from mail.apache.org (hermes.apache.org [209.237.227.199]) by misilay.pair.com (Postfix) with SMTP id 2F108C9397 for [EMAIL PROTECTED]; Mon, 21 Aug 2006 09:54:02 -0400 (EDT) Received: (qmail 59925 invoked by uid 500); 21 Aug 2006 13:54:01 - Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm List-Help: mailto:[EMAIL PROTECTED] List-Post: mailto:users@spamassassin.apache.org List-Subscribe: mailto:[EMAIL PROTECTED] Date: 21 Aug 2006 13:54:01 - Message-ID: [EMAIL PROTECTED] From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Delivered-To: responder for users@spamassassin.apache.org Received: (qmail 59916 invoked by uid 99); 21 Aug 2006 13:54:01 - Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Aug 2006 06:54:01 -0700 Received: from [66.92.76.133] (HELO pendaran.arborius.net) (66.92.76.133) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Aug 2006 06:53:59 -0700 Received: by pendaran.arborius.net (Postfix, from userid 1001) id 0B547F2D21; Mon, 21 Aug 2006 09:53:39 -0400 (EDT) Received: by pendaran.arborius.net (tmda-sendmail, from uid 1001); Mon, 21 Aug 2006 09:53:38 -0400 (EDT) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii List-Unsubscribe: mailto:[EMAIL PROTECTED] Subject: WELCOME to users@spamassassin.apache.org SA's headers after processing were: X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on misilay.pair.com X-Spam-Level: X-Spam-Status: Yes, score=4.4 required=3.5 tests=MISSING_HB_SEP, MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE autolearn=no version=3.1.3 X-Spam-Report: * -0.0 NO_RELAYS Informational: message was not relayed via SMTP * 2.5 MISSING_HB_SEP Missing blank line between message header and body * 1.7 MISSING_SUBJECT Missing Subject: header * -0.0 NO_RECEIVED Informational: message has no Received headers * 0.1 TO_CC_NONE No To: or Cc: header Thanks for any help you can give! Jessica
Re: MISSING_SUBJECT always matching
hi Jessica -- I would suggest checking line endings -- that's a classic symptom of \r\n being used where other parts of the mail delivery pipeline are expecting \n. --j. Jessica Perry Hekman writes: Hi all. I just started using spamassassin for the first time. It's marking everything as spam, because MISSING_SUBJECT is always matching, although the mail does have Subject: lines. I searched the archives, and found mail from someone else in 2005 with this problem. The suggestion there was that perhaps the headers were garbled so that SA wasn't parsing them properly. I looked at the incoming headers and see nothing wrong -- here are the headers for the mail confirming my subscription to this list (which was marked as spam due to MISSING_SUBJECT and MISSING_TO and other things): From [EMAIL PROTECTED] Mon Aug 21 13:54:02 2006 Return-Path: [EMAIL PROTECTED] Delivered-To: jphekman-arborius:[EMAIL PROTECTED] X-Envelope-To: [EMAIL PROTECTED] From [EMAIL PROTECTED] Mon Aug 21 13:54:02 2006 Return-Path: [EMAIL PROTECTED] Delivered-To: jphekman-arborius:[EMAIL PROTECTED] X-Envelope-To: [EMAIL PROTECTED] Received: (qmail 88561 invoked from network); 21 Aug 2006 13:54:02 - Received: from localhost.pair.com (HELO misilay.pair.com) (127.0.0.1) by localhost.pair.com with SMTP; 21 Aug 2006 13:54:02 - Received: from mail.apache.org (hermes.apache.org [209.237.227.199]) by misilay.pair.com (Postfix) with SMTP id 2F108C9397 for [EMAIL PROTECTED]; Mon, 21 Aug 2006 09:54:02 -0400 (EDT) Received: (qmail 59925 invoked by uid 500); 21 Aug 2006 13:54:01 - Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm List-Help: mailto:[EMAIL PROTECTED] List-Post: mailto:users@spamassassin.apache.org List-Subscribe: mailto:[EMAIL PROTECTED] Date: 21 Aug 2006 13:54:01 - Message-ID: [EMAIL PROTECTED] From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Delivered-To: responder for users@spamassassin.apache.org Received: (qmail 59916 invoked by uid 99); 21 Aug 2006 13:54:01 - Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Aug 2006 06:54:01 -0700 Received: from [66.92.76.133] (HELO pendaran.arborius.net) (66.92.76.133) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Aug 2006 06:53:59 -0700 Received: by pendaran.arborius.net (Postfix, from userid 1001) id 0B547F2D21; Mon, 21 Aug 2006 09:53:39 -0400 (EDT) Received: by pendaran.arborius.net (tmda-sendmail, from uid 1001); Mon, 21 Aug 2006 09:53:38 -0400 (EDT) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii List-Unsubscribe: mailto:[EMAIL PROTECTED] Subject: WELCOME to users@spamassassin.apache.org SA's headers after processing were: X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on misilay.pair.com X-Spam-Level: X-Spam-Status: Yes, score=4.4 required=3.5 tests=MISSING_HB_SEP, MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE autolearn=no version=3.1.3 X-Spam-Report: * -0.0 NO_RELAYS Informational: message was not relayed via SMTP * 2.5 MISSING_HB_SEP Missing blank line between message header and body * 1.7 MISSING_SUBJECT Missing Subject: header * -0.0 NO_RECEIVED Informational: message has no Received headers * 0.1 TO_CC_NONE No To: or Cc: header Thanks for any help you can give! Jessica
