USER_IN_DEF_DKIM_WL -7.5

http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL

that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0

adjusted also some other scores in local.cf; reputation to prevent false positives is good, but not that much

overrides:

  score SPF_PASS -0.005
  score SPF_SOFTFAIL 1.5
  score SPF_FAIL 2.0
  score RP_MATCHES_RCVD -0.5
  score USER_IN_DEF_DKIM_WL -3.0
  score RCVD_IN_RP_CERTIFIED -1.0
  score RCVD_IN_RP_SAFE -1.0

  -2 AC_DIV_BONANZA,BAYES_99,BAYES_999,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL
Re: USER_IN_DEF_DKIM_WL -7.5

On Sat, 20 Sep 2014 15:48:05 +0200 Reindl Harald wrote:

> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>
> that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0

Do you have any evidence for it being too much? It seems about right to me.

If you have an actual problem I'd suggest you use unwhitelist_from_dkim locally and report the domain so it can be considered for delisting.

The dkim default whitelist contains domains that send a lot of autogenerated and bulk mail, but have a very low probability of sending spam.
Re: USER_IN_DEF_DKIM_WL -7.5

On 20.09.2014 at 23:54, RW wrote:
> On Sat, 20 Sep 2014 15:48:05 +0200 Reindl Harald wrote:
>> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>>
>> that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0
>
> Do you have any evidence for it being too much? It seems about right to me.
>
> If you have an actual problem I'd suggest you use unwhitelist_from_dkim locally and report the domain so it can be considered for delisting.
>
> The dkim default whitelist contains domains that send a lot of autogenerated and bulk mail, but have a very low probability of sending spam.

how can -7.5 be right? it bypasses unconditionally any bayes, regardless if it is trained with 100, 1000 or 1 messages ham / spam, and that can not be the right thing

there are in summary way too many whitelists with too high scores, and the problem is that many senders are on a lot of them, like 4 or 5 IADB whitelists, which gives a total WL count with no way to get a clear spam message blocked

frankly i have faced *clear* spam messages listed on Mailspike, IADB multiple times, hitting a bayes of 100% and some other spam tags, but still getting a negative score by excessive whitelisting
Re: USER_IN_DEF_DKIM_WL -7.5

On Sun, 21 Sep 2014, Reindl Harald wrote:
> On 20.09.2014 at 23:54, RW wrote:
>> On Sat, 20 Sep 2014 15:48:05 +0200 Reindl Harald wrote:
>>> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>>>
>>> that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0
>>
>> Do you have any evidence for it being too much? It seems about right to me.
>>
>> If you have an actual problem I'd suggest you use unwhitelist_from_dkim locally and report the domain so it can be considered for delisting.
>>
>> The dkim default whitelist contains domains that send a lot of autogenerated and bulk mail, but have a very low probability of sending spam.
>
> how can -7.5 be right? it bypasses unconditionally any bayes, regardless if it is trained with 100, 1000 or 1 messages ham / spam, and that can not be the right thing

That's kinda the *point* to a whitelist.

I would suggest getting BAYES_999 on a message that has a valid DKIM signature for a domain in the default DKIM whitelist may instead indicate either bayes mistraining or somebody has put something into the default DKIM whitelist locally that they shouldn't have.

Would you care to share the spam that you posted the scores for at the start of this thread? There's not much we can do with just the rules that hit beside post vague guesses. The critical part is: which domain is that whitelisted DKIM signature for?

Is it possible that your bayes has been trained with legit[1] newsletters that someone is dropping into their spambox rather than unsubscribing from?

[1] legit meaning that the person actually subscribed to, or from a sender that the person actually is a customer of or does have a business relationship with.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Markley's Law (variant of Godwin's Law): As an online discussion of gun owners' rights grows longer, the probability of an ad hominem attack involving penis size approaches 1.
---
842 days since the first successful private support mission to ISS (SpaceX)
Re: USER_IN_DEF_DKIM_WL -7.5

On 21.09.2014 at 03:29, John Hardin wrote:
> On Sun, 21 Sep 2014, Reindl Harald wrote:
>> On 20.09.2014 at 23:54, RW wrote:
>>> On Sat, 20 Sep 2014 15:48:05 +0200 Reindl Harald wrote:
>>>> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>>>>
>>>> that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0
>>>
>>> Do you have any evidence for it being too much? It seems about right to me.
>>>
>>> If you have an actual problem I'd suggest you use unwhitelist_from_dkim locally and report the domain so it can be considered for delisting.
>>>
>>> The dkim default whitelist contains domains that send a lot of autogenerated and bulk mail, but have a very low probability of sending spam.
>>
>> how can -7.5 be right? it bypasses unconditionally any bayes, regardless if it is trained with 100, 1000 or 1 messages ham / spam, and that can not be the right thing
>
> That's kinda the *point* to a whitelist.

unconditional whitelists are as bad as unconditional blacklists

> I would suggest getting BAYES_999 on a message that has a valid DKIM signature for a domain in the default DKIM whitelist may instead indicate either bayes mistraining or somebody has put something into the default DKIM whitelist locally that they shouldn't have.

none of both, i would say: no bayes mistraining, and there is no sender host which is never affected by something bad passing by - recently had the same happening on the own network; that's why you have a *content* filter, which should not unconditionally whitelist

> Would you care to share the spam that you posted the scores for at the start of this thread? There's not much we can do with just the rules that hit beside post vague guesses. The critical part is: which domain is that whitelisted DKIM signature for?

no message content available - we don't store anything on the gateway

3 cases with score -5 twice and one time -2

  message-id=@xtinmta4208.xt.local
  bounce-...@bounce.mail.hotels.com

> Is it possible that your bayes has been trained with legit[1] newsletters that someone is dropping into their spambox rather than unsubscribing from?

unlikely - i am the only one who trains the bayes

frankly i collected a lot of newsletters and stuff for HAM where i thought: well, how that message is built, normally it would not deserve any good scoring

  0.000          0       1592          0  non-token data: nspam
  0.000          0       1627          0  non-token data: nham
  0.000          0     318955          0  non-token data: ntokens

> [1] legit meaning that the person actually subscribed to, or from a sender that the person actually is a customer of or does have a business relationship with.

even if - the bayes should not be *that* outbeaten, and the fear of a possible FP is not a good reason for nearly unconditional whitelists

-2 + 7.5 would have been 5.5, which is still fine having a milter-reject of 8.0

what if an account there is hacked, which can happen every time? until such a WL is terminated a spam wave makes its way
Re: USER_IN_DEF_DKIM_WL -7.5

Don't pay too much attention to reindl, he is a well known internet troll, and highly abusive to those who disagree with him, he's been kicked off or moderated on so many lists now, most folks have lost count, and most folks ignore him, the stain is best treated as a stain, washed away with good rules :-)

On 9/21/14, RW rwmailli...@googlemail.com wrote:
> On Sat, 20 Sep 2014 15:48:05 +0200 Reindl Harald wrote:
>> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>>
>> that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0
>
> Do you have any evidence for it being too much? It seems about right to me.
>
> If you have an actual problem I'd suggest you use unwhitelist_from_dkim locally and report the domain so it can be considered for delisting.
>
> The dkim default whitelist contains domains that send a lot of autogenerated and bulk mail, but have a very low probability of sending spam.
Re: USER_IN_DEF_DKIM_WL -7.5

On 21.09.2014 at 03:44, Nick Edwards wrote:
> Don't pay too much attention to reindl, he is a well known internet troll, and highly abusive to those who disagree with him, he's been kicked off or moderated on so many lists now, most folks have lost count, and most folks ignore him, the stain is best treated as a stain, washed away with good rules :-)

what about just shutting up instead of starting flamewars on every list we both meet, if you have nothing to say?

> On 9/21/14, RW rwmailli...@googlemail.com wrote:
>> On Sat, 20 Sep 2014 15:48:05 +0200 Reindl Harald wrote:
>>> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>>>
>>> that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0
>>
>> Do you have any evidence for it being too much? It seems about right to me.
>>
>> If you have an actual problem I'd suggest you use unwhitelist_from_dkim locally and report the domain so it can be considered for delisting.
>>
>> The dkim default whitelist contains domains that send a lot of autogenerated and bulk mail, but have a very low probability of sending spam.
Re: USER_IN_DEF_DKIM_WL -7.5

and to make clear why Nick Edwards just should shut up:

https://www.mail-archive.com/bind-users@lists.isc.org/msg19672.html

the out-of-context there: there were two *off-list* messages i brought back to the list, *including an answer*, asking why respond in private, and days later Nick was bored and tried a flamewar, as often before on other lists; that happens because this fool filters out my mails and from time to time decides to respond to partial quotes

On 21.09.2014 at 03:46, Reindl Harald wrote:
> On 21.09.2014 at 03:44, Nick Edwards wrote:
>> Don't pay too much attention to reindl, he is a well known internet troll, and highly abusive to those who disagree with him, he's been kicked off or moderated on so many lists now, most folks have lost count, and most folks ignore him, the stain is best treated as a stain, washed away with good rules :-)
>
> what about just shutting up instead of starting flamewars on every list we both meet, if you have nothing to say?
>
>> On 9/21/14, RW rwmailli...@googlemail.com wrote:
>>> On Sat, 20 Sep 2014 15:48:05 +0200 Reindl Harald wrote:
>>>> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>>>>
>>>> that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0
>>>
>>> Do you have any evidence for it being too much? It seems about right to me.
>>>
>>> If you have an actual problem I'd suggest you use unwhitelist_from_dkim locally and report the domain so it can be considered for delisting.
>>>
>>> The dkim default whitelist contains domains that send a lot of autogenerated and bulk mail, but have a very low probability of sending spam.
Re: USER_IN_DEF_DKIM_WL -7.5

On Sun, 21 Sep 2014, Reindl Harald wrote:
> On 21.09.2014 at 03:29, John Hardin wrote:
>> On Sun, 21 Sep 2014, Reindl Harald wrote:
>>> On 20.09.2014 at 23:54, RW wrote:
>>>> On Sat, 20 Sep 2014 15:48:05 +0200 Reindl Harald wrote:
>>>>> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>>>>>
>>>>> that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0
>>>>
>>>> Do you have any evidence for it being too much? It seems about right to me.
>>>>
>>>> If you have an actual problem I'd suggest you use unwhitelist_from_dkim locally and report the domain so it can be considered for delisting.
>>>>
>>>> The dkim default whitelist contains domains that send a lot of autogenerated and bulk mail, but have a very low probability of sending spam.
>>>
>>> how can -7.5 be right? it bypasses unconditionally any bayes, regardless if it is trained with 100, 1000 or 1 messages ham / spam, and that can not be the right thing
>>
>> That's kinda the *point* to a whitelist.
>
> unconditional whitelists are as bad as unconditional blacklists

So you would be okay with the alternative: DKIM-signed legitimate emails from a real bank being rejected as spam because your bayes has been trained with legitimate-looking phishes and thinks they look phishy?

>> Would you care to share the spam that you posted the scores for at the start of this thread? There's not much we can do with just the rules that hit beside post vague guesses. The critical part is: which domain is that whitelisted DKIM signature for?
>
> no message content available - we don't store anything on the gateway
>
> 3 cases with score -5 twice and one time -2
>
>   message-id=@xtinmta4208.xt.local
>   bounce-...@bounce.mail.hotels.com

OK, mail.hotels.com is in the default DKIM whitelist.

I haven't looked through the DKIM whitelist code but I note that def_whitelist_from_dkim supports specification of the domain in the DKIM signature, and the mail.hotels.com entry does not specify the signing domain.

Speculation: I wonder if it's possible that message was a forged hotels.com email signed with DKIM from *another domain* and that's why the default DKIM whitelist rule triggered.

Can someone with more familiarity with the details of DKIM comment on that possibility?

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
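The question raised in the message above, whether a mail whose From: names one domain but whose DKIM signature was produced by another domain would still count as a first-party signature, comes down to an alignment check between the author domain and the signing domain. The SpamAssassin DKIM plugin documentation describes a def_whitelist_from_dkim entry with no signing-domain parameter as matching only an author domain signature, which is also the property the DKIM_VALID_AU rule reports. The following is an added example written for this page, not code from the thread and not SpamAssassin's implementation: it pulls the author domain from From: and the SDID (d=), identity (i=) and selector (s=) from every DKIM-Signature header, then reports whether each signature would be first-party. It does not verify the signature cryptographically (that needs the public key from DNS), so it only says whether a signature that SpamAssassin already reports as valid would be an author domain signature. The alignment rule used (author domain equal to d=, or a subdomain of it) and the two sample messages with example domains and fake b= values are assumptions made for the example.

```python
import re
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed sample messages (example domains, fake signature data). The
# first is signed by the author's own organisation, the second by an unrelated
# sending service, which is the situation asked about above.
FIRST_PARTY_MSG = """\
From: "Example Newsletter" <news@mail.example.com>
To: someone@example.org
Subject: constructed sample, first-party signature
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
  s=sel1; h=from:to:subject; bh=AAAA; i=@mail.example.com;
  b=BBBB
   CCCC

body
"""

THIRD_PARTY_MSG = """\
From: billing@example.com
To: someone@example.org
Subject: constructed sample, third-party signature
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp-mailer.example.net;
  s=k1; h=from:to:subject; bh=AAAA; b=DDDD

body
"""


def parse_header_block(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs for the header block of a raw
    message, joining folded continuation lines; stops at the first blank line."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line.strip() == "":
            break
        if line[0] in " \t" and headers:            # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                                  # not a header line
        headers.append((name.strip().lower(), value.strip()))
    return headers


def dkim_tags(sig_value: str) -> Dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature (RFC 6376 section 3.2).
    Folding whitespace is removed from values; for d=, i= and s= that is exact."""
    tags: Dict[str, str] = {}
    for part in sig_value.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags


def author_domain(from_value: str) -> str:
    """Domain of the address in a From: header, lower-cased."""
    address = parseaddr(from_value)[1]
    return address.rpartition("@")[2].lower().rstrip(".")


def is_author_domain_signature(author_dom: str, sdid: str) -> bool:
    """Alignment test used in this example (an assumption, not SA's code):
    the author domain equals the SDID or is a subdomain of it, so d=example.com
    covers From: news@mail.example.com while an unrelated ESP domain does not."""
    a = author_dom.lower().rstrip(".")
    d = sdid.lower().rstrip(".")
    return bool(a) and bool(d) and (a == d or a.endswith("." + d))


def signature_alignment(raw_message: str) -> List[Dict[str, object]]:
    """One entry per DKIM-Signature header: SDID, identity, selector and
    whether the signature would be a first-party (author domain) signature."""
    headers = parse_header_block(raw_message)
    from_values = [v for n, v in headers if n == "from"]
    author = author_domain(from_values[0]) if from_values else ""
    report: List[Dict[str, object]] = []
    for name, value in headers:
        if name != "dkim-signature":
            continue
        tags = dkim_tags(value)
        sdid = tags.get("d", "")
        report.append({
            "author_domain": author,
            "sdid": sdid,
            "identity": tags.get("i", ""),
            "selector": tags.get("s", ""),
            "first_party": is_author_domain_signature(author, sdid),
        })
    return report


def has_first_party_signature(raw_message: str) -> bool:
    """True if at least one signature is an author domain signature (what a
    DKIM_VALID_AU hit reports, assuming the signature itself verifies)."""
    return any(entry["first_party"] for entry in signature_alignment(raw_message))


if __name__ == "__main__":
    for label, msg in (("first-party", FIRST_PARTY_MSG), ("third-party", THIRD_PARTY_MSG)):
        for entry in signature_alignment(msg):
            print(label, entry)
```

Run against a captured message, a "first_party": False entry for the only valid signature is the situation asked about above; a True entry means the signing domain and the From: domain agree and a forgery would have required the signer's key, not just a look-alike From:.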
Re: USER_IN_DEF_DKIM_WL -7.5

On 21.09.2014 at 04:08, John Hardin wrote:
> On Sun, 21 Sep 2014, Reindl Harald wrote:
>> On 21.09.2014 at 03:29, John Hardin wrote:
>>> On Sun, 21 Sep 2014, Reindl Harald wrote:
>>>> On 20.09.2014 at 23:54, RW wrote:
>>>>> On Sat, 20 Sep 2014 15:48:05 +0200 Reindl Harald wrote:
>>>>>> http://www.antivirushelptool.com/spamassassin/header/USER_IN_DEF_DKIM_WL
>>>>>>
>>>>>> that's too much and gives even a message a negative score on systems where BAYES_99 and BAYES_999 would reach 8.0
>>>>>
>>>>> Do you have any evidence for it being too much? It seems about right to me.
>>>>>
>>>>> If you have an actual problem I'd suggest you use unwhitelist_from_dkim locally and report the domain so it can be considered for delisting.
>>>>>
>>>>> The dkim default whitelist contains domains that send a lot of autogenerated and bulk mail, but have a very low probability of sending spam.
>>>>
>>>> how can -7.5 be right? it bypasses unconditionally any bayes, regardless if it is trained with 100, 1000 or 1 messages ham / spam, and that can not be the right thing
>>>
>>> That's kinda the *point* to a whitelist.
>>
>> unconditional whitelists are as bad as unconditional blacklists
>
> So you would be okay with the alternative: DKIM-signed legitimate emails from a real bank being rejected as spam because your bayes has been trained with legitimate-looking phishes and thinks they look phishy?

no - it's always a tradeoff

i just say -7.5 is too high because it also outbeats any other rules - you need a lot of bad things in a message with -7.5 and also on several whitelists to get a message rejected as FP

>>> Would you care to share the spam that you posted the scores for at the start of this thread? There's not much we can do with just the rules that hit beside post vague guesses. The critical part is: which domain is that whitelisted DKIM signature for?
>>
>> no message content available - we don't store anything on the gateway
>>
>> 3 cases with score -5 twice and one time -2
>>
>>   message-id=@xtinmta4208.xt.local
>>   bounce-...@bounce.mail.hotels.com
>
> OK, mail.hotels.com is in the default DKIM whitelist.
>
> I haven't looked through the DKIM whitelist code but I note that def_whitelist_from_dkim supports specification of the domain in the DKIM signature, and the mail.hotels.com entry does not specify the signing domain.
>
> Speculation: I wonder if it's possible that message was a forged hotels.com email signed with DKIM from *another domain* and that's why the default DKIM whitelist rule triggered.
>
> Can someone with more familiarity with the details of DKIM comment on that possibility?

yes, please

all other def_whitelist_from_dkim hits look sane in the logs and have -10 to -16 scores because no bayes hit and no other tags - only those 3 messages look questionable
Re: USER_IN_DEF_DKIM_WL -7.5

On Sun, 21 Sep 2014, Reindl Harald wrote:
> On 21.09.2014 at 04:08, John Hardin wrote:
>> On Sun, 21 Sep 2014, Reindl Harald wrote:
>>> On 21.09.2014 at 03:29, John Hardin wrote:
>>>> Would you care to share the spam that you posted the scores for at the start of this thread? There's not much we can do with just the rules that hit beside post vague guesses. The critical part is: which domain is that whitelisted DKIM signature for?
>>>
>>> no message content available - we don't store anything on the gateway
>>>
>>> 3 cases with score -5 twice and one time -2
>>>
>>>   message-id=@xtinmta4208.xt.local
>>>   bounce-...@bounce.mail.hotels.com
>>
>> OK, mail.hotels.com is in the default DKIM whitelist.
>>
>> I haven't looked through the DKIM whitelist code but I note that def_whitelist_from_dkim supports specification of the domain in the DKIM signature, and the mail.hotels.com entry does not specify the signing domain.
>>
>> Speculation: I wonder if it's possible that message was a forged hotels.com email signed with DKIM from *another domain* and that's why the default DKIM whitelist rule triggered.
>>
>> Can someone with more familiarity with the details of DKIM comment on that possibility?
>
> yes, please
>
> all other def_whitelist_from_dkim hits look sane in the logs and have -10 to -16 scores because no bayes hit and no other tags - only those 3 messages look questionable

Are all three of those messages related to hotels.com?

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
Re: USER_IN_DEF_DKIM_WL -7.5

On 21.09.2014 at 04:37, John Hardin wrote:
> On Sun, 21 Sep 2014, Reindl Harald wrote:
>> On 21.09.2014 at 04:08, John Hardin wrote:
>>> On Sun, 21 Sep 2014, Reindl Harald wrote:
>>>> On 21.09.2014 at 03:29, John Hardin wrote:
>>>>> Would you care to share the spam that you posted the scores for at the start of this thread? There's not much we can do with just the rules that hit beside post vague guesses. The critical part is: which domain is that whitelisted DKIM signature for?
>>>>
>>>> no message content available - we don't store anything on the gateway
>>>>
>>>> 3 cases with score -5 twice and one time -2
>>>>
>>>>   message-id=@xtinmta4208.xt.local
>>>>   bounce-...@bounce.mail.hotels.com
>>>
>>> OK, mail.hotels.com is in the default DKIM whitelist.
>>>
>>> I haven't looked through the DKIM whitelist code but I note that def_whitelist_from_dkim supports specification of the domain in the DKIM signature, and the mail.hotels.com entry does not specify the signing domain.
>>>
>>> Speculation: I wonder if it's possible that message was a forged hotels.com email signed with DKIM from *another domain* and that's why the default DKIM whitelist rule triggered.
>>>
>>> Can someone with more familiarity with the details of DKIM comment on that possibility?
>>
>> yes, please
>>
>> all other def_whitelist_from_dkim hits look sane in the logs and have -10 to -16 scores because no bayes hit and no other tags - only those 3 messages look questionable
>
> Are all three of those messages related to hotels.com?

yes!

and all 3 have AC_DIV_BONANZA,BAYES_99,BAYES_999 and, besides USER_IN_DEF_DKIM_WL, a lot of other WL tags, which makes them unblockable - the problem with DKIM is that if messages are signed automatically and someone managed to abuse mta2.mail.hotels.com he won the game, because USER_IN_DEF_DKIM_WL and the other whitelistings are assigned to the sending host

that's why i am a little bit suspicious of such high WL scores in general: even if the message triggers a bundle of LOT_OF_MONEY rules and bayes, it can't be blocked because of unconditional reputation

  cat maillog | grep USER_IN_DEF_DKIM_WL | grep AC_DIV_BONANZA,BAYES_99,BAYES_999

  Sep 18 22:07:07 mail-gw spamd[794]: spamd: result: . -5 - AC_DIV_BONANZA,BAYES_99,BAYES_999,CUST_DNSWL_2,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=0.5,size=37869,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=45683,mid=c7226d0b-71f1-4073-916c-3befbe4a2...@xtinmta1203.xt.local,bayes=0.999286,autolearn=disabled
  Sep 20 02:19:31 mail-gw spamd[2292]: spamd: result: . -5 - AC_DIV_BONANZA,BAYES_99,BAYES_999,CUST_DNSWL_2,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=2.2,size=64731,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=52217,mid=85a8a7cc-deb6-417e-a84a-8fc1ae9d5...@xtinmta1203.xt.local,bayes=0.95,autolearn=disabled
  Sep 20 02:19:37 mail-gw spamd[2292]: spamd: result: . -2 - AC_DIV_BONANZA,BAYES_99,BAYES_999,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=5.1,size=63944,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=52219,mid=866eaeb0-d57b-4585-b0d3-c73247fa3...@xtinmta4208.xt.local,bayes=0.999525,autolearn=disabled

  Sep 18 22:07:05 mail-gw postfix/smtpd[2667]: 3hzTjP3cM0z1l: client=mta2.mail.hotels.com[66.231.92.97]
  Sep 18 22:07:05 mail-gw postfix/cleanup[4074]: 3hzTjP3cM0z1l: message-id=c7226d0b-71f1-4073-916c-3befbe4a2...@xtinmta1203.xt.local
  Sep 18 22:07:07 mail-gw postfix/qmgr[2114]: 3hzTjP3cM0z1l: from=bounce-1935712_html-1467588252-20587959-177351-...@bounce.mail.hotels.com, size=37627, nrcpt=1 (queue active)

  Sep 20 02:19:28 mail-gw postfix/smtpd[6121]: 3j0CG819Njz1l: client=mta2.email.hotels.com[66.231.84.80]
  Sep 20 02:19:28 mail-gw postfix/cleanup[12995]: 3j0CG819Njz1l: message-id=85a8a7cc-deb6-417e-a84a-8fc1ae9d5...@xtinmta1203.xt.local
  Sep 20 02:19:31 mail-gw postfix/qmgr[14151]: 3j0CG819Njz1l: from=bounce-1935712_html-1530991121-20588407-177351-...@bounce.mail.hotels.com, size=64489, nrcpt=1 (queue active)

  Sep 20 02:19:30 mail-gw postfix/smtpd[6157]: 3j0CGB4DWBz1y: client=mta2.email.hotels.com[66.231.84.80]
  Sep 20 02:19:31 mail-gw postfix/cleanup[13002]: 3j0CGB4DWBz1y: message-id=866eaeb0-d57b-4585-b0d3-c73247fa3...@xtinmta4208.xt.local
  Sep 20 02:19:37 mail-gw postfix/qmgr[14151]: 3j0CGB4DWBz1y: from=bounce-1935712_html-1531355010-20588407-177351-...@bounce.mail.hotels.com, size=63702, nrcpt=1 (queue active)
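The spamd result lines in the message above, together with the local.cf score overrides posted at the start of the thread, are enough to answer the what-if question the whole thread turns on: how much of the final total is carried by reputation and whitelist rules, and would the message have crossed the 4.5 required_score, or the 8.0 milter-reject threshold Harald mentions, had none of those rules fired. The following is an added example written for this page, not code from the thread or from SpamAssassin. It parses "spamd: result:" lines, picks out the reputation rules by name, subtracts their scores from the logged total and compares the remainder against both thresholds. The score table uses the stock -7.5 for USER_IN_DEF_DKIM_WL that the thread is about plus the other values from the local.cf quoted in the first message (swap in -3.0 to see that override's effect); the scores for RCVD_IN_MSPIKE_*, CUST_DNSWL_2 and the log lines themselves (message-ids and hosts replaced) are constructed for the example. Because spamd logs the total as a rounded integer, the result is accurate to about half a point.

```python
import re
from typing import Dict, List, Optional

# Constructed lines in the format of the spamd "result:" lines quoted in the
# thread (message-ids and hosts replaced); the third line is a non-spamd line
# that the parser must skip. spamd logs the total as a rounded integer.
SAMPLE_LOG = """\
Sep 18 22:07:07 mail-gw spamd[794]: spamd: result: . -5 - AC_DIV_BONANZA,BAYES_99,BAYES_999,CUST_DNSWL_2,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=0.5,size=37869,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=45683,mid=<sample-1@mta.example.net>,bayes=0.999286,autolearn=disabled
Sep 20 02:19:37 mail-gw spamd[2292]: spamd: result: . -2 - AC_DIV_BONANZA,BAYES_99,BAYES_999,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_RP_SAFE,RP_MATCHES_RCVD,SPF_PASS,USER_IN_DEF_DKIM_WL scantime=5.1,size=63944,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=52219,mid=<sample-2@mta.example.net>,bayes=0.999525,autolearn=disabled
Sep 20 02:19:40 mail-gw postfix/smtpd[6157]: 3j0CGB4DWBz1y: client=mta.example.net[192.0.2.10]
"""

# Per-rule scores. The first five are values quoted in this thread (the stock
# -7.5 for USER_IN_DEF_DKIM_WL and the local.cf overrides from the first
# message); the remaining three are assumed placeholders. Copy your own values
# from 50_scores.cf and local.cf before trusting the numbers.
SCORES: Dict[str, float] = {
    "USER_IN_DEF_DKIM_WL": -7.5,
    "SPF_PASS": -0.005,
    "RP_MATCHES_RCVD": -0.5,
    "RCVD_IN_RP_CERTIFIED": -1.0,
    "RCVD_IN_RP_SAFE": -1.0,
    "RCVD_IN_MSPIKE_WL": -1.0,    # assumed
    "RCVD_IN_MSPIKE_H3": -0.01,   # assumed
    "CUST_DNSWL_2": -1.0,         # assumed (site-local rule in the thread's logs)
}

# Name fragments that mark sender-reputation / whitelist rules. Content rules
# (BAYES_*, HTML_*, ...) and authentication results (SPF_PASS, DKIM_VALID*)
# are deliberately left in the total.
REPUTATION_MARKERS = ("_WL", "USER_IN_DEF_", "RCVD_IN_RP_", "RP_MATCHES_RCVD", "DNSWL", "MSPIKE_H")

RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[.Y]) (?P<score>-?\d+) - (?P<rules>[A-Za-z0-9_,]+) (?P<fields>.*)$"
)


def is_reputation_rule(name: str) -> bool:
    return any(marker in name for marker in REPUTATION_MARKERS)


def parse_result_line(line: str) -> Optional[Dict[str, object]]:
    """Extract verdict, rounded total, hit rules, required_score and the bayes
    probability from one spamd result line; None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split(",") if "=" in kv)
    return {
        "verdict": m.group("verdict"),
        "score": int(m.group("score")),
        "rules": m.group("rules").split(","),
        "required": float(fields.get("required_score", "nan")),
        "bayes": float(fields["bayes"]) if "bayes" in fields else None,
        "mid": fields.get("mid", ""),
    }


def without_reputation(line: str, scores: Dict[str, float], reject_at: float = 8.0) -> Optional[Dict[str, object]]:
    """What the total would have been had no reputation/whitelist rule fired,
    and whether that would cross required_score or the reject threshold
    (8.0 here, the milter-reject value mentioned in the thread)."""
    parsed = parse_result_line(line)
    if parsed is None:
        return None
    hits = [r for r in parsed["rules"] if is_reputation_rule(r)]
    unscored = [r for r in hits if r not in scores]          # still need a score
    rep_sum = round(sum(scores[r] for r in hits if r in scores), 3)
    adjusted = round(parsed["score"] - rep_sum, 3)
    parsed.update({
        "reputation_hits": hits,
        "unscored": unscored,
        "reputation_sum": rep_sum,
        "score_without_reputation": adjusted,
        "tagged_without_reputation": adjusted >= parsed["required"],
        "rejected_without_reputation": adjusted >= reject_at,
    })
    return parsed


def analyse_log(text: str, scores: Dict[str, float] = SCORES) -> List[Dict[str, object]]:
    """Run without_reputation over every spamd result line in a log excerpt."""
    results: List[Dict[str, object]] = []
    for line in text.splitlines():
        r = without_reputation(line, scores)
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for r in analyse_log(SAMPLE_LOG):
        print(f"{r['mid']}: logged {r['score']:+d}, reputation rules {r['reputation_sum']:+.3f} "
              f"({', '.join(r['reputation_hits'])}), without them {r['score_without_reputation']:+.2f}; "
              f"tag={r['tagged_without_reputation']} reject={r['rejected_without_reputation']} "
              f"unscored={r['unscored']}")
```

With the stock -7.5 the two sample lines come out at about +7.0 once the reputation rules are removed: above the 4.5 tagging threshold but below the 8.0 reject threshold, which is the same arithmetic Harald does by hand ("-2 + 7.5 would have been 5.5") applied to every line of a log. Any rule listed under "unscored" is one whose score you still have to add to the table before the figure is meaningful.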