Stephen,

Thanks. I am pretty sure that the only thing I deleted was the sender name so not sure which header fields you think are missing.

I will forward this info on to the consultant that built and maintains both my spam-assassin and mailman builds and see what he can figure out.

Thanks again for the help.

Glen

> On Dec 20, 2016, at 11:09 AM, Stephen J. Turnbull
> <turnbull.stephen...@u.tsukuba.ac.jp> wrote:
>
> Glen Page writes:
>
>> We are a Google Apps for Education school so most of our employees
>> and students are using gmail but with our own thet.net
>> <http://thet.net/> domain. We have mx records for gmail's servers
>> and for our in house mailman server. Recently edited our DNS zones
>> due to SPF record check failures. Also, recently had to change out
>> IP block due to changes at our ISP. Here is the header info from a
>> message that I got from our Dean. It got flagged as Spam somewhere
>> along the way.
>
> You've deleted a bunch of header fields, it seems. That doesn't hurt
> this time -- it seems pretty clear that a misconfigured SpamAssassin
> is the problem. But you should tell us about it, and also consider
> leaving in the fields while redacting specific personal information
> such as mailboxes and IP addresses if you consider them sensitive.
>
> To the analysis. This appears to be the subject:
>
>> {Spam?} [TA Admin] {Spam?} [Employees] {Spam?} [Claws] {Spam?} SNOWBALL IS
>> CANCELLED FOR TONIGHT
>
> SpamAssassin ignores the parenthesized tags, and finds that the
> subject is all uppercase. 1.5 spam points. Tell your people not to
> use all uppercase, especially not in the subject, but also not in the
> body. This is a very good indicator of spam.
>
> This is your addressee list in the "To" field, right?
>
>> To: cl...@lists.thet.net students2...@lists.thet.net
>
> It happens to be sorted. 2.5 spam points, total 4. You're already
> almost busted! If you have control over SpamAssassin, this is a
> stupid rule unless you've got more than 5 addressees, and you should
> be giving that a lot of points anyway. Take that rule down to 1
> point, or disable it.
>
>> X-Thetnet-Mailscanner-Spamcheck:
>> spam, SORBS-SPAM,
>
> Dunno what the above line means.
>
>> SpamAssassin (cached, score=7.315, required 5,
>> BAYES_00 -1.90,
>
> Content is extremely unspam-like. Congratulate the author. :-)
>
>> DNS_FROM_AHBL_RHSBL 2.70,
>
> Ouch. Appears you are on a blacklist ... no, AHBL and RHSBL are
> deprecated and may not even be operating any more, lots of "too many
> false positives, how can I disable this rule?" on Google. See this
> URL:
>
> http://www.emailquestions.com/threads/how-to-disable-dns_from_ahbl_rhsbl-rbl-envelope-sender-listed-in-dnsbl-ahbl-org.10342/
>
>> HTML_MESSAGE 0.00,
>
> Yeah! "Friends don't let friends send HTML mail."
>
>> RCVD_IN_DNSWL_NONE -0.00,
>
> Good.
>
>> SORTED_RECIPS 2.50,
>> SUBJ_ALL_CAPS 1.51,
>
> As mentioned above.
>
>> SUSPICIOUS_RECIPS 2.51),
>
> I have no idea why you're getting that. Maybe somebody else has an
> idea, but if not you'll have to ask somebody with access to your
> SpamAssassin rule base. Anyway, the total above is already 8.2 (then
> you get 1.9 back for high-value content), you're busted.
>
>> Received: from dispatch.thet.net ([104.219.98.14]) by mx.google.com
>> with ESMTPS id n185si342354qke.282.2016.12.17.08.50.32
>> (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 17 Dec 2016
>> 08:50:32 -0800 (PST)
>> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
>> by dispatch.thet.net (Postfix) with ESMTP id A1013E6103A; Sat, 17
>> Dec 2016 11:49:56 -0500 (EST)
>> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
>> by dispatch.thet.net (Postfix) with ESMTP id BA586E61035; Sat, 17
>> Dec 2016 11:49:04 -0500 (EST)
>> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
>> by dispatch.thet.net (Postfix) with ESMTP id 12323E60FF7; Sat, 17
>> Dec 2016 11:48:05 -0500 (EST)
>
> I guess this is the chain of umbrella lists.
> You might want to see if
> you can get the addressees put in the logs so that you can figure out
> what's actually happening here.
>
>> Received: from mail-yw0-f177.google.com (mail-yw0-f177.google.com
>> [209.85.161.177]) by dispatch.thet.net (Postfix) with ESMTPS id 0F6F3E60FF7
>> for <cl...@lists.thet.net>; Sat, 17 Dec 2016 11:47:29 -0500 (EST)
>> Received: by mail-yw0-f177.google.com with SMTP id i145so46776688ywg.2 for
>> <cl...@lists.thet.net>; Sat, 17 Dec 2016 08:47:29 -0800 (PST)
>> Received: by 10.37.30.86 with HTTP; Sat, 17 Dec 2016 08:47:28 -0800 (PST)
>> Content-Type: multipart/mixed; boundary="===============0140925220=="
>> X-Thetnet-Mailscanner-Id: A1013E6103A.A0BA7
>> Delivered-To: glen.p...@thet.net.test-google-a.com
>> Delivered-To: ad...@lists.thet.net
>> Delivered-To: employ...@lists.thet.net
>> Delivered-To: cl...@lists.thet.net
>> X-Beenthere: cl...@lists.thet.net
>> X-Beenthere: employ...@lists.thet.net
>> X-Beenthere: ad...@lists.thet.net
>> Received-Spf: fail (google.com: domain of admin-boun...@lists.thet.net does
>> not designate 104.219.98.14 as permitted sender) client-ip=104.219.98.14;
>
> This is misconfigured, I think. lists.thet.net doesn't permit
> dispatch.thet.net to send for it?
>
>> Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>> d=thet-net.20150623.gappssmtp.com; s=20150623;
>> h=mime-version:from:date:message-id:subject:to;
>> bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=;
>> b=z4aCN7tqgI6/fqyUS0996YyJ3h9vBdciKFZDMciilUXU1d1VzpD9MPEw5iFzTvTiBk
>> JboPNIV4zE41HWJcMRL3FIJ2A9ahgpkAD+p48PIxjqveclm4BM92Ioj3LXqrXg6lLs+Q
>> SkqLIEl6DQLzWigaixP49UmPqbQjSbfxLvxq32MXFVldcOF7n/5Q1SfFQkErRq8S14x8
>> U1Keu94MZCSi2xp7bXj4ARdtdOsOOemWCRRSzrAd0nR+uqsW+aOKPHmqYZqHHz3Ct328
>> XH+wBOs/CUSe7sOrQCM/RlHb2IQg0rTS0t3V3jhZkYaquDF59rgTYsNyo7BEToSeXDfV QuOg==
>
> This is going to fail, since the subject is signed but you're adding
> tags all over the place.
> This is the safest available configuration,
> so it is not a problem (that you can do anything about), but you will
> DoS yourself if you ever set a DMARC policy of p=quarantine or
> p=reject. Just a word to the wise for the future.
>
> Hope this helps,
>
> Steve
>
> --
> Associate Professor Department of Policy and Planning Science
> http://turnbull/sk.tsukuba.ac.jp/ Faculty of Systems and Information
> Email: turnb...@sk.tsukuba.ac.jp University of Tsukuba
> Tel: 029-853-5175 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN

Glen Page
Director of Information Technology
ThetNet - Thetford Academy
802.785.4805.x231

"If a guy can dream up a way to cause an explosion, it will happen."
— Newton's Seventh Corollary of Physics

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
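
An added example, not part of the original thread or of Mailman/SpamAssassin: a Python sketch that parses the rule breakdown from the X-Thetnet-Mailscanner-Spamcheck header quoted above, totals it against the required threshold, recomputes the score with the two rule changes suggested in the reply (DNS_FROM_AHBL_RHSBL disabled, SORTED_RECIPS at 1 point), and lists which fields in the DKIM `h=` tag the list rewrites. The header value is re-joined from the quoted fragments; the function names and the assumption that only Subject is rewritten are illustrative.

```python
import re

# Header value re-joined from the fragments quoted in the thread above.
SPAMCHECK = (
    "spam, SORBS-SPAM, SpamAssassin (cached, score=7.315, required 5, "
    "BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, "
    "RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, "
    "SUSPICIOUS_RECIPS 2.51)"
)
DKIM_H = "mime-version:from:date:message-id:subject:to"  # h= tag as quoted


def parse_spamcheck(value):
    """Return (reported_score, required, {rule: points}) from the header."""
    report = re.search(r"SpamAssassin \((.*)\)", value, re.S).group(1)
    score = float(re.search(r"score=(-?[\d.]+)", report).group(1))
    required = float(re.search(r"required (-?[\d.]+)", report).group(1))
    rules = {name: float(pts) for name, pts in
             re.findall(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)", report)}
    return score, required, rules


def rescore(rules, overrides):
    """Sum rule points after overrides ({rule: points}; None disables)."""
    merged = {**rules, **overrides}
    return round(sum(p for p in merged.values() if p is not None), 2)


def broken_by_list(dkim_h, rewritten=("subject",)):
    """Signed fields the list rewrites (assumed: Subject tagging only)."""
    signed = {h.strip().lower() for h in dkim_h.split(":")}
    return sorted(signed & set(rewritten))


def triage():
    score, required, rules = parse_spamcheck(SPAMCHECK)
    # The two rule changes suggested in the quoted reply.
    tuned = rescore(rules, {"DNS_FROM_AHBL_RHSBL": None, "SORTED_RECIPS": 1.0})
    return {
        "reported": score,
        "summed": rescore(rules, {}),
        "flagged": score >= required,
        "tuned": tuned,
        "tuned_flagged": tuned >= required,
        "dkim_broken_fields": broken_by_list(DKIM_H),
    }


if __name__ == "__main__":
    print(triage())
```
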