SA Bugzilla – Bug 7794
maxhits is not always honored for body rules
Last modified: 2020-04-10 14:52:21 UTC
Case documentation is below. I do not have the original message. I will attempt to generate a test case or capture a more recent example and redact any private info. This is a story of 2 similar rules: describe CIPH_HTML_LONGURL Very long URL rawbody CIPH_HTML_LONGURL /href="http:[^"]{300}[^"]/ score CIPH_HTML_LONGURL 0.3 tflags CIPH_HTML_LONGURL multiple maxhits=8 describe CIPH_HTML_LONGURL_2 Very long URL body CIPH_HTML_LONGURL_2 /http:[^" ]{300}[^"]/ score CIPH_HTML_LONGURL_2 0.3 tflags CIPH_HTML_LONGURL_2 multiple maxhits=8 These together just barely doomed a message: # bzgrep DM5PR08MB244 /var/log/maillog.12.bz2 Jan 23 02:48:50 be01 spamd[8407]: spamd: checking message <DM5PR08MB24420E5009C09E4556B00D24850F0@DM5PR08MB2442.namprd08.prod.outlook.com> for (unknown):58 Jan 23 02:48:53 be01 spamd[8407]: spamd: result: Y 5 - AWL,BAYES_00,CIPH_BODY_FORMAT3,CIPH_DEBUG,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_RAWBODY_DEBUG,DKIM_SIGNED,DKIM_VALID,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS,TRACKER_ID 
scantime=3.2,size=165124,user=(unknown),uid=58,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=/var/run/spam,mid=<DM5PR08MB24420E5009C09E4556B00D24850F0@DM5PR08MB2442.namprd08.prod.outlook.com>,bayes=0.000000,autolearn=no autolearn_force=no,shortcircuit=no NOTE: CIPH_HTML_LONGURL matched 8 times, implying that its maxhits=8 setting is honored. CIPH_HTML_LONGURL_2 matches 37 times, overpowering the AWL and BAYES_00 safety net. There's no doubt that the local.cf matches what spamd is using: # ls -l /usr/local/etc/mail/spamassassin/local.cf -rw-r--r-- 1 root mail 16421 Jul 24 2019 /usr/local/etc/mail/spamassassin/local.cf # uptime 2:21PM up 83 days, 7:58, 2 users, load averages: 0.26, 0.16, 0.10 In addition, there's a daily cron job running sa-update, sa-compile, and 'service sa-spamd reload.' I have confirmed with 'spamassassin --lint -D config' that none of the config files being loaded other than /usr/local/etc/mail/spamassassin/local.cf contain any reference to CIPH_HTML_LONGURL_2.
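Added example (not part of the report and not SpamAssassin code): the comparison made by hand in the NOTE above can be run over a whole maillog. The script reads tflags lines for maxhits=N and flags every "spamd: result:" line in which a rule is listed more often than its cap. The function names, the sample timestamp and the host are assumptions; the sample log line is constructed from the rule names and hit counts stated in the report.

```python
import re
from collections import Counter

# Constructed input: tflags lines and rule names as in the report; the log
# line is rebuilt from the hit counts stated there, with a placeholder
# timestamp/host and most other fields dropped.
SAMPLE_CF = """\
tflags CIPH_HTML_LONGURL multiple maxhits=8
tflags CIPH_HTML_LONGURL_2 multiple maxhits=8
"""
SAMPLE_LOG = [
    "Jan 01 00:00:00 host spamd[1]: spamd: result: Y 5 - AWL,BAYES_00,"
    + ",".join(["CIPH_HTML_LONGURL"] * 8 + ["CIPH_HTML_LONGURL_2"] * 37)
    + ",HTML_MESSAGE scantime=3.2,size=165124",
    "Jan 01 00:00:01 host spamd[1]: spamd: result: . 0 - BAYES_00 scantime=0.1",
]

TFLAGS_RE = re.compile(r"^\s*tflags\s+(\S+)\s+(.*)$")
RESULT_RE = re.compile(r"spamd: result: \S+ \S+ - (\S*) ")


def parse_maxhits(cf_text):
    """Return {rule: N} for every tflags line that carries maxhits=N."""
    limits = {}
    for line in cf_text.splitlines():
        m = TFLAGS_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            hit = re.search(r"\bmaxhits=(\d+)\b", m.group(2))
            if hit:
                limits[m.group(1)] = int(hit.group(1))
    return limits


def violations(cf_text, log_lines):
    """List (line_no, rule, hits, maxhits) where a rule exceeded its cap."""
    limits = parse_maxhits(cf_text)
    found = []
    for no, line in enumerate(log_lines, 1):
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a spamd result line
        counts = Counter(t for t in m.group(1).split(",") if t)
        for rule, hits in sorted(counts.items()):
            if rule in limits and hits > limits[rule]:
                found.append((no, rule, hits, limits[rule]))
    return found


if __name__ == "__main__":
    for no, rule, hits, cap in violations(SAMPLE_CF, SAMPLE_LOG):
        print(f"log line {no}: {rule} hit {hits} times, maxhits={cap}")
```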
Are you sure you were running 3.4.4 which has the sa-compile fix for maxhits?
(In reply to Henrik Krohns from comment #1)
> Are you sure you were running 3.4.4 which has the sa-compile fix for maxhits?

Excellent catch. I was unaware of that fix and the incident occurred one day prior to the release of 3.4.4, so it was definitely not with 3.4.4.