Re: "bout u" campaign

2017-07-14 Thread Alex
Hi,

>>> The ENA_BAD_SPAM rule is a combination of 2 different types (reputation
>>> and
>>> content) rules with an AND between them.  For example (this is about
>>> one-third of the rule):
>>
>> Is it usable like this?
>
> Try it out with a score of 0.001 and see what you think.  It should have
> been valid.  Just drop it in and run:
>
> spamassassin -D --lint 2>&1 | /bin/grep -Ei '(failed|undefined dependency|score set for non-existent rule)' | /bin/grep ENA_

By "usable" I meant have you included enough of the rule for it to
really be effective?

I let it run for the day, and it's just not anchored well enough to
provide any meaningful benefit. It's hitting on jcpenny, vresp.com,
constantcontact, sendgrid, facebook, etc.


Re: low scoring spam

2017-07-14 Thread Antony Stone
On Friday 14 July 2017 at 15:29:38, Charles Amstutz wrote:

> Hello,
> 
> I keep having spam come through that hits on almost zero rules (or very
> few).  I get this is definitely possible, but it's annoying as it's
> obviously spam. I guess my question is, if what we have in place isn't
> hitting on much, then aside from learning it to Bayes, what do we do?

I don't think we can really answer that until we know "what you have in 
place".

We either need to see some examples of spam (DON'T paste here - put on 
pastebin or similar and then provide a link) with all the headers so we can 
see what scores you're getting, or we at least need to know what configuration 
you have so we might be able to suggest anything that seems missing.


You help us and we might be able to help you :)

The more information you give us, the better we understand what the question 
is.



Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

   Please reply to the list;
 please *don't* CC me.


low scoring spam

2017-07-14 Thread Charles Amstutz
Hello,

I keep having spam come through that hits on almost zero rules (or very few).
I get this is definitely possible, but it's annoying as it's obviously spam. I
guess my question is, if what we have in place isn't hitting on much, then
aside from learning it to Bayes, what do we do? Even that isn't enough it seems
as it learns it to Bayes_50 and not Bayes_99.  Even Bayes_99 is not enough to
catch it as spam typically if it doesn't trip anything else. (as it's only 3.5
for Bayes_99 and many users are set to default to 4 or 5)


Re: reason why sendmail w/ SA3.4.1 scantime=15.0, delay=00:01:06 w/ SquirrelMail?

2017-07-14 Thread RW
On Fri, 14 Jul 2017 10:00:45 +0200
Matus UHLAR - fantomas wrote:

> >Robert Kudyba  wrote:  


> >> Jul 13 23:04:05 storm spamd[13378]: spamd: processing message
> >> <9ca00a710c6bfad3d60dd424cd79ac19.squirrel@our-domain> for
> >> root:1001 Jul 13 23:04:20 storm spamd[13378]: spamd: clean message
> >> (-101.5/5.0) for root:1001 in 15.0 seconds, 1193 bytes. Jul 13
> >> 23:04:20 storm spamd[13378]: spamd: result: . -101 -
> >> ALL_TRUSTED,BAYES_00,PYZOR_CHECK,USER_IN_WHITELIST scantime=15.0
> >> [...]  
> >
> >Hitting PYZOR_CHECK is scary.  
> 
> not at all. well, it MAY cause some delay but the default pyzor
> timeout is 3.5 seconds

It's hitting ALL_TRUSTED, so I think he probably means that it's scary
that his own mail hit PYZOR_CHECK.

It's probably an empty body or just a standard signature.

If you use pyzor it's a good idea to run, at very least,

echo "" | pyzor local_whitelist

Possibly with --homedir= or --local-whitelist set as appropriate, or
run it as any unix user and copy ~/.pyzor/whitelist to the equivalent
location that's used by SA.


Re: "bout u" campaign

2017-07-14 Thread David Jones

On 07/13/2017 05:26 PM, Alex wrote:

> Hi,
>
>>> Are you paying for DCC? I think we're over their limit and they
>>> blacklisted us long ago, lol.
>>
>> I have my own DCC server joined into the DCC network.
>>
>> https://www.dcc-servers.net/dcc/
>
> So you only provide spam services for your own users? Or do you pay?

Our DCC server was setup 6+ years ago by a previous mail sysadmin before
I started working at my current job.  We don't budget or pay anything
annually for DCC.  We are peered with another DCC server in their
network.  All I know is that we must keep our current IP address the
same to maintain the peering.  I have one DCC server that I point my 8
mail filters to.

>> I am classifying about 10K ham and 8K spam each day which I also use in the
>> masscheck processing (currently on hold).  Since I have started doing this
>
> Through autolearn?
>
> It is otherwise extremely time-intensive.

Actually I have found some rule combinations and score thresholds that
are definitely ham/spam.  I have built an iRedMail VM with no RBLs,
postscreen, or other MTA optimizations and disabled some things in
amavis-new so spam will get to SA.  Ham comes from a subset of my
primary SA filters based on SHORTCIRCUIT rules and very low scoring
messages.

I set up Inbox rules to move certain messages into ham/spam folders.  I
have to log in once a day and spend a few minutes quickly reviewing the
unread messages and marking them as read.  My masscheck and SA learning
uses the read folder (Maildir cur directory).

>> Yep.  Again my block threshold is 6.0 in MailScanner and I have less default
>> trust for FREEMAIL senders.  I also have meta rules based on FREEMAIL and
>> other hits that add to the score based on combinations I have seen over the
>> years.
>
> Adjusting many of the default rules disrupts the score balance created
> by masschecks, no?

Correct.  Before I knew about the masscheck processing and what it does,
I used to adjust the scores on most of the rules which was time
consuming just like reactively creating rules for new spam campaigns.
A few months ago I removed most of my custom scores on default SA rules
and I use meta rules to combine hits on certain rules to add some points.

> I want to avoid having to juggle scores around, in addition to already
> worrying about writing rules that ultimately have the same effect as
> existing metas.
>
>>    2.2 ENA_DIGEST_FREEMAIL  Freemail account hitting message digest spam
>> seen by the Internet (DCC, Pyzor, or Razor).
>
> Are you worried about overlap between the checksum systems?
>
> I've enabled DCC again today, and remembered what I don't like about
> it. Do you have DCC_CHECK at its default 1.1 score? That's quite high
> for something described as "bulk mail" when bulk mail is already
> scored very close to 5.0.

If you follow my logical separation of rules into reputation-based and
content-based then DCC, RAZOR, and PYZOR are going to fall into the
content side.  You still have the reputation rules that will lower the
score and offset these DIGEST rules.  Plus with many SHORTCIRCUIT'd
senders based on whitelist_auth and whitelist_from_rcvd, the
trusted/safe bulk senders with a valid unsubscribe process will pass
through fine.

> How much more effective do you find DCC than PYZOR? That's already
> scored at 1.4.

Haven't really had to worry about this with SHORTCIRCUIT'ing and
whitelist_auth on the envelope-from domain (SPF_PASS + non-human account
domains).

>> I have no idea.  I just analyzed my mail scoring and noticed combinations
>> like DCC and FREEMAIL are common in my spam.
>
> That's a good combination.
>
>> The ENA_BAD_SPAM rule is a combination of 2 different types (reputation and
>> content) rules with an AND between them.  For example (this is about
>> one-third of the rule):
>
> Is it usable like this?

Try it out with a score of 0.001 and see what you think.  It should have
been valid.  Just drop it in and run:

spamassassin -D --lint 2>&1 | /bin/grep -Ei '(failed|undefined dependency|score set for non-existent rule)' | /bin/grep ENA_

You can also run the first section and check for a zero return code.  I
have a config distribution script that runs the first part above and
will not send it out if the return code is not zero.

>> /etc/mail/spamassassin/99_mailspike.cf
>> shortcircuit RCVD_IN_MSPIKE_H5 on
>>
>> score RCVD_IN_MSPIKE_H4 -3.2
>> score RCVD_IN_MSPIKE_H3 -2.2
>> score RCVD_IN_MSPIKE_H2 -1.2
>> score RCVD_IN_MSPIKE_WL -0.82
>> score RCVD_IN_MSPIKE_BL 1.2
>> score RCVD_IN_MSPIKE_L2 0.2
>> score RCVD_IN_MSPIKE_L3 1.2
>> score RCVD_IN_MSPIKE_L4 2.2
>> score RCVD_IN_MSPIKE_L5 3.2
>
> The default scores for these rules are all almost 0 when bayes and
> network tests are enabled. I've adjusted the L[2-5] rules from 0.2 to
> 1.2. Took a quick look at a handful of L5 mail and anything higher
> would be problematic.
>
>> Hope this is helpful.
>
> Thanks, as always.

--
David Jones
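Added example, not David's script or anything from the thread: a lint gate in the spirit of the config distribution check he describes, which ships a SpamAssassin config only when `spamassassin -D --lint` exits zero and its output names no broken rule from the local prefix (ENA_ is used here only because it is the prefix in the thread; gate_config assumes spamassassin is on PATH).

```shell
#!/bin/sh
# Lint gate for SpamAssassin config distribution (added example, not the
# list poster's script).  Two checks, mirroring the thread: the exit code of
# `spamassassin -D --lint`, and a grep of its debug output for problems that
# mention one of our own rules (prefix passed as $1, e.g. ENA_).

# Same patterns as the one-liner in the thread; matched case-insensitively.
LINT_PATTERN='(failed|undefined dependency|score set for non-existent rule)'

# lint_problems PREFIX: read lint output on stdin and print only the lines
# that report a problem AND mention a rule starting with PREFIX.  Always
# exits 0 so it is safe inside $(...) under `set -e`.
lint_problems() {
    grep -Ei "$LINT_PATTERN" | grep -- "$1" || true
}

# count_problems PREFIX: number of offending lines on stdin (0 when clean).
count_problems() {
    lint_problems "$1" | grep -c . || true
}

# gate_config PREFIX: run the real lint (requires spamassassin on PATH).
# Returns 0 only when the exit code is zero and no prefixed problems appear;
# a distribution script would do `gate_config ENA_ && rsync ...`.
gate_config() {
    # capture output and exit code without tripping `set -e`
    out=$(spamassassin -D --lint 2>&1) && rc=0 || rc=$?
    problems=$(printf '%s\n' "$out" | lint_problems "$1")
    if [ "$rc" -ne 0 ] || [ -n "$problems" ]; then
        printf 'lint gate: refusing to distribute (rc=%s)\n%s\n' "$rc" "$problems" >&2
        return 1
    fi
    echo "lint gate: config OK"
}
```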


Re: reason why sendmail w/ SA3.4.1 scantime=15.0, delay=00:01:06 w/ SquirrelMail?

2017-07-14 Thread Matus UHLAR - fantomas

> Robert Kudyba  wrote:
>> Over the past few days sending mail via SquirrelMail has become glacial. The
>> load on the server is under 1. I've restarted the SA, sendmail and dovecot
>> processes several times. Here are
>> some logs I can provide any settings if desired.

tried to run a message through "spamassassin -D" ?
that should give you debug/timing info.

>> Jul 13 23:03:24 storm sendmail[14504]: v6E33EOQ014504: Authentication-Warning:
>> our-domain: apache set sender to me@our-domain using -f
>> Jul 13 23:03:39 storm sendmail[14504]: v6E33EOQ014504:
>>   from=me@our-domain, size=535, class=0, nrcpts=1,
>>   msgid=<9ca00a710c6bfad3d60dd424cd79ac19.squirrel@our-domain>,
>>   relay=apache@localhost

On 14.07.17 06:10, Andrzej A. Filip wrote:
> n*5s delay *may* indicate unresponsive DNS host(s)/resolver(s) in /etc/hosts

you apparently mean in /etc/resolv.conf

> How long does it take to get SMTP greeting message when you start
> "/usr/sbin/sendmail -bs" as a non root user?
> [ Is it sendmail startup or message processing? ]
>
>> [...]
>> Jul 13 23:04:05 storm spamd[13378]: spamd: processing message
>> <9ca00a710c6bfad3d60dd424cd79ac19.squirrel@our-domain> for root:1001
>> Jul 13 23:04:20 storm spamd[13378]: spamd: clean message (-101.5/5.0) for
>> root:1001 in 15.0 seconds, 1193 bytes.
>> Jul 13 23:04:20 storm spamd[13378]: spamd: result: . -101 -
>> ALL_TRUSTED,BAYES_00,PYZOR_CHECK,USER_IN_WHITELIST
>>   scantime=15.0 [...]
>
> Hitting PYZOR_CHECK is scary.

not at all. well, it MAY cause some delay but the default pyzor timeout is
3.5 seconds
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 your friends - let them see what an idiot you are