Re: SpamAssassin does not scan consistently

[Matus UHLAR - fantomas]

On 09.02.17 09:34, Motty Cruz wrote:

Although both of this emails were blocked, both emails were really spammy;
one received high score while the other was percentage point away from
passing through. My question pertains to spamassassin not consistently given
"razor score, URIBL, T_REMOTE_IMAGE" to all emails. It is not being more
aggressive?


network tests and BAYES change over time. early recipients don't get hits
when mail is received, but they often do later.

other rules change, when SA is updated with new rules...


## Optional Score Increases

score DCC_CHECK 4.000

score RAZOR2_CHECK 2.500


DCC indicates bulkiness, while RAZOR indicated spamminess.
I really wonder why you put DCC higher score than RAZOR...


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.

SpamAssassin does not scan consistently

[Motty Cruz]

Although both of this emails were blocked, both emails were really spammy;
one received high score while the other was percentage point away from
passing through. My question pertains to spamassassin not consistently given
"razor score, URIBL, T_REMOTE_IMAGE" to all emails. It is not being more
aggressive? 

 

X-Quarantine-ID: 

X-Spam-Flag: YES

X-Spam-Score: 5.502

X-Spam-Level: *

X-Spam-Status: Yes, score=5.502 tag=-999.9 tag2=5.4 kill=5.5

tests=[BAYES_999=0.2, BAYES_99=5.3, HTML_FONT_LOW_CONTRAST=0.001,

HTML_MESSAGE=0.001] autolearn=no autolearn_force=no

Received: from m1.fqdn.com ([127.0.0.1])

 

X-Quarantine-ID: 

X-Spam-Flag: YES

X-Spam-Score: 16.578

X-Spam-Level: 

X-Spam-Status: Yes, score=16.578 tag=-999.9 tag2=5.4 kill=5.5

tests=[BAYES_999=0.2, BAYES_99=5.3, HTML_MESSAGE=0.001,

RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,

RAZOR2_CHECK=2.5, T_REMOTE_IMAGE=1.99, URIBL_BLACK=1.7,

URIBL_DBL_SPAM=2.5, URI_TRY_USME=0.001]

autolearn=no autolearn_force=no

 

local.cf

## Optional Score Increases

score DCC_CHECK 4.000

score RAZOR2_CHECK 2.500

score BAYES_99 5.300

score BAYES_90 4.500

score BAYES_80 4.000

# For scores have a look at /usr/local/share/spamassassin/50_scores.cf

# file.

score HTML_FONT_INVISIBLE 3

score HTML_FONTCOLOR_UNKNOWN 2

score ORDER_NOW 1.5

score CLICK_BELOW 1

score LIMITED_TIME_ONLY 1

# This rule might be extreme but html only spams get through too easy.

# In other words, if you can't take the time to write something and are

# posting an image only, then you're 86'd!

score HTML_IMAGE_ONLY_02 2

score HTML_IMAGE_ONLY_04 2

score OFFERS_ETC 2

score HTML_LINK_CLICK_HERE 1

score LINES_OF_YELLING 1

score RP_MATCHES_RCVD 0

# adding more feb 8 2017

score BODY_ENHANCEMENT 5.213

 

Thanks, 
Motty

Re: New type of monstrosity / RFC Pedantry

[John Hardin]

On Thu, 9 Feb 2017, Groach wrote:


https://imgs.xkcd.com/comics/duty_calls.png

Come on chaps and chapesses.  Nothing is going to be concluded between you 
too.  And having the last word doesnt make one better than the others (and it 
still doesnt make you right).


Just agree that neither of you is going to convince the other or leave them 
happy.


Life is shortand this is silly.


Agreed.

RFC compliance is relevant to this list only insofar as it is a useful 
spam sign. SA is *not* an RFC-compliance-verification tool.


Whether or not "undisclosed recipients:" is valid per RFCs is off topic 
for this list, and is engendering a lot of ill will and increasingly 
personal attacks.


Ruga: if you can show that "undisclosed recipients:" occurs *significantly 
more often* in spam than in ham, the topic is germane to this list.


Warning to all: the banhammer is being warmed up. Please, everyone, just 
stop now, before it's too late.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Usually Microsoft doesn't develop products, we buy products.
  -- Arno Edelmann, Microsoft product manager
---
 3 days until Abraham Lincoln's and Charles Darwin's 208th Birthdays

Re: New type of monstrosity

[Groach]

https://imgs.xkcd.com/comics/duty_calls.png

Come on chaps and chapesses.  Nothing is going to be concluded between 
you too.  And having the last word doesnt make one better than the 
others (and it still doesnt make you right).


