Re: SPAM from our own domain

2015-09-28 Thread Tom Robinson
Hi Wolfgang,

On 28/09/15 16:24, haman...@t-online.de wrote:
> I have installed dkim on qmail (not sure about details, it has been working for a few years).
> Your original post said there was SPF fail on the incoming message, so you could already
> score on that.
Looks like my setup ignores it. Where's the best place to update that scoring?
> I have enabled plugin support on qmail (not sure whether that is contained in your package),
> and I have worked on qmail-scanner-queue.pl

I have qmail-scanner-queue.pl installed for SpamAssassin and ClamAV. I also have the
Mail::SpamAssassin::Plugin::DKIM configured in:

# grep loadplugin /etc/mail/spamassassin/v312.pre
loadplugin Mail::SpamAssassin::Plugin::DKIM

> Both are good places to add extra filtering. The plugin would outright reject mail,
> where qmail-scanner would rather tag it as "potential virus".
> So if you are very sure that nobody in your organisation would ever send from your domain
> through a different mail server (maybe when sending from a mobile), you should probably use
> the plugin. A plugin is an executable (script) that reads ENV variables like SMTPMAILFROM
> and SMTPRCPTTO and either does nothing or outputs a single line of text like
> E550 your mail is not welcome. Go away

Nobody should be sending from a different mail server. We use IMAPS and authenticated SMTPS
for external users (mobiles, laptops, etc.).

Thanks,
Tom



signature.asc
Description: OpenPGP digital signature
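The plugin Wolfgang describes is an executable that qmail runs per SMTP transaction with the envelope data in the environment, printing nothing to accept or one line such as "E550 ..." to refuse. The Python script below is an added example, not code from this thread or from qmail or qmail-spp: it implements the check Tom's setup would want, refusing an envelope sender in our own domain unless the session is authenticated. It assumes the envelope sender arrives in SMTPMAILFROM (named in the thread) and that an authenticated session is signalled by a non-empty SMTPAUTHUSER (an assumption about the qmail build; adjust the name to match yours). The domain example.com is a constructed placeholder, and the decision is kept in a pure function so it can be exercised without qmail.

```python
import os
import sys

# Domains whose addresses only our own, authenticated users may use as envelope
# sender. "example.com" is a constructed placeholder: put your domain(s) here.
LOCAL_DOMAINS = {"example.com"}


def sender_domain(mail_from):
    """Domain of an SMTP MAIL FROM argument such as '<user@example.com>' or
    'user@example.com'; '' for the null sender (bounces) or malformed input."""
    addr = mail_from.strip().strip("<>").strip()
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def decide(mail_from, auth_user=""):
    """Response line the plugin should print, or None to accept.
    Policy from the thread: our domain as envelope sender is legitimate only on
    an authenticated session (the IMAPS/SMTPS users); anything else claiming it
    is refused with a 5xx reply in the 'E550 ...' form the thread describes."""
    domain = sender_domain(mail_from)
    if domain in LOCAL_DOMAINS and not auth_user:
        return "E550 sender domain %s requires authentication" % domain
    return None


def main():
    # Variable names are an assumption about the qmail-spp build: SMTPMAILFROM
    # is named in the thread; SMTPAUTHUSER is assumed to be set after a
    # successful AUTH and empty otherwise.
    line = decide(os.environ.get("SMTPMAILFROM", ""),
                  os.environ.get("SMTPAUTHUSER", ""))
    if line is not None:
        sys.stdout.write(line + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The null sender ("<>") is deliberately accepted so that bounces for our own users still get through; a plugin that rejected it would break delivery status notifications.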


Re: SPAM from our own domain

2015-09-27 Thread Tom Robinson
Hi Benny,

thanks for your email.

On 28/09/15 13:29, Benny Pedersen wrote:
> Tom Robinson wrote on 2015-09-28 05:02:
>
>> From tena...@qka.com Thu Sep 24 13:29:50 2015
>
> is this the envelope sender domain ?

I believe so. How can I be sure?

>
>> From:"Incoming Fax" 
>
> is this unsigned dkim domain ?
>
Sorry to be a noob. What do you mean here?

>
> begin setup spf and dkim signing
We have a TXT record in DNS for spf. I'm not sure what to do with DKIM.

>
> use pypolicyd-spf in mta stage

Is that package going to work with qmail? If it does work with qmail, will it install on
CentOS 5?

Kind regards,
Tom





SPAM from our own domain

2015-09-27 Thread Tom Robinson
Hi,

We're receiving quite a few SPAM messages with zip files attached that look like they come
from our own domain. Sorry if I appear a complete noob, but how is this even possible?
SA seems to not score this high enough to be SPAM. What can we do to fix this? Headers are
below.

Kind regards,
Tom



From tena...@qka.com Thu Sep 24 13:29:50 2015
MIME-Version: 1.0
X-Spam-Status: No, hits=2.8 required=5.0
X-MS-Exchange-Organization-Authsource: ga8r9nl0j6u7...@motec.com.au
Content-Type: multipart/mixed; boundary="=_Next_54920_1367254513.7341918864818"
Message-ID: <3qacpit7myo3scscxw1urx79vbpnf58nkz7...@motec.com.au>
X-MS-Exchange-Organization-Authas: Internal
X-MS-Exchange-Organization-SCL: -1
X-MS-Tnef-Correlator:
Received: from mail.motec.com.au (motec6.motec.com.au [115.70.189.243])
  by support.motec.com.au (8.14.4/8.14.4) with ESMTP id t8O3Tn7D021736 for ;
  Thu, 24 Sep 2015 13:29:50 +1000
Received: (qmail 8515 invoked by alias); 24 Sep 2015 03:29:48 -
Received: (qmail 8502 invoked by uid 187); 24 Sep 2015 03:29:48 -
Received: from 116.58.205.184 by scion.motec.com.au (envelope-from , uid 181)
  with qmail-scanner-2.08st (clamdscan: 0.97.8/20932. spamassassin: 3.3.1. perlscan: 2.08st.
  Clear:RC:0(116.58.205.184):SA:0(2.8/5.0):. Processed in 6.943055 secs); 24 Sep 2015 03:29:48 -
Received: from unknown (HELO banglalinkgsm.com) (116.58.205.184) by scion.motec.com.au with SMTP;
  24 Sep 2015 03:29:29 -
Received: from 4750.motec.com.au (10.238.114.77) by motec.com.au (10.0.0.218)
  with Microsoft SMTP Server id 6WSFFOKZ; Wed, 23 Sep 2015 11:28:46 GMT
Delivered-To: i2...@motec.com.au
Subject: Scanned Image from a Xerox WorkCentre
X-Spam-Report: SA TESTS
  1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                             [116.58.205.184 listed in bb.barracudacentral.org]
  1.0 DATE_IN_PAST_12_24     Date: is 12 to 24 hours before Received: date
  0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                             [SPF failed: Please see
                             http://www.openspf.org/Why?s=helo;id=banglalinkgsm.com;ip=116.58.205.184;r=scion.motec.com.au]
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.]
  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
  1.0 XPRIO                  Has X-Priority header
  0.4 AWL                    AWL: Adjusted score from AWL reputation of From: address
X-Priority: 3 (Normal)
Date: Wed, 23 Sep 2015 11:28:46 GMT
X-Spam-Level: ++
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-Authmechanism: 02
To: helen.papp...@motec.com.au
X-MS-Exchange-Organization-Avstamp-Mailbox: MSFTFF;0;0;0 0 0
From: "Incoming Fax" 
Content-Length: 0
content-type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: ascii
Content-Length: 412

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051   
E: tom.robin...@motec.com.au




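Reading the headers above by hand: the From: domain is motec.com.au, but the message reached scion.motec.com.au from 116.58.205.184 (HELO banglalinkgsm.com), an outside host, and SPF_HELO_FAIL fired at 0.0 points, so SA gave it no weight. The script below is an added example, not code from this thread or from SpamAssassin, that automates that reading: it walks the Received: chain newest-first, finds the first hop from a public address that is not one of our own relays, and flags an own-domain From: that entered that way. The sample headers are constructed from the ones quoted above (trimmed, with the From: address, which the archive does not show, replaced by a placeholder); the local domain and the relay address 115.70.189.243 are taken from them.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Our own mail domain and the public address of our own relay, both taken from
# the headers quoted in the thread (motec6.motec.com.au hands mail to Exchange).
LOCAL_DOMAIN = "motec.com.au"
OWN_RELAYS = {"115.70.189.243"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\(HELO ([^)\s]+)\)")

# Constructed from the thread's headers; the From: address is a placeholder.
SAMPLE = """\
X-Spam-Status: No, hits=2.8 required=5.0
Received: from mail.motec.com.au (motec6.motec.com.au [115.70.189.243]) by support.motec.com.au (8.14.4/8.14.4) with ESMTP id t8O3Tn7D021736; Thu, 24 Sep 2015 13:29:50 +1000
Received: (qmail 8515 invoked by alias); 24 Sep 2015 03:29:48 -
Received: from 116.58.205.184 by scion.motec.com.au (envelope-from , uid 181) with qmail-scanner-2.08st; 24 Sep 2015 03:29:48 -
Received: from unknown (HELO banglalinkgsm.com) (116.58.205.184) by scion.motec.com.au with SMTP; 24 Sep 2015 03:29:29 -
Received: from 4750.motec.com.au (10.238.114.77) by motec.com.au (10.0.0.218) with Microsoft SMTP Server id 6WSFFOKZ; Wed, 23 Sep 2015 11:28:46 GMT
Subject: Scanned Image from a Xerox WorkCentre
X-Spam-Report: SA TESTS 1.4 RCVD_IN_BRBL_LASTEXT 1.0 DATE_IN_PAST_12_24 0.0 SPF_HELO_FAIL SPF: HELO does not match SPF record (fail)
From: "Incoming Fax" <from-address-not-shown-in-archive@motec.com.au>

"""

# Constructed: a purely internal message for comparison.
LEGIT = """\
Received: from 4750.motec.com.au (10.238.114.77) by motec.com.au (10.0.0.218) with Microsoft SMTP Server id 6WSFFOKZ; Wed, 23 Sep 2015 11:28:46 GMT
From: "Internal User" <someone@motec.com.au>
Subject: constructed internal message

"""


def hop_source(received):
    """(ip, helo) of the host a Received: header says the mail came *from*,
    or (None, None) for local hand-offs such as '(qmail ... invoked by alias)'."""
    if not received.lstrip().startswith("from "):
        return None, None
    from_part = received.split(" by ", 1)[0]
    m = IPV4.search(from_part)
    if not m:
        return None, None
    helo = HELO.search(from_part)
    return m.group(1), (helo.group(1) if helo else None)


def entry_point(received_headers):
    """Walk Received: headers newest-first; return (ip, helo) of the first hop
    whose source is a public address that is not one of our relays, i.e. where
    the message entered from the internet. (None, None) means purely internal."""
    for i, hdr in enumerate(received_headers):
        ip, helo = hop_source(hdr)
        if ip is None or ip in OWN_RELAYS or not ipaddress.ip_address(ip).is_global:
            continue
        if helo is None:
            # qmail-scanner stamps its own Received: without the HELO; the
            # qmail-smtpd hop beneath it for the same address carries it.
            for later in received_headers[i + 1:]:
                ip2, helo2 = hop_source(later)
                if ip2 == ip and helo2:
                    helo = helo2
                    break
        return ip, helo
    return None, None


def assess(raw_message):
    """Flag an own-domain From: on mail that entered from an outside host."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    entry_ip, helo = entry_point(msg.get_all("Received", []))
    spf_fail = re.search(r"\bSPF_(HELO_)?FAIL\b", msg.get("X-Spam-Report", "")) is not None
    # SPF corroborates but is not required: on the thread's message SPF_HELO_FAIL
    # fired at 0.0 points, so the Received: chain is the evidence that counts.
    spoofed = from_domain == LOCAL_DOMAIN and entry_ip is not None
    return {"from_domain": from_domain, "entry_ip": entry_ip, "helo": helo,
            "spf_fail": spf_fail, "spoofed": spoofed}
```

The same walk is what SpamAssassin's trusted_networks/internal_networks settings drive: if scion and motec6 are declared as internal, SA treats 116.58.205.184 as the untrusted entry point and applies its SPF and DNSBL checks to that hop, which is the scoring the message above did not get.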


Re: AWL defeating my SPAM classification

2015-04-29 Thread Tom Robinson
On 30/04/15 15:09, Reindl Harald wrote:
>
>
> On 30.04.2015 at 04:10, Tom Robinson wrote:
>> Is it correct that currently, because I'm forwarding, the DNSBL query is
>> denied because the DNSBL server thinks I'm the ISP making a query? Sorry,
>> I'm not understanding the mechanism
>
> it is the ISP making the query for you and thousands of other of his customers - you are
> making 5 queries, your left and right neighbour too - oops 150 queries from your ISP's
> nameserver which exceeds the limit for a single IP
>
> there is no "mechanism" - when you don't make your queries on your own the forwarder does
> and the rest is trivial math
>

Got it. Thanks Reindl.

BTW, where can I see the results of my configuration changes? It would be nice to confirm
that my changes have rectified the situation.





Re: AWL defeating my SPAM classification

2015-04-29 Thread Tom Robinson
On 30/04/15 12:15, Kevin A. McGrail wrote:
> On 4/29/2015 10:10 PM, Tom Robinson wrote:
>> I have the mail server and a separate name server set up in a DMZ. The name server already
>> runs as a caching nameserver but does forwarding to our ISP.
> Hi Tom,
>
> Your ISP is doing too many queries to the services exceeding free limits.  You are being
> lumped in with your ISP.
>
> Run your own caching DNS server without forwarding but instead going to the root servers
> so you query on your own.
>
Finally that makes sense. I will add the forwarding in as per the documentation.





Re: AWL defeating my SPAM classification

2015-04-29 Thread Tom Robinson

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051   
E: tom.robin...@motec.com.au

On 30/04/15 10:10, Benny Pedersen wrote:
> Tom Robinson wrote on 2015-04-30 01:38:
>
>>   0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was blocked.
>>  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>
> did you read the url here ?
>
> well if yes, show your AWL config for the AWL plugin

Actually, looking for this config I can't seem to find it. My spamassassin is linked in with
qmail using qmail-scanner-queue.pl. That script looks in /home/qscand/.spamassassin/user_prefs
but I also have configs in /etc/mail/spamassassin. What am I looking for exactly?






Re: AWL defeating my SPAM classification

2015-04-29 Thread Tom Robinson
On 30/04/15 09:56, Marieke Janssen wrote:
> Hi,
>
> Besides your awl problem, you have other problems.
>
>   0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was blocked.
>  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>  for more information.
>  [URIs: world-plants.ru]
>
> You are blocked. This probably means you are using either public nameservers
> or do too many queries.  Running a dedicated nameserver on localhost
> (dnsmasq, bind, unbound, whatever) can solve this (and besides that, it speeds
> things up).
> If you fix this, chances are you get scores high enough to compensate/correct
> AWL.
>
> In SpamAssassin 3.4.1 there is a TxRep module, maybe you'll find it
> interesting. It decays the learned scores over time (and other neat stuff).
> You can migrate existing AWL data to TxRep (make sure to back it up first so
> you can go back).
>
>

Thanks Marieke,

I have the mail server and a separate name server set up in a DMZ. The name server already
runs as a caching nameserver but does forwarding to our ISP. I'm not sure how the non-caching
works to eliminate this problem. Is it correct that currently, because I'm forwarding, the
DNSBL query is denied because the DNSBL server thinks I'm the ISP making a query? Sorry, I'm
not understanding the mechanism.

If bind is going to forward lookups for DNSBL servers to a null list, will the cache have a
record to look up at all?

e.g.
/* Disable forwarding for DNSBL queries */
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };

Does this rely on the caching nameserver having already looked up and cached the DNSBL
servers?

BTW, I do have rbldnsd set up on the caching nameserver in my DMZ. Is that useful in any way
to resolve this issue?







AWL defeating my SPAM classification

2015-04-29 Thread Tom Robinson
Hi,

Below is the source from an email that is clearly spam, but the AWL is -1.3, defeating the
spam classification. How can I best adjust the AWL to get this classified as SPAM?

Kind regards,
Tom

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051   
E: tom.robin...@motec.com.au




Return-Path: 
Delivered-To: t...@motec.com.au
Received: (qmail 2934 invoked by alias); 29 Apr 2015 23:02:24 -
Delivered-To: fo...@motec.com.au
Received: (qmail 2923 invoked by uid 187); 29 Apr 2015 23:02:24 -
Received: from 78.188.129.11.dynamic.ttnet.com.tr by scion.motec.com.au 
(envelope-from , uid 181) with qmail-scanner-2.08st 
 (clamdscan: 0.97.8/20394. spamassassin: 3.3.1. perlscan: 2.08st.  
 Clear:RC:0(78.188.129.11):SA:0(4.6/5.0):. 
 Processed in 14.230659 secs); 29 Apr 2015 23:02:24 -
X-Spam-Status: No, hits=4.6 required=5.0
X-Spam-Level: 
X-Spam-Report: SA TESTS
  0.7 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                             [78.188.129.11 listed in zen.spamhaus.org]
  2.9 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split IP)
  0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or Generic rPTR
  0.0 TVD_RCVD_IP            Message was received from an IP address
  1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                             [78.188.129.11 listed in bb.barracudacentral.org]
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                             [URIs: world-plants.ru]
  0.4 RDNS_DYNAMIC           Delivered to internal network by host with dynamic-looking rDNS
 -1.3 AWL                    AWL: Adjusted score from AWL reputation of From: address
Received: from 78.188.129.11.dynamic.ttnet.com.tr (78.188.129.11)
  by scion.motec.com.au with SMTP; 29 Apr 2015 23:02:09 -
Message-ID: 
Date: Thu, 30 Apr 2015 01:48:15 +0200
From: "American Express" 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 
Thunderbird/24.2.0
MIME-Version: 1.0
To: 
Subject: Irregular card activity
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Irregular check card activity
American Express

Dear Customer,
We detected irregular card activity on your American Express Check Card on 29 
April, 2015.

As the Primary Contact, you must verify your credit card activity before you 
can continue using your card, and upon verification, we will remove any 
restrictions placed on your card.

To review your account as soon as possible please click on the link below.

http://world-plants.ru/foldername/index.html

Thank you for your Card Membership.


-
American Express Customer Care
  
Fraud Department:
Erica Bermudez
Level III Security Officer




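To make the -1.3 concrete: in SpamAssassin's AWL plugin (Mail::SpamAssassin::Plugin::AWL) the adjustment for a message is the difference between the stored mean score for that sender key (From: address plus the sending network) and the message's pre-AWL score, multiplied by auto_whitelist_factor (default 0.5); the message's score is then folded into the stored mean. The following Python is an added example, not code from this thread or from SpamAssassin, that replays that arithmetic with the thread's numbers (pre-AWL score 5.9, AWL -1.3) to show which stored reputation produces it, how slowly a second identical message moves the mean, and what a smaller factor does to the verdict. The in-memory store, the sender key and the four-message history are constructed.

```python
AUTO_WHITELIST_FACTOR = 0.5   # SpamAssassin's default auto_whitelist_factor


class AwlStore:
    """In-memory stand-in for the AWL database (constructed; SpamAssassin keeps
    this in a DBM file or SQL). Per sender key it stores the running total of
    pre-AWL scores and the number of messages seen."""

    def __init__(self):
        self.totals = {}          # key -> (total_score, count)

    def mean(self, key):
        total, count = self.totals.get(key, (0.0, 0))
        return None if count == 0 else total / count

    def add(self, key, score):
        total, count = self.totals.get(key, (0.0, 0))
        self.totals[key] = (total + score, count + 1)


def awl_adjust(store, key, pre_awl_score, factor=AUTO_WHITELIST_FACTOR):
    """One message through the AWL: delta = (stored mean - this score) * factor
    is added to the score, then this score is folded into the stored mean.
    A sender with no history gets no adjustment. Returns (delta, final)."""
    mean = store.mean(key)
    delta = 0.0 if mean is None else (mean - pre_awl_score) * factor
    store.add(key, pre_awl_score)
    return round(delta, 2), round(pre_awl_score + delta, 2)


def mean_behind(delta, pre_awl_score, factor=AUTO_WHITELIST_FACTOR):
    """Invert the formula: the stored mean that yields an observed delta."""
    return pre_awl_score + delta / factor


def replay_thread_case():
    """The thread's message: hits=4.6 with AWL -1.3, so it scored 5.9 before
    AWL. Reconstruct the history that produces -1.3, then run the same message
    through twice to show how slowly the stored mean recovers."""
    pre = 5.9
    mean = mean_behind(-1.3, pre)               # 3.3: past mail under this key
    store = AwlStore()
    key = "american-express-sender-key"         # constructed key
    store.totals[key] = (mean * 4, 4)           # constructed: four earlier messages
    first = awl_adjust(store, key, pre)         # (-1.3, 4.6): under required=5.0
    second = awl_adjust(store, key, pre)        # mean now 3.82: (-1.04, 4.86)
    return first, second


def factor_effect(pre_awl_score=5.9, mean=3.3, threshold=5.0):
    """Final score and verdict per auto_whitelist_factor for one message with
    the thread's numbers: a smaller factor lets history pull the score less."""
    out = {}
    for factor in (0.5, 0.3, 0.1):
        store = AwlStore()
        store.totals["k"] = (mean, 1)
        _, final = awl_adjust(store, "k", pre_awl_score, factor)
        out[factor] = (final, final >= threshold)
    return out
```

Two things follow from the arithmetic. The stored mean of 3.3 came from earlier messages under this key that scored low, which is why Marieke's advice to fix the blocked URIBL lookups matters: once those messages score properly, the mean rises and the AWL stops subtracting. And lowering auto_whitelist_factor in local.cf is the lever that caps how much history can pull a single message, at the cost of also reducing the benefit for legitimate senders.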


Re: Scoring numbers explained

2014-11-11 Thread Tom Robinson
On 12/11/14 09:45, Reindl Harald wrote:
>
> On 11.11.2014 at 23:41, Tom Robinson wrote:
>> Hopefully someone can answer this simply with a link to the right documentation.
>>
>> I want to adjust the score on a test but I have no idea what the four numbers actually
>> are. e.g.
>>
>> score AC_SPAMMY_URI_PATTERNS10 3.995 1.010 3.995 1.010
>>
>> I feel so dumb as I can't find the documentation anywhere
>
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html#scoring_options
>
> in short:
> if you are running SA on a server and blacklists are active, DNS is working you need just
> "score RULE points"
>
Ahh, thank you for returning me to my sanity. Subsequently, I found that the following works
on my CentOS system:

man Mail::SpamAssassin::Conf

I searched the SpamAssassin Wiki but didn't find references to the doco.





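Reindl's point in code: the four numbers are one score per SpamAssassin score set, chosen by whether Bayes and network tests are enabled (set 0: neither, set 1: network tests only, set 2: Bayes only, set 3: both, as Mail::SpamAssassin::Conf documents it), and a local override with a single value applies in every set. The following Python is an added example, not code from this thread or from SpamAssassin, that parses a score line and picks the value SA would apply for a given configuration, using the thread's AC_SPAMMY_URI_PATTERNS10 line as input.

```python
def parse_score_line(line):
    """Parse a SpamAssassin 'score RULE n [n n n]' line into (rule, [values]).
    One value applies everywhere; four values are one per score set."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "score":
        raise ValueError("not a score line: %r" % line)
    values = [float(v) for v in parts[2:]]
    if len(values) not in (1, 4):
        raise ValueError("expected 1 or 4 scores, got %d" % len(values))
    return parts[1], values


def score_set(use_bayes, use_network):
    """Score-set number as Mail::SpamAssassin::Conf defines it:
    0 = neither, 1 = network tests only, 2 = Bayes only, 3 = both."""
    return (2 if use_bayes else 0) + (1 if use_network else 0)


def effective_score(values, use_bayes, use_network):
    """The value SA applies for this configuration."""
    if len(values) == 1:
        return values[0]
    return values[score_set(use_bayes, use_network)]


def local_override(rule, points):
    """A local.cf line that fixes the rule's score in every score set: the
    'score RULE points' form Reindl refers to."""
    return "score %s %.3f" % (rule, points)


def explain(line):
    """Which value a score line yields in each (bayes, network) combination,
    useful before editing a score to see which set your server is actually in."""
    _, values = parse_score_line(line)
    return {(bayes, net): effective_score(values, bayes, net)
            for bayes in (False, True) for net in (False, True)}
```

On Tom's server (DNSBLs active, so network tests on, and Bayes on, given the BAYES_00 hits in his other threads) the live set is 3, so the thread's rule contributes 1.010 there; the 3.995 values only apply when network tests are off.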


Scoring numbers explained

2014-11-11 Thread Tom Robinson
Hi,

Hopefully someone can answer this simply with a link to the right documentation.

I want to adjust the score on a test but I have no idea what the four numbers actually are.
e.g.

score AC_SPAMMY_URI_PATTERNS10 3.995 1.010 3.995 1.010

I feel so dumb as I can't find the documentation anywhere.

Please help.

Regards,
Tom





Bareword found where operator expected at /usr/local/bin/sa-heatu line 227, near "s/... //r"

2014-06-12 Thread Tom Robinson
Hi,

Sorry to bother you with this. As referenced on the Apache SpamAssassin Wiki for AutoWhiteList
(https://wiki.apache.org/spamassassin/AutoWhitelist) I downloaded the Truxoft version of the
sa-heatu utility (http://truxoft.com/resources/sa-heatu.v4.02.tar.gz) but when I run it I get
these errors:

Bareword found where operator expected at /usr/local/bin/sa-heatu line 227, near "s/... //r"
Bareword found where operator expected at /usr/local/bin/sa-heatu line 227, near "s/:.. / /r"
syntax error at /usr/local/bin/sa-heatu line 227, near "s/... //r "
Execution of /usr/local/bin/sa-heatu aborted due to compilation errors.

I'm running a CentOS 5.10, 32bit system.

My version of perl is:
# perl -version
This is perl, v5.8.8 built for i386-linux-thread-multi
---8<---snip*---

I fetched a version of sa-heatu from GitHub as well but it is the same file (diff shows no
differences and I get the same errors when running).

Here is a snippet of the code in context:

224 if ($count && ($opt_verbose || ($opt_verboseHits && $count>$opt_verboseHits) || ($opt_showUpdates && $prtu))) {
225 printf $fmt, $totscore/$count, $totscore,$count, $email, $ip, $reason;
226 if (!$opt_NoTimes && (($twas||0)!=0))
227 {printf "%s", ((localtime $twas) =~ s/... //r =~ s/:.. / /r);}  # don't include d-o-w, and drop seconds as that implies precision
228 }

Not being a perl expert I'm not sure exactly what is wrong here. Can anyone please help
determine the issue?

Kind regards,
Tom

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051   
E: tom.robin...@motec.com.au



