Re: Whitelist or add negative values for score

2022-12-21 Thread Dominic Raferd


On 20/12/2022 23:59, Joey J wrote:

Thanks to Bill and Matus for your responses.

Basically, the client is talking about real money transactions, 
airplanes, paypal etc, but he is a legit sender with these often 
flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 
times, there are more of the buzz words that SA looks at based on rules.


We can't whitelist j...@company.com because of course everyone 
pretending to be him will more than likely get whitelisted and you 
know the rest.
This is why I thought if user j...@company.com from ip 1.2.3.4 
condition would allow me to add some negative score to get over the 
total flagging it as spam.


You guys would know better than I as to which would be the best 
method, I like scoring it some and going to -100.


Within the reject to the user it had the following:

Spam detection results: 3

ClamAVHeuristics 3 ClamAV heuristic test: Phishing.Email.SpoofedDomain 
(clamav)


AWL -0.969 Adjusted score from AWL reputation of From: address

BAYES_00 -1.9 Bayes spam probability is 0 to 1%

BIGNUM_EMAILS_MANY  2.999 Lots of email addresses/leads, over and over

DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid

DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid

HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to 
background


HTML_MESSAGE 0.001 HTML included in message

KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict 
Alignment


SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record

SPF_PASS -0.001 SPF: sender matches SPF record

T_FILL_THIS_FORM_SHORT 0.01 Fill in a short form with personal information

URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was 
blocked.  See 
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block


My approach is like this:

describe LOCAL_WELCOMING_4 Pseudo-welcomelist (case-insensitive)
score LOCAL_WELCOMING_4 -4
header LOCAL_WELCOMING_4 From =~ /(fred\@bloggs\.com|\@jones\.com)>?\s*$/i

I have a few of these with different score reductions (4,6,8,10 etc) all 
held in /etc/spamassassin/local_welcoming.cf. If you end up with a lot 
of addresses to be 'welcomed' (as I do) you need some code to manage 
them, but the principle is simple enough: they act to reduce the score 
of any email where the 'From:' address matches the regex. They do not 
guarantee acceptance (the spam score is still calculated, only some 
amount (4 in the case above) is deducted), and they do not (in my case 
anyway) apply to virus-laden emails.




Re: OT - Hotmail/Outlook.com marking most of our email as Junk

2022-02-18 Thread Dominic Raferd
On Sat, 19 Feb 2022, 01:10 Cian wrote:

> I am also having a world of trouble getting my emails to Outlook users.
> For reference, my work domain has one user (me).  I have had the account
> for about 9 months and I have not yet sent 100 emails.  I typically send an
> email to a single recipient, although I will occasionally CC a handful of
> people.
>
>
>
> What I’ve tried:
>
>
>
>1. I have also set up SPF, DKIM, and DMARC.  I’m **pretty sure**
>they’re solid.  Emails still go to junk.
>2. Initially, I didn’t have anything actually at the website for my
>domain, so I threw my executive summary into a google site.  Emails still
>go to junk
>3. I've checked our public IP and the domain name at mxtoolbox.com –
>no errors, but it warns that a) my DMARC policy isn’t q or r, and b) it
>doesn’t care for my SOA
>4. I tried to get on Microsoft’s SDNS and JMRP, but I was not able.  I
>am pretty sure I have a shared IP, but I don’t know how I would check
>that.  Microsoft also suggested I join the Return Path Safe Senders
>program, but I am pretty sure I would need a dedicated IP for that.  In any
>case, I don’t love the idea of paying to get whitelisted so I can send 11
>emails a month.
>5. I’ve checked several sites and my domain isn’t on any blacklists.
>However, I did register the domain through NameCheap, which is on the
>UCEPROTECT_LVL3 list
>6. The domain is relatively new, as I said, but I don’t send any bulk
>mail of any kind from it.  All mail is either to people I specifically
>know, people to whom I have received a personal introduction, or people
>listed as contacts for their organization on public websites
>7. My mail is handled by Zoho Mail, so I haven’t done anything fancy
>with the mail server.  If there’s anything I should try, I will, but I
>might need the instructions at a fifth-grade level
>8. I am fairly careful with my words, and the emails are appropriately
>long, so I would be surprised if they were getting flagged for trigger
>words.   I have tried mail-tester.com and it did not object to the
>body of my emails
>9. Mail-tester.com claims to test emails against SA, although I know
>this is a contentious point around here.  I bring it up, though, because
>the fact that my TLD is “.space” raised some flags
>10. When I have called my contacts, they have been as confused as I am
>that they did not receive my emails
>11. Emails I send to any other domains are never a problem spam-wise
>
>
>
> Notes:
>
>1. I do not have a list-unsubscribe header in my emails, for one
>because I don’t have a list, and for two, because I don’t really know how.
>I can add one if necessary, although ideally I’d like the language to be
>clear that my emails don’t go to a list of any kind
>2. I have a signature in my email.  It has my phone number, but no
>address because I don’t have a physical location yet.  Some articles
>suggested this is bad; I hate to put my home address in all my emails, but
>I can if necessary.  It’s in my Dun and Bradstreet profile, anyway
>3. My domain contacts are anonymized, courtesy of NameCheap.
>NameCheap made this sound appealing, but I read somewhere that this makes
>you look sketchy.  I could fix this, if necessary.
>
>
>
> I suspect I’ve already given you the smoking gun, but if this isn’t enough
> information to hit on the problem, I am happy to provide more
>
>
>
I don't think you mentioned whether you have a static or dynamic IP. With a
dynamic IP you will have many problems sending emails; the only solution is
to relay your outgoing emails through another mail server that has a static
IP.

>


Re: Regex error in most recent update

2022-02-18 Thread Dominic Raferd

On 18/02/2022 09:51, Bert Van de Poel wrote:

Hi everyone,

I just noticed we had two email servers complain last night after
running sa-update about a regex problem:
/etc/cron.daily/spamassassin:
config: invalid regexp for __URI_TRY_3LD
'm,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob)\w)[^.]*\.[^/]+\.(?
us too, so it is something wrong at updates.spamassassin.org.


Re: [Spamhaus Notice] Reminder of changes to the Spamhaus beta Domain Blocklist & request for feedback

2022-01-04 Thread Dominic Raferd

On 04/01/2022 13:51, Riccardo Alfieri wrote:

On 04/01/22 13:38, Dominic Raferd wrote:


reject_rhsbl_sender
redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]
reject_rhsbl_reverse_client
redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]
reject_rhsbl_helo redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]



A quick addon to what I wrote before..  I noticed that you are using the
wrong hostname :) The correct one, for the time being and up until the
beta ends, is dbl-beta.spamhaus.org

Ah yes, which explains why there were no resulting blocks. But I am now 
trying the modified SA plug-in instead.


Re: [Spamhaus Notice] Reminder of changes to the Spamhaus beta Domain Blocklist & request for feedback

2022-01-04 Thread Dominic Raferd

On 15/12/2021 20:00, Riccardo Alfieri wrote:

We’d like to say a big “thank you” to all of you who have been testing
the beta version of the Spamhaus Domain Blocklist (DBL) with hostnames.

How are you getting on with it? Have you encountered issues? Are you
noticing a reduction in false positives with the abused-legit component
of the DBL? How’s the plug-in (with the recommended configuration
changes) working for you?

If you could find the time to let us know we would really appreciate it...

I haven't tried using the new plug-in with SA, but I have been using the 
list in a postfix restriction list (in place of 
redacted.dbl.dq.spamhaus.net) on several of my mailservers:


reject_rhsbl_sender redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]
reject_rhsbl_reverse_client 
redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]

reject_rhsbl_helo redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]

Since I started in early December 2021 these restrictions have not 
caught any incoming mail, whereas the same but using dbl.dq.spamhaus.net 
on another of my mail servers continue to pick up many (with minimal fps).


Am I doing something wrong, or is this expected behaviour?



Re: Managing long welcome_senders list

2021-12-03 Thread Dominic Raferd

On 02/12/2021 16:26, Martin Gregorie wrote:

On Thu, 2021-12-02 at 13:42 +, Dominic Raferd wrote:

I have a score-reducing algorithm for SA based on known 'good' senders.
  From a simple one-address-per-line file (which can easily be manually
or automatically edited) is built a local_welcoming.cf file which is
used by SA - with lines like this:

score LOCAL_WELCOMING_4 -4
header LOCAL_WELCOMING_4 From =~ /(\@myfriend\.com|jennifer_smith\@btinternet\.com|fred321\@gmail\.com)>?\s*$/i


I ran into this problem quite some time ago and wrote 'portmanteau'...

Thanks to all for the suggestions and comments. I am looking into 
enlist_addrlist and portmanteau.


Managing long welcome_senders list

2021-12-02 Thread Dominic Raferd
I have a score-reducing algorithm for SA based on known 'good' senders. 
From a simple one-address-per-line file (which can easily be manually 
or automatically edited) is built a local_welcoming.cf file which is 
used by SA - with lines like this:


score LOCAL_WELCOMING_4 -4
header LOCAL_WELCOMING_4 From =~ /(\@myfriend\.com|jennifer_smith\@btinternet\.com|fred321\@gmail\.com)>?\s*$/i


But this is a just a short example with 3 addresses. In reality I have a 
single line with c.2000 addresses all concatenated like this, and it is 
growing. It works fine, but I suspect it is sub-optimal i.e. horrible to 
read and perhaps slow to parse. Is there a line length limit in SA? Is 
there a better way? Most of the listed items are full email addresses 
but some are domains only.


Thanks for any suggestions.
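One way to build the LOCAL_WELCOMING rules from the one-address-per-line file described here and in the December 2022 thread; this is an added example, not Dominic's own script. It assumes an input format of one address or bare domain per line with an optional per-entry deduction, splits a long list over several rules so no header line carries thousands of alternatives, and keeps the `>?\s*$` anchor so an address quoted in the display name does not earn the deduction.

```python
"""Build SpamAssassin 'pseudo-welcomelist' rules from a plain address list.

Added example, not the script from the thread.  Assumed input format: one
entry per line, a full address or a bare domain ('@example.com' or
'example.com'), optionally followed by whitespace and the points to deduct
(default 4); blank lines and '#' comments are ignored.  Requires Python 3.7+
(re.escape leaves '@' and '_' alone there).
"""
import re
from collections import defaultdict

DEFAULT_POINTS = 4
CHUNK = 250   # alternatives per generated header line; keeps rules readable

# Constructed sample standing in for a welcome_senders.txt file.
SAMPLE_LIST = """
# friends and suppliers
@myfriend.com
jennifer_smith@btinternet.com
fred321@gmail.com
bob@myfriend.com          4
accounts@supplier.example 8
supplier.example          8
"""


def parse_list(text, default_points=DEFAULT_POINTS):
    """Return {points: sorted entries}, entries normalised to 'user@dom' or '@dom'.

    A full address whose whole domain is listed at the same score is dropped:
    with the list split over several rules, both could otherwise fire on one
    message and deduct the points twice.
    """
    buckets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entry = parts[0].lower()
        points = int(parts[1]) if len(parts) > 1 else default_points
        if "@" not in entry:              # bare domain: any local part
            entry = "@" + entry
        buckets[points].add(entry)
    result = {}
    for points, entries in buckets.items():
        domains = {e for e in entries if e.startswith("@")}
        kept = [e for e in entries
                if e.startswith("@") or "@" + e.split("@", 1)[1] not in domains]
        result[points] = sorted(kept)
    return result


def build_regex(entries):
    """One alternation anchored to the end of the header, as in the thread's
    rules ('>?\\s*$'): the address must be the final angle-bracket address,
    so "fred321@gmail.com" <attacker@example.net> does not match."""
    alts = "|".join(re.escape(e).replace("@", r"\@") for e in entries)
    return r"/(%s)>?\s*$/i" % alts


def build_rules(buckets, name="LOCAL_WELCOMING", chunk=CHUNK):
    """Emit describe/score/header triples, one rule per chunk of entries."""
    lines = []
    for points in sorted(buckets):
        entries = buckets[points]
        for i in range(0, len(entries), chunk):
            suffix = "" if len(entries) <= chunk else "_%d" % (i // chunk + 1)
            rule = "%s_%d%s" % (name, points, suffix)
            lines += [
                "describe %s Pseudo-welcomelist, -%d points (case-insensitive)" % (rule, points),
                "score %s -%d" % (rule, points),
                "header %s From =~ %s" % (rule, build_regex(entries[i:i + chunk])),
            ]
    return "\n".join(lines) + "\n"


def sa_regex_matches(sa_regex, header_value):
    """Check a generated '/.../i' rule against a From: header value."""
    body = sa_regex[1:sa_regex.rfind("/")]
    return re.search(body, header_value, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(build_rules(parse_list(SAMPLE_LIST)), end="")
```

Each generated rule still only deducts points; as the thread notes, the message is still scored in full and a `welcomelist_from`-style bypass is not what these rules do.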



Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Dominic Raferd

On 12/07/2021 07:40, Dave Funk wrote:

On Sun, 11 Jul 2021, Kevin A. McGrail wrote:


On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an 
application/x-mso file. Which (in addition to the text/xml files) 
are used by Microsoft Word to load the embedded Word document."


Would the presence of all three of those MIME types be a scorable 
indicator?


If you can get me a spample, I'm sure I can tell you but in general 
we block macros so that's all that's needed.  Likely the OLEVBMacro 
plugin and KAM ruleset is blocking all of these already if you have 
the plugin enabled.


Aren't there already rules and heuristics in ClamAV for detecting 
VBmacros in office docs?


I've got two copies of ClamAV running, one used as a blocking direct 
milter with default rules and another one feeding into the SA 
"clamav.pm" plugin with extra rules and heuristics/algorithms enabled.


I quarantine emails that are caught by ClamAV with 'ScanOLE2 true' and 
'AlertOLE2Macros true'; these are then checked by command-line tool 
mraptor (part of olevba) to see if the macros are truly malicious.


I will try the OLEVBMacro plugin alongside, thanks for the heads up.




Re: spamass.sock - No such file or directory

2021-06-27 Thread Dominic Raferd
Try unix:/run/spamass/spamass.sock

On Sun, 27 Jun 2021, 18:28 ,  wrote:

> Still the same
>
> Jun 27 19:21:03 nmail postfix/smtps/smtpd[4946]: warning: connect to Milter
> service unix:spamass/spamass.sock: No such file or directory
> Jun 27 19:25:37 nmail postfix/smtps/smtpd[5552]: warning: connect to Milter
> service unix:run/spamass/spamass.sock: No such file or directory
>
> Thanks for any update
>
>
> -Original Message-
> From: Reindl Harald 
> Sent: Saturday, 26 June 2021 12:15
> To: mau...@gmx.ch; users@spamassassin.apache.org
> Subject: Re: spamass.sock - No such file or directory
>
> why do you think "/run/spamass" and "unix:/spamass/" are the same path?
>
> On 26.06.21 at 09:37, mau...@gmx.ch wrote:
> > Run with Debian 10
> >
> > I don't see why this message “spamass.sock: No such file or directory”
> > appears
> >
> >>mail.log
> >
> > Jun 26 09:27:12 nmail postfix/smtps/smtpd[9509]: warning: connect to
> > Milter service unix:/spamass/spamass.sock: No such file or directory
> >
> >>main.cf
> >
> > smtpd_milters = unix:/spamass/spamass.sock,
> > unix:opendkim/opendkim.sock, unix:opendmarc/opendmarc.sock
> >
> >>/run/spamass# ls -la
> >
> > -rw-r--r--  1 spamass-milter spamass-milter 5 Jun 26 09:26
> spamass.pid
> > srw-rw  1   postfix  postfix 0
> Jun 26 09:26 spamass.sock
> >
> > or
> >
> > srw-rw  1   spamass-milter spamass-milter 0 Jun 26 09:26
> spamass.sock
> >
> >/etc/group
> > spamass-milter:x:128:postfix
> >
> > thanks for any help
>
>


Re: spamass.sock - No such file or directory

2021-06-26 Thread Dominic Raferd
Check that the postfix user has execute permission on the /run/spamass directory

On Sat, 26 Jun 2021, 08:47 ,  wrote:

>
>
> Thanks for your quick answer!
>
>
>
> Update to:
>
> smtpd_milters = unix:spamass/spamass.sock, unix:opendkim/opendkim.sock,
> unix:opendmarc/opendmarc.sock
>
>
>
> systemctl restart spamass-milter spamassassin postfix
>
>
>
> postfix/smtpd[15586]: warning: connect to Milter service
> unix:spamass/spamass.sock: Connection refused
>
>
>
>
>
>
>
> *From:* Dominic Raferd 
> *Sent:* Saturday, 26 June 2021 09:42
> *To:* mau...@gmx.ch
> *Cc:* Postfix users 
> *Subject:* Re: spamass.sock - No such file or directory
>
>
>
> Remove the slash after unix:
>
> On Sat, 26 Jun 2021, 08:38 ,  wrote:
>
> Run with Debian 10
>
> I don't see why this message “spamass.sock: No such file or directory”
> appears
>
> >mail.log
> Jun 26 09:27:12 nmail postfix/smtps/smtpd[9509]: warning: connect to
> Milter service unix:/spamass/spamass.sock: No such file or directory
>
> >main.cf
> smtpd_milters = unix:/spamass/spamass.sock, unix:opendkim/opendkim.sock,
> unix:opendmarc/opendmarc.sock
>
>
> >/run/spamass# ls -la
> -rw-r--r--  1 spamass-milter spamass-milter 5 Jun 26 09:26
> spamass.pid
> srw-rw  1   postfix  postfix 0 Jun
> 26 09:26 spamass.sock
>
> Or
> srw-rw  1   spamass-milter spamass-milter 0 Jun 26 09:26
> spamass.sock
>
>
>
> >/etc/group
> spamass-milter:x:128:postfix
>
> thanks for any help
>
> Mauri
>
>
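To see why the socket path in the log and the one on disk differ in the two spamass.sock threads above, and what the permission check amounts to, here is an added example (not code from the thread) that resolves a Postfix `unix:` milter spec to the path Postfix actually opens and checks whether a given uid and group set could reach a socket. It assumes Postfix's documented behaviour that daemons work relative to queue_directory (/var/spool/postfix by default) and that a chrooted smtpd sees an absolute path inside that directory; the uid 4242 and the temporary socket are constructed.

```python
"""Resolve a Postfix 'unix:' milter spec and check who can reach the socket.

Added example for the spamass.sock threads; not code from the thread.
Assumption (Postfix MILTER_README): Postfix daemons run with queue_directory
as their working directory, so a relative path like 'spamass/spamass.sock'
is looked up under /var/spool/postfix, and a *chrooted* smtpd (the Debian
default) also sees an absolute path relative to the queue directory.  That is
why 'unix:/spamass/spamass.sock' never finds /run/spamass/spamass.sock.
"""
import os
import socket
import stat
import tempfile

QUEUE_DIR = "/var/spool/postfix"          # Postfix default queue_directory


def resolve_milter_path(spec, queue_dir=QUEUE_DIR, chrooted=True):
    """Return the filesystem path Postfix actually tries to connect to."""
    scheme, sep, path = spec.partition(":")
    if not sep or scheme not in ("unix", "local"):
        raise ValueError("not a unix-domain milter spec: %r" % spec)
    if path.startswith("/") and not chrooted:
        return path                        # absolute path, no chroot
    return os.path.join(queue_dir, path.lstrip("/"))


def _allowed(st, uid, groups, need):
    """Apply owner/group/other mode bits (rwx = 4/2/1) the way the kernel does."""
    if uid == st.st_uid:
        bits = (st.st_mode & stat.S_IRWXU) >> 6
    elif st.st_gid in groups:
        bits = (st.st_mode & stat.S_IRWXG) >> 3
    else:
        bits = st.st_mode & stat.S_IRWXO
    return (bits & need) == need


def socket_reachable(path, uid, groups):
    """Return (ok, reason) for a process running as uid with these group ids.

    Only the socket's own directory and the socket are examined; ancestors
    such as /run are assumed world-traversable.  Connecting needs the
    execute (search) bit on the directory and read+write on the socket.
    """
    parent = os.path.dirname(path) or "."
    try:
        dir_st = os.stat(parent)
    except FileNotFoundError:
        return False, "directory %s does not exist" % parent
    if not _allowed(dir_st, uid, groups, 0o1):
        return False, "no execute (search) permission on %s" % parent
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "%s: No such file or directory" % path
    if not stat.S_ISSOCK(st.st_mode):
        return False, "%s is not a socket" % path
    if not _allowed(st, uid, groups, 0o6):
        return False, "no read/write permission on %s" % path
    return True, "ok"


def demo_socket_permissions():
    """Reproduce the thread's situation with a throw-away socket.

    The socket is created 0660 and owned by us (standing in for
    spamass-milter:spamass-milter); uid 4242 is a constructed 'postfix' that
    is either not, or is, in the socket's group, as the thread's
    /etc/group line 'spamass-milter:x:128:postfix' arranges.
    """
    d = tempfile.mkdtemp(prefix="spamass-")
    os.chmod(d, 0o750)
    path = os.path.join(d, "spamass.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)
    gids = {os.stat(d).st_gid, os.stat(path).st_gid}
    try:
        return {
            "owner": socket_reachable(path, os.getuid(), gids)[0],
            "stranger": socket_reachable(path, 4242, set())[0],
            "group_member": socket_reachable(path, 4242, gids)[0],
            "missing": socket_reachable(os.path.join(d, "nope.sock"), 4242, gids)[1],
        }
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(d)


if __name__ == "__main__":
    for spec in ("unix:/spamass/spamass.sock", "unix:spamass/spamass.sock",
                 "unix:/run/spamass/spamass.sock"):
        print("%-32s -> %s" % (spec, resolve_milter_path(spec)))
    print(demo_socket_permissions())
```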


Re: My 10 years old domain have a bad TLD

2021-05-05 Thread Dominic Raferd

On 05/05/2021 11:23, Antony Stone wrote:

On Wednesday 05 May 2021 at 12:15:41, Denis Chenu wrote:


Hi Dominic,

Le 03/05/2021 à 09:28, Dominic Raferd a écrit :

I have another personal rule which adds +6 for 'unusual' domains -
including .pro - so your chance of getting an email through to my users
is zero (sorry), unless indirectly (e.g. via mailing list).

I have a question about this : you don't offer any way to postmaster of
«unusual» domain to contact you postmaster ?

I hope you send a SMTP error code to inform clean user you disallow them
to send email.
Why not just send a private email and find out? You could even send it 
to the postmaster address.


Good tip. In my case, whatever address you send it to it is likely to 
end up in quarantine where someone (er, me) will review it. You won't be 
automatically notified about this.


I have modified my local.cf so that TLDs that are already penalised by 
__KAM_FUN1 are not further penalised.





Re: My 10 years old domain have a bad TLD

2021-05-03 Thread Dominic Raferd

On 03/05/2021 08:15, Denis Chenu wrote:

Hi,

I have owned and managed the sondages.pro domain for more than 10 years now.
For some weeks now, my spamassassin score has been lower than before.

It seems some version gives a -2 score. Maybe since a debian update.
I never send any spam email.

When looking at spam received: I receive a lot more spam from the .com 
TLD than the .pro TLD.


Is there a way, other than changing my domain, to fix the score and get 
a perfect score again?


Thanks a lot,
Denis

I see that .pro is included in KAM_FUN (via _KAM_FUN1) which gives +7.75 
to SA score. I am not sure if this is a recent change.


Those of us who use the KAM rules will be affected by this unless of 
course we code an exception for your domain.


I have another personal rule which adds +6 for 'unusual' domains - 
including .pro - so your chance of getting an email through to my users 
is zero (sorry), unless indirectly (e.g. via mailing list).





Re: pyzor

2021-04-21 Thread Dominic Raferd



On 21/04/2021 16:15, Steve Dondley wrote:

On 2021-04-21 11:00 AM, Eric Broch wrote:

Does anyone one have a solution to this:

spamd[]: pyzor: check failed: internal error, python traceback
seen in response

I have this in my local.cf

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor


I don't have this in my config at all. Maybe you are following 
outdated advice?


Make sure you have the pyzor plugin line uncommented:

loadplugin Mail::SpamAssassin::Plugin::Pyzor

Also, ensure you have installed the pyzor package on your OS.


+1

If you have installed pyzor the default settings for SA should use it. 
You can look for all SA pyzor settings with something like:


grep -hEr pyzor /var/lib/spamassassin /etc/spamassassin

My only personal setting is:

# overcome 'SA info: pyzor: [num] error: TERMINATED, signal 15 (000f)'
pyzor_timeout 20



Re: OT: is sorbs.net sleeping ?

2021-04-09 Thread Dominic Raferd

  
  
On 09/04/2021 15:57, Rob McEwen wrote:

On 4/9/2021 10:34 AM, Benny Pedersen wrote:

the above IP is not listed yet, which IMHO is a sign of no maintenance 
at all anymore

So I noticed that this IP you mentioned is a heavily-listed IP that is 
currently listed on many DNSBLs, including many of the best and most 
reliable and accurate ones. (I think that was part of your point.) So 
you're complaining that SORBS isn't listing this one. Maybe you were 
providing this as a representative example, correct? So I guess you're 
saying that there are more like this?

But for the sake of clarity, let me just say that no DNSBLs should ever 
be judged too harshly for "false negatives" - no DNSBL has the exact 
same view of the worldwide email data - and each DNSBL's false positive 
prevention filters will always make SOME mistakes that cause "false 
negatives" - that's a very acceptable price to pay considering that no 
system can ever be perfect. Low false positives AND overall catch-rates 
AND overall UNIQUE catch-rates (blocking stuff everyone else is still 
missing) - are all far more important metrics. (You might be 
disappointed with SORBS in those areas too? - that's fine - I'm just 
trying to clarify that overly judging a DNSBL based on particular false 
negatives can be overly harsh and might miss the good things that a 
DNSBL has to offer.)

That sounds reasonable. But my experience is that spamhaus RBLs (zen, 
zrd, dbl) have a zero false positive rate (or so low that I have never 
found one). IMHO if an email is matched by spamhaus it is the sender's 
big problem, not the recipient's. (And I have no connection to 
spamhaus...)
  



Re: Catch subtly-different Reply-To domain

2021-02-23 Thread Dominic Raferd



On 22/02/2021 15:45, Dominic Raferd wrote:

On 22/02/2021 15:05, RW wrote:



On Sun, 21 Feb 2021, Dominic Raferd wrote:

Michael's suggestion is interesting. There is a github project
allowing Levenshtein numbers to be calculated and used in SA, I
will see if there is a way to apply it in this situation. Thanks
to all for their input.



There is also a Damerau–Levenshtein version which is probably a better
choice as the transposition of two adjacent characters counts as 1
difference rather than 2.

That sounds better, but I don't know how to employ it to make a rule for
SA. My idea is to compare the domain part of the 'From' and 'Reply-To'
addresses, scoring for a close but not exact match (maybe
Damerau–Levenshtein between 1 and 3). The same logic could also be used
to compare the domain part of the 'From' to a list of domains that are
prone to impersonation (and don't have DMARC policy with
p=reject|quarantine).


I have now implemented this using the (updated) code at 
https://github.com/fmbla/spamassassin-levenshtein. This was super-easy 
as the new LEVENSHTEIN_REPLY rule does exactly what I need - I just 
added the 3 files to /etc/spamassassin and added 1 line to 
/etc/spamassassin/z_local.cf:


score LEVENSHTEIN_REPLY 4

My thanks to the coder! Now I need a real-world case to see it in action...




Re: Catch subtly-different Reply-To domain

2021-02-22 Thread Dominic Raferd



On 22/02/2021 15:05, RW wrote:

On Sun, 21 Feb 2021 16:32:01 -0800 (PST)
John Hardin wrote:


On Sun, 21 Feb 2021, John Hardin wrote:


On Sun, 21 Feb 2021, Dominic Raferd wrote:

Michael's suggestion is interesting. There is a github project
allowing Levenshtein numbers to be calculated and used in SA, I
will see if there is a way to apply it in this situation. Thanks
to all for their input.

It would have to be a plugin, and there's a CPAN module for
calculating Levenshtein numbers so most of the heavy lifting is
already done.

Sigh. Ignore that, that's exactly what it is. I need to stop replying
so quickly to stuff.

I don't think there was anything wrong in pointing out that it's
available from CPAN.

There is also a Damerau–Levenshtein version which is probably a better
choice as the transposition of two adjacent characters counts as 1
difference rather than 2.
That sounds better, but I don't know how to employ it to make a rule for 
SA. My idea is to compare the domain part of the 'From' and 'Reply-To' 
addresses, scoring for a close but not exact match (maybe 
Damerau–Levenshtein between 1 and 3). The same logic could also be used 
to compare the domain part of the 'From' to a list of domains that are 
prone to impersonation (and don't have DMARC policy with 
p=reject|quarantine).




Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd

On 21/02/2021 20:09, Benny Pedersen wrote:

On 2021-02-21 19:44, Dominic Raferd wrote:


Presumably interfacefm.com has been hacked, but not to the extent that
they can intercept incoming replies.


I stand corrected; but as they specify p=none, the mail must still pass.


in what way should it pass ?

dmarc tests spf, dkim, and opendmarc from github trunk validates arc 
chains as well, there is no guarantee that anything passes


only sendgrid made that mistake, sorry sendgrid


p=none is an instruction from the domain controller *not* to reject 
emails from their domain even when they fail DMARC testing. So the end 
result is that this mail should pass through DMARC testing.


DMARC is a red herring here. My original question wouldn't be relevant 
if the sending domain had an enforced DMARC policy 
(p=quarantine|reject), but they don't.


Michael's suggestion is interesting. There is a github project allowing 
Levenshtein numbers to be calculated and used in SA, I will see if there 
is a way to apply it in this situation. Thanks to all for their input.




Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd



On 21/02/2021 17:37, RW wrote:

On Sun, 21 Feb 2021 17:00:32 +
Dominic Raferd wrote:


On 21/02/2021 16:20, Benny Pedersen wrote:

On 2021-02-21 17:00, RW wrote:

On Sun, 21 Feb 2021 14:04:20 +
Dominic Raferd wrote:
  

On 21/02/2021 13:56, RW wrote:
  

From: "Karen Howard" 
Reply-To: "Karen Howard" 
  

Yes this mail passed DMARC

How did it pass DMARC when it has the domain being spoofed in the
from header?

both domains can have dmarc, but only from header is dmarc tested

and dkim can sign reply-to

and interfacefm.com (like most domains) does not publish a DMARC
policy, so it must pass

But it does:

$ dig +short txt _dmarc.interfacefm.com
"v=DMARC1; p=none; rua=mailto:postmas...@interfacefm.com;

Presumably interfacefm.com has been hacked, but not to the extent that
they can intercept incoming replies.


I stand corrected; but as they specify p=none, the mail must still pass.



Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd

On 21/02/2021 16:20, Benny Pedersen wrote:

On 2021-02-21 17:00, RW wrote:

On Sun, 21 Feb 2021 14:04:20 +
Dominic Raferd wrote:


On 21/02/2021 13:56, RW wrote:



>>> From: "Karen Howard" 
>>> Reply-To: "Karen Howard" 



Yes this mail passed DMARC


How did it pass DMARC when it has the domain being spoofed in the from
header?


both domains can have dmarc, but only from header is dmarc tested

and dkim can sign reply-to
and interfacefm.com (like most domains) does not publish a DMARC policy, 
so it must pass


Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Dominic Raferd



On 21/02/2021 13:56, RW wrote:

On Sun, 21 Feb 2021 11:28:51 +0100
Michael Storz wrote:


Am 2021-02-20 08:58, schrieb Dominic Raferd:

Is there a rule to catch cases where the domain of the Reply-To
header is a subtle variant on that in the To header. Take this
(real) example from a phishing email sent yesterday:

From: "Karen Howard" 
Reply-To: "Karen Howard" 

Use the "Damerau–Levenshtein distance" to calculate the similarity.
I have long been interested in trying this, but never found the time.

Did you have particular use in mind for that? The example above doesn't
seem all that useful as a phishing technique as it will fail DMARC.

My suspicion is that they are trying to exploit mail systems that
haven't yet adopted DMARC checking and that interfacefm.com was chosen
for its SPF record:

v=spf1 +a +mx +a:ns1.c57578.sgvps.net include:_spf.mailspamprotection.com

There's no -all or ~all on the end.
Yes this mail passed DMARC and it is cases like this that I want to 
catch. 99% of domains have not implemented full DMARC with 
p=quarantine|reject, so one can't rely on it (although it has a valuable 
role).


Catch subtly-different Reply-To domain

2021-02-19 Thread Dominic Raferd
Is there a rule to catch cases where the domain of the Reply-To header 
is a subtle variant on that in the To header. Take this (real) example 
from a phishing email sent yesterday:


From: "Karen Howard" 
Reply-To: "Karen Howard" 

I realise that other elements of the address can be different without 
being a reliable spam indicator but I think that interfacefm.com -> 
intrefacefm.com are so similar and yet different that they should be 
worth a few points. But I can't think how to write such a rule myself.
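A worked version of the rule sketched in this thread, as an added example and not the code of the spamassassin-levenshtein plugin adopted later in the thread: it computes both the plain and the Damerau–Levenshtein distance between the From and Reply-To domains (the pair from this example differs by one transposition, so the distances are 2 and 1 respectively), flags a close-but-not-identical match within the 1 to 3 window proposed later in the thread, and applies the same test against a list of impersonation-prone domains. The header values are constructed; only the two domains come from the thread.

```python
"""Flag a Reply-To domain that is a near-miss of the From domain.

Added example for this thread; it is not the spamassassin-levenshtein
plugin.  The 1..3 distance window is the one proposed in the thread; the
function names and the sample headers are constructed (only the two domains,
interfacefm.com and intrefacefm.com, come from the thread).
"""
from email.utils import parseaddr


def levenshtein(a, b):
    """Plain edit distance: insertion, deletion and substitution cost 1 each,
    so a swapped pair of letters costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: as above, but transposing two
    adjacent characters (interfacefm -> intrefacefm) costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[-1][-1]


def header_domain(header_value):
    """Lower-cased domain of the first address in a From:/Reply-To: value,
    or None when the header is absent or carries no address."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def lookalike_reply_to(from_hdr, reply_to_hdr, low=1, high=3):
    """Return (distance, hit).  hit is True only for a close-but-different
    domain pair; identical domains (distance 0) or a missing Reply-To do not
    fire, which keeps the ordinary same-domain Reply-To case clean."""
    a, b = header_domain(from_hdr), header_domain(reply_to_hdr)
    if a is None or b is None:
        return None, False
    dist = damerau_levenshtein(a, b)
    return dist, low <= dist <= high


def lookalike_of_protected(from_hdr, protected, low=1, high=3):
    """Second use from the thread: the From domain resembles, but is not,
    a domain known to be impersonated (e.g. one without p=reject|quarantine).
    Returns the protected domain it resembles, or None."""
    a = header_domain(from_hdr)
    if a is None:
        return None
    for dom in protected:
        dom = dom.lower()
        if dom != a and low <= damerau_levenshtein(a, dom) <= high:
            return dom
    return None


# Constructed headers modelled on the phishing example in the thread.
SAMPLE_FROM = '"Karen Howard" <karen.howard@interfacefm.com>'
SAMPLE_REPLY_TO = '"Karen Howard" <karen.howard@intrefacefm.com>'

if __name__ == "__main__":
    a, b = header_domain(SAMPLE_FROM), header_domain(SAMPLE_REPLY_TO)
    print("Levenshtein        :", levenshtein(a, b))          # 2
    print("Damerau-Levenshtein:", damerau_levenshtein(a, b))  # 1
    print("reply-to lookalike :", lookalike_reply_to(SAMPLE_FROM, SAMPLE_REPLY_TO))
```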




Re: Protection.Outlook.Com

2021-02-04 Thread Dominic Raferd
You can check the ip status by registering it at Microsoft’s Smart 
Network Data Service (you probably did this already). You might have to 
contact your VPS provider to get *them* to escalate any problem (as it is 
their ip space), and they might have to escalate it twice (once via 
Microsoft automated service, 2nd time via human).


Microsoft do clear these false positives in my experience. By contrast 
your provider (tbi.net) blocks emails from my mailserver ip - and 
doesn't offer any way to correct it.


On 04/02/2021 13:59, Jared Hall wrote:
I ported my physical server to a Linode instance and have been trying 
to get Microsoft to de-list my IP address from their blacklist for 
four weeks now; ticket SRX1517586366ID.  Four freakin' weeks.


Does anybody here have a better method to get removed from their 
blacklist?


Thanks,

Jared


Re: google and spam

2020-12-14 Thread Dominic Raferd

On 14/12/2020 11:01, Iulian Stan wrote:

Hi all,

First of all I am writing this email from yahoo because from my own 
domain it seems it's not working because I have DMARC set up and 
apparently something (maybe ezmlm) is messing up the headers. If 
you have any idea to whom I should address this I will be more than happy :)


I am also receiving a lot of spam from google (apparently the domain 
is always trix.bounces.google.com) and all the spam is using google forms.
For me the problem is solved (meaning that all of this spam is going 
to quarantine and bayes is learning about it) but I was wondering:


1) Since the emails are coming from google how come google is not doing 
anything?
2) Is this spam sent manually? It would be a nightmare for a spammer 
to do this, but how come there isn't any limitation coming from google if 
the spam is sent via mass-bulk programs/interfaces/etc?
3) I am also using a local (my own) RBL which is trained with IPs from 
spam. It is queried by spamassassin because I don't want to reject from 
the MTA but use it in conjunction with other scores/rules. Now I have 
doubts that if I keep adding IPs from google I will end up having all 
google MTAs added and legit email might be hurt in the process. What 
do you think? Do you have insights about this trix.bounces.google.com? 
Looking at the RBL doesn't look too great and it seems spam is being 
actively sent from this domain.
4) I thought that maybe google launched something similar to sendgrid 
but I don't find any reference about it and also the envelope-froms are 
different; I didn't find a common denominator. A few examples:


envelope-from 
<3lxrkxxqobqgumoiuqttqwva.rjfiarllqitwojzivl.zcwnnqkmoajmb...@trix.bounces.google.com>

...

Above also a full example of an email:

https://pastebin.com/DW6dvdxP 


To my surprise, you seem to be right. In my logs I have a number of 
these (but not a huge number) over the last year, they have almost all 
been blocked by SA (not using bayes) - but not blocked by earlier 
defences. I have received only a handful of such mails that have passed 
SA; now when I check them they are all definitely spam/phishing. The IPs all seem 
to be Google's (within CIDR 209.85.128.0/17). I'm going to add a couple 
of points scoring to anything from trix.bounces.google.com.




Re: dbip-country-lite database

2020-11-15 Thread Dominic Raferd
On Sun, 15 Nov 2020, 18:27 Philip Prindeville, <
philipp_s...@redfish-solutions.com> wrote:

> Is anyone else using this database?
>
> I’ve been using it with xt_geoip and Mimedefang and Plugin::URILocalBL to
> block countries since Maxmind retired support for GeoIP on RHEL.
>
> But I keep running into cases where parts of the database are very
> obviously wrong.  It’s showing about 50% of 183.128.0.0-183.170.255.255 as
> being in the US.  But APNIC says 183.128.0.0/11 is CHINANET.
>

Can you not use GeoIP2?


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Dominic Raferd
Here's mine, had it running as a regular cron job for a few days now.

On Wed, 26 Aug 2020 at 04:08, Rob McEwen  wrote:

> On 8/25/2020 11:04 PM, John Hardin wrote:
> > I just wrote something similar to generate a rule, in case for some
> > reason you don't want to use a plugin. Let me know if there's any
> > interest in it.
>
> yes - please share!
>


(attachment: spbl.sh)


Re: handling spam from gmail.

2020-06-11 Thread Dominic Raferd
On Thu, 11 Jun 2020 at 09:20, Marc Roos  wrote:

>
>
> I am sick of this gmail spam. Does anyone know a solution where I can do
> something like this:
>
> 1. received email from adcpni...@gmail.com
> 2. system recognizes this email address has been 'whitelisted', continue
> with 7.
> 3. system recognizes as this email never been seen before
> 4. auto reply with something like (maybe with a wait time of x hours):
>Your message did not receive the final recipient. You are sending
> from a known spam provider
>network that is why we blocked your message. Please confirm that:
>- you are not a spammer and
>    - you have permission to use the mail address you send your message to
>- you and your provider agree to uphold GDPR legislation
>- you and your provider are liable for damages when breaching any of
> the above.
>
>
>Click link to confirm and you agree with the above
>https://www.domainwithoutletsencryptcertificate.com/asdfasdfadsfaf
>
> 5. sender clicks confirm url
> 6. email address is added to some white list.
> 7. email is delivered to recipient.
>

Are you sure these emails are really coming from gmail or are they fakes?
If fakes, they will mostly be stopped if you test with decent rbls such as
zen. Much easier and less intrusive.


Re: dcc-servers.net seems to have gone away

2020-05-23 Thread Dominic Raferd
On Sat, 23 May 2020 at 09:55, hospice admin  wrote:
>
> Hi Gang,
>
> Looks like DCC/Rhyolite has stopped working. First noticed problems around 
> 19:30 last night UK time.
>
> Problem seems to be that DNS for dcc-servers.net has gone away. Have checked 
> with the likes of mxtoolbox and intoDNS and they appear to agree.
>
> When I do a 'whois' for the domain I notice:
>
>Updated Date: 2020-05-23T07:40:31Z
>
>
> Just wondered if anyone knows what's going on?

I have no idea, but I confirm the problem.


Re: generate rule, wrong?

2020-05-22 Thread Dominic Raferd
On Fri, 22 May 2020 at 10:28, Maurizio Caloro  wrote:
>
> Hello
> After generating this rawbody rule, spam mail with words like these still
> appears; possible mistake in my syntax?
>
> >required_score 5
> >use_pyzor 1
> >use_razor2 1
> >rawbody BECAUSE_OPTIN 
> >/(geschiedene|sexuellen|beziehungen|singlefrauen|zweisamkeit|Dating-Szene|datingszene|sex|männern|wild|unersättlich|dates|girl)/i
> >score BECAUSE_OPTIN 5.0

Perhaps there are some other rules with negative scores that reduce
the total score so it is <5? Did you try using body instead of
rawbody? To use body, also set 'normalize_charset 1' and ensure the
text in the rule is entered as UTF-8.
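Why a rawbody rule can miss a word like "männern" while a body rule with normalize_charset 1 catches it, as an added example (this is not code from the thread or from SpamAssassin): rawbody sees the body as it arrived, still transfer-encoded, so a UTF-8 word is present only as "=C3=A4" (quoted-printable) or as base64 and the regex never sees the letters. The message, addresses and body text are constructed; Python's email module stands in for SpamAssassin's decoding.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# The word list from the rule in the thread, as a Python regex. Perl and
# Python agree on this simple alternation; the /i flag becomes re.IGNORECASE.
BECAUSE_OPTIN = re.compile(
    r"(geschiedene|sexuellen|beziehungen|singlefrauen|zweisamkeit|Dating-Szene|"
    r"datingszene|sex|männern|wild|unersättlich|dates|girl)",
    re.IGNORECASE,
)


def build_sample_message(cte: str = "quoted-printable") -> bytes:
    """Constructed sample with non-ASCII German text, transfer-encoded the
    way a real MUA would encode it (quoted-printable or base64)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Hallo"
    msg.set_content("Treffe Frauen und Männern in deiner Nähe!",
                    charset="utf-8", cte=cte)
    return msg.as_bytes()


def raw_body(raw: bytes) -> str:
    """What a rawbody rule sees: the body still transfer-encoded."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    return raw.split(sep, 1)[1].decode("latin-1")


def decoded_body(raw: bytes) -> str:
    """What a body rule sees with normalize_charset 1: the body
    transfer-decoded and converted to Unicode text, so the UTF-8 words in
    the rule can match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content()


def matched_words(text: str) -> list:
    """Distinct rule words found in the text, lower-cased and sorted."""
    return sorted({m.group(1).lower() for m in BECAUSE_OPTIN.finditer(text)})


if __name__ == "__main__":
    for cte in ("quoted-printable", "base64"):
        raw = build_sample_message(cte)
        print(cte, "rawbody:", matched_words(raw_body(raw)),
              "body:", matched_words(decoded_body(raw)))
```

Running it shows an empty match list for the raw (encoded) body under both encodings and a match on "männern" once the body is decoded, which is the difference between the rawbody rule in the question and a body rule with normalize_charset 1.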


Re: HTTP checks on sending IP

2020-05-12 Thread Dominic Raferd
On Wed, 13 May 2020 at 06:27, Pedro David Marco  wrote:
>
> Not a long time ago, there was a very interesting thread post about the idea
> of reverse
> check of the website content of sending IP...
>
> As I remember, even a "spamassassiner" wrote a plugin for that.
>
> Honouring my terrible (lack of) brain, I cannot find those posts.  Please can
> anyone help me to find them or point me to the plugin?

I believe the thread you are referring to is from Feb-Mar 2019 here:
http://spamassassin.1065346.n5.nabble.com/Spam-rule-for-HTTP-HTTPS-request-to-sender-s-root-domain-td154612.html

I was using the OP's suggested rule (which calls his server), but on
checking I see that it has not triggered since 1 October 2019, so I
have now turned it off; presumably he turned off his server facility a
long time ago. He provided the code to set up your own at
https://github.com/mikernet/HttpCheckDnsServer, but I have not tried
this.


Re: New Spamhaus zone and updates to the plugin

2020-04-30 Thread Dominic Raferd
On Thu, 30 Apr 2020 at 09:51, Riccardo Alfieri 
wrote:

> Hello,
>
> I'm happy to announce to the SpamAssassin community that Spamhaus has
> released an updated version of our plugin that solves minor issues and,
> more importantly, adds support for a new dataset we just released.
>
> The new zone is called HBL (Hash BlockList) and deals with three
> different email scenarios previously not covered by the plugin:
>
> - Dropbox emails: emails - mostly on freemail providers - used in
> 419-like scams, sextortions and the like
> - Cryptowallets: malicious crypto addresses used mainly in extortion
> scams. Currently supports BTC,BCH,LTC,XRP,XMR and ETH
> - Filehash: hashes of suspicious or confirmed malicious attachments
>
> All the relevant technical information is available at
>
> https://docs.spamhaustech.com/10-data-type-documentation/datasets/030-datasets.html#hbl
>
>
> HBL is a zone available only to paid-for DQS users, but we do offer a
> free trial; just follow the instructions at
> https://github.com/spamhaus/spamassassin-dqs
>
> Even if you are not planning to use HBL, we strongly suggest you to
> update the plugin to the latest release for general security.
>
> We'd love some feedback and I'm always open for suggestions or
> discussion. Thank you!
>

Thanks Riccardo, this is a great tool and I have updated our SA plugin as
advised. I think it is a pity we small-scale users can't benefit from the
new HBL :( What was the logic here?

It might be worth posting on the postfix users list about the benefits of a
dqs account; I use it with postscreen and smtpd to good effect.


Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Dominic Raferd
On Thu, 23 Jan 2020 at 13:06, Jonathan Gilpin 
wrote:

> Hi,
>
> It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL
> lookup:
>
> *  0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
> *  blocklist
> *  [URIs: fluent.ltd.uk]
> *  2.1 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
> *  blocklist
> *  [URIs: fluent.ltd.uk]
>
>
> fluent.ltd.uk has address 195.78.94.252
>
> Name servers:
> dns1.fluent.ltd.uk    195.78.94.253
> dns2.fluent.ltd.uk    195.78.94.254
>
>
> *195.78.94.252 is not listed in the SBL*
>
> *195.78.94.252 is not listed in the PBL*
>
> *195.78.94.252 is not listed in the XBL*
> *195.78.94.253 is not listed in the SBL*
>
> *195.78.94.253 is not listed in the PBL*
>
> *195.78.94.253 is not listed in the XBL*
> *195.78.94.254 is not listed in the SBL*
>
> *195.78.94.254 is not listed in the PBL*
>
> *195.78.94.254 is not listed in the XBL*
>
> Has anyone come across this before or can someone give any advice on what
> the cause of this might be? Most importantly, how to fix it?
>

Assuming you are still seeing the FPs (and they weren't a temporary problem
with the SBL now having been updated), what DNS resolver was being used by
the system that generated the FPs? Are you confident that it was sending
the RBL lookup requests direct to Spamhaus and not forwarding them to
another DNS server outside your control?


Re: DMARC_REJECT?

2019-11-15 Thread Dominic Raferd
On Fri, 15 Nov 2019 at 21:17, Kevin A. McGrail  wrote:

> Good idea.  This is done.
>
> On 11/15/2019 11:49 AM, David Jones wrote:
> > Perhaps it needs to be named KAM_DMARC_REJECT to make it obvious that it
> > came from the KAM.cf and have a default score of 0.001?
>

I believe only the renaming has been done, the default score remains 10; so
anyone overriding the default score (that would be, er, me) needs to update
their local settings for the new name.


Re: DMARC_REJECT?

2019-11-13 Thread Dominic Raferd
On Thu, 14 Nov 2019 at 05:49, Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 14 Nov 2019, at 0:14, Amir Caspi wrote:
>
> > DMARC_REJECT
>
> Is not the name of any rule currently distributed by the Apache
> SpamAssassin project...
>

This comes from an update to KAM.cf in the last few weeks. It briefly
caused me problems because I pass all authenticated/local mails through SA
and these all started being scored +10. My solution was to add a line in my
local.cf:
score DMARC_REJECT 0

This works for me because I run opendmarc as a milter - any emails that are
non-auth/local and which fail DMARC with p=reject will be blocked anyway.


Re: SpamAssassin 18th anniversary article

2019-10-25 Thread Dominic Raferd
On Thu, 24 Oct 2019 at 16:29, Dave Wreski  wrote:

> Hi all,
>
> LinuxSecurity just posted an article on the history of SpamAssassin and
> its recent 18th anniversary, some of the new features coming in v4, and
> speaks with some of the lead developers.
>
>
> https://linuxsecurity.com/features/features/an-open-source-success-story-apache-spamassassin-celebrates-18-years-of-effectively-combating-spam-email
>
> We'd love to know what you think.
>
> Thanks,
> Dave
>

Interesting. I started using SpamAssassin about 3 years ago as a backend to
Amavis for our forwarding mail servers and for the first 18 months it was
just a black box to me; but as I have learned more I have been able to make
it (even) better by including KAM.cf and non-KAM.cf, GeoIP2 and my own
bespoke rules. And of course the release of v3.4.3 helped.

My thanks and congratulations to all who have been or still are involved in
the project - your child has really grown up!


Re: Something much BETTER that Setting Threshold

2019-09-28 Thread Dominic Raferd
On Sat, 28 Sep 2019 at 06:11, Ramon F Herrera  wrote:
> I was going to start a new thread about the following, but this is a good 
> point to interject.
> What I need is simply to remove all traffic coming from the domains: icu, 
> info, etc. That simple step would go a long way to solving my SPAM problem.

Instead I suggest you use (and periodically update) Kevin's KAM.cf and
nonKAMrules.cf from http://www.mcgrail.com/downloads/


Re: How to block mails from unknown ip addresses?

2019-08-26 Thread Dominic Raferd
On Sun, 25 Aug 2019 at 20:16,  wrote:

> Am 2019-08-25 20:54, schrieb Matus UHLAR - fantomas:
>
> > I don't think you should download geoip postgres modules when what you
> > really need is apparently more recent database.
> >
> > Debian SA package suggests installing libgeo-ip-perl which further
> > recommends geoip-database.
> >
> > buster contains version 20181108-1, while buster-backports contains
> > version
> > 20190724-1~bpo10+1
> > Your problem could apparently be solved by installing the backported
> > geoip-database
> > version.
>
> I tried this already (described in e-Mail at 4:53 pm), but the ip
> address 45.141.151.5 wasn't in the backport geoip-database.
>
> >> Maybe I have tomatoes on my eyes. I can't find the right debian
> >> package with the DB_File-Module. Do you or someone else know which
> >> package does contain the module? I don't use the cpan shell for
> >> installing modules.
> >
> > it's very good that you don't use these. They can make a mess on a debian
> > system. Only install debian packages unless you really need and can
> > take
> > care of manually installed packages.
>
> Yes, as you can see I got a warning and I installed the
> liblocale-codes-perl package.
>
> # ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
> Locale::Country will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at ./pgeoiplookup.pl, line 35.
> Locale::Codes will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at /usr/share/perl/5.28/Locale/Country.pm,
> line 22.
> GeoIP version 1566699945: TR, Turkey
>

This has worked for me on Debian derivatives (Ubuntu...) to install GeoIP2
with the much faster XS implementation:

cpan App::cpanminus &&\
add-apt-repository -y ppa:maxmind/ppa &&\
apt install libmaxminddb0 libmaxminddb-dev mmdb-bin &&\
cpanm Math::Int128 &&\
cpanm Net::Works::Network &&\
cpanm MaxMind::DB::Reader::XS &&\
cpanm GeoIP2::Database::Reader


Re: amavisd 100% cpu load - 470 queued messages...

2019-06-28 Thread Dominic Raferd
On Fri, 28 Jun 2019 at 09:56, hg user  wrote:

> Messages reported by mailq decreased to about 370 and then, in a few
> seconds, to 0... from 370 to 0 in a few seconds...
>
>
>
> On Fri, Jun 28, 2019 at 10:49 AM hg user  wrote:
>
>> I'm not able to lower cpu usage of amavisd.
>> 4 cpus are used 100% and messages queue up to 15 minutes before being
>> processed.
>>
>> mailq reports up to 470 queued messages... and this is bad, really bad.
>>
>> The most part of SA work is spent here:
>> tests_pri_0: 7371 (93.7%)
>> and I know that priority 0 includes almost everything
>>
>> Other than disabling some rules (which one?!!?!) and adding some cpus,
>> what can I really do?
>>
>
As a workaround you could set (in the amavis conf file) something like:

$child_timeout = 20;

which restricts any child process to (roughly) 20 seconds, after which
amavis will abort it.


Re: No longer just embedded =9D characters in blackmail emails.

2019-03-20 Thread Dominic Raferd
On Wed, 20 Mar 2019 at 13:14, piecka  wrote:
>
> Hello
>
> We've encountered a high false positive rate with MIXED_ES rule for emails
> written in Czech language. Czech naturally uses all of the e,ě and é.
>
> The situation is similar for Slovak language, which includes e and é.
>
> It seems the same with Greek
> (https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7691).
>
> Email messages written in one of the above mentioned (probably even other)
> languages have a much higher false positive rate than I would consider
> acceptable.
>
> Additionally, the default score for the rule is 3.999 which is quite high.
>
> I don't think the rule is suitable for the default ruleset in the current
> form.

I have seen similar problems and agree. I reduced its score with this
line in /etc/spamassassin/local.cf:
score MIXED_ES 0.499


Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Dominic Raferd
On Wed, 13 Mar 2019 at 13:04, RW  wrote:
>
> On Wed, 13 Mar 2019 10:53:06 +0000
> Dominic Raferd wrote:
>
> > On Wed, 13 Mar 2019 at 10:33, Mike Marynowski 
> > wrote:
> > >
> >
> > For those of us who are not SA experts can you give an example of how
> > to use your helpful new lookup facility (i.e. lines to add in
> > local.cf)? Thanks
>
>
> askdns AUTHOR_IN_HTTPCHECK  _AUTHORDOMAIN_.httpcheck.singulink.com A 1
>
> score  AUTHOR_IN_HTTPCHECK   0.1 # adjust as appropriate
>
> This assumes that Mail::SpamAssassin::Plugin::AskDNS is loaded, which
> it is by default.

Thanks, giving it a go...


Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-13 Thread Dominic Raferd
On Wed, 13 Mar 2019 at 10:33, Mike Marynowski  wrote:
>

For those of us who are not SA experts can you give an example of how
to use your helpful new lookup facility (i.e. lines to add in
local.cf)? Thanks


Re: X-Relay-Countries not working

2018-11-28 Thread Dominic Raferd
On Wed, 28 Nov 2018 at 10:36, Brent Clark  wrote:

> Sorry if I can just add, maybe the documentation can be updated?
>
> https://wiki.apache.org/spamassassin/RelayCountryPlugin


I think the documentation is fine, the example with the hat/circumflex has
describe text 'First untrusted relay is...'. It assumes some knowledge of
regex syntax, that is all.


Re: X-Relay-Countries not working

2018-11-27 Thread Dominic Raferd
On Wed, 28 Nov 2018 at 06:15, Brent Clark  wrote:

> Thanks for replying
>
> I did as you asked, here is the pastebin
>
> https://pastebin.com/XqSXndpW
>
> I could not see anything like you describe (i.e "I've found that the
> plugin will fallback to the 'fast' version ...")
>
> It looks like KR is getting found but if you look at the pastebin below,
> it does not display RELAYCOUNTRY
>
> https://pastebin.com/sh8S10ph


You use a hat ^ so that only the first (or ?last) relay server's country is
matched. Maybe this is the problem? Try using:

header   RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|SU|IN|BR|UA|KR)/

I use a similar header match string (but with GeoIP2 database, not the old
GeoIP) and it seems to work fine.
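To make the effect of the hat concrete, here is an added example (not code from the thread, and not SpamAssassin's own rule engine): a small evaluator for 'header' rule lines that applies each rule's regex to a pseudo-header value. The rule set and the X-Relay-Countries value "GB KR" (one country code per untrusted relay) are constructed; with the hat only the first code is tested, so a KR relay further down the chain does not fire the anchored rule. SpamAssassin evaluates Perl regexes, so only simple patterns like these map one-to-one onto Python's re.

```python
import re

# Constructed rule set in SpamAssassin 'header' syntax. The first rule is the
# anchored form discussed in the thread, the second the unanchored fix.
RULES = """
header   RELAYCOUNTRY_BAD_FIRST X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
describe RELAYCOUNTRY_BAD_FIRST First untrusted relay is in a listed country
header   RELAYCOUNTRY_BAD       X-Relay-Countries =~ /(CN|RU|SU|IN|BR|UA|KR)/
describe RELAYCOUNTRY_BAD       Any untrusted relay is in a listed country
header   RELAYCOUNTRY_GOOD      X-Relay-Countries =~ /^(GB|US)/
"""

# name, header, pattern between the slashes, trailing flags (e.g. i)
HEADER_RULE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)\s*$")


def parse_rules(text: str) -> list:
    """Return (name, header, compiled_regex) for each 'header' rule. Other
    directives (describe, score, ...) are skipped. Only the /i flag is
    honoured, which covers the rules shown here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("header"):
            continue
        m = HEADER_RULE.match(line)
        if not m:
            raise ValueError("unsupported header rule: " + line)
        name, header, pattern, flags = m.groups()
        regex = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
        rules.append((name, header, regex))
    return rules


def fired_rules(rules: list, headers: dict) -> list:
    """Names of the rules whose regex matches the value of their header."""
    return [name for name, header, regex in rules
            if headers.get(header) is not None and regex.search(headers[header])]


def demo() -> list:
    # Constructed pseudo-header: two untrusted relays, the first in GB and
    # the second in KR. The anchored rule does not fire, the unanchored does.
    return fired_rules(parse_rules(RULES), {"X-Relay-Countries": "GB KR"})


if __name__ == "__main__":
    print(demo())
```

Used on a real message, compare the evaluator's result against what `spamassassin -D RelayCountry` reports for the same X-Relay-Countries value; if they differ, the pseudo-header value is not what you think it is (e.g. the GeoIP database lookup failed and the code is "XX").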


Re: spoofing mail

2018-11-27 Thread Dominic Raferd
On Wed, 28 Nov 2018 at 01:57, Rick Gutierrez  wrote:

> El mar., 27 nov. 2018 a las 16:22, David Jones ()
> escribió:
>
> >
> > Can you send a copy of the original email lightly redacted via pastebin
> > so I can run it through my filters to give some pointers?
> >
> > --
> > David Jones
>
> Hi David , the email is very simple, but I attach it in the following link
>
> https://pastebin.com/cYaLibt1
>
> and the trace for a better reading
>
> https://pastebin.com/8vpVejPc
>
> the name of one of my users is Ariana Molina and the valid mail of
> another of my users is lvasquez.
>

So the real user's name and email (Ariana Molina mol...@domain.com) occurs
only in the body of the email, and not anywhere in the headers, nor in the
SMTP transaction? I think this is hard to catch because a real user's name
and email may legitimately be found in the body of an email from another
user.


Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Dominic Raferd
On Fri, 16 Nov 2018 at 15:54, Robert Fitzpatrick  wrote:
>
> Dominic Raferd wrote on 11/16/2018 8:50 AM>
> > Please clarify what you mean by 'even though SPF and DKIM is setup
> > with DMARC to reject'? I presume that 'company.com' does not have a
> > DMARC p=reject policy, or else your DMARC program (e.g. opendmarc)
> > should block forged emails from them.
> >
>
> Oh yes, sorry, the names changed to protect the innocent. But now that I
> am confirming, I don't see the _dmarc record set up by the DNS company as
> requested. So, this message would fail DMARC if set up for
> company.com to reject as you noted? I'll send them the request again and
> see, thanks.

In principle I recommend that everyone set up dmarc with p=reject for
their domains, but it is not to be undertaken lightly because it can
lead to rejection of their genuine but misconfigured emails (and cause
particular problems on mailing lists). I think your request to the
third party is unlikely to have any effect, and the problem you are
having needs to be tackled a different way.
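How a receiver running DMARC would treat the forged "company.com" mail from this thread, as an added example (not code from the thread, from opendmarc or from SpamAssassin): a DMARC record is parsed, SPF and DKIM results are checked for alignment with the From: domain, and the record's policy is applied only when neither aligns. This is why the spammer's own SPF pass does not help him, and also why a legitimate message whose DKIM signature was broken by a mailing list gets rejected, as in the Yahoo/AOL thread further down. Domain names and records are constructed placeholders; the organizational-domain helper is a two-label simplification (a real implementation uses the Public Suffix List), and pct sampling is reported but not simulated.

```python
# Defaults from RFC 7489 for tags a record may omit.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record into a tag dict, applying the defaults."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. ASSUMPTION for this example: the last two
    labels. Real implementations consult the Public Suffix List so that
    e.g. example.co.uk is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact domain match,
    relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record_txt: str, from_domain: str,
                   spf_pass_domain=None, dkim_pass_domain=None) -> tuple:
    """Return (result, disposition) for one message.

    spf_pass_domain:  the MAIL FROM domain for which SPF passed, or None.
    dkim_pass_domain: the d= of a DKIM signature that verified, or None.
    Only identifiers that actually passed count, so an attacker's SPF pass
    for his own domain never aligns with the spoofed From: domain.
    """
    rec = parse_dmarc(record_txt)
    if aligned(spf_pass_domain, from_domain, rec["aspf"]) or \
       aligned(dkim_pass_domain, from_domain, rec["adkim"]):
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = rec["sp"] if is_subdomain else rec["p"]
    # pct below 100 means only that share of failing mail gets this policy
    # and the rest gets the next weaker one; not simulated here.
    return "fail", policy


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@company.example"
    print(dmarc_evaluate(rec, "company.example", spf_pass_domain="spammer.example"))
```

The last case in the checks below (p=reject with sp=none) is the kind of subdomain gap worth looking for when a domain claims to be "set up to reject" but forged mail still arrives.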


Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Dominic Raferd
On Fri, 16 Nov 2018 at 13:45, Robert Fitzpatrick  wrote:
>
> We're having an issue with spam coming from the same company even though
> SPF and DKIM are set up with DMARC to reject. Take this forwarded email
> for instance
>
> >  Original message 
> > From: User 
> > Date: 11/15/18 10:42 AM (GMT-07:00)
> > To: Other User 
> > Subject: OVERDUE INVOICE
> >
> > Sorry for the delay…. This is an invoice reminder. The total for your item 
> > is $1,879.17.
> >
> > THX,
> >
> > -
> >
> > User
> > T 123.456.7890 | O 123.456.7891
> > EMail:u...@company.com
>
> However, the raw headers show as this...
>
> > Date: Thu, 15 Nov 2018 18:35:35 +0100
> > From: User 
> > 
> > To: other.u...@company.com
> > Message-ID: <860909106225419267.2007038e08376...@company.com>
> > Subject: OVERDUE INVOICE
>
> Could someone suggest a rule to match the signature with the last From
> email or envelope from? Or another suggestion how this could be resolved.
>
> Thanks!

Please clarify what you mean by 'even though SPF and DKIM is setup
with DMARC to reject'? I presume that 'company.com' does not have a
DMARC p=reject policy, or else your DMARC program (e.g. opendmarc)
should block forged emails from them.


Re: KAM_RAPTOR and other dependencies...

2018-10-26 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 22:44, Kevin A. McGrail  wrote:

> On 10/25/2018 1:07 AM, Dominic Raferd wrote:
>
> On Tue, 23 Oct 2018 at 14:22, Kevin A. McGrail 
> wrote:
>
>> It means I forgot to encapsulate that rule in a plugin check.  Download
>> the latest KAM.cf and you'll be good.
>>
>> On Mon, Oct 22, 2018 at 4:40 PM Peter L. Berghold 
>> wrote:
>>
>>> I've seen the following message and others similar:
>>> spamd[20463]: rules: meta test KAM_VERY_MALWARE has dependency
>>> 'KAM_RAPTOR' with a zero score
>>>
>>> what is spamassassin trying to tell me?
>>>
>>
> I am seeing 19 of these messages every day when
> /etc/cron.daily/spamassassin runs under anacron (Ubuntu 18.04.1,
> SpamAssassin 3.4.1, Perl 5.26.1). I am using the latest KAM.cf from
> http://www.mcgrail.com/downloads/KAM.cf which I added to
> /etc/spamassassin. The dependencies with zero score are:
> CBJ_GiveMeABreak
> KAM_IFRAME
> KAM_RAPTOR
> KAM_RPTR_PASSED
> KAM_RPTR_SUSPECT
>
> Should I ignore these messages (by modifying /etc/cron.daily/spamassassin)?
>
> Suggest you look at the KAM.cf and get the nonKAMrules.cf file mentioned
> will get rid of a warning or two.  The other warnings on the daily update
> are fine.  It has to do with the fact that I maintain KAM.cf as a single
> source for both internal usage and for the world at large.  So those using
> it externally get some warnings that we don't see internally.
>

Thanks, I will do that now and I have edited /etc/cron.daily/spamassassin so
I don't see those specific info messages.


Re: Version 3.4.2, Debian Stretch

2018-10-26 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 21:16, Vitali Quiering  wrote:

> Is not compatible with debian stretch or just not available as a package?
> Is it tested and considered stable?
>
> Regards,
> Vitali
>
> Am 25.10.2018 um 16:26 schrieb Dominic Raferd :
>
> On Thu, 25 Oct 2018 at 15:12, Vitali Quiering  wrote:
>
>> sorry if this has been asked before. I am new to this list and couldn’t
>> find a solution I liked. :-)
>> Is there a spamassassin 3.4.2 package available for Debian Stretch? I
>> need the RelayCountryPlugin with GeoIP2.
>
>
> Only in sid and buster at the moment. Ubuntu 18.04 is similarly affected.
>
>
I am confident it will be compatible, just the package for these platforms
has not been built yet.


Re: Version 3.4.2, Debian Stretch

2018-10-25 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 15:12, Vitali Quiering  wrote:

> sorry if this has been asked before. I am new to this list and couldn’t
> find a solution I liked. :-)
> Is there a spamassassin 3.4.2 package available for Debian Stretch? I need
> the RelayCountryPlugin with GeoIP2.


Only in sid and buster at the moment. Ubuntu 18.04 is similarly affected.


Re: Cannot install SpamAssassin on Ubuntu 18.04.1 (gpg not found?)

2018-10-25 Thread Dominic Raferd
On Thu, 25 Oct 2018 at 15:16, RW  wrote:

> On Thu, 25 Oct 2018 16:07:02 +0200
> Matus UHLAR - fantomas wrote:
>
> > >On Thu, 25 Oct 2018 08:37:45 -0400 Alexander Lieflander wrote:
> > >> As a side-note, it seems like the error message returned by dpkg
> > >> (and thus SpamAssassin, I guess) is incorrect. Where it mentions
> > >> “sa-compile”, it should really be mentioning “sa-update”, as the
> > >> man page for sa-update contains the “--nogpg” option, and the man
> > >> page for sa-compile does not.
> >
> > where did it say sa-compile?
>
> It failed when sa-compile was being installed
>
> > nothing with sa-compile.
> >
> > On 25.10.18 14:37, RW wrote:
> > >This is a consequence of Ubuntu (or Debian) splitting off sa-compile
> > >into a separate  package. The error occurred  while checking
> > >sa-compile's dependency, the spamassassin package.
> >
> > this should not happen at all. when sa-compile is installed,
> > spamassassin (and sa-update) should be installed and configured.
>
> I would guess that there was no problem when spamassassin was installed
> and sa-compile was installed later.
>

I am using SA on Ubuntu 18.04 without any such problems. Looking at the
package changelogs for SA 3.4.1-8 under Debian/Ubuntu they are identical
except that, for Ubuntu 18.04, SA was rebuilt against openssl1.1. The only
sadness is that Ubuntu 18.04 is currently stuck with 3.4.1 (3.4.2 is
available on 18.10).


Re: KAM_RAPTOR and other dependencies...

2018-10-24 Thread Dominic Raferd
On Tue, 23 Oct 2018 at 14:22, Kevin A. McGrail  wrote:

> It means I forgot to encapsulate that rule in a plugin check.  Download
> the latest KAM.cf and you'll be good.
>
> On Mon, Oct 22, 2018 at 4:40 PM Peter L. Berghold 
> wrote:
>
>> I've seen the following message and others similar:
>> spamd[20463]: rules: meta test KAM_VERY_MALWARE has dependency
>> 'KAM_RAPTOR' with a zero score
>>
>> what is spamassassin trying to tell me?
>>
>
I am seeing 19 of these messages every day when
/etc/cron.daily/spamassassin runs under anacron (Ubuntu 18.04.1,
SpamAssassin 3.4.1, Perl 5.26.1). I am using the latest KAM.cf from
http://www.mcgrail.com/downloads/KAM.cf which I added to /etc/spamassassin.
The dependencies with zero score are:
CBJ_GiveMeABreak
KAM_IFRAME
KAM_RAPTOR
KAM_RPTR_PASSED
KAM_RPTR_SUSPECT

Should I ignore these messages (by modifying /etc/cron.daily/spamassassin)?


Re: DNS and RBL problems

2018-09-15 Thread Dominic Raferd




On 15/09/2018 02:44, Alex wrote:
> On Fri, Sep 14, 2018 at 4:24 PM Daniel J. Luke  wrote:
>> On Sep 14, 2018, at 3:26 PM, Kevin A. McGrail  wrote:
>>> On 9/14/2018 3:22 PM, Alex wrote:
>>>> I wish it were that easy. /etc/resolv.conf is set up to use 127.0.0.1,
>>>> which is bind configured as my local caching resolver.
>>>
>>> Sinister issues like this are hard.  I'll try and escalate our plans for
>>> rsync access.
>>
>> Alex - have you looked at bad checksum counters on the host? (netstat -s) -
>> I've seen strange issues before with broken network hardware (or bugs in
>> switch/router code) causing changes to packets as they passed through the 'bad'
>> device. The first hints were those counters increasing at the same time as the
>> mysterious issue happening.
>
> I don't see anything relating to bad checksums with netstat :-( I've
> also tried numerous ethtool config changes. I've also looked through
> hundreds of packets with tcpdump and wireshark.
>
> This isn't a spamassassin message, but does anyone with a postfix
> system ever see similar "Name service error" messages such as the one
> below?
>
> Sep 14 21:12:54 mail03 postfix/dnsblog[3713]: warning: dnsblog_query:
> lookup error for DNS query 239.242.238.54.ubl.unsubscore.com: Host or
> domain name not found. Name service error for
> name=239.242.238.54.ubl.unsubscore.com type=A: Host not found, try
> again
>
> It appears to occur quite frequently, and on multiple unrelated
> systems. I'd love to find out what's causing it. The postfix people
> ascribed it to a remote server problem, but I can't believe virtually
> all RBLs, including spamhaus, would have such intermittent problems
> with *their* name servers.


On one of our mailservers (but not others, which are at different
locations with different isps) we had a problem with queries to rbls
being blocked either by the rbls themselves or by one of the
intermediate dns servers. So we set up a local bind9 resolver; it uses
forwarding for normal queries but for the rbls we set up special zones
to prevent forwarding. Example:

zone "hostkarma.junkemailfilter.com" { type forward; forward first;
forwarders {}; };

This solved nearly all our problems - we still see b.barracuda.org
refusing some queries from this mailserver (despite this ip being
registered with them). But not from our other mailservers, and not any
other rbls.
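Before adding per-zone forward overrides it helps to know which DNSBL zones are actually failing from a given mailserver. Here is an added example (not code from the thread or from postfix) that tallies postfix/dnsblog log lines per zone, separating lookup errors from real listings, and emits the bind9 forward-zone stanza from the reply above for the zones that never answer. The log lines are constructed, modelled on the warning Alex quoted, with documentation IP addresses; the hostkarma and unsubscore zone names come from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of postfix/dnsblog log lines modelled on the warning
# quoted in the thread. Client IPs are documentation addresses, not real hits.
SAMPLE_LOG = """\
Sep 14 21:12:54 mail03 postfix/dnsblog[3713]: warning: dnsblog_query: lookup error for DNS query 239.242.238.54.ubl.unsubscore.com: Host or domain name not found. Name service error for name=239.242.238.54.ubl.unsubscore.com type=A: Host not found, try again
Sep 14 21:12:55 mail03 postfix/dnsblog[3713]: addr 203.0.113.45 listed by domain zen.spamhaus.org as 127.0.0.4
Sep 14 21:12:57 mail03 postfix/dnsblog[3714]: warning: dnsblog_query: lookup error for DNS query 45.113.0.203.hostkarma.junkemailfilter.com: Host or domain name not found. Name service error for name=45.113.0.203.hostkarma.junkemailfilter.com type=A: Host not found, try again
Sep 14 21:13:02 mail03 postfix/dnsblog[3714]: addr 198.51.100.7 listed by domain hostkarma.junkemailfilter.com as 127.0.0.2
Sep 14 21:13:09 mail03 postfix/dnsblog[3715]: warning: dnsblog_query: lookup error for DNS query 7.100.51.198.ubl.unsubscore.com: Host or domain name not found. Name service error for name=7.100.51.198.ubl.unsubscore.com type=A: Host not found, try again
"""

ERROR_RE = re.compile(r"dnsblog_query: lookup error for DNS query (\S+): .*type=A: (.+)$")
ANSWER_RE = re.compile(r"addr \S+ listed by domain (\S+) as \S+")
REVERSED_IPV4 = re.compile(r"^(?:\d{1,3}\.){4}")


def zone_of(query_name: str) -> str:
    """Strip the reversed-octet prefix of an IP-based DNSBL query to get the
    zone; a URI-style query (domain.zone) is returned unchanged."""
    return REVERSED_IPV4.sub("", query_name)


def tally(log_text: str):
    """Count lookup errors and successful answers per DNSBL zone, keeping
    the resolver's error text so 'try again' can be told from NXDOMAIN."""
    errors, answers = Counter(), Counter()
    reasons = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            zone = zone_of(m.group(1))
            errors[zone] += 1
            reasons[zone][m.group(2).strip()] += 1
            continue
        m = ANSWER_RE.search(line)
        if m:
            answers[m.group(1)] += 1
    return errors, answers, reasons


def suspect_zones(errors, answers, min_errors: int = 2) -> list:
    """Zones that failed repeatedly and never returned a listing: the
    pattern seen when the zone or an intermediate resolver refuses you."""
    return sorted(z for z, n in errors.items()
                  if n >= min_errors and answers[z] == 0)


def bind_forward_override(zone: str) -> str:
    """The named.conf stanza from the reply above: a forward zone with an
    empty forwarder list makes bind resolve that zone itself."""
    return 'zone "%s" { type forward; forward first; forwarders {}; };' % zone


if __name__ == "__main__":
    errors, answers, reasons = tally(SAMPLE_LOG)
    for zone in suspect_zones(errors, answers):
        print("#", zone, dict(reasons[zone]))
        print(bind_forward_override(zone))
```

On a real host feed it `grep dnsblog /var/log/mail.log`; a zone that keeps returning "try again" and never lists anything is either refusing the resolver's source address or being dropped on the way, which is exactly the case the forward override addresses.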


Re: Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread Dominic Raferd
On Fri, 17 Aug 2018 at 17:34, Chris  wrote:

> I noticed last night while updating to 18.04.1 that there were warnings
> about SA Compile. I tried to copy to the clipboard however that
> didn't work. I did manage to capture this:
>
> installed sa-compile package post-installation script subprocess
> returned error exit status 13
>
> What I'm seeing in my syslog now is this:
>
> Aug 17 09:01:43 localhost spamd[1837]: rules: failed to run CLAMAV
> test, skipping:
> Aug 17 09:01:43 localhost spamd[1837]:  (Can't locate object method
> "check_clamav" via package "Mail: [...]:SpamAssassin::PerMsgStatus" at
> (eval 1894) line 19.
> Aug 17 09:01:43 localhost spamd[1837]: )
> Aug 17 09:01:43 localhost spamd[1837]: rules: failed to run __F_DM1
> test, skipping:
> Aug 17 09:01:43 localhost spamd[1837]:  (Can't locate object method
> "from_domains_mismatch" via package "Mail:
> [...]:SpamAssassin::PerMsgStatus" at (eval 1899) line 19.
>
> Any suggestions on a fix? Installed info below:
>
> apt-cache policy spamassassin
> spamassassin:
>   Installed: 3.4.1-8build1
>   Candidate: 3.4.1-8build1
>   Version table:
>  *** 3.4.1-8build1 500
> 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64
> Packages
> 500 http://us.archive.ubuntu.com/ubuntu bionic/main i386
> Packages
> 100 /var/lib/dpkg/status


A short answer as I am in a hurry but may help you get started. I hit this
problem on one machine. For future reference for anyone, run 'sudo -u
debian-spamd sa-compile' immediately *before* attempting upgrade to 18.04,
because it is run automatically during the upgrade and if it fails (because
of a prior error, in my case it was my bad syntax in /etc/spamassassin/
local.cf) the whole upgrade aborts. In my case the final stage (removing
old/redundant packages) had not happened.

There should be a track of what happened during the upgrade in log files in
/var/log/dist-upgrade. Look especially at the last say 300 lines of
screenlog.0.

The way I fixed it afterwards was to follow instructions in the first
answer at
https://askubuntu.com/questions/539235/how-to-remove-obsolete-packages-after-failed-release-upgrade-via-do-release-upgr
Then I found what had prevented sa-compile from completing and ran it through
without error.

Now 18.04 plays nicely. HTH


Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

2018-07-29 Thread Dominic Raferd
On Sun, 29 Jul 2018 at 18:33, RW  wrote:

> On Sun, 29 Jul 2018 12:28:08 +0200
> Antony Stone wrote:
>
> > On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote yet another
> > email that's guaranteed to fail DMARC with a reject when posted
> > through a mailing list, and consequently I didn't receive:
> ...
>

Ditto, and I haven't received (and won't receive) any of his subsequent
postings either (opendmarc is - quite rightly - blocking them). More
strangely, I didn't receive this message (above) except apparently when
quoted in reply by RW. Note to OP: when posting to mailing lists, use a
domain that does not have DMARC with p=reject (and preferably not
p=quarantine either).