RE: FW: Tons of spam getting through
Changed and Amavis has been restarted. I'll check the headers on the next piece of spam to come through. Thanks

I'm still trying to figure out how illegitimate stuff like this is getting through. It's obviously a virus (which was caught) but then why did the email get through? I see the flag was for 4.0 so it wasn't enough to kick it out based on wording, but wouldn't something in the headers be forged and catch this?

Received: from smtp.phhwtechnology.com (10.0.1.7) by mail.phhwtechnology.com (10.0.1.5) with Microsoft SMTP Server id 14.3.195.1; Fri, 22 Aug 2014 15:12:59 -0500
Received: from localhost (localhost [127.0.0.1]) by smtp.phhwtechnology.com (Postfix) with ESMTP id DCC4C194998E for gledf...@phhwtechnology.com; Fri, 22 Aug 2014 15:01:50 -0500 (CDT)
X-Quarantine-ID: NDBldcOJqsG1
X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char C2 hex): From: Janna \021\303\202\302\261N\303\203\302\276\303\203\302\267\022\303\202\302\256\303\202\302\270\303\203\302\230\303\203\302\273[...]
X-Spam-Flag: NO
X-Spam-Score: 4.803
X-Spam-Level:
X-Spam-Status: No, score=4.803 tagged_above=-100 required=5 tests=[DCC_CHECK=1.1, FROM_ILLEGAL_CHARS=2.059, RCVD_IN_BRBL_LASTEXT=1.644] autolearn=no autolearn_force=no
Received: from smtp.phhwtechnology.com ([127.0.0.1]) by localhost (smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDBldcOJqsG1 for gledf...@phhwtechnology.com; Fri, 22 Aug 2014 15:01:49 -0500 (CDT)
Received-SPF: none (smtp.1-800-optisource.com: No applicable sender policy available) receiver=spamfilter; identity=mailfrom; envelope-from=dqyf...@smtp.1-800-optisource.com; helo=smtp.1-800-optisource.com; client-ip=96.56.14.106
Received: from smtp.1-800-optisource.com (smtp.1-800-optisource.com [96.56.14.106]) by smtp.phhwtechnology.com (Postfix) with ESMTP id 4BDCC194998A for gledf...@phhwtechnology.com; Fri, 22 Aug 2014 15:01:48 -0500 (CDT)
From: Janna ??N??{|r???@??}W^-??#??|jQZ??+??c??_1R??cK??| /]8'+%??5????u??, Rw??d}?jh@smtp.phhwtechnology.com, zS]??? dqyf...@smtp.1-800-optisource.com
To: gledf...@phhwtechnology.com
Subject: inovice_AUG_7831915.pdf
Date: Fri, 22 Aug 2014 16:01:06 -0400
Message-ID: 5921d510-35dc-be7b-ad00-8655a7347...@mail.phhwtechnology.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0025_01CFBE22.48401B00
Return-Path: dqyf...@smtp.1-800-optisource.com
X-MS-Exchange-Organization-AuthSource: WEBSERVER01.mail.phhwtechnology.com
X-MS-Exchange-Organization-AuthAs: Anonymous
Re: FW: Tons of spam getting through
On Tue, 19 Aug 2014, Greg Ledford wrote:
What exactly are SA headers supposed to look like?

On 19.08.14 13:05, John Hardin wrote:
SA headers look like this:
X-Spam-Status: No, score=0.138 tagged_above=-100 required=5 tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no

This one is actually an amavisd header, which means that the MTA uses spamassassin indirectly. Just FYI.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
RE: FW: Tons of spam getting through
What exactly are SA headers supposed to look like? I'm still getting quite a bit of spam coming through. It's blocking quite a bit but I'm not so sure SA is even doing its job. Is there maybe a way to just block everything from anything .us? Stuff like this is being missed (what's really amusing is this list blocked my original response because IT sure seems to know what spam is!):

Received: from smtp.phhwtechnology.com (10.0.1.7) by mail.phhwtechnology.com (10.0.1.5) with Microsoft SMTP Server id 14.3.195.1; Mon, 18 Aug 2014 10:56:42 -0500
Received: from localhost (localhost [127.0.0.1]) by smtp.phhwtechnology.com (Postfix) with ESMTP id 0F1811948379 for gledf...@phhwtechnology.commailto:gledf...@phhwtechnology.com; Mon, 18 Aug 2014 10:45:28 -0500 (CDT)
X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
X-Spam-Flag: NO
X-Spam-Score: 0.138
X-Spam-Level:
X-Spam-Status: No, score=0.138 tagged_above=-100 required=5 tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from smtp.phhwtechnology.com ([127.0.0.1]) by localhost (smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f63HgJVgBWwg for gledf...@phhwtechnology.commailto:gledf...@phhwtechnology.com; Mon, 18 Aug 2014 10:45:23 -0500 (CDT)
Received-SPF: pass (onlyfastsloans.us: 107.158.196.226 is authorized to use 'quick.apprv...@onlyfastslans.us' in 'mfrom' identity (mechanism 'a' matched)) receiver=spamfilter; identity=mailfrom; envelope-from=quick.approv...@onlyfastslans.usmailto:quick.approv...@onlyfastslans.us; helo=onlyfastslans.us; client-ip=107.158.196.226
Received: from onlyfastslans.us (items.onlyfastslans.us [107.158.196.226]) by smtp.phhwtechnology.com (Postfix) with ESMTP id A4EE81948385 for gledf...@phhwtechnology.commailto:gledf...@phhwtechnology.com; Mon, 18 Aug 2014 10:45:23 -0500 (CDT)
Date: Mon, 18 Aug 2014 08:45:25 -0700
Subject: Fnds Up to 5000dollars on 8-18-2014. Notic #14258781
From: Fast-Funds684 quick.apprv...@onlyfastslans.usmailto:quick.apprv...@onlyfastslans.us
To: gledf...@phhwtechnology.commailto:gledf...@phhwtechnology.com
Message-ID: 20140818154528.0f1811948...@smtp.phhwtechnology.commailto:20140818154528.0f1811948...@smtp.phhwtechnology.com
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: quick.apprv...@onlyfastslans.usmailto:quick.apprv...@onlyfastslans.us
X-MS-Exchange-Organization-AuthSource: WEBSERVER01.mail.phhwtechnology.com
X-MS-Exchange-Organization-AuthAs: Anonymous

Use sa_tag_level_deflt = -100; All your emails will have the SpamAssassin headers.

Changed and Amavis has been restarted. I'll check the headers on the next piece of spam to come through. Thanks
RE: FW: Tons of spam getting through
On Tue, 19 Aug 2014, Greg Ledford wrote:
What exactly are SA headers supposed to look like?

SA headers look like this:
X-Spam-Flag: NO
X-Spam-Score: 0.138
X-Spam-Level:
X-Spam-Status: No, score=0.138 tagged_above=-100 required=5 tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no

I'm still getting quite a bit of spam coming through. It's blocking quite a bit but I'm not so sure SA is even doing its job.

Messages are apparently being scanned, though they don't appear to be hitting much in the way of rules...

Is there maybe a way to just block everything from anything .us?

That would probably be easier to do in your MTA before the message is even passed to SA.

Stuff like this is being missed (what's really amusing is this list blocked my original response because IT sure seems to know what spam is!):

If that's a spam, then please post the entire message, with all headers intact in their raw form, to pastebin and post the URL here. That will let us take a look at what rules are hit in our environment and suggest possible fixes.

Note: if the headers look like this:
From: Fast-Funds684 quick.apprv...@onlyfastslans.usmailto:quick.apprv...@onlyfastslans.us
i.e., with mailto:... injected, they probably are not raw. I don't know of the best way to get a raw RFC-822-format message out of Exchange, but I assume there is a way.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
People think they're trading chaos for order [by ceding more and more power to the Government], but they're just trading normal human evil for the really dangerous organized kind of evil, the kind that simply does not give a shit. Only bureaucrats can give you true evil. -- Larry Correia
---
5 days until the 1935th anniversary of the destruction of Pompeii
FW: Tons of spam getting through
Take a look at the sa_tag_level_deflt in your amavisd configuration file.

$sa_tag_level_deflt = 5.5;
$sa_tag2_level_deflt = 6.0;
$sa_spam_subject_tag = '***POSSIBLE SPAM***';
$sa_kill_level_deflt = 7.0;

I did. I bumped the levels a bit because they were catching some legitimate emails. I may bump them back down some as a test.
Re: FW: Tons of spam getting through
On Tue, Aug 12, 2014 at 2:50 PM, Greg Ledford gledf...@phhwtechnology.com wrote:
Take a look at the sa_tag_level_deflt in your amavisd configuration file.

$sa_tag_level_deflt = 5.5;
$sa_tag2_level_deflt = 6.0;
$sa_spam_subject_tag = '***POSSIBLE SPAM***';
$sa_kill_level_deflt = 7.0;

I did. I bumped the levels a bit because they were catching some legitimate emails. I may bump them back down some as a test.

Use sa_tag_level_deflt = -100; All your emails will have the SpamAssassin headers.

Karl
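An added example, not from this thread and not amavisd's or SpamAssassin's own code: a small Python parser for the amavisd-style X-Spam-Status lines quoted earlier in the thread, which also works out which amavisd action (tag, tag2, kill) a score would reach under the levels quoted above. The level semantics are assumed from amavisd-new's documented behaviour, and the sample headers are the two lines posted in the thread.

```python
import re
# amavisd-new levels quoted in the thread (the poster's raised values). Semantics
# assumed from amavisd-new: tag adds X-Spam-* headers, tag2 marks as spam, kill blocks.
LEVELS = {"tag": 5.5, "tag2": 6.0, "kill": 7.0}

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?:Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)"
    r"\s+tagged_above=(?P<tagged>-?\d+(?:\.\d+)?)\s+required=-?\d+(?:\.\d+)?"
    r"\s+tests=\[(?P<tests>[^\]]*)\]"
)

def parse_spam_status(header):
    """Parse one amavisd-style X-Spam-Status header (folded or not); None if absent."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # RFC 822 header unfolding
    m = STATUS_RE.search(unfolded)
    if not m:
        return None
    tests = {}
    for item in m.group("tests").split(","):
        name, _, val = item.strip().partition("=")
        if name:
            tests[name] = float(val) if val else 0.0
    return {"score": float(m.group("score")),
            "tagged_above": float(m.group("tagged")), "tests": tests}

def amavis_action(score, levels=LEVELS):
    """Highest amavisd level the score reaches (kill > tag2 > tag), else 'pass'."""
    for name in ("kill", "tag2", "tag"):
        if score >= levels[name]:
            return name
    return "pass"

def triage(headers, levels=LEVELS):
    """Per header: score, the rule contributing most, and the action amavisd takes."""
    rows = []
    for h in headers:
        st = parse_spam_status(h)
        if st is None:
            continue  # no X-Spam-Status: SA headers were not added to this message
        top = max(st["tests"], key=st["tests"].get) if st["tests"] else None
        rows.append({"score": st["score"], "top_rule": top,
                     "action": amavis_action(st["score"], levels)})
    return rows

SAMPLES = [  # constructed sample input: the two X-Spam-Status lines quoted in the thread
    "X-Spam-Status: No, score=4.803 tagged_above=-100 required=5 tests=[DCC_CHECK=1.1,"
    " FROM_ILLEGAL_CHARS=2.059, RCVD_IN_BRBL_LASTEXT=1.644] autolearn=no autolearn_force=no",
    "X-Spam-Status: No, score=0.138 tagged_above=-100 required=5 tests=[MISSING_MID=0.14,"
    " SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no",
]
```

Running `triage(SAMPLES)` shows why both messages got through: the 4.803 message is carried mostly by FROM_ILLEGAL_CHARS but stays below every level, and the 0.138 one barely hits any rule at all.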
RE: FW: Tons of spam getting through
Use sa_tag_level_deflt = -100; All your emails will have the SpamAssassin headers.

Changed and Amavis has been restarted. I'll check the headers on the next piece of spam to come through. Thanks for the great help!