Michael Scheidell wrote:
> On 4/28/10 3:13 PM, Kris Deugau wrote:
>> 0.0 TO_EQ_FM_HTML_ONLY To == From and HTML only
>> 0.0 TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
>> 1.7 TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX
>
> So. It's also obviously bulk email.
I don't know how these rules positively identify a message as "bulk".
Taking them at face value, they certainly represent "not following
best-practices".
<checking> Hmm. I'm not even sure how they fired; the From and To are
bare email addresses, and most certainly do NOT match. Those rules also
seem to be relatively recent (within ~1 month), since my
workstation/test system didn't have them until I ran sa-update. Our
live systems get updated much more frequently (SOUGHT rules daily,
others usually as I roll out updates for local rules).
I don't see anything obviously wrong with the root From == To meta subrules:
header __TO_EQ_FROM_1 ALL =~ /\nFrom:[^\n<]{0,80}<?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:[^\n]+\1/ism
header __TO_EQ_FROM_2 ALL =~ /\nTo:[^\n<]{0,80}<?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:[^\n]+\1/ism
but they (_1 in this case) still match on:
From: mortga...@ingdirect.ca
To: u...@vianet.ca
.... sometimes. Eeep. I tried a minimal hand-created test message,
with a Received header, and those two lines above; it didn't match. I
copy-pasted the customer's address, and it matched. I replaced the
domain, and it still matched. I replaced the username, and it failed to
match. There's nothing funky in a hex dump of the original header.
I really hope I can get permission from the customer to at least pass
the original on to one of the SA devs; copy-pasting the headers into an
empty file, and slowly removing one at a time caused some very *odd*
changes in behaviour. For instance, removing the original Subject: line
(or altering it in certain ways) apparently controlled whether the
relevant subrule above matched or not, no matter *what* was in the To or
From (mostly).
I managed to reduce it to a suitably-anonymized example:
http://pastebin.com/X2ZUNAYM
I've tried that test message on four different SA 3.3.1 systems (CentOS 4
and 5, 32-bit, local RPM; CentOS 5 64-bit, local RPM; Debian lenny
64-bit, local scripted source install) and all four hit
TO_EQ_FM_DIRECT_MX (implying one or the other of __TO_EQ_FROM_1 or
__TO_EQ_FROM_2 hit). As you can plainly see, To does *not* equal From
on that message...
> If ING Direct wants to be stupid about the emails they send, let them be
> blocked, or whitelist them.
> (Or they can pay Return Path for more credit points, as long as their
> bulk email is double opt-in.)
Actually, it appeared to be a specific reminder to that specific
customer (certainly something likely to be sent in bulk in the sense
that they'll send quite a few of them, but not "bulk" in the sense you seem
to mean).
-kgd
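Editor's note, as an added example that is not part of the thread and not SpamAssassin's own code: the __TO_EQ_FROM_1 regex quoted above can match two different bare addresses purely through backtracking. Nothing in the pattern pins the capture group to a whole address: `[^\n<]{0,80}` can swallow most of the From value, leaving `([^\n\s>]+)` to capture just its last character (or any other suffix), and `To:[^\n]+\1` then only needs that suffix to occur somewhere in the To line. For `From: ...@ingdirect.ca` and any To address containing an `a`, that is a hit. The script below runs the posted regex (Python's re backtracks the same way Perl does for this pattern) over constructed header blocks, reports what `\1` actually captured, and sets a tightened variant beside it that requires the captured address to be a whole `<...>` or whitespace-delimited token on both lines. The tightened regex, the example addresses and the `headers()` helper are my own assumptions for illustration; this reproduces one mechanism for the false positive, not necessarily everything Kris observed (the Subject-line sensitivity is not modelled).

```python
"""Why the posted __TO_EQ_FROM_1 regex can fire when To != From.

Added example; not code from the thread or from SpamAssassin. All header
values are constructed for the demonstration.
"""
import re

# The sub-rule regex exactly as quoted in the thread (Perl flags /ism).
TO_EQ_FROM_1 = re.compile(
    r"\nFrom:[^\n<]{0,80}<?([^\n\s>]+)>?\n"
    r"(?:[^\n]{1,100}\n)*"
    r"To:[^\n]+\1",
    re.I | re.S | re.M,
)

# A tightened variant (my suggestion, NOT the project's fix): the capture
# must be a complete user@host token that starts right after '<' or
# whitespace and runs to '>' or end of line, and the back-reference must
# appear in the To: line delimited the same way.
TO_EQ_FROM_STRICT = re.compile(
    r"\nFrom:[^\n<]{0,80}?(?:<|\s)([^\n\s<>@]+@[^\n\s<>]+)>?\s*\n"
    r"(?:[^\n]{1,100}\n)*"
    r"To:[^\n]*?(?:\s|<)\1(?:>|\s|$)",
    re.I | re.S | re.M,
)


def headers(from_value, to_value, subject="Account reminder"):
    """Minimal header block like the hand-made test in the thread:
    a Received line, then From/To/Subject. Constructed sample data."""
    return (
        "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
        f"From: {from_value}\n"
        f"To: {to_value}\n"
        f"Subject: {subject}\n"
    )


def loose_hit(hdrs):
    """What the posted regex captured as \\1 if it matched, else None."""
    m = TO_EQ_FROM_1.search(hdrs)
    return m.group(1) if m else None


def strict_hit(hdrs):
    """What the tightened regex captured as \\1 if it matched, else None."""
    m = TO_EQ_FROM_STRICT.search(hdrs)
    return m.group(1) if m else None


if __name__ == "__main__":
    cases = [
        # To != From, but the To line contains an 'a': loose regex fires.
        ("alice@example.ca", "bob@example.net"),
        # To != From and no 'a' anywhere in the To line: loose regex misses.
        ("alice@example.ca", "bob@host.net"),
        # Genuinely equal; note the loose regex still only "proves" one char.
        ("alice@example.ca", "alice@example.ca"),
        # Angle-bracketed From pins the capture to the whole address.
        ("Alice <alice@example.ca>", "Bob <bob@example.net>"),
    ]
    for f, t in cases:
        h = headers(f, t)
        print(f"From: {f:26} To: {t:24} "
              f"loose={loose_hit(h)!r:6} strict={strict_hit(h)!r}")
```

Run it and the first case prints `loose='a'`: the only thing the rule established is that the last letter of the From address also appears somewhere in the To line. The third case shows the same single-character capture on a real match, so the loose form never actually compared whole addresses. The strict variant returns the full address only when the delimited token is identical on both lines.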