Irregular Test Reports in SA?

[grhoderick]

First, apologies in advance, I know this list is for seasoned users. I'm a
consumer—not an administrator by any means—but posting here in hopes that
the SA focus of the list will provide a clear answer. 

I'm on a shared web hosting plan and receiving an inordinate amount of very
obvious spam. SA is enabled and email is being scanned and scored
accordingly. The problem is the scores are too low (1-2) and consequently no
mail management is being triggered, messages then hit my inbox. 

If I paste these same Spam mails into an online check service, they trigger
a handful of tests that my web host's SA install seems to ignore or miss.
The difference is steep, with messages scoring a range of 4 to 14 points
higher, which correctly equates to the majority of the spam. These tests are
comprised mostly of checks against trustworthy blocklists. 

Where I'm confused: Is this an obvious sign that the web host isn't updating
SA appropriately, or is it normal the test reports don't match? Am I
misunderstanding the scoring system? 

After months of back and forth with the web host, their recommendation has
been to add rules and do more intensive SA learning. But the way I
understand it, no amount of tweaking symbolic test scores or adding rules
can make up for not running the tests to begin with. Without having root
access to the SA install, can I even influence which tests are applied? 

If not, my only option is to leave my host for a service that keeps their SA
install updated. Your insight here will help me confidently make that
decision. 

Example of the difference in output: 
http://pastebin.com/ph6wZw2R

Thanks very much for your help!




--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Irregular-Test-Reports-in-SA-tp115438.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Irregular Test Reports in SA?

[Benny Pedersen]

grhoderick skrev den 2015-03-30 16:12:


Example of the difference in output:
http://pastebin.com/ph6wZw2R


http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

funny that zen.spamhaus.org still works


Thanks very much for your help!


ask your server admins to solve this dns problem, and it will pay of to 
be much better spamassassin install overall

Re: How to automatically train each users Bayes?

[James Michael Keller]

Here is what I'm using to do the same globally based on each users mail, 
but it could be tweaked to do per user.This happens to be a family 
only server, so I'm generally doing the spam/ham review for each user as 
needed:


root@omega:/usr/local/bin# more sa-learn-systemwide
#!/bin/sh
#
# sa-learn-systemwide
#
# Run sa-lean against user Maildir folders for ham / spam token learning
#
#

LOGFILE=/var/log/sa-learn-run.log

SALEARNBIN=/usr/bin/sa-learn
SAUSERNAME=Debian-exim
SADBPATH=/var/spool/exim4/.spamassassin/bayes
SAFOLDERS=/etc/spamassassin/sa-learn-folders.conf
MAILTO=root@localhost


#
# Execute sa-learn token database expire of old tokens
#
TIMESTAMP=`date`
echo $TIMESTAMP sa-learn: Starting token expiration ...  $LOGFILE
$SALEARNBIN --force-expire --username=$SAUSERNAME --dbpath=$SADBPATH 
21  $LOGFILE


#
# Execute sa-learn against configured folders
#
TIMESTAMP=`date`
echo $TIMESTAMP sa-learn: Starting Learning ...  $LOGFILE
$SALEARNBIN --no-sync --username=$SAUSERNAME --dbpath=$SADBPATH 
--folders=$SAFOLDERS 21  $LOGFILE


#
# Execute sa-learn sync
#
TIMESTAMP=`date`
echo $TIMESTAMP sa-learn: Starting token journal sync ...  $LOGFILE
$SALEARNBIN --sync --username=$SAUSERNAME --dbpath=$SADBPATH 21  
$LOGFILE


#
# Execute chown
#
TIMESTAMP=`date`
echo $TIMESTAMP sa-learn: Fixing file permissions ...  $LOGFILE
chown -c Debian-exim.Debian-exim $SADBPATH* 21  $LOGFILE


