How to view logs for a particular SpamAssassin Rule

curibe
Posts: 74
Joined: 26 Feb 2014 22:38

How to view logs for a particular SpamAssassin Rule

Post by curibe »

Here is my story.

I noticed a message had been marked as spam. I clicked on it to see why it was marked as spam. This is what it showed:
Score Matching Rule Description
2.02 HELO_NO_DOMAIN
0.00 HTML_MESSAGE
1.00 ImageCerberusPLG1
1.27 RDNS_NONE
0.16 SHORT_HELO_AND_INLINE_IMAGE
3.00 SPOOF_COM2OTH

Any way to see the logs on why the SPOOF_COM2OTH score was high for this particular message?


NOTE: Life would be a lot easier if the Matching Rule would have its Description ;)

BTW, to the EFA guys: thanks for all the help you guys have given me on this FORUM... :D
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: How to view logs for a particular SpamAssassin Rule

Post by pdwalker »

You'll need to examine the SpamAssassin rule sets, find the rule and then work out yourself why it was triggered.

(in 3.0.0.7, built from scratch)

cd /var/lib/spamassassin/3.004000/updates_spamassassin_org
[root@efa updates_spamassassin_org]# grep SPOOF_COM2OTH *
20_uri_tests.cf:uri SPOOF_COM2OTH	m{^https?://(?:\w+\.)+?com\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com)(?:\w+\.){2}}i
20_uri_tests.cf:describe SPOOF_COM2OTH	URI contains ".com" in middle
50_scores.cf:score SPOOF_COM2OTH 2.999 2.999 2.877 2.723

Without me trying to parse the regex, it looks like there's a funny URL in the message trying to disguise itself as coming from somewhere else.
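
An added example, not part of the thread and not EFA or SpamAssassin code: this Python script applies the SPOOF_COM2OTH pattern quoted above to the URLs in a message body and reports which URL hit and which prefix the rule matched. The URL extraction regex and the sample body are constructed assumptions; SpamAssassin's own URI parsing is more thorough.

```python
import re

# Pattern copied from the 20_uri_tests.cf line quoted above; the trailing "i"
# of the Perl m{...}i form becomes re.IGNORECASE.
SPOOF_COM2OTH = re.compile(
    r"^https?://(?:\w+\.)+?com\.(?!(?:[a-z]{2}\.)?s3\.amazonaws\.com)(?:\w+\.){2}",
    re.IGNORECASE,
)

# Simplified URI extraction (assumption): this only pulls plain http(s) URLs
# out of text and is not how SpamAssassin collects URIs.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def explain_hits(message_text):
    """Return (url, matched_prefix) for every URL the rule pattern matches."""
    hits = []
    for url in URL_RE.findall(message_text):
        m = SPOOF_COM2OTH.match(url)
        if m:
            hits.append((url, m.group(0)))
    return hits


# Constructed sample body, not taken from the thread.
SAMPLE = """\
Your invoice: http://www.example.com/invoice.html
Log in here: http://login.example.com.accounts.example.net/verify
Image: https://bucket.example.com.s3.amazonaws.com/logo.png
UK site: http://www.example.com.co.uk/
"""

if __name__ == "__main__":
    for url, prefix in explain_hits(SAMPLE):
        print(f"SPOOF_COM2OTH hit: {url}\n  matched: {prefix}")
```

Only the second URL hits: ".com." sits in the middle of the host name and is followed by two more dot-terminated labels. The S3 URL is excluded by the rule's negative lookahead, and the ".com.co.uk/" URL lacks the second trailing label.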
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How to view logs for a particular SpamAssassin Rule

Post by shawniverson »

You can run "Update SpamAssassin Rule Descriptions" under tools to update the descriptions on the SA rules, if they have them.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: How to view logs for a particular SpamAssassin Rule

Post by pdwalker »

And that's much easier.

You only need to look at the SpamAssassin rules if you want to find out exactly what that condition is, assuming you can parse the regexes that is. :lol: