> From: mezcal
> Date: Tue, 12 Aug 2008 00:22:55 -0700 (PDT)
> To:
> Subject: Add header rule problem
>
>
> Hello,
> I have been trying to add simple rule.
> # eset
> header ESET_SP X-Eset-AntiSpam =~ /^SPAM/
> describe ESET_SP Marked by Eset
> score ESET_SP 0.1


Looks ok what does lint say?
When you run spamassassin on that message with debug, what does it day?
Also, don't do both at the same time.


--
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

__________________________________________________ _______________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com
__________________________________________________ _______________________

Thanks for your replay.
spamassassin --lint says nothing

spamassassin -D
[19740] dbg: logger: adding facilities: all
[19740] dbg: logger: logging level is DBG
[19740] dbg: generic: SpamAssassin version 3.1.9
[19740] dbg: config: score set 0 chosen.
[19740] dbg: util: running in taint mode? yes
[19740] dbg: util: taint mode: deleting unsafe environment variables,
resetting PATH
[19740] dbg: util: PATH included '/usr/kerberos/sbin', keeping
[19740] dbg: util: PATH included '/usr/kerberos/bin', keeping
[19740] dbg: util: PATH included '/usr/local/sbin', keeping
[19740] dbg: util: PATH included '/usr/local/bin', keeping
[19740] dbg: util: PATH included '/sbin', keeping
[19740] dbg: util: PATH included '/bin', keeping
[19740] dbg: util: PATH included '/usr/sbin', keeping
[19740] dbg: util: PATH included '/usr/bin', keeping
[19740] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[19740] dbg: util: final PATH set to:
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
[19740] dbg: message: ---- MIME PARSER START ----
[19740] dbg: message: main message type: text/plain
[19740] dbg: message: parsing normal part
[19740] dbg: message: added part, type: text/plain
[19740] dbg: message: ---- MIME PARSER END ----
[19740] dbg: dns: is Net:NS::Resolver available? yes
[19740] dbg: dns: Net:NS version: 0.59

spamassassin -t message says:
1.7 SUBJECT_ENCODED_TWICE Subject: MIME encoded twice
3.5 SUBJ_RUSS_CHAR has Russian char encoding
0.1 ESET_SP marked by Eset
2.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
IP)
3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
2)
1.5 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
0.0 HTML_MESSAGE BODY: HTML included in message
3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
[score: 0.9761]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
[84.126.250.89 listed in dnsbl.sorbs.net]
1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
]
3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[84.126.250.89 listed in sbl-xbl.spamhaus.org]
It works.

But the other messages have not "0.1 ESET_SP marked by Eset"
in header.

Is it possible that this rule works but it isn`t written in header?



Michael Scheidell wrote:
>
>
>> From: mezcal
>> Date: Tue, 12 Aug 2008 00:22:55 -0700 (PDT)
>> To:
>> Subject: Add header rule problem
>>
>>
>> Hello,
>> I have been trying to add simple rule.
>> # eset
>> header ESET_SP X-Eset-AntiSpam =~ /^SPAM/
>> describe ESET_SP Marked by Eset
>> score ESET_SP 0.1
>
>
> Looks ok what does lint say?
> When you run spamassassin on that message with debug, what does it day?
> Also, don't do both at the same time.
>
>
> --
> Michael Scheidell, CTO
>>|SECNAP Network Security
> Winner 2008 Network Products Guide Hot Companies
> FreeBSD SpamAssassin Ports maintainer
>
> __________________________________________________ _______________________
> This email has been scanned and certified safe by SpammerTrap(r).
> For Information please see http://www.spammertrap.com
> __________________________________________________ _______________________
>
>

--
View this message in context: http://www.nabble.com/Add-header-rul...p18940151.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

mezcal wrote:
> Hello,
> I have been trying to add simple rule.
> # eset
> header ESET_SP X-Eset-AntiSpam =~ /^SPAM/
> describe ESET_SP Marked by Eset
> score ESET_SP 0.1
>
> It s the header: X-Eset-AntiSpam: SPAM;95;calc;2008-08-11
> 15:13:18;0808111513189668;B18F
>
Quick suggestion to try:

X-Eset-AntiSpam =~ /^\s*SPAM/


This will match any excessive whitespace before the word "SPAM".