#
# Execute sa-learn stats dump
#
TIMESTAMP=`date`
echo $TIMESTAMP sa-learn: Starting stats dump ...  $LOGFILE
$SALEARNBIN --dump magic --progress --username=$SAUSERNAME 
--dbpath=$SADBPATH  $LOGFILE



root@omega:/usr/local/bin# more /etc/spamassassin/sa-learn-folders.conf
spam:dir:/home/*/Maildir/.SPAM.Spam-Missed/{cur,new}
spam:dir:/home/*/Maildir/.SPAM.Spam-Mail/{cur,new}
ham:dir:/home/*/Maildir/.SPAM.Spam-Ham/{cur,new}
ham:dir:/home/*/Maildir/{cur,new}
ham:dir:/home/*/Maildir/.Sent/{cur,new}
root@omega:/usr/local/bin#

Log snip:

Mon Mar 30 09:00:01 EDT 2015 sa-learn: Starting token expiration ...
bayes: synced databases from journal in 0 seconds: 304 unique entries 
(605 total entries)

Mon Mar 30 09:00:06 EDT 2015 sa-learn: Starting Learning ...
Learned tokens from 24 message(s) (6971 message(s) examined)
Mon Mar 30 09:06:11 EDT 2015 sa-learn: Starting token journal sync ...
Mon Mar 30 09:06:14 EDT 2015 sa-learn: Fixing file permissions ...
Mon Mar 30 09:06:14 EDT 2015 sa-learn: Starting stats dump ...
0.000  0  3  0  non-token data: bayes db version
0.000  0  84238  0  non-token data: nspam
0.000  0 379365  0  non-token data: nham
0.000  0 142093  0  non-token data: ntokens
0.000  0 1427425402  0  non-token data: oldest atime
0.000  0 1427720336  0  non-token data: newest atime
0.000  0 1427720773  0  non-token data: last journal 
sync atime

0.000  0 1427720406  0  non-token data: last expiry atime
0.000  0 228435  0  non-token data: last expire 
atime delta
0.000  0  0  0  non-token data: last expire 
reduction count


Obvious issues if users leave spam sitting in their inbox, but if they 
move to the spam folder it will get relearned correctly.In this case 
I trust the users with well behaved mail clients, so I also feed the 
sent mail in as ham.


Spam older then 14 days gets deleted from the spam folder.


-James

On 3/27/2015 2:09 PM, RW wrote:

On Fri, 27 Mar 2015 15:16:13 +
Michael wrote:


Hi,

I would like automatically learn each users Bayes database in the
following way:

Do the following once a day for each user:
1.) sa-learn -u username --ham ../maildir/cur
2.) sa-learn -u username --spam ../maildir/.Spam/cur

The idea is to train the Bayes for each user without the need to
take care of learning Spam/Ham on their own.

The reason for taking the cur folder instead of the new folder
is that I assume that the contents of these folders have already
been verified for false-positives/negatives by the user.

cur doesn't imply that the mail has been read; for that you
need to check the seen flag in the filename, an S somewhere after the
colon.



A problem that could occur is when the user always deletes all mails
in .Spam/cur. Then the Bayes is only trained with Ham, but never
Spam. Or isn't that a problem?

Not if you tell them - then it's their fault if it doesn't work.
Alternately you could have a separate train-spam folder and empty it
after training.

You could also supplement spam training by autolearning only spam, e.g.
I have:

bayes_auto_learn 1
bayes_auto_learn_on_error 1
bayes_auto_learn_threshold_nonspam -2000.0

Personally I've never seen a spam miss-trained as a ham with the
default threshold, and sensible rule scores.

I think where some people go wrong is that they don't specify
aggressive custom scores correctly. With autolearning it's better to
keep conservative scores in the non-Bayes scoresets 

Re: Uptick in spam

[Kris Deugau]

David Jones wrote:

 The invaluement RBL is not expensive either and it is awesome.  We pay 
 thousands per year for
 a Spamhaus feed because of our volume and mailboxes.  The invaluement RBL is 
 only hundreds
 per year and it's almost as good as Spamhaus Zen.

Seconded;  this is exactly what we've been finding.  Invaluement is a
great complement to Spamhaus for a fraction of the cost.

I wouldn't put it as a front-line reject DNSBL, because some of the
things that have been listed are not what I would class, for our
customers, as spam - but those entries are distinctly greyhat at best in
a lot of cases, and some IP range operators I've flagged as list,
delist, and whitelist_from_rcvd as needed due to the mix of legitimate
small senders and spammers.

