Re: Any ETA as to when rule updates will begin again?

2017-05-02 Thread Chris 
On Tue, 2017-05-02 at 21:52 -0400, Kevin A. McGrail wrote:
> On 5/2/2017 8:52 PM, Chris wrote:
> > 
> > Since it's now been a month and a half is there any ETA as to when
> > rule
> > updates will begin again? I've been showing the same channel
> > version
> > since 16 March as shown in the attached.
> As a volunteer project, there is no ETA.  I can tell you my goal is
> to 
> get it running before ApacheCon in Miami in 2 weeks and perhaps to
> have 
> a Hackathon during the Con to get it running if it isn't fixed
> beforehand.
> 
> There is work going on to get it back online but there have been no 
> substantial rule changes that it would be a silver bullet so there
> is 
> very little concern that it is down at the moment beyond that fact
> that 
> it makes building a release difficult without rewriting the release 
> build process.  Which I've been doing anyway so we aren't dependent
> on 
> that infrastructure anyway.
> 
> Regards,
> 
> KAM
> 
Thanks for the update Kevin, much appreciated. 

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:54:43 up 1 day, 3:37, 1 user, load average: 0.16, 0.19, 0.22
Description:Ubuntu 16.04.2 LTS, kernel 4.4.0-77-generic


signature.asc
Description: This is a digitally signed message part

Re: Any ETA as to when rule updates will begin again?

2017-05-02 Thread Kevin A. McGrail 

On 5/2/2017 8:52 PM, Chris wrote:

Since it's now been a month and a half is there any ETA as to when rule
updates will begin again? I've been showing the same channel version
since 16 March as shown in the attached.


As a volunteer project, there is no ETA.  I can tell you my goal is to 
get it running before ApacheCon in Miami in 2 weeks and perhaps to have 
a Hackathon during the Con to get it running if it isn't fixed beforehand.


There is work going on to get it back online but there have been no 
substantial rule changes that it would be a silver bullet so there is 
very little concern that it is down at the moment beyond that fact that 
it makes building a release difficult without rewriting the release 
build process.  Which I've been doing anyway so we aren't dependent on 
that infrastructure anyway.


Regards,

KAM

Any ETA as to when rule updates will begin again?

2017-05-02 Thread Chris 
Back on the 15th of March this was posted to the list:

"I posted this to the dev and ruleqa mailing lists, then realized that
it is
also relevant to people on this list who run rule updates.

We are in the process of migrating off old machines to a new one for
the
masschecks and rule update processing.

Unfortunately the required shutdown of the old machines has happened
before
everything was complete on the replacement.

The existing data is safe and is being migrated. However submission of
new
masscheck data and generation and download of rule updates are not
running
until the new machine is brought up.

I don't have a specific ETA for the new machine right now, just the
assurance
that the work is in progress.

I'll post more details when I get them.

Regards,

 Sidney Markowitz
 Chair, Apache SpamAssassin Project Management Committee"

Since it's now been a month and a half is there any ETA as to when rule
updates will begin again? I've been showing the same channel version
since 16 March as shown in the attached.


