Re: Classifying mail as unsolicited
On 07.07.2015 05:21, Alex wrote:
> Hi,
>
> We have a system with a few hundred users, many of which forward their mail off the server to their gmail or yahoo account. Lately I've started to notice quite a few messages are being tagged by gmail and delayed being received as unsolicited. I know the KAM rules contain a marketing rule, and razor helps too, but too many of these marketing messages are not being tagged.
>
> I'm referring to warnings such as this:
>
> Jul 6 22:54:20 bwipropemail postfix/smtp[25057]: C09F4885EA2BC: to=44...@gmail.com, orig_to=44...@example.com, relay=alt1.gmail-smtp-in.l.google.com[173.194.208.26]:25, delay=38223, delays=38220/1.3/1/0.22, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[173.194.208.26] said: 421-4.7.0 [66.XXX.XXX.100 15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 https://support.google.com/mail/answer/81126 to review our Bulk Email 421 4.7.0 Senders Guidelines. 5si23309629qks.82 - gsmtp (in reply to end of DATA command))
>
> Here is an example message:
>
> http://pastebin.com/kaD3AQMz
>
> I realize bayes may be a problem on this one, but do you have any suggestions for blocking these more effectively before they're forwarded on to gmail?

imo, this is not something SA will consistently fix for you but more of a policy decision which will probably cause you endless problems.

If you are forced to permit forwarding, you should do SRS on the forwarding msgs (incl. SPF/DKIM) so receivers see you're not the original msg source and act accordingly.

I would ban forwarding, period.

Axb
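The SRS rewriting recommended in the reply above, sketched as an added example (not code from the thread or from any SRS library): the forwarder replaces the envelope sender with an address in its own domain, so the receiver's SPF check evaluates the forwarder's record, and a keyed hash lets it reject forged or stale bounces. The secret, the domain names, the 4-character hash length and the 21-day window are assumptions.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: secret known only to the forwarder
FORWARDER = "forwarder.example"       # assumption: domain of the forwarding server
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                     # assumption: how long bounces are accepted


def _stamp(day):
    """Day number modulo 1024 as two base32 characters."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def _tag(stamp, domain, local):
    """Short keyed hash over timestamp, original domain and local part."""
    msg = (stamp + domain + local).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def srs_forward(sender, day):
    """Rewrite the envelope sender before relaying to the external mailbox."""
    local, domain = sender.rsplit("@", 1)
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"


def srs_reverse(address, today):
    """Return the original sender for a bounce, or None if forged or stale."""
    local_part, _, host = address.rpartition("@")
    fields = local_part.split("=", 4)
    if host.lower() != FORWARDER or len(fields) != 5 or fields[0].upper() != "SRS0":
        return None
    tag, stamp, domain, local = fields[1], fields[2].upper(), fields[3], fields[4]
    # Fixed-width timestamp check stops fields being shifted under the same hash.
    if len(stamp) != 2 or any(c not in B32 for c in stamp):
        return None
    if not hmac.compare_digest(tag.encode(), _tag(stamp, domain, local).encode()):
        return None
    then = B32.index(stamp[0]) * 32 + B32.index(stamp[1])
    if (today - then) % 1024 > MAX_AGE_DAYS:
        return None
    return f"{local}@{domain}"
```

`day` and `today` are day counts since the Unix epoch; a production deployment would use the MTA's SRS support rather than this sketch.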
Re: Classifying mail as unsolicited
Hi.

Why do you think bayes has problems with such email?

Considering the example you put on Pastebin is triggering BAYES_00=-1.9 I believe that if you are able to collect a sufficient amount of these messages and feed it to SA through sa-learn you should start to trigger more BAYES_5X or even BAYES_9X rules.

Since you are operating a forwarding server for other users you can think about creating a fake account just to collect samples such as the one you've posted.

Regards,
Matteo

On 07.07.2015 05:21, Alex wrote:
> Hi,
>
> We have a system with a few hundred users, many of which forward their mail off the server to their gmail or yahoo account. Lately I've started to notice quite a few messages are being tagged by gmail and delayed being received as unsolicited. I know the KAM rules contain a marketing rule, and razor helps too, but too many of these marketing messages are not being tagged.
>
> [SNIP]
>
> Here is an example message:
>
> http://pastebin.com/kaD3AQMz
>
> I realize bayes may be a problem on this one, but do you have any suggestions for blocking these more effectively before they're forwarded on to gmail?
>
> Thanks,
> Alex
Re: Classifying mail as unsolicited
not only relayed spam ...gmail is also throttling legit forwarded email. It is a per IP quota, and all traffic seen from a single IP beyond their thresholds is delayed (spam or not)

2015-07-07 10:50 GMT-03:00 Dave Funk dbf...@engineering.uiowa.edu:
> On Mon, 6 Jul 2015, Alex wrote:
> > Hi,
> >
> > We have a system with a few hundred users, many of which forward their mail off the server to their gmail or yahoo account. Lately I've started to notice quite a few messages are being tagged by gmail and delayed being received as unsolicited. I know the KAM rules contain a marketing rule, and razor helps too, but too many of these marketing messages are not being tagged.
> >
> > I'm referring to warnings such as this:
> >
> > Jul 6 22:54:20 bwipropemail postfix/smtp[25057]: C09F4885EA2BC: to=44...@gmail.com, orig_to=44...@example.com, relay=alt1.gmail-smtp-in.l.google.com[173.194.208.26]:25, delay=38223, delays=38220/1.3/1/0.22, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[173.194.208.26] said: 421-4.7.0 [66.XXX.XXX.100 15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 https://support.google.com/mail/answer/81126 to review our Bulk Email 421 4.7.0 Senders Guidelines. 5si23309629qks.82 - gsmtp (in reply to end of DATA command))
>
> Yes, gmail does that to almost anything they decide is relayed spam.
>
> > Here is an example message:
> >
> > http://pastebin.com/kaD3AQMz
>
> It came from ymlpsv.net, black list them (and their other names such as ymlpsv.com, ymlpsrv.net, ymlpserver.net, ymlpsrv.com) unless one of your clients -really- wants crap from them, then selective whitelist. They are a spammy MSP. I regularly find garbage from them in my spamtraps.
>
> > I realize bayes may be a problem on this one, but do you have any suggestions for blocking these more effectively before they're forwarded on to gmail?
>
> As others have alluded to, forwarding opens up a whole can-of-worms but forwarding to gmail is the most problematic.
>
> --
> Dave Funk                                  University of Iowa
> dbfunk (at) engineering.uiowa.edu          College of Engineering
> 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
> Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
> #include std_disclaimer.h
> Better is not better, 'standard' is better. B{
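To see how much of the forwarded traffic is hitting the per-IP throttle described above, and which local forwarding addresses feed it, the Postfix deferrals can be tallied from the mail log. This is an added example, not code from the thread; the log lines are constructed on the model of the one quoted here, with documentation-range IPs and made-up addresses.

```python
import re
from collections import Counter

# key=value fields of a postfix/smtp delivery line; angle brackets are optional
FIELD = re.compile(r"\b(to|orig_to|relay|delay|dsn|status)=<?([^\s,>(]+)")
# Gmail's rate-limit reply as quoted in the thread
THROTTLE = re.compile(r"4\.7\.0 .*unsolicited mail", re.I)

_RELAY = "alt1.gmail-smtp-in.l.google.com[192.0.2.26]:25"
_421 = ("421-4.7.0 [192.0.2.100 15] Our system has detected an unusual rate of "
        "421-4.7.0 unsolicited mail originating from your IP address.")
_PFX = "Jul  6 22:54:20 mx postfix/smtp[25057]: "
SAMPLE_LOG = "\n".join([  # constructed sample input
    f"{_PFX}Q1: to=<u1@gmail.com>, orig_to=<sales@example.com>, relay={_RELAY}, "
    f"delay=38223, dsn=4.7.0, status=deferred (host said: {_421})",
    f"{_PFX}Q2: to=<u1@gmail.com>, orig_to=<sales@example.com>, relay={_RELAY}, "
    f"delay=120, dsn=4.7.0, status=deferred (host said: {_421})",
    f"{_PFX}Q3: to=<u2@gmail.com>, orig_to=<info@example.com>, relay={_RELAY}, "
    f"delay=900, dsn=4.7.0, status=deferred (host said: {_421})",
    f"{_PFX}Q4: to=<u2@gmail.com>, orig_to=<info@example.com>, relay=none, "
    "delay=300, dsn=4.4.1, status=deferred (connect to host: Connection timed out)",
    f"{_PFX}Q5: to=<u2@gmail.com>, orig_to=<info@example.com>, relay={_RELAY}, "
    "delay=2, dsn=2.0.0, status=sent (250 2.0.0 OK)",
])


def parse(line):
    """Extract delivery fields and flag Gmail rate-limit deferrals."""
    rec = dict(FIELD.findall(line))
    rec["throttled"] = (rec.get("status") == "deferred"
                        and "google.com" in rec.get("relay", "")
                        and bool(THROTTLE.search(line)))
    return rec


def throttle_report(log_text):
    """Throttled deferrals per forwarding address, plus the worst queue delay (s)."""
    hits, worst = Counter(), 0.0
    for line in log_text.splitlines():
        if "postfix/smtp[" not in line:
            continue
        rec = parse(line)
        if rec["throttled"]:
            hits[rec.get("orig_to", rec.get("to"))] += 1
            worst = max(worst, float(rec.get("delay", 0)))
    return hits, worst
```

Addresses with the highest counts are the first candidates for stricter filtering before forwarding, or for disabling the forward.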
Re: Spam way above SA threshold getting delivered
On Mon, 6 Jul 2015 15:37:43 -0500 ch...@antennex.com wrote:
> As I state in the subject, for some unknown reason spam is getting through in excess of the required threshold, in some cases WAY above like this:
>
> spam=YES score=103.60 required=6.00
>
> I've been using spamassassin on freebsd ever since it first came out and quite familiar with how to set it up.
>
> My OS platform and SA version:
> freebsd-9.3px and spamassassin-3.4 with sendmail-8.15

So presumably it did previously work. Perhaps you broke your procmail script when you added recipes for .in.net.
Re: Classifying mail as unsolicited
On Mon, 6 Jul 2015, Alex wrote:
> Hi,
>
> We have a system with a few hundred users, many of which forward their mail off the server to their gmail or yahoo account. Lately I've started to notice quite a few messages are being tagged by gmail and delayed being received as unsolicited. I know the KAM rules contain a marketing rule, and razor helps too, but too many of these marketing messages are not being tagged.
>
> I'm referring to warnings such as this:
>
> Jul 6 22:54:20 bwipropemail postfix/smtp[25057]: C09F4885EA2BC: to=44...@gmail.com, orig_to=44...@example.com, relay=alt1.gmail-smtp-in.l.google.com[173.194.208.26]:25, delay=38223, delays=38220/1.3/1/0.22, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[173.194.208.26] said: 421-4.7.0 [66.XXX.XXX.100 15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 https://support.google.com/mail/answer/81126 to review our Bulk Email 421 4.7.0 Senders Guidelines. 5si23309629qks.82 - gsmtp (in reply to end of DATA command))

Yes, gmail does that to almost anything they decide is relayed spam.

> Here is an example message:
>
> http://pastebin.com/kaD3AQMz

It came from ymlpsv.net, black list them (and their other names such as ymlpsv.com, ymlpsrv.net, ymlpserver.net, ymlpsrv.com) unless one of your clients -really- wants crap from them, then selective whitelist. They are a spammy MSP. I regularly find garbage from them in my spamtraps.

> I realize bayes may be a problem on this one, but do you have any suggestions for blocking these more effectively before they're forwarded on to gmail?

As others have alluded to, forwarding opens up a whole can-of-worms but forwarding to gmail is the most problematic.

--
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{