-kgd

Re: Uptick in spam

[Rob McEwen]

On 3/30/2015 11:49 AM, Kris Deugau wrote:

Seconded;  this is exactly what we've been finding.  Invaluement is a
great complement to Spamhaus for a fraction of the cost.

I wouldn't put it as a front-line reject DNSBL, because some of the
things that have been listed are not what I would class, for our
customers, as spam - but those entries are distinctly greyhat at best in
a lot of cases, and some IP range operators I've flagged as list,
delist, and whitelist_from_rcvd as needed due to the mix of legitimate
small senders and spammers.


Thanks Kris for the compliment. Also, when you say mix of legitimate 
small senders ...just to clarify, I think that any further analysis 
will show that (a) MOST of these are situations where very small senders 
had massive spam-sending outbreaks due to compromised accounts, and (b) 
the listing was most often very short lived (often mere hours).


This is a balancing act... and I think invaluement strikes a great 
balance. And even in THIS particular area, I think our FP level is still 
distinctly LESS than UCEProtect, Barracuda, and SORBS (for examples). 
But if we brought that all the way to zero, MUCH spam that slips past 
Zen wouldn't be listed on invaluement anymore. (the ham/spam ratios on 
some of these compromised account situations is horrendous--they send 
out their usual 400 hams that day, along with 200,000 spams... and the 
cumulative sum total of those spams from ALL such compromised senders 
that day, represents MUCH of the spam that gets past filters due to 
piggybacking on the sender's normally good reputation)


Also, what I've found is that many medium-sized ISPs/hosters, with 10s 
of thousand of mailboxes are very comfortable with outright blocking on 
invaluement, but will only score on UCEProtect, Barracuda, and SORBS. 
Much smaller hosters will often block on all of them, because they don't 
notice those FPs as often. In fact, I see these SAME somewhat rare 
compromised-sender FPs with Zen, too. It is all about each list's 
strategies, and aggressiveness, and tolerance levels. As shown, 
invaluement is in a very strategic spot here... having much of the 
aggressiveness of these other lists, but with FP levels VERY close to 
Zen's FP levels. (and then scoring on these other lists... even 
aggressive, yet still under-threshold, scoring... will help block spams 
missed by both invaluement and spamhaus)


Also, invaluement plays close to the edge with CAN-spam and 
snowshoe spammers. So invaluement is in a little more dangerous 
territory...that it can do so and not have a lot more FPs, is not easy. 
For example, this invaluement may occasionally list the kind of pure 
ads that, upon further analysis, are arguably not technically spam, but 
aren't exactly desired by the end users. But these situations tend to 
sort themselves out over time.


The SAME thing happens with invaluement's ivmURI domain blacklist. 
OFTEN, a normally legit web site has a CURRENT... LIVE spam infestation, 
where spammers broke into that site and placed spammy content there. 
This has become epidemic. Sure, it is frustrating for everyone, when 
such a site that is being used to send phishing and porn spams... causes 
some of that site's legitimate correspondence to get blocked... but this 
a necessary lesser of evils. The best part is that such a blacklisting 
motivates the site owner to fix their site FASTER. In such a situation, 
the blacklist provided the world a good service, and the resulting 
collateral damage was well justified. The site owner should be 
considered at fault for the collateral damage, not the DNSBL.


I hope this provides some clarity.

--
Rob McEwen
+1 478-475-9032

Re: Uptick in spam

[Rob McEwen]

On 3/30/2015 1:19 PM, Kris Deugau wrote:

The cases I
can recall are more along the lines of grey-hat ESPs who pick up a
spammer client for a while,


Kris,

The next time you run across this and think it might be causing a little 
too much collateral damage (in spite of the spamming), let me know 
(off-list) and I'll research it. I can then make adjustments 
accordingly. I'm very responsive to customer feedback.


Thanks!

