On 1/11/2014 9:05 AM, Alex wrote:

Hi,

On Fri, Jan 10, 2014 at 10:32 PM, Kevin A. McGrail <kmcgr...@pccc.com> wrote:

    I checked in basic and I didn't get very far just looking at the
    first rule using your pastebin example.  It didn't appear to hit
    your rules.

    Might be something lost via pastebin but it's late and I'm tired
    so could be my mistake as well. However, spamassassin -t -D <
    /tmp/2.mbox 2>&1 | grep __RB_GT showed nothing.


It hit all of the subrules and LOC_SHORT here, but I don't understand why it doesn't detail the specifics of what triggered each of them.


    So you might want to look at 3.4.0 from SVN and look at using
    these rules:

            body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
            describe __KAM_BODY_LENGTH_LT_128        The length of the body of the email is less than 128 bytes.

            body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
            describe __KAM_BODY_LENGTH_LT_256        The length of the body of the email is less than 256 bytes.

            body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
            describe __KAM_BODY_LENGTH_LT_512        The length of the body of the email is less than 512 bytes.

            body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
            describe __KAM_BODY_LENGTH_LT_1024       The length of the body of the email is less than 1024 bytes.


I have v3.4 running on a few of the systems now. My rule (one you helped me write, actually) detects a body with a short URL, not just the body length, although this looks helpful.

Thanks,
Alex


Here's an example of a short email rule I've been working on if it helps:

#NEWS!
header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$/i
body            __KAM_NEWS2     /(?:Hello|hey|hi)!/i

meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + __HAS_ANY_URI >= 3)
describe        KAM_NEWS        Forged Emails with NEWS!
score           KAM_NEWS        9.0

Though I've also considered using these rules as well:

#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
  uri      __KAM_COUNT_URIS /^./
  tflags   __KAM_COUNT_URIS multiple maxhits=16
  describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and em...@email.com - use one of the meta rules below instead of directly using this one

  meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
  meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
  meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
  meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
  meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
  meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
  meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
  meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif

Regards,
KAM
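The following is an added example, not code from either poster or from SpamAssassin itself. It is a small Python model of how the rules in this thread combine: the `__KAM_BODY_LENGTH_LT_*` eval rules from Kevin's earlier message, the `KAM_NEWS` meta (a sum of boolean subrules compared against a threshold), and the `__KAM_COUNT_URIS` trick with `tflags multiple maxhits=16`, where the hit count is capped at 16 before the `__KAM_HAS_N_URIS` metas compare against it. The three sample messages are constructed for the example; the URI regex and the plain `len(body)` length check are simplifications of what SpamAssassin actually does (it extracts URIs from rendered text and counts the rendered body), so treat the results as an illustration of the meta arithmetic rather than of SpamAssassin's exact output.

```python
import re

# Constructed sample messages (not from the thread). Bodies are kept short
# or long on purpose so the body-length subrules differ between them.
SAMPLE_MESSAGES = {
    "news_spam": (
        "Subject: Fwd: NEWS\n"
        "From: someone@example.invalid\n"
        "\n"
        "Hello! http://example.invalid/story\n"
    ),
    "legit_long": (
        "Subject: Project update\n"
        "\n"
        + "Hi team, here is the weekly summary. " * 5
        + "Details at http://example.invalid/wiki and http://example.invalid/notes\n"
    ),
    "many_uris": (
        "Subject: NEWS\n"
        "\n"
        + "hey! " + " ".join(f"http://example.invalid/{i}" for i in range(20)) + "\n"
    ),
}

# Patterns copied from the rules in the thread.
SUBJECT_RE = re.compile(r"^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$", re.I)
GREETING_RE = re.compile(r"(?:Hello|hey|hi)!", re.I)
# Simplified URI extractor (assumption: http(s) URLs and mailto-style addresses).
URI_RE = re.compile(r"(?:https?://\S+|[\w.+-]+@[\w.-]+\.\w+)")


def split_message(raw):
    """Split a raw RFC 822-style message into a header dict and the body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def check_body_length(body, limit):
    """Model of eval:check_body_length(limit): true when body is under limit bytes."""
    return len(body.encode()) < limit


def count_uris(body, maxhits=16):
    """Model of 'uri __KAM_COUNT_URIS /^./' with 'tflags multiple maxhits=16':
    every URI is a hit, but the count stops growing at maxhits."""
    return min(len(URI_RE.findall(body)), maxhits)


def evaluate(raw):
    """Evaluate the subrules and metas from the thread against one message."""
    headers, body = split_message(raw)
    uris = count_uris(body)
    hits = {
        "__KAM_NEWS1": bool(SUBJECT_RE.search(headers.get("subject", ""))),
        "__KAM_NEWS2": bool(GREETING_RE.search(body)),
        "__KAM_BODY_LENGTH_LT_128": check_body_length(body, 128),
        "__KAM_BODY_LENGTH_LT_1024": check_body_length(body, 1024),
        "__HAS_ANY_URI": uris >= 1,
        "__KAM_COUNT_URIS": uris,
        "__KAM_HAS_0_URIS": uris == 0,
        "__KAM_HAS_3_URIS": uris >= 3,
        "__KAM_HAS_15_URIS": uris >= 15,
    }
    # meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + __HAS_ANY_URI >= 3)
    # In a meta, each subrule contributes 1 when it hit and 0 otherwise.
    hits["KAM_NEWS"] = (
        int(hits["__KAM_NEWS1"])
        + int(hits["__KAM_NEWS2"])
        + int(hits["__KAM_BODY_LENGTH_LT_128"])
        + int(hits["__HAS_ANY_URI"])
    ) >= 3
    return hits


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        result = evaluate(raw)
        fired = [k for k, v in result.items() if v is True]
        print(f"{name}: KAM_NEWS={result['KAM_NEWS']} uris={result['__KAM_COUNT_URIS']} hits={fired}")
```

Note that `many_uris` still fires `KAM_NEWS` even though its body is well over 128 bytes: three of the four subrules are enough for the `>= 3` threshold, which is the point of writing the meta as a sum rather than as `&&` of all four, and the same message shows the `maxhits` cap holding `__KAM_COUNT_URIS` at 16 despite 20 links in the body.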
