Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread Kevin A. McGrail
It's pedantic but I am 99.9% sure that a Test Rule (prefix T_) is scored at
0.001 but scores in the report are rounded to a ceiling so it displays as
.01.

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Thu, Apr 5, 2018 at 7:50 PM, RW wrote:

> On Thu, 5 Apr 2018 10:23:50 -0700 (PDT)
> John Hardin wrote:
>
>
> > Actually, I retract that suggestion, I wasn't aware of the special
> > automatic scoring for T_ rules. Leave it alone.
>
> There's little point in this case, but I don't think there's any harm in
> changing such scores locally.  IIRC the "T_" prefix just makes the
> default score 0.01 instead of 1.0 (or -0.01 with the 'nice' flag set).
>


Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread RW
On Thu, 5 Apr 2018 10:23:50 -0700 (PDT)
John Hardin wrote:


> Actually, I retract that suggestion, I wasn't aware of the special 
> automatic scoring for T_ rules. Leave it alone.

There's little point in this case, but I don't think there's any harm in
changing such scores locally.  IIRC the "T_" prefix just makes the
default score 0.01 instead of 1.0 (or -0.01 with the 'nice' flag set).


Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread John Hardin

On Thu, 5 Apr 2018, Motty Cruz wrote:


Thanks for your prompt reply John,

X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
    tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
    T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no

always the score is -0.01 regardless; I will take your suggestion and set it 
to 0.01, will report back shortly.


Actually, I retract that suggestion, I wasn't aware of the special 
automatic scoring for T_ rules. Leave it alone.


Why do you think that a rule scoring -0.01 is responsible for FN scores?

It may be due to its use as a suppressor in some metas, but absent the 
full spam we can't check for that.



Thanks,


On 04/05/2018 09:32 AM, John Hardin wrote:

On Thu, 5 Apr 2018, Motty Cruz wrote:

Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass 
through. Is there a way to disable it in local.cf?


The best way to disable it without breaking any meta-rules that may be 
using it is to set its score to 0.001 in your local config file.


I don't see a score for it in the latest rules update, so it should by 
default be *adding* one point to scores, which won't contribute to FNs.


What is it currently scored in your environment?

It is, however, used as a suppressor subrule in some spam meta-rules. Is 
that why it's causing FNs for you?






--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
 -- Dan Birchall in a.s.r
---
 8 days until Thomas Jefferson's 275th Birthday

Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread Motty Cruz

Thanks Tom,

my scores were definitely a problem.

Thanks again,
Motty

On 04/05/2018 09:48 AM, Tom Hendrikx wrote:

On 05-04-18 18:40, Motty Cruz wrote:

Thanks for your prompt reply John,

X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
     tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
     T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no


BAYES_00 means 'pretty sure it's ham'.
BAYES_99 means 'pretty sure it's spam'.
BAYES_50 means 'no idea'.

Scoring BAYES_50 at 4.3 is your scoring issue, nothing's wrong with
T_RP_MATCHES_RCVD.

Kind regards,
Tom



always the score is -0.01 regardless; I will take your suggestion and
set it to 0.01, will report back shortly.

Thanks,


On 04/05/2018 09:32 AM, John Hardin wrote:

On Thu, 5 Apr 2018, Motty Cruz wrote:


Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass
through. Is there a way to disable it in local.cf?

The best way to disable it without breaking any meta-rules that may be
using it is to set its score to 0.001 in your local config file.

I don't see a score for it in the latest rules update, so it should by
default be *adding* one point to scores, which won't contribute to FNs.

What is it currently scored in your environment?

It is, however, used as a suppressor subrule in some spam meta-rules.
Is that why it's causing FNs for you?







Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread Tom Hendrikx
On 05-04-18 18:40, Motty Cruz wrote:
> Thanks for your prompt reply John,
> 
> X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
>     tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
>     T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
> 

BAYES_00 means 'pretty sure it's ham'.
BAYES_99 means 'pretty sure it's spam'.
BAYES_50 means 'no idea'.

Scoring BAYES_50 at 4.3 is your scoring issue, nothing's wrong with
T_RP_MATCHES_RCVD.

Kind regards,
Tom


> always the score is -0.01 regardless; I will take your suggestion and
> set it to 0.01, will report back shortly.
> 
> Thanks,
> 
> 
> On 04/05/2018 09:32 AM, John Hardin wrote:
>> On Thu, 5 Apr 2018, Motty Cruz wrote:
>>
>>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass
>>> through. Is there a way to disable it in local.cf?
>>
>> The best way to disable it without breaking any meta-rules that may be
>> using it is to set its score to 0.001 in your local config file.
>>
>> I don't see a score for it in the latest rules update, so it should by
>> default be *adding* one point to scores, which won't contribute to FNs.
>>
>> What is it currently scored in your environment?
>>
>> It is, however, used as a suppressor subrule in some spam meta-rules.
>> Is that why it's causing FNs for you?
>>
> 




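An added example, written for this page and not code from the thread or from the SpamAssassin project: the header triage Tom and John are doing by eye, done as a script. It parses the bracketed tests=[RULE=score, ...] form of X-Spam-Status shown above (the amavisd-new layout), ranks the contributions, checks whether a given rule could even account for the gap to the threshold, and models two local.cf changes: John Hardin's "score T_RP_MATCHES_RCVD 0.001" and restoring BAYES_50 to 0.8 (assumed here to be the stock score; check 50_scores.cf on your install). The unfolded header is the one Motty posted, copied as constructed sample input; the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the X-Spam-Status header quoted in this thread,
# unfolded onto one line (amavisd-style "tests=[RULE=score, ...]" form).
SAMPLE_STATUS = (
    "No, score=5.27 tagged_above=-999.9 required=5.7 "
    "tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, "
    "T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no"
)

_KV_RE = re.compile(r"\b(score|required)=(-?[0-9.]+)")
_TESTS_RE = re.compile(r"tests=\[(?P<tests>[^\]]*)\]")


def parse_spam_status(header: str) -> Tuple[float, float, Dict[str, float]]:
    """Return (score, required, {rule: contribution}) from an X-Spam-Status
    value. Raises ValueError if the header is not in the bracketed form."""
    kv = dict(_KV_RE.findall(header))
    m = _TESTS_RE.search(header)
    if m is None or "score" not in kv or "required" not in kv:
        raise ValueError("unrecognised X-Spam-Status header")
    tests: Dict[str, float] = {}
    for item in m.group("tests").split(","):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        # A rule listed without "=score" is recorded as contributing nothing.
        tests[name] = float(value) if value else 0.0
    return float(kv["score"]), float(kv["required"]), tests


def ranked(tests: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rules ordered by absolute contribution, largest first."""
    return sorted(tests.items(), key=lambda kv: abs(kv[1]), reverse=True)


def rescore(tests: Dict[str, float], overrides: Dict[str, float]) -> float:
    """Total after local 'score RULE value' overrides. The rule still fires,
    so any meta rule that references it keeps working; only its own
    contribution changes."""
    return round(sum(overrides.get(rule, s) for rule, s in tests.items()), 3)


def is_plausible_cause(tests: Dict[str, float], required: float, rule: str) -> bool:
    """Could neutralising `rule` alone push this message over `required`?
    Only if the rule is negative and at least as large as the gap."""
    gap = required - sum(tests.values())
    return tests.get(rule, 0.0) < 0 and -tests[rule] >= gap


def diagnose(header: str) -> Dict[str, object]:
    score, required, tests = parse_spam_status(header)
    top_rule, top_value = ranked(tests)[0]
    return {
        "score": score,
        "required": required,
        "gap": round(required - score, 3),
        "top_rule": top_rule,
        "top_value": top_value,
        "t_rule_can_explain_fn": is_plausible_cause(tests, required, "T_RP_MATCHES_RCVD"),
        # Effect of John's suggestion: 'score T_RP_MATCHES_RCVD 0.001' in local.cf.
        "score_with_t_rule_at_0.001": rescore(tests, {"T_RP_MATCHES_RCVD": 0.001}),
        # Effect of restoring BAYES_50 to 0.8 (assumed stock score; verify locally).
        "score_with_stock_bayes_50": rescore(tests, {"BAYES_50": 0.8}),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_STATUS).items():
        print(f"{key}: {value}")
```

On the sample, the gap to the threshold is 0.43 and T_RP_MATCHES_RCVD contributes -0.01, so it cannot explain the false negative; the 4.3 on BAYES_50 is the outlier, and putting it back to 0.8 drops the total to 1.77 while the 0.001 override moves it by a hundredth of a point.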


Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread Motty Cruz

Thanks for your prompt reply John,

X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
    tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
    T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no

always the score is -0.01 regardless; I will take your suggestion and 
set it to 0.01, will report back shortly.


Thanks,


On 04/05/2018 09:32 AM, John Hardin wrote:

On Thu, 5 Apr 2018, Motty Cruz wrote:

Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass 
through. Is there a way to disable it in local.cf?


The best way to disable it without breaking any meta-rules that may be 
using it is to set its score to 0.001 in your local config file.


I don't see a score for it in the latest rules update, so it should by 
default be *adding* one point to scores, which won't contribute to FNs.


What is it currently scored in your environment?

It is, however, used as a suppressor subrule in some spam meta-rules. 
Is that why it's causing FNs for you?






Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread RW
On Thu, 5 Apr 2018 09:12:45 -0700
Motty Cruz wrote:

> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass 
> through. Is there a way to disable it in local.cf?

How's that happening? A T_* rule only scores +/- 0.01. 



Re: how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread John Hardin

On Thu, 5 Apr 2018, Motty Cruz wrote:

Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass through. 
Is there a way to disable it in local.cf?


The best way to disable it without breaking any meta-rules that may be 
using it is to set its score to 0.001 in your local config file.


I don't see a score for it in the latest rules update, so it should by 
default be *adding* one point to scores, which won't contribute to FNs.


What is it currently scored in your environment?

It is, however, used as a suppressor subrule in some spam meta-rules. Is 
that why it's causing FNs for you?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The first time I saw a bagpipe, I thought the player was
  torturing an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
---
 8 days until Thomas Jefferson's 275th Birthday

how to remove T_RP_MATCHES_RCVD

2018-04-05 Thread Motty Cruz
Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass 
through. Is there a way to disable it in local.cf?


Thanks,
Motty



Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread John Hardin

On Thu, 5 Apr 2018, Kris Deugau wrote:


Alex wrote:


We're also seeing it hit mailer-daemon emails.

https://pastebin.com/raw/UXnzEN8U

This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect)
and when I re-ran it here locally, FUZZY_DR_OZ.

The problem is that it's hitting on the mime attachments which are
apparently treated as body text in mailer-daemon emails.

ran body rule FUZZY_AMBIEN ==> got hit: "GRm8iEn"
ran body rule __FUZZY_DR_OZ ==> got hit: "DGCGS+"
ran body rule FUZZY_XPILL ==> got hit: "xxgnoX"


If you look closely I expect you'll find that those are "poorly formatted" 
postmaster notices;  ie, any content from the original message is NOT 
actually wrapped up in a separate MIME part, it's just another blob of text 
stuffed in beside the actual postmaster notice info.


Even so, I'm surprised the Dr Oz rule hit *that*. I'll review it.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  At $8 billion per year, the TSA is the most expensive
  theatrical production in history.  -- David Burge @iowahawkblog
---
 8 days until Thomas Jefferson's 275th Birthday


Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread Giles Coochey



It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT"

It's an aggressive rule that finds anything that might be an
obfuscated Xanax. It only scores 0.8 points because it can produce FPs
like this.


Actually that is my private, custom score. I think the default is 2.8 
or something like that.


*@travelodge.co.uk emails should be scoring much lower in SA around 
the Internet running sa-update regularly as long as there is an 
SPF_PASS and/or DKIM_VALID_AU hits.


Set up OpenDKIM and DKIM signing on those outbound emails for even 
better delivery results.  This applies to any domain.


I highly recommend setting up DMARC reporting to everyone out there to 
get feedback on your SPF and DKIM results.  It can be very interesting 
to see who is trying to spoof your domain and who is auto-forwarding 
your emails.


I stay at Travelodge regularly, it doesn't hit their marketing emails, 
but Booking Confirmations and Invoices, come out with the following for me:


X-Spam-Status: No, score=1.3 required=5.0 tests=AWL,BAYES_00,FUZZY_XPILL,
HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,T_FILL_THIS_FORM_SHORT,
T_RP_MATCHES_RCVD autolearn=no autolearn_force=no version=3.4.1
X-Spam-Report:
* -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
*  domain
*  2.8 FUZZY_XPILL BODY: Attempt to obfuscate words in spam
*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
*   background
*  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*  [score: 0.]
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal
*  information
* -0.3 AWL AWL: Adjusted score from AWL reputation of From: address

It is still a long way off from being considered SPAM.



Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread Kris Deugau

Alex wrote:


We're also seeing it hit mailer-daemon emails.

https://pastebin.com/raw/UXnzEN8U

This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect)
and when I re-ran it here locally, FUZZY_DR_OZ.

The problem is that it's hitting on the mime attachments which are
apparently treated as body text in mailer-daemon emails.

ran body rule FUZZY_AMBIEN ==> got hit: "GRm8iEn"
ran body rule __FUZZY_DR_OZ ==> got hit: "DGCGS+"
ran body rule FUZZY_XPILL ==> got hit: "xxgnoX"


If you look closely I expect you'll find that those are "poorly 
formatted" postmaster notices;  ie, any content from the original 
message is NOT actually wrapped up in a separate MIME part, it's just 
another blob of text stuffed in beside the actual postmaster notice info.


From the pastebin:

> Hi. This is the qmail-send program

... yep.  qmail is one of the MTAs that deliberately breaks MIME 
layering in its notices.


-kgd
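An added example of what Kris and Alex are describing, written for this page and not code from the thread or from SpamAssassin: when an MTA's failure notice pastes the original message into its own text/plain body, any base64 attachment becomes body text, and a pattern hunting for obfuscated drug names will find "words" in it; a multipart/report (RFC 6522) notice that carries the original as a message/rfc822 part keeps the attachment as a non-text part that body rules never see as text. The two bounces, the base64 line and the regex below are all constructed for the example; the regex is a deliberately loose stand-in for an obfuscation rule and is not the pattern FUZZY_XPILL uses.

```python
import email
import re
from email import policy
from typing import List

# Toy stand-in for an obfuscation-hunting body rule: an "x", up to three
# arbitrary characters, an "n", up to three more, then another "x", ignoring
# case. Illustrative only; this is NOT the regex behind FUZZY_XPILL.
OBFUSCATION_RE = re.compile(r"x.{0,3}n.{0,3}x", re.IGNORECASE)

# Constructed base64-looking line standing in for an attached PDF's body.
BASE64_BLOB = "JVBERi0xLjQKMSAwIG9iago8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFI+PgpxxgnoXendstream"

# Constructed qmail-style notice: the original message, attachment base64 and
# all, is pasted into the notice's own text/plain body after a separator.
FLAT_BOUNCE = f"""From: MAILER-DAEMON@mx.example.invalid
To: alice@example.invalid
Subject: failure notice
Content-Type: text/plain; charset=us-ascii

Hi. This is the qmail-send program at mx.example.invalid.
I'm afraid I wasn't able to deliver your message to the following addresses.

<bob@example.invalid>:
Sorry, no mailbox here by that name.

--- Below this line is a copy of the message.

Return-Path: <alice@example.invalid>
From: alice@example.invalid
To: bob@example.invalid
Subject: Invoice
Content-Type: application/pdf; name="invoice.pdf"
Content-Transfer-Encoding: base64

{BASE64_BLOB}
"""

# Constructed multipart/report notice: the original travels as message/rfc822,
# so its attachment is still an application/pdf part, not text.
LAYERED_BOUNCE = f"""From: MAILER-DAEMON@mx.example.invalid
To: alice@example.invalid
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.invalid.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients.

<bob@example.invalid>: user unknown
--B1
Content-Type: message/rfc822

Return-Path: <alice@example.invalid>
From: alice@example.invalid
To: bob@example.invalid
Subject: Invoice
Content-Type: application/pdf; name="invoice.pdf"
Content-Transfer-Encoding: base64

{BASE64_BLOB}
--B1--
"""


def body_text(raw: str) -> str:
    """Approximate what a body rule sees: decoded text/* leaf parts, including
    those nested inside a message/rfc822 part, but never the payload of
    non-text parts such as application/pdf."""
    msg = email.message_from_string(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if not part.is_multipart() and part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def find_hits(text: str) -> List[str]:
    """Every fragment the toy obfuscation pattern would fire on."""
    return [m.group(0) for m in OBFUSCATION_RE.finditer(text)]


def bounce_shape(raw: str) -> str:
    """'layered' if the notice wraps the original as message/rfc822, else 'flat'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if any(p.get_content_type() == "message/rfc822" for p in msg.walk()):
        return "layered"
    return "flat"


if __name__ == "__main__":
    print(find_hits("Aylesbury Road, Thame, Oxon, OX9 3AT"))  # the address from the thread
    for name, raw in (("qmail-style", FLAT_BOUNCE), ("multipart/report", LAYERED_BOUNCE)):
        print(name, bounce_shape(raw), find_hits(body_text(raw)))
```

With the thread's own address string the toy pattern reports the same "xon, OX" fragment RW quoted; on the flat notice it finds an "xxgnoX"-style fragment inside the base64, and on the layered notice nothing, because the PDF is never rendered as text. The practical lesson is the one John gives: when a rule like this misfires on a class of mail, adjust its score locally (or gate it in a local meta that excludes bounces) rather than deleting it, so any meta rules built on it keep working.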


Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread Alex
Hi,

On Mon, Apr 2, 2018 at 8:10 AM, Kevin A. McGrail wrote:
> Pastebin a sample(s).

We're also seeing it hit mailer-daemon emails.

https://pastebin.com/raw/UXnzEN8U

This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect)
and when I re-ran it here locally, FUZZY_DR_OZ.

The problem is that it's hitting on the mime attachments which are
apparently treated as body text in mailer-daemon emails.

ran body rule FUZZY_AMBIEN ==> got hit: "GRm8iEn"
ran body rule __FUZZY_DR_OZ ==> got hit: "DGCGS+"
ran body rule FUZZY_XPILL ==> got hit: "xxgnoX"


Re: This sucks

2018-04-05 Thread RW
On Tue, 3 Apr 2018 14:58:39 +0200
Michael Brunnbauer wrote:

> Hello Giovanni,
> 
> On Tue, Apr 03, 2018 at 11:04:46AM +0200, Giovanni Bechis wrote:
> > if you start spamd from /root and you use a perl module that is
> > using "use lib 'lib';" or similar piece of code the relevant code
> > will not load because the user spamd is running on (spamd or
> > whichever you have configured) will not have access to $PWD.  
> 
> Thank you very much - this makes sense. NetAddr uses such a construct

I'm curious what it's using, "use lib ..." is a way to make perl
look for libraries first in additional non-standard  locations. I
don't see why  NetAddr would have that unless someone had edited it
locally.

Also I don't see what the location of a library has to do with the
spamd user's access to $PWD, unless the library is in $PWD. And you've
already said you have no libraries under /root.  





Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread David Jones

On 04/02/2018 09:50 AM, Sebastian Arcus wrote:


On 02/04/18 14:58, RW wrote:

On Mon, 2 Apr 2018 08:26:27 -0500
David Jones wrote:


On 04/02/2018 07:18 AM, Sebastian Arcus wrote:

Thank you - one example here: https://pastebin.com/UGStfCys


It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT"

It's an aggressive rule that finds anything that might be an
obfuscated Xanax. It only scores 0.8 points because it can produce FPs
like this.


Actually that is my private, custom score. I think the default is 2.8 or 
something like that.


*@travelodge.co.uk emails should be scoring much lower in SA around the 
Internet running sa-update regularly as long as there is an SPF_PASS 
and/or DKIM_VALID_AU hits.


Set up OpenDKIM and DKIM signing on those outbound emails for even better 
delivery results.  This applies to any domain.


I highly recommend setting up DMARC reporting to everyone out there to 
get feedback on your SPF and DKIM results.  It can be very interesting 
to see who is trying to spoof your domain and who is auto-forwarding 
your emails.


--
David Jones
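An added example, written for this page and not code from the thread: the feedback David describes arrives as DMARC aggregate (rua) reports, XML documents listing each sending IP with the DMARC-aligned SPF and DKIM results. The script below reads one such report, here a constructed report for the hypothetical domain example.invalid trimmed to the elements it uses, and sorts sources into authorised, probable forwarder (DKIM aligned but SPF broken by the relaying host) and unauthenticated (neither aligns, for instance a spoofer whose own SPF passes for an unrelated domain). The classification is a heuristic of mine, not part of the DMARC specification.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed DMARC aggregate report for the hypothetical domain
# example.invalid, reduced to the elements this script reads. Not a real report.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.invalid</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.invalid</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.invalid</domain><result>pass</result></dkim>
      <spf><domain>example.invalid</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.invalid</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.invalid</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip>
      <count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.invalid</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(dkim_aligned: str, spf_aligned: str, spf_domain: str, own_domain: str) -> str:
    """Heuristic verdict from the DMARC-aligned results in <policy_evaluated>.
    The aligned result is what counts: a raw SPF pass for some other domain
    does not authenticate mail claiming to be From: own_domain."""
    if dkim_aligned == "pass" and spf_aligned == "pass":
        return "authorised"
    if dkim_aligned == "pass":
        # Your signature survived but the sending IP is not in your SPF record:
        # the usual signature of a mailing list or auto-forwarder relaying your mail.
        return "probable forwarder"
    if spf_aligned == "pass":
        return "authorised but unsigned"
    if spf_domain and spf_domain != own_domain:
        return "unauthenticated (spoof: SPF passes only for %s)" % spf_domain
    return "unauthenticated"


def summarize(report_xml: str) -> List[Dict[str, object]]:
    """One row per <record>: source IP, message count, aligned results, verdict."""
    root = ET.fromstring(report_xml)
    own_domain = root.findtext("policy_published/domain") or ""
    rows: List[Dict[str, object]] = []
    for rec in root.iter("record"):
        dkim = rec.findtext("row/policy_evaluated/dkim") or ""
        spf = rec.findtext("row/policy_evaluated/spf") or ""
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count") or 0),
            "dkim": dkim,
            "spf": spf,
            "verdict": classify(dkim, spf, rec.findtext("auth_results/spf/domain") or "", own_domain),
        })
    return rows


def unauthenticated_volume(rows: List[Dict[str, object]]) -> int:
    """Messages that claimed your domain without any aligned pass."""
    return sum(int(r["count"]) for r in rows if str(r["verdict"]).startswith("unauthenticated"))


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for row in summary:
        print(f'{row["source_ip"]:>15} {row["count"]:>5}  dkim={row["dkim"]:<4} spf={row["spf"]:<4} {row["verdict"]}')
    print("unauthenticated messages:", unauthenticated_volume(summary))
```

The "probable forwarder" bucket is why DKIM matters on top of SPF: a forwarded message keeps its signature but fails SPF at the next hop, so a domain with SPF alone and p=reject would lose that mail, while the "unauthenticated" bucket is the spoofing David mentions, which only a reject policy (and receivers honouring it) will stop.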