Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-09 Thread RW
On Wed, 9 Aug 2017 16:33:57 +0200
Felix Defrance wrote:

> Hi all,
> 
> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
> signature verification instead of opendkim success..
>
> I see these issues on domains which use onmicrosoft.com or
> gappssmtp.com
...
> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message
> passed to SA at 211221 bytes, orig 558708

If amavis only passes part of the email to SA, it isn't going to pass
DKIM.
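
Added illustration (not part of RW's message and not amavis or SpamAssassin code): the sketch below recomputes the DKIM body hash for `c=relaxed/relaxed`, `a=rsa-sha256` over a constructed message body, once in full and once cut at the 211221-byte limit from the log. It assumes the limit applies to the body alone (in the log it counts the whole message); `build_body` and `compare_views` are hypothetical names.

```python
import base64
import hashlib
import re

SA_LIMIT = 211221  # "truncating a message passed to SA at 211221 bytes" (from the log)


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization (c=.../relaxed)."""
    lines = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of whitespace
        lines.append(line.rstrip(b" "))        # drop whitespace at end of line
    while lines and lines[-1] == b"":          # drop empty lines at end of body
        lines.pop()
    # A non-empty body ends in exactly one CRLF, even if the input was cut mid-line.
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """Value a signer puts in bh= (and a verifier recomputes) for a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def build_body() -> bytes:
    """Constructed stand-in for the 558 kB message: short text plus a base64 attachment."""
    text = b"Hello,\r\n\r\nsee attached.\r\n\r\n"
    attachment_line = b"QUJD" * 19 + b"\r\n"   # 76 base64 characters per line
    return text + attachment_line * 7160


def compare_views() -> dict:
    """Compare the signer's bh= with what each downstream component would compute."""
    full = build_body()
    bh_signed = body_hash(full)                # recorded by the sender's signer
    # Whitespace-only change in transit: tolerated by relaxed canonicalization.
    reflowed = full.replace(b"see attached.", b"see \t attached.  ")
    return {
        "full_message": body_hash(full) == bh_signed,            # milter at the MTA
        "whitespace_changed": body_hash(reflowed) == bh_signed,
        "truncated_for_sa": body_hash(full[:SA_LIMIT]) == bh_signed,
    }


if __name__ == "__main__":
    for view, ok in compare_views().items():
        verdict = "matches" if ok else "MISMATCH (body has been altered)"
        print(f"{view:20s} bh {verdict}")
```

The verifier that sees the whole message agrees with `bh=`, while the one fed a prefix cannot, which is the same split the trace shows between opendkim and the SpamAssassin DKIM plugin.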


Re: bayes sql: bayes_seen needs UPDATE

2017-08-09 Thread Jesse Norell
It should, yes; the (simple) fix looks correct, though I haven't
actually cut/pasted the example GRANT statement from the readme to test.


On Wed, 2017-08-09 at 16:48 -0400, Kevin A. McGrail wrote:
> Jesse, did bz https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7442 
> completely resolve this issue?
> 
> On 6/22/2017 2:49 PM, Jesse Norell wrote:
> > Hello,
> >
> > I'm working on converting a spam training script/setup which works with
> > bayes dbm files to support sql bayes, and came across an error in the
> > grants in the README.bayes file at:
> >
> >GRANT SELECT, DELETE, INSERT ON TABLE bayes_seen TO ;
> >
> > I'm using the MySQL driver (maybe it matters), and UPDATE permission is
> > needed on bayes_seen to avoid:
> >
> >  write(6, "\257\0\0\0\3INSERT INTO bayes_seen (id, msgid, flag)\n   
> >   VALUES 
> > ('2','2d74cc15f332ac5a1789ac7d979ef9320ac98d80@sa_generated','s')\n\t 
> > ON DUPLICATE KEY UPDATE flag=VALUES(flag)", 179) = 179
> >  read(6, "X\0\0\1\377v\4#42000UPDATE command denied to user 
> > 'spamassassin'@'localhost' for table 'bayes_seen'", 16384) = 92
> >
> > I never did see any error printed by sa-learn on that, I just happened
> > to catch it in tracing sa-learn to see what takes so long.  After
> > granting UPDATE permission I see a few quirks with bayes_seen disappear,
> > where re-learning the same message shows an increase in nspam or nham
> > count (and entries in bayes_seen are duplicated), where using dbm files
> > showed the counts stayed the same.  I was hoping for a performance
> > improvement too, but not seeing much change there yet (though I don't
> > have much of a baseline on this new system).
> >
> > I'm running 3.4.1-6~bpo8+1 from jessie-backports, but README.bayes is
> > the same:
> > https://svn.apache.org/repos/asf/spamassassin/trunk/sql/README.bayes
> >
> >
> > Thanks,
> > Jesse
> >
> >
> > (I've been waiting a few hours on a bugzilla email so haven't yet added
> > this to the bug tracker.)
> >
> >
> 

-- 
Jesse Norell 
Kentec Communications, Inc.



Re: bayes sql: bayes_seen needs UPDATE

2017-08-09 Thread Kevin A. McGrail
Jesse, did bz https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7442 
completely resolve this issue?


On 6/22/2017 2:49 PM, Jesse Norell wrote:
> Hello,
>
> I'm working on converting a spam training script/setup which works with
> bayes dbm files to support sql bayes, and came across an error in the
> grants in the README.bayes file at:
>
>    GRANT SELECT, DELETE, INSERT ON TABLE bayes_seen TO ;
>
> I'm using the MySQL driver (maybe it matters), and UPDATE permission is
> needed on bayes_seen to avoid:
>
>  write(6, "\257\0\0\0\3INSERT INTO bayes_seen (id, msgid, flag)\n
>  VALUES ('2','2d74cc15f332ac5a1789ac7d979ef9320ac98d80@sa_generated','s')\n\t ON
> DUPLICATE KEY UPDATE flag=VALUES(flag)", 179) = 179
>  read(6, "X\0\0\1\377v\4#42000UPDATE command denied to user
> 'spamassassin'@'localhost' for table 'bayes_seen'", 16384) = 92
>
> I never did see any error printed by sa-learn on that, I just happened
> to catch it in tracing sa-learn to see what takes so long.  After
> granting UPDATE permission I see a few quirks with bayes_seen disappear,
> where re-learning the same message shows an increase in nspam or nham
> count (and entries in bayes_seen are duplicated), where using dbm files
> showed the counts stayed the same.  I was hoping for a performance
> improvement too, but not seeing much change there yet (though I don't
> have much of a baseline on this new system).
>
> I'm running 3.4.1-6~bpo8+1 from jessie-backports, but README.bayes is
> the same:
> https://svn.apache.org/repos/asf/spamassassin/trunk/sql/README.bayes
>
>
> Thanks,
> Jesse
>
>
> (I've been waiting a few hours on a bugzilla email so haven't yet added
> this to the bug tracker.)

Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-09 Thread David Jones

On 08/09/2017 10:19 AM, Felix Defrance wrote:
> Do you have any idea why the body has been altered sometimes ? I don't
> have any log about amavis alterate body message.

This happens when any server in the path modifies some of the headers or
the body of the email after it was signed by the originator.  Older
Exchange servers are known to mess with DKIM signing.  I think Exchange
2016 and Office 365 now properly handle mail so that DKIM doesn't break.

It could be any of the Received: mail servers that broke DKIM.  I don't
think it was your Amavis that caused it.  You could install OpenDKIM and
OpenDMARC as a milter on the MTA to get some extra information before
the message was passed to Amavis.

> You don't think the problem came from this line ?
>
> SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com,
> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain

No.  This didn't cause the problem.  It's just showing that the
envelope-from domain didn't match the DKIM d= domain.

groupeastek.fr <> groupeastek365.onmicrosoft.com

Microsoft is trying to be helpful here and automatically DKIM signing
with their own domain.

> Thx,
>
> On 09/08/2017 at 16:37, David Jones wrote:
>> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>>> Hi all,
>>>
>>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
>>> signature verification instead of opendkim success..
>>>
>>> I see these issues on domains which use onmicrosoft.com or gappssmtp.com
>>>
>>> Here is the mail trace on my MTA, if anybody could help me.
>>>
>>> Thx,
>>>
>>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim:
>>> signature verification result: FAIL (BODY HAS BEEN ALTERED)
>>>
>>> --
>>> Félix
>>> PGP: 0x0F04DC57
>>
>> This is in the logs above:
>>
>> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
>
> --
> Félix Defrance
> PGP: 0x0F04DC57

--
David Jones


Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-09 Thread Felix Defrance
Do you have any idea why the body has been altered sometimes ? I don't
have any log about amavis alterate body message.

You don't think the problem came from this line ?

SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com,
d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain

Thx,

On 09/08/2017 at 16:37, David Jones wrote:
> On 08/09/2017 09:33 AM, Felix Defrance wrote:
>> Hi all,
>>
>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
>> signature verification instead of opendkim success..
>>
>> I see these issues on domains which use onmicrosoft.com or gappssmtp.com
>>
>> Here is the mail trace on my MTA, if anybody could help me.
>>
>> Thx,
>>
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D:
>> mail-he1eur01on0135.outbound.protection.outlook.com [104.47.0.135]
>> not internal
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: not authenticated
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing domain
>> match for 'groupeastek.fr'
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing
>> subdomain match for 'groupeastek.fr'
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: failed to parse
>> authentication-results: header field
>> Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
>> successful
>> Aug  9 10:25:43 vmail opendkim[21923]: 0D81A778B1D:
>> s=selector1-groupeastek-fr d=groupeastek365.onmicrosoft.com SSL
>> Aug  9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
>> Aug  9 10:25:43 vmail postfix/qmgr[9226]: 0D81A778B1D:
>> from=, size=558389, nrcpt=1 (queue active)
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) ESMTP :10024
>> /var/lib/amavis/tmp/amavis-20170809T101204-01524-PE_s500S:
>>  ->  SIZE=558389 Received: from
>> vmail.tata.com ([127.0.0.1]) by localhost (vmail.tata.com
>> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for
>> ; Wed,  9 Aug 2017 10:25:43 +0200 (CEST)
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) Checking: 9j8FwaumEeNr
>> [104.47.0.135]  -> 
>> Aug  9 10:25:43 vmail postfix/smtpd[4885]: disconnect from
>> mail-he1eur01on0135.outbound.protection.outlook.com[104.47.0.135]
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p005 1 Content-Type:
>> multipart/mixed
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p006 1/1 Content-Type:
>> multipart/related
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p007 1/1/1
>> Content-Type: multipart/alternative
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p001 1/1/1/1
>> Content-Type: text/plain, size: 968 B, name:
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p002 1/1/1/2
>> Content-Type: text/html, size: 5183 B, name:
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p003 1/1/2
>> Content-Type: image/png, size: 4414 B, name: image001.png
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p004 1/2 Content-Type:
>> application/pdf, size: 393097 B, name: DC_ASTEK_Q_Charles_2017_08.pdf
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message
>> passed to SA at 211221 bytes, orig 558708
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim:
>> performing public key lookup and signature verification
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED
>> DKIM, i=@groupeastek365.onmicrosoft.com,
>> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
>> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim:
>> signature verification result: FAIL (BODY HAS BEEN ALTERED)
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp:
>> performing lookup on _adsp._domainkey.groupeastek.fr
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp
>> result: U/unknown (dns: unknown), author domain 'groupeastek.fr'
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking
>> to see if the message has a Received-SPF header that we can use
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: found a
>> Received-SPF header added by an internal host: Received-SPF: Pass
>> (sender SPF authorized) identity=mailfrom; client-ip=104.47.0.135;
>> helo=eur01-he1-obe.outbound.protection.outlook.com;
>> envelope-from=t...@groupeastek.fr; receiver=t...@tata.com
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: re-using
>> mfrom result from Received-SPF header: pass
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking
>> HELO (helo=EUR01-HE1-obe.outbound.protection.outlook.com,
>> ip=104.47.0.135)
>> Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: query for
>> /104.47.0.135/EUR01-HE1-obe.outbound.protection.outlook.com: result:
>> pass, comment: , text: Mechanism 'include:spf.protection.outlook.com'
>> matched
>> Aug  9 10:25:43 vmail amavis[1524]: 

Re: SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-09 Thread David Jones

On 08/09/2017 09:33 AM, Felix Defrance wrote:

Hi all,

I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
signature verification instead of opendkim success..

I see these issues on domains which use onmicrosoft.com or gappssmtp.com

Here is the mail trace on my MTA, if anybody could help me.

Thx,

Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: 
mail-he1eur01on0135.outbound.protection.outlook.com [104.47.0.135] not 
internal

Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: not authenticated
Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing domain 
match for 'groupeastek.fr'
Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing subdomain 
match for 'groupeastek.fr'
Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: failed to parse 
authentication-results: header field
Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification 
successful
Aug  9 10:25:43 vmail opendkim[21923]: 0D81A778B1D: 
s=selector1-groupeastek-fr d=groupeastek365.onmicrosoft.com SSL

Aug  9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
Aug  9 10:25:43 vmail postfix/qmgr[9226]: 0D81A778B1D: 
from=, size=558389, nrcpt=1 (queue active)
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) ESMTP :10024 
/var/lib/amavis/tmp/amavis-20170809T101204-01524-PE_s500S: 
 ->  SIZE=558389 Received: from 
vmail.tata.com ([127.0.0.1]) by localhost (vmail.tata.com [127.0.0.1]) 
(amavisd-new, port 10024) with ESMTP for ; Wed,  9 Aug 
2017 10:25:43 +0200 (CEST)
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) Checking: 9j8FwaumEeNr 
[104.47.0.135]  -> 
Aug  9 10:25:43 vmail postfix/smtpd[4885]: disconnect from 
mail-he1eur01on0135.outbound.protection.outlook.com[104.47.0.135]
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p005 1 Content-Type: 
multipart/mixed
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p006 1/1 Content-Type: 
multipart/related
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p007 1/1/1 Content-Type: 
multipart/alternative
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p001 1/1/1/1 
Content-Type: text/plain, size: 968 B, name:
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p002 1/1/1/2 
Content-Type: text/html, size: 5183 B, name:
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p003 1/1/2 Content-Type: 
image/png, size: 4414 B, name: image001.png
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p004 1/2 Content-Type: 
application/pdf, size: 393097 B, name: DC_ASTEK_Q_Charles_2017_08.pdf
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message 
passed to SA at 211221 bytes, orig 558708
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: performing 
public key lookup and signature verification
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED 
DKIM, i=@groupeastek365.onmicrosoft.com, 
d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr, 
a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature 
verification result: FAIL (BODY HAS BEEN ALTERED)
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp: 
performing lookup on _adsp._domainkey.groupeastek.fr
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp 
result: U/unknown (dns: unknown), author domain 'groupeastek.fr'
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking to 
see if the message has a Received-SPF header that we can use
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: found a 
Received-SPF header added by an internal host: Received-SPF: Pass 
(sender SPF authorized) identity=mailfrom; client-ip=104.47.0.135; 
helo=eur01-he1-obe.outbound.protection.outlook.com; 
envelope-from=t...@groupeastek.fr; receiver=t...@tata.com
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: re-using 
mfrom result from Received-SPF header: pass
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking 
HELO (helo=EUR01-HE1-obe.outbound.protection.outlook.com, ip=104.47.0.135)
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: query for 
/104.47.0.135/EUR01-HE1-obe.outbound.protection.outlook.com: result: 
pass, comment: , text: Mechanism 'include:spf.protection.outlook.com' 
matched
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: 
def_whitelist_from_spf: t...@groupeastek.fr is not in DEF_WHITELIST_FROM_SPF
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED 
signature by groupeastek365.onmicrosoft.com, author t...@groupeastek.fr, 
no valid matches
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: author 
t...@groupeastek.fr, not in any dkim whitelist
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: 
whitelist_from_spf: t...@groupeastek.fr is not in user's WHITELIST_FROM_SPF
Aug  9 10:25:44 vmail amavis[1524]: (01524-06) spam-tag, 
 -> , 

SA dbg: dkim: FAILED DKIM .. does not match author domain

2017-08-09 Thread Felix Defrance
Hi all,

I don't understand why Mail::SpamAssassin::Plugin::DKIM fails on
signature verification instead of opendkim success..

I see these issues on domains which use onmicrosoft.com or gappssmtp.com

Here is the mail trace on my MTA, if anybody could help me.

Thx,

Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D:
mail-he1eur01on0135.outbound.protection.outlook.com [104.47.0.135] not
internal
Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: not authenticated
Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing domain
match for 'groupeastek.fr'
Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: no signing subdomain
match for 'groupeastek.fr'
Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: failed to parse
authentication-results: header field
Aug  9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification
successful
Aug  9 10:25:43 vmail opendkim[21923]: 0D81A778B1D:
s=selector1-groupeastek-fr d=groupeastek365.onmicrosoft.com SSL
Aug  9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none
Aug  9 10:25:43 vmail postfix/qmgr[9226]: 0D81A778B1D:
from=, size=558389, nrcpt=1 (queue active)
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) ESMTP :10024
/var/lib/amavis/tmp/amavis-20170809T101204-01524-PE_s500S:
 ->  SIZE=558389 Received: from
vmail.tata.com ([127.0.0.1]) by localhost (vmail.tata.com [127.0.0.1])
(amavisd-new, port 10024) with ESMTP for ; Wed,  9 Aug
2017 10:25:43 +0200 (CEST)
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) Checking: 9j8FwaumEeNr
[104.47.0.135]  -> 
Aug  9 10:25:43 vmail postfix/smtpd[4885]: disconnect from
mail-he1eur01on0135.outbound.protection.outlook.com[104.47.0.135]
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p005 1 Content-Type:
multipart/mixed
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p006 1/1 Content-Type:
multipart/related
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p007 1/1/1 Content-Type:
multipart/alternative
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p001 1/1/1/1
Content-Type: text/plain, size: 968 B, name:
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p002 1/1/1/2
Content-Type: text/html, size: 5183 B, name:
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p003 1/1/2 Content-Type:
image/png, size: 4414 B, name: image001.png
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) p004 1/2 Content-Type:
application/pdf, size: 393097 B, name: DC_ASTEK_Q_Charles_2017_08.pdf
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message
passed to SA at 211221 bytes, orig 558708
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: performing
public key lookup and signature verification
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED
DKIM, i=@groupeastek365.onmicrosoft.com,
d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr,
a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature
verification result: FAIL (BODY HAS BEEN ALTERED)
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp:
performing lookup on _adsp._domainkey.groupeastek.fr
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: adsp
result: U/unknown (dns: unknown), author domain 'groupeastek.fr'
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking to
see if the message has a Received-SPF header that we can use
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: found a
Received-SPF header added by an internal host: Received-SPF: Pass
(sender SPF authorized) identity=mailfrom; client-ip=104.47.0.135;
helo=eur01-he1-obe.outbound.protection.outlook.com;
envelope-from=t...@groupeastek.fr; receiver=t...@tata.com
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: re-using
mfrom result from Received-SPF header: pass
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: checking
HELO (helo=EUR01-HE1-obe.outbound.protection.outlook.com, ip=104.47.0.135)
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf: query for
/104.47.0.135/EUR01-HE1-obe.outbound.protection.outlook.com: result:
pass, comment: , text: Mechanism 'include:spf.protection.outlook.com'
matched
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf:
def_whitelist_from_spf: t...@groupeastek.fr is not in DEF_WHITELIST_FROM_SPF
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED
signature by groupeastek365.onmicrosoft.com, author t...@groupeastek.fr,
no valid matches
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: author
t...@groupeastek.fr, not in any dkim whitelist
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: spf:
whitelist_from_spf: t...@groupeastek.fr is not in user's WHITELIST_FROM_SPF
Aug  9 10:25:44 vmail amavis[1524]: (01524-06) spam-tag,
 -> , No, score=3.189
tagged_above=- required=5 tests=[BAYES_00=-1.9,
CUST_DKIM_SIGNED_INVALID=5, 
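
Added example (not from the thread and not amavis or SpamAssassin code): a small triage script that groups amavis log lines by session id and marks a SpamAssassin DKIM failure as inconclusive when the same session was truncated before scanning. Session 01524-06 reuses lines from the trace above, unwrapped; the other sessions, the verdict labels and the function name `triage` are constructed for illustration.

```python
import re

# Session 01524-06 repeats lines from the trace above (unwrapped);
# sessions 01524-07 and 01524-08 are constructed for contrast.
SAMPLE_LOG = """\
Aug  9 10:25:43 vmail postfix/qmgr[9226]: 0D81A778B1D: from=, size=558389, nrcpt=1 (queue active)
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) truncating a message passed to SA at 211221 bytes, orig 558708
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com, d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr, a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
Aug  9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
Aug  9 10:31:02 vmail amavis[1524]: (01524-07) SA dbg: dkim: FAILED DKIM, i=@mail.example.net, d=mail.example.net, s=sel1, a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain
Aug  9 10:31:02 vmail amavis[1524]: (01524-07) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
Aug  9 10:40:17 vmail amavis[1524]: (01524-08) truncating a message passed to SA at 211221 bytes, orig 300000
"""

SESSION = re.compile(r"amavis\[\d+\]: \((?P<sid>\d+-\d+)\) (?P<msg>.*)$")
TRUNCATED = re.compile(r"truncating a message passed to SA at (\d+) bytes, orig (\d+)")
DKIM_SIG = re.compile(r"SA dbg: dkim: FAILED DKIM, .*?\bd=(?P<d>[^,\s]+),")
DKIM_RESULT = re.compile(
    r"SA dbg: dkim: signature verification result: (?P<res>\w+)(?: \((?P<why>[^)]*)\))?"
)


def triage(log_text: str) -> dict:
    """Return {session_id: facts + verdict} for every amavis session in the log."""
    sessions = {}
    for line in log_text.splitlines():
        m = SESSION.search(line)
        if not m:
            continue  # not an amavis session line (postfix, opendkim, ...)
        facts = sessions.setdefault(
            m["sid"], {"truncated": None, "d": None, "result": None, "reason": None}
        )
        msg = m["msg"]
        t = TRUNCATED.search(msg)
        s = DKIM_SIG.search(msg)
        r = DKIM_RESULT.search(msg)
        if t:
            facts["truncated"] = (int(t[1]), int(t[2]))  # (bytes passed, original)
        elif s:
            facts["d"] = s["d"]
        elif r:
            facts["result"], facts["reason"] = r["res"], r["why"]

    for facts in sessions.values():
        if facts["result"] != "FAIL":
            facts["verdict"] = "no-dkim-failure"
        elif facts["truncated"]:
            # SA hashed only a prefix of the body, so its FAIL says nothing
            # about the signature; rely on the verifier at the MTA instead.
            facts["verdict"] = "inconclusive-truncated"
        else:
            facts["verdict"] = "failed-on-full-message"
    return sessions


if __name__ == "__main__":
    for sid, facts in triage(SAMPLE_LOG).items():
        print(sid, facts["verdict"], facts["truncated"], facts["d"])
```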

Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Kevin A. McGrail

On 8/9/2017 10:13 AM, Benny Pedersen wrote:
> Kevin A. McGrail wrote on 2017-08-09 15:48:
>
>>> So I think the X-Spam-Status is also from spamd1-us-west.apache.org
>> I see that pov but it shouldn't cause mail delivery issues.  It just
>> means we couldn't fully scan things so I'm not sure what problem Benny
>> is trying to report.
>
> why did i concern a problem on other servers than my own :(
>
> back to my android studio hello world project :=)


It's the language barrier.  I couldn't decipher what you were trying to 
report and the URIBL_BLOCKED issue has been known for a while.  My 
apologies as you were trying to help and I was trying to help you with 
your server.  Ships in the night...



Best,

KAM



Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Benny Pedersen

Kevin A. McGrail wrote on 2017-08-09 15:48:

>> So I think the X-Spam-Status is also from spamd1-us-west.apache.org
> I see that pov but it shouldn't cause mail delivery issues.  It just
> means we couldn't fully scan things so I'm not sure what problem Benny
> is trying to report.

why did i concern a problem on other servers than my own :(

back to my android studio hello world project :=)


Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Kevin A. McGrail

On 8/9/2017 9:37 AM, Merijn van den Kroonenberg wrote:
> According to the headers he posted, it is not Benny who hit the
> URIBL_BLOCKED but indeed apache infra:
>
> X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
>
> So I think the X-Spam-Status is also from spamd1-us-west.apache.org

I see that pov but it shouldn't cause mail delivery issues.  It just
means we couldn't fully scan things so I'm not sure what problem Benny
is trying to report.




Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Merijn van den Kroonenberg
> Hi Benny,
>
> As Michael pointed out and I emailed you off-list, yes, you are reading
> the header incorrectly.
>
> Focusing on just the tests, you hit URIBL_BLOCKED.  Here's the

According to the headers he posted, it is not Benny who hit the
URIBL_BLOCKED but indeed apache infra:

X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org

So I think the X-Spam-Status is also from spamd1-us-west.apache.org

> description for that test:
> ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See
> http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more
> information.
>
> HTH, KAM
>
> On 8/9/2017 8:46 AM, Benny Pedersen wrote:
>>
>> do i read headers incorrect ?
>>
>> X-Spam-Status: No, score=-5.102 tagged_above=-999 required=6.31
>> tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>> RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001,
>> SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled
>
>
>




Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Kevin A. McGrail

Hi Benny,

As Michael pointed out and I emailed you off-list, yes, you are reading 
the header incorrectly.


Focusing on just the tests, you hit URIBL_BLOCKED.  Here's the 
description for that test:
ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See 
http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more 
information.


HTH, KAM

On 8/9/2017 8:46 AM, Benny Pedersen wrote:
> do i read headers incorrect ?
>
> X-Spam-Status: No, score=-5.102 tagged_above=-999 required=6.31
> tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
> RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001,
> SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled





Re: Bayes auto-learn - not happening

2017-08-09 Thread David Jones

On 08/08/2017 08:02 PM, Ian Zimmerman wrote:
> On 2017-08-08 15:20, Scott wrote:
>
>> Another new one  big score, auto-learn disabled.  This one is fairly small.
>>
>> X-Spam-Status: Yes, score=29.428 tag=- tag2=5 kill=6.4
>>  tests=[DATE_IN_PAST_03_06=1.076, DCC_CHECK=3.2,
>> DIGEST_MULTIPLE=0.001,
>>  FILL_THIS_FORM=0.001, FROM_MISSPACED=0.001, FROM_MISSP_SPF_FAIL=1,
>>  HEADER_FROM_DIFFERENT_DOMAINS=0.001, HEXHASH_WORD=1,
>>  HTML_EXTRA_CLOSE=0.001, HTML_MESSAGE=0.001,
>>  HTML_MIME_NO_HTML_TAG=0.635, MIME_HTML_ONLY=1.105, MISSING_MID=0.14,
>>  NORMAL_HTTP_TO_IP=0.001, RAZOR2_CF_RANGE_51_100=0.365,
>>  RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=2.5,
>>  RCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274, SPF_FAIL=4,
>>  SPF_HELO_FAIL=4, STYLE_GIBBERISH=3.093,
>>  T_HTML_TAG_BALANCE_CENTER=0.01, URIBL_ABUSE_SURBL=1.948,
>>  WEIRD_QUOTING=0.001] autolearn=unavailable autolearn_force=no
>>
>> Can you tell if this one has the 3 point match?
>
> Scott,
>
> when I tried to use the autolearn feature I was as confused as you are.
> As far as I remember, the 3 point each from header and body is not the
> only requirement; the full truth is that some rules are "privileged" and
> can contribute to autolearning while others cannot.  I found it opaque
> in the extreme and essentially unpredictable, and so I stopped
> autolearning and hacked up some scripts that put duplicate of each ham
> message into a folder which is then processed by sa-learn from a
> cronjob, with sufficient delay that I can review the contents and remove
> any false negatives; and similarly with spam, excluding the utterly
> horrible category which just goes to /dev/null.
>
> It may not be possible for you to adopt such a process if your volume is
> high, but OTOH in that case you probably have users to help you :)
>
> I think this is what RW is telling you, too.
>
> FWIW, this is documented (sort of) by:
>
> perldoc Mail::SpamAssassin::Plugin::AutoLearnThreshold



Same here.  I had a little success with autolearn.  When I started 
splitting out messages into a spam and ham folder and using a cron 
script to train explicitly, the BAYES hits became very accurate and 
helped with zero-hour spam which is the hardest to block.


I setup an iRedmail server on a local-only subdomain and send/BCC copies 
of messages over to it.  Then I can use simple Inbox rules to sort or 
discard them.  Then I cron'd spam and ham training based on the Maildir 
"cur" folders.  This requires me to do a quick scan of the unread 
messages.  When I mark them as read, then they get sa-learn'd.  Takes a 
few minutes a day and drastically improved the mail filtering.


A side effect of this has allowed me to easily spot some new spam 
campaigns and messages that are scoring just below the block threshold 
so I can add them to local custom rules.  Sometimes these are legit 
senders with good opt-out so I add them to a whitelist_auth entry.


--
David Jones


Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Benny Pedersen

Michael Orlitzky wrote on 2017-08-08 23:39:

> URIBL_BLOCKED means that the URIBL refused your DNS query:
>
>   http://uribl.com/refused.shtml
>
> The name "apache.org" isn't blacklisted, and there's nothing apache can
> do to fix it. You need to make your DNS queries from somewhere else,
> probably.

do i read headers incorrect ?

Received: (qmail 1703 invoked by uid 500); 8 Aug 2017 20:18:12 -
Mailing-List: contact users-h...@spamassassin.apache.org; run by ezmlm
Precedence: bulk
list-help: 
list-unsubscribe: 
List-Post: 
List-Id: 
Delivered-To: mailing list users@spamassassin.apache.org
Received: (qmail 1693 invoked by uid 99); 8 Aug 2017 20:18:12 -
Received: from pnap-us-west-generic-nat.apache.org (HELO 
spamd1-us-west.apache.org) (209.188.14.142)
by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Aug 2017 20:18:12 
+

Received: from localhost (localhost [127.0.0.1])
by spamd1-us-west.apache.org (ASF Mail Server at 
spamd1-us-west.apache.org) with ESMTP id B8CA0C37B1
for ; Tue,  8 Aug 2017 20:18:11 + 
(UTC)

X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -5.102
X-Spam-Level:
X-Spam-Status: No, score=-5.102 tagged_above=-999 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled
Authentication-Results: spamd1-us-west.apache.org (amavisd-new);
dkim=pass (1024-bit key) header.d=junc.eu
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, 
port 10024)

with ESMTP id H8f21Ce-uPKN for ;
Tue,  8 Aug 2017 20:18:09 + (UTC)
Received: from linode.junc.eu (linode.junc.eu [176.58.121.172])
by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) 
with ESMTPS id 031AE5FCB5
for ; Tue,  8 Aug 2017 20:18:08 + 
(UTC)

Received: from localhost.junc.eu (localhost.junc.eu [127.0.0.1])
by localhost.junc.eu (Postfix) with ESMTP id A7CE71BE112
for ; Tue,  8 Aug 2017 21:18:08 +0100 
(BST)

X-Spam-ASN:
X-Spam-dcc_result:
X-Spam-Uri-Domains: gt.net
Received: from localhost.junc.eu (localhost.junc.eu [IPv6:::1])
by linode.junc.eu (Postfix) with ESMTPSA id 847331BE084
for ; Tue,  8 Aug 2017 21:18:08 +0100 
(BST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=junc.eu; 
s=default;

t=1502223488; x=1502655488;
bh=ACeA4nE20azqhWy2oTSvIBD+bT388AqX7TJhMDuvlcA=;
h=Date:From:To:Subject:In-Reply-To:References;
b=qKmTUlrBK35djC6I7UYWeQXPS5+PzFk+01Mqx5bCIbL/D19Unu7t91ZA+iQTZatUG
 SqaXotlpIkhh4LA4rrFhl7bdIXRk2ohNxrETijGs47+glwBc/BqRxjYpgG31l6qiWk
 yq2M9cC/IgFBkHaGtIfg1nh7Pb0YQVRJUkFs4XVg=
X-Virus-Status: Clean
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 08 Aug 2017 22:18:08 +0200
From: Benny Pedersen 
To: users@spamassassin.apache.org
Subject: Re: Bayes auto-learn - not happening
Organization: Jersore Underground Network Center
In-Reply-To: <150802318-138072.p...@n5.nabble.com>
References: <0d5d01d31071$0d6be500$2843af00$@org>
 <40e49a6ef18d255c5b83fa7038337...@junc.eu>
 <150802318-138072.p...@n5.nabble.com>
Message-ID: 
X-Sender: m...@junc.eu
User-Agent: Roundcube Webmail/1.2.5


Re: Bayes auto-learn - not happening

2017-08-09 Thread Matus UHLAR - fantomas

On 08.08.17 14:38, Scott wrote:
> Brand new spam arrives.  It gets
> autolearn=unavailable.
>
> [...]
>
> su amavis -c 'sa-learn -D --spam --showdots  --max-size=600 --mbox
> /home/mail/twospam'
>
> Aug  8 16:35:23.567 [18045] dbg: bayes: learned
> '419769464db0fabb0f1220f9ae0cf12931ad7076@sa_generated', atime: 1502226537
> Learned tokens from 1 message(s) (1 message(s) examined)
>
> At it learned it.  So autolearn=unavailable was NOT due to the token already
> there.

autolearn=unavailable apparently due to not accessible bayes database.

try running "ls -la ~amavis/.spamassassin/" - apparently permissions make
the directory or files in it unwritable for amavis user.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.