RE: FW: Tons of spam getting through

2014-08-22 Thread Greg Ledford
Changed and Amavis has been restarted. I’ll check the headers on the next 
piece of spam to come through. Thanks

I’m still trying to figure out how illegitimate stuff like this is getting 
through. It’s obviously a virus (which was caught) but then why did the email 
get through? I see the flag was for 4.0 so it wasn’t enough to kick it out 
based on wording but wouldn’t something in the headers be forged and catch this?

Received: from smtp.phhwtechnology.com (10.0.1.7) by mail.phhwtechnology.com
(10.0.1.5) with Microsoft SMTP Server id 14.3.195.1; Fri, 22 Aug 2014
15:12:59 -0500
Received: from localhost (localhost [127.0.0.1]) by smtp.phhwtechnology.com
(Postfix) with ESMTP id DCC4C194998E for gledf...@phhwtechnology.com; Fri,
22 Aug 2014 15:01:50 -0500 (CDT)
X-Quarantine-ID: NDBldcOJqsG1
X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char C2 hex):
From: Janna

\021\303\202\302\261N\303\203\302\276\303\203\302\267\022\303\202\302\256\303\202\302\270\303\203\302\230\303\203\302\273[...]
X-Spam-Flag: NO
X-Spam-Score: 4.803
X-Spam-Level: 
X-Spam-Status: No, score=4.803 tagged_above=-100 required=5
tests=[DCC_CHECK=1.1, FROM_ILLEGAL_CHARS=2.059,
RCVD_IN_BRBL_LASTEXT=1.644] autolearn=no autolearn_force=no
Received: from smtp.phhwtechnology.com ([127.0.0.1])  by localhost
(smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024)  with ESMTP 
id
NDBldcOJqsG1 for gledf...@phhwtechnology.com; Fri, 22 Aug 2014 15:01:49
-0500 (CDT)
Received-SPF: none (smtp.1-800-optisource.com: No applicable sender policy 
available) receiver=spamfilter; identity=mailfrom; 
envelope-from=dqyf...@smtp.1-800-optisource.com; 
helo=smtp.1-800-optisource.com; client-ip=96.56.14.106
Received: from smtp.1-800-optisource.com (smtp.1-800-optisource.com
[96.56.14.106]) by smtp.phhwtechnology.com (Postfix) with ESMTP id
4BDCC194998A for gledf...@phhwtechnology.com; Fri, 22 Aug 2014 15:01:48
-0500 (CDT)
From:
Janna 
??N??{|r???@??}W^-??#??|jQZ??+??c??_1R??cK??|
/]8'+%??5????u??,

Rw??d}?jh@smtp.phhwtechnology.com,
zS]??? dqyf...@smtp.1-800-optisource.com
To: gledf...@phhwtechnology.com
Subject: inovice_AUG_7831915.pdf
Date: Fri, 22 Aug 2014 16:01:06 -0400
Message-ID: 5921d510-35dc-be7b-ad00-8655a7347...@mail.phhwtechnology.com
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0025_01CFBE22.48401B00
Return-Path: dqyf...@smtp.1-800-optisource.com
X-MS-Exchange-Organization-AuthSource: WEBSERVER01.mail.phhwtechnology.com
X-MS-Exchange-Organization-AuthAs: Anonymous


Re: FW: Tons of spam getting through

2014-08-20 Thread Matus UHLAR - fantomas

On Tue, 19 Aug 2014, Greg Ledford wrote:

What exactly are SA headers supposed to look like?


On 19.08.14 13:05, John Hardin wrote:

SA headers look like this:



X-Spam-Status: No, score=0.138 tagged_above=-100 required=5
  tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
  autolearn=no autolearn_force=no


This one is actually amavisd header, which means that the MTA uses
spamassassin indirectly. Just FYI.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


RE: FW: Tons of spam getting through

2014-08-19 Thread Greg Ledford
What exactly are SA headers supposed to look like? I’m still getting quite a 
bit of spam coming through. It’s blocking quite a bit but I’m not so sure SA is 
even doing its job. Is there maybe a way to just block everything from anything 
.us?  Stuff like this is being missed (what’s really amusing is this list 
blocked my original response because IT sure seems to know what spam is!) :

Received: from smtp.phhwtechnology.com (10.0.1.7) by mail.phhwtechnology.com
(10.0.1.5) with Microsoft SMTP Server id 14.3.195.1; Mon, 18 Aug 2014
10:56:42 -0500
Received: from localhost (localhost [127.0.0.1]) by smtp.phhwtechnology.com
(Postfix) with ESMTP id 0F1811948379   for 
gledf...@phhwtechnology.commailto:gledf...@phhwtechnology.com; Mon,
18 Aug 2014 10:45:28 -0500 (CDT)
X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
X-Spam-Flag: NO
X-Spam-Score: 0.138
X-Spam-Level:
X-Spam-Status: No, score=0.138 tagged_above=-100 required=5
tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
autolearn=no autolearn_force=no
Received: from smtp.phhwtechnology.com ([127.0.0.1])  by localhost
(smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024)  with ESMTP 
id
f63HgJVgBWwg for 
gledf...@phhwtechnology.commailto:gledf...@phhwtechnology.com;  
 Mon, 18 Aug 2014 10:45:23
-0500 (CDT)
Received-SPF: pass (onlyfastsloans.us: 107.158.196.226 is authorized to use 
'quick.apprv...@onlyfastslans.us' in 'mfrom' identity (mechanism 'a' matched)) 
receiver=spamfilter; identity=mailfrom; 
envelope-from=quick.approv...@onlyfastslans.usmailto:quick.approv...@onlyfastslans.us;
 helo=onlyfastslans.us; client-ip=107.158.196.226
Received: from onlyfastslans.us (items.onlyfastslans.us [107.158.196.226])
by smtp.phhwtechnology.com (Postfix) with ESMTP id A4EE81948385 
   for
gledf...@phhwtechnology.commailto:gledf...@phhwtechnology.com; Mon, 18 Aug 
2014 10:45:23 -0500 (CDT)
Date: Mon, 18 Aug 2014 08:45:25 -0700
Subject: Fnds Up to 5000dollars on 8-18-2014. Notic #14258781
From: Fast-Funds684 
quick.apprv...@onlyfastslans.usmailto:quick.apprv...@onlyfastslans.us
To: gledf...@phhwtechnology.commailto:gledf...@phhwtechnology.com
Message-ID: 
20140818154528.0f1811948...@smtp.phhwtechnology.commailto:20140818154528.0f1811948...@smtp.phhwtechnology.com
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: 
quick.apprv...@onlyfastslans.usmailto:quick.apprv...@onlyfastslans.us
X-MS-Exchange-Organization-AuthSource: WEBSERVER01.mail.phhwtechnology.com
X-MS-Exchange-Organization-AuthAs: Anonymous

Use sa_tag_level_deflt  = -100;
All your emails will have the SpamAssassin headers.
Changed and Amavis has been restarted. I’ll check the headers on the next 
piece of spam to come through. Thanks


RE: FW: Tons of spam getting through

2014-08-19 Thread John Hardin

On Tue, 19 Aug 2014, Greg Ledford wrote:


What exactly are SA headers supposed to look like?


SA headers look like this:


X-Spam-Flag: NO
X-Spam-Score: 0.138
X-Spam-Level:
X-Spam-Status: No, score=0.138 tagged_above=-100 required=5
   tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
   autolearn=no autolearn_force=no


I’m still getting quite a bit of spam coming through. It’s blocking 
quite a bit but I’m not so sure SA is even doing its job.


Messages are apparently being scanned, though they don't appear to be 
hitting much in the way of rules...



Is there maybe a way to just block everything from anything .us?


That would probably be easier to do in your MTA before the message is 
even passed to SA.


Stuff like this is being missed (what’s really amusing is this list 
blocked my original response because IT sure seems to know what spam 
is!) :


If that's a spam, then please post the entire message, with all headers 
intact in their raw form, to pastebin and post the URL here. That will let 
us take a look at what rules are hit in our environment and suggest 
possible fixes.


Note: if the headers look like this:


From: Fast-Funds684 
quick.apprv...@onlyfastslans.usmailto:quick.apprv...@onlyfastslans.us


i.e., with mailto:... injected, they probably are not raw. I don't 
know of the best way to get a raw RFC-822-format message out of Exchange, 
but I assume there is a way.


--
 John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
 jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People think they're trading chaos for order [by ceding more and
  more power to the Government], but they're just trading normal
  human evil for the really dangerous organized kind of evil, the
  kind that simply does not give a shit. Only bureaucrats can give
  you true evil. -- Larry Correia
---
 5 days until the 1935th anniversary of the destruction of Pompeii

FW: Tons of spam getting through

2014-08-12 Thread Greg Ledford
Take a look at the sa_tag_level_deflt in your amavisd configuration file.

$sa_tag_level_deflt = 5.5;
$sa_tag2_level_deflt= 6.0;
$sa_spam_subject_tag= '***POSSIBLE SPAM***';
$sa_kill_level_deflt= 7.0;

I did. I bumped the levels a bit because they were catching some legitimate 
emails. I may bump them back down some as a test.


Re: FW: Tons of spam getting through

2014-08-12 Thread Karl Johnson
On Tue, Aug 12, 2014 at 2:50 PM, Greg Ledford gledf...@phhwtechnology.com
wrote:

Take a look at the sa_tag_level_deflt in your amavisd configuration
 file.

 $sa_tag_level_deflt = 5.5;

 $sa_tag2_level_deflt= 6.0;

 $sa_spam_subject_tag= '***POSSIBLE SPAM***';

 $sa_kill_level_deflt= 7.0;



 I did. I bumped the levels a bit because they were catching some
 legitimate emails. I may bump them back down some as a test.


Use sa_tag_level_deflt  = -100;

All your emails will have the SpamAssassin headers.

Karl
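The two questions running through this thread, why a message scoring 4.803 with FROM_ILLEGAL_CHARS and a BAD HEADER SECTION alert was still delivered, and what the amavisd `X-Spam-Status` line actually tells you once `sa_tag_level_deflt = -100` makes it appear on every message, can be answered mechanically from the header. The script below is an added example and is not code from the thread, from amavisd-new or from SpamAssassin. It parses the `X-Spam-Status` values quoted in the thread, compares the score against amavisd's tag / tag2 / kill levels (amavisd reports its tag level as `tagged_above` and its tag2 level as `required`; the kill level of 7.0 is assumed from the config excerpt posted earlier), and flags the raw 8-bit and control bytes that triggered the bad-header alert. The sample header bytes are constructed from the octal escapes in the quoted `X-Amavis-Alert` line.

```python
import re

# Constructed sample inputs. The X-Spam-Status values are the two header
# excerpts quoted in this thread, re-joined onto one line the way a header
# parser would unfold them; the From header bytes are constructed from the
# octal escapes in the quoted X-Amavis-Alert line (\021 \303\202\302\261 N).
STATUS_AUG22 = (
    "No, score=4.803 tagged_above=-100 required=5 "
    "tests=[DCC_CHECK=1.1, FROM_ILLEGAL_CHARS=2.059, RCVD_IN_BRBL_LASTEXT=1.644] "
    "autolearn=no autolearn_force=no"
)
STATUS_AUG18 = (
    "No, score=0.138 tagged_above=-100 required=5 "
    "tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] "
    "autolearn=no autolearn_force=no"
)
FROM_AUG22 = b"From: Janna \x11\xc3\x82\xc2\xb1N"

# Assumed kill level: the $sa_kill_level_deflt value posted earlier in the thread.
ASSUMED_KILL_LEVEL = 7.0


def parse_spam_status(value):
    """Parse an amavisd-style X-Spam-Status value into a dict.

    amavisd reports its own sa_tag_level as 'tagged_above' and its
    sa_tag2_level as 'required'; individual SA rule scores sit in tests=[...].
    """
    m = re.match(r"\s*(Yes|No),\s*score=(-?[\d.]+)", value)
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % value)
    status = {"flagged": m.group(1) == "Yes", "score": float(m.group(2)), "tests": {}}
    for key in ("tagged_above", "required"):
        km = re.search(r"\b%s=(-?[\d.]+)" % key, value)
        if km:
            status[key] = float(km.group(1))
    tm = re.search(r"tests=\[([^\]]*)\]", value)
    if tm:
        for item in tm.group(1).split(","):
            name, _, score = item.strip().partition("=")
            if name:
                status["tests"][name] = float(score) if score else 0.0
    return status


def amavis_action(score, tag_level, tag2_level, kill_level):
    """Which amavisd threshold the score crosses, highest first."""
    if score >= kill_level:
        return "kill"      # quarantine / reject, per $final_spam_destiny
    if score >= tag2_level:
        return "tag2"      # X-Spam-Flag: YES and subject tag added
    if score >= tag_level:
        return "tag"       # X-Spam-* headers added, message still delivered
    return "pass"          # no spam headers at all


def explain(value, kill_level=ASSUMED_KILL_LEVEL):
    """Human-readable account of why a message with this header was delivered."""
    s = parse_spam_status(value)
    action = amavis_action(s["score"], s["tagged_above"], s["required"], kill_level)
    top = sorted(s["tests"].items(), key=lambda kv: -kv[1])[:3]
    contrib = ", ".join("%s=%s" % (n, v) for n, v in top)
    return ("score %.3f vs tag %.0f / tag2 %.0f / kill %.1f -> %s; top rules: %s"
            % (s["score"], s["tagged_above"], s["required"], kill_level, action, contrib))


def bad_header_bytes(raw_header):
    """Offsets of bytes that make a header 'non-encoded 8-bit' or control garbage.

    RFC 5322 headers are 7-bit ASCII; non-ASCII must use RFC 2047 encoded-words,
    which are themselves pure ASCII, so any byte >= 0x80 is a violation, as is
    any C0 control other than TAB/CR/LF.
    """
    return [(i, b) for i, b in enumerate(raw_header)
            if b >= 0x80 or (b < 0x20 and b not in (0x09, 0x0A, 0x0D))]


if __name__ == "__main__":
    print(explain(STATUS_AUG22))
    print(explain(STATUS_AUG18))
    print("bad bytes in From:", ["%02X" % b for _, b in bad_header_bytes(FROM_AUG22)])
```

Running it shows the mechanics behind the question in the thread: the three rules that fired sum to exactly 4.803, which clears the tag level (so the headers appear) but not the tag2 level of 5, so `X-Spam-Flag` stays `NO` and nothing reaches the kill level. The bad-header alert is a separate amavisd check whose outcome is governed by `$final_bad_header_destiny`, not by the spam score, which is why a malformed From header on its own does not stop delivery.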


RE: FW: Tons of spam getting through

2014-08-12 Thread Greg Ledford
Use sa_tag_level_deflt  = -100;
All your emails will have the SpamAssassin headers.

Changed and Amavis has been restarted. I’ll check the headers on the next piece 
of spam to come through. Thanks for the great help!