Irregular Test Reports in SA?
First, apologies in advance, I know this list is for seasoned users. I'm a consumer—not an administrator by any means—but posting here in hopes that the SA focus of the list will provide a clear answer.

I'm on a shared web hosting plan and receiving an inordinate amount of very obvious spam. SA is enabled and email is being scanned and scored accordingly. The problem is the scores are too low (1-2) and consequently no mail management is being triggered; messages then hit my inbox. If I paste these same spam mails into an online check service, they trigger a handful of tests that my web host's SA install seems to ignore or miss. The difference is steep, with messages scoring a range of 4 to 14 points higher, which correctly equates to the majority of the spam. These tests consist mostly of checks against trustworthy blocklists.

Where I'm confused: Is this an obvious sign that the web host isn't updating SA appropriately, or is it normal that the test reports don't match? Am I misunderstanding the scoring system?

After months of back and forth with the web host, their recommendation has been to add rules and do more intensive SA learning. But the way I understand it, no amount of tweaking symbolic test scores or adding rules can make up for not running the tests to begin with. Without having root access to the SA install, can I even influence which tests are applied? If not, my only option is to leave my host for a service that keeps their SA install updated. Your insight here will help me confidently make that decision.

Example of the difference in output: http://pastebin.com/ph6wZw2R

Thanks very much for your help!

-- View this message in context: http://spamassassin.1065346.n5.nabble.com/Irregular-Test-Reports-in-SA-tp115438.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Irregular Test Reports in SA?
grhoderick wrote on 2015-03-30 16:12:
Example of the difference in output: http://pastebin.com/ph6wZw2R

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

funny that zen.spamhaus.org still works

Thanks very much for your help!

ask your server admins to solve this dns problem, and it will pay off with a much better spamassassin install overall
Re: How to automatically train each users Bayes?
Here is what I'm using to do the same globally based on each user's mail, but it could be tweaked to do per user. This happens to be a family-only server, so I'm generally doing the spam/ham review for each user as needed:

root@omega:/usr/local/bin# more sa-learn-systemwide
#!/bin/sh
#
# sa-learn-systemwide
#
# Run sa-learn against user Maildir folders for ham / spam token learning
#
#
LOGFILE=/var/log/sa-learn-run.log
SALEARNBIN=/usr/bin/sa-learn
SAUSERNAME=Debian-exim
SADBPATH=/var/spool/exim4/.spamassassin/bayes
SAFOLDERS=/etc/spamassassin/sa-learn-folders.conf
MAILTO=root@localhost
#
# Execute sa-learn token database expire of old tokens
# (stdout and stderr of every sa-learn call are appended to $LOGFILE)
#
TIMESTAMP=`date`
echo "$TIMESTAMP sa-learn: Starting token expiration ..." >> $LOGFILE
$SALEARNBIN --force-expire --username=$SAUSERNAME --dbpath=$SADBPATH >> $LOGFILE 2>&1
#
# Execute sa-learn against configured folders
#
TIMESTAMP=`date`
echo "$TIMESTAMP sa-learn: Starting Learning ..." >> $LOGFILE
$SALEARNBIN --no-sync --username=$SAUSERNAME --dbpath=$SADBPATH --folders=$SAFOLDERS >> $LOGFILE 2>&1
#
# Execute sa-learn sync
#
TIMESTAMP=`date`
echo "$TIMESTAMP sa-learn: Starting token journal sync ..." >> $LOGFILE
$SALEARNBIN --sync --username=$SAUSERNAME --dbpath=$SADBPATH >> $LOGFILE 2>&1
#
# Execute chown
#
TIMESTAMP=`date`
echo "$TIMESTAMP sa-learn: Fixing file permissions ..." >> $LOGFILE
chown -c Debian-exim.Debian-exim $SADBPATH* >> $LOGFILE 2>&1
#
# Execute sa-learn stats dump
#
TIMESTAMP=`date`
echo "$TIMESTAMP sa-learn: Starting stats dump ..." >> $LOGFILE
$SALEARNBIN --dump magic --progress --username=$SAUSERNAME --dbpath=$SADBPATH >> $LOGFILE

root@omega:/usr/local/bin# more /etc/spamassassin/sa-learn-folders.conf
spam:dir:/home/*/Maildir/.SPAM.Spam-Missed/{cur,new}
spam:dir:/home/*/Maildir/.SPAM.Spam-Mail/{cur,new}
ham:dir:/home/*/Maildir/.SPAM.Spam-Ham/{cur,new}
ham:dir:/home/*/Maildir/{cur,new}
ham:dir:/home/*/Maildir/.Sent/{cur,new}
root@omega:/usr/local/bin#

Log snip:

Mon Mar 30 09:00:01 EDT 2015 sa-learn: Starting token expiration ...
bayes: synced databases from journal in 0 seconds: 304 unique entries (605 total entries)
Mon Mar 30 09:00:06 EDT 2015 sa-learn: Starting Learning ...
Learned tokens from 24 message(s) (6971 message(s) examined)
Mon Mar 30 09:06:11 EDT 2015 sa-learn: Starting token journal sync ...
Mon Mar 30 09:06:14 EDT 2015 sa-learn: Fixing file permissions ...
Mon Mar 30 09:06:14 EDT 2015 sa-learn: Starting stats dump ...
0.000 0 3 0 non-token data: bayes db version
0.000 0 84238 0 non-token data: nspam
0.000 0 379365 0 non-token data: nham
0.000 0 142093 0 non-token data: ntokens
0.000 0 1427425402 0 non-token data: oldest atime
0.000 0 1427720336 0 non-token data: newest atime
0.000 0 1427720773 0 non-token data: last journal sync atime
0.000 0 1427720406 0 non-token data: last expiry atime
0.000 0 228435 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count

Obvious issues if users leave spam sitting in their inbox, but if they move it to the spam folder it will get relearned correctly. In this case I trust the users with well-behaved mail clients, so I also feed the sent mail in as ham. Spam older than 14 days gets deleted from the spam folder.

-James

On 3/27/2015 2:09 PM, RW wrote:
On Fri, 27 Mar 2015 15:16:13 + Michael wrote:
Hi, I would like to automatically learn each user's Bayes database in the following way: Do the following once a day for each user:
1.) sa-learn -u username --ham ../maildir/cur
2.) sa-learn -u username --spam ../maildir/.Spam/cur
The idea is to train the Bayes for each user without the need to take care of learning Spam/Ham on their own. The reason for taking the cur folder instead of the new folder is that I assume that the contents of these folders have already been verified for false-positives/negatives by the user.

cur doesn't imply that the mail has been read; for that you need to check the seen flag in the filename, an S somewhere after the colon.

A problem that could occur is when the user always deletes all mails in .Spam/cur. Then the Bayes is only trained with Ham, but never Spam. Or isn't that a problem?

Not if you tell them - then it's their fault if it doesn't work. Alternately you could have a separate train-spam folder and empty it after training. You could also supplement spam training by autolearning only spam, e.g. I have:

bayes_auto_learn 1
bayes_auto_learn_on_error 1
bayes_auto_learn_threshold_nonspam -2000.0

Personally I've never seen a spam mis-trained as a ham with the default threshold, and sensible rule scores. I think where some people go wrong is that they don't specify aggressive custom scores correctly. With autolearning it's better to keep conservative scores in the non-Bayes scoresets
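The exchange above asks for a per-user variant of Michael's two sa-learn calls, and RW points out that a message being in cur/ does not mean it was read; the Seen flag (an S after the ":2," in the Maildir filename) does. The following is an added example, not code from either poster, showing how to pick ham only from read, non-trashed messages and spam from the user's .Spam folder before handing the files to sa-learn -u <user>. It assumes a Maildir++ layout under /home/<user>/Maildir with .Spam as the spam folder and sa-learn on PATH; the fixture it builds is constructed for the demonstration.

```python
"""Pick Maildir messages for per-user sa-learn runs.

Added example, not code from the thread. Assumed layout: Maildir++ under
/home/<user>/Maildir with .Spam as the user's spam folder, Maildir flags
after ":2," in the filename (Seen = S, Trashed = T), and sa-learn on PATH.
"""
import subprocess
import tempfile
from pathlib import Path

FLAG_SEPARATOR = ":2,"


def maildir_flags(filename: str) -> str:
    """Return the flag letters of a Maildir filename ('' when it has none)."""
    base = Path(filename).name
    idx = base.rfind(FLAG_SEPARATOR)
    return "" if idx == -1 else base[idx + len(FLAG_SEPARATOR):]


def is_seen(filename: str) -> bool:
    return "S" in maildir_flags(filename)


def is_trashed(filename: str) -> bool:
    return "T" in maildir_flags(filename)


def select_training_files(maildir: Path):
    """Return (ham, spam) path lists.

    Ham: cur/ messages the user has actually read (Seen flag) and has not
    marked for deletion. Spam: everything the user moved into .Spam.
    """
    cur = maildir / "cur"
    ham = sorted(p for p in cur.iterdir()
                 if p.is_file() and is_seen(p.name) and not is_trashed(p.name)) if cur.is_dir() else []
    spam = []
    for sub in ("cur", "new"):
        folder = maildir / ".Spam" / sub
        if folder.is_dir():
            spam.extend(sorted(p for p in folder.iterdir() if p.is_file()))
    return ham, spam


def build_sa_learn_commands(user: str, maildir: Path):
    """argv lists for sa-learn: ham, spam, then one journal sync for the user."""
    ham, spam = select_training_files(maildir)
    cmds = []
    if ham:
        cmds.append(["sa-learn", "-u", user, "--ham", "--no-sync", *map(str, ham)])
    if spam:
        cmds.append(["sa-learn", "-u", user, "--spam", "--no-sync", *map(str, spam)])
    if cmds:
        cmds.append(["sa-learn", "-u", user, "--sync"])
    return cmds


def train_user(user: str, maildir: Path, run: bool = False):
    """Build the commands and, when run=True, execute them in order."""
    cmds = build_sa_learn_commands(user, maildir)
    if run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


def make_sample_maildir(root: Path) -> Path:
    """Constructed fixture: tiny messages with assorted flag sets."""
    layout = {
        "cur": ["1.host:2,S", "2.host:2,", "3.host:2,RS", "4.host:2,ST", "5.host"],
        "new": ["8.host"],
        ".Spam/cur": ["6.host:2,S"],
        ".Spam/new": ["7.host"],
    }
    maildir = root / "Maildir"
    for sub, names in layout.items():
        (maildir / sub).mkdir(parents=True, exist_ok=True)
        for name in names:
            (maildir / sub / name).write_text("From: sender@example.test\n\nbody\n")
    return maildir


def demo():
    """Run the selection on the fixture; returns ham names, spam names, argv prefixes."""
    with tempfile.TemporaryDirectory() as tmp:
        maildir = make_sample_maildir(Path(tmp))
        ham, spam = select_training_files(maildir)
        cmds = train_user("alice", maildir)
        return [p.name for p in ham], [p.name for p in spam], [c[:4] for c in cmds]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running it prints the two read messages chosen as ham, the two .Spam messages chosen as spam, and the three sa-learn invocations; unread, trashed and new/ messages are skipped, which is the point RW raises.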
Re: Uptick in spam
David Jones wrote: The invaluement RBL is not expensive either and it is awesome. We pay thousands per year for a Spamhaus feed because of our volume and mailboxes. The invaluement RBL is only hundreds per year and it's almost as good as Spamhaus Zen. Seconded; this is exactly what we've been finding. Invaluement is a great complement to Spamhaus for a fraction of the cost. I wouldn't put it as a front-line reject DNSBL, because some of the things that have been listed are not what I would class, for our customers, as spam - but those entries are distinctly greyhat at best in a lot of cases, and some IP range operators I've flagged as list, delist, and whitelist_from_rcvd as needed due to the mix of legitimate small senders and spammers. -kgd
Re: Uptick in spam
On 3/30/2015 11:49 AM, Kris Deugau wrote:
Seconded; this is exactly what we've been finding. Invaluement is a great complement to Spamhaus for a fraction of the cost. I wouldn't put it as a front-line reject DNSBL, because some of the things that have been listed are not what I would class, for our customers, as spam - but those entries are distinctly greyhat at best in a lot of cases, and some IP range operators I've flagged as list, delist, and whitelist_from_rcvd as needed due to the mix of legitimate small senders and spammers.

Thanks Kris for the compliment. Also, when you say mix of legitimate small senders ...just to clarify, I think that any further analysis will show that (a) MOST of these are situations where very small senders had massive spam-sending outbreaks due to compromised accounts, and (b) the listing was most often very short lived (often mere hours). This is a balancing act... and I think invaluement strikes a great balance. And even in THIS particular area, I think our FP level is still distinctly LESS than UCEProtect, Barracuda, and SORBS (for examples). But if we brought that all the way to zero, MUCH spam that slips past Zen wouldn't be listed on invaluement anymore. (the ham/spam ratios on some of these compromised account situations are horrendous--they send out their usual 400 hams that day, along with 200,000 spams... and the cumulative sum total of those spams from ALL such compromised senders that day represents MUCH of the spam that gets past filters due to piggybacking on the sender's normally good reputation) Also, what I've found is that many medium-sized ISPs/hosters, with tens of thousands of mailboxes, are very comfortable with outright blocking on invaluement, but will only score on UCEProtect, Barracuda, and SORBS. Much smaller hosters will often block on all of them, because they don't notice those FPs as often. In fact, I see these SAME somewhat rare compromised-sender FPs with Zen, too.

It is all about each list's strategies, and aggressiveness, and tolerance levels. As shown, invaluement is in a very strategic spot here... having much of the aggressiveness of these other lists, but with FP levels VERY close to Zen's FP levels. (and then scoring on these other lists... even aggressive, yet still under-threshold, scoring... will help block spams missed by both invaluement and spamhaus) Also, invaluement plays close to the edge with CAN-SPAM and snowshoe spammers. So invaluement is in a little more dangerous territory... that it can do so and not have a lot more FPs is not easy. For example, invaluement may occasionally list the kind of pure ads that, upon further analysis, are arguably not technically spam, but aren't exactly desired by the end users. But these situations tend to sort themselves out over time. The SAME thing happens with invaluement's ivmURI domain blacklist. OFTEN, a normally legit web site has a CURRENT... LIVE spam infestation, where spammers broke into that site and placed spammy content there. This has become epidemic. Sure, it is frustrating for everyone, when such a site that is being used to send phishing and porn spams... causes some of that site's legitimate correspondence to get blocked... but this is a necessary lesser of evils. The best part is that such a blacklisting motivates the site owner to fix their site FASTER. In such a situation, the blacklist provided the world a good service, and the resulting collateral damage was well justified. The site owner should be considered at fault for the collateral damage, not the DNSBL. I hope this provides some clarity.

-- Rob McEwen +1 478-475-9032
Re: Uptick in spam
On 3/30/2015 1:19 PM, Kris Deugau wrote: The cases I can recall are more along the lines of grey-hat ESPs who pick up a spammer client for a while, Kris, The next time you run across this and think it might be causing a little too much collateral damage (in spite of the spamming), let me know (off-list) and I'll research it. I can then make adjustments accordingly. I'm very responsive to customer feedback. Thanks! -- Rob McEwen +1 478-475-9032
Re: dangers of email forgery
On 30.03.2015 at 19:55 Jude DaShiell wrote:
One of them is that spammers forge your address so much you get your account blacklisted and end up having to have it shut down. That happened to me and the jdash...@shellworld.net account. Anyone doing a google search on shellworld.net blacklisted will find my former shellworld.net address in the first document google returns

did you have SPF at that time (now you have)

if yes and blacklists are listing you because of forged spam from foreign servers you should blame the blacklists and make them public so anybody can stop using those idiots causing collateral damage
dangers of email forgery
One of them is that spammers forge your address so much you get your account blacklisted and end up having to have it shut down. That happened to me and the jdash...@shellworld.net account. Anyone doing a google search on shellworld.net blacklisted will find my former shellworld.net address in the first document google returns. As a result of spammers and blacklisting it's probably a good idea to minimize use of space on internet providers machines since sooner rather than later your account is going to get blown away. What would really be useful for any spam fighting package to acquire is the ability to automatically check headers on messages and forward servers found to be forging to a kill list so those servers could be blacklisted in turn. So far I know of no such software that will do this service. -- Twitter: JudeDaShiell
Re: Uptick in spam
Rob McEwen wrote: On 3/30/2015 11:49 AM, Kris Deugau wrote: Seconded; this is exactly what we've been finding. Invaluement is a great complement to Spamhaus for a fraction of the cost. I wouldn't put it as a front-line reject DNSBL, because some of the things that have been listed are not what I would class, for our customers, as spam - but those entries are distinctly greyhat at best in a lot of cases, and some IP range operators I've flagged as list, delist, and whitelist_from_rcvd as needed due to the mix of legitimate small senders and spammers. Thanks Kris for the compliment. Also, when you say mix of legitimate small senders ...just to clarify, I think that any further analysis will show that (a) MOST of these are situations where very small senders had massive spam-sending outbreaks due to compromised accounts, and (b) the listing was most often very short lived (often mere hours). I haven't analyzed after the fact, but that sounds right. The cases I can recall are more along the lines of grey-hat ESPs who pick up a spammer client for a while, and unfortunately those ESPs also serve an assortment of (very) small businesses who send email that our customers want to receive. Often there's a free service tier, or free trial, and next to no up-front controls on who can send what content through these ESPs. I can't block these ESPs outright; customers *will* get upset. On the other hand, once notified of a sender I can make fairly sure that further mail *for that sender* through that ESP will make it to our customers' mailboxes. -kgd
Re: dangers of email forgery
On 30.03.2015 at 21:26 Martin Gregorie wrote:
On Mon, 2015-03-30 at 20:07 +0100, RW wrote:
On Mon, 30 Mar 2015 13:55:52 -0400 (EDT) Jude DaShiell wrote:
One of them is that spammers forge your address so much you get your account blacklisted and end up having to have it shut down. That happened to me and the jdash...@shellworld.net account.
AFAIK there is no blacklist that lists individual sender email addresses.
As Reindl says, detecting forged addresses is what SPF is for. If you own a domain which can send mail and is one where you expect to receive mail, you should have an SPF record set up for it. The SPF record should be used by other MTAs to see if the sender address is forged before attempting to send a 5xx reject message. The benefit to you is that you don't get showered with backscatter when spammers forge your domain as the spam's originator

one correction: no server ever should *send* a 5xx reject message

SPF or not, REJECT with 5xx is the way to go

the real problem with getting your address forged is incompetent admins accepting undeliverable mail (mostly to non-existing destination addresses); some of them even realize the SPF fail but finally blow out a bounce; the final idiots are doing this with postmaster@comanly.local as sender and not accepting email to postmaster / abuse

one reason is the genius MS Exchange setups with a spamfilter in front: set the spamfilter IP to completely trusted and by incompetence in that moment also disable the address verification from the spamfilter

been there - 600 backscatters to my private domain on one day
Re: dangers of email forgery
On Mon, 30 Mar 2015 21:47:10 +0200 Reindl Harald h.rei...@thelounge.net wrote:
but i doubt that exchange don't know it's valid rcpt's and always backscatters with no way to disable that behavior - even in case of microsoft i doubt

Google specifically for Exchange 2013. AFAIK, it's impossible in general to get Exchange 2013 to reject a RCPT command to a nonexistent user with a 5xx failure code. And if you're filtering for customers on Office 365, there's categorically no way to convince Microsoft that O365 should fail invalid RCPT commands.

Regards, David.
Re: dangers of email forgery
On Mon, 30 Mar 2015 13:55:52 -0400 (EDT) Jude DaShiell wrote: One of them is that spammers forge your address so much you get your account blacklisted and end up having to have it shut down. That happened to me and the jdash...@shellworld.net account. AFAIK there is no blacklist that lists individual sender email addresses.
Re: dangers of email forgery
On 30.03.2015 at 21:07 RW wrote:
On Mon, 30 Mar 2015 13:55:52 -0400 (EDT) Jude DaShiell wrote:
One of them is that spammers forge your address so much you get your account blacklisted and end up having to have it shut down. That happened to me and the jdash...@shellworld.net account.
AFAIK there is no blacklist that lists individual sender email addresses

the only thing i can imagine from the OP is a URIBL listing the domain and i would be really interested which one would make such major mistakes - more realistic is a local sender blacklist like we do for all the newly registered domains used for the recent Apple phishings
Re: dangers of email forgery
On Mon, 30 Mar 2015 21:34:02 +0200 Reindl Harald h.rei...@thelounge.net wrote:
one reason is the genius MS Exchange setups with a spamfilter in front: set the spamfilter IP to completely trusted and by incompetence in that moment also disable the address verification from the spamfilter

Recipient verification is disabled by default in Exchange, and it's almost impossible to ENable it in Exchange 2013. :( Microsoft--

We've had to play ghastly tricks to catch bounces from our Exchange-using customers and use heuristics to decide whether or not they're legit. It's the only way we can stay off backscatterer.org

Regards, David.
Re: dangers of email forgery
On Mon, 30 Mar 2015 20:07:56 +0100 RW rwmailli...@googlemail.com wrote: AFAIK there is no blacklist that lists individual sender email addresses. There's this one: https://code.google.com/p/anti-phishing-email-reply/ but its contributors are usually quite competent and won't list a joe-jobbed address. Regards, David.
Re: dangers of email forgery
On 30.03.2015 at 21:42 David F. Skoll wrote:
On Mon, 30 Mar 2015 21:34:02 +0200 Reindl Harald h.rei...@thelounge.net wrote:
one reason is the genius MS Exchange setups with a spamfilter in front: set the spamfilter IP to completely trusted and by incompetence in that moment also disable the address verification from the spamfilter
Recipient verification is disabled by default in Exchange, and it's almost impossible to ENable it in Exchange 2013. :( Microsoft-- We've had to play ghastly tricks to catch bounces from our Exchange-using customers and use heuristics to decide whether or not they're legit. It's the only way we can stay off backscatterer.org

hm - not so long ago, talking with a ms admin on the phone, he was able to tell me the switch which needs to be enabled - not sure which version

but i doubt that exchange doesn't know its valid rcpts and always backscatters with no way to disable that behavior - even in case of microsoft i doubt
Re: dangers of email forgery
On Mon, 2015-03-30 at 20:07 +0100, RW wrote: On Mon, 30 Mar 2015 13:55:52 -0400 (EDT) Jude DaShiell wrote: One of them is that spammers forge your address so much you get your account blacklisted and end up having to have it shut down. That happened to me and the jdash...@shellworld.net account. AFAIK there is no blacklist that lists individual sender email addresses. As Reindl says, detecting forged addresses is what SPF is for. If you own a domain which can send mail and is one where you expect to receive mail, you should have an SPF record set up for it. The SPF record should be used by other MTAs to see if the sender address is forged before attempting to send a 5xx reject message. The benefit to you is that you don't get showered with backscatter when spammers forge your domain as the spam's originator. Martin
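Martin's post above describes what SPF is for, and Reindl's reply elsewhere in the thread adds that the right reaction to a failing check is a 5xx reject inside the SMTP session, never a bounce generated afterwards. The following is an added example, not code from any poster, of the core SPF evaluation: matching the connecting IP against ip4/ip6 mechanisms and mapping the qualifier to pass/fail/softfail/neutral, plus the action a filtering MTA would take on each result. It covers only the DNS-free subset of RFC 7208 (include, a, mx, exists, ptr and redirect= need lookups and are reported as needing DNS); the record and IPs are constructed from documentation ranges.

```python
"""Offline SPF evaluation for ip4/ip6/all records.

Added example, not from the thread. Handles the mechanisms that need no DNS
(ip4, ip6, all) with the four qualifiers; anything else is flagged by
needs_dns() and evaluate_spf() raises instead of guessing. The record and
client addresses used below are constructed (RFC 5737 / RFC 3849 ranges).
"""
import ipaddress

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
OFFLINE_MECHANISMS = {"ip4", "ip6", "all"}


def parse_spf(record: str):
    """Return [(qualifier, mechanism, argument)], or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term:                      # modifier such as redirect= or exp=
            parsed.append(("+", term.split("=", 1)[0].lower() + "=", term.split("=", 1)[1]))
            continue
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # partition keeps IPv6 colons in arg
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def needs_dns(record: str) -> bool:
    """True when the record uses include/a/mx/exists/ptr or redirect=."""
    terms = parse_spf(record) or []
    return any(mech not in OFFLINE_MECHANISMS and mech != "exp=" for _, mech, _ in terms)


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return none, pass, fail, softfail or neutral for the connecting IP."""
    terms = parse_spf(record)
    if terms is None:
        return "none"                        # domain publishes no SPF
    if needs_dns(record):
        raise NotImplementedError("record needs DNS lookups; not handled offline")
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in terms:
        if mech == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                         # no mechanism matched, no "all"


def smtp_action(result: str) -> str:
    """What a receiving MTA should do with the result: reject in-session on
    fail (a 5xx at RCPT/DATA time, so no bounce is ever generated), add score
    on softfail, and otherwise let the content filter decide."""
    if result == "fail":
        return "reject 5xx at SMTP time"
    if result == "softfail":
        return "accept and add score"
    return "accept"


# Constructed record: two permitted ranges, one soft-failing host, hard fail for the rest.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~ip4:198.51.100.7 -all"

if __name__ == "__main__":
    for client in ("192.0.2.77", "2001:db8:1::1", "198.51.100.7", "203.0.113.9"):
        result = evaluate_spf(SAMPLE_RECORD, client)
        print(f"{client:16} {result:9} -> {smtp_action(result)}")
```

The fail branch is where the backscatter problem is decided: a 550 returned while the spammer's connection is still open costs nothing, whereas accepting the message and bouncing it later sends the bounce to whoever's address was forged.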
Re: dangers of email forgery
On 30.03.2015 at 21:52 David F. Skoll wrote:
On Mon, 30 Mar 2015 21:47:10 +0200 Reindl Harald h.rei...@thelounge.net wrote:
but i doubt that exchange don't know it's valid rcpt's and always backscatters with no way to disable that behavior - even in case of microsoft i doubt
Google specifically for Exchange 2013. AFAIK, it's impossible in general to get Exchange 2013 to reject a RCPT command to a nonexistent user with a 5xx failure code. And if you're filtering for customers on Office 365, there's categorically no way to convince Microsoft that O365 should fail invalid RCPT commands

well, then you can't use recent MS Exchange as a MX and have to place a MTA in front which gets its user list via database, LDAP or whatever and is able to reject invalid RCPTs
Re: dangers of email forgery
On Mon, 30 Mar 2015 23:41:21 +0200 Reindl Harald h.rei...@thelounge.net wrote: well, than you can't use recent MS Exchange as a MX and have to place a MTA in front which get it's user list via database, LDAP or whatever and is able to reject invalid RCPTs Indeed. Office 365 does not grant LDAP access. So the only way is to explicitly list all valid recipients in the filtering machine, which is not a very nice solution. Regards, David.
Re: Uptick in spam
On Mar 30, 2015, at 9:49 AM, Kris Deugau kdeu...@vianet.ca wrote: Seconded; this is exactly what we've been finding. Invaluement is a great complement to Spamhaus for a fraction of the cost. Definitely something to add to my nice to have list for the future. Sadly, as I mentioned earlier, a paid subscription is simply not in the cards for me right now... so, unless a miracle happens, invaluement will have to go on my wish list rather than my to-do list. For now it seems I don't really have any viable alternative besides greylisting, as I'm already implementing most other free things I can think of (and that others have asked about). If anyone has additional suggestions besides what's been mentioned previously, please do let me know... Thanks. --- Amir
Re: Irregular Test Reports in SA?
On Mon, 30 Mar 2015, grhoderick wrote:
After months of back and forth with the web host, their recommendation has been to add rules and do more intensive SA learning. But the way I understand it, no amount of tweaking symbolic test scores or adding rules can make up for not running the tests to begin with. Without having root access to the SA install, can I even influence which tests are applied?
Example of the difference in output: http://pastebin.com/ph6wZw2R

I assume that's for a spam? Two big things jump out:

0.0 URIBL_BLOCKED

This means that your ISP's URIBL queries are exceeding the free-access limits of the URIBL provider. They should set up a separate dedicated caching recursing nameserver for their mail system so that their URIBL traffic is not aggregated with other URIBL traffic using their main name servers. However, as they are an ISP, this by itself may not be enough to drop their query traffic below the free-access threshold. They may need to contact the URIBL provider and set up a paid feed for URIBL data.

-1.9 BAYES_00

If this is the score for an obvious spam, then this strongly suggests mistraining, or autolearn that has run off the rails. How is bayes being trained? Has the ISP provided you with any way to train obviously misclassified messages? If they don't give you any way to train then they have taken that burden upon themselves, and are not doing it effectively. They probably need to wipe their database and start over from scratch.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #7: In ten years nobody will remember the details of caliber, stance, or tactics. They will only remember who lived.
---
2 days until April Fools' day
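John's diagnosis rests on reading two test names out of the report: URIBL_BLOCKED (the resolver is over the URIBL provider's free query limit, so every URIBL test silently scores 0) and BAYES_00 on a message that is plainly spam (mistrained or runaway autolearn). The following is an added example, not code from any poster, that parses SpamAssassin's X-Spam-Status header, flags those two symptoms, and lists which tests the reference scan fired that the local scan did not, which is the comparison the original poster made by hand. The two header values are constructed for the demonstration, not the ones in the poster's pastebin.

```python
"""Parse X-Spam-Status headers and flag URIBL_BLOCKED / BAYES_00.

Added example, not code from the thread. The two headers below are
constructed; the explanations follow the advice given in the thread.
"""
import re

# Explanation per symptom test; BAYES_00 is only a symptom on a known spam.
SYMPTOMS = {
    "URIBL_BLOCKED": ("the resolver used for URIBL lookups is over the provider's "
                      "free query limit, so every URIBL test is skipped and scores 0; "
                      "use a dedicated caching resolver for the mail system or a paid feed"),
    "BAYES_00": ("Bayes is confident this is ham; on a message you know is spam "
                 "this points at mistraining or autolearn that has run off the rails"),
}

_STATUS_RE = re.compile(
    r"^(?:X-Spam-Status:\s*)?(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+"
    r"required=(\d+(?:\.\d+)?)\s+tests=(\S*)(?:\s+autolearn=(\S+))?",
    re.IGNORECASE,
)


def unfold_header(raw: str) -> str:
    """Undo RFC 5322 folding; SpamAssassin wraps the test list after commas,
    so whitespace following a comma is dropped to re-join the list."""
    one_line = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    return re.sub(r",\s+", ",", one_line)


def parse_spam_status(raw: str) -> dict:
    """Return verdict, score, threshold, test names and autolearn status."""
    match = _STATUS_RE.match(unfold_header(raw))
    if not match:
        raise ValueError("not an X-Spam-Status header: %r" % raw[:60])
    return {
        "is_spam": match.group(1).lower() == "yes",
        "score": float(match.group(2)),
        "required": float(match.group(3)),
        "tests": [t for t in match.group(4).split(",") if t],
        "autolearn": match.group(5),
    }


def diagnose(status: dict, known_spam: bool = True) -> dict:
    """Map each symptom test present in the header to its explanation."""
    findings = {}
    for test in status["tests"]:
        if test == "BAYES_00" and not known_spam:
            continue
        if test in SYMPTOMS:
            findings[test] = SYMPTOMS[test]
    return findings


def compare_reports(local_raw: str, reference_raw: str) -> dict:
    """Score gap and the tests only one of the two scans fired."""
    local = parse_spam_status(local_raw)
    reference = parse_spam_status(reference_raw)
    return {
        "score_delta": reference["score"] - local["score"],
        "missing_tests": sorted(set(reference["tests"]) - set(local["tests"])),
        "extra_tests": sorted(set(local["tests"]) - set(reference["tests"])),
    }


# Constructed headers: the hosting provider's scan versus an online check of the same spam.
HOST_REPORT = (
    "X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_00,HTML_MESSAGE,\n"
    "\tMIME_HTML_ONLY,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0"
)
ONLINE_REPORT = (
    "X-Spam-Status: Yes, score=9.7 required=5.0 tests=BAYES_99,HTML_MESSAGE,\n"
    "\tMIME_HTML_ONLY,RCVD_IN_XBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=spam\n"
    "\tversion=3.4.0"
)

if __name__ == "__main__":
    for test, why in diagnose(parse_spam_status(HOST_REPORT)).items():
        print(f"{test}: {why}")
    gap = compare_reports(HOST_REPORT, ONLINE_REPORT)
    print(f"reference scored {gap['score_delta']:+.1f} higher; "
          f"tests missing locally: {', '.join(gap['missing_tests'])}")
```

On the constructed pair, the missing tests are all DNS-based (XBL, URIBL_BLACK, URIBL_DBL_SPAM) plus BAYES_99, which is exactly the pattern the original poster saw: the local install is not broken in its rules, its DNS lookups and Bayes training are.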