Hi,
SpamAssassin 3.4.0-4.el7_5 on CentOS 7, updated from the Base repo.
My regex rules are not always matching spammers from outside. Please help me
understand why this happens sometimes.
All of the emails that were not matched have multipart info in the header:
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_6D4A727D.1A2015BF"

This is a multi-part message in MIME format.

------=_NextPart_000_0012_6D4A727D.1A2015BF
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0013_6D4A727D.1A2015BF"
SpamAssassin rules:
blacklist_from *@example.com*
blacklist_from *@example.com
blacklist_from *@example.com*
blacklist_from *@example.com
blacklist_from *@example.com.pl*
blacklist_from *@example.com.pl
blacklist_from *@example.com.pl*
blacklist_from *@example.com.pl
header BLOKOWANIE_EXAMPLE_COM From =~ /example.com\.pl/i
score BLOKOWANIE_EXAMPLE_COM 100.0
header BLOKOWANIE_EXAMPLE_COM1 From =~ /.*example.com.pl\.*/i
score BLOKOWANIE_EXAMPLE_COM1 100.0
header BLOKOWANIE_EXAMPLE_COM2 From =~ /example\.com/i
score BLOKOWANIE_EXAMPLE_COM2 100.0
header BLOKOWANIE_EXAMPLE_COM3 From =~ /.*example\.com\.pl.*/i
score BLOKOWANIE_EXAMPLE_COM3 100.0
01 Not matching rules
-----------------------------------------------------------------------
Return-Path: <>
X-Original-To: mail...@srv01.example.com.pl
Delivered-To: mail...@srv01.example.com.pl
Received: from localhost (localhost [127.0.0.1])
by srv01.example.com.pl (Postfix) with ESMTP id 01E8A400748ED
for <mail...@srv01.example.com.pl>; Tue, 12 Mar 2019 09:34:57 +0100 (CET)
X-Envelope-From: <glo...@koreaunicom.co.kr>
X-Envelope-To: <marketin...@example.com>
X-Envelope-To-Blocked: <marketin...@example.com>
X-Quarantine-ID: <OM22wOiFBUgK>
X-Spam-Flag: YES
X-Spam-Score: 23.329
X-Spam-Level: ***********************
X-Spam-Status: Yes, score=23.329 tag=-888 tag2=6 kill=6 tests=[AM.WBL=1.6,
BAYES_999=0.2, BAYES_99=7, DATE_IN_FUTURE_06_12=4.897,
FREEMAIL_FORGED_REPLYTO=2.095, HTML_MESSAGE=0.001,
RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793, SPF_HELO_SOFTFAIL=0.732,
SPF_SOFTFAIL=6, T_ISO_ATTACH=0.01] autolearn=no autolearn_force=no
Received: from srv01.example.com.pl ([127.0.0.1])
by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id OM22wOiFBUgK for <marketin...@example.com>;
Tue, 12 Mar 2019 09:34:53 +0100 (CET)
Received: from koreaunicom.co.kr (unknown [178.128.125.68])
by srv01.example.com.pl (Postfix) with ESMTP id 7BDC44011BBB0
for <marketin...@example.com>; Tue, 12 Mar 2019 09:34:50 +0100 (CET)
Reply-To: misain.nc...@gmail.com
From: ko...@example.com.pl, u...@example.com.pl, c...@example.com.pl,
"Co."@example.com.pl, Ltd. <glo...@koreaunicom.co.kr>
To: marketin...@example.com
Subject: FW: Wrong Transfer Payment - Chk Clip Copy
Date: 12 Mar 2019 08:33:58 -0700
Message-ID: <20190312083358.f138725cb6bf0...@koreaunicom.co.kr>
02 Not matching rules
-----------------------------------------------------------------------
Return-Path: <>
X-Original-To: mail...@srv01.example.com.pl
Delivered-To: mail...@srv01.example.com.pl
