Re: tflags multiple and header exists:

2015-09-29 Thread Philip Prindeville

On Sep 29, 2015, at 10:09 AM, Philip Prindeville wrote:

> Can you use something like:
> 
> header __L_X_NO_RELAY exists:X-No-Relay
> tflags __L_X_NO_RELAY multiple

Actually, that should probably be bounded to something like:

tflags __L_X_NO_RELAY   multiple maxhits=10


> 
> meta MULTIPLE_X_NO_RELAY  __L_X_NO_RELAY >= 8
> describe MULTIPLE_X_NO_RELAY  Saw an inordinate number of X-No-Relay: headers
> score MULTIPLE_X_NO_RELAY 10.0
> 
> I couldn’t get the first 2 lines to work together.  I had to resort to:
> 
> header __L_X_NO_RELAY ALL =~ /^x-no-relay:/msi
> 
> instead for the first line.  Is this a known constraint?
> 
> -Philip
> 



Re: tflags multiple and header exists:

2015-09-29 Thread John Hardin

On Tue, 29 Sep 2015, Philip Prindeville wrote:


> Can you use something like:
>
> header __L_X_NO_RELAY   exists:X-No-Relay


Are you seeing empty X-No-Relay headers? How about:

  header __HAS_NO_RELAY   X-No-Relay =~ /./

...which is in my sandbox, but just for eval, it's not scored yet:

http://ruleqa.spamassassin.org/20150926-r1705400-n/__HAS_NO_RELAY/detail


> tflags __L_X_NO_RELAY   multiple
>
> meta MULTIPLE_X_NO_RELAY   __L_X_NO_RELAY >= 8


If you're doing that, do TFLAGS multiple, maxhits=9

I'll add this to my sandbox.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  I'm seriously considering getting one of those bright-orange prison
  overalls and stencilling PASSENGER on the back. Along with the paper
  slippers, I ought to be able to walk right through security.
 -- Brian Kantor in a.s.r
---


tflags multiple and header exists:

2015-09-29 Thread Philip Prindeville
Can you use something like:

header __L_X_NO_RELAY   exists:X-No-Relay
tflags __L_X_NO_RELAY   multiple

meta MULTIPLE_X_NO_RELAY   __L_X_NO_RELAY >= 8
describe MULTIPLE_X_NO_RELAY   Saw an inordinate number of X-No-Relay: headers
score MULTIPLE_X_NO_RELAY   10.0

I couldn’t get the first 2 lines to work together.  I had to resort to:

header __L_X_NO_RELAY   ALL =~ /^x-no-relay:/msi

instead for the first line.  Is this a known constraint?

-Philip



Re: tflags multiple and header exists:

2015-09-29 Thread John Hardin

On Tue, 29 Sep 2015, John Hardin wrote:


> On Tue, 29 Sep 2015, Philip Prindeville wrote:
>
>> Can you use something like:
>>
>> header __L_X_NO_RELAY   exists:X-No-Relay


> Are you seeing empty X-No-Relay headers? How about:
>
>  header __HAS_NO_RELAY   X-No-Relay =~ /./


Oops. If you're going to multiple that, do this:

  header __HAS_NO_RELAY   X-No-Relay =~ /^./


> ...which is in my sandbox, but just for eval, it's not scored yet:
>
> http://ruleqa.spamassassin.org/20150926-r1705400-n/__HAS_NO_RELAY/detail
>
>> tflags __L_X_NO_RELAY   multiple
>>
>> meta MULTIPLE_X_NO_RELAY   __L_X_NO_RELAY >= 8
>
> If you're doing that, do TFLAGS multiple, maxhits=9
>
> I'll add this to my sandbox.




Re: tflags multiple and header exists:

2015-09-29 Thread John Hardin

On Tue, 29 Sep 2015, Philip Prindeville wrote:


> Can you use something like:
>
> header __L_X_NO_RELAY   exists:X-No-Relay
> tflags __L_X_NO_RELAY   multiple


See also DUP_SUSP_HDR, which is in my sandbox but isn't performing well 
enough against the corpora to get published:


http://ruleqa.spamassassin.org/20150926-r1705400-n/%2FDUP_SUSP_HDR




Re: tflags multiple and header exists:

2015-09-29 Thread Philip Prindeville

On Sep 29, 2015, at 10:44 AM, John Hardin wrote:

> On Tue, 29 Sep 2015, Philip Prindeville wrote:
> 
>> Can you use something like:
>> 
>> header __L_X_NO_RELAY   exists:X-No-Relay
> 
> Are you seeing empty X-No-Relay headers? How about:

No, not empty.  Typically they say:

X-No-Relay: not in my network


> 
>  header __HAS_NO_RELAY   X-No-Relay =~ /./
> 
> ...which is in my sandbox, but just for eval, it's not scored yet:


No, that ends up matching once per character…  But /.*/ works.


> 
> http://ruleqa.spamassassin.org/20150926-r1705400-n/__HAS_NO_RELAY/detail
> 
>> tflags __L_X_NO_RELAY   multiple
>>
>> meta MULTIPLE_X_NO_RELAY   __L_X_NO_RELAY >= 8
> 
> If you're doing that, do TFLAGS multiple, maxhits=9
> 
> I'll add this to my sandbox.
> 



Re: tflags multiple and header exists:

2015-09-29 Thread John Hardin

On Tue, 29 Sep 2015, Philip Prindeville wrote:

> On Sep 29, 2015, at 10:44 AM, John Hardin wrote:
>
>> On Tue, 29 Sep 2015, Philip Prindeville wrote:
>>
>>> Can you use something like:
>>>
>>> header __L_X_NO_RELAY   exists:X-No-Relay
>>
>> Are you seeing empty X-No-Relay headers? How about:
>
> No, not empty.  Typically they say:
>
> X-No-Relay: not in my network


Yeah, multiples of that is what I was seeing too.

Memories are reviving. I don't think the tflags multiple for a 
single-header rule will work, as SA collapses identical headers. It has to 
be a header ALL rule. That's why I did DUP_SUSP_HDR. Unfortunately that's 
not seen enough in the masscheck corpus to be scored and published.


The "collapse multiple identical headers" is probably why the multiple 
exists doesn't work.



> No, that ends up matching once per character…  But /.*/ works.


Yeah, oops.

/^./ would be a bit more efficient.

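To make the two counting effects in this thread concrete (a single-header `/./` rule under `tflags multiple` scoring once per character versus `/^./` once, and a `header ALL` rule counting each X-No-Relay: line and being bounded by `maxhits`), here is an added Python simulation. It is not SpamAssassin's code: it emulates the hit counting with `re.findall` on a constructed header block, and the "identical headers collapse to one value" behaviour is modelled only as the thread reports it.

```python
import re

# Constructed sample header block (not a real capture): nine identical
# X-No-Relay: headers of the kind described in the thread.
SAMPLE_HEADERS = "\n".join(
    ["Received: from mx.example.test by mail.example.test (constructed)",
     "From: sender@example.test"]
    + ["X-No-Relay: not in my network"] * 9
    + ["Subject: constructed sample"]
)


def count_hits(pattern, text, flags=0, maxhits=None):
    """Emulate a rule with 'tflags multiple': every match of the regex
    counts as one hit, and 'maxhits=N' stops the count at N."""
    hits = len(re.findall(pattern, text, flags))
    return hits if maxhits is None else min(hits, maxhits)


def collapsed_header_value(headers, name):
    """Emulate what the thread reports for a single-header rule: identical
    instances of the named header collapse, so the rule sees one value.
    (Simplified model, not SpamAssassin's actual header handling.)"""
    for line in headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return ""


def single_header_counts(headers):
    """Hit counts the single-header forms from the thread would produce."""
    value = collapsed_header_value(headers, "X-No-Relay")
    return {
        "dot": count_hits(r".", value),                 # /./  : one hit per character
        "anchored_dot": count_hits(r"^.", value, re.M),  # /^./ : one hit per line
    }


def multiple_x_no_relay(headers, threshold=8, maxhits=9):
    """The thread's 'header ALL =~ /^x-no-relay:/msi' form with
    'tflags multiple maxhits=9' and 'meta ... >= 8': returns (hits, fired)."""
    hits = count_hits(r"^x-no-relay:", headers, re.M | re.S | re.I, maxhits)
    return hits, hits >= threshold


if __name__ == "__main__":
    print(single_header_counts(SAMPLE_HEADERS))   # {'dot': 17, 'anchored_dot': 1}
    print(multiple_x_no_relay(SAMPLE_HEADERS))    # (9, True)
```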