On 8/15/2014 4:19 PM, Axb wrote:
On 08/15/2014 10:07 PM, Bowie Bailey wrote:
On 8/15/2014 3:05 PM, Alex wrote:
Hi,
AXB_X_FF_SEZ_S is a rule that fires when the
X-Forefront-Antispam-Report header is found. I have a sample which has
this header, yet the rule doesn't fire, and wondered if someone could
help me figure out why:
http://pastebin.com/vRQXxgJH
I'm using spamassassin-3.4, and I tested it on another spam (from
the quarantine, where it had already fired) and it was triggered there
just fine.
##{ AXB_X_FF_SEZ_S
header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~
/^SFV\:SPM/
describe AXB_X_FF_SEZ_S Forefront sez this is spam
##} AXB_X_FF_SEZ_S
##{ AXB_X_FF_SEZ_S if (version >= 3.004000)
if (version >= 3.004000)
tflags AXB_X_FF_SEZ_S autolearn_force
endif
##} AXB_X_FF_SEZ_S if (version >= 3.004000)
This is also one of those short-body URI spams, so I hoped it would
have been caught just based on that, so ideas on what else is missing
would also be appreciated...
Works for me. I added your rule and tested it against your sample...
* 1.0 AXB_X_FF_SEZ_S Forefront sez this is spam
Are you sure you put the rule in the right place and reloaded spamd?
Thanks for checking for me. This is even when running spamassassin -t
directly.
Hmm.. I'm looking at it more closely, and even the rule as it appears
above, and it has no score.
What file is the score supposed to be in, 72_scores.cf
<http://72_scores.cf>? My 72_scores.cf <http://72_scores.cf> is dated
Jul 28th.
# ls -l 72_scores.cf <http://72_scores.cf>
-rw-r--r-- 1 root root 8174 Jul 28 04:49 72_scores.cf
<http://72_scores.cf>
# md5sum 72_scores.cf <http://72_scores.cf>
9f82b967a373e44a373c3be30ad21e23 72_scores.cf <http://72_scores.cf>
This isn't one of the stock rules, so it shouldn't be in that file (or
directory). The files there (/var/lib/spamassassin/3.004000/ on my
system) are stock rules and any manual changes will be squashed by
sa_update.
Custom rules (and their scores) should go in local.cf (or another *.cf
file) in your local rules directory (/etc/mail/spamassassin/ on my system).
Rules with no score assigned are automatically scored at 1.0.
This is a sandbox rule which was autopromoted/published by sa-update.
Due to lack of hits I removed it and re-added back yesterday.
It may be republished if masschecks decide it is worth it.
Ok. I didn't recognize the prefix and didn't find it in my rules
directory, so I assumed it was custom.
Since you removed it, it is possible that the rule wasn't hitting for
the OP because he ran sa_update and the rule was removed.
--
Bowie
