On Fri, 2011-02-18 at 14:04 -0800, Adam Katz wrote:
> On 02/18/2011 01:46 PM, Michelle Konzack wrote:
> > Since three weeks the Debian Mailinglist are hit by several 1000 Russian
> > DOTinfo spams and spamassassin score this crap with -4

Spam scoring -4. The .info URI is not your problem, neither the full
solution. It might help in the end, but for now I'd bark up the other
tree...

> > Does someone have a working rule for this crap?

At the very least, you should provide the rules hit. There's something
wrong with that already.

> > I tried :
> >
> >   describe TD_INFO dot info spam
> >   body __TD_INFO /http:\/\/.*\.info/i
> >   score TD_INFO 4.0
> >
> > but it does not work.
>
> And thank goodness for that, your rule is WAAAAAY too broad to be useful
> as it blocks the ENTIRE .info top-level domain (a very bad idea).

It is even a lot worse than that. *boggle*

The reason that blob doesn't work is simple. The actual rule is not even
defined -- but at least you documented your code by giving it a
description. ;)

The non-scoring (double underscore) sub-rule is defined, but essentially
useless. Unless you actually meta it somewhere outside the blob you
pasted.

Anyway, there are some fundamental problems with that rule, which
seriously need to be fixed first. It is a *body* rule, not limited to
URIs. And there's a runaway wildcard that happily makes the rule accept
any 'http://' with the string '.info' following in the same paragraph. It
accepts *anything* between these two strings, including whitespace. Not
even mentioning the missing bounds at the beginning and end of the RE.

> If you really want to do something that bold, at least limit it to the
> debian list (note, that list-id is a guess, check your headers):
>
> header __TD_DEB_LIST List-Id =~ /<debian-user.lists.debian.org>/
> uri __TD_DOT_INFO m'^http://[^/]*\.info[/:?#]'i

Way better. And actually a uri rule. :)

It's missing a bare domain URI, though. The "end of the domain part"
sub-RE alternatively should accept the end of the string.

  / ... \.info(?:[/:?#]|$)/

> meta TD_DEB_INFO __TD_DEB_LIST && __TD_DOT_INFO
> score TD_DEB_INFO 1.0
>
> Check the SA rules it hits and add them as dependencies to that meta if
> you want to increase the score; if it previously got a -4 score, it had
> to hit some rule to do that.
>
> Again, even this safer rule seems to be the wrong approach. I suspect
> you have a custom rule that is the source of the problem. Can you post
> the offending message to a pastebin? The scoring breakdown would also
> be useful (re-run the message with `spamassassin -t <filename`)

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
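
The three patterns discussed in this message, compared side by side in an added example that is not part of the original thread. It uses Python's `re` in place of SpamAssassin's Perl regexes (these patterns behave the same in both). Assumptions: the paragraphs, URIs and `pills-example.info` are constructed samples, the URI list stands in for SpamAssassin's own URI extraction, and the third pattern joins the quoted rule's prefix to the suggested ending where the reply wrote "...".

```python
import re

# Regexes from the thread, rewritten in Python's re syntax.
BODY_BROAD = re.compile(r"http://.*\.info", re.I)             # body __TD_INFO
URI_QUOTED = re.compile(r"^http://[^/]*\.info[/:?#]", re.I)   # uri __TD_DOT_INFO
# Assumption: the elided "..." in the reply stands for the quoted rule's prefix.
URI_BARE_OK = re.compile(r"^http://[^/]*\.info(?:[/:?#]|$)", re.I)
LIST_ID = re.compile(r"<debian-user.lists.debian.org>")       # header __TD_DEB_LIST

# Constructed samples: (rendered paragraph, URIs a parser would extract from it).
SAMPLES = {
    "ham_text": ("Docs live at http://www.debian.org/doc/ and in the gcc.info file.",
                 ["http://www.debian.org/doc/"]),
    "spam_bare": ("Best prices http://pills-example.info",
                  ["http://pills-example.info"]),
    "spam_path": ("Best prices http://pills-example.info/buy?id=1",
                  ["http://pills-example.info/buy?id=1"]),
}

def evaluate(paragraph, uris):
    """Return which of the three patterns fire for one paragraph and its URIs."""
    return {
        # Body rule: runs over the whole paragraph, so the wildcard can span words.
        "body_broad": bool(BODY_BROAD.search(paragraph)),
        # URI rules: run over each extracted URI, anchored at its start.
        "uri_quoted": any(URI_QUOTED.search(u) for u in uris),
        "uri_bare_ok": any(URI_BARE_OK.search(u) for u in uris),
    }

def td_deb_info(list_id_header, uris, uri_re=URI_BARE_OK):
    """Meta from the thread: fires only on list mail that carries a .info URI."""
    on_list = bool(LIST_ID.search(list_id_header))
    return on_list and any(uri_re.search(u) for u in uris)

if __name__ == "__main__":
    for name, (para, uris) in SAMPLES.items():
        print(name, evaluate(para, uris))
```

The body pattern fires on the legitimate paragraph because `.*` bridges from the debian.org link to the unrelated `gcc.info`, while the quoted uri pattern misses the bare-domain URI that the end-of-string alternative catches.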