Re: spamass_milter_localflags

2018-11-26 Thread @lbutlr
On 26 Nov 2018, at 15:35, Bill Cole  
wrote:
> Yes, spamass-milter is apparently abandonware.

Thank you. I’ll look about for something else, but I *think* I have it working 
at this point, other than the one-time complaint at startup, which it appears I 
can live with.

I do appreciate your knowledge on these topics.

-- 
Knowledge, information, power, words... flying through the air,
invisible... And suddenly the world was tap-dancing on quicksand. In
that case, the prize went to the best dancer. --The Fifth Elephant



Re: spamass_milter_localflags

2018-11-26 Thread @lbutlr
On 26 Nov 2018, at 08:21, Bill Cole  
wrote:
> On 26 Nov 2018, at 9:17, @lbutlr wrote:
>
> [...]
>> I have spamass-milter setup and running, and it is tagging mail, but I am 
>> seeing various readme and setup guides that set various things in 
>> rc.conf:spamass_milter_localflags. Trouble is, these settings seem to vary 
>> wildly.
>
> Yes, local details of mail systems do in fact vary wildly. :)

Fair enough, but the various settings I have seen are not even related/similar. 
And it’s working without anything set.

>> Spamd does run as the spamd user, but despite the milter having no flags set 
>> currently and running as root, it is successfully tagging spam.
>
> There is a spamass-milter man page that may help.

Ah yes, that does help.

> Unlike some other milters that use SA (e.g. MIMEDefang, Amavis) 
> spamass-milter actually runs spamc and so it can use all of the features of 
> spamc by simply putting the arguments you would otherwise give spamc in the 
> spamass_milter_localflags after '--' and any spamass-milter args.

So it seems it is picking up the current config without issue.

>> Oh, and I do get this when the miller starts:
>>
>> spamass-milter[27557]: Could not retrieve sendmail macro "i"!.  Please add 
>> it to confMILTER_MACROS_ENVFROM for better spamassassin results
>>
>> (I am not using sendmail, other than postfix’s sendmail replacement)
>
> See the documentation of the milter_*_macros in 'man 5 postconf' and 
> MILTER_README

From postconf -d

milter_data_macros = i
milter_end_of_data_macros = i
milter_end_of_header_macros = i
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} 
{mail_host} {mail_mailer}
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer}

An i is supposed to return the queue ID. Why this confuses/upsets 
spamass-milter is not clear, nor which of these might be the issue. I did find 
at least two mentions via go

spamass_milter_localflags

2018-11-26 Thread @lbutlr
FreeBSD 11.2-RELEASE-p4
===>>> spamassassin-3.4.2_2
===>>> postfix-current-3.4.20181105,5
===>>> spamass-milter-0.4.0_3

rc.conf:
spamass_milter_enable="YES"
spamass_milter_socket_owner="postfix"
spamd_enable="YES"

I have spamass-milter set up and running, and it is tagging mail, but I am 
seeing various readme and setup guides that set various things in 
rc.conf:spamass_milter_localflags. Trouble is, these settings seem to vary 
wildly.

(From a list of local IPs in some examples to -u spamd in others, and many in 
between.)

Spamd does run as the spamd user, but despite the milter having no flags set 
currently and running as root, it is successfully tagging spam.

Oh, and I do get 

Re: Lost mail during update

2018-11-26 Thread @lbutlr
On 26 Nov 2018, at 06:42, David Gibbs  wrote:
> On 11/21/2018 12:56 AM, @lbutlr wrote:
>> While updating spamassassin, several emails were destructively lost
>> because of the absence of spamc. To be fair, the update did get stuck
>> unexpectedly asking for a confirmation, but still I’d like to avoid
>> this happening again.
> 
> Maybe I'm missing something, but perhaps you should shut down the MTA before 
> performing the upgrade?

Normally it is not a problem: the upgrade happens and the service restarts and 
all is good. The difference this time was it got stuck on a confirmation line 
long enough for it to be a problem.

I’ve enabled spamass-milter

-- 
How do you feel? I'm lonely What do you think? Cant take it all Whatcha
gonna do? Gonna live my life




Re: semi-OT - reporting an organization that ignores unsubscribe requests

2018-11-24 Thread @lbutlr
This is a very excessive signature block. I’m glad you’re proud of your resume, 
but inflicting it on a mailing list with every post is a bit much. 

On Nov 21, 2018, at 12:39, Anne P. Mitchell, Esq.  wrote:
> Anne P. Mitchell, 
> Attorney at Law
> GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Legislative Consultant
> CEO/President, Institute for Social Internet Public Policy
> Board of Directors, Denver Internet Exchange
> Board of Directors, Asilomar Microcomputer Workshop
> Legal Counsel: The CyberGreen Institute
> Legal Counsel: The Earth Law Center
> California Bar Association
> Cal. Bar Cyberspace Law Committee
> Colorado Cyber Committee
> Ret. Professor of Law, Lincoln Law School of San Jose
> Ret. Chair, Asilomar Microcomputer Workshop


Sought Rules

2018-11-21 Thread @lbutlr
The page at https://wiki.apache.org/spamassassin/ImproveAccuracy lists Sought 
rules as recommended. The link leads to 
https://wiki.apache.org/spamassassin/SoughtRules which states "this is no 
longer active, and should not be used."


-- 
"I hate to advocate drugs, alcohol, violence, or insanity to anyone, but
they've always worked for me." — Hunter Thompson



Lost mail during update

2018-11-20 Thread @lbutlr
While updating spamassassin, several emails were destructively lost because of 
the absence of spamc. To be fair, the update did get stuck unexpectedly asking 
for a confirmation, but still I’d like to avoid this happening again.

Nov 20 10:20:34 mail postfix/pipe[73448]: 42zsss3jHVzcfQ1: 
to=, orig_to=, relay=spam-filter, 
delay=0.63, delays=0.61/0/0/0.02, dsn=2.0.0, status=sent (delivered via 
spam-filter service (/usr/local/bin/spam-filter: line 23: /usr/local/bin/spamc: 
No such file or directory))
Nov 20 10:20:34 mail postfix/qmgr[85457]: 42zsss3jHVzcfQ1: removed

The result is a message that has a minimal set of headers and no content.

-- 
'There's Mr Dibbler.' 'What's he selling this time?' 'I don't think he's
trying to sell anything, Mr Poons.' 'It's that bad? Then we're probably
in lots of trouble.' --Reaper Man



Port Spamass-rules?

2018-11-20 Thread @lbutlr
When updating SpamAssassin today I noticed that the notes at the end of the 
port install still recommend installing mail/spamass-rules.

This should not be done, right?

-- 
Get in there you big furry oaf! I don't care what you smell!



Re: Non-ascii subjects with images

2018-09-06 Thread @lbutlr
On 03 Sep 2018, at 10:51, Antony Stone 
 wrote:
> It still sounds like a strange way of identifying spam to me:
> 
> 1. surely there are far stronger indicators in the Received headers and/or 
> the 
> body itself
> 
> 2. people are going to be using glyphs such as this more and more commonly in 
> non-spam emails
> 
> There may be an argument for "every little helps", but that sounds like 
> something better left to Bayes to me.

Based on my mail, emojis in the subject would be a strong ham indicator.

-- 
U is for UNA who slipped down a drain
V is for VICTOR squashed by a train



Re: Amazon failing DKIM?

2018-06-26 Thread @lbutlr
On 25 Jun 2018, at 16:41, RW  wrote
> On Mon, 25 Jun 2018 13:01:52 -0400
> Bill Cole wrote:
> 
>> On 25 Jun 2018, at 3:35 (-0400), @lbutlr wrote:
> 
>>>> 0.1 DKIM_SIGNED        Message has a DKIM or DK signature, not 
>>>> necessarily valid
>>>> 0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required
>>>> MIME headers  
>> 
>> That's very broken. Amazon is apparently building bad messages. I
>> have not seen them do that.
> 
> It's a bit suspicious IMO. Amazon signed MIME-Version, so if something
> later stripped or corrupted it, it would account for both
> MIME_HEADER_CTYPE_ONLY and T_DKIM_INVALID.

Yeah, I am wondering if I did something to the headers, but they look untouched.

I’ll turn down the DKIM_ADSP_DISCARD score for now, though it’s been pretty 
reliable for me.

-- 
THE PLEDGE OF ALLEGIANCE DOES NOT END WITH HAIL SATAN Bart chalkboard
Ep. 1F16
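
RW's hypothesis above (a header that Amazon signed, MIME-Version, stripped by a later hop) can be checked mechanically. This is an added Python example, not code from the thread: it compares each DKIM-Signature's h= list against the headers actually present. The sample message is constructed after the order-confirmation headers in the original post, with placeholder bh=/b= values.

```python
"""List DKIM-signed header names (from the h= tag) that are absent from a message.

If a hop after the signer strips a header named in h=, the signature stops
verifying and, for MIME-Version, SpamAssassin also sees Content-Type
without the MIME headers it expects.
"""
import email
from email import policy


def dkim_tags(value: str) -> dict:
    """Parse a 'tag=value; tag=value' DKIM-Signature value into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def missing_signed_headers(raw: bytes) -> list:
    """Per DKIM-Signature, return (signing domain d=, signed names not present).

    Caveat: RFC 6376 lets h= name an absent header on purpose (over-signing,
    so nobody can add one later), so a hit is a lead to compare against the
    signer's usual output, not proof that a hop stripped the header.
    """
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    present = {name.lower() for name in msg.keys()}
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(str(sig))
        signed = [h for h in tags.get("h", "").split(":") if h]
        report.append((tags.get("d", "?"), [h for h in signed if h.lower() not in present]))
    return report


# Constructed sample modelled on the order-confirmation headers in the
# original post: both h= lists name MIME-Version, but the header itself is
# gone. The bh= and b= values are placeholders, not real signature data.
SAMPLE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=selector1; d=amazon.com; t=1529900218;
 h=From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Date;
 bh=PLACEHOLDER=; b=PLACEHOLDER=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=selector2; d=amazonses.com; t=1529900218;
 h=From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID;
 bh=PLACEHOLDER=; b=PLACEHOLDER=
From: "Shop" <no-reply@amazon.com>
Reply-To: no-reply@amazon.com
To: user@example.net
Message-ID: <constructed-id@example.com>
Subject: Your order
Content-Type: text/plain; charset=utf-8
Date: Mon, 25 Jun 2018 04:16:58 +0000
Feedback-ID: constructed:AmazonSES

Thanks for your order.
"""

# The same message with MIME-Version restored: nothing is reported missing.
SAMPLE_INTACT = SAMPLE.replace(b"Subject: Your order\n",
                               b"Subject: Your order\nMIME-Version: 1.0\n")
```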



Amazon failing DKIM?

2018-06-25 Thread @lbutlr
Order confirmation mails from Amazon are getting tagged as spam:

> On 24 Jun 2018, at 22:16, Amazon.com  wrote:
> 
> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
>      trust
>      [54.240.13.20 listed in list.dnswl.org]
>  5.0 DKIM_ADSP_DISCARD  No valid author signature, domain signs all mail
>      and suggests discarding the rest
>  1.5 BAYES_95           BODY: Bayes spam probability is 95 to 99%
>      [score: 0.9856]
>  0.1 DKIM_SIGNED        Message has a DKIM or DK signature, not 
>      necessarily valid
>  0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME
>      headers
>  0.0 T_DKIM_INVALID     DKIM-Signature header exists but is not valid

This isn't an isolated email, it's all of the order confirmations.

Headers:
Return-Path: <2018062504165721b3950ea2304849a8e23f62a110p...@bounces.amazon.com>
Received: from a13-20.smtp-out.amazonses.com (a13-20.smtp-out.amazonses.com 
[54.240.13.20])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(No client certificate requested)
by mail.covisp.net (Postfix) with ESMTPS id 41DbV54JB6zbRTs
for ; Sun, 24 Jun 2018 22:17:01 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=yg4mwqurec7fkhzutopddd3ytuaqrvuz; d=amazon.com; t=1529900218;
h=From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Date;
bh=ZqyVYib8vrje0tC+LusohQNnwC+4buzayCt9asRgygI=;
b=EZbTvozCYlMbxbNimZm6CljR/1Q2xIBMz3iPnNv8ja0+Xz6OzFd0r8B+I5dLU2WB
0a65kRzsMYbcEmTGRk2x8iglmv7CNUPJU+uAxCqTyJGywYY0QlbcCm1KiX+22XMwtc5
6iYzUoAXzu93OnUV01ZXjn+Uw3ztWwKfVMvuGHe4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1529900218;

h=From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID;
bh=ZqyVYib8vrje0tC+LusohQNnwC+4buzayCt9asRgygI=;
b=L6DMPXt3b6ujpbpAPpbKcXdlsdDUeVo999u9u6BkEhDpsN5EurM5XkIJ72DfOaH+
GCGRJK6/sdTmf8muZVS0RWFo7JcR4o7CdOyLLEtBnXyFjEbHLrL6UVUkTUrifdzBKI7
+ozoNn+RxLDpq3kpWl0MJ4YAKAR/x9yWiOe8SSz8=
From: "Amazon.com" 
Reply-To: no-re...@amazon.com
To: m...@mine.tld
Message-ID: 
<010001643528b75a-a17ff281-32b3-4874-84fb-1fe1e48eac51-000...@email.amazonses.com>
Subject: Your Amazon.com order of "...".
Content-Type: multipart/alternative; 
boundary="=_Part_22448454_1319981108.1529900218214"
X-AMAZON-MAIL-RELAY-TYPE: notification
Bounces-to: 2018062504165721b3950ea2304849a8e23f62a110p...@bounces.amazon.com
X-AMAZON-METADATA: CA=C3K6JZ19ME7GV-CU=APPPSMZDNGWEV-RI=ASBCBE1U94KXT
X-Original-MessageID: 

Date: Mon, 25 Jun 2018 04:16:58 +
X-SES-Outgoing: 2018.06.25-54.240.13.20
Feedback-ID: 1.us-east-1.ZHcGJK6s+x+i9lRHKog4RW3tECwWIf1xzTYCZyUaiec=:AmazonSES



Re: Remove SA tagging when learning as ham

2018-06-18 Thread @lbutlr
On 18 Jun 2018, at 10:13, @lbutlr  wrote:
> #!/bin/sh
> exec /usr/local/bin/spamassassin -d ${1} && /usr/local/bin/sa-learn -u ${1} 
> --ham

Sorry, typo from memory.

#!/bin/sh
exec /usr/local/bin/spamassassin -d && /usr/local/bin/sa-learn -u ${1} --ham


I think what I am going to do is enable report_safe 1 and remove the subject 
tagging and see how that goes.
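
What the script above is after, as an added Python example (not code from the thread): strip the markup SpamAssassin added so the message can be learned as ham. It assumes the subject tag is either the "(Spam: 05.5)" form from the original post or the default "*****SPAM*****", also unwraps the report_safe 1 wrapper, and the two sample messages are constructed.

```python
"""Strip SpamAssassin markup so a message can be fed back to sa-learn --ham.

Does in Python what `spamassassin -d` does: removes X-Spam-* headers,
strips the subject tag and, for messages rewritten with report_safe 1,
unwraps the attached original message.
"""
import email
import re
from email import policy

# Assumed subject tags: SpamAssassin's default "*****SPAM*****" and the
# "(Spam: 05.5)" form the thread's local rewrite_header setting produces.
SUBJECT_TAG = re.compile(r"^\s*(\*{5}SPAM\*{5}|\(Spam:\s*[\d.]+\))\s*", re.I)


def unwrap_report_safe(msg):
    """Return the original message when msg is a report_safe 1 wrapper.

    The original travels as a message/rfc822 part tagged x-spam-type=original;
    anything else is returned unchanged.
    """
    if not msg.is_multipart():
        return msg
    for part in msg.iter_parts():
        if (part.get_content_type() == "message/rfc822"
                and part.get_param("x-spam-type") == "original"):
            return part.get_payload(0)
    return msg


def strip_sa_markup(raw: bytes) -> bytes:
    """Return raw without SpamAssassin's headers, subject tag and wrapper."""
    msg = unwrap_report_safe(email.message_from_bytes(raw, policy=policy.default))
    for name in {h for h in msg.keys() if h.lower().startswith("x-spam-")}:
        del msg[name]  # removes every occurrence of that header
    subject = msg.get("Subject", "")
    cleaned = SUBJECT_TAG.sub("", subject)
    if cleaned != subject:
        msg.replace_header("Subject", cleaned)
    return msg.as_bytes()


def header_summary(raw: bytes) -> dict:
    """Inspection helper: subject, remaining X-Spam-* headers and text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "subject": str(msg.get("Subject", "")),
        "spam_headers": sorted(h for h in msg.keys() if h.lower().startswith("x-spam-")),
        "body": body.get_content().strip() if body else "",
    }


# Constructed sample: a message as spamd tagged it with report_safe 0.
TAGGED = b"""\
From: sender@example.com
To: user@example.net
Subject: (Spam: 05.5) Weekly comics digest
X-Spam-Flag: YES
X-Spam-Status: Yes, score=5.5 required=5.0 tests=BAYES_95 autolearn=no
X-Spam-Level: *****
Content-Type: text/plain; charset=utf-8

New releases this week.
"""

# Constructed sample: the same message rewritten with report_safe 1.
WRAPPED = b"""\
From: sender@example.com
To: user@example.net
Subject: (Spam: 05.5) Weekly comics digest
X-Spam-Flag: YES
Content-Type: multipart/mixed; boundary="=_SA_WRAP"

--=_SA_WRAP
Content-Type: text/plain; charset=iso-8859-1

Spam detection software has identified this incoming email as possible spam.

--=_SA_WRAP
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin

From: sender@example.com
To: user@example.net
Subject: Weekly comics digest
Content-Type: text/plain; charset=utf-8

New releases this week.

--=_SA_WRAP--
"""
```

Pipe the cleaned bytes to `sa-learn --ham` instead of the tagged copy; in the thread's script the `exec` also means the `&&` branch never runs, so the two steps need to be sequenced without it.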



Re: Remove SA tagging when learning as ham

2018-06-18 Thread @lbutlr


On 18 Jun 2018, at 08:47, RW  wrote:
> On Mon, 18 Jun 2018 06:13:06 -0600
> @lbutlr wrote:
> 
>> I have a script that runs when a mail is moved out of the Junk folder
>> to pass the mail through sa-learn --ham, 
> 
> 
> Whether this is the Dovecot plugin or something local it's a poor way
> of training Bayes. You're training on SA errors not Bayes errors. Most
> imperfect Bayes results don't translate into misclassifications.

I’m not sure what you’re trying to say here. Certainly SA does misclassify 
mail as spam at times, usually bulk mail that the user wants (for example, it 
marks Comixology mails as spam for me). Training the messages as ham is useful.

The script that runs is running out of dovecot, so procmail is not an option. 
What I have currently, but it doesn’t work well and I’m considering abandoning 
it entirely:

#!/bin/sh
exec /usr/local/bin/spamassassin -d ${1} && /usr/local/bin/sa-learn -u ${1} 
--ham



Remove SA tagging when learning as ham

2018-06-18 Thread @lbutlr
I have a script that runs when a mail is moved out of the Junk folder to pass 
the mail through sa-learn --ham, but it doesn’t remove the subject tagging 
(Spam: 05.5) nor does it remove the X-Spam-Flag header.

What would I need to do in the script to remove the SA tags on messages that 
are processed by this script?

-- 
Stone circles were common enough everywhere in the mountains. Druids
built them as weather computers, and since it was always cheaper to
build a new 33-Megalith circle than to upgrade an old slow one, there
were generally plenty of ancient ones around --Lords and Ladies



Re: List From and Reply-To

2018-06-01 Thread @lbutlr
On 30 May 2018, at 15:34, Luis E. Muñoz  wrote:
> To further the point, one of the mailboxes I manage on this box has 95K+ 
> messages. Apple Mail would choke to death on this one.

Not at all. I have folders in mail.app with more than twice that number of 
messages.

-- 
"Two years from now, spam will be solved," -- Bill Gates, January, 2004



Re: List From and Reply-To

2018-06-01 Thread @lbutlr
On 30 May 2018, at 08:25, Bill Cole  
wrote:
> I can't speak to it as a MUA for mailing lists.

It is, as it always has been and by design, a very bad mail client for mailing 
lists.

(I use Apple Mail. But I use procmail to fix some of its stupidity, which is 
why this message goes to the list by default)

-- 
TYPOS AR EHT FAULT OF GIN



Re: Dynamic clients

2018-06-01 Thread @lbutlr
On 31 May 2018, at 01:52, Rupert Gallagher  wrote:
> How much do you pay for it?

Someone has a stiff piece of cellulose in a downward facing bodily orifice 
about spamhaus, it appears.

-- 
Mirrors contain infinity. Infinity contains more things than you think.
Everything, for a start. Including hunger. Because there's a million
billion images, but only one soul to go around. --Witches Abroad



Re: rejection w/o sender (or recipient) knowing == dropping

2018-04-29 Thread @lbutlr
On 2018-04-29 (21:02 MDT), L A Walsh  wrote:

> Until the past few years, email that was sent to me was either received by me 
> or the sender got a rejection message.


Few? No, more like 20 years ago, when spam became a huge problem. If a message 
is spammy or contains dangerous attachments, it is discarded. The user targeted 
with the attack will never know. This is because this is what users WANT.

Also, it is *my* mail server. My hardware. My bandwidth. I can do whatever I 
want with it. If users do not like what I am doing, they are free to get 
services elsewhere. I've had users "insist" that I allow MS Office files in 
attachments. I've informed them otherwise.

> Apparently you don't know what "rejecting" is, vs. silently dropping it into 
> the trash.  The latter is dropping. The former tells the sender there was a 
> problem delivering the email -- usually accompanied by the type of error.

The VAST majority of senders are fraudulent.

> In the former case, the sender knows something is refusing to deliver the 
> email and knows the sender didn't get it.  In the latter case, the sender 
> "expects" that the user is likely to have received it (because there was no 
> message send back that there was a problem delivering it).

If the message is discovered to be unwanted before it is delivered, the sender 
(the REAL sender) gets a notification the email wasn't accepted. If the message 
isn't discovered to be unwanted until after it is accepted, then discarding is 
the only possible action.

> If the sender gets a rejected message, they can tell the listed-recipient 
> that the email was rejected and to please correct the problem.  If they don't 
> get anything back, they won't even know what is wrong with the email should 
> they want to resend it.


The world is an imperfect place. Emails fall out all the time.

> To compound the issue, the recipient may not know their email is being 
> filtered since they asked for it NOT to be.

I know of no mail service that will allow unfiltered mail. I mean, maybe they 
exist, but I seriously doubt it. *I* would never use one myself.

-- 
And Super Heroes come to feast
To taste the flesh not yet deceased
And all I know is still the beast is feeding.



Re: dropping other's email(s) as a "best practice" for hosted email? (was: "anyone recognize these headers? ...")

2018-04-27 Thread @lbutlr
On 2018-04-26 (14:41 MDT), L A Walsh  wrote:
> 
> To my way of thinking, dropping someone else's email, telling the sender the 
> email is being rejected for having spam-like characteristics and telling the 
> recipient nothing seems like it might have legal liability for the for the 
> user potentially missing vital email.

I agree that once the mail has been ACCEPTED the recipient has to either receive 
the mail or know why the mail isn't there. For example, most spammy mail is 
delivered to a user's Junk box, where they have a week to check it for mistagged 
mail, but after a certain threshold, users know that the email will be 
discarded (scoring over 10 in my case). However, this is very rare because most 
mail that is that spammy is rejected at the SMTP phase.

> It also would seem to violate what used to be a basic expectation of internet 
> email -- that it is either delivered to the recipient's inbox OR you'll 
> receive a non-delivery notification (a "bounce").

Or you will receive a rejection immediately.

Think about it this way: if you send an email to da...@example.com and there is 
no such account because you intended to send it to d...@example.com, you do not 
get an NDN, you get a rejection.

-- 
I want a party where all the women wear new dresses and all the men
drink beer. -- Jason Gaes



Re: anyone recognize these headers? From SA or are they from another spam product?

2018-04-26 Thread @lbutlr
On 2018-04-24 (18:10 MDT), L A Walsh  wrote:
> 
> What email SW censors things by rejecting them before accepting them?

As others have said, the proper behavior for any mail server is to reject mail 
that is not desired. This may be because of spam, size, types of attachments, 
origin, or even virus/malware scanning.

On my mail server, 97% of the connections are rejected (or dropped) before mail 
is accepted.

-- 
Puny god!



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-04-01 Thread @lbutlr
On 2018-02-20 (08:30 MST), Rob McEwen  wrote:
> 
> RE: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)




-- 
Technically, Aziraphale was a Principality, but people made jokes about
that these days



Re: skipping nameserver '0.ns.spamhaus.org' because it is a CNAME

2018-03-20 Thread @lbutlr
On 2018-03-20 (04:56 MDT), Uwe Schindler  wrote:
> 
> why did they not simply block the Hetzner recursive name servers instead of 
> everything

I would have to assume bad behavior on Hetzner's part.


-- 
'And stars don't care what you wish, and magic don't make things better,
and no-one doesn't get burned who sticks their hand in a fire.'



Re: Spammers, IPv6 addresses, and dnsbls

2018-03-08 Thread @lbutlr

On 2018-03-07 (13:12 MST), Philip  wrote:
> 
> ps your server blocks .nz domains :P

Mine too.

I have a short list of TLDs I accept mail from, and everything else gets 
rejected. New Zealand hasn't come up as a country accounts on my server get 
mail from…

basically, in help checks:

/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host)$/ DUNNO
/.*\.*/ 550 Mail to/from this TLD is not allowed

(There's a bit more to it than that, but it's reduced my spam load by massive 
amounts and I got to completely avoid the .top spamsplosion).

-- 
Competent? How are we going to compete with that?




Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-03-03 Thread @lbutlr
On Feb 26, 2018, at 09:55, sha...@shanew.net wrote:
> 
> This is why the DecodeShortURLs plugin has an explicit limit of 10
> lookups (and penalizes such with a total of 8 points).

I’d guess more than one redirect is highly suspicious and more than two is 
probably a waste of time, just score 5.0 and be done with it. 

Has anyone done any analysis on multi-redirects?

-- 
This is my signature. There are many like it, but this one is mine.


Re: Custom rule don't match without empty line before the string!

2018-02-23 Thread @lbutlr
On 2018-02-23 (02:15 MST), saqariden  wrote:
> 
> our mailing service is not for external use, So the users are not supposed to 
> send or receive B64 encoded mails.

I've never seen anyone *intentionally* send base64 mails (I mean, people, not 
spammers). That is a decision made by the MUA. Sounds like you may be trying to 
solve the wrong problem.

-- 
I've got a sonic screwdriver!
Yeah? I've got a chair!
 ...
Chairs *are* useful.



Re: ENCRYPTED_MESSAGE rule

2018-02-22 Thread @lbutlr
On 2018-02-22 (17:39 MST), RW  wrote:
> 
> Is it genuinely encrypted though? I'm wondering if it's just base64
> encoded, and possibly signed.

application/pkcs7-mime is S/MIME

-- 
Vi Veri Veniversum Vivus Vici



Re: Custom rule don't match without empty line before the string!

2018-02-22 Thread @lbutlr
On 2018-02-22 (07:54 MST), saqariden  wrote:
> 
> I have the following SA rule which is supposed to block base64 encoded mails:


Wow. You are going to block a lot of legitimate email that way.

> body EN_BASE64_B /(Content-Transfer-Encoding: 
> base64\sContent-Type: text\/(plain|html); charset="?utf-8"?)|(Content-Type: 
> text\/(plain|html); charset="?utf-8"?\sContent-Transfer-Encoding: base64)/i

You need to be looking at the MIME headers, not simply scanning the plaintext 
body. In fact, I don't think the plaintext body is even available to 
SpamAssassin rules, so those lines will never match as you have them. Heck, I 
don't know if the encoding type is available at all to SA because... well, why 
would it be. How a message is encoded is not a spam indicator.

You can do this with other tools in your MTA (postfix) or your LDA (procmail), 
but it's a very bad idea.

My personal account has 1,770 base64 encoded messages out of 90,111. I know I 
would not be happy to have missed those 1,770 messages.

-- 
We are born naked, wet and hungry; then it's all downhill.



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-21 Thread @lbutlr
On 2018-02-21 (09:27 MST), Alex  wrote:
> 
> This is what DecodeShortURLs is for
> https://github.com/smfreegard/DecodeShortURLs

Aha! I knew something like that must exist! 

-- 
EIR OWN DESTINY. THEY TOUCH THE EARTH LIGHTLY.



Re: Custom Rulesets

2018-02-21 Thread @lbutlr
On 2018-02-21 (07:21 MST), Rajkiran Rajkumar  wrote:
> 
> Hi Spamassassin community,
> My first message here, so kindly excuse any missing etiquette. I am exploring 
> custom rulesets and I have gone through the wiki article on it. However, it 
> doesn't contain any information about the up-to-date-ness of the rulesets 
> except a few. What does the community usually use? Any help is greatly 
> appreciated.

KAM is still popular and supported.

I think the recommendation is that the best results come from enabling DCC, 
Pyzor, and Razor plugins. I haven't gotten around to setting up DCC myself.

If you are using postfix for your mail server, enabling postscreen mitigates a 
*lot* of the most egregious spam.

-- 
'There's Mr Dibbler.' 'What's he selling this time?' 'I don't think he's
trying to sell anything, Mr Poons.' 'It's that bad? Then we're probably
in lots of trouble.' --Reaper Man



Re: Report AmazonSES spam?

2018-02-21 Thread @lbutlr
On 2018-02-21 (06:50 MST), David Jones  wrote:
> 
> I think it's best if we all report to Spamcop first to concentrate all of 
> that information into a single database which increases our effectiveness.  
> Then if you want to report directly to the platform/sender's abuse contact, 
> that is good too.


I will do that. The form posted upthread is obviously for network abuse, not 
for spam email.

-- 
And now, the rest of the story



Re: Report AmazonSES spam?

2018-02-21 Thread @lbutlr
On 2018-02-21 (05:37 MST), Tom Hendrikx  wrote:
> 
> How about: https://aws.amazon.com/forms/report-abuse


Isn't Amazon SES separate from Amazon AWS?

-- 
Nothing gold can stay -- Robert Frost Stay gold -- Johnny Cade



Report AmazonSES spam?

2018-02-21 Thread @lbutlr
I've been trying to find a way to report a spammer to Amazon SES (Simple Email 
Service), but I haven't found anywhere to report this spam.

(SA is tagging the messages, but I'm tired of Amazon allowing this company to 
continue doing this).

X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_95,DKIM_SIGNED,
HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
KAM_LOTSOFHASH,MIME_HEADER_CTYPE_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS,
T_DKIM_INVALID,T_RP_MATCHES_RCVD,URIBL_BLACK autolearn=no
autolearn_force=no version=3.4.1



Re: Blacklist for reply-to?

2018-02-21 Thread @lbutlr
On 2018-02-21 (00:20 MST), Rupert Gallagher  wrote:
> 
> Beware that companies use a legal note in their signature as advised by their 
> lawyers, and many individuals do the same, to inform the reader about laws 
> that apply regardless of where or when you are reading their note.

Mostly they lie about what their claimed rights are.

> A mail from Europe is subject to data protection. It does not matter if you 
> disagree.

It does. I am not subject to European laws on data protection.

-- 
"There's sex and death and human grime in monochrome for one thin dime
and at least the trains all run on time but they don't go anywhere."



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-21 Thread @lbutlr
On 2018-02-21 (00:52 MST), Charles Sprickman  wrote:
> 
> You can also see all the analytics by appending “.info” to the URL, eg: 
> http://goo.gl/ylUAd.info

True, but that is a web browser solution, not something that could, for 
example, be scripted (well, not easily or realistically for this sort of task).

Also, appending a "+" I believe does the same thing, and is easier to type. 
http://goo.gl/ylUAd+

Either way, that redirects to a URL in the form



So that could probably be scraped as well if you really wanted to scrape a web 
page.

Still, this isn't a viable solution for spam checking, though I suspect there 
is a low-cost "get redirect URI" library that would have less overhead than 
curl and could grab the Location from the 301 (or 302?) redirect, much like 
curl can do with a -I or -i flags.

Regardless, Reindl was clearly wrong that checking the shortner targets would 
require loading the target URL.

Maybe curl ain't so bad?

# time curl -sI http://goo.gl/ylUAd | grep -o "http.*"
http://www.hollywoodreporter.com/thr-esq/donald-trump-threatens-sue-macy-422135

real	0m0.098s
user	0m0.000s
sys	0m0.008s

I threw this together in a few minutes and it seems to work:

---
#!/bin/bash
# curlri: print the redirect target of a URL using a HEAD request only,
# so the target page itself is never fetched.

if [ "$1" = "" ]; then
   echo "usage $0 "
   exit 1
else
   URL="$1"
fi

# -s silences progress output, -I sends HEAD and prints only the headers;
# grep keeps the part of the Location line starting at "http"
myInfo=$(curl -sI "$URL" | grep -o "http.*")
if [ "$myInfo" = "" ]; then
   # no redirect found (note: the shell keeps only the low 8 bits of an
   # exit code, so 404 is reported to the caller as 148)
   exit 404
else
   echo "$myInfo"
fi
---

 # curlri www.covisp.net # This uses rewrite
https://www.covisp.net/
 # curlri www.google.com # No redirect, so returned 404
 # curlri http://goo.gl/ylUAd # Voila!
http://www.hollywoodreporter.com/thr-esq/donald-trump-threatens-sue-macy-422135

It even works for the t.co link:

 # curlri http://t.co/UShCXQG
http://www.youtube.com/watch?v=dfJ6oCdjY9Y

-- 
It is one thing to be mistaken; it is quite another to be willfully
ignorant ~Cecil Adams



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread @lbutlr
On 2018-02-20 (22:10 MST), Reindl Harald  wrote:
> 
> you may hit confirmation-urls (both ham and spam), trigger actions, trigger 
> *one-time* urls which are invalid for the user after a dumb bot used them not 
> talking about that it would be illegal in many countries in case of private 
> ham-mails

As I suspected, it is possible to get the goo.gl target URL without loading the 
site, though using curl is probably not realistic in this specific case.

$ curl -s "http://goo.gl/ylUAd" | grep -o "http[^\"]*"
http://www.hollywoodreporter.com/thr-esq/donald-trump-threatens-sue-macy-422135

$ curl -s "http://bit.ly/savecastle" | grep -o "http[^\"]*"
http://community.livejournal.com/castle_tv/28872.html

Doesn't work with t.co, but that is not surprising since twitter uses that 
specifically to hide URLs, considering them all their property that must go 
through their servers.

-- 
Mos Eisley spaceport. You will never find a more wretched hive of scum
and villainy. We must be cautious.
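Both of the posts above pull a shortener's target out of curl output with grep. As an added example that is not the poster's script and not part of SpamAssassin, curl or any shortener's API, here is a POSIX sh version that parses the header block `curl -sI` prints instead of grepping for the first "http": it accepts only a 3xx status, finds the Location header regardless of case, resolves a relative Location against the requested URL, and reports "no redirect" with a distinct exit status. The function names, the `curlri` wrapper and the sample header blocks are mine, and the hosts in them are constructed placeholders.

```shell
#!/bin/sh
# Added example: parse the header block that `curl -sI URL` prints (read from
# stdin) and print the redirect target, without ever fetching the target page.
# Exit status: 0 = target printed, 1 = no redirect, 2 = no HTTP status line.
redirect_target() {
    headers=$(tr -d '\r')                    # curl prints CRLF line endings
    # Status line looks like "HTTP/1.1 301 Moved Permanently" or "HTTP/2 302"
    status=$(printf '%s\n' "$headers" |
        sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        "")          return 2 ;;             # not an HTTP response at all
        3[0-9][0-9]) ;;                      # only a 3xx carries a redirect
        *)           return 1 ;;
    esac
    # Header names are case-insensitive; take only the first Location
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($0) ~ /^location:/ { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }')
    [ -n "$location" ] || return 1
    printf '%s\n' "$location"
}

# Resolve a relative Location such as "/landing" against the requested URL;
# absolute targets are returned unchanged, a missing scheme defaults to http.
resolve_location() {
    orig=$1
    loc=$2
    case "$orig" in
        http://*|https://*) ;;
        *) orig="http://$orig" ;;
    esac
    case "$loc" in
        http://*|https://*) printf '%s\n' "$loc" ;;
        /*) origin=$(printf '%s\n' "$orig" |
                sed -n 's#^\(https\{0,1\}://[^/]*\).*#\1#p')
            printf '%s%s\n' "$origin" "$loc" ;;
        *)  printf '%s\n' "$loc" ;;          # anything else is passed through
    esac
}

# Stand-in for the post's curlri: one HEAD request (-I), bounded by --max-time,
# the Location taken from the headers, nothing beyond the shortener contacted.
curlri() {
    [ -n "$1" ] || { echo "usage: curlri URL" >&2; return 1; }
    loc=$(curl -sI --max-time 5 "$1" | redirect_target) || return $?
    resolve_location "$1" "$loc"
}

[ $# -eq 0 ] || curlri "$1"                 # run directly: curlri.sh URL
```

Feed `redirect_target` the headers curl printed, or call `curlri URL` directly; either way only the shortener's own server is contacted, which is the property the thread cares about. The distinct exit codes let a caller tell "no redirect" apart from "not an HTTP response" without parsing output.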



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread @lbutlr
On 2018-02-20 (19:42 MST), Rob McEwen  wrote:
> 
> I ran stats on a sample set of a few thousand mailboxes, over a period of 
> several hours today (mostly during business hours for these particular 
> organizations who use these mailboxes) - and this produced a combined 24K 
> legit messages, and 5K spams (I'm guessing that most systems have more spams 
> per amount of hams? But those were the numbers for this server.)

goo.gl (and other shorteners) are used for far more than email.

That said, most of my incoming email is rejected long before it gets to any sort 
of URI lookup, based on just the transaction information. That is to say, upwards 
of 90% of incoming mail is rejected before DATA.

> 286 total spams blocked that had a shortner,

That's not enough to have any sort of reliable statistical data.

> 187 total legit messages had a hit on at least one of hundreds of URL 
> shortners 

So the use of a shortener is a poor spam indicator, even in your corpus, and a 
negligible indicator even when specifically looking at goo.gl.

> Google's shortner is DOMINATING in its spam usage, where 92% (262 of 286) of 
> ALL spam that contained shortners used Google. 

But about 25% of goo.gl containing email is not spam, by your own numbers. So, 
a very poor metric.

-- 
"You can speak soon and write like a graduate college if me let you help
for a day of 15 minutes" "1963" Issue #1



Re: Blacklist for reply-to?

2018-02-20 Thread @lbutlr
On 2018-02-20 (06:02 MST), Rupert Gallagher  wrote:
> 
> Do you have the legal right to do so?

Absolutely.

No one gets to inflict a contract on me. Especially not an entirely stupid 
nonsense thing like that piece of crap that has no legal weight whatsoever.

-- 
We are born naked, wet and hungry; then it's all downhill.



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-20 Thread @lbutlr
On 2018-02-20 (08:30 MST), Rob McEwen  wrote:
> 
> Spammers are starting to use this to evade spam filters,

This is not news. Spammers have been using shorteners since 3 seconds after 
tinyurl.com launched.

> Keep in mind that, if a marketer is doing things the right way, they should 
> have no need to obfuscate their own domain name. They should instead proudly 
> use it and not feel the need to hide behind Google's shortner.

No, that is not at all true. The primary use of a shortener is to shorten a long 
URL to something that someone can type in.

Clicking a URL in an email is the height of stupidity, so having a short URL 
that someone can realistically type into a browser is much better.

> Yes, there are many legitimate uses of Google's shortner, too. However, we 
> are now at a point where a VERY large % (a majority?) of uses of these headed 
> to a typical user's mailbox are egregious spams, and a significant additional 
> portion are likely-spams.


Any evidence of this?

> THEREFORE: If you like having NOT-blacklisted IPs, be advised that the 
> invaluement anti-spam DNSBL system is now adding "bad" points to the scoring 
> of all messages that use the "goo.gl" shortner, and we're amplifying other 
> "bad" points.


Well, at least you are warning people. However, what you are doing is, frankly, 
dumb; if you think there's a huge problem, you can simply check the target URLs.

-- 
I've always had a flair for stage directions.



Re: Blacklist for reply-to?

2018-02-19 Thread @lbutlr
On 2018-02-19 (09:57 MST), Paul Stead  wrote:
> 
> This message is private and confidential. If you have received this message 
> in error, please notify us and remove it from your system.
> 
> Zen Internet Limited may monitor email traffic data to manage billing, to 
> handle customer enquiries and for the prevention and detection of fraud. We 
> may also monitor the content of emails sent to and/or from Zen Internet 
> Limited for the purposes of security, staff training and to monitor quality 
> of service.

I reject your terms.

-- 
Rid yourself of doubt -- or should you? -George Carlin



Re: URIBL_BLOCKED

2018-02-15 Thread @lbutlr
On 2018-02-15 (02:10 MST), Tobi  wrote:
> 
> and does your bind server use other forward servers?

Nope. It is its own thing. No forwarders. Dunno what the issue was, but it was 
transient AFAICT.

-- 
Forever was over. All the sands had fallen. The great race between
entropy and energy had been run, and the favourite had been the winner
after all. Perhaps he ought to sharpen the blade again?  No. Not much
point, really.



Re: URIBL_BLOCKED

2018-02-14 Thread @lbutlr
On 2018-02-14 (09:55 MST), Tobi <jahli...@gmx.ch> wrote:
> 
> Am 14.02.2018 um 17:16 schrieb @lbutlr:
>> I can't imagine why i'd be over limit, my mail server is tiny.
> 
> its not the mailserver that got blocked by limits, but the dns resolver
> your mailserver uses!

I use my own DNS on Bind 9.12, however the block error is not appearing today, 
so...



-- 
"...and that's not incense"



Re: URIBL_BLOCKED

2018-02-14 Thread @lbutlr
On 2018-02-13 (14:45 MST), Reindl Harald <h.rei...@thelounge.net> wrote:
> 
> Am 13.02.2018 um 21:21 schrieb @lbutlr:
>> 0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was 
>> blocked.
>> See
>> 
>> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>>  for more information.
>> [URIs: cz-salda.ru]
>> So, I’ve never heard of cz-salda.ru, is that the RBL that is blocking me? If 
>> so, where is it listed in SA’s configuration (FreeBSD 11.1-RELEASE)? (tried 
>> a `grep salda.ru /usr/local/etc/mail/spamassassin/*` for no results)
> 
> jesus christ click on the link you even quote

I did click on the link.

> "cz-salda.ru" was the domain which would have been checked against URIBL and 
> URIBL said "you are over limit, go away"

Ah, I didn't know URIBL was a blacklist, I thought it was being used as a 
generic abbreviation variant of RBL.

I can't imagine why I'd be over limit, my mail server is tiny.

-- 
Women like silent men, they think they're listening.



URIBL_BLOCKED

2018-02-13 Thread @lbutlr
0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                   See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                   for more information.
                   [URIs: cz-salda.ru]

So, I’ve never heard of cz-salda.ru, is that the RBL that is blocking me? If 
so, where is it listed in SA’s configuration (FreeBSD 11.1-RELEASE)? (tried a 
`grep salda.ru /usr/local/etc/mail/spamassassin/*` for no results)

Also, why would anything be checking a Russian RBL?

Supposedly I can disable this with a line like

Score RCVD_IN_ORBS 0

But “ORBS” wouldn’t be right and there’s nothing in the text above to indicate 
what it might be.




Re: Email filtering theory and the definition of spam

2018-02-13 Thread @lbutlr
On 13 Feb 2018, at 06:57, Rupert Gallagher  wrote:
> Not sure why you guys are still discussing RFCs, though,

Because one person keeps insisting that RFC822 is the relevant active standard 
despite being shown multiple times that it’s been obsoleted. Twice.

-- 
If you [Carrot] were dice, you'd always roll sixes. And the dice don't
roll themselves. If it wasn't against everything he wanted to be true
about the world, Vimes might just then have believed in destiny
controlling people. And gods help the other people who were around when
a big destiny was alive in the world, bending every poor bugger around
itself...



Re: smtp.centurylink.net 206.152.134.66

2018-02-11 Thread @lbutlr
On 2018-02-11 (12:37 MST), David Jones  wrote:
> 
> Anyone on this list that knows the mail admins/contacts for centurylink.net 
> and embarqmail.com?  This mail server has legit email for centurylink.net and 
> embarqmail.com plus a lot of other spam coming out of it.


As a customer of CenturyLink (we have symmetric Gigabit through them) I can say 
that their support personnel are less than worthless.

They still have a very "Bell telephone" attitude where everything they do is 
automatically correct because they are the telephone company, so any problem, 
issue, or misconfiguration is someone else's fault.

Whatever solutions you need, you'll have to manage them on your own and do your 
best to work around their incompetence.

-- 
'Today Is A Good Day For Someone Else To Die!' --Feet of Clay



Re: Email filtering theory and the definition of spam

2018-02-11 Thread @lbutlr
On 2018-02-11 (11:15 MST), Rupert Gallagher  wrote:
> 
> To you, and those like you, who claim better knowledge, read twice yourself, 
> because the actual standard is still rfc 822.  

This statement is entirely false, irresponsibly so. RFC 822 was obsoleted by 
RFC 2822 and RFC 2822 was obsoleted by RFC 5322, which is the current standard 
(along with some updates in 6854). You are wrong.

RFC 2822
Obsoleted by: 5322   Updated by: 5335, 5336
Obsoletes: 822

RFC 5322:
Updated by: 6854
Obsoletes: 2822
Updates: 4021

Category: Standards Track

-- 
Penny! *Everything* is better with BlueTooth



Re: Email filtering theory and the definition of spam

2018-02-11 Thread @lbutlr
On 2018-02-11 (00:13 MST), Rupert Gallagher  wrote:
> 
> Interesting to kreme. 

Not actually interesting to me, no.

> We are not in USA, where RFC loopholes are written to allow the NSA to send 
> anonymous email with spyware, or companies to profit from massmail marketing. 
> Spam assassins we are for real.

RFCs have nothing to do with the USA, and are written by (and contributed to 
by) anyone with expertise who cares to work on them. Your delusions about them 
are concerning as they expose deep faults in your knowledge.

Any mail admin who thinks s/he can ignore RFC because "they're Americans" is 
likely going to cause problems, not just for themselves and their unfortunate 
users, but for other servers as well.

-- 
"I don't care if Bill Gates is the world's biggest philanthropist. The
pain he has inflicted on the world in the past 20 years through lousy
products easily outweighs any good he has done Apple is as arrogant
as Microsoft but at least its stuff works as advertised" - Graem Philipson



Re: Email filtering theory and the definition of spam

2018-02-10 Thread @lbutlr
On 2018-02-10 (15:26 MST), Rupert Gallagher  wrote:
> 
> Interesting... 
> 
> 
> Final-Recipient: rfc822; krem...@kreme.com
> Original-Recipient: rfc822;krem...@kreme.com
> Action: failed
> Status: 5.7.1
> Remote-MTA: dns; mail.covisp.net
> Diagnostic-Code: smtp; 550 5.7.1 : Helo command rejected:
> Mail for this TLD is not allowed

Your point?

-- 
...but the senator, while insisting he was not intoxicated, could not
explain his nudity.



Re: Email filtering theory and the definition of spam

2018-02-10 Thread @lbutlr
On 2018-02-10 (12:07 MST), Joseph Brennan <bren...@columbia.edu> wrote:
> 
> --On February 9, 2018 at 5:46:39 PM -0700 "@lbutlr" <krem...@kreme.com> wrote:
>> RFC 822 hasn't been valid for nearly two decades.
> 
> Yes of course. My point was that even decades ago, To and Cc headers were not 
> required by RFC 822, so our contributor should not say that he is blocking 
> for violating RFC 822.

But even if they were required in RFC 822, RFC 822 has been obsoleted not just 
once, but twice.

So, someone claiming to be blocking based on RFC 822 in 2018 is showing their 
total ignorance of RFCs, since it matters not at all what RFC 822 says, and 
hasn't since 2822 was accepted (and that has been obsoleted in turn, so it is 
also not valid).

> He can say he is blocking because he wants mail to have a To header. He can 
> block because a subject line contains the letter Z if he wants to. That is a 
> different line of argument than calling an RFC violation.

Sure, but calling an RFC violation is also different from calling an RFC 
violation for an INVALID RFC.

-- 
NOBODY LIKES SUNBURN SLAPPERS Bart chalkboard Ep. 7F23



Re: Email filtering theory and the definition of spam

2018-02-10 Thread @lbutlr
On 2018-02-10 (00:01 MST), Rupert Gallagher  wrote:
> 
> The RFC should be amended. If not, we still reject on common sense. Our mail, 
> our rules.

My rule is that I do everything I can to reject mail. I look at the IPs, 
headers, Subject, and content. I look for suspicious attachments, dangerous 
attachment types, and scan for the millions of Windows viruses. I compare the 
message to other messages and if at all possible I do not accept the mail. In 
fact, my main job is trying to come up with new and innovative and effective 
ways to reject even more mail. I'm up to about 97% rejection rate now.

However, once I accept the mail, it is delivered to the recipient, no matter 
what.

Now, it might be delivered to a "Probably spam" folder, and that folder may 
expire mail after a week or so, but it is *delivered* and the recipient has the 
opportunity to reclassify that mail as being "ham".

-- 
I mistook thee for thy better Hamlet Act III scene 4



Re: Email filtering theory and the definition of spam

2018-02-09 Thread @lbutlr
On 2018-02-09 (14:26 MST), Joseph Brennan  wrote:
> 
> RFC 822,

RFC 822 hasn't been valid for nearly two decades.

The current RFC is 5322.

"The only required header fields are the origination date field and the 
originator address field(s). All other header fields are syntactically 
optional."


-- 
'Witches just aren't like that,' said Magrat. 'We live in harmony with
the great cycles of Nature, and do no harm to anyone, and it's wicked of
them to say we don't. We ought to fill their bones with hot lead.'



Re: Email filtering theory and the definition of spam

2018-02-09 Thread @lbutlr
On 2018-02-08 (08:23 MST), David Jones  wrote:
> 
> But how can you tell the difference based on content then?  You can't. Two 
> different senders could send the exact same email and one could be spam from 
> tricking the recipient to opt-in and another could be ham the recipient 
> consciously opted into.

That wasn't the question you asked. Is it spam, and how do you mark it as spam, 
are entirely different questions and different issues.

-- 
Gehm's Corollary to Clarke's law: Any technology distinguishable from
magic is insufficiently advanced.



Re: Body rules hit on Subject

2018-02-03 Thread @lbutlr
On 2 Feb 2018, at 14:27, Kris Deugau  wrote:
> The only "solution" I've ever come up with is to create a meta rule group to 
> account for the Subject hit:
> 
> body __FOO /foo/
> header __SUBJ_FOO  Subject =~ /foo/
> meta FOO  __FOO && !__SUBJ_FOO
> 
> I have to admit it's annoyed me on occasion that I can't create a single 
> simple rule that ONLY matches on the message body, but TBH it's never been 
> important enough in context for me to even commit the above horror.

It seems the number of times you want to match ONLY the body and not the 
body+subject is low enough that this workaround is reasonable.

I mean, you could have a new category bodyonly, or something, but I doubt it's 
necessary.

Certainly changing the behavior of body now would be a mistake.

-- 
You start a conversation you can't even finish it
You're talkin' a lot, but you're not sayin' anything
When I have nothing to say, my lips are sealed
Say something once, why say it again?



Re: OT - 18 months and I'm still alive

2018-02-02 Thread @lbutlr
On 2 Feb 2018, at 13:44, Marc Perkel <supp...@junkemailfilter.com> wrote:
> The keto diet is very counterintuitive. Bacon good, fruit bad. You have to 
> eat fat to lose fat. But I'm losing weight and women should find me even more 
> irresistible. It's a diet that seems to work well for anyone contemplating 
> dieting.

First, congratulations, if that is appropriate. I forgot to check Miss Manners 
on the protocol for "You aren't dead yet" but congratulations seems in order.

The zero carb diet is one that several friends (and at least two family 
members) have done. One is a 96 year old friend of the family who is still 
going strong and still working, he's been carb free since the mid 1960s. Others 
have used it sporadically as a weight loss regime.

The trouble with it, of course, is that you pretty much have to cut all carbs 
and that means no packaged foods (even sausage often contains carbs) and of 
course no breads, grains, or a lot of vegetables (corn, carrots, peas, and many 
more).

But, if you can manage to live off steak and eggs and bacon and a few vitamins, 
you will shed weight at an alarming rate (alarming to most Doctors who are 
still in the 'fat and salt are bad for you' camp).

-- 
Competent? How are we going to compete with that?



Re: kam corpus

2018-01-24 Thread @lbutlr
On 24 Jan 2018, at 04:08, Rupert Gallagher  wrote:
> Is this the "official" version of kam.cf? 
> 
> http://www.pccc.com/downloads/SpamAssassin/contrib/
> 
> The file is huge, and consists of ad-hoc rules against spammy keywords. 

Is less than 300K huge?

That does remind me, though, does SpamAssassin automatically load *.cf in 
/usr/local/etc/mail/SpamAssassin or do extra cf files like KAM need to be added 
somewhere to be loaded?

I seem to recall having to do something, but it's been a long time since I did 
anything outside of local.cf.

-- 
...but the senator, while insisting he was not intoxicated, could not
explain his nudity.



Re: Mail flagged as spam on command line getting passed through as ham

2018-01-20 Thread @lbutlr
On 18 Jan 2018, at 12:52, Andy Howell  wrote:
> Any ideas what I'm doing wrong?

The headers for your original message will show you, most likely, how 
SpamAssassin was called, which is not the same way that it is called in your 
command line test.

Probably you are using something like amavisd or a milter to invoke SA and that 
is using a different configuration location or is set to load a different 
configuration (that ignores local.cf, perhaps).

I’d start by checking your headers for Received lines that contain 127.0.0.1. 
For example, I see the following on my incoming mail:

Received: from mail.covisp.net (localhost [127.0.0.1])
    by mail.covisp.net (Postfix) with ESMTP id 3zMvkL61dHzxbCl;
    Thu, 18 Jan 2018 12:52:26 -0700 (MST)
Received: from mail.covisp.net ([127.0.0.1])
    by mail.covisp.net (mail.covisp.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id bwx-NVnJBvTg; Thu, 18 Jan 2018 12:52:25 -0700 (MST)


-- 
Bishops move diagonally. That's why they often turn up where the kings
don't expect them to be.



Re: Malformed spam email gets through.

2018-01-04 Thread @lbutlr
On 4 Jan 2018, at 11:47, Bill Cole <sausers-0150...@billmail.scconsult.com> 
wrote:
> On 3 Jan 2018, at 15:42, @lbutlr wrote:
>> There is no requirement that the right side be globally unique, just that 
>> the entire message ID is globally unique.
> 
> Right. And any software that can use localhost (or any other unqualified name 
> whose meaning is contextually variable) as the right hand side is likely to 
> be doing so on multiple machines that don't know about each other and so 
> generally cannot know that they are not generating duplicate MIDs.

Sure, but depending on how the MID is generated it can certainly be 
statistically unique. As I said earlier, it only takes 256 bits to get an ID 
within spitting distance of the number of atoms in the universe. Should be 
unique enough.

> The reason for the RHS=FQDN tradition is to establish a namespace for each 
> domain whereby global uniqueness can be guaranteed deterministically.

OH, I absolutely agree that using the domain for the RHS is a great idea, and 
there's really no reason not to. But there are other ways.

>>> An additional ~1% has a MID header with either no dots or no '@'.
>> 
>> Dots are irrelevant, but the way I read the RFC, ‘@‘ is required.
> 
> See the message I was responding too, which asked about the feasibility of 
> enforcing a "valid domain" rule. For that, dots are absolutely relevant. My 
> point, in short, is that doing so may result in 2 orders of magnitude more 
> rejection of wanted mail than most sites would deem tolerable.

Yep. Requiring MIDs to conform to out-of-spec requirements is sure to cause 
trouble.


-- 
You and me Sunday driving Not arriving



Re: Malformed spam email gets through.

2018-01-03 Thread @lbutlr
On 03 Jan 2018, at 04:57, Matus UHLAR - fantomas  wrote:
> while it's "only" recommended that the right part is a domain name, but
> there must be right part.

Yes, there must be a left and a right and an ‘@‘ in-between.

On 03 Jan 2018, at 12:36, Bill Cole  
wrote:
> About 1.5% of my personal non-spam email over the past 20 years has had 
> "localhost" as the right hand side of the MID. This implies a de facto RFC 
> violation because it poses a real risk of duplication.

There is no requirement that the right side be globally unique, just that the 
entire message ID is globally unique.

> An additional ~1% has a MID header with either no dots or no '@'.

Dots are irrelevant, but the way I read the RFC, ‘@‘ is required.

-- 
No Sigs. Blame Apple.



Re: Malformed spam email gets through.

2018-01-02 Thread @lbutlr
On 2 Jan 2018, at 04:26, Rupert Gallagher <r...@protonmail.com> wrote:
> Note taken. We still abide to the duties and recommendations, and expect 
> well-behaved servers do the same, by identifying themselves. We cross-check, 
> and if they lie, we block them. 

Rejecting because they spoof a domain in the MID is one thing. Rejecting an 
email because you misunderstood the RFC and don't see a valid domain name is an 
entirely different thing.


-- 
And, while it was regarded as pretty good evidence of criminality to be
living in a slum, for some reason owning a whole street of them merely
got you invited to the very best social occasions.



Re: Question about BAYES_999

2018-01-02 Thread @lbutlr
On 2 Jan 2018, at 07:17, David Jones <djo...@ena.com> wrote:
> I haven't redefined these rules from what I can tell by searching my local 
> rules.  I would think that if I had done this, then there would be consistent 
> non-hits of BAYES_99 with BAYES_999 all of the time.  This is only happening 
> a small percentage of the time.

Checking my mail I see an incidence rate of this of about 0.5%, which matches 
the rate you posted earlier.

-- 
Hey, how come Andrew gets to get up? If he gets up, we'll all get up!
It'll be anarchy!



Re: Malformed spam email gets through.

2018-01-02 Thread @lbutlr
On 2 Jan 2018, at 03:12, Rupert Gallagher  wrote:
> RFC 822, pg. 30, section 6.2.3

Which is "Obsoleted by: 2822" which is "Obsoleted by: 5322"

So, please find the description in RFC 5322. Helpfully, I've posted it twice in 
this thread.

-- 
You know, Calculus is sort of like measles. Once you've had it, you
probably won't get it again, and you're glad of it. -- W. Carr



Re: Malformed spam email gets through.

2018-01-02 Thread @lbutlr
On 1 Jan 2018, at 10:47, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> 
>> On 1 Jan 2018, at 11:41 (-0500), Matus UHLAR - fantomas wrote:
>>> the gross format in RFCs 822,2822 and 5322 describes message-id consisting
>>> of local and domain part, thus is must contain "@".
> 
> On 01.01.18 12:17, Bill Cole wrote:
>> No, it does not. Re-read the cited sections. From RFC5322, the ABNF 
>> definition:
>> 
>>  msg-id  =   [CFWS] "<" id-left "@" id-right ">" [CFWS]
> 
> this is the part that says message-id must consist of local and domain
> parts.

No, it doesn't say anything like that.

As I already posted:

> 5322 specifically states: "Though other algorithms will work, it is 
> RECOMMENDED that the right-hand side contain some domain identifier (either 
> of the host itself or otherwise) such that the generator of the message 
> identifier can guarantee the uniqueness of the left-hand side within the 
> scope of that domain."
> 
> There is no requirement to include a local and domain part in any part of a 
> Message-ID.

-- 
'How come you know all that stuff?' 'I ain't just a pretty face.' 'You
aren't even a pretty face, Gaspode.'



Re: Malformed spam email gets through.

2018-01-01 Thread @lbutlr
On 1 Jan 2018, at 09:41, Matus UHLAR - fantomas  wrote:
> the gross format in RFCs 822,2822 and 5322 describes message-id consisting
> of local and domain part,

You are misreading the RFC.

The Message-ID itself is a *should* and there is no MUST in any of the 
description of the construction of the Message-ID, only that it MUST be 
globally unique.

5322 specifically states: "Though other algorithms will work, it is RECOMMENDED 
that the right-hand side contain some domain identifier (either of the host 
itself or otherwise) such that the generator of the message identifier can 
guarantee the uniqueness of the left-hand side within the scope of that domain."

There is no requirement to include a local and domain part in any part of a 
Message-ID.

A 256-bit ID would be unique to some significant fraction of the atoms in the 
universe. I'd posit that meets any reasonable definition of "must be globally 
unique."

But, in practice, the simplest way to guarantee uniqueness is to generate a 
timestamp and add it to a domain/IP/local ID.

-- 
"We take off our Republican hats and put on our American hats" -- Many 
Republicans in Sep 2008
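The dispute in the posts above comes down to what the RFC 5322 msg-id ABNF actually requires. As an added example (my code, not anything from the RFC, SpamAssassin or the posters), here is a POSIX sh check that enforces only that shape: angle brackets, exactly one "@", and a non-empty side on each; a helper that returns the right-hand side so a site can decide for itself whether to treat something like "localhost" as suspicious; and a generator that builds an ID from a timestamp, 256 random bits and a domain, which is the construction the post above describes. CFWS (comments and folded whitespace) around the brackets is not handled. The function names and the sample IDs are mine, and example.com is a placeholder domain.

```shell
#!/bin/sh
# Added example: minimal RFC 5322 msg-id shape check, right-hand-side helper,
# and an ID generator whose uniqueness rests on 256 random bits plus a domain.

# Returns 0 when $1 looks like "<" id-left "@" id-right ">", 1 otherwise.
# Only the structure the ABNF requires is enforced; whether id-right is a
# real domain is a local policy decision, not an RFC requirement.
msg_id_is_well_formed() {
    case "$1" in
        "<"*"@"*">") ;;                 # brackets and an '@' somewhere inside
        *) return 1 ;;
    esac
    body=${1#"<"}; body=${body%">"}     # strip the angle brackets
    left=${body%%@*}; right=${body#*@}
    [ -n "$left" ] && [ -n "$right" ] || return 1
    case "$body" in
        *@*@*|*"<"*|*">"*|*" "*) return 1 ;;   # second '@', stray bracket, space
    esac
    return 0
}

# Prints id-right (the part after the '@'), e.g. "localhost" for a MID
# generated without a domain; fails without output when the ID is malformed.
msg_id_domain() {
    msg_id_is_well_formed "$1" || return 1
    body=${1#"<"}; body=${body%">"}
    printf '%s\n' "${body#*@}"
}

# Builds <UTC-timestamp.64-hex-chars@domain>: the timestamp the post suggests,
# 32 bytes (256 bits) from /dev/urandom for statistical uniqueness, and the
# domain as the RECOMMENDED namespace.
make_msg_id() {
    domain=$1
    [ -n "$domain" ] || return 1
    rand=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    printf '<%s.%s@%s>\n' "$(date -u +%Y%m%d%H%M%S)" "$rand" "$domain"
}

[ $# -eq 0 ] || make_msg_id "$1"       # run directly: make_msg_id.sh example.com
```

`msg_id_is_well_formed` is the part a filter could justify as an RFC check; anything stricter (requiring dots, a resolvable domain, rejecting "localhost") is a site policy and should be scored as such, which is the distinction the posters are arguing over.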



Re: Spam with tons of lines with garbage characters, preceded by

2017-12-30 Thread @lbutlr
On 20 Jul 2017, at 01:31, Henrik K  wrote:
> Or simply apply my Node.pm patch..
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6582

Stupid question, I am sure, but that patch is limiting the rendered body to 
30,000 bytes, yes?

Has there been any movement on incorporating this into SA main in the last half 
decade? I see mention on the big page for 3.4.2.

I would guess this would be incorporated with a passed value for the maximum 
size to pass?

(Not that I think 30,000 is extreme, but I wouldn't be surprised if the results 
were nearly as good at say… 20,000 or maybe 10,000?)

-- 
No Sigs. Blame Apple.



Re: Sa-update failed

2017-12-16 Thread @lbutlr
On 15 Dec 2017, at 07:21, Herbert J. Skuhra <herb...@gojira.at> wrote:
> On Fri, Dec 15, 2017 at 04:26:45AM -0700, @lbutlr wrote:
>> FreeBSD system on 11.2-RELEASE with all packages updates as of this morning
>> (including a complete recompile of SA from ports).
> 
> FreeBSD 11.1-RELEASE! You probably upgraded from 10.x

No, from 11.0.

> and executed 'make delete-old-libs'

No, I've never seen that command before.

> !? Did you install packages for 10.x?
> Wrong pkg url? You have to rebuild gpg.

I did reinstall both SA and gnuPG via postmaster. If that's not a 'rebuild' 
what is? 

> Temporarily install misc/compat10x and rebuild all ports.
> 
> This is not a SA issue and should be discussed on a FreeBSD mailing
> list.

Will do.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Sa-update failed

2017-12-15 Thread @lbutlr
FreeBSD system on 11.2-RELEASE with all packages updates as of this morning 
(including a complete recompile of SA from ports).

# sa-update --refreshmirrors -v -D
[…]
Shared object "libreadline.so.8" not found, required by "gpg"
gpg: process '/usr/local/bin/gpg' finished: exit 1
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.

I can manually link libreadline.so to libreadline.so.8, and run sa-update 
successfully, but I’m concerned that is going to come back and bite me.

$ ldd /usr/local/bin/gpg
/usr/local/bin/gpg:
libiconv.so.2 => /usr/local/lib/libiconv.so.2 (0x2814d000)
libintl.so.8 => /usr/local/lib/libintl.so.8 (0x28242000)
libz.so.6 => /lib/libz.so.6 (0x2824b000)
libbz2.so.4 => /usr/lib/libbz2.so.4 (0x28261000)
libreadline.so.8 => not found (0)
libc.so.7 => /lib/libc.so.7 (0x2827)
# ln -s libreadline.so libreadline.so.8
# ldd /usr/local/bin/gpg
/usr/local/bin/gpg:
libiconv.so.2 => /usr/local/lib/libiconv.so.2 (0x2814d000)
libintl.so.8 => /usr/local/lib/libintl.so.8 (0x28242000)
libz.so.6 => /lib/libz.so.6 (0x2824b000)
libbz2.so.4 => /usr/lib/libbz2.so.4 (0x28261000)
libreadline.so.8 => /usr/local/lib/libreadline.so.8 (0x2827)
libc.so.7 => /lib/libc.so.7 (0x282ae000)
libncursesw.so.8 => /lib/libncursesw.so.8 (0x2840d000)

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: SA-Update not updating DB

2017-11-19 Thread @lbutlr
On 17 Nov 2017, at 05:32, David Jones  wrote:
> If I don't hear any objections or negative feedback in the next 36 hours, I 
> will enable DNS updates tomorrow so sa-update will start automatically 
> updating rulesets on Sunday morning.



Excellent!



-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Your header "To: undisclosed-recipients:;" is RFC 822 compliant

2017-10-26 Thread @lbutlr
On 25 Oct 2017, at 08:29, Rupert Gallagher  wrote:
> Reading RFC 822 again, I spotted the endorsement for the case at hand. 
> The named header is compliant to the standard, as quoted below. 

RFC 822 is obsolete, replaced by RFC 2822.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: 7.ly?

2017-10-22 Thread @lbutlr
On 20 Oct 2017, at 15:32, Shane Williams  wrote:
> Has anyone seen the 7.ly URL shortening service or had any interaction
> with them?  I don't see any clear way to report abuse, but before a
> create a URI blacklist, I thought I'd see if maybe they're legitimate.

If they don’t have a way to report abuse it hardly matters if they are 
legitimate in themselves, they will be used for spamming and porn.


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



blacklist_from with whitelist

2017-07-29 Thread @lbutlr
Would this work to blacklist mail with a "From: " claiming to be PayPal, but 
sent from fakedomain.tld?

blacklist_from *@paypal.com
whitelist_from_rcvd *@paypal.com paypal.com


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: "bout u" campaign

2017-07-13 Thread @lbutlr
On Jul 12, 2017, at 8:18 PM, David Jones  wrote:
> -2.2 RCVD_IN_SENDERSCORE_90_100 Senderscore.org score of 90 to 100

I haven’t seen that before (or not that I’ve noticed). Is it part of the base 
SA package or something that was added?


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Update Release & ApacheCon: May 16 to 18 in Miami

2017-04-22 Thread @lbutlr
On 21 Apr 2017, at 14:58, Kevin A. McGrail  wrote:
> My hopes is to have them ready to announce at ApacheCon

Excellent!

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: List of legit mass mailers

2017-03-08 Thread @lbutlr
On 2017-03-08 (07:23 MST), Ruga  wrote:
> 
> This is spamassassin... 
> We are against mass mailers. 

That’s absurd. No one with any sense at all is against mass mailers.


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Yahoo - Can't figure out a server is down?

2017-03-07 Thread @lbutlr
On 2017-03-06 (04:38 MST), Reindl Harald <h.rei...@thelounge.net> wrote:
> 
> Am 06.03.2017 um 12:35 schrieb @lbutlr:
>> On 2017-03-04 (23:32 MST), Rob Gunther <red...@gmail.com> wrote:
>>> 
>>> In the last few weeks we are finding that SOME (but not all) of Yahoo's 
>>> outbound servers are not dealing with this correctly.
>> 
>> This may not work for you, but I solved all my yahoo problems by simply 
>> blocking their servers with a nice message about over a billion accounts 
>> being leaked.
>> 
>> But yahoo was less than 1% of my traffic (and most of that was spam or at 
>> least unwanted email). The only things I get “from” Yahoo anymore are list 
>> messages.
> 
> fine for a server hosting email for you, your wife and your dog but not for 
> anybody else on the server for your wife and dog you could even reject 
> anything which is not whitelisted to start with...

I have a few more accounts than that, but yes, as I said, “this might not work 
for you.”

I blacklisted Roadrunner about 20 years ago and they are still blocked. I’m not 
sure roadrunner still exists, but I haven’t seen them hit the block in years (I 
do see them hit the RBLs, so either they exist and are still spam-friendly or 
they are used as fake helo’s by spammers, I haven’t looked into it).

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: New whitelisting trick using from and spf

2017-03-06 Thread @lbutlr
On 2017-03-06 (04:45 MST), David Jones <djo...@ena.com> wrote:
> 
>> From: @lbutlr <krem...@kreme.com>
>> Sent: Monday, March 6, 2017 5:24 AM
>> To: users@spamassassin.apache.org
>> Subject: Re: New whitelisting trick using from and spf
> 
>> On 2017-03-05 (18:59 MST), David Jones <djo...@ena.com> wrote:
>>> 
>>> whitelist_auth does this against SPF_PASS and DKIM_VALID_AU
> 
>> I tried to do something along these lines at some point in the past by
>> adding some lines to my local.cf like these:
> 
>> blacklist_from *@amazon.com
>> whitelist_auth *@amazon.com
>> blacklist_from *@paypal.com
>> whitelist_auth *@paypal.com
> 
>> It didn’t have the desired effect and simply blacklisted all PayPal mail.
>> While *I* was ok with blacklisting PayPal, others not so much...
> 
> Spam/phishing emails pretending to be from Paypal won't have an
> envelope-from of *@paypal.com which is why you didn't get the
> desired effect.  You rarely use the blacklist_from only when there
> is very dumb senders that you want to block.
> 
> A multi-level approach will give you the results you expect:
> Level 1: RBLs, other DNS checks, postscreen, greylisting, etc.
> Level 2: SA bayes, ClamAV w extra sigs, meta rules, RBL scores, etc.

Do all of that and fake PayPal/amazon/apple/{random bank} emails are received 
every day.

It seems it should be easy to setup “If mail claims to be From: PayPal.com and 
is not from PayPal, score +100” but it is not.


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
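
An added example, not configuration from either post: a local.cf fragment that does what the two threads above are after (the blacklist_from/whitelist_from_rcvd question and the "claims to be From: PayPal but is not from PayPal" wish) without pairing blacklist_from with whitelist_auth. A single meta rule fires only when the author address is at paypal.com and neither an author-domain-aligned DKIM signature nor an SPF pass for a paypal.com envelope sender backs it up. The LB_ rule names and the score are my choices; DKIM_VALID_AU and SPF_PASS are the stock rule names from the DKIM and SPF plugins, which must be loaded (v312.pre and init.pre) for the meta to evaluate.

```conf
# Added example for local.cf, not from the posts above.
# Rule names prefixed LB_ are invented for this example.

# Author (From:) address at paypal.com or any subdomain of it.
header   __LB_FROM_PAYPAL   From:addr =~ /\@(?:[\w-]+\.)*paypal\.com$/i

# Envelope sender at paypal.com. SPF_PASS vouches for the envelope domain,
# not for From:, so it only counts as alignment when the two agree.
header   __LB_ENV_PAYPAL    EnvelopeFrom:addr =~ /\@(?:[\w-]+\.)*paypal\.com$/i

# DKIM_VALID_AU: valid signature by the author's domain (DKIM plugin).
# SPF_PASS: SPF pass for the envelope sender (SPF plugin).
meta     LB_FAKE_PAYPAL     __LB_FROM_PAYPAL && !DKIM_VALID_AU && !(SPF_PASS && __LB_ENV_PAYPAL)
describe LB_FAKE_PAYPAL     From: claims paypal.com but no aligned DKIM or SPF
score    LB_FAKE_PAYPAL     10.0
```

Check the syntax with `spamassassin --lint` and try it on a saved phish and a saved genuine PayPal message with `spamassassin -t < msg`. The score is 10 rather than 100 on purpose: mail that passed through a forwarder or list that rewrites the body loses its DKIM validity and would otherwise be hard-rejected on this rule alone. The same three lines, with the domain swapped, cover amazon.com, apple.com or a bank.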



Re: Yahoo - Can't figure out a server is down?

2017-03-06 Thread @lbutlr
On 2017-03-04 (23:32 MST), Rob Gunther  wrote:
> 
> In the last few weeks we are finding that SOME (but not all) of Yahoo's 
> outbound servers are not dealing with this correctly.

This may not work for you, but I solved all my yahoo problems by simply 
blocking their servers with a nice message about over a billion accounts being 
leaked.

But yahoo was less than 1% of my traffic (and most of that was spam or at least 
unwanted email). The only things I get “from” Yahoo anymore are list messages.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: New whitelisting trick using from and spf

2017-03-06 Thread @lbutlr
On 2017-03-05 (18:59 MST), David Jones  wrote:
> 
> whitelist_auth does this against SPF_PASS and DKIM_VALID_AU

I tried to do something along these lines at some point in the past by adding 
some lines to my local.cf like these:

blacklist_from *@amazon.com
whitelist_auth *@amazon.com
blacklist_from *@paypal.com
whitelist_auth *@paypal.com

It didn’t have the desired effect and simply blacklisted all PayPal mail. While 
*I* was ok with blacklisting PayPal, others not so much...

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Filtering outbound mail

2017-02-17 Thread @lbutlr
On 2017-02-17 (14:51 MST), David Jones <djo...@ena.com> wrote:
> 
>> From: @lbutlr <krem...@kreme.com>
>> Sent: Friday, February 17, 2017 3:41 PM
>> To: users@spamassassin.apache.org
>> Subject: Re: Filtering outbound mail
> 
>> On 2017-02-16 (07:21 MST), David Jones <djo...@ena.com> wrote:
>>> 
>>>> From: Christian Grunfeld <christian.grunf...@gmail.com>
>>>> Sent: Thursday, February 16, 2017 7:50 AM
>>>> To: Spamassassin List
>>>> Subject: Re: Filtering outbound mail
>>>> 
>>>> Are you using postfix as MTA? I use cluebringer suite which
>>>> has a lot of functionality (spf checks, helo checks, greylist
>>>> and quotas)
>>> 
>>> I am using Postfix and cluebringer does looks pretty slick
>>> so I will check into that.
>>> 
>>>> Quotas are fully configurable by tracking inbound and
>>>> outbound trafic by ip, sasl user, etc
>>> 
>>> These outbound senders are my own internal customers
>>> smarthosting through my mail relays so I can't do things
>>> like rate limiting, greylisting, SPF checks, HELO checks,
>>> etc. on them like I do for Internet inbound mail.
> 
>> Oh yes you can, and yes you should. At the very least a
>> sane rate-limit will catch instances where customers get
>> compromised.
> 
> Not all compromised accounts these days blast out at a
> high rate like we used to see years ago.  I have had a few
> sneaky ones recently trickle spam through to stay below
> the radar so rate-limiting is not the answer with outbound
> mail

I never said it was THE answer, but it most certainly is AN answer.


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Filtering outbound mail

2017-02-17 Thread @lbutlr
On 2017-02-16 (07:21 MST), David Jones  wrote:
> 
>> From: Christian Grunfeld 
>> Sent: Thursday, February 16, 2017 7:50 AM
>> To: Spamassassin List
>> Subject: Re: Filtering outbound mail
> 
>> Are you using postfix as MTA? I use cluebringer suite which
>> has a lot of functionality (spf checks, helo checks, greylist
>> and quotas)
> 
> I am using Postfix and cluebringer does looks pretty slick
> so I will check into that.
> 
>> Quotas are fully configurable by tracking inbound and
>> outbound trafic by ip, sasl user, etc
> 
> These outbound senders are my own internal customers
> smarthosting through my mail relays so I can't do things
> like rate limiting, greylisting, SPF checks, HELO checks,
> etc. on them like I do for Internet inbound mail.

Oh yes you can, and yes you should. At the very least a sane rate-limit will 
catch instances where customers get compromised.


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: New type of monstrosity

2017-02-07 Thread @lbutlr
On Feb 7, 2017, at 12:57 AM, Ruga  wrote:
> The spample would never make it to our SA. It would be rejected upstream for 
> at least two reasons:
> 
> > To: undisclosed recipients: ; 
> The To header is not RFC compliant.

Where do you get that idea? “Undisclosed recipient: ;” is a group address.

RFC 2822 A.1.3:
From: Pete 
To: A Group:Chris Jones ,j...@where.test,John ;
Cc: Undisclosed recipients:;
Date: Thu, 13 Feb 1969 23:32:54 -0330
Message-ID: 

Testing.


   In this message, the "To:" field has a single group recipient named A
   Group which contains 3 addresses, and a "Cc:" field with an empty
   group recipient named Undisclosed recipients.

Please note that in the example given the To field contains a SINGLE group 
recipient.

Also, in 3.4: " An address may either be an individual mailbox, or a group of 
mailboxes.”

and in 3.6.3: "The destination fields of a message consist of three possible 
fields, each of the same form: The field name, which is either "To", "Cc", or 
"Bcc", followed by a comma-separated list of one or more addresses (either 
mailbox or group syntax).”

So, yes, Undisclosed recipients: ; is absolutely valid.

> The Subject header exceeds the maximum line length, being another RFC 
> constraints. 

2.1.1: "There are two limits that this standard places on the number of 
characters in a line. Each line of characters MUST be no more than 998 
characters, and SHOULD be no more than 78 characters, excluding the CRLF.”

While I am here, ‘+’ is a perfectly valid character in the user portion of an 
email, a fact that seems to elude many email “admins”.


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Does spamc unwrap spam reports?

2017-01-05 Thread @lbutlr
On Dec 28, 2016, at 3:01 AM, Lukas Erlacher  wrote:
> I'm calling "spamc --learntype=spam/ham" from a script, passing in emails 
> fetched from imap (I'm using ISBG with --learnspambox / --learnhambox and 
> --spamc actually).

Why are you calling spamc instead of sa-learn?

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.




Re: Why is RP_MATCHES_RCVD so "heavy"?

2016-11-23 Thread @lbutlr
On Nov 22, 2016, at 3:54 PM, Eric Abrahamsen  wrote:
> I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't
> make it into my inbox otherwise. I see the scoring recently got bumped
> to -3.0, which makes false negatives even more likely.

I do see this in spam, but I see it so much more in ham that I’ve not changed 
the score. The spam that does hit it seems to score very highly in other areas 
(bayes_99 and bayes_999 especially). I see it in a lot of mail that is often 
tagged by the user as spam, but is not actually spam. For example, emails from 
macy’s or target which the user did sign up for, but is too lazy to unsubscribe.

But run it against your corpus and adjust the score as needed.




Re: sa-update failing

2016-11-22 Thread @lbutlr
On Nov 22, 2016, at 10:22 AM, Larry Starr  wrote:
> For the past few days my daily "sa-update" job has been failing:

Please do not post tiny styled HTML messages. While 9pt text may look great on 
your system, forcing that horrendous choice on others should be avoided.

On *my* screen with my eyes your message is entirely unreadable.





Re: Best place to filter spam (x-original-to, no_address_mappings)

2016-11-21 Thread @lbutlr
On Nov 18, 2016, at 10:18 PM, MRob  wrote:
> I am looking at a system where SpamAssassin is called out from the delivery 
> agent. I know there will be a difference here in terms of the envelope 
> information but I'm not familiar enough to know the pitfalls of this versus 
> calling SA from the postfix content_filter.

It’s unclear why you are doing this, but if you want to run SA after delivery 
then the time to do that is in your LDA. *HOW* to do that, depends on your LDA. 
If you are using dovecot, then you can call SA from sieve. If not, you can 
setup procmail as an LDA (or others), and call SA from there.

A quick google on setting up SA with procmail or sieve or maildrop should lead 
to profit.

(I use procmail, but do not recommend it as it has ceased active development. 
Still works fine, but maildrop is probably a better choice).




Re: Anyone else just blocking the ".top" TLD?

2016-11-05 Thread @lbutlr
On 05 Nov 2016, at 11:54, @lbutlr <krem...@kreme.com> wrote:
> 
> tad’s will be quite efferent

tld’s will be quite different

dunno what happened there.

Re: Anyone else just blocking the ".top" TLD?

2016-11-05 Thread @lbutlr
On 03 Nov 2016, at 10:27, Vincent Fox  wrote:
> XYZ insights anyone?  They have been on my reject list
> for a long time, but claim to be cleaning it up.  Thinking to
> drop my shields on this one.

I am still blocking most any TLDs via postfix:

/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp)$/ DUNNO
/.*\.*/ 550 Mail for this TLD is not allowed

We get some (very little) real mail from info, biz, and name domains. All the 
other new domains are on a “prove you’re not terrible” status. So far the only 
one to graduate is .name.

(Of course your list of acceptable tad’s will be quite efferent, I’m sure. I 
don’t have users who get mail from France, for example).




Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread @lbutlr
On 09 Jul 2016, at 08:32, jaso...@mail-central.com wrote:
> 
> Fwiw, atm I block all of the following TLDs

> [big list]

> That list is auto-generated.  Any & all TLDs that have sent > 100 messages 
> within the last year *AND* have a spam/reject rate >= 99% get blocked by TLD, 
> never get past by mail server's 'edge', and don't impose any further load on 
> my server.

That’s a good list, but I take a different approach, I block ALL tlds except 
for a few that I actually get mail from.

(com|net|org|edu|gov|mx|de|dk|uk|us|info|biz|eu|es|il|it|nl|name|jp)

(and I’m not sure about name anymore, I don’t think I get legit mail from that 
anymore.)

Of course, other people will have other lists, but this one works well for me.

.top is the biggest offender though, we get thousands of those.

I should write up an awk script that searches my maillog for all the tlds that 
try to connect. Well, I can throw something together in a 

Here are all the tlds that I’ve seen in the last week (only searching in 
from=<…> not helo):

.ae, .ar, .at, .au, .bd, .be, .bg, .bid, .biz, .bo, .br, .ca, .cc, .ch, .cl, 
.club, .cn, .co, .com, .coop, .cz, .date, .de, .dk, .ec, .edu, .es, .eu, .fi, 
.firewall, .fr, .gdn, .gov, .gr, .hk, .hr, .hu, .id, .ie, .il, .in, .info, .ir, 
.is, .it, .jp, .kh, .kornet, .kr, .lan, .localdomain, .lt, .lv, .ma, .mail, 
.md, .me, .men, .mk, .mobi, .mv, .mx, .my, .name, .net, .ng, .nl, .no, .nz, 
.online, .org, .orgt, .pa, .pe, .pl, .pt, .pw, .ro, .rs, .ru, .se, .sk, 
.stream, .tk, .tn, .top, .tr, .tw, .uk, .us, .vn, .website, .win, .xyz, .za

And this is the list from helo (ignoring all the IPs):

adsl, ae, ao, ar, arpa, au, bd, be, bg, bid, biz, bo, br, c, ca, cc, cl, club, 
cm, cn, co, com, cy, date, de, do, ec, edu, eg, es, eu, fi, firewall, gdn, gh, 
gov, gr, hu, id, il, in, info, internal, io, ir, it, jp, ke, kh, kornet, kr, 
la, lan, local, localdomain, lt, lv, ly, ma, mail, md, me, men, mobi, mv, mx, 
my, name, net, ni, nl, no, np, online, org, orgt, pe, pk, pl, pt, pw, rs, ru, 
sg, sk, so, space, stream, th, tk, top, tr, tv, tw, uk, us, uy, vn, website, 
win, ws, xyz, za, zw

How are people doing spam counts on a tld basis?
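
An added example, not from the post above: the awk pass over the maillog that the post says it means to write. It counts sender TLDs from the from=<...> fields of Postfix log lines and, as a way of answering the "spam counts on a tld basis" question, also counts how many of those were rejected at the SMTP edge (the "reject:" lines a TLD block like the one in the earlier post produces). The log lines embedded here are constructed for the self-check in Postfix's format; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the post): per-TLD sender counts from a Postfix log.

# Read Postfix log lines on stdin and print "total rejected .tld" per TLD,
# most frequent first. Only from=<...> is considered (not helo=); the null
# sender (from=<>) and IP-literal domains (from=<x@[192.0.2.1]>) are skipped.
tld_counts() {
    awk '
    match($0, /from=<[^>]*@[^>]+>/) {
        addr = substr($0, RSTART + 6, RLENGTH - 7)   # drop "from=<" and ">"
        n = split(addr, parts, "@")
        domain = tolower(parts[n])                   # prize.TOP and prize.top are one TLD
        if (domain ~ /^\[/) next                     # [192.0.2.1] is not a TLD
        m = split(domain, labels, ".")
        if (m < 2 || labels[m] == "") next
        tld = labels[m]
        total[tld]++
        if ($0 ~ / reject: /) rejected[tld]++        # Postfix smtpd "NOQUEUE: reject:" lines
    }
    END {
        for (t in total) printf "%d %d .%s\n", total[t], rejected[t] + 0, t
    }' | sort -rn
}

# Constructed sample log in Postfix format (not a capture from a real host).
SAMPLE_MAILLOG='Sep  8 10:01:02 mail postfix/qmgr[1201]: 3B5A1C0F3: from=<bob@example.com>, size=2048, nrcpt=1 (queue active)
Sep  8 10:01:05 mail postfix/smtpd[1340]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 <promo@deal.top>: Sender address rejected: Mail for this TLD is not allowed; from=<promo@deal.top> to=<user@example.com> proto=ESMTP helo=<mx.deal.top>
Sep  8 10:01:09 mail postfix/smtpd[1340]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.7.1 <win@prize.TOP>: Sender address rejected: Mail for this TLD is not allowed; from=<win@prize.TOP> to=<user@example.com> proto=ESMTP helo=<prize.TOP>
Sep  8 10:01:12 mail postfix/smtpd[1341]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 550 5.7.1 <news@bulk.top>: Sender address rejected: Mail for this TLD is not allowed; from=<news@bulk.top> to=<user@example.com> proto=ESMTP helo=<bulk.top>
Sep  8 10:01:20 mail postfix/qmgr[1201]: 7C2D4E1A9: from=<alice@mail.example.com>, size=512, nrcpt=1 (queue active)
Sep  8 10:01:25 mail postfix/smtpd[1342]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 550 5.7.1 <a@b.xyz>: Sender address rejected: Mail for this TLD is not allowed; from=<a@b.xyz> to=<user@example.com> proto=ESMTP helo=<b.xyz>
Sep  8 10:01:30 mail postfix/qmgr[1201]: 9D3E5F2B0: from=<>, size=1024, nrcpt=1 (queue active)
Sep  8 10:01:33 mail postfix/smtpd[1343]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 504 5.5.2 <root@[192.0.2.14]>: Sender address rejected: need fully-qualified address; from=<root@[192.0.2.14]> to=<user@example.com> proto=SMTP helo=<host>'

# Usage: sh tld_counts.sh /var/log/maillog   (or: zcat maillog.*.gz | sh tld_counts.sh)
if [ $# -gt 0 ]; then
    tld_counts < "$1"
else
    [ -t 0 ] && tld_counts <<EOF
$SAMPLE_MAILLOG
EOF
fi
```

On the sample the output is three lines, `3 3 .top`, `2 0 .com` and `1 1 .xyz`: every .top sender was rejected, no .com sender was. A TLD whose rejected column tracks its total over a week is a candidate for the block list in the earlier post; one whose rejected column stays near zero is where the legitimate mail from that TLD lives. To count HELO names instead, change the regex to `helo=<[^>]+>` and drop the split on "@".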




Re: I have some bad news

2016-09-05 Thread @lbutlr
On Sep 1, 2016, at 7:41 PM, David Niklas  wrote:
> Would you like to go out to lunch?

Other than your message, that phrase does not appear in 7 years of my mail.

Re: What are the T_ rules ?

2016-09-05 Thread @lbutlr
On 05 Sep 2016, at 13:36, li...@rhsoft.net wrote:
> but -1.653 is just a bad joke because it means every homeuser which manages 
> to get some DNS records fine (as well as every spammer which registers a ton 
> of domains and cheap hosts) get a large benefit compared to any professional 
> maintained server hosting hundreds of domains with responsibility


RP_MATCHES_RCVD scores a -0.1 and T_RP_MATCHES_RCVD scores a -0.0 on my system. 
I see those scores in emails from 2011.

Don’t know where you are finding -1.653, but that is not the score that is 
getting applied here.



Re: I have some bad news

2016-08-25 Thread @lbutlr
On 15 Aug 2016, at 23:22, Marc Perkel  wrote:
> Well, this is kind of hard to say so just going to say it. I have stage 4 
> lung cancer and the probably spectrum is not good. I've been fighting spam 
> for the last 15 years and I'd like to keep fighting spam from the grave. So 
> I'm willing to share my technology with anyone interested.

I encourage you to concentrate on fighting cancer right now, and while the 
prognosis for stage-4 anything is not good, it is neither certain. It appears 
that attitude does help, so pump yourself up to beat it.



Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold)

2016-08-01 Thread @lbutlr
On 01 Aug 2016, at 11:02, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> On 31 Jul 2016, at 22:12, Benny Pedersen <m...@junc.eu> wrote:
>>> i bet greylist is cough invalid mailservers at the doorstep, it could be 
>>> that postscreen is bad aswell ?
> 
> On 01.08.16 07:46, @lbutlr wrote:
>> Sure, if by “invalid” you mean Amazon, most banks, several airlines, large
>> mail services, and many many others.
>> 
>> Nearly any company with multiple mail servers will send mail from any of
>> their servers, and may retry from a different server than the initial
>> attempt, thus resetting the greylist.
> 
> while we're at it, I really don't understand why they do it like this.
> what's the point behind changing IP address after each delivery attempt?

It’s not necessarily intentional.

I have 100 mail servers. I send a mail to someone. It goes to one of the 100 
mail servers to get sent out. It has a temp fail. I queue the mail up send 
again in 15 minutes. It goes to one of the 100 mail server to get sent out.

Lather, rinse, repeat.



Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold)

2016-08-01 Thread @lbutlr
On 31 Jul 2016, at 22:12, Benny Pedersen <m...@junc.eu> wrote:
> On 2016-08-01 05:55, @lbutlr wrote:
>> On 31 Jul 2016, at 01:06, Robert Schetterer <r...@sys4.de> wrote:
>>> But thats historic, bots are recoded, better antibot tecs were invented.
>>> The only problem now is people still believe in historic stuff.
>> Yeah, that about sums it up. Greylisting never worked well, always
>> caused problems with lost email, and in 2016 is simply a bad idea. Not
>> just a not good idea, but a bad idea.
> 
> back to basic then, why would a mta like postfix not deliver later when it 
> get a tempfail ?

Where did you get the idea that postfix will not deliver later?

> i bet greylist is cough invalid mailservers at the doorstep, it could be that 
> postscreen is bad aswell ?

Sure, if by “invalid” you mean Amazon, most banks, several airlines, large mail 
services, and many many others.

Nearly any company with multiple mail servers will send mail from any of their 
servers, and may retry from a different server than the initial attempt, thus 
resetting the greylist.

There is a reason that greylist software comes with default exclusions, because 
greylisting is known to cause missed email if used as designed.





Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold)

2016-07-31 Thread @lbutlr
On 31 Jul 2016, at 01:06, Robert Schetterer  wrote:
> But thats historic, bots are recoded, better antibot tecs were invented.
> The only problem now is people still believe in historic stuff.

Yeah, that about sums it up. Greylisting never worked well, always caused 
problems with lost email, and in 2016 is simply a bad idea. Not just a not good 
idea, but a bad idea.




Re: Using Postfix and Postgrey - not scanning after hold

2016-07-29 Thread @lbutlr
On 29 Jul 2016, at 09:20, sha...@shanew.net wrote:
> I would generalize that even more to say that greylisting should come
> before any other content-based filtering (virus scanners, defanging,
> etc.).

Greylisting is a great idea, in theory. In practice there are so many large 
emailers who can’t do email properly that it causes more trouble than it 
prevents.







Re: Spamassassin not capturing obvious Spam

2016-05-30 Thread @lbutlr
On May 30, 2016, at 11:06 PM, Shivram Krishnan  wrote:
> 2) I have set a threshold of -10 to see how spamassassin assigns a score for 
> every mail. 

No. Do not do this.

-- 
When the routine bites hard / and ambitions are low And the resentment
rides high / but emotions won't grow And we're changing our ways, /
taking different roads Then love, love will tear us apart again



Re: SA cannot block messages with attached zip

2016-05-21 Thread @lbutlr
On May 21, 2016, at 1:18 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> Am 21.05.2016 um 21:16 schrieb @lbutlr:
>> On May 20, 2016, at 6:11 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>>> no it is not, look at the sanesecurity foxhole signatures
>>> http://sanesecurity.com/usage/signatures/
>> 
>> I have looked at those, but there are so many it’s kind of overwhelming on 
>> where to start
> 
> 4 is many and overwhelming?
> 
> foxhole_generic.cdb   See Foxhole page for more details   Low
> foxhole_filename.cdb  See Foxhole page for more details   Low
> foxhole_js.cdbSee Foxhole page for more details   
> Med
> foxhole_all.cdb   See Foxhole page for more details   High
> 
> http://sanesecurity.com/foxhole-databases/

Sure, there are 4 foxhole ones, but there are dozens on the main page there.


-- 

Re: SA cannot block messages with attached zip

2016-05-21 Thread @lbutlr
On May 20, 2016, at 6:11 AM, Reindl Harald  wrote:
> no it is not, look at the sanesecurity foxhole signatures
> http://sanesecurity.com/usage/signatures/

I have looked at those, but there are so many it’s kind of overwhelming on 
where to start.

-- 
NO. I CANNOT BE BIDDEN. I CANNOT BE FORCED. I WILL DO ONLY THAT WHICH I
KNOW TO BE RIGHT. --Mort



Re: SA cannot block messages with attached zip

2016-05-20 Thread @lbutlr
On May 20, 2016, at 2:46 AM, Reindl Harald  wrote:
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce

[long list]

What do you set postscreen_dnsbl_threshold to?


-- 
"Give a man a fire and he's warm for a day, but set fire to him an he's
warm for the rest of his life."



Re: Way to set user-prefs without a database?

2016-05-19 Thread @lbutlr
On May 18, 2016, at 9:06 PM, Dan Mahoney, System Admin  
wrote:
> We have a couple of user accounts (really, role aliases) that need a 
> different required_score from our global defaults.  Since they're role 
> accounts, they don't have a homedir.  We're using a milter that passes the 
> whole username (including domain name) along, anyway.
> 
> Is there a dead-simple way to make this work using only the config files, or 
> do I have to go to the trouble of setting up all of mysql just to make this 
> happen?

Set your default required_score at the level your role accounts need and then 
change that default for accounts that have home directories?

-- 
"One of the great tragedies of life is the murder of a beautiful theory
by a gang of brutal facts." - Benjamin Franklin



Re: DCC doesn't seem to be doing anything

2016-04-29 Thread @lbutlr
On Apr 29, 2016, at 1:12 PM, RW  wrote:
> I got the same, it only records the number scanned. I'm not sure what
> the reason for the zeros is, possibly it's  because dccifd isn't
> working as a proxy.

Thanks. I’ll just ignore the log line.

-- 
"Alas, earwax."


