Bug 7794 - maxhits is not always honored for body rules
Summary: maxhits is not always honored for body rules
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.4.3
Hardware: PC FreeBSD
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2020-02-05 16:07 UTC by Bill Cole
Modified: 2020-04-10 14:52 UTC
Description Bill Cole 2020-02-05 16:07:00 UTC
Case documentation is below. I do not have the original message. I will attempt to generate a test case or capture a more recent example and redact any private info.  

This is a story of 2 similar rules:

  describe CIPH_HTML_LONGURL Very long URL
  rawbody CIPH_HTML_LONGURL  /href="http:[^"]{300}[^"]/
  score CIPH_HTML_LONGURL 0.3
  tflags CIPH_HTML_LONGURL multiple maxhits=8

  describe CIPH_HTML_LONGURL_2 Very long URL
  body CIPH_HTML_LONGURL_2  /http:[^" ]{300}[^"]/
  score CIPH_HTML_LONGURL_2 0.3
  tflags CIPH_HTML_LONGURL_2 multiple maxhits=8

These together just barely doomed a message: 

  # bzgrep DM5PR08MB244  /var/log/maillog.12.bz2
  Jan 23 02:48:50 be01 spamd[8407]: spamd: checking message <DM5PR08MB24420E5009C09E4556B00D24850F0@DM5PR08MB2442.namprd08.prod.outlook.com> for (unknown):58
   Jan 23 02:48:53 be01 spamd[8407]: spamd: result: Y 5 - AWL,BAYES_00,CIPH_BODY_FORMAT3,CIPH_DEBUG,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_HTML_LONGURL_2,CIPH_RAWBODY_DEBUG,DKIM_SIGNED,DKIM_VALID,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS,TRACKER_ID scantime=3.2,size=165124,user=(unknown),uid=58,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=/var/run/spam,mid=<DM5PR08MB24420E5009C09E4556B00D24850F0@DM5PR08MB2442.namprd08.prod.outlook.com>,bayes=0.000000,autolearn=no autolearn_force=no,shortcircuit=no

NOTE: CIPH_HTML_LONGURL matched 8 times, implying that its maxhits=8 setting is honored. CIPH_HTML_LONGURL_2 matches 37 times, overpowering the AWL and BAYES_00 safety net. 

There's no doubt that the local.cf matches what spamd is using:

  # ls -l  /usr/local/etc/mail/spamassassin/local.cf
  -rw-r--r--  1 root  mail  16421 Jul 24  2019 /usr/local/etc/mail/spamassassin/local.cf
  # uptime
   2:21PM  up 83 days,  7:58, 2 users, load averages: 0.26, 0.16, 0.10

In addition, there's a daily cron job running sa-update, sa-compile, and 'service sa-spamd reload.' I have confirmed with 'spamassassin --lint -D config' that none of the config files being loaded other than /usr/local/etc/mail/spamassassin/local.cf contain any reference to CIPH_HTML_LONGURL_2.
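
A log check for the symptom reported above, as an added example that is not part of the original bug report or SpamAssassin's own code: it reads `tflags ... multiple maxhits=N` limits from rule configuration and flags any spamd `result:` line that lists a rule more often than its limit. The sample configuration and log lines are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

TFLAGS_RE = re.compile(r"^\s*tflags\s+(\S+)\s+(.+)$")
RESULT_RE = re.compile(r"spamd: result: \S+ \S+ - (\S*) scantime=")

def load_maxhits(config_text):
    """Map rule name -> N for every 'tflags RULE ... multiple ... maxhits=N' line."""
    limits = {}
    for line in config_text.splitlines():
        m = TFLAGS_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        flags = m.group(2).split() if m else []
        if "multiple" not in flags:  # maxhits only applies to 'multiple' rules
            continue
        for flag in flags:
            if flag.startswith("maxhits=") and flag[8:].isdigit():
                limits[m.group(1)] = int(flag[8:])
    return limits

def maxhits_violations(log_lines, limits):
    """Return (line_no, rule, hits, limit) for each rule logged more often than its limit."""
    found = []
    for n, line in enumerate(log_lines, 1):
        m = RESULT_RE.search(line)
        if not m:
            continue
        hits = Counter(t for t in m.group(1).split(",") if t)
        for rule, count in sorted(hits.items()):
            if rule in limits and count > limits[rule]:
                found.append((n, rule, count, limits[rule]))
    return found

# Constructed sample input modelled on the report (not the original log or local.cf).
SAMPLE_CF = """\
tflags CIPH_HTML_LONGURL multiple maxhits=8
tflags CIPH_HTML_LONGURL_2 multiple maxhits=8
"""
SAMPLE_TESTS = ["BAYES_00"] + ["CIPH_HTML_LONGURL"] * 8 + ["CIPH_HTML_LONGURL_2"] * 37 + ["SPF_PASS"]
SAMPLE_LOG = [
    "Jan 23 02:48:50 host spamd[1]: spamd: checking message <constructed@example.invalid> for (unknown):58",
    "Jan 23 02:48:53 host spamd[1]: spamd: result: Y 5 - " + ",".join(SAMPLE_TESTS) + " scantime=3.2,size=1000",
]

if __name__ == "__main__":
    for n, rule, hits, limit in maxhits_violations(SAMPLE_LOG, load_maxhits(SAMPLE_CF)):
        print(f"log line {n}: {rule} hit {hits} times, maxhits={limit}")
```
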
Comment 1 Henrik Krohns 2020-04-10 08:13:24 UTC
Are you sure you were running 3.4.4 which has the sa-compile fix for maxhits?
Comment 2 Bill Cole 2020-04-10 14:52:21 UTC
(In reply to Henrik Krohns from comment #1)
> Are you sure you were running 3.4.4 which has the sa-compile fix for maxhits?

Excellent catch. I was unaware of that fix and the incident occurred one day prior to the release of 3.4.4, so it was definitely not with 3.4.4.