getting warning from spamassassin.apache.org

Yesterday I got a warning because of a bounced message. Is it normal that this warning was from 2021?

Subject: NOTICE: mail delivery status.
Date: Tue, 27 Jul 2021 16:46:43 +0200

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: MIME_BASE64_TEXT only on us-ascii
> UTF-8 emails SHOULD be base64 encoded.

Hmm, most of the mails we get are not base64 coded... (with charset UTF-8) but OK.

So any UTF-8 which is not base64 should get a spam rating because IT SHOULD be base64 coded?

Never mind.

On 11/16/21 6:55 PM, Bowie Bailey wrote:
> On 11/16/2021 7:34 AM, Philipp Ewald wrote:
>> We support utf-8 mails and we got mails utf-8 base64 coded. This should be a reason too to set spam rating.
>>
>> Sorry, I don't get it.
>>
>> Have a nice day.
>
> The point is this: UTF-8 emails SHOULD be base64 encoded. ASCII emails SHOULD NOT be base64 encoded. Therefore, an ASCII email that IS base64 encoded is unusual and is frequently seen in spam, so it is scored in SA. A UTF-8 email that is base64 encoded is normal and so is not scored simply for being encoded.

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: MIME_BASE64_TEXT only on us-ascii
We support utf-8 mails and we got mails utf-8 base64 coded. This should be a reason too to set spam rating.

Sorry, I don't get it.

Have a nice day.

On 11/16/21 1:00 PM, Reindl Harald wrote:
> On 16.11.21 at 12:47, Philipp Ewald wrote:
>> Why should a utf-8 base64 coded mail contain less spam?
>
> nobody said that!
>
> MIME_BASE64_TEXT is one of hundreds if not thousands of signs for spamminess and has its place in a *score based* classification
>
> its point is that there is no reason for base64 except try to hide the intent

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: MIME_BASE64_TEXT only on us-ascii
Why should a utf-8 base64 coded mail contain less spam?

When a user gets compromised we look into the spam mails that were sent. Many of those mails were UTF-8 base64 coded and some mails were us-ascii.

Guess which mail got through spamassassin? RIGHT. base64 coded mail with charset utf-8. Containing the same content.

I can understand the point of this rule, but IMO this rule has a bug and should be redesigned.

On 11/16/21 12:15 PM, Martin Gregorie wrote:
> On Tue, 2021-11-16 at 11:32 +0100, Philipp Ewald wrote:
>> This is correct. But why is us-ascii required for this rule? Are spammers only in US?
>
> No, it's because the base character set for e-mail bodies is USASCII. Base64 encoding is a way of making sure that attachments using other charsets (UTF8, and those using 16 bit encoding) will look just like USASCII attachments to mail-handling programs, etc. and not cause those programs to have to reject the mail message. As far as I know it has no other common, legitimate use, but it does have the side effect of making anything that's base 64-encoded unreadable.
>
> So, you can see that the ONLY effect of using base64 encoding on an attachment containing usascii text is to make it unreadable. This is why spammers use it: they've worked out that SA will spot and score malicious URLs, shorteners, etc. So, some spammers think that using base64 encoding will hide those bad URLs from SA, which is quite true. However their tiny minds don't see that using base64 encoding on a usascii attachment is a fairly reliable spam indicator all by itself.
>
> Martin

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: MIME_BASE64_TEXT only on us-ascii
My problem is that this rule is useless, while I can set the charset to utf-8 and spamassassin ignores this rule. I got many spams passed through because 1 score point was missing, because charset was set to "utf-8".

>> Mail with: Content-Type: text/html; charset="us-ascii" getting "MIME_BASE64_TEXT=1.741"
>
> Which is correct, if the charset is actually us-ascii and Base64 encoding is used anyway. There is no circumstance where a formally correct text/html document that is strictly us-ascii (i.e. all entities HTML-encoded) must be Base64-encoded. MIME_BASE64_TEXT exists because it is unusual to base64-encode pure us-ascii AND it is a strong (albeit imperfect) indicator of the message being spam.

This is correct. But why is us-ascii required for this rule? Are spammers only in US?

You can easily trick spamassassin by setting charset="utf-8"

Kind regards

On 11/16/21 4:28 AM, Bill Cole wrote:
> I have no clue what to test. I do not understand what you think is not working as intended.

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: MIME_BASE64_TEXT only on us-ascii
> I cannot make that line of text into a coherent English sentence.

May I pray for pardon my Lord. My English is not native.

Here you can test it.

Mail with: Content-Type: text/html; charset="us-ascii" getting "MIME_BASE64_TEXT=1.741"

Base64 generated with site: https://www.base64encode.org/

Kind regards

On 11/12/21 10:16 PM, Bill Cole wrote:
> On 2021-11-12 at 04:33:34 UTC-0500 (Fri, 12 Nov 2021 10:33:34 +0100) Philipp Ewald is rumored to have said:
>> Hi folks,
>>
>> it seems to be that spamassassin don't check non ASCII Base64 decodes Mails.
>
> I cannot make that line of text into a coherent English sentence.
>
>> Content-Type: text/html; charset="utf-8"
>> Content-Transfer-Encoding: base64
>>
>> [BAYES_99=3.5, BAYES_999=5, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_RP_RNBL=1.31]
>>
>> Mails with: Content-Type: text/html; charset="us-ascii" would get "MIME_BASE64_TEXT"
>>
>> [BAYES_99=3.5, BAYES_999=5, CK_HELO_GENERIC=0.001, HELO_DYNAMIC_DHCP=0.206, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, HTTP_EXCESSIVE_ESCAPES=1.572, KHOP_DYNAMIC=0.001, MIME_BASE64_TEXT=1.741, MIME_HTML_ONLY=0.723, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=0.922, RCVD_IN_RP_RNBL=1.31, T_REMOTE_IMAGE=0.01]
>>
>> Is this a Bug?
>
> Not until it's reproducible and described in a coherent manner. If you can provide valid email messages (perhaps artificially constructed) that do (or don't) hit the rules that you believe they should (or should not,) please do so.
>
> The purpose of MIME_BASE64_TEXT is to identify messages where a text part (or the whole message) with pure US-ASCII content has been Base64-encoded instead of being sent unencoded (or just QP-encoded to protect overlong lines.)

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds

--- Begin Message ---
This is ASCII
--- End Message ---
--- Begin Message ---
This is UTF-8
--- End Message ---
MIME_BASE64_TEXT only on us-ascii
Hi folks,

it seems to be that spamassassin don't check non ASCII Base64 decodes Mails.

Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

[BAYES_99=3.5, BAYES_999=5, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_RP_RNBL=1.31]

Mails with: Content-Type: text/html; charset="us-ascii" would get "MIME_BASE64_TEXT"

[BAYES_99=3.5, BAYES_999=5, CK_HELO_GENERIC=0.001, HELO_DYNAMIC_DHCP=0.206, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, HTTP_EXCESSIVE_ESCAPES=1.572, KHOP_DYNAMIC=0.001, MIME_BASE64_TEXT=1.741, MIME_HTML_ONLY=0.723, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=0.922, RCVD_IN_RP_RNBL=1.31, T_REMOTE_IMAGE=0.01]

Is this a Bug?

Kind regards
Philipp

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
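The property discussed in this thread (a text part whose content is pure US-ASCII but which was sent base64-encoded) can be checked on the decoded bytes instead of on the declared charset. The following is an added example, not part of any post above and not SpamAssassin's rule code; the function names and the sample messages are constructed for illustration.

```python
import base64
from email import message_from_bytes
from email.policy import default


def base64_text_parts(raw: bytes):
    """Return one finding per text/* part that uses base64 transfer encoding.

    Each finding records the declared charset and whether the *decoded*
    bytes are pure 7-bit ASCII, independent of what the header claims.
    """
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and non-text attachments
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte != "base64":
            continue
        decoded = part.get_payload(decode=True) or b""
        findings.append({
            "content_type": part.get_content_type(),
            "declared_charset": (part.get_content_charset() or "us-ascii").lower(),
            "pure_ascii": all(byte < 0x80 for byte in decoded),
        })
    return findings


def needlessly_encoded(raw: bytes) -> bool:
    """True if any base64 text part decodes to pure ASCII, whatever its label."""
    return any(f["pure_ascii"] for f in base64_text_parts(raw))


def build_sample(charset: str, body: str) -> bytes:
    """Construct a minimal single-part test message (constructed sample data)."""
    encoded = base64.encodebytes(body.encode(charset)).decode("ascii")
    return (
        "From: sender@example.com\r\n"
        "To: rcpt@example.org\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: text/html; charset="{charset}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{encoded}"
    ).encode("ascii")


if __name__ == "__main__":
    samples = {
        "ascii body, charset us-ascii": build_sample("us-ascii", "<p>This is ASCII</p>"),
        "ascii body, charset utf-8": build_sample("utf-8", "<p>This is ASCII</p>"),
        "non-ascii body, charset utf-8": build_sample("utf-8", "<p>Grüße aus Köln</p>"),
    }
    for label, raw in samples.items():
        print(label, "->", base64_text_parts(raw))
```

The second sample is the case raised in the thread: the body is identical to the first, only the charset label differs, and the content-based check reports both the same way.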
Re: Fw: spam from gmail.com
You can report it. Gmail is on DNSWL @gmail.com> RCVD_IN_DNSWL_MED=-2.3 https://www.dnswl.org/?page_id=17 As far as i know DNSWL is used by default On 11/8/21 7:27 PM, Rupert Gallagher wrote: Spammers are using gmail.com. Congratulations to Google for their fine work... Original Message On Nov 8, 2021, 10:42, Mrs.Marann Silvia < marannsilv...@gmail.com> wrote: Good day my dear, How are you doing and your family.I am Mrs.Marann Silvia,a sick widow writing from one of the America hospitals.I am suffering from a long time cancer of breast,my health situation is becoming worse,my life is no longer guaranteed hence i want to make this solemn donation.I want to donate my money to help the orphans, widows and handicap people through you because there is no more time left for me on this earth.I take this decision because i have no child who will inherit my wealth after my death.Please,i need your urgent reply so that i can tell you more on how you will handle my wish before i die.I will be waiting to hear from you immediately by God grace amen, yours sincerely. Mrs.Marann Silvia -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
Re: What does that rule mean "SUBJ_OBFU_PUNCT FEW"
No, the Support said "Yes you're listed because your "no-reply@" is hitting the following rules..." nothing *else*

On 1/13/21 6:07 PM, John Hardin wrote:
> The scores on those rules are rather low - they are not "poison pills". What *else* are those mails hitting?

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: What does that rule mean "SUBJ_OBFU_PUNCT FEW"
aaah sorry: i mean "no-reply(system notification)" E-Mails Hits SPAM Rule: SUBJ_OBFU_PUNCT_FEW -> Possible punctuation-obfuscated Subject: header SUBJ_OBFU_PUNCT_MANY -> Punctuation-obfuscated Subject: header We send mails Like this: (You got a E-Mail) X-To: <@web.de> From: "" Reply-To: "" Date: Mon, 07 Sep 2020 07:14:19 +0200 Subject: : Mailservice: Neue Mail X-Date: Mon, 07 Sep 2020 07:14:19 +0200 To: @web.de Message-ID: X-User-Message: X-User-Message-013 X-Auto-Response-Suppress: All Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit X-Mime-Autoconverted: from 8bit to 7bit by courier 1.0 On 1/13/21 5:02 PM, Antony Stone wrote: On Wednesday 13 January 2021 at 16:57:55, Philipp Ewald wrote: Hello, we try to deliver mails to GMX/WEB but we got frequency blocked because "ro-reply@ Mails" hits following rules: Sorry, but what do you mean by "ro-reply@ Mails"? SUBJ_OBFU_PUNCT_FEW -> Possible punctuation-obfuscated Subject: header SUBJ_OBFU_PUNCT_MANY -> Punctuation-obfuscated Subject: header Can you give us an example of the Subject line you're trying to send the emails with? Antony. -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
What does that rule mean "SUBJ_OBFU_PUNCT FEW"
Hello,

we try to deliver mails to GMX/WEB but we got frequency blocked because "ro-reply@ Mails" hits following rules:

SUBJ_OBFU_PUNCT_FEW -> Possible punctuation-obfuscated Subject: header
SUBJ_OBFU_PUNCT_MANY -> Punctuation-obfuscated Subject: header

I can't find any good declaration for these rules.. can someone explain please? (easy as possible)

Does that have to do with ".", ";", ":" in Headers?

Many thanks!

Kind regards
Philipp

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: contact from blacklist
Philipp are these spam using things like Google forms for spam? If so, take a look at KAM.cf on mcgrail.com, we've added a number of rules to combat those recently. on my freemail i got google formular SPAM. AM.cf on mcgrail.com i will have a look - thanks On 11/21/20 6:08 AM, Andrew Colin Kissa wrote: On 20 Nov 2020, at 22:23, Levente Birta wrote: I'd like to try the KAM channel. A quick install how-to would be nice too I would like to test the KAM channel tool. Thanks, Andrew +1 On 11/20/20 8:46 PM, John Hardin wrote: On Fri, 20 Nov 2020, Kevin A. McGrail wrote: Philipp are these spam using things like Google forms for spam? If so, take a look at KAM.cf on mcgrail.com, we've added a number of rules to combat those recently. There are also Google Docs rules in the base ruleset that should catch that. Based on the sample that was posted, it looks to me like abuse of a web-based feedback form - post a spammy feedback using the email address of your victim and you spam the victim via the confirmation (and the domain hosting the feedback form at the same time). -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
Re: contact from blacklist
nope i will check spamassassin for more "low" volume services URIBL provides public lookups over DNS for low volume usage. If you spam check a large amount of email, or you use a shared DNS platform for resolution, you may receive a response saying the query was refused. we have a higher usage On 11/20/20 7:05 PM, Benny Pedersen wrote: Philipp Ewald skrev den 2020-11-20 18:52: X-Spam-Flag: NO X-Spam-Score: 1.526 X-Spam-Level: + X-Spam-Status: No, score=1.526 tagged_above=- required=5 tests=[BAYES_50=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no http://uribl.com/usage.shtml urirhssub URIBL_BLOCKED multi.uribl.com. A 1 body URIBL_BLOCKED eval:check_uridnsbl('URIBL_BLOCKED') describe URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. tflags URIBL_BLOCKED net noautolearn works better if you solve this -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
Re: contact from blacklist
On 11/20/20 6:41 PM, Marc Roos wrote: Url blacklists? Maybe paste some headers here? Not real URL Blacklist. On my freemail-account i got this kind of email too so i thought maybe there will be a Blacklist for this kind of SPAM. X-Spam-Flag: NO X-Spam-Score: 1.901 X-Spam-Level: + X-Spam-Status: No, score=1.901 tagged_above=- required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723] autolearn=no autolearn_force=no Received: from mail.alnatura.de (mail.alnatura.de [145.253.236.209]) by mailwall.bringe.digionline.de (Postfix) with ESMTPS id F222445BD4 for ; Fri, 20 Nov 2020 13:18:30 +0100 (CET) Received: from psrvexc03.alnatura.local ([10.11.11.49]:37454 helo=mail.alnatura.de) by mail.alnatura.de with esmtp (Exim 4.82_1-5b7a7c0-XX) (envelope-from ) id 1kg5My-0005UX-2H for postmaster@; Fri, 20 Nov 2020 13:18:28 +0100 Received: from PSRVEXC04.alnatura.local (10.11.11.52) by PSRVEXC03.alnatura.local (10.11.11.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Fri, 20 Nov 2020 13:18:28 +0100 Received: from RD0003FF4CBBCD (13.80.108.215) by smtp.alnatura.de (10.11.11.52) with Microsoft SMTP Server id 15.1.2106.2 via Frontend Transport; Fri, 20 Nov 2020 13:18:28 +0100 MIME-Version: 1.0 From: nore...@alnatura.de To: postmaster@ Date: Fri, 20 Nov 2020 13:18:28 +0100 Subject: Kontaktformular Alnatura 20.11.2020 13:18:28 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 Message-ID: <08fd5fa0-6388-4af1-96c1-9fe93e59fc7a@PSRVEXC04.alnatura.local> ### X-Spam-Flag: NO X-Spam-Score: 1.526 X-Spam-Level: + X-Spam-Status: No, score=1.526 tagged_above=- required=5 tests=[BAYES_50=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from production331.hipex.io (production331.hipex.io [195.201.187.140]) by mailwall.bringe.digionline.de (Postfix) with ESMTPS id 1E152476FC for ; 
Thu, 19 Nov 2020 22:17:10 +0100 (CET) Received: by production331.hipex.io (Postfix, from userid 2005) id EA15A7D2DB1; Thu, 19 Nov 2020 22:16:41 +0100 (CET) To: postmaster@ Subject: =?UTF-8?Q?Danke=20f=C3=BCr=20Ihre=20Kontaktanfrage:=20Mein=20Konto=20/=20?= =?UTF-8?Q?Frage=20zur=20Rechnung=20/=20Ein=20Konto=20erstellen?= Date: Thu, 19 Nov 2020 21:16:41 + MIME-Version: 1.0 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reply-To: nore...@heuts.de Thanks for contact BLABLALBA Your Text to us: SPAM or is this only a german problem? Kind regards Philipp -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
contact from blacklist
Hi everyone,

lately I get more and more spam from so-called contact forms. Does anyone know a blacklist for this?

Kind regards
Philipp

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: Check HELO
that customer is apparently losing too much mail - last time I checked, google, aol, yahoo SMTP servers used HELO strings that did not resolve back Year - i thought there will be many false positive. what really matters is: 1. the PTR of connecting should be resolvable and the resulting hostname should resolve back to the IP. 2. the name in HELO/EHLO should be resolvable and should have A/ record Check ;-) Does anyone else checks the HELO/ELHO? very few. Thanks for feedback! I will not check HELO. Kind regards Philipp Am 14.09.20 um 15:08 schrieb Matus UHLAR - fantomas: On 14.09.20 14:35, Philipp Ewald wrote: we have one customer the reported problems about HELO. We send the RFC821 HELO for only DOMAIN not FQDN. The customer scanning the helo and check the PTR and if the PTR don't match the HELO there is SPAM rating. this is forbidden by any SMTP RFCs issued so far. that customer is apparently losing too much mail - last time I checked, google, aol, yahoo SMTP servers used HELO strings that did not resolve back to those IPs. what really matters is: 1. the PTR of connecting should be resolvable and the resulting hostname should resolve back to the IP. 2. the name in HELO/EHLO should be resolvable and should have A/ record I don't really like that but we think about to check the HELO too. Does anyone else checks the HELO/ELHO? very few. -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Telefon: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
Check HELO
Hi,

we have one customer who reported problems about HELO. We send the RFC821 HELO for only DOMAIN not FQDN.

The customer is scanning the HELO and checks the PTR, and if the PTR doesn't match the HELO there is a SPAM rating.

I don't really like that but we think about checking the HELO too.

Does anyone else check the HELO/EHLO?

Kind regards
Philipp

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: A new high score!
We have our own rule that marks special mails with spam score 1000, but with default values the record is round about 22.

On 24.08.20 at 23:27, micah anderson wrote:
> What is the highest score you've seen a spam get? I think I just broke my own high score, with a spam that managed to pile up 64 points. I'm sure you all have seen much higher!

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Phone: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: IMPORTANT NOTICE: Rules referencing WHITELIST or BLACKLIST in process of being Renamed
ah sorry i wrote that totally wrong... i mean we have "whitelist_from" setting. should i change that to "welcomelist_from" or to "welcome_from", because when changing from "whitelist" to "welcomelist" should "welcomelist_from" be "right" but "welcome_from" sounds better. So my second question is about how to automatically change that in configuration files? sed -i 's/whitelist/welcomelist/g' Am 20.07.20 um 13:54 schrieb Marc Roos: What is being used for mail that is not welcome, but still needs to be allowed thru? -Original Message- To: users@spamassassin.apache.org Subject: Re: IMPORTANT NOTICE: Rules referencing WHITELIST or BLACKLIST in process of being Renamed can we use something like that or is there any special edit necessary? sed -i 's/whitelist/welcomelist/g' $CONFIG my setting "whitelist_from" to "welcomelist_from" || "welcome_from"? Thanks Am 19.07.20 um 18:09 schrieb Kevin A. McGrail: All: As of today, the configuration option WHITELIST_TO has been renamed WELCOMELIST_TO with an alias for backwards compatibility. Additionally, the rule USER_IN_WHITELIST_TO has been renamed to USER_IN_WELCOMELIST_TO to assist those running older versions of SpamAssassin get stock rulesets. If you have custom scoring or any custom rules building on USER_IN_WHITELIST_TO, please accept our apologies and change the references to USER_IN_WELCOMELIST_TO. In order to remove racially charged configuration options, whitelist will become welcomelist and blacklist will become blocklist. More changes will be coming for this with these small changes in the stock ruleset. Apologies for the disruption and thanks to those who are reporting issues as we work through the changes. Regards, KAM -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Telefon: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
Re: IMPORTANT NOTICE: Rules referencing WHITELIST or BLACKLIST in process of being Renamed
Can we use something like that or is there any special edit necessary?

    sed -i 's/whitelist/welcomelist/g' $CONFIG

My setting "whitelist_from" to "welcomelist_from" || "welcome_from"?

Thanks

On 19.07.20 at 18:09, Kevin A. McGrail wrote:
> All:
>
> As of today, the configuration option WHITELIST_TO has been renamed WELCOMELIST_TO with an alias for backwards compatibility.
>
> Additionally, the rule USER_IN_WHITELIST_TO has been renamed to USER_IN_WELCOMELIST_TO to assist those running older versions of SpamAssassin get stock rulesets. If you have custom scoring or any custom rules building on USER_IN_WHITELIST_TO, please accept our apologies and change the references to USER_IN_WELCOMELIST_TO.
>
> In order to remove racially charged configuration options, whitelist will become welcomelist and blacklist will become blocklist. More changes will be coming for this with these small changes in the stock ruleset.
>
> Apologies for the disruption and thanks to those who are reporting issues as we work through the changes.
>
> Regards,
> KAM

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Phone: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: spamhaus enabled by default
Thank you for the update! Last time we used spamhaus this was not given.

On 10.07.20 at 18:07, Riccardo Alfieri wrote:
> Hi,
>
> sorry but this will never happen. We are not going to use a "list the world" response to queries from anyone. There are dedicated return codes for that (already included in SpamAssassin):
>
> https://www.spamhaus.org/news/article/788/spamhaus-dnsbl-return-codes-technical-update

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Phone: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: spamhaus enabled by default
Most smaller sites have no problem unless they use third party DNS resolvers which are blocked. if you're local resolver is forwarding to some ISP's resolver then you also get blocked. No. We are like a ISP... and got more than 50.000 accepted Mails a day so this is totally not in free-use includes, but i think enabled by default is... na Am 10.07.20 um 13:54 schrieb Kevin A. McGrail: Here's the policy: https://cwiki.apache.org/confluence/display/spamassassin/DnsBlocklistsInclusionPolicy This was active since 2018? Maybe it would be better to ask if your are commercial or not... AFIK you got problem if your running spamhaus and have no license so any mail got marked as SPAM (or got hit SMAPMHAUS rule on any domain?) Am 10.07.20 um 13:43 schrieb Axb: On 7/10/20 1:40 PM, Philipp Ewald wrote: in local.cf add: dns_query_restriction deny spamhaus.org that should fix the problem and survive SA updates Many Thank! now it's work. but why is this enabled by default? because, under fair use, it's free for all. Most smaller sites have no problem unless they use third party DNS resolvers which are blocked. if you're local resolver is forwarding to some ISP's resolver then you also get blocked. -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Telefon: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
Re: spamhaus enabled by default
> in local.cf add:
>
>     dns_query_restriction deny spamhaus.org
>
> that should fix the problem and survive SA updates

Many thanks! Now it works. But why is this enabled by default?

On 10.07.20 at 13:23, Axb wrote:
> On 7/10/20 1:20 PM, Philipp Ewald wrote:
>> Hey everyone,
>>
>> we got a nice mail from spamhaus. We have used their DNS queries.
>>
>> Important is that we thought we have disabled them by:
>>
>>     score __RCVD_IN_ZEN 0
>>
>> But tcpdump says we make DNS queries to spamhaus, but the result got ignored.
>
> you forgot that DBL rules also query Spamhaus
>
>> I have removed the configuration lines in /usr/share/spamassassin but after update the configuration comes back.
>>
>> How do I disable them right? And why got this behavior changed?
>
> in local.cf add:
>
>     dns_query_restriction deny spamhaus.org
>
> that should fix the problem and survive SA updates
>
> h2h

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
spamhaus enabled by default
Hey everyone,

we got a nice mail from spamhaus. We have used their DNS queries.

Important is that we thought we have disabled them by:

    score __RCVD_IN_ZEN 0

But tcpdump says we make DNS queries to spamhaus, but the result got ignored.

I have removed the configuration lines in /usr/share/spamassassin but after update the configuration comes back.

How do I disable them right? And why got this behavior changed?

Kind regards
Philipp Ewald

--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC
Thanks for help! Notice: same mail on Debian 10 Server Rule dont hit spamassassin -V SpamAssassin version 3.4.2 running on Perl version 5.28.1 on this server i have installed updates Debian 9.11 Server which rule was hit: # damn this sounds so wrong spamassassin -V SpamAssassin version 3.4.2 running on Perl version 5.24.1 apt list --upgradable spamassassin/oldstable 3.4.2-1~deb9u3 all [upgradable from: 3.4.2-1~deb9u1] Am 05.02.20 um 17:14 schrieb Matus UHLAR - fantomas: On 05.02.20 17:18, Henrik K wrote: >The error can only happen if there was unquoted $ in regex. > >header __ZMIfish_ForgedBill01 Message-ID =~ /$Blat.v3/ > >Newer 3.4.4 don't care about such things, you should upgrade asap since >there are vulnerabilities. On Wed, Feb 05, 2020 at 04:55:33PM +0100, Matus UHLAR - fantomas wrote: the OP reported using debian, which has those bugs fixed in 3.4.2. developers have backported fixed into the old version. On 05.02.20 17:58, Henrik K wrote: It's clearly not using debian version or then the backport is lacking fixes. I have not reviewed it personally so there are no guarantees. it's possible that the OP doesn't have security updates installed. Philipp, please check which SA version you have: % apt-cache policy spamassassin spamassassin: Installed: 3.4.2-1+deb10u2 Candidate: 3.4.2-1+deb10u2 Version table: *** 3.4.2-1+deb10u2 500 500 http://security.debian.org/debian-security buster/updates/main i386 Packages 100 /var/lib/dpkg/status 3.4.2-1 500 500 file:/mount/mirrors/debian buster/main i386 Packages if it's not 3.4.2-1+deb10u2 (or 3.4.2-1~deb9u3 on Debian 9), try installing security updated. I recommend you installing unattended-upgrades package and enabling security updates, so security updates are installed automatically. -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Telefon: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 
5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC
That is strange. Do you have a copy of that file? Is it identical to [1] no really... i have remove all lines with starting "#" sed -i '/^#.*/d' /etc/spamassassin/70_zmi_german.cf File comes from: http://sa.zmi.at/sa-update-german/402.tar.gz linux-distribution package, CPAN, other? Debian 9.11 CPAN = not changed? spamassassin 3.4.2 after reinstall from http://sa.zmi.at/sa-update-german rule dont hint and no errors in debug Am 05.02.20 um 15:37 schrieb Damian: That is strange. Do you have a copy of that file? Is it identical to [1]? What exact SA codebase is this; linux-distribution package, CPAN, other? Feb 5 14:19:46.438 [6998] warn: (Global symbol "$Blat" requires explicit package name (did you forget to declare "my $Blat"?) at /etc/spamassassin/70_zmi_german.cf, rule __ZMIfish_ForgedBill01, line 1.) [1] http://zmi.at/x/70_zmi_german.cf -- Philipp Ewald Administrator DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln Telefon: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de AG Köln HRB 27711, St.-Nr. 5215 5811 0640 Geschäftsführer: Werner Grafenhain Informationen zum Datenschutz: www.digionline.de/ds
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC
just saw this error:

Feb 5 14:19:46.438 [6998] warn: rules: failed to compile Mail::SpamAssassin::Plugin::Check::_head_tests_0_4, skipping:
Feb 5 14:19:46.438 [6998] warn: (Global symbol "$Blat" requires explicit package name (did you forget to declare "my $Blat"?) at /etc/spamassassin/70_zmi_german.cf, rule __ZMIfish_ForgedBill01, line 1.)

After deleting /etc/spamassassin/70_zmi_german.cf and restarting amavis:

---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100% [score: 1.]
 5.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100% [score: 1.]
 1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL blocklist [URIs: negosev.site]
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist [URIs: negosev.site]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
 2.5 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
 0.0 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
-1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list manager
 0.6 BODY_URI_ONLY          Message body is only a URI in one line of text or for an image
 2.0 TO_NO_BRKTS_HTML_IMG   To: lacks brackets and HTML and one image

On 05.02.20 at 14:22, Philipp Ewald wrote:
Sure.

spamassassin -V
SpamAssassin version 3.4.2
  running on Perl version 5.24.1

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100% [score: 1.]
 5.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100% [score: 1.]
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist [URIs: negosev.site]
 1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 2.5 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
 1.6 REPLYTO_WITHOUT_TO_CC  No description available.
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 1.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
 1.0 MISSING_FROM           Missing From: header
 0.0 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
 0.6 BODY_URI_ONLY          Message body is only a URI in one line of text or for an image

Notice: same mail on Debian 10 Server, rule doesn't hit

spamassassin -V
SpamAssassin version 3.4.2
  running on Perl version 5.28.1

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist [URIs: negosev.site]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100% [score: 1.]
 1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 5.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100% [score: 1.]
 2.5 PYZOR_CHECK            Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/)
 0.0 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
-1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list manager
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 BODY_URI_ONLY          Message body is only a URI in one line of text or for an image
 2.0 TO_NO_BRKTS_HTML_IMG   To: lacks brackets and HTML and one image

On 05.02.20 at 13:55, Damian wrote:
Can you provide an .eml that will reproduce the hit with a manual spamassassin invocation?

i have a mail with REPLYTO_WITHOUT_TO_CC=1.552 but in Mail Header there is a "To"

why does this rule hit?

From: "Kreditkarte"
Reply-To: "Kreditkarte"
To: u...@another.tld

--
Philipp Ewald
REPLYTO_WITHOUT_TO_CC
Hello guys,

i have a mail with REPLYTO_WITHOUT_TO_CC=1.552 but in Mail Header there is a "To"

why does this rule hit?

From: "Kreditkarte"
Reply-To: "Kreditkarte"
To: u...@another.tld

Unfortunately *all* of the rules don't have descriptions on the web. For this one the rule name should be description enough: there is a Reply-To: header but not a To: or Cc: header.

is this an error/bug or do i miss something?

Kind regards
Philipp

--
Philipp Ewald
Re: Bitcoin ransom mail
I have a solution with ClamAV for any image that is "not allowed".

In my case i create a md5sum from images i don't want to receive and put them into a hashtable. This hashtable is placed into /var/lib/clamav/NAME.hsb

/var/lib/clamav/NAME.hsb looks like:

  129895eb534a7e568b4284b6860fa93c:1245184:BitcoinImage

  hash:size:"VIRUS name"

so any new mail with this attachment gets treated as virus

if you want to set score to this image you need this:

in /etc/amavis/conf.d/50-user insert:

  @virus_name_to_spam_score_maps =
    (new_RE(  # the order matters!
      [ qr'BitcoinImage.UNOFFICIAL' => 999],
    ));

service amavis restart

done

On 10.12.19 at 19:03, Joseph Brennan wrote:
A user here reported a new twist on the bitcoin ransom mail. New to me, anyway.

From: Casper Mitten
Sent: Monday, December 9, 2019 10:00 PM

The Subject was a single word, supposedly a password. The message was a jpg picture of text. Although it was in English, many vowels were accented special characters. The recipient was expected to scan a QR code in the picture to get the bitcoin string!

I'm sending this purely for information. The user's report (as usual) does not include headers so I don't know what scored. It must have hit a rule for a message with no text and an image. There isn't much else there.

--
Philipp Ewald
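The hash:size:name lines described in the post above can be built and checked with a few lines of Python. This is an added example, not code from the thread or from ClamAV: the function names and the sample image bytes are constructed, and it also shows that such an entry only matches a byte-identical file.

```python
import hashlib
import re

# Hex digest length -> hashlib algorithm name.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def hsb_entry(data, name, algo="md5"):
    """Build one hash:size:name line for the bytes of an unwanted attachment."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unsuitable signature name: {name!r}")
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"


def parse_hsb_line(line):
    """Split a line into (algo, digest, size, name), validating each field."""
    fields = line.strip().split(":")
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}")
    digest, size, name = fields[0].lower(), fields[1], fields[2]
    if len(digest) not in ALGO_BY_LENGTH or not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {digest!r}")
    if not size.isdigit():
        raise ValueError(f"size must be a byte count: {size!r}")
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unsuitable signature name: {name!r}")
    return ALGO_BY_LENGTH[len(digest)], digest, int(size), name


def match(data, lines):
    """Return the name of the first entry that matches data exactly, else None."""
    for line in lines:
        algo, digest, size, name = parse_hsb_line(line)
        # Comparing the size first avoids hashing for almost every file.
        if size == len(data) and hashlib.new(algo, data).hexdigest() == digest:
            return name
    return None


# The line quoted in the post, and constructed bytes standing in for an image.
PAGE_LINE = "129895eb534a7e568b4284b6860fa93c:1245184:BitcoinImage"
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"constructed stand-in for an unwanted JPEG"


def demo():
    """Match the original bytes, then the same bytes with one byte appended."""
    entries = [PAGE_LINE, hsb_entry(SAMPLE_IMAGE, "BitcoinImage")]
    resaved = SAMPLE_IMAGE + b"\x00"
    return match(SAMPLE_IMAGE, entries), match(resaved, entries)


if __name__ == "__main__":
    print(hsb_entry(SAMPLE_IMAGE, "BitcoinImage"))
    print(demo())
```

The second result of `demo()` is `None`: an image that has been re-saved or padded needs its own entry.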
bayes_auto_learn_on_error
Hi guys,

autolearning will be performed only when a bayes classifier had a different opinion from what the autolearner is now trying to teach it

i thought bayes only learns on error like: score > 5 && Bayes_00 or score < -1 && bayes_99 (+bayes_999)

i don't get it:

score=-1.9 tagged_above=- required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no

score=0.813 tagged_above=- required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no

score=-1.898 tagged_above=- required=5 tests=[BAYES_00=-1.9, FSL_HELO_NON_FQDN_1=0.001, TVD_SPACE_RATIO=0.001] autolearn=ham autolearn_force=no

score=-1.899 tagged_above=- required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, TVD_SPACE_RATIO=0.001] autolearn=ham autolearn_force=no

score=-1.899 tagged_above=- required=5 tests=[BAYES_00=-1.9, TVD_SPACE_RATIO=0.001] autolearn=ham autolearn_force=no

score=0.8 tagged_above=- required=5 tests=[BAYES_50=0.8, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no

score=-2.808 tagged_above=- required=5 tests=[BAYES_00=-1.9, PYZOR_CHECK=1.392, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no

score=-1.998 tagged_above=- required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no

[...]

score=-3.042 tagged_above=- required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=1.157, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no

score=-6.599 tagged_above=- required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no

can someone explain this option to me?

Thanks!

kind regards
Philipp

--
Philipp Ewald
Re: shortcircuit on alread x-spam-flag: yes
Hi Benny,

thanks for your link! ( i did not follow any BOFH Rules from this site ;-) )

i check headers and if "X-SPam-Flag: YES" is set, i write a custom header from postfix, and in Spamassassin i search for this custom header in shortcircuit.

It works!

X-Spam-Status: Yes, score=98.7 tagged_above=- required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, SHORTCIRCUIT=100, SpamFlag=1] autolearn=disabled

i set this priority lower than DNSWL to save some network traffic

kind regards
Philipp

On 27.11.19 at 18:30, Benny Pedersen wrote:
On 2019-11-27 17:56, Philipp Ewald wrote:
we only want to trust "X-Spam-Flag: YES" or why should someone (spammer, other mailserver with outgoing spamfilter) set this Flag to Yes?

trustness

https://www.techiepark.com/tutorials/blocking-spam-using-postfix-header_checks-and-spamassassin/

bad example on what not to do :)

http://www.techiepark.com/resources/postfix-header-checks/

really want to make postfix a spam filter ?

better is to use fuglu.org as a before queue content filter with then can reject spam :=)

i have still not seen mimedefang working

--
Philipp Ewald
Re: shortcircuit on alread x-spam-flag: yes
Hi Tobi,

we only want to trust "X-Spam-Flag: YES" or why should someone (spammer, other mailserver with outgoing spamfilter) set this Flag to Yes?

but like RW wrote:

If you want to match on such a header you need to rewrite it before SA sees it.

i thought shortcircuit will test before any other tests but the header was removed before shortcircuit :(

I have a lot to learn...

Thanks for help, maybe i try this again... later :-)

On 27.11.19 at 17:15, Tobi wrote:
Philipp,

Think you should ask yourself the following question: do I trust the spam result from a remote server? If yes then why using a spamassassin rule and not straight-out reject such mails on mta (header check)? And if you do not trust the remote server then why using its spam decision at all?

Cheers
tobi

On 26.11.19 at 14:06, Philipp Ewald wrote:
Hi guys,

i want to bypass scanning mail if mail has already X-Spam-Flag: YES set. I found "clear_headers" in "/usr/share/spamassassin/10_default_prefs.cf".

how can i override this setting? (include next update)

Kind regards
Philipp

--
Philipp Ewald
Re: shortcircuit on alread x-spam-flag: yes
On 26.11.19 at 15:43, Matus UHLAR - fantomas wrote:
On 26.11.19 15:08, Philipp Ewald wrote:
Not really... or why should some one set this header on non-spam?

FP means false positive. Mail that was evaluated as spam but is not.

i know ;-)

X-Spam-Flag: yes on non spam is false positive :)

we trust our mailserver (MX for all domains) so once this mail was scored as spam and this mail got forwarded to any other customer (through mailserver again) it can be skipped

and any mail from external with X-SPAM-FLAG: YES can be skipped too (why not?)

--
Philipp Ewald
Re: shortcircuit on alread x-spam-flag: yes
On 26.11.19 at 15:28, Reindl Harald wrote:
On 26.11.19 at 15:08, Philipp Ewald wrote:
Not really... or why should some one set this header on non-spam?

strange question

why should anybody forward a mail instead reject it when it's 100% spam?

we have "old customer" (with historical terms) there have forwarding rules for any mail and we are not allowed to set SPAM Filter rule or to change the forwarding rules.

We have different domains and all postmaster mails will be forwarded to ( with alias to monitored e-mail)

On 26.11.19 at 14:44, Reindl Harald wrote:
On 26.11.19 at 14:06, Philipp Ewald wrote:
i want to bypass scanning mail if mail has already X-Spam-Flag: YES set. I found "clear_headers" in "/usr/share/spamassassin/10_default_prefs.cf".

how can i override this setting? (include next update)

like every other setting by put it into a whatever called file with the extension .cf in /etc/mail/spamassassin

Okay maybe forgot to activate shortcircuit(?)

my rule:

/etc/spamassassin/09_X_SPAM_FLAG.cf

  header SpamFlag X-Spam-Flag =~ /YES/
  score SpamFlag 99

was loaded before "/usr/share/spamassassin/10_default_prefs.cf" but score was not set.

I will try in /etc/spamassassin/local.cf in shortcircuit plugin

thanks for help

--
Philipp Ewald
Re: shortcircuit on alread x-spam-flag: yes
Not really... or why should some one set this header on non-spam?

On 26.11.19 at 14:44, Matus UHLAR - fantomas wrote:
On 26.11.19 14:06, Philipp Ewald wrote:
i want to bypass scanning mail if mail has already X-Spam-Flag: YES set. I found "clear_headers" in "/usr/share/spamassassin/10_default_prefs.cf".

how can i override this setting? (include next update)

don't you care about incoming FPs?

--
Philipp Ewald
shortcircuit on alread x-spam-flag: yes
Hi guys,

i want to bypass scanning mail if mail has already X-Spam-Flag: YES set. I found "clear_headers" in "/usr/share/spamassassin/10_default_prefs.cf".

how can i override this setting? (include next update)

Kind regards
Philipp

--
Philipp Ewald
some question about bayes learn/score math
Hi folks,

sorry for asking again but Bayes is a blackbox for me :(

I have some questions about bayes math. How does bayes/spamassassin calculate these values?

i'm wonder about : auto-learn?* and "score so far=8.601)

dbg: rules: running head tests; score so far=8.601
[...]
dbg: rules: running body tests; score so far=8.601
[...]
dbg: rules: running uri tests; score so far=8.601
[...]
dbg: rules: running body_eval tests; score so far=8.601
[..]
dbg: rules: running rawbody tests; score so far=8.601
[...]
dbg: rules: running full tests; score so far=8.601
[...]
dbg: rules: running meta tests; score so far=8.601
[...]
dbg: learn: auto-learn: currently using scoreset 3, recomputing score based on scoreset 1
dbg: learn: auto-learn: adding body_only points 0.001
dbg: learn: auto-learn: not considered head or body scores: 0.1
dbg: learn: auto-learn: adding head_only points 1.274
dbg: learn: auto-learn: adding head_only points 0.01
dbg: learn: auto-learn: message score: 9.404, computed score for autolearn: 1.385
dbg: learn: auto-learn? ham=-1, spam=6.5, body-points=0.001, head-points=1.284, learned-points=8.5

can someone explain this? or give me some reading stuff? i can't find anything else...

PS: I have already read the following

http://www.paulgraham.com/naivebayes.html (like spamassassin say it use bayes like this)
http://www.paulgraham.com/spam.html
https://cwiki.apache.org

Kind regards

--
Philipp Ewald
Autolearn HAM with spamscore 996
First thanks for help, i will train them with current mail.

my Amavis configuration found my attachment and scored this with SPAM score 999 but auto learn ignores this

X-Spam-Flag: YES
X-Spam-Score: 996.7
X-Spam-Level:
X-Spam-Status: Yes, score=996.7 tagged_above=- required=5 tests=[AV:NSFW.UNOFFICIAL=999, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no

Test with GTUBE:

X-Spam-Flag: YES
X-Spam-Score: 997.7
X-Spam-Level:
X-Spam-Status: Yes, score=997.7 tagged_above=- required=5 tests=[GTUBE=1000, RCVD_IN_DNSWL_MED=-2.3] autolearn=no autolearn_force=no

Amavis config: /etc/amavis/conf.d/50-user

  @virus_name_to_spam_score_maps =
    (new_RE(  # the order matters!
      [ qr'NSFW.UNOFFICIAL' => 999],
    ));

did i miss something? can someone help me?

google "auto learn amavis spamassassin": it's really tricky to find something helpful.

kind regards
Philipp

On 22.10.19 15:56, RW wrote:
Train on the actual email.

--
Philipp Ewald
Question about Bayes implementation
Hi folks,

at this point i split all my SPAM mail to get the attachment to create a hash table. (but this is not my point)

It's also possible to split my SPAM into html/text, plain/text and headers too.

Debian package: ripmime

Now i ask myself:

If i train spamassassin with my mails, should i train with the whole mail or can i split them and train only on the plain/text part? or which part would be "the best" to learn?

thanks for help

kind regards

--
Philipp Ewald