Received: from localhost (localhost [127.0.0.1])
by srv01.example.com.pl (Postfix) with ESMTP id 0A4ED40118229
for <mail...@srv01.example.com.pl>; Mon, 11 Mar 2019 19:47:59 +0100 (CET)
X-Envelope-From: <i...@puresmileborehamwood.co.uk>
X-Envelope-To: <aaa....@example.com>
X-Envelope-To-Blocked: <aaa....@example.com>
X-Quarantine-ID: <3gOmOfFwP2Re>
X-Spam-Flag: YES
X-Spam-Score: 8.8
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.8 tag=-888 tag2=6 kill=6 tests=[AM.WBL=1.6,
BAYES_999=0.2, BAYES_99=7] autolearn=no autolearn_force=no
Received: from srv01.example.com.pl ([127.0.0.1])
by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 3gOmOfFwP2Re for <aaa....@example.com>;
Mon, 11 Mar 2019 19:47:57 +0100 (CET)
Received: from 495011.vps-10.com (495011.vps-10.com [212.67.214.132])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by srv01.example.com.pl (Postfix) with ESMTPS id E5672400748E8
for <aaa....@example.com>; Mon, 11 Mar 2019 19:47:56 +0100 (CET)
Received: from [192.10.19.6] (unknown [146.83.109.33])
by 495011.vps-10.com (Postfix) with ESMTPSA id 002DD283695
for <aaa....@example.com>; Mon, 11 Mar 2019 17:45:37 +0000 (GMT)
Date: Mon, 11 Mar 2019 15:42:39 -0400
From: b...@example.com.pl, Martin <i...@puresmileborehamwood.co.uk>
To: aaa....@example.com
Message-Id: <nlhvhaih6v6vebbbipkdqgbhsk8ncjb0mvcygegdtssurgsx...@example.com>
Subject: facture
MIME-Version: 1.0
03 Not matching rules
-----------------------------------------------------------------------
Return-Path: <>
X-Original-To: mail...@srv01.example.com.pl
Delivered-To: mail...@srv01.example.com.pl
Received: from localhost (localhost [127.0.0.1])
by srv01.example.com.pl (Postfix) with ESMTP id 6B27740008232
for <mail...@srv01.example.com.pl>; Wed, 13 Mar 2019 10:21:58 +0100 (CET)
X-Envelope-From: <kha...@premiersintl.com>
X-Envelope-To: <john2.d...@example.com>
X-Envelope-To-Blocked: <john2.d...@example.com>
X-Quarantine-ID: <QE9zm4o-7hou>
X-Spam-Flag: YES
X-Spam-Score: 22.919
X-Spam-Level: **********************
X-Spam-Status: Yes, score=22.919 tag=-888 tag2=6 kill=6
tests=[ADVANCE_FEE_3_NEW=2.967, BAYES_999=0.2, BAYES_99=7,
DATE_IN_FUTURE_06_12=4.897, DEAR_SOMETHING=1.973, FROM_ADDR_WS=2.999,
HTML_MESSAGE=0.001, RDNS_NONE=0.793, SUBJ_ALL_CAPS=1.506,
T_ISO_ATTACH=0.01, URG_BIZ=0.573] autolearn=no autolearn_force=no
Received: from srv01.example.com.pl ([127.0.0.1])
by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id QE9zm4o-7hou for <john2.d...@example.com>;
Wed, 13 Mar 2019 10:21:56 +0100 (CET)
Received: from premiersintl.com (unknown [128.199.215.46])
by srv01.example.com.pl (Postfix) with ESMTP id 4D5E34000823A
for <john2.d...@example.com>; Wed, 13 Mar 2019 10:21:49 +0100 (CET)
From: do...@example.com.pl, Perry|account...@example.com.pl,
mana...@example.com.pl, kha...@premiersintl.com
To: john2.d...@example.com
Subject: BANK TRANSFER COPY/ WIRE
Date: 13 Mar 2019 09:21:46 -0700
Message-ID: <20190313092142.bcf2307693a2c...@premiersintl.com>
MIME-Version: 1.0
04 Not matching rules
