blacklist_subject

Use this forum for discussions about SpamAssassin and anti-spam in general.
Post Reply
User avatar
mattg
Moderator
Moderator
Posts: 21919
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

blacklist_subject

Post by mattg » 2022-05-10 02:48

blacklist_subject

In Thunderbird I see a subject as

Re:Fallen Empire (Get in NOW!)

When I look at the headers the Subject header has the Re Capitalised so that the subject is

RE:Fallen Empire (Get in NOW!)

My SpamAssassin rule for blacklist subject was using the Capitalised version, and the rule was skipped, allowing the message through to my spam filter in hMailserver.

How can a subject be different case than the subject message header?
Attachments
Screenshot 2022-05-10 104728.png
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
katip
Senior user
Senior user
Posts: 1047
Joined: 2006-12-22 07:58
Location: Istanbul

Re: blacklist_subject

Post by katip » 2022-05-10 07:36

mattg wrote:
2022-05-10 02:48
blacklist_subject

In Thunderbird I see a subject as

Re:Fallen Empire (Get in NOW!)
TB tends to display always "Re:" in list view whatever case it is in message source.
but this doesn't explain your case as SA checks message source.
what is your blacklist_subject line exactly? i think this plugin works case-insensitive BTW..
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 3.4.4, ClamAV 0.103.5

User avatar
mattg
Moderator
Moderator
Posts: 21919
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: blacklist_subject

Post by mattg » 2022-05-10 08:47

You may be correct about TB
I have some with a capital RE, but only when there is a space following

So it looks like RE: gets shown as Re:

My rule was an exact match, with the capitalised RE:

Code: Select all

blacklist_subject RE: Fallen Empire (Get in NOW!)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
katip
Senior user
Senior user
Posts: 1047
Joined: 2006-12-22 07:58
Location: Istanbul

Re: blacklist_subject

Post by katip » 2022-05-10 09:30

mattg wrote:
2022-05-10 08:47
So it looks like RE: gets shown as Re:
yes, i found this : https://bugzilla.mozilla.org/show_bug.cgi?id=321236

Code: Select all

blacklist_subject RE: Fallen Empire (Get in NOW!)
strange, rule looks ok. text encoding, line endings etc??
i never used this plugin.
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 3.4.4, ClamAV 0.103.5

User avatar
mattg
Moderator
Moderator
Posts: 21919
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: blacklist_subject

Post by mattg » 2022-05-10 11:08

I have an aa_reject_list.cf that includes this and some blacklisted TDLs and few other addresses

I also use the subject starts in RE and end in .or ? rule you helped with a little back.
It works well

I think the blacklist_subject and blacklist_from are both meant to trigger the 'shortcut', ie instant rejection
I don't reject, I just delete