--
Rob McEwen
+1 478-475-9032

Re: dangers of email forgery

[Reindl Harald]

Am 30.03.2015 um 19:55 schrieb Jude DaShiell:

One of them is that spammers forge your address so much you get your
account blacklisted and end up having to have it shut down.  That
happened to me and the jdash...@shellworld.net account.  Anyone doing a
google search on shellworld.net blacklisted will find my former
shellworld.net address in the first document google returns


did you have SPF at that time (now you have)

if yes and blacklists listing you because of forged spam from foreign 
servers you should blame the blacklists and make them public so anybody 
can stop using that idiots causing collateral damage




signature.asc
Description: OpenPGP digital signature

dangers of email forgery

[Jude DaShiell]

One of them is that spammers forge your address so much you get your 
account blacklisted and end up having to have it shut down.  That happened 
to me and the jdash...@shellworld.net account.  Anyone doing a google 
search on shellworld.net blacklisted will find my former shellworld.net 
address in the first document google returns.  As a result of spammers and 
blacklisting it's probably a good idea to minimize use of space on 
internet providers machines since sooner rather than later your account is 
going to get blown away.


What would really be useful for any spam fighting package to acquire is 
the ability to automatically check headers on messages and forward servers 
found to be forging to a kill list so those servers could be blacklisted 
in turn.  So far I know of no such software that will do this service.




-- Twitter: JudeDaShiell

Re: Uptick in spam

[Kris Deugau]

Rob McEwen wrote:
 On 3/30/2015 11:49 AM, Kris Deugau wrote:
 Seconded;  this is exactly what we've been finding.  Invaluement is a
 great complement to Spamhaus for a fraction of the cost.

 I wouldn't put it as a front-line reject DNSBL, because some of the
 things that have been listed are not what I would class, for our
 customers, as spam - but those entries are distinctly greyhat at best in
 a lot of cases, and some IP range operators I've flagged as list,
 delist, and whitelist_from_rcvd as needed due to the mix of legitimate
 small senders and spammers.
 
 Thanks Kris for the compliment. Also, when you say mix of legitimate
 small senders ...just to clarify, I think that any further analysis
 will show that (a) MOST of these are situations where very small senders
 had massive spam-sending outbreaks due to compromised accounts, and (b)
 the listing was most often very short lived (often mere hours).

I haven't analyzed after the fact, but that sounds right.  The cases I
can recall are more along the lines of grey-hat ESPs who pick up a
spammer client for a while, and unfortunately those ESPs also serve an
assortment of (very) small businesses who send email that our customers
want to receive.  Often there's a free service tier, or free trial,
and next to no up-front controls on who can send what content through
these ESPs.

I can't block these ESPs outright;  customers *will* get upset.  On the
other hand, once notified of a sender I can make fairly sure that
further mail *for that sender* through that ESP will make it to our
customers' mailboxes.

-kgd

Re: dangers of email forgery

[Reindl Harald]

Am 30.03.2015 um 21:26 schrieb Martin Gregorie:

On Mon, 2015-03-30 at 20:07 +0100, RW wrote:

On Mon, 30 Mar 2015 13:55:52 -0400 (EDT)
Jude DaShiell wrote:


One of them is that spammers forge your address so much you get your
account blacklisted and end up having to have it shut down.  That
happened to me and the jdash...@shellworld.net account.


AFAIK there is no blacklist that lists individual sender email
addresses.



As Reindl says, detecting forged addresses is what SPF is for. If you
own a domain which can send mail and is one where you expect to receive
mail, you should have an SPF record set up for it.

The SPF record should be used by other MTAs to see if the sender address
is forged before attempting to send a 5xx reject message. The benefit to
you is that you don't get showered with backscatter when spammers forge
your domain as the spam's originator


one correction: no server ever should *send* a 5xx reject message
SPF or not REJECT with 5xx is the way to go

the real problem with get your address forged are incompetent admins 
accepting undeliverable mail (mostly to non existing destination 
addresses), some of them even realize the SPF fail but finally blow out 
a bounce, the final idiots are doing this with postmaster@comanly.local 
as sender and not accepting email to postmaster / abuse


one reason are the genius MS Exchange setips with a spamfilter in front, 
set the spamfilter IP to completly trusted and by incompetence in that 
moment also disable the address verification from the spamfilter


been there - 600 backscatters to my private domain on one day





signature.asc
Description: OpenPGP digital signature

Re: dangers of email forgery

[David F. Skoll]

On Mon, 30 Mar 2015 21:47:10 +0200
Reindl Harald h.rei...@thelounge.net wrote:

 but i doubt that exchange don't know it's valid rcpt's and always 
 backscatters with no way to disable that behavior - even in case of 
 microsoft i doubt

Google specifically for Exchange 2013.  AFAIK, it's impossible in
general to get Exchange 2013 to reject a RCPT command to a nonexistent
user with a 5xx failure code.

