Clean up X-Spam-Report

Use this forum if you have problems with a hMailServer script, such as hMailServer WebAdmin or code in an event handler.

Post by mattg » 2021-03-06 03:42

This is what I currently get

Code: Select all


-------- Forwarded Message --------
Return-Path: 	jacobbiggsdigitalservice@gmail.com
Delivered-To: 	spam@example.com
X-Spam-Checker-Version: 	SpamAssassin 3.4.2-mx.example.com (2018-09-13) on webserver.example.com.au
X-Spam-Flag: 	YES
X-Spam-Level: 	************
X-Spam-Status: 	Yes, score=12.5 required=-500.0 tests=ADD_TO_SCORE, DIRECT_SPF_SOFTFAIL,DKIM_ADSP_CUSTOM_MED,FORGED_GMAIL_RCVD, FREEMAIL_FROM,HTML_MESSAGE,KAM_ADVERT2,KAM_DMARC_NONE,KAM_DMARC_STATUS, MSGID_FROM_MTA_HEADER,NML_ADSP_CUSTOM_MED,RCVD_IN_NERDS_IN, SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=disabled version=3.4.2-mx.examlpe.com
X-Spam-Report: 	* 3.0 RCVD_IN_NERDS_IN RBL: Received from India (Republic of India) * [103.62.94.187 listed in zz.countries.nerd.dk] * 0.8 KAM_ADVERT2 BODY: This is probably an unwanted commercial email... * 0.1 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) * 1.5 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers * 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record * 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (jacobbiggsdigitalservice[at]gmail.com) * 0.0 HTML_MESSAGE BODY: HTML included in message * 2.2 ADD_TO_SCORE FULL: This simply adds 2.2 to score to match hMailserver * 1.0 DIRECT_SPF_SOFTFAIL Message SPF softfail and NOT downloaded through External Account * 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay * 0.2 KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy * 2.5 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment * 1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
X-Spam-Relay-Country: 	US IN
X-Spam-Languages: 	en
Received: 	from msg1.spotexactorlight.live (msg1.spotexactorlight.live [63.141.225.162]) by example.com with ESMTP ; Thu, 4 Mar 2021 08:04:20 +1000
Message-ID: 	<8F3DA7D9-1F55-48C6-8310-C82203A8FA3D@example.com>
Received: 	from [192.168.0.109] (unknown [103.62.94.187]) by msg1.spotexactorlight.live (Postfix) with ESMTPA id AF4103D0DC45 for <info@example.com>; Wed, 3 Mar 2021 21:55:49 -0600 (CST)
Content-Type: 	multipart/alternative; boundary="===============1304312267=="
MIME-Version: 	1.0
Subject: 	Want to be on page 1?
To: 	info@example.com
From: 	Jacob Biggs <jacobbiggsdigitalservice@gmail.com>
Date: 	Thu, 04 Mar 2021 03:25:35 +0530
Reply-To: 	jacobbiggsdigitalservice@gmail.com
X-hMailServer-Spam: 	YES
X-hMailServer-Reason-1: 	Tagged as Spam by SpamAssassin - (Score: 12)
X-hMailServer-Reason-Score: 	12
X-Envelope-To: 	info@example.com
X-Envelope-OriginalTo: 	info@example.com
X-Envelope-From: 	jacobbiggsdigitalservice@gmail.com
X-Spam-Report-01: 	* 3.0 RCVD_IN_NERDS_IN RBL: Received from India (Republic of India) [103.62.94.187 listed in zz.countries.nerd.dk]
X-Spam-Report-02: 	* 0.8 KAM_ADVERT2 BODY: This is probably an unwanted commercial email...
X-Spam-Report-03: 	* 0.1 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
X-Spam-Report-04: 	* 1.5 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers
X-Spam-Report-05: 	* 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
X-Spam-Report-06: 	* 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
X-Spam-Report-07: 	* 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (jacobbiggsdigitalservice[at]gmail.com)
X-Spam-Report-08: 	* 0.0 HTML_MESSAGE BODY: HTML included in message
X-Spam-Report-09: 	* 2.2 ADD_TO_SCORE FULL: This simply adds 2.2 to score to match hMailserver
X-Spam-Report-10: 	* 1.0 DIRECT_SPF_SOFTFAIL Message SPF softfail and NOT downloaded through External Account
X-Spam-Report-11: 	* 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
X-Spam-Report-12: 	* 0.2 KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
X-Spam-Report-13: 	* 2.5 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
X-Spam-Report-14: 	* 1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
X-hMailServer-LoopCount: 	1

Below is added to the oMessage.htmltext

Code: Select all

CAUTION: This email was flagged as potential SPAM.

This message is FROM :- "Jacob Biggs"
The reply to address is :- jacobbiggsdigitalservice@gmail.com
The return address is :- jacobbiggsdigitalservice@gmail.com
Do NOT click links or open attachments unless you recognize the sender, were expecting the email, and know the content is safe.

The spam score of this message is :- 12

There are around 1200 rules checked and below are the high SPAM scores for this message
* 3.0 RCVD_IN_NERDS_IN RBL: Received from India (Republic of India) [103.62.94.187 listed in zz.countries.nerd.dk]
* 0.8 KAM_ADVERT2 BODY: This is probably an unwanted commercial email...
* 1.5 FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers
* 1.0 DIRECT_SPF_SOFTFAIL Message SPF softfail and NOT downloaded through External Account
* 2.5 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict Alignment
* 1.2 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by katip » 2021-03-06 08:35

this is my output with only 2 tweaks on RCVD_IN_UCEPROTECT and SPF_HELO_FAIL prior to final VbCrLf & " *" with default report_wrap_width 70
it looks quite good, but still not perfect. apparently some rules feed one or more spaces less (or more) before * within description which breaks alignment.
sure it is possible to cope with all this. but not worth it IMO. all in all we're talking about minor cosmetic tweaks.

Code: Select all

X-Spam-Report: 
 *  4.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% 
 *      [score: 1.0000] 
 *  0.6 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% 
 *      [score: 1.0000] 
 *  2.5 BH_XMAILER_FOXMAIL No description available. 
 *  5.0 BH_CHINESE_CHARSET No description available. 
 *  5.0 BH_FROM_CN_ISP No description available. 
 *  1.0 RCVD_IN_UCEPROTECT1 RBL: Listed in dnsbl-1.uceprotect.net (open 
 *       relay/proxy/dialup)  <-- ******* HERE **********
 *      [IP 183.131.116.2 is UCEPROTECT-Level 1 listed.] 
 *      [See <http://www.uceprotect.net/rblcheck.php?ipr=183.131.116.2>] 
 *  1.0 RCVD_IN_WPBL RBL: Listed in wpbl 
 *      [183.131.116.2 listed in db.wpbl.info] 
 *  2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL 
 *      [183.131.116.2 listed in psbl.surriel.com] 
 *  3.3 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS 
 *      [183.131.116.2 listed in zen.spamhaus.org] 
 *  0.4 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL 
 *  3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL 
 *  1.5 RCVD_IN_NIX_SPAM RBL: Listed in NIX-SPAM DNSBL (heise.de) 
 *      [183.131.116.2 listed in ix.dnsbl.manitu.net] 
 *  0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5) 
 *      [183.131.116.2 listed in bl.mailspike.net] 
 *  1.5 RCVD_IN_HOSTKARMA_BL RBL: Sender listed in HOSTKARMA-BLACK 
 *      [183.131.116.2 listed in hostkarma.junkemailfilter.com] 
 *  1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL, 
 *      https://senderscore.org/blacklistlookup/ 
 *      [183.131.116.2 listed in bl.score.senderscore.com] 
 *  3.0 RCVD_IN_NERDS_CN RBL: Received from China (People's Republic of 
 *       China)  <-- ******* HERE **********
 *      [183.131.116.2 listed in zz.countries.nerd.dk] 
 *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail 
 *      provider (lanxifa02[at]163.com) 
 *  0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail) 
 *      [SPF failed: Please see http://www.openspf.org/Why? 
 *      s=helo;id=163.com;ip=183.131.116.2; 
 *      r=servername.domain.local] 
 *  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in 
 *     digit (lanxifa02[at]163.com)  <-- ******* HERE **********
 *  0.1 JAM_PHARMACY_BD BODY: Body contains pharmacy, medication etc 
 *  0.0 T_OBFU_JPG_ATTACH BODY: JPG attachment with generic MIME type 
 *  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS 
 *  0.2 KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message 
 *       and the domain has no DMARC policy  <-- ******* HERE **********
 *  0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict 
 *      Alignment 
 *  0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted 
 *  0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay 
 *  0.0 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
X-Spam-Virus: No
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 4.0.0, ClamAV 0.103.8

Post by SorenR » 2021-03-06 14:17

Code: Select all

X-Spam-ASN: AS12876 51.15.0.0/16
X-Spam-Virus: No
X-Spam-Report: 
 *  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
 *      [score: 1.0000]
 *  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
 *      [score: 1.0000]
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 *      domain
 * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
 *      valid
 *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 *  1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
 *      [cf: 100]
 *  0.1 PLING_QUERY Subject has exclamation mark and question mark
 *  0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors
 *      in HTML
 *  3.5 JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in
 *      spam
Envelope-Sender: info@recruitic.com

Code: Select all

If oMessage.HeaderValue("X-Spam-Report") <> "" Then
    Dim strReport, ECFlag : ECFlag = oMessage.EncodeFields
    oMessage.EncodeFields = False
    With CreateObject("VBScript.RegExp")
        .Global = True
        .Pattern = "([\x0D]?[\x0A]){1,}"
        strReport = .Replace(oMessage.HeaderValue("X-Spam-Report"), "")
        .Pattern = "([\x20]?[\x2A])"
        strReport = .Replace(strReport, vbCrLf & " *")
        .Pattern = "([\x2A][\x20]{1,7})(?=[\x2D]\d[\x2E]\d)"
        strReport = .Replace(strReport, "* ")   ' 1 x space
        .Pattern = "([\x2A][\x20]{1,7})(?=(\d[\x2E]\d)|(\d{3})[\x20])"
        strReport = .Replace(strReport, "*  ")   ' 2 x space
        .Pattern = "([\x2A][\x20]{1,})(?=[a-z]|[\x5B])"
        oMessage.HeaderValue("X-Spam-Report") = .Replace(strReport, "*      ")   ' 6 x space
    End With
    oMessage.EncodeFields = ECFlag
    oMessage.Save
End If
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

Post by palinka » 2021-03-06 16:48

katip wrote:
2021-03-06 08:35
sure it is possible to cope with all this. but not worth it IMO. all in all we're talking about minor cosmetic tweaks.
I agree. Put a fork in it.

Before: indecipherable.
After: readable.

I'm good with keeping it simple.

Post by katip » 2021-03-06 17:28

palinka wrote:
2021-03-06 16:48
katip wrote:
2021-03-06 08:35
sure it is possible to cope with all this. but not worth it IMO. all in all we're talking about minor cosmetic tweaks.
I agree. Put a fork in it.

Before: indecipherable.
After: readable.

I'm good with keeping it simple.
to avoid misunderstanding: i meant all the work for such as 1 or 2 char left/right alignment
otherwise initial concept is very useful and i'm using it.

Post by katip » 2021-03-06 17:44

SorenR wrote:
2021-03-06 14:17

Code: Select all

If oMessage.HeaderValue("X-Spam-Report") <> "" Then
    Dim strReport, ECFlag : ECFlag = oMessage.EncodeFields
    oMessage.EncodeFields = False
    With CreateObject("VBScript.RegExp")
        .Global = True
        .Pattern = "([\x0D]?[\x0A]){1,}"
        strReport = .Replace(oMessage.HeaderValue("X-Spam-Report"), "")
        .Pattern = "([\x20]?[\x2A])"
        strReport = .Replace(strReport, vbCrLf & " *")
        .Pattern = "([\x2A][\x20]{1,7})(?=[\x2D]\d[\x2E]\d)"
        strReport = .Replace(strReport, "* ")   ' 1 x space
        .Pattern = "([\x2A][\x20]{1,7})(?=(\d[\x2E]\d)|(\d{3})[\x20])"
        strReport = .Replace(strReport, "*  ")   ' 2 x space
        .Pattern = "([\x2A][\x20]{1,})(?=[a-z]|[\x5B])"
        oMessage.HeaderValue("X-Spam-Report") = .Replace(strReport, "*      ")   ' 6 x space
    End With
    oMessage.EncodeFields = ECFlag
    oMessage.Save
End If
trying since an hour or so. UCEPROTECT is ok:

Code: Select all

 *  1.0 RCVD_IN_UCEPROTECT1 RBL: Listed in dnsbl-1.uceprotect.net (open
 *      relay/proxy/dialup)
 *      [IP 58.212.43.144 is UCEPROTECT-Level 1 listed.] [See <http://www.uceprotect.net/rblcheck.php?ipr=58.212.43.144>]
BUT

Code: Select all

 *  3.0 RCVD_IN_NERDS_CN RBL: Received from China (People's Republic of
 *       China)
 *      [58.212.43.144 listed in zz.countries.nerd.dk]
and

Code: Select all

 *  0.9 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in
 *    DNS 
still not yet encountered an SPF_HELO_FAIL with a string such as:

Code: Select all

http://www.openspf.org/Why?s=helo;id=cr.mufg.jp;ip=160.251.138.241;r=xxxxxxxx.xxxxxxxxxx.local]
i'll report back as soon as i get one.

Post by RvdH » 2021-03-06 22:25

.Pattern = "([\x2A][\x20]{1,})(?=[a-zA-Z]|[\x5B])"

China and DNS are written with Capital(s)
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

Post by SorenR » 2021-03-06 22:30

RvdH wrote:
2021-03-06 22:25
.Pattern = "([\x2A][\x20]{1,})(?=[a-zA-Z]|[\x5B])"

China and DNS are written with Capital(s)
.IgnoreCase = True

:mrgreen:

Post by RvdH » 2021-03-06 22:32

SorenR wrote:
2021-03-06 22:30
RvdH wrote:
2021-03-06 22:25
.Pattern = "([\x2A][\x20]{1,})(?=[a-zA-Z]|[\x5B])"

China and DNS are written with Capital(s)
.IgnoreCase = True

:mrgreen:
Mine is shorter (normally nothing to be proud of, but in this case i stick with it :lol: :mrgreen: )

Post by SorenR » 2021-03-06 22:33

RvdH wrote:
2021-03-06 22:32
SorenR wrote:
2021-03-06 22:30
RvdH wrote:
2021-03-06 22:25
.Pattern = "([\x2A][\x20]{1,})(?=[a-zA-Z]|[\x5B])"

China and DNS are written with Capital(s)
.IgnoreCase = True

:mrgreen:
Mine is shorter (normally nothing to be proud of, but in this case :lol: :mrgreen: )
:mrgreen:

Post by katip » 2021-03-07 09:23

SorenR wrote:
2021-03-06 22:30
RvdH wrote:
2021-03-06 22:25
.Pattern = "([\x2A][\x20]{1,})(?=[a-zA-Z]|[\x5B])"

China and DNS are written with Capital(s)
.IgnoreCase = True

:mrgreen:
nice!
thanks guys. all looks perfect now.

Post by RvdH » 2021-03-07 10:28

katip wrote:
2021-03-06 17:44
trying since an hour or so. UCEPROTECT is ok:

Code: Select all

 *  1.0 RCVD_IN_UCEPROTECT1 RBL: Listed in dnsbl-1.uceprotect.net (open
 *      relay/proxy/dialup)
 *      [IP 58.212.43.144 is UCEPROTECT-Level 1 listed.] [See <http://www.uceprotect.net/rblcheck.php?ipr=58.212.43.144>]
I got my UCEPROTECT listing a little different, e.g.:

Code: Select all

 *  0.2 RCVD_IN_UCEPROTECT3 RBL: Network listed in
 *      dnsbl-3.uceprotect.net
 *      [Your ISP OVH, FR/AS16276 is UCEPROTECT-Level3]
 *      [listed because of a spamscore of 97.9. See:]
 *      [<http://www.uceprotect.net/rblcheck.php?ipr=51.195.90.187>]
responsible replace

Code: Select all

.Pattern = "(?=.+)([\x5D][\x20][\x5B])"
strReport = .Replace(strReport, "] * [")
complete code, the placement of above lines is important here as the linebreak is added in the rule/replace after

Code: Select all

If oMessage.HeaderValue("X-Spam-Report") <> "" Then
	Dim strReport, ECFlag : ECFlag = oMessage.EncodeFields
	oMessage.EncodeFields = False
	With CreateObject("VBScript.RegExp")
		.Global = True
		.Pattern = "([\x0D]?[\x0A]){1,}"
		strReport = .Replace(oMessage.HeaderValue("X-Spam-Report"), vbCrLf)
		.Pattern = "(?=.+)([\x5D][\x20][\x5B])"
		strReport = .Replace(strReport, "] * [")
		.Pattern = "([\x20]?[\x2A])"
		strReport = .Replace(strReport, vbCrLf & " *")
		.Pattern = "([\x2A][\x20]{1,7})(?=[\x2D]\d[\x2E]\d)"
		strReport = .Replace(strReport, "* ")  ' 1x space
		.Pattern = "([\x2A][\x20]{1,7})(?=(\d[\x2E]\d)|(\d{3})[\x20])"
		strReport = .Replace(strReport, "*  ")  ' 2x space
		.Pattern = "([\x2A][\x20]{1,})(?=[a-zA-Z]|[\x5B])"
		oMessage.HeaderValue("X-Spam-Report") = .Replace(strReport, "*      ")  ' 6x space
	End With
	oMessage.EncodeFields = ECFlag
	oMessage.Save
End If

Post by katip » 2021-03-07 13:03

RvdH wrote:
2021-03-07 10:28
responsible replace

Code: Select all

.Pattern = "(?=.+)([\x5D][\x20][\x5B])"
strReport = .Replace(strReport, "] * [")
good. will make also these look tidy:

Code: Select all

* -2.0 RCVD_IN_RP_SAFE RBL: Sender in ReturnPath Safe - Contact
 *      safe-sa@returnpath.net
 *      [Return Path SenderScore Safe List (formerly] [Habeas Safelist) - <http://www.senderscorecertified.com>]
 * -3.0 RCVD_IN_RP_CERTIFIED RBL: Sender in ReturnPath Certified -
 *      Contact cert-sa@returnpath.net
 *      [Return Path SenderScore Certified {formerly] [Bonded Sender} - <http://www.senderscorecertified.com>]

Post by RvdH » 2021-03-07 14:16

Maybe change

Code: Select all

.Pattern = "(?=.+)([\x5D][\x20][\x5B])"
to

Code: Select all

.Pattern = "([\x5D][\x20][\x5B])"
Old regex didn't make much sense, nor difference

Post by katip » 2021-03-07 20:38

RvdH wrote:
2021-03-07 14:16
Maybe change

Code: Select all

.Pattern = "(?=.+)([\x5D][\x20][\x5B])"
to

Code: Select all

.Pattern = "([\x5D][\x20][\x5B])"
Old regex didn't make much sense, nor difference
yes, works fine either way.
BTW i came across this:

Code: Select all

 *  0.0 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
 *   (FTSDMCXX/boundary variant) + direct-to-MX
and added left parenthesis to:

Code: Select all

.Pattern = "([\x2A][\x20]{1,})(?=[a-zA-Z]|[\x5B]|[\x28])"
just in case..
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 4.0.0, ClamAV 0.103.8
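
An added example, not code from any poster in this thread: instead of patching whitespace with a chain of replaces, this Python sketch parses a re-folded X-Spam-Report into per-rule records (a segment is a new rule only if it starts with a score and a rule name, so capitalised or parenthesised continuations need no special case) and re-renders it. The function names, the constructed sample and the use of width 70 (the `report_wrap_width` default mentioned above) are assumptions.

```python
import re
import textwrap

# Constructed sample, modelled on the reports quoted in this thread: the value
# after the server re-folded it, so breaks no longer follow the " * " markers
# and some breaks even separate a score from its rule name.
SAMPLE = (
    "* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * -1.9\r\n"
    "\t BAYES_00 BODY: Bayes spam probability is 0 to 1% *      [score: 0.0014] *\r\n"
    "\t 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email *  3.0\r\n"
    "\t RCVD_IN_NERDS_CN RBL: Received from China (People's Republic of *\r\n"
    "\t China) * [203.0.113.7 listed in zz.countries.nerd.dk] *  0.9\r\n"
    "\t DKIM_ADSP_NXDOMAIN No valid author signature and domain not in * DNS *\r\n"
    "\t 1.0 RCVD_IN_UCEPROTECT1 RBL: Listed in dnsbl-1.uceprotect.net (open *\r\n"
    "\t relay/proxy/dialup) * [IP 203.0.113.7 is UCEPROTECT-Level 1 listed.]"
    " [See <http://www.uceprotect.net/rblcheck.php?ipr=203.0.113.7>]"
)

# A "*" only separates segments when it stands alone between whitespace.
SEPARATOR = re.compile(r"(?:^|\s)\*(?:\s+|$)")
# A rule line is "<score> <RULE_NAME> [description]"; anything else continues
# the previous rule.
RULE_START = re.compile(r"(-?\d+(?:\.\d+)?)\s+([A-Z_][A-Z0-9_]*)(?:\s+(.*))?$")
# "[...] [...]" on one segment is two detail lines that were glued together.
BRACKET_GAP = re.compile(r"(?<=\])\s+(?=\[)")


def parse_report(value):
    """Return a list of dicts: score, rule, description, details."""
    text = re.sub(r"\r?\n[ \t]+", " ", value)   # undo header folding
    text = re.sub(r"\s+", " ", text).strip()    # normalise runs of whitespace
    entries = []
    for segment in SEPARATOR.split(text):
        segment = segment.strip()
        if not segment:
            continue
        match = RULE_START.match(segment)
        if match:
            entries.append({
                "score": float(match.group(1)),
                "rule": match.group(2),
                "description": match.group(3) or "",
                "details": [],
            })
            continue
        if not entries:
            continue                            # stray text before first rule
        entry = entries[-1]
        if entry["details"] and not entry["details"][-1].endswith("]"):
            entry["details"][-1] += " " + segment   # wrapped "[...]" detail
        elif segment.startswith("["):
            entry["details"].extend(BRACKET_GAP.split(segment))
        else:
            entry["description"] = (entry["description"] + " " + segment).strip()
    return entries


def report_total(entries):
    """Sum of rule scores; compare with score= in X-Spam-Status as a sanity check."""
    return round(sum(e["score"] for e in entries), 1)


def format_report(entries, width=70):
    """Render one aligned ' * score RULE text' block per rule, as a list of lines."""
    lines = []
    for e in entries:
        score = f"{e['score']:.1f}" if abs(e["score"]) < 100 else f"{e['score']:.0f}"
        lines += textwrap.wrap(
            f"{e['rule']} {e['description']}".strip(),
            width=width,
            initial_indent=f" * {score:>4} ",    # 8 columns before the rule name
            subsequent_indent=" *      ",        # 8 columns before continuations
            break_long_words=False,
            break_on_hyphens=False,
        )
        lines += [f" *      {detail}" for detail in e["details"]]
    return lines


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    print("\r\n".join(format_report(parsed)))
    print("total:", report_total(parsed))
```

A total that does not match `score=` in X-Spam-Status (allowing for rounding) is a quick sign that a rule line was swallowed as a continuation or the reverse.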

Post by RvdH » 2021-03-09 09:46

Splendid 👌
haven't received a single spam mail where the report was messed up (yet)

Post by RvdH » 2022-03-24 18:22

Also noticed some weird stuff happening with the X-Spam-Status Header, this should fix this

Code: Select all

If oMessage.HeaderValue("X-Spam-Status") <> "" Then	
	Dim ECFlag : ECFlag = oMessage.EncodeFields
	oMessage.EncodeFields = False
	With CreateObject("VBScript.RegExp")
		.Global = True
		.IgnoreCase = True
		.Pattern = "tests=(.*) autolearn=.*"
		Dim oMatches : Set oMatches = .Execute(oMessage.HeaderValue("X-Spam-Status"))
		If oMatches.Count = 1 Then
			.Pattern = "([\x2C][\x20]){1,}"
			Dim strStatus : strStatus = .Replace(oMatches(0).Submatches(0), "," & VbCrLf & " ")
			.Pattern = "(.*tests=).*( autolearn=.*)"
			oMessage.HeaderValue("X-Spam-Status") = .Replace(oMessage.HeaderValue("X-Spam-Status"), "$1" & strStatus & "$2")
		End If
		Set oMatches = Nothing
	End With
	oMessage.EncodeFields = ECFlag
	oMessage.Save
End If

Post by mk148a » 2022-06-14 08:49

Hello dear friends,
In which file do we write these settings? EventHandlers.vbs?

Post by palinka » 2022-06-14 13:00

mk148a wrote:
2022-06-14 08:49
Hello dear friends,
In which file do we write these settings? EventHandlers.vbs?
Yes. I'm still using the simple one. Formatting issues are very rare for me.

Code: Select all

Sub OnDeliverMessage(oMessage)
	
	REM - Make X-Spam-Report Readable Again 
	If oMessage.HeaderValue("X-Spam-Report") <> "" Then
		oMessage.HeaderValue("X-Spam-Report") = Replace(oMessage.HeaderValue("X-Spam-Report"), "*", vbCrLf & " *") 
		oMessage.Save
	End If

End Sub

Post by RvdH » 2023-06-24 18:08

Looks like i finally found the reason why (ALL) the headers are FU when a message gets saved within hmailserver (standard headers & script/api added headers)

https://github.com/hmailserver/hmailser ... #L820-L823
2008-12-04
Before we used to fold using \t. Now we fold with a whitespace instead.
This change was made as a workaround to Thunderbird bug
https://bugzilla.mozilla.org/show_bug.cgi?id=460443
Bit shocked martin back in the day preferred to neglect the default and use spaces instead of tabs, especially as the bug was external, e.g. in Thunderbird, and since long fixed
If it were tabs our SA headers would look excellent and wouldn't need a script to format it

Anyone knows what the code looked like before 2008-12-04? Love to revert that change!
https://github.com/hmailserver/hmailserver/issues/115

Post by SorenR » 2023-06-25 05:31


Post by RvdH » 2023-06-25 06:16

Tried that....but to no avail, blocked by HSTS

Post by SorenR » 2023-06-25 12:33

RvdH wrote:
2023-06-25 06:16
Tried that....but to no avail, blocked by HSTS
Used the Ubuntu WSL on my Windows Server 2019. :mrgreen:

rsync -ai a.cvs.sourceforge.net::cvsroo ... /dest/dir/

Post by RvdH » 2023-06-25 13:23

Managed to get the source with TurquoiseCVS, a bit too many diffs to make sense unfortunately

Testing this, in void FieldCodeBase::Encode(AnsiString &output) const: (and maybe also in void MimeCode7bit::Encode(AnsiString &output) const ???)

Code: Select all

                  int charsSinceSpace = (int) output.size() - lastSpacePos;
                  output.Insert(lastSpacePos, "\r\n");

Code: Select all

                  int charsSinceSpace = (int) output.size() - lastSpacePos;
                  output.Insert(lastSpacePos, "\r\n\t");
Now waiting for spam :)

Post by SorenR » 2023-06-26 12:57

RvdH wrote:
2023-06-25 13:23
Managed to get the source with TurquoiseCVS, a bit too many diffs to make sense unfortunately

Testing this, in void FieldCodeBase::Encode(AnsiString &output) const: (and maybe also in void MimeCode7bit::Encode(AnsiString &output) const ???)

Code: Select all

                  int charsSinceSpace = (int) output.size() - lastSpacePos;
                  output.Insert(lastSpacePos, "\r\n");

Code: Select all

                  int charsSinceSpace = (int) output.size() - lastSpacePos;
                  output.Insert(lastSpacePos, "\r\n\t");
Now waiting for spam :)
I had a good look through the old code and I believe the only place to use "\r\n\t" is FieldCodeBase::Encode.

Post by RvdH » 2023-06-27 07:35

space or tabs seems unrelated to the X-Spam-Report formatting issues

Post by SorenR » 2023-06-27 10:06

RvdH wrote:
2023-06-27 07:35
space or tabs seems unrelated to the X-Spam-Report formatting issues
Yes and no... hMail may decode before encoding and thus break report...

That's a task for today as it is wet, windy and cold outside here ;-)

Post by RvdH » 2023-06-27 11:04

?

if both, eg: spaces and tabs make the report look like gibberish, using spaces vs. tabs is not the reason

Post by SorenR » 2023-06-27 12:39

I found that when I send mail from my server to my development server I can use this for body text to trigger a spam-report

Code: Select all

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
:mrgreen:

Code: Select all

Return-Path: <soren@acme.inc>
Delivered-To: root@home.arpa
X-Envelope-From: soren@acme.inc
X-Envelope-To: root@home.arpa
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=997.3 required=3.0 tests=ALL_TRUSTED,BAYES_00, DKIM_INVALID,DKIM_SIGNED,GTUBE,HTML_MESSAGE,SPF_PASS,TVD_SPACE_RATIO,
	 T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.2
X-Spam-Virus: No
X-Spam-Checker-Version: SpamAssassin 3.4.2 (svnunknown) Powered by @Rathje on mailserver.acme.inc
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * -1.9
	 BAYES_00 BODY: Bayes spam probability is 0 to 1% *      [score: 0.0014] *
	 -0.0 SPF_PASS SPF: sender matches SPF record * 1000 GTUBE BODY: Generic
	 Test for Unsolicited Bulk Email *  0.0 HTML_MESSAGE BODY: HTML included in
	 message *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
	 necessarily *       valid * -0.0 T_SCC_BODY_TEXT_LINE No description
	 available. *  0.0 TVD_SPACE_RATIO No description available. *  0.1
	 DKIM_INVALID DKIM or DK signature exists, but is not valid
X-Spam-ASN: 
Received-SPF: Pass (mx.home.arpa: domain of soren@acme.inc designates 192.168.0.5 as
	 permitted sender) identity=mailfrom; client-ip=192.168.0.5; helo=mx.acme.inc;
	 envelope-from=<soren@acme.inc>;
Received: from mx.acme.inc (mx.acme.inc [192.168.0.5]) by mx.home.arpa with ESMTPS (envelope-from
	 <soren@acme.inc>) for <root@home.arpa>	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
	 bits=256) ; Tue, 27 Jun 2023 12:20:24 +0200
dkim-signature: v=1; a=rsa-sha256; d=acme.inc; s=default; c=relaxed/relaxed; q=dns/txt; h=From:Reply-To:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
	 bh=2ZK2bMrrSZRzj2UYgeICH2qhcr9bl71UA8zXhjzGZUk=; b=o0NVZdWHSDna1icP8e3EUypDpyVKcxdPFp0OUqDbR0iXMtr8kHxItJZ9kch3O4UcisOczcJ2I2W/wh8Jy+sTZ/EujjCOsPhDmr+k6UDwGSOA71ZSQ/E4P2on8SiqpLAD7ZqKL9lVAM+RwvEYj7x8sHTjdmVRAM6QXUkNhPDo798=
Received: by mx.acme.inc with ESMTPSA (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
	 bits=256) ; Tue, 27 Jun 2023 12:20:24 +0200

Post by RvdH » 2023-06-27 13:01

I have written (spam) message(s) to file(s) using FSO the earliest possible, eg; OnAcceptMessage
At that point the X-Spam-Report is already gibberish, in both cases, eg: spaces and tabs

Code: Select all

'
' Save HAM/SPAM messages not autolearned
'
Dim datetime
datetime = getTimeStamp()
strRegEx = "autolearn\=(ham|spam)"
If Not Lookup(strRegEx, oMessage.HeaderValue("X-Spam-Status")) Then
    Call SaveMessages(oMessage, datetime, CBool(oMessage.HeaderValue("X-hMailServer-Spam") <> ""))
End If

' Function for getting a date/time stamp; the last two digits are hundredths of a second (Fix(fraction * 100)), not milliseconds
Function getTimeStamp()
	Dim myNow, intSeconds, intMilliseconds, strMilliseconds, intDatePart, intTimePart
	myNow = Now
	
	intSeconds = (Hour(myNow) * 3600) + (Minute(myNow) * 60) + Second(myNow)
	intMilliseconds = Timer() - intSeconds
	intMilliseconds = Fix(intMilliseconds * 100)
	
	intDatePart = (Year(myNow) * 10000) + (Month(myNow) * 100) + Day(myNow)
	intTimePart = (Hour(myNow) * 1000000) + (Minute(myNow) * 10000) + (Second(myNow) * 100) + intMilliseconds
	
	getTimeStamp = intDatePart & intTimePart 
End Function

Sub SaveMessages(oMessage, ByVal sDateTime, ByVal bIsSpam)
    Const SPAM_DIRECTORY = "E:\Email\Spam\"
    Const HAM_DIRECTORY = "E:\Email\Ham\"
    Dim objFile
    Dim objFSO
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If bIsSpam Then
        On Error Resume Next
        Set objFile = objFSO.GetFile(oMessage.Filename)
        Rem objFSO.CopyFile oMessage.Filename, SPAM_DIRECTORY, True
        objFSO.CopyFile oMessage.Filename, objFSO.BuildPath(SPAM_DIRECTORY, "{" & sDateTime & "}_" & objFSO.GetFileName(objFile)), True
        If Err.Number <> 0 Then
            EventLog.Write "SaveSpam: File copy operation for " & oMessage.Filename & " failed."
        End If
        Err.Clear
        On Error GoTo 0
    Else
        On Error Resume Next
        Set objFile = objFSO.GetFile(oMessage.Filename)
        Rem objFSO.CopyFile oMessage.Filename, HAM_DIRECTORY, True
        objFSO.CopyFile oMessage.Filename, objFSO.BuildPath(HAM_DIRECTORY, "{" & sDateTime & "}_" & objFSO.GetFileName(objFile)), True
        If Err.Number <> 0 Then
            EventLog.Write "SaveHam: File copy operation for " & oMessage.Filename & " failed."
        End If
        Err.Clear
        On Error GoTo 0
    End If
    Set objFile = Nothing
    Set objFSO = Nothing
End Sub
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

RvdH
Senior user
Posts: 3561
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Clean up X-Spam-Report

Post by RvdH » 2023-06-27 13:11

Code: Select all

'
'   Fix X-Spam-Status Formatting
'   
Dim ECFlag
ECFlag = oMessage.EncodeFields
If oMessage.HeaderValue("X-Spam-Status") <> "" Then
    oMessage.EncodeFields = False
    With CreateObject("VBScript.RegExp")
        .Global = True
        .IgnoreCase = True
        .Pattern = "tests=([\w\s\,]+) autolearn=.*"
        Dim oMatches
        Set oMatches = .Execute(oMessage.HeaderValue("X-Spam-Status"))
        If oMatches.Count = 1 Then
            .Pattern = "([\x2C][\x20])"
            Dim strStatus
            strStatus = .Replace(oMatches(0).Submatches(0), "," & vbCrLf & " ")
            .Pattern = "(.*tests=)[\w\s\,]+( autolearn=.*)"
            oMessage.HeaderValue("X-Spam-Status") = .Replace(oMessage.HeaderValue("X-Spam-Status"), "$1" & strStatus & "$2")
        End If
        Set oMatches = Nothing
    End With
    oMessage.EncodeFields = ECFlag
    oMessage.Save
End If

'
'   Fix X-Spam-Report Formatting
'   
If oMessage.HeaderValue("X-Spam-Report") <> "" Then
    Dim strReport
    oMessage.EncodeFields = False
    With CreateObject("VBScript.RegExp")
        .Global = True
        .IgnoreCase = True
        .Pattern = "([\x0D]?[\x0A])"
        strReport = .Replace(oMessage.HeaderValue("X-Spam-Report"), vbCrLf)
        Rem .Pattern = "(?=.+)([\x5D][\x20][\x5B])"
        .Pattern = "([\x5D][\x20][\x5B])"
        strReport = .Replace(strReport, "] * [")
        .Pattern = "([\x20]?[\x2A])"
        strReport = .Replace(strReport, vbCrLf & " *")
        .Pattern = "([\x2A][\x20]{1,7})(?=[\x2D]\d[\x2E]\d)"
        strReport = .Replace(strReport, "* ")  ' 1x space
        .Pattern = "([\x2A][\x20]{1,7})(?=(\d[\x2E]\d)|(\d{3})[\x20])"
        strReport = .Replace(strReport, "*  ")  ' 2x space
        .Pattern = "([\x2A][\x20]{1,})(?=[a-zA-Z]|[\x5B]|[\x28])"
        oMessage.HeaderValue("X-Spam-Report") = .Replace(strReport, "*      ")  ' 6x space
    End With
    oMessage.EncodeFields = ECFlag
    oMessage.Save
End If

Code: Select all

X-Spam-Checker-Version: SpamAssassin 4.0.0-r1906050 (2022-12-17) on mail.domain.nl
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.8 required=4.0 tests=ARC_SIGNED,ARC_VALID,BAYES_99,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,
 DNSWL_DWL_NONE,FREEMAIL_FROM,HTML_MESSAGE,LOCAL_SCAM_15,
 RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_JP,SPF_HELO_PASS,
 SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=4.0.0-r1906050
X-Spam-ASN: AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
X-Spam-Relay-Country: JP US **
X-Spam-Report: 
 * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no
 *      trust
 *      [40.92.98.48 listed in list.dnswl.org]
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 * -0.0 SPF_PASS SPF: sender matches SPF record
 * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 *      domain
 * -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
 *      envelope-from domain
 * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
 *      valid
 *  0.0 ARC_SIGNED Message has a ARC signature
 *  0.0 ARC_VALID Message has a valid ARC signature
 * -0.5 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
 *      [40.92.98.48 listed in wl.mailspike.net]
 * -0.2 DNSWL_DWL_NONE ASKDNS: dwl.dnswl.org listed, but no particular trust
 *      information available
 *      [outlook.com.dwl.dnswl.org A:127.0.3.0]
 * -0.1 DMARC_PASS DMARC pass policy
 *  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
 *      [score: 0.9949]
 *  3.0 RELAYCOUNTRY_JP Relayed through Japan at some point
 *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
 *      [chelsea.webworld(at)outlook.com]
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  0.3 LOCAL_SCAM_15 RAW: Keyword used of scams
 * -0.0 T_SCC_BODY_TEXT_LINE No description available.
Received-SPF: Pass (mail.domain.nl: domain of Chelsea.webworld@Outlook.com
 designates 40.92.98.48 as permitted sender) identity=mailfrom; client-ip=40.92.98.48;
 helo=JPN01-OS0-obe.outbound.protection.outlook.com; envelope-from=<Chelsea.webworld@Outlook.com>;
Received: from JPN01-OS0-obe.outbound.protection.outlook.com (mail-os0jpn01olkn2048.outbound.protection.outlook.com
 [40.92.98.48]) by mail.domain.nl (envelope-from <Chelsea.webworld@Outlook.com>)
 with ESMTPS for <info@recipient.nl> (version=TLSv1.2
 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256); Tue, 27 Jun 2023 13:24:23
 +0200

SorenR
Senior user
Posts: 6408
Joined: 2006-08-21 15:38
Location: Denmark

Re: Clean up X-Spam-Report

Post by SorenR » 2023-06-27 14:13

Well...

Code: Select all

   void 
   SpamAssassinClient::Cleanup_()
   {
      if (result_ != nullptr)
      {
         result_->Close();
         //FileUtilities::DeleteFile(result_->GetName());  <===== !!!!!
         result_ = nullptr;
      }
   }
produced this file in C:\hMailServer\Temp (redacted text ;-) )

Code: Select all

Return-Path: <soren@acme.inc>
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=997.3 required=3.0 tests=ALL_TRUSTED,BAYES_00,
	DKIM_INVALID,DKIM_SIGNED,GTUBE,HTML_MESSAGE,SPF_PASS,TVD_SPACE_RATIO,
	T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.2
X-Spam-Virus: No
X-Spam-Checker-Version: SpamAssassin 3.4.2 (svnunknown) Powered by @Rathje on
	mailserver.acme.inc
X-Spam-Report: 
	* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0014]
	* -0.0 SPF_PASS SPF: sender matches SPF record
	* 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
	*  0.0 TVD_SPACE_RATIO No description available.
	*  0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
X-Spam-ASN:  
Received-SPF: Pass (mx.home.arpa: domain of
	soren@acme.inc designates
	192.168.0.5 as permitted sender)
	identity=mailfrom;
	client-ip=192.168.0.5;
	helo=mx.acme.inc;
	envelope-from=<soren@acme.inc>;
Received: from mx.acme.inc (mx.acme.inc [192.168.0.5])
	by mx.home.arpa with ESMTPS
 (envelope-from
	<soren@acme.inc>)
	 for <root@home.arpa>	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256)
	; Tue, 27 Jun 2023 14:06:04 +0200
dkim-signature: v=1; a=rsa-sha256; d=acme.inc; s=default;
	c=relaxed/relaxed; q=dns/txt; h=From:Reply-To:Subject:Date:Message-ID:To:MIME-Version:Content-Type;
	bh=z0zsTWxuyJ9/wXhqaLOh9lbDgFug40VCB9gnFyrQVQ4=;
	b=iZgVrR1S13+Evc2McGpiZE0ILtVOhj/Pm983EskOhd6pIIF5oVYivxKTuEFqIq15OalMt7XJvGCUj37LguocjOE+UHWQ8iOkpDJfJie9MIPzpC1L36jfEkowoDnlA5suhNoQ65eYyqvv4TKIWNPHlJ+Uw4WkvICmPjv7Sx0+uLI=
X-Envelope-From: soren@acme.inc
X-Envelope-To: root@home.arpa
Received: by mx.acme.inc with ESMTPSA (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
 bits=256) ; Tue, 27 Jun 2023 14:06:03 +0200
So yes, somewhere hMailServer is f'ing the format up completely!

RvdH
Senior user
Posts: 3561
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Clean up X-Spam-Report

Post by RvdH » 2023-06-27 14:44

Has to be somewhere within MimeCode.cpp, that is where every 'Save' operation ends up right before writing the actual file

palinka
Senior user
Posts: 4754
Joined: 2017-09-12 17:57

Re: Clean up X-Spam-Report

Post by palinka » 2023-06-27 15:11

Guys, I don't know if this is relevant or not, or if it might give a clue or whatever, but I noticed something.

1) Spam comes in and script "fixes" X-Spam-Report
2) Spam gets forwarded to spam@spam.local for review ("fixed" report remains intact)
3) Message gets moved from spam account inbox to spam account spam folder VIA API [i.e. Copy(oMessage.ID)]
4) X-Spam-Report is scrambled again after copying message via API.

RvdH
Senior user
Posts: 3561
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Clean up X-Spam-Report

Post by RvdH » 2023-06-27 15:19

palinka wrote:
2023-06-27 15:11
Guys, I don't know if this is relevant or not, or if it might give a clue or whatever, but I noticed something.

1) Spam comes in and script "fixes" X-Spam-Report
2) Spam gets forwarded to spam@spam.local for review ("fixed" report remains intact)
3) Message gets moved from spam account inbox to spam account spam folder VIA API [i.e. Copy(oMessage.ID)]
4) X-Spam-Report is scrambled again after copying message via API.
3a) Do you do that by (global) rule?
3b) Why move it to spam folder if it is an account dedicated to review/filter spam mails?

palinka
Senior user
Posts: 4754
Joined: 2017-09-12 17:57

Re: Clean up X-Spam-Report

Post by palinka » 2023-06-27 15:35

RvdH wrote:
2023-06-27 15:19
3a) Do you do that by (global) rule?
No, it's part of a PHP thing I'm working on. Click a button "move to spam" and it finds the user's spam folder by ID (can be any user - not locked to the spam review account), then copies the message to spam, then deletes the original message. The copied version now located in the spam folder is the one with X-Spam-Report messed up.
3b) Why move it to spam folder if it is an account dedicated to review/filter spam mails?
The account is for review. Sometimes I get false positives that I don't want scanned by Bayes as spam. Messages to any user marked as spam get forwarded to the spam account inbox regardless of score. Everything with score > 0 gets reviewed. Then I decide if it's spam or ham and place it into either spam folder (will get picked up by Bayes as spam) or ham folder (will get picked up by Bayes as ham).

A and B are virtually unrelated. In fact, I'm trying to replace B with A. My point earlier was that the report goes haywire when moved via API. I guess what that really means is that the vbCrLf's that were inserted by the "Make X-Spam-Report Readable Again" script are all removed after Copy(Folder.ID) [FYI, I mis-wrote oMessage.ID above].

RvdH
Senior user
Posts: 3561
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Clean up X-Spam-Report

Post by RvdH » 2023-06-27 15:52

palinka wrote:
2023-06-27 15:35
RvdH wrote:
2023-06-27 15:19
3a) Do you do that by (global) rule?
No, it's part of a PHP thing I'm working on. Click a button "move to spam" and it finds the user's spam folder by ID (can be any user - not locked to the spam review account), then copies the message to spam, then deletes the original message. The copied version now located in the spam folder is the one with X-Spam-Report messed up.
3b) Why move it to spam folder if it is an account dedicated to review/filter spam mails?
The account is for review. Sometimes I get false positives that I don't want scanned by Bayes as spam. Messages to any user marked as spam get forwarded to the spam account inbox regardless of score. Everything with score > 0 gets reviewed. Then I decide if it's spam or ham and place it into either spam folder (will get picked up by Bayes as spam) or ham folder (will get picked up by Bayes as ham).

A and B are virtually unrelated. In fact, I'm trying to replace B with A. My point earlier was that the report goes haywire when moved via API. I guess what that really means is that the vbCrLf's that were inserted by the "Make X-Spam-Report Readable Again" script are all removed after Copy(Folder.ID) [FYI, I mis-wrote oMessage.ID above].
Considering you are making a copy and saving it as a new message, the same flaw gets triggered in (likely) MimeCode.cpp when saving, resulting in the formatting being FU again

palinka
Senior user
Posts: 4754
Joined: 2017-09-12 17:57

Re: Clean up X-Spam-Report

Post by palinka » 2023-06-27 16:14

RvdH wrote:
2023-06-27 15:52
palinka wrote:
2023-06-27 15:35
RvdH wrote:
2023-06-27 15:19
3a) Do you do that by (global) rule?
No, it's part of a PHP thing I'm working on. Click a button "move to spam" and it finds the user's spam folder by ID (can be any user - not locked to the spam review account), then copies the message to spam, then deletes the original message. The copied version now located in the spam folder is the one with X-Spam-Report messed up.
3b) Why move it to spam folder if it is an account dedicated to review/filter spam mails?
The account is for review. Sometimes I get false positives that I don't want scanned by Bayes as spam. Messages to any user marked as spam get forwarded to the spam account inbox regardless of score. Everything with score > 0 gets reviewed. Then I decide if it's spam or ham and place it into either spam folder (will get picked up by Bayes as spam) or ham folder (will get picked up by Bayes as ham).

A and B are virtually unrelated. In fact, I'm trying to replace B with A. My point earlier was that the report goes haywire when moved via API. I guess what that really means is that the vbCrLf's that were inserted by the "Make X-Spam-Report Readable Again" script are all removed after Copy(Folder.ID) [FYI, I mis-wrote oMessage.ID above].
Considering you are making a copy and saving it as a new message, the same flaw gets triggered in (likely) MimeCode.cpp when saving, resulting in the formatting being FU again
One thing is for sure - forwarding message by global rule (e.g. forwarding spam message to spam review account) does NOT wreck the "fix". That's weird because in both cases - forwarding or copying via API - a new message is created with a new message ID.

RvdH
Senior user
Posts: 3561
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Clean up X-Spam-Report

Post by RvdH » 2023-06-27 16:21

Where is the Formatting Fix located? Likely in OnDeliverMessage, no? E.g. forwarding is delivered again, whereas only making a copy isn't :idea: :lol:

palinka
Senior user
Posts: 4754
Joined: 2017-09-12 17:57

Re: Clean up X-Spam-Report

Post by palinka » 2023-06-27 16:45

RvdH wrote:
2023-06-27 16:21
Where is the Formatting Fix located? Likely in OnDeliverMessage, no? E.g. forwarding is delivered again, whereas only making a copy isn't :idea: :lol:
Makes sense, I guess. I just assumed copy means copy without adding or changing headers or anything else.

RvdH
Senior user
Posts: 3561
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Clean up X-Spam-Report

Post by RvdH » 2024-10-27 15:53

Above I posted something that (should) fix both the X-Spam-Status and X-Spam-Report values, but the way it is posted there is wrong:
the second call to .Save() (for X-Spam-Report) cripples the X-Spam-Status entry again, so you had better do:

Code: Select all

    '
    '   Fix SpamAssassin Formatting
    '  
    Dim ECFlag, oMatches, strStatus, strReport
    If oMessage.HeaderValue("X-Spam-Status") <> "" Then
        ECFlag = oMessage.EncodeFields
        oMessage.RefreshContent()
        oMessage.EncodeFields = False
        '
        '   Fix X-Spam-Status Formatting
        '  
        With CreateObject("VBScript.RegExp")
            .Global = True
            .IgnoreCase = True
            .Pattern = "tests=([\w\s\,]+)(?=(?: shortcircuit=.*)? autolearn=.*)"
            Set oMatches = .Execute(oMessage.HeaderValue("X-Spam-Status"))
            If oMatches.Count > 0 Then
                .Pattern = "([\x2C][\x20])"
                strStatus = .Replace(oMatches(0).Submatches(0), "," & vbCrLf & " ")
                .Pattern = "(.*tests=)[\w\s\,]+((?: shortcircuit=.*)? autolearn=.*)"
                oMessage.HeaderValue("X-Spam-Status") = .Replace(oMessage.HeaderValue("X-Spam-Status"), "$1" & strStatus & "$2")
            End If
            Set oMatches = Nothing
        End With
        '
        '   Fix X-Spam-Report Formatting
        '   
        If oMessage.HeaderValue("X-Spam-Report") <> "" Then
            With CreateObject("VBScript.RegExp")
                .Global = True
                .IgnoreCase = True
                .Pattern = "([\x0D]?[\x0A]){1,}"
                strReport = .Replace(oMessage.HeaderValue("X-Spam-Report"), vbCrLf)
                .Pattern = "([\x5D][\x20][\x5B])"
                strReport = .Replace(strReport, "] * [")
                .Pattern = "([\x20]?[\x2A])"
                strReport = .Replace(strReport, vbCrLf & " *")
                .Pattern = "([\x2A][\x20]{1,7})(?=[\x2D]\d[\x2E]\d)"
                strReport = .Replace(strReport, "* ")  ' 1x space
                .Pattern = "([\x2A][\x20]{1,7})(?=(\d[\x2E]\d)|(\d{3})[\x20])"
                strReport = .Replace(strReport, "*  ")  ' 2x space
                .Pattern = "([\x2A][\x20]{1,})(?=[a-zA-Z]|[\x5B]|[\x28])"
                oMessage.HeaderValue("X-Spam-Report") = .Replace(strReport, "*      ")  ' 6x space
            End With
        End If 
        oMessage.EncodeFields = ECFlag
        oMessage.Save()
    End If

The biggest issue seems to be that the header value is checked against the 76 char line limit, but for a folded header value the first line should keep in mind the header name length and subtract that from the header value when calculating the line limit. This seems to be ignored and is exactly the reason why the first lines in X-Spam-Status, and for example also DKIM signatures, are too long (e.g. > 76 chars) when saved.
Ideally, encoding the header value should keep the header name in mind: those together shouldn't be longer than 76 chars, in particular for the 1st line. This is exactly what makes the X-Spam-Status reset itself with every call to .Save()

As for the X-Spam-Report header, sequential spaces are stripped when calling .Save() repeatedly: on the 1st save everything is fine, but if you later call .Save() again it is FU again

FYI, if you change a folded header from within scripts, all line breaks in the source are stripped (unfolded internally) in the value returned by oMessage.HeaderValue("header name"), so once you save it again hms internally calculates and folds the header value against the line char limit, and not against (header value - header name) < line char limit
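The first-line budget described in the post above, as an added example in C++ (not hMailServer's MimeCode.cpp and not code from this thread). The function names and the `count_name` switch are hypothetical, the sample header values are constructed, and the 76 character limit is the one named in the post; folding only ever inserts CRLF in front of existing whitespace, so runs of spaces survive repeated fold/unfold cycles.

```cpp
#include <algorithm>
#include <iostream>
#include <string>

// Constructed sample values (not from a real message): an unfolded
// X-Spam-Status value and an X-Spam-Report fragment with a run of spaces.
const std::string kStatusName = "X-Spam-Status";
const std::string kStatusValue =
    "Yes, score=5.8 required=4.0 tests=ARC_SIGNED,ARC_VALID,BAYES_99, "
    "DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS, "
    "SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no "
    "version=4.0.0";
const std::string kReportName = "X-Spam-Report";
const std::string kReportValue =
    "* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% "
    "*      [score: 0.0014] * -0.0 SPF_PASS SPF: sender matches SPF record";

static bool is_wsp(char c) { return c == ' ' || c == '\t'; }

// Fold "name: value" by inserting CRLF in front of existing whitespace only,
// so no character of the value is added or dropped.
// count_name = false models the behaviour described in the post: the value
// is measured against the limit as if the first line started at column 0.
std::string fold_header(const std::string& name, const std::string& value,
                        std::size_t limit, bool count_name) {
    std::string out = name + ": ";
    std::size_t col = count_name ? out.size() : 0;  // columns used so far
    std::size_t i = 0;
    while (i < value.size()) {
        // A token is a run of whitespace followed by a run of non-whitespace.
        std::size_t text = i;
        while (text < value.size() && is_wsp(value[text])) ++text;
        std::size_t end = text;
        while (end < value.size() && !is_wsp(value[end])) ++end;
        const std::size_t len = end - i;
        // Only break where the continuation line starts with whitespace
        // and still carries text (never emit a whitespace-only line).
        const bool can_break = text > i && end > text;
        if (can_break && col + len > limit) {
            out += "\r\n";
            col = 0;
        }
        out.append(value, i, len);
        col += len;
        i = end;
    }
    return out;
}

// Unfolding: drop every CRLF that is directly followed by whitespace.
std::string unfold(const std::string& folded) {
    std::string out;
    for (std::size_t i = 0; i < folded.size(); ++i) {
        if (folded[i] == '\r' && i + 2 < folded.size() &&
            folded[i + 1] == '\n' && is_wsp(folded[i + 2])) {
            ++i;  // skip the LF as well; the whitespace itself is kept
            continue;
        }
        out += folded[i];
    }
    return out;
}

// Length of the longest physical line (CRLF excluded).
std::size_t longest_line(const std::string& folded) {
    std::size_t best = 0, start = 0;
    while (true) {
        const std::size_t end = folded.find("\r\n", start);
        const std::size_t stop = (end == std::string::npos) ? folded.size() : end;
        best = std::max(best, stop - start);
        if (end == std::string::npos) break;
        start = end + 2;
    }
    return best;
}

int main() {
    const std::string naive = fold_header(kStatusName, kStatusValue, 76, false);
    const std::string fixed = fold_header(kStatusName, kStatusValue, 76, true);
    std::cout << "name ignored, longest line: " << longest_line(naive) << "\n"
              << naive << "\n\n"
              << "name counted, longest line: " << longest_line(fixed) << "\n"
              << fixed << "\n";
    return 0;
}
```
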

katip
Senior user
Posts: 1209
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Clean up X-Spam-Report

Post by katip » 2024-10-27 17:55

JAM SA puts * between scores. At least it's a clue.
SA of ProxmoxMG inserts exactly like this:

Code: Select all

X-Spam-Test-Scores: Spam detection results:  31 BAYES_99                  4.5 Bayes spam
 probability is 99 to 100% BAYES_999                   1 Bayes spam
 probability is 99.9 to 100% BH_BAD_HELO_CTLD          2.5 Bad country TLD
 in HELO/EHLO BH_FROM_COUNTRY_1         3.5 High risk dubious countries
 DKIM_INVALID              0.1 DKIM or DK signature exists, but is not
 valid DKIM_SIGNED               0.1 Message has a DKIM or DK signature,
 not necessarily valid DMARC_NONE                0.1 DMARC none policy
 ENA_SUBJ_LONG_WORD        2.2 Subject has a very long word GB_SUBJ25      
 0.5 Subject with no Spaces HTML_FONT_LOW_CONTRAST  0.001 HTML font color
 similar or identical to background HTML_IMAGE_RATIO_02     0.001 HTML has
 a low ratio of text to image area HTML_MESSAGE            0.001 HTML
 included in message KAM_DMARC_NONE           0.25 DKIM has Failed or SPF
 has failed on the message and the domain has no DMARC policy
 KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with
 Strict Alignment MIXED_HREF_CASE         1.999 Has href in mixed case
 RCVD_IN_BL_SPAMCOP_NET  1.347 Received via a relay in bl.spamcop.net
 RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
 RCVD_IN_MSPIKE_BL         0.8 Mailspike blocklisted RCVD_IN_MSPIKE_L5     
 0.001 Very bad reputation (-5) RCVD_IN_SBL_CSS         3.335 Received via
 a relay in Spamhaus SBL-CSS RCVD_IN_XBL             0.375 Received via a
 relay in Spamhaus XBL T_REMOTE_IMAGE           0.01 Message contains an
 external image T_SPF_HELO_TEMPERROR     0.01 SPF: test of HELO record
 failed (temperror) T_SPF_TEMPERROR          0.01 SPF: test of record
 failed (temperror) URIBL_ABUSE_SURBL        3.25 Contains an URL listed in
 the ABUSE SURBL blocklist [service.cegwkb80.cn,aeoncardaone.co.jp.dldlk.com]
 URIBL_DBL_PHISH           3.5 Contains a Phishing URL listed in the
 Spamhaus DBL blocklist [service.cegwkb80.cn] URIBL_PH_SURBL           0.61
 Contains an URL listed in the PH SURBL blocklist [aeoncardaone.co.jp.dldlk.com,service.cegwkb80.cn]
Total garbage, it simply drove me mad. Not to mention parsing problems, there were other complications such as seen:

Code: Select all

URIBL_PH_SURBL           0.61 Contains an URL listed in the PH SURBL blocklist [aeoncardaone.co.jp.dldlk.com,service.cegwkb80.cn]
where the part in brackets can be much longer with some more domains AND no space after commas.
Finally I decided to save the whole initial X-Spam-Test-Scores to a temp txt, parse, hack and format it there and replace the header with the result. Here is an example:

Code: Select all

X-Spam-Test-Scores: 
 *    4.5   BAYES_99 - Bayes spam probability is 99 to 100%
 *    1.9   BAYES_999 - Bayes spam probability is 99.9 to 100%
 *    3.5   BH_LIST_UNSUBSCRIBE - Mailing List Unsubscribe
 *    0.1   DKIM_SIGNED - Message has a DKIM or DK signature, not
            necessarily valid
 *   -0.001 DKIM_VALID - Message has at least one valid DKIM or DK
            signature
 *    0.1   DMARC_MISSING - Missing DMARC policy
 *    0.17  HEADER_FROM_DIFFERENT_DOMAINS - From and EnvelopeFrom 2nd
            level mail domains are different
 *    0.001 HTML_IMAGE_RATIO_02 - HTML has a low ratio of text to image
            area
 *    0.001 HTML_MESSAGE - HTML included in message
 *    0.5   KAM_REALLYHUGEIMGSRC - Spam with image tags with ridiculously
            huge http urls
 *    5     KAM_VERY_BLACK_DBL - Email that hits both URIBL Black and
            Spamhaus DBL
 *    0.1   MIME_HTML_MOSTLY - Multipart message mostly text/html MIME
 *    0.79  MPART_ALT_DIFF - HTML and text parts are different
 *    1.886 RAZOR2_CF_RANGE_51_100 - Razor2 gives confidence level above
            50%
 *    0.922 RAZOR2_CHECK - Listed in Razor2 (http://razor.sf.net/)
 *    3.335 RCVD_IN_SBL_CSS - Received via a relay in Spamhaus SBL-CSS
 *    0.001 SPF_HELO_NONE - SPF: HELO does not publish an SPF Record
 *   -0.001 SPF_PASS - SPF: sender matches SPF record
 *    3.25  URIBL_ABUSE_SURBL - Contains an URL listed in the ABUSE SURBL
            blocklist [info.maileffective.net.pl, maileffective.net.pl,
            system.maileffective.net.pl]
 *    2.5   URIBL_BLACK - Contains an URL listed in the URIBL blacklist
            [maileffective.net.pl]
 *    3.5   URIBL_DBL_SPAM - Contains a spam URL listed in the Spamhaus DBL
            blocklist [info.maileffective.net.pl, maileffective.net.pl,
            system.maileffective.net.pl]
 *    1.55  URIBL_SBL_A - Contains URL's A record listed in the Spamhaus
            SBL blocklist [185.243.30.42]
not bad eh?

And when I was coping with tests, a mistake I made started to trigger an endless loop (and as a result high CPU) with certain mails, which caused me to post the silly assumption below, which in fact was totally irrelevant: viewtopic.php?f=10&t=42445
My confession, taking this opportunity.. :oops:
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 4.0.0, ClamAV 0.103.8

RvdH
Senior user
Posts: 3561
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Clean up X-Spam-Report

Post by RvdH » 2024-10-27 20:33

katip wrote:
2024-10-27 17:55
JAM SA puts * between scores. At least it's a clue.
SA of ProxmoxMG inserts exactly like this:

Code: Select all

X-Spam-Test-Scores: Spam detection results:  31 BAYES_99                  4.5 Bayes spam
 probability is 99 to 100% BAYES_999                   1 Bayes spam
 probability is 99.9 to 100% BH_BAD_HELO_CTLD          2.5 Bad country TLD
 in HELO/EHLO BH_FROM_COUNTRY_1         3.5 High risk dubious countries
 DKIM_INVALID              0.1 DKIM or DK signature exists, but is not
 valid DKIM_SIGNED               0.1 Message has a DKIM or DK signature,
 not necessarily valid DMARC_NONE                0.1 DMARC none policy
 ENA_SUBJ_LONG_WORD        2.2 Subject has a very long word GB_SUBJ25      
 0.5 Subject with no Spaces HTML_FONT_LOW_CONTRAST  0.001 HTML font color
 similar or identical to background HTML_IMAGE_RATIO_02     0.001 HTML has
 a low ratio of text to image area HTML_MESSAGE            0.001 HTML
 included in message KAM_DMARC_NONE           0.25 DKIM has Failed or SPF
 has failed on the message and the domain has no DMARC policy
 KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with
 Strict Alignment MIXED_HREF_CASE         1.999 Has href in mixed case
 RCVD_IN_BL_SPAMCOP_NET  1.347 Received via a relay in bl.spamcop.net
 RCVD_IN_HOSTKARMA_BL      1.5 Sender listed in HOSTKARMA-BLACK
 RCVD_IN_MSPIKE_BL         0.8 Mailspike blocklisted RCVD_IN_MSPIKE_L5     
 0.001 Very bad reputation (-5) RCVD_IN_SBL_CSS         3.335 Received via
 a relay in Spamhaus SBL-CSS RCVD_IN_XBL             0.375 Received via a
 relay in Spamhaus XBL T_REMOTE_IMAGE           0.01 Message contains an
 external image T_SPF_HELO_TEMPERROR     0.01 SPF: test of HELO record
 failed (temperror) T_SPF_TEMPERROR          0.01 SPF: test of record
 failed (temperror) URIBL_ABUSE_SURBL        3.25 Contains an URL listed in
 the ABUSE SURBL blocklist [service.cegwkb80.cn,aeoncardaone.co.jp.dldlk.com]
 URIBL_DBL_PHISH           3.5 Contains a Phishing URL listed in the
 Spamhaus DBL blocklist [service.cegwkb80.cn] URIBL_PH_SURBL           0.61
 Contains an URL listed in the PH SURBL blocklist [aeoncardaone.co.jp.dldlk.com,service.cegwkb80.cn]
Total garbage, it simply drove me mad. Not to mention parsing problems, there were other complications such as seen:

Code: Select all

URIBL_PH_SURBL           0.61 Contains an URL listed in the PH SURBL blocklist [aeoncardaone.co.jp.dldlk.com,service.cegwkb80.cn]
where the part in brackets can be much longer with some more domains AND no space after commas.
Finally I decided to save the whole initial X-Spam-Test-Scores to a temp txt, parse, hack and format it there and replace the header with the result. Here is an example:

Code: Select all

X-Spam-Test-Scores: 
 *    4.5   BAYES_99 - Bayes spam probability is 99 to 100%
 *    1.9   BAYES_999 - Bayes spam probability is 99.9 to 100%
 *    3.5   BH_LIST_UNSUBSCRIBE - Mailing List Unsubscribe
 *    0.1   DKIM_SIGNED - Message has a DKIM or DK signature, not
            necessarily valid
 *   -0.001 DKIM_VALID - Message has at least one valid DKIM or DK
            signature
 *    0.1   DMARC_MISSING - Missing DMARC policy
 *    0.17  HEADER_FROM_DIFFERENT_DOMAINS - From and EnvelopeFrom 2nd
            level mail domains are different
 *    0.001 HTML_IMAGE_RATIO_02 - HTML has a low ratio of text to image
            area
 *    0.001 HTML_MESSAGE - HTML included in message
 *    0.5   KAM_REALLYHUGEIMGSRC - Spam with image tags with ridiculously
            huge http urls
 *    5     KAM_VERY_BLACK_DBL - Email that hits both URIBL Black and
            Spamhaus DBL
 *    0.1   MIME_HTML_MOSTLY - Multipart message mostly text/html MIME
 *    0.79  MPART_ALT_DIFF - HTML and text parts are different
 *    1.886 RAZOR2_CF_RANGE_51_100 - Razor2 gives confidence level above
            50%
 *    0.922 RAZOR2_CHECK - Listed in Razor2 (http://razor.sf.net/)
 *    3.335 RCVD_IN_SBL_CSS - Received via a relay in Spamhaus SBL-CSS
 *    0.001 SPF_HELO_NONE - SPF: HELO does not publish an SPF Record
 *   -0.001 SPF_PASS - SPF: sender matches SPF record
 *    3.25  URIBL_ABUSE_SURBL - Contains an URL listed in the ABUSE SURBL
            blocklist [info.maileffective.net.pl, maileffective.net.pl,
            system.maileffective.net.pl]
 *    2.5   URIBL_BLACK - Contains an URL listed in the URIBL blacklist
            [maileffective.net.pl]
 *    3.5   URIBL_DBL_SPAM - Contains a spam URL listed in the Spamhaus DBL
            blocklist [info.maileffective.net.pl, maileffective.net.pl,
            system.maileffective.net.pl]
 *    1.55  URIBL_SBL_A - Contains URL's A record listed in the Spamhaus
            SBL blocklist [185.243.30.42]
not bad eh?

And when I was coping with tests, a mistake I made started to trigger an endless loop (and as a result high CPU) with certain mails, which caused me to post the silly assumption below, which in fact was totally irrelevant: viewtopic.php?f=10&t=42445
My confession, taking this opportunity.. :oops:

Script above produces:

X-Spam-Checker-Version: SpamAssassin 4.0.2-r1919157 (2024-07-12) on mail.mydomain.nl
X-Spam-Flag: YES
X-Spam-Level: ****
X-Spam-Status: Yes, score=4.9 required=4.0 tests=BAYES_00,CUSTOM_MANY_EXTRA_BL,
 DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
 DMARC_PASS,HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_ONLY_12,
 HTML_MESSAGE,KAM_BODY_MARKETINGBL_PCCC,KAM_FROM_MARKETINGBL_PCCC,
 KAM_MARKETINGBL_PCCC,LOCAL_URI_TRACKINGURI,PCCC_HDR_MARKETINGBL,
 RCVD_IN_DNSWL_NONE,RCVD_IN_JUSTSPAM,RCVD_IN_ZEROSPAM,SPF_HELO_PASS,
 SPF_PASS,TXREP,T_REMOTE_IMAGE,URIBL_GREY shortcircuit=no autolearn=no
 autolearn_force=no version=4.0.2-r1919157
X-Spam-ASN: AS14782 THEROCKETSCIENCEGROUP
X-Spam-Relay-Country: US ** NL
X-Spam-Report: 
 * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no
 *      trust
 *      [198.2.145.20 listed in list.dnswl.org]
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
 *      valid
 * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 * -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
 *      envelope-from domain
 * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 *      domain
 *  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
 *      [URI: mandrillapp.com]
 *  0.0 KAM_FROM_MARKETINGBL_PCCC RBL: From address associated with
 *      mass-marketing (https://raptor.pccc.com/RBL)
 *      [listed in mandrillapp.com.wild.pccc.com]
 *  0.0 PCCC_HDR_MARKETINGBL RBL: Address in email headers associated with
 *      mass-marketing (https://raptor.pccc.com/RBL)
 *      [listed in mandrillapp.com.wild.pccc.com]
 *  0.0 KAM_BODY_MARKETINGBL_PCCC Body contains URI associated with
 *      mass-marketing (https://raptor.pccc.com/RBL)
 *      [URI: mandrillapp.com]
 *  0.2 RCVD_IN_ZEROSPAM RBL: Listed in Zero Spam DNSBL
 *      [198.2.145.20 listed in bl.0spam.org]
 * -0.1 DMARC_PASS DMARC pass policy
 *  1.0 KAM_MARKETINGBL_PCCC Message contains URI associated with
 *      mass-marketing (https://raptor.pccc.com/RBL)
 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 *  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
 *      domains are different
 *  0.5 LOCAL_URI_TRACKINGURI URI: tracking
 *  2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 * -0.0 DKIMWL_WL_MED DKIMwl.org - Medium trust sender
 *  0.0 T_REMOTE_IMAGE Message contains an external image
 *  0.1 TXREP TXREP: Score normalizing based on sender's reputation
 *  0.5 RCVD_IN_JUSTSPAM RBL: Listed in dnsbl.justspam.org.
 *      [198.2.145.20 listed in dnsbl.justspam.org]
 *  2.0 CUSTOM_MANY_EXTRA_BL Message received in more than 2 extra RBLs
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

katip
Senior user
Posts: 1209
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Clean up X-Spam-Report

Post by katip » 2024-10-27 21:23

Nice.
I don't remember in detail how JAM SA wrote X-Spam-Report but what if
...Contains a spam URL listed in the Spamhaus DBL blocklist [templates.postmail.net.pl,maileffective.net.pl,info.maileffective.net.pl,system.maileffective.net.pl]
(watch out 102 chars monoblock)
or does it indent/align all cols properly if one score were 103.335 or -1.699 for example?
Just curious, because I can't go back to JAM SA and test.
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 4.0.0, ClamAV 0.103.8

RvdH
Senior user
Posts: 3561
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Clean up X-Spam-Report

Post by RvdH » 2024-10-28 09:32

X-Spam-Report != X-Spam-Test-Scores, no 2 digit scores in reports (these values are rounded)
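The two cases asked about above (a wider score such as 103.335 next to -1.699, and a 102-character token with no spaces), as an added example in plain JavaScript; it is not code from any post in this thread and not hMailServer's API. The function names, the rule-object shape and the 78-column fold width are assumptions, and the control-character stripping goes beyond the question to cover descriptions that carry CR/LF from message content.

```javascript
const MAX_COL = 78;    // preferred width of a folded header line (RFC 5322)
const HARD_MAX = 998;  // RFC 5322 hard limit per line, excluding CRLF

// CR/LF or other control characters inside a rule description would let
// message content start a new header line, so collapse them to one space.
function sanitize(text) {
  return String(text).replace(/[\x00-\x1f\x7f]+/g, ' ').trim();
}

// rules: [{ score: Number, name: String, desc: String }] (assumed shape)
function reportLines(rules, decimals = 1) {
  const scores = rules.map(r => r.score.toFixed(decimals)); // rounded, as in reports
  const width = Math.max(0, ...scores.map(s => s.length));  // widest score sets the column
  const cont = ' * ' + ' '.repeat(width) + ' ';             // continuation-line prefix
  const chunk = new RegExp('.{1,' + (HARD_MAX - cont.length) + '}', 'g');
  const lines = [];
  rules.forEach((r, i) => {
    // Split on whitespace only; a token longer than the hard limit is cut.
    const words = (sanitize(r.name) + ' ' + sanitize(r.desc)).trim()
      .split(/\s+/).flatMap(w => w.match(chunk) || []);
    let line = ' * ' + scores[i].padStart(width) + ' ';
    let empty = true;
    for (const word of words) {
      // Fold before the word if it does not fit; an oversized token still
      // gets a line of its own instead of being broken mid-hostname.
      if (!empty && line.length + 1 + word.length > MAX_COL) {
        lines.push(line);
        line = cont;
        empty = true;
      }
      line += (empty ? '' : ' ') + word;
      empty = false;
    }
    lines.push(line);
  });
  return lines;
}

function formatSpamReport(rules) {
  return 'X-Spam-Report:\r\n' + reportLines(rules).join('\r\n');
}

// Constructed input: the scores and the 102-character token from the question
// above, plus a description carrying a CR/LF header-injection attempt.
const SAMPLE = [
  { score: 103.335, name: 'URIBL_DBL_SPAM', desc: 'Contains a spam URL listed in the Spamhaus DBL blocklist ' +
    '[templates.postmail.net.pl,maileffective.net.pl,info.maileffective.net.pl,system.maileffective.net.pl]' },
  { score: -1.699, name: 'BAYES_00', desc: 'BODY: Bayes spam probability is 0 to 1%\r\nX-Injected: yes' },
];
```

With `SAMPLE`, the 102-character token lands on its own continuation line (111 characters wide, over the preferred 78 but far below the 998 hard limit), and the injected `X-Injected:` text stays inside the BAYES_00 line instead of becoming a header of its own.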
