Re: sieve filter move wrong email to Junk folder
> Date: Thursday, December 14, 2017 09:47:44 -0800
> From: Gao <gao@pztop.com>
>
> I use a sieve filter to move spam email to user's Junk folder:
> # cat spam_to_junk.sieve
> require "fileinto";
> if exists "X-Spam-Status" {
>     if header :contains "X-Spam-Status" "YES" {
>         fileinto "Junk";
>         stop;
>     } else {
>     }
> }
> if header :contains "subject" ["SPAM?"] {
>     fileinto "Junk";
>     stop;
> }
>
> Most of the time this filter works fine, but occasionally it moves non-spam into the Junk folder. Here is an example: this email is from the dovecot mailing list and it ended up in my Junk folder. Maillog and header here. Would someone help me figure out what went wrong here?
>
> Thanks.
>
> Gao

> X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
Because of the way you are bounding it, I suspect that the "YES" in BAYES_00, at the end of that line, is triggering the mis-filing.
Why not make:
contains "X-Spam-Status" "YES"
a single string:
contains "X-Spam-Status: YES"
that would be more precise and avoid this issue.
Thank you for the advice. I'll change it.
Gao
Well I changed the line to
    if header :contains "X-Spam-Status: YES" {

Then I got:
    # sievec spam_to_junk.sieve
    spam_to_junk: line 3: error: the header test requires 2 positional argument(s), but 1 is/are specified.
    spam_to_junk: error: validation failed.
    sievec(root): Fatal: failed to compile sieve script 'spam_to_junk.sieve'

Should it be:
    if header :contains "X-Spam-Status" "X-Spam-Status: YES" {
???
I need to learn some sieve grammar.
Gao
This is what I use with Exim; spam.sieve is included from a master.sieve:

thebighonker.lerctr.org /home/ler $ more sieve/spam.sieve
require ["fileinto","imap4flags"];
if header :contains ["X-LERCTR-Spam-Flag","X-TNTSCAN-Spam-Flag"] "YES" {
    redirect "spamtrap@spambouncer.org";
    fileinto :flags "\\Seen Junk" "SPAM";
    stop;
}

thebighonker.lerctr.org /home/ler $ grep -B10 -A10 -- -Spam-Flag /usr/local/etc/exim/configure
        spam = smmsp:true
  warn  message = X-LERCTR-Spam-Score: $spam_score ($spam_bar)
        ! authenticated = *
        spam = smmsp:true
  warn  message = X-Spam-Report: $spam_report
        ! authenticated = *
        spam = smmsp:true
  warn  message = X-LERCTR-Spam-Report: $spam_report
        ! authenticated = *
        spam = smmsp:true
  # Add X-Spam-Flag if spam is over system-wide threshold
  warn  message = X-Spam-Flag: YES
        ! authenticated = *
        spam = smmsp:true
        condition = ${if >={$spam_score_int}{50}{1}{0}}
  warn  message = X-LERCTR-Spam-Flag: YES
        ! authenticated = *
        spam = smmsp:true
        condition = ${if >={$spam_score_int}{50}{1}{0}}
  #warn message = DomainKey-Status: $dkim_status
  #     !condition = ${if eq{$dkim_status}{}{1}{0}}
  # Reject spam messages with score over 7, using an extra condition.
  deny  message = This message scored $spam_score points. Congratulations!
        ! authenticated = *
        spam = smmsp:true
thebighonker.lerctr.org /home/ler $
This is what I use. Notice the comma:

require "fileinto";
if header :contains "X-Spam-Status" "Yes," {
    fileinto "SystemFolders.SuspectedSpam";
    stop;
}
Bill
Also, I wouldn't use the second rule:

if header :contains "subject" ["SPAM?"] {
    fileinto "Junk";
    stop;
}
If someone sends you an email with the subject "Can you help me with this spam?" it will get filed into Junk.
Bill
On Fri, 15 Dec 2017, Bill Shirley wrote:
> This is what I use. Notice the comma:
> require "fileinto";
> if header :contains "X-Spam-Status" "Yes," {
>     fileinto "SystemFolders.SuspectedSpam";
>     stop;
> }

I would even add the space:

if header :contains "X-Spam-Status" "Yes, " {

because the list of tests won't contain a space.

Steffen Kaiser
Thanks for all of your help.
Now I modified my sieve script. Three things changed here:
1. if header :contains "X-Spam-Status" "YES, " {
2. if header :contains "subject" ["{SPAM?}"] {    ##add the curly brackets
3. change the order, so my MailScanner labeled spam mail is sent directly to the junk folder.

The first one tries to avoid BAYES_ triggering the rule. The 2nd one is for MailScanner labeled spam mail. So the final script:

require "fileinto";
if header :contains "subject" ["{SPAM?}"] {
    fileinto "Junk";
    stop;
}
if exists "X-Spam-Status" {
    if header :contains "X-Spam-Status" "YES, " {
        fileinto "Junk";
        stop;
    } else {
    }
}
I'll see how this works.
Gao
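
The substring behaviour discussed in this thread, as an added example (not code from any poster or from the Sieve implementation): a small Python model of Sieve's ":contains" and ":matches" tests under the default i;ascii-casemap comparator, run over the rules proposed above. The ham header value is the one quoted in the thread; the spam header value, both subjects, and the anchored ":matches" rule "Yes,*" are assumptions of this example.

```python
import re

# Constructed samples: the ham value is the header quoted in the thread,
# the spam value and both subjects are made up for this example.
HAM = "No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00"
SPAM = "Yes, score=12.4 required=5.0 tests=BAYES_99,URIBL_BLACK"
HAM_SUBJECT = "Can you help me with this spam?"
TAGGED_SUBJECT = "{SPAM?} Cheap watches"

def fold(s):
    """i;ascii-casemap (Sieve's default comparator): fold ASCII A-Z only."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)

def contains(value, key):
    """Model of ':contains': substring anywhere in the header *value*
    (the field name is not part of the text being searched)."""
    return fold(key) in fold(value)

def matches(value, pattern):
    """Model of ':matches': whole value must match; '*' any run, '?' one char."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in fold(pattern))
    return re.fullmatch(rx, fold(value), re.DOTALL) is not None

def junked(test, key, ham, spam):
    """Return (ham filed into Junk?, spam filed into Junk?) for one rule."""
    return test(ham, key), test(spam, key)

def run_cases():
    return {
        'contains "YES"': junked(contains, "YES", HAM, SPAM),
        'contains "X-Spam-Status: YES"': junked(contains, "X-Spam-Status: YES", HAM, SPAM),
        'contains "YES, "': junked(contains, "YES, ", HAM, SPAM),
        'matches "Yes,*"': junked(matches, "Yes,*", HAM, SPAM),
        'subject contains "SPAM?"': junked(contains, "SPAM?", HAM_SUBJECT, TAGGED_SUBJECT),
        'subject contains "{SPAM?}"': junked(contains, "{SPAM?}", HAM_SUBJECT, TAGGED_SUBJECT),
    }

if __name__ == "__main__":
    for rule, (ham_hit, spam_hit) in run_cases().items():
        print(f"{rule:32} ham->Junk={ham_hit!s:5} spam->Junk={spam_hit}")
```

A rule is only safe when the first value is False and the second is True; the key that repeats the field name never fires because the test compares against the header value alone.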
participants (5): Bill Shirley, Gao, Larry Rosenman, Richard, Steffen Kaiser