Hi.

I'm trying to write a rule that matches on a mail that has the following headers:
X-Spam-Reasons: {'verdict': 'phishing',
 'spamcause': 'gggruggvucftvghtrhhoucdtuddrgedvtddruddvgddugecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfkpffvgfftoffgfffktedpqfgfvfenuceurghilhhouhhtmecufedttdenucgorfhhihhshhhinhhgqdfkphfpvghtfihorhhkucdlfedttddmnecujfgurhephffvufffkfggtghisehrtdefvcdttddtnecuhfhrohhmpegtohhmphhlvghtvghtvghnuggvrhhsrdgtohhmucfuvghrvhgvrhcukffvuceouggrnhesshhhihhptghsuddrtghomheqnecuggftrfgrthhtvghrnhepleeiudeikeejffetgeetleeggfegteeghfdtveduvdekhedvlefgvedtueeiffejnecuffhomhgrihhnpeifvggsrdgrphhpnecukfhppeegtddrjeegrdduudefrddvgeeinecurfhhihhshhhinhhgkfhppfgvthifohhrkhepgedtrdejgedruddufedrvdegieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpefpohhnvgdpmhgrihhlfhhrohhmpegurghnsehshhhiphgtshdurdgtohhmpdhrtghpthhtohepmhgrthhthhgvfiestghomhhplhgvthgvthgvnhguvghrshdrtghomh',
 'elapsed': '4ms'}
X-AES-Category: SPAM
X-Spam-Category: PHISHING


These are the rules I have so far:
header      __HDR_XSPAM_CAT         X-Spam-Category =~ /^(spam|phishing)$/i
header      __HDR_XSPAM_REASONS      X-Spam-Reasons =~ /['"](spam|phishing)['"]/i
header      __HDR_XAES_CAT          X-AES-Category =~ /^(spam|phishing)$/i
meta        SENDER_SPAM             (__HDR_XSPAM_CAT || __HDR_XSPAM_REASONS || __HDR_XAES_CAT)
describe    SENDER_SPAM             Message contains headers from sender indicating this is spam or phishing
score       SENDER_SPAM             1


The only one that I can get working is the __HDR_XAES_CAT, both __HDR_XSPAM rules aren't hitting anything:
$ spamassassin -t -p ~/.spamassassin/mx teKbdz1W.txt -D 2>&1 | grep __HDR
Jul 22 17:00:53.480 [967777] dbg: rules: ran header rule __HDR_XAES_CAT ======> got hit: "SPAM"
Jul 22 17:00:54.439 [967777] dbg: check: subtests=__ANY_IMAGE_ATTACH,__ANY_TEXT_ATTACH,__ANY_TEXT_ATTACH_DOC,__BODY_INVOICE_EN,__BODY_TEXT_LINE(3),__CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ANY,__DKIM_DEPENDABLE,__DKIM_EXISTS,__DOS_HAS_ANY_URI,__DOS_RCVD_MON,__DOS_RELAYED_EXT,__ENV_AND_HDR_FROM_MATCH,__E_LIKE_LETTER(55),__FORGED_RCVD_TRAIL,__FROM_ADMIN,__FROM_DOM_ADMIN,__HAS_ANY_EMAIL,__HAS_ANY_URI,__HAS_DATE,__HAS_DKIM_SIGHD,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HAS_TO,__HAS_URI,__HDR_XAES_CAT,__HTML_IMG_ONLY,__JM_REACTOR_DATE,__KAM_MAILSPLOIT2,__KHOP_NO_FULL_NAME,__LAST_EXTERNAL_RELAY_NO_AUTH,__LAST_UNTRUSTED_RELAY_NO_AUTH,__LCL__ENV_AND_HDR_FROM_MATCH,__LOCAL_PP_NONPPURL,__LOWER_E(55),__MIME_BASE64,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__NONEMPTY_BODY,__NOT_SPOOFED,__ONE_IMG,__PDS_FROM_NAME_TO_DOMAIN,__PNG_ATTACH_1,__RATWARE_0_TZ_DATE,__RBODY_MAILBOX,__SANE_MSGID,__SUBJ_NOT_SHORT,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_STYLE,__TOCC_EXISTS,__URI_MAILTO,__URI_WEBAPP (Total Subtest Hits: 172 / Deduplicated Total Hits: 62)

The rule will work because it's matching on __HDR_XAES_CAT, but I'm still wondering why the two X-Spam rules aren't hitting anything. My initial thought was that the X-Spam-Reasons header not being wrapped correctly was causing the issue, but since it's matching on the X-AES-Category header which comes after, and removing that X-Spam-Reasons header doesn't change anything for the X-Spam-Category header, that doesn't seem to be the issue.

Is there a limitation to SpamAssassin so it doesn't accept looking for the two X-Spam-headers, or can you spot why this rule isn't matching?


Currently I'm testing it on:
SpamAssassin version 3.4.6
  running on Perl version 5.32.1
on a machine running Manjaro.


--
Martin Flygenring (maf)
Systems Engineer, One.com

