[BlueOnyx:26328] Re: negative AV-Spam score

2023-06-22 Thread Michael Stauber via Blueonyx

Hi Chris,


> Am I the only person who emails myself things from time to time?


Nope. :o)

I've also fallen into that trap and SPF is hitting me hard on this, too. 
Worse: I have an aggregator email account, which gets the forwards from 
all business and project related emails via email forwarding.


The BlueOnyx email forwarding keeps the original sender address, which 
is a bad idea when the originating account has strict SPF rules configured.


It's on my to-do list for next week: To overhaul the email forwarder in 
BlueOnyx to change the FROM in forwarded emails to the recipient's 
address and to set the original FROM address into the REPLY-TO field 
instead.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26327] Re: issues after php 8 updates

2023-06-22 Thread Michael Stauber via Blueonyx

Hi Juerg,

> Remi PHP 8.x offers a zip-module also on EL8 (but also updates libzip to 
> "libzip-1.9.2-1.el8.remi.x86_64"). Maybe you could use this module or 
> updated libzip library from there.


Yeah, we also bring another (more modern) libzip aboard, which is 
installed under /home/solarspeed/libzip/ and PHP was specifically 
compiled against it with ...


./configure [...] --with-zip=/home/solarspeed/libzip

Yet the result is still this:

# ldd /home/solarspeed/php-8.2/bin/php-cgi|grep zip
libzip.so.5 => /lib64/libzip.so.5 (0x7ff2b72ef000)

It still links against the old onboard libzip and that's then missing 
some symbols and what not. Tried various compiler options and flags, set 
library paths and the usual stuff, but PHP has always been a bit hard 
headed about what it compiles and links against.


So back to the drawing board on this. I guess I'll try the Zip extension 
from PECL again.


--
With best regards

Michael Stauber


[BlueOnyx:26326] Re: negative AV-Spam score

2023-06-22 Thread Lew Berry via Blueonyx
In a word, yes.
It's nothing more than a TXT record that spells out authorized servers for the 
domain.
There are 2 options (really 4, but nobody uses the other 2): tag or deny, 
depending on whether you use ~all (soft fail/tag) or -all (hard fail/deny) at 
the end.
You can check the record at MXToolbox.com.
I usually recommend starting with soft and switching to hard after you've 
worked out any kinks.


Lew Berry, 
LCB Consulting Inc.

-Original Message-
From: Blueonyx  On Behalf Of Ken Hohhof via 
Blueonyx
Sent: Thursday, June 22, 2023 4:30 PM
To: 'Chris Gebhardt - VIRTBIZ Internet' ; 'BlueOnyx 
General Mailing List' 
Subject: [BlueOnyx:26325] Re: negative AV-Spam score

Is this a problem that SPF is designed to solve?

-Original Message-
From: Blueonyx  On Behalf Of Chris Gebhardt 
- VIRTBIZ Internet via Blueonyx
Sent: Thursday, June 22, 2023 3:08 PM
To: blueonyx@mail.blueonyx.it
Subject: [BlueOnyx:26322] Re: negative AV-Spam score


On 6/22/2023 2:42 PM, Meaulnes Legler @ MailList via Blueonyx wrote:
> Can someone help me to set up a rule that recognizes *the same from 
> and to address* in the header? I'm not very skilled for this...
>
Oh man.  Am I the only person who emails myself things from time to time?

Also, a lot of my IoT devices that send email are configured to send from/to 
the same address.   So for my purposes that rule would not be good.

That said, I do have a customer complaining today that he is getting a lot of 
messages about "I recorded you!" being sent from his own email address. I 
wonder if the efforts are better spent on analyzing other aspects of the 
messages for detection.

--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated www.virtbiz.com | toll-free (866) 4 
VIRTBIZ



[BlueOnyx:26325] Re: negative AV-Spam score

2023-06-22 Thread Ken Hohhof via Blueonyx
Is this a problem that SPF is designed to solve?

-Original Message-
From: Blueonyx  On Behalf Of Chris Gebhardt 
- VIRTBIZ Internet via Blueonyx
Sent: Thursday, June 22, 2023 3:08 PM
To: blueonyx@mail.blueonyx.it
Subject: [BlueOnyx:26322] Re: negative AV-Spam score


On 6/22/2023 2:42 PM, Meaulnes Legler @ MailList via Blueonyx wrote:
> Can someone help me to set up a rule that recognizes *the same from 
> and to address* in the header? I'm not very skilled for this...
>
Oh man.  Am I the only person who emails myself things from time to time?

Also, a lot of my IoT devices that send email are configured to send from/to 
the same address.   So for my purposes that rule would not be good.

That said, I do have a customer complaining today that he is getting a lot of 
messages about "I recorded you!" being sent from his own email address. I 
wonder if the efforts are better spent on analyzing other aspects of the 
messages for detection.

--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated www.virtbiz.com | toll-free (866) 4 
VIRTBIZ



[BlueOnyx:26324] Re: issues after php 8 updates

2023-06-22 Thread Juerg Sommer via Blueonyx

Hi Michael,


> Until recently the PHP-8.X versions of PHP for BlueOnyx 5210R were
> missing the "Zip" extension, as there were issues building it against
> the ancient libzip that ships with EL8.
>
> I eventually managed to build it just fine, but according to the error
> messages you see there it errors out when someone actually tries to use it.
>
> I'll look into it again and will rebuild all PHP-8.X packages for 5210R.
> Either with Zip support (if I can solve the issue) or without. However,
> this is a somewhat complex issue, so it'll take me a few days to solve it.



Remi PHP 8.x offers a zip-module also on EL8 (but also updates libzip to 
"libzip-1.9.2-1.el8.remi.x86_64"). Maybe you could use this module or 
updated libzip library from there.


Best regards,
Juerg


[BlueOnyx:26323] Re: negative AV-Spam score

2023-06-22 Thread Juerg Sommer via Blueonyx

Hi Meaulnes

> Can someone help me to set up a rule that recognizes *the same from 
> and to address* in the header? I'm not very skilled for this...
>
>   From: 
>   To: 
>   Subject: Your account is hacked. Your data is stolen. Learn how to 
> regain access.
>
> I don't want to take @waveweb.ch out of the Welcomelist/Whitelist, 
> it's where the users on my servers write to. A rule that would catch 
> if from and to addresses are the same and then set a very high score 
> would fix my problem.


This is not a good idea, I REALLY recommend you to define SPF and/or 
DKIM. This mailing list mails for example have also same from and to and 
would be affected too.


Google says for your rule:

header    FROM_SAME_AS_TO   ALL=~/\nFrom: ([^\n]+)\n.*To: \1/sm
describe  FROM_SAME_AS_TO   identical from and to
score     FROM_SAME_AS_TO   10

header    FROM_SAME_AS_TO2  ALL=~/\nTo: ([^\n]+)\n.*From: \1/sm
describe  FROM_SAME_AS_TO2  identical from and to
score     FROM_SAME_AS_TO2  10

Not perfect: it doesn't work if a different name is defined, like
From: "sender" 
To: "recipient" 

or if there's more than one recipient. But once again: if you give that 
rule so many points that it's more than the whitelist negative score, 
this rule is very dangerous and will filter wanted mails like this. 
There are better possibilities if you don't want to use SPF: for 
example, create rules with a negative score for your first name (if it's not 
part of the mail), trusted networks, or part of your signature (e.g. 
"Zurich, Switzerland"), so that all replies to your mails get a negative 
score, ...


Best regards,
Juerg
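
The limits named in the message above (display names, several recipients, list mail with the same From and To), shown as an added example that is not part of the original post. It runs the two regexes from the quoted rule against constructed example.org headers and compares them with an address-level check; the function names and sample headers are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# The two patterns from the rule quoted in the message, applied to the raw
# header text (SpamAssassin's /sm corresponds to DOTALL | MULTILINE here).
FROM_THEN_TO = re.compile(r"\nFrom: ([^\n]+)\n.*To: \1", re.S | re.M)
TO_THEN_FROM = re.compile(r"\nTo: ([^\n]+)\n.*From: \1", re.S | re.M)


def thread_rule_hits(raw_headers):
    """True if either regex from the thread matches the raw header block."""
    return bool(FROM_THEN_TO.search(raw_headers)
                or TO_THEN_FROM.search(raw_headers))


def addresses(raw_headers, field):
    """Lower-cased addresses found in every occurrence of one header field."""
    msg = message_from_string(raw_headers)
    pairs = getaddresses(msg.get_all(field, []))
    return {addr.lower() for _name, addr in pairs if addr}


def sender_in_recipients(raw_headers):
    """True if any From address also appears among the To addresses."""
    return bool(addresses(raw_headers, "From") & addresses(raw_headers, "To"))


# Constructed sample headers (not taken from the thread).
SAMPLES = {
    "bare identical": (
        "Return-Path: <bounce@example.net>\n"
        "From: admin@example.org\n"
        "To: admin@example.org\n"
        "Subject: test\n"),
    "different display names": (
        "Return-Path: <bounce@example.net>\n"
        'From: "sender" <admin@example.org>\n'
        'To: "recipient" <admin@example.org>\n'
        "Subject: test\n"),
    "several recipients": (
        "Return-Path: <bounce@example.net>\n"
        "From: admin@example.org\n"
        "To: user@example.org, admin@example.org\n"
        "Subject: test\n"),
    "legitimate list mail": (
        "Return-Path: <list-bounces@example.org>\n"
        'From: "Some Member via List" <list@example.org>\n'
        'To: "General Mailing List" <list@example.org>\n'
        "Subject: [List:1] Re: test\n"),
    "unrelated": (
        "Return-Path: <bounce@example.net>\n"
        "From: alice@example.org\n"
        "To: bob@example.org\n"
        "Subject: test\n"),
}


def compare(samples=SAMPLES):
    """Map sample name -> (regex rule hit, address-level hit)."""
    return {name: (thread_rule_hits(raw), sender_in_recipients(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (regex_hit, addr_hit) in compare().items():
        print(f"{name:26} regex={regex_hit!s:5} address-level={addr_hit}")
```

The regex only fires on the bare case, while the stricter address comparison also fires on the legitimate list mail, so neither form separates spoofed mail from wanted mail on its own.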


[BlueOnyx:26322] Re: negative AV-Spam score

2023-06-22 Thread Chris Gebhardt - VIRTBIZ Internet via Blueonyx


On 6/22/2023 2:42 PM, Meaulnes Legler @ MailList via Blueonyx wrote:
> Can someone help me to set up a rule that recognizes *the same from 
> and to address* in the header? I'm not very skilled for this...



Oh man.  Am I the only person who emails myself things from time to time?

Also, a lot of my IoT devices that send email are configured to send 
from/to the same address.   So for my purposes that rule would not be good.


That said, I do have a customer complaining today that he is getting a 
lot of messages about "I recorded you!" being sent from his own email 
address. I wonder if the efforts are better spent on analyzing other 
aspects of the messages for detection.


--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ



[BlueOnyx:26321] Re: negative AV-Spam score

2023-06-22 Thread Meaulnes Legler @ MailList via Blueonyx

Michael and Juerg, thanks for the replies.

But I think my previously exposed solution doesn't resolve the problem 
sustainably, it won't work anymore if the hacker changes his bitcoin address.

Can someone help me to set up a rule that recognizes *the same from and to 
address* in the header? I'm not very skilled for this...

  From: 
  To: 
  Subject: Your account is hacked. Your data is stolen. Learn how to regain 
access.

I don't want to take @waveweb.ch out of the Welcomelist/Whitelist, it's where 
the users on my servers write to. A rule that would catch if from and to 
addresses are the same and then set a very high score would fix my problem.

Thank you and best regards

で⊃ Meaulnes Legler
Zurich, Switzerland
+41¦0 44 260-1660


On 22.06.23 19:05, Michael Stauber via Blueonyx wrote:

> Hi Juerg and Meaulnes,
>
>> Rules are documented in the files Larry told you, maybe in another directory,
>> but you can search for the filenames. Do not change the score in this file,
>> because this file will be replaced after an update. You can create new score
>> in the file you create your own rules (because I don't use the plugin I don't
>> know its location). Simply add a line:
>>
>> score BAYES_00  -4
>>
>> to overwrite score for BAYES_00.
>
> Basically it works like this:
>
> You can place your own (server wide) rules or score changes in a new file in
> the directory /etc/mail/spamassassin/
>
> Make sure the file name ends with *.cf and then do a "systemctl restart
> spamassassin" to put it into effect.
>
> As long as you don't modify an existing file your own changes will survive
> through AV-SPAM and SpamAssassin updates.
>
> User rules (which apply only to a single specific user) are located in
> ~username/.spamassassin/user_rules and there is a GUI editor to modify them.





[BlueOnyx:26320] Re: issues after php 8 updates

2023-06-22 Thread oldcabin webmaster via Blueonyx
It's a virtbiz 5210R

No rush on my end since I have a workaround (switch to 7.4, do my stuff and
flip it back to 8x)

Thanks

-Tim



On Thu, Jun 22, 2023, 1:29 PM Michael Stauber via Blueonyx <
blueonyx@mail.blueonyx.it> wrote:

> Hi Tim,
>
> > Below are errors that I see for one plugin.
> > (It's not just related to this one plugin. I get them when working with
> > Elementor and others. Some plugins are just fine.)
> >
> >   [client 75.135.86.221:49756 ]
> > /home/solarspeed/php-8.2/bin/php-cgi: symbol lookup error:
> > /home/solarspeed/php-8.2/bin/php-cgi: undefined symbol:
> > zip_compression_method_supported, referer:
> >
> > I tried various versions of php 8 and all throw this error.
>
> This is on a BlueOnyx 5210R, right?
>
> Until recently the PHP-8.X versions of PHP for BlueOnyx 5210R were
> missing the "Zip" extension, as there were issues building it against
> the ancient libzip that ships with EL8.
>
> I eventually managed to build it just fine, but according to the error
> messages you see there it errors out when someone actually tries to use it.
>
> I'll look into it again and will rebuild all PHP-8.X packages for 5210R.
> Either with Zip support (if I can solve the issue) or without. However,
> this is a somewhat complex issue, so it'll take me a few days to solve it.
>
> --
> With best regards
>
> Michael Stauber


[BlueOnyx:26319] Re: issues after php 8 updates

2023-06-22 Thread Michael Stauber via Blueonyx

Hi Tim,


> Below are errors that I see for one plugin.
> (It's not just related to this one plugin. I get them when working with 
> Elementor and others. Some plugins are just fine.)
>
>   [client 75.135.86.221:49756 ] 
> /home/solarspeed/php-8.2/bin/php-cgi: symbol lookup error: 
> /home/solarspeed/php-8.2/bin/php-cgi: undefined symbol: 
> zip_compression_method_supported, referer: 
>
> I tried various versions of php 8 and all throw this error.


This is on a BlueOnyx 5210R, right?

Until recently the PHP-8.X versions of PHP for BlueOnyx 5210R were 
missing the "Zip" extension, as there were issues building it against 
the ancient libzip that ships with EL8.


I eventually managed to build it just fine, but according to the error 
messages you see there it errors out when someone actually tries to use it.


I'll look into it again and will rebuild all PHP-8.X packages for 5210R. 
Either with Zip support (if I can solve the issue) or without. However, 
this is a somewhat complex issue, so it'll take me a few days to solve it.


--
With best regards

Michael Stauber


[BlueOnyx:26318] issues after php 8 updates

2023-06-22 Thread oldcabin webmaster via Blueonyx
All,

I updated php a few days ago when the updates came out.

After these updates wordpress started acting wonky.

Some plugins won't update without errors.

Some plugins won't install at all.

If I switch to php 7.4 the errors go away and I can install.

Once installed I CAN switch back to versions of php8 and the SITES run
properly but throw errors when I try to do "some" wordpress admin stuff.

Below are errors that I see for one plugin.
(It's not just related to this one plugin. I get them when working with
Elementor and others. Some plugins are just fine.)

 [client 75.135.86.221:49756] /home/solarspeed/php-8.2/bin/php-cgi: symbol
lookup error: /home/solarspeed/php-8.2/bin/php-cgi: undefined symbol:
zip_compression_method_supported, referer:
https://www.foreverjoy.net/wp-admin/admin.php?page=cerber-security=main

[Wed Jun 21 11:44:44.959609 2023] [core:error] [pid 2875305] [client
75.135.86.221:49756] End of script output before headers: admin.php,
referer:
https://www.foreverjoy.net/wp-admin/admin.php?page=cerber-security=main

I tried various versions of php 8 and all throw this error.

Any ideas?

--Tim


[BlueOnyx:26317] Re: negative AV-Spam score

2023-06-22 Thread Michael Stauber via Blueonyx

Hi Juerg and Meaulnes,

> Rules are documented in the files Larry told you, maybe in another 
> directory,  but you can search for the filenames. Do not change the 
> score in this file, because this file will be replaced after an update. 
> You can create new score in the file you create your own rules (because 
> I don't use the plugin I don't know its location). Simply add a line:
>
> score BAYES_00  -4
>
> to overwrite score for BAYES_00.


Basically it works like this:

You can place your own (server wide) rules or score changes in a new 
file in the directory /etc/mail/spamassassin/


Make sure the file name ends with *.cf and then do a "systemctl restart 
spamassassin" to put it into effect.


As long as you don't modify an existing file your own changes will 
survive through AV-SPAM and SpamAssassin updates.


User rules (which apply only to a single specific user) are located in 
~username/.spamassassin/user_rules and there is a GUI editor to modify them.


--
With best regards

Michael Stauber


[BlueOnyx:26316] Re: negative AV-Spam score

2023-06-22 Thread Juerg Sommer via Blueonyx

Hi Meaulnes,

>> This clever jerk managed to send his blackmailing spam *from and to* my
>> server administrator address. And since my server administrator address is
>> in the whitelist (sorry! now politically correct: in the welcomelist:-)
>> because I don't want to have my users to be blocklisted when I write them
>> something, the e-mail got presumably this high negative score of -61.5

> Believe the modifications to scoring and such are
> kept in /etc/mail/spamassassin directory but the rules
> themselves are located in /usr/share/spamassassin
> and the main scoring file is 50_scores.cf, 72_scores.cf
> and possibly some in 73_sandbox_manual_scores.cf

Thanks for your reply. Glad to read you were able to solve your problem. 
Rules are documented in the files Larry told you, maybe in another 
directory,  but you can search for the filenames. Do not change the 
score in this file, because this file will be replaced after an update. 
You can create new score in the file you create your own rules (because 
I don't use the plugin I don't know its location). Simply add a line:


score BAYES_00  -4

to overwrite score for BAYES_00.

I recommend you to check and/or create a SPF record or DKIM and reject 
mails from your domain(s) from outside your mailservers to protect you 
from this spam. Some time ago same sender address was often used, with 
SPF/DKIM it is now rarely used. Maybe you also would put your 
mailservers and not your mail address to the welcome list. There's an 
ALL_TRUSTED rule if mail is sent from localhost or networks listed in a 
trusted_networks.


Best regards,
Juerg


[BlueOnyx:26315] Re: negative AV-Spam score

2023-06-22 Thread Larry Smith via Blueonyx
Meaulnes,

  Believe the modifications to scoring and such are
kept in /etc/mail/spamassassin directory but the rules
themselves are located in /usr/share/spamassassin
and the main scoring file is 50_scores.cf, 72_scores.cf
and possibly some in 73_sandbox_manual_scores.cf

-- 
Larry Smith
lesm...@ecsis.net

On Thu June 22 2023 09:31, Meaulnes Legler @ MailList via Blueonyx wrote:
> thank you Jürg, now I found the catch:
>
> This clever jerk managed to send his blackmailing spam *from and to* my
> server administrator address. And since my server administrator address is
> in the whitelist (sorry! now politically correct: in the welcomelist:-)
> because I don't want to have my users to be blocklisted when I write them
> something, the e-mail got presumably this high negative score of -61.5
>
> You might have noticed this HackersBitcoinAddress rule in the
> X-Spam-Status, it's a rule I created with this cool BO «SpamAssassin Rule
> Editor» in AV-Spam. In this rule, I inserted the long bitcoin wallet
> address (as Expression) to be searched in the message body. I gave it a
> score of 9. Now I increased the score to 100, hope that works out.
>
> Do you know where all those rules and their dedicated scores are listed?
> Can they be edited?
>
> Thank you and best regards
>
> で⊃ Meaulnes Legler
> Zurich, Switzerland
>
> On 22.06.23 12:57, Juerg Sommer via Blueonyx wrote:
> > Hi Meaulnes
> >
> >> I'm confronted with a peculiar situation: spam slips untagged thru with
> >> a *negative* score
> >>
> >> X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,
> >> BITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,
> >> DOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,
> >> HackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,
> >> RATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,
> >> RDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,
> >> T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
> >> autolearn=no autolearn_force=no version=3.4.2
> >> X-Spam-Relay-Country: TN
> >>
> >> what's wrong here? I set the Required Reject Hits to 9 instead of 10 and
> >> that mail shouldn't have appeared at all if the score had been 61.5, but
> >> positive! How does it turn negative?
> >
> > That's normal. SpamAssassin gives positive and negative points based on
> > rules. There are some rules that indicate harmless mails (ex. BAYES
> > score 1-10%), in your case USER_IN_WELCOMELIST  and USER_IN_WHITELIST.
> > And some other rules that indicate spam, like BITCOIN_DEADLINE. If the
> > sum of all affected rules is greater than the defined score, the mail is
> > marked as spam.
> >
> > I don't know/use the BlueOnyx plugin for spam scanning. Perhaps you can
> > define your Welcome-List Addresses in the gui and should check if this
> > sender address is whitelisted. There's maybe a misconfiguration, but
> > negative points are not generally a problem.
> >
> > BTW: SpamAssassin has changed their wording (like many other companies).
> > Whitelist is now welcomelist, blacklist is blocklist. So one of the rules
> > above would be an alias of the other and I don't know how it's named in
> > the GUI.
> >
> > Best regards,
> > Juerg


[BlueOnyx:26314] Re: negative AV-Spam score

2023-06-22 Thread Meaulnes Legler @ MailList via Blueonyx

thank you Jürg, now I found the catch:

This clever jerk managed to send his blackmailing spam *from and to* my server 
administrator address. And since my server administrator address is in the 
whitelist (sorry! now politically correct: in the welcomelist:-) because I 
don't want to have my users to be blocklisted when I write them something, the 
e-mail got presumably this high negative score of -61.5

You might have noticed this HackersBitcoinAddress rule in the X-Spam-Status, 
it's a rule I created with this cool BO «SpamAssassin Rule Editor» in AV-Spam. 
In this rule, I inserted the long bitcoin wallet address (as Expression) to be 
searched in the message body. I gave it a score of 9. Now I increased the score 
to 100, hope that works out.

Do you know where all those rules and their dedicated scores are listed? Can 
they be edited?

Thank you and best regards

で⊃ Meaulnes Legler
Zurich, Switzerland


On 22.06.23 12:57, Juerg Sommer via Blueonyx wrote:

> Hi Meaulnes
>
>> I'm confronted with a peculiar situation: spam slips untagged thru with a 
>> *negative* score
>>
>> X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,
>> BITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,
>> DOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,
>> HackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,
>> RATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,
>> RDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,
>> T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
>> autolearn=no autolearn_force=no version=3.4.2
>> X-Spam-Relay-Country: TN
>>
>> what's wrong here? I set the Required Reject Hits to 9 instead of 10 and that 
>> mail shouldn't have appeared at all if the score had been 61.5, but positive! 
>> How does it turn negative?
>
> That's normal. SpamAssassin gives positive and negative points based on rules. 
> There are some rules that indicate harmless mails (ex. BAYES score 1-10%), in 
> your case USER_IN_WELCOMELIST  and USER_IN_WHITELIST. And some other rules that 
> indicate spam, like BITCOIN_DEADLINE. If the sum of all affected rules is 
> greater than the defined score, the mail is marked as spam.
>
> I don't know/use the BlueOnyx plugin for spam scanning. Perhaps you can define 
> your Welcome-List Addresses in the gui and should check if this sender address 
> is whitelisted. There's maybe a misconfiguration, but negative points are not 
> generally a problem.
>
> BTW: SpamAssassin has changed their wording (like many other companies). 
> Whitelist is now welcomelist, blacklist is blocklist. So one of the rules above 
> would be an alias of the other and I don't know how it's named in the GUI.
>
> Best regards,
> Juerg


[BlueOnyx:26313] Re: negative AV-Spam score

2023-06-22 Thread Juerg Sommer via Blueonyx

Hi Meaulnes

> I'm confronted with a peculiar situation: spam slips untagged thru 
> with a *negative* score
>
> X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,
> BITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,
> DOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,
> HackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,
> RATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,
> RDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,
> T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
> autolearn=no autolearn_force=no version=3.4.2
> X-Spam-Relay-Country: TN
>
> what's wrong here? I set the Required Reject Hits to 9 instead of 10 
> and that mail shouldn't have appeared at all if the score had been 
> 61.5, but positive! How does it turn negative?


That's normal. SpamAssassin gives positive and negative points based on 
rules. There are some rules that indicate harmless mails (ex. BAYES 
score 1-10%), in your case USER_IN_WELCOMELIST  and USER_IN_WHITELIST. 
And some other rules that indicate spam, like BITCOIN_DEADLINE. If the 
sum of all affected rules is greater than the defined score, the mail is 
marked as spam.


I don't know/use the BlueOnyx plugin for spam scanning. Perhaps you can 
define your Welcome-List Addresses in the gui and should check if this 
sender address is whitelisted. There's maybe a misconfiguration, but 
negative points are not generally a problem.


BTW: SpamAssassin has changed their wording (like many other companies). 
Whitelist is now welcomelist, blacklist is blocklist. So one of the 
rules above would be an alias of the other and I don't know how it's 
named in the GUI.


Best regards,
Juerg
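
A way to spot the situation described in this message, where welcomelist rules pull the total below the threshold although spoofing indicators also fired. This is an added example, not part of the original post: it parses the X-Spam-Status header from the thread (folding constructed, two further headers constructed), and the grouping of rule names into SPOOF_INDICATORS is an assumption of this example.

```python
import re

# Rule names are taken from the X-Spam-Status header quoted in the thread.
ALLOWLIST_RULES = {"USER_IN_WELCOMELIST", "USER_IN_WHITELIST"}
# Assumption of this example: these hits suggest a forged or untrusted origin.
SPOOF_INDICATORS = {"SPF_SOFTFAIL", "TO_EQ_FM_DIRECT_MX", "RDNS_NONE",
                    "RCVD_IN_PBL", "RCVD_IN_SBL_CSS", "RCVD_IN_XBL"}

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?P<verdict>Yes|No),\s*"
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>.*?)(?:\s+autolearn=|$)",
    re.I | re.S)

# Header from the thread; the tab-indented folding is constructed.
THREAD_HEADER = (
    "X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,\n"
    "\tBITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,\n"
    "\tDOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,\n"
    "\tHackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,\n"
    "\tRATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,\n"
    "\tRDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,\n"
    "\tT_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST\n"
    "\tautolearn=no autolearn_force=no version=3.4.2\n")

# Constructed headers for contrast.
TAGGED_HEADER = ("X-Spam-Status: Yes, score=12.3 required=5.0 "
                 "tests=RDNS_NONE,SPF_SOFTFAIL autolearn=no\n")
TRUSTED_HEADER = ("X-Spam-Status: No, score=-100.0 required=5.0 "
                  "tests=ALL_TRUSTED,USER_IN_WELCOMELIST autolearn=no\n")


def parse_spam_status(header):
    """Return verdict, score, required and the list of tests that hit."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    m = STATUS_RE.match(unfolded)
    if m is None:
        raise ValueError("not an X-Spam-Status header")
    tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
    return {"verdict": m.group("verdict"),
            "score": float(m.group("score")),
            "required": float(m.group("required")),
            "tests": tests}


def triage(header):
    """Flag mail that passed while both allowlist and spoof rules hit."""
    parsed = parse_spam_status(header)
    hits = set(parsed["tests"])
    allow = sorted(hits & ALLOWLIST_RULES)
    spoof = sorted(hits & SPOOF_INDICATORS)
    passed = parsed["score"] < parsed["required"]
    return {"score": parsed["score"],
            "allowlist_hits": allow,
            "spoof_hits": spoof,
            "review": passed and bool(allow) and bool(spoof)}


if __name__ == "__main__":
    for label, hdr in (("thread", THREAD_HEADER), ("tagged", TAGGED_HEADER),
                       ("trusted", TRUSTED_HEADER)):
        print(label, triage(hdr))
```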


[BlueOnyx:26312] negative AV-Spam score

2023-06-22 Thread Meaulnes Legler @ MailList via Blueonyx

hello

I'm confronted with a peculiar situation: spam slips untagged thru with a 
*negative* score

X-Spam-Status: No, score=-61.5 required=5.0 tests=BITCOIN_DEADLINE,
BITCOIN_MALF_HTML,BITCOIN_SPAM_07,DCC_CHECK,DIGEST_MULTIPLE,
DOS_OUTLOOK_TO_MX,FSL_BULK_SIG,HTML_EXTRA_CLOSE,HTML_MESSAGE,
HackersBitcoinAddress,NO_FM_NAME_IP_HOSTN,PDS_BTC_ID,PYZOR_CHECK,
RATS_NOPTR,RATWARE_NO_RDNS,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_XBL,
RDNS_NONE,SBLXBL_SPAM,SPF_SOFTFAIL,TO_EQ_FM_DIRECT_MX,TXREP,
T_SCC_BODY_TEXT_LINE,USER_IN_WELCOMELIST,USER_IN_WHITELIST
autolearn=no autolearn_force=no version=3.4.2
X-Spam-Relay-Country: TN

what's wrong here? I set the Required Reject Hits to 9 instead of 10 and that 
mail shouldn't have appeared at all if the score had been 61.5, but positive! 
How does it turn negative?

Thank you and best regards

で⊃ Meaulnes Legler
Zurich, Switzerland
+41¦0 44 260-1660

I'm on *Wire* as @meaulnes — https://get.wire.com/
/no more Whatzap and so on!/

