remove_header not working?
Dear all,

I'd like to remove the X-Spam-Report header for mails in case of ham therefore I added

    remove_header ham Report

to my local.cf

But still ham messages have the X-Spam-Report header?! What am I doing wrong?

SpamAssassin Server version 3.4.0
  running on Perl 5.10.0
  with SSL support (IO::Socket::SSL 1.38)
  with zlib support (Compress::Zlib 2.064)

Thanks in advance
Wolfgang

-- - Wolfgang Fürtbauer Tel:+43 7612 77620 Steinbichlstrasse 58d Mobil: +43 664 8332326 4812 Pinsdorf E-Mail: w.fuertba...@gmx.at Austria
Re: remove_header not working?
On 08/29/2014 10:29 AM, Fürtbauer Wolfgang wrote: Dear all, I'd like to remove the X-Spam-Report header for mails in case of ham therefore I added remove_header ham Report to my local.cf But still ham messages have the X-Spam-Report header?! What am I doing wrong? SpamAssassin Server version 3.4.0 running on Perl 5.10.0 with SSL support (IO::Socket::SSL 1.38) with zlib support (Compress::Zlib 2.064) iirc, remove_header removes headers added by a previous SA instance (sender's, for example) What exactly are you trying to achieve? What other add_header lines do you have in local.cf? what glue are you using to interface your MTA with SA?
Re: remove_header not working?
Hi,

I'm trying to remove my own X-Spam-Report for ham mails leaving my organisation in order not to bother the other party. I had several mails returned because of the X-Spam-Reports

snip
Improper folded header field made up entirely of whitespace (char 20 hex): X-Spam-Report: ... postmaster for details.\n \n Content previ[...]
snap

my only add_header line is:

    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_ version=_VERSION_

glue is spamd called from exim

BR
Wolfgang

On 29.08.2014 10:48, Axb wrote:

On 08/29/2014 10:29 AM, Fürtbauer Wolfgang wrote:

Dear all, I'd like to remove the X-Spam-Report header for mails in case of ham therefore I added remove_header ham Report to my local.cf But still ham messages have the X-Spam-Report header?! What am I doing wrong? SpamAssassin Server version 3.4.0 running on Perl 5.10.0 with SSL support (IO::Socket::SSL 1.38) with zlib support (Compress::Zlib 2.064)

iirc, remove_header removes headers added by a previous SA instance (sender's, for example)

What exactly are you trying to achieve? What other add_header lines do you have in local.cf? what glue are you using to interface your MTA with SA?

-- - Wolfgang Fürtbauer Tel:+43 7612 77620 Steinbichlstrasse 58d Mobil: +43 664 8332326 4812 Pinsdorf E-Mail: w.fuertba...@gmx.at Austria
Re: How to report spam to mailspike
On 28.08.2014 at 11:20, Reindl Harald wrote:

On 28.08.2014 at 11:11, Marcin Mirosław wrote:

I've noticed growing volume of emails listed by mailspike. Usually it's spam listed as good reputation. On his webpage I can see only page http://mailspike.org/contact.html , they want to fill many personal information, I don't want to send it to them and I don't want to lie

i would say that's one part why they are somehow trustable because require that personal information makes a little barrier (you have proven) that any random guy with one single and maybe careless click can have impact in both directions (maybe bad - intentionally or unintentionally)

So what should I do in your opinion? I'm getting spam to my private spamtrap so I can't fill fields about company - it doesn't matter where I'm hired for reporting spam. What if I would be unemployed? Then I would have to lie about company? IMHO it is the way to hinder sending complaints from users.

Regards,
Marcin
Re: Give a penalty to messages with non latin UTF-8 characters?
Hi, On 08/25/2014 05:17 PM, Michael Opdenacker wrote: Is there a simple way to give a penalty to messages containing non latin UTF-8 characters? I'm asking because we are receiving quite a lot of Chinese junk mail with subjects in Chinese (or more generally non-latin) characters, but: - The body is too short for 'ok_languages' to detect and discard the unwanted language. - The charset is UTF-8, and therefore 'ok_locales en' doesn't mind. - I shouldn't blacklist domains such as @163.com (a major source of spam) because there is legitimate traffic coming from this domain, for example e-mails sent to the LKML, which most of us subscribe to. I'm seeing fairly elaborate solutions on the net, but it surprises me that an apparently simple problem doesn't have a simple solution yet. I find it hard to believe I'm the only one getting spam in Chinese characters ;) How do you guys handle this kind of spam? For the moment, I blacklisted the 163 dot com and 126 dot com domains, without feeling too much guilt. It's not a perfect solution though, as I'm excluding a few posters on the LKML (for example). Michael. -- Michael Opdenacker, CEO, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com +33 484 258 098
Re: remove_header not working?
please keep list mail on the list.

Those reports are added by Exim's interface which does not seem to respect the local.cf directives. Maybe some Exim user can help you further, either on the SA or if not on the Exim list.

Sorry, can't help further...

On 08/29/2014 11:29 AM, Fürtbauer Wolfgang wrote:

unfortunately not, X-Spam-Reports are still there

I added these lines on the senders side (hostname hausmeister) .. receiver is aohsupport01

snip

X-Spam-Report: Spam detection software, running on the system hausmeister.intern.luisesteiner.at, has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see postmaster for details.
  Content preview: Forwarded message Date: Tue, 26 Aug 2014 13:32:23 +0200 (CEST) From: Wolfgang Fürtbauer wolfg...@luisesteiner.at To: wolfgang Fuertbauer wolfg...@luisesteiner.at Subject: tewst (fwd) [...]
  Content analysis details: (-221.0 points, 5.0 required)
   pts  rule name          description
   --   --
   -100 USER_IN_WHITELIST  From: address is in the user's white-list
   -1.0 ALL_TRUSTED        Passed through trusted hosts only via SMTP
   -100 SHORTCIRCUIT       Not all rules were run, due to a shortcircuited rule
   -20  SC_HAM             No description available.
...
X-Spam-Report: Software zur Erkennung von Spam auf dem Rechner aohsupport02.asamer.holding.ah hat die eingegangene E-mail als mögliche Spam-Nachricht identifiziert. Die ursprüngliche Nachricht wurde an diesen Bericht angehängt, so dass Sie sie anschauen können (falls es doch eine legitime E-Mail ist) oder ähnliche unerwünschte Nachrichten in Zukunft markieren können. Bei Fragen zu diesem Vorgang wenden Sie sich bitte an postmaster
  Vorschau: Forwarded message Date: Tue, 26 Aug 2014 13:32:23 +0200 (CEST) From: Wolfgang Fürtbauer wolfg...@luisesteiner.at To: wolfgang Fuertbauer wolfg...@luisesteiner.at Subject: tewst (fwd) [...]
  Inhaltsanalyse im Detail: (-1.1 Punkte, 5.0 benötigt)
   Pkte Regelname  Beschreibung
   --   --
   -0.0 SPF_PASS   SPF: Senderechner entspricht SPF-Datensatz
   -1.9 BAYES_00   BODY: Spamwahrscheinlichkeit nach Bayes-Test: 0-1% [score: 0.]
   0.8  RDNS_NONE  Delivered to internal network by a host with no rDNS

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools.

On 29.08.2014 11:08, Axb wrote:

On 08/29/2014 11:00 AM, Fürtbauer Wolfgang wrote:

Hi, I'm trying to remove my own X-Spam-Report for ham mails leaving my organisation in order not to bother the other party. I had several mails returned because of the X-Spam-Reports

snip
Improper folded header field made up entirely of whitespace (char 20 hex): X-Spam-Report: ... postmaster for details.\n \n Content previ[...]
snap

my only add_header line is:

    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_ version=_VERSION_

glue is spamd called from exim

remove your

    remove_header ham Report

try this in local.cf

    report_safe 0
    clear_headers
    add_header spam Flag _YESNOCAPS_
    # This should be in one line
    add_header spam Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    add_header spam Level _STARS(*)_
    add_header spam Report _REPORT_

this should prevent adding those SA headers to msgs below threshold
Advice on how to block via a mail domain in maillog
I have a lot of Spam getting into our mail servers where the common thread is cloudapp /root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl: qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225 comp...@franking-expert.co.uk u...@domain.com Saving_by_Switching 3442703078ef969a9f97133682d9e...@expert.cloudapp.net 1409137091.12021-1.plesk3.hostname.co.uk:3019 1409137091.12021-0.plesk3.emailitis.co.uk:1263 orig-plesk3.hostname.co.uk140913709079712013:6225 And the hyperlinks in the emails are http://expert.cloudapp.net/. Please could you advise on how I can block by the information on the maillog on that, or using a rule which checks the URL to include the above thread? Many thanks in advance for any help, Christoph
Re: no subject tagging in case of X-Spam-Status: Yes
Am 29.08.2014 um 04:03 schrieb Karsten Bräckelmann: On Fri, 2014-08-29 at 02:15 +0200, Reindl Harald wrote: look at the attached zp-archive and both messages produced with the same content before you pretend others lying damned - to make it easier i even added a config-diff But no message diff. ;) and now what? maybe you should accept that even new users are no idiots and know what they are talking about Please accept my apologies. It appears something else is going on here, and you in fact did not lie. accepted I'd like to add, though, that I do *not* assume new users to be idiots. Plus, I generally spend quite some time on helping others fixing their problems, including new users, as you certainly have noticed. that's why i was really angry because from the other guy which told me multiple times that i should go to the sa-milter list and refered to 8 years old howtos which are wrong and outdated i had expetced that, not from you which was the first constructive my only intention to reply again to that thread was hey, i found it by myself and if someone else has the same problem now he finds a soultion froma recent year Now, moving forward: I've had a look at the message diffs. Quite interesting, and I honestly want to figure out what's happening. 
it looks really like spamass-milter is responsible in the second version below it whines it can't extract the score to decide if it's above reject and so it really looks like the milter heavily relies on headers found that out much later last night by plaing with headers in general spamass-milter[14891]: Could not extract score from Yes: Score=5.7, Tag-Level=5.0, Block-Level=10 add_header all Status _YESNO_, score=_SCORE_, tag-level=_REQD_, block-level=10 add_header all Status _YESNO_, Score=_SCORE_, Tag-Level=_REQD_, Block-Level=10 First of all, minus all those different datetime strings, IDs and ordering, the real differences are -Subject: [SPAM] Test^M -X-Spam-Flag: Yes^M +Subject: Test^M So it appears that only the sample with add_header spam Flag has the Subject re-written. correct However, there's something else going on. When re-writing the Subject header, SA adds an X-Spam-Prev-Subject header with the original. Which is clearly missing. the version is killed in smtp_header_checks which is also the reason that i started to play around with headers nobody but me has a reason to know exact versions of running software Thus, something else has a severe impact on which headers are added or modified. In *both* cases, there is at least one SA generated header missing and/or SA modified header not preserved. /^X-Spam-Checker-Version/ IGNORE Definitely involved: Postfix, spamass-milter, SA. And probably some other tool rewriting the message / reflowing headers, as per some previous posts (and the X-Spam-Report header majorly inconvenienced by re-flowing headers). the re-flowing is pretty sure DBMail or more like the gmime library used for split and reconstruct messages in their mime parts to store them seperated and de-duplicated in the database - that's valid and per RFC OK but not nice to read :-) Regarding SA and the features in question: There is no different behavior between calling the plain spamassassin script and using spamc/d. 
There is absolutely nothing in SA itself that could explain the discrepancy in Subject rewriting, nor the missing X-Spam-Prev-Subject header. as said: pretty sure the milter, but i am happy that it works now My best bet would be on the SA invoking glue, not accepting or overwriting headers as received by SA. Which tool that actually is, I don't know. But I'd be interested to hear about it, if you find out. (The additional empty line between message headers and body in the case without X-Spam-Flag header most likely is just copy-n-paste body. Or possibly another artifact of some tool munging messages.) signature.asc Description: OpenPGP digital signature
Re: no subject tagging in case of X-Spam-Status: Yes
Am 29.08.2014 um 04:26 schrieb Karsten Bräckelmann: On Fri, 2014-08-29 at 02:15 +0200, Reindl Harald wrote: look at the attached zp-archive [...] Since I already had a closer look at the contents including your local cf, and I am here to offer help and didn't mean no harm, some comments regarding the SA config. thanks # resolves a bug with milter always triggering a wrong informational header score UNPARSEABLE_RELAY 0 See the RH bug you filed and its upstream report. Do you still need that? This would be the first instance of continued triggering of that test I ever encountered. well, since there was no software update in the meantime i fear yes, however it don't harm # disable most builtin DNSBL/DNSWL to not collide with webinterface settings score __RCVD_IN_SORBS 0 score __RCVD_IN_ZEN 0 score __RCVD_IN_DNSWL 0 Rules starting with double-underline are non-scoring sub-rules. Assigning a zero score doesn't disable them like it does with regular rules. In the case of RBL sub-rules like the above, it does not prevent DNS queries. It is better to meta __FOO 0 overwrite the sub-rule, rather than set a score that doesn't exist. thanks for the information, i will change that i verfified that it does *really* skip all of them because as i had only all sub-rules listed it still fired the request # unconditional sender whitelists whitelist_from *@apache.org whitelist_from *@bipa.co.at whitelist_from *@centos.org whitelist_from *@dovecot.org [...] uhm i am not terrible happy to not have stripped that block from the config :-( Unconditional whitelisting generally is a bad idea and might appear in forged addresses. 
i know - i would love the same logic for senders as for MORE_SPAM_TO and ALL_SPAM_TO to and at the end even combine it From/To for mailing-lists you need a big hammer to be present if URIs are blacklisted or in case of security discussions refer to exploits which is not possible on the device i am about to replace which leads anytime something is on the zero-hour-intent-list appears in a message to override whitelists - like the name of the SA config file if some client wraps it in link headers something like that would be me final goal from s...@a.tld to s...@b.tld -100 from @a.tld to s...@b.tld -20 from @a.tld to s...@b.tld -2 which would give a way to implement dropdowns in the admin backend for different trust levels without need to know the underlying scores which could be adjusted transparent since it may make sense to do so in the context of tag-score/block-score in general after going online and analyze things my intention will be no whitelists at all active but only after some time where i can make sure from logs there are no false positives which are more bad than slipped spam but have known working options if needed If possible, it is strongly suggested to use whitelist_from_auth, or at least whitelist_from_rcvd (which requires *_networks be set correctly) oh - fine, that pretty easy, the config is generated from a webUI based script - the networks are correct now, that was only a temporary thing in the other thread to study behavior with hand-written craft before write backends and find out that i can't implement it later as expected whitelist_from_rcvd i already had in mind, but since only my personal domain is live i rely at forging by myself for testing things out signature.asc Description: OpenPGP digital signature
Re: Advice on how to block via a mail domain in maillog
On 8/29/2014 5:48 AM, emailitis.com wrote: I have a lot of Spam getting into our mail servers where the common thread is cloudapp /root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl: qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225 comp...@franking-expert.co.uk u...@domain.com Saving_by_Switching 3442703078ef969a9f97133682d9e3f1@*expert.cloudapp.net* 1409137091.12021-1.plesk3.hostname.co.uk:3019 1409137091.12021-0.plesk3.emailitis.co.uk:1263 orig-plesk3.hostname.co.uk140913709079712013:6225 And the hyperlinks in the emails are http://expert.cloudapp.net/. Please could you advise on how I can block by the information on the maillog on that, or using a rule which checks the URL to include the above thread? Many thanks in advance for any help, Christoph Christoph, There is a new feature in trunk that I believe will help you easily called URILocalBL.pm See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060 Philip, your thoughts? Regards, KAM
Re: Advice on how to block via a mail domain in maillog
On 08/29/2014 02:45 PM, Kevin A. McGrail wrote:

On 8/29/2014 5:48 AM, emailitis.com wrote:

I have a lot of Spam getting into our mail servers where the common thread is cloudapp

/root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl: qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225 comp...@franking-expert.co.uk u...@domain.com Saving_by_Switching 3442703078ef969a9f97133682d9e3f1@*expert.cloudapp.net* 1409137091.12021-1.plesk3.hostname.co.uk:3019 1409137091.12021-0.plesk3.emailitis.co.uk:1263 orig-plesk3.hostname.co.uk140913709079712013:6225

And the hyperlinks in the emails are http://expert.cloudapp.net/.

Please could you advise on how I can block by the information on the maillog on that, or using a rule which checks the URL to include the above thread?

Many thanks in advance for any help,
Christoph

Christoph, There is a new feature in trunk that I believe will help you easily called URILocalBL.pm

or with SA 3.4

    blacklist_uri_host expert.cloudapp.net

or if you want it wider

    blacklist_uri_host cloudapp.net

can't be easier than that.
Add spamassassin triggered rules in logs when email is blocked
Hello, I'm using amavisd-new-2.9.1 and SpamAssassin v3.3.1. I would like to know if it's possible to add Spamassassin triggered rules when an email is blocked because I discard the email when it's spam and I want to know why it's blocked (which rules). For now I only have the score (hits) in maillog: Aug 24 04:04:36 relais amavis[3475]: (03475-08) Blocked SPAM {DiscardedInternal}, MYNETS LOCAL [205.0.0.0]:54459 [205.0.0.0] bluew...@zzz.zzz.ca - z...@zzz.ca, Message-ID: e1xlsmo-0002nt...@zz.zz.ca, mail_id: 4RZ-Vm0_iZmi, Hits: 13.573, size: 4269, 10089 ms I would like to add in logs for example: DATE_IN_FUTURE_06_12=0.001, DCC_CHECK=4, SPF_PASS=-0.001,TVD_SPACE_RATIO=0.001 Is that possible? Karl
Re: Advice on how to block via a mail domain in maillog
On Aug 29, 2014, at 6:45 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:

On 8/29/2014 5:48 AM, emailitis.com wrote:

I have a lot of Spam getting into our mail servers where the common thread is cloudapp

/root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl: qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225 comp...@franking-expert.co.uk user@domain.com Saving_by_Switching 3442703078ef969a9f97133682d9e...@expert.cloudapp.net 1409137091.12021-1.plesk3.hostname.co.uk:3019 1409137091.12021-0.plesk3.emailitis.co.uk:1263 orig-plesk3.hostname.co.uk140913709079712013:6225

And the hyperlinks in the emails are http://expert.cloudapp.net/.

Please could you advise on how I can block by the information on the maillog on that, or using a rule which checks the URL to include the above thread?

Many thanks in advance for any help,
Christoph

Christoph, There is a new feature in trunk that I believe will help you easily called URILocalBL.pm

See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060

Philip, your thoughts?

Regards,
KAM

That should do it. There’s a configuration example in the bug, and POD documentation in the plugin, but in this particular case you’d do something like:

    uri_block_cidr L_BLOCK_CLOUDAPP 191.237.208.246
    body L_BLOCK_CLOUDAPP eval:check_uri_local_bl()
    describe L_BLOCK_CLOUDAPP Block URI’s pointing to expert.cloudapp.net
    score L_BLOCK_CLOUDAPP 5.0

You should be able to drop in the patch fairly easily.

-Philip
Re: Add spamassassin triggered rules in logs when email is blocked
On Fri, 2014-08-29 at 11:27 -0400, Karl Johnson wrote: I'm using amavisd-new-2.9.1 and SpamAssassin v3.3.1. I would like to know if it's possible to add Spamassassin triggered rules when an email is blocked because I discard the email when it's spam and I want to know why it's blocked (which rules). Wrong place, that is an Amavis question. SA does not reject, discard or otherwise block mail. Amavis does, based on the SA score. For now I only have the score (hits) in maillog: Aug 24 04:04:36 relais amavis[3475]: (03475-08) Blocked SPAM {DiscardedInternal}, MYNETS LOCAL [205.0.0.0]:54459 [205.0.0.0] bluew...@zzz.zzz.ca - z...@zzz.ca, Message-ID: e1xlsmo-0002nt...@zz.zz.ca, mail_id: 4RZ-Vm0_iZmi, Hits: 13.573, size: 4269, 10089 ms That log line is generated by Amavis. SA has no control of its contents. I would like to add in logs for example: DATE_IN_FUTURE_06_12=0.001, DCC_CHECK=4, SPF_PASS=-0.001,TVD_SPACE_RATIO=0.001 Is that possible? -- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Advice on how to block via a mail domain in maillog
On Fri, 2014-08-29 at 12:43 -0600, Philip Prindeville wrote:

On Aug 29, 2014, at 6:45 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:

On 8/29/2014 5:48 AM, emailitis.com wrote:

I have a lot of Spam getting into our mail servers where the common thread is cloudapp

You guys realize cloudapp.net is Microsoft Azure, don't you?

And the hyperlinks in the emails are http://expert.cloudapp.net/. Please could you advise on how I can block by the information on the maillog on that, or using a rule which checks the URL to include the above thread?

SA does not block.

There is a new feature in trunk that I believe will help you easily called URILocalBL.pm

That should do it. There’s a configuration example in the bug, and POD documentation in the plugin, but in this particular case you’d do something like:

    uri_block_cidr L_BLOCK_CLOUDAPP 191.237.208.246
    body L_BLOCK_CLOUDAPP eval:check_uri_local_bl()

That seem an overly complicated variant of a simple uri regex rule. And it really depends on the IP to match a URI? And manual looking it up?

    uri URI_EXPERT_CLOUDAPP m~^https?://expert\.cloudapp\.net$~

    describe L_BLOCK_CLOUDAPP Block URI’s pointing to expert.cloudapp.net
    score L_BLOCK_CLOUDAPP 5.0

SA does not block. *sigh*

-- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Add spamassassin triggered rules in logs when email is blocked
On Fri, Aug 29, 2014 at 3:11 PM, Karsten Bräckelmann guent...@rudersport.de wrote:

On Fri, 2014-08-29 at 11:27 -0400, Karl Johnson wrote:

I'm using amavisd-new-2.9.1 and SpamAssassin v3.3.1. I would like to know if it's possible to add Spamassassin triggered rules when an email is blocked because I discard the email when it's spam and I want to know why it's blocked (which rules).

Wrong place, that is an Amavis question. SA does not reject, discard or otherwise block mail. Amavis does, based on the SA score.

Yes but I thought a lot of people are probably using SA with Amavis here so I asked.

I found the answer if other people are also looking for it: Add [? %#T ||, Tests: \[[%T|,]\]]#' in the log template.

Karl
Re: remove_header not working?
On Fri, 2014-08-29 at 11:46 +0200, Axb wrote: Those reports are added by Exim's interface which does not seem to respect the local.cf directives. Exim accessing SA template tags? On 08/29/2014 11:29 AM, Fürtbauer Wolfgang wrote: unfortunatelly not, X-Spam-Reports are still there If the option report_safe 0 is set, SA automatically adds a Report header, though only to spam. Equivalent add_header spam Report _REPORT_ The following is not only added to ham, but its contents are not the _REPORT_ template tag but resemble the default report template, the body text used for spam with report_safe 1. There is no template tag to access the report template. Thus, this header must be defined somewhere in the configuration, complete with all that text, embedded \n newlines and _PREVIEW_ and _SUMMARY_ template tags. X-Spam-Report: Spam detection software, running on the system hausmeister.intern.luisesteiner.at, has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see postmaster for details. Content preview: [...] Content analysis details: (-221.0 points, 5.0 required) pts rule name description -- -- -100 USER_IN_WHITELIST From: address is in the user's white-list X-Spam-Report: Software zur Erkennung von Spam auf dem Rechner aohsupport02.asamer.holding.ah Are there really *two* X-Spam-Report headers? Also, why is this one in German? SA doesn't mix languages during a single run. Why do the hostnames differ? And, well, which hostmaster fat-fingered that ccTLD? -- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
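Added example, not part of the thread and not code from SpamAssassin or Exim: a check for the condition behind the bounce quoted earlier in this thread ("Improper folded header field made up entirely of whitespace"). RFC 5322 does not allow a generator to fold a header field so that one of its lines contains only spaces or tabs. The function names and the sample message are constructed for illustration; the sample is an abridged X-Spam-Report in the shape shown above.

```python
import re

WSP_ONLY = re.compile(r"[ \t]+")

# Constructed sample: an abridged report header whose embedded "\n \n"
# produced a continuation line holding a single space (line 4).
SAMPLE = (
    "Subject: tewst (fwd)\r\n"
    "X-Spam-Report: Spam detection software has NOT identified this\r\n"
    "\temail as spam. If you have any questions, see postmaster for details.\r\n"
    " \r\n"
    "\tContent preview: [...]\r\n"
    "X-Spam-Status: No, score=-221.0 required=5.0\r\n"
    "\r\n"
    "body line\r\n"
    " \r\n"
)


def blank_folds(raw: str):
    """Return (field name, 1-based line number) for every continuation
    line in the header block that consists only of spaces or tabs."""
    hits, current = [], None
    for lineno, line in enumerate(raw.split("\n"), start=1):
        content = line.rstrip("\r")
        if content == "":
            break  # empty line: end of the header block
        if content[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any header field")
            if WSP_ONLY.fullmatch(content):
                hits.append((current, lineno))
        else:
            name, sep, _ = content.partition(":")
            if not sep:
                raise ValueError(f"line {lineno} is not a header field")
            current = name
    return hits


def drop_blank_folds(raw: str) -> str:
    """Remove whitespace-only continuation lines from the header block.
    Every other line, including the body, is kept unchanged."""
    kept, in_headers = [], True
    for part in raw.split("\n"):
        content = part.rstrip("\r")
        if in_headers and content == "":
            in_headers = False
        elif in_headers and WSP_ONLY.fullmatch(content):
            continue
        kept.append(part)
    return "\n".join(kept)


if __name__ == "__main__":
    print(blank_folds(SAMPLE))
    print(blank_folds(drop_blank_folds(SAMPLE)))
```

Running such a check on outbound mail at the relay shows which header field carries the bad fold before a strict receiver bounces the message.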
Re: Spam info headers
On Fri, 2014-08-29 at 00:30 -0400, Alex wrote: Regarding report_safe, the docs say it can only be applied to spam. Is that correct? Yes, it only applies to spam. It defines whether classified spam will be attached to a newly generated reporting message, or only modified by adding some X-Spam headers. Ham will never get wrapped in another message by SA... -- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: How to report spam to mailspike
On 2014-08-29 02:38, Marcin Mirosław wrote: So what should I do in your opinion? I'm getting spam to my private spamtrap so I can't fill fields about company - it doesn't matter where I'm hired for reporting spam. What if I would be unemployed? Then I would have to lie about company? IMHO it is the way to hinder sending complaints from users. If you're not willing to provide the information they request, and they won't accept an inquiry without it, then you're left with a different choice: 1) Do nothing, 2) Cease using the service. From their perspective, either the policy will increase the quality of reports they get by reducing the noise, allowing them to focus on real queries, and ultimately increasing the quality of the list, or it will discourage people from reporting, decreasing the quality of the list, resulting in less users and less relevance. They've made their choice, now you get to make yours. Personally, I'm quite pleased with their performance, and I have no problem identifying myself when I contact a company. If I'm acting on my own behalf, I'd put Personal or None or N/A into a form, and if it's not accepted, oh well. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren
Re: Give a penalty to messages with non latin UTF-8 characters?
On 2014-08-29 02:41, Michael Opdenacker wrote: I find it hard to believe I'm the only one getting spam in Chinese characters;) I get a fair amount in my spamtraps, but only because my trap addresses are very permissive. None of it would have been accepted for normal delivery. -- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren
Re: no subject tagging in case of X-Spam-Status: Yes
On Fri, 2014-08-29 at 12:02 +0200, Reindl Harald wrote: Am 29.08.2014 um 04:03 schrieb Karsten Bräckelmann: Now, moving forward: I've had a look at the message diffs. Quite interesting, and I honestly want to figure out what's happening. it looks really like spamass-milter is responsible in the second version below it whines it can't extract the score to decide if it's above reject and so it really looks like the milter heavily relies on headers Yay for case in-sensitive parsing... found that out much later last night by plaing with headers in general spamass-milter[14891]: Could not extract score from Yes: Score=5.7, Tag-Level=5.0, Block-Level=10 add_header all Status _YESNO_, score=_SCORE_, tag-level=_REQD_, block-level=10 add_header all Status _YESNO_, Score=_SCORE_, Tag-Level=_REQD_, Block-Level=10 If you use the SA default Status header, or at least the prefix containing score and required, is header rewriting retained by the milter without the Flag header? add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ ... Given that log line, a likely explanation simply is that the milter needs to determine the spam status, to decide which SA generated headers to apply to the message. Your choice of custom Status header is not what the milter expects, and thus needs to resort to the simple Flag header. (Note the comma after yes/no, but no comma between score and required.) First of all, minus all those different datetime strings, IDs and ordering, the real differences are -Subject: [SPAM] Test^M -X-Spam-Flag: Yes^M +Subject: Test^M So it appears that only the sample with add_header spam Flag has the Subject re-written. correct However, there's something else going on. When re-writing the Subject header, SA adds an X-Spam-Prev-Subject header with the original. Which is clearly missing. 
the version is killed in smtp_header_checks which is also the reason that i started to play around with headers nobody but me has a reason to know exact versions of running software Previous-Subject, not Version. I mentioned this specifically, because the absence of the Previous Subject header with Subject rewrite clearly shows, SA generated headers are not unconditionally added to the message, but single headers are cherry picked. IOW, header rewriting does work without the Flag header. It is the glue that decides whether to inherit the rewritten header, and outright ignores the Previous Subject header. Thus, something else has a severe impact on which headers are added or modified. In *both* cases, there is at least one SA generated header missing and/or SA modified header not preserved. -- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: no subject tagging in case of X-Spam-Status: Yes
Am 30.08.2014 um 00:35 schrieb Karsten Bräckelmann: On Fri, 2014-08-29 at 12:02 +0200, Reindl Harald wrote: Am 29.08.2014 um 04:03 schrieb Karsten Bräckelmann: Now, moving forward: I've had a look at the message diffs. Quite interesting, and I honestly want to figure out what's happening. it looks really like spamass-milter is responsible in the second version below it whines it can't extract the score to decide if it's above reject and so it really looks like the milter heavily relies on headers Yay for case in-sensitive parsing... found that out much later last night by plaing with headers in general spamass-milter[14891]: Could not extract score from Yes: Score=5.7, Tag-Level=5.0, Block-Level=10 add_header all Status _YESNO_, score=_SCORE_, tag-level=_REQD_, block-level=10 add_header all Status _YESNO_, Score=_SCORE_, Tag-Level=_REQD_, Block-Level=10 If you use the SA default Status header, or at least the prefix containing score and required, is header rewriting retained by the milter without the Flag header? add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ ... yes, that's what i tried to express score= instead of Score= is liked by the milter well, no big deal, i would have preferred it score or Yes/No also starzing lowercase :-) Given that log line, a likely explanation simply is that the milter needs to determine the spam status, to decide which SA generated headers to apply to the message. Your choice of custom Status header is not what the milter expects, and thus needs to resort to the simple Flag header. (Note the comma after yes/no, but no comma between score and required.) it's really only s versus S in score, tried it out before my post First of all, minus all those different datetime strings, IDs and ordering, the real differences are -Subject: [SPAM] Test^M -X-Spam-Flag: Yes^M +Subject: Test^M So it appears that only the sample with add_header spam Flag has the Subject re-written. correct However, there's something else going on. 
When re-writing the Subject header, SA adds an X-Spam-Prev-Subject header with the original. Which is clearly missing. the version is killed in smtp_header_checks which is also the reason that i started to play around with headers nobody but me has a reason to know exact versions of running software Previous-Subject, not Version. i saw that somewhere in the debug options and wondered too but i referred to the SA version header because doc says you can't remove it and so i explained why it's not there I mentioned this specifically, because the absence of the Previous Subject header with Subject rewrite clearly shows, SA generated headers are not unconditionally added to the message, but single headers are cherry picked. IOW, header rewriting does work without the Flag header. It is the glue that decides whether to inherit the rewritten header, and outright ignores the Previous Subject header. yep - as said: the intention of my post to that topic was only to make public how i fixed it before someone in the future wastes his time with outdated google hits mentioning no longer existing options which are not the reason in that case well, now i know that the milter relies on SA generated headers which was totally unexpected and i work with a lot of server software for many years - give me my daily WTF :-) Thus, something else has a severe impact on which headers are added or modified. In *both* cases, there is at least one SA generated header missing and/or SA modified header not preserved
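The failure discussed in the message above, as an added example that is not part of the original thread and is not spamass-milter's code: it assumes, as the thread reports, glue that only finds the score after a literal lowercase `score=`, and lints `local.cf` lines for Status templates such a parser would miss. The names `extract_score` and `lint_local_cf` are hypothetical and the sample data is constructed.

```python
import re

# Assumption: the glue looks for a literal lowercase "score=" in X-Spam-Status,
# as the thread reports. This is a model, not spamass-milter's source.
STRICT = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")
# A tolerant variant that accepts Score=, SCORE=, and so on.
TOLERANT = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)", re.IGNORECASE)
# Matches "add_header <type> Status <template>" lines in a SpamAssassin config.
ADD_HEADER = re.compile(r"^\s*add_header\s+(\S+)\s+Status\s+(.*)$")


def extract_score(status_value, pattern=STRICT):
    """Return the score as a float, or None when the parser cannot find it."""
    m = pattern.search(status_value)
    return float(m.group(1)) if m else None


def lint_local_cf(text):
    """Return (line_no, template) for Status templates the strict parser misses."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comments
        m = ADD_HEADER.match(line)
        if m and "score=_SCORE_" not in m.group(2):
            findings.append((no, m.group(2).strip()))
    return findings


# Constructed local.cf fragment using the three templates quoted in the thread.
LOCAL_CF = """\
# local.cf (constructed sample)
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
add_header all Status _YESNO_, score=_SCORE_, tag-level=_REQD_, block-level=10
add_header all Status _YESNO_, Score=_SCORE_, Tag-Level=_REQD_, Block-Level=10
"""

if __name__ == "__main__":
    for no, tmpl in lint_local_cf(LOCAL_CF):
        print(f"line {no}: glue may not find the score in: {tmpl}")
    upper = "Yes, Score=5.7, Tag-Level=5.0, Block-Level=10"  # constructed value
    print("strict:", extract_score(upper), "tolerant:", extract_score(upper, TOLERANT))
```

When the strict parser returns `None`, the glue in this model has no score to compare against its reject threshold, which matches the "Could not extract score" log line quoted in the thread.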
Re: Certain types of spam seem to get through SA
On 28 Aug 2014, at 17:38 , Martin Gregorie mar...@gregorie.org wrote: http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz This file is a compressed source archive that includes documentation for the tool and the definition file format. Any reason not to include your dataset? -- If at first you don't succeed, destroy all evidence that you tried.
Re: How to report spam to mailspike
Dave Warren wrote: On 2014-08-29 02:38, Marcin Mirosław wrote: So what should I do in your opinion? I'm getting spam to my private spamtrap so I can't fill fields about company - it doesn't matter where I'm hired for reporting spam. What if I would be unemployed? Then I would have to lie about company? IMHO it is the way to hinder sending complaints from users. If you're not willing --- I think perception may be am not able... ? to provide the information they request, and they won't accept an inquiry without it, then you're left with a different choice: 1) Do nothing, 2) Cease using the service. From their perspective, either the policy will ... --- If they really mean company then it helps them target companies for their own advertising. If I'm acting on my own behalf, I'd put Personal or None or N/A into a form, and if it's not accepted, oh well. --- Ditto on this... Company Self has been in business for decades! ;-) They are definitely a Service provider... (think of all the things 'self' does for you!) ;-) Corporation was a way of embodying a business practice to give it human rights... but you are already embodied, thus incorporated (no offense to the non-corporeal beings reading this list). I'm sure you govern yourself as well if you want to get technical, so if they want to be technical, so can others... Then again, are they worth the bother?
Re: Outlook, we do love to hate you....
while we're having a grizzle... how about the Outlook/MAPI feature where if you copy/move an Exchange mail message onto an IMAP folder, what arrives can barely be described as a legitimate mail message: it has no Received: headers, and its To/From lines consist of Jason Haar instead of Jason Haar email@address. You can imagine what spamassassin thinks about such messages... Words fail me... -- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Give a penalty to messages with non latin UTF-8 characters?
On Fri, 29 Aug 2014 11:41:48 +0200 Michael Opdenacker michael.opdenac...@free-electrons.com wrote: I find it hard to believe I'm the only one getting spam in Chinese characters ;) And legitimate messages as well. (Here, at least.) Blocking messages merely because they have more than just the Roman alphabet in them is a bit too much. How do you guys handle this kind of spam? For the moment, I blacklisted the 163 dot com and 126 dot com domains, without feeling too much guilt. It's not a perfect solution though, as I'm excluding a few posters on the LKML (for example). rbl, sbl, access control, header checks, HELO checks, greylisting, firewall, fail2ban, et cetera do fairly nicely. and a fairly broad blocking of the worst network blocks and 2nd-level domains. Excepting their legitimate mail servers, of course cos little spam, if any, typically goes through those.