Rebuilding SpamAssassin: which linux distribution?
I decided to create a pool of spamassassin instances queried from our frontier exim mta. Can you please tell me which linux distribution has the best support, quicker updates and plugins for SpamAssassin? I'd prefer not to install from sources, but if you think it's better, please tell me. Thank you
Re: AuthRes plugin (replay RBL queries one hour later)
On Wed, Mar 01, 2023 at 04:46:27PM +0100, Matus UHLAR - fantomas wrote: > > 1. "header.a=rsa-sha256" and "header.s=hege2" options in > Authentication-Results: for dkim where "a" contains algorithm and "s" the > used selector. > > 2. unknown "arc" Authentication-Results: header > > removing mentioned fields in the first header caused one less error message > and A_DKIM_VERIFIED hit. > > removing second header removed error messages completely Fixed these in trunk..
Re: AuthRes plugin (replay RBL queries one hour later)
Matus UHLAR - fantomas skrev den 2023-03-01 15:40: so, if your mail doesn't get delivered within 1.5 seconds and the DKIM signature expires on the fly, the mail gets dropped from mail server? On 01.03.23 16:33, Benny Pedersen wrote: no, aligned spf pass from facebook, and even on unaligned i do not reject dkim fails, this is a job for dmarc I was asking about outgoing mail being removed from the queue after their DKIM signature expires. I would not expect anyone to use DKIM expiration shorter than queue lifetime of mail. Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already uses Authentication-Results: header if it exists. double checking arc spf then ? i have not checked perlcode yet ? SPF, DKIM and DMARC headers should use results of Authentication-Results: headers (optionally?) only if they produce positive result. i only wish arc plugin would be in dmarc core so the extra plugin is not needed that fits for how arc using should be trusting ARC requires configuring server to trust ARC authority. So it's a little use usually. authres is only if you would forward mails to another finaly dmarc testing authres is great, if you validate mail before you scan for spamminess. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. (R)etry, (A)bort, (C)ancer
Re: AuthRes plugin (replay RBL queries one hour later)
On 01.03.23 11:55, Henrik K wrote: Bah, I think it was tested as atleast working without errors. I'll have a look.. On 01.03.23 11:04, Matus UHLAR - fantomas wrote: yes, it's working at least partly: Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li Authentication-Results: fantomas.fantomas.sk; dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E; dkim-atps=neutral Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF authorized) smtp.mailfrom=spamassassin.apache.org (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org; envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache. org; receiver=) Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255 Mar 1 16:32:54.213 [30815] dbg: authres: parsing Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li Mar 1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: fantomas.fantomas.sk; dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E; dkim-atps=neutral Mar 1 16:32:54.214 [30815] dbg: authres: skipping header, unknown property for header: a Mar 1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF authorized) smtp.mailfrom=spamassassin.apache.org (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org; envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache. org; receiver=) Mar 1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255 Mar 1 16:32:54.214 [30815] dbg: authres: skipping header, unknown method: arc Mar 1 16:32:54.214 [30815] dbg: authres: results: dmarc=none spf=pass Mar 1 16:32:55.618 [30815] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. Mar 1 16:32:55.618 [30815] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. after editing headers I see that errors are caused by 1. "header.a=rsa-sha256" and "header.s=hege2" options in Authentication-Results: for dkim where "a" contains algorithm and "s" the used selector. 2. unknown "arc" Authentication-Results: header removing mentioned fields in the first header caused one less error message and A_DKIM_VERIFIED hit. removing second header removed error messages completely -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist "So does syphillis. Good thing we have penicillin." - Matthew Alton
Re: AuthRes plugin (replay RBL queries one hour later)
Matus UHLAR - fantomas skrev den 2023-03-01 15:40: so, if your mail doesn't get delivered within 1.5 seconds and the DKIM signature expires on the fly, the mail gets dropped from mail server? no, aligned spf pass from facebook, and even on unaligned i do not reject dkim fails, this is a job for dmarc this plugin is ment to be in core dmarc plugin not as a seperate plugin imho, that sayed it need config :) It should be stable first. +1, it cant be since its only localy trustness first Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already uses Authentication-Results: header if it exists. double checking arc spf then ? i have not checked perlcode yet SPF, DKIM and DMARC headers should use results of Authentication-Results: headers (optionally?) only if they produce positive result. i only wish arc plugin would be in dmarc core so the extra plugin is not needed that fits for how arc using should be authres is only if you would forward mails to another finaly dmarc testing Forced revalidation should be possible, although I have no idea how to implement it. +1
Re: AuthRes plugin (replay RBL queries one hour later)
Matus UHLAR - fantomas skrev den 2023-03-01 09:56: I hope these senders expire their e-mail 1.5 hours after sending... On 01.03.23 13:35, Benny Pedersen wrote: facebook can do it in 1.5 sekunds :) so, if your mail doesn't get delivered within 1.5 seconds and the DKIM signature expires on the fly, the mail gets dropped from mail server? This should be avoidable by using opendkim at SMTP time, and using Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules aren't rechecked if they are this plugin is ment to be in core dmarc plugin not as a seperate plugin imho, that sayed it need config :) It should be stable first. Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already uses Authentication-Results: header if it exists. SPF, DKIM and DMARC headers should use results of Authentication-Results: headers (optionally?) only if they produce positive result. Forced revalidation should be possible, although I have no idea how to implement it. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Atheism is a non-prophet organization.