-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:43:42 up 1 day, 2:26, 1 user, load average: 0.29, 0.27, 0.20
Description:Ubuntu 16.04.2 LTS, kernel 4.4.0-77-generic
--- Begin Message ---
May  2 12:02:04.234 [6197] dbg: logger: adding facilities: all
May  2 12:02:04.234 [6197] dbg: logger: logging level is DBG
May  2 12:02:04.234 [6197] dbg: generic: SpamAssassin version 3.4.1
May  2 12:02:04.234 [6197] dbg: generic: Perl 5.022001, PREFIX=/usr, 
DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/spamassassin, 
LOCAL_STATE_DIR=/var/lib/spamassassin
May  2 12:02:04.234 [6197] dbg: config: timing enabled
May  2 12:02:04.235 [6197] dbg: config: score set 0 chosen.
May  2 12:02:04.241 [6197] dbg: generic: sa-update version svn1652181
May  2 12:02:04.241 [6197] dbg: generic: using update directory: 
/var/lib/spamassassin/3.004001
May  2 12:02:05.002 [6197] dbg: diag: perl platform: 5.022001 linux
May  2 12:02:05.002 [6197] dbg: diag: [...] module installed: Digest::SHA1, 
version 2.13
May  2 12:02:05.002 [6197] dbg: diag: [...] module installed: HTML::Parser, 
version 3.72
May  2 12:02:05.002 [6197] dbg: diag: [...] module installed: Net::DNS, version 
0.81
May  2 12:02:05.002 [6197] dbg: diag: [...] module installed: NetAddr::IP, 
version 4.078
May  2 12:02:05.002 [6197] dbg: diag: [...] module installed: Time::HiRes, 
version 1.9726
May  2 12:02:05.002 [6197] dbg: diag: [...] module installed: Archive::Tar, 
version 2.04
May  2 12:02:05.002 [6197] dbg: diag: [...] module installed: IO::Zlib, version 
1.10
May  2 12:02:05.002 [6197] dbg: diag: [...] module installed: Digest::SHA1, 
version 2.13
May  2 12:02:05.002 [6197] dbg: diag: [...] module installed: MIME::Base64, 
version 3.15
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: DB_File, version 
1.835
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: Net::SMTP, 
version 3.05
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: Mail::SPF, 
version v2.009
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: Geo::IP, version 
1.45
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: Net::CIDR::Lite, 
version 0.21
May  2 12:02:05.003 [6197] dbg: diag: [...] module not installed: 
Razor2::Client::Agent ('require' failed)
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: IO::Socket::IP, 
version 0.37
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: 
IO::Socket::INET6, version 2.72
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: IO::Socket::SSL, 
version 2.024
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: Compress::Zlib, 
version 2.068
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: Mail::DKIM, 
version 0.4
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: DBI, version 1.634
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: Getopt::Long, 
version 2.45
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: LWP::UserAgent, 
version 6.15
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: HTTP::Date, 
version 6.02
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: 
Encode::Detect::Detector, version 1.01
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: Net::Patricia, 
version 1.22
May  2 12:02:05.003 [6197] dbg: diag: [...] module installed: 
Net::DNS::Nameserver, version 1276
May  2 12:02:05.004 [6197] dbg: gpg: adding key id 6C6191E3
May  2 12:02:05.004 [6197] dbg: gpg: adding key id E8B493D6
May  2 12:02:05.004 [6197] dbg: gpg: Searching for 'gpg'
May  2 12:02:05.004 [6197] dbg: util: current PATH is: /usr/bin:/bin
May  2 12:02:05.004 [6197] dbg: util: executable for gpg was found at 
/usr/bin/gpg
May  2 12:02:05.004 [6197] dbg: gpg: found /usr/bin/gpg
May  2 12:02:05.028 [6197] dbg: gpg: release trusted key id list: 
0C2B1D7175B852C64B3CDC716C55397824F434CE 6C6191E3 E8B493D6 
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
May  2

Re: Mailspike scores

2017-05-02 Thread John Hardin 

On Tue, 2 May 2017, RW wrote:


On Tue, 2 May 2017 09:20:49 -0700 (PDT)
John Hardin wrote:


On Tue, 2 May 2017, Bowie Bailey wrote:


On 5/2/2017 11:53 AM, John Hardin wrote:

 On Tue, 2 May 2017, Bowie Bailey wrote:


 I was checking to see what the scores for mailspike were on my
server and I noticed that there are two sets of scores.

 Is this expected?


 50_scores is handcoded default scores, 72_scores is generated from
 masscheck


That's what I thought, but what's the point of having handcoded
scores that are overridden by the generated scores?


Reasonable default values are always a good idea.


It looks like 72_scores only holds scores for rules from 72_active.cf
plus scores for MSPIKE rules and SURBL_BLOCKED (what's that doing
there?).

If 72_scores holds generated scores why are so many of then 1.000?


Limits?


You say that 50_scores is "handcoded default scores", but at the top
of the file there's a big block of scores that are claimed to have been
set by perceptron, which I understand fell-off a long time ago. They
certainly look autogenerated.


Check the revision history in SVN.

   http://svn.apache.org/viewvc/spamassassin/trunk/rules/50_scores.cf


On the face of it it looks a lot of the rules I assumed were autoscored
are using scores generated years ago.


