Re: Whitelist or BAYES?

2024-09-27 Thread Matus UHLAR - fantomas

On 26.09.24 10:27, joe a wrote:

Maybe I should not ask this, but . . .

A relatively innocuous member informational email from a local town Library 
(monthly) gets marked as spam as shown below.
The BAYES_99 and BAYES_999 values are something I am toying with for other 
reasons.  Seems odd these should hit either one of those tests.

So, on the one hand I can add them to whitelist and be done with it, or I can 
add them to missed HAM for re-learning.

Which is the best approach?


so far, both. You may need to relearn multiple of their (monthly) mails before 
it has effect.



X-Spam-Report:
*  4.1 BAYES_99 BODY: Bayes spam probability is 99 to 100%
*  [score: 1.]
*  5.0 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
*  [score: 1.]


You have raised BAYES_99 and BAYES_999 to huge values, so I recommend 
rethinking that.



* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
*  author's domain


you can safely welcomelist_from_dkim their mail address.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.


Re: ATTENTION: DNSWL to be disabled by default.

2024-09-26 Thread Matus UHLAR - fantomas

Root Cause Analysis (in order):

1) DNSWL does not provide blocked codes.  That deviates from 
most DNS-query based systems.


On 24.09.24 20:43, Matthias Leisi wrote:

This is wrong.



On 26/09/24 01:20, Matus UHLAR - fantomas wrote:

I have checked with 1.1.1.1, where queries only return 127.0.10.3

It would help SA (and perhaps also DNSWL) if DNSWL would return 
127.0.0.255 in addition to 127.0.10.3


- there is already a rule to suspend

header  RCVD_IN_DNSWL_BLOCKED   eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.255$')

dns_block_rule RCVD_IN_DNSWL_BLOCKED list.dnswl.org


On 26.09.24 18:11, Peter wrote:
I'm not very proficient at SA rules so I won't attempt to write one 
for this, but perhaps this would help:


$ dig amiblocked.dnswl.org txt @1.1.1.1 +short
"You are blocked from using list.dnswl.org through public nameservers"
"yes"
$ dig amiblocked.dnswl.org txt @127.0.0.1 +short
"no"

It looks like the above test is definitive and works regardless of 
what other codes might be returned.


% dig amiblocked.dnswl.org txt @1.1.1.1
amiblocked.dnswl.org.   300 IN  TXT "no"

however this needs one more DNS lookup, which is the opposite of what we 
need.


BTW today I get different results for open resolvers - 1.1.1.1 and 9.9.9.9 
return 127.0.6.2, 8.8.8.8 returns nothing (was 127.0.10.3 a while ago).


many dnsbls support a BLOCKED reply, but only spamhaus supports a different 
reply for open resolvers - BLOCKED_OPENDNS (127.255.255.254).


SA reacts to BLOCKED by pausing for dns_block_time (default 300) seconds.

Of course, SA can't depend on the spamhaus reply with other DNSBLs, mostly 
because of different blocking criteria.


...as I said, if dnswl returned BLOCKED in addition to HIGH it would help 
SA at least a bit.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.
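
The return codes discussed in this message can be told apart mechanically. The following is an added example, not code from the thread or from SpamAssassin: it classifies list.dnswl.org answers using the blocked pattern from the rule quoted above, and applies a hypothetical heuristic (`resolver_verdict`, an assumption of this example) that flags a resolver which sees the same high-trust answer for every unrelated IP. The queried IPs are constructed samples from documentation ranges.

```python
import re
from collections import Counter

# Pattern taken from the RCVD_IN_DNSWL_BLOCKED rule quoted in the message.
BLOCKED_RE = re.compile(r"^127\.0\.\d+\.255$")
# dnswl.org answers have the form 127.0.<category>.<trust>; trust 3 is "high".
LISTED_RE = re.compile(r"^127\.0\.(\d+)\.([0-3])$")
TRUST = {0: "none", 1: "low", 2: "medium", 3: "high"}


def classify_answer(answer):
    """Classify one A-record answer from list.dnswl.org (None = NXDOMAIN)."""
    if answer is None:
        return ("not_listed", None, None)
    if BLOCKED_RE.match(answer):
        return ("blocked", None, None)
    m = LISTED_RE.match(answer)
    if m:
        return ("listed", int(m.group(1)), TRUST[int(m.group(2))])
    return ("unexpected", None, None)


def resolver_verdict(samples, min_samples=5):
    """samples maps a queried IP to the answer seen through one resolver.

    Hypothetical heuristic: an explicit blocked code is conclusive; otherwise
    an identical high-trust answer for each of several unrelated IPs suggests
    the resolver is being served the over-limit response.
    """
    kinds = [classify_answer(a) for a in samples.values()]
    if any(kind == "blocked" for kind, _, _ in kinds):
        return "blocked"
    if len(kinds) >= min_samples:
        answer, count = Counter(samples.values()).most_common(1)[0]
        if count == len(kinds) and classify_answer(answer)[2] == "high":
            return "suspect_uniform_high"
    return "ok"


# Constructed samples: the same five unrelated IPs looked up via two resolvers.
VIA_PUBLIC = {
    "192.0.2.10": "127.0.10.3",
    "192.0.2.77": "127.0.10.3",
    "198.51.100.5": "127.0.10.3",
    "198.51.100.200": "127.0.10.3",
    "203.0.113.9": "127.0.10.3",
}
VIA_LOCAL = {
    "192.0.2.10": None,
    "192.0.2.77": "127.0.5.1",
    "198.51.100.5": None,
    "198.51.100.200": None,
    "203.0.113.9": "127.0.10.3",
}
VIA_BLOCKED_CODE = {"192.0.2.10": "127.0.0.255"}

if __name__ == "__main__":
    for name, samples in [("public", VIA_PUBLIC), ("local", VIA_LOCAL),
                          ("blocked code", VIA_BLOCKED_CODE)]:
        print(f"{name:13s} -> {resolver_verdict(samples)}")
```

A `suspect_uniform_high` verdict means DNSWL scores from that resolver should not be trusted until lookups go through a resolver for which the `amiblocked.dnswl.org` query shown in the thread answers "no".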


Re: ATTENTION: DNSWL to be disabled by default.

2024-09-25 Thread Matus UHLAR - fantomas

Root Cause Analysis (in order):

1) DNSWL does not provide blocked codes.  That deviates from most DNS-query 
based systems.


On 24.09.24 20:43, Matthias Leisi wrote:

This is wrong.


I have checked with 1.1.1.1, where queries only return 127.0.10.3

It would help SA (and perhaps also DNSWL) if DNSWL would return 127.0.0.255 
in addition to 127.0.10.3


- there is already a rule to suspend

header  RCVD_IN_DNSWL_BLOCKED   eval:check_rbl_sub('dnswl-firsttrusted', '^127\.0\.\d+\.255$')
dns_block_rule RCVD_IN_DNSWL_BLOCKED list.dnswl.org


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...


Re: ATTENTION: DNSWL to be disabled by default.

2024-09-24 Thread Matus UHLAR - fantomas
TL;DR: Rather than using an in-band signal of a special reply 
value to queries from blocked users, as do other DNS-Based List 
operators, DNSWL.org sends back a "listed high" response to all 
queries. I was unaware


On 2024-09-24 at 04:18:06 UTC-0400 (Tue, 24 Sep 2024 10:18:06 +0200) 
Matthias Leisi  is rumored to have said:
Not to all queries. It is sent to resolvers who consistently go 
above the limits, sometimes for months and years after receiving the 
blocked response.


On 24.09.24 09:13, Bill Cole wrote:
I don't see how that's significant. The documented policy is directly 
and intentionally harmful to users.


I understand this case as "abusers" instead of users.

Doing that is a legitimate choice 
by a reputation service, but it's not one SA can endorse. The fact 
that it is enforced by whim rather than mechanically is not a positive 
factor.


Is there any possibility to detect clients using open DNS, perhaps other 
than RCVD_IN_ZEN_BLOCKED_OPENDNS ?


Then, block all dnsbl/rhsbl rules?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...


Re: Tips on training bayes?

2024-09-18 Thread Matus UHLAR - fantomas

On 18.09.24 16:19, natan wrote:
I was very disappointed with spamassassin 4.x because it started to 
grow /var/lib/amavis/tmp/


amavis should clean this itself.
which amavis version do you have installed?
did you tune it anyhow?

Did you enable and configure extracttext plugin?
Because that one may be kinda filling it up.


With SA 3.4.X - on average 100MB and it deletes on the fly
With SA 4.X - on average 2-6GB and I had to do a quick fix:
59 23 * * * root find /var/lib/amavis/tmp/ -mtime +0 -delete;

On 18.09.2024 at 16:09, Matus UHLAR - fantomas wrote:

On 18.09.24 13:42, Grega via users wrote:
Right now in SA 4.0.1 bayes at least for me is really challenging 
to train and set up.


I had good trained DB from past V3 install, and it behaved really odd.

I trained it on new set of mails 3000 spam and 3000 ham (HAND 
PICKED mail it was PAIN) and I can't get either BAYES_00 or 
BAYES_99 :)


I mean I get them occasionally, but not even close to what it was in V3.


In V3 SA bayes was decisive, when well trained it was awesome.

Now in V4.0.1 bayes is NON decisive, and in 90% of cases it gives 
me BAYES_40 or _50 even after I mark those mails as SPAM OR HAM.



What is even more weird is, that some mails aren't even bayes 
scored at all. BAYES_XX is missing from headers entirely and I 
don't know why...


I'm kind of sorry that I upgraded to 4.0.1...



looking at your first mail, it seems that you only have tokens for a 
few days:


dbg: bayes: corpus size: nspam = 1190, nham = 12441
dbg: bayes: DB expiry: tokens in \
DB: 979401, Expiry max size: 150, Oldest atime: 1725361640, Newest atime: \
1725888528, Last expire: 0, Current time: 1725888537

% date -d @1725361640
Tue Sep  3 13:07:20 CEST 2024

% date -d @1725888528
Mon Sep  9 15:28:48 CEST 2024


How do you call spamassassin, directly, via spamass-milter, amavis 
or other way?

Did you tune any bayes settings?
Do you have your trusted_networks and internal_networks set up properly?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: Tips on training bayes?

2024-09-18 Thread Matus UHLAR - fantomas

On 18.09.24 13:42, Grega via users wrote:

Right now in SA 4.0.1 bayes at least for me is really challenging to train and 
set up.

I had good trained DB from past V3 install, and it behaved really odd.

I trained it on new set of mails 3000 spam and 3000 ham (HAND PICKED mail it 
was PAIN) and I can't get either BAYES_00 or BAYES_99 :)

I mean I get them occasionally, but not even close to what it was in V3.


In V3 SA bayes was decisive, when well trained it was awesome.

Now in V4.0.1 bayes is NON decisive, and in 90% of cases it gives me BAYES_40 
or _50 even after I mark those mails as SPAM OR HAM.


What is even more weird is, that some mails aren't even bayes scored at all. 
BAYES_XX is missing from headers entirely and I don't know why...


I'm kind of sorry that I upgraded to 4.0.1...



looking at your first mail, it seems that you only have tokens for a few 
days:


dbg: bayes: corpus size: nspam = 1190, nham = 12441
dbg: bayes: DB expiry: tokens in \
DB: 979401, Expiry max size: 150, Oldest atime: 1725361640, Newest atime: \
1725888528, Last expire: 0, Current time: 1725888537

% date -d @1725361640
Tue Sep  3 13:07:20 CEST 2024

% date -d @1725888528
Mon Sep  9 15:28:48 CEST 2024


How do you call spamassassin, directly, via spamass-milter, amavis or other 
way?

Did you tune any bayes settings?
Do you have your trusted_networks and internal_networks set up properly?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
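
The reading of the Bayes debug line in the two replies above can be automated. This is an added example, not part of the thread or of SpamAssassin: it parses the quoted `dbg: bayes:` output (including the poster's backslash line wraps) and reports how many days the token access times span. The function names are this example's own, and the threshold of 200 assumes SpamAssassin's default `bayes_min_ham_num` and `bayes_min_spam_num`.

```python
import re
from datetime import datetime, timezone

# Debug output quoted in the message above; "\" marks the poster's line wraps.
DEBUG_OUTPUT = r"""
dbg: bayes: corpus size: nspam = 1190, nham = 12441
dbg: bayes: DB expiry: tokens in \
DB: 979401, Expiry max size: 150, Oldest atime: 1725361640, Newest atime: \
1725888528, Last expire: 0, Current time: 1725888537
"""

FIELDS = {
    "nspam": r"nspam = (\d+)",
    "nham": r"nham = (\d+)",
    "tokens": r"tokens in\s+DB:\s*(\d+)",
    "oldest": r"Oldest atime:\s*(\d+)",
    "newest": r"Newest atime:\s*(\d+)",
    "now": r"Current time:\s*(\d+)",
}


def parse_bayes_debug(text):
    """Extract the counters from 'spamassassin -D' bayes debug lines."""
    # Undo hard wraps, with or without a trailing backslash.
    flat = re.sub(r"\\?[ \t]*\n[ \t]*", " ", text)
    stats = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, flat)
        if m is None:
            raise ValueError(f"field {name!r} not found in debug output")
        stats[name] = int(m.group(1))
    return stats


def _iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def assess(stats, min_learned=200):
    """Summarise what the counters say about the state of the database."""
    span = stats["newest"] - stats["oldest"]
    ratio = round(stats["nham"] / stats["nspam"], 1) if stats["nspam"] else None
    return {
        "window_days": round(span / 86400, 1),       # age range of tokens
        "oldest_utc": _iso(stats["oldest"]),
        "newest_utc": _iso(stats["newest"]),
        "seconds_since_newest": stats["now"] - stats["newest"],
        "ham_per_spam": ratio,
        # Bayes rules do not fire until both counts reach the minimum.
        "trained_enough": min(stats["nspam"], stats["nham"]) >= min_learned,
    }


if __name__ == "__main__":
    for key, value in assess(parse_bayes_debug(DEBUG_OUTPUT)).items():
        print(f"{key:22s} {value}")
```

For the quoted output the token window is about six days, which is the "tokens for a few days" observation made in the reply.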


Re: What is RP? many false negatives and dont respond to emails

2024-08-13 Thread Matus UHLAR - fantomas

On 13.08.24 15:18, Philipp Ewald wrote:

Thanks, it was on hold. I will upgrade it.


configuring (daily) rule updates could be enough.
Of course, upgrading SpamAssassin is better than not upgrading it.


On 13.08.24 13:17, Axb wrote:

On 8/13/24 11:37, Philipp Ewald wrote:

User getting Spams with Score -5 because of this...
other experiences? do they answer e-mails? mine got not in weeks


 RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_RNBL=1.31, RCVD_IN_RP_SAFE=-2]

many thanks



Are you using an ancient SA version?
Those rules were removed/changed in March 2021


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton


uridnsbl_skip_domain and util_rb_*tld

2024-08-09 Thread Matus UHLAR - fantomas

Hello,

I encountered a problem where a domain listed in uridnsbl_skip_domain was 
queried for uribl listings.



I have tried to skip querying for "gov.sk" by defining

uridnsbl_skip_domain ... gov.sk

However, the domains were still gathered:

Jul 24 18:20:28.580 [8512] dbg: check: tagrun - tag URIHOSTS is now ready, value: ARY:[g2inmail1.gov.sk,mail.gov.sk,msx1.upvsp.gov.sk]
Jul 24 18:41:13.899 [9295] dbg: check: tagrun - tag URIDOMAINS is now ready, value: ARY:[g2inmail1.gov.sk,mail.gov.sk,upvsp.gov.sk]

and queries were still sent:

18:05:31.348747 IP 192.168.251.228.45721 > 54.233.104.8.53: 26118 [1au] A? g2inmail1.gov.sk.multi.uribl.com. (73)
18:15:39.860161 IP 192.168.251.228.55448 > 54.152.34.162.53: 29958 [1au] A? g2inmail3.gov.sk.multi.uribl.com. (73)

the "gov.sk" is listed as second-level TLD:

20_aux_tlds.cf:util_rb_2tld edu.sk gov.sk mil.sk

Is this the source of the problem?
I was trying to RTFS but I'm not skilled enough.

I believe that uridnsbl_skip_domain should skip domain even in such cases
- if someone wants to skip e.g. .com domains from URIBL checking, it should 
work.


So far I use:

dns_query_restriction deny gov.sk.multi.uribl.com gov.sk.multi.surbl.org gov.sk.dbl.spamhaus.org gov.sk.lookup.dkimwl.org


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901


Re: DATE_IN_FUTURE_24_48 more often?

2024-07-26 Thread Matus UHLAR - fantomas
>> > > I think I am starting to see this more often.  Today I was 
>> > > checking again every server to see if the ntp time is syncing 
>> > > properly.  But don't notice anything weird, can't really believe 
>> > > this sending had a bad clock.  Can anyone suggest what/where to 
>> > > look for?

>> > >
>> > >
>> > > DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after
>> >
>> > When you  looked at the Date: header, what did it say?  The part of 
>> > your question where you gave an example didn't make it through the 
>> > mailinglist!

>>
>> I was wondering if I am the only one seeing this.  Could also be 
>> related to my transitioning to el9.  I can remember having to change 
>> some scripts for time/timezone.  Logged times seem ok:

>>
>> mta logging was on this date: Jul  4 08:51:37
>> message header Date: Thu, 4 Jul 2024 08:51:35 +0200
>> message header Received:   Thu, 4 Jul 2024 08:51:37 +0200

>This does not look like something out of the ordinary not? Even if it is
>a timezone/summertime issue it is still not 'is 24 to 48 hours after'

This looks correct.
I remember seeing this issue when users put incorrect date or incorrect
timezone.


On 25.07.24 20:57, Marc wrote:

Incorrect date on the Windows / MacOS will trigger this?


yes.  Date in future will move time 24 hours into the future, or multiple 
times (48,72,94).


incorrect time zone may push time a few hours forwards or backwards.  (here it 
happens when people set the time to current, while keeping american 
timezone)


Together it may generate different hour shifts.


Do those still appear?


Looks like it is still a low %, except this T_DATE_IN_FUTURE_96_Q

    DATE_IN_FUTURE_03_06
0.1% DATE_IN_FUTURE_12_24
0.1% DATE_IN_FUTURE_06_12
31% T_DATE_IN_FUTURE_96_Q


I believe I don't have to explain how spammers use(d) this to show their 
mail first in their MUAs


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.


Re: DATE_IN_FUTURE_24_48 more often?

2024-07-25 Thread Matus UHLAR - fantomas

> > I think I am starting to see this more often. Today I was checking
> > again every server to see if the ntp time is syncing properly. But
> > don't notice anything weird, can't really believe this sending had a
> > bad clock. Can anyone suggest what/where to look for?
> >
> >
> > DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after
>
> When you  looked at the Date: header, what did it say?   The part of
> your question where you gave an example didn't make it through the
> mailinglist!

I was wondering if I am the only one seeing this. Could also be related
to my transitioning to el9. I can remember having to change some scripts
for time/timezone. Logged times seem ok:

mta logging was on this date: Jul  4 08:51:37
message header Date: Thu, 4 Jul 2024 08:51:35 +0200
message header Received:   Thu, 4 Jul 2024 08:51:37 +0200


On 22.07.24 09:58, Marc wrote:

This does not look like something out of the ordinary not? Even if it is a 
timezone/summertime issue it is still not 'is 24 to 48 hours after'


This looks correct.
I remember seeing this issue when users put incorrect date or incorrect 
timezone.


Do those still appear?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


Re: uridnsbl_skip_domain question

2024-07-24 Thread Matus UHLAR - fantomas

Hello,

I was hoping to fix this finally...


On 5/17/24 3:17 PM, Matus UHLAR - fantomas wrote:

I have configured exclusion for some common domains e.g. gov.sk in SA:

uridnsbl_skip_domain [...] gov.sk slovensko.sk

However it seems that that domain is still queried:

 9826  68.951573    127.0.0.1 → 127.0.0.1    DNS 104 Standard query 0xbffe A mail.gov.sk.multi.uribl.com OPT

in SA 4 docs I see that:

   uridnsbl_skip_domain domain1 domain2 ...
   Specify a domain, or a number of domains, which should be skipped
   for the URIBL checks.  This is very useful to specify very common
   domains which are not going to be listed in URIBLs.

   In addition to trimmed domain, the full hostname is also checked
   from the list.

Do I have to exclude subdomains for each host too?
(this would kind of defeat the directive imho).

This is SA 3.4.6 (debian 11) which does not have the latter paragraph but I 
assume the difference is only in documentation


On 18.05.24 19:30, giova...@paclan.it wrote:

From a quick look at the code it seems that the subdomain check has been added to 
Mail::SpamAssassin::Plugin::URIDNSBL with commit r1889093 ~10 days after 3.4.6 
release.
In addition to that, Mail::SpamAssassin::Plugin::DNSEval honors the 
uridnsbl_skip_domain preference only in trunk code.


I have retried this with SA 4.0.0 (debian 12), and unfortunately this still 
happens:


18:05:31.348747 IP 192.168.251.228.45721 > 54.233.104.8.53: 26118 [1au] A? g2inmail1.gov.sk.multi.uribl.com. (73)
18:15:39.860161 IP 192.168.251.228.55448 > 54.152.34.162.53: 29958 [1au] A? g2inmail3.gov.sk.multi.uribl.com. (73)

and SA debug output shows:

Jul 24 18:20:28.580 [8512] dbg: check: tagrun - tag URIHOSTS is now ready, value: ARY:[g2inmail1.gov.sk,mail.gov.sk,msx1.upvsp.gov.sk]
Jul 24 18:41:13.899 [9295] dbg: check: tagrun - tag URIDOMAINS is now ready, value: ARY:[g2inmail1.gov.sk,mail.gov.sk,upvsp.gov.sk]

I see that gov.sk is listed in:

20_aux_tlds.cf:util_rb_2tld edu.sk gov.sk mil.sk

Can this listing be the reason why its subdomains are still queried?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...


Re: whitelist_auth return_path / from

2024-07-03 Thread Matus UHLAR - fantomas

On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users wrote on 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both work in parallel, so no need to disable, best results came from 
both enabled

it's up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)



Matus UHLAR - fantomas wrote on 2024-07-03 16:14:

Please, Simon, quote the text you are replying to.


On 03.07.24 17:47, Benny Pedersen wrote:

i am not Simon


...I was not replying to you then.

Simon does not quote text he replies to, so it's hard to see who has written 
what.


compare your:
https://www.mail-archive.com/users@spamassassin.apache.org/msg111627.html

to Simon's:
https://www.mail-archive.com/users@spamassassin.apache.org/msg111628.html



my question is does spamassassin dmarc plugin use authres results ?

not yet.


also what i feared, but it should imho do

also authres does imho not have spf_helo testing


Do you know anything that adds spf_helo to Authentication-Results ?
afaik pyspf-milter adds helo information only for DSNs


have dmarc ?


yes
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.


Re: whitelist_auth return_path / from

2024-07-03 Thread Matus UHLAR - fantomas

On 03.07.24 23:54, Simon Wilson via users wrote:

Simon Wilson via users wrote on 2024-07-03 14:56:

Do I also need to disable the normal SA DKIM plugin evaluation, i.e.
trusting my upstream authres_trusted_authserv only?


both work in parallel, so no need to disable, best results came from 
both enabled

it's up to you to add more authres_trusted_authserv or more 
authres_ignored_authserv lines

possible we can now have a very long debate on dmarc plugin ? :)


Please, Simon, quote the text you are replying to.


my question is does spamassassin dmarc plugin use authres results ?


not yet.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: help with ubuntu 22.04

2024-07-01 Thread Matus UHLAR - fantomas

On 29.06.24 17:07, Rick Gutierrez wrote:

hi list , The latest version of spamassassin on Ubuntu 22.04 does not
exist or they did not create the deb package, someone on the list who
has the deb package and wants to share it.


https://packages.ubuntu.com/search?keywords=spamassassin


perhaps you want to upgrade to ubuntu 24.04 LTS which has SA 4.0.0 included.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.


Re: Questions about spamassassin

2024-06-22 Thread Matus UHLAR - fantomas

Paul Schmehl wrote on 2024-06-21 01:17:


bayes_path /usr/local/etc/mail/spamassassin/bayes/bayes


On 22.06.24 16:30, Benny Pedersen wrote:

this need spamd running as root :/


according to OP mail the directory is owned by spamd user

https://marc.info/?l=spamassassin-users&m=171891451702472&w=2


bayes_path ~/.spamassassin/bayes

path is not a file, just a dir


it's a path + filename prefix 
so the setting is correct.


I however prefer using /var, like in debian:

debian-spamd:x:114:114::/var/lib/spamassassin:/bin/sh

drwx-- 2 debian-spamd debian-spamd 4096 Jun 22 02:13 /var/lib/spamassassin/.spamassassin/

YMMV of course


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.


Re: Sv: Re: Question about a rule

2024-06-18 Thread Matus UHLAR - fantomas

On 18.06.24 14:05, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Sorry again for mailing directly. No idea why it suggests the user and not 
users@



I guess that the "sexikäs" causes troubles.
Do you use SA 4.0 ? That should be compatible with utf-8. 




Matus UHLAR - fantomas  2024-06-18 14:00 >>>

On 18.06.24 13:50, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Funny thing is that it seems to trigger on messages that contain none of those 
words. I have removed the actual words so that my message will not be regarded 
as spam ??

Wonder if it is that last word that matches some regexp??


This can happen in case of incorrect regular expression.
Maybe if you posted it here, we could see the error.

run spamassassin -D < mail 2>/tmp/mail.err
and you should be able to see which string matched

Finally, SA recommends using multiple rules with small scores instead of
single rule with huge score.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]

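The reply above suggests using `spamassassin -D` to see which string matched. The same question can be asked of the rule offline; this is an added example, not code from the thread, with Python's `re` standing in for the Perl regex and both sample texts constructed for illustration. It reports which alternative of the quoted rule fired and inside which word, and compares the rule as written with a variant anchored on word boundaries.

```python
import re

# Alternatives copied from the LOCAL_PORN_RULE quoted in the message above.
# None of them contains a regex metacharacter, so escaping changes nothing.
ALTERNATIVES = ["kiimainen", "naida", "sexikäs", "nussikas", "nussia", "pillu",
                "pano", "kinky", "bdsm", "pillua", "x69-JOOGA"]

# Constructed samples, not taken from any real message.
HAM_SAMPLE = ("Library news: panorama photo exhibition opens Friday, "
              "hosted by Zenaida Cruz.")
SPAM_SAMPLE = "Try x69-JOOGA tonight"


def build(alternatives, bounded):
    """Compile the alternation as written, or wrapped in \\b...\\b."""
    body = "|".join(re.escape(a) for a in alternatives)
    pattern = rf"\b(?:{body})\b" if bounded else body
    return re.compile(pattern, re.IGNORECASE)


def explain_hits(regex, text):
    """Return (matched alternative, enclosing word) for every hit in text."""
    hits = []
    for m in regex.finditer(text):
        start = text.rfind(" ", 0, m.start()) + 1
        end = text.find(" ", m.end())
        end = len(text) if end == -1 else end
        hits.append((m.group(0).lower(), text[start:end]))
    return hits


if __name__ == "__main__":
    for label, bounded in [("as written", False), ("with \\b", True)]:
        rx = build(ALTERNATIVES, bounded)
        print(label)
        print("  ham :", explain_hits(rx, HAM_SAMPLE))
        print("  spam:", explain_hits(rx, SPAM_SAMPLE))
```

Short alternatives without word boundaries match inside ordinary words, which is one way a rule like this can fire on mail that contains none of the listed words as words.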

Re: Question about a rule

2024-06-18 Thread Matus UHLAR - fantomas

On 18.06.24 13:50, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Funny thing is that it seems to trigger on messages that contain none of those 
words. I have removed the actual words so that my message will not be regarded 
as spam ??

Wonder if it is that last word that matches some regexp??


This can happen in case of incorrect regular expression.
Maybe if you posted it here, we could see the error.

run spamassassin -D < mail 2>/tmp/mail.err
and you should be able to see which string matched

Finally, SA recommends using multiple rules with small scores instead of 
single rule with huge score.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: Need some help decoding an SA analysis

2024-06-16 Thread Matus UHLAR - fantomas

On 16.06.24 14:42, Anders Gustafsson wrote:

Return-path: 
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on xx
X-Spam-Level:
X-Spam-Status: No, score=-95.6 required=5.0 tests=BAYES_00,HTML_MESSAGE,
MIME_HTML_ONLY,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RDNS_NONE,
TO_EQ_FM_DIRECT_MX,TO_NO_BRKTS_NORDNS_HTML,T_SCC_BODY_TEXT_LINE,
URIBL_BLACK,URIBL_DBL_SPAM,USER_IN_WELCOMELIST,USER_IN_WHITELIST
autolearn=no autolearn_force=no version=3.4.5
Received: from hosted-by.csrdp.host ([195.10.205.97])
by x with ESMTP (TLS encrypted); Sun, 16 Jun 2024 11:52:11 +0300
Reply-To: Email Mailbox Notification xx  #9698 

It was a phishing email and the provider has since shut it down. Now we do not 
have that address in our whitelist. Should I interpret this that some of the 
entries we do have in our whitelist use this address or provider?
provider?


Someone obviously has one of:

Resent-From
Envelope-Sender
Resent-Sender
X-Envelope-From
From

address in whitelist (renamed welcomelist since).

you just need to find out which and where.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: Where are your test definitions?

2024-06-15 Thread Matus UHLAR - fantomas

On 2024-06-14 21:20, Matus UHLAR - fantomas wrote:
If you want to find out more, feed the mail to "spamassassin -D" and 
that should explain which text matched which rules.


and as we told you already, your client should NOT play with small 
or semi-invisible text in mail. That's what spammers do.


On 14.06.24 23:33, Thomas Barth via users wrote:

Cool, but now I've more questions! :-)

When the eMail arrived the score was 6.248. I repeat the testlist:

BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, 
HTML_MESSAGE=0.001,
RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, 
SPF_PASS=-0.001,

T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01




But when piping the eMail to spamassassin -D the score is 10.5! And 
RDNS_NONE gets a 1.3!


2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
   blocklist
   [URI: www.example.com]
   [URI: example.com]


This happened because the spam URL was not on the DBL blocklist at the time you 
received the mail.  This happens all the time.


Also Bill has posted useful info.

However, this is not the output of spamassassin -D, just the resulting spam 
headers.
I'm skipping the rest of recommendations because of the latter.

WARNING

If your colleague is discussing with a spammer, skip this discussion and tell 
him not to.  There is no point in helping a spammer avoid filters.


The existence of www.example.com and example.com URIs in the mail indicates
that the mail was sent by a spammer.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.


Re: Where are your test definitions?

2024-06-14 Thread Matus UHLAR - fantomas

On 2024-06-14 18:24, Matus UHLAR - fantomas wrote:

1. as I said it's hard to find out without the body
2. hiding data indicates a spammer.


On 14.06.24 19:15, Thomas Barth via users wrote:

Yes, I've now realized that I can simply grep for the descriptions.

grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
/var/lib/spamassassin/4.00/updates_spamassassin_org/72_active.cf: describe FONT_INVIS_NORDNS Invisible text + no rDNS


In my case, I can say with certainty that the mail comes from a 
business partner of a colleague :-)


If you want to find out more, feed the mail to "spamassassin -D" and that 
should explain which text matched which rules.


and as we told you already, your client should NOT play with small or 
semi-invisible text in mail. That's what spammers do.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)


Re: Where are your test definitions?

2024-06-14 Thread Matus UHLAR - fantomas

On 2024-06-14 17:11, Matus UHLAR - fantomas wrote:

FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514
RDNS_NONE=0.793

working fcrdns would fix much for them.

However, not doing stupid shit with fonts would help even more:
FONT_INVIS_MSGID=2.497
FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514


On 14.06.24 18:00, Thomas Barth via users wrote:

Thanks, I have forwarded these infos and hope it will be corrected.




I cannot find the definitions on your old site 
https://spamassassin.apache.org/old/tests_3_1_x.html.


why 3.1?



Google only shows this old version and I can't find a link to the 
current test definitions on the website itself.


I see them in SA 4.0 rules:

72_active.cf:  meta  FONT_INVIS_MSGID  __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA
72_active.cf:  meta  FONT_INVIS_NORDNS  __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER
72_active.cf:  rawbody  __FONT_INVIS  /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
72_active.cf:  meta  HTML_FONT_TINY_NORDNS  __HTML_FONT_TINY_NORDNS && !__HAS_CID
72_active.cf:  meta  __HTML_FONT_TINY_NORDNS  (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE
72_active.cf:  rawbody  __AC_TINY_FONT  /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
72_active.cf:  rawbody  __HTML_FONT_TINY_01  /font-size:\s{0,5}[0-4]px;/i
72_active.cf:  rawbody  __HTML_FONT_TINY_02  /]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i

1. as I said it's hard to find out without the body
2. hiding data indicates a spammer.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!


Re: Where are your test definitions?

2024-06-14 Thread Matus UHLAR - fantomas

On 14.06.24 16:39, Thomas Barth via users wrote:
I would like to explain to a sender what he can do to create an email 
that is not classified as spam.


X-Spam-Status: Yes, score=6.248 tagged_above=1 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01]


FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514
RDNS_NONE=0.793

working fcrdns would fix much for them.

However, not doing stupid shit with fonts would help even more:
FONT_INVIS_MSGID=2.497
FONT_INVIS_NORDNS=1.544
HTML_FONT_TINY_NORDNS=1.514

Without seeing what matched that it's hard to guess more


I cannot find the definitions on your old site 
https://spamassassin.apache.org/old/tests_3_1_x.html.


why 3.1?


FONT_INVIS_NORDNS, FONT_INVIS_MSGID, HTML_FONT_TINY_NORDNS, RDNS_NONE

Is there no current version of the test definition?




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.


Re: Warning: Your Pyzor may be broken.

2024-06-10 Thread Matus UHLAR - fantomas

On 2024-06-08 14:45:34, Bill Cole wrote:

I went looking for a better fix and found a reported issue at
https://github.com/SpamExperts/pyzor/issues/155 matching my original
symptoms in which a workaround was provided: install directly from
the GitHub project's master.zip link, i.e. a snapshot assembled from
the current state of the repo, which claims to be v1.1.1. I do not
like that solution at all, and added a comment to that issue
suggesting that they fix the problem by cutting a release for
PyPI. No response yet, but it has only been a matter of minutes.



On Sun, 9 Jun 2024, Michael Orlitzky wrote:

The same issue was reported in 2016 and ignored for eight years before
being closed out of frustration (rather than because they did
something about it):

https://github.com/SpamExperts/pyzor/issues/54


On 09.06.24 10:31, John Hardin wrote:
Perhaps the project should consider retiring Pyzor as "no longer 
effectively maintained"?


consider, probably.  However pyzor still generates hits and helps catch 
spam, at least on my server.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.


Re: AW: RCVD_IN_RP_CERTIFIED always -3

2024-06-07 Thread Matus UHLAR - fantomas

On 06.06.24 21:17, hostmas...@audiogen.ch wrote:

I just got the latest rules.
I'm okay with poor performance for some of the rules as there isn't much
load on the related system.
And yes, you're right, on Ubuntu 20.04.06 the rules are installed in
/usr/share/spamassassin.
sa-update has placed the updated rules in /var/lib/spamassassin. I kept
/usr/share/spamassassin for the moment as if I got it right, /var/lib will
have priority over /usr/share.
Seems to work so far, however I will check the logs in a couple of days to
validate it's actually running smoothly.


you should enable automatic rule updates in /etc/default/spamassassin:
CRON=1

As another general recommendation, run local caching non-forwarding DNS 
server on mail server and don't use public DNS resolvers:


https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
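
The recommendation above can be checked mechanically. The following is an added example, not code from the post or from SpamAssassin: it reads the text of a SpamAssassin config and of /etc/resolv.conf and reports which resolvers would be used. The function names are hypothetical; the list of public resolvers and the rule that /etc/resolv.conf applies when no "dns_server" is configured are the ones stated elsewhere on this page.

```python
import ipaddress
import re

# Public resolvers named on this page.
PUBLIC_RESOLVERS = {
    "8.8.8.8": "google",
    "8.8.4.4": "google",
    "1.1.1.1": "cloudflare",
    "9.9.9.9": "quad-nine",
}


def strip_port(value):
    """Reduce a dns_server value (ip, ip:port, [ip]:port) to the bare address."""
    if value.startswith("["):
        return value[1:value.index("]")]
    if value.count(":") == 1:          # IPv4 with a port; bare IPv6 has more colons
        return value.split(":")[0]
    return value


def sa_dns_servers(cf_text):
    """Addresses from 'dns_server' lines of a SpamAssassin config file."""
    servers = []
    for line in cf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"dns_server\s+(\S+)$", line)
        if m:
            servers.append(strip_port(m.group(1)))
    return servers


def resolv_conf_servers(resolv_text):
    """Addresses from 'nameserver' lines of resolv.conf (comments are skipped)."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(addr):
    """local = loopback, public:<name> = shared resolver, remote = anything else."""
    if addr in PUBLIC_RESOLVERS:
        return "public:" + PUBLIC_RESOLVERS[addr]
    try:
        if ipaddress.ip_address(addr).is_loopback:
            return "local"
    except ValueError:
        return "invalid"
    # Could be your own recursor or your ISP's; this needs a manual check.
    return "remote"


def audit(cf_text, resolv_text):
    """Resolvers SpamAssassin would use, each paired with a verdict."""
    servers = sa_dns_servers(cf_text) or resolv_conf_servers(resolv_text)
    return [(addr, classify(addr)) for addr in servers]


if __name__ == "__main__":
    # Constructed sample input: no dns_server in local.cf, mixed resolv.conf.
    sample_cf = "required_score 5.0\n# dns_server 127.0.0.1\n"
    sample_resolv = "; constructed\nnameserver 8.8.8.8\nnameserver 192.0.2.53\n"
    for addr, verdict in audit(sample_cf, sample_resolv):
        print(f"{addr:15} {verdict}")
```

A "remote" verdict is not a failure by itself; it only means the address has to be confirmed as your own non-forwarding recursor.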


Re: Lots of FN because of VALIDITY* rules

2024-06-05 Thread Matus UHLAR - fantomas

On 2024-06-03 at 08:35:32 UTC-0400 (Mon, 3 Jun 2024 14:35:32 +0200)
postgarage Graz IT 
is rumored to have said:
I think that the active.list file should be updated, when 
there are new rules, shouldn't it?


On 03.06.24 08:52, Bill Cole wrote:
It is updated where it is actually used, on the ASF rule 
maintenance system. It is irrelevant to an operational 
deployment.


I have no idea why Debian installs that file at all.



On 6/5/24 09:17, Matus UHLAR - fantomas wrote:
It does not, I guess that the OP did because of misunderstanding 
of what it does.



On 6/5/24 11:14, postgarage Graz IT wrote:
No I didn't. Please have a look at 
https://packages.debian.org/bookworm/all/spamassassin/filelist where 
you can clearly see, that it is included in Debian's SA package.


yes, /usr/share/spamassassin/active.list is included, but there's none in 
/var/lib/spamassassin/


As was already mentioned, it's not used by default.
there was apparently some confusion what's in /var/lib/spamassassin/ on 
Debian



I can only guess that the rules were not fresh enough or OP 
installed obsolete/invalid rules there.


The first thing I did was to check if the updates worked (they did) 
neither did I install any rules myself.


On 05.06.24 12:38, postgarage Graz IT wrote:
OK, after having a second look, I take that claim back. It might be 
that I ran sa-update manually myself (which works) but maybe does 
not run automatically.


you should run this as user debian-spamd, or let cron handle that. 
Otherwise, you will create files cron will be unable to overwrite, which may 
also cause problems (and may have caused yours)


drwxr-xr-x 5 debian-spamd debian-spamd 4096 Nov 27  2023 /var/lib/spamassassin/
drwxr-xr-x 3 debian-spamd debian-spamd 4096 Jun  4 02:32 /var/lib/spamassassin/4.00//
drwxr-xr-x 2 debian-spamd debian-spamd 4096 Jun  4 02:32 /var/lib/spamassassin/4.00/updates_spamassassin_org/


you can also run "chown -R debian-spamd: /var/lib/spamassassin/" to fix it.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: Lots of FN because of VALIDITY* rules

2024-06-05 Thread Matus UHLAR - fantomas

On 2024-06-03 at 08:35:32 UTC-0400 (Mon, 3 Jun 2024 14:35:32 +0200)
postgarage Graz IT 
is rumored to have said:
I think that the active.list file should be updated, when there are 
new rules, shouldn't it?


On 03.06.24 08:52, Bill Cole wrote:
It is updated where it is actually used, on the ASF rule maintenance 
system. It is irrelevant to an operational deployment.


I have no idea why Debian installs that file at all.


It does not, I guess that the OP did because of misunderstanding of what it 
does.


I can only guess that the rules were not fresh enough or OP installed 
obsolete/invalid rules there.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.


Re: DKIM length 'l=' tag

2024-06-05 Thread Matus UHLAR - fantomas

On 03.06.24 11:16, Marc wrote:
Hi Andrew, this is a bit off topic, I posted this a while ago on the mailing 
list.  But did you notice by any chance that eg.  hotmail.com is failing 
every dkim verification (except their sender rewritten messages)?


I have checked yesterday's logs on one machine:

Jun  4 08:57:50 proxy1 opendmarc[1815]: 4VthHc4zf1zMlJH: hotmail.com pass
Jun  4 09:22:58 proxy1 opendmarc[1815]: 4Vthrc0mrNzMlFy: hotmail.com pass
Jun  4 12:25:10 proxy1 opendmarc[1815]: 4Vtmts4GXGzMlM0: outlook.com fail
Jun  4 12:32:17 proxy1 opendmarc[1815]: 4Vtn336J76zMl7T: hotmail.com pass
Jun  4 12:36:04 proxy1 opendmarc[1815]: 4Vtn7R1B6pzMlCK: hotmail.com pass
Jun  4 12:39:01 proxy1 opendmarc[1815]: 4VtnBr5mfRzMlB6: hotmail.com pass
Jun  4 17:36:30 proxy1 opendmarc[1815]: 4Vtvp4063FzMlM4: hotmail.com pass
Jun  4 21:24:20 proxy1 opendmarc[1815]: 4Vv0rz0TXJzMlLw: outlook.com pass
Jun  4 21:30:55 proxy1 opendmarc[1815]: 4Vv10b0BFZzMlLv: outlook.com pass

The failing 4Vtmts4GXGzMlM0  is DSN, which microsoft software (including 
on-premise exchange servers) seems not to dkim-sign.


I guess that the From: header is added after DKIM signing.

however we see no issues with hotmail DKIM signatures.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody


Re: Lots of FN because of VALIDITY* rules

2024-06-03 Thread Matus UHLAR - fantomas

On 03.06.24 12:02, Matus UHLAR - fantomas wrote:

On 03.06.24 07:26, postgarage Graz IT wrote:
A few days ago a lot of false negatives landed in our inboxes. As it 
turned out the reason was that for nearly all mails the 
RCVD_IN_VALIDITY_CERTIFIED and RCVD_IN_VALIDITY_SAFE rules matched.


I forgot to add that I have "lowered" (increased to small negative number) 
scores for RCVD_IN_VALIDITY_*, RCVD_IN_DNSWL_* and RCVD_IN_IADB_*

because I had similar bad experience with them.

I now know that validity introduced a query limit which we hit, 
because I have to admit, I wasn't aware that I shouldn't use public 
DNS resolvers for blacklists


I'd say you should not use public DNS resolvers with mailserver.

and therefore we got "Excessive Number of Queries" answers. I also 
found this patch 
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8244 which 
introduces new rules addressing the query limit.


my current rules show that all RCVD_IN_VALIDITY_* rules check for blocked.

Those *BLOCKED rules were never applied because our spamassassin 
received an updated rule-set which was saved to 
/var/lib/spamassassin/4.00/updates_spamassassin_org/ but never 
received an update for the active.list file located in 
/usr/share/spamassassin/


After I manually added the changes from the above mentioned patch to 
the active.list file it started to work.


Now for my questions:
*) as is stated in active.list it should not be edited. What's the 
correct place to add the new rules to activate them? local.cf?


you can use dns_query_restriction to restrict which DNS lists to query.

further, you can tune uridnsbl_skip_domain to avoid lookups for 
domains in URI* lists.



*) If I understand it correctly
/var/lib/spamassassin/4.00/updates_spamassassin_org/ is updated 
by the SA update mechanism but it's the Linux distribution's 
responsibility to update /var/lib/spamassassin? In that case should 
I file a Debian bug? Or should the SA updates also include the file 
active.list?


reload spamd or amavis, the rules in /var/lib/spamassassin/ are used 
by default.


Maybe you need to enable cron job by setting CRON=1 in 
/etc/default/spamassassin and it will happen automatically.


...I have no idea how active.list works.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.


Re: Lots of FN because of VALIDITY* rules

2024-06-03 Thread Matus UHLAR - fantomas

On 03.06.24 07:26, postgarage Graz IT wrote:
A few days ago a lot of false negatives landed in our inboxes. As it 
turned out the reason was that for nearly all mails the 
RCVD_IN_VALIDITY_CERTIFIED and RCVD_IN_VALIDITY_SAFE rules matched.


I now know that validity introduced a query limit which we hit, 
because I have to admit, I wasn't aware that I shouldn't use public 
DNS resolvers for blacklists


I'd say you should not use public DNS resolvers with mailserver.

and therefore we got "Excessive Number of 
Queries" answers. I also found this patch 
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8244 which 
introduces new rules addressing the query limit.


my current rules show that all RCVD_IN_VALIDITY_* rules check for blocked.

Those *BLOCKED rules were never applied because our spamassassin 
received an updated rule-set which was saved to 
/var/lib/spamassassin/4.00/updates_spamassassin_org/ but never 
received an update for the active.list file located in 
/usr/share/spamassassin/


After I manually added the changes from the above mentioned patch to 
the active.list file it started to work.


Now for my questions:
*) as is stated in active.list it should not be edited. What's the 
correct place to add the new rules to activate them? local.cf?


you can use dns_query_restriction to restrict which DNS lists to query.

further, you can tune uridnsbl_skip_domain to avoid lookups for domains in 
URI* lists.



*) If I understand it correctly
/var/lib/spamassassin/4.00/updates_spamassassin_org/ is updated by 
the SA update mechanism but it's the Linux distribution's 
responsibility to update /var/lib/spamassassin? In that case should I 
file a Debian bug? Or should the SA updates also include the file 
active.list?


reload spamd or amavis, the rules in /var/lib/spamassassin/ are used by 
default.


Maybe you need to enable cron job by setting CRON=1 in 
/etc/default/spamassassin and it will happen automatically.


...I have no idea how active.list works.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


Re: dkim fail %

2024-05-28 Thread Matus UHLAR - fantomas

> I am having a large (20%) of messages fail dkim. If I do some random
> checks, it looks like most of the failing messages are from the
> outlook.com cloud. Does any one else have this? Or is my setup just not
> properly checking dkim of outlook.com?



how should i guess ?

i see o365 not dkim sign at all, this is ok when spf pass, but not often
spf_helo fails, should dmarc care of spf_helo ? :)

more help needs more info from you


On 28.05.24 12:47, Marc wrote:
I am only looking at signature verifications of dkim, nothing else.  My 
software currently does not log selector and domain of failing signatures, 
so I am just doing an mx lookup and 'guessing' that outgoing mail 
originate from something similar.  It is just too much of a coincidence 
that everything is outlook.  Maybe my software or their software is not 
100% compatible with what is being signed.


what about replacing such software? With one that logs proper info?


add: header: X-Verification-Result: dkim=fail  -@ xxx...@karllagerfeld.com
[@]# dig +short -t mx karllagerfeld.com
10 fallback1.mx.nxs.nl.
5 karllagerfeld-com.mail.protection.outlook.com.


add: header: X-Verification-Result: dkim=fail -@ ...@hotmail.com
[@]# dig +short -t mx hotmail.com
2 hotmail-com.olc.protection.outlook.com.


etc etc.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: How to report SPAM?

2024-05-28 Thread Matus UHLAR - fantomas

On 27.05.24 23:10, Thomas Barth via users wrote:
for months I have been waiting for the type of SPAM I receive to be 
captured by the DNS block lists. But nothing is happening. I have long 
since fed Spamassassin with these SPAMs. What else can I do? I have 
even activated HOSTKARMA-black/brown. Doesn't help either. Do I 
perhaps have to report the SPAM myself? Is this reporting still up to 
date 
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/Report+spam




The scoring of this type of SPAM is
X-Spam-Status: No, score=3.502 tagged_above=2 required=6.31
   tests=[BAYES_99=3.5, BAYES_999=0.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
   DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001,
   HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L3=0.001,
   SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no


From the score itself it's very hard to find out the issue.
Maybe you are blocked on DNS blocklist (perhaps you use public DNS 
servers)? Perhaps the spam came from hosts that are not blocked?


If you posted Received: headers (here or on e.g. pastebin), it could help us.


Here the checks of a higher rated SPAM mail. A lot more working checks 
available.


X-Spam-Status: Yes, score=15.037 tagged_above=2 required=6.31
   tests=[BAYES_20=-0.001, DMARC_MISSING=0.001, EXTRA_SCORE=1,
   FROM_SUSPICIOUS_NTLD=0.499, FROM_SUSPICIOUS_NTLD_FP=1.999,
   FSL_BULK_SIG=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.001,
   HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MISSING_MID=0.497,
   NORDNS_LOW_CONTRAST=0.001, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=0.922,
   RCVD_IN_HOSTKARMA_BL=2, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_ZBI=0.001,
   RCVD_IN_SBL_CSS=3.335, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2,
   SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TO_NO_BRKTS_NORDNS_HTML=0.001]
   autolearn=no autolearn_force=no


So, at least dnsbls work well for you.

What can I do? With these SPAMS, I have the impression that the 
senders know exactly how to trick Spamassassin.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.


Re: Difference between spamc -L and sa-learn

2024-05-21 Thread Matus UHLAR - fantomas

On 2024-05-18 at 10:26:54 UTC-0400 (Sat, 18 May 2024 16:26:54 +0200)
Francis Augusto Medeiros-Logeay 
is rumored to have said:

Is there any difference between using spamc -L and sa-learn ?


On 18.05.24 11:41, Bill Cole wrote:
Yes. The compiled-C spamc binary loads no Perl, it just talks over a 
socket to spamd, which is always running and so always has the 
advantage of a warmed-up i/o cache and a permanently loaded set of 
Perl code objects pre-compiled and in RAM; sa-learn has to open and 
compile all of the needed SA Perl code on every launch.



I noticed that the latter is way slower.


Yes, it is. It is quite expensive to execute perl and have it load the 
many SpamAssassin modules needed to learn a message.


note that in order for spamc -L to work, spamd must be run with "-l" option 
which allows learning/reporting.


Also, those two may use different databases - sa-learn uses by default 
$HOME/.spamassassin/ (of calling user), spamd depends on how it's run - it 
must run as root and - you need to pass it "-H" parameter without specifying 
directory, to use $HOME/.spamassassin/ of user specified by spamc


Otherwise you need to configure SA to use SQL or LDAP config so they will 
use the same.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)


uridnsbl_skip_domain question

2024-05-17 Thread Matus UHLAR - fantomas

Hi guys,

I have configured exclusion for some common domains e.g. gov.sk in SA:

uridnsbl_skip_domain [...] gov.sk slovensko.sk

However it seems that that domain is still queried:

 9826  68.951573 127.0.0.1 → 127.0.0.1 DNS 104 Standard query 0xbffe A mail.gov.sk.multi.uribl.com OPT

in SA 4 docs I see that:

   uridnsbl_skip_domain domain1 domain2 ...
   Specify a domain, or a number of domains, which should be skipped
   for the URIBL checks.  This is very useful to specify very common
   domains which are not going to be listed in URIBLs.

   In addition to trimmed domain, the full hostname is also checked
   from the list.

Do I have to exclude subdomains for each host too?
(this would kind of defeat the directive imho).

This is SA 3.4.6 (debian 11) which does not have the latter paragraph but I 
assume the difference is only in documentation


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.


Re: SA treats percentage spaces wording as uri

2024-05-14 Thread Matus UHLAR - fantomas

On 14.05.24 10:09, Noel Butler wrote:
This morning one of our ent_domains DMARC weekly report from a third 
party was listed as spam by SA which took the wording  
Not_percent-twenty_Resolved and passed it off to URI checks adding 
dot.com to it when there is no dot com after it, and a raw message 
search of that message in less in console confirms it.


Problem with the code that scans the content for things like URI's? It 
shouldn't be assuming there's a TLD after it.


are you sure that .com was not in the original mail?
Some MUAs like to change everything possible to a URL even if you don't see 
it.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.


Re: Score 0.001

2024-05-12 Thread Matus UHLAR - fantomas

On 12.05.24 06:39, Greg Troxel wrote:

I would suggest that if Debian is modifying the default config from 5 to
6.31, then


as it was already said, it's not Debian, it's default score in amavis.
Even the original header is in the amavis format:


X-Spam-Status: No, score=3.999 tagged_above=2 required=6.31
tests=[DMARC_MISSING=0.001, FSL_BULK_SIG=0.001, 


Amavis has some more scores than stock SA, of course they can be modified if 
your scanner is well trained.




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.


Re: Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Matus UHLAR - fantomas

On 10.05.24 15:36, Rupert Gallagher wrote:

The ikea mail was received through ... mta-numbers.ikea.com.sparkpostmail.com 
and is a request for feedback.

The SA rule says ...

header R_DCD Received =~ /\.com\./

I still do not know where the rule comes from, DCD may actually mean 
dot-com-dot, and perhaps it is true that they are mostly spam.


where is the rule stored? what file?


On May 10, 2024, 17:18, Rupert Gallagher wrote:

I only have stock and KAM, and it is definitely not a custom rule of mine.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Matus UHLAR - fantomas

On 10.05.24 15:08, Rupert Gallagher wrote:

My local evidence does not support the general claim that 90% of .com is spam.

I just received a mail from informat...@info.email.ikea.com marked as spam, 
with positive R_DCD. The rule did not trigger on mail from other .com addresses.

I do not know what R_DCD means, and search indexes do not help. Short of 
reading the source code, does anybody know what R_DCD means?


I have no idea. where did you get this rule from?
I don't see it in stock rules


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: Score 0.001

2024-05-10 Thread Matus UHLAR - fantomas

On 09.05.24 20:41, Thomas Barth wrote:
I don't understand why there are so many checks where the meaningless 
value of 0.001 is assigned.


Those rules may be tested in the present.
They also may be informative, e.g. DMARC_MISSING or SPF_PASS
rules with score 0 are not used so using 0 is not possible in these cases.

Those rules may have different scores with different rulesets 
(bayes/non-bayes, network/non-network)

And they can be used in metas, e.g:

score HTML_MESSAGE 0.001
meta OBFUSCATING_COMMENT   ((__OBFUSCATING_COMMENT_A && HTML_MESSAGE) || (__OBFUSCATING_COMMENT_B && MIME_HTML_ONLY)) && !__ISO_2022_JP_DELIM
score OBFUSCATING_COMMENT 0.000 0.000 0.001 0.723

The total score could be much higher. Do I 
have to define all the checks myself with a desired value?


you can redefine values if you think, but you should be careful about it.


X-Spam-Status: No, score=3.999 tagged_above=2 required=6.31
   tests=[DMARC_MISSING=0.001, FSL_BULK_SIG=0.001, HTML_IMAGE_RATIO_02=0.001,
   HTML_MESSAGE=0.001, PYZOR_CHECK=1.985, RELAYCOUNTRY_BAD=2,
   SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_TVD_MIME_EPI=0.01]

or

X-Spam-Status: Yes, score=7.281 tagged_above=2 required=6.31
   tests=[DMARC_MISSING=0.001, FSL_BULK_SIG=0.001, HTML_FONT_LOW_CONTRAST=0.001,
   HTML_IMAGE_ONLY_24=1.282, HTML_IMAGE_RATIO_02=0.001, HTML_MESSAGE=0.001,
   MIXED_HREF_CASE=1.999, PYZOR_CHECK=1.985, RELAYCOUNTRY_BAD=2,
   SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_TVD_MIME_EPI=0.01]



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
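
To make the point of the reply above concrete, here is an added example (not code from the thread, amavis or SpamAssassin) that unfolds the two X-Spam-Status headers quoted in the post, separates the 0.001-style marker hits from the rules that carry the score, and picks the applicable column from a four-value "score" line. Function names and the 0.01 marker threshold are assumptions of this example; the column order (no Bayes/no net, no Bayes/net, Bayes/no net, Bayes/net) follows the Mail::SpamAssassin::Conf documentation.

```python
import re
from decimal import Decimal

# The two headers quoted in the post above, folded the way amavis writes them.
STATUS_NO = """X-Spam-Status: No, score=3.999 tagged_above=2 required=6.31
   tests=[DMARC_MISSING=0.001, FSL_BULK_SIG=0.001, HTML_IMAGE_RATIO_02=0.001,
   HTML_MESSAGE=0.001, PYZOR_CHECK=1.985, RELAYCOUNTRY_BAD=2,
   SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_TVD_MIME_EPI=0.01]"""
STATUS_YES = """X-Spam-Status: Yes, score=7.281 tagged_above=2 required=6.31
   tests=[DMARC_MISSING=0.001, FSL_BULK_SIG=0.001, HTML_FONT_LOW_CONTRAST=0.001,
   HTML_IMAGE_ONLY_24=1.282, HTML_IMAGE_RATIO_02=0.001, HTML_MESSAGE=0.001,
   MIXED_HREF_CASE=1.999, PYZOR_CHECK=1.985, RELAYCOUNTRY_BAD=2,
   SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_TVD_MIME_EPI=0.01]"""

HEADER_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)"
    r".*?required=(-?[\d.]+).*?tests=\[(.*?)\]")

# Assumption of this example: hits at or below this magnitude are markers.
INFO_LIMIT = Decimal("0.01")


def parse_status(raw):
    """Unfold the header and return verdict, score, threshold and per-test scores."""
    flat = " ".join(raw.split())            # undo line folding and blank lines
    m = HEADER_RE.search(flat)
    if m is None:
        raise ValueError("not an amavis-style X-Spam-Status header")
    verdict, score, required, tests_raw = m.groups()
    tests = {}
    for item in tests_raw.split(","):
        # rpartition keeps names that contain '.' or '=' intact
        name, _, value = item.strip().rpartition("=")
        if name:
            tests[name] = Decimal(value)
    return {"verdict": verdict, "score": Decimal(score),
            "required": Decimal(required), "tests": tests}


def breakdown(raw):
    """Split hits into markers and weight-carrying rules and re-add the total."""
    status = parse_status(raw)
    tests = status["tests"]
    total = sum(tests.values(), Decimal(0))
    return {
        "total": total,
        "consistent": total == status["score"],   # do the listed hits add up?
        "is_spam": total >= status["required"],
        "markers": sorted(n for n, s in tests.items() if abs(s) <= INFO_LIMIT),
        "weights": {n: s for n, s in tests.items() if abs(s) > INFO_LIMIT},
    }


def pick_score(score_line, bayes, net):
    """Return the score a 'score NAME v' or 'score NAME v0 v1 v2 v3' line yields."""
    fields = score_line.split()
    if len(fields) not in (3, 6) or fields[0] != "score":
        raise ValueError("expected one or four score values")
    values = [Decimal(v) for v in fields[2:]]
    if len(values) == 1:
        return values[0]
    return values[(2 if bayes else 0) + (1 if net else 0)]


if __name__ == "__main__":
    for raw in (STATUS_NO, STATUS_YES):
        b = breakdown(raw)
        print(b["total"], "spam" if b["is_spam"] else "ham", dict(b["weights"]))
    line = "score OBFUSCATING_COMMENT 0.000 0.000 0.001 0.723"
    print(pick_score(line, bayes=True, net=True))
```

A value of 0 returned by pick_score means the rule is not used in that mode, which is why informational rules carry 0.001 rather than 0.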


Re: Tips for improving bounce message deliverability?

2024-04-24 Thread Matus UHLAR - fantomas

Alex wrote on 2024-04-24 15:45:

I'm using SA 4.0.1 and amavisd with postfix. I've identified a few
bounce messages in the quarantine because they weren't identified
properly. Here's one:
https://pastebin.com/RMNkcyhF


1.3 RDNS_NONE  Delivered to internal network by a host 
with no rDNS



This is apparently related to this:


Received: from gambit.example.com ([130.250.178.199])
by localhost (iceman.example.com [127.0.0.1]) (amavis, port 10024)
with ESMTP id D5Mo318nYFrZ; Wed, 24 Apr 2024 08:17:07 -0400 (EDT)



Alex:
Is gambit.example.com ([130.250.178.199]) your server?

If so, it should be in trusted_networks and internal_networks

Also, why don't you resolve DNS?
That IP has valid fcrdns name gambit.guardiandigital.com.


For example, it matches on
*  3.1 URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure
infra, possible phishing


On 24.04.24 18:27, Benny Pedersen wrote:

this is not in spamassassin core rules


I _can_ see this in 4.0 rules


*  2.6 HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or
hosting
*  site, message direct-to-mx


also not in default rule sets


also this one.
Perhaps Benny uses older SA?



It also matches on ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE. Should metas
be created to avoid adding the above scores?

What more can be done to improve deliverability of these messages?
Perhaps this is something postfix can identify and bypass scanning?


BOUNCE_MESSAGE requires setting up welcomelist_bounce_relays, which defines
servers who send your e-mail - thus you know bounces from those hosts are
legitimate.  the original message originated from mailgun, perhaps you need
to add its servers.

it matches bounces since it's a bounce, all that is seen as a result 
of forwarding emails


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: authres missing spf-helo ?

2024-04-24 Thread Matus UHLAR - fantomas

On 24.04.24 18:50, Benny Pedersen wrote:

unsure so i ask :)


try to explain your question a bit more

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them


Re: another problem in disable in spamassassin

2024-04-12 Thread Matus UHLAR - fantomas

On 12.04.24 10:50, natan wrote:

I have problem with disabled spamhaus.org in spamassassin:

In local.cf I disable check like:
...
dns_query_restriction deny spamhaus.org
dns_query_restriction deny zen.spamhaus.org
dns_query_restriction deny dbl.spamhaus.org



But in mail.log I found still checking RCVD_IN_PBL, URIBL_CSS_A, 
URIBL_DBL_SPAM

mail.log
Apr 12 06:04:48 amavis5 amavis[3060074]: (3060074-10) spam-tag, 
 -> , Yes, score=26.884 
tagged_above=3.6 required=6 tests=[AM.IP_BAD_62.133.61.198=1.8, 
BAYES_50=0.8, DCC_CHECK=4, DCC_REPUT_99_100=1.4, DKIM_SIGNED=0.1, 
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, 
HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_MSPIKE_BL=0.001, 
RCVD_IN_MSPIKE_ZBI=0.001, RCVD_IN_PBL=3.335, RCVD_IN_SBL_CSS=3.335, 
RELAYCOUNTRY_BAD=2, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, 
URIBL_BLOCKED=0.2, URIBL_CSS_A=0.1, URIBL_DBL_SPAM=10] autolearn=no 
autolearn_force=no


did you reload amavis after changing local.cf?

do they appear when you feed mail in to "spamassassin" commandline client?

It still can be amavis issue.


in /var/lib/spamassassin/3.004006/updates_spamassassin_org/20_dnsbl_tests.cf
...
# PBL is the Policy Block List: https://www.spamhaus.org/pbl/
header RCVD_IN_PBL  eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')

describe RCVD_IN_PBL    Received via a relay in Spamhaus PBL
tflags RCVD_IN_PBL  net
reuse  RCVD_IN_PBL
...

in /var/lib/spamassassin/3.004006/updates_spamassassin_org/25_uribl.cf
...
25_uribl.cf:urirhssub   URIBL_DBL_SPAM   dbl.spamhaus.org.   A   127.0.1.2
25_uribl.cf:body        URIBL_DBL_SPAM   eval:check_uridnsbl('URIBL_DBL_SPAM')
25_uribl.cf:describe    URIBL_DBL_SPAM   Contains a spam URL listed in the Spamhaus DBL blocklist
25_uribl.cf:tflags      URIBL_DBL_SPAM   net domains_only notrim
25_uribl.cf:reuse       URIBL_DBL_SPAM
...

And I don't have idea how disable all check in spamhaus.org

--


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


Re: Weird whitelist

2024-04-08 Thread Matus UHLAR - fantomas

On 08.04.24 12:09, natan wrote:

I use amavis+SA and in log I get "whitelisted"

...
Apr  6 01:15:08 amavis3 amavis[3887068]: (3887068-17) wbl: whitelisted 
sender <>, 

...

Log:
Apr  6 01:15:08 amavis3 amavis[3887068]: (3887068-17) Checking: 
6LRhEwtUmP7u [34.23.17.0] <> -> 
Apr  6 01:15:08 amavis3 amavis[3887068]: (3887068-17) p002 1 
Content-Type: multipart/related
Apr  6 01:15:08 amavis3 amavis[3887068]: (3887068-17) p001 1/1 
Content-Type: text/html, base64, size: 7409, SHA1 digest: 
74442afff932dbc7aa40fcd95c5445df29e8a5cc
Apr  6 01:15:08 amavis3 amavis[3887068]: (3887068-17) check_header: 7, 
Missing required header field: "Date"
Apr  6 01:15:08 amavis3 amavis[3887068]: (3887068-17) wbl: whitelisted 
sender <>, 


this looks like whitelist at amavis level, not at spamassassin level.

Apr  6 01:15:08 amavis3 amavis[3887068]: (3887068-17) bounce 
unverifiable, <> -> 
Apr  6 01:15:09 amavis3 amavis[3887068]: (3887068-17) 6LRhEwtUmP7u FWD 
from <> -> , BODY=7BIT 250 2.0.0 from 
MTA(smtp:[86.xxx.xxx.xxx]:10027): 250 2.0.0 Ok: queued as 
4VBDq06n69z1Q9q1


Apr  6 01:15:09 amavis3 amavis[3887068]: (3887068-17) Passed 
BAD-HEADER-7 {RelayedInbound}, [34.23.17.0]:38582 [34.23.17.0] <> -> 
, Queue-ID: 4VBDq04Bn7z1Q9qQ, mail_id: 6LRhEwtUmP7u, 
Hits: -, size: 10888, queued_as: 4VBDq06n69z1Q9q1, 358 ms


I checked and did not find any <> in the whitelist


check amavis config. 


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete


Re: disable URIBL_ and spamhaus.net

2024-04-03 Thread Matus UHLAR - fantomas

On 03.04.24 11:18, natan wrote:

Where in  pdns-recursor? I use pdns-recursor

/etc/powerdns/recursor.conf



On 3.04.2024 at 13:17, Matus UHLAR - fantomas wrote:
This is not about pdns-recursor itself. It's about using own 
recursing DNS server


- you don't use DNS server of your ISP, google(8.8.8.8/8.8.4.4), 
  cloudflare(1.1.1.1) or quad-nine (9.9.9.9)


look into your /etc/resolv.conf or SpamAssassin's configuration of 
"dns_server" (if there's none, /etc/resolv.conf is used).


On 03.04.24 14:34, natan wrote:

cat /etc/resolv.conf
nameserver 127.0.0.1


so apparently you only use locally installed DNS server which I assume is 
powerdns-recursor.


I guess your powerdns-recursor is not configured to forward lookups to other 
DNS servers but your ISP still may redirect DNS lookups to its servers.


How much mail does your machine process daily?
spamhaus limits to about 100k lookups daily.

according to SA docs:

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists

since spamassassin 3.4 it should be enough to disable spamhaus lookups:

dns_query_restriction deny spamhaus.org

or probably split to these:

dns_query_restriction deny zen.spamhaus.org
dns_query_restriction deny dbl.spamhaus.org

(if you later find out one of those would work)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.


Re: disable URIBL_ and spamhaus.net

2024-04-03 Thread Matus UHLAR - fantomas

On 03.04.24 11:18, natan wrote:

Where in  pdns-recursor? I use pdns-recursor

/etc/powerdns/recursor.conf


This is not about pdns-recursor itself. It's about using own recursing DNS 
server


- you don't use DNS server of your ISP, google(8.8.8.8/8.8.4.4), 
  cloudflare(1.1.1.1) or quad-nine (9.9.9.9)


look into your /etc/resolv.conf or SpamAssassin's configuration of 
"dns_server" (if there's none, /etc/resolv.conf is used).



On 3.04.2024 at 11:10, Reindl Harald (privat) wrote:

use unbound as caching resolver and configure TTL properly

cache-min-ttl: 60
cache-max-negative-ttl: 60

On 03.04.24 at 11:06, natan wrote:

Hi
I must change or disable permanently spamhaus.net and all 
everything he uses.


They calculated the rate so much that I couldn't afford to use 
their toys


Does anyone have an interesting solution to this problem?
Or maybe some other lists connected?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.


Re: Order of handling whitelist/blacklist

2024-03-28 Thread Matus UHLAR - fantomas

On 27.03.24 20:56, Philip Prindeville via users wrote:

I have something that looks like:

whitelist_from_rcvd v...@yandex.ru vger.kernel.org

blacklist_from *@yandex.ru

And I only ever seem to see the 2nd rule being hit, but not the first.

What is the order of evaluation?  Mail::SpamAssassin::Conf doesn't say that I 
could find.

You'd think the first would happen first, since it's more specific.

Or, maybe that both would happen.



On Mar 28, 2024, at 2:39 AM, Matus UHLAR - fantomas  wrote:
they both should happen.
note that the second argument must be Received: header provided by trusted 
server, so that argument depends on proper TrustPath set up

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TrustPath


On 28.03.24 11:55, Philip Prindeville via users wrote:

My config also has:

trusted_networks 192.168.6.0/24
trusted_networks 192.168.8.0/24
trusted_networks 127.0.0.1/32

So I don't think that's the problem.

What are some steps to troubleshoot how the white/black-listing is happening?


can you show us the headers? Here or somewhere on pastebin?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: Order of handling whitelist/blacklist

2024-03-28 Thread Matus UHLAR - fantomas

On 27.03.24 20:56, Philip Prindeville via users wrote:

I have something that looks like:

whitelist_from_rcvd v...@yandex.ru vger.kernel.org

blacklist_from  *@yandex.ru

And I only ever seem to see the 2nd rule being hit, but not the first.

What is the order of evaluation?  Mail::SpamAssassin::Conf doesn't say that I 
could find.

You'd think the first would happen first, since it's more specific.

Or, maybe that both would happen.


they both should happen.
note that the second argument must be Received: header provided by trusted 
server, so that argument depends on proper TrustPath set up


https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TrustPath
 
--

Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them


Re: Doesn't spamc/spamd need block/welcomeliist support???

2024-03-21 Thread Matus UHLAR - fantomas

On 20.03.24 16:58, Bill Cole wrote:
I'm not sure how I've not noticed before, but unless I'm missing 
something, there is no way to replicate the [block,welcome]list 
functionalities of the spamassassin script when using the spamc/spamd 
interface.


Does anyone see it hiding somewhere that I don't?

Does anyone have any rationale for this missing functionality?

I don't expect that it would be difficult to add. (Something I've 
believed every time I've taken on a coding task...)


How/where did you try to define it?

"spamc -u" should pass username to spamd which then should use that user's 
user_prefs file (if it exists) unless spamd was started with "-x" parameter 
or can't access that file.




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]


Re: Help with rule matching when it shouldn't

2024-03-20 Thread Matus UHLAR - fantomas

On 20.03.24 06:44, Jimmy wrote:

Regarding the example provided, the "__RETURNPATH_IS" rule should indeed be
triggered since it matches "yahoo.com" in the return-path. If you're
uncertain about the intended behavior of the rules, please clarify the
requirements so we can adjust the rules accordingly.


Note that Return-Path may not exist at the time spam is filtered as it is 
often added when mail is delivered to mailbox.



On Wed, Mar 20, 2024 at 4:52 AM Erickarlo Porro  wrote:


Could someone help me figure out why my custom rule is matching when it
should not be matching?



This is my current setup:

header __FROM_ADDRESS From =~ /yahoo/i

header __RETURNPATH_IS Return-Path !~ /yahoo.com$/i



meta   NOT_IT (__FROM_ADDRESS && __RETURNPATH_IS)

describe NOT_IT Sender is not correct

score  NOT_IT 4.0





Take these headers as an example:

From: ya...@gmail.com

Return-path: ya...@yahoo.com



If I send an email that would have those headers Spamassassin is getting a
hit for my NOT_IT rule but that should not match because __RETURNPATH_IS
should not get a hit.



How can I troubleshoot this?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
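
An added example, not code from the thread and not SpamAssassin's own implementation: a small Python model of the three rules above, showing why NOT_IT hits when Return-Path has not been added yet. It assumes that a negated header test against an absent header is evaluated against an empty string unless an `[if-unset: ...]` tag supplies a value; the sample messages and the FIXED variant are constructed.

```python
import re
from email import message_from_string

# The rules as posted; FIXED adds an if-unset tag as one possible guard.
RULES = """\
header __FROM_ADDRESS From =~ /yahoo/i
header __RETURNPATH_IS Return-Path !~ /yahoo.com$/i
meta   NOT_IT (__FROM_ADDRESS && __RETURNPATH_IS)
"""
FIXED = RULES.replace("/yahoo.com$/i", "/yahoo.com$/i [if-unset: yahoo.com]")

# Constructed test messages; the addresses are placeholders.
WITH_RETURN_PATH = ("Return-Path: user@yahoo.com\n"
                    "From: yahoo-news@mail.example\nSubject: test\n\nbody\n")
NO_RETURN_PATH = "From: yahoo-news@mail.example\nSubject: test\n\nbody\n"

HEADER_RE = re.compile(
    r"^header\s+(\w+)\s+([\w-]+)\s+(=~|!~)\s+/(.*)/(i?)"
    r"(?:\s+\[if-unset:\s*(.*?)\])?\s*$")
META_RE = re.compile(r"^meta\s+(\w+)\s+(.+)$")


def eval_meta(expr, hits):
    """Evaluate a meta expression built from rule names, &&, ||, ! and ()."""
    words = {"&&": "and", "||": "or", "!": "not"}
    out = []
    for tok in re.findall(r"\w+|&&|\|\||[!()]", expr):
        if re.fullmatch(r"\w+", tok):
            out.append(str(bool(hits.get(tok, False))))
        else:
            out.append(words.get(tok, tok))
    return eval(" ".join(out), {"__builtins__": {}})


def run(rules, raw_message):
    """Return {rule name: hit} for every header and meta rule in `rules`."""
    msg = message_from_string(raw_message)
    hits = {}
    for line in rules.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, hdr, op, pattern, flag, unset = m.groups()
            values = msg.get_all(hdr)
            # Assumption of this model: an absent header is tested as "".
            text = "\n".join(values) if values else (unset or "")
            found = re.search(pattern, text, re.I if flag else 0) is not None
            hits[name] = found if op == "=~" else not found
            continue
        m = META_RE.match(line)
        if m:
            hits[m.group(1)] = eval_meta(m.group(2), hits)
    return hits


if __name__ == "__main__":
    for label, rules in (("as posted", RULES), ("with if-unset", FIXED)):
        for name, raw in (("Return-Path present", WITH_RETURN_PATH),
                          ("Return-Path absent", NO_RETURN_PATH)):
            print(label, "|", name, "|", run(rules, raw))
```
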


Re: unsubscribe

2024-02-19 Thread Matus UHLAR - fantomas

On 19.02.24 15:03, Dejan Doder wrote:

Please unsubscribe me from list


We can't, the process is user-driven.

send mail to users-unsubscr...@spamassassin.apache.org
and confirm in the confirmation mail that will be sent to you.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-19 Thread Matus UHLAR - fantomas

and these indicate DCC is available.

I have "loadplugin Mail::SpamAssassin::Plugin::DCC" in
/etc/spamassassin/v310.pre

- try uncommenting it there.


On 19.02.24 08:17, glad.tent3...@fastmail.com wrote:

If you do, it's anyway disabled on --lint.


It does not matter what happens when you use --lint, because it skips 
network checks, including DCC.



spamassassin --prefs-file=/etc/spamassassin/local.cf -D 2> tmp.out < ~/test.eml


I have already asked why you use --prefs-file.
You have not answered my question and simply deleted it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: Plugin fo content modification

2024-02-19 Thread Matus UHLAR - fantomas

On 19.02.24 12:47, Pedro David Marco via users wrote:

Yea Matus, thanks, I know it very well, just wondering whether someone 
tried it before or not via plugins...


not with spamassassin.

Perhaps filters like amavis, mimedefang, milter-regex or similar support 
this.



   On Monday, February 19, 2024 at 01:42:46 PM GMT+1, Matus UHLAR - fantomas 
 wrote:

On 19.02.24 12:37, Pedro David Marco via users wrote:

Does anyone know of a plugin for content modification?


SpamAssassin detects spam, it is not designed to do content modification.


an example, i want to change the word 'sex'   for '---'   


Anyway, this is a bad idea, for example you can cause changing middlesex to
middle--- or sextant to ---tant. You would also invalidate DKIM signatures.

Try avoiding this clbuttic problem.

https://en.wikipedia.org/wiki/Scunthorpe_problem


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: Plugin fo content modification

2024-02-19 Thread Matus UHLAR - fantomas

On 19.02.24 12:37, Pedro David Marco via users wrote:

Does anyone know of a plugin for content modification?


SpamAssassin detects spam, it is not designed to do content modification.


an example, i want to change the word 'sex'   for '---'   


Anyway, this is a bad idea, for example you can cause changing middlesex to 
middle--- or sextant to ---tant. You would also invalidate DKIM signatures.


Try avoiding this clbuttic problem.

https://en.wikipedia.org/wiki/Scunthorpe_problem

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
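
An added example, not code from the thread: the two effects named in this reply, shown on a constructed message body. Substring replacement rewrites unrelated words, and any content edit, even a careful whole-word one, changes the DKIM body hash (computed here with the relaxed body canonicalization of RFC 6376 and SHA-256); the function names are hypothetical.

```python
import base64
import hashlib
import re

# Constructed sample body with CRLF line endings, as a message has on the wire.
SAMPLE_BODY = (
    b"Hello,\r\n"
    b"\r\n"
    b"The Middlesex sailing club is selling a sextant.\r\n"
    b"No sex please, we're British.  \r\n"
    b"\r\n"
)


def naive_censor(body, word=b"sex"):
    """Replace every occurrence of `word`, including inside longer words."""
    return re.sub(re.escape(word), b"-" * len(word), body, flags=re.IGNORECASE)


def word_censor(body, word=b"sex"):
    """Replace `word` only where it stands alone as a whole word."""
    pattern = rb"\b" + re.escape(word) + rb"\b"
    return re.sub(pattern, b"-" * len(word), body, flags=re.IGNORECASE)


def changed_words(before, after):
    """Pairs of whitespace-separated tokens that differ between two bodies."""
    return [(a.decode(), b.decode())
            for a, b in zip(before.split(), after.split()) if a != b]


def relaxed_body(body):
    """Relaxed body canonicalization (RFC 6376, section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ")
             for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at the end
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def dkim_body_hash(body):
    """Value of the bh= tag for a SHA-256 signature with relaxed body."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()


if __name__ == "__main__":
    signed_bh = dkim_body_hash(SAMPLE_BODY)
    for name, censor in (("substring", naive_censor),
                         ("whole word", word_censor)):
        modified = censor(SAMPLE_BODY)
        print(name, changed_words(SAMPLE_BODY, modified))
        print("  bh still matches:", dkim_body_hash(modified) == signed_bh)
```

Relaxed canonicalization only absorbs whitespace differences, so a filter that rewrites words after signing will always break the signature check downstream.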


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-19 Thread Matus UHLAR - fantomas

On 18.02.24 14:21, glad.tent3...@fastmail.com wrote:

I'm hoping someone can help troubleshooting using DCC in SpamAssassin.
My setup isn't populating the "X-Spam-DCC: : " header.



I configured SpamAssassin to use DCC

cat local.cf
...
loadplugin Mail::SpamAssassin::Plugin::DCC
add_header all DCC _DCCB_: _DCCR_
...
ifplugin Mail::SpamAssassin::Plugin::DCC
  use_dcc            1
  dcc_home           /etc/dcc
  dcc_path           /usr/local/bin/dccproc
  dcc_timeout        10
  dcc_body_max       99
  dcc_fuz1_max       99
  dcc_fuz2_max       99
  score DCC_CHECK    3.000
  dcc_learn_score    99
endif
...




Testing against a sample email,

spamassassin --prefs-file=/etc/spamassassin/local.cf -D 


I wonder why you use  --prefs-file=/etc/spamassassin/local.cf ?

/etc/spamassassin/local.cf should be loaded automatically



Feb 18 11:24:48.255 [7041] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::DCC from @INC



Feb 18 11:24:48.296 [7041] dbg: rules: meta test 
DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Feb 18 11:24:48.304 [7041] dbg: rules: meta test FSL_BULK_SIG 
has undefined dependency 'DCC_CHECK'


These indicate DCC is not available 


Feb 18 11:24:49.989 [7041] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 'check_tick', 
priority 0
Feb 18 11:24:50.003 [7041] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 'check_dnsbl', 
priority 0
Feb 18 11:24:50.904 [7041] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 
'check_cleanup', priority 0
Feb 18 11:24:50.914 [7041] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 
'check_post_learn', priority 0
Feb 18 11:24:50.914 [7041] dbg: dcc: DCC learning not enabled 
by dcc_learn_score


and these indicate DCC is available.

I have "loadplugin Mail::SpamAssassin::Plugin::DCC" in 
/etc/spamassassin/v310.pre


- try uncommenting it there.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.


Re: Problem installing Spamassassin 4.0.0 on Ubuntu 23.10 Server

2024-02-14 Thread Matus UHLAR - fantomas

> On Feb 14, 2024, at 06:12, Ken Wright 
> wrote:
>
> I've built a mail server and I wanted to include Spamassassin.  As
> noted above, the machine is running Ubuntu Server 23.10, so I
> started with
>
>   sudo apt install spamassassin spamc
>
> but I can't start the spamassassin.service; the error message I get
> when I run
>
>   sudo systemctl start spamassassin
>
> says "Failed to start spamassassin.service: Unit
> spamassassin.service not found."  Spamd, however, is active and
> running.  Is this normal?  If it isn't, what can I do to correct
> things?
>
> Further information available on request.  Thanks in advance!



On Wed, 2024-02-14 at 06:15 +0100, Niels Kobschätzki wrote:

The service seems to have been renamed. It is the same on Debian. You
also have to change now /etc/default/spamd instead of
/etc/default/spamassassin for start-up options.


On 14.02.24 00:23, Ken Wright wrote:

So it's normal?  I don't need to obsess over it?


You don't. Just note it for further installations. 
--

Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...


Re: Problem installing Spamassassin 4.0.0 on Ubuntu 23.10 Server

2024-02-13 Thread Matus UHLAR - fantomas

On Feb 14, 2024, at 06:12, Ken Wright  wrote:
I've built a mail server and I wanted to include Spamassassin.  As noted
above, the machine is running Ubuntu Server 23.10, so I started with

  sudo apt install spamassassin spamc

but I can't start the spamassassin.service; the error message I get
when I run

  sudo systemctl start spamassassin

says "Failed to start spamassassin.service: Unit spamassassin.service
not found."  Spamd, however, is active and running.  Is this normal?
If it isn't, what can I do to correct things?

Further information available on request.  Thanks in advance!


On 14.02.24 06:15, Niels Kobschätzki wrote:
The service seems to have been renamed.  It is the same on Debian.  You also 
have to change now /etc/default/spamd instead of /etc/default/spamassassin 
for start-up options.


and the "spamd" package as well.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.


Re: QR code phish?

2024-02-05 Thread Matus UHLAR - fantomas

On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
   Hi Alex, we are definitely seeing them.  There is code in trunk for this
   with one of the plugins and rules in the KAM ruleset using the new
   code.  LMK if you need more info.



On 2/4/24 18:56, Alex wrote:

It looks like it's tied to the Raptor service and the ExtractText plugin. Do 
you have more details on doing that?



On 05.02.24 08:31, giova...@paclan.it wrote:

If you do not use any other ExtractText config line for image file types, 
zbarimg(1) can be configured on SpamAssassin 4.0 as well.



On 2/5/24 09:49, Matus UHLAR - fantomas wrote:

what if you do?

does ExtractText only run one of configured programs for the same type of file?


On 05.02.24 12:14, giova...@paclan.it wrote:

Exactly, ExtractText only runs the first configured program for the same type of 
file.


That's unfortunate, I already use it for OCR.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: QR code phish?

2024-02-05 Thread Matus UHLAR - fantomas

On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
   Hi Alex, we are definitely seeing them.  There is code in trunk for this
   with one of the plugins and rules in the KAM ruleset using the new
   code.  LMK if you need more info.



On 2/4/24 18:56, Alex wrote:

It looks like it's tied to the Raptor service and the ExtractText plugin. Do 
you have more details on doing that?


On 05.02.24 08:31, giova...@paclan.it wrote:

you can configure ExtractText to run zbarimg(1) to extract uris from QR codes.
zbarimg(1) is available at https://zbar.sf.net or packaged on many OS.


in Debian (I assume Ubuntu as well) it's in the zbar-tools package


If you do not use any other ExtractText config line for image file types, 
zbarimg(1) can be configured on SpamAssassin 4.0 as well.


what if you do?

does ExtractText only run one of configured programs for the same type of 
file?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.


Re: Bayes "corpus" - how old?

2024-01-31 Thread Matus UHLAR - fantomas

On 2024-01-30 at 12:08:18 UTC-0500 (Tue, 30 Jan 2024 18:08:18 +0100)
Matus UHLAR - fantomas 
is rumored to have said:

[...]
autolearn may help if your DB is well maintained, although I have 
disabled nearly all rules with negative scores, like


RCVD_IN_DNSWL_*
RCVD_IN_IADB_*
DKIMWL_WL_*
RCVD_IN_MSPIKE_*
RCVD_IN_VALIDITY_*
USER_IN_DEF_*
ALL_TRUSTED

etc, because spammers often abuse these.
I mean, they may have negative score but don't train on them.


On 30.01.24 15:31, Bill Cole wrote:
If spammers can 'abuse' ALL_TRUSTED you have a major problem. Either a 
serious misconfiguration or compromised machines in trusted_networks.


Can't ALL_TRUSTED happen if spammer delivers mail directly to my network,
or, if last mail server removes Received: headers?

I think this happened to me in the past but I may be wrong
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors


Re: Bayes "corpus" - how old?

2024-01-30 Thread Matus UHLAR - fantomas

On 30.01.24 09:59, joe a wrote:

Advisable to "prune" Bayes data based on age?

While cleaning up recent Ham/Spam, found my "saved SPAM" goes back 
to 2013.


Why that's over . . . wait, I need to take off my socks . . .

So, how old is "too old".  For saved SPAM?



On 1/30/2024 10:58:52, Matus UHLAR - fantomas wrote:

I did retrain on old spam a few times and it was working fine.
Depends on how much mail you have:

0.000  0   7542  0  non-token data: nspam
0.000  0  80869  0  non-token data: nham
0.000  0 996032  0  non-token data: ntokens
0.000  0 1172945918  0  non-token data: oldest atime

so, even old spam may be fine. You however need much of ham to train 
otherwise everything starts looking like spam.


On 30.01.24 11:12, joe a wrote:
Recently missed spam has increased a bit, so I was dropping it into 
"missed spam" and went poking through marked spam and found lots of 
"missed ham".  Which triggered my pondering.


training on false-positives/false-negatives is important to have it up to 
date.


full retraining only makes sense if you lose your DB, it gets corrupt or 
starts misclassifying too often (may the reason be known or not).


autolearn may help if your DB is well maintained, although I have disabled 
nearly all rules with negative scores, like


RCVD_IN_DNSWL_*
RCVD_IN_IADB_* 
DKIMWL_WL_*

RCVD_IN_MSPIKE_*
RCVD_IN_VALIDITY_*
USER_IN_DEF_*
ALL_TRUSTED

etc, because spammers often abuse these.
I mean, they may have negative score but don't train on them.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: Bayes "corpus" - how old?

2024-01-30 Thread Matus UHLAR - fantomas

On 30.01.24 09:59, joe a wrote:

Advisable to "prune" Bayes data based on age?

While cleaning up recent Ham/Spam, found my "saved SPAM" goes back to 
2013.


Why that's over . . . wait, I need to take off my socks . . .

So, how old is "too old".  For saved SPAM?



I did retrain on old spam a few times and it was working fine.
Depends on how much mail you have:

0.000  0   7542  0  non-token data: nspam
0.000  0  80869  0  non-token data: nham
0.000  0 996032  0  non-token data: ntokens
0.000  0 1172945918  0  non-token data: oldest atime

so, even old spam may be fine. You however need much of ham to train 
otherwise everything starts looking like spam.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.


Re: install SA p a i n f u l l

2024-01-30 Thread Matus UHLAR - fantomas

On 30.01.24 13:36, Nick Edwards wrote:

Set up a new server today, took no time in postfix dovecot and amavisd,
apache roundcube, and everything, then came spamassassin



thankfully I chose to install this whilst we left for lunch, but 45mins
later to my horror it was still trying to install, why?  because its tests
failed for timeouts this, timeouts that,  everytime its set keeps on
retrying reporting


Why don't you install SA from packaging system? Don't you use FreeBSD or 
some linux distro?



error: config: no rules were found!  Do you need to run 'sa-update'?
config: no rules were found!  Do you need to run 'sa-update'?

of fricken course there is no rules, its a new fricken install that cpan
hasn't got around to yet to allow us to run sa-update.

perhaps spamassassin developers can consider not everyone is upgrading,
there are some of us trying to get the fricken thing on the fricken machine
in the fricken first place.

I am not going to run cpan with force because that may hide *real* errors.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.


Re: FORGED_HOTMAIL_RCVD2

2024-01-26 Thread Matus UHLAR - fantomas

On 26.01.24 11:03, Rupert Gallagher wrote:

Subject: FORGED_HOTMAIL_RCVD2

Rule broken. Please update.


can you provide more info, perhaps headers?

header FORGED_HOTMAIL_RCVD2 eval:check_for_no_hotmail_received_headers()


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: Adding IP to report

2024-01-16 Thread Matus UHLAR - fantomas

On 16.01.24 15:29, Linkcheck via users wrote:
When receiving a report in a spam the reported rules state reason and 
score but it would be useful if, either on one of those rules or a 
separate rule (or even in the Subject) there could be a report of the 
final Received IP. Depending on the IP and its country of origin I 
sometimes block the sending IP by some method.


perhaps you could add to your SA config or user_prefs:

add_header spam LastIP _LASTEXTERNALIP_

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.


Re: milter vs spamc

2024-01-15 Thread Matus UHLAR - fantomas

On 14.01.24 22:22, Mike Bostock via users wrote:

I currently have users set up with spamc called in .procmailrc

However, I have quite a few aliases/redirects in sendmail virtusertable
who are not being protected by Spamassassin.


spamass-milter has setting for default user (-U username) that is used when 
the destination mailbox does not exist.


(to be precise, local user with same name as LHS of e-mail address, e.g. if 
any of your virtusers has address daemon@[example.com], local user "daemon" 
may be used).



Would I be better using the milter?


Yes, you can reject mail this way so you don't have to deal with it nor with 
the bounce.



What are the pros and cons?


The only con is that milter can't apply multiple SA settings when single 
mail has multiple destination users - it only has to use single setting for 
them. spamass-milter has option "



How do I redirect spam to a mailbox if I use the milter?


spamass-milter supports "-b spamaddress" option to redirect spam.
I prefer "-r nn" option that rejects mail if it scores over "nn" SA points.
I use reject score 8 on tuned systems, 10 on non-tuned.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Matus UHLAR - fantomas

This is not good advice. Whoever filters SPF at SMTP time will
reject that
message. Gmail is not the only mail service available.


On 08.01.24 20:27, Byung-Hee HWANG wrote:

Gmail is my last INBOX. That's enough for me.


that's what I wanted to say - enough for someone, but not generally enough.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-07 Thread Matus UHLAR - fantomas
I built email servers for a non-profit I volunteer for.  If email comes 
into the server for presid...@myassociation.org, I would normally just 
create an alias in /etc/aliases so that emails to president@ get 
forwarded to the president's "real" email address, say 
presidents_real_em...@gmail.com.


postfix supports expand_owner_alias, which, when you are sending to 
al...@example.com, will set sender to owner-al...@example.com.


That way SPF should pass.

The problem is, when I send email to presid...@myassociation.org, gmail 
rejects the forwarded email because it appears to come from my personal 
domain, not the mythical myassociation.org domain.  DKIM, DMARC, and SPF 
all fail, which I totally understand.


How can I make this work?


DKIM should not fail, unless you modify the message. Do you modify the 
message?



On 07.01.24 19:07, Byung-Hee HWANG wrote:

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Cite:


If your dkim signature is OK, then Gmail does accept all
mails. So never use SRS. DKIM is enough.


This is not good advice. Whoever filters SPF at SMTP time will reject that 
message. Gmail is not the only mail service available.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
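
An added example, not code from the thread: a simplified SPF check (only the `ip4` and `all` mechanisms) showing why an alias forward fails SPF when the envelope sender is kept and passes when it is rewritten to owner-alias@ as described above. The domains, IP addresses and SPF records are constructed documentation values, and `forward` is a hypothetical stand-in for the forwarding server's behaviour.

```python
import ipaddress

# Constructed SPF policies; domains and ranges are documentation values.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "myassociation.example": "v=spf1 ip4:198.51.100.25 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ORIGIN_IP = "192.0.2.10"        # the original sender's outgoing server
FORWARDER_IP = "198.51.100.25"  # the server that expands the alias


def check_spf(mail_from, client_ip):
    """Evaluate ip4 and all mechanisms for the envelope sender's domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    client = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return RESULTS[qualifier]
        if mechanism.startswith("ip4:"):
            network = ipaddress.ip_network(mechanism[4:], strict=False)
            if client in network:
                return RESULTS[qualifier]
    return "neutral"


def forward(envelope_sender, alias, rewrite_sender):
    """Envelope sender used on the outgoing hop of an alias forward."""
    if not rewrite_sender:
        return envelope_sender
    local, domain = alias.rsplit("@", 1)
    return f"owner-{local}@{domain}"


def scenarios():
    """SPF result seen by the receiver in each delivery path."""
    sender = "alice@sender.example"
    alias = "president@myassociation.example"
    return {
        "direct": check_spf(sender, ORIGIN_IP),
        "forwarded, sender kept":
            check_spf(forward(sender, alias, False), FORWARDER_IP),
        "forwarded, owner-alias sender":
            check_spf(forward(sender, alias, True), FORWARDER_IP),
    }


if __name__ == "__main__":
    for path, result in scenarios().items():
        print(f"{path}: {result}")
```
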


Re: Gift Card Scam

2024-01-05 Thread Matus UHLAR - fantomas

On 04.01.24 22:57, Matija Nalis wrote:

body    GIFT_CARD   /gift card/i
score   GIFT_CARD   1.5

meta    FREEMAIL_GIFTCARDS    GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)



Matus UHLAR - fantomas wrote on 2024-01-05 09:06:

shouldn't that be  !DKIM_VALID_AU ?

valid DKIM signature means nothing by itself


On 05.01.24 14:52, Benny Pedersen wrote:
pointless comment, reason valid_au is not used here is that it's still 
valid, be careful


!foo means it's not pass, take focus next time


!DKIM_VALID produces true if there's no valid DKIM signature

!DKIM_VALID_AU produces true if there is no valid signature, OR if there is 
valid signature, but not from domain in header From:


so, !DKIM_VALID_AU is a superset of !DKIM_VALID thus should produce more 
hits.


The question is, if we want this.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)


Re: Gift Card Scam

2024-01-05 Thread Matus UHLAR - fantomas

On 04.01.24 22:57, Matija Nalis wrote:

body    GIFT_CARD   /gift card/i
score   GIFT_CARD   1.5

meta    FREEMAIL_GIFTCARDS    GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)


shouldn't that be  !DKIM_VALID_AU ?

valid DKIM signature means nothing by itself

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Matus UHLAR - fantomas

Thomas Cameron  writes:

Yeah, the weird thing is, when I check the forwarded email on GMail, I
see in the headers that both the original sending email server (call
it mail.somedomain.com) and the relay server (call it
mail.myassociation.org) put DKIM signatures in the message.



On 1/3/24 19:45, Greg Troxel wrote:

That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.


On 03.01.24 20:36, Thomas Cameron wrote:
Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.


only one of those DKIM signatures needs to pass, with the domain in From:


GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I 
am looking at the OpenDKIM headers. It's in a weird limbo where I can 
see the email got marked but GMail is not marking it either way.


can we see headers From: and Authentication-Results as they were seen on 
your server?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Matus UHLAR - fantomas

On 1/3/24 15:44, Bill Cole wrote:
Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) 
and it has multiple implementations. If you forward mail, you will 
break SPF unless you fix the envelope sender so that it uses a 
domain  that permits the example.org server to send for it.


OR, you could instead deliver to a POP mailbox locally and have 
users fetch from there instead of simply forwarding mail to them. 
This also avoids a completely distinct problem of places like GMail 
deciding that your org's mail server is a spamming service because 
it is forwarding spam. If users POP their mail instead of having it 
forwarded via SMTP, that does not happen.


On 03.01.24 19:30, Thomas Cameron wrote:
Thanks for the advice on SRS - I have set it up and it's mostly 
working. At least GMail accepts the emails, although it seems to be 
failing DKIM and DMARC tests. I'm digging into what, if anything, can 
be done to make PostSRSd fix this issue.


DKIM fails if the message is modified in your server (or, if DKIM failed 
already when it came to it)


DMARC fails if neither DKIM nor SPF succeed, where DKIM signature or the SPF 
record must be from the domain in From:


When you forward e-mail, SRS makes sure SPF record is from your domain, but 
the DKIM signature must be made by sending server, so forwarded messages 
without valid DKIM signature will not pass.



Many thanks for your help, it's genuinely appreciated!


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.


Re: MS-relayed spam

2024-01-03 Thread Matus UHLAR - fantomas

On Tue, Jan 2, 2024 at 3:11 PM Torpey List  wrote:
I started forwarding full headers and text to "ab...@outlook.com" and 
they blocked my IP.


On 02.01.24 16:49, Shawn Iverson wrote:

ab...@outlook.com is for reporting abuse on the freemail
Outlook/Hotmail/MSN platforms, not Microsoft tenants.


What?

If the message came from .outlook.com hosts, it should be reported to 
ab...@outlook.com.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.


Re: MS-relayed spam

2024-01-02 Thread Matus UHLAR - fantomas
..@egw.x1r862t.onmicrosoft.com>
Content-Type: text/html; charset="UTF-8"
CC: myem...@mydomain.com
To: myem...@mydomain.com
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Storage Notice 
Message-ID:
<0e3b3785-6682-4c22-b6d7-87286c342...@cy4pepfee34.namprd05.prod.outlook.com>
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CY4PEPFEE34:EE_|CO6PR20MB3698:EE_
X-MS-Office365-Filtering-Correlation-Id: 3b787f74-e97d-4744-853e-08dc0aff1ea0
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:

X-Forefront-Antispam-Report:
CIP:193.176.158.140;CTRY:FR;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.acquiretm.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(136003)(346002)(376002)(396003)(3986042)(230922051799003)(61400799012)(1690799017)(451199024)(7200799017)(64100799003)(82310400011)(46966006)(8400799017)(3082699003)(4048071)(336012)(42882007)(26005)(4132071)(31696002)(81166007)(558084003)(166002)(8274043)(1744073)(3595071)(3402074)(47076005)(4326008)(6728041)(19625305002)(566032)(9686003)(8936002)(8676002)(70206006)(70586007)(786003)(78352004)(316002)(6916009)(42186006)(2906002)(4130071)(49861)(84603001)(42472002)(38122002);DIR:OUT;SFP:1501;
X-OriginatorOrg: x1r862t.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Jan 2024 19:23:21.7479
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
3b787f74-e97d-4744-853e-08dc0aff1ea0
X-MS-Exchange-CrossTenant-Id: aae3bce2-b5e6-4c64-9336-2909094ee8c9
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
TenantId=aae3bce2-b5e6-4c64-9336-2909094ee8c9;Ip=[193.176.158.140];Helo=[mail.acquiretm.com]
X-MS-Exchange-CrossTenant-AuthSource:
CY4PEPFEE34.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO6PR20MB3698


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.


Re: Beginner Setting up Spam Assassin

2023-12-30 Thread Matus UHLAR - fantomas

On 29.12.23 22:08, FalconChristopher wrote:
Anyone know how I can check and setup SpamAssassin so that I can 
eliminate some spam from coming in from a email account ?


do you mean if one of your users started spamming out?



On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:

On 27.12.23 16:53, FalconChristopher wrote:
Hi, I want to setup Spam Assassin so that any email that Spam 
Assassin flags as spam


this is spamassassin's job


gets placed into a folder for a specific SMTP or IMAP email account.


this is not spamassassin's job.
It's the job of the mail delivery agent - procmail, maildrop, sieve

Then if Spam Assassin flags emails that are not spam I can tell it 
which of those emails to not place into the spam folder for the 
specific email client. Until it gradually learns which emails are 
spam and which are not.


dovecot (imap/pop3 server) has plugins that support training of 
spam/ham, if you move the mail from/to spam folder.


https://doc.dovecot.org/configuration_manual/spam_reporting/

I've done a little research and I have access with my distribution 
to a mail directory as well as the local.cf file for which 
configurations are for Spam Assassin but I don't know how to setup 
what I mentioned above ?




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: Beginner Setting up Spam Assassin

2023-12-27 Thread Matus UHLAR - fantomas

On 27.12.23 16:53, FalconChristopher wrote:
Hi, I want to setup Spam Assassin so that any email that Spam Assassin 
flags as spam


this is spamassassin's job


gets placed into a folder for a specific SMTP or IMAP email account.


this is not spamassassin's job.
It's the job of the mail delivery agent - procmail, maildrop, sieve

Then if Spam Assassin flags emails that are not spam I 
can tell it which of those emails to not place into the spam folder 
for the specific email client. Until it gradually learns which emails 
are spam and which are not.


dovecot (imap/pop3 server) has plugins that support training of spam/ham, 
if you move the mail from/to spam folder.


https://doc.dovecot.org/configuration_manual/spam_reporting/

I've done a little research and I have access with my distribution to 
a mail directory as well as the local.cf file for which configurations 
are for Spam Assassin but I don't know how to setup what I mentioned 
above ?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.


Re: missing something in new SA config

2023-12-27 Thread Matus UHLAR - fantomas

On 27.12.23 10:30, AJ Weber wrote:

Migrating a mailserver with SA and I see this in my log when testing:

spamd[30912]: razor2: razor2 check failed: No such file or directory 
razor2: Can't read: /var/lib/razor/ at 
/usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 
331.


My local.cf has the following:

use_razor2 1
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf

In the config:

razorhome  = /etc/mail/spamassassin/.razor

So I can't for the life of me understand what is looking in 
/var/lib/razor and for what?



On 27.12.23 11:10, AJ Weber wrote:

razor is installed:

optional module installed: Razor2::Client::Agent, version 2.84

razor plugin is enabled in v310.pre:

loadplugin Mail::SpamAssassin::Plugin::Razor2

I don't see any "logs" in the first page of the lint output.

Would you be so kind as to describe how my "razor_config" is 
incorrect?  That might be helpful.


what is in the /etc/mail/spamassassin/.razor/razor-agent.conf ?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.


Re: ATT RBL f---wits

2023-11-29 Thread Matus UHLAR - fantomas

On 29/11/2023 00:51, Tracy Greggs via users wrote:

Cableone is SOA on this zone, so they are the issue.

You can ask them to create a PTR for your static IP and hope for the 
best.  Most I have dealt with will do it as long as it's a 
commercial account.


On 29.11.23 07:24, Noel Butler wrote:
As I pointed out - but failed to copy/paste a couple extra lines - 
cableone have issues, earlier they were reporting SERVFAIL then it was 
unreachables.


I have tried now.

116.24.in-addr.arpa.  is only delegated to two DNS servers and both of them 
have problems


Name:   116.24.in-addr.arpa.
Updated:2004-08-10
NameServer: NS2.CABLEONE.NET
NameServer: NS1.CABLEONE.NET
Ref:https://rdap.arin.net/registry/domain/116.24.in-addr.arpa.

While reverse zone on those servers has 4 NS records, it won't help before 
either of those servers can be reached to provide cacheable response.


The fact OP showed google knowing his PTR says he should not have to 
have them add it manually, they need to fix what they already have - 
or they need to pay their bill :)


It's also why we don't accept reports here that " oh google says its 
there" because google have a history of not honouring TTL's, and it 
always pays to use a DNS server that you don't think would have your 
zone cached, to get a fresh perspective.


correct.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: Spamassassin rule

2023-11-17 Thread Matus UHLAR - fantomas

On 17.11.23 11:19, natan wrote:

E-mail was signed DKIM but why SA set "DMARC_REJECT" in this time ?



W dniu 17.11.2023 o 12:31, Matus UHLAR - fantomas pisze:

it's hard to see this without envelope and header from:


On 17.11.23 12:42, natan wrote:

Return-Path: 
<3jtxxzrapacwkwuumvba-vwzmxtglwka.owwotm@chime-notifications.bounces.google.com>


this means SPF applies to chime-notifications.bounces.google.com


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=google.com; s=20230601; t=1700215845; x=1700820645; 


this is DKIM signature for google.com


X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=1e100.net; s=20230601; t=1700215845; x=1700820645;


This should be irrelevant.


From: Google Sheets 


so the DMARC applies for docs.google.com 


On 17.11.23 14:54, natan wrote:
I had spamassassin-4.x for ~1 day ;) And I had to downgrade to 
spamassassin-3.4.6


The Problem was in /var/lib/amavis/tmp/ where content of the catalog 
grow and grow

more was rising than falling like 29 GB and more


This is strange, generally this is not SA problem but amavis problem.


When I downgraded to stable spamassassin-3.4.6 the problem was fixed and the size is ~100MB

Can you send an example or working conf with the dmarc plugin?


you need SA4 for that.


W dniu 17.11.2023 o 14:21, Benny Pedersen pisze:

natan skrev den 2023-11-17 11:19:

How does it really really work in SA? I ask because it's working not so cool:


it's a hack, and bad example on expect it hits unaligned mail as well 
as aligned, we screwed there :)


alignment could be the real culprit.

I didn't study DMARC deeply enough to know if DKIM signature for google.com 
is fine here (I have feeling it's not).


_dmarc.docs.google.com.  TXT  "v=DMARC1; p=reject; 
rua=mailto:mailauth-repo...@google.com";
_dmarc.google.com.   TXT  "v=DMARC1; p=reject; 
rua=mailto:mailauth-repo...@google.com";


However, original mail misses the DKIM_VALID_AU so there's no validation 
there.
 


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.


Re: Spamassassin rule

2023-11-17 Thread Matus UHLAR - fantomas

natan skrev den 2023-11-17 11:19:

How does it really really work in SA? I ask because it's working not so cool:


On 17.11.23 14:21, Benny Pedersen wrote:
it's a hack, and bad example on expect it hits unaligned mail as well as 
aligned, we screwed there :)


generally it could work, but it could be the reason for subdomain alignment.

good news dmarc plugin in sa trunk does as well work in spamassassin 
3.4.6 last time i tried


i am still waiting for spamassassin stable release of 4.x


That happened 11 months ago today, where have you been?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: Spamassassin rule

2023-11-17 Thread Matus UHLAR - fantomas

On 17.11.23 11:19, natan wrote:

How does it really really work in SA? I ask because it's working not so cool:

example:

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/


meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 1
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 0.5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif


Note that SPF uses envelope from domain while DKIM uses header From, so it 
must be combined with HEADER_FROM_DIFFERENT_DOMAINS so something like:


meta DMARC_REJECT __DMARC_POLICY_REJECT && !(DKIM_VALID_AU || (SPF_PASS && !HEADER_FROM_DIFFERENT_DOMAINS))

However there is stock SA rule that uses Mail::SpamAssassin::Plugin::DMARC:

header DMARC_REJECT eval:check_dmarc_reject()


Log:

Nov 17 11:10:49 amavis5 amavis[598804]: (598804-07) spam-tag, <3jtxxzrapacwkwuumvba-vwzmxtglwka.owwotm@chime-notifications.bounces.google.com> 
-> , No, score=4.865 tagged_above=3.6 required=6 
tests=[AWL=-0.124, BAYES_00=-1.9, DCC_CHECK=4, DKIMWL_WL_MED=-0.001,


DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, DMARC_REJECT=1, 
FROM_NOT_RETURN_PATH=2,


root@amavis5:/etc/mail/spamassassin# host -t txt 
chime-notifications.bounces.google.com
chime-notifications.bounces.google.com descriptive text "v=spf1 
redirect=_spf.google.com"


root@amavis5:/etc/mail/spamassassin# host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com 
include:_netblocks2.google.com include:_netblocks3.google.com ~all"


root@amavis5:/etc/mail/spamassassin# host -t txt 
_dmarc.chime-notifications.bounces.google.com
_dmarc.chime-notifications.bounces.google.com descriptive text "v=spf1 
redirect=_spf.google.com"


E-mail was signed DKIM but why SA set "DMARC_REJECT" in this time ?


it's hard to see this without envelope and header from:

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
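
The alignment point made in this message, and in the forwarding thread above ("DMARC fails if neither DKIM nor SPF succeed..."), worked through as an added Python example; it is not code from any poster or from SpamAssassin. The rule names are modelled from how the threads describe them (DKIM_VALID_AU as an exact d= match with the header From domain, HEADER_FROM_DIFFERENT_DOMAINS as differing organizational domains), the organizational domain is approximated by the last two labels, and the three sample messages are constructed from the domains quoted in the threads.

```python
from dataclasses import dataclass, field
from typing import Dict, List


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    ASSUMPTION: real DMARC code consults the Public Suffix List here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """RFC 7489 alignment: exact match (strict) or same org domain (relaxed)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


@dataclass
class Message:
    header_from: str      # domain of the header From: address
    envelope_from: str    # domain of the Return-Path (the SPF identity)
    spf_pass: bool        # SPF result for envelope_from
    dkim_valid: List[str] = field(default_factory=list)  # d= of verified signatures


def dmarc_pass(msg: Message, strict: bool = False) -> bool:
    """DMARC passes if SPF or DKIM passes AND is aligned with header From."""
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from, strict)
    dkim_ok = any(aligned(d, msg.header_from, strict) for d in msg.dkim_valid)
    return spf_ok or dkim_ok


def rule_hits(msg: Message) -> Dict[str, bool]:
    """Assumed semantics of the SpamAssassin rule names used in the thread."""
    signed_by = [d.lower() for d in msg.dkim_valid]
    return {
        "SPF_PASS": msg.spf_pass,
        "DKIM_VALID_AU": msg.header_from.lower() in signed_by,
        "HEADER_FROM_DIFFERENT_DOMAINS":
            org_domain(msg.header_from) != org_domain(msg.envelope_from),
    }


def meta_first(msg: Message) -> bool:
    """!(DKIM_VALID_AU || SPF_PASS), with the policy lookup assumed to hit."""
    h = rule_hits(msg)
    return not (h["DKIM_VALID_AU"] or h["SPF_PASS"])


def meta_revised(msg: Message) -> bool:
    """!(DKIM_VALID_AU || (SPF_PASS && !HEADER_FROM_DIFFERENT_DOMAINS))."""
    h = rule_hits(msg)
    return not (h["DKIM_VALID_AU"]
                or (h["SPF_PASS"] and not h["HEADER_FROM_DIFFERENT_DOMAINS"]))


def evaluate(msg: Message) -> Dict[str, bool]:
    return {
        "dmarc_relaxed": dmarc_pass(msg, strict=False),
        "dmarc_strict": dmarc_pass(msg, strict=True),
        "meta_first_fires": meta_first(msg),
        "meta_revised_fires": meta_revised(msg),
    }


# Constructed samples, built from the domains quoted in the threads.
SAMPLES = {
    # From: in docs.google.com, signed d=google.com, SPF not passing locally
    "subdomain_from": Message("docs.google.com",
                              "chime-notifications.bounces.google.com",
                              False, ["google.com"]),
    # Forwarded with SRS, body untouched: original signature still verifies
    "forwarded_intact": Message("somedomain.com", "myassociation.org",
                                True, ["somedomain.com", "myassociation.org"]),
    # Forwarded with SRS, message modified: only the relay's signature verifies
    "forwarded_modified": Message("somedomain.com", "myassociation.org",
                                  True, ["myassociation.org"]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

The forwarded_modified case is the one the first meta rule misses: SPF passes for the forwarder's own domain, so the rule stays quiet although nothing is aligned with the header From. The subdomain_from case shows the opposite effect, where both meta rules fire on mail that relaxed alignment accepts.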


Re: Too many dots?

2023-11-16 Thread Matus UHLAR - fantomas

Alex wrote:
I recently had an account activation email blocked due 
to AC_FROM_MANY_DOTS in the From address:


From: VitalSource <mailto:do.not.re...@vitalsource.com>>


It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC, 
pushing it over to spam.

 *  1.5 KAM_SENDGRID Sendgrid being exploited by scammers
 *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 *  0.2 KAM_MARKETINGBL_PCCC Message contains URI associated with

in addition to a few smaller rules, like KAM_DMARC_NONE.

Does it sound reasonable to add 3 points plus another 1.5 simply for 
having been sent by sendgrid? How do we offset those points? Do we 
just rely on bayes/txrep?


I think my bayes db is pretty well-trained, but there's also a lot 
of account activation fraud emails.


On 16.11.23 10:29, Kris Deugau wrote:
Third party rule sets always need evaluation for your local mail flow. 


Just FYI:
AC_FROM_MANY_DOTS is a stock SA rule and has score 3 as OP complained:

score  AC_FROM_MANY_DOTS  2.999 2.999 2.999 2.999

from this point of view KAM rules are a bit safer:

score  KAM_MARKETINGBL_PCCC  1.0
score  KAM_SENDGRID  1.50

And you can always override scores in a third party channel with a 
local channel loaded after any others, or in a .cf in your local 
configuration directory.


the same applies to stock SA rules FYI.

I looked at the KAM rules and decided that using them as-is was a 
nonstarter.  However, using selected rule groups, at a reduced score, 
for spam I've had a hard time writing my own rules, has worked quite 
well.  (Up until the spammers started just dropping their fake invoice 
content into an attached image - or PDF.)


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.


Re: when whitelisting, do what with marked SPAM?

2023-11-15 Thread Matus UHLAR - fantomas

On 14.11.23 13:05, joe a wrote:

Low volume home office user and system.

Occasionally when first dealing with a new entity, their 
correspondence gets flagged as SPAM.


When I whitelist these, what should be done with those messages 
that might remain in "flagged SPAM" or "Missed SPAM"?, thinking 
along lines of keeping BAYES "clean and sharp".  So to speak.


Leave as is?  Delete and re learn?



On 11/14/2023 13:46:11, Matus UHLAR - fantomas wrote:
Simply relearn FPs. Unless you have huge misclassification issue, 
learning as few mail as one should fix BAYES issues.


On 14.11.23 22:02, joe a wrote:

Move previously tagged SPAM into HAM folder and "relearn"?


yes.
re-training SA on the same file works as if previous training was not done.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.


Re: when whitelisting, do what with marked SPAM?

2023-11-14 Thread Matus UHLAR - fantomas

On 14.11.23 13:05, joe a wrote:

Low volume home office user and system.

Occasionally when first dealing with a new entity, their 
correspondence gets flagged as SPAM.


When I whitelist these, what should be done with those messages that 
might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines 
of keeping BAYES "clean and sharp".  So to speak.


Leave as is?  Delete and re learn?


Simply relearn FPs. Unless you have huge misclassification issue, learning 
as few mail as one should fix BAYES issues.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: spamc -L does not return 5, or 6

2023-11-07 Thread Matus UHLAR - fantomas

On Tue, Nov 07, 2023 at 02:28:38AM +0100, Cecil Westerhof wrote:

https://spamassassin.apache.org/full/3.1.x/doc/spamc.html says:
   -L learn type
   Send message to spamd for learning. The learn type can be
   either spam, ham or forget. The exitcode for spamc will be set
   to 5 if the message was learned, or 6 if it was already
   learned.

   Note that the spamd must run with the --allow-tell option for
   this to work.



"George A. Theall via users"  writes:

How are you running spamd?  With -l / --allow-tell?


On 07.11.23 15:01, Cecil Westerhof wrote:

   --pidfile=/run/spamd.pid --username=imaps --allow-tell --create-prefs 
--max-children 5 --helper-home-dir

And the learning does work. But I have to use the generated text
instead of the exit codes.


I'm afraid that for --allow-tell and --username=imaps you need all 
mailboxes to be writable under "imaps" user, e.g. virtual users or similar.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are


Re: Getting error 74

2023-11-05 Thread Matus UHLAR - fantomas

What platform are you running on? (OS, distro, perl version, etc.)



Debian 12.
sa-update version 4.0.0 / svn1900642
 running on Perl version 5.36.0



Matus UHLAR - fantomas  writes:

Debian 12 contains SpamAssassin 4.0.0-6.



Cecil Westerhof  writes:

Strange. When running 'apt update' I get:
All packages are up to date.


On 05.11.23 13:54, Cecil Westerhof wrote:

It is installed:
   spamd/stable,now 4.0.0-6 all [installed]

Sadly 'sa-update -V' only shows part of the information. But I have
the latest version. :-D


my sa-update produced the same output.

I guess your scripts and system scripts clash somehow.

My recommendation is to check permissions in /var/lib/spamassassin/ and 
/var/lib/spamassassin/4.00/ to see if you didn't break something

and let system scripts to do the update.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!


Re: Getting error 74

2023-11-03 Thread Matus UHLAR - fantomas

What platform are you running on? (OS, distro, perl version, etc.)

Debian 12.
sa-update version 4.0.0 / svn1900642
 running on Perl version 5.36.0



Matus UHLAR - fantomas  writes:

Debian 12 contains SpamAssassin 4.0.0-6.


On 02.11.23 21:43, Cecil Westerhof wrote:

Strange. When running 'apt update' I get:
   All packages are up to date.

Maybe I need to ask a question on a Debian group.


"apt-cache policy spamassassin spamd" might tell you more.


It also updates rules daily, if you set CRON=1 in /etc/default/spamassassin


I use my own bash script to update the rules.


This may have created the problem you have.
debian-installed SA updates run under the debian-spamd user.


did you install SpamAssassin from debian packages or using other way?


I really do not know for sure. I thought default packages, but it is
too long ago.


this is quite important because packages installed and maintained using 
packaging system are easier to debug/fix

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.


Re: Getting error 74

2023-11-01 Thread Matus UHLAR - fantomas

On 2023-11-01 at 07:50:38 UTC-0400 (Wed, 01 Nov 2023 12:50:38 +0100)
Cecil Westerhof 
is rumored to have said:


On 01.11.23 16:02, Cecil Westerhof wrote:

Using scripts that hide things has his problems. :-(

The script was using:
   sa-update

And when I run that from the command line I get:
   gpg: WARNING: unsafe ownership on homedir '/etc/spamassassin/sa-update-keys'



In SOME contexts, '74' is defined as EX_IOERR. That would indicate a
problem with the underlying storage (OR network connection, in some
cases) used for your Bayes database.

What database are you using for Bayes?


I do not know. How can I find this out?


sa-update does not use BAYES database.


Installed about ten years ago on the then current Debian with the
defaults.



What tool are you using to learn messages?


I was confused. It was sa-update that went wrong.



What platform are you running on? (OS, distro, perl version, etc.)


Debian 12.
sa-update version 4.0.0 / svn1900642
 running on Perl version 5.36.0


Debian 12 contains SpamAssassin 4.0.0-6.

It also updates rules daily, if you set CRON=1 in /etc/default/spamassassin

did you install SpamAssassin from debian packages or using other way?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.


Re: Getting error 74

2023-11-01 Thread Matus UHLAR - fantomas

On 01.11.23 12:50, Cecil Westerhof wrote:

Since some time I see that when I want to update the spamassassin
filters I get error 74 for every email that I use to train the
filters. What could be happening here?


/usr/include/sysexits.h:#define EX_IOERR 74  /* input/output error */

looks like you have problem reading or writing.

If you want less generic answer, please provide info what command you 
execute and what is the exact error.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.


Re: spamd: still running as root

2023-10-31 Thread Matus UHLAR - fantomas

On 31.10.23 09:10, Linkcheck via users wrote:

Thanks, Matus. So nice when these little changes creep up on you. :)

I have merged the new OPTIONS with my old one...

OPTIONS="--create-prefs --nouser-config -4 -i 127.0.0.1 
--max-children=5 --helper-home-dir=/var/lib/spamassassin -u 
debian-spamd"


I assume that's ok.



Matus UHLAR - fantomas skrev den 2023-10-31 11:48:

yes, although --create-prefs is useless when you use --nouser-config


On 31.10.23 17:51, Benny Pedersen wrote:

and --create-prefs needs root ?


no. Even if you keep spamd running as root, it won't check as root, it will 
chuid to the "--default-user" and create/read prefs under that user.


quite effective with spamass-milter 


If you use "--username", it will create/read under that user.

But if you disable user preferences using --nouser-config, there's no reason 
to create user preferences, spamd won't read them.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


Re: spamd: still running as root

2023-10-31 Thread Matus UHLAR - fantomas

On 31.10.23 09:10, Linkcheck via users wrote:

Thanks, Matus. So nice when these little changes creep up on you. :)

I have merged the new OPTIONS with my old one...

OPTIONS="--create-prefs --nouser-config -4 -i 127.0.0.1 
--max-children=5 --helper-home-dir=/var/lib/spamassassin -u 
debian-spamd"


I assume that's ok.


yes, although --create-prefs is useless when you use --nouser-config

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.


Re: spamd: still running as root

2023-10-30 Thread Matus UHLAR - fantomas

On 30.10.23 16:45, Linkcheck via users wrote:
I have just updated Debian to Bookworm in order to install SA 4. Very 
few problems so far but the postfix log is giving:


"spamd: still running as root: user not specified with -u, not found, 
or set to root, falling back to nobody"


I am not sure where to specify an appropriate user (and possibly how 
and what). Help, please?



In /etc/default/spamassassin I have...

OPTIONS="--nouser-config -4 -i 127.0.0.1 --max-children=5 
--helper-home-dir=/var/lib/spamassassin -u debian-spamd"


PIDFILE="/run/spamd.pid"

CRON=1


since SA 4, spamd uses /etc/default/spamd

I don't use -u option, so spamd setuids to user spamc provides, this allows 
spamd use per-user configuration files.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: Missing Mail::SpamAssassin::Plugin::WelcomeListSubject

2023-10-26 Thread Matus UHLAR - fantomas

On 2023-10-26 at 10:14:44 UTC-0400 (Thu, 26 Oct 2023 15:14:44 +0100)
Linkcheck via users 
is rumored to have said:

I have just had reason to run --lint (first time in a week) and it 
failed drastically. This is on an well-established postfix mail 
server (but currently no real users) running 3.4.6 on Perl version 
5.32.1 on Debian Bullseye. Result of --lint is...


Oct 26 14:39:02.888 [121778] warn: plugin: failed to parse plugin 
(from @INC): Can't locate 
Mail/SpamAssassin/Plugin/WelcomeListSubject.pm in @INC (you may need 
to install the Mail::SpamAssassin::Plugin::WelcomeListSubject 
module) (@INC contains: /usr/share/perl5 /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.32.1 
/usr/local/share/perl/5.32.1 /usr/lib/x86_64-linux-gnu/perl5/5.32 
/usr/lib/x86_64-linux-gnu/perl-base 
/usr/lib/x86_64-linux-gnu/perl/5.32 /usr/share/perl/5.32 
/usr/local/lib/site_perl) at (eval 109) line 1.


On 26.10.23 11:03, Bill Cole wrote:

Your SA installation is broken.

WelcomeListSubject is a new module in v4, replacing WhiteListSubject. 
If you have anything referencing it in a 3.4.6 installation, you have 
something very wrong. The easiest fix is likely to be to remove and 
re-install SA.


perhaps it's just v310.pre containing

"loadplugin Mail::SpamAssassin::Plugin::WelcomeListSubject"

copied from v4 installation

OP, change it to "loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject"
to see if it helps.



with two added comments due to plugin not found.

Reload just performed gives...


[ ... SNIP ... ]

Oct 26 14:38:53 bristolmail spamd[121772]: config: failed to parse 
line, skipping, in "/etc/spamassassin/w7_whitelist.cf": 
whitelist_subject Barstaple House


Whatever that file is, it is NOT part of the SA distribution. Consult 
the author of 'w7_whitelist.cf' for support of whatever configuration 
it includes.


This only produces error because WelcomeListSubject does not exist and WhiteListSubject 
is not installed.

Fixing the error above should fix this as well.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.


Re: dkim-test valid but spamassassin scores DKIM_INVALID

2023-10-25 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas wrote on 2023-10-25 09:36:

I have:
50_scores.cf:score DKIM_VALID -0.1

check if you really haven't set score for DKIM_VALID anywhere, since 
SA complains about it being zero.


I guess this may cause DKIM_INVALID misfiring


On 25.10.23 13:08, Benny Pedersen wrote:

imho no, DKIM_INVALID has 0.1 in score, both should not be changed

it's just a result tag, not a policy of any kind


This looks like OP has changed score of DKIM_VALID to 0:


>Oct 25 07:10:54.364 [1687666] info: rules: meta test DKIM_INVALID has 
dependency 'DKIM_VALID' with a zero score


and since DKIM_INVALID depends on it:

meta DKIM_INVALID DKIM_SIGNED && !DKIM_VALID

...it would make sense for DKIM_INVALID to hit whenever DKIM_SIGNED does
since DKIM_VALID apparently was made not to fire ever.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
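
The dependency problem described in the message above can be checked offline. The following is an added example, not code from the thread or from SpamAssassin: it parses `score` and `meta` lines, reports meta rules that depend on a zero-score rule, and evaluates a boolean meta under the assumption stated in the message that a score-0 rule never fires. The sample configuration and all function names are constructed for illustration; the fallback score of 1.0 for rules without a `score` line is SpamAssassin's documented default.

```python
import re

SAMPLE_CF = """\
# constructed sample: stock-style DKIM meta plus a local override
meta  DKIM_INVALID  DKIM_SIGNED && !DKIM_VALID
score DKIM_VALID    -0.1
score DKIM_VALID    0   # local override, e.g. in local.cf
"""

def parse_config(text, scoreset=0):
    """Return (scores, metas); later 'score' lines win, one value covers all scoresets."""
    scores, metas = {}, {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)
        if len(parts) < 3:
            continue
        keyword, name, rest = parts
        if keyword == "score":
            values = rest.split()
            scores[name] = float(values[scoreset if len(values) == 4 else 0])
        elif keyword == "meta":
            metas[name] = rest.strip()
    return scores, metas

def zero_score_dependencies(scores, metas):
    """List (meta, dependency) pairs where the dependency has score 0."""
    return [(meta, dep) for meta, expr in metas.items()
            for dep in re.findall(r"\w+", expr) if scores.get(dep, 1.0) == 0]

def evaluate_meta(expr, hits, scores):
    """Evaluate names, !, &&, || and parentheses; score-0 rules never hit."""
    tokens, pos = re.findall(r"\w+|&&|\|\||[!()]", expr), 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def atom():
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            value = or_expr()
            take()  # consume ")"
            return value
        return tok in hits and scores.get(tok, 1.0) != 0
    def chain(op, operand):
        value = operand()
        while pos < len(tokens) and tokens[pos] == op:
            take()
            rhs = operand()
            value = (value and rhs) if op == "&&" else (value or rhs)
        return value
    def or_expr():
        return chain("||", lambda: chain("&&", atom))
    return or_expr()
```

Arithmetic meta expressions are outside what this sketch handles; it covers only the boolean form quoted in the thread.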


Re: dkim-test valid but spamassassin scores DKIM_INVALID

2023-10-25 Thread Matus UHLAR - fantomas

On 25.10.23 07:21, Niels Kobschätzki wrote:
>I'm having here a mail that scores as DKIM_INVALID.  I tried sending the
> same mail to gmail for example and it tells me that DKIM is valid.  Now I
> put it through "spamassassin -D" and I am even more baffled because the
> debug seems to say that DKIM is valid but then scores as INVALID.

>Any idea why this could be?
>
>debug-output from "spamassassin -t -D dkim < message":
>
>Oct 25 07:10:52.341 [1687666] dbg: dkim: VALID DKIM, i=@my.domain.com, 
d=my.domain.com, s=inx, a=rsa-sha256, c=relaxed/relaxed, key_bits=2048, pass, 
matches author domain
>Oct 25 07:10:52.342 [1687666] dbg: dkim: signature verification result: PASS
>Oct 25 07:10:52.342 [1687666] dbg: dkim: adsp not retrieved, author domain 
signature is valid
>Oct 25 07:10:52.342 [1687666] dbg: dkim: adsp result: - (valid a. d. 
signature), author domain 'my.domain.com'
>Oct 25 07:10:52.352 [1687666] dbg: dkim: VALID signature by my.domain.com, 
author m...@my.domain.com, no valid matches
>Oct 25 07:10:52.352 [1687666] dbg: dkim: author m...@my.domain.com, not in any 
dkim whitelist
>Oct 25 07:10:54.125 [1687779] info: util: setuid: ruid=0 euid=0 rgid=0 0 
egid=0 0

>Oct 25 07:10:54.364 [1687666] info: rules: meta test DKIM_INVALID has 
dependency 'DKIM_VALID' with a zero score



Matus UHLAR - fantomas wrote on 25.10.2023 08:16 CEST:
did you set score of DKIM_VALID to 0 ?


On 25.10.23 08:46, Niels Kobschätzki wrote:

DKIM_VALID is not overwritten by any of my local rules. So I would expect that 
this is the case. But even if I set for example

score DKIM_VALID 0
in local.cf there is no change


I have:
50_scores.cf:score DKIM_VALID -0.1

check if you really haven't set score for DKIM_VALID anywhere, since SA 
complains about it being zero. 


I guess this may cause DKIM_INVALID misfiring
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.


Re: dkim-test valid but spamassassin scores DKIM_INVALID

2023-10-24 Thread Matus UHLAR - fantomas

On 25.10.23 07:21, Niels Kobschätzki wrote:
I'm having here a mail that scores as DKIM_INVALID.  I tried sending the 
same mail to gmail for example and it tells me that DKIM is valid.  Now I 
put it through "spamassassin -D" and I am even more baffled because the 
debug seems to say that DKIM is valid but then scores as INVALID.



Any idea why this could be?

debug-output from "spamassassin -t -D dkim < message":

Oct 25 07:10:52.341 [1687666] dbg: dkim: VALID DKIM, i=@my.domain.com, 
d=my.domain.com, s=inx, a=rsa-sha256, c=relaxed/relaxed, key_bits=2048, pass, 
matches author domain
Oct 25 07:10:52.342 [1687666] dbg: dkim: signature verification result: PASS
Oct 25 07:10:52.342 [1687666] dbg: dkim: adsp not retrieved, author domain 
signature is valid
Oct 25 07:10:52.342 [1687666] dbg: dkim: adsp result: - (valid a. d. 
signature), author domain 'my.domain.com'
Oct 25 07:10:52.352 [1687666] dbg: dkim: VALID signature by my.domain.com, 
author m...@my.domain.com, no valid matches
Oct 25 07:10:52.352 [1687666] dbg: dkim: author m...@my.domain.com, not in any 
dkim whitelist
Oct 25 07:10:54.125 [1687779] info: util: setuid: ruid=0 euid=0 rgid=0 0 egid=0 0



Oct 25 07:10:54.364 [1687666] info: rules: meta test DKIM_INVALID has 
dependency 'DKIM_VALID' with a zero score


did you set score of DKIM_VALID to 0 ?


Return-path: 
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on one.ofmyhosts.com
X-Spam-Level: *
X-Spam-Status: No, score=1.6 required=5.0 tests=ALL_TRUSTED,DKIM_INVALID,
   DKIM_SIGNED,KAM_DMARC_REJECT,KAM_DMARC_STATUS autolearn=disabled
   version=3.4.6


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.


Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575

2023-09-29 Thread Matus UHLAR - fantomas

On 29.09.23 12:41, Mark London wrote:
Hi - Can anyone tell me why the following email header triggered 
DKIM_SIGNED and DKIM_VALID, yet I don't see a DKIM header line? 
Strangely, if I run spamassassin from the command line on the message, 
DKIM_SIGNED is not triggered.   SpamAssassin version 3.4.6


1.  Hasn't your exchange wiped out dkim headers?  Exchange and other 
microsoft software like to do things like this..


2. are you sure they triggered your instance of spamassassin, not remote?

(Note, I truncated the X-Spam-Level header, as I have some customized 
rules.)   Thanks. - MARK


Received: from SRV-EXCHANGE.sdis58.local 
(static-css-csd-160189.business.bouyguestelecom.com [176.162.160.189])
    by simplerelay.pulsation.fr (Postfix) with ESMTPS id 644B1203A3E3;
    Fri, 29 Sep 2023 04:56:31 +0200 (CEST)
Received: from simplerelay.pulsation.fr (simplerelay.pulsation.fr 
[80.74.64.73])
    by psfcmail2.psfc.mit.edu (8.15.2/8.15.2/Debian-22ubuntu3) 
with ESMTP id 38T31Prc585381

    for ; Thu, 28 Sep 2023 23:01:25 -0400
Received: from SRV-EXCHANGE.sdis58.local ([fe80::5034:8469:e7c0:7ca0]) by
 SRV-EXCHANGE.sdis58.local ([fe80::5034:8469:e7c0:7ca0%5]) with mapi id
 15.01.2507.032; Fri, 29 Sep 2023 04:56:20 +0200
Received: from SRV-EXCHANGE.sdis58.local (192.168.20.11) by 
SRV-EXCHANGE.sdis58.local (192.168.20.11) with Microsoft SMTP Server

 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.32; Fri, 29 Sep 2023 04:56:20 +0200
Received: from psfcmail2.psfc.mit.edu ([unix socket])
 by psfcmail2.psfc.mit.edu (Cyrus 
3.4.3-dirty-Debian-3.4.3-3build2) with LMTPA;

 Thu, 28 Sep 2023 23:01:27 -0400
Reply-To: 
From: "Louis LASTELLA" 
To: "Louis LASTELLA" 
Subject: RE: GRANT
Date: Thu, 28 Sep 2023 20:56:19 -0600
Message-ID: 
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="=_NextPart_000_0AB3_01D9F291.A3EE6670"
X-Mailer: Microsoft Outlook 16.0
X-Cyrus-Session-Id: cyrus-1695956487-582568-1-13949929973302507258
X-Sieve: CMU Sieve 3.0
X-Spam-Level: 5.61 (*) DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU ...
X-Scanned-By: MIMEDefang 2.84
Thread-Index: AQE/AG+iBnwgFQrrEE2E+wgvHkku+Q==
Content-Language: en-us
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-OlkEid: 
D75AD23CECE28241A24D055234BB07EE0700C3B68E10F77511CEB4CD00AA00BBB6E6000B5BBF9
7B16F0AE24BA3D270A637831578CAB77333E06029E36245B2E3DACE37D29594
x-originating-ip: [195.154.60.67]
x-esetresult: clean, is OK
x-esetid: 37303A2976F0D65A657466


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


Re: rbl for smtp auth hosts

2023-09-16 Thread Matus UHLAR - fantomas

>Marc wrote on 2023-09-15 17:01:
>>Anyone have any experience with a dns blacklist specific to known smtp
>>auth abuse?



On 15.09.23 17:51, Benny Pedersen wrote:
>spamrats ?
>
>https://www.spamrats.com/



I have bad experience with spam rats and thus wouldn't recommend using
them.
YMMV of course.


On 15.09.23 21:57, Marc wrote:
You could be right about this.  When I compare the last 413 failed smtp 
auths, none are listed in auth.spamrats.com.  While bl.spamcop.net lists 
230 at 127.0.0.2, while zen.spamhaus.org gets 371 at 
127.0.0.4/127.0.0.3/127.0.0.11.  I just have to check which of them is not 
a list that lists any 'dynamic' ip by default.


zen is not a good idea for auth too.  It's supposed to contain dynamic IPs 
which aren't used for spamming.


authbl from spamhaus should do that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig


Re: rbl for smtp auth hosts

2023-09-15 Thread Matus UHLAR - fantomas

Marc wrote on 2023-09-15 17:01:

Anyone have any experience with a dns blacklist specific to known smtp
auth abuse?


On 15.09.23 17:51, Benny Pedersen wrote:

spamrats ?

https://www.spamrats.com/


I have bad experience with spam rats and thus wouldn't recommend using them.
YMMV of course.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


Re: rbl for smtp auth hosts

2023-09-15 Thread Matus UHLAR - fantomas

On 15/09/23 17:01, Marc wrote:

Anyone have any experience with a dns blacklist specific to known smtp auth 
abuse?


On 15.09.23 15:31, Riccardo Alfieri wrote:
Yes, at previous $dayjob. Applied on the submission MSA, it proved to 
be useful in mitigating the fallout when users got their credentials 
compromised.


can you describe it more?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901


Re: DNS Help

2023-09-12 Thread Matus UHLAR - fantomas

On 11.09.23 10:35, D Benham wrote:

Ok, I need some guidance.  I am getting a lot of this:


 0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to 
URIBL was blocked.

    See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information.



On 2023-09-12 at 02:51:46 UTC-0400 (Tue, 12 Sep 2023 08:51:46 +0200)
Matus UHLAR - fantomas 
is rumored to have said:

have you also read the link(s) above?

SA explains the problem and how to avoid it, namely points to:

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver

Unfortunately, the current page does NOT have A name="dnsbl-block", 
which should be fixed.


Is anyone familiar with this wiki?


On 12.09.23 09:07, Bill Cole wrote:

I believe that anyone with committer status in the SA repo can fix it.

At first I was mystified by your problem description, but I believe I 
have fixed the issue (corrected the anchor in the referring link to 
"DnsBlocklists-dnsbl-block")


I meant that the http://wiki.apache.org/spamassassin/DnsBlocklists page has 
no anchor named "dnsbl-block", thus "DnsBlocklists#dnsbl-block" points to 
the beginning of document.


I'd expect it to point to the first Q&A segment where the problem and 
solutions are explained.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: sane max value for message size in 2023?

2023-09-12 Thread Matus UHLAR - fantomas

On 11.09.23 17:15, AJ Weber wrote:
I realize this is very much an "it depends", but recently I'm 
getting a lot of messages bypassing spamc because they're a few KB 
over the default, 500KB limit (spamassassin 3.4.x).


Can I bump this to maybe 750KB, and if so, will spamc read that from 
one of my .pre files, or do I have to somehow add that to a scan 
command-line?


On 12.09.23 08:47, Matus UHLAR - fantomas wrote:

I bumped mine to maximum size my server can accept, currently 30M.

I checked my spambox for biggest spam recorded (not rejected or lost) 
and I have pretty much spam over 1, even 2MB.


And I have just received 1.2MB spam, with short HTML and PDF attachment.
The HTML content could be enough for BAYES, but luckily we have ExtractText 
plugin which can extract text from it too.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.

