Re: Finance spam

2024-07-16 Thread Alex
> this whole range of 185.3.229.x is on my dns blacklist and everything on
> that is either rejected or marked. I can only suggest doing something
> similar ;)
>

Very helpful. Thanks for sharing.

> RCVD_IN_HOSTKARMA_W=-2.5
> change to -0.1

That does seem to be a bit heavy-handed.

> and lastly i unsubscribed you :=)

lol, thanks :-)


Re: Finance spam

2024-07-16 Thread Benny Pedersen

Alex wrote on 2024-07-16 15:00:

Hi all,

Does anyone have any further ideas on how to block "approved for
funding" spam?
https://pastebin.com/2rKiAEpt

This one is another namecheap domain registered from Reykjavik. I can
create body rules, but the language is very much in line with
legitimate lending companies. I've also added the phone to my phone
rules, but everyone knows they only last for a few days.

Other ideas greatly appreciated.


spf_helo_none add more positive score to it

RCVD_IN_HOSTKARMA_W=-2.5

change to -0.1

and lastly i unsubscribed you :=)


RE: Finance spam

2024-07-16 Thread Marc
this whole range of 185.3.229.x is on my dns blacklist and everything on that 
is either rejected or marked. I can only suggest doing something similar ;)



> 
> Does anyone have any further ideas on how to block "approved for funding"
> spam?
> https://pastebin.com/2rKiAEpt
> 
> 
> This one is another namecheap domain registered from Reykjavik. I can
> create body rules, but the language is very much in line with legitimate
> lending companies. I've also added the phone to my phone rules, but
> everyone knows they only last for a few days.
> 
> Other ideas greatly appreciated.



Finance spam

2024-07-16 Thread Alex
Hi all,

Does anyone have any further ideas on how to block "approved for funding"
spam?
https://pastebin.com/2rKiAEpt

This one is another namecheap domain registered from Reykjavik. I can
create body rules, but the language is very much in line with legitimate
lending companies. I've also added the phone to my phone rules, but
everyone knows they only last for a few days.

Other ideas greatly appreciated.


Re: How to report SPAM?

2024-05-29 Thread Frido Otten
They do if you're offering mail service to a large number of users. They 
log in to a phished mailbox, send new phishing mails to that mailbox and 
check the headers to see which rules are hit. Then they adapt 
the phishing mail to get a lower score until they are below the spam 
threshold. That's why I am writing my own rules with very generic names 
and descriptions.


On 27-05-2024 at 23:10 Thomas Barth via users wrote:
What can I do? With these SPAMS, I have the impression that the 
senders know exactly how to trick Spamassassin.




Re: How to report SPAM?

2024-05-28 Thread Matus UHLAR - fantomas

On 27.05.24 23:10, Thomas Barth via users wrote:
for months I have been waiting for the type of SPAM I receive to be 
captured by the DNS block lists. But nothing is happening. I have long 
since fed Spamassassin with these SPAMs. What else can I do? I have 
even activated HOSTKARMA-black/brown. Doesn't help either. Do I 
perhaps have to report the SPAM myself? Is this reporting still up to 
date 
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/Report+spam




The scoring of this type of SPAM is
X-Spam-Status: No, score=3.502 tagged_above=2 required=6.31
   tests=[BAYES_99=3.5, BAYES_999=0.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
   DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001,
   HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L3=0.001,
   SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no


From the score itself it's very hard to find out the issue.
Maybe you are blocked on DNS blocklist (perhaps you use public DNS 
servers)? Perhaps the spam came from hosts that are not blocked?


If you posted Received: headers (here or on e.g. pastebin), it could help us.


Here are the checks of a higher-rated SPAM mail. A lot more working checks 
available.


X-Spam-Status: Yes, score=15.037 tagged_above=2 required=6.31
   tests=[BAYES_20=-0.001, DMARC_MISSING=0.001, EXTRA_SCORE=1,
   FROM_SUSPICIOUS_NTLD=0.499, FROM_SUSPICIOUS_NTLD_FP=1.999,
   FSL_BULK_SIG=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.001,
   HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MISSING_MID=0.497,
   NORDNS_LOW_CONTRAST=0.001, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=0.922,
   RCVD_IN_HOSTKARMA_BL=2, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_ZBI=0.001,
   RCVD_IN_SBL_CSS=3.335, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2,
   SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TO_NO_BRKTS_NORDNS_HTML=0.001]
   autolearn=no autolearn_force=no


So, at least dnsbls work well for you.

What can I do? With these SPAMS, I have the impression that the 
senders know exactly how to trick Spamassassin.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.
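Reading a folded X-Spam-Status header by hand, as Matus does above to tell Thomas that his DNSBLs are working, is easier with a small parser that sums the tests, lists the heavy hitters and flags *_BLOCKED lookups. This is an added example, not code from SpamAssassin, amavisd or anyone on the list; the two headers it parses are the ones quoted on this page, embedded here as constructed samples.

```python
"""Parse a folded X-Spam-Status header (amavisd style) and show which
tests actually drove the score.  Added example for this thread; it is
not code from SpamAssassin, amavisd or anyone on the list."""
import re

# Constructed samples: the two headers quoted on this page, folded the
# way amavisd writes them (continuation lines begin with whitespace).
SAMPLE_STATUS = """X-Spam-Status: No, score=3.502 tagged_above=2 required=6.31
   tests=[BAYES_99=3.5, BAYES_999=0.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
   DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001,
   HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L3=0.001,
   SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no"""

GTUBE_STATUS = """X-Spam-Status: Yes, score=999.8 tag=2 tag2=6.31 kill=6.31
 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, GTUBE=1000,
 RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001]
 autolearn=no autolearn_force=no"""

TEST_RE = re.compile(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)")
MATERIAL = 0.01  # below this a test is informational only (the 0.001 scores)


def unfold(header: str) -> str:
    """Join RFC 5322 continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_spam_status(header: str) -> dict:
    """Return flag, score, spam threshold and the per-test scores."""
    line = unfold(header)
    m = re.match(r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)", line)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    # amavisd writes the spam threshold as required= or as tag2= (both
    # forms appear in the headers quoted on this page)
    thr = re.search(r"\b(?:required|tag2)=(-?[\d.]+)", line)
    tests_m = re.search(r"tests=\[(.*?)\]", line)
    tests = ({n: float(v) for n, v in TEST_RE.findall(tests_m.group(1))}
             if tests_m else {})
    return {
        "spam": m.group(1) == "Yes",
        "score": float(m.group(2)),
        "required": float(thr.group(1)) if thr else None,
        "tests": tests,
    }


def diagnose(status: dict) -> dict:
    """Summarise what drove the score, the way you would read it by hand."""
    tests = status["tests"]
    total = round(sum(tests.values()), 3)
    required = status["required"]
    return {
        # the per-test scores should add up to the reported score
        "sum_matches": abs(total - status["score"]) < 0.0005,
        # distance to the spam threshold (negative = already over it)
        "headroom": (round(required - status["score"], 3)
                     if required is not None else None),
        # biggest positive contributors first
        "top": sorted(((n, s) for n, s in tests.items() if s > 0),
                      key=lambda ns: -ns[1])[:5],
        # *_BLOCKED tests mean the list refused the query (typically a
        # public resolver over the list's rate limit); no hit is possible
        "blocked_lookups": sorted(n for n in tests if "BLOCKED" in n),
        # DNSBL/URIBL tests that actually carried weight
        "material_dnsbl": sorted(
            n for n, s in tests.items()
            if n.startswith(("RCVD_IN_", "URIBL_"))
            and "BLOCKED" not in n and s >= MATERIAL),
    }


if __name__ == "__main__":
    for hdr in (SAMPLE_STATUS, GTUBE_STATUS):
        st = parse_spam_status(hdr)
        d = diagnose(st)
        print(f"spam={st['spam']} score={st['score']} headroom={d['headroom']}")
        print("  top contributors:", d["top"])
        print("  blocked lookups: ", d["blocked_lookups"] or "none")
        print("  weighted DNSBL hits:", d["material_dnsbl"] or "none")
```

An empty `material_dnsbl` with a non-empty `blocked_lookups` is the pattern Matus describes: the DNSBL tests ran but were refused, so they could not contribute.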


RE: How to report SPAM?

2024-05-27 Thread Marc

> for months I have been waiting for the type of SPAM I receive to be
> captured by the DNS block lists. But nothing is happening. I have long
> since fed Spamassassin with these SPAMs. What else can I do?

put your spam score lower? I don't think you will get many false positives when 
you put it at 3

> I have even
> activated HOSTKARMA-black/brown. Doesn't help either. Do I perhaps have
> to report the SPAM myself? 

I started creating my own dns blacklists. I am flagging a lot as spam and users 
can individually unset this.




Fwd: Re: Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Benny Pedersen

oh dear, when does he stop?

 Original message 
Subject: Re: Rule: "1.0 R_DCD 90% of .com. is spam"
Date: 2024-05-10 20:17
From: "Reindl Harald (gmail)" 
To: Benny Pedersen 

On 10.05.24 at 20:14 Benny Pedersen wrote:

Matus UHLAR - fantomas wrote on 2024-05-10 18:46:

On 10.05.24 15:36, Rupert Gallagher wrote:
The ikea mail was received through ... 
mta-numbers.ikea.com.sparkpostmail.com and is a request for feedback.


The SA rule says ...

header R_DCD Received =~ /\.com\./

I still do not know where the rule comes from, DCD may actually mean 
dot-com-dot, and perhaps it is true that they are mostly spam.


where is the rule stored? what file?


On May 10, 2024, 17:18, Rupert Gallagher wrote:
I only have stock and KAM, and it is definitely not a custom rule of 
mine.


grep -r '\.com./' /var/lib/spamassassin/4.00/

seems some good dot.com rules everywhere


and what has this to do with the other idiot?
go and eat shit you dumb list spammer


Re: Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Benny Pedersen

Matus UHLAR - fantomas wrote on 2024-05-10 18:46:

On 10.05.24 15:36, Rupert Gallagher wrote:
The ikea mail was received through ... 
mta-numbers.ikea.com.sparkpostmail.com and is a request for feedback.


The SA rule says ...

header R_DCD Received =~ /\.com\./

I still do not know where the rule comes from, DCD may actually mean 
dot-com-dot, and perhaps it is true that they are mostly spam.


where is the rule stored? what file?


On May 10, 2024, 17:18, Rupert Gallagher wrote:
I only have stock and KAM, and it is definitely not a custom rule of 
mine.


grep -r '\.com./' /var/lib/spamassassin/4.00/

seems some good dot.com rules everywhere




Re: Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Bill Cole
On 2024-05-10 at 11:08:53 UTC-0400 (Fri, 10 May 2024 15:08:53 +)
Rupert Gallagher 
is rumored to have said:

> R_DCD

That string does not occur anywhere in the SpamAssassin distribution, neither 
in the code nor in the rules, *including* the rules that are not currently 
performing well enough to be in the active list.

If your system generated that hit, it is one of your own local rules. If it 
came from elsewhere, ask them.



-- 
Bill Cole


Re: Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Matus UHLAR - fantomas

On 10.05.24 15:36, Rupert Gallagher wrote:

The ikea mail was received through ... mta-numbers.ikea.com.sparkpostmail.com 
and is a request for feedback.

The SA rule says ...

header R_DCD Received =~ /\.com\./

I still do not know where the rule comes from, DCD may actually mean 
dot-com-dot, and perhaps it is true that they are mostly spam.


where is the rule stored? what file?


On May 10, 2024, 17:18, Rupert Gallagher wrote:

I only have stock and KAM, and it is definitely not a custom rule of mine.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
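Both questions in this thread, where the `header R_DCD Received =~ /\.com\./` rule is stored and why it fires on the ikea mail but not on other .com senders, can be worked through offline. This is an added example, not code from SpamAssassin, KAM or any list member; the rules tree it scans and the Received headers it tests are constructed, and the header-rule matcher is a deliberate simplification of SpamAssassin's own semantics.

```python
"""Find where a SpamAssassin rule such as R_DCD is defined and see what
its regex really matches.  Added example for this thread; not code from
SpamAssassin, KAM or any list member."""
import os
import re
import tempfile

# Lines that *define* a rule: "<type> NAME <definition>".  `describe` and
# `score` lines reference a rule but do not define it.
RULE_DEF_RE = re.compile(
    r"^\s*(header|body|rawbody|uri|full|meta)\s+(\S+)\s+(.*\S)\s*$")


def find_rule(name: str, roots) -> list:
    """Return (path, line_no, rule_type, definition) for each definition of
    `name` under the given directories.  Unlike `grep -r '\\.com./'` this
    reports only real rule definitions, not every '.com.' in a comment."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for fn in sorted(files):
                if not fn.endswith((".cf", ".pre")):
                    continue
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        m = RULE_DEF_RE.match(line)
                        if m and m.group(2) == name:
                            hits.append((path, no, m.group(1), m.group(3)))
    return hits


def header_rule_matches(definition: str, headers: dict) -> list:
    """Apply a `Header =~ /regex/flags` definition to a dict of header
    name -> list of values and return the matched substrings.
    Simplified: SpamAssassin's :addr/:name modifiers, 'ALL' and its
    handling of multiple Received lines are not reproduced here."""
    m = re.fullmatch(r"(\S+)\s*=~\s*/(.*)/([a-z]*)", definition)
    if not m:
        raise ValueError("unsupported header rule: " + definition)
    hdr, pattern, flags = m.groups()
    regex = re.compile(pattern, re.I if "i" in flags else 0)
    return [mm.group(0) for v in headers.get(hdr, [])
            for mm in [regex.search(v)] if mm]


# Constructed Received headers: an ESP relay whose host name embeds the
# customer's .com domain as a label, and a plain .com sender.
RECEIVED_VIA_ESP = ("from mta-numbers.ikea.com.sparkpostmail.com "
                    "(mta-numbers.ikea.com.sparkpostmail.com [192.0.2.10]) "
                    "by mx.example.net with ESMTPS")
RECEIVED_PLAIN = ("from mail.example.com (mail.example.com [192.0.2.20]) "
                  "by mx.example.net with ESMTPS")

R_DCD_DEF = r"Received =~ /\.com\./"


def demo_tree() -> str:
    """Write a constructed rules tree: one local file defining R_DCD and one
    stock-looking file that merely mentions '.com.' in a comment."""
    root = tempfile.mkdtemp(prefix="sa-rules-")
    with open(os.path.join(root, "local.cf"), "w") as fh:
        fh.write("header R_DCD " + R_DCD_DEF + "\n"
                 "describe R_DCD 90% of .com. is spam\n"
                 "score R_DCD 1.0\n")
    with open(os.path.join(root, "20_example.cf"), "w") as fh:
        fh.write("# plenty of .com. text here that grep would report\n"
                 "body EXAMPLE_RULE /example/\n")
    return root


if __name__ == "__main__":
    root = demo_tree()
    for path, no, kind, definition in find_rule("R_DCD", [root]):
        print(f"{path}:{no}: {kind} R_DCD {definition}")
        esp = header_rule_matches(definition, {"Received": [RECEIVED_VIA_ESP]})
        plain = header_rule_matches(definition, {"Received": [RECEIVED_PLAIN]})
        print("  ESP relay  ->", esp)     # ['.com.']: a .com label followed by more labels
        print("  plain .com ->", plain)   # []: '.com' at the end of a host name never matches
```

The regex only ever matches ".com" followed by another label, which is exactly the shape of ESP relay names, so the rule is a poor proxy for "90% of .com" and a good way to penalise legitimate bulk senders.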


Re: Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Rupert Gallagher
Ahhh

The ikea mail was received through ... mta-numbers.ikea.com.sparkpostmail.com 
and is a request for feedback.

The SA rule says ...

header R_DCD Received =~ /\.com\./

I still do not know where the rule comes from, DCD may actually mean 
dot-com-dot, and perhaps it is true that they are mostly spam.
 Original Message 
On May 10, 2024, 17:18, Rupert Gallagher wrote:

> I only have stock and KAM, and it is definitely not a custom rule of mine.
>
>  Original Message 
> On May 10, 2024, 17:11, Matus UHLAR - fantomas wrote:
>
>> On 10.05.24 15:08, Rupert Gallagher wrote:
>>> My local evidence does not support the general claim that 90% of .com is spam.
>>>
>>> I just received a mail from informat...@info.email.ikea.com marked as spam,
>>> with positive R_DCD. The rule did not trigger on mail from other .com addresses.
>>>
>>> I do not know what R_DCD means, and search indexes do not help. Short of
>>> reading the source code, does anybody know what R_DCD means?
>>
>> I have no idea. where did you get this rule from?
>> I don't see it in stock rules
>>
>> --
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>> There's a long-standing bug relating to the x86 architecture that
>> allows you to install Windows.   -- Matthew D. Fuller

Re: Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Rupert Gallagher
I only have stock and KAM, and it is definitely not a custom rule of mine.

 Original Message 
On May 10, 2024, 17:11, Matus UHLAR - fantomas wrote:

> On 10.05.24 15:08, Rupert Gallagher wrote:
>> My local evidence does not support the general claim that 90% of .com is spam.
>>
>> I just received a mail from informat...@info.email.ikea.com marked as spam,
>> with positive R_DCD. The rule did not trigger on mail from other .com addresses.
>>
>> I do not know what R_DCD means, and search indexes do not help. Short of
>> reading the source code, does anybody know what R_DCD means?
>
> I have no idea. where did you get this rule from?
> I don't see it in stock rules
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> There's a long-standing bug relating to the x86 architecture that
> allows you to install Windows.   -- Matthew D. Fuller

Re: Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Matus UHLAR - fantomas

On 10.05.24 15:08, Rupert Gallagher wrote:

My local evidence does not support the general claim that 90% of .com is spam.

I just received a mail from informat...@info.email.ikea.com marked as spam, 
with positive R_DCD. The rule did not trigger on mail from other .com addresses.

I do not know what R_DCD means, and search indexes do not help. Short of 
reading the source code, does anybody know what R_DCD means?


I have no idea. where did you get this rule from?
I don't see it in stock rules


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Rule: "1.0 R_DCD 90% of .com. is spam"

2024-05-10 Thread Rupert Gallagher
My local evidence does not support the general claim that 90% of .com is spam.

I just received a mail from informat...@info.email.ikea.com marked as spam, 
with positive R_DCD. The rule did not trigger on mail from other .com addresses.

I do not know what R_DCD means, and search indexes do not help. Short of 
reading the source code, does anybody know what R_DCD means?

Re: How to get the X-Spam-Flag

2024-05-04 Thread Matija Nalis
On Fri, May 03, 2024 at 08:22:09PM +0200, tba...@txbweb.de wrote:
> when I send a test spam message to my server it recognizes it as spam and
> puts it into /var/lib/amavis/virusmails as a gz file. In this file I can
> find the complete X-Spam-Header, etc:
> 
> But this header is missing in the passed mail. I use the standard settings
> of amavis
> 
> in /etc/amavis/conf.d/20-debian_defaults


Did you check @local_domains_acl in /etc/amavis/conf.d/05-domain_id ?

E.g. the part that talks about:

# amavisd-new needs to know which email domains are to be considered local
# to the administrative domain.  Only emails to "local" domains are subject
# to certain functionality, such as the addition of spam tags.


-- 
Opinions above are GNU-copylefted.


How to get the X-Spam-Flag

2024-05-03 Thread tbarth
System (fresh installation): Debian 12,5, Postfix, Dovecot, Amavis 
(Clamav, Spamassassin)


Hello,

when I send a test spam message to my server it recognizes it as spam 
and puts it into /var/lib/amavis/virusmails as a gz file. In this file I 
can find the complete X-Spam-Header, etc:


X-Envelope-To-Blocked:
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 999.8
X-Spam-Level: 


X-Spam-Status: Yes, score=999.8 tag=2 tag2=6.31 kill=6.31
 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, GTUBE=1000,
 RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001]
 autolearn=no autolearn_force=no


But this header is missing in the passed mail. I use the standard 
settings of amavis


in /etc/amavis/conf.d/20-debian_defaults
$final_virus_destiny  = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny = D_DISCARD;
$final_spam_destiny   = D_PASS;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)


I want to use a global sieve rule for the X-Spam-Flag = YES to get this 
mail into the Junk-folder of the recipient.


Why is the header missing in the passed mail ($final_spam_destiny = 
D_PASS) although it is saved with the header in the quarantine folder?




Re: How to find why a mail is SPAM DROPPED ?

2024-04-18 Thread Benny Pedersen

Pierluigi Frullani wrote on 2024-04-18 20:23:

It was simscan, that is compiled with enable-drop.


with is fine


The problem was a bad expression in blacklist_from section in local.cf
[1]


this is spam, not virus


Sorry for the noise.


if you like to reject all / drop all, why not pants ? :)

/me hides, but i believe simscan can reject virus, and pass / not drop 
spam if you configure it so




Re: How to find why a mail is SPAM DROPPED ?

2024-04-18 Thread Benny Pedersen

Pierluigi Frullani wrote on 2024-04-18 19:52:

So could it be simscan ?


super you wake up :)

configure it to pass spam, and reject virus

simscan is very old, btw




Re: How to find why a mail is SPAM DROPPED ?

2024-04-18 Thread Benny Pedersen

Pierluigi Frullani wrote on 2024-04-18 19:44:


 I'm really fighting with spamassassin as one ( legit ) mail get spam
dropped with a 99.90 value, also if I have put, in local.cf [1] a
required hit of 100.


why is 100 required score ?

spamassassin does only tag, it does not drop


The mail is sent from a legit gmail account ( my daughter ) to me and
contains some amazon links for stuff to buy.


ask your family to be nice :)


I have disabled bayes, just to be sure it was not the same as last
time ( corrupted database ) but still cannot get the mail in to
understand what's catching SA attention.


would be nice to see

spamc --full spam-results


Being dropped I cannot find the real motivations.
Any idea on how to get this mail through ?


spamassassin does not drop, ask your mailhoster why it's not delivered


Re: How to find why a mail is SPAM DROPPED ?

2024-04-18 Thread Pierluigi Frullani
It was simscan, that is compiled with enable-drop.
The problem was a bad expression in blacklist_from section in local.cf

Sorry for the noise.


Pierluigi

On Thu 18 Apr 2024 at 19:56 Reindl Harald (privat) <
ha...@rhsoft.net> wrote:

>
>
> On 18.04.24 at 19:52 Pierluigi Frullani wrote:
> > So could it be simscan ?
>
> god knows - if you don't know your mail-setup how should anybody else without
> providing information - spamassassin doesn't drop - it marks mails in the
> headers and whatever software does with it is up to that software
>
> read your logs and simplify your setup so you understand what it does
>
> > I'm using qmail with simscan for clamav and spamassassin.
> > Thanks !
> >
> > On Thu 18 Apr 2024 at 19:48 Reindl Harald (privat)
> > <ha...@rhsoft.net> wrote:
> >
> >
> >
> > On 18.04.24 at 19:44 Pierluigi Frullani wrote:
> >  > Hello all,
> >  >   I'm really fighting with spamassassin as one ( legit ) mail get
> > spam
> >  > dropped with a 99.90 value, also if I have put, in local.cf
> >  > a required hit of 100.
> >  > The mail is sent from a legit gmail account ( my daughter ) to me
> > and
> >  > contains some amazon links for stuff to buy.
> >  > I have disabled bayes, just to be sure it was not the same as
> > last time
> >  > ( corrupted database ) but still cannot get the mail in to
> > understand
> >  > what's catching SA attention.
> >  > Being dropped I cannot find the real motivations.
> >  > Any idea on how to get this mail through ?
> >
> > Spamassasin don't drop mails - it only marks
> > without the full headers nobody can tell anything
>


Re: How to find why a mail is SPAM DROPPED ?

2024-04-18 Thread Pierluigi Frullani
So could it be simscan ?

I'm using qmail with simscan for clamav and spamassassin.
Thanks !

On Thu 18 Apr 2024 at 19:48 Reindl Harald (privat) <
ha...@rhsoft.net> wrote:

>
>
> On 18.04.24 at 19:44 Pierluigi Frullani wrote:
> > Hello all,
> >   I'm really fighting with spamassassin as one ( legit ) mail get spam
> > dropped with a 99.90 value, also if I have put, in local.cf
> > a required hit of 100.
> > The mail is sent from a legit gmail account ( my daughter ) to me and
> > contains some amazon links for stuff to buy.
> > I have disabled bayes, just to be sure it was not the same as last time
> > ( corrupted database ) but still cannot get the mail in to understand
> > what's catching SA attention.
> > Being dropped I cannot find the real motivations.
> > Any idea on how to get this mail through ?
>
> Spamassasin don't drop mails - it only marks
> without the full headers nobody can tell anything
>


How to find why a mail is SPAM DROPPED ?

2024-04-18 Thread Pierluigi Frullani
Hello all,
 I'm really fighting with spamassassin as one ( legit ) mail get spam
dropped with a 99.90 value, also if I have put, in local.cf a required hit
of 100.
The mail is sent from a legit gmail account ( my daughter ) to me and
contains some amazon links for stuff to buy.
I have disabled bayes, just to be sure it was not the same as last time (
corrupted database ) but still cannot get the mail in to understand what's
catching SA attention.
Being dropped I cannot find the real motivations.
Any idea on how to get this mail through ?

TIA

Pierluigi


Re: problems with Plugin::ASN and spam

2024-04-12 Thread Darrell Budic


> On Apr 11, 2024, at 5:51 PM, Darrell Budic  wrote:
> 
> On Apr 11, 2024, at 3:30 PM, Bill Cole 
>  wrote:
>> 
>> On 2024-04-10 at 21:19:48 UTC-0400 (Wed, 10 Apr 2024 20:19:48 -0500)
>> Darrell Budic <bu...@onholyground.com>
>> is rumored to have said:
>> 
>>>> On Apr 10, 2024, at 2:52 PM, Benny Pedersen  wrote:
>>>> 
>>>> Darrell Budic wrote on 2024-04-10 19:48:
>>>> 
>>>>> Anything I’m missing?
>>>> 
>>>> using amavisd ?
>>>> 
>>>> then try this in amavisd.conf:
>>> 
>>> No, I'm using spamass-milter to send it over from postfix. Here’s my 
>>> spamass-milter config in case I missed something there (systemd running it 
>>> on alma 8 in this case):
>>> 
>>> EXTRA_FLAGS="-e onholyground.com -u defang -m -r 15 -i 127.0.0.1 -g sa-milt 
>>> -- --max-size=512 
>>> --dest=sa0.int.ohgnetworks.com,sa1.int.ohgnetworks.com --randomize"
>> 


Found it, even with the -m, spamass-milter only replaces a hardcoded set of 
X-Spam-* headers, not anything that comes back from spamd. With some more work, 
I was able to confirm that spamc/spamd were indeed including the headers where 
they were supposed to be.

Thanks for the help tracking it down, I’m going to reconsider my preference for 
milters here ;)

Re: problems with Plugin::ASN and spam

2024-04-11 Thread Darrell Budic
On Apr 11, 2024, at 3:30 PM, Bill Cole 
 wrote:
> 
> On 2024-04-10 at 21:19:48 UTC-0400 (Wed, 10 Apr 2024 20:19:48 -0500)
> Darrell Budic <bu...@onholyground.com>
> is rumored to have said:
> 
>>> On Apr 10, 2024, at 2:52 PM, Benny Pedersen  wrote:
>>> 
>>> Darrell Budic wrote on 2024-04-10 19:48:
>>> 
>>>> Anything I’m missing?
>>> 
>>> using amavisd ?
>>> 
>>> then try this in amavisd.conf:
>> 
>> No, I'm using spamass-milter to send it over from postfix. Here’s my 
>> spamass-milter config in case I missed something there (systemd running it 
>> on alma 8 in this case):
>> 
>> EXTRA_FLAGS="-e onholyground.com -u defang -m -r 15 -i 127.0.0.1 -g sa-milt 
>> -- --max-size=512 --dest=sa0.int.ohgnetworks.com,sa1.int.ohgnetworks.com 
>> --randomize"
> 
> That's intriguing because "-u defang" looks like cargo-cult spoor from an 
> installation running MIMEDefang. Does the user 'defang' have appropriate 
> configs?

It is indeed, leftover user stuff from before I migrated to postfix and 
spamass-milter with a database backend for SA prefs. It’s still a valid default 
user with appropriate configs, but the -e default domain takes precedence so I 
can have per domain SA policies. Users too, for that matter, but that’s handled 
by the sql setup.

>> Both sa0 & sa1 run the same spamassassin/spamd configurations, neither of 
>> them add the X-Spam-ASN headers. All other add_header entries work fine.
> 
> Validate that configs on both machines match. In this sort of setup, only the 
> SA config on the spamd hosts of the user spamd is run as makes any difference.

I push them using ansible, but yeah, a quick audit to double check confirms 
they are the same.



Re: problems with Plugin::ASN and spam

2024-04-11 Thread Bill Cole
On 2024-04-10 at 21:19:48 UTC-0400 (Wed, 10 Apr 2024 20:19:48 -0500)
Darrell Budic 
is rumored to have said:

>> On Apr 10, 2024, at 2:52 PM, Benny Pedersen  wrote:
>>
>> Darrell Budic wrote on 2024-04-10 19:48:
>>
>>> Anything I’m missing?
>>
>> using amavisd ?
>>
>> then try this in amavisd.conf:
>>
>>
>> @spam_scanners = (
>># ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'],
>>['SpamdClient', 'Amavis::SpamControl::SpamdClient']
>> );
>>
>> 1;  # insure a defined return value
>>
>> if this works, its amavisd missing to add that header spamassassin add in 
>> add-header
>>
>> dont enable both spam_scanners, just one of them, and with the last start 
>> spamd, as you have you already have this
>>
>> would be nice if its just that
>>
>
> No, I'm using spamass-milter to send it over from postfix. Here’s my 
> spamass-milter config in case I missed something there (systemd running it on 
> alma 8 in this case):
>
> EXTRA_FLAGS="-e onholyground.com -u defang -m -r 15 -i 127.0.0.1 -g sa-milt 
> -- --max-size=512 --dest=sa0.int.ohgnetworks.com,sa1.int.ohgnetworks.com 
> --randomize"

That's intriguing because "-u defang" looks like cargo-cult spoor from an 
installation running MIMEDefang. Does the user 'defang' have appropriate 
configs?

> Both sa0 & sa1 run the same spamassassin/spamd configurations, neither of 
> them add the X-Spam-ASN headers. All other add_header entries work fine.

Validate that configs on both machines match. In this sort of setup, only the 
SA config on the spamd hosts of the user spamd is run as makes any difference.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: problems with Plugin::ASN and spam

2024-04-10 Thread Darrell Budic



> On Apr 10, 2024, at 2:52 PM, Benny Pedersen  wrote:
> 
> Darrell Budic wrote on 2024-04-10 19:48:
> 
>> Anything I’m missing?
> 
> using amavisd ?
> 
> then try this in amavisd.conf:
> 
> 
> @spam_scanners = (
># ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'],
>['SpamdClient', 'Amavis::SpamControl::SpamdClient']
> );
> 
> 1;  # insure a defined return value
> 
> if this works, its amavisd missing to add that header spamassassin add in 
> add-header
> 
> dont enable both spam_scanners, just one of them, and with the last start 
> spamd, as you have you already have this
> 
> would be nice if its just that
> 

No, I'm using spamass-milter to send it over from postfix. Here’s my 
spamass-milter config in case I missed something there (systemd running it on 
alma 8 in this case):

EXTRA_FLAGS="-e onholyground.com -u defang -m -r 15 -i 127.0.0.1 -g sa-milt -- 
--max-size=512 --dest=sa0.int.ohgnetworks.com,sa1.int.ohgnetworks.com 
--randomize"

Both sa0 & sa1 run the same spamassassin/spamd configurations, neither of them 
add the X-Spam-ASN headers. All other add_header entries work fine.



Re: problems with Plugin::ASN and spam

2024-04-10 Thread Benny Pedersen

Darrell Budic wrote on 2024-04-10 19:48:


Anything I’m missing?


using amavisd ?

then try this in amavisd.conf:


@spam_scanners = (
# ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'],
['SpamdClient', 'Amavis::SpamControl::SpamdClient']
);

1;  # insure a defined return value

if this works, its amavisd missing to add that header spamassassin add 
in add-header


dont enable both spam_scanners, just one of them, and with the last 
start spamd, as you have you already have this


would be nice if its just that



Re: problems with Plugin::ASN and spam

2024-04-10 Thread Darrell Budic


> On Apr 10, 2024, at 1:30 PM, Bill Cole 
>  wrote:
> 
> On 2024-04-10 at 13:48:47 UTC-0400 (Wed, 10 Apr 2024 12:48:47 -0500)
> Darrell Budic <bu...@onholyground.com>
> is rumored to have said:
> 
>> Just checking in here that I’m not doing something wrong with the ASN plugin 
>> before I file a bug on this. SpamAssassin 4.0.1 installed from cpan on Alma 
>> 9.
>> 
>> I’ve got it configured to use the local maxmind db files, and those show up 
>> in logs. Testing in spamassassin itself show that it finds the ASN and 
>> includes it in the headers as expected. But when I let spamc/spamd process 
>> emails, the X-Spam-ASN headers do not appear. Enabling debug logging on 
>> spamd shows it does find the ASN properly, but doesn’t include the header. 
>> All my other add_header entries show up as expected.
> 
> This smells like a case of not using the config that you think you are.

I keep thinking that, but the default ruleset's 
/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf should also 
add headers, and isn’t.

>> Relevant config:
> 
> Says you... :)

Sure do :)

> When you run the spamassassin script from the command line, it loads your 
> user prefs from ~/.spamassassin/user_prefs and uses them. When you use spamc 
> to talk to spamd, which prefs are loaded depends on your configuration of 
> spamd, perhaps using only the global config, possibly using the config of the 
> user running spamd, and possibly (with configuration of spamd that allows it 
> to use per-user configs properly) that of arbitrary users per message.
> 
> Differences in how spamc/spamd and spamassassin on the command line behave 
> are almost always due to this.

It certainly appears to be reading the right files. From the same debug log 
snipped earlier:

Wed Apr 10 17:06:48 2024 [2246409] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::ASN from @INC
Wed Apr 10 17:06:50 2024 [2246409] dbg: plugin: 
Mail::SpamAssassin::Plugin::ASN=HASH(0x55c6b04063d8) implements 
'extract_metadata', priority 0
Wed Apr 10 17:06:48 2024 [2246409] dbg: config: read file 
/etc/mail/spamassassin/custom.cf
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: parsing file 
/etc/mail/spamassassin/custom.cf
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: using 
"/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf" for 
included file
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: read file 
/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: parsing file 
/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf

Wed Apr 10 17:07:09 2024 [2246418] dbg: check: tagrun - tag ASN is now ready, 
value: 11377 SENDGRID
Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: GeoDB lookup successful, skipping 
DNS lookup

The asn_prefix and add_header below are in /etc/mail/spamassassin/custom.cf.

>> report_safe 0
>> ifplugin Mail::SpamAssassin::Plugin::ASN
>> asn_prefix ''
>> asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_
>> add_header all ASN _ASN_ _ASNCIDR_
>> 
>> # IPv6 support (Bug 7211)
>> asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_
>> endif   # Mail::SpamAssassin::Plugin::ASN
>> 
>> From the spamd debug log:
>> 
>> Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: search found asn 
>> /usr/share/GeoIP/GeoLite2-ASN.mmdb
>> Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: loaded asn from 
>> /usr/share/GeoIP/GeoLite2-ASN.mmdb
>> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using GeoDB ASN for lookups
>> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using first external relay IP 
>> for lookups: 149.72.37.58
>> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: GeoDB found ASN 11377
>> 
>> There are no dbg: markup: entries for the ASN header.
>> 
>> Anything I’m missing?
> 
> Look at the debug channel for config and determine which config files are 
> actually being used by spamd and by spamassassin. (spamc knows nothing of SA 
> configs…)

Spamassassin reads the same ones.

[root@sa0 spamassassin]# /usr/local/bin/spamassassin -t -D < 
~telsin/testemail.eml 2>&1 | egrep -i 'asn'
Apr 10 19:18:24.185 [2249580] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::ASN from @INC
Apr 10 19:18:24.628 [2249580] dbg: config: fixed relative path: 
/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
Apr 10 19:18:24.628 [2249580] dbg: config: using 
"/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf" for 
included file
Apr 10 19:18:24.629 [2249580] dbg: config: read file 
/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
Apr 10 19:18:24.629 [2249580] dbg: config: parsing file 

Re: problems with Plugin::ASN and spam

2024-04-10 Thread Bill Cole
On 2024-04-10 at 13:48:47 UTC-0400 (Wed, 10 Apr 2024 12:48:47 -0500)
Darrell Budic 
is rumored to have said:

> Just checking in here that I’m not doing something wrong with the ASN plugin 
> before I file a bug on this. SpamAssassin 4.0.1 installed from cpan on Alma 9.
>
> I’ve got it configured to use the local maxmind db files, and those show up 
> in logs. Testing in spamassassin itself show that it finds the ASN and 
> includes it in the headers as expected. But when I let spamc/spamd process 
> emails, the X-Spam-ASN headers do not appear. Enabling debug logging on spamd 
> shows it does find the ASN properly, but doesn’t include the header. All my 
> other add_header entries show up as expected.

This smells like a case of not using the config that you think you are.

> Relevant config:

Says you... :)

When you run the spamassassin script from the command line, it loads your user 
prefs from ~/.spamassassin/user_prefs and uses them. When you use spamc to talk 
to spamd, which prefs are loaded depends on your configuration of spamd, 
perhaps using only the global config, possibly using the config of the user 
running spamd, and possibly (with configuration of spamd that allows it to use 
per-user configs properly) that of arbitrary users per message.

Differences in how spamc/spamd and spamassassin on the command line behave are 
almost always due to this.
> report_safe 0
> ifplugin Mail::SpamAssassin::Plugin::ASN
>  asn_prefix ''
>  asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_
>  add_header all ASN _ASN_ _ASNCIDR_
>
>  # IPv6 support (Bug 7211)
>  asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_
> endif   # Mail::SpamAssassin::Plugin::ASN
>
> From the spamd debug log:
>
> Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: search found asn 
> /usr/share/GeoIP/GeoLite2-ASN.mmdb
> Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: loaded asn from 
> /usr/share/GeoIP/GeoLite2-ASN.mmdb
> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using GeoDB ASN for lookups
> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using first external relay IP 
> for lookups: 149.72.37.58
> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: GeoDB found ASN 11377
>
> There are no dbg: markup: entries for the ASN header.
>
> Anything I’m missing?

Look at the debug channel for config and determine which config files are 
actually being used by spamd and by spamassassin. (spamc knows nothing of SA 
configs...)


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
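Bill's advice above, to compare which config files spamd and the command-line spamassassin actually read, can be checked mechanically by parsing the `dbg: config: read file` and `dbg: plugin: loading` records of the two debug logs. The script below is an added example, not code from this thread or from SpamAssassin; its two sample logs are constructed from the excerpts Darrell posted, with one constructed `user_prefs` line added to the command-line log, and `/home/telsin` is a placeholder path.

```python
"""Compare the config files and plugins two SpamAssassin debug logs report.

Added example (not from the thread or the SpamAssassin project). It
implements the check Bill Cole describes: capture the debug output of
`spamassassin -D config,plugin` and of `spamd -D`, then diff which
"config: read file" and "plugin: loading" records each one produced.
"""
import re
from typing import NamedTuple

# spamd stamps records "Wed Apr 10 17:06:48 2024 [pid]" while the command-line
# tool uses "Apr 10 19:18:24.185 [pid]"; anchoring on the "dbg:" marker makes
# the parser independent of the timestamp style.
READ_FILE_RE = re.compile(r"dbg: config: read file (\S+)")
PLUGIN_RE = re.compile(r"dbg: plugin: loading (\S+) from @INC")


class LoadedConfig(NamedTuple):
    files: frozenset    # config files reported by "read file" records
    plugins: frozenset  # plugin modules reported as loaded


def parse_debug_log(text: str) -> LoadedConfig:
    """Collect config files and plugins from one debug log.

    Long records are often wrapped by mail clients (as in the thread), so a
    physical line that does not start a new record is joined back onto the
    previous one before matching.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if " dbg: " in line or " info: " in line or " warn: " in line:
            records.append(line.rstrip())
        elif records:
            records[-1] += " " + line.strip()  # continuation of a wrapped record
    files, plugins = set(), set()
    for rec in records:
        m = READ_FILE_RE.search(rec)
        if m:
            files.add(m.group(1))
        m = PLUGIN_RE.search(rec)
        if m:
            plugins.add(m.group(1))
    return LoadedConfig(frozenset(files), frozenset(plugins))


def compare_logs(cli_log: str, spamd_log: str) -> dict:
    """Return what differs between the two runs; empty lists mean they agree."""
    cli = parse_debug_log(cli_log)
    spamd = parse_debug_log(spamd_log)
    return {
        "files_only_cli": sorted(cli.files - spamd.files),
        "files_only_spamd": sorted(spamd.files - cli.files),
        "plugins_only_cli": sorted(cli.plugins - spamd.plugins),
        "plugins_only_spamd": sorted(spamd.plugins - cli.plugins),
    }


# Constructed sample: the spamd excerpt from the thread.
SPAMD_LOG = """\
Wed Apr 10 17:06:48 2024 [2246409] dbg: plugin: loading
Mail::SpamAssassin::Plugin::ASN from @INC
Wed Apr 10 17:06:48 2024 [2246409] dbg: config: read file
/etc/mail/spamassassin/custom.cf
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: parsing file
/etc/mail/spamassassin/custom.cf
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: using
"/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf" for
included file
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: read file
/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
"""

# Constructed sample: the command-line excerpt from the thread (which was
# filtered with egrep 'asn', so custom.cf is absent) plus one constructed
# user_prefs record; /home/telsin is a placeholder path.
CLI_LOG = """\
Apr 10 19:18:24.185 [2249580] dbg: plugin: loading
Mail::SpamAssassin::Plugin::ASN from @INC
Apr 10 19:18:24.628 [2249580] dbg: config: fixed relative path:
/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
Apr 10 19:18:24.629 [2249580] dbg: config: read file
/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
Apr 10 19:18:24.640 [2249580] dbg: config: read file /home/telsin/.spamassassin/user_prefs
"""

if __name__ == "__main__":
    for key, value in compare_logs(CLI_LOG, SPAMD_LOG).items():
        print(f"{key}: {value}")
```

Feed it two unfiltered logs: a file that only the command-line run reads (typically `~/.spamassassin/user_prefs`) is the usual reason the two behave differently.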


problems with Plugin::ASN and spam

2024-04-10 Thread Darrell Budic
Just checking in here that I’m not doing something wrong with the ASN plugin 
before I file a bug on this. SpamAssassin 4.0.1 installed from cpan on Alma 9.

I’ve got it configured to use the local maxmind db files, and those show up in 
logs. Testing in spamassassin itself show that it finds the ASN and includes it 
in the headers as expected. But when I let spamc/spamd process emails, the 
X-Spam-ASN headers do not appear. Enabling debug logging on spamd shows it does 
find the ASN properly, but doesn’t include the header. All my other add_header 
entries show up as expected.

Relevant config:

report_safe 0
ifplugin Mail::SpamAssassin::Plugin::ASN
 asn_prefix ''
 asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_
 add_header all ASN _ASN_ _ASNCIDR_

 # IPv6 support (Bug 7211)
 asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_
endif   # Mail::SpamAssassin::Plugin::ASN

From the spamd debug log:

Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: search found asn 
/usr/share/GeoIP/GeoLite2-ASN.mmdb
Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: loaded asn from 
/usr/share/GeoIP/GeoLite2-ASN.mmdb
Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using GeoDB ASN for lookups
Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using first external relay IP for 
lookups: 149.72.37.58
Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: GeoDB found ASN 11377

There are no dbg: markup: entries for the ASN header.

Anything I’m missing?

Thanks!

  -Darrell

Re: Reporting Spam to csa-complai...@eco.de

2024-03-01 Thread John Levine
It appears that Kirk Ismay said:
>
>I've got a lot of finance / political spam that is passing through all 
>filters because it's DKIM signed and using an email provider 
>(salesforce.com & others).   One thing they do include is a 
>X-CSA-Complaints: csa-complai...@eco.de header, which looks legit.
>
>Has anyone had success with reporting mail to this address?  Does it get 
>results?

ECO is real and I've found it worthwhile to report spam to them.

R's,
John


Reporting Spam to csa-complai...@eco.de

2024-03-01 Thread Kirk Ismay
I've got a lot of finance / political spam that is passing through all 
filters because it's DKIM signed and using an email provider 
(salesforce.com & others).   One thing they do include is a 
X-CSA-Complaints: csa-complai...@eco.de header, which looks legit.


Has anyone had success with reporting mail to this address?  Does it get 
results?


Thanks in advance,

Kirk


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-19 Thread Dejan Doder
Please unsubscribe me from the list


On Mon, Feb 19, 2024 at 2:51 PM  wrote:

> >>If you do, it's anyway disabled on --lint.
> >
> > It does not matter what happens when you use --lint, because it skips
> > network checks, including DCC.
>
> Yes, that's what I said. It's disabled on --lint.
>
> >>spamassassin --prefs-file=/etc/spamassassin/local.cf -D 2> tmp.out <
> ~/test.eml
> >
> > I have already asked why you use --prefs-file.
> > You have not answered my question and simply deleted it.
>
> Because it's irrelevant.
>
> I use it because I choose to.
>


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-19 Thread glad . tent3766
>>If you do, it's anyway disabled on --lint.
>
> It does not matter what happens when you use --lint, because it skips 
> network checks, including DCC.

Yes, that's what I said. It's disabled on --lint.

>>spamassassin --prefs-file=/etc/spamassassin/local.cf -D 2> tmp.out < 
>>~/test.eml
>
> I have already asked why you use --prefs-file.
> You have not answered my question and simply deleted it.

Because it's irrelevant.

I use it because I choose to.


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-19 Thread Matus UHLAR - fantomas

>> and these indicate DCC is available.
>>
>> I have "loadplugin Mail::SpamAssassin::Plugin::DCC" in
>> /etc/spamassassin/v310.pre
>>
>> - try uncommenting it there.

On 19.02.24 08:17, glad.tent3...@fastmail.com wrote:
> If you do, it's anyway disabled on --lint.

It does not matter what happens when you use --lint, because it skips 
network checks, including DCC.

> spamassassin --prefs-file=/etc/spamassassin/local.cf -D 2> tmp.out < ~/test.eml

I have already asked why you use --prefs-file.
You have not answered my question and simply deleted it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-19 Thread glad . tent3766
> and these indicate DCC is available.
>
> I have "loadplugin Mail::SpamAssassin::Plugin::DCC" in 
> /etc/spamassassin/v310.pre
>
> - try uncommenting it there.

If you do, it's anyway disabled on --lint.

grep "loadplugin Mail::SpamAssassin::Plugin::DCC" `grep -rlni "loadplugin 
Mail::SpamAssassin::Plugin::DCC" .`
./v310.pre:loadplugin Mail::SpamAssassin::Plugin::DCC
./local.cf:loadplugin Mail::SpamAssassin::Plugin::DCC


spamassassin --prefs-file=/etc/spamassassin/local.cf -D --lint 2> tmp.out
grep -i dcc tmp.out
Feb 19 08:03:57.566 [13073] dbg: config: fixed relative path: 
/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:03:57.566 [13073] dbg: config: using 
"/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf" for included 
file
Feb 19 08:03:57.566 [13073] dbg: config: read file 
/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:03:57.566 [13073] dbg: config: parsing file 
/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:03:58.094 [13073] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::DCC from @INC
Feb 19 08:03:58.098 [13073] dbg: dcc: local tests only, disabling DCC
Feb 19 08:03:58.136 [13073] dbg: rules: meta test DIGEST_MULTIPLE has 
undefined dependency 'DCC_CHECK'
Feb 19 08:03:58.148 [13073] dbg: rules: meta test FSL_BULK_SIG has 
undefined dependency 'DCC_CHECK'
Feb 19 08:03:59.862 [13073] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x5562b03e8738) implements 'check_tick', 
priority 0
Feb 19 08:04:00.409 [13073] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x5562b03e8738) implements 
'check_cleanup', priority 0
Feb 19 08:04:00.411 [13073] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x5562b03e8738) implements 
'check_post_learn', priority 0

spamassassin --prefs-file=/etc/spamassassin/local.cf -D 2> tmp.out < ~/test.eml
grep -i dcc tmp.out
Feb 19 08:05:51.904 [13609] dbg: config: fixed relative path: 
/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:05:51.904 [13609] dbg: config: using 
"/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf" for included 
file
Feb 19 08:05:51.904 [13609] dbg: config: read file 
/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:05:51.904 [13609] dbg: config: parsing file 
/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:05:52.432 [13609] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::DCC from @INC
Feb 19 08:05:52.459 [13609] dbg: rules: meta test FSL_BULK_SIG has 
undefined dependency 'DCC_CHECK'
Feb 19 08:05:52.463 [13609] dbg: rules: meta test DIGEST_MULTIPLE has 
undefined dependency 'DCC_CHECK'
Feb 19 08:05:54.179 [13609] dbg: message: _decode_header x-spam-dcc: :
Feb 19 08:05:54.211 [13609] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x55f0c228b150) implements 'check_tick', 
priority 0
Feb 19 08:05:54.224 [13609] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x55f0c228b150) implements 'check_dnsbl', 
priority 0
Feb 19 08:06:02.367 [13609] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x55f0c228b150) implements 
'check_cleanup', priority 0
Feb 19 08:06:02.379 [13609] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x55f0c228b150) implements 
'check_post_learn', priority 0
Feb 19 08:06:02.379 [13609] dbg: dcc: DCC learning not enabled by 
dcc_learn_score

Headers in all real received emails, for example

...
X-Spam-Status: No, score=1.5 required=8.0 
tests=BODY_SINGLE_WORD,FREEMAIL_FROM,
KAM_NUMSUBJECT,SCC_BODY_SINGLE_WORD,T_SCC_BODY_TEXT_LINE 
autolearn=no
    autolearn_force=no version=4.0.0
X-Spam-DCC: : 
X-Spam-Pyzor: Reported 0 times, welcomelisted 0 times.
X-Spam-Level: *
X-Spam-Relay-Country: US US
X-Spam-ASN: AS15169 GOOGLE
X-Spam-SenderDomain: gmail.com
X-Spam-AuthorDomain: gmail.com
X-Spam-Remote-IP: 209.85.128.177
X-Spam-Remote-RDNS: mail-yw1-f177.google.com
X-Spam-Remote-HELO: mail-yw1-f177.google.com
...


Denny


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-19 Thread Matus UHLAR - fantomas

On 18.02.24 14:21, glad.tent3...@fastmail.com wrote:
> I'm hoping someone can help troubleshooting using DCC in SpamAssassin.
> My setup isn't populating the "X-Spam-DCC: : " header.
>
> I configured SpamAssassin to use DCC
>
> cat local.cf
> ...
> loadplugin Mail::SpamAssassin::Plugin::DCC
> add_header all DCC _DCCB_: _DCCR_
> ...
> ifplugin Mail::SpamAssassin::Plugin::DCC
>   use_dcc          1
>   dcc_home         /etc/dcc
>   dcc_path         /usr/local/bin/dccproc
>   dcc_timeout      10
>   dcc_body_max     99
>   dcc_fuz1_max     99
>   dcc_fuz2_max     99
>   score DCC_CHECK  3.000
>   dcc_learn_score  99
> endif
> ...
>
> Testing against a sample email,
>
> spamassassin --prefs-file=/etc/spamassassin/local.cf -D 

I wonder why you use --prefs-file=/etc/spamassassin/local.cf ?

/etc/spamassassin/local.cf should be loaded automatically

> Feb 18 11:24:48.255 [7041] dbg: plugin: loading 
> Mail::SpamAssassin::Plugin::DCC from @INC
>
> Feb 18 11:24:48.296 [7041] dbg: rules: meta test 
> DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
> Feb 18 11:24:48.304 [7041] dbg: rules: meta test FSL_BULK_SIG 
> has undefined dependency 'DCC_CHECK'

These indicate DCC is not available 

> Feb 18 11:24:49.989 [7041] dbg: plugin: 
> Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 'check_tick', 
> priority 0
> Feb 18 11:24:50.003 [7041] dbg: plugin: 
> Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 'check_dnsbl', 
> priority 0
> Feb 18 11:24:50.904 [7041] dbg: plugin: 
> Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 
> 'check_cleanup', priority 0
> Feb 18 11:24:50.914 [7041] dbg: plugin: 
> Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 
> 'check_post_learn', priority 0
> Feb 18 11:24:50.914 [7041] dbg: dcc: DCC learning not enabled 
> by dcc_learn_score

and these indicate DCC is available.

I have "loadplugin Mail::SpamAssassin::Plugin::DCC" in 
/etc/spamassassin/v310.pre

- try uncommenting it there.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-18 Thread glad . tent3766
> Try this command for some real mail.eml
>
>spamassassin --prefs-file=/etc/spamassassin/local.cf -D dcc 
    X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on 
mail.MYDOMAIN.COM
    X-Spam-Scanned: spamd.mail.MYDOMAIN.COM
    X-Spam-Status: No, score=0.7 required=8.0 
tests=BODY_SINGLE_WORD,DKIM_SIGNED,

DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM,

SCC_BODY_SINGLE_WORD,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,
URIBL_DBL_BLOCKED_OPENDNS autolearn=unavailable 
autolearn_force=no
version=4.0.0
    X-Spam-DCC: :
    X-Spam-Level:
    X-Spam-SenderDomain: gmail.com
    X-Spam-AuthorDomain: gmail.com
    X-Spam-Remote-IP: 209.85.210.42
    X-Spam-Remote-RDNS: mail-ot1-f42.google.com
    X-Spam-Remote-HELO: mail-ot1-f42.google.com
...


To compare, network tests with Pyzor

spamassassin --prefs-file=/etc/spamassassin/local.cf -D  pyzor < 
/root/test2.eml
Feb 18 15:57:40.187 [35119] dbg: pyzor: network tests on, 
attempting Pyzor
Feb 18 15:57:40.893 [35119] dbg: pyzor: adjusting rule 
PYZOR_CHECK priority to -100
Feb 18 15:57:42.728 [35119] dbg: pyzor: pyzor is available: 
/usr/local/bin/pyzor
Feb 18 15:57:42.734 [35120] dbg: pyzor: child process 35120 
forked
Feb 18 15:57:42.736 [35120] dbg: pyzor: opening pipe: 
/usr/local/bin/pyzor --homedir /etc/spamassassin/.pyzor/ check 


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-18 Thread Martin via users

Try this command for some real mail.eml

    spamassassin --prefs-file=/etc/spamassassin/local.cf -D dcc 
Feb 18 21:10:36.754 [801727] warn: netset: cannot include 127.0.0.0/8 as 
it has already been included
Feb 18 21:10:36.758 [801727] warn: netset: cannot include 172.16.0.0/12 
as it has already been included
Feb 18 21:10:36.758 [801727] warn: netset: cannot include 192.168.0.0/16 
as it has already been included
Feb 18 21:10:36.759 [801727] warn: netset: cannot include 127.0.0.0/8 as 
it has already been included
Feb 18 21:10:37.285 [801727] dbg: dcc: dcc_pgm_path, found cdcc in 
dcc_path: /usr/local/bin/cdcc
Feb 18 21:10:37.289 [801727] dbg: dcc: `/usr/local/bin/cdcc -qV homedir 
libexecdir` reports '2.3.168 homedir=/var/dcc libexecdir=/var/dcc/libexec '
Feb 18 21:10:37.290 [801727] dbg: dcc: use 'dcc_libexec 
/var/dcc/libexec' from cdcc
Feb 18 21:10:37.290 [801727] dbg: dcc: dccifd is not available; no r/w 
socket at /var/dcc/dccifd

Feb 18 21:10:37.290 [801727] dbg: dcc: /usr/local/bin/dccproc is available
Feb 18 21:10:37.291 [801727] dbg: dcc: opening pipe to 
/usr/local/bin/dccproc -C -x 0 -h /var/dcc -a 45.112.84.5 -w whiteclnt 
Feb 18 21:10:37.295 [801731] info: util: setuid: ruid=0 euid=0 rgid=0 0 
egid=0 0
Feb 18 21:10:37.476 [801727] dbg: dcc: dccproc responded with 
'X-DCC-www.nova53.net-Metrics: some.server.mx 1205; Body=many Fuz1=many 
rep=73%'
Feb 18 21:10:37.477 [801727] dbg: dcc: dcc_rep 73, min 95, max 98 => 
result=no
Feb 18 21:10:37.477 [801727] dbg: dcc: dcc_rep 73, min 70, max 89 => 
result=YES
Feb 18 21:10:37.478 [801727] dbg: dcc: dcc_rep 73, min 99, max 100 => 
result=no
Feb 18 21:10:37.478 [801727] dbg: dcc: dcc_rep 73, min 90, max 94 => 
result=no
Feb 18 21:10:37.479 [801727] dbg: dcc: listed: BODY=99/99 
FUZ1=99/99 FUZ2=0/99 REP=73/90
Feb 18 21:10:37.480 [801727] dbg: dcc: dcc_rep 73, min 00, max 12 => 
result=no
Feb 18 21:10:37.480 [801727] dbg: dcc: dcc_rep 73, min 13, max 19 => 
result=no
Feb 18 21:10:37.738 [801732] info: util: setuid: ruid=0 euid=0 rgid=0 0 
egid=0 0
Feb 18 21:10:37.872 [801727] info: rules: meta test 
CONTENT_AFTER_HTML_WEAK has dependency 'MAILING_LIST_MULTI' with a zero 
score
Feb 18 21:10:37.872 [801727] info: rules: meta test FORGED_MUA_EUDORA 
has dependency 'MAILING_LIST_MULTI' with a zero score
Feb 18 21:10:37.873 [801727] info: rules: meta test OBFU_UNSUB_UL has 
dependency 'MAILING_LIST_MULTI' with a zero score
Feb 18 21:10:37.882 [801727] info: rules: meta test 
HAS_X_OUTGOING_SPAM_STAT has dependency 'MAILING_LIST_MULTI' with a zero 
score
Feb 18 21:10:37.937 [801727] dbg: dcc: DCC learning not enabled by 
dcc_learn_score


Martin

> Hello,
>
>> try to increase dcc_timeout.
>>
>> # this works for me
>> use_dcc 1
>> dcc_home /var/dcc
>> dcc_path /usr/local/bin/dccproc
>> dcc_timeout 16
>> add_header all DCC _DCCB_:_DCCR_
>
> I tried values of 16, 30 & 100.
>
> Same as before unfortunately.
>
> No errors that I can see.  Just no headers populated.
>
> Denny





Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-18 Thread glad . tent3766
Hello,

>   try to increase dcc_timeout.
>
> # this works for me
> use_dcc 1
> dcc_home /var/dcc
> dcc_path /usr/local/bin/dccproc
> dcc_timeout 16
> add_header all DCC _DCCB_:_DCCR_

I tried values of 16, 30 & 100.

Same as before unfortunately.

No errors that I can see.  Just no headers populated.

Denny


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-18 Thread Martin via users

Hello,

 try to increase dcc_timeout.

# this works for me
use_dcc 1
dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc
dcc_timeout 16
add_header all DCC _DCCB_:_DCCR_


Martin

> Hello,
>
> I'm hoping someone can help troubleshooting using DCC in SpamAssassin.
> My setup isn't populating the "X-Spam-DCC: : " header.
>
> I installed SpamAssassin 4.0.0
>
> spamassassin -V
> SpamAssassin version 4.0.0
>   running on Perl version 5.38.2
>
> I run Postfix 3.8.5
>
> postconf mail_version
> mail_version = 3.8.5
>
> I setup Postfix to use SpamAssassin through a pre-queue milter over a unix 
> socket
>
>   smtpd_milters=unix:/run/sa-milter/sa-milter.sock
>
> I installed DCC
>
> cdcc -V
> 2.3.168
>
> It can connect to its servers
>
> cdcc info
> # 02/18/24 11:31:46 EST  /etc/dcc/map
> # Re-resolve names after 12:29:46  Check RTTs after 11:46:45
> # 1691.96 ms threshold, 1239.41 ms average   12 total, 6 working servers
> IPv6 on   version=3
> ...
>
> I configured SpamAssassin to use DCC
>
> cat local.cf
> ...
> loadplugin Mail::SpamAssassin::Plugin::DCC
> add_header all DCC _DCCB_: _DCCR_
> ...
> ifplugin Mail::SpamAssassin::Plugin::DCC
>   use_dcc          1
>   dcc_home         /etc/dcc
>   dcc_path         /usr/local/bin/dccproc
>   dcc_timeout      10
>   dcc_body_max     99
>   dcc_fuz1_max     99
>   dcc_fuz2_max     99
>   score DCC_CHECK  3.000
>   dcc_learn_score  99
> endif
> ...
>
> Checking with SA --lint, local only with no network
>
> spamassassin --prefs-file=/etc/spamassassin/local.cf -D --lint
>
> ...
> Feb 18 11:18:06.242 [6905] dbg: config: fixed relative path: 
> /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
> Feb 18 11:18:06.242 [6905] dbg: config: using 
> "/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf" for included 
> file
> Feb 18 11:18:06.242 [6905] dbg: config: read file 
> /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
> Feb 18 11:18:06.243 [6905] dbg: config: parsing file 
> /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
> ...
> Feb 18 11:18:06.792 [6905] dbg: plugin: loading 
> Mail::SpamAssassin::Plugin::DCC from @INC
> Feb 18 11:18:06.796 [6905] dbg: dcc: local tests only, 
> disabling DCC
> ...
> Feb 18 11:18:06.843 [6905] dbg: rules: meta test 
> DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
> Feb 18 11:18:06.843 [6905] dbg: rules: meta test FSL_BULK_SIG 
> has undefined dependency 'DCC_CHECK'
> ...
> Feb 18 11:18:08.561 [6905] dbg: plugin: 
> Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 'check_tick', 
> priority 0
> ...
> Feb 18 11:18:09.072 [6905] dbg: plugin: 
> Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 
> 'check_cleanup', priority 0
> ...
> Feb 18 11:18:09.074 [6905] dbg: plugin: 
> Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 
> 'check_post_learn', priority 0
> ...
>
> Testing against a sample email,
>
> spamassassin --prefs-file=/etc/spamassassin/local.cf -D 





Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-18 Thread glad . tent3766



On Sun, Feb 18, 2024, at 2:47 PM, Bill Cole wrote:
> On 2024-02-18 at 14:21:41 UTC-0500 (Sun, 18 Feb 2024 14:21:41 -0500)
>   
> is rumored to have said:
>
>>  Feb 18 11:18:06.796 [6905] dbg: dcc: local tests only, 
>> disabling DCC
>
> That seems like a clear explanation: your configuration has disabled 
> 'net' tests. You seem to have dns_available set to 'no'


No, that's only for the shown "--lint" case.

IIUC 3.1.6+ disables network tests during lint as they don't need to be run
to confirm a working config.

For the case where I run an actual message through SpamAssassin, network tests 
are fine.

And "dns_available" isn't set anywhere in my configuration.
For SA, that leaves it at the default, which I believe == yes.


Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-18 Thread Bill Cole

On 2024-02-18 at 14:21:41 UTC-0500 (Sun, 18 Feb 2024 14:21:41 -0500)
 
is rumored to have said:


> Feb 18 11:18:06.796 [6905] dbg: dcc: local tests only, 
> disabling DCC


That seems like a clear explanation: your configuration has disabled 
'net' tests. You seem to have dns_available set to 'no'




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?

2024-02-18 Thread glad . tent3766
Hello,

I'm hoping someone can help troubleshooting using DCC in SpamAssassin.
My setup isn't populating the "X-Spam-DCC: : " header.

I installed SpamAssassin 4.0.0

spamassassin -V
SpamAssassin version 4.0.0
  running on Perl version 5.38.2

I run Postfix 3.8.5

postconf mail_version
mail_version = 3.8.5

I setup Postfix to use SpamAssassin through a pre-queue milter over a unix 
socket

  smtpd_milters=unix:/run/sa-milter/sa-milter.sock

I installed DCC

cdcc -V
2.3.168

It can connect to its servers

cdcc info
# 02/18/24 11:31:46 EST  /etc/dcc/map
# Re-resolve names after 12:29:46  Check RTTs after 11:46:45
# 1691.96 ms threshold, 1239.41 ms average   12 total, 6 working servers
IPv6 on   version=3
...

I configured SpamAssassin to use DCC

cat local.cf
...
loadplugin Mail::SpamAssassin::Plugin::DCC
add_header all DCC _DCCB_: _DCCR_
...
ifplugin Mail::SpamAssassin::Plugin::DCC
  use_dcc          1
  dcc_home         /etc/dcc
  dcc_path         /usr/local/bin/dccproc
  dcc_timeout      10
  dcc_body_max     99
  dcc_fuz1_max     99
  dcc_fuz2_max     99
  score DCC_CHECK  3.000
  dcc_learn_score  99
endif
...

Checking with SA --lint, local only with no network

spamassassin --prefs-file=/etc/spamassassin/local.cf -D --lint

...
Feb 18 11:18:06.242 [6905] dbg: config: fixed relative path: 
/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 18 11:18:06.242 [6905] dbg: config: using 
"/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf" for included 
file
Feb 18 11:18:06.242 [6905] dbg: config: read file 
/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 18 11:18:06.243 [6905] dbg: config: parsing file 
/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
...
Feb 18 11:18:06.792 [6905] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::DCC from @INC
Feb 18 11:18:06.796 [6905] dbg: dcc: local tests only, 
disabling DCC
...
Feb 18 11:18:06.843 [6905] dbg: rules: meta test 
DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Feb 18 11:18:06.843 [6905] dbg: rules: meta test FSL_BULK_SIG 
has undefined dependency 'DCC_CHECK'
...
Feb 18 11:18:08.561 [6905] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 'check_tick', 
priority 0
...
Feb 18 11:18:09.072 [6905] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 
'check_cleanup', priority 0
...
Feb 18 11:18:09.074 [6905] dbg: plugin: 
Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 
'check_post_learn', priority 0
...

Testing against a sample email,

spamassassin --prefs-file=/etc/spamassassin/local.cf -D 


Re: MS-relayed spam

2024-01-03 Thread Shawn Iverson
On Wed, Jan 3, 2024 at 5:06 AM Matus UHLAR - fantomas 
wrote:

> What?
>
> If the message came from .outlook.com hosts, it should be reported to
> ab...@outlook.com.
>
You are right, it did come from an .outlook.com host. My mistake. I'm not
sure why they blocked the user, then.


Re: MS-relayed spam

2024-01-03 Thread Matus UHLAR - fantomas

> On Tue, Jan 2, 2024 at 3:11 PM Torpey List  wrote:
>> I started forwarding full headers and text to "ab...@outlook.com" and 
>> they blocked my IP.

On 02.01.24 16:49, Shawn Iverson wrote:
> ab...@outlook.com is for reporting abuse on the freemail
> Outlook/Hotmail/MSN platforms, not Microsoft tenants.

What?

If the message came from .outlook.com hosts, it should be reported to 
ab...@outlook.com.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.


Re: MS-relayed spam

2024-01-02 Thread Shawn Iverson
On Tue, Jan 2, 2024 at 3:11 PM Torpey List  wrote:

> I started forwarding full headers and text to "ab...@outlook.com" and
> they
> blocked my IP.
>
>
ab...@outlook.com is for reporting abuse on the freemail
Outlook/Hotmail/MSN platforms, not Microsoft tenants.

https://msrc.microsoft.com/report/


Re: MS-relayed spam

2024-01-02 Thread Torpey List
I started forwarding full headers and text to "ab...@outlook.com" and they 
blocked my IP.


-Original Message- 
From: David Jones via users

Sent: Tuesday, January 2, 2024 1:07 PM
To: Charles Sprickman
Cc: SA Mailing list
Subject: Re: MS-relayed spam

I would report this to Microsoft Abuse and setup local rules that add a 
point or two something like this:


header BAD_O365_SENDER  X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/

With a threshold of 6.2, you might want to consider either lowering that a 
little or bumping up some default scores for some of the "worse" rules.


Most legit senders should not be using their onmicrosoft.com for their 
primary address but there are a few that I have seen over the years so I 
also have a counter rule to subtract a point or two for specific 
onmicrosoft.com subdomains.


On 1/1/24, 3:29 PM, "Charles Sprickman" <sp...@bway.net> wrote:





Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE


I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past 
few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit 
more tuned to this kind of abuse


Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is 
using MS' inbound/outbound filtering/relaying for their email, and I'm 
assuming that the company (acquiretm dot com) has compromised account(s) 
being used for spam, and that this type of account is valuable since it's 
relayed through a somewhat "trusted" entity (MS). Stumped on the empty 
envelope from though...


Thanks,
Charles


Re: MS-relayed spam

2024-01-02 Thread Bill Cole

On 2024-01-01 at 16:28:04 UTC-0500 (Mon, 1 Jan 2024 16:28:04 -0500)
Charles Sprickman 
is rumored to have said:


Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE

I'm not really following what's going on here - a few things confuse 
me...


 - the empty from envelope, which I thought was more of a "bounce" 
thing


Yes. You can safely reject mail with a null sender that does not meet 
norms for mail-system-generated mail.



 - that it does seem formatted like a bounce


Not in the headers... No one legit sends bounces with "Content-Type: 
text/html" or with In-Reply-To headers without a References header or Cc 
headers.


 - across multiple servers I'm seeing a ton more spam just like this 
the past few weeks coming in via MS


Everyone's spam is unique.

I see some similar stuff at various sites but nothing in the places 
where I can really dig into details. I don't see much null sender spam 
at all. I do see a few cases of $jjunk@$ggarbage.onmicrosoft.com senders 
similar to the From: header in your example, but they are all getting 
caught by SA.


 - I had assumed that MS (or gmail, or any large provider) would be a 
bit more tuned to this kind of abuse


By their own customers? Have you been paying any attention this century?

MS could kill this particular flavor of spam (identifiable by 
correlating patterns in From and other headers) if they wanted to. They 
CHOOSE as a corporation to be a bad neighbor as a matter of unstated 
policy and unconscious strategy. In the same way a junkie chooses their 
dope...


Anyone else seeing this and if so, what mitigations are you doing in 
SA?


In the one place where I save SA-rejected mail, I see nothing with 
"onmicrosoft.com" anywhere except in mail talking about this garbage. On 
a larger system with less retained info I see some similar-ish messages 
but nothing similar with null senders.


I don't see an obvious pattern of SA rule matches in the similar 
messages that are being rejected on the systems I have access to. I also 
see no null senders from MS hosts associated with UUID-like message-Id 
local parts. Hmmm... that might be an interesting rule.


To me, it appears that a company with some kind of on-prem email 
server is using MS' inbound/outbound filtering/relaying for their 
email, and I'm assuming that the company (acquiretm dot com) has 
compromised account(s) being used for spam,


Not sure how you got there...

Everywhere in those headers that I see that domain I also see it 
attributed as the HELO from IP address 193.176.158.140, which has no 
obvious connection to the domain. That IP address is allocated via RIPE, 
but it might be in Russia, Estonia, Hong Kong, or France depending on 
which registration records you think are relevant.


I'd bet that you could get a perfect score sniping that IP address in 
the various MS attribution headers, but that probably will not be useful 
for long.


and that this type of account is valuable since it's relayed through a 
somewhat "trusted" entity (MS). Stumped on the empty envelope from 
though...


I assume that your system is turning <> into ...


Full headers inline:


My first-glance thoughts are embedded below.



Return-Path: 

[internal stuff snipped]
Received: from NAM11-DM6-obe.outbound.protection.outlook.com 
(mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 
bits))

(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for ; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; 
cv=none;

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
d=microsoft.com;

s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender 
ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM 
smtp.helo=mail.acquiretm.com;

dmarc=none action=none header.from=x1r862t.onmicrosoft.co

Re: MS-relayed spam

2024-01-02 Thread Matus UHLAR - fantomas

On 01.01.24 16:28, Charles Sprickman wrote:

Full headers are here as well: https://pastebin.com/wHNmnvtE


neither indicate that the mail was relayed by microsoft.
Isn't this just backscatter, non-delivery notice on fake mail?


I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past 
few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit more 
tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is using MS' 
inbound/outbound filtering/relaying for their email, and I'm assuming that the company 
(acquiretm dot com) has compromised account(s) being used for spam, and that this type of 
account is valuable since it's relayed through a somewhat "trusted" entity 
(MS). Stumped on the empty envelope from though...

Thanks,

Charles



Re: MS-relayed spam

2024-01-02 Thread David Jones via users
I would report this to Microsoft Abuse and set up local rules that add a point 
or two something like this:

header BAD_O365_SENDER  X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/

With a threshold of 6.2, you might want to consider either lowering that a 
little or bumping up some default scores for some of the "worse" rules.

Most legit senders should not be using their onmicrosoft.com for their primary 
address but there are a few that I have seen over the years so I also have a 
counter rule to subtract a point or two for specific onmicrosoft.com 
subdomains. 

On 1/1/24, 3:29 PM, "Charles Sprickman" <sp...@bway.net> wrote:



Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE

I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past 
few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit more 
tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is 
using MS' inbound/outbound filtering/relaying for their email, and I'm assuming 
that the company (acquiretm dot com) has compromised account(s) being used for 
spam, and that this type of account is valuable since it's relayed through a 
somewhat "trusted" entity (MS). Stumped on the empty envelope from though...

Thanks,
Charles


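An added example (not code from this thread): a small Python checker that turns the observations in this thread into header tests. It covers Bill Cole's points that nothing legitimate sends null-sender mail as text/html, with In-Reply-To but no References, or with Cc headers, his UUID-like message-id local parts, and David Jones's X-OriginatorOrg rule with a counter-rule for vetted onmicrosoft.com subdomains. The sample headers, the TRUSTED_ONMICROSOFT list, the rule names and the scores are constructed for the example.

```python
"""Header heuristics for the null-sender / onmicrosoft.com spam discussed
in this thread (added example, not code from the thread). Samples are
constructed, modelled on the quoted headers; scores are illustrative."""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Counter-rule list (constructed placeholder): onmicrosoft.com subdomains
# verified as legitimate senders get the BAD_O365_SENDER points back.
TRUSTED_ONMICROSOFT = {"goodpartner.onmicrosoft.com"}

UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
RANDOM_RE = re.compile(r"^[a-z0-9]{30,}$")  # long base36 token, no structure


def is_null_sender(msg: Message) -> bool:
    """Envelope sender is <>, or was stripped to nothing by the MTA."""
    return msg.get("Return-Path", "").strip() in ("", "<>")


def msgid_local_part(msg: Message, header: str) -> str:
    """Lower-cased local part of a Message-ID-style header, '' if absent."""
    addr = parseaddr(msg.get(header, ""))[1]
    return addr.split("@", 1)[0].lower()


def score_headers(raw: str) -> tuple[float, list[str]]:
    """Return (total score, names of rules hit) for a raw header block."""
    msg = email.message_from_string(raw)
    hits: list[tuple[str, float]] = []

    if is_null_sender(msg):
        # Mail-system-generated bounces are not text/html, do not carry
        # In-Reply-To without References, and are not Cc'd to anyone.
        if msg.get_content_type() == "text/html":
            hits.append(("NULL_SENDER_HTML", 3.0))
        if msg.get("In-Reply-To") and not msg.get("References"):
            hits.append(("NULL_SENDER_INREPLYTO_NOREFS", 2.0))
        if msg.get("Cc"):
            hits.append(("NULL_SENDER_CC", 1.0))

    # X-OriginatorOrg rule from this thread, plus its counter-rule.
    org = msg.get("X-OriginatorOrg", "").strip().lower()
    if org.endswith(".onmicrosoft.com"):
        hits.append(("BAD_O365_SENDER", 2.0))
        if org in TRUSTED_ONMICROSOFT:
            hits.append(("TRUSTED_O365_SENDER", -2.0))

    # UUID-like or otherwise random message-id local parts.
    for header in ("Message-ID", "In-Reply-To"):
        local = msgid_local_part(msg, header)
        if UUID_RE.match(local) or RANDOM_RE.match(local):
            hits.append((f"RANDOM_LOCAL_{header.upper().replace('-', '_')}", 0.5))

    return round(sum(s for _, s in hits), 2), [name for name, _ in hits]


# Constructed, modelled on the thread's headers (addresses are placeholders).
SPAM_SAMPLE = """\
Return-Path: <>
X-OriginatorOrg: x1r862t.onmicrosoft.com
From: "iCloud" <x1r862t@x1r862t.onmicrosoft.com>
To: user@example.test
CC: user@example.test
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE
Message-ID: <4f2c1d8e-9a3b-4c7d-8e1f-2a5b6c7d8e9f@egw.x1r862t.onmicrosoft.com>
In-Reply-To: <k3j9d8s7f6g5h4j3k2l1m0n9b8v7c6x5z4a3s2d1@egw.x1r862t.onmicrosoft.com>
Content-Type: text/html; charset="UTF-8"
MIME-Version: 1.0

"""

# A real non-delivery report (constructed): null sender, but multipart/report
# and no In-Reply-To or Cc, so none of the null-sender rules fire.
DSN_SAMPLE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mail.example.test>
To: user@example.test
Subject: Undelivered Mail Returned to Sender
Message-ID: <20240101142331.ABC123@mail.example.test>
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"
MIME-Version: 1.0

"""

# A vetted onmicrosoft.com tenant (constructed): rule and counter-rule cancel.
PARTNER_SAMPLE = """\
Return-Path: <alice@goodpartner.onmicrosoft.com>
X-OriginatorOrg: goodpartner.onmicrosoft.com
From: Alice <alice@goodpartner.onmicrosoft.com>
To: user@example.test
Subject: Q1 invoice
Message-ID: <AM0PR01MB1234ABCDEF@goodpartner.onmicrosoft.com>
Content-Type: text/plain; charset="UTF-8"

"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("dsn", DSN_SAMPLE), ("partner", PARTNER_SAMPLE)):
        print(label, score_headers(raw))
```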
MS-relayed spam

2024-01-01 Thread Charles Sprickman
Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE

I'm not really following what's going on here - a few things confuse me...

 - the empty from envelope, which I thought was more of a "bounce" thing
 - that it does seem formatted like a bounce
 - across multiple servers I'm seeing a ton more spam just like this the past 
few weeks coming in via MS
 - I had assumed that MS (or gmail, or any large provider) would be a bit more 
tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is 
using MS' inbound/outbound filtering/relaying for their email, and I'm assuming 
that the company (acquiretm dot com) has compromised account(s) being used for 
spam, and that this type of account is valuable since it's relayed through a 
somewhat "trusted" entity (MS). Stumped on the empty envelope from though...

Thanks,

Charles


Full headers inline:

Return-Path: 
Delivered-To: myem...@mydomain.com
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
for ; Mon, 1 Jan 2024 14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 10024)
with ESMTP id y8UwjrBjDDCO for ;
Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com 
(mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
for ; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is
193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM smtp.helo=mail.acquiretm.com;
dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=none
(message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=x1r862t.onmicrosoft.com; s=selector1-x1r862t-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
X-MS-Exchange-Authentication-Results: spf=none (sender IP is 193.176.158.140)
smtp.helo=mail.acquiretm.com; dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=x1r862t.onmicrosoft.com;
Date: Mon, 01 Jan 2024 20:19:49 +0100
Importance: high
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE
X-TOI-MSGID: <1660898088.4bdab4ab9e89d.1704136789...@acquiretm.com>
In-Reply-To: 
<952htcjgcsdxt5hydix5kfocgsan34o2gphcyv...@egw.x1r862t.onmicrosoft.com>
Content-Type: text/html; charset="UTF-8"
CC: myem...@mydomain.com
To: myem...@mydomain.com
MIME-Version: 1.0
Content-

Re: Beginner Setting up Spam Assassin

2023-12-30 Thread Antony Stone
On Saturday 30 December 2023 at 11:54:33, FalconChristopher wrote:

> The comment by Michael Grant ?

Yes, the comment I quoted below.  He is suggesting how you can deal with this 
problematic user you want to "eliminate spam coming in from".

> On 12/30/2023 5:52 AM, Antony Stone wrote:
> > On Saturday 30 December 2023 at 11:48:30, FalconChristopher wrote:
> >> Hi, can I not ask how to set up Spam Assassin in this mailing group it
> >> is a group for Spam Assassin.
> > 
> > That comment was a recommendation of how you can achieve what you want
> > to.
> > 
> >> On 12/30/2023 4:30 AM, Michael Grant wrote:
> >>> Can you ban this user in whatever your equivalent of the access file
> >>> is so instead of putting the messages into a spam folder, you reject
> >>> messages from that address at delivery time (SMTP)?
> > 
> > Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

   Please reply to the list;
 please *don't* CC me.


Re: Beginner Setting up Spam Assassin

2023-12-30 Thread Loren Wilton
SpamAssassin cannot block or eliminate spam. It does not have the facilities to 
do that. SA can only score potential spam. 

Whatever method you used to glue SA into your mail path needs to parse the 
score SA assigned in the returned mail, and do whatever routing it thinks is 
appropriate. 

We do not know what glue you are using to put SA into your mail path, so it is 
hard to give suggestions on how to set that unknown software up. With more 
details of your setup we may be able to help.

We can suggest rules to assign a score to mail if it comes from a particular 
account. But something other than SA will then have to deal with that score and 
do the routing.


  - Original Message - 
  From: FalconChristopher 
  To: Michael Grant ; users@spamassassin.apache.org 
  Sent: Saturday, December 30, 2023 2:48 AM
  Subject: Re: Beginner Setting up Spam Assassin


  Hi, can I not ask how to set up Spam Assassin in this mailing group it is a 
group for Spam Assassin.




  On 12/30/2023 4:30 AM, Michael Grant wrote:

Can you ban this user in whatever your equivalent of the access file is so 
instead of putting the messages into a spam folder, you reject messages from 
that address at delivery time (SMTP)?





On 30 December 2023 04:08:17 CET, FalconChristopher 
 wrote:
  Anyone know how I can check and setup SpamAssassin so that I can 
  eliminate some spam from coming in from a email account ? 


  On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote: 
  > On 27.12.23 16:53, FalconChristopher wrote: 
  >> Hi, I want to setup Spam Assassin so that any email that Spam 
  >> Assassin flags as spam 
  > 
  > this is spamassassin's job 
  > 
  >> gets placed into a folder for a specific SMTP or IMAP email account. 
  > 
  > this is not spamassassin's job. 
  > It's job of mail delivery agent - procmail, maildrop, sieve 
  > 
  >> Then if Spam Assassin flags emails that are not spam I can tell it 
  >> which of those emails to not place into the spam folder for the 
  >> specific email client. Until it gradually learns which emails are 
  >> spam and which are not. 
  > 
  > dovecot (imap/pop3 server) has plugins that support training of 
  > spam/ham, if you move the mail from/to spam folder. 
  > 
  > https://doc.dovecot.org/configuration_manual/spam_reporting/ 
  > 
  >> I've done a little research and I have access with my distribution to 
  >> a mail directory as well as the local.cf file for which 
  >> configurations are for Spam Assassin but I don't know how to setup 
  >> what I mentioned above ? 
  > 

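An added example (not code from this thread) of the glue-side step Loren describes: something outside SA has to read the X-Spam-Status header and route the message. It parses the amavisd-new style header quoted in the MS-relayed spam thread above, as well as the plain spamd format, and makes the delivery decision from it. The folder names, the discard threshold and the two shorter sample headers are assumptions.

```python
"""Glue-side handling of SpamAssassin's verdict (added example, not code
from the thread). SA only scores; whatever delivers the mail must read
X-Spam-Status and route. THREAD_SAMPLE carries the header quoted in the
MS-relayed spam thread; the other samples, the folder names and the
discard threshold are assumptions."""
import email
import re
from dataclasses import dataclass, field
from typing import Optional

# amavisd-new style header, as quoted in the MS-relayed spam thread
# (per-test scores in brackets, folded across several lines).
THREAD_SAMPLE = """\
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
\ttests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9,
\tDKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
\tFORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5,
\tHK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001,
\tMIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
\tRCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31,
\tSCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01,
\tT_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE

(body omitted)
"""

# Constructed: the same kind of mail after a local rule pushed it over the line.
JUNK_SAMPLE = """\
X-Spam-Status: Yes, score=8.468 tagged_above=-100 required=6.2
\ttests=[BLOCK_EMAIL=5.0, HTML_IMAGE_ONLY_24=1.618, SCC_BODY_URI_ONLY=1.44,
\tRCVD_IN_VALIDITY_RPBL=1.31, BAYES_00=-1.9, FORGED_SPF_HELO=1] autolearn=no
Subject: constructed sample

(body omitted)
"""

# Constructed: plain spamd/spamc format (no brackets, no per-test scores).
NATIVE_SAMPLE = """\
X-Spam-Status: Yes, score=16.2 required=5.0 tests=BLOCK_EMAIL,HTML_IMAGE_ONLY_24
\tautolearn=disabled version=4.0.0
Subject: constructed sample

(body omitted)
"""


@dataclass
class SpamStatus:
    is_spam: bool
    score: float
    required: float
    tests: dict[str, float] = field(default_factory=dict)


STATUS_RE = re.compile(r"^(Yes|No),\s+score=(-?\d+(?:\.\d+)?).*?\brequired=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"\btests=\[?(.*?)\]?(?:\s+autolearn=|\s*$)")


def parse_spam_status(value: str) -> SpamStatus:
    """Parse a (possibly folded) X-Spam-Status value in either format."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value).strip()
    m = STATUS_RE.match(unfolded)
    if not m:
        raise ValueError(f"unrecognised X-Spam-Status: {unfolded!r}")
    tests: dict[str, float] = {}
    t = TESTS_RE.search(unfolded)
    for item in (t.group(1) if t else "").split(","):
        name, _, num = item.strip().partition("=")
        if name:
            tests[name] = float(num) if num else 0.0  # plain format has no scores
    return SpamStatus(m.group(1) == "Yes", float(m.group(2)), float(m.group(3)), tests)


def status_of(raw_message: str) -> Optional[SpamStatus]:
    """Parse the X-Spam-Status header of a raw message; None if SA never scored it."""
    value = email.message_from_string(raw_message).get("X-Spam-Status")
    return None if value is None else parse_spam_status(value)


def score_matches_tests(status: SpamStatus, tolerance: float = 0.001) -> bool:
    """Sanity check for amavis-style headers: the per-test scores should add up."""
    return abs(sum(status.tests.values()) - status.score) <= tolerance


def route(raw_message: str, junk_folder: str = "Junk", discard_at: float = 15.0) -> str:
    """Delivery decision (assumed policy) the glue derives from SA's verdict."""
    status = status_of(raw_message)
    if status is None:
        return "INBOX"  # unscored: deliver normally rather than guess
    if status.score >= discard_at:
        return "DISCARD"  # far above the threshold: do not deliver at all
    if status.is_spam or status.score >= status.required:
        return junk_folder
    return "INBOX"


if __name__ == "__main__":
    for label, raw in (("thread", THREAD_SAMPLE), ("junk", JUNK_SAMPLE), ("native", NATIVE_SAMPLE)):
        print(label, route(raw), status_of(raw))
```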


Re: Beginner Setting up Spam Assassin

2023-12-30 Thread FalconChristopher

The comment by Michael Grant ?


On 12/30/2023 5:52 AM, Antony Stone wrote:

On Saturday 30 December 2023 at 11:48:30, FalconChristopher wrote:


Hi, can I not ask how to set up Spam Assassin in this mailing group it
is a group for Spam Assassin.

That comment was a recommendation of how you can achieve what you want to.


On 12/30/2023 4:30 AM, Michael Grant wrote:

Can you ban this user in whatever your equivalent of the access file
is so instead of putting the messages into a spam folder, you reject
messages from that address at delivery time (SMTP)?


Antony.



Re: Beginner Setting up Spam Assassin

2023-12-30 Thread Antony Stone
On Saturday 30 December 2023 at 11:48:30, FalconChristopher wrote:

> Hi, can I not ask how to set up Spam Assassin in this mailing group it
> is a group for Spam Assassin.

That comment was a recommendation of how you can achieve what you want to.

> On 12/30/2023 4:30 AM, Michael Grant wrote:
> > Can you ban this user in whatever your equivalent of the access file
> > is so instead of putting the messages into a spam folder, you reject
> > messages from that address at delivery time (SMTP)?


Antony.

-- 
Users don't know what they want until they see what they get.

   Please reply to the list;
 please *don't* CC me.


Re: Beginner Setting up Spam Assassin

2023-12-30 Thread FalconChristopher
Hi, can I not ask how to set up Spam Assassin in this mailing group it 
is a group for Spam Assassin.



On 12/30/2023 4:30 AM, Michael Grant wrote:
Can you ban this user in whatever your equivalent of the access file 
is so instead of putting the messages into a spam folder, you reject 
messages from that address at delivery time (SMTP)?




On 30 December 2023 04:08:17 CET, FalconChristopher 
 wrote:


Anyone know how I can check and setup SpamAssassin so that I can
eliminate some spam from coming in from a email account ?


On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
> On 27.12.23 16:53, FalconChristopher wrote:
>> Hi, I want to setup Spam Assassin so that any email that Spam
>> Assassin flags as spam
>
> this is spamassassin's job
>
>> gets placed into a folder for a specific SMTP or IMAP email
account.
>
> this is not spamassassin's job.
> It's job of mail delivery agent - procmail, maildrop, sieve
>
>> Then if Spam Assassin flags emails that are not spam I can tell it
>> which of those emails to not place into the spam folder for the
>> specific email client. Until it gradually learns which emails are
>> spam and which are not.
>
> dovecot (imap/pop3 server) has plugins that support training of
> spam/ham, if you move the mail from/to spam folder.
>
> https://doc.dovecot.org/configuration_manual/spam_reporting/
>
>> I've done a little research and I have access with my
distribution to
>> a mail directory as well as the local.cf file for which
>> configurations are for Spam Assassin but I don't know how to setup
>> what I mentioned above ?
>


Re: Beginner Setting up Spam Assassin

2023-12-30 Thread Michael Grant via users
Can you ban this user in whatever your equivalent of the access file is so 
instead of putting the messages into a spam folder, you reject messages from 
that address at delivery time (SMTP)?



On 30 December 2023 04:08:17 CET, FalconChristopher 
 wrote:
>Anyone know how I can check and setup SpamAssassin so that I can 
>eliminate some spam from coming in from a email account ?
>
>
>On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
>> On 27.12.23 16:53, FalconChristopher wrote:
>>> Hi, I want to setup Spam Assassin so that any email that Spam 
>>> Assassin flags as spam
>>
>> this is spamassassin's job
>>
>>> gets placed into a folder for a specific SMTP or IMAP email account.
>>
>> this is not spamassassin's job.
>> It's job of mail delivery agent - procmail, maildrop, sieve
>>
>>> Then if Spam Assassin flags emails that are not spam I can tell it 
>>> which of those emails to not place into the spam folder for the 
>>> specific email client. Until it gradually learns which emails are 
>>> spam and which are not.
>>
>> dovecot (imap/pop3 server) has plugins that support training of 
>> spam/ham, if you move the mail from/to spam folder.
>>
>> https://doc.dovecot.org/configuration_manual/spam_reporting/
>>
>>> I've done a little research and I have access with my distribution to 
>>> a mail directory as well as the local.cf file for which 
>>> configurations are for Spam Assassin but I don't know how to setup 
>>> what I mentioned above ?
>>
>


Re: Beginner Setting up Spam Assassin

2023-12-30 Thread Matus UHLAR - fantomas

On 29.12.23 22:08, FalconChristopher wrote:
Anyone know how I can check and set up SpamAssassin so that I can
eliminate some spam from coming in from an email account?


do you mean if one of your users started spamming out?



On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:

On 27.12.23 16:53, FalconChristopher wrote:
Hi, I want to set up Spam Assassin so that any email that Spam
Assassin flags as spam


this is spamassassin's job


gets placed into a folder for a specific SMTP or IMAP email account.


this is not spamassassin's job.
It's the job of the mail delivery agent - procmail, maildrop, sieve

Then if Spam Assassin flags emails that are not spam I can tell it 
which of those emails to not place into the spam folder for the 
specific email client. Until it gradually learns which emails are 
spam and which are not.


dovecot (imap/pop3 server) has plugins that support training of 
spam/ham, if you move the mail from/to spam folder.


https://doc.dovecot.org/configuration_manual/spam_reporting/

I've done a little research and I have access with my distribution 
to a mail directory as well as the local.cf file for which 
configurations are for Spam Assassin but I don't know how to set up
what I mentioned above?




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: Beginner Setting up Spam Assassin

2023-12-29 Thread Jimmy
You can create a rule something like this

# anchored and case-insensitive, so it matches only this exact address
header   BLOCK_EMAIL  From:addr =~ /^user\@domain\.com$/i
describe BLOCK_EMAIL  Block email
score    BLOCK_EMAIL  5.00

On Sat, Dec 30, 2023 at 10:08 AM FalconChristopher <
falconchristop...@bell.net> wrote:

> Anyone know how I can check and set up SpamAssassin so that I can
> eliminate some spam from coming in from an email account?
>
>
> On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
> > On 27.12.23 16:53, FalconChristopher wrote:
> >> Hi, I want to set up Spam Assassin so that any email that Spam
> >> Assassin flags as spam
> >
> > this is spamassassin's job
> >
> >> gets placed into a folder for a specific SMTP or IMAP email account.
> >
> > this is not spamassassin's job.
> > It's the job of the mail delivery agent - procmail, maildrop, sieve
> >
> >> Then if Spam Assassin flags emails that are not spam I can tell it
> >> which of those emails to not place into the spam folder for the
> >> specific email client. Until it gradually learns which emails are
> >> spam and which are not.
> >
> > dovecot (imap/pop3 server) has plugins that support training of
> > spam/ham, if you move the mail from/to spam folder.
> >
> > https://doc.dovecot.org/configuration_manual/spam_reporting/
> >
> >> I've done a little research and I have access with my distribution to
> >> a mail directory as well as the local.cf file for which
> >> configurations are for Spam Assassin but I don't know how to set up
> >> what I mentioned above?
> >
>

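A check on the rule above, added here as an illustration rather than code from the list or from SpamAssassin itself: SA's `From:addr` selector is matched against the address part of the From: header only, so an unanchored pattern such as `/user\@domain\.com/` also hits `notuser@domain.com` and `user@domain.com.attacker.example`, while a display name that merely contains the target address is never seen by it. Python's `email.utils.parseaddr` stands in for SA's own header parsing (an assumption: the two agree for these simple cases), and every address below is invented.

```python
"""What a SpamAssassin `header ... From:addr` rule actually matches, and why
the pattern must be anchored. Added illustration; not SpamAssassin code."""
import re
from email.utils import parseaddr

# Constructed From: headers, chosen to probe the rule from both sides.
SAMPLE_FROM_HEADERS = [
    "User <user@domain.com>",                       # the sender to block
    "USER <User@Domain.COM>",                       # same mailbox, different case
    "Attacker <notuser@domain.com>",                # different local part, same domain
    "Attacker <user@domain.com.attacker.example>",  # look-alike parent domain
    '"user@domain.com" <someone@other.example>',    # target address only in the display name
]

# The pattern as posted, and the anchored, case-insensitive form.
UNANCHORED = re.compile(r"user@domain\.com")
ANCHORED = re.compile(r"^user@domain\.com$", re.IGNORECASE)


def from_addr(header_value: str) -> str:
    """The `From:addr` selector: the bare address, display name dropped
    (parseaddr is the stand-in for SA's parsing)."""
    return parseaddr(header_value)[1]


def matched_addresses(pattern: "re.Pattern", headers) -> list:
    """Addresses, as the rule would see them, that the pattern hits."""
    return [from_addr(h) for h in headers if pattern.search(from_addr(h))]


def sa_header_rule(name: str, address: str, score: float = 5.0) -> str:
    """Emit SA config text for blocking exactly one sender address."""
    pattern = re.escape(address).replace("@", r"\@")
    return (
        f"header   {name}  From:addr =~ /^{pattern}$/i\n"
        f"describe {name}  Block mail from {address}\n"
        f"score    {name}  {score:.2f}\n"
    )


if __name__ == "__main__":
    print("unanchored hits:", matched_addresses(UNANCHORED, SAMPLE_FROM_HEADERS))
    print("anchored hits:  ", matched_addresses(ANCHORED, SAMPLE_FROM_HEADERS))
    print(sa_header_rule("BLOCK_EMAIL", "user@domain.com"))
```

`sa_header_rule()` emits the anchored, case-insensitive form; run `spamassassin --lint` after adding it to local.cf. If the thing to match is the display name rather than the address, a `From:name` rule is the selector for that.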

Re: Beginner Setting up Spam Assassin

2023-12-29 Thread FalconChristopher
Anyone know how I can check and set up SpamAssassin so that I can
eliminate some spam from coming in from an email account?



On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:

On 27.12.23 16:53, FalconChristopher wrote:
Hi, I want to set up Spam Assassin so that any email that Spam
Assassin flags as spam


this is spamassassin's job


gets placed into a folder for a specific SMTP or IMAP email account.


this is not spamassassin's job.
It's the job of the mail delivery agent - procmail, maildrop, sieve

Then if Spam Assassin flags emails that are not spam I can tell it 
which of those emails to not place into the spam folder for the 
specific email client. Until it gradually learns which emails are 
spam and which are not.


dovecot (imap/pop3 server) has plugins that support training of 
spam/ham, if you move the mail from/to spam folder.


https://doc.dovecot.org/configuration_manual/spam_reporting/

I've done a little research and I have access with my distribution to 
a mail directory as well as the local.cf file for which 
configurations are for Spam Assassin but I don't know how to set up
what I mentioned above?




Re: Beginner Setting up Spam Assassin

2023-12-27 Thread Matus UHLAR - fantomas

On 27.12.23 16:53, FalconChristopher wrote:
Hi, I want to set up Spam Assassin so that any email that Spam Assassin
flags as spam


this is spamassassin's job


gets placed into a folder for a specific SMTP or IMAP email account.


this is not spamassassin's job.
It's the job of the mail delivery agent - procmail, maildrop, sieve

Then if Spam Assassin flags emails that are not spam I 
can tell it which of those emails to not place into the spam folder 
for the specific email client. Until it gradually learns which emails 
are spam and which are not.


dovecot (imap/pop3 server) has plugins that support training of spam/ham, 
if you move the mail from/to spam folder.


https://doc.dovecot.org/configuration_manual/spam_reporting/

I've done a little research and I have access with my distribution to 
a mail directory as well as the local.cf file for which configurations 
are for Spam Assassin but I don't know how to set up what I mentioned
above?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.

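The delivery side of the split Matus describes, as an added example (not from the thread, and not procmail, maildrop or Sieve code): SpamAssassin writes its verdict into the X-Spam-Status header it adds, and the delivery agent only has to parse that header and pick a folder. The folder names, the extra discard threshold and the sample message are constructed for the demonstration.

```python
"""Filing SpamAssassin-tagged mail: the delivery agent's half of the job.
Added example; not the code of any MDA. Folder names, the discard threshold
and the sample message are assumptions."""
import re
from dataclasses import dataclass
from email import message_from_string
from typing import Optional, Tuple


@dataclass(frozen=True)
class SpamStatus:
    is_spam: bool
    score: float
    required: float
    tests: Tuple[str, ...]


# "Yes, score=9.1 required=5.0 tests=A,B,C autolearn=no ... version=3.4.6"
_STATUS_RE = re.compile(
    r"^\s*(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)", re.IGNORECASE)
_TESTS_RE = re.compile(r"tests=(.*?)(?=\s+\w+=|$)")


def unfold(header_value: str) -> str:
    """Join RFC 5322 folded continuation lines; SA folds long tests= lists."""
    return re.sub(r"\r?\n[ \t]+", " ", header_value)


def parse_spam_status(value: str) -> SpamStatus:
    m = _STATUS_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised X-Spam-Status: {value!r}")
    tests: Tuple[str, ...] = ()
    t = _TESTS_RE.search(value)
    if t:
        tests = tuple(x for x in re.split(r"[,\s]+", t.group(1).strip()) if x)
    return SpamStatus(m.group(1).lower() == "yes", float(m.group(2)), float(m.group(3)), tests)


JUNK_FOLDER = "Junk"    # assumed folder name
DISCARD_SCORE = 15.0    # assumed operator threshold, well above required_score; not an SA setting


def route(raw_message: str, discard_score: float = DISCARD_SCORE) -> Tuple[str, Optional[SpamStatus]]:
    """Decide where the MDA should put the message.

    Only X-Spam-Status is consulted: X-Spam-Flag carries the same verdict
    without the score. Either header is only meaningful when the local scan
    added it, so this runs after SpamAssassin, not on mail as it arrived."""
    msg = message_from_string(raw_message)  # compat32 policy keeps the raw, folded header value
    value = msg.get("X-Spam-Status")
    if value is None:
        return "INBOX", None                # never scanned: deliver, but do not claim it is clean
    status = parse_spam_status(unfold(value))
    if status.is_spam and status.score >= discard_score:
        return "DISCARD", status
    if status.is_spam:
        return JUNK_FOLDER, status
    return "INBOX", status


# Constructed sample, headers as SpamAssassin 3.4 lays them out (addresses invented).
SAMPLE_MESSAGE = (
    'From: "Loan Desk" <offers@lender.example>\n'
    "To: alice@example.org\n"
    "Subject: Approved for funding\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=9.1 required=5.0 tests=BAYES_99,HTML_MESSAGE,\n"
    "\tMIME_HTML_ONLY,SPF_HELO_NONE autolearn=no autolearn_force=no version=3.4.6\n"
    "X-Spam-Level: *********\n"
    "\n"
    "You have been approved. Call now.\n"
)

if __name__ == "__main__":
    folder, status = route(SAMPLE_MESSAGE)
    print(folder, status)
```

The same decision in Sieve is a `header :contains "X-Spam-Flag" "YES"` test with `fileinto "Junk"`; whichever MDA does the filing, the user later moving a message between Junk and INBOX is what the Dovecot plugins linked above turn into training.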

Beginner Setting up Spam Assassin

2023-12-27 Thread FalconChristopher
Hi, I want to set up Spam Assassin so that any email that Spam Assassin
flags as spam gets placed into a folder for a specific SMTP or IMAP 
email account. Then if Spam Assassin flags emails that are not spam I 
can tell it which of those emails to not place into the spam folder for 
the specific email client. Until it gradually learns which emails are 
spam and which are not.


I've done a little research and I have access with my distribution to a 
mail directory as well as the local.cf file for which configurations are 
for Spam Assassin but I don't know how to set up what I mentioned above?


Thank You

Christopher




Re: some problem with spam

2023-12-12 Thread natan

Hi
Thanks, I'll try this ruleset.

On 12.12.2023 at 14:59, Jimmy wrote:

These rules should match

rawbody __DOUBLE_HTML   /<\/a>\s*/
uri     __LONG_LINK_URL /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i




On Tue, Dec 12, 2023 at 8:44 PM natan  wrote:

Hi
Thanks, but the link is random too, like:

https://paste.debian.net/1300874/


On 12.12.2023 at 12:21, Jimmy wrote:


uri     __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID   /
meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
describe ADB_CPN_ABUSE Possible malware link
score ADB_CPN_ABUSE 2.5000

Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can
produce false positives. Since I don't have visibility into all headers,
consider creating rules based on specific headers or other rules that
match these. Append these rules to the meta-rule and boost the overall
score accordingly.

Jimmy


On Tue, Dec 12, 2023 at 5:53 PM natan wrote:

Hi
I have SpamAssassin version 3.4.6

And I am trying to resolve two problems

1) I put .eml files with spam and teach SA like:
sa-learn --spam /root/spamik/

In /root/spamik/ there are 4 e-mails
Works great, but after 7 days I must learn again, as if SA forgot
what it learned

2) I have a problem with one type of spam like:
https://paste.debian.net/1300865/
because:
contents - random
from - random
IP - random

The construction is only somewhat similar: base64 + html
and png
All was signed by DKIM

And I had to work around it in the following way but it is
not a solution

rawbody  EMAIL_20231207     /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
describe EMAIL_20231207     Spam fake IQ password
score    EMAIL_20231207     2

rawbody  EMAIL_20231207_1   /FONT\-FAMILY\:Arial/
score    EMAIL_20231207_1   0.1
rawbody  EMAIL_20231207_2   /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
# the meta must use the rule names as defined above (EMAIL_..., not IQ_EMAIL_...),
# otherwise it references undefined rules and never fires
meta     EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score    EMAIL_20231207_ALL 2

Any idea ?




Re: some problem with spam

2023-12-12 Thread Jimmy
These rules should match

rawbody __DOUBLE_HTML   /<\/a>\s*/
uri     __LONG_LINK_URL /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i



On Tue, Dec 12, 2023 at 8:44 PM natan  wrote:

> Hi
> Thanks, but the link is random too, like:
>
> https://paste.debian.net/1300874/
>
>
> On 12.12.2023 at 12:21, Jimmy wrote:
>
>
> uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
> rawbody __IMG_SRC_CID   /
> meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
> describe ADB_CPN_ABUSE Possible malware link
> score ADB_CPN_ABUSE 2.5000
>
> Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can
> produce false positives. Since I don't have visibility into all headers,
> consider creating rules based on specific headers or other rules that
> match these. Append these rules to the meta-rule and boost the overall
> score accordingly.
>
> Jimmy
>
>
> On Tue, Dec 12, 2023 at 5:53 PM natan  wrote:
>
>> Hi
>> I have SpamAssassin version 3.4.6
>>
>> And I am trying to resolve two problems
>>
>> 1) I put .eml files with spam and teach SA like:
>> sa-learn --spam /root/spamik/
>>
>> In /root/spamik/ there are 4 e-mails
>> Works great, but after 7 days I must learn again, as if SA forgot what it
>> learned
>>
>> 2) I have a problem with one type of spam like:
>> https://paste.debian.net/1300865/
>> because:
>> contents - random
>> from - random
>> IP - random
>>
>> The construction is only somewhat similar: base64 + html and png
>> All was signed by DKIM
>>
>> And I had to work around it in the following way but it is not a solution
>>
>> rawbody  EMAIL_20231207     /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
>> describe EMAIL_20231207     Spam fake IQ password
>> score    EMAIL_20231207     2
>>
>> rawbody  EMAIL_20231207_1   /FONT\-FAMILY\:Arial/
>> score    EMAIL_20231207_1   0.1
>> rawbody  EMAIL_20231207_2   /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
>> # the meta must use the rule names as defined above (EMAIL_..., not IQ_EMAIL_...),
>> # otherwise it references undefined rules and never fires
>> meta     EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
>> score    EMAIL_20231207_ALL 2
>>
>> Any idea ?
>>


Re: some problem with spam

2023-12-12 Thread natan

Hi
Thanks, but the link is random too, like:

https://paste.debian.net/1300874/


On 12.12.2023 at 12:21, Jimmy wrote:


uri     __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID   /
meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
describe ADB_CPN_ABUSE Possible malware link
score ADB_CPN_ABUSE 2.5000

Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it
can produce false positives. Since I don't have visibility into all headers,
consider creating rules based on specific headers or other rules that
match these. Append these rules to the meta-rule and boost the overall
score accordingly.


Jimmy


On Tue, Dec 12, 2023 at 5:53 PM natan  wrote:

Hi
I have SpamAssassin version 3.4.6

And I am trying to resolve two problems

1) I put .eml files with spam and teach SA like:
sa-learn --spam /root/spamik/

In /root/spamik/ there are 4 e-mails
Works great, but after 7 days I must learn again, as if SA forgot what
it learned

2) I have a problem with one type of spam like:
https://paste.debian.net/1300865/
because:
contents - random
from - random
IP - random

The construction is only somewhat similar: base64 + html and png
All was signed by DKIM

And I had to work around it in the following way but it is not a
solution

rawbody  EMAIL_20231207     /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
describe EMAIL_20231207     Spam fake IQ password
score    EMAIL_20231207     2

rawbody  EMAIL_20231207_1   /FONT\-FAMILY\:Arial/
score    EMAIL_20231207_1   0.1
rawbody  EMAIL_20231207_2   /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
# the meta must use the rule names as defined above (EMAIL_..., not IQ_EMAIL_...),
# otherwise it references undefined rules and never fires
meta     EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score    EMAIL_20231207_ALL 2

Any idea ?





Re: some problem with spam

2023-12-12 Thread Jimmy
uri     __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID   /
meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
describe ADB_CPN_ABUSE Possible malware link
score ADB_CPN_ABUSE 2.5000

Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can
produce false positives. Since I don't have visibility into all headers,
consider creating rules based on specific headers or other rules that
match these. Append these rules to the meta-rule and boost the overall
score accordingly.

Jimmy


On Tue, Dec 12, 2023 at 5:53 PM natan wrote:

> Hi
> I have SpamAssassin version 3.4.6
>
> And I am trying to resolve two problems
>
> 1) I put .eml files with spam and teach SA like:
> sa-learn --spam /root/spamik/
>
> In /root/spamik/ there are 4 e-mails
> Works great, but after 7 days I must learn again, as if SA forgot what it
> learned
>
> 2) I have a problem with one type of spam like:
> https://paste.debian.net/1300865/
> because:
> contents - random
> from - random
> IP - random
>
> The construction is only somewhat similar: base64 + html and png
> All was signed by DKIM
>
> And I had to work around it in the following way but it is not a solution
>
> rawbody  EMAIL_20231207     /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
> describe EMAIL_20231207     Spam fake IQ password
> score    EMAIL_20231207     2
>
> rawbody  EMAIL_20231207_1   /FONT\-FAMILY\:Arial/
> score    EMAIL_20231207_1   0.1
> rawbody  EMAIL_20231207_2   /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
> # the meta must use the rule names as defined above (EMAIL_..., not IQ_EMAIL_...),
> # otherwise it references undefined rules and never fires
> meta     EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
> score    EMAIL_20231207_ALL 2
>
> Any idea ?
>
>


some problem with spam

2023-12-12 Thread natan

Hi
I have SpamAssassin version 3.4.6

And I am trying to resolve two problems

1) I put .eml files with spam and teach SA like:
sa-learn --spam /root/spamik/

In /root/spamik/ there are 4 e-mails
Works great, but after 7 days I must learn again, as if SA forgot what it learned

2) I have a problem with one type of spam like:
https://paste.debian.net/1300865/
because:
contents - random
from - random
IP - random

The construction is only somewhat similar: base64 + html and png
All was signed by DKIM

And I had to work around it in the following way but it is not a solution

rawbody  EMAIL_20231207     /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
describe EMAIL_20231207     Spam fake IQ password
score    EMAIL_20231207     2

rawbody  EMAIL_20231207_1   /FONT\-FAMILY\:Arial/
score    EMAIL_20231207_1   0.1
rawbody  EMAIL_20231207_2   /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
# the meta must use the rule names as defined above (EMAIL_..., not IQ_EMAIL_...),
# otherwise it references undefined rules and never fires
meta     EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score    EMAIL_20231207_ALL 2

Any idea ?



Re: when whitelisting, do what with marked SPAM?

2023-11-15 Thread John Hardin

On Tue, 14 Nov 2023, joe a wrote:


On 11/14/2023 13:46:11, Matus UHLAR - fantomas wrote:

 On 14.11.23 13:05, joe a wrote:

 Low volume home office user and system.

 Occasionally when first dealing with a new entity, their correspondence
 gets flagged as SPAM.

 When I whitelist these, what should be done with those messages that
 might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines of
 keeping BAYES "clean and sharp".  So to speak.

 Leave as is?  Delete and re learn?


 Simply relearn FPs. Unless you have a huge misclassification issue, learning
 as little as one mail should fix BAYES issues.



Move previously tagged SPAM into HAM folder and "relearn"?


Right. Train on misclassifications.

Also, if there was ham in your spam corpus, review why it got
misclassified in the first place.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Poor planning on your part does not create
  an obligation on my part.
---
 1,264 days since the first private commercial manned orbital mission (SpaceX)

Re: when whitelisting, do what with marked SPAM?

2023-11-15 Thread Matus UHLAR - fantomas

On 14.11.23 13:05, joe a wrote:

Low volume home office user and system.

Occasionally when first dealing with a new entity, their 
correspondence gets flagged as SPAM.


When I whitelist these, what should be done with those messages 
that might remain in "flagged SPAM" or "Missed SPAM"?, thinking 
along lines of keeping BAYES "clean and sharp".  So to speak.


Leave as is?  Delete and re learn?



On 11/14/2023 13:46:11, Matus UHLAR - fantomas wrote:
Simply relearn FPs. Unless you have a huge misclassification issue,
learning as little as one mail should fix BAYES issues.


On 14.11.23 22:02, joe a wrote:

Move previously tagged SPAM into HAM folder and "relearn"?


yes.
re-training SA on the same file works as if previous training was not done.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.

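A toy model of the bookkeeping behind "simply relearn the FPs", added here as an illustration and not SpamAssassin's Bayes implementation (the tokeniser and scoring are deliberately minimal, and the messages are constructed). The point it shows is the one Matus makes above: because the learner remembers which message-ids it has already trained and with which label, re-learning a message as ham after it was wrongly learned as spam first reverses the spam counts and then adds the ham counts, so the database ends up exactly as it would be if the wrong training had never happened.

```python
"""Toy stand-in for sa-learn's seen-database behaviour. Added illustration;
not SpamAssassin code. Corpus is constructed."""
import math
import re
from collections import Counter
from typing import Dict, Set

TOKEN_RE = re.compile(r"[a-z0-9$]{3,}")


def tokens(text: str) -> Set[str]:
    return set(TOKEN_RE.findall(text.lower()))


class ToyBayes:
    def __init__(self) -> None:
        self.spam_tokens: Counter = Counter()
        self.ham_tokens: Counter = Counter()
        self.nspam = 0
        self.nham = 0
        self.seen: Dict[str, str] = {}  # message-id -> "spam" | "ham", like sa-learn's seen db

    def _apply(self, text: str, label: str, sign: int) -> None:
        counter = self.spam_tokens if label == "spam" else self.ham_tokens
        for tok in tokens(text):
            counter[tok] += sign
        if label == "spam":
            self.nspam += sign
        else:
            self.nham += sign
        for tok in [t for t, n in counter.items() if n <= 0]:
            del counter[tok]  # keep counters canonical so two databases compare equal

    def learn(self, msgid: str, text: str, label: str) -> str:
        previous = self.seen.get(msgid)
        if previous == label:
            return "already-learned"  # a message seen with this label is skipped
        if previous is not None:
            self._apply(text, previous, -1)  # forget the earlier, wrong training first
        self._apply(text, label, +1)
        self.seen[msgid] = label
        return "relearned" if previous else "learned"

    def spam_probability(self, text: str) -> float:
        """Naive-Bayes log-odds over tokens seen in either corpus (simplified;
        SA combines token probabilities differently)."""
        log_odds = math.log((self.nspam + 1) / (self.nham + 1))
        for tok in tokens(text):
            s, h = self.spam_tokens[tok], self.ham_tokens[tok]
            if s == 0 and h == 0:
                continue
            log_odds += math.log((s + 1) / (self.nspam + 2)) - math.log((h + 1) / (self.nham + 2))
        return 1.0 / (1.0 + math.exp(-log_odds))

    def state(self):
        return (self.nspam, self.nham, dict(self.spam_tokens), dict(self.ham_tokens))


# Constructed corpus; the third message is legitimate mail wrongly trained as spam.
CORPUS = {
    "<1@example.org>": ("spam", "cheap loans approved for funding, apply now"),
    "<2@example.org>": ("ham", "meeting notes attached, see you on tuesday"),
    "<3@example.org>": ("spam", "your mortgage application was approved, documents for signature"),
}


def train(corpus) -> ToyBayes:
    db = ToyBayes()
    for msgid, (label, text) in corpus.items():
        db.learn(msgid, text, label)
    return db


if __name__ == "__main__":
    db = train(CORPUS)
    print("before relearn:", round(db.spam_probability("approved for funding"), 3))
    db.learn("<3@example.org>", CORPUS["<3@example.org>"][1], "ham")
    print("after relearn: ", round(db.spam_probability("approved for funding"), 3))
```

The equality check in the test is the property that matters: after the relearn, the trained database is indistinguishable from one that only ever saw the message as ham.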

Re: when whitelisting, do what with marked SPAM?

2023-11-14 Thread joe a

On 11/14/2023 13:46:11, Matus UHLAR - fantomas wrote:

On 14.11.23 13:05, joe a wrote:

Low volume home office user and system.

Occasionally when first dealing with a new entity, their 
correspondence gets flagged as SPAM.


When I whitelist these, what should be done with those messages that 
might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines 
of keeping BAYES "clean and sharp".  So to speak.


Leave as is?  Delete and re learn?


Simply relearn FPs. Unless you have a huge misclassification issue,
learning as little as one mail should fix BAYES issues.




Move previously tagged SPAM into HAM folder and "relearn"?




Re: when whitelisting, do what with marked SPAM?

2023-11-14 Thread joe a

On 11/14/2023 20:48:27, John Hardin wrote:

On Tue, 14 Nov 2023, joe a wrote:


Low volume home office user and system.

Occasionally when first dealing with a new entity, their 
correspondence gets flagged as SPAM.


When I whitelist these, what should be done with those messages that 
might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines 
of keeping BAYES "clean and sharp".  So to speak.


Leave as is?  Delete and re learn?


For a low volume home office user, I would simply NOT autolearn. Set up 
a hambox and a spambox and manually feed them and train from them.





I have autolearn off and have a spam and ham folder set up and "relearn" 
twice daily.


Re: when whitelisting, do what with marked SPAM?

2023-11-14 Thread John Hardin

On Tue, 14 Nov 2023, joe a wrote:


Low volume home office user and system.

Occasionally when first dealing with a new entity, their correspondence gets 
flagged as SPAM.


When I whitelist these, what should be done with those messages that might 
remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines of keeping 
BAYES "clean and sharp".  So to speak.


Leave as is?  Delete and re learn?


For a low volume home office user, I would simply NOT autolearn. Set up a 
hambox and a spambox and manually feed them and train from them.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The reason it took so long to get Bin Laden is that it took the
  SEALs five years to swim that far into the desert.  -- anon
---
 1,263 days since the first private commercial manned orbital mission (SpaceX)


Re: when whitelisting, do what with marked SPAM?

2023-11-14 Thread Matus UHLAR - fantomas

On 14.11.23 13:05, joe a wrote:

Low volume home office user and system.

Occasionally when first dealing with a new entity, their 
correspondence gets flagged as SPAM.


When I whitelist these, what should be done with those messages that 
might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines 
of keeping BAYES "clean and sharp".  So to speak.


Leave as is?  Delete and re learn?


Simply relearn FPs. Unless you have a huge misclassification issue, learning
as little as one mail should fix BAYES issues.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


when whitelisting, do what with marked SPAM?

2023-11-14 Thread joe a

Low volume home office user and system.

Occasionally when first dealing with a new entity, their correspondence 
gets flagged as SPAM.


When I whitelist these, what should be done with those messages that 
might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines 
of keeping BAYES "clean and sharp".  So to speak.


Leave as is?  Delete and re learn?


Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-12 Thread Peter
Using Sendmail.

I added milter-regex which allows very simple rules eg.

reject "Unsolicited Spam"   - make this as rude as you like.
body /I RECORDED YOU/i

Done and dusted.

It's available as an RPM from EPEL for RedHat and variants.



*** REPLY SEPARATOR  ***

On 11/11/2023 at 1:09 PM Mike Bostock via users wrote:

>In your message regarding Re: Anybody else getting bombarded with "I
>RECORDED YOU" spam? dated 11/11/2023, Noel Butler said ...
>
>> On 11/11/2023 22:37, Mike Bostock via users wrote:
>
>> > There is a way to whitelist domains with no RDNS but so far I haven't
>> > found a way to do this in the .mc file.
>> > 
>> > Thanks again
>
>> /etc/mail/access
>
>> Connect:foo  OK
>
>Of course, duh! ;-)
>
>
>-- 
>Mike





Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-11 Thread Mike Bostock via users
In your message regarding Re: Anybody else getting bombarded with "I
RECORDED YOU" spam? dated 11/11/2023, Noel Butler said ...

> On 11/11/2023 22:37, Mike Bostock via users wrote:

> > There is a way to whitelist domains with no RDNS but so far I haven't
> > found a way to do this in the .mc file.
> >
> > Thanks again

> /etc/mail/access

> Connect:foo  OK

Of course, duh! ;-)


--
Mike





Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-11 Thread Noel Butler

On 11/11/2023 22:37, Mike Bostock via users wrote:


There is a way to whitelist domains with no RDNS but so far I haven't
found a way to do this in the .mc file.

Thanks again


/etc/mail/access

Connect:foo  OK

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged 
information, therefore at all times remains confidential and subject to 
copyright protected under international law. You may not disseminate 
this message without the authors express written authority to do so.   
If you are not the intended recipient, please notify the sender then 
delete all copies of this message including attachments immediately. 
Confidentiality, copyright, and legal privilege are not waived or lost 
by reason of the mistaken delivery of this message.

Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-11 Thread Mike Bostock via users
In your message regarding Re: Anybody else getting bombarded with "I
RECORDED YOU" spam? dated 10/11/2023, Mark London said ...

> Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure
> I've been using it longer than that.  And by default it's not enabled.

> It doesn't totally block the "I RECORDED YOU" spams.   Occasionally some
> come through with IP addresses that have valid reverse lookups.  But the
> number getting blocked is still huge.



Mark, thank you for this.  I have just added this feature to my Sendmail
and installed pyspf-milter as well and I would say it has reduced my spam
by 95%.

There is a way to whitelist domains with no RDNS but so far I haven't
found a way to do this in the .mc file.

Thanks again

--
Mike



Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-10 Thread Alan
I don't have the specifics at hand but I created a rule that places a 
heavy score (like 2.0) on anything that matches existing sex and bitcoin 
rules. These messages usually match a bunch of other signals and that 
rule pushes the score over my delete-on-sight threshold (8.0).


On 2023-11-10 05:51, giova...@paclan.it wrote:
To block this type of spam I've increased the score of GB_HASHBL_BTC 
(Bitcoin rbl) rule.

 Giovanni

On 11/10/23 11:01, Mark London wrote:
Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure 
I've been using it longer than that.  And by default it's not enabled.


It doesn't totally block the "I RECORDED YOU" spams. Occasionally some
come through with IP addresses that have valid reverse lookups.  But
the number getting blocked is still huge.


On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:



Am 10.11.23 um 08:40 schrieb Mark London:
Marc - You are correct.  All the IP sources of this spam don't have a
valid reverse lookup of the IP address to a name.   That will
solve my problem. Thanks! - Mark


in other words your MTA is misconfigured

https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname 




On 11/9/2023 12:38 PM, Marc wrote:
Do you at least verify the reverse lookup? That already stops a 
lot of such networks.





--
For SpamAssassin Users List


Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-10 Thread giovanni

To block this type of spam I've increased the score of GB_HASHBL_BTC (Bitcoin 
rbl) rule.
 Giovanni

On 11/10/23 11:01, Mark London wrote:

Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure I've been 
using it longer than that.  And by default it's not enabled.

It doesn't totally block the "I RECORDED YOU" spams.   Occasionally some come
through with IP addresses that have valid reverse lookups.  But the number getting
blocked is still huge.

On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:



Am 10.11.23 um 08:40 schrieb Mark London:

Marc - You are correct.  All the IP sources of this spam don't have a valid reverse
lookup of the IP address to a name.   That will solve my problem.  Thanks!
- Mark


in other words your MTA is misconfigured

https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname


On 11/9/2023 12:38 PM, Marc wrote:

Do you at least verify the reverse lookup? That already stops a lot of such 
networks.








Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-10 Thread Mark London
Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure 
I've been using it longer than that.  And by default it's not enabled.


It doesn't totally block the "I RECORDED YOU" spams.   Occasionally some
come through with IP addresses that have valid reverse lookups.  But the
number getting blocked is still huge.


On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:



Am 10.11.23 um 08:40 schrieb Mark London:
Marc - You are correct.  All the IP sources of this spam don't have a
valid reverse lookup of the IP address to a name.   That will
solve my problem.  Thanks! - Mark


in other words your MTA is misconfigured

https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname 




On 11/9/2023 12:38 PM, Marc wrote:
Do you at least verify the reverse lookup? That already stops a lot 
of such networks.




RE: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-10 Thread Marc
Yes, it is fucked up that experience and wisdom come with getting older ;)

https://faculty.cs.niu.edu/~rickert/cf/hack/require_rdns.m4


> 
> Marc - You are correct.  All the IP sources of this spam don't have a valid
> reverse lookup of the IP address to a name.   That will solve my
> problem.  Thanks! - Mark
> 
> On 11/9/2023 12:38 PM, Marc wrote:
> > Do you at least verify the reverse lookup? That already stops a lot of
> such networks.


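The reverse-DNS gate that Marc, Reindl and Mark are discussing (Postfix's reject_unknown_reverse_client_hostname and reject_unknown_client_hostname, sendmail's require_rdns), as an added example rather than the code of either MTA. DNS is a constructed in-memory table so the check runs offline; in production the two lookups would be real PTR and A/AAAA queries (socket.gethostbyaddr and socket.gethostbyname_ex, or a resolver library). Addresses are RFC 5737 documentation ranges, hostnames are invented, and the reply texts are modelled on Postfix's.

```python
"""Reverse-DNS gating of an SMTP client. Added example; not Postfix or
sendmail code. DNS data is a constructed table."""
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed DNS view.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",       # PTR and A agree: forward-confirmed
    "198.51.100.7": "host7.bad.example",    # PTR exists, A points elsewhere
    "203.0.113.5": "static-5.isp.example",  # PTR exists, the name has no A at all
    # 203.0.113.77 deliberately has no PTR
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "host7.bad.example": ["198.51.100.99"],
}


def table_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def table_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def classify_client(ip: str,
                    ptr_lookup: Callable[[str], Optional[str]] = table_ptr,
                    a_lookup: Callable[[str], List[str]] = table_a) -> Tuple[str, Optional[str]]:
    """'ok', 'no_reverse' (no PTR at all) or 'unconfirmed' (PTR name does not
    resolve back to the connecting address)."""
    name = ptr_lookup(ip)
    if not name:
        return "no_reverse", None
    if ip not in a_lookup(name):
        return "unconfirmed", name
    return "ok", name


def smtp_reply(ip: str, strict: bool = False, exempt: FrozenSet[str] = frozenset(),
               ptr_lookup: Callable[[str], Optional[str]] = table_ptr,
               a_lookup: Callable[[str], List[str]] = table_a) -> str:
    """SMTP reply an rDNS-gating MTA would give at connect time.

    strict=False mirrors reject_unknown_reverse_client_hostname / require_rdns
    (a PTR must exist); strict=True mirrors reject_unknown_client_hostname
    (the PTR must also be forward-confirmed). `exempt` plays the role of the
    sendmail access-map `Connect:... OK` entries mentioned in the thread."""
    if ip in exempt:
        return "250 OK"
    status, _name = classify_client(ip, ptr_lookup, a_lookup)
    if status == "no_reverse":
        return f"450 4.7.25 Client host rejected: cannot find your reverse hostname, [{ip}]"
    if status == "unconfirmed" and strict:
        return f"450 4.7.25 Client host rejected: cannot find your hostname, [{ip}]"
    return "250 OK"


if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.77"):
        print(client, "|", smtp_reply(client), "|", smtp_reply(client, strict=True))
```

The 450 (temporary failure) mirrors Postfix's default unknown_client_reject_code, so a resolver outage defers mail instead of bouncing it; operators who want the outright reject Marc's blacklist gives set it to 550. The strict variant is the one that also catches a PTR pointing at someone else's hostname, at the cost of rejecting legitimately misconfigured senders.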

Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
Marc - You are correct.  All the IP sources of this spam don't have a valid
reverse lookup of the IP address to a name.   That will solve my
problem.  Thanks! - Mark


On 11/9/2023 12:38 PM, Marc wrote:

Do you at least verify the reverse lookup? That already stops a lot of such 
networks.




RE: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Marc
> 
> Heck, maybe I should just block the whole country.  :)

You have to be careful with this. I think there are 'organisations' that
specifically abuse with the intent to provoke you into blanket-blocking a
specific region/range.





Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London

Unfortunately most of the ip addresses do have reverse lookups.

On the other hand, I do see that some have common domains.   So I could
block by domain using sendmail.


Heck, maybe I should just block the whole country.  :)

On 11/9/2023 12:38 PM, Marc wrote:

The spam is coming from many different IP ranges, with little
repetition.   Most of them are from countries like Afghanistan,
Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan.  Are these the
latest sources that spam software is using, because other countries have
tightened up their security?

Do you at least verify the reverse lookup? That already stops a lot of such 
networks.


I've been using spamassassin for almost several decades, and I've never
noticed anything like this.  I don't understand why the spam continues
to be sent over and over.  I do reject emails with a very high spam,
which these spams have.  So I tried changing my configuration to discard
the email instead, hoping the spammer software would decide that the
email had been received.   This didn't help.   I'm curious if anyone is
noticing this spam. Thanks.  - Mark


This takes a while (afaik months at least).





RE: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Marc
> 
> The spam is coming from many different IP ranges, with little
> repetition.   Most of them are from countries like Afghanistan,
> Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan.  Are these the
> latest sources that spam software is using, because other countries have
> tightened up their security?

Do you at least verify the reverse lookup? That already stops a lot of such 
networks.

> I've been using spamassassin for almost several decades, and I've never
> noticed anything like this.  I don't understand why the spam continues
> to be sent over and over.  I do reject emails with a very high spam,
> which these spams have.  So I tried changing my configuration to discard
> the email instead, hoping the spammer software would decide that the
> email had been received.   This didn't help.   I'm curious if anyone is
> noticing this spam. Thanks.  - Mark
> 

This takes a while (afaik months at least). 



Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
In the last couple of days, the number of "I RECORDED YOU" spams that my
server has been receiving has gone way up. Well over a thousand a day.
And the spam is only being sent to about 20 of my users.  We had been
receiving these for the last month, but nothing at all like the rate it's
happening now.   It's not using up a ton of CPU, but it is very annoying
to see happening.


The spam is coming from many different IP ranges, with little 
repetition.   Most of them are from countries like Afghanistan, 
Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan.  Are these the 
latest sources that spam software is using, because other countries have 
tightened up their security?


I've been using spamassassin for almost several decades, and I've never 
noticed anything like this.  I don't understand why the spam continues 
to be sent over and over.  I do reject emails with a very high spam, 
which these spams have.  So I tried changing my configuration to discard 
the email instead, hoping the spammer software would decide that the 
email had been received.   This didn't help.   I'm curious if anyone is 
noticing this spam. Thanks.  - Mark


Re: (Re-)emergence of UTF based obfuscation in phishing/spam

2023-08-30 Thread Ricky Boone
Typo, I meant to say I was on SA 3.4.6.

On Wed, Aug 30, 2023, 3:22 PM Ricky Boone  wrote:

> Something I noticed on a set of emails that were reported to me.
>
> I have custom rules to look out for certain names in From:name.  The
> messages should have been caught by them, however upon inspection the
> name was UTF-8 encoded, and included a character that doesn't seem to
> render, but interferes with the regex I used.  Specifically, the bad
> actor included a RIGHT-TO-LEFT mark (U+200F, or \xe2\x80\x8f)
> effectively as a null-space character.  The body of the message was
> also flooded with LEFT-TO-RIGHT (U+200E, or \xe2\x80\x8e) and ZERO
> WIDTH NO-BREAK SPACE (U+FEFF, or \xef\xbb\xbf) characters randomly
> placed within the body and within words to interfere with other rules.
> When debugging the message, it doesn't appear that the characters are
> normalized, so from SA's perspective it seems like all of these
> characters have to be accounted for with any rules.
>
> To add, I'm currently on SA 3.6.x.  It looks like 4.0 improves UTF-8
> handling, but I'm not sure if it would address the behavior I see
> (though happy to be wrong... albeit not able to update immediately).
>
> I'm trying to see if ReplaceTags might be useful, and found an older
> discussion in this list on the matter related to the trouble with
> UTF-8.  I checked to see if there were any existing tags that would
> account for null-space/zero-width space-like characters, but didn't
> see any.  I have no issues working on creating a tag, but wanted to
> gauge the community to see what their thoughts were while I started
> down that path.
>


(Re-)emergence of UTF based obfuscation in phishing/spam

2023-08-30 Thread Ricky Boone
Something I noticed on a set of emails that were reported to me.

I have custom rules to look out for certain names in From:name.  The
messages should have been caught by them, however upon inspection the
name was UTF-8 encoded, and included a character that doesn't seem to
render, but interferes with the regex I used.  Specifically, the bad
actor included a RIGHT-TO-LEFT mark (U+200F, or \xe2\x80\x8f)
effectively as a null-space character.  The body of the message was
also flooded with LEFT-TO-RIGHT (U+200E, or \xe2\x80\x8e) and ZERO
WIDTH NO-BREAK SPACE (U+FEFF, or \xef\xbb\xbf) characters randomly
placed within the body and within words to interfere with other rules.
When debugging the message, it doesn't appear that the characters are
normalized, so from SA's perspective it seems like all of these
characters have to be accounted for with any rules.

To add, I'm currently on SA 3.6.x.  It looks like 4.0 improves UTF-8
handling, but I'm not sure if it would address the behavior I see
(though happy to be wrong... albeit not able to update immediately).

I'm trying to see if ReplaceTags might be useful, and found an older
discussion in this list on the matter related to the trouble with
UTF-8.  I checked to see if there were any existing tags that would
account for null-space/zero-width space-like characters, but didn't
see any.  I have no issues working on creating a tag, but wanted to
gauge the community to see what their thoughts were while I started
down that path.
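An added example (mine, not code from the post or from SpamAssassin) showing in Python why a From:name regex stops matching once a RIGHT-TO-LEFT MARK is inserted into the name, and the two options a filter then has: normalise by stripping every Unicode format character (general category Cf, which is what U+200E, U+200F and U+FEFF all are) before matching, or count those characters and score on their presence. The message, the display name "Acme Support", the address and both regexes are constructed for the demonstration.

```python
import base64
import re
import unicodedata
from email import message_from_bytes
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample: display name "Acme Support" with U+200F (RIGHT-TO-LEFT
# MARK) inserted after "Acme", RFC 2047 encoded as in the reported mail; the
# body is salted with U+200E and U+FEFF inside ordinary words.
DISPLAY_NAME = "Acme\u200f Support"
ENCODED_NAME = "=?UTF-8?B?" + base64.b64encode(DISPLAY_NAME.encode("utf-8")).decode("ascii") + "?="
BODY = ("Your l\u200eoan has been app\ufeffroved.\n"
        "Wi\u200ere tra\ufeffnsfer the processing fee to\u200e release the funds.\n")
RAW_MESSAGE = (
    f"From: {ENCODED_NAME} <alerts@example.com>\n"
    "To: victim@example.org\n"
    "Subject: approved for funding\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: 8bit\n"
    "\n" + BODY
).encode("utf-8")

# Rules as an admin would write them, unaware of the invisible characters.
FROM_NAME_RULE = re.compile(r"^Acme\s+Support$", re.IGNORECASE)
BODY_RULE = re.compile(r"\bwire\s+transfer\b", re.IGNORECASE)


def strip_format_chars(text: str) -> str:
    """Drop every code point of Unicode category Cf (format): zero-width
    space/joiners, the LRM/RLM bidi marks, ZWNBSP (U+FEFF), soft hyphen, ..."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def count_format_chars(text: str) -> int:
    """Number of invisible format characters present; a high count inside
    otherwise plain text is a usable spam signal on its own."""
    return sum(1 for ch in text if unicodedata.category(ch) == "Cf")


def decoded_from_name(msg) -> str:
    """RFC 2047-decode the From: header and return the display name."""
    text = "".join(
        part.decode(charset or "ascii", errors="replace") if isinstance(part, bytes) else part
        for part, charset in decode_header(msg["From"])
    )
    name, _addr = parseaddr(text)
    return name


def analyse(raw: bytes = RAW_MESSAGE) -> dict:
    """Run each rule on the raw text and on the text with format characters
    removed, so the effect of the obfuscation is visible side by side."""
    msg = message_from_bytes(raw)
    name = decoded_from_name(msg)
    body = msg.get_payload(decode=True).decode("utf-8")
    return {
        "from_name_raw_hit": bool(FROM_NAME_RULE.search(name)),
        "from_name_clean_hit": bool(FROM_NAME_RULE.search(strip_format_chars(name))),
        "body_raw_hit": bool(BODY_RULE.search(body)),
        "body_clean_hit": bool(BODY_RULE.search(strip_format_chars(body))),
        "invisible_in_name": count_format_chars(name),
        "invisible_in_body": count_format_chars(body),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:22} {value}")
```

The count-based approach is the one that carries over to SpamAssassin most directly: a rule that fires on the byte sequences the post lists (\xe2\x80\x8e, \xe2\x80\x8f, \xef\xbb\xbf) in the decoded From:name or body scores the trick itself, instead of chasing every name it gets applied to.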


Re: Expanded Spam Report

2023-08-08 Thread David Bürgin
Hello,

perhaps try setting

report_safe 0

Then, according to the documentation at ‘man Mail::SpamAssassin::Conf’,
a header ‘X-Spam-Report’ will be added that might just be what you need.


Expanded Spam Report

2023-08-08 Thread D Benham

Hi,


It looks like I am using SA 4.0.0 on Ubuntu 23.x.  I have looked for an 
answer in Google-pedia, and it either does not exist or I am not able to 
figure out the correct search term.



Is there a way to get a "spam report" or "expanded spam headers" from 
spamassassin included in the incoming emails?  I'm thinking of something 
like what rspamd provides when expanded_headers is set to true.  I would 
also accept a tool that I can submit an email to that would do the 
same.  Ultimately, when I see a piece of spam that gets through, I'm 
having to manually look up each rule, the score, and figure out why it 
was considered ham.  I'd like something that would automate some of the 
work while I'm tweaking things.



Here's an example of what I'm thinking of (from rspamd):


X-Spamd-Result: default: False [12.36 / 15.01]; 
BAYES_SPAM(5.10)[99.99%]; URIBL_RED(3.50)[spamserver.domain.xx:url]; 
FORGED_RECIPIENTS(2.00)[m:m...@domain1.xx,s:m...@domain2.xx]; 
R_MIXED_CHARSET(1.07)[subject]; MID_RHS_NOT_FQDN(0.50)[]; 
BAD_REP_POLICIES(0.10)[]; RCVD_NO_TLS_LAST(0.10)[]; 
HAS_ANON_DOMAIN(0.10)[]; 
MIME_GOOD(-0.10)[multipart/related,multipart/alternative,text/plain]; 
MX_GOOD(-0.01)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_DKIM_NA(0.00)[]; 
RCVD_COUNT_TWO(0.00)[2]; ASN(0.00)[asn:34300, ipnet:XXX.XXX.XXX.0/19, 
country:XX]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~,4:~,5:+]; 
FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; 
GREYLIST(0.00)[pass,body]; R_SPF_ALLOW(0.00)[+a:c]; 
RWL_MAILSPIKE_POSSIBLE(0.00)[XXX.XXX.XXX.36:from]; TO_DN_NONE(0.00)[]; 
CLAM_VIRUS_FAIL(0.00)[failed to scan and retransmits exceed]; 
DMARC_NA(0.00)[spamsender.domain.xx]; 
ARC_NA(0.00)[]

D


Re: Really hard-to-filter spam

2023-08-05 Thread Sean Greenslade
On Fri, Aug 04, 2023 at 08:38:24AM -0500, Thomas Cameron wrote:
> It was a typo, sorry. I have a cron job that uses --spam against the spam
> folder, and --ham against the ham folder. I just copied and pasted poorly.
> This is the actual script for my account:
> 
> [thomas.cameron@mail-east ~]$ cat bin/spamcheck
> #!/bin/bash
> sa-learn --progress --spam --mbox /home/thomas.cameron/mail/INBOX/spam
> sa-learn --progress --ham --mbox /home/thomas.cameron/mail/INBOX/ham
> 
> Bayes tests for other messages, like the one you sent me, looks like this:
> 
> ------
> Return-Path: 
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
>   mail-east.camerontech.com
> X-Spam-Level:
> X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
>   DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,
>   SPF_PASS,T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=ham
>   autolearn_force=no version=3.4.6
> --
> 
> But messages flagged as spam look like this:
> 
> --
> Return-Path:
> 
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
>   mail-east.camerontech.com
> X-Spam-Flag: YES
> X-Spam-Level: 
> X-Spam-Status: Yes, score=36.8 required=5.0 tests=BAYES_99,BAYES_999,
>   DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FROM_FMBLA_NEWDOM,
>   FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,HTML_IMAGE_ONLY_32,
>   HTML_MESSAGE,PDS_OTHER_BAD_TLD,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
>   RCVD_IN_DNSWL_HI,RDNS_NONE,SH_HELO_DBL,SH_HELO_ZRD_FRESH,
>   SH_ZRD_HEADERS_FRESH,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,
>   URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_ZRD shortcircuit=no autolearn=spam
>   autolearn_force=no version=3.4.6
> --
> 
> The previous email I copied headers from as an example was just a bad
> example. Usually Bayes is /pretty/ accurate on my system. I only used that
> one because it was a message which made it through SpamAssassin. I was
> trying to demonstrate that the checks were not failing, as suggested in an
> earlier comment.
> 
> Thanks for catching that, though. I have made silly mistakes like that so I
> appreciate you checking me.

In that case, I think I can only offer some general suggestions that I
personally follow.

I have the autolearn function completely disabled. In my experience, if
you have a decent training corpus of known ham and known spam, autolearn
doesn't really add anything.

Like yours, my bayes results are usually quite accurate. At this point,
I only train messages that are actually false positives or false
negatives. I can't say for sure how effective this is, but my intuition
is that by only training on "hard" messages (meaning ones that the
non-bayes SA rules couldn't take care of on their own), I'm keeping the
bayes engine focused on the most important messages to classify
correctly. Your above spample has such a high score, my mail server
would have rejected that message at SMTP time even if it had triggered
BAYES_00. I wouldn't bother training such a message; the rest of the
rules have it covered.

Another thing to note is that spam tends to change over time. Having
really old spams in your bayes DB could be diluting its effectiveness by
having it look for signs that the current crop of spams don't show. It
might be worth starting fresh with an empty bayes db and training just a
few hundred of your most recent hams and spams.

And finally, if there's something consistent about the messages, don't
be afraid to write a manual rule. I have a few special rules in my
configs that alter the bayes scoring based on other aspects of the
messages.

--Sean



Re: Really hard-to-filter spam

2023-08-04 Thread Thomas Cameron via users




On 8/4/23 02:15, Sean Greenslade wrote:
> On Wed, Aug 02, 2023 at 04:17:22PM -0500, Thomas Cameron via users wrote:
>> On 8/2/23 15:52, David B Funk wrote:
>>
>> I have the users move spam to an imap folder, and then run (via the user's
>> cron job):
>>
>> sa-learn --mbox --spam /home/[username]/mail/spam
>>
>> If something is flagged as spam and it's not supposed to be, I have them
>> copy it to the ham folder and I run (also via cron job):
>>
>> sa-learn --mbox --ham /home/[username]/mail/spam
>
> Hopefully this is just a typo in your email, but the above line trains
> your spam folder as if it's ham. That could easily cause your screwed-up
> bayes scores.
>
> --Sean


It was a typo, sorry. I have a cron job that uses --spam against the 
spam folder, and --ham against the ham folder. I just copied and pasted 
poorly. This is the actual script for my account:


[thomas.cameron@mail-east ~]$ cat bin/spamcheck
#!/bin/bash
sa-learn --progress --spam --mbox /home/thomas.cameron/mail/INBOX/spam
sa-learn --progress --ham --mbox /home/thomas.cameron/mail/INBOX/ham

Bayes tests for other messages, like the one you sent me, looks like this:

--
Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
mail-east.camerontech.com
X-Spam-Level:
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,
SPF_PASS,T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=ham
autolearn_force=no version=3.4.6
--

But messages flagged as spam look like this:

--
Return-Path: 


X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
mail-east.camerontech.com
X-Spam-Flag: YES
X-Spam-Level: 
X-Spam-Status: Yes, score=36.8 required=5.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FROM_FMBLA_NEWDOM,
FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,HTML_IMAGE_ONLY_32,
HTML_MESSAGE,PDS_OTHER_BAD_TLD,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
RCVD_IN_DNSWL_HI,RDNS_NONE,SH_HELO_DBL,SH_HELO_ZRD_FRESH,
SH_ZRD_HEADERS_FRESH,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,
URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_ZRD shortcircuit=no autolearn=spam
autolearn_force=no version=3.4.6
--

The previous email I copied headers from as an example was just a bad 
example. Usually Bayes is /pretty/ accurate on my system. I only used 
that one because it was a message which made it through SpamAssassin. I 
was trying to demonstrate that the checks were not failing, as suggested 
in an earlier comment.


Thanks for catching that, though. I have made silly mistakes like that 
so I appreciate you checking me.


--
Thomas


Re: Really hard-to-filter spam

2023-08-04 Thread Sean Greenslade
On Wed, Aug 02, 2023 at 04:17:22PM -0500, Thomas Cameron via users wrote:
> On 8/2/23 15:52, David B Funk wrote:
>
> 
>
> I have the users move spam to an imap folder, and then run (via the user's
> cron job):
> 
> sa-learn --mbox --spam /home/[username]/mail/spam
> 
> If something is flagged as spam and it's not supposed to be, I have them
> copy it to the ham folder and I run (also via cron job):
> 
> sa-learn --mbox --ham /home/[username]/mail/spam

  
Hopefully this is just a typo in your email, but the above line trains
your spam folder as if it's ham. That could easily cause your screwed-up
bayes scores.

--Sean



Re: Really hard-to-filter spam

2023-08-02 Thread Thomas Cameron via users

On 8/2/23 15:52, David B Funk wrote:
> Regardless, if a message has never been seen before and has little
> correlation to earlier messages its Bayes should hit someplace in the
> 40% to 60% range.
>
> The fact that it hit 00% indicates a strong correlation to lots of ham
> (or something is screwy with your Bayes).


OK, here's what I got just now:

[thomas.cameron@mail-east ~]$ sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0      41449          0  non-token data: nspam
0.000          0      49720          0  non-token data: nham
0.000          0     162741          0  non-token data: ntokens
0.000          0 1689089541          0  non-token data: oldest atime
0.000          0 1691009577          0  non-token data: newest atime
0.000          0 1691007146          0  non-token data: last journal sync atime
0.000          0 1690991018          0  non-token data: last expiry atime
0.000          0    1382400          0  non-token data: last expire atime delta
0.000          0      13879          0  non-token data: last expire reduction count


I can absolutely re-train Bayes. I am kind of an email pack-rat, so I 
have over a gig of saved known good emails in various folders. I have SA 
set up so that emails are scanned individually on a per user basis via 
procmail rule:


[thomas.cameron@mail-east ~]$ head .procmailrc
MAILDIR=$HOME/mail
LOGFILE=$MAILDIR/procmail.log

:0fw: spamassassin.lock
* < 512000
| spamassassin

I have the users move spam to an imap folder, and then run (via the 
user's cron job):


sa-learn --mbox --spam /home/[username]/mail/spam

If something is flagged as spam and it's not supposed to be, I have them 
copy it to the ham folder and I run (also via cron job):


sa-learn --mbox --ham /home/[username]/mail/spam

For my email account, I've used my inbox and various other folders to 
train Bayes in the past (although it's definitely been a while since I 
did Bayes maintenance), but I have zero issue nuking my personal Bayes 
data and starting over.


Thoughts?

--
Thomas


Re: Really hard-to-filter spam

2023-08-02 Thread David B Funk

On Wed, 2 Aug 2023, Thomas Cameron via users wrote:

> Thank you very much. The message that slipped through today was NOT one of
> the ones being discussed in this thread, it was a different format and
> totally different message. I only included it to demonstrate that my server
> was not being rejected for queries as the blocked user intimated. I will dig
> deeper into the --magic and make sure I'm feeding Bayes with spam and ham.


Regardless, if a message has never been seen before and has little correlation 
to earlier messages its Bayes should hit someplace in the 40% to 60% range.


The fact that it hit 00% indicates a strong correlation to lots of ham (or 
something is screwy with your Bayes).



--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Really hard-to-filter spam

2023-08-02 Thread Thomas Cameron via users




On 8/2/23 14:32, Dave Funk wrote:
> On Wed, 2 Aug 2023, Thomas Cameron via users wrote:
>> Wow! What a charming response! You must be a LOT of fun at parties,
>> and have lots of friends!
>
> Please don't feed the troll. There's a reason that Reindl is blocked
> from this list.

I was not aware, and I apologize.



>> No, I did not get that response. I don't have any of those specific
>> spam to sample, as I have not gotten one today. But the last spam I
>> got that slipped through SA had this score:
>>
>> X-Spam-Status: No, score=-5.1 required=5.0 tests=BAYES_00,DEAR_SOMETHING,
>> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
>> HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,RCVD_IN_PBL,
>> SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE shortcircuit=no
>>
>> So nothing about any tests not working, or queries being rejected.
>> Nothing that looks like misconfiguration on my end. I am not saying
>> there are no misconfigurations on my end, but if there are, it's not
>> super obvious to me.
>
> The fact that you're getting BAYES_00 on that message indicates that
> Bayes -really- thinks it's ham.
> Given that you've trained multiple instances of this kind of message
> to Bayes as spam but it still gets BAYES_00 score means one of two
> things:
> 1) Either you've got thousands of instances of similar messages that
> were learned as 'ham'
> 2) or the database that Bayes in your running SA instance is using is
> not the same one that you were doing your training to.
>
> This could be configuration issues or pilot error (using the wrong
> identity when doing the training, training on the wrong machine, etc).
>
> On your SA machine what does the output of "sa-learn --dump magic"
> show you?
> (IE how many nspam & nham tokens, what is the newest "atime", etc).
>
> If careful config & log inspection doesn't give clues, try this
> brute-force test.
> Shut down your SA, move the directory containing your Bayes database
> out of the way and create a new empty one.
>
> ("sa-learn --dump magic" should now show 0 tokens).
>
> Then train a few ham & spam messages (only a dozen or so), recheck the
> --dump magic to see that there are now some tokens in the database but
> not too many.
>
> Restart your SA and watch the log results. If there are fewer than 200
> messages (both ham & spam) in your Bayes database then SA won't use
> it, so make sure that's the case, your new database should be too
> empty for SA to be willing to use it.
> So if you -are- getting Bayes scores then that indicates that SA is
> using some database other than what you think it has.
>
> Now start manually training more messages (spam & ham). When you hit
> the 200 count threshold Bayes scores should start showing up in your
> logs.
>
> Good luck.


Thank you very much. The message that slipped through today was NOT one 
of the ones being discussed in this thread, it was a different format 
and totally different message. I only included it to demonstrate that my 
server was not being rejected for queries as the blocked user intimated. 
I will dig deeper into the --magic and make sure I'm feeding Bayes with 
spam and ham.


Thanks for your response, and again, I apologize for leaking that user's 
garbage to the list. I was not aware that he was blocked.


--
Thomas


Re: Really hard-to-filter spam

2023-08-02 Thread Dave Funk

On Wed, 2 Aug 2023, Thomas Cameron via users wrote:

> Wow! What a charming response! You must be a LOT of fun at parties, and have lots of
> friends!

Please don't feed the troll. There's a reason that Reindl is blocked from this 
list.

> No, I did not get that response. I don't have any of those specific spam to
> sample, as I have not gotten one today. But the last spam I got that
> slipped through SA had this score:
>
> X-Spam-Status: No, score=-5.1 required=5.0 tests=BAYES_00,DEAR_SOMETHING,
> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
> HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,RCVD_IN_PBL,
> SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE shortcircuit=no
>
> So nothing about any tests not working, or queries being rejected. Nothing that
> looks like misconfiguration on my end. I am not saying there are
> no misconfigurations on my end, but if there are, it's not super obvious to me.


The fact that you're getting BAYES_00 on that message indicates that Bayes 
-really- thinks it's ham.
Given that you've trained multiple instances of this kind of message to Bayes as 
spam but it still gets BAYES_00 score means one of two things:
1) Either you've got thousands of instances of similar messages that were 
learned as 'ham'
2) or the database that Bayes in your running SA instance is using is not the 
same one that you were doing your training to.


This could be configuration issues or pilot error (using the wrong identity when 
doing the training, training on the wrong machine, etc).


On your SA machine what does the output of "sa-learn --dump magic" show you?
(IE how many nspam & nham tokens, what is the newest "atime", etc).

If careful config & log inspection doesn't give clues, try this brute-force 
test.
Shut down your SA, move the directory containing your Bayes database out of the 
way and create a new empty one.

("sa-learn --dump magic" should now show 0 tokens).

Then train a few ham & spam messages (only a dozen or so), recheck the --dump 
magic to see that there are now some tokens in the database but not too many.


Restart your SA and watch the log results. If there are fewer than 200 messages 
(both ham & spam) in your Bayes database then SA won't use it, so make sure 
that's the case, your new database should be too empty for SA to be willing to 
use it.
So if you -are- getting Bayes scores then that indicates that SA is using some 
database other than what you think it has.


Now start manually training more messages (spam & ham). When you hit the 200 
count threshold Bayes scores should start showing up in your logs.


Good luck.

--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
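The checks Dave describes (nspam and nham against the 200-message threshold, the newest "atime") as an added example in Python, not part of the post and not SpamAssassin code: a parser for `sa-learn --dump magic` output with a small health report. The first dump is the one Thomas posted earlier in this thread; the empty dump, the 200 figure (SpamAssassin's default bayes_min_spam_num and bayes_min_ham_num) and the 4:1 ratio rule of thumb are mine.

```python
import re

# `sa-learn --dump magic` output as posted by Thomas Cameron earlier in the
# thread, re-spaced the way sa-learn prints it.
MAGIC_OK = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0      41449          0  non-token data: nspam
0.000          0      49720          0  non-token data: nham
0.000          0     162741          0  non-token data: ntokens
0.000          0 1689089541          0  non-token data: oldest atime
0.000          0 1691009577          0  non-token data: newest atime
0.000          0 1691007146          0  non-token data: last journal sync atime
0.000          0 1690991018          0  non-token data: last expiry atime
0.000          0    1382400          0  non-token data: last expire atime delta
0.000          0      13879          0  non-token data: last expire reduction count
"""

# Constructed: what a freshly created, empty database dumps (the brute-force
# test above expects this shape right after moving the old database away).
MAGIC_EMPTY = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0          0          0  non-token data: ntokens
0.000          0          0          0  non-token data: oldest atime
0.000          0          0          0  non-token data: newest atime
"""

MAGIC_LINE = re.compile(r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+?)\s*$")

# SpamAssassin defaults for bayes_min_spam_num / bayes_min_ham_num: below
# either count the BAYES_* rules do not fire at all.
MIN_SPAM = 200
MIN_HAM = 200


def parse_magic(text):
    """Turn the dump into {'nspam': 41449, 'newest atime': 1691009577, ...};
    the value sits in the third column of each non-token line."""
    magic = {}
    for line in text.splitlines():
        m = MAGIC_LINE.match(line)
        if m:
            magic[m.group(2)] = int(m.group(1))
    return magic


def bayes_status(magic, now, stale_days=7):
    """Say whether this database can be in use at all and flag the usual
    signs of trouble. `now` is an epoch timestamp passed in explicitly so the
    result is reproducible."""
    problems = []
    nspam, nham = magic.get("nspam", 0), magic.get("nham", 0)
    if nspam < MIN_SPAM:
        problems.append(f"nspam {nspam} < {MIN_SPAM}: Bayes is not used until more spam is learned")
    if nham < MIN_HAM:
        problems.append(f"nham {nham} < {MIN_HAM}: Bayes is not used until more ham is learned")
    # Rule of thumb (mine): a corpus skewed beyond 4:1 either way is a common
    # cause of BAYES_* leaning the wrong way on unfamiliar mail.
    if nspam and nham and not 0.25 <= nspam / nham <= 4:
        problems.append(f"spam:ham ratio {nspam / nham:.2f} is badly skewed")
    days_since_touch = (now - magic.get("newest atime", 0)) / 86400
    if days_since_touch > stale_days:
        problems.append(f"newest atime is {days_since_touch:.1f} days old: no token has been "
                        "touched by scanning or learning recently; is this the db SA really uses?")
    span_days = (magic.get("newest atime", 0) - magic.get("oldest atime", 0)) / 86400
    return {"usable": nspam >= MIN_SPAM and nham >= MIN_HAM,
            "problems": problems,
            "days_since_touch": round(days_since_touch, 2),
            "token_age_span_days": round(span_days, 1)}


if __name__ == "__main__":
    for label, dump in (("current", MAGIC_OK), ("fresh", MAGIC_EMPTY)):
        print(label, bayes_status(parse_magic(dump), now=1691020000))
```

Run it against `sa-learn --dump magic` executed as the same user (and with the same `-u`/identity) that spamd or spamassassin scans as; a healthy report from a database the scanner never opens is exactly the mismatch Dave's brute-force test is designed to expose.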

