Re: RP_MATCHES_RCVD

2016-05-11 Thread Matus UHLAR - fantomas

RH> RP_MATCHES_RCVD removed 1.7 points



On 11.05.16 16:29, Reindl Harald wrote:

which proves again how badly auto-qa works and why you need to adjust
some rules up to remove them entirely with a zero score



On 11.05.2016 at 16:34, Matus UHLAR - fantomas wrote:

afaik, auto-qa scores _are_ justified, just some are missed from this...


On 11.05.16 16:42, Reindl Harald wrote:

rules like this need a way lower max-score


which is just what I have said. 


/etc/mail/spamassassin/local-*.cf
score RP_MATCHES_RCVD -0.001


you can easily turn off that one (set to 0), I did.
There's __RP_MATCHES_RCVD that has to be used in metas.

the fact that spam comes from compromised account doesn't mean it's less
spam ...


looks like you don't understand what this rule does
Envelope sender domain matches handover relay domain

it's a *whitelisting rule*

"the fact that spam comes from a domain where the PTR has the same 
doesn't mean it's less spam" is the fixed version of your sentence


which is (in fact) just what I have said...

"spam from acco...@example.com is not less spam just because it's sent from
compromised account on example.com mailserver"

The mentioned rule just makes sending spam from compromised accounts on
companies' mailservers, which is quite common.

... and if someone wants to have this rule in metas, there's
__RP_MATCHES_RCVD that doesn't mess up score for spam

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


Re: RP_MATCHES_RCVD

2016-05-11 Thread Reindl Harald



On 11.05.2016 at 16:34, Matus UHLAR - fantomas wrote:

On 11.05.2016 at 16:14, Niamh Holding wrote:

Friday, September 5, 2014, 7:37:18 AM, you wrote:

RH> RP_MATCHES_RCVD removed 1.7 points

RH> is that not a little too much?

Now running at 2.1 :(


On 11.05.16 16:29, Reindl Harald wrote:

which proves again how badly auto-qa works and why you need to adjust
some rules up to remove them entirely with a zero score


afaik, auto-qa scores _are_ justified, just some are missed from this...


rules like this need a way lower max-score


[root@mail-gw:~]$ sa-score.sh RP_MATCHES_RCVD
/usr/share/spamassassin

/var/lib/spamassassin/3.004001/updates_spamassassin_org
score RP_MATCHES_RCVD   -1.643 -2.079 -1.643 -2.079

/etc/mail/spamassassin/local-*.cf
score RP_MATCHES_RCVD -0.001


you can easily turn off that one (set to 0), I did.
There's __RP_MATCHES_RCVD that has to be used in metas.

the fact that spam comes from compromised account doesn't mean it's less
spam ...


looks like you don't understand what this rule does
Envelope sender domain matches handover relay domain

it's a *whitelisting rule*

"the fact that spam comes from a domain where the PTR has the same 
doesn't mean it's less spam" is the fixed version of your sentence above






Re: RP_MATCHES_RCVD

2016-05-11 Thread Matus UHLAR - fantomas

On 11.05.2016 at 16:14, Niamh Holding wrote:

Friday, September 5, 2014, 7:37:18 AM, you wrote:

RH> RP_MATCHES_RCVD removed 1.7 points

RH> is that not a little too much?

Now running at 2.1 :(


On 11.05.16 16:29, Reindl Harald wrote:
which proves again how badly auto-qa works and why you need to adjust 
some rules up to remove them entirely with a zero score


afaik, auto-qa scores _are_ justified, just some are missed from this...


[root@mail-gw:~]$ sa-score.sh RP_MATCHES_RCVD
/usr/share/spamassassin

/var/lib/spamassassin/3.004001/updates_spamassassin_org
score RP_MATCHES_RCVD   -1.643 -2.079 -1.643 -2.079

/etc/mail/spamassassin/local-*.cf
score RP_MATCHES_RCVD -0.001


you can easily turn off that one (set to 0), I did.
There's __RP_MATCHES_RCVD that has to be used in metas.

the fact that spam comes from compromised account doesn't mean it's less
spam ...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...


Re: RP_MATCHES_RCVD

2016-05-11 Thread Reindl Harald



On 11.05.2016 at 16:14, Niamh Holding wrote:

Hello Reindl,

Friday, September 5, 2014, 7:37:18 AM, you wrote:

RH> RP_MATCHES_RCVD removed 1.7 points

RH> is that not a little too much?

Now running at 2.1 :(


which proves again how badly auto-qa works and why you need to adjust 
some rules up to remove them entirely with a zero score


[root@mail-gw:~]$ sa-score.sh RP_MATCHES_RCVD
/usr/share/spamassassin

/var/lib/spamassassin/3.004001/updates_spamassassin_org
score RP_MATCHES_RCVD   -1.643 -2.079 -1.643 -2.079

/etc/mail/spamassassin/local-*.cf
score RP_MATCHES_RCVD -0.001





Re: RP_MATCHES_RCVD

2016-05-11 Thread Niamh Holding

Hello Reindl,

Friday, September 5, 2014, 7:37:18 AM, you wrote:

RH> RP_MATCHES_RCVD removed 1.7 points

RH> is that not a little too much?

Now running at 2.1 :(

-- 
Best regards,
 Niamh    mailto:ni...@fullbore.co.uk



Re: RP_MATCHES_RCVD

2014-09-10 Thread Thomas Harold
On 9/5/2014 2:37 AM, Reindl Harald wrote:
> Hi
> 
> i got recently a clear spam message which would have
> a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points
> 
> is that not a little too much?
> 

This has been a problem for about 6 months now.

I complained about it back in April 2014, and there was a much larger
discussion back in Aug 2013.  After the Aug 2013 discussion it was
fixed, but then something broke it in Mar/Apr 2014.



Re: RP_MATCHES_RCVD

2014-09-05 Thread Reindl Harald

On 05.09.2014 at 09:19, Matus UHLAR - fantomas wrote:
>> On 05.09.2014 at 09:04, Matus UHLAR - fantomas wrote:
>>> and I see more things that are way too much
>>> 5.0 BAYES_95
>>> tag-level=4.5
> 
> On 05.09.14 09:13, Reindl Harald wrote:
>> # adjust IADB scoring (way too high defaults)
>> score RCVD_IN_IADB_VOUCHED -0.5
>> score RCVD_IN_IADB_DOPTIN -0.8
>> score RCVD_IN_IADB_ML_DOPTIN -1.1
> 
> are you aware that scores 0 and 2 are defined without network tests, so they
> should be zero in this case?

yes, but thanks for the hint - the last change was before
the first coffee after look again at local.cf, all the time
before i used it like below :-(

score RCVD_IN_IADB_VOUCHED 0 -0.4 0 -0.4
score RCVD_IN_IADB_DOPTIN 0 -0.7 0 -0.7
score RCVD_IN_IADB_ML_DOPTIN 0 -1.0 0 -1.0





Re: RP_MATCHES_RCVD

2014-09-05 Thread Matus UHLAR - fantomas

On 05.09.2014 at 09:04, Matus UHLAR - fantomas wrote:

and I see more things that are way too much
5.0 BAYES_95
tag-level=4.5


On 05.09.14 09:13, Reindl Harald wrote:

# adjust IADB scoring (way too high defaults)
score RCVD_IN_IADB_VOUCHED -0.5
score RCVD_IN_IADB_DOPTIN -0.8
score RCVD_IN_IADB_ML_DOPTIN -1.1


are you aware that scores 0 and 2 are defined without network tests, so they
should be zero in this case?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 


Re: RP_MATCHES_RCVD

2014-09-05 Thread Reindl Harald

On 05.09.2014 at 09:04, Matus UHLAR - fantomas wrote:
> On 05.09.14 08:37, Reindl Harald wrote:
>> i got recently a clear spam message which would have
>> a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points
>>
>> is that not a little too much?
> 
> yes, it is, mentioned multiple times.
> 
>> * X-Spam-Status: Yes, score=5.2, tag-level=4.5, block-level=8
>> *  5.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
>> * -1.7 RP_MATCHES_RCVD Envelope sender domain matches, handover relay domain
> 
> and I see more things that are way too much
> 5.0 BAYES_95
> tag-level=4.5

# adjust IADB scoring (way too high defaults)
score RCVD_IN_IADB_VOUCHED -0.5
score RCVD_IN_IADB_DOPTIN -0.8
score RCVD_IN_IADB_ML_DOPTIN -1.1
___

defaults:

score RCVD_IN_IADB_VOUCHED 0 -2.2 0 -2.2
score RCVD_IN_IADB_DOPTIN 0 -4 0 -4
score RCVD_IN_IADB_ML_DOPTIN 0 -6 0 -6





Re: RP_MATCHES_RCVD

2014-09-05 Thread Matus UHLAR - fantomas

On 05.09.14 08:37, Reindl Harald wrote:

i got recently a clear spam message which would have
a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points

is that not a little too much?


yes, it is, mentioned multiple times.


* X-Spam-Status: Yes, score=5.2, tag-level=4.5, block-level=8
*  5.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
* -1.7 RP_MATCHES_RCVD Envelope sender domain matches, handover relay domain


and I see more things that are way too much
5.0 BAYES_95
tag-level=4.5
...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains? 


Re: RP_MATCHES_RCVD

2014-09-04 Thread Reindl Harald

On 05.09.2014 at 08:40, Adi wrote:
>> i got recently a clear spam message which would have
>> a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points
>>
>> is that not a little too much?
> 
> think so too. I set it into local.cf:
> 
> score RP_MATCHES_RCVD -0.1

thanks for confirmation

i give it even -0.5 but -1.7 even dnswl medium trust don't get :-)





Re: RP_MATCHES_RCVD

2014-09-04 Thread Adi
Hi
> i got recently a clear spam message which would have
> a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points
> 
> is that not a little too much?
> 

think so too. I set it into local.cf:

score RP_MATCHES_RCVD -0.1

Best Regards


Re: RP_MATCHES_RCVD

2014-04-17 Thread Benny Pedersen

Thomas Harold wrote on 2014-04-17 19:01:


(Hopefully next month I can help out with the mass-check.)


should it not be like

meta RP_UNLISTED_HAM (!RP_MATCHES_RCVD)

if it should score as spam ?

if just scores are changed, then its another problem imho


Re: RP_MATCHES_RCVD

2014-04-17 Thread Thomas Harold
On 4/17/2014 9:14 AM, Kevin A. McGrail wrote:
> 
>> it's not corrected, that's the point...
>>
> The scoring occurs from automatic corpus checks.  The best way to help
> the rule score better is to help with masscheck.
> 

It's not really a good indicator of spam/ham here either.  A moderate
amount of spam is being marked as ham due to that rule's weight.

This rule was discussed back in Oct/Nov 2013, after which the rule was
manually set to -0.001.  And it stayed that way until at least Feb 28th
of this year.  Then during the first few weeks of March 2014, someone
converted it to a T_ rule before re-releasing it.

(Hopefully next month I can help out with the mass-check.)



Re: RP_MATCHES_RCVD

2014-04-17 Thread Kevin A. McGrail

On 4/17/2014 10:21 AM, Matus UHLAR - fantomas wrote:

it's not corrected, that's the point...


On 17.04.14 09:14, Kevin A. McGrail wrote:
The scoring occurs from automatic corpus checks.  The best way to 
help the rule score better is to help with masscheck.


and still SA people tune some scores manually.

Looking at 
http://ruleqa.spamassassin.org/?daterev=20140416-r1587834-n&rule=RP_MATCHES_RCVD&srcpath=&g=Change 
there does appear to be a hamminess to the rule and it justifies a 
negative score.  A score of -1.05 seems appropriate to me.


Not to me. The whole fact that @gmail.com spam coming from gmail.com
servers does not mean it's not spam, only because millions of @gmail.com ham
coming from gmail.com are ham...

this logic is braindead to me

Then you will likely have to use manual tuning.

regards,
KAM


Re: RP_MATCHES_RCVD

2014-04-17 Thread Matus UHLAR - fantomas

it's not corrected, that's the point...


On 17.04.14 09:14, Kevin A. McGrail wrote:
The scoring occurs from automatic corpus checks.  The best way to 
help the rule score better is to help with masscheck.


and still SA people tune some scores manually.

Looking at http://ruleqa.spamassassin.org/?daterev=20140416-r1587834-n&rule=RP_MATCHES_RCVD&srcpath=&g=Change 
there does appear to be a hamminess to the rule and it justifies a 
negative score.  A score of -1.05 seems appropriate to me.


Not to me. The whole fact that @gmail.com spam coming from gmail.com
servers does not mean it's not spam, only because millions of @gmail.com ham
coming from gmail.com are ham...

this logic is braindead to me
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig


Re: RP_MATCHES_RCVD

2014-04-17 Thread Kevin A. McGrail



it's not corrected, that's the point...

The scoring occurs from automatic corpus checks.  The best way to help 
the rule score better is to help with masscheck.


Looking at 
http://ruleqa.spamassassin.org/?daterev=20140416-r1587834-n&rule=RP_MATCHES_RCVD&srcpath=&g=Change 
there does appear to be a hamminess to the rule and it justifies a 
negative score.  A score of -1.05 seems appropriate to me.


Regards,
KAM



Re: RP_MATCHES_RCVD

2014-04-15 Thread Matus UHLAR - fantomas

Thomas Harold wrote on 2014-04-15 05:49:

Mar 24th - RP_MATCHES_RCVD = -0.535
Mar 27th - RP_MATCHES_RCVD = -0.371
Apr 7th - RP_MATCHES_RCVD = -0.271
Apr 14th - RP_MATCHES_RCVD = -0.989

Running 3.3.1 on CentOS 6 (from the @updates channel).  Running
"sa-update" daily.


On 15.04.14 07:18, Benny Pedersen wrote:
what is the problem ?, the scores is adjusted  by public corpus, so 
if there is score that is not correct its a sign of missing ham/spam 
to correct it


the problem with this rule is (and was) that it often pushes score under the
spam threshold.  It was complained here more times IIRC.

I have complained about this too, and I still have in my cf:

/etc/spamassassin/local.cf:score RP_MATCHES_RCVD 0

This rule is imho just something that should not be used as a whole.
No complaints against metas for now.

other than that spamassassin does not just counts on one rule, so 
even if that rule seems incorrect hitting then it corrected by other 
rules


it's not corrected, that's the point...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are


Re: RP_MATCHES_RCVD

2014-04-14 Thread Benny Pedersen

Thomas Harold wrote on 2014-04-15 05:49:

(during first few weeks of March it was showing as T_RP_MATCHES_RCVD, 
-0.01)


note rules that begins with T_ is corpus testing rules, also why it 
score just 0.01 here



Mar 24th - RP_MATCHES_RCVD = -0.535
Mar 27th - RP_MATCHES_RCVD = -0.371
Apr 7th - RP_MATCHES_RCVD = -0.271
Apr 14th - RP_MATCHES_RCVD = -0.989

Running 3.3.1 on CentOS 6 (from the @updates channel).  Running
"sa-update" daily.


what is the problem ?, the scores is adjusted  by public corpus, so if 
there is score that is not correct its a sign of missing ham/spam to 
correct it


other than that spamassassin does not just counts on one rule, so even 
if that rule seems incorrect hitting then it corrected by other rules


Re: RP_MATCHES_RCVD

2014-04-14 Thread Thomas Harold
On 11/8/2013 4:38 PM, John Hardin wrote:
> On Fri, 8 Nov 2013, Kris Deugau wrote:
> 
>> LuKreme wrote:
>>> Some spam has been matching the rule RP_MATCHES_RCVD which is worth
>>> -2.8 points. I wanted to look at this rule, so I went to
>>> /usr/local/etc/mail/spamassassin and grepped for the name, but no hits.
>>
>> There was a thread on this rule not too long ago;  check the list
>> archives
> 
> Yeah, I thought we'd killed that in favor of a subrule. I guess we never
> actually pulled the trigger on that change... Mark?
> 

It seems to be back, and the value is changing from week to week.

Feb 28th - RP_MATCHES_RCVD = -0.001

(during first few weeks of March it was showing as T_RP_MATCHES_RCVD, -0.01)

Mar 24th - RP_MATCHES_RCVD = -0.535
Mar 27th - RP_MATCHES_RCVD = -0.371
Apr 7th - RP_MATCHES_RCVD = -0.271
Apr 14th - RP_MATCHES_RCVD = -0.989

Running 3.3.1 on CentOS 6 (from the @updates channel).  Running
"sa-update" daily.


Re: RP_MATCHES_RCVD

2013-11-08 Thread LuKreme

On 08 Nov 2013, at 13:53 , Kris Deugau  wrote:

> It's also been scored down in more recent rule updates;  as of a few
> minutes ago it looks like it's *way* down:
> 
> score RP_MATCHES_RCVD   -1.501 -0.001 -1.501 -0.001

I saw that after I ran sa-update, which was shortly after I posted.

I've set it to -0.1 for now.

-- 
Every absurdity has a champion to defend it.



Re: RP_MATCHES_RCVD

2013-11-08 Thread LuKreme

On 08 Nov 2013, at 13:53 , Kris Deugau  wrote:

> SA is installed from package, this looks something like
> /var/lib/spamassassin.

Ah, /var/db/spamassassin

I would never have found them. thanks!

-- 
Everything you read on the Internet is false -- Glenn Fleishman



Re: RP_MATCHES_RCVD

2013-11-08 Thread John Hardin

On Fri, 8 Nov 2013, Kris Deugau wrote:


LuKreme wrote:
Some spam has been matching the rule RP_MATCHES_RCVD which is worth 
-2.8 points. I wanted to look at this rule, so I went to 
/usr/local/etc/mail/spamassassin and grepped for the name, but no hits.


There was a thread on this rule not too long ago;  check the list
archives


Yeah, I thought we'd killed that in favor of a subrule. I guess we never 
actually pulled the trigger on that change... Mark?



and in the meantime score it down or disable it completely.  A
fair bit of spam hits this here.  :(


I'd score it as -0.001 (advisory), as there may still be other meta rules 
using it rather than the unscored subrule so you don't want to completely 
disable it.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  From the Liberty perspective, it doesn't matter if it's a
  jackboot or a Birkenstock smashing your face. -- Robb Allen
---
 3 days until Veterans Day


Re: RP_MATCHES_RCVD

2013-11-08 Thread Kris Deugau
LuKreme wrote:
> Some spam has been matching the rule RP_MATCHES_RCVD which is worth -2.8 
> points. I wanted to look at this rule, so I went to 
> /usr/local/etc/mail/spamassassin and grepped for the name, but no hits.

There was a thread on this rule not too long ago;  check the list
archives and in the meantime score it down or disable it completely.  A
fair bit of spam hits this here.  :(

It's also been scored down in more recent rule updates;  as of a few
minutes ago it looks like it's *way* down:

score RP_MATCHES_RCVD   -1.501 -0.001 -1.501 -0.001

Run sa-update regularly to get rule and score updates.

>  # find /usr/local -name "*cf"  | grep -v postfix
> /usr/local/etc/mail/spamassassin/local.cf
> /usr/local/etc/mail/spamassassin/whitelist.cf
>  #

SA stock rules haven't been shipped in the tarball for quite a while,
and IIRC most packages don't include them any more either.  They're
downloaded by sa-update.  "spamassassin -D --lint 2>&1 |grep
LOCAL_STATE" should show the path they're under.  On most systems where
SA is installed from package, this looks something like
/var/lib/spamassassin.

-kgd


Re: RP_MATCHES_RCVD

2013-10-21 Thread Matus UHLAR - fantomas

On Mon, 21 Oct 2013, Mauricio Tavares wrote:

Trying to figure out why RP_MATCHES_RCVD scored so low. Is it
because Return-Path:  and the last
Received matches that domain? if so, anything I can do to score it as
the proper spam it is?


On 21.10.13 10:24, John Hardin wrote:
RP_MATCHES_RCVD is a check that the message metadata is internally 
consistent. While giving it a negative score may not be justified, 
don't think that it's useful as a spam indicator and should have a 
positive score.


Giving this rule positive value would uselessly add score to correct mail,
but any negative score increases possibility of false negative.

I don't think this should have any score, imho __RP_MATCHES_RCVD for meta
rules is just enough. It can be T_ rule if anyone wants, imho.

I have set score of this rule to 0 because of those.

In fact, as spams usually exhibit internal *inconsistencies* due to 
being largely forged, a message *not* hitting RP_MATCHES_RCVD may 
actually be a better spam indicator - that's probably the reason that 
it has a negative score.


not hitting is very common by any hosted domains.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.


Re: RP_MATCHES_RCVD

2013-10-21 Thread John Hardin

On Mon, 21 Oct 2013, Mauricio Tavares wrote:


Trying to figure out why RP_MATCHES_RCVD scored so low. Is it
because Return-Path:  and the last
Received matches that domain? if so, anything I can do to score it as
the proper spam it is?


RP_MATCHES_RCVD is a check that the message metadata is internally 
consistent. While giving it a negative score may not be justified, don't 
think that it's useful as a spam indicator and should have a positive 
score.


In fact, as spams usually exhibit internal *inconsistencies* due to being 
largely forged, a message *not* hitting RP_MATCHES_RCVD may actually be a 
better spam indicator - that's probably the reason that it has a negative 
score.


Given the surge in WhatsApp spams recently (I've been getting a lot) I 
think I should add some specific rules to my sandbox for testing.


For the time being, you might want to do this in your local rules:

  body  __VOICEMAIL    /\bYou have a new voicemail!/i
  body  __WHATSAPP     /\bWhatsApp\b/
  meta  LCL_WHATSAPP   __WHATSAPP && __VOICEMAIL
  score LCL_WHATSAPP   1.000

That should be enough to push it over the threshold without FPs on 
legitimate (non-WhatsApp) voicemail notifications.


Pointers from anyone who actually uses WhatsApp about how to distinguish 
legitimate voicemail notifications from these spams are solicited.



 Original Message 
Return-Path: 
Delivered-To: r...@domain.com
Received: from localhost (localhost [127.0.0.1]) by
mail.domain.com (Postfix) with ESMTP id CAE8980058; Sun, 20
Oct 2013 22:10:19 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mail.domain.com
X-Spam-Flag: NO
X-Spam-Score: 4.1
X-Spam-Level: 
X-Spam-Status: No, score=4.1 required=4.7 tests=[BAYES_99=4.2,
HTML_MESSAGE=1.27, RP_MATCHES_RCVD=-1.37] autolearn=no
Received: from mail.domain.com ([127.0.0.1]) by localhost
(mail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
with SMTP id Fzg7udDKz5bJ; Sun, 20 Oct 2013 22:10:17 -0400 (EDT)
Received: from c001n01.zahost.ru (c001n01.zahost.ru [88.212.201.48])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client
certificate requested) by mail.domain.com (Postfix) with
ESMTPS id 669DC80051 for ; Sun, 20 Oct 2013 22:10:15
-0400 (EDT)
Received: from localhost.zahost.ru ([127.0.0.1] helo=c001n01.zahost.ru)
by c001n01.zahost.ru with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69
(FreeBSD)) (envelope-from ) id 1VY1ND-0005fT-Kk
for i...@domain.com; Mon, 21 Oct 2013 02:21:23 +0400
Received: (from semik@localhost) by c001n01.zahost.ru
(8.14.4/8.13.8/Submit) id r9KMLM0s021783; Mon, 21 Oct 2013 02:21:22
+0400 (MSD) (envelope-from semik)
Date: Mon, 21 Oct 2013 02:21:22 +0400 (MSD)
Message-Id: <201310202221.r9kmlm0s021...@c001n01.zahost.ru>
To: i...@domain.com
Subject: 4 New Voicemail(s)
X-PHP-Script: 35x35.ru/ for 127.0.0.1
From: WhatsApp Messaging Service 
X-Mailer: Spmailver8.5
Reply-To: WhatsApp Messaging Service 
Mime-Version: 1.0
Content-Type:
multipart/alternative;boundary="--138230768252645762B1112"

WhatsApp



You have a new voicemail!
*Details*
Time of Call: Oct-15 2013 07:55:57
Lenth of Call: 57 seconds

Play



*If you cannot play, move message to the "Inbox" folder.

2013 WhatsApp Inc



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws aren't enacted to control guns, they are enacted
  to control people: catholics (1500s), japanese peasants (1600s),
  blacks (1860s), italian immigrants (1911), the irish (1920s),
  jews (1930s), blacks (1960s), the poor (always)
---
 508 days since the first successful private support mission to ISS (SpaceX)
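
Added example, not part of the original messages and not SpamAssassin code: Python that reads amavisd-new style X-Spam-Status headers (per-test scores inside tests=[...], as in the message quoted above) and reports which messages stayed under the threshold only because of one negative-scoring rule. The first sample header is the one from the thread; the other two, and all function names, are constructed for the demo.

```python
"""Find messages whose verdict was flipped by one negative-scoring rule."""
import re

# amavisd-new style header: score, threshold and per-test scores in tests=[...]
STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?:Yes|No),\s*score=(-?[\d.]+)\s+"
    r"required=(-?[\d.]+)\s+tests=\[([^\]]*)\]"
)

SAMPLE_HEADERS = [
    # From the message quoted in the thread (header folded over two lines).
    "X-Spam-Status: No, score=4.1 required=4.7 tests=[BAYES_99=4.2,\n"
    " HTML_MESSAGE=1.27, RP_MATCHES_RCVD=-1.37] autolearn=no",
    # Constructed: ordinary ham, the rule hits but nothing else scores.
    "X-Spam-Status: No, score=-1.369 required=4.7 tests=[HTML_MESSAGE=0.001,\n"
    " RP_MATCHES_RCVD=-1.37] autolearn=no",
    # Constructed: already over the threshold even with the rule's bonus.
    "X-Spam-Status: Yes, score=6.3 required=4.7 tests=[BAYES_99=4.2,\n"
    " HTML_MESSAGE=1.27, URIBL_BLACK=1.7, RP_MATCHES_RCVD=-0.87] autolearn=no",
]


def parse_status(header):
    """Return {'required': float, 'tests': {name: score}} or None."""
    m = STATUS_RE.search(header)
    if not m:
        return None
    tests = {}
    for item in m.group(3).split(","):
        name, _, value = item.strip().partition("=")
        if name and value:
            tests[name] = float(value)
    return {"required": float(m.group(2)), "tests": tests}


def without_rule(status, rule):
    """Total the message would have had if `rule` were scored 0."""
    return round(sum(v for k, v in status["tests"].items() if k != rule), 3)


def flipped_by(header, rule):
    """True if the message is under the threshold only because of `rule`."""
    status = parse_status(header)
    if status is None or rule not in status["tests"]:
        return False
    total = round(sum(status["tests"].values()), 3)
    return total < status["required"] <= without_rule(status, rule)


def report(headers, rule):
    """List (index, total, total_without_rule) for every flipped message."""
    rows = []
    for i, header in enumerate(headers):
        if flipped_by(header, rule):
            status = parse_status(header)
            total = round(sum(status["tests"].values()), 3)
            rows.append((i, total, without_rule(status, rule)))
    return rows


if __name__ == "__main__":
    for index, total, bare in report(SAMPLE_HEADERS, "RP_MATCHES_RCVD"):
        print(f"message {index}: scored {total}, would score {bare} "
              f"with RP_MATCHES_RCVD at 0")
```

Run over a day of delivered mail, the count of flipped messages is the number of verdicts that depend on this one rule's score; each still has to be hand-classified as spam or ham before changing the score.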


Re: SA not "honoring" customs in "local.cf" - was Re: RP_MATCHES_RCVD letting in SPAM

2013-09-06 Thread Kris Deugau
Joe Acquisto-j4 wrote:
> I'd like to revisit this, now that I have sufficient energy to devote to
> some hard sleuthing.   Despite the
> fact that I was less than sharp (ahem) when first looking at this, I do
> feel I have covered all the obvious
> suspects.
> 
> Some gentle nudges (or not) might get me rolling again.   I suppose I
> should repost this with details of what I
> have done so far, as even those of kind and gentle nature may not be
> inclined to search it out.

I read back a bit in the thread;  you've definitely got something
strange going on.

I don't see a couple of bits of information that might help narrow it down:

- which distribution?
- is this a packaged SA, or installed from source?
- where did the init script come from?
- how are you calling SA for normal scanning?

Next:

You should have, in the first few lines from spamassassin -D --lint, a
line like this (this is from CentOS, self-built package derived at one
time from the RPMForge package):

Sep  6 09:35:26.372 [30447] dbg: generic: Perl 5.008008, PREFIX=/usr,
DEF_RULES_DIR=/usr/share/spamassassin,
LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin

SA reads rules from all of these locations, and then processes them from
the DEF_RULES_DIR, LOCAL_STATE_DIR, and then LOCAL_RULES_DIR locations,
sorted alphabetically within each grouping.  Unfortunately -D doesn't
actually indicate when it parses any given specific file from one of
those locations.

Try "grep -r RP_MATCHES_RCVD /etc" - compare that with the list of files
spamassassin -D --lint reports that it's read.

> The /etc/init.d/spamd file has a hardcoded reference to that specific
> file. I'm pretty sure it is the one being read.

Take a message that triggered this rule, and run "spamassassin <
message";  does it still trigger the rule?  If not then try removing the
arguments that set any of the configuration paths from the init script.
 For most cases this is redundant anyway;  SA knows which directories it
should look in.

-kgd
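
Added example, not part of the original messages and not SpamAssassin's own code: Python that replays the read order described above (base directory, then the sa-update directory, then the local directory, *.cf files sorted within each, last one read wins) to show which score line is in effect for a rule, and expands one-value and four-value score lines into the four score sets discussed elsewhere in this thread (sets 0 and 2 run without network tests). The directory names, file names and function names are constructed for the demo; the score lines are the ones quoted in the thread. Relative scores in parentheses and include lines are not handled.

```python
"""Resolve which 'score' line is in effect for a SpamAssassin rule."""
import glob
import os
import tempfile

SCORE_SETS = {
    0: "no Bayes, no network tests",
    1: "no Bayes, network tests",
    2: "Bayes, no network tests",
    3: "Bayes and network tests",
}


def parse_score_line(line):
    """Return (rule, [set0, set1, set2, set3]) for a score line, else None."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 3 or tokens[0] != "score":
        return None
    try:
        values = [float(t) for t in tokens[2:]]
    except ValueError:
        return None  # e.g. relative "(1.5)" syntax, not handled here
    if len(values) == 1:
        values = values * 4  # a single value applies to all four score sets
    return (tokens[1], values) if len(values) == 4 else None


def effective_score(rule, dirs):
    """Walk dirs in read order; return (values_in_effect, history).

    history holds every (path, values) assignment seen, oldest first;
    the last entry is the one in effect.
    """
    history = []
    for directory in dirs:
        for path in sorted(glob.glob(os.path.join(directory, "*.cf"))):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    parsed = parse_score_line(line)
                    if parsed and parsed[0] == rule:
                        history.append((path, parsed[1]))
    return (history[-1][1] if history else None), history


def nonzero_without_network(values):
    """Score sets without network tests (0 and 2) that still carry a score.

    For a rule that depends on a DNS lookup these should be empty.
    """
    return [s for s in (0, 2) if values[s] != 0]


def build_demo_tree(root):
    """Write a constructed three-directory layout; return dirs in read order."""
    layout = [
        ("share", "50_scores.cf",
         "score RCVD_IN_IADB_VOUCHED 0 -2.2 0 -2.2\n"),
        ("updates", "72_scores.cf",
         "score RP_MATCHES_RCVD   -1.643 -2.079 -1.643 -2.079\n"),
        ("local", "local.cf",
         "# adjust IADB scoring\nscore RCVD_IN_IADB_VOUCHED -0.5\n"),
        ("local", "local-scores.cf",
         "score RP_MATCHES_RCVD -0.001\n"),
    ]
    for sub, name, text in layout:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return [os.path.join(root, sub) for sub in ("share", "updates", "local")]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        dirs = build_demo_tree(root)
        for rule in ("RP_MATCHES_RCVD", "RCVD_IN_IADB_VOUCHED"):
            values, history = effective_score(rule, dirs)
            for path, vals in history:
                print(f"{os.path.relpath(path, root)}: score {rule} {vals}")
            for s in nonzero_without_network(values):
                print(f"  set {s} ({SCORE_SETS[s]}) is non-zero: {values[s]}")
            print(f"  in effect: {values}")
```

On a real host, pass the directories that "spamassassin -D --lint" reports, in the order that installation reads them.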


Re: SA not "honoring" customs in "local.cf" - was Re: RP_MATCHES_RCVD letting in SPAM

2013-09-06 Thread Axb

if you need help, the best way is to:

- stay *concise* at all times - verbose blah can drive ppl away
- post config and then explain issue, *concisely*
- don't revive old threads.
- help ppl help you - their time is precious and few have unlimited 
patience.
- keep it down to facts - if you have a problem, "I thought", "I 
assumed", "I hoped" are of little value.




On 09/06/2013 03:20 PM, Joe Acquisto-j4 wrote:

I'd like to revisit this, now that I have sufficient energy to devote to some 
hard sleuthing.   Despite the
fact that I was less than sharp (ahem) when first looking at this, I do feel I 
have covered all the obvious
suspects.

Some gentle nudges (or not) might get me rolling again.   I suppose I should 
repost this with details of what I
have done so far, as even those of kind and gentle nature may not be inclined 
to search it out.

But I won't clutter further, if there is no interest.

joe a.


"Joe Acquisto-j4"  08/21/13 9:45 AM >>>




Bear in mind, that will tell you whether those configuration files are
syntactically correct; that does not tell you anything about whether or
not those are the files the spamd daemon is using.

Take a look at the script that starts spamd. It may have a hardcoded path
to the configuration directory.

--
   John Hardin KA7OHZ    http://www.impsec.org/~jhardin/


The /etc/init.d/spamd file has a hardcoded reference to that specific file.  
I'm pretty sure  it is the one being read.

However, I am not so certain others are not being read later.

I find a lot of references, for example, to BAYES_99 in 
/usr/share/spamassassin/blah.cf.  I certainly don't know if these would 
override the setting in /etc/mail/spamassassin/local.cf.

joe a.








SA not "honoring" customs in "local.cf" - was Re: RP_MATCHES_RCVD letting in SPAM

2013-09-06 Thread Joe Acquisto-j4
I'd like to revisit this, now that I have sufficient energy to devote to some 
hard sleuthing.   Despite the
fact that I was less than sharp (ahem) when first looking at this, I do feel I 
have covered all the obvious
suspects.

Some gentle nudges (or not) might get me rolling again.   I suppose I should 
repost this with details of what I
have done so far, as even those of kind and gentle nature may not be inclined 
to search it out.

But I won't clutter further, if there is no interest.

joe a.

>>> "Joe Acquisto-j4"  08/21/13 9:45 AM >>>

> 
> Bear in mind, that will tell you whether those configuration files are 
> syntactically correct; that does not tell you anything about whether or 
> not those are the files the spamd daemon is using.
> 
> Take a look at the script that starts spamd. It may have a hardcoded path 
> to the configuration directory.
> 
> -- 
>   John Hardin KA7OHZ    http://www.impsec.org/~jhardin/

The /etc/init.d/spamd file has a hardcoded reference to that specific file.  
I'm pretty sure  it is the one being read.   

However, I am not so certain others are not being read later.

I find a lot of references, for example, to BAYES_99 in 
/usr/share/spamassassin/blah.cf.  I certainly don't know if these would 
override the setting in /etc/mail/spamassassin/local.cf.

joe a.





Re: RP_MATCHES_RCVD letting in SPAM

2013-08-24 Thread LuKreme

On 21 Aug 2013, at 16:33 , Joe Acquisto-j4  wrote:

> OK.  That's what I thought.   However, lint shows it "reading"
> /etc/mail/spamassassin/local.cf
> near the top of lint output and all the others, "further down",
> which suggests it is reading them after.
> 
> Perhaps that is a poor conclusion.

I can't think of a reason that --lint would need to check the files in the same 
order than SA applies them.

-- 
Adolescence is the period between childhood and adultery



Re: RP_MATCHES_RCVD letting in SPAM

2013-08-21 Thread Joe Acquisto-j4
. . . 
>> I find a lot of references, for example, to BAYES_99 in 
>> /usr/share/spamassassin/blah.cf.  I certainly don't know if these would 
>> override the setting in /etc/mail/spamassassin/local.cf.
> 
> Local settings should override standard settings, so no.

OK.  That's what I thought.   However, lint shows it "reading"
/etc/mail/spamassassin/local.cf
near the top of lint output and all the others, "further down",
which suggests it is reading them after.

Perhaps that is a poor conclusion.

> /usr/share/spamassassin is the base install directory. There is another 
> directory that sa-update populates that is read after the base directory. 
> Then the local configs are read. Last one read, wins.
> 
> "spamassassin --lint -D" should output all the directories being used; you 
> can use the same command-line options given to spamd to configure 
> "spamassassin --lint -D" the same way

Since both the root user (me) and the defined spam user (whose name I do see in 
logs) use /etc/spamassassin/local.cf (per lint), is that still worth trying?

joe a.

>   John Hardin KA7OHZ    http://www.impsec.org/~jhardin/ 
>   jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org 
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>Yet another example of a Mexican doing a job Americans are
>unwilling to do.   -- Reno Sepulveda, on UniVision reporters asking
>  President Obama some pointed questions about
>  the BATFE Fast and Furious scandal.
> ---
>   3 days until the 1934th anniversary of the destruction of Pompeii





Re: RP_MATCHES_RCVD letting in SPAM

2013-08-21 Thread John Hardin

On Wed, 21 Aug 2013, Joe Acquisto-j4 wrote:





>> Bear in mind, that will tell you whether those configuration files are
>> syntactically correct; that does not tell you anything about whether or
>> not those are the files the spamd daemon is using.
>>
>> Take a look at the script that starts spamd. It may have a hardcoded path
>> to the configuration directory.
>
> The /etc/init.d/spamd file has a hardcoded reference to that specific file.
> I'm pretty sure it is the one being read.

OK.

> However, I am not so certain others are not being read later.

There should be a reference to a directory, SA will read all the .cf files 
in that directory. Does it have a -C, --configpath or --siteconfigpath 
option defined with a directory?

> I find a lot of references, for example, to BAYES_99 in 
> /usr/share/spamassassin/blah.cf.  I certainly don't know if these would 
> override the setting in /etc/mail/spamassassin/local.cf.

Local settings should override standard settings, so no.

/usr/share/spamassassin is the base install directory. There is another 
directory that sa-update populates that is read after the base directory. 
Then the local configs are read. Last one read, wins.

"spamassassin --lint -D" should output all the directories being used; you 
can use the same command-line options given to spamd to configure 
"spamassassin --lint -D" the same way


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Yet another example of a Mexican doing a job Americans are
  unwilling to do.   -- Reno Sepulveda, on UniVision reporters asking
President Obama some pointed questions about
the BATFE Fast and Furious scandal.
---
 3 days until the 1934th anniversary of the destruction of Pompeii
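
Added example, not part of the original thread or of SpamAssassin itself: a small Python tracer for the "last one read, wins" order described in the message above, showing what happens when the daemon's directory list omits the site directory. It assumes the .cf files in each directory are read in sorted name order and ignores include and conditional blocks; the directory names, file names and score values in demo() are constructed.

```python
import os
import tempfile


def cf_files(directory):
    """.cf files of one config directory, sorted by name (assumed read order)."""
    if not os.path.isdir(directory):
        return []
    return [os.path.join(directory, name)
            for name in sorted(os.listdir(directory)) if name.endswith(".cf")]


def parse_score_line(line, rule):
    """Return (values, relative) if `line` is a score line for `rule`, else None."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 3 or tokens[0] != "score" or tokens[1] != rule:
        return None
    raw = tokens[2:]
    try:
        values = [float(t.strip("()")) for t in raw]
    except ValueError:
        return None
    if len(values) == 1:
        values = values * 4          # one value applies to all four score sets
    if len(values) != 4:
        return None
    # Parenthesised values are adjustments relative to the score already set.
    relative = any(t.startswith("(") for t in raw)
    return values, relative


def trace_score(rule, directories):
    """Every place `rule` is scored, in read order, with the running result."""
    current, trace = None, []
    for directory in directories:
        for path in cf_files(directory):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    parsed = parse_score_line(line, rule)
                    if parsed is None:
                        continue
                    values, relative = parsed
                    if relative and current is not None:
                        current = [c + v for c, v in zip(current, values)]
                    else:
                        current = values
                    trace.append((path, lineno, list(current)))
    return trace


def effective_score(rule, directories):
    """The last setting read wins; None if the rule is never scored."""
    trace = trace_score(rule, directories)
    return trace[-1] if trace else None


def demo():
    """Constructed base/updates/site layout, evaluated with and without 'site'."""
    with tempfile.TemporaryDirectory() as root:
        layout = {  # constructed sample files and values
            "base/50_scores.cf": "score RP_MATCHES_RCVD -0.001 -1.5 -0.001 -1.5\n",
            "updates/72_scores.cf": "score RP_MATCHES_RCVD -2.8  # constructed\n",
            "site/local.cf": "score RP_MATCHES_RCVD 0\n",
        }
        for rel, text in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        dirs = [os.path.join(root, d) for d in ("base", "updates", "site")]
        with_site = effective_score("RP_MATCHES_RCVD", dirs)
        # Same rule, but the process was pointed at a list without the site dir.
        without_site = effective_score("RP_MATCHES_RCVD", dirs[:2])
        return {
            "with_site": (os.path.basename(with_site[0]), with_site[2]),
            "without_site": (os.path.basename(without_site[0]), without_site[2]),
        }


if __name__ == "__main__":
    for label, (source, scores) in demo().items():
        print(label, source, scores)
```

Run against the real directories, pass them in the order the debug output of the daemon's own command line reports them, not the order a shell run happens to use.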


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-21 Thread Joe Acquisto-j4

> 
> Bear in mind, that will tell you whether those configuration files are 
> syntactically correct; that does not tell you anything about whether or 
> not those are the files the spamd daemon is using.
> 
> Take a look at the script that starts spamd. It may have a hardcoded path 
> to the configuration directory.
> 
> -- 
>   John Hardin KA7OHZ    http://www.impsec.org/~jhardin/ 

The /etc/init.d/spamd file has a hardcoded reference to that specific file.  
I'm pretty sure  it is the one being read.   

However, I am not so certain others are not being read later.

I find a lot of references, for example, to BAYES_99 in 
/usr/share/spamassassin/blah.cf.  I certainly don't know if these would 
override the setting in /etc/mail/spamassassin/local.cf.

joe a.



Re: RP_MATCHES_RCVD letting in SPAM

2013-08-20 Thread John Hardin

On Tue, 20 Aug 2013, Joe Acquisto-j4 wrote:


> On 8/20/2013 at 5:00 AM, Matus UHLAR - fantomas  wrote:
>> what happens when you pipe a mail into "spamassassin -D"?
>
> Never tried it.
>
>> What does "spamassassin --lint" produce?
>
> Quite a lot.   You want me to post the entire output?


Bear in mind, that will tell you whether those configuration files are 
syntactically correct; that does not tell you anything about whether or 
not those are the files the spamd daemon is using.


Take a look at the script that starts spamd. It may have a hardcoded path 
to the configuration directory.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  We are hell-bent and determined to allocate the talent, the
  resources, the money, the innovation to absolutely become a
  powerhouse in the ad business.   -- Microsoft CEO Steve Ballmer
  ...because allocating talent to securing Windows isn't profitable?
---
 4 days until the 1934th anniversary of the destruction of Pompeii


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-20 Thread Joe Acquisto-j4

>>> What does "spamassassin --lint" produce?
>>
>>Quite a lot.   You want me to post the entire output?
> 
> here it produces nothing. Maybe there's really a syntax error in your
> configuration files?
> -- 

Oh, sorry, it produces nothing here as well.  I was thinking (not!) of  
spamassassin -D --lint > file 2>&1,
which is quite verbose.   But has not led me to a solution.   It may be trying 
to . . . 

joe a.




Re: RP_MATCHES_RCVD letting in SPAM

2013-08-20 Thread Matus UHLAR - fantomas

> On 8/20/2013 at 5:00 AM, Matus UHLAR - fantomas  wrote:
>> On 19.08.13 18:23, Joe Acquisto-j4 wrote:
>>> So, I have this in my /etc/mail/spamassassin/local.cf:
>>
>> is that the same as /etc/spamassassin/local.cf?

On 20.08.13 08:05, Joe Acquisto-j4 wrote:
> Don't have one of those.
>
> /etc/mail/spamassassin is where bayes_db, sa-update-keys and the assorted .pre
> files are.

OK, I just wasn't sure if you changed the correct file.

>>> score RP_MATCHES_RCVD 0
>>>
>>> Yet, even after restart of spamd, mail comes thru with a -2.8.
>>>
>>> What should I look at?

maybe any other file in /etc/mail/spamassassin?

>>> I know other stuff is read as I changed trusted and local network IP's and
>>> had a typo in one.  lint called me out on it.
>>
>> what happens when you pipe a mail into "spamassassin -D"?
>
> Never tried it.
>
>> What does "spamassassin --lint" produce?
>
> Quite a lot.   You want me to post the entire output?

here it produces nothing. Maybe there's really a syntax error in your
configuration files?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-20 Thread Joe Acquisto-j4
>>> On 8/20/2013 at 5:00 AM, Matus UHLAR - fantomas  wrote:
> On 19.08.13 18:23, Joe Acquisto-j4 wrote:
>>So, I have this in my /etc/mail/spamassassin/local.cf:
> 
> is that the same as /etc/spamassassin/local.cf?

Don't have one of those.  

/etc/mail/spamassassin is where bayes_db, sa-update-keys and the assorted .pre 
files 
are.

>>score RP_MATCHES_RCVD 0
>>
>>Yet, even after restart of spamd, mail comes thru with a -2.8.
>>
>>What should I look at?
>>
>>I know other stuff is read as I changed trusted and local network IP's and 
> had a typo in one.  lint called me out on it.
> 
> what happens when you pipe a mail into "spamassassin -D"?

Never tried it.

> What does "spamassassin --lint" produce?

Quite a lot.   You want me to post the entire output?

joe a.



> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ 
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I wonder how much deeper the ocean would be without sponges. 




Re: RP_MATCHES_RCVD letting in SPAM

2013-08-20 Thread Matus UHLAR - fantomas

On 19.08.13 18:23, Joe Acquisto-j4 wrote:
> So, I have this in my /etc/mail/spamassassin/local.cf:

is that the same as /etc/spamassassin/local.cf?

> score RP_MATCHES_RCVD 0
>
> Yet, even after restart of spamd, mail comes thru with a -2.8.
>
> What should I look at?
>
> I know other stuff is read as I changed trusted and local network IP's and had 
> a typo in one.  lint called me out on it.

what happens when you pipe a mail into "spamassassin -D"?
What does "spamassassin --lint" produce?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges. 


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-19 Thread Joe Acquisto-j4
>>> On 8/19/2013 at 6:54 PM, John Hardin  wrote:
> On Mon, 19 Aug 2013, Joe Acquisto-j4 wrote:
> 
>> So, I have this in my /etc/mail/spamassassin/local.cf:
>>
>> score RP_MATCHES_RCVD 0
>>
>> Yet, even after restart of spamd, mail comes thru with a -2.8.
> 
> I assume you mean by that, RP_MATCHES_RCVD is still hitting and scoring 
> points?

You assume correctly, Sir.

> 
>> What should I look at?
> 
> Silly question: are you using Amavis?

No. ISP is, tho.

> Are you sure that spamd is using that configuration file?

I thought so, as I put in the PW_IS_BAD_TLD rule someone on list provided,
but now I see it is scoring 3.0, while I have it set to 4.0 in the config I 
think
it is using.

Has PW_IS_BAD_TLD been incorporated in to the base rule set?  

I guess I need to dig in and refresh myself on where the config file to use
is defined.

joe a.

>> I know other stuff is read as I changed trusted and local network IP's 
>> and had a typo in one.  lint called me out on it.
> 
> The command-line SA environment is not necessarily the same environment as 
> the daemon uses.
> 
> -- 
>   John Hardin KA7OHZ    http://www.impsec.org/~jhardin/ 
>   jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org 
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>Windows Genuine Advantage (WGA) means that now you use your
>computer at the sufferance of Microsoft Corporation. They can
>kill it remotely without your consent at any time for any reason;
>it also shuts down in sympathy when the servers at Microsoft crash.
> ---
>   5 days until the 1934th anniversary of the destruction of Pompeii





Re: RP_MATCHES_RCVD letting in SPAM

2013-08-19 Thread John Hardin

On Mon, 19 Aug 2013, Joe Acquisto-j4 wrote:


> So, I have this in my /etc/mail/spamassassin/local.cf:
>
> score RP_MATCHES_RCVD 0
>
> Yet, even after restart of spamd, mail comes thru with a -2.8.

I assume you mean by that, RP_MATCHES_RCVD is still hitting and scoring 
points?

> What should I look at?

Silly question: are you using Amavis?

Are you sure that spamd is using that configuration file?

> I know other stuff is read as I changed trusted and local network IP's 
> and had a typo in one.  lint called me out on it.

The command-line SA environment is not necessarily the same environment as 
the daemon uses.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Windows Genuine Advantage (WGA) means that now you use your
  computer at the sufferance of Microsoft Corporation. They can
  kill it remotely without your consent at any time for any reason;
  it also shuts down in sympathy when the servers at Microsoft crash.
---
 5 days until the 1934th anniversary of the destruction of Pompeii


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-19 Thread Joe Acquisto-j4
So, I have this in my /etc/mail/spamassassin/local.cf:

score RP_MATCHES_RCVD 0

Yet, even after restart of spamd, mail comes thru with a -2.8.

What should I look at?

I know other stuff is read as I changed trusted and local network IP's and had 
a typo in one.  lint called me out on it.  

joe a.



Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread Quanah Gibson-Mount

--On Thursday, August 15, 2013 10:07 PM +0200 Benny Pedersen wrote:


> Quanah Gibson-Mount wrote on 2013-08-15 21:25:
>
>> Hm, that won't catch our other BR spam though. :(
>
>> List-Unsubscribe:
>
> unsubscribe ?
>
> if recipient was not opt-in then block sender domain with mta rule, don't
> accept "opt-out" !


Thanks Benny, I will just blacklist them.

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread Matus UHLAR - fantomas

> Matus UHLAR - fantomas wrote on 2013-08-15 22:33:
>
>> score RP_MATCHES_RCVD 0
>
> hard scoring
>
>> there is __RP_MATCHES_RCVD that has to be used in metas. I don't see any
>> point in giving positive score to mail just because it's not any kind of
>> forged...

On 15.08.13 22:41, Benny Pedersen wrote:
> __foo have no scores, no point in setting it, well if rules give 
> negative scores for spam it would make sense to add (softblacklist) 
> that rule until it's detected as spam, or create another rule so it 
> works specific to the spam
>
> with hard scoring one loses corpus scoring from apache.org :)


I have said it already: There's no point in decreasing score just because
the sender domain is the same as the mail server.  That's why I set
RP_MATCHES_RCVD to 0 so it will not hit.

If anyone wants to use this in meta rules, we have __RP_MATCHES_RCVD (with
default score of 0) for such usage.

Since RP_MATCHES_RCVD has score of 0, it won't hit any metas since it's
disabled by setting the score to 0.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread Benny Pedersen

Matus UHLAR - fantomas wrote on 2013-08-15 22:33:

> score RP_MATCHES_RCVD 0

hard scoring

> there is __RP_MATCHES_RCVD that has to be used in metas. I don't see any
> point in giving positive score to mail just because it's not any kind of
> forged...

__foo have no scores, no point in setting it, well if rules give 
negative scores for spam it would make sense to add (softblacklist) that 
rule until it's detected as spam, or create another rule so it works 
specific to the spam

with hard scoring one loses corpus scoring from apache.org :)


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread Matus UHLAR - fantomas

On 15.08.13 12:05, Quanah Gibson-Mount wrote:
> Some of our users are getting a ton of SPAM from .br domains.  If it 
> weren't for RP_MATCHES_RCVD they would actually end up in their junk 
> folder rather than their Inbox.  Is there a general suggested 
> adjustment I can make to catch these without tweaking RP_MATCHES_RCVD?

I have

score RP_MATCHES_RCVD 0

in /etc/mail/local.cf

there is __RP_MATCHES_RCVD that has to be used in metas. I don't see any
point in giving positive score to mail just because it's not any kind of
forged... 


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread Benny Pedersen

Quanah Gibson-Mount wrote on 2013-08-15 21:25:

> Hm, that won't catch our other BR spam though. :(

> List-Unsubscribe:

unsubscribe ?

if recipient was not opt-in then block sender domain with mta rule, 
don't accept "opt-out" !


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread Benny Pedersen

John Hardin wrote on 2013-08-15 21:41:

> the score noticeably. It's intended to be used in metas with other
> rules that make a mention of a large amount of money suspicious.

also why i used soft blacklists, i have not seen the real problem yet, 
but imho anyone can soft score adjust if needed, or even make more 
specific rules to detect spams locally, i loosed to check if the mails 
was really from a maillist with "opt-out" problematic, only the 
recipient can tell


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread John Hardin

On Thu, 15 Aug 2013, Benny Pedersen wrote:


> meta LOTS_OF_MONEY (3) (3) (3) (3)


I *do not recommend* doing that. There is a lot of legitimate email that 
mentions large monetary amounts (e.g. a newsletter discussing the US 
budget deficit). That rule's score is informational on purpose, so that 
the description will appear in the rule hits without affecting the score 
noticeably. It's intended to be used in metas with other rules that make a 
mention of a large amount of money suspicious.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim IX: Never turn your back on an enemy.
---
 Today: the 68th anniversary of the end of World War II


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread Quanah Gibson-Mount
--On Thursday, August 15, 2013 12:21 PM -0700 Quanah Gibson-Mount wrote:

> --On Thursday, August 15, 2013 9:16 PM +0200 Benny Pedersen <> wrote:
>
>> Quanah Gibson-Mount wrote on 2013-08-15 21:05:
>>
>>> Some of our users are getting a ton of SPAM from .br domains.  If it
>>> weren't for RP_MATCHES_RCVD they would actually end up in their junk
>>> folder rather than their Inbox.  Is there a general suggested
>>> adjustment I can make to catch these without tweaking RP_MATCHES_RCVD?
>>
>> meta LOTS_OF_MONEY (3) (3) (3) (3)
>> meta RP_MATCHES_RCVD (1) (1) (1) (1)
>
> Perfect, thanks!


Hm, that won't catch our other BR spam though. :(

Return-Path: reto...@registraclique.com.br
Received: from edge01-zcs.vmware.com (LHLO edge01-zcs.vmware.com)
(10.113.208.51) by mbs03-zcs.vmware.com with LMTP; Thu, 15 Aug 2013
11:15:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by edge01-zcs.vmware.com (Postfix) with ESMTP id CB83A1968;
Thu, 15 Aug 2013 11:15:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge01-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.833
X-Spam-Level: **
X-Spam-Status: No, score=2.833 tagged_above=-10 required=3
tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, HTML_IMAGE_RATIO_04=0.556,
HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.344, T_DKIM_INVALID=0.01,
T_KHOP_FOREIGN_CLICK=0.01] autolearn=no
Authentication-Results: edge01-zcs.vmware.com (amavisd-new); dkim=neutral
reason="invalid (public key: not available)"
header.d=registraclique.com.br
Received: from edge01-zcs.vmware.com ([127.0.0.1])
by localhost (edge01-zcs.vmware.com [127.0.0.1]) (amavisd-new, port 
10024)
with ESMTP id Qup1pMAcaDgg; Thu, 15 Aug 2013 11:15:53 -0700 (PDT)
Received: from registraclique.com.br (s175.registraclique.com.br 
[141.105.64.175])

by edge01-zcs.vmware.com (Postfix) with ESMTPS id 90F8A1940
for ; Thu, 15 Aug 2013 11:15:52 -0700 (PDT)
Received: by registraclique.com.br (Postfix, from userid 0)
id 2BAEB8860B8; Thu, 15 Aug 2013 10:22:21 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=registraclique.com.br; s=default; t=1376590475;
bh=nUoQ44WhTVHL4zF0mcmuHnMTLjLNO1sgscswqFRg/0g=;
h=To:Subject:Date:From:Reply-To:List-Unsubscribe;
b=ovlYK4eRDyhcbVMwLbd+TqVjdXO2pwQyko4Kc0FKjdan2k8tz9uO6y2633kIBG+fb
 NJLigYccPUTrD/2B6MYTgWzXulw8pQtVbXSKnuzXAq0pZmwx5a+jXiVJOWH8gsW1e7
 FW+Qaxu0aIrmfOkPLOzGHALhLkg8JIxWLiAbe/lE=
To: xx...@zimbra.com
Subject: Fale Ilimitado Com Todo O Brasil Por R$19,90!
Message-ID: <350297cb0672e79fdb9aa53472cca...@www.registraclique.com.br>
Date: Thu, 15 Aug 2013 09:16:29 -0400
From: "=?UTF-8?B?Q2xhcm8gRmFsZSDDoCBWb250YWRl?=" 


Reply-To: cont...@registraclique.com.br
MIME-Version: 1.0
X-Mailer-LID: 11
List-Unsubscribe: 


X-Mailer-RecptId: 1531174
X-Mailer-SID: 72
X-Mailer-Sent-By: 1
Content-Type: multipart/alternative; charset="UTF-8"; 
boundary="b1_bb3d14c03992adb6a28e84dfa3fb4b7d"

Content-Transfer-Encoding: 8bit

--b1_bb3d14c03992adb6a28e84dfa3fb4b7d
Content-Type: text/plain; format=flowed; charset="UTF-8"
Content-Transfer-Encoding: 8bit

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration
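
Added example, not part of the original message: parsing the X-Spam-Status header quoted above to find which single rule hit, if scored 0, would move the message across the required threshold. The header text is copied from the post with its folding whitespace restored; the function names are illustrative.

```python
import re

# X-Spam-Status as posted above (amavisd-new format), continuation lines re-indented.
HEADER = (
    "X-Spam-Status: No, score=2.833 tagged_above=-10 required=3\n"
    " tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, HTML_IMAGE_RATIO_04=0.556,\n"
    " HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.344, T_DKIM_INVALID=0.01,\n"
    " T_KHOP_FOREIGN_CLICK=0.01] autolearn=no\n"
)


def parse_spam_status(header):
    """Return (reported score, required threshold, {rule: points})."""
    # Unfold continuation lines before matching across them.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    score = float(re.search(r"\bscore=(-?[\d.]+)", unfolded).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", unfolded).group(1))
    tests_raw = re.search(r"tests=\[([^\]]*)\]", unfolded).group(1)
    tests = {}
    for item in tests_raw.split(","):
        name, _, value = item.strip().partition("=")
        if name:
            tests[name] = float(value)
    return score, required, tests


def verdict_flippers(header):
    """Rules whose removal alone would change the spam/ham verdict.

    Returns (recomputed total, is_spam, {rule: score without that rule}).
    """
    _reported, required, tests = parse_spam_status(header)
    total = sum(tests.values())
    is_spam = total >= required
    flips = {}
    for name, value in tests.items():
        without = round(total - value, 3)
        if (without >= required) != is_spam:
            flips[name] = without
    return round(total, 3), is_spam, flips


if __name__ == "__main__":
    total, is_spam, flips = verdict_flippers(HEADER)
    print("total", total, "spam" if is_spam else "ham")
    for rule, without in flips.items():
        print("without", rule, "->", without)
```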


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread Quanah Gibson-Mount

--On Thursday, August 15, 2013 9:16 PM +0200 Benny Pedersen <> wrote:


> Quanah Gibson-Mount wrote on 2013-08-15 21:05:
>
>> Some of our users are getting a ton of SPAM from .br domains.  If it
>> weren't for RP_MATCHES_RCVD they would actually end up in their junk
>> folder rather than their Inbox.  Is there a general suggested
>> adjustment I can make to catch these without tweaking RP_MATCHES_RCVD?
>
> meta LOTS_OF_MONEY (3) (3) (3) (3)
> meta RP_MATCHES_RCVD (1) (1) (1) (1)


Perfect, thanks!

--Quanah


--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: RP_MATCHES_RCVD letting in SPAM

2013-08-15 Thread Benny Pedersen

Quanah Gibson-Mount wrote on 2013-08-15 21:05:

> Some of our users are getting a ton of SPAM from .br domains.  If it
> weren't for RP_MATCHES_RCVD they would actually end up in their junk
> folder rather than their Inbox.  Is there a general suggested
> adjustment I can make to catch these without tweaking RP_MATCHES_RCVD?


meta LOTS_OF_MONEY (3) (3) (3) (3)
meta RP_MATCHES_RCVD (1) (1) (1) (1)


Re: RP_MATCHES_RCVD

2011-07-28 Thread darxus
On 07/28, John Hardin wrote:
> On Thu, 28 Jul 2011, Daniel McDonald wrote:
> >I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the
> >Invaluement rbls.  Invaluement primarily targets snowshoe spammers.

> http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail
> 
> Care to drop a few thousand of those into your corpus? :)

As John is kind of pointing out here, the spamassassin score generation
system is capable of handling this kind of problem automatically, if more
of you participate in masschecks:
http://wiki.apache.org/spamassassin/NightlyMassCheck

-- 
Immorality: "The morality of those who are having a better time"
- Henry Louis Mencken
http://www.ChaosReigns.com


Re: RP_MATCHES_RCVD

2011-07-28 Thread Daniel McDonald

On 7/28/11 11:47 AM, "John Hardin"  wrote:

> On Thu, 28 Jul 2011, Daniel McDonald wrote:
> 
>> I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the
>> Invaluement rbls.  Invaluement primarily targets snowshoe spammers.
>> 
>> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
>> 41618
>> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
>> 55033
>> 
>> So I have also changed the score to 0.01
> 
> Dan, your last masscheck only had 6 spam hits for that rule...
> 
> http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail
> 

That's my home mail, not $DAYJOB...

> Care to drop a few thousand of those into your corpus? :)

I might be able to figure out a way to extract them from quarantine.  But
they haven't been hand-checked.  I've got 33,084 of them that hit
RP_MATCHES_RCVD and an Invaluement list that are in this week's quarantine.

I'll see what I can do...


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281



Re: RP_MATCHES_RCVD

2011-07-28 Thread John Hardin

On Thu, 28 Jul 2011, Daniel McDonald wrote:


> I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the
> Invaluement rbls.  Invaluement primarily targets snowshoe spammers.
>
> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
> 41618
> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
> 55033
>
> So I have also changed the score to 0.01


Dan, your last masscheck only had 6 spam hits for that rule...

http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail

Care to drop a few thousand of those into your corpus? :)

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  One difference between a liberal and a pickpocket is that if you
  demand your money back from a pickpocket he will not question your
  motives.  -- William Rusher
---
 8 days until the 276th anniversary of John Peter Zenger's acquittal


Re: RP_MATCHES_RCVD

2011-07-28 Thread Benny Pedersen

On Thu, 28 Jul 2011 15:28:37 +0100, RW wrote:

> There seems to be a consensus that SPF and DKIM passes aren't worth
> significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when
> it's just a circumstantial version of what SPF does explicitly.
>
> For me it's hitting more spam than ham, and what's worse, it's mostly
> hitting low-scoring freemail spam. Is it just me that's seeing this, or
> is there maybe some kind of bias in the test corpora?


add in local.cf:

score RP_MATCHES_RCVD (1.1)

if that solves the problem, make a bug


Re: RP_MATCHES_RCVD

2011-07-28 Thread Daniel McDonald



On 7/28/11 9:48 AM, "Mike Grau"  wrote:

> On 07/28/2011 09:28 AM the voices made RW write:
>> There seems to be a consensus that SPF and DKIM passes aren't worth
>> significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when
>> it's just a circumstantial version of what SPF does explicitly.
>> 
>> For me it's hitting more spam than ham, and what's worse, it's mostly
>> hitting low-scoring freemail spam. Is it just me that's seeing this, or
>> is there maybe some kind of bias in the test corpora?
>> 
>> 
> 
> +1
> 
> RP_MATCHES_RCVD hits tons of (snowshoe?) spam here. Different senders
> different IPs, but often the same /16 or /24 networks. I had some local
> meta rules that used T_RP_MATCHES_RCVD, but evidently the name was
> changed to RP_MATCHES_RCVD and the spam started flying in.
> 

I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the
Invaluement rbls.  Invaluement primarily targets snowshoe spammers.

$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
41618
$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
55033

So I have also changed the score to 0.01

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281





Re: RP_MATCHES_RCVD

2011-07-28 Thread Mike Grau

On 07/28/2011 09:28 AM the voices made RW write:

> There seems to be a consensus that SPF and DKIM passes aren't worth
> significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when
> it's just a circumstantial version of what SPF does explicitly.
>
> For me it's hitting more spam than ham, and what's worse, it's mostly
> hitting low-scoring freemail spam. Is it just me that's seeing this, or
> is there maybe some kind of bias in the test corpora?




+1

RP_MATCHES_RCVD hits tons of (snowshoe?) spam here. Different senders 
different IPs, but often the same /16 or /24 networks. I had some local 
meta rules that used T_RP_MATCHES_RCVD, but evidently the name was 
changed to RP_MATCHES_RCVD and the spam started flying in.




Re: RP_MATCHES_RCVD

2011-07-28 Thread Ned Slider

On 28/07/11 15:28, RW wrote:

> There seems to be a consensus that SPF and DKIM passes aren't worth
> significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when
> it's just a circumstantial version of what SPF does explicitly.
>
> For me it's hitting more spam than ham, and what's worse, it's mostly
> hitting low-scoring freemail spam. Is it just me that's seeing this, or
> is there maybe some kind of bias in the test corpora?






Yes, I've noticed this too recently and had knocked the score down to 
0.001 for information only about a week ago. I've found it hitting on 
spam and didn't find it useful on ham (i.e, I don't generally suffer 
from ham being mis-classified as spam).