[Mimedefang] Re: Rejecting spam

Jim McCullars jim at info.uah.edu
Mon Jul 14 11:33:21 EDT 2008



On Sat, 12 Jul 2008, Nigel Allen wrote:

> Given I'm not a perl acolyte, can anyone tell me exactly what is the
> string we expect to get back in $report? In fact what comes back in
> $names too?

   Let's start with the easy one first.  $names is simply a
comma-separated list of all SA tests that passed.  It might look something
like this:

FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,HTML_MESSAGE

   $report is basically the same as what you would get if you ran the
spamassassin program from the command line.  It looks something like this:

Content analysis details:   (36.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 UAH_GREET_11           Envelope sender is egreetings.com
 0.0 MISSING_MID            Missing Message-Id: header
 0.0 MISSING_DATE           Missing Date: header
 1.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
[SPF failed: Please see
http://www.openspf.org/why.html?sender=egreeting%40egreetings.com&ip=210.0.78.38&receiver=smtp-in1]
 2.5 MISSING_HB_SEP         Missing blank line between message header and
body
 1.6 MISSING_HEADERS        Missing To: header
 3.0 UAH_GREET_1            BODY: Greeting card phrase
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: linewill.com]
 0.9 URIBL_RHS_DOB          Contains an URI of a new domain (Day Old Bread)
                            [URIs: linewill.com]
 2.9 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: linewill.com]
 1.6 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: linewill.com]
 5.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: linewill.com]
 2.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: linewill.com]
 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: linewill.com]
 5.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: linewill.com]


So if you look at the regexp that I originally posted:

	/URIBL_(SC|WS)_SURBL.+\n\s+\[URIs:\s(.+)]/

It looks for either URIBL_SC_SURBL or URIBL_WS_SURBL followed by some
number of characters, then a linefeed, then the string [URIs: then a
space, then the domain that the hit was on, then the closing bracket.  It
puts the domain in $2 because of the parentheses.

Hmm, now that I look at it, because perl regexps do greedy matching, my
test should probably be putting the entire two lines below URIBL_WS_SURBL
into $2 rather than just the domain (linewill.com, in this case).  It
probably just happens that URIBL_WS_SURBL is usually the last line of the
report and I'm just lucky.  But I digress...

Hope this helps...

Jim McCullars
University of Alabama in Huntsville
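
Added example, not part of the original post: it runs the regexp as posted over a constructed report excerpt to show what lands in $2 (in Perl, `.` does not match a newline unless /s is given), then extracts every URIBL rule with its listed domains. The helper name `uribl_hits` is hypothetical and example.net / example.org are placeholder domains.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed excerpt in the layout of the report quoted above.
# example.net / example.org are placeholder domains.
my $report = <<'END';
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: example.net]
 2.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: example.net example.org]
 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: example.net]
 5.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: example.net]
END

# 1. The regexp as posted. Without /s, "." never matches "\n", so (.+)
#    cannot run past the end of the [URIs: ...] line; it captures
#    everything between "[URIs: " and the last "]" on that line.
if ($report =~ /URIBL_(SC|WS)_SURBL.+\n\s+\[URIs:\s(.+)]/) {
    print "posted regexp: list=$1 captured='$2'\n";
}

# 2. Hypothetical helper: return { rule => [domains] } for every URIBL
#    rule in the report. [^\]\n]+ stops at the first "]" and can never
#    cross a line; a URIs line with several domains is split on spaces.
sub uribl_hits {
    my ($text) = @_;
    my %hits;
    while ($text =~ /^\s*-?[\d.]+\s+(URIBL_\w+)\b[^\n]*\n[ \t]+\[URIs:\s+([^\]\n]+)\]/mg) {
        push @{ $hits{$1} }, split ' ', $2;
    }
    return \%hits;
}

my $hits = uribl_hits($report);
for my $rule (sort keys %$hits) {
    print "$rule: @{ $hits->{$rule} }\n";
}
```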




