https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7888
--- Comment #8 from Byron Kleingeld <by...@zoomedia.co.za> ---
(In reply to John Hardin from comment #7)
> (In reply to Byron Kleingeld from comment #4)
> > (In reply to Giovanni Bechis from comment #3)
> > > For the records:
> > > I told him to ask on users@ or post here because it could be a bug in our
> > > rules.
> >
> > I have asked on both so far
>
> I have seen no posts regarding this on the SpamAssassin Users mailing list,
> so I'll respond here.
>
> (In reply to RW from comment #5)
> > 3 points does seem a bit extreme for a tracker.
>
> That's based on such headers appearing in very little ham in our corpus. If
> the bulk mailer doing this was a widely-used legitimate service I'd expect
> to see more hammy instances of it. The scored rule does have exclusions for
> signs in the ham we do have, and is not hitting any ham, and hits on
> otherwise-very-low-scoring spam, so the rule's score is fairly high. It's
> not, however, a poison pill.
>
> > the software doesn't randomize any of the marketing headers for the
> > campaigns sent with it
>
> Such headers were fairly prevalent in a recent forged-sender-backscatter
> spam campaign that impacted one of my domains. Across spams from different
> sources, the headers *were* (apparently) random. That is historically the
> kind of tactic used by spammers to avoid static pattern and checksum
> detection tools and to pollute spam signature databases, and does not come
> across as something a legitimate mass mailer would do.
>
> X-Cjqp-Delivery-Sid: 1
> X-Dsyh-Delivery-Sid: 1
> X-Etxr-Delivery-Sid: 1
> X-Fxyn-Delivery-Sid: 1
> X-Hqve-Delivery-Sid: 85
> X-Kqoy-Delivery-Sid: 1
> X-Lkcl-Delivery-Sid: 1
> X-Lonj-Delivery-Sid: 6
> X-Mw-Delivery-Sid: 18
> X-Mw-Delivery-Sid: 2
> X-Mw-Delivery-Sid: 37
> X-Mw-Delivery-Sid: 4
> X-Mw-Delivery-Sid: 698
> X-toys-en-Delivery-Sid: 41
> X-Vtaf-Delivery-Sid: 2
> X-Zvjg-Delivery-Sid: 23
>
> They may instead be something like a key for the bulk service client's
> account. If so, they chose a poor way to do it.
>
> So part of the answer is: Byron, you're apparently using a bulk mailer
> service that is being actively abused by spammers, and that's having a
> negative impact on the reputation of your legitimate email. Work with your
> provider on that part of the problem.
>
> > Just getting hit hard by that one rule.
>
> I have reduced the score limit to 2 points, and added some further
> exclusions to the scored rule (which may not help in your case, it doesn't
> look like you are doing any of the "hammy" things our ham samples do). These
> changes will probably take overnight to take effect.

I appreciate the response. I might have fudged up the sending to the mailing list; I'm not often exposed to fancy systems such as that.

In the case of the mailing provider, that would be the company I work for. I assume the bulk mailing software we're using (albeit heavily modified from the original base software) could potentially be used for illicit mailing. I had manually removed those headers from the mailer code, but I am worried if there are other parts of the software that might use those headers, like bounce handling and box monitoring. Regardless, knowing how the rules work now, I can, if all else fails, attempt to modify how those aspects of the software work and try to get around the rules getting our mails falsely flagged. It's a shame though, this software is pretty damn good at what it does, but I can absolutely see it being abused due to its low upfront cost.

--
You are receiving this mail because:
You are the assignee for the bug.
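
The signal described in comment #7, a tracker header whose name prefix changes from message to message, can be measured over a mail corpus as in the following added example. It is not SpamAssassin's rule and not code from anyone in this thread; the function names, the thresholds, the two-component suffix and the reading of the quoted list as one header per message are assumptions.

```python
from collections import Counter, defaultdict

# Header lines quoted in comment #7, treated as one header per message (assumption).
CAMPAIGN = """\
X-Cjqp-Delivery-Sid: 1
X-Dsyh-Delivery-Sid: 1
X-Etxr-Delivery-Sid: 1
X-Fxyn-Delivery-Sid: 1
X-Hqve-Delivery-Sid: 85
X-Kqoy-Delivery-Sid: 1
X-Lkcl-Delivery-Sid: 1
X-Lonj-Delivery-Sid: 6
X-Mw-Delivery-Sid: 18
X-Mw-Delivery-Sid: 2
X-Mw-Delivery-Sid: 37
X-Mw-Delivery-Sid: 4
X-Mw-Delivery-Sid: 698
X-toys-en-Delivery-Sid: 41
X-Vtaf-Delivery-Sid: 2
X-Zvjg-Delivery-Sid: 23
""".splitlines()

# Constructed comparison: a sender whose software keeps one fixed prefix.
FIXED = ["X-Mw-Delivery-Sid: %d" % n for n in (2, 4, 18, 37, 698)]

def split_name(line, suffix_parts=2):
    """Split 'X-<prefix>-<suffix>: value' into (prefix, suffix), else None."""
    parts = line.split(":", 1)[0].strip().split("-")
    if parts[0].lower() != "x" or len(parts) < suffix_parts + 2:
        return None  # not an X- header, or no room for a prefix
    prefix = "-".join(parts[1:-suffix_parts]).lower()
    suffix = "-".join(parts[-suffix_parts:]).lower()
    return prefix, suffix

def variable_prefix_suffixes(lines, min_messages=5, min_ratio=0.5):
    """Return {suffix: (distinct_prefixes, messages)} where the prefix varies."""
    by_suffix = defaultdict(Counter)
    for line in lines:
        parsed = split_name(line)
        if parsed:
            by_suffix[parsed[1]][parsed[0]] += 1
    flagged = {}
    for suffix, prefixes in by_suffix.items():
        total = sum(prefixes.values())
        # A stable mailer gives ~1 distinct prefix; randomisation gives many.
        if total >= min_messages and len(prefixes) / total >= min_ratio:
            flagged[suffix] = (len(prefixes), total)
    return flagged
```

The quoted campaign headers yield 12 distinct prefixes across 16 messages, while the fixed-prefix sender yields one and is not flagged.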