Mailing List Archive: SpamAssassin: users

typo in 20_vbounce.cf?

Index | Next | Previous | View Threaded

rmueller at thinxsolutions

May 6, 2008, 3:01 PM

Post #1 of 11 (205 views)
Permalink

typo in 20_vbounce.cf?

Hi all,
as I'm facing raising amount of bounces on my mailserver in the last 2
months, I tried to use the vbounce ruleset to identify the ones caused
by UBE faking the sender address.
This was generally successful, but surprisingly there are a lot of
UBE-bounces which are not recognized by vbounce.
After digging a little bit into this (I'm not a SA-expert), it showed
that the body-rule " __HAVE_BOUNCE_RELAYS" is giving a "1", but often no
header rule "__BOUNCE*" seems to give a hit.
One of the most likely rules to be IMHO true is the
"__BOUNCE_FROM_DAEMON" one, but this one nearly never gives a hit.
Looking at the regexp in this line, the "+" after the \S seems not to be
correct from my point of view, I would suggest a "*" here, as it is in
"__BOUNCE_RPATH_MD".
So for testing purposes I modified the line
old:
header __BOUNCE_FROM_DAEMON From =~
/(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i

to new:
header __BOUNCE_FROM_DAEMON From =~
/(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|<>)/i

and now, also the bounces formerly not recognized are correctly identified.
Can someone confirm that this is a "typo"? Or have I misunderstood
something?

THX,
Robert

jm at jmason

May 6, 2008, 3:10 PM

Post #2 of 11 (198 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

=?ISO-8859-15?Q?Robert_M=FCller?= writes:
> Hi all,
> as I'm facing raising amount of bounces on my mailserver in the last 2
> months, I tried to use the vbounce ruleset to identify the ones caused
> by UBE faking the sender address.
> This was generally successful, but surprisingly there are a lot of
> UBE-bounces which are not recognized by vbounce.
> After digging a little bit into this (I'm not a SA-expert), it showed
> that the body-rule " __HAVE_BOUNCE_RELAYS" is giving a "1", but often no
> header rule "__BOUNCE*" seems to give a hit.
> One of the most likely rules to be IMHO true is the
> "__BOUNCE_FROM_DAEMON" one, but this one nearly never gives a hit.
> Looking at the regexp in this line, the "+" after the \S seems not to be
> correct from my point of view, I would suggest a "*" here, as it is in
> "__BOUNCE_RPATH_MD".
> So for testing purposes I modified the line
> old:
> header __BOUNCE_FROM_DAEMON From =~
> /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i
>
> to new:
> header __BOUNCE_FROM_DAEMON From =~
> /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|<>)/i
>
> and now, also the bounces formerly not recognized are correctly identified.
> Can someone confirm that this is a "typo"? Or have I misunderstood
> something?

yep, you're quite right -- thanks!

--j.

rmueller at thinxsolutions

May 7, 2008, 1:12 AM

Post #3 of 11 (191 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

Fine - thanks for the quick reply. I assume there's no need for a bug
report regarding this issue, correct?
So I'll do nothing more but waiting for the fix via sa-update :-)

Robert

Justin Mason schrieb:
> =?ISO-8859-15?Q?Robert_M=FCller?= writes:
>
>> Hi all,
>> as I'm facing raising amount of bounces on my mailserver in the last 2
>> months, I tried to use the vbounce ruleset to identify the ones caused
>> by UBE faking the sender address.
>> This was generally successful, but surprisingly there are a lot of
>> UBE-bounces which are not recognized by vbounce.
>> After digging a little bit into this (I'm not a SA-expert), it showed
>> that the body-rule " __HAVE_BOUNCE_RELAYS" is giving a "1", but often no
>> header rule "__BOUNCE*" seems to give a hit.
>> One of the most likely rules to be IMHO true is the
>> "__BOUNCE_FROM_DAEMON" one, but this one nearly never gives a hit.
>> Looking at the regexp in this line, the "+" after the \S seems not to be
>> correct from my point of view, I would suggest a "*" here, as it is in
>> "__BOUNCE_RPATH_MD".
>> So for testing purposes I modified the line
>> old:
>> header __BOUNCE_FROM_DAEMON From =~
>> /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i
>>
>> to new:
>> header __BOUNCE_FROM_DAEMON From =~
>> /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|<>)/i
>>
>> and now, also the bounces formerly not recognized are correctly identified.
>> Can someone confirm that this is a "typo"? Or have I misunderstood
>> something?
>>
>
> yep, you're quite right -- thanks!
>
> --j.
>
>

--
Robert Müller
Thinxsolutions Müller,Bender,Guth GbR
Maarweg 139
50825 Köln

Fon: +49 221 3550353 0
Fax: +49 221 3550353 99
Mob: +49 179 5303775

rmueller[at]thinxsolutions.de
http://www.thinxsolutions.de

jm at jmason

May 7, 2008, 2:32 AM

Post #4 of 11 (189 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

actually, if you could open a bug that'd be great -- I wasn't
planning on backporting the fix to 3.2.x updates.

--j.