Potentially. I have not done a detailed review.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim IV: Close air support covereth a multitude of sins.
---
 6 days until the 72nd anniversary of VE day

Re: Mailspike scores

2017-05-02 Thread RW 
On Tue, 2 May 2017 09:20:49 -0700 (PDT)
John Hardin wrote:

> On Tue, 2 May 2017, Bowie Bailey wrote:
> 
> > On 5/2/2017 11:53 AM, John Hardin wrote:  
> >>  On Tue, 2 May 2017, Bowie Bailey wrote:
> >>   
> >> >  I was checking to see what the scores for mailspike were on my
> >> > server and I noticed that there are two sets of scores.
> >> > 
> >> >  Is this expected?  
> >>
> >>  50_scores is handcoded default scores, 72_scores is generated from
> >>  masscheck  
> >
> > That's what I thought, but what's the point of having handcoded
> > scores that are overridden by the generated scores?  
> 
> Reasonable default values are always a good idea.


It looks like 72_scores only holds scores for rules from 72_active.cf
plus scores for MSPIKE rules and SURBL_BLOCKED (what's that doing
there?).

If 72_scores holds generated scores why are so many of then 1.000?

You say that 50_scores is "handcoded default scores", but at the top
of the file there's a big block of scores that are claimed to have been
set by perceptron, which I understand fell-off a long time ago. They
certainly look autogenerated. 

On the face of it it looks a lot of the rules I assumed were autoscored
are using scores generated years ago.

Re: Outgoing email without DMARC

2017-05-02 Thread Matus UHLAR - fantomas 

On Mon, 1 May 2017 19:30:01 -0700 Marc Perkel wrote:

Might be slightly off topic but I've been running into more delivery
problems with outgoing email because I don't use DMARC.



On 05/02/17 03:54, RW wrote:

How do you know it's because you don't use DMARC.


On 02.05.17 08:09, Marc Perkel wrote:

The rejection message specified dmarc as the reason.


show us the message. 
Doesn't it just recommmend using DMARC as one of ways to fix your problem?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse

Re: ANY_BOUNCE_MESSAGE questions

2017-05-02 Thread Matus UHLAR - fantomas 

On Mon, 2017-05-01 at 17:13 +0200, Matus UHLAR - fantomas wrote:

Is there something on vbounce that does notappl for you?
loading it and settings proper whitelist_bounce_relays should hit all
bounces that did not come as response to mail from your systems...


On 01.05.17 19:11, Martin Gregorie wrote:

Obvious spam was being rejected by apparently legit MTAswhich
weren't using SPF checks before bouncing the spam. Their wrappers
looked legit and the rejected spam had either my usual address or the
address of my POP3 mailbox on my ISP's mailhost forged as the sender.

vbounce certainly didn't stop any of this stuff (mostly Russian girlie
spam)


it's not supposed to stop it, but to detect it. classic score is 0.1 iirc.
note that bounces that contain your relays (see whitelist_bounce_relays) are
not scored.

maybe you just did not set up whitelist_bounce_relays?


or I would not have concocted my mail bounce rule, which I did
around Oct 2014 - Jan 2015: did vbounce even exist then?


and long long before...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller

Re: Mailspike scores

2017-05-02 Thread John Hardin 

On Tue, 2 May 2017, Bowie Bailey wrote:


On 5/2/2017 11:53 AM, John Hardin wrote:

 On Tue, 2 May 2017, Bowie Bailey wrote:

>  I was checking to see what the scores for mailspike were on my server 
>  and I noticed that there are two sets of scores.
> 
>  Is this expected?


 50_scores is handcoded default scores, 72_scores is generated from
 masscheck


That's what I thought, but what's the point of having handcoded scores that 
are overridden by the generated scores?


Reasonable default values are always a good idea.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #4: If your shooting stance is good,
  you're probably not moving fast enough nor using cover correctly.
---
 6 days until the 72nd anniversary of VE day

Re: Mailspike scores

2017-05-02 Thread Bowie Bailey 

On 5/2/2017 11:53 AM, John Hardin wrote:

On Tue, 2 May 2017, Bowie Bailey wrote:

I was checking to see what the scores for mailspike were on my server 
and I noticed that there are two sets of scores.