Just agree that neither of you is going to convince the other or leave 
them happy.


Life is shortand this is silly.


On 09/02/2017 15:26, Dianne Skoll wrote:

Ruga  wrote:


RFC-822 is the e-mail standard, without "group addresses". What we do
complies with the standard.

You are wrong.  Wrong, wrong, wrong, wrong.

Take a look at RFC-822: https://www.ietf.org/rfc/rfc0822.txt

Go to Section 6. ADDRESS SPECIFICATION.  Look at Section 6.1.

Here's a copy/paste:

  address =  mailbox  ; one addressee
  /  group; named list

  group   =  phrase ":" [#mailbox] ";"


Oh look!  The group address specification!  In RFC 822!  Amazing!

Ruga, my dear fellow, (or lady... I can't tell), stop digging yourself
in deeper.

Regards,

Dianne.

Re: New type of monstrosity

[Dianne Skoll]

Ruga  wrote:

> RFC-822 is the e-mail standard, without "group addresses". What we do
> complies with the standard.

You are wrong.  Wrong, wrong, wrong, wrong.

Take a look at RFC-822: https://www.ietf.org/rfc/rfc0822.txt

Go to Section 6. ADDRESS SPECIFICATION.  Look at Section 6.1.

Here's a copy/paste:

 address =  mailbox  ; one addressee
 /  group; named list

 group   =  phrase ":" [#mailbox] ";"


Oh look!  The group address specification!  In RFC 822!  Amazing!

Ruga, my dear fellow, (or lady... I can't tell), stop digging yourself
in deeper.

Regards,

Dianne.

Re: RFC compliance pedantry (was Re: New type of monstrosity)

[Ruga]

RFC-822 is the e-mail standard, without "group addresses". What we do complies 
with the standard.

Sent from ProtonMail Mobile


On Thu, Feb 9, 2017 at 2:19 PM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On Thu, 09 Feb 2017 03:44:24 -0500
Ruga  wrote:

> Proper snail mail and e-mail have addresses. Those who do not, are
> quickly archived in the trashcan. This is what we do, and it works.

We get it.

I'm overcome with delight that you are implementing the mail policy
that you like. It warms my heart... you have no idea.

But please don't claim you're doing it in the name of RFC compliance.

Regards,

Dianne.

Aiieee, stop it! (was Re: RFC compliance pedantry (was Re: New type of monstrosity))

[Dianne Skoll]

On Thu, 09 Feb 2017 08:21:28 -0500
Ruga  wrote:

[nonsense]

I thought I'd take this opportunity to remind everyone of my Perl package
http://search.cpan.org/~dskoll/Mail-ThreadKiller-1.0.1/lib/Mail/ThreadKiller.pm

Regards,

Dianne.

Re: RFC compliance pedantry (was Re: New type of monstrosity)

[Ruga]

Remind me to tell you when I use the iPhone.



On Thu, Feb 9, 2017 at 1:13 PM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On February 9, 2017 3:41:32 AM EST, Ruga  wrote:

>Let see who can read amon us.

You spelled "among" incorrectly.

>What is your highest level of formal education?

Um? None of your business?

Master's degree, if you must know.

-- Dianne

Re: RFC compliance pedantry (was Re: New type of monstrosity)

[Ruga]

Speaking of personal attacks against me, how old are you?


On Thu, Feb 9, 2017 at 10:13 AM, Reindl Harald <'h.rei...@thelounge.net'> wrote:


Am 09.02.2017 um 09:28 schrieb Ruga:
>> A large class of wanted email comes with the "undisclosed recipients" 
>> header. A large class of wanted email comes from domains that lack SPF.
>
> Our security policy demands rejection of both types. They do not hit SA.
> They are denied as soon as their strings are received. The IP of
> repeated offenders is then dropped by firewall.


your childish posts are funny but slowly becoming annoying

you live in your own small world where you can do what you want if the
people which are owning the mailbox suck it - but don't pretend that
this works in the real world out there if you want to be taken serious

