Mailing List Archive

why are not all rules run all the time
Hi All

I run SA 3.4.2 on Debian GNU/Linux 10 (buster)

If I look at incoming mails after SA has processed the incoming mail
then the list of SA rules that have been run is not the same for all mails.

Below are two examples:

X-Spam-Status: No, score=-2.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,
    T_KAM_HTML_FONT_INVALID autolearn=ham autolearn_force=no version=3.4.2

X-Spam-Status: No, score=2.9 required=3.0 tests=BAYES_50,HTML_MESSAGE,
    HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK
    autolearn=no autolearn_force=no version=3.4.2

For instance, rule RCVD_IN_DNSWL_NONE is run for the first mail but not
for the second.

Why is that?

Thanks

Thomas S
Re: why are not all rules run all the time
On 08.10.21 11:18, Thomas Seilund wrote:
>I run SA 3.4.2 on Debian GNU/Linux 10 (buster)
>
>If I look at incoming mails after SA has processed the incoming mail
>then the list of SA rules that have been run is not the same for all
>mails.
>
>Below are two examples:
>
>X-Spam-Status: No, score=-2.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
>    DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,
>    T_KAM_HTML_FONT_INVALID autolearn=ham autolearn_force=no version=3.4.2
>
>X-Spam-Status: No, score=2.9 required=3.0 tests=BAYES_50,HTML_MESSAGE,
>    HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK
>    autolearn=no autolearn_force=no version=3.4.2
>
>For instance, rule RCVD_IN_DNSWL_NONE is run for the first mail but
>not for the second.
>
>Why is that?

perhaps the rule did not match, that's how spam score is evaluated.
did those mails come from the same host?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?
Re: why are not all rules run all the time
On 10/8/21 11:38 AM, Matus UHLAR - fantomas wrote:
> On 08.10.21 11:18, Thomas Seilund wrote:
>> I run SA 3.4.2 on Debian GNU/Linux 10 (buster)
>>
>> If I look at incoming mails after SA has processed the incoming
>> mail then the list of SA rules that have been run is not the same for
>> all mails.
>>
>> Below are two examples:
>>
>> X-Spam-Status: No, score=-2.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
>>     DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,
>>     T_KAM_HTML_FONT_INVALID autolearn=ham autolearn_force=no version=3.4.2
>>
>> X-Spam-Status: No, score=2.9 required=3.0 tests=BAYES_50,HTML_MESSAGE,
>>     HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK
>>     autolearn=no autolearn_force=no version=3.4.2
>>
>> For instance, rule RCVD_IN_DNSWL_NONE is run for the first mail but
>> not for the second.
>>
>> Why is that?
>
> perhaps the rule did not match, that's how spam score is evaluated.
> did those mails come from the same host?
>
Thanks.

No, mails did not come from the same host.

I am a little in the dark here!

Why does it matter where the mails came from? In my
/etc/spamassassin/local.cf I have nothing about trusted networks.

Is it so that the list of rules only shows rules that contribute to the
score?

What do you mean by a rule did not match?
Re: why are not all rules run all the time
DNSWL is a whitelist for mailservers. So the tests based on that use the
IP that handed your trusted_networks the email.

Several tests are based on the transmitting server instead of just the
email contents, since contents can be convincing or not, if the server
is notorious for sending spam it will end up on blocklists for example.


On 8/10/2021 11:57, Thomas Seilund wrote:
>
> On 10/8/21 11:38 AM, Matus UHLAR - fantomas wrote:
>> On 08.10.21 11:18, Thomas Seilund wrote:
>>> I run SA 3.4.2 on Debian GNU/Linux 10 (buster)
>>>
>>> If I look at incoming mails after SA has processed the incoming
>>> mail then the list of SA rules that have been run is not the same
>>> for all mails.
>>>
>>> Below are two examples:
>>>
>>> X-Spam-Status: No, score=-2.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
>>>     DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,
>>>     T_KAM_HTML_FONT_INVALID autolearn=ham autolearn_force=no version=3.4.2
>>>
>>> X-Spam-Status: No, score=2.9 required=3.0 tests=BAYES_50,HTML_MESSAGE,
>>>     HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK
>>>     autolearn=no autolearn_force=no version=3.4.2
>>>
>>> For instance, rule RCVD_IN_DNSWL_NONE is run for the first mail but
>>> not for the second.
>>>
>>> Why is that?
>>
>> perhaps the rule did not match, that's how spam score is evaluated.
>> did those mails come from the same host?
>>
> Thanks.
>
> No, mails did not come from the same host.
>
> I am a little in the dark here!
>
> Why does it matter where the mails came from? In my
> /etc/spamassassin/local.cf I have nothing about trusted networks.
>
> Is it so that the list of rules only shows rules that contribute to the
> score?
>
> What do you mean by a rule did not match?
>
>
Re: why are not all rules run all the time
On 10/8/21 12:00 PM, Reindl Harald wrote:
>
>
> On 08.10.21 at 11:18, Thomas Seilund wrote:
>> Hi All
>>
>> I run SA 3.4.2 on Debian GNU/Linux 10 (buster)
>>
>> If I look at incoming mails after SA has processed the incoming
>> mail then the list of SA rules that have been run is not the same for
>> all mails.
>>
>> Below are two examples:
>>
>> X-Spam-Status: No, score=-2.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
>>     DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,
>>     T_KAM_HTML_FONT_INVALID autolearn=ham autolearn_force=no version=3.4.2
>>
>> X-Spam-Status: No, score=2.9 required=3.0 tests=BAYES_50,HTML_MESSAGE,
>>     HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK
>>     autolearn=no autolearn_force=no version=3.4.2
>>
>> For instance, rule RCVD_IN_DNSWL_NONE is run for the first mail but
>> not for the second.
>
> why do you expect that the same rules hit?
>
> these are two different senders and two different mails given the
> difference in BAYES_* and SPF_HELO_NONE versus SPF_HELO_PASS

Thanks. It was my understanding that the list showed the rules that have
been run, no matter if the rule contributes to the score or not.

When you say a rule hits, do you then mean that the rule contributes to
the score? Can a rule hit and contribute with a value of zero to the score?

I am new to SA so please bear with the basic questions.

Again thanks a lot!
Re: why are not all rules run all the time
> Is it so that the list of rules only show rules that contribute to the
> score?

Yes, only rules that contributed to the spam score are listed.

> What do you mean by a rule did not match?

SpamAssassin has hundreds/thousands of rules, each one looking at some
aspect of the email message. If the rule finds what it's looking for, it
"matches" the message, and its score is added to the total spam score.

Anthony
--
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex, BN11
1QR
Re: why are not all rules run all the time
--On Friday, October 08, 2021 2:04 PM +0200 Thomas Seilund
<tps@netmaster.dk> wrote:

> When you say a rule hits, do you then mean that the rule contributes to the
> score? Can a rule hit and contribute with a value of zero to the score?

Setting a rule's score to zero (eg. in local.cf) disables the rule. This is
how you "turn off" the rules you don't want.

If you want a rule to be run to see if it hits but you don't want it to
affect the score, set its score to a very tiny non-zero value, like 0.01.
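
Added example, not part of any message in this thread: a small Python parser that unfolds the X-Spam-Status header and compares which rules hit in the two mails quoted above, showing that tests= lists hits rather than every rule that ran. The sample messages are constructed around the two quoted headers; the function names are illustrative, and treating tests=none as "no hits" is an assumption about the header format.

```python
import re
from email import message_from_string

# Constructed sample messages: the two X-Spam-Status headers quoted in the
# thread, folded onto continuation lines, plus a dummy subject and body.
MAIL_1 = (
    "X-Spam-Status: No, score=-2.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,\n"
    "\tDKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,\n"
    "\tT_KAM_HTML_FONT_INVALID autolearn=ham autolearn_force=no version=3.4.2\n"
    "Subject: constructed sample 1\n\nbody\n"
)
MAIL_2 = (
    "X-Spam-Status: No, score=2.9 required=3.0 tests=BAYES_50,HTML_MESSAGE,\n"
    "\tHTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,SPF_HELO_PASS,URIBL_BLACK\n"
    "\tautolearn=no autolearn_force=no version=3.4.2\n"
    "Subject: constructed sample 2\n\nbody\n"
)

def parse_spam_status(raw_message):
    """Return verdict, score, threshold and the set of rules that hit."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        raise ValueError("message has no X-Spam-Status header")
    match = re.match(r"\s*(Yes|No),\s*(.*)", value, re.S)
    if match is None:
        raise ValueError("unrecognised X-Spam-Status value")
    # Rejoin the tests list where the header was folded after a comma.
    rest = re.sub(r",\s+", ",", match.group(2))
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    # Assumption: "tests=none" means no rule hit, so it yields an empty set.
    hits = {t for t in fields.get("tests", "").split(",") if t and t != "none"}
    return {
        "is_spam": match.group(1) == "Yes",
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "hits": hits,
    }

def compare_hits(raw_a, raw_b):
    """Rules that hit only in A, only in B, and in both."""
    a, b = parse_spam_status(raw_a)["hits"], parse_spam_status(raw_b)["hits"]
    return a - b, b - a, a & b

if __name__ == "__main__":
    only_1, only_2, both = compare_hits(MAIL_1, MAIL_2)
    print("only in mail 1:", sorted(only_1))
    print("only in mail 2:", sorted(only_2))
    print("in both:", sorted(both))
```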