50_scores.cf:  score RCVD_IN_MSPIKE_ZBI 2.7
50_scores.cf:  score RCVD_IN_MSPIKE_L5  2.5
50_scores.cf:  score RCVD_IN_MSPIKE_L4  1.7
50_scores.cf:  score RCVD_IN_MSPIKE_L3  0.9
50_scores.cf:  score RCVD_IN_MSPIKE_H3  -0.01
50_scores.cf:  score RCVD_IN_MSPIKE_H4  -0.01
50_scores.cf:  score RCVD_IN_MSPIKE_H5  -1.0
50_scores.cf:  score RCVD_IN_MSPIKE_BL  0.01
50_scores.cf:  score RCVD_IN_MSPIKE_WL  -0.01
72_scores.cf:score RCVD_IN_MSPIKE_BL 0.001 0.010 
0.001  0.010
72_scores.cf:score RCVD_IN_MSPIKE_H2 0.001 -2.800 
0.001 -2.800
72_scores.cf:score RCVD_IN_MSPIKE_H3 0.001 -0.010 
0.001 -0.010
72_scores.cf:score RCVD_IN_MSPIKE_H4 0.001 -0.010 
0.001 -0.010
72_scores.cf:score RCVD_IN_MSPIKE_H5 0.001 -1.000 
0.001 -1.000
72_scores.cf:score RCVD_IN_MSPIKE_L2 0.001 0.001 
0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L3 0.001 0.001 
0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L4 0.001 0.001 
0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L5 0.001 0.001 
0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_WL 0.001 -0.010 
0.001 -0.010
72_scores.cf:score RCVD_IN_MSPIKE_ZBI0.001 0.001 
0.001 -1.001


Is this expected?


50_scores is handcoded default scores, 72_scores is generated from 
masscheck


That's what I thought, but what's the point of having handcoded scores 
that are overridden by the generated scores?


--
Bowie

Re: Mailspike scores

2017-05-02 Thread John Hardin 

On Tue, 2 May 2017, Bowie Bailey wrote:

I was checking to see what the scores for mailspike were on my server and I 
noticed that there are two sets of scores.


50_scores.cf:  score RCVD_IN_MSPIKE_ZBI 2.7
50_scores.cf:  score RCVD_IN_MSPIKE_L5  2.5
50_scores.cf:  score RCVD_IN_MSPIKE_L4  1.7
50_scores.cf:  score RCVD_IN_MSPIKE_L3  0.9
50_scores.cf:  score RCVD_IN_MSPIKE_H3  -0.01
50_scores.cf:  score RCVD_IN_MSPIKE_H4  -0.01
50_scores.cf:  score RCVD_IN_MSPIKE_H5  -1.0
50_scores.cf:  score RCVD_IN_MSPIKE_BL  0.01
50_scores.cf:  score RCVD_IN_MSPIKE_WL  -0.01
72_scores.cf:score RCVD_IN_MSPIKE_BL 0.001 0.010 0.001  
0.010
72_scores.cf:score RCVD_IN_MSPIKE_H2 0.001 -2.800 0.001 
-2.800
72_scores.cf:score RCVD_IN_MSPIKE_H3 0.001 -0.010 0.001 
-0.010
72_scores.cf:score RCVD_IN_MSPIKE_H4 0.001 -0.010 0.001 
-0.010
72_scores.cf:score RCVD_IN_MSPIKE_H5 0.001 -1.000 0.001 
-1.000
72_scores.cf:score RCVD_IN_MSPIKE_L2 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L3 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L4 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L5 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_WL 0.001 -0.010 0.001 
-0.010
72_scores.cf:score RCVD_IN_MSPIKE_ZBI0.001 0.001 0.001 
-1.001

Is this expected?


50_scores is handcoded default scores, 72_scores is generated from 
masscheck.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  How do you argue with people to whom math is an opinion? -- Unknown
---
 6 days until the 72nd anniversary of VE day

Re: Outgoing email without DMARC

2017-05-02 Thread A. Schulze 


Am 02.05.2017 um 17:09 schrieb Marc Perkel:
> 
> 
> On 05/02/17 03:54, RW wrote:
>> On Mon, 1 May 2017 19:30:01 -0700
>> Marc Perkel wrote:
>>
>>> Might be slightly off topic but I've been running into more delivery
>>> problems with outgoing email because I don't use DMARC.
>> How do you know it's because you don't use DMARC.
>>
>>
> 
> The rejection message specified dmarc as the reason.
may you provide
 - src ip
 - RFC5321.MailFrom
 - RFC5322.From
 - the rejection message

Andreas

Mailspike scores

2017-05-02 Thread Bowie Bailey 
I was checking to see what the scores for mailspike were on my server 
and I noticed that there are two sets of scores.


