Re: tflags publish <= What is this good for? (Re: Rule for: Subject contains email address from To: header?)

Mon, 01 Jun 2026 07:51:35 -0700 

On Mon, 1 Jun 2026, Benoit Panizzon wrote:


TO_IN_SUBJ itself is yet another meta involving __TO_IN_SUBJ and some
other negated rules.



That is intentional. The negated rules are intended to remove ham-only or 
mostly-ham hits observed in masscheck so that the rule performs more 
reliably - IN ISOLATION.



Note that the patterns of ham and spam change over time so it's entirely 
possible those exclusions have rotted and become a problem rather than a 
benefit. That approach of rule tuning _does_ require periodic review and 
retuning.


I'll try to review and retune TO_IN_SUBJ sometime this week.


Turned out, the issue most probably never was __TO_IN_SUBJ this was
probably always producing a hit (which I could see by manually calling
spamassassin on the command line).

The issue most probably is one of the other negated rules which disable
TO_IN_SUBJ despite __TO_IN_SUBJ being true.


Right.


If you're doing fresh metarules for local conditions, start with the 
unfiltered subrule __TO_IN_SUBJ and add other conditions based on local 
observed spam.



meta            IMP_TO_IN_SUBJ          __TO_IN_SUBJ
describe        IMP_TO_IN_SUBJ          Empfaengeradresse in Betreff
score           IMP_TO_IN_SUBJ          2


Useful to gauge the impact of the masscheck-based FP avoidance exclusions.


header  __IMP_SHOP_IN_SUBJ      Subject 
=~/(UPS|Rossmann|Lidl|Hermes|DPD|GLS|ADAC)/i

meta            IMP_SHOP_PHISH          (__TO_IN_SUBJ + __IMP_SHOP_IN_SUBJ > 1)
describe        IMP_SHOP_PHISH          Empfaengeradresse in Betreff + 
Firmenname
score           IMP_SHOP_PHISH          8


Like that, yes.


Style note: the "> 1" is not needed (and can be confusing) for rules that 
do not have "tflags multiple". Single-match rules either hit or they 
don't, so it's less confusing in most cases to use non-score boolean logic 
in metarules.


Recommend instead:

  meta    IMP_SHOP_PHISH    __TO_IN_SUBJ && __IMP_SHOP_IN_SUBJ



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [email protected]                         pgpk -a [email protected]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 5 days until the 82nd anniversary of D-Day





























					Reply via email to