Re: how to remove T_RP_MATCHES_RCVD
It's pedantic but I am 99.9% sure that a Test Rule (prefix T_) is scored at 0.001 but scores in the report are rounded to a ceiling so it displays as .01.

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Thu, Apr 5, 2018 at 7:50 PM, RW wrote:
> On Thu, 5 Apr 2018 10:23:50 -0700 (PDT)
> John Hardin wrote:
>
> > Actually, I retract that suggestion, I wasn't aware of the special
> > automatic scoring for T_ rules. Leave it alone.
>
> There's little point in this case, but I don't think there's any harm in
> changing such scores locally. IIRC the "T_" prefix just makes the
> default score 0.01 instead of 1.0 (or -0.01 with the 'nice' flag set).
Re: how to remove T_RP_MATCHES_RCVD
On Thu, 5 Apr 2018 10:23:50 -0700 (PDT) John Hardin wrote:

> Actually, I retract that suggestion, I wasn't aware of the special
> automatic scoring for T_ rules. Leave it alone.

There's little point in this case, but I don't think there's any harm in changing such scores locally. IIRC the "T_" prefix just makes the default score 0.01 instead of 1.0 (or -0.01 with the 'nice' flag set).
Re: how to remove T_RP_MATCHES_RCVD
On Thu, 5 Apr 2018, Motty Cruz wrote:

> Thanks for your prompt reply John,
>
> X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
> tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
> T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
>
> always the score is -0.01 regardless; I will take your suggestion and
> set it to 0.01, will report back shortly.

Actually, I retract that suggestion, I wasn't aware of the special automatic scoring for T_ rules. Leave it alone.

Why do you think that a rule scoring -0.01 is responsible for FN scores? It may be due to its use as a suppressor in some metas, but absent the full spam we can't check for that.

> Thanks,
>
> On 04/05/2018 09:32 AM, John Hardin wrote:
>> On Thu, 5 Apr 2018, Motty Cruz wrote:
>>
>>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass
>>> through. Is there a way to disable in local.cf?
>>
>> The best way to disable it without breaking any meta-rules that may be
>> using it is to set its score to 0.001 in your local config file.
>>
>> I don't see a score for it in the latest rules update, so it should by
>> default be *adding* one point to scores, which won't contribute to FNs.
>>
>> What is it currently scored in your environment?
>>
>> It is, however, used as a suppressor subrule in some spam meta-rules.
>> Is that why it's causing FNs for you?

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Windows and its users got mentioned at home today, after my wife the psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
---
8 days until Thomas Jefferson's 275th Birthday
Re: how to remove T_RP_MATCHES_RCVD
Thanks Tom, my scores were definitely a problem.

Thanks again,
Motty

On 04/05/2018 09:48 AM, Tom Hendrikx wrote:
> On 05-04-18 18:40, Motty Cruz wrote:
>> Thanks for your prompt reply John,
>>
>> X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
>> tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
>> T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
>
> BAYES_00 means 'pretty sure it's ham'. BAYES_99 means 'pretty sure it's
> spam'. BAYES_50 means 'no idea'. Scoring BAYES_50 at 4.3 is your scoring
> issue, nothing's wrong with T_RP_MATCHES_RCVD.
>
> Kind regards,
> Tom
>
>> always the score is -0.01 regardless; I will take your suggestion and
>> set it to 0.01, will report back shortly.
>>
>> Thanks,
>>
>> On 04/05/2018 09:32 AM, John Hardin wrote:
>>> On Thu, 5 Apr 2018, Motty Cruz wrote:
>>>
>>>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass
>>>> through. Is there a way to disable in local.cf?
>>>
>>> The best way to disable it without breaking any meta-rules that may be
>>> using it is to set its score to 0.001 in your local config file.
>>>
>>> I don't see a score for it in the latest rules update, so it should by
>>> default be *adding* one point to scores, which won't contribute to FNs.
>>>
>>> What is it currently scored in your environment?
>>>
>>> It is, however, used as a suppressor subrule in some spam meta-rules.
>>> Is that why it's causing FNs for you?
Re: how to remove T_RP_MATCHES_RCVD
On 05-04-18 18:40, Motty Cruz wrote:
> Thanks for your prompt reply John,
>
> X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
> tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
> T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
>

BAYES_00 means 'pretty sure it's ham'. BAYES_99 means 'pretty sure it's spam'. BAYES_50 means 'no idea'. Scoring BAYES_50 at 4.3 is your scoring issue, nothing's wrong with T_RP_MATCHES_RCVD.

Kind regards,
Tom

> always the score is -0.01 regardless; I will take your suggestion and
> set it to 0.01, will report back shortly.
>
> Thanks,
>
>
> On 04/05/2018 09:32 AM, John Hardin wrote:
>> On Thu, 5 Apr 2018, Motty Cruz wrote:
>>
>>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass
>>> through. Is there a way to disable in local.cf?
>>
>> The best way to disable it without breaking any meta-rules that may be
>> using it is to set its score to 0.001 in your local config file.
>>
>> I don't see a score for it in the latest rules update, so it should by
>> default be *adding* one point to scores, which won't contribute to FNs.
>>
>> What is it currently scored in your environment?
>>
>> It is, however, used as a suppressor subrule in some spam meta-rules.
>> Is that why it's causing FNs for you?
>>
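Tom's point is easiest to see by taking the header Motty posted apart rule by rule. The following is an added example, not code from this thread or from SpamAssassin: it parses the amavisd-new style `tests=[RULE=score, ...]` form of X-Spam-Status shown above, ranks the hits by how much each contributes, and re-totals the message under local `score RULE value` overrides. The 0.8 used for BAYES_50 below is an illustrative override value, not one quoted by anyone in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the header exactly as quoted in the thread (amavisd-new
# format, where tests=[...] carries each rule's score).
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7 "
    "tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, "
    "T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no"
)

_KV_RE = re.compile(r"\b(score|required)=(-?\d+(?:\.\d+)?)")
_TESTS_RE = re.compile(r"tests=\[([^\]]*)\]")


def parse_spam_status(header: str) -> Tuple[float, float, Dict[str, float]]:
    """Return (reported score, required threshold, {rule: score})."""
    kv = dict(_KV_RE.findall(header))
    m = _TESTS_RE.search(header)
    if "score" not in kv or "required" not in kv or m is None:
        raise ValueError("expected score=, required= and tests=[...] in header")
    rules: Dict[str, float] = {}
    for item in m.group(1).split(","):
        name, sep, value = item.strip().partition("=")
        if sep:
            rules[name] = float(value)
    return float(kv["score"]), float(kv["required"]), rules


def total(rules: Dict[str, float]) -> float:
    # Round the way the report does, so 0.001-sized T_ scores are not float noise.
    return round(sum(rules.values()), 3)


def contributions(rules: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rules ordered by absolute contribution, largest first."""
    return sorted(rules.items(), key=lambda kv: abs(kv[1]), reverse=True)


def rescore(rules: Dict[str, float], overrides: Dict[str, float]) -> Dict[str, float]:
    """Apply local 'score RULE value' overrides to the rules that hit."""
    return {name: overrides.get(name, score) for name, score in rules.items()}


def would_tag(rules: Dict[str, float], required: float) -> bool:
    return total(rules) >= required


def local_cf_line(rule: str, score: float) -> str:
    """The local.cf syntax for overriding one rule's score."""
    return f"score {rule} {score}"


if __name__ == "__main__":
    score, required, rules = parse_spam_status(SAMPLE_HEADER)
    print(f"reported {score}, recomputed {total(rules)}, threshold {required}")
    for name, value in contributions(rules):
        print(f"  {value:>7.3f}  {name}")
    # Pinning the T_ rule at 0.001 (John's suggestion) moves the total by 0.011.
    print("with", local_cf_line("T_RP_MATCHES_RCVD", 0.001), "->",
          total(rescore(rules, {"T_RP_MATCHES_RCVD": 0.001})))
    # A BAYES_50 override is what actually moves the verdict (0.8 is illustrative).
    print("with", local_cf_line("BAYES_50", 0.8), "->",
          total(rescore(rules, {"BAYES_50": 0.8})))
```

Run it against any amavisd-style X-Spam-Status line; the contribution list shows at a glance that a rule scored at ±0.01 cannot decide a verdict on its own, while one rule carrying 4.3 of a 5.7 threshold does.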
Re: how to remove T_RP_MATCHES_RCVD
Thanks for your prompt reply John,

X-Spam-Status: No, score=5.27 tagged_above=-999.9 required=5.7
tests=[BAYES_50=4.3, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no

always the score is -0.01 regardless; I will take your suggestion and set it to 0.01, will report back shortly.

Thanks,

On 04/05/2018 09:32 AM, John Hardin wrote:
> On Thu, 5 Apr 2018, Motty Cruz wrote:
>
>> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass
>> through. Is there a way to disable in local.cf?
>
> The best way to disable it without breaking any meta-rules that may be
> using it is to set its score to 0.001 in your local config file.
>
> I don't see a score for it in the latest rules update, so it should by
> default be *adding* one point to scores, which won't contribute to FNs.
>
> What is it currently scored in your environment?
>
> It is, however, used as a suppressor subrule in some spam meta-rules.
> Is that why it's causing FNs for you?
Re: how to remove T_RP_MATCHES_RCVD
On Thu, 5 Apr 2018 09:12:45 -0700 Motty Cruz wrote:

> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass
> through. Is there a way to disable in local.cf?

How's that happening? A T_* rule only scores +/- 0.01.
Re: how to remove T_RP_MATCHES_RCVD
On Thu, 5 Apr 2018, Motty Cruz wrote:

> Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass
> through. Is there a way to disable in local.cf?

The best way to disable it without breaking any meta-rules that may be using it is to set its score to 0.001 in your local config file.

I don't see a score for it in the latest rules update, so it should by default be *adding* one point to scores, which won't contribute to FNs.

What is it currently scored in your environment?

It is, however, used as a suppressor subrule in some spam meta-rules. Is that why it's causing FNs for you?

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The first time I saw a bagpipe, I thought the player was torturing an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
---
8 days until Thomas Jefferson's 275th Birthday
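John's advice to use 0.001 rather than 0 rests on how SpamAssassin treats a zero score: a rule scored 0 is not run at all, so any meta rule that references it sees it as never hitting, whereas any non-zero score (0.001 included) keeps the rule running and its suppressor role intact. The following is an added illustration, not SpamAssassin's own code: a minimal evaluator for SA-style meta expressions (`&&`, `||`, `!`, parentheses) over the set of rules that fired. The meta rule and the `__SPAMMY_*` sub-rule names are constructed for the demo; only `T_RP_MATCHES_RCVD` comes from the thread.

```python
import re
from typing import Dict, List, Set

# SpamAssassin-style meta syntax: rule names joined by && and ||, negated
# with !, grouped with parentheses.
_TOK = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_]\w*)")


def tokenize(expr: str) -> List[str]:
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOK.match(expr, pos)
        if m is None:
            if expr[pos:].strip() == "":
                break
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def fired_rules(hits: Set[str], scores: Dict[str, float]) -> Set[str]:
    """Which of the matching rules actually fire.

    A rule scored exactly 0 is disabled and never runs, so a meta that
    references it sees it as not hit. Any non-zero score (0.001 included)
    keeps it running. Sub-rules starting with __ carry no score and always run.
    """
    return {r for r in hits if r.startswith("__") or scores.get(r, 1.0) != 0}


class _Parser:
    # Recursive descent: expr := term ('||' term)*, term := factor ('&&' factor)*,
    # factor := '!' factor | '(' expr ')' | RULE
    def __init__(self, tokens: List[str], fired: Set[str]):
        self.tokens, self.pos, self.fired = tokens, 0, fired

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def expr(self) -> bool:
        value = self.term()
        while self.peek() == "||":
            self.take()
            rhs = self.term()
            value = value or rhs
        return value

    def term(self) -> bool:
        value = self.factor()
        while self.peek() == "&&":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self) -> bool:
        tok = self.take()
        if tok == "!":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return value
        if tok in (")", "&&", "||"):
            raise ValueError(f"unexpected {tok!r}")
        return tok in self.fired


def meta_fires(expr: str, hits: Set[str], scores: Dict[str, float]) -> bool:
    """Evaluate a meta expression against the rules that fired."""
    parser = _Parser(tokenize(expr), fired_rules(hits, scores))
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing input {parser.peek()!r}")
    return result


# Constructed example: a spam meta that uses T_RP_MATCHES_RCVD as a suppressor,
# as the thread describes. The __SPAMMY_* names are invented for the demo.
SUPPRESSED_META = "__SPAMMY_A && __SPAMMY_B && !T_RP_MATCHES_RCVD"
HITS = {"__SPAMMY_A", "__SPAMMY_B", "T_RP_MATCHES_RCVD"}

if __name__ == "__main__":
    for local_score in (-0.01, 0.001, 0):
        fires = meta_fires(SUPPRESSED_META, HITS, {"T_RP_MATCHES_RCVD": local_score})
        print(f"score T_RP_MATCHES_RCVD {local_score:<6} -> meta fires: {fires}")
    # -0.01 and 0.001 keep the suppressor working (the meta stays quiet);
    # 0 switches the rule off, and the same message now trips the meta.
```

The practical check before zeroing any rule locally is therefore to grep the rule set for metas that name it; if any do, 0.001 removes its direct weight without changing how those metas evaluate.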
how to remove T_RP_MATCHES_RCVD
Hello, T_RP_MATCHES_RCVD this rule is allowing spammy emails to pass through. Is there a way to disable in local.cf?

Thanks,
Motty
Re: FUZZY_XPILL FP hitting all Travelodge emails
On Thu, 5 Apr 2018, Kris Deugau wrote:

> Alex wrote:
>> We're also seeing it hit mailer-daemon emails.
>>
>> https://pastebin.com/raw/UXnzEN8U
>>
>> This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect) and
>> when I re-ran it here locally, FUZZY_DR_OZ. The problem is that it's
>> hitting on the mime attachments which are apparently treated as body text
>> in mailer-daemon emails.
>>
>> ran body rule FUZZY_AMBIEN ==> got hit: "GRm8iEn"
>> ran body rule __FUZZY_DR_OZ ==> got hit: "DGCGS+"
>> ran body rule FUZZY_XPILL ==> got hit: "xxgnoX"
>
> If you look closely I expect you'll find that those are "poorly formatted"
> postmaster notices; ie, any content from the original message is NOT
> actually wrapped up in a separate MIME part, it's just another blob of text
> stuffed in beside the actual postmaster notice info.

Even so, I'm surprised the Dr Oz rule hit *that*. I'll review it.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
At $8 billion per year, the TSA is the most expensive theatrical production in history.
-- David Burge @iowahawkblog
---
8 days until Thomas Jefferson's 275th Birthday
Re: FUZZY_XPILL FP hitting all Travelodge emails
It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT"

It's an aggressive rule that finds anything that might be an obfuscated Xanax. It only scores 0.8 points because it can produce FPs like this.

Actually that is my private, custom score. I think the default is 2.8 or something like that.

*@travelodge.co.uk emails should be scoring much lower in SA around the Internet running sa-update regularly as long as there is an SPF_PASS and/or DKIM_VALID_AU hits. Set up OpenDKIM and DKIM signing on those outbound emails for even better delivery results. This applies to any domain.

I highly recommend setting up DMARC reporting to everyone out there to get feedback on your SPF and DKIM results. It can be very interesting to see who is trying to spoof your domain and who is auto-forwarding your emails.

I stay at Travelodge regularly, it doesn't hit their marketing emails, but Booking Confirmations and Invoices, come out with the following for me:

X-Spam-Status: No, score=1.3 required=5.0 tests=AWL,BAYES_00,FUZZY_XPILL,
    HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,T_FILL_THIS_FORM_SHORT,
    T_RP_MATCHES_RCVD autolearn=no autolearn_force=no version=3.4.1
X-Spam-Report:
    * -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
    *      domain
    *  2.8 FUZZY_XPILL BODY: Attempt to obfuscate words in spam
    *  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
    *      background
    *  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
    *      [score: 0.]
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal
    *      information
    * -0.3 AWL AWL: Adjusted score from AWL reputation of From: address

It is still a bit way off before it could be considered SPAM.
Re: FUZZY_XPILL FP hitting all Travelodge emails
Alex wrote:
> We're also seeing it hit mailer-daemon emails.
>
> https://pastebin.com/raw/UXnzEN8U
>
> This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect) and
> when I re-ran it here locally, FUZZY_DR_OZ. The problem is that it's
> hitting on the mime attachments which are apparently treated as body text
> in mailer-daemon emails.
>
> ran body rule FUZZY_AMBIEN ==> got hit: "GRm8iEn"
> ran body rule __FUZZY_DR_OZ ==> got hit: "DGCGS+"
> ran body rule FUZZY_XPILL ==> got hit: "xxgnoX"

If you look closely I expect you'll find that those are "poorly formatted" postmaster notices; ie, any content from the original message is NOT actually wrapped up in a separate MIME part, it's just another blob of text stuffed in beside the actual postmaster notice info.

From the pastebin:

> Hi. This is the qmail-send program ...

yep. qmail is one of the MTAs that deliberately breaks MIME layering in its notices.

-kgd
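Kris's distinction between a bounce that encloses the original message as its own MIME part and a qmail-style notice that pastes it inline is the whole reason body rules see the original's text in the second case. The following is an added example, not part of this thread and not SpamAssassin's code: two constructed bounces (addresses, wording and the booking text are made up; the RFC 3464 delivery-status part is omitted to keep the sample short) parsed with Python's `email` library, plus a helper that returns only the MTA's own notice text. For the structured bounce the enclosed original can be separated out; for the qmail-style one there is no boundary to separate on, so the original's body comes back as notice text.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Optional

# Constructed sample: a multipart/report bounce whose undeliverable original
# rides in its own message/rfc822 part, so notice and payload are separable.
STRUCTURED_BOUNCE = """\
From: MAILER-DAEMON@example.net
To: sender@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host example.net. Your message could not be
delivered to one or more recipients.

--B1
Content-Type: message/rfc822

From: sender@example.org
To: nobody@example.com
Subject: booking confirmation
Content-Type: text/plain; charset=us-ascii

Your stay at Aylesbury Road, Thame, Oxon, OX9 3AT is confirmed.

--B1--
"""

# Constructed sample in the qmail style the thread describes: one text/plain
# body with the original message pasted in below a marker line.
QMAIL_STYLE_BOUNCE = """\
From: MAILER-DAEMON@example.net
To: sender@example.org
Subject: failure notice
Content-Type: text/plain; charset=us-ascii

Hi. This is the qmail-send program at example.net.
I'm afraid I wasn't able to deliver your message to the following addresses.

<nobody@example.com>:
Sorry, no mailbox here by that name.

--- Below this line is a copy of the message.

Return-Path: <sender@example.org>
From: sender@example.org
To: nobody@example.com
Subject: booking confirmation

Your stay at Aylesbury Road, Thame, Oxon, OX9 3AT is confirmed.
"""


def parse(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=policy.default)


def is_structured_dsn(msg: EmailMessage) -> bool:
    """True when the bounce is multipart/report and carries the original
    as a separate message/rfc822 part."""
    if msg.get_content_type() != "multipart/report":
        return False
    return any(p.get_content_type() == "message/rfc822" for p in msg.iter_parts())


def notice_text(msg: EmailMessage) -> str:
    """Only the MTA's own notice: top-level text/plain parts, never descending
    into an enclosed original. A qmail-style bounce has no such boundary, so
    the pasted-in original is returned as part of the notice."""
    if not msg.is_multipart():
        return msg.get_content()
    return "\n".join(p.get_content() for p in msg.iter_parts()
                     if p.get_content_type() == "text/plain")


def enclosed_original_subject(msg: EmailMessage) -> Optional[str]:
    """Subject of the enclosed original, or None when there is no separate part."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return str(part.get_payload()[0]["Subject"])
    return None


if __name__ == "__main__":
    for label, raw in (("structured", STRUCTURED_BOUNCE), ("qmail-style", QMAIL_STYLE_BOUNCE)):
        msg = parse(raw)
        print(f"{label}: structured={is_structured_dsn(msg)} "
              f"original_subject={enclosed_original_subject(msg)!r}")
        print("  notice text:", notice_text(msg).strip().replace("\n", " | "))
```

The same split is what lets a filter apply a different policy to an enclosed original (for instance, not counting obfuscation rules against the bounce because of text that was in the message being returned); with the inline style there is nothing to split on, which is why these notices keep tripping body rules.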
Re: FUZZY_XPILL FP hitting all Travelodge emails
Hi,

On Mon, Apr 2, 2018 at 8:10 AM, Kevin A. McGrail wrote:
> Pastebin a sample(s).

We're also seeing it hit mailer-daemon emails.

https://pastebin.com/raw/UXnzEN8U

This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect) and when I re-ran it here locally, FUZZY_DR_OZ. The problem is that it's hitting on the mime attachments which are apparently treated as body text in mailer-daemon emails.

ran body rule FUZZY_AMBIEN ==> got hit: "GRm8iEn"
ran body rule __FUZZY_DR_OZ ==> got hit: "DGCGS+"
ran body rule FUZZY_XPILL ==> got hit: "xxgnoX"
Re: This sucks
On Tue, 3 Apr 2018 14:58:39 +0200 Michael Brunnbauer wrote:

> Hello Giovanni,
>
> On Tue, Apr 03, 2018 at 11:04:46AM +0200, Giovanni Bechis wrote:
> > if you start spamd from /root and you use a perl module that is
> > using "use lib 'lib';" or similar piece of code the relevant code
> > will not load because the user spamd is running on (spamd or
> > whichever you have configured) will not have access to $PWD.
>
> Thank you very much - this makes sense. NetAddr uses such a construct

I'm curious what it's using, "use lib ..." is a way to make perl look for libraries first in additional non-standard locations. I don't see why NetAddr would have that unless someone had edited it locally.

Also I don't see what the location of a library has to do with the spamd user's access to $PWD, unless the library is in $PWD. And you've already said you have no libraries under /root.
Re: FUZZY_XPILL FP hitting all Travelodge emails
On 04/02/2018 09:50 AM, Sebastian Arcus wrote:
On 02/04/18 14:58, RW wrote:
On Mon, 2 Apr 2018 08:26:27 -0500 David Jones wrote:
On 04/02/2018 07:18 AM, Sebastian Arcus wrote:

Thank you - one example here: https://pastebin.com/UGStfCys

It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT"

It's an aggressive rule that finds anything that might be an obfuscated Xanax. It only scores 0.8 points because it can produce FPs like this.

Actually that is my private, custom score. I think the default is 2.8 or something like that.

*@travelodge.co.uk emails should be scoring much lower in SA around the Internet running sa-update regularly as long as there is an SPF_PASS and/or DKIM_VALID_AU hits. Set up OpenDKIM and DKIM signing on those outbound emails for even better delivery results. This applies to any domain.

I highly recommend setting up DMARC reporting to everyone out there to get feedback on your SPF and DKIM results. It can be very interesting to see who is trying to spoof your domain and who is auto-forwarding your emails.

--
David Jones