> On Thu, Feb 9, 2017 at 12:55 AM, Joe Quinn
> <'headprogrammingc...@gmail.com'> wrote:
>> On 2/8/2017 1:36 PM, Philip Prindeville wrote:
>>> Having been through the process of authoring 2 RFC’s, perhaps I can shed 
>>> some light on the process for you.
>>>
>>> All proposed standards started life as draft RFC’s (this was before the 
>>> days of IDEA’s but after the days of IEN’s).
>>>
>>> If it were validated by the working group and passed up to the IAB and they 
>>> concurred (they usually deferred to the WG except on editorial matters), 
>>> then the proposed draft was issued officially as an RFC and given a number.
>>>
>>> Later, after it accepted wide enough adoption in the Internet community, an 
>>> existing RFC might be promoted to "standard" from "experimental", etc.
>>>
>>> Occasionally, if a WG (working group) did enough reference implementations 
>>> and proved them at one or more interoperability meetings (the so-called 
>>> "bake-offs"), then the WG could petition for immediate labeling as a 
>>> "standard" when the RFC was approved by the IAB.
>>>
>>> It’s even possible for a standard (like RFC-1035) to have both "standard" 
>>> parts (like A RR’s) and "experimental" parts (like MB RR’s).
>>>
>>>
 On Feb 8, 2017, at 7:04 AM, Ruga  wrote:

 Read the headers of RFCs; some o them are explicitly labeled as standard. 
 Most of them are request for comments.


 On Wed, Feb 8, 2017 at 2:58 PM, Kevin A. McGrail <'kmcgr...@pccc.com'> 
 wrote:
> On 2/8/2017 8:52 AM, Ruga wrote:
>> Not all RFCs are standards.
>> Educate yourself.
> The personal attacks aren't necessary. These RFCs are the basis for
> effectively 100% of the email on the planet for decades. If that's not
> a standard, what is?
>>
>> This bears some emphasis, actually. Going from experimental to
>> standard comes /after/ the implementations are used in practice and
>> proven to be useful. Beyond that, SA is not a standards checker or an
>> RFC checker or an IEEE checker. All it does is classify email as
>> wanted or not wanted. A large class of wanted email comes with the
>> "undisclosed recipients" header. A large class of wanted email comes
>> from domains that lack SPF. A smaller class of wanted email comes from
>> the actual manufacturer of Viagra. Some mail servers disregard some
>> standards entirely. You just have to deal with it.
>>
>> As Dianne points out, the "undisclosed recipients" to header is valid
>> under RFC822, which has been itself expanded on in multiple subsequent
>> RFCs. As multiple other people here have mentioned, the "undisclosed
>> recipients" to header is used in wanted email. I am right now two
>> clicks away from adding it to this email with my mail client. It is an
>> implementation detail of BCC, and unambiguously is not spam indicator
>> on its own.

Re: RFC compliance pedantry (was Re: New type of monstrosity)

[Dianne Skoll]

On Thu, 09 Feb 2017 03:44:24 -0500
Ruga  wrote:

> Proper snail mail and e-mail have addresses. Those who do not, are
> quickly archived in the trashcan. This is what we do, and it works.

We get it.

I'm overcome with delight that you are implementing the mail policy
that you like.  It warms my heart... you have no idea.

But please don't claim you're doing it in the name of RFC compliance.

Regards,

Dianne.

Re: RFC compliance pedantry (was Re: New type of monstrosity)

[Dianne Skoll]

On February 9, 2017 3:41:32 AM EST, Ruga  wrote:

>Let see who can read amon us.

You spelled "among" incorrectly.

>What is your highest level of formal education?

Um?  None of your business?

Master's degree, if you must know.

-- Dianne 

Re: RFC compliance pedantry (was Re: New type of monstrosity)

[Ruga]

Proper snail mail and e-mail have addresses. Those who do not, are quickly 
archived in the trashcan. This is what we do, and it works.


On Wed, Feb 8, 2017 at 3:13 PM, David Jones <'djo...@ena.com'> wrote:

>From: Ruga 
>Sent: Wednesday, February 8, 2017 8:01 AM

>How odd, in a mailing list of spam fighters someone really
>wants me to accept junk mail.

>In the snail mail box, we put in the trashcan everything that
>does not carry a recipient address. Guess what? We do the
>same with e-mail. And we are happy about it.

Snail mail doesn't support the concept of BCC and email
does. BCC'ing is legit and it's tough to block spam that is
sent this way but it's doable, just not based on the To:
header.

Re: RFC compliance pedantry (was Re: New type of monstrosity)

[Ruga]

> You really don't know how to read, do you?

Now this is a personal attack from you.

Let see who can read amon us.
What is your highest level of formal education?



On Wed, Feb 8, 2017 at 3:24 PM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On Wed, 08 Feb 2017 09:01:35 -0500
Ruga  wrote:

> How odd, in a mailing list of spam fighters someone really wants me
> to accept junk mail.