If that doesn't work, you might want to try a much simpler rule that
will be a sure-fire match:

header ESET_SP X-Eset-AntiSpam =~ /SPAM/
describe ESET_SP Marked by Eset
score ESET_SP 0.1

header ESET_EXISTS X-Eset-AntiSpam =~ /^SPAM/
describe ESET_EXISTS Seen by Eset
score ESET_EXISTS 0.1

Those will help you test to make sure SA even sees the X-Eset-AntiSpam header at all.


As always, be sure to run a spamassassin --lint, to make sure it says nothing, and if you're using spamd (or an API level tool like MailScanner) be sure to restart it. (or do your tests using spamassassin on the command line, which will read the whole config without using spamd at all)

Hello,
thanks for your sugesstions.
spamassassin works in commad line so I think it isn`t syntax problem of the
config file. I restarted server. I updated SpamAssassin to verison 3.2.4.
The spamd doesn`t work. I`m not spamassassin specialist. Maybe it`s a bug.


Matt Kettler-3 wrote:
>
> mezcal wrote:
>> Hello,
>> I have been trying to add simple rule.
>> # eset
>> header ESET_SP X-Eset-AntiSpam =~ /^SPAM/
>> describe ESET_SP Marked by Eset
>> score ESET_SP 0.1
>>
>> It s the header: X-Eset-AntiSpam: SPAM;95;calc;2008-08-11
>> 15:13:18;0808111513189668;B18F
>>
> Quick suggestion to try:
>
> X-Eset-AntiSpam =~ /^\s*SPAM/
>
>
> This will match any excessive whitespace before the word "SPAM".
>
> If that doesn't work, you might want to try a much simpler rule that
> will be a sure-fire match:
>
> header ESET_SP X-Eset-AntiSpam =~ /SPAM/
> describe ESET_SP Marked by Eset
> score ESET_SP 0.1
>
> header ESET_EXISTS X-Eset-AntiSpam =~ /^SPAM/
> describe ESET_EXISTS Seen by Eset
> score ESET_EXISTS 0.1
>
> Those will help you test to make sure SA even sees the X-Eset-AntiSpam
> header at all.
>
>
> As always, be sure to run a spamassassin --lint, to make sure it says
> nothing, and if you're using spamd (or an API level tool like MailScanner)
> be sure to restart it. (or do your tests using spamassassin on the command
> line, which will read the whole config without using spamd at all)
>
>
>
>
>
>
>
>

--
View this message in context: http://www.nabble.com/Add-header-rul...p18958663.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

mezcal wrote:
> Hello,
> thanks for your sugesstions.
> spamassassin works in commad line so I think it isn`t syntax problem of the
> config file. I restarted server. I updated SpamAssassin to verison 3.2.4.
> The spamd doesn`t work. I`m not spamassassin specialist. Maybe it`s a bug.
>

Well, if "spamassassin" works on the command line, have you tried spamc
on the command line? That will test if spamd is doing the right thing or
not.

In general, what's your setup for calling SA when mail is delivered?

It s my mistake. :blush:

It was caused by my spam delivery setup. I thought that nod32 was first and
spamfilter was second.
The spamfilter tested emails which were not tagged by nod32.

Thanks for all.


Matt Kettler-3 wrote:
>
> mezcal wrote:
>> Hello,
>> thanks for your sugesstions.
>> spamassassin works in commad line so I think it isn`t syntax problem of
>> the
>> config file. I restarted server. I updated SpamAssassin to verison
>> 3.2.4.
>> The spamd doesn`t work. I`m not spamassassin specialist. Maybe it`s a
>> bug.
>>
>
> Well, if "spamassassin" works on the command line, have you tried spamc
> on the command line? That will test if spamd is doing the right thing or
> not.
>
> In general, what's your setup for calling SA when mail is delivered?
>
>
>

--
View this message in context: http://www.nabble.com/Add-header-rul...p18963506.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.