Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-10 Thread Alan
I don't have the specifics at hand but I created a rule that places a 
heavy score (like 2.0) on anything that matches existing sex and bitcoin 
rules. These messages usually match a bunch of other signals and that 
rule pushes the score over my delete-on-sight threshold (8.0).


On 2023-11-10 05:51, giova...@paclan.it wrote:
To block this type of spam I've increased the score of GB_HASHBL_BTC 
(Bitcoin rbl) rule.

 Giovanni

On 11/10/23 11:01, Mark London wrote:
Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure 
I've been using it longer than that.  And by default it's not enabled.


It doesn't totally block the "I RECORDED YOU" spams. Occasionally some 
come through with IP addresses that have valid reverse lookups.  But 
the number getting blocked is still huge.


On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:



Am 10.11.23 um 08:40 schrieb Mark London:
Marc - You are correct.  All the IP sources of this spam don't have a 
valid reverse lookup of the IP address to an IP name.   That will 
solve my problem. Thanks! - Mark


in other words your MTA is misconfigured

https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname 




On 11/9/2023 12:38 PM, Marc wrote:
Do you at least verify the reverse lookup? That already stops a 
lot of such networks.





--
For SpamAssassin Users List
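Added example, not code from any poster in this thread and not the Postfix or Sendmail implementation: a reverse-lookup check that separates the two levels of strictness the thread touches on. A client with no PTR record at all is what Postfix's reject_unknown_reverse_client_hostname (and Sendmail's require_rdns) stops. A client whose PTR exists but does not resolve back to the connecting address is only caught by Postfix's stricter reject_unknown_client_hostname, and the "valid reverse lookups" Mark still sees land in the verified bucket, where other signals have to do the work. The DNS data is constructed and the resolver callables are injected so the block runs offline; a deployment would replace them with real lookups.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed DNS data standing in for real lookups (assumption: illustrative
# names and addresses from documentation ranges only).
FAKE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net."],      # PTR + matching A: forward-confirmed
    "192.0.2.11": ["host-11.example.org."],   # PTR exists, but A does not point back
    "192.0.2.12": [],                         # no PTR at all
}
FAKE_A: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.10"],
    "host-11.example.org.": ["198.51.100.7"],
}

Resolver = Callable[[str], List[str]]

def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])

def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])

def classify_client(ip: str, ptr: Resolver = fake_ptr, fwd: Resolver = fake_a) -> str:
    """Classify a connecting SMTP client the way the MTA checks do.

    "unknown"    no PTR record. This is all Postfix's
                 reject_unknown_reverse_client_hostname looks at, which is
                 why it is cheap and rarely wrong.
    "unverified" PTR exists but no forward lookup of that name returns the
                 client IP. Only Postfix's stricter
                 reject_unknown_client_hostname rejects this; it has more
                 false positives because forward records are often broken.
    "verified"   forward-confirmed reverse DNS (FCrDNS). This says the
                 operator set DNS up properly, not that the host is clean.
    """
    ipaddress.ip_address(ip)  # raise ValueError on garbage before any lookup
    names = ptr(ip)
    if not names:
        return "unknown"
    for name in names:
        if ip in fwd(name):
            return "verified"
    return "unverified"

def postfix_would_reject(ip: str, strict: bool = False) -> bool:
    """strict=False mirrors reject_unknown_reverse_client_hostname,
    strict=True mirrors reject_unknown_client_hostname."""
    verdict = classify_client(ip)
    if strict:
        return verdict != "verified"
    return verdict == "unknown"
```

The non-strict check is the one Harald's link points at; the strict one is worth turning on only after watching the "unverified" bucket for a while, because plenty of legitimate senders live there.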


Re: FP on KAM_SOMETLD_ARE_BAD_TLD

2023-04-13 Thread Alan


On 2023-04-12 20:42, Greg Troxel wrote:

Alan  writes:


A lovely message from a reputable sender with a penchant for fancy
email formatting has CSS rules expressed in JSON, presumably so it can
adjust for the mail client or some such.

A segment contains the text:

"items":[{"type":"Input.Date","id":"date"}]}

The KAM_SOMETLD_ARE_BAD_TLD rule is triggering on Input.Date. The rule is 
weighted quite high by default (5.0 here).
This is pushing messages over the spam threshold. I've adjusted the weight 
locally but it's probably something that should be tweaked globally.

(The KAM rules are on the aggressive side, and downscoring is appropriate
for those who like to be a bit less aggressive, especially those who are
not comfortable with single rules over 4ish.  But I am still running
them, because I think they help a lot more than they hurt.)

You seem to be suggesting reducing score, but that's not the real issue
in this case.  What you have found, I think, is treating something like
a URL that isn't.  However, that's really hard to fix given the MUA
so-called feature of treating things that sort of look like URLs as
URLs.

If you haven't, I would send the message in question to KAM for analysis
and perhaps rule adjustment.

FWIW, I find that I have adjusted score to 1.5.


KAM is on this list and has replied off list. I trust him to find the 
best way to mitigate the problem.


I just lowered the score knowing it will take some time for any update 
to make it through my upstream. Short of running a headless Chromium and 
parsing the entire HTML and then inspecting the resulting DOM there are 
always going to be issues like this. I've been doing battle with a 
particularly persistent spammer (multiple spams per user per day from 
different sources) who always used long URLs that followed a specific 
format. Now he uses three formats, so I have to only match on the 
handful of users who I know are on his list to avoid my own FPs. With 
that one, I really wish I had the DOM because the [curse words] follows 
a format that would be easy to catch with an XPATH query.


All in a day's work...



FP on KAM_SOMETLD_ARE_BAD_TLD

2023-04-12 Thread Alan

A lovely message from a reputable sender with a penchant for fancy email 
formatting has CSS rules expressed in JSON, presumably so it can adjust for the 
mail client or some such.

A segment contains the text:

"items":[{"type":"Input.Date","id":"date"}]}

The KAM_SOMETLD_ARE_BAD_TLD rule is triggering on Input.Date. The rule is 
weighted quite high by default (5.0 here).
This is pushing messages over the spam threshold. I've adjusted the weight 
locally but it's probably something that should be tweaked globally.



Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Alan Hodgson
On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> How do I stop this?  paypal.com is in the default DKIM whitelist!
> 

That message really looks like it came from Paypal and then was
forwarded by Microsoft to your server. Was it really a fake? That's a
lot of headers to fake if so.

If it was really fake and that paypal-supplied DKIM signature doesn't
validate (I didn't check that), then checking DMARC when you receive
mail and rejecting on p=reject failures would block it.


Re: DMARC fails for valid record?

2022-05-09 Thread Alan Hodgson
On Mon, 2022-05-09 at 14:35 -0400, Alex wrote:
> Hi,
> 
> I'm trying to understand why this email from a bank fails DMARC
> when mxlookup says the DMARC record is just fine.
> 
> https://pastebin.com/0T4Gjn3v
> 
>  *  1.8 DMARC_REJECT DMARC reject policy
>  *  6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
> message
>  *      and the domain has a DMARC reject policy
> 
> It also passes SPF and DKIM
> 
>  *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
>  * -0.0 SPF_PASS SPF: sender matches SPF record
>  * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's
>  *       domain
>  * -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> signature
>  *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
>  *      valid
> 
> I'm using a local DNS resolver, not a public server.
> 

I'm pretty sure it can't pass SPF for the purposes of satisfying
DMARC with a null envelope sender.

Dunno why the DKIM didn't pass. Can you tell if the
d=ess.firstdata.com signature is valid or only the amazonses.com sig
(which wouldn't satisfy DMARC)?


Re: how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

2022-03-04 Thread Alan
FWIW at least I've found them to be responsive to abuse reports, unlike 
Amazon SES.


On 2022-03-04 08:01, Marc wrote:

Is anyone blocking already connections from outbound-mail.sendgrid.net? Does 
that generate a lot of false positives?
PS. just posting this so it is on web archives and people searching for 
sendgrid hopefully choose a better service.





Re: how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

2022-03-04 Thread Alan Hodgson
On Fri, 2022-03-04 at 13:01 +, Marc wrote:
> Is anyone blocking already connections from outbound-
> mail.sendgrid.net? Does that generate a lot of false positives? 
> PS. just posting this so it is on web archives and people searching
> for sendgrid hopefully choose a better service.
> 

Unfortunately, a lot of legitimate senders still use Sendgrid.


False "bad domain" positive

2022-02-15 Thread Alan

Here's a lovely edge case...

I've got someone who posted text from MS Office into an email (wish I 
could ban that). The text contained a numbered list. The fourth list 
item started with "Date & Time". The 4 and following period were in a 
span element with a margin to separate it from the text but no actual 
whitespace, so the plain text version comes up as (I've used {dot} to 
avoid another trigger) "4{dot}Date & Time". This then triggered :


  2.0 PDS_OTHER_BAD_TLD  Untrustworthy TLDs [URI: 4{dot}date (date)]
  5.0 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .bid & .date 
TLD Abuse

Thus consigning a meeting agenda to the trash. I suspect this is an 
uncommon but not rare false positive.


These rules would benefit from excluding single character domain matches 
(which IIRC would be invalid domains anyway). And this sort of FP would be 
avoided. For bonus points excluding three-character roman numerals under 
10 (iii, vii, etc.) would be useful too.




Re: Do these domains merit blocking?

2021-12-15 Thread Alan Hodgson
On Wed, 2021-12-15 at 10:55 -0800, Alan Hodgson wrote:
> 
> I got a couple to an actual human who answered
> ab...@princeton.edu. I can forward them privately.

Let me rephrase that; I complained to ab...@princeton.edu and
actually heard back from a human, to whom I have since sent copies of
the spam messages.




Re: Do these domains merit blocking?

2021-12-15 Thread Alan Hodgson
On Wed, 2021-12-15 at 13:24 -0500, Charles Sprickman wrote:
> Does anyone have a sample of one of their emails?
> 
> I’m composing a brief nastygram and would like to get my eyes on
> one before finishing up.
> 

I got a couple to an actual human who answered ab...@princeton.edu. I
can forward them privately.


Re: Do these domains merit blocking?

2021-12-15 Thread Alan Hodgson
On Wed, 2021-12-15 at 11:39 -0500, Bill Cole wrote:
> 
> A customer has expressed mild dismay at the concept that a fine
> research institution should be "punished for doing research." I'm
> less attached to Princeton than my NJ-based customer and (having
> worked in a NIH-funded lab) less idolizing of the Ivory Tower in
> general. I have no difficulty explaining my position, but I am
> rather surprised that I need to in 2021. Am I missing something
> special that makes such research spam somehow not spam?

No.

And that's about the stupidest "study" I've ever heard of. It's not
like they're going to get any responses other than "fsck off" (which
is what I added to my header_filters after getting the second one).
It's hard to imagine anyone being that naive in 2021, but here we
are.



Re: Fw: spam from gmail.com

2021-11-09 Thread Alan
This is why I flood their abuse box with reports: problem comes back. 
Eventually some brain cell will realize that it's not doing much for 
their brand. Moments later it will become an Important Issue, because 
brand is everything these days.


On 2021-11-09 08:49, Jared Hall wrote:

On 11/8/2021 11:36 PM, Peter wrote:

It seems that people aren't taking google as seriously any more.
First came Freemail.  Then came SpamAssassin.  I DO think that people 
take Google seriously.  There are just so many ways to deal with this 
problem - none of which is better than any other.


Google touts their AI capabilities with Spam.  Too bad they don't scan 
their outbound email.  Instead, they seem to have adopted a cowardly 
philosophy that an old C Telephone tech conveyed to me decades ago: 
"Problem's leaving here fine!"


Google should practice what they preach:  SANITIZE USER INPUT. 
Instead, their careless attitude presents a security threat to us all.


-- Jared Hall





Re: Fw: spam from gmail.com

2021-11-08 Thread Alan
A real spike lately, too. Send messages with full headers to 
ab...@gmail.com. It might be a bit bucket since I've never heard 
anything back, but it can't hurt.


On 2021-11-08 13:27, Rupert Gallagher wrote:
Spammers are using gmail.com. Congratulations to Google for their fine 
work...


 Original Message 
On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilv...@gmail.com> wrote:
Good day my dear,
How are you doing and your family.I am Mrs.Marann Silvia,a sick widow
writing from one of the America hospitals.I am suffering from a long
time cancer of breast,my health situation is becoming worse,my life is
no longer guaranteed hence i want to make this solemn donation.I want
to donate my money to help the orphans, widows and handicap people
through you because there is no more time left for me on this earth.I
take this decision because i have no child who will inherit my wealth
after my death.Please,i need your urgent reply so that i can tell you
more on how you will handle my wish before i die.I will be waiting to
hear from you immediately by God grace amen,
yours sincerely.
Mrs.Marann Silvia





Re: Does anyone know what generates these email headers?

2021-09-08 Thread Alan
The originating PHP script header helps people who run shared servers 
track down the source of problematic mail. The two most common cases are:


- A contact form with poor security and the option to send a copy to the 
"commenter". Hackers find these and flood them.


- A completely compromised site with some mailer script buried down in a 
folder that shouldn't have code (typically some image path).


Both give a quick indication of which account needs to be suspended and 
what the best course for remediation should be from there.


In cPanel, the X-OutGoing-Spam-Status header is generated by hosts who 
run SpamAssassin on outbound mail. As it's easily forged it's kind of 
useless on the receiving side (and until a few months back was actually 
scoring 0.2 on incoming) but it's generated by cPanel with no option to 
disable it. It might also serve as a useful diagnostic for hosts trying 
to figure out how the heck an obvious spam message managed to get sent: 
if it's not there, then the message was sent by a nonstandard MTA.


On 2021-09-08 18:40, Bert Van de Poel wrote:
By default any PHP script that's sending an email will contain 
X-PHP-Originating-Script on several Linux distros, even though it's 
not the official default (see 
https://www.php.net/manual/en/mail.configuration.php , one of the 
first Google results). It's a pretty common occurrence to see that 
header in automated emails of all kinds (e.g. registration 
confirmation emails, notifications, login link emails). Alone it's a 
sign of neither spam nor ham, but combined with other things it can be 
interesting. The others don't ring a bell for me.


Bert

On 8/09/2021 23:27, Loren Wilton wrote:

I'm getting a lot of mails with some very curious headers in them.
I tried searching with Google, and it has never heard of many of 
these strings.

Does anyone recognize what might be generating these headers?

X-EOPTenantAttributedMessage
X-EmailAdvisor
X-Mxtb-Transitionid
X-MG-Subscriptionuid
X-PHP-Originating-Script
X-EmailTransmit-type
CMM-X-SID-Result
CMM-X-AUTH-Result
CMM-X-Message-Status
X-OutGoing-Spam-Status
X-EmailTransmit-aid
X-rext

Thanks!

   Loren






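Added example (not cPanel's or PHP's code): a small triage parser for the two headers Alan describes, run over a constructed message. The value format it assumes for X-PHP-Originating-Script is the "<uid>:<script basename>" form PHP's mail.add_x_header emits; the uid-to-account table is an assumption standing in for getpwuid on the shared host. On the receiving side neither header can be trusted, so the function only reports what is present; it is meant for the sending host's own abuse desk.

```python
from email import message_from_string
from typing import Dict, Optional

# Assumption: uid-to-account table standing in for getpwuid() on the
# shared host that generated the header.
ACCOUNTS = {1034: "custsite17"}

# Constructed message, not a capture. The X-PHP-Originating-Script value is
# in the "<uid>:<script basename>" shape PHP's mail.add_x_header emits.
SAMPLE = """Received: from web01.host.example ([198.51.100.20])
  by mx.host.example with esmtp id 1abc-0001; Wed, 08 Sep 2021 12:00:00 +0000
X-PHP-Originating-Script: 1034:contact-form.php
X-OutGoing-Spam-Status: No, score=1.3
From: Website Contact <www-data@web01.host.example>
To: victim@example.org
Subject: Re: your invoice

Please see the attached invoice.
"""

# Constructed message from the same host with neither header.
SAMPLE_NO_HEADERS = """Received: from web01.host.example ([198.51.100.20])
  by mx.host.example with esmtp id 1abc-0002; Wed, 08 Sep 2021 12:05:00 +0000
From: Billing <billing@host.example>
To: victim@example.org
Subject: invoice

Please see the attached invoice.
"""

def triage(raw: str) -> Dict[str, Optional[str]]:
    """Pull the two host-side signals out of a message.

    Only meaningful on the host that added the headers: a sender can forge
    both, so a receiver should not score on their values.
    """
    msg = message_from_string(raw)
    out: Dict[str, Optional[str]] = {
        "uid": None, "account": None, "script": None, "scanned_outbound": None,
    }

    php = msg.get("X-PHP-Originating-Script", "")
    uid, _, script = php.partition(":")
    if uid.strip().isdigit() and script.strip():
        out["uid"] = uid.strip()
        out["account"] = ACCOUNTS.get(int(uid))
        out["script"] = script.strip()

    # On a cPanel host that scans outbound mail, every message through the
    # normal MTA path carries X-OutGoing-Spam-Status. Its absence points at a
    # nonstandard MTA (a script speaking SMTP on its own, or a compromised box).
    out["scanned_outbound"] = "yes" if msg.get("X-OutGoing-Spam-Status") else "no"
    return out

def where_to_look(t: Dict[str, Optional[str]]) -> str:
    """Map the triage result to the two common cases Alan lists."""
    if t["scanned_outbound"] == "no":
        return "nonstandard MTA: check for processes sending SMTP directly"
    if t["script"]:
        return f"suspend account {t['account'] or t['uid']}; inspect {t['script']}"
    return "no script header: check the MTA/submission logs"
```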



Re: Score for certain spam

2021-08-18 Thread Alan



On 2021-08-17 18:53, Greg Troxel wrote:

Alan <> writes:


I manage email for a couple of hundred domains, so a fair bit of stuff
that arrives to my inbox are spam complaints (they're supposed to open
tickets or use the support mailbox but... users). I flag anything over
5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to
the bit bucket. Our support inbox deletes anything over 10.0. Stuff
that scores over 20 arrives on a regular basis but 10 seems to be a
decent threshold for "absolute crap".

When you talk about 8/10 and bitbucket/delete, are you accepting this
email at the MTA level and then sending it to /dev/null?  If so, I
wonder what your thoughts are on the wisdom of that vs rejecting at the
MTA level?  In my view MTA rejection is much better because if there is
a legit sender they get a 550 back, rather than silent discard.


It's sent to the bit bucket, not done in the MTA. In this case, each 
account can set individual thresholds and has an individual set of local 
rules, so that might be why. I'd prefer to 550 them as well, although I 
suspect the majority of sources just don't care. Lately the most 
insidious stuff has been coming from VPS providers with insufficient 
vetting. Every few months I get something like this:


We are looking to get set up with a Dedicated Server or VPS today with 
a /24. It is to mail, but it's all compliant.

Can we get set up with you guys?

Invariably they're red flagged multiple times on ROKSO. I'm sure failing 
to take 2 minutes to do that check has done significant damage to 
website builders who figured they could make some easy money in hosting.





Re: Score for certain spam

2021-08-17 Thread Alan
I manage email for a couple of hundred domains, so a fair bit of stuff 
that arrives to my inbox are spam complaints (they're supposed to open 
tickets or use the support mailbox but... users). I flag anything over 
5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to 
the bit bucket. Our support inbox deletes anything over 10.0. Stuff that 
scores over 20 arrives on a regular basis but 10 seems to be a decent 
threshold for "absolute crap".


I should also mention that we refuse to send anything that scores over 
5.0. This has proved useful both in limiting damage from unprotected 
contact forms and ... um ... "overzealous" customers.


On 2021-08-17 12:03, David Bürgin wrote:

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.

The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.

Thank you!





Re: Lint failing

2021-07-31 Thread Alan Sparks
So it's Saturday, not Monday yet, but nothing has changed... has a "fix" 
been published yet?  Maybe the fix doesn't work?


]$ sudo /usr/bin/sa-update -
Update available for channel updates.spamassassin.org
rules: failed to run URI_HOST_IN_BLOCKLIST test, skipping:
    (Can't locate object method "check_uri_host_in_blacklist" via 
package "Mail::SpamAssassin::PerMsgStatus" at (eval 2016) line 394.
)
rules: failed to run URI_HOST_IN_WELCOMELIST test, skipping:
    (Can't locate object method "check_uri_host_in_whitelist" via 
package "Mail::SpamAssassin::PerMsgStatus" at (eval 2016) line 1489.
)
channel: lint check of update failed, channel failed
Update failed, exiting with code 4

-Alan

On 7/29/2021 1:36 PM, Kevin A. McGrail wrote:
Fixes are likely done and just waiting on masscheck, etc. to publish 
rules.  If it isn't fixed by Monday, please let us know.

P.S. 3.3.1 is very old.  Can you upgrade?
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail 
<https://www.linkedin.com/in/kmcgrail> - 703.798.0171



On Thu, Jul 29, 2021 at 11:21 AM Alan Sparks <aspa...@doublesparks.net> wrote:


Starting yesterday, my SA 3.3.1 running on CentOS started throwing
lint
errors, as below.  Is there a fix for this?

Thanks in advance.

-Alan

$ sudo /usr/bin/sa-update -vvv
Update available for channel updates.spamassassin.org
rules: failed to run URI_HOST_IN_BLOCKLIST test, skipping:
 (Can't locate object method "check_uri_host_in_blacklist" via
package "Mail::SpamAssassin::PerMsgStatus" at (eval 2016) line 394.
)
rules: failed to run URI_HOST_IN_WELCOMELIST test, skipping:
 (Can't locate object method "check_uri_host_in_whitelist" via
package "Mail::SpamAssassin::PerMsgStatus" at (eval 2016) line 1489.
)
channel: lint check of update failed, channel failed
Update failed, exiting with code 4





Re: Lint failing

2021-07-29 Thread Alan Sparks
Thanks.  For me, there's no update package for my distribution. And 
still working on general upgrade testing here.


-Alan


On 7/29/2021 1:36 PM, Kevin A. McGrail wrote:
Fixes are likely done and just waiting on masscheck, etc. to publish 
rules.  If it isn't fixed by Monday, please let us know.

P.S. 3.3.1 is very old.  Can you upgrade?
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail 
<https://www.linkedin.com/in/kmcgrail> - 703.798.0171



On Thu, Jul 29, 2021 at 11:21 AM Alan Sparks <aspa...@doublesparks.net> wrote:


Starting yesterday, my SA 3.3.1 running on CentOS started throwing
lint
errors, as below.  Is there a fix for this?

Thanks in advance.

-Alan

$ sudo /usr/bin/sa-update -vvv
Update available for channel updates.spamassassin.org
rules: failed to run URI_HOST_IN_BLOCKLIST test, skipping:
 (Can't locate object method "check_uri_host_in_blacklist" via
package "Mail::SpamAssassin::PerMsgStatus" at (eval 2016) line 394.
)
rules: failed to run URI_HOST_IN_WELCOMELIST test, skipping:
 (Can't locate object method "check_uri_host_in_whitelist" via
package "Mail::SpamAssassin::PerMsgStatus" at (eval 2016) line 1489.
)
channel: lint check of update failed, channel failed
Update failed, exiting with code 4





Lint failing

2021-07-29 Thread Alan Sparks
Starting yesterday, my SA 3.3.1 running on CentOS started throwing lint 
errors, as below.  Is there a fix for this?


Thanks in advance.

-Alan

$ sudo /usr/bin/sa-update -vvv
Update available for channel updates.spamassassin.org
rules: failed to run URI_HOST_IN_BLOCKLIST test, skipping:
    (Can't locate object method "check_uri_host_in_blacklist" via 
package "Mail::SpamAssassin::PerMsgStatus" at (eval 2016) line 394.
)
rules: failed to run URI_HOST_IN_WELCOMELIST test, skipping:
    (Can't locate object method "check_uri_host_in_whitelist" via 
package "Mail::SpamAssassin::PerMsgStatus" at (eval 2016) line 1489.
)
channel: lint check of update failed, channel failed
Update failed, exiting with code 4





Discord used to share malware

2021-07-26 Thread Alan
Not sure if this is news or not but it's the first time I've seen this. 
I got a fake "here's the invoice" message with a link to an Excel macro 
file from


https://cdn.discordapp.com/attachments/{redacted}.xlsm

This thing slipped in with a score of 0.4, KAM_NUMSUBJECT being the only 
trigger of significance. Reported the link to Discord.





Re: Maybe it's time to revive EvilNumbers?

2021-06-16 Thread Alan

On 2021-06-15 19:44, Loren Wilton wrote:
My site is getting a lot of spam that is getting past spamassassin. 
Because it has a phone number to call, and rather than a link to login 
using username and password. Mostly fake amazon purchases.   They are 
getting past a lot of URL block lists because of that.   FWIW. - Mark


I have a number of "purchase" rules that add about 30 points for fake 
Amazon (and other) scams. I haven't had one get thru in the last 
couple of months since I instituted them, but I only have a personal 
account and not a whole site, so YMMV. None of them look for phone 
numbers, but I do have a set of rules for a handful of stolen business 
addresses commonly used in spams I get. They add a few points when 
those show up.


   Loren

That approach might be problematic on multi-user servers. I'm already 
getting FPs when someone does a copy/paste of an Amazon product page and 
sends it as mail. This triggers the "not from Amazon but has images from 
Amazon" rule, which is weighted quite high. The sender's signature 
typically has a phone number as well, so EvilNumbers would make things 
worse. I still think the rule and weight is appropriate for spam, so I'm 
looking for other ways to mitigate the FPs.





Re: KAM_SENDGRID and SPF_HELO_NONE

2021-05-20 Thread Alan Hodgson
On Thu, 2021-05-20 at 16:12 -0400, Alex wrote:
> 
> X-Envelope-From:
>     
> 
> 
> Perhaps it's because Return-Path is null?
> Return-Path: <>

Return-Path is supposed to be where your MTA stores the envelope sender. That
it doesn't match is probably a problem.


And yes, SPF falls back to testing the HELO host if the envelope sender is
empty (which should only occur in bounces or auto-responses).
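Added example serving both this thread and the "DMARC fails for valid record?" thread above; it is not code from either poster and not a DMARC library. It walks through identifier alignment the way RFC 7489 describes it: SPF authenticates the RFC5321.MailFrom domain, falling back to the HELO identity when the envelope sender is empty, and DKIM authenticates each verified signature's d= domain; DMARC passes only when one of those authenticated domains aligns with the RFC5322.From domain. The public-suffix table and every domain name below are constructed. The cases at the bottom show why a valid signature from the sending service's own domain does nothing for DMARC, and why a null sender only helps when the HELO host itself sits in the From domain's organization.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: a tiny stand-in for the public-suffix list a real verifier
# consults when computing the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def organizational_domain(domain: str) -> str:
    """Strip to the registrable domain: one label above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment. Strict ("s") wants an exact match,
    relaxed ("r") only the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)

@dataclass
class AuthInputs:
    from_domain: str            # RFC5322.From domain, the one DMARC protects
    mail_from: Optional[str]    # RFC5321.MailFrom domain; None for a null sender <>
    helo: str                   # HELO/EHLO name the client gave
    spf_result: str             # "pass", "fail", "none", ...
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of signatures that verified

def spf_identity(a: AuthInputs) -> str:
    """SPF checks the MAIL FROM domain; with an empty reverse-path (bounces,
    auto-responses) it falls back to the HELO identity, and that is the
    domain DMARC then tries to align."""
    return a.mail_from if a.mail_from else a.helo

def dmarc_evaluate(a: AuthInputs, adkim: str = "r", aspf: str = "r") -> Dict[str, bool]:
    """Return which authenticated identifiers align and the overall verdict."""
    spf_aligned = a.spf_result == "pass" and aligned(spf_identity(a), a.from_domain, aspf)
    dkim_aligned = any(aligned(d, a.from_domain, adkim) for d in a.dkim_pass_domains)
    return {"spf": spf_aligned, "dkim": dkim_aligned, "pass": spf_aligned or dkim_aligned}

# Constructed cases in the shape of the two threads.
ESP_ONLY_SIG = AuthInputs(
    from_domain="notices.examplebank.com",
    mail_from=None,                              # Return-Path: <>
    helo="a1-2.smtp-out.esp.example.net",
    spf_result="pass",                           # SPF passed, but for the ESP's HELO
    dkim_pass_domains=["esp.example.net"],       # the service's own signature only
)
AUTHOR_SIG = AuthInputs(
    from_domain="notices.examplebank.com",
    mail_from=None,
    helo="a1-2.smtp-out.esp.example.net",
    spf_result="pass",
    dkim_pass_domains=["esp.example.net", "mail.examplebank.com"],
)
ALIGNED_HELO = AuthInputs(
    from_domain="notices.examplebank.com",
    mail_from=None,
    helo="mx1.examplebank.com",                  # null sender, but HELO is in-org
    spf_result="pass",
)
```

Reading the SpamAssassin output in the earlier thread against this: SPF_PASS and DKIM_VALID_AU only say that some identifier passed; DMARC_REJECT says none of the passing identifiers was the author's, which is exactly the ESP_ONLY_SIG shape.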


Re: Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

2021-04-26 Thread Alan



On 2021-04-26 10:07, Bill Cole wrote:

[...]

It is probably worth digging into the cPanel exim.conf editor (I don't 
recall what they call it, but it's there somewhere at the WHM 
level...) to kill the header. You may want to look through the 
deployed exim.conf to make sure that it's not somehow using the header 
for internal communication between different stages of handling.

Alas, there is but one option: scan outbound or don't. Scan it and you 
get the header. If they're using it for some internal purpose, then it 
should have the form x-cpanel-... and leave me out of it.


So, that would likely be a body URI hit, as I see no match in the 
headers.

Indeed, that would be it. Part of the message tells them to use the mail 
subdomain to set up... mail. Can't circumnavigate that one.



At least the NUMERIC_HTTP_ADDR is something I can fix.


MPART_ALT_DIFF should also be fixable simply by making the text/plain 
part of the message a reasonable rendering of the HTML part or by only 
sending a text/plain message, which would be even safer but I find 
hard to get anyone to do. I guess sending only HTML would achieve the 
same thing, but, e.

That's going to be so much fun it might not be worth it. The stupid 
thing is actually sending a blank plain text part, which escalates e 
to arghhh! It's the output of a template driven system so I may be 
limited in what I can do there. At this point dropping the plain text 
would be an improvement. [string of pejoratives redacted]


You also should look at your trusted_networks and internal_networks 
settings. If I'm understanding this correctly through the obfuscation, 
it should have hit ALL_TRUSTED. Keep in mind that trusted_networks is 
machines whose MTAs you trust to not forge Received headers, it is not 
necessarily machines you trust to not send spam. That won't help with 
mail leaving your system, but it will give mail from your machines to 
you a strong advantage.

Good idea. I'll verify that.




Re: Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

2021-04-25 Thread Alan


On 2021-04-25 19:31, Bill Cole wrote:

On 25 Apr 2021, at 18:40, Alan wrote:

We run cPanel servers and scan every outbound message with SA in 
order to reduce the amount of garbage that comes through website 
contact forms.


That's good.

However, in a default cPanel configuration, HAS_X_OUTGOING_SPAM_STAT 
scores a whopping 2.3. I'm not sure what the distribution default is


Today's dynamically-determined score in the default rules channel is 
2.298 for systems with network and bayes scoring enabled, so it looks 
like cPanel is likely to be using default scores.


but that's enough to move a lot of messages to spam, simply because 
the sender was scanning messages.


Is it actually doing that to known legitimate mail? Can you share 
headers? It would be good to find a way to exclude false positives.


Sure spammers are going to be putting that header in, but as far as I 
can tell, that's an argument for always scoring the rule at a hard 
zero. I can see how it might be useful in a meta with some other 
indicators, but as it stands, it's penalizing both the guys trying to 
stop spam at the source and the spammers and that seems 
counterproductive.


The rule QA system is nowhere near as smart as you... It only knows 
that in the corpora of mail it used to determine whether to publish 
HAS_X_OUTGOING_SPAM_STAT and what to score it, 72.6% of the mail 
matching HAS_X_OUTGOING_SPAM_STAT was spam. That's for yesterday's 
weekly network mass-check. See 
https://ruleqa.spamassassin.org/20210424-r1889140-n/HAS_X_OUTGOING_SPAM_STAT/detail 
for the arcane details.


If I recall correctly, the "X-OutGoing-Spam-Status" header which 
triggers that rule (with some exemptions) is not actually used by 
anything within cPanel, and a non-spam result in that header certainly 
should not be trusted anywhere but the system generating it. So it may 
be helpful to do the scan but to forego adding the header or to at 
least make cPanel use a local name.


I've posted to a 13 month old thread on the cPanel forums that was left 
at "we'll update you", asking for an update. I can't see any useful 
purpose to having that header in there.


Obfuscated headers follow. Haven't dug into it but it looks like another 
FP on KAM_MXURI, I'm guessing that's because the message is coming from 
my.our-domain.net and "my" is close enough to "mx", which would be 
unfortunate. At least the NUMERIC_HTTP_ADDR is something I can fix.


Return-Path: 
Delivered-To: our-domain.supp...@our-domain.com
Received: from ssc010.our-domain.net
by ssc010.our-domain.net with LMTP
id KGkdFSHVhWBRCgAAk/bwIA
(envelope-from )
for ; Sun, 25 Apr 2021 16:46:25 -0400
Return-path: 
Envelope-to: our-domain.supp...@our-domain.com
Delivery-date: Sun, 25 Apr 2021 16:46:25 -0400
Received: from our-server.our-domain.net ([100.101.102.103]:34044)
by ssc010.our-domain.net with esmtps  (TLS1.2) tls 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.94)
(envelope-from )
id 1lale4-0002xo-LD
for our-domain.supp...@our-domain.com; Sun, 25 Apr 2021 16:46:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=my.our-domain.net; s=default; 
h=Content-Transfer-Encoding:Content-Type:

MIME-Version:Message-ID:Subject:Reply-To:From:To:Date:Sender:Cc:Content-ID:

Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc

:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=j53ixXbMXzxOWOuh7uN7dlHw0Vr6LfiGnD/j577LPKs=; 
b=0nJJlFR/3NPsGrwKOpTGdc+6Vu

YO7UqkOwYydYNQijRJqe0dxqUwdHt06x57tx1DhoAJC/EmM6buHejeghdXLO+K+X3Di9rQ/hU85bj

uvZnd2jvf4kn/Hg47bCEw7/3oByYNbTJ8VK2WhNTb6x3q0zsbT//ODf5t2afLOM1SqWNW65i2YR2J

OvoY+VLh6dH44zhssa0XWuDZ+JYJYKoDMYKLN5SQ9PLqu+tQo50frwLmvfULLqP5scNCir9xWvDHH

/WRF490NRwD5ljrTNxAxT6xQgTQV2KGM/ND6WnajJJpT5JeAsGP41C/YzNUOZyhX62DNB4XbYId6b
Mgj3eN4w==;
Received: from [100.101.102.103] (port=54664 helo=my.our-domain.net)
by our-server.our-domain.net with esmtpsa  (TLS1.2) tls 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94)
(envelope-from )
id 1lale3-0002hS-Sp; Sun, 25 Apr 2021 16:46:24 -0400
Date: Sun, 25 Apr 2021 20:46:23 +
To: "First Last (Customer, Inc.)" 
From: "our-domain Inc." 
Reply-To: "our-domain Inc." 
Message-ID: 
X-Mailer: our-domain Inc.
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="b1_rqx1wOkfk2HPwH7li3bl39DQAjYTzhuJiJOD1cfpxU"
Content-Transfer-Encoding: 8bit
X-OutGoing-Spam-Status: No, score=1.3
X-AntiAbuse: This header was added to track abuse, please include it with any 
abuse report
X-AntiAbuse: Primary Hostname - our-server.our-domain.net
X-AntiAbuse: Original Domain - our-domain.com
X-AntiAbuse: Originator/Caller UID/GID - [xx yy] / [xx yy]
X

Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

2021-04-25 Thread Alan
We run cPanel servers and scan every outbound message with SA in order 
to reduce the amount of garbage that comes through website contact forms.


However, in a default cPanel configuration, HAS_X_OUTGOING_SPAM_STAT 
scores a whopping 2.3. I'm not sure what the distribution default is but 
that's enough to move a lot of messages to spam, simply because the 
sender was scanning messages. Sure spammers are going to be putting that 
header in, but as far as I can tell, that's an argument for always 
scoring the rule at a hard zero. I can see how it might be useful in a 
meta with some other indicators, but as it stands, it's penalizing both 
the guys trying to stop spam at the source and the spammers and that 
seems counterproductive.





Re: Are X-MC-xxx headers legit?

2021-03-29 Thread Alan



On 2021-03-29 12:11, John Hardin wrote:

On Mon, 29 Mar 2021, Loren Wilton wrote:


I'd call these headers a great spam sign.


Depending on their rarity... :)

Occasionally spammers will screw up and leave template replacement 
tokens in their message bodies. Great spam sign, too rare to be useful 
in practice.



Rare perhaps, but I've used this and other signatures from the design in 
combination with keywords that would otherwise generate false positives 
to eliminate some specific and persistent irritants, in particular some 
purveyors of apparel from India.


--
For SpamAssassin Users List



Re: Rules for a recent flood of BTC/webcam spam

2021-02-25 Thread Alan



On 2021-02-25 10:54, John Hardin wrote:

On Thu, 25 Feb 2021, RW wrote:


On Wed, 24 Feb 2021 18:37:42 -0800 (PST)
John Hardin wrote:


On Wed, 24 Feb 2021, Alan wrote:


After a little more research, a better regex for an obfuscated BTC
address is

/[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/

It might be worth adding = and _ to the obfuscating delimiters.
YMMV.


I've updated __BITCOIN_ID with -, = and _ obfuscations, which I
haven't seen myself yet.

Thanks!



Possibly

 (?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){25,34}|[a-km-zA-HJ-NP-Z1-9]{25,34})

should be

 (?:[-_=\s]*[a-km-zA-HJ-NP-Z1-9]){25,34}

It's shorter and more general.


I'd prefer:

 (?:[-_=\s]?[a-km-zA-HJ-NP-Z1-9]){25,34}

The reason I haven't is I have not seen a mixture yet - it's either 
all spaced or not at all.


I'll take a look at that tonight when I have some time.


The more loose you get with matching obfuscation the greater the 
chance of false positives. Consider, for example, the PGP key in my 
.sig (which has a zero, but I'd wager there are PGP key signatures 
that look like obfuscated bitcoin wallet addresses...)


Also, there's a limit to how complex the obfuscation can get before 
the recipient can't (or won't) follow the instructions.



Bitcoin addresses start with either 1 or 3. It's less general 
specifically to avoid FPs. Personally I'm weighting this pretty high so 
I don't want to trigger on non-obfuscated BTC addresses. So far, all of 
my targets send a plain text version so "just a space" has been working.


All that said, another potential obfuscation would be a period. I'm 
going to add that.


--
For SpamAssassin Users List
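As an added example (not code from this thread or from the posted rules), the script below runs both regex variants discussed above over constructed samples, then adds a step the thread does not have: it strips the obfuscation delimiters and runs a Base58Check validation on the cleaned string, which is what rejects a PGP-fingerprint-like hit that the looser regex accepts. The leading [13] anchor on the loose fragment and the delimiter set (space, dash, =, _, period) are assumptions.

```python
import hashlib
import re

# Strict form from the thread: exactly one space or dash between every character.
STRICT_OBFUSCATED = re.compile(
    r"[13][ \-](?:[a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]"
)
# Looser variant discussed (optional delimiter per character). The leading [13]
# anchor is an assumption about how the fragment sits inside __BITCOIN_ID.
LOOSE_OBFUSCATED = re.compile(r"[13](?:[-_=\s]?[a-km-zA-HJ-NP-Z1-9]){25,34}")

# Characters treated as obfuscation: space, dash, =, _, and the period Alan proposed.
DELIMITERS = re.compile(r"[-_=.\s]")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode Base58 (Bitcoin alphabet); raises ValueError on a bad character."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))  # each leading '1' is a 0x00 byte
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check test for legacy (1...) and P2SH (3...) addresses: 25 bytes,
    of which the last 4 equal the first 4 bytes of SHA256(SHA256(first 21))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def find_candidates(text: str, pattern: re.Pattern) -> list:
    """Every regex hit in text with the obfuscation delimiters stripped out."""
    return [DELIMITERS.sub("", m.group(0)) for m in pattern.finditer(text)]


def scan(text: str, pattern: re.Pattern) -> list:
    """(cleaned_candidate, passes_base58check) for every hit in text."""
    return [(c, is_valid_btc_address(c)) for c in find_candidates(text, pattern)]


# Constructed samples. The address is the well-known Bitcoin genesis-block
# address, spaced out one character at a time like the spam in the thread.
SPAM_SAMPLE = ("Transfer the amount to my wallet address "
               "1 A 1 z P 1 e P 5 Q G e f i 2 D M P T f T L 5 S L m v 7 D i v f N a.")
# A made-up PGP-style fingerprint (groups of four hex digits, no zeros), the
# kind of .sig content John worried would look like an obfuscated wallet.
PGP_SAMPLE = "Key fingerprint = 3F2A 1B4C 5D6E 7F8A 9B1C 2D3E 4F5A 6B7C 8D9E 1F2A"

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("pgp sig", PGP_SAMPLE)):
        print(label, "strict:", scan(sample, STRICT_OBFUSCATED))
        print(label, "loose: ", scan(sample, LOOSE_OBFUSCATED))
```

The strict pattern never fires on the fingerprint, the loose one does, and only the checksum step tells the two kinds of hit apart once the regex has been loosened.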



Re: Rules for a recent flood of BTC/webcam spam

2021-02-24 Thread Alan

On 2021-02-24 17:52, I wrote:
I've seen a recent flood of "I hacked your camera and caught you doing 
stuff" emails. I doubt they'll continue for a long time, but I made 
some rules to target them. Find them here https://pastebin.com/B5Q6emBU


--
For SpamAssassin Users List

After a little more research, a better regex for an obfuscated BTC 
address is


/[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/

Also added in more possible keyword misspellings 
https://pastebin.com/nCQrLunx


It might be worth adding = and _ to the obfuscating delimiters. YMMV.

--
For SpamAssassin Users List



Rules for a recent flood of BTC/webcam spam

2021-02-24 Thread Alan
I've seen a recent flood of "I hacked your camera and caught you doing 
stuff" emails. I doubt they'll continue for a long time, but I made some 
rules to target them. Find them here https://pastebin.com/B5Q6emBU


--
For SpamAssassin Users List



Re: PDS_URISHORTENER or __KAM_SHORT

2021-02-01 Thread Alan

On 2021-02-01 08:36, RW wrote:

On Mon, 1 Feb 2021 13:23:58 +
RW wrote:


On Mon, 1 Feb 2021 00:28:12 -0500
Alan wrote:


I'm working on a rule to up the spam score for messages that contain
a large number (>=30) of Mailchimp CSS declarations and a link
shortener. Since all links in something actually sent through
Mailchimp are forced through their click tracking, this is turning
out to be a decent indicator.

In the debug output I see these two rules PDS_URISHORTENER and
__KAM_SHORT. Are there pros/cons for using one over the other?

PDS_URISHORTENER has the advantage that you can easily extend it.


The actual rule is __PDS_URISHORTENER

That's perfect. Thanks!

--
For SpamAssassin Users List



PDS_URISHORTENER or __KAM_SHORT

2021-01-31 Thread Alan
I'm working on a rule to up the spam score for messages that contain a 
large number (>=30) of Mailchimp CSS declarations and a link shortener. 
Since all links in something actually sent through Mailchimp are forced 
through their click tracking, this is turning out to be a decent indicator.


In the debug output I see these two rules PDS_URISHORTENER and 
__KAM_SHORT. Are there pros/cons for using one over the other?


--
For SpamAssassin Users List



Re: UNSUBSCRIBE

2020-12-23 Thread Alan



On 2020-12-23 16:33, Antony Stone wrote:

On Wednesday 23 December 2020 at 22:29:50, Alan wrote:


On 2020-12-23 16:22, Richard Ozer wrote:

To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org
<mailto:users-unsubscr...@netbeans.apache.org>
For additional commands, e-mail: users-h...@netbeans.apache.org
<mailto:users-h...@netbeans.apache.org>

Hm, strange - I thought it was (quoting from the headers of any email on this
list):

list-help: <mailto:users-h...@spamassassin.apache.org>
list-unsubscribe: <mailto:users-unsubscr...@spamassassin.apache.org>
List-Post: <mailto:users@spamassassin.apache.org>
List-Id: 


Antony.


Argh. I have a bad case of mailing list schizophrenia. Hence a signature 
to remind me where the heck I am. :(


My apologies.

--
For SpamAssassin Users List



Re: UNSUBSCRIBE

2020-12-23 Thread Alan


On 2020-12-23 16:22, Richard Ozer wrote:


To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org 

For additional commands, e-mail: users-h...@netbeans.apache.org 



--
For SpamAssassin Users List



Re: A few noob questions

2020-12-20 Thread Alan

On 2020-12-20 21:11, John Hardin wrote:

On Sun, 20 Dec 2020, Alan wrote:

n.b.: you're not subscribed to the list from 
netbeans.5zc...@ambitonline.com but I pushed it through moderation. If 
you're going to post regularly from that address you should register 
it as an alternate.


Oh nuts. I always set up a forwarder per list with random suffix, just 
so that if it ever leaks out I can change the suffix and beat the 
harvesters. I picked the wrong identity to send from. Guess my Netbeans 
address now needs an update. Self-inflicted wounds. :(


I do a lot of rule dev so I have a dedicated test environment. I can't 
say whether --cf would work, I've never tried it. Seems plausible.


You'll also want "--debug area=all,rules,rules-all,message,uri" to see 
the hits in the log output.



Perfect. Thanks!


Re: A few noob questions

2020-12-20 Thread Alan

Many thanks for your help.

On 2020-12-20 15:26, John Hardin wrote:

On Sat, 19 Dec 2020, Alan wrote:

The reason for asking is that I want to use SpamAssassin to flag some 
things that are suspicious but only when other conditions are met for 
specific users. I'd like to have SA insert the rule text, eg. 
LOCAL_SOME_RULE so that I can have an exim filter check for a 
specific form of to address plus this rule match before removing the 
message.


You should be able to do that purely in SA; it's a tad more difficult 
if you want to match the envelope to address rather than the To: 
header. If you want to reliably match the envelope to address you'd 
need to have it recorded in a Received header (either the one that 
your MTA generates or the one that some trusted MTA prior to your MTA 
generates).


Agreed, ideally this is something I can stick into a KB article and have 
afflicted users implement on their own. I'd like to keep system-wide 
modifications to a minimum. A user's exim filters also move when we 
transfer an account to another server, so as long as there's a common 
rule set, not having to adjust SA configuration is a benefit.


Basically what I have now is this:

uri __LCL_SUSPECT_LINK1 /target_pattern_1/i
tflags __LCL_SUSPECT_LINK1 multiple maxhits=5
uri __LCL_SUSPECT_LINK2 /target_pattern_2/i
tflags __LCL_SUSPECT_LINK2 multiple maxhits=5
meta LCL_MANY_SUSPECT_LINKS __LCL_SUSPECT_LINK1 && __LCL_SUSPECT_LINK2 && rules_matching(__LCL_SUSPECT_LINK?) > 5

score LCL_MANY_SUSPECT_LINKS 0.001
describe LCL_MANY_SUSPECT_LINKS More than 5 links match a suspected spam pattern

As for long sequences of random characters - that's FP-prone. It's 
difficult to detect *random* in a simple RE. A long string of 
characters from a given set, easy. Characteristics about that string? 
complicated. A rule like that might potentially hit on legitimate (for 
values of "legitimate") tracking analysis URIs or caching URIs, unless 
there is some kind of uncommon pattern to it that you can discern and 
look for in the RE.


No kidding. I've seen this specific pattern in many a spam message over 
the years so I suspect it's particularly FP vulnerable. If there was a 
regex rule for "matches English word" I could nail them with ease. OTOH 
my regex skills are pretty decent. Finding the two common patterns and 
checking that at least one of each is there will hopefully eliminate 
messages that consistently only use one form, eliminating a range of FPs.


If I can use the "many suspect links" match along with a few other 
indicators, including that this particular [expletive] makes the message 
look like it comes from a mailing list, I think I can kill their spew. 
I'm seeing upwards of 20 messages per day per user from this source, but 
they're rotating through junk data center IP addresses and disposable 
mail server identities daily. This is war.


One more noob question. Can I test a rule without messing with the 
production environment by using


spamassassin -t -cf='include myrule.cf' path

or should I build a test environment?



Re: A few noob questions

2020-12-19 Thread Alan
Thanks Bill. I know very little about Perl, so while I saw the reference 
to Mail::SpamAssassin::Conf without the "perldoc" in front of it, I had 
no clue what to do with that information.


On 2020-12-20 00:18, Bill Cole wrote:

On 19 Dec 2020, at 23:39, Alan wrote:

Please forgive me if these are easy/common questions. I have done 
some searching and haven't found any clear answers.


I'm running SpamAssassin 3.4.4 in a cPanel environment.

1. What is the smallest increment for a rule score? I see some 
indications that it's 0.1, others seem to say it is 0.01. Can I go to 
0.001? Lower?


Any number that Perl understands will work but very small scores are 
pointless.  So if you really want to score a rule at 12.34e-56 you can.


The reason for asking is that I want to use SpamAssassin to flag some 
things that are suspicious but only when other conditions are met for 
specific users. I'd like to have SA insert the rule text, eg. 
LOCAL_SOME_RULE so that I can have an exim filter check for a 
specific form of to address plus this rule match before removing the 
message. But at the same time I don't want messages that match this 
rule generate false positives for other users.


Generally 0.01 or -0.01 is adequately small for such purposes.

2. I would like to match against some suspicious URLs that contain 
long sequences of random characters, but only have the rule match if 
I find multiple URLs that follow the same pattern. Normally I would 
use /(some-regex){5}/ but it seems that the rawbody command only 
looks at smaller chunks of the message (in this case the spammer is 
sending messages that are in the 11KB range and I have adjusted exim 
to pass enough in $message_body to capture enough URLs to fire a rule).


Is it possible to configure SA to look at bigger chunks? 8 KB or even 
16 KB would work. If not, is there a way to write a rule that counts 
the total number of matches of a regex against the raw body?


A rule can be allowed to match multiple times, as described in the 
documentation (perldoc Mail::SpamAssassin::Conf.) Here's the example 
provided there:


  uri  __KAM_COUNT_URIS /^./
  tflags   __KAM_COUNT_URIS multiple maxhits=16
  describe __KAM_COUNT_URIS A multiple match used to count URIs in a message


  meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
  meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
  meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
  meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
  meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
  meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
  meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
  meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)






A few noob questions

2020-12-19 Thread Alan
Please forgive me if these are easy/common questions. I have done some 
searching and haven't found any clear answers.


I'm running SpamAssassin 3.4.4 in a cPanel environment.

1. What is the smallest increment for a rule score? I see some 
indications that it's 0.1, others seem to say it is 0.01. Can I go to 
0.001? Lower?


The reason for asking is that I want to use SpamAssassin to flag some 
things that are suspicious but only when other conditions are met for 
specific users. I'd like to have SA insert the rule text, eg. 
LOCAL_SOME_RULE so that I can have an exim filter check for a specific 
form of to address plus this rule match before removing the message. But 
at the same time I don't want messages that match this rule generate 
false positives for other users.


2. I would like to match against some suspicious URLs that contain long 
sequences of random characters, but only have the rule match if I find 
multiple URLs that follow the same pattern. Normally I would use 
/(some-regex){5}/ but it seems that the rawbody command only looks at 
smaller chunks of the message (in this case the spammer is sending 
messages that are in the 11KB range and I have adjusted exim to pass 
enough in $message_body to capture enough URLs to fire a rule).


Is it possible to configure SA to look at bigger chunks? 8 KB or even 16 
KB would work. If not, is there a way to write a rule that counts the 
total number of matches of a regex against the raw body?




Re: to: header is not in my domain

2020-10-20 Thread Alan Hodgson
On Tue, 2020-10-20 at 20:38 +0100, Miki wrote:
> Thanks for quick reply, but blacklist what?
> The problem is I do not know this spammy domains.
> I want to give a score when To: field is NOT in anyaddr...@mydomain.com

Not tested, but something like this should work:

header __LOCAL_TO_ME To =~ /\@mydomain/i
header __LOCAL_CC_ME Cc =~ /\@mydomain/i
header __LOCAL_MAILING_LIST1 List-Unsubscribe =~ /[a-z]+/ 
header __LOCAL_MAILING_LIST2 List-ID =~ /[a-z]+/

meta LOCAL_NOT_TO_ME ( ! ( __LOCAL_TO_ME || __LOCAL_CC_ME || __LOCAL_MAILING_LIST1 || __LOCAL_MAILING_LIST2 ))
score LOCAL_NOT_TO_ME ??

You'll want to whitelist authenticated mail from your regular correspondents
though so it doesn't hit normal bcc's.


Re: SpamAssassin DKIM with Virtual Hosting

2020-09-24 Thread Alan Hodgson
> 

> > Or is there some criteria to determine which domain name
> > should have the DKIM signature?  Is there a penalty score if one or
> > the other is missing?
> 
> It doesn't make much difference, unless there's a whitelist involved.

If you publish a DMARC record, DMARC requires that the DKIM signing domain be
aligned with the From: header domain in order to pass. SA doesn't currently
check DMARC I don't think but lots of other receivers do.

And even if you don't want to publish DMARC records now it's probably best
practice to sign with the organizational domain of the From: header. A DKIM
signature from an unrelated domain doesn't really say anything except that the
message wasn't altered in transit.


Re: 1.6 FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla

2020-09-23 Thread Alan Hodgson
On Wed, 2020-09-23 at 14:46 -0500, Jerry Malcolm wrote:
> On 9/23/2020 2:33 PM, iulian stan wrote:
> > Most of the time the IPs from AWS are already blacklisted and you 
> > cannot do anything.
> 
> I'm curious why such a blanket statement.  Why does AWS have such a bad 
> reputation?  With companies like Netflix and Dropbox using AWS, why are 
> they considered across-the-board spammers?  I'm also curious why 
> SpamAssassin and mail-tester don't report that my AWS IP is blacklisted.
> 
> My client is massively invested in AWS with many servers, databases, and 
> services unrelated to mail.  Moving to another platform is not an 
> option.  What is a good 'reputable' 3rd party service that I can use as 
> a proxy to make sure I have 'clean' mail?

If it's normal transactional mail to people who have agreed to receive it,
just send it through a reputable ESP like Postmark. If your sending domain
itself hasn't been spamming that should be enough to get your mail delivered
fine.

Make sure your DKIM and SPF are setup right before sending.


Re: base64 encoded subjects

2020-02-07 Thread Alan Hodgson
On Fri, 2020-02-07 at 16:29 -0600, Benjamin Toll wrote:
> I'm seeing a lot of spam with base64 encoded subjects:
> 
> Subject:
> =?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=
> 
> Subject: =?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=
> 
> 
> SA is scoring the messages pretty high based off the body, but a lot of
> spams with the base64 is still getting through. I thought it wouldn't be
> too hard to write a rule to catch these, but clearly I don't know what
> I'm doing:
> 
> header   BRT_BASE64_SUBJECT Subject =~ /=\?UTF\-8/
> 
> This doesn't trigger on any of these spams. Am I going about this the
> wrong way or I'm I just that bad at writing regexs? Any suggestions
> would be appreciated.
> 

SA decodes those before rule matching.

Try Subject:raw =~ 


Re: help with simple test?

2020-01-15 Thread Alan Hodgson
On Wed, 2020-01-15 at 11:02 -0500, AJ Weber wrote:
> I'm hoping this is a relatively simple test...
> I'm seeing emails "From Me, To Me", typically extortion types. I'm not
> even seeing which of the SA tests are getting hit, because I have my
> own email in my Whitelist.
> Is there a way I can check IF From = m...@staticinfo.com AND Return-Path 
> != FROM in a rule?
> I guess no matter what, I would have to remove my own email address
> from the Whitelist?  Or can this be checked and override the
> whitelist-shortcircuit somehow?

I'd suggest a few things.
1) Make sure all your real email is DKIM signed. Then change the
whitelist on your own email to one or more  whitelist_from_dkim entries
with valid signing domains. Proper use of DKIM is awesome for
whitelisting.
2) You can't test multiple headers in one rule but meta rules are your
friend.
header __LOCAL_RETURN_PATH_ME Return-Path =~ /my@address/im
header __LOCAL_FROM_ME From =~ /my@address/im
meta LOCAL_ME_FORGED ( __LOCAL_FROM_ME && ! __LOCAL_RETURN_PATH_ME )
score LOCAL_ME_FORGED 10
describe LOCAL_ME_FORGED Message has my address in From but not in envelope sender
3) Much better plan, just add DMARC to your domain and high score
anything from your domain that fails DMARC. There is no reason to be
seeing mail forged from your own address in 2020 (assuming you have your
own domain).
4) Remember that most mailing list messages will fail both 2) and 3)
above. Have a plan for mailing lists.


Re: Custom rule to please the Mayor

2019-11-21 Thread Alan Hodgson
On Thu, 2019-11-21 at 13:24 -0500, Dave Goodrich wrote:
> Good day,
> I know I will incur some wrath for this but I have the Mayor breathing
> down my neck. We stop nearly all spam now, but some does get through.
> Mostly it has been mail from gmail and outlook servers that pass DKIM
> and SPF.
> This morning a large number of messages appearing to come from the
> Mayor were delivered. The email is technically legitimate and was
> scored appropriately. Unfortunately, the From address was in the
> following format 'the Mayor's display name '
> . So, everyone who saw the message opened it because it looked like it
> came from the Mayor. then they called the Mayor's office.
> - The message was benign.
> - The users know to hover over display names to check the address, but
> this was the Mayor. They did not.
> - All mail delivered locally comes through our server. No one is allowed
> to use their City email address on non-City devices. Had the address been
> correct, it would have been stopped.
> Even if only for this one account, I need a rule to check that the
> Mayor's display name matches the Mayor's email account and I am at a
> loss how to manage that with SA rule structure.
> Any thoughts on that or has anyone done something similar?

Make sure your real mail streams are authenticated with DKIM and you're
setup to use the whitelist_from_dkim rule; which I believe requires the
header added by opendkim on received mail.

whitelist_from_dkim *@yourdomain your_signing_domain

Then you can add a custom rule to add a large score to From =~ /mayor's
name/ and variants , possibly meta'd with FREEMAIL_FROM if you're only
concerned about gmail spoofs.

It'll only be so useful but at least you can catch the straight-up
imposter who isn't using charset encoding or spelling tricks to masq the
name.


Re: Spamassassin using remote rules definition source?

2018-12-10 Thread Alan Hodgson
On Mon, 2018-12-10 at 04:57 -0700, ozgurerdogan wrote:
> I simply need to write custom rules to block certain mails and domain names. Do
> I have to learn a programming language for this? Isn't it as easy as creating a
> conf file and letting SA update rules from that source remotely via http?
> 
> 

cron + wget + reload.

Although if you're running multiple servers it's well worth setting up
puppet or something similar eventually.

Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Alan Hodgson
On Wed, 2018-12-05 at 00:17 +, David Jones wrote:
> 
> I think he meant that DKIM related to DMARC means the DKIM signature has 
> to align/match the From: header domain to pass which is DKIM_VALID_AU in SA.
> 
> In the case of SPF, DMARC will pass if the envelope-from domain check 
> hits SPF_PASS in SA.
> 

Not quite; DMARC also requires the envelope sender domain to be aligned
with the From: header domain to pass on an SPF_PASS.


Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Alan Hodgson
On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote:
> Yeah, I see all these same things.  Better to test against From:addr
> rather than the full From:  Perhaps something like:
> 
> From:addr =~ /\@[^\s]+\@/
> 
> Of course, there might still be legit cases of that kind of usage.
> 

The problem though for phishes is that some user agents (ie. Outlook)
only display the quoted user-friendly part of the address, not the rest
of the From: header. So phishers specifically put a fake
@domainbeingphished.com in quotes so your users will see that.

I don't think I've ever seen multiple @'s in any single address part,
not since the mid-90s anyway. It would definitely be safe to block on
that for any single address.

Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Alan Hodgson
On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote:
> 
> I don't think the multiple @ signs have worked in a very long time.  So 
> I see no reason not to add score based on multiple @ signs.  Or if there 
> is a legitimate use for it, it should be extremely rare and the false 
> positive rate should be acceptable.
> 


I've been watching these for a while, and unfortunately there are a lot
of customer-service type systems that send From: addresses with quoted
@domain addresses in them. Many of them do "user@address via"
, but not all.

And then there are the messages with 2 different From: addresses within
<>'s in them. I see those from Gmail sometimes.

And I see quite a few messages where the actual sender address is given
in quotes and then followed by the same address in <>'s.

So you will definitely get false positives just looking at @'s.

I've excluded the ones with " via" in them and add a bunch of extra
points if they come from phishy countries or have .doc or .pdf
attachments, and that hits fewer fps. And I'm only scoring if the
domain parts don't match.

Re: spoofing mail

2018-11-27 Thread Alan Hodgson
On Tue, 2018-11-27 at 11:22 -0600, Rick Gutierrez wrote:
> On Tue, 27 Nov 2018 at 11:14, Alan Hodgson
> () wrote:
> 
> > Wow, that's hard to read.
> > 
> > It was close to being tagged because of the Pakistan relay. Just
> > add a few points for Word docs and you should be good. Word docs
> > from spammy countries should really get a lot of points.
> 
> Hi Alan , I think it's a valid point, except for one thing, what
> happens if you do not attach a document?
> 

Malware/phishes are usually either in an attachment or the message has
a link. Personally I add a lot of points to either if they come through
questionable countries. Users can dig them out of their Junk if they
happen to be expecting a resume from Algeria.


> Something I want to ask you, where can I increase this score or in
> what rules?
> 
> 

You'd probably have to write your own. I'm not even sure where you got
that RELAY_PK rule from but I'd guess a download from Ironport or
something.

Personally I have one set of rules for classifying countries and a few
metas on top of those.

But you probably wouldn't want to use my rules; my servers are small
with homogeneous user bases and they don't get real mail from, say,
Russia or Pakistan or the Sudan. You can tag a lot of real mail if
you're not careful writing rules.

Re: spoofing mail

2018-11-27 Thread Alan Hodgson
On Tue, 2018-11-27 at 10:42 -0600, Rick Gutierrez wrote:
> Hi , I have a situation a little complicated, I have emails from
> spammers that come with the name of one of my users, but the email
> address is not from my domain , they send it from a valid domain,
> which complies with spf, DKIM etc etc, some idea that could help me to
> adjust my spamassassin and stop this kind of post, someone has had
> experience in this type of evasion?
> 
> my user is lvelasquez
> 

Wow, that's hard to read.

It was close to being tagged because of the Pakistan relay. Just add a
few points for Word docs and you should be good. Word docs from spammy
countries should really get a lot of points.

Re: dropping other's email(s) as a "best practice" for hosted email? (was: "anyone recognize these headers? ...")

2018-04-26 Thread Alan Hodgson
On Thu, 2018-04-26 at 13:41 -0700, L A Walsh wrote:
> To my way of thinking, dropping someone else's email,
> telling the sender the email is being rejected for having
> spam-like characteristics and telling the recipient nothing
> seems like it might have legal liability for the for the
> user potentially missing vital email.
> 
> It also would seem to violate what used to be a basic 
> expectation of internet email -- that it is either delivered
> to the recipient's inbox OR you'll receive a
> non-delivery notification (a "bounce").

Rejecting the message during receipt causes the sending server to
generate a bounce. If it's at all functional.

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-18 Thread Alan Hodgson
On Sun, 2018-03-18 at 17:14 -0500, David Jones wrote:
> 
> I have Steve Freegard's DecodeShortURLs.pm installed but didn't get any 
> HAS_SHORT_URL hits on this one:
> 
> https://pastebin.com/t85b0Bns


Is it getting any hits? It definitely hits on that one in a test here.

Note it needs Perl's LWP::UserAgent and DBD::SQLite to get it to work
at all.


Re: Turn OFF SA spam filtering but keep ON header examination

2018-01-18 Thread Alan Hodgson
On Thu, 2018-01-18 at 18:49 -0500, Chip wrote:
> Very well stated.  Bravo!
> 
> The end point here is to examine the email headers that specifically
> refer to dkim and spf signatures.  Based on fail or pass, or some
> combination in concert with the sender's email address, they get moved
> into fail or pass folders.
> 
> That's it!
> 

If that's literally all you want to do, then have SpamAssassin score
every message at +50 with a generic local rule, and whitelist_from_spf
or whitelist_from_dkim the ones you want to keep. SA knows how to do
SPF and DKIM.

Then dump anything that passes SA into the pass folder, everything else
into fail.

Re: From name containing a spoofed email address

2018-01-17 Thread Alan Hodgson
On Wed, 2018-01-17 at 13:31 -0600, David Jones wrote:
> Would a plugin need to be created (or an existing one enhanced) to
> be 
> able to detect this type of spoofed From header?
> 
> From: "h...@hulumail.com !" 
> 
> https://pastebin.com/vVhGjC8H
> 
> Does anyone else think this would be a good idea to make a rule that
> at 
> least checks both the From:name and From:addr to see if there is an 
> email address in the From:name and if the domain is different add
> some 
> points?
> 
> We are seeing more and more of this now that SPF, DKIM, and DMARC
> are 
> making it harder to spoof common/major brands that have properly 
> implemented some or all of them.

I've been testing this:

header __LOCAL_CRAZY_MULTI_ATS From =~ /.*\@.*\@.*\@/
header __LOCAL_MULTI_ATS From =~ /.*\@.*\..*["\s].*\@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-]+/
header __LOCAL_MULTI_ATS_SAME_DOMAIN From =~ /.*\@([a-zA-Z0-9\.\-]+\.[a-zA-Z0-9\.\-]+).+\@\1[^a-zA-Z0-9\.\-]/i
meta LOCAL_FORGED_DISPLAY_DOMAIN ( __LOCAL_CRAZY_MULTI_ATS || ( __LOCAL_MULTI_ATS && ! __LOCAL_MULTI_ATS_SAME_DOMAIN ) )
describe LOCAL_FORGED_DISPLAY_DOMAIN From header appears to have a forged domain in part of the address

... which tries to see if there are two @domain.names in the From and
score if they aren't the same domain.

I doubt it's usable yet, and I don't have the mail volume to look for
all the ways it breaks, but it's a start. I would appreciate tweaks.
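An added example, not code from either post: a Python version of the LOCAL_FORGED_DISPLAY_DOMAIN logic above, with the " via" exclusion from the 2018-12-03 message applied, so it can be run over a handful of From: values before the regexes go into production. The header samples and their domains are constructed placeholders.

```python
import re

# Address-looking tokens inside the display name: "@" followed by a dotted
# host, the same shape as \@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-]+ in the rules above.
DISPLAY_ADDR = re.compile(r"@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# The real address is the last <...> group at the end of the header value.
ANGLE_ADDR = re.compile(r"<([^<>]+)>\s*$")
# "user@addr via Service" senders are common in ham; exclude them as the thread does.
VIA_SENDER = re.compile(r"\bvia\b", re.IGNORECASE)


def split_from(from_header: str):
    """Split a From: value into (display_name, address). Without angle
    brackets the whole value is taken as the address and the name is empty."""
    value = from_header.strip()
    m = ANGLE_ADDR.search(value)
    if not m:
        return "", value
    return value[:m.start()].strip().strip('"').strip(), m.group(1).strip()


def display_domains(from_header: str):
    """(real address domain, domains of any @addresses shown in the display name)."""
    name, addr = split_from(from_header)
    real = addr.rpartition("@")[2].lower()
    shown = [d.lower() for d in DISPLAY_ADDR.findall(name)]
    return real, shown


def forged_display_domain(from_header: str) -> bool:
    """Mirror of LOCAL_FORGED_DISPLAY_DOMAIN: fire when the display name shows an
    @domain that is not the sending address's domain, except for " via" senders."""
    name, _ = split_from(from_header)
    real, shown = display_domains(from_header)
    if not real or not shown:
        return False
    if VIA_SENDER.search(name):
        return False
    return any(d != real for d in shown)


# Constructed From: values with placeholder domains.
SAMPLES = {
    "phish": '"support@bank.example !" <noreply@mailer.example.net>',
    "via_ham": '"alice@example.org via Ticketing" <tickets@helpdesk.example.com>',
    "same_domain": '"bob@example.com" <bob@example.com>',
    "plain": "Alice <alice@example.org>",
    "three_ats": '"a@x.example" "b@y.example" <c@z.example>',
    "bare": "carol@example.org",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:12} forged={forged_display_domain(value)}  {value}")
```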


Re: Malformed spam email gets through.

2018-01-01 Thread Alan Hodgson
On Mon, 2018-01-01 at 10:29 -0500, Bill Cole wrote:
> On 1 Jan 2018, at 9:59 (-0500), David Jones wrote:
> 
> > I think some mail systems will keep the same message-ID per email 
> > thread so your system must reject some replies.
> 
> I have not seen such behavior in the past 20 years...
> 
> Intentionally re-using another site's MIDs is so wrong that I'd
> happily 
> make it break hard.
> 
> HOWEVER, the idea of enforcing any standard on MIDs beyond gross
> format 
> (e.g.: <[[:ascii:]]{3,996}>) on a system where the admin isn't the
> sole 
> user is ludicrous.

I've had good success junking anything with one of my domains in the
message-id, where I know the mail isn't actually from someone in that
domain. That's a pretty solid spam signature.

Lack of any message-id is also significant, but sadly there are still
some real senders sending mail with no message-id.

Re: TO_NO_BRKTS_DYNIP

2017-12-04 Thread Alan Hodgson
On Mon, 2017-12-04 at 15:20 -0500, Joseph Brennan wrote:
> New rule: TO_NO_BRKTS_DYNIP
> 
> Since TO_NO_BRKTS_DYNIP is 2.361 and its component RDNS_DYNAMIC is
> 2.639, one gets an even 5.0 score just for sending from
> ec2-54-225-189-51.compute-1.amazonaws.com without < > around the To address.
> 
> Should the amazonaws.com hosts not be in RDNS_DYNAMIC? I'm not silly
> enough to say they are free of spam customers, but they are
> definitely servers.
> 
> Joseph Brennan / Columbia U
> 
> 

Mail servers don't generally have generic reverse DNS, if they don't
want to be mistaken for end-user IPs or spambots.

https://aws.amazon.com/blogs/aws/reverse-dns-for-ec2s-elastic-ip-addresses/


Re: FROM header with two email addresses

2017-09-27 Thread Alan Hodgson
On Wed, 2017-09-27 at 11:42 -0700, Miles Fidelman wrote:
> This could also be an attempt to get a mailing list to work.
> 
> There's a continuing problem with email list traffic getting bounced by 
> DKIM, and various work-arounds - the gist is that the mail has to come 
> from the list manager, but you still need a way to indicate the original 
> author of the message.  Hacks abound. But basically, DKIM is just broken.
> 

DKIM works fine. It is in fact working as intended when a signature
fails to validate against a message that has been modified in transit.

Mailing lists or other forwarders that modify signed portions of the
message without taking ownership of the From: header are just not
compatible with DKIM or DMARC-reject senders.

Re: Somewhat OT: DMARC and this list

2017-05-19 Thread Alan Hodgson
On Friday 19 May 2017 20:11:42 David Jones wrote:
> >Urgg, I see that now. I looked at a few of David Jones' posts to this list
> >and saw that they weren't DKIM signed, so I extrapolated that to a general
> >assumption.
> 
> They are DKIM signed so something must be stripping the headers.
> 

Well, it's not the list. Others' signatures are coming through fine. 

I had to tell OpenDMARC to whitelist ena.com to get anything from you.


Re: Somewhat OT: DMARC and this list

2017-05-19 Thread Alan Hodgson
On Friday 19 May 2017 14:47:56 Dianne Skoll wrote:
> On Fri, 19 May 2017 20:43:39 +0200
> 
> Benny Pedersen  wrote:
> > some maillists break DKIM, focus on that first, not last !
> 
> Thank you for not adding any value to the conversation.  The
> domain in question is not using DKIM.
> 

This is actually one of the few mailing lists that a DMARC p=reject domain can 
send anything to. Assuming they DKIM-sign their mail, of course. 

I would argue that setting a DMARC p=reject policy without working DKIM is a 
fundamentally broken idea on the sender's part. They can't send bounces or 
vacation messages or anything else with a null envelope sender, for starters. 
Or send anything to anyone who forwards their mail to Gmail, at least 

I guess you can whitelist them if you care enough.


Re: Today's Google Docs phish

2017-05-04 Thread Alan Hodgson
On Thursday 04 May 2017 17:07:31 John Hardin wrote:
> I expect a basic accounts.google.com URI rule would be a good idea even if
> a redirector pattern for this was added - is there any legitimate reason
> for a "log in to your google account" URL to be in an email?
> 

Not from anyone who isn't whitelisted ...


Re: Matching To and Received addresses

2017-03-28 Thread Alan Hodgson
On Tuesday 28 March 2017 13:58:43 Alex wrote:
> I'd like to be able to use the fact that the To address is not the
> same as the address shown in the Received header in a meta of some
> kind.
> 
> How frequent would you think that would appear in ham alone? It's the
> basis for a number of phishing attacks here, so I'd like to see about
> using it in some way.
> 

Checking that the envelope recipient address is in To or Cc works great on my 
mail and also for any public role addresses like sales or support, but 
probably not so much for general users. Any BCC will hit such a rule.  And of 
course you have to exclude real mailing list mail.

I guess the question would be how many legit bcc's do your users get from 
non-whitelisted senders?

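The check Alan describes (envelope recipient absent from To:/Cc:, with real list mail excluded), written out as an added example rather than a rule from the thread. It assumes the caller passes in the envelope recipient, which the MTA knows but the headers do not carry; the sample messages are constructed.

```python
"""Envelope-recipient-versus-To/Cc check, as an added example (not a SpamAssassin
rule from the thread). Assumption: the caller supplies the envelope recipient,
which the MTA knows but the message headers do not carry."""
import email
from email import policy


def visible_recipients(msg) -> set:
    """Every addr-spec in To: and Cc:, lower-cased; display names are ignored."""
    found = set()
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        for addr in header.addresses:
            found.add(addr.addr_spec.lower())
    return found


def envelope_rcpt_hidden(raw_message: str, envelope_rcpt: str,
                         role_addresses=()) -> bool:
    """True when the envelope recipient does not appear in To: or Cc:.

    Real list traffic (List-Id present) is excluded, as the post advises.
    When role_addresses is given (sales@, support@ ...), only those recipients
    are checked, because ordinary users legitimately receive Bcc mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if msg["List-Id"] is not None:
        return False
    rcpt = envelope_rcpt.lower()
    if role_addresses and rcpt not in {a.lower() for a in role_addresses}:
        return False
    return rcpt not in visible_recipients(msg)


# Constructed sample messages (not from the thread).
PHISH = (
    "From: Accounts <billing@example.net>\n"
    "To: Valued Customer <someone-else@example.net>\n"
    "Subject: Invoice attached\n\n"
    "Please open the attachment.\n"
)
HAM = (
    "From: Bob <bob@example.net>\n"
    "To: support@example.com, Alice <alice@example.com>\n"
    "Subject: Question\n\n"
    "Hello.\n"
)
LISTMAIL = (
    "From: Bob <bob@example.net>\n"
    "To: users@lists.example.org\n"
    "List-Id: Users list <users.lists.example.org>\n"
    "Subject: [users] Question\n\n"
    "Hello list.\n"
)

if __name__ == "__main__":
    print(envelope_rcpt_hidden(PHISH, "support@example.com"))     # True
    print(envelope_rcpt_hidden(HAM, "support@example.com"))       # False
    print(envelope_rcpt_hidden(LISTMAIL, "support@example.com"))  # False
```
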

Re: New whitelisting trick using from and spf

2017-03-06 Thread Alan Hodgson
On Monday 06 March 2017 11:58:25 David B Funk wrote:
> On Mon, 6 Mar 2017, Alan Hodgson wrote:
> >> It seems it should be easy to setup “If mail claims to be From:
> >> PayPal.com
> >> and is not from PayPal, score +100” but it is not.
> > 
> > This is what DMARC is for.
> > 
> > Run opendmarc as a milter and reject failures. Or score later on DMARC
> > failure, even if just selectively for highly phished domains.
> > 
> > PayPal publishes p=reject, on paypal.com at least, if not their other
> > domains.
> But that won't help you when the scammers set the user visible from as
> "acco...@paypai.com" or some other variant (with the actual address part as
> <acco...@example.com> or something else).
> 
> user-agents (such as OutHouse) by default only show the "comment" part of
> the address and hide the actual <> address part, making it easy for
> scammers to fool the non-tech savvy users.

Well, sure. And they can use any variant of paypal.whatever that they own, 
too, to show in better email clients. 

But you do what you can. Personally I've been flagging anything with paypal or 
pay pal anywhere in the From: that doesn't have a whitelisted PayPal domain's 
DKIM signature on it, but I don't know how well that scales.


Re: New whitelisting trick using from and spf

2017-03-06 Thread Alan Hodgson
> It seems it should be easy to setup “If mail claims to be From: PayPal.com
> and is not from PayPal, score +100” but it is not.

This is what DMARC is for.

Run opendmarc as a milter and reject failures. Or score later on DMARC 
failure, even if just selectively for highly phished domains. 

PayPal publishes p=reject, on paypal.com at least, if not their other domains.


Re: Keyword Whitelist?

2017-01-11 Thread Alan Hodgson
On Wednesday 11 January 2017 14:31:15 John Hardin wrote:
> That's more complex than needed. The message subject is automatically
> included in body rules, so you only need __LOCAL_BODY_PRODUCTS.
> 

Cool, I did not know that. txs.



Re: SA bayes file db permission issue

2016-06-09 Thread Alan Hodgson
On Thursday 09 June 2016 16:26:26 Yu Qian wrote:
> Yes, I am sure the path is correct, also, if the path is not correct, it
> will show 'db not present'.
> 
> I tried to write a small perl script to open the db file, it failed too. so
> I think it maybe the file damaged during the mounting. but I don't know why
> this can happen
> 

The docker container probably has a different DB version than your Mac.



Re: DMARC auto-away rejects

2016-04-04 Thread Alan Hodgson
On Monday, April 04, 2016 11:09:12 PM A. Schulze wrote:
> really?
> 
> I know DMARC as
> "example.com may dkim sign with example.com. relax alignment will
> match even for RFC5322.From sub.example.com"
> 
> but you claim
> "sub.example.com may dkim sign with sub.example.com a message with
> RFC5322.From example.com and that will be relax aligned"
> -> I don't agree.
> 
> see https://tools.ietf.org/html/rfc7489#appendix-B.1.2
> 
> 
> As "RW" pointed out: The message has a dkim signature mx.aol.com but
> RFC5322.From is the /parent/ domain
> That does not align and dmarc will not pass. It's AOL's fault.
> 
> Andreas

I really believe that's incorrect. Relaxed alignment specifically means you can 
sign with a subdomain's key or use a subdomain for SPF.

Read sections 3.1.2 and 10.4 of that same document, for instance.



Re: DMARC auto-away rejects

2016-04-04 Thread Alan Hodgson
On Monday, April 04, 2016 09:34:56 PM RW wrote:
> On Mon, 04 Apr 2016 13:18:54 -0700
> 
> Alan Hodgson wrote:
> > On Monday, April 04, 2016 08:59:51 PM RW wrote:
> > > I'm assuming that you are using these rules:
> > > 
> > > https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/
> 
> ...
> 
> > That's invalid, though. DMARC allows a subdomain to sign the mail
> > with a relaxed alignment policy. The original message should have
> > passed a DMARC test.
> 
> It's just a collection of rules that make use  of the dmarc dns
> lookup, it doesn't pretend to be a dmarc implementation. See the bottom
> of the page linked.

I see that, and it's a good disclaimer. I would disagree that those tests will 
work as intended in most cases, though. Many ESPs sign with subdomain keys. 
And clearly AOL is, too. Relaxed alignment is the DMARC default.


Re: DMARC auto-away rejects

2016-04-04 Thread Alan Hodgson
On Monday, April 04, 2016 08:59:51 PM RW wrote:
> I'm assuming that you are using these rules:
> 
> https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/
> 
> 
> meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
>  __DMARC_POLICY_REJECT
> 
>  __DMARC_POLICY_REJECT comes from a dns look-up which says that the
> policy is to reject. The rule will then fire if neither  DKIM_VALID_AU
> nor SPF_PASS hit.
> 
> SPF can't be  used here because there's no envelope sender, dkim
> passes but it's signed by mx.aol.com not by the domain in the
> header from address, so DKIM_VALID_AU doesn't get hit either.
> 

That's invalid, though. DMARC allows a subdomain to sign the mail with a 
relaxed alignment policy. The original message should have passed a DMARC 
test.

> > So ultimately who's at fault here for causing this to fail? AOL? What
> > should have been done to prevent it?
> 
> AOL, I guess.

Uh, no. The test is bad.


Re: how to fix this issue-spam

2016-02-04 Thread Alan Hodgson
On Thursday, February 04, 2016 08:05:59 PM Reindl Harald wrote:
> in context of "DKIM and DMARC are the present and near future" how do
> you imagine that to work if you have no clue who is sending on behalf of
> yours?
> 

Well you obviously have something emotionally invested in SPF.

But anyways DMARC explicitly has a full testing mode and a reporting feedback 
cycle - which actually works and is supported by some big mail receivers - so 
you can work through these issues during deployment.



Re: how to fix this issue-spam

2016-02-04 Thread Alan Hodgson
On Thursday, February 04, 2016 06:06:14 PM Reindl Harald wrote:
> before Google is telling somebody something they should better learn
> the difference between "~" and "-" in a SPF record to make gmail.com at
> least on envelope-level spoofing protected
> 
> a high percentage of spam here would not only have been flagged but
> outright rejected if they would do their own homework
> 
> ;; ANSWER SECTION:
> gmail.com.  300 IN  TXT "v=spf1
> redirect=_spf.google.com"
> 
> ;; ANSWER SECTION:
> _spf.google.com.300 IN  TXT "v=spf1
> include:_netblocks.google.com include:_netblocks2.google.com
> include:_netblocks3.google.com ~all"

SPF strict outright breaks mail forwarding, unless the forwarder rewrites the 
envelope sender.

DKIM + DMARC is a much better compromise. It allows properly-signed mail 
forwarded intact to still pass DMARC checks.

The only significant forwarders that break DMARC are mailing lists, because 
they tend to change headers (especially subject lines) and add content to the 
message body, both of which break the DKIM signatures. Ironically, they also 
rewrite the envelope sender, so they didn't notice how broken SPF by itself 
was.

Mailing lists will need to learn to either not modify the message being 
forwarded, or else both rewrite the From: header and preferably remove any 
now-broken DKIM signatures. Or just refuse mail from DMARC-reject senders, 
which will eventually marginalize their use.

Neither mechanism is perfect, but I think everyone can agree that email needs 
to adapt to remain useful in a world full of criminals. And even more 
importantly, it does seem that DMARC-reject is gaining traction among big mail 
receivers.

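The alignment argument in the DMARC auto-away thread above (a subdomain's DKIM key satisfying relaxed alignment) and the forwarding argument in this post both come down to RFC 7489's identifier alignment. The following is an added example, not SpamAssassin's DKIM plugin, the blog post's rules, or any poster's code: a minimal DMARC evaluator using a constructed two-entry suffix table in place of the Public Suffix List, run over the three situations the posts describe.

```python
"""DMARC identifier alignment and disposition (RFC 7489, section 3.1), in a
simplified form. Added example: not SpamAssassin's DKIM plugin, not the rules
from the linked blog post, and not any poster's code. Organizational domains
come from a tiny constructed suffix table instead of the Public Suffix List."""
from dataclasses import dataclass, field

# Constructed stand-in for the Public Suffix List (assumption, not the real PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: the public suffix plus one label (mx.aol.com -> aol.com)."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict; adkim/aspf default to relaxed."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


@dataclass
class AuthResults:
    """What the receiver established before DMARC: the RFC5322.From domain,
    the d= domain of every DKIM signature that verified, and the SPF outcome."""
    from_domain: str
    dkim_valid_domains: list = field(default_factory=list)
    spf_result: str = "none"   # 'pass', 'fail', or 'none' (no envelope sender)
    spf_domain: str = ""       # MAIL FROM domain SPF was evaluated against


def dmarc_evaluate(results: AuthResults, record_txt: str) -> str:
    """Return 'pass', or the sender's requested disposition (p=) when neither
    an aligned DKIM pass nor an aligned SPF pass exists."""
    rec = parse_dmarc_record(record_txt)
    dkim_ok = any(aligned(d, results.from_domain, rec["adkim"])
                  for d in results.dkim_valid_domains)
    spf_ok = (results.spf_result == "pass"
              and aligned(results.spf_domain, results.from_domain, rec["aspf"]))
    return "pass" if (dkim_ok or spf_ok) else rec["p"]


if __name__ == "__main__":
    # 1. The AOL auto-reply from the thread: null envelope sender (so SPF cannot
    #    apply), DKIM d=mx.aol.com, From aol.com. Relaxed alignment passes.
    aol = AuthResults("aol.com", ["mx.aol.com"])
    print("auto-away, relaxed:", dmarc_evaluate(aol, "v=DMARC1; p=reject"))
    print("auto-away, strict: ", dmarc_evaluate(aol, "v=DMARC1; p=reject; adkim=s"))
    # 2. Plain forwarding: the forwarder's IP fails SPF, but an intact DKIM
    #    signature from the author's domain still satisfies DMARC.
    fwd = AuthResults("example.com", ["example.com"], "fail", "example.com")
    print("forwarded intact:  ", dmarc_evaluate(fwd, "v=DMARC1; p=reject"))
    # 3. A mailing list that rewrote the subject/body: DKIM broken, SPF passes
    #    for the list's own domain, which is not aligned with From.
    lst = AuthResults("example.com", [], "pass", "lists.example.org")
    print("list, modified:    ", dmarc_evaluate(lst, "v=DMARC1; p=reject"))
```
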

Re: how to fix this issue-spam

2016-02-04 Thread Alan Hodgson
On Thursday, February 04, 2016 04:36:14 PM Reindl Harald wrote:
> 
> wait i tell you something (for you) new: DMARC and mailing-lists is an
> awful topic - what do you think would have happened with your mail to the
> list if your domain would enforce DMARC and my MX reject mails violating
> the policy?

Actually, it appears this list is one of the rare ones that would be fine with 
DMARC reject, since it doesn't break existing DKIM signatures.


Re: how to fix this issue-spam

2016-02-04 Thread Alan Hodgson
On Thursday, February 04, 2016 07:41:44 PM Reindl Harald wrote:
> which people don't know this?
> admins?
> don't maintain services then!
> 
> users?
> 
> just use the SMTP server your mailprovider tells you and no other one
> and for smtp-admins: just don't accept envelope senders for which you
> would not accept incoming mail
> 
> that is as easy as something can be
> 

Yeah, it's really really not.

I'm in a 50 person company and we have our internal mail server, 3 different 
ESPs sending mail on our behalf for different applications, Google calendar 
sending on our behalf, and 2 different SAAS customer service platforms sending 
as us. I can't even imagine how many different sources a large company has.

And SPF doesn't do anything about the only part of the message the users care 
about, the message headers.

In any event, SPF is legacy. DKIM and DMARC are the present and near future of 
mail services. DMARC uses SPF only as a fallback for broken or missing DKIM 
signatures.


RE: How to find where email server has been blacklisted

2010-03-08 Thread Stanier, Alan M
That would be a very useful site, except that it shows the results as 
colour-coded icons, and I see the listed and not-listed icons as identical.

-Original Message-
From: Mikael Syska [mailto:mik...@syska.dk] 
Sent: 08 March 2010 01:56
To: users@spamassassin.apache.org
Subject: Re: How to find where email server has been blacklisted

Hi,

This site works for me:
http://whatismyipaddress.com/staticpages/index.php/is-my-ip-address-blacklisted

mvh

On Mon, Mar 8, 2010 at 1:24 AM, Rops roberta3...@yahoo.com wrote:

 Hello

 I'm trying to figure out why some emails get lost, which most likely is due
 to emails killed by the ISP spam filter because of the high spam score these
 lost emails have.

 How to find out if some mail server is blacklisted and where?
 Is there any central database for queries from all different blacklists?
 Also IP based search is required and data when and why.


 IP based search may be needed, as the server in question has its mailbox
 hosted with the ISP, but I believe that still the virtual server can be
 blacklisted separately based on its static IP and not the whole ISP mail
 server.

 An additional side effect is that emails sent inside the company get lost more
 often - I believe because the virtual server is blacklisted somewhere and
 therefore emails sent always gather a higher spam score.
 So the question is to find out where it's blacklisted?


 Thanks for any help and guidelines how and where to continue!




Re: A little help with a local.cf rule... please!

2009-12-30 Thread Michael Alan Dorman
 So my rule:
 # hotmail drug spam
 uri MY_HOTMAIL_SPAM
 m{https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i}
 describe MY_HOTMAIL_SPAM Druggy hotmail.com links
 score MY_HOTMAIL_SPAM 5.0
 
 And running emails through it using -D, it does not hit it as far as
 I can tell - scores 3.5 due to other tests.
 Yes, it IS reading it cause if I mess with the rule and make it have
 bad syntax, SA --lint complains loudly. Right now, no complaints -
 and no results.
 Any ideas? Suggestions?

//{1,30} matches a slash, followed by 1-30 more slashes.
\.{1,30} matches 1-30 periods.

I think you forgot a \S or something before each of those.  Also,
[0-9]{4} would do what you want for numeric component.  And I think you
want the i *after* the bracket, no?

Mike.

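Mike's reading of the rule, shown concretely as an added example (not code from either poster): the pattern as posted next to a corrected form, run through Python's re, whose syntax matches Perl's for these constructs. The "fixed" pattern is my rendering of his advice (a backslash-S before each quantifier, [0-9]{4}, the i flag outside the delimiters); the URIs are constructed.

```python
"""The hotmail-spam uri rule from the post, compared with a corrected form.
Added example: FIXED is my reading of Mike's advice (a \\S before each
quantifier, [0-9]{4} for the digits, the i flag outside the delimiters)."""
import re

# As posted: the {1,30} quantifiers bind to the preceding '/' and '.', and the
# trailing "/i" inside the m{...} delimiters is a literal, not a flag.
BROKEN = re.compile(r"https?://{1,30}\.{1,30}\.(com|ru|cn)/[0-9][0-9][0-9][0-9]/i")

# Corrected: \S{1,30} consumes each host label, {4} for the digits, case-insensitive.
FIXED = re.compile(r"https?://\S{1,30}\.\S{1,30}\.(com|ru|cn)/[0-9]{4}/", re.IGNORECASE)


def hits(pattern: re.Pattern, uri: str) -> bool:
    """True when the rule would fire on this URI."""
    return pattern.search(uri) is not None


# Constructed URIs of the shape the rule was written for (not from the post).
SPAMMY = ["http://pills.example.com/1234/", "HTTP://shop.EXAMPLE.RU/5678/index.htm"]
# The only kind of string the posted pattern can match: literal dots after "//"
# and a literal "/i" at the end.
PATHOLOGICAL = "http://..com/1234/i"

if __name__ == "__main__":
    for uri in SPAMMY:
        print(uri, "broken:", hits(BROKEN, uri), "fixed:", hits(FIXED, uri))
    print(PATHOLOGICAL, "broken:", hits(BROKEN, PATHOLOGICAL))
```
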

Re: Dear Santa

2009-12-20 Thread Michael Alan Dorman
On Sat, 19 Dec 2009 10:06:11 -0600
Dave Pooser dave...@pooserville.com wrote:
 share the code so that some of us could auto-generate rules based on
 our own ham/spam mailstreams, and then share those rules with you for
 possible SOUGHT inclusion?

I think that's already done, though not well documented; check
$SRC/masses/rule-dev. The blog posts that are referenced in the sought
page on the wiki talk about the process some.

Mike.


Re: Eliminating russian spam

2009-09-22 Thread Makoev Alan
Thank you, John!
Both how-to (http://sa-russian.narod.ru/no_russian.html) and the ruleset 
(http://sa-russian.narod.ru/files/20090916/99_no_russian_mail.cf) are updated.


Re: Cyrillic charsets normalization

2009-02-16 Thread Makoev Alan
But that would also prevent MUAs from correctly rendering the contents, wouldn't 
it?

16.02.09, 10:48, Jeff Chan je...@surbl.org:

 On Sunday, February 15, 2009, 11:19:17 PM, Makoev Alan wrote:
  So my question is: Is it just due
  to developers' time shortage, or there are some reasons for
  avoiding using the charset indicated in the header field as a
  source charset for normalization? 
 Perhaps spammers set that field deceptively or incorrectly some
 of the time or don't set it at all other times, so that an
 attempt to automatically detect the character set is useful in
 some cases?  This is just a guess on my part however.
 Cheers,
 Jeff C.
 -- 
 Jeff Chan
 mailto:je...@surbl.org
 http://www.surbl.org/


Cyrillic charsets normalization

2009-02-15 Thread Makoev Alan
There was recently a discussion on the charset normalization feature (see e.g. 
http://markmail.org/message/hvdtbca6lm5tsjtm?q=list:org.apache.spamassassin.users+date:200901+page=42)
I ran a simple check on the results that the Encode::Detect::Detector facility yields.
I selected manually a set of 39 spam messages in Russian (those that were not 
MIME-encoded so I could see the contents by just tapping F3 in mc) - 32 with 
KOI8-R encoding, 6 with CP-1251 and 1 (ham) UTF-8. After that I ran a 
simple script that feeds the message body to Encode::Detect::Detector::detect, and 
got the following:
- among 6 CP-1251 messages 1 was detected as Mac-Cyrillic (which might be 
pardonable when making texts for humans, since these encodings differ only in 2 
letters, but it may affect negatively text analysis results) and 1 was not 
recognized at all (Encode::Detect::Detector::detect returned undef);
- among 32 KOI8-R messages 3 were detected as CP-1255 (Hebrew);
- 1 UTF-8 message was detected correctly.
Of course, this set is by no means representative, but it illustrates possible 
drawbacks in using normalize_charset option.
Strictly speaking, one could expect such a result, because the tricks widely used 
by spammers (replacing cyrillic letters with similar-looking latin ones, 
replacing digits with letters that look similar to digits and vice versa, 
adding random letter sequences to poison bayes, etc.) should affect the 
detection result.
And despite that, SA ignores the charset= statement in the Content-type: header 
field. So my question is: Is it just due to developers' time shortage, or are there 
some reasons for avoiding using the charset indicated in the header field 
as a source charset for normalization? 

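The alternative the post asks about, trusting the declared charset before guessing, as an added example that is not SpamAssassin's normalize_charset (which, per the post, relies on Encode::Detect::Detector). The fallback order is my own assumption, the sample Russian text and messages are constructed, and the last case reproduces the kind of plausible-but-wrong single-byte guess the post measured.

```python
"""Charset normalization that trusts the declared Content-Type charset first and
falls back to guessing only when it is absent, unknown, or does not decode.
Added example, not SpamAssassin's normalize_charset; messages are constructed."""
import email

# Fallback order is a policy choice (assumption): UTF-8 first because it rejects
# almost any non-UTF-8 Cyrillic text, then the single-byte codecs, where the
# first that decodes wins. That ambiguity is exactly what the post measured.
FALLBACK_CHARSETS = ("utf-8", "koi8_r", "cp1251", "mac_cyrillic")


def has_cyrillic(text: str) -> bool:
    """True if any character is in the Unicode Cyrillic block."""
    return any("\u0400" <= ch <= "\u04ff" for ch in text)


def normalize_body(raw_message: bytes):
    """Return (text, charset_used, declared_charset_trusted)."""
    msg = email.message_from_bytes(raw_message)
    body = msg.get_payload(decode=True) or b""
    declared = msg.get_content_charset()   # None when the header lacks charset=
    if declared:
        try:
            return body.decode(declared, errors="strict"), declared, True
        except (LookupError, UnicodeDecodeError):
            pass   # unknown or lying charset: fall through to guessing
    for cs in FALLBACK_CHARSETS:
        try:
            text = body.decode(cs, errors="strict")
        except UnicodeDecodeError:
            continue
        if cs == "utf-8" or has_cyrillic(text):
            return text, cs, False
    return body.decode("latin-1"), "latin-1", False


def build_message(declared, text: str, actual=None) -> bytes:
    """Construct an 8-bit (non-MIME-encoded) sample message. 'declared' goes into
    Content-Type (None omits charset=); 'actual' is the codec really used."""
    actual = actual or declared or "utf-8"
    ctype = "text/plain; charset=%s" % declared if declared else "text/plain"
    head = "Content-Type: %s\r\nContent-Transfer-Encoding: 8bit\r\n\r\n" % ctype
    return head.encode("ascii") + text.encode(actual)


SAMPLE = "Привет, мир"   # constructed Russian text

if __name__ == "__main__":
    cases = [("koi8-r", None), ("windows-1251", None), (None, None),
             ("us-ascii", "koi8-r"),      # header lies about the charset
             ("x-unknown", "cp1251")]     # unknown charset, CP-1251 bytes
    for declared, actual in cases:
        print(declared, actual, normalize_body(build_message(declared, SAMPLE, actual)))
```

The last case comes back as KOI8-R mojibake rather than the original text: once the header cannot be trusted, single-byte Cyrillic codecs all decode the same bytes without error, which is why detection alone misclassified some of the post's CP-1251 and KOI8-R samples.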

Cyrillic charsets normalization

2009-02-13 Thread Makoev Alan
There was recently a discussion on the charset normalization feature (see e.g. 
http://markmail.org/message/hvdtbca6lm5tsjtm?q=list:org.apache.spamassassin.users+date:200901+page=42)
I ran a simple check of the results the Encode::Detect::Detector facility yields.
I selected manually a set of 39 spam messages in Russian (those that were not 
MIME-encoded so I could check them by just tapping F3 in mc) - 32 with KOI8-R 
encoding, 6 with CP-1251 and 1 UTF-8. After that I ran a simple script that 
feeds the message body to Encode::Detect::Detector::detect, and got the following:
- among 6 CP-1251 messages 1 was detected as Mac-Cyrillic (which might be 
pardonable when making texts for humans, since these encodings differ only in 2 
letters, but it may affect negatively text analysis results) and 1 was not 
recognized at all (Encode::Detect::Detector::detect returned undef);
- among 32 KOI8-R messages 3 were detected as CP-1255 (Hebrew);
- 1 UTF-8 message was detected correctly.
Of course, this set is by no means representative, but it illustrates possible 
drawbacks in using normalize_charset option.
Strictly speaking, one could expect such a result since the tricks widely used by 
spammers (replacing cyrillic letters with similar-looking latin ones, replacing 
digits with letters that look similar to digits and vice versa, adding random 
letter sequences to poison bayes, etc.) should affect the detection result.
And despite that, SA ignores the charset= statement in the Content-type: header 
field. So my question is: Is it just due to developers' time shortage, or are there 
some reasons for avoiding using the charset indicated in the header field 
as a source charset for normalization?



Re: FreeMail.pm

2009-01-28 Thread Alan Munday
Henrik K wrote the following on 28/01/09 18:54:
 On Wed, Jan 28, 2009 at 10:35:44AM -0800, John Hardin wrote:
 On Wed, 28 Jan 2009, Henrik K wrote:

 http://sa.hege.li/FreeMail.pm
 I notice the list of freemail providers has changed - how frequently  
 should we be updating this plugin? Is there an sa-update channel for it?
 
 Haven't updated it in a long time..
 
 Someone could easily host a freemail.cf with only freemail_domains lines if
 they wanted. Unfortunately I don't have the resources to detect/find/update
 such domains currently.
 
 Cheers,
 Henrik

Henrik

A list of freemail address has been maintained for a long time at
http://www.oryx.com/spam/freemail/domains.txt

Not sure how often they update, but I've been using their list for some
years now.

Alan


Re: Serious problem with scores file for todays rule update?

2008-12-30 Thread Michael Alan Dorman
On Tue, 30 Dec 2008 09:55:52 +
Justin Mason jma...@gmail.com wrote:

 Does the sa-compile step complete with an exit code of 0?  If there
 are problems with re2c (which has happened in the past) it should exit
 with !=0.

There were no errors visible in the output, but the script I was using
to do the update is, of course, one of the few that I've written
without using /bin/sh -e, so even if sa-compile had failed, it would
have continued.

I suspect we can mark this down to re2c not liking something yesterday
+ I/O error.

Thanks, Justin,

Mike.


Serious problem with scores file for todays rule update?

2008-12-29 Thread Michael Alan Dorman
Hey, all,

I have a bunch of servers that picked up a rule update, 729912 this
morning about 10am EST, at which point all hell broke loose---scores for
everything but bayes dropped to almost nothing.

Has anyone else experienced anything like this?

Mike.


Re: Serious problem with scores file for todays rule update?

2008-12-29 Thread Michael Alan Dorman
On Mon, 29 Dec 2008 23:21:48 +
j...@jmason.org (Justin Mason) wrote:

 hmm.  What do you have in /var/lib/spamassassin for the scores files?
 they should look like this:
 
 : 183...; ls -l /var/lib/spamassassin/3.002006/updates_spamassassin_org/50_scores.cf /var/lib/spamassassin/3.002006/updates_spamassassin_org/72_scores.cf
 -rw-r--r-- 1 root root 48928 Dec 29 23:20 /var/lib/spamassassin/3.002006/updates_spamassassin_org/50_scores.cf
 -rw-r--r-- 1 root root  1392 Dec 29 23:20 /var/lib/spamassassin/3.002006/updates_spamassassin_org/72_scores.cf

Hey, Justin, thanks for the quick response.

My 50_scores.cf is 48923, so it differs, but close enough.

In fact, it didn't occur to me immediately, but further investigation
(for lack of a better word for the last rather tense 45 minutes :) seems
to be pointing the finger at sa-compile, rather than the scores.

I got fixated on 72_scores.cf and totally forgot about 50_scores, which
is why I was thinking scores at first.

I'll be doing more testing and such, later, but just zapping the
compiled files and restarting the processes seems to have taken care of
it.

If there's anything in particular you'd like me to do to try and help
track the interaction down, please let me know.  I'm using re2c 0.13.5
on debian amd64 boxes, and am happy to throw some time and resources at
figuring out what's going on.

Mike.


MATCH_WORDS false positives

2008-09-24 Thread Alan Lehman
I've seen a few false positives that hit MATCH_WORDS_5. Can someone
point me to this rule so I can try to determine what is causing the hit?


George Butler Associates, Inc.
Creating Remarkable Solutions
for a Higher Quality of Life

Alan Lehman, P.E.
Electrical/Critical Facilities Group
One Renner Ridge
9801 Renner Boulevard
Lenexa, KS 66219-9745
T. 913.577.8829
M. 816.210.8785
F. 913.577.8264
mailto:[EMAIL PROTECTED]
http://www.gbutler.com/

CONFIDENTIALITY NOTICE: This e-mail message including attachments, if any, is 
intended for the person or entity to which it is addressed and may contain 
confidential and/or privileged material. Any unauthorized review, use, 
disclosure or distribution is prohibited. If you are not the intended 
recipient, please contact the sender by reply e-mail and destroy all copies of 
the original message. Thank you.



RE: MATCH_WORDS false positives

2008-09-24 Thread Alan Lehman
 
 On Wed, Sep 24, 2008 at 01:52:27PM -0500, Alan Lehman wrote:
  I've seen a few false positives that hit MATCH_WORDS_5. Can someone
  point me to this rule so I can try to determine what is causing the
 hit?
 
 As far as I can see, there is no such rule in the standard or updates
 rulesets.  Perhaps it's something you have defined locally?  Check out
 /etc/mail/spamassassin/*.cf or whatever your site rules dir is.
 
 --
 Randomly Selected Tagline:
 I'm a fraud - a poor, lazy, sexy fraud. -Bender


Thanks. I found it in a rule I created a long time ago. Sorry.


RE: sare rule updates ?

2008-06-27 Thread Alan Lehman
Rob McEwen wrote:
 Check out Justin Mason's SOUGHT rules. They are very effective and
 are
 updated frequently. They have been around for many months, but I just
 started using them a few weeks ago.
 
 These rules are built dynamically and in an automated fashion using
 messages from spam trap feeds. Therefore, they are updated frequently.
 
 SEE:
 
 http://taint.org/2007/08/15/004348a.html
 
 Rob McEwen


Thanks. This helps a lot!
Alan


RE: sare rule updates ?

2008-06-22 Thread Alan Lehman
Yet Another Ninja wrote:
 
 SARE recommends shutting off all updates and wait for any
announcement.
 

The decline of SARE would seem to significantly devalue SA. We've been
noticing a significant increase in missed spam over the past few months.
Are there other sources for maintained rulesets (besides me writing them
myself)? 


SA-3.2.4 overload

2008-05-12 Thread Alan Lehman
Upgrading from 3.1.7 to 3.2.4 resulted in my server becoming seriously
overloaded. Normally I see 3 to 6 slaves running with scan times
averaging 5-10 seconds. After upgrade, 10 slaves (my max setting) were
busy constantly with scan time running 60 to 300 seconds. CPU
utilization pegged at 100%. Typical traffic is about 10,000/day. 

I tried the following, but there was no significant improvement:

Disabling RBL checks
Disabling bayes
Disabling RCVD_IN_WHOIS, RCVD_IN_WHOIS_INVALID, URIBL_COMPLETEWHOIS

I installed SA-3.1.9 and processing seemed to return to normal, but I
get the following error:

Slave 0 stderr: Use of uninitialized value in pattern match (m//) at
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Message/Node.pm line
125.

Running: 

Sendmail-8.13.8
Mimedefang-2.64
Clamav-0.92
Uvscan-4.32.0

SA is called by Mimedefang (not using spamd). Standard rulesets.

Hardware:

HP Proliant DL380 single CPU 2.4GHz, 4G RAM

Thanks,

Alan Lehman 


We need help with error messages

2007-10-18 Thread Alan Morgan
Hi,

We use SPAM Assassin in Silverpop.  We have been having a tough time with
the messages and results after running SPAM A.  Can someone help?  We want a
guide of definitions.

The latest we got is  2.2  REMOVE_BEFORE_LINK BODY: Removal phrase
right before a link

Thanks,

Alan D Morgan
MTD Marketing Inc



Re: BOTNET Exceptions for Today

2007-08-21 Thread Michael Alan Dorman
On Tue, 21 Aug 2007 16:56:27 -0500
Andy Sutton [EMAIL PROTECTED] wrote:

 On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote:
  b) Botnet gets 0% false positives at one of my services (not just 
  borked DNS == bad, as you're suggesting, but actual everything
  that triggered botnet was actually spam).  And, yes, I actually
  check
 
 I never suggested that.

Um, you suggested _exactly_ that.  From the message John was replying to
([EMAIL PROTECTED]):

  On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
   When I see on the list that many people run botnet with ZERO false
   positives, I have to ask myself, how?   

  Anyone who claims that isn't really looking at the email they are
  blocking, or don't believe borked DNS qualify as a FP.

 A bit tetchy today?

When you're presenting hyperbole as reasoned commentary, seems to me
John has a right to be tetchy.

If you had said what you said in this message originally, I suspect you
would have gotten a different response.

Mike.


Re: SUBJECT_ENCODED_TWICE really wrong?

2007-04-27 Thread alan premselaar
On 4/25/07 11:15 PM, John Wilcock wrote:
 Andy Spiegl wrote:

 But the score for SUBJECT_ENCODED_TWICE is pretty high:
  1.723
 How does that justify?
 
 No doubt it is justified by the fact that the corpora used to
 determine SpamAssassin scores don't contain enough non-English-language
 content.
 
 You'll almost certainly find that you want to lower the score for this
 rule (and other rules such as SUBJ_ILLEGAL_CHARS which tend to cause FPs
 on genuine non-English mail).
 
 John.
 

I've had to reduce the SUBJ_ENCODED_TWICE score (to .001 so I know it
hits but so it doesn't have any impact) because it's basically required
to handle long 2-byte subject encoding.

I've left SUBJ_ILLEGAL_CHARS as is because the subject really shouldn't
contain raw non-ascii characters, it should be encoded.

So far I haven't had any problems with this combination.

just my 2 yen worth.

Alan


DKIM

2007-01-10 Thread Alan Munday

The DKIM plugin files have all but disappeared on one of my mx's. I'm left 
with

/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/DKIM.pm
/usr/share/man/man3/Mail::SpamAssassin::Plugin::DKIM.3pm.gz

I've tried re-installing/upgrading from the rpm (spamassassin-3.1.7-1.fc5) but 
this has not fixed things.

Is there another way I can re-install this plugins files?

Thanks

Alan



Re: DKIM

2007-01-10 Thread Alan Munday

Mark Martinec wrote the following on 10/01/2007 16:45:

The Plugin/DKIM.pm is all there is to it. No other files
in SA plugins directory is associated with DKIM.

There is however a Mail/DKIM.pm and Mail/DKIM/* perl module
in the usual modules places that you may be looking for.

  Mark


Thanks Mark.

When I saw the lint fail I just started comparing file lists

Too busy looking at a VoIP problem to think that the perl module had 
disappeared.

Alan



Re: RelayCountry plugin doesn't add header

2007-01-02 Thread Alan Munday

Nick Radov wrote the following on 02/01/2007 18:35:
I am running SpamAssassin 3.1.7 in serial mode on Windows 2003. I would 
like to use the RelayCountry plugin and have enabled it as described on 
this web page: http://wiki.apache.org/spamassassin/RelayCountryPlugin. 
But when I ran a test message through, the X-Relay-Countries header wasn't 
added. Can anyone suggest how to fix this?


The IP::Country::Fast module is installed. And here is a filtered excerpt 
from the SpamAssassin debugging output which seems to show the plugin is 
being loaded correctly. 

[18136] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC
[18136] dbg: plugin: registered Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x29b40b0)
[18136] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x29b40b0) implements 'extract_metadata'
[18136] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x29b40b0) implements 'parsed_metadata'


The particular test message that I used has this Received header.

Received: from 14.9.17.81.nexcom.ru ([81.17.9.14])
  by ax7.axolotl.com (Lotus Domino Release 7.0.2)
  with ESMTP id 2006122820 http://www.snapanumber.com/563462-40926 ;
  Thu, 28 Dec 2006 20:56:34 -0800 

I did a manual whois lookup on IP address 81.17.9.14 and it is registered 
to Russia, so I think I should get an X-Relay-Countries: RU header. But 
it doesn't work.



If you just want a header added with the relay countries listed then you'll 
need to patch SA (3.1.x); see the wiki (or review recent threads here).


Otherwise you need to specify in either local.cf or a dedicated conf file those 
countries you want to see in the headers and with which score.

To test these I wrote a simple script (I'm no programmer), below, which writes 
Relay_Countries.cf, which you can put in your spamassassin directory. You can 
enable/disable each entry by toggling the value of the 1st field and adjust the 
scores by amending the last field. You can then tweak it to track just those 
countries you are interested in. I did include all the country codes as listed 
on the ISO site.

Alan




#! /bin/bash

echo start


# shopt -s -o xtrace


OUTPUT_FILE=Relay_Countries.cf
OUTPUT_DIR=.
#OUTPUT_DIR=/etc/mail/spamassassin


#
# Fields:  
#

USE=1   # yes=1, no=0
CODE=2  # Country Code
DESCRIPTION=3   # Description
SCORE=4 # Score

NUM_FIELDS=4

#
# Data:
#
COUNTRY[1]=1~AD~Andorra~0.001
COUNTRY[2]=1~AE~United Arab Emirates~0.001
COUNTRY[3]=1~AF~Afghanistan~0.001
COUNTRY[4]=1~AG~Antigua and Barbuda~0.001
COUNTRY[5]=1~AI~Anguilla~0.001
COUNTRY[6]=1~AL~Albania~0.001
COUNTRY[7]=1~AM~Armenia~0.001
COUNTRY[8]=1~AN~Netherlands Antilles~0.001
COUNTRY[9]=1~AO~Angola~0.001
COUNTRY[10]=1~AQ~Antarctica~0.001
COUNTRY[11]=1~AR~Argentina~0.001
COUNTRY[12]=1~AS~American Samoa~0.001
COUNTRY[13]=1~AT~Austria~0.001
COUNTRY[14]=1~AU~Australia~0.001
COUNTRY[15]=1~AW~Aruba~0.001
COUNTRY[16]=1~AX~Åland Islands~0.001
COUNTRY[17]=1~AZ~Azerbaijan~0.001
COUNTRY[18]=1~BA~Bosnia and Herzegovina~0.001
COUNTRY[19]=1~BB~Barbados~0.001
COUNTRY[20]=1~BD~Bangladesh~0.001
COUNTRY[21]=1~BE~Belgium~0.001
COUNTRY[22]=1~BF~Burkina Faso~0.001
COUNTRY[23]=1~BG~Bulgaria~0.001
COUNTRY[24]=1~BH~Bahrain~0.001
COUNTRY[25]=1~BI~Burundi~0.001
COUNTRY[26]=1~BJ~Benin~0.001
COUNTRY[27]=1~BM~Bermuda~0.001
COUNTRY[28]=1~BN~Brunei Darussalam~0.001
COUNTRY[29]=1~BO~Bolivia~0.001
COUNTRY[30]=1~BR~Brazil~0.001
COUNTRY[31]=1~BS~Bahamas~0.001
COUNTRY[32]=1~BT~Bhutan~0.001
COUNTRY[33]=1~BV~Bouvet Island~0.001
COUNTRY[34]=1~BW~Botswana~0.001
COUNTRY[35]=1~BY~Belarus~0.001
COUNTRY[36]=1~BZ~Belize~0.001
COUNTRY[37]=1~CA~Canada~0.001
COUNTRY[38]=1~CC~Cocos (Keeling) Islands~0.001
COUNTRY[39]=1~CD~Congo, the Democratic Republic of the~0.001
COUNTRY[40]=1~CF~Central African Republic~0.001
COUNTRY[41]=1~CG~Congo~0.001
COUNTRY[42]=1~CH~Switzerland~0.001
COUNTRY[43]=1~CI~Côte d'Ivoire~0.001
COUNTRY[44]=1~CK~Cook Islands~0.001
COUNTRY[45]=1~CL~Chile~0.001
COUNTRY[46]=1~CM~Cameroon~0.001
COUNTRY[47]=1~CN~China~0.001
COUNTRY[48]=1~CO~Colombia~0.001
COUNTRY[49]=1~CR~Costa Rica~0.001
COUNTRY[50]=1~CU~Cuba~0.001
COUNTRY[51]=1~CV~Cape Verde~0.001
COUNTRY[52]=1~CX~Christmas Island~0.001
COUNTRY[53]=1~CY~Cyprus~0.001
COUNTRY[54]=1~CZ~Czech Republic~0.001
COUNTRY[55]=1~DE~Germany~0.001
COUNTRY[56]=1~DJ~Djibouti~0.001
COUNTRY[57]=1~DK~Denmark~0.001
COUNTRY[58]=1~DM~Dominica~0.001
COUNTRY[59]=1~DO~Dominican Republic~0.001
COUNTRY[60]=1~DZ~Algeria~0.001
COUNTRY[61]=1~EC~Ecuador~0.001
COUNTRY[62]=1~EE~Estonia~0.001
COUNTRY[63]=1~EG~Egypt~0.001
COUNTRY[64]=1~EH~Western Sahara~0.001
COUNTRY[65]=1~ER~Eritrea~0.001
COUNTRY[66]=1~ES~Spain~0.001
COUNTRY[67]=1~ET~Ethiopia~0.001
COUNTRY[68]=1~FI~Finland~0.001
COUNTRY[69]=1~FJ~Fiji~0.001
COUNTRY[70]=1~FK~Falkland Islands (Malvinas)~0.001
COUNTRY[71]=1~FM~Micronesia, Federated States of~0.001
COUNTRY[72]=1~FO~Faroe Islands~0.001
COUNTRY[73]=1~FR~France~0.001
COUNTRY[74]=1~GA~Gabon~0.001
COUNTRY[75]=1~GB~United Kingdom
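The part of the script that turns the table into rules did not survive in the archive. The following is an added example, not the poster's script: it reads records in the same `use~code~description~score` layout and writes a Relay_Countries.cf of header rules against the X-Relay-Countries header the RelayCountry plugin adds. The rule names (RELAYCOUNTRY_<CC>) are hypothetical and the four-row table is a constructed sample, not the full ISO list.

```bash
#!/bin/bash
# Added example, not the list poster's script: turn a "use~code~description~score"
# table (same field layout as the script above) into a Relay_Countries.cf of
# SpamAssassin header rules. Rule names RELAYCOUNTRY_<CC> are hypothetical and the
# table below is a constructed sample; a real deployment would list all codes.
set -u

# Constructed sample table. Field 1: 1 = emit the rule, 0 = skip it.
# Last field: score added when that country code appears in X-Relay-Countries.
COUNTRY_TABLE='1~RU~Russian Federation~1.5
1~GB~United Kingdom~0.001
0~FR~France~0.001
1~CN~China~1.5'

# Print the header/describe/score triple for one record, or nothing if disabled.
emit_rule() {
  local use="$1" code="$2" desc="$3" score="$4"
  [ "$use" = "1" ] || return 0
  # X-Relay-Countries (added by the RelayCountry plugin) lists the two-letter
  # code of every relay, so match the code as a whole word anywhere in it.
  printf 'header   RELAYCOUNTRY_%s  X-Relay-Countries =~ /\\b%s\\b/\n' "$code" "$code"
  printf 'describe RELAYCOUNTRY_%s  Relayed via %s\n' "$code" "$desc"
  printf 'score    RELAYCOUNTRY_%s  %s\n\n' "$code" "$score"
}

# Write the complete rule file to stdout.
gen_relay_countries_cf() {
  echo '# Generated RelayCountry rules - check with: spamassassin --lint'
  printf '%s\n' "$COUNTRY_TABLE" | while IFS='~' read -r use code desc score; do
    emit_rule "$use" "$code" "$desc" "$score"
  done
}

# Number of rules that would be written (sanity check: enabled rows only).
count_rules() {
  gen_relay_countries_cf | grep -c '^header '
}

# Write the file into the given directory (defaults to the current directory).
write_cf() {
  gen_relay_countries_cf > "${1:-.}/Relay_Countries.cf"
}

if [ "${1:-}" = "--write" ]; then
  write_cf "${2:-.}"
fi
```

Run it as `./gen_relay_countries.sh --write /etc/mail/spamassassin` and then `spamassassin --lint` before reloading; with the sample table, RU and CN add 1.5 each while GB adds a tracking-only 0.001 and FR is skipped.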

Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Alan Munday

Justin Mason wrote the following on 07/12/2006 13:21:


This is a great spam-sign alright, but I don't know of a way to detect
what the local site's HELO is, bar each site writing their own rules to do
so.

Bayes does a good job of figuring this out, btw.

Any suggestions?


A script that telnets into the mail system to discover helo name and the 
associated IP?

Then it can write a system specific rule.

Alan



Re: rules_du_jour not working confusion?

2006-12-06 Thread Alan Munday

Daryl C. W. O'Shea wrote the following on 06/12/2006 00:31:


Advantage over sa-update?  Other than the issue with 3.1.6 (only), there 
shouldn't be any issues with how sa-update lints rules. 


This is not obvious as there is no mention of linting in the docs: http://spamassassin.apache.org/full/3.1.x/doc/sa-update.html 

If so is there a migration guide somewhere on moving from RDJ to 
sa-update?


- remove existing SARE rules from wherever you've got them
- decide on which provider of the SARE channel(s) you're going to use
- follow that provider's directions


And while there is good information on using sa-update for SARE rules, there 
don't appear to be any references on how to migrate to it from RDJ.

The only other thing (AFAIK) that would hold someone from moving is that RDJ 
still covers some rule sets that are not available via sa-update.

Alan





Re: rules_du_jour not working confusion?

2006-12-05 Thread Alan Munday

By default, there is no duplication.  sa-update will update only the stock
rules.  However, there have been additional channels created for sa-update
to allow it to update the SARE rules as well.  You just add the ones you
want to your sa-update channels file.


One advantage RDJ seems to have is that it won't leave you in the situation of 
a non-functional SA because your updated rules don't lint.

If using sa-update for SARE rules, are these stored in the same location as the 
originals or are they downloaded to the /var/lib/spamassassin tree?

If so is there a migration guide somewhere on moving from RDJ to sa-update?

Alan



Re: spam

2006-12-05 Thread Alan Premselaar

Coffey, Neal wrote:
 Rosenbaum, Larry M. wrote:
 This matches the spam message, but it also matches messages where the
 number is followed by a blank line and more text, which is a false
 positive.

 In all cases I got the same results.  What am I missing?
 
 Try a compound rule.  Look for the number, and then anything that's not
 a number. (Mind the line wrapping, of course.)
 
 body ORNL_B0RKEN1_SHORTNUM   /^\d{3,5}\n{1,3}$/s
 body ORNL_B0RKEN1_BODYTEXT   /[a-zA-Z]/
 meta ORNL_B0RKEN1            (ORNL_B0RKEN1_SHORTNUM && ORNL_B0RKEN1_BODYTEXT)
 describe ORNL_B0RKEN1        B0rken spamware, message just contains a short number
 score ORNL_B0RKEN1           1.0
 
 That'll prevent the rule from matching if there's so much as a single
 letter in the body.
 

Actually, that'll only hit if there's a 3-5 digit number followed by 1
to 3 \n characters *AND* there *ARE* alphabetical characters in the body.

I'm guessing this isn't what you want.

your meta should probably look like (!ORNL_B0RKEN1_BODYTEXT && 
ORNL_B0RKEN1_SHORTNUM)

(this is untested, but should work as expected)

Alan


Re: How to examine a system and determine the mail delivery agent.

2006-12-04 Thread Alan Premselaar



Don Saklad wrote:
 How would, where would a mail transfer agent tell you the
 mail delivery agent for the system at hand?...
 
 Developing instructive information without acronyms,
 without industry jargon that complete novices, neophytes
 can use easily is the heart of the matter.

Don,

 to my knowledge, there is no way to determine the MDA (mail delivery
agent) without having access to the mail server's configuration files.

Alan


Re: Problem with spam from non-existant users of my domain.

2006-11-30 Thread Alan Premselaar

Steven W. Orr wrote:
 On Tuesday, Nov 28th 2006 at 08:09 -0800, quoth John D. Hardin:
 
 =On Tue, 28 Nov 2006, Steven W. Orr wrote:
 =
 = Spam comes in to steveo from [EMAIL PROTECTED] and I want to
 = reject it because it's coming from an address that doesn't exist.
 = Sendmail does not support this; i.e., it can only reject mail *to*
 = an address that doesn't exist.
 = 
 = Is there a way to do this?
 =
 =First off, what exactly do you mean by does not exist? The domain
 =is not registered? Or the username is not valid within the domain?
 
 Sorry, I was afraid this might not be clear. I want to find a way to 
 reject/tag all messages that come From the syslang.net domain (I am that 
 domain) which are From a user which does not exist. I'm not talking about 
 messages coming in that have a From address that is not syslang.net.
 
 One more example to be clearerer. This message came in from someplace in 
 Russia (maybe), to syslang.net and claims to come from bs at syslang.net. 
 I don't have a bs on my machine. If it helps, I'd even be willing to 
 create a file with a list of all of my valid account names.
...snip...
 
 So this idea is to reject all mail from invalid accounts that claim to be 
 coming from my own domain.
...snip...

Steven,

You should be able to do this pretty easily within MIMEDefang. You
could put a routine in the filter_sender() subroutine that does
something like a getpwent on the user portion of the sender address if
the domain portion is in your domain. (There are probably plenty of
ways to do this.)

On top of that, if you have any control over your DNS settings (and your
DNS provider supports TXT records) you may want to consider configuring
SPF. SPF is designed (in part) to reduce this type of scenario.

So, with SPF what will happen is: some machine in RU connects to you and
sends a MAIL FROM: [EMAIL PROTECTED] ... the SPF checks will look up
the SPF information from your DNS records and determine if that host in
RU is allowed to send mail for your domain. If not, it gets a score
boost (or with something like MIMEDefang you could just reject on
failed SPF if you chose to).

hope this helps,

Alan
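The SPF check described in the reply above, as an added example that is not part of the original post: a minimal offline evaluator that tests a connecting IP against a published record, handling only the `ip4` and `all` mechanisms (`a`, `mx`, `include` and `redirect` need DNS and are skipped). The record is a constructed sample of what syslang.net might publish, not its real record, and the address ranges are RFC 5737 documentation blocks.

```bash
#!/bin/bash
# Added example, not the poster's code: minimal offline SPF evaluation for the
# scenario above. Only ip4 and all mechanisms are handled (a, mx, include and
# redirect need DNS). The record is a constructed sample, not syslang.net's real
# one; the address ranges are RFC 5737 documentation blocks.
set -u
# Constructed SPF record as syslang.net might publish it (not its real record).
SAMPLE_SPF='v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all'

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  local IFS=. a b c d
  read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NETWORK[/LEN]: true when IP falls inside the block (LEN defaults to 32).
in_cidr() {
  local ip net len mask netint
  net=${2%/*}; len=${2#*/}
  [ "$len" = "$2" ] && len=32
  ip=$(ip2int "$1"); netint=$(ip2int "$net")
  mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( netint & mask )) ]
}

# spf_check RECORD IP: prints pass, fail, softfail, neutral or none, following
# the first mechanism (left to right) that matches the connecting IP.
spf_check() {
  local record="$1" ip="$2" mech
  case "$record" in v=spf1*) ;; *) echo none; return 0 ;; esac
  for mech in $record; do
    case "$mech" in
      v=spf1) ;;
      ip4:*) if in_cidr "$ip" "${mech#ip4:}"; then echo pass; return 0; fi ;;
      -all) echo fail; return 0 ;;
      '~all') echo softfail; return 0 ;;
      +all|all) echo pass; return 0 ;;
      '?all') echo neutral; return 0 ;;
      *) ;;   # a, mx, include, redirect, exists: need DNS, ignored offline
    esac
  done
  echo neutral
}

# Example run: a host in the listed range passes, an outsider hits -all and fails.
spf_check "$SAMPLE_SPF" 192.0.2.45
spf_check "$SAMPLE_SPF" 203.0.113.9
```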


Score=x+5

2006-11-29 Thread Alan Munday

I've just seen a mail marked as spammy (amavisd-new) where the score header had 
Score=x+5 where x was the sum of the SA tests.

X-Spam-Status:  Yes, score=0.917+5 tagged_above=0 required=5 
tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01, 
FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001, 
SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231, SPF_PASS=-0.001]

I'm curious as to where the 5 came from as the mail report does not look like spam: 


Content analysis details:   (0.9 points, 5.0 required)

pts rule name  description
 -- --
-0.0 P0F_UNIX   OS fingerprint BSD/Solaris/HP-UX/Tru64
0.1 FORGED_RCVD_HELO   Received: contains a forged HELO
-0.0 SPF_PASS   SPF: sender matches SPF record
-0.0 BOTNET_SERVERWORDS Hostname contains server-like substrings
-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
   [score: 0.]
0.0 HTML_MESSAGE   BODY: HTML included in message
1.2 SARE_UNA   RAW: SARE_UNA
0.9 SARE_HTML_TD_BRFULL: Multiple line breaks in spammer pattern
0.5 SARE_HTML_MANY_BR05Tooo many br's!
0.7 AWLAWL: From: address is in the auto white-list



I've not seen this before (in over 4 years) and could not see an answer from a 
quick search.

Thanks

Alan

