
Matching on X-Spam headers doesn't get a hit
Hi.

I'm trying to write a rule that matches on a mail that has the following
headers:
X-Spam-Reasons: {'verdict': 'phishing',
 'spamcause':
'gggruggvucftvghtrhhoucdtuddrgedvtddruddvgddugecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfkpffvgfftoffgfffktedpqfgfvfenuceurghilhhouhhtmecufedttdenucgorfhhihhshhhinhhgqdfkphfpvghtfihorhhkucdlfedttddmnecujfgurhephffvufffkfggtghisehrtdefvcdttddtnecuhfhrohhmpegtohhmphhlvghtvghtvghnuggvrhhsrdgtohhmucfuvghrvhgvrhcukffvuceouggrnhesshhhihhptghsuddrtghomheqnecuggftrfgrthhtvghrnhepleeiudeikeejffetgeetleeggfegteeghfdtveduvdekhedvlefgvedtueeiffejnecuffhomhgrihhnpeifvggsrdgrphhpnecukfhppeegtddrjeegrdduudefrddvgeeinecurfhhihhshhhinhhgkfhppfgvthifohhrkhepgedtrdejgedruddufedrvdegieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpefpohhnvgdpmhgrihhlfhhrohhmpegurghnsehshhhiphgtshdurdgtohhmpdhrtghpthhtohepmhgrthhthhgvfiestghomhhplhgvthgvthgvnhguvghrshdrtghomh',
 'elapsed': '4ms'}
X-AES-Category: SPAM
X-Spam-Category: PHISHING


These are the rules I have so far:
header      __HDR_XSPAM_CAT         X-Spam-Category =~ /^(spam|phishing)$/i
header      __HDR_XSPAM_REASONS     X-Spam-Reasons =~ /['"](spam|phishing)['"]/i
header      __HDR_XAES_CAT          X-AES-Category =~ /^(spam|phishing)$/i
meta        SENDER_SPAM             (__HDR_XSPAM_CAT || __HDR_XSPAM_REASONS || __HDR_XAES_CAT)
describe    SENDER_SPAM             Message contains headers from sender indicating this is spam or phishing
score       SENDER_SPAM             1


The only one I can get working is __HDR_XAES_CAT; both
__HDR_XSPAM rules aren't hitting anything:
$ spamassassin -t -p ~/.spamassassin/mx teKbdz1W.txt -D 2>&1 | grep __HDR
Jul 22 17:00:53.480 [967777] dbg: rules: ran header rule __HDR_XAES_CAT ======> got hit: "SPAM"
Jul 22 17:00:54.439 [967777] dbg: check:
subtests=__ANY_IMAGE_ATTACH,__ANY_TEXT_ATTACH,__ANY_TEXT_ATTACH_DOC,__BODY_INVOICE_EN,__BODY_TEXT_LINE(3),__CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ANY,__DKIM_DEPENDABLE,__DKIM_EXISTS,__DOS_HAS_ANY_URI,__DOS_RCVD_MON,__DOS_RELAYED_EXT,__ENV_AND_HDR_FROM_MATCH,__E_LIKE_LETTER(55),__FORGED_RCVD_TRAIL,__FROM_ADMIN,__FROM_DOM_ADMIN,__HAS_ANY_EMAIL,__HAS_ANY_URI,__HAS_DATE,__HAS_DKIM_SIGHD,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HAS_TO,__HAS_URI,__HDR_XAES_CAT,__HTML_IMG_ONLY,__JM_REACTOR_DATE,__KAM_MAILSPLOIT2,__KHOP_NO_FULL_NAME,__LAST_EXTERNAL_RELAY_NO_AUTH,__LAST_UNTRUSTED_RELAY_NO_AUTH,__LCL__ENV_AND_HDR_FROM_MATCH,__LOCAL_PP_NONPPURL,__LOWER_E(55),__MIME_BASE64,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__NONEMPTY_BODY,__NOT_SPOOFED,__ONE_IMG,__PDS_FROM_NAME_TO_DOMAIN,__PNG_ATTACH_1,__RATWARE_0_TZ_DATE,__RBODY_MAILBOX,__SANE_MSGID,__SUBJ_NOT_SHORT,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_STYLE,__TOCC_EXISTS,__URI_MAILTO,__URI_WEBAPP
(Total Subtest Hits: 172 / Deduplicated Total Hits: 62)

The rule will work because it's matching on __HDR_XAES_CAT, but I'm
still wondering why the two X-Spam rules aren't hitting anything.
My initial thought was that the X-Spam-Reasons header not being wrapped
correctly was causing the issue, but since it's matching on the
X-AES-Category header, which comes after, and removing the
X-Spam-Reasons header doesn't change anything for the X-Spam-Category
header, that doesn't seem to be the issue.

Is there a limitation to SpamAssassin so it doesn't accept looking for
the two X-Spam-headers, or can you spot why this rule isn't matching?


Currently I'm testing it on:
SpamAssassin version 3.4.6
  running on Perl version 5.32.1
on a machine running Manjaro.


--
Martin Flygenring (maf)
Systems Engineer, One.com
Re: Matching on X-Spam headers doesn't get a hit
Martin Flygenring wrote:
> Hi.
>
> I'm trying to write a rule that matches on a mail that has the
> following headers:
> X-Spam-Reasons: {'verdict': 'phishing',
>  'spamcause':
> 'gggruggvucftvghtrhhoucdtuddrgedvtddruddvgddugecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfkpffvgfftoffgfffktedpqfgfvfenuceurghilhhouhhtmecufedttdenucgorfhhihhshhhinhhgqdfkphfpvghtfihorhhkucdlfedttddmnecujfgurhephffvufffkfggtghisehrtdefvcdttddtnecuhfhrohhmpegtohhmphhlvghtvghtvghnuggvrhhsrdgtohhmucfuvghrvhgvrhcukffvuceouggrnhesshhhihhptghsuddrtghomheqnecuggftrfgrthhtvghrnhepleeiudeikeejffetgeetleeggfegteeghfdtveduvdekhedvlefgvedtueeiffejnecuffhomhgrihhnpeifvggsrdgrphhpnecukfhppeegtddrjeegrdduudefrddvgeeinecurfhhihhshhhinhhgkfhppfgvthifohhrkhepgedtrdejgedruddufedrvdegieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpefpohhnvgdpmhgrihhlfhhrohhmpegurghnsehshhhiphgtshdurdgtohhmpdhrtghpthhtohepmhgrthhthhgvfiestghomhhplhgvthgvthgvnhguvghrshdrtghomh',
>  'elapsed': '4ms'}
> X-AES-Category: SPAM
> X-Spam-Category: PHISHING
>
>
> This is the rules i have so far:
> header      __HDR_XSPAM_CAT         X-Spam-Category =~
> /^(spam|phishing)$/i
> header      __HDR_XSPAM_REASONS      X-Spam-Reasons =~
> /['"](spam|phishing)['"]/i
> header      __HDR_XAES_CAT          X-AES-Category =~
> /^(spam|phishing)$/i
> meta        SENDER_SPAM             (__HDR_XSPAM_CAT ||
> __HDR_XSPAM_REASONS || __HDR_XAES_CAT)
> describe    SENDER_SPAM             Message contains headers from
> sender indicating this is spam or phishing
> scores      SENDER_SPAM             1
>
>
> The only one that i can get working is the _HDR_XAES_CAT, both
> __HDR_XSPAM rules aren't hitting anything:
> $ spamassassin -t -p ~/.spamassassin/mx teKbdz1W.txt -D 2>&1 | grep __HDR
> Jul 22 17:00:53.480 [967777] dbg: rules: ran header rule
> __HDR_XAES_CAT ======> got hit: "SPAM"
> Jul 22 17:00:54.439 [967777] dbg: check:
> subtests=__ANY_IMAGE_ATTACH,__ANY_TEXT_ATTACH,__ANY_TEXT_ATTACH_DOC,__BODY_INVOICE_EN,__BODY_TEXT_LINE(3),__CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ANY,__DKIM_DEPENDABLE,__DKIM_EXISTS,__DOS_HAS_ANY_URI,__DOS_RCVD_MON,__DOS_RELAYED_EXT,__ENV_AND_HDR_FROM_MATCH,__E_LIKE_LETTER(55),__FORGED_RCVD_TRAIL,__FROM_ADMIN,__FROM_DOM_ADMIN,__HAS_ANY_EMAIL,__HAS_ANY_URI,__HAS_DATE,__HAS_DKIM_SIGHD,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HAS_TO,__HAS_URI,__HDR_XAES_CAT,__HTML_IMG_ONLY,__JM_REACTOR_DATE,__KAM_MAILSPLOIT2,__KHOP_NO_FULL_NAME,__LAST_EXTERNAL_RELAY_NO_AUTH,__LAST_UNTRUSTED_RELAY_NO_AUTH,__LCL__ENV_AND_HDR_FROM_MATCH,__LOCAL_PP_NONPPURL,__LOWER_E(55),__MIME_BASE64,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__NONEMPTY_BODY,__NOT_SPOOFED,__ONE_IMG,__PDS_FROM_NAME_TO_DOMAIN,__PNG_ATTACH_1,__RATWARE_0_TZ_DATE,__RBODY_MAILBOX,__SANE_MSGID,__SUBJ_NOT_SHORT,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_STYLE,__TOCC_EXISTS,__URI_MAILTO,__URI_WEBAPP
> (Total Subtest Hits: 172 / Deduplicated Total Hits: 62)
>
> The rule will work because it's matching on __HDR_XAES_CAT, but i'm
> still wondering why the two X-Spam rules aren't hitting anything.
>

I believe header rules look at the whole line anyways with the exception
of header lines that have known syntax.  That would NOT be X-Header
checks.  I've had trouble there before.  Methinks you're pushing the
envelope (and the envelope's giving you a paper cut).

I'd try:

1) Try appending /im to your regex.  The "m" has context outside of
normal Perl's /g.  But preferably:
2) I'd get rid of delineation for those two regexes, period.

X-Spam-Category =~ /(SPAM|PHISHING)/
X-AES-Category =~ /(SPAM|PHISHING)/

These are produced by something external with an obviously KNOWN
pattern.  How many of those would you expect in a message?  That'd be
another problem entirely.  SA syntax is Perlish-only and does its
own internal sanity-checks and conversions.

$0.02,

-- Jared Hall
Re: Matching on X-Spam headers doesn't get a hit
On Thu, Jul 22, 2021 at 05:15:54PM +0200, Martin Flygenring wrote:
>
> Is there a limitation to SpamAssassin so it doesn't accept looking for the
> two X-Spam-headers, or can you spot why this rule isn't matching?

SA removes all X-Spam-* headers from the message, it's not possible to match
on them.
Re: Matching on X-Spam headers doesn't get a hit
On Thu, Jul 22, 2021 at 08:06:15PM +0300, Henrik K wrote:
> On Thu, Jul 22, 2021 at 05:15:54PM +0200, Martin Flygenring wrote:
> >
> > Is there a limitation to SpamAssassin so it doesn't accept looking for the
> > two X-Spam-headers, or can you spot why this rule isn't matching?
>
> SA removes all X-Spam-* headers from the message, it's not possible to match
> on them.

... except with a kludgy full rule that matches the whole pristine message:

full X_SPAM_FOOBAR /^X-Spam-Foobar: xyz/m
Re: Matching on X-Spam headers doesn't get a hit
On Thu, 22 Jul 2021 20:09:19 +0300
Henrik K wrote:

> On Thu, Jul 22, 2021 at 08:06:15PM +0300, Henrik K wrote:
> > On Thu, Jul 22, 2021 at 05:15:54PM +0200, Martin Flygenring wrote:
> > >
> > > Is there a limitation to SpamAssassin so it doesn't accept
> > > looking for the two X-Spam-headers, or can you spot why this rule
> > > isn't matching?
> >
> > SA removes all X-Spam-* headers from the message, it's not possible
> > to match on them.
>
> ... except with a kludgy full rule that matches the whole pristine
> message:
>
> full X_SPAM_FOOBAR /^X-Spam-Foobar: xyz/m

There's no perfect way of doing this. The above has the problem of
going through the whole email, including big attachments. It can also
match falsely inside the body.

The test can be constrained within the headers, but that causes problems
with the debug capture.

This version captures a lot too much:

full X_SPAM_FOOBAR /^(?:.+\n)*X-Spam-Foobar: xyz/

This version captures nothing:

full X_SPAM_FOOBAR /^(?=(?:.+\n)*X-Spam-Foobar: xyz)/

I'd go for the latter.

All of the above is untested.
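The three `full` regexes from the two posts above, run side by side as an added example (this is not code from RW, Henrik or SpamAssassin). It uses Python's `re`, which agrees with Perl on the points that matter here: `^` anchors only at the start of the string unless the multiline flag (Perl's /m) is set, and `.` never matches a newline, so `(?:.+\n)*` cannot step over the empty line that ends the header block. The two sample messages are constructed for the example; the hostnames and addresses in them are placeholders.

```python
from __future__ import annotations

import re

# Constructed sample messages (not taken from the thread). The first carries
# X-Spam-Foobar both as a real header and again inside the body, e.g. a quoted
# bounce or an abuse report; the second has it ONLY in the body, which is the
# text a remote sender controls.
HEADER_AND_BODY_MSG = (
    "Received: from mx.example.net (hypothetical)\n"
    "From: sender@example.org\n"
    "X-Spam-Foobar: xyz\n"
    "Subject: test\n"
    "\n"
    "Quoted report follows.\n"
    "X-Spam-Foobar: xyz\n"
)

BODY_ONLY_MSG = (
    "From: sender@example.org\n"
    "Subject: test\n"
    "\n"
    "Quoted report follows.\n"
    "X-Spam-Foobar: xyz\n"
)

# The three rule bodies from the thread, one per variant.
#  multiline: Henrik's /^X-Spam-Foobar: xyz/m  - ^ matches at every line start,
#             so a body line can trigger it.
#  prefix:    /^(?:.+\n)*X-Spam-Foobar: xyz/   - confined to the header block,
#             but the match text runs from the first header to the hit.
#  lookahead: /^(?=(?:.+\n)*X-Spam-Foobar: xyz)/ - same constraint, zero-width,
#             so the debug capture is empty.
RULES = {
    "multiline": re.compile(r"^X-Spam-Foobar: xyz", re.MULTILINE),
    "prefix": re.compile(r"^(?:.+\n)*X-Spam-Foobar: xyz"),
    "lookahead": re.compile(r"^(?=(?:.+\n)*X-Spam-Foobar: xyz)"),
}


def run_rule(name: str, message: str) -> tuple[bool, int]:
    """Apply one rule to the pristine message text.

    Returns (hit, captured): whether the rule fired and how many characters
    the match consumed, i.e. what would show up in a -D debug capture.
    """
    m = RULES[name].search(message)
    if m is None:
        return (False, 0)
    return (True, len(m.group(0)))


def evaluate(message: str) -> dict[str, tuple[bool, int]]:
    """Run all three variants over one message."""
    return {name: run_rule(name, message) for name in RULES}


if __name__ == "__main__":
    for label, msg in (("header+body", HEADER_AND_BODY_MSG),
                       ("body only", BODY_ONLY_MSG)):
        print(label)
        for name, (hit, captured) in evaluate(msg).items():
            print(f"  {name:10s} hit={str(hit):5s} captured={captured} chars")
```

On the body-only message the multiline variant fires while the other two stay quiet, which is the false-positive RW describes; on the header+body message the prefix variant's capture spans every header line before the hit, and the lookahead variant reports a hit with an empty capture.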
Re: Matching on X-Spam headers doesn't get a hit
Hi,

I know we are on the spamassassin mailing list, but another, more radical
way to block those is directly in postfix with a header_check before
giving it to spamassassin:

/^X-Spam-Flag: Yes/ REJECT Outscatter
/^X-(Spam|AES)-Category: (SPAM|PHISHING)/ REJECT Outscatter

But as a forewarning, the rare FPs can get quite frustrating if you use
this method.

Cheers,
Laurent

On 22.07.21 21:31, RW wrote:
> On Thu, 22 Jul 2021 20:09:19 +0300
> Henrik K wrote:
>
>> On Thu, Jul 22, 2021 at 08:06:15PM +0300, Henrik K wrote:
>>> On Thu, Jul 22, 2021 at 05:15:54PM +0200, Martin Flygenring wrote:
>>>>
>>>> Is there a limitation to SpamAssassin so it doesn't accept
>>>> looking for the two X-Spam-headers, or can you spot why this rule
>>>> isn't matching?
>>>
>>> SA removes all X-Spam-* headers from the message, it's not possible
>>> to match on them.
>>
>> ... except with a kludgy full rule that matches the whole pristine
>> message:
>>
>> full X_SPAM_FOOBAR /^X-Spam-Foobar: xyz/m
>
> There's no perfect way of doing this. The above has the problem of
> going through the whole email, including big attachment. It can also
> match falsely inside the body.
>
> The test can be constrained within the headers, but that causes problems
> with the debug capture.
>
> This version captures a lot too much:
>
> full X_SPAM_FOOBAR /^(?:.+\n)*X-Spam-Foobar: xyz/
>
> This version capture nothing:
>
> full X_SPAM_FOOBAR /^(?=(?:.+\n)*X-Spam-Foobar: xyz)/
>
> I'd go for the latter.
>
> All of the above is untested.
>
Re: Matching on X-Spam headers doesn't get a hit
We don't run Postfix here, but we can probably look for it elsewhere in
our stack instead.


Thanks to everyone that answered :)


On 23/07/2021 10.43, Laurent S. wrote:
> Hi,
>
> I know we are on the spamassassin mailing list, but another more radical
> way to block those is directly in postfix with a header_check before
> giving it to spamassassin
>
> /^X-Spam-Flag: Yes/ REJECT Outscatter
> /^X-(Spam|AES)-Category: (SPAM|PHISHING)/ REJECT Outscatter
>
> But as a forewarning, the rare FPs can get quite frustrating if you use
> this method.
>
> Cheers,
> Laurent
>
> On 22.07.21 21:31, RW wrote:
>> On Thu, 22 Jul 2021 20:09:19 +0300
>> Henrik K wrote:
>>
>>> On Thu, Jul 22, 2021 at 08:06:15PM +0300, Henrik K wrote:
>>>> On Thu, Jul 22, 2021 at 05:15:54PM +0200, Martin Flygenring wrote:
>>>>> Is there a limitation to SpamAssassin so it doesn't accept
>>>>> looking for the two X-Spam-headers, or can you spot why this rule
>>>>> isn't matching?
>>>> SA removes all X-Spam-* headers from the message, it's not possible
>>>> to match on them.
>>> ... except with a kludgy full rule that matches the whole pristine
>>> message:
>>>
>>> full X_SPAM_FOOBAR /^X-Spam-Foobar: xyz/m
>> There's no perfect way of doing this. The above has the problem of
>> going through the whole email, including big attachment. It can also
>> match falsely inside the body.
>>
>> The test can be constrained within the headers, but that causes problems
>> with the debug capture.
>>
>> This version captures a lot too much:
>>
>> full X_SPAM_FOOBAR /^(?:.+\n)*X-Spam-Foobar: xyz/
>>
>> This version capture nothing:
>>
>> full X_SPAM_FOOBAR /^(?=(?:.+\n)*X-Spam-Foobar: xyz)/
>>
>> I'd go for the latter.
>>
>> All of the above is untested.
>>
--
Martin Flygenring (maf)
Systems Engineer, One.com
Re: Matching on X-Spam headers doesn't get a hit
Martin,

most MTAs should have some filter capabilities. Maybe not all MTAs have
the same powerful and efficient ways to perform such checks as postfix has ;-)
IIRC something like this should work for exim:

acl_smtp_data = check_message
check_message:
  deny message = Outscatter detected
       regex = ^X-Spam-Status: Yes
  accept

But I would expect that check to go over the whole message (same as the
full check in SA) and not be as targeted as a postfix header rule.

Cheers

tobi

On 7/23/21 11:23 AM, Martin Flygenring wrote:
> We don't run Postfix here, but we can probably look for it elsewhere
> in our stack instead.
>
>
> Thanks to everyone that answered :)
>
>
> On 23/07/2021 10.43, Laurent S. wrote:
>> Hi,
>>
>> I know we are on the spamassassin mailing list, but another more radical
>> way to block those is directly in postfix with a header_check before
>> giving it to spamassassin
>>
>> /^X-Spam-Flag: Yes/ REJECT  Outscatter
>> /^X-(Spam|AES)-Category: (SPAM|PHISHING)/ REJECT  Outscatter
>>
>> But as a forewarning, the rare FPs can get quite frustrating if you use
>> this method.
>>
>> Cheers,
>> Laurent
>>
>> On 22.07.21 21:31, RW wrote:
>>> On Thu, 22 Jul 2021 20:09:19 +0300
>>> Henrik K wrote:
>>>
>>>> On Thu, Jul 22, 2021 at 08:06:15PM +0300, Henrik K wrote:
>>>>> On Thu, Jul 22, 2021 at 05:15:54PM +0200, Martin Flygenring wrote:
>>>>>> Is there a limitation to SpamAssassin so it doesn't accept
>>>>>> looking for the two X-Spam-headers, or can you spot why this rule
>>>>>> isn't matching?
>>>>> SA removes all X-Spam-* headers from the message, it's not possible
>>>>> to match on them.
>>>> ... except with a kludgy full rule that matches the whole pristine
>>>> message:
>>>>
>>>> full X_SPAM_FOOBAR /^X-Spam-Foobar: xyz/m
>>> There's no perfect way of doing this. The above has the problem of
>>> going through the whole email, including big attachment. It can also
>>> match falsely inside the body.
>>>
>>> The test can be constrained within the headers, but that causes
>>> problems
>>> with the debug capture.
>>>
>>> This version captures a lot too much:
>>>
>>>    full X_SPAM_FOOBAR /^(?:.+\n)*X-Spam-Foobar: xyz/
>>>
>>> This version capture nothing:
>>>
>>>    full X_SPAM_FOOBAR /^(?=(?:.+\n)*X-Spam-Foobar: xyz)/
>>>
>>> I'd go for the latter.
>>>
>>> All of the above is untested.
>>>
Re: Matching on X-Spam headers doesn't get a hit
Yea, it was more meant as a "we don't use postfix specifically". My
fallback idea was also to do the filtering on the MTA we do use, instead
of in SpamAssassin.


That was just bad phrasing on my part. Sorry about that :)


On 23/07/2021 16.51, jahlives@gmx.ch wrote:
> Martin,
>
> most MTA should have some filter capabilities. Maybe not all MTA have
> same powerful and efficient ways to perform such checks as postfix has ;-)
> iirc something like this should work for exim
>
> acl_smtp_data = check_message
> check_message:
>   deny message = 'Outscatter detected'
>   regex = ^X-Spam-Status:: YES
>   accept
>
> But I would expect that check going over the whole message (same a the
> full check in SA) and not so targeted as a postfix header rule
>
> Cheers
>
> tobi
>
> On 7/23/21 11:23 AM, Martin Flygenring wrote:
>> We don't run Postfix here, but we can probably look for it elsewhere
>> in our stack instead.
>>
>>
>> Thanks to everyone that answered :)
>>
>>
>> On 23/07/2021 10.43, Laurent S. wrote:
>>> Hi,
>>>
>>> I know we are on the spamassassin mailing list, but another more radical
>>> way to block those is directly in postfix with a header_check before
>>> giving it to spamassassin
>>>
>>> /^X-Spam-Flag: Yes/ REJECT  Outscatter
>>> /^X-(Spam|AES)-Category: (SPAM|PHISHING)/ REJECT  Outscatter
>>>
>>> But as a forewarning, the rare FPs can get quite frustrating if you use
>>> this method.
>>>
>>> Cheers,
>>> Laurent
>>>
>>> On 22.07.21 21:31, RW wrote:
>>>> On Thu, 22 Jul 2021 20:09:19 +0300
>>>> Henrik K wrote:
>>>>
>>>>> On Thu, Jul 22, 2021 at 08:06:15PM +0300, Henrik K wrote:
>>>>>> On Thu, Jul 22, 2021 at 05:15:54PM +0200, Martin Flygenring wrote:
>>>>>>> Is there a limitation to SpamAssassin so it doesn't accept
>>>>>>> looking for the two X-Spam-headers, or can you spot why this rule
>>>>>>> isn't matching?
>>>>>> SA removes all X-Spam-* headers from the message, it's not possible
>>>>>> to match on them.
>>>>> ... except with a kludgy full rule that matches the whole pristine
>>>>> message:
>>>>>
>>>>> full X_SPAM_FOOBAR /^X-Spam-Foobar: xyz/m
>>>> There's no perfect way of doing this. The above has the problem of
>>>> going through the whole email, including big attachment. It can also
>>>> match falsely inside the body.
>>>>
>>>> The test can be constrained within the headers, but that causes
>>>> problems
>>>> with the debug capture.
>>>>
>>>> This version captures a lot too much:
>>>>
>>>>    full X_SPAM_FOOBAR /^(?:.+\n)*X-Spam-Foobar: xyz/
>>>> This version capture nothing:
>>>>
>>>>    full X_SPAM_FOOBAR /^(?=(?:.+\n)*X-Spam-Foobar: xyz)/
>>>> I'd go for the latter.
>>>>
>>>> All of the above is untested.
>>>>
--
Martin Flygenring (maf)
Systems Engineer, One.com