=?ISO-8859-15?Q?Robert_M=FCller?= writes:
> Fine - thanks for the quick reply. I assume there's no need for a bug
> report regarding this issue, correct?
> So I'll do nothing more but waiting for the fix via sa-update :-)
>
> Robert
>
> Justin Mason schrieb:
> > =?ISO-8859-15?Q?Robert_M=FCller?= writes:
> >
> >> Hi all,
> >> as I'm facing raising amount of bounces on my mailserver in the last 2
> >> months, I tried to use the vbounce ruleset to identify the ones caused
> >> by UBE faking the sender address.
> >> This was generally successful, but surprisingly there are a lot of
> >> UBE-bounces which are not recognized by vbounce.
> >> After digging a little bit into this (I'm not a SA-expert), it showed
> >> that the body-rule " __HAVE_BOUNCE_RELAYS" is giving a "1", but often no
> >> header rule "__BOUNCE*" seems to give a hit.
> >> One of the most likely rules to be IMHO true is the
> >> "__BOUNCE_FROM_DAEMON" one, but this one nearly never gives a hit.
> >> Looking at the regexp in this line, the "+" after the \S seems not to be
> >> correct from my point of view, I would suggest a "*" here, as it is in
> >> "__BOUNCE_RPATH_MD".
> >> So for testing purposes I modified the line
> >> old:
> >> header __BOUNCE_FROM_DAEMON From =~
> >> /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i
> >>
> >> to new:
> >> header __BOUNCE_FROM_DAEMON From =~
> >> /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|<>)/i
> >>
> >> and now, also the bounces formerly not recognized are correctly identified.
> >> Can someone confirm that this is a "typo"? Or have I misunderstood
> >> something?
> >>
> >
> > yep, you're quite right -- thanks!
> >
> > --j.
> >
> >
>
> --
> Robert Müller
> Thinxsolutions Müller,Bender,Guth GbR
> Maarweg 139
> 50825 Köln
>
> Fon: +49 221 3550353 0
> Fax: +49 221 3550353 99
> Mob: +49 179 5303775
>
> rmueller[at]thinxsolutions.de
> http://www.thinxsolutions.de

jm at jmason

May 7, 2008, 2:32 AM

Post #5 of 11 (189 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

jm at jmason

May 7, 2008, 2:32 AM

Post #6 of 11 (189 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

listuser at jpkvideo

May 7, 2008, 11:15 AM

Post #7 of 11 (187 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

listuser at jpkvideo

May 7, 2008, 11:17 AM

Post #8 of 11 (187 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

jarif at iki

May 7, 2008, 11:42 AM

Post #9 of 11 (187 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

rmueller at thinxsolutions

May 7, 2008, 1:19 PM

Post #10 of 11 (184 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

I've opened bug 5901.

Thanks,
Robert

Justin Mason schrieb:
> actually, if you could open a bug that'd be great -- I wasn't
> planning on backporting the fix to 3.2.x updates.
>
> --j.
>
> =?ISO-8859-15?Q?Robert_M=FCller?= writes:
>
>> Fine - thanks for the quick reply. I assume there's no need for a bug
>> report regarding this issue, correct?
>> So I'll do nothing more but waiting for the fix via sa-update :-)
>>
>> Robert
>>
>> Justin Mason schrieb:
>>
>>> =?ISO-8859-15?Q?Robert_M=FCller?= writes:
>>>
>>>
>>>> Hi all,
>>>> as I'm facing raising amount of bounces on my mailserver in the last 2
>>>> months, I tried to use the vbounce ruleset to identify the ones caused
>>>> by UBE faking the sender address.
>>>> This was generally successful, but surprisingly there are a lot of
>>>> UBE-bounces which are not recognized by vbounce.
>>>> After digging a little bit into this (I'm not a SA-expert), it showed
>>>> that the body-rule " __HAVE_BOUNCE_RELAYS" is giving a "1", but often no
>>>> header rule "__BOUNCE*" seems to give a hit.
>>>> One of the most likely rules to be IMHO true is the
>>>> "__BOUNCE_FROM_DAEMON" one, but this one nearly never gives a hit.
>>>> Looking at the regexp in this line, the "+" after the \S seems not to be
>>>> correct from my point of view, I would suggest a "*" here, as it is in
>>>> "__BOUNCE_RPATH_MD".
>>>> So for testing purposes I modified the line
>>>> old:
>>>> header __BOUNCE_FROM_DAEMON From =~
>>>> /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i
>>>>
>>>> to new:
>>>> header __BOUNCE_FROM_DAEMON From =~
>>>> /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|<>)/i
>>>>
>>>> and now, also the bounces formerly not recognized are correctly identified.
>>>> Can someone confirm that this is a "typo"? Or have I misunderstood
>>>> something?
>>>>
>>>>
>>> yep, you're quite right -- thanks!
>>>
>>> --j.
>>>
>>>
>>>

rmueller at thinxsolutions

May 7, 2008, 1:26 PM

Post #11 of 11 (185 views)
Permalink

Re: typo in 20_vbounce.cf? [In reply to]

Sorry for missing the most important part of the information in the body
- I fully agree with you.
On the other side, I learned at school to carefully read all parts of
the document - seems also to be true :-)

Robert

Jari Fredriksson schrieb:
>> doh!
>> I guess if I read the subject line that would have helped.
>>
>
> You are not alone with this ;D It's a good practise to include all data in the body of the message, and not to refer to the subject. I once learned that in school and it seems to be true..
>
> jarif
>
>
>
>
>> On May 7, 2008, at 11:15 AM, JP Kelly wrote:
>>
>>
>>> where is this line found?
>>>
>>> On May 6, 2008, at 3:01 PM, Robert Müller wrote:
>>>
>>>
>>>> So for testing purposes I modified the line
>>>> old:
>>>> header __BOUNCE_FROM_DAEMON From =~
>>>> /(?:(?:daemon|deamon|
>>>> majordomo|postmaster|virus|scanner|devnull|automated-response|
>>>> SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|
>>>> <>)/i
>>>>
>>>> to new:
>>>> header __BOUNCE_FROM_DAEMON From =~
>>>> /(?:(?:daemon|deamon|
>>>> majordomo|postmaster|virus|scanner|devnull|automated-response|
>>>> SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S*\@|
>>>> <>)/i
>>>>
>
>

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com