On 8/15/2014 3:05 PM, Alex wrote:
Hi,

>> AXB_X_FF_SEZ_S is a rule that fires when the X-Forefront-Antispam-Report header is found. I have a sample which has this header, yet the rule doesn't fire, and wondered if someone could help me figure out why:
>>
>> http://pastebin.com/vRQXxgJH
>>
>> I'm using spamassassin-3.4, and I tested it on another spam (from the quarantine, where it had already fired) and it was triggered there just fine.
>>
>> ##{ AXB_X_FF_SEZ_S
>> header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /^SFV\:SPM/
>> describe        AXB_X_FF_SEZ_S          Forefront sez this is spam
>> ##} AXB_X_FF_SEZ_S
>> ##{ AXB_X_FF_SEZ_S if (version >= 3.004000)
>> if (version >= 3.004000)
>> tflags          AXB_X_FF_SEZ_S  autolearn_force
>> endif
>> ##} AXB_X_FF_SEZ_S if (version >= 3.004000)
>>
>> This is also one of those short-body URI spams, so I hoped it would have been caught just based on that, so ideas on what else is missing would also be appreciated...
>
>
> Works for me.  I added your rule and tested it against your sample...
>
>         *  1.0 AXB_X_FF_SEZ_S Forefront sez this is spam
>
> Are you sure you put the rule in the right place and reloaded spamd?

Thanks for checking for me. This is even when running spamassassin -t directly.

Hmm.. I'm looking at it more closely, and even the rule as it appears above, and it has no score.

What file is the score supposed to be in, 72_scores.cf? My 72_scores.cf is dated Jul 28th.

# ls -l 72_scores.cf
-rw-r--r-- 1 root root 8174 Jul 28 04:49 72_scores.cf
# md5sum 72_scores.cf
9f82b967a373e44a373c3be30ad21e23 72_scores.cf

This isn't one of the stock rules, so it shouldn't be in that file (or directory). The files there (/var/lib/spamassassin/3.004000/ on my system) are stock rules and any manual changes will be squashed by sa_update.

Custom rules (and their scores) should go in local.cf (or another *.cf file) in your local rules directory (/etc/mail/spamassassin/ on my system).

Rules with no score assigned are automatically scored at 1.0.

--
Bowie
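
Added example (not part of the thread and not SpamAssassin project code): a shell check that reports whether a rule is defined in the local rules directory or only in the sa-update directory, and which score applies. The function names are hypothetical; it assumes the `*.cf` files sit directly in the directories passed in and that a later `score` line, or one in the local directory, overrides an earlier one.

```shell
#!/bin/sh
# Usage: script RULE [LOCAL_DIR] [UPDATE_DIR]
# Directory defaults are the paths named in the thread.

# rule_files RULE DIR: list the *.cf files in DIR that define RULE.
rule_files() {
    grep -lE "^[[:space:]]*(header|body|rawbody|uri|full|meta)[[:space:]]+${1}[[:space:]]" \
        "$2"/*.cf 2>/dev/null
}

# score_of RULE DIR: print the last explicit "score RULE n" found in DIR, if any.
score_of() {
    cat "$2"/*.cf 2>/dev/null |
        awk -v r="$1" '$1 == "score" && $2 == r { s = $3 } END { if (s != "") print s }'
}

# check_rule RULE LOCAL_DIR UPDATE_DIR
# Prints "<local|update> <score> <explicit|default>", or "missing" (status 1).
check_rule() {
    rule=$1; local_dir=$2; update_dir=$3
    if [ -n "$(rule_files "$rule" "$local_dir")" ]; then
        where=local
    elif [ -n "$(rule_files "$rule" "$update_dir")" ]; then
        where=update    # this copy is replaced on the next sa-update run
    else
        echo "missing"
        return 1
    fi
    # Assumption: a score in the local directory takes precedence.
    score=$(score_of "$rule" "$local_dir")
    [ -n "$score" ] || score=$(score_of "$rule" "$update_dir")
    if [ -n "$score" ]; then
        echo "$where $score explicit"
    else
        echo "$where 1.0 default"   # unscored rules get 1.0, as stated in the thread
    fi
}

if [ "$#" -gt 0 ]; then
    check_rule "$1" "${2:-/etc/mail/spamassassin}" "${3:-/var/lib/spamassassin/3.004000}"
fi
```

A result of `update ...` means the definition lives only where sa-update will overwrite it; `missing` means no `*.cf` file in either directory defines the rule.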
