Re: Getting high spam score for email server hosted on AWS instance
Which level that can give such a result (the score)?

Thanx.

Regards,
Mario

On Wed, Feb 8, 2012 at 6:41 PM, Sharma, Ashish ashish.shar...@hp.com wrote:

> Hi,
>
> I have a mail server setup on an AWS instance.
>
> When I am sending mails via this setup to a test spamassassin setup that acts as an email receiver server, I am getting high spam scores as follows:
>
> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>
> As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399
>
> My investigation leads me to the spamassassin tests wiki (http://wiki.apache.org/spamassassin/Rules/RCVD_ILLEGAL_IP), that states that my AWS machine's IP has been identified as invalid or not a mail source.
>
> Is there a whitelist kind of thing that I need to notify to get my AWS email server IP out of the invalid IP list?
>
> Please suggest.
>
> Thanks
> Ashish
RE: Getting high spam score for email server hosted on AWS instance
Following is the spam score received for cloudemail5.cpgtest.ostinet.net (184.72.247.145) email sending setup on one of my Spamassassin email receiving setup:

[FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no

Is there anything else you need?

I didn't get your last question completely.

Thanks
Ashish

-----Original Message-----
From: Joe Sniderman [mailto:joseph.snider...@thoroquel.org]
Sent: Friday, February 10, 2012 1:21 PM
To: users@spamassassin.apache.org
Subject: Re: Getting high spam score for email server hosted on AWS instance

On 02/10/2012 02:16 AM, Sharma, Ashish wrote:
> The cluster with which I am facing problem is different one.
>
> The node for which I am getting high spam score has the following details:
>
> cloudemail5.cpgtest.ostinet.net (184.72.247.145)

No other Received lines?

--
Joe Sniderman joseph.snider...@thoroquel.org
Re: Getting high spam score for email server hosted on AWS instance
On 02/10/2012 09:33 AM, Sharma, Ashish wrote:
> Following is the spam score received for cloudemail5.cpgtest.ostinet.net (184.72.247.145) email sending setup on one of my Spamassassin email receiving setup:
>
> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>
> Is there anything else you need?
>
> I didn't get your last question completely.

why not post a sample msg's headers in a pastebin ?
Would prevent a lot of the guess work.

What SA version are you using?
RE: Getting high spam score for email server hosted on AWS instance
My Spamassassin version : 3.3.1

Following are sample message headers:

Return-Path:
Delivered-To: clean-quarantine
X-Envelope-From: b9d02381-7740-4159-badd-eadc565eb...@cloudemail5.cpgtest.ostinet.net
X-Envelope-To: 4564eji78...@load.cpgtest.ostinet.net
X-Envelope-To-Blocked:
X-Quarantine-ID: F2SbkzVKv8fE
X-Spam-Flag: NO
X-Spam-Score: 6.423
X-Spam-Level: **
X-Spam-Status: No, score=6.423 tag=-999 tag2=6.9 kill=6.9 tests=[FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, SARE_GIF_ATTACH=1.42, T_RP_MATCHES_RCVD=-0.01] autolearn=no
X-Spam-Report:
    * 3.4 RCVD_ILLEGAL_IP Received: contains illegal IP address
    * 0.3 FROM_LOCAL_HEX From: localpart has long hexadecimal sequence
    * -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
    * domain
    * 1.3 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 1.4 SARE_GIF_ATTACH FULL: Email has a inline gif
Received: from load.cpgtest.ostinet.net ([127.0.0.1])
    by localhost (load.cpgtest.ostinet.net [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id F2SbkzVKv8fE for 4564eji78...@load.cpgtest.ostinet.net;
    Fri, 10 Feb 2012 08:23:09 -0500 (EST)
Received: from mail.ostinet.net (mail.ostinet.net [194.149.89.24])
    by load.cpgtest.ostinet.net (Postfix) with ESMTPS id C054F1ACC045
    for 4564eji78...@load.cpgtest.ostinet.net;
    Fri, 10 Feb 2012 08:23:07 -0500 (EST)
Authentication-Results: load.cpgtest.ostinet.net; sender-id=none header.from=b9d02381-7740-4159-badd-eadc565eb...@cloudemail5.cpgtest.ostinet.net; spf=none smtp.mfrom=b9d02381-7740-4159-badd-eadc565eb...@cloudemail5.cpgtest.ostinet.net
X-DKIM: OpenDKIM Filter v2.1.3 load.cpgtest.ostinet.net C054F1ACC045
Authentication-Results: load.cpgtest.ostinet.net; dkim=none (no signature); dkim-adsp=none
Received: from cloudemail5.cpgtest.ostinet.net (ec2-184-72-247-145.compute-1.amazonaws.com [184.72.247.145])
    by mail.ostinet.net (8.13.1/8.13.1) with SMTP id q1ADMwXp018879
    for 4564eji78...@load.cpgtest.ostinet.net;
    Fri, 10 Feb 2012 13:23:00 GMT
Received: from expedite (unknown [15.219.195.127])
    by cloudemail5.cpgtest.ostinet.net (Postfix) with ESMTP id 8328E3485E
    for 4564eji78...@load.cpgtest.ostinet.net;
    Fri, 10 Feb 2012 08:22:54 -0500 (EST)
X-Original-To: 1364_testm...@cloudemail5.cpgtest.ostinet.net
Delivered-To: 1364_testm...@cloudemail5.cpgtest.ostinet.net
Received: from mail-pz0-f41.google.com (mail-pz0-f41.google.com [209.85.210.41])
    by cloudemail5.cpgtest.ostinet.net (Postfix) with ESMTP id 2152834837
    for 1364_testm...@cloudemail5.cpgtest.ostinet.net;
    Tue, 7 Feb 2012 06:03:59 -0500 (EST)
Received: by dadv6 with SMTP id v6so5891220dad.28
    for 1364_testm...@cloudemail5.cpgtest.ostinet.net;
    Tue, 07 Feb 2012 03:03:58 -0800 (PST)
Received: by 10.68.219.101 with SMTP id pn5mr5483175pbc.37.1328612638547;
    Tue, 07 Feb 2012 03:03:58 -0800 (PST)
Received: from [192.168.1.106] ([14.98.27.245])
    by mx.google.com with ESMTPS id q8sm22575740pbi.1.2012.02.07.03.03.33
    (version=TLSv1/SSLv3 cipher=OTHER);
    Tue, 07 Feb 2012 03:03:56 -0800 (PST)
Subject: Fwd: GMAIL WEB attachment contains Gif and Giff files
References: CAK=nnrwusn3jfxt2e0yxhmeutykgyh7sh+iqgxydwxggxht...@mail.gmail.com
From: b9d02381-7740-4159-badd-eadc565eb...@cloudemail5.cpgtest.ostinet.net
Content-Type: multipart/alternative; boundary=Apple-Mail-6494678E-A93F-4140-86A9-5E0B53C654F4
X-Mailer: iPhone Mail (9A405)
Message-Id: 17004336.2371328880174317.javamail.hpad...@cloudemail5.cpgtest.ostinet.net
Date: Tue, 7 Feb 2012 16:33:25 +0530
To: 4564eji78...@load.cpgtest.ostinet.net
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
Reply-To: b9d02381-7740-4159-badd-eadc565eb...@cloudemail5.cpgtest.ostinet.net

Thanks
Ashish

-----Original Message-----
From: Axb [mailto:axb.li...@gmail.com]
Sent: Friday, February 10, 2012 2:39 PM
To: users@spamassassin.apache.org
Subject: Re: Getting high spam score for email server hosted on AWS instance

On 02/10/2012 09:33 AM, Sharma, Ashish wrote:
> Following is the spam score received for cloudemail5.cpgtest.ostinet.net (184.72.247.145) email sending setup on one of my Spamassassin email receiving setup:
>
> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>
> Is there anything else you need?
>
> I didn't get your last question completely.

why not post a sample msg's headers in a pastebin ?
Would prevent a lot of the guess work.

What SA version are you using?
RE: Getting high spam score for email server hosted on AWS instance
On 2012-02-10 08:15, Sharma, Ashish wrote:
> Can you please explain now?

Received: from G9W0367G.americas.hpqcorp.net (16.216.193.231)
    by G5W2206G.americas.hpqcorp.net (16.228.43.185)
    with Microsoft SMTP Server (TLS) id 14.1.289.1;
    Fri, 10 Feb 2012 07:15:47 +
Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28])
    by G9W0367G.americas.hpqcorp.net ([16.216.193.231])
    with mapi id 14.01.0289.001;
    Fri, 10 Feb 2012 07:15:07 +

mapi must not use this ip, use another ip in rfc1918

this is what is being triggered in spamassassin
RE: Getting high spam score for email server hosted on AWS instance
On 2012-02-10 09:33, Sharma, Ashish wrote:
> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>
> Is there anything else you need?
>
> I didn't get your last question completely.

it's a local problem when local ips are used

No, score=-10.591 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_THREADED=-1.5, NO_USER_AGENT=0.1, NO_X_MAILER=0.1, RCVD_IN_DNSWL_HI=-5, RELAY_STAR=0.1, RELAY_US=0.01, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-2.5] autolearn=no

to solve it locally, configure internal_networks and trusted_networks in local.cf

i see no link local in my spamassassin :)
RE: Getting high spam score for email server hosted on AWS instance
On 2012-02-10 14:43, Sharma, Ashish wrote:
> My Spamassassin version : 3.3.1
>
> Following are sample message headers:

remove sare rules set, it's deprecated
RE: Getting high spam score for email server hosted on AWS instance
The cluster with which I am facing problem is different one.

The node for which I am getting high spam score has the following details:

cloudemail5.cpgtest.ostinet.net (184.72.247.145)

Can you please explain now?

Thanks
Ashish

-----Original Message-----
From: Michael Scheidell [mailto:michael.scheid...@secnap.com]
Sent: Wednesday, February 08, 2012 7:28 PM
To: users@spamassassin.apache.org
Subject: Re: Getting high spam score for email server hosted on AWS instance

On 2/8/12 6:41 AM, Sharma, Ashish wrote:
> Hi,
>
> I have a mail server setup on an AWS instance.
>
> When I am sending mails via this setup to a test spamassassin setup that acts as an email receiver server, I am getting high spam scores as follows:
>
> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>
> As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399

no, since the ip address in question is, by definition, an unroutable ip, and should never be seen in a received list

(I am just guessing:
Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by
You have a microsoft cluster, where microsoft thought it would be a good idea to use 169.254.0.0/16 ip addresses?)

Bring this up with microsoft, have them 'fix' this.

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
*| *SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator

__
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com/
__
RE: Getting high spam score for email server hosted on AWS instance
The cluster with which I am facing problem is different one.

The node for which I am getting high spam score has the following details:

cloudemail5.cpgtest.ostinet.net (184.72.247.145)

Can you please explain now?

Thanks
Ashish

-----Original Message-----
From: Joe Sniderman [mailto:joseph.snider...@thoroquel.org]
Sent: Wednesday, February 08, 2012 10:53 PM
To: users@spamassassin.apache.org
Subject: Re: Getting high spam score for email server hosted on AWS instance

On 02/08/2012 08:57 AM, Michael Scheidell wrote:
> On 2/8/12 6:41 AM, Sharma, Ashish wrote:
>> Hi,
>>
>> I have a mail server setup on an AWS instance.
>>
>> When I am sending mails via this setup to a test spamassassin setup that acts as an email receiver server, I am getting high spam scores as follows:
>>
>> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>>
>> As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399
>
> no, since the ip address in question is, by definition, an unroutable ip, and should never be seen in a received list
>
> (I am just guessing:
> Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by

That should not be a problem in and of itself... 169.254.0.0/16 is intended for link-local.. (see RFCs 5735 and 3330)

It might or might not be less than ideal to use addresses in 169.254.0.0/16 for the communication between one machine and a smarthost on a LAN, but far from illegal.

169.254.0.0/16 is also notably *not* mentioned in the wiki for RCVD_ILLEGAL_IP:
http://wiki.apache.org/spamassassin/Rules/RCVD_ILLEGAL_IP

All that said, RCVD_ILLEGAL_IP _used to_ hit on IPs 169.254.0.0/16, but AFAIK that changed with 3.3.

See also: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6460

And: http://svn.apache.org/viewvc/spamassassin/branches/3.3/rules/20_head_tests.cf?view=markup#l423

    # must keep it in sync with http://www.iana.org/assignments/ipv4-address-space/
    header RCVD_ILLEGAL_IP X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?=\d+\.\d+\.\d+\.\d+ )(?:0|2(?:2[4-9]|[3-5]\d)|192\.0\.2|198\.51\.100|203\.0\.113)\./
    describe RCVD_ILLEGAL_IP Received: contains illegal IP address

IOW, 196.254.0.0/16 no longer matches as of 3.3

> You have a microsoft cluster, where microsoft thought it would be a good idea to use 169.254.0.0/16 ip addresses?)

It's really not that horrible an idea..

> Bring this up with microsoft, have them 'fix' this.

Or better yet, the OP should bring it up with whoever is running the test spamassassin instance and get them to upgrade it.

--
Joe Sniderman joseph.snider...@thoroquel.org
Re: Getting high spam score for email server hosted on AWS instance
On 02/10/2012 02:16 AM, Sharma, Ashish wrote:
> The cluster with which I am facing problem is different one.
>
> The node for which I am getting high spam score has the following details:
>
> cloudemail5.cpgtest.ostinet.net (184.72.247.145)

No other Received lines?

--
Joe Sniderman joseph.snider...@thoroquel.org
Re: Getting high spam score for email server hosted on AWS instance
On 2/8/12 6:41 AM, Sharma, Ashish wrote:
> Hi,
>
> I have a mail server setup on an AWS instance.
>
> When I am sending mails via this setup to a test spamassassin setup that acts as an email receiver server, I am getting high spam scores as follows:
>
> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>
> As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399

no, since the ip address in question is, by definition, an unroutable ip, and should never be seen in a received list

(I am just guessing:
Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by
You have a microsoft cluster, where microsoft thought it would be a good idea to use 169.254.0.0/16 ip addresses?)

Bring this up with microsoft, have them 'fix' this.

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
*| *SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator

__
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com/
__
Re: Getting high spam score for email server hosted on AWS instance
On 02/08/2012 08:57 AM, Michael Scheidell wrote:
> On 2/8/12 6:41 AM, Sharma, Ashish wrote:
>> Hi,
>>
>> I have a mail server setup on an AWS instance.
>>
>> When I am sending mails via this setup to a test spamassassin setup that acts as an email receiver server, I am getting high spam scores as follows:
>>
>> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
>>
>> As can be seen, the highest contributor is RCVD_ILLEGAL_IP=3.399
>
> no, since the ip address in question is, by definition, an unroutable ip, and should never be seen in a received list
>
> (I am just guessing:
> Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by

That should not be a problem in and of itself... 169.254.0.0/16 is intended for link-local.. (see RFCs 5735 and 3330)

It might or might not be less than ideal to use addresses in 169.254.0.0/16 for the communication between one machine and a smarthost on a LAN, but far from illegal.

169.254.0.0/16 is also notably *not* mentioned in the wiki for RCVD_ILLEGAL_IP:
http://wiki.apache.org/spamassassin/Rules/RCVD_ILLEGAL_IP

All that said, RCVD_ILLEGAL_IP _used to_ hit on IPs 169.254.0.0/16, but AFAIK that changed with 3.3.

See also: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6460

And: http://svn.apache.org/viewvc/spamassassin/branches/3.3/rules/20_head_tests.cf?view=markup#l423

    # must keep it in sync with http://www.iana.org/assignments/ipv4-address-space/
    header RCVD_ILLEGAL_IP X-Spam-Relays-Untrusted =~ / (?:by|ip)=(?=\d+\.\d+\.\d+\.\d+ )(?:0|2(?:2[4-9]|[3-5]\d)|192\.0\.2|198\.51\.100|203\.0\.113)\./
    describe RCVD_ILLEGAL_IP Received: contains illegal IP address

IOW, 196.254.0.0/16 no longer matches as of 3.3

> You have a microsoft cluster, where microsoft thought it would be a good idea to use 169.254.0.0/16 ip addresses?)

It's really not that horrible an idea..

> Bring this up with microsoft, have them 'fix' this.

Or better yet, the OP should bring it up with whoever is running the test spamassassin instance and get them to upgrade it.

--
Joe Sniderman joseph.snider...@thoroquel.org
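An added example, not part of the thread and not SpamAssassin's own code: the rule body quoted above, ported to Python and run over relay addresses, together with a simplified model of the trusted_networks setting suggested elsewhere in the thread. The reduced metadata layout in `relay_entry`, the trust walk in `split_trust`, and the addresses 240.1.2.3 and 192.0.2.10 are assumptions constructed for illustration.

```python
import ipaddress
import re

# Rule body quoted in the thread (3.3 branch, 20_head_tests.cf). SpamAssassin
# evaluates it against the X-Spam-Relays-Untrusted pseudo-header.
RCVD_ILLEGAL_IP = re.compile(
    r" (?:by|ip)=(?=\d+\.\d+\.\d+\.\d+ )"
    r"(?:0|2(?:2[4-9]|[3-5]\d)|192\.0\.2|198\.51\.100|203\.0\.113)\."
)

# Relay addresses from the Received headers posted in the thread, newest first.
THREAD_RELAYS = ["127.0.0.1", "194.149.89.24", "184.72.247.145",
                 "15.219.195.127", "209.85.210.41", "14.98.27.245"]


def split_trust(relay_ips, trusted_networks):
    """Simplified model (assumption): walking from the newest relay, relays
    stay trusted until the first address outside trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for i, ip in enumerate(relay_ips):
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            return relay_ips[:i], relay_ips[i:]
    return list(relay_ips), []


def relay_entry(ip):
    """Constructed, reduced stand-in for one relay entry in the metadata."""
    return f"[ ip={ip} rdns= helo= by=mx.example.invalid ident= ] "


def rule_hits(relay_ips, trusted_networks):
    """Return the untrusted relay addresses that the quoted regex flags."""
    _, untrusted = split_trust(relay_ips, trusted_networks)
    return [ip for ip in untrusted if RCVD_ILLEGAL_IP.search(relay_entry(ip))]


if __name__ == "__main__":
    loopback = ["127.0.0.0/8"]
    print("thread relays:", rule_hits(THREAD_RELAYS, loopback))
    print("link-local   :", rule_hits(["127.0.0.1", "169.254.8.28"], loopback))
    # 240.1.2.3 and 192.0.2.10 are constructed sample addresses.
    sample = ["127.0.0.1", "192.0.2.10", "240.1.2.3"]
    print("untrusted    :", rule_hits(sample, loopback))
    print("trusted      :", rule_hits(sample, loopback + ["192.0.2.0/24", "240.0.0.0/4"]))
```

The real trust-path logic in SpamAssassin also considers internal_networks and authentication; this sketch only shows why a relay that falls inside trusted_networks is never seen by a rule that reads X-Spam-Relays-Untrusted.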
Re: Getting high spam score for email server hosted on AWS instance
On 02/08/2012 12:22 PM, Joe Sniderman typed hurriedly:
> IOW, 196.254.0.0/16 no longer matches as of 3.3

Well, I meant to type 169.254.0.0/16... but then.. obvious typo is obvious.

--
Joe Sniderman joseph.snider...@thoroquel.org