Re: MISSING_SUBJECT always matching
Well, that got me going in the right direction -- it sounded reasonable so I started mucking with some messages that had come in, and what I discovered is that all incoming messages were getting two copies of their From: lines written, one with a preceding . I imagine SA reaches that and decides it's all done with headers. My next step would be to figure out who's putting in that From line -- qmail? procmail? But that wouldn't seem to be this list's problem. Thanks very much! Jessica On Mon, Aug 21, 2006 at 06:57:27PM +0100, Justin Mason wrote: hi Jessica -- I would suggest checking line endings -- that's a classic symptom of \r\n being used where other parts of the mail delivery pipeline are expecting \n. --j. Jessica Perry Hekman writes: Hi all. I just started using spamassassin for the first time. It's marking everything as spam, because MISSING_SUBJECT is always matching, although the mail does have Subject: lines. I searched the archives, and found mail from someone else in 2005 with this problem. The suggestion there was that perhaps the headers were garbled so that SA wasn't parsing them properly. I looked at the incoming headers and see nothing wrong -- here are the headers for the mail confirming my subscription to this list (which was marked as spam due to MISSING_SUBJECT and MISSING_TO and other things): From [EMAIL PROTECTED] Mon Aug 21 13:54:02 2006 Return-Path: [EMAIL PROTECTED] Delivered-To: jphekman-arborius:[EMAIL PROTECTED] X-Envelope-To: [EMAIL PROTECTED] From [EMAIL PROTECTED] Mon Aug 21 13:54:02 2006 Return-Path: [EMAIL PROTECTED] Delivered-To: jphekman-arborius:[EMAIL PROTECTED] X-Envelope-To: [EMAIL PROTECTED] Received: (qmail 88561 invoked from network); 21 Aug 2006 13:54:02 - Received: from localhost.pair.com (HELO misilay.pair.com) (127.0.0.1) by localhost.pair.com with SMTP; 21 Aug 2006 13:54:02 - Received: from mail.apache.org (hermes.apache.org [209.237.227.199]) by misilay.pair.com (Postfix) with SMTP id 2F108C9397 for [EMAIL PROTECTED]; Mon, 21 Aug 2006 09:54:02 -0400 (EDT) Received: (qmail 59925 invoked by uid 500); 21 Aug 2006 13:54:01 - Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm List-Help: mailto:[EMAIL PROTECTED] List-Post: mailto:users@spamassassin.apache.org List-Subscribe: mailto:[EMAIL PROTECTED] Date: 21 Aug 2006 13:54:01 - Message-ID: [EMAIL PROTECTED] From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Delivered-To: responder for users@spamassassin.apache.org Received: (qmail 59916 invoked by uid 99); 21 Aug 2006 13:54:01 - Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Aug 2006 06:54:01 -0700 Received: from [66.92.76.133] (HELO pendaran.arborius.net) (66.92.76.133) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Aug 2006 06:53:59 -0700 Received: by pendaran.arborius.net (Postfix, from userid 1001) id 0B547F2D21; Mon, 21 Aug 2006 09:53:39 -0400 (EDT) Received: by pendaran.arborius.net (tmda-sendmail, from uid 1001); Mon, 21 Aug 2006 09:53:38 -0400 (EDT) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii List-Unsubscribe: mailto:[EMAIL PROTECTED] Subject: WELCOME to users@spamassassin.apache.org SA's headers after processing were: X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on misilay.pair.com X-Spam-Level: X-Spam-Status: Yes, score=4.4 required=3.5 tests=MISSING_HB_SEP, MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE autolearn=no version=3.1.3 X-Spam-Report: * -0.0 NO_RELAYS Informational: message was not relayed via SMTP * 2.5 MISSING_HB_SEP Missing blank line between message header and body * 1.7 MISSING_SUBJECT Missing Subject: header * -0.0 NO_RECEIVED Informational: message has no Received headers * 0.1 TO_CC_NONE No To: or Cc: header Thanks for any help you can give! Jessica
Re: MISSING_SUBJECT always matching
Jessica Perry Hekman writes: Hi all. I just started using spamassassin for the first time. It's marking everything as spam, because MISSING_SUBJECT is always matching, although the mail does have Subject: lines. Btw, the last time the very same thing happened to me was because of an unrelated mistake in the local.cf file. Always check the configuration with: spamassassin --lint Mark
MISSING_SUBJECT always firing
Hi everyone, I'm running SA 3.02 for a few weeks now together with amavisd-new-20030616 and it seems that MISSING_SUBJECT is firing on every mail even if there is a Subject: header and it's not empty. Has anyone experienced this problem or have an idea whats going on? I've googled around some, but not found much. -- Shawn Beairsto Network Administrator Data Kinetics Ltd. http://www.dkl.com
