Re: "Please send us a quote..."?
On 4/6/21 6:38 PM, Charles Sprickman wrote:
> Not totally clear on the scam as it went no further than saying “yeah bud, we have the drives, how would you like to pay?”.

I've seen a few where they are asking for samples prior to -- purportedly -- submitting an order.

-- 
Grant. . . .
unix || die
Re: "Please send us a quote..."?
> On Apr 6, 2021, at 8:20 PM, John Hardin wrote: > > On Tue, 6 Apr 2021, Kris Deugau wrote: > >> John Hardin wrote: >>> Can anybody explain to me the reason behind the blind "please send us a >>> quote for your product X" emails? I mean, I know they are somehow a >>> scam, but I can't figure it out how it's supposed to work when the target >>> isn't a business... >> >> Most of the examples I've seen are arguably virus emails, on the basis of an >> attached archive file with a .exe in it. > > *Those* are easy enough to figure out. I was asking about the ones with no > attachments, no links, nothing obviously exploitable. I had one of them, they wanted to buy 300 hard drives from us, and were spoofing a DOD contractor. Wacky stuff (we don’t sell hard drives). Had a back and forth with them, it was a pretty slick scam - had a full website that was like the spoofed contractor but a different TLD, US phone and fax numbers and were very eager for us to send them some drives. I just forwarded all my correspondence on to the spoofed contractor. Not totally clear on the scam as it went no further than saying “yeah bud, we have the drives, how would you like to pay?”. C > > -- > John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ > jhar...@impsec.org pgpk -a jhar...@impsec.org > key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 > --- > Activist: Someone who gets involved. > Unregistered Lobbyist: Someone who gets involved > with something the MSM doesn't approve of. -- WizardPC > --- > 7 days until Thomas Jefferson's 278th Birthday
Re: DNSWL overriding bayes_99 and bayes_999 rules
RW writes:

> On Tue, 06 Apr 2021 12:03:52 -0400
> Greg Troxel wrote:
>
>> You can and probably should report spam to dnswl. In theory HI should
>> have essentially no spam.
>
> I thought that because I've never received a single spam with it, but in
> mass checks it's at 0.23% of spam.

Do you mean that of all the spam in in-use corpora, 0.23% of those spam messages trigger DNSWL_HI?

I found some old discussion and it seems there is often trouble with a machine that receives and forwards mail, sort of j...@example.org getting sent to john@other.com, as a legit thing, but if other.com doesn't put the example.org MTA in trusted_networks, it gets complicated. Although, HI is more or less supposed to be for things that do not have user-controlled mail, for non-controlled users.

I did a quick scan over my own mail, and found 5 DNSWL_HI and none in spam folders. (This omits any that were MTA-rejected.) I realize that's an anecdote, not data.
Re: "Please send us a quote..."?
On Tue, 6 Apr 2021, Kris Deugau wrote: John Hardin wrote: Can anybody explain to me the reason behind the blind "please send us a quote for your product X" emails? I mean, I know they are somehow a scam, but I can't figure it out how it's supposed to work when the target isn't a business... Most of the examples I've seen are arguably virus emails, on the basis of an attached archive file with a .exe in it. *Those* are easy enough to figure out. I was asking about the ones with no attachments, no links, nothing obviously exploitable. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Activist: Someone who gets involved. Unregistered Lobbyist: Someone who gets involved with something the MSM doesn't approve of. -- WizardPC --- 7 days until Thomas Jefferson's 278th Birthday
Re: DNSWL overriding bayes_99 and bayes_999 rules
On Tue, 06 Apr 2021 12:03:52 -0400 Greg Troxel wrote: > You can and probably should report spam to dnswl. In theory HI should > have essentially no spam. I thought that because I've never received a single spam with it, but in mass checks it's at 0.23% of spam.
Re: Getting different SA scores when using -R argument with spamc
> It can only do so if report_safe is set to 0. With non-zero report_safe settings, the original mail is encapsulated as an attachment inside a wrapper message also including the report. That wrapper message containing the SA report is "safe" because it is fully local, the text/plain part won't look like spam to any spam filter, and the original, encapsulated as a message/rfc822 attachment, should be skipped by any filter. If you want to test the *original* message, you have to extract the message/rfc822 part into its own file and test that.

OK, did some more googling on this. Let me spell this out and help clear things up for those who may be as confused as I was:

1) sa-learn *will* "unwrap" the original encapsulated spam emails when they are encapsulated by SA: https://cwiki.apache.org/confluence/display/SPAMASSASSIN/LearningMarkedUpMessages

2) However, the spamassassin command (or spamc/spamd) does not do this for you. You must use the -d option to remove any spam markup.

What this means is that if report_safe is set to "1" (the default) in your SA config file, you must pull the original spam email out with the -d option if you wish to run it through spamassassin/spamc again. You do *not* have to worry about doing this with the sa-learn command.

If I got this wrong, let me know. Thanks.
Re: Getting different SA scores when using -R argument with spamc
On 6 Apr 2021, at 16:19, Steve Dondley wrote:

[...]

>> It can only do so if report_safe is set to 0. With non-zero report_safe settings, the original mail is encapsulated as an attachment inside a wrapper message also including the report. That wrapper message containing the SA report is "safe" because it is fully local, the text/plain part won't look like spam to any spam filter, and the original, encapsulated as a message/rfc822 attachment, should be skipped by any filter. If you want to test the *original* message, you have to extract the message/rfc822 part into its own file and test that.
>
> OK, so that's the problem, I guess. That config option is commented out in my local.cf file:
>
> # report_safe 1

That is to document the fact that it is not explicitly set but that it defaults to 1.

> So what do you recommend setting this to '1'?

It's 1 now, by default.

I use '0' because I overtly reject mail that SA scores over my threshold, while stashing a pristine copy in a 3-day message dumpster.

The best choice depends on how you handle messages that SA scores as spam after that determination, and who your users are. The default is good because it raises the difficulty for users to accidentally treat spam as ham after delivery, if they are the sort to not notice things like subject tagging or the fact that a message is in a folder named "Spam." I think that '2' is misguided in principle, because it leaves the original message open to re-filtering, is likely to cause Bayes poisoning if you autolearn, and opens accidental access to a broader range of users.

> Any downsides to that? I'm just a little leery of changing a default setting. But I'll do whatever the pros suggest.

Leaving it at the default setting of 1 leaves you where you are. The main downside to that in my opinion is that the wrapper is a nuisance if you want to work with original spam messages. Once you understand how to handle that, it's a minor problem to work around.

> It says a value of '2' sets it "use text/plain instead" but I don't know what that is referring to.

The attached original message uses a MIME file type of 'message/rfc822' when report_safe is 1. That is the standard MIME file type for Internet email messages embedded in other messages. When report_safe is 2, it uses the type 'text/plain' which makes the original message more widely accessible to MUAs and when extracted to an independent text file. In practice, the only difference is whether the extracted file has a '.eml' or '.txt' extension.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Getting different SA scores when using -R argument with spamc
On 2021-04-06 04:19 PM, Steve Dondley wrote: It seems to have done so. Thank you. Some MUAs have a "Reply to List" function that uses the List-Post header (and sometimes heuristics when that header is missing) to send replies only to a list itself. I've recently switched to Roundcube from gmail. I didn't see that option but I think I've figured out I just need to hit "reply". Thanks for pointing out you were getting dupes. It can only do so if report_safe is set to 0. With non-zero report_safe settings, the original mail is encapsulated as an attachment inside a wrapper message also including the report. That wrapper message containing the SA report is "safe" because it is fully local, the text/plain part won't look like spam to any spam filter, and the original, encapsulated as a message/rfc822 attachment, should be skipped by any filter. If you want to test the *original* message, you have to extract the message/rfc822 part into its own file and test that. OK, so that's the problem, I guess. That config option is commented out in my local.cf file: # report_safe 1 I should read the documentation before asking questions. So '1' is the default which encapsulates the original spam as an attachment.
Re: Getting different SA scores when using -R argument with spamc
Some MUAs have a "Reply to List" function that uses the List-Post header (and sometimes heuristics when that header is missing) to send replies only to a list itself. Ah! I see that option now under the little down arrow next to "Reply all". My day is made. Thanks!
Re: Getting different SA scores when using -R argument with spamc
It seems to have done so. Thank you. Some MUAs have a "Reply to List" function that uses the List-Post header (and sometimes heuristics when that header is missing) to send replies only to a list itself. I've recently switched to Roundcube from gmail. I didn't see that option but I think I've figured out I just need to hit "reply". Thanks for pointing out you were getting dupes. It can only do so if report_safe is set to 0. With non-zero report_safe settings, the original mail is encapsulated as an attachment inside a wrapper message also including the report. That wrapper message containing the SA report is "safe" because it is fully local, the text/plain part won't look like spam to any spam filter, and the original, encapsulated as a message/rfc822 attachment, should be skipped by any filter. If you want to test the *original* message, you have to extract the message/rfc822 part into its own file and test that. OK, so that's the problem, I guess. That config option is commented out in my local.cf file: # report_safe 1 So what do you recommend setting this to '1'? Any downsides to that? I'm just a little leery of changing a default setting. But I'll do whatever the pros suggest. It says a value of '2' sets it "use text/plain instead" but I don't know what that is referring to.
Re: DNSWL overriding bayes_99 and bayes_999 rules
On 06-04-2021 at 19:23, Bill Cole wrote:
> Because DNSWL has problematic sources,

Depending on the eyes looking at it, for NONE, maybe true? - "These are legitimate mail servers, but they may also emit spam or have other issues from time to time."

But there shouldn't be any kind of "problematic sources" triggering e.g. RCVD_IN_DNSWL_HI, like it appears in OP's situation.

OP does however have a similar thread, "What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?" on 28th of March, indicating RCVD_IN_DNSWL_HI, but with none of the IPs mentioned being listed at RCVD_IN_DNSWL_HI.

If you happen to know of any such definitive "problematic sources" that are listed, I suggest you report them ASAP, including any kind of evidence/proof you may have of your claims.

-- 
Med venlig hilsen / Kind regards,
Arne Jensen
Re: Getting different SA scores when using -R argument with spamc
On 6 Apr 2021, at 14:55, Steve Dondley wrote:

> On 2021-04-06 02:32 PM, Bill Cole wrote:
>> PLEASE NOTE: I read the mailing list obsessively and DO NOT NEED (or want) the extra copies sent when you send both to me and to the list.
>
> Sorry, I still haven't figured out how to properly respond. When I hit "reply all" it cc's the list and sends to you. When I hit just "reply" it only sends to you. I've manually deleted you from the "To" box and am sending it directly to the list here. Hopefully that fixes things up.

It seems to have done so. Thank you.

Some MUAs have a "Reply to List" function that uses the List-Post header (and sometimes heuristics when that header is missing) to send replies only to a list itself.

>> Since the scores being added during delivery are much richer, detecting enough info to do SPF and DKIM analysis, I am 99.9% certain that the format of 'some_email' is mangled, probably missing critical headers or using CR linebreaks instead of proper LFs.
>
> Hmm, this is on a linux box, so I'm not sure how it could be screwing up the line breaks. Is it possible that when spamd injects the scores before the body of the email, it is screwing things up? Here is the email as it sits in my inbox now, which is after it gets processed by spamd. I was under the impression that an email that had already been processed by SA could be processed again and it would ignore any modifications made by earlier passes through SA.

It can only do so if report_safe is set to 0. With non-zero report_safe settings, the original mail is encapsulated as an attachment inside a wrapper message also including the report. That wrapper message containing the SA report is "safe" because it is fully local, the text/plain part won't look like spam to any spam filter, and the original, encapsulated as a message/rfc822 attachment, should be skipped by any filter. If you want to test the *original* message, you have to extract the message/rfc822 part into its own file and test that.

So these are the headers you were checking post-delivery:

Return-Path:
Delivered-To: s...@exmaple.com
Received: from email.exmaple.com by email.exmaple.com with LMTP id kAhSKc1dY2BCKgAAB604Gw (envelope-from ) for ; Tue, 30 Mar 2021 13:20:13 -0400
Received: by email.exmaple.com (Postfix, from userid 115) id A64BE200C8; Tue, 30 Mar 2021 13:20:13 -0400 (EDT)
Received: from localhost by email.exmaple.com with SpamAssassin (version 3.4.2); Tue, 30 Mar 2021 13:20:13 -0400
From: "Home Warranty - AHS"
To:
Subject: *SPAM* It's getting warmer, are you covered?
Date: Tue, 30 Mar 2021 05:18:34 -0700
Message-Id:
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on email.exmaple.com
X-Spam-Flag: YES
X-Spam-Level: *
X-Spam-Status: Yes, score=5.2 required=5.0 tests=BAYES_99,BAYES_999,
	DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
	HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H2,
	SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
	autolearn_force=no version=3.4.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_60635DCD.A0F5D194"

[...]

but this is the original header block buried in the attachment:

Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=69.252.207.38; helo=resqmta-ch2-06v.sys.comcast.net; envelope-from=bounce-use=m=44682734836=echo4=6df0a8c162cdc2810dc8b4fe0a119...@returnpath.bluehornet.com; receiver=
Authentication-Results: email.exmaple.com; dkim=pass (2048-bit key; secure) header.d=comcastmailservice.net header.i=@comcastmailservice.net header.b="YTHf56Fx"; dkim=pass (1024-bit key; unprotected) header.d=forgetmassives.com header.i=@forgetmassives.com header.b="Cc3SOvHE"; dkim-atps=neutral
Received: from resqmta-ch2-06v.sys.comcast.net (resqmta-ch2-06v.sys.comcast.net [69.252.207.38]) by email.exmaple.com (Postfix) with ESMTPS id F0A9D200C8 for ; Tue, 30 Mar 2021 13:20:12 -0400 (EDT)
Received: from resomta-ch2-06v.sys.comcast.net ([69.252.207.102]) by resqmta-ch2-06v.sys.comcast.net with ESMTP id RCA7l3lgvsjoSRI2ElIKl6; Tue, 30 Mar 2021 17:20:10 +
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcastmailservice.net; s=20180828_2048; t=1617124810;
	bh=EzUwkxtc+07gV+1cIeMVwIqhGkZuGI/a4ukUrCjG7nM=;
	h=Received:Received:Received:Received:Received:Received:Received:Message-ID:Date:From:Reply-To:To:Subject:Mime-Version:Content-Type;
	b=YTHf56FxVyphxJLrqEnfZKfP5M62QfSc0ICCe5ZS/2UXQUsumO0ltgCO6ZjDRxrso
	Up8oEgr4gqv8kNMAtJEM532f15eLObwwty+P0OAS8HncjfsiHJspdnk3Eg0aC4A57k
	5w8gnpRbQoa/KaAn0bejQNcCdr+KArf6VwKO+q5/HY9UQxa2RxIWUsoxIMmyZX0WpF
	upTL1nKnd+zaRENmudAllcfxCLMUpnc9oK/Ea//4bcT/51ofrewbe/J0ZhaAUfJu5O
	/40UsSsWx49VFVQ1X7Bifw/CE56spoesfnOSm9/7W/V0PptjjleM6LIQ3S+xWRJFaS
	xfwTExYFqt5sw==
R
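What that unwrapping looks like in practice, as an added example (my code, not from the thread or from the SpamAssassin project): it pulls the part tagged x-spam-type=original out of a report_safe=1 (message/rfc822) or report_safe=2 (text/plain) wrapper, and for a report_safe=0 message it strips the X-Spam-* headers spamd added and restores the pre-rewrite Subject, roughly what `spamassassin -d` does. The pristine bytes can then go back into `spamassassin -t`. The two sample messages, their addresses and Message-Ids are constructed for the example; the header and parameter names are the ones spamd writes by default.

```python
"""Recover the original message from a SpamAssassin-processed copy.

Added example, not code from the list thread or from SpamAssassin.
Assumes stock header names: the original part carries
Content-Type ...; x-spam-type=original, and rewrite_header Subject
leaves the untouched subject in X-Spam-Prev-Subject.
"""
import email
import sys
from email import policy
from email.message import EmailMessage

# Headers spamd adds to the delivered copy. Locally configured add_header
# lines would need to be appended here.
SA_HEADERS = ("X-Spam-Checker-Version", "X-Spam-Flag", "X-Spam-Level",
              "X-Spam-Status", "X-Spam-Report", "X-Spam-Prev-Subject")


def parse(raw: bytes) -> EmailMessage:
    """Parse bytes with the modern email policy (yields EmailMessage objects)."""
    return email.message_from_bytes(raw, policy=policy.default)


def strip_markup(msg: EmailMessage) -> EmailMessage:
    """report_safe=0 case: restore the Subject and drop the X-Spam-* headers in place."""
    prev = msg["X-Spam-Prev-Subject"]
    if prev is not None:
        del msg["Subject"]
        msg["Subject"] = str(prev)
    for name in SA_HEADERS:
        del msg[name]          # no-op when the header is absent
    return msg


def unwrap_report_safe(raw: bytes) -> bytes:
    """Return the pristine message bytes from a spamd-processed message.

    Wrapper (report_safe 1 or 2): the part tagged x-spam-type=original is
    returned. Anything else is treated as a report_safe=0 message and only
    the markup is removed.
    """
    msg = parse(raw)
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_param("x-spam-type", header="content-type") != "original":
                continue
            if part.get_content_type() == "message/rfc822":      # report_safe 1
                return part.get_payload(0).as_bytes()
            return part.get_payload(decode=True)                 # report_safe 2
    return strip_markup(msg).as_bytes()


# Constructed report_safe=1 wrapper, shaped like the one quoted in the thread.
WRAPPER = b"""From: "Home Warranty - AHS" <news@example.net>
To: s@exmaple.com
Subject: *SPAM* It's getting warmer, are you covered?
X-Spam-Flag: YES
X-Spam-Status: Yes, score=5.2 required=5.0 tests=BAYES_99,BAYES_999
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_60635DCD.A0F5D194"

This is a multi-part message in MIME format.

----=_60635DCD.A0F5D194
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline

Spam detection software, running on the system "email.exmaple.com", has
identified this incoming email as possible spam.

----=_60635DCD.A0F5D194
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Received: from resqmta-ch2-06v.sys.comcast.net ([69.252.207.38])
\tby email.exmaple.com (Postfix) with ESMTPS id F0A9D200C8
\tfor <s@exmaple.com>; Tue, 30 Mar 2021 13:20:12 -0400 (EDT)
From: "Home Warranty - AHS" <news@example.net>
To: s@exmaple.com
Subject: It's getting warmer, are you covered?
Date: Tue, 30 Mar 2021 05:18:34 -0700
Message-Id: <constructed-1@example.net>
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1

<html><body>Your AHS Home Warranty covers the repair or replacement...</body></html>

----=_60635DCD.A0F5D194--
"""

# Constructed report_safe=0 message: markup in the headers only.
MARKED_UP = b"""From: Example List <list@example.org>
To: s@exmaple.com
Subject: *SPAM* Welcome aboard
X-Spam-Prev-Subject: Welcome aboard
X-Spam-Flag: YES
X-Spam-Status: Yes, score=6.1 required=5.0 tests=BAYES_99,BAYES_999,
\tDATE_IN_PAST_03_06 autolearn=no autolearn_force=no version=3.4.2
Date: Tue, 30 Mar 2021 05:18:34 -0700
Message-Id: <constructed-2@example.org>

Thanks for subscribing.
"""

if __name__ == "__main__":   # use as a filter: unwrap.py < wrapped.eml | spamassassin -t
    sys.stdout.buffer.write(unwrap_report_safe(sys.stdin.buffer.read()))
```

Run as a filter ahead of `spamassassin -t` and the report lists the rules that fired on the original instead of NO_RELAYS and BAYES_50 on the wrapper. If your local.cf has add_header lines, extend SA_HEADERS with them, otherwise those headers survive the report_safe=0 path.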
Re: Getting different SA scores when using -R argument with spamc
On 2021-04-06 02:55 PM, Steve Dondley wrote: On 2021-04-06 02:32 PM, Bill Cole wrote: PLEASE NOTE: I read the mailing list obsessively and DO NOT NEED (or want) the extra copies sent when you send both to me and to the list. Sorry, I still haven't figured out how to properly respond. When I hi "reply all" it cc's the list and sends to you. When I hit just "reply" it only sends to you. I've manually deleted you from the "To" box and sending it directly to the list here. Hopefully that fixes things up. Since the scores being added during delivery are much richer, detecting enough info to do SPF and DKIM analysis, I am 99.9% certain that the format of 'some_email' is mangled, probably missing critical headers or using CR linebreaks instead of proper LFs. I just noticed the date in the email header was from about a week ago.
Re: DNSWL overriding bayes_99 and bayes_999 rules
On 2021-04-06 21:12, Arne Jensen wrote:

> On 06-04-2021 at 17:48, Steve Dondley wrote:
>> I have emails that have been flagged as spam in the past but that are still getting through, presumably because the servers are on some DNSWL.
>>
>> Example:
>>
>> X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
>> 	DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
>> 	HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,
>> 	SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
>> 	autolearn_force=no version=3.4.2
>>
>> What's the recommended way to handle these? Do I turn on shortcircuit? Do I bump up the score for BAYES_99, BAYES_999? Or might there be a way to ignore DNSWL scores if they have a high bayes score?
>
> - Report the full message to DNSWL?
> - Provide more information about the message, such as e.g. the Received: headers as well, or even better: The full message in question?

SPF softfail, so it's forged even, why accept it in MTA stage :/

Bayes here says it's well trained for spam, but it could be added meta to meta BAYES_SPAM_SPF_SOFTFAIL (BAYES_999 && SPF_SOFTFAIL && RCVD_IN_DNSWL_HI) and score that meta so it's considered spam in end results.

This will go away if reported to dnswl.org.
Re: DNSWL overriding bayes_99 and bayes_999 rules
On 06-04-2021 at 17:48, Steve Dondley wrote:
> I have emails that have been flagged as spam in the past but that are
> still getting through, presumably because the servers are on some DNSWL.
>
> Example:
>
> X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
> DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
> HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,
> SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
> autolearn_force=no version=3.4.2
>
> What's the recommended way to handle these? Do I turn on shortcircuit?
> Do I bump up the score for BAYES_99, BAYES_999? Or might there be a
> way to ignore DNSWL scores if they have a high bayes score?

- Report the full message to DNSWL?
- Provide more information about the message, such as e.g. the Received: headers as well, or even better: The full message in question?

-- 
Med venlig hilsen / Kind regards,
Arne Jensen
Re: Getting different SA scores when using -R argument with spamc
On 2021-04-06 02:32 PM, Bill Cole wrote:

> PLEASE NOTE: I read the mailing list obsessively and DO NOT NEED (or want) the extra copies sent when you send both to me and to the list.

Sorry, I still haven't figured out how to properly respond. When I hit "reply all" it cc's the list and sends to you. When I hit just "reply" it only sends to you. I've manually deleted you from the "To" box and am sending it directly to the list here. Hopefully that fixes things up.

> Since the scores being added during delivery are much richer, detecting enough info to do SPF and DKIM analysis, I am 99.9% certain that the format of 'some_email' is mangled, probably missing critical headers or using CR linebreaks instead of proper LFs.

Hmm, this is on a linux box, so I'm not sure how it could be screwing up the line breaks. Is it possible that when spamd injects the scores before the body of the email, it is screwing things up? Here is the email as it sits in my inbox now, which is after it gets processed by spamd. I was under the impression that an email that had already been processed by SA could be processed again and it would ignore any modifications made by earlier passes through SA.

Return-Path:
Delivered-To: s...@exmaple.com
Received: from email.exmaple.com by email.exmaple.com with LMTP id kAhSKc1dY2BCKgAAB604Gw (envelope-from ) for ; Tue, 30 Mar 2021 13:20:13 -0400
Received: by email.exmaple.com (Postfix, from userid 115) id A64BE200C8; Tue, 30 Mar 2021 13:20:13 -0400 (EDT)
Received: from localhost by email.exmaple.com with SpamAssassin (version 3.4.2); Tue, 30 Mar 2021 13:20:13 -0400
From: "Home Warranty - AHS"
To:
Subject: *SPAM* It's getting warmer, are you covered?
Date: Tue, 30 Mar 2021 05:18:34 -0700
Message-Id:
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on email.exmaple.com
X-Spam-Flag: YES
X-Spam-Level: *
X-Spam-Status: Yes, score=5.2 required=5.0 tests=BAYES_99,BAYES_999,
	DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
	HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H2,
	SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
	autolearn_force=no version=3.4.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_60635DCD.A0F5D194"

This is a multi-part message in MIME format.

----=_60635DCD.A0F5D194
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "email.exmaple.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details.

Content preview: Your AHS Home Warranty covers the repair or replacement of many system and appliance breakdowns, but not necessarily the entire system or appliance. Please refer to your contract for details. American Home Shield 150 Peabody Pl., Memphis, TN 38103. Unsubscribe | Privacy Policy © 2021 American Home Shield Corporation. All rights reserved.

Content analysis details: (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.]
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/, low trust
                            [69.252.207.38 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [69.252.207.38 listed in wl.mailspike.net]
 1.6 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

----=_60635DCD.A0F5D194
Content-Type: message/rfc822; x-spam-type=original
Content-D
Re: Getting different SA scores when using -R argument with spamc
PLEASE NOTE: I read the mailing list obsessively and DO NOT NEED (or want) the extra copies sent when you send both to me and to the list.

On 6 Apr 2021, at 14:17, Steve Dondley wrote:

>> Can you provide a working example message AND the operative user prefs?
>
> OK, I was being very stupid. It finally dawned on me that the SA scores that appeared above the message body and below the headers when spamc was run without the -R option were SA scores embedded in the message by the postfix software and were not getting generated by spamc. But that doesn't change the fact that the spamassassin score that is generated by the postfix command is different than what I'm getting directly on the command line. Here's what is in my postfix master.cf file:
>
> spamassassin unix - n n - - pipe
>   user=debian-spamd argv=/usr/bin/spamc -u ${user} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Nitpick: Postfix is not adding the score report in the header, spamd is. That line hands off the message to spamc, which sends it to spamd and gets back a scored copy, which it then re-injects via sendmail (which is actually part of Postfix...)

>> spamassassin --prefs-file user_prefs_file -D all < some_email
>>
>> Does the score and hits match one of your spamc tests?
>
> No. The headers have a different score and the tests are different. It's scored only as 2.6 with BAYES_50 while what was embedded in the email by postfix had a BAYES_99 and BAYES_999 and scored 5.2. postfix score also shows RCVD_IN_DNSWL_LOW while running from the command line does not show any such test hit. And I cannot reproduce the SA scores embedded in the email by postfix even if I log in as user "s" and run this command:
>
> spamassassin --prefs-file=/home/s/.spamassassin/user_prefs -t < some_email
>
> So I'm not sure what's going on.

Since the scores being added during delivery are much richer, detecting enough info to do SPF and DKIM analysis, I am 99.9% certain that the format of 'some_email' is mangled, probably missing critical headers or using CR linebreaks instead of proper LFs.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Getting different SA scores when using -R argument with spamc
> Can you provide a working example message AND the operative user prefs?

OK, I was being very stupid. It finally dawned on me that the SA scores that appeared above the message body and below the headers when spamc was run without the -R option were SA scores embedded in the message by the postfix software and were not getting generated by spamc. But that doesn't change the fact that the spamassassin score that is generated by the postfix command is different than what I'm getting directly on the command line. Here's what is in my postfix master.cf file:

spamassassin unix - n n - - pipe
  user=debian-spamd argv=/usr/bin/spamc -u ${user} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

> spamassassin --prefs-file user_prefs_file -D all < some_email
>
> Does the score and hits match one of your spamc tests?

No. The headers have a different score and the tests are different. It's scored only as 2.6 with BAYES_50 while what was embedded in the email by postfix had a BAYES_99 and BAYES_999 and scored 5.2. postfix score also shows RCVD_IN_DNSWL_LOW while running from the command line does not show any such test hit. And I cannot reproduce the SA scores embedded in the email by postfix even if I log in as user "s" and run this command:

spamassassin --prefs-file=/home/s/.spamassassin/user_prefs -t < some_email

So I'm not sure what's going on.
Re: Getting different SA scores when using -R argument with spamc
On 6 Apr 2021, at 12:54, Steve Dondley wrote: When I run spamc without -R option like this: spamc -u some_user < some_email I get the following output: [...] However, when I run this command on the same email with the -R command to get the SA scores only like this: spamc -R -u some_user < some_email I get this output: [...] Notice the scores are totally different. Also, rules related to parsing the headers are wildly different. That shouldn't happen with the same input. I suspect a subtle difference between your inputs. According to man page, -R says: Just output the SpamAssassin report text to stdout, for all messages. See -r for details of the output format used. So why are the scores different with and without the -R option? Dunno. I cannot reproduce it despite trying with the last 50 messages to be seen by my mail server. I'm trying another 125 also but I don't really expect to see differences. Can you provide a working example message AND the operative user prefs? Run this: spamassassin --prefs-file user_prefs_file -D all < some_email Does the score and hits match one of your spamc tests? -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
Re: DNSWL overriding bayes_99 and bayes_999 rules
On 6 Apr 2021, at 11:48, Steve Dondley wrote:

> I have emails that have been flagged as spam in the past but that are still getting through, presumably because the servers are on some DNSWL.
>
> Example:
>
> X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
> 	DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
> 	HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,
> 	SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
> 	autolearn_force=no version=3.4.2
>
> What's the recommended way to handle these? Do I turn on shortcircuit?

Certainly NOT for Bayes, since it is fairly common for Bayes to be simply wrong on essentially random messages. I personally don't think shortcircuit qualifies as a generally useful feature in the modern world.

> Do I bump up the score for BAYES_99, BAYES_999? Or might there be a way to ignore DNSWL scores if they have a high bayes score?

Rather than constructing a meta-rule for just that case, I adjust scores:

score RCVD_IN_DNSWL_HI -2
score BAYES_00 -1.0
score BAYES_999 0.5

Because DNSWL has problematic sources, BAYES_00 is not really a great ham indicator, and BAYES_999 is better than the default score gives it credit for. YMMV!

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Getting different SA scores when using -R argument with spamc
When I run spamc without the -R option like this:

spamc -u some_user < some_email

I get the following output:

This is a multi-part message in MIME format.

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.]
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/, low trust
                            [69.252.207.38 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [69.252.207.38 listed in wl.mailspike.net]
 1.6 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
===

However, when I run this command on the same email with the -R option to get the SA scores only, like this:

spamc -R -u some_user < some_email

I get this output:

===
2.6/5.0
Spam detection software, running on the system "email.dondley.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Spam detection software, running on the system
   "email.dondley.com", has identified this incoming email as possible spam.
   The original message has been attached to this so you can view it or label
   simi [...]

Content analysis details:   (2.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 1.6 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area

Notice the scores are totally different. According to the man page, -R says:

    Just output the SpamAssassin report text to stdout, for all messages.
    See -r for details of the output format used.

So why are the scores different with and without the -R option?
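When two spamc runs disagree like this, the first thing to check is which rules fired in each run, not just the totals. The following is an added example (not code from the post or from SpamAssassin) that parses the "Content analysis details" table into per-rule points and diffs two runs. The two reports are reconstructed from the output quoted in the question, with the column spacing spamc normally emits restored, and are constructed samples here:

```python
"""Parse SpamAssassin "Content analysis details" tables and diff two runs."""
import re
from typing import Dict, List, Tuple

RuleTable = Dict[str, Tuple[float, str]]   # rule name -> (points, description)

# Constructed sample: the run without -R, as quoted in the question.
REPORT_NO_R = """\
Content analysis details:   (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/, low trust
                            [69.252.207.38 listed in list.dnswl.org]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [69.252.207.38 listed in wl.mailspike.net]
 1.6 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
"""

# Constructed sample: the run with -R, as quoted in the question.
REPORT_R = """\
Content analysis details:   (2.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 1.6 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
"""

HEADER_RE = re.compile(r"Content analysis details:\s*\((-?[\d.]+) points, ([\d.]+) required\)")
# A table row starts with the points and an upper-case rule identifier; an
# indented free-text continuation line never matches this pattern.
ROW_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(\S.*)$")


def parse_report(text: str) -> Tuple[float, float, RuleTable]:
    """Return (reported total, required threshold, {rule: (points, description)})."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no 'Content analysis details' line in input")
    total, required = float(m.group(1)), float(m.group(2))
    rules: RuleTable = {}
    last = ""
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("----")   # ruler under the column headings
            continue
        row = ROW_RE.match(line)
        if row:
            last = row.group(2)
            rules[last] = (float(row.group(1)), row.group(3).strip())
        elif line.strip() and last:
            pts, desc = rules[last]                 # continuation of the description
            rules[last] = (pts, desc + " " + line.strip())
    return total, required, rules


def points_sum(rules: RuleTable) -> float:
    """Recompute the total from the rows, to check it against the reported one."""
    return round(sum(pts for pts, _ in rules.values()), 1)


def diff_runs(a: RuleTable, b: RuleTable) -> Dict[str, List[str]]:
    """Rules that fired in only one run, and shared rules whose points differ."""
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "points_changed": sorted(r for r in set(a) & set(b) if a[r][0] != b[r][0]),
    }


if __name__ == "__main__":
    total_a, req, rules_a = parse_report(REPORT_NO_R)
    total_b, _, rules_b = parse_report(REPORT_R)
    print(f"run A: {total_a}/{req} (rows sum to {points_sum(rules_a)})")
    print(f"run B: {total_b}/{req} (rows sum to {points_sum(rules_b)})")
    for key, names in diff_runs(rules_a, rules_b).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

For the two reports quoted here the diff shows that almost no rule is shared: the first run hit BAYES_99/BAYES_999, SPF and DKIM rules, while the second hit BAYES_50, NO_RELAYS and HEADER_FROM_DIFFERENT_DOMAINS. The rule sets, not just the scores, differ, which is what to look at before touching any score.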
Re: DNSWL overriding bayes_99 and bayes_999 rules
Steve Dondley writes:

> I have emails that have been flagged as spam in the past but that are
> still getting through, presumably because the servers are on some
> DNSWL.
>
> Example:
>
> X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
>         DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
>         HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,
>         SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
>         autolearn_force=no version=3.4.2
>
> What's the recommended way to handle these? Do I turn on shortcircuit?
> Do I bump up the score for BAYES_99, BAYES_999? Or might there be a
> way to ignore DNSWL scores if they have a high bayes score?

First, run spamassassin -t on the raw file, so you can see all the scores.

You can and probably should report spam to dnswl. In theory HI should have essentially no spam. I look at spam that gets to INBOX (which means scores < 1, as I bin into "not spam", "maybe" and "spam") and semi-look at "maybe" spam, and I haven't been noticing spam from DNSWL_MED or DNSWL_HI.

There may be some way to ignore DNSWL_HI for that particular domain, basically removing it for you. I'd expect dnsbl_skip, but I have no idea.

After that, you can think about score tweaks. Perhaps interesting about DNSWL_HI and SPF_SOFTFAIL, but probably not actually interesting. Certainly you can make a meta rule that looks at BAYES_999, DATE_IN_PAST_03_06, and DNSWL_HI and if so cancels the DNSWL_HI. But, DNSWL_HI is meant to be a presumption of non-spam, so you can also turn down DNSWL_HI, making -5 down to -2, or even put it at -0.01 so it is essentially advisory. I of course don't know how much of your legit mail is being saved from high scores by DNSWL_HI.

But do report it and let us know how that goes. It's an interesting question how that's handled.
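Before changing scores it helps to see what each of the proposals in this thread (Bill Cole's score adjustments, turning RCVD_IN_DNSWL_HI down to an advisory -0.01, or a meta rule that cancels DNSWL_HI) would do to the message in question. The block below is an added example, not code from either reply: it unfolds the X-Spam-Status header quoted above and re-scores its hits under each alternative. The per-rule default scores are an assumption taken from the spamc output quoted elsewhere on this page plus the -5 default for RCVD_IN_DNSWL_HI mentioned in the reply; the meta-rule name L_DNSWL_HI_CANCEL is hypothetical.

```python
"""Re-score a message's X-Spam-Status hits under alternative SpamAssassin rule scores."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# ASSUMED default scores: copied from the spamc output quoted on this page and
# the -5 default for RCVD_IN_DNSWL_HI named in the reply. Confirm them on your
# own installation with `spamassassin -t` before relying on the arithmetic.
DEFAULT_SCORES: Dict[str, float] = {
    "BAYES_99": 3.5, "BAYES_999": 0.2, "DATE_IN_PAST_03_06": 1.6,
    "DKIM_SIGNED": 0.1, "DKIM_VALID": -0.1, "DKIM_VALID_AU": -0.1,
    "HTML_IMAGE_RATIO_02": 0.0, "HTML_MESSAGE": 0.0,
    "RCVD_IN_DNSWL_HI": -5.0, "RCVD_IN_MSPIKE_H2": -0.0,
    "SPF_HELO_NONE": 0.0, "SPF_SOFTFAIL": 0.7,
}

# Constructed sample: the folded header quoted in the original question.
HEADER = """X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
        DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
        HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,
        SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
        autolearn_force=no version=3.4.2"""

STATUS_RE = re.compile(r"score=(-?[\d.]+)\s+required=([\d.]+)\s+tests=([A-Z0-9_,]+)")

# Hypothetical local.cf equivalent of the meta rule suggested in the reply:
#   meta  L_DNSWL_HI_CANCEL  (RCVD_IN_DNSWL_HI && BAYES_999 && DATE_IN_PAST_03_06)
#   score L_DNSWL_HI_CANCEL  5.0
META_RULE = "L_DNSWL_HI_CANCEL"
META_TRIGGER = ("RCVD_IN_DNSWL_HI", "BAYES_999", "DATE_IN_PAST_03_06")


def parse_spam_status(header: str) -> Tuple[float, float, List[str]]:
    """Unfold the header and return (reported score, required, [rules that hit])."""
    # SpamAssassin folds the tests= list after commas, so dropping each newline
    # together with its indentation rejoins the list.
    unfolded = re.sub(r"\r?\n[ \t]+", "", header)
    m = STATUS_RE.search(unfolded)
    if m is None:
        raise ValueError("not an X-Spam-Status header with a tests= list")
    return float(m.group(1)), float(m.group(2)), m.group(3).split(",")


def rescore(hits: Iterable[str], scores: Dict[str, float],
            overrides: Optional[Dict[str, float]] = None) -> float:
    """Total the hits under `scores`, with `overrides` applied like local.cf score lines."""
    hits = list(hits)
    table = {**scores, **(overrides or {})}
    missing = [r for r in hits if r not in table]
    if missing:
        raise KeyError(f"no score known for {missing}")
    return round(sum(table[r] for r in hits), 1)


def apply_dnswl_cancel(hits: List[str]) -> List[str]:
    """Emulate the meta rule: add the cancelling hit when all trigger rules fired."""
    if all(r in hits for r in META_TRIGGER):
        return hits + [META_RULE]
    return hits


def compare_strategies(header: str) -> Dict[str, float]:
    """Score the same hits under each proposal from the thread."""
    reported, required, hits = parse_spam_status(header)
    return {
        "reported": reported,
        "required": required,
        "default": rescore(hits, DEFAULT_SCORES),
        # Bill Cole's adjustments (BAYES_00 included for fidelity; it did not hit here).
        "adjusted_scores": rescore(hits, DEFAULT_SCORES,
                                   {"RCVD_IN_DNSWL_HI": -2.0, "BAYES_00": -1.0, "BAYES_999": 0.5}),
        # DNSWL_HI turned into an advisory rule.
        "dnswl_hi_advisory": rescore(hits, DEFAULT_SCORES, {"RCVD_IN_DNSWL_HI": -0.01}),
        # Meta rule cancelling DNSWL_HI when the trigger combination fires.
        "meta_cancel": rescore(apply_dnswl_cancel(hits), DEFAULT_SCORES,
                               {META_RULE: -DEFAULT_SCORES["RCVD_IN_DNSWL_HI"]}),
    }


if __name__ == "__main__":
    for name, value in compare_strategies(HEADER).items():
        print(f"{name:>18}: {value}")
```

Under these assumed defaults the re-computed total reproduces the header's 0.9, which is the sanity check that the score table is right. The adjusted scores move the message to 4.2, still under the 5.0 threshold, while both the advisory setting and the meta rule push it to 5.9; which of those is acceptable depends on how much legitimate mail RCVD_IN_DNSWL_HI is currently rescuing, exactly the unknown the reply points out.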
Re: OT: Re: Unsubscribe link at the bottom.
On 4/6/21 8:34 AM, John Hardin wrote:
> What ticks me off is an unsubscribe link that goes to a javascript-heavy page and that *won't work* without javascript.
>
> And an unsubscribe link with a huge identifying key on it, yet the unsubscribe page still asks you to enter your email address...

Ya. Those types of senders usually end up banned on my server with a custom comment to that effect.

-- 
Grant. . . .
unix || die
DNSWL overriding bayes_99 and bayes_999 rules
I have emails that have been flagged as spam in the past but that are still getting through, presumably because the servers are on some DNSWL.

Example:

X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
        DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
        HTML_IMAGE_RATIO_02,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,
        SPF_HELO_NONE,SPF_SOFTFAIL shortcircuit=no autolearn=no
        autolearn_force=no version=3.4.2

What's the recommended way to handle these? Do I turn on shortcircuit? Do I bump up the score for BAYES_99, BAYES_999? Or might there be a way to ignore DNSWL scores if they have a high bayes score?
Re: google.com spam
Matus UHLAR - fantomas wrote:
> I see they are evolving now, using google redirects to google links, further hiding.
>
> https://www.google.com/url?q=https://sites.google.com/

I've just created local rules to give a few points to several such constructs, ranging from a low-scoring hit on just having http(s) more than once in the URI to various explicit pairs of Google Service A -> Google Service B. I've also handed out a few 0.5 scores just for hitting any one of those services.

I've also been targeting (ab)use of the "data-saferedirecturl" attribute in <a> tags, because for the life of me I can NOT figure out what valid use case it has that can't be (and as best I can tell, absolutely IS) trivially abused. I'm eyeing the "title" attribute much the same way; both appear to interfere with what shows up in the lower-left corner of the screen to show where the link is supposedly going. IMO if that popup/status bar info does NOT show the exact URL from the href attribute, that client is Doing It Wrong.

-kgd
Re: "Please send us a quote..."?
John Hardin wrote:
> Can anybody explain to me the reason behind the blind "please send us a quote for your product X" emails? I mean, I know they are somehow a scam, but I can't figure it out how it's supposed to work when the target isn't a business...

Most of the examples I've seen are arguably virus emails, on the basis of an attached archive file with a .exe in it.

-kgd
Re: "Please send us a quote..."?
On 2021-04-06 10:13 a.m., RW wrote:
> On Mon, 5 Apr 2021 18:30:31 -0700 (PDT)
> John Hardin wrote:
>
>> Can anybody explain to me the reason behind the blind "please send us a quote for your product X" emails? I mean, I know they are somehow a scam, but I can't figure it out how it's supposed to work when the target isn't a business...
>
> It may just be an attempt to soften-up the spam filtering. TxRep, for example, is vulnerable to that tactic.

Replying in many cases also adds the recipient to the local user whitelist/address book, which improves the chance of future inbox delivery on subsequent messages.

~ MV
Re: OT: Re: Unsubscribe link at the bottom.
On Mon, 5 Apr 2021, Grant Taylor wrote:

> On 4/5/21 8:41 PM, Peter West wrote:
>> I'd agree it's address verification, as with the Unsubscribe link at the bottom.
>
> I'm of the opinion that if I have any inkling of knowledge of the company sending the email, and SPF/DKIM/DMARC pass, I'll probably use the unsubscribe link.
>
> Recently I ran into a 404 from the unsubscribe link from a company that my wife did business with. *facepalm*

What ticks me off is an unsubscribe link that goes to a javascript-heavy page and that *won't work* without javascript.

And an unsubscribe link with a huge identifying key on it, yet the unsubscribe page still asks you to enter your email address...

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.  -- Sean Davis
---
 7 days until Thomas Jefferson's 278th Birthday
Re: "Please send us a quote..."?
On Mon, 5 Apr 2021 18:30:31 -0700 (PDT)
John Hardin wrote:

> Can anybody explain to me the reason behind the blind "please send us
> a quote for your product X" emails? I mean, I know they are
> somehow a scam, but I can't figure it out how it's supposed to work
> when the target isn't a business...

It may just be an attempt to soften-up the spam filtering. TxRep, for example, is vulnerable to that tactic.
Re: google.com spam
An update to this:

On 04.04.21 12:54, Matus UHLAR - fantomas wrote:
> I have received spam from:
>
> From: "Linda marry (via Google Drive)"
>
> it wasn't caught because of:
>
> 60_whitelist_auth.cf:def_welcomelist_auth *@google.com
>
> Now that users can abuse google.com domain, isn't it time to remove
> *@google.com from def_whitelist_* ?
>
> the full header:
>
> X-Spam-Report:
>      *  3.5 L_URIBL_FANTOMAS contains locally blocklisted URI
>      *      [URIs: sites.google.com]
>      * -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM
>      *      white-list

I see they are evolving now, using google redirects to google links, further hiding.

Subject: Husband is outside from home for two month
From: "Sarah Babe (via Google Docs)"

[1]sa...@bestusaproduct.com has attached the following document:

Husband is outside from home for two month

Snapshot of the item below:

First time attempting this. He will NOT be present. Husband is outside from home for two month. Seeking a horny guys who like blow job. Will be at my apartment. I'm game for whatever. No I'm not going to ask you to go to another site. If U real hit me on my [2]Facebook Profile. I will call you after add me. My Pic, Videos Number and details Here: [3]Login After submit your email checks the spam or inbox massage, to get my phone number.

Google Docs: Create and edit documents online.
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

[5]Logo for Google Docs

You have received this email because [4]sa...@bestusaproduct.com shared a document with you from Google Docs.

References

   Visible links
   1. mailto:sa...@bestusaproduct.com
   2. https://www.google.com/url?q=https://sites.google.com/view/privatedate0/home&sa=D&source=editors&ust=161765771651&usg=AOvVaw30LDkVa5l018jaWFV4lSAv
   3. https://www.google.com/url?q=https://sites.google.com/view/privatedate0/home&sa=D&source=editors&ust=1617657716511000&usg=AOvVaw1vJ3q82cTvOBs37YX7kXUX
   4. mailto:sa...@bestusaproduct.com
   5. http://drive.google.com/

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT wish to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
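The redirect links in the sample above (www.google.com/url?q=https://sites.google.com/...) are the "Google Service A -> Google Service B" construct that Kris Deugau's local rules in this thread target, alongside URIs that contain http(s) more than once and links carrying a data-saferedirecturl attribute. The block below is an added example, not code from either post or from SpamAssassin: it pulls links out of an HTML body with the standard library and applies those three heuristics. The rule names (L_ prefix) and point values are assumptions chosen here, as are the sample HTML fragments, which are constructed to resemble the sample rather than copied from it.

```python
"""Flag Google-to-Google redirect links and data-saferedirecturl in HTML bodies."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# ASSUMED point values, loosely following the "low-scoring" / "a few points"
# description in the thread; tune against your own ham and spam corpus.
POINTS: Dict[str, float] = {
    "L_URI_DOUBLE_SCHEME": 0.5,        # http(s):// appears more than once in one URI
    "L_GOOGLE_REDIR_TO_GOOGLE": 2.0,   # www.google.com/url?q= pointing at a google.com host
    "L_DATA_SAFEREDIRECTURL": 1.0,     # <a> tag carries a data-saferedirecturl attribute
}
# Sketched local.cf counterparts (hypothetical rule names, written here, not from the post):
#   uri     L_GOOGLE_REDIR_TO_GOOGLE  m{^https?://www\.google\.com/url\?q=https?(?:://|%3A%2F%2F)[^/&%]*\.google\.com}i
#   rawbody L_DATA_SAFEREDIRECTURL    /data-saferedirecturl=/i

# Constructed samples resembling the quoted message and a plain newsletter link.
SPAM_HTML = """\
<p>My Pic, Videos Number and details Here:
<a href="https://www.google.com/url?q=https://sites.google.com/view/example-site/home&amp;sa=D&amp;source=editors"
   data-saferedirecturl="https://www.google.com/url?q=https://sites.google.com/view/example-site/home">Login</a></p>
<p><a href="https://docs.google.com/document/d/EXAMPLE-ID/edit">Open in Google Docs</a></p>
"""
HAM_HTML = '<p>Release notes: <a href="https://www.example.org/news/2021-04">read more</a></p>'

SCHEME_RE = re.compile(r"https?://", re.IGNORECASE)
GOOGLE_HOST_RE = re.compile(r"(^|\.)google\.com$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect href and data-saferedirecturl values from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []
        self.saferedirects: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag != "a":
            return
        for name, value in attrs:        # attribute values arrive already unescaped
            if not value:
                continue
            if name == "href":
                self.hrefs.append(value)
            elif name == "data-saferedirecturl":
                self.saferedirects.append(value)


def nested_scheme_count(uri: str) -> int:
    """Number of http(s):// prefixes in the URI once percent-encoding is undone."""
    return len(SCHEME_RE.findall(unquote(uri)))


def google_redirect_target(uri: str) -> Optional[str]:
    """Host of the q= target for a www.google.com/url redirect, else None."""
    parts = urlsplit(uri)
    if parts.hostname != "www.google.com" or parts.path != "/url":
        return None
    q = parse_qs(parts.query).get("q")     # parse_qs percent-decodes the value
    return urlsplit(q[0]).hostname if q else None


def score_links(html: str) -> List[Tuple[str, float]]:
    """Return the (rule, points) hits for the links in an HTML body, sorted by rule."""
    collector = LinkCollector()
    collector.feed(html)
    hits: Dict[str, float] = {}
    for uri in collector.hrefs:
        if nested_scheme_count(uri) > 1:
            hits["L_URI_DOUBLE_SCHEME"] = POINTS["L_URI_DOUBLE_SCHEME"]
        target = google_redirect_target(uri)
        if target and GOOGLE_HOST_RE.search(target):
            hits["L_GOOGLE_REDIR_TO_GOOGLE"] = POINTS["L_GOOGLE_REDIR_TO_GOOGLE"]
    if collector.saferedirects:
        hits["L_DATA_SAFEREDIRECTURL"] = POINTS["L_DATA_SAFEREDIRECTURL"]
    return sorted(hits.items())


def total_points(html: str) -> float:
    return round(sum(points for _, points in score_links(html)), 1)


if __name__ == "__main__":
    for label, body in (("spam sample", SPAM_HTML), ("ham sample", HAM_HTML)):
        print(f"{label}: {score_links(body)} -> {total_points(body)} points")
```

The redirect check deliberately parses the URI rather than pattern-matching the raw string, so an encoded q=https%3A%2F%2F... target is caught the same way as the unencoded form in the sample. The docs.google.com link in the spam sample is left alone by the redirect rule, which is why a separate low-scoring hit "just for hitting any one of those services", as the post describes, is a distinct rule rather than part of this one.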
Re: Problem installing sa on my pi 3b+
On Tue, 6 Apr 2021 03:29:12 +0200
Christian Tasler wrote:

> Ok, maybe I'll need more than just a hint as I understood mostly
> nothing. I am running said packet install from an internet tutorial.
> I cannot do anything between issuing that command and the printout of
> the error. So how am I supposed to comment anything out? And
> when/where to issue that loadplugin command?
> I can't even tell which version the apt-get is fetching.
>
> I did hope for such hints like "missing params" or "not enough ram"
> when I asked for hints but with such in-depth advice I am totally
> lost. Thus any help (noob-level !) would be greatly appreciated.

I didn't realize that was from within a package installer. If you can ignore the error and proceed you should do so. Otherwise you'll have to take it up with the package maintainer.

Commenting-out that line just prevents SA from trying to use compiled rules. Actually I see that this is commented by default anyway.