Re: is spamassassin scoring too high points

2015-03-12 Thread Reindl Harald


Am 13.03.2015 um 00:06 schrieb Chris:

they definitely not aggressive, I am actually struggling to reach 5
points on most spam.


train your bayes and adjust scores in "local.cf"

we reject above 8.0 points and 99% of all junk making it through 
postscreen and other filters before SA are rejected with way higher scores


tagging between 5.5 and 7.9 and per day there are 10-15 messages tagged
the rest has a BAYES_00 and/or is backed by DNSWL scoring


On 12 March 2015 at 12:10, Reindl Harald  wrote:

please don't top post

Am 12.03.2015 um 13:06 schrieb Sujit Acharyya-choudhury:


I don't have any custom rules nor I am using sought.cf. I have chosen
the standard installation without any tweaks.  I am just worried,
whether I am being too aggressive in blocking messages which are not
blocked by MessageLabs.



the default SA rules are for sure not too aggressive
why premature worries without any indication?

and even if you reject a message which would have made it through
MessageLabs that means *nothing* as long it's not a *real* false positive

we block each day a lot of forwardings from different mail services all
having their own spamfilter and at the end of the day it turns out they are
indeed spam


-Original Message-
From: Reindl Harald [mailto:h.rei...@thelounge.net]
Sent: 12 March 2015 11:51
To: users@spamassassin.apache.org
Subject: Re: is spamassassin scoring too high points

you can't compare scores between different setups because they are
likely different and using also a different reject score

* you can give each rule a non-default score
* much depends on bayes and how bayes hits are scored
* custom rules

you need at *least* all the hitting rules
your message here hit these ones:

BAYES_00,CUST_DNSWL_10,CUST_DNSWL_3,CUST_DNSWL_8,CUST_MOST_SPAM_TO,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS,T_MIME_MALF,T_RP_MATCHES_RCVD






Re: is spamassassin scoring too high points

2015-03-12 Thread Chris
they definitely not aggressive, I am actually struggling to reach 5
points on most spam.

On 12 March 2015 at 12:10, Reindl Harald  wrote:
> please don't top post
>
> Am 12.03.2015 um 13:06 schrieb Sujit Acharyya-choudhury:
>>
>> I don't have any custom rules nor I am using sought.cf. I have chosen
>> the standard installation without any tweaks.  I am just worried,
>> whether I am being too aggressive in blocking messages which are not
>> blocked by MessageLabs.
>
>
> the default SA rules are for sure not too aggressive
> why premature worries without any indication?
>
> and even if you reject a message which would have made it through
> MessageLabs that means *nothing* as long it's not a *real* false positive
>
> we block each day a lot of forwardings from different mail services all
> having their own spamfilter and at the end of the day it turns out they are
> indeed spam
>
>> -Original Message-
>> From: Reindl Harald [mailto:h.rei...@thelounge.net]
>> Sent: 12 March 2015 11:51
>> To: users@spamassassin.apache.org
>> Subject: Re: is spamassassin scoring too high points
>>
>> you can't compare scores between different setups because they are
>> likely different and using also a different reject score
>>
>> * you can give each rule a non-default score
>> * much depends on bayes and how bayes hits are scored
>> * custom rules
>>
>> you need at *least* all the hitting rules
>> your message here hit these ones:
>>
>> BAYES_00,CUST_DNSWL_10,CUST_DNSWL_3,CUST_DNSWL_8,CUST_MOST_SPAM_TO,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS,T_MIME_MALF,T_RP_MATCHES_RCVD
>
>


Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Benny Pedersen
On March 12, 2015 11:10:13 PM "Rick Hantz \(TirNanOg\)" 
 wrote:



In my user_prefs file, I have: (see resulting header below)

whitelist_from mailto:*@sailthru.com


read perldoc Mail::SpamAssassin::Conf

note whitelist_from allows forged senders, if possible use whitelist_auth 
instead


Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Benny Pedersen

On March 12, 2015 9:57:37 PM "@lbutlr"  wrote:

Since the message was rejected, no, I do not have the actual message. I am 
relying, at this point, on my bother having given me correct information. 
Like all bothers, this is a risky assumption.


adjust reject score higher then, at least temporarily, to see what's going on


Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Benny Pedersen

On March 12, 2015 9:23:51 PM "@lbutlr"  wrote:


On Mar 12, 2015, at 2:07 PM, @lbutlr  wrote:
> But it was NOT a junk mail from yahoo, it was a message from my brother’s 
yahoo account that said only “Kill it”.


Just in case I am misinterpreting something here….


try ask sender to disable html

or post output from spamassassin -t msg

if uribl is not spam domain then add the listed domains in 
uridnsbl_skip_domains, at your own risk of getting more spam :)


Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Reindl Harald



Am 12.03.2015 um 23:06 schrieb Rick Hantz (TirNanOg):

In my user_prefs file, I have: (see resulting header below)

whitelist_from mailto:*@sailthru.com

whitelist_from mailto:*@e.washingtonpost.com

Do I also need

whitelist_from mailto:*@*.sailthru.com  ?

Return-path: 


i guess all that "mailto:" crap comes from sending HTML mails for 
whatever reason, besides that: @sailthru.com surely is not the same as 
@mx.sailthru.com






Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Rick Hantz (TirNanOg)
 

In my user_prefs file, I have: (see resulting header below)

whitelist_from mailto:*@sailthru.com

whitelist_from mailto:*@e.washingtonpost.com

 

Do I also need 

whitelist_from mailto:*@*.sailthru.com  ?

 

Appreciate all the help.

 

-RickH

 

 

Return-path: 

Envelope-to: rickhan!!tirnanog.com

Delivery-date: Thu, 12 Mar 2015 14:21:53 -0700

Received: from mx-washpost-a.sailthru.com ([192.64.237.165]:50811)

   by coeus.lunarmania.com with esmtp (Exim 4.82)

   (envelope-from )

   id 1YWAYA-0004uL-M3

   for rickhan!!tirnanog.com; Thu, 12 Mar 2015 14:21:53 -0700

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; s=mt; d=pmta.sailthru.com;

h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe
;

bh=/lxmlrJQKq6fl1OmIaekS84ZalE=;

b=Rqtg31H8M0M7AiYslW+Ts/cy/igfo2wn6vw+km/vpsEAUcEi9s+m9aDCfLzoG7L5upSDBWrzwo
83

 
sT7eKPwz4iPAa7fB2PMzLJpDmExu1qv7lN5xKl2JLLrOjlVQQiKhoXAIxRfp/e2KUi4LkdTpSiEr

   y5gMs8tOcZis8Icxo2E=

Received: from nyp1-p-p4136-prd-jma-04.sailthru.pvt (64.34.57.233) by
mx-washpost-a.sailthru.com id h081mu1qqbs6 for ; Thu,
12 Mar 2015 17:21:50 -0400 (envelope-from )

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
t=1426195310;

   s=sailthru; d=e.washingtonpost.com;

 
h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe
;

   bh=h1kKlRHR3FV/7FTdYTfMs9u9pPrGdkNPKUp05V1qrVk=;

 
b=B/lK29y/CHuHLJ/uY/BZCgCN0XZsku3MaOW/I+KGW/Xqd9NA5jdxyRG3Fz0eq5Cj

 
u5F0C3Q+vuIparPPdGqqBEifv6bCdVWN92wBDOslNf9qHyJeJpn43LatKbWsw3+nvuR

   EEBdWGj2tt1nSrzqNlO64g+TdXMKltQWkxkHCaeA=

Date: Thu, 12 Mar 2015 17:21:50 -0400 (EDT)

From: The Washington Post 

To: rickhan!!tirnanog.com

Message-ID: <20150312212150.3994150.72...@sailthru.com>

Subject: News Alert: American with Ebola to be treated at National

Institutes of Health

MIME-Version: 1.0

Content-Type: multipart/alternative; 

   boundary="=_Part_1695_1383230446.1426195310303"

Precedence: bulk

X-TM-ID: 20150312212150.3994150.72694

X-Info: Message sent by sailthru.com customer The Washington Post

X-Info: We do not permit unsolicited commercial email

X-Info: Please report abuse by forwarding complete headers to

X-Info: ab...@sailthru.com

X-Mailer: sailthru.com

X-JMailer: nyp1-p-p4136-prd-jma-04.sailthru.pvt

X-Unsubscribe-Web:
http://link.washingtonpost.com/oc/54836cd23b35d0d5728c41ca2dlwm.1k3a/a618a63
9

List-Unsubscribe:
, 

X-rpcampaign: sthiq3994150

X-Spam-Subject: ***SPAM*** News Alert: American with Ebola to be treated at
National

Institutes of Health

X-Spam-Status: Yes, score=-0.5

X-Spam-Score: -4

X-Spam-Bar: /

X-Spam-Flag: YES

 



Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread @lbutlr
On Mar 12, 2015, at 2:29 PM, Reindl Harald  wrote:
> FORGED_YAHOO_RCVD: that is suspect - sure that your internal networks and 
> trusted networks are configured correctly?

I don’t get a lot of Yahoo mail. But I do get some on the server. It doesn’t 
normally hit that.

For example, a couple of minutes later:

Mar 11 22:30:31 mail spamd[70438]: spamd: result: . 2 - 
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_YAHOO_RCVD,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RDNS_NONE,SPF_PASS,UNPARSEABLE_RELAY
 
scantime=0.3,size=3607,user=kr...@kreme.com,uid=58,required_score=5.0,rhost=localhost,raddr=::1,rport=25312,mid=,autolearn=disabled
 


> FREEMAIL_ENVFROM_END_DIGIT: typical spammy "anything678@freemaildomain"

My brother’s email ends in a number triple.


On Mar 12, 2015, at 2:29 PM, Bowie Bailey  wrote:

> Can you show us the actual message that you received (headers and all)?  Post 
> it to pastebin and give us the link.

Since the message was rejected, no, I do not have the actual message. I am 
relying, at this point, on my bother having given me correct information. Like 
all bothers, this is a risky assumption.

-- 
'Does he have people put to death?' said Mort. SOMETIMES. THERE ARE
SOME THINGS YOU HAVE TO DO, WHEN YOU'RE A KING.



Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Bowie Bailey

On 3/12/2015 4:23 PM, @lbutlr wrote:

On Mar 12, 2015, at 2:07 PM, @lbutlr  wrote:

But it was NOT a junk mail from yahoo, it was a message from my brother’s yahoo 
account that said only “Kill it”.

Just in case I am misinterpreting something here….

Mar 11 22:28:33 mail postfix/smtpd[79324]: connect from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Mar 11 22:28:33 mail postfix/smtpd[79324]: Anonymous TLS connection established 
from nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]: TLSv1 with cipher 
ECDHE-RSA-RC4-SHA (128/128 bits)
Mar 11 22:28:34 mail policyd-spf[79325]: None; identity=helo; 
client-ip=98.138.91.242; helo=nm20-vm5.bullet.mail.ne1.yahoo.com; 
envelope-from=*brother*@yahoo.com; receiver=kr...@kreme.com
Mar 11 22:28:34 mail policyd-spf[79325]: Pass; identity=mailfrom; 
client-ip=98.138.91.242; helo=nm20-vm5.bullet.mail.ne1.yahoo.com; 
envelope-from=*brother*@yahoo.com; receiver=kr...@kreme.com
Mar 11 22:28:34 mail postfix/smtpd[79324]: 3l2cbk5MbNzJMhn: 
client=nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Mar 11 22:28:34 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: 
message-id=<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com>
Mar 11 22:28:34 mail spamd[70438]: spamd: connection from localhost [::1]:39788 
to port 783, fd 6
Mar 11 22:28:34 mail spamd[70438]: spamd: handle_user (userdir) unable to find 
user: 'kr...@kreme.com'
Mar 11 22:28:34 mail spamd[70438]: spamd: processing message 
<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com> for kr...@kreme.com:58
Mar 11 22:28:38 mail spamd[70438]: spamd: identified spam (10.6/5.0) for 
kr...@kreme.com:58 in 3.5 seconds, 8168 bytes.
Mar 11 22:28:38 mail spamd[70438]: spamd: result: Y 10 - 
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_YAHOO_RCVD,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RDNS_NONE,SPF_PASS,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL_A,URIBL_SC_SURBL,URIBL_WS_SURBL
 
scantime=3.5,size=8168,user=kr...@kreme.com,uid=58,required_score=5.0,rhost=localhost,raddr=::1,rport=39788,mid=<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com>,autolearn=disabled
Mar 11 22:28:38 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: milter-reject: END-OF-MESSAGE from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]: 5.7.1 Blocked by SpamAssassin; 
from=<*brother*@yahoo.com> to= proto=ESMTP 
helo=
Mar 11 22:28:38 mail spamd[16674]: prefork: child states: II
Mar 11 22:28:38 mail postfix/smtpd[79324]: disconnect from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]


These logs just show SA blocking an email containing a URL that is in 
the URIBL blacklist.


Can you show us the actual message that you received (headers and all)?  
Post it to pastebin and give us the link.


--
Bowie
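
The reading given in the reply above can be checked mechanically by parsing the spamd "result:" lines and diffing the rule hits of the rejected message against the later accepted one from the same sender. This is an added example, not part of any post in the thread; the two sample lines are constructed from the rule lists posted here, with a placeholder user and message-id.

```python
import re

# Constructed samples: rule lists as posted in the thread, placeholder user/mid.
REJECTED = (
    "Mar 11 22:28:38 mail spamd[70438]: spamd: result: Y 10 - "
    "DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_YAHOO_RCVD,"
    "FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RDNS_NONE,"
    "SPF_PASS,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,"
    "URIBL_RHS_DOB,URIBL_SBL_A,URIBL_SC_SURBL,URIBL_WS_SURBL "
    "scantime=3.5,size=8168,user=user@example.com,uid=58,required_score=5.0,"
    "rhost=localhost,raddr=::1,rport=39788,mid=<constructed-1@example.com>,"
    "autolearn=disabled"
)
ACCEPTED = (
    "Mar 11 22:30:31 mail spamd[70438]: spamd: result: . 2 - "
    "DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_YAHOO_RCVD,"
    "FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,"
    "RDNS_NONE,SPF_PASS,UNPARSEABLE_RELAY "
    "scantime=0.3,size=3607,user=user@example.com,uid=58,required_score=5.0,"
    "rhost=localhost,raddr=::1,rport=25312,mid=<constructed-2@example.com>,"
    "autolearn=disabled"
)

# "result: <Y|.> <rounded score> - <comma-separated rules> <key=value,...>"
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.])\s+(?P<score>-?\d+) - "
    r"(?P<tests>[A-Za-z0-9_,]*)\s+(?P<meta>\S+=.*)$"
)


def parse_result(line):
    """Parse one spamd result line; return None for any other log line."""
    m = RESULT_RE.search(line.strip())
    if m is None:
        return None
    meta, last = {}, None
    for item in m.group("meta").split(","):
        key, sep, value = item.partition("=")
        if sep:
            meta[key], last = value, key
        elif last is not None:
            meta[last] += "," + item  # a comma inside a value, e.g. in mid=
    return {
        "spam": m.group("flag") == "Y",
        "score": int(m.group("score")),  # the log line carries a rounded score
        "required": float(meta.get("required_score", "nan")),
        "tests": [t for t in m.group("tests").split(",") if t],
        "meta": meta,
    }


def compare(first, second):
    """Rules hit only by the first result, and only by the second."""
    a, b = set(first["tests"]), set(second["tests"])
    return sorted(a - b), sorted(b - a)


def by_family(rules):
    """Group rule names by the prefix before the first underscore."""
    groups = {}
    for rule in rules:
        groups.setdefault(rule.split("_", 1)[0], []).append(rule)
    return groups


if __name__ == "__main__":
    rejected, accepted = parse_result(REJECTED), parse_result(ACCEPTED)
    only_rejected, only_accepted = compare(rejected, accepted)
    print("rejected:", rejected["score"], "required:", rejected["required"])
    print("only in rejected message:", by_family(only_rejected))
    print("only in accepted message:", only_accepted)
```

The sender-related hits (DKIM, SPF, FORGED_YAHOO_RCVD, FREEMAIL_*) are identical in both results; the only rules unique to the rejected message are the seven URIBL_* hits, which fire on URLs in the message.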


Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Reindl Harald



Am 12.03.2015 um 21:23 schrieb @lbutlr:

On Mar 12, 2015, at 2:07 PM, @lbutlr  wrote:

But it was NOT a junk mail from yahoo, it was a message from my brother’s yahoo 
account that said only “Kill it”.

>

Just in case I am misinterpreting something here….

Mar 11 22:28:33 mail postfix/smtpd[79324]: connect from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Mar 11 22:28:33 mail postfix/smtpd[79324]: Anonymous TLS connection established 
from nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]: TLSv1 with cipher 
ECDHE-RSA-RC4-SHA (128/128 bits)
Mar 11 22:28:34 mail policyd-spf[79325]: None; identity=helo; 
client-ip=98.138.91.242; helo=nm20-vm5.bullet.mail.ne1.yahoo.com; 
envelope-from=*brother*@yahoo.com; receiver=kr...@kreme.com
Mar 11 22:28:34 mail policyd-spf[79325]: Pass; identity=mailfrom; 
client-ip=98.138.91.242; helo=nm20-vm5.bullet.mail.ne1.yahoo.com; 
envelope-from=*brother*@yahoo.com; receiver=kr...@kreme.com
Mar 11 22:28:34 mail postfix/smtpd[79324]: 3l2cbk5MbNzJMhn: 
client=nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Mar 11 22:28:34 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: 
message-id=<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com>
Mar 11 22:28:34 mail spamd[70438]: spamd: connection from localhost [::1]:39788 
to port 783, fd 6
Mar 11 22:28:34 mail spamd[70438]: spamd: handle_user (userdir) unable to find 
user: 'kr...@kreme.com'
Mar 11 22:28:34 mail spamd[70438]: spamd: processing message 
<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com> for kr...@kreme.com:58
Mar 11 22:28:38 mail spamd[70438]: spamd: identified spam (10.6/5.0) for 
kr...@kreme.com:58 in 3.5 seconds, 8168 bytes.
Mar 11 22:28:38 mail spamd[70438]: spamd: result: Y 10 - 
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_YAHOO_RCVD,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RDNS_NONE,SPF_PASS,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL_A,URIBL_SC_SURBL,URIBL_WS_SURBL
 
scantime=3.5,size=8168,user=kr...@kreme.com,uid=58,required_score=5.0,rhost=localhost,raddr=::1,rport=39788,mid=<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com>,autolearn=disabled
Mar 11 22:28:38 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: milter-reject: END-OF-MESSAGE from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]: 5.7.1 Blocked by SpamAssassin; 
from=<*brother*@yahoo.com> to= proto=ESMTP 
helo=
Mar 11 22:28:38 mail spamd[16674]: prefork: child states: II
Mar 11 22:28:38 mail postfix/smtpd[79324]: disconnect from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]


there are URLs - no matter from where they are coming
any message with *that* amount of URIBL hits has to be rejected
URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL_A,URIBL_SC_SURBL,URIBL_WS_SURBL

FORGED_YAHOO_RCVD: that is suspect - sure that your internal networks and 
trusted networks are configured correctly?


FREEMAIL_ENVFROM_END_DIGIT: typical spammy "anything678@freemaildomain"






Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Antony Stone
On Thursday 12 March 2015 at 21:07:43 (EU time), @lbutlr wrote:

> On Mar 12, 2015, at 3:36 AM, Reindl Harald  wrote:
> > what's the problem?
> > that a junk mail from yahoo is blocked?
> 
> But it was NOT a junk mail from yahoo, it was a message from my brother’s
> yahoo account that said only “Kill it”.
> 
> As far as I know, since he then sent me the message via gmail, there were
> no URLs in the email. Just the aforementioned text and his name and phone
> number.
> 
> If there were URLS in it, they were URLs added by Yahoo (do they do that?)

I don't tend to get emails from Yahoo accounts, but the last one which 
appeared on this list (29th January, subject "duplicate key value violates 
unique constraint 'bayes_seen_pkey'") had no added URLs.

Regards,


Antony.

-- 
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

   Please reply to the list;
 please *don't* CC me.


Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread @lbutlr
On Mar 12, 2015, at 2:07 PM, @lbutlr  wrote:
> But it was NOT a junk mail from yahoo, it was a message from my brother’s 
> yahoo account that said only “Kill it”.

Just in case I am misinterpreting something here….

Mar 11 22:28:33 mail postfix/smtpd[79324]: connect from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Mar 11 22:28:33 mail postfix/smtpd[79324]: Anonymous TLS connection established 
from nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]: TLSv1 with cipher 
ECDHE-RSA-RC4-SHA (128/128 bits)
Mar 11 22:28:34 mail policyd-spf[79325]: None; identity=helo; 
client-ip=98.138.91.242; helo=nm20-vm5.bullet.mail.ne1.yahoo.com; 
envelope-from=*brother*@yahoo.com; receiver=kr...@kreme.com 
Mar 11 22:28:34 mail policyd-spf[79325]: Pass; identity=mailfrom; 
client-ip=98.138.91.242; helo=nm20-vm5.bullet.mail.ne1.yahoo.com; 
envelope-from=*brother*@yahoo.com; receiver=kr...@kreme.com 
Mar 11 22:28:34 mail postfix/smtpd[79324]: 3l2cbk5MbNzJMhn: 
client=nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Mar 11 22:28:34 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: 
message-id=<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com>
Mar 11 22:28:34 mail spamd[70438]: spamd: connection from localhost [::1]:39788 
to port 783, fd 6 
Mar 11 22:28:34 mail spamd[70438]: spamd: handle_user (userdir) unable to find 
user: 'kr...@kreme.com' 
Mar 11 22:28:34 mail spamd[70438]: spamd: processing message 
<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com> for kr...@kreme.com:58 
Mar 11 22:28:38 mail spamd[70438]: spamd: identified spam (10.6/5.0) for 
kr...@kreme.com:58 in 3.5 seconds, 8168 bytes. 
Mar 11 22:28:38 mail spamd[70438]: spamd: result: Y 10 - 
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_YAHOO_RCVD,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RDNS_NONE,SPF_PASS,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL_A,URIBL_SC_SURBL,URIBL_WS_SURBL
 
scantime=3.5,size=8168,user=kr...@kreme.com,uid=58,required_score=5.0,rhost=localhost,raddr=::1,rport=39788,mid=<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com>,autolearn=disabled
 
Mar 11 22:28:38 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: milter-reject: 
END-OF-MESSAGE from nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]: 5.7.1 
Blocked by SpamAssassin; from=<*brother*@yahoo.com> to= 
proto=ESMTP helo=
Mar 11 22:28:38 mail spamd[16674]: prefork: child states: II 
Mar 11 22:28:38 mail postfix/smtpd[79324]: disconnect from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]

-- 
Support bacteria - they're the only culture some people have.



Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread @lbutlr
On Mar 12, 2015, at 3:36 AM, Reindl Harald  wrote:
> what's the problem?
> that a junk mail from yahoo is blocked?

But it was NOT a junk mail from yahoo, it was a message from my brother’s yahoo 
account that said only “Kill it”.

As far as I know, since he then sent me the message via gmail, there were no 
URLs in the email. Just the aforementioned text and his name and phone number.

If there were URLS in it, they were URLs added by Yahoo (do they do that?)


-- 
Why would I ever want to go outside the Beltway?



Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread RW
On Thu, 12 Mar 2015 11:23:33 -0700
Rick Hantz \(TirNanOg\) wrote:

>  

> However, none of the whitelist seems to get processed. Mail that
> should have a high negative number doesn't and ends up in the spam
> folder.
> 
> whitelist_from 23andme.com
> ...
> whitelist_from *.aarp.com


try: 
 
whitelist_from *@23andme.com

whitelist_from *@*.aarp.com

etc
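
Why the posted entries never fire can be shown with a small lint for whitelist_from lines. This is an added example, not part of any post and not SpamAssassin's own code: it models the documented matching (file-glob style, only '*' and '?' are wildcards, the pattern has to match the whole address, case-insensitive), and the sample preferences and sender addresses are constructed.

```python
import re

# Constructed sample: the kinds of entries posted in this thread.
SAMPLE_PREFS = """\
required_score -2.0
whitelist_from 23andme.com
whitelist_from *.aarp.com
whitelist_from mailto:*@sailthru.com
whitelist_from *@e.washingtonpost.com
"""


def glob_to_regex(pattern):
    """Translate a whitelist glob: '*' -> any run, '?' -> one character."""
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def matches(pattern, address):
    """True if the glob covers the complete sender address."""
    return glob_to_regex(pattern).fullmatch(address.lower()) is not None


def lint_entry(pattern):
    """Return the problems found in one whitelist_from pattern."""
    problems = []
    if pattern.lower().startswith("mailto:"):
        problems.append("'mailto:' is taken as part of the pattern, "
                        "so no sender address can match")
    if "@" not in pattern:
        if "*" in pattern or "?" in pattern:
            problems.append("no '@': the wildcard has to span the local part "
                            "and the '@'; check which hosts it really covers")
        else:
            problems.append("no '@' and no wildcard: only the literal string "
                            "would match; use '*@" + pattern + "'")
    return problems


def lint_prefs(text):
    """Map each problematic whitelist_from pattern to its problems."""
    findings = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "whitelist_from":
            for pattern in fields[1:]:
                problems = lint_entry(pattern)
                if problems:
                    findings[pattern] = problems
    return findings


if __name__ == "__main__":
    for pattern, problems in lint_prefs(SAMPLE_PREFS).items():
        for problem in problems:
            print(pattern + ": " + problem)
    # Constructed sender addresses for the cases discussed in the thread.
    checks = [
        ("23andme.com", "news@23andme.com"),
        ("*@23andme.com", "news@23andme.com"),
        ("*.aarp.com", "member@aarp.com"),
        ("*@sailthru.com", "bounce@mx.sailthru.com"),
        ("*@*.sailthru.com", "bounce@mx.sailthru.com"),
    ]
    for pattern, address in checks:
        print(pattern, address, matches(pattern, address))
```

A pattern that passes this lint still matches on the sender address alone, which is the forgery concern raised elsewhere in this thread; whitelist_auth additionally requires an SPF or DKIM pass.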


Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Axb

On 03/12/2015 07:23 PM, Rick Hantz (TirNanOg) wrote:

whitelist_from alfranken.com


bad syntax

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt

unwhitelist_from u...@example.com
Used to override a default whitelist_from entry, so for example a
distribution whitelist_from can be overridden in a local.cf 
file, or

an individual user can override a whitelist_from entry in their own
"user_prefs" file. The specified email address has to match exactly
(although case-insensitively) the address previously used in a
whitelist_from line, which implies that a wildcard only matches
literally the same wildcard (not 'any' address).

e.g.

  unwhitelist_from j...@example.com f...@example.com
  unwhitelist_from *@example.com

whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net
Works similarly to whitelist_from, except that in addition to
matching a sender address, a relay's rDNS name or its IP address
must match too for the whitelisting rule to fire. The first
parameter is a sender's e-mail address to whitelist, and the second
is a string to match the relay's rDNS, or its IP address. Matching
is case-insensitive.

This second parameter is matched against the TCP-info information
field as provided in a FROM clause of a trace information (i.e. the
Received header field, see RFC 5321). Only the Received header
fields inserted by trusted hosts are considered. This parameter can
either be a full hostname, or the domain component of that 
hostname,

or an IP address in square brackets. The reverse DNS lookup is done
by a MTA, not by SpamAssassin.

In case of an IPv4 address in brackets, it may be truncated on
classful boundaries to cover whole subnets, e.g. "[10.1.2.3]",
"[10.1.2]", "[10.1]", "[10]". CIDR notation is currently not
supported, nor is IPv6. The matching on IP address is mainly
provided to cover rare cases where whitelisting of a sending MTA is
desired which does not have a correct reverse DNS configured.

In other words, if the host that connected to your MX had an IP
address 192.0.2.123 that mapped to 'sendinghost.example.org', you
should specify "sendinghost.example.org", or "example.org", or
"[192.0.2.123]" or "[192.0.2]" here.

Note that this requires that "internal_networks" be correct. For
simple cases, it will be, but for a complex network you may get
better results by setting that parameter.

It also requires that your mail exchangers be configured to perform
DNS reverse lookups on the connecting host's IP address, and to
record the result in the generated Received header field according
to RFC 5321.

e.g.

  whitelist_from_rcvd j...@example.com  example.com
  whitelist_from_rcvd *@axkit.org  sergeant.org
  whitelist_from_rcvd *@axkit.org  [192.0.2.123]



Re: whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Reindl Harald



Am 12.03.2015 um 19:23 schrieb Rick Hantz (TirNanOg):

My mail is hosted on Lunarpages.com on my own domain.

I train SpamAssassin frequently.

However, I get hundreds of spam messages daily (500-700). This is an old
public account that I need to maintain, otherwise I’d delete it.

After a while, the tokens files get corrupt, so I delete them and start
over. (I start getting a lot of spam missed).

To filter most everything, I set the spam level at -1.

I maintain a whitelist in user_prefs, so I can easily start over.

However, none of the whitelist seems to get processed. Mail that should
have a high negative number doesn’t and ends up in the spam folder.

Any ideas or workarounds?


without logs - no





whitelist_from in user_prefs is not being processed.

2015-03-12 Thread Rick Hantz (TirNanOg)
 

My mail is hosted on Lunarpages.com on my own domain.

I train SpamAssassin frequently.

However, I get hundreds of spam messages daily (500-700). This is an old
public account that I need to maintain, otherwise I'd delete it.

After a while, the tokens files get corrupt, so I delete them and start
over. (I start getting a lot of spam missed).

To filter most everything, I set the spam level at -1.

I maintain a whitelist in user_prefs, so I can easily start over.

 

However, none of the whitelist seems to get processed. Mail that should have
a high negative number doesn't and ends up in the spam folder.

 

rewrite_header subject {SPAM _SCORE(0)_}

add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on
_HOSTNAME_

add_header all Level _STARS(*)_

add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_
autolearn=_AUTOLEARN_ version=_VERSION_

add_header spam Flag _YESNOCAPS_

bayes_file_mode 0600

bayes_ignore_header X-MailScanner

bayes_ignore_header X-MailScanner-Information

bayes_ignore_header X-MailScanner-SpamCheck

bayes_ignore_header X-MailScanner-SpamScore

bayes_path /home/tirna3/.spamassassin/bayes

required_score -2.0

use_bayes 1

 

whitelist_from 23andme.com

whitelist_from aaawa.com

whitelist_from *.aarp.com

whitelist_from *.airportparkingreservations.com

whitelist_from alfranken.com

whitelist_from alternet.org

whitelist_from amazon.com

whitelist_from amcustomercare.att-mail.com

whitelist_from autobytel.com

whitelist_from boldprogressives.org

whitelist_from *.care2.com

whitelist_from *.charbroil.com

whitelist_from cnet.online.com

whitelist_from *.consumerlab.com

whitelist_from *.costco.com

whitel

.

 

Any ideas or workarounds?

 

Thanks,

 

Rick



Re: is spamassassin scoring too high points

2015-03-12 Thread Reindl Harald

please don't top post

Am 12.03.2015 um 13:06 schrieb Sujit Acharyya-choudhury:

I don't have any custom rules nor I am using sought.cf. I have chosen
the standard installation without any tweaks.  I am just worried,
whether I am being too aggressive in blocking messages which are not
blocked by MessageLabs.


the default SA rules are for sure not too aggressive
why premature worries without any indication?

and even if you reject a message which would have made it through 
MessageLabs that means *nothing* as long it's not a *real* false positive


we block each day a lot of forwardings from different mail services all 
having their own spamfilter and at the end of the day it turns out they 
are indeed spam



-Original Message-
From: Reindl Harald [mailto:h.rei...@thelounge.net]
Sent: 12 March 2015 11:51
To: users@spamassassin.apache.org
Subject: Re: is spamassassin scoring too high points

you can't compare scores between different setups because they are
likely different and using also a different reject score

* you can give each rule a non-default score
* much depends on bayes and how bayes hits are scored
* custom rules

you need at *least* all the hitting rules
your message here hit these ones:

BAYES_00,CUST_DNSWL_10,CUST_DNSWL_3,CUST_DNSWL_8,CUST_MOST_SPAM_TO,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS,T_MIME_MALF,T_RP_MATCHES_RCVD






RE: is spamassassin scoring too high points

2015-03-12 Thread Sujit Acharyya-choudhury
I don't have any custom rules nor I am using sought.cf. I have chosen
the standard installation without any tweaks.  I am just worried,
whether I am being too aggressive in blocking messages which are not
blocked by MessageLabs. 
I accept the scoring method will be different.  

-Original Message-
From: Reindl Harald [mailto:h.rei...@thelounge.net] 
Sent: 12 March 2015 11:51
To: users@spamassassin.apache.org
Subject: Re: is spamassassin scoring too high points



Am 12.03.2015 um 12:40 schrieb Sujit Acharyya-choudhury:
> We are using MessageLabs for our most of our inward mails.  However,
we
> also get mails from other places as well.  In order to get rid of
spam,
> we have installed the latest version of spamassassin, which is set to
> reject any mail at smtp time if the score is over 12.  What I find
> peculiar is some mails from MessageLabs are not scoring as high as the
> one scored by spamassassin.

you can't compare scores between different setups because they are 
likely different and using also a different reject score

* you can give each rule a non-default score
* much depends on bayes and how bayes hits are scored
* custom rules

you need at *least* all the hitting rules
your message here hit these ones:

BAYES_00,CUST_DNSWL_10,CUST_DNSWL_3,CUST_DNSWL_8,CUST_MOST_SPAM_TO,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS,T_MIME_MALF,T_RP_MATCHES_RCVD



Re: is spamassassin scoring too high points

2015-03-12 Thread Reindl Harald



Am 12.03.2015 um 12:40 schrieb Sujit Acharyya-choudhury:

We are using MessageLabs for our most of our inward mails.  However, we
also get mails from other places as well.  In order to get rid of spam,
we have installed the latest version of spamassassin, which is set to
reject any mail at smtp time if the score is over 12.  What I find
peculiar is some mails from MessageLabs are not scoring as high as the
one scored by spamassassin.


you can't compare scores between different setups because they are 
likely different and using also a different reject score


* you can give each rule a non-default score
* much depends on bayes and how bayes hits are scored
* custom rules

you need at *least* all the hitting rules
your message here hit these ones:

BAYES_00,CUST_DNSWL_10,CUST_DNSWL_3,CUST_DNSWL_8,CUST_MOST_SPAM_TO,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS,T_MIME_MALF,T_RP_MATCHES_RCVD





is spamassassin scoring too high points

2015-03-12 Thread Sujit Acharyya-choudhury
We are using MessageLabs for our most of our inward mails.  However, we
also get mails from other places as well.  In order to get rid of spam,
we have installed the latest version of spamassassin, which is set to
reject any mail at smtp time if the score is over 12.  What I find
peculiar is some mails from MessageLabs are not scoring as high as the
one scored by spamassassin.   

Below is the example of the header which has been rejected at SMTP time,

2015-03-12 09:05:51 1YVz3t-0001lJ-6m H=mail6.bemta5.messagelabs.com
[195.245.231.135] F= rejected after DATA: This
message scored 25.8 spam points.
Envelope-from:
Envelope-to:
P Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
    by mail2.ccs.bbk.ac.uk with smtp (Exim 4.80.1)
    (envelope-from )
    id 1YVz3t-0001lJ-6m
    for g.christodouli...@bbk.ac.uk; Thu, 12 Mar 2015 09:05:49 +
* Return-Path:
P Received: from [195.245.231.67] by server-13.bemta-5.messagelabs.com
    id D7/7A-09628-DE651055; Thu, 12 Mar 2015 09:05:49 +
  X-Env-Sender: t...@dodobooking.com
  X-Msg-Ref: server-7.tower-82.messagelabs.com!1426151146!25986048!1
  X-Originating-IP: [192.254.214.131]
  X-SpamReason: No, hits=4.7 required=7.0 tests=msgid: No Message-ID,
    ADVANCE_FEE_1,ADVANCE_FEE_2,FORGED_MUA_OUTLOOK,TO_CC_NONE
  X-StarScan-Received:
  X-StarScan-Version: 6.13.4; banners=-,-,-
  X-VirusChecked: Checked
P Received: (qmail 32108 invoked from network); 12 Mar 2015 09:05:48
    -
P Received: from cre.creative3ddesign.net (HELO
    cre.creative3ddesign.net) (192.254.214.131)
    by server-7.tower-82.messagelabs.com with DHE-RSA-AES256-SHA encrypted
    SMTP; 12 Mar 2015 09:05:48 -
P Received: from 41-66-233-120-dedicated.4u.com.gh ([41.66.233.120]:8629
    helo=User)
    by cre.creative3ddesign.net with esmtpa (Exim 4.85)
    (envelope-from )
    id 1YVyxT-ed-Cl; Thu, 12 Mar 2015 12:59:12 +0400
R Reply-To:
F From: "Mr. William Koffie"
  Subject: Please i apologize using this medium to reach you.
  Date: Thu, 12 Mar 2015 08:58:57 -
  MIME-Version: 1.0
  Content-Type: text/plain;
    charset="Windows-1251"
  Content-Transfer-Encoding: 7bit
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-Mailer: Microsoft Outlook Express 6.00.2600.
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
  X-OutGoing-Spam-Status: No, score=
  X-AntiAbuse: This header was added to track abuse, please include it
    with any abuse report
  X-AntiAbuse: Primary Hostname - cre.creative3ddesign.net
  X-AntiAbuse: Original Domain - bbk.ac.uk
  X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
  X-AntiAbuse: Sender Address Domain - DODOBOOKING.COM
  X-Get-Message-Sender-Via: cre.creative3ddesign.net: authenticated_id:
    t...@dodobooking.com

Unfortunately we don't have the full message to take it up with
MessageLabs.

Any comment will be appreciated.

Regards

Sujit Choudhury



Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Benny Pedersen

On March 12, 2015 5:53:43 AM "@lbutlr"  wrote:

spamd: result: Y 10 - 
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_YAHOO_RCVD,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RDNS_NONE,SPF_PASS,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL_A,URIBL_SC_SURBL,URIBL_WS_SURBL 
scantime=3.5,size=8168,


A 10 seems high for an email that actually came from yahoo? Maybe not. I 
only know one person who is still using yahoo mail, myself. I see a lot of 
blocked mail in the logs from yahoo servers.


yahoo uses google and hotmail ips for outbound, if you like to prevent
rejects use a whitelist from dkim, yahoo is smart to not have their own ips
blacklisted, are there spammy urls in that mail? :)


Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Reindl Harald



Am 12.03.2015 um 05:52 schrieb @lbutlr:



On 11 Mar 2015, at 22:45 , @lbutlr  wrote:

$ grep 3l2cbk5MbNzJMhn /var/log/maillog
Mar 11 22:28:34 mail postfix/smtpd[79324]: 3l2cbk5MbNzJMhn: 
client=nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Mar 11 22:28:34 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: 
message-id=<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com>
Mar 11 22:28:38 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: milter-reject: END-OF-MESSAGE from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]: 5.7.1 Blocked by SpamAssassin; 
from=<*munged*@yahoo.com> to= proto=ESMTP 
helo=


Oh, found the log line seconds later:

spamd: result: Y 10 - 
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_YAHOO_RCVD,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RDNS_NONE,SPF_PASS,UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL_A,URIBL_SC_SURBL,URIBL_WS_SURBL
 scantime=3.5,size=8168,

A 10 seems high for an email that actually came from yahoo?


how does it matter from where it came?
its *content* is spam and 10 is *not* high

frankly we score URIBL_BLACK with 7.0 for good
reasons while rejecting above 8.0

URIBL_BLACK
URIBL_DBL_SPAM
URIBL_JP_SURBL
URIBL_SC_SURBL
URIBL_WS_SURBL


our scores:

score URIBL_AB_SURBL 4.5
score URIBL_JP_SURBL 4.5
score URIBL_MW_SURBL 5.0
score URIBL_PH_SURBL 5.0
score URIBL_WS_SURBL 3.5
score URIBL_SC_SURBL 0.5
score URIBL_SBL 1.5
score URIBL_SBL_A 1.5
score URIBL_DBL_SPAM 3.5
score URIBL_DBL_BOTNETCC 3.5
score URIBL_DBL_PHISH 5.0
score URIBL_DBL_MALWARE 5.0
score URIBL_DBL_ABUSE_SPAM 3.5
score URIBL_DBL_ABUSE_BOTCC 4.0
score URIBL_DBL_ABUSE_PHISH 5.0
score URIBL_DBL_ABUSE_MALW 5.0
score URIBL_BLACK 7.0
score URIBL_GREY 0.5
score URIBL_RED 0.5
score URIBL_DBL_REDIR 0.1
score URIBL_DBL_ABUSE_REDIR 0.3
score URIBL_RHS_DOB 0.2
score URIBL_BLOCKED 0
score URIBL_DBL_ERROR 0



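Added example, not part of any post in this thread and not code from the SpamAssassin project: a small parser that takes the spamd result line quoted above and re-prices its hits with the `score` lines posted above. The function names are made up for this illustration, and the two constants are constructed by copying the log line and the relevant score lines from the thread.

```python
import re

# Constructed input: the spamd result line quoted in the thread, joined onto one line.
LOG_LINE = (
    "spamd: result: Y 10 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_YAHOO_RCVD,"
    "FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RDNS_NONE,SPF_PASS,"
    "UNPARSEABLE_RELAY,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_RHS_DOB,"
    "URIBL_SBL_A,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=3.5,size=8168,"
)
# Constructed input: the posted "score" lines for the URIBL rules that hit.
LOCAL_CF = """
score URIBL_JP_SURBL 4.5
score URIBL_WS_SURBL 3.5
score URIBL_SC_SURBL 0.5
score URIBL_SBL_A 1.5
score URIBL_DBL_SPAM 3.5
score URIBL_BLACK 7.0
score URIBL_RHS_DOB 0.2
"""
RESULT_RE = re.compile(r"spamd: result: ([Y.]) (-?\d+(?:\.\d+)?) - (\S*)")
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")  # single-value form only

def parse_result(line):
    """Return (is_spam, logged_score, [rule names]) from a spamd result line."""
    m = RESULT_RE.search(line)
    if not m:
        raise ValueError("not a spamd result line")
    return m.group(1) == "Y", float(m.group(2)), [r for r in m.group(3).split(",") if r]

def parse_scores(cf_text):
    """Map rule name -> score from 'score NAME VALUE' lines."""
    found = (SCORE_RE.match(line) for line in cf_text.splitlines())
    return {m.group(1): float(m.group(2)) for m in found if m}

def breakdown(line, cf_text):
    """Return (logged score, {rule: score} for scored hits, their sum, unscored hits)."""
    _, logged, rules = parse_result(line)
    scores = parse_scores(cf_text)
    known = {r: scores[r] for r in rules if r in scores}
    unknown = [r for r in rules if r not in scores]
    return logged, known, round(sum(known.values()), 1), unknown

if __name__ == "__main__":
    logged, known, total, unknown = breakdown(LOG_LINE, LOCAL_CF)
    print(f"logged by the original setup: {logged}")
    for rule, value in sorted(known.items(), key=lambda kv: -kv[1]):
        print(f"  {rule:<16} {value:>4}")
    print(f"URIBL hits under the posted scores: {total}")
    print(f"hits with no score on this page: {', '.join(unknown)}")
```

Under the posted scores the seven URIBL hits alone add up to 20.7, against the 10 logged by the setup that produced the line, so the list of hitting rules is what can be compared between installations, not the total.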


Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Reindl Harald


Am 12.03.2015 um 05:45 schrieb @lbutlr:

$ grep 3l2cbk5MbNzJMhn /var/log/maillog
Mar 11 22:28:34 mail postfix/smtpd[79324]: 3l2cbk5MbNzJMhn: 
client=nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Mar 11 22:28:34 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: 
message-id=<2c89470b-6522-413d-813b-a7e6f242c...@yahoo.com>
Mar 11 22:28:38 mail postfix/cleanup[79271]: 3l2cbk5MbNzJMhn: milter-reject: END-OF-MESSAGE from 
nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]: 5.7.1 Blocked by SpamAssassin; 
from=<*munged*@yahoo.com> to= proto=ESMTP 
helo=

Yes, I realize this is almost certainly yahoo breaking something, but still, I 
need to check


what's the problem?
that a junk mail from yahoo is blocked?

well, that's the purpose of a content filter: to block spam from machines
which have legit users too and can't be blocked by RBLs








Re: spamass filter blocked yahoo, but why?

2015-03-12 Thread Axb

On 03/12/2015 06:28 AM, Oli Schacher wrote:

On Wed, 11 Mar 2015 22:52:41 -0600
"@lbutlr"  wrote:



Oh, found the log line seconds later:

spamd: result: Y 10 -
[...] 
,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL_A,URIBL_SC_SURBL,URIBL_WS_SURBL


Looks like the message text contains a blacklisted domain.



Sheldon asks "was that sarcasm?"


Re: Improve spam hit rate

2015-03-12 Thread Reindl Harald


Am 10.03.2015 um 18:29 schrieb Lorenzo Thurman:

I have these messages in a paste: http://pastebin.com/jNQfRerx. They
were received about 1 1/2 hours apart. After I received the first one, I
ran sudo sa-learn --spam /path/to/mail/folder against it and then sudo
sa-learn --sync. spamassassin reported that it ‘learned tokens from 1
message…’


you likely train the wrong bayes
sa-learn must run as the same user as spamassassin / spamd

nobody is calling such things as root via sudo BTW


