Re: SPAM from our own domain
Hi Wolfgang,

On 28/09/15 16:24, haman...@t-online.de wrote:
> I have installed dkim on qmail (not sure about details, it is working since a
> few years)
> Your original post said there was SPF fail on the incoming message, so you
> could already score on that.

Looks like my setup ignores it. Where's the best place to update that scoring?

> I have enabled plugin support on qmail (not sure whether that is contained in
> your package), and I have worked on qmail-scanner-queue.pl

I have qmail-scanner-queue.pl installed for Spamassassin and ClamAV. I also have the
Mail::SpamAssassin::Plugin::DKIM configured in:

# grep loadplugin /etc/mail/spamassassin/v312.pre
loadplugin Mail::SpamAssassin::Plugin::DKIM

> Both are good places to add extra filtering. The plugin would outright reject
> mail, where qmail-scanner would rather tag it as "potential virus".
> So if you are very sure that nobody in your organisation would ever send from
> your domain through a different mail server (maybe when sending from a mobile),
> you should probably use the plugin. A plugin is an executable (script) that
> reads ENV variables like SMTPMAILFROM and SMTPRCPTTO and either does nothing
> or outputs a single line of text like
> E550 your mail is not welcome. Go away

Nobody should be sending from a different mail server. We use IMAPS and
authenticated SMTPS for external users (mobiles, laptops, etc.).

Thanks,
Tom
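A plugin along the lines Wolfgang describes, as an added example (it is not code from the thread or from qmail): it reads the session environment and prints a single E550 line when the envelope sender claims our domain but the session is neither authenticated nor from an internal host. SMTPMAILFROM and the E550 output format come from the quoted post; TCPREMOTEIP is the ucspi-tcp variable carrying the client address; using SMTPAUTHUSER as the marker for an authenticated session is an assumption about the plugin interface, as are the domain and the internal network range, so check the documentation of your qmail plugin package before relying on it.

```python
#!/usr/bin/env python3
"""qmail plugin for the MAIL FROM stage: reject unauthenticated external mail
that claims to come from our own domain (added example, not from the thread)."""
import ipaddress
import os
import sys

OUR_DOMAIN = "motec.com.au"                            # assumption: the local domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: LAN ranges
# Environment variable set for an authenticated session; assumption about
# the plugin interface, adjust to what your qmail build exports.
AUTH_VAR = "SMTPAUTHUSER"


def sender_domain(mailfrom):
    """Domain part of an envelope sender such as '<user@example.com>'.
    Returns '' for the null sender '<>' so bounces are never rejected."""
    addr = mailfrom.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_internal(remote_ip):
    """True when the connecting client address lies in one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def decide(mailfrom, remote_ip, auth_user):
    """Return the E550 line to print, or None to let the session continue."""
    if sender_domain(mailfrom) != OUR_DOMAIN:
        return None          # not claiming to be us: nothing to do here
    if auth_user:
        return None          # authenticated SMTPS user (mobiles, laptops)
    if is_internal(remote_ip):
        return None          # internal host relaying outbound mail
    return ("E550 {} is our domain but this session is neither authenticated "
            "nor from an internal host. Go away.").format(OUR_DOMAIN)


def main():
    verdict = decide(os.environ.get("SMTPMAILFROM", ""),
                     os.environ.get("TCPREMOTEIP", ""),
                     os.environ.get(AUTH_VAR, ""))
    if verdict:
        # Plugin protocol as quoted in the post: one line, "E550 ..." rejects.
        sys.stdout.write(verdict + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The script has to be registered for the MAIL FROM stage of the plugin configuration (for qmail-spp that is the control file listing plugins per stage; an assumption about your package). Because the envelope sender is checked rather than the From: header, mail that forges only the header, as the message in this thread does, is still accepted here and has to be caught in qmail-scanner/SpamAssassin.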
Re: SPAM from our own domain
Hi Benny, thanks for your email.

On 28/09/15 13:29, Benny Pedersen wrote:
> Tom Robinson wrote on 2015-09-28 05:02:
>
>> From tena...@qka.com Thu Sep 24 13:29:50 2015
>
> is this the envelope sender domain ?

I believe so. How can I be sure?

>> From:"Incoming Fax"
>
> is this unsigned dkim domain ?

Sorry to be a noob. What do you mean here?

> begin setup spf and dkim signing

We have a TXT record in DNS for spf. I'm not sure what to do with DKIM.

> use pypolicyd-spf in mta stage

Is that package going to work with qmail? If it does work with qmail, will it install on CentOS 5?

Kind regards,
Tom
SPAM from our own domain
Hi,

We're receiving quite a few SPAM messages with zip files attached that look like they come from our own domain. Sorry if I appear a complete noob, but how is this even possible? SA seems to not score this high enough to be SPAM. What can we do to fix this?

Headers are below.

Kind regards,
Tom

From tena...@qka.com Thu Sep 24 13:29:50 2015
MIME-Version: 1.0
X-Spam-Status: No, hits=2.8 required=5.0
X-MS-Exchange-Organization-Authsource: ga8r9nl0j6u7...@motec.com.au
Content-Type: multipart/mixed; boundary="=_Next_54920_1367254513.7341918864818"
Message-ID: <3qacpit7myo3scscxw1urx79vbpnf58nkz7...@motec.com.au>
X-MS-Exchange-Organization-Authas: Internal
X-MS-Exchange-Organization-SCL: -1
X-MS-Tnef-Correlator:
Received: from mail.motec.com.au (motec6.motec.com.au [115.70.189.243]) by support.motec.com.au (8.14.4/8.14.4) with ESMTP id t8O3Tn7D021736 for ; Thu, 24 Sep 2015 13:29:50 +1000
Received: (qmail 8515 invoked by alias); 24 Sep 2015 03:29:48 -
Received: (qmail 8502 invoked by uid 187); 24 Sep 2015 03:29:48 -
Received: from 116.58.205.184 by scion.motec.com.au (envelope-from , uid 181) with qmail-scanner-2.08st (clamdscan: 0.97.8/20932. spamassassin: 3.3.1. perlscan: 2.08st. Clear:RC:0(116.58.205.184):SA:0(2.8/5.0):. Processed in 6.943055 secs); 24 Sep 2015 03:29:48 -
Received: from unknown (HELO banglalinkgsm.com) (116.58.205.184) by scion.motec.com.au with SMTP; 24 Sep 2015 03:29:29 -
Received: from 4750.motec.com.au (10.238.114.77) by motec.com.au (10.0.0.218) with Microsoft SMTP Server id 6WSFFOKZ; Wed, 23 Sep 2015 11:28:46 GMT
Delivered-To: i2...@motec.com.au
Subject: Scanned Image from a Xerox WorkCentre
X-Spam-Report: SA TESTS
  1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT [116.58.205.184 listed in bb.barracudacentral.org]
  1.0 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
  0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=banglalinkgsm.com;ip=116.58.205.184;r=scion.motec.com.au]
 -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.]
  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
  1.0 XPRIO Has X-Priority header
  0.4 AWL AWL: Adjusted score from AWL reputation of From: address
X-Priority: 3 (Normal)
Date: Wed, 23 Sep 2015 11:28:46 GMT
X-Spam-Level: ++
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-Authmechanism: 02
To: helen.papp...@motec.com.au
X-MS-Exchange-Organization-Avstamp-Mailbox: MSFTFF;0;0;0 0 0
From: "Incoming Fax"
Content-Length: 0
content-type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: ascii
Content-Length: 412

--
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South 3136
Victoria Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robin...@motec.com.au
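How a message can "come from our own domain" is visible in the Received: chain above: everything below the hop where scion accepted the connection from 116.58.205.184 was written by the sender, including the "Microsoft SMTP Server" line and the X-MS-Exchange-Organization-* headers that make the mail look internal, and the From: header is free text anyway. The script below is an added example, not code from the thread or from SpamAssassin. It walks the chain from the newest header down, stops at the first hop handed in by an address outside the trusted networks, lists the internal-looking hops below that boundary, and flags a message whose From: domain is ours but which crossed the boundary. The Received: lines are a constructed, unfolded copy of the ones in the post with placeholder addresses where the post stripped them; the trusted networks (the public MX and the LAN) are an assumption.

```python
#!/usr/bin/env python3
"""Find the trust boundary in a Received: chain and flag a spoofed local
sender (added example, not from the thread or from SpamAssassin)."""
import ipaddress
import re

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
ADDR = re.compile(r"<([^>]+)>|([\w.+-]+@[\w.-]+)")

# Constructed sample: the Received: chain from the post, newest first,
# unfolded to one line each; addresses the post stripped are placeholders.
SAMPLE_RECEIVED = [
    "from mail.motec.com.au (motec6.motec.com.au [115.70.189.243]) by support.motec.com.au (8.14.4/8.14.4) with ESMTP id t8O3Tn7D021736; Thu, 24 Sep 2015 13:29:50 +1000",
    "(qmail 8515 invoked by alias); 24 Sep 2015 03:29:48 -0000",
    "(qmail 8502 invoked by uid 187); 24 Sep 2015 03:29:48 -0000",
    "from 116.58.205.184 by scion.motec.com.au (envelope-from <sender@qka.com>, uid 181) with qmail-scanner-2.08st; 24 Sep 2015 03:29:48 -0000",
    "from unknown (HELO banglalinkgsm.com) (116.58.205.184) by scion.motec.com.au with SMTP; 24 Sep 2015 03:29:29 -0000",
    "from 4750.motec.com.au (10.238.114.77) by motec.com.au (10.0.0.218) with Microsoft SMTP Server id 6WSFFOKZ; Wed, 23 Sep 2015 11:28:46 GMT",
]
SAMPLE_FROM = '"Incoming Fax" <fax@motec.com.au>'   # placeholder address
TRUSTED = ["115.70.189.243/32", "10.0.0.0/8"]       # assumption: MX + LAN


def relay_ip(received):
    """IP address the receiving host says it got the message from, or None
    for local hand-offs such as '(qmail ... invoked by alias)'."""
    handed_from = received.split(" by ", 1)[0]
    m = IPV4.search(handed_from)
    return m.group(1) if m else None


def in_trusted(ip, trusted):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in trusted)


def trust_boundary(received, trusted):
    """(index, ip) of the first hop handed in from outside the trusted
    networks, walking newest to oldest; None when every hop is trusted."""
    for idx, hdr in enumerate(received):
        ip = relay_ip(hdr)
        if ip is None or in_trusted(ip, trusted):
            continue
        return idx, ip
    return None


def forged_internal_hops(received, trusted):
    """Hops below the trust boundary that claim an internal relay address.
    Those lines were supplied by the external sender, not by our servers."""
    boundary = trust_boundary(received, trusted)
    if boundary is None:
        return []
    out = []
    for i in range(boundary[0] + 1, len(received)):
        ip = relay_ip(received[i])
        if ip and in_trusted(ip, trusted):
            out.append((i, ip))
    return out


def from_domain(from_header):
    m = ADDR.search(from_header)
    if not m:
        return ""
    addr = m.group(1) or m.group(2)
    return addr.rsplit("@", 1)[-1].lower()


def spoofed_local_sender(received, from_header, our_domain, trusted):
    """True when From: claims our domain but the message entered from outside."""
    return (from_domain(from_header) == our_domain
            and trust_boundary(received, trusted) is not None)


if __name__ == "__main__":
    print("trust boundary:", trust_boundary(SAMPLE_RECEIVED, TRUSTED))
    print("internal-looking hops below it:", forged_internal_hops(SAMPLE_RECEIVED, TRUSTED))
    print("spoofed local sender:", spoofed_local_sender(SAMPLE_RECEIVED, SAMPLE_FROM, "motec.com.au", TRUSTED))
```

SpamAssassin does the same walk itself using trusted_networks and internal_networks; once those list motec6 and the LAN, a header rule on From:addr for the local domain combined in a meta rule with !ALL_TRUSTED will score exactly the messages this script flags, and SPF_HELO_FAIL can be given a real score in local.cf instead of the 0.0 in the report above. Mail submitted by your own users over authenticated SMTPS arrives through a trusted host, so it does not cross the boundary.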
Re: AWL defeating my SPAM classification
On 30/04/15 15:09, Reindl Harald wrote:
>
> On 30.04.2015 at 04:10, Tom Robinson wrote:
>> Is it correct that currently, because I'm forwarding, the DNSBL query is
>> denied because the DNSBL server thinks I'm the ISP making a query? Sorry,
>> I'm not understanding the mechanism
>
> it is the ISP making the query for you and thousands of his other
> customers - you are making 5 queries, your left and right neighbour too -
> oops 150 queries from your ISP's nameserver which exceeds the limit for a
> single IP
>
> there is no "mechanism" - when you don't make your queries on your own the
> forwarder does and the rest is trivial math

Got it. Thanks Reindl.

BTW, where can I see the results of my configuration changes? It would be nice to confirm that my changes have rectified the situation.
Re: AWL defeating my SPAM classification
On 30/04/15 12:15, Kevin A. McGrail wrote:
> On 4/29/2015 10:10 PM, Tom Robinson wrote:
>> I have the mail server and a separate name server set up in a DMZ. The name
>> server already runs as a caching nameserver but does forwarding to our ISP.
> Hi Tom,
>
> Your ISP is doing too many queries to the services, exceeding free limits.
> You are being lumped in with your ISP.
>
> Run your own caching DNS server without forwarding but instead going to the
> root servers so you query on your own.

Finally that makes sense. I will add the forwarding in as per the documentation.
Re: AWL defeating my SPAM classification
On 30/04/15 10:10, Benny Pedersen wrote:
> Tom Robinson wrote on 2015-04-30 01:38:
>
>> 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
>> See
>> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>
> did you read the url here ?
>
> well if yes, show your AWL config for the AWL plugin

Actually, looking for this config I can't seem to find it. My spamassassin is linked in with qmail using qmail-scanner-queue.pl. That script looks in /home/qscand/.spamassassin/user_prefs but I also have configs in /etc/mail/spamassassin. What am I looking for exactly?
Re: AWL defeating my SPAM classification
On 30/04/15 09:56, Marieke Janssen wrote:
> Hi,
>
> Besides your awl problem, you have other problems.
>
> 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
> See
> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> for more information.
> [URIs: world-plants.ru]
>
> You are blocked. This probably means you are using either public nameservers
> or do too many queries. Running a dedicated nameserver on localhost
> (dnsmasq, bind, unbound, whatever) can solve this (and besides that, it speeds
> things up).
> If you fix this chances are you get scores high enough to compensate/correct
> AWL.
>
> In SpamAssassin 3.4.1 there is a TxRep module, maybe you'll find it
> interesting. It decays the learned scores over time (and other neat stuff).
> You can migrate existing AWL data to TxRep. (make sure to back it up first so
> you can go back).

Thanks Marieke,

I have the mail server and a separate name server set up in a DMZ. The name server already runs as a caching nameserver but does forwarding to our ISP. I'm not sure how the non-caching works to eliminate this problem. Is it correct that currently, because I'm forwarding, the DNSBL query is denied because the DNSBL server thinks I'm the ISP making a query? Sorry, I'm not understanding the mechanism.

If bind is going to forward lookups for DNSBL servers to a null list, will the cache have a record to look up at all? e.g.

/* Disable forwarding for DNSBL queries */
zone "multi.uribl.com" {
    type forward;
    forward first;
    forwarders {};
};
zone "dnsbl.sorbs.net" {
    type forward;
    forward first;
    forwarders {};
};

Does this rely on the caching nameserver having already looked up and cached the DNSBL servers?

BTW, I do have rbldnsd set up on the caching nameserver in my DMZ. Is that useful in any way to resolve this issue?
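On the bind question above: a "type forward" zone with an empty forwarders list switches forwarding off for that subtree, so bind resolves those names recursively from the root hints itself; nothing needs to be cached in advance. To confirm afterwards that the lists now answer you (the question Tom asks later in this thread), query them from the mail host and look at what comes back. The script below is an added example, not part of the thread or of SpamAssassin. It builds the reversed-octet query name the lists expect and classifies the answer, in particular the "you are blocked" codes that SpamAssassin reports as URIBL_BLOCKED. The code meanings are the list operators' published return codes as I know them (URIBL answers 127.0.0.1 to a blocked resolver; Spamhaus answers 127.255.255.254 for queries via a public resolver and 127.255.255.255 for excessive volume); treat them as assumptions and check the operators' pages. The resolver is injectable so the test runs offline against a constructed answer table; with no argument it uses the system resolver, which is the check you actually want to run.

```python
#!/usr/bin/env python3
"""Check DNSBL reachability from this host and decode 'blocked' answers
(added example, not from the thread or from SpamAssassin)."""
import ipaddress
import socket

# Assumption: return codes as published by the list operators.
BLOCKED_CODES = {
    "multi.uribl.com": {"127.0.0.1": "blocked: resolver exceeded free query limit"},
    "zen.spamhaus.org": {
        "127.255.255.252": "blocked: typing error in zone name",
        "127.255.255.254": "blocked: query came via a public/open resolver",
        "127.255.255.255": "blocked: excessive query volume from resolver",
    },
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def query_name(target, zone):
    """DNSBL lookup name: reversed IPv4 octets, or the bare domain for a
    domain-based list such as URIBL, followed by the zone."""
    try:
        ip = ipaddress.IPv4Address(target)
    except ipaddress.AddressValueError:
        return "{}.{}".format(target.rstrip("."), zone)
    return "{}.{}".format(".".join(reversed(str(ip).split("."))), zone)


def classify(zone, answers):
    """Turn the A records returned for a query into a verdict string."""
    if not answers:
        return "not listed"
    for a in answers:
        reason = BLOCKED_CODES.get(zone, {}).get(a)
        if reason:
            return reason
    listed = [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK]
    if listed:
        return "listed: " + ", ".join(sorted(listed))
    # A non-loopback answer usually means a resolver or search-path hijack.
    return "unexpected answer: " + ", ".join(sorted(answers))


def system_resolver(name):
    """All A records for name, or [] on NXDOMAIN / lookup failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check(target, zone, resolve=system_resolver):
    """(query name, verdict) for target against zone using the given resolver."""
    name = query_name(target, zone)
    return name, classify(zone, resolve(name))


if __name__ == "__main__":
    # The relay IP and URI from the reports in this thread, against the lists
    # that flagged them; run on the mail host after the bind change.
    for target, zone in [("78.188.129.11", "zen.spamhaus.org"),
                         ("world-plants.ru", "multi.uribl.com")]:
        name, verdict = check(target, zone)
        print("{:45s} {}".format(name, verdict))
```

If the verdict for the URIBL query is still "blocked: resolver exceeded free query limit", the mail host is not yet asking the list directly; check which resolver /etc/resolv.conf points at and whether the forward zones above are loaded.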
AWL defeating my SPAM classification
Hi,

Below is the source from an email that is clearly spam but the AWL is -1.3 defeating the spam classification. How can I best adjust the AWL to get this classified as SPAM.

Kind regards,
Tom

Return-Path:
Delivered-To: t...@motec.com.au
Received: (qmail 2934 invoked by alias); 29 Apr 2015 23:02:24 -
Delivered-To: fo...@motec.com.au
Received: (qmail 2923 invoked by uid 187); 29 Apr 2015 23:02:24 -
Received: from 78.188.129.11.dynamic.ttnet.com.tr by scion.motec.com.au (envelope-from , uid 181) with qmail-scanner-2.08st (clamdscan: 0.97.8/20394. spamassassin: 3.3.1. perlscan: 2.08st. Clear:RC:0(78.188.129.11):SA:0(4.6/5.0):. Processed in 14.230659 secs); 29 Apr 2015 23:02:24 -
X-Spam-Status: No, hits=4.6 required=5.0
X-Spam-Level:
X-Spam-Report: SA TESTS
  0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL [78.188.129.11 listed in zen.spamhaus.org]
  2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
  0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
  0.0 TVD_RCVD_IP Message was received from an IP address
  1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT [78.188.129.11 listed in bb.barracudacentral.org]
  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: world-plants.ru]
  0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
 -1.3 AWL AWL: Adjusted score from AWL reputation of From: address
Received: from 78.188.129.11.dynamic.ttnet.com.tr (78.188.129.11) by scion.motec.com.au with SMTP; 29 Apr 2015 23:02:09 -
Message-ID:
Date: Thu, 30 Apr 2015 01:48:15 +0200
From: "American Express"
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To:
Subject: Irregular card activity
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Irregular check card activity
American Express

Dear Customer,

We detected irregular card activity on your American Express Check Card on 29 April, 2015. As the Primary Contact, you must verify your credit card activity before you can continue using your card, and upon verification, we will remove any restrictions placed on your card.

To review your account as soon as possible please click on the link below.

http://world-plants.ru/foldername/index.html

Thank you for your Card Membership.

- American Express Customer Care
Fraud Department: Erica Bermudez
Level III Security Officer
Re: Scoring numbers explained
On 12/11/14 09:45, Reindl Harald wrote:
>
> On 11.11.2014 at 23:41, Tom Robinson wrote:
>> Hopefully someone can answer this simply with a link to the right
>> documentation.
>>
>> I want to adjust the score on a test but I have no idea what the four
>> numbers actually are. e.g.
>>
>> score AC_SPAMMY_URI_PATTERNS10 3.995 1.010 3.995 1.010
>>
>> I feel so dumb as I can't find the documentation anywhere
>
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html#scoring_options
>
> in short:
> if you are running SA on a server and blacklists are active, DNS is working
> you need just "score RULE points"

Ahh, thank you for returning me to my sanity.

Subsequently, I found that the following works on my CentOS system:

man Mail::SpamAssassin::Conf

I searched the SpamAssassin Wiki but didn't find references to the doco.
Scoring numbers explained
Hi,

Hopefully someone can answer this simply with a link to the right documentation.

I want to adjust the score on a test but I have no idea what the four numbers actually are. e.g.

score AC_SPAMMY_URI_PATTERNS10 3.995 1.010 3.995 1.010

I feel so dumb as I can't find the documentation anywhere. Please help.

Regards,
Tom
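The four numbers on a score line are the four score sets SpamAssassin keeps for the combinations of network tests and Bayes, in the order documented in Mail::SpamAssassin::Conf: set 0 (network tests off, Bayes off), set 1 (network on, Bayes off), set 2 (network off, Bayes on) and set 3 (both on). A line with a single number applies to all four sets, which is why a local override in local.cf only needs "score RULE points", as the reply in this thread says. The parser below is an added example, not from the thread or from SpamAssassin; it picks the column a given installation actually uses and applies later lines as overrides, the way local.cf overrides the shipped rule files. The sample configuration is the line from the post plus constructed lines.

```python
#!/usr/bin/env python3
"""Resolve which of the four score columns SpamAssassin applies
(added example, not from the thread or from SpamAssassin)."""
import re

SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*(?:#.*)?$")


def score_set(network_tests, bayes):
    """Score set number exactly as Mail::SpamAssassin::Conf numbers them."""
    return (2 if bayes else 0) + (1 if network_tests else 0)


def parse_score_line(line):
    """Return (rule, [four floats]) or None for a non-score line.
    A single value means the same score in all four sets."""
    m = SCORE_LINE.match(line)
    if not m:
        return None
    rule, values = m.group(1), [float(v) for v in m.group(2).split()]
    if len(values) == 1:
        values = values * 4
    if len(values) != 4:
        raise ValueError("score line needs 1 or 4 values: {!r}".format(line))
    return rule, values


def effective_scores(config_text, network_tests=True, bayes=True):
    """Scores in effect for this installation; later lines override earlier
    ones, as local.cf overrides the shipped rule files."""
    idx = score_set(network_tests, bayes)
    scores = {}
    for line in config_text.splitlines():
        parsed = parse_score_line(line)
        if parsed:
            rule, values = parsed
            scores[rule] = values[idx]
    return scores


# Constructed sample: the line from the post, a shipped-style four-column
# line with made-up values, and local.cf single-value overrides.
SAMPLE_CONFIG = """
# shipped rules
score AC_SPAMMY_URI_PATTERNS10 3.995 1.010 3.995 1.010
score RCVD_IN_XBL 0 0.375 0 0.724   # constructed values
# local.cf
score RCVD_IN_XBL 3.0
score SPF_HELO_FAIL 1.5
"""

if __name__ == "__main__":
    for net, bayes in [(False, False), (True, False), (False, True), (True, True)]:
        print("net={} bayes={} set={} -> {}".format(
            net, bayes, score_set(net, bayes), effective_scores(SAMPLE_CONFIG, net, bayes)))
```

The practical consequence for the server in this thread (network tests and Bayes both on, so set 3) is that only the fourth column of a shipped line matters, and any rule you re-score in local.cf with one number wins regardless of which set is active.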
Bareword found where operator expected at /usr/local/bin/sa-heatu line 227, near "s/... //r"
Hi,

Sorry to bother you with this. As referenced on the Apache SpamAssassin Wiki for AutoWhiteList (https://wiki.apache.org/spamassassin/AutoWhitelist) I downloaded the Truxoft version of the sa-heatu utility (http://truxoft.com/resources/sa-heatu.v4.02.tar.gz) but when I run it I get these errors:

Bareword found where operator expected at /usr/local/bin/sa-heatu line 227, near "s/... //r"
Bareword found where operator expected at /usr/local/bin/sa-heatu line 227, near "s/:.. / /r"
syntax error at /usr/local/bin/sa-heatu line 227, near "s/... //r "
Execution of /usr/local/bin/sa-heatu aborted due to compilation errors.

I'm running a CentOS 5.10, 32bit system. My version of perl is:

# perl -version

This is perl, v5.8.8 built for i386-linux-thread-multi
---8<---snip---

I fetched a version of sa-heatu from GitHub as well but it is the same file (diff shows no differences and I get the same errors when running).

Here is a snippet of the code in context:

224 if ($count && ($opt_verbose || ($opt_verboseHits && $count>$opt_verboseHits) || ($opt_showUpdates && $prtu))) {
225   printf $fmt, $totscore/$count, $totscore,$count, $email, $ip, $reason;
226   if (!$opt_NoTimes && (($twas||0)!=0))
227     {printf "%s", ((localtime $twas) =~ s/... //r =~ s/:.. / /r);} # don't include d-o-w, and drop seconds as that implies precision
228 }

Not being a perl expert I'm not sure exactly what is wrong here. Can anyone please help determine the issue?

Kind regards,
Tom