Re: ANY_BOUNCE_MESSAGE questions

2017-05-02 Thread Matus UHLAR - fantomas

On Mon, 2017-05-01 at 17:13 +0200, Matus UHLAR - fantomas wrote:

Is there something in vbounce that does not apply for you?
loading it and setting proper whitelist_bounce_relays should hit all
bounces that did not come as response to mail from your systems...


On 01.05.17 19:11, Martin Gregorie wrote:

Obvious spam was being rejected by apparently legit MTAs which
weren't using SPF checks before bouncing the spam. Their wrappers
looked legit and the rejected spam had either my usual address or the
address of my POP3 mailbox on my ISP's mailhost forged as the sender.

vbounce certainly didn't stop any of this stuff (mostly Russian girlie
spam)


it's not supposed to stop it, but to detect it. classic score is 0.1 iirc.
note that bounces that contain your relays (see whitelist_bounce_relays) are
not scored.

maybe you just did not set up whitelist_bounce_relays?


or I would not have concocted my mail bounce rule, which I did
around Oct 2014 - Jan 2015: did vbounce even exist then?


and long long before...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: ANY_BOUNCE_MESSAGE questions

2017-05-02 Thread Bill Cole

On 30 Apr 2017, at 10:17, David Jones wrote:


99_mailspike.cf
---
shortcircuit RCVD_IN_MSPIKE_H5 on

score RCVD_IN_MSPIKE_H4 -3.2
score RCVD_IN_MSPIKE_H3 -2.2
score RCVD_IN_MSPIKE_H2 -1.2
score RCVD_IN_MSPIKE_WL -0.82
score RCVD_IN_MSPIKE_BL 1.2
score RCVD_IN_MSPIKE_L2 0.2
score RCVD_IN_MSPIKE_L3 1.2
score RCVD_IN_MSPIKE_L4 2.2
score RCVD_IN_MSPIKE_L5 3.2


Scoring RCVD_IN_MSPIKE_WL and RCVD_IN_MSPIKE_BL so strongly seems odd, 
as those will always hit if any of the RCVD_IN_MSPIKE_H* and 
RCVD_IN_MSPIKE_L* rules respectively hit. Also, in my experience those scores 
vastly overvalue the "good" classes. I have received every major class 
of spam from H4 and H3 sources, including trojans, advance fee fraud, 
bank phishing, ISP phishing, penis pill ads, replica watch ads, and 
whois-scraped solicitation for various sorts of domain promotion 
(violating the whois data usage rules of the relevant domain 
registries.) There have also been a few bits of "mainsleaze" spam 
(nominally legitimate companies adhering to relevant laws) but those 
tend to come more from H5 sources. Perversely, H2 is better correlated 
to non-spamminess than either H3 or H4 in my recent (2015-now) logs and 
this is consistent with the scores determined by the RuleQA process: H2 
is stronger than H5 and all the other rules are scored +/- 0.01




Re: ANY_BOUNCE_MESSAGE questions

2017-05-01 Thread Martin Gregorie
On Mon, 2017-05-01 at 17:13 +0200, Matus UHLAR - fantomas wrote:
> > 
> Is there something in vbounce that does not apply for you?
> loading it and setting proper whitelist_bounce_relays should hit all
> bounces that did not come as response to mail from your systems...
>
Obvious spam was being rejected by apparently legit MTAs which
weren't using SPF checks before bouncing the spam. Their wrappers
looked legit and the rejected spam had either my usual address or the
address of my POP3 mailbox on my ISP's mailhost forged as the sender.
 
vbounce certainly didn't stop any of this stuff (mostly Russian girlie
spam) or I would not have concocted my mail bounce rule, which I did
around Oct 2014 - Jan 2015: did vbounce even exist then?


Martin




Re: ANY_BOUNCE_MESSAGE questions

2017-05-01 Thread John Hardin

On Mon, 1 May 2017, Matus UHLAR - fantomas wrote:


On Sun, 30 Apr 2017, Alex wrote:

> I'm seeing far too many legitimate bounces being tagged as spam
> because they are hitting stock SA rules, including bayes50 ...


On 30.04.17 12:25, John Hardin wrote:
BAYES_50 should have no real effect on the score of a message, because 
that's Bayes saying "insufficient data for an opinion".


score BAYES_50  0  0  2.0  0.8

not that I disagree with this score, but it does not have 0 score...


I was thinking 0.001 informative, like BAYES_20 and _40 have. My error, 
apologies.


I'm surprised that "insufficient data" is biased towards spam, but perhaps 
that's based on an assumption that a properly trained Bayes will reliably 
detect your regular hammy message traffic and anything it doesn't 
recognize is therefore probably a new form of spam it hasn't been trained 
on yet.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If guns kill people, then...
-- pencils miss spel words.
-- cars make people drive drunk.
-- spoons make people fat.
---
 7 days until the 72nd anniversary of VE day


Re: ANY_BOUNCE_MESSAGE questions

2017-05-01 Thread Matus UHLAR - fantomas

On Sun, 2017-04-30 at 14:42 -0400, Alex wrote:

It sounds like you're saying you're adding points to bounce emails
that don't originate from email sent by your system?


On 30.04.17 20:25, Martin Gregorie wrote:

Correct, or more specifically this is intended to catch spam spoofing
my domain as sender and rejected by its destination.

Of course there are still domains out there that don't look at SPF, so
they don't realise they're bouncing spam. I also have a suspicion that
at least some spammers have deliberately sent spoofed bounce reports as
a way past SA and friends.


Did you miss the other part of Alex's original mail? 
quoting:



The 20_vbounce file already has a ton of rules relating to subjects
saying the message wasn't deliverable. This is for bounce management
for emails from foreign systems.


Is there something in vbounce that does not apply for you?
loading it and setting proper whitelist_bounce_relays should hit all
bounces that did not come as response to mail from your systems...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: ANY_BOUNCE_MESSAGE questions

2017-05-01 Thread Matus UHLAR - fantomas

On Sun, 30 Apr 2017, Alex wrote:


I'm seeing far too many legitimate bounces being tagged as spam
because they are hitting stock SA rules, including bayes50 ...


On 30.04.17 12:25, John Hardin wrote:
BAYES_50 should have no real effect on the score of a message, 
because that's Bayes saying "insufficient data for an opinion".


score BAYES_50  0  0  2.0  0.8

not that I disagree with this score, but it does not have 0 score...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread David Jones
From: Alex 

>On Sun, Apr 30, 2017 at 3:32 PM, David Jones  wrote:
>>>From: Alex 
>>
>>>> 99_mailspike.cf
>>>> ---
>>>> shortcircuit RCVD_IN_MSPIKE_H5 on
>>>>
>>>> score RCVD_IN_MSPIKE_H4 -3.2
>>>...
>>
>>>I've actually done this, but backed off on the shortcircuit because
>>>there were several instances where the email originated from a site
>>>with a good reputation, but was clearly spam. I had enabled it, then
>>>ignored it, and it was a big problem.

>It was a while ago, so I don't really recall what the messages were,
>but it was really far from a constantcontact or just some marketing
>spam, iirc.

>I'll create a filter that sorts the MSPIKE messages for a while, and
>see what I find.

It doesn't hurt anything to put those rules in place with a score of
0.001 or -0.001, let them run a while, then do some log analysis.

>> I have a huge list (thousands of entries) of whitelist_auth domains
>> of senders which allows me to crank up the sensitivity of content
>> checks and RBLs in SA and have very few complaints from customers.

>I've done that to a large extent as well, but also concerned that some
>of these legitimate senders get hacked on occasion, and misconfigured,
>so I'm perhaps a bit more apprehensive than you to go all out.

Mass senders and system-generated emails typically don't get hacked or
compromised.  You really only have to worry about real human mailboxes
that won't be on those shortcircuit'd rules.  Notice I don't have any
short-circuit'd senderscore.org rules, just these:

shortcircuit RCVD_IN_MSPIKE_H5 on
shortcircuit USER_IN_WHITELIST on
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on
shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit RCVD_IN_IADB_SPF on
shortcircuit RCVD_IN_IADB_DK on
shortcircuit RCVD_IN_IADB_RDNS on
shortcircuit RCVD_IN_IADB_SENDERID on
shortcircuit RCVD_IN_IADB_OPTIN on

I have had 2 instances of spam from some senders listed in one of the
rules above over the past 3 or 4 years.  In both cases, the senders
had abuse report headers that I submitted to them and they took
immediate action to block the sender.  That is how it should work so
I started adding abuse headers to our outbound mail to be a good
Internet citizen.

Dave

Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread Martin Gregorie
On Sun, 2017-04-30 at 17:10 -0400, Alex wrote:

> I'm talking about legitimate, non-spam mail sent by users on our
> systems with valid accounts having their bounces being tagged as
> spam.
> 
And of course, any valid bounce must be delivered.

> > In any case, regardless of whether I get bounced spam containing my
> > domain as forged sender or whether the whole bounce message is a
> > forgery, it can be safely binned, hence my rule.
> 
> I would think people would want their legitimate bounce
> notifications, no?
> 
Yes, quite so. Mail sent from my domain invariably has a related and
recognisably related domain name in the message ID, so I can be quite
certain that mail with an unrelated domain on the message ID is spam.

I realise that this may not work in all cases (and especially not if
mailing lists are involved). That said, similar rules to mine are
likely to be useful wherever the domain name is part of the names of
hosts that send external mail. 

> And if they are fakes, how effective could they really be, with
> "Undeliverable" in the subject, and the spam/payload only appearing
> well down into the body of the email, past all the notification
> messages?
> 
Many people are going to look at the bounced message to remind
themselves what it was about and who it was sent to. IIRC there are
mail readers where you can't see that detail without opening the
attached message. Do that and BOOM, the payload is launched: this is
especially dangerous if the mail reader has an active preview window.


Martin



Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread RW
On Sat, 29 Apr 2017 20:57:49 -0400
Alex wrote:

> Hi,
> 
> I'm having a problem with bounce messages being tagged as spam. What
> is the proper way to handle legitimate bounce messages these days? Is
> it safe to bypass scanning DSN bounce messages and route them directly
> with postfix?
> 
> I've created some rules over the years which attempt to identify
> spoofed bounce messages (mailer-daemon@...), but the rule hit this
> message when it shouldn't have.
> 
> We have a mail system that allows user forwarding. The user with an
> account on our system sent a message from their gmail address
> (bfg38...@gmail.com) with the envelope-from being the account on our
> system (38...@example.com). The DSN was sent back to the 38137 user,
> where spamassassin tagged it as spam incorrectly.

I didn't think you could do this from gmail. I thought that in order to
send third-party domain email from gmail you had to set it up with
submission server detail. 


Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread Alex
Hi,

On Sun, Apr 30, 2017 at 3:32 PM, David Jones  wrote:
>>From: Alex 
>
>>On Sun, Apr 30, 2017 at 10:17 AM, David Jones  wrote:
>>>> From: Alex 
>>>>
>>>> I'm having a problem with bounce messages being tagged as spam. What
>>>> is the proper way to handle legitimate bounce messages these days? Is
>>>> it safe to bypass scanning DSN bounce messages and route them directly
>>>> with postfix?
>>>
>>> Sender reputation is key to proper spam detection including bounces.  You
>>> could try out these rules with very low scores until you are comfortable 
>>> with
>>> them then set your own scores:
>>>
>>> 99_senderscore.cf
>
>>I'm using senderscore, but doing it in postfix, where I can reject
>>messages outright. Perhaps I'll consider doing it in SA instead.
>
> You should do it in both.  SA will have other rules based on content like
> bayes that Postfix is not able to do.  Think of Postfix as level 1 filtering 
> and
> SA as level 2.  Some checks will overlap which is fine.  Postfix with 
> postscreen
> RBLs will be more about sender reputation and SA will be more about content.
> Trusted senders should be allowed to send some content as long as it's not
> malicious.

Okay, I will investigate that and try it out for a while.

>>> 99_mailspike.cf
>>> ---
>>> shortcircuit RCVD_IN_MSPIKE_H5 on
>>>
>>> score RCVD_IN_MSPIKE_H4 -3.2
>>...
>
>>I've actually done this, but backed off on the shortcircuit because
>>there were several instances where the email originated from a site
>>with a good reputation, but was clearly spam. I had enabled it, then
>>ignored it, and it was a big problem.

It was a while ago, so I don't really recall what the messages were,
but it was really far from a constantcontact or just some marketing
spam, iirc.

I'll create a filter that sorts the MSPIKE messages for a while, and
see what I find.

> I have a huge list (thousands of entries) of whitelist_auth domains
> of senders which allows me to crank up the sensitivity of content
> checks and RBLs in SA and have very few complaints from customers.

I've done that to a large extent as well, but also concerned that some
of these legitimate senders get hacked on occasion, and misconfigured,
so I'm perhaps a bit more apprehensive than you to go all out.

Thanks for your advice, as always.


Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread Alex
Hi,

On Sun, Apr 30, 2017 at 3:25 PM, Martin Gregorie  wrote:
> On Sun, 2017-04-30 at 14:42 -0400, Alex wrote:
>> It sounds like you're saying you're adding points to bounce emails
>> that don't originate from email sent by your system?
>>
> Correct, or more specifically this is intended to catch spam spoofing
> my domain as sender and rejected by its destination.
>
> Of course there are still domains out there that don't look at SPF, so
> they don't realise they're bouncing spam. I also have a suspicion that
> at least some spammers have deliberately sent spoofed bounce reports as
> a way past SA and friends.

I'm talking about legitimate, non-spam mail sent by users on our
systems with valid accounts having their bounces being tagged as spam.

> I was receiving a lot of bounces where the bounced message was obvious
> spam and which had not been sent from here but where the bounce wrapper
> was either genuine or a very good fake.
>
> In any case, regardless of whether I get bounced spam containing my
> domain as forged sender or whether the whole bounce message is a
> forgery, it can be safely binned, hence my rule.

I would think people would want their legitimate bounce notifications, no?

And if they are fakes, how effective could they really be, with
"Undeliverable" in the subject, and the spam/payload only appearing
well down into the body of the email, past all the notification
messages?

That's somewhat rhetorical, but I wish there was an answer on how to
more effectively deal with these.

John Hardin wrote:
> BAYES_50 should have no real effect on the score of a message,
> because that's Bayes saying "insufficient data for an opinion".

It still accounts for 0.8 points :-(

With the headers appearing all mangled to SA due to the "email within
an email" where the original email is wrapped in a bounce message, it
often appears to hit MISSING_HEADERS or other weird combinations that
add points incorrectly.


Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread David Jones
>From: Alex 

>On Sun, Apr 30, 2017 at 10:17 AM, David Jones  wrote:
>>>From: Alex 
>>
>>>I'm having a problem with bounce messages being tagged as spam. What
>>>is the proper way to handle legitimate bounce messages these days? Is
>>>it safe to bypass scanning DSN bounce messages and route them directly
>>>with postfix?
>>
>> Sender reputation is key to proper spam detection including bounces.  You
>> could try out these rules with very low scores until you are comfortable with
>> them then set your own scores:
>>
>> 99_senderscore.cf

>I'm using senderscore, but doing it in postfix, where I can reject
>messages outright. Perhaps I'll consider doing it in SA instead.

You should do it in both.  SA will have other rules based on content like
bayes that Postfix is not able to do.  Think of Postfix as level 1 filtering and
SA as level 2.  Some checks will overlap which is fine.  Postfix with postscreen
RBLs will be more about sender reputation and SA will be more about content.
Trusted senders should be allowed to send some content as long as it's not
malicious.

>>
>> 99_mailspike.cf
>> ---
>> shortcircuit RCVD_IN_MSPIKE_H5 on
>>
>> score RCVD_IN_MSPIKE_H4 -3.2
>...

>I've actually done this, but backed off on the shortcircuit because
>there were several instances where the email originated from a site
>with a good reputation, but was clearly spam. I had enabled it, then
>ignored it, and it was a big problem.

I know the definition of spam is subjective and I don't want to start
a storm on the list but I have defined spam as malicious email.  There
is a difference between unwanted email and spam.  For me, if the 
sender has a reliable unsubscribe process that doesn't have a mailto:
link or something that just harvests/verifies the recipient's email
address, then I consider it ham.

Unwanted email from a reputable sender hitting MSPIKE_H4 should
have a valid opt-out link and therefore be allowed through to the
recipient for them to unsubscribe if they no longer want it.

If you don't have a clear distinction between spam and unwanted
email, then it's going to be very tough to get your mail filtering
accurate.  Two different senders can send nearly the identical
email and one could be legit and the other be phishing.  Spammers
often spoof Paypal emails to get people to enter their creds which
definitely should be spam and blocked.  How would you allow the
legit paypal.com email and block the spoofed one if you didn't base
the scoring on sender reputation?

I have a huge list (thousands of entries) of whitelist_auth domains
of senders which allows me to crank up the sensitivity of content
checks and RBLs in SA and have very few complaints from customers.

Dave


Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread Martin Gregorie
On Sun, 2017-04-30 at 14:42 -0400, Alex wrote:
> It sounds like you're saying you're adding points to bounce emails
> that don't originate from email sent by your system?
> 
Correct, or more specifically this is intended to catch spam spoofing
my domain as sender and rejected by its destination.

Of course there are still domains out there that don't look at SPF, so
they don't realise they're bouncing spam. I also have a suspicion that
at least some spammers have deliberately sent spoofed bounce reports as
a way past SA and friends.

> I'm seeing far too many legitimate bounces being tagged as spam
> because they are hitting stock SA rules, including bayes50 and
> URI_PHISH, which is a really involved rule, and almost assuredly is a
> FP here.

I was receiving a lot of bounces where the bounced message was obvious
spam and which had not been sent from here but where the bounce wrapper
was either genuine or a very good fake.

In any case, regardless of whether I get bounced spam containing my
domain as forged sender or whether the whole bounce message is a
forgery, it can be safely binned, hence my rule. 

Martin

 



Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread John Hardin

On Sun, 30 Apr 2017, Alex wrote:


I'm seeing far too many legitimate bounces being tagged as spam
because they are hitting stock SA rules, including bayes50 ...


BAYES_50 should have no real effect on the score of a message, because 
that's Bayes saying "insufficient data for an opinion".



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  No representation without taxation!
---
 8 days until the 72nd anniversary of VE day


Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread Alex
Hi,

On Sun, Apr 30, 2017 at 7:17 AM, Martin Gregorie  wrote:
> On Sat, 2017-04-29 at 20:57 -0400, Alex wrote:
>> Hi,
>>
>> I'm having a problem with bounce messages being tagged as spam. What
>> is the proper way to handle legitimate bounce messages these days? Is
>> it safe to bypass scanning DSN bounce messages and route them
>> directly
>> with postfix?
>>
>> I've created some rules over the years which attempt to identify
>> spoofed bounce messages (mailer-daemon@...), but the rule hit this
>> message when it shouldn't have.
>>
>> We have a mail system that allows user forwarding. The user with an
>> account on our system sent a message from their gmail address
>> (bfg38...@gmail.com) with the envelope-from being the account on our
>> system (38...@example.com). The DSN was sent back to the 38137 user,
>> where spamassassin tagged it as spam incorrectly.
>>
>> https://pastebin.com/HBTx7Cqw
>>
>> I realize this is convoluted, and forwarding is problematic for many
>> reasons. That's a separate issue. I'm trying to figure out how I can
>> better configure bounce message management on my system in general,
>> particularly as it relates to preventing legitimate messages from
>> being marked as spam.
>>
>> Is the solution here to use the whitelist_bounce_relays? Or does it
>> not apply here since the mail originated at gmail?
>>
> I use a homegrown meta rule that seems fairly reliable.
> It triggers if:
>
> - the recipient isn't one of my published domains  OR
>   the Message_ID doesn't include one of my domains OR
>   the message includes "Please enable images"
>
> AND
>
> - the message includes any one from a list of subjects saying the
>   message wasn't deliverable

It sounds like you're saying you're adding points to bounce emails
that don't originate from email sent by your system?

The 20_vbounce file already has a ton of rules relating to subjects
saying the message wasn't deliverable. This is for bounce management
for emails from foreign systems.

I don't think that is what's happening here. Unless I'm
misunderstanding your comment...

I'm seeing far too many legitimate bounces being tagged as spam
because they are hitting stock SA rules, including bayes50 and
URI_PHISH, which is a really involved rule, and almost assuredly is a
FP here.


Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread Alex
Hi,

On Sun, Apr 30, 2017 at 10:17 AM, David Jones  wrote:
>>From: Alex 
>
>>I'm having a problem with bounce messages being tagged as spam. What
>>is the proper way to handle legitimate bounce messages these days? Is
>>it safe to bypass scanning DSN bounce messages and route them directly
>>with postfix?
>
> Sender reputation is key to proper spam detection including bounces.  You
> could try out these rules with very low scores until you are comfortable with
> them then set your own scores:
>
> 99_senderscore.cf
> -
> ifplugin Mail::SpamAssassin::Plugin::DNSEval
>
> header   __RCVD_IN_SENDERSCORE_90_100 eval:check_rbl('senderscore90-lastexternal','score.senderscore.com.','^127\.0\.4\.(9[0-9]|100)$')
> meta     RCVD_IN_SENDERSCORE_90_100   SPF_PASS && __RCVD_IN_SENDERSCORE_90_100
> describe RCVD_IN_SENDERSCORE_90_100   Senderscore.org score of 90 to 100
> score    RCVD_IN_SENDERSCORE_90_100   -2.2
> tflags   RCVD_IN_SENDERSCORE_90_100   net

I'm using senderscore, but doing it in postfix, where I can reject
messages outright. Perhaps I'll consider doing it in SA instead.

>
> 99_mailspike.cf
> ---
> shortcircuit RCVD_IN_MSPIKE_H5 on
>
> score RCVD_IN_MSPIKE_H4 -3.2
...

I've actually done this, but backed off on the shortcircuit because
there were several instances where the email originated from a site
with a good reputation, but was clearly spam. I had enabled it, then
ignored it, and it was a big problem.

I think my take-away from this is that there's no way to avoid
processing bounce emails in the same way as all other emails?

Is ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE trustworthy? Are spammers
using multipart/report types with null return path?


Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread David Jones
>From: Alex 

>I'm having a problem with bounce messages being tagged as spam. What
>is the proper way to handle legitimate bounce messages these days? Is
>it safe to bypass scanning DSN bounce messages and route them directly
>with postfix?

Sender reputation is key to proper spam detection including bounces.  You
could try out these rules with very low scores until you are comfortable with
them then set your own scores:

99_senderscore.cf 
-
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header   __RCVD_IN_SENDERSCORE_90_100 eval:check_rbl('senderscore90-lastexternal','score.senderscore.com.','^127\.0\.4\.(9[0-9]|100)$')
meta     RCVD_IN_SENDERSCORE_90_100   SPF_PASS && __RCVD_IN_SENDERSCORE_90_100
describe RCVD_IN_SENDERSCORE_90_100   Senderscore.org score of 90 to 100
score    RCVD_IN_SENDERSCORE_90_100   -2.2
tflags   RCVD_IN_SENDERSCORE_90_100   net

header   __RCVD_IN_SENDERSCORE_80_89 eval:check_rbl('senderscore80-lastexternal','score.senderscore.com.','^127\.0\.4\.(8[0-9])$')
meta     RCVD_IN_SENDERSCORE_80_89    SPF_PASS && __RCVD_IN_SENDERSCORE_80_89
describe RCVD_IN_SENDERSCORE_80_89    Senderscore.org score of 80 to 89
score    RCVD_IN_SENDERSCORE_80_89    -1.2
tflags   RCVD_IN_SENDERSCORE_80_89    net

header   RCVD_IN_SENDERSCORE_70_79 eval:check_rbl('senderscore70-lastexternal','score.senderscore.com.','^127\.0\.4\.(7[0-9])$')
describe RCVD_IN_SENDERSCORE_70_79    Senderscore.org score of 70 to 79
score    RCVD_IN_SENDERSCORE_70_79    1.2
tflags   RCVD_IN_SENDERSCORE_70_79    net

header   RCVD_IN_SENDERSCORE_60_69 eval:check_rbl('senderscore60-lastexternal','score.senderscore.com.','^127\.0\.4\.(6[0-9])$')
describe RCVD_IN_SENDERSCORE_60_69    Senderscore.org score of 60 to 69
score    RCVD_IN_SENDERSCORE_60_69    2.2
tflags   RCVD_IN_SENDERSCORE_60_69    net

header   RCVD_IN_SENDERSCORE_50_59 eval:check_rbl('senderscore50-lastexternal','score.senderscore.com.','^127\.0\.4\.(5[0-9])$')
describe RCVD_IN_SENDERSCORE_50_59    Senderscore.org score of 50 to 59
score    RCVD_IN_SENDERSCORE_50_59    3.2
tflags   RCVD_IN_SENDERSCORE_50_59    net

header   RCVD_IN_SENDERSCORE_30_49 eval:check_rbl('senderscore30-lastexternal','score.senderscore.com.','^127\.0\.4\.([3-4][0-9])$')
describe RCVD_IN_SENDERSCORE_30_49    Senderscore.org score of 30 to 49
score    RCVD_IN_SENDERSCORE_30_49    4.2
tflags   RCVD_IN_SENDERSCORE_30_49    net

header   RCVD_IN_SENDERSCORE_0_29 eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
describe RCVD_IN_SENDERSCORE_0_29     Senderscore.org score of 0 to 29
score    RCVD_IN_SENDERSCORE_0_29     5.2
tflags   RCVD_IN_SENDERSCORE_0_29     net

endif


99_mailspike.cf
---
shortcircuit RCVD_IN_MSPIKE_H5 on

score RCVD_IN_MSPIKE_H4 -3.2
score RCVD_IN_MSPIKE_H3 -2.2
score RCVD_IN_MSPIKE_H2 -1.2
score RCVD_IN_MSPIKE_WL -0.82
score RCVD_IN_MSPIKE_BL 1.2
score RCVD_IN_MSPIKE_L2 0.2
score RCVD_IN_MSPIKE_L3 1.2
score RCVD_IN_MSPIKE_L4 2.2
score RCVD_IN_MSPIKE_L5 3.2

Dave
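
A sanity check for the return-code bands in the 99_senderscore.cf rules above, as an added Python example that is not part of the thread and not SpamAssassin code: it builds the reversed-octet query name that check_rbl() sends for the last external relay IP, maps a 127.0.4.N answer onto the rule whose regex matches (regexes copied verbatim from the config), applies the meta condition that the two negative bands only count with SPF_PASS, and verifies that the seven regexes partition the 0..100 score range with no gaps or overlaps. The answer table is constructed (documentation IPs, invented scores), not real Senderscore data.

```python
import ipaddress
import re

ZONE = "score.senderscore.com."   # zone queried by the posted rules

# (rule name, return-code regex, score) copied from the 99_senderscore.cf above
BANDS = [
    ("RCVD_IN_SENDERSCORE_90_100", r"^127\.0\.4\.(9[0-9]|100)$", -2.2),
    ("RCVD_IN_SENDERSCORE_80_89",  r"^127\.0\.4\.(8[0-9])$",     -1.2),
    ("RCVD_IN_SENDERSCORE_70_79",  r"^127\.0\.4\.(7[0-9])$",      1.2),
    ("RCVD_IN_SENDERSCORE_60_69",  r"^127\.0\.4\.(6[0-9])$",      2.2),
    ("RCVD_IN_SENDERSCORE_50_59",  r"^127\.0\.4\.(5[0-9])$",      3.2),
    ("RCVD_IN_SENDERSCORE_30_49",  r"^127\.0\.4\.([3-4][0-9])$",  4.2),
    ("RCVD_IN_SENDERSCORE_0_29",   r"^127\.0\.4\.([1-2]?[0-9])$", 5.2),
]


def query_name(ip):
    """DNSBL query name: octets reversed, then the zone (192.0.2.10 -> 10.2.0.192.<zone>)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE


def matching_rules(answer):
    """Names of the rules whose regex matches the A record returned for the query."""
    return [name for name, rx, _ in BANDS if re.search(rx, answer)]


def score_for(answer, spf_pass):
    """Sum of the matching bands; the negative ones are metas that also need SPF_PASS."""
    total = 0.0
    for _, rx, score in BANDS:
        if not re.search(rx, answer):
            continue
        if score < 0 and not spf_pass:
            continue
        total += score
    return total


def band_coverage():
    """{score: rules} for every value 0..100 NOT matched by exactly one band; {} means clean."""
    problems = {}
    for n in range(101):
        hits = matching_rules(f"127.0.4.{n}")
        if len(hits) != 1:
            problems[n] = hits
    return problems


def evaluate(ip, answers, spf_pass):
    """Look ip up in a constructed answer table (missing = not listed) and score it."""
    answer = answers.get(query_name(ip))
    if answer is None:
        return None, 0.0
    return matching_rules(answer), score_for(answer, spf_pass)


# Constructed answers for documentation IPs; not real Senderscore data.
SAMPLE_ANSWERS = {
    query_name("192.0.2.10"): "127.0.4.95",    # assumed reputable bulk sender
    query_name("198.51.100.7"): "127.0.4.12",  # assumed low-reputation host
}

if __name__ == "__main__":
    print("coverage problems:", band_coverage())
    print(evaluate("192.0.2.10", SAMPLE_ANSWERS, spf_pass=True))
    print(evaluate("192.0.2.10", SAMPLE_ANSWERS, spf_pass=False))
    print(evaluate("198.51.100.7", SAMPLE_ANSWERS, spf_pass=False))
    print(evaluate("203.0.113.9", SAMPLE_ANSWERS, spf_pass=True))
```

band_coverage() returning an empty dict is the property worth keeping when the bands are edited: a regex such as `([1-2]?[0-9])` is easy to get wrong at the edges (0 and 29), and an uncovered or doubly covered value silently shifts scores. The SPF_PASS gate on the negative bands is what stops a spoofed message from borrowing a good sender's reputation.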

Re: ANY_BOUNCE_MESSAGE questions

2017-04-30 Thread Martin Gregorie
On Sat, 2017-04-29 at 20:57 -0400, Alex wrote:
> Hi,
> 
> I'm having a problem with bounce messages being tagged as spam. What
> is the proper way to handle legitimate bounce messages these days? Is
> it safe to bypass scanning DSN bounce messages and route them
> directly
> with postfix?
> 
> I've created some rules over the years which attempt to identify
> spoofed bounce messages (mailer-daemon@...), but the rule hit this
> message when it shouldn't have.
> 
> We have a mail system that allows user forwarding. The user with an
> account on our system sent a message from their gmail address
> (bfg38...@gmail.com) with the envelope-from being the account on our
> system (38...@example.com). The DSN was sent back to the 38137 user,
> where spamassassin tagged it as spam incorrectly.
> 
> https://pastebin.com/HBTx7Cqw
> 
> I realize this is convoluted, and forwarding is problematic for many
> reasons. That's a separate issue. I'm trying to figure out how I can
> better configure bounce message management on my system in general,
> particularly as it relates to preventing legitimate messages from
> being marked as spam.
> 
> Is the solution here to use the whitelist_bounce_relays? Or does it
> not apply here since the mail originated at gmail?
> 
I use a homegrown meta rule that seems fairly reliable.
It triggers if:

- the recipient isn't one of my published domains  OR
  the Message_ID doesn't include one of my domains OR
  the message includes "Please enable images"

AND

- the message includes any one from a list of subjects saying the
  message wasn't deliverable 


This has been a pretty reliable rule for me, anyway.


Martin
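
Martin's meta rule above and the whitelist_bounce_relays setting that Matus recommends elsewhere in this thread both reduce to one question: does the quoted original inside a DSN show signs of having left our system? The following is an added Python example, not code from the thread and not SpamAssassin's VBounce plugin, that parses a multipart/report bounce with the standard library and applies both tests: the original's Message-ID domain is one of ours, or one of its Received headers names one of our relays. OUR_DOMAINS, OUR_RELAYS, the remote host names, the subject regex and every sample message are assumptions constructed for the example.

```python
import email
import re
from email import policy

OUR_DOMAINS = {"example.com", "mail.example.com"}     # assumption: domains we publish
OUR_RELAYS = {"smtp.example.com", "mx1.example.com"}  # assumption: our outbound relays

# Short stand-in for the subject lists in 20_vbounce.cf (assumption)
UNDELIVERABLE = re.compile(
    r"undeliver|delivery (status|failure|report)|mail delivery failed|returned mail", re.I)


def is_bounce(msg):
    """DSN shape: multipart/report with report-type=delivery-status, or a null
    return path together with an 'undeliverable' subject."""
    rtype = (msg.get_param("report-type", header="content-type") or "").lower()
    if msg.get_content_type() == "multipart/report" and rtype == "delivery-status":
        return True
    null_path = str(msg.get("Return-Path", "")).strip() == "<>"
    return null_path and bool(UNDELIVERABLE.search(str(msg.get("Subject", ""))))


def original_message(dsn):
    """The quoted original, carried as a message/rfc822 part; None if absent."""
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            if isinstance(payload, list) and payload:
                return payload[0]
    return None


def message_id_domain(msgid):
    """Domain part of a Message-ID such as <x@mail.example.com>, lower-cased."""
    m = re.search(r"@([^>\s]+)>?\s*$", str(msgid or ""))
    return m.group(1).lower() if m else ""


def relayed_by_us(orig):
    """whitelist_bounce_relays idea: did the original pass through one of our relays?"""
    received = " ".join(str(h) for h in orig.get_all("Received", [])).lower()
    return any(host in received for host in OUR_RELAYS)


def classify(raw):
    """'legit-bounce' if the quoted original shows it came from us, else 'backscatter'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    orig = original_message(msg)
    if orig is None:
        return "bounce-without-original"
    if message_id_domain(orig.get("Message-ID")) in OUR_DOMAINS:
        return "legit-bounce"          # Martin's Message-ID test
    if relayed_by_us(orig):
        return "legit-bounce"          # vbounce-style relay test
    return "backscatter"


# Constructed DSN skeleton from a remote MX; the original goes into the rfc822 part.
DSN_TEMPLATE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.remote.example
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example

Final-Recipient: rfc822; bob@remote.example
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

{original}
--B1--
"""


def make_dsn(original):
    return DSN_TEMPLATE.format(original=original)


# 1. Our user's mail, relayed by us, refused by the remote side: a real DSN.
SAMPLE_LEGIT = make_dsn("""\
Received: from smtp.example.com (smtp.example.com [192.0.2.10])
 by mx.remote.example with ESMTP id c0ffee
Message-ID: <20170430120000.AB12@mail.example.com>
From: alice@example.com
To: bob@remote.example

See you at noon.""")

# 2. Spam with our address forged as sender, bounced by an MTA that skips SPF.
SAMPLE_BACKSCATTER = make_dsn("""\
Received: from mail.promo.invalid (mail.promo.invalid [198.51.100.7])
 by mx.remote.example with ESMTP id deadbeef
Message-ID: <a1b2c3@promo.invalid>
From: alice@example.com
To: bob@remote.example

Please enable images to view this offer.""")

# 3. Alex's case: sent from Gmail with our address as envelope sender only.
SAMPLE_FORWARDED = make_dsn("""\
Received: from mail-out.google.com (mail-out.google.com [203.0.113.25])
 by mx.remote.example with ESMTP id 0ddba11
Message-ID: <constructed-id@mail.gmail.com>
From: user@gmail.com
To: bob@remote.example

Forwarded for a friend.""")
```

The third sample is the case Alex opened the thread with: the message left Gmail, our address appears only as the envelope sender, so neither the Message-ID nor the Received trail of the quoted original names us, and both tests call a legitimate DSN backscatter. That gap is inherent to the heuristics, not to the implementation. In SpamAssassin the relay test is the VBounce plugin (loadplugin Mail::SpamAssassin::Plugin::VBounce) with whitelist_bounce_relays listing the hostnames of your outbound relays.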


ANY_BOUNCE_MESSAGE questions

2017-04-29 Thread Alex
Hi,

I'm having a problem with bounce messages being tagged as spam. What
is the proper way to handle legitimate bounce messages these days? Is
it safe to bypass scanning DSN bounce messages and route them directly
with postfix?

I've created some rules over the years which attempt to identify
spoofed bounce messages (mailer-daemon@...), but the rule hit this
message when it shouldn't have.

We have a mail system that allows user forwarding. The user with an
account on our system sent a message from their gmail address
(bfg38...@gmail.com) with the envelope-from being the account on our
system (38...@example.com). The DSN was sent back to the 38137 user,
where spamassassin tagged it as spam incorrectly.

https://pastebin.com/HBTx7Cqw

I realize this is convoluted, and forwarding is problematic for many
reasons. That's a separate issue. I'm trying to figure out how I can
better configure bounce message management on my system in general,
particularly as it relates to preventing legitimate messages from
being marked as spam.

Is the solution here to use the whitelist_bounce_relays? Or does it
not apply here since the mail originated at gmail?

Thanks for any ideas.