Re: Spam by IP-address? Spamassassin with geoiplookup?
On Thu, 22 Sep 2016, Thomas Barth wrote:

> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>> URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
>>
>> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>
> I found an instruction here for a debian system
> https://manageacloud.com/configuration/local_dns_caching
>
> Seems to work local dns caching but I don't understand why I shouldn't use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001

Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces. Focus on the "recursion" and "no forwarding" parts of that recommendation.

If you're configuring a non-local DNS server's IP address anywhere in the mix (ignoring for the moment the root zones), you're doing it wrong.

As far as I understand it, dnsmasq cannot be used for local recursion; it's purely a lightweight local DNS cache layer. That's why Lists said don't use it for inbound mail. You may have to install the full BIND package and tell it to not forward.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
A government is a lot like a gun: It's always loaded, and it's stupid and dangerous to point it at anything you don't intend to hurt. -- GOF at TSM
---
275 days since the first successful real return to launch site (SpaceX)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 21:40, Thomas Barth wrote:

>> URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
>> http://uribl.com/refused.shtml
>>
>> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>
> I found an instruction here for a debian system
> https://manageacloud.com/configuration/local_dns_caching
>
> /etc/resolv.conf
> nameserver 127.0.0.1
>
> /etc/resolv.dnsmasq
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> nameserver 208.67.222.220
> nameserver 208.67.220.222
>
> /etc/default/dnsmasq
> DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
>
> But it is using dnsmasq for local dns caching. I've configured it, but I still see URIBL_BLOCKED=0.001 in a mail header

because it is nonsense

the point is not that you use 127.0.0.1 as dns server - the point is that *nobody else* is using that dns server - i doubt that you are the only person on this planet using the 208.67.xx.xx opendns servers

frankly - get the basics!
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 9/22/2016 3:40 PM, Thomas Barth wrote:

> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>> On 21.09.2016 at 15:48, Thomas Barth wrote:
>>> X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
>>
>> URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
>> http://uribl.com/refused.shtml
>>
>> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>
> I found an instruction here for a debian system
> https://manageacloud.com/configuration/local_dns_caching
>
> /etc/resolv.conf
> nameserver 127.0.0.1
>
> /etc/resolv.dnsmasq
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> nameserver 208.67.222.220
> nameserver 208.67.220.222
>
> /etc/default/dnsmasq
> DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
>
> But it is using dnsmasq for local dns caching. I've configured it, but I still see URIBL_BLOCKED=0.001 in a mail header.
>
> with local caching it's a bit faster
>
> # for i in {1..100}; do time dig slashdot.org @localhost; done 2>&1 | grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
> 0.0076
>
> # for i in {1..100}; do time dig slashdot.org; done 2>&1 | grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
> 0.00962
>
> Seems to work local dns caching but I don't understand why I shouldn't use it for inbound mailserver and why I still see URIBL_BLOCKED=0.00

Because you are forwarding your DNS to OpenDNS (208.67.222.222, etc). You need to set up a DNS that does not do forwarding. I'm not sure dnsmasq can be configured this way. If you remove dnsmasq and install bind, it will probably do what you want without any further configuration. To make sure, you can take a look at the main bind config file (/etc/named.conf on CentOS -- I don't know if it is different with Debian) and make sure there are no "forwarders" statements.

--
Bowie
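An added example, not code from the thread or from any project mentioned in it: a Python check for the condition the replies describe, a resolver chain that ends at a shared forwarder. It goes slightly beyond the dnsmasq case by also looking for `forwarders` statements in a BIND config; the function names and the two `named.conf` fragments are constructed for illustration, while the other sample inputs are the settings and header quoted above.

```python
import ipaddress
import re

# Sample inputs taken from the configuration and header quoted in the thread.
RESOLV_CONF = "nameserver 127.0.0.1\n"
RESOLV_DNSMASQ = """nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 208.67.222.220
nameserver 208.67.220.222
"""
SPAM_STATUS = ("No, score=3.004 tagged_above=2 required=6.31 "
               "tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, "
               "SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no")
# Constructed named.conf fragments (192.0.2.53 is a documentation address).
NAMED_FORWARDING = "options {\n  recursion yes;\n  forwarders { 192.0.2.53; };  // upstream\n};\n"
NAMED_RECURSIVE = "options {\n  recursion yes;\n  // forwarders { 192.0.2.53; };\n};\n"


def nameservers(resolv_text):
    """Return the addresses on `nameserver` lines of resolv.conf-style text."""
    found = []
    for line in resolv_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def bind_forwarders(named_conf_text):
    """Return the entries of every `forwarders { ... };` block, ignoring comments."""
    text = re.sub(r"/\*.*?\*/", "", named_conf_text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    entries = []
    for block in re.findall(r"\bforwarders\s*\{([^}]*)\}", text):
        entries += [e.strip() for e in block.split(";") if e.strip()]
    return entries


def spam_status_tests(header_value):
    """Parse the tests=[NAME=score, ...] list of an X-Spam-Status value."""
    match = re.search(r"tests=\[([^\]]*)\]", header_value)
    tests = {}
    if match:
        for item in match.group(1).split(","):
            name, _, score = item.strip().partition("=")
            if name:
                tests[name] = float(score) if score else 0.0
    return tests


def audit(resolv_conf, upstream_resolv="", named_conf="", spam_status=""):
    """List every place where DNS queries leave the host via someone else's resolver."""
    findings = []
    for ns in nameservers(resolv_conf):
        if not is_loopback(ns):
            findings.append(f"resolv.conf points at non-local resolver {ns}")
    for ns in nameservers(upstream_resolv):
        findings.append(f"local cache forwards to upstream {ns}")
    for fw in bind_forwarders(named_conf):
        findings.append(f"named.conf forwards to {fw}")
    if "URIBL_BLOCKED" in spam_status_tests(spam_status):
        findings.append("URIBL_BLOCKED hit: URIBL refused the query")
    return findings


if __name__ == "__main__":
    for finding in audit(RESOLV_CONF, RESOLV_DNSMASQ, NAMED_FORWARDING, SPAM_STATUS):
        print(finding)
```
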
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 16:13, li...@rhsoft.net wrote:

> On 21.09.2016 at 15:48, Thomas Barth wrote:
>> X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
>
> URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
> http://uribl.com/refused.shtml
>
> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver

I found an instruction here for a debian system
https://manageacloud.com/configuration/local_dns_caching

/etc/resolv.conf
nameserver 127.0.0.1

/etc/resolv.dnsmasq
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 208.67.222.220
nameserver 208.67.220.222

/etc/default/dnsmasq
DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"

But it is using dnsmasq for local dns caching. I've configured it, but I still see URIBL_BLOCKED=0.001 in a mail header.

with local caching it's a bit faster

# for i in {1..100}; do time dig slashdot.org @localhost; done 2>&1 | grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
0.0076

# for i in {1..100}; do time dig slashdot.org; done 2>&1 | grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
0.00962

Seems to work local dns caching but I don't understand why I shouldn't use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Thu, 22 Sep 2016, Thomas Barth wrote:

> And what about filter poisoning? In the last 10 hours my company address got 43 mails classified as spam (even a virus mail detected today). And there was one mail classified as spam due to my rule (bad country, message-id).
>
> X-Spam-Status: Yes, score=7.474 tag=2 tag2=6.31 kill=6.31 tests=[MESSAGEID_LOCAL=3, RDNS_NONE=1.274, RELAYCOUNTRY_BAD=3.2] autolearn=no autolearn_force=no
>
> The content of the mail is:
>
> From: "Lupe Monroe"
> To: "my boss address"
> Subject: Payment approved
> MIME-Version: 1.0
> Content-Type: multipart/related; boundary="boundary_af9c8db46eb73fca8b315aafef01"
> Message-Id: <20160922063255.e11d3e5...@static.vnpt.vn.local>
> Date: Thu, 22 Sep 2016 06:32:55 +0700
>
> --boundary_af9c8db46eb73fca8b315aafef01
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: 8bit
>
> Dear so,
> Your payment has been approved. Your account will be debited within two days. You can email us for any query regarding your account.
> Thank you.
> Lupe Monroe
> Support
>
> --boundary_af9c8db46eb73fca8b315aafef01
> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip.virus-scan-me.virus-scan-me"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="e6dfa16bdb.zip.virus-scan-me.virus-scan-me"
>
> There is no spam content, am I right? Normal words and content that a normal person can use. I don't need spam learning for all the mails already classified as spam with high score. Spam with low score are interesting for spam learning like this one. But when I use these mails for spam learning there is a risk of false positive some day, because it has learned that normal mails are also spam?

You are missing the point that Bayes uses more than just body words from a message. It also looks at headers and meta-data. So those particular body words could become "neutral" (neither spam nor ham indicators) but the other components of that message (such as that '.vn.local' message ID) would be learned as spam signs.

This is why you MUST also train your Bayes with HAM messages (and train them with the --ham flag) so Bayes knows how to recognise 'hammy' or 'neutral' tokens to prevent false-positives.

--
Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549
1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Thu, 22 Sep 2016, Thomas Barth wrote:

> Hi ho, a virus was found: Sanesecurity.Malware.26327.JsHeur.UNOFFICIAL
>
> Scanner detecting a virus: ClamAV-clamd
>
> Content type: Virus
> Internal reference code for the message is 35123-18/WRf_y9XIIOFq
>
> First upstream SMTP client IP address: [103.230.105.6]
>
> According to a 'Received:' trace, the message apparently originated at: [103.230.105.6], [103.230.107.6] unknown [103.230.105.6]

You REALLY should get your DNSBL problem fixed. Once you get DNSBLs working it will help a lot. That particular IP address hit almost a dozen different RBLs here, including some that I use at the SMTP level to out-right block incoming traffic (such as cbl.abuseat.org, Spamhaus PBL, SBL).

--
Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549
1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
AW: AW: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...
Thank you very much. That works.

From: Matus UHLAR - fantomas [uh...@fantomas.sk]
Sent: Monday, 19 September 2016 12:26
To: users@spamassassin.apache.org
Subject: Re: AW: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...

>On Fri, 16 Sep 2016, Maik Linnemann wrote:
>> SA is integrated into postfix via master.cf like:
>> spamassassin unix - n n - - pipe
>> user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f
>> ${sender} ${recipient}

>Please note the 'max-size' parameter for spamc:
>
> -s max_size, --max-size=max_size

On 17.09.16 10:34, Maik Linnemann wrote:
>Thanks! I checked that and it gave me a direction. Log says that messages
> skipped because of size limit which i haven't set and is still default
> (512000 bytes). On the other site I checked the messages that are not
> tagged and not all of them are bigger than 512kb. Anyway most of them
> are!
>
>I tried to set the -s option in /etc/default/spamassassin on debian to 1024000
>for a test, with no effect.
>
>Log still says it's skipping due to the limit of 512000.
>
>Does anyone have a clue what needs to be done in debian?!

/etc/default/spamassassin contains options for spamassassin DAEMON, not for its clients.

you must set the option for spamc in master.cf if you want it to apply.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
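An added example, not code from the thread: a Python helper that reads the effective spamc size limit from the master.cf entry quoted above and rewrites it with `-s`. spamc treats everything after `-e` as the command to pipe the message to, so the size option has to be placed before `-e`; the function names are hypothetical and the default of 512000 bytes is the figure given in the thread.

```python
DEFAULT_MAX_SIZE = 512000  # spamc default as reported in the thread

# The master.cf entry quoted in the thread.
MASTER_CF = (
    "spamassassin unix - n n - - pipe\n"
    "  user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}\n"
)


def _is_spamc_line(line):
    """True for an uncommented line whose argv= command is spamc."""
    stripped = line.strip()
    if stripped.startswith("#") or "argv=" not in stripped:
        return False
    tokens = stripped.split("argv=", 1)[1].split()
    return bool(tokens) and tokens[0].endswith("spamc")


def _split_spamc(line):
    """Split into (text up to the spamc path, spamc options, tokens from -e on)."""
    head, argv = line.split("argv=", 1)
    tokens = argv.split()
    cut = tokens.index("-e") if "-e" in tokens else len(tokens)
    return head + "argv=" + tokens[0], tokens[1:cut], tokens[cut:]


def _strip_size(opts):
    """Remove -s N / --max-size=N from opts; return (remaining opts, N or None)."""
    kept, value, i = [], None, 0
    while i < len(opts):
        if opts[i] == "-s" and i + 1 < len(opts):
            value = int(opts[i + 1])
            i += 2
        elif opts[i].startswith("--max-size="):
            value = int(opts[i].split("=", 1)[1])
            i += 1
        else:
            kept.append(opts[i])
            i += 1
    return kept, value


def spamc_max_size(master_cf_text):
    """Effective spamc size limit in bytes, or None if no spamc entry exists."""
    for line in master_cf_text.splitlines():
        if _is_spamc_line(line):
            _, opts, _ = _split_spamc(line)
            value = _strip_size(opts)[1]
            return DEFAULT_MAX_SIZE if value is None else value
    return None


def set_spamc_max_size(master_cf_text, max_size):
    """Return master.cf text with exactly one `-s max_size`, placed before -e."""
    out = []
    for line in master_cf_text.splitlines():
        if _is_spamc_line(line):
            prefix, opts, rest = _split_spamc(line)
            opts, _ = _strip_size(opts)
            line = " ".join([prefix, "-s", str(max_size)] + opts + rest)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(set_spamc_max_size(MASTER_CF, 1024000), end="")
```
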
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 2016-09-22 12:32, Thomas Barth wrote:

> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here:
> https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL

you have to configure it as well

here i have 2 clamd, one with official signatures, and another with 3rd party signatures, so both clamd have different database dir

configure the script to only update the unofficial clamd database dir

when this is in place one can use clamav milter to reject from clamd with official sigs, and another clamav milter to just add virus header to mail, next with that is to make a header test in spamassassin with a spam score for 3rd party sigs in clamav

> I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get an loading error when opening the zip file. I suppose it contains a javascript file (name.pdf.js)

just make sure the clamav detect its malware, and you are done, but keep in mind not reject 3rd party virus :=)

note as well foxhole is good candidate to be reject based on, you can make that happen if using pr sigs scanning in spamassassin header testing, so spamass-milter will reject it, do not use one clamd and one clamav-milter for all this
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:41, li...@rhsoft.net wrote:

>> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here:
>> https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL
>
> dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/

Hi ho, a virus was found: Sanesecurity.Malware.26327.JsHeur.UNOFFICIAL

Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 35123-18/WRf_y9XIIOFq

First upstream SMTP client IP address: [103.230.105.6]

According to a 'Received:' trace, the message apparently originated at: [103.230.105.6], [103.230.107.6] unknown [103.230.105.6]

I added this to my mailserver documentation to install clamav-unofficial-sigs package during next mailserver installation :)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:59, Thomas Barth wrote:

> On 22.09.2016 at 12:41, li...@rhsoft.net wrote:
>>> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here:
>>> https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL
>>
>> dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/
>>
>> may i ask why you put such a unfinished and untested in many ways setup in production?
>
> The mailservers are ready and work very good but can be improved. And I only improve them when there is a need to do it. If there is a spam mail going through again, I'm going the next step ;-)

i see - that's good that you add poison pill rules for message-id and similar because the other parts, even very basic ones, are not working and scores are not adjusted while the SA header tells you exactly your problems to catch things :-)

but do what you want

>>> I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get an loading error when opening the zip file.
>>
>> what are you doing?
>
> When you ever have parsed emails for content then you would know that you can extracts parts of raw mails to specific file types and opened it. I don't know why I get an error this time, but don't have time to find an answer now.

i know more about email than you think but that's no reason for wasting time when you can just drag a message to a mail client as you are saying by yourself "dont have time"
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:41, li...@rhsoft.net wrote:

>> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here:
>> https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL
>
> dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/
>
> may i ask why you put such a unfinished and untested in many ways setup in production?

The mailservers are ready and work very good but can be improved. And I only improve them when there is a need to do it. If there is a spam mail going through again, I'm going the next step ;-)

>> I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get an loading error when opening the zip file.
>
> what are you doing?

When you ever have parsed emails for content then you would know that you can extracts parts of raw mails to specific file types and opened it. I don't know why I get an error this time, but don't have time to find an answer now.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:32, Thomas Barth wrote:

> On 22.09.2016 at 11:50, li...@rhsoft.net wrote:
>> On 22.09.2016 at 11:36, Benny Pedersen wrote:
>>> On 2016-09-22 10:16, Thomas Barth wrote:
>>>> The content of the mail is:
>>>>
>>>> --boundary_af9c8db46eb73fca8b315aafef01
>>>> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
>>>> Content-Transfer-Encoding: base64
>>>> Content-Disposition: attachment; filename="e6dfa16bdb.zip"
>>>
>>> whats in this zip file?
>>
>> malware as in all attachments from this type of spam, easily to detect by clamd with sanesecurity signatures
>
> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here:
> https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL

dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/

may i ask why you put such a unfinished and untested in many ways setup in production?

> I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get an loading error when opening the zip file.

what are you doing?

uncompress the mail and drag&drop the raw-mail with .eml extension in Thunderbird from where you can simply save the attachment instead grab manually around in multipart-mails

> I suppose it contains a javascript file (name.pdf.js)

or .wsf/.exe/.jar and so on - they are changing all the time
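An added example, not part of the thread: instead of cutting the base64 part out of the raw message by hand, Python's standard `email` and `zipfile` modules can decode the attachment and list the archive members without extracting or running anything, and a damaged archive is reported rather than raising. The sample message is constructed here with harmless placeholder content; `list_zip_attachments`, `build_sample` and the addresses are assumptions of this example, and the flagged extensions are the ones named in the thread.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = (".js", ".wsf", ".exe", ".jar")  # file types named in the thread
ZIP_MAGIC = b"PK\x03\x04"                      # local file header signature


def list_zip_attachments(raw_message):
    """Return [(attachment name, [(member name, flagged)] or None if unreadable)].

    Parts are recognised by their decoded content, not by filename or
    Content-Type, since scanners may rename attachments in quarantine copies.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if not data.startswith(ZIP_MAGIC):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [(name, name.lower().endswith(SCRIPT_EXTS))
                           for name in zf.namelist()]
        except zipfile.BadZipFile:
            members = None  # truncated or corrupted archive
        results.append((part.get_filename() or "(unnamed)", members))
    return results


def build_sample(damage=False):
    """Constructed sample message carrying a zip with one placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// placeholder content, not real malware\n")
    zip_bytes = buf.getvalue()
    if damage:
        zip_bytes = zip_bytes[:-8]  # cut into the end-of-archive record
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Payment approved"
    msg.set_content("Your payment has been approved.")
    msg.add_attachment(zip_bytes, maintype="application",
                       subtype="x-zip-compressed", filename="sample.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, members in list_zip_attachments(build_sample()):
        print(name, members)
```
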
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 11:50, li...@rhsoft.net wrote:

> On 22.09.2016 at 11:36, Benny Pedersen wrote:
>> On 2016-09-22 10:16, Thomas Barth wrote:
>>> The content of the mail is:
>>>
>>> --boundary_af9c8db46eb73fca8b315aafef01
>>> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
>>> Content-Transfer-Encoding: base64
>>> Content-Disposition: attachment; filename="e6dfa16bdb.zip"
>>
>> whats in this zip file?
>
> malware as in all attachments from this type of spam, easily to detect by clamd with sanesecurity signatures

I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here:
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL

I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get an loading error when opening the zip file. I suppose it contains a javascript file (name.pdf.js)
Re: Spam by IP-address? Spamassassin with geoiplookup?
>> On 21.09.2016 at 18:47, Bowie Bailey wrote:
>> That is ridiculous. The more training bayes gets the better it works. And manual training is better than autolearning because autolearning can automatically learn false positives and false negatives and cause problems for the database.

correct according to my experience.

On 22.09.16 10:16, Thomas Barth wrote:
> And what about filter poisoning? In the last 10 hours my company address got 43 mails classified as spam (even a virus mail detected today). And there was one mail classified as spam due to my rule (bad country, message-id).
>
> X-Spam-Status: Yes, score=7.474 tag=2 tag2=6.31 kill=6.31 tests=[MESSAGEID_LOCAL=3, RDNS_NONE=1.274, RELAYCOUNTRY_BAD=3.2] autolearn=no autolearn_force=no

there's no poisoning, unless you count two of your rules with incredibly high score (which is why rules should not have too big scores). Lower scores of those two...

according to your previous mail you have:

- rule RP_MATCHES_RCVD scoring -3.096 that should be increased to -0.001 (already recommended by li...@rhsoft.net) or killed/zeroed (recommended by me)
- rule URIBL_BLOCKED indicating you use DNS server used by too many clients. Set up your own recursing nameserver, BIND or unbound and don't configure it to forward queries to upstream.

> There is no spam content, am I right? Normal words and content that a normal person can use.

spammers typically use "normal words and content that a normal person can use", that's why it's so hard to catch spam. BAYES helps you find the differences between spam and ham and you can trust us it works great.

> I don't need spam learning for all the mails already classified as spam with high score. Spam with low score are interesting for spam learning like this one. But when I use these mails for spam learning there is a risk of false positive some day, because it has learned that normal mails are also spam?

you must of course train ham mail, especially false positives, bayes needs to be trained with ham too, because it needs to see the differences. if you train ham with big bayes score, it will help you much.

since you already got false positive without using BAYES, I think it's useless to be reluctant about it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 11:36, Benny Pedersen wrote:

> On 2016-09-22 10:16, Thomas Barth wrote:
>> The content of the mail is:
>>
>> --boundary_af9c8db46eb73fca8b315aafef01
>> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment; filename="e6dfa16bdb.zip"
>
> whats in this zip file?

malware as in all attachments from this type of spam, easily to detect by clamd with sanesecurity signatures
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 2016-09-22 10:16, Thomas Barth wrote:

> The content of the mail is:
>
> --boundary_af9c8db46eb73fca8b315aafef01
> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="e6dfa16bdb.zip"

whats in this zip file ?
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22/09/16 09:16, Thomas Barth wrote:

> --boundary_af9c8db46eb73fca8b315aafef01
> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="e6dfa16bdb.zip"

This run of emails can be blocked using the Sanesecurity ClamAV ruleset for Foxhole - http://sanesecurity.org/

Paul

--
Paul Stead
Systems Engineer
Zen Internet
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 10:16, Thomas Barth wrote:

> On 21.09.2016 at 18:47, Bowie Bailey wrote:
>> That is ridiculous. The more training bayes gets the better it works. And manual training is better than autolearning because autolearning can automatically learn false positives and false negatives and cause problems for the database.
>
> And what about filter poisoning? In the last 10 hours my company address got 43 mails classified as spam (even a virus mail detected today). And there was one mail classified as spam due to my rule (bad country, message-id).
>
> Dear so,
> Your payment has been approved. Your account will be debited within two days. You can email us for any query regarding your account.
> Thank you.
> Lupe Monroe
> Support
>
> There is no spam content, am I right? Normal words and content that a normal person can use. I don't need spam learning for all the mails already classified as spam with high score. Spam with low score are interesting for spam learning like this one. But when I use these mails for spam learning there is a risk of false positive some day, because it has learned that normal mails are also spam?

no you are not right - that *is spam content* and has nothing to do with bayes poisoning - in fact that are malware messages - known by our bayes for at least 12 months and already BAYES_99 stuff will not be trained

it's the job of the bayes filter to find the minimal but existing differences and mistakes between that and similar ham and *hence* autolearning won't work in general because you need still to decide and classify the border cases

bayes poisoning can become a problem and is *another* reason why you train your filter manually instead let him decide itself and if it once decided wrong learn more and more in the wrong direction

but that above is NOT bayes poisoning
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 18:47, Bowie Bailey wrote:

> That is ridiculous. The more training bayes gets the better it works. And manual training is better than autolearning because autolearning can automatically learn false positives and false negatives and cause problems for the database.

And what about filter poisoning? In the last 10 hours my company address got 43 mails classified as spam (even a virus mail detected today). And there was one mail classified as spam due to my rule (bad country, message-id).

X-Spam-Status: Yes, score=7.474 tag=2 tag2=6.31 kill=6.31 tests=[MESSAGEID_LOCAL=3, RDNS_NONE=1.274, RELAYCOUNTRY_BAD=3.2] autolearn=no autolearn_force=no

The content of the mail is:

From: "Lupe Monroe"
To: "my boss address"
Subject: Payment approved
MIME-Version: 1.0
Content-Type: multipart/related; boundary="boundary_af9c8db46eb73fca8b315aafef01"
Message-Id: <20160922063255.e11d3e5...@static.vnpt.vn.local>
Date: Thu, 22 Sep 2016 06:32:55 +0700

--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Dear so,
Your payment has been approved. Your account will be debited within two days. You can email us for any query regarding your account.
Thank you.
Lupe Monroe
Support

--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"

There is no spam content, am I right? Normal words and content that a normal person can use. I don't need spam learning for all the mails already classified as spam with high score. Spam with low score are interesting for spam learning like this one. But when I use these mails for spam learning there is a risk of false positive some day, because it has learned that normal mails are also spam?