Re: The rewrite_header Subject [SPAM] directive has stopped working?!
On 2023-03-01 at 02:52:10 UTC-0500 (Wed, 1 Mar 2023 08:52:10 +0100) David Bürgin is rumored to have said: Bill Cole: If your mailstore uses mbox or Maildir, the unmaintained antique software named "procmail" could be used for delivery. As an antique myself, I use it, but I cannot in good conscience recommend anyone else adopt it de novo. It looks like procmail is maintained again, by the original author even (with interesting background on the procmail code, too): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006633#24 I rescind my warning. That is very good news, as there is nothing that quite replaces it. Translating my personal .procmailrc to Sieve has been on my 'to do' list for longer than I've used SpamAssassin. Also very good news there from the author that he has integrated most of the Debian patches and fixed all of the bug backlog. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire
Re: BAYES scores
joe a skrev den 2023-02-28 17:37: Curious as to why these scores, apparently "stock" are what they are. I'd expect BAYES_999 BODY to count more than BAYES_99 BODY. Noted in a header this morning: * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% * [score: 1.] * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% * [score: 1.] Was this discussed recently? I added a local score to mollify my sense of propriety. what does it solve for you ? maybe it could be changed to not overlap on scores, but what should scores change ?
Re: AuthRes plugin (replay RBL queries one hour later)
Matus UHLAR - fantomas skrev den 2023-03-01 10:50: . Mar 1 10:47:17.689 [19813] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. spamassassin --version ? aurhres was in 3.4.6 aswell is why i ask authres in 4.0.0 does imho not make that error
Re: AuthRes plugin (replay RBL queries one hour later)
Henrik K skrev den 2023-03-01 10:28: On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote: I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available. However, I don't see AuthRes plugin mention in .pre files nor in SA rules. Because it's experimental and unfinished. logic is aswell why should spf pluging be enabled to test if arc chain pass spf ? same problem with dkim imho aslong forwarders insists on doing dkim sign and leave arc seal and arc sign :/ I will try to load it to see if it works. You also need rules for it to do anything. No plugin uses it's parsing at this time. its aswell good to define trustness in this senario, this is more or less bogos :) Try the example rules and report back if it works.. https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html it does not, how should dmarc plugin use this ? dmarc only works with A-R headers imho, not internal data as in spamassassin, okay first step first :)
Re: AuthRes plugin (replay RBL queries one hour later)
Matus UHLAR - fantomas skrev den 2023-03-01 09:56: I hope these senders expire their e-mail 1.5 hours after sending... facebook can do it in 1.5 sekunds :) This should be avoidable by using opendkim at SMTP time, and using Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules aren't rechecked if they are this plugin is ment to be in core dmarc plugin not as a seperate plugin imho, that sayed it need config :) I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available. +1 However, I don't see AuthRes plugin mention in .pre files nor in SA rules. +1 I will try to load it to see if it works. share config if it does (lets share trustness)
Re: AuthRes plugin (replay RBL queries one hour later)
On 01.03.23 11:55, Henrik K wrote: Bah, I think it was tested as atleast working without errors. I'll have a look.. yes, it's working at least partly: Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li Authentication-Results: fantomas.fantomas.sk; dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E; dkim-atps=neutral Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF authorized) smtp.mailfrom=spamassassin.apache.org (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org; envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache. org; receiver=) Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255 X-Spam-Report: * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record * -0.0 SPF_PASS SPF: sender matches SPF record * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily * valid * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's * domain * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature * 0.0 A_SPF_PASS No description available. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Chernobyl was an Windows 95 beta test site.
