Re: Finance spam
> this whole range of 185.3.229.x is on my dns blacklist and everything on
> that is either rejected or marked. I can only suggest doing something
> similar ;)

Very helpful. Thanks for sharing.

> RCVD_IN_HOSTKARMA_W=-2.5
> change to -0.1

That does seem to be a bit heavy-handed.

> and lastly i unsubscribed you :=)

lol, thanks :-)
Re: Finance spam
Alex wrote on 2024-07-16 15:00:

> Hi all,
>
> Does anyone have any further ideas on how to block "approved for funding" spam?
>
> https://pastebin.com/2rKiAEpt
>
> This one is another namecheap domain registered from Reykjavik. I can create body rules, but the language is very much in line with legitimate lending companies.
>
> I've also added the phone to my phone rules, but everyone knows they only last for a few days.
>
> Other ideas greatly appreciated.

spf_helo_none: add more positive score to it

RCVD_IN_HOSTKARMA_W=-2.5
change to -0.1

and lastly I unsubscribed you :=)
RE: Finance spam
this whole range of 185.3.229.x is on my dns blacklist and everything on that is either rejected or marked. I can only suggest doing something similar ;)

> Does anyone have any further ideas on how to block "approved for funding" spam?
>
> https://pastebin.com/2rKiAEpt
>
> This one is another namecheap domain registered from Reykjavik. I can create body rules, but the language is very much in line with legitimate lending companies.
>
> I've also added the phone to my phone rules, but everyone knows they only last for a few days.
>
> Other ideas greatly appreciated.
Finance spam
Hi all,

Does anyone have any further ideas on how to block "approved for funding" spam?

https://pastebin.com/2rKiAEpt

This one is another namecheap domain registered from Reykjavik. I can create body rules, but the language is very much in line with legitimate lending companies.

I've also added the phone to my phone rules, but everyone knows they only last for a few days.

Other ideas greatly appreciated.
Re: How to report SPAM?
They do if you're offering mail service to a large number of users. They log in to a phished mailbox, send new phishing mails to that mailbox and check the headers to see which rules are hit. Then they adapt the phishing mail to get a lower score until they are below the spam threshold.

That's why I am writing my own rules with very generic names and descriptions.

On 27-05-2024 at 23:10, Thomas Barth via users wrote:

> What can I do? With these SPAMS, I have the impression that the senders know exactly how to trick Spamassassin.
Re: How to report SPAM?
On 27.05.24 23:10, Thomas Barth via users wrote:
> for months I have been waiting for the type of SPAM I receive to be captured by the DNS block lists. But nothing is happening. I have long since fed Spamassassin with these SPAMs. What else can I do? I have even activated HOSTKARMA-black/brown. Doesn't help either. Do I perhaps have to report the SPAM myself? Is this reporting still up to date https://cwiki.apache.org/confluence/display/SPAMASSASSIN/Report+spam
>
> The scoring of this type of SPAM is
>
> X-Spam-Status: No, score=3.502 tagged_above=2 required=6.31 tests=[BAYES_99=3.5, BAYES_999=0.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L3=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no

From the score itself it's very hard to find out the issue. Maybe you are blocked on DNS blocklist (perhaps you use public DNS servers)? Perhaps the spam came from hosts that are not blocked?

If you posted Received: headers (here or on e.g. pastebin), it could help us.

> Here the checks of a higher rated SPAM mail. A lot more working checks available.
>
> X-Spam-Status: Yes, score=15.037 tagged_above=2 required=6.31 tests=[BAYES_20=-0.001, DMARC_MISSING=0.001, EXTRA_SCORE=1, FROM_SUSPICIOUS_NTLD=0.499, FROM_SUSPICIOUS_NTLD_FP=1.999, FSL_BULK_SIG=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MISSING_MID=0.497, NORDNS_LOW_CONTRAST=0.001, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=0.922, RCVD_IN_HOSTKARMA_BL=2, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_ZBI=0.001, RCVD_IN_SBL_CSS=3.335, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TO_NO_BRKTS_NORDNS_HTML=0.001] autolearn=no autolearn_force=no

So, at least dnsbls work well for you.

> What can I do? With these SPAMS, I have the impression that the senders know exactly how to trick Spamassassin.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.
RE: How to report SPAM?
> for months I have been waiting for the type of SPAM I receive to be
> captured by the DNS block lists. But nothing is happening. I have long
> since fed Spamassassin with these SPAMs. What else can I do?

put your spam score lower? I don't think you will get many false positives when you put it at 3

> I have even activated HOSTKARMA-black/brown. Doesn't help either. Do I perhaps have
> to report the SPAM myself?

I started creating own dns blacklists. I am flagging a lot as spam and users can individually unset this.
Fwd: Re: Rule: "1.0 R_DCD 90% of .com. is spam"
oh dear, when does he stop?

Original message
Subject: Re: Rule: "1.0 R_DCD 90% of .com. is spam"
Date: 2024-05-10 20:17
From: "Reindl Harald (gmail)"
To: Benny Pedersen

On 10.05.24 at 20:14, Benny Pedersen wrote:
> Matus UHLAR - fantomas wrote on 2024-05-10 18:46:
>> On 10.05.24 15:36, Rupert Gallagher wrote:
>>> The ikea mail was received through ... mta-numbers.ikea.com.sparkpostmail.com and is a request for feedback.
>>>
>>> The SA rule says ... header R_DCD Received =~ /\.com\./
>>>
>>> I still do not know where the rule comes from, DCD may actually mean dot-com-dot, and perhaps it is true that they are mostly spam.
>>
>> where is the rule stored? what file?
>>
>>> On May 10, 2024, 17:18, Rupert Gallagher wrote:
>>>> I only have stock and KAM, and it is definitely not a custom rule of mine.
>
> grep -r '\.com./' /var/lib/spamassassin/4.00/
>
> seems some good dot.com rules everywhere

and what has this to do with the other idiot?

go and eat shit you dumb list spammer
Re: Rule: "1.0 R_DCD 90% of .com. is spam"
Matus UHLAR - fantomas wrote on 2024-05-10 18:46:
> On 10.05.24 15:36, Rupert Gallagher wrote:
>> The ikea mail was received through ... mta-numbers.ikea.com.sparkpostmail.com and is a request for feedback.
>>
>> The SA rule says ... header R_DCD Received =~ /\.com\./
>>
>> I still do not know where the rule comes from, DCD may actually mean dot-com-dot, and perhaps it is true that they are mostly spam.
>
> where is the rule stored? what file?
>
>> On May 10, 2024, 17:18, Rupert Gallagher wrote:
>>> I only have stock and KAM, and it is definitely not a custom rule of mine.

grep -r '\.com./' /var/lib/spamassassin/4.00/

seems some good dot.com rules everywhere
Re: Rule: "1.0 R_DCD 90% of .com. is spam"
On 2024-05-10 at 11:08:53 UTC-0400 (Fri, 10 May 2024 15:08:53 +) Rupert Gallagher is rumored to have said:

> R_DCD

That string does not occur anywhere in the SpamAssassin distribution, neither in the code nor in the rules, *including* the rules that are not currently performing well enough to be in the active list.

If your system generated that hit, it is one of your own local rules. If it came from elsewhere, ask them.

-- 
Bill Cole
Re: Rule: "1.0 R_DCD 90% of .com. is spam"
On 10.05.24 15:36, Rupert Gallagher wrote:
> The ikea mail was received through ... mta-numbers.ikea.com.sparkpostmail.com and is a request for feedback.
>
> The SA rule says ... header R_DCD Received =~ /\.com\./
>
> I still do not know where the rule comes from, DCD may actually mean dot-com-dot, and perhaps it is true that they are mostly spam.

where is the rule stored? what file?

> On May 10, 2024, 17:18, Rupert Gallagher wrote:
>> I only have stock and KAM, and it is definitely not a custom rule of mine.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.
Re: Rule: "1.0 R_DCD 90% of .com. is spam"
Ahhh

The ikea mail was received through ... mta-numbers.ikea.com.sparkpostmail.com and is a request for feedback.

The SA rule says ... header R_DCD Received =~ /\.com\./

I still do not know where the rule comes from, DCD may actually mean dot-com-dot, and perhaps it is true that they are mostly spam.

Original Message
On May 10, 2024, 17:18, Rupert Gallagher wrote:
> I only have stock and KAM, and it is definitely not a custom rule of mine.
>
> Original Message
> On May 10, 2024, 17:11, Matus UHLAR - fantomas wrote:
>> On 10.05.24 15:08, Rupert Gallagher wrote:
>>> My local evidence does not support the general claim that 90% of .com is spam.
>>>
>>> I just received a mail from informat...@info.email.ikea.com marked as spam, with positive R_DCD. The rule did not trigger on mail from other .com addresses.
>>>
>>> I do not know what R_DCD means, and search indexes do not help. Short of reading the source code, does anybody know what R_DCD means?
>>
>> I have no idea. where did you get this rule from? I don't see it in stock rules
>>
>> -- 
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I do not want to receive any advertising mail at this address.
>> There's a long-standing bug relating to the x86 architecture that allows you to install Windows. -- Matthew D. Fuller
Re: Rule: "1.0 R_DCD 90% of .com. is spam"
I only have stock and KAM, and it is definitely not a custom rule of mine.

Original Message
On May 10, 2024, 17:11, Matus UHLAR - fantomas wrote:
> On 10.05.24 15:08, Rupert Gallagher wrote:
>> My local evidence does not support the general claim that 90% of .com is spam.
>>
>> I just received a mail from informat...@info.email.ikea.com marked as spam, with positive R_DCD. The rule did not trigger on mail from other .com addresses.
>>
>> I do not know what R_DCD means, and search indexes do not help. Short of reading the source code, does anybody know what R_DCD means?
>
> I have no idea. where did you get this rule from? I don't see it in stock rules
>
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> There's a long-standing bug relating to the x86 architecture that allows you to install Windows. -- Matthew D. Fuller
Re: Rule: "1.0 R_DCD 90% of .com. is spam"
On 10.05.24 15:08, Rupert Gallagher wrote:
> My local evidence does not support the general claim that 90% of .com is spam.
>
> I just received a mail from informat...@info.email.ikea.com marked as spam, with positive R_DCD. The rule did not trigger on mail from other .com addresses.
>
> I do not know what R_DCD means, and search indexes do not help. Short of reading the source code, does anybody know what R_DCD means?

I have no idea. where did you get this rule from? I don't see it in stock rules

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
There's a long-standing bug relating to the x86 architecture that allows you to install Windows. -- Matthew D. Fuller
Rule: "1.0 R_DCD 90% of .com. is spam"
My local evidence does not support the general claim that 90% of .com is spam.

I just received a mail from informat...@info.email.ikea.com marked as spam, with positive R_DCD. The rule did not trigger on mail from other .com addresses.

I do not know what R_DCD means, and search indexes do not help. Short of reading the source code, does anybody know what R_DCD means?
Re: How to get the X-Spam-Flag
On Fri, May 03, 2024 at 08:22:09PM +0200, tba...@txbweb.de wrote:
> when I send a test spam message to my server it recognizes it as spam and
> puts it into /var/lib/amavis/virusmails as a gz file. In this file I can
> find the complete X-Spam-Header, etc:
>
> But this header is missing in the passed mail. I use the standard settings
> of amavis
>
> in /etc/amavis/conf.d/20-debian_defaults

Did you check @local_domains_acl in /etc/amavis/conf.d/05-domain_id ?

E.g. the part that talks about:

# amavisd-new needs to know which email domains are to be considered local
# to the administrative domain. Only emails to "local" domains are subject
# to certain functionality, such as the addition of spam tags.

-- 
Opinions above are GNU-copylefted.
How to get the X-Spam-Flag
System (fresh installation): Debian 12.5, Postfix, Dovecot, Amavis (Clamav, Spamassassin)

Hello,

when I send a test spam message to my server it recognizes it as spam and puts it into /var/lib/amavis/virusmails as a gz file. In this file I can find the complete X-Spam-Header, etc:

X-Envelope-To-Blocked:
X-Quarantine-ID:
X-Spam-Flag: YES
X-Spam-Score: 999.8
X-Spam-Level:
X-Spam-Status: Yes, score=999.8 tag=2 tag2=6.31 kill=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, GTUBE=1000, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no

But this header is missing in the passed mail. I use the standard settings of amavis in /etc/amavis/conf.d/20-debian_defaults

$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_DISCARD;
$final_spam_destiny = D_PASS;
$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)

I want to use a global sieve rule for the X-Spam-Flag = YES to get this mail into the Junk-folder of the recipient.

Why is the header missing in the passed mail ($final_spam_destiny = D_PASS) although it is saved with the header in the quarantine folder?
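The X-Spam-Status lines quoted in this thread and in the "How to report SPAM?" thread above (the 3.502 and 15.037 messages, and the GTUBE quarantine header here) share one small grammar, and reading them by eye is how you work out which rules actually carried a verdict. The parser below is an added example written for this page, not code from the list or from SpamAssassin/amavis; it assumes the amavis header layout shown in those quotes (`tests=[NAME=score, ...]`, with either `required=` or the `tag=/tag2=/kill=` triple as the threshold), and the three sample headers are the ones quoted in the threads, re-typed here as constants.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three X-Spam-Status lines quoted in the
# threads, re-typed so the parser runs offline.
LOW_SCORING = (
    "X-Spam-Status: No, score=3.502 tagged_above=2 required=6.31 "
    "tests=[BAYES_99=3.5, BAYES_999=0.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, "
    "DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, "
    "HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_L3=0.001, "
    "SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no"
)
HIGH_SCORING = (
    "X-Spam-Status: Yes, score=15.037 tagged_above=2 required=6.31 "
    "tests=[BAYES_20=-0.001, DMARC_MISSING=0.001, EXTRA_SCORE=1, "
    "FROM_SUSPICIOUS_NTLD=0.499, FROM_SUSPICIOUS_NTLD_FP=1.999, "
    "FSL_BULK_SIG=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_IMAGE_RATIO_04=0.001, "
    "HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MISSING_MID=0.497, "
    "NORDNS_LOW_CONTRAST=0.001, RAZOR2_CF_RANGE_51_100=1.886, RAZOR2_CHECK=0.922, "
    "RCVD_IN_HOSTKARMA_BL=2, RCVD_IN_MSPIKE_BL=0.001, RCVD_IN_MSPIKE_ZBI=0.001, "
    "RCVD_IN_SBL_CSS=3.335, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, "
    "SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TO_NO_BRKTS_NORDNS_HTML=0.001] "
    "autolearn=no autolearn_force=no"
)
GTUBE_QUARANTINED = (
    "X-Spam-Status: Yes, score=999.8 tag=2 tag2=6.31 kill=6.31 "
    "tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, "
    "DMARC_PASS=-0.001, GTUBE=1000, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, "
    "SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, "
    "URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no"
)

_TESTS_RE = re.compile(r"tests=\[(?P<tests>[^\]]*)\]")
_KV_RE = re.compile(r"(\w+)=([^\s\[\]]+)")


@dataclass
class SpamStatus:
    flagged: bool     # the leading "Yes"/"No" of the header
    score: float      # total score as reported in score=
    required: float   # threshold at which the message is tagged as spam
    tests: dict       # rule name -> score contribution

    def headroom(self) -> float:
        """Points still needed before the message is tagged (<= 0 once it is)."""
        return round(self.required - self.score, 3)

    def top_contributors(self, n: int = 3) -> list:
        """Rules sorted by how much they pushed the score up, highest first."""
        return sorted(self.tests.items(), key=lambda kv: kv[1], reverse=True)[:n]

    def score_matches_tests(self, tolerance: float = 0.0015) -> bool:
        """The reported score should equal the sum of the rule scores; a mismatch
        usually means the header was rewritten or truncated in transit."""
        return abs(sum(self.tests.values()) - self.score) <= tolerance


def parse_spam_status(header: str) -> SpamStatus:
    """Parse an amavis-style X-Spam-Status header.

    The threshold is taken from required= when present; otherwise from the
    tag2= level (where amavis sets X-Spam-Flag: YES), falling back to kill=.
    """
    body = header.split(":", 1)[1] if header.lower().startswith("x-spam-status:") else header
    body = " ".join(body.split())  # folded headers arrive with embedded newlines/tabs
    flagged = body.split(",", 1)[0].strip().lower() == "yes"

    tests = {}
    m = _TESTS_RE.search(body)
    if m:
        for item in m.group("tests").split(","):
            name, _, value = item.strip().partition("=")
            if name:
                tests[name] = float(value) if value else 0.0
        body = body[:m.start()] + body[m.end():]  # keep key=value parsing off the list

    kv = dict(_KV_RE.findall(body))
    threshold = kv.get("required") or kv.get("tag2") or kv.get("kill")
    if "score" not in kv or threshold is None:
        raise ValueError("not a recognisable X-Spam-Status header")
    return SpamStatus(flagged, float(kv["score"]), float(threshold), tests)


def would_flag_at(header: str, threshold: float) -> bool:
    """Re-evaluate a message against a different required score, as suggested
    in the thread (lowering it to 3 would have caught the 3.502 message)."""
    return parse_spam_status(header).score >= threshold
```

Run over the low-scoring header it reports BAYES_99 as the only rule doing real work, which is what makes that message hard to catch with the stock score set.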
Re: How to find why a mail is SPAM DROPPED ?
Pierluigi Frullani wrote on 2024-04-18 20:23:
> It was simscan, that is compiled with enable-drop.

which is fine

> The problem was a bad expression in blacklist_from section in local.cf [1]

this is spam, not virus

> Sorry for the noise.

if you like to reject all / drop all, why not pants ? :)

/me hides, but I believe simscan can reject virus, and pass / not drop spam if you configure it so
Re: How to find why a mail is SPAM DROPPED ?
Pierluigi Frullani wrote on 2024-04-18 19:52:
> So could it be simscan ?

super you wake up :)

configure it to pass spam, and reject virus

simscan is very old, btw
Re: How to find why a mail is SPAM DROPPED ?
Pierluigi Frullani wrote on 2024-04-18 19:44:
> I'm really fighting with spamassasin as one ( legit ) mail get spam dropped with a 99.90 value, also if I have put, in local.cf [1] a required hit of 100.

why is 100 required score ?

spamassassin does only tag, it does not drop

> The mail is sent from a legit gmail account ( my daughter ) to me and contains some amazon links for stuff to buy.

ask your family to be nice :)

> I have disabled bayes, just to be sure it was not the same as last time ( corrupted database ) but still cannot get the mail in to understand what's catching SA attention.

would be nice to see spamc --full spam-results

> Being dropped I cannot find the real motivations.
> Any idea on how to get this mail through ?

spamassassin does not drop, ask your mailhoster why its not delivered
Re: How to find why a mail is SPAM DROPPED ?
It was simscan, that is compiled with enable-drop.
The problem was a bad expression in blacklist_from section in local.cf

Sorry for the noise.

Pierluigi

On Thu 18 Apr 2024 at 19:56 Reindl Harald (privat) <ha...@rhsoft.net> wrote:

> On 18.04.24 at 19:52, Pierluigi Frullani wrote:
>> So could it be simscan ?
>
> god knows - if you don't know your mail-setup how should anybody else without providing informations - spamassassin don't drop - it marks mails in the headers and whatever software does with it is up to that software
>
> read your logs and simplify your setup so you understand what it does
>
>> I'm using qmail with simscan for clamav and spamassasin.
>>
>> Thanks !
>>
>> On Thu 18 Apr 2024 at 19:48 Reindl Harald (privat) <ha...@rhsoft.net> wrote:
>>
>>> On 18.04.24 at 19:44, Pierluigi Frullani wrote:
>>>> Hello all,
>>>> I'm really fighting with spamassasin as one ( legit ) mail get spam dropped with a 99.90 value, also if I have put, in local.cf a required hit of 100.
>>>> The mail is sent from a legit gmail account ( my daughter ) to me and contains some amazon links for stuff to buy.
>>>> I have disabled bayes, just to be sure it was not the same as last time ( corrupted database ) but still cannot get the mail in to understand what's catching SA attention.
>>>> Being dropped I cannot find the real motivations.
>>>> Any idea on how to get this mail through ?
>>>
>>> Spamassasin don't drop mails - it only marks
>>> without the full headers nobody can tell anything
Re: How to find why a mail is SPAM DROPPED ?
So could it be simscan ?

I'm using qmail with simscan for clamav and spamassasin.

Thanks !

On Thu 18 Apr 2024 at 19:48 Reindl Harald (privat) <ha...@rhsoft.net> wrote:

> On 18.04.24 at 19:44, Pierluigi Frullani wrote:
>> Hello all,
>> I'm really fighting with spamassasin as one ( legit ) mail get spam dropped with a 99.90 value, also if I have put, in local.cf a required hit of 100.
>> The mail is sent from a legit gmail account ( my daughter ) to me and contains some amazon links for stuff to buy.
>> I have disabled bayes, just to be sure it was not the same as last time ( corrupted database ) but still cannot get the mail in to understand what's catching SA attention.
>> Being dropped I cannot find the real motivations.
>> Any idea on how to get this mail through ?
>
> Spamassasin don't drop mails - it only marks
> without the full headers nobody can tell anything
How to find why a mail is SPAM DROPPED ?
Hello all,

I'm really fighting with spamassasin as one ( legit ) mail get spam dropped with a 99.90 value, also if I have put, in local.cf a required hit of 100.
The mail is sent from a legit gmail account ( my daughter ) to me and contains some amazon links for stuff to buy.
I have disabled bayes, just to be sure it was not the same as last time ( corrupted database ) but still cannot get the mail in to understand what's catching SA attention.
Being dropped I cannot find the real motivations.
Any idea on how to get this mail through ?

TIA
Pierluigi
Re: problems with Plugin::ASN and spam
> On Apr 11, 2024, at 5:51 PM, Darrell Budic wrote:
>
> On Apr 11, 2024, at 3:30 PM, Bill Cole wrote:
>
>> On 2024-04-10 at 21:19:48 UTC-0400 (Wed, 10 Apr 2024 20:19:48 -0500) Darrell Budic is rumored to have said:
>>
>>>> On Apr 10, 2024, at 2:52 PM, Benny Pedersen wrote:
>>>>
>>>> Darrell Budic wrote on 2024-04-10 19:48:
>>>>
>>>>> Anything I'm missing?
>>>>
>>>> using amavisd ?
>>>>
>>>> then try this in amavisd.conf:
>>>
>>> No, I'm using spamass-milter to send it over from postfix. Here's my spamass-milter config in case I missed something there (systemd running it on alma 8 in this case):
>>>
>>> EXTRA_FLAGS="-e onholyground.com -u defang -m -r 15 -i 127.0.0.1 -g sa-milt -- --max-size=512 --dest=sa0.int.ohgnetworks.com,sa1.int.ohgnetworks.com --randomize"

Found it, even with the -m, spamass-milter only replaces a hardcoded set of X-Spam-* headers, not anything that comes back from spamd. With some more work, I was able to confirm that spamc/spamd were indeed including the headers where they were supposed to be. Thanks for the help tracking it down, I'm going to reconsider my preference for milters here ;)
Re: problems with Plugin::ASN and spam
On Apr 11, 2024, at 3:30 PM, Bill Cole wrote:
>
> On 2024-04-10 at 21:19:48 UTC-0400 (Wed, 10 Apr 2024 20:19:48 -0500) Darrell Budic is rumored to have said:
>
>>> On Apr 10, 2024, at 2:52 PM, Benny Pedersen wrote:
>>>
>>> Darrell Budic wrote on 2024-04-10 19:48:
>>>
>>>> Anything I'm missing?
>>>
>>> using amavisd ?
>>>
>>> then try this in amavisd.conf:
>>
>> No, I'm using spamass-milter to send it over from postfix. Here's my spamass-milter config in case I missed something there (systemd running it on alma 8 in this case):
>>
>> EXTRA_FLAGS="-e onholyground.com -u defang -m -r 15 -i 127.0.0.1 -g sa-milt -- --max-size=512 --dest=sa0.int.ohgnetworks.com,sa1.int.ohgnetworks.com --randomize"
>
> That's intriguing because "-u defang" looks like cargo-cult spoor from an installation running MIMEDefang. Does the user 'defang' have appropriate configs?

It is indeed, leftover user stuff from before I migrated to postfix and spamass-milter with a database backend for SA prefs. It's still a valid default user with appropriate configs, but the -e default domain takes precedence so I can have per domain SA policies. Users too, for that matter, but that's handled by the sql setup.

>> Both sa0 & sa1 run the same spamassassin/spamd configurations, neither of them add the X-Spam-ASN headers. All other add_header entries work fine.
>
> Validate that configs on both machines match. In this sort of setup, only the SA config on the spamd hosts of the user spamd is run as makes any difference.

I push them using ansible, but yeah, a quick audit to double check confirms they are the same.
Re: problems with Plugin::ASN and spam
On 2024-04-10 at 21:19:48 UTC-0400 (Wed, 10 Apr 2024 20:19:48 -0500) Darrell Budic is rumored to have said:

>> On Apr 10, 2024, at 2:52 PM, Benny Pedersen wrote:
>>
>> Darrell Budic wrote on 2024-04-10 19:48:
>>
>>> Anything I'm missing?
>>
>> using amavisd ?
>>
>> then try this in amavisd.conf:
>>
>> @spam_scanners = (
>>   # ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'],
>>   ['SpamdClient', 'Amavis::SpamControl::SpamdClient']
>> );
>>
>> 1; # insure a defined return value
>>
>> if this works, its amavisd missing to add that header spamassassin add in add-header
>>
>> dont enable both spam_scanners, just one of them, and with the last start spamd, as you have you already have this
>>
>> would be nice if its just that
>
> No, I'm using spamass-milter to send it over from postfix. Here's my spamass-milter config in case I missed something there (systemd running it on alma 8 in this case):
>
> EXTRA_FLAGS="-e onholyground.com -u defang -m -r 15 -i 127.0.0.1 -g sa-milt -- --max-size=512 --dest=sa0.int.ohgnetworks.com,sa1.int.ohgnetworks.com --randomize"

That's intriguing because "-u defang" looks like cargo-cult spoor from an installation running MIMEDefang. Does the user 'defang' have appropriate configs?

> Both sa0 & sa1 run the same spamassassin/spamd configurations, neither of them add the X-Spam-ASN headers. All other add_header entries work fine.

Validate that configs on both machines match. In this sort of setup, only the SA config on the spamd hosts of the user spamd is run as makes any difference.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: problems with Plugin::ASN and spam
> On Apr 10, 2024, at 2:52 PM, Benny Pedersen wrote:
>
> Darrell Budic wrote on 2024-04-10 19:48:
>
>> Anything I'm missing?
>
> using amavisd ?
>
> then try this in amavisd.conf:
>
> @spam_scanners = (
>   # ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'],
>   ['SpamdClient', 'Amavis::SpamControl::SpamdClient']
> );
>
> 1; # insure a defined return value
>
> if this works, its amavisd missing to add that header spamassassin add in add-header
>
> dont enable both spam_scanners, just one of them, and with the last start spamd, as you have you already have this
>
> would be nice if its just that

No, I'm using spamass-milter to send it over from postfix. Here's my spamass-milter config in case I missed something there (systemd running it on alma 8 in this case):

EXTRA_FLAGS="-e onholyground.com -u defang -m -r 15 -i 127.0.0.1 -g sa-milt -- --max-size=512 --dest=sa0.int.ohgnetworks.com,sa1.int.ohgnetworks.com --randomize"

Both sa0 & sa1 run the same spamassassin/spamd configurations, neither of them add the X-Spam-ASN headers. All other add_header entries work fine.
Re: problems with Plugin::ASN and spam
Darrell Budic wrote on 2024-04-10 19:48:
> Anything I'm missing?

using amavisd ?

then try this in amavisd.conf:

@spam_scanners = (
  # ['SpamAssassin', 'Amavis::SpamControl::SpamAssassin'],
  ['SpamdClient', 'Amavis::SpamControl::SpamdClient']
);

1; # insure a defined return value

if this works, its amavisd missing to add that header spamassassin add in add-header

dont enable both spam_scanners, just one of them, and with the last start spamd, as you have you already have this

would be nice if its just that
Re: problems with Plugin::ASN and spam
> On Apr 10, 2024, at 1:30 PM, Bill Cole > wrote: > > On 2024-04-10 at 13:48:47 UTC-0400 (Wed, 10 Apr 2024 12:48:47 -0500) > Darrell Budic mailto:bu...@onholyground.com>> > is rumored to have said: > >> Just checking in here that I’m not doing something wrong with the ASN plugin >> before I file a bug on this. SpamAssassin 4.0.1 installed from cpan on Alma >> 9. >> >> I’ve got it configured to use the local maxmind db files, and those show up >> in logs. Testing in spamassassin itself show that it finds the ASN and >> includes it in the headers as expected. But when I let spamc/spamd process >> emails, the X-Spam-ASN headers do not appear. Enabling debug logging on >> spamd shows it does find the ASN properly, but doesn’t include the header. >> All my other add_header entries show up as expected. > > This smells like a case of not using the config that you think you are. I keep thinking that, but the default ruleset's /var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf should also add headers, and isn’t. >> Relevant config: > > Says you... :) Sure do :) > When you run the spamassassin script from the command line, it loads your > user prefs from ~/.spamassassin/user_prefs and uses them. When you use spamc > to talk to spamd, which prefs are loaded depends on your configuration of > spamd, perhaps using only the global config, possibly using the config of the > user running spamd, and possibly (with configuration of spamd that allows it > to use per-user configs properly) that of arbitrary users per message. > > Differences in how spamc/spamd and spamassassin on the command line behave > are almost always due to this. It certainly appears to be reading the right files. 
From the same debug log snipped earlier: Wed Apr 10 17:06:48 2024 [2246409] dbg: plugin: loading Mail::SpamAssassin::Plugin::ASN from @INC Wed Apr 10 17:06:50 2024 [2246409] dbg: plugin: Mail::SpamAssassin::Plugin::ASN=HASH(0x55c6b04063d8) implements 'extract_metadata', priority 0 Wed Apr 10 17:06:48 2024 [2246409] dbg: config: read file /etc/mail/spamassassin/custom.cf Wed Apr 10 17:06:49 2024 [2246409] dbg: config: parsing file /etc/mail/spamassassin/custom.cf Wed Apr 10 17:06:49 2024 [2246409] dbg: config: using "/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf" for included file Wed Apr 10 17:06:49 2024 [2246409] dbg: config: read file /var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf Wed Apr 10 17:06:49 2024 [2246409] dbg: config: parsing file /var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf Wed Apr 10 17:07:09 2024 [2246418] dbg: check: tagrun - tag ASN is now ready, value: 11377 SENDGRID Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: GeoDB lookup successful, skipping DNS lookup The asn_prefix and add_header below are in /etc/mail/spamassassin/custom.cf. >> report_safe 0 >> ifplugin Mail::SpamAssassin::Plugin::ASN >> asn_prefix '' >> asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_ >> add_header all ASN _ASN_ _ASNCIDR_ >> >> # IPv6 support (Bug 7211) >> asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_ >> endif # Mail::SpamAssassin::Plugin::ASN >> >> From the spamd debug log: >> >> Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: search found asn >> /usr/share/GeoIP/GeoLite2-ASN.mmdb >> Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: loaded asn from >> /usr/share/GeoIP/GeoLite2-ASN.mmdb >> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using GeoDB ASN for lookups >> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using first external relay IP >> for lookups: 149.72.37.58 >> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: GeoDB found ASN 11377 >> >> There are no dgb: markup: entries for the ASN header. 
>>
>> Anything I’m missing?
>
> Look at the debug channel for config and determine which config files are
> actually being used by spamd and by spamassassin. (spamc knows nothing of SA
> configs…)

Spamassassin reads the same ones.

[root@sa0 spamassassin]# /usr/local/bin/spamassassin -t -D < ~telsin/testemail.eml 2>&1 | egrep -i 'asn'
Apr 10 19:18:24.185 [2249580] dbg: plugin: loading Mail::SpamAssassin::Plugin::ASN from @INC
Apr 10 19:18:24.628 [2249580] dbg: config: fixed relative path: /var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
Apr 10 19:18:24.628 [2249580] dbg: config: using "/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf" for included file
Apr 10 19:18:24.629 [2249580] dbg: config: read file /var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
Apr 10 19:18:24.629 [2249580] dbg: config: parsing file
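The exchange above turns on one question: does spamd read the same config files as the command-line spamassassin script? The debug channel answers it, but the "dbg: config: read file" lines are buried among thousands of others. The script below is an editor-added example, not code from this thread or from SpamAssassin: it pulls those lines out of two debug logs and reports which files only one run loaded. The log samples are constructed after the lines quoted in the thread; the PIDs, timestamps and the /home/example/.spamassassin/user_prefs path are placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample debug output, modelled on the "dbg: config:" lines quoted
# in this thread. PIDs, timestamps and the user_prefs path are placeholders.
SPAMD_DEBUG = """\
Wed Apr 10 17:06:48 2024 [2246409] dbg: config: read file /etc/mail/spamassassin/custom.cf
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: parsing file /etc/mail/spamassassin/custom.cf
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: using "/var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf" for included file
Wed Apr 10 17:06:49 2024 [2246409] dbg: config: read file /var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
Wed Apr 10 17:06:49 2024 [2246409] dbg: plugin: loading Mail::SpamAssassin::Plugin::ASN from @INC
"""

CLI_DEBUG = """\
Apr 10 19:18:24.628 [2249580] dbg: config: read file /var/lib/spamassassin/4.01/updates_spamassassin_org/25_asn.cf
Apr 10 19:18:24.630 [2249580] dbg: config: read file /etc/mail/spamassassin/custom.cf
Apr 10 19:18:24.640 [2249580] dbg: config: read file /home/example/.spamassassin/user_prefs
Apr 10 19:18:24.650 [2249580] dbg: plugin: loading Mail::SpamAssassin::Plugin::ASN from @INC
"""

READ_FILE_RE = re.compile(r"dbg: config: read file (\S+)")
PLUGIN_RE = re.compile(r"dbg: plugin: loading (Mail::SpamAssassin::Plugin::\w+) from @INC")


def config_files(debug_log: str) -> List[str]:
    """Config files a run actually read, in load order, duplicates dropped."""
    files: List[str] = []
    for line in debug_log.splitlines():
        m = READ_FILE_RE.search(line)
        if m and m.group(1) not in files:
            files.append(m.group(1))
    return files


def loaded_plugins(debug_log: str) -> Set[str]:
    """Plugin modules the run loaded, taken from the 'plugin: loading' lines."""
    plugins: Set[str] = set()
    for line in debug_log.splitlines():
        m = PLUGIN_RE.search(line)
        if m:
            plugins.add(m.group(1))
    return plugins


def compare_runs(spamd_log: str, cli_log: str) -> Dict[str, List[str]]:
    """Which config files only one of the two runs read.

    A file listed under only_in_cli (typically ~/.spamassassin/user_prefs) is
    the usual reason a rule or add_header works for `spamassassin` on the
    command line but not for messages scanned through spamc/spamd.
    """
    spamd_files = config_files(spamd_log)
    cli_files = config_files(cli_log)
    return {
        "only_in_spamd": [f for f in spamd_files if f not in cli_files],
        "only_in_cli": [f for f in cli_files if f not in spamd_files],
        "common": [f for f in cli_files if f in spamd_files],
    }


if __name__ == "__main__":
    for key, files in compare_runs(SPAMD_DEBUG, CLI_DEBUG).items():
        print(f"{key}:")
        for f in files:
            print(f"  {f}")
    both = loaded_plugins(SPAMD_DEBUG) & loaded_plugins(CLI_DEBUG)
    print("plugins loaded by both runs:", sorted(both))
```

To use it on a real system, capture `spamd -D` output (or the spamd debug log quoted above) into one file and `spamassassin -D < message.eml 2>&1` into another, read both into the two variables, and look at the only_in_cli list first: an add_header that lives in a file only the command-line run reads will never appear in spamd-scanned mail.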
Re: problems with Plugin::ASN and spam
On 2024-04-10 at 13:48:47 UTC-0400 (Wed, 10 Apr 2024 12:48:47 -0500)
Darrell Budic is rumored to have said:

> Just checking in here that I’m not doing something wrong with the ASN plugin
> before I file a bug on this. SpamAssassin 4.0.1 installed from cpan on Alma 9.
>
> I’ve got it configured to use the local maxmind db files, and those show up
> in logs. Testing in spamassassin itself shows that it finds the ASN and
> includes it in the headers as expected. But when I let spamc/spamd process
> emails, the X-Spam-ASN headers do not appear. Enabling debug logging on spamd
> shows it does find the ASN properly, but doesn’t include the header. All my
> other add_header entries show up as expected.

This smells like a case of not using the config that you think you are.

> Relevant config:

Says you... :)

When you run the spamassassin script from the command line, it loads your user prefs from ~/.spamassassin/user_prefs and uses them. When you use spamc to talk to spamd, which prefs are loaded depends on your configuration of spamd, perhaps using only the global config, possibly using the config of the user running spamd, and possibly (with configuration of spamd that allows it to use per-user configs properly) that of arbitrary users per message.

Differences in how spamc/spamd and spamassassin on the command line behave are almost always due to this.
> report_safe 0
> ifplugin Mail::SpamAssassin::Plugin::ASN
> asn_prefix ''
> asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_
> add_header all ASN _ASN_ _ASNCIDR_
>
> # IPv6 support (Bug 7211)
> asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_
> endif # Mail::SpamAssassin::Plugin::ASN
>
> From the spamd debug log:
>
> Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: search found asn /usr/share/GeoIP/GeoLite2-ASN.mmdb
> Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: loaded asn from /usr/share/GeoIP/GeoLite2-ASN.mmdb
> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using GeoDB ASN for lookups
> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using first external relay IP for lookups: 149.72.37.58
> Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: GeoDB found ASN 11377
>
> There are no dbg: markup: entries for the ASN header.
>
> Anything I’m missing?

Look at the debug channel for config and determine which config files are actually being used by spamd and by spamassassin. (spamc knows nothing of SA configs...)

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
problems with Plugin::ASN and spam
Just checking in here that I’m not doing something wrong with the ASN plugin before I file a bug on this. SpamAssassin 4.0.1 installed from cpan on Alma 9.

I’ve got it configured to use the local maxmind db files, and those show up in logs. Testing in spamassassin itself shows that it finds the ASN and includes it in the headers as expected. But when I let spamc/spamd process emails, the X-Spam-ASN headers do not appear. Enabling debug logging on spamd shows it does find the ASN properly, but doesn’t include the header. All my other add_header entries show up as expected.

Relevant config:

report_safe 0
ifplugin Mail::SpamAssassin::Plugin::ASN
asn_prefix ''
asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_
add_header all ASN _ASN_ _ASNCIDR_

# IPv6 support (Bug 7211)
asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_
endif # Mail::SpamAssassin::Plugin::ASN

From the spamd debug log:

Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: search found asn /usr/share/GeoIP/GeoLite2-ASN.mmdb
Wed Apr 10 17:06:50 2024 [2246409] dbg: geodb: GeoIP2: loaded asn from /usr/share/GeoIP/GeoLite2-ASN.mmdb
Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using GeoDB ASN for lookups
Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: using first external relay IP for lookups: 149.72.37.58
Wed Apr 10 17:07:09 2024 [2246418] dbg: asn: GeoDB found ASN 11377

There are no dbg: markup: entries for the ASN header.

Anything I’m missing?

Thanks!

-Darrell
Re: Reporting Spam to csa-complai...@eco.de
It appears that Kirk Ismay said:
>
> I've got a lot of finance / political spam that is passing through all
> filters because it's DKIM signed and using an email provider
> (salesforce.com & others). One thing they do include is an
> X-CSA-Complaints: csa-complai...@eco.de header, which looks legit.
>
> Has anyone had success with reporting mail to this address? Does it get
> results?

ECO is real and I've found it worthwhile to report spam to them.

R's,
John
Reporting Spam to csa-complai...@eco.de
I've got a lot of finance / political spam that is passing through all filters because it's DKIM signed and using an email provider (salesforce.com & others). One thing they do include is an X-CSA-Complaints: csa-complai...@eco.de header, which looks legit.

Has anyone had success with reporting mail to this address? Does it get results?

Thanks in advance,
Kirk
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
Please unsubscribe me from list

On Mon, Feb 19, 2024 at 2:51 PM wrote:
>>> If you do, it's anyway disabled on --lint.
>>
>> It does not matter what happens when you use --lint, because it skips
>> network checks, including DCC.
>
> Yes, that's what I said. It's disabled on --lint.
>
>>> spamassassin --prefs-file=/etc/spamassassin/local.cf -D 2> tmp.out < ~/test.eml
>>
>> I have already asked why you use --prefs-file.
>> You have not answered my question and simply deleted it.
>
> Because it's irrelevant.
>
> I use it because I choose to.
>
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
>> If you do, it's anyway disabled on --lint.
>
> It does not matter what happens when you use --lint, because it skips
> network checks, including DCC.

Yes, that's what I said. It's disabled on --lint.

>> spamassassin --prefs-file=/etc/spamassassin/local.cf -D 2> tmp.out < ~/test.eml
>
> I have already asked why you use --prefs-file.
> You have not answered my question and simply deleted it.

Because it's irrelevant.

I use it because I choose to.
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
>> and these indicate DCC is available.
>>
>> I have "loadplugin Mail::SpamAssassin::Plugin::DCC" in
>> /etc/spamassassin/v310.pre
>>
>> - try uncommenting it there.

On 19.02.24 08:17, glad.tent3...@fastmail.com wrote:
> If you do, it's anyway disabled on --lint.

It does not matter what happens when you use --lint, because it skips network checks, including DCC.

> spamassassin --prefs-file=/etc/spamassassin/local.cf -D 2> tmp.out < ~/test.eml

I have already asked why you use --prefs-file.
You have not answered my question and simply deleted it.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
> and these indicate DCC is available.
>
> I have "loadplugin Mail::SpamAssassin::Plugin::DCC" in
> /etc/spamassassin/v310.pre
>
> - try uncommenting it there.

If you do, it's anyway disabled on --lint.

grep "loadplugin Mail::SpamAssassin::Plugin::DCC" `grep -rlni "loadplugin Mail::SpamAssassin::Plugin::DCC" .`
./v310.pre:loadplugin Mail::SpamAssassin::Plugin::DCC
./local.cf:loadplugin Mail::SpamAssassin::Plugin::DCC

spamassassin --prefs-file=/etc/spamassassin/local.cf -D --lint 2> tmp.out
grep -i dcc tmp.out
Feb 19 08:03:57.566 [13073] dbg: config: fixed relative path: /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:03:57.566 [13073] dbg: config: using "/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf" for included file
Feb 19 08:03:57.566 [13073] dbg: config: read file /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:03:57.566 [13073] dbg: config: parsing file /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:03:58.094 [13073] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
Feb 19 08:03:58.098 [13073] dbg: dcc: local tests only, disabling DCC
Feb 19 08:03:58.136 [13073] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Feb 19 08:03:58.148 [13073] dbg: rules: meta test FSL_BULK_SIG has undefined dependency 'DCC_CHECK'
Feb 19 08:03:59.862 [13073] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x5562b03e8738) implements 'check_tick', priority 0
Feb 19 08:04:00.409 [13073] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x5562b03e8738) implements 'check_cleanup', priority 0
Feb 19 08:04:00.411 [13073] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x5562b03e8738) implements 'check_post_learn', priority 0

spamassassin --prefs-file=/etc/spamassassin/local.cf -D 2> tmp.out < ~/test.eml
grep -i dcc tmp.out
Feb 19 08:05:51.904 [13609] dbg: config: fixed relative path: /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:05:51.904 [13609] dbg: config: using "/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf" for included file
Feb 19 08:05:51.904 [13609] dbg: config: read file /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:05:51.904 [13609] dbg: config: parsing file /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 19 08:05:52.432 [13609] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
Feb 19 08:05:52.459 [13609] dbg: rules: meta test FSL_BULK_SIG has undefined dependency 'DCC_CHECK'
Feb 19 08:05:52.463 [13609] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Feb 19 08:05:54.179 [13609] dbg: message: _decode_header x-spam-dcc: :
Feb 19 08:05:54.211 [13609] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x55f0c228b150) implements 'check_tick', priority 0
Feb 19 08:05:54.224 [13609] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x55f0c228b150) implements 'check_dnsbl', priority 0
Feb 19 08:06:02.367 [13609] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x55f0c228b150) implements 'check_cleanup', priority 0
Feb 19 08:06:02.379 [13609] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x55f0c228b150) implements 'check_post_learn', priority 0
Feb 19 08:06:02.379 [13609] dbg: dcc: DCC learning not enabled by dcc_learn_score

Headers in all real received emails, for example

...
X-Spam-Status: No, score=1.5 required=8.0 tests=BODY_SINGLE_WORD,FREEMAIL_FROM,
	KAM_NUMSUBJECT,SCC_BODY_SINGLE_WORD,T_SCC_BODY_TEXT_LINE autolearn=no
	autolearn_force=no version=4.0.0
X-Spam-DCC: : 
X-Spam-Pyzor: Reported 0 times, welcomelisted 0 times.
X-Spam-Level: *
X-Spam-Relay-Country: US US
X-Spam-ASN: AS15169 GOOGLE
X-Spam-SenderDomain: gmail.com
X-Spam-AuthorDomain: gmail.com
X-Spam-Remote-IP: 209.85.128.177
X-Spam-Remote-RDNS: mail-yw1-f177.google.com
X-Spam-Remote-HELO: mail-yw1-f177.google.com
...

Denny
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
On 18.02.24 14:21, glad.tent3...@fastmail.com wrote:
> I'm hoping someone can help troubleshoot using DCC in SpamAssassin. My setup isn't populating the "X-Spam-DCC: : " header.
>
> I configured SpamAssassin to use DCC
>
> cat local.cf
> ...
> loadplugin Mail::SpamAssassin::Plugin::DCC
> add_header all DCC _DCCB_: _DCCR_
> ...
> ifplugin Mail::SpamAssassin::Plugin::DCC
> use_dcc 1
> dcc_home /etc/dcc
> dcc_path /usr/local/bin/dccproc
> dcc_timeout 10
> dcc_body_max 99
> dcc_fuz1_max 99
> dcc_fuz2_max 99
> score DCC_CHECK 3.000
> dcc_learn_score 99
> endif
> ...
>
> Testing against a sample email,
>
> spamassassin --prefs-file=/etc/spamassassin/local.cf -D

I wonder why you use --prefs-file=/etc/spamassassin/local.cf ?
/etc/spamassassin/local.cf should be loaded automatically

> Feb 18 11:24:48.255 [7041] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
> Feb 18 11:24:48.296 [7041] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
> Feb 18 11:24:48.304 [7041] dbg: rules: meta test FSL_BULK_SIG has undefined dependency 'DCC_CHECK'

These indicate DCC is not available

> Feb 18 11:24:49.989 [7041] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 'check_tick', priority 0
> Feb 18 11:24:50.003 [7041] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 'check_dnsbl', priority 0
> Feb 18 11:24:50.904 [7041] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 'check_cleanup', priority 0
> Feb 18 11:24:50.914 [7041] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x55f8e8a5da20) implements 'check_post_learn', priority 0
> Feb 18 11:24:50.914 [7041] dbg: dcc: DCC learning not enabled by dcc_learn_score

and these indicate DCC is available.

I have "loadplugin Mail::SpamAssassin::Plugin::DCC" in /etc/spamassassin/v310.pre

- try uncommenting it there.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
> Try this command for some real mail.eml
>
> spamassassin --prefs-file=/etc/spamassassin/local.cf -D dcc

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on mail.MYDOMAIN.COM
X-Spam-Scanned: spamd.mail.MYDOMAIN.COM
X-Spam-Status: No, score=0.7 required=8.0 tests=BODY_SINGLE_WORD,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM,
	SCC_BODY_SINGLE_WORD,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,
	URIBL_DBL_BLOCKED_OPENDNS autolearn=unavailable autolearn_force=no
	version=4.0.0
X-Spam-DCC: : 
X-Spam-Level: 
X-Spam-SenderDomain: gmail.com
X-Spam-AuthorDomain: gmail.com
X-Spam-Remote-IP: 209.85.210.42
X-Spam-Remote-RDNS: mail-ot1-f42.google.com
X-Spam-Remote-HELO: mail-ot1-f42.google.com
...

To compare, network tests with Pyzor

spamassassin --prefs-file=/etc/spamassassin/local.cf -D pyzor < /root/test2.eml
Feb 18 15:57:40.187 [35119] dbg: pyzor: network tests on, attempting Pyzor
Feb 18 15:57:40.893 [35119] dbg: pyzor: adjusting rule PYZOR_CHECK priority to -100
Feb 18 15:57:42.728 [35119] dbg: pyzor: pyzor is available: /usr/local/bin/pyzor
Feb 18 15:57:42.734 [35120] dbg: pyzor: child process 35120 forked
Feb 18 15:57:42.736 [35120] dbg: pyzor: opening pipe: /usr/local/bin/pyzor --homedir /etc/spamassassin/.pyzor/ check
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
Try this command for some real mail.eml

spamassassin --prefs-file=/etc/spamassassin/local.cf -D dcc
Feb 18 21:10:36.754 [801727] warn: netset: cannot include 127.0.0.0/8 as it has already been included
Feb 18 21:10:36.758 [801727] warn: netset: cannot include 172.16.0.0/12 as it has already been included
Feb 18 21:10:36.758 [801727] warn: netset: cannot include 192.168.0.0/16 as it has already been included
Feb 18 21:10:36.759 [801727] warn: netset: cannot include 127.0.0.0/8 as it has already been included
Feb 18 21:10:37.285 [801727] dbg: dcc: dcc_pgm_path, found cdcc in dcc_path: /usr/local/bin/cdcc
Feb 18 21:10:37.289 [801727] dbg: dcc: `/usr/local/bin/cdcc -qV homedir libexecdir` reports '2.3.168 homedir=/var/dcc libexecdir=/var/dcc/libexec '
Feb 18 21:10:37.290 [801727] dbg: dcc: use 'dcc_libexec /var/dcc/libexec' from cdcc
Feb 18 21:10:37.290 [801727] dbg: dcc: dccifd is not available; no r/w socket at /var/dcc/dccifd
Feb 18 21:10:37.290 [801727] dbg: dcc: /usr/local/bin/dccproc is available
Feb 18 21:10:37.291 [801727] dbg: dcc: opening pipe to /usr/local/bin/dccproc -C -x 0 -h /var/dcc -a 45.112.84.5 -w whiteclnt
Feb 18 21:10:37.295 [801731] info: util: setuid: ruid=0 euid=0 rgid=0 0 egid=0 0
Feb 18 21:10:37.476 [801727] dbg: dcc: dccproc responded with 'X-DCC-www.nova53.net-Metrics: some.server.mx 1205; Body=many Fuz1=many rep=73%'
Feb 18 21:10:37.477 [801727] dbg: dcc: dcc_rep 73, min 95, max 98 => result=no
Feb 18 21:10:37.477 [801727] dbg: dcc: dcc_rep 73, min 70, max 89 => result=YES
Feb 18 21:10:37.478 [801727] dbg: dcc: dcc_rep 73, min 99, max 100 => result=no
Feb 18 21:10:37.478 [801727] dbg: dcc: dcc_rep 73, min 90, max 94 => result=no
Feb 18 21:10:37.479 [801727] dbg: dcc: listed: BODY=99/99 FUZ1=99/99 FUZ2=0/99 REP=73/90
Feb 18 21:10:37.480 [801727] dbg: dcc: dcc_rep 73, min 00, max 12 => result=no
Feb 18 21:10:37.480 [801727] dbg: dcc: dcc_rep 73, min 13, max 19 => result=no
Feb 18 21:10:37.738 [801732] info: util: setuid: ruid=0 euid=0 rgid=0 0 egid=0 0
Feb 18 21:10:37.872 [801727] info: rules: meta test CONTENT_AFTER_HTML_WEAK has dependency 'MAILING_LIST_MULTI' with a zero score
Feb 18 21:10:37.872 [801727] info: rules: meta test FORGED_MUA_EUDORA has dependency 'MAILING_LIST_MULTI' with a zero score
Feb 18 21:10:37.873 [801727] info: rules: meta test OBFU_UNSUB_UL has dependency 'MAILING_LIST_MULTI' with a zero score
Feb 18 21:10:37.882 [801727] info: rules: meta test HAS_X_OUTGOING_SPAM_STAT has dependency 'MAILING_LIST_MULTI' with a zero score
Feb 18 21:10:37.937 [801727] dbg: dcc: DCC learning not enabled by dcc_learn_score

Martin

> Hello,
>
>> try to increase dcc_timeout.
>>
>> # this works for me
>> use_dcc 1
>> dcc_home /var/dcc
>> dcc_path /usr/local/bin/dccproc
>> dcc_timeout 16
>> add_header all DCC _DCCB_:_DCCR_
>
> I tried values of 16, 30 & 100. Same as before unfortunately. No errors that I can see. Just no headers populated.
>
> Denny
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
Hello,

> try to increase dcc_timeout.
>
> # this works for me
> use_dcc 1
> dcc_home /var/dcc
> dcc_path /usr/local/bin/dccproc
> dcc_timeout 16
> add_header all DCC _DCCB_:_DCCR_

I tried values of 16, 30 & 100. Same as before unfortunately. No errors that I can see. Just no headers populated.

Denny
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
Hello,

try to increase dcc_timeout.

# this works for me
use_dcc 1
dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc
dcc_timeout 16
add_header all DCC _DCCB_:_DCCR_

Martin

> Hello,
>
> I'm hoping someone can help troubleshoot using DCC in SpamAssassin. My setup isn't populating the "X-Spam-DCC: : " header.
>
> I installed SpamAssassin 4.0.0
>
> spamassassin -V
> SpamAssassin version 4.0.0
> running on Perl version 5.38.2
>
> I run Postfix 3.8.5
>
> postconf mail_version
> mail_version = 3.8.5
>
> I set up Postfix to use SpamAssassin through a pre-queue milter over a unix socket
>
> smtpd_milters=unix:/run/sa-milter/sa-milter.sock
>
> I installed DCC
>
> cdcc -V
> 2.3.168
>
> It can connect to its servers
>
> cdcc info
> # 02/18/24 11:31:46 EST /etc/dcc/map
> # Re-resolve names after 12:29:46 Check RTTs after 11:46:45
> # 1691.96 ms threshold, 1239.41 ms average  12 total, 6 working servers
> IPv6 on version=3
> ...
>
> I configured SpamAssassin to use DCC
>
> cat local.cf
> ...
> loadplugin Mail::SpamAssassin::Plugin::DCC
> add_header all DCC _DCCB_: _DCCR_
> ...
> ifplugin Mail::SpamAssassin::Plugin::DCC
> use_dcc 1
> dcc_home /etc/dcc
> dcc_path /usr/local/bin/dccproc
> dcc_timeout 10
> dcc_body_max 99
> dcc_fuz1_max 99
> dcc_fuz2_max 99
> score DCC_CHECK 3.000
> dcc_learn_score 99
> endif
> ...
>
> Checking with SA --lint, local only with no network
>
> spamassassin --prefs-file=/etc/spamassassin/local.cf -D --lint
> ...
> Feb 18 11:18:06.242 [6905] dbg: config: fixed relative path: /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
> Feb 18 11:18:06.242 [6905] dbg: config: using "/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf" for included file
> Feb 18 11:18:06.242 [6905] dbg: config: read file /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
> Feb 18 11:18:06.243 [6905] dbg: config: parsing file /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
> ...
> Feb 18 11:18:06.792 [6905] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
> Feb 18 11:18:06.796 [6905] dbg: dcc: local tests only, disabling DCC
> ...
> Feb 18 11:18:06.843 [6905] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
> Feb 18 11:18:06.843 [6905] dbg: rules: meta test FSL_BULK_SIG has undefined dependency 'DCC_CHECK'
> ...
> Feb 18 11:18:08.561 [6905] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 'check_tick', priority 0
> ...
> Feb 18 11:18:09.072 [6905] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 'check_cleanup', priority 0
> ...
> Feb 18 11:18:09.074 [6905] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 'check_post_learn', priority 0
> ...
>
> Testing against a sample email,
>
> spamassassin --prefs-file=/etc/spamassassin/local.cf -D
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
On Sun, Feb 18, 2024, at 2:47 PM, Bill Cole wrote:
> On 2024-02-18 at 14:21:41 UTC-0500 (Sun, 18 Feb 2024 14:21:41 -0500)
> is rumored to have said:
>
>> Feb 18 11:18:06.796 [6905] dbg: dcc: local tests only,
>> disabling DCC
>
> That seems like a clear explanation: your configuration has disabled
> 'net' tests. You seem to have dns_available set to 'no'

No, that's only for the shown "--lint" case. Iiuc 3.1.6+ disables network tests during lint as they don't need to be run to confirm a working config. For the case where I run an actual message through SpamAssassin, network tests are fine.

And "dns_available" isn't set anywhere in my configuration. For SA that leave it at the default, I believe == yes.
Re: SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
On 2024-02-18 at 14:21:41 UTC-0500 (Sun, 18 Feb 2024 14:21:41 -0500)
is rumored to have said:

> Feb 18 11:18:06.796 [6905] dbg: dcc: local tests only, disabling DCC

That seems like a clear explanation: your configuration has disabled 'net' tests. You seem to have dns_available set to 'no'

-- 
Bill Cole
SpamAssassin4 + DCC not populating "X-Spam-DCC: : " header ?
Hello,

I'm hoping someone can help troubleshoot using DCC in SpamAssassin. My setup isn't populating the "X-Spam-DCC: : " header.

I installed SpamAssassin 4.0.0

spamassassin -V
SpamAssassin version 4.0.0
running on Perl version 5.38.2

I run Postfix 3.8.5

postconf mail_version
mail_version = 3.8.5

I set up Postfix to use SpamAssassin through a pre-queue milter over a unix socket

smtpd_milters=unix:/run/sa-milter/sa-milter.sock

I installed DCC

cdcc -V
2.3.168

It can connect to its servers

cdcc info
# 02/18/24 11:31:46 EST /etc/dcc/map
# Re-resolve names after 12:29:46 Check RTTs after 11:46:45
# 1691.96 ms threshold, 1239.41 ms average  12 total, 6 working servers
IPv6 on version=3
...

I configured SpamAssassin to use DCC

cat local.cf
...
loadplugin Mail::SpamAssassin::Plugin::DCC
add_header all DCC _DCCB_: _DCCR_
...
ifplugin Mail::SpamAssassin::Plugin::DCC
use_dcc 1
dcc_home /etc/dcc
dcc_path /usr/local/bin/dccproc
dcc_timeout 10
dcc_body_max 99
dcc_fuz1_max 99
dcc_fuz2_max 99
score DCC_CHECK 3.000
dcc_learn_score 99
endif
...

Checking with SA --lint, local only with no network

spamassassin --prefs-file=/etc/spamassassin/local.cf -D --lint
...
Feb 18 11:18:06.242 [6905] dbg: config: fixed relative path: /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 18 11:18:06.242 [6905] dbg: config: using "/var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf" for included file
Feb 18 11:18:06.242 [6905] dbg: config: read file /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
Feb 18 11:18:06.243 [6905] dbg: config: parsing file /var/spamassassin/4.00/updates_spamassassin_org/25_dcc.cf
...
Feb 18 11:18:06.792 [6905] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
Feb 18 11:18:06.796 [6905] dbg: dcc: local tests only, disabling DCC
...
Feb 18 11:18:06.843 [6905] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Feb 18 11:18:06.843 [6905] dbg: rules: meta test FSL_BULK_SIG has undefined dependency 'DCC_CHECK'
...
Feb 18 11:18:08.561 [6905] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 'check_tick', priority 0
...
Feb 18 11:18:09.072 [6905] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 'check_cleanup', priority 0
...
Feb 18 11:18:09.074 [6905] dbg: plugin: Mail::SpamAssassin::Plugin::DCC=HASH(0x56116a3060f0) implements 'check_post_learn', priority 0
...

Testing against a sample email,

spamassassin --prefs-file=/etc/spamassassin/local.cf -D
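Two things in this thread are worth seeing side by side: the "X-Spam-DCC: : " header in the original post is exactly what `add_header all DCC _DCCB_: _DCCR_` renders when DCC never produced a result (both template tags are empty), and Martin's `-D dcc` run shows what a real dccproc response looks like and how the plugin turns it into the "listed: BODY=99/99 FUZ1=99/99 FUZ2=0/99 REP=73/90" decision and the "dcc_rep 73, min 70, max 89 => result=YES" bucket lines. The script below is an editor-added example, not code from the thread or from the SpamAssassin DCC plugin: it parses an X-DCC-*-Metrics line the way the debug output above implies, applies the dcc_body_max/dcc_fuz1_max/dcc_fuz2_max/dcc_rep_percent thresholds, and renders the header for the with-result and no-result cases. The sample response is constructed after the one quoted above; treating DCC's "many" as a count above any threshold is an assumption, as is the QUIET_RESPONSE line.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed samples, modelled on the dccproc response quoted in this thread.
SAMPLE_RESPONSE = "X-DCC-www.nova53.net-Metrics: some.server.mx 1205; Body=many Fuz1=many rep=73%"
QUIET_RESPONSE = "X-DCC-example-Metrics: some.server.mx 1205; Body=1 Fuz1=1 Fuz2=1"

# Assumption: DCC reports saturated counts as "many"; map that to a value larger
# than any threshold an admin would configure, and "ok" to zero.
MANY = 16_777_216

METRICS_RE = re.compile(r"^X-DCC-\S+-Metrics:\s+(?P<server>\S+)\s+(?P<result>.*)$")
COUNT_RE = re.compile(r"\b(Body|Fuz1|Fuz2)=(\w+)")
REP_RE = re.compile(r"\brep=(\d+)%")

# Reputation buckets exactly as they appear in the "dcc_rep 73, min .., max .." lines.
REPUTATION_RANGES = [(0, 12), (13, 19), (70, 89), (90, 94), (95, 98), (99, 100)]


@dataclass
class DccResult:
    server: str             # what the _DCCB_ template tag carries
    result: str             # what the _DCCR_ template tag carries
    counts: Dict[str, int]  # body / fuz1 / fuz2 checksum counts
    rep: Optional[int]      # sender reputation percentage, if the server sent one


def parse_count(token: str) -> int:
    t = token.lower()
    if t == "many":
        return MANY
    if t == "ok":
        return 0
    return int(t)


def parse_dcc_response(line: str) -> Optional[DccResult]:
    """Split a dccproc/dccifd X-DCC-*-Metrics line into server, result and counts."""
    m = METRICS_RE.match(line.strip())
    if not m:
        return None
    result = m.group("result")
    counts = {k.lower(): parse_count(v) for k, v in COUNT_RE.findall(result)}
    for key in ("body", "fuz1", "fuz2"):
        counts.setdefault(key, 0)  # a checksum type the server did not report counts as 0
    rep = REP_RE.search(result)
    return DccResult(m.group("server"), result, counts, int(rep.group(1)) if rep else None)


def is_listed(r: DccResult, body_max: int = 999999, fuz1_max: int = 999999,
              fuz2_max: int = 999999, rep_percent: int = 90) -> bool:
    """DCC_CHECK decision: any count at or above its dcc_*_max, or rep at or above dcc_rep_percent."""
    if (r.counts["body"] >= body_max or r.counts["fuz1"] >= fuz1_max
            or r.counts["fuz2"] >= fuz2_max):
        return True
    return r.rep is not None and r.rep >= rep_percent


def reputation_bucket(r: DccResult) -> Optional[Tuple[int, int]]:
    """The (min, max) range a DCC_REPUT_* style rule would fire for, if any."""
    if r.rep is None:
        return None
    for lo, hi in REPUTATION_RANGES:
        if lo <= r.rep <= hi:
            return (lo, hi)
    return None


def render_dcc_header(r: Optional[DccResult]) -> str:
    """'add_header all DCC _DCCB_: _DCCR_' as rendered with and without a DCC result."""
    dccb = r.server if r else ""
    dccr = r.result if r else ""
    return f"X-Spam-DCC: {dccb}: {dccr}"


if __name__ == "__main__":
    hit = parse_dcc_response(SAMPLE_RESPONSE)
    print(render_dcc_header(hit))
    print("listed with the thread's 99/99/99 thresholds:", is_listed(hit, 99, 99, 99, 90))
    print("reputation bucket:", reputation_bucket(hit))
    print("no result at all renders as:", repr(render_dcc_header(None)))
```

The last line of the demo is the header Denny is seeing: an empty `_DCCB_` and `_DCCR_` mean dccproc was never run or never answered for that message, so the place to look is the dcc: lines of a debug run on a real message (not `--lint`, which disables network tests), not the add_header line itself.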
Re: MS-relayed spam
On Wed, Jan 3, 2024 at 5:06 AM Matus UHLAR - fantomas wrote:
> What?
>
> If the message came from .outlook.com hosts, it should be reported to
> ab...@outlook.com.

You are right, it did come from an .outlook.com host. My mistake. I'm not sure why they blocked the user, then.
Re: MS-relayed spam
On Tue, Jan 2, 2024 at 3:11 PM Torpey List wrote:
>> I started forwarding full headers and text to "ab...@outlook.com" and they blocked my IP.

On 02.01.24 16:49, Shawn Iverson wrote:
> ab...@outlook.com is for reporting abuse on the freemail Outlook/Hotmail/MSN platforms, not Microsoft tenants.

What?

If the message came from .outlook.com hosts, it should be reported to ab...@outlook.com.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: MS-relayed spam
On Tue, Jan 2, 2024 at 3:11 PM Torpey List wrote:
> I started forwarding full headers and text to "ab...@outlook.com" and they
> blocked my IP.

ab...@outlook.com is for reporting abuse on the freemail Outlook/Hotmail/MSN platforms, not Microsoft tenants.

https://msrc.microsoft.com/report/
Re: MS-relayed spam
I started forwarding full headers and text to "ab...@outlook.com" and they blocked my IP.

-Original Message-
From: David Jones via users
Sent: Tuesday, January 2, 2024 1:07 PM
To: Charles Sprickman
Cc: SA Mailing list
Subject: Re: MS-relayed spam

I would report this to Microsoft Abuse and set up local rules that add a point or two, something like this:

header BAD_O365_SENDER X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/

With a threshold of 6.2, you might want to consider either lowering that a little or bumping up some default scores for some of the "worse" rules.

Most legit senders should not be using their onmicrosoft.com for their primary address but there are a few that I have seen over the years so I also have a counter rule to subtract a point or two for specific onmicrosoft.com subdomains.

On 1/1/24, 3:29 PM, "Charles Sprickman" <sp...@bway.net> wrote:

Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE

I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit more tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?
To me, it appears that a company with some kind of on-prem email server is using MS' inbound/outbound filtering/relaying for their email, and I'm assuming that the company (acquiretm dot com) has compromised account(s) being used for spam, and that this type of account is valuable since it's relayed through a somewhat "trusted" entity (MS). Stumped on the empty envelope from though...

Thanks,

Charles

Full headers inline:

Return-Path:
Delivered-To: myem...@mydomain.com
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2])
 by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44
 for <myem...@mydomain.com>; Mon, 1 Jan 2024 14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2
 tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001,
 FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618,
 HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
 RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31, SCC_BODY_URI_ONLY=1.44,
 SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01]
 autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2])
 by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 10024)
 with ESMTP id y8UwjrBjDDCO for <myem...@mydomain.com>;
 Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com
 (mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245])
 (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43
 for <myem...@mydomain.com>; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
 b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is 193.176.158.
Re: MS-relayed spam
On 2024-01-01 at 16:28:04 UTC-0500 (Mon, 1 Jan 2024 16:28:04 -0500)
Charles Sprickman is rumored to have said:

> Hi all,
>
> Full headers are here as well: https://pastebin.com/wHNmnvtE
>
> I'm not really following what's going on here - a few things confuse me...
>
> - the empty from envelope, which I thought was more of a "bounce" thing

Yes. You can safely reject mail with a null sender that does not meet norms for mail-system-generated mail.

> - that it does seem formatted like a bounce

Not in the headers... No one legit sends bounces with "Content-Type: text/html" or with In-Reply-To headers without a References header or Cc headers.

> - across multiple servers I'm seeing a ton more spam just like this the past few weeks coming in via MS

Everyone's spam is unique. I see some similar stuff at various sites but nothing in the places where I can really dig into details. I don't see much null sender spam at all. I do see a few cases of $jjunk@$ggarbage.onmicrosoft.com senders similar to the From: header in your example, but they are all getting caught by SA.

> - I had assumed that MS (or gmail, or any large provider) would be a bit more tuned to this kind of abuse

By their own customers? Have you been paying any attention this century?

MS could kill this particular flavor of spam (identifiable by correlating patterns in From and other headers) if they wanted to. They CHOOSE as a corporation to be a bad neighbor as a matter of unstated policy and unconscious strategy. In the same way a junkie chooses their dope...

> Anyone else seeing this and if so, what mitigations are you doing in SA?

In the one place where I save SA-rejected mail, I see nothing with "onmicrosoft.com" anywhere except in mail talking about this garbage. On a larger system with less retained info I see some similar-ish messages but nothing similar with null senders. I don't see an obvious pattern of SA rule matches in the similar messages that are being rejected on the systems I have access to.

I also see no null senders from MS hosts associated with UUID-like message-Id local parts. Hmmm... that might be an interesting rule.

> To me, it appears that a company with some kind of on-prem email server is using MS' inbound/outbound filtering/relaying for their email, and I'm assuming that the company (acquiretm dot com) has compromised account(s) being used for spam,

Not sure how you got there... Everywhere in those headers that I see that domain I also see it attributed as the HELO from IP address 193.176.158.140, which has no obvious connection to the domain. That IP address is allocated via RIPE, but it might be in Russia, Estonia, Hong Kong, or France depending on which registration records you think are relevant. I'd bet that you could get a perfect score sniping that IP address in the various MS attribution headers, but that probably will not be useful for long.

> and that this type of account is valuable since it's relayed through a somewhat "trusted" entity (MS). Stumped on the empty envelope from though...

I assume that your system is turning <> into ...

> Full headers inline:

My first-glance thoughts are embedded below.
Return-Path: [internal stuff snipped] Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43 for ; Mon, 1 Jan 2024 14:23:31 -0500 (EST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Icl1NbdVBzy5nVKV4XGHyD5lhcUdtzirTQuOX40QfE0Qb4eogob5tBOWT7T7oxZ6O7oogwqarlyCmJXZfKwxDknw8W/1q9UzYGmNu0vt9l/C/TAQGHd2qdDo7k/S5rA/VkvSbwsWsPlPzHM5gpPvERtV1AwGRibQFb7IAJkW1bL6aTyG8R2JHPyDtSE5hG+0/XFuct7sSqoyr8J1hv7cOP6ZsOmlfLFuKxYoAEqFdi0qCsQD/CjfFzFNcaj9Sas09hbA1E/lEU5lf43EJFPOUX9ieGQA292aleu0PO2lqaU+TOwrr9UdnSHPyo89vQUHCiMd9+4ZMb51dxkvx6dLWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=; b=gBRRLW2K0klYaRjOr+bNZO7zS3m+Kb+mkggilqYBqELoa12h3G5gwGFye+aLoJjtPSDnS1d0/GUkPYWm2/JlQZtoKmq4YAqwA4tnT2HYRcckobGDbhOcaop7wKmcQutiBxdr2iG8Hjmbvkf6jkP2AHL9kVqZv73Byv60sg1djmVaNHR+2qJd3vyQ3kepYsngd9QtdsyjjFBb+VjyItwaijKmjO4IBSIr4X5i5CmK+v67YoalMVjoXnKaMEpK/4Qh3Eh5zyzGHjdT7+QzK/T4cDSu+1XA+rHcK7G4/BTwLRs+NBTOYMT52Zr4eo5462nuo/ITG3+SjPM9g8QXkfJ06Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is 193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM smtp.helo=mail.acquiretm.com; dmarc=none action=none header.from=x1r862t.onmicrosoft.co
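Taking the observations in the reply above as a concrete check, here is an added example (not code from this thread or from SpamAssassin) that flags null-sender mail which is not shaped like a real bounce: HTML content type, In-Reply-To without References, a Cc, and the UUID-style Message-ID local part the reply mentions. The two sample messages are constructed, modelled on the headers quoted in the thread.

```python
"""Null-sender mail that does not look like a bounce.

Added example, not code from this thread or from SpamAssassin. Legitimate
mail-system-generated bounces come from the null sender <> but do not
arrive as Content-Type: text/html, do not carry In-Reply-To without
References, and do not carry Cc. A UUID-like Message-ID local part on a
null-sender message is flagged too. The sample messages are constructed.
"""
import email
import re
from email.message import Message

# 8-4-4-4-12 hex groups, i.e. a UUID used as the Message-ID local part.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def is_null_sender(msg: Message) -> bool:
    """True when the delivering MTA recorded an empty envelope sender.

    The header must be present: a message with no Return-Path at all has
    not been through final delivery and cannot be judged this way.
    """
    rp = msg.get("Return-Path")
    return rp is not None and rp.strip() in ("", "<>")


def bounce_anomalies(msg: Message) -> list:
    """Names of the ways a null-sender message breaks bounce norms.

    An empty list means either a normal sender or a plausible bounce.
    """
    if not is_null_sender(msg):
        return []
    found = []
    if msg.get_content_type() == "text/html":
        found.append("NULL_SENDER_TEXT_HTML")
    if msg.get("In-Reply-To") and not msg.get("References"):
        found.append("NULL_SENDER_IRT_NO_REFS")
    if msg.get("Cc"):
        found.append("NULL_SENDER_HAS_CC")
    local_part = (msg.get("Message-ID") or "").strip("<> ").split("@", 1)[0]
    if UUID_RE.match(local_part):
        found.append("NULL_SENDER_UUID_MSGID")
    return found


def check(raw: str) -> list:
    """Parse a raw RFC 5322 message and return its anomaly names."""
    return bounce_anomalies(email.message_from_string(raw))


# Constructed sample shaped like the thread's message: null sender, HTML
# body, In-Reply-To with no References, a Cc, UUID-style Message-ID.
SUSPECT = """\
Return-Path: <>
From: Storage Team <x7q2k@tenant.example.invalid>
To: someone@example.invalid
CC: someone@example.invalid
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE
Message-ID: <3f2504e0-4f89-41d3-9a0c-0305e82c3301@tenant.example.invalid>
In-Reply-To: <abc123@tenant.example.invalid>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"

<html><body>constructed body</body></html>
"""

# Constructed genuine DSN shape: null sender, multipart/report, no Cc.
REAL_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.invalid>
To: someone@example.invalid
Subject: Undelivered Mail Returned to Sender
Message-ID: <20240101192000.ABCDEF@mx.example.invalid>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

constructed notice
--b1--
"""

if __name__ == "__main__":
    print("suspect:", check(SUSPECT))          # all four anomaly names
    print("real bounce:", check(REAL_BOUNCE))  # []
```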
Re: MS-relayed spam
On 01.01.24 16:28, Charles Sprickman wrote:
> Full headers are here as well: https://pastebin.com/wHNmnvtE

Neither indicates that the mail was relayed by Microsoft. Isn't this just backscatter, a non-delivery notice for fake mail?

> I'm not really following what's going on here - a few things confuse me...
>
> - the empty from envelope, which I thought was more of a "bounce" thing
> - that it does seem formatted like a bounce
> - across multiple servers I'm seeing a ton more spam just like this the past few weeks coming in via MS
> - I had assumed that MS (or gmail, or any large provider) would be a bit more tuned to this kind of abuse
>
> Anyone else seeing this and if so, what mitigations are you doing in SA?
>
> To me, it appears that a company with some kind of on-prem email server is using MS' inbound/outbound filtering/relaying for their email, and I'm assuming that the company (acquiretm dot com) has compromised account(s) being used for spam, and that this type of account is valuable since it's relayed through a somewhat "trusted" entity (MS).
>
> Stumped on the empty envelope from though...
>
> Thanks,
>
> Charles
>
> Full headers inline:
> [quoted headers snipped; they are reproduced in the original post below]
Re: MS-relayed spam
I would report this to Microsoft Abuse and set up local rules that add a point or two, something like this:

header BAD_O365_SENDER X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/

With a threshold of 6.2, you might want to consider either lowering that a little or bumping up some default scores for some of the "worse" rules. Most legit senders should not be using their onmicrosoft.com for their primary address but there are a few that I have seen over the years so I also have a counter rule to subtract a point or two for specific onmicrosoft.com subdomains.

On 1/1/24, 3:29 PM, "Charles Sprickman" <sp...@bway.net> wrote:

> Hi all,
>
> Full headers are here as well: https://pastebin.com/wHNmnvtE
>
> I'm not really following what's going on here - a few things confuse me...
>
> - the empty from envelope, which I thought was more of a "bounce" thing
> - that it does seem formatted like a bounce
> - across multiple servers I'm seeing a ton more spam just like this the past few weeks coming in via MS
> - I had assumed that MS (or gmail, or any large provider) would be a bit more tuned to this kind of abuse
>
> Anyone else seeing this and if so, what mitigations are you doing in SA?
>
> To me, it appears that a company with some kind of on-prem email server is using MS' inbound/outbound filtering/relaying for their email, and I'm assuming that the company (acquiretm dot com) has compromised account(s) being used for spam, and that this type of account is valuable since it's relayed through a somewhat "trusted" entity (MS).
>
> Stumped on the empty envelope from though...
>
> Thanks,
>
> Charles
>
> Full headers inline:
> [quoted headers snipped; they are reproduced in the original post below]
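As an added example (not code from the thread or from SpamAssassin), the X-Spam-Status line quoted in the original post below is re-scored with the suggested BAD_O365_SENDER rule added, to see whether "a point or two" clears the site's required=6.2 threshold; the rule score of 2.0 and the lowered threshold of 5.0 used in the what-if are assumptions.

```python
"""Re-score the X-Spam-Status line quoted in this thread.

Added example, not code from this thread or from SpamAssassin. It parses
the tests=[...] list that amavisd-new/SpamAssassin stamped on the quoted
message (the bracketed amavisd-new layout, not SpamAssassin's own comma
list), confirms the rule scores add up to the reported score, and then
asks what a local BAD_O365_SENDER rule would do against required=6.2.
"""
import re
from typing import Optional

# Copied from the X-Spam-Status header quoted in the original post.
X_SPAM_STATUS = (
    "No, score=3.971 tagged_above=-100 required=6.2 tests=[ARC_SIGNED=0.001, "
    "ARC_VALID=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, "
    "DKIM_VALID_AU=-0.1, FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, "
    "FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, "
    "HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, "
    "RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31, "
    "SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01, "
    "T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no"
)

_STATUS_RE = re.compile(
    r"^(Yes|No), score=(-?[\d.]+) .*?required=(-?[\d.]+) tests=\[(.*?)\]"
)


def parse_spam_status(value: str) -> dict:
    """Split an X-Spam-Status value into flag, score, threshold and rule hits."""
    m = _STATUS_RE.match(value)
    if not m:
        raise ValueError("not an amavisd-new style X-Spam-Status value")
    tests = {}
    for item in m.group(4).split(","):
        item = item.strip()
        if item:  # tests=[] is legal for a message that hit no rules
            name, _, score = item.partition("=")
            tests[name] = float(score)
    return {
        "flagged": m.group(1) == "Yes",
        "score": float(m.group(2)),
        "required": float(m.group(3)),
        "tests": tests,
    }


def scores_add_up(status: dict) -> bool:
    """The reported score is the rule scores summed and rounded to 3 places."""
    return round(sum(status["tests"].values()), 3) == status["score"]


def top_contributors(status: dict, n: int = 3) -> list:
    """Rules that pushed the score up most: candidates for a local score bump."""
    ranked = sorted(status["tests"].items(), key=lambda kv: kv[1], reverse=True)
    return [name for name, _ in ranked[:n]]


def rescore(status: dict, local_rules: dict,
            required: Optional[float] = None) -> tuple:
    """Total after adding local rule scores, and whether it is now tagged."""
    threshold = status["required"] if required is None else required
    total = round(sum(status["tests"].values()) + sum(local_rules.values()), 3)
    return total, total >= threshold


if __name__ == "__main__":
    status = parse_spam_status(X_SPAM_STATUS)
    print("scores add up:", scores_add_up(status))       # True
    print("top contributors:", top_contributors(status))
    # Assumed local rule score of 2.0, the upper end of "a point or two".
    print("with BAD_O365_SENDER=2.0:", rescore(status, {"BAD_O365_SENDER": 2.0}))
    # Same rule with the threshold lowered to an assumed 5.0.
    print("threshold 5.0:", rescore(status, {"BAD_O365_SENDER": 2.0}, required=5.0))
```

With the 2.0-point rule alone the message lands at 5.971, still short of 6.2, which is why the reply pairs the rule with lowering the threshold or raising the scores of the rules that already fired.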
MS-relayed spam
Hi all,

Full headers are here as well: https://pastebin.com/wHNmnvtE

I'm not really following what's going on here - a few things confuse me...

- the empty from envelope, which I thought was more of a "bounce" thing
- that it does seem formatted like a bounce
- across multiple servers I'm seeing a ton more spam just like this the past few weeks coming in via MS
- I had assumed that MS (or gmail, or any large provider) would be a bit more tuned to this kind of abuse

Anyone else seeing this and if so, what mitigations are you doing in SA?

To me, it appears that a company with some kind of on-prem email server is using MS' inbound/outbound filtering/relaying for their email, and I'm assuming that the company (acquiretm dot com) has compromised account(s) being used for spam, and that this type of account is valuable since it's relayed through a somewhat "trusted" entity (MS).

Stumped on the empty envelope from though...

Thanks,

Charles

Full headers inline:

Return-Path:
Delivered-To: myem...@mydomain.com
Received: from mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.2]) by mail.MYDOMAIN.COM (Postfix) with ESMTP id 62E4ACCE44 for ; Mon, 1 Jan 2024 14:23:33 -0500 (EST)
X-Virus-Scanned: amavisd-new at MYDOMAIN.COM
X-Spam-Flag: NO
X-Spam-Score: 3.971
X-Spam-Level: ***
X-Spam-Status: No, score=3.971 tagged_above=-100 required=6.2 tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_SPF_HELO=1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31, SCC_BODY_URI_ONLY=1.44, SPF_HELO_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.MYDOMAIN.COM ([207.99.1.2]) by mail.MYDOMAIN.COM (mail.MYDOMAIN.COM [207.99.1.]) (amavisd-new, port 10024) with ESMTP id y8UwjrBjDDCO for ; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11hn2245.outbound.protection.outlook.com [52.100.172.245]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.MYDOMAIN.COM (Postfix) with ESMTPS id 731A6CCE43 for ; Mon, 1 Jan 2024 14:23:31 -0500 (EST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none (sender ip is 193.176.158.140) smtp.rcpttodomain=MYDOMAIN.COM smtp.helo=mail.acquiretm.com; dmarc=none action=none header.from=x1r862t.onmicrosoft.com; dkim=none (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=x1r862t.onmicrosoft.com; s=selector1-x1r862t-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cMMl8FFbE2iyyDXVN5kGmj7djfYu1Ef14DADjnKqLVc=;
X-MS-Exchange-Authentication-Results: spf=none (sender IP is 193.176.158.140) smtp.helo=mail.acquiretm.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=x1r862t.onmicrosoft.com;
Date: Mon, 01 Jan 2024 20:19:49 +0100
Importance: high
Subject: Your iCloud Storage Is Full. Receive 50 GB for FREE
X-TOI-MSGID: <1660898088.4bdab4ab9e89d.1704136789...@acquiretm.com>
In-Reply-To: <952htcjgcsdxt5hydix5kfocgsan34o2gphcyv...@egw.x1r862t.onmicrosoft.com>
Content-Type: text/html; charset="UTF-8"
CC: myem...@mydomain.com
To: myem...@mydomain.com
MIME-Version: 1.0
Content-
Re: Beginner Setting up Spam Assassin
On Saturday 30 December 2023 at 11:54:33, FalconChristopher wrote:

> The comment by Michael Grant ?

Yes, the comment I quoted below. He is suggesting how you can deal with this problematic user you want to "eliminate spam coming in from".

> On 12/30/2023 5:52 AM, Antony Stone wrote:
> > On Saturday 30 December 2023 at 11:48:30, FalconChristopher wrote:
> >> Hi, can I not ask how to set up Spam Assassin in this mailing group it
> >> is a group for Spam Assassin.
> >
> > That comment was a recommendation of how you can achieve what you want
> > to.
> >
> >> On 12/30/2023 4:30 AM, Michael Grant wrote:
> >>> Can you ban this user in whatever your equivalent of the access file
> >>> is so instead of putting the messages into a spam folder, you reject
> >>> messages from that address at delivery time (SMTP)?
> >
> > Antony.

--
"I estimate there's a world market for about five computers."
- Thomas J Watson, Chairman of IBM

Please reply to the list; please *don't* CC me.
Re: Beginner Setting up Spam Assassin
SpamAssassin cannot block or eliminate spam. It does not have the facilities to do that. SA can only score potential spam.

Whatever method you used to glue SA into your mail path needs to parse the score SA assigned in the returned mail, and do whatever routing it thinks is appropriate.

We do not know what glue you are using to put SA into your mail path, so it is hard to give suggestions on how to set that unknown software up. With more details of your setup we may be able to help.

We can suggest rules to assign a score to mail if it comes from a particular account. But something other than SA will then have to deal with that score and do the routing.

- Original Message -
From: FalconChristopher
To: Michael Grant ; users@spamassassin.apache.org
Sent: Saturday, December 30, 2023 2:48 AM
Subject: Re: Beginner Setting up Spam Assassin

> Hi, can I not ask how to set up Spam Assassin in this mailing group it is a group for Spam Assassin.
>
> On 12/30/2023 4:30 AM, Michael Grant wrote:
>> Can you ban this user in whatever your equivalent of the access file is so instead of putting the messages into a spam folder, you reject messages from that address at delivery time (SMTP)?
>>
>> On 30 December 2023 04:08:17 CET, FalconChristopher wrote:
>>> Anyone know how I can check and setup SpamAssassin so that I can eliminate some spam from coming in from a email account ?
>>>
>>> On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
>>>> On 27.12.23 16:53, FalconChristopher wrote:
>>>>> Hi, I want to setup Spam Assassin so that any email that Spam
>>>>> Assassin flags as spam
>>>>
>>>> this is spamassassin's job
>>>>
>>>>> gets placed into a folder for a specific SMTP or IMAP email account.
>>>>
>>>> this is not spamassassin's job.
>>>> It's job of mail delivery agent - procmail, maildrop, sieve
>>>>
>>>>> Then if Spam Assassin flags emails that are not spam I can tell it
>>>>> which of those emails to not place into the spam folder for the
>>>>> specific email client. Until it gradually learns which emails are
>>>>> spam and which are not.
>>>>
>>>> dovecot (imap/pop3 server) has plugins that support training of
>>>> spam/ham, if you move the mail from/to spam folder.
>>>>
>>>> https://doc.dovecot.org/configuration_manual/spam_reporting/
>>>>
>>>>> I've done a little research and I have access with my distribution to
>>>>> a mail directory as well as the local.cf file for which
>>>>> configurations are for Spam Assassin but I don't know how to setup
>>>>> what I mentioned above ?
Re: Beginner Setting up Spam Assassin
The comment by Michael Grant ?

On 12/30/2023 5:52 AM, Antony Stone wrote:
> On Saturday 30 December 2023 at 11:48:30, FalconChristopher wrote:
>> Hi, can I not ask how to set up Spam Assassin in this mailing group it
>> is a group for Spam Assassin.
>
> That comment was a recommendation of how you can achieve what you want
> to.
>
>> On 12/30/2023 4:30 AM, Michael Grant wrote:
>>> Can you ban this user in whatever your equivalent of the access file
>>> is so instead of putting the messages into a spam folder, you reject
>>> messages from that address at delivery time (SMTP)?
>
> Antony.
Re: Beginner Setting up Spam Assassin
On Saturday 30 December 2023 at 11:48:30, FalconChristopher wrote:

> Hi, can I not ask how to set up Spam Assassin in this mailing group it
> is a group for Spam Assassin.

That comment was a recommendation of how you can achieve what you want to.

> On 12/30/2023 4:30 AM, Michael Grant wrote:
> > Can you ban this user in whatever your equivalent of the access file
> > is so instead of putting the messages into a spam folder, you reject
> > messages from that address at delivery time (SMTP)?

Antony.

--
Users don't know what they want until they see what they get.

Please reply to the list; please *don't* CC me.
Re: Beginner Setting up Spam Assassin
Hi, can I not ask how to set up Spam Assassin in this mailing group it is a group for Spam Assassin.

On 12/30/2023 4:30 AM, Michael Grant wrote:
> Can you ban this user in whatever your equivalent of the access file is so instead of putting the messages into a spam folder, you reject messages from that address at delivery time (SMTP)?
>
> On 30 December 2023 04:08:17 CET, FalconChristopher wrote:
>> Anyone know how I can check and setup SpamAssassin so that I can eliminate some spam from coming in from a email account ?
>>
>> On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
>>> On 27.12.23 16:53, FalconChristopher wrote:
>>>> Hi, I want to setup Spam Assassin so that any email that Spam
>>>> Assassin flags as spam
>>>
>>> this is spamassassin's job
>>>
>>>> gets placed into a folder for a specific SMTP or IMAP email account.
>>>
>>> this is not spamassassin's job.
>>> It's job of mail delivery agent - procmail, maildrop, sieve
>>>
>>>> Then if Spam Assassin flags emails that are not spam I can tell it
>>>> which of those emails to not place into the spam folder for the
>>>> specific email client. Until it gradually learns which emails are
>>>> spam and which are not.
>>>
>>> dovecot (imap/pop3 server) has plugins that support training of
>>> spam/ham, if you move the mail from/to spam folder.
>>>
>>> https://doc.dovecot.org/configuration_manual/spam_reporting/
>>>
>>>> I've done a little research and I have access with my distribution to
>>>> a mail directory as well as the local.cf file for which
>>>> configurations are for Spam Assassin but I don't know how to setup
>>>> what I mentioned above ?
Re: Beginner Setting up Spam Assassin
Can you ban this user in whatever your equivalent of the access file is so instead of putting the messages into a spam folder, you reject messages from that address at delivery time (SMTP)?

On 30 December 2023 04:08:17 CET, FalconChristopher wrote:
>Anyone know how I can check and setup SpamAssassin so that I can
>eliminate some spam from coming in from a email account ?
>
>
>On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
>> On 27.12.23 16:53, FalconChristopher wrote:
>>> Hi, I want to setup Spam Assassin so that any email that Spam
>>> Assassin flags as spam
>>
>> this is spamassassin's job
>>
>>> gets placed into a folder for a specific SMTP or IMAP email account.
>>
>> this is not spamassassin's job.
>> It's job of mail delivery agent - procmail, maildrop, sieve
>>
>>> Then if Spam Assassin flags emails that are not spam I can tell it
>>> which of those emails to not place into the spam folder for the
>>> specific email client. Until it gradually learns which emails are
>>> spam and which are not.
>>
>> dovecot (imap/pop3 server) has plugins that support training of
>> spam/ham, if you move the mail from/to spam folder.
>>
>> https://doc.dovecot.org/configuration_manual/spam_reporting/
>>
>>> I've done a little research and I have access with my distribution to
>>> a mail directory as well as the local.cf file for which
>>> configurations are for Spam Assassin but I don't know how to setup
>>> what I mentioned above ?
Re: Beginner Setting up Spam Assassin
On 29.12.23 22:08, FalconChristopher wrote:
> Anyone know how I can check and setup SpamAssassin so that I can eliminate some spam from coming in from a email account ?

do you mean if one of your users started spamming out?

> On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
>> On 27.12.23 16:53, FalconChristopher wrote:
>>> Hi, I want to setup Spam Assassin so that any email that Spam
>>> Assassin flags as spam
>>
>> this is spamassassin's job
>>
>>> gets placed into a folder for a specific SMTP or IMAP email account.
>>
>> this is not spamassassin's job.
>> It's job of mail delivery agent - procmail, maildrop, sieve
>>
>>> Then if Spam Assassin flags emails that are not spam I can tell it
>>> which of those emails to not place into the spam folder for the
>>> specific email client. Until it gradually learns which emails are
>>> spam and which are not.
>>
>> dovecot (imap/pop3 server) has plugins that support training of
>> spam/ham, if you move the mail from/to spam folder.
>>
>> https://doc.dovecot.org/configuration_manual/spam_reporting/
>>
>>> I've done a little research and I have access with my distribution to
>>> a mail directory as well as the local.cf file for which
>>> configurations are for Spam Assassin but I don't know how to setup
>>> what I mentioned above ?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
Re: Beginner Setting up Spam Assassin
You can create a rule something like this:

header BLOCK_EMAIL From:addr =~ /user\@domain\.com/
describe BLOCK_EMAIL Block email
score BLOCK_EMAIL 5.00

On Sat, Dec 30, 2023 at 10:08 AM FalconChristopher <falconchristop...@bell.net> wrote:

> Anyone know how I can check and setup SpamAssassin so that I can
> eliminate some spam from coming in from a email account ?
>
>
> On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
> > On 27.12.23 16:53, FalconChristopher wrote:
> >> Hi, I want to setup Spam Assassin so that any email that Spam
> >> Assassin flags as spam
> >
> > this is spamassassin's job
> >
> >> gets placed into a folder for a specific SMTP or IMAP email account.
> >
> > this is not spamassassin's job.
> > It's job of mail delivery agent - procmail, maildrop, sieve
> >
> >> Then if Spam Assassin flags emails that are not spam I can tell it
> >> which of those emails to not place into the spam folder for the
> >> specific email client. Until it gradually learns which emails are
> >> spam and which are not.
> >
> > dovecot (imap/pop3 server) has plugins that support training of
> > spam/ham, if you move the mail from/to spam folder.
> >
> > https://doc.dovecot.org/configuration_manual/spam_reporting/
> >
> >> I've done a little research and I have access with my distribution to
> >> a mail directory as well as the local.cf file for which
> >> configurations are for Spam Assassin but I don't know how to setup
> >> what I mentioned above ?
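An added example, not code from this thread or from SpamAssassin, that applies the posted From:addr rule the way SpamAssassin evaluates a header regex (an unanchored search against the bare address), to show which other addresses the posted pattern also matches, an anchored form that matches only the intended one, and how the rule's 5.00 score interacts with the stock 5.0 threshold when other rules also fire; the sample addresses and the extra rule score are constructed.

```python
"""What a From:addr blocking rule actually matches, and what its score buys.

Added example, not code from this thread or from SpamAssassin. From:addr is
SpamAssassin's pseudo-header holding just the address from the From header;
a header rule regex is searched against it without implicit anchoring. The
sample From headers and the BAYES_00 score below are constructed.
"""
import re
from email.utils import parseaddr

DEFAULT_REQUIRED = 5.0  # SpamAssassin's stock required_score

# The rule as posted: unanchored, so it matches anywhere in the address.
POSTED_RULE = re.compile(r"user\@domain\.com")
# Anchored form: the whole address must be exactly user@domain.com.
ANCHORED_RULE = re.compile(r"^user\@domain\.com$")


def from_addr(from_header: str) -> str:
    """The address From:addr exposes: no display name, no angle brackets."""
    return parseaddr(from_header)[1]


def rule_hits(from_header: str, pattern: "re.Pattern") -> bool:
    """Apply a header rule regex the way SA does: an unanchored search."""
    return pattern.search(from_addr(from_header)) is not None


def total_score(hits: dict) -> float:
    """Sum of the scores of every rule that fired, rounded like SA reports it."""
    return round(sum(hits.values()), 3)


def is_spam(hits: dict, required: float = DEFAULT_REQUIRED) -> bool:
    """SA's verdict: the summed score reaches the threshold."""
    return total_score(hits) >= required


# Constructed From headers to try the rule against.
SAMPLES = {
    "intended":  '"Problem User" <user@domain.com>',
    "lookalike": "Someone <user@domain.com.attacker.invalid>",
    "coworker":  "Other <other-user@domain.com>",
    "unrelated": "Friend <friend@example.invalid>",
}


def matrix() -> dict:
    """For each sample: (posted regex hits, anchored regex hits)."""
    return {
        name: (rule_hits(hdr, POSTED_RULE), rule_hits(hdr, ANCHORED_RULE))
        for name, hdr in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (posted, anchored) in matrix().items():
        print(f"{name:10} posted={posted!s:5} anchored={anchored}")
    # The rule alone reaches the stock threshold exactly...
    print(is_spam({"BLOCK_EMAIL": 5.0}))                     # True
    # ...but a ham-looking Bayes verdict pulls the message back under it,
    # which is why rejecting at SMTP time (as suggested earlier in the
    # thread) does not depend on what the rest of the score does.
    print(is_spam({"BLOCK_EMAIL": 5.0, "BAYES_00": -1.9}))   # False
```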
Re: Beginner Setting up Spam Assassin
Anyone know how I can check and set up SpamAssassin so that I can eliminate some spam from coming in from an email account ?

On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
> On 27.12.23 16:53, FalconChristopher wrote:
>> Hi, I want to setup Spam Assassin so that any email that Spam
>> Assassin flags as spam
>
> this is spamassassin's job
>
>> gets placed into a folder for a specific SMTP or IMAP email account.
>
> this is not spamassassin's job.
> It's job of mail delivery agent - procmail, maildrop, sieve
>
>> Then if Spam Assassin flags emails that are not spam I can tell it
>> which of those emails to not place into the spam folder for the
>> specific email client. Until it gradually learns which emails are
>> spam and which are not.
>
> dovecot (imap/pop3 server) has plugins that support training of
> spam/ham, if you move the mail from/to spam folder.
>
> https://doc.dovecot.org/configuration_manual/spam_reporting/
>
>> I've done a little research and I have access with my distribution to
>> a mail directory as well as the local.cf file for which
>> configurations are for Spam Assassin but I don't know how to setup
>> what I mentioned above ?
Re: Beginner Setting up Spam Assassin
On 27.12.23 16:53, FalconChristopher wrote:
> Hi, I want to setup Spam Assassin so that any email that Spam
> Assassin flags as spam

this is spamassassin's job

> gets placed into a folder for a specific SMTP or IMAP email account.

this is not spamassassin's job.
It's the job of the mail delivery agent - procmail, maildrop, sieve

> Then if Spam Assassin flags emails that are not spam I can tell it
> which of those emails to not place into the spam folder for the
> specific email client. Until it gradually learns which emails are
> spam and which are not.

dovecot (imap/pop3 server) has plugins that support training of
spam/ham, if you move the mail from/to spam folder.

https://doc.dovecot.org/configuration_manual/spam_reporting/

> I've done a little research and I have access with my distribution to
> a mail directory as well as the local.cf file for which
> configurations are for Spam Assassin but I don't know how to setup
> what I mentioned above ?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
Beginner Setting up Spam Assassin
Hi, I want to set up Spam Assassin so that any email that Spam Assassin flags as spam gets placed into a folder for a specific SMTP or IMAP email account. Then if Spam Assassin flags emails that are not spam I can tell it which of those emails to not place into the spam folder for the specific email client, until it gradually learns which emails are spam and which are not.

I've done a little research and I have access with my distribution to a mail directory as well as the local.cf file, which holds the configuration for Spam Assassin, but I don't know how to set up what I mentioned above?

Thank You

Christopher
Re: some problem with spam
Hi, thanks, I'll try this ruleset.

On 12.12.2023 at 14:59, Jimmy wrote:
> These rules should match:
>
> rawbody __DOUBLE_HTML /<\/a>\s*/
> uri __LONG_LINK_URL /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i
>
> On Tue, Dec 12, 2023 at 8:44 PM natan wrote:
> > Hi
> > Thanks, but the link is random too, like:
> > https://paste.debian.net/1300874/
> >
> > On 12.12.2023 at 12:21, Jimmy wrote:
> > > uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
> > > rawbody __IMG_SRC_CID /
> > > meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
> > > describe ADB_CPN_ABUSE Possible malware link
> > > score ADB_CPN_ABUSE 2.5000
> > >
> > > Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be a false positive. Since I don't have visibility into all headers, consider creating rules based on specific headers or other rules that match these. Append these rules to the meta-rule and boost the overall score accordingly.
> > >
> > > Jimmy
> > >
> > > On Tue, Dec 12, 2023 at 5:53 PM natan wrote:
> > > > Hi
> > > > I have SpamAssassin version 3.4.6
> > > >
> > > > And I'm trying to resolve two problems:
> > > >
> > > > 1) I put .eml files with spam and teach SA like:
> > > > sa-learn --spam /root/spamik/
> > > >
> > > > In /root/spamik/ there are 4 e-mails.
> > > > Works great, but after 7 days I must teach it again, as if SA forgot what it learned.
> > > >
> > > > 2) I have a problem with one type of spam, like:
> > > > https://paste.debian.net/1300865/
> > > > because:
> > > > contents - random
> > > > from - random
> > > > IP - random
> > > >
> > > > The construction is only somewhat similar, like base64 + html and png.
> > > > All was signed by DKIM.
> > > >
> > > > And I had to work around it in the following way, but it is not a solution:
> > > >
> > > > rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
> > > > describe EMAIL_20231207 Spam fake IQ password
> > > > score EMAIL_20231207 2
> > > >
> > > > rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
> > > > score EMAIL_20231207_1 0.1
> > > > rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
> > > > meta EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
> > > > score EMAIL_20231207_ALL 2
> > > >
> > > > Any idea?
Re: some problem with spam
These rules should match:

rawbody __DOUBLE_HTML /<\/a>\s*/
uri __LONG_LINK_URL /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i

On Tue, Dec 12, 2023 at 8:44 PM natan wrote:
> Hi
> Thanks, but the link is random too, like:
>
> https://paste.debian.net/1300874/
>
> On 12.12.2023 at 12:21, Jimmy wrote:
> > uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
> > rawbody __IMG_SRC_CID /
> > meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
> > describe ADB_CPN_ABUSE Possible malware link
> > score ADB_CPN_ABUSE 2.5000
> >
> > Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be a false positive. Since I don't have visibility into all headers, consider creating rules based on specific headers or other rules that match these. Append these rules to the meta-rule and boost the overall score accordingly.
> >
> > Jimmy
> >
> > On Tue, Dec 12, 2023 at 5:53 PM natan wrote:
> > > Hi
> > > I have SpamAssassin version 3.4.6
> > >
> > > And I'm trying to resolve two problems:
> > >
> > > 1) I put .eml files with spam and teach SA like:
> > > sa-learn --spam /root/spamik/
> > >
> > > In /root/spamik/ there are 4 e-mails.
> > > Works great, but after 7 days I must teach it again, as if SA forgot what it learned.
> > >
> > > 2) I have a problem with one type of spam, like:
> > > https://paste.debian.net/1300865/
> > > because:
> > > contents - random
> > > from - random
> > > IP - random
> > >
> > > The construction is only somewhat similar, like base64 + html and png.
> > > All was signed by DKIM.
> > >
> > > And I had to work around it in the following way, but it is not a solution:
> > >
> > > rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
> > > describe EMAIL_20231207 Spam fake IQ password
> > > score EMAIL_20231207 2
> > >
> > > rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
> > > score EMAIL_20231207_1 0.1
> > > rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
> > > meta EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
> > > score EMAIL_20231207_ALL 2
> > >
> > > Any idea?
Re: some problem with spam
Hi
Thanks, but the link is random too, like:
https://paste.debian.net/1300874/

On 12.12.2023 at 12:21, Jimmy wrote:
> uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
> rawbody __IMG_SRC_CID /
> meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
> describe ADB_CPN_ABUSE Possible malware link
> score ADB_CPN_ABUSE 2.5000
>
> Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be a false positive. Since I don't have visibility into all headers, consider creating rules based on specific headers or other rules that match these. Append these rules to the meta-rule and boost the overall score accordingly.
>
> Jimmy
>
> On Tue, Dec 12, 2023 at 5:53 PM natan wrote:
> > Hi
> > I have SpamAssassin version 3.4.6
> >
> > And I'm trying to resolve two problems:
> >
> > 1) I put .eml files with spam and teach SA like:
> > sa-learn --spam /root/spamik/
> >
> > In /root/spamik/ there are 4 e-mails.
> > Works great, but after 7 days I must teach it again, as if SA forgot what it learned.
> >
> > 2) I have a problem with one type of spam, like:
> > https://paste.debian.net/1300865/
> > because:
> > contents - random
> > from - random
> > IP - random
> >
> > The construction is only somewhat similar, like base64 + html and png.
> > All was signed by DKIM.
> >
> > And I had to work around it in the following way, but it is not a solution:
> >
> > rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
> > describe EMAIL_20231207 Spam fake IQ password
> > score EMAIL_20231207 2
> >
> > rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
> > score EMAIL_20231207_1 0.1
> > rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
> > meta EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
> > score EMAIL_20231207_ALL 2
> >
> > Any idea?
Re: some problem with spam
uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID /
meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
describe ADB_CPN_ABUSE Possible malware link
score ADB_CPN_ABUSE 2.5000

Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be a false positive. Since I don't have visibility into all headers, consider creating rules based on specific headers or other rules that match these. Append these rules to the meta-rule and boost the overall score accordingly.

Jimmy

On Tue, Dec 12, 2023 at 5:53 PM natan wrote:
> Hi
> I have SpamAssassin version 3.4.6
>
> And I'm trying to resolve two problems:
>
> 1) I put .eml files with spam and teach SA like:
> sa-learn --spam /root/spamik/
>
> In /root/spamik/ there are 4 e-mails.
> Works great, but after 7 days I must teach it again, as if SA forgot what it learned.
>
> 2) I have a problem with one type of spam, like:
> https://paste.debian.net/1300865/
> because:
> contents - random
> from - random
> IP - random
>
> The construction is only somewhat similar, like base64 + html and png.
> All was signed by DKIM.
>
> And I had to work around it in the following way, but it is not a solution:
>
> rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
> describe EMAIL_20231207 Spam fake IQ password
> score EMAIL_20231207 2
>
> rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
> score EMAIL_20231207_1 0.1
> rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
> meta EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
> score EMAIL_20231207_ALL 2
>
> Any idea?
some problem with spam
Hi
I have SpamAssassin version 3.4.6

And I'm trying to resolve two problems:

1) I put .eml files with spam and teach SA like:
sa-learn --spam /root/spamik/

In /root/spamik/ there are 4 e-mails.
Works great, but after 7 days I must teach it again, as if SA forgot what it learned.

2) I have a problem with one type of spam, like:
https://paste.debian.net/1300865/
because:
contents - random
from - random
IP - random

The construction is only somewhat similar, like base64 + html and png.
All was signed by DKIM.

And I had to work around it in the following way, but it is not a solution:

rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
describe EMAIL_20231207 Spam fake IQ password
score EMAIL_20231207 2

rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
score EMAIL_20231207_1 0.1
rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
meta EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
score EMAIL_20231207_ALL 2

Any idea?
Re: when whitelisting, do what with marked SPAM?
On Tue, 14 Nov 2023, joe a wrote:
> On 11/14/2023 13:46:11, Matus UHLAR - fantomas wrote:
> > On 14.11.23 13:05, joe a wrote:
> > > Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"? Thinking along the lines of keeping BAYES "clean and sharp", so to speak. Leave as is? Delete and relearn?
> >
> > Simply relearn FPs. Unless you have a huge misclassification issue, learning as few mails as one should fix BAYES issues.
>
> Move previously tagged SPAM into HAM folder and "relearn"?

Right. Train on misclassifications. Also if there was a ham in your spam corpus review why it got misclassified in the first place.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Poor planning on your part does not create an obligation on my part.
---
1,264 days since the first private commercial manned orbital mission (SpaceX)
Re: when whitelisting, do what with marked SPAM?
On 14.11.23 13:05, joe a wrote:
> Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"? Thinking along the lines of keeping BAYES "clean and sharp", so to speak. Leave as is? Delete and relearn?

On 11/14/2023 13:46:11, Matus UHLAR - fantomas wrote:
> Simply relearn FPs. Unless you have a huge misclassification issue, learning as few mails as one should fix BAYES issues.

On 14.11.23 22:02, joe a wrote:
> Move previously tagged SPAM into HAM folder and "relearn"?

yes. re-training SA on the same file works as if previous training was not done.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory.
Re: when whitelisting, do what with marked SPAM?
On 11/14/2023 13:46:11, Matus UHLAR - fantomas wrote:
> On 14.11.23 13:05, joe a wrote:
> > Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"? Thinking along the lines of keeping BAYES "clean and sharp", so to speak. Leave as is? Delete and relearn?
>
> Simply relearn FPs. Unless you have a huge misclassification issue, learning as few mails as one should fix BAYES issues.

Move previously tagged SPAM into HAM folder and "relearn"?
Re: when whitelisting, do what with marked SPAM?
On 11/14/2023 20:48:27, John Hardin wrote:
> On Tue, 14 Nov 2023, joe a wrote:
> > Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"? Thinking along the lines of keeping BAYES "clean and sharp", so to speak. Leave as is? Delete and relearn?
>
> For a low volume home office user, I would simply NOT autolearn. Set up a hambox and a spambox and manually feed them and train from them.

I have autolearn off and have a spam and ham folder set up and "relearn" twice daily.
Re: when whitelisting, do what with marked SPAM?
On Tue, 14 Nov 2023, joe a wrote:
> Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"? Thinking along the lines of keeping BAYES "clean and sharp", so to speak. Leave as is? Delete and relearn?

For a low volume home office user, I would simply NOT autolearn. Set up a hambox and a spambox and manually feed them and train from them.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The reason it took so long to get Bin Laden is that it took the SEALs five years to swim that far into the desert. -- anon
---
1,263 days since the first private commercial manned orbital mission (SpaceX)
Re: when whitelisting, do what with marked SPAM?
On 14.11.23 13:05, joe a wrote:
> Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"? Thinking along the lines of keeping BAYES "clean and sharp", so to speak. Leave as is? Delete and relearn?

Simply relearn FPs. Unless you have a huge misclassification issue, learning as few mails as one should fix BAYES issues.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it!
when whitelisting, do what with marked SPAM?
Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"? Thinking along the lines of keeping BAYES "clean and sharp", so to speak. Leave as is? Delete and relearn?
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
Using Sendmail. I added milter-regex which allows very simple rules, e.g.:

reject "Unsolicited Spam" - make this as rude as you like.
body /I RECORDED YOU/i

Done and dusted. It's available as an RPM from EPEL for RedHat and variants.

*** REPLY SEPARATOR ***

On 11/11/2023 at 1:09 PM Mike Bostock via users wrote:
> In your message regarding Re: Anybody else getting bombarded with "I RECORDED YOU" spam? dated 11/11/2023, Noel Butler said ...
> > On 11/11/2023 22:37, Mike Bostock via users wrote:
> > > There is a way to whitelist domains with no RDNS but so far I haven't found a way to do this in the .mc file.
> > >
> > > Thanks again
> >
> > /etc/mail/access
> >
> > Connect:foo OK
>
> Of course, duh! ;-)
>
> -- 
> Mike
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
In your message regarding Re: Anybody else getting bombarded with "I RECORDED YOU" spam? dated 11/11/2023, Noel Butler said ...
> On 11/11/2023 22:37, Mike Bostock via users wrote:
> > There is a way to whitelist domains with no RDNS but so far I haven't found a way to do this in the .mc file.
> >
> > Thanks again
>
> /etc/mail/access
>
> Connect:foo OK

Of course, duh! ;-)

-- 
Mike
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
On 11/11/2023 22:37, Mike Bostock via users wrote:
> There is a way to whitelist domains with no RDNS but so far I haven't found a way to do this in the .mc file.
>
> Thanks again

/etc/mail/access

Connect:foo OK

-- 
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the author's express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
In your message regarding Re: Anybody else getting bombarded with "I RECORDED YOU" spam? dated 10/11/2023, Mark London said ...
> Sendmail didn't introduce FEATURE(require_rdns) until 2007. I'm sure I've been using it longer than that. And by default it's not enabled. It doesn't totally block the "I RECORDED YOU" spams. Occasionally some come through with IP addresses that have valid reverse lookups. But the number getting blocked is still huge.

Mark, thank you for this. I have just added this feature to my Sendmail and installed pyspf-milter as well and I would say it has reduced my spam by 95%.

There is a way to whitelist domains with no RDNS but so far I haven't found a way to do this in the .mc file.

Thanks again

-- 
Mike
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
I don't have the specifics at hand but I created a rule that places a heavy score (like 2.0) on anything that matches existing sex and bitcoin rules. These messages usually match a bunch of other signals and that rule pushes the score over my delete-on-sight threshold (8.0).

On 2023-11-10 05:51, giova...@paclan.it wrote:
> To block this type of spam I've increased the score of the GB_HASHBL_BTC (Bitcoin rbl) rule.
>
> Giovanni
>
> On 11/10/23 11:01, Mark London wrote:
> > Sendmail didn't introduce FEATURE(require_rdns) until 2007. I'm sure I've been using it longer than that. And by default it's not enabled. It doesn't totally block the "I RECORDED YOU" spams. Occasionally some come through with IP addresses that have valid reverse lookups. But the number getting blocked is still huge.
> >
> > On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:
> > > On 10.11.23 at 08:40, Mark London wrote:
> > > > Marc - You are correct. All the IP sources of this spam don't have a valid reverse lookup of the IP address to a name. That will solve my problem. Thanks! - Mark
> > > >
> > > > On 11/9/2023 12:38 PM, Marc wrote:
> > > > > Do you at least verify the reverse lookup? That already stops a lot of such networks.
> > >
> > > in other words your MTA is misconfigured
> > > https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

-- 
For SpamAssassin Users List
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
To block this type of spam I've increased the score of the GB_HASHBL_BTC (Bitcoin rbl) rule.

Giovanni

On 11/10/23 11:01, Mark London wrote:
> Sendmail didn't introduce FEATURE(require_rdns) until 2007. I'm sure I've been using it longer than that. And by default it's not enabled. It doesn't totally block the "I RECORDED YOU" spams. Occasionally some come through with IP addresses that have valid reverse lookups. But the number getting blocked is still huge.
>
> On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:
> > On 10.11.23 at 08:40, Mark London wrote:
> > > Marc - You are correct. All the IP sources of this spam don't have a valid reverse lookup of the IP address to a name. That will solve my problem. Thanks! - Mark
> > >
> > > On 11/9/2023 12:38 PM, Marc wrote:
> > > > Do you at least verify the reverse lookup? That already stops a lot of such networks.
> >
> > in other words your MTA is misconfigured
> > https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
Sendmail didn't introduce FEATURE(require_rdns) until 2007. I'm sure I've been using it longer than that. And by default it's not enabled. It doesn't totally block the "I RECORDED YOU" spams. Occasionally some come through with IP addresses that have valid reverse lookups. But the number getting blocked is still huge.

On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:
> On 10.11.23 at 08:40, Mark London wrote:
> > Marc - You are correct. All the IP sources of this spam don't have a valid reverse lookup of the IP address to a name. That will solve my problem. Thanks! - Mark
> >
> > On 11/9/2023 12:38 PM, Marc wrote:
> > > Do you at least verify the reverse lookup? That already stops a lot of such networks.
>
> in other words your MTA is misconfigured
> https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
RE: Anybody else getting bombarded with "I RECORDED YOU" spam?
Yes, that is fucked up, that experience and wisdom come with getting older ;)

https://faculty.cs.niu.edu/~rickert/cf/hack/require_rdns.m4

> Marc - You are correct. All the IP sources of this spam don't have a valid reverse lookup of the IP address to a name. That will solve my problem. Thanks! - Mark
>
> On 11/9/2023 12:38 PM, Marc wrote:
> > Do you at least verify the reverse lookup? That already stops a lot of such networks.
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
Marc - You are correct. All the IP sources of this spam don't have a valid reverse lookup of the IP address to a name. That will solve my problem. Thanks! - Mark

On 11/9/2023 12:38 PM, Marc wrote:
> Do you at least verify the reverse lookup? That already stops a lot of such networks.
RE: Anybody else getting bombarded with "I RECORDED YOU" spam?
> Heck, maybe I should just block the whole country. :)

You have to be careful with this. I think there are 'organisations' that specifically abuse with the intent to provoke you into blanket-blocking a specific region/range.
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
Unfortunately most of the IP addresses do have reverse lookups. On the other hand, I do see that some have common domains. So I could block by domain using sendmail. Heck, maybe I should just block the whole country. :)

On 11/9/2023 12:38 PM, Marc wrote:
> > The spam is coming from many different IP ranges, with little repetition. Most of them are from countries like Afghanistan, Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan. Are these the latest sources that spam software is using, because other countries have tightened up their security?
>
> Do you at least verify the reverse lookup? That already stops a lot of such networks.
>
> > I've been using spamassassin for almost several decades, and I've never noticed anything like this. I don't understand why the spam continues to be sent over and over. I do reject emails with a very high spam score, which these spams have. So I tried changing my configuration to discard the email instead, hoping the spammer software would decide that the email had been received. This didn't help. I'm curious if anyone is noticing this spam. Thanks. - Mark
>
> This takes a while (afaik months at least).
RE: Anybody else getting bombarded with "I RECORDED YOU" spam?
> The spam is coming from many different IP ranges, with little repetition. Most of them are from countries like Afghanistan, Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan. Are these the latest sources that spam software is using, because other countries have tightened up their security?

Do you at least verify the reverse lookup? That already stops a lot of such networks.

> I've been using spamassassin for almost several decades, and I've never noticed anything like this. I don't understand why the spam continues to be sent over and over. I do reject emails with a very high spam score, which these spams have. So I tried changing my configuration to discard the email instead, hoping the spammer software would decide that the email had been received. This didn't help. I'm curious if anyone is noticing this spam. Thanks. - Mark

This takes a while (afaik months at least).
Anybody else getting bombarded with "I RECORDED YOU" spam?
In the last couple of days, the number of "I RECORDED YOU" spams that my server has been receiving has gone way up. Well over a thousand a day. And the spam is only being sent to about 20 of my users. We had been receiving these for the last month, but nothing at all like the rate it's now happening. It's not using up a ton of CPU, but it is very annoying to see happening.

The spam is coming from many different IP ranges, with little repetition. Most of them are from countries like Afghanistan, Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan. Are these the latest sources that spam software is using, because other countries have tightened up their security?

I've been using spamassassin for almost several decades, and I've never noticed anything like this. I don't understand why the spam continues to be sent over and over. I do reject emails with a very high spam score, which these spams have. So I tried changing my configuration to discard the email instead, hoping the spammer software would decide that the email had been received. This didn't help. I'm curious if anyone is noticing this spam. Thanks. - Mark
Re: (Re-)emergence of UTF based obfuscation in phishing/spam
Typo, I meant to say I was on SA 3.4.6.

On Wed, Aug 30, 2023, 3:22 PM Ricky Boone wrote:
> Something I noticed on a set of emails that were reported to me.
>
> I have custom rules to look out for certain names in From:name. The messages should have been caught by them, however upon inspection the name was UTF-8 encoded, and included a character that doesn't seem to render, but interferes with the regex I used. Specifically, the bad actor included a RIGHT-TO-LEFT mark (U+200F, or \xe2\x80\x8f) effectively as a null-space character. The body of the message was also flooded with LEFT-TO-RIGHT (U+200E, or \xe2\x80\x8e) and ZERO WIDTH NO-BREAK SPACE (U+FEFF, or \xef\xbb\xbf) characters randomly placed within the body and within words to interfere with other rules. When debugging the message, it doesn't appear that the characters are normalized, so from SA's perspective it seems like all of these characters have to be accounted for with any rules.
>
> To add, I'm currently on SA 3.6.x. It looks like 4.0 improves UTF-8 handling, but I'm not sure if it would address the behavior I see (though happy to be wrong... albeit not able to update immediately).
>
> I'm trying to see if ReplaceTags might be useful, and found an older discussion in this list on the matter related to the trouble with UTF-8. I checked to see if there were any existing tags that would account for null-space/zero-width space-like characters, but didn't see any. I have no issues working on creating a tag, but wanted to gauge the community to see what their thoughts were while I started down that path.
(Re-)emergence of UTF based obfuscation in phishing/spam
Something I noticed on a set of emails that were reported to me.

I have custom rules to look out for certain names in From:name. The messages should have been caught by them, however upon inspection the name was UTF-8 encoded, and included a character that doesn't seem to render, but interferes with the regex I used. Specifically, the bad actor included a RIGHT-TO-LEFT mark (U+200F, or \xe2\x80\x8f) effectively as a null-space character. The body of the message was also flooded with LEFT-TO-RIGHT (U+200E, or \xe2\x80\x8e) and ZERO WIDTH NO-BREAK SPACE (U+FEFF, or \xef\xbb\xbf) characters randomly placed within the body and within words to interfere with other rules. When debugging the message, it doesn't appear that the characters are normalized, so from SA's perspective it seems like all of these characters have to be accounted for with any rules.

To add, I'm currently on SA 3.6.x. It looks like 4.0 improves UTF-8 handling, but I'm not sure if it would address the behavior I see (though happy to be wrong... albeit not able to update immediately).

I'm trying to see if ReplaceTags might be useful, and found an older discussion in this list on the matter related to the trouble with UTF-8. I checked to see if there were any existing tags that would account for null-space/zero-width space-like characters, but didn't see any. I have no issues working on creating a tag, but wanted to gauge the community to see what their thoughts were while I started down that path.
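The observation above, that SpamAssassin does not normalise these characters and so every rule has to account for them, can be made concrete. What follows is an added example in Python, not code from this post or from SpamAssassin: it parses a constructed message whose From display name carries U+200F and whose body is sprinkled with U+200E and U+FEFF, shows that the straightforward name and body regexes miss on the decoded text, and shows the same regexes matching once every Unicode format character (general category Cf, which covers the three code points named in the post plus the zero-width space, the joiners and the soft hyphen) is stripped before matching. It also counts those characters, since a flood of invisible code points is itself a usable signal. The display name, the addresses and the body text are constructed sample data.

```python
import re
import unicodedata
from email import message_from_bytes, policy

# Constructed sample (not from the post). The From display name is the RFC 2047
# encoded word for "IT<U+200F> Helpdesk"; the body carries U+200E and U+FEFF
# inside words, the three code points the post describes.
RAW_MESSAGE = (
    "From: =?UTF-8?B?SVTigI8gSGVscGRlc2s=?= <helpdesk@example.invalid>\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Action required\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: 8bit\r\n"
    "\r\n"
    "Your pass\u200eword exp\ufeffires to\u200eday. Log in \ufeffnow.\r\n"
).encode("utf-8")

# The checks being dodged, as they would read in a .cf file:
#   header FROM_FAKE_HELPDESK From:name =~ /^IT Helpdesk$/i
#   body   BODY_PW_EXPIRES    /password\s+expires/i
NAME_RE = re.compile(r"^IT Helpdesk$", re.I)
BODY_RE = re.compile(r"password\s+expires", re.I)


def parse(raw):
    return message_from_bytes(raw, policy=policy.default)


def from_display_name(msg):
    """Decoded From: display name, i.e. what a From:name header rule sees."""
    return msg["From"].addresses[0].display_name


def body_text(msg):
    return msg.get_content()


def format_chars(text):
    """Code points in Unicode general category Cf (format): bidi marks, zero-width
    space and joiners, BOM/ZWNBSP, soft hyphen. Wider than the post's three code points."""
    return [ch for ch in text if unicodedata.category(ch) == "Cf"]


def strip_format_chars(text):
    """Normalisation step: drop Cf characters before any rule sees the text."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def evaluate(raw):
    """Run both regexes on the raw and on the normalised text, and count the
    invisible characters; a large count is a signal in its own right."""
    msg = parse(raw)
    name, body = from_display_name(msg), body_text(msg)
    return {
        "name_matches_raw": bool(NAME_RE.search(name)),
        "name_matches_normalised": bool(NAME_RE.search(strip_format_chars(name))),
        "body_matches_raw": bool(BODY_RE.search(body)),
        "body_matches_normalised": bool(BODY_RE.search(strip_format_chars(body))),
        "format_char_count": len(format_chars(name)) + len(format_chars(body)),
    }


if __name__ == "__main__":
    for key, value in evaluate(RAW_MESSAGE).items():
        print(f"{key:26} {value}")
```

Stripping the whole Cf category rather than listing code points one by one is deliberate: the next campaign will pick a different invisible character, and a per-character ReplaceTags list would have to chase it. The count is worth keeping as its own meta-rule input, since legitimate mail rarely carries more than an occasional BOM or soft hyphen.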
Re: Expanded Spam Report
Hello,

perhaps try setting

report_safe 0

Then, according to the documentation at 'man Mail::SpamAssassin::Conf', a header 'X-Spam-Report' will be added that might just be what you need.
Expanded Spam Report
Hi,

It looks like I am using SA 4.0.0 on Ubuntu 23.x. I have looked for an answer in Google-pedia, and it either does not exist or I am not able to figure out the correct search term.

Is there a way to get a "spam report" or "expanded spam headers" from spamassassin included in the incoming emails? I'm thinking of something like what rspamd provides when expanded_headers is set to true. I would also accept a tool that I can submit an email to that would do the same.

Ultimately, when I see a piece of spam that gets through, I'm having to manually look up each rule, the score, and figure out why it was considered ham. I'd like something that would automate some of the work while I'm tweaking things.

Here's an example of what I'm thinking of (from rspamd):

X-Spamd-Result: default: False [12.36 / 15.01]; BAYES_SPAM(5.10)[99.99%]; URIBL_RED(3.50)[spamserver.domain.xx:url]; FORGED_RECIPIENTS(2.00)[m:m...@domain1.xx,s:m...@domain2.xx]; R_MIXED_CHARSET(1.07)[subject]; MID_RHS_NOT_FQDN(0.50)[]; BAD_REP_POLICIES(0.10)[]; RCVD_NO_TLS_LAST(0.10)[]; HAS_ANON_DOMAIN(0.10)[]; MIME_GOOD(-0.10)[multipart/related,multipart/alternative,text/plain]; MX_GOOD(-0.01)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_DKIM_NA(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; ASN(0.00)[asn:34300, ipnet:XXX.XXX.XXX.0/19, country:XX]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~,4:~,5:+]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; GREYLIST(0.00)[pass,body]; R_SPF_ALLOW(0.00)[+a:c]; RWL_MAILSPIKE_POSSIBLE(0.00)[XXX.XXX.XXX.36:from]; TO_DN_NONE(0.00)[]; CLAM_VIRUS_FAIL(0.00)[failed to scan and retransmits exceed]; <https://www.allerstorfer.at/clamav-with-rspamd-and-ispconfig-on-ubuntu/>DMARC_NA(0.00)[spamsender.domain.xx]; ARC_NA(0.00)[]

D
Re: Really hard-to-filter spam
On Fri, Aug 04, 2023 at 08:38:24AM -0500, Thomas Cameron wrote:
> It was a typo, sorry. I have a cron job that uses --spam against the spam folder, and --ham against the ham folder. I just copied and pasted poorly. This is the actual script for my account:
>
> [thomas.cameron@mail-east ~]$ cat bin/spamcheck
> #!/bin/bash
> sa-learn --progress --spam --mbox /home/thomas.cameron/mail/INBOX/spam
> sa-learn --progress --ham --mbox /home/thomas.cameron/mail/INBOX/ham
>
> Bayes tests for other messages, like the one you sent me, look like this:
>
> ------
> Return-Path:
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mail-east.camerontech.com
> X-Spam-Level:
> X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
>   DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,
>   SPF_PASS,T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=ham
>   autolearn_force=no version=3.4.6
> --
>
> But messages flagged as spam look like this:
>
> --
> Return-Path:
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mail-east.camerontech.com
> X-Spam-Flag: YES
> X-Spam-Level:
> X-Spam-Status: Yes, score=36.8 required=5.0 tests=BAYES_99,BAYES_999,
>   DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FROM_FMBLA_NEWDOM,
>   FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,HTML_IMAGE_ONLY_32,
>   HTML_MESSAGE,PDS_OTHER_BAD_TLD,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
>   RCVD_IN_DNSWL_HI,RDNS_NONE,SH_HELO_DBL,SH_HELO_ZRD_FRESH,
>   SH_ZRD_HEADERS_FRESH,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,
>   URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_ZRD shortcircuit=no autolearn=spam
>   autolearn_force=no version=3.4.6
> --
>
> The previous email I copied headers from as an example was just a bad example. Usually Bayes is /pretty/ accurate on my system. I only used that one because it was a message which made it through SpamAssassin. I was trying to demonstrate that the checks were not failing, as suggested in an earlier comment.
>
> Thanks for catching that, though. I have made silly mistakes like that so I appreciate you checking me.

In that case, I think I can only offer some general suggestions that I personally follow.

I have the autolearn function completely disabled. In my experience, if you have a decent training corpus of known ham and known spam, autolearn doesn't really add anything.

Like yours, my bayes results are usually quite accurate. At this point, I only train messages that are actually false positives or false negatives. I can't say for sure how effective this is, but my intuition is that by only training on "hard" messages (meaning ones that the non-bayes SA rules couldn't take care of on their own), I'm keeping the bayes engine focused on the most important messages to classify correctly.

Your above spample has such a high score, my mail server would have rejected that message at SMTP time even if it had triggered BAYES_00. I wouldn't bother training such a message; the rest of the rules have it covered.

Another thing to note is that spam tends to change over time. Having really old spams in your bayes DB could be diluting its effectiveness by having it look for signs that the current crop of spams don't show. It might be worth starting fresh with an empty bayes db and training just a few hundred of your most recent hams and spams.

And finally, if there's something consistent about the messages, don't be afraid to write a manual rule. I have a few special rules in my configs that alter the bayes scoring based on other aspects of the messages.

--Sean
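Sean's practice above (autolearn off, train only the messages the filter got wrong) and the same advice in the "when whitelisting" thread (keep a hambox and a spambox, relearn a false positive by moving it to the ham folder) can be automated. The script below is an added example in Python, not code from this thread or from the SpamAssassin project: it reads each message's X-Spam-Status header (the header the "Expanded Spam Report" poster was decoding by hand), compares SpamAssassin's verdict with the folder the user filed the message in, and emits sa-learn command lines only for the disagreements. The Maildir layout (~/Maildir/.spam/cur and ~/Maildir/.ham/cur) and the sample messages are constructed assumptions; the sa-learn switches --spam, --ham, --no-sync and --sync are real ones. It only builds and returns the argv lists so they can be reviewed before anything runs; nothing here calls sa-learn itself.

```python
import re
from email import message_from_bytes, policy


def parse_spam_status(value):
    """Parse SpamAssassin's X-Spam-Status header, e.g.
    'Yes, score=36.8 required=5.0 tests=BAYES_99,RDNS_NONE autolearn=spam ...'
    The header arrives folded over several lines; whitespace is collapsed first."""
    if value is None:
        return None
    value = " ".join(str(value).split())
    flag = value.split(",", 1)[0].strip()
    score = re.search(r"\bscore=(-?[\d.]+)", value)
    required = re.search(r"\brequired=(-?[\d.]+)", value)
    # the tests list runs until the next key=value token (shortcircuit=, autolearn=, ...)
    tests = re.search(r"\btests=(.*?)(?=\s+\w+=|$)", value)
    autolearn = re.search(r"\bautolearn=(\w+)", value)
    return {
        "flag": flag,
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "tests": {t for t in re.split(r"[,\s]+", tests.group(1)) if t} if tests else set(),
        "autolearn": autolearn.group(1) if autolearn else None,
    }


def decide(folder, status):
    """folder is where the user filed the message after reading it: 'spam' or 'ham'.
    Only a disagreement between user and filter is worth feeding to Bayes; a
    message the rules already caught, or already passed, teaches it nothing new."""
    if status is None:
        return None, "no X-Spam-Status header (never scanned), skip"
    flagged = status["flag"] == "Yes"
    if folder == "spam" and not flagged:
        return "--spam", f"false negative: scored {status['score']} against required {status['required']}"
    if folder == "ham" and flagged:
        why = "false positive"
        if status["autolearn"] == "spam":
            why += "; it was autolearned as spam, sa-learn --ham reverses that"
        return "--ham", why
    return None, "filter and user agree, skip"


def plan(messages, maildir="/home/user/Maildir"):
    """messages: iterable of (folder, filename, raw_bytes).
    Returns (report, commands): one decision per message and the sa-learn argv
    lists to run after review. Paths assume a Dovecot-style Maildir with folders
    .spam and .ham (an assumption; adjust to your layout)."""
    report, commands = [], []
    for folder, filename, raw in messages:
        msg = message_from_bytes(raw, policy=policy.default)
        mode, why = decide(folder, parse_spam_status(msg.get("X-Spam-Status")))
        report.append((filename, mode, why))
        if mode:
            commands.append(["sa-learn", mode, "--no-sync", f"{maildir}/.{folder}/cur/{filename}"])
    if commands:
        commands.append(["sa-learn", "--sync"])  # one journal sync after the batch
    return report, commands


def sample(folder, filename, status_line):
    """Constructed test message (not from the thread); status_line may be None."""
    headers = f"From: sender@example.invalid\r\nTo: me@example.invalid\r\nSubject: {filename}\r\n"
    if status_line:
        headers += f"X-Spam-Status: {status_line}\r\n"
    return folder, filename, (headers + "\r\nbody\r\n").encode("utf-8")


SAMPLES = [
    sample("ham", "1.eml", "No, score=-2.4 required=5.0 tests=BAYES_00,DKIM_VALID autolearn=ham"),
    # new correspondent flagged and autolearned as spam, then moved to ham by the user
    sample("ham", "2.eml", "Yes, score=6.2 required=5.0 tests=BAYES_80,FROM_FMBLA_NEWDOM,\r\n\tRDNS_NONE autolearn=spam"),
    sample("spam", "3.eml", "Yes, score=31.5 required=5.0 tests=BAYES_99,URIBL_BLACK autolearn=spam"),
    sample("spam", "4.eml", "No, score=2.1 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY autolearn=no"),
    sample("spam", "5.eml", None),
]

if __name__ == "__main__":
    report, commands = plan(SAMPLES)
    for filename, mode, why in report:
        print(f"{filename}: {mode or 'skip':7} {why}")
    for argv in commands:
        print(" ".join(argv))
```

Run from a cron job it replaces the "train the whole folder twice daily" loop with a pass over only the messages worth learning; a message moved from the spam folder to the ham folder after a whitelist, as in the "when whitelisting" thread, is picked up as a false positive on the next run and its earlier spam learning is undone by the --ham pass.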
Re: Really hard-to-filter spam
On 8/4/23 02:15, Sean Greenslade wrote:
> On Wed, Aug 02, 2023 at 04:17:22PM -0500, Thomas Cameron via users wrote:
> > On 8/2/23 15:52, David B Funk wrote:
> >
> > I have the users move spam to an imap folder, and then run (via the user's
> > cron job):
> >
> > sa-learn --mbox --spam /home/[username]/mail/spam
> >
> > If something is flagged as spam and it's not supposed to be, I have them
> > copy it to the ham folder and I run (also via cron job):
> >
> > sa-learn --mbox --ham /home/[username]/mail/spam
>
> Hopefully this is just a typo in your email, but the above line trains your
> spam folder as if it's ham. That could easily cause your screwed-up bayes
> scores.
>
> --Sean

It was a typo, sorry. I have a cron job that uses --spam against the spam
folder, and --ham against the ham folder. I just copied and pasted poorly.
This is the actual script for my account:

[thomas.cameron@mail-east ~]$ cat bin/spamcheck
#!/bin/bash
sa-learn --progress --spam --mbox /home/thomas.cameron/mail/INBOX/spam
sa-learn --progress --ham --mbox /home/thomas.cameron/mail/INBOX/ham

Bayes tests for other messages, like the one you sent me, look like this:

--
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        mail-east.camerontech.com
X-Spam-Level:
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,
        SPF_PASS,T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=ham
        autolearn_force=no version=3.4.6
--

But messages flagged as spam look like this:

--
Return-Path:

X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        mail-east.camerontech.com
X-Spam-Flag: YES
X-Spam-Level:
X-Spam-Status: Yes, score=36.8 required=5.0 tests=BAYES_99,BAYES_999,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FROM_FMBLA_NEWDOM,
        FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,HTML_IMAGE_ONLY_32,
        HTML_MESSAGE,PDS_OTHER_BAD_TLD,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
        RCVD_IN_DNSWL_HI,RDNS_NONE,SH_HELO_DBL,SH_HELO_ZRD_FRESH,
        SH_ZRD_HEADERS_FRESH,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,
        URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_ZRD shortcircuit=no autolearn=spam
        autolearn_force=no version=3.4.6
--

The previous email I copied headers from as an example was just a bad
example. Usually Bayes is /pretty/ accurate on my system. I only used that
one because it was a message which made it through SpamAssassin. I was
trying to demonstrate that the checks were not failing, as suggested in an
earlier comment.

Thanks for catching that, though. I have made silly mistakes like that so I
appreciate you checking me.

-- 
Thomas
Re: Really hard-to-filter spam
On Wed, Aug 02, 2023 at 04:17:22PM -0500, Thomas Cameron via users wrote:
> On 8/2/23 15:52, David B Funk wrote:
> >
> >
> I have the users move spam to an imap folder, and then run (via the user's
> cron job):
>
> sa-learn --mbox --spam /home/[username]/mail/spam
>
> If something is flagged as spam and it's not supposed to be, I have them
> copy it to the ham folder and I run (also via cron job):
>
> sa-learn --mbox --ham /home/[username]/mail/spam

Hopefully this is just a typo in your email, but the above line trains your
spam folder as if it's ham. That could easily cause your screwed-up bayes
scores.

--Sean
Re: Really hard-to-filter spam
On 8/2/23 15:52, David B Funk wrote:
> Regardless, if a message has never been seen before and has little
> correlation to earlier messages its Bayes should hit someplace in the 40% to
> 60% range. The fact that it hit 00% indicates a strong correlation to lots
> of ham (or something is screwy with your Bayes).

OK, here's what I got just now:

[thomas.cameron@mail-east ~]$ sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0      41449          0  non-token data: nspam
0.000          0      49720          0  non-token data: nham
0.000          0     162741          0  non-token data: ntokens
0.000          0 1689089541          0  non-token data: oldest atime
0.000          0 1691009577          0  non-token data: newest atime
0.000          0 1691007146          0  non-token data: last journal sync atime
0.000          0 1690991018          0  non-token data: last expiry atime
0.000          0    1382400          0  non-token data: last expire atime delta
0.000          0      13879          0  non-token data: last expire reduction count

I can absolutely re-train Bayes. I am kind of an email pack-rat, so I have
over a gig of saved known good emails in various folders.

I have SA set up so that emails are scanned individually on a per user basis
via procmail rule:

[thomas.cameron@mail-east ~]$ head .procmailrc
MAILDIR=$HOME/mail
LOGFILE=$MAILDIR/procmail.log

:0fw: spamassassin.lock
* < 512000
| spamassassin

I have the users move spam to an imap folder, and then run (via the user's
cron job):

sa-learn --mbox --spam /home/[username]/mail/spam

If something is flagged as spam and it's not supposed to be, I have them
copy it to the ham folder and I run (also via cron job):

sa-learn --mbox --ham /home/[username]/mail/spam

For my email account, I've used my inbox and various other folders to train
Bayes in the past (although it's definitely been a while since I did Bayes
maintenance), but I have zero issue nuking my personal Bayes data and
starting over.

Thoughts?

-- 
Thomas
Re: Really hard-to-filter spam
On Wed, 2 Aug 2023, Thomas Cameron via users wrote:
> Thank you very much. The message that slipped through today was NOT one of
> the ones being discussed in this thread, it was a different format and
> totally different message. I only included it to demonstrate that my server
> was not being rejected for queries as the blocked user intimated. I will dig
> deeper into the --magic and make sure I'm feeding Bayes with spam and ham.

Regardless, if a message has never been seen before and has little correlation
to earlier messages its Bayes should hit someplace in the 40% to 60% range.
The fact that it hit 00% indicates a strong correlation to lots of ham (or
something is screwy with your Bayes).

-- 
Dave Funk                          University of Iowa College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Really hard-to-filter spam
On 8/2/23 14:32, Dave Funk wrote:
> On Wed, 2 Aug 2023, Thomas Cameron via users wrote:
> > Wow! What a charming response! You must be a LOT of fun at parties, and
> > have lots of friends!
>
> Please don't feed the troll. There's a reason that Reindl is blocked from
> this list.

I was not aware, and I apologize.

> > No, I did not get that response. I don't have any of those specific spam
> > to sample, as I have not gotten one today. But the last spam I got that
> > slipped through SA had this score:
> >
> > X-Spam-Status: No, score=-5.1 required=5.0 tests=BAYES_00,DEAR_SOMETHING,
> >         DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
> >         HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,RCVD_IN_PBL,
> >         SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE shortcircuit=no
> >
> > So nothing about any tests not working, or queries being rejected. Nothing
> > that looks like misconfiguration on my end. I am not saying there are no
> > misconfigurations on my end, but if there are, it's not super obvious to
> > me.
>
> The fact that you're getting BAYES_00 on that message indicates that Bayes
> -really- thinks it's ham.
>
> Given that you've trained multiple instances of this kind of message to
> Bayes as spam but it still gets BAYES_00 score means one of two things:
>
> 1) Either you've got thousands of instances of similar messages that were
> learned as 'ham'
>
> 2) or the database that Bayes in your running SA instance is using is not
> the same one that you were doing your training to. This could be
> configuration issues or pilot error (using the wrong identity when doing the
> training, training on the wrong machine, etc).
>
> On your SA machine what does the output of "sa-learn --dump magic" show you?
> (IE how many nspam & nham tokens, what is the newest "atime", etc).
>
> If careful config & log inspection doesn't give clues, try this brute-force
> test. Shut down your SA, move the directory containing your Bayes database
> out of the way and create a new empty one. ("sa-learn --dump magic" should
> now show 0 tokens).
> Then train a few ham & spam messages (only a dozen or so), recheck the
> --dump magic to see that there are now some tokens in the database but not
> too many. Restart your SA and watch the log results.
>
> If there are fewer than 200 messages (both ham & spam) in your Bayes
> database then SA won't use it, so make sure that's the case, your new
> database should be too empty for SA to be willing to use it. So if you -are-
> getting Bayes scores then that indicates that SA is using some database
> other than what you think it has.
>
> Now start manually training more messages (spam & ham). When you hit the 200
> count threshold Bayes scores should start showing up in your logs.
>
> Good luck.

Thank you very much. The message that slipped through today was NOT one of
the ones being discussed in this thread, it was a different format and
totally different message. I only included it to demonstrate that my server
was not being rejected for queries as the blocked user intimated. I will dig
deeper into the --magic and make sure I'm feeding Bayes with spam and ham.

Thanks for your response, and again, I apologize for leaking that user's
garbage to the list. I was not aware that he was blocked.

-- 
Thomas
Re: Really hard-to-filter spam
On Wed, 2 Aug 2023, Thomas Cameron via users wrote:
> Wow! What a charming response! You must be a LOT of fun at parties, and have
> lots of friends!

Please don't feed the troll. There's a reason that Reindl is blocked from
this list.

> No, I did not get that response. I don't have any of those specific spam to
> sample, as I have not gotten one today. But the last spam I got that slipped
> through SA had this score:
>
> X-Spam-Status: No, score=-5.1 required=5.0 tests=BAYES_00,DEAR_SOMETHING,
>         DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
>         HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,RCVD_IN_PBL,
>         SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE shortcircuit=no
>
> So nothing about any tests not working, or queries being rejected. Nothing
> that looks like misconfiguration on my end. I am not saying there are no
> misconfigurations on my end, but if there are, it's not super obvious to me.

The fact that you're getting BAYES_00 on that message indicates that Bayes
-really- thinks it's ham.

Given that you've trained multiple instances of this kind of message to Bayes
as spam but it still gets BAYES_00 score means one of two things:

1) Either you've got thousands of instances of similar messages that were
learned as 'ham'

2) or the database that Bayes in your running SA instance is using is not the
same one that you were doing your training to. This could be configuration
issues or pilot error (using the wrong identity when doing the training,
training on the wrong machine, etc).

On your SA machine what does the output of "sa-learn --dump magic" show you?
(IE how many nspam & nham tokens, what is the newest "atime", etc).

If careful config & log inspection doesn't give clues, try this brute-force
test. Shut down your SA, move the directory containing your Bayes database out
of the way and create a new empty one. ("sa-learn --dump magic" should now
show 0 tokens).
Then train a few ham & spam messages (only a dozen or so), recheck the --dump
magic to see that there are now some tokens in the database but not too many.
Restart your SA and watch the log results.

If there are fewer than 200 messages (both ham & spam) in your Bayes database
then SA won't use it, so make sure that's the case, your new database should
be too empty for SA to be willing to use it. So if you -are- getting Bayes
scores then that indicates that SA is using some database other than what you
think it has.

Now start manually training more messages (spam & ham). When you hit the 200
count threshold Bayes scores should start showing up in your logs.

Good luck.

-- 
Dave Funk                          University of Iowa College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
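Dave's brute-force test and the `sa-learn --dump magic` output Thomas posted further up the page both turn on the same two numbers, nspam and nham, and on the 200-message minimum before SpamAssassin will score with Bayes at all. The helper below is an added example, not code from this thread or from SpamAssassin: it parses `--dump magic` output, checks the counts against SpamAssassin's default bayes_min_spam_num / bayes_min_ham_num of 200, reports how wide the token age window is (Sean's point about stale spam in the database), and applies Dave's reasoning about an empty database that nonetheless produces BAYES_* scores. The first dump is the one Thomas posted in this thread; the empty one is constructed, and the function names are this example's own.

```python
"""Read `sa-learn --dump magic` output and decide whether the Bayes database
SA is supposed to be using could actually be producing the scores seen in the
logs.  Added illustration, not code from the thread or from SpamAssassin."""
import re

# The dump Thomas posted in this thread (his counts), in sa-learn's layout.
DUMP_MAGIC_THOMAS = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0      41449          0  non-token data: nspam
0.000          0      49720          0  non-token data: nham
0.000          0     162741          0  non-token data: ntokens
0.000          0 1689089541          0  non-token data: oldest atime
0.000          0 1691009577          0  non-token data: newest atime
0.000          0 1691007146          0  non-token data: last journal sync atime
0.000          0 1690991018          0  non-token data: last expiry atime
0.000          0    1382400          0  non-token data: last expire atime delta
0.000          0      13879          0  non-token data: last expire reduction count
"""

# Constructed: what a freshly created, empty database reports.
DUMP_MAGIC_EMPTY = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0          0          0  non-token data: ntokens
"""

# SpamAssassin defaults for bayes_min_spam_num and bayes_min_ham_num.
MIN_SPAM, MIN_HAM = 200, 200

# Columns are: probability, spam count, ham count, atime, then the label;
# the non-token rows carry their value in the third column.
_LINE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data: (.+?)\s*$")


def parse_dump_magic(text):
    """Map each 'non-token data' label to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def bayes_usable(stats, min_spam=MIN_SPAM, min_ham=MIN_HAM):
    """SA only scores with Bayes once both counts reach the configured minimums."""
    return stats.get("nspam", 0) >= min_spam and stats.get("nham", 0) >= min_ham


def token_age_days(stats):
    """Span between the oldest and newest token atimes; a wide window means
    old training data is still weighing on the classifier."""
    return (stats["newest atime"] - stats["oldest atime"]) / 86400.0


def diagnose(stats, bayes_scores_seen):
    """Dave's check: with SA pointed at a database that is too small to be
    used, BAYES_* rules should not fire.  If they still do, SA is reading
    some other database (other user identity, other path, other host).
    bayes_scores_seen: whether BAYES_* rules appear in SA's results."""
    if bayes_usable(stats):
        return "active"
    if bayes_scores_seen:
        return "other-db-in-use"
    return "below-threshold"


if __name__ == "__main__":
    for name, dump in (("thomas", DUMP_MAGIC_THOMAS), ("empty", DUMP_MAGIC_EMPTY)):
        s = parse_dump_magic(dump)
        print(f"{name}: nspam={s.get('nspam', 0)} nham={s.get('nham', 0)} "
              f"usable={bayes_usable(s)} verdict={diagnose(s, True)}")
    print(f"thomas: token window = {token_age_days(parse_dump_magic(DUMP_MAGIC_THOMAS)):.1f} days")
```

To use it against a live system, feed it the text of `sa-learn --dump magic` run as the same user (and with the same bayes_path) that the mail scanner runs as; running it as a different identity is exactly the pilot error Dave describes, because each identity sees its own database.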