Mailspike rules all return 0.0
Hello,

I have noticed that the mailspike rules are enabled in SpamAssassin but
all return zero values:

0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)

etc.

Please can you tell me where in the SpamAssassin configuration I find
the setting(s) that need to be changed such that non-zero values are
returned.
I have been receiving large quantities of spam that instead of just
being flagged as spam would have met the conditions for being rejected
completely if either of the mailspike values had been 0.1 or greater.

Thanks in advance,
Simon
Re: Mailspike rules all return 0.0
On Debian based systems these rules are probably in
/usr/share/spamassassin. However you should not modify these rules but
rather overwrite the scoring.

You can do this in /etc/spamassassin/local.cf, just add
something like this:

score RCVD_IN_MSPIKE_BL 0 4 0 4
score RCVD_IN_MSPIKE_L5 0 4 0 4

This would add 4 points to the scoring when these rules matched.

On Wed, Jul 29, 2020 at 3:28 PM Simon Harwood <simon@simonharwood.co.uk>
wrote:

> Hello,
>
> I have noticed that the mailspike rules are enabled in SpamAssassin but
> all return zero values:
>
> 0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
> 0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)
>
> etc.
>
> Please can you tell me where in the SpamAssassin configuration I find
> the setting(s) that need to be changed such that non-zero values are
> returned.
> I have been receiving large quantities of spam that instead of just
> being flagged as spam would have met the conditions for being rejected
> completely if either of the mailspike values had been 0.1 or greater.
>
> Thanks in advance,
> Simon
>
>
Re: Mailspike rules all return 0.0
Thank you.
I will give that a go.


On 29/07/2020 02:43 pm, Claudio Kuenzler wrote:
> On Debian based systems these rules are probably in
> /usr/share/spamassassin. However you should not modify these rules but
> rather overwrite the scoring.
>
> You can do this in /etc/spamassassin/local.cf, just add
> something like this:
>
> score RCVD_IN_MSPIKE_BL 0 4 0 4
> score RCVD_IN_MSPIKE_L5 0 4 0 4
>
> This would add 4 points to the scoring when these rules matched.
>
> On Wed, Jul 29, 2020 at 3:28 PM Simon Harwood <simon@simonharwood.co.uk>
> wrote:
>
>> Hello,
>>
>> I have noticed that the mailspike rules are enabled in SpamAssassin but
>> all return zero values:
>>
>> 0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
>> 0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)
>>
>> etc.
>>
>> Please can you tell me where in the SpamAssassin configuration I find
>> the setting(s) that need to be changed such that non-zero values are
>> returned.
>> I have been receiving large quantities of spam that instead of just
>> being flagged as spam would have met the conditions for being rejected
>> completely if either of the mailspike values had been 0.1 or greater.
>>
>> Thanks in advance,
>> Simon
>>
>>
>
Re: Mailspike rules all return 0.0
On Wed, 29 Jul 2020 15:43:09 +0200
Claudio Kuenzler wrote:

> On Debian based systems these rules are probably in
> /usr/share/spamassassin. However you should not modify these rules but
> rather overwrite the scoring.
>
> You can do this in /etc/spamassassin/local.cf,
> just add something like this:
>
> score RCVD_IN_MSPIKE_BL 0 4 0 4
> score RCVD_IN_MSPIKE_L5 0 4 0 4
>
> This would add 4 points to the scoring when these rules matched.

Note that RCVD_IN_MSPIKE_BL is implied by RCVD_IN_MSPIKE_L5.
Re: Mailspike rules all return 0.0
On 29 Jul 2020, at 9:27, Simon Harwood wrote:

> Hello,
>
> I have noticed that the mailspike rules are enabled in SpamAssassin but
> all return zero values:
>
> 0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
> 0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)

This is actually a rounding issue: all RCVD_IN_MSPIKE_* rules are being
scored at +/- 0.001 by RuleQA so the score report rounds it to 0.0. They
are rescored that way because they are not hitting anything in the
submitted corpora but have scores set in the static scores list.

That MAY indicate a bug in RuleQA, since I don't believe that "net"
rules like these should be rescored by RuleQA. Perhaps someone more
familiar with the mechanics of RuleQA will correct me...


> Please can you tell me where in the SpamAssassin configuration I find
> the setting(s) that need to be changed such that non-zero values are
> returned.
> I have been receiving large quantities of spam that instead of just
> being flagged as spam would have met the conditions for being rejected
> completely if either of the mailspike values had been 0.1 or greater.

As Claudio said, local.cf is the place. Where your local.cf should be
depends on how your SpamAssassin was built, but there should be a
baseline version in the site rules directory. You can find that with:

spamassassin --lint -D config 2>&1 |grep 'site rules dir'


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
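
Added example, not part of the thread and not SpamAssassin's own code: a short Python script that resolves "score" lines the way the replies above describe, showing why 0.001 is reported as 0.0 and in which score sets the suggested local.cf override takes effect. The stock score lines are constructed stand-ins for the distributed values; parse_scores, report and total_for_hits are hypothetical helper names.

```python
# Score sets for a four-value score line: 0 = no Bayes, no net; 1 = net only;
# 2 = Bayes only; 3 = Bayes + net. A single value applies to all four sets.

STOCK = """\
# constructed stand-in for the distributed scores described in the thread
score RCVD_IN_MSPIKE_BL 0.001
score RCVD_IN_MSPIKE_L5 0.001
"""
LOCAL = """\
# override from the thread, as it would appear in local.cf
score RCVD_IN_MSPIKE_BL 0 4 0 4
score RCVD_IN_MSPIKE_L5 0 4 0 4
"""

def parse_scores(text, table=None):
    """Apply score lines in order; a later line replaces an earlier one."""
    table = dict(table or {})
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) not in (3, 6) or tokens[0] != "score":
            continue
        try:
            values = [float(t) for t in tokens[2:]]
        except ValueError:
            continue  # relative "(n.n)" adjustments are not handled here
        table[tokens[1]] = values * 4 if len(values) == 1 else values
    return table

def report(table, scoreset):
    """Return (rule, score, shown, state) rows for one score set."""
    rows = []
    for name in sorted(table):
        score = table[name][scoreset]
        shown = format(score, ".1f")  # the report in the thread shows one decimal
        if score == 0:
            state = "disabled"        # a zero score stops the rule from running
        elif shown in ("0.0", "-0.0"):
            state = "shows-as-0.0"
        else:
            state = "active"
        rows.append((name, score, shown, state))
    return rows

def total_for_hits(table, scoreset, hits):
    """Sum the scores of the rules that hit on one message."""
    return sum(table[name][scoreset] for name in hits if name in table)

if __name__ == "__main__":
    merged = parse_scores(LOCAL, parse_scores(STOCK))
    print(report(parse_scores(STOCK), 3), report(merged, 3), sep="\n")
```

With the override applied, score sets 0 and 2 (network tests off) stay at zero, and a message that hits both rules, as an L5 listing does, collects 8 points in score sets 1 and 3.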
Re: Mailspike rules all return 0.0
Bill Cole wrote:
> On 29 Jul 2020, at 9:27, Simon Harwood wrote:
>
>> Hello,
>>
>> I have noticed that the mailspike rules are enabled in SpamAssassin but
>> all return zero values:
>>
>> 0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
>> 0.0 RCVD_IN_MSPIKE_L5      RBL: Very bad reputation (-5)
>
> This is actually a rounding issue: all RCVD_IN_MSPIKE_* rules are being
> scored at +/- 0.001 by RuleQA so the score report rounds it to 0.0. They
> are rescored that way because they are not hitting anything in the
> submitted corpora but have scores set in the static scores list.
>
> That MAY indicate a bug in RuleQA, since I don't believe that "net"
> rules like these should be rescored by RuleQA. Perhaps someone more
> familiar with the mechanics of RuleQA will correct me...

I can't say about a RuleQA bug, but when these were first added I
investigated to see if they'd be worth a datafeed.

For our mail flow, they hit on a fair bit of mail.... but nearly all of
the messages were pretty strongly ham or spam without the MailSpike
hits, and they weren't hitting the intermediate mail, so I disabled them
all.

A quick crude eyeball through my personal domain's mail log (runs nearly
pure stock SA modulo minor Debianisms) shows plenty of hits, but the ham
is already strongly hammy (scores 0 to -10 or so) and the spam is
strongly spammy (only a light sprinkling at 9, and most of them close to
or over 20).

-kgd