On 2024-06-14 21:20, Matus UHLAR - fantomas wrote:
grep -ri "FONT_INVIS_NORDNS" /var/lib/spamassassin/ | grep describe
/var/lib/spamassassin/4.000000/updates_spamassassin_org/72_active.cf:
describe FONT_INVIS_NORDNS Invisible text + no rDNS
In my case, I can say with certainty that the mail comes from a
business partner of a colleague :-)
If you want to find out more, feed the mail to "spamassassin -D" and
that should explain which text matched which rules.
and as we told you already, your client should NOT play with small or
semi-invisible text in mail. That's what spammers do.
Cool, but now I've more questions! :-)
When the eMail arrived the score was 6.248. I repeat the testlist:
BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FONT_INVIS_MSGID=2.497,
FONT_INVIS_NORDNS=1.544, HTML_FONT_TINY_NORDNS=1.514, HTML_MESSAGE=0.001,
RDNS_NONE=0.793, RELAYCOUNTRY_BAD=2, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01
But when piping the eMail to spamassassin -D the score is 10.5! And
RDNS_NONE gets a 1.3!
 2.5 URIBL_DBL_SPAM          Contains a spam URL listed in the Spamhaus DBL
                             blocklist
                             [URI: www.example.com]
                             [URI: example.com]
 0.0 SPF_HELO_NONE           SPF: HELO does not publish an SPF Record
 0.1 DKIM_SIGNED             Message has a DKIM or DK signature, not
                             necessarily valid
 0.1 DKIM_INVALID            DKIM or DK signature exists, but is not valid
 2.0 RELAYCOUNTRY_BAD        Relayed through spammy country at some point
 0.0 HTML_MESSAGE            BODY: Nachricht enthält HTML
-0.0 T_SCC_BODY_TEXT_LINE    No description available.
 1.2 FONT_INVIS_NORDNS       Invisible text + no rDNS
 1.3 RDNS_NONE               Delivered to internal network by a host with
                             no rDNS
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors
                             in HTML
 2.5 FONT_INVIS_MSGID        Invisible text + suspicious message ID
 0.0 HTML_FONT_TINY_NORDNS   Font too small to read, no rDNS
 0.9 DMARC_NONE              DMARC none policy
Let's just assume that the colleague is corresponding with a spammer and
the colleague knows nothing about it. I'm just interested to know why
the score is lower when the last mail arrived than in the current test.
Is it because a few hours have already passed and the mail is rated
differently in the DNS blocklists? Or could it be that something is
still wrong with my configuration? However, I can see in the journal
that every mail is checked against blocklists, maybe not completely?
This difference is now irritating me.