------------------------------------------------------------------------
But it matched the simple rules:
blacklist_from *@example.com*
blacklist_from *@example.com
blacklist_from *@example.com*
blacklist_from *@example.com
blacklist_from *@example.com.pl*
blacklist_from *@example.com.pl
blacklist_from *@example.com.pl*
blacklist_from *@example.com.pl
Return-Path: <>
X-Original-To: mail...@srv01.example.com.pl
Delivered-To: mail...@srv01.example.com.pl
Received: from localhost (localhost [127.0.0.1])
by srv01.example.com.pl (Postfix) with ESMTP id A38D540002948
for <mail...@srv01.example.com.pl>; Mon, 11 Mar 2019 19:33:23 +0100 (CET)
X-Envelope-From: <voicemail_sen...@cc-shoretel.example.com.pl>
X-Envelope-To: <john....@example.com>
X-Envelope-To-Blocked: <john....@example.com>
X-Quarantine-ID: <uz_8uQBRiKxN>
X-Spam-Flag: YES
X-Spam-Score: 104.983
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=104.983 tag=-888 tag2=6 kill=6 tests=[BAYES_95=4,
HEADER_FROM_DIFFERENT_DOMAINS=0.001, RDNS_DYNAMIC=0.982,
USER_IN_BLACKLIST=100] autolearn=no autolearn_force=no
Received: from srv01.example.com.pl ([127.0.0.1])
by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id uz_8uQBRiKxN for <john....@example.com>;
Mon, 11 Mar 2019 19:33:22 +0100 (CET)
Received: from CC-ShoreTel.quadra.local (72-24-204-226.cpe.cableone.net
[72.24.204.226])
by srv01.example.com.pl (Postfix) with ESMTP id 29EC4400748EE
for <john....@example.com>; Mon, 11 Mar 2019 19:33:20 +0100 (CET)
Received: from mail pickup service by CC-ShoreTel.quadra.local with Microsoft
SMTPSVC;
Mon, 11 Mar 2019 11:23:38 -0700
thread-index: AdTYN4w7x9VrrKKPQR27vx0vwmcnRA==
Thread-Topic: ShoreTel voice message from Jessica Johnson, 204 for mailbox 145
From: "ShoreWare Voice Mail" <voicemail_sen...@cc-shoretel.example.com.pl>
To: <john....@example.com>
Subject: ShoreTel voice message from Jessica Johnson, 204 for mailbox 145
Date: Mon, 11 Mar 2019 11:23:38 -0700
Keywords:
{"SHORETEL_INFO":"VMSync","DN":"145","ID":"DUI0BUMVM","WAV":true,"GUID":"88f56fab-3461-4a1f-be40-2b8bbb025704"}
Message-ID: <05DF1231CDFF4643B43414C4D9398873@quadra.local>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_003C_01D4D7FC.DFDCFFC0"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.24158
X-OriginalArrivalTime: 11 Mar 2019 18:23:38.0819 (UTC)
FILETIME=[8C3CE930:01D4D837]
###############################
When I try to reproduce the problem myself, the rules match, and the message
goes to spam with my rules mentioned in the header.
Telnet:
220 "EXAMPLE-COM Mail Server"
helo tests
250 srv01.example.com.pl
mail from:<t...@test.pl>
250 2.1.0 Ok
rcpt to:<t...@exapmple.com>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Date: Mon, 11 Mar 2019 15:42:39 -0400
From: b...@example.com.pl, Martin <i...@puresmileborehamwood.co.uk>
To: aaa....@example.com
Message-Id: <nlhvhaih6v6vebbbipkdqgbhsk8ncjb0mvcygegdtssurgsx...@kghm.com>
Subject: facture
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_62714_4267039113.11868653231
007013837"
dd
.
250 2.0.0 Ok: queued as 9D0F440118237