Mailing List Archive

On 11.05.23 10:58, Greg Troxel wrote:
>I am seeing a lot of "claim your prize from X", where X is a known
>company, coming from fresh foo.autos domains. I bet y'all are seeing
>this too. Until these get on blocklists they don't score that high.
>
>One rule that does hit is
>
> OBFU_UNSUB_UL
>
>which is defined in 72_active.cf as meta, and does not seem to have a
>score defined.
>
>I put in local.cf (not knowing where it was defined)
>
>score OBFU_UNSUB_UL (1)
>
>to bump it up, but I got an error that I can't adjust an undefined
>score. However, scoring gives it 1 point.

the default score for any rule is 1 poing, unless that rule starts with T_
(0.01) or __ (0, used for meta rules)
so, you have changed nothing.

>I wonder if there is a default 1 point for rules with no score, but the
>adjustment process doesn't respect that default, or if not what is going
>on.

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html

>Should all meta rules in the default ruleset have a score, 0.001 if they
>are meant to be 0, vs something explicit? What's the intent for this
>one?
>
>(I defined a meta rule with just OBFU_UNSUB_UL as the underlying with a
>score, and that worked fine, as one would expect.)

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.

Matus UHLAR - fantomas <uhlar@fantomas.sk> writes:

> On 11.05.23 10:58, Greg Troxel wrote:
>>I am seeing a lot of "claim your prize from X", where X is a known
>>company, coming from fresh foo.autos domains. I bet y'all are seeing
>>this too. Until these get on blocklists they don't score that high.
>>
>>One rule that does hit is
>>
>> OBFU_UNSUB_UL
>>
>>which is defined in 72_active.cf as meta, and does not seem to have a
>>score defined.
>>
>>I put in local.cf (not knowing where it was defined)
>>
>>score OBFU_UNSUB_UL (1)
>>
>>to bump it up, but I got an error that I can't adjust an undefined
>>score. However, scoring gives it 1 point.
>
> the default score for any rule is 1 poing, unless that rule starts
> with T_ (0.01) or __ (0, used for meta rules)

ok and not surprising.

But is it good practice for the main distributed rules to rely on this
default? It feels like a lint/pedantic error to define a rule that is
not T_ or __ and does not have an assigned score. But maybe this is
common and normal.

> so, you have changed nothing.

I asked for an additional point over the previous score. I got an error
in the log:

May 11 10:47:46 s1 spamd[11723]: config: score: relative score without previous setting in configuration
May 11 10:47:46 s1 spamd[11723]: config: invalid 'score' value in /usr/pkg/etc/spamassassin/local.cf (line 271): score\tOBFU_UNSUB_UL\t\t(2)

which is what I'm asking about.

>>I wonder if there is a default 1 point for rules with no score, but the
>>adjustment process doesn't respect that default, or if not what is going
>>on.
>
> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html

That says scores in () are relative to the "already set score". So
technically this is not a failure to follow docs, in that no score is
set. But it seems unhelpful to users not to be able to see

FOO_RULE 1

in a report and to decide they like that rule and do

score FOO_RULE (1)

to tell SA to give it one local point plus the score that the official
config gives is.

So maybe that (n) expression should be ok with the implicit 1.

Try something like this if I understand you correctly trying to score is a
__ rule:

meta OBFU_UNSUB_UL ( __OBFU_UNSUB_UL >=1 )

There are plenty of rules that are designed to be conditions in other meta
rules. Now that you've created a rule that relies on that condition you can
score the meta rule and describe it how you feel best.


On Thu, May 11, 2023, 11:21 Greg Troxel <gdt@lexort.com> wrote:

> Matus UHLAR - fantomas <uhlar@fantomas.sk> writes:
>
> > On 11.05.23 10:58, Greg Troxel wrote:
> >>I am seeing a lot of "claim your prize from X", where X is a known
> >>company, coming from fresh foo.autos domains. I bet y'all are seeing
> >>this too. Until these get on blocklists they don't score that high.
> >>
> >>One rule that does hit is
> >>
> >> OBFU_UNSUB_UL
> >>
> >>which is defined in 72_active.cf as meta, and does not seem to have a
> >>score defined.
> >>
> >>I put in local.cf (not knowing where it was defined)
> >>
> >>score OBFU_UNSUB_UL (1)
> >>
> >>to bump it up, but I got an error that I can't adjust an undefined
> >>score. However, scoring gives it 1 point.
> >
> > the default score for any rule is 1 poing, unless that rule starts
> > with T_ (0.01) or __ (0, used for meta rules)
>
> ok and not surprising.
>
> But is it good practice for the main distributed rules to rely on this
> default? It feels like a lint/pedantic error to define a rule that is
> not T_ or __ and does not have an assigned score. But maybe this is
> common and normal.
>
> > so, you have changed nothing.
>
> I asked for an additional point over the previous score. I got an error
> in the log:
>
> May 11 10:47:46 s1 spamd[11723]: config: score: relative score without
> previous setting in configuration
> May 11 10:47:46 s1 spamd[11723]: config: invalid 'score' value in
> /usr/pkg/etc/spamassassin/local.cf (line 271):
> score\tOBFU_UNSUB_UL\t\t(2)
>
> which is what I'm asking about.
>
> >>I wonder if there is a default 1 point for rules with no score, but the
> >>adjustment process doesn't respect that default, or if not what is going
> >>on.
> >
> >
> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html
>
> That says scores in () are relative to the "already set score". So
> technically this is not a failure to follow docs, in that no score is
> set. But it seems unhelpful to users not to be able to see
>
> FOO_RULE 1
>
> in a report and to decide they like that rule and do
>
> score FOO_RULE (1)
>
> to tell SA to give it one local point plus the score that the official
> config gives is.
>
> So maybe that (n) expression should be ok with the implicit 1.
>

