Re: Adding to list of URL shorteners

2018-04-09 Thread Kevin A. McGrail
I am open to modifying my rules as needed.  Send spamples via pastebin or
see the instructions in KAM.cf.

On Mon, Apr 9, 2018, 21:40 Alex Regan  wrote:

> Hi,
>
> What's the best way to add a URL shortener to the current list? Would I
> have to rewrite __URL_SHORTENER? I also notice this subrule doesn't
> account for the https version of the list. Is that intentional?
>
> More specifically, we've received some spam from back.ly. I could reject
> it outright, but I'd like to create some meta rules that more generally
> include any URL shortener.
>
> I'm using KAM's rules, and it appears he's creating his own subrule based
> on URL shorteners, but it's not even as inclusive as the stock SA subrule.
>
> I'm also using DecodeShortURLs, and have added it to the url_shortener
> list there, but it doesn't hit because the redirect is 404'd:
>
> dbg: DecodeShortURLs: URL is not redirect: http://back.ly/1MMCf = 403
> Forbidden
>
> This means the email would still be received, but will still be
> considered malicious and preventable by the recipient.
>
> Ideas greatly appreciated.
>


Adding to list of URL shorteners

2018-04-09 Thread Alex Regan

Hi,

What's the best way to add a URL shortener to the current list? Would I 
have to rewrite __URL_SHORTENER? I also notice this subrule doesn't 
account for the https version of the list. Is that intentional?


More specifically, we've received some spam from back.ly. I could reject 
it outright, but I'd like to create some meta rules that more generally 
include any URL shortener.


I'm using KAM's rules, and it appears he's creating his own subrule based 
on URL shorteners, but it's not even as inclusive as the stock SA subrule.


I'm also using DecodeShortURLs, and have added it to the url_shortener 
list there, but it doesn't hit because the redirect is 404'd:


dbg: DecodeShortURLs: URL is not redirect: http://back.ly/1MMCf = 403 
Forbidden


This means the email would still be received, but will still be 
considered malicious and preventable by the recipient.


Ideas greatly appreciated.


Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread Sebastian Arcus


On 09/04/18 15:24, David Jones wrote:
I was wondering if anyone knows of an SA plugin or another method to 
determine if the envelope-from domain has a valid MX record that is 
listening on TCP port 25.  I don't think it would be a major scorer but 
it could be useful in meta rules.


This might not really answer your question, but I've had really good 
results leaving all this to the MTA (Exim in my case). I actually go for 
the whole hog full callout verification - checking with the MX that the 
sender really exists. I know that some people are against this and say 
that you get blacklisted - but I've been doing this for about 8 months 
on 4 sites and it has worked very well. I have a local full callout 
verification whitelist - to skip callout verification mainly for 
Microsoft operated domains - which will blacklist you at the drop of the 
hat. Pretty much everybody else on the internet seems to understand the 
full callout verification has more advantages than disadvantages in 
fighting spam. I also use Exim to keep count of how many callout 
verifications have failed for an origin IP address and then start 
rejecting connections after 10/24 hours - to stop spammers from using my 
boxes as dictionary attack proxies against other domains (and getting 
me blacklisted in the process).


All of this seems to have worked out very well so far - but I realise 
that it will depend on the size of the email system and number of 
mailboxes and all sorts of other things - so it might not work so well 
elsewhere.


Re: Synthesizing an Mbox Header

2018-04-09 Thread Kevin A. McGrail
formail so far is working exactly as I need.

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Apr 9, 2018 at 1:59 PM, RW  wrote:

> On Mon, 9 Apr 2018 10:48:31 -0400
> Kevin A. McGrail wrote:
>
> > Hi All,
> >
> > I get a lot of spamples submitted to me and it would be nice if there
> > was an automated way to synthesize the mbox separator.  Looking to
> > see if there is an existing process before I reinvent the wheel.
>
> And it's quite easy to get this badly wrong:
>
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7445
>
>
>


Re: Synthesizing an Mbox Header

2018-04-09 Thread RW
On Mon, 9 Apr 2018 10:48:31 -0400
Kevin A. McGrail wrote:

> Hi All,
> 
> I get a lot of spamples submitted to me and it would be nice if there
> was an automated way to synthesize the mbox separator.  Looking to
> see if there is an existing process before I reinvent the wheel.

And it's quite easy to get this badly wrong:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7445




Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread RW
On Mon, 9 Apr 2018 09:24:23 -0500
David Jones wrote:

> I was wondering if anyone knows of an SA plugin or another method to 
> determine if the envelope-from domain has a valid MX record that is 
> listening on TCP port 25.  I don't think it would be a major scorer
> but it could be useful in meta rules.

There's NO_DNS_FOR_FROM which tests for MX or A.  I don't know if it's
still true, but historically this has, in my experience, been largely a
surrogate test for made-up domains.

Having a single test for DNS and port 25 doesn't sound like a good
idea since you can't determine how much benefit comes from each of the
two parts or score them separately.


Re: MSGID_SPAM_CAPS fp's hitting messages from The Pension Regulator in UK

2018-04-09 Thread RW
On Sun, 8 Apr 2018 07:41:50 -0500
David Jones wrote:

> On 04/07/2018 10:42 AM, Sebastian Arcus wrote:

> > I've enclosed one of the messages received here:
> > 
> > https://pastebin.com/9Bmu3pj1  
> 
> I added this to the 60_whitelist_auth.cf to trust this sender:
> 
> def_whitelist_auth *@*.tpr.gov.uk
> 
> This will get pushed out in a couple of days by sa-update.
> 
> I know it's not directly addressing your question about the rule's
> high score 

FWIW with the defaults it would have scored only 1.04. Even with
BAYES_50 instead of BAYES_00 or without RCVD_IN_DNSWL_MED, it's still
comfortably under threshold.  


That said, perhaps someone could see how this compares with the existing
version:

  /^\s*

Re: bayes: cannot open bayes databases lock failed: File exists

2018-04-09 Thread Emanuel Gonzalez
Hello, thanks for the reply. I use one database bayes for all email accounts 
(not sites, sorry for the error)


Here I show some SpamAssassin configuration:


local.cf


bayes_expiry_max_db_size 15
bayes_learn_to_journal 1
bayes_auto_learn 0

include custom_rules
include whitelist
include blacklist
include hostname


I have two questions:


1- How do I configure? I can not find a tutorial, only information about 
spamassassin and mysql, not spamassassin and redis


2- Why is the bayes empty?

sa-learn --dump all
0.000  0  3  0  non-token data: bayes db version
0.000  0  0  0  non-token data: nspam
0.000  0  0  0  non-token data: nham
0.000  0  0  0  non-token data: ntokens
0.000  0  0  0  non-token data: oldest atime
0.000  0  0  0  non-token data: newest atime
0.000  0  0  0  non-token data: last journal sync atime
0.000  0  0  0  non-token data: last expiry atime
0.000  0  0  0  non-token data: last expire atime delta
0.000  0  0  0  non-token data: last expire reduction count

du -sh /.spamassassin/bayes_*
8,0K    /.spamassassin/bayes_journal
513M    /.spamassassin/bayes_seen
4,0M    /.spamassassin/bayes_toks

Regards and thanks for the reply.



From: Matus UHLAR - fantomas
Sent: Monday, April 9, 2018 13:00:49
To: users@spamassassin.apache.org
Subject: Re: bayes: cannot open bayes databases lock failed: File exists

On 09.04.18 11:01, Emanuel Gonzalez wrote:
>I use one bayes database to all sites in my server.

sites? afaik spamd and MTAs differ between mailboxes, not sites.

>What would be the best way to avoid my problem?? create a database of bayes
> by email account?  Or create a unique database of bayes for all email
> accounts?

so, do you use one or multiple BAYES databases?


>From: Pedro David Marco
>Sent: Friday, April 6, 2018 19:01:53
>To: users@spamassassin.apache.org
>Subject: Re: bayes: cannot open bayes databases lock failed: File exists
>
>
>>under such load, yes.
>>if you use per-site bayes database, you can try redis - even faster than
>>mysql.
>
>Much much much faster

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.


Re: bayes: cannot open bayes databases lock failed: File exists

2018-04-09 Thread Matus UHLAR - fantomas

On 09.04.18 11:01, Emanuel Gonzalez wrote:

I use one bayes database to all sites in my server.


sites? afaik spamd and MTAs differ between mailboxes, not sites.


What would be the best way to avoid my problem?? create a database of bayes
by email account?  Or create a unique database of bayes for all email
accounts?


so, do you use one or multiple BAYES databases?



From: Pedro David Marco
Sent: Friday, April 6, 2018 19:01:53
To: users@spamassassin.apache.org
Subject: Re: bayes: cannot open bayes databases lock failed: File exists



under such load, yes.
if you use per-site bayes database, you can try redis - even faster than
mysql.


Much much much faster


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.


Re: Synthesizing an Mbox Header

2018-04-09 Thread Kevin A. McGrail
I'm receiving attachments from webforms primarily that are just the message
headers & body but missing the mbox separator.  However, most of my tooling
is designed for mbox.  I'll try the formail idea, thanks!

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Apr 9, 2018 at 11:37 AM, Kris Deugau  wrote:

> Kevin A. McGrail wrote:
>
>> Hi All,
>>
>> I get a lot of spamples submitted to me and it would be nice if there was
>> an automated way to synthesize the mbox separator.  Looking to see if there
>> is an existing process before I reinvent the wheel.
>>
>
> formail < messagefile >> mboxfile
>
> However, whatever magic formail uses may not be able to locate the correct
> information - the envelope sender in particular is IME not always preserved
> well in the message itself, so the (re)generated "From " line may not match
> the original delivery information.
>
> I'm curious why you need to do this though;  if you're receiving these to
> a mbox mail folder then the delivery agent should be correctly generating
> one.  If you're filing them in a maildir mail folder, then it's not needed.
>
> -kgd
>


Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread Benny Pedersen

Kevin A. McGrail wrote on 2018-04-09 16:46:


If you are interested, let me know.


i am interested to learn how to set up mimedefang, not how to test mx :=)

that will always be a job for mta to make sure this is valid


Re: Synthesizing an Mbox Header

2018-04-09 Thread Kris Deugau

Kevin A. McGrail wrote:

Hi All,

I get a lot of spamples submitted to me and it would be nice if there 
was an automated way to synthesize the mbox separator.  Looking to see 
if there is an existing process before I reinvent the wheel.


formail < messagefile >> mboxfile

However, whatever magic formail uses may not be able to locate the 
correct information - the envelope sender in particular is IME not 
always preserved well in the message itself, so the (re)generated "From 
" line may not match the original delivery information.


I'm curious why you need to do this though;  if you're receiving these 
to a mbox mail folder then the delivery agent should be correctly 
generating one.  If you're filing them in a maildir mail folder, then 
it's not needed.


-kgd
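
What a synthesized separator has to contain, and where the information can come from, as an added Python example that is not code from this thread or from formail: `synthesize_from_line`, `to_mbox_entry` and the sample message are constructed for illustration, and the choice of Return-Path and Date: as stand-ins for the envelope sender and delivery time is an assumption that can differ from the original delivery information, as noted above.

```python
import email
import email.utils
import re
import time
from email import policy


def synthesize_from_line(raw: bytes) -> bytes:
    """Build the mbox "From " separator for a message that arrived without one."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)

    # Envelope sender: Return-Path is the closest surviving record of it.
    # "<>" marks a bounce, which mbox writers record as MAILER-DAEMON.
    # Only when Return-Path is absent do we guess from the From: header.
    sender = "MAILER-DAEMON"
    return_path = msg.get("Return-Path")
    source = return_path if return_path is not None else msg.get("From", "")
    _, addr = email.utils.parseaddr(str(source))
    if addr and not re.search(r"\s", addr):  # separator fields are space-delimited
        sender = addr

    # Delivery time is unknown, so approximate it with the Date: header in UTC;
    # fall back to the epoch when Date: is missing or unparseable.
    when = time.gmtime(0)
    parsed = email.utils.parsedate_tz(str(msg.get("Date", "")))
    if parsed is not None:
        try:
            when = time.gmtime(email.utils.mktime_tz(parsed))
        except (OverflowError, ValueError, OSError):
            pass
    return f"From {sender} {time.asctime(when)}".encode("ascii", "replace")


def to_mbox_entry(raw: bytes) -> bytes:
    """Return raw as one mbox entry: separator, quoted message, blank line."""
    raw = raw.replace(b"\r\n", b"\n")
    if raw.startswith(b"From "):
        # Already has a separator: assume whoever wrote it also quoted the body.
        return raw.rstrip(b"\n") + b"\n\n"
    # mboxrd quoting: a line that is "From " after zero or more ">" gets one
    # more ">", so a reader cannot mistake body text for the next separator.
    quoted = re.sub(rb"(?m)^(>*From )", rb">\1", raw)
    return synthesize_from_line(raw) + b"\n" + quoted.rstrip(b"\n") + b"\n\n"


# Constructed sample: headers and body only, as a web form might deliver it.
SAMPLE = (
    b"Return-Path: <sender@example.com>\r\n"
    b"From: Sender <sender@example.com>\r\n"
    b"Date: Mon, 9 Apr 2018 10:48:31 -0400\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"Hello,\r\n"
    b"From here on the body continues.\r\n"
)

if __name__ == "__main__":
    print(to_mbox_entry(SAMPLE).decode("ascii"))
```
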


Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread Benny Pedersen

David Jones wrote on 2018-04-09 16:24:

I was wondering if anyone knows of an SA plugin or another method to
determine if the envelope-from domain has a valid MX record that is
listening on TCP port 25.  I don't think it would be a major scorer
but it could be useful in meta rules.


that's a job of mta, not content filters

so if postfix rejects non existing senders, then it remains received in sa 
valid mx/a/



Been playing around with rspamd over the weekend to see how it
compares and so far not that impressed.  It has a few features that
are interesting like the MX check but other than that it's not as
impressive as the author makes it out to be on the website comparing
it to SA


if it's still just checking that a mx exists, without A/ then it's buggy 
and should not be used, i do not need a mx, but there are fools around 
that say homepage as well must start with www


i give up with these fools not understanding it


It claims to have better Bayes but so far I am seeing identical
results after identical training.


marketing is better :=)


The Universal Configuration Language is terrible and hard to wrap your
head around it when the structure is so loose.  Since it's not well
defined nor well documented it takes a lot of trial and error to
figure it out.


xml files are very hard to manage so the ucl was created to make it even 
harder to make it right :=)



It doesn't seem to be as flexible as SA in many regards.


yep, that's why i only tested rspamd live as a second spam filter, not 
taking off spamassassin while testing it, so i could see errors fast in both 
content filters, and later use the best of both, this stopped me as a 
rspamd ebuild maintainer as well on gentoo, i was the first one adding 
rspamd / rmilter to gentoo, i still love what i did, but the kids have 
to learn why i use spamassassin now :=)



Right now I have rspamd only adding headers so I can compare with SA.
Tuning it out to match SA's accuracy is proving to be very challenging
and time consuming.


yep one more factor why i stopped using it


Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread Daniele Duca

On 09/04/2018 16:24, David Jones wrote:



Been playing around with rspamd over the weekend to see how it 
compares and so far not that impressed.  It has a few features that 
are interesting like the MX check but other than that it's not as 
impressive as the author makes it out to be on the website comparing 
it to SA.


It claims to have better Bayes but so far I am seeing identical 
results after identical training.

It's a few months that I'm using rspamd. I wrote a dedicated plugin for 
amavisd-new and I use its scoring together with SA's.


IMHO to reach satisfying results you have to train it a lot more than 
SA, but in the long run it's a nice addition. My empirical observations 
suggest that it gets better after at least 3000 ham and spam email 
learned. It's also cool that you can train both global and per-domain 
bayes, very useful if you have a multitenant installation with a lot of 
different domains.


Daniele



Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread Kevin A. McGrail
Well, here's the code I use in filter_sender in MD to check for a validMX.
The module needs a public release with some updates and doesn't work great
with IPv6 but the code is solid and has been in use for a long time at my firm.

  #IF NOT A BOUNCE, THEN CHECK VALID MX RECORDS
  if ($sender ne '<>') {
    #CHECK IF SENDER HAS VALID MX RECORDS
    ($rv, $reason) = &check_valid_mx($sender);

    #IF WE GOT A RETURN VALUE OF 1 CHECK WHAT IT IS
    if ($rv) {
      #RESOLUTION ISSUE? LOG ERROR AND CONTINUE AS A SAFETY VALVE
      if ($reason =~ /Resolution Problem/i) {
        md_syslog('error', "ERROR: check valid MX Resolution Problem: $sender - $reason.");
      } else {
        #OTHERWISE PASSED CHECK VALID MX
        md_syslog('info', "DEBUG: Passed check valid MX: $sender");
      }
    } else {
      #FAILED CHECK VALID MX
      md_syslog('warning', "DEBUG: Rejecting $sender - Invalid MX: $reason.");
      return ('REJECT', "$QueueID: Sorry, mail not accepted. $sender has an invalid MX record: $reason.");
    }
  }

For the check against port 25, Dianne's caveat aside, look
at md_check_against_smtp_server which you can run in filter_recipient.  I
can share how we use a Redis backend to store the data and our routines.

The validmx check hits about 90% of the issues and the cached check really
helps us shut down DDoS and dictionary attacks.

Regards,
KAM

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Apr 9, 2018 at 10:58 AM, Dianne Skoll 
wrote:

> On Mon, 9 Apr 2018 09:56:20 -0500
> David Jones  wrote:
>
> > On 04/09/2018 09:44 AM, Reindl Harald wrote:
> > > you simply don't want connect to every innocent MX which inbound
> > > mail is forged because for the sake of god you are attacking the
> > > victim of spoofed mails and you are easily part of a distributed
> > > DOS when your few connections back are only a small part
>
> Also, if an innocent domain's MX server just happens to be down
> when you check, you could get a FP.
>
> Checking for the existence of a sane MX record is good practice.
> I'm not so sure about actually trying to connect to said MX, even if
> you take basic precautions to minimize connections.
>
> Regards,
>
> Dianne.
>
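
The DNS-only decision discussed in this message and the quoted reply (a sane MX record, an address-record fallback when there is no MX, and a resolution failure treated as a safety valve instead of a rejection), as an added Python sketch that is not Net::validMX or the poster's code. `check_sender_mx`, `fake_resolve`, the verdict names and the `ZONE` data are assumptions constructed for illustration, a dict stands in for the Redis cache, and nothing here connects to port 25.

```python
import ipaddress
import time


class ResolutionProblem(Exception):
    """The resolver gave no answer (SERVFAIL, timeout): not proof of a bad domain."""


RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable(addr):
    """True if mail could plausibly be delivered to this address from outside."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
        return False
    return not any(ip.version == 4 and ip in net for net in RFC1918)


def has_usable_address(name, resolve):
    return any(usable(a) for a in resolve(name, "A") + resolve(name, "AAAA"))


def evaluate(domain, resolve):
    mx = sorted(resolve(domain, "MX"))
    if not mx:
        # No MX at all: SMTP falls back to the domain's own address records.
        if has_usable_address(domain, resolve):
            return "ok", "no MX, address record used as implicit MX"
        return "reject", "no MX and no usable address record"
    if len(mx) == 1 and mx[0][1] == ".":
        return "reject", "null MX, domain accepts no mail"
    for _pref, host in mx:
        host = host.rstrip(".")
        try:
            ipaddress.ip_address(host)
            continue  # an IP literal is not a valid MX target
        except ValueError:
            pass
        if has_usable_address(host, resolve):
            return "ok", f"MX {host} has a usable address"
    return "reject", "no MX target has a usable address"


def check_sender_mx(domain, resolve, cache, now=None, ttl=3600):
    """Return (verdict, reason); verdict is "ok", "reject" or "tempfail"."""
    now = time.time() if now is None else now
    domain = domain.rstrip(".").lower()
    hit = cache.get(domain)
    if hit and hit[0] > now:
        return hit[1], hit[2] + " (cached)"
    try:
        verdict, reason = evaluate(domain, resolve)
    except ResolutionProblem as exc:
        # Safety valve: never reject, and never cache, on a lookup failure.
        return "tempfail", f"Resolution Problem: {exc}"
    cache[domain] = (now + ttl, verdict, reason)
    return verdict, reason


# Constructed zone data standing in for live DNS (hypothetical domains).
ZONE = {
    ("good.example", "MX"): [(10, "mx1.good.example.")],
    ("mx1.good.example", "A"): ["192.0.2.25"],
    ("a-only.example", "A"): ["198.51.100.7"],
    ("nullmx.example", "MX"): [(0, ".")],
    ("loop.example", "MX"): [(10, "mail.loop.example.")],
    ("mail.loop.example", "A"): ["127.0.0.1"],
    ("broken.example", "MX"): "SERVFAIL",
}


def fake_resolve(name, rtype):
    answer = ZONE.get((name.rstrip(".").lower(), rtype), [])
    if answer == "SERVFAIL":
        raise ResolutionProblem(f"SERVFAIL for {name} {rtype}")
    return list(answer)


if __name__ == "__main__":
    cache = {}
    for d in ("good.example", "made-up.example", "broken.example", "good.example"):
        print(d, check_sender_mx(d, fake_resolve, cache, now=0))
```

The "tempfail" verdict corresponds to the "Resolution Problem" branch in the snippet above: log it and let the mail continue.
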


Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread David Jones

On 04/09/2018 09:58 AM, Dianne Skoll wrote:

On Mon, 9 Apr 2018 09:56:20 -0500
David Jones  wrote:


On 04/09/2018 09:44 AM, Reindl Harald wrote:

you simply don't want connect to every innocent MX which inbound
mail is forged because for the sake of god you are attacking the
victim of spoofed mails and you are easily part of a distributed
DOS when your few connections back are only a small part


Also, if an innocent domain's MX server just happens to be down
when you check, you could get a FP.

Checking for the existence of a sane MX record is good practice.
I'm not so sure about actually trying to connect to said MX, even if
you take basic precautions to minimize connections.

Regards,

Dianne.



https://rspamd.com/doc/modules/mx_check.html

I guess I could check the X-Spamd-Result header in SA from rspamd for 
/MX_GOOD/ and let rspamd do the heavy lifting.


X-Spamd-Result: default: False [1.18 / 999.00]
  TO_DN_NONE(0.00)[]
  NEURAL_HAM(-0.00)[-0.792,0]
  DKIM_TRACE(0.00)[email.symantec.com:+]
  ASN(0.00)[asn:7160, ipnet:142.0.160.0/21, country:US]
  RCVD_NO_TLS_LAST(0.00)[]
  R_SPF_ALLOW(-0.20)[+ip4:142.0.160.0/20]
  DMARC_POLICY_ALLOW(-0.25)[email.symantec.com,none]
  MID_RHS_NOT_FQDN(0.50)[]
  FROM_NEQ_ENVFROM(0.00)[co...@email.symantec.com,boun...@email.symantec.com]
  ARC_NA(0.00)[]
  RCVD_IN_DNSWL_NONE(0.00)[28.163.0.142.list.dnswl.org : 127.0.15.0]
  RCVD_COUNT_TWO(0.00)[2]
  MX_GOOD(-0.01)[cached: S912704989.m.en25.com]
  HTML_SHORT_LINK_IMG_2(1.00)[]
  MIME_GOOD(-0.10)[multipart/alternative,text/plain]
  FROM_HAS_DN(0.00)[]
  FORGED_SENDER(0.30)[]
  REPLYTO_DN_EQ_FROM_DN(0.00)[]
  HAS_REPLYTO(0.00)[symantec_communications-...@symantec.com]
  TO_MATCH_ENVRCPT_ALL(0.00)[]
  REPLYTO_DOM_NEQ_FROM_DOM(0.00)[]
  RCPT_COUNT_ONE(0.00)[1]
  HAS_LIST_UNSUB(-0.01)[]
  IP_SCORE(0.05)[ipnet: 142.0.160.0/21(0.08), asn: 7160(0.13), country: US(0.02)]
  MIME_BASE64_TEXT(0.10)[]
  R_DKIM_ALLOW(-0.20)[email.symantec.com]

--
David Jones


Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread Dianne Skoll
On Mon, 9 Apr 2018 09:56:20 -0500
David Jones  wrote:

> On 04/09/2018 09:44 AM, Reindl Harald wrote:
> > you simply don't want connect to every innocent MX which inbound
> > mail is forged because for the sake of god you are attacking the
> > victim of spoofed mails and you are easily part of a distributed
> > DOS when your few connections back are only a small part

Also, if an innocent domain's MX server just happens to be down
when you check, you could get a FP.

Checking for the existence of a sane MX record is good practice.
I'm not so sure about actually trying to connect to said MX, even if
you take basic precautions to minimize connections.

Regards,

Dianne.


Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread David Jones

On 04/09/2018 09:46 AM, Kevin A. McGrail wrote:

Hi Dave,

I do similar work in MIMEDefang using a redis backend for caching 
valid recipients combined with Net::validMX that can check to see if a 
sender has valid MX before sending.  I have a release of Net::validMX 
I'm about to post this week in fact.


If you are interested, let me know.

Regards,
KAM



I am interested in both learning MIMEDefang and your valid MX check.


--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Apr 9, 2018 at 10:24 AM, David Jones wrote:


I was wondering if anyone knows of an SA plugin or another method to
determine if the envelope-from domain has a valid MX record that is
listening on TCP port 25.  I don't think it would be a major scorer
but it could be useful in meta rules.

Been playing around with rspamd over the weekend to see how it
compares and so far not that impressed.  It has a few features that
are interesting like the MX check but other than that it's not as
impressive as the author makes it out to be on the website comparing
it to SA.

It claims to have better Bayes but so far I am seeing identical
results after identical training.

The Universal Configuration Language is terrible and hard to wrap
your head around it when the structure is so loose.  Since it's not
well defined nor well documented it takes a lot of trial and error
to figure it out.

It doesn't seem to be as flexible as SA in many regards.

Right now I have rspamd only adding headers so I can compare with
SA. Tuning it out to match SA's accuracy is proving to be very
challenging and time consuming.

-- 
David Jones






--
David Jones


Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread David Jones

On 04/09/2018 09:44 AM, Reindl Harald wrote:



On 09.04.2018 at 16:24, David Jones wrote:

I was wondering if anyone knows of an SA plugin or another method to
determine if the envelope-from domain has a valid MX record that is
listening on TCP port 25.  I don't think it would be a major scorer but
it could be useful in meta rules.


you simply don't want connect to every innocent MX which inbound mail is
forged because for the sake of god you are attacking the victim of
spoofed mails and you are easily part of a distributed DOS when your few
connections back are only a small part

at least combine it with SPF_PASS and let alone domains without SPF



Rspamd is doing this and caching the information in Redis so it doesn't 
check every single email.  I am sure that it's only checking the valid 
MX once it has passed some basic checks to prevent "attacking the victim 
of spoofed emails."


--
David Jones


Synthesizing an Mbox Header

2018-04-09 Thread Kevin A. McGrail
Hi All,

I get a lot of spamples submitted to me and it would be nice if there was
an automated way to synthesize the mbox separator.  Looking to see if there
is an existing process before I reinvent the wheel.

Regards,
KAM


Re: Check for valid MX of sender and rspamd testing

2018-04-09 Thread Kevin A. McGrail
Hi Dave,

I do similar work in MIMEDefang using a redis backend for caching valid
recipients combined with Net::validMX that can check to see if a sender has
valid MX before sending.  I have a release of Net::validMX I'm about to
post this week in fact.

If you are interested, let me know.

Regards,
KAM

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Apr 9, 2018 at 10:24 AM, David Jones  wrote:

> I was wondering if anyone knows of an SA plugin or another method to
> determine if the envelope-from domain has a valid MX record that is
> listening on TCP port 25.  I don't think it would be a major scorer but it
> could be useful in meta rules.
>
> Been playing around with rspamd over the weekend to see how it compares
> and so far not that impressed.  It has a few features that are interesting
> like the MX check but other than that it's not as impressive as the author
> makes it out to be on the website comparing it to SA.
>
> It claims to have better Bayes but so far I am seeing identical results
> after identical training.
>
> The Universal Configuration Language is terrible and hard to wrap your
> head around it when the structure is so loose.  Since it's not well defined
> nor well documented it takes a lot of trial and error to figure it out.
>
> It doesn't seem to be as flexible as SA in many regards.
>
> Right now I have rspamd only adding headers so I can compare with SA.
> Tuning it out to match SA's accuracy is proving to be very challenging and
> time consuming.
>
> --
> David Jones
>


Check for valid MX of sender and rspamd testing

2018-04-09 Thread David Jones
I was wondering if anyone knows of an SA plugin or another method to 
determine if the envelope-from domain has a valid MX record that is 
listening on TCP port 25.  I don't think it would be a major scorer but 
it could be useful in meta rules.


Been playing around with rspamd over the weekend to see how it compares 
and so far not that impressed.  It has a few features that are 
interesting like the MX check but other than that it's not as impressive 
as the author makes it out to be on the website comparing it to SA.


It claims to have better Bayes but so far I am seeing identical results 
after identical training.


The Universal Configuration Language is terrible and hard to wrap your 
head around it when the structure is so loose.  Since it's not well 
defined nor well documented it takes a lot of trial and error to figure 
it out.


It doesn't seem to be as flexible as SA in many regards.

Right now I have rspamd only adding headers so I can compare with SA. 
Tuning it out to match SA's accuracy is proving to be very challenging 
and time consuming.


--
David Jones


Re: bayes: cannot open bayes databases lock failed: File exists

2018-04-09 Thread Emanuel Gonzalez
Hello, thanks for the reply.

I use one bayes database to all sites in my server.

What would be the best way to avoid my problem?? create a database of bayes by 
email account? Or create a unique database of bayes for all email accounts?

Thanks,



From: Pedro David Marco
Sent: Friday, April 6, 2018 19:01:53
To: users@spamassassin.apache.org
Subject: Re: bayes: cannot open bayes databases lock failed: File exists


>under such load, yes.
>if you use per-site bayes database, you can try redis - even faster than
>mysql.

Much much much faster


PedroD



Re: MSGID_SPAM_CAPS fp's hitting messages from The Pension Regulator in UK

2018-04-09 Thread Sebastian Arcus


On 08/04/18 13:41, David Jones wrote:

On 04/07/2018 10:42 AM, Sebastian Arcus wrote:
I'm not entirely sure what is the cause of this - notification emails 
from The Pension Regulator in UK (a government body overseeing 
pensions) have the destination email in upper case as part of the 
Message-ID. I don't know if the user has input their email address in 
caps when creating the account with TPR, and the system at TPR just 
preserves caps - or maybe their email software does that on purpose 
somehow. In all events, all email notifications from them go straight 
to the Junk folder. Do the standards really require a message id to be 
in all lower case?


I've enclosed one of the messages received here:

https://pastebin.com/9Bmu3pj1


I added this to the 60_whitelist_auth.cf to trust this sender:

def_whitelist_auth *@*.tpr.gov.uk

This will get pushed out in a couple of days by sa-update.

I know it's not directly addressing your question about the rule's high 
score but this is how I address these types of issues.  If you create a 
"fast lane" for trusted senders then this allows for more aggressive 
tactics/scores for new and untrusted senders.


Thank you David. It sounds like a reasonable solution to me.