50_scores.cf:  score RCVD_IN_MSPIKE_ZBI 2.7
50_scores.cf:  score RCVD_IN_MSPIKE_L5  2.5
50_scores.cf:  score RCVD_IN_MSPIKE_L4  1.7
50_scores.cf:  score RCVD_IN_MSPIKE_L3  0.9
50_scores.cf:  score RCVD_IN_MSPIKE_H3  -0.01
50_scores.cf:  score RCVD_IN_MSPIKE_H4  -0.01
50_scores.cf:  score RCVD_IN_MSPIKE_H5  -1.0
50_scores.cf:  score RCVD_IN_MSPIKE_BL  0.01
50_scores.cf:  score RCVD_IN_MSPIKE_WL  -0.01
72_scores.cf:score RCVD_IN_MSPIKE_BL 0.001 0.010 
0.001 0.010
72_scores.cf:score RCVD_IN_MSPIKE_H2 0.001 -2.800 
0.001 -2.800
72_scores.cf:score RCVD_IN_MSPIKE_H3 0.001 -0.010 
0.001 -0.010
72_scores.cf:score RCVD_IN_MSPIKE_H4 0.001 -0.010 
0.001 -0.010
72_scores.cf:score RCVD_IN_MSPIKE_H5 0.001 -1.000 
0.001 -1.000
72_scores.cf:score RCVD_IN_MSPIKE_L2 0.001 0.001 
0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L3 0.001 0.001 
0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L4 0.001 0.001 
0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L5 0.001 0.001 
0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_WL 0.001 -0.010 
0.001 -0.010
72_scores.cf:score RCVD_IN_MSPIKE_ZBI0.001 0.001 
0.001 0.001


Is this expected?

--
Bowie

Re: ANY_BOUNCE_MESSAGE questions

2017-05-02 Thread Bill Cole 

On 30 Apr 2017, at 10:17, David Jones wrote:


99_mailspike.cf
---
shortcircuit RCVD_IN_MSPIKE_H5 on

score RCVD_IN_MSPIKE_H4 -3.2
score RCVD_IN_MSPIKE_H3 -2.2
score RCVD_IN_MSPIKE_H2 -1.2
score RCVD_IN_MSPIKE_WL -0.82
score RCVD_IN_MSPIKE_BL 1.2
score RCVD_IN_MSPIKE_L2 0.2
score RCVD_IN_MSPIKE_L3 1.2
score RCVD_IN_MSPIKE_L4 2.2
score RCVD_IN_MSPIKE_L5 3.2


Scoring RCVD_IN_MSPIKE_WL and RCVD_IN_MSPIKE_BL so strongly seems odd, 
as those will always hit if any of the RCVD_IN_MSPIKE_H* and 
RCVD_IN_MSPIKE_L* respectively. Also, in my experience those scores 
vastly overvalue the "good" classes. I have received every major class 
of spam from H4 and H3 sources, including trojans, advance fee fraud, 
bank phishing, ISP phishing, penis pill ads, replica watch ads, and 
whois-scraped solicitation for various sorts of domain promotion 
(violating the whois data usage rules of the relevant domain 
registries.) There has also been a few bits of "mainsleaze" spam 
(nominally legitimate companies adhering to relevant laws) but those 
tend to come more from H5 sources. Perversely, H2 is a better correlated 
to non-spamminess than either H3 or H4 in my recent (2015-now) logs and 
this is consistent with the scores determined by the RuleQA process: H2 
is stronger than H5 and all the other rules are scores +/- 0.01

Re: Outgoing email without DMARC

2017-05-02 Thread Marc Perkel 



On 05/02/17 07:14, Rob McEwen wrote:

On 5/1/2017 10:30 PM, Marc Perkel wrote:

Might be slightly off topic but I've been running into more delivery
problems with outgoing email because I don't use DMARC. I don't know a
lot about it but is there some simple way I can get around this? Kind of
a pain in the rear.


Marc,

This probably has more to do with DKIM than DMARC?

Either way... you're not willing to jump (or haven't yet jumped) 
though the hoops that the largest ISPs/hosters want us all to jump 
through... meanwhile... so many of them (and for many many years) have 
sent such high volumes AND high percentages of outbound spam to all of 
our SMTPs - to such an extent that you and I would be out of business 
if our SMTP outbound traffic did that for just one week.


I sort of wish they (or many of them... "if the shoe fits...") would 
clean up their own act FIRST - get the basics done FIRST - before 
imposing new standards on the rest of us.


