Re: Bayes not learning, blacklist not filtering

2018-11-16 Thread John Hardin

On Fri, 16 Nov 2018, Bill Cole wrote:


On 15 Nov 2018, at 14:27, MarkCS wrote:


So I've been tasked with researching an issue with the mail server at work.
We use Spamassassin and at present, it's not blocking some pretty obvious
spam, largely from the domain qq.com. Basically email is slipping through,
being bounced back at the end receiving server, then our server tries to
bounce back to qq.com, which doesn't exist at that point and we get a bounce
message. Hundreds of these suckers are coming through daily.


As John said, absolutely blocking a whole domain is best done before 
SpamAssassin, in the MTA (in your case that looks like Postfix.)


In fact, all of John's reply was good. There's one thing he was probably too 
polite to mention though...



X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on 


Eh, no, I don't particularly focus on that detail...

Good point, though.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  From the Liberty perspective, it doesn't matter if it's a
  jackboot or a Birkenstock smashing your face. -- Robb Allen
---
 596 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: Bayes not learning, blacklist not filtering

2018-11-16 Thread Bill Cole

On 15 Nov 2018, at 14:27, MarkCS wrote:

So I've been tasked with researching an issue with the mail server at work.
We use Spamassassin and at present, it's not blocking some pretty obvious
spam, largely from the domain qq.com. Basically email is slipping through,
being bounced back at the end receiving server, then our server tries to
bounce back to qq.com, which doesn't exist at that point and we get a bounce
message. Hundreds of these suckers are coming through daily.


As John said, absolutely blocking a whole domain is best done before 
SpamAssassin, in the MTA (in your case that looks like Postfix.)


In fact, all of John's reply was good. There's one thing he was probably 
too polite to mention though...



X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on 


Upgrade SA. 3.3.2 is antique and hasn't seen any updates in (as noted) 7+ 
years. Each 3.4.x release has added useful functionality. Substantial 
parts of the default ruleset are wrapped in version checks because they 
demand 3.4.x features.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Re: Bayes not learning, blacklist not filtering

2018-11-15 Thread John Hardin

On Thu, 15 Nov 2018, MarkCS wrote:


Even when the message is manually learned and the domain in question is
blacklisted, these messages are getting through.


If you're blacklisting the domain, do so at the MTA level.


My question is basically, why would BAYES be failing to learn?


The most common answer to that question is: you're training to a different 
Bayes database than spamassassin is using during message processing.


What is your glue - how is SA hooked into your MTA?

What user is SA (typically spamd) running under?

What user are you logged in as for training?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  How can you reason with someone who thinks we're on a glidepath to
  a police state and yet their solution is to grant the government a
  monopoly on force? They are insane.
---
 595 days since the first commercial re-flight of an orbital booster (SpaceX)
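An added example, not part of this thread, for checking the cause John points at: the account you run sa-learn from and the account spamd runs as may be reading different Bayes databases. The script parses `sa-learn --dump magic` output for both accounts; the two dumps embedded here are constructed, and the spamd account name used in the comment is an assumption to adjust for your installation.

```shell
#!/bin/sh
# Added example: do the training account and the spamd account read the same
# Bayes DB? Compares `sa-learn --dump magic` output from both. Thresholds are
# SpamAssassin's defaults (bayes_min_spam_num / bayes_min_ham_num = 200).

# magic_value DUMP NAME: print the value column of the "non-token data: NAME" line
magic_value() {
    printf '%s\n' "$1" | awk -v name="$2" '$0 ~ ("non-token data: " name "$") { print $3; exit }'
}

# bayes_active DUMP: succeed if the DB holds enough learned spam AND ham to score
bayes_active() {
    [ "$(magic_value "$1" nspam)" -ge 200 ] 2>/dev/null &&
    [ "$(magic_value "$1" nham)" -ge 200 ] 2>/dev/null
}

# same_db DUMP_A DUMP_B: succeed if nspam, nham and ntokens all agree
# (differing counts mean the two accounts are not sharing one database)
same_db() {
    for k in nspam nham ntokens; do
        [ "$(magic_value "$1" "$k")" = "$(magic_value "$2" "$k")" ] || return 1
    done
}

# Constructed dumps standing in for two real runs. On the server you would use:
#   TRAIN_DUMP=$(sa-learn --dump magic)                 # as the account you train from
#   SPAMD_DUMP=$(su -s /bin/sh -c 'sa-learn --dump magic' debian-spamd)   # account name is an assumption
TRAIN_DUMP='0.000          0          3          0  non-token data: bayes db version
0.000          0         57          0  non-token data: nspam
0.000          0         12          0  non-token data: nham
0.000          0       9810          0  non-token data: ntokens'
SPAMD_DUMP='0.000          0          3          0  non-token data: bayes db version
0.000          0       1203          0  non-token data: nspam
0.000          0       2210          0  non-token data: nham
0.000          0     184322          0  non-token data: ntokens'

if same_db "$TRAIN_DUMP" "$SPAMD_DUMP"; then
    echo "OK: training account and spamd read the same Bayes DB"
else
    echo "MISMATCH: your sa-learn runs feed a DB that spamd never reads"
fi
bayes_active "$TRAIN_DUMP" || echo "training DB is below the 200 spam / 200 ham activation threshold"
bayes_active "$SPAMD_DUMP" && echo "spamd DB is active, so BAYES_* rules still fire from it"
```

If the two dumps differ, point both accounts at one database with `bayes_path` (and matching `bayes_file_mode`) in local.cf, or run sa-learn as the spamd account.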


Bayes not learning, blacklist not filtering

2018-11-15 Thread MarkCS
So I've been tasked with researching an issue with the mail server at work.
We use Spamassassin and at present, it's not blocking some pretty obvious
spam, largely from the domain qq.com. Basically email is slipping through,
being bounced back at the end receiving server, then our server tries to
bounce back to qq.com, which doesn't exist at that point and we get a bounce
message. Hundreds of these suckers are coming through daily.

It looks like 
1. The spam filter learning (BAYES_*) algorithm is failing to learn these
messages, even with manual help.
2. The blacklist checks (*BL) are not running on these messages, though they
are running on other messages.

Even when the message is manually learned and the domain in question is
blacklisted, these messages are getting through. Below is a sample of one of
the message headers with a slight edit (to hide our server and clients
address). Everything pertinent should be in there. My question is basically,
why would BAYES be failing to learn, and what could be wrong that even
manual blacklisting isn't stopping the email from coming through our servers
in the first place?

Return-Path: <1016127...@qq.com>
Received: from ciasi.net (unknown [222.185.137.152])
by  (Postfix) with SMTP id 0CBE73B78
for ; Wed, 19 Sep 2018 20:41:27 -0400 (EDT)
Received: from ciasi.net (unknown (133.107.2.163])
 by ciasi.net with SMTP id 5e0effce-4536-49de-bc6a-72d3e686fe4d;
 for <1016127...@qq.com>;Wed, 19 Sep 2018 03:29:20 +08:00
Message-ID: 
From: "=?utf-8?B?5YWz6JST?=" <1016127...@qq.com>
To: 
Subject: [SPAM]
=?utf-8?B?5aiBIE4gU+OAkDMzNTQxOOeCuUNPTeOAkeWFqOeQg+acgOWkp0IgQyDpm4blm6LvvIzmvrM=?=
=?utf-8?B?6Zeo5Yqg5YWl54uC5qyi6IqC77yM5Li7562W6LWg6aS4MTg46Iqr77yM?=
=?utf-8?B?5q+P5pyI5Lq/5ZyG6Y655Yiw5L2g5pq05a+ML+iLjeepueenkeaKgA==?=
=?utf-8?B?6LWE6K6v44CQMTEwNC50ZWNo44CRWUMzSmZhQXdBbDg0VQ==?=
Date: Wed, 19 Sep 2018 03:29:20 +0800
MIME-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Disposition-Notification-To: 1016127...@qq.com
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.9 required=5.0
tests=BAYES_05,DATE_IN_PAST_06_12,DIGEST_MULTIPLE,FREEMAIL_ENVFROM_END_DIGIT,
FREEMAIL_FROM,FROM_EXCESS_BASE64,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
UNPARSEABLE_RELAY autolearn=no version=3.3.2
X-Spam-Report: 
*  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
*  (1016127695[at]qq.com)
*  1.5 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
*  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
*  digit (1016127695[at]qq.com)
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* -0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5%
*  [score: 0.0113]
*  1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
*  [cf: 100]
*  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
*  1.4 PYZOR_CHECK Listed in Pyzor
*  (https://pyzor.readthedocs.io/en/latest/)
*  0.3 DIGEST_MULTIPLE Message hits more than one network digest check
*  0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
*  1.0 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on 



--
Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html