Re: top and other spammy TLDs

2017-02-20 Thread John Hardin

On Mon, 20 Feb 2017, Alex wrote:


Hi,

Some time ago I had put together a rule based on comments from this
list, and I've identified a FP that I hoped someone could help me to
correct.

The full domain in the email was http://www.top-1.biz. However, it's
being tagged as if it's "top" as the TLD in one of KAMs rules and one
of mine:

Feb 20 22:34:25.988 [31215] dbg: rules: ran uri rule __KAM_TINYDOMAIN
==> got hit: "-1.biz/"
Feb 20 22:34:25.988 [31215] dbg: rules: ran uri rule LOC_URI_RARE_TLD
==> got hit: "://www.top"

uri LOC_URI_RARE_TLD m;://[^/]+\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review|download|top|global|(?:web)?site|tech|party|pro|bid|trade|win|moda|news|online)(?:/|\b);i

How can this be corrected to specifically only catch top as a TLD?


Re LOC_URI_RARE_TLD:

It's a URI rule, so anchor the end with (?:/|$) - if it's a bare domain 
the TLD will be at the end of the URI. If it's got a path part the domain 
will be followed by a slash.


Thanks for bringing that up, fixed here too.

Dunno about __KAM_TINYDOMAIN

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Homeland Security: Specializing in Tactical Band-aids
  for Strategic Problems. -- Eric K. in Bruce Schneier's blog
---
 2 days until George Washington's 285th Birthday
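
The effect of the anchor change suggested in the reply above, as an added example that is not part of the original thread. It runs the rule's pattern through Python's `re` (the syntax used here behaves the same as in Perl) and assumes the pattern is applied to each URI string as-is; only `www.top-1.biz` comes from the thread, the other URIs are constructed.

```python
import re

# TLD list copied from the LOC_URI_RARE_TLD rule quoted in the thread.
TLDS = (r"work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|"
        r"review|download|top|global|(?:web)?site|tech|party|pro|bid|trade|win|"
        r"moda|news|online")

# Original rule body: the trailing \b also matches before "-" or ".",
# so any host label from the list can hit, not only a real TLD.
ORIGINAL = re.compile(r"://[^/]+\.(?:" + TLDS + r")(?:/|\b)", re.I)

# Suggested fix: the TLD must be followed by "/" or the end of the URI.
ANCHORED = re.compile(r"://[^/]+\.(?:" + TLDS + r")(?:/|$)", re.I)

# Constructed sample URIs (only www.top-1.biz is taken from the thread).
SAMPLES = [
    "http://www.top-1.biz/",         # the reported false positive
    "http://www.news.example.com/",  # listed word used as a subdomain label
    "http://shop.example.top",       # bare domain, TLD at end of URI
    "http://shop.example.top/buy",   # domain followed by a path
    "http://example.org/a.top",      # listed word appears only in the path
]


def hit(pattern, uri):
    """Return the matched text, like SpamAssassin's 'got hit' debug line."""
    m = pattern.search(uri)
    return m.group(0) if m else None


def compare(uris=SAMPLES):
    """Map each URI to (hit with original rule, hit with anchored rule)."""
    return {u: (hit(ORIGINAL, u), hit(ANCHORED, u)) for u in uris}


if __name__ == "__main__":
    for uri, (old, new) in compare().items():
        print(f"{uri:32} original={old!r:26} anchored={new!r}")
```
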


top and other spammy TLDs

2017-02-20 Thread Alex
Hi,

Some time ago I had put together a rule based on comments from this
list, and I've identified a FP that I hoped someone could help me to
correct.

The full domain in the email was http://www.top-1.biz. However, it's
being tagged as if it's "top" as the TLD in one of KAMs rules and one
of mine:

Feb 20 22:34:25.988 [31215] dbg: rules: ran uri rule __KAM_TINYDOMAIN
==> got hit: "-1.biz/"
Feb 20 22:34:25.988 [31215] dbg: rules: ran uri rule LOC_URI_RARE_TLD
==> got hit: "://www.top"

uri LOC_URI_RARE_TLD m;://[^/]+\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review|download|top|global|(?:web)?site|tech|party|pro|bid|trade|win|moda|news|online)(?:/|\b);i
describe   LOC_URI_RARE_TLD URI refers to rarely-nonspam TLD
score  LOC_URI_RARE_TLD 0.400

How can this be corrected to specifically only catch top as a TLD?


Re: Google anti-phishing code project

2017-02-20 Thread Andrew
I've not come across these before. I, too, am interested in how to integrate
them into SA, thanks.

On 20 February 2017 at 21:56, Alex  wrote:

> Hi,
>
> On Mon, Feb 20, 2017 at 2:32 PM, Dianne Skoll 
> wrote:
> > On Mon, 20 Feb 2017 14:21:08 -0500
> > Alex  wrote:
> >
> >> Maybe we're using something different. This is the link I was using to
> >> download the phishing addresses until the other day, when it became a
> >> dead link:
> >
> >> https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses
> >
> > That URL works for me.  However, I am currently pulling the SVN repo from
> > svn://svn.code.sf.net/p/aper/code (also can use
> http://svn.code.sf.net/p/aper/code)
> >
> > It looks like the list of addresses has not been updated since
> 2017-02-16, but
> > the list of phishing URLs has an entry dated 2017-02-20.
>
> It looks like the URL has just now become available again. Do you
> happen to know the script that can be used to convert the
> phishing_links file into SA rules in the same way as the
> phishing_reply_addresses are converted?
>
> Thanks,
> Alex
>
>
>
>
> >
> > Regards,
> >
> > Dianne.
>


Re: Google anti-phishing code project

2017-02-20 Thread Alex
Hi,

On Mon, Feb 20, 2017 at 2:32 PM, Dianne Skoll  wrote:
> On Mon, 20 Feb 2017 14:21:08 -0500
> Alex  wrote:
>
>> Maybe we're using something different. This is the link I was using to
>> download the phishing addresses until the other day, when it became a
>> dead link:
>
>> https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses
>
> That URL works for me.  However, I am currently pulling the SVN repo from
> svn://svn.code.sf.net/p/aper/code (also can use 
> http://svn.code.sf.net/p/aper/code)
>
> It looks like the list of addresses has not been updated since 2017-02-16, but
> the list of phishing URLs has an entry dated 2017-02-20.

It looks like the URL has just now become available again. Do you
happen to know the script that can be used to convert the
phishing_links file into SA rules in the same way as the
phishing_reply_addresses are converted?

Thanks,
Alex




>
> Regards,
>
> Dianne.


Re: Google anti-phishing code project

2017-02-20 Thread Dianne Skoll
On Mon, 20 Feb 2017 14:21:08 -0500
Alex  wrote:

> Maybe we're using something different. This is the link I was using to
> download the phishing addresses until the other day, when it became a
> dead link:

> https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses

That URL works for me.  However, I am currently pulling the SVN repo from
svn://svn.code.sf.net/p/aper/code (also can use 
http://svn.code.sf.net/p/aper/code)

It looks like the list of addresses has not been updated since 2017-02-16, but
the list of phishing URLs has an entry dated 2017-02-20.

Regards,

Dianne.


Re: Google anti-phishing code project

2017-02-20 Thread Alex
On Mon, Feb 20, 2017 at 12:16 PM, Dianne Skoll  wrote:
> On Sun, 19 Feb 2017 12:21:14 -0500
> Alex  wrote:
>
>> https://code.google.com/archive/p/anti-phishing-email-reply/
>> It appears to no longer be active, as of some time yesterday.
>
> It's still active.  The most recent commit is dated today, and I still
> have commit privileges.

Maybe we're using something different. This is the link I was using to
download the phishing addresses until the other day, when it became a
dead link:

https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses

Would you otherwise share the links you are using?

Thanks,
Alex


Re: Great spam filtering, until now

2017-02-20 Thread Matus UHLAR - fantomas

On 20.02.17 08:58, David Niklas wrote:

I have had a wonderful experience filtering spam with spamassassin.
However, within the past few weeks (since feb 7th, I think), I have gotten
a number of messages that have been normal but marked as spam.
It may be those that I am speaking with and what they do to their mail,
then again, maybe not.
I'm attaching a message I got from firefly, a Chinese company. I have
more samples, but I'm not too clear on how to tell which message goes
with which record in my logs.
Ultimately, I ought to be able to figure out on my own which rule(s), if
any, are too harsh, but I've never done this before and could use a hand.

I have not altered the message at all. Here is the log record which I've
edited to remove identifying information:

Feb 18 04:24:46 [spamd] spamd: connection from ulgy_thing
[127.0.0.1]:38282 to port 783, fd 5_ Feb 18 04:24:46 [spamd] spamd:
setuid to me succeeded_ Feb 18 04:24:46 [spamd] spamd: checking message
<201702181220.d3d7dc515...@account.t-firefly.com> for me:1000_ Feb 18
04:24:53 [spamd] spamd: identified spam (6.9/5.0) for me:1000 in 6.7
seconds, 4240 bytes._ Feb 18 04:24:53 [spamd] spamd: result: Y 6 -
AWL,BAYES_00,CHARSET_FARAWAY_HEADER,FROM_EXCESS_BASE64,HTML_MESSAGE,MIME_CHARSET_FARAWAY,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,RDN
S_NONE,URIBL_BLOCKED
scantime=6.7,size=4240,user=me,uid=1000,required_score=5.0,rhost=ulgy_thing,raddr=127.0.0.1,rport=38282,mid=<201702181220.d3d7dc515474@ac
count.t-firefly.com>,bayes=0.00,autolearn=no autolearn_force=no_



Return-Path: 
Received: from lucky1.263xmail.com ([211.157.147.135]) by mx.mail.com
(mxgmxus006 [74.208.5.22]) with ESMTPS (Nemesis) id 0Lsgwh-1cGI6L0p8j-012IBS
for ; Sat, 18 Feb 2017 05:24:24 +0100
Received: from mail?t-firefly.com (unknown [192.168.167.239])
by lucky1.263xmail.com (Postfix) with ESMTP id 925056C9
for ; Sat, 18 Feb 2017 12:24:19 +0800 (CST)


1. I don't see X-Spam-Status: here.
What's the score of AWL? (It's different with every mail.)
This can be a hidden culprit.

2. Configure your MTA to resolve reverse DNS - 211.157.147.135 DOES have
valid fcrdns, but your MTA did not resolve it.

Others have commented on MIME_CHARSET_FARAWAY and URIBL_BLOCKED.




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: Great spam filtering, until now

2017-02-20 Thread John Hardin

On Mon, 20 Feb 2017, David Jones wrote:


From: David Niklas 
However, within the past few weeks (since feb 7th, I think), I have gotten
a number of messages that have been normal but marked as spam.


URIBL_BLOCKED is the problem.


URIBL_BLOCKED is not an indicator for false *positives*.

It should be fixed, and it will improve the OP's spam detection (e.g. 
reduce false *negatives*) but the problem here is something else.


If you're accepting Chinese-language mail, you probably need to tell SA 
that chinese charsets are acceptable (the CHARSET_FARAWAY_HEADER, 
MIME_CHARSET_FARAWAY hits seem problematic here).



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  One difference between a liberal and a pickpocket is that
  if you demand your money back from a pickpocket
  he will not question your motives.-- William Rusher
---
 2 days until George Washington's 285th Birthday


Re: Great spam filtering, until now

2017-02-20 Thread RW
On Mon, 20 Feb 2017 17:40:15 +
David Jones wrote:

> >From: David Niklas 

> 
> >Feb 18 04:24:46 [spamd] spamd: connection from ulgy_thing
> >[127.0.0.1]:38282 to port 783, fd 5_ Feb 18 04:24:46 [spamd] spamd:
> >setuid to me succeeded_ Feb 18 04:24:46 [spamd] spamd: checking
> >message <201702181220.d3d7dc515...@account.t-firefly.com> for
> >me:1000_ Feb 18 04:24:53 [spamd] spamd: identified spam (6.9/5.0)
> >for me:1000 in 6.7 seconds, 4240 bytes._ Feb 18 04:24:53 [spamd]
> >spamd: result: Y 6 -
> >AWL,BAYES_00,CHARSET_FARAWAY_HEADER,FROM_EXCESS_BASE64,
> >HTML_MESSAGE,MIME_CHARSET_FARAWAY,MIME_HTML_ONLY,
> >RCVD_IN_MSPIKE_H2,RDNS_NONE,URIBL_BLOCKED
> >scantime=6.7,size=4240,user=me,uid=1000,required_score=5.0,
> >rhost=ulgy_thing,raddr=127.0.0.1,rport=38282,mid=<201702181220.d3d7dc515474@ac
> >count.t-firefly.com>,bayes=0.00,autolearn=no
> >autolearn_force=no_  
> 
> URIBL_BLOCKED is the problem. 

URIBL_BLOCKED is *a* problem that may cause FNs, but it didn't cause
this FP.

It's mostly English, but it's written in the GBK character set and it
seems to have been excessively punished for that. It's strange because
GBK encodes characters 0-127 as ASCII, like in UTF8. 

You might want to whitelist this site in some way.
 


Re: Great spam filtering, until now

2017-02-20 Thread David Jones
>From: David Niklas 
>Sent: Monday, February 20, 2017 7:58 AM
>To: users@spamassassin.apache.org
>Subject: Great spam filtering, until now
    
>Hello,
>I have had a wonderful experience filtering spam with spamassassin.
>However, within the past few weeks (since feb 7th, I think), I have gotten
>a number of messages that have been normal but marked as spam.
>It may be those that I am speaking with and what they do to their mail,
>then again, maybe not.
>I'm attaching a message I got from firefly, a Chinese company. I have
>more samples, but I'm not too clear on how to tell which message goes
>with which record in my logs.
>Ultimately, I ought to be able to figure out on my own which rule(s), if
>any, are too harsh, but I've never done this before and could use a hand.

>I have not altered the message at all. Here is the log record which I've
>edited to remove identifying information:

>Feb 18 04:24:46 [spamd] spamd: connection from ulgy_thing
>[127.0.0.1]:38282 to port 783, fd 5_ Feb 18 04:24:46 [spamd] spamd:
>setuid to me succeeded_ Feb 18 04:24:46 [spamd] spamd: checking message
><201702181220.d3d7dc515...@account.t-firefly.com> for me:1000_ Feb 18
>04:24:53 [spamd] spamd: identified spam (6.9/5.0) for me:1000 in 6.7
>seconds, 4240 bytes._ Feb 18 04:24:53 [spamd] spamd: result: Y 6 -
>AWL,BAYES_00,CHARSET_FARAWAY_HEADER,FROM_EXCESS_BASE64,
>HTML_MESSAGE,MIME_CHARSET_FARAWAY,MIME_HTML_ONLY,
>RCVD_IN_MSPIKE_H2,RDNS_NONE,URIBL_BLOCKED
>scantime=6.7,size=4240,user=me,uid=1000,required_score=5.0,
>rhost=ulgy_thing,raddr=127.0.0.1,rport=38282,mid=<201702181220.d3d7dc515474@ac
>count.t-firefly.com>,bayes=0.00,autolearn=no autolearn_force=no_

URIBL_BLOCKED is the problem.  Comes up on this list all of the time.
Set up a DNS recursor of your own (or point to one that you know for
sure is not forwarding to another DNS server).  The key is to do your
own DNS recursive queries so your DNS lookups don't get aggregated
with other DNS traffic to push you over the free usage threshold.

Search the SA archives for lengthy discussions on this issue.
- Use unbound, PowerDNS Recursor, PowerDNS Recursor, or something
similar and point your /etc/resolv.conf to 127.0.0.1.
- Don't use dnsmasq since it only forwards and doesn't do full recursive
lookups.


Re: Great spam filtering, until now

2017-02-20 Thread Benny Pedersen

David Niklas wrote on 2017-02-20 14:58:


AWL,BAYES_00,CHARSET_FARAWAY_HEADER,FROM_EXCESS_BASE64,HTML_MESSAGE,MIME_CHARSET_FARAWAY,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,RDN
S_NONE,URIBL_BLOCKED
scantime=6.7,size=4240,user=me,uid=1000,required_score=5.0,rhost=ulgy_thing,raddr=127.0.0.1,rport=38282,mid=<201702181220.d3d7dc515474@ac
count.t-firefly.com>,bayes=0.00,autolearn=no autolearn_force=no_


one thing i see is that uribl_blocked, so possibly you are missing a dns server
on 127.0.0.1?


http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more 
information


when this is solved you get much better results

minimal sa config is dns server on 127.0.0.1 or ::1 that will recurse
dns queries locally, if dns is not in that ip, you will be rated for
using shared resources


Great spam filtering, until now

2017-02-20 Thread David Niklas
Hello,
I have had a wonderful experience filtering spam with spamassassin.
However, within the past few weeks (since feb 7th, I think), I have gotten
a number of messages that have been normal but marked as spam.
It may be those that I am speaking with and what they do to their mail,
then again, maybe not.
I'm attaching a message I got from firefly, a Chinese company. I have
more samples, but I'm not too clear on how to tell which message goes
with which record in my logs.
Ultimately, I ought to be able to figure out on my own which rule(s), if
any, are too harsh, but I've never done this before and could use a hand.

I have not altered the message at all. Here is the log record which I've
edited to remove identifying information:

Feb 18 04:24:46 [spamd] spamd: connection from ulgy_thing
[127.0.0.1]:38282 to port 783, fd 5_ Feb 18 04:24:46 [spamd] spamd:
setuid to me succeeded_ Feb 18 04:24:46 [spamd] spamd: checking message
<201702181220.d3d7dc515...@account.t-firefly.com> for me:1000_ Feb 18
04:24:53 [spamd] spamd: identified spam (6.9/5.0) for me:1000 in 6.7
seconds, 4240 bytes._ Feb 18 04:24:53 [spamd] spamd: result: Y 6 -
AWL,BAYES_00,CHARSET_FARAWAY_HEADER,FROM_EXCESS_BASE64,HTML_MESSAGE,MIME_CHARSET_FARAWAY,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,RDN
S_NONE,URIBL_BLOCKED
scantime=6.7,size=4240,user=me,uid=1000,required_score=5.0,rhost=ulgy_thing,raddr=127.0.0.1,rport=38282,mid=<201702181220.d3d7dc515474@ac
count.t-firefly.com>,bayes=0.00,autolearn=no autolearn_force=no_

Thanks,
David
Return-Path: 
Received: from lucky1.263xmail.com ([211.157.147.135]) by mx.mail.com
 (mxgmxus006 [74.208.5.22]) with ESMTPS (Nemesis) id 0Lsgwh-1cGI6L0p8j-012IBS
 for ; Sat, 18 Feb 2017 05:24:24 +0100
Received: from mail?t-firefly.com (unknown [192.168.167.239])
by lucky1.263xmail.com (Postfix) with ESMTP id 925056C9
for ; Sat, 18 Feb 2017 12:24:19 +0800 (CST)
X-263anti-spam:KSV:0;BIG:0;Original-ABS:0;
X-MAIL-GRAY:1
X-MAIL-DELIVERY:0
X-KSVirus-check:0
X-ADDR-CHECKED:0
X-ABS-CHECKED:0
X-ANTISPAM-LEVEL:2
Received: from uchome (localhost [127.0.0.1])
by smtp.263.net (Postfix) with ESMTP id 879E33A0
for ; Sat, 18 Feb 2017 12:24:19 +0800 (CST)
X-RL-SENDER:m...@t-firefly.com
X-FST-TO:do...@mail.com
X-SENDER-IP:121.40.141.164
X-LOGIN-NAME:m...@t-firefly.com
X-UNIQUE-TAG:<56350341b91b9b14ebd84ec744417965>
X-ATTACHMENT-NUM:0
X-SENDER:m...@t-firefly.com
X-DNS-TYPE:0
Received: from uchome (unknown [121.40.141.164])
by smtp.263.net (Postfix) whith ESMTP id 1460582EH4N;
Sat, 18 Feb 2017 12:24:19 +0800 (CST)
Date: Sat, 18 Feb 2017 12:24:20 +0800
To:  
Subject: =?gbk?B?W0ZpcmVmbHkgVGVhbV0gRW1haWwgQWRkcmVzcyBWZXJpZnk=?=
From: =?gbk?B?RmlyZWZseSBUZWFt?= 
X-Priority: 3
X-Mailer: account.t-firefly.com X3.1 
MIME-Version: 1.0
Content-type: text/html; charset=gbk
Content-Transfer-Encoding: base64
Message-ID: <201702181220.d3d7dc515...@account.t-firefly.com>
Envelope-To: 
X-GMX-Antispam: 0 (Mail was not recognized as spam); Detail=V3;
X-GMX-Antivirus: 0 (no virus found)




Re: Google anti-phishing code project

2017-02-20 Thread Dianne Skoll
On Sun, 19 Feb 2017 12:21:14 -0500
Alex  wrote:

> https://code.google.com/archive/p/anti-phishing-email-reply/
> It appears to no longer be active, as of some time yesterday.

It's still active.  The most recent commit is dated today, and I still
have commit privileges.

Regards,

Dianne.


Re: Custom rule not applied when running Postfix + SA

2017-02-20 Thread Joe Quinn

On 2/20/2017 6:54 AM, aquilinux wrote:
Hi all, I noticed that a custom rule I created (in
/etc/spamassassin/local.cf) is not applied in the
regular postfix + spamassassin flow, but it is when I pipe the mail to
spamc or spamassassin.


1) normal flow with postfix

spamassassin unix -     n       n       -       30      pipe
  flags=Rq user=spamd argv=/usr/bin/spamc -u ${recipient} -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}


X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on myserver
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=5.0 tests=RCVD_IN_DNSWL_LOW
autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Report:
* -1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
*  trust
*  [108.59.11.79 listed in list.dnswl.org]


2) cat 1487115381.M993470P12484.ne254\,S\=4827\,W\=4936\:2\,S | spamc

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on myserver
X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.0 required=5.0 tests=MDSPAM,RCVD_IN_DNSWL_LOW
autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report:
* -1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
*  trust
*  [108.59.11.79 listed in list.dnswl.org]
*  8.0 MDSPAM No description available.

3) spamassassin -t < 1487115381.M993470P12484.ne254\,S\=4827\,W\=4936\:2\,S


Content analysis details:   (7.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [108.59.11.79 listed in list.dnswl.org]
 8.0 MDSPAM                 No description available.


What is happening here?

Thanks for helping.
Regards,

--
"Madness, like small fish, runs in hosts, in vast numbers of instances."

No one combs my hair as well as the wind.R


Make sure you restart spamd after changing the rule, perhaps?



Custom rule not applied when running Postfix + SA

2017-02-20 Thread aquilinux
Hi all, I noticed that a custom rule I created (in
/etc/spamassassin/local.cf) is not applied in the regular postfix +
spamassassin flow, but it is when I pipe the mail to spamc or spamassassin.

1) normal flow with postfix

spamassassin unix -     n       n       -       30      pipe
  flags=Rq user=spamd argv=/usr/bin/spamc -u ${recipient} -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on myserver
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=5.0 tests=RCVD_IN_DNSWL_LOW
autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Report:
* -1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
*  trust
*  [108.59.11.79 listed in list.dnswl.org]


2) cat 1487115381.M993470P12484.ne254\,S\=4827\,W\=4936\:2\,S | spamc

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on myserver
X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.0 required=5.0 tests=MDSPAM,RCVD_IN_DNSWL_LOW
autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report:
* -1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
*  trust
*  [108.59.11.79 listed in list.dnswl.org]
*  8.0 MDSPAM No description available.

3) spamassassin -t < 1487115381.M993470P12484.ne254\,S\=4827\,W\=4936\:2\,S

Content analysis details:   (7.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [108.59.11.79 listed in list.dnswl.org]
 8.0 MDSPAM                 No description available.


What is happening here?

Thanks for helping.
Regards,

-- 
"Madness, like small fish, runs in hosts, in vast numbers of instances."

No one combs my hair as well as the wind.R