Re: Legitimate message being flagged as spam

2020-11-30 Thread Daryl Rose
How do I get the SA headers?

Thank you.

Daryl

On Sun, Nov 29, 2020 at 10:32 AM Martin Gregorie 
wrote:

> Showing us the SA headers and hits would be a good idea: without them we
> don't know why SA rejected the mail.
>
> I notice that the domain in the Message-ID is fictitious. This may not be
> significant, but I usually think this is suspicious.
>
> Martin
>
>
> On Sun, 2020-11-29 at 09:40 -0600, Daryl Rose wrote:
> > I get an email/receipt from a vendor on a payment made.  This message
> > continuously gets flagged as spam even though I've added it to the
> > whitelist_from.cf list.
> >
> > Received: (qmail 26946 invoked by uid 30297); 27 Nov 2020 20:52:17
> > -
> > > Received: from unknown (HELO p3plibsmtp02-04.prod.phx3.secureserver.net)
> > >  ([68.178.213.4])
> > >   (envelope-sender
> > >  @sendgrid.net>)
> > >   by p3plsmtp23-04-26.prod.phx3.secureserver.net (qmail-1.03) with
> > >  SMTP
> > >   for ; 27 Nov 2020 20:52:17 -
> > > Received: from o1.3nn.shared.sendgrid.net ([167.89.100.129])
> > > (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
> > > (Client did not present a certificate)
> > > by CMGW with ESMTP
> > > id ikj3kLwOeFeQXikj3kiQrL; Fri, 27 Nov 2020 13:52:17 -0700
> > > X-CMAE-Analysis: v=2.4 cv=SdYyytdu c=1 sm=1 tr=0 ts=5fc16701 b=1
> > > cx=a_idp_nop
> > >  a=d87GDerR7hnUjA61tTL9RQ==:117 a=d87GDerR7hnUjA61tTL9RQ==:17
> > >  a=kj9zAlcOel0A:10 a=zPYWiABU:8 a=5-f5ixlAKy49-4MjWEkA:9
> > >  a=O-7aY5Sf57aUu7p3:21 a=_W_S_7VecoQA:10 a=CjuIK1q_8ugA:10
> > > a=5LfDJFqq-uUA:10
> > >  a=AWL3az150N33eOPX4RKm:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22
> > > a=UDnyf2zBuKT2w-IlGP_r:22
> > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
> > > h=from:subject:mime-version:to:content-type:content-transfer-encoding;
> > > s=smtpapi; bh=5/eVCwWUZDl73ybzUYFmyMNdYNgvUvrvS9S5NJHu8QU=;
> > > b=kDKnSU9Bb2Mi5khPiwjinzdlOorchkBuNfEWHSiqVeWqCaZPHmztDB3ZeQXPLVkVbLuH
> > > 6NgvFXajs2aidTnh9bSKSMn4RaTPC+nvQU4DxFoXj0dL9yy9rjBGsdmS0BBD6+qzBl6gSi
> > > i2UwAMxRGXKbODjK5T5Ll1us3XKXKt9cI=
> > > Received: by filterdrecv-p3iad2-5dc87598f5-8bxxp with SMTP id
> > >  filterdrecv-p3iad2-5dc87598f5-8bxxp-19-5FC16700-AD
> > > 2020-11-27 20:52:16.878084415 + UTC m=+951689.287978429
> > > Received: from spiderdoor.com (unknown)
> > > by ismtpd0118p1mdw1.sendgrid.net (SG) with ESMTP
> > > id ceyKf2F5QpyH7v63ZKS3nA
> > > Fri, 27 Nov 2020 20:52:16.783 + (UTC)
> > > Date: Fri, 27 Nov 2020 20:52:16 + (UTC)
> > > From: no-re...@spiderdoor.com
> > > Message-ID: <5fc1670079f34_26fd3171828...@api1.mail>
> > > Subject: Payment Receipt for Unit G030 - paid from SpiderApp
> > > Mime-Version: 1.0
> > > X-SG-EID:
> > > To: i...@myspace.rent, 
> > > X-Entity-ID: eEuAPys4acQ9ere1FZlp6A==
> > > Content-Type: text/html; charset=us-ascii
> > > Content-Transfer-Encoding: 7bit
> > > X-CMAE-Envelope:
> > > X-Nonspam: None
> > >
> > >
> > >
> > Any idea why it gets flagged and what rule I need to put in place to
> > prevent it from happening?
> >
> > Thank you.
> >
> > Daryl
>
>


Re: Legitimate message being flagged as spam

2020-11-30 Thread Daryl Rose
Yes, the cf is in the same location as the local.cf.  How do I find the
results SA is giving?  I'll post it once I know how.

Thank you.

Daryl

On Sun, Nov 29, 2020 at 9:46 AM Benny Pedersen  wrote:

> Daryl Rose skrev den 2020-11-29 16:40:
> > I get an email/receipt from a vendor on a payment made.  This message
> > continuously gets flagged as spam even though I've added it to the
> > whitelist_from.cf [7] list.
>
> Is this cf file placed in the same path as local.cf?
>
> What results is SpamAssassin giving?
>
> After you show this, I can help more.
>


Legitimate message being flagged as spam

2020-11-29 Thread Daryl Rose
I get an email/receipt from a vendor on a payment made.  This message
continuously gets flagged as spam even though I've added it to the
whitelist_from.cf list.

Received: (qmail 26946 invoked by uid 30297); 27 Nov 2020 20:52:17 -
> Received: from unknown (HELO p3plibsmtp02-04.prod.phx3.secureserver.net)
>  ([68.178.213.4])
>   (envelope-sender
>  @sendgrid.net>)
>   by p3plsmtp23-04-26.prod.phx3.secureserver.net (qmail-1.03) with
>  SMTP
>   for ; 27 Nov 2020 20:52:17 -
> Received: from o1.3nn.shared.sendgrid.net ([167.89.100.129])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
> (Client did not present a certificate)
> by CMGW with ESMTP
> id ikj3kLwOeFeQXikj3kiQrL; Fri, 27 Nov 2020 13:52:17 -0700
> X-CMAE-Analysis: v=2.4 cv=SdYyytdu c=1 sm=1 tr=0 ts=5fc16701 b=1
> cx=a_idp_nop
>  a=d87GDerR7hnUjA61tTL9RQ==:117 a=d87GDerR7hnUjA61tTL9RQ==:17
>  a=kj9zAlcOel0A:10 a=zPYWiABU:8 a=5-f5ixlAKy49-4MjWEkA:9
>  a=O-7aY5Sf57aUu7p3:21 a=_W_S_7VecoQA:10 a=CjuIK1q_8ugA:10
> a=5LfDJFqq-uUA:10
>  a=AWL3az150N33eOPX4RKm:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22
> a=UDnyf2zBuKT2w-IlGP_r:22
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
> h=from:subject:mime-version:to:content-type:content-transfer-encoding;
> s=smtpapi; bh=5/eVCwWUZDl73ybzUYFmyMNdYNgvUvrvS9S5NJHu8QU=;
> b=kDKnSU9Bb2Mi5khPiwjinzdlOorchkBuNfEWHSiqVeWqCaZPHmztDB3ZeQXPLVkVbLuH
> 6NgvFXajs2aidTnh9bSKSMn4RaTPC+nvQU4DxFoXj0dL9yy9rjBGsdmS0BBD6+qzBl6gSi
> i2UwAMxRGXKbODjK5T5Ll1us3XKXKt9cI=
> Received: by filterdrecv-p3iad2-5dc87598f5-8bxxp with SMTP id
>  filterdrecv-p3iad2-5dc87598f5-8bxxp-19-5FC16700-AD
> 2020-11-27 20:52:16.878084415 + UTC m=+951689.287978429
> Received: from spiderdoor.com (unknown)
> by ismtpd0118p1mdw1.sendgrid.net (SG) with ESMTP
> id ceyKf2F5QpyH7v63ZKS3nA
> Fri, 27 Nov 2020 20:52:16.783 + (UTC)
> Date: Fri, 27 Nov 2020 20:52:16 + (UTC)
> From: no-re...@spiderdoor.com
> Message-ID: <5fc1670079f34_26fd3171828...@api1.mail>
> Subject: Payment Receipt for Unit G030 - paid from SpiderApp
> Mime-Version: 1.0
> X-SG-EID:
> To: i...@myspace.rent, 
> X-Entity-ID: eEuAPys4acQ9ere1FZlp6A==
> Content-Type: text/html; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> X-CMAE-Envelope:
> X-Nonspam: None
>
>
>
Any idea why it gets flagged and what rule I need to put in place to
prevent it from happening?

Thank you.

Daryl


Re: Crap getting through

2020-11-09 Thread Daryl Rose
Sorry, I deleted it right away.  I normally delete that crap as soon as it
comes in.  I'll remember to keep it next time I get something so I can
post the headers.

Daryl

On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen  wrote:

> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out (change
> to "") - to pastebin, or to a similar site - then reply here with
> the link. It is difficult to give specific suggestions without having the
> raw underlying text of the message (w/headers). But please try to avoid
> pasting that directly to this list. Thanks!
>
> Rob McEwen
>
>
> On 11/8/2020 5:00 PM, Daryl Rose wrote:
>
> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address.  However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=  *
>
> I received another one that was meant to be an Amazon Prime Membership
> failure.   How can I block these?  The last time I inquired about phishing,
> it was suggested to install KAM, which I did, but this crap is still
> getting through.  Any other suggestions?
>
> Thank you.
>
> Daryl
>
>
>
>
> --
> Rob McEwen, invaluement
>
>


Crap getting through

2020-11-08 Thread Daryl Rose
I'm getting obvious phishing attempts. This one was made to look like it
was from Wells Fargo with an obvious spoofed email address.  However, when
I examined the headers, the From Address was this garbage:
*=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=  *

I received another one that was meant to be an Amazon Prime Membership
failure.   How can I block these?  The last time I inquired about phishing,
it was suggested to install KAM, which I did, but this crap is still
getting through.  Any other suggestions?

Thank you.

Daryl


Re: Catching Phishing messages

2020-09-21 Thread Daryl Rose
I don't have the email server, it's hosted by a provider.  This provider
does a crappy job at filtering spam and phishing, so I am running ISBG and
Spamassassin to block the spam and phishing.

Thanks

Daryl

On Mon, Sep 21, 2020 at 7:33 AM Bryan K. Walton <
bwalton+1576874...@leepfrog.com> wrote:

> On Sun, Sep 20, 2020 at 09:35:22AM -0500, Daryl Rose wrote:
> > I tend to get a lot of phishing attempts, and they all get through.
> >
> > This appears to come from Apple, but obviously is not.
>
> Not a spamassassin solution, but Apple has a DMARC policy of quarantine
> for those types of emails.  If you implement dmarc policy checking on
> your mail server and enforce the policy that Apple asks you to follow
> when you receive emails supposedly from apple.com, those phishing
> emails will end up in your mail server's quarantine directory.
>
> -Bryan
>


Re: Catching Phishing messages

2020-09-21 Thread Daryl Rose
I'm not familiar with RBL.  What and how would I use it?

Thanks

Daryl

On Sun, Sep 20, 2020 at 9:42 AM sebast...@debianfan.de <
sebast...@debianfan.de> wrote:

> What about rbl integration in spamassassin?
>
> On 20 September 2020 at 16:35:22 MESZ, Daryl Rose  > wrote:
>>
>> I tend to get a lot of phishing attempts, and they all get through.
>>
>> This appears to come from Apple, but obviously is not.
>>
>>   Subject: Re: Purchase Notification - Here is confirmation of your order
>>>
>>
>>
>> Mail From:
>>> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222...@v2345t3w4t0inbox13.com
>>
>>
>> I can blacklist the email address, but I know that won't help.  Is there
>> a rule that I can set up to catch more phishing attempts?
>>
>> Thanks
>>
>> Daryl
>>
>
> --
> This message was sent from my Android device with K-9 Mail.
>


Re: Catching Phishing messages

2020-09-21 Thread Daryl Rose
I am not using the KAM.cf rule set.  I found the script on github.  Can I
just drop it into /etc/mail/spamassassin, stop/start spamassassin and start
catching phishing emails?

Thanks

Daryl

On Sun, Sep 20, 2020 at 10:32 AM Kevin A. McGrail 
wrote:

> Are you using the KAM.cf ruleset?
>
> Can you manually test the email and give the output from the report?  Or
> put a spample up on pastebin?
>
>
> On 9/20/2020 10:35 AM, Daryl Rose wrote:
>
> I tend to get a lot of phishing attempts, and they all get through.
>
> This appears to come from Apple, but obviously is not.
>
>   Subject: Re: Purchase Notification - Here is confirmation of your order
>
>
> Mail From:
>> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222...@v2345t3w4t0inbox13.com
>
>
> I can blacklist the email address, but I know that won't help.  Is there a
> rule that I can set up to catch more phishing attempts?
>
> Thanks
>
> Daryl
>
> --
> Kevin A. McGrail
> kmcgr...@apache.org
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>


Re: Catching Phishing messages

2020-09-21 Thread Daryl Rose
I understand what you're saying.  Yes, my email client only shows the fake
email address, so to find the actual email address, I copy the header
contents into an email header analyzer.  I prefer https://mailheader.org/.
It breaks apart the header really nicely and I can see the actual email
address.

Thanks

Daryl

On Sun, Sep 20, 2020 at 11:34 PM @lbutlr  wrote:

> On 20 Sep 2020, at 08:35, Daryl Rose  wrote:
> > I can blacklist the email address, but I know that won't help.  Is there
> a rule that I can set up to catch more phishing attempts?
>
> SPF and DMARC seem to be the only ways to deal with spams from large
> senders that are faked, but what is considered ‘faked’ may not always match
> expectations.
>
> As an example, with many GUI mail clients the client shows the “nice” part
> of the from, and does not show the actual address. So some scammer can send
> an email from
>
> From: “supportad...@paypal.com” 
>
> And the recipient will only see a fake PayPal address.
>
>
> --
> "...and Digby considered how much he liked salt..."


Catching Phishing messages

2020-09-20 Thread Daryl Rose
I tend to get a lot of phishing attempts, and they all get through.

This appears to come from Apple, but obviously is not.

  Subject: Re: Purchase Notification - Here is confirmation of your order


Mail From:
> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222...@v2345t3w4t0inbox13.com


I can blacklist the email address, but I know that won't help.  Is there a
rule that I can set up to catch more phishing attempts?

Thanks

Daryl


Re: How to write a rule to block phishing?

2020-06-19 Thread Daryl Rose
I thought that 5 was an average number and that lowering it improves spam
hits; I may end up getting legitimate emails flagged as spam, but I can add
the address to a whitefrom_list.  I read that in more than one location.

I believe that I have the required score set to 2.0 or 2.5, or somewhere
around that.  I'm not able to look at this moment.   But you're saying that
if I change it back to the default score of 5, then I'll catch more spam?

Thanks

Daryl

On Thu, Jun 18, 2020 at 11:02 AM @lbutlr  wrote:

> On 15 Jun 2020, at 17:18, Daryl Rose  wrote:
> > I analyzed the headers, the message comes from a server here in the
> United States, the spam score is 5, and SpamAssassin says "No Spam".
>
> SpamAssassin thinks the mail is spam if it scored 5. Someone (you?) has
> changed the default spam score from 5.0 to some other number.
>
> Doing this will result in spam being marked as not spam.
>
>
>
>
> --
> The whole thing that makes a mathematician's life worthwhile is that
> he gets the grudging admiration of three or four colleagues
>
>
>


How to write a rule to block phishing?

2020-06-15 Thread Daryl Rose
So, I received an email from "service.i...@paypal.com", Subject "Your
PayPaI account has been limited".   This is clearly a phishing attempt and
not a legitimate email from paypal.

I analyzed the headers, the message comes from a server here in the United
States, the spam score is 5, and SpamAssassin says "No Spam".  Yea!!
Only not yea, because it's clearly a phishing attempt.

Normally I just add the email address to a blacklist_from.cf file and stop
it that way, but adding "service.i...@paypal.com" to the blackfrom list
would block any legitimate email from PayPal.

So how does a person write a rule for something like this?  I've never
written rules before and not really sure how to.

Thanks

Daryl
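The three From: header patterns raised across these threads can be checked mechanically: the Unicode look-alike display name quoted in "Crap getting through", the "PayPaI" spelling in this post, and the display name that is itself an address on another domain that @lbutlr describes. The Python below is an added example, not SpamAssassin code or anything posted to the list; the brand list, confusable map and sample headers are constructed, and the sender addresses under example.test are placeholders.

```python
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Brands to protect (constructed list) and ASCII characters commonly
# substituted for look-alikes, as in "PayPaI".
PROTECTED_BRANDS = ("wellsfargo", "paypal", "apple", "amazon")
ASCII_CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})

def skeleton(name: str) -> str:
    """Plain-ASCII comparison key: strip accents and combining marks
    (NFKD), map common ASCII look-alikes, drop spaces and case."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    plain = plain.encode("ascii", "ignore").decode()
    return plain.translate(ASCII_CONFUSABLES).replace(" ", "").lower()

def check_from(raw_from: str) -> list[str]:
    """Reasons a raw From: value looks like brand impersonation
    (empty list: none of the three checks fired)."""
    decoded = str(make_header(decode_header(raw_from)))  # RFC 2047 words
    name, addr = parseaddr(decoded)
    actual_domain = addr.rpartition("@")[2].lower()
    literal = name.replace(" ", "").lower()
    key = skeleton(name)
    reasons = []
    for brand in PROTECTED_BRANDS:
        if brand not in key:
            continue
        if any(ord(c) > 127 for c in name):
            reasons.append(f"unicode look-alike of {brand}")
        elif brand not in literal:
            reasons.append(f"ascii look-alike of {brand}")
    if "@" in name:  # the display name is itself an address
        claimed_domain = name.rpartition("@")[2].lower()
        if claimed_domain != actual_domain:
            reasons.append(f"display name claims {claimed_domain}, sent from {actual_domain}")
    return reasons

# Constructed samples modelled on the headers quoted in the threads;
# the addresses under example.test are placeholders.
SAMPLES = {
    "wells": "=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= <alerts@example.test>",
    "paypai": '"PayPaI Service" <service@mailer.example.test>',
    "nice_part": '"supportadmin@paypal.com" <noreply@example.test>',
    "clean": '"Daryl Rose" <daryl@example.test>',
}

if __name__ == "__main__":
    print({label: check_from(hdr) or "ok" for label, hdr in SAMPLES.items()})
```

The encoded word in the "wells" sample is the one quoted in "Crap getting through"; it decodes to "WễllsḞargo Bank", which the skeleton reduces to the protected brand.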


How to block chimpmail emails?

2020-03-10 Thread Daryl Rose
I receive several marketing emails from chimpmail.  I've tried adding the
from email address to the blackfrom_list, but that does not block
chimpmail.  How can a person block these?

Thank you.

Daryl


External whitelist_from and blacklist_from lists

2019-11-16 Thread Daryl Rose
Can I have external whitelist_from and blacklist_from lists?  Currently
they're in the users_prefs file and are growing.  I would prefer to have an
external list and keep them out of the users_prefs file.

Thanks

Daryl