Martin,

Most MTAs should have some filter capabilities. Maybe not all MTAs have the
same powerful and efficient ways to perform such checks as postfix has ;-)
Iirc something like this should work for exim:

acl_smtp_data = check_message
check_message:
  deny message = 'Outscatter detected'
  regex = ^X-Spam-Status:: YES
  accept

But I would expect that check to go over the whole message (same as the
full check in SA) and not be as targeted as a postfix header rule.

Cheers

tobi

On 7/23/21 11:23 AM, Martin Flygenring wrote:
> We don't run Postfix here, but we can probably look for it elsewhere
> in our stack instead.
>
>
> Thanks to everyone that answered :)
>
>
> On 23/07/2021 10.43, Laurent S. wrote:
>> Hi,
>>
>> I know we are on the spamassassin mailing list, but another more radical
>> way to block those is directly in postfix with a header_check before
>> giving it to spamassassin
>>
>> /^X-Spam-Flag: Yes/ REJECT  Outscatter
>> /^X-(Spam|AES)-Category: (SPAM|PHISHING)/ REJECT  Outscatter
>>
>> But as a forewarning, the rare FPs can get quite frustrating if you use
>> this method.
>>
>> Cheers,
>> Laurent
>>
>> On 22.07.21 21:31, RW wrote:
>>> On Thu, 22 Jul 2021 20:09:19 +0300
>>> Henrik K wrote:
>>>
>>>> On Thu, Jul 22, 2021 at 08:06:15PM +0300, Henrik K wrote:
>>>>> On Thu, Jul 22, 2021 at 05:15:54PM +0200, Martin Flygenring wrote:
>>>>>> Is there a limitation to SpamAssassin so it doesn't accept
>>>>>> looking for the two X-Spam-headers, or can you spot why this rule
>>>>>> isn't matching?
>>>>> SA removes all X-Spam-* headers from the message, it's not possible
>>>>> to match on them.
>>>> ... except with a kludgy full rule that matches the whole pristine
>>>> message:
>>>>
>>>> full X_SPAM_FOOBAR /^X-Spam-Foobar: xyz/m
>>> There's no perfect way of doing this. The above has the problem of
>>> going through the whole email, including big attachments. It can also
>>> match falsely inside the body.
>>>
>>> The test can be constrained within the headers, but that causes
>>> problems with the debug capture.
>>>
>>> This version captures a lot too much:
>>>
>>>    full X_SPAM_FOOBAR /^(?:.+\n)*X-Spam-Foobar: xyz/
>>>
>>> This version captures nothing:
>>>
>>>    full X_SPAM_FOOBAR /^(?=(?:.+\n)*X-Spam-Foobar: xyz)/
>>>
>>> I'd go for the latter.
>>>
>>> All of the above is untested.
>>>
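
An added illustration, not part of any poster's message: the three `full` rule regexes quoted above, run with Python's `re` module over two constructed messages to show where each one matches and what it captures. It assumes LF line endings and that Python and Perl treat these constructs identically; the sample headers and the `evaluate` helper are made up for the demonstration.

```python
import re

# The three patterns from the thread, transcribed for Python's re module.
# Assumption: LF line endings, as in the constructed samples below.
RULES = {
    # /^X-Spam-Foobar: xyz/m  -> ^ matches at the start of ANY line
    "multiline": re.compile(r"^X-Spam-Foobar: xyz", re.M),
    # no /m: ^ is start of message; (?:.+\n)* eats non-empty lines only,
    # so it cannot cross the blank line that ends the header block
    "consuming": re.compile(r"^(?:.+\n)*X-Spam-Foobar: xyz"),
    # same constraint, but inside a lookahead: zero-width match
    "lookahead": re.compile(r"^(?=(?:.+\n)*X-Spam-Foobar: xyz)"),
}

# Constructed sample: the header really is in the header block.
HEADER_HIT = (
    "Received: from mx.example.org\n"
    "X-Spam-Foobar: xyz\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

# Constructed sample: the string only appears as a line in the body.
BODY_ONLY = (
    "Received: from mx.example.org\n"
    "Subject: Re: your filter\n"
    "\n"
    "The header you asked about looks like this:\n"
    "X-Spam-Foobar: xyz\n"
)


def evaluate(message):
    """Return {rule name: matched text, or None if the rule did not fire}."""
    results = {}
    for name, pattern in RULES.items():
        match = pattern.search(message)
        results[name] = match.group(0) if match else None
    return results


if __name__ == "__main__":
    for label, msg in (("header hit", HEADER_HIT), ("body only", BODY_ONLY)):
        print(label)
        for name, captured in evaluate(msg).items():
            print(f"  {name:10} -> {captured!r}")
```

The multiline form fires on both messages, the two anchored forms only on the first; the consuming form's match text includes every header line ahead of the target, while the lookahead form matches an empty string.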
