Thanks Bill. I know very little about Perl, so while I saw the reference to Mail::SpamAssassin::Conf without the "perldoc" in front of it, I had no clue what to do with that information.

On 2020-12-20 00:18, Bill Cole wrote:
On 19 Dec 2020, at 23:39, Alan wrote:

Please forgive me if these are easy/common questions. I have done some searching and haven't found any clear answers.

I'm running SpamAssassin 3.4.4 in a cPanel environment.

1. What is the smallest increment for a rule score? I see some indications that it's 0.1, others seem to say it is 0.01. Can I go to 0.001? Lower?

Any number that Perl understands will work but very small scores are pointless.  So if you really want to score a rule at 12.34e-56 you can.

The reason for asking is that I want to use SpamAssassin to flag some things that are suspicious but only when other conditions are met for specific users. I'd like to have SA insert the rule text, e.g. LOCAL_SOME_RULE, so that I can have an exim filter check for a specific form of to address plus this rule match before removing the message. But at the same time I don't want messages that match this rule to generate false positives for other users.

Generally 0.01 or -0.01 is adequately small for such purposes.

2. I would like to match against some suspicious URLs that contain long sequences of random characters, but only have the rule match if I find multiple URLs that follow the same pattern. Normally I would use /(some-regex){5}/ but it seems that the rawbody command only looks at smaller chunks of the message (in this case the spammer is sending messages that are in the 11KB range and I have adjusted exim to pass enough in $message_body to capture enough URLs to fire a rule).

Is it possible to configure SA to look at bigger chunks? 8 KB or even 16 KB would work. If not, is there a way to write a rule that counts the total number of matches of a regex against the raw body?

A rule can be allowed to match multiple times, as described in the documentation (perldoc Mail::SpamAssassin::Conf.) Here's the example provided there:

              uri      __KAM_COUNT_URIS /^./
              tflags   __KAM_COUNT_URIS multiple maxhits=16
              describe __KAM_COUNT_URIS A multiple match used to count URIs in a message

              meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
              meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
              meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
              meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
              meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
              meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
              meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
              meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
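
The two answers in this thread combined for the case asked about (flag a message only when several URIs follow the same pattern, at a near-zero score), as an added example that is not part of the original messages or of the SpamAssassin documentation. The `__LOCAL_RANDOM_URI` name, the URI regex and the threshold of 5 are assumptions for illustration; `LOCAL_SOME_RULE` is the placeholder name used in the question.

```conf
# Hypothetical sub-rule: hits once for each URI whose path begins with a
# long run of letters and digits. The regex is a constructed placeholder;
# replace it with the pattern actually seen in the unwanted messages.
# Names starting with "__" are sub-rules: they carry no score and are not
# listed in the report on their own.
uri      __LOCAL_RANDOM_URI  /^https?:\/\/[^\/]+\/[A-Za-z0-9]{30,}/i

# Allow the sub-rule to hit more than once per message. maxhits stops the
# counting just above the threshold tested below.
tflags   __LOCAL_RANDOM_URI  multiple maxhits=6

# The visible rule fires only when at least five URIs matched.
meta     LOCAL_SOME_RULE     (__LOCAL_RANDOM_URI >= 5)
describe LOCAL_SOME_RULE     Five or more URIs with a long random-looking path

# A score this small barely moves the total for any user, but the rule
# name is still listed among the tests that hit, so a downstream filter
# can key on it.
score    LOCAL_SOME_RULE     0.01
```

After adding rules like these to a local .cf file, `spamassassin --lint` checks them for syntax errors.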