Code: Select all

score SUBJECT_IN_BLACKLIST 25
blacklist_subject “KETO COMPLETE is revolutionizing losing weight medicine” 
blacklist_subject *takes low paying job as a cleaner and quits after becoming a millionaire.
blacklist_subject Affordable websites that generate customers
blacklist_subject Are you the right person to send this report to
blacklist_subject Bestsellers
blacklist_subject Dating in Australia
blacklist_subject FREE AUDIT
blacklist_subject Games For PC {Windows & Mac} Full Version
blacklist_subject Google Cloud role update for \"CRYPTO PLATFORM*
blacklist_subject I would love to share you report for your website without any charge
blacklist_subject LogoCarpet - AU
blacklist_subject Make Money Fast
blacklist_subject Mobile App Development
blacklist_subject Re: And it is free of cost report.
blacklist_subject Re: Are you paying lots of money?
blacklist_subject Re: Are you the right person to send this report to?
blacklist_subject Re: Are you the right person to send this to?
blacklist_subject RE: Are you the right person to send this FREE report to?
blacklist_subject RE: Business Score Alert (your FREE Report)
blacklist_subject RE: Fallen Empire (Get in NOW!)
blacklist_subject Re: Fallen Empire (Get in NOW!)
blacklist_subject Re: free-of-charge SEO suggestions.
blacklist_subject Re: FREE Report.
blacklist_subject Re: FREE Social Media Proposal.
blacklist_subject Re: FREE Suggestions?
blacklist_subject Re: FREE Video Audit
blacklist_subject RE: Full pay on performance Proposal.
blacklist_subject RE: “go for it”
blacklist_subject Re: Have you been burnt before and are very distrustful?
blacklist_subject Re: I would love to share you report for your website without any charge.
blacklist_subject Re: I'd be happy to send you a "Pay on Performance" proposal.
blacklist_subject Re: I found you on page #11 of Google.
blacklist_subject Re: May i send it to you?
blacklist_subject Re: May I send over some free SEO suggestions?
blacklist_subject RE: May I send over some free suggestions?
blacklist_subject Re: Need any help with social media management?
blacklist_subject Re: Packages & Proposal.
blacklist_subject Re: "Pay on Performance" Campaign.
blacklist_subject Re: Pay On Our Performance.
blacklist_subject Re: Pay On Performance.
blacklist_subject Re: Performance based SEO Model guarantee.
blacklist_subject Re: Please email back for full pay on performance Proposal.
blacklist_subject Re: Please reply and we will be happy to send you a pay on performance SEO proposal.
blacklist_subject RE: Quick FREE Video AUDIT
blacklist_subject Re: Qucik Video Audit.
blacklist_subject Re: Ranking Issue.
blacklist_subject Re: Reply “1” for a FREE custom proposal.
blacklist_subject Re: Respond back simply stating “1” for a FREE custom proposal.
blacklist_subject Re: Simply reply “go for it”
blacklist_subject Re: Social Media Ads.
blacklist_subject Re: Social Media Management.
blacklist_subject Re: Social Media.
blacklist_subject RE: The report is free, no cost or obligation.
blacklist_subject Re: unique pay for performance model
blacklist_subject Re: Video Audit.
blacklist_subject Re: Video.
blacklist_subject Re: We work based on a unique pay for performance model.
blacklist_subject Re: Website Error Lists.
blacklist_subject Re: Website proposal in greater detail.
blacklist_subject Re: Website.
blacklist_subject Re: Would like any help with social media management?
blacklist_subject RE: Would you like to fix your web errors?
blacklist_subject RE : May I send you a quote?
blacklist_subject Re: Yes? ok?
blacklist_subject Re: You never showed up AGAIN
blacklist_subject REMOVE ONLINE NEGATIVE REVIEWS & CONTENTS
blacklist_subject send you a "Pay on Performance" proposal
blacklist_subject The report is free, no cost or obligation
blacklist_subject Web Design, Development & Digital.
blacklist_subject You need "explainer videos" not WORDS
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
mattg
Moderator
Moderator
Posts: 21919
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: blacklist_subject

