Re: Sender needs help with false positive

2017-08-07 Thread Rupert Gallagher
Avoid marketing mass-mailers when sending administrative messages.
Sent from ProtonMail Mobile

On Tue, Aug 8, 2017 at 12:56 AM, Jacek Osuchowski  wrote:

> We use emails to allow users to reset their passwords to our website. We send 
> very brief emails containing the reset password. Example between :
>
>>
>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify Account 
> / Change Your Password.
>
>>
>
> The emails are marked as spam. Sample report from IsnotSpam.com:
>
> SpamAssassin check details:
>
>  -- ---
>
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 0.9995]
> * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
> * [50.31.63.50 listed in wl.mailspike.net]
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> * [score: 0.9995]
> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.1 HTML_MESSAGE BODY: HTML included in message
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> * domain
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
>
> X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
> RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
> version=3.4.0
> X-Spam-Score: 5.7
>
> I understand you are trying to provide great software to fight email spam but
> you are making my life miserable. I am having more problems with our emails
> marked as spam than from the spam itself. Any help on how to avoid being marked
> as spam would help. Is there a way to be whitelisted by SpamAssassin globally?
> Most emails are blocked by internet providers like Cablevision or Comcast and
> getting them to help is IMPOSSIBLE. They just install the software and let it
> run as it is.
>
> Thank You

Re: Sender needs help with false positive

2017-08-07 Thread John Hardin

On Tue, 8 Aug 2017, Benny Pedersen wrote:

> Jacek Osuchowski wrote on 2017-08-08 00:56:
>
> > I understand you are trying to provide great software to fight email spam
>
> stop using bad amavisd.conf, ask for help on amavisd maillist since your
> issue is not spamassassin
>
> if you like to get a better life use spampd instead of amavisd, amavisd is so
> simple to configure to bad results, where spampd is following spamassassin
> rule on tag only and do nothing more

...none of which helps him get his messages through **other people's**
MTAs...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...we talk about creating "millions of shovel-ready jobs" for a
  society that doesn't really encourage people to pick up a shovel.
 -- Mike Rowe, testifying before Congress
---
 8 days until the 72nd anniversary of the end of World War II


Re: Sender needs help with false positive

2017-08-07 Thread Karsten Bräckelmann
On Mon, 2017-08-07 at 19:15 -0400, Alex wrote:
> > version=3.4.0
> 
> Version 3.4.0 is like ten years old. I also don't recall BAYES_999
> being available in that version, so one thing or the other is not
> correct.

Minor nitpick: 3.4.0 was released in Feb 2014, slightly less than 10
years ago. ;)  But that's code only anyway; with sa-update, the rules'
version and age are kept up to date independently.

Similarly the BAYES_999 test indeed is not part of the original 3.4.0
release. It has been published via sa-update though, and even older
3.3.x installations with sa-update have that rule today.

The check_bayes() eval rule always supported the 99.9% variant, it's
just a float number less than 1.0...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



RE: Sender needs help with false positive

2017-08-07 Thread Jacek Osuchowski
David,

Thanks a lot. I will try to modify the email text to have more 'meat on the
bone'. I am just surprised email with no links, no ads, no attempts to sell
anything can be interpreted as spam.
That img in the email is a tag from SendGrid email services used to trace
the emails. I don't know if I can get rid of it.

Dianne,

I have the same concerns with links in the email. We do train our people how
to spot 'funny' emails and to avoid clicking links in the emails unless they
are absolutely sure of what they are doing and they still do stupid things.


Thank you all.


-Original Message-
From: David B Funk [mailto:dbf...@engineering.uiowa.edu] 
Sent: Monday, August 07, 2017 7:54 PM
To: users@spamassassin.apache.org
Subject: Re: Sender needs help with false positive

On Mon, 7 Aug 2017, David Jones wrote:

[snip..]
> This IP is listed on SORBS and Spamhaus ZEN which are going to cause
> problems with delivery to many receiving mail filters, not just
> SpamAssassin.
>
> http://multirbl.valli.org/lookup/68.192.71.191.html
>

That's his PC which is the MSA. As it's the first hop, it's not surprising
it hits Zen PBL (it should, given a host name like
ool-44c047bf.dyn.optonline.net).

That shouldn't score against him except in broken SA installations.

His problem is the small amount of text that looks like a phish spam and the
embedded image.



-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{



RE: Sender needs help with false positive

2017-08-07 Thread David B Funk

On Mon, 7 Aug 2017, Jacek Osuchowski wrote:

> This is an email I sent to IsNotSpam.com. They list the whole thing when
> testing for spam. I am getting a lot of complaints from our customers that our
> emails are not received. Our domain is not blacklisted anywhere so I suspect it
> is the spam filtering (as IsNotSpam tool indicates). Is there anything in the
> email we send that could trigger flagging as spam? THANK YOU
>
> https://pastebin.com/J1cdCHAe



Try this experiment.
Take that same message, add two paragraphs of text describing your 
business/organization to the end and DELETE that embedded image.


Re-test and I'll bet that you get a passing score.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Sender needs help with false positive

2017-08-07 Thread David B Funk

On Mon, 7 Aug 2017, David Jones wrote:

[snip..]
> This IP is listed on SORBS and Spamhaus ZEN which are going to cause problems
> with delivery to many receiving mail filters, not just SpamAssassin.
>
> http://multirbl.valli.org/lookup/68.192.71.191.html



That's his PC which is the MSA. As it's the first hop, it's not surprising it 
hits Zen PBL (it should, given a host name like ool-44c047bf.dyn.optonline.net).


That shouldn't score against him except in broken SA installations.

His problem is the small amount of text that looks like a phish spam and the 
embedded image.




--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Sender needs help with false positive

2017-08-07 Thread Dianne Skoll
On Mon, 7 Aug 2017 19:28:04 -0400
"Jacek Osuchowski"  wrote:

> This is an email I sent to IsNotSpam.com. They list the whole thing
> when testing for spam. I am getting a lot of complaints from our
> customers that our emails are not received. Our domain is not
> blacklisted anywhere so I suspect it is the spam filtering (as
> IsNotSpam tool indicates). Is there anything in the email we send
> that could trigger flagging as spam? THANK YOU

Don't send HTML.  Just send a plain-text message.

That'll knock 2.2 points off the score and bring it to 3.6.

Simple fix, no?

Regards,

Dianne.
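
An added example, not part of the thread: a parser for the SpamAssassin report lines quoted in this thread. It folds continuation lines into their rule, totals the listed scores, and recomputes the total without the HTML rules, which is the plain-text change suggested above. The prefix-to-category mapping and the names `parse_report`, `subtotal` and `parse_status` are assumptions of this example. The listed per-rule values are one-decimal figures that sum to 5.8, while the header reports 5.7.

```python
import re
from dataclasses import dataclass
from decimal import Decimal

# Report lines as quoted in this thread (mail quoting and blank lines removed).
REPORT = """\
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 0.9995]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
* [50.31.63.50 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 0.9995]
* 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
* 0.1 HTML_MESSAGE BODY: HTML included in message
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
"""

# "* <score> <RULE_NAME> <description>"; anything else after "*" is a continuation.
RULE_RE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")
STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*(?:hits|score)=(-?[\d.]+)\s+required=(-?[\d.]+)")

# Assumption of this example: group rules by name prefix.
PREFIX_CATEGORY = (("BAYES_", "content"), ("HTML_", "content"),
                   ("SPF_", "sender"), ("DKIM_", "sender"), ("RCVD_IN_", "sender"))


@dataclass
class Rule:
    score: Decimal
    name: str
    description: str


def parse_report(text):
    """Return the rules in a report, tolerating '>' mail quoting and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if not line.startswith("*"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(Decimal(m.group(1)), m.group(2), m.group(3)))
        elif rules:
            # Wrapped description or detail such as "[score: 0.9995]".
            rules[-1].description += " " + line[1:].strip()
    return rules


def category(name):
    for prefix, cat in PREFIX_CATEGORY:
        if name.startswith(prefix):
            return cat
    return "other"


def subtotal(rules, keep=lambda rule: True):
    """Sum the listed scores of the rules selected by keep()."""
    return sum((r.score for r in rules if keep(r)), Decimal("0"))


def parse_status(text):
    """Return (verdict, hits, required) from an X-Spam-Status header, or None."""
    m = STATUS_RE.search(text)
    return (m.group(1), Decimal(m.group(2)), Decimal(m.group(3))) if m else None


if __name__ == "__main__":
    rules = parse_report(REPORT)
    for r in sorted(rules, key=lambda r: r.score, reverse=True):
        print(f"{r.score:>5} {category(r.name):8} {r.name}")
    print("listed total        :", subtotal(rules))
    print("content rules       :", subtotal(rules, lambda r: category(r.name) == "content"))
    print("sender rules        :", subtotal(rules, lambda r: category(r.name) == "sender"))
    print("without HTML_* rules:", subtotal(rules, lambda r: not r.name.startswith("HTML_")))
    verdict, hits, required = parse_status(REPORT)
    # The test site scored against required=-20.0, so its "Yes" says nothing
    # about a receiver using SpamAssassin's stock required_score of 5.0.
    print(f"header: {verdict}, hits={hits}, required={required}")
```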


Re: Sender needs help with false positive

2017-08-07 Thread Benny Pedersen

Jacek Osuchowski wrote on 2017-08-08 00:56:

> I understand you are trying to provide great software to fight email spam

stop using bad amavisd.conf, ask for help on amavisd maillist since your
issue is not spamassassin

if you like to get a better life use spampd instead of amavisd, amavisd
is so simple to configure to bad results, where spampd is following
spamassassin rule on tag only and do nothing more


Re: Sender needs help with false positive

2017-08-07 Thread David Jones

On 08/07/2017 06:28 PM, Jacek Osuchowski wrote:

> This is an email I sent to IsNotSpam.com. They list the whole thing when
> testing for spam. I am getting a lot of complaints from our customers that our
> emails are not received. Our domain is not blacklisted anywhere so I suspect it
> is the spam filtering (as IsNotSpam tool indicates). Is there anything in the
> email we send that could trigger flagging as spam? THANK YOU
>
> https://pastebin.com/J1cdCHAe
>
> -Original Message-
> From: Alex [mailto:mysqlstud...@gmail.com]
> Sent: Monday, August 07, 2017 7:16 PM
> To: ja...@osuchowski.net; SA Mailing list
> Subject: Re: Sender needs help with false positive
>
> Hi,
>
> On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski  wrote:
> > We use emails to allow users to reset their passwords to our website.
> > We send very brief emails containing the reset password. Example between :
> >
> > Your password to access your account is:
> >
> > S]U3bC7k
> >
> > Upon successful login you may change your password by going to Modify
> > Account / Change Your Password.
> >
> > * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> > * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>
> You can't control their bayes training so there's nothing you can do here.
>
> > * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
> > words
>
> Are you sending these emails as an image or text?
>
> Do you have a text component to your message as well?
>
> Are you able to post an entire message that includes the headers to
> pastebin.com, as it appears when it leaves your network then forward the
> resulting link to the list?
>
> > version=3.4.0
>
> Version 3.4.0 is like ten years old. I also don't recall BAYES_999 being
> available in that version, so one thing or the other is not correct.



This IP is listed on SORBS and Spamhaus ZEN which are going to cause 
problems with delivery to many receiving mail filters, not just 
SpamAssassin.


http://multirbl.valli.org/lookup/68.192.71.191.html

--
David Jones


Password reset strategies (was Re: Sender needs help with false positive)

2017-08-07 Thread Dianne Skoll
[Just replying to one aspect of the original message.]

On Mon, 7 Aug 2017 18:26:00 -0500
David Jones  wrote:

> First, it's a bad idea for a number of reasons to send passwords via 
> email.  Most modern "lost password" mail loops use a unique URL that 
> expires after a short period of time.

As long as both methods expire, both methods require answering a
prearranged question (or some out-of-band method of authentication),
and both methods require immediate changing of the password, a link is
no more secure than sending the temporary password.  In fact, a link may
eventually lead to *less* security as it's easier to phish people if
legitimate messages include a link rather than not including a link.
Encouraging people not to click links in messages like legitimate
password recovery emails is a Good Thing, IMO, as it'll make them less
likely to click links in fake ones.

I realize I'm tilting at windmills.

Regards,

Dianne.


Re: Sender needs help with false positive

2017-08-07 Thread David B Funk

On Mon, 7 Aug 2017, Alex wrote:

> Hi,
>
> On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski  wrote:
> > We use emails to allow users to reset their passwords to our website. We
> > send very brief emails containing the reset password. Example between :
> >
> > Your password to access your account is:
> >
> > S]U3bC7k
> >
> > Upon successful login you may change your password by going to Modify
> > Account / Change Your Password.
> >
> > * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> > * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>
> You can't control their bayes training so there's nothing you can do here.

You -can- control the content of your message. I'm guessing that short
password reset message doesn't have very many tokens, and the ones that it does
have may be too close a match to things like password phish spams (something
that we train heavily on).

Put more text in there that is related to your business/organization which will
be unique and thus unlike other spammy messages.

> > * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
>
> Are you sending these emails as an image or text?
>
> Do you have a text component to your message as well?

More to the point do you have an image attached/embedded in your message?
If so, either drop it altogether or add a few Kbytes of text to balance it out.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Sender needs help with false positive

2017-08-07 Thread David Jones

On 08/07/2017 05:56 PM, Jacek Osuchowski wrote:

> We use emails to allow users to reset their passwords to our website. We
> send very brief emails containing the reset password. Example between :
>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify
> Account / Change Your Password.
>
> The emails are marked as spam. Sample report from IsnotSpam.com:
>
> SpamAssassin check details:
>
>  -- ---
>
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 0.9995]
> * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
> * [50.31.63.50 listed in wl.mailspike.net]
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> * [score: 0.9995]
> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.1 HTML_MESSAGE BODY: HTML included in message
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> * domain
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
>
> X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
> RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
> version=3.4.0
> X-Spam-Score: 5.7
>
> I understand you are trying to provide great software to fight email spam
> but you are making my life miserable. I am having more problems with our
> emails marked as spam than from the spam itself. Any help on how to avoid
> being marked as spam would help. Is there a way to be whitelisted by
> SpamAssassin globally? Most emails are blocked by internet providers like
> Cablevision or Comcast and getting them to help is IMPOSSIBLE. They just
> install the software and let it run as it is.
>
> Thank You



Perhaps you should take a little time to figure out what should be 
changed in that message body to make those emails not score so high.


First, it's a bad idea for a number of reasons to send passwords via 
email.  Most modern "lost password" mail loops use a unique URL that 
expires after a short period of time.


Secondly, that text in the body is very commonly used by bad actors 
trying to phish passwords.  Why not change the text a bit and run it 
through the isnotspam.com site until it doesn't hit such a high Bayesian 
rule.  This won't guarantee the Bayesian score of other SpamAssassin 
platforms but should give a good hint as to what wording is not good to use.


Third, if you could send us complete headers, then we may be able to 
provide more help.  The SPF and DKIM look good and you seem to be doing 
all of the reputation stuff properly.  It comes down to content checks 
(BAYES) then.


--
David Jones


RE: Sender needs help with false positive

2017-08-07 Thread Jacek Osuchowski
This is an email I sent to IsNotSpam.com. They list the whole thing when
testing for spam. I am getting a lot of complaints from our customers that our
emails are not received. Our domain is not blacklisted anywhere so I suspect it
is the spam filtering (as IsNotSpam tool indicates). Is there anything in the
email we send that could trigger flagging as spam? THANK YOU

https://pastebin.com/J1cdCHAe


-Original Message-
From: Alex [mailto:mysqlstud...@gmail.com] 
Sent: Monday, August 07, 2017 7:16 PM
To: ja...@osuchowski.net; SA Mailing list
Subject: Re: Sender needs help with false positive

Hi,

On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski  wrote:
> We use emails to allow users to reset their passwords to our website. 
> We send very brief emails containing the reset password. Example between :
>
>>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify 
> Account / Change Your Password.
>>
>

> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%

You can't control their bayes training so there's nothing you can do here.

> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of 
> words

Are you sending these emails as an image or text?

Do you have a text component to your message as well?

Are you able to post an entire message that includes the headers to 
pastebin.com, as it appears when it leaves your network then forward the 
resulting link to the list?

> version=3.4.0

Version 3.4.0 is like ten years old. I also don't recall BAYES_999 being 
available in that version, so one thing or the other is not correct.



Re: Sender needs help with false positive

2017-08-07 Thread Alex
Hi,

On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski  wrote:
> We use emails to allow users to reset their passwords to our website. We
> send very brief emails containing the reset password. Example between :
>
>>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify
> Account / Change Your Password.
>>
>

> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%

You can't control their bayes training so there's nothing you can do here.

> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

Are you sending these emails as an image or text?

Do you have a text component to your message as well?

Are you able to post an entire message that includes the headers to
pastebin.com, as it appears when it leaves your network then forward
the resulting link to the list?

> version=3.4.0

Version 3.4.0 is like ten years old. I also don't recall BAYES_999
being available in that version, so one thing or the other is not
correct.


Sender needs help with false positive

2017-08-07 Thread Jacek Osuchowski
We use emails to allow users to reset their passwords to our website. We
send very brief emails containing the reset password. Example between :

>

Your password to access your account is:

S]U3bC7k

Upon successful login you may change your password by going to Modify
Account / Change Your Password.

>

The emails are marked as spam. Sample report from IsnotSpam.com:

SpamAssassin check details:

 -- ---

* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 0.9995]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
* [50.31.63.50 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 0.9995]
* 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
* 0.1 HTML_MESSAGE BODY: HTML included in message
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders

X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
version=3.4.0
X-Spam-Score: 5.7

I understand you are trying to provide great software to fight email spam but
you are making my life miserable. I am having more problems with our emails
marked as spam than from the spam itself. Any help on how to avoid being marked
as spam would help. Is there a way to be whitelisted by SpamAssassin
globally? Most emails are blocked by internet providers like Cablevision or
Comcast and getting them to help is IMPOSSIBLE. They just install the
software and let it run as it is.

Thank You

 



Re: Random word spams and wiki spams

2017-08-07 Thread David Jones

On 08/07/2017 02:53 PM, Scott wrote:

> David:
>
> re: Postscreen weighted RBLs
>
> I've got my postscreen setup with some weighted RBL's.  But I was curious
> what others did here.  I searched for that subject and didn't get any
> specific hits.  Any particular thread you know of?



See the bottom of this page.

https://lists.gt.net/spamassassin/users/199423?search_string=senderscore;#199423

Postwhite perfectly complements a well-tuned RBL list and is a must to 
prevent false positives:


https://github.com/stevejenkins/postwhite

I add trusted senders and freemail domains to the "custom_hosts=" entry 
to allow them past Postscreen and into SA for primarily content-based 
filtering.


custom_hosts="comcast.net rr.com bluehost.com mxlogic.net 
messagelabs.com messagegears.net authsmtp.com eventbrite.com 
trendmicro.com spf.mandrillapp.com amazonses.com radware.com 
embarqmail.com mailer.surveygizmo.com app.sgizmo.com 
spf.ess.barracudanetworks.com"


Postwhite now handles Yahoo IPs to work around their odd SPF record.

--
David Jones


Re: Results of Individual Tests on spamd "CHECK"

2017-08-07 Thread Karsten Bräckelmann
On Mon, 2017-08-07 at 14:17 -0500, Jerry Malcolm wrote:
> I tried SYMBOLS.  You are correct that it lists the tests, but not the 
> results:
> 
> BAYES_95,HTML_IMAGE_ONLY_32,HTML_MESSAGE,JAM_DO_STH_HERE,LOTS_OF_MONEY,MIME_HTML_ONLY,
>  [...]
> 
> But I saw this line in a forum discussion... So I'm sure there is some 
> way to generate it.
> 
>  >>> tests=[AWL=-1.103, BAYES_00=-2.599, 
> HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25]
> 
> Any ideas?

That particular one appears to be part of the Amavisd-new generated
headers. You can get the same rules with individual scores in stock SA
using the _TESTSSCORES(,)_ Template Tag with the add_header config
option. See M::SA::Conf docs [1].

For ad-hoc testing without adding this to your general SA / spamd
configuration, feed the sample message to the plain spamassassin script
with additional --cf configuration:

  spamassassin --cf="add_header all TestsScores tests=_TESTSSCORES(,)_" < message

Also see 10_default_prefs.cf for more informational detail in the stock
Status header.


> On 8/7/2017 1:13 PM, Daniel J. Luke wrote:
> > On Aug 7, 2017, at 2:00 PM, Jerry Malcolm  wrote:
> > > I'm invoking spamd using:
> > >
> > > CHECK SPAMC/1.2\r\n
> > > 

Not your best option for ad-hoc tests... ;)

> > > Can someone tell me what I need to add to the spamd call (and the
> > > syntax) in order to get the results of the individual tests
> > > returned as part of the status?

You will need SA configuration. The spamd protocol itself does not allow
such fine grained configuration.


[1] http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Random word spams and wiki spams

2017-08-07 Thread Scott
David:

re: Postscreen weighted RBLs

I've got my postscreen setup with some weighted RBL's.  But I was curious
what others did here.  I searched for that subject and didn't get any
specific hits.  Any particular thread you know of?





--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Random-word-spams-and-wiki-spams-tp134792p137999.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Results of Individual Tests on spamd "CHECK"

2017-08-07 Thread Jerry Malcolm

David,

Thanks, I'll try REPORT.

I am indeed using the full spamd invocation as you described.  I just
abbreviated it in my orig post.  It has been working for a couple of
years.  I'm just seeing a few spams that I can't seem to get rid of.
I've tried training BAYES with them.  But I'm still getting negative
scores on them.  So I simply wanted to be able to do a bit of research
dissecting the score to see why the score is what it is.


Thanks again.

Jerry


On 8/7/2017 1:33 PM, David B Funk wrote:
> On Mon, 7 Aug 2017, Jerry Malcolm wrote:
>
> > I'm invoking spamd using:
> >
> > CHECK SPAMC/1.2\r\n
> >
> > I'm getting the expected response such as:
> >
> > Spam: False ; -1.8 / 4.0
> >
> > I am trying to figure out how to get the TESTS= results of the
> > individual tests returned as well.
> >
> > (e.g.tests=[AWL=-1.103, BAYES_00=-2.599,
> > HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25])
> > I see there's an option in spamc that appears to do that.  But I
> > can't figure out how to make
> > that happen when I do a direct socket invoke of spamd.
> >
> > Can someone tell me what I need to add to the spamd call (and the
> > syntax) in order to get the
> > results of the individual tests returned as part of the status?
> >
> > Thanks,
> >
> > Jerry
>
> Jerry,
> the spamd 'CHECK' command just returns the status+score, nothing else.
>
> the spamd 'REPORT' command returns the status+score and report.
> So replace 'CHECK' with 'REPORT' in your spamd call. Then be ready to
> read an arbitrary number of additional lines in the return connection.
>
> Note that it will not return any part of the original message.
> If you want to use any of the SA report features that add additional
> headers (such as the relays header) you will need to use a different
> spamd command: 'HEADERS'.
>
> BTW, I cannot tell from your posting if you have one detail correct;
> you need the command, (and any additional optional arguments) then a
> blank line, then the message.
>
> EG:
>
> REPORT SPAMC/1.2\r\n
> User: joe-blow\r\n
> \r\n









Re: Results of Individual Tests on spamd "CHECK"

2017-08-07 Thread Jerry Malcolm
I tried SYMBOLS.  You are correct that it lists the tests, but not the 
results:


BAYES_95,HTML_IMAGE_ONLY_32,HTML_MESSAGE,JAM_DO_STH_HERE,LOTS_OF_MONEY,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,SUBJ_DOLLARS,T_HTML_TAG_BALANCE_CENTER,URIBL_BLOCKED,URIBL_DBL_SPAM,URIBL_SBL_A

But I saw this line in a forum discussion... So I'm sure there is some 
way to generate it.


>>> tests=[AWL=-1.103, BAYES_00=-2.599, 
HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25]


Any ideas?

Thx



On 8/7/2017 1:13 PM, Daniel J. Luke wrote:
> On Aug 7, 2017, at 2:00 PM, Jerry Malcolm  wrote:
> > I'm invoking spamd using:
> >
> > CHECK SPAMC/1.2\r\n
> >
> > I'm getting the expected response such as:
> >
> > Spam: False ; -1.8 / 4.0
> >
> > I am trying to figure out how to get the TESTS= results of the individual tests
> > returned as well.
>
> did you try SYMBOLS?
>
> spamd/PROTOCOL says:
>
> "SYMBOLS command returns the same as CHECK, followed by a line listing all the
> rule names, separated by commas."
>
> (that will give you the names of all the tests hit, but I don't think you get
> their scores).
>
> > (e.g.tests=[AWL=-1.103, BAYES_00=-2.599, HTML_MESSAGE=0.001,URIBL_BLACK=1.955,
> > URIBL_GREY=0.25])
> > I see there's an option in spamc that appears to do that.  But I can't figure
> > out how to make
> > that happen when I do a direct socket invoke of spamd.
> >
> > Can someone tell me what I need to add to the spamd call (and the syntax) in
> > order to get the
> > results of the individual tests returned as part of the status?




Re: Results of Individual Tests on spamd "CHECK"

2017-08-07 Thread David B Funk

On Mon, 7 Aug 2017, Jerry Malcolm wrote:

> I'm invoking spamd using:
>
> CHECK SPAMC/1.2\r\n
>
> I'm getting the expected response such as:
>
> Spam: False ; -1.8 / 4.0
>
> I am trying to figure out how to get the TESTS= results of the individual
> tests returned as well.
>
> (e.g.tests=[AWL=-1.103, BAYES_00=-2.599,
> HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25])
> I see there's an option in spamc that appears to do that.  But I can't figure
> out how to make
> that happen when I do a direct socket invoke of spamd.
>
> Can someone tell me what I need to add to the spamd call (and the syntax) in
> order to get the
> results of the individual tests returned as part of the status?
>
> Thanks,
>
> Jerry

Jerry,
the spamd 'CHECK' command just returns the status+score, nothing else.

the spamd 'REPORT' command returns the status+score and report.
So replace 'CHECK' with 'REPORT' in your spamd call. Then be ready to read an
arbitrary number of additional lines in the return connection.

Note that it will not return any part of the original message.
If you want to use any of the SA report features that add additional headers
(such as the relays header) you will need to use a different spamd command:
'HEADERS'.

BTW, I cannot tell from your posting if you have one detail correct; you need
the command, (and any additional optional arguments) then a blank line, then the
message.


EG:

REPORT SPAMC/1.2\r\n
User: joe-blow\r\n
\r\n





--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
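
An added example, not part of the thread and not SpamAssassin's own client code: framing a spamd request as described above (command line, optional headers, blank line, message) and parsing the reply, including the "arbitrary number of additional lines" that SYMBOLS or REPORT return. The `Content-length` request header and default port 783 come from spamd's protocol documentation rather than this thread; the function names and the sample replies are constructed for illustration.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

COMMANDS = {"CHECK", "SYMBOLS", "REPORT", "HEADERS"}
STATUS_RE = re.compile(r"^SPAMD/(\d+\.\d+) (\d+) (.*)$")
SPAM_RE = re.compile(r"^(True|False|Yes|No)\s*;\s*(-?[\d.]+)\s*/\s*(-?[\d.]+)$", re.I)

# Constructed sample replies (not captured from a real server).
CHECK_REPLY = b"SPAMD/1.1 0 EX_OK\r\nSpam: False ; -1.8 / 4.0\r\n\r\n"
_SYMS = b"BAYES_95,HTML_IMAGE_ONLY_32,HTML_MESSAGE,LOTS_OF_MONEY\r\n"
SYMBOLS_REPLY = (b"SPAMD/1.1 0 EX_OK\r\nContent-length: %d\r\n"
                 b"Spam: True ; 12.3 / 4.0\r\n\r\n" % len(_SYMS)) + _SYMS


@dataclass
class Reply:
    is_spam: bool
    score: float
    threshold: float
    body: str  # empty for CHECK, rule names for SYMBOLS, report text for REPORT


def build_request(command: str, message: bytes, user: Optional[str] = None) -> bytes:
    """Command line, optional headers, one blank line, then the raw message."""
    if command not in COMMANDS:
        raise ValueError(f"unsupported spamd command: {command!r}")
    head = [f"{command} SPAMC/1.2", f"Content-length: {len(message)}"]
    if user is not None:
        # A CR/LF in the user name would smuggle an extra header line.
        if not re.fullmatch(r"[A-Za-z0-9._-]+", user):
            raise ValueError("refusing User value with unexpected characters")
        head.append(f"User: {user}")
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + message


def parse_reply(raw: bytes) -> Reply:
    """Parse status line, headers and (if present) the body of a spamd reply."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated reply: no blank line after the headers")
    lines = head.decode("ascii", "replace").split("\r\n")
    status = STATUS_RE.match(lines[0])
    if not status:
        raise ValueError(f"not a spamd status line: {lines[0]!r}")
    if int(status.group(2)) != 0:
        raise RuntimeError(f"spamd error {status.group(2)}: {status.group(3)}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    spam = SPAM_RE.match(headers.get("spam", ""))
    if not spam:
        raise ValueError("reply has no parsable Spam: header")
    if "content-length" in headers:
        want = int(headers["content-length"])
        if len(body) < want:
            raise ValueError(f"short body: got {len(body)} of {want} bytes")
        body = body[:want]
    return Reply(spam.group(1).lower() in ("true", "yes"),
                 float(spam.group(2)), float(spam.group(3)),
                 body.decode("utf-8", "replace"))


def rule_names(reply: Reply) -> List[str]:
    """Split the comma-separated rule list that SYMBOLS puts in the body."""
    return [name.strip() for name in reply.body.split(",") if name.strip()]


def ask_spamd(command: str, message: bytes, host: str = "127.0.0.1",
              port: int = 783, user: Optional[str] = None) -> Reply:
    """Send one request to a running spamd and read the reply until EOF."""
    with socket.create_connection((host, port), timeout=30.0) as sock:
        sock.sendall(build_request(command, message, user))
        sock.shutdown(socket.SHUT_WR)  # signal end of request
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_reply(b"".join(chunks))


if __name__ == "__main__":
    print(build_request("REPORT", b"Subject: test\r\n\r\nhello\r\n", "joe-blow"))
    print(parse_reply(CHECK_REPLY))
    print(rule_names(parse_reply(SYMBOLS_REPLY)))
```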


Re: Logwatch from local machine being flagged as spam

2017-08-07 Thread Ian Zimmerman
On 2017-08-06 10:37, Scott wrote:

> Centos7
> Postfix 3.2.2
> Amavisd 2.11.0
> spamassassin-3.4.0

> To: r...@mail2.myserver.com
> From: logwa...@mail2.myserver.com

Since these are locally submitted messages (i.e. not SMTP), IMO the best
and cleanest way to deal with it is to tell the MTA not to pass them to
amavisd, if you can.  This is easy to do with Exim, for example - I'm
not sure about Postfix.  Then you don't have to care about the IP
addresses or domains.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.


Results of Individual Tests on spamd "CHECK"

2017-08-07 Thread Jerry Malcolm

I'm invoking spamd using:

CHECK SPAMC/1.2\r\n


I'm getting the expected response such as:

Spam: False ; -1.8 / 4.0

I am trying to figure out how to get the TESTS= results of the individual tests 
returned as well.

(e.g.tests=[AWL=-1.103, BAYES_00=-2.599, 
HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25])

I see there's an option in spamc that appears to do that.  But I can't figure 
out how to make
that happen when I do a direct socket invoke of spamd.

Can someone tell me what I need to add to the spamd call (and the syntax) in 
order to get the
results of the individual tests returned as part of the status?

Thanks,

Jerry



Re: SA 3.4.1 for Centos 7?

2017-08-07 Thread David Jones

On 08/07/2017 08:37 AM, Scott wrote:

> spamassassin-3.4.1-14.fc27.src.rpm is available now.
>
> When trying to rebuild that src (or the one you mentioned earlier) for my
> Centos7 box I get these warnings:
>
> Is this OK?  Is there a fix?
>
> spamc/libspamc.c: In function '_try_to_connect_tcp':
> spamc/libspamc.c:490:19: warning: variable 'family' set but not used
> [-Wunused-but-set-variable]
>   char *family = NULL;
> ^
> spamc/libspamc.c: In function 'message_filter':
> spamc/libspamc.c:1217:11: warning: assignment discards 'const' qualifier
> from pointer target type [enabled by default]
>    meth = TLSv1_client_method();
> ^
> spamc/libspamc.c:1219:11: warning: assignment discards 'const' qualifier
> from pointer target type [enabled by default]
>    meth = SSLv3_client_method(); /* default */
> ^
> spamc/libspamc.c: In function 'message_tell':
> spamc/libspamc.c:1607:7: warning: assignment discards 'const' qualifier from
> pointer target type [enabled by default]
>    meth = SSLv3_client_method();
> ^
> spamc/libspamc.c: In function 'transport_setup':
> spamc/libspamc.c:1914:35: warning: unused variable 'addrp'
> [-Wunused-variable]
>   struct addrinfo hints, *res, *addrp;
> ^
> spamc/libspamc.c: In function 'libspamc_log':
> spamc/libspamc.c:2242:9: warning: ignoring return value of 'write', declared
> with attribute warn_unused_result [-Wunused-result]
>   (void) write (2, buf, len);
>   ^


I get this too and it still builds fine and works properly.  These are 
only warnings.


--
David Jones


Re: Logwatch from local machine being flagged as spam

2017-08-07 Thread RW
On Sun, 6 Aug 2017 10:37:36 -0700 (MST)
Scott wrote:

> Centos7
> Postfix 3.2.2
> Amavisd 2.11.0
> spamassassin-3.4.0
> 
> I have a logwatch output that gets mailed to me daily.  Spamassassin
> is scoring it high enough to exceed my threshold for whacking it as
> spam.  
> 
> While this is not good, I'm concerned I have something fundamental
> misconfigured where it would flag anything internal at all.  Bayes is
> not being used yet (tokens <200).  What is the proper way to allow
> messages from the server itself to not get flagged by SA?
> 
> I have the server's IP address (y.y.y.y) in my lists of trusted and
> internal as so:
> trusted_networks xx.xx.xx.xx
> trusted_networks y.y.y.y
> trusted_networks z.z.z.z
> 
> internal_networks xx.xx.xx.xx
> internal_networks y.y.y.y
> internal_networks z.z.z.z
> 
> I don't see that that made any difference.  Shouldn't it have?
> 
> Header of intercepted message:
> 
> From MAILER-DAEMON  Sun Aug  6 04:02:19 2017
> Return-Path: <>
> X-Original-To: s...@myserver.com
> Delivered-To: s...@myserver.com
> X-Envelope-From: 
> X-Envelope-To: 
> X-Envelope-To-Blocked: 
> X-Quarantine-ID: 
> X-Spam-Flag: YES
> X-Spam-Score: 7.332
> X-Spam-Level: ***
> X-Spam-Status: Yes, score=7.332 tag=- tag2=5 kill=6.4
> tests=[NORMAL_HTTP_TO_IP=0.001, NO_RELAYS=-0.001,
> URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7, URIBL_DBL_SPAM=2.5,
> URIBL_GREY=1.084, URIBL_SBL_A=0.1] autolearn=no


What's happening here is that SA is picking-up spammer domains in
the text.  SA is seeing no Received headers so whitelist_from_rcvd
isn't going to work  and your internal/trusted networks are irrelevant.

What you could do is meta NO_RELAYS with a rule that's a suitable
identifier for this kind of mail. Check that you aren't seeing
NO_RELAYS in any spam.


Re: Increased spam related to drugs such as medicine and health

2017-08-07 Thread David Jones

On 08/07/2017 08:25 AM, Naisiew Yeak wrote:

Hi All,

Recently we noticed an increase in spam mostly related to drugs, like 
medication, health and so on. Is that correct? Is anyone of you 
experiencing the same?


The current updated version is 1799552 since June 2017.



That is the latest version of rules which are still on hold while we are 
investigating an issue with the generation of 72_scores.cf.  There 
really haven't been any rule updates anyway so we aren't missing much 
other than slight score changes from the nightly masscheck processing.


There are other things commonly added to SpamAssassin setup that help 
better with dynamic detection of new spam campaigns such as:


- KAM.cf rules
- ClamAV UNOFFICIAL sigs
- DCC, Razor, Pyzor
- RBL additions/tuning (senderscore.org, lashback, etc.)
- regular bayesian DB training
- local custom rules with header and body content matching

I also bump up FREEMAIL rule hits a point or two to trust them a little 
less since this is a common source of spam.


If you need more specific answers, please include details about your SA 
setup like what is calling it (spamd, amavis, MIMEdefang, MailScanner, 
etc.), your threshold score for blocking, the MTA used, and any 
customizations you have done.


--
David Jones


Re: SA 3.4.1 for Centos 7?

2017-08-07 Thread Scott
spamassassin-3.4.1-14.fc27.src.rpm is available now.

When trying to rebuild that src (or the one you mentioned earlier) for my
Centos7 box I get these warnings:

Is this OK?  Is there a fix?


spamc/libspamc.c: In function '_try_to_connect_tcp':
spamc/libspamc.c:490:19: warning: variable 'family' set but not used
[-Wunused-but-set-variable]
 char *family = NULL;
   ^
spamc/libspamc.c: In function 'message_filter':
spamc/libspamc.c:1217:11: warning: assignment discards 'const' qualifier
from pointer target type [enabled by default]
  meth = TLSv1_client_method();
   ^
spamc/libspamc.c:1219:11: warning: assignment discards 'const' qualifier
from pointer target type [enabled by default]
  meth = SSLv3_client_method(); /* default */
   ^
spamc/libspamc.c: In function 'message_tell':
spamc/libspamc.c:1607:7: warning: assignment discards 'const' qualifier from
pointer target type [enabled by default]
  meth = SSLv3_client_method();
   ^
spamc/libspamc.c: In function 'transport_setup':
spamc/libspamc.c:1914:35: warning: unused variable 'addrp'
[-Wunused-variable]
 struct addrinfo hints, *res, *addrp;
   ^
spamc/libspamc.c: In function 'libspamc_log':
spamc/libspamc.c:2242:9: warning: ignoring return value of 'write', declared
with attribute warn_unused_result [-Wunused-result]
 (void) write (2, buf, len);
 ^









Increased spam related to drugs such as medicine and health

2017-08-07 Thread Naisiew Yeak
Hi All,

Recently we noticed an increase in spam mostly related to drugs, like
medication, health and so on. Is that correct? Is anyone of you
experiencing the same?

The current updated version is 1799552 since June 2017.

Thanks.


-- 
Naisiew Yeak


Re: Logwatch from local machine being flagged as spam

2017-08-07 Thread David Jones

On 08/06/2017 05:10 PM, msxc wrote:

I have a logwatch output that gets mailed to me daily.  Spamassassin is
scoring it high enough to exceed my threshold for whacking it as spam.

Please subscribe to the list for future posts.

However, I would argue that this is expected behavior because your
logwatch notice almost certainly contains lots of information about spam
emails. You'll want to look at whitelisting/exempting it from scanning.


KAM, thanks.

Re subscribe, I am, I may have my sending address crossed up as I migrate to a 
new server.  I'll try to get that straightened out.  Sorry about that.

I understand/agree with your point.  If it smells like spam, tag it if asked to 
analyze it.  Perhaps I incorrectly assumed it shouldn't be smelling for trusted 
networks. :)

Anyway, I found a potential cause, or at least a misconfiguration.  I've got 
Amavisd calling SA and I missed a primary IP in its mynetworks setting.  If 
that doesn't clear it I'll see about whitelisting.



As Alex already mentioned, the mynetworks setting isn't about 
whitelisting. That only controls the ALL_TRUSTED rule hit and some other 
RBL checks based on last_external.  Basically it provides a little trust 
based on IP reputation and has nothing to do with content-based rules 
that are most likely the problem with logwatch emails.


I would and have setup a whitelist_from_rcvd entry something like:

whitelist_from_rcvd root@* [ip.ad.dr.ess]

or

whitelist_from_rcvd root@* mycompany.com

Note the second one is going to be useful if you have setup 
correct FCrDNS which is not common on internal RFC 1918 network space so 
I would recommend the IP address version.


--
David Jones


RE: Logwatch from local machine being flagged as spam

2017-08-07 Thread msxc
>> I have a logwatch output that gets mailed to me daily.  Spamassassin is
>> scoring it high enough to exceed my threshold for whacking it as spam.
>Please subscribe to the list for future posts.
>
>However, I would argue that this is expected behavior because your
>logwatch notice almost certainly contains lots of information about spam
>emails. You'll want to look at whitelisting/exempting it from scanning.

KAM, thanks.

Re subscribe, I am, I may have my sending address crossed up as I migrate to a 
new server.  I'll try to get that straightened out.  Sorry about that.

I understand/agree with your point.  If it smells like spam, tag it if asked to 
analyze it.  Perhaps I incorrectly assumed it shouldn't be smelling for trusted 
networks. :)

Anyway, I found a potential cause, or at least a misconfiguration.  I've got 
Amavisd calling SA and I missed a primary IP in its mynetworks setting.  If 
that doesn't clear it I'll see about whitelisting.

Thanks,
Scott