Re: Question about sa-updates

2024-06-22 Thread Benny Pedersen

Paul Schmehl skrev den 2024-06-22 07:44:


It’s not clear to me from your answer. Does SA read rules in both
places?


it evaluates first sa-update rules, then later host rules


Or only in /etc/mail/spamassassin/?


this is host rules, you define all global configs here, and it will 
never be overridden by sa-update


add rules to userprefs.cf in same place as local.cf is, score userprefs 
rules with nearly zero score, but not zero 0, why this ?


if done this way scores can be changed in ldap/sql per user, even in 
$HOME/.spamassassin/user_prefs


more help, then i need more info :=)



Re: Question about sa-updates

2024-06-22 Thread David B Funk

On Sat, 22 Jun 2024, Paul Schmehl wrote:


On Jun 22, 2024, at 12:28 AM, Kenneth Porter wrote:

On 6/21/2024 8:56 PM, Paul Schmehl wrote:
I scratched my head, then looked up the man page for sa-update on the web. 
Sure enough, that’s where the rules go. Is that where my local.cf file should 
be located? Right now it’s in /etc/mail/spamassassin. There’s a default 
local.cf file in /var/lib/…..


/var/lib/spamassassin is where channels put their rules. /etc/mail/spamassassin 
is where the host admin puts her customizations. I like to use separate files 
for different policies, named after each effect I'm trying to get. SA will load 
anything there with a .cf extension.

It’s not clear to me from your answer. Does SA read rules in both places? Or 
only in /etc/mail/spamassassin/?



Reading the "man" page documentation for spamassassin, it lists several 
different directories that SA looks for its config files in and the order that 
it reads them from.


The possible directories are distro and version specific so you need to read the 
docs for your specific instance.



--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Question about sa-updates

2024-06-21 Thread Paul Schmehl
> On Jun 22, 2024, at 12:28 AM, Kenneth Porter  wrote:
> 
> On 6/21/2024 8:56 PM, Paul Schmehl wrote:
>> I scratched my head, then looked up the man page for sa-update on the web. 
>> Sure enough, that’s where the rules go. Is that where my local.cf file 
>> should be located? Right now it’s in /etc/mail/spamassassin. There’s a 
>> default local.cf file in /var/lib/…..
> 
> /var/lib/spamassassin is where channels put their rules. 
> /etc/mail/spamassassin is where the host admin puts her customizations. I 
> like to use separate files for different policies, named after each effect 
> I'm trying to get. SA will load anything there with a .cf extension.
> 
> It’s not clear to me from your answer. Does SA read rules in both places? Or 
> only in /etc/mail/spamassassin/? 

Paul Schmehl
paul.schm...@gmail.com


Re: Question about sa-updates

2024-06-21 Thread Kenneth Porter

On 6/21/2024 8:56 PM, Paul Schmehl wrote:
I scratched my head, then looked up the man page for sa-update on the 
web. Sure enough, that’s where the rules go. Is that where my local.cf 
file should be located? Right now it’s in /etc/mail/spamassassin. 
There’s a default local.cf file in /var/lib/…..


/var/lib/spamassassin is where channels put their rules. 
/etc/mail/spamassassin is where the host admin puts her customizations. 
I like to use separate files for different policies, named after each 
effect I'm trying to get. SA will load anything there with a .cf extension.





Question about sa-updates

2024-06-21 Thread Paul Schmehl
I just ran sa-updates. Then I looked in /etc/mail/spamassassin to see if the 
rules had been updated, and none of them had today’s date on them.

So, I downloaded the tar file, unzipped it, and searched for one of the files. 
I found them in /var/lib/spamassassin/….

I scratched my head, then looked up the man page for sa-update on the web. Sure 
enough, that’s where the rules go. Is that where my local.cf file should be 
located? Right now it’s in /etc/mail/spamassassin. There’s a default local.cf 
file in /var/lib/…..

Paul Schmehl
paul.schm...@gmail.com





Re: Sv: Re: Question about a rule

2024-06-18 Thread Laurent S.
I'd also strongly recommend adding boundaries: /\b(blah1|blah2|blah3)\b/i

Otherwise, you might have a whole *pano*ply of words that will make 
legit mails get marked as spam. You need to be super sure about poison pill 
rules, or in French - *pillu*le empoisonnée.

Good luck.

On 18.06.24 13:35, Axb wrote:
> You need to enclose in brackets
> body LOCAL_BLAH   /(blah1|blah2|blah3)/i
> 
> On 6/18/24 13:05, Anders Gustafsson wrote:
>> Sure:
>>
>> body LOCAL_PORN_RULE   /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
>> score LOCAL_PORN_RULE 8
>> describe LOCAL_PORN_RULE   This catches peter's porn spam
>>
>> Sorry again for mailing directly. No idea why it suggests the user and not 
>> users@
>>
> 
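As an added illustration (not code from the thread; Python's re module stands in for the Perl regex engine SpamAssassin uses, and the terms and message bodies are constructed, taking "pano" and "pillu" from the examples in this reply and word1/word2/x69-JOOGA from the posted rule): the bare alternation matches inside innocent words and treats the stray "." after word2 as a wildcard, while the \b-grouped form suggested here does not.

```python
import re

# Constructed stand-ins for the rule's word list: the thread's placeholder
# terms plus "pano" and "pillu", the two substrings Laurent points out.
TERMS = ["word1", "word2", "x69-JOOGA", "pano", "pillu"]

# The rule body as originally posted: a bare alternation with no grouping and
# no boundaries.  The "." after word2 is a regex wildcard, not a full stop, so
# "word2" followed by any character at all matches.
AS_POSTED = re.compile(r"word1|word2.|x69-JOOGA|pano|pillu", re.IGNORECASE)


def bounded_rule(terms):
    """Build the form recommended in the thread, /\b(t1|t2|...)\b/i:
    each term escaped so that characters like '-' and '.' are literal,
    the alternation grouped, and both ends anchored on a word boundary."""
    alternation = "|".join(re.escape(t) for t in terms)
    return re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)


BOUNDED = bounded_rule(TERMS)

# Constructed message bodies.  Only the last one is the kind of mail the
# rule is meant to catch; the first three are legitimate text.
SAMPLES = {
    "panoply":  "We offer a whole panoply of services to our members.",
    "pillule":  "Une pillule empoisonnée, as Laurent put it.",
    "wildcard": "See column word2b of the attached budget sheet.",
    "hit":      "Cheap PANO offers and x69-JOOGA sessions, reply now!",
}


def matches(pattern, text):
    """Return the exact substrings a rule matched in text (empty if no hit)."""
    return [m.group(0) for m in pattern.finditer(text)]


def compare(samples=SAMPLES):
    """For each sample body report (hit_as_posted, hit_bounded)."""
    return {name: (bool(AS_POSTED.search(body)), bool(BOUNDED.search(body)))
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9} posted={matches(AS_POSTED, body)!s:22} "
              f"bounded={matches(BOUNDED, body)}")
```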



Re: Sv: Re: Question about a rule

2024-06-18 Thread Axb

You need to enclose in brackets
body LOCAL_BLAH   /(blah1|blah2|blah3)/i

On 6/18/24 13:05, Anders Gustafsson wrote:

Sure:

body LOCAL_PORN_RULE   /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Sorry again for mailing directly. No idea why it suggests the user and not 
users@





Re: Sv: Re: Question about a rule

2024-06-18 Thread Matus UHLAR - fantomas

On 18.06.24 14:05, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Sorry again for mailing directly. No idea why it suggests the user and not 
users@



I guess that the "sexikäs" causes trouble.
Do you use SA 4.0? That should be compatible with utf-8.




Matus UHLAR - fantomas  2024-06-18 14:00 >>>

On 18.06.24 13:50, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Funny thing is that it seems to trigger on messages that contain none of those 
words. I have removed the actual words so that my message will not be regarded 
as spam.

Wonder if it is that last word that matches some regexp??


This can happen in case of an incorrect regular expression.
Maybe if you posted it here, we could see the error.

run spamassassin -D < mail 2>/tmp/mail.err
and you should be able to see which string matched

Finally, SA recommends using multiple rules with small scores instead of a
single rule with a huge score.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Sv: Re: Question about a rule

2024-06-18 Thread Anders Gustafsson
Sure:

body LOCAL_PORN_RULE   /kiimainen|naida|sexikäs|nussikas|nussia|pillu|pano|kinky|bdsm|pillua|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Sorry again for mailing directly. No idea why it suggests the user and not 
users@

-- 
Kind regards

Anders Gustafsson, engineer
anders.gustafs...@pedago.fi  |  Support +358 18 12060  |  Direkt +358 9 315 45 
121  |  Mobil +358 40506 7099

Pedago interaktiv ab, Nygatan 7 B , AX-22100 MARIEHAMN, ÅLAND, FINLAND



>>> Matus UHLAR - fantomas  2024-06-18 14:00 >>>
On 18.06.24 13:50, Anders Gustafsson wrote:
>body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
>score LOCAL_PORN_RULE 8
>describe LOCAL_PORN_RULE   This catches peter's porn spam
>
>Funny thing is that it seems to trigger on messages that contain none of those 
>words. I have removed the actual words so that my message will not be regarded 
>as spam.
>
>Wonder if it is that last word that matches some regexp??

This can happen in case of an incorrect regular expression.
Maybe if you posted it here, we could see the error.

run spamassassin -D < mail 2>/tmp/mail.err
and you should be able to see which string matched

Finally, SA recommends using multiple rules with small scores instead of a 
single rule with a huge score.


-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ 
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: Question about a rule

2024-06-18 Thread Matus UHLAR - fantomas

On 18.06.24 13:50, Anders Gustafsson wrote:

body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Funny thing is that it seems to trigger on messages that contain none of those 
words. I have removed the actual words so that my message will not be regarded 
as spam.

Wonder if it is that last word that matches some regexp??


This can happen in case of an incorrect regular expression.
Maybe if you posted it here, we could see the error.

run spamassassin -D < mail 2>/tmp/mail.err
and you should be able to see which string matched

Finally, SA recommends using multiple rules with small scores instead of a 
single rule with a huge score.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Question about a rule

2024-06-18 Thread Anders Gustafsson
We have a rule that is supposed to catch various porn-related stuff:

body LOCAL_PORN_RULE   /word1|word2.|x69-JOOGA/i
score LOCAL_PORN_RULE 8
describe LOCAL_PORN_RULE   This catches peter's porn spam

Funny thing is that it seems to trigger on messages that contain none of those 
words. I have removed the actual words so that my message will not be regarded 
as spam.

Wonder if it is that last word that matches some regexp??


-- 
Kind regards

Anders Gustafsson, engineer
anders.gustafs...@pedago.fi  |  Support +358 18 12060  |  Direkt +358 9 315 45 
121  |  Mobil +358 40506 7099

Pedago interaktiv ab, Nygatan 7 B , AX-22100 MARIEHAMN, ÅLAND, FINLAND




Re: uridnsbl_skip_domain question

2024-05-18 Thread giovanni

On 5/17/24 3:17 PM, Matus UHLAR - fantomas wrote:

Hi guys,

I have configured exclusion for some common domains e.g. gov.sk in SA:

uridnsbl_skip_domain [...] gov.sk slovensko.sk

However it seems that that domain is still queried:

  9826  68.951573    127.0.0.1 → 127.0.0.1    DNS 104 Standard query 0xbffe A 
mail.gov.sk.multi.uribl.com OPT

in SA 4 docs I see that:

    uridnsbl_skip_domain domain1 domain2 ...
    Specify a domain, or a number of domains, which should be skipped
    for the URIBL checks.  This is very useful to specify very common
    domains which are not going to be listed in URIBLs.

    In addition to trimmed domain, the full hostname is also checked
    from the list.

Do I have to exclude subdomains for each host too?
(this would kind of defeat the directive imho).

This is SA 3.4.6 (debian 11) which does not have the latter paragraph but I 
assume the difference is only in documentation.


From a quick look at the code it seems that the subdomains check has been added to 
Mail::SpamAssassin::Plugin::URIDNSBL with commit r1889093 ~10 days after the 3.4.6 
release.
In addition to that Mail::SpamAssassin::Plugin::DNSEval honors the 
uridnsbl_skip_domain preference only in trunk code.

  Giovanni




uridnsbl_skip_domain question

2024-05-17 Thread Matus UHLAR - fantomas

Hi guys,

I have configured exclusion for some common domains e.g. gov.sk in SA:

uridnsbl_skip_domain [...] gov.sk slovensko.sk

However it seems that that domain is still queried:

  9826  68.951573    127.0.0.1 → 127.0.0.1    DNS 104 Standard query 0xbffe A 
mail.gov.sk.multi.uribl.com OPT

in SA 4 docs I see that:

   uridnsbl_skip_domain domain1 domain2 ...
   Specify a domain, or a number of domains, which should be skipped
   for the URIBL checks.  This is very useful to specify very common
   domains which are not going to be listed in URIBLs.

   In addition to trimmed domain, the full hostname is also checked
   from the list.

Do I have to exclude subdomains for each host too?
(this would kind of defeat the directive imho).

This is SA 3.4.6 (debian 11) which does not have the latter paragraph but I 
assume the difference is only in documentation.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-20 Thread Byung-Hee HWANG
On Fri, 2024-01-19 at 15:15 +0100, Benny Pedersen wrote:
> Byung-Hee HWANG skrev den 2024-01-19 11:12:
> 
> > I rely on DNSWL for the reputable MX.
> 
> if reputation is 100% needed we all have to make local rescore on all 
> local mails, since reputation is to be local, not external just
> 
> i consider dnswl level 0 to be positive scored, and let the other 
> levels be negative, this fits nicely, but was not designed to be so
> in mta stage
> 

I think "reputation" is a somewhat political term. And each person has
different standards. So it's quite difficult to give a detailed
response to your feedback.

Happy new year, Benny!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread John Hardin

On Fri, 19 Jan 2024, Thomas Cameron wrote:


On 1/19/24 16:32, Byung-Hee HWANG wrote:

 There is a filtering rule in Gmail:

 *Never send it to Spam*

 I apply that rule to extremely important emails such as debian-bugs-
 dist and debian-devel-announce.


You know that. I know that. But trying to explain to the board members I'm 
helping out is... painful.


Very simply worded step by step instructions, with screenshots amended 
with arrows, outlines, highlights and so forth as needed.


...the .sigmonster agrees.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  News flash: Lowest Common Denominator down 50 points
---
 4 days until John Moses Browning's 169th Birthday


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/19/24 16:32, Byung-Hee HWANG wrote:

There is a filtering rule in Gmail:

*Never send it to Spam*

I apply that rule to extremely important emails such as debian-bugs-
dist and debian-devel-announce.


You know that. I know that. But trying to explain to the board members 
I'm helping out is... painful.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Byung-Hee HWANG
Hello Thomas,

> But it drops it into the spam folder every time. So when I'm sending 
> emails to someone's alias, they have to check their spam folder. Even
> when they mark it as "not spam," GMail still drops it into the spam 
> folder. It's very frustrating.
> 

There is a filtering rule in Gmail:

*Never send it to Spam*

I apply that rule to extremely important emails such as debian-bugs-
dist and debian-devel-announce.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/19/24 14:33, Matija Nalis wrote:

You would need to encourage at least several of the recipients (the
more the better) to click on "Not spam" button on GMail on such
mails. Then it will (eventually) start accepting them normally.


Yup, that's basically what I've been doing.


see e.g. 
https://serverfault.com/questions/953486/repairing-e-mail-domain-reputation-on-google

I suspect that Google might even be doing it on purpose, in order to
"encourage" even more users to be locked in their e-mail
walled-garden ecosystem.


Google being anti-competitive? I'm shocked! SHOCKED, I say! 

--
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Matija Nalis
On Fri, Jan 19, 2024 at 10:37:13AM -0600, Thomas Cameron wrote:
> The forwarded email is being *accepted* by GMail. My issue now is that GMail
> drops it into the recipient's spam folder. I suspect it's a reputation
> thing. Once the server is up and running for a while, I'm hoping that GMail
> will stop flagging the emails from the server as spam.


You would need to encourage at least several of the recipients (the
more the better) to click on "Not spam" button on GMail on such
mails. Then it will (eventually) start accepting them normally.

see e.g. 
https://serverfault.com/questions/953486/repairing-e-mail-domain-reputation-on-google

I suspect that Google might even be doing it on purpose, in order to
"encourage" even more users to be locked in their e-mail
walled-garden ecosystem.

-- 
Opinions above are GNU-copylefted.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/7/24 05:40, Matus UHLAR - fantomas wrote:
I built email servers for a non-profit I volunteer for.  If email 
comes into the server for presid...@myassociation.org, I would 
normally just create an alias in /etc/aliases so that emails to 
president@ get forwarded to the president's "real" email address, say 
presidents_real_em...@gmail.com.


postfix supports expand_owner_alias, which, when you are sending to 
al...@example.com, will set sender to owner-al...@example.com.


That way SPF should pass.

The problem is, when I send email to presid...@myassociation.org, 
gmail rejects the forwarded email because it appears to come from my 
personal domain, not the mythical myassociation.org domain.  DKIM, 
DMARC, and SPF all fail, which I totally understand.


How can I make this work?


DKIM should not fail, unless you modify the message. Do you modify the 
message?



On 07.01.24 19:07, Byung-Hee HWANG wrote:

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Cite:


If your dkim signature is OK, then Gmail does accept all
mails. So never use SRS. DKIM is enough.


This is not good advice. Whoever filters SPF at SMTP time will reject 
that message. Gmail is not the only mail service available.


Initially, I was seeing errors where GMail didn't list SPF as "passed." 
But after about an hour, it started passing. I think it was an old DNS 
record that finally expired.


The forwarded email is being *accepted* by GMail. My issue now is that 
GMail drops it into the recipient's spam folder. I suspect it's a 
reputation thing. Once the server is up and running for a while, I'm 
hoping that GMail will stop flagging the emails from the server as spam.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/7/24 04:07, Byung-Hee HWANG wrote:

Hello Thomas,

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Sincerely, Byung-Hee


The issue is not so much that GMail doesn't accept the email. It does, 
since I have DKIM, DMARC, and SPF set up.


But it drops it into the spam folder every time. So when I'm sending 
emails to someone's alias, they have to check their spam folder. Even 
when they mark it as "not spam," GMail still drops it into the spam 
folder. It's very frustrating.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Benny Pedersen

Byung-Hee HWANG skrev den 2024-01-19 11:12:


I rely on DNSWL for the reputable MX.


if reputation is 100% needed we all have to make local rescore on all 
local mails, since reputation is to be local, not external just


i consider dnswl level 0 to be positive scored, and let the other 
levels be negative, this fits nicely, but was not designed to be so in 
mta stage




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Benny Pedersen

Marc skrev den 2024-01-19 09:34:


Hi Byung and Benny, are you having a nice MX party? :)


not needed yet, hehe




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Benny Pedersen

Byung-Hee HWANG skrev den 2024-01-19 06:16:


Actually i used Google MX for 10 years. Recently, i created dedicated
MXs and am continuing to operate them. Plus, the dedicated MXs run on
Google Cloud and RimuHosting.


it was too weird for me to figure out how to get it working, and possibly 
in the long run also too expensive, one of the problems i spotted is no 
dnssec, who will accept this in 2024 ?


i have considered also protonmail and fastmail, just to name others, with 
proton i lost the mails on the account, lost the private key, 
so learned it the hard way


for me hosting own servers is best, with gentoo, no precompiled 
problems at all



I terminated my Google Workspace commercial account. 2 years ago.


not needed anymore ?, or just too expensive ?, minimally one could have an 
own mta, and then relay with sasl auth to gmail, so this way gmail is 
just mail storage, and the reverse is in gmail to use external mta, if i 
do anything, i might try it




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Byung-Hee HWANG
On Fri, 2024-01-19 at 08:34 +, Marc wrote:
> > > Byung-Hee HWANG skrev den 2024-01-08 12:27:
> > > 
> > > > Gmail is my last INBOX. That's enough for me.
> > > 
> > > +1, so you are ready to setup google mx ? :)
> > > 
> > 
> > Hello Benny,
> > 
> > Actually i used Google MX for 10 years. Recently, i created
> > dedicated
> > MXs and am continuing to operate them. Plus, the dedicated MXs run
> > on
> > Google Cloud and RimuHosting.
> > 
> > I terminated my Google Workspace commercial account. 2 years ago.
> > 
> 
> Hi Byung and Benny, are you having a nice MX party? :)
> 

Hello Marc,

I rely on DNSWL for the reputable MX.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


RE: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Marc
> > Byung-Hee HWANG skrev den 2024-01-08 12:27:
> >
> > > Gmail is my last INBOX. That's enough for me.
> >
> > +1, so you are ready to setup google mx ? :)
> >
> 
> Hello Benny,
> 
> Actually i used Google MX for 10 years. Recently, i created dedicated
> MXs and am continuing to operate them. Plus, the dedicated MXs run on
> Google Cloud and RimuHosting.
> 
> I terminated my Google Workspace commercial account. 2 years ago.
> 

Hi Byung and Benny, are you having a nice MX party? :)



Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-18 Thread Byung-Hee HWANG
On Mon, 2024-01-08 at 17:17 +0100, Benny Pedersen wrote:
> Byung-Hee HWANG skrev den 2024-01-08 12:27:
> 
> > Gmail is my last INBOX. That's enough for me.
> 
> +1, so you are ready to setup google mx ? :)
> 

Hello Benny,

Actually i used Google MX for 10 years. Recently, i created dedicated
MXs and am continuing to operate them. Plus, the dedicated MXs run on
Google Cloud and RimuHosting.

I terminated my Google Workspace commercial account. 2 years ago. 


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Benny Pedersen

Byung-Hee HWANG skrev den 2024-01-08 12:27:


Gmail is my last INBOX. That's enough for me.


+1, so you are ready to setup google mx ? :)

https://support.google.com/a/answer/140034?hl=en

i don't like it yet, missing dnssec and dane, tlsa, google is not 
friendly there


if google wants my money its required payment for me



Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Matus UHLAR - fantomas

This is not good advice. Whoever filters SPF at SMTP time will
reject that
message. Gmail is not the only mail service available.


On 08.01.24 20:27, Byung-Hee HWANG wrote:

Gmail is my last INBOX. That's enough for me.


that's what I wanted to say - enough for someone, but not generally enough.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Byung-Hee HWANG
> 
> This is not good advice. Whoever filters SPF at SMTP time will
> reject that 
> message. Gmail is not the only mail service available.

Hello Matus,

Gmail is my last INBOX. That's enough for me.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-07 Thread Matus UHLAR - fantomas
I built email servers for a non-profit I volunteer for.  If email comes 
into the server for presid...@myassociation.org, I would normally just 
create an alias in /etc/aliases so that emails to president@ get 
forwarded to the president's "real" email address, say 
presidents_real_em...@gmail.com.


postfix supports expand_owner_alias, which, when you are sending to 
al...@example.com, will set sender to owner-al...@example.com.


That way SPF should pass.

The problem is, when I send email to presid...@myassociation.org, gmail 
rejects the forwarded email because it appears to come from my personal 
domain, not the mythical myassociation.org domain.  DKIM, DMARC, and SPF 
all fail, which I totally understand.


How can I make this work?


DKIM should not fail, unless you modify the message. Do you modify the 
message?



On 07.01.24 19:07, Byung-Hee HWANG wrote:

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Cite:


If your dkim signature is OK, then Gmail does accept all
mails. So never use SRS. DKIM is enough.


This is not good advice. Whoever filters SPF at SMTP time will reject that 
message. Gmail is not the only mail service available.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-07 Thread Byung-Hee HWANG
> 
> I built email servers for a non-profit I volunteer for. If email
> comes 
> into the server for presid...@myassociation.org, I would normally
> just 
> create an alias in /etc/aliases so that emails to president@ get 
> forwarded to the president's "real" email address, say 
> presidents_real_em...@gmail.com.
> 
> The problem is, when I send email to presid...@myassociation.org,
> gmail 
> rejects the forwarded email because it appears to come from my
> personal 
> domain, not the mythical myassociation.org domain. DKIM, DMARC, and
> SPF 
> all fail, which I totally understand.
> 
> How can I make this work? 


Hello Thomas,

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Andy Smith
Hello,

On Wed, Jan 03, 2024 at 01:24:02PM -0600, Thomas Cameron via users wrote:
> On 1/2/24 17:51, Andy Smith wrote:
> > - Have your users collect their your-org email by some means other
> >than SMTP, such as running an IMAP server and having them view
> >both their gmail mailbox and their your-org inbox in one place (I
> >have no idea if that is feasible with gmail).
> 
> This is what *I* would do, for sure. But the members of the association are
> incredibly non-technical, and trying to walk them through setting up an
> email client like Thunderbird or Outlook is a recipe for disaster.

I understand their point of view but maybe it needs putting to them
from the angle that the org is like any other workplace. They would
not expect their employer's internal emails to be forwarded to them
at $freemail.

Though then that does invite them to ask if they can have a
dedicated device to manage org email then. 

(Which in many ways is not unreasonable either…)

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Thomas Cameron

On 1/4/24 06:35, Matus UHLAR - fantomas wrote:

On 03.01.24 20:36, Thomas Cameron wrote:
Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.


only one of those DKIM signatures needs to pass, with the domain in From:


Yup, and it seems to be working now. After about an hour, it suddenly 
started working as expected.



GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort of configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I 
am looking at the OpenDKIM headers. It's in a weird limbo where I can 
see the email got marked but GMail is not marking it either way.


can we see headers From: and Authentication-Results as they were seen on 
your server?


I absolutely can send them, but since it's working now, I'm going to 
blame this on Google and run. :-D


--
Thanks!
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Thomas Cameron

On 1/4/24 06:31, Matus UHLAR - fantomas wrote:

On 03.01.24 19:30, Thomas Cameron wrote:
Thanks for the advice on SRS - I have set it up and it's mostly 
working. At least GMail accepts the emails, although it seems to be 
failing DKIM and DMARC tests. I'm digging into what, if anything, can 
be done to make PostSRSd fix this issue.


DKIM fails if the message is modified in your server (or, if DKIM failed 
already when it came to it)


DMARC fails if neither DKIM nor SPF succeed, where DKIM signature or the 
SPF record must be from the domain in From:


When you forward e-mail, SRS makes sure SPF record is from your domain, 
but the DKIM signature must be made by sending server, so forwarded 
messages without valid DKIM signature will not pass.


The weird thing is, after a little while, everything seems to be working 
just fine. When I send an email to one of the aliases on the server, it 
sends it to the "real" email address at GMail. It now passes SPF, DMARC, 
and DKIM tests. Looking in the headers on GMail, I see both DKIM 
signatures, from the server which sent the original email, and the one 
on our mail server.


I have no idea why GMail was saying it didn't pass checks earlier. I saw 
the same DKIM signatures in the headers before.


Anyway, SRS is very cool, and I appreciate all the folks who pointed me 
to it.


--
Thanks for the advice, Matus!
Thomas
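To make the alignment rules Matus spells out above concrete, here is an added Python sketch (not code from the thread, from PostSRSd or from SpamAssassin): a simplified SRS0 rewrite and a DMARC alignment evaluation run over the three forwarding cases discussed, with somedomain.com, myassociation.org, the sender address and the SRS secret as constructed values, and the organizational domain simplified to the last two labels.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import List


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: no public-suffix list, which is enough for the
    example.com-style names used in this thread."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def srs0_rewrite(envelope_from: str, forwarder: str, secret: bytes,
                 timestamp: str = "TT") -> str:
    """Rewrite the envelope sender the way an SRS forwarder does:
    SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>.
    Bounces now go to the forwarder, whose SPF record covers its own IPs.
    The hash is an HMAC over timestamp, domain and local part truncated to
    four base64 characters; the timestamp is a constructed placeholder here
    (real SRS encodes the day in base32)."""
    local, domain = envelope_from.rsplit("@", 1)
    mac = hmac.new(secret, f"{timestamp}{domain}{local}".lower().encode(),
                   hashlib.sha1).digest()
    tag = base64.b64encode(mac)[:4].decode()
    return f"SRS0={tag}={timestamp}={domain}={local}@{forwarder}"


@dataclass
class Message:
    header_from: str              # address in the From: header
    envelope_from: str            # MAIL FROM as seen by the final receiver
    spf_result: str               # "pass" or "fail" for envelope_from at that hop
    dkim_pass_domains: List[str]  # d= of every signature that still verifies


def dmarc_result(msg: Message, strict: bool = False) -> dict:
    """DMARC as Matus describes it: it passes when SPF passes for a domain
    aligned with From:, or when at least one verifying DKIM signature is
    aligned with From:.  Extra unaligned signatures (such as the forwarder's
    own) neither help nor hurt.  Relaxed alignment compares organizational
    domains; strict alignment requires an exact match."""
    from_domain = msg.header_from.rsplit("@", 1)[1].lower()

    def aligned(domain: str) -> bool:
        if strict:
            return domain.lower() == from_domain
        return org_domain(domain) == org_domain(from_domain)

    spf_domain = msg.envelope_from.rsplit("@", 1)[1]
    spf_aligned = msg.spf_result == "pass" and aligned(spf_domain)
    dkim_aligned = any(aligned(d) for d in msg.dkim_pass_domains)
    return {"spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


# Constructed values: the thread's placeholder domains and a made-up SRS secret.
ORIGINAL_FROM = "sender@somedomain.com"
FORWARDER = "myassociation.org"
SECRET = b"constructed-srs-secret"


def forwarding_scenarios() -> dict:
    """The three cases discussed in the thread, evaluated at the final receiver.
    SPF results are given as inputs; only alignment is computed here."""
    rewritten = srs0_rewrite(ORIGINAL_FROM, FORWARDER, SECRET)
    return {
        # SRS on, message untouched: the forwarder's SPF passes but is not
        # aligned; the sender's surviving DKIM signature is aligned, so DMARC passes.
        "srs_unmodified": dmarc_result(Message(
            ORIGINAL_FROM, rewritten, "pass", ["somedomain.com", FORWARDER])),
        # SRS on, but the forwarder altered the message (footer, re-encoding):
        # only its own signature verifies, and that one is not aligned.
        "srs_modified": dmarc_result(Message(
            ORIGINAL_FROM, rewritten, "pass", [FORWARDER])),
        # No SRS: envelope sender still somedomain.com, whose SPF record does
        # not list the forwarder, so SPF fails.  DKIM still carries DMARC, but
        # a receiver that rejects on SPF at SMTP time never evaluates it.
        "no_srs_unmodified": dmarc_result(Message(
            ORIGINAL_FROM, ORIGINAL_FROM, "fail", ["somedomain.com"])),
    }


if __name__ == "__main__":
    print(srs0_rewrite(ORIGINAL_FROM, FORWARDER, SECRET))
    for name, result in forwarding_scenarios().items():
        print(f"{name:18} {result}")
```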


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Matus UHLAR - fantomas

Thomas Cameron  writes:

Yeah, the weird thing is, when I check the forwarded email on GMail, I
see in the headers that both the original sending email server (call
it mail.somedomain.com) and the relay server (call it
mail.myassociation.org) put DKIM signatures in the message.



On 1/3/24 19:45, Greg Troxel wrote:

That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.


On 03.01.24 20:36, Thomas Cameron wrote:
Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.


only one of those DKIM signatures needs to pass, with the domain in From:


GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort of configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I 
am looking at the OpenDKIM headers. It's in a weird limbo where I can 
see the email got marked but GMail is not marking it either way.


can we see headers From: and Authentication-Results as they were seen on 
your server?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Matus UHLAR - fantomas

On 1/3/24 15:44, Bill Cole wrote:
Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) 
and it has multiple implementations. If you forward mail, you will 
break SPF unless you fix the envelope sender so that it uses a 
domain  that permits the example.org server to send for it.


OR, you could instead deliver to a POP mailbox locally and have 
users fetch from there instead of simply forwarding mail to them. 
This also avoids a completely distinct problem of places like GMail 
deciding that your org's mail server is a spamming service because 
it is forwarding spam. If users POP their mail instead of having it 
forwarded via SMTP, that does not happen.


On 03.01.24 19:30, Thomas Cameron wrote:
Thanks for the advice on SRS - I have set it up and it's mostly 
working. At least GMail accepts the emails, although it seems to be 
failing DKIM and DMARC tests. I'm digging into what, if anything, can 
be done to make PostSRSd fix this issue.


DKIM fails if the message is modified in your server (or, if DKIM failed 
already when it came to it)


DMARC fails if neither DKIM nor SPF succeeds, where the DKIM signature or the SPF 
record must be from the domain in From:


When you forward e-mail, SRS makes sure the SPF record is from your domain, but 
the DKIM signature must be made by the sending server, so forwarded messages 
without a valid DKIM signature will not pass.



Many thanks for your help, it's genuinely appreciated!


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
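To make the alignment rule above concrete, here is an added worked example (not code from the thread, PostSRSd or SpamAssassin). It parses Authentication-Results headers the way a final receiver records them and applies the DMARC rule: the message passes only if an SPF pass or a DKIM pass is aligned with the From: domain. The two sample messages are constructed, the domains and selector names are invented, and the organizational-domain check is simplified to "last two labels" instead of the Public Suffix List a real evaluator would use. The second sample shows the forwarder-modified-the-body case, where the forwarder's own signature and SRS-fixed SPF both pass but neither is aligned, so DMARC still fails.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not taken from the thread): a message from
# alice@example.net, forwarded by mail.example.org with SRS, as the final
# receiver might record it. Both the originator and the forwarder signed.
SAMPLE_FORWARDED = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=SRS0=q1bx=J7=example.net=alice@mail.example.org;
 dkim=pass (2048-bit key) header.d=example.net header.s=sel1;
 dkim=pass header.d=mail.example.org header.s=fwd
From: Alice <alice@example.net>
To: president@example.org
Subject: forwarded

hello
"""

# Same path, but the forwarder altered the body, so the original signature broke.
SAMPLE_MODIFIED = SAMPLE_FORWARDED.replace(
    "dkim=pass (2048-bit key) header.d=example.net",
    "dkim=fail (body hash did not verify) header.d=example.net")

_COMMENT = re.compile(r"\([^)]*\)")


def parse_auth_results(value):
    """Split one Authentication-Results value into per-method dicts.

    Returns e.g. [{'method': 'spf', 'result': 'pass', 'smtp.mailfrom': '...'}, ...].
    CFWS comments such as "(2048-bit key)" are dropped first.
    """
    value = _COMMENT.sub(" ", value)
    parts = [p.strip() for p in value.split(";")]
    results = []
    for resinfo in parts[1:]:            # parts[0] is the authserv-id
        if not resinfo or resinfo.lower() == "none":
            continue
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            # partition on the first '=' only: an SRS-rewritten mailfrom such as
            # SRS0=hash=ts=example.net=alice@... contains '=' itself
            key, sep, val = tok.partition("=")
            if sep:
                entry[key.lower()] = val
        results.append(entry)
    return results


def org_domain(domain):
    """Organizational domain for relaxed alignment.

    Simplification (assumption): keep the last two labels. Real DMARC
    evaluators consult the Public Suffix List so that example.co.uk works.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, strict=False):
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(raw_message, strict=False):
    """Decide DMARC pass/fail from the From: domain and the recorded SPF/DKIM results."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    results = []
    for hdr in msg.get_all("Authentication-Results", []):
        results.extend(parse_auth_results(hdr))
    spf_aligned = any(
        r["method"] == "spf" and r["result"] == "pass"
        and aligned(r.get("smtp.mailfrom", "").rpartition("@")[2], from_domain, strict)
        for r in results)
    dkim_aligned = any(
        r["method"] == "dkim" and r["result"] == "pass"
        and aligned(r.get("header.d", ""), from_domain, strict)
        for r in results)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for name, sample in (("intact", SAMPLE_FORWARDED), ("modified", SAMPLE_MODIFIED)):
        print(name, dmarc_evaluate(sample))
```

The point a forwarder operator should take from the intact case: SRS made SPF pass, but for mail.example.org, not for example.net, so that pass contributes nothing to DMARC. The only thing that carries the message through is the originator's example.net signature, which survives exactly as long as the forwarder does not touch the signed headers or body.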


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron




On 1/3/24 19:45, Greg Troxel wrote:

Thomas Cameron  writes:


Yeah, the weird thing is, when I check the forwarded email on GMail, I
see in the headers that both the original sending email server (call
it mail.somedomain.com) and the relay server (call it
mail.myassociation.org) put DKIM signatures in the message.


That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.


Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.



GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort of configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I am 
looking at the OpenDKIM headers. It's in a weird limbo where I can see 
the email got marked but GMail is not marking it either way.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Greg Troxel
Thomas Cameron  writes:

> Yeah, the weird thing is, when I check the forwarded email on GMail, I
> see in the headers that both the original sending email server (call
> it mail.somedomain.com) and the relay server (call it
> mail.myassociation.org) put DKIM signatures in the message.

That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.

> GMail doesn't flag it as "passed" for DKIM. I am looking to see if
> PostSRSd has any sort configuration option to delete the DKIM of the
> original sending server so that it will "pass" DKIM checks.

Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron

On 1/3/24 17:41, Greg Troxel wrote:

You are overlooking that DKIM from the original From: is the
responsibility of that domain and that if you do not modify the message
then it should still pass.  Domains sending without DKIM are going to be
a mess.


Yeah, the weird thing is, when I check the forwarded email on GMail, I 
see in the headers that both the original sending email server (call it 
mail.somedomain.com) and the relay server (call it 
mail.myassociation.org) put DKIM signatures in the message.


GMail doesn't flag it as "passed" for DKIM. I am looking to see if 
PostSRSd has any sort of configuration option to delete the DKIM of the 
original sending server so that it will "pass" DKIM checks.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron

On 1/3/24 15:44, Bill Cole wrote:


Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) and it 
has multiple implementations. If you forward mail, you will break SPF 
unless you fix the envelope sender so that it uses a domain  that 
permits the example.org server to send for it.


OR, you could instead deliver to a POP mailbox locally and have users 
fetch from there instead of simply forwarding mail to them. This also 
avoids a completely distinct problem of places like GMail deciding that 
your org's mail server is a spamming service because it is forwarding 
spam. If users POP their mail instead of having it forwarded via SMTP, 
that does not happen.


Thanks for the advice on SRS - I have set it up and it's mostly working. 
At least GMail accepts the emails, although it seems to be failing DKIM 
and DMARC tests. I'm digging into what, if anything, can be done to make 
PostSRSd fix this issue.


Many thanks for your help, it's genuinely appreciated!

Thomas


[SOLVED] Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron

On 1/3/24 18:16, Michael Grant wrote:

Here's what I have done in the past from my server to get around this
situation you are having:

1. In my .procmailrc file

:0c:
!exam...@gmail.com

This sends a copy (the c flag in first line) of the message to the
gmail account and leaves a copy in your inbox.

2. From your exam...@gmail.com acct, go to Settings -> Accounts and
Import.  Under the section 'Check email from other accounts', Add an
email account.  Then add your server's account and use POP to suck
over emails as they arrive.  Have it delete the emails once they are
sucked over.

What this does is it causes messages to be forwarded to gmail, but
some small number of them bounce because of whatever decision gmail
makes.  But those messages are popped in later, so there's no lost
mail.  Gmail de-duplicates the messages so you don't get messages
twice, and it never refuses to pop the messages in.  Popping in
messages is slow, so when the forward works (which seems to be most of
the time), mail comes in quick, unless it bounces, in which case, it's
popped in a few minutes, sometimes 10s of minutes, later.

If you are concerned about the bounce messages going back into your
mailbox (gmail doesn't loop here fortunately), you can write a
procmail rule to siphon those off into another folder or into
/dev/null.  (Left as exercise for the reader...)

3. You *may* need to do one further thing, you may need to go back
into gmail's Account and Import settings and set up 'Send mail as' and
set up to send mail as your email address on your server.  I can't
remember if gmail does this automatically for you in step 2 above or
not.

4. You probably want to then click the radio button "Reply from the
same address to which the message was sent".  Otherwise, when you
reply, it'll come from your gmail address and not your server's email
address. These radio buttons only appear once you have at least one
Send As address set up.

Michael Grant


This is super helpful, thank you very much! I was not aware you could 
configure GMail to pull from another account, that's incredibly helpful!


I wound up installing PostSRSd 
(https://github.com/roehling/postsrsd/tree/main). Now, when I send email 
to one of the officers in the non-profit, I have their actual email 
address set up in /etc/aliases, and SRSd rewrites the headers so that 
GMail at least accepts them now. Before, it was just flat out rejecting 
them.


The annoying thing is that when I send email from the mail server I set 
up, even though it *passes* SPF, DKIM, and DMARC 
(https://imgur.com/a/FuA6HiK), GMail is still dumping into the Spam 
folder. It's incredibly irritating. After I marked a handful of them 
"not spam," it stopped doing it, but we're going to be sending emails to 
the members of the association (and I know several use GMail). I really 
don't know what the heck I am supposed to do to get GMail to stop 
dropping the messages into the spam folder. I thought you could set up 
some sort of DNS TXT record for Google to show that you're a legit 
sender, but I can't find documentation for it except for Google Workplaces.


Anyway, thanks everyone for the great suggestions! I learned a lot doing 
this, and I was unaware of SRS... That's fantastic info!


--
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Michael Grant via users
Here's what I have done in the past from my server to get around this
situation you are having:

1. In my .procmailrc file

:0c:
!exam...@gmail.com

This sends a copy (the c flag in first line) of the message to the
gmail account and leaves a copy in your inbox.

2. From your exam...@gmail.com acct, go to Settings -> Accounts and
Import.  Under the section 'Check email from other accounts', Add an
email account.  Then add your server's account and use POP to suck
over emails as they arrive.  Have it delete the emails once they are
sucked over.

What this does is it causes messages to be forwarded to gmail, but
some small number of them bounce because of whatever decision gmail
makes.  But those messages are popped in later, so there's no lost
mail.  Gmail de-duplicates the messages so you don't get messages
twice, and it never refuses to pop the messages in.  Popping in
messages is slow, so when the forward works (which seems to be most of
the time), mail comes in quick, unless it bounces, in which case, it's
popped in a few minutes, sometimes 10s of minutes, later.

If you are concerned about the bounce messages going back into your
mailbox (gmail doesn't loop here fortunately), you can write a
procmail rule to siphon those off into another folder or into
/dev/null.  (Left as exercise for the reader...)

3. You *may* need to do one further thing, you may need to go back
into gmail's Account and Import settings and set up 'Send mail as' and
set up to send mail as your email address on your server.  I can't
remember if gmail does this automatically for you in step 2 above or
not.

4. You probably want to then click the radio button "Reply from the
same address to which the message was sent".  Otherwise, when you
reply, it'll come from your gmail address and not your server's email
address. These radio buttons only appear once you have at least one
Send As address set up.

Michael Grant




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Greg Troxel
"Thomas Cameron via users"  writes:

> I actually set up SPF, DMARC, and DKIM on the non-profit's email
> server. It works fine if I send email from the server.
>
> The rub is, I want all emails to presid...@example.org to be forwarded
> to presidents_real_addr...@gmail.com. Since the forward happens at
> mail.example.org, the "from" is from some other domain from
> example.org, so it fails all the tests.

You are overlooking that DKIM from the original From: is the
responsibility of that domain and that if you do not modify the message
then it should still pass.  Domains sending without DKIM are going to be
a mess.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread admin
Hello Thomas,

This might help too:
These failures are often due to SPFs that have a hard fail (meaning they end 
with ‘-all’). When I dealt with this in the past, the original sending domain 
was one where we could modify the SPF. So we had the email sender change “-all” 
to “~all” and since that makes it a soft fail, the email forwards started 
operating again. 

And it sounds like you already know this but: 

SPFs are basically TXT records attached to a domain’s DNS that specifies which 
mail server IPs have permission to send that domain’s emails. Hence the issue 
with email forwarding; Domain A sends to B which sends to C which makes C 
grumpy since B isn’t on A’s list of approved IPs. 

> On Jan 3, 2024, at 1:46 PM, Bill Cole 
>  wrote:
> 
> On 2024-01-03 at 14:17:11 UTC-0500 (Wed, 3 Jan 2024 13:17:11 -0600)
> Thomas Cameron via users 
> is rumored to have said:
> 
>> The rub is, I want all emails to presid...@example.org to be forwarded to 
>> presidents_real_addr...@gmail.com. Since the forward happens at 
>> mail.example.org, the "from" is from some other domain from example.org, so 
>> it fails all the tests.
> 
> Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) and it has 
> multiple implementations. If you forward mail, you will break SPF unless you 
> fix the envelope sender so that it uses a domain  that permits the 
> example.org server to send for it.
> 
> OR, you could instead deliver to a POP mailbox locally and have users fetch 
> from there instead of simply forwarding mail to them. This also avoids a 
> completely distinct problem of places like GMail deciding that your org's 
> mail server is a spamming service because it is forwarding spam. If users POP 
> their mail instead of having it forwarded via SMTP, that does not happen.
> 
> 
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
> 
> 
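An added worked example (not code from the thread) of the SPF evaluation described above: a small evaluator over a constructed table of TXT records that stands in for live DNS, handling ip4, ip6, include and the final all mechanism, with the depth limit RFC 7208 imposes on includes. The domain names and addresses are invented. Run against a forwarder's IP that is not in the sender domain's record, the same lookup yields "fail" under "-all" and "softfail" under "~all", which is the difference the post describes.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (assumption: illustrative
# names and addresses, not the thread's real domains).
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "relaxed.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-causing mechanisms at 10 per check


def check_spf(ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate an SPF record for a connecting IP.

    Handles ip4, ip6, include and all. Mechanisms that need live DNS (a, mx,
    ptr, exists) and modifiers (redirect=, exp=) are skipped, which is enough
    to show how the trailing 'all' qualifier decides a forwarder's fate.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        if "=" in term:                 # modifier such as redirect=...; skipped here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower().split("/", 1)[0]   # "a/24" -> "a"
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            inner = check_spf(ip, arg, records, depth + 1)
            if inner == "pass":         # include matches only on 'pass'
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"      # missing or broken included record
        elif name in ("a", "mx", "ptr", "exists"):
            continue
        else:
            return "permerror"
    return "neutral"                    # ran out of terms without a match or 'all'


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "192.0.2.7"):
        print(ip, "example.net ->", check_spf(ip, "example.net"),
              "| relaxed.example ->", check_spf(ip, "relaxed.example"))
```

One caveat worth keeping in mind when weighing the "~all" advice: DMARC only counts an SPF result of "pass" (RFC 7489), so a softfail stops a receiver from rejecting on SPF alone but still leaves DMARC resting entirely on an aligned DKIM signature.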


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Bill Cole

On 2024-01-03 at 14:17:11 UTC-0500 (Wed, 3 Jan 2024 13:17:11 -0600)
Thomas Cameron via users 
is rumored to have said:

The rub is, I want all emails to presid...@example.org to be forwarded 
to presidents_real_addr...@gmail.com. Since the forward happens at 
mail.example.org, the "from" is from some other domain from 
example.org, so it fails all the tests.


Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) and it 
has multiple implementations. If you forward mail, you will break SPF 
unless you fix the envelope sender so that it uses a domain  that 
permits the example.org server to send for it.


OR, you could instead deliver to a POP mailbox locally and have users 
fetch from there instead of simply forwarding mail to them. This also 
avoids a completely distinct problem of places like GMail deciding that 
your org's mail server is a spamming service because it is forwarding 
spam. If users POP their mail instead of having it forwarded via SMTP, 
that does not happen.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron via users

On 1/2/24 17:51, Andy Smith wrote:

Hi Thomas,

On Tue, Jan 02, 2024 at 04:24:37PM -0600, Thomas Cameron via users wrote:

I built email servers for a non-profit I volunteer for. If email comes into
the server for presid...@myassociation.org, I would normally just create an
alias in /etc/aliases so that emails to president@ get forwarded to the
president's "real" email address, say presidents_real_em...@gmail.com.


This causes your server to pass on email without changing envelope
sender, so your server is purporting to be whoever the email is
originally from. Any email authentication measure working on the
envelope sender, such as SPF, will then fail, as your server is
indistinguishable from a random host forging the original sender's
domain.


Yup, that's exactly what's happening. Email from an association member 
may come in from u...@otherdomain.com and when it gets forwarded to 
GMail, they reject it because the mail server isn't otherdomain.com's 
email server. I get *why* it's failing, I was just hoping someone had a 
better idea.



How can I make this work? Is there a good way to use something like
/etc/aliases to forward emails to the domain I manage to another recipient?
Or is there something better I can do?


You need to give up on /etc/aliases for external routing of email
unless you control all the original sender domains and can for
example add your server IPs to its authentication mechanisms (e.g.
SPF).

Since you probably can't do that for any recipient domain that
expects to receive Internet email, you need to either:

- Implement Sender Rewriting Scheme (SRS) so that your server takes
   responsibility for forwarded emails with its own envelope sender.
   https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme


This is excellent, I was not aware of it. I'm digging into it now. I was 
playing around with using a procmail recipe to munch the "from" address, 
but SRS looks like a MUCH better plan. Thank you so much!



Or:

- Have your users collect their your-org email by some means other
   than SMTP, such as running an IMAP server and having them view
   both their gmail mailbox and their your-org inbox in one place (I
   have no idea if that is feasible with gmail).


This is what *I* would do, for sure. But the members of the association 
are incredibly non-technical, and trying to walk them through setting up 
an email client like Thunderbird or Outlook is a recipe for disaster. I 
really like the SRS idea, I'm digging into that now.



Thanks,
Andy



Thanks a bunch!
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron via users

On 1/3/24 01:21, Jared Hall wrote:

On 1/2/2024 5:24 PM, Thomas Cameron via users wrote:


The problem is, when I send email to presid...@myassociation.org, 
gmail rejects the forwarded email because it appears to come from my 
personal domain, not the mythical myassociation.org domain. DKIM, 
DMARC, and SPF all fail, which I totally understand.


How can I make this work? Is there a good way to use something like 
/etc/aliases to forward emails to the domain I manage to another 
recipient? Or is there something better I can do?




You will probably find that forwarding Emails to most systems, including 
MSN/Live/Hotmail/Outlook and Yahoo/AOL works OK (for now).  But if you 
want Vacation/Out-Of-Office/Autoresponders to work to Gmail addresses, 
you MUST run DKIM on your managed domain.  Even valid SPF alone will NOT 
do.


I actually set up SPF, DMARC, and DKIM on the non-profit's email server. 
It works fine if I send email from the server.


The rub is, I want all emails to presid...@example.org to be forwarded 
to presidents_real_addr...@gmail.com. Since the forward happens at 
mail.example.org, the "from" is from some other domain from example.org, 
so it fails all the tests.


Implementing DKIM w/ DMARC is a good, if not the best, practice. 
Considering present trends, SPF/DKIM/DMARC Auth-neutral will become the 
new "bad".


Oh, I firmly agree with you. I have all three services configured, and I 
wouldn't deploy a mail server without them. This is just an odd corner 
case where the easiest thing to do is just redirect emails to the 
non-profit's president's real email address.


Instead of using /etc/aliases, I'm playing around with a procmail recipe 
to munge the "from." We'll see if it works.


I apologize this isn't strictly SA related, I am just hoping someone 
can give me advice or provide a link to follow on how to make this work.


package: opendkim + access to your managed domain's DNS records.


I agree, and that's already done.

Thanks, sir!
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Jared Hall via users

On 1/2/2024 5:24 PM, Thomas Cameron via users wrote:


The problem is, when I send email to presid...@myassociation.org, 
gmail rejects the forwarded email because it appears to come from my 
personal domain, not the mythical myassociation.org domain. DKIM, 
DMARC, and SPF all fail, which I totally understand.


How can I make this work? Is there a good way to use something like 
/etc/aliases to forward emails to the domain I manage to another 
recipient? Or is there something better I can do?




You will probably find that forwarding Emails to most systems, including 
MSN/Live/Hotmail/Outlook and Yahoo/AOL works OK (for now).  But if you 
want Vacation/Out-Of-Office/Autoresponders to work to Gmail addresses, 
you MUST run DKIM on your managed domain.  Even valid SPF alone will NOT 
do.


Implementing DKIM w/ DMARC is a good, if not the best, practice. 
Considering present trends, SPF/DKIM/DMARC Auth-neutral will become the 
new "bad".


I apologize this isn't strictly SA related, I am just hoping someone 
can give me advice or provide a link to follow on how to make this work.


package: opendkim + access to your managed domain's DNS records.


$0.02,

-- Jared Hall




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Greg Troxel
"Thomas Cameron via users"  writes:

> I built email servers for a non-profit I volunteer for. If email comes
> into the server for presid...@myassociation.org, I would normally just
> create an alias in /etc/aliases so that emails to president@ get
> forwarded to the president's "real" email address, say
> presidents_real_em...@gmail.com.
>
> The problem is, when I send email to presid...@myassociation.org,
> gmail rejects the forwarded email because it appears to come from my
> personal domain, not the mythical myassociation.org domain. DKIM,
> DMARC, and SPF all fail, which I totally understand.

Why does DKIM fail?  You said there is an /etc/aliases alias, but you
did not say that you modified the message.  Basically you should never
modify messages.

> How can I make this work? Is there a good way to use something like
> /etc/aliases to forward emails to the domain I manage to another
> recipient? Or is there something better I can do?

I think the advice to set up IMAP and submission is wise.  I realize
this may be a small non-profit, but company mail belongs on company
servers, and personal mail on personal servers.  With IMAP and
submission, your president can have their outgoing email be
presid...@myassociation.org, DKIM signed, with an SPF record, and even
DMARC.  If someone writes and gets a reply from a random gmail account,
that is at best confusing.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Andy Smith
Hi Thomas,

On Tue, Jan 02, 2024 at 04:24:37PM -0600, Thomas Cameron via users wrote:
> I built email servers for a non-profit I volunteer for. If email comes into
> the server for presid...@myassociation.org, I would normally just create an
> alias in /etc/aliases so that emails to president@ get forwarded to the
> president's "real" email address, say presidents_real_em...@gmail.com.

This causes your server to pass on email without changing envelope
sender, so your server is purporting to be whoever the email is
originally from. Any email authentication measure working on the
envelope sender, such as SPF, will then fail, as your server is
indistinguishable from a random host forging the original sender's
domain.

> How can I make this work? Is there a good way to use something like
> /etc/aliases to forward emails to the domain I manage to another recipient?
> Or is there something better I can do?

You need to give up on /etc/aliases for external routing of email
unless you control all the original sender domains and can for
example add your server IPs to its authentication mechanisms (e.g.
SPF).

Since you probably can't do that for any recipient domain that
expects to receive Internet email, you need to either:

- Implement Sender Rewriting Scheme (SRS) so that your server takes
  responsibility for forwarded emails with its own envelope sender.
  https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

Or:

- Have your users collect their your-org email by some means other
  than SMTP, such as running an IMAP server and having them view
  both their gmail mailbox and their your-org inbox in one place (I
  have no idea if that is feasible with gmail).

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
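Both Andy's and Bill Cole's explanations come down to the same mechanism: the forwarder takes over the envelope sender so that SPF checks its own domain, and later routes bounces back to the real sender. The block below is an added worked example of that rewrite, not code from the thread or from PostSRSd. It builds an SRS0 address (SRS0=hash=timestamp=original-domain=original-local@forwarder), and reverses it only when the HMAC tag checks out and the embedded day number is within a validity window, so the forwarder cannot be used as an open bounce relay. The 21-day window and the secret are assumptions for the example; re-wrapping an address that is already SRS0 (the SRS1 case) is left out.

```python
import hmac
import hashlib
import base64

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21   # assumption: validity window chosen for this example


class SRSError(ValueError):
    pass


def _ts_encode(day):
    """Two base32 characters carrying the day number modulo 1024."""
    day %= 1024
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def _ts_decode(ts):
    return (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])


def _hash(secret, ts, domain, local):
    """Four base32 chars of HMAC-SHA1 over the rewritten fields.

    Everything is lowercased first so a remote MTA that lowercases the whole
    address does not invalidate the tag.
    """
    msg = (ts + domain + local).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b32encode(digest).decode("ascii")[:4]


def srs_forward(sender, forwarder_domain, secret, day):
    """Rewrite the envelope sender of a message we are about to forward.

    alice@example.net -> SRS0=HHHH=TT=example.net=alice@forwarder_domain
    """
    local, at, domain = sender.rpartition("@")
    if not (local and at and domain):
        raise SRSError("sender is not local@domain")
    ts = _ts_encode(day)
    tag = _hash(secret, ts, domain, local)
    return "SRS0={}={}={}={}@{}".format(tag, ts, domain, local, forwarder_domain)


def srs_reverse(address, secret, today):
    """Turn a bounce addressed to an SRS0 address back into the original sender.

    Rejects addresses we did not create (HMAC mismatch) and stale ones (older
    than MAX_AGE_DAYS), which is what keeps the forwarder from relaying
    arbitrary bounces.
    """
    local, _, _ = address.rpartition("@")
    parts = local.split("=", 4)     # maxsplit=4: the original local part may contain '='
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise SRSError("not an SRS0 address")
    _, tag, ts, domain, orig_local = parts
    ts = ts.upper()
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        raise SRSError("malformed timestamp")
    expected = _hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(expected.lower(), tag.lower()):
        raise SRSError("HMAC mismatch: this bounce is not for mail we forwarded")
    age = (today - _ts_decode(ts)) % 1024
    if age > MAX_AGE_DAYS:
        raise SRSError("SRS address expired")
    return "{}@{}".format(orig_local, domain)


if __name__ == "__main__":
    import time
    day = int(time.time() // 86400)
    rewritten = srs_forward("alice@example.net", "mail.example.org", b"change-me", day)
    print(rewritten)
    print(srs_reverse(rewritten, b"change-me", day))
```

Note what this does and does not fix: MAIL FROM now belongs to the forwarder, so SPF at the destination checks the forwarder's record and passes, and a bounce to the SRS0 address can be unwrapped and delivered to the true sender. The From: header is untouched, so DMARC at the destination still depends on the original DKIM signature surviving the hop intact.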


Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-02 Thread Thomas Cameron via users

Howdy, all -

This is not strictly SpamAssassin related, but y'all probably know where 
to point me to make this work.


I built email servers for a non-profit I volunteer for. If email comes 
into the server for presid...@myassociation.org, I would normally just 
create an alias in /etc/aliases so that emails to president@ get 
forwarded to the president's "real" email address, say 
presidents_real_em...@gmail.com.


The problem is, when I send email to presid...@myassociation.org, gmail 
rejects the forwarded email because it appears to come from my personal 
domain, not the mythical myassociation.org domain. DKIM, DMARC, and SPF 
all fail, which I totally understand.


How can I make this work? Is there a good way to use something like 
/etc/aliases to forward emails to the domain I manage to another 
recipient? Or is there something better I can do?


I apologize this isn't strictly SA related, I am just hoping someone can 
give me advice or provide a link to follow on how to make this work.


Thanks,
Thomas


Re: check_rbl question

2023-07-07 Thread Benny Pedersen

Michael Grant via users skrev den 2023-07-07 17:41:

On Fri, Jul 07, 2023 at 04:50:18PM +0200, giova...@paclan.it wrote:

if can(Mail::SpamAssassin::Conf::has_tflags_nolog)
  tflags URIBL_IVMURI net nolog
else
  tflags URIBL_IVMURI net
endif


and Benny Pedersen's idea of using a rule like:

header __FOO eval:check_rbl('ivmSIP-lastexternal', 'my_key.inv-sip.')
meta IVMSIP __FOO
describe IVMSIP listed at dnsbl.invaluement.com/ivmsip
score IVMSIP 5

Neither of these are ideal.  I really need to see what ip address is
being looked up.  Perhaps yes, I'll need to do a feature request.


header   __RCVD_IN_AUTHBL  eval:check_rbl('authbl','your_DQS_key.authbl.dq.spamhaus.net.')
tflags   __RCVD_IN_AUTHBL  net
meta     RCVD_IN_AUTHBL    __RCVD_IN_AUTHBL
describe RCVD_IN_AUTHBL    Received via a relay in Spamhaus AuthBL

so maybe nolog and debug mode ?

feature request imho, it has never been supported without meta yet, 
but why not use syslogs? this will not be in the recipient's mailbox that 
way


maybe nolog, extended to syslog only ?

syslog __foo foo_ip 'metadata'

grep foo_ip /var/log/messages

just thinking out loud now :)



Re: check_rbl question

2023-07-07 Thread Michael Grant via users
On Fri, Jul 07, 2023 at 04:50:18PM +0200, giova...@paclan.it wrote:
> if can(Mail::SpamAssassin::Conf::has_tflags_nolog)
>   tflags URIBL_IVMURI net nolog
> else
>   tflags URIBL_IVMURI net
> endif

and Benny Pedersen's idea of using a rule like:

header __FOO eval:check_rbl('ivmSIP-lastexternal', 'my_key.inv-sip.')
meta IVMSIP __FOO
describe IVMSIP listed at dnsbl.invaluement.com/ivmsip
score IVMSIP 5

Neither of these are ideal.  I really need to see what ip address is
being looked up.  Perhaps yes, I'll need to do a feature request.







Re: check_rbl question

2023-07-07 Thread giovanni

On 7/7/23 16:18, Michael Grant via users wrote:

I'm using check_rbl with some paid lists for example invaluement.  I
don't want to put my license key into the rule or it ends up in the
spamassassin X-Spam-Report header.  On one server, I've configured
bind9 with DNAME records to hide the key.  But what do others do?  Is
there some easier way to do this?


If you are using SpamAssassin 4.0 you can use the "nolog" feature like this:

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub URIBL_IVMURI uri.XXX.invaluement.com. A 2
body  URIBL_IVMURI eval:check_uridnsbl('URIBL_IVMURI')
describe  URIBL_IVMURI listed on ivmURI found at invaluement.com
if can(Mail::SpamAssassin::Conf::has_tflags_nolog)
  tflags URIBL_IVMURI net nolog
else
  tflags URIBL_IVMURI net
endif
score URIBL_IVMURI 2.0
reuse URIBL_IVMURI
endif


  Giovanni




Re: check_rbl question

2023-07-07 Thread Benny Pedersen

Michael Grant via users skrev den 2023-07-07 16:18:

I'm using check_rbl with some paid lists for example invaluement.  I
don't want to put my license key into the rule or it ends up in the
spamassassin X-Spam-Report header.  On one server, I've configured
bind9 with DNAME records to hide the key.  But what do others do?  Is
there some easier way to do this?


this is imho a feature request, what eval calls are used ?

example 
https://github.com/spamhaus/spamassassin-dqs/blob/master/4.0.0%2B/sh_hbl.cf


will not reveal keys

if you need to do rbl, make __foo eval:check_rbl, and then make meta foo 
__foo, this is a workaround


ask your data provider :)



check_rbl question

2023-07-07 Thread Michael Grant via users
I'm using check_rbl with some paid lists for example invaluement.  I
don't want to put my license key into the rule or it ends up in the
spamassassin X-Spam-Report header.  On one server, I've configured
bind9 with DNAME records to hide the key.  But what do others do?  Is
there some easier way to do this?

Michael Grant




Re: Question about user specific bayes

2022-01-19 Thread Benny Pedersen

On 2022-01-18 22:34, Bill Cole wrote:


> Well, maybe? I don't currently have a system using per-user Bayes and
> it's been a bit since I set one up so hopefully someone who has a
> working rig will speak up...

fuglu has per-user bayes by default, and it recently fixed that the local 
part could be mixed case before, so a sender could create another bayes 
user. Oops, I had hoped that this was solved in spamassassin core, but 
maybe in sa 4.0.0

> Note that SA will try to create an empty DB if none exists.

and if spamd / spamc uses virtual sql users, or has static db files for 
all users with read/write permissions; ideally, if sqlite3 user prefs is 
configured, it could be very simple

> I'm not
> sure that I can think up a circumstance (other than a disappearing
> user) where fallback to global Bayes would happen.

is this even supported?

> SA will not fall
> back to a global Bayes DB just because an otherwise perfectly good
> per-user DB isn't properly seeded.

good


RE: Question about user specific bayes

2022-01-18 Thread Dino Edwards


> Note that SA will try to create an empty DB if none exists. I'm not sure that 
> I can think up a circumstance (other than a disappearing user) where fallback 
> to global Bayes would happen. SA will not fall back to a global Bayes DB 
> just because an otherwise perfectly good per-user DB isn't properly seeded.

It doesn't seem to be creating an empty database at all. Not sure why

> -Original Message-
> From: Bill Cole 
> Sent: Tuesday, January 18, 2022 12:23 PM
> To: users@spamassassin.apache.org
> Subject: Re: Question about user specific bayes
>
> On 2022-01-18 at 11:12:01 UTC-0500 (Tue, 18 Jan 2022 16:12:01 +) 
> Dino Edwards  is rumored to have said:
>
>> Hi,
>>
>> Trying to implement user specific bayes. My current setup is setup as 
>> follows in regards to global bayes. I'm also using amavis:
>>
>> bayes_path /opt/sa-bayes/bayes
>> bayes_file_mode 0777
>
> Don't do that anywhere. It's not safe.
>
>> use_bayes 1
>> use_bayes_rules 1
>> bayes_auto_learn 0
>> bayes_auto_learn_threshold_spam 15
>> bayes_auto_learn_threshold_nonspam -5
> [...]
>>
>> and it did seem to create  bayes_toks and bayes_seen files under the 
>> /opt/sa-bayes-users/b...@domain.tld
>> directory as expected.
>
> So, it is working.
>
>> Is this all that's required to get this working?
>
> Yes
>
>> What happens to the global bayes file  in local.cf? Is that no longer 
>> used?
>
> I believe that it would be used if for some reason SA couldn't figure 
> out which user to pick for a scan at runtime. Maybe if spamd was 
> launched as a user that was later deleted?
>
> But generally, working per-user Bayes setup makes the global file 
> pointless and unused.
>
>>
>> How do the following settings from the local.cf figure in the user 
>> specific bayes files?
>>
>> use_bayes 1
>> use_bayes_rules 1
>> bayes_auto_learn 0
>> bayes_auto_learn_threshold_spam 15
>> bayes_auto_learn_threshold_nonspam -5
>
> The local.cf file is loaded before user_prefs, which is the last 
> config file loaded, so anything that can be changed in user_prefs 
> (i.e. all of those, I believe) which is set in user_prefs will 'stick'
>
> Note that in this case you're choosing to disable auto-learn, so the 
> threshold values are never used.
>
>> Do the user specific bayes have the same requirements to train them 
>> with at least 200 messages?
>
> Yes. Each Bayes DB must be seeded before it can be used. You should 
> also plan a way to regularly feed known spam and ham to those 
> databases, since you aren't auto-learning.
>
>> before they start working?
>
> Before SA will determine a Bayes score on incoming messages, yes.
>
>
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many 
> *@billmail.scconsult.com addresses) Not Currently Available For Hire


--
Bill Cole
b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many 
*@billmail.scconsult.com addresses) Not Currently Available For Hire


Re: Question about user specific bayes

2022-01-18 Thread Bill Cole

On 2022-01-18 at 13:40:29 UTC-0500 (Tue, 18 Jan 2022 18:40:29 +)
Dino Edwards 
is rumored to have said:

Hi, thanks for the quick reply. So when amavis calls on SA for an 
incoming message, it will pass the recipient (e-mail address) in the 
%u variable and then SA will take that variable and look in the 
/opt/sa-bayes-users/%u directory for the existence of bayes database 
and if it finds one, it will use it provided it's properly seeded. If 
not, it will fall back to the global bayes. Is that correct?


Well, maybe? I don't currently have a system using per-user Bayes and 
it's been a bit since I set one up so hopefully someone who has a 
working rig will speak up...


Note that SA will try to create an empty DB if none exists. I'm not sure 
that I can think up a circumstance (other than a disappearing user) 
where fallback to global Bayes would happen. SA will not fall back to a 
global Bayes DB just because an otherwise perfectly good per-user DB 
isn't properly seeded.





-Original Message-
From: Bill Cole 
Sent: Tuesday, January 18, 2022 12:23 PM
To: users@spamassassin.apache.org
Subject: Re: Question about user specific bayes

On 2022-01-18 at 11:12:01 UTC-0500 (Tue, 18 Jan 2022 16:12:01 +) 
Dino Edwards  is rumored to have said:



Hi,

Trying to implement user specific bayes. My current setup is setup as
follows in regards to global bayes. I'm also using amavis:

bayes_path /opt/sa-bayes/bayes
bayes_file_mode 0777


Don't do that anywhere. It's not safe.


use_bayes 1
use_bayes_rules 1
bayes_auto_learn 0
bayes_auto_learn_threshold_spam 15
bayes_auto_learn_threshold_nonspam -5

[...]


and it did seem to create  bayes_toks and bayes_seen files under the
/opt/sa-bayes-users/b...@domain.tld
directory as expected.


So, it is working.


Is this all that's required to get this working?


Yes


What happens to the global bayes file  in local.cf? Is that no longer
used?


I believe that it would be used if for some reason SA couldn't figure 
out which user to pick for a scan at runtime. Maybe if spamd was 
launched as a user that was later deleted?


But generally, working per-user Bayes setup makes the global file 
pointless and unused.




How do the following settings from the local.cf figure in the user
specific bayes files?

use_bayes 1
use_bayes_rules 1
bayes_auto_learn 0
bayes_auto_learn_threshold_spam 15
bayes_auto_learn_threshold_nonspam -5


The local.cf file is loaded before user_prefs, which is the last 
config file loaded, so anything that can be changed in user_prefs 
(i.e. all of those, I believe) which is set in user_prefs will 'stick'


Note that in this case you're choosing to disable auto-learn, so the 
threshold values are never used.



Do the user specific bayes have the same requirements to train them
with at least 200 messages?


Yes. Each Bayes DB must be seeded before it can be used. You should 
also plan a way to regularly feed known spam and ham to those 
databases, since you aren't auto-learning.



before they start working?


Before SA will determine a Bayes score on incoming messages, yes.




--
Bill Cole
b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many 
*@billmail.scconsult.com addresses) Not Currently Available For Hire



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


RE: Question about user specific bayes

2022-01-18 Thread Dino Edwards
Hi, thanks for the quick reply. So when amavis calls on SA for an incoming 
message, it will pass the recipient (e-mail address) in the %u variable and 
then SA will take that variable and look in the /opt/sa-bayes-users/%u 
directory for the existence of bayes database and if it finds one, it will use 
it provided it's properly seeded. If not, it will fall back to the global 
bayes. Is that correct?

Thanks



-Original Message-
From: Bill Cole  
Sent: Tuesday, January 18, 2022 12:23 PM
To: users@spamassassin.apache.org
Subject: Re: Question about user specific bayes

On 2022-01-18 at 11:12:01 UTC-0500 (Tue, 18 Jan 2022 16:12:01 +) Dino 
Edwards  is rumored to have said:

> Hi,
>
> Trying to implement user specific bayes. My current setup is setup as 
> follows in regards to global bayes. I'm also using amavis:
>
> bayes_path /opt/sa-bayes/bayes
> bayes_file_mode 0777

Don't do that anywhere. It's not safe.

> use_bayes 1
> use_bayes_rules 1
> bayes_auto_learn 0
> bayes_auto_learn_threshold_spam 15
> bayes_auto_learn_threshold_nonspam -5
[...]
>
> and it did seem to create  bayes_toks and bayes_seen files under the 
> /opt/sa-bayes-users/b...@domain.tld
> directory as expected.

So, it is working.

> Is this all that's required to get this working?

Yes

> What happens to the global bayes file  in local.cf? Is that no longer 
> used?

I believe that it would be used if for some reason SA couldn't figure out which 
user to pick for a scan at runtime. Maybe if spamd was launched as a user that 
was later deleted?

But generally, working per-user Bayes setup makes the global file pointless and 
unused.

>
> How do the following settings from the local.cf figure in the user 
> specific bayes files?
>
> use_bayes 1
> use_bayes_rules 1
> bayes_auto_learn 0
> bayes_auto_learn_threshold_spam 15
> bayes_auto_learn_threshold_nonspam -5

The local.cf file is loaded before user_prefs, which is the last config file 
loaded, so anything that can be changed in user_prefs (i.e. all of those, I 
believe) which is set in user_prefs will 'stick'

Note that in this case you're choosing to disable auto-learn, so the threshold 
values are never used.

> Do the user specific bayes have the same requirements to train them 
> with at least 200 messages?

Yes. Each Bayes DB must be seeded before it can be used. You should also plan a 
way to regularly feed known spam and ham to those databases, since you aren't 
auto-learning.

> before they start working?

Before SA will determine a Bayes score on incoming messages, yes.




--
Bill Cole
b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many 
*@billmail.scconsult.com addresses) Not Currently Available For Hire


Re: Question about user specific bayes

2022-01-18 Thread Bill Cole

On 2022-01-18 at 11:12:01 UTC-0500 (Tue, 18 Jan 2022 16:12:01 +)
Dino Edwards 
is rumored to have said:


Hi,

Trying to implement user specific bayes. My current setup is setup as 
follows in regards to global bayes. I'm also using amavis:


bayes_path /opt/sa-bayes/bayes
bayes_file_mode 0777


Don't do that anywhere. It's not safe.


use_bayes 1
use_bayes_rules 1
bayes_auto_learn 0
bayes_auto_learn_threshold_spam 15
bayes_auto_learn_threshold_nonspam -5

[...]


and it did seem to create  bayes_toks and bayes_seen files under the 
/opt/sa-bayes-users/b...@domain.tld 
directory as expected.


So, it is working.


Is this all that's required to get this working?


Yes

What happens to the global bayes file  in local.cf? Is that no longer 
used?


I believe that it would be used if for some reason SA couldn't figure 
out which user to pick for a scan at runtime. Maybe if spamd was 
launched as a user that was later deleted?


But generally, working per-user Bayes setup makes the global file 
pointless and unused.




How do the following settings from the local.cf figure in the user 
specific bayes files?


use_bayes 1
use_bayes_rules 1
bayes_auto_learn 0
bayes_auto_learn_threshold_spam 15
bayes_auto_learn_threshold_nonspam -5


The local.cf file is loaded before user_prefs, which is the last config 
file loaded, so anything that can be changed in user_prefs (i.e. all of 
those, I believe) which is set in user_prefs will 'stick'


Note that in this case you're choosing to disable auto-learn, so the 
threshold values are never used.


Do the user specific bayes have the same requirements to train them 
with at least 200 messages?


Yes. Each Bayes DB must be seeded before it can be used. You should also 
plan a way to regularly feed known spam and ham to those databases, 
since you aren't auto-learning.



before they start working?


Before SA will determine a Bayes score on incoming messages, yes.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Question about user specific bayes

2022-01-18 Thread Dino Edwards
Hi,

Trying to implement user specific bayes. My current setup is setup as follows 
in regards to global bayes. I'm also using amavis:

bayes_path /opt/sa-bayes/bayes
bayes_file_mode 0777
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 0
bayes_auto_learn_threshold_spam 15
bayes_auto_learn_threshold_nonspam -5



According to various things I've read online, I've setup the following in 
/etc/default/spamassassin in an attempt to setup user specific bayes:


OPTIONS="--create-prefs --max-children 5 
--helper-home-dir=/opt/sa-bayes-users/%u -x -u amavis"

I've also created a bunch of subdirectories with usernames under 
/opt/sa-bayes-users. Example:

/opt/sa-bayes-users/b...@domain.tld
/opt/sa-bayes-users/la...@domain.tld

Etc...

I've setup the owner in /opt/sa-bayes-users/ to amavis and I've also setup the 
permissions to 700.

I've run a test sa-learn as follows where /mnt/data/amavis/clean/n/nTutbwTMVWzK 
is the actual e-mail file I use to train SA:

sa-learn --spam --dbpath /opt/sa-bayes-users/b...@domain.tld 
/mnt/data/amavis/clean/n/nTutbwTMVWzK

and it did seem to create  bayes_toks and bayes_seen files under the 
/opt/sa-bayes-users/b...@domain.tld 
directory as expected.

Is this all that's required to get this working?

What happens to the global bayes file  in local.cf? Is that no longer used?

How do the following settings from the local.cf figure in the user specific 
bayes files?

use_bayes 1
use_bayes_rules 1
bayes_auto_learn 0
bayes_auto_learn_threshold_spam 15
bayes_auto_learn_threshold_nonspam -5


Do the user specific bayes have the same requirements to train them with at 
least 200 messages? before they start working?

Thanks in advance
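Two points from this thread are worth checking in code rather than by eye: Bill's "Don't do that anywhere. It's not safe." about bayes_file_mode 0777, and Benny's remark that a mixed-case local part can end up as a second Bayes user when the recipient address is turned into a directory name (the %u in --helper-home-dir and the --dbpath given to sa-learn above). The Python below is an added example, not code from this thread or from the SpamAssassin project. It canonicalises the recipient before it becomes a path component, refuses anything that would resolve outside the Bayes root, builds the per-user sa-learn argument vector, and audits a user's directory for world-writable entries. The root /opt/sa-bayes-users is taken from the thread; the function names and the temporary-directory demo are this example's own.

```python
"""Per-user Bayes directory derivation and permission audit.

Added example (not from the thread or the SpamAssassin project).
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from pathlib import Path

# Root assumed from the thread's --helper-home-dir=/opt/sa-bayes-users/%u;
# the demo below substitutes a temporary directory.
BAYES_ROOT = Path("/opt/sa-bayes-users")

_LOCAL = re.compile(r"[a-z0-9][a-z0-9._+-]*")
_DOMAIN = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def bayes_user_key(recipient: str) -> str:
    """Canonical per-user key, so Bob@Domain.TLD and bob@domain.tld share one DB."""
    addr = recipient.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single address: {recipient!r}")
    local, domain = addr.split("@")
    # Conservative character set: no "/", no whitespace, and the key can
    # never be "." or ".." because the first character must be alphanumeric.
    if not _LOCAL.fullmatch(local) or not _DOMAIN.fullmatch(domain):
        raise ValueError(f"recipient not usable as a path component: {recipient!r}")
    return f"{local}@{domain}"


def bayes_dir(recipient: str, root: Path = BAYES_ROOT) -> Path:
    """Per-user Bayes directory; refuses anything that resolves outside root."""
    root = root.resolve()
    path = (root / bayes_user_key(recipient)).resolve()
    if root not in path.parents:
        raise ValueError(f"{path} escapes {root}")
    return path


def sa_learn_argv(recipient: str, message: str, spam: bool,
                  root: Path = BAYES_ROOT) -> list[str]:
    """Argument vector for the per-user sa-learn call from the thread."""
    return ["sa-learn", "--spam" if spam else "--ham",
            "--dbpath", str(bayes_dir(recipient, root)), message]


def audit_modes(user_dir: Path) -> list[str]:
    """Entries under user_dir (and the dir itself) that are world-writable.

    bayes_file_mode 0777 leaves every bayes_toks/bayes_seen writable by any
    local account, so anyone could poison or wipe another user's training.
    """
    problems = []
    for p in (user_dir, *user_dir.iterdir()):
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & stat.S_IWOTH:
            problems.append(f"{p.name}: mode {mode:04o} is world-writable")
    return problems


def demo_audit(root: Path) -> tuple[list[str], list[str]]:
    """Create bob's DB the 0777 way, audit, tighten to owner-only, audit again."""
    user_dir = bayes_dir("Bob@Domain.TLD", root)
    user_dir.mkdir(parents=True, exist_ok=True)
    files = [user_dir / n for n in ("bayes_toks", "bayes_seen")]
    for f in files:
        f.touch()
        os.chmod(f, 0o666)
    os.chmod(user_dir, 0o777)
    before = audit_modes(user_dir)
    os.chmod(user_dir, 0o700)            # owner-only directory
    for f in files:
        os.chmod(f, 0o600)               # owner-only DB files
    after = audit_modes(user_dir)
    return before, after


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        before, after = demo_audit(Path(tmp))
        print("before:", before)
        print("after: ", after)
        print(" ".join(sa_learn_argv("Bob@Domain.TLD", "/path/to/msg", True, Path(tmp))))
```

Run audit_modes over every subdirectory of the real root on a schedule; a non-empty result means a Bayes DB that someone other than the scanning user can alter.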




RE: Question about whitelisting of naadac.org

2021-08-12 Thread John Hardin

On Thu, 12 Aug 2021, Lukasz Maik wrote:


Dear John,

Sure, please find full test results here: 
https://www.mail-tester.com/test-bw02eaxrt

We've lost a point for not having DKIM/DMARC authentication, which is 
unfortunately not supported by our hosted exchange.


That's not something SA scores for.


We also lost 0.5 point for not having alt attribute in the images, so we will 
add it.


That's also not something SA scores for. The above problems are things 
mail-tester thinks you can do to improve your message, independent of 
whatever SA thinks of it.


The net SA score for that test message is 0.644 points, which is well 
under the default spam threshold of 5 points.


This is in the headers in that test message:

   X-Spam-Status: No/0.7/5.0

"No".

I agree with Bill's comments regarding www.mail-tester.com, and echo that 
"www.naadac.org" is not listed at SBL.



Total is 7.8/10.


Meaningless.

The problem is that when the user is sending normal work e-mails, recipients are 
finding those messages in the Junk Email folder. Even people with whom he 
was previously working.


If we could see one of *those* mails (which was quarantined in a 
production environment versus analyzed in a misconfigured and stale 
theoretical environment), with all headers intact (<- this is important), 
then we might be able to tell you why it ended up there.




Kind Regards
Lukas

-Original Message-
From: John Hardin 
Sent: Thursday, August 12, 2021 5:43 AM
To: users@spamassassin.apache.org
Subject: Re: Question about whitelisting of naadac.org

On Wed, 11 Aug 2021, Lukasz Maik wrote:


Hi All,

The company naadac.org is experiencing problems with their e-mails
being marked as SPAM, when they are putting link to their domain
http://www.naadac.org/ in the signature of their mails.

Is it possible to whitelist this domain/link in your SPAM filtering?
Results from the mail-tester.com tool are available below:

[cid:image001.png@01D78EFB.CD78CAE0]


0.644 points is not sufficient to mark a message as spam using the default 
scoring, and isn't worth hitting the panic button. If it's being marked as spam 
by some recipients, there are other reason(s). Is this analysis the only thing 
you are basing your analysis on?

As Kenneth said, contact Spamhaus regarding why that domain is listed.

In order to offer more advice, we would have to see the results from a site 
that is actually marking such a message as spam (i.e. where it's scoring 5 or 
more points).


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising. -- fwadling on Y! SCOX
---
 Today: the 900th anniversary of the muslim Seljuq defeat at Didgori


Re: Question about whitelisting of naadac.org

2021-08-12 Thread Bill Cole

On 2021-08-12 at 16:16:21 UTC-0400 (Thu, 12 Aug 2021 20:16:21 +)
Lukasz Maik 
is rumored to have said:


Dear John,

Sure, please find full test results here: 
https://www.mail-tester.com/test-bw02eaxrt


That website is not in any way authoritative, misrepresents 
SpamAssassin scores, is running an obsolete version of SpamAssassin, and 
seems to be *INCORRECTLY* claiming that some hostname in a URI in the 
message resolves to an IP listed in Spamhaus' SBL. Checking the message 
as provided on that page against a current SpamAssassin deployment does 
not show hits on URIBL_SBL or URIBL_SBL_A, and manual checks of 
www.naadac.org and naadac.org confirm that they are NOT LISTED. If you 
show the "source" of the test message on that page, you will note that 
it shows a hit on the rule named URIBL_BLOCKED, which indicates a gross 
misconfiguration of SpamAssassin and is probably responsible for the 
bogus URIBL_SBL and URIBL_SBL_A hits.


IN SHORT: mail-tester.com is a garbage site providing garbage results. 
No one should trust it for anything.


We've lost a point for not having DKIM/DMARC authentication, which is 
unfortunately not supported by our hosted exchange.


That is a far more likely cause for delivery problems than anything 
else. There is no excuse for any commercial mail provider to not offer 
it to their hosted customers.


We also lost 0.5 point for not having alt attribute in the images, so 
we will add it.

Total is 7.8/10.


Note that the number on the mail-tester.com site is an invention of 
mail-tester.com, an organization that can't even be bothered to keep 
their SpamAssassin installation updated or to have the needed recursive 
DNS resolver for SA to use. That "Total" is meaningless. The points 
allotted for each element are arbitrary and basically meaningless.



The problem is that when the user is sending normal work e-mails, recipients are 
finding those messages in the Junk Email folder. Even people with whom 
he was previously working.


That has nothing to do with SpamAssassin. No reasonable SpamAssassin 
deployment would score the message shown on that test page anywhere near 
the standard spam threshold (5.0). SpamAssassin is not involved in how 
any receiving sites choose to deliver mail; all SpamAssassin does is 
provide a score. In this case that score is essentially zero, provided 
SA is not misconfigured.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Question about whitelisting of naadac.org

2021-08-12 Thread Tom Hendrikx

Hi Lukasz,

The Spamassassin score looks reasonable. If mail-tester uses anything
similar to a stock Spamassassin setup, then you should be safe and
spamassassin will not be the cause of your delivery problems.
Whitelisting a somewhat arbitrary URL will not solve your problem.

Of course, it could be that certain recipients of your customer have
setup additional Spamassassin rules, tuned their setup to raise some
penalties, or added additional filtering (outside of SA) to their
mailstack that results in a different conclusion. You cannot be sure
unless you ask the mail-admin of those customers.

So you need to get in touch with them, not with the SA community (but as
you can see, we're happy to point you in the correct direction ;-> ).

Kind regards,
Tom

On 12-08-2021 22:16, Lukasz Maik wrote:

Dear John,

Sure, please find full test results here:
https://www.mail-tester.com/test-bw02eaxrt

We've lost a point for not having DKIM/DMARC authentication, which is
unfortunately not supported by our hosted exchange. We also lost 0.5
point for not having alt attribute in the images, so we will add it. 
Total is 7.8/10.


The problem is that when the user is sending normal work e-mails, recipients are
finding those messages in the Junk Email folder. Even people with whom
he was previously working.

Kind Regards Lukas

-Original Message-
From: John Hardin
Sent: Thursday, August 12, 2021 5:43 AM
To: users@spamassassin.apache.org
Subject: Re: Question about whitelisting of naadac.org

This message was sent from an external source. Please be careful
opening attachments/links or replying to sources you don't know.

On Wed, 11 Aug 2021, Lukasz Maik wrote:


Hi All,

The company naadac.org is experiencing problems with their e-mails 
being marked as SPAM, when they are putting link to their domain 
http://www.naadac.org/ in the signature of their mails.

Is it possible to whitelist this domain/link in your SPAM
filtering? Results from the mail-tester.com tool are available
below:

[cid:image001.png@01D78EFB.CD78CAE0]


0.644 points is not sufficient to mark a message as spam using the
default scoring, and isn't worth hitting the panic button. If it's
being marked as spam by some recipients, there are other reason(s).
Is this analysis the only thing you are basing your analysis on?

As Kenneth said, contact Spamhaus regarding why that domain is
listed.

In order to offer more advice, we would have to see the results from
a site that is actually marking such a message as spam (i.e. where
it's scoring 5 or more points).

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference between ignorance and stupidity is that the stupid
  desire to remain ignorant. -- Jim Bacon
---
 Tomorrow: the 900th anniversary of the muslim Seljuq defeat at Didgori

Ricoh Europe Holdings PLC is a company registered in England, under
company number 06273215, with a registered office at 20 Triton
Street, London, NW1 3BF. The UK business of Ricoh Europe Holdings PLC
is operated by: (i) Ricoh Europe PLC, a company registered in England
under company number 00720944, with a registered office at 20 Triton
Street, London, NW1 3BF; (ii) Ricoh UK Limited, a company registered
in England under company number 01271033, with a registered office at
Ricoh House, 800 Pavilion Drive, Northampton, NN4 7YL; and (iii)
Ricoh Capital Limited, a company registered in England under company
number 03001351, with a registered office at 20 Triton Street,
London, NW1 3BF Please consider the environment before printing this
e-mail



Re: Question about whitelisting of naadac.org

2021-08-12 Thread Greg Troxel

Lukasz Maik  writes:

[not sure what the relationship of ricoh-europe is to a US .org is]

> Sure, please find full test results here: 
> https://www.mail-tester.com/test-bw02eaxrt
>
> We've lost a point for not having DKIM/DMARC authentication, which is 
> unfortunately not supported by our hosted exchange.
> We also lost 0.5 point for not having alt attribute in the images, so we will 
> add it.
> Total is 7.8/10.
>
> The problem is that when the user is sending normal work e-mails, recipients are
> finding those messages in the Junk Email folder. Even people with whom
> he was previously working.

I'm not sure anybody said this yet, but: spamassassin the project is not
going to add your domain to a whitelist because you are having problems
with how others sort your mail.  As I understand it, the project would
only consider that sort of addition for domains that are 1) really known
to send pretty much zero spam and 2) users of spamassassin are
inconvenienced by what they perceive as incorrect tagging as spam.
Note that this is very different from senders being unhappy about how
recipients tag the messages.

Reading the test report, I see that you have a URL in SBL.

This domain has two hits in rfc-clueless

  https://multirbl.valli.org/lookup/naadac.org.html

and the outgoing IP address is

   208.70.208.232   Spam Grouper Net block list


So basically you (they?) need to clean up all the issues.  That may
involve finding a mail host that doesn't do business with spammers and
whose IP addresses are not in DNSBLs.


Also, if you are bothered by recipient filtering decisions, you need to
ask the recipients what filtering they are doing and why they sorted how
they did.  That's up to them, not the spamassassin project.

It may be that they have no idea and are uncooperative.  I have had
problems with yahoo misfiling mail, and found the experience of asking
them about it not to be useful.   So it is possible that your recipients
should get a different email provider.



You might also remove URLs to social media.  They have privacy policies
which are inconsistent with addiction treatment anyway.




RE: Question about whitelisting of naadac.org

2021-08-12 Thread Lukasz Maik
Dear John,

Sure, please find full test results here: 
https://www.mail-tester.com/test-bw02eaxrt

We've lost a point for not having DKIM/DMARC authentication, which is 
unfortunately not supported by our hosted exchange.
We also lost 0.5 point for not having alt attribute in the images, so we will 
add it.
Total is 7.8/10.

The problem is that when the user is sending normal work e-mails, recipients are 
finding those messages in the Junk Email folder. Even people with whom he was 
previously working.

Kind Regards
Lukas

-Original Message-
From: John Hardin 
Sent: Thursday, August 12, 2021 5:43 AM
To: users@spamassassin.apache.org
Subject: Re: Question about whitelisting of naadac.org


On Wed, 11 Aug 2021, Lukasz Maik wrote:

> Hi All,
>
> The company naadac.org is experiencing problems with their e-mails
> being marked as SPAM, when they are putting link to their domain
> http://www.naadac.org/ in the signature of their mails.
>
> Is it possible to whitelist this domain/link in your SPAM filtering?
> Results from the mail-tester.com tool are available below:
>
> [cid:image001.png@01D78EFB.CD78CAE0]

0.644 points is not sufficient to mark a message as spam using the default 
scoring, and isn't worth hitting the panic button. If it's being marked as spam 
by some recipients, there are other reason(s). Is this analysis the only thing 
you are basing your analysis on?

As Kenneth said, contact Spamhaus regarding why that domain is listed.

In order to offer more advice, we would have to see the results from a site 
that is actually marking such a message as spam (i.e. where it's scoring 5 or 
more points).

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
   The difference between ignorance and stupidity is that the stupid
   desire to remain ignorant. -- Jim Bacon
---
  Tomorrow: the 900th anniversary of the muslim Seljuq defeat at Didgori


Re: Question about whitelisting of naadac.org

2021-08-12 Thread Martin Gregorie
On Wed, 2021-08-11 at 20:43 -0700, John Hardin wrote:
> As Kenneth said, contact Spamhaus regarding why that domain is listed.
> 
> 
I took a look at it with a text-mode web browser, Lynx, that's too simple
to try to process nasties and with all cookies disabled. It looked more
than slightly suspect to me - AFAICT entries in its top-level menu link
only to a recursive chain of identical top-level menus.

It reminded me of nothing so much as the mazes in Colossal Cavern and
their 'little twisty passages which all look the same' - and built the
same way too!

My bottom line take - a useless URL that deserves to be listed.


Martin





Re: Question about whitelisting of naadac.org

2021-08-11 Thread John Hardin

On Wed, 11 Aug 2021, Lukasz Maik wrote:


Hi All,

The company naadac.org is experiencing problems with their e-mails being 
marked as SPAM, when they are putting link to their domain 
www.naadac.org in the signature of their mails.


Is it possible to whitelist this domain/link in your SPAM filtering?
Results from the mail-tester.com tool are available below:

[cid:image001.png@01D78EFB.CD78CAE0]


0.644 points is not sufficient to mark a message as spam using the default 
scoring, and isn't worth hitting the panic button. If it's being marked as 
spam by some recipients, there are other reason(s). Is this analysis the 
only thing you are basing your analysis on?


As Kenneth said, contact Spamhaus regarding why that domain is listed.

In order to offer more advice, we would have to see the results from a 
site that is actually marking such a message as spam (i.e. where it's 
scoring 5 or more points).


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference between ignorance and stupidity is that the stupid
  desire to remain ignorant. -- Jim Bacon
---
 Tomorrow: the 900th anniversary of the muslim Seljuq defeat at Didgori


Re: Question about whitelisting of naadac.org

2021-08-11 Thread Kenneth Porter
--On Wednesday, August 11, 2021 8:57 PM + Lukasz Maik 
 wrote:



The company naadac.org is experiencing problems with their e-mails being
marked as SPAM, when they are putting link to their domain
www.naadac.org in the signature of their mails. Is
it possible to whitelist this domain/link in your SPAM filtering? Results
from the mail-tester.com tool are available below:


You should copy/paste the text of the report, not a screen capture.

According to the image, your domain and/or its A record are in the SBL 
blocklist. So you need to find out why and go fix that.








Re: Spamass milter question

2020-05-28 Thread John Hardin

On Wed, 27 May 2020, LuKreme wrote:


On May 27, 2020, at 20:08, John Hardin  wrote:


On Wed, 27 May 2020, @lbutlr wrote:

On 27 May 2020, at 18:27, RW  wrote:
I should have added that if  whitelist_from_rcvd *@* server.example.com
(without the colon) is only failing occasionally on mail from
server.example.com, it's probably just an rDNS lookup failure of some
sort.


Well, I do not get anything that I consider spam from that server, so how often 
is this happening? Is it every time spamass-milter thinks the message is spam 
or is it some odd rdns issue? And how could I possibly try? The name and IP of 
the server show up in postfix logs.


Consider telling your MTA to skip SA entirely for that IP.


This is my server running my Postfix, bind, Spamassassin, and spamass-milter. I 
am trying to stop SA from checking mail from that domain (not a single IP).


...or for mail from that domain.

There is no way you can configure SA to stop checking any messages it is 
given. The most you can do is affect what score it assigns (which is what 
you're attempting).


If you're *always* going to accept messages from a given IP/domain, then 
tell your MTA to not send those messages to SA and spare the processing 
overhead.


One reason to not do that is if you have bayes autolearn enabled and you 
want that ham to potentially contribute to the bayes scoring.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  A government is a lot like a gun: It's always loaded,
  and it's stupid and dangerous to point it at anything
  you don't intend to hurt. -- GOF at TSM
---
 9 days until the 76th anniversary of D-Day

Re: Spamass milter question

2020-05-28 Thread Matus UHLAR - fantomas

On 27.05.20 10:35, @lbutlr wrote:

What, if any, local SpamAssassin settings does spams-milter use when
processing incoming mail?


don't you mean spamass-milter?


For example, if I wanted to white list a sender or blacklist a domain, would 
the general settings in /usr/local/etc/spamassasin/local.cf be the place?

I am wondering because I have a server whitelisted in that file (or do I?), but 
I am seeing occasional logs like:

postfix/cleanup[7771] 49MN7m64m8z2rPFW: milter-reject: END-OF-MESSAGE from 
server.example.com[n.n.n.n]: 5.7.1 Blocked by SpamAssassin;


... looks like. You may use 


"-i n.n.n.n" option for spamass-milter not to scan mail coming from this IP


# Allow all mailing list posts from example.com
whitelist_from_rcvd: *@* server.example.com

This seems to be in accordance with the docs.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.


Re: Spamass milter question

2020-05-27 Thread LuKreme
On May 27, 2020, at 20:08, John Hardin  wrote:
> 
> On Wed, 27 May 2020, @lbutlr wrote:
>>> On 27 May 2020, at 18:27, RW  wrote:
>>> I should have added that if  whitelist_from_rcvd *@* server.example.com
>>> (without the colon) is only failing occasionally on mail from
>>> server.example.com, it's probably just an rDNS lookup failure of some
>>> sort.
>> 
>> Well, I do not get anything that I consider spam from that server, so how 
>> often is this happening? Is it every time spamass-milter thinks the message 
>> is spam or is it some odd rdns issue? And how could I possibly try? The name 
>> and IP of the server show up in postfix logs.
> 
> Consider telling your MTA to skip SA entirely for that IP.

This is my server running my Postfix, bind, Spamassassin, and spamass-milter. I 
am trying to stop SA from checking mail from that domain (not a single IP).

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now



Re: Spamass milter question

2020-05-27 Thread John Hardin

On Wed, 27 May 2020, @lbutlr wrote:


On 27 May 2020, at 18:27, RW  wrote:

I should have added that if  whitelist_from_rcvd *@* server.example.com
(without the colon) is only failing occasionally on mail from
server.example.com, it's probably just an rDNS lookup failure of some
sort.


Well, I do not get anything that I consider spam from that server, so 
how often is this happening? Is it every time spamass-milter thinks the 
message is spam or is it some odd rdns issue? And how could I possibly 
try? The name and IP of the server show up in postfix logs.


Consider telling your MTA to skip SA entirely for that IP.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the good of having the government prohibited from doing harm
  far outweighs the harm of having it obstructed from doing good.
   -- Mike@mike-istan
---
 10 days until the 76th anniversary of D-Day


Re: Spamass milter question

2020-05-27 Thread @lbutlr
On 27 May 2020, at 18:27, RW  wrote:
> I should have added that if  whitelist_from_rcvd *@* server.example.com
> (without the colon) is only failing occasionally on mail from
> server.example.com, it's probably just an rDNS lookup failure of some
> sort.

Well, I do not get anything that I consider spam from that server, so how often 
is this happening? Is it every time spamass-milter thinks the message is spam 
or is it some odd rdns issue? And how could I possibly try? The name and IP of 
the server show up in postfix logs.




-- 
Patty > Melt > Foundry > Terminator > SCSI > Voodoo > Economics >
Discworld > Ringworld > Niven > Pink Panther > Black Panther >
Avengers > Assemble > LEGO > Builder > Bob (word association with
geeks)




Re: Spamass milter question

2020-05-27 Thread RW
On Thu, 28 May 2020 01:04:20 +0100
RW wrote:

> On Wed, 27 May 2020 10:35:26 -0600
> @lbutlr wrote:

> > I am wondering because I have a server whitelisted in that file (or
> > do I?), but I am seeing occasional logs like:

> The lack of recorded rDNS is a common reason for failure.

I should have added that if  whitelist_from_rcvd *@* server.example.com
(without the colon) is only failing occasionally on mail from
server.example.com, it's probably just an rDNS lookup failure of some
sort.



Re: Spamass milter question

2020-05-27 Thread RW
On Wed, 27 May 2020 10:35:26 -0600
@lbutlr wrote:

> What, if any, local SpamAssassin settings does spams-milter use when
> processing incoming mail?
> 
> For example, if I wanted to white list a sender or blacklist a
> domain, would the general settings in
> /usr/local/etc/spamassasin/local.cf be the place?
> 
> I am wondering because I have a server whitelisted in that file (or
> do I?), but I am seeing occasional logs like:
> 
> postfix/cleanup[7771] 49MN7m64m8z2rPFW: milter-reject: END-OF-MESSAGE
> from server.example.com[n.n.n.n]: 5.7.1 Blocked by SpamAssassin;
...
> whitelist_from_rcvd: *@* server.example.com

whitelist_from_rcvd needs rDNS to be recorded in the Received header on
the edge of the trusted network (this is not necessarily your own
server). The lack of recorded rDNS is a common reason for failure.

There's also a potential complication here that spamass-milter forges a
provisional received header for SpamAssassin to use.

 



Re: Spamass milter question

2020-05-27 Thread @lbutlr
On 27 May 2020, at 10:44, Robert Schetterer  wrote:
> Am 27.05.20 um 18:35 schrieb @lbutlr:
>> # Allow all mailing list posts from example.com

>> whitelist_from_rcvd: *@* server.example.com

Actual file has "whitelist_from_rcvd *@* server.example.com" without the ':'. 
Was hopeful that was the issue.

>> This seems to be in accordance with the docs.

> I think it was
> 
> *@example.com
> 
> but perhaps my memory is out of date

The docs for whitelist_from_rcvd show the following examples:

  whitelist_from_rcvd j...@example.com  example.com
  whitelist_from_rcvd *@*  mail.example.org
  whitelist_from_rcvd *@axkit.org  [192.0.2.123]
  whitelist_from_rcvd *@axkit.org  [192.0.2.0/24]
  whitelist_from_rcvd *@axkit.org  [192.0.2.0]/24
  whitelist_from_rcvd *@axkit.org  [2001:db8:1234::/48]
  whitelist_from_rcvd *@axkit.org  [2001:db8:1234::]/48





-- 
Instant karma's going to get you!
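
The rDNS dependency RW describes and the second-argument forms shown in the doc excerpt above, as an added Python model. This is not SpamAssassin's own Perl code (which does considerably more); it only shows the mechanism: walk the Received headers from the newest down, skip relays inside trusted_networks, and test the first outside relay against each rule. Postfix writes the literal word "unknown" as the rDNS when the reverse lookup fails, which is exactly the case where a domain-form rule cannot hit while an [ip] or [cidr] form still can. All headers, addresses and rules below are constructed.

```python
"""Added example: a simplified model of whitelist_from_rcvd matching.
Not SpamAssassin's code; it only shows why the rule depends on the rDNS that
the edge relay's Received header records, and the domain / [ip] / [cidr]
forms of the second argument. All sample headers below are constructed.
"""
import fnmatch
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Postfix-style clause "from HELO (RDNS [IP])". Postfix records the literal
# word "unknown" as RDNS when the reverse lookup fails.
RCVD_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)


def parse_received(header: str) -> Optional[Tuple[str, str]]:
    """Return (rdns, ip) for one Received header; rdns is '' when not recorded."""
    m = RCVD_RE.search(header)
    if not m:
        return None
    rdns = (m.group("rdns") or "").lower()
    if rdns == "unknown":
        rdns = ""
    return rdns, m.group("ip")


def relay_matches(rdns: str, ip: str, target: str) -> bool:
    """Second rule argument: a domain suffix of the rDNS, or [ip], [net/len], [net]/len."""
    if target.startswith("["):
        # "[192.0.2.0/24]" and "[192.0.2.0]/24" both normalise to "192.0.2.0/24"
        net = ipaddress.ip_network(target.replace("[", "").replace("]", ""), strict=False)
        return ipaddress.ip_address(ip) in net
    t = target.lower()
    return bool(rdns) and (rdns == t or rdns.endswith("." + t))


def edge_relay(received: List[str], trusted: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Newest-first walk: the first relay whose IP is outside trusted_networks
    is the host that handed the message to us, and the one the rule examines."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    for hdr in received:
        parsed = parse_received(hdr)
        if parsed is None:
            continue
        rdns, ip = parsed
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        return rdns, ip
    return None


def whitelist_from_rcvd(from_addr, received, rules, trusted=("127.0.0.0/8",)):
    """Return the (addr_glob, target) rule that whitelists the message, or None."""
    relay = edge_relay(received, trusted)
    if relay is None:
        return None
    rdns, ip = relay
    sender = from_addr.lower()
    for addr_glob, target in rules:
        if fnmatch.fnmatchcase(sender, addr_glob.lower()) and relay_matches(rdns, ip, target):
            return addr_glob, target
    return None


# Constructed headers: the same relay with and without recorded rDNS, and an
# internal hop that a trusted_networks entry should make the matcher skip.
RCVD_OK = "from server.example.com (server.example.com [192.0.2.10]) by mx.example.net (Postfix) with ESMTPS id 4A1B2C"
RCVD_NO_RDNS = "from server.example.com (unknown [192.0.2.10]) by mx.example.net (Postfix) with ESMTPS id 4A1B2D"
RCVD_INTERNAL = "from relay.internal (relay.internal [10.0.0.5]) by mx.example.net (Postfix) with ESMTP id 4A1B2E"

if __name__ == "__main__":
    rule = [("*@*", "server.example.com")]
    print("rDNS recorded:  ", whitelist_from_rcvd("list@example.com", [RCVD_OK], rule))
    print("rDNS missing:   ", whitelist_from_rcvd("list@example.com", [RCVD_NO_RDNS], rule))
    print("IP form instead:", whitelist_from_rcvd("list@example.com", [RCVD_NO_RDNS], [("*@*", "[192.0.2.0/24]")]))
```

The second and third prints are the point of the thread: the same message from the same relay fails the domain form the moment the reverse lookup does, and passes an address-block form regardless. If the goal is really "never treat that relay's mail as spam", the thread's other advice still applies: tell the MTA (or spamass-milter with `-i`) not to hand the mail to SpamAssassin at all, since no SpamAssassin setting can stop it scoring what it is given.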




Re: Spamass milter question

2020-05-27 Thread Robert Schetterer

Am 27.05.20 um 18:35 schrieb @lbutlr:

What, if any, local SpamAssassin settings does spams-milter use when processing 
incoming mail?

For example, if I wanted to white list a sender or blacklist a domain, would 
the general settings in /usr/local/etc/spamassasin/local.cf be the place?

I am wondering because I have a server whitelisted in that file (or do I?), but 
I am seeing occasional logs like:

postfix/cleanup[7771] 49MN7m64m8z2rPFW: milter-reject: END-OF-MESSAGE from 
server.example.com[n.n.n.n]: 5.7.1 Blocked by SpamAssassin;

# Allow all mailing list posts from example.com
whitelist_from_rcvd: *@* server.example.com

This seems to be in accordance with the docs.



I think it was

*@example.com

but perhaps my memory is out of date

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: Munich, Munich District Court: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Spamass milter question

2020-05-27 Thread @lbutlr
What, if any, local SpamAssassin settings does spams-milter use when processing 
incoming mail?

For example, if I wanted to white list a sender or blacklist a domain, would 
the general settings in /usr/local/etc/spamassasin/local.cf be the place?

I am wondering because I have a server whitelisted in that file (or do I?), but 
I am seeing occasional logs like:

postfix/cleanup[7771] 49MN7m64m8z2rPFW: milter-reject: END-OF-MESSAGE from 
server.example.com[n.n.n.n]: 5.7.1 Blocked by SpamAssassin;

# Allow all mailing list posts from example.com
whitelist_from_rcvd: *@* server.example.com

This seems to be in accordance with the docs.


-- 
The true prize was control. Lord Vetinari knew that. When heavy
weights were balanced on the scales, the trick was to know where
to place your thumb. --The Fifth Elephant




Re: Question about the 'URIBL_BLOCKED' rule

2020-05-04 Thread Tom
On 5/3/20 1:16 AM, Bill Cole wrote:
> On 30 Apr 2020, at 14:59, Tom Williams wrote:
>
>> Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
>> used it on and off for a number of years.  :)   Recently, (within the
>> past 6 months or so) I enabled it for email in a shared web hosting
>> environment (we host with InMotionHosting). Anyway, due to the volume
>> of email traffic the server receives, I see a *lot* of
>> 'URIBL_BLOCKED' entries in the SpamAssassin header injected in the
>> headers of incoming mail.   If our server can't use URIBL to check
>> mail, will that have an adverse or negative impact on SpamAssassin's
>> ability to detect/identify spam? 
>
> Yes. A quick look at one of the servers I manage shows that about 10%
> of the spam identified by SA would not be over the threshold without
> the contribution of URIBL rules.
>
>
Thanks!  This is the kind of feedback I was most interested in.


Tom




Re: Question about the 'URIBL_BLOCKED' rule

2020-05-03 Thread Bill Cole

On 30 Apr 2020, at 14:59, Tom Williams wrote:

Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've 
used it on and off for a number of years.  :)   Recently, (within the 
past 6 months or so) I enabled it for email in a shared web hosting 
environment (we host with InMotionHosting). Anyway, due to the volume 
of email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED' 
entries in the SpamAssassin header injected in the headers of incoming 
mail.   If our server can't use URIBL to check mail, will that have 
an adverse or negative impact on SpamAssassin's ability to 
detect/identify spam? 


Yes. A quick look at one of the servers I manage shows that about 10% of 
the spam identified by SA would not be over the threshold without the 
contribution of URIBL rules.



Our host is running SpamAssassin 3.0 (shudders, I know it's ancient).


Ancient, unsupported, incapable of using many current rules, and unsafe.

I know of no "in the wild" exploits of the known vulnerabilities that 
have been fixed since 3.0, but that just means that any which exist have 
been used carefully. I would not feel safe with anything older than 
3.4.3. Given the fact that we've fixed a lot of issues that are based in 
Perl versions since 5.10, I expect that there are issues in 3.0 that are 
keeping you at some ancient version of Perl which itself has problems.


Update.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
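
Bill's figure ("about 10% of the spam would not be over the threshold without URIBL") is something any admin can measure on their own traffic. The following is an added Python script, not part of the thread and not a SpamAssassin tool: it re-scores X-Spam-Status headers with every URIBL_* rule subtracted, counts the spam verdicts that would fall below `required`, and separately counts scans that hit URIBL_BLOCKED as a resolver-health signal. It assumes the header carries per-rule scores, i.e. that local.cf generates it with something like `add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES(,)_ ...`; the default `tests=_TESTS_` form lists names only, and you would then need a score table as well. The five headers are constructed and their scores are only plausible values.

```python
"""Added example (not from the thread or SpamAssassin itself): measure how
much of the spam a server catches depends on URIBL rules, using the
X-Spam-Status headers it already writes.

Assumed setup: the header was generated with per-rule scores, e.g. in local.cf
  add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES(,)_ autolearn=_AUTOLEARN_ version=_VERSION_
The sample headers below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?P<flag>Yes|No),\s*score=(?P<score>-?[\d.]+)\s+"
    r"required=(?P<req>-?[\d.]+)\s+tests=(?P<tests>\S+)",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    is_spam: bool
    score: float
    required: float
    tests: Dict[str, float]   # rule name -> score it contributed

    def score_without(self, prefix: str) -> float:
        """Total score with every rule whose name starts with `prefix` removed."""
        dropped = sum(s for name, s in self.tests.items() if name.startswith(prefix))
        return round(self.score - dropped, 3)


def parse_status(line: str) -> Verdict:
    """Parse one X-Spam-Status header of the TESTSSCORES form into a Verdict."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError("not an X-Spam-Status header with scores: " + line)
    tests: Dict[str, float] = {}
    for item in m.group("tests").split(","):
        name, _, score = item.partition("=")
        tests[name] = float(score) if score else 0.0   # name-only form: score unknown
    return Verdict(m.group("flag").lower() == "yes", float(m.group("score")),
                   float(m.group("req")), tests)


def uribl_dependency(lines: List[str]) -> Dict[str, float]:
    """How many spam verdicts drop under the threshold once URIBL_* rules are
    subtracted, and how many scans saw URIBL_BLOCKED (i.e. got no answer)."""
    verdicts = [parse_status(l) for l in lines]
    spam = [v for v in verdicts if v.is_spam]
    dependent = [v for v in spam if v.score_without("URIBL_") < v.required]
    blocked = [v for v in verdicts if "URIBL_BLOCKED" in v.tests]
    return {
        "scanned": len(verdicts),
        "spam": len(spam),
        "uribl_dependent_spam": len(dependent),
        "uribl_dependent_pct": round(100.0 * len(dependent) / len(spam), 1) if spam else 0.0,
        "uribl_blocked_scans": len(blocked),
    }


# Constructed headers (not real traffic); rule scores are plausible values only.
SAMPLE_STATUS_HEADERS = [
    "X-Spam-Status: Yes, score=7.7 required=5.0 tests=BAYES_99=3.5,HTML_MESSAGE=0.001,URIBL_BLACK=1.7,URIBL_DBL_SPAM=2.5 autolearn=no version=3.4.4",
    "X-Spam-Status: Yes, score=9.5 required=5.0 tests=BAYES_99=3.5,BAYES_999=0.2,MISSING_DATE=0.8,RCVD_IN_PBL=3.3,URIBL_BLACK=1.7 autolearn=disabled version=3.4.4",
    "X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50=0.8,HTML_MESSAGE=0.001,URIBL_BLOCKED=0.001 autolearn=no version=3.4.4",
    "X-Spam-Status: Yes, score=5.2 required=5.0 tests=BAYES_99=3.5,HTML_MESSAGE=0.001,URIBL_BLACK=1.7,URIBL_BLOCKED=0.001 autolearn=no version=3.4.4",
    "X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00=-1.9,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HTML_MESSAGE=0.001,SPF_PASS=-0.001 autolearn=ham version=3.4.4",
]

if __name__ == "__main__":
    print(uribl_dependency(SAMPLE_STATUS_HEADERS))
```

On the constructed sample two of the three spam verdicts only cross the threshold because of URIBL hits; a real week of headers gives your own version of Bill's number. A rising `uribl_blocked_scans` count is the thing to watch: as the thread goes on to say, the cure is a resolver that is not shared (Jari's `dns_server 127.0.0.1` pointing at a local cache), with `dns_query_restriction deny multi.uribl.com` as the fallback named in the dnsblock message if you cannot fix the resolver.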


Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread Tom
Many thanks to those who responded.  I was mainly wondering how the
inability to do blacklist checks would impact the overall ability of
SpamAssassin to detect spam.  Given the responses, I'll go in a
different direction.  I'll move the site to a VPS, where I can have more
control over SpamAssassin and DNS configuration.

Thanks!

Tom

On 5/2/20 3:25 AM, Jari Fredriksson wrote:
> I have too had a problem of this in my masscheck box. It is a cloud VM
> in Google Cloud and they do like to provide a /etc/resolv.conf for
> their own DNS which has been next to impossible to overcome. I do
> replace it in the beginning of my masscheck process with my own but to
> no avail.
>
> I now figured out I can add this to auto-mass-check.cf and going to
> see how it works.
>
> spam@gauntlet ~ $ grep dns gcloud/auto-mass-check.sh
>     echo "dns_server 127.0.0.1" >> spamassassin/user_prefs
>
> br. jarif
>
> On 30.4.2020 22.28, Richard Doyle wrote:
>> First result on Google:
>> http://cweiske.de/tagebuch/uribl_blocked.htm
>>
>> Short version: URIBL will block you if you use any of the big DNS
>> providers, such as 8.8.8.8.
>>
>>
>> On 4/30/20 11:59 AM, Tom Williams wrote:
>>> Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
>>> used it on and off for a number of years.  :)   Recently, (within the past
>>> 6 months or so) I enabled it for email in a shared web hosting
>>> environment (we host with InMotionHosting). Anyway, due to the
>>> volume of
>>> email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED'
>>> entries in the SpamAssassin header injected in the headers of incoming
>>> mail.   If our server can't use URIBL to check mail, will that have an
>>> adverse or negative impact on SpamAssassin's ability to detect/identify
>>> spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's
>>> ancient).
>>>
>>> Thanks in advance!
>>>
>>> Tom
>>>



Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread RW
On Sat, 2 May 2020 15:59:27 +0300
Jari Fredriksson wrote:

> On 2.5.2020 13.30, Reindl Harald wrote:
> > and why don't you just replace /etc/resolv.conf and fire up "chattr
> > +i /etc/resolv.conf" like everyone else does for years to keep it
> > untouched (that's even a documented way to prevent it being overwritten
> > by dhcp clients)
> >
> > there is no point using a shared dns from whatever provider and
> > it's a shame that most people are still so bound to it that they
> > often fuck up even their own named/unbound setup with forwarders
> 
> Thanks! I have used Linux since 1994 but was not aware of that. I'll
> try it next.

You shouldn't need to do that as you can configure the DNS cache in your
settings.   

My understanding is that masschecks are supposed to reuse network
results from X-Spam-Status. Presumably the URIBL_BLOCKED warning is
about lookups that occurred during the original scan rather than during
the masscheck. Any network tests repeated during the masscheck would
tend to corrupt the results.

If you have dns_server set during scans and you are getting
URIBL_BLOCKED then you have either found a bug, your DNS is diverted,
or your IP address itself is blocked for some reason.


Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread Jari Fredriksson



On 2.5.2020 13.30, Reindl Harald wrote:

and why don't you just replace /etc/resolv.conf and fire up "chattr +i
/etc/resolv.conf" like everyone else does for years to keep it untouched
(that's even a documented way to prevent it being overwritten by dhcp clients)

there is no point using a shared dns from whatever provider and it's a
shame that most people are still so bound to it that they often fuck up
even their own named/unbound setup with forwarders


Thanks! I have used Linux since 1994 but was not aware of that. I'll try 
it next.


br. jarif




Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread Jari Fredriksson

Still!

Syncing weekly_mass_check
check: dns_block_rule URIBL_BLOCKED hit, 
creating /home/jarif/.spamassassin/dnsblock_multi.uribl.com (This means dnsbl blocked you 
due to too many queries. Set all affected rules score to 0, or use 
"dns_query_restriction deny multi.uribl.com" to disable queries)
 12:34:19 up  1:34,  0 users,  load average: 32.21, 32.29, 32.17
rsync -Pcqz  ham-net-jarif.log spam-net-jarif.log*munged*/
 12:34:43 up  1:34,  0 users,  load average: 21.57, 29.78, 31.34

Bummer.

br. jarif

On 2.5.2020 13.25, Jari Fredriksson wrote:
I have too had a problem of this in my masscheck box. It is a cloud VM 
in Google Cloud and they do like to provide a /etc/resolv.conf for 
their own DNS which has been next to impossible to overcome. I do 
replace it in the beginning of my masscheck process with my own but to 
no avail.


I now figured out I can add this to auto-mass-check.cf and going to 
see how it works.


spam@gauntlet ~ $ grep dns gcloud/auto-mass-check.sh
    echo "dns_server 127.0.0.1" >> spamassassin/user_prefs

br. jarif

On 30.4.2020 22.28, Richard Doyle wrote:

First result on Google:
http://cweiske.de/tagebuch/uribl_blocked.htm

Short version: URIBL will block you if you use any of the big DNS
providers, such as 8.8.8.8.


On 4/30/20 11:59 AM, Tom Williams wrote:

Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
used it on and off for a number of years.  :)   Recently, (within the past
6 months or so) I enabled it for email in a shared web hosting
environment (we host with InMotionHosting). Anyway, due to the 
volume of

email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED'
entries in the SpamAssassin header injected in the headers of incoming
mail.   If our server can't use URIBL to check mail, will that have an
adverse or negative impact on SpamAssassin's ability to detect/identify
spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's
ancient).

Thanks in advance!

Tom





Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread Jari Fredriksson
I have too had a problem of this in my masscheck box. It is a cloud VM 
in Google Cloud and they do like to provide a /etc/resolv.conf for their 
own DNS which has been next to impossible to overcome. I do replace it 
in the beginning of my masscheck process with my own but to no avail.


I now figured out I can add this to auto-mass-check.cf and going to see 
how it works.


spam@gauntlet ~ $ grep dns gcloud/auto-mass-check.sh
    echo "dns_server 127.0.0.1" >> spamassassin/user_prefs

br. jarif

On 30.4.2020 22.28, Richard Doyle wrote:

First result on Google:
http://cweiske.de/tagebuch/uribl_blocked.htm

Short version: URIBL will block you if you use any of the big DNS
providers, such as 8.8.8.8.


On 4/30/20 11:59 AM, Tom Williams wrote:

Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
used it on and off for a number of years.  :)   Recently, (within the past
6 months or so) I enabled it for email in a shared web hosting
environment (we host with InMotionHosting). Anyway, due to the volume of
email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED'
entries in the SpamAssassin header injected in the headers of incoming
mail.   If our server can't use URIBL to check mail, will that have an
adverse or negative impact on SpamAssassin's ability to detect/identify
spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's
ancient).

Thanks in advance!

Tom



Re: Question about the 'URIBL_BLOCKED' rule

2020-04-30 Thread Richard Doyle
First result on Google:
http://cweiske.de/tagebuch/uribl_blocked.htm

Short version: URIBL will block you if you use any of the big DNS
providers, such as 8.8.8.8.


On 4/30/20 11:59 AM, Tom Williams wrote:
> Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
> used it on and off for a number of years.  :)   Recently, (within the past
> 6 months or so) I enabled it for email in a shared web hosting
> environment (we host with InMotionHosting). Anyway, due to the volume of
> email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED'
> entries in the SpamAssassin header injected in the headers of incoming
> mail.   If our server can't use URIBL to check mail, will that have an
> adverse or negative impact on SpamAssassin's ability to detect/identify
> spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's
> ancient).
> 
> Thanks in advance!
> 
> Tom
> 



Question about the 'URIBL_BLOCKED' rule

2020-04-30 Thread Tom Williams
Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've 
used it on and off for a number of years.  :)   Recently, (within the past 
6 months or so) I enabled it for email in a shared web hosting 
environment (we host with InMotionHosting). Anyway, due to the volume of 
email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED' 
entries in the SpamAssassin header injected in the headers of incoming 
mail.   If our server can't use URIBL to check mail, will that have an 
adverse or negative impact on SpamAssassin's ability to detect/identify 
spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's ancient).


Thanks in advance!

Tom



Re: Question on early detection for relay spam

2020-03-04 Thread Benny Pedersen

Rupert Gallagher skrev den 2020-03-05 00:27:

Fails with travelling clients.


my customers want vacation without stress :=)


Re: Question on early detection for relay spam

2020-03-04 Thread @lbutlr
On 04 Mar 2020, at 16:27, Rupert Gallagher  wrote:
> Fails with travelling clients.

Depends. I block several countries from accessing my mail server. If someone 
travels to one of those countries, they can use webmail to access their mail.

There are always options.

However, most people simply use a VPN.



Re: Question on early detection for relay spam

2020-03-04 Thread Rupert Gallagher
Fails with travelling clients.

 Original Message 
On Mar 3, 2020, 16:49, Benny Pedersen wrote:

> Marc Roos skrev den 2020-03-03 16:15:
>> Use ipset, hardly causing any latency using 50k entries.
>
> i don't need to block 50k entries, but only whitelist few accepted client
> ips, where i resolve asn and open this specific asn to have access, if
> there is abuse it will be removed so it is again blocked, i have tried
> blocking 50k entries it failed miserably, for me it does not matter if
> ipsets or not was used
>
> keeping it tight helps a lot
>
> the log i showed was not from clients that already had access, so no
> need to block it
>
> if you know iptables you don't need ipsets :=)

Re: Question on early detection for relay spam

2020-03-04 Thread Bill Cole

On 4 Mar 2020, at 14:43, RW wrote:


On Tue, 03 Mar 2020 16:05:31 -0800
Ted Mittelstaedt wrote:



2FA isn't going to help unless 2FA could be applied to the SMTP Auth
port.


Sometimes 2FA on webmail is combined with separate autogenerated
passwords for pop/imap/submission.


A.k.a. "application passwords" which people may be accustomed to as a 
feature of both Google's and Apple's 2FA implementations.


It is also possible to couple 2FA with OAuth 2.0 (as Google does) 
although that does put you in the position of forcing users to adopt 
MUAs that support OAuth 2.0.





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Question on early detection for relay spam

2020-03-04 Thread RW
On Tue, 03 Mar 2020 16:05:31 -0800
Ted Mittelstaedt wrote:


> 2FA isn't going to help unless 2FA could be applied to the SMTP Auth
> port.  

Sometimes 2FA on webmail is combined with separate autogenerated
passwords for pop/imap/submission.


Re: Question on early detection for relay spam

2020-03-04 Thread M. Omer GOLGELI
If password rotating is out of the question, you might want to check your IPs 
against blacklists multiple times at a day, it wouldn't stop it but it may 
notify you earlier to stop an outbreak.

Other thing that comes to mind is, you may try rate limiting your users and 
setup a cron to monitor the number of outgoing messages and notify you if 
there's a sudden surge of mail requests.





M. Omer GOLGELI
---
AS202365

  https://as202365.peeringdb.com 
  https://bgp.he.net/AS202365 

NOC:
 Phone: +90-533-2600533
 Email:  o...@chronos.com.tr


March 3, 2020 10:26 AM, "Ted Mittelstaedt"  wrote:

> I know this is probably off topic but I'm getting desperate enough to ask.
> 
> I run a commercial mailserver that regularly seems to have spammers relay 
> mail through it that have
> obtained stolen credentials for a user. Many years ago I stopped allowing 
> users to change passwords
> on it and I setup passwords for all users added to it, and the passwords are 
> random strings of 8
> characters or more.
> 
> The problem is of course that since the passwords are difficult to remember, 
> once the users do
> remember them they merrily proceed to use
> this "highly secure password that I can now remember" on every stupid
> website out on the Internet that they care to login to. The problem
> isn't really the people using Thunderbird or Outlook or their cell phones or 
> whatever, because they
> save the password in the email client and then immediately forget it, which 
> is what I want. It is
> the people who use the webmail interface on multiple different systems, kiosk
> computers and the like, who are the problem. When hosts out on the
> Internet get busted into, the spammers get their passwords and
> email addresses and start relaying. I've confirmed this with several
> users I've called and it's always the same story.
> 
> By the time I see what's going on the server is blacklisted everywhere
> and I have to waste time delisting it, and asskissing all of the
> little tiny blacklists run by little pricks who want me to pay money
> or wait a month to be delisted, etc. (no I'm NOT talking about
> spamcop, or barracuda or anyone professional - THEY know what they are
> doing and don't look at this as a chance for a shakedown)
> 
> I estimate that last year this happened around 5 times and I just
> lost an afternoon today answering the passle of help requests from
> users because it happened again.
> 
> What I am wondering is how to tighten up my monitoring on my servers to
> more rapidly identify when this starts happening. What I'm doing now is
> a kludge but I run mailq (this is a sendmail system) and when I see the
> number of pending mail messages in there exceeds a threshold I send an alert to 
> my cell. It is a
> kludge and the problem is that
> the mailq doesn't start filling up until my server gets blacklisted.
> 
> I've considered several ideas like running a script out of cron that
> checks the number of authid's per hour but all of these seem like even
> worse kludges. The only idea that I have come up with that I really
> like is taking an AK-47 to the spammers but unfortunately spammers
> know that they are unloved and cowardly hide away in Russia and scummier
> places and I can't reach 'em. (maybe I could offer a bounty? A nickel a head? 
> That would pay for
> the bullet at least. I don't think those people are worth even that, though)
> 
> I do run a daily sendmail statistics report but by the time I read that
> and see the bump in traffic it's too late.
> 
> What do other people do for this problem?
> 
> Ted


Re: Question on early detection for relay spam

2020-03-03 Thread Ted Mittelstaedt




On 3/3/2020 5:53 AM, Riccardo Alfieri wrote:

On 03/03/20 08:54, Benny Pedersen wrote:


Ted Mittelstaedt skrev den 2020-03-03 08:26:


What do other people do for this problem?

Hi Ted,



What I can suggest you is to look at our DQS product
(https://www.spamhaustech.com/dqs/), that even in it's free subscription
model includes AuthBL, a list made of botnet's known to be used to spam
with abused credentials. A simple 5xx if a client connect to your
submission port using a listed IP would take care of *most* of your
problems.



Well since I also am fully IPv6 compliant I don't think I have the space
for a real dynamic blacklist.  A spammer with half a brain can simply 
forgo IPv4 completely and have almost an infinite number of IP's to 
attack me from.  Of course most spammers are too stupid to setup a 
rotator on an IPv6 line so maybe we might get a few more years in the

IPv4 space but much of this blacklist stuff can be easily defeated
once more people run IPv6.




After that, just running a daily report with a table like:

sasl_username - number of different ips observed in the latest 24h.



Yes, this is what I have been thinking is most likely going to be the 
most useful approach - that is, writing a log analysis script that runs

when the maillog is rolled over, and stuffs all authid IP addresses and
corresponding userIDs into a mysql database.  Then a second report 
script that queries the database looking for excessive use. 
Unfortunately while it's the least kludgy approach it's also the most

complicated one.  :-(


Can help you find out abused credentials that were being used by bots
(still) not in AuthBL.

I've observed in the field that this is an approach that works when you
have up to 20-30k users; after this threshold you may want to write
something to automate warnings and/or automatically block accounts if
they exceed a defined threshold of (different_ips per sasl_username) per
hour.



Unfortunately that just opens a DoS hole as an attacker who is attacking
a particular userID can stuff the log and lock out a legitimate user.

Unlike Google who gives out accounts for free I collect money for them 
and so therefore unlike Google I can't just do whatever the eff I want 
to them for no reason anytime I feel like.


That's WHY Google gives out free accounts.  That, and they have enough 
of them they can gather all that lovely marketing data by scraping 
people's emails for keywords.


Ted
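
The log-analysis approach discussed above (collect the client IPs seen per
authenticated user, report "sasl_username - number of different IPs in the
latest 24h", and flag accounts that exceed a distinct-IPs-per-hour
threshold) as an added example; this is not code from the thread or from
any poster. It assumes a Postfix-style "client=host[ip], ...,
sasl_username=user" log line (the regex, sample log, year and thresholds
are constructed for illustration); a sendmail log needs a different regex
but the same logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). The layout imitates Postfix's
# successful-AUTH line; adjust LINE_RE for sendmail or another MTA.
SAMPLE_LOG = """\
Mar  3 08:01:10 mx postfix/submission/smtpd[1234]: 9A1B2C: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Mar  3 08:05:42 mx postfix/submission/smtpd[1235]: 9A1B2D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Mar  3 08:06:01 mx postfix/submission/smtpd[1236]: 9A1B2E: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=alice
Mar  3 08:07:13 mx postfix/submission/smtpd[1237]: 9A1B2F: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=alice
Mar  3 08:09:55 mx postfix/submission/smtpd[1238]: 9A1B30: client=unknown[198.51.100.200], sasl_method=PLAIN, sasl_username=alice
Mar  3 08:10:00 mx postfix/submission/smtpd[1239]: 9A1B31: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Mar  3 08:11:30 mx postfix/submission/smtpd[1240]: 9A1B32: client=home.example[192.0.2.44], sasl_method=PLAIN, sasl_username=bob
Mar  3 09:30:00 mx postfix/submission/smtpd[1241]: 9A1B33: client=home.example[192.0.2.44], sasl_method=PLAIN, sasl_username=bob
Mar  3 09:30:05 mx postfix/submission/smtpd[1242]: 9A1B34: client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=carol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+\[\d+\]: \S+: "
    r"client=\S*\[(?P<ip>[0-9a-fA-F.:]+)\],.*?sasl_username=(?P<user>\S+)"
)


def parse_auth_events(log_text, year=2020):
    """Return [(timestamp, sasl_username, client_ip)] for successful-AUTH lines.

    Only lines carrying sasl_username are counted, i.e. logins that
    succeeded. Failed attempts never enter the table, so nobody can push a
    user over the threshold just by spraying wrong passwords at the port.
    Syslog timestamps carry no year, so one is supplied (assumption).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def distinct_ips_per_user(events, window=timedelta(hours=24), now=None):
    """The daily-report table: sasl_username -> number of distinct client
    IPs seen in the `window` ending at `now` (default: the latest event)."""
    if not events:
        return {}
    if now is None:
        now = max(ts for ts, _, _ in events)
    start = now - window
    seen = defaultdict(set)
    for ts, user, ip in events:
        if start <= ts <= now:
            seen[user].add(ip)
    return {user: len(ips) for user, ips in seen.items()}


def max_distinct_ips_in_window(events, window=timedelta(hours=1)):
    """sasl_username -> largest number of distinct IPs seen inside any span
    of length `window`, sliding over that user's events in time order."""
    per_user = defaultdict(list)
    for ts, user, ip in events:
        per_user[user].append((ts, ip))
    result = {}
    for user, items in per_user.items():
        items.sort()
        best = 0
        for i, (start, _) in enumerate(items):
            ips = {ip for ts, ip in items[i:] if ts < start + window}
            best = max(best, len(ips))
        result[user] = best
    return result


def flag_abuse(events, window=timedelta(hours=1), max_distinct_ips=3):
    """Users whose distinct-IP count within some `window` exceeds the
    threshold: candidates for a warning or an automatic block."""
    return {u: n for u, n in max_distinct_ips_in_window(events, window).items()
            if n > max_distinct_ips}


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for user, n in sorted(distinct_ips_per_user(evs).items()):
        print(f"{user:<12} {n} distinct IPs in last 24h")
    for user, n in flag_abuse(evs).items():
        print(f"ALERT {user}: {n} distinct IPs within one hour")
```

In the constructed sample, alice authenticates from five different
addresses in nine minutes while bob and carol each use one, so only alice
crosses the default threshold of three. Tune the threshold against your
own logs: road warriors on mobile networks legitimately change address
several times a day, which is why the hourly sliding window, rather than
the daily total, is the better trigger for automatic action.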


RE: Question on early detection for relay spam

2020-03-03 Thread Ted Mittelstaedt



Well for an example of the trouble RBLs cause see this one for your own number:


-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
 trust
 [212.26.193.44 listed in list.dnswl.org]

> and then immediately forget it, which is what I want.  It is the
> people who use the webmail interface on multiple different systems, kiosk
> computers and the like, who are the problem.  When hosts out on the
> Internet get busted into, the spammers get their passwords and
> email addresses and start relaying.  I've confirmed this with several
> users I've called and it's always the same story.

> Strange your webmail should be on https then it is difficult to catch
> passwords.

As I mentioned already the issue isn't that people using the password on
the webmail interface are getting hacked.  The issue is people using
the email password on -other- servers on the Internet, which then later
get hacked.  Some users in fact never use the webmail interface yet
still get hacked, it is because they choose to use the same password on
multiple servers on the Internet.


It's more prevalent with the webmail users because those users type the
password in repeatedly, which commits it to their memory, and then since 
it is committed to memory they find it easy to use elsewhere.


2FA isn't going to help unless 2FA could be applied to the SMTP Auth
port.  In fact, since my incoming and outgoing mailservers are 
independent servers, I can use different passwords for incoming and
outgoing servers, which is one answer.  However, that is a decision that 
would have been great if it was made back in 2004 when I split the 
mailserver into independent servers.


The main correlation I have is that users who call me asking "what is my
email password" because they are setting up new phones, etc. - they are
never hacked.  It's the users that remember the passwords that get
hacked - obviously because they are using them elsewhere.


Ted


Re: Question on early detection for relay spam

2020-03-03 Thread Grant Taylor

On 3/3/20 3:40 AM, Marc Roos wrote:

No problem I would say, it is good to exchange thoughts and ideas


Agreed.

Strange your webmail should be on https then it is difficult to catch
passwords. I do not have this at all, that people's passwords get stolen.
Hardly ever. So maybe somewhere something is wrong in your setup. Maybe
spammers get access via a remote exploit?  I do not think this is a
common problem.


I suspect that key loggers, or malicious browser add-ons, more nefarious 
things (MitM proxies) are partially to blame.


Please remember, that you are causing work for these companies. Someone 
is complaining. And someone is adding your ip to the blacklist. 
They get harassed why the shit is getting through their spam filters.


True.

I would also ask amazon to pay me a few thousands for wasting my 
time constantly.


~chuckle~

Sendmail has a nice filter that rate limits a user. I was always 
thinking of implementing this, when I run into a situation as yours.


I thought that Sendmail had a per authenticated user rate limit.  If it 
doesn't, I expect that a milter could be created to do that with little 
effort.


I wonder if it would be possible to combine this rate limiting with
quarantining.  That way the messages could be received from the client
and held on the server.  Clients would likely be none the wiser.  You
could then look at the count of quarantined messages and take action
based on that.  You could also have an automated job that would email
the authenticated user when their messages were being quarantined; i.e.
they sent > X number of messages in the last Y hours.  (25–50 & 24 seems
like a start.  Check your logs for better numbers.)



Things you should consider:
- investigate what clients mostly have these problems. Give them a
separate outgoing server. This way when it happens again not everyone's
email is blocked.


Hum.  This seems somewhat problematic.  How do you propose using 
different SMTP servers based on authenticating client /without/ 
reconfiguring clients or playing DNS games?  It seems like the front 
line MSA would need to conditionally route messages to the next SMTP 
server based on behavior & sending rate.


ps. When I get spam I put the whole /24 range on the blacklist. So 
maybe get ip's in different ranges.


- filter your logs of the last year that have outgoing spam. You will
see the same ip ranges. Put all of them on your outgoing mailserver's dns
blacklist so they cannot connect.


- google for outgoing milters. You get blacklisted on the bigger rbl's 
after sending a lot of spam.


At the risk of using buzz words, I wonder if anyone has applied A.I. / 
M.L. to authenticated user / sending address / recipient address tuples.


Do you have any idea if the abusers are using different from addresses
(envelope and / or header) not associated with the authentication
credentials?  It might be low hanging fruit to associate
authentication credentials with the from addresses.


Do you filter on outbound messages?  Make sure that you aren't violating
SPF / DMARC / spam / viruses.



A user is not sending 100 emails a day.


Most users don't.  I'm sure that I have done that in the past, though 
rarely.



Good luck, fighting these spammers!!!


+1



--
Grant. . . .
unix || die
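
Grant's "low hanging fruit" of tying the authentication credential to the
sender addresses, as an added example that is not code from the thread or
from any poster. Postfix can enforce the envelope half natively
(smtpd_sender_login_maps together with reject_sender_login_mismatch);
checking the RFC 5322 From header as well needs a milter or a similar
hook, and this is the check such a hook would run. The authorization
table, sample messages and address names are constructed for
illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed authorization table (assumption): which sender addresses each
# SASL login may use. In production this comes from the same directory or
# SQL table that defines the accounts.
AUTHORIZED_SENDERS = {
    "alice": {"alice@example.com", "sales@example.com"},
    "bob": {"bob@example.com"},
}


def normalize(addr):
    """Lower-case and strip angle brackets and whitespace so that
    '<Alice@Example.COM>' and 'alice@example.com' compare equal."""
    return addr.strip().strip("<>").strip().lower()


def check_submission(sasl_username, envelope_from, raw_message,
                     table=AUTHORIZED_SENDERS):
    """Return (accept, reason) for one authenticated submission.

    Both the SMTP envelope sender (MAIL FROM) and the header From must be
    on file for the login that authenticated. The null envelope sender
    (MAIL FROM:<>) is allowed because bounces legitimately use it; the
    header From is required to match in every case.
    """
    allowed = {normalize(a) for a in table.get(sasl_username, ())}
    if not allowed:
        return False, f"no sender addresses on file for login {sasl_username!r}"

    env = normalize(envelope_from)
    if env and env not in allowed:
        return False, f"envelope sender {env} not authorized for {sasl_username}"

    msg = message_from_string(raw_message)
    # getaddresses() separates display name from address, so a header like
    #   From: "alice@example.com" <ceo@victim.example>
    # yields the real address, not the decoy placed in the display name.
    header_addrs = [normalize(a) for _, a in getaddresses(msg.get_all("From", [])) if a]
    if not header_addrs:
        return False, "missing or unparseable From header"
    if len(header_addrs) > 1:
        return False, "multiple From addresses"
    if header_addrs[0] not in allowed:
        return False, f"header From {header_addrs[0]} not authorized for {sasl_username}"
    return True, "ok"


# Constructed sample messages.
LEGIT_MSG = (
    "From: Alice <Alice@example.com>\n"
    "To: someone@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)
SPOOFED_MSG = (
    'From: "alice@example.com" <ceo@victim.example>\n'
    "To: someone@example.net\n"
    "Subject: urgent wire transfer\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for login, env, msg in [
        ("alice", "<alice@example.com>", LEGIT_MSG),
        ("alice", "<alice@example.com>", SPOOFED_MSG),
        ("alice", "<bob@example.com>", LEGIT_MSG),
        ("mallory", "<alice@example.com>", LEGIT_MSG),
    ]:
        print(login, env, check_submission(login, env, msg))
```

A compromised account that only ever sends as its own address still gets
through this check; its value is that the common relay-spam pattern, one
stolen login used to forge many unrelated From addresses, is refused at
submission time instead of being discovered after the queue fills.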





Re: Question on early detection for relay spam

2020-03-03 Thread Bill Cole

On 3 Mar 2020, at 2:26, Ted Mittelstaedt wrote:

I know this is probably off topic but I'm getting desperate enough to 
ask.


I run a commercial mailserver that regularly seems to have spammers 
relay mail through it that have obtained stolen credentials for a 
user.  Many years ago I stopped allowing users to change passwords on 
it and I setup passwords for all users added to it, and the passwords 
are random strings of 8 characters or more.


The problem is of course that since the passwords are difficult to
remember, once the users do remember them they merrily proceed to use
this "highly secure password that I can now remember" on every stupid
website out on the Internet that they care to login to.  The problem
isn't really the people using Thunderbird or Outlook or their cell
phones or whatever, because they save the password in the email client
and then immediately forget it, which is what I want.  It is the
people who use the webmail interface on multiple different systems,
kiosk computers and the like, who are the problem.


The standard answer for this is to require some form of 2-step/2-factor 
authentication. If you have users actually entering their usernames and 
passwords in to random computers they will never see again, the only 
sound practice is some form of 2FA where the 2nd step is ephemeral: OTP 
of some variety, one-time codes via SMS, etc.


However, there's another useful tactic that doesn't require you to 
deploy all-new services, although it will require some user training. 
Decouple authentication identities from email address deliverability. 
There is no intrinsic reason that a username must be a deliverable email 
address, even if it looks like one. I originally did this almost 
accidentally on my oldest surviving mail system, which has now hit 25 
years (across multiple platforms, of course) without a single account 
hijack. It's absurdly simple. My users all have real user accounts on 
the mail server. They authenticate using 
usern...@mailhostname.scconsult.com. Their primary email addresses are 
somthinge...@scconsult.com. somethinge...@mailhostname.scconsult.com is 
non-existent in any sense, as is usern...@scconsult.com. The 
authentication name (usern...@mailhostname.scconsult.com) is only 
deliverable locally: Postfix only accepts mail via SMTP for virtual 
domains (e.g. scconsult.com, billmail.scconsult.com, grumpybozo.us, 
etc.) Usable email addresses are not authentication identities and 
authentication identities are not usable email addresses. Before I 
started firewalling them as noisy nuisances, I had a constant flow of 
auth attempts for various names that could never succeed against IMAP, 
POP, both submission ports, SMTP (where I don't even allow AUTH!) and a 
private website with an entirely distinct user namespace. HIBP tells me 
that some miscreants probably have once-valid email+password combos for 
some of my users at random breached websites, and I've seen auth 
attempts for those email addresses from credential-stuffer bots, but 
even if the owners of those addresses used the same passwords for the 
breached sites as for their email, those attempts cannot succeed because 
their email accounts do not use their email addresses as usernames.


That DOES NOT solve the Evil Kiosk Operator problem, of course. For 
that, you need the aforementioned 2FA with one-use second factors.



[...]
What I am wondering is how to tighten up my monitoring on my servers to
more rapidly identify when this starts happening.  What I'm doing now is
a kludge but I run mailq (this is a sendmail system) and when I see the
number of pending mail messages in there exceed a threshold I send an
alert to my cell.  It is a kludge and the problem is that the mailq
doesn't start filling up until my server gets blacklisted.


That's particularly bad with low-flow/snowshoe spammers who route one 
message every 10 minutes through each of 300 compromised accounts spread 
across 20 different servers, most of them on megaproviders. You won't 
notice anything until the particular spam content has been fingerprinted 
in shared systems like DCC, Pyzor, Razor, and Cloudmark.



I've considered several ideas like running a script out of cron that
checks the number of authid's per hour but all of these seem like even
worse kludges.  The only idea that I have come up with that I really
like is taking an AK-47 to the spammers but unfortunately spammers
know that they are unloved and cowardly hide away in Russia and scummier
places and I can't reach 'em.  (maybe I could offer a bounty?  A
nickel a head?  That would pay for the bullet at least.  I don't think
those people are worth even that, though)


There's a seed of a useful idea in that paragraph...

Why do you allow access to IMAP, POP, or either mail submission port 
(465 or 587) from random Russian IPs? Do you allow AUTH at all on port 
25 and if so, why?


What I've done is that I have a log watcher (akin to fail2ban, but 