And if you're filtering for customers on Office 365, there's
categorically no way to convince Microsoft that O365 should fail
invalid RCPT commmands.

Regards,

David.


signature.asc
Description: PGP signature

Re: dangers of email forgery

[RW]

On Mon, 30 Mar 2015 13:55:52 -0400 (EDT)
Jude DaShiell wrote:

 One of them is that spammers forge your address so much you get your 
 account blacklisted and end up having to have it shut down.  That
 happened to me and the jdash...@shellworld.net account. 

AFAIK there is no blacklist that lists individual sender email
addresses. 

Re: dangers of email forgery

[Reindl Harald]

Am 30.03.2015 um 21:07 schrieb RW:

On Mon, 30 Mar 2015 13:55:52 -0400 (EDT)
Jude DaShiell wrote:


One of them is that spammers forge your address so much you get your
account blacklisted and end up having to have it shut down.  That
happened to me and the jdash...@shellworld.net account.


AFAIK there is no blacklist that lists individual sender email
addresses


the only thing i can imagine from the OP is a URIBL listing the domain 
and i would be really interested which one would make such major 
mistakes - more realistic is a local sender blacklist like we do for all 
the new registered domains used for the recent Apple phishings




signature.asc
Description: OpenPGP digital signature

Re: dangers of email forgery

[David F. Skoll]

On Mon, 30 Mar 2015 21:34:02 +0200
Reindl Harald h.rei...@thelounge.net wrote:

 one reason are the genius MS Exchange setips with a spamfilter in
 front, set the spamfilter IP to completly trusted and by
 incompetence in that moment also disable the address verification
 from the spamfilter

Recipient verification is disabled by default in Exchange, and it's almost
impossible to ENable it in Exchange 2013. :(

Microsoft--

We've had to play ghastly tricks to catch bounces from our Exchange-using
customers and use heuristics to decide whether or not they're legit.  It's
the only way we can stay off backscatterer.org

Regards,

David.


signature.asc
Description: PGP signature

Re: dangers of email forgery

[David F. Skoll]

On Mon, 30 Mar 2015 20:07:56 +0100
RW rwmailli...@googlemail.com wrote:

 AFAIK there is no blacklist that lists individual sender email
 addresses. 

There's this one:

https://code.google.com/p/anti-phishing-email-reply/

but its contributors are usually quite competent and won't list a
joe-jobbed address.

Regards,

David.

Re: dangers of email forgery

[Reindl Harald]

Am 30.03.2015 um 21:42 schrieb David F. Skoll:

On Mon, 30 Mar 2015 21:34:02 +0200
Reindl Harald h.rei...@thelounge.net wrote:


one reason are the genius MS Exchange setips with a spamfilter in
front, set the spamfilter IP to completly trusted and by
incompetence in that moment also disable the address verification
from the spamfilter


Recipient verification is disabled by default in Exchange, and it's almost
impossible to ENable it in Exchange 2013. :(

Microsoft--

We've had to play ghastly tricks to catch bounces from our Exchange-using
customers and use heuristics to decide whether or not they're legit.  It's
the only way we can stay off backscatterer.org


hm - not so long ago talking with a ms admin on the phone he was able to 
tell me switch which needs to be enabled - not sure which version


but i doubt that exchange don't know it's valid rcpt's and always 
backscatters with no way to disable that behavior - even in case of 
microsoft i doubt




signature.asc
Description: OpenPGP digital signature

Re: dangers of email forgery

[Martin Gregorie]

On Mon, 2015-03-30 at 20:07 +0100, RW wrote:
 On Mon, 30 Mar 2015 13:55:52 -0400 (EDT)
 Jude DaShiell wrote:
 
  One of them is that spammers forge your address so much you get your 
  account blacklisted and end up having to have it shut down.  That
  happened to me and the jdash...@shellworld.net account. 
 
