Anti-spear-phishing, round 2

Mark Sapiro mark at msapiro.net
Tue Jan 13 04:54:25 GMT 2009 

Mark Sapiro wrote:

>On Mon, Jan 12, 2009 at 12:14:14PM +0000, Drew Marshall wrote:
>> 
>> I have now got as far as implementing this excellent feature but I  
>> have bumped in to an interesting error.
>> 
>> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions:  
>> rule anti_phish caused action not-deliver in message 7FAB84BE3B4.94CF3
>> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions:  
>> rule anti_phish caused action store in message 7FAB84BE3B4.94CF3
>> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions:  
>> rule anti_phish caused action header in message 7FAB84BE3B4.94CF3
>> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions:  
>> rule anti_phish caused action "X-Anti-Phish: in message  
>> 7FAB84BE3B4.94CF3
>> Jan 12 10:58:25 in1-b MailScanner[78431]: SpamAssassin Rule Actions:  
>> rule anti_phish caused action Yes" in message 7FAB84BE3B4.94CF3
>> Jan 12 10:58:25 in1-b MailScanner[78431]: Message 7FAB84BE3B4.94CF3  
>> produced illegal Non-Spam Actions " Yes" "X-Anti-Phish:", so message  
>> is being delivered
>> 
>> The SpamAssassin Rule Action that generated this log  
>> is ...ANTI_PHISH=>not-deliver,store,header "X-Anti-Phish: Yes" (I  
>> slightly changed the header in case there was a problem with the _TO_  
>> special command, which has made no difference).
>> 
>> So what have I done wrong (The actual creation of the SA rule etc is  
>> fine as MailScanner is seeing the rule hit as can be seen in the log)?
>
>
>
>Jules has indicated that the parsing of these is 'delicate'. It looks
>like the quotes are confusing it into thinking that there are two rules/
>actions:
>
>ANTI_PHISH=>not-deliver,store,header
>
>and
>
>X-Anti-Phish: Yes
>
>Remove the quotes. I think that will fix it.


Sorry! Brain cramp...

It's not the quotes since I have a similar rule with quotes that works:

>.. X_GPC_PHISHING_ADDRESS=>store,not-deliver,forward msapiro+phish at sbh16.songbird.com,header "X-GPC-MailScanner-Originally-To: _TO_"

Your rule looks good to me, but clearly MailScanner is parsing " Yes"
and "X-Anti-Phish:" as actions for the ANTI_PHISH rule rather than as
the header string. Maybe someone else has an idea.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list