Re: USER_IN_WHITELIST

2016-07-07 Thread Lorenzo Thurman


"My Break-Dancing days are over, but there's always the Funky Chicken" -- The 
Full Monty

> On Jul 7, 2016, at 3:57 PM, Sidney Markowitz <sid...@sidney.com> wrote:
> 
> Lorenzo Thurman wrote on 8/07/16 3:03 AM:
>>> On Jul 7, 2016, at 8:14 AM, Antony Stone 
>>> <antony.st...@spamassassin.open.source.it> wrote:
>>> \.microsoft\.com$ will match anything ending in ".microsoft.com"
> 
> RW already pointed this out, but to make sure nobody reading this thread
> misses it, the above is wrong because whitelist does not use regexps.
> 
> See
> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options
> 
> where it says
> 
> "Whitelist and blacklist addresses are now file-glob-style patterns, so
> fri...@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically,
> * and ? are allowed, but all other metacharacters are not. Regular expressions
> are not used for security reasons. Matching is case-insensitive.
> 
> Multiple addresses per line, separated by spaces, is OK. Multiple
> whitelist_from lines are also OK."
> 
> Notice the last example there. Spamassassin is parsing out the email addresses
> and matching them with the patterns so you don't have to do tricky stuff like
> *@*.microsoft.com. Specifically, you can use
> 
> whitelist_from *@microsoft.com *.microsoft.com
> 
> which will match what you want but will not match anyth...@onmicrosoft.com and
> will not match foo.microsoft@example.com
> 
> As the page also points out if you can figure out how to use
> whitelistfrom_rcvd instead of whitelist_from it will protect against spammers
> spoofing the From address. Whether you can do that depends on whether the
> domain you are whitelisting has restrictions on what servers can send mail 
> for it.
> 
> Sidney
> 
> 

Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't 
find any clear answers via Google. 


Re: USER_IN_WHITELIST

2016-07-07 Thread Lorenzo Thurman



> On Jul 7, 2016, at 8:14 AM, Antony Stone 
> <antony.st...@spamassassin.open.source.it> wrote:
> 
> On Thursday 07 July 2016 at 15:08:44, Lorenzo Thurman wrote:
> 
>>> On Jul 7, 2016, at 7:15 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>>>> On 07.07.2016 at 14:12, Joe Quinn wrote:
>>>> In addition to the above, it's easy for a spammer to register something
>>>> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
>>>> whitelisted for you. I would recommend against using wildcard whitelist
>>>> patterns like that
>>> 
>>> should at least look similar to that:
>>> ^.*\.microsoft\.com$
>>> 
>>> well the ^ followed by .* is also pointless
>> 
>> I see. Thanks for the tip, I'll make changes. The reason I used wildcards
>> was so that I could also capture us domains. Is there a rule that allows
>> me to get subdomains w/o opening myself up like I have?
> 
> There's a big difference between subdomains, and domains with letters in
> front of "microsoft".
> 
> \.microsoft\.com$ will match anything ending in ".microsoft.com"
> 
> That means it will match www.microsoft.com and cdn.microsoft.com for example, 
> but it will not match kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com
> 
> The dot in front of "microsoft" in the regex is important :)
> 
> 
> Antony.
> 
> -- 
> Tax inspectors are just accountants who work for the evil dictators of 
> democracy.
> 
>   Please reply to the list;
> please *don't* CC me.

Great, thanks. 
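Sidney's reply at the top of this thread (whitelist_from takes file globs, not regexps, and matches the whole sender address) and Antony's point above (the dot before "microsoft" is what keeps lookalike domains out) can both be checked in working code. The following is an added example, not code from the thread or from SpamAssassin itself: it turns each whitelist_from glob into the anchored, case-insensitive regexp it stands for, on the assumption that SpamAssassin's parser escapes every character except `*` and `?` and maps those to `.*` and `.`, and then matches the full sender address against it. The configuration lines and sender addresses are constructed; the lookalike domains are the ones named in the thread.

```python
import re

# Modelled on SpamAssassin's handling of whitelist_from entries (an assumption
# about the parser, not its code): every character except '*' and '?' is
# escaped, '*' becomes '.*', '?' becomes '.', and the result is anchored and
# case-insensitive. Because everything else is escaped, a whitelist entry can
# never smuggle in regexp syntax, which is why the docs say regexps are not used.
def glob_to_regex(pattern):
    """Compile one whitelist_from glob into the anchored regexp it stands for."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_whitelist_from(config_lines):
    """Collect globs from 'whitelist_from' lines; several per line are allowed."""
    patterns = []
    for line in config_lines:
        line = line.split("#", 1)[0].strip()
        key, _, rest = line.partition(" ")
        if key == "whitelist_from":
            patterns.extend(rest.split())
    return patterns


def matching_pattern(address, patterns):
    """Return the first glob matching the WHOLE sender address, or None.
    The full address (local part and domain) is matched, not just the domain."""
    for pat in patterns:
        if glob_to_regex(pat).match(address):
            return pat
    return None


# Constructed sender addresses covering the cases discussed in the thread.
ADDRESSES = [
    "alice@microsoft.com",                       # the domain itself
    "bob@cdn.microsoft.com",                     # a real subdomain
    "Carol@WWW.Microsoft.COM",                   # subdomain, mixed case
    "hefg@hkjhkjhk.onmicrosoft.com",             # the lookalike from the debug output
    "x@kajsdhfkjasghdskghlaskfhmicrosoft.com",   # the registered-lookalike case
    "foo.microsoft@example.com",                 # 'microsoft' only in the local part
]

LOOSE_CONFIG = ["whitelist_from *microsoft.com"]                    # what went wrong
TIGHT_CONFIG = ["whitelist_from *@microsoft.com *.microsoft.com"]  # Sidney's form


def whitelist_report(config_lines, addresses=ADDRESSES):
    """Map each address to the glob that whitelists it (None if not whitelisted)."""
    pats = parse_whitelist_from(config_lines)
    return {addr: matching_pattern(addr, pats) for addr in addresses}


if __name__ == "__main__":
    for label, cfg in (("loose", LOOSE_CONFIG), ("tight", TIGHT_CONFIG)):
        print(label, [glob_to_regex(p).pattern for p in parse_whitelist_from(cfg)])
        for addr, hit in whitelist_report(cfg).items():
            print(f"  {addr:45} -> {hit}")
```

The loose glob `*microsoft.com` compiles to exactly the `^.*microsoft\.com$` that the `spamassassin -t -D` output in this thread reported, so it also whitelists the onmicrosoft.com and kajsd...microsoft.com senders; the two tight globs whitelist only the domain and its subdomains.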


Re: USER_IN_WHITELIST

2016-07-07 Thread Lorenzo Thurman



> On Jul 7, 2016, at 7:15 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
> 
> 
> 
>> On 07.07.2016 at 14:12, Joe Quinn wrote:
>>> On 7/6/2016 11:42 PM, Bill Cole wrote:
>>> On 6 Jul 2016, at 23:10, lorenzo wrote:
>>> 
>>> [...]
>>>> The output from spamassassin -t -D < In-whitelist.txt gives the
>>>> answer, I believe:
>>>> 
>>>> address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or
>>>> blacklist regexp: ^.*microsoft\.com$
>>>> 
>>>> Very sneaky. I think I can handle this one from here.
>>>> Thanks again.
>>> 
>>> Happy to be of help.
>>> 
>>> For what it's worth: *.onmicrosoft.com domains are part of free trials
>>> of Office365 and generate almost entirely spam. I suppose one could be
>>> a regular paying O365 customer and keep that free domain, but no one
>>> who does that can care much about their email. Spammers have been
>>> using those domains for years and MS really seems not to care about
>>> the fact that they've become a de facto indication of spam.
>> In addition to the above, it's easy for a spammer to register something
>> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
>> whitelisted for you. I would recommend against using wildcard whitelist
>> patterns like that
> 
> should at least look similar to that:
> ^.*\.microsoft\.com$
> 
> well the ^ followed by .* is also pointless


I see. Thanks for the tip, I'll make changes. The reason I used wildcards was
so that I could also capture us domains. Is there a rule that allows me to get
subdomains w/o opening myself up like I have?



Re: USER_IN_WHITELIST

2016-07-06 Thread lorenzo

> On Jul 6, 2016, at 8:50 PM, Bill Cole 
> <sausers-20150...@billmail.scconsult.com> wrote:
> 
> On 6 Jul 2016, at 21:13, Lorenzo Thurman wrote:
> 
>> I’ve been receiving some spam where spamassassin identifies the sender with 
>> USER_IN_WHITELIST. These senders (or domains) are most definitely not in my 
>> whitelist. How can I get around this problem?
> 
> There are so many relevant variables unspecified that no one here has any 
> hope of solving your problem.
> 
> To make it easier for us, please provide more information:
> 
> 1. How are you using SpamAssassin? Specifically, if you have it hooked into 
> an MTA like Postfix or Sendmail, tell us which one AND what mechanism you are 
> using to integrate SA and the MTA.
> 
> 2. If your system involves the use of spamd, what are its arguments and what
> user is it running as?
> 
> 3. If you scan a message with this problem manually by piping it into 
> 'spamassassin -t -D' what does the resulting flood of debugging information 
> say about what address it is finding as being in the whitelist?
> 

Ah, ok. Here’s some info:
spamassassin v3.4.0 - Postfix 2.11.0  Ubuntu 14.04
/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d 
--pidfile=/var/run/spamd.pid

In /etc/postfix/master.cf
smtp  inet  n   -   -   -   -   smtpd -vvv -o 
content_filter=spamassassin
spamassassin unix - n   n   -   -   pipe flags=Rq 
user=nobody argv=/usr/bin/spamfilter.sh -oi -f ${sender} ${recipient}

The output from spamassassin -t -D < In-whitelist.txt gives the answer, I 
believe:

address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: 
^.*microsoft\.com$

Very sneaky. I think I can handle this one from here.
Thanks again.



USER_IN_WHITELIST

2016-07-06 Thread Lorenzo Thurman
I’ve been receiving some spam where spamassassin identifies the sender with 
USER_IN_WHITELIST. These senders (or domains) are most definitely not in my 
whitelist. How can I get around this problem?
Thanks

Block mailing lists

2015-05-25 Thread Lorenzo Milesi
hi.

We're receiving a lot of unsolicited mail which is not spam, but I'd like to block
or considerably limit it. Most of those mails come from official mailing
systems, like mailchimp or similar, to which I never subscribed but which
probably picked the address from our website. That said, common SA rules don't
work with this kind of stuff, because it comes from official servers and has
proper signing and all.

I thought of something like, for example, raising the score of mails which contain
X-List-Id, but this applies only to a limited set of mailings.
Did anyone ever make a collection of mailing list tag headers, which can be
used to raise the score of such mails?
Or any better idea, rather than obfuscating or removing the info@ address from the
website?

thanks
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.it

YetOpen S.r.l. - http://www.yetopen.it/


Re: Block mailing lists

2015-05-25 Thread Lorenzo Milesi
> Often you will see multiple of these used in a post, so if scoring I'd suggest
> using a regex, and not use a rule per hit else it might be scored so high as to
> delete.

Yes I'd like to make a single tag which is triggered by at least one of these 
tags, not summing them.
I made a quick survey and collected some more of them, like X-Campaign-Id.

> There are inherent dangers of what you want to do, but if you're the only mail
> user, then you know and accept the risks, if you host mail for others, under no
> circumstances should you do any of this with 100% agreement from all mail
> users.

Indeed I know it's not the best, but this domain is collecting so many unwanted
non-spam mails that it would really take too much effort to get rid of them,
and they're continuously increasing, so I don't think that just removing the
email address from the website will do any better.
I (well, they) just want mailing lists to be moved to the spam folder in their
situation.

thanks
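The reply above wants one rule that fires when at least one list marker is present rather than a score that grows with every header found. The following is an added example, not code from the thread or from SpamAssassin: it parses a raw message with Python's email module and contributes a single fixed score if any marker is present. X-List-Id and X-Campaign-Id are the headers named in the thread; List-Id, List-Unsubscribe and Precedence: bulk/list are assumptions drawn from RFC 2919/2369 and common practice. Both sample messages are constructed.

```python
from email import message_from_string

# Headers that list and bulk-mail systems commonly add. X-List-Id and
# X-Campaign-Id are the two named in the thread; the rest are assumptions
# (RFC 2919 List-Id, RFC 2369 List-Unsubscribe, Precedence: bulk/list).
LIST_HEADERS = (
    "List-Id",
    "X-List-Id",
    "List-Unsubscribe",
    "X-Campaign-Id",
)
BULK_PRECEDENCE = {"bulk", "list"}
LIST_MAIL_SCORE = 3.0   # the single score the rule contributes (constructed value)


def find_list_markers(raw):
    """Return the names of the list/bulk markers present in a raw message.
    Used only to report which marker fired; the score does not depend on the count."""
    msg = message_from_string(raw)
    found = [h for h in LIST_HEADERS if msg.get(h) is not None]
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in BULK_PRECEDENCE:
        found.append("Precedence: " + precedence)
    return found


def list_mail_score(raw):
    """One rule, one score: fires if ANY marker is present, never once per hit."""
    return LIST_MAIL_SCORE if find_list_markers(raw) else 0.0


# Constructed sample: a campaign mailing carrying several list markers at once.
BULK_SAMPLE = """\
From: News <news@example.invalid>
To: info@example.invalid
Subject: Monthly offers
List-Id: Monthly offers <offers.example.invalid>
List-Unsubscribe: <https://example.invalid/unsub?u=1>
X-Campaign-Id: 12345
Precedence: bulk
Content-Type: text/plain

Buy things.
"""

# Constructed sample: an ordinary personal message with none of the markers.
PERSONAL_SAMPLE = """\
From: Alice <alice@example.invalid>
To: info@example.invalid
Subject: Question about your product
Content-Type: text/plain

Hi, could you tell me the price?
"""

if __name__ == "__main__":
    for name, raw in (("bulk", BULK_SAMPLE), ("personal", PERSONAL_SAMPLE)):
        print(name, list_mail_score(raw), find_list_markers(raw))
```

The bulk sample carries four markers but still scores 3.0, not 12.0. In SpamAssassin's own config language the same shape is a set of `header __NAME exists:Header-Name` sub-rules combined with one `meta` rule, with the `score` line attached only to the meta rule, so that hitting several sub-rules adds nothing extra.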


Re: Block mailing lists

2015-05-25 Thread Lorenzo Milesi
> why don't you just hit the unsubscribe link in case of mailchimp?
> if the same mailchimp-customer after that *really* imports your address
> again you can write to mailchimp-abuse and they are *really* acting

Because we're receiving so many mailing lists that it would be too cumbersome
to deal with every single unsubscribe. Or at least very annoying.
Also, keeping track of which unsubscribes were successful or not would be a
dedicated job. Which is not my job.

> to be honest: by naming mailchimp in that context you sound like one of
> the people not remembering where they subscribed, too lazy to
> unsubscribe and/or confusing the spam with the delete button which
> are responsible for a ton of collateral damage at Razor/Pyzor and RBL's
> every single day and the top winners of that users even forward their
> electronic bill of a local supplier as spam to their provider

I was naming that just to make it clear the mails come from a mailing list
provider; I have nothing against MC or anyone else.
To be honest your comment is very offensive, made to someone you have no idea
who he is.



Re: Block mailing lists

2015-05-25 Thread Lorenzo Milesi
> I have built an extensive list of safe senders in the whitelist_from_* that will
> use the SHORTCIRCUIT (DKIM, SPF, RCVD) enabled above.

I didn't know about this feature, I will dig more into it and see how it works. 
Thank you very much for your suggestion! 

But if I got it right this implies the BAYES filter has been extensively 
trained. Is this just to speed up scanning?
thanks again 


Re: Spamassassin not catching spam (Follow-up)

2015-03-24 Thread Lorenzo Thurman

> On Mar 24, 2015, at 2:26 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> On 24.03.2015 at 20:10, Lorenzo Thurman wrote:
>> I contacted the list a couple of weeks ago about SA not missing a lot of
>> spam I thought it should be catching. There were duplicates of messages that I
>> had put through sa-learn that were still getting passed. One of the
>> suggestions offered here, after posting my command line here, was that I
>> should run sa-learn as the user, not as root (silly mistake). That did
>> improve SA’s ability to catch spam. It cut it down to ~1/2, but I
>> thought there was more I could do. So, after more digging, I found this
>> script:
>> http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix
>> I had been using the default Ubuntu configuration, but after
>> implementing this script, I’ve found SA catching ~90-95% of the spam. So
>> my faith is now restored
>
> well, a better setup would run spamassassin via milter *before-queue* and
> properly reject junk at SMTP level - so you have a tag level, let's say between
> 5.5 and 7.9 points, and reject above 8.0
>
> the flagged ones can go in a separate folder via sieve and the absolute high
> score junk is properly rejected and with some luck the spam attempts go down at
> all
>
> http://www.postfix.org/MILTER_README.html
>

Thank you. I’ll look into this as well.

Spamassassin not catching spam (Follow-up)

2015-03-24 Thread Lorenzo Thurman
I contacted the list a couple of weeks ago about SA not missing a lot of spam I
thought it should be catching. There were duplicates of messages that I had put
through sa-learn that were still getting passed. One of the suggestions
offered here, after posting my command line here, was that I should run
sa-learn as the user, not as root (silly mistake). That did improve SA’s
ability to catch spam. It cut it down to ~1/2, but I thought there was more I
could do. So, after more digging, I found this script:
http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix
I had been using the default Ubuntu configuration, but after implementing this
script, I’ve found SA catching ~90-95% of the spam. So my faith is now restored.
Thanks

Re: Improve spam hit rate

2015-03-10 Thread Lorenzo Thurman

> On Mar 10, 2015, at 12:54 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> On 10.03.2015 at 18:29, Lorenzo Thurman wrote:
>> I have these messages in a paste: http://pastebin.com/jNQfRerx. They
>> were received about 1 1/2 hours apart. After I received the first one, I
>> ran sudo sa-learn --spam /path/to/mail/folder against it and then sudo
>> sa-learn --sync. spamassassin reported that it ‘learned tokens from 1
>> message…’
>
> you likely train the wrong bayes
> sa-learn must run as the same user as the spamassassin / spamd
>
> nobody is calling such things as root by sudo BTW
>
 
Yes, I’m embarrassed. I actually receive mail in a different account.
When training, I thought I could just run sa-learn as root and get the desired
effect. I’ve run it as the correct user and I’ve at least a couple of
duplicate messages correctly labeled as spam.

Improve spam hit rate

2015-03-10 Thread Lorenzo Thurman

I have these messages in a paste: http://pastebin.com/jNQfRerx. They were
received about 1 1/2 hours apart.
After I received the first one, I ran sudo sa-learn --spam /path/to/mail/folder
against it and then sudo sa-learn --sync. spamassassin reported that it ‘learned
tokens from 1 message…’
I received the second message, but it was not marked as spam, even though, at
least as far as I can see, the messages are identical. All the way down to the
low contrast ‘hidden’ text. I’m seeing a lot of this lately, although
sometimes the messages come from different domains (reverse lookups are always
ok). My server is Ubuntu Linux 14.04. What can I do to improve the detection
rate?

I’m running sa 3.4.0 which is invoked via postfix in master.cf:
smtp  inet  n   -   -   -   -   smtpd -vvv -o content_filter=spamassassin

sa-update is run via a cron job daily and it last ran early this morning, so 
its rules should be up to date.
So, any ideas?
Thanks

Re: Spamassasin not as effective anymore

2014-09-29 Thread Lorenzo Thurman
I’ve created a paste bin with a couple of sample emails here:
http://pastebin.com/KfYrGMm8

I’m running SpamAssassin on my mail server, Ubuntu 14.04. I use postfix as my
MTA. SpamAssassin is at 3.4.0, with razor, and I have these recipient
restrictions set in postfix:
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   permit_mynetworks,
   reject_unauth_pipelining,
   reject_non_fqdn_recipient,
   reject_non_fqdn_sender,
   reject_unknown_recipient_domain,
   reject_unknown_sender_domain,
   reject_unauth_destination,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client multi.uribl.com,
   reject_rbl_client dsn.rfc-ignorant.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client ix.dnsbl.manitu.net,
   reject_rbl_client combined.rbl.msrbl.net,
   reject_rbl_client rabl.nuclearelephant.com,
   permit

My DNS forwards queries. I hope this is enough.
Thanks

On Sep 27, 2014, at 7:02 AM, Axb <axb.li...@gmail.com> wrote:

> On 09/27/2014 04:59 AM, Lorenzo Thurman wrote:
>> I’ve been using spamassassin for a number of years with excellent results. But,
>> now over the last month or so, it has been scoring spam very low. It still
>> catches most spam, but whereas only about a dozen or so might get through to
>> my inbox in a week, I’m suddenly getting a dozen or so a day. I run
>> sa-update via cron every day and I have a special mail folder where I place
>> missed spam and run sa-learn against it weekly. I know it's an arms race out
>> there fighting spam, but here are some sample subject lines with SA's scores
>> that I think should be caught. I know spamassassin looks at a lot more than
>> subject lines, but does anyone know what I can do to increase spamassassin’s
>> ability to detect spam? My threshold is set to 4.6.
>>
>> Complete Our Survey, qualify for free-samples 4.1
>> Re: Your Score-Changes on: 09/26/2014* 2.9
>> Weird 30 second trick cURES Diabetes..” 4.1
>> Quality Window Replacement Deals” 4.4
>> Find a PhD degree online in the specialty field” 2.8
>> Your background check is Available online” 2.4
>> Perfect vision with one weird trick” 0.0
>
>
> Please try to reply to the questions below so others get a better picture of
> your setup/issue.
>
> - Please post missed spam samples in pastebin.com - do not post samples to
> the mailing list
>
> - What SA version are you using?
>
> - How are you using SA?
> (amavis, milter, Mailscanner, procmail, Fuglu, etc, etc)
>
> - Are you using SA on a PC/notebook? or on a server?
>
> - What plugins are you using?
> (Razor, Pyzor, DCC, etc)
>
> - Are you using a local, non-forwarding DNS resolver/caching server?
>
> Axb
>



Re: Spamassasin not as effective anymore

2014-09-29 Thread Lorenzo Thurman

On Sep 29, 2014, at 4:58 PM, Mark London <m...@psfc.mit.edu> wrote:

> On 9/29/2014 12:58 PM, Mark London wrote:
>> On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:
>>>
>>> From: Lorenzo Thurman <lore...@thethurmans.com>
>>> Date: 9/26/2014 10:59 PM
>>> I’ve been using spamassassin for a number of years with excellent results.
>>> But, now over the last month or so, it has been scoring spam very low. It
>>> still catches most spam, but whereas only about a dozen or so might get
>>> through to my inbox in a week, I’m suddenly getting a dozen or so a day. I
>>> run sa-update via cron every day and I have a special mail folder where I
>>> place missed spam and run sa-learn against it weekly. I know it's an arms
>>> race out there fighting spam, but here are some sample subject lines with SA's
>>> scores that I think should be caught. I know spamassassin looks at a lot
>>> more than subject lines, but does anyone know what I can do to increase
>>> spamassassin’s ability to detect spam? My threshold is set to 4.6.
>>>
>>> Complete Our Survey, qualify for free-samples 4.1
>>> Re: Your Score-Changes on: 09/26/2014* 2.9
>>> Weird 30 second trick cURES Diabetes..” 4.1
>>> Quality Window Replacement Deals” 4.4
>>> Find a PhD degree online in the specialty field” 2.8
>>> Your background check is Available online” 2.4
>>> Perfect vision with one weird trick” 0.0
>>
>> What are the From: addresses in those spam emails? We have been recently
>> inundated with spam using domains such as .eu and .co. The IP names that
>> the spammers are using are constantly changing, so that the URIBLs are not
>> able to keep up with them. you've had to add customized rules that increase
>> the spam scores for emails from these and other domains that are now
>> popular with spammers.
>
> I meant to say I've had to add..., not you've had to add...
>
> - Mark
>

I looked at those emails again and tried to resolve the sender’s addresses (dig
-x z.z.z.z). They don’t resolve to valid hostnames, which means they should
never even reach SA. Postfix should reject them outright. I’ve changed a couple of
postfix’s reject_rbl_client settings, put a tail on its log and now I see many
emails being rejected outright. So I’ll take this to the postfix lists. These
are the changes I made:

old
sbl.spamhaus.org
sbl-xbl.spamhaus.org

new
reject_rbl_client zen.spamhaus.ord
reject_rbl_client dns.sorbd.net

Thanks all.

Spamassasin not as effective anymore

2014-09-26 Thread Lorenzo Thurman
I’ve been using spamassassin for a number of years with excellent results. But,
now over the last month or so, it has been scoring spam very low. It still
catches most spam, but whereas only about a dozen or so might get through to my
inbox in a week, I’m suddenly getting a dozen or so a day. I run sa-update via
cron every day and I have a special mail folder where I place missed spam and
run sa-learn against it weekly. I know it's an arms race out there fighting
spam, but here are some sample subject lines with SA's scores that I think should
be caught. I know spamassassin looks at a lot more than subject lines, but does
anyone know what I can do to increase spamassassin’s ability to detect spam? My
threshold is set to 4.6.

Complete Our Survey, qualify for free-samples 4.1
Re: Your Score-Changes on: 09/26/2014* 2.9
Weird 30 second trick cURES Diabetes..” 4.1
Quality Window Replacement Deals” 4.4
Find a PhD degree online in the specialty field” 2.8
Your background check is Available online” 2.4
Perfect vision with one weird trick” 0.0

what does MIME_HTML_ONLY: Message only has text/html MIME parts mean?

2005-07-05 Thread Lorenzo Lucioni

Hello,
I receive some emails from a newsletter that is not spam. These emails go
through SpamAssassin and they get this score:


Content analysis details:   (2.0 points, 2.0 required)

pts rule name  description
 -- --
0.2 INVALID_DATE   Invalid Date: header (not RFC 2822)
0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE   BODY: HTML included in message
0.2 HTML_FONT_BIG  BODY: HTML tag for a big font size
0.2 HTML_TAG_EXIST_TBODY   BODY: HTML has tbody tag
1.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE


I configured SpamAssassin with 2.0 points as the threshold because many spams came
with a score lower than 3.0.
I would suggest to the person who sends this newsletter to apply a correction to
his emails to avoid the:
1.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
but I don't understand what it means. Can you help me and suggest to me how to
modify emails to avoid matching this rule?

Thank you very much,
Lorenzo
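The rule description quoted in this question says exactly what it checks for: the message carries a text/html part but no text/plain part at all. The usual fix on the sender's side is to send a multipart/alternative message with a text/plain version next to the HTML. The following is an added example, not code from the thread or from SpamAssassin: it walks a message's MIME tree and reports whether it has the html-only shape the rule describes (this mirrors the rule's wording, not SpamAssassin's exact implementation), and builds the same newsletter both ways with Python's email module. The sample addresses and message are constructed.

```python
from email import message_from_string
from email.message import EmailMessage


def leaf_content_types(msg):
    """Walk the MIME tree and return the content types of the non-multipart parts."""
    if msg.is_multipart():
        types = []
        for part in msg.get_payload():
            types.extend(leaf_content_types(part))
        return types
    return [msg.get_content_type()]


def is_html_only(msg):
    """The shape MIME_HTML_ONLY describes: a text/html part exists and no text/plain
    part does anywhere in the tree (mirrors the rule description, not SA's code)."""
    types = leaf_content_types(msg)
    return "text/html" in types and "text/plain" not in types


def check_raw(raw):
    """Convenience wrapper for a raw RFC 822 message string."""
    return is_html_only(message_from_string(raw))


def build_newsletter(with_plain_alternative):
    """Constructed newsletter; the flag decides whether a text/plain twin is included."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"      # constructed address
    msg["To"] = "reader@example.invalid"      # constructed address
    msg["Subject"] = "Newsletter"
    html = "<html><body><p>Hello <b>reader</b></p></body></html>"
    if with_plain_alternative:
        msg.set_content("Hello reader")            # text/plain part first
        msg.add_alternative(html, subtype="html")  # wraps both in multipart/alternative
    else:
        msg.set_content(html, subtype="html")      # lone text/html part: the flagged shape
    return msg


# Constructed raw message in the flagged shape, as it would arrive on the wire.
HTML_ONLY_RAW = """\
From: news@example.invalid
To: reader@example.invalid
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><p>Hello reader</p></body></html>
"""

if __name__ == "__main__":
    print("raw sample html-only:", check_raw(HTML_ONLY_RAW))
    print("built html-only:", is_html_only(build_newsletter(False)))
    print("built with text/plain alternative:", is_html_only(build_newsletter(True)))
    print(build_newsletter(True).as_string())
```

Printing the multipart/alternative version shows the structure the sender would need to produce: a text/plain part followed by the text/html part under one multipart/alternative container, which is what stops the html-only test from matching.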