Hi.
I'm trying to write a rule that matches on a mail that has the following
headers:
X-Spam-Reasons: {'verdict': 'phishing',
'spamcause':
'gggruggvucftvghtrhhoucdtuddrgedvtddruddvgddugecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfkpffvgfftoffgfffktedpqfgfvfenuceurghilhhouhhtmecufedttdenucgorfhhihhshhhinhhgqdfkphfpvghtfihorhhkucdlfedttddmnecujfgurhephffvufffkfggtghisehrtdefvcdttddtnecuhfhrohhmpegtohhmphhlvghtvghtvghnuggvrhhsrdgtohhmucfuvghrvhgvrhcukffvuceouggrnhesshhhihhptghsuddrtghomheqnecuggftrfgrthhtvghrnhepleeiudeikeejffetgeetleeggfegteeghfdtveduvdekhedvlefgvedtueeiffejnecuffhomhgrihhnpeifvggsrdgrphhpnecukfhppeegtddrjeegrdduudefrddvgeeinecurfhhihhshhhinhhgkfhppfgvthifohhrkhepgedtrdejgedruddufedrvdegieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpefpohhnvgdpmhgrihhlfhhrohhmpegurghnsehshhhiphgtshdurdgtohhmpdhrtghpthhtohepmhgrthhthhgvfiestghomhhplhgvthgvthgvnhguvghrshdrtghomh',
'elapsed': '4ms'}
X-AES-Category: SPAM
X-Spam-Category: PHISHING

These are the rules I have so far:

header __HDR_XSPAM_CAT X-Spam-Category =~ /^(spam|phishing)$/i
header __HDR_XSPAM_REASONS X-Spam-Reasons =~ /['"](spam|phishing)['"]/i
header __HDR_XAES_CAT X-AES-Category =~ /^(spam|phishing)$/i
meta SENDER_SPAM (__HDR_XSPAM_CAT || __HDR_XSPAM_REASONS || __HDR_XAES_CAT)
describe SENDER_SPAM Message contains headers from sender indicating this is spam or phishing
score SENDER_SPAM 1

The only one that I can get working is the __HDR_XAES_CAT; both
__HDR_XSPAM rules aren't hitting anything:
$ spamassassin -t -p ~/.spamassassin/mx teKbdz1W.txt -D 2>&1 | grep __HDR
Jul 22 17:00:53.480 [967777] dbg: rules: ran header rule __HDR_XAES_CAT
======> got hit: "SPAM"
Jul 22 17:00:54.439 [967777] dbg: check:
subtests=__ANY_IMAGE_ATTACH,__ANY_TEXT_ATTACH,__ANY_TEXT_ATTACH_DOC,__BODY_INVOICE_EN,__BODY_TEXT_LINE(3),__CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ANY,__DKIM_DEPENDABLE,__DKIM_EXISTS,__DOS_HAS_ANY_URI,__DOS_RCVD_MON,__DOS_RELAYED_EXT,__ENV_AND_HDR_FROM_MATCH,__E_LIKE_LETTER(55),__FORGED_RCVD_TRAIL,__FROM_ADMIN,__FROM_DOM_ADMIN,__HAS_ANY_EMAIL,__HAS_ANY_URI,__HAS_DATE,__HAS_DKIM_SIGHD,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HAS_TO,__HAS_URI,__HDR_XAES_CAT,__HTML_IMG_ONLY,__JM_REACTOR_DATE,__KAM_MAILSPLOIT2,__KHOP_NO_FULL_NAME,__LAST_EXTERNAL_RELAY_NO_AUTH,__LAST_UNTRUSTED_RELAY_NO_AUTH,__LCL__ENV_AND_HDR_FROM_MATCH,__LOCAL_PP_NONPPURL,__LOWER_E(55),__MIME_BASE64,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__NONEMPTY_BODY,__NOT_SPOOFED,__ONE_IMG,__PDS_FROM_NAME_TO_DOMAIN,__PNG_ATTACH_1,__RATWARE_0_TZ_DATE,__RBODY_MAILBOX,__SANE_MSGID,__SUBJ_NOT_SHORT,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_STYLE,__TOCC_EXISTS,__URI_MAILTO,__URI_WEBAPP
(Total Subtest Hits: 172 / Deduplicated Total Hits: 62)

The rule will work because it's matching on __HDR_XAES_CAT, but I'm
still wondering why the two X-Spam rules aren't hitting anything.

My initial thought was that the X-Spam-Reasons header not being wrapped
correctly was causing the issue, but since it's matching on the
X-AES-Category header, which comes after, and removing that
X-Spam-Reasons header doesn't change anything for the X-Spam-Category
header, that doesn't seem to be the issue.

Is there a limitation in SpamAssassin so that it doesn't accept looking
for the two X-Spam headers, or can you spot why this rule isn't matching?

Currently I'm testing it on:
SpamAssassin version 3.4.6
running on Perl version 5.32.1
on a machine running Manjaro.

--
Martin Flygenring (maf)
Systems Engineer, One.com
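
An offline check of the three patterns from the post, added here as an example and not part of the original message or of SpamAssassin's own matching code: it parses the simple `header NAME Header =~ /re/flags` lines and runs them against a constructed message carrying the same three headers. The shortened spamcause placeholder, the indented continuation lines and the helper names are assumptions. All three patterns match here, so the expressions themselves are not what keeps the two X-Spam rules from hitting.

```python
import re
from email import message_from_string
from email.policy import compat32

# Constructed sample: the three headers from the post. The spamcause value is a
# placeholder and the continuation lines are indented (assumption: valid folding).
SAMPLE = (
    "X-Spam-Reasons: {'verdict': 'phishing',\n"
    " 'spamcause': 'CONSTRUCTED-PLACEHOLDER',\n"
    " 'elapsed': '4ms'}\n"
    "X-AES-Category: SPAM\n"
    "X-Spam-Category: PHISHING\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

# The three header sub-rules from the post, one rule per line.
RULES = r"""
header __HDR_XSPAM_CAT X-Spam-Category =~ /^(spam|phishing)$/i
header __HDR_XSPAM_REASONS X-Spam-Reasons =~ /['"](spam|phishing)['"]/i
header __HDR_XAES_CAT X-AES-Category =~ /^(spam|phishing)$/i
"""

# Only the plain "header NAME Header =~ /re/flags" form is handled here.
RULE_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)\s*$")

def parse_rules(text):
    """Return [(rule_name, header_name, compiled_regex)] for each header rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            name, hdr, pattern, flags = m.groups()
            rules.append((name, hdr, re.compile(pattern, re.I if "i" in flags else 0)))
    return rules

def evaluate(raw_message, rules_text):
    """Map each rule name to True/False by searching the unfolded header values."""
    msg = message_from_string(raw_message, policy=compat32)
    hits = {}
    for name, hdr, rx in parse_rules(rules_text):
        # Unfold: collapse the newline + indent of continuation lines to one space.
        values = [" ".join(v.split()) for v in msg.get_all(hdr, [])]
        hits[name] = any(rx.search(v) for v in values)
    return hits

if __name__ == "__main__":
    for rule, hit in evaluate(SAMPLE, RULES).items():
        print(f"{rule}: {'hit' if hit else 'miss'}")
```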