Hi Matija > > So no matter how spamassassin is called, in both cases IMHO it should > > get the full text/rfc822 email with header any body and get the same > > results. > > Agreed. if your mail is indeed in correct format, there are few things that > I'd check: > > - has the MIMEdefang been instructed to reload to pick up new rules?
Absolutely. > - has the reload succeeded, specifically: > - e.g. file permission problem might have "spamassassin -t" running as root > succeed, while MIMEdefang running as unprivileged user might fail) Well, in my understanding, spamassassin only nees read access to rules, and as 'rules' are applied, this is not a generic issue. TO_IN_SUBJ rules exist in 72_active.cf and active.list, both are world readable, so unless I overlooked something weird, I can exclude this. But I will add a shell to my 'defang' user under which the milter is running and run spamassassin as this user, just to make sure. > - syntax error might case MIMEdefang to abort reloading and use old > configuratin filter:~# spamassassin --lint May 12 16:11:45.572 [7633] warn: Found From: [email protected] filter:~# mimedefang.pl -f /etc/mimedefang-filter -test Prototype mismatch: sub main::message_contains_virus: none vs () at /etc/mimedefang-filter line 142. Prototype mismatch: sub main::entity_contains_virus: none vs ($) at /etc/mimedefang-filter line 163. Found From: [email protected] Filter /etc/mimedefang-filter seems syntactically correct. Does not look like severe errors > - you can check by e.g. adding some other always-hitting rule in same > config file and see if that one matches in both cases or also only in cmdline > "spamassassin -t" > - also, check the logs that MIMEdefang might produce MIMEDefang just runs fine and logs what is reported by SpamAssassin. Example from a recent email which should have hit 'to_in_subject' (domain replaced by example.com) From: ADAC <[email protected]> To: "[email protected]" <[email protected]> Subject: (1) Ihr kostenloses Auto-Notfallset wartet auf Sie – [email protected] Date: Tue, 12 May 2026 13:53:41 +0000 Raw: Subject: (1) Ihr kostenloses Auto-Notfallset wartet auf Sie =?utf-8?Q?=E2=80=93?= [email protected] From: ADAC <[email protected]> Reply-To: ADAC <[email protected]> To: "[email protected]" <[email protected]> MIMEDefang Log: May 12 15:53:46 filter mimedefang.pl[7537]: 3708D3F925: SpamAssassin: BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SNCH_OVH,SPF_HELO_NONE,SPF_PASS May 12 15:53:46 filter mimedefang.pl[7537]: 3708D3F925: MDLOG,3708D3F925,mail_in,2.901,51.83.129.130,<[email protected]>,<[email protected]>,(1) Ihr kostenloses Auto-Notfallset wartet auf Sie – [email protected] I have MIMEDefang put the full report into the headers: X-Spam-Report: ---- Start der SpamAssassin Auswertung 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0004] 0.0 HTML_MESSAGE BODY: HTML included in message 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to background -0.0 DMARC_PASS DMARC pass policy 5.0 SNCH_OVH Sent from OVH France [ASN: AS16276] ---- Ende der SpamAssassin Auswertung Ok while we were at it - added bash to 'defang' user: filter:~# su - defang defang@filter:~$ defang@filter:~$ pwd /var/spool/MIMEDefang looks right defang@filter:~$ spamassassin -D -t May 12 16:18:49.871 [7701] dbg: logger: adding facilities: all May 12 16:18:49.871 [7701] dbg: logger: logging level is DBG May 12 16:18:49.872 [7701] dbg: generic: SpamAssassin version 4.0.1 May 12 16:18:49.872 [7701] dbg: generic: Perl 5.040001, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin May 12 16:18:49.872 [7701] dbg: config: timing enabled May 12 16:18:49.873 [7701] dbg: config: score set 0 chosen. May 12 16:18:49.874 [7701] dbg: util: running in taint mode? yes May 12 16:18:49.874 [7701] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH May 12 16:18:49.874 [7701] dbg: util: PATH included '/usr/local/bin', keeping May 12 16:18:49.874 [7701] dbg: util: PATH included '/usr/bin', keeping May 12 16:18:49.874 [7701] dbg: util: PATH included '/bin', keeping May 12 16:18:49.875 [7701] dbg: util: PATH included '/usr/local/games', keeping May 12 16:18:49.875 [7701] dbg: util: PATH included '/usr/games', keeping May 12 16:18:49.875 [7701] dbg: util: final PATH set to: /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games May 12 16:18:49.878 [7701] dbg: util: secure_tmpfile created a temporary file /tmp/.spamassassin7701fzBpKXtmp => pasting raw email - ctrl-d ---- Start der SpamAssassin Auswertung 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_FAIL SPF: Senderechner entspricht nicht SPF-Datensatz (fail) [SPF failed: Rejected by SPF record.] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -1.9 BAYES_00 BODY: Spamwahrscheinlichkeit nach Bayes-Test: 0-1% [score: 0.0002] 1.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 5.0 SNCH_OVH Sent from OVH France [ASN: AS16276] 0.0 HTML_MESSAGE BODY: Nachricht enth�lt HTML 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML-Schriftfarbe �hnlich der Hintergrundfarbe 1.0 TO_IN_SUBJ To address is in Subject -0.0 DMARC_PASS DMARC pass policy ---- Ende der SpamAssassin Auswertung So even when running with the same use as MIMEdefang is running spamassassin, I only get a TO_IN_SUBJ hin when running from command line. Am I getting crazy? ;-) => Hmm same issue with: HEADER_FROM_DIFFERENT_DOMAINS Mit freundlichen Grüssen -Benoît Panizzon- -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________
