Weekly Masscheck, net and reuse and T_ rules

Sat, 27 Apr 2019 04:55:27 -0700 

Hiya,

I was surprised today to find that the fresh.fmb.la rules I've added didn't
match much on the weekly masscheck on my box..

After some investigation I've found some weirdness and I'm not sure if I've
found a bug?

I ran mass-check manually against one email with debug enabled to try and
figure out what's going on. The rule in question is T_FROM_FMBLA_NEWDOM

The message in question matched the following tags, this is in place in the
email header :

X-Spam-Status: No, score=12.486 tagged_above=-999 required=999
        tests=[BAYES_50=0.8, DKIMWL_BL=1.414, DKIM_SIGNED=0.1,
        DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FSL_HELO_NON_FQDN_1=0.001,
        HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_06=0.001,
        HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, PYZOR_CHECK=1.392,
        RCVD_IN_SBL_CSS=3.335, T_FROM_FMBLA_NEWDOM=-0.01,
        URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=1.7, URIBL_CSS=0.1,
        URIBL_CSS_A=0.1, URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no

As you can see this email matched the rule T_FROM_FMBLA_NEWDOM

With net but without reuse this rule is matched in the output logs from
masscheck - see attached net-spam.log

With net and reuse the rule isn't matched - see attached net-reuse-spam.log

Running masscheck in --net --reuse --debug shows that the header is found
during the reuse stage:

Apr 27 14:21:37.513 [25341] dbg: message: _decode_header x-spam-status: No,
score=12.486 tagged_above=-999 required=999 tests=[BAYES_50=0.8,
DKIMWL_BL=1.414, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FSL_HELO_NON_FQDN_1=0.001, HTML_FONT_LOW_CONTRAST=0.001,
HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001,
PYZOR_CHECK=1.392, RCVD_IN_SBL_CSS=3.335, T_FROM_FMBLA_NEWDOM=-0.01,
URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=1.7, URIBL_CSS=0.1, URIBL_CSS_A=0.1,
URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no


I just don't understand why the rule isn't output in the resulting log when
net and reuse are in use. This leads me to think this rule, and possibly
others aren't getting scored properly.

The domain currently still matches on fresh.fmb.la (rhubarbdnd.world) but
may expire soon - give me a shout offlist for an up to date spample which
matches the rules.

Hope you can help!

Paul

Attachment: net-reuse-spam.log
Description: Binary data

Attachment: net-spam.log
Description: Binary data

Reply via email to