Spam Action rules: first match vs. all match?

Julian Field mailscanner at ecs.soton.ac.uk
Mon Jul 28 18:02:33 IST 2003 

What I thought about doing was adding a "STOP" entry in any of the "all
matches" rules, so that evaluation of the rules for that recipient/sender
would stop at that point and not carry on trying to match other rules in
the ruleset.

The rules would still be evaluated for all of the recipient(s) and the
sender, but this would enable you to stop the rule checking when you had
matched a previous rule.

Would that solve the problem, or indeed help at all?

At 17:22 28/07/2003, you wrote:
>My MailScanner version is 4.21-9, but, based on NEWS, I don't think
>this issue has been addressed by 4.22-5.  I'm using SpamAssassin
>2.55.  These are both installed on an Intel RedHat 9 box.  I have no
>virus scanners activated and am using this only as a spam filter (for
>which it is fabulous, by the way!).
>
>The spammer technique of making putting the recipient of a message in
>both the To and From fields of a message seems to be increasing in
>popularity lately.  I've seen an explosion of these in the last two
>weeks or so.  I'm talking about something like this (with : replaced
>by ; in the headers below to avoid confusing any mail readers):
>
>   To; Some Local User <someuser at some.domain>
>   From; Random Spammer <someuser at some.domain>
>
>We have the spam action "bounce" set for all spam.  This means that
>our own users get a lot of bounce notices from MailScanner from spam
>it looks like they sent to themselves.  A surprising number of users
>get confused by this and think that they are getting notified of a
>blocked message TO them instead.  Besides, it's annoying.
>
>I tried to stop this from happening by having the following rules in
>my spam actions rules file:
>
>FromAndTo:      *@primary.domain        forward zzz at yyy
>To:             *@primary.domain        bounce forward zzz at yyy
>FromOrTo:       default                 deliver forward zzz at yyy
>
>Note that our mail server handles mail for multiple domains, and I
>only want bounces for primary.domain.  (primary.domain and zzz at yyy
>are, of course, substitutions for the actual values.)
>
>This doesn't work as hoped.  Our internal users are still getting
>bounces.  After groveling through the code, it appears that rules
>files can be configured as first match or all match.  In the "first"
>match case, actions associated with the first matching rule are taken.
>In the "all" match case, if any rules other than the default match,
>the union of the actions in all matching rules other than the default
>rule are taken, and if no rule (i.e., only the default rule) matches,
>then the default rule's actions are used.  This would certainly
>explain why the above rules don't work.  In fact, a FromAndTo rule
>with any domain matched by any other rule can never have fewer actions
>than a From or To rule.  It seems to me that I would either need
>something like a FromAndNotTo rule or a different matching scheme.
>
>I suppose I could just modify ConfigDefs.pl and move the SpamActions
>line to a different category such as [First,YesNo], but I'm reluctant
>to do that without studying the code a bit more to ensure that this
>won't have any surprising side effects.
>
>My questions:
>
>  1.  Would it be safe for me to just move SpamActions into
>      [First,YesNo] as I'm guessing?
>
>  2.  With regular expressions, it seems like anything that you can do
>      with an All rule you could do with a First rule, though it may be
>      more cumbersome in some cases.  Maybe I could think of a
>      counterexample, but I haven't so far.  Is there a compelling
>      reason why SpamActions isn't a First rule or can't be configured
>      at run-time to be a First rule?  (I could see backward
>      compatibility as a significant factor here since previously valid
>      files would remain valid but do something completely different.)
>
>  3.  Is anyone thinking about making the rule specification more
>      general to avoid this kind of problem?
>
>  4.  Is having a special case to match the case of the From and the
>      To address matching worth even considering?  This could open a
>      Pandora's box of special cases, but it does seem possibly worthy
>      of consideration, especially since you can't create a regular
>      expression that says From = To.
>
>Thanks for any assistance.
>
>--
>Jay Berkenbilt <ejb at ql.org>
>http://www.ql.org/q/

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

More information about the MailScanner mailing list