spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kris Deugau <>
Subject Re: ING Direct mail FPing on TVD_ rules - also TO_EQ_FROM root subrules
Date Wed, 28 Apr 2010 20:47:08 GMT
Michael Scheidell wrote:
> On 4/28/10 3:13 PM, Kris Deugau wrote:
>>  0.0 TO_EQ_FM_HTML_ONLY     To == From and HTML only
>>  0.0 TO_EQ_FM_DIRECT_MX     To == From and direct-to-MX
>>  1.7 TO_EQ_FM_HTML_DIRECT   To == From and HTML only, direct-to-MX 
> so.  its also obviously bulk email.

I don't know how these rules positively identify a message as "bulk". 
Taking them at face value, they certainly represent "not following 

<checking>  Hmm.  I'm not even sure how they fired; the From and To are 
bare email addresses, and most certainly do NOT match.  Those rules also 
seem to be relatively recent (within ~1 month), since my 
workstation/test system didn't have them until I ran sa-update.  Our 
live systems get updated much more frequently (SOUGHT rules daily, 
others usually as I roll out updates for local rules).

I don't see anything obviously wrong with the root From == To meta subrules:

header         __TO_EQ_FROM_1       ALL =~ 
header         __TO_EQ_FROM_2       ALL =~ 

but they (_1 in this case) still match on:


....   sometimes.  Eeep.  I tried a minimal hand-created test message, 
with a Received header, and those two lines above;  it didn't match.  I 
copy-pasted the customer's address, and it matched.  I replaced the 
domain, and it still matched.  I replace the username, and it failed to 
match.  There's nothing funky in a hex dump of the original header.

I really hope I can get permission from the customer to at least pass 
the original on to one of the SA devs;  copy-pasting the headers into an 
empty file, and slowly removing one at a time caused some very *odd* 
changes in behaviour.  For instance, removing the original Subject: line 
(or altering it in certain ways) apparently controlled whether the 
relevant subrule above matched or not, no matter *what* was in the To or 
 From (mostly).

I managed to reduce it to a suitably-anonymized example:

I've tried that test message on four different SA3.3.1 systems (Centos 4 
and 5, 32bit, local RPM;  Centos 5 64-bit, local RPM;  Debian lenny 
64-bit, local scripted source install) and all four hit 
TO_EQ_FM_DIRECT_MX (implying one or the other of __TO_EQ_FROM_1 or 
__TO_EQ_FROM_2 hit).  As you can plainly see, To does *not* equal From 
on that message...

> if img direct wants to be stupid about the emails they send, let them be 
> blocked, or whitelist them.
> (or they can pay return path for more credit points.. as long as their 
> bulk email is double opt in)

Actually, it appeared to be a specific reminder to that specific 
customer (certainly something likely to be sent in bulk in the sense 
that they'll send quite a few of them, but not "bulk" in sense you seem 
to mean).


View raw message