Re: What are the T_ rules ?
On Mon, 5 Sep 2016, Ian Zimmerman wrote:
> I want to use RP_MATCHES_RCVD in a meta rule. I thought I'd check its
> definition before I plunged in and wrote any code, so I grepped in
> /usr/share/spamassassin where all the original rules seem to live on my
> system (debian jessie). But all the hits are either for
> __RP_MATCHES_RCVD (which I assume is an internal rule not to be used by
> outsiders) or for T_RP_MATCHES_RCVD.

simply use the __RP_MATCHES_RCVD in your metas. It does just what you want but does not score explicitly.

On 05.09.16 21:31, Axb wrote:
> 72_scores.cf published by sa-update sets a score:
>
> score RP_MATCHES_RCVD -1.152 -1.653 -1.152 -1.653

Oh, no, again? The only thing it does is cause false positives for gmail spam etc. I have complained about this nonsense already (iirc, repeatedly). And I have turned it off by setting score to 0 - even -0.001 is way too much.

score RP_MATCHES_RCVD 0

> In what file do you see T_RP_MATCHES_RCVD ?

I believe this was defined as a test rule for some time.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows found: (R)emove, (E)rase, (D)elete
Re: What are the T_ rules ?
On 06.09.2016 at 00:14, @lbutlr wrote:
> On 05 Sep 2016, at 13:36, li...@rhsoft.net wrote:
> > but -1.653 is just a bad joke because it means every homeuser which
> > manages to get some DNS records fine (as well as every spammer which
> > registers a ton of domains and cheap hosts) get a large benefit
> > compared to any professionally maintained server hosting hundreds of
> > domains with responsibility
>
> RP_MATCHES_RCVD scores a -0.1 and T_RP_MATCHES_RCVD scores a -0.0 on
> my system. I see those scores in emails from 2011. Don’t know where
> you are finding -1.653, but that is not the score that is getting
> applied here

/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_scores.cf
score RP_MATCHES_RCVD -1.152 -1.056 -1.152 -1.056

how about running "sa-update"?
Re: What are the T_ rules ?
On 2016-09-05 16:14, @lbutlr wrote:
> > but -1.653 is just a bad joke because it means every homeuser which
> > manages to get some DNS records fine (as well as every spammer which
> > registers a ton of domains and cheap hosts) get a large benefit
> > compared to any professionally maintained server hosting hundreds of
> > domains with responsibility
>
> RP_MATCHES_RCVD scores a -0.1 and T_RP_MATCHES_RCVD scores a -0.0 on
> my system. I see those scores in emails from 2011. Don’t know where
> you are finding -1.653, but that is not the score that is getting
> applied here.

FWIW, I see the same score as Mr. rhsoft. And yes, I agree that it is way too strong; my meta rule was meant to neutralize it. But maybe I'll just take the easy way out and disable it.

--
Please *no* private Cc: on mailing lists and newsgroups
Why does the arrow on Hillary signs point to the right?
Re: What are the T_ rules ?
On 05 Sep 2016, at 13:36, li...@rhsoft.net wrote:
> but -1.653 is just a bad joke because it means every homeuser which manages
> to get some DNS records fine (as well as every spammer which registers a ton
> of domains and cheap hosts) get a large benefit compared to any professionally
> maintained server hosting hundreds of domains with responsibility

RP_MATCHES_RCVD scores a -0.1 and T_RP_MATCHES_RCVD scores a -0.0 on my system. I see those scores in emails from 2011. Don’t know where you are finding -1.653, but that is not the score that is getting applied here.
Re: What are the T_ rules ?
On Mon, 5 Sep 2016 13:00:14 -0700 Ian Zimmerman wrote:
> On 2016-09-05 12:21, John Hardin wrote:
>
> > header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
> >
> > ...which means you'd need to go digging around in the perl code to
> > find out what it's doing.
> >
> > Basically, it's a check that the return-path (the SMTP "MAIL FROM"
> > envelope value, if available) matches a received header in the
> > message.
>
> Based on the description string, I think (in fact I hope) that this is
> not quite right; it's not "matches _a_ Received header" but "matches
> _the_ Received header emitted by my MX host".

It's actually two rules in one: either it matches on the first-trusted rDNS or, if you have no untrusted received headers, it can match on any received header. I suspect you are seeing the latter case. The former is basically a poor man's SPF_PASS, and that only scores -0.001.

There is a problem with this rule that it does very well as a ham indicator in rule QA, but does very badly on a lot of real mail servers, causing FNs. At one point RP_MATCHES_RCVD was converted into the unscored __RP_MATCHES_RCVD where it was dubiously allowed into meta rules. IMO it should not have been allowed back as a scored rule.

Unless you've established that it does well for you I'd suggest you score RP_MATCHES_RCVD at 0 and avoid it in meta rules.
Re: What are the T_ rules ?
On 05.09.2016 at 22:03, Ian Zimmerman wrote:
> On 2016-09-05 21:31, Axb wrote:
> > In what file do you see T_RP_MATCHES_RCVD ?
>
> [1+0]~$ cd /usr/share/spamassassin/
> [2+0]spamassassin$ fgrep T_RP_MATCHES_RCVD *
> 72_active.cf:##{ T_RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
> 72_active.cf:header T_RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
> 72_active.cf:describe T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
> 72_active.cf:tflags T_RP_MATCHES_RCVD nice
> 72_active.cf:##} T_RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval

current scores are not below /usr/share/spamassassin since that is *not* touched by sa-update and the last SA update was a year ago
Re: What are the T_ rules ?
On 05.09.2016 at 22:00, Ian Zimmerman wrote:
> On 2016-09-05 12:21, John Hardin wrote:
> > header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
> >
> > ...which means you'd need to go digging around in the perl code to
> > find out what it's doing.
> >
> > Basically, it's a check that the return-path (the SMTP "MAIL FROM"
> > envelope value, if available) matches a received header in the
> > message.
>
> Based on the description string, I think (in fact I hope) that this is
> not quite right; it's not "matches _a_ Received header" but "matches
> _the_ Received header emitted by my MX host". It would be a bit too
> general for my meta rule to rely on it, were it otherwise

it's too general at all

or looking from the other side: why should i get a worse score just because i host 100 domains on my outbound mailserver compared to some jerk which registered "new-spamdomain.tld" and have "new-spamdomain.tld" as PTR until the ISP shuts down his crap spreading junk and malware all day long?

that's one of the rules which deserves nothing else than an informational tag and that won't change
Re: What are the T_ rules ?
On 2016-09-05 21:31, Axb wrote:
> In what file do you see T_RP_MATCHES_RCVD ?

[1+0]~$ cd /usr/share/spamassassin/
[2+0]spamassassin$ fgrep T_RP_MATCHES_RCVD *
72_active.cf:##{ T_RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
72_active.cf:header T_RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
72_active.cf:describe T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
72_active.cf:tflags T_RP_MATCHES_RCVD nice
72_active.cf:##} T_RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval

--
Please *no* private Cc: on mailing lists and newsgroups
Why does the arrow on Hillary signs point to the right?
Re: What are the T_ rules ?
On 2016-09-05 12:21, John Hardin wrote:
> header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
>
> ...which means you'd need to go digging around in the perl code to find
> out what it's doing.
>
> Basically, it's a check that the return-path (the SMTP "MAIL FROM"
> envelope value, if available) matches a received header in the message.

Based on the description string, I think (in fact I hope) that this is not quite right; it's not "matches _a_ Received header" but "matches _the_ Received header emitted by my MX host". It would be a bit too general for my meta rule to rely on it, were it otherwise.

--
Please *no* private Cc: on mailing lists and newsgroups
Why does the arrow on Hillary signs point to the right?
Re: What are the T_ rules ?
On 05.09.2016 at 21:31, Axb wrote:
> 72_scores.cf published by sa-update sets a score:
>
> score RP_MATCHES_RCVD -1.152 -1.653 -1.152 -1.653
>
> Ian,
> In what file do you see T_RP_MATCHES_RCVD?

*currently* nowhere

but -1.653 is just a bad joke because it means every homeuser which manages to get some DNS records fine (as well as every spammer which registers a ton of domains and cheap hosts) get a large benefit compared to any professionally maintained server hosting hundreds of domains with responsibility

hence everybody right in his mind set "score RP_MATCHES_RCVD -0.001" in local.cf and that issue is *not* new
Re: What are the T_ rules ?
On 09/05/2016 09:21 PM, John Hardin wrote:
> On Mon, 5 Sep 2016, Ian Zimmerman wrote:
> > I want to use RP_MATCHES_RCVD in a meta rule. I thought I'd check its
> > definition before I plunged in and wrote any code, so I grepped in
> > /usr/share/spamassassin where all the original rules seem to live on
> > my system (debian jessie). But all the hits are either for
> > __RP_MATCHES_RCVD (which I assume is an internal rule not to be used
> > by outsiders) or for T_RP_MATCHES_RCVD.
>
> __RP_MATCHES_RCVD is a "subrule", a match that is not scored and which
> is intended for use in meta-rules. You *do* want to use that in your
> local meta rule.
>
> That rule is defined as:
>
> header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
>
> ...which means you'd need to go digging around in the perl code to find
> out what it's doing.
>
> Basically, it's a check that the return-path (the SMTP "MAIL FROM"
> envelope value, if available) matches a received header in the message.
>
> > Since I have seen other rules in results with the T_ prefix (for
> > example T_DKIM_INVALID) I think it must be some kind of convention
> > with an accepted meaning. What is this conventional meaning, and how
> > do these rules relate to the ones without the T_ prefix?
>
> As others have said, they are "test" rules. They are rules that don't
> perform well enough in masscheck to be published with meaningful
> scores, or are explicitly marked or named for testing, but which can't
> be omitted, probably due to another meta rule in the sandbox that does
> perform well enough to publish depending on them.

72_scores.cf published by sa-update sets a score:

score RP_MATCHES_RCVD -1.152 -1.653 -1.152 -1.653

Ian,
In what file do you see T_RP_MATCHES_RCVD ?
Re: What are the T_ rules ?
On Mon, 5 Sep 2016, Ian Zimmerman wrote:
> I want to use RP_MATCHES_RCVD in a meta rule. I thought I'd check its
> definition before I plunged in and wrote any code, so I grepped in
> /usr/share/spamassassin where all the original rules seem to live on my
> system (debian jessie). But all the hits are either for
> __RP_MATCHES_RCVD (which I assume is an internal rule not to be used by
> outsiders) or for T_RP_MATCHES_RCVD.

__RP_MATCHES_RCVD is a "subrule", a match that is not scored and which is intended for use in meta-rules. You *do* want to use that in your local meta rule.

That rule is defined as:

header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()

...which means you'd need to go digging around in the perl code to find out what it's doing.

Basically, it's a check that the return-path (the SMTP "MAIL FROM" envelope value, if available) matches a received header in the message.

> Since I have seen other rules in results with the T_ prefix (for
> example T_DKIM_INVALID) I think it must be some kind of convention with
> an accepted meaning. What is this conventional meaning, and how do
> these rules relate to the ones without the T_ prefix?

As others have said, they are "test" rules. They are rules that don't perform well enough in masscheck to be published with meaningful scores, or are explicitly marked or named for testing, but which can't be omitted, probably due to another meta rule in the sandbox that does perform well enough to publish depending on them.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The tree of freedom must be freshened from time to time with the blood of tyrants and tyrannosaurs.
-- DW, commenting on the GM6 Lynx .50BMG bullpup
---
12 days until the 229th anniversary of the signing of the U.S. Constitution
Re: What are the T_ rules ?
On 2016-09-05 20:38, li...@rhsoft.net wrote:
> > Since I have seen other rules in results with the T_ prefix (for example
> > T_DKIM_INVALID) I think it must be some kind of convention with an
> > accepted meaning. What is this conventional meaning, and how do these
> > rules relate to the ones without the T_ prefix?
>
> T_ is testing - stuff which performs questionably for different reasons
> like T_DKIM_INVALID failing randomly and nobody knows why or rules where
> nobody is sure about their impact and if it's ok

Ok, thanks! But that still leaves my original problem:

>> I want to use RP_MATCHES_RCVD in a meta rule. I thought I'd check
>> its definition before I plunged in and wrote any code, so I grepped
>> in /usr/share/spamassassin where all the original rules seem to live
>> on my system (debian jessie). But all the hits are either for
>> __RP_MATCHES_RCVD (which I assume is an internal rule not to be used
>> by outsiders) or for T_RP_MATCHES_RCVD.

So how is RP_MATCHES_RCVD defined?

--
Please *no* private Cc: on mailing lists and newsgroups
Why does the arrow on Hillary signs point to the right?
Re: What are the T_ rules ?
On 5 Sep 2016, at 14:30, Ian Zimmerman wrote:
> I want to use RP_MATCHES_RCVD in a meta rule. I thought I'd check its
> definition before I plunged in and wrote any code, so I grepped in
> /usr/share/spamassassin where all the original rules seem to live on my
> system (debian jessie). But all the hits are either for
> __RP_MATCHES_RCVD (which I assume is an internal rule not to be used by
> outsiders) or for T_RP_MATCHES_RCVD.

Check wherever sa-update is stashing your rule updates instead. That's likely to be somewhere under /var/ but Debian likes to do its own things... On one of my systems it's here:

# grep -r ' RP_MATCHES_RCVD' /var/spamassassin/3.004001/
/var/spamassassin/3.004001/updates_spamassassin_org/72_active.cf:##{ RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
/var/spamassassin/3.004001/updates_spamassassin_org/72_active.cf:header RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
/var/spamassassin/3.004001/updates_spamassassin_org/72_active.cf:describe RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
/var/spamassassin/3.004001/updates_spamassassin_org/72_active.cf:tflags RP_MATCHES_RCVD nice
/var/spamassassin/3.004001/updates_spamassassin_org/72_active.cf:##} RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
/var/spamassassin/3.004001/updates_spamassassin_org/72_scores.cf:score RP_MATCHES_RCVD -1.151 -1.508 -1.151 -1.508

Note that apparently there was some change in that rule's handling after 3.3.0 so if you're running a very obsolete SA, your rules could be different...

> Since I have seen other rules in results with the T_ prefix (for
> example T_DKIM_INVALID) I think it must be some kind of convention with
> an accepted meaning. What is this conventional meaning, and how do
> these rules relate to the ones without the T_ prefix?

T_* rules are in testing.

From the Mail::SpamAssassin::Conf internal documentation (and man page):

    If no score is given for a test by the end of the configuration, a
    default score is assigned: a score of 1.0 is used for all tests,
    except those whose names begin with 'T_' (this is used to indicate a
    rule in testing) which receive 0.01.

I expect that what you see in /usr/share/spamassassin is the base ruleset of the first installation you did on that system of SA, which was probably some time and versions ago.
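
How the `score` lines and the T_ default discussed in this thread combine into the score that is actually applied, as an added Python example (not part of any poster's message and not SpamAssassin's own code). The sample rule text is constructed from lines quoted in the thread; the function name and the sign flip for `tflags nice` rules are additions, the latter being SpamAssassin behaviour that the quoted documentation excerpt does not mention.

```python
# Constructed sample rule files, modelled on lines quoted in the thread.
STALE_BASE = """\
##{ T_RP_MATCHES_RCVD if version >= 3.003000
header   T_RP_MATCHES_RCVD  eval:check_mailfrom_matches_rcvd()
describe T_RP_MATCHES_RCVD  Envelope sender domain matches handover relay domain
tflags   T_RP_MATCHES_RCVD  nice
header   __RP_MATCHES_RCVD  eval:check_mailfrom_matches_rcvd()
"""
UPDATED = """\
header   RP_MATCHES_RCVD  eval:check_mailfrom_matches_rcvd()
tflags   RP_MATCHES_RCVD  nice
score    RP_MATCHES_RCVD  -1.152 -1.653 -1.152 -1.653
"""
LOCAL = "score RP_MATCHES_RCVD 0\n"   # the override suggested in the thread

RULE_TYPES = {"header", "body", "rawbody", "uri", "full", "meta"}

def effective_scores(rule, cf_texts):
    """Return the four scoreset values for `rule` (hypothetical helper).

    cf_texts are file contents in the order they are read; a later
    `score` line replaces an earlier one. Returns None when the rule is
    not defined in these files or is an unscored '__' subrule.
    """
    defined, nice, scores = False, False, None
    for text in cf_texts:
        for line in text.splitlines():
            parts = line.split("#", 1)[0].split()   # drop comments
            if len(parts) < 2 or parts[1] != rule:
                continue
            if parts[0] in RULE_TYPES:
                defined = True
            elif parts[0] == "tflags":
                nice = "nice" in parts[2:]
            elif parts[0] == "score":
                vals = [float(v) for v in parts[2:6]]
                # a single value applies to all four scoresets
                scores = vals * 4 if len(vals) == 1 else vals
    if not defined or rule.startswith("__"):
        return None
    if scores is None:
        # documented default: 1.0, or 0.01 for T_ rules; assumption noted
        # in the lead-in: 'nice' rules get the default negated
        default = 0.01 if rule.startswith("T_") else 1.0
        scores = [-default if nice else default] * 4
    return scores

if __name__ == "__main__":
    for name, files in [("T_RP_MATCHES_RCVD", [STALE_BASE]),
                        ("RP_MATCHES_RCVD", [STALE_BASE]),
                        ("RP_MATCHES_RCVD", [UPDATED]),
                        ("RP_MATCHES_RCVD", [UPDATED, LOCAL])]:
        print(name, effective_scores(name, files))
```
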
Re: What are the T_ rules ?
On 05.09.2016 at 20:30, Ian Zimmerman wrote:
> Since I have seen other rules in results with the T_ prefix (for
> example T_DKIM_INVALID) I think it must be some kind of convention with
> an accepted meaning. What is this conventional meaning, and how do
> these rules relate to the ones without the T_ prefix?

T_ is testing - stuff which performs questionably for different reasons like T_DKIM_INVALID failing randomly and nobody knows why or rules where nobody is sure about their impact and if it's ok
What are the T_ rules ?
I want to use RP_MATCHES_RCVD in a meta rule. I thought I'd check its definition before I plunged in and wrote any code, so I grepped in /usr/share/spamassassin where all the original rules seem to live on my system (debian jessie). But all the hits are either for __RP_MATCHES_RCVD (which I assume is an internal rule not to be used by outsiders) or for T_RP_MATCHES_RCVD.

Since I have seen other rules in results with the T_ prefix (for example T_DKIM_INVALID) I think it must be some kind of convention with an accepted meaning. What is this conventional meaning, and how do these rules relate to the ones without the T_ prefix?

--
Please *no* private Cc: on mailing lists and newsgroups
Why does the arrow on Hillary signs point to the right?