Spam Action rules: first match vs. all match?

Jay Berkenbilt ejb at QL.ORG
Mon Jul 28 17:22:10 IST 2003


My MailScanner version is 4.21-9, but, based on NEWS, I don't think
this issue has been addressed by 4.22-5.  I'm using SpamAssassin
2.55.  These are both installed on an Intel RedHat 9 box.  I have no
virus scanners activated and am using this only as a spam filter (for
which it is fabulous, by the way!).

The spammer technique of putting the recipient of a message in
both the To and From fields of a message seems to be increasing in
popularity lately.  I've seen an explosion of these in the last two
weeks or so.  I'm talking about something like this (with : replaced
by ; in the headers below to avoid confusing any mail readers):

  To; Some Local User <someuser at some.domain>
  From; Random Spammer <someuser at some.domain>

We have the spam action "bounce" set for all spam.  This means that
our own users get a lot of bounce notices from MailScanner from spam
it looks like they sent to themselves.  A surprising number of users
get confused by this and think that they are getting notified of a
blocked message TO them instead.  Besides, it's annoying.

I tried to stop this from happening by having the following rules in
my spam actions rules file:

FromAndTo:      *@primary.domain        forward zzz at yyy
To:             *@primary.domain        bounce forward zzz at yyy
FromOrTo:       default                 deliver forward zzz at yyy

Note that our mail server handles mail for multiple domains, and I
only want bounces for primary.domain.  (primary.domain and zzz at yyy
are, of course, substitutions for the actual values.)

This doesn't work as hoped.  Our internal users are still getting
bounces.  After groveling through the code, it appears that rules
files can be configured as first match or all match.  In the "first"
match case, actions associated with the first matching rule are taken.
In the "all" match case, if any rules other than the default match,
the union of the actions in all matching rules other than the default
rule are taken, and if no rule (i.e., only the default rule) matches,
then the default rule's actions are used.  This would certainly
explain why the above rules don't work.  In fact, a FromAndTo rule
with any domain matched by any other rule can never have fewer actions
than a From or To rule.  It seems to me that I would either need
something like a FromAndNotTo rule or a different matching scheme.

I suppose I could just modify ConfigDefs.pl and move the SpamActions
line to a different category such as [First,YesNo], but I'm reluctant
to do that without studying the code a bit more to ensure that this
won't have any surprising side effects.

My questions:

 1.  Would it be safe for me to just move SpamActions into
     [First,YesNo] as I'm guessing?

 2.  With regular expressions, it seems like anything that you can do
     with an All rule you could do with a First rule, though it may be
     more cumbersome in some cases.  Maybe I could think of a
     counterexample, but I haven't so far.  Is there a compelling
     reason why SpamActions isn't a First rule or can't be configured
     at run-time to be a First rule?  (I could see backward
     compatibility as a significant factor here since previously valid
     files would remain valid but do something completely different.)

 3.  Is anyone thinking about making the rule specification more
     general to avoid this kind of problem?

 4.  Is having a special case to match the case of the From and the
     To address matching worth even considering?  This could open a
     Pandora's box of special cases, but it does seem possibly worthy
     of consideration, especially since you can't create a regular
     expression that says From = To.

Thanks for any assistance.

--
Jay Berkenbilt <ejb at ql.org>
http://www.ql.org/q/
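The following is an added example, not code from the post above or from MailScanner itself. It models the two matching schemes exactly as the post describes them (first match: actions of the first matching rule; all match: union of every matching non-default rule, falling back to the default rule only when nothing else matched) and runs the three rules from the post through both schemes. It assumes shell-style glob patterns for the address column, that a `forward` keyword consumes the following address as its argument, and uses the constructed placeholder `zzz@yyy` where the post writes "zzz at yyy".

```python
"""Toy model of MailScanner-style rules files: "first match" vs "all match".

Added example that follows the semantics described in the post; it is not
MailScanner's own implementation.  Rule text, addresses and action names are
constructed placeholders.
"""
from fnmatch import fnmatch
from typing import List, NamedTuple, Set, Tuple


class Rule(NamedTuple):
    direction: str      # From, To, FromOrTo or FromAndTo
    pattern: str        # glob such as *@primary.domain, or the word "default"
    actions: Set[str]   # e.g. {"bounce", "forward zzz@yyy"}


def parse_actions(text: str) -> Set[str]:
    """Turn 'bounce forward zzz@yyy' into {'bounce', 'forward zzz@yyy'}.

    Assumption: 'forward' takes the next token as its destination address.
    """
    tokens = text.split()
    actions: Set[str] = set()
    i = 0
    while i < len(tokens):
        if tokens[i] == "forward" and i + 1 < len(tokens):
            actions.add(f"forward {tokens[i + 1]}")
            i += 2
        else:
            actions.add(tokens[i])
            i += 1
    return actions


def parse_rules(text: str) -> List[Rule]:
    """Parse 'Direction:  pattern  actions...' lines; blank and # lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, action_text = line.split(None, 2)
        rules.append(Rule(direction.rstrip(":"), pattern, parse_actions(action_text)))
    return rules


def rule_matches(rule: Rule, sender: str, recipient: str) -> bool:
    """The default rule always matches; others compare the glob against From/To."""
    if rule.pattern == "default":
        return True
    from_ok = fnmatch(sender.lower(), rule.pattern.lower())
    to_ok = fnmatch(recipient.lower(), rule.pattern.lower())
    return {
        "From": from_ok,
        "To": to_ok,
        "FromOrTo": from_ok or to_ok,
        "FromAndTo": from_ok and to_ok,
    }[rule.direction]


def first_match(rules: List[Rule], sender: str, recipient: str) -> Set[str]:
    """'First' scheme: the first matching rule decides, nothing else is consulted."""
    for rule in rules:
        if rule_matches(rule, sender, recipient):
            return set(rule.actions)
    return set()


def all_match(rules: List[Rule], sender: str, recipient: str) -> Set[str]:
    """'All' scheme: union of all matching non-default rules, else the default."""
    matched: Set[str] = set()
    default_actions: Set[str] = set()
    for rule in rules:
        if rule.pattern == "default":
            default_actions |= rule.actions
        elif rule_matches(rule, sender, recipient):
            matched |= rule.actions
    return matched if matched else default_actions


# The three rules from the post, with the obfuscated forward address substituted.
RULES = parse_rules("""
FromAndTo:      *@primary.domain        forward zzz@yyy
To:             *@primary.domain        bounce forward zzz@yyy
FromOrTo:       default                 deliver forward zzz@yyy
""")


def compare(sender: str, recipient: str) -> Tuple[Set[str], Set[str]]:
    """Return (first-match actions, all-match actions) for one message."""
    return first_match(RULES, sender, recipient), all_match(RULES, sender, recipient)


if __name__ == "__main__":
    cases = [
        ("someuser@primary.domain", "someuser@primary.domain"),  # forged From = To
        ("spammer@example.net", "someuser@primary.domain"),      # ordinary inbound spam
        ("spammer@example.net", "user@other.domain"),            # hosted secondary domain
    ]
    for sender, recipient in cases:
        first, every = compare(sender, recipient)
        print(f"{sender} -> {recipient}")
        print(f"  first match: {sorted(first)}")
        print(f"  all match:   {sorted(every)}")
```

Running it shows the effect the post describes: for the forged From = To message the first-match scheme yields only `forward zzz@yyy`, while the all-match scheme unions in the `To:` rule and still produces `bounce`, because any message matching the `FromAndTo:` pattern necessarily matches the `To:` pattern too. For the other two messages both schemes agree, which is why the difference only surfaces with this spammer technique.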