On Thu, May 11, 2023 at 11:21:20AM -0400, Greg Troxel wrote:
>
> But is it good practice for the main distributed rules to rely on this
> default? It feels like a lint/pedantic error to define a rule that is
> not T_ or __ and does not have an assigned score. But maybe this is
> common and normal.

It's common and normal.

> That says scores in () are relative to the "already set score". So
> technically this is not a failure to follow docs, in that no score is
> set. But it seems unhelpful to users not to be able to see
>
> FOO_RULE 1
>
> in a report and to decide they like that rule and do
>
> score FOO_RULE (1)

From what I've seen, it's very uncommon to use this format. Why rely on
some vague previously defined score, which can change at any time? Just set
a static score you like and fits your system.

> So maybe that (n) expression should be ok with the implicit 1.

Parser processes config files and lines in order, it's not possible to know
in advance if the static rule score referred to would actually be defined at
a later stage. It would require lots of logic changes.

Henrik K <hege@hege.li> writes:

> From what I've seen, it's very uncommon to use this format. Why rely on
> some vague previously defined score, which can change at any time? Just set
> a static score you like and fits your system.

It's not vague; it's the score which is defined by the distributed
rules.

My intent is to say that I want 1 point more than what the rules say,
and I mean that to float with rule changes.

Perhaps you are arguing that all uses of () are confused and thus we
should lean to removing that facility.

Anyway, once I figured out that () will confusingly fail with some rules
(that just show up as if they are normal in score reports), it was easy
to fix. Thank you all for the comments and explanations.

On Fri, May 12, 2023 at 07:12:35AM -0400, Greg Troxel wrote:
> Henrik K <hege@hege.li> writes:
>
> > From what I've seen, it's very uncommon to use this format. Why rely on
> > some vague previously defined score, which can change at any time? Just set
> > a static score you like and fits your system.
>
> It's not vague; it's the score which is defined by the distributed
> rules.
>
> My intent is to say that I want 1 point more than what the rules say,
> and I mean that to float with rule changes.

It _is_ vague. It's either an educated static score the developer gave, or
a corpus generated score, both which might not reflect your personal
mailflow at all.

> Perhaps you are arguing that all uses of () are confused and thus we
> should lean to removing that facility.

I just think it's much more common to create meta that checks if the rule
you are interested in hit, and add to scoring that way. Yes I realize by
that logic things are vague as well, *shrug*. But if you use a non-common
method, it's possible that there are bugs and strangness as we now found
out.

Henrik K <hege@hege.li> writes:

> On Fri, May 12, 2023 at 07:12:35AM -0400, Greg Troxel wrote:
>> Henrik K <hege@hege.li> writes:
>>
>> > From what I've seen, it's very uncommon to use this format. Why rely on
>> > some vague previously defined score, which can change at any time? Just set
>> > a static score you like and fits your system.
>>
>> It's not vague; it's the score which is defined by the distributed
>> rules.
>>
>> My intent is to say that I want 1 point more than what the rules say,
>> and I mean that to float with rule changes.
>
> It _is_ vague. It's either an educated static score the developer gave, or
> a corpus generated score, both which might not reflect your personal
> mailflow at all.

It seems we disagree what vague means; I think it means that it lacks a
precise meaning, and I find "the score that spamassassin would assign
before I try to change it" to be precise, even if that might change with
a rule update. But in general we believe that users using the score in
an updated ruleset is a good thing; that's they the scores were changed.

Of course distributed scores might not fit my own mail. But that's true
of all people, all the time and it isn't specially true because I want
to adjust one.

>> Perhaps you are arguing that all uses of () are confused and thus we
>> should lean to removing that facility.
>
> I just think it's much more common to create meta that checks if the rule
> you are interested in hit, and add to scoring that way. Yes I realize by
> that logic things are vague as well, *shrug*. But if you use a non-common
> method, it's possible that there are bugs and strangness as we now found
> out.

It might be more common, but it's very surprising to me, because the
manual page documents that () works, even if it technically leaves out
default scores. I've been adjusting scores this way for years and this
is the first time I hit a rule with an implicit 1.

And, a user that is not authorized to create rules can adjust scores,
but can't create meta rules.

Yes, I realize that such a user can just set the score to 2, instead of
(1).

On Fri, May 12, 2023 at 08:31:19AM -0400, Greg Troxel wrote:
>
> It might be more common, but it's very surprising to me, because the
> manual page documents that () works

Let's face it, lot of the stuff in SA including documentation is probably
over decade old. And documentation is always the last thing someone cares
to fix. :-)

I remember atleast one similar bug:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7721