Re: Whitelist or add negative values for score

2022-12-24 Thread Matus UHLAR - fantomas

On 23.12.22 21:24, Joey J wrote:

This is the best I can grab header wise, Names/IP's have changed here to
protect privacy.
Know the following:
The sender's real server (1.2.3.4), (1.2.3.4 is the SPF match) sends the
mail to the gateway, and the gateway blocked it as shown.
Yes, legit going to paypal.



Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: 
client=Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: 
message-id=
Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01: from=, 
size=673334, nrcpt=1 (queue active)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from 
Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 
commands=7
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail 
message-id=#012
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus 
detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA score=3/5 
time=4.186 bayes=0.00 autolearn=no autolearn_force=no 
hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)


sender address is sen...@customer.com and SPF passed (SPF_PASS), so:

welcomelist_auth sen...@customer.com 
or

welcomelist_from_spf sen...@customer.com

should both allow this sender.
I assume the sen...@customer.com is also in the From: address.

welcomelist_from_dkim sen...@customer.com
will NOT work, because there's no valid DKIM signature.



On 21.12.22 15:48, Joey J wrote:
>Thank you for pointing me in the better direction.
>Since not many people are typing these types of email, I could do the one
>off rule and it would be manageable.
>But in better seeing the welcomelist_from_spf option, I think this will be
>my first try.


On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas  
wrote:
welcomelist_auth does the same as welcomelist_from_spf and 
welcomelist_from_dkim both.


Note that SPF is related to envelope from address and if it's different 
from header From:, it won't help you much.


You haven't provided example of mail (headers) we are talking about.
Without it, we can only guess what your problem really is and what the
solution should be.


>On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:
>> The other thing that should be done for j...@company.com is that
>> company.com should sign their mail with DKIM, and then you can
>>
>>   welcomelist_from_dkim *@company.com
>>
>> I find that many companies I deal with that produce semi-spammy mail
>> (most big companies :-) have DKIM signatures and I can welcomelist on
>> that, without welcomelisting forgeries.
>>
>> You can of course use _rcvd for the IP address.  DKIM is just nicer if
>> you can get them to do it.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
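As an added example (not code from any poster in this thread), the following Python parses the `hits=` field of the pmg-smtp-filter log line quoted above, recomputes the total from the individual rule scores, applies a local `score RULE value` override of the kind suggested elsewhere in the thread, and reports from the hits alone which authentication-based welcomelist directives could possibly match. The log line is constructed from the one quoted above; rule names come from it.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed from the pmg-smtp-filter log line quoted in the thread
# (the poster had already replaced names and IPs).
SAMPLE_LOG_LINE = (
    "Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: "
    "SA score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no "
    "hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),"
    "BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),"
    "HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),"
    "SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),"
    "URIBL_BLOCKED(0.001)"
)

# One "RULENAME(score)" entry inside the comma-separated hits= field.
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\(([-+]?\d+(?:\.\d+)?)\)")


def parse_hits(log_line: str) -> Dict[str, float]:
    """Return {rule_name: score} from the hits= field of a pmg-smtp-filter line."""
    m = re.search(r"\bhits=(\S+)", log_line)
    if m is None:
        raise ValueError("log line has no hits= field")
    return {name: float(score) for name, score in HIT_RE.findall(m.group(1))}


def parse_score(log_line: str) -> Tuple[float, float]:
    """Return (reported score, required score) from the 'SA score=3/5' field."""
    m = re.search(r"\bscore=(-?[\d.]+)/(-?[\d.]+)", log_line)
    if m is None:
        raise ValueError("log line has no score=X/Y field")
    return float(m.group(1)), float(m.group(2))


def total_score(hits: Dict[str, float],
                overrides: Optional[Dict[str, float]] = None) -> float:
    """Sum the rule scores, substituting a local 'score RULE value' override
    where one is given (what such a line in local.cf or user_prefs does).
    Rounded to 3 decimals, the precision SpamAssassin itself reports."""
    overrides = overrides or {}
    return round(sum(overrides.get(name, score) for name, score in hits.items()), 3)


def auth_welcomelist_candidates(hits: Dict[str, float]) -> Dict[str, bool]:
    """Which authentication-based welcomelist directives could match this mail,
    judged from its rule hits alone.  SPF_PASS / DKIM_VALID are necessary, not
    sufficient: the listed address must also match the header From: address."""
    spf_pass = "SPF_PASS" in hits
    dkim_valid = "DKIM_VALID" in hits   # DKIM_SIGNED + DKIM_INVALID: signed but broken
    return {
        "welcomelist_from_spf": spf_pass,
        "welcomelist_from_dkim": dkim_valid,
        "welcomelist_auth": spf_pass or dkim_valid,
    }


def triage(log_line: str,
           overrides: Optional[Dict[str, float]] = None) -> Dict[str, object]:
    """Summarise one log line: totals before/after overrides, auth options, top hits."""
    hits = parse_hits(log_line)
    reported, required = parse_score(log_line)
    return {
        "reported": reported,
        "required": required,
        "computed": total_score(hits),
        "after_overrides": total_score(hits, overrides),
        "auth": auth_welcomelist_candidates(hits),
        "top_hits": sorted(hits.items(), key=lambda kv: -kv[1])[:3],
    }


if __name__ == "__main__":
    # Per-recipient override of the kind suggested in the thread.
    result = triage(SAMPLE_LOG_LINE, overrides={"BIGNUM_EMAILS_MANY": -1.0})
    for key, value in result.items():
        print(f"{key}: {value}")
```

The computed total (3.353) is reported by the gateway as the integer 3; a -2 local nudge would bring it to 1.353, while a DKIM-only welcomelist could never match this message because its signature did not verify.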


Re: Whitelist or add negative values for score

2022-12-23 Thread Joey J
Hello All,

This is the best I can grab header wise, Names/IP's have changed here to
protect privacy.
Know the following:
The sender's real server (1.2.3.4), (1.2.3.4 is the SPF match) sends the
mail to the gateway, and the gateway blocked it as shown.
Yes, legit going to paypal.

Based on your response, will assist in making the best choice.

Thanks everyone!


Dec 19 19:39:42 mgw postfix/smtpd[1070732]: connect from
Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: Anonymous TLS connection
established from Sender.MailServer.com[1.2.3.4]: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA384 (256/256 bits)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: client=
Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: message-id=<
mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com
>
Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01:
from=, size=673334, nrcpt=1 (queue active)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from
Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1
quit=1 commands=7
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail
message-id=<
mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com
>#012
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus
detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA
score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no
hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: notify
 (rule: Block outgoing Spam, 342C580C8D)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: block
mail to  (rule: Block outgoing Spam)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D:
processing time: 5.04 seconds (4.186, 0.664, 0)
Dec 19 19:39:47 mgw postfix/lmtp[1070520]: 1270980A01: to=<
recipi...@paypal.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=5.2,
delays=0.06/0/0.05/5.1, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED
(A760963A1044E2E16D))
Dec 19 19:39:47 mgw postfix/qmgr[5368]: 1270980A01: removed




On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas 
wrote:

> On 21.12.22 15:48, Joey J wrote:
> >Thank you for pointing me in the better direction.
> >Since not many people are typing these types of email, I could do the one
> >off rule and it would be manageable.
> >But in better seeing the welcomelist_from_spf option, I think this will be
> >my first try.
>
> welcomelist_auth does the same as welcomelist_from_spf and
> welcomelist_from_dkim
> both.
>
> Note that SPF is related to envelope from address and if it's different
> from
> header From:, it won't help you much.
>
> You haven't provided example of mail (headers) we are talking about.
> Without it, we can only guess what your problem really is and what the
> solution should be.
>
>
> >On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:
> >> The other thing that should be done for j...@company.com is that
> >> company.com should sign their mail with DKIM, and then you can
> >>
> >>   welcomelist_from_dkim *@company.com
> >>
> >> I find that many companies I deal with that produce semi-spammy mail
> >> (most big companies :-) have DKIM signatures and I can welcomelist on
> >> that, without welcomelisting forgeries.
> >>
> >> You can of course use _rcvd for the IP address.  DKIM is just nicer if
> >> you can get them to do it.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> 2B|!2B, that's a question!
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-22 Thread John Hardin

On Wed, 21 Dec 2022, Joey J wrote:


But in better seeing the welcomelist_from_spf option, I think this will be
my first try.


If you are *really* worried about getting faked mail from that 
correspondent, you can do something like:


whitelist_from_spf  j...@company.com
blacklist_from  j...@company.com

I have a bunch of these sort of entries in my local config:

whitelist_auth  *@wellsfargo.com
blacklist_from  *@wellsfargo.com
whitelist_auth  *@*.wellsfargo.com
blacklist_from  *@*.wellsfargo.com
whitelist_auth  *@netflix.com
blacklist_from  *@netflix.com
whitelist_auth  *@*.netflix.com
blacklist_from  *@*.netflix.com

You may need to dial back the blacklist score a bit for it to work 
reliably:


score  USER_IN_BLACKLIST   85.000  # let whitelist override blacklist


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 3 days until Christmas


Re: Whitelist or add negative values for score

2022-12-21 Thread Matus UHLAR - fantomas

On 21.12.22 15:48, Joey J wrote:

Thank you for pointing me in the better direction.
Since not many people are typing these types of email, I could do the one
off rule and it would be manageable.
But in better seeing the welcomelist_from_spf option, I think this will be
my first try.


welcomelist_auth does the same as welcomelist_from_spf and welcomelist_from_dkim
both.

Note that SPF is related to envelope from address and if it's different from 
header From:, it won't help you much.


You haven't provided example of mail (headers) we are talking about.
Without it, we can only guess what your problem really is and what the 
solution should be.




On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:

The other thing that should be done for j...@company.com is that
company.com should sign their mail with DKIM, and then you can

  welcomelist_from_dkim *@company.com

I find that many companies I deal with that produce semi-spammy mail
(most big companies :-) have DKIM signatures and I can welcomelist on
that, without welcomelisting forgeries.

You can of course use _rcvd for the IP address.  DKIM is just nicer if
you can get them to do it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!


Re: Whitelist or add negative values for score

2022-12-21 Thread Joey J
Kris & Greg,

Thank you for pointing me in the better direction.
Since not many people are typing these types of email, I could do the one
off rule and it would be manageable.
But in better seeing the welcomelist_from_spf option, I think this will be
my first try.

I appreciate all of your points and it makes us all better evaluate what we
are doing and consider efficiency and effectiveness.

Thanks!!

On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:

> The other thing that should be done for j...@company.com is that
> company.com should sign their mail with DKIM, and then you can
>
>   welcomelist_from_dkim *@company.com
>
> I find that many companies I deal with that produce semi-spammy mail
> (most big companies :-) have DKIM signatures and I can welcomelist on
> that, without welcomelisting forgeries.
>
> You can of course use _rcvd for the IP address.  DKIM is just nicer if
> you can get them to do it.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-21 Thread Kris Deugau

Joey J wrote:

Thanks Everyone.
Within all of the responses, I will try to reply here.
1. The legit sender will talk about big numbers because of the real 
things he is involved with so big numbers is still a valid method to 
score, just not in this case.
2. The SPF record is set to fail on no match, however this does not 
automatically say, ok it's the approved source everything is ok, let 
them spam out, SA will still score content, and simply not score for bad 
SPF.
3. The goal is to say for user j...@company.com , 
if we can confirm the source is their mail server IP, then let's add some 
negative value, let's say -2, to allow messages that might be scored such 
as the above #1 because they are legit.


Unless there is something I'm missing, I'm not sure how to better 
explain it.
Yes, I can provide the full headers, but I thought the spam info was 
enough to provide the SA aspect of the scoring.


This is why I thought of the extra rule based on email address and IP 
combo, almost confirming it's legit, to add to the negative score.


If you really want to go down this road, and assign small or 
individualized scores for senders like this instead of just using 
welcomelist_from_(rcvd|dkim|spf) or welcomelist_auth, use something like 
this:


header __FROM_GOODGUY   From:addr =~ /^joe\@company\.com$/
header __RCVD_GOODGUY   X-Spam-Relays-External =~ /^\[ ip=1\.2\.3\.4 /
meta NOTSPAM_GOODGUY    __FROM_GOODGUY && __RCVD_GOODGUY
describe NOTSPAM_GOODGUY   Score nudge for j...@company.com
score NOTSPAM_GOODGUY   -2

Have a long read through "man Mail::SpamAssassin::Conf" to deconstruct 
those.


But that doesn't scale well to very many senders, where welcomelist_* 
seem to scale pretty well to at least low thousands of entries.  _spf 
and _dkim in particular also rely on other information published by the 
sender, so *you* don't have to keep manually updating your rules if 
their mail sending infrastructure changes.


I'd be more inclined to do some per-user score setting on the 
*recipient* account - i.e., whoever is receiving these can have a line 
added to ~/.spamassassin/user_prefs (or wherever you're storing SA 
userprefs) saying "score BIGNUM_EMAILS_MANY (-1)".


I'd also see if you can narrow down exactly what 
Phishing.Email.SpoofedDomain is hitting on, IME it's all too likely to 
fire on a certain class of legitimate mail and what you've described 
sounds like a prime place for FPs.  Calling ClamAV like this either 
requires a plugin or relies on ClamAV being called earlier, and leaving 
a header for SA to check.  You'll have to do a bit more digging to find 
out how it's configured.


Locally I started with the plugin on the wiki 
(https://cwiki.apache.org/confluence/display/SPAMASSASSIN/ClamAVPlugin) 
and extended it quite a bit.  I've just posted the current production 
version at http://deepnet.cx/~kdeugau/spamtools/clamav.pm.  I have that 
particular Clam hit scored at 1.5 due to the FP potential.


-kgd


Re: Whitelist or add negative values for score

2022-12-21 Thread Greg Troxel
The other thing that should be done for j...@company.com is that
company.com should sign their mail with DKIM, and then you can

  welcomelist_from_dkim *@company.com

I find that many companies I deal with that produce semi-spammy mail
(most big companies :-) have DKIM signatures and I can welcomelist on
that, without welcomelisting forgeries.

You can of course use _rcvd for the IP address.  DKIM is just nicer if
you can get them to do it.


Re: Whitelist or add negative values for score

2022-12-21 Thread Joey J
Thanks Everyone.
Within all of the responses, I will try to reply here.
1. The legit sender will talk about big numbers because of the real things
he is involved with so big numbers is still a valid method to score, just
not in this case.
2. The SPF record is set to fail on no match, however this does not
automatically say, ok it's the approved source everything is ok, let them
spam out, SA will still score content, and simply not score for bad SPF.
3. The goal is to say for user j...@company.com, if we can confirm the
source is their mail server IP, then let's add some negative value, let's say
-2, to allow messages that might be scored such as the above #1 because they
are legit.

Unless there is something I'm missing, I'm not sure how to better explain
it.
Yes, I can provide the full headers, but I thought the spam info was enough
to provide the SA aspect of the scoring.

This is why I thought of the extra rule based on email address and IP
combo, almost confirming it's legit, to add to the negative score.



On Wed, Dec 21, 2022 at 1:12 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-12-21 at 12:02:27 UTC-0500 (Wed, 21 Dec 2022 18:02:27 +0100)
> Matus UHLAR - fantomas 
> is rumored to have said:
> [...]>
> > On 21.12.22 11:19, Henrik K wrote:
> >> It will pass welcomelist_auth, since there is SPF_PASS, which you
> missed:
> >>
> >> SPF_PASS   -0.001 SPF: sender matches SPF record
> >
> > I understood KAM_DMARC_STATUS as failing SPF alignment.
>
>KAM_DMARC_STATUS  0.01  Test Rule for DKIM or SPF Failure with Strict
> Alignment
>
> Note that 'or' is not 'and' in that description. The message in question
> had a bad DKIM signature.
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-21 Thread Bill Cole
On 2022-12-21 at 12:02:27 UTC-0500 (Wed, 21 Dec 2022 18:02:27 +0100)
Matus UHLAR - fantomas 
is rumored to have said:
[...]>
> On 21.12.22 11:19, Henrik K wrote:
>> It will pass welcomelist_auth, since there is SPF_PASS, which you missed:
>>
>> SPF_PASS   -0.001 SPF: sender matches SPF record
>
> I understood KAM_DMARC_STATUS as failing SPF alignment.

   KAM_DMARC_STATUS  0.01  Test Rule for DKIM or SPF Failure with Strict 
Alignment

Note that 'or' is not 'and' in that description. The message in question had a 
bad DKIM signature.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Whitelist or add negative values for score

2022-12-21 Thread Dominic Raferd


On 20/12/2022 23:59, Joey J wrote:

Thanks to Bill and Matus for your responses.

Basically, the client is talking about real money transactions, 
airplanes, paypal etc, but he is a legit sender with these often 
flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 
times, there are more of the buzz words that SA looks at based on rules.


We can't whitelist j...@company.com because of course everyone 
pretending to be him will more than likely get whitelisted and you 
know the rest.
This is why I thought if user j...@company.com from ip 1.2.3.4 
condition would allow me to add some negative score to get over the 
total flagging it as spam.


You guys would know better than I as to which would be the best 
method, I like scoring it some and going to -100.


Within the reject to the user it had the following:

Spam detection results: 3

ClamAVHeuristics 3 ClamAV heuristic test: Phishing.Email.SpoofedDomain 
(clamav)


AWL -0.969 Adjusted score from AWL reputation of From: address

BAYES_00 -1.9 Bayes spam probability is 0 to 1%

BIGNUM_EMAILS_MANY  2.999 Lots of email addresses/leads, over and over

DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid

DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid

HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to 
background


HTML_MESSAGE 0.001 HTML included in message

KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict 
Alignment


SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record

SPF_PASS -0.001 SPF: sender matches SPF record

T_FILL_THIS_FORM_SHORT 0.01 Fill in a short form with personal information

URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was 
blocked.  See 
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block


My approach is like this:

describe LOCAL_WELCOMING_4 Pseudo-welcomelist (case-insensitive)
score LOCAL_WELCOMING_4 -4
header LOCAL_WELCOMING_4 From =~ /(fred\@bloggs\.com|\@jones\.com)>?\s*$/i

I have a few of these with different score reductions (4,6,8,10 etc) all 
held in /etc/spamassassin/local_welcoming.cf. If you end up with a lot 
of addresses to be 'welcomed' (as I do) you need some code to manage 
them, but the principle is simple enough: they act to reduce the score 
of any email where the 'From:' address matches the regex. They do not 
guarantee acceptance (the spam score is still calculated, only some 
amount (4 in the case above) is deducted, and they do not (in my case 
anyway) apply to virus-laden emails.
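As an added example (not code from Kris Deugau or Dominic Raferd), the following Python evaluates both local-rule shapes proposed in this thread against constructed messages: Kris's NOTSPAM_GOODGUY meta rule, which needs the From: address AND the first external relay IP to match, and Dominic's LOCAL_WELCOMING_4 regex, which looks at the From: header alone. The X-Spam-Relays-External strings are constructed in the `[ ip=... rdns=... ]` layout SpamAssassin uses; the forged-sender messages and the 198.51.100.7 address are made up for the demonstration.

```python
import re
from email.utils import parseaddr
from typing import Dict

# Kris Deugau's two-part nudge: From: address AND first external relay IP
# must both match before NOTSPAM_GOODGUY fires (the Perl '\@' escape is not
# needed in a Python pattern).
FROM_GOODGUY = re.compile(r"^joe@company\.com$")       # header __FROM_GOODGUY From:addr
RCVD_GOODGUY = re.compile(r"^\[ ip=1\.2\.3\.4 ")        # header __RCVD_GOODGUY X-Spam-Relays-External
NOTSPAM_GOODGUY_SCORE = -2.0

# Dominic Raferd's pseudo-welcomelist: the raw From: header alone decides.
LOCAL_WELCOMING_4 = re.compile(r"(fred@bloggs\.com|@jones\.com)>?\s*$", re.IGNORECASE)
LOCAL_WELCOMING_4_SCORE = -4.0


def relays_external(ip: str, rdns: str) -> str:
    """Build a constructed X-Spam-Relays-External pseudo-header for one relay.
    Only the leading 'ip=' field matters to RCVD_GOODGUY; the rest is filler
    in the layout SpamAssassin derives from the Received: chain."""
    return (f"[ ip={ip} rdns={rdns} helo={rdns} by=mgw ident= envfrom= "
            f"intl=0 id=CONSTRUCTED auth= msa=0 ]")


def evaluate_local_rules(headers: Dict[str, str]) -> Dict[str, float]:
    """Return {rule_name: score} for the local rules that fire on a message.
    `headers` carries the raw From: header and the X-Spam-Relays-External
    pseudo-header."""
    hits: Dict[str, float] = {}
    from_raw = headers.get("From", "")
    from_addr = parseaddr(from_raw)[1]        # 'From:addr' = address part only
    relays = headers.get("X-Spam-Relays-External", "")
    if FROM_GOODGUY.search(from_addr) and RCVD_GOODGUY.search(relays):
        hits["NOTSPAM_GOODGUY"] = NOTSPAM_GOODGUY_SCORE
    if LOCAL_WELCOMING_4.search(from_raw):
        hits["LOCAL_WELCOMING_4"] = LOCAL_WELCOMING_4_SCORE
    return hits


def score_after_local_rules(base_score: float, headers: Dict[str, str]) -> float:
    """Base score (e.g. the 3.353 total of the log line in the thread) plus nudges."""
    return round(base_score + sum(evaluate_local_rules(headers).values()), 3)


# Constructed test messages.  1.2.3.4 is the poster's anonymised sending IP;
# 198.51.100.7 is a documentation address standing in for 'anywhere else'.
LEGIT_JOE = {"From": "Joe <joe@company.com>",
             "X-Spam-Relays-External": relays_external("1.2.3.4", "sender.mailserver.com")}
FORGED_JOE = {"From": "Joe <joe@company.com>",
              "X-Spam-Relays-External": relays_external("198.51.100.7", "unknown.example")}
FRED_ELSEWHERE = {"From": "Fred Bloggs <fred@bloggs.com>",
                  "X-Spam-Relays-External": relays_external("198.51.100.7", "unknown.example")}


if __name__ == "__main__":
    for label, msg in (("legit joe", LEGIT_JOE), ("forged joe", FORGED_JOE),
                       ("fred from elsewhere", FRED_ELSEWHERE)):
        print(label, evaluate_local_rules(msg), score_after_local_rules(3.353, msg))
```

The From-only rule discounts the forged "fred" message exactly as it would a real one, which is the exposure the original poster was worried about; the From+IP conjunction does not fire for a forged "joe" sent from another host, and SPF/DKIM-based welcomelisting removes the need to track that IP by hand.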




Re: Whitelist or add negative values for score

2022-12-21 Thread Matus UHLAR - fantomas

> DKIM_INVALID  0.1 DKIM or DK signature exists, but is not valid
>
> DKIM_SIGNED   0.1 Message has a DKIM or DK signature, not
> necessarily valid
>
> HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
> background
>
> HTML_MESSAGE0.001 HTML included in message
>
> KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
> Alignment



On Wed, Dec 21, 2022 at 08:43:18AM +0100, Matus UHLAR - fantomas wrote:

this rule indicates that mail would NOT pass welcomelist_auth

If this is the mail you want then yes, you need welcomelist_from_rcvd, but
that's sender's fault.


On 21.12.22 11:19, Henrik K wrote:

It will pass welcomelist_auth, since there is SPF_PASS, which you missed:

SPF_PASS   -0.001 SPF: sender matches SPF record


I understood KAM_DMARC_STATUS as failing SPF alignment.

in such case From: is not the same as envelope From, so while SPF matches 
the envelope from, From: domain is different from the one that has to be 
listed in welcomelist_auth for it to work.


was I wrong?


We still miss example of original e-mail headers to decide better.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors


Re: Whitelist or add negative values for score

2022-12-21 Thread Henrik K
On Wed, Dec 21, 2022 at 08:43:18AM +0100, Matus UHLAR - fantomas wrote:
> > DKIM_INVALID  0.1 DKIM or DK signature exists, but is not valid
> > 
> > DKIM_SIGNED   0.1 Message has a DKIM or DK signature, not
> > necessarily valid
> > 
> > HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
> > background
> > 
> > HTML_MESSAGE0.001 HTML included in message
> > 
> > KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
> > Alignment
> 
> this rule indicates that mail would NOT pass welcomelist_auth
> 
> If this is the mail you want then yes, you need welcomelist_from_rcvd, but
> that's sender's fault.

It will pass welcomelist_auth, since there is SPF_PASS, which you missed:

SPF_PASS   -0.001 SPF: sender matches SPF record



Re: Whitelist or add negative values for score

2022-12-20 Thread Matus UHLAR - fantomas

On 20.12.22 18:59, Joey J wrote:

Basically, the client is talking about real money transactions, airplanes,
paypal etc, but he is a legit sender with these often flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 times,
there are more of the buzz words that SA looks at based on rules.

We can't whitelist j...@company.com because of course everyone pretending to
be him will more than likely get whitelisted and you know the rest.


You have misunderstood what welcomelist_auth means.

It means that the sender has to pass SPF or DKIM, which means that random 
people can NOT just send mail as j...@company.com.



Within the reject to the user it had the following:
Spam detection results:  3


was this the legitimate mail? If so, your sender has multiple problems.


ClamAVHeuristics 3 ClamAV heuristic test:
Phishing.Email.SpoofedDomain (clamav)


this is at least not nice, problematic I'd say.


AWL -0.969 Adjusted score from AWL reputation of From:
address

BAYES_00 -1.9 Bayes spam probability is 0 to 1%

BIGNUM_EMAILS_MANY  2.999 Lots of email addresses/leads, over and over


this is very common with spam.


DKIM_INVALID  0.1 DKIM or DK signature exists, but is not valid

DKIM_SIGNED   0.1 Message has a DKIM or DK signature, not
necessarily valid

HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
background

HTML_MESSAGE 0.001 HTML included in message

KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
Alignment


this rule indicates that mail would NOT pass welcomelist_auth 

If this is the mail you want then yes, you need welcomelist_from_rcvd, but 
that's sender's fault.



T_FILL_THIS_FORM_SHORT   0.01 Fill in a short form with personal information
URIBL_BLOCKED   0.001 ADMINISTRATOR NOTICE: The query to URIBL was
blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block


this usually means you need to configure your own DNS server and not use 
public google/cloudflare/quad9 or your ISP's DNS servers.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.


Re: Whitelist or add negative values for score

2022-12-20 Thread Loren Wilton
Personally I'd look at why BIGNUM_EMAILS_MANY is hitting and see if there is 
something the sender could do to avoid it. I'm pretty sure I've never seen that 
rule hit in any of my spam, so it must be something a bit unique.

Loren


Re: Whitelist or add negative values for score

2022-12-20 Thread Joey J
Thanks to Bill and Matus for your responses.

Basically, the client is talking about real money transactions, airplanes,
paypal etc, but he is a legit sender with these often flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 times,
there are more of the buzz words that SA looks at based on rules.

We can't whitelist j...@company.com because of course everyone pretending to
be him will more than likely get whitelisted and you know the rest.
This is why I thought if user j...@company.com from ip 1.2.3.4 condition
would allow me to add some negative score to get over the total flagging it
as spam.

You guys would know better than I as to which would be the best method, I
like scoring it some and going to -100.

Within the reject to the user it had the following:

Spam detection results:  3

ClamAVHeuristics 3 ClamAV heuristic test:
Phishing.Email.SpoofedDomain (clamav)

AWL -0.969 Adjusted score from AWL reputation of From:
address

BAYES_00 -1.9 Bayes spam probability is 0 to 1%

BIGNUM_EMAILS_MANY  2.999 Lots of email addresses/leads, over and over

DKIM_INVALID  0.1 DKIM or DK signature exists, but is not valid

DKIM_SIGNED   0.1 Message has a DKIM or DK signature, not
necessarily valid

HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
background

HTML_MESSAGE 0.001 HTML included in message

KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
Alignment

SPF_HELO_NONE   0.001 SPF: HELO does not publish an SPF Record

SPF_PASS   -0.001 SPF: sender matches SPF record

T_FILL_THIS_FORM_SHORT   0.01 Fill in a short form with personal information
URIBL_BLOCKED   0.001 ADMINISTRATOR NOTICE: The query to URIBL was
blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block



On Tue, Dec 20, 2022 at 6:14 AM Matus UHLAR - fantomas 
wrote:

> On 19.12.22 20:05, Joey J wrote:
> >I'm trying to see if there is a "best way" to provide negative scoring for
> >a certain persons email.
> >As an example if j...@company.com is communicating with paypal or other
> real
> >banking institutions, then at times within the email chain, SA will tag it
> >as spam.
>
> do you have an example?
>
> >I want to see if there is if email is from j...@company.com AND is from IP
> >address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> >those legitimate types of messages through.
>
> there are techniques like SPF and DKIM to authenticate e-mail.
> In such case you should be able to "welcomelist_auth j...@company.com"
> without
> providing outgoing mailserver IP
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-20 Thread Matus UHLAR - fantomas

On 19.12.22 20:05, Joey J wrote:

I'm trying to see if there is a "best way" to provide negative scoring for
a certain persons email.
As an example if j...@company.com is communicating with paypal or other real
banking institutions, then at times within the email chain, SA will tag it
as spam.


do you have an example?


I want to see if there is if email is from j...@company.com AND is from IP
address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
those legitimate types of messages through.


there are techniques like SPF and DKIM to authenticate e-mail.
In such case you should be able to "welcomelist_auth j...@company.com" without 
providing outgoing mailserver IP


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: Whitelist or add negative values for score

2022-12-19 Thread Bill Cole

On 2022-12-19 at 21:43:08 UTC-0500 (Mon, 19 Dec 2022 21:43:08 -0500)
Joey J 
is rumored to have said:


Thanks,
So welcomelist_from_rcvd j...@company.com [1.2.3.4]
Is saying if it's received from j...@company.com and the IP 
combination?

And then simply score it
 welcomelist_from_rcvd score -2
I will try that thank you!


No, there is no score line for a 'welcomelist_from_rcvd' directive.

The syntax for all of the welcomelist/blocklist directives is documented 
in Mail::SpamAssassin::Conf. You can see that with:


 perldoc Mail::SpamAssassin::Conf

In previous versions, these directives all used 'whitelist' and 
'blacklist' so if you are not running 3.4.6 or 4.0.0 those names will be 
in the docs.


The scores for the various wl/bl settings are controlled by a set of 
rules distributed and described in rules/60_welcomelist.cf. As Greg 
indicated, welcomelist_from_rcvd causes a hit on USER_IN_WELCOMELIST, 
which has a default score of -100. You can change that locally in your 
local.cf file, but it will change for ALL addresses you've used with 
welcomelist_from_rcvd or (not recommended) welcomelist_from. You can 
also use def_welcomelist_from_rcvd, which is used for the addresses in 
the "default" welcomelist which is part of the rules distribution. That 
is scored via USER_IN_DEF_WELCOMELIST, set at -15 in the distribution.


A better tool for this would be welcomelist_from_auth, which you can use 
if the sender's SPF authorizes the IP you see the mail from or if their 
mail is signed with DKIM.


The BEST solution would be to figure out specifically why the mail is 
sometimes being tagged as spam, and fix that.





On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:



Joey J  writes:

> I'm trying to see if there is a "best way" to provide negative scoring for
> a certain persons email.

That's easy.  There are many ways, but not best way.

> As an example if j...@company.com is communicating with paypal or other real
> banking institutions, then at times within the email chain, SA will tag it
> as spam.

It's really not clear what your issue is.

> I want to see if there is if email is from j...@company.com AND is from IP
> address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> those legitimate types of messages through.
> I couldn't find an example on how to accomplish this dual criteria check.
> Any assistance is appreciated.

welcomelist_from_rcvd   j...@company.com [1.2.3.4]

should work, but -100.  It would be nice if welcomelist_* could take a
score, but if you are sure you want *your* SA to not mark it as spam,
-100 is the way to spell that.




--
Thanks!
Joey



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Whitelist or add negative values for score

2022-12-19 Thread Joey J
Actually, what would be the format, in respect to header for that rule?
so
header welcomelist_from_rcvd   j...@company.com [1.2.3.4]

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:

>
> Joey J  writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring
> for
> > a certain persons email.
>
> That's easy.  There are many ways, but not best way.
>
> > As an example if j...@company.com is communicating with paypal or other
> real
> > banking institutions, then at times within the email chain, SA will tag
> it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if there is if email is from j...@company.com AND is from
> IP
> > address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example on how to accomplish this dual criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd   j...@company.com [1.2.3.4]
>
> should work, but -100.  It would be nice if welcomelist_* could take a
> score, but if you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-19 Thread Joey J
Thanks,
So welcomelist_from_rcvd j...@company.com [1.2.3.4]
Is saying if it's received from j...@company.com and the IP combination?
And then simply score it
 welcomelist_from_rcvd score -2
I will try that thank you!

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:

>
> Joey J  writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring
> for
> > a certain persons email.
>
> That's easy.  There are many ways, but not best way.
>
> > As an example if j...@company.com is communicating with paypal or other
> real
> > banking institutions, then at times within the email chain, SA will tag
> it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if there is if email is from j...@company.com AND is from
> IP
> > address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example on how to accomplish this dual criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd   j...@company.com [1.2.3.4]
>
> should work, but -100.  It would be nice if welcomelist_* could take a
> score, but if you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-19 Thread Greg Troxel

Joey J  writes:

> I'm trying to see if there is a "best way" to provide negative scoring for
> a certain persons email.

That's easy.  There are many ways, but not best way.

> As an example if j...@company.com is communicating with paypal or other real
> banking institutions, then at times within the email chain, SA will tag it
> as spam.

It's really not clear what your issue is.

> I want to see if there is if email is from j...@company.com AND is from IP
> address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> those legitimate types of messages through.
> I couldn't find an example on how to accomplish this dual criteria check.
> Any assistance is appreciated.

welcomelist_from_rcvd   j...@company.com [1.2.3.4]

should work, but -100.  It would be nice if welcomelist_* could take a
score, but if you are sure you want *your* SA to not mark it as spam,
-100 is the way to spell that.

