Re: Problem installing Spamassassin 4.0.0 on Ubuntu 23.10 Server

2024-02-13 Thread Niels Kobschätzki

> On Feb 14, 2024, at 06:12, Ken Wright  wrote:
> 
> I've built a mail server and I wanted to include Spamassassin.  As noted
> above, the machine is running Ubuntu Server 23.10, so I started with
> 
>   sudo apt install spamassassin spamc
> 
> but I can't start the spamassassin.service; the error message I get
> when I run
> 
>   sudo systemctl start spamassassin
> 
> says "Failed to start spamassassin.service: Unit spamassassin.service
> not found."  Spamd, however, is active and running.  Is this normal?
> If it isn't, what can I do to correct things?
> 
> Further information available on request.  Thanks in advance!

The service seems to have been renamed. It is the same on Debian. You also now 
have to change /etc/default/spamd instead of /etc/default/spamassassin for 
start-up options.

Niels



Problem installing Spamassassin 4.0.0 on Ubuntu 23.10 Server

2024-02-13 Thread Ken Wright
I've built a mail server and I wanted to include Spamassassin.  As noted
above, the machine is running Ubuntu Server 23.10, so I started with

sudo apt install spamassassin spamc

but I can't start the spamassassin.service; the error message I get
when I run

sudo systemctl start spamassassin

says "Failed to start spamassassin.service: Unit spamassassin.service
not found."  Spamd, however, is active and running.  Is this normal? 
If it isn't, what can I do to correct things?

Further information available on request.  Thanks in advance!

Ken


Re: FORGED_HOTMAIL_RCVD2

2024-02-08 Thread giovanni

On 1/26/24 12:15, Matus UHLAR - fantomas wrote:
> On 26.01.24 11:03, Rupert Gallagher wrote:
>> Subject: FORGED_HOTMAIL_RCVD2
>>
>> Rule broken. Please update.
>
> can you provide more info, perhaps headers?
>
> header FORGED_HOTMAIL_RCVD2 eval:check_for_no_hotmail_received_headers()

I've found a sample, fixed in trunk in r1915645.

 Regards
  Giovanni




DecodeShortURI problems

2024-02-06 Thread Wolfgang Breyha
Hi!

I recently checked the performance of the DecodeShortURI Plugin and noticed
some oddities:

*) snip.ly seems to need url_shortener_get

*) fb.me always responds with 200 even with GET and User-Agent set

*) t.co seems to respond with 200 if User-Agent is a "valid" Browser, but
with 30x redirects if I use plain lwp request. So currently the plugin
always sees 200 and is not usable with short_url_200(). Looks like it needs
a config option to set a second/alternative User-Agent for some shorteners.

*) .app.link seems to use JS to set window.top.location and always returns 200

*) linktr.ee seems to always return 200 ... doesn't even change to location

*) lnkd.in returns 200 for all external URLs which do not point to
linked.in itself presenting a warning page. Not usable with short_url_200
as well.

*) qrco.de seems to always return 200 and uses JS magic to load the pages

Especially the t.co behavior hurts a lot and limits the use of
SHORT_URL_200

Greetings, Wolfgang
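
The response kinds listed in the message above (30x with a Location header, 200 with a script-driven redirect, 200 with no usable target) can be told apart offline once a response has been captured. This is an added example, not part of the original post and not the DecodeShortURI plugin's code; the hosts, headers and bodies are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*content=["'][^"']*?url=([^"'>\s]+)""",
    re.IGNORECASE,
)
# window.top.location = "..."  /  location.href = '...'
JS_ASSIGN = re.compile(
    r"""\b(?:window\.|top\.|document\.)*location(?:\.href)?\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
# location.replace("...")  /  location.assign("...")
JS_CALL = re.compile(
    r"""location\.(?:replace|assign)\(\s*["']([^"']+)["']""",
    re.IGNORECASE,
)


def classify_response(short_url, status, headers, body=""):
    """Return (kind, target) for one captured shortener response.

    kind is one of: http-redirect, meta-refresh, js-redirect,
    opaque-200 (a 200 with no target a filter can extract), other.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES and hdrs.get("location"):
        return ("http-redirect", urljoin(short_url, hdrs["location"]))
    if status == 200:
        for kind, pattern in (
            ("meta-refresh", META_REFRESH),
            ("js-redirect", JS_ASSIGN),
            ("js-redirect", JS_CALL),
        ):
            match = pattern.search(body)
            if match:
                return (kind, urljoin(short_url, match.group(1)))
        return ("opaque-200", None)
    return ("other", None)


# Constructed responses: (short URL, status, headers, body).
SAMPLES = [
    ("https://short.example/a1", 301,
     {"Location": "https://landing.example/offer"}, ""),
    ("https://short.example/b2", 200, {"Content-Type": "text/html"},
     '<script>window.top.location = "https://landing.example/app";</script>'),
    ("https://short.example/c3", 200, {"Content-Type": "text/html"},
     '<meta http-equiv="refresh" content="0; url=https://landing.example/m">'),
    ("https://short.example/d4", 200, {"Content-Type": "text/html"},
     '<p>You are leaving this site.</p>'
     '<a href="https://landing.example/w">Continue</a>'),
]


def classify_all(samples=SAMPLES):
    return [classify_response(*sample) for sample in samples]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, classify_all()):
        print(sample[0], sample[1], "->", result)
```
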



Re: QR code phish?

2024-02-05 Thread Matus UHLAR - fantomas

On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
   Hi Alex, we are definitely seeing them.  There is code in trunk for this
   with one of the plugins and rules in the KAM ruleset using the new
   code.  LMK if you need more info.



On 2/4/24 18:56, Alex wrote:

It looks like it's tied to the Raptor service and the ExtractText plugin. Do 
you have more details on doing that?



On 05.02.24 08:31, giova...@paclan.it wrote:

If you do not use any other ExtractText config line for image file types, 
zbarimg(1) can be configured on SpamAssassin 4.0 as well.



On 2/5/24 09:49, Matus UHLAR - fantomas wrote:

what if you do?

does ExtractText only run one of configured programs for the same type of file?


On 05.02.24 12:14, giova...@paclan.it wrote:

Exactly, ExtractText only runs the first configured program for the same type of 
file.


That's unfortunate, I already use it for OCR.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: QR code phish?

2024-02-05 Thread giovanni

On 2/5/24 09:49, Matus UHLAR - fantomas wrote:

On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
   Hi Alex, we are definitely seeing them.  There is code in trunk for this
   with one of the plugins and rules in the KAM ruleset using the new
   code.  LMK if you need more info.



On 2/4/24 18:56, Alex wrote:

It looks like it's tied to the Raptor service and the ExtractText plugin. Do 
you have more details on doing that?


On 05.02.24 08:31, giova...@paclan.it wrote:

you can configure ExtractText to run zbarimg(1) to extract uris from QR codes.
zbarimg(1) is available at https://zbar.sf.net or packaged on many OS.


in Debian (I assume Ubuntu as well) it's in the zbar-tools package


If you do not use any other ExtractText config line for image file types, 
zbarimg(1) can be configured on SpamAssassin 4.0 as well.


what if you do?

does ExtractText only run one of configured programs for the same type of file?


Exactly, ExtractText only runs the first configured program for the same type of 
file.
 Giovanni




Re: QR code phish?

2024-02-05 Thread Matus UHLAR - fantomas

On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
   Hi Alex, we are definitely seeing them.  There is code in trunk for this
   with one of the plugins and rules in the KAM ruleset using the new
   code.  LMK if you need more info.



On 2/4/24 18:56, Alex wrote:

It looks like it's tied to the Raptor service and the ExtractText plugin. Do 
you have more details on doing that?


On 05.02.24 08:31, giova...@paclan.it wrote:

you can configure ExtractText to run zbarimg(1) to extract uris from QR codes.
zbarimg(1) is available at https://zbar.sf.net or packaged on many OS.


in Debian (I assume Ubuntu as well) it's in the zbar-tools package


If you do not use any other ExtractText config line for image file types, 
zbarimg(1) can be configured on SpamAssassin 4.0 as well.


what if you do?

does ExtractText only run one of configured programs for the same type of 
file?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.


Re: QR code phish?

2024-02-04 Thread giovanni

On 2/4/24 18:56, Alex wrote:

Hi,

On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:

Hi Alex, we are definitely seeing them.  There is code in trunk for this
with one of the plugins and rules in the KAM ruleset using the new
code.  LMK if you need more info.


It looks like it's tied to the Raptor service and the ExtractText plugin. Do 
you have more details on doing that?


you can configure ExtractText to run zbarimg(1) to extract uris from QR codes.
zbarimg(1) is available at https://zbar.sf.net or packaged on many OS.
If you do not use any other ExtractText config line for image file types, 
zbarimg(1) can be configured on SpamAssassin 4.0 as well.

 Regards
  Giovanni





Re: QR code phish?

2024-02-04 Thread Alex
Hi,

On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail  wrote:

> Hi Alex, we are definitely seeing them.  There is code in trunk for this
> with one of the plugins and rules in the KAM ruleset using the new
> code.  LMK if you need more info.
>

It looks like it's tied to the Raptor service and the ExtractText plugin.
Do you have more details on doing that?

Thanks,
Alex


Community over Code EU 2024 Travel Assistance Applications now open!

2024-02-03 Thread Gavin McDonald
Hello to all users, contributors and Committers!

The Travel Assistance Committee (TAC) are pleased to announce that
travel assistance applications for Community over Code EU 2024 are now
open!

We will be supporting Community over Code EU, Bratislava, Slovakia,
June 3rd - 5th, 2024.

TAC exists to help those that would like to attend Community over Code
events, but are unable to do so for financial reasons. For more info
on this year's applications and qualifying criteria, please visit the
TAC website at <https://tac.apache.org/>. Applications are already
open on https://tac-apply.apache.org/, so don't delay!

The Apache Travel Assistance Committee will only be accepting
applications from those people that are able to attend the full event.

Important: Applications close on Friday, March 1st, 2024.

Applicants have until the closing date above to submit their
applications (which should contain as much supporting material as
required to efficiently and accurately process their request), this
will enable TAC to announce successful applications shortly
afterwards.

As usual, TAC expects to deal with a range of applications from a
diverse range of backgrounds; therefore, we encourage (as always)
anyone thinking about sending in an application to do so ASAP.

For those that will need a Visa to enter the Country - we advise you apply
now so that you have enough time in case of interview delays. So do not
wait until you know if you have been accepted or not.

We look forward to greeting many of you in Bratislava, Slovakia in June,
2024!

Kind Regards,

Gavin

(On behalf of the Travel Assistance Committee)



Re: QR code phish?

2024-02-01 Thread Kevin A. McGrail
Hi Alex, we are definitely seeing them.  There is code in trunk for this 
with one of the plugins and rules in the KAM ruleset using the new 
code.  LMK if you need more info.


On 2/1/2024 4:06 PM, Alex wrote:

Hi,

I'm just wondering if there is any mechanism for detecting and 
blocking QR code emails? Would that require using image detection? 
Perhaps instead it's a database of known malicious QR codes?


Has anyone even really seen any?



--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



QR code phish?

2024-02-01 Thread Alex
Hi,

I'm just wondering if there is any mechanism for detecting and blocking QR
code emails? Would that require using image detection? Perhaps instead it's
a database of known malicious QR codes?

Has anyone even really seen any?


mimeheader multiple?

2024-02-01 Thread Jared Hall via users

SA 3.4.6.

Is there any way to create a rule that hits emails with duplicate
filename attachments?

   MAIN HEADER DECLARATION:

   Content-Type: multipart/mixed; boundary="=-6aIz+S039AYG/4raFdExeg=="

   BODY PART MIME HEADERS:

   --=-6aIz+S039AYG/4raFdExeg==
   Content-Type: application/octet-stream; name=1341251248.pdf
   Content-Disposition: attachment; filename=1341251248.pdf
   Content-Transfer-Encoding: base64

   

   --=-6aIz+S039AYG/4raFdExeg==
   Content-Type: application/octet-stream; name=1341251248.pdf
   Content-Disposition: attachment; filename=1341251248.pdf
   Content-Transfer-Encoding: base64

   

I can hit on the Content-Disposition header regex fine, but tflags/multiple
doesn't seem to work here.  I'm not sure if this is a problem (1) with the
Mimeheader plugin, (2) working as designed, (3) or a fault in my system.

Any suggestions?

Thanks,

-- Jared Hall
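
The condition asked about above (two attachments carrying the same filename) can be checked outside SpamAssassin with Python's standard `email` package. This is an added example, not a SpamAssassin rule and not part of the original post; the sample message reuses the MIME headers quoted in the post with constructed addresses and placeholder bodies, and the function names are hypothetical.

```python
import hashlib
from collections import defaultdict
from email import message_from_string

# Constructed message: boundary and filenames as quoted in the post,
# addresses and base64 bodies are placeholders.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.net
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-6aIz+S039AYG/4raFdExeg=="

--=-6aIz+S039AYG/4raFdExeg==
Content-Type: application/octet-stream; name=1341251248.pdf
Content-Disposition: attachment; filename=1341251248.pdf
Content-Transfer-Encoding: base64

JVBERi0xLjQK

--=-6aIz+S039AYG/4raFdExeg==
Content-Type: application/octet-stream; name=1341251248.pdf
Content-Disposition: attachment; filename=1341251248.pdf
Content-Transfer-Encoding: base64

JVBERi0xLjQK

--=-6aIz+S039AYG/4raFdExeg==--
"""


def attachments(msg):
    """Yield (normalised filename, SHA-256 of decoded payload) per leaf part.

    get_filename() reads Content-Disposition's filename parameter and falls
    back to Content-Type's name parameter, so either header is enough.
    """
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        yield name.strip().lower(), hashlib.sha256(payload).hexdigest()


def duplicate_filenames(raw_message):
    """Map each filename used more than once to its count and whether
    every copy decodes to the same bytes."""
    seen = defaultdict(list)
    for name, digest in attachments(message_from_string(raw_message)):
        seen[name].append(digest)
    return {
        name: {"count": len(digests), "identical_payload": len(set(digests)) == 1}
        for name, digests in seen.items()
        if len(digests) > 1
    }


if __name__ == "__main__":
    print(duplicate_filenames(SAMPLE))
```
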

Re: Bayes "corpus" - how old?

2024-01-31 Thread Bill Cole

On 2024-01-31 at 08:16:13 UTC-0500 (Wed, 31 Jan 2024 14:16:13 +0100)
Matus UHLAR - fantomas 
is rumored to have said:


On 2024-01-30 at 12:08:18 UTC-0500 (Tue, 30 Jan 2024 18:08:18 +0100)
Matus UHLAR - fantomas 
is rumored to have said:

[...]
autolearn may help if your DB is well maintained, although I have 
disabled nearly all rules with negative scores, like


RCVD_IN_DNSWL_*
RCVD_IN_IADB_*
DKIMWL_WL_*
RCVD_IN_MSPIKE_*
RCVD_IN_VALIDITY_*
USER_IN_DEF_*
ALL_TRUSTED

etc, because spammers often abuse these.
I mean, they may have negative score but don't train on them.


On 30.01.24 15:31, Bill Cole wrote:
If spammers can 'abuse' ALL_TRUSTED you have a major problem. Either 
a serious misconfiguration or compromised machines in 
trusted_networks.


Can't ALL_TRUSTED happen if spammer delivers mail directly to my 
network,

or, if last mail server removes Received: headers?

I think this happened to me in the past but I may be wrong


I just did a manual test on my personal machine to confirm: mail entered 
manually in a connection to port 25 from an unprivileged network with no 
Received headers did NOT get an ALL_TRUSTED match.


The semantics around the word 'trusted' in SA are subtle and arcane. 
There's an important distinction between trusting that a particular MTA 
writes transparent and honest Received headers and trusting that a 
particular MTA does not relay spam. For example, I have 2 address blocks 
in my trusted_networks that are used by the ASF for forwarding, which I 
needed precisely because those machines sometimes forward spam and I 
need SA to look beyond the immediate clients, which I know tell me the 
truth about where they get the spam they offer me.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Bayes "corpus" - how old?

2024-01-31 Thread Matus UHLAR - fantomas

On 2024-01-30 at 12:08:18 UTC-0500 (Tue, 30 Jan 2024 18:08:18 +0100)
Matus UHLAR - fantomas 
is rumored to have said:

[...]
autolearn may help if your DB is well maintained, although I have 
disabled nearly all rules with negative scores, like


RCVD_IN_DNSWL_*
RCVD_IN_IADB_*
DKIMWL_WL_*
RCVD_IN_MSPIKE_*
RCVD_IN_VALIDITY_*
USER_IN_DEF_*
ALL_TRUSTED

etc, because spammers often abuse these.
I mean, they may have negative score but don't train on them.


On 30.01.24 15:31, Bill Cole wrote:
If spammers can 'abuse' ALL_TRUSTED you have a major problem. Either a 
serious misconfiguration or compromised machines in trusted_networks.


Can't ALL_TRUSTED happen if spammer delivers mail directly to my network,
or, if last mail server removes Received: headers?

I think this happened to me in the past but I may be wrong
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors


Re: Bayes "corpus" - how old?

2024-01-30 Thread Bill Cole

On 2024-01-30 at 12:08:18 UTC-0500 (Tue, 30 Jan 2024 18:08:18 +0100)
Matus UHLAR - fantomas 
is rumored to have said:

[...]
autolearn may help if your DB is well maintained, although I have 
disabled nearly all rules with negative scores, like


RCVD_IN_DNSWL_*
RCVD_IN_IADB_*
DKIMWL_WL_*
RCVD_IN_MSPIKE_*
RCVD_IN_VALIDITY_*
USER_IN_DEF_*
ALL_TRUSTED

etc, because spammers often abuse these.
I mean, they may have negative score but don't train on them.


If spammers can 'abuse' ALL_TRUSTED you have a major problem. Either a 
serious misconfiguration or compromised machines in trusted_networks.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Bayes "corpus" - how old?

2024-01-30 Thread Matus UHLAR - fantomas

On 30.01.24 09:59, joe a wrote:

Advisable to "prune" Bayes data based on age?

While cleaning up recent Ham/Spam, found my "saved SPAM" goes back 
to 2013.


Why that's over . . . wait, I need to take off my socks . . .

So, how old is "too old".  For saved SPAM?



On 1/30/2024 10:58:52, Matus UHLAR - fantomas wrote:

I did retrain on old spam a few times and it was working fine.
Depends on how much mail you have:

0.000  0   7542  0  non-token data: nspam
0.000  0  80869  0  non-token data: nham
0.000  0 996032  0  non-token data: ntokens
0.000  0 1172945918  0  non-token data: oldest atime

so, even old spam may be fine. You however need much of ham to train 
otherwise everything starts looking like spam.


On 30.01.24 11:12, joe a wrote:
Recently missed spam has increased a bit, so I was dropping it into 
"missed spam" and went poking through marked spam and found lots of 
"missed ham". Which triggered my pondering.


training on false-positives/false-negatives is important to have it up to 
date.


full retraining only makes sense if you lose your DB, it gets corrupt or 
starts misclassifying too often (may the reason be known or not).


autolearn may help if your DB is well maintained, although I have disabled 
nearly all rules with negative scores, like


RCVD_IN_DNSWL_*
RCVD_IN_IADB_*
DKIMWL_WL_*
RCVD_IN_MSPIKE_*
RCVD_IN_VALIDITY_*
USER_IN_DEF_*
ALL_TRUSTED

etc, because spammers often abuse these.
I mean, they may have negative score but don't train on them.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: Bayes "corpus" - how old?

2024-01-30 Thread joe a

On 1/30/2024 10:58:52, Matus UHLAR - fantomas wrote:

On 30.01.24 09:59, joe a wrote:

Advisable to "prune" Bayes data based on age?

While cleaning up recent Ham/Spam, found my "saved SPAM" goes back to 
2013.


Why that's over . . . wait, I need to take off my socks . . .

So, how old is "too old".  For saved SPAM?



I did retrain on old spam a few times and it was working fine.
Depends on how much mail you have:

0.000  0   7542  0  non-token data: nspam
0.000  0  80869  0  non-token data: nham
0.000  0 996032  0  non-token data: ntokens
0.000  0 1172945918  0  non-token data: oldest atime

so, even old spam may be fine. You however need much of ham to train 
otherwise everything starts looking like spam.




Recently missed spam has increased a bit, so I was dropping it into 
"missed spam" and went poking through marked spam and found lots of 
"missed ham". Which triggered my pondering.





Re: Bayes "corpus" - how old?

2024-01-30 Thread Bill Cole

On 2024-01-30 at 09:59:52 UTC-0500 (Tue, 30 Jan 2024 09:59:52 -0500)
joe a 
is rumored to have said:


Advisable to "prune" Bayes data based on age?


Yes. That is why it has an expiration model. Expiration may be de facto 
blocked on some busy systems so you may need to explicitly force it 
occasionally. The command "sa-learn --dump magic" will show you 
expiration and other Bayes metadata.


While cleaning up recent Ham/Spam, found my "saved SPAM" goes back to 
2013.


Why that's over . . . wait, I need to take off my socks . . .


I've still got some almost 3x as old. BUT: I do not use it for training 
SA today.



So, how old is "too old".  For saved SPAM?


I would suggest a year as the outer edge of Bayes usefulness.

I find it helpful to keep my decades of garbage because I use them (and 
my ham archive) in developing prospective rules. There are non-obvious 
fingerprints in some spam that imply decades-long spamming operations.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
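
The figures that `sa-learn --dump magic` prints can be turned into a quick health summary. This is an added example, not part of any message in this thread and not SpamAssassin code; the input is the four lines of output quoted elsewhere in the thread, the function names are hypothetical, and the 365-day default is an assumption applied here to the oldest token access time.

```python
import re
import time
from datetime import datetime, timezone

# The four metadata lines quoted in this thread (an abridged dump).
SAMPLE_DUMP = """\
0.000  0   7542  0  non-token data: nspam
0.000  0  80869  0  non-token data: nham
0.000  0 996032  0  non-token data: ntokens
0.000  0 1172945918  0  non-token data: oldest atime
"""

# Columns: probability, spam count, ham count (carries the value for
# metadata rows), atime, then the "non-token data: <name>" label.
LINE = re.compile(r"^\s*\S+\s+\d+\s+(\d+)\s+\d+\s+non-token data:\s*(.+?)\s*$")


def parse_dump_magic(text):
    """Return {metadata name: integer value} for every metadata row."""
    meta = {}
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            meta[match.group(2)] = int(match.group(1))
    return meta


def summarize(meta, now_epoch, max_age_days=365):
    """Summarise database age and training balance.

    now_epoch is passed in so the result is reproducible; max_age_days
    is an assumed review threshold, not a SpamAssassin setting.
    """
    oldest = datetime.fromtimestamp(meta["oldest atime"], tz=timezone.utc)
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    age_days = (now - oldest).days
    nspam, nham = meta["nspam"], meta["nham"]
    return {
        "oldest_atime": oldest.isoformat(),
        "age_days": age_days,
        "older_than_limit": age_days > max_age_days,
        "ham_per_spam": round(nham / nspam, 2) if nspam else None,
        "tokens": meta["ntokens"],
    }


if __name__ == "__main__":
    print(summarize(parse_dump_magic(SAMPLE_DUMP), int(time.time())))
```
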


Re: Bayes "corpus" - how old?

2024-01-30 Thread Matus UHLAR - fantomas

On 30.01.24 09:59, joe a wrote:

Advisable to "prune" Bayes data based on age?

While cleaning up recent Ham/Spam, found my "saved SPAM" goes back to 
2013.


Why that's over . . . wait, I need to take off my socks . . .

So, how old is "too old".  For saved SPAM?



I did retrain on old spam a few times and it was working fine.
Depends on how much mail you have:

0.000  0   7542  0  non-token data: nspam
0.000  0  80869  0  non-token data: nham
0.000  0 996032  0  non-token data: ntokens
0.000  0 1172945918  0  non-token data: oldest atime

so, even old spam may be fine. You however need much of ham to train 
otherwise everything starts looking like spam.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.


Re: install SA p a i n f u l l

2024-01-30 Thread Bill Cole

On 2024-01-29 at 23:06:07 UTC-0500 (Tue, 30 Jan 2024 14:06:07 +1000)
Nick Edwards 
is rumored to have said:


omfg
even killing it, then having to kill every individual  sub process
manually...
re run using  -f

and it still loops and times out.

 very braindead install process. looks like there is no way for
spamassassin to install, I never recall having this problem ever 
before  on

all 3.x versions, but 4.0.0 is a useless bitch,  i'm about to install
rspamd


I'm sorry to hear that you're having such problems. I don't know of any 
major changes to the install process in 4.x, so without any specific 
details I can't really offer a solution.


I can say that AS ALWAYS it is a bad idea to build and test ANY software 
as 'root' and SA does not accommodate doing so. There may well be places 
where the tests fail slowly if you run them as root. The only step you 
should perform as root is the actual installation. Another possible 
issue arising from how some platforms (e.g. RedHat) use Perl's 
"local::lib" mechanism by default, giving each user their own bespoke 
Perl environment. You must disable that when building and testing SA.


I'm not sure how exactly one should use the cpan tool to install SA or 
any other Perl package designed as a system-wide facility. I think it is 
generally better to either use distro-provided packages or to do the 
real install from source with this arcane spell:


  perl Makefile.PL
  make build && make test
  sudo make install

On Tue, Jan 30, 2024 at 1:36 PM Nick Edwards wrote:


Venting

Set up a new server today, took no time in postfix dovecot and 
amavisd,

apache roundcube, and everything, then came spamassassin

thankfully I chose to install this whilst we left for lunch, but 
45mins
later to my horror it was still trying to install, why?  because its 
tests

failed for timeouts this, timeouts that,  everytime its set keeps on
retrying reporting

error: config: no rules were found!  Do you need to run 'sa-update'?
config: no rules were found!  Do you need to run 'sa-update'?

of fricken course there is no rules, its a new fricken install that 
cpan

hasn't got around to yet to allow us to run sa-update.

perhaps spamassassin developers can consider not everyone is 
upgrading,
there are some of us trying to get the fricken thing on the fricken 
machine

in the fricken first place.

I am not going to run cpan with force because that may hide *real* 
errors.






--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Bayes "corpus" - how old?

2024-01-30 Thread joe a

Advisable to "prune" Bayes data based on age?

While cleaning up recent Ham/Spam, found my "saved SPAM" goes back to 
2013.


Why that's over . . . wait, I need to take off my socks . . .

So, how old is "too old".  For saved SPAM?





Re: install SA p a i n f u l l

2024-01-30 Thread Matus UHLAR - fantomas

On 30.01.24 13:36, Nick Edwards wrote:

Set up a new server today, took no time in postfix dovecot and amavisd,
apache roundcube, and everything, then came spamassassin



thankfully I chose to install this whilst we left for lunch, but 45mins
later to my horror it was still trying to install, why?  because its tests
failed for timeouts this, timeouts that,  everytime its set keeps on
retrying reporting


Why don't you install SA from packaging system? Don't you use FreeBSD or 
some linux distro?



error: config: no rules were found!  Do you need to run 'sa-update'?
config: no rules were found!  Do you need to run 'sa-update'?

of fricken course there is no rules, its a new fricken install that cpan
hasn't got around to yet to allow us to run sa-update.

perhaps spamassassin developers can consider not everyone is upgrading,
there are some of us trying to get the fricken thing on the fricken machine
in the fricken first place.

I am not going to run cpan with force because that may hide *real* errors.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.


Re: install SA p a i n f u l l

2024-01-29 Thread Nick Edwards
omfg
even killing it, then having to kill every individual  sub process
manually...
re run using  -f

and it still loops and times out.

 very braindead install process. looks like there is no way for
spamassassin to install, I never recall having this problem ever before  on
all 3.x versions, but 4.0.0 is a useless bitch,  i'm about to install
rspamd




On Tue, Jan 30, 2024 at 1:36 PM Nick Edwards 
wrote:

> Venting
>
> Set up a new server today, took no time in postfix dovecot and amavisd,
> apache roundcube, and everything, then came spamassassin
>
> thankfully I chose to install this whilst we left for lunch, but 45mins
> later to my horror it was still trying to install, why?  because its tests
> failed for timeouts this, timeouts that,  everytime its set keeps on
> retrying reporting
>
> error: config: no rules were found!  Do you need to run 'sa-update'?
> config: no rules were found!  Do you need to run 'sa-update'?
>
> of fricken course there is no rules, its a new fricken install that cpan
> hasn't got around to yet to allow us to run sa-update.
>
> perhaps spamassassin developers can consider not everyone is upgrading,
> there are some of us trying to get the fricken thing on the fricken machine
> in the fricken first place.
>
> I am not going to run cpan with force because that may hide *real* errors.
>
>


install SA p a i n f u l l

2024-01-29 Thread Nick Edwards
Venting

Set up a new server today, took no time in postfix dovecot and amavisd,
apache roundcube, and everything, then came spamassassin

thankfully I chose to install this whilst we left for lunch, but 45mins
later to my horror it was still trying to install, why?  because its tests
failed for timeouts this, timeouts that,  everytime its set keeps on
retrying reporting

error: config: no rules were found!  Do you need to run 'sa-update'?
config: no rules were found!  Do you need to run 'sa-update'?

of fricken course there is no rules, its a new fricken install that cpan
hasn't got around to yet to allow us to run sa-update.

perhaps spamassassin developers can consider not everyone is upgrading,
there are some of us trying to get the fricken thing on the fricken machine
in the fricken first place.

I am not going to run cpan with force because that may hide *real* errors.


Re: Adding IP to report

2024-01-29 Thread Linkcheck via users

So there is no solution to this?

Is it possible to add the IP as an argument to a rule's Describe, using 
something like $1 for the detected regex value? If so, how would this be 
implemented?


An actual example is FREEMAIL_ENVFROM_END_DIGIT which has a description 
such as [sfierds31(at)gmail.com]




Re: FORGED_HOTMAIL_RCVD2

2024-01-26 Thread Matus UHLAR - fantomas

On 26.01.24 11:03, Rupert Gallagher wrote:
> Subject: FORGED_HOTMAIL_RCVD2
>
> Rule broken. Please update.

can you provide more info, perhaps headers?

header FORGED_HOTMAIL_RCVD2 eval:check_for_no_hotmail_received_headers()


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


FORGED_HOTMAIL_RCVD2

2024-01-26 Thread Rupert Gallagher
Rule broken. Please update.

Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-20 Thread Byung-Hee HWANG
On Fri, 2024-01-19 at 15:15 +0100, Benny Pedersen wrote:
> Byung-Hee HWANG skrev den 2024-01-19 11:12:
> 
> > I rely on DNSWL for the reputable MX.
> 
> if reputation is 100% needed we all have to make local rescore on all 
> local mails, since reputation is to be local, not external just
> 
> i consider dnswl level 0 to be positive scored, and let the other 
> levels be negative, this fits nicely, but was not designed to be so
> in mta stage
> 

I think "reputation" is a somewhat political term. And each person has
different standards. So it's quite difficult to give a detailed
response to your feedback.

Happy new year, Benny!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread John Hardin

On Fri, 19 Jan 2024, Thomas Cameron wrote:


On 1/19/24 16:32, Byung-Hee HWANG wrote:

 There is a filtering rule in Gmail:

 *Never send it to Spam*

 I apply that rule to extremely important emails such as debian-bugs-
 dist and debian-devel-announce.


You know that. I know that. But trying to explain to the board members I'm 
helping out is... painful.


Very simply worded step by step instructions, with screenshots amended 
with arrows, outlines, highlights and so forth as needed.


...the .sigmonster agrees.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  News flash: Lowest Common Denominator down 50 points
---
 4 days until John Moses Browning's 169th Birthday


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/19/24 16:32, Byung-Hee HWANG wrote:

> There is a filtering rule in Gmail:
>
> *Never send it to Spam*
>
> I apply that rule to extremely important emails such as
> debian-bugs-dist and debian-devel-announce.

You know that. I know that. But trying to explain to the board members 
I'm helping out is... painful.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Byung-Hee HWANG
Hello Thomas,

> But it drops it into the spam folder every time. So when I'm sending 
> emails to someone's alias, they have to check their spam folder. Even
> when they mark it as "not spam," GMail still drops it into the spam 
> folder. It's very frustrating.
> 

There is a filtering rule in Gmail:

*Never send it to Spam*

I apply that rule to extremely important emails such as
debian-bugs-dist and debian-devel-announce.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/19/24 14:33, Matija Nalis wrote:

> You would need to encourage at least several of the recipients (the
> more the better) to click on "Not spam" button on GMail on such
> mails. Then it will (eventually) start accepting them normally.

Yup, that's basically what I've been doing.

> see e.g. 
> https://serverfault.com/questions/953486/repairing-e-mail-domain-reputation-on-google
>
> I suspect that Google might even be doing it on purpose, in order to
> "encourage" even more users to be locked in their e-mail
> walled-garden ecosystem.

Google being anti-competitive? I'm shocked! SHOCKED, I say! 

--
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Matija Nalis
On Fri, Jan 19, 2024 at 10:37:13AM -0600, Thomas Cameron wrote:
> The forwarded email is being *accepted* by GMail. My issue now is that GMail
> drops it into the recipient's spam folder. I suspect it's a reputation
> thing. Once the server is up and running for a while, I'm hoping that GMail
> will stop flagging the emails from the server as spam.


You would need to encourage at least several of the recipients (the
more the better) to click on "Not spam" button on GMail on such
mails. Then it will (eventually) start accepting them normally.

see e.g. 
https://serverfault.com/questions/953486/repairing-e-mail-domain-reputation-on-google

I suspect that Google might even be doing it on purpose, in order to
"encourage" even more users to be locked in their e-mail
walled-garden ecosystem.

-- 
Opinions above are GNU-copylefted.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/7/24 05:40, Matus UHLAR - fantomas wrote:

>> I built email servers for a non-profit I volunteer for.  If email 
>> comes into the server for presid...@myassociation.org, I would 
>> normally just create an alias in /etc/aliases so that emails to 
>> president@ get forwarded to the president's "real" email address, say 
>> presidents_real_em...@gmail.com.
>
> postfix supports expand_owner_alias, which, when you are sending to 
> al...@example.com, will set sender to owner-al...@example.com.
>
> That way SPF should pass.
>
>> The problem is, when I send email to presid...@myassociation.org, 
>> gmail rejects the forwarded email because it appears to come from my 
>> personal domain, not the mythical myassociation.org domain.  DKIM, 
>> DMARC, and SPF all fail, which I totally understand.
>>
>> How can I make this work?
>
> DKIM should not fail, unless you modify the message. Do you modify the 
> message?
>
> On 07.01.24 19:07, Byung-Hee HWANG wrote:
>
>> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88
>>
>> Cite:
>>
>> If your dkim signature is OK, then Gmail does accept all
>> mails. So never use SRS. DKIM is enough.
>
> This is not a good advice. Whoever filters SPF at SMTP time will reject 
> that message. Gmail is not the only mail service available.


Initially, I was seeing errors where GMail didn't list SPF as "passed." 
But after about an hour, it started passing. I think it was an old DNS 
record that finally expired.


The forwarded email is being *accepted* by GMail. My issue now is that 
GMail drops it into the recipient's spam folder. I suspect it's a 
reputation thing. Once the server is up and running for a while, I'm 
hoping that GMail will stop flagging the emails from the server as spam.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Thomas Cameron

On 1/7/24 04:07, Byung-Hee HWANG wrote:

> Hello Thomas,
>
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88
>
> Sincerely, Byung-Hee


The issue is not so much that GMail doesn't accept the email. It does, 
since I have DKIM, DMARC, and SPF set up.


But it drops it into the spam folder every time. So when I'm sending 
emails to someone's alias, they have to check their spam folder. Even 
when they mark it as "not spam," GMail still drops it into the spam 
folder. It's very frustrating.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Benny Pedersen

Byung-Hee HWANG wrote on 2024-01-19 11:12:

> I rely on DNSWL for the reputable MX.

if reputation is 100% needed we all have to make local rescore on all 
local mails, since reputation is to be local, not external just

i consider dnswl level 0 to be positive scored, and let the other 
levels be negative, this fits nicely, but was not designed to be so in 
mta stage




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Benny Pedersen

Marc wrote on 2024-01-19 09:34:

> Hi Byung and Benny, are you having a nice MX party? :)

not needed yet, hehe




Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Benny Pedersen

Byung-Hee HWANG wrote on 2024-01-19 06:16:

> Actually i used Google MX for 10 years. Recently, i created dedicated
> MXs and am continuing to operate them. Plus, the dedicated MXs run on
> Google Cloud and RimuHosting.

it was too weird for me to figure out how to get it working, and possibly 
in the long run also too expensive, one of the problems i spotted is no 
dnssec, who will accept this in 2024 ?

i have considered also protonmail and fastmail, just to name others, i 
lost proton, lost the mails on the account, lost the private key, 
so learned the hard way

for me, hosting my own servers with gentoo is best, no precompiled 
problems at all

> I terminated my Google Workspace commercial account. 2 years ago.

not needed anymore ?, or just too expensive ?, minimal one could have an 
own mta, and then relay with sasl auth to gmail, so this way gmail is 
just mailstorage, and the reverse is in gmail to use external mta, if i 
do anything, i might try it




Re: [UPDATE] Changes to Validity Reputation Data Through DNS

2024-01-19 Thread Tom Bartel
On Thu, Jan 18, 2024 at 6:53 PM Greg Troxel  wrote:

> H
> Tom Bartel  writes:
>
> > Starting March 1, 2024, we will allow up to 10,000 requests per user
> over a
> > 30-day time period. After the 10,000 requests, users must create a
> > MyValidity account to continue using this free service. Upon the creation
> > of a MyValidity account, you will receive continued access to queries
> > through Spam Assassin
>
>
> If a person doesn't have an account, what does "user" mean?  If what you
> really mean is "1 requests from a given IP address over a 30-day
> period" (which seems fine) then just say that.
>

Yes that is what we really mean, I'll update our verbiage accordingly.
Thanks for the clarification!

Tom


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Byung-Hee HWANG
On Fri, 2024-01-19 at 08:34 +, Marc wrote:
> > > Byung-Hee HWANG wrote on 2024-01-08 12:27:
> > > 
> > > > Gmail is my last INBOX. That's enough for me.
> > > 
> > > +1, so you are ready to setup google mx ? :)
> > > 
> > 
> > Hello Benny,
> > 
> > Actually i used Google MX for 10 years. Recently, i created
> > dedicated
> > MXs and am continuing to operate them. Plus, the dedicated MXs run
> > on
> > Google Cloud and RimuHosting.
> > 
> > I terminated my Google Workspace commercial account. 2 years ago.
> > 
> 
> Hi Byung and Benny, are you having a nice MX party? :)
> 

Hello Marc,

I rely on DNSWL for the reputable MX.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


RE: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Marc
> > Byung-Hee HWANG wrote on 2024-01-08 12:27:
> >
> > > Gmail is my last INBOX. That's enough for me.
> >
> > +1, so you are ready to setup google mx ? :)
> >
> 
> Hello Benny,
> 
> Actually i used Google MX for 10 years. Recently, i created dedicated
> MXs and am continuing to operate them. Plus, the dedicated MXs run on
> Google Cloud and RimuHosting.
> 
> I terminated my Google Workspace commercial account. 2 years ago.
> 

Hi Byung and Benny, are you having a nice MX party? :)



Re: [UPDATE] Changes to Validity Reputation Data Through DNS

2024-01-18 Thread Olivier
Tom,

Tom Bartel  writes:

> Hello SA Community,
>
> Following is an update on the changes at Validity regarding public query
> access for reputation data in DNS. We're finalizing the implementation in SA
> to enable this. As with Spamhaus DQS, we'll use the response code
> 127.255.255.255 to indicate excessive querying. Any questions and/or
> feedback, LMK.

How/where to find information about using Validity reputation list in
SA?

Thank you,


Olivier



Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-18 Thread Byung-Hee HWANG
On Mon, 2024-01-08 at 17:17 +0100, Benny Pedersen wrote:
> Byung-Hee HWANG wrote on 2024-01-08 12:27:
> 
> > Gmail is my last INBOX. That's enough for me.
> 
> +1, so you are ready to setup google mx ? :)
> 

Hello Benny,

Actually i used Google MX for 10 years. Recently, i created dedicated
MXs and am continuing to operate them. Plus, the dedicated MXs run on
Google Cloud and RimuHosting.

I terminated my Google Workspace commercial account. 2 years ago. 


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: [UPDATE] Changes to Validity Reputation Data Through DNS

2024-01-18 Thread Greg Troxel
H
Tom Bartel  writes:

> Starting March 1, 2024, we will allow up to 10,000 requests per user over a
> 30-day time period. After the 10,000 requests, users must create a
> MyValidity account to continue using this free service. Upon the creation
> of a MyValidity account, you will receive continued access to queries
> through Spam Assassin


If a person doesn't have an account, what does "user" mean?  If what you
really mean is "1 requests from a given IP address over a 30-day
period" (which seems fine) then just say that.


[UPDATE] Changes to Validity Reputation Data Through DNS

2024-01-18 Thread Tom Bartel
Hello SA Community,

Following is an update on the changes at Validity regarding public query
access for reputation data in DNS. We're finalizing the implementation in
SA to enable this. As with Spamhaus DQS, we'll use the response code
127.255.255.255 to indicate excessive querying.  Any questions and/or
feedback, LMK.

Thanks,

Tom

Dear SpamAssassin user,


We wanted to send you a quick reminder of the upcoming changes to accessing
Validity reputation data through DNS.



Starting March 1, 2024, we will allow up to 10,000 requests per user over a
30-day time period. After the 10,000 requests, users must create a
MyValidity account to continue using this free service. Upon the creation
of a MyValidity account, you will receive continued access to queries
through Spam Assassin



Sign up for an account 



If you have any questions, please visit our FAQ here.



Best regards,

Validity Data Services


-- 
Phone: 303.517.9655
Website: https://bartelphoto.com
Instagram: https://instagram.com/bartel_photo

"Life's most persistent and urgent question is, 'What are you doing for
others?'" - Martin Luther King Jr.
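
The announcement above reserves 127.255.255.255 for "excessive querying", so a client must not read that answer as a listing. The sketch below is an added example, not Validity's or SpamAssassin's code; the zone name `dnsbl.example`, the 127.0.0.2 listing code, the sample answers and the suspend-after-limit policy are assumptions.

```python
import ipaddress

# Placeholder zone: the announcement does not name the DNS zone (assumption).
ZONE = "dnsbl.example"
# Answer the announcement reserves for "excessive querying".
OVER_QUOTA = ipaddress.IPv4Address("127.255.255.255")
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def query_name(ip, zone=ZONE):
    """DNSBL query name for an IPv4 address: reversed octets, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answers):
    """Map the A records of one lookup to a verdict string."""
    if not answers:
        return "not_listed"  # NXDOMAIN or empty answer
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    # Check the limit code first: it also lies inside 127.0.0.0/8 and would
    # otherwise be scored as a listing, which says nothing about the sender.
    if OVER_QUOTA in addrs:
        return "over_quota"
    if all(a in LOOPBACK for a in addrs):
        return "listed"
    return "invalid"  # e.g. a resolver that rewrites NXDOMAIN answers


class ReputationClient:
    """Stops querying once the list signals the limit (hypothetical policy)."""

    def __init__(self, resolver, zone=ZONE):
        self.resolver = resolver  # callable: query name -> list of A records
        self.zone = zone
        self.suspended = False

    def lookup(self, ip):
        if self.suspended:
            return "skipped"  # no score either way until an operator resets
        verdict = classify(self.resolver(query_name(ip, self.zone)))
        if verdict == "over_quota":
            self.suspended = True
        return verdict


# Constructed answers standing in for real DNS responses.
SAMPLE_ZONE = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],
    "11.2.0.192.dnsbl.example": ["127.255.255.255"],
    "12.2.0.192.dnsbl.example": ["203.0.113.7"],
}


def sample_resolver(name):
    """Offline stand-in for a DNS A-record query."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    client = ReputationClient(sample_resolver)
    for ip in ("192.0.2.10", "192.0.2.99", "192.0.2.11", "192.0.2.10"):
        print(ip, client.lookup(ip))
```
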


Re: Dinged for .Date

2024-01-17 Thread Bill Cole

On 2024-01-16 at 18:33:23 UTC-0500 (Tue, 16 Jan 2024 17:33:23 -0600)
Noel 
is rumored to have said:

> This - getting a .com domain to send mail - is really the only choice 
> you have.


I have not seen major problems with *.net or *.org domains getting 
deliverability and some ccTLDs have reasonably decent reputations.


But yes, a *.com is how most people would want to go.

> If Spamassassin were to whitelist your domain *today*, it will be some 
> period of time until all the people running SA have the updated rules. 
> I don't know how long, but I'm guessing many months. For some, years.


The long tail is long, but since we encourage all sites to get updates 
daily, the sites which lag more than a week are likely failing in many 
other ways as well. The long tail is very low. If I put a rule into my 
SA sandbox tonight, and it is good enough, it will be on most SA 
machines within 4-5 days and will be essentially everywhere worth caring 
about in 10. If Kevin makes a change in the KAM list, most of his users 
will have the rule the next day, as he does not depend on the RuleQA 
process.


SA removing .date from the lists of suspect TLDs would likely fix all 
noticeable problems the OP has related to SA within a fortnight. That 
*DOES NOT* mean their headaches from using a .date domain would end, 
because most users' mailboxes are not protected by SA directly or 
indirectly.


> I also can't imagine that SA is the only software filter preventing 
> you from successfully using your .date domain for mail, so fixing SA 
> won't do anything for those others.


SA may have more installs than any other spam classification tool, but 
there's a broad understanding amongst the maintainers that none of the 
behemoth mailbox providers (Google, Microsoft, Yahoo/AOL/Oath, GMX, 
Apple, etc.) use SA in any way. Fastmail may, Runbox does (or did a few 
years ago,) Proton probably does, and it is pretty much universal in the 
small-scale mailbox provider/outsourcer world, to the extent that world 
still exists. And yet, we cannot compare in scale to the world that uses 
proprietary secret filters.


> The alternative is playing whack-a-mole asking individual sites to 
> whitelist you until the end of time.


In theory, yes. In practice, not so much. Once you get the big guys on 
board and educate direct business partners, the numberXsize of sites 
rejecting independently based on a TLD is not so big.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Adding IP to report

2024-01-17 Thread Linkcheck via users
Thanks, Matus, but that does not work. I'm looking for something that 
will show in the spam body or subject so I do not have to view the headers.




Re: Dinged for .Date

2024-01-16 Thread Andy Smith
Hi,

On Mon, Jan 15, 2024 at 05:06:11PM -0800, Cabel Sasser wrote:
> If you believe every new gTLD is garbage (and I get that!), why isn’t 
> SpamAssassin automatically dinging, say, 1,200+ of them?

I have to second the advice to send email from a different domain.
It's just going to be the case that the .date TLD is abused by
people sending shadier dating-related emails and the operators of
that TLD have poisoned the well by making it cheap and easy to do
so.

Even if you somehow got negative scoring in SpamAssassin fixed for
your specific domain, there's going to be countless private,
non-SpamAssassin-based rule sets out there that penalise .date
domains.

It is a similar argument to "why can't I send email out from
$ARBITRARY_GHETTO_HOSTER ? I'm not a spammer!" You can argue forever
that as you're not a spammer and can prove you've never sent any
spam, ever, why would receivers penalise you just for being at an
hoster that is popular with a problematic class of clientele? The
answer being that recipients are just working with what info they
have, and it'll be hard work to convince a significant number of
them that you're different. Is the work worth it? Generally not;
other options exist.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: Dinged for .Date

2024-01-16 Thread Noel

On 1/16/2024 4:49 PM, Cabel Sasser wrote:

> Hi Josh,
>
> Thank you so much for your reply!
>
>> Most likely, SA specifically whitelisting legit domains in those poisonous TLDs 
>> which are brought to our attention by, for instance, reports like yours. Less 
>> likely but possible: seeing enough ham claiming to be from those TLDs in the 
>> masscheck contributors' corpora that the scores for those rules are 
>> automatically reduced.
>>
>> A possible alternative that is under your control and will likely get faster positive 
>> results than SA rules changes: register the domain playdatesupport.com for your support 
>> department's use. They can still *receive* email at supp...@play.date, but for outbound 
>> email that wouldn't be the From: domain and thus wouldn't suffer the TLD reputational 
>> hit. (If you do that, avoid setting "ReplyTo: supp...@play.date", as that would 
>> also take a reputation hit.)
>
> Great thoughts, and I’ll discuss them with the crew.



This - getting a .com domain to send mail - is really the only 
choice you have.


If Spamassassin were to whitelist your domain *today*, it will be 
some period of time until all the people running SA have the updated 
rules. I don't know how long, but I'm guessing many months. For 
some, years.


I also can't imagine that SA is the only software filter preventing 
you from successfully using your .date domain for mail, so fixing SA 
won't do anything for those others.


The alternative is playing whack-a-mole asking individual sites to 
whitelist you until the end of time.



  -- Noel Jones



Re: Dinged for .Date

2024-01-16 Thread Cabel Sasser
Hi Josh,

Thank you so much for your reply!

> Most likely, SA specifically whitelisting legit domains in those poisonous 
> TLDs which are brought to our attention by, for instance, reports like yours. 
> Less likely but possible: seeing enough ham claiming to be from those TLDs in 
> the masscheck contributors' corpora that the scores for those rules are 
> automatically reduced.
> 
> A possible alternative that is under your control and will likely get faster 
> positive results than SA rules changes: register the domain 
> playdatesupport.com for your support department's use. They can still 
> *receive* email at supp...@play.date, but for outbound email that wouldn't be 
> the From: domain and thus wouldn't suffer the TLD reputational hit. (If you 
> do that, avoid setting "ReplyTo: supp...@play.date", as that would also take 
> a reputation hit.)

Great thoughts, and I’ll discuss them with the crew.

Regarding a (potential) whitelist of play.date — The Only Good .Date Domain® — 
would I… file a bug on that idea?

Best,
Cabel
Panic

PS: my last curiosity question: is there any built-in process within SA for 
re-reviewing the 22 “bad domains” periodically? Is it possible some get 
“better” over time or is that a pipe dream on my part?

Re: Adding IP to report

2024-01-16 Thread Matus UHLAR - fantomas

On 16.01.24 15:29, Linkcheck via users wrote:
> When receiving a report in a spam the reported rules state reason and 
> score but it would be useful if, either on one of those rules or a 
> separate rule (or even in the Subject) there could be a report of the 
> final Received IP. Depending on the IP and its country of origin I 
> sometimes block the sending IP by some method.


perhaps you could add to your SA config or user_prefs:

add_header spam LastIP _LASTEXTERNALIP_

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.


Adding IP to report

2024-01-16 Thread Linkcheck via users
When receiving a report in a spam the reported rules state reason and 
score but it would be useful if, either on one of those rules or a 
separate rule (or even in the Subject) there could be a report of the 
final Received IP. Depending on the IP and its country of origin I 
sometimes block the sending IP by some method.




Re: Dinged for .Date

2024-01-16 Thread Ralph Seichter
* Michael Orlitzky:

> the result for me at least is that it's less work (i.e. less
> expensive) to just block every new gTLD and whitelist the few
> legitimate senders brave enough to live there.

My guess is that a significant number of mail service administrators use
the same approach. I definitely do, and my experience with suspecting
every new gTLD to be abused by spammers has been a good one. It is not
nice for the few legitimate users out there to be required to prove
their legitimacy before being permitted to send mail to our servers, but
these users are so few and far between that I cannot even remember the
last time I cleared a sender's domain.

-Ralph


Re: Rule to identify quoted-printable text

2024-01-16 Thread Jimmy
Hello Laurent,

I wanted to express my gratitude for sharing the tip on rawbody matching.
Your assistance is greatly appreciated.

Thank you,
Jimmy


On Tue, Jan 16, 2024 at 4:01 PM Laurent S. <
110ef9e3086d8405c2929e34be5b4...@protonmail.ch> wrote:

> Hi Jimmy,
>
> If you want to get that exact version using rawbody, here's how it would
> need to look like:
> rawbody  __PASSWORD_IN_QP   /\bp\x{D0}\x{B0}ssword/i
>
> As a trick to know what to use in such a case, I added this rule on my
> debug/rule testing machine:
> rawbody   __ALLRAWBODY  /.+/
> tflags    __ALLRAWBODY  multiple
>
> If you want to cover more variations of obfuscated ways to write
> password, I'd recommend using the replace tags.
>
> body  __OBFU_PASS  /\b(?!password)\b/i
> replace_rules __OBFU_PASS
>
> If you want more information about it use perldoc:
> perldoc Mail::SpamAssassin::Plugin::ReplaceTags
>
> Best regards,
> Laurent
>
> On 16.01.24 05:15, Jimmy wrote:
> > --
> > Content-Transfer-Encoding: quoted-printable
> >
> > Login  p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5
> > --
> >
> > In the provided email snippet, I aim to match the text "p=D0=B0ssword" using the
> > following rule:
> >
> > rawbody  __PASSWORD_IN_QP   /\bp=D0=B0ssword/i
> >
> > Despite my efforts, the rule doesn't seem to correctly identify the specified
> > text. I'm uncertain whether there is an error in the rule, or if I've overlooked
> > something crucial.
> >
> > Thank you
> > Jimmy
> >
>
>


Re: Rule to identify quoted-printable text

2024-01-15 Thread Laurent S.
Hi Jimmy,

If you want to get that exact version using rawbody, here's how it would 
need to look like:
rawbody  __PASSWORD_IN_QP   /\bp\x{D0}\x{B0}ssword/i

As a trick to know what to use in such a case, I added this rule on my 
debug/rule testing machine:
rawbody   __ALLRAWBODY  /.+/
tflags    __ALLRAWBODY  multiple

If you want to cover more variations of obfuscated ways to write 
password, I'd recommend using the replace tags.

body  __OBFU_PASS  /\b(?!password)\b/i
replace_rules __OBFU_PASS

If you want more information about it use perldoc:
perldoc Mail::SpamAssassin::Plugin::ReplaceTags

Best regards,
Laurent

On 16.01.24 05:15, Jimmy wrote:
> --
> Content-Transfer-Encoding: quoted-printable
> 
> Login  p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5
> --
> 
> In the provided email snippet, I aim to match the text "p=D0=B0ssword" using the
> following rule:
> 
> rawbody  __PASSWORD_IN_QP   /\bp=D0=B0ssword/i
> 
> Despite my efforts, the rule doesn't seem to correctly identify the specified
> text. I'm uncertain whether there is an error in the rule, or if I've overlooked
> something crucial.
> 
> Thank you
> Jimmy
> 
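
The reply above implies that a rawbody pattern is matched after the quoted-printable transfer encoding has been undone, which is why the literal `=D0=B0` never hits. The following added example (not SpamAssassin code and not from the original posts) reproduces that with the sample line from the thread, and goes one step further by flagging any word that mixes Latin and Cyrillic letters; the function names and the mixed-script heuristic are assumptions.

```python
import quopri
import re
import unicodedata

# Body line from the sample in the thread, still quoted-printable encoded.
QP_BODY = b"Login  p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5\n"

# Pattern written against the transfer encoding (the rule that did not hit).
ENCODED_PATTERN = re.compile(rb"\bp=D0=B0ssword", re.I)
# Pattern written against the decoded bytes (the form suggested in the reply).
DECODED_PATTERN = re.compile(rb"\bp\xD0\xB0ssword", re.I)


def decode_qp(body):
    """Undo the quoted-printable encoding, yielding the raw UTF-8 bytes."""
    return quopri.decodestring(body)


def rule_hits(pattern, body):
    """Assumption: like rawbody, the pattern is applied after QP decoding."""
    return pattern.search(decode_qp(body)) is not None


def script_of(ch):
    """Coarse script label taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    if name.startswith("LATIN"):
        return "LATIN"
    if name.startswith("CYRILLIC"):
        return "CYRILLIC"
    return "OTHER"


def mixed_script_words(body):
    """Return decoded words that contain both Latin and Cyrillic letters."""
    text = decode_qp(body).decode("utf-8", errors="replace")
    hits = []
    for word in re.findall(r"[^\W\d_]+", text):  # runs of Unicode letters
        scripts = {script_of(c) for c in word}
        if {"LATIN", "CYRILLIC"} <= scripts:
            hits.append(word)
    return hits


if __name__ == "__main__":
    print("encoded-form pattern hits:", rule_hits(ENCODED_PATTERN, QP_BODY))
    print("decoded-form pattern hits:", rule_hits(DECODED_PATTERN, QP_BODY))
    for word in mixed_script_words(QP_BODY):
        print("mixed-script word:", word.encode("unicode_escape").decode())
```
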



Rule to identify quoted-printable text

2024-01-15 Thread Jimmy
--
Content-Transfer-Encoding: quoted-printable

Login  p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5
--

In the provided email snippet, I aim to match the text "p=D0=B0ssword"
using the following rule:

rawbody  __PASSWORD_IN_QP   /\bp=D0=B0ssword/i

Despite my efforts, the rule doesn't seem to correctly identify the
specified text. I'm uncertain whether there is an error in the rule, or if
I've overlooked something crucial.

Thank you
Jimmy


Re: Dinged for .Date

2024-01-15 Thread Michael Orlitzky
On Mon, 2024-01-15 at 17:06 -0800, Cabel Sasser wrote:
> 
> There are 1,239 gTLDs. The SpamAssassin source* blocks just *22* of them.
> 

The official unofficial KAM ruleset blocks a few more, and there are
plenty of third-party URIBLs that essentially block gTLDs through SA,
albeit at one level of abstraction.


> If you believe every new gTLD is garbage (and I get that!), why isn’t 
> SpamAssassin automatically dinging, say, 1,200+ of them?
> 
> Or put another way, why _these_ 22, and _only_ these 22, and not the rest?

Be careful what you wish for :P



Re: Dinged for .Date

2024-01-15 Thread John Hardin

On Mon, 15 Jan 2024, Cabel Sasser wrote:


> There are 1,239 gTLDs. The SpamAssassin source* blocks just *22* of them.
>
> If you believe every new gTLD is garbage (and I get that!), why isn’t 
> SpamAssassin automatically dinging, say, 1,200+ of them?
>
> Or put another way, why _these_ 22, and _only_ these 22, and not the rest?
>
> That’s the “science” I’m trying to understand! :)


Primarily it's the real-world email traffic that scoring contributors use 
to evaluate the effectiveness of the rules and automatically assign their 
scores (called "masscheck"). We basically see a lot of spam from those 22 
TLDs, and little or no ham, so rules that penalize those TLDs perform well 
with few "false positives" in that corpora.



> (And I’m still curious if there is any path of redemption for these 22. )


Most likely, SA specifically whitelisting legit domains in those poisonous 
TLDs which are brought to our attention by, for instance, reports like 
yours. Less likely but possible: seeing enough ham claiming to be from 
those TLDs in the masscheck contributors' corpora that the scores for 
those rules are automatically reduced.


A possible alternative that is under your control and will likely get 
faster positive results than SA rules changes: register the domain 
playdatesupport.com for your support department's use. They can still 
*receive* email at supp...@play.date, but for outbound email that wouldn't 
be the From: domain and thus wouldn't suffer the TLD reputational hit. (If 
you do that, avoid setting "ReplyTo: supp...@play.date", as that would 
also take a reputation hit.)




--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People that keep dreaming about the wasteland, labyrinths and
  quick cash, die in amusing ways. -- Root the Dragon
---
 2 days until Benjamin Franklin's 318th Birthday

Re: Dinged for .Date

2024-01-15 Thread Cabel Sasser
Hi Michael!

I totally understand what you’re saying. I get it 100%. But your math doesn’t 
quite add up for me.

There are 1,239 gTLDs. The SpamAssassin source* blocks just *22* of them.

If you believe every new gTLD is garbage (and I get that!), why isn’t 
SpamAssassin automatically dinging, say, 1,200+ of them?

Or put another way, why _these_ 22, and _only_ these 22, and not the rest?

That’s the “science” I’m trying to understand! :)

(And I’m still curious if there is any path of redemption for these 22. )

Best,
Cabel
Panic

PS: In the future, believe me, we won’t pick any of the gTLDs in this list. 
It’s also possible we can just send email from panic.com which we’ve now owned 
for nearly 30 years, but I'm still really curious!

* Assuming I’m reading this right at 
https://apache.googlesource.com/spamassassin/+/refs/tags/sa-update_3.4.4_20220326083106/rulesrc/sandbox/pds/20_ntld.cf


> On Jan 15, 2024, at 4:35 PM, Michael Orlitzky  wrote:
> 
> On Mon, 2024-01-15 at 15:58 -0800, Cabel Sasser wrote:
>> 
>> Can anyone help me understand “the science”? And how these domains are 
>> chosen for such a heavy punishment?
> 
> What you're facing is essentially an economic problem. Everyone knows
> dot-com, and to a lesser extent dot-net and dot-org. But everything
> else is junk: if you're the fifth guy to try to buy example.com, you're
> probably not who people are looking for when they type www.example.com
> into their web browsers. The other TLDs are also much harder for people
> to remember if they see it on a commercial. As a result, dot-info, dot-
> biz, and everything after have always been considered knock-offs.
> 
> When the wave of new gTLDs hit, the value of each successive one became
> diluted even further. By the time you get to dot-date, you're at what
> should be, like, somebody's 40th choice for a domain name. How do you
> sell that? At a huge fucking discount, if you want anyone to buy it!
> 
> That's one half of your economic problem.
> 
> Now imagine you're trying to block spammers by domain name, and there's
> one particular set of domain names that they can get at a 90% discount
> because nobody wants them otherwise. Regardless of how many legitimate
> companies use those domains, the signal to noise ratio is going to be
> crap.
> 
> So, the other half of your economic problem is: how much money does it
> cost me (as a recipient) to block dot-date, versus how much does it
> cost me to not block it? We have customers who complain about spam and
> customers who complain about blocked messages. It's a pretty easy
> calculation for a recipient to make, and the result for me at least is
> that it's less work (i.e. less expensive) to just block every new gTLD
> and whitelist the few legitimate senders brave enough to live there.



Re: Dinged for .Date

2024-01-15 Thread Michael Orlitzky
On Mon, 2024-01-15 at 15:58 -0800, Cabel Sasser wrote:
> 
> Can anyone help me understand “the science”? And how these domains are chosen 
> for such a heavy punishment?

What you're facing is essentially an economic problem. Everyone knows
dot-com, and to a lesser extent dot-net and dot-org. But everything
else is junk: if you're the fifth guy to try to buy example.com, you're
probably not who people are looking for when they type www.example.com
into their web browsers. The other TLDs are also much harder for people
to remember if they see it on a commercial. As a result, dot-info, dot-
biz, and everything after have always been considered knock-offs.

When the wave of new gTLDs hit, the value of each successive one became
diluted even further. By the time you get to dot-date, you're at what
should be, like, somebody's 40th choice for a domain name. How do you
sell that? At a huge fucking discount, if you want anyone to buy it!

That's one half of your economic problem.

Now imagine you're trying to block spammers by domain name, and there's
one particular set of domain names that they can get at a 90% discount
because nobody wants them otherwise. Regardless of how many legitimate
companies use those domains, the signal to noise ratio is going to be
crap.

So, the other half of your economic problem is: how much money does it
cost me (as a recipient) to block dot-date, versus how much does it
cost me to not block it? We have customers who complain about spam and
customers who complain about blocked messages. It's a pretty easy
calculation for a recipient to make, and the result for me at least is
that it's less work (i.e. less expensive) to just block every new gTLD
and whitelist the few legitimate senders brave enough to live there.


Dinged for .Date

2024-01-15 Thread Cabel Sasser
Hello friends!

We make a handheld game system called Playdate, and our site lives at 
play.date. We find that our support email often doesn’t get delivered, making 
for occasionally very angry customers.

In debugging this, we’re looking at spam score.

In SA, .date is one of the “bad domains” that gets a heavily punished score 
(4.497) right out of the gate:

FROM_SUSPICIOUS_NTLD 0.499
FROM_SUSPICIOUS_NTLD_FP 1.999
PDS_OTHER_BAD_TLD 1.999

I found this bug on this topic:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7915

And a poster says "Unfortunately, the science backs up that the TLDs are 
problematic.”

I was trying to research “the science” to understand it. The SA code references 
the following four sources:

# new TLDs used for spamming
# https://www.spamhaus.org/statistics/tlds/
# http://www.surbl.org/tld
# https://ntldstats.com/fraud
# https://dnslytics.com/tld

Looking at these:

1. Spamhaus says that .date is 3.1% bad. (.com is 1.3% bad.)
2. SURBL ranks .date at #187.
3. The nTLDStats page is just returning a 404, idk
4. DNSlytics just returns basic information about .date, like that it has 6,977 
domains

Can anyone help me understand “the science”? And how these domains are chosen 
for such a heavy punishment?

Is there any path to redemption, or is it that once they’re added, they're 
dinged forever?

Thanks for your help!

Best,
Cabel Sasser
Panic

Re: milter vs spamc

2024-01-15 Thread Mike Bostock via users
In your message regarding Re: milter vs spamc dated 15/01/2024, Mike
Bostock said ...

> In your message regarding Re: milter vs spamc dated 15/01/2024, Benoit
> Panizzon said ...

> > Hi

> > > What are the pros and cons?

> > In my opinion, an email should either be received by a MTA and
> > delivered to the recipient, or rejected during the SMTP phase.

> Thanks everyone for the good advice.  spamass-milter it is then!

Except it appears to be broken with Sendmail 

Keeps complaining that "spamass-milter[1905195]: Could not retrieve
sendmail macro "auth_type"!.  Please add it to confMILTER_MACROS_ENVRCPT
for better spamassassin results"

and {auth_type} doesn't belong in MACROS_ENVRCP and even when it is in
define(`confMILTER_MACROS_ENVFROM',`{auth_authen}, {auth_type}')dnl as
well as MACROS_ENVRCP it *still* complains

--
Mike





wellsfargo/google drive

2024-01-15 Thread Alex
Hi,
Google Drive is being used to send links with malicious content. I know,
shocking. But should Google Drive be in the DKIM WL?

What more can be done to stop these? I have a few body filters, but these
are just links sent using Google to PDFs with malicious links.

https://pastebin.com/Qpj1drSa


Re: milter vs spamc

2024-01-15 Thread Mike Bostock via users
In your message regarding Re: milter vs spamc dated 15/01/2024, Benoit
Panizzon said ...

> Hi

> > What are the pros and cons?

> In my opinion, an email should either be received by a MTA and
> delivered to the recipient, or rejected during the SMTP phase.

Thanks everyone for the good advice.  spamass-milter it is then!


--
Mike





Re: milter vs spamc

2024-01-15 Thread Benoit Panizzon
Hi

> The only con is that milter can't apply multiple SA settings when single 
> mail has multiple destination users - it only has to use single setting for 
> them.

We found a way around this, we use MIMEDefang as Milter and have
built database lookups in the config.

Usually, per user SA settings are:

* Score Level on which an email is considered spam
* Action to perform on email considered spam

In the RCPT TO Milter Phase (check_recipient routine of MIMEDefang)

We load those two values, for the first recipient.

Then on each subsequent recipient we compare:

=> Values identical to first recipient: Accept recipient.
=> Values different: REJECT Recipient with error 452 

What happens depends a bit on the sending MTA. Some try every
recipient, some stop after the first rejected recipient.

452 is used to tell the sender 'too many recipients' which causes the
sending MTA to send the email to the recipients that were accepted and
re-open a new connection to send the same email to the remaining
recipients.

This may cause some delays in email delivery if an email is sent to many
recipients but otherwise works flawlessly.

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__
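
The recipient grouping described in the post above, as an added Python sketch that is not part of the original message and is not MIMEDefang code. The settings table, the addresses and the 4.5.3 enhanced status code are constructed assumptions, and the sending MTA is modelled as one that tries every recipient and retries deferred ones in a new transaction.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed per-user settings: (spam score threshold, action on spam).
SETTINGS = {
    "alice@example.org": (5.0, "reject"),
    "bob@example.org":   (5.0, "reject"),
    "carol@example.org": (8.0, "tag"),
    "dave@example.org":  (5.0, "quarantine"),
    "erin@example.org":  (8.0, "tag"),
}
DEFAULT = (5.0, "tag")  # assumed fallback for recipients without a row


@dataclass
class Transaction:
    """What the milter remembers during one SMTP transaction."""
    policy: Optional[Tuple[float, str]] = None  # settings of the first recipient
    accepted: list = field(default_factory=list)

    def rcpt_to(self, rcpt):
        """Decide one RCPT TO: accept only if settings match the first recipient."""
        wanted = SETTINGS.get(rcpt.lower(), DEFAULT)
        if self.policy is None:
            self.policy = wanted
        if wanted == self.policy:
            self.accepted.append(rcpt)
            return 250, "2.1.5 Ok"
        # Temporary failure: the sender keeps this recipient queued for later.
        return 452, "4.5.3 Too many recipients"


def deliver(recipients):
    """Simulate the sender: one transaction per round, deferred recipients
    are retried in the next one. Returns [(policy, accepted), ...]."""
    rounds, pending = [], list(recipients)
    while pending:
        txn, deferred = Transaction(), []
        for rcpt in pending:
            code, _text = txn.rcpt_to(rcpt)
            if code != 250:
                deferred.append(rcpt)
        rounds.append((txn.policy, txn.accepted))
        pending = deferred  # shrinks every round: the first RCPT always passes
    return rounds


if __name__ == "__main__":
    for n, (policy, rcpts) in enumerate(deliver(SETTINGS), 1):
        print(f"transaction {n}: scan once with {policy} for {rcpts}")
```

Each transaction ends up with recipients that share one threshold and one action, so a single scan result can be applied to all of them; the number of transactions equals the number of distinct settings among the recipients.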


Re: milter vs spamc

2024-01-15 Thread Matus UHLAR - fantomas

On 14.01.24 22:22, Mike Bostock via users wrote:

I currently have users set up with spamc called in .procmailrc

However, I have quite a few aliases/redirects in sendmail virtusertable
who are not being protected by Spamassassin.


spamass-milter has setting for default user (-U username) that is used when 
the destination mailbox does not exist.


(to be precise, local user with same name as LHS of e-mail address, e.g. if 
any of your virtusers has address daemon@[example.com], local user "daemon" 
may be used).



Would I be better using the milter?


Yes, you can reject mail this way so you don't have to deal with it nor with 
the bounce.



What are the pros and cons?


The only con is that milter can't apply multiple SA settings when single 
mail has multiple destination users - it only has to use single setting for 
them. spamass-milter has option "



How do I redirect spam to a mailbox if I use the milter?


spamass-milter supports "-b spamaddress" option to redirect spam.
I prefer "-r nn" option that rejects mail if it scores over "nn" SA points.
I use reject score 8 on tuned systems, 10 on non-tuned.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: milter vs spamc

2024-01-15 Thread Benoit Panizzon
Hi

> What are the pros and cons?

In my opinion, an email should either be received by a MTA and
delivered to the recipient, or rejected during the SMTP phase.

This eliminates:

* Emails 'disappearing' (false positives as example)
* Sending late bounces to fake sender when rejected by the LDA

So this leaves only one option: Filter on the MTA Milter, never on the
LDA.

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__


Re: milter vs spamc

2024-01-14 Thread Benny Pedersen

Mike Bostock via users wrote on 2024-01-14 23:22:

I currently have users set up with spamc called in .procmailrc


virtual users is hard to support then


However, I have quite a few aliases/redirects in sendmail virtusertable
who are not being protected by Spamassassin.


good, move all system users over to be virtual then, not a mix of system 
and virtual



Would I be better using the milter?


yes, so all users is same route


What are the pros and cons?


this depends on lda, sieve, procmail, or mix of that, i prefer dovecot 
sieve, so its for me lmtp, same route for system users, and virtual



How do I redirect spam to a mailbox if I use the milter?


create a sieve rule in roundcube

but keep it local, not remote mailbox



milter vs spamc

2024-01-14 Thread Mike Bostock via users
I currently have users set up with spamc called in .procmailrc

However, I have quite a few aliases/redirects in sendmail virtusertable
who are not being protected by Spamassassin.

Would I be better using the milter?

What are the pros and cons?

How do I redirect spam to a mailbox if I use the milter?

Thanks

--
Mike





Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Benny Pedersen

Byung-Hee HWANG wrote on 2024-01-08 12:27:


Gmail is my last INBOX. That's enough for me.


+1, so you are ready to setup google mx ? :)

https://support.google.com/a/answer/140034?hl=en

i don't like it yet, missing dnssec and dane, tlsa, google is not 
friendly there


if google wants my money its required payment for me



Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Matus UHLAR - fantomas

This is not good advice. Whoever filters SPF at SMTP time will
reject that
message. Gmail is not the only mail service available.


On 08.01.24 20:27, Byung-Hee HWANG wrote:

Gmail is my last INBOX. That's enough for me.


that's what I wanted to say - enough for someone, but not generally enough.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-08 Thread Byung-Hee HWANG
> 
> This is not good advice. Whoever filters SPF at SMTP time will
> reject that 
> message. Gmail is not the only mail service available.

Hello Matus,

Gmail is my last INBOX. That's enough for me.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-07 Thread Matus UHLAR - fantomas
I built email servers for a non-profit I volunteer for.  If email comes 
into the server for presid...@myassociation.org, I would normally just 
create an alias in /etc/aliases so that emails to president@ get 
forwarded to the president's "real" email address, say 
presidents_real_em...@gmail.com.


postfix supports expand_owner_alias, which, when you are sending to 
al...@example.com, will set sender to owner-al...@example.com.


That way SPF should pass.

The problem is, when I send email to presid...@myassociation.org, gmail 
rejects the forwarded email because it appears to come from my personal 
domain, not the mythical myassociation.org domain.  DKIM, DMARC, and SPF 
all fail, which I totally understand.


How can I make this work?


DKIM should not fail, unless you modify the message. Do you modify the 
message?



On 07.01.24 19:07, Byung-Hee HWANG wrote:

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Cite:


If your dkim signature is OK, then Gmail does accept all
mails. So never use SRS. DKIM is enough.


This is not good advice. Whoever filters SPF at SMTP time will reject that 
message. Gmail is not the only mail service available.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-07 Thread Byung-Hee HWANG
> 
> I built email servers for a non-profit I volunteer for. If email
> comes 
> into the server for presid...@myassociation.org, I would normally
> just 
> create an alias in /etc/aliases so that emails to president@ get 
> forwarded to the president's "real" email address, say 
> presidents_real_em...@gmail.com.
> 
> The problem is, when I send email to presid...@myassociation.org,
> gmail 
> rejects the forwarded email because it appears to come from my
> personal 
> domain, not the mythical myassociation.org domain. DKIM, DMARC, and
> SPF 
> all fail, which I totally understand.
> 
> How can I make this work? 


Hello Thomas,

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: symlinking config files

2024-01-05 Thread Kris Deugau

Thomas Krichel wrote:


   Hi gang,

   my first post here.

   I'm running version 4.0.0-8 on debian testing. This is for
   Mailman. I have a script that creates a welcomelist for all my
   Mailman members. I include it via a symlink.

# ls -l /etc/spamassassin/88_mailman_members.cf
lrwxrwxrwx 1 root root 57 Jan  5 15:52 /etc/spamassassin/88_mailman_members.cf 
-> ../../home/mailman/opt/spamassassin/88_mailman_members.cf

   Clearly spamassassin follows the symlink and reads the file. I can
   see by just making a mistake in it, mistyping welcomelist as
   wlcomelist

root@tagol~# spamassassin --lint
Jan  5 17:58:51.081 [783424] warn: config: failed to parse line in 
/etc/spamassassin/88_mailman_members.cf (line 1248): wlcomelist_from 
kric...@openlib.org
root@tagol~#

   But
   
# spamc -R < /tmp/test.mail


Did you restart spamd after adding the symlink but before this call? 
Can you find the startup log entries for the last spamd start before 
this call, and see if there were any errors logged that might be relevant?


The only slightly suspect item from above is the relative symlink 
starting with ../ - I would suggest remaking that symlink with an 
absolute path instead.  Another thing to check is if there is some 
security component (Apparmor/SELinux usually, IME) active - it may 
object to spamd following the symlink where it allows the "spamassassin" 
script.


I don't recall ever having any issues symlinking SA configuration like 
this myself.


-kgd


Re: symlinking config files

2024-01-05 Thread Thomas Krichel
  Bill Cole writes

> You probably only needed to restart spamd.

  I think I did this every time I tested, and I tested many times
  over.

-- 
  Written by Thomas Krichel http://openlib.org/home/krichel on his 21399th day.


Re: symlinking config files

2024-01-05 Thread Bill Cole

On 2024-01-05 at 13:53:00 UTC-0500 (Fri, 5 Jan 2024 18:53:00 +)
Thomas Krichel 
is rumored to have said:


  Hi gang,

  my first post here.

  I'm running version 4.0.0-8 on debian testing. This is for
  Mailman. I have a script that creates a welcomelist for all my
  Mailman members. I include it via a symlink.

# ls -l /etc/spamassassin/88_mailman_members.cf
lrwxrwxrwx 1 root root 57 Jan  5 15:52 
/etc/spamassassin/88_mailman_members.cf -> 
../../home/mailman/opt/spamassassin/88_mailman_members.cf


  Clearly spamassassin follows the symlink and reads the file. I can
  see by just making a mistake in it, mistyping welcomelist as
  wlcomelist

root@tagol~# spamassassin --lint
Jan  5 17:58:51.081 [783424] warn: config: failed to parse line in 
/etc/spamassassin/88_mailman_members.cf (line 1248): wlcomelist_from 
kric...@openlib.org

root@tagol~#

  But

# spamc -R < /tmp/test.mail

  does not see the welcomelisted user. It's only when I remove the
  symlink, and replace it with the file


Why would you think spamc ever sees any SA rules file? That would pretty 
much destroy any excuse for using spamc/spamd.


You probably only needed to restart spamd.



rm /etc/spamassassin/88_mailman_members.cf
cp /home/mailman/opt/spamassassin/88_mailman_members.cf 
/etc/spamassassin/88_mailman_members.cf


  and restart

# systemctl restart spamd


Should have tried that first...



  that

# spamc -R < /tmp/test.mail

  sees the welcomelisted user. I am puzzled by this.


--
  Written by Thomas Krichel http://openlib.org/home/krichel on his 
21399th day.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: symlinking config files

2024-01-05 Thread Thomas Krichel
  Antony Stone writes

> Check the user which spamc runs

  Thank you for this!
  
root@tagol~# ps axf | grep spam
 789246 ?S  0:00  \_ spamd child
root@tagol~# ps axf | grep spam
 662102 ?Ss 0:00 gpg-agent --homedir 
/etc/spamassassin/sa-update-keys --use-standard-socket --daemon
 778204 pts/20   T  0:00  \_ emacs -nw /etc/spamassassin/local.cf
 790063 pts/20   S+ 0:00  \_ grep --color=auto spam
 789238 ?Ss 0:01 /usr/bin/perl -T -w /usr/sbin/spamd 
--pidfile=/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir
 789245 ?S  0:00  \_ spamd child
 789246 ?S  0:00  \_ spamd child

  for better or worse it seems it's running as root.
  
> as and ensure that this user can read the file 
> which is symlinked to.
> 
> Testing stuff as root can be misleading.

  Sure. I also tested spamassassin from a completely plain vanilla user

$ spamassassin --lint
Jan  5 19:15:42.326 [792794] warn: config: failed to parse line in 
/etc/spamassassin/88_mailman_members.cf (line 1248): wlcomelist_from 
kric...@openlib.org


-- 
  Written by Thomas Krichel http://openlib.org/home/krichel on his 21399th day.


Re: symlinking config files

2024-01-05 Thread Antony Stone
On Friday 05 January 2024 at 19:53:00, Thomas Krichel wrote:

>   I'm running version 4.0.0-8 on debian testing. This is for
>   Mailman. I have a script that creates a welcomelist for all my
>   Mailman members. I include it via a symlink.

>   Clearly spamassassin follows the symlink and reads the file.

>   But
> 
> # spamc -R < /tmp/test.mail
> 
>   does not see the welcomelisted user. It's only when I remove the
>   symlink, and replace it with the file

>   and restart that
> 
> # spamc -R < /tmp/test.mail
> 
>   sees the welcomelisted user. I am puzzled by this.

I would look at the ownership / permissions of the file, and the directories it 
is under, in both cases.

Check the user which spamc runs as and ensure that this user can read the file 
which is symlinked to.

Testing stuff as root can be misleading.


Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"

   Please reply to the list;
 please *don't* CC me.


symlinking config files

2024-01-05 Thread Thomas Krichel


  Hi gang,

  my first post here.

  I'm running version 4.0.0-8 on debian testing. This is for
  Mailman. I have a script that creates a welcomelist for all my
  Mailman members. I include it via a symlink.

# ls -l /etc/spamassassin/88_mailman_members.cf 
lrwxrwxrwx 1 root root 57 Jan  5 15:52 /etc/spamassassin/88_mailman_members.cf 
-> ../../home/mailman/opt/spamassassin/88_mailman_members.cf

  Clearly spamassassin follows the symlink and reads the file. I can
  see by just making a mistake in it, mistyping welcomelist as
  wlcomelist

root@tagol~# spamassassin --lint 
Jan  5 17:58:51.081 [783424] warn: config: failed to parse line in 
/etc/spamassassin/88_mailman_members.cf (line 1248): wlcomelist_from 
kric...@openlib.org
root@tagol~#

  But
  
# spamc -R < /tmp/test.mail

  does not see the welcomelisted user. It's only when I remove the
  symlink, and replace it with the file
  
rm /etc/spamassassin/88_mailman_members.cf
cp /home/mailman/opt/spamassassin/88_mailman_members.cf 
/etc/spamassassin/88_mailman_members.cf

  and restart

# systemctl restart spamd

  that 

# spamc -R < /tmp/test.mail

  sees the welcomelisted user. I am puzzled by this. 


-- 
  Written by Thomas Krichel http://openlib.org/home/krichel on his 21399th day.


Re: Gift Card Scam

2024-01-05 Thread Matus UHLAR - fantomas

On 04.01.24 22:57, Matija Nalis wrote:

body    GIFT_CARD   /gift card/i
score   GIFT_CARD   1.5

meta    FREEMAIL_GIFTCARDS    GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)



Matus UHLAR - fantomas wrote on 2024-01-05 09:06:

shouldn't that be  !DKIM_VALID_AU ?

valid DKIM signature means nothing by itself


On 05.01.24 14:52, Benny Pedersen wrote:
pointless comment, reason valid_au is not used here is that its still 
valid, be careful


!foo means its not pass, take focus next time


!DKIM_VALID produces true if there's no valid DKIM signature

!DKIM_VALID_AU produces true if there is no valid signature, OR if there is 
valid signature, but not from domain in header From:


so, !DKIM_VALID_AU is a superset of !DKIM_VALID thus should produce more 
hits.


The question is, if we want this.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
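
The difference between the two meta conditions discussed in this thread, as an added Python model that is not SpamAssassin code and not from any poster. The freemail list, the sample messages and the exact-match notion of "signature from the domain in From:" are constructed simplifications.

```python
import re

FREEMAIL = {"gmail.com", "freemail.example"}  # constructed stand-in list


def rule_hits(from_domain, body, signatures):
    """signatures: [(d= domain, verifies?)]. Returns the flags named in the thread."""
    valid = any(ok for _d, ok in signatures)
    # Simplification: "author" signature means d= equals the From: domain.
    valid_au = any(ok and d.lower() == from_domain.lower() for d, ok in signatures)
    return {
        "GIFT_CARD": re.search(r"gift card", body, re.I) is not None,
        "FREEMAIL_FROM": from_domain.lower() in FREEMAIL,
        "DKIM_VALID": valid,
        "DKIM_VALID_AU": valid_au,
    }


def freemail_giftcards(hits, use_au):
    """GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID), or the _AU variant."""
    dkim_ok = hits["DKIM_VALID_AU"] if use_au else hits["DKIM_VALID"]
    return hits["GIFT_CARD"] and (hits["FREEMAIL_FROM"] or not dkim_ok)


BODY = "I'm considering gift cards like Visa or Mastercard"  # phrase from the scam
# Constructed messages: label -> (From: domain, DKIM signatures seen)
CASES = {
    "freemail sender, own valid signature": ("gmail.com", [("gmail.com", True)]),
    "company domain, own valid signature": ("corp.example", [("corp.example", True)]),
    "company domain, signed only by a third party":
        ("corp.example", [("bulkmailer.example", True)]),
    "company domain, signature broken": ("corp.example", [("corp.example", False)]),
    "company domain, unsigned": ("corp.example", []),
}


def compare():
    """label -> (hit with !DKIM_VALID, hit with !DKIM_VALID_AU)"""
    out = {}
    for label, (dom, sigs) in CASES.items():
        hits = rule_hits(dom, BODY, sigs)
        out[label] = (freemail_giftcards(hits, False), freemail_giftcards(hits, True))
    return out


if __name__ == "__main__":
    for label, (plain, au) in compare().items():
        print(f"{label:48} !DKIM_VALID={plain!s:5} !DKIM_VALID_AU={au}")
```

The only row where the two variants disagree is the message that carries a valid signature from a domain other than the one in From:, which is the extra set of hits the superset remark refers to.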


Re: Gift Card Scam

2024-01-05 Thread Benny Pedersen

Matus UHLAR - fantomas wrote on 2024-01-05 09:06:

On 04.01.24 22:57, Matija Nalis wrote:

body    GIFT_CARD   /gift card/i
score   GIFT_CARD   1.5

meta    FREEMAIL_GIFTCARDS    GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)


shouldn't that be  !DKIM_VALID_AU ?

valid DKIM signature means nothing by itself


pointless comment, reason valid_au is not used here is that its still 
valid, be careful


!foo means its not pass, take focus next time








Re: Gift Card Scam

2024-01-05 Thread Matus UHLAR - fantomas

On 04.01.24 22:57, Matija Nalis wrote:

body    GIFT_CARD   /gift card/i
score   GIFT_CARD   1.5

meta    FREEMAIL_GIFTCARDS    GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)


shouldn't that be  !DKIM_VALID_AU ?

valid DKIM signature means nothing by itself

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.


Re: Gift Card Scam

2024-01-04 Thread Kirk Ismay

On 2024-01-04 1:57 p.m., Matija Nalis wrote:

body    GIFT_CARD   /gift card/i
score   GIFT_CARD   1.5

meta    FREEMAIL_GIFTCARDS    GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)
score   FREEMAIL_GIFTCARDS    6.0

If you're not big on gift cards.

Also, you might want to enable and train Bayes...
  


Thanks!

I'll add these rules to my other "VIP rules".   I actually want to have 
a couple rules that can work in tandem, so that I don't have to have 
everything riding on just one.


I've given GIFT_CARD a score of 0.5, and the FREEMAIL_GIFTCARDS a score 
of 1.5.  I have a "Not Boss" rule, but I hadn't revised it for 
$newboss.   That has a score of 4, so all rules combined gives us a 
score of 6.


Works for me. Will look at bayes next.

Kirk



Re: Gift Card Scam

2024-01-04 Thread Noel

On 1/4/2024 3:19 PM, Kirk Ismay wrote:
I'm wondering if anyone has any good ideas to catch gift card scam 
emails.  This latest version came from Gmail, and has valid DKIM 
records and the IPs are whitelisted.


Thanks,
Kirk

Here's the hits from SpamAssassin:

X-Spam-Status: No, score=0.3 required=5.0 
tests=DKIM_SIGNED,DKIM_VALID,

    DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
    T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.6

And here's the body:


(link to the body in a paste bin next time)

I catch the vast majority of these in postfix header_checks that 
look for the boss' name and a few minor variants in From: and reject 
if the sending address isn't the right one. This works well enough 
for us since there are a limited number of $boss targets here.  This 
has also cut down on the "send a payment to" and other social 
engineering scams that claim to be from the boss.


You could do the same thing in SA if you don't have too many $boss 
targets.


I've not had much success with generalized rules - too many folks 
here talk about gift cards in legit mail, some of it actually 
business-related.


Good luck.


  -- Noel Jones
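
The check described in the post above (the boss's name in From: combined with an address that is not the boss's), as an added Python sketch rather than the poster's postfix header_checks. The names, addresses and normalisation rules are constructed assumptions.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr


def name_key(display):
    """Normalise a display name so minor variants compare equal."""
    text = str(make_header(decode_header(display)))  # undo RFC 2047 encoding
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))  # drop accents
    # Case-insensitive, punctuation-insensitive, word-order-insensitive.
    return " ".join(sorted(re.findall(r"[a-z]+", text.casefold())))


# Constructed VIP table: name variants -> the only addresses allowed to use them.
VIPS = [
    ({"Pat Example", "Patricia Example"}, {"pat.example@corp.example"}),
]
PROTECTED = {name_key(n): addrs for names, addrs in VIPS for n in names}


def check_from(header_value):
    """Classify one From: header value as 'ok', 'impersonation' or 'not-vip'."""
    display, addr = parseaddr(header_value)
    allowed = PROTECTED.get(name_key(display))
    if allowed is None:
        return "not-vip"
    return "ok" if addr.lower() in allowed else "impersonation"


# Constructed sample headers.
SAMPLES = [
    "Pat Example <pat.example@corp.example>",
    '"Example, Pat" <ceo.office@gmail.com>',
    "=?utf-8?q?P=C3=A4t_EXAMPLE?= <pat.example@freemail.example>",
    "Someone Else <someone@gmail.com>",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{check_from(value):14} {value}")
```

Because the verdict depends only on the display name and the address, it still fires when the message is sent from a freemail account with valid DKIM, which is the case the content rules in this thread struggle with.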



Re: Gift Card Scam

2024-01-04 Thread Matija Nalis


body    GIFT_CARD   /gift card/i
score   GIFT_CARD   1.5

meta    FREEMAIL_GIFTCARDS    GIFT_CARD && (FREEMAIL_FROM || !DKIM_VALID)
score   FREEMAIL_GIFTCARDS    6.0

If you're not big on gift cards.

Also, you might want to enable and train Bayes...
 
On Thu, Jan 04, 2024 at 01:19:28PM -0800, Kirk Ismay wrote:
> I'm wondering if anyone has any good ideas to catch gift card scam emails. 
> This latest version came from Gmail, and has valid DKIM records and the IPs
> are whitelisted.
> 
> Thanks,
> Kirk
> 
> Here's the hits from SpamAssassin:
> 
> X-Spam-Status: No, score=0.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
>     DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
> RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
>     T_SCC_BODY_TEXT_LINE autolearn=disabled version=3.4.6
> 
> And here's the body:
> 
> It’s incredible to see you all consistently pushing the bar to greatness.
> The outcomes you've all achieved are remarkable, especially in light of the
> difficult circumstances we're in. I am so grateful to have everyone as a
> member of the team, and I really value your great skills. My words can never
> express how much I appreciate what you do; the effort and skill you
> contribute consistently go above and beyond what I had anticipated. I'm
> grateful.
> 
> Most times, a simple THANK YOU is what every employee wants to get from
> their "big boss" for their hard work. This is why I'm planning on
> recognizing the efforts of some staff and appreciating them with a little
> surprise gesture. I believe I can count on you to help get this little
> appreciation surprise done in a discreet manner.
> 
> What do you think would be the ideal gift for such a celebration? I'm
> considering gift cards like Visa or Mastercard, given their universal
> acceptance and functionality. I believe this would cater to the diverse
> tastes of our staff, allowing them to use the gift as they prefer without
> being limited to specific stores or locations. I would appreciate your help
> in making these purchases on my behalf, and I need you to check what store
> we have around to make this purchase from.
> 
> Indeed, you all have been great assets to the organization and really
> deserve this recognition.
> 
> 
> Kind Regards,
> 
> The Boss
> Executive Director
> Victim Company
> 
> Sent from my iPhone
> 
> END
> 

-- 
Opinions above are GNU-copylefted.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Andy Smith
Hello,

On Wed, Jan 03, 2024 at 01:24:02PM -0600, Thomas Cameron via users wrote:
> On 1/2/24 17:51, Andy Smith wrote:
> > - Have your users collect their your-org email by some means other
> >   than SMTP, such as running an IMAP server and having them view
> >   both their gmail mailbox and their your-org inbox in one place (I
> >   have no idea if that is feasible with gmail).
> 
> This is what *I* would do, for sure. But the members of the association are
> incredibly non-technical, and trying to walk them through setting up an
> email client like Thunderbird or Outlook is a recipe for disaster.

I understand their point of view but maybe it needs putting to them
from the angle that the org is like any other workplace. They would
not expect their employer's internal emails to be forwarded to them
at $freemail.

Though then that does invite them to ask if they can have a
dedicated device to manage org email then. 

(Which in many ways is not unreasonable either…)

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Thomas Cameron

On 1/4/24 06:35, Matus UHLAR - fantomas wrote:

On 03.01.24 20:36, Thomas Cameron wrote:
Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.


only one of those DKIM signatures needs to pass, with the domain in From:


Yup, and it seems to be working now. After about an hour, it suddenly 
started working as expected.



GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort of configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I 
am looking at the OpenDKIM headers. It's in a weird limbo where I can 
see the email got marked but GMail is not marking it either way.


can we see headers From: and Authentication-Results as they were seen on 
your server?


I absolutely can send them, but since it's working now, I'm going to 
blame this on Google and run. :-D


--
Thanks!
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Thomas Cameron

On 1/4/24 06:31, Matus UHLAR - fantomas wrote:

On 03.01.24 19:30, Thomas Cameron wrote:
Thanks for the advice on SRS - I have set it up and it's mostly 
working. At least GMail accepts the emails, although it seems to be 
failing DKIM and DMARC tests. I'm digging into what, if anything, can 
be done to make PostSRSd fix this issue.


DKIM fails if the message is modified in your server (or, if DKIM failed 
already when it came to it)


DMARC fails if neither DKIM nor SPF succeed, where DKIM signature or the 
SPF record must be from the domain in From:


When you forward e-mail, SRS makes sure SPF record is from your domain, 
but the DKIM signature must be made by sending server, so forwarded 
messages without valid DKIM signature will not pass.


The weird thing is, after a little while, everything seems to be working 
just fine. When I send an email to one of the aliases on the server, it 
sends it to the "real" email address at GMail. It now passes SPF, DMARC, 
and DKIM tests. Looking in the headers on GMail, I see both DKIM 
signatures, from the server which sent the original email, and the one 
on our mail server.


I have no idea why GMail was saying it didn't pass checks earlier. I saw 
the same DKIM signatures in the headers before.


Anyway, SRS is very cool, and I appreciate all the folks who pointed me 
to it.


--
Thanks for the advice, Matus!
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Matus UHLAR - fantomas

Thomas Cameron  writes:

Yeah, the weird thing is, when I check the forwarded email on GMail, I
see in the headers that both the original sending email server (call
it mail.somedomain.com) and the relay server (call it
mail.myassociation.org) put DKIM signatures in the message.



On 1/3/24 19:45, Greg Troxel wrote:

That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.


On 03.01.24 20:36, Thomas Cameron wrote:
Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.


only one of those DKIM signatures needs to pass, with the domain in From:


GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort of configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I 
am looking at the OpenDKIM headers. It's in a weird limbo where I can 
see the email got marked but GMail is not marking it either way.


can we see headers From: and Authentication-Results as they were seen on 
your server?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-04 Thread Matus UHLAR - fantomas

On 1/3/24 15:44, Bill Cole wrote:
Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) 
and it has multiple implementations. If you forward mail, you will 
break SPF unless you fix the envelope sender so that it uses a 
domain  that permits the example.org server to send for it.


OR, you could instead deliver to a POP mailbox locally and have 
users fetch from there instead of simply forwarding mail to them. 
This also avoids a completely distinct problem of places like GMail 
deciding that your org's mail server is a spamming service because 
it is forwarding spam. If users POP their mail instead of having it 
forwarded via SMTP, that does not happen.


On 03.01.24 19:30, Thomas Cameron wrote:
Thanks for the advice on SRS - I have set it up and it's mostly 
working. At least GMail accepts the emails, although it seems to be 
failing DKIM and DMARC tests. I'm digging into what, if anything, can 
be done to make PostSRSd fix this issue.


DKIM fails if the message is modified in your server (or, if DKIM failed 
already when it came to it)


DMARC fails if neither DKIM nor SPF succeed, where DKIM signature or the SPF 
record must be from the domain in From:


When you forward e-mail, SRS makes sure SPF record is from your domain, but 
the DKIM signature must be made by sending server, so forwarded messages 
without valid DKIM signature will not pass.



Many thanks for your help, it's genuinely appreciated!


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
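
The SPF/DKIM/DMARC rules stated in the message above, worked through for forwarded mail. This is an added example, not code from any poster or from PostSRSd or OpenDKIM. The domains are the placeholder names used in this thread, the four cases are constructed, and the alignment test is a simplification that does not consult the Public Suffix List.

```python
from dataclasses import dataclass

@dataclass
class Dkim:
    domain: str   # d= tag of the signature
    valid: bool   # True if the signature verified at the receiver

def aligned(from_domain, auth_domain):
    # Simplification (assumption): aligned when equal or one is a subdomain
    # of the other. Real relaxed alignment compares organizational domains
    # using the Public Suffix List.
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dmarc(from_domain, mailfrom_domain, spf_pass, dkim_sigs):
    # SPF counts only if it passed AND the envelope domain matches From:.
    spf_ok = spf_pass and aligned(from_domain, mailfrom_domain)
    # One valid signature from the From: domain is enough; extra ones are ignored.
    dkim_ok = any(s.valid and aligned(from_domain, s.domain) for s in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

ORIG, RELAY = "somedomain.com", "myassociation.org"   # constructed sample domains

# Constructed cases: (envelope domain, SPF result at receiver, DKIM signatures)
SCENARIOS = {
    "forwarded, no SRS, original DKIM intact":
        (ORIG, False, [Dkim(ORIG, True)]),
    "forwarded with SRS, both signatures valid":
        (RELAY, True, [Dkim(ORIG, True), Dkim(RELAY, True)]),
    "forwarded with SRS, message modified by relay":
        (RELAY, True, [Dkim(ORIG, False), Dkim(RELAY, True)]),
    "forwarded with SRS, sender never signed":
        (RELAY, True, [Dkim(RELAY, True)]),
}

def evaluate_all():
    return {name: dmarc(ORIG, env, spf, sigs)
            for name, (env, spf, sigs) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:48} {result}")
```

In the last two cases SPF passes for the relay's domain and the relay's own signature verifies, yet DMARC still fails because neither is from the domain in From:.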


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron




On 1/3/24 19:45, Greg Troxel wrote:

Thomas Cameron  writes:


Yeah, the weird thing is, when I check the forwarded email on GMail, I
see in the headers that both the original sending email server (call
it mail.somedomain.com) and the relay server (call it
mail.myassociation.org) put DKIM signatures in the message.


That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.


Fair point. But I'm guessing that because it has two DKIM signatures, 
it's not passing the DKIM check.



GMail doesn't flag it as "passed" for DKIM. I am looking to see if
PostSRSd has any sort of configuration option to delete the DKIM of the
original sending server so that it will "pass" DKIM checks.


Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Well, it's not marked as failed, and it's not marked as passed, but I am 
looking at the OpenDKIM headers. It's in a weird limbo where I can see 
the email got marked but GMail is not marking it either way.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Greg Troxel
Thomas Cameron  writes:

> Yeah, the weird thing is, when I check the forwarded email on GMail, I
> see in the headers that both the original sending email server (call
> it mail.somedomain.com) and the relay server (call it
> mail.myassociation.org) put DKIM signatures in the message.

That's more or less broken in my opinion.   I think an MTA should only
DKIM-sign messages that it is responsible for in the sense of
origination, because it is from an authenticated sender.

> GMail doesn't flag it as "passed" for DKIM. I am looking to see if
> PostSRSd has any sort of configuration option to delete the DKIM of the
> original sending server so that it will "pass" DKIM checks.

Not sure why pass is in quotes.   But again if you don't change headers
the original signature should be valid.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron

On 1/3/24 17:41, Greg Troxel wrote:

You are overlooking that DKIM from the original From: is the
responsibility of that domain and that if you do not modify the message
then it should still pass.  Domains sending without DKIM are going to be
a mess.


Yeah, the weird thing is, when I check the forwarded email on GMail, I 
see in the headers that both the original sending email server (call it 
mail.somedomain.com) and the relay server (call it 
mail.myassociation.org) put DKIM signatures in the message.


GMail doesn't flag it as "passed" for DKIM. I am looking to see if 
PostSRSd has any sort of configuration option to delete the DKIM of the 
original sending server so that it will "pass" DKIM checks.


Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron

On 1/3/24 15:44, Bill Cole wrote:


Indeed: your solution is known as "SRS" (Sender Rewriting Scheme) and it 
has multiple implementations. If you forward mail, you will break SPF 
unless you fix the envelope sender so that it uses a domain  that 
permits the example.org server to send for it.


OR, you could instead deliver to a POP mailbox locally and have users 
fetch from there instead of simply forwarding mail to them. This also 
avoids a completely distinct problem of places like GMail deciding that 
your org's mail server is a spamming service because it is forwarding 
spam. If users POP their mail instead of having it forwarded via SMTP, 
that does not happen.


Thanks for the advice on SRS - I have set it up and it's mostly working. 
At least GMail accepts the emails, although it seems to be failing DKIM 
and DMARC tests. I'm digging into what, if anything, can be done to make 
PostSRSd fix this issue.


Many thanks for your help, it's genuinely appreciated!

Thomas


[SOLVED] Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Thomas Cameron

On 1/3/24 18:16, Michael Grant wrote:

Here's what I have done in the past from my server to get around this
situation you are having:

1. In my .procmailrc file

:0c:
!exam...@gmail.com

This sends a copy (the c flag in first line) of the message to the
gmail account and leaves a copy in your inbox.

2. From your exam...@gmail.com acct, go to Settings -> Accounts and
Import.  Under the section 'Check email from other accounts', Add an
email account.  Then add your server's account and use POP to suck
over emails as they arrive.  Have it delete the emails once they are
sucked over.

What this does is it causes messages to be forwarded to gmail, but
some small number of them bounce because of whatever decision gmail
makes.  But those messages are popped in later, so there's no lost
mail.  Gmail de-duplicates the messages so you don't get messages
twice, and it never refuses to pop the messages in.  Popping in
messages is slow, so when the forward works (which seems to be most of
the time), mail comes in quick, unless it bounces, in which case, it's
popped in a few minutes, sometimes 10s of minutes, later.

If you are concerned about the bounce messages going back into your
mailbox (gmail doesn't loop here fortunately), you can write a
procmail rule to siphon those off into another folder or into
/dev/null.  (Left as exercise for the reader...)

3. You *may* need to do one further thing, you may need to go back
into gmail's Account and Import settings and set up 'Send mail as' and
set up to send mail as your email address on your server.  I can't
remember if gmail does this automatically for you in step 2 above or
not.

4. You probably want to then click the radio button "Reply from the
same address to which the message was sent".  Otherwise, when you
reply, it'll come from your gmail address and not your server's email
address. These radio buttons only appear once you have at least one
Send As address set up.

Michael Grant


This is super helpful, thank you very much! I was not aware you could 
configure GMail to pull from another account, that's incredibly helpful!


I wound up installing PostSRSd 
(https://github.com/roehling/postsrsd/tree/main). Now, when I send email 
to one of the officers in the non-profit, I have their actual email 
address set up in /etc/aliases, and SRSd rewrites the headers so that 
GMail at least accepts them now. Before, it was just flat out rejecting 
them.


The annoying thing is that when I send email from the mail server I set 
up, even though it *passes* SPF, DKIM, and DMARC 
(https://imgur.com/a/FuA6HiK), GMail is still dumping into the Spam 
folder. It's incredibly irritating. After I marked a handful of them 
"not spam," it stopped doing it, but we're going to be sending emails to 
the members of the association (and I know several use GMail). I really 
don't know what the heck I am supposed to do to get GMail to stop 
dropping the messages into the spam folder. I thought you could set up 
some sort of DNS TXT record for Google to show that you're a legit 
sender, but I can't find documentation for it except for Google Workplaces.


Anyway, thanks everyone for the great suggestions! I learned a lot doing 
this, and I was unaware of SRS... That's fantastic info!


--
Thomas


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Michael Grant via users
Here's what I have done in the past from my server to get around this
situation you are having:

1. In my .procmailrc file

:0c:
!exam...@gmail.com

This sends a copy (the c flag in first line) of the message to the
gmail account and leaves a copy in your inbox.

2. From your exam...@gmail.com acct, go to Settings -> Accounts and
Import.  Under the section 'Check email from other accounts', Add an
email account.  Then add your server's account and use POP to suck
over emails as they arrive.  Have it delete the emails once they are
sucked over.

What this does is it causes messages to be forwarded to gmail, but
some small number of them bounce because of whatever decision gmail
makes.  But those messages are popped in later, so there's no lost
mail.  Gmail de-duplicates the messages so you don't get messages
twice, and it never refuses to pop the messages in.  Popping in
messages is slow, so when the forward works (which seems to be most of
the time), mail comes in quick, unless it bounces, in which case, it's
popped in a few minutes, sometimes 10s of minutes, later.

If you are concerned about the bounce messages going back into your
mailbox (gmail doesn't loop here fortunately), you can write a
procmail rule to siphon those off into another folder or into
/dev/null.  (Left as exercise for the reader...)

3. You *may* need to do one further thing, you may need to go back
into gmail's Account and Import settings and set up 'Send mail as' and
set up to send mail as your email address on your server.  I can't
remember if gmail does this automatically for you in step 2 above or
not.

4. You probably want to then click the radio button "Reply from the
same address to which the message was sent".  Otherwise, when you
reply, it'll come from your gmail address and not your server's email
address. These radio buttons only appear once you have at least one
Send As address set up.

Michael Grant

