Re: Lots of comment in mail, how to score

2012-02-08 Thread Martin Gregorie
On Wed, 2012-02-08 at 03:04 +, Martin Gregorie wrote:
> If you cut and paste this example as a file and feed it to your browser,
> you should see the first body line in bold red letters. I've tested this
> with FireFox and Lynx, which work as I expected.

Correction: FireFox and Opera. Lynx ignores style specs and shows plain
text.

Martin




Getting high spam score for email server hosted on AWS instance

2012-02-08 Thread Sharma, Ashish
Hi,

I have a mail server setup on an AWS instance.

When I am sending mails via this setup to a test spamassassin setup that acts 
as an email receiver server, I am getting high spam scores as follows:

[FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282,  HTML_MESSAGE=0.001, 
RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] 
autolearn=no


As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399

My investigation leads me to the spamassassin tests wiki 
(http://wiki.apache.org/spamassassin/Rules/RCVD_ILLEGAL_IP), that states that my 
AWS machine's IP has been identified as invalid or not a mail source.

Is there a whitelist kind of thing that I need to notify to get my AWS email 
server IP out of the invalid IP list?

Please suggest.

Thanks
Ashish


Re: Getting high spam score for email server hosted on AWS instance

2012-02-08 Thread Michael Scheidell

On 2/8/12 6:41 AM, Sharma, Ashish wrote:

> Hi,
>
> I have a mail server setup on an AWS instance.
>
> When I am sending mails via this setup to a test spamassassin setup that acts
> as an email receiver server, I am getting high spam scores as follows:
>
> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282,  HTML_MESSAGE=0.001,
> RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
> autolearn=no
>
> As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399

no, since the ip address in question is, by definition, an unroutable
ip, and should never be seen in a received list

(I am just guessing:

Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by


You have a microsoft cluster, where microsoft thought it would be a good 
idea to use 169.254.0.0/16 ip addresses?)


Bring this up with microsoft, have them 'fix' this.



--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation



Re: Getting high spam score for email server hosted on AWS instance

2012-02-08 Thread Joe Sniderman
On 02/08/2012 08:57 AM, Michael Scheidell wrote:
> On 2/8/12 6:41 AM, Sharma, Ashish wrote:
>> Hi,
>>
>> I have a mail server setup on an AWS instance.
>>
>> When I am sending mails via this setup to a test spamassassin setup
>> that acts as an email receiver server, I am getting high spam scores
>> as follows:
>>
>> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282,  HTML_MESSAGE=0.001,
>> RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
>> autolearn=no
>>
>> As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399
> no, since the ip address in question is, by definition, an unroutable
> ip, and should never be seen in a received list
> (I am just guessing:
>
> Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by

That should not be a problem in and of itself...

169.254.0.0/16 is intended for link-local.. (see RFCs 5735 and 3330)

It might or might not be less than ideal to use addresses in
169.254.0.0/16 for the communication between one machine and a smarthost
on a LAN, but far from illegal.

169.254.0.0/16 is also notably *not* mentioned in the wiki for
RCVD_ILLEGAL_IP:

http://wiki.apache.org/spamassassin/Rules/RCVD_ILLEGAL_IP

All that said, RCVD_ILLEGAL_IP _used to_ hit on IPs 169.254.0.0/16, but
AFAIK that changed with 3.3.

See also:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6460

And:
http://svn.apache.org/viewvc/spamassassin/branches/3.3/rules/20_head_tests.cf?view=markup#l423

# must keep it in sync with http://www.iana.org/assignments/ipv4-address-space/
header RCVD_ILLEGAL_IP X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?=\d+\.\d+\.\d+\.\d+ )(?:0|2(?:2[4-9]|[3-5]\d)|192\.0\.2|198\.51\.100|203\.0\.113)\./
describe RCVD_ILLEGAL_IP Received: contains illegal IP address

IOW, 196.254.0.0/16 no longer matches as of 3.3

> You have a microsoft cluster, where microsoft thought it would be a good
> idea to use 169.254.0.0/16 ip addresses?)

It's really not that horrible an idea..

> Bring this up with microsoft, have them 'fix' this.

Or better yet, the OP should bring it up with whoever is running the
test spamassassin instance and get them to upgrade it.

-- 
Joe Sniderman joseph.snider...@thoroquel.org
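
The rule body quoted in the message above can be checked directly. This is an added Python example, not part of the original post or of SpamAssassin itself; the relay entries are constructed in the X-Spam-Relays-Untrusted layout, and every sample address other than 169.254.8.28 is made up for the test.

```python
import ipaddress
import re

# RCVD_ILLEGAL_IP body from the 3.3 branch as quoted above, joined onto one line.
RCVD_ILLEGAL_IP = re.compile(
    r" (?:by|ip)=(?=\d+\.\d+\.\d+\.\d+ )"
    r"(?:0|2(?:2[4-9]|[3-5]\d)|192\.0\.2|198\.51\.100|203\.0\.113)\."
)

def relay_entry(ip, helo="relay.example", by="mx.example"):
    """Constructed X-Spam-Relays-Untrusted style entry for one Received hop."""
    return (f"[ ip={ip} rdns= helo={helo} by={by} "
            "ident= envfrom= intl=0 id= auth= msa=0 ]")

def rule_hits(ip):
    """True if the 3.3 rule would fire on a relay entry carrying this IP."""
    return RCVD_ILLEGAL_IP.search(relay_entry(ip)) is not None

def describe(ip):
    """Label the address with the standard library's view of its range."""
    addr = ipaddress.ip_address(ip)
    if addr.is_link_local:
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_reserved:
        return "reserved"
    if addr.is_private:
        return "private/special"
    return "global"

# Constructed sample addresses; 169.254.8.28 is the one from the thread.
SAMPLES = ["169.254.8.28", "0.1.2.3", "224.0.0.5", "240.1.2.3",
           "192.0.2.10", "198.51.100.7", "203.0.113.9",
           "10.0.0.5", "192.0.20.1", "20.1.2.3"]

def report():
    """One (ip, range label, rule fired) tuple per sample address."""
    return [(ip, describe(ip), rule_hits(ip)) for ip in SAMPLES]

if __name__ == "__main__":
    for ip, kind, hit in report():
        print(f"{ip:<15} {kind:<16} {'HIT' if hit else 'no hit'}")
```

The link-local address from the thread does not match, while the 0/8, 224 and above, and documentation ranges do; 192.0.20.1 is included to show that the trailing `\.` keeps 192.0.2 from matching a longer third octet.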


Re: Getting high spam score for email server hosted on AWS instance

2012-02-08 Thread Joe Sniderman
On 02/08/2012 12:22 PM, Joe Sniderman typed hurriedly:

> IOW, 196.254.0.0/16 no longer matches as of 3.3

Well, I meant to type 169.254.0.0/16... but then.. obvious typo is obvious.


-- 
Joe Sniderman joseph.snider...@thoroquel.org


Re: Spamassassin 3.3.2 for Ubuntu LTS

2012-02-08 Thread Benny Pedersen



aptitude install python-software-properties
add-apt-repository ppa:patrickdk/general-lucid
aptitude update
aptitude install spamassassin spamc
sa-update
sa-compile
/etc/init.d/spamassassin restart


sa-compile needs Mail::SpamAssassin::Plugin::Rule2XSBody in v320.pre 
else sa-compile is wasted cpu time :-)





Re: blacklist_from exceptions

2012-02-08 Thread Rejaine Monteiro

It's not exactly what I need ... I'll try to be clearer (sorry for my poor
English)

I need something like this:  blacklist an entire @somedomain but accept
when the *recipient* (not the sender) is a certain user of *my* domain

Or ...   blacklist_from  *@somedomain.com  except when destination is
myuser@mydomain

I tried this:

blacklist_from  *@somedomain.com
whitelist_to myu...@mydomain.com

I tried this but it didn't work (for obvious reasons):

content analysis details:   (98 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 100 USER_IN_BLACKLIST      From: address is in the user's black-list
-6.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'



On 02-02-2012 17:45, Benny Pedersen wrote:
> On Thu, 02 Feb 2012 16:51:51 -0200, Rejaine Monteiro wrote:
>> Example: blacklist_from @orig.com except when rcpt_to is
>> myb...@mydomain.com
>
> freemail_domain example.org
> freemail_whitelist non-spam-u...@example.org
>
> untested, but it's what I think is the nearest to what you asked



Re: blacklist_from exceptions

2012-02-08 Thread Bowie Bailey
On 2/8/2012 3:07 PM, Rejaine Monteiro wrote:

> It's not exactly what I need ... I'll try to be clearer (sorry for my poor
> English)
>
> I need something like this:  blacklist an entire @somedomain but accept
> when the *recipient* (not the sender) is a certain user of *my* domain
>
> Or ...   blacklist_from  *@somedomain.com  except when destination is
> myuser@mydomain
>
> I tried this:
>
> blacklist_from  *@somedomain.com
> whitelist_to myu...@mydomain.com
>
> I tried this but it didn't work (for obvious reasons):
>
> content analysis details:   (98 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  100 USER_IN_BLACKLIST      From: address is in the user's black-list
> -6.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'

You could use blacklist_from in the main config and then in the
user_prefs use unblacklist_from to override it for this particular user.

-- 
Bowie


Re: blacklist_from exceptions

2012-02-08 Thread Rejaine Monteiro
solved.. (maybe, I will do more tests ...)

I did it this way:

blacklist_from @domain.com

and then I created a meta test, like this:

header __FROM_BADDOMAIN From =~ /some\.com/i
header __FROM_BADDOMAIN_GOOD_TO To =~ /myser\@mydomain\.com/i
meta FROM_BADDOMAIN_UNBLACKLIST_TO (__FROM_BADDOMAIN && __FROM_BADDOMAIN_GOOD_TO)
score FROM_BADDOMAIN_UNBLACKLIST_TO -100

(tips obtained from
http://markmail.org/message/7dz5ez2en442n6t5#query:+page:1+mid:ydrr57kl2msbprcc+state:results)









On 08-02-2012 18:38, Bowie Bailey wrote:
> On 2/8/2012 3:07 PM, Rejaine Monteiro wrote:
>> It's not exactly what I need ... I'll try to be clearer (sorry for my poor
>> English)
>>
>> I need something like this:  blacklist an entire @somedomain but accept
>> when the *recipient* (not the sender) is a certain user of *my* domain
>>
>> Or ...   blacklist_from  *@somedomain.com  except when destination is
>> myuser@mydomain
>>
>> I tried this:
>>
>> blacklist_from  *@somedomain.com
>> whitelist_to myu...@mydomain.com
>>
>> I tried this but it didn't work (for obvious reasons):
>>
>> content analysis details:   (98 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  100 USER_IN_BLACKLIST      From: address is in the user's black-list
>> -6.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
>
> You could use blacklist_from in the main config and then in the
> user_prefs use unblacklist_from to override it for this particular user.

   


Re: blacklist_from exceptions

2012-02-08 Thread Martin Gregorie
On Wed, 2012-02-08 at 18:07 -0200, Rejaine Monteiro wrote:
 
> It's not exactly what I need ... I'll try to be clearer (sorry for my poor
> English)
>
> I need something like this:  blacklist an entire @somedomain but accept
> when the *recipient* (not the sender) is a certain user of *my* domain

I have this running. However, it's almost a parallel process that happens
to be implemented through an SA plugin. The plugin queries the archive
and whitelists anybody in the archive who has received mail from me and
is not manually marked as 'undesirable'. By and large it does exactly
what I want and requires little or no effort to maintain because the
archive is automatically updated via a BCC feed from my mail server. 

The only situation where I've found this simple approach breaks down is
dealing with a mailing list that's linked to a forum. The problem is
that spam gets onto the mailing list via the forum and, because the list
and forum use a common mail recipient address, the whitelister can't
distinguish between spammers and others.

Martin




Re: blacklist_from exceptions

2012-02-08 Thread Rejaine Monteiro
got better keeping the original version, only using the meta test...
(without blacklist_from)

header __FROM_DOMAIN From =~ /some\.com/i
header __FROM_DOMAIN_TO To =~ /myuser\@mydomain\.com/i
meta FROM_DOMAIN_IN_BLACKLIST (__FROM_DOMAIN && !__FROM_DOMAIN_TO)
score FROM_DOMAIN_IN_BLACKLIST 100


On 08-02-2012 18:56, Rejaine Monteiro wrote:
> solved.. (maybe, I will do more tests ...)
>
> I did it this way:
>
> blacklist_from @domain.com
>
> and then I created a meta test, like this:
>
> header __FROM_BADDOMAIN From =~ /some\.com/i
> header __FROM_BADDOMAIN_GOOD_TO To =~ /myser\@mydomain\.com/i
> meta FROM_BADDOMAIN_UNBLACKLIST_TO (__FROM_BADDOMAIN && __FROM_BADDOMAIN_GOOD_TO)
> score FROM_BADDOMAIN_UNBLACKLIST_TO -100
>
> (tips obtained from
> http://markmail.org/message/7dz5ez2en442n6t5#query:+page:1+mid:ydrr57kl2msbprcc+state:results)
>
> On 08-02-2012 18:38, Bowie Bailey wrote:
>> On 2/8/2012 3:07 PM, Rejaine Monteiro wrote:
>>> It's not exactly what I need ... I'll try to be clearer (sorry for my poor
>>> English)
>>>
>>> I need something like this:  blacklist an entire @somedomain but accept
>>> when the *recipient* (not the sender) is a certain user of *my* domain
>>>
>>> Or ...   blacklist_from  *@somedomain.com  except when destination is
>>> myuser@mydomain
>>>
>>> I tried this:
>>>
>>> blacklist_from  *@somedomain.com
>>> whitelist_to myu...@mydomain.com
>>>
>>> I tried this but it didn't work (for obvious reasons):
>>>
>>> content analysis details:   (98 points, 5.0 required)
>>>
>>>  pts rule name              description
>>> ---- ---------------------- --------------------------------------------------
>>>  100 USER_IN_BLACKLIST      From: address is in the user's black-list
>>> -6.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
>>
>> You could use blacklist_from in the main config and then in the
>> user_prefs use unblacklist_from to override it for this particular user.

   
 


Re: blacklist_from exceptions

2012-02-08 Thread Bowie Bailey
On 2/8/2012 3:56 PM, Rejaine Monteiro wrote:
> solved.. (maybe, I will do more tests ...)
>
> I did it this way:
>
> blacklist_from @domain.com
>
> and then I created a meta test, like this:
>
> header __FROM_BADDOMAIN From =~ /some\.com/i
> header __FROM_BADDOMAIN_GOOD_TO To =~ /myser\@mydomain\.com/i
> meta FROM_BADDOMAIN_UNBLACKLIST_TO (__FROM_BADDOMAIN && __FROM_BADDOMAIN_GOOD_TO)
> score FROM_BADDOMAIN_UNBLACKLIST_TO -100
>
> (tips obtained from
> http://markmail.org/message/7dz5ez2en442n6t5#query:+page:1+mid:ydrr57kl2msbprcc+state:results)

What about CC or BCC?  If you do what I suggested, it should work for
all mail regardless of how it is addressed.

Put this in local.cf:

blacklist_from *@domain.com

And put this in the user's user_prefs file:

unblacklist_from *@domain.com

This will blacklist the domain for everyone except the one recipient.

-- 
Bowie


Re: blacklist_from exceptions

2012-02-08 Thread Benny Pedersen

On 2012-02-08 21:07, Rejaine Monteiro wrote:

> blacklist_from *@somedomain.com
> whitelist_to myu...@mydomain.com


when you use blacklist_from you must use unblacklist_from not 
whitelist_to


perldoc Mail::SpamAssassin::Conf

everyone can write email to a to addr and thus the whitelist is not 
working well


blacklist_from *@example.org
unblacklist_from myu...@example.org

untested :)


Re: blacklist_from exceptions

2012-02-08 Thread Benny Pedersen



> header __FROM_BADDOMAIN From =~ /some\.com/i
> header __FROM_BADDOMAIN_GOOD_TO To =~ /myser\@mydomain\.com/i
> meta FROM_BADDOMAIN_UNBLACKLIST_TO (__FROM_BADDOMAIN && __FROM_BADDOMAIN_GOOD_TO)
> score FROM_BADDOMAIN_UNBLACKLIST_TO -100


not solved it blocks usernames some.com

add :addr after From and To so it's limited to email not usernames

From:addr
To:addr

the above rule did not need blacklist_from, and best of all it did not 
test envelope sender, good ?
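
The difference between matching the whole From/To header and matching only its address, as an added Python illustration that is not part of any post in this thread. `email.utils.parseaddr` stands in for SpamAssassin's `:addr` modifier (an approximation), the header values are constructed, and the anchored pattern `@some\.com$` is an assumption added here to show a false match that `:addr` alone does not remove.

```python
import re
from email.utils import parseaddr

FROM_RE = re.compile(r"some\.com", re.I)            # From pattern from the thread
TO_RE = re.compile(r"myuser@mydomain\.com", re.I)   # To pattern from the thread
FROM_ANCHORED = re.compile(r"@some\.com$", re.I)    # assumption, not in the thread

def field(value, addr_only):
    """Whole header text, or only its address part (stand-in for ':addr')."""
    return parseaddr(value)[1] if addr_only else value

def blacklist_hit(from_hdr, to_hdr, addr_only, from_re=FROM_RE):
    """Model of: meta FROM_DOMAIN_IN_BLACKLIST (__FROM_DOMAIN && !__FROM_DOMAIN_TO)"""
    from_hit = from_re.search(field(from_hdr, addr_only)) is not None
    to_hit = TO_RE.search(field(to_hdr, addr_only)) is not None
    return from_hit and not to_hit

# Constructed (From, To) header pairs.
CASES = {
    "sender at some.com": ("Sales <sales@some.com>", "bob@mydomain.com"),
    "some.com only in display name": (
        '"some.com news" <list@elsewhere.example>', "bob@mydomain.com"),
    "exempt recipient": (
        "Sales <sales@some.com>", "My User <myuser@mydomain.com>"),
    "look-alike domain": ("Bob <bob@awesome.com>", "bob@mydomain.com"),
}

def compare():
    """Per case: (raw header match, address-only match, address-only + anchored)."""
    out = {}
    for name, (frm, to) in CASES.items():
        out[name] = (
            blacklist_hit(frm, to, addr_only=False),
            blacklist_hit(frm, to, addr_only=True),
            blacklist_hit(frm, to, addr_only=True, from_re=FROM_ANCHORED),
        )
    return out

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:<32} raw={result[0]!s:<5} addr={result[1]!s:<5} anchored={result[2]}")
```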


SPF and DKIM tests by default?

2012-02-08 Thread email builder
Hello,

I have a server where I never customized any of the SA
rules/tests (SA v.3.3.1).  The server does run sa-update
every day.  Is this the right place to look to know what
tests the server should be running?

https://spamassassin.apache.org/tests_3_0_x.html


From that page, it seems that SPF checks are normal
but DKIM is not. Is this right?

Contrary to that, this page suggests that DKIM tests are
enabled by default in version 3.3:

https://wiki.apache.org/spamassassin/Plugin/DKIM

Also, where can I look to verify the tests/rules currently
in place on the server?  (per-user rules are not implemented)

I looked in /usr/share/spamassassin and there are a few
files with spf and dkim in their names.  Does that
mean those tests are active?

ls *spf*
-rw-r--r-- 1 root root 3100 Mar 15  2010 25_spf.cf
-rw-r--r-- 1 root root 3584 Mar 15  2010 60_whitelist_spf.cf

ls *dkim*
-rw-r--r-- 1 root root 4407 Mar 15  2010 25_dkim.cf
-rw-r--r-- 1 root root 9288 Mar 15  2010 60_adsp_override_dkim.cf
-rw-r--r-- 1 root root 6455 Mar 15  2010 60_whitelist_dkim.cf