sieve filter move wrong email to Junk folder

Olaf Hopp Olaf.Hopp at kit.edu
Fri Dec 15 16:35:55 EET 2017


On 12/15/2017 02:36 PM, Alex JOST wrote:
> On 14.12.2017 at 18:47, Gao wrote:
>> I use a sieve filter to move spam email to user's Junk folder:
>> # cat spam_to_junk.sieve
>> require "fileinto";
>>    if exists "X-Spam-Status" {
>>            if header :contains "X-Spam-Status" "YES" {
>>            fileinto "Junk";
>>            stop;
>>            } else {
>>        }
>>    }
>>    if header :contains "subject" ["SPAM?"] {
>>      fileinto "Junk";
>>      stop;
>>    }
>>
>> Most of the time this filter works fine, but occasionally it moves non-spam into the Junk folder. Here is an example: this email is from the dovecot mailing list and it ended up in my Junk folder. Mail log and header here. Would someone help me figure out what went wrong here?
> 
>> X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
>>   autolearn=ham version=3.3.2, No
> 
> AFAIK, header matching is case-insensitive. That's why 'YES' matches 'BAYES' and triggers the action.

So any spammer might simply add a header "X-Spam-Status: No"
and the mail gets into the INBOX?

That's why my exim / SpamAssassin combination adds the
header "X-Spam-Status:" with all the various checks and
if and only if the score is above e.g. 5 points it additionally adds
the header "X-Spam-Flag: YES".
Ham mail is not affected by this "X-Spam-Flag".

My global sieve filter only checks for the existence of
the header line - not the value. I think this can't be
circumvented by the spammers.

Regards, Olaf

-- 
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-mail: Olaf.Hopp at kit.edu
atis.informatik.kit.edu

www.kit.edu

KIT – The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.
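
The false positive discussed in this thread, as an added example that is not part of the original messages: a small Python model of Sieve's `header` test with its default `i;ascii-casemap` comparator, run over the X-Spam-Status value quoted above. The spam sample, the rule labels and the anchored `:matches "Yes,*"` rule are assumptions made for illustration.

```python
import re
from email import message_from_string

# i;ascii-casemap (Sieve's default comparator) folds only ASCII a-z.
_FOLD = str.maketrans("abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Constructed messages; the HAM X-Spam-Status value is the one quoted in the thread.
HAM = (
    "Subject: Re: sieve question\n"
    "X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00\n"
    "  autolearn=ham version=3.3.2, No\n"
    "\nbody\n"
)
SPAM = (
    "Subject: constructed spam sample\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=12.4 required=5.0 tests=BAYES_99\n"
    "\nbody\n"
)

def values(raw, name):
    """Unfolded, trimmed values of every header called `name` (any case)."""
    msg = message_from_string(raw)
    return ["".join(v.splitlines()).strip() for v in msg.get_all(name, [])]

def header(raw, match_type, name, key):
    """Model of the Sieve `header` test; :matches supports only * and ? here."""
    key = key.translate(_FOLD)
    glob = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in key)
    test = {":contains": lambda v: key in v,
            ":is": lambda v: key == v,
            ":matches": lambda v: re.fullmatch(glob, v, re.S) is not None}[match_type]
    return any(test(v.translate(_FOLD)) for v in values(raw, name))

# Rule names are hypothetical labels for this example.
RULES = {
    "original": lambda m: header(m, ":contains", "X-Spam-Status", "YES"),
    "anchored": lambda m: header(m, ":matches", "X-Spam-Status", "Yes,*"),
    "flag_exists": lambda m: bool(values(m, "X-Spam-Flag")),
}

def verdicts(raw):
    """Which rules would file this message into Junk."""
    return {name: rule(raw) for name, rule in RULES.items()}

if __name__ == "__main__":
    print(verdicts(HAM), verdicts(SPAM))
```

Only the `original` rule files the ham message into Junk, because the substring `YES` occurs inside `BAYES_00`; all three rules catch the constructed spam sample.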

