Martin Flygenring wrote:
Hi.
I'm trying to write a rule that matches on a mail that has the
following headers:
X-Spam-Reasons: {'verdict': 'phishing',
'spamcause':
'gggruggvucftvghtrhhoucdtuddrgedvtddruddvgddugecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfkpffvgfftoffgfffktedpqfgfvfenuceurghilhhouhhtmecufedttdenucgorfhhihhshhhinhhgqdfkphfpvghtfihorhhkucdlfedttddmnecujfgurhephffvufffkfggtghisehrtdefvcdttddtnecuhfhrohhmpegtohhmphhlvghtvghtvghnuggvrhhsrdgtohhmucfuvghrvhgvrhcukffvuceouggrnhesshhhihhptghsuddrtghomheqnecuggftrfgrthhtvghrnhepleeiudeikeejffetgeetleeggfegteeghfdtveduvdekhedvlefgvedtueeiffejnecuffhomhgrihhnpeifvggsrdgrphhpnecukfhppeegtddrjeegrdduudefrddvgeeinecurfhhihhshhhinhhgkfhppfgvthifohhrkhepgedtrdejgedruddufedrvdegieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpefpohhnvgdpmhgrihhlfhhrohhmpegurghnsehshhhiphgtshdurdgtohhmpdhrtghpthhtohepmhgrthhthhgvfiestghomhhplhgvthgvthgvnhguvghrshdrtghomh',
'elapsed': '4ms'}
X-AES-Category: SPAM
X-Spam-Category: PHISHING
These are the rules I have so far:
header __HDR_XSPAM_CAT X-Spam-Category =~ /^(spam|phishing)$/i
header __HDR_XSPAM_REASONS X-Spam-Reasons =~ /['"](spam|phishing)['"]/i
header __HDR_XAES_CAT X-AES-Category =~ /^(spam|phishing)$/i
meta SENDER_SPAM (__HDR_XSPAM_CAT || __HDR_XSPAM_REASONS || __HDR_XAES_CAT)
describe SENDER_SPAM Message contains headers from sender indicating this is spam or phishing
score SENDER_SPAM 1
The only one that I can get working is __HDR_XAES_CAT; both
__HDR_XSPAM rules aren't hitting anything:
$ spamassassin -t -p ~/.spamassassin/mx teKbdz1W.txt -D 2>&1 | grep __HDR
Jul 22 17:00:53.480 [967777] dbg: rules: ran header rule
__HDR_XAES_CAT ======> got hit: "SPAM"
Jul 22 17:00:54.439 [967777] dbg: check:
subtests=__ANY_IMAGE_ATTACH,__ANY_TEXT_ATTACH,__ANY_TEXT_ATTACH_DOC,__BODY_INVOICE_EN,__BODY_TEXT_LINE(3),__CT,__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ANY,__DKIM_DEPENDABLE,__DKIM_EXISTS,__DOS_HAS_ANY_URI,__DOS_RCVD_MON,__DOS_RELAYED_EXT,__ENV_AND_HDR_FROM_MATCH,__E_LIKE_LETTER(55),__FORGED_RCVD_TRAIL,__FROM_ADMIN,__FROM_DOM_ADMIN,__HAS_ANY_EMAIL,__HAS_ANY_URI,__HAS_DATE,__HAS_DKIM_SIGHD,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HAS_TO,__HAS_URI,__HDR_XAES_CAT,__HTML_IMG_ONLY,__JM_REACTOR_DATE,__KAM_MAILSPLOIT2,__KHOP_NO_FULL_NAME,__LAST_EXTERNAL_RELAY_NO_AUTH,__LAST_UNTRUSTED_RELAY_NO_AUTH,__LCL__ENV_AND_HDR_FROM_MATCH,__LOCAL_PP_NONPPURL,__LOWER_E(55),__MIME_BASE64,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MISSING_REPLY,__MSGID_OK_DIGITS,__NONEMPTY_BODY,__NOT_SPOOFED,__ONE_IMG,__PDS_FROM_NAME_TO_DOMAIN,__PNG_ATTACH_1,__RATWARE_0_TZ_DATE,__RBODY_MAILBOX,__SANE_MSGID,__SUBJ_NOT_SHORT,__TAG_EXISTS_BODY,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TAG_EXISTS_STYLE,__TOCC_EXISTS,__URI_MAILTO,__URI_WEBAPP
(Total Subtest Hits: 172 / Deduplicated Total Hits: 62)
The rule will work because it's matching on __HDR_XAES_CAT, but I'm
still wondering why the two X-Spam rules aren't hitting anything.
I believe header rules look at the whole line anyway, with the exception
of header lines that have known syntax. That would NOT be X-Header
checks. I've had trouble there before. Methinks you're pushing the
envelope (and the envelope's giving you a paper cut).
I'd try:
1) Try appending /im to your regex. The "m" has context outside of
normal Perl's /g. But preferably:
2) I'd get rid of delineation for those two Regexes, period.
X-Spam-Category =~ /(SPAM|PHISHING)/
X-AES-Category =~ /(SPAM|PHISHING)/
These are produced by something external with an obviously KNOWN
pattern. How many of those would you expect in a message? That'd be
another problem entirely. SA syntax is Perlish-only and does its
own internal sanity checks and conversions.
$0.02,
-- Jared Hall
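An added example, not part of either message above, that re-implements the header matching outside SpamAssassin so the posted regexes can be checked in isolation. It parses a constructed header block (re-typed from the original post, with the long 'spamcause' value shortened), unfolds the folded X-Spam-Reasons header the way SpamAssassin does for header rules without the :raw modifier (assumption: continuation lines are joined with a single space), applies the three posted patterns, and then compares the anchored pattern with the unanchored one suggested in the reply on a few constructed values. The header block, the rule table and the helper names are all this example's own.

```python
import re

# Constructed sample, re-typed from the original post; the 'spamcause'
# value is shortened here. X-Spam-Reasons is folded across three lines.
SAMPLE_HEADERS = (
    "X-Spam-Reasons: {'verdict': 'phishing',\n"
    " 'spamcause': 'gggruggvucftvghtrhhoucdtuddrgedvtddruddvgddugec',\n"
    " 'elapsed': '4ms'}\n"
    "X-AES-Category: SPAM\n"
    "X-Spam-Category: PHISHING\n"
)

# The three header rules as posted: rule name -> (header, pattern, flags)
RULES = {
    "__HDR_XSPAM_CAT":     ("X-Spam-Category", r"^(spam|phishing)$", re.I),
    "__HDR_XSPAM_REASONS": ("X-Spam-Reasons",  r"['\"](spam|phishing)['\"]", re.I),
    "__HDR_XAES_CAT":      ("X-AES-Category",  r"^(spam|phishing)$", re.I),
}


def parse_headers(raw):
    """Split a header block into (name, value) pairs, unfolding continuation
    lines. Assumption: this mirrors SpamAssassin's default (non-:raw) header
    access, where a folded line is joined to its predecessor with one space
    and leading/trailing whitespace around the value is dropped."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def get_header(headers, name):
    """All unfolded values of the named header (header names are
    case-insensitive)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def run_rules(raw, rules=RULES):
    """Apply each rule to the matching header(s); returns
    {rule_name: captured category or None}. Mirrors a 'header' rule:
    the rule hits if the regex matches any instance of that header."""
    headers = parse_headers(raw)
    hits = {}
    for rule, (hdr, pattern, flags) in rules.items():
        rx = re.compile(pattern, flags)
        hits[rule] = None
        for value in get_header(headers, hdr):
            m = rx.search(value)
            if m:
                hits[rule] = m.group(1)
                break
    return hits


def sender_spam(hits):
    """The posted meta rule: SENDER_SPAM fires if any subrule hit."""
    return any(v is not None for v in hits.values())


def anchored_vs_loose(value):
    """Compare the posted anchored pattern with the unanchored one from
    the reply on a single header value; returns (anchored_hit, loose_hit)."""
    anchored = re.search(r"^(spam|phishing)$", value, re.I) is not None
    loose = re.search(r"(spam|phishing)", value, re.I) is not None
    return anchored, loose


if __name__ == "__main__":
    for rule, hit in run_rules(SAMPLE_HEADERS).items():
        print(f"{rule:22} {'hit: ' + hit if hit else 'no hit'}")
    print("SENDER_SPAM:", sender_spam(run_rules(SAMPLE_HEADERS)))
    for v in ("PHISHING", "PHISHING (high confidence)", "NOT-SPAM"):
        print(f"{v!r:30} anchored/loose = {anchored_vs_loose(v)}")
```

Run against the values exactly as posted, all three regexes match the unfolded header values, so the non-hits come from how SpamAssassin presents (or does not present) those headers to the rule, not from the patterns themselves. The last function shows the trade-off behind the reply's suggestion: dropping the ^...$ anchors makes the rule survive extra text such as "PHISHING (high confidence)", but the bare (SPAM|PHISHING) also fires on a value like "NOT-SPAM", so a loosened pattern should at least use word boundaries or exclude a leading "not"/"non".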