
Certain rules with zero value
Greetings -

I'm finalizing my ansible playbook for building up a nice mail system
with all the goodies, with spamassassin being very central to it all. I
have a test server set up in Azure that I run tests with using swaks
(great tool). I push both ham and spam to it, with and without the old
system spamassassin markup.

The spamassassin on the test box is only trained with my current Inbox
(3k) and spam (13k) folders, not yet with Trash (15k non-spam) or older
Inbox (5k).

I just noticed a few rules that are firing, but have zero value, and
they seem like fairly important rules ... For example, this is a spam
with no markup, where NO_DNS_FOR_FROM and SPF_NONE have zero.

> ==== ====================== ==================================================
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.4998]
>  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
>                             mail domains are different
>  3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
>                             [46.2.54.2 listed in zen.spamhaus.org]
>  3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>  0.4 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>  0.0 NO_DNS_FOR_FROM        DNS: ENVELOPE SENDER HAS NO MX OR A DNS RECORDS
> -0.5 FROM_IS_REPLY_TO       From and REPPLY-TO is the same
>  0.0 SPF_NONE               SPF: SENDER DOES NOT PUBLISH AN SPF RECORD
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
>                             anti-forgery methods
>  0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
>                             Alignment

I tested against the old tired system, and the same two rules fire, also
with zero value. Is this something I should be setting a value for
myself ? I'm not sure what values to put, but it feels like if someone
doesn't bother to set up SPF, or their sending domain has no MX/A
records then they don't deserve to be sending ...

What is the KAM_DMARC_STATUS rule for ? Also zero.

Heh, the FROM_IS_REPLY_TO description has a slight typo ...

--
Dean Carpenter
deano is at areyes dot com
Re: Certain rules with zero value
On 18 Nov 2020, at 9:44, Dean Carpenter wrote:

> Greetings -
>
> I'm finalizing my ansible playbook for building up a nice mail system
> with all the goodies, with spamassassin being very central to it all. I
> have a test server set up in Azure that I run tests with using swaks
> (great tool). I push both ham and spam to it, with and without the old
> system spamassassin markup.
>
> The spamassassin on the test box is only trained with my current Inbox
> (3k) and spam (13k) folders, not yet with Trash (15k non-spam) or older
> Inbox (5k).
>
> I just noticed a few rules that are firing, but have zero value, and
> they seem like fairly important rules ... For example, this is a spam
> with no markup, where NO_DNS_FOR_FROM and SPF_NONE have zero.

Scores in the rule-per-line report are truncated to a single decimal
place. Those rules have trivial non-zero scores to assure that they get
checked but they are not in themselves very meaningful. For example,
NO_DNS_FOR_FROM should probably never hit in SA, because any
well-configured MTA will reject that before the SMTP DATA phase.
SPF_NONE is also not a useful rule on its own but it may be of interest
for developing meta rules. Both of those are DNS-based so they are more
likely to hit when running an old mail corpus rather than live mail.
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Certain rules with zero value
On Wed, 18 Nov 2020 09:44:21 -0500
Dean Carpenter wrote:

> > 0.0 NO_DNS_FOR_FROM DNS: ENVELOPE SENDER HAS NO MX OR A DNS RECORDS
> > -0.5 FROM_IS_REPLY_TO From and REPPLY-TO is the same
> > 0.0 SPF_NONE SPF: SENDER DOES NOT PUBLISH AN SPF RECORD
>
> Heh, the FROM_IS_REPLY_TO description has a slight typo ...

FROM_IS_REPLY_TO is neither a standard rule nor a KAM rule.

Also the descriptions for a couple of the rules have been converted to
upper case.
Re: Certain rules with zero value
On 2020-11-18 1:45 pm, RW wrote:

> On Wed, 18 Nov 2020 09:44:21 -0500
> Dean Carpenter wrote:
>
> > > 0.0 NO_DNS_FOR_FROM DNS: ENVELOPE SENDER HAS NO MX OR A DNS RECORDS
> > > -0.5 FROM_IS_REPLY_TO From and REPPLY-TO is the same
> > > 0.0 SPF_NONE SPF: SENDER DOES NOT PUBLISH AN SPF RECORD
>
> > Heh, the FROM_IS_REPLY_TO description has a slight typo ...
>
> FROM_IS_REPLY_TO is neither a standard rule nor a KAM rule.
>
> Also the descriptions for a couple of the rules have been converted to
> upper case.

Ah, I totally forgot I pulled in the eXtremeshok rules to play with.

Hrm - test system status email

> /etc/cron.daily/spamassassin:
> Nov 19 06:30:11.784 [312057] info: rules: meta test KAM_NOTIFY2 has dependency 'KAM_IFRAME' with a zero score
> Nov 19 06:30:11.785 [312057] info: rules: meta test JMQ_CONGRAT has dependency 'KAM_RAPTOR_ALTERED' with a zero score
> Nov 19 06:30:11.790 [312057] info: rules: meta test KAM_BADPDF2 has dependency 'KAM_RPTR_SUSPECT' with a zero score
> Nov 19 06:30:11.794 [312057] info: rules: meta test KAM_CARD has dependency 'KAM_RPTR_SUSPECT' with a zero score
> Nov 19 06:30:11.797 [312057] info: rules: meta test KAM_REALLY_FAKE_DELIVER has dependency 'KAM_RPTR_PASSED' with a zero score
> Nov 19 06:30:11.801 [312057] info: rules: meta test KAM_JURY has dependency 'KAM_RAPTOR_ALTERED' with a zero score
> Nov 19 06:30:11.802 [312057] info: rules: meta test KAM_FAKE_DELIVER has dependency 'KAM_RAPTOR_ALTERED' with a zero score
Re: Certain rules with zero value
Those can be ignored. They are by design.
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Thu, Nov 19, 2020 at 9:26 AM Dean Carpenter <deano-spamassassin@areyes.com> wrote:
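As an added illustration of the two points made in this thread (Bill's note that rules such as SPF_NONE and NO_DNS_FOR_FROM carry a tiny non-zero score that the one-decimal report renders as 0.0 yet still gets evaluated and counted, and the cron "meta test X has dependency Y with a zero score" messages), here is a small Python model of the scoring. It is not SpamAssassin's own code; the score table and the LOCAL_* meta rules in it are constructed assumptions, not the values shipped in 50_scores.cf.

```python
import re

# Constructed score table (assumed values for illustration, not SA's shipped 50_scores.cf).
SCORES = {
    "BAYES_50": 2.5,
    "RCVD_IN_SBL_CSS": 3.3,
    "NO_DNS_FOR_FROM": 0.001,  # tiny but non-zero: the rule still runs and still adds up
    "SPF_NONE": 0.001,         # same; useful mainly as a meta-rule building block
    "KAM_IFRAME": 0.0,         # literal zero: the case the lint message on this page reports
    "LOCAL_NOAUTH_NODNS": 1.0,
    "LOCAL_NOTIFY_IFRAME": 0.5,
}

# Constructed meta rules written in SpamAssassin's `meta NAME (expr)` syntax.
META = {
    "LOCAL_NOAUTH_NODNS": "(SPF_NONE && NO_DNS_FOR_FROM)",
    "LOCAL_NOTIFY_IFRAME": "(KAM_IFRAME && SPF_NONE)",
}

RULE_NAME = re.compile(r"[A-Z][A-Z0-9_]+")

def report_line(rule, score):
    """Render one 'pts rule name' line with one decimal place, as the report does."""
    return "%4.1f %s" % (score, rule)

def zero_score_deps(meta, scores):
    """Mirror SA's 'meta test X has dependency Y with a zero score' check."""
    return [(name, dep) for name, expr in meta.items()
            for dep in RULE_NAME.findall(expr) if scores.get(dep, 0.0) == 0.0]

def eval_meta(expr, hits):
    """Evaluate a meta expression (names, parentheses, &&, ||, !) against the hit set."""
    py = RULE_NAME.sub(lambda m: "1" if m.group(0) in hits else "0", expr)
    py = py.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    if not re.fullmatch(r"[01() andort]*", py):
        raise ValueError("unsupported token in meta expression: %r" % expr)
    return bool(eval(py, {"__builtins__": {}}, {}))

def score_message(hits):
    """Return (total, report lines) for a set of hit rule names, meta rules included."""
    fired = set(hits)
    fired.update(name for name, expr in META.items() if eval_meta(expr, hits))
    lines = [report_line(r, SCORES[r]) for r in sorted(fired)]
    return sum(SCORES[r] for r in fired), lines

if __name__ == "__main__":
    total, lines = score_message({"BAYES_50", "RCVD_IN_SBL_CSS", "NO_DNS_FOR_FROM", "SPF_NONE"})
    print("\n".join(lines))
    print("total %.3f (report shows the 0.001 rules as 0.0 but still counts them)" % total)
    for name, dep in zero_score_deps(META, SCORES):
        print("meta test %s has dependency '%s' with a zero score" % (name, dep))
```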