Re: ANY_BOUNCE_MESSAGE questions
>> On Mon, 2017-05-01 at 17:13 +0200, Matus UHLAR - fantomas wrote:
>> Is there something on vbounce that does not apply for you?
>> loading it and setting proper whitelist_bounce_relays should hit all
>> bounces that did not come as response to mail from your systems...

On 01.05.17 19:11, Martin Gregorie wrote:
> Obvious spam was being rejected by apparently legit MTAs which weren't
> using SPF checks before bouncing the spam. Their wrappers looked legit
> and the rejected spam had either my usual address or the address of my
> POP3 mailbox on my ISP's mailhost forged as the sender.
>
> vbounce certainly didn't stop any of this stuff (mostly Russian girlie
> spam)

it's not supposed to stop it, but to detect it. classic score is 0.1 iirc.
note that bounces that contain your relays (see whitelist_bounce_relays)
are not scored.

maybe you just did not set up whitelist_bounce_relays?

> or I would not have concocted my mail bounce rule, which I did around
> Oct 2014 - Jan 2015: did vbounce even exist then?

and long long before...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
There's a long-standing bug relating to the x86 architecture that allows
you to install Windows. -- Matthew D. Fuller
Re: ANY_BOUNCE_MESSAGE questions
On 30 Apr 2017, at 10:17, David Jones wrote:

> 99_mailspike.cf
> ---
> shortcircuit RCVD_IN_MSPIKE_H5 on
>
> score RCVD_IN_MSPIKE_H4 -3.2
> score RCVD_IN_MSPIKE_H3 -2.2
> score RCVD_IN_MSPIKE_H2 -1.2
> score RCVD_IN_MSPIKE_WL -0.82
> score RCVD_IN_MSPIKE_BL 1.2
> score RCVD_IN_MSPIKE_L2 0.2
> score RCVD_IN_MSPIKE_L3 1.2
> score RCVD_IN_MSPIKE_L4 2.2
> score RCVD_IN_MSPIKE_L5 3.2

Scoring RCVD_IN_MSPIKE_WL and RCVD_IN_MSPIKE_BL so strongly seems odd, as
those will always hit if any of the RCVD_IN_MSPIKE_H* and
RCVD_IN_MSPIKE_L* respectively.

Also, in my experience those scores vastly overvalue the "good" classes.
I have received every major class of spam from H4 and H3 sources,
including trojans, advance fee fraud, bank phishing, ISP phishing, penis
pill ads, replica watch ads, and whois-scraped solicitation for various
sorts of domain promotion (violating the whois data usage rules of the
relevant domain registries.) There have also been a few bits of
"mainsleaze" spam (nominally legitimate companies adhering to relevant
laws) but those tend to come more from H5 sources.

Perversely, H2 is better correlated to non-spamminess than either H3 or
H4 in my recent (2015-now) logs and this is consistent with the scores
determined by the RuleQA process: H2 is stronger than H5 and all the
other rules are scores +/- 0.01
Re: ANY_BOUNCE_MESSAGE questions
On Mon, 2017-05-01 at 17:13 +0200, Matus UHLAR - fantomas wrote:
>
> Is there something on vbounce that does not apply for you?
> loading it and setting proper whitelist_bounce_relays should hit all
> bounces that did not come as response to mail from your systems...
>
Obvious spam was being rejected by apparently legit MTAs which weren't
using SPF checks before bouncing the spam. Their wrappers looked legit
and the rejected spam had either my usual address or the address of my
POP3 mailbox on my ISP's mailhost forged as the sender.

vbounce certainly didn't stop any of this stuff (mostly Russian girlie
spam) or I would not have concocted my mail bounce rule, which I did
around Oct 2014 - Jan 2015: did vbounce even exist then?

Martin
Re: ANY_BOUNCE_MESSAGE questions
On Mon, 1 May 2017, Matus UHLAR - fantomas wrote:

>>> On Sun, 30 Apr 2017, Alex wrote:
>>> I'm seeing far too many legitimate bounces being tagged as spam
>>> because they are hitting stock SA rules, including bayes50 ...
>
>> On 30.04.17 12:25, John Hardin wrote:
>> BAYES_50 should have no real effect on the score of a message, because
>> that's Bayes saying "insufficient data for an opinion".
>
> score BAYES_50 0 0 2.0 0.8
>
> not that I disagree with this score, but it does not have 0 score...

I was thinking 0.001 informative, like BAYES_20 and _40 have. My error,
apologies.

I'm surprised that "insufficient data" is biased towards spam, but
perhaps that's based on an assumption that a properly trained Bayes will
reliably detect your regular hammy message traffic and anything it
doesn't recognize is therefore probably a new form of spam it hasn't
been trained on yet.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
If guns kill people, then...
  -- pencils miss spel words.
  -- cars make people drive drunk.
  -- spoons make people fat.
---
7 days until the 72nd anniversary of VE day
Re: ANY_BOUNCE_MESSAGE questions
>> On Sun, 2017-04-30 at 14:42 -0400, Alex wrote:
>> It sounds like you're saying you're adding points to bounce emails
>> that don't originate from email sent by your system?

On 30.04.17 20:25, Martin Gregorie wrote:
> Correct, or more specifically this is intended to catch spam spoofing
> my domain as sender and rejected by its destination.
>
> Of course there are still domains out there that don't look at SPF, so
> they don't realise they're bouncing spam. I also have a suspicion that
> at least some spammers have deliberately sent spoofed bounce reports as
> a way past SA and friends.

Did you miss other part of Alex's original mail? quoting:

>> The 20_vbounce file already has a ton of rules relating to subjects
>> saying the message wasn't deliverable. This is for bounce management
>> for emails from foreign systems.

Is there something on vbounce that does not apply for you?
loading it and setting proper whitelist_bounce_relays should hit all
bounces that did not come as response to mail from your systems...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.
Re: ANY_BOUNCE_MESSAGE questions
>> On Sun, 30 Apr 2017, Alex wrote:
>> I'm seeing far too many legitimate bounces being tagged as spam
>> because they are hitting stock SA rules, including bayes50 ...

On 30.04.17 12:25, John Hardin wrote:
> BAYES_50 should have no real effect on the score of a message, because
> that's Bayes saying "insufficient data for an opinion".

score BAYES_50 0 0 2.0 0.8

not that I disagree with this score, but it does not have 0 score...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: ANY_BOUNCE_MESSAGE questions
>From: Alex

>On Sun, Apr 30, 2017 at 3:32 PM, David Jones wrote:
>>>From: Alex

>> 99_mailspike.cf
>> ---
>> shortcircuit RCVD_IN_MSPIKE_H5 on
>>
>> score RCVD_IN_MSPIKE_H4 -3.2
>>>...
>>
>>>I've actually done this, but backed off on the shortcircuit because
>>>there were several instances where the email originated from a site
>>>with a good reputation, but was clearly spam. I had enabled it, then
>>>ignored it, and it was a big problem.

>It was a while ago, so I don't really recall what the messages were,
>but it was really far from a constantcontact or just some marketing
>spam, iirc.

>I'll create a filter that sorts the MSPIKE messages for a while, and
>see what I find.

It doesn't hurt anything to put those rules in place with a score of
0.001 or -0.001, let them run a while, then do some log analysis.

>> I have a huge list (thousands of entries) of whitelist_auth domains
>> of senders which allows me to crank up the sensitivity of content
>> checks and RBLs in SA and have very few complaints from customers.

>I've done that to a large extent as well, but also concerned that some
>of these legitimate senders get hacked on occasion, and misconfigured,
>so I'm perhaps a bit more apprehensive than you to go all out.

Mass senders and system-generated emails typically don't get hacked or
compromised. You really only have to worry about real human mailboxes
that won't be on those shortcircuit'd rules.

Notice I don't have any shortcircuit'd senderscore.org rules, just these:

shortcircuit RCVD_IN_MSPIKE_H5 on
shortcircuit USER_IN_WHITELIST on
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on
shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on

I have had 2 instances of spam from some senders listed in one of the
rules above over the past 3 or 4 years. In both cases, the senders had
abuse report headers that I submitted to them and they took immediate
action to block the sender. That is how it should work so I started
adding abuse headers to our outbound mail to be a good Internet citizen.

Dave
Re: ANY_BOUNCE_MESSAGE questions
On Sun, 2017-04-30 at 17:10 -0400, Alex wrote:
> I'm talking about legitimate, non-spam mail sent by users on our
> systems with valid accounts having their bounces being tagged as
> spam.
>
And of course, any valid bounce must be delivered.

> > In any case, regardless of whether I get bounced spam containing my
> > domain as forged sender or whether the whole bounce message is a
> > forgery, it can be safely binned, hence my rule.
>
> I would think people would want their legitimate bounce
> notifications, no?
>
Yes, quite so. Mail sent from my domain invariably has a related and
recognisably related domain name in the message ID, so I can be quite
certain that mail with an unrelated domain on the message ID is spam.

I realise that this may not work in all cases (and especially not if
mailing lists are involved). That said, similar rules to mine are likely
to be useful wherever the domain name is part of the names of hosts that
send external mail.

> And if they are fakes, how effective could they really be, with
> "Undeliverable" in the subject, and the spam/payload only appearing
> well down into the body of the email, past all the notification
> messages?
>
Many people are going to look at the bounced message to remind
themselves what it was about and who it was sent to. IIRC there are mail
readers where you can't see that detail without opening the attached
message. Do that and BOOM, the payload is launched: this is especially
dangerous if the mail reader has an active preview window.

Martin
Re: ANY_BOUNCE_MESSAGE questions
On Sat, 29 Apr 2017 20:57:49 -0400 Alex wrote:

> Hi,
>
> I'm having a problem with bounce messages being tagged as spam. What
> is the proper way to handle legitimate bounce messages these days? Is
> it safe to bypass scanning DSN bounce messages and route them directly
> with postfix?
>
> I've created some rules over the years which attempt to identify
> spoofed bounce messages (mailer-daemon@...), but the rule hit this
> message when it shouldn't have.
>
> We have a mail system that allows user forwarding. The user with an
> account on our system sent a message from their gmail address
> (bfg38...@gmail.com) with the envelope-from being the account on our
> system (38...@example.com). The DSN was sent back to the 38137 user,
> where spamassassin tagged it as spam incorrectly.

I didn't think you could do this from gmail. I thought that in order to
send third-party domain email from gmail you had to set it up with
submission server detail.
Re: ANY_BOUNCE_MESSAGE questions
Hi,

On Sun, Apr 30, 2017 at 3:32 PM, David Jones wrote:
>>From: Alex
>
>>On Sun, Apr 30, 2017 at 10:17 AM, David Jones wrote:
>>>>From: Alex
>>>
>>>>I'm having a problem with bounce messages being tagged as spam. What
>>>>is the proper way to handle legitimate bounce messages these days? Is
>>>>it safe to bypass scanning DSN bounce messages and route them directly
>>>>with postfix?
>>>
>>> Sender reputation is key to proper spam detection including bounces. You
>>> could try out these rules with very low scores until you are comfortable
>>> with them then set your own scores:
>>>
>>> 99_senderscore.cf
>
>>I'm using senderscore, but doing it in postfix, where I can reject
>>messages outright. Perhaps I'll consider doing it in SA instead.
>
> You should do it in both. SA will have other rules based on content like
> bayes that Postfix is not able to do. Think of Postfix as level 1 filtering
> and SA as level 2. Some checks will overlap which is fine. Postfix with
> postscreen RBLs will be more about sender reputation and SA will be more
> about content. Trusted senders should be allowed to send some content as
> long as it's not malicious.

Okay, I will investigate that and try it out for a while.

>>> 99_mailspike.cf
>>> ---
>>> shortcircuit RCVD_IN_MSPIKE_H5 on
>>>
>>> score RCVD_IN_MSPIKE_H4 -3.2
>>...
>
>>I've actually done this, but backed off on the shortcircuit because
>>there were several instances where the email originated from a site
>>with a good reputation, but was clearly spam. I had enabled it, then
>>ignored it, and it was a big problem.

It was a while ago, so I don't really recall what the messages were,
but it was really far from a constantcontact or just some marketing
spam, iirc.

I'll create a filter that sorts the MSPIKE messages for a while, and
see what I find.

> I have a huge list (thousands of entries) of whitelist_auth domains
> of senders which allows me to crank up the sensitivity of content
> checks and RBLs in SA and have very few complaints from customers.

I've done that to a large extent as well, but also concerned that some
of these legitimate senders get hacked on occasion, and misconfigured,
so I'm perhaps a bit more apprehensive than you to go all out.

Thanks for your advice, as always.
Re: ANY_BOUNCE_MESSAGE questions
Hi,

On Sun, Apr 30, 2017 at 3:25 PM, Martin Gregorie wrote:
> On Sun, 2017-04-30 at 14:42 -0400, Alex wrote:
>> It sounds like you're saying you're adding points to bounce emails
>> that don't originate from email sent by your system?
>>
> Correct, or more specifically this is intended to catch spam spoofing
> my domain as sender and rejected by its destination.
>
> Of course there are still domains out there that don't look at SPF, so
> they don't realise they're bouncing spam. I also have a suspicion that
> at least some spammers have deliberately sent spoofed bounce reports as
> a way past SA and friends.

I'm talking about legitimate, non-spam mail sent by users on our
systems with valid accounts having their bounces being tagged as spam.

> I was receiving a lot of bounces where the bounced message was obvious
> spam and which had not been sent from here but where the bounce wrapper
> was either genuine or a very good fake.
>
> In any case, regardless of whether I get bounced spam containing my
> domain as forged sender or whether the whole bounce message is a
> forgery, it can be safely binned, hence my rule.

I would think people would want their legitimate bounce notifications, no?

And if they are fakes, how effective could they really be, with
"Undeliverable" in the subject, and the spam/payload only appearing
well down into the body of the email, past all the notification
messages?

That's somewhat rhetorical, but I wish there was an answer on how to
more effectively deal with these.

John Hardin wrote:
> BAYES_50 should have no real effect on the score of a message,
> because that's Bayes saying "insufficient data for an opinion".

It still accounts for 0.8 points :-(

With the headers appearing all mangled to SA due to the "email within
an email" where the original email is wrapped in a bounce message, it
often appears to hit MISSING_HEADERS or other weird combinations that
add points incorrectly.
Re: ANY_BOUNCE_MESSAGE questions
>From: Alex

>On Sun, Apr 30, 2017 at 10:17 AM, David Jones wrote:
>>>From: Alex
>>
>>>I'm having a problem with bounce messages being tagged as spam. What
>>>is the proper way to handle legitimate bounce messages these days? Is
>>>it safe to bypass scanning DSN bounce messages and route them directly
>>>with postfix?
>>
>> Sender reputation is key to proper spam detection including bounces. You
>> could try out these rules with very low scores until you are comfortable
>> with them then set your own scores:
>>
>> 99_senderscore.cf

>I'm using senderscore, but doing it in postfix, where I can reject
>messages outright. Perhaps I'll consider doing it in SA instead.

You should do it in both. SA will have other rules based on content like
bayes that Postfix is not able to do. Think of Postfix as level 1
filtering and SA as level 2. Some checks will overlap which is fine.
Postfix with postscreen RBLs will be more about sender reputation and SA
will be more about content. Trusted senders should be allowed to send
some content as long as it's not malicious.

>>
>> 99_mailspike.cf
>> ---
>> shortcircuit RCVD_IN_MSPIKE_H5 on
>>
>> score RCVD_IN_MSPIKE_H4 -3.2
>...

>I've actually done this, but backed off on the shortcircuit because
>there were several instances where the email originated from a site
>with a good reputation, but was clearly spam. I had enabled it, then
>ignored it, and it was a big problem.

I know the definition of spam is subjective and I don't want to start a
storm on the list but I have defined spam as malicious email. There is a
difference between unwanted email and spam. For me, if the sender has a
reliable unsubscribe process that doesn't have a mailto: link or
something that just harvests/verifies the recipient's email address,
then I consider it ham. Unwanted email from a reputable sender hitting
MSPIKE_H4 should have a valid opt-out link and therefore be allowed
through to the recipient for them to unsubscribe if they no longer want
it.

If you don't have a clear distinction between spam and unwanted email,
then it's going to be very tough to get your mail filtering accurate.
Two different senders can send nearly the identical email and one could
be legit and the other be phishing. Spammers often spoof Paypal emails
to get people to enter their creds which definitely should be spam and
blocked. How would you allow the legit paypal.com email and block the
spoofed one if you didn't base the scoring on sender reputation?

I have a huge list (thousands of entries) of whitelist_auth domains
of senders which allows me to crank up the sensitivity of content
checks and RBLs in SA and have very few complaints from customers.

Dave
Re: ANY_BOUNCE_MESSAGE questions
On Sun, 2017-04-30 at 14:42 -0400, Alex wrote:
> It sounds like you're saying you're adding points to bounce emails
> that don't originate from email sent by your system?
>
Correct, or more specifically this is intended to catch spam spoofing my
domain as sender and rejected by its destination.

Of course there are still domains out there that don't look at SPF, so
they don't realise they're bouncing spam. I also have a suspicion that
at least some spammers have deliberately sent spoofed bounce reports as
a way past SA and friends.

> I'm seeing far too many legitimate bounces being tagged as spam
> because they are hitting stock SA rules, including bayes50 and
> URI_PHISH, which is a really involved rule, and almost assuredly is a
> FP here.

I was receiving a lot of bounces where the bounced message was obvious
spam and which had not been sent from here but where the bounce wrapper
was either genuine or a very good fake.

In any case, regardless of whether I get bounced spam containing my
domain as forged sender or whether the whole bounce message is a
forgery, it can be safely binned, hence my rule.

Martin
Re: ANY_BOUNCE_MESSAGE questions
On Sun, 30 Apr 2017, Alex wrote:

> I'm seeing far too many legitimate bounces being tagged as spam
> because they are hitting stock SA rules, including bayes50 ...

BAYES_50 should have no real effect on the score of a message, because
that's Bayes saying "insufficient data for an opinion".

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
No representation without taxation!
---
8 days until the 72nd anniversary of VE day
Re: ANY_BOUNCE_MESSAGE questions
Hi,

On Sun, Apr 30, 2017 at 7:17 AM, Martin Gregorie wrote:
> On Sat, 2017-04-29 at 20:57 -0400, Alex wrote:
>> Hi,
>>
>> I'm having a problem with bounce messages being tagged as spam. What
>> is the proper way to handle legitimate bounce messages these days? Is
>> it safe to bypass scanning DSN bounce messages and route them directly
>> with postfix?
>>
>> I've created some rules over the years which attempt to identify
>> spoofed bounce messages (mailer-daemon@...), but the rule hit this
>> message when it shouldn't have.
>>
>> We have a mail system that allows user forwarding. The user with an
>> account on our system sent a message from their gmail address
>> (bfg38...@gmail.com) with the envelope-from being the account on our
>> system (38...@example.com). The DSN was sent back to the 38137 user,
>> where spamassassin tagged it as spam incorrectly.
>>
>> https://pastebin.com/HBTx7Cqw
>>
>> I realize this is convoluted, and forwarding is problematic for many
>> reasons. That's a separate issue. I'm trying to figure out how I can
>> better configure bounce message management on my system in general,
>> particularly as it relates to preventing legitimate messages from
>> being marked as spam.
>>
>> Is the solution here to use the whitelist_bounce_relays? Or does it
>> not apply here since the mail originated at gmail?
>>
> I use a homegrown meta rule that seems fairly reliable.
> It triggers if:
>
> - the recipient isn't one of my published domains OR
>   the Message_ID doesn't include one of my domains OR
>   the message includes "Please enable images"
>
>   AND
>
> - the message includes any one from a list of subjects saying the
>   message wasn't deliverable

It sounds like you're saying you're adding points to bounce emails
that don't originate from email sent by your system?

The 20_vbounce file already has a ton of rules relating to subjects
saying the message wasn't deliverable. This is for bounce management
for emails from foreign systems.

I don't think that is what's happening here. Unless I'm
misunderstanding your comment...

I'm seeing far too many legitimate bounces being tagged as spam
because they are hitting stock SA rules, including bayes50 and
URI_PHISH, which is a really involved rule, and almost assuredly is a
FP here.
Re: ANY_BOUNCE_MESSAGE questions
Hi,

On Sun, Apr 30, 2017 at 10:17 AM, David Jones wrote:
>>From: Alex
>
>>I'm having a problem with bounce messages being tagged as spam. What
>>is the proper way to handle legitimate bounce messages these days? Is
>>it safe to bypass scanning DSN bounce messages and route them directly
>>with postfix?
>
> Sender reputation is key to proper spam detection including bounces. You
> could try out these rules with very low scores until you are comfortable
> with them then set your own scores:
>
> 99_senderscore.cf
> -
> ifplugin Mail::SpamAssassin::Plugin::DNSEval
>
> header    __RCVD_IN_SENDERSCORE_90_100 eval:check_rbl('senderscore90-lastexternal','score.senderscore.com.','^127\.0\.4\.(9[0-9]|100)$')
> meta      RCVD_IN_SENDERSCORE_90_100 SPF_PASS && __RCVD_IN_SENDERSCORE_90_100
> describe  RCVD_IN_SENDERSCORE_90_100 Senderscore.org score of 90 to 100
> score     RCVD_IN_SENDERSCORE_90_100 -2.2
> tflags    RCVD_IN_SENDERSCORE_90_100 net

I'm using senderscore, but doing it in postfix, where I can reject
messages outright. Perhaps I'll consider doing it in SA instead.

>
> 99_mailspike.cf
> ---
> shortcircuit RCVD_IN_MSPIKE_H5 on
>
> score RCVD_IN_MSPIKE_H4 -3.2
...

I've actually done this, but backed off on the shortcircuit because
there were several instances where the email originated from a site
with a good reputation, but was clearly spam. I had enabled it, then
ignored it, and it was a big problem.

I think my take-away from this is that there's no way to avoid
processing bounce emails in the same way as all other emails?

Is ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE trustworthy? Are spammers
using multipart/report types with null return path?
Re: ANY_BOUNCE_MESSAGE questions
>From: Alex

>I'm having a problem with bounce messages being tagged as spam. What
>is the proper way to handle legitimate bounce messages these days? Is
>it safe to bypass scanning DSN bounce messages and route them directly
>with postfix?

Sender reputation is key to proper spam detection including bounces. You
could try out these rules with very low scores until you are comfortable
with them then set your own scores:

99_senderscore.cf
-
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header    __RCVD_IN_SENDERSCORE_90_100 eval:check_rbl('senderscore90-lastexternal','score.senderscore.com.','^127\.0\.4\.(9[0-9]|100)$')
meta      RCVD_IN_SENDERSCORE_90_100 SPF_PASS && __RCVD_IN_SENDERSCORE_90_100
describe  RCVD_IN_SENDERSCORE_90_100 Senderscore.org score of 90 to 100
score     RCVD_IN_SENDERSCORE_90_100 -2.2
tflags    RCVD_IN_SENDERSCORE_90_100 net

header    __RCVD_IN_SENDERSCORE_80_89 eval:check_rbl('senderscorer80-lastexternal','score.senderscore.com.','^127\.0\.4\.(8[0-9])$')
meta      RCVD_IN_SENDERSCORE_80_89 SPF_PASS && __RCVD_IN_SENDERSCORE_80_89
describe  RCVD_IN_SENDERSCORE_80_89 Senderscore.org score of 80 to 89
score     RCVD_IN_SENDERSCORE_80_89 -1.2
tflags    RCVD_IN_SENDERSCORE_80_89 net

header    RCVD_IN_SENDERSCORE_70_79 eval:check_rbl('senderscorer70-lastexternal','score.senderscore.com.','^127\.0\.4\.(7[0-9])$')
describe  RCVD_IN_SENDERSCORE_70_79 Senderscore.org score of 70 to 79
score     RCVD_IN_SENDERSCORE_70_79 1.2
tflags    RCVD_IN_SENDERSCORE_70_79 net

header    RCVD_IN_SENDERSCORE_60_69 eval:check_rbl('senderscorer60-lastexternal','score.senderscore.com.','^127\.0\.4\.(6[0-9])$')
describe  RCVD_IN_SENDERSCORE_60_69 Senderscore.org score of 60 to 69
score     RCVD_IN_SENDERSCORE_60_69 2.2
tflags    RCVD_IN_SENDERSCORE_60_69 net

header    RCVD_IN_SENDERSCORE_50_59 eval:check_rbl('senderscorer50-lastexternal','score.senderscore.com.','^127\.0\.4\.(5[0-9])$')
describe  RCVD_IN_SENDERSCORE_50_59 Senderscore.org score of 50 to 59
score     RCVD_IN_SENDERSCORE_50_59 3.2
tflags    RCVD_IN_SENDERSCORE_50_59 net

header    RCVD_IN_SENDERSCORE_30_49 eval:check_rbl('senderscorer30-lastexternal','score.senderscore.com.','^127\.0\.4\.([3-4][0-9])$')
describe  RCVD_IN_SENDERSCORE_30_49 Senderscore.org score of 30 to 49
score     RCVD_IN_SENDERSCORE_30_49 4.2
tflags    RCVD_IN_SENDERSCORE_30_49 net

header    RCVD_IN_SENDERSCORE_0_29 eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
describe  RCVD_IN_SENDERSCORE_0_29 Senderscore.org score of 0 to 29
score     RCVD_IN_SENDERSCORE_0_29 5.2
tflags    RCVD_IN_SENDERSCORE_0_29 net

endif

99_mailspike.cf
---
shortcircuit RCVD_IN_MSPIKE_H5 on

score RCVD_IN_MSPIKE_H4 -3.2
score RCVD_IN_MSPIKE_H3 -2.2
score RCVD_IN_MSPIKE_H2 -1.2
score RCVD_IN_MSPIKE_WL -0.82
score RCVD_IN_MSPIKE_BL 1.2
score RCVD_IN_MSPIKE_L2 0.2
score RCVD_IN_MSPIKE_L3 1.2
score RCVD_IN_MSPIKE_L4 2.2
score RCVD_IN_MSPIKE_L5 3.2

Dave
Re: ANY_BOUNCE_MESSAGE questions
On Sat, 2017-04-29 at 20:57 -0400, Alex wrote:
> Hi,
>
> I'm having a problem with bounce messages being tagged as spam. What
> is the proper way to handle legitimate bounce messages these days? Is
> it safe to bypass scanning DSN bounce messages and route them directly
> with postfix?
>
> I've created some rules over the years which attempt to identify
> spoofed bounce messages (mailer-daemon@...), but the rule hit this
> message when it shouldn't have.
>
> We have a mail system that allows user forwarding. The user with an
> account on our system sent a message from their gmail address
> (bfg38...@gmail.com) with the envelope-from being the account on our
> system (38...@example.com). The DSN was sent back to the 38137 user,
> where spamassassin tagged it as spam incorrectly.
>
> https://pastebin.com/HBTx7Cqw
>
> I realize this is convoluted, and forwarding is problematic for many
> reasons. That's a separate issue. I'm trying to figure out how I can
> better configure bounce message management on my system in general,
> particularly as it relates to preventing legitimate messages from
> being marked as spam.
>
> Is the solution here to use the whitelist_bounce_relays? Or does it
> not apply here since the mail originated at gmail?
>
I use a homegrown meta rule that seems fairly reliable.
It triggers if:

- the recipient isn't one of my published domains OR
  the Message_ID doesn't include one of my domains OR
  the message includes "Please enable images"

  AND

- the message includes any one from a list of subjects saying the
  message wasn't deliverable

This has been a pretty reliable rule for me, anyway.

Martin
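The rule described in the message above, sketched in Python as an added example (not code from the thread and not a SpamAssassin rule): it reports which of the three OR conditions hold for a message whose subject says the mail was undeliverable. The local domain, the subject phrases, the sample messages and the choice to read the Message-ID from the original returned inside the DSN are all assumptions of this sketch.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Assumed for this sketch (not from the thread): local domains and subject phrases.
LOCAL_DOMAINS = {"example.com"}
BOUNCE_SUBJECT = re.compile(
    r"undeliver|delivery status notification|returned mail|delivery fail", re.I)


def _is_local(value):
    """True if the domain after the last '@' is a local domain or a host under one."""
    domain = str(value or "").strip().strip("<>").rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def returned_original(msg):
    """Return the original message (or its headers) carried inside a DSN, else None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        payload = part.get_payload()
        if ctype == "message/rfc822" and isinstance(payload, list) and payload:
            return payload[0]
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=policy.default)
    return None


def backscatter_reasons(raw):
    """Return the conditions of the rule that matched; an empty list means deliver."""
    msg = message_from_string(raw, policy=policy.default)
    if not BOUNCE_SUBJECT.search(str(msg.get("Subject", ""))):
        return []  # the AND half: the subject must say the mail was undeliverable
    reasons = []
    rcpts = getaddresses([str(v) for v in msg.get_all("To", [])])
    if not any(_is_local(addr) for _name, addr in rcpts):
        reasons.append("recipient")
    orig = returned_original(msg)
    # A DSN that returns no original cannot be checked; it is not flagged here
    # so that a genuine bounce is not lost (a choice made for this sketch).
    if orig is not None and not _is_local(orig.get("Message-ID")):
        reasons.append("message-id")
    if "please enable images" in raw.lower():
        reasons.append("enable-images")
    return reasons


def sample_dsn(orig_msgid):
    """Constructed multipart/report DSN returning one original message."""
    return "\n".join([
        "From: MAILER-DAEMON@mx.remote.test",
        "To: user@example.com",
        "Subject: Undeliverable: hello",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "Your message could not be delivered.",
        "--b1",
        "Content-Type: message/delivery-status",
        "",
        "Reporting-MTA: dns; mx.remote.test",
        "",
        "Final-Recipient: rfc822; nobody@remote.test",
        "Action: failed",
        "Status: 5.1.1",
        "--b1",
        "Content-Type: message/rfc822",
        "",
        "From: user@example.com",
        "To: nobody@remote.test",
        f"Message-ID: {orig_msgid}",
        "Subject: hello",
        "",
        "body text",
        "--b1--",
        "",
    ])


if __name__ == "__main__":
    print(backscatter_reasons(sample_dsn("<abc123@mail.example.com>")))  # genuine bounce
    print(backscatter_reasons(sample_dsn("<xyz789@bulk.invalid>")))      # forged sender
```

As noted elsewhere in the thread, a Message-ID test of this kind does not hold where mailing lists or forwarding rewrite or originate the message elsewhere.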
ANY_BOUNCE_MESSAGE questions
Hi,

I'm having a problem with bounce messages being tagged as spam. What
is the proper way to handle legitimate bounce messages these days? Is
it safe to bypass scanning DSN bounce messages and route them directly
with postfix?

I've created some rules over the years which attempt to identify
spoofed bounce messages (mailer-daemon@...), but the rule hit this
message when it shouldn't have.

We have a mail system that allows user forwarding. The user with an
account on our system sent a message from their gmail address
(bfg38...@gmail.com) with the envelope-from being the account on our
system (38...@example.com). The DSN was sent back to the 38137 user,
where spamassassin tagged it as spam incorrectly.

https://pastebin.com/HBTx7Cqw

I realize this is convoluted, and forwarding is problematic for many
reasons. That's a separate issue. I'm trying to figure out how I can
better configure bounce message management on my system in general,
particularly as it relates to preventing legitimate messages from
being marked as spam.

Is the solution here to use the whitelist_bounce_relays? Or does it
not apply here since the mail originated at gmail?

Thanks for any ideas.