Wow. You really don't know how to read, do you? What was unclear
about my statement:

Hey, you do you. You can do whatever you want with your mail, but
claiming it's in the name of RFC compliance is alternatively factual.

> In the snail mail box, we put in the trashcan everything that does
> not carry a recipient address. Guess what? We do the same with
> e-mail. And we are happy about it.

You can do whatever you want. But don't spread misinformation about
standards. We have to deal with enough crappy noncompliant software.
We don't need Internet vigilantes on a witch-hunt against software
that actually *does* comply with standards.

Regards,

Dianne.

Re: RFC compliance pedantry (was Re: New type of monstrosity)

[Ruga]

Stop that. I did not attack anyone.


On Wed, Feb 8, 2017 at 4:30 PM, Kevin A. McGrail <'kmcgr...@pccc.com'> wrote:
On 2/8/2017 9:04 AM, Ruga wrote:
> Read the headers of RFCs; some o them are explicitly labeled as
> standard. Most of them are request for comments.
I'm well aware of the standards and don't appreciate being told to read
them. That's a personal attack and you are also attacking others who
are some of the best email people I've ever met.

Standards evolve organically and there is just "how it's done" as well
as the RFCs.

If these people are telling you it's "standard", don't start arguing the
definition of "standard". Take it on face value that you should do it
or risk losing important email.

To attack them and say they are forcing you to accept spam is nothing
but an argument fallacy because everyone is here to stop bastard spammers.

Regards,
KAM

Re: RFC compliance pedantry (was Re: New type of monstrosity)

[Ruga]

> A large class of wanted email comes with the "undisclosed recipients" header. 
> A large class of wanted email comes from domains that lack SPF.

Our security policy demands rejection of both types. They do not hit SA. They 
are denied as soon as their strings are received. The IP of repeated offenders 
is then dropped by firewall.


On Thu, Feb 9, 2017 at 12:55 AM, Joe Quinn <'headprogrammingc...@gmail.com'> 
wrote:

On 2/8/2017 1:36 PM, Philip Prindeville wrote:
Having been through the process of authoring 2 RFC’s, perhaps I can shed some 
light on the process for you. All proposed standards started life as draft 
RFC’s (this was before the days of IDEA’s but after the days of IEN’s). If it 
were validated by the working group and passed up to the IAB and they concurred 
(they usually deferred to the WG except on editorial matters), then the 
proposed draft was issued officially as an RFC and given a number. Later, after 
it accepted wide enough adoption in the Internet community, an existing RFC 
might be promoted to "standard" from "experimental", etc. Occasionally, if a WG 
(working group) did enough reference implementations and proved them at one or 
more interoperability meetings (the so-called "bake-offs"), then the WG could 
petition for immediate labeling as a "standard" when the RFC was approved by 
the IAB. It’s even possible for a standard (like RFC-1035) to have both 
"standard" parts (like A RR’s) and "experimental" parts (like MB RR’s).   On 
Feb 8, 2017, at 7:04 AM, Ruga 
[](mailto:r...@protonmail.com) wrote: Read the headers of 
RFCs; some o them are explicitly labeled as standard. Most of them are request 
for comments. On Wed, Feb 8, 2017 at 2:58 PM, Kevin A. McGrail 
[<'kmcgr...@pccc.com'>](mailto:'kmcgr...@pccc.com') wrote:   On 2/8/2017 8:52 
AM, Ruga wrote:   Not all RFCs are standards. Educate yourself.   The personal 
attacks aren't necessary. These RFCs are the basis for effectively 100% of the 
email on the planet for decades. If that's not a standard, what is?
This bears some emphasis, actually. Going from experimental to standard comes 
after the implementations are used in practice and proven to be useful. Beyond 
that, SA is not a standards checker or an RFC checker or an IEEE checker. All 
it does is classify email as wanted or not wanted. A large class of wanted 
email comes with the "undisclosed recipients" header. A large class of wanted 
email comes from domains that lack SPF. A smaller class of wanted email comes 
from the actual manufacturer of Viagra. Some mail servers disregard some 
standards entirely. You just have to deal with it.

As Dianne points out, the "undisclosed recipients" to header is valid under 
RFC822, which has been itself expanded on in multiple subsequent RFCs. As 
multiple other people here have mentioned, the "undisclosed recipients" to 
header is used in wanted email. I am right now two clicks away from adding it 
to this email with my mail client. It is an implementation detail of BCC, and 
unambiguously is not spam indicator on its own.