Great! Using your example and the website I'm able to understand this much better. My idea is to start small and make sure it works.
So I simply added this:

header L_FROM Received =~ /server24/
score L_FROM -1.0

If the received line contains server24 then score it as -1.0. I know this is easy to fib, but like I said, it's just for testing :)

I go ahead and look at the headers and see the following:

Microsoft Mail Internet Headers Version 2.0
Received: from server24.ctg.com (unknown [192.168.50.11])
	by spamfilter.lastar.com (Postfix) with ESMTP id 9EACAEFCC1
	for <[EMAIL PROTECTED]>; Fri, 31 Dec 2004 16:09:23 -0500 (EST)

The originating server is server24, then it hits "spamfilter". As you can see "server24" is contained in that string. But looking below, I see spam_scan is scored as 0.28.

Dec 31 16:09:24 spamfilter amavis[8276]: (08276-02) spam_scan: hits=0.28 tests=ALL_TRUSTED,AWL,HTML_90_100,HTML_MESSAGE,HTML_SHORT_COMMENT

I looked at the headers and I don't see the X-Spam-* headers at all (I set it to -999), so I'm not sure why amavisd-new didn't add the headers.

> -----Original Message-----
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 31, 2004 3:07 PM
> To: users@spamassassin.apache.org
> Subject: RE: Training SA with postfix
>
> At 02:45 PM 12/31/2004, Jason Gauthier wrote:
> >Thanks for the tip. Due to my "newbie-ness" with these products I'm a
> >little uncertain where to start. Amavis seems to build many rules, and
> >interface with SA where it actually has options in it.
> >
> >Would I build this rule within amavis or SA?
>
> I'd do the rule as a SA rule, since it's SA's autolearner you
> want to affect.
>
> >And of course, could you (or someone) point me to some documentation or
> >example?
>
> http://wiki.apache.org/spamassassin/WritingRules
>
> So for this header:
>
> Received: from mattk-801-567.evi-inc.com (mattk-801-567.evitechnology.com [10.0.6.249])
>         by xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id iBV0gIZP031926
>
> Assuming my "internal machines" are 10.0.6.0/24, and all RDNS to
> evitechnology.com names, I might write:
>
> header L_OUTBOUND_MAIL Received =~ /from .{1,60}\.evitechnology.com \[10\.0\.6\.\d{1,3}\]\).{0,10}by xanadu\.evi\-inc\.com .{1,50} with ESMTP id/s
> score L_OUTBOUND_MAIL -1.0
>
> Other, less specific variants:
> header L_OUTBOUND_MAIL0 Received =~ /from .{1,60}\.evitechnology.com \[10\.0\.6\.\d{1,3}\]\).{0,10}by xanadu\.evi\-inc\.com/s
> score L_OUTBOUND_MAIL0 -1.0
>
> Caution: these last two are easily forged:
>
> header L_OUTBOUND_MAIL2 Received =~ /from .{1,60}\.evitechnology.com \[10\.0\.6\.\d{1,3}\]\)/
> score L_OUTBOUND_MAIL2 -1.0
>
> header L_OUTBOUND_MAIL3 Received =~ /from .{1,60}\.evitechnology.com/
> score L_OUTBOUND_MAIL3 -1.0
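
Added example, not part of the original thread: a Python check of the rules quoted above against the internal header from the thread and against a constructed external message, to see which rules fire on text the sender controls. Assumptions of this example: the host mx.example.net and the CONSTRUCTED ids are made up, all Received headers are matched as one newline-joined string, and Python's re stands in for Perl's regex engine (/s becomes re.DOTALL).

```python
import re

# Rules copied from the thread; flags mirror the Perl modifiers (/s -> re.S).
OUT = r"from .{1,60}\.evitechnology.com \[10\.0\.6\.\d{1,3}\]\)"
BY = r".{0,10}by xanadu\.evi\-inc\.com"
RULES = {
    "L_FROM": (r"server24", 0),
    "L_OUTBOUND_MAIL": (OUT + BY + r" .{1,50} with ESMTP id", re.S),
    "L_OUTBOUND_MAIL0": (OUT + BY, re.S),
    "L_OUTBOUND_MAIL2": (OUT, 0),
    "L_OUTBOUND_MAIL3": (r"from .{1,60}\.evitechnology.com", 0),
}

# The internal hop quoted in the thread.
GENUINE = [
    "from mattk-801-567.evi-inc.com (mattk-801-567.evitechnology.com [10.0.6.249])\n"
    "\tby xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id iBV0gIZP031926",
]

# Constructed sample: mail arriving from outside. Only the first header was
# written by our own relay; the second came with the message, so its
# contents are whatever the sender chose to put there.
EXTERNAL = [
    "from mx.example.net (mx.example.net [203.0.113.9])\n"
    "\tby xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id CONSTRUCTED01",
    "from pc7.evitechnology.com (pc7.evitechnology.com [10.0.6.7])\n"
    "\tby mx.example.net with SMTP id CONSTRUCTED02",
]


def rules_hit(received):
    """Return the names of the rules that fire on a list of Received headers."""
    # Assumption: the headers are tested as one newline-joined string.
    text = "\n".join(received)
    return [name for name, (pattern, flags) in RULES.items()
            if re.search(pattern, text, flags)]


if __name__ == "__main__":
    for label, headers in (("genuine", GENUINE), ("external", EXTERNAL)):
        print(label, rules_hit(headers))
```

The rules that also require the "by xanadu.evi-inc.com" part stay silent on the external sample because the internal-looking text is not adjacent to the hop the local relay recorded.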