 AFAIK there is no blacklist that lists individual sender email
 addresses. 
 

As Reindl says, detecting forged addresses is what SPF is for. If you
own a domain which can send mail and is one where you expect to receive
mail, you should have an SPF record set up for it. 

The SPF record should be used by other MTAs to see if the sender address
is forged before attempting to send a 5xx reject message. The benefit to
you is that you don't get showered with backscatter when spammers forge
your domain as the spam's originator.
 

Martin

Re: dangers of email forgery

[Reindl Harald]

Am 30.03.2015 um 21:52 schrieb David F. Skoll:

On Mon, 30 Mar 2015 21:47:10 +0200
Reindl Harald h.rei...@thelounge.net wrote:


but i doubt that exchange don't know it's valid rcpt's and always
backscatters with no way to disable that behavior - even in case of
microsoft i doubt


Google specifically for Exchange 2013.  AFAIK, it's impossible in
general to get Exchange 2013 to reject a RCPT command to a nonexistent
user with a 5xx failure code.

And if you're filtering for customers on Office 365, there's
categorically no way to convince Microsoft that O365 should fail
invalid RCPT commmands


well, than you can't use recent MS Exchange as a MX and have to place a 
MTA in front which get it's user list via database, LDAP or whatever and 
is able to reject invalid RCPTs




signature.asc
Description: OpenPGP digital signature

Re: dangers of email forgery

[David F. Skoll]

On Mon, 30 Mar 2015 23:41:21 +0200
Reindl Harald h.rei...@thelounge.net wrote:

 well, than you can't use recent MS Exchange as a MX and have to place
 a MTA in front which get it's user list via database, LDAP or
 whatever and is able to reject invalid RCPTs

Indeed.

Office 365 does not grant LDAP access.  So the only way is to explicitly
list all valid recipients in the filtering machine, which is not
a very nice solution.

Regards,

David.

Re: Uptick in spam

[Amir Caspi]

On Mar 30, 2015, at 9:49 AM, Kris Deugau kdeu...@vianet.ca wrote:

 Seconded;  this is exactly what we've been finding.  Invaluement is a
 great complement to Spamhaus for a fraction of the cost.

Definitely something to add to my nice to have list for the future.  Sadly, 
as I mentioned earlier, a paid subscription is simply not in the cards for me 
right now... so, unless a miracle happens, invaluement will have to go on my 
wish list rather than my to-do list.

For now it seems I don't really have any viable alternative besides 
greylisting, as I'm already implementing most other free things I can think of 
(and that others have asked about).

If anyone has additional suggestions besides what's been mentioned previously, 
please do let me know...

Thanks.

--- Amir

Re: Irregular Test Reports in SA?

[John Hardin]

On Mon, 30 Mar 2015, grhoderick wrote:


After months of back and forth with the web host, their recommendation has
been to add rules and do more intensive SA learning. But the way I
understand it, no amount of tweaking symbolic test scores or adding rules
can make up for not running the tests to begin with. Without having root
access to the SA install, can I even influence which tests are applied?



Example of the difference in output:
http://pastebin.com/ph6wZw2R


I assume that's for a spam?

Two big things jump out:

0.0 URIBL_BLOCKED

This means that your ISP's URIBL queries are exceeding the free-access 
limits of the URIBL provider. They should set up a separate dedicated 
caching recursing nameserver for their mail system so that their URIBL 
traffic is not aggregated with other URIBL traffic using their main name 
servers. However, as they are an ISP, this by itself may not be enough to 
drop their query traffic below the free-access threshold. They may need to 
contact the URIBL provider and set up a paid feed for UDIBL data.


-1.9 BAYES_00

If this is the score for an obvious spam, then 
this stongly suggests mistraining, or autolearn that has run off the 
rails.


How is bayes being trained? Has the ISP provided you with any way to train 
obviously misclassified messages? If they don't give you any way to train 
then they have taken that burden upon themselves, and are not doing it 
effectively. They probably need to wipe their database and start over from 
scratch.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #7: In ten years nobody will remember the
  details of caliber, stance, or tactics. They will only remember who
  lived.
---
 2 days until April Fools' day