Re: Where are your test definitions?
On Fri, 14 Jun 2024, Bowie Bailey wrote:

> On 6/14/2024 10:39 AM, Thomas Barth via users wrote:
>> Hello,
>> I would like to explain to a sender what he can do to create an email that is not classified as spam.
>>
>> X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497, FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]
>
> You can get the definitions directly from the rule files. On my system, the updated rules are in /var/lib/spamassassin/3.004006/updates_spamassassin_org.
>
> describe RDNS_NONE Delivered to internal network by a host with no rDNS
> describe FONT_INVIS_MSGID Invisible text + suspicious message ID
> describe FONT_INVIS_NORDNS Invisible text + no rDNS
> describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS

You can also configure SA to include the rule descriptions in an X-Spam-Report header when the message is scored as "spammy". Take a look at config "report_safe 0".

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Users mistake widespread adoption of Microsoft Office for the development of a document format standard.
---
4 days until SWMBO's Birthday
Re: Where are your test definitions?
On 2024-06-14 at 17:33:22 UTC-0400 (Fri, 14 Jun 2024 23:33:22 +0200) Thomas Barth via users is rumored to have said:

> On 2024-06-14 21:20, Matus UHLAR - fantomas wrote:
>>> grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
>>> /var/lib/spamassassin/4.00/updates_spamassassin_org/72_active.cf: describe FONT_INVIS_NORDNS Invisible text + no rDNS
>>>
>>> In my case, I can say with certainty that the mail comes from a business partner of a colleague :-)
>>
>> If you want to find out more, feed the mail to "spamassassin -D" and that should explain which text matched which rules.
>>
>> and as we told you already, your client should NOT play with small or semi-invisible text in mail. That's what spammers do.
>
> Cool, but now I've more questions! :-)
>
> When the eMail arrived the score was 6.248. I repeat the testlist:
>
> BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497, FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01
>
> But when piping the eMail to spamassassin -D the score is 10.5! And RDNS_NONE gets a 1.3!

It is very likely (almost certain...) that your shell account and your mail server have different SpamAssassin configurations. Per-user configurations are in ~/.spamassassin/user_prefs by default, while the settings used by SpamAssassin via whatever glue you are using to hook into your MTA really depends on how you do that. Per-user prefs can change scores or even scoresets (i.e. using net and bayes or not) so you need to figure out which prefs each checking method is using. A single user also stands a strong chance of not having enough data learned into their own Bayes DB for it to be used, while a system-wide DB usually will.

The above list has a (favorable) BAYES score, the one below has none

> 2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist
>     [URI: www.example.com]
>     [URI: example.com]

That's a rule that is likely to hit on "aged" spam that it did not hit earlier, because it can take time for Spamhaus to list spammers like example.com... (I assume you've redacted to protect the definitely guilty.)

> 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
> 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
> 2.0 RELAYCOUNTRY_BAD Relayed through spammy country at some point
> 0.0 HTML_MESSAGE BODY: Nachricht enthält HTML
> -0.0 T_SCC_BODY_TEXT_LINE No description available.
> 1.2 FONT_INVIS_NORDNS Invisible text + no rDNS
> 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
> 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML
> 2.5 FONT_INVIS_MSGID Invisible text + suspicious message ID
> 0.0 HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
> 0.9 DMARC_NONE DMARC none policy
>
> Let's just assume that the colleague is corresponding with a spammer

OR: discussing a spammer, with domain names.

> and the colleague knows nothing about it. I'm just interested to know why the score is lower when the last mail arrived than in the current test. Is it because a few hours have already passed and the mail is rated differently in the DNS blocklists?

That's the URIBL_DBL_SPAM hit.

> Or could it be that something is still wrong with my configuration?

"Wrong" is such a judgy word... You have variances. Your MTA checks in one way, your shell checks in another.

> However, I can see in the journal that every mail is checked against blocklists, maybe not completely? This difference is now irritating me.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
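The variance discussed in this message can be broken down mechanically. The following is an added example, not part of the original post and not SpamAssassin code: it parses the X-Spam-Status header from delivery and the "spamassassin -D" report quoted in the thread, then separates rules that hit in only one run from rules that were scored differently. The function names and the 0.05 tolerance (used to ignore the report's rounding to one decimal) are assumptions of the example.

```python
import re

# Hit lists quoted in this thread; report descriptions are trimmed.
MTA_HEADER = (
    "X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5 tests=["
    "BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, "
    "DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497, "
    "FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001, "
    "RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, "
    "T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]"
)
SHELL_REPORT = """\
 2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist
     [URI: www.example.com]
 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
 0.1 DKIM_SIGNED Message has a DKIM or DK signature
 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
 2.0 RELAYCOUNTRY_BAD Relayed through spammy country at some point
 0.0 HTML_MESSAGE BODY: (localized description)
-0.0 T_SCC_BODY_TEXT_LINE No description available.
 1.2 FONT_INVIS_NORDNS Invisible text + no rDNS
 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors
 2.5 FONT_INVIS_MSGID Invisible text + suspicious message ID
 0.0 HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
 0.9 DMARC_NONE DMARC none policy
"""

def header_hits(header):
    """Return {rule: score} from the tests=[...] list of X-Spam-Status."""
    m = re.search(r"tests=\[([^\]]*)\]", header)
    pairs = (i.strip().partition("=") for i in m.group(1).split(",")) if m else ()
    return {name: float(score) for name, sep, score in pairs if sep}

def report_hits(report):
    """Return {rule: score} from 'score RULE description' report lines."""
    rows = (re.match(r"\s*(-?\d+(?:\.\d+)?)\s+([A-Z_][A-Z0-9_]*)\b", line)
            for line in report.splitlines())
    return {m.group(2): float(m.group(1)) for m in rows if m}

def compare(mta, shell, tolerance=0.05):
    """Separate rules that hit in only one run from rules whose score changed."""
    only_mta = sorted(set(mta) - set(shell))
    only_shell = sorted(set(shell) - set(mta))
    rescored = {r: (mta[r], shell[r]) for r in mta.keys() & shell.keys()
                if abs(mta[r] - shell[r]) >= tolerance}
    return only_mta, only_shell, rescored

if __name__ == "__main__":
    only_mta, only_shell, rescored = compare(header_hits(MTA_HEADER),
                                             report_hits(SHELL_REPORT))
    print("only at delivery:", only_mta)
    print("only in shell run:", only_shell)
    print("rescored:", rescored)
```

The rules present in only one run (BAYES_00 and the DKIM/DMARC/SPF results at delivery, URIBL_DBL_SPAM in the shell run) and the rescored RDNS_NONE and font rules are the kind of variance the message attributes to different preferences, Bayes data and blocklist timing.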
Re: Where are your test definitions?
On 2024-06-14 21:20, Matus UHLAR - fantomas wrote:

>> grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
>> /var/lib/spamassassin/4.00/updates_spamassassin_org/72_active.cf: describe FONT_INVIS_NORDNS Invisible text + no rDNS
>>
>> In my case, I can say with certainty that the mail comes from a business partner of a colleague :-)
>
> If you want to find out more, feed the mail to "spamassassin -D" and that should explain which text matched which rules.
>
> and as we told you already, your client should NOT play with small or semi-invisible text in mail. That's what spammers do.

Cool, but now I've more questions! :-)

When the eMail arrived the score was 6.248. I repeat the testlist:

BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497, FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01

But when piping the eMail to spamassassin -D the score is 10.5! And RDNS_NONE gets a 1.3!

2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL blocklist
    [URI: www.example.com]
    [URI: example.com]
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
2.0 RELAYCOUNTRY_BAD Relayed through spammy country at some point
0.0 HTML_MESSAGE BODY: Nachricht enthält HTML
-0.0 T_SCC_BODY_TEXT_LINE No description available.
1.2 FONT_INVIS_NORDNS Invisible text + no rDNS
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML
2.5 FONT_INVIS_MSGID Invisible text + suspicious message ID
0.0 HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
0.9 DMARC_NONE DMARC none policy

Let's just assume that the colleague is corresponding with a spammer and the colleague knows nothing about it. I'm just interested to know why the score is lower when the last mail arrived than in the current test. Is it because a few hours have already passed and the mail is rated differently in the DNS blocklists? Or could it be that something is still wrong with my configuration? However, I can see in the journal that every mail is checked against blocklists, maybe not completely? This difference is now irritating me.
Re: Where are your test definitions?
> On 2024-06-14 18:24, Matus UHLAR - fantomas wrote:
>> 1. as I said it's hard to find out without the body
>> 2. hiding data indicates a spammer.

On 14.06.24 19:15, Thomas Barth via users wrote:
> Yes, I've now realized that I can simply grep for the descriptions.
>
> grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
> /var/lib/spamassassin/4.00/updates_spamassassin_org/72_active.cf: describe FONT_INVIS_NORDNS Invisible text + no rDNS
>
> In my case, I can say with certainty that the mail comes from a business partner of a colleague :-)

If you want to find out more, feed the mail to "spamassassin -D" and that should explain which text matched which rules.

and as we told you already, your client should NOT play with small or semi-invisible text in mail. That's what spammers do.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: Where are your test definitions?
On 2024-06-14 at 10:39:36 UTC-0400 (Fri, 14 Jun 2024 16:39:36 +0200) Thomas Barth via users is rumored to have said:

> Hello,
> I would like to explain to a sender what he can do to create an email that is not classified as spam.
>
> X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497, FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]
>
> I cannot find the definitions on your old site https://spamassassin.apache.org/old/tests_3_1_x.html.
>
> FONT_INVIS_NORDNS, FONT_INVIS_MSGID, HTML_FONT_TINY_NORDNS, RDNS_NONE
>
> Is there no current version of the test definition?

The rules get tested, rescored, and assembled into a release package daily so it is not really feasible to put a set of static pages up with all the descriptions of all active rules, as the set changes daily.

You can either use sa-update to get the current ruleset and find the rule descriptions in that package or go through the current files in the repo: https://svn.apache.org/viewvc/spamassassin/trunk/rules/ and https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Where are your test definitions?
On 2024-06-14 18:24, Matus UHLAR - fantomas wrote:

> 1. as I said it's hard to find out without the body
> 2. hiding data indicates a spammer.

Yes, I've now realized that I can simply grep for the descriptions.

grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
/var/lib/spamassassin/4.00/updates_spamassassin_org/72_active.cf: describe FONT_INVIS_NORDNS Invisible text + no rDNS

In my case, I can say with certainty that the mail comes from a business partner of a colleague :-)
Re: Where are your test definitions?
> On 2024-06-14 17:11, Matus UHLAR - fantomas wrote:
>> FONT_INVIS_NORDNS=1.544
>> HTML_FONT_TINY_NORDNS=1.514
>> RDNS_NONE=0.793
>>
>> working fcrdns would fix much for them.
>>
>> However, not doing stupid shit with fonts would help even more:
>>
>> FONT_INVIS_MSGID=2.497
>> FONT_INVIS_NORDNS=1.544
>> HTML_FONT_TINY_NORDNS=1.514

On 14.06.24 18:00, Thomas Barth via users wrote:
> Thanks, I have forwarded these infos and hope it will be corrected.
>
>>> I cannot find the definitions on your old site https://spamassassin.apache.org/old/tests_3_1_x.html.
>>
>> why 3.1?
>
> Google only shows this old version and I can't find a link to the current test definitions on the website itself.

I see them in SA 4.0 rules:

72_active.cf: meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA
72_active.cf: meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER
72_active.cf: rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
72_active.cf:meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID
72_active.cf:meta __HTML_FONT_TINY_NORDNS (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE
72_active.cf:rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
72_active.cf:rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
72_active.cf:rawbody __HTML_FONT_TINY_02 /]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i

1. as I said it's hard to find out without the body
2. hiding data indicates a spammer.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
2B|!2B, that's a question!
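To see which markup the quoted sub-rules react to, and so what a sender would need to remove, the following added example (not part of the original message and not SpamAssassin code) runs the three complete rawbody patterns from the listing above against two constructed HTML fragments and evaluates the HTML_FONT_TINY_NORDNS meta as quoted. Python's re stands in for Perl and the body is searched as one string, which only approximates how SpamAssassin applies rawbody rules; `rdns_none` and `has_cid` are caller-supplied stand-ins for __RDNS_NONE and __HAS_CID, whose definitions are not on the page.

```python
import re

# rawbody patterns as quoted from 72_active.cf in the message above.
# __HTML_FONT_TINY_02 is omitted because its pattern is truncated on the page.
RAWBODY = {
    "__FONT_INVIS": (
        r"""<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*"""
        r"""(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)"""
        r"""|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)"""
        r"""|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])"""
        r"""|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w"""
    ),
    "__AC_TINY_FONT":
        r"""(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]""",
    "__HTML_FONT_TINY_01": r"font-size:\s{0,5}[0-4]px;",
}

# Constructed HTML bodies, not taken from the mail discussed in the thread.
HIDDEN_TEXT = ('<p>Quarterly figures attached.</p>'
               '<span style="font-size:1px;color:#ffffff">filler words</span>')
PLAIN_TEXT = '<p style="font-size:12px;">Quarterly figures attached.</p>'

def rawbody_hits(html):
    """Return {sub-rule: matched text} for each quoted pattern that fires."""
    hits = {}
    for name, pattern in RAWBODY.items():
        m = re.search(pattern, html, re.I)
        if m:
            hits[name] = m.group(0)
    return hits

def html_font_tiny_nordns(html, rdns_none, has_cid=False):
    """Evaluate the quoted meta:
    (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT)
    && __RDNS_NONE && !__HAS_CID, without the truncated _02 sub-rule."""
    hits = rawbody_hits(html)
    tiny = "__HTML_FONT_TINY_01" in hits or "__AC_TINY_FONT" in hits
    return tiny and rdns_none and not has_cid

if __name__ == "__main__":
    for label, body in (("hidden", HIDDEN_TEXT), ("plain", PLAIN_TEXT)):
        print(label, rawbody_hits(body))
        for rdns_none in (True, False):
            print("  rdns_none=%s ->" % rdns_none,
                  html_font_tiny_nordns(body, rdns_none))
```

With working reverse DNS the meta no longer fires even on the tiny-font fragment, while the underlying font sub-rules still match until the markup itself is changed.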
Re: Lots of FN because of VALIDITY* rules
> On Jun 3, 2024, at 4:09 AM, Matus UHLAR - fantomas wrote:
>
> I forgot to add that I have "lowered" (increased to small negative number) scores for RCVD_IN_VALIDITY_*, RCVD_IN_DNSWL_* and RCVD_IN_IADB_* because I had similar bad experience with them.

Matus, if you EVER have a bad experience with RCVD_IN_IADB_ (or any other IADB test), *please* let me personally know asap. We take our responsibility to the receiving industry *very* seriously (always have, for more than 20 years now) - that's *why* we invented the data response code concept, and developed it specifically so that SA could take advantage of it (and didn't patent it so that others could use the concept to, again, assist receivers).

So, *please*, again, let me know personally, directly, if you ever find an issue with a certified sender (that is who would trigger the IADB tests) not doing the right thing!

Thank you,

Anne

---
Anne P. Mitchell, Esq.
Internet Law & Policy Attorney
CEO Institute for Social Internet Public Policy (ISIPP)
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Creator of the term 'deliverability' and founder of the deliverability industry
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, eMail Abuse Prevention System (MAPS)
Re: Where are your test definitions?
On 6/14/2024 10:39 AM, Thomas Barth via users wrote:

> Hello,
> I would like to explain to a sender what he can do to create an email that is not classified as spam.
>
> X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497, FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]
>
> I cannot find the definitions on your old site https://spamassassin.apache.org/old/tests_3_1_x.html.
>
> FONT_INVIS_NORDNS, FONT_INVIS_MSGID, HTML_FONT_TINY_NORDNS, RDNS_NONE
>
> Is there no current version of the test definition?

You can get the definitions directly from the rule files. On my system, the updated rules are in /var/lib/spamassassin/3.004006/updates_spamassassin_org.

describe RDNS_NONE Delivered to internal network by a host with no rDNS
describe FONT_INVIS_MSGID Invisible text + suspicious message ID
describe FONT_INVIS_NORDNS Invisible text + no rDNS
describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS

Since those make up the majority of the score, it looks like you should explain to the sender that they should not be using tiny or invisible fonts in their emails, and that they should fix the reverse DNS for their mailserver.

--
Bowie
Re: Where are your test definitions?
On 2024-06-14 17:11, Matus UHLAR - fantomas wrote:

> FONT_INVIS_NORDNS=1.544
> HTML_FONT_TINY_NORDNS=1.514
> RDNS_NONE=0.793
>
> working fcrdns would fix much for them.
>
> However, not doing stupid shit with fonts would help even more:
>
> FONT_INVIS_MSGID=2.497
> FONT_INVIS_NORDNS=1.544
> HTML_FONT_TINY_NORDNS=1.514

Thanks, I have forwarded these infos and hope it will be corrected.

>> I cannot find the definitions on your old site https://spamassassin.apache.org/old/tests_3_1_x.html.
>
> why 3.1?

Google only shows this old version and I can't find a link to the current test definitions on the website itself.
Re: Where are your test definitions?
On 15/06/2024 01:04, Thomas Barth via users wrote:

> On 2024-06-14 16:44, Reindl Harald (privat) wrote:
>> with RDNS_NONE nobody on this planet should accept mails from that machine and the admin has to be fired, the message should be rejected at SMTP level long before spamassassin
>
> And you would have been dismissed because of your pathological fascist thought structure ;-)

Not if he worked for me, it's smtp 101 not only enforce PTRs, but enforce matching A/ -> PTR and back again, so they need to fix their mail server DNS, the bad relay country, not a lot they can do about that to that sender.

That said, Harry would never work for me because as you pointed out he's pathological, it's why he replies privately, he is perm moderated on this and most other lists, please do not reply to him via the list, he has a habit of setting the reply-to, to the list, please check and remove it, feel free to tell him what you think of him directly, the rest of us already have.

--
Regards,
Noel Butler
Re: Where are your test definitions?
On 2024-06-14 16:44, Reindl Harald (privat) wrote:

> with RDNS_NONE nobody on this planet should accept mails from that machine and the admin has to be fired, the message should be rejected at SMTP level long before spamassassin

And you would have been dismissed because of your pathological fascist thought structure ;-)
Re: Where are your test definitions?
On 14.06.24 16:39, Thomas Barth via users wrote:
> I would like to explain to a sender what he can do to create an email that is not classified as spam.
>
> X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497, FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]

FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514
RDNS_NONE=0.793

working fcrdns would fix much for them.

However, not doing stupid shit with fonts would help even more:

FONT_INVIS_MSGID=2.497
FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514

Without seeing what matched that it's hard to guess more

> I cannot find the definitions on your old site https://spamassassin.apache.org/old/tests_3_1_x.html.

why 3.1?

> FONT_INVIS_NORDNS, FONT_INVIS_MSGID, HTML_FONT_TINY_NORDNS, RDNS_NONE
>
> Is there no current version of the test definition?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Remember half the people you know are below average.
Where are your test definitions?
Hello,

I would like to explain to a sender what he can do to create an email that is not classified as spam.

X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497, FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]

I cannot find the definitions on your old site https://spamassassin.apache.org/old/tests_3_1_x.html.

FONT_INVIS_NORDNS, FONT_INVIS_MSGID, HTML_FONT_TINY_NORDNS, RDNS_NONE

Is there no current version of the test definition?