Jean-Paul Natola wrote:
> Hi all,
>
> I still consider myself a newbie in the SA world, so bear with me if this
> seems like an ignorant question;
>
> Here's a little background on the setup, FreeBSD 5.4 Exim and SA
>
> I use this box simply to filter the mail and hand it off to my mailserver
>
> (no local users/accounts/boxes)
>
> I have this rule that resides in
>
> /usr/local/etc/mail/Spamassassin directory
>
> The rule is called
>
> Local_jp.cf
>
> body L_DRUGS11 /([CVAXP] ){5}/
> header L_DRUGS12 MESSAGEID =~/^<[EMAIL PROTECTED]
> meta L_DRUGS1 L_DRUGS11 && L_DRUGS12
> score L_DRUGS1 5
> describe L_DRUGS1 Strange Message-ID and Spam signature in body.
>
> I received an email today with this in the header
> 1.0 L_DRUGS12 L_DRUGS12
>
> I'm thinking this rule is NOT where it is supposed to be, or it isn't written
> correctly?

If you don't want the sub-parts of the meta rule to show up with their own scores you must name them starting with a double underscore (__).

Otherwise SA will treat each as an independent rule, and give it the default score of 1.0.

This was done quite intentionally, as it allows meta rules to make use of scored rules, as well as unscored rules in any combination you want.

For example, DIGEST_MULTIPLE makes use of scored rules. Each rule it references is worth having its own score, and DIGEST_MULTIPLE gives "bonus points" if more than one digest based test fires off.

meta DIGEST_MULTIPLE RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1

Whereas MANY_EXCLAMATIONS consists of two rules that aren't worth scoring on their own:

meta MANY_EXCLAMATIONS (!__ISO_2022_JP_DELIM && __MANY_EXCLS)

Also, a speed tweak recommendation. Unless you're using backreferences (if you don't know what \1 does, you aren't) then use (?: ) instead of ( ). Backreferences are somewhat expensive to create, and if they're unused it's a complete waste of time.

So try this instead:

body __L_DRUGS11 /(?:[CVAXP] ){5}/
header __L_DRUGS12 MESSAGEID =~/^<[EMAIL PROTECTED]
meta L_DRUGS1 __L_DRUGS11 && __L_DRUGS12
score L_DRUGS1 5
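
Added example, not part of the original thread and not SpamAssassin's own code: a small Python lint that reads a local .cf file and reports the two problems discussed above, sub-rules of a meta that would hit on their own at the default 1.0, and capturing groups with no backreference. The function name lint, the sample text and the placeholder Message-ID pattern are assumptions (the real pattern is redacted in the thread).

```python
import re

# Constructed sample mirroring the rule file in the question. The Message-ID
# pattern is a placeholder because the original is redacted on the page.
SAMPLE_CF = r"""
body     L_DRUGS11  /([CVAXP] ){5}/
header   L_DRUGS12  MESSAGEID =~ /^<PLACEHOLDER/
meta     L_DRUGS1   L_DRUGS11 && L_DRUGS12
score    L_DRUGS1   5
describe L_DRUGS1   Strange Message-ID and Spam signature in body.
"""

RULE_TYPES = {"body", "rawbody", "full", "uri", "header", "meta"}
CAPTURE = re.compile(r"(?<!\\)\((?!\?)")  # "(" that is neither escaped nor "(?"
BACKREF = re.compile(r"\\[1-9]")          # \1 .. \9

def lint(cf_text):
    """Return a list of (rule_name, message) findings for one rule file."""
    rules, scored, findings = {}, set(), []
    for line in cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        if kind in RULE_TYPES:
            rules[name] = (kind, rest)
        elif kind == "score":
            scored.add(name)
    for name, (kind, rest) in rules.items():
        if kind == "meta":
            # Sub-rules defined in this file, with no "__" prefix and no score line
            for sub in re.findall(r"[A-Za-z_]\w*", rest):
                if sub in rules and not sub.startswith("__") and sub not in scored:
                    findings.append((sub, f"used by meta {name}, no __ prefix and "
                                          "no score line: hits alone at default 1.0"))
        elif CAPTURE.search(rest) and not BACKREF.search(rest):
            # Heuristic: does not special-case "(" inside a character class
            findings.append((name, "capturing group, no backreference: use (?: )"))
    return findings

if __name__ == "__main__":
    for rule, msg in lint(SAMPLE_CF):
        print(f"{rule}: {msg}")
```

Sub-rules that carry an explicit score line, as the DIGEST_MULTIPLE components do, are not reported, since scoring them on their own is deliberate.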