I'm in the same boat - I'm now having to set aside dozens of hours to 
get all various domains updated to DKIM so that they'll have more 
success sending to a certain large/famous hoster - who has sent my 
server a shitload of spam over the past several years (not just 
volume-wise - but percentage-wise... I'd be run out of town if I did 
that)




Yeah - I know what you mean. Many of these ISPs would be blacklisted if 
they weren't so big. I get an amazing amount of spam from the big guys. 
I was just wondering what I could do to get by.


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400

Re: Outgoing email without DMARC

2017-05-02 Thread Marc Perkel 



On 05/02/17 03:54, RW wrote:

On Mon, 1 May 2017 19:30:01 -0700
Marc Perkel wrote:


Might be slightly off topic but I've been running into more delivery
problems with outgoing email because I don't use DMARC.

How do you know it's because you don't use DMARC.




The rejection message specified dmarc as the reason.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400

Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread Ralf Hildebrandt 
> Perhaps there's something in amavisd-new that can't cope with the
> dkim headers and has done something that breaks SA's header parsing.
> This wouldn't necessarily show-up in the delivered email. 

Indeed. amavisd+SA says:
X-Spam-Status: Yes, score=5.763 tagged_above=2 required=4
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
EMPTY_MESSAGE=2.32, MISSING_DATE=1.36, MISSING_FROM=1,
MISSING_HEADERS=1.021, MISSING_MID=0.497, MISSING_SUBJECT=1.799,
RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, TXREP=-0.842,
CRM114.UNSURE(-2.55)=0.510] autolearn=no autolearn_force=no

while piping the mail through spamassassin -D says:

X-Spam-Status: No, score=-1.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,
FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,
RP_MATCHES_RCVD,SPF_PASS,T_DKIM_INVALID shortcircuit=no autolearn=no
autolearn_force=no version=3.4.1

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread RW 
On Tue, 2 May 2017 14:04:48 +0100
RW wrote:


> > 64 KB - have you seen typical headers from microsoft these days as
> > well as others?  
> 
> They are much smaller than that. It remains to be seen whether this
> limit is causing the OPs problem. 

And I don't think it is. The 64k limit doesn't seem to affect "exists:"
rules.

Perhaps there's something in amavisd-new that can't cope with the
dkim headers and has done something that breaks SA's header parsing.
This wouldn't necessarily show-up in the delivered email. 

Try running one through spamassassin -D.

Re: Outgoing email without DMARC

2017-05-02 Thread Rob McEwen 

On 5/1/2017 10:30 PM, Marc Perkel wrote:

Might be slightly off topic but I've been running into more delivery
problems with outgoing email because I don't use DMARC. I don't know a
lot about it but is there some simple way I can get around this? Kind of
a pain in the rear.


Marc,

This probably has more to do with DKIM than DMARC?

Either way... you're not willing to jump (or haven't yet jumped) though 
the hoops that the largest ISPs/hosters want us all to jump through... 
meanwhile... so many of them (and for many many years) have sent such 
high volumes AND high percentages of outbound spam to all of our SMTPs - 
to such an extent that you and I would be out of business if our SMTP 
outbound traffic did that for just one week.


I sort of wish they (or many of them... "if the shoe fits...") would 
clean up their own act FIRST - get the basics done FIRST - before 
imposing new standards on the rest of us.


I'm in the same boat - I'm now having to set aside dozens of hours to 
get all various domains updated to DKIM so that they'll have more 
success sending to a certain large/famous hoster - who has sent my 
server a shitload of spam over the past several years (not just 
volume-wise - but percentage-wise... I'd be run out of town if I did that)


--
Rob McEwen

Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread RW 
On Tue, 2 May 2017 14:14:19 +0200
Reindl Harald wrote:

 against DoS type situations."  
> > 
> > 
> > That's the limit for a specific header. The relevant limit here is
> > the limit for total headers of 64k.  
> 
> that's both too low and makes it easiy to bypass SA

It wouldn't make it bypass SA.

> 64 KB - have you seen typical headers from microsoft these days as
> well as others?

They are much smaller than that. It remains to be seen whether this
limit is causing the OPs problem. 


> 8 KB - well, if someone encodes his whole payload base64 encoded in
> the subject you are there

It's pretty unlikely that anyone is going to read a subject beyond the
first 8K of decoded text.

Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread RW 
On Tue, 2 May 2017 12:42:52 +0200
Ralf Hildebrandt wrote:

> * Ralf Hildebrandt :
> 
> > But the real question is: Why is SA not seeing all the headers?  
> 
> Looking at the archives, I find this:
> https://lists.gt.net/spamassassin/users/172198
> 
> "Specifically, I have been adding characters and addresses to the
> list of email addresses in the To: header to see at what point my
> rule stops being hit. As far as I can tell, it is a byte limit, not a
> number of email addresses limit. 
> 
> The byte limit (at least in my configuration) seems to be
> approximately 8KB"
> 
> And:
> 
> "Pretty sure it's hardcoded at 8k. This was done several years ago to
> protect against DoS type situations."


That's the limit for a specific header. The relevant limit here is the
limit for total headers of 64k.

Re: short-circuit ALL_TRUSTED

2017-05-02 Thread RW 
On Mon, 01 May 2017 12:26:55 -0400
micah anderson wrote: 

> internal_networks 10.0.
> 
> but things are not shortcircuiting, you can see it is finding the
> relay as trusted and internal in this line:
> 
> Apr 24 15:32:38.862 [29876] dbg: received-header: relay 10.0.1.163
> trusted? yes internal? yes msa? no
> 
> but I'm not clear how it decides if it should short circuit or not.
> Can anyone clarify?

> X-Spam-Status: No, ... UNPARSEABLE_RELAY

It's because the other received header is not parseable,
UNPARSEABLE_RELAY prevents ALL_TRUSTED from being hit.

Probably because it's missing "by "

>Received: from [127.0.0.1] (localhost [127.0.0.1])
>    (Authenticated sender: foodefai)
>    with ESMTPSA id 7492F1C05F2

Re: Outgoing email without DMARC

2017-05-02 Thread RW 
On Mon, 1 May 2017 19:30:01 -0700
Marc Perkel wrote:

> Might be slightly off topic but I've been running into more delivery 
> problems with outgoing email because I don't use DMARC.

How do you know it's because you don't use DMARC.

Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread Ralf Hildebrandt 
* Ralf Hildebrandt :

> But the real question is: Why is SA not seeing all the headers?

Looking at the archives, I find this:
https://lists.gt.net/spamassassin/users/172198

"Specifically, I have been adding characters and addresses to the list of
email addresses in the To: header to see at what point my rule stops
being hit. As far as I can tell, it is a byte limit, not a number of
email addresses limit. 

The byte limit (at least in my configuration) seems to be approximately
8KB"

And:

"Pretty sure it's hardcoded at 8k. This was done several years ago to
protect against DoS type situations."

If that's the case, is that limit still up-to-date?

The default in Postfix (bytes):

# postconf -d header_size_limit
header_size_limit = 102400

But curently we're using a conservativ 32KB instead.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

SpamAssassin not parsing/sseing all headers?

2017-05-02 Thread Ralf Hildebrandt 
Hi!

I'm using SpamAssassin in an amavisd-new/Milter setup.
Recently, I found some mails from a mailinglist, which contained a
whopping 48 identical (!) DKIM Headers - in some cases the amount of
headers would exceed 32KB!

SpamAssassin was tagging these mails as spam, since it couldn't see
Date:/Subject: and other headers.

My interim "solution" is to delete the DKIM headers.

But the real questing is: Why is SA not seeing all the headers?

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: Outgoing email without DMARC

2017-05-02 Thread Rupert Gallagher 
> junkemailfilter.com. 35997 IN TXT  "v=spf1 a mx ptr ip4:184.105.182.0/24 
> ip4:69.50.231.128/26 ip4:108.38.233.28 ip4:198.23.154.75 ip4:172.245.58.202 
> ?all"

Change ?all into -all.

Add this:

_dmarc.junkemailfilter.com. IN TXT "v=DMARC1; p=reject; sp=reject; aspf=s; 
rua=mailto:postmas...@junkemailfilter.com; 
ruf=mailto:postmas...@junkemailfilter.com; rf=afrf; pct=100; ri=86400"

If you add dkim signatures to outgoing email, you may want to improve the above 
dmarc RR accordingly.

Sent from ProtonMail Mobile

On Tue, May 2, 2017 at 4:30 AM, Marc Perkel 
<[support@](mailto:supp...@junkemailfilter.com)[junkemailfilter.com](mailto:supp...@junkemailfilter.com)>
 wrote:  Might be slightly off topic but I've been running into more delivery
problems with outgoing email because I don't use DMARC. I don't know a
lot about it but is there some simple way I can get around this? Kind of
a pain in the rear.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400