Re: SA treats percentage spaces wording as uri

2024-05-14 Thread Shawn Iverson
On Mon, May 13, 2024 at 8:10 PM Noel Butler  wrote:

> This morning one of our ent_domains DMARC weekly report from a third party
> was listed as spam by SA which took the wording
>  Not_percent-twenty_Resolved and passed it off to URI checks adding
> dot.com to it when there is no dot com after it, and a raw message search
> of that message in less in console confirms it.
>
If you place this badly formatted string as a link, URI checks appear to
take it and append a dot com to it as well.  I'd imagine that the word
itself isn't important and can be arbitrary.

http:undefined


Re: MS-relayed spam

2024-01-03 Thread Shawn Iverson
On Wed, Jan 3, 2024 at 5:06 AM Matus UHLAR - fantomas 
wrote:

> What?
>
> If the message came from .outlook.com hosts, it should be reported to
> ab...@outlook.com.
>
You are right, it did come from an .outlook.com host. My mistake. I'm not
sure why they blocked the user, then.


Re: MS-relayed spam

2024-01-02 Thread Shawn Iverson
On Tue, Jan 2, 2024 at 3:11 PM Torpey List  wrote:

> I started forwarding full headers and text to "ab...@outlook.com" and
> they
> blocked my IP.
>
>
ab...@outlook.com is for reporting abuse on the freemail
Outlook/Hotmail/MSN platforms, not Microsoft tenants.

https://msrc.microsoft.com/report/


Re: SA build from cpan fails under certain conditions

2022-12-21 Thread Shawn Iverson
I will not engage in furthering this conversation.  Sad there seems to be
some toxicity here.

On Wed, Dec 21, 2022, 7:46 PM Reindl Harald  wrote:

>
>
> Am 22.12.22 um 01:36 schrieb Shawn Iverson:
> > I already build my own rpms
>
> so use them
>
> > This is not for my use
>
> so what's the point of using something else than you?
>
> either what you did is wrong or what the others asking your help is
> wrong - if someone is asking you the answer is use a package - if the
> answer is not accepted send him straight to hell
>
> > Sorry if trying
> > to provide a helpful tid on cpan as described in the SA release was
> wrong.
>
> CPAN, PIP or whatever stuff for whatever language is crap on a package
> based system - why do you give a shit when you are able to build packages?
>
> > On Wed, Dec 21, 2022, 7:34 PM Reindl Harald  > <mailto:h.rei...@thelounge.net>> wrote:
> >
> >
> >
> > Am 21.12.22 um 21:43 schrieb Shawn Iverson:
> >  > I agree with you on that.  In my specific use case I need
> > fallback to
> >  > cpan when rpms aren't available.
> >
> > if you want the latest version of every piece of software don't use a
> > LTS
> > distribution or learn how to build your own rpms
> >
> >  > On Wed, Dec 21, 2022, 3:32 PM Matus UHLAR - fantomas
> > mailto:uh...@fantomas.sk>
> >  > <mailto:uh...@fantomas.sk <mailto:uh...@fantomas.sk>>> wrote:
> >  >
> >  > On 21.12.22 13:05, Shawn Iverson wrote:
> >  >  >sudo cpan Mail::Spamassassin seems to only build properly on
> >  > recent flavors
> >  >  >of rhel under very specific conditions, notably:
> >  >
> >  > I recommend you NOT install spamassassin via CPAN, but from
> > package.
> >  > perhaps the one in redhat or in EPEL
>


Re: SA build from cpan fails under certain conditions

2022-12-21 Thread Shawn Iverson
I already build my own rpms.  This is not for my use.  Sorry if trying to
provide a helpful tid on cpan as described in the SA release was wrong.

On Wed, Dec 21, 2022, 7:34 PM Reindl Harald  wrote:

>
>
> Am 21.12.22 um 21:43 schrieb Shawn Iverson:
> > I agree with you on that.  In my specific use case I need fallback to
> > cpan when rpms aren't available.
>
> if you want the latest version of every piece of software don't use a LTS
> distribution or learn how to build your own rpms
>
> > On Wed, Dec 21, 2022, 3:32 PM Matus UHLAR - fantomas  > <mailto:uh...@fantomas.sk>> wrote:
> >
> > On 21.12.22 13:05, Shawn Iverson wrote:
> >  >sudo cpan Mail::Spamassassin seems to only build properly on
> > recent flavors
> >  >of rhel under very specific conditions, notably:
> >
> > I recommend you NOT install spamassassin via CPAN, but from package.
> > perhaps the one in redhat or in EPEL
>
>


Re: SA build from cpan fails under certain conditions

2022-12-21 Thread Shawn Iverson
I agree with you on that.  In my specific use case I need fallback to cpan
when rpms aren't available.

On Wed, Dec 21, 2022, 3:32 PM Matus UHLAR - fantomas 
wrote:

> On 21.12.22 13:05, Shawn Iverson wrote:
> >sudo cpan Mail::Spamassassin seems to only build properly on recent
> flavors
> >of rhel under very specific conditions, notably:
>
> I recommend you NOT install spamassassin via CPAN, but from package.
> perhaps the one in redhat or in EPEL
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Despite the cost of living, have you noticed how popular it remains?
>


SA build from cpan fails under certain conditions

2022-12-21 Thread Shawn Iverson
Hello SA Users,

Just posting this in case anyone else runs into similar trouble...

sudo cpan Mail::Spamassassin seems to only build properly on recent flavors
of rhel under very specific conditions, notably:

You are not root
The cpan configuration is set to build specifically using local lib or
sudo. sudo seems to work if you want to install SA for all users instead of
in the home directory. The key is that the building/testing is happening in
the user's home directory.


Re: Mial hits MISSING rules despite presence of headers

2022-12-04 Thread Shawn Iverson
As someone that is running a large distributed spamassassin installation, I
depend on shortcircuit to handle large amounts of mail quickly that does
not need scored further.  The change in behavior has potential for negative
impact that I will have to test carefully before moving to v4.

On Sun, Dec 4, 2022 at 3:02 PM Kevin A. McGrail  wrote:

> OK, so then we have really two Choices:
>
> #1 accept that no code changes are needed, we've fixed a rule(s) we know
> might trigger wrong around MISSING HEADERS and we just document the
> change in the UPGRADE that shortcircuit may continue to run more meta
> rules to finish them out which might not have occurred previously.
>
> Some users using SHORT CIRCUIT would likely be best to weigh in on this
> because we are going to conceivably change the classification of mails
> unexpectedly different from 3.4.6 SHORT CIRCUIT behavior.
>
> #2 Work on the code so that short circuiting or at least the scoring
> behaves as with 3.4.6.
>
> Regards,
> KAM
>
> On 12/4/2022 1:42 PM, Greg Troxel wrote:
> > That's more or less what I was getting at.  If there is not a clear
> > specification (i.e. the documentation says that it works like X) that
> > people can properly rely on, then the pedant in me says that behavior
> > changing slightly, but still within the swim lane implied by the
> > previous non-spec, is not a bug.
>
> --
> Kevin A. McGrail
> kmcgr...@apache.org
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>


Re: spam subject marking

2022-11-15 Thread Shawn Iverson
On Tue, Nov 15, 2022 at 9:46 PM Loren Wilton  wrote:

>
> If SA sees the message and classifies it as spam, it normally adds (from
> an
> example)
> X-Spam-Flag: YES
> X-Spam-Level: 
> X-Spam-Status: Yes, score=8.2 required=5.0
> tests=BAYES_50=0.8,DKIM_SIGNED=0.1,
>
> It should be trivial to look for the "X-Spam-Flag: YES" line.
>
And most mail clients and platforms let you key off of this for
redirecting email to a spam folder.


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-15 Thread Shawn Iverson
Thank you Giovanni, I'll give this rule a try. I think the bigger issue was
that the default welcomelist was shortcircuiting any further rule
evaluation. Now I'm able to score these emails with rules like this one :)

On Tue, Nov 15, 2022 at 2:44 AM  wrote:

> On 11/14/22 21:14, Shawn Iverson wrote:
> > How do I stop this? paypal.com <http://paypal.com> is in the default
> DKIM whitelist!
>
> Does this work on your sample ?
> The body you posted is only partial.
>
> uri        __URI_IMG_PAYPAL  /^https:\/\/www\.paypalobjects\.com\/(?:digitalassets|en_US|ui\-web)\/.{1,64}\.(?:gif|jpg|png)/
> meta       __PAYPAL_IMG_NOT_RCVD_PAYP  __URI_IMG_PAYPAL && !__HDR_RCVD_PAYPAL
> meta       GB_PAYPAL_IMG_NOT_RCVD_PAYP   __PAYPAL_IMG_NOT_RCVD_PAYP && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
> describe   GB_PAYPAL_IMG_NOT_RCVD_PAYP   Paypal hosted image but message not from Paypal
> score      GB_PAYPAL_IMG_NOT_RCVD_PAYP   2.500 # limit
>
>   Giovanni
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-15 Thread Shawn Iverson
Thank you Matus.  I was not aware of an unwelcomelist_from_dkim option.
This helps immensely.

On Tue, Nov 15, 2022 at 4:35 AM Matus UHLAR - fantomas 
wrote:

> On 14.11.22 16:39, Shawn Iverson wrote:
> >Corrected...
> >
> ># Default Whitelist Exceptions handling -- SJI 11/14/22
> >shortcircuit USER_IN_DKIM_WHITELIST off
> >score   USER_IN_DKIM_WHITELIST 0
> >score   USER_IN_DEF_DKIM_WL 0
> >
> >header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
> >meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && CUSTOM_FROM_PAYPAL
> >describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
> >score   CUSTOM_DKIM_WL_EXCEPTIONS  0.001
> >
> >meta    CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
> >describe CUSTOM_DKIM_OK All other whitelisted senders
> >score   CUSTOM_DKIM_OK -100
>
> I guess removing paypal from w*list should be easier:
>
> % pwd
> /var/lib/spamassassin/4.00
> % grep -Firh def_welcomelist_from_dkim | grep -i paypal
> def_welcomelist_from_dkim  *@*  paypal.com
> def_welcomelist_from_dkim  *@paypal.com
> def_welcomelist_from_dkim  *@*.paypal.com
> def_welcomelist_from_dkim  *@paypal.co.uk
> def_welcomelist_from_dkim  *@*.paypal.co.uk
> def_welcomelist_from_dkim  *@paypal.at
> def_welcomelist_from_dkim  *@*.paypal.at
> def_welcomelist_from_dkim  *@paypal.be
> def_welcomelist_from_dkim  *@*.paypal.be
> def_welcomelist_from_dkim  *@paypal.de
> def_welcomelist_from_dkim  *@*.paypal.de
> def_welcomelist_from_dkim  *@paypal.es
> def_welcomelist_from_dkim  *@*.paypal.es
> def_welcomelist_from_dkim  *@paypal.fr
> def_welcomelist_from_dkim  *@*.paypal.fr
> def_welcomelist_from_dkim  *@paypal.ie
> def_welcomelist_from_dkim  *@*.paypal.ie
> def_welcomelist_from_dkim  *@paypal.it
> def_welcomelist_from_dkim  *@*.paypal.it
> def_welcomelist_from_dkim  *@paypal.nl
> def_welcomelist_from_dkim  *@*.paypal.nl
> def_welcomelist_from_dkim  *@paypal.pt
> def_welcomelist_from_dkim  *@*.paypal.pt
> def_welcomelist_from_dkim  *@paypal.ca
> def_welcomelist_from_dkim  *@*.paypal.ca
>
> so it should be removed by:
>
> unwelcomelist_from_dkim  *@*paypal.com
> unwelcomelist_from_dkim  *@paypal.com
> unwelcomelist_from_dkim  *@*.paypal.com
> unwelcomelist_from_dkim  *@paypal.co.uk
> unwelcomelist_from_dkim  *@*.paypal.co.uk
> unwelcomelist_from_dkim  *@paypal.at
> unwelcomelist_from_dkim  *@*.paypal.at
> unwelcomelist_from_dkim  *@paypal.be
> unwelcomelist_from_dkim  *@*.paypal.be
> unwelcomelist_from_dkim  *@paypal.de
> unwelcomelist_from_dkim  *@*.paypal.de
> unwelcomelist_from_dkim  *@paypal.es
> unwelcomelist_from_dkim  *@*.paypal.es
> unwelcomelist_from_dkim  *@paypal.fr
> unwelcomelist_from_dkim  *@*.paypal.fr
> unwelcomelist_from_dkim  *@paypal.ie
> unwelcomelist_from_dkim  *@*.paypal.ie
> unwelcomelist_from_dkim  *@paypal.it
> unwelcomelist_from_dkim  *@*.paypal.it
> unwelcomelist_from_dkim  *@paypal.nl
> unwelcomelist_from_dkim  *@*.paypal.nl
> unwelcomelist_from_dkim  *@paypal.pt
> unwelcomelist_from_dkim  *@*.paypal.pt
> unwelcomelist_from_dkim  *@paypal.ca
> unwelcomelist_from_dkim  *@*.paypal.ca
>
> with SA3.4 replace "welcomelist" by "whitelist"
>
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Depression is merely anger without enthusiasm.
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Corrected...

# Default Whitelist Exceptions handling -- SJI 11/14/22
shortcircuit USER_IN_DKIM_WHITELIST off
score   USER_IN_DKIM_WHITELIST 0
score   USER_IN_DEF_DKIM_WL 0

header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && CUSTOM_FROM_PAYPAL
describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
score   CUSTOM_DKIM_WL_EXCEPTIONS  0.001

meta    CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
describe CUSTOM_DKIM_OK All other whitelisted senders
score   CUSTOM_DKIM_OK -100

On Mon, Nov 14, 2022 at 4:38 PM Shawn Iverson 
wrote:

> For those fighting the same battles...
>
> # Default Whitelist Exceptions handling -- SJI 11/14/22
> shortcircuit USER_IN_DKIM_WHITELIST off
> score   USER_IN_DKIM_WHITELIST 0
> score   USER_IN_DEF_DKIM_WL 0
>
> header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
> meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && ENA_FROM_PAYPAL
> describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
> score   CUSTOM_DKIM_WL_EXCEPTIONS  0.001
>
> meta    CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
> describe CUSTOM_DKIM_OK All other whitelisted senders
> score   CUSTOM_DKIM_OK -100
>
> On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
> wrote:
>
>> So what I'm going to do is turn shortcircuit off for
>> USER_IN_DKIM_WHITELIST
>>
>> Create a meta to catch paypal.com as the from address and score
>> appropriately
>> Create a counter meta to score other deserving DKIM-signers appropriately
>>
>> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
>> wrote:
>>
>>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>>> >
>>>
>>> That message really looks like it came from Paypal and then was
>>> forwarded by Microsoft to your server. Was it really a fake? That's a
>>> lot of headers to fake if so.
>>>
>>> If it was really fake and that paypal-supplied DKIM signature doesn't
>>> validate (I didn't check that), then checking DMARC when you receive
>>> mail and rejecting on p=reject failures would block it.
>>>
>>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
For those fighting the same battles...

# Default Whitelist Exceptions handling -- SJI 11/14/22
shortcircuit USER_IN_DKIM_WHITELIST off
score   USER_IN_DKIM_WHITELIST 0
score   USER_IN_DEF_DKIM_WL 0

header  CUSTOM_FROM_PAYPAL From:addr =~ /paypal\.com/
meta    CUSTOM_DKIM_WL_EXCEPTIONS  USER_IN_DKIM_WHITELIST && ENA_FROM_PAYPAL
describe CUSTOM_DKIM_WL_EXCEPTIONS  Exception for paypal in DKIM whitelisting
score   CUSTOM_DKIM_WL_EXCEPTIONS  0.001

meta    CUSTOM_DKIM_OK USER_IN_DKIM_WHITELIST && !CUSTOM_DKIM_WL_EXCEPTIONS
describe CUSTOM_DKIM_OK All other whitelisted senders
score   CUSTOM_DKIM_OK -100

On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
wrote:

> So what I'm going to do is turn shortcircuit off for USER_IN_DKIM_WHITELIST
>
> Create a meta to catch paypal.com as the from address and score
> appropriately
> Create a counter meta to score other deserving DKIM-signers appropriately
>
> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
> wrote:
>
>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>> >
>>
>> That message really looks like it came from Paypal and then was
>> forwarded by Microsoft to your server. Was it really a fake? That's a
>> lot of headers to fake if so.
>>
>> If it was really fake and that paypal-supplied DKIM signature doesn't
>> validate (I didn't check that), then checking DMARC when you receive
>> mail and rejecting on p=reject failures would block it.
>>
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Oh yeah?

[@x~]$ grep DEF_WHITELIST /var/lib/spamassassin/3.004006/updates_spamassassin_org/*
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_de.cf:lang de describe USER_IN_DEF_WHITELIST Absenderadresse steht in der allgemeinen weißen Liste
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_fr.cf:lang fr describe USER_IN_DEF_WHITELIST Expéditeur dans la liste OK par défaut de SpamAssassin
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_pl.cf:lang pl describe USER_IN_DEF_WHITELIST Użytkownik jest wymieniony w domyślnej white-list (białej liście)
/var/lib/spamassassin/3.004004/updates_spamassassin_org/30_text_pt_br.cf:lang pt_BR describe USER_IN_DEF_WHITELIST Endereço do From: está na whitelist padrão
/var/lib/spamassassin/3.004004/updates_spamassassin_org/50_scores.cf:#score USER_IN_DEF_WHITELIST -15.000 - Moved to 60_whitelist.cf
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_shortcircuit.cf:priority USER_IN_DEF_WHITELIST -1000
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:    meta USER_IN_DEF_WHITELIST (USER_IN_DEF_WELCOMELIST)
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:    describe USER_IN_DEF_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:    tflags USER_IN_DEF_WHITELIST  userconf nice noautolearn
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:    score USER_IN_DEF_WHITELIST   -15.0
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:  meta USER_IN_DEF_WHITELIST  (USER_IN_DEF_WELCOMELIST)
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:  describe USER_IN_DEF_WHITELIST  DEPRECATED: See USER_IN_DEF_WELCOMELIST
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:  tflags USER_IN_DEF_WHITELIST userconf nice noautolearn
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_whitelist.cf:  score USER_IN_DEF_WHITELIST -15.0
/var/lib/spamassassin/3.004004/updates_spamassassin_org/local.cf:# shortcircuit USER_IN_DEF_WHITELIST   on

On Mon, Nov 14, 2022 at 4:34 PM Marc  wrote:

>
> There is no such thing as a default whitelist.
>
> > >>
> > >> How do I stop this?  paypal.com   is in the
> > default
> > >> DKIM whitelist!
> > >>
> > >
> > >
> > > score  USER_IN_DKIM_WHITELIST 0
> >
> > would affect *every* mail in the default whitelist and so be a knee-jerk
> > reaction without brain
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Bottom line is I don't think paypal deserves to be default whitelisted in
recent history.  I've received a lot of spam actually from paypal and
judiciously report it to phish...@paypal.com with no apparent action or
response.

On Mon, Nov 14, 2022 at 3:56 PM Shawn Iverson 
wrote:

> So what I'm going to do is turn shortcircuit off for USER_IN_DKIM_WHITELIST
>
> Create a meta to catch paypal.com as the from address and score
> appropriately
> Create a counter meta to score other deserving DKIM-signers appropriately
>
> On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
> wrote:
>
>> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
>> > How do I stop this?  paypal.com is in the default DKIM whitelist!
>> >
>>
>> That message really looks like it came from Paypal and then was
>> forwarded by Microsoft to your server. Was it really a fake? That's a
>> lot of headers to fake if so.
>>
>> If it was really fake and that paypal-supplied DKIM signature doesn't
>> validate (I didn't check that), then checking DMARC when you receive
>> mail and rejecting on p=reject failures would block it.
>>
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
So what I'm going to do is turn shortcircuit off for USER_IN_DKIM_WHITELIST

Create a meta to catch paypal.com as the from address and score appropriately
Create a counter meta to score other deserving DKIM-signers appropriately

On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
wrote:

> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> > How do I stop this?  paypal.com is in the default DKIM whitelist!
> >
>
> That message really looks like it came from Paypal and then was
> forwarded by Microsoft to your server. Was it really a fake? That's a
> lot of headers to fake if so.
>
> If it was really fake and that paypal-supplied DKIM signature doesn't
> validate (I didn't check that), then checking DMARC when you receive
> mail and rejecting on p=reject failures would block it.
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
The DKIM signature looks valid.

On Mon, Nov 14, 2022 at 3:43 PM Alan Hodgson 
wrote:

> On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote:
> > How do I stop this?  paypal.com is in the default DKIM whitelist!
> >
>
> That message really looks like it came from Paypal and then was
> forwarded by Microsoft to your server. Was it really a fake? That's a
> lot of headers to fake if so.
>
> If it was really fake and that paypal-supplied DKIM signature doesn't
> validate (I didn't check that), then checking DMARC when you receive
> mail and rejecting on p=reject failures would block it.
>


Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
Are you asking me to rescore these back to 0?  That will take some effort
to do, but if that's what it takes...

On Mon, Nov 14, 2022 at 3:42 PM Marc  wrote:

> >
> > How do I stop this?  paypal.com   is in the default
> > DKIM whitelist!
> >
> >
>
>
> score  USER_IN_DKIM_WHITELIST 0
>
> ?
>


Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Shawn Iverson
How do I stop this?  paypal.com is in the default DKIM whitelist!

X-Spam-Status: No, score=-107.7 required=6.0 tests=DKIM_VALID,DKIM_VALID_AU,
,FREEMAIL_FROM,SHORTCIRCUIT,SPF_HELO_PASS,
USER_IN_DEF_DKIM_WL,USER_IN_DKIM_WHITELIST shortcircuit=ham
autolearn=disabled version=3.4.4
X-Spam-Relay-Country: US US US US
Received: from GBR01-LO2-obe.outbound.protection.outlook.com (
mail-lo2gbr01on2073.outbound.protection.outlook.com [40.107.10.73])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by xx (Postfix) with ESMTPS id 4BF1F1480FCB
for ; Mon, 14 Nov 2022 13:02:57 -0600 (CST)
Authentication-Results: 
dkim=pass (2048-bit key) header.d=paypal.com header.i=@paypal.com
header.b="r6hmfVu3"
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 
b=OVohkgjr3UJbiohxx1KCrPdnaD1WXK9mrLMvZ4VloK9eudd9Gkh7tImMPXIN1iOrETjNj59A47N+uJqf4kZFPVUGJS6KAdzWZczL7LiBaIsg1uSQwoD60Z7heKEjC5cfOLsXZhwf0nhhwzbXpjXltGfYn0Jd8VQGxT64hKtfyVoP9JpRyF6h8I9FnCxfVvRbP4i8iYk5zkdvi4I9eR7z4dXeB9vLwZv5hb6nIt6le9lMJriMoM11QYHcLlqZqj9S8L1pN9ynLzAVezxmWmH9YDKyB9aKf4vJP32HHLmzPCCgnqplW6xObPUI5Wt5HagqD+ImpgKMQ1JgM86tq+Tuzg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com
;
 s=arcselector9901;
 
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=o8/9XRPNBSb6rQV6HcDwELycPOzUJqxucQ/nMDyby+o=;
 
b=XYTuQtEngNxrDz/McbFCv0GHj1RQ59jBE0nCMgxzQivSL51NnzAFIjsVs0BMxFtLPZmdwxx6fRBkRe6OLtpjUzut7MBMX0jYenXqsHZfLodWIT51fjG6JcEO1LPFvIJkl0WHl9w+agVHgUZy+c7TcADN5IdHh+/wDy5Pyh8iuEAE7g4+fPPaehKGfwLzqZJ+TdZKyXgbxbCMUCYrRjQvkV2xUqI+cTwZolauv847RlgIUqwG9OWiImbcruwIexjn+cOb1eidxluPnHVXILS/+AH6TVAz7oIsoCXB8rjBFrVCyGU1HTAYvLTDN31F7/QDMbDaiAHGTtbbvvAT7eZqig==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 173.0.84.228) smtp.rcpttodomain=duta788.onmicrosoft.com
 smtp.mailfrom=paypal.com; dmarc=pass (p=reject sp=reject pct=100)
action=none
 header.from=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com; arc=none (0)
Resent-From: 
Received: from CWLP123MB6161.GBRP123.PROD.OUTLOOK.COM
(2603:10a6:400:1a5::13)
 by LO0P123MB5990.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:280::12) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5813.17; Mon, 14 Nov
 2022 19:02:54 +
Received: from CWLP123CA0130.GBRP123.PROD.OUTLOOK.COM (2603:10a6:401:87::22)
 by CWLP123MB6161.GBRP123.PROD.OUTLOOK.COM (2603:10a6:400:1a5::13) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5813.17; Mon, 14 Nov
 2022 19:02:52 +
Received: from CWLGBR01FT040.eop-gbr01.prod.protection.outlook.com
 (2603:10a6:401:87:cafe::11) by CWLP123CA0130.outlook.office365.com
 (2603:10a6:401:87::22) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5813.17 via Frontend
 Transport; Mon, 14 Nov 2022 19:02:52 +
Authentication-Results: spf=pass (sender IP is 173.0.84.228)
 smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
 173.0.84.228 as permitted sender) receiver=protection.outlook.com;
 client-ip=173.0.84.228; helo=mx3.slc.paypal.com; pr=C
Received: from mx3.slc.paypal.com (173.0.84.228) by
 CWLGBR01FT040.mail.protection.outlook.com (10.152.40.168) with Microsoft
SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5813.12 via Frontend Transport; Mon, 14 Nov 2022 19:02:51 +
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1;
c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1668452569;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=o8/9XRPNBSb6rQV6HcDwELycPOzUJqxucQ/nMDyby+o=;
b=r6hmfVu3PlK5UN/X+kDNdo8TkUbOkfVn6+tT3VtTr30ic5BMR9vuyrZED4ARPF74
eywsS4yJTH3S3EB0IBX5yao3SN0WFNR23EUszb8LWgSpL0lz4+ZGqAfbjWP6UvI8
2XVzbjiT2tDP2ONkvM5e9g06CuC1VH2Bte5+S/Qke61W8OaagNu8sIcu6MNfoUiO
b/esckpPfghQtqDs693+pxDtuk9SBrbf14qZ2ih9eVV/38dRdz5B22pq8Kfws9yZ
hjvQlCDfovONXEEf6+lD1rs9p0NvKEIeIK/BFxbUmShXAyL3/LlYVLELEwzQ/mnl
zoIwzGQJ9u8i005oZVUnJA==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Mon, 14 Nov 2022 11:02:49 -0800
Message-ID: <67.91.14851.9D092736@ccg13mail05>
X-PP-REQUESTED-TIME: 1668452563268
X-PP-Email-transmission-Id: ed77fc42-644e-11ed-9b35-3cecef442a74
PP-Correlation-Id: f452526a2e2b2
Subject: Billing Department updated your invoice ( ALS56730 )
X-MaxCode-Template: PPC001082
To: PayPal User 
From: "serv...@paypal.com" 
X-Email-Type-Id: PPC001082
MIME-Version: 1.0
X-PP-Priority: 0-none-false
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: adbfa5e6-3343-4fe0-8aa8-9f0cc484823f:0
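
The headers in the post above show why the welcomelist hit was misleading: DKIM passes for paypal.com, yet the message was handed over by an Outlook outbound relay after first being addressed to an onmicrosoft.com tenant. The following is an added example, not code from the thread or from SpamAssassin: a Python pre-check that lets a DKIM welcomelist hit shortcircuit scoring only when the signer's own host delivered the message. The host `mx.example.net`, the mailbox addresses, and the `assess` function with its parameters are assumptions made for the illustration.

```python
import re
from email import message_from_string

# Constructed sample, abridged from the headers in the post above. The
# receiving host (mx.example.net) and all mailbox addresses are placeholders.
RELAYED = """\
Received: from GBR01-LO2-obe.outbound.protection.outlook.com
 (mail-lo2gbr01on2073.outbound.protection.outlook.com [40.107.10.73])
 by mx.example.net (Postfix) with ESMTPS id 4BF1F1480FCB
 for <user@example.net>; Mon, 14 Nov 2022 13:02:57 -0600 (CST)
Authentication-Results: mx.example.net;
 dkim=pass (2048-bit key) header.d=paypal.com header.i=@paypal.com
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 173.0.84.228) smtp.rcpttodomain=duta788.onmicrosoft.com
 smtp.mailfrom=paypal.com; dmarc=pass (p=reject sp=reject pct=100)
 action=none header.from=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com; arc=none (0)
Resent-From: <resender@example.org>
From: <placeholder@paypal.com>
Subject: Billing Department updated your invoice ( ALS56730 )

"""

# Constructed control: the same signer handing the message over directly.
DIRECT = """\
Received: from mx3.slc.paypal.com (mx3.slc.paypal.com [173.0.84.228])
 by mx.example.net (Postfix) with ESMTPS id 0000000000
 for <user@example.net>; Mon, 14 Nov 2022 13:02:57 -0600 (CST)
Authentication-Results: mx.example.net;
 dkim=pass (2048-bit key) header.d=paypal.com header.i=@paypal.com
From: <placeholder@paypal.com>
Subject: Receipt

"""


def unfold(value):
    """Collapse folded header whitespace into single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def under(host, domain):
    """True if host is domain or a subdomain of it (label-aligned match)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess(raw, authserv_id, local_domains, welcomelisted):
    """Decide whether a DKIM welcomelist hit may shortcircuit scoring."""
    msg = message_from_string(raw)
    reasons = []

    # Trust only Authentication-Results stamped by our own MTA.
    signers = set()
    for value in msg.get_all("Authentication-Results", []):
        value = unfold(value)
        if value.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        signers.update(d.lower() for d in re.findall(
            r"\bdkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", value))
    signer = next((d for d in sorted(signers) if d in welcomelisted), None)
    if signer is None:
        return {"signer": None, "shortcircuit": False,
                "reasons": ["no welcomelisted DKIM signer"]}

    # The topmost Received header is the one our MTA wrote; take the
    # reverse-DNS name in parentheses rather than the HELO string.
    received = [unfold(v) for v in msg.get_all("Received", [])]
    m = re.match(r"from \S+ \((\S+) \[", received[0]) if received else None
    handoff = m.group(1) if m else None
    if handoff is None or not under(handoff, signer):
        reasons.append(f"handed over by {handoff}, not by {signer}")

    # Hints only: ARC data is not validated here.
    for value in msg.get_all("ARC-Authentication-Results", []):
        for rcpt in re.findall(r"smtp\.rcpttodomain=([^\s;]+)", unfold(value)):
            if rcpt.lower() not in local_domains:
                reasons.append(f"originally addressed to {rcpt}")
    if msg.get("Resent-From") is not None:
        reasons.append("Resent-From present")

    return {"signer": signer, "handoff": handoff,
            "shortcircuit": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED), ("direct", DIRECT)):
        print(name, assess(raw, "mx.example.net",
                           {"example.net"}, {"paypal.com"}))
```

A message that fails the pre-check is not rejected; it simply goes through normal scoring instead of being shortcircuited as ham.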

Re: Intuit servers sending paypal phishes

2022-05-06 Thread Shawn Iverson
Just got one as well, deciding how to handle it...

On Fri, May 6, 2022 at 1:52 PM Kevin A. McGrail  wrote:

> Oh joy.
> On 5/6/2022 11:19 AM, Dave Wreski wrote:
>
> Hi, Intuit's servers are being used to send Paypal phishing invoices
> combined with the "evil numbers" scam.
>
> --
> Kevin A. McGrail
> kmcgr...@apache.org
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>


Re: Managing long welcome_senders list

2021-12-02 Thread Shawn Iverson
You can break up the rule into multiple rules and use a meta rule,
definitely more readable and gives you some flexibility as well as more
information when debugging rules and timing things.

header __WELCOMING_LIST1 From =~ ...
header __WELCOMING_LIST2 From =~ ...

score LOCAL_WELCOMING_4 -4
meta LOCAL_WELCOMING_4 __WELCOMING_LIST1 || __WELCOMING_LIST2 ...


Re: A new high score!

2020-08-25 Thread Shawn Iverson
This sounds like a really fun game! SpamAssassin's Creed!

On Tue, Aug 25, 2020 at 8:32 AM Philipp Ewald 
wrote:

> We have a own rule that mark special mails with spam score 1000
> but with default values record is round about 22
>
> Am 24.08.20 um 23:27 schrieb micah anderson:
> >
> > What is the highest score you've seen a spam get? I think I just broke
> > my own high score, with a spam that managed to pile up 64 points.
> >
> > I'm sure you all have seen much higher!
> >
>
> --
> Philipp Ewald
> Administrator
>
> DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
> Telefon: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail:
> philipp.ew...@digionline.de
>
> AG Köln HRB 27711, St.-Nr. 5215 5811 0640
> Geschäftsführer: Werner Grafenhain
>
> Informationen zum Datenschutz: www.digionline.de/ds
>


Re: dcc-servers.net seems to have gone away

2020-05-23 Thread Shawn Iverson
Well, crud.  Anyone have a replica from before the records dropped they
would be willing to share out?

On Sat, May 23, 2020 at 5:12 AM Dominic Raferd 
wrote:

> On Sat, 23 May 2020 at 09:55, hospice admin 
> wrote:
> >
> > Hi Gang,
> >
> > Looks like DCC/Rhyolite has stopped working. First noticed problems
> around 19:30 last night UK time.
> >
> > Problem seems to be that DNS for dcc-servers.net has gone away. Have
> checked with the likes of mxtoolbox and intoDNS and they appear to agree.
> >
> > When I do a 'whois' for the domain I notice:
> >
> >Updated Date: 2020-05-23T07:40:31Z
> >
> >
> > Just wondered if anyone knows what's going on?
>
> I have no idea, but I confirm the problem.
>


Spamassassin 3.4.4-rc1 testing

2020-01-26 Thread Shawn Iverson
So far testing is looking good for 3.4.4-rc1.

Packaging went well and more testing is underway.  Package is out in my
testing repo and have others giving it a go.


Re: New Release Candidate: 3.4.4-rc1 - Testers Needed

2020-01-19 Thread Shawn Iverson
Thanks a bunch! Look forward to testing this.

On Sat, Jan 18, 2020 at 8:57 PM Kevin A. McGrail 
wrote:

> Good Evening Assassins,
>
> 3.4.4 release candidate 1 is now available at
> https://people.apache.org/~kmcgrail/devel
>
> There are CVEs fixed in 3.4.4 that we will disclose more at release so
> you'll definitely want to look at upgrading.
>
> Please test!
>
>
> sha256sum of archive files:
>
>   509878df10811f596df3bf6437be900659e89b60bffacef877c7b734f38ffc2a
> Mail-SpamAssassin-3.4.4-rc1.tar.bz2
>   1fcd713e6396f7f3c68c92fbc5a32a9f16502cc4fe84e881ea5f66976ff3b81c
> Mail-SpamAssassin-3.4.4-rc1.tar.gz
>   c774e6d4c9bdab2fae44f6159b61ddf3b698935b5b79dbfe60450c0017eea98f
> Mail-SpamAssassin-3.4.4-rc1.zip
>   17389f23b2dcf73ed156f412e5f59ae8436956ede78fa40e6563fc667a8ec3d9
> Mail-SpamAssassin-rules-3.4.4-rc1.r1872902.tgz
>
> sha512sum of archive files:
>
>
>
> ab3898293023f192873c4188ba80dbd22d91c0d2540031ee7d1b18fc9930b28dd389fb7a378004659b64c19f5d11f7692e5d920daba3a852efbd93ce990c
> Mail-SpamAssassin-3.4.4-rc1.tar.bz2
>
>
> b9fc11d6bed83146567ee5fa43b3753bc4596dcc1b55d75199a488336b4f51fab5b1622265032d7593b1211acc571093bcc6fe5160b77d9c82811bc9249205d9
> Mail-SpamAssassin-3.4.4-rc1.tar.gz
>
>
> 7d3966e15373c0fab0fa12faa3aeb0a042a3d21e984731aaab9b30b10b9e9ee9ca57c94c44ac31ee6b2a8e4467faa941b07b737f3d86ab11a65bbc5763460c7d
> Mail-SpamAssassin-3.4.4-rc1.zip
>
>
> 69ba65234ee18c24a279c0ba7177c1e671f36cd8de7c7cf79452de5890c7ed8d2eee1a5973a56394b6d57d1729cafce3284500872ec19bb3945d6d0ba5ea7660
> Mail-SpamAssassin-rules-3.4.4-rc1.r1872902.tgz
>
> Regards,
> KAM
>
> --
> Kevin A. McGrail
> kmcgr...@apache.org
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>