Re: AuthRes plugin (replay RBL queries one hour later)
On Wed, Mar 01, 2023 at 10:50:02AM +0100, Matus UHLAR - fantomas wrote: > > On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote: > > > I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available. > > > > > > However, I don't see AuthRes plugin mention in .pre files nor in SA rules. > > On 01.03.23 11:28, Henrik K wrote: > > Because it's experimental and unfinished. > > this is the info I was searching for :-) Apparently any info was removed from UPGRADE too https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6918 > However, so far spamassassin --lint produces: > > Mar 1 10:40:36.659 [19493] warn: Use of uninitialized value $result in > string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. > Mar 1 10:40:36.661 [19493] warn: Use of uninitialized value $result in > string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. > Mar 1 10:40:36.661 [19493] warn: Use of uninitialized value $result in > string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. > Mar 1 10:40:36.662 [19493] warn: Use of uninitialized value $result in > string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. > Mar 1 10:40:36.663 [19493] warn: Use of uninitialized value $result in > string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. > Mar 1 10:40:36.666 [19493] warn: Use of uninitialized value $result in > string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. > > I guess it's missing the headers, when I pasted this your mail with headers: > > Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) > header.from=hege.li > Authentication-Results: fantomas.fantomas.sk; > dkim=pass (2048-bit key; unprotected) header.d=hege.li > header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=B6Wp55NL; > dkim-atps=neutral > Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF > authorized) smtp.mailfrom=spamassassin.apache.org > (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org; > > envelope-from=users-return-126602-uhlar=fantomas.sk@spamassassin.apache. > org; receiver=) > Authentication-Results: fantomas.fantomas.sk; arc=none > smtp.remote-ip=3.227.148.255 > > I only got two lines of errors: > > Mar 1 10:47:17.688 [19813] warn: Use of uninitialized value $result in > string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. > Mar 1 10:47:17.689 [19813] warn: Use of uninitialized value $result in > string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. Bah, I think it was tested as atleast working without errors. I'll have a look..
Re: AuthRes plugin (replay RBL queries one hour later)
On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote: I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available. However, I don't see AuthRes plugin mention in .pre files nor in SA rules. On 01.03.23 11:28, Henrik K wrote: Because it's experimental and unfinished. this is the info I was searching for :-) I will try to load it to see if it works. You also need rules for it to do anything. No plugin uses it's parsing at this time. I see as it's missing from SA rules. Try the example rules and report back if it works.. https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html I'll try to define another set of rules to see if they fit: header A_SPF_PASS eval:check_authres_result('spf', 'pass') score A_SPF_PASS 0.001 header A_SPF_FAIL eval:check_authres_result('spf', 'fail') score A_SPF_FAIL 0.1 header A_SPF_SOFTFAIL eval:check_authres_result('spf', 'softfail') score A_SPF_SOFTFAIL 0.1 header A_SPF_TEMPFAIL eval:check_authres_result('spf', 'tempfail') score A_SPF_SOFTFAIL 0.1 header A_DKIM_VERIFIED eval:check_authres_result('dkim', 'pass') score A_DKIM_VERIFIED 0.1 header A_DKIM_INVALID eval:check_authres_result('dkim', 'fail') score A_DKIM_INVALID 0.001 However, so far spamassassin --lint produces: Mar 1 10:40:36.659 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. Mar 1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. Mar 1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. Mar 1 10:40:36.662 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. Mar 1 10:40:36.663 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. Mar 1 10:40:36.666 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. I guess it's missing the headers, when I pasted this your mail with headers: Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li Authentication-Results: fantomas.fantomas.sk; dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=B6Wp55NL; dkim-atps=neutral Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF authorized) smtp.mailfrom=spamassassin.apache.org (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org; envelope-from=users-return-126602-uhlar=fantomas.sk@spamassassin.apache. org; receiver=) Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255 I only got two lines of errors: Mar 1 10:47:17.688 [19813] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. Mar 1 10:47:17.689 [19813] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Posli tento mail 100 svojim znamim - nech vidia aky si idiot Send this email to 100 your friends - let them see what an idiot you are
Re: AuthRes plugin (replay RBL queries one hour later)
On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote: > > I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available. > > However, I don't see AuthRes plugin mention in .pre files nor in SA rules. Because it's experimental and unfinished. > I will try to load it to see if it works. You also need rules for it to do anything. No plugin uses it's parsing at this time. Try the example rules and report back if it works.. https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html
AuthRes plugin (replay RBL queries one hour later)
Rob McEwen wrote: All I know for sure is this - for MANY legit emails - DKIM fails some days later On 28.02.23 12:52, Kris Deugau wrote: Hours. I've recently learned about this, in the context of trying to welcomelist legitimate senders. A 2-hour validity window for the DKIM signature is pretty common. :( I hope these senders expire their e-mail 1.5 hours after sending... This should be avoidable by using opendkim at SMTP time, and using Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules aren't rechecked if they are I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available. However, I don't see AuthRes plugin mention in .pre files nor in SA rules. I will try to load it to see if it works. - when it had originally worked/validated at the time the message was sent. I see this often in the real world when I rescan a message to try to verify the impact on a message that a spam filtering change caused - then notice that a very legit email that original passed DKIM at the time the message was received - now suddenly fails DKIM during this days-later rescan - and without ANY changes to the message itself. I think that this is most likely caused by DNS records for that DKIM being changed/updated. On most of those messages I expect it's an attribute set on the signature, not a rotated DKIM record. Look for "t=..." and "x=..." in the DKIM-Signature header. t= is the timestamp when it was signed, x= is when it expires. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. He who laughs last thinks slowest.