Re: Very strange SA result!

2015-12-04 Thread RW
On Fri, 04 Dec 2015 08:15:19 -0500
Kevin A. McGrail wrote:
> On December 3, 2015 3:19:04 PM EST, Jari Fredriksson 
> wrote:
> >
> >I was now trying to debug with spamassassin -D  to find out why SPF 
> >fails, but could not. It just works now, and I did not even restart 
> >spamd between...

But you didn't use spamd when you ran spamassassin -D.

> Perhaps a Received line is synthesized in your mail stream that
> differs from the end result?  

The IP address that failed has the rDNS eilopu.iki.fi, and the website
for iki.fi says it's a web and mail forwarding service - it's
certainly not a paypal IP address. I think it's probably a difference in
internal networks between spamd and spamassassin. 
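
The boundary RW is talking about is easy to see with a short walk over a Received: chain. This is an added example, not code from the thread or from SpamAssassin: it models how the "last external relay" is chosen, the host whose IP the SPF check (and the RP_MATCHES_RCVD handover check) is run against, once the hops inside the receiver's own boundary have been skipped. In SpamAssassin that boundary is drawn from trusted_networks and internal_networks (the latter defaults to the former when unset); the Received lines, 192.0.2.10 and mail.sender.example below are constructed, and only 212.16.98.57 is taken from the SPF_FAIL line in the report.

```python
import ipaddress
import re

# Constructed Received: chain, newest hop first, as it sits in a message.
# 212.16.98.57 is the relay the report's SPF_FAIL line names; 192.0.2.10 and
# mail.sender.example are placeholders for the originating MTA.
RECEIVED = [
    "from eilopu.iki.fi (eilopu.iki.fi [212.16.98.57]) "
    "by gamecock.fredriksson.dy.fi with ESMTP; Thu, 3 Dec 2015 15:07:00 +0200",
    "from mail.sender.example (mail.sender.example [192.0.2.10]) "
    "by eilopu.iki.fi with ESMTPS; Thu, 3 Dec 2015 15:06:58 +0200",
    "by mail.sender.example (Postfix, from userid 1000); "
    "Thu, 3 Dec 2015 15:06:57 +0200",
]

# Sending IP as MTAs write it: the bracketed address in the "from" clause.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ips(received):
    """Sending IP of each hop, newest first; None for hops without one
    (local submission lines such as 'by ... from userid ...')."""
    ips = []
    for line in received:
        match = IP_RE.search(line)
        ips.append(match.group(1) if match else None)
    return ips


def last_external_ip(received, boundary_networks):
    """Return the IP an SPF check should be run against: the first hop,
    walking from the newest Received: line, whose sender lies outside
    boundary_networks (the receiver's own and trusted relays).

    Hops inside the boundary are skipped because their Received: lines are
    believed, so the host that handed the message to them is the real
    sender. Returns None when every hop is inside the boundary.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in boundary_networks]
    for ip in hop_ips(received):
        if ip is None:
            continue  # no sender IP on this hop, nothing to classify
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            return ip
    return None


if __name__ == "__main__":
    # Same chain, two boundary settings, two different SPF targets.
    for label, nets in (("relay not listed", []),
                        ("relay listed", ["212.16.98.0/24"])):
        print(f"{label}: SPF checked against {last_external_ip(RECEIVED, nets)}")
```

With 212.16.98.57 outside the boundary it is the IP handed to SPF, which is what the SPF_FAIL line in the report shows; with it listed, the check moves back one hop to the originating MTA. Two daemons reading different network settings would therefore produce exactly the split RW suspects.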


Re: Very strange SA result!

2015-12-04 Thread Kevin A. McGrail
Perhaps a Received line is synthesized in your mail stream that differs from the 
end result?
Regards,
KAM

On December 3, 2015 3:19:04 PM EST, Jari Fredriksson  wrote:
>
>I was now trying to debug with spamassassin -D  to find out why SPF 
>fails, but could not. It just works now, and I did not even restart 
>spamd between...
>
>Some temporary hiccup? Ah well...
>
>Sorry for the noise.
>
>On 3.12.2015 16:07, Jari Fredriksson wrote:
>> KAM_PAYPAL1 rampant paypal phishing scams
>>
>> Aarghs!
>>
>> I found out a mail from paypal as follows:
>>
>> X-Spam-Status: Yes, score=7.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
>> DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
>> KAM_PAYPAL1,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,
>> RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,SPF_FAIL,T_FILL_THIS_FORM_SHORT,URG_BIZ,
>> URIBL_GREY,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no
>> version=3.4.1
>> X-Spam-Orig-To: 
>> X-Spam-Report:
>> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust
>> *  [96.47.30.215 listed in list.dnswl.org]
>> *  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
>> *  [URIs: ed4.net]
>> * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
>> *  [96.47.30.215 listed in wl.mailspike.net]
>> *  0.6 URG_BIZ BODY: Contains urgent matter
>> * -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list
>> * -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
>> *  0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
>> *  [SPF failed: Please see http://www.openspf.net/Why?s=mfrom;id=fdybuw6-6w2q86-ll1e2s-7aamagp-b95mhd-h-m2-20151203-1d62cdfd8632d%40emea.e.paypal.com;ip=212.16.98.57;r=gamecock.fredriksson.dy.fi]
>> * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>> *  [score: 0.]
>> *  1.0 HTML_MESSAGE BODY: HTML included in message
>> *  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to background
>> *  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
>> * -0.0 DKIM_VERIFIED No description available.
>> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>> *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
>> * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
>> *   16 KAM_PAYPAL1 rampant paypal phishing scams
>> *  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
>> X-Spam-Level: ***
>> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on gamecock.fredriksson.dy.fi
>
>-- 
>jarif.bit


Re: Very strange SA result!

2015-12-04 Thread Jari Fredriksson

On 4.12.2015 16:56, RW wrote:
> On Fri, 04 Dec 2015 08:15:19 -0500
> Kevin A. McGrail wrote:
>> On December 3, 2015 3:19:04 PM EST, Jari Fredriksson wrote:
>>> I was now trying to debug with spamassassin -D  to find out why SPF
>>> fails, but could not. It just works now, and I did not even restart
>>> spamd between...
>
> But you didn't use spamd when you ran spamassassin -D.
>
>> Perhaps a Received line is synthesized in your mail stream that
>> differs from the end result?
>
> The IP address that failed has the rDNS eilopu.iki.fi, and the website
> for iki.fi says it's a web and mail forwarding service - it's
> certainly not a paypal IP address. I think it's probably a difference
> in internal networks between spamd and spamassassin.



Those use the same configs, and I tried of course with spamc too, using 
the normal arguments, without restarting spamd. It just worked now.


eilopu.iki.fi is and has been in my trusted_networks for ages.

--
jarif.bit


Re: Very strange SA result!

2015-12-03 Thread Kevin A. McGrail

You are using KAM.cf which isn't a project ruleset.

Please report the issue and a spample at 
https://raptor.pccc.com/raptor.cgim?template=report_problem


We can likely look at it quickly and adjust.  However, the fact that SPF 
failed makes me lean towards the fact that the rule fired correctly...


Regards,
KAM

On 12/3/2015 9:07 AM, Jari Fredriksson wrote:


KAM_PAYPAL1 rampant paypal phishing scams

Aarghs!

I found out a mail from paypal as follows:

X-Spam-Status: Yes, score=7.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
KAM_PAYPAL1,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,
RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,SPF_FAIL,T_FILL_THIS_FORM_SHORT,URG_BIZ,
URIBL_GREY,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no
version=3.4.1
X-Spam-Orig-To: 
X-Spam-Report:
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust
*  [96.47.30.215 listed in list.dnswl.org]
*  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
*  [URIs: ed4.net]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
*  [96.47.30.215 listed in wl.mailspike.net]
*  0.6 URG_BIZ BODY: Contains urgent matter
* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list
* -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
*  0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
*  [SPF failed: Please see http://www.openspf.net/Why?s=mfrom;id=fdybuw6-6w2q86-ll1e2s-7aamagp-b95mhd-h-m2-20151203-1d62cdfd8632d%40emea.e.paypal.com;ip=212.16.98.57;r=gamecock.fredriksson.dy.fi]
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*  [score: 0.]
*  1.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to background
*  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
* -0.0 DKIM_VERIFIED No description available.
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
*   16 KAM_PAYPAL1 rampant paypal phishing scams
*  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on gamecock.fredriksson.dy.fi




--
*Kevin A. McGrail*
CEO

Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com 



Re: Very strange SA result!

2015-12-03 Thread Joe Quinn

On 12/3/2015 9:23 AM, Jari Fredriksson wrote:

On 3.12.2015 16.11, Kevin A. McGrail wrote:

You are using KAM.cf which isn't a project ruleset.

Please report the issue and a spample at
https://raptor.pccc.com/raptor.cgim?template=report_problem

We can likely look at it quickly and adjust.  However, the fact that SPF
failed makes me lean towards the fact that the rule fired correctly...

Regards,
KAM



There seems to be something in the SPF detection. SPF claims that 
paypal is not allowed (by their SPF record) to send mail via my email 
relay. That relay IS in my trusted_networks. What am I missing now?


br. jarif

Probably this bug, which we are still working out a good solution for:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7182

The SPF RFC has a "MUST" constraint on 10 lookups per SPF check, which 
Paypal has broken before. The reasoning given is resistance to denial of 
service attacks via DNS traffic, which makes it a tricky fix. We'll 
discuss the KAM.cf issue privately, and bring it back on-list in dev@ if 
it comes back to new information on this issue.
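
The limit Joe refers to is RFC 7208 section 4.6.4 (RFC 4408 carried the same number): include, a, mx, ptr, exists and redirect each cost one DNS query, ip4, ip6 and all cost none, and a checker that goes past 10 must stop and return permerror rather than keep querying. The counter below is an added example, not code from the thread or from SpamAssassin's SPF plugin; the zone data in DNS is constructed (example domains only) so it runs offline, and it leaves out the separate per-mechanism caps on mx and ptr answers.

```python
import re

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: DNS-querying terms MUST NOT exceed 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data standing in for DNS TXT answers; no network needed.
DNS = {
    "simple.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "small.example": "v=spf1 mx include:_spf.small.example ~all",
    "_spf.small.example": "v=spf1 a ip4:198.51.100.0/24 -all",
    "bloated.example": "v=spf1 include:p1.example include:p2.example "
                       "include:p3.example include:p4.example -all",
    "loop.example": "v=spf1 include:loop.example -all",
}
# Four providers, each costing three lookups of its own.
DNS.update({f"p{i}.example": "v=spf1 a mx ptr -all" for i in range(1, 5)})


class SpfPermError(Exception):
    """Raised where a real checker would return 'permerror'."""


def term_name(term):
    """Mechanism or modifier name, without qualifier, domain-spec or CIDR."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def term_target(term):
    """Domain that an include: or redirect= term points at."""
    return re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1)[1].split("/")[0]


def count_lookups(domain, dns, path=()):
    """Count DNS-querying terms reachable from domain's SPF record the way
    RFC 7208 does: each include/a/mx/ptr/exists/redirect costs one, and an
    include or redirect also adds everything inside the record it pulls in.
    Raises SpfPermError as soon as the budget is exceeded or a loop is hit."""
    if domain in path:
        raise SpfPermError(f"include/redirect loop via {domain}")
    record = dns.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record: result 'none', nothing to count
    total = 0
    for term in record.split()[1:]:
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and unknown modifiers cost nothing
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(term_target(term), dns, path + (domain,))
        if total > MAX_LOOKUPS:
            raise SpfPermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
    return total


def spf_lookup_status(domain, dns=DNS):
    """('ok', count) or ('permerror', reason) for the given sender domain."""
    try:
        return ("ok", count_lookups(domain, dns))
    except SpfPermError as exc:
        return ("permerror", str(exc))


if __name__ == "__main__":
    for name in ("simple.example", "small.example", "bloated.example", "loop.example"):
        print(name, spf_lookup_status(name))
```

A record like simple.example costs nothing at all; bloated.example trips the limit while walking its third include, before the fourth is ever fetched, which is the denial-of-service resistance Joe mentions: the checker stops issuing queries the moment the budget is gone, so a sender cannot use its own record to make every receiver fan out an unbounded number of DNS requests.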


Re: Very strange SA result!

2015-12-03 Thread Jari Fredriksson

On 3.12.2015 16.11, Kevin A. McGrail wrote:

You are using KAM.cf which isn't a project ruleset.

Please report the issue and a spample at
https://raptor.pccc.com/raptor.cgim?template=report_problem

We can likely look at it quickly and adjust.  However, the fact that SPF
failed makes me lean towards the fact that the rule fired correctly...

Regards,
KAM



There seems to be something in the SPF detection. SPF claims that paypal 
is not allowed (by their SPF record) to send mail via my email relay. 
That relay IS in my trusted_networks. What am I missing now?


br. jarif




On 12/3/2015 9:07 AM, Jari Fredriksson wrote:


KAM_PAYPAL1 rampant paypal phishing scams

Aarghs!

I found out a mail from paypal as follows:

X-Spam-Status: Yes, score=7.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
KAM_PAYPAL1,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,
RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,SPF_FAIL,T_FILL_THIS_FORM_SHORT,URG_BIZ,
URIBL_GREY,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no
version=3.4.1
X-Spam-Orig-To: 
X-Spam-Report:
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust
*  [96.47.30.215 listed in list.dnswl.org]
*  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
*  [URIs: ed4.net]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
*  [96.47.30.215 listed in wl.mailspike.net]
*  0.6 URG_BIZ BODY: Contains urgent matter
* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list
* -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
*  0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
*  [SPF failed: Please see http://www.openspf.net/Why?s=mfrom;id=fdybuw6-6w2q86-ll1e2s-7aamagp-b95mhd-h-m2-20151203-1d62cdfd8632d%40emea.e.paypal.com;ip=212.16.98.57;r=gamecock.fredriksson.dy.fi]
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*  [score: 0.]
*  1.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to background
*  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
* -0.0 DKIM_VERIFIED No description available.
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
*   16 KAM_PAYPAL1 rampant paypal phishing scams
*  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on gamecock.fredriksson.dy.fi







--
jarif.bit


Re: Very strange SA result!

2015-12-03 Thread Jari Fredriksson


I was now trying to debug with spamassassin -D  to find out why SPF 
fails, but could not. It just works now, and I did not even restart 
spamd between...


Some temporary hiccup? Ah well...

Sorry for the noise.

On 3.12.2015 16:07, Jari Fredriksson wrote:

KAM_PAYPAL1 rampant paypal phishing scams

Aarghs!

I found out a mail from paypal as follows:

X-Spam-Status: Yes, score=7.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
KAM_PAYPAL1,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,
RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,SPF_FAIL,T_FILL_THIS_FORM_SHORT,URG_BIZ,
URIBL_GREY,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no
version=3.4.1
X-Spam-Orig-To: 
X-Spam-Report:
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust
*  [96.47.30.215 listed in list.dnswl.org]
*  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
*  [URIs: ed4.net]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
*  [96.47.30.215 listed in wl.mailspike.net]
*  0.6 URG_BIZ BODY: Contains urgent matter
* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM white-list
* -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
*  0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
*  [SPF failed: Please see http://www.openspf.net/Why?s=mfrom;id=fdybuw6-6w2q86-ll1e2s-7aamagp-b95mhd-h-m2-20151203-1d62cdfd8632d%40emea.e.paypal.com;ip=212.16.98.57;r=gamecock.fredriksson.dy.fi]
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*  [score: 0.]
*  1.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to background
*  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
* -0.0 DKIM_VERIFIED No description available.
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
*   16 KAM_PAYPAL1 rampant paypal phishing scams
*  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on gamecock.fredriksson.dy.fi


--
jarif.bit


Re: Very strange SA result!

2015-12-03 Thread Bill Cole

On 3 Dec 2015, at 9:36, Joe Quinn wrote:


On 12/3/2015 9:23 AM, Jari Fredriksson wrote:

On 3.12.2015 16.11, Kevin A. McGrail wrote:

You are using KAM.cf which isn't a project ruleset.

Please report the issue and a spample at
https://raptor.pccc.com/raptor.cgim?template=report_problem

We can likely look at it quickly and adjust.  However, the fact that 
SPF
failed makes me lean towards the fact that the rule fired 
correctly...


Regards,
KAM



There seems to be something in the SPF detection. SPF claims that 
paypal is not allowed (by their SPF record) to send mail via my email 
relay. That relay IS in my trusted_networks. What am I missing now?


br. jarif

Probably this bug, which we are still working out a good solution for:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7182

The SPF RFC has a "MUST" constraint on 10 lookups per SPF check, which 
Paypal has broken before. The reasoning given is resistance to denial 
of service attacks via DNS traffic, which makes it a tricky fix. We'll 
discuss the KAM.cf issue privately, and bring it back on-list in dev@ 
if it comes back to new information on this issue.


Not in this case. Note that the URL in the SPF_FAIL line indicates 
emea.e.paypal.com as the sender domain. Not a complex record.