On Sep 8, 2014, at 4:09 PM, Karsten Bräckelmann <guent...@rudersport.de> wrote:

> Pulled the sample from pastebin and fed to spamassassin -D with your
> custom rule added as additional configuration. That rule hits.

It does not hit on mine, and I think I've figured out why.  I'm using SA 3.3.2 
with perl 5.8.8 on CentOS 5.10.  Yes, I know I should be using 3.4, but I 
haven't yet had a chance to try the RPM that a couple of people have built.  
Nonetheless, with SA 3.3.2, it appears that the URI engine doesn't like the 
.club TLD.  See below.

> Did you grep the -D debug output for the hostname? Also try grepping for
> URIHOSTS (SA 3.4, without -L local only mode), which lists all hostnames
> found in the message.

Since I'm not running 3.4, this particular grep doesn't work for me, but with 
John Hardin's advice I set up the following rule, which should catch all URIs:

  uri     ALL_URI   /.*/
  tflags  ALL_URI   multiple

Debug output shows the following:

Sep  8 20:02:58.896 [9267] dbg: rules: ran uri rule AC_ALL_URI ======> got hit: "http://iMotors.com"
Sep  8 20:02:58.897 [9267] dbg: rules: ran uri rule AC_ALL_URI ======> got hit: "negative match"
Sep  8 20:02:58.897 [9267] dbg: rules: ran uri rule AC_ALL_URI ======> got hit: "mailto:u...@domain.com"
Sep  8 20:02:58.897 [9267] dbg: rules: ran uri rule AC_ALL_URI ======> got hit: "negative match"
Sep  8 20:02:58.897 [9267] dbg: rules: ran uri rule AC_ALL_URI ======> got hit: "u...@domain.com"
Sep  8 20:02:58.897 [9267] dbg: rules: ran uri rule AC_ALL_URI ======> got hit: "negative match"

So, for some reason, the URI engine is not picking out these .club URIs, it's 
getting "negative match."  Is it because the engine in 3.3.2 doesn't like that 
TLD?  To test this, I manually changed the TLD of the second spam URI 
(out.blah) to .us or .org, and then the engine picked it out just fine:

Sep  8 20:03:43.151 [9197] dbg: rules: ran uri rule AC_ALL_URI ======> got hit: "http://out.dosearchcarsonsale.us"
Sep  8 20:04:35.578 [9227] dbg: rules: ran uri rule AC_ALL_URI ======> got hit: "http://out.dosearchcarsonsale.org"

So, it seems to me that the URI engine is barfing on the TLD, and that's the 
problem...

> The URI is at the very end of a line with a CRLF delimiter following and
> the next line beginning with a word character. If you inject a space
> after the URI, does that make the rule match?

Nope.  However, if I manually change the URI to a .us or .org, for example, 
then it DOES hit.  Per above, I think the TLD is the issue.

> Also I noticed the headers are CRLF delimited, too. How did you get that
> sample? Any chance it has been modified or re-formatted by a text editor
> and does not equal the raw, original message?

The spample was from Apple Mail using "view raw source," and copy/pasted into 
pastebin.

> Does the pastebin uploaded file still not trigger the rule for you?

Nope, it does not.  Per above, it seems that SA 3.3.2 doesn't like the TLD.

Is there a patch I can apply that would fix this, until I can upgrade to 3.4?

Thanks.

--- Amir
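Added example, not part of this thread and not SpamAssassin's own code: a small model of a URI extractor whose hits are gated by a built-in TLD allow-list, which is the behaviour Amir's debug output suggests (a candidate is found, then reported as "negative match" because its TLD is unknown). The TLD list, the function names (extract_uris, tld_swap_test) and the CRLF-delimited sample body are all constructed for illustration; the .club hostname is reconstructed from the .us/.org debug lines above. Whether SA 3.3.2 really works this way is not confirmed by the thread; the code only reproduces the hypothesis so the effect of the manual TLD swap, and of adding the missing TLD to the list, can be seen side by side.

```python
import re

# Constructed: the kind of built-in TLD allow-list an older URI extractor
# carries. It deliberately lacks "club" (a gTLD delegated in 2014), which
# models the thread's hypothesis about SA 3.3.2. Not SpamAssassin's real list.
OLD_TLDS = frozenset({"com", "net", "org", "us", "info", "biz", "edu", "gov"})

# The same list once the missing TLD is added (hypothetical operator fix).
UPDATED_TLDS = OLD_TLDS | {"club"}

# Candidate URI: optional scheme, dotted hostname, optional path. The
# trailing negative lookahead stops a hostname from ending mid-label, and
# CR/LF count as whitespace, so a URI at the very end of a CRLF line still
# terminates cleanly even when the next line starts with a word character.
CANDIDATE = re.compile(
    r"(?:https?://)?"
    r"(?P<host>(?:[A-Za-z0-9-]+\.)+(?P<tld>[A-Za-z]{2,}))"
    r"(?:/[^\s\"'<>]*)?"
    r"(?![A-Za-z0-9.-])"
)


def extract_uris(text, tlds):
    """Split candidate URIs into (hits, negatives) by TLD membership.

    A candidate whose TLD is not in `tlds` is kept out of the hits, which is
    the 'negative match' the debug output above reports. Returning the
    negatives separately makes the miss visible instead of silent.
    """
    hits, negatives = [], []
    for m in CANDIDATE.finditer(text):
        if m.group("tld").lower() in tlds:
            hits.append(m.group(0))
        else:
            negatives.append(m.group(0))
    return hits, negatives


def tld_swap_test(text, uri_tld, replacement, tlds):
    """Re-run extraction after rewriting one TLD in the body, mirroring the
    manual .club -> .us / .org experiment described in the message above."""
    return extract_uris(text.replace("." + uri_tld, "." + replacement), tlds)


# Constructed body, CRLF-delimited like the pastebin sample, with the spam
# URI at the very end of a line and a word character starting the next line.
SAMPLE = (
    "Visit http://iMotors.com for details\r\n"
    "http://out.dosearchcarsonsale.club\r\n"
    "Next line starts with a word character\r\n"
)

if __name__ == "__main__":
    for label, tlds in (("old list", OLD_TLDS), ("with club", UPDATED_TLDS)):
        hits, negatives = extract_uris(SAMPLE, tlds)
        print(f"{label}: hits={hits} negatives={negatives}")
    print("swap .club->.us:", tld_swap_test(SAMPLE, "club", "us", OLD_TLDS))
```

Running it shows the .club URI landing in the negatives with the old list, becoming a hit as soon as the TLD is rewritten to .us (without touching the list), and also becoming a hit with the original .club once "club" is in the list. That is the two-sided check worth doing before blaming line endings: if a TLD swap alone flips the result, the list is the variable, not the CRLF.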
