Re: Penalty for no/bad SPF
I've noticed anecdotally that many times when a legitimate source has no PTR on the mail host, or has a PTR with no matching A record, the domain does have an SPF record authorizing the host. This carelessness is probably born from ignorance or overwork. The PTR pass could be used to balance out the PTR fail. I have not had a chance yet to test this out in real mail flow to see how close it comes to being something good enough to reject mail.

Joseph Brennan
Re: New idea for stopping spam
Ted Mittelstaedt wrote:
> I have noticed that spam tracks current events.

We've had a run of spam recently with a teaser subject that Megyn Kelly might quit Fox News. That's a little less than current!

Joseph Brennan
Re: Scoring Issues
Daniele Duca wrote on 2018-01-27 11:35:
> You are spot on, spammers are much more competent in setting up spf/dkim than most of legit mail administrators.

sadly true

> I personally score spf/dkim that passes at 0 and only penalize the fails

score 0 is disable tag if it literally 0 i just whitelist spammers that does not spam
Re: Scoring Issues
On 27.01.18 16:32, Daniele Duca wrote:
> > score SPF_PASS -0.001
> > score SPF_HELO_PASS -0.001
>
> I know, I meant to write that I score them at 0.001 (no minus sign in
> my case) but I'm lazy :)

I trust you are aware that you actually penalise senders which pass the SPF check if you use a greater-than-zero score? Minus signs matter. ;-)

-Ralph
Re: Scoring Issues
On 27/01/2018 14:01, David Jones wrote:
> If you set those to 0, then you could be disabling many other helpful meta rules that use them. It is recommended to set them to a very small non-zero number as others have said:
>
> score SPF_PASS -0.001
> score SPF_HELO_PASS -0.001

I know, I meant to write that I score them at 0.001 (no minus sign in my case) but I'm lazy :)
Re: New idea for stopping spam
Where I sit this is done by feeding spamtraps to Bayes. No need to name it something fancy. It's been working for over a decade and will keep on feeding my 30GB Bayes/Redis DB.

On 01/26/2018 08:49 PM, Ted Mittelstaedt wrote:
> Hi All,
>
> OK I've been doing some sociological analysis of the spam I've been getting on my honeypot, Bayes feeder email boxes (dangerous, I know) and I've come up with what I think MIGHT be a way to fight spam that I wanted to run up the flagpole.
>
> We all know ONE basic thing about spam: Spammers send it BECAUSE IT WORKS. That is, it gets OPENED and read. Now obviously anyone reading this list probably has the smarts to not be reading spam. But we all know that SOMEONE must be reading it, otherwise the spammers would give up and find some other criminal activity to engage in because it wouldn't work.
>
> So, my idea on killing spam is this:
>
> 1) Build a "spam victim archetype" filter.
> 2) Feed titles of current news articles into it
> 3) Modify the output of high scoring current news articles into common spam titles.
> 4) Feed that into Bayes as spam.
>
> I think that when spammers create titles for spam, they MUST be already using a "spam victim archetype" program. For example, have you EVER gotten a piece of spam that said something like:
>
> "Doctors find that eating lots of green vegetables is healthy" or "Trump says if you work hard and save money you can be financially secure"
>
> By contrast how many times have we all gotten spam that says stuff like
>
> "Doctors find a food you can eat that makes you a stud in the bedroom" or "Learn Trumps secrets of making lots of money"
>
> Clearly, the spam victim archetype must LIKE titles that imply they can eat 200 pounds of sugar a day, have enormous junk that makes women jump all over them, and get a fat bank account by lying around and being a lazy-ass. They must DISLIKE titles that imply they can be thin and healthy with a moderate diet, and have to work hard to be financially secure.
>
> There's a PATTERN in there folks!
>
> There is definitely a pattern in spam titles. I think we can all see it and it must work because it's snaring people.
>
> I have noticed that spam tracks current events. When there are elections we get a ton of spam about elections. When Megyn Kelly leaves a job we get a ton of spams about that. Clearly the spammers must have realized they need to keep generating new grist for the mill; they cannot re-use old spam titles and get a response.
>
> So, I think they are feeding titles of current events news stories into an AI program that has a victim archetype in it and what gets scored highly, is fed into a title bank then sent out the door.
>
> All we have to do is get there first - that is, develop the same victim archetype, feed it the same input from current events, and feed the output into the Bayes learner in an effort to guess the titles the spammers are going to use BEFORE THEY USE THEM.
>
> We don't have to wait any longer to get the spams, we can stop them before the first one is received.
>
> Do you think this approach might work?
>
> Ted
Re: Scoring Issues
On 01/27/2018 04:35 AM, Daniele Duca wrote:
> On 26/01/2018 23:54, David B Funk wrote:
> > Regardless, giving -1 score for SPF_PASS and another -1 for SPF_HELO_PASS is nontrivial DainBRamage. It's trivial for a spammer to set up SPF on a throw-away domain and thus waltz thru that kind of filtering.
>
> You are spot on, spammers are much more competent in setting up spf/dkim than most of legit mail administrators.
> I personally score spf/dkim that passes at 0 and only penalize the fails
>
> Daniele

If you set those to 0, then you could be disabling many other helpful meta rules that use them. It is recommended to set them to a very small non-zero number as others have said:

score SPF_PASS -0.001
score SPF_HELO_PASS -0.001

-- 
David Jones
Re: Scoring Issues
On 26/01/2018 23:54, David B Funk wrote:
> > Regardless, giving -1 score for SPF_PASS and another -1 for SPF_HELO_PASS is nontrivial DainBRamage. It's trivial for a spammer to set up SPF on a throw-away domain and thus waltz thru that kind of filtering.

On 27.01.18 11:35, Daniele Duca wrote:
> You are spot on, spammers are much more competent in setting up spf/dkim than most of legit mail administrators.
> I personally score spf/dkim that passes at 0 and only penalize the fails

note that score of "0" disables a rule, so this disables rules that depend on SPF_PASS or SPF_HELO_PASS.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.
Re: Scoring Issues
On 26/01/2018 23:54, David B Funk wrote:
> Regardless, giving -1 score for SPF_PASS and another -1 for SPF_HELO_PASS is nontrivial DainBRamage. It's trivial for a spammer to set up SPF on a throw-away domain and thus waltz thru that kind of filtering.

You are spot on, spammers are much more competent in setting up spf/dkim than most of legit mail administrators.
I personally score spf/dkim that passes at 0 and only penalize the fails

Daniele
Re: Scoring Issues
On 26.01.18 14:39, b...@inter-control.com wrote:
> I have an issue with my setup somehow and it may be in amavis-new, most spam gets detected and dealt with, some gets through and the scoring seems odd.
> The headers that get through are usually along the lines of:
>
> X-Spam-Flag: NO
> X-Spam-Score: -1.999
> X-Spam-Level:
> X-Spam-Status: No, score=-1.999 tagged_above=- required=5 tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,

score SPF_PASS -0.001
score SPF_HELO_PASS -0.001

...who the hell configured SPF_PASS and SPF_HELO_PASS to score -1? Neither of them is a sign of non-spam. In fact, spammers exploit this. SPF only talks about FORGERY (often spam sign), not about spamminess.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.
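
Added example, not part of any post in this thread and not SpamAssassin's own code: a Python check for the three scoring mistakes discussed in the Scoring Issues replies (a large negative score, a literal 0, and a positive score on SPF_PASS / SPF_HELO_PASS), plus a parser that shows how much of a message's score came from SPF passes alone. The function names, the 0.01 threshold, and the sample header and config fragment are assumptions constructed for illustration.

```python
import re

# Rules that only show the sending host was authorised for the domain.
AUTH_PASS_RULES = {"SPF_PASS", "SPF_HELO_PASS"}

def parse_tests(status):
    """Return {rule: score} from the tests=[...] list of an X-Spam-Status value."""
    m = re.search(r"tests=\[(.*?)\]", status, re.S)
    tests = {}
    for item in (m.group(1).split(",") if m else []):
        name, _, value = item.strip().partition("=")
        if name and value:
            tests[name] = float(value)
    return tests

def auth_credit(tests):
    """Total negative score a message earned from SPF pass rules alone."""
    return sum(s for r, s in tests.items() if r in AUTH_PASS_RULES and s < 0)

def lint_scores(config, max_credit=0.01):
    """Classify each 'score' line for an SPF pass rule (first score value only)."""
    findings = []
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "score" or parts[1] not in AUTH_PASS_RULES:
            continue
        value = float(parts[2])
        if value == 0:
            verdict = "disabled"   # rule is switched off; meta rules using it are affected
        elif value > 0:
            verdict = "penalises"  # passing SPF now adds to the spam score
        elif value < -max_credit:  # max_credit is an assumed threshold
            verdict = "credit"     # any sender with a valid SPF record earns this
        else:
            verdict = "ok"         # tiny negative: rule still fires, score is neutral
        findings.append((parts[1], value, verdict))
    return findings

# Constructed sample, modelled on the header quoted in the thread.
SAMPLE_STATUS = ("No, score=-1.999 required=5 tests=[HTML_MESSAGE=0.001,\n"
                 "\tSPF_HELO_PASS=-1, SPF_PASS=-1] autolearn=no")
# Constructed config fragment covering the four cases discussed.
SAMPLE_CONFIG = """\
score SPF_PASS -1
score SPF_HELO_PASS 0
score SPF_PASS 0.001
score SPF_HELO_PASS -0.001
"""

if __name__ == "__main__":
    print("SPF-only credit:", auth_credit(parse_tests(SAMPLE_STATUS)))
    for finding in lint_scores(SAMPLE_CONFIG):
        print(finding)
```

In the constructed header, the two SPF pass rules contribute -2.0 of the -1.999 total, so the message's only other hit (HTML_MESSAGE) is what remains once that credit is removed.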