On Wed, 6 Feb 2013, Eliezer Croitoru wrote:
Thanks,
I have checked the suggested rules like this:
header FROM_FORM From =~ /spamadmin\@ngtech.co.il/i
score FROM_FORM -0.1
body __HBRW_ENCODING /charset=\"windows-1255\"/
The fact that the charset= isn't a body part has already been mentioned.
score __HBRW_ENCODING -0.1
Subrules (those beginning with __) are not scored. Those score lines have
no effect, and should probably be removed to avoid confusion that they
actually *do* have an effect.
body __HBRW_CHARS /[\xC0-\xCB\xCD-\xDB\xDF-\xFB]?/
score __HBRW_CHARS -0.1
tflags __HBRW_CHARS multiple
body __TOTAL_CHARS /[\x30-\x39\x41-\x5A\x61-\x7A\x80-\xFF]?/
score __TOTAL_CHARS -0.1
#body __TOTAL_CHARS /\S/
tflags __TOTAL_CHARS multiple
#since there is a possibility of dividing by zero I added the + 1 which
suppose to be harmless in this kind email sizes.
meta __HBRW_PCT ( (__HBRW_CHARS * 100) / (__TOTAL_CHARS + 1 ) )
score __HBRW_PCT -0.1
#tried this to make sure one thing or another dosn't work.
meta HBRW_SPAM FROM_FORM && __HBRW_ENCODING
# disabled after the basic tests didn't worked.
# meta HBRW_SPAM (__HBRW_PCT < 1) && FROM_FROM && __HBRW_ENCODING
score HBRW_SPAM 10.3
Typo. s/b FROM_FORM. Perhaps that's why this version of the rule didn't
work.
Suggestion: when doing rule development, always run a lint test. See the
SpamAssassin man page for details.
That would also tell you whether the math and the less-than comparison are
syntactically valid.
The only part which is being logged by SA in headers is the FROM_FORM rule.
Right. The only way to see whether subrules hit is to run SA in debug mode
with the "--debug area=rules" option
example:
X-Spam-Status: No, score=2.322 tagged_above=2 required=6.2
tests=[FROM_FORM_IL=-0.1, FROM_ILLEGAL_CHARS=2.059,
NORMAL_HTTP_TO_IP=0.001, RDNS_DYNAMIC=0.363, SPF_PASS=-0.001]
autolearn=no
so i'm kind of do not understand what's wrong.
I have tried couple ways to find Hebrew encoding.
I understood it's a part of the body and not a header so, maybe there is
something I dont understand or know about it?
The typo is the most obvious problem. Second is looking for the encoding
in the body, as it *is* a header, either in the main message headers or in
a MIME body part header.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Microsoft is not a standards body.
-----------------------------------------------------------------------
6 days until Abraham Lincoln's and Charles Darwin's 204th Birthdays
