Glen Page writes:

> We are a Google Apps for Education school so most of our employees
> and students are using gmail but with our own thet.net
> <http://thet.net/> domain. We have mx records for gmail's servers
> and for our in house mailman server. Recently edited our DNS zones
> due to SPF record check failures. Also, recently had to change out
> IP block due to changes at our ISP. Here is the header info from a
> message that I got from our Dean. It got flagged as Spam somewhere
> along the way.

You've deleted a bunch of header fields, it seems. That doesn't hurt
this time -- it seems pretty clear that a misconfigured SpamAssassin
is the problem. But you should tell us about it, and also consider
leaving in the fields while redacting specific personal information
such as mailboxes and IP addresses if you consider them sensitive.

To the analysis. This appears to be the subject:

> {Spam?} [TA Admin] {Spam?} [Employees] {Spam?} [Claws] {Spam?} SNOWBALL IS
> CANCELLED FOR TONIGHT

SpamAssassin ignores the parenthesized tags, and finds that the
subject is all uppercase. 1.5 spam points. Tell your people not to
use all uppercase, especially not in the subject, but also not in the
body. This is a very good indicator of spam.

This is your addressee list in the "To" field, right?

> To: cl...@lists.thet.net students2...@lists.thet.net

It happens to be sorted. 2.5 spam points, total 4. You're already
almost busted! If you have control over SpamAssassin, this is a
stupid rule unless you've got more than 5 addressees, and you should
be giving that a lot of points anyway. Take that rule down to 1
point, or disable it.

> X-Thetnet-Mailscanner-Spamcheck:
> spam, SORBS-SPAM,

Dunno what the above line means.

> SpamAssassin (cached, score=7.315, required 5,
> BAYES_00 -1.90,

Content is extremely unspam-like. Congratulate the author. :-)

> DNS_FROM_AHBL_RHSBL 2.70,

Ouch. Appears you are on a blacklist ... no, AHBL and RHSBL are
deprecated and may not even be operating any more, lots of "too many
false positives, how can I disable this rule?" on Google. See this
URL:

http://www.emailquestions.com/threads/how-to-disable-dns_from_ahbl_rhsbl-rbl-envelope-sender-listed-in-dnsbl-ahbl-org.10342/

> HTML_MESSAGE 0.00,

Yeah! "Friends don't let friends send HTML mail."

> RCVD_IN_DNSWL_NONE -0.00,

Good.

> SORTED_RECIPS 2.50,
> SUBJ_ALL_CAPS 1.51,

As mentioned above.

> SUSPICIOUS_RECIPS 2.51),

I have no idea why you're getting that.
Maybe somebody else has an idea, but if not you'll have to ask
somebody with access to your SpamAssassin rule base. Anyway, the
total above is already 8.2 (then you get 1.9 back for high-value
content), you're busted.

> Received: from dispatch.thet.net ([104.219.98.14]) by mx.google.com
>     with ESMTPS id n185si342354qke.282.2016.12.17.08.50.32
>     (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 17 Dec 2016
>     08:50:32 -0800 (PST)
> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
>     by dispatch.thet.net (Postfix) with ESMTP id A1013E6103A; Sat, 17
>     Dec 2016 11:49:56 -0500 (EST)
> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
>     by dispatch.thet.net (Postfix) with ESMTP id BA586E61035; Sat, 17
>     Dec 2016 11:49:04 -0500 (EST)
> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
>     by dispatch.thet.net (Postfix) with ESMTP id 12323E60FF7; Sat, 17
>     Dec 2016 11:48:05 -0500 (EST)

I guess this is the chain of umbrella lists. You might want to see if
you can get the addressees put in the logs so that you can figure out
what's actually happening here.

> Received: from mail-yw0-f177.google.com (mail-yw0-f177.google.com
>     [209.85.161.177]) by dispatch.thet.net (Postfix) with ESMTPS id 0F6F3E60FF7
>     for <cl...@lists.thet.net>; Sat, 17 Dec 2016 11:47:29 -0500 (EST)
> Received: by mail-yw0-f177.google.com with SMTP id i145so46776688ywg.2 for
>     <cl...@lists.thet.net>; Sat, 17 Dec 2016 08:47:29 -0800 (PST)
> Received: by 10.37.30.86 with HTTP; Sat, 17 Dec 2016 08:47:28 -0800 (PST)
> Content-Type: multipart/mixed; boundary="===============0140925220=="
> X-Thetnet-Mailscanner-Id: A1013E6103A.A0BA7
> Delivered-To: glen.p...@thet.net.test-google-a.com
> Delivered-To: ad...@lists.thet.net
> Delivered-To: employ...@lists.thet.net
> Delivered-To: cl...@lists.thet.net
> X-Beenthere: cl...@lists.thet.net
> X-Beenthere: employ...@lists.thet.net
> X-Beenthere: ad...@lists.thet.net
> Received-Spf: fail (google.com: domain of admin-boun...@lists.thet.net does
>     not designate 104.219.98.14 as permitted sender) client-ip=104.219.98.14;

This is misconfigured, I think. lists.thet.net doesn't permit
dispatch.thet.net to send for it?

> Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>     d=thet-net.20150623.gappssmtp.com; s=20150623;
>     h=mime-version:from:date:message-id:subject:to;
>     bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=;
>     b=z4aCN7tqgI6/fqyUS0996YyJ3h9vBdciKFZDMciilUXU1d1VzpD9MPEw5iFzTvTiBk
>     JboPNIV4zE41HWJcMRL3FIJ2A9ahgpkAD+p48PIxjqveclm4BM92Ioj3LXqrXg6lLs+Q
>     SkqLIEl6DQLzWigaixP49UmPqbQjSbfxLvxq32MXFVldcOF7n/5Q1SfFQkErRq8S14x8
>     U1Keu94MZCSi2xp7bXj4ARdtdOsOOemWCRRSzrAd0nR+uqsW+aOKPHmqYZqHHz3Ct328
>     XH+wBOs/CUSe7sOrQCM/RlHb2IQg0rTS0t3V3jhZkYaquDF59rgTYsNyo7BEToSeXDfV QuOg==

This is going to fail, since the subject is signed but you're adding
tags all over the place. This is the safest available configuration,
so it is not a problem (that you can do anything about), but you will
DoS yourself if you ever set a DMARC policy of p=quarantine or
p=reject. Just a word to the wise for the future.

Hope this helps,
Steve

--
Associate Professor              Department of Policy and Planning Science
http://turnbull/sk.tsukuba.ac.jp/     Faculty of Systems and Information
Email: turnb...@sk.tsukuba.ac.jp                   University of Tsukuba
Tel: 029-853-5175                 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
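
The effect of the two rule changes suggested in the reply, worked through on the scores quoted in the header. This is an added example, not part of the original message and not SpamAssassin or MailScanner code; the header string is re-joined from the quoted lines, and the function names and override values are assumptions for illustration.

```python
import re

# Constructed input: the spamcheck header quoted in the message, joined onto one line.
HEADER = (
    "spam, SORBS-SPAM, SpamAssassin (cached, score=7.315, required 5, "
    "BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, "
    "RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, "
    "SUSPICIOUS_RECIPS 2.51)"
)

SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?), required (-?\d+(?:\.\d+)?)")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]*) (-?\d+\.\d+)")

def parse_spamcheck(header):
    """Return (reported_score, required, {rule: points}) from the header text."""
    m = SCORE_RE.search(header)
    if m is None:
        raise ValueError("no SpamAssassin score found in header")
    # Only look for rule names after the score/required pair.
    rules = {name: float(pts) for name, pts in RULE_RE.findall(header[m.end():])}
    return float(m.group(1)), float(m.group(2)), rules

def rescore(rules, overrides=None):
    """Sum the rule points, replacing any rule listed in overrides."""
    overrides = overrides or {}
    return round(sum(overrides.get(name, pts) for name, pts in rules.items()), 2)

def is_spam(total, required):
    # SpamAssassin flags a message once its score reaches the required value.
    return total >= required

def what_if(header, scenarios):
    """Map scenario label -> (total, flagged) for each set of overrides."""
    _, required, rules = parse_spamcheck(header)
    return {label: (rescore(rules, ov), is_spam(rescore(rules, ov), required))
            for label, ov in scenarios.items()}

# Hypothetical scenarios taken from the suggestions in the reply.
SCENARIOS = {
    "as received": {},
    "SORTED_RECIPS lowered to 1": {"SORTED_RECIPS": 1.0},
    "AHBL rule disabled": {"DNS_FROM_AHBL_RHSBL": 0.0},
    "both changes": {"SORTED_RECIPS": 1.0, "DNS_FROM_AHBL_RHSBL": 0.0},
}

if __name__ == "__main__":
    for label, (total, flagged) in what_if(HEADER, SCENARIOS).items():
        print(f"{label:28s} {total:5.2f} {'spam' if flagged else 'not spam'}")
```

In SpamAssassin itself, overrides like these are written as `score RULE_NAME value` lines in the local configuration.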