Mailing List Archive

False trigger?
I have an email with the following body text:

Attached is the Weekly ASR Vendor Sales Report.

The information pertains to the previous Sunday to Saturday period.

The columns in the report are:
-Vendor No
-Product Number (APN)
-Store Number
-Dept No
-Style
-Colour
-Size
-Active in Basic Stock
-Sales Qty
-Stock on hand
-stock on Order
-Week ending date

The business criteria used to create the report are as follows:
-Extract file is run at the start of the week for the previous week.
-Only contains items that are flagged as basic stock.

-----------------------------------------------------End-Of-Email--------------------------------------------------------------------------------

The SA report I got was that this email contains spam:

From: Jolt2 batch user [mailto:j2_batch@djs102.davidjones.com.au]
Sent: Sunday, 14 March 2004 9:27 am
Subject: * DAV SPAM ALERT * David Jones Sales Information for WARNER'S
AUSTRALIA for week ending 13/Mar/2004

....

Content analysis details: (6.1 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.6 J_CHICKENPOX_12 BODY: {1}Letter - punctuation - {2}Letter
0.6 J_CHICKENPOX_13 BODY: {1}Letter - punctuation - {3}Letter
0.6 J_CHICKENPOX_14 BODY: {1}Letter - punctuation - {4}Letter
0.6 J_CHICKENPOX_21 BODY: {2}Letter - punctuation - {1}Letter
0.6 J_CHICKENPOX_22 BODY: {2}Letter - punctuation - {2}Letter
0.6 J_CHICKENPOX_24 BODY: {2}Letter - punctuation - {4}Letter
0.6 J_CHICKENPOX_33 BODY: {3}Letter - punctuation - {3}Letter
0.6 J_CHICKENPOX_42 BODY: {4}Letter - punctuation - {2}Letter
0.1 LINES_OF_YELLING_2 BODY: 2 WHOLE LINES OF YELLING DETECTED
0.0 LINES_OF_YELLING BODY: A WHOLE LINE OF YELLING DETECTED
1.1 UPPERCASE_50_75 message body is 50-75% uppercase

Since the rules "broken" are all body rules, and looking at the body above,
I can not for the life of me figga out why each rule "broke"??? Can u guys
see anything I can't?

PS. The email contains an attached ZIP file. Would that, somehow, trigger
the rules above?

---------------------------------------------------Header-Of-Original-Email-----------------------------------------------------------

Received: from cust-gateway.ipcx.net (localhost [127.0.0.1]) by
davmail.davenport-industries.com.au with SMTP (Microsoft Exchange Internet
Mail Service Version 5.5.2650.21)
id F2WWZDTM; Sun, 14 Mar 2004 09:30:14 +1100
Received: from localhost by davmail.davenport-industries.com.au
with SpamAssassin (2.63 2004-01-11);
Sun, 14 Mar 2004 09:30:13 +1100
From: Jolt2 batch user <j2_batch@djs102.davidjones.com.au>
Subject: * DAV SPAM ALERT * David Jones Sales Information for WARNER'S
AUSTRALIA for week ending 13/Mar/2004
Date: Sun, 14 Mar 2004 09:27:26 +1100 (EST)
Message-Id: <200403132227.JAA0000012961@djs102.davidjones.com.au>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
davmail.davenport-industries.com.au
X-Spam-Status: Yes, hits=6.1 required=5.0 tests=J_CHICKENPOX_12,
J_CHICKENPOX_13,J_CHICKENPOX_14,J_CHICKENPOX_21,J_CHICKENPOX_22,
J_CHICKENPOX_24,J_CHICKENPOX_33,J_CHICKENPOX_42,LINES_OF_YELLING,
LINES_OF_YELLING_2,UPPERCASE_50_75 autolearn=no version=2.63
X-Spam-Level: ******
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_40538B75.550C0000"

This is a multi-part message in MIME format.

------------=_40538B75.550C0000
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

------------=_40538B75.550C0000
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Received: from ([203.166.99.125])
by DAVMAIL ([192.168.1.6]) with No Spam Today! Service V1.2.2.8 Trial
for 127.0.0.1; Sun, Mar 14, 2004, 09:30:04 +1100
Received: from djs335.davidjonesdmz.com.au (gateway.davidjones.com.au
[202.139.27.46])
by cust-gateway.ipcx.net (8.11.7/8.11.6) with ESMTP id i2DMRYT29305;
Sat, 13 Mar 2004 22:27:34 GMT
Received: from djmail01.davidjones.com.au ([89.18.150.4])
by djs335.davidjonesdmz.com.au (Lotus Domino Release 5.0.8)
with ESMTP id 2004031409265687:107595 ;
Sun, 14 Mar 2004 09:26:56 +1100
Received: from djs102.davidjones.com.au ([89.18.170.7])
by djmail01.davidjones.com.au (Lotus Domino Release 5.0.8)
with ESMTP id 2004031409272854:280896 ;
Sun, 14 Mar 2004 09:27:28 +1000
Received: by djs102.davidjones.com.au (8.8.8/1.1.22.3/10Feb02-1102AM)
id JAA0000012961; Sun, 14 Mar 2004 09:27:26 +1100 (EST)
Date: Sun, 14 Mar 2004 09:27:26 +1100 (EST)
From: Jolt2 batch user <j2_batch@djs102.davidjones.com.au>
Message-Id: <200403132227.JAA0000012961@djs102.davidjones.com.au>
Subject: David Jones Sales Information for WARNER'S AUSTRALIA for week
ending 13/Mar/2004
X-MIMETrack: Itemize by SMTP Server on DJMail01/Servers/David Jones(Release
5.0.8 |June
18, 2001) at 14/03/2004 09:27:28,
Serialize by Router on DJMail01/Servers/David Jones(Release 5.0.8 |June 18,
2001) at
14/03/2004 09:27:35,
Serialize complete at 14/03/2004 09:27:35,
Itemize by SMTP Server on DJSMTP01/Servers/DJDMZ(Release 5.0.8 |June 18,
2001) at
14/03/2004 09:26:56 AM,
Serialize by Router on DJSMTP01/Servers/DJDMZ(Release 5.0.8 |June 18, 2001)
at
14/03/2004 09:27:00 AM,
Serialize complete at 14/03/2004 09:27:00 AM

------------=_40538B75.550C0000--


Regards,

Julian Milano
IT Manager


Davenport Group
79-81 Coppin Street (PO Box 12) Richmond Victoria 3121
Ph : (613) 8416 6666

Limits of Liability and Disclaimer - Davenport Industries is not liable for
any loss, damages, claims, cost demand and expense whatsoever and howsoever
arising in connection with this email transmission. The receiver of this
transmission shall ascertain the accuracy and suitability of this data for
their purposes. Although computer virus scanning software is used by
Davenport Industries, the receiver shall be responsible for their own virus
protection and Davenport Industries shall not be held liable for and
subsequent loss, damage, cost or expense.

This email and any attachment is confidential and intended solely for the
use of the individual or entity to whom they are addressed. If you have
received this email in error you are prohibited from disclosing, copying or
using the information contained in it and please inform us by reply email
and delete.
Re: False trigger?
LINES_OF_YELLING is probably triggering on the signature. It probably should be smartened up to allow a single line with 2-3 words before triggering, if possible. I don't know why it thought there were 2 lines, unless it is triggering on the 12 pt font. I would hope not!

Chickenpox isn't triggering on anything you showed. I'm assuming that that mail had a lot of table data in it, and that at least some of it probably contained decimal points. It looks like it must have been some sort of code, since it is triggering on letters and dots. Numbers should have made it through.

The uppercase check would also imply that there was a lot of uppercase table text you didn't show.

Offhand, I'd say that probably all of these rules are doing what they are supposed to. You just happen to have a message that trips them all, so technically is an FP. Since that seems to be either a mailing list or maybe from a specific person, I'd just whitelist that particular sender.

Loren
----- Original Message -----
From: JulianM@davenport-industries.com.au
To: spamassassin-users@incubator.apache.org
Sent: Sunday, March 14, 2004 5:23 PM
Subject: False trigger?


RE: False trigger?
Sorry Loren,

Which signature are you talking about. The email which generated SPAM rules
doesn't have a signature?

-Julian Milano

-----Original Message-----
From: Loren Wilton [mailto:lwilton@earthlink.net]
Sent: Monday, 15 March 2004 06:55 pm
To: spamassassin-users@incubator.apache.org
Subject: Re: False trigger?


Re: False trigger?
<mumble><mumble> I just had a thought. The attachment may in some circles
be considered to be part of the body. With that in mind did the attached
report possibly contain information that might have triggered these rules?

{^_^}
----- Original Message -----
From: <JulianM@davenport-industries.com.au>
To: <spamassassin-users@incubator.apache.org>
Sent: Monday, 2004 March, 15 01:52
Subject: RE: False trigger?


Re: False trigger?
Sorry, it appeared to me that between the tests you showed triggered and the body you showed, I had assumed you were only showing the first part of what was a very large body containing the actual table that was being described in the part you showed. I can see nothing in that body, if that is the entire body (and both the text and html forks) that would account for those hits.

Either something is broken in ways I don't understand, or that message body is larger than you showed, or the message is html and not plain text and there is a whole lotta stuff hidden in that html that didn't show up on the screen.

The raw message body is what is interesting, since that is what SA works on.

As for a 'bad rule stopping processing of all further rules ... by design', it is my understanding that when SA finds a syntax error in a cf file that it stops processing rules from the file at that point. That seems reasonable to me. SA shouldn't have to work with bad syntax in the rules. It merely needs to report the error during rule development. Which it does if you use --lint.

Loren
RE: False trigger?
Loren,

> ....it is my understanding that when SA finds a syntax error in a cf file that it stops processing rules from the file at that point....

This is the exact confirmation I was after. Thank you!

PS. The email behind my problems is a PLAIN TEXT email, and I *did* show the
whole of the headers. But like JDow said, I reckon the attachment, a ZIP file
containing a CSV file, is somehow embedded in the email, in transit, and
thus causing the many unusual rule-firings.

Thanks all.

Regards,

Julian Milano
IT Manager


Davenport Group
79-81 Coppin Street (PO Box 12) Richmond Victoria 3121
Ph : (613) 8416 6666


-----Original Message-----
From: Loren Wilton [mailto:lwilton@earthlink.net]
Sent: Tuesday, March 16, 2004 4:49 AM
To: spamassassin-users@incubator.apache.org
Subject: Re: False trigger?


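
The question the thread ends on, which MIME part actually accounts for the body-rule hits, can be checked mechanically. The following is an added example, not part of any post above and not SpamAssassin's own code: the regexes, the yelling threshold and the punctuation class are approximations built only from the rule descriptions in the report, the sample message is constructed, and it assumes the scanner treats every text/* part (here a CSV sent as text) as body text.

```python
import re
from email import message_from_string

# Approximations of the rules named in the report (assumed, NOT SpamAssassin's definitions).
PUNCT = r"[.,;:!/_-]"  # assumed meaning of "punctuation"
PAIRS = [(1, 2), (1, 3), (1, 4), (2, 1), (2, 2), (2, 4), (3, 3), (4, 2)]
CHICKENPOX = {
    f"J_CHICKENPOX_{n}{m}": re.compile(
        rf"(?<![A-Za-z])[A-Za-z]{{{n}}}{PUNCT}[A-Za-z]{{{m}}}(?![A-Za-z])")
    for n, m in PAIRS
}

def uppercase_ratio(text):
    """Share of alphabetic characters that are uppercase."""
    letters = [c for c in text if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0

def yelling_lines(text):
    """Lines with at least 8 uppercase letters and no lowercase (assumed threshold)."""
    return sum(1 for line in text.splitlines()
               if sum(c.isupper() for c in line) >= 8
               and not any(c.islower() for c in line))

def rule_hits(text):
    """Names of the approximated rules that fire on one block of text."""
    hits = [name for name, rx in CHICKENPOX.items() if rx.search(text)]
    n = yelling_lines(text)
    if n >= 1:
        hits.append("LINES_OF_YELLING")
    if n >= 2:
        hits.append("LINES_OF_YELLING_2")
    if 0.5 <= uppercase_ratio(text) <= 0.75:
        hits.append("UPPERCASE_50_75")
    return sorted(hits)

def text_parts(raw):
    """Yield (label, decoded text) for every text/* leaf part of a raw message."""
    for part in message_from_string(raw).walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        data = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        label = f"{part.get_content_type()} {part.get_filename() or '(body)'}"
        yield label, data.decode(charset, errors="replace")

def explain(raw):
    """Rule hits per text part, plus the hits when all text parts are scored together."""
    parts = list(text_parts(raw))
    report = {label: rule_hits(text) for label, text in parts}
    report["all text parts"] = rule_hits("\n".join(text for _, text in parts))
    return report

# Constructed sample: the visible body from the thread (shortened) plus a
# constructed CSV carried as a text part. Addresses and data are made up.
SAMPLE = """\
From: batch@example.com
Subject: Weekly sales report (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="SAMPLE-BOUNDARY"

--SAMPLE-BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Attached is the Weekly ASR Vendor Sales Report.

The columns in the report are:
-Vendor No
-Product Number (APN)
-Sales Qty

--SAMPLE-BOUNDARY
Content-Type: text/csv; charset="us-ascii"; name="report.csv"
Content-Disposition: attachment; filename="report.csv"

VENDOR,APN,STORE,DEPT,STYLE,COLOUR,SIZE,QTY
WARNERS,9300000000017,12,WA-BR,BLK,M,3
WARNERS,9300000000024,12,WA-BR,WHT,L,1
WARNERS,9300000000031,14,SL-PJ,RED,S,2

--SAMPLE-BOUNDARY--
"""

if __name__ == "__main__":
    for label, hits in explain(SAMPLE).items():
        print(f"{label:22} {', '.join(hits) or '(no hits)'}")
```

On the constructed sample the visible body scores nothing, the CSV part alone trips the chickenpox and yelling approximations, and the 50-75% uppercase band is only reached when both parts are scored together. Run it against the raw message saved from the mail store, not the text a mail client displays.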