Re: Debugging rule help

[Kevin A. McGrail]

I checked in basic and I didn't get very far just looking at the first rule using your pastebin example.  It didn't appear to hit your rules. Might be something lost via pastebin but it's late and I'm tired so could be my mistake as well. However, spamassassin -t -D < /tmp/2.mbox 2>&1 | grep __RB_GT showed nothing. So you might want to look at 3.4.0 from SVN and look at using these rules:         body            __KAM_BODY_LENGTH_LT_128        eval:check_body_length('128')         describe        __KAM_BODY_LENGTH_LT_128        The length of the body of the email is less than 128 bytes.         body            __KAM_BODY_LENGTH_LT_256        eval:check_body_length('256')         describe        __KAM_BODY_LENGTH_LT_256        The length of the body of the email is less than 256 bytes.         body            __KAM_BODY_LENGTH_LT_512        eval:check_body_length('512')         describe        __KAM_BODY_LENGTH_LT_512        The length of the body of the email is less than 512 bytes.         body            __KAM_BODY_LENGTH_LT_1024       eval:check_body_length('1024')         describe        __KAM_BODY_LENGTH_LT_1024       The length of the body of the email is less than 1024 bytes. Otherwise your rules below seem to build on rules I don't have perhaps? Regards, KAM On 1/10/2014 7:55 PM, Alex wrote: HI, I have an FP that has hit on a few rules, but one of them was a rule for short URLs, but I can't figure out which one it's hitting. How can I have it show me which pattern triggered a specific rule? It seems some rules already show this, for example: Jan 10 19:38:29.919 [2393] dbg: rules: ran rawbody rule __BUGGED_IMG ======> got hit: "<img src="" class="moz-txt-link-rfc2396E" href="http://emanage1.com/open.php">"http://emanage1.com/open.php" but my rule doesn't. I've run SA as "spamassassin -t -D < myfp" and below is the rule: body __RB_GT_200 /^.{201}/s meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200 meta __RB_LE_200 !__RB_GT_200 # less or equal IFF not greater mimeheader __MIME_IMAGE Content-Type =~ /^image\/./ mimeheader __MIME_ATTACH Content-Disposition =~ /^attachment/ meta LOC_SHORT ((__BODY_LE_200 && __HAS_HTTP_URI) && (!(__MIME_IMAGE || __MIME_ATTACH || BAYES_00 || USER_IN_WHITELIST || KHOP_RCVD_TRUST))) describe LOC_SHORT Has URI and short body score LOC_SHORT 1.1 The false-positive is here http://pastebin.com/yRbH3fWr Thanks so much, Alex -- Kevin A. McGrail President Peregrine Computer Consultants Corporation 3927 Old Lee Highway, Suite 102-C Fairfax, VA 22030-2422 http://www.pccc.com/ 703-359-9700 x50 / 800-823-8402 (Toll-Free) 703-359-8451 (fax) kmcgr...@pccc.com