ietf-mta-filters
[Top] [All Lists]

spamtest/virustest "NIL" behaviour

2003-04-30 05:30:05

In the spamtest/virustest draft there is the following example:

        if spamtest :value "ge" :comparator "i;ascii-numeric" "3"
        {
            fileinto "INBOX.spam-trap";
        }
        elsif spamtest :is "NIL"
        {
            fileinto "INBOX.unclassified";
        }

When the virus scanner or the anti spam scanner fail, I presume we give the
spamtest/virustest a "NIL" value as though it never even passed through the
scanner.  So according to RFC2244, when we use ascii-numeric, that seems to
imply that "NIL" turns into a very large number.  Is that right?

RFC 2244                          ACAP                     November 1997
      i;ascii-numeric
           Operations: Ordering, Equality

           The i;ascii-numeric comparator interprets strings as decimal
           positive integers represented as US-ASCII digits.  All values
           which do not begin with a US-ASCII digit are considered equal
           with an ordinal value higher than all non-NIL single-valued
           attributes.  Otherwise, all US-ASCII digits (octet values
           0x30 to 0x39) are interpreted starting from the beginning of
           the string to the first non-digit or the end of the string.

That being said, we would never file anything to the "unclassified" folder
as "a very large number" is greater than "3".  Also If we define the
spamtest/virustest values as:

Internet Draft    SIEVE Spamtest and Virustest Extensions    April 2003
    The spamtest result is a string starting with a numeric value in the
    range "0" (zero) through "10", with "0" meaning the message is
    definitely clear of spam, and "10" meaning the message is definitely
    spam.  The underlying SIEVE implementation will map whatever spam
    check is done into this numeric range, as appropriate.  If the
    message has not been categorised by any spam checking tools, then
    the spamtest result is "NIL".

Does that mean that the "NIL" value gets a score of higher than 10 and is
therefore really really really definately spam/a virus?

Is the example therefore not better written as:

        if spamtest :is "NIL"
        {
            fileinto "INBOX.unclassified";
        }
        elsif spamtest :value "ge" :comparator "i;ascii-numeric" "3"
        {
            fileinto "INBOX.spam-trap";
        }

I'd also suggest that we use a different value to "NIL", perhaps "5 NIL" so
that the 5 is mid range 50/50 spam/virus and the "NIL" as the string to say
that scanning failed to protect users from making the fairly subtle mistake
of treating scan failures as either "definately not spam" or "definately
spam".

Or did I misunderstand somewhere.... :o/

Nigel