Post by mattg » 2022-05-12 00:34

Another one just got through - perhaps the brackets trick this one up

Code: Select all

Return-Path: 	eileen@thedailyhatsskyauther.biz
Delivered-To: 	spam@***my client ***
X-Spam-Checker-Version: 	SpamAssassin 3.4.4-mx.example.com (2020-01-24) on webserver.example.com
X-Spam-Flag: 	YES
X-Spam-Level: 	*************
X-Spam-Status: 	Yes, score=13.3 required=-500.0 tests=ADD_TO_SCORE,DMARC_QUAR, FREEMAIL_FORGED_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT, KAM_DMARC_QUARANTINE,KAM_DMARC_STATUS,KAM_INFOUSMEBIZ, MSGID_FROM_MTA_HEADER,RCVD_IN_HOSTKARMA_BL,RCVD_WEE_HOURS, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=disabled version=3.4.4-mx.example.com
X-Spam-Report: 	* 0.0 RCVD_WEE_HOURS Received by mx.example.com between 8:00pm and 6:00am * 1.5 RCVD_IN_HOSTKARMA_BL RBL: Sender listed in HOSTKARMA-BLACK * [155.94.218.23 listed in hostkarma.junkemailfilter.com] * 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit * [eileenrobertson031[at]gmail.com] * -0.1 SPF_PASS SPF: sender matches SPF record * 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record * 2.2 ADD_TO_SCORE FULL: This simply adds 2.2 to score to match hMailserver * 0.2 DMARC_QUAR DMARC fail with quarantine policy * 1.5 KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy * 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay * 2.5 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment * 0.8 KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware * -0.0 T_SCC_BODY_TEXT_LINE No description available. * 4.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
X-Spam-Relay-Country: 	US US
X-Spam-Languages: 	en
X-Spam-Score: 	13.3
Received: 	from goat.thedailyhatsskyauther.biz (goat.thedailyhatsskyauther.biz [155.94.218.23]) by example.com with ESMTPS (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256) ; Thu, 12 May 2022 05:04:59 +1000
Message-ID: 	<540625F0-6CD7-4ABA-9A32-F1181200B6E1@example.com>
Received: 	from [96.47.230.83] (unknown [96.47.230.83]) by goat.thedailyhatsskyauther.biz (Postfix) with ESMTPA id A10A21367B; Wed, 11 May 2022 11:13:57 -0400 (EDT)
Content-Type: 	text/plain; charset="utf-8"
MIME-Version: 	1.0
Content-Transfer-Encoding: 	quoted-printable
Content-Description: 	Mail message body
Subject: 	RE: Fallen Empire (Get in NOW!)
To: 	Recipients <eileen@thedailyhatsskyauther.biz>
From: 	Eileen Robertson <eileen@thedailyhatsskyauther.biz>
Date: 	Wed, 11 May 2022 08:13:55 -0700
Reply-To: 	eileenrobertson031@gmail.com
X-hMailServer-Spam: 	YES
X-hMailServer-Reason-1: 	Rejected by HostKarma - for removal see http://ipadmin.junkemailfilter.com/remove.php - (Score: 1)
X-hMailServer-Reason-3: 	Tagged as Spam by SpamAssassin - (Score: 13)
X-hMailServer-Reason-Score: 	14
X-Envelope-To: 	bookings@***my client ***
X-Envelope-OriginalTo: 	bookings@***my client ***
X-Envelope-From: 	eileen@thedailyhatsskyauther.biz
X-Spam-Report-01: 	* 0.0 RCVD_WEE_HOURS Received by mx.example.com between 8:00pm and 6:00am
X-Spam-Report-02: 	* 1.5 RCVD_IN_HOSTKARMA_BL RBL: Sender listed in HOSTKARMA-BLACK [155.94.218.23 listed in hostkarma.junkemailfilter.com]
X-Spam-Report-03: 	* 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit [eileenrobertson031[at]gmail.com]
X-Spam-Report-04: 	* -0.1 SPF_PASS SPF: sender matches SPF record
X-Spam-Report-05: 	* 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
X-Spam-Report-06: 	* 2.2 ADD_TO_SCORE FULL: This simply adds 2.2 to score to match hMailserver
X-Spam-Report-07: 	* 0.2 DMARC_QUAR DMARC fail with quarantine policy
X-Spam-Report-08: 	* 1.5 KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
X-Spam-Report-09: 	* 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
X-Spam-Report-10: 	* 2.5 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
X-Spam-Report-11: 	* 0.8 KAM_INFOUSMEBIZ Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
X-Spam-Report-12: 	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
X-Spam-Report-13: 	* 4.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
X-hMailServer-LoopCount: 	1
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Senior user
Posts: 3546
Joined: 2017-09-12 17:57

Re: blacklist_subject

Post by palinka » 2022-05-12 00:52

mattg wrote:
2022-05-12 00:34
Another one just got through - perhaps the brackets trick this one up
You might be better off with this: viewtopic.php?f=20&t=33602

Also, I noticed your list has a lot of these:

Code: Select all

“ ”
Those are not "regular" quotation marks. I don't know what affect they might have on getting found.

User avatar
katip
Senior user
Senior user
Posts: 1047
Joined: 2006-12-22 07:58
Location: Istanbul

Re: blacklist_subject

Post by katip » 2022-05-12 05:46

mattg wrote:
2022-05-12 00:34
Another one just got through - perhaps the brackets trick this one up
no clue why blacklist_subject fails here but this header rule will nail it for good, even with no or up to 3 exclamation marks and a malformed "RE:etc.." (without space after : )

Code: Select all

header FALLEN_EMPIRE_SUBJ Subject =~ /\bRE\:(|\s)Fallen\sEmpire\s\(Get\sin\sNOW\!{0,3}\)/i
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 3.4.4, ClamAV 0.103.5

Post Reply