Re: Sender needs help with false positive
Avoid marketing mass-mailers when sending administrative messages.

On Tue, Aug 8, 2017 at 12:56 AM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between :
>
> >>
>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify Account / Change Your Password.
>
> >>
>
> The emails are marked as spam. Sample report from IsnotSpam.com:
>
> SpamAssassin check details:
> -- ---
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 0.9995]
> * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
> * [50.31.63.50 listed in wl.mailspike.net]
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> * [score: 0.9995]
> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.1 HTML_MESSAGE BODY: HTML included in message
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> * domain
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
> X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
> RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
> version=3.4.0
> X-Spam-Score: 5.7
>
> I understand you trying to provide great software to fight email spam but you are making my life miserable. I am having more problems with our emails marked as spam than from the spam itself. Any help on how to avoid being marked as spam would help. Is there a way to be whitelisted by SpamAssassin globally.
> Most emails are blocked by internet providers like Cablevision or Comcast and getting them to help is IMPOSSIBLE. They just install the software and let it run as it is.
>
> Thank You
Re: Sender needs help with false positive
On Tue, 8 Aug 2017, Benny Pedersen wrote:

> Jacek Osuchowski wrote on 2017-08-08 00:56:
>
>> I understand you trying to provide great software to fight email spam
>
> stop using bad amavisd.conf, ask for help on amavisd maillist since your issue is not spamassassin
>
> if you like to get a better life use spampd instead of amavisd, amavisd is so simple to configure to bad results, where spampd is following spamassassin rule on tag only and do nothing more

...none of which helps him get his messages through **other people's** MTAs...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...we talk about creating "millions of shovel-ready jobs" for a society that doesn't really encourage people to pick up a shovel. -- Mike Rowe, testifying before Congress
---
8 days until the 72nd anniversary of the end of World War II
Re: Sender needs help with false positive
On Mon, 2017-08-07 at 19:15 -0400, Alex wrote:
> > version=3.4.0
>
> Version 3.4.0 is like ten years old. I also don't recall BAYES_999 being available in that version, so one thing or the other is not correct.

Minor nitpick: 3.4.0 was released in Feb 2014, slightly less than 10 years ago. ;)

But that's code only anyway, with sa-update rules' version and age are kept up-to-date independently.

Similarly the BAYES_999 test indeed is not part of the original 3.4.0 release. It has been published via sa-update though, and even older 3.3.x installations with sa-update have that rule today. The check_bayes() eval rule always supported the 99.9% variant, it's just a float number less than 1.0...
RE: Sender needs help with false positive
David,

Thanks a lot. I will try to modify the email text to have more 'meat on the bone'. I am just surprised email with no links, no ads, no attempts to sell anything can be interpreted as a spam. That img in the email is a tag from SendGrid email services used to trace the emails. I don't know if I can get rid of it.

Dianne,

I have the same concerns with links in the email. We do train our people how to spot 'funny' emails and to avoid clicking links in the emails unless they are absolutely sure of what they are doing and they still do stupid things.

Thank you all.

-----Original Message-----
From: David B Funk [mailto:dbf...@engineering.uiowa.edu]
Sent: Monday, August 07, 2017 7:54 PM
To: users@spamassassin.apache.org
Subject: Re: Sender needs help with false positive

On Mon, 7 Aug 2017, David Jones wrote:

[snip..]
> This IP is listed on SORBS and Spamhaus ZEN which are going to cause problems with delivery to many receiving mail filters, not just SpamAssassin.
>
> http://multirbl.valli.org/lookup/68.192.71.191.html
>

That's his PC which is the MSA. As it's the first hop, it's not surprising it hits Zen PBL (it should, given a host name like ool-44c047bf.dyn.optonline.net). That shouldn't score against him except in broken SA installations.

His problem is the small amount of text that looks like a phish spam and the embedded image.

--
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center, Iowa City, IA 52242-1527
Sys_admin/Postmaster/cell_admin
Better is not better, 'standard' is better.
RE: Sender needs help with false positive
On Mon, 7 Aug 2017, Jacek Osuchowski wrote:

> This is an email I sent to IsNotSpam.com. They list the whole thing when testing for spam. I am getting a lot of complaints from our customers that our emails are not received. Our domain is not blacklisted anywhere so I suspect it is the spam filtering (as IsNotSpam tool indicates). Is there anything in the email we send that could trigger flagging as a spam. THANK YOU
>
> https://pastebin.com/J1cdCHAe

Try this experiment. Take that same message, add two paragraphs of text describing your business/organization to the end and DELETE that embedded image. Re-test and I'll bet that you get a passing score.

--
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center, Iowa City, IA 52242-1527
Sys_admin/Postmaster/cell_admin
Better is not better, 'standard' is better.
Re: Sender needs help with false positive
On Mon, 7 Aug 2017, David Jones wrote:

[snip..]
> This IP is listed on SORBS and Spamhaus ZEN which are going to cause problems with delivery to many receiving mail filters, not just SpamAssassin.
>
> http://multirbl.valli.org/lookup/68.192.71.191.html

That's his PC which is the MSA. As it's the first hop, it's not surprising it hits Zen PBL (it should, given a host name like ool-44c047bf.dyn.optonline.net). That shouldn't score against him except in broken SA installations.

His problem is the small amount of text that looks like a phish spam and the embedded image.

--
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center, Iowa City, IA 52242-1527
Sys_admin/Postmaster/cell_admin
Better is not better, 'standard' is better.
Re: Sender needs help with false positive
On Mon, 7 Aug 2017 19:28:04 -0400 "Jacek Osuchowski" wrote:

> This is an email I sent to IsNotSpam.com. They list the whole thing when testing for spam. I am getting a lot of complaints from our customers that our emails are not received. Our domain is not blacklisted anywhere so I suspect it is the spam filtering (as IsNotSpam tool indicates). Is there anything in the email we send that could trigger flagging as a spam. THANK YOU

Don't send HTML. Just send a plain-text message. That'll knock 2.2 points off the score and bring it to 3.6. Simple fix, no?

Regards,

Dianne.
Re: Sender needs help with false positive
Jacek Osuchowski wrote on 2017-08-08 00:56:

> I understand you trying to provide great software to fight email spam

stop using bad amavisd.conf, ask for help on amavisd maillist since your issue is not spamassassin

if you like to get a better life use spampd instead of amavisd, amavisd is so simple to configure to bad results, where spampd is following spamassassin rule on tag only and do nothing more
Re: Sender needs help with false positive
On 08/07/2017 06:28 PM, Jacek Osuchowski wrote:
> This is an email I sent to IsNotSpam.com. They list the whole thing when testing for spam. I am getting a lot of complaints from our customers that our emails are not received. Our domain is not blacklisted anywhere so I suspect it is the spam filtering (as IsNotSpam tool indicates). Is there anything in the email we send that could trigger flagging as a spam. THANK YOU
>
> https://pastebin.com/J1cdCHAe
>
> -----Original Message-----
> From: Alex [mailto:mysqlstud...@gmail.com]
> Sent: Monday, August 07, 2017 7:16 PM
> To: ja...@osuchowski.net; SA Mailing list
> Subject: Re: Sender needs help with false positive
>
> Hi,
>
> On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
>> We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between :
>>
>> Your password to access your account is:
>>
>> S]U3bC7k
>>
>> Upon successful login you may change your password by going to Modify Account / Change Your Password.
>>
>> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>
> You can't control their bayes training so there's nothing you can do here.
>
>> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
>
> Are you sending these emails as an image or text? Do you have a text component to your message as well?
>
> Are you able to post an entire message that includes the headers to pastebin.com, as it appears when it leaves your network then forward the resulting link to the list?
>
>> version=3.4.0
>
> Version 3.4.0 is like ten years old. I also don't recall BAYES_999 being available in that version, so one thing or the other is not correct.

This IP is listed on SORBS and Spamhaus ZEN which are going to cause problems with delivery to many receiving mail filters, not just SpamAssassin.

http://multirbl.valli.org/lookup/68.192.71.191.html

--
David Jones
Password reset strategies (was Re: Sender needs help with false positive)
[Just replying to one aspect of the original message.]

On Mon, 7 Aug 2017 18:26:00 -0500 David Jones wrote:

> First, it's a bad idea for a number of reasons to send passwords via email. Most modern "lost password" mail loops use a unique URL that expires after a short period of time.

As long as both methods expire, both methods require answering a prearranged question (or some out-of-band method of authentication), and both methods require immediate changing of the password, a link is no more secure than sending the temporary password.

In fact, a link may eventually lead to *less* security as it's easier to phish people if legitimate messages include a link rather than not including a link. Encouraging people not to click links in messages like legitimate password recovery emails is a Good Thing, IMO, as it'll make them less likely to click links in fake ones.

I realize I'm tilting at windmills.

Regards,

Dianne.
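An added example, not part of any message in this thread, of the expiring reset credential the posters discuss: the credential is random, stored only as a hash, valid for a short window and usable once, and the notice is sent as text/plain only. The class and function names, the in-memory store and the example.com addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from email.message import EmailMessage


class ResetTokenStore:
    """Holds at most one pending reset credential per account (in memory here;
    a real site would keep the same fields in its own database)."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock              # injectable so expiry can be tested
        self._pending = {}              # account -> (sha256 digest, expires_at)

    def issue(self, account):
        """Create a fresh credential; any older one for the account is replaced."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("ascii")).digest()
        # Only the digest is stored, so a leaked table does not yield usable tokens.
        self._pending[account] = (digest, self.clock() + self.ttl)
        return token

    def redeem(self, account, token):
        """Return True exactly once for a valid, unexpired credential.
        On True the caller must force an immediate password change."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() >= expires_at:
            del self._pending[account]  # expired credentials are discarded
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(digest, presented):
            return False                # wrong guess: the pending entry stays
        del self._pending[account]      # single use
        return True


def build_reset_mail(sender, recipient, reset_url, ttl_minutes):
    """Plain-text notice: no HTML part and no embedded tracking image."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Password reset requested for your Example Site account"
    msg.set_content(
        "A password reset was requested for your Example Site account.\n\n"
        f"To choose a new password, open this address within {ttl_minutes} minutes:\n\n"
        f"{reset_url}\n\n"
        "The address works once. If you did not ask for a reset, ignore this\n"
        "message and your current password stays unchanged.\n"
    )
    return msg


if __name__ == "__main__":
    store = ResetTokenStore(ttl_seconds=900)
    token = store.issue("alice")
    url = "https://www.example.com/reset?account=alice&token=" + token
    mail = build_reset_mail("accounts@example.com", "alice@example.com", url, 15)
    print(mail.get_content_type())            # text/plain
    print(store.redeem("alice", token))       # True
    print(store.redeem("alice", token))       # False, already used
```

The same store works unchanged if the mailed credential is a temporary password rather than a URL parameter; what matters in both cases is the expiry, the single use and the forced password change.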
Re: Sender needs help with false positive
On Mon, 7 Aug 2017, Alex wrote:

> Hi,
>
> On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
>> We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between :
>>
>> Your password to access your account is:
>>
>> S]U3bC7k
>>
>> Upon successful login you may change your password by going to Modify Account / Change Your Password.
>>
>> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>
> You can't control their bayes training so there's nothing you can do here.

You -can- control the content of your message. I'm guessing that short password reset message doesn't have very many tokens, and the ones that it does have may be too close a match to things like password phish spams. (something that we train heavily on).

Put more text in there that is related to your business/organization which will be unique and thus unlike other spammy message.

>> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
>
> Are you sending these emails as an image or text? Do you have a text component to your message as well?

More to the point do you have an image attached/embedded in your message? If so, either drop it altogether or add a few Kbytes of text to balance it out.

--
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center, Iowa City, IA 52242-1527
Sys_admin/Postmaster/cell_admin
Better is not better, 'standard' is better.
Re: Sender needs help with false positive
On 08/07/2017 05:56 PM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between :
>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify Account / Change Your Password.
>
> The emails are marked as spam. Sample report from IsnotSpam.com:
>
> SpamAssassin check details:
> -- ---
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 0.9995]
> * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
> * [50.31.63.50 listed in wl.mailspike.net]
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> * [score: 0.9995]
> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.1 HTML_MESSAGE BODY: HTML included in message
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> * domain
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
> X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
> RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
> version=3.4.0
> X-Spam-Score: 5.7
>
> I understand you trying to provide great software to fight email spam but you are making my life miserable. I am having more problems with our emails marked as spam than from the spam itself. Any help on how to avoid being marked as spam would help. Is there a way to be whitelisted by SpamAssassin globally. Most emails are blocked by internet providers like Cablevision or Comcast and getting them to help is IMPOSSIBLE. They just install the software and let it run as it is.
>
> Thank You

Perhaps you should take a little time to figure out what should be changed in that message body to make those emails not score so high.

First, it's a bad idea for a number of reasons to send passwords via email. Most modern "lost password" mail loops use a unique URL that expires after a short period of time.

Secondly, that text in the body is very commonly used by bad actors trying to phish passwords. Why not change the text a bit and run it through the isnotspam.com site until it doesn't hit such a high Bayesian rule. This won't guarantee the Bayesian score of other SpamAssassin platforms but should give a good hint as to what wording is not good to use.

Third, if you could send us complete headers, then we may be able to provide more help. The SPF and DKIM look good and you seem to be doing all of the reputation stuff properly. It comes down to content checks (BAYES) then.

--
David Jones
RE: Sender needs help with false positive
This is an email I sent to IsNotSpam.com. They list the whole thing when testing for spam. I am getting a lot of complaints from our customers that our emails are not received. Our domain is not blacklisted anywhere so I suspect it is the spam filtering (as IsNotSpam tool indicates). Is there anything in the email we send that could trigger flagging as a spam. THANK YOU

https://pastebin.com/J1cdCHAe

-----Original Message-----
From: Alex [mailto:mysqlstud...@gmail.com]
Sent: Monday, August 07, 2017 7:16 PM
To: ja...@osuchowski.net; SA Mailing list
Subject: Re: Sender needs help with false positive

Hi,

On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between :
>
> >>
>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify Account / Change Your Password.
>
> >>
>
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%

You can't control their bayes training so there's nothing you can do here.

> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

Are you sending these emails as an image or text? Do you have a text component to your message as well?

Are you able to post an entire message that includes the headers to pastebin.com, as it appears when it leaves your network then forward the resulting link to the list?

> version=3.4.0

Version 3.4.0 is like ten years old. I also don't recall BAYES_999 being available in that version, so one thing or the other is not correct.
Re: Sender needs help with false positive
Hi,

On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between :
>
> >>
>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify Account / Change Your Password.
>
> >>
>
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%

You can't control their bayes training so there's nothing you can do here.

> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

Are you sending these emails as an image or text? Do you have a text component to your message as well?

Are you able to post an entire message that includes the headers to pastebin.com, as it appears when it leaves your network then forward the resulting link to the list?

> version=3.4.0

Version 3.4.0 is like ten years old. I also don't recall BAYES_999 being available in that version, so one thing or the other is not correct.
Sender needs help with false positive
We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between :

>

Your password to access your account is:

S]U3bC7k

Upon successful login you may change your password by going to Modify Account / Change Your Password.

>

The emails are marked as spam. Sample report from IsnotSpam.com:

SpamAssassin check details:
-- ---
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 0.9995]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
* [50.31.63.50 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 0.9995]
* 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
* 0.1 HTML_MESSAGE BODY: HTML included in message
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
version=3.4.0
X-Spam-Score: 5.7

I understand you trying to provide great software to fight email spam but you are making my life miserable. I am having more problems with our emails marked as spam than from the spam itself. Any help on how to avoid being marked as spam would help. Is there a way to be whitelisted by SpamAssassin globally. Most emails are blocked by internet providers like Cablevision or Comcast and getting them to help is IMPOSSIBLE. They just install the software and let it run as it is.

Thank You
Re: Random word spams and wiki spams
On 08/07/2017 02:53 PM, Scott wrote:
> David:
>
> re: Postscreen weighted RBLs
>
> I've got my postscreen setup with some weighted RBL's. But I was curious what others did here. I searched for that subject and didn't get any specific hits. Any particular thread you know of?

See the bottom of this page.

https://lists.gt.net/spamassassin/users/199423?search_string=senderscore;#199423

Postwhite perfectly complements a well-tuned RBL list and is a must to prevent false positives:

https://github.com/stevejenkins/postwhite

I add trusted senders and freemail domains to the "custom_hosts=" entry to allow them past Postscreen and into SA for primarily content-based filtering.

custom_hosts="comcast.net rr.com bluehost.com mxlogic.net messagelabs.com messagegears.net authsmtp.com eventbrite.com trendmicro.com spf.mandrillapp.com amazonses.com radware.com embarqmail.com mailer.surveygizmo.com app.sgizmo.com spf.ess.barracudanetworks.com"

Postwhite now handles Yahoo IPs to work around their odd SPF record.

--
David Jones
Re: Results of Individual Tests on spamd "CHECK"
On Mon, 2017-08-07 at 14:17 -0500, Jerry Malcolm wrote:
> I tried SYMBOLS. You are correct that it lists the tests, but not the results:
>
> BAYES_95,HTML_IMAGE_ONLY_32,HTML_MESSAGE,JAM_DO_STH_HERE,LOTS_OF_MONEY,MIME_HTML_ONLY,
> [...]
>
> But I saw this line in a forum discussion... So I'm sure there is some way to generate it.
>
> >>> tests=[AWL=-1.103, BAYES_00=-2.599,
> HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25]
>
> Any ideas?

That particular one appears to be part of the Amavisd-new generated headers.

You can get the same rules with individual scores in stock SA using the _TESTSSCORES(,)_ Template Tag with the add_header config option. See M::SA::Conf docs [1].

For ad-hoc testing without adding this to your general SA / spamd configuration, feed the sample message to the plain spamassassin script with additional --cf configuration:

  spamassassin --cf="add_header all TestsScores tests=_TESTSSCORES(,)_" < message

Also see 10_default_prefs.cf for more informational detail in the stock Status header.

> On 8/7/2017 1:13 PM, Daniel J. Luke wrote:
> > On Aug 7, 2017, at 2:00 PM, Jerry Malcolm wrote:
> > > I'm invoking spamd using:
> > >
> > > CHECK SPAMC/1.2\r\n
> > >

Not your best option for ad-hoc tests... ;)

> > > Can someone tell me what I need to add to the spamd call (and the syntax) in order to get the results of the individual tests returned as part of the status?

You will need SA configuration. The spamd protocol itself does not allow such fine grained configuration.

[1] http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html
Re: Random word spams and wiki spams
David:

re: Postscreen weighted RBLs

I've got my postscreen setup with some weighted RBL's. But I was curious what others did here. I searched for that subject and didn't get any specific hits. Any particular thread you know of?
Re: Results of Individual Tests on spamd "CHECK"
David,

Thanks, I'll try REPORT.

I am indeed using the full spamd invocation as you described. I just abbreviated it in my orig post. It has been working for a couple of years. I'm just seeing a few spams that I can't seem to get rid of. I've tried training BAYES with them. But I'm still getting negative scores on them. So I simply wanted to be able to do a bit of research dissecting the score to see why the score is what it is.

Thanks again.

Jerry

On 8/7/2017 1:33 PM, David B Funk wrote:
> On Mon, 7 Aug 2017, Jerry Malcolm wrote:
>
>> I'm invoking spamd using:
>>
>> CHECK SPAMC/1.2\r\n
>>
>> I'm getting the expected response such as:
>>
>> Spam: False ; -1.8 / 4.0
>>
>> I am trying to figure out how to get the TESTS= results of the individual tests returned as well.
>>
>> (e.g.tests=[AWL=-1.103, BAYES_00=-2.599, HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25])
>>
>> I see there's an option in spamc that appears to do that. But I can't figure out how to make that happen when I do a direct socket invoke of spamd.
>>
>> Can someone tell me what I need to add to the spamd call (and the syntax) in order to get the results of the individual tests returned as part of the status?
>>
>> Thanks,
>>
>> Jerry
>
> Jerry,
>
> the spamd 'CHECK' command just returns the status+score, nothing else.
> the spamd 'REPORT' command returns the status+score and report.
>
> So replace 'CHECK' with 'REPORT' in your spamd call. Then be ready to read an arbitrary number of additional lines in the return connection.
>
> Note that it will not return any part of the original message. If you want to use any of the SA report features that add additional headers (such as the relays header) you will need to use a different spamd command: 'HEADERS'.
>
> BTW, I cannot tell from your posting if you have one detail correct; you need the command, (and any additional optional arguments) then a blank line, then the message.
>
> EG:
>
> REPORT SPAMC/1.2\r\n
> User: joe-blow\r\n
> \r\n
Re: Results of Individual Tests on spamd "CHECK"
I tried SYMBOLS. You are correct that it lists the tests, but not the results:

BAYES_95,HTML_IMAGE_ONLY_32,HTML_MESSAGE,JAM_DO_STH_HERE,LOTS_OF_MONEY,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,SUBJ_DOLLARS,T_HTML_TAG_BALANCE_CENTER,URIBL_BLOCKED,URIBL_DBL_SPAM,URIBL_SBL_A

But I saw this line in a forum discussion... So I'm sure there is some way to generate it.

>>> tests=[AWL=-1.103, BAYES_00=-2.599, HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25]

Any ideas?

Thx

On 8/7/2017 1:13 PM, Daniel J. Luke wrote:
> On Aug 7, 2017, at 2:00 PM, Jerry Malcolm wrote:
>> I'm invoking spamd using:
>>
>> CHECK SPAMC/1.2\r\n
>>
>> I'm getting the expected response such as:
>>
>> Spam: False ; -1.8 / 4.0
>>
>> I am trying to figure out how to get the TESTS= results of the individual tests returned as well.
>
> did you try SYMBOLS?
>
> spamd/PROTOCOL says:
>
> "SYMBOLS command returns the same as CHECK, followed by a line listing all the rule names, separated by commas."
>
> (that will give you the names of all the tests hit, but I don't think you get their scores).
>
>> (e.g.tests=[AWL=-1.103, BAYES_00=-2.599, HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25])
>>
>> I see there's an option in spamc that appears to do that. But I can't figure out how to make that happen when I do a direct socket invoke of spamd.
>>
>> Can someone tell me what I need to add to the spamd call (and the syntax) in order to get the results of the individual tests returned as part of the status?
Re: Results of Individual Tests on spamd "CHECK"
On Mon, 7 Aug 2017, Jerry Malcolm wrote:

> I'm invoking spamd using:
>
> CHECK SPAMC/1.2\r\n
>
> I'm getting the expected response such as:
>
> Spam: False ; -1.8 / 4.0
>
> I am trying to figure out how to get the TESTS= results of the individual tests returned as well.
>
> (e.g.tests=[AWL=-1.103, BAYES_00=-2.599, HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25])
>
> I see there's an option in spamc that appears to do that. But I can't figure out how to make that happen when I do a direct socket invoke of spamd.
>
> Can someone tell me what I need to add to the spamd call (and the syntax) in order to get the results of the individual tests returned as part of the status?
>
> Thanks,
>
> Jerry

Jerry,

the spamd 'CHECK' command just returns the status+score, nothing else.
the spamd 'REPORT' command returns the status+score and report.

So replace 'CHECK' with 'REPORT' in your spamd call. Then be ready to read an arbitrary number of additional lines in the return connection.

Note that it will not return any part of the original message. If you want to use any of the SA report features that add additional headers (such as the relays header) you will need to use a different spamd command: 'HEADERS'.

BTW, I cannot tell from your posting if you have one detail correct; you need the command, (and any additional optional arguments) then a blank line, then the message.

EG:

REPORT SPAMC/1.2\r\n
User: joe-blow\r\n
\r\n

--
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center, Iowa City, IA 52242-1527
Sys_admin/Postmaster/cell_admin
Better is not better, 'standard' is better.
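The request framing and REPORT reply handling described in this thread, as an added example that is not part of any poster's message or of the SpamAssassin code base. The function names, the sample message and the sample reply are constructed for illustration; the `Content-length` request header and port 783 are spamd's documented defaults and are assumed here.

```python
import re
import socket

CRLF = b"\r\n"


def build_request(command, message, user=None, version="1.2"):
    """Frame one spamd request: command line, headers, blank line, message."""
    head = [f"{command} SPAMC/{version}", f"Content-length: {len(message)}"]
    if user:
        head.append(f"User: {user}")
    return CRLF.join(h.encode("ascii") for h in head) + CRLF + CRLF + message


STATUS_RE = re.compile(r"^SPAMD/\S+ (\d+) (.*)$")
VERDICT_RE = re.compile(r"^(\w+)\s*;\s*(-?[\d.]+)\s*/\s*(-?[\d.]+)$")
# A per-rule row of the report: points, rule name, description.
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")


def parse_response(raw):
    """Parse a CHECK or REPORT reply into verdict, score and per-rule points."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("truncated reply: no blank line after the headers")
    lines = head.decode("ascii", "replace").split("\r\n")
    status = STATUS_RE.match(lines[0])
    if not status:
        raise ValueError("not a spamd status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"code": int(status.group(1)), "status": status.group(2),
              "is_spam": None, "score": None, "threshold": None, "rules": []}
    verdict = VERDICT_RE.match(headers.get("spam", ""))
    if verdict:
        result["is_spam"] = verdict.group(1).lower() in ("true", "yes")
        result["score"] = float(verdict.group(2))
        result["threshold"] = float(verdict.group(3))
    # REPORT returns an arbitrary number of extra lines; keep the rule rows
    # and skip headings, separators and continuation lines such as "[score: ...]".
    for line in body.decode("utf-8", "replace").splitlines():
        row = RULE_RE.match(line)
        if row:
            result["rules"].append((row.group(2), float(row.group(1))))
    return result


def query_spamd(message, command="REPORT", host="127.0.0.1", port=783, user=None):
    """Send one request to a running spamd and read the reply until EOF."""
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.sendall(build_request(command, message, user))
        sock.shutdown(socket.SHUT_WR)          # nothing more to send
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample message and reply, so the parser can be run offline.
SAMPLE_MESSAGE = (b"From: accounts@example.com\r\nTo: alice@example.com\r\n"
                  b"Subject: Password reset\r\n\r\nYour reset notice.\r\n")
SAMPLE_BODY = (
    b"Content analysis details:   (5.7 points, 5.0 required)\n\n"
    b" pts rule name              description\n"
    b"---- ---------------------- ----------------------------------------\n"
    b" 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%\n"
    b"                            [score: 0.9995]\n"
    b" 2.1 HTML_IMAGE_ONLY_12     BODY: HTML: images with 800-1200 bytes of words\n"
    b"-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature\n"
)
SAMPLE_RESPONSE = (b"SPAMD/1.1 0 EX_OK\r\nContent-length: %d\r\n"
                   b"Spam: True ; 5.7 / 5.0\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    print(build_request("REPORT", SAMPLE_MESSAGE, user="joe-blow").decode())
    print(parse_response(SAMPLE_RESPONSE))
```

Sorting the `rules` list by points shows at a glance which tests carry a message over, or keep it under, the threshold.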
Re: Logwatch from local machine being flagged as spam
On 2017-08-06 10:37, Scott wrote:
> Centos7
> Postfix 3.2.2
> Amavisd 2.11.0
> spamassassin-3.4.0

> To: r...@mail2.myserver.com
> From: logwa...@mail2.myserver.com

Since these are locally submitted messages (i.e. not SMTP), IMO the best and cleanest way to deal with it is to tell the MTA not to pass them to amavisd, if you can. This is easy to do with Exim, for example - I'm not sure about Postfix. Then you don't have to care about the IP addresses or domains.

--
Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.
Results of Individual Tests on spamd "CHECK"
I'm invoking spamd using:

CHECK SPAMC/1.2\r\n

I'm getting the expected response such as:

Spam: False ; -1.8 / 4.0

I am trying to figure out how to get the TESTS= results of the individual tests returned as well.

(e.g.tests=[AWL=-1.103, BAYES_00=-2.599, HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25])

I see there's an option in spamc that appears to do that. But I can't figure out how to make that happen when I do a direct socket invoke of spamd.

Can someone tell me what I need to add to the spamd call (and the syntax) in order to get the results of the individual tests returned as part of the status?

Thanks,

Jerry
Re: SA 3.4.1 for Centos 7?
On 08/07/2017 08:37 AM, Scott wrote:
> spamassassin-3.4.1-14.fc27.src.rpm is available now.
>
> When trying to rebuild that src (or the one you mentioned earlier) for my Centos7 box I get these warnings: Is this OK? Is there a fix?
>
> spamc/libspamc.c: In function '_try_to_connect_tcp':
> spamc/libspamc.c:490:19: warning: variable 'family' set but not used [-Wunused-but-set-variable]
>      char *family = NULL;
>            ^
> spamc/libspamc.c: In function 'message_filter':
> spamc/libspamc.c:1217:11: warning: assignment discards 'const' qualifier from pointer target type [enabled by default]
>      meth = TLSv1_client_method();
>           ^
> spamc/libspamc.c:1219:11: warning: assignment discards 'const' qualifier from pointer target type [enabled by default]
>      meth = SSLv3_client_method(); /* default */
>           ^
> spamc/libspamc.c: In function 'message_tell':
> spamc/libspamc.c:1607:7: warning: assignment discards 'const' qualifier from pointer target type [enabled by default]
>      meth = SSLv3_client_method();
>           ^
> spamc/libspamc.c: In function 'transport_setup':
> spamc/libspamc.c:1914:35: warning: unused variable 'addrp' [-Wunused-variable]
>      struct addrinfo hints, *res, *addrp;
>                                    ^
> spamc/libspamc.c: In function 'libspamc_log':
> spamc/libspamc.c:2242:9: warning: ignoring return value of 'write', declared with attribute warn_unused_result [-Wunused-result]
>      (void) write (2, buf, len);
>      ^

I get this too and it still builds fine and works properly. These are only warnings.

--
David Jones
Re: Logwatch from local machine being flagged as spam
On Sun, 6 Aug 2017 10:37:36 -0700 (MST) Scott wrote:

> Centos7
> Postfix 3.2.2
> Amavisd 2.11.0
> spamassassin-3.4.0
>
> I have a logwatch output that gets mailed to me daily. Spamassassin is scoring it high enough as exceed my threshold for whacking it as spam.
>
> While this is not good, I'm concerned I have something fundamental misconfigured where it would flag anything internal at all. Bayes is not being used yet (tokens <200). What is the proper way to allow messages from the server itself to not get flagged by SA?
>
> I have the server's IP address (y.y.y.y) in my lists of trusted and internal as so:
> trusted_networks xx.xx.xx.xx
> trusted_networks y.y.y.y
> trusted_networks z.z.z.z
>
> internal_networks xx.xx.xx.xx
> internal_networks y.y.y.y
> internal_networks z.z.z.z
>
> I don't see that that made any difference. Shouldn't it have?
>
> Header of intercepted message:
>
> From MAILER-DAEMON Sun Aug 6 04:02:19 2017
> Return-Path: <>
> X-Original-To: s...@myserver.com
> Delivered-To: s...@myserver.com
> X-Envelope-From:
> X-Envelope-To:
> X-Envelope-To-Blocked:
> X-Quarantine-ID:
> X-Spam-Flag: YES
> X-Spam-Score: 7.332
> X-Spam-Level: ***
> X-Spam-Status: Yes, score=7.332 tag=- tag2=5 kill=6.4
> tests=[NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001,
> URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5,
> URIBL_GREY=1.084, URIBL_SBL_A=0.1] autolearn=no

What's happening here is that SA is picking-up spammer domains in the text. SA is seeing no Received headers so whitelist_from_rcvd isn't going to work and your internal/trusted networks are irrelevant.

What you could do is meta NO_RELAYS with a rule that's a suitable identifier for this kind of mail. Check that you aren't seeing NO_RELAYS in any spam.
Re: Increased spam related to drugs such as medicine and health
On 08/07/2017 08:25 AM, Naisiew Yeak wrote:
> Hi All,
>
> Recently we noticed an increase in spam mostly related to drugs, like
> medication, health and so on. Is that correct? Is anyone of you
> experiencing the same?
>
> The current updated version is 1799552 since June 2017.

That is the latest version of rules, which are still on hold while we are investigating an issue with the generation of 72_scores.cf. There really haven't been any rule updates anyway, so we aren't missing much other than slight score changes from the nightly masscheck processing.

There are other things commonly added to a SpamAssassin setup that help better with dynamic detection of new spam campaigns, such as:

- KAM.cf rules
- ClamAV UNOFFICIAL sigs
- DCC, Razor, Pyzor
- RBL additions/tuning (senderscore.org, lashback, etc.)
- regular bayesian DB training
- local custom rules with header and body content matching

I also bump up FREEMAIL rule hits a point or two to trust them a little less, since this is a common source of spam.

If you need more specific answers, please include details about your SA setup like what is calling it (spamd, amavis, MIMEDefang, MailScanner, etc.), your threshold score for blocking, the MTA used, and any customizations you have done.

--
David Jones
Re: SA 3.4.1 for Centos 7?
spamassassin-3.4.1-14.fc27.src.rpm is available now.

When trying to rebuild that src (or the one you mentioned earlier) for my Centos7 box I get these warnings: Is this OK? Is there a fix?

  spamc/libspamc.c: In function '_try_to_connect_tcp':
  spamc/libspamc.c:490:19: warning: variable 'family' set but not used [-Wunused-but-set-variable]
    char *family = NULL;
    ^
  spamc/libspamc.c: In function 'message_filter':
  spamc/libspamc.c:1217:11: warning: assignment discards 'const' qualifier from pointer target type [enabled by default]
    meth = TLSv1_client_method();
    ^
  spamc/libspamc.c:1219:11: warning: assignment discards 'const' qualifier from pointer target type [enabled by default]
    meth = SSLv3_client_method(); /* default */
    ^
  spamc/libspamc.c: In function 'message_tell':
  spamc/libspamc.c:1607:7: warning: assignment discards 'const' qualifier from pointer target type [enabled by default]
    meth = SSLv3_client_method();
    ^
  spamc/libspamc.c: In function 'transport_setup':
  spamc/libspamc.c:1914:35: warning: unused variable 'addrp' [-Wunused-variable]
    struct addrinfo hints, *res, *addrp;
    ^
  spamc/libspamc.c: In function 'libspamc_log':
  spamc/libspamc.c:2242:9: warning: ignoring return value of 'write', declared with attribute warn_unused_result [-Wunused-result]
    (void) write (2, buf, len);
    ^

--
View this message in context: http://spamassassin.1065346.n5.nabble.com/SA-3-4-1-for-Centos-7-tp136474p137981.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Increased spam related to drugs such as medicine and health
Hi All,

Recently we noticed an increase in spam mostly related to drugs, like medication, health and so on. Is that correct? Is anyone of you experiencing the same?

The current updated version is 1799552 since June 2017.

Thanks.

--
Naisiew Yeak
Re: Logwatch from local machine being flagged as spam
On 08/06/2017 05:10 PM, msxc wrote:
>>> I have a logwatch output that gets mailed to me daily. Spamassassin is
>>> scoring it high enough as to exceed my threshold for whacking it as spam.
>> Please subscribe to the list for future posts.
>>
>> However, I would argue that this is expected behavior because your
>> logwatch notice almost certainly contains lots of information about spam
>> emails. You'll want to look at whitelisting/exempting it from scanning.
>
> KAM, thanks. Re subscribe, I am, I may have my sending address crossed up as
> I migrate to a new server. I'll try to get that straightened out. Sorry
> about that.
>
> I understand/agree with your point. If it smells like spam, tag it if asked
> to analyze it. Perhaps I incorrectly assumed it shouldn't be smelling for
> trusted networks. :)
>
> Anyway, I found a potential cause, or at least a misconfiguration. I've got
> Amavisd calling SA and I missed a primary IP in its mynetworks setting. If
> that doesn't clear it I'll see about whitelisting.

As Alex already mentioned, the mynetworks setting isn't about whitelisting. That only controls the ALL_TRUSTED rule hit and some other RBL checks based on last_external. Basically it provides a little trust based on IP reputation and has nothing to do with content-based rules that are most likely the problem with logwatch emails.

I would and have set up a whitelist_from_rcvd entry something like:

  whitelist_from_rcvd root@* [ip.ad.dr.ess]

or

  whitelist_from_rcvd root@* mycompany.com

Note the second one is going to be useful if you have set up correct FCrDNS, which is not common on internal RFC 1918 network space, so I would recommend the IP address version.

--
David Jones
RE: Logwatch from local machine being flagged as spam
>> I have a logwatch output that gets mailed to me daily. Spamassassin is
>> scoring it high enough as to exceed my threshold for whacking it as spam.
> Please subscribe to the list for future posts.
>
> However, I would argue that this is expected behavior because your
> logwatch notice almost certainly contains lots of information about spam
> emails. You'll want to look at whitelisting/exempting it from scanning.

KAM, thanks. Re subscribe, I am, I may have my sending address crossed up as I migrate to a new server. I'll try to get that straightened out. Sorry about that.

I understand/agree with your point. If it smells like spam, tag it if asked to analyze it. Perhaps I incorrectly assumed it shouldn't be smelling for trusted networks. :)

Anyway, I found a potential cause, or at least a misconfiguration. I've got Amavisd calling SA and I missed a primary IP in its mynetworks setting. If that doesn't clear it I'll see about whitelisting.

Thanks,
Scott