Hi, I know we are on the spamassassin mailing list, but another more radical way to block those is directly in postfix with a header_check before giving it to spamassassin
/^X-Spam-Flag: Yes/ REJECT Outscatter /^X-(Spam|AES)-Category: (SPAM|PHISHING)/ REJECT Outscatter But as a forewarning, the rare FPs can get quite frustrating if you use this method. Cheers, Laurent On 22.07.21 21:31, RW wrote: > On Thu, 22 Jul 2021 20:09:19 +0300 > Henrik K wrote: > >> On Thu, Jul 22, 2021 at 08:06:15PM +0300, Henrik K wrote: >>> On Thu, Jul 22, 2021 at 05:15:54PM +0200, Martin Flygenring wrote: >>>> >>>> Is there a limitation to SpamAssassin so it doesn't accept >>>> looking for the two X-Spam-headers, or can you spot why this rule >>>> isn't matching? >>> >>> SA removes all X-Spam-* headers from the message, it's not possible >>> to match on them. >> >> ... except with a kludgy full rule that matches the whole pristine >> message: >> >> full X_SPAM_FOOBAR /^X-Spam-Foobar: xyz/m > > There's no perfect way of doing this. The above has the problem of > going through the whole email, including big attachment. It can also > match falsely inside the body. > > The test can be constrained within the headers, but that causes problems > with the debug capture. > > This version captures a lot too much: > > full X_SPAM_FOOBAR /^(?:.+\n)*X-Spam-Foobar: xyz/ > > This version capture nothing: > > full X_SPAM_FOOBAR /^(?=(?:.+\n)*X-Spam-Foobar: xyz)/ > > I'd go for the latter. > > All of the above is untested. >
