Re: Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

Sun, 25 Apr 2021 19:26:55 -0700 


On 2021-04-25 19:31, Bill Cole wrote:

On 25 Apr 2021, at 18:40, Alan wrote:
We run cPanel servers and scan every outbound message with SA in order to reduce the amount of garbage that comes through website contact forms. 

That's good.
However, in a default cPanel configuration, HAS_X_OUTGOING_SPAM_STAT scores a whopping 2.3. I'm not sure what the distribution default is
Today's dynamically-determined score in the default rules channel is 2.298 for systems with network and bayes scoring enabled, so it looks like cPanel is likely to be using default scores.
but that's enough to move a lot of messages to spam, simply because the sender was scanning messages.
Is it actually doing that to known legitimate mail? Can you share headers? It would be good to find a way to exclude false positives.
Sure spammers are going to be putting that header in, but as far as I can tell, that's an argument for always scoring the rule at a hard zero. I can see how it might be useful in a meta with some other indicators, but as it stands, it's penalizing both the guys trying to stop spam at the source and the spammers and that seems counterproductive.
The rule QA system is nowhere near as smart as you... It only knows that in the corpora of mail it used to determine whether to publish HAS_X_OUTGOING_SPAM_STAT and what to score it, 72.6% of the mail matching HAS_X_OUTGOING_SPAM_STAT was spam. That's for yesterday's weekly network mass-check. See https://ruleqa.spamassassin.org/20210424-r1889140-n/HAS_X_OUTGOING_SPAM_STAT/detail for the arcane details.
If I recall correctly, the "X-OutGoing-Spam-Status" header which triggers that rule (with some exemptions) is not actually used by anything within cPanel, and a non-spam result in that header certainly should not be trusted anywhere but the system generating it. So it may be helpful to do the scan but to forego adding the header or to at least make cPanel use a local name.
I've posted to a 13 month old thread on the cPanel forums that was left at "we'll update you", asking for an update. I can't see any useful purpose to having that header in there.
Obfuscated headers follow. Haven't dug into it but it looks like another FP on KAM_MXURI, I'm guessing that's because the message is coming from my.our-domain.net and "my" is close enough to "mx", which would be unfortunate. At least the NUMERIC_HTTP_ADDR is something I can fix. 

Return-Path: <our-domain.supp...@our-domain.com>
Delivered-To: our-domain.supp...@our-domain.com
Received: from ssc010.our-domain.net
        by ssc010.our-domain.net with LMTP
        id KGkdFSHVhWBRCgAAk/bwIA
        (envelope-from <our-domain.supp...@our-domain.com>)
        for <our-domain.supp...@our-domain.com>; Sun, 25 Apr 2021 16:46:25 -0400
Return-path: <our-domain.supp...@our-domain.com>
Envelope-to: our-domain.supp...@our-domain.com
Delivery-date: Sun, 25 Apr 2021 16:46:25 -0400
Received: from our-server.our-domain.net ([100.101.102.103]:34044)
        by ssc010.our-domain.net with esmtps  (TLS1.2) tls 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.94)
        (envelope-from <our-domain.supp...@our-domain.com>)
        id 1lale4-0002xo-LD
        for our-domain.supp...@our-domain.com; Sun, 25 Apr 2021 16:46:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=my.our-domain.net; s=default; 
h=Content-Transfer-Encoding:Content-Type:
        
MIME-Version:Message-ID:Subject:Reply-To:From:To:Date:Sender:Cc:Content-ID:
        
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
        
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
        List-Subscribe:List-Post:List-Owner:List-Archive;
        bh=j53ixXbMXzxOWOuh7uN7dlHw0Vr6LfiGnD/j577LPKs=; 
b=0nJJlFR/3NPsGrwKOpTGdc+6Vu
        
YO7UqkOwYydYNQijRJqe0dxqUwdHt06x57tx1DhoAJC/EmM6buHejeghdXLO+K+X3Di9rQ/hU85bj
        
uvZnd2jvf4kn/Hg47bCEw7/3oByYNbTJ8VK2WhNTb6x3q0zsbT//ODf5t2afLOM1SqWNW65i2YR2J
        
OvoY+VLh6dH44zhssa0XWuDZ+JYJYKoDMYKLN5SQ9PLqu+tQo50frwLmvfULLqP5scNCir9xWvDHH
        
/WRF490NRwD5ljrTNxAxT6xQgTQV2KGM/ND6WnajJJpT5JeAsGP41C/YzNUOZyhX62DNB4XbYId6b
        Mgj3eN4w==;
Received: from [100.101.102.103] (port=54664 helo=my.our-domain.net)
        by our-server.our-domain.net with esmtpsa  (TLS1.2) tls 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        (Exim 4.94)
        (envelope-from <our-domain.supp...@our-domain.com>)
        id 1lale3-0002hS-Sp; Sun, 25 Apr 2021 16:46:24 -0400
Date: Sun, 25 Apr 2021 20:46:23 +0000
To: "First Last (Customer, Inc.)" <first-l...@their-domain.com>
From: "our-domain Inc." <our-domain.supp...@our-domain.com>
Reply-To: "our-domain Inc." <our-domain.supp...@our-domain.com>
Message-ID: <rqx1wokfk2hpwh7li3bl39dqajytzhujijod1cf...@my.our-domain.net>
X-Mailer: our-domain Inc.
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="b1_rqx1wOkfk2HPwH7li3bl39DQAjYTzhuJiJOD1cfpxU"
Content-Transfer-Encoding: 8bit
X-OutGoing-Spam-Status: No, score=1.3
X-AntiAbuse: This header was added to track abuse, please include it with any 
abuse report
X-AntiAbuse: Primary Hostname - our-server.our-domain.net
X-AntiAbuse: Original Domain - our-domain.com
X-AntiAbuse: Originator/Caller UID/GID - [xx yy] / [xx yy]
X-AntiAbuse: Sender Address Domain - our-domain.com
X-Get-Message-Sender-Via: our-server.our-domain.net: authenticated_id: 
system-nore...@my.our-domain.net
X-Authenticated-Sender: our-server.our-domain.net: 
system-nore...@my.our-domain.net
X-Source:
X-Source-Args:
X-Source-Dir:
X-Spam-Status: Yes, score=6.7
X-Spam-Score: 67
X-Spam-Bar: ++++++
X-Spam-Report: Spam detection software, running on the system 
"ssc010.our-domain.net",
 has identified this incoming email as possible spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  our-domain Hosting Services To protect against forged 
messages,
    we are using a verification code, set by you, in every message we send. 
Please
    check the code below against the value you set. If you have not set a 
verification
    co [...]
 Content analysis details:   (6.7 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: list-manage.com]
  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5000]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 WEIRD_PORT             URI: Uses non-standard port number for HTTP
  1.2 NUMERIC_HTTP_ADDR      URI: Uses a numeric IP address in URL
  1.5 KAM_MXURI              URI: URI begins with a mail exchange prefix, i.e.
                             mx.[...]
  0.0 NORMAL_HTTP_TO_IP      URI: URI host has a public dotted-decimal IPv4
                              address
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
  0.1 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  2.3 HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan
                             - why trust the results?
X-Spam-Flag: YES
Subject:  ***SPAM***  New Account Information

--
For SpamAsassin Users List

Reply via email to