Re: Question about sa-updates
On Sat, 22 Jun 2024, Paul Schmehl wrote:
> On Jun 22, 2024, at 12:28 AM, Kenneth Porter wrote:
>> On 6/21/2024 8:56 PM, Paul Schmehl wrote:
>>> I scratched my head, then looked up the man page for sa-update on the web. Sure enough, that’s where the rules go. Is that where my local.cf file should be located? Right now it’s in /etc/mail/spamassassin. There’s a default local.cf file in /var/lib/…..
>> /var/lib/spamassassin is where channels put their rules. /etc/mail/spamassassin is where the host admin puts her customizations. I like to use separate files for different policies, named after each effect I'm trying to get. SA will load anything there with a .cf extension.
> It’s not clear to me from your answer. Does SA read rules in both places? Or only in /etc/mail/spamassassin/?

Reading the "man" page documentation for spamassassin, it lists several different directories that SA looks for its config files in and the order that it reads them from. The possible directories are distro and version specific, so you need to read the docs for your specific instance.

-- 
Dave Funk
University of Iowa College of Engineering
319/335-5751   FAX: 319/384-0549
1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better.  B{
Re: Order of handling whitelist/blacklist
On Thu, 28 Mar 2024, Philip Prindeville via users wrote:
> On Mar 28, 2024, at 2:39 AM, Matus UHLAR - fantomas wrote:
>> On 27.03.24 20:56, Philip Prindeville via users wrote:
>>> I have something that looks like:
>>> whitelist_from_rcvd v...@yandex.ru vger.kernel.org
>>> blacklist_from *@yandex.ru
>>> And I only ever seem to see the 2nd rule being hit, but not the first.
> [snip..]
> My config also has:
> trusted_networks 192.168.6.0/24
> trusted_networks 192.168.8.0/24
> trusted_networks 127.0.0.1/32
> So I don't think that's the problem.
> What are some steps to troubleshoot how the white/black-listing is happening?

whitelist_from_rcvd requires SA to 'see' the envelope from address. Depending on how you have SA glued into your MTA that may not be happening and may require particular configurations. Try creating an entry for a known good address and see if it fires.

If that source properly DKIM or SPF signs its messages it may be easier to use 'whitelist_auth' instead of whitelist_from_rcvd. It's also less of a maintenance headache, as whitelist_from_rcvd must have the proper DNS names of their exit-point SMTP servers and in Cloud land that can change without notice.

-- 
Dave Funk
Re: Scoring Explanation Please
Denny,

If you read the fine manual for the spamassassin configuration file, in the section for 'score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]' you'll see:

  If only one valid score is listed, then that score is always used for a test.
  If four valid scores are listed, then the score that is used depends on how SpamAssassin is being used. The first score is used when both Bayes and network tests are disabled (score set 0). The second score is used when Bayes is disabled, but network tests are enabled (score set 1). The third score is used when Bayes is enabled and network tests are disabled (score set 2). The fourth score is used when Bayes is enabled and network tests are enabled (score set 3).

So when there are four score values it will use the one relevant to your SA's operating condition. EG: if the rule is sensitive to the presence of network type tests, such as DNSRBLs, the score can be adjusted accordingly.

On Wed, 30 Aug 2023, Denny Jones via users wrote:
> Hello,
> I have looked high and low and can't find an explanation for multi-level scoring:
> score SCC_CANSPAM_2 3.799 0.001 3.799 0.00
> What does this mean? In my simplistic way of doing things I would write this as:
> score SCC_CANSPAM_2 3.799
> Thanks for helping clear the mud in my mind!
> Denny

-- 
Dave Funk
Re: OT - Re: DNFTEC - was My apologies
On Sat, 5 Aug 2023, Grant Taylor via users wrote:
> On 8/5/23 6:42 PM, Martin Gregorie wrote:
>> Yes given that he is
> Sorry, I was asking for differences between Energy Creatures and Trolls. I agree with your advice about the particular EC / T. I'm still trying to understand the conceptual difference between an EC and a T or if they are synonyms for the same type of individual.

For the most part they can be pretty much interchangeable but with slight shading:
  EC -> alignment: neutral/chaotic
  T  -> alignment: evil
IE an EC can be unpredictable and occasionally positive but at a cost; a T is pretty predictably undesirable.

Just my U$0.02, YMMV

-- 
Dave Funk
Re: Really hard-to-filter spam
On Wed, 2 Aug 2023, Thomas Cameron via users wrote:
> Thank you very much. The message that slipped through today was NOT one of the ones being discussed in this thread, it was a different format and totally different message. I only included it to demonstrate that my server was not being rejected for queries as the blocked user intimated.
> I will dig deeper into the --magic and make sure I'm feeding Bayes with spam and ham.

Regardless, if a message has never been seen before and has little correlation to earlier messages its Bayes should hit someplace in the 40% to 60% range. The fact that it hit 00% indicates a strong correlation to lots of ham (or something is screwy with your Bayes).

-- 
Dave Funk
Re: Really hard-to-filter spam
On Fri, 28 Jul 2023, Jared Hall wrote:
> On 7/27/2023 12:08 PM, Ken D'Ambrosio wrote:
>> Hey, all. I've recently started getting spam that's really hard to deal with, and I'm open to suggestions as to how to approach it. Superficially,
>> [snip..]
>> The damn body's been encoded! And there's so little in there that it's not triggering on many rules (e.g., Bayesian doesn't go over 20%). If anyone has a bright idea -- maybe a way to decode the attachments and run a regex against _that_? -- I'm all ears.
> 1. There are milters/content-filters that decode Base64 message parts (amavisd-new, mimedefang, etc) for processing by SA.
> 2. There are still sufficiently unique items: First-Name-Only, Mixed-Case word in the Subject (NLP modeling), and a Base-64 encoded HTML attachment (w/ UTF-8 encoding no less). Combined in a Meta rule, these innocuous items will likely hit with good accuracy even without Base64 decoding.

Umm, unless I'm really missing something here the usual SA processing decodes such body stuff (QP, Base64, etc) and feeds the "cleaned" text to the rule processing engine. You have to work hard to get matches done on the raw stuff if you want to do special rule matching on the un-decoded body.

-- 
Dave Funk
Re: Ensuring SPF/DKIM for @gmail.com
If you do that you will guarantee yourself to get bunches of spam that might otherwise be tagged by SA.

The "welcomelist" mechanism says: Anybody who matches this criteria we consider strongly not to be spam (regardless of how spammy all the other metrics may say it is). You should "welcomelist" stuff that you want to guarantee passage of, regardless of all other considerations.

Given that Google:
 a) SPF & DKIMs all the stuff that comes out of their system
 b) has lots of spammers who have Gmail accounts and spew spam from them.
 c) does not seem to care two hoots about (b) and lets (b) happen even in the case of reports.

So if you do those lines (or the more all-encompassing 'welcomelist_auth' form) you guarantee those spammers a free ride into your system.

Now if you want to find those critters that forge "n...@gmail.com" as a sender you'll need to create a custom rule set:
 1) a non-scoring rule that fires when from == "@gmail.com"
 2) a 'meta rule' that says if-from-gmail && not DKIM_VALID then give it a spam score

DKIM_SIGNED is a standard SA rule that detects a properly valid DKIM or DK signature.

On Tue, 25 Jul 2023, J Doe wrote:
> Hi,
> I am currently using SpamAssassin 4.0.0 and I had a question on how I can ensure that any e-mail from @gmail.com has a valid SPF and DKIM signature.
> I am aware that the following can be easily fooled, because it is not checking SPF and DKIM:
> welcomelist_from *@gmail.com
> ... so to ensure valid SPF and DKIM, I believe I would need:
> welcomelist_from_spf *@gmail.com
> welcomelist_from_dkim *@gmail.com
> ... or *two* entries. Is that correct ?
> Thanks,
> - J

-- 
Dave Funk
Re: Sudden surge in spam appearing to come from my email address
Assuming you own/manage your infrastructure it should be straight-forward.

Create SPF records for your domain & SMTP server, set them to either soft or hard fail mode. If you can, also set up DKIM signing of your outgoing mail. Then create rules that look for your from address in a message and a meta which says "if from me & DKIM-fail/SPF-fail hit it hard".

If you can work with the SPF hard fail you will also help to improve your net reputation as spammers will have a harder time trying to "Joe Job" you.

On Fri, 14 Jul 2023, Thomas Cameron wrote:
> All -
> I am suddenly getting hammered by a BUNCH of spam that appears to be from me. It scores low, and even though I keep feeding it to Bayes, it's still not hitting the threshold to be marked as spam.
> When I check the headers, it's coming from multiple random email servers, but many appear to originate from hotmail/outlook.com. So from outlook.com, through some unsecured email server, then to my server.
> I'm trying to figure out how to block this stuff. Something like "if it appears to come from me, but it's not actually coming from my email server," block it.
> I don't necessarily think this is a job for SA, but if there's a rule I can tweak or a setting I can change, I'm all ears.
> Thanks,
> Thomas

-- 
Dave Funk
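The three replies above (the four-column score sets, the "from gmail && not DKIM" meta rule, and the "from me && SPF/DKIM fail" meta rule) all describe the same machinery: a non-scoring header rule, a meta rule that combines it with an authentication result, and a score line whose column is picked by the active score set. The following is an added example written for this page, not SpamAssassin's own code: a deliberately small evaluator that parses those three rule types in .cf syntax and runs them over constructed messages. The rule names `__FROM_GMAIL`, `GMAIL_NOT_DKIM`, `__FROM_MY_DOMAIN`, `FORGED_MY_DOMAIN` and the domain `example.org` are made up for the example. `SPF_PASS` and `DKIM_VALID_AU` are stock SpamAssassin rule names normally set by the SPF and DKIM plugins; since this runs offline, their results are passed in as pre-computed hits rather than derived from the message.

```python
"""Added example (not SpamAssassin code): a toy evaluator for the header /
meta / score rule shapes discussed above, run on constructed messages."""
import email
import re
from email.utils import parseaddr

# Constructed rule set in SpamAssassin .cf syntax. Names starting with "__"
# are non-scoring sub-rules that exist only to feed meta rules. SPF_PASS and
# DKIM_VALID_AU are stock rules normally set by SA's SPF and DKIM plugins;
# this offline toy takes them as pre-computed hits instead (assumption).
RULES_CF = r"""
header __FROM_GMAIL        From:addr =~ /\@gmail\.com$/i
meta   GMAIL_NOT_DKIM      __FROM_GMAIL && !DKIM_VALID_AU
score  GMAIL_NOT_DKIM      3.0

header __FROM_MY_DOMAIN    From:addr =~ /\@example\.org$/i
meta   FORGED_MY_DOMAIN    __FROM_MY_DOMAIN && !(SPF_PASS || DKIM_VALID_AU)
score  FORGED_MY_DOMAIN    5.0 5.0 8.0 8.0
"""

HEADER_RE = re.compile(r'^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$')
META_RE = re.compile(r'^meta\s+(\S+)\s+(.+)$')
SCORE_RE = re.compile(r'^score\s+(\S+)\s+(.+)$')


def parse_rules(text):
    """Split a .cf fragment into header regexes, meta expressions and scores."""
    headers, metas, scores = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if m := HEADER_RE.match(line):
            name, field, pat, flags = m.groups()
            headers[name] = (field, re.compile(pat, re.I if 'i' in flags else 0))
        elif m := META_RE.match(line):
            metas[m.group(1)] = m.group(2).strip()
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = [float(v) for v in m.group(2).split()]
    return headers, metas, scores


def header_value(msg, field):
    """'From:addr' yields just the address, as SA's :addr modifier does."""
    name, _, mod = field.partition(':')
    raw = msg.get(name, '')
    return parseaddr(raw)[1] if mod == 'addr' else raw


TOKEN_RE = re.compile(r'\s*([A-Z_][A-Z0-9_]*|&&|\|\||!|\(|\))')
OPS = {'&&': ' and ', '||': ' or ', '!': ' not '}


def eval_meta(expr, hits):
    """Evaluate an SA meta expression against the set of rules that hit.
    Every token must match TOKEN_RE, so the eval below only ever sees
    True/False, parentheses and boolean operators."""
    out, pos = [], 0
    expr = expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f'bad meta token near {expr[pos:]!r}')
        tok = m.group(1)
        out.append(tok if tok in '()' else OPS.get(tok) or ('True' if tok in hits else 'False'))
        pos = m.end()
    return bool(eval(''.join(out), {'__builtins__': {}}, {}))


def scan(msg, rules, auth_hits=(), bayes=True, net=True):
    """Return (total score, {rule: score}) for one message. Score sets follow
    the manual: 0 = no Bayes/no net, 1 = net only, 2 = Bayes only, 3 = both."""
    headers, metas, scores = rules
    hits = set(auth_hits)
    for name, (field, pat) in headers.items():
        if pat.search(header_value(msg, field)):
            hits.add(name)
    for name, expr in metas.items():   # metas here depend only on non-meta rules
        if eval_meta(expr, hits):
            hits.add(name)
    score_set = (2 if bayes else 0) + (1 if net else 0)
    report = {}
    for name in sorted(hits):
        vals = scores.get(name)
        if vals and not name.startswith('__'):
            report[name] = vals[score_set] if len(vals) == 4 else vals[0]
    return sum(report.values()), report


RULES = parse_rules(RULES_CF)

# Constructed messages (not from the thread).
GMAIL_MSG = email.message_from_string(
    'From: Some One <someone@gmail.com>\nSubject: hello\n\nhi\n')
FORGED_ME = email.message_from_string(
    'From: "The Boss" <boss@example.org>\nSubject: urgent\n\nwire money\n')

if __name__ == '__main__':
    print(scan(GMAIL_MSG, RULES))                               # unsigned: hits
    print(scan(GMAIL_MSG, RULES, auth_hits={'DKIM_VALID_AU'}))  # signed: clean
    print(scan(FORGED_ME, RULES, bayes=False, net=False))       # score set 0
    print(scan(FORGED_ME, RULES))                               # score set 3
```

The `FORGED_MY_DOMAIN` score line shows the four-column form from the Denny reply: the same rule scores 5.0 in score sets 0 and 1 and 8.0 in sets 2 and 3, and `scan()` picks the column from the Bayes/network flags exactly as the manual text describes.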
Re: SpamAssassin repeatedly fails to start
On Wed, 12 Jul 2023, Wingfully Team via users wrote:
> Hi,
> I’m using SpamAssassin 3.4.0 on a VPS hosted by Hostinger with CentOS 7. CyberPanel was installed by Hostinger. I am constantly (every 90 seconds) seeing spamassassin fail to start, seemingly because it can’t find the PID file. I’m sending and receiving emails fine (it seems), but this is not only filling up logs/disk space, I’m also worried something else is misconfigured which could potentially be causing other problems.
> Here are the logs from /var/log/messages:
> Jul 12 23:14:02 wingfully systemd: spamassassin.service start operation timed out. Terminating.
> Jul 12 23:14:02 wingfully systemd: Unit spamassassin.service entered failed state.
> Jul 12 23:14:02 wingfully systemd: spamassassin.service failed.
> Jul 12 23:14:02 wingfully systemd: spamassassin.service holdoff time over, scheduling restart.
> Jul 12 23:14:04 wingfully systemd: Can't open PID file /run/spamassassin.pid (yet?) after start: No such file or directory
> Jul 12 23:15:32 wingfully systemd: spamassassin.service start operation timed out. Terminating.
> Jul 12 23:15:33 wingfully systemd: Unit spamassassin.service entered failed state.
> Jul 12 23:15:33 wingfully systemd: spamassassin.service failed.
> Jul 12 23:15:33 wingfully systemd: spamassassin.service holdoff time over, scheduling restart.
> Jul 12 23:15:34 wingfully systemd: Can't open PID file /run/spamassassin.pid (yet?) after start: No such file or directory
> Here’s the output from systemctl status spamassassin -l
> ● spamassassin.service - Spamassassin daemon
>    Loaded: loaded (/usr/lib/systemd/system/spamassassin.service; enabled; vendor preset: disabled)
>   Drop-In: /etc/systemd/system/spamassassin.service.d
>            └─override.conf
>    Active: activating (start) since Wed 2023-07-12 23:29:07 EDT; 1min 5s ago
>   Process: 5193 ExecStart=/usr/bin/spamd --pidfile /var/run/spamd.pid $SPAMDOPTIONS (code=exited, status=0/SUCCESS)
>   Process: 5191 ExecStartPre=/sbin/portrelease spamd (code=exited, status=0/SUCCESS)
>    CGroup: /system.slice/spamassassin.service
>            ├─5198 /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m5 -
>            ├─5199 spamd chil
>            └─5200 spamd chil
> Jul 12 23:29:07 wingfully.host systemd[1]: Stopped Spamassassin daemon.
> Jul 12 23:29:07 wingfully.host systemd[1]: Starting Spamassassin daemon...
> Jul 12 23:29:07 wingfully.host spamd[5193]: logger: removing stderr method
> Jul 12 23:29:09 wingfully.host spamd[5198]: spamd: server started on IO::Socket::IP [127.0.0.1]:783, IO::Socket::IP [::1]:783 (running version 3.4.0)
> Jul 12 23:29:09 wingfully.host spamd[5198]: spamd: server pid: 5198
> Jul 12 23:29:09 wingfully.host systemd[1]: Can't open PID file /run/spamassassin.pid (yet?) after start: No such file or directory
> Jul 12 23:29:09 wingfully.host spamd[5198]: spamd: server successfully spawned child process, pid 5199
> Jul 12 23:29:09 wingfully.host spamd[5198]: spamd: server successfully spawned child process, pid 5200
> Jul 12 23:29:09 wingfully.host spamd[5198]: prefork: child states: IS
> Jul 12 23:29:09 wingfully.host spamd[5198]: prefork: child states: II
> I can’t seem to figure this out. Does anyone know what’s going on?
> Thanks,
> Matt

spamd & systemd aren't agreeing on where the PID file is.

Look at the spamd argument list:
  /usr/bin/spamd --pidfile /var/run/spamd.pid
Note that "/var/run/" part.

Systemd is barking about not finding:
  "Can't open PID file /run/spamassassin.pid"

So either change the spamd arguments or the systemd spamassassin override.conf file so they agree on where the silly '.pid' file is going to live.

Note; do NOT change the spamassassin.service file (the next system update will overwrite your changes). Put your customizations in the /etc/systemd/system/spamassassin.service.d/override.conf file. Then make sure it actually ends up there.

-- 
Dave Funk
Re: comparing sender domain against recipient domain
What useful information would you be looking for from this kind of comparison? All the time I receive mail from people with non-local domains and regularly receive e-mail from co-workers using the same domain as me.

The kind of things that might be useful are:
 1) detecting local-domain forgeries (IE if you have DKIM/SPF, etc and the message appears to be from your domain but fails those checks)
 2) examining the "comment" part of the From: address to see if it contains a misleading 'domain-like' text. EG: From: "b...@my.domain.org"

On Thu, 11 May 2023, Marc wrote:
> I was wondering if spamassassin is applying some sort of algorithm to comparing sender domain against recipient domain to detect a phishing attempt?

-- 
Dave Funk
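Point 2 above (a From: display name that looks like an address at the local domain while the real address is somewhere else) is the check most worth automating, since it is exactly what a lookalike-sender phish relies on. Here is an added example implementing it, written for this page rather than taken from SpamAssassin; the domain `my.domain.org` is the one in the reply and the other addresses and the `SAMPLES` table are constructed for the example.

```python
"""Added example (not SpamAssassin code): flag From: headers whose display
name embeds an address at a domain other than the real sending address."""
import re
from email.utils import parseaddr

# Something address-shaped inside the display name ("comment part"):
# local-part, '@', then a dotted domain, captured.
ADDR_SHAPED = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)', re.I)


def domain_of(addr):
    return addr.rpartition('@')[2].lower()


def display_name_domain_mismatch(from_value):
    """For the value of a From: header, return (domain shown in the display
    name, domain of the real address) when they differ, else None."""
    name, addr = parseaddr(from_value)
    if not addr:
        return None
    m = ADDR_SHAPED.search(name)
    if not m:
        return None            # ordinary display name, nothing to compare
    shown, real = m.group(1).lower(), domain_of(addr)
    return (shown, real) if shown != real else None


def local_domain_lookalike(from_value, local_domain):
    """True when the display name advertises the local domain (or one of its
    subdomains) but the real address is elsewhere: the phish shape the
    thread is about. A plain mismatch between two foreign domains is left
    to other rules."""
    mismatch = display_name_domain_mismatch(from_value)
    if not mismatch:
        return False
    shown, _ = mismatch
    local_domain = local_domain.lower()
    return shown == local_domain or shown.endswith('.' + local_domain)


# Constructed From: header values (not from the thread).
SAMPLES = {
    'spoof':  '"boss@my.domain.org" <x9k2@freemail.example>',
    'honest': '"bob@my.domain.org" <bob@my.domain.org>',
    'plain':  'Alice Example <alice@my.domain.org>',
    'other':  '"news@shop.example" <bounce@mailer.example>',
}

if __name__ == '__main__':
    for label, value in SAMPLES.items():
        print(label, display_name_domain_mismatch(value),
              local_domain_lookalike(value, 'my.domain.org'))
```

In SpamAssassin terms this would be a `header ... From:name` rule paired with a `From:addr` rule in a meta; the Python version makes the two comparisons explicit so the false-positive case ("honest", where display name and address agree) is visibly excluded.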
Re: Rule Help - not sure what is wrong with my syntax
On Sat, 14 Jan 2023, Benny Pedersen wrote:
> Benny Pedersen skrev den 2023-01-14 03:59:
>> header TO_SPECIFIC_DOMAIN To:addr =~ /\@(test|junc)\.(com|net|eu)$/
>> describe TO_SPECIFIC_DOMAIN Mail sent to test.com or test.net email addresses
>> score TO_SPECIFIC_DOMAIN -0.5
> tested works if i mail myself :=)

Benny,
Does it work if you mail To:
Note that having an '>' character at the end of an address is valid if it has a matching '<' but that should fail your "(com|net|eu)$/" test because of the anchoring '$'

-- 
Dave Funk
Re: How do I check for a jpeg attachment?
On Mon, 3 Oct 2022, Loren Wilton wrote:
> I'm getting a bunch of spams from fake gmail accounts that consist of one short line of text and a 2 MB jpg file. The subject and body text are pretty much random beyond that.
> How do I check for the following?
> --e345f305ea2680cd
> Content-Type: image/jpeg; name="MMM.jpg"
> Content-Disposition: attachment; filename="MMM.jpg"
> Content-Transfer-Encoding: base64
> Content-ID:
> X-Attachment-Id: f_l8t6clr50
> I want to match on /^Content-Type: image\/jpeg;/ but I can't figure out how to do that. rawbody doesn't seem to work.

Use the specific 'mimeheader' rule type:

mimeheader L_IMAGE3e Content-Type =~ m!image/jpe?g;!i
describe L_IMAGE3e Has JPG image attachment
score L_IMAGE3e 0.2

-- 
Dave Funk
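Why `rawbody` missed the header and `mimeheader` finds it comes down to which view of the message each rule type sees: body-type rules get the decoded text of the textual parts, while `mimeheader` is run over the headers of every MIME part. The added example below (written for this page, not SpamAssassin code) builds a message with the same part headers that were quoted, walks its parts the way a `mimeheader` rule does, and goes one step further than the rule in the reply by combining "almost no text" with "large JPEG attachment", which is the shape of spam described. The `build_sample()` helper, the JPEG stand-in payload and the size thresholds are assumptions made for the example.

```python
"""Added example (not SpamAssassin code): match image/jpeg MIME part headers
and pair that with a short-text check, on a constructed message."""
import base64
import email
import re
from email import policy


def build_sample(image_bytes, text='see attached'):
    """Construct a multipart message shaped like the one quoted in the thread.
    The payload is whatever bytes are passed in, not a real JPEG."""
    b64 = base64.encodebytes(image_bytes).decode('ascii')
    return (
        'From: someone@gmail.com\n'
        'To: you@example.org\n'
        'Subject: photo\n'
        'MIME-Version: 1.0\n'
        'Content-Type: multipart/mixed; boundary="e345f305ea2680cd"\n'
        '\n'
        '--e345f305ea2680cd\n'
        'Content-Type: text/plain; charset="UTF-8"\n'
        '\n'
        f'{text}\n'
        '--e345f305ea2680cd\n'
        'Content-Type: image/jpeg; name="MMM.jpg"\n'
        'Content-Disposition: attachment; filename="MMM.jpg"\n'
        'Content-Transfer-Encoding: base64\n'
        'X-Attachment-Id: f_l8t6clr50\n'
        '\n'
        f'{b64}'
        '--e345f305ea2680cd--\n'
    )


JPEG_CT = re.compile(r'image/jpe?g', re.I)   # same pattern as the reply's rule


def jpeg_attachments(raw):
    """Walk every MIME part and test its Content-Type header, which is what a
    'mimeheader' rule does. Returns (filename, decoded size) per JPEG part."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if JPEG_CT.search(part.get('Content-Type', '')):
            found.append((part.get_filename(), len(part.get_payload(decode=True))))
    return found


def textual_body(raw):
    """Decoded text of the textual parts only: roughly the view body/rawbody
    rules get. The image part's headers are not in here, which is why the
    rawbody attempt in the thread did not match."""
    msg = email.message_from_string(raw, policy=policy.default)
    return ''.join(part.get_content() for part in msg.walk()
                   if part.get_content_maintype() == 'text')


def short_text_big_image(raw, max_text=200, min_image=1_000_000):
    """Candidate meta-rule: almost no text plus a large JPEG attachment
    (thresholds are assumptions for the example)."""
    return (len(textual_body(raw).strip()) <= max_text
            and any(size >= min_image for _, size in jpeg_attachments(raw)))


if __name__ == '__main__':
    small = build_sample(b'\xff\xd8' + b'\x00' * 100)
    print(jpeg_attachments(small), short_text_big_image(small))
```

Note that `textual_body()` never contains the string `image/jpeg`, while the raw message does; a `full` rule would see it too, but `mimeheader` is the targeted tool.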
Re: Aw: Re: info: dns: bad dns reply: bgread: recv() failed
On Thu, 29 Sep 2022, Maurizio Caloro wrote:
> First let me thank you for your quick help, yes now it's running :-)
> mistake: named.conf.options
> -listen-on { A.B.C.D, localhost; };
> +listen-on { any; };
> After this, the error in Spamd.log disappeared, great!

Your mistake is that 'localhost', you need to have a real IP address there. Use '127.0.0.1' instead of localhost in that listen-on statement, and also use ';' for component separators, not ','. IE:
  listen-on { A.B.C.D; 127.0.0.1; };

The key-word 'any' means to discover and bind to all possible interfaces on the machine.

> but now i see in main.log, this message:
> Sep 29 21:15:05 nmail postfix/smtp[26109]: warning: DNSSEC validation may be unavailable
> Sep 29 21:15:05 nmail postfix/smtp[26109]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
> i see this as a warning, and i think i dont need intervention here?

If you want your postfix to be able to validate DNSSEC signed DNS replies you need to set up DNSSEC infrastructure. (postfix issue, not spamd).

-- 
Dave Funk
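Review bot: the `+listen-on { any; };` line widens what named listens on from one address plus localhost to every interface on the host, so check that `allow-recursion` (or `allow-query`) in the same named.conf.options still restricts who may recurse; otherwise a resolver that only needed to answer spamd on 127.0.0.1 becomes an open recursive resolver on whatever networks the machine is attached to. The narrower fix for the original error is the one given in the reply, `listen-on { A.B.C.D; 127.0.0.1; };` with `;` separators, which corrects the syntax without enlarging the listener.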
Re: info: dns: bad dns reply: bgread: recv() failed
On Thu, 29 Sep 2022, Matus UHLAR - fantomas wrote:
> [snip..]
> /usr/local/share/perl/5.28.1/Mail/SpamAssassin/DnsResolver.pm line 742, line 189.
> Wed Sep 28 21:46:55 2022 [9418] info: dns: bad dns reply: bgread: recv() failed: Connection refused at /usr/local/share/perl/5.28.1/Mail/SpamAssassin/DnsResolver.pm line 742.
>
> That looks like BIND or a packet filter refusing the query packet or possibly a case of failed fallback to TCP when a reply was too big for UDP. Are you certain that BIND is configured to do recursion for 127.0.0.1 and doesn't have anything blocking port 53 for both UDP and TCP?
>
> root@nmail:/var/log# cat /etc/resolv.conf
> nameserver 127.0.0.1
>
> sure it is BIND running on localhost?
>
> sudo netstat -unlpe
> bind9 running
> Sep 28 21:45:49 nmail named[12447]: zone 127.in-addr.arpa/IN: loaded serial 1
> Sep 28 21:45:49 nmail named[12447]: zone 255.in-addr.arpa/IN: loaded serial 1
> Sep 28 21:45:49 nmail named[12447]: zone domain.nmail/IN: sig-re-signing-interval less than 3 * refresh.
> Sep 28 21:45:49 nmail named[12447]: zone domain.nmail/IN: loaded serial 1 (DNSSEC signed)
> Sep 28 21:45:49 nmail named[12447]: zone 190.120.37.in-addr.arpa/IN: loaded serial 1
> Sep 28 21:45:49 nmail named[12447]: zone localhost/IN: loaded serial 2
> Sep 28 21:45:49 nmail named[12447]: all zones loaded
> Sep 28 21:45:49 nmail named[12447]: running
> Sep 28 21:45:49 nmail named[12447]: zone domain.nmail/IN: reconfiguring zone keys
> Sep 28 21:45:49 nmail named[12447]: zone domain.nmail/IN: next key event: 28-Sep-2022 22:45:49.345

Does:
  dig @localhost google.com
get you a valid answer or does it give you an error message:

dbfunk@a-lnx000:bin> dig @localhost google.com
; <<>> DiG 9.11.2 <<>> @localhost google.com
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

If you get that kind of an error message that tends to indicate that either your bind is not configured to listen on 'localhost' or there's some strange firewall issue going on.

Locate your bind's "named.conf" file and look for a "listen-on" parameter. It should contain the value "any" or explicitly list the various appropriate addresses, including the "127.0.0.1" localhost address.

-- 
Dave Funk
Re: Emails from gmail.com bypassing Spamassassin scoring
How big was the message? (attached images can be pretty big).

Depending on the "glue" you use to connect your mail MTA to SA, it may have some kind of size restriction. For example, the 'spamc' client has a 'max-size' parameter (which defaults to 500KB). Any message larger than that size will not be passed to SA (IE it will skip scanning).

Does your MTA log the SA processing? Can you see any logged errors associated with that particular message?

On Mon, 7 Feb 2022, Chad wrote:
> All of the other emails that were sent before and after this particular email have the X-Spam-Status and X-spam-Report scoring, So Spamassassin was running correctly.
>
> -Original Message-
> From: Marc
> Date: Monday, February 7, 2022 at 1:49 PM
> To: Chad , "users@spamassassin.apache.org"
> Subject: RE: Emails from gmail.com bypassing Spamassassin scoring
>
>> I have been getting numerous emails lately from various gmail.com accounts. They are spam or phishing emails and today I got one that had a subject of RECEIPT 5454 and only a JPG image of an invoice. There was no content in the email. It bypassed Spamassassin scoring. Do you know why or what setting I need to set so EVERY email goes through Spamassassin scoring procedures?
>
> I do not see X-Spam headers[1], so your spamassassin was not working?
>
> [1]
> X-Spam-Status: No, score=-0.4 required=3.0 tests=ALL_TRUSTED,SPF_NEUTRAL, TVD_SPACE_RATIO,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on 4422b522-8a2b-4864-9498-4f2d06aca485

-- 
Dave Funk
Re: handle_user and connect to spamd failed
On Tue, 19 Oct 2021, Linkcheck wrote:
> Ok, thanks, Dave.
> '--helper-home-dir' option needs an '='
> Also, --max-children?
> I have been playing with options based on suggestions here. I now have the spamassassin options as:
> OPTIONS="--nouser-config -4 -i 127.0.0.1 --max-children=5 --helper-home-dir=/var/lib/spamassassin -u debian-spamd"
> and the spamass-milter options:
> OPTIONS="-u spamass-milter -- -d 127.0.0.1"
> Once I remembered that spamass-milter also needed to be restarted, along with spamassassin and postfix, I made more progress. :(
> That has fixed both warnings but the warning message "Could not retrieve sendmail macro 'i'" has returned; thought I'd got rid of that one for good. I tried adding 'i' to the postfix milter_connect_macros but no difference. I've never discovered what that macro is supposed to be nor whence/how it derives.
> Thanks to everyone who has contributed to this thread. If someone could round it off with the i macro solution that should be it.

spamass-milter wants the 'i' macro in both the milter_mail_macros and milter_rcpt_macros postfix config parameters. Putting it in the milter_connect_macros doesn't do any good, that's not where spamass-milter looks for it. (at least in the version 0.3.2 code that I looked at, YMMV version wise, grep the Source Luke).

The 'i' macro is supposed to be the message queue-id value.

-- 
Dave Funk
Re: CVD_IN_DNSWL_HI ?
On Mon, 11 Oct 2021, David B Funk wrote:
> On Mon, 11 Oct 2021, Jerry Malcolm wrote:
>> I am getting tons of emails that are very obviously spam (elongation, russian beauties, etc) that are getting a -5 score added on the white list test:
>> CVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust
>> I'm curious about the usefulness of a white list that spammers have obviously been able to defeat. And with the -5.0 score added (subtracted) in to the total, there's almost no chance for other tests to overcome it with 10 points to get the score to 5.0
>> What is the easiest way to disable this 'trusted white list' tester that is sabotaging so many of my spam scores?
>
> That's one of the several sets of evals derived from the __RCVD_IN_DNSWL test of the "list.dnswl.org" rbl.
> You can disable just the RCVD_IN_DNSWL_HI rule by setting its score to 0. EG: in your local.cf add a line that looks like:
> # disable RCVD_IN_DNSWL_HI
> score RCVD_IN_DNSWL_HI 0
> You can disable the whole kit of rules derived from that rbl by setting the base rule to 0:
> score __RCVD_IN_DNSWL 0

The other thing you should do is to report false-positives to the dnswl.org site. See: https://www.dnswl.org/?page_id=17

You first might want to verify that your FPs aren't being generated by some upstream relay that is trusted but due to some configuration issue is "masking" the spam source.

If you put a copy of one of the offending spams in pastebin.com and post the URL here we can look at it with you to see if we can spot your issue.

-- 
Dave Funk
Re: CVD_IN_DNSWL_HI ?
On Mon, 11 Oct 2021, Jerry Malcolm wrote:
> I am getting tons of emails that are very obviously spam (elongation, russian beauties, etc) that are getting a -5 score added on the white list test:
> CVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust
> I'm curious about the usefulness of a white list that spammers have obviously been able to defeat. And with the -5.0 score added (subtracted) in to the total, there's almost no chance for other tests to overcome it with 10 points to get the score to 5.0
> What is the easiest way to disable this 'trusted white list' tester that is sabotaging so many of my spam scores?

That's one of the several sets of evals derived from the __RCVD_IN_DNSWL test of the "list.dnswl.org" rbl.

You can disable just the RCVD_IN_DNSWL_HI rule by setting its score to 0. EG: in your local.cf add a line that looks like:

# disable RCVD_IN_DNSWL_HI
score RCVD_IN_DNSWL_HI 0

You can disable the whole kit of rules derived from that rbl by setting the base rule to 0:

score __RCVD_IN_DNSWL 0

-- 
Dave Funk
Re: Customise hostname shown in X-Spam-Checker-Version?
On Fri, 30 Jul 2021, David Bürgin wrote:
> David Bürgin:
>> Resolved. Perhaps the documentation should be updated.
> There are notes for options ‘remove_header’ and ‘clear_headers’ that ‘X-Spam-Checker-Version is not removable’, so a straightforward fix to the documentation would be replacing the sentence
>   note that Checker-Version can not be changed or removed
> with
>   note that Checker-Version can not be removed

More to the point: the X-Spam-Checker-Version header is not removable and the Version-number WITHIN the header is not changeable; the rest of the header is customizable.

-- 
Dave Funk
Re: Identifying Amazon hosts...
On Wed, 28 Jul 2021, Antony Stone wrote:
> On Wednesday 28 July 2021 at 19:51:49, Pedro David Marco wrote:
>> Hi!
>> i have spam with this header:
>> Received: from a48-115.smtp-out.amazonses.com (HELO a48-115.smtp-out.amazonses.com) (54.240.48.115)
>> Is there any way, based on its fqdn, to know whether an Amazon smtp host is public or dedicated?
> Apologies for what may seem like a silly question, but what's the difference?

I'm assuming he's asking if there's a chance that it's an open-relay SMTP server or one dedicated to Amazon client systems.

I'd be shocked if it was an open-relay, it'd probably be hammered by now if it were. There's enough spam coming from AWS clients as-is. I've seen malware and phishes coming out of AWS, I wouldn't unconditionally trust anything from them.

-- 
Dave Funk
Re: Another evil number
On Fri, 25 Jun 2021, Greg Troxel wrote:
> RW writes:
>>> You can reach out to our Customer Support Team+1 (800) 781 - 2511.
>> Is it common in the US to put 800 in brackets like that? In my experience brackets normally go around either country codes or area codes, digits that may be optional.
> Yes, it's common. The proper form is +1 800 782 2511 but people in the US do not write numbers like that. The normal way in the US would be (800) 782-2511 and I find the spaces around the - to be unusual. But really there is a fair degree of variation.

And then there's the obfuscation that spammers/phishers use. Here's an example from a recent message I found in one of my spam traps:

  if you have any issue regarding your order. Reach us at +1 [805} 429-6748
  Thanks & Regards
  +1 [805} 429-6748

Those bracket/brace mismatches are verbatim.

-- 
Dave Funk
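The point of the mismatched `[805}` is that a rule anchored on a tidy `(NNN) NNN-NNNN` shape never fires, while a human reader still sees a phone number. An added example follows (written for this page, not from KAM.cf or any SpamAssassin rule): it normalises North American numbers by treating any run of whitespace, dashes, dots or bracket characters as a separator, pulls the ten digits out, and separately reports the two oddities raised in this thread, mismatched brackets around the area code and spaces around the hyphen. The sample lines are constructed from the numbers quoted above plus a tracking number that must not be mistaken for a phone number.

```python
"""Added example (not SpamAssassin code): extract US phone numbers despite
obfuscated punctuation, and flag the obfuscation itself."""
import re

# Constructed sample lines: the formats discussed in the thread plus one
# decoy line with a tracking number and an order reference.
SAMPLES = [
    "You can reach out to our Customer Support Team+1 (800) 781 - 2511.",
    "The proper form is +1 800 782 2511",
    "Reach us at +1 [805} 429-6748",
    "Reach us at +1 [805} 429-6748 Thanks & Regards +1 [805} 429-6748",
    "Order #2023-0412 shipped, tracking 1Z999AA10123456784",
]

# Between digit groups allow any run of whitespace, dashes, dots or any
# bracket/brace character, so '[805}' and '(800) 781 - 2511' both fit.
SEP = r'[\s\-.()\[\]{}]*'
# Optional +1, then NANP area code and exchange (first digit 2-9), then the
# four-digit line number; the lookarounds stop longer digit runs matching.
US_PHONE = re.compile(
    r'(?<!\d)'
    r'(?:\+?1' + SEP + r')?'
    r'([2-9]\d{2})' + SEP +
    r'([2-9]\d{2})' + SEP +
    r'(\d{4})(?!\d)'
)
SPACED_DASH = re.compile(r'\d\s+-\s+\d')

OPEN = {'(': ')', '[': ']', '{': '}'}
CLOSE = set(OPEN.values())


def bracket_mismatch(span):
    """True if openers and closers in the span do not pair up properly."""
    stack = []
    for ch in span:
        if ch in OPEN:
            stack.append(OPEN[ch])
        elif ch in CLOSE:
            if not stack or stack.pop() != ch:
                return True
    return bool(stack)


def find_phone_numbers(text):
    """All US numbers in the text, normalised to their ten digits."""
    return [''.join(m.groups()) for m in US_PHONE.finditer(text)]


def suspicious_numbers(text):
    """Numbers whose written form shows one of the obfuscation tells from the
    thread, as (digits, [reasons])."""
    out = []
    for m in US_PHONE.finditer(text):
        reasons = []
        if bracket_mismatch(m.group(0)):
            reasons.append('bracket-mismatch')
        if SPACED_DASH.search(m.group(0)):
            reasons.append('spaced-dash')
        if reasons:
            out.append((''.join(m.groups()), reasons))
    return out


if __name__ == '__main__':
    for line in SAMPLES:
        print(find_phone_numbers(line), suspicious_numbers(line))
```

Scoring the normalised digits (for example against a list of numbers seen in earlier phishes) is what makes this useful; the obfuscation tells on their own are a modest signal, since the spaced hyphen also appears in legitimate mail, as the quoted exchange notes.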
Re: Why single periods in regex in spamassassin rules?
On Fri, 23 Apr 2021, Steve Dondley wrote:
> I'm looking at KAM.cf. There is this rule:
> body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i
> I'm wondering if there is a good reason why a single period is used instead of something like \s+ which would catch multiple spaces whereas a single period doesn't.

Because /indian.based.website/ will match 'indian-based_website' but \s will not.

-- 
Dave Funk
Re: SA seems powerless against marketing emails for SEO/web development
On Thu, 22 Apr 2021, Matus UHLAR - fantomas wrote:
> On 22.04.21 14:21, Steve Dondley wrote:
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>> -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no trust
>>                             [209.85.210.44 listed in list.dnswl.org]
>> -1.0 BAYES_00               BODY: Bayes spam probability is 0 to 1%
>>                             [score: 0.]
>> [snip..]
>> -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
>>
>> This email is a bit of an outlier as most of these emails will get flagged with bayes_99 and bayes_999 but this one actually gives it bayes_00. My bayes filter has been trained with about 2000 examples of spam and ham.
> now, train as needed - this one as spam.

In that spam there was a tracking link at the bottom with a URL of the form:

  https://name-company-track.appspot.com/Firebase?bunch-of-long-tracking-variables

How hard would it be to modify the uribl lookup code so that it did not truncate hosts names, so we could create uribl entries of the form "name-company-track.appspot.com" or would that be prohibitively expensive in lookups? I regularly see phish/spam that has URL hosts of the form some-name.blogspot.com or other-name.webhosting.com and it would be nice to be able to slam those things into a uribl list (I run my own).

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center, 103 S Capitol St.  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Problem installing sa on my pi 3b+
On Fri, 9 Apr 2021, spamassas...@mach2.franken.de wrote:
> On 07.04.2021 at 12:27, Antony Stone wrote:
>>> I am running said packet install from an internet tutorial.
>> Who wrote that tutorial and where does it point you to get the packages from?
>> Antony.
> Hmm, it says execute the following commands:
>   sudo apt-get update
>   sudo apt-get install spamassassin
> Without any further params. How am I supposed to know where that command does get its package from???
> Christian

Christian,
Use the "apt show spamassassin" command to show the information about the spamassassin package. One of the lines of output will be something like:

  APT-Sources: http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

That will tell you the package repository that it's getting that particular package from. For more info about the collection of sources that 'apt' & 'apt-get' are using look at the "sources.list" config files in the /etc/apt/ directory.

HTH
Dave

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center, 103 S Capitol St.  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Moving Spam to Junk Folder
On Thu, 3 Sep 2020, bobby wrote:
> I am following this tutorial: https://www.linuxbabe.com/redhat/spamassassin-centos-rhel-block-email-spam. I followed the steps in "Move Spam into the Junk Folder". When I send an email from a blacklisted e-mail address, I get a bounce e-mail from my e-mail server. Here is what is in my spamass-milter file:
>   EXTRA_FLAGS="-m -r 8 -R NO_SPAM -i 127.0.0.1 -g sa-milt -- --max-size=512"
> I would prefer it to go into my Junk folder. How can I make this happen?

Bobby,
You need to read the spamass-milter documentation to understand what those options are doing. That "-r 8" tells spamass-milter to return a 'SMFIS_REJECT' status to postfix if the spam score is over 8. This causes postfix to refuse to accept the message at all (sort of like when somebody tries to send a message to a bogus recipient). So if postfix never lets spam get in the front door it cannot be delivered to any kind of "Junk Folder".

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center, 103 S Capitol St.  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: From Spoofed
On Wed, 26 Feb 2020, Benny Pedersen wrote:
> Robert A. Ober wrote on 2020-02-26 02:28:
>> I have a user that is getting many emails with obscene subjects. Someone is spoofing the From to include the users domain so the email is hitting "USER_IN_WHITELIST". I have installed the plugins from extremeshok and it has not stopped the problem.
> remove whitelist_from in spamassassin, or change it to score -0.1
> i will not argue on why whitelist_from even exists
>> The SUBJECT_FUCKBUDDY rule has a score of 3.0 .
> change score to 300
> upgrade to 3.4.4 btw

I won't argue with the recommendation to upgrade but his real problem is:
> Someone is spoofing the From to include the users domain so the email is hitting "USER_IN_WHITELIST"

That says somebody has taken the users' domain and added it to a "whitelist_from" statement. That is -not- a SA default. So first kill that ill-advised whitelist_from. Then find out why somebody did that and fix that problem properly, not with the easily subverted "whitelist_from" sledge-hammer. If they -must- have some form of whitelist_from, use something that is less easily subverted (such as setting up DKIM or SPF for their domain and using def_whitelist_auth or at least whitelist_from_rcvd). Even better, use def_whitelist_auth & def_whitelist_from_rcvd so it's not such a sledge-hammer but just a mild "bump" to make sure locally generated messages get a little extra help. If it weren't for that bad "whitelist_from" the OP's message would have been spam-tagged, it hit plenty of RBLs etc. It was just that sledge-hammer that got it thru.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Rule for detecting two email addresses in From: field.
On Fri, 4 Oct 2019, Philip wrote:
> Morning List,
> Lately I'm getting a bunch of emails that are showing up with two email addresses in the From: field.
>   From: "Persons Name "
> When you look in your mail client (Outlook, Thunderbird) it's showing only "Persons Name "
> Is there a way I can mark From: that has 2 email addresses in it as spam? Pros/Cons?
> Phil

I seem to remember past discussions of this sort of thing. Bottom line, it's a mixed bag. There are legitimate messages that include an address'ey looking in the "comment" part of the 'From:' header.

Use the "header rule_name From:name =~ /target\@some\.place/" format rule (IE use the From:name field). This works best when looking for spear-phishing type messages where you're looking for specific kinds of deception, EG:

  header T_PAPAL_PHISH4 From:name =~ /\b(?:Pay[Pp]al|service)\@paypal\.com\b/

For a general rule, I wouldn't treat it as a hard spam sign but use it in combination with metas.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
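As an added example (mine, not Dave's rule nor anything shipped with SA), the following inspects the display-name part of From: directly, which is what a From:name rule sees, and flags an embedded address only when its domain differs from the real sender's domain. That is the targeted spear-phishing case Dave recommends rather than a blanket "two addresses" rule. The header values are constructed, and the From: splitting is a simplified regex rather than a full RFC 5322 parser (no comments or encoded words).

```python
import re

# Added example: look for e-mail addresses inside the From: display name
# (SA's "From:name") and compare their domain with the real sender address.

# Display name, quoted or bare, followed by the angle-bracketed address.
FROM_RE = re.compile(r'^\s*(?:"(?P<q>[^"]*)"|(?P<p>[^<"]*?))\s*<(?P<addr>[^<>]+)>\s*$')
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def split_from(value):
    """Return (display_name, sender_address, [addresses found in display name])."""
    m = FROM_RE.match(value)
    if not m:
        # Bare "user@host" with no display name at all.
        return "", value.strip(), []
    name = m.group("q") if m.group("q") is not None else m.group("p")
    return name.strip(), m.group("addr").strip(), ADDR_RE.findall(name)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def name_address_mismatch(value):
    """True when the display name carries an address from a different domain
    than the actual sender: the deception a T_PAPAL_PHISH4-style rule targets,
    generalised here to any domain."""
    name, addr, found = split_from(value)
    if not found or "@" not in addr:
        return False
    return any(domain_of(a) != domain_of(addr) for a in found)


# Constructed From: header values (field body only).
SAMPLES = {
    "phish": '"service@paypal.com" <promo-9981@mail.example.net>',
    "phish_bare_name": 'PayPal Service service@paypal.com <promo-9981@mail.example.net>',
    "legit_duplicate": '"Persons Name <persons.name@example.org>" <persons.name@example.org>',
    "plain": '"Persons Name" <persons.name@example.org>',
    "bare": "persons.name@example.org",
}


def classify(samples=SAMPLES):
    """Map each sample name to whether it shows a display-name/sender domain mismatch."""
    return {k: name_address_mismatch(v) for k, v in samples.items()}
```

The "legit_duplicate" case is the mixed bag Dave mentions: a client that repeats the address in the display name is harmless, and checking domains rather than mere presence keeps it out of the hit list. In SA terms this is the kind of signal to feed into a meta rule alongside DKIM/SPF results rather than score on its own.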
Re: Setting Threshold
Jerry,
One other potential point of confusion; when you say:
> But when I stop and start the service and process an email through it, headers still say 5.0 as the threshold.

What particular service did you stop and restart? Specifically did you restart just the Apache James service or did you stop & restart the spamd daemon? The spamd daemon is the thing that you need to restart to get it to process the config files.

On Fri, 27 Sep 2019, David B Funk wrote:
> Jerry,
> That looks like a functional implementation of the "spamc" client. So that implies your system is using "spamd" daemon for actual processing of the spam. (as opposed to something like "amavis" which directly incorporates the SA scanning engine)
> Did you restart the spamd daemon after you changed that config file? If you did and the change still isn't working this implies that your spamd system is using a different set of config files -or- there's another config file which is overriding your customization. At startup spamd processes config files in sequence and a setting in a later one will override corresponding values set in an earlier one.
> Look at your spamd's process list to see if there are any explicit config files specified in the command line arguments. Also you can try starting your spamd with debugging enabled which will cause it to log config file processing. Add the following to your spamd start up command line arguments:
>   --debug config
> Then restart and look at the logging output to see which config files it's processing and in which order.
>
> On Fri, 27 Sep 2019, Jerry Malcolm wrote:
>> Hi Bill,
>> Thanks for the quick response. I'm using Apache James 3.3.0. I investigated the class that calls spamd. There is a class SpamAssassinInvoker in the James distribution that actually calls spamd. Relevant code excerpt from that class is below. It doesn't appear that any threshold info is being sent on the call.
>>
>>   out = socket.getOutputStream();
>>   in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
>>   out.write("CHECK SPAMC/1.2\r\n\r\n".getBytes());
>>   // pass the message to spamd
>>   message.writeTo(out);
>>   out.flush();
>>   socket.shutdownOutput();
>>   String s = null;
>>   while ((s = in.readLine()) != null) {
>>
>> On 9/27/2019 3:21 PM, Bill Cole wrote:
>>> On 27 Sep 2019, at 15:14, Jerry Malcolm wrote:
>>>> I am setting up SA on an AWS Linux EC2. I am trying to change the results threshold from 5.0 to 4.0. I went to /usr/share/spamassassin/local.cf, uncommented and changed: "required_score 4.0". But when I stop and start the service and process an email through it, headers still say 5.0 as the threshold. What am I doing wrong? Is there some other place I need to change it as well?
>>> It is certainly possible. How are you integrating SA with your mail system, i.e. what software is getting mail that it uses SA to filter? Different mechanisms can end up using software-specific or user-specific configurations that override local.cf.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
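The Java excerpt sends "CHECK SPAMC/1.2" and never mentions a threshold, which is exactly why the 5.0 in the headers comes from spamd's own configuration and not from the client. The following added example (mine, neither James's nor SpamAssassin's code) plays out that exchange against a stand-in spamd over a socket pair so both sides are visible. The stand-in's scoring rule and its marker string are constructed; the request and response framing follow the spamc/spamd protocol ("CHECK" with a Content-length header, answered by "SPAMD/1.1 0 EX_OK" and a "Spam: True ; score / threshold" line).

```python
import re
import socket
import threading

# Added example: a minimal spamc "CHECK" round trip with a stand-in spamd.


def build_check_request(message: bytes) -> bytes:
    """Client side: command line, Content-length, blank line, then the raw message."""
    return b"CHECK SPAMC/1.2\r\nContent-length: %d\r\n\r\n" % len(message) + message


RESP_STATUS = re.compile(r"^SPAMD/(\S+) (\d+) (\S+)$")
RESP_SPAM = re.compile(r"^(True|False|Yes|No)\s*;\s*(-?[\d.]+)\s*/\s*(-?[\d.]+)$", re.I)


def parse_spamd_response(raw: bytes) -> dict:
    """Parse e.g. b'SPAMD/1.1 0 EX_OK\\r\\nSpam: True ; 7.3 / 5.0\\r\\n\\r\\n'."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    m = RESP_STATUS.match(lines[0])
    if not m:
        raise ValueError("bad status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    s = RESP_SPAM.match(headers.get("spam", ""))
    if not s:
        raise ValueError("missing or malformed Spam: header")
    return {
        "code": int(m.group(2)), "status": m.group(3),
        "is_spam": s.group(1).lower() in ("true", "yes"),
        "score": float(s.group(2)), "threshold": float(s.group(3)),
    }


def fake_spamd(conn, required_score=5.0):
    """Server stand-in: read one request, apply a constructed scoring rule
    (a marker string is worth 10 points), reply like spamd. The threshold
    is the server's setting; nothing in the request influences it."""
    try:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        head, _, body = buf.partition(b"\r\n\r\n")
        length = int(re.search(rb"Content-length:\s*(\d+)", head, re.I).group(1))
        while len(body) < length:
            chunk = conn.recv(4096)
            if not chunk:
                break
            body += chunk
        score = 10.0 if b"XSPAMTESTX" in body else 0.5  # constructed scoring
        verdict = b"True" if score >= required_score else b"False"
        conn.sendall(b"SPAMD/1.1 0 EX_OK\r\nSpam: %s ; %.1f / %.1f\r\n\r\n"
                     % (verdict, score, required_score))
    finally:
        conn.close()


def check_message(message: bytes, required_score=5.0) -> dict:
    """Run one CHECK exchange over a socketpair and return the parsed verdict."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_spamd, args=(server, required_score))
    t.start()
    client.sendall(build_check_request(message))
    client.shutdown(socket.SHUT_WR)  # same role as socket.shutdownOutput() in the Java excerpt
    raw = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        raw += chunk
    client.close()
    t.join()
    return parse_spamd_response(raw)
```

Changing required_score on the stand-in changes the "/ 5.0" part of the answer with no change on the client side, which mirrors Jerry's situation: the client has no say, so the fix lives in whatever configuration the running spamd actually loaded.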
Re: Setting Threshold
Unfortunately the answer to those questions tends to be OS distro specific. Usually logs go someplace under "/var/log/" but there's nothing to prevent your particular distro's creators putting them elsewhere. The startup stuff is often very OS distro & version specific; is yours an "init script" based system, or a "systemd" based system (or something else)?

Do this, in a shell execute the command:

  cat /etc/os-release

That should output several lines of text that contain data about the specific distro/version you're running. (if it cannot find /etc/os-release try /usr/lib/os-release ). Using that data, you should be able to track down forums/FAQs/wikis specific to your distro which have answers to those two questions.

On Fri, 27 Sep 2019, Jerry Malcolm wrote:
> Oh yes... and the location of the actual SA startup command file as well.
> Thx
>
> On 9/27/2019 7:01 PM, Jerry Malcolm wrote:
>> Thanks. I'll try all of that. But unfortunately I'm coming into AWS Linux from a Windows background. I'm having a heck of a time finding the configuration and log file folders that linux server implementations seem to like splattering all over the hard drive... :-). Where should I be looking to find the SA log files?
>> Thanks again.
>> Jerry
>>
>> On 9/27/2019 6:46 PM, David B Funk wrote:
>>> Jerry,
>>> That looks like a functional implementation of the "spamc" client. So that implies your system is using "spamd" daemon for actual processing of the spam. (as opposed to something like "amavis" which directly incorporates the SA scanning engine)
>>> Did you restart the spamd daemon after you changed that config file? If you did and the change still isn't working this implies that your spamd system is using a different set of config files -or- there's another config file which is overriding your customization. At startup spamd processes config files in sequence and a setting in a later one will override corresponding values set in an earlier one.
>>> Look at your spamd's process list to see if there are any explicit config files specified in the command line arguments. Also you can try starting your spamd with debugging enabled which will cause it to log config file processing. Add the following to your spamd start up command line arguments:
>>>   --debug config
>>> Then restart and look at the logging output to see which config files it's processing and in which order.
>>>
>>> On Fri, 27 Sep 2019, Jerry Malcolm wrote:
>>>> Hi Bill,
>>>> Thanks for the quick response. I'm using Apache James 3.3.0. I investigated the class that calls spamd. There is a class SpamAssassinInvoker in the James distribution that actually calls spamd. Relevant code excerpt from that class is below. It doesn't appear that any threshold info is being sent on the call.
>>>>
>>>>   out = socket.getOutputStream();
>>>>   in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
>>>>   out.write("CHECK SPAMC/1.2\r\n\r\n".getBytes());
>>>>   // pass the message to spamd
>>>>   message.writeTo(out);
>>>>   out.flush();
>>>>   socket.shutdownOutput();
>>>>   String s = null;
>>>>   while ((s = in.readLine()) != null) {
>>>>
>>>> On 9/27/2019 3:21 PM, Bill Cole wrote:
>>>>> On 27 Sep 2019, at 15:14, Jerry Malcolm wrote:
>>>>>> I am setting up SA on an AWS Linux EC2. I am trying to change the results threshold from 5.0 to 4.0. I went to /usr/share/spamassassin/local.cf, uncommented and changed: "required_score 4.0". But when I stop and start the service and process an email through it, headers still say 5.0 as the threshold. What am I doing wrong? Is there some other place I need to change it as well?
>>>>> It is certainly possible. How are you integrating SA with your mail system, i.e. what software is getting mail that it uses SA to filter? Different mechanisms can end up using software-specific or user-specific configurations that override local.cf.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Setting Threshold
Jerry,
That looks like a functional implementation of the "spamc" client. So that implies your system is using "spamd" daemon for actual processing of the spam. (as opposed to something like "amavis" which directly incorporates the SA scanning engine)

Did you restart the spamd daemon after you changed that config file? If you did and the change still isn't working this implies that your spamd system is using a different set of config files -or- there's another config file which is overriding your customization. At startup spamd processes config files in sequence and a setting in a later one will override corresponding values set in an earlier one.

Look at your spamd's process list to see if there are any explicit config files specified in the command line arguments. Also you can try starting your spamd with debugging enabled which will cause it to log config file processing. Add the following to your spamd start up command line arguments:

  --debug config

Then restart and look at the logging output to see which config files it's processing and in which order.

On Fri, 27 Sep 2019, Jerry Malcolm wrote:
> Hi Bill,
> Thanks for the quick response. I'm using Apache James 3.3.0. I investigated the class that calls spamd. There is a class SpamAssassinInvoker in the James distribution that actually calls spamd. Relevant code excerpt from that class is below. It doesn't appear that any threshold info is being sent on the call.
>
>   out = socket.getOutputStream();
>   in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
>   out.write("CHECK SPAMC/1.2\r\n\r\n".getBytes());
>   // pass the message to spamd
>   message.writeTo(out);
>   out.flush();
>   socket.shutdownOutput();
>   String s = null;
>   while ((s = in.readLine()) != null) {
>
> On 9/27/2019 3:21 PM, Bill Cole wrote:
>> On 27 Sep 2019, at 15:14, Jerry Malcolm wrote:
>>> I am setting up SA on an AWS Linux EC2. I am trying to change the results threshold from 5.0 to 4.0. I went to /usr/share/spamassassin/local.cf, uncommented and changed: "required_score 4.0". But when I stop and start the service and process an email through it, headers still say 5.0 as the threshold. What am I doing wrong? Is there some other place I need to change it as well?
>> It is certainly possible. How are you integrating SA with your mail system, i.e. what software is getting mail that it uses SA to filter? Different mechanisms can end up using software-specific or user-specific configurations that override local.cf.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
who is IADB and why does this spam get a -3.8 score?
This afternoon I found a spam in one of my spam-traps that was sent via constantcontact.com and got a whopping -3.8 from IADB rules. Why does this spam source get such a boost?

 -0.0 RCVD_IN_IADB_LISTED    RBL: Participates in the IADB system
 -0.1 RCVD_IN_IADB_SPF       RBL: IADB: Sender publishes SPF record
 -1.5 RCVD_IN_IADB_OPTIN     RBL: IADB: All mailing list mail is opt-in
 -2.2 RCVD_IN_IADB_VOUCHED   RBL: ISIPP IADB lists as vouched-for sender
 -0.0 RCVD_IN_IADB_SENDERID  RBL: IADB: Sender publishes Sender ID record

In particular how can they claim "All mailing list mail is opt-in" for a message sent to a spam-trap address that has never been used in any way other than a spam-trap? (IE never used to send mail, never listed as a contact address, etc). The message had an "unsubscribe" link but no "report spam" functions. Why should we have to "unsubscribe" an address that was never subscribed at all? (that would tend to give legitimacy to the spammer's claims that it was subscribed/opt-in ).

Who should I report this travesty to?

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: How to create my personal RBL
On Tue, 25 Jun 2019, Martin Gregorie wrote:
> On Tue, 2019-06-25 at 16:11 +0200, hg user wrote:
>> I'd like to create my own RBL that answers queries about IP, domain or address reputation. Data should be stored in a database (mysql, postgres, redis, etc) so that information can be added/modified/removed without the need to restart spamassassin (I think the simpler solution would be a list in SA...) How can I create this setup?
> You need to build a Perl plugin for Spamassassin that connects to, and queries the database together with at least one SA rule that triggers the plugin via an eval:plugin_query() call where plugin_query() is a plugin function that runs the database query using data extracted from the message by SA and returns either 1 (the query found a match in the database) or zero (no matches found).

That's way overthinking it. SA already has perfectly good DNS query tools built in, why not use those. It's pretty simple to set up your own local private DNS zones using rbldnsd. Adding/updating those kinds of zones is as simple as adding or editing lines in a text file (as simple as:

  echo ".this.bad.domain :127.0.0.2:" >> my-zone-file

). No muss no fuss, no server restart, etc. I run two private zones for this purpose, one an IP address RBL list and one a URIBL list.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
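This post and the appspot.com question a few messages up (the tracking-link URIBL entries) share one mechanism, so here is a single added example (mine, not rbldnsd's or SpamAssassin's code) that builds the query names for an IP RBL and for a URIBL, reads a zone written in the same "name :127.0.0.2:" form as the echo line above, and shows that a lookup truncated to the registered domain misses an entry for name-company-track.appspot.com while the untruncated name hits. The public-suffix list is a tiny constructed stand-in for the real one, the zone parser covers only that one line form (a leading dot meaning "this domain and all subdomains"), and no DNS traffic is generated.

```python
import ipaddress

# Added example: RBL/URIBL query-name construction and an offline stand-in
# for an rbldnsd-style zone file.


def ip_rbl_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for a public-suffix list; a real deployment uses the
# full list so that registrar boundaries (co.uk etc.) are honoured.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registered_domain(host):
    """Trim a host name to its registered domain, the way URIBL lookups do."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def uribl_names(host, zone, keep_full_host=False):
    """DNS names queried for a URI host: the truncated form, optionally
    preceded by the untruncated host the post asks for."""
    names = [registered_domain(host) + "." + zone]
    if keep_full_host and host.lower() != registered_domain(host):
        names.insert(0, host.lower() + "." + zone)
    return names


def load_rbldnsd_zone(text):
    """Parse '<name> :<A-value>:' lines (subset of rbldnsd dnset syntax).
    A leading dot lists the name and every subdomain; without it, only the
    exact name. Returns {name: (subdomains_too, a_value)}."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        value = rest.split(":", 1)[0].strip()
        name = name.strip().lower()
        entries[name.lstrip(".")] = (name.startswith("."), value)
    return entries


def zone_lookup(name, entries):
    """A value a listed name resolves to, else None (walks up the labels)."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        hit = entries.get(".".join(labels[i:]))
        if hit and (i == 0 or hit[0]):
            return hit[1]
    return None


# Constructed zone in the post's format.
ZONE_TEXT = """
.this.bad.domain :127.0.0.2:
name-company-track.appspot.com :127.0.0.4:
"""
ENTRIES = load_rbldnsd_zone(ZONE_TEXT)


def check_uri_host(host, entries=ENTRIES, keep_full_host=False):
    """Simulate the lookups a URIBL rule would make for a URI host: the
    truncated name only, or the full host first when keep_full_host is set."""
    candidates = [registered_domain(host)]
    if keep_full_host and host.lower() != candidates[0]:
        candidates.insert(0, host.lower())
    for cand in candidates:
        value = zone_lookup(cand, entries)
        if value:
            return value
    return None
```

With the default truncation the only name that ever reaches the zone for the tracking URL is appspot.com, which nobody wants to list wholesale; querying the full host first is what would make a private entry for one tenant of a shared platform usable, at the cost of one extra lookup per distinct host.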
Re: Mail to local users
On Mon, 17 Jun 2019, David B Funk wrote:
> Are you feeding spamass-milter the necessary information (via milter-macros in your MTA config) so that -it- knows that particular session is authenticated? It needs that info if it's going to synthesize the correct header so that SpamAssassin knows that session was authenticated.
> Specifically: In your config for Milter.macros.envfrom you need to include "{auth_type}, {auth_authen}, {auth_ssf}, {auth_author}" (note that is sendmail syntax, translate into postfix as appropriate).
> If you don't pass those {auth_*} macros into spamass-milter it has no way to know a particular session is authenticated.

Taking a quick look at the source code for spamass-milter (I use a different milter) I can see that it explicitly needs '{auth_type}' and '{auth_ssf}' so you can ignore {auth_authen} & {auth_author}. But without that '{auth_type}' macro info it assumes the session isn't authenticated, and won't pass that on to SA.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Mail to local users
On Mon, 17 Jun 2019, @lbutlr wrote:
> On 17 Jun 2019, at 11:06, Reindl Harald wrote:
>> On 17.06.19 at 16:30, @lbutlr wrote:
>>>   Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160]) by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown; Sun, 16 Jun 2019 15:26:32 -0600 (envelope-from )
>>> The first has an ESMTPS id and the other has SMTP id unknown.
>> a) ESMTPS is *not* authentication
> I didn't say it was, but the change in the header seems to be triggering spamass-milter in ways that it was not being triggered before.
>
> On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas wrote:
>> if the mail was authenticated, it should contain ESMTPA or ESMTPSA instead of SMTP. Note that spamass-milter fakes the first Received: header (because milter must get message as it is received from mail client), but lack of "A" in the SMTP indicates that your mail is not really authenticated.
> The message WAS sent via an authenticated connection:
>
>   Jun 16 15:26:32 mail postfix/submit/smtpd[52711]: 45RnTh0J8KzdrvJ: client=c-73-14-161-160.hsd1.co.comcast.net[73.14.161.160], sasl_method=PLAIN, sasl_username=kr...@kreme.com
>   Jun 16 15:26:32 mail postfix/cleanup[52845]: 45RnTh0J8KzdrvJ: message-id=<0c3be5f6-c5b4-4b07-853d-fad6dcbb6...@kreme.com>
>   Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: from=, size=3259, nrcpt=2 (queue active)
>   Jun 16 15:26:33 mail postfix/lmtp[53026]: 45RnTh0J8KzdrvJ: to=, orig_to=, relay=mail.covisp.net[private/dovecot-lmtp], delay=1.9, delays=1.7/0.01/0.19/0.01, dsn=2.0.0, status=sent (250 2.0.0 1QOYNQm0Bl1fzwAAIdGjjQ:2 Saved)
>   Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: removed

Are you feeding spamass-milter the necessary information (via milter-macros in your MTA config) so that -it- knows that particular session is authenticated? It needs that info if it's going to synthesize the correct header so that SpamAssassin knows that session was authenticated.

Specifically: In your config for Milter.macros.envfrom you need to include "{auth_type}, {auth_authen}, {auth_ssf}, {auth_author}" (note that is sendmail syntax, translate into postfix as appropriate).

If you don't pass those {auth_*} macros into spamass-milter it has no way to know a particular session is authenticated.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Amazon continues to get tagged as spam
On Mon, 1 Apr 2019, @lbutlr wrote:
> I have whitelisted amazon in /usr/local/etc/mail/spamassassin/local.cf
>   whitelist_auth *@*.amazon.com
>   whitelist_auth *@amazon.com
>   whitelist_from *@bounces.amazon.com
>   whitelist_from order-upd...@amazon.com
>   whitelist_from_rcvd @amazon.com amazon.com
>   whitelist_from_rcvd @amazon.com amazonses.com
> Seems this last should have matched the received header below, but it doesn't.
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no trust
>                             [54.240.13.15 listed in list.dnswl.org]
>  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                             [score: 1.]
>  0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                             [score: 1.]
>  1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all mail and suggests discarding the rest
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
>  0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
>  0.1 DKIM_INVALID           DKIM

There's something wrong with your mail system which is trashing not only your DKIM processing but your SPF processing too. In the normal course of things, those Amazon messages should pass both DKIM and SPF checks.

An Amazon message received here looks like:

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
                            [54.240.15.92 listed in list.dnswl.org]
 0.0 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
                            [54.240.15.92 listed in hostkarma.junkemailfilter.com]
 0.0 T__BOTNET_NOTRUST      Message has no trusted relays
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                            [botnet_ipinhosntame,ip=54.240.15.92,rdns=a15-92.smtp-out.amazonses.com]
 0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
                            [botnet_serverwords,ip=54.240.15.92,rdns=a15-92.smtp-out.amazonses.com]
-7.5 USER_IN_DEF_SPF_WL     From: address is in the default SPF white-list
-7.5 USER_IN_DEF_DKIM_WL    From: address is in the default DKIM white-list
 0.0 HTML_MESSAGE           BODY: HTML included in message
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain

Note both the DKIM_VALID, DKIM_VALID_AU and SPF_PASS. It hit both USER_IN_DEF_SPF_WL & USER_IN_DEF_DKIM_WL which are standard SA rules, I didn't add those.

Bottom line, what is going on with your system which is causing DKIM & SPF to fail? Does it fail for other properly signed messages or only fail for Amazon?

If you post a complete unaltered Amazon message on pastebin we can take a crack at it. (only post something which you can publish without redaction, any alterations will invalidate the DKIM sig).

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Bug or feature? ;-)
On Mon, 25 Mar 2019, Axb wrote:
> On 3/25/19 7:01 PM, Henrik K wrote:
>> On Mon, Mar 25, 2019 at 06:49:49PM +0100, Tobi wrote:
>>> On 25.03.19 at 15:18, Henrik K wrote:
>>>> On Mon, Mar 25, 2019 at 03:00:30PM +0100, Tobi wrote:
>>>> [snip..]
>>>>   uri __HAS_URI /./
>>>>   tflags __HAS_URI multiple
>>>>   meta __REALLY_HAS_URI (DKIM_SIGNED && __HAS_URI > 1) || (!DKIM_SIGNED && __HAS_URI)
> seems to me everybody is making an effort in disregarding the fact that the URI rule was hitting on a header and imo, that should not happen. This makes the whole uri behaviour even more unpredictable.

However sometimes headers contain valuable URI targets. For example, I've seen increasing amounts of spam which contain cloud based URLs in the body of the message (worthless for URIBL filtering) which may also contain URLs in the headers that are specific to the spammer source (thus viable targets for URIBL filters). A blanket prohibition against header URI mining would miss out on that data.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: using existing score value in new rule's score
On Sat, 23 Feb 2019, RW wrote:
> On Fri, 22 Feb 2019 16:37:30 -0600 (CST) David B Funk wrote:
>> Is there a rule "score" syntax that allows you to use the score assigned to an existing rule to calculate the value assigned to another rule?
>> ...
>> What I want to do is to create a local rule:
>>   meta L_HTML_IMAGE_ONLY_28_FIX ( HTML_IMAGE_ONLY_28 && L_O365_USER )
>>   describe L_HTML_IMAGE_ONLY_28_FIX Fix damage from HTML_IMAGE_ONL Y_28 for local O-365 users
>>   score L_HTML_IMAGE_ONLY_28_FIX ( -1.0 * HTML_IMAGE_ONLY_28 )
> IIWY I'd just redefine the HTML_IMAGE_ONLY_XX rules in the form
>   body __HTML_IMAGE_ONLY_28 eval:html_image_only('2400','2800')
>   meta HTML_IMAGE_ONLY_28 __HTML_IMAGE_ONLY_28 && !L_O365_USER

That's one way, but given that HTML_IMAGE_ONLY_28 is a core SA rule I'd prefer not to hack at it. I could totally over-ride it with local redefinitions but then I'd miss out on any updates/improvements to the core rule defs and not know about it. By just adding my local "repair" rule whose score is derived from that calculation of the core rule def, I don't need to worry about updates damaging my intended functionality. EG: if the system rule is re-scored (up or down) my "repair" will still do the right thing.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
using existing score value in new rule's score
Is there a rule "score" syntax that allows you to use the score assigned to an existing rule to calculate the value assigned to another rule? Specifically what I'm trying to do is to negate the "damage" a particular rule does for messages that meet particular local criteria.

For example: "HTML_IMAGE_ONLY_28" is a rule that will assign a modest number of points to a message that contains a small amount of HTML and an image. What I want to do is to create a local rule:

  meta L_HTML_IMAGE_ONLY_28_FIX ( HTML_IMAGE_ONLY_28 && L_O365_USER )
  describe L_HTML_IMAGE_ONLY_28_FIX Fix damage from HTML_IMAGE_ONLY_28 for local O-365 users
  score L_HTML_IMAGE_ONLY_28_FIX ( -1.0 * HTML_IMAGE_ONLY_28 )

Where if HTML_IMAGE_ONLY_28 fires and another rule which detects that the message was generated by a local Office-365 user, negate the score from the HTML_IMAGE_ONLY_28 rule.

My problem is that our campus has switched the bulk of our user population to Office-365 and many outlook users like to "decorate" their messages with images (wall-paper, departmental logos, etc). When one of these people sends a short message (1~5 lines of text) in their outlook, it's not unusual for several of SA's rules to fire (EG DC_GIF_UNO_LARGO, HTML_IMAGE_ONLY_28, SARE_GIF_STOX, etc) which pushes the messages into spam score range. I'd like to automate the un-doing of this damage w/o having to continually chase after changes in the scoring. Thus the desire for syntax to calculate the score value. It doesn't have to be evaluated dynamically, just calculate the score at reload time.

Thanks.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: -Suggestion. Develop a List of examples of SpamAssassin Headers...
On Thu, 31 Jan 2019, Noel wrote:
> On 1/31/2019 3:03 PM, Don Saklad wrote:
>>   $ perldoc Mail::SpamAssassin::Conf
>>   No documentation found for "Mail::SpamAssassin::Conf".
>>
>> "Bill Cole" writes:
>>> This is not really possible. Run 'perldoc Mail::SpamAssassin::Conf'
>>
>> On 31.01.19 at 21:34, Don Saklad wrote:
>>> How is it run?...
>>
>> Reindl Harald writes:
>>> by just type it in a terminal?
>>
>>   $ perldoc Mail::SpamAssassin::Conf
>>   No documentation found for "Mail::SpamAssassin::Conf".
> Apparently the docs aren't installed on your system. Perhaps there's a separate spamassassin-docs package that needs to be installed. There's a copy on the web if that's more convenient for you. This is the first hit if you google mail::spamassassin::conf
>   https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html

SA 3.1.x is over a decade old. Don't mess with obsolete versions, go with the current kit:

  https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

(Unless for some strange reason you -are- running an obsolete version, then go to: https://spamassassin.apache.org/full and drill down to the docs that match the version you are running.)

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751  FAX: 319/384-0549
1256 Seamans Center  Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: SPF weirdness...
On Tue, 15 Jan 2019, Bill Cole wrote:
> On 15 Jan 2019, at 15:05, Grant Taylor wrote:
>> I will investigate to see if spamass-milter can fabricate a satisfactory Received: header. A quick look at the issue tracker for it implies that it does so.
>
> A milter that actually works with SA really needs to. Unfortunately, it is a nuisance to debug spamass-milter because it talks to spamc which talks to spamd, so you need to give debug flags to the spamass-milter process and spamd to see exactly what's going on.

This is a very real question. It's a bit tricky to implement a milter correctly because people often don't understand that the message which sendmail hands to a milter is as-received from the incoming network connection. Any locally added stuff (EG the "Received:" header) isn't in that milter stream. Thus the milter must completely/correctly synthesize all locally added headers.

Actually the spamass-milter method (calling spamc) makes it easier to debug. Just create a script which wraps spamc in-between a couple of "tee"s to capture stdin & stdout and you'll have everything you want to know. A simple example which ignores signal handling:

    #!/bin/sh
    # 'spamc' debugging script: record what the milter hands to spamc and what
    # spamc returns, one transcript pair per invocation (keyed on this PID)
    FILE_NAME="/var/tmp/spamc-transcript-$$"
    echo "spamc args: $*" > "${FILE_NAME}.in"
    # stdin -> appended to the .in transcript and passed on to the real spamc;
    # spamc's stdout -> copied to the .out transcript and passed back to the milter
    tee -a "${FILE_NAME}.in" | /real/path/to/spamc "$@" | tee "${FILE_NAME}.out"

Adjust paths as needed.
Re: rule for docx o xlsx
On Mon, 17 Dec 2018, RW wrote:
> On Mon, 17 Dec 2018 13:18:12 -0600 Rick Gutierrez wrote:
>> Hi list, happy holidays to all, I am trying to make this rule work that a friend wrote in github, to be able to give a high score to documents sent from different countries, like pakistan, china or india, I have it in my spamassassin and I do not see it working, to see if someone on the list helps me improve it
>>
>> RuleWordORExcel.cf
>>
>>     mimeheader __MIME_WORDOREXCEL Content-Type =~ /msword|excel/i
>>     ...
>>
>> https://pastebin.com/bmRq7v7h
>
> Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document, doesn't contain msword|excel

Not to mention that rule doesn't match "Application/OCTET-STREAM".

All too often I see mail clients use the catch-all MimeTyping of "Application/OCTET-STREAM" and assume the recipient will 'do the right thing' based on the file extension.
Re: Spamassassin using remote rules definition source?
On Mon, 10 Dec 2018, ozgurerdogan wrote:
> I simply need to write custom rules to block certain mails, domain names. Do I have to learn programming language for this? Is not it easy like create a conf file and let Sa update rules from that source remotely via http?

If your primary need is to block certain domain names it might be easier to create your own custom DNS-RBL and add rules to your SA configuration to score against that. Once you've got the DNS-RBL built (I recommend rbldnsd, http://www.corpit.ru/mjt/rbldnsd.html) and the querying rules added to your SA config, then updating is just a matter of adding new names to your DNS-RBL. If you use rbldnsd, it's as easy as just "echoing" names onto the end of a text file.

By clever usage of the IP address associated with the name and the scoring rules it is possible to have different scores assigned to specific names. EG: if a name has the address 127.0.0.2 then give it a score of +2, if 127.0.0.4 then give it a score of 10. So if a host is a bit spammy then the 127.0.0.2 address will not outright black-list it but help score with other indications (EG Bayes, etc). Whereas if you give it a 127.0.0.4 then it's a one-shot kill.

I actually run two local RBLs, one for DNS/Hostnames and one for URI-RBL to hit specific URLs within messages.
Re: SpamSender with 2 @-signs in the address
On Mon, 3 Dec 2018, Grant Taylor wrote:
> On 12/03/2018 11:53 AM, Alan Hodgson wrote:
>> I've been watching these for a while, and unfortunately there are a lot of customer-service type systems that send From: addresses with quoted @domain addresses in them. Many of them do "user@address via" , but not all.
>
> Sorry, I was talking about the SMTP envelope. The unquoted part between angle brackets.

Are you talking about the SMTP-envelope From address or the 'Header' from addresses? It's possible to set those two different pieces of information to the same value but note that they are -not- the same attribute. Depending upon how your SA is glued into your mail system your SA may not even have any visibility into the SMTP-envelope From address.

Under ordinary circumstances you will not see the SMTP-envelope From address in an e-mail message. All the parts you see following that "From: " header element in a message are the 'Header' from.

[snip...]

>> So you will definitely get false positives just looking at @'s.
>
> I was talking about only counting the @ signs in the unquoted part between angle brackets. The in the following example.

That's the "from:addr" component of the header from address.
Re: Rule for a link with an numeric IP in body?
On Mon, 29 Oct 2018, Martin Gregorie wrote:
> On Mon, 2018-10-29 at 15:55 +0200, Anders Gustafsson wrote:
>> Is there such a rule already in 3.3.x? I would ideally want a version of that that adds to the spam score if it sees a x.x.x.x/unsubscribe link, possibly translated.
>
> [snip..]
>
>     describe MG_BARE_IP Bare IP in a URI
>     body     __MG_BAI0 /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
>     uri      __MG_BAI1 /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\w*/
>     meta     MG_BARE_IP (__MG_BAI0 || __MG_BAI1)
>     score    MG_BARE_IP 0.01
>
> Note that the bare IP - n.n.n.n - is NOT a URI and so must be a body text rule while the bare IP with a '/name' suffix is a URI and so is found by a URI rule. This is why I used two subrules joined by the meta-rule.
>
> Note that technical computing discussions may validly contain bare IPs, e.g. 127.0.0.1 is never a spam indication since it is the IP of 'localhost' and so its appearance is not a spam indication. There are other well-known IPs that are also not spam indications.

Not to mention all the other ways that dotted-number strings can be used; EG version numbers of software. I have libwmf installed on my machine and if I was discussing a programming issue with it I might mention that the RPM I have is: libwmf-0_2-7-0.2.8.4-lp150.2.6.x86_64
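As an added illustration of the false-positive problem discussed above (not code from the thread): the posted body regex run over constructed sample lines, beside a tightened variant that ignores dotted strings glued into package names and skips loopback/private ranges. The sample body lines and the 203.0.113.0/24 documentation address are constructed for this example.

```python
import ipaddress
import re

# The posted __MG_BAI0 body rule: any four dotted groups of 1-3 digits.
NAIVE_IP = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# Tightened variant (added here, not from the post): the candidate may not be
# glued to letters, digits, dots, hyphens or underscores on either side, which
# drops the "0.2.8.4" inside a package name like libwmf-0_2-7-0.2.8.4-lp150...
STRICT_IP = re.compile(r"(?<![\w.\-])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.\-])")

# Ranges the thread notes are never spam indicators on their own.
NOT_SUSPICIOUS = [ipaddress.IPv4Network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8",
)]


def naive_hits(text):
    """What the original body regex would flag."""
    return NAIVE_IP.findall(text)


def strict_hits(text):
    """Candidates that survive the context check and the address-range filter."""
    hits = []
    for m in STRICT_IP.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # e.g. 300.1.2.3: digits and dots, but not an address
        if any(ip in net for net in NOT_SUSPICIOUS):
            continue
        hits.append(str(ip))
    return hits


# Constructed sample body lines (203.0.113.0/24 is a documentation range).
SAMPLE_BODY = [
    "the RPM I have is libwmf-0_2-7-0.2.8.4-lp150.2.6.x86_64",
    "bind the test daemon to 127.0.0.1 only",
    "Click http://203.0.113.7/unsubscribe to stop these mailings",
    "we upgraded to release 4.15.0.32 last week",
]


def compare(lines=SAMPLE_BODY):
    """Per line: (naive matches, strict matches)."""
    return [(naive_hits(line), strict_hits(line)) for line in lines]


if __name__ == "__main__":
    for line, (naive, strict) in zip(SAMPLE_BODY, compare()):
        print(f"{line!r}\n  naive={naive} strict={strict}")
```

The last sample line shows the residual problem: a bare version string surrounded by spaces still looks exactly like an address, so a rule like this can only ever carry a tiny score or feed a meta.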
Re: Is fuzzyocr i.e. Image scanning
On Wed, 17 Oct 2018, Rupert Gallagher wrote:
> IC is an effort to dig a hole in the water, because the problem of image spam with obfuscated text cannot be solved by ocr. My approach is a "better safe than sorry" best practice that anyone can implement with existing software:
> 1. do not display inline the content of attachments and linked resources;
> 2. give high spam score (>=5) to any email with very low text to image ratio.

Your system, your rules, but it won't work for everybody.

We routinely receive messages from users needing help which contain 1~2 lines of text describing the issue (like: 'my computer crashed') and then a screen-shot taken with a cellphone camera (10~20 megapixel) which is 4~8 MB in size. Sometimes the text is only in the subject and the screen-shot is the only thing in the body.

I agree about not displaying inline attachments by default but that is a client configuration issue and we cannot control our users' clients.
Re: Non-ascii subjects with images
On Sat, 1 Sep 2018, David B Funk wrote:
> On Sat, 1 Sep 2018, Rupert Gallagher wrote:
>> This is a subject line: Re: Habemus APP LG 😉
>
> Do you understand that is not an image (EG jpg, png, or tiff) but a UTF-8 code point ("emoji" character) glyph. We cannot tell because you haven't provided us with an actual message but I'm going to guess that subject line was represented in Base-64 encoded UTF-8 (IE raw message looked like:
>
>     Subject: =?utf-8?B?THVjayBvZiB0aGUgUmlkZSDwn42A?=
>
> ).

I just thought of another possibility, rather than Base-64 they could use quoted-printable encoding. EG:

    Subject: =?UTF-8?Q?Re=3A_Habemus_APP_LG_=F0=9F=98=89?=

Either way that's still not an "image" but a single UTF-8 glyph. Given that there are over a million UTF-8 glyphs, do you really want to go to the trouble of trying to pick on a particular small subset of them? Are you saying that there's a particular emoji (UTF-8 glyph) which is a strong spam indicator? If so you could write a specific pattern match rule for it or feed it to bayes and let bayes do the heavy lifting.
Re: Non-ascii subjects with images
On Sat, 1 Sep 2018, Rupert Gallagher wrote:
> This is a subject line: Re: Habemus APP LG 😉

Do you understand that is not an image (EG jpg, png, or tiff) but a UTF-8 code point ("emoji" character) glyph. We cannot tell because you haven't provided us with an actual message but I'm going to guess that subject line was represented in Base-64 encoded UTF-8 (IE raw message looked like:

    Subject: =?utf-8?B?THVjayBvZiB0aGUgUmlkZSDwn42A?=

).

Given internationalization these days, we see an increasing amount of =?utf-8?B? stuff in subject lines in legitimate messages, even if they aren't using emojis. So if you're going to create a rule to fire against just that it will have a lot of FPs, unless you just want it to use in METAs. On the other hand, if you want to decode the subject line and then pattern-match against all the possible UTF-8 emojis, you're going to end up with a rather unwieldy rule.

End of the day, what's the point? Lots of people put emojis in their communications.
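An added example (not from either post) that decodes the two encoded Subject lines shown above with the standard library, then separates "the subject is RFC 2047 encoded" from "the subject actually contains an emoji", which is the distinction both replies draw. The third, non-emoji encoded subject ("Änderung") is constructed here to show the legitimate-international case.

```python
import unicodedata
from email.header import decode_header

# Raw header values: the B-encoded guess from the first post, the Q-encoded
# variant from the second, plus a constructed international subject with no
# emoji at all (German "Änderung") that is encoded the same way.
RAW_SUBJECTS = {
    "b64": "=?utf-8?B?THVjayBvZiB0aGUgUmlkZSDwn42A?=",
    "qp": "=?UTF-8?Q?Re=3A_Habemus_APP_LG_=F0=9F=98=89?=",
    "plain_intl": "=?utf-8?B?w4RuZGVydW5n?=",
}


def decode_subject(raw):
    """Decode RFC 2047 encoded-words (B or Q) into one Unicode string."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def was_encoded(raw):
    """True if at least one encoded-word (=?charset?B|Q?...?=) was present."""
    return any(charset is not None for _, charset in decode_header(raw))


def emoji_codepoints(text):
    """Pictographic code points: above the BMP and in category 'So' (Symbol, other)."""
    return [f"U+{ord(c):04X}" for c in text
            if ord(c) > 0xFFFF and unicodedata.category(c) == "So"]


def classify(raw):
    """Return (decoded subject, was RFC 2047 encoded, emoji code points found)."""
    decoded = decode_subject(raw)
    return decoded, was_encoded(raw), emoji_codepoints(decoded)


if __name__ == "__main__":
    for label, raw in RAW_SUBJECTS.items():
        print(label, classify(raw))
```

Only the third element is a usable signal for a targeted rule; the second fires on every non-ASCII subject, exactly the FP source the second reply warns about.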
Re: Best practice for learning submissions
On Mon, 23 Jul 2018, Nick Bright wrote:
> On 7/23/2018 7:55 PM, Reindl Harald wrote:
>> and even if - what's the point to store the surrounding messages in the corpus which you should keep forever if you need rebuild from scratch later? what is the problem you try to solve and why can't you just store the attachment instead the whole mail containing it?
>
> The problem I'm trying to solve is "how to implement a training system on my server". I suppose i could de-encapsulate an attachment with a script, before feeding it to sa-learn?

If your mail-box server is imap, has public folders capability and you have access to the back-end storage (EG Dovecot) then you could implement a report-spam folder submission system. EG your users drop spam messages into the report-spam folder and your script runs on the back-side, extracting the messages, feeding them to "spamc -l" and then moving them into a "report-done" folder for archival purposes.

That or you have to glue together some kind of de-mimifying scripts inside procmail to feed 'spamc -l' and hope that your users use some predictable kind of mime labeling so you can automate the unwrapping process. (good luck).

Either way you are at the mercy of your users to make valid judgments about whether a particular message is actual spam (and not just some marketing/newsletter thing they signed up for and then forgot).
Re: Help with own RBL
On Mon, 23 Jul 2018, Pedro David Marco wrote:
> Not exactly a SA question but... i am planning to run my own RBL with a nameserver, that when queried for an IP that is not in its database, does some calculations with that IP and replies accordingly (caching the results)... Please, does anyone know of any nameserver that can do that? To my knowledge RBLDNSD cannot do it... Thanks in advance!

What kind of 'calculations with that IP'? Is it dynamic factored with some kind of external coefficients or is it a more static mapping?

If the latter you may be able to use something like RBLDNSD. With RBLDNSD you can define overlapping zones and it will pick the most specific one. EG:

    0.0.0/0       == some default value
    41.0.0.0/8    == some other value
    41.23.0.0/16  == yet another value
    etc...

Put your coding into a map generator, then push the results into RBLDNSD. It can handle 10^5+ entries with no sweat.
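An added model (not rbldnsd's code, and not its zone-file syntax) of the two ideas from this reply and from the "Spamassassin using remote rules definition source?" reply above: overlapping networks where the most specific listing wins, and a 127.0.0.x answer that selects a score tier. The listing table, the 41.23.9.0/24 carve-out, the zone name rbl.example and the per-code scores are all constructed for the example.

```python
import ipaddress

# Constructed listing table: overlapping networks, most specific match wins,
# and the returned 127.0.0.x code picks a score tier (None = not listed).
LISTINGS = {
    "0.0.0.0/0":    None,         # default: not listed
    "41.0.0.0/8":   "127.0.0.2",  # "a bit spammy": a couple of points
    "41.23.0.0/16": "127.0.0.4",  # "one-shot kill"
    "41.23.9.0/24": None,         # constructed carve-out: a trusted subnet inside the /16
}

# Longest prefix first, so the first containing network is the most specific one.
NETWORKS = sorted(((ipaddress.IPv4Network(k), v) for k, v in LISTINGS.items()),
                  key=lambda kv: kv[0].prefixlen, reverse=True)

# Points that scoring rules keyed on each answer would add (constructed values).
SCORE_FOR_CODE = {"127.0.0.2": 2.0, "127.0.0.4": 10.0}


def query_name(ip_str, zone="rbl.example"):
    """Octet-reversed DNSBL query name a client would look up for ip_str."""
    return ".".join(reversed(ip_str.split("."))) + "." + zone


def lookup(ip_str):
    """Answer a most-specific-match zone would give: a 127.0.0.x code, or None (no record)."""
    ip = ipaddress.IPv4Address(ip_str)
    for net, code in NETWORKS:
        if ip in net:
            return code
    return None


def score(ip_str):
    """Points the constructed scoring rules would add for this sender."""
    return SCORE_FOR_CODE.get(lookup(ip_str), 0.0)


if __name__ == "__main__":
    for ip in ("41.5.5.5", "41.23.1.1", "41.23.9.7", "198.51.100.9"):
        print(f"{query_name(ip):30} -> {lookup(ip)!s:10} score {score(ip)}")
```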
Re: Line too long [rfc 2822, section 2.1.1]
On Fri, 13 Jul 2018, Rupert Gallagher wrote:
> A little survey on your local policies... What do you do when a subject line is longer than 78 characters?
> A. Reject
> B. Accept as spam
> C. Accept

That clause for 78 chars is a "SHOULD", the "MUST" is for 998 chars. It then also says:

    Again, even though this limitation is put on messages, it is encumbant upon implementations which display messages to handle an arbitrarily large number of characters in a line (certainly at least up to the 998 character limit) for the sake of robustness.

I've regularly seen "important" messages with subjects over 500 chars (ones that our users complain about if not delivered normally). So subject length > 78 is not a hard spam sign.
Re: Whitelisting envelope-from
On Fri, 1 Jun 2018, Martin Gregorie wrote:
> On Fri, 2018-06-01 at 15:37 -0400, Alex wrote:
>> Hi, I have an email with an address as follows that I'd like to whitelist:
>> X-Envelope-From:
>> Using whitelist_auth doesn't appear to work:
>>     whitelist_auth FredSavage*@cmail19.com
>
> Try
>     whitelist_auth FredSavage.*@cmail19.com
>                              ^
> You used UNIX shell notation where '*' represents any number of chars. In Perl regexes '*' repeats the previous pattern element - in this case 'e'.
>
> Martin

Martin what you say is true for general perl code but the 'whitelist' stuff explicitly does -NOT- use perl regexes. If you read the Mail::SpamAssassin::Conf docs for that stuff you'll see:

    Whitelist and blacklist addresses are now file-glob-style patterns, so "fri...@somewhere.com", "*@isp.com", or "*.domain.net" will all work. Specifically, "*" and "?" are allowed, but all other metacharacters are not. Regular expressions are not used for security reasons. Matching is case-insensitive.

If the whitelist_auth does not work it may be the case that the necessary 'auth' stuff (either SPF or DKIM) isn't working for that particular address. Save a copy of one of those messages and run it thru "spamassassin -D" to see the debugging report on that process.
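An added model (not SpamAssassin's own code) of the file-glob matching the quoted documentation describes, so the two patterns from this thread can be compared against constructed addresses: only "*" and "?" are wildcards, a "." is literal, and the comparison is case-insensitive over the whole address.

```python
import re


def whitelist_pattern_to_regex(pattern):
    """Model of SA whitelist_*/blacklist_* address patterns (not SA's code):
    '*' = any run of characters, '?' = exactly one character, everything
    else literal; anchored to the whole address; case-insensitive."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))  # '.', '+', '(' ... are literal here
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def address_matches(pattern, address):
    return whitelist_pattern_to_regex(pattern).match(address) is not None


def first_matching(patterns, address):
    """Which listed pattern would catch this address, if any."""
    for pattern in patterns:
        if address_matches(pattern, address):
            return pattern
    return None


# The two patterns from the thread plus the examples quoted from the docs.
PATTERNS = [
    "FredSavage*@cmail19.com",
    "FredSavage.*@cmail19.com",
    "*@isp.com",
    "*.domain.net",
]

# Constructed addresses to exercise them.
SAMPLE_ADDRESSES = [
    "FredSavage.bounce-123@cmail19.com",   # both FredSavage patterns match
    "fredsavage@CMAIL19.COM",              # only the original '*' pattern matches
    "user@ispXcom",                        # '.' is literal, so '*@isp.com' must not match
    "user@mail.domain.net",
]

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:36} -> {first_matching(PATTERNS, addr)}")
```

So the original pattern was already right for the envelope address; if it still does not fire, the SPF/DKIM side of whitelist_auth is the place to look, as the reply says.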
Re: Invoice phish
On Tue, 15 May 2018, Alex wrote:
> Hi,
> [snip..]
>> Train bayes, look for custom URIBL lists that might hit that powned website.
>
> The IP (216.32.180.23) is listed on sorbs, but that's it, and the domain (peabodyenergy.com) is not listed anywhere.

I wasn't referring to the site that was the source of the message but the website that was hosting that PHISH login page. (EG that "https://euphqobeofnetwork . com/example.survey/question/login.php")

I don't hold it against a company if one of their LLusers gets p0wned and used to send out spam/phishes. What I do hold accountable is if some website gets p0wned and then (ab)used to host phish pages. Who's to say that the next page the black-hats put up is a malware page?
Re: Invoice phish
On Tue, 15 May 2018, Alex wrote:
> Hi,
> We received another of those phishes as a result of a compromised O365 account.
> https://pastebin.com/raw/Fv5NKRAP
> Anyone able to take a look and provide ideas on how to block them? It passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PASS. It's missing headers, and I've written a rule to account for that, but it would be great to have some other input. Interestingly, it was passed through a mimecast system first. The amount of Outlook/O365/Exchange headers in this email is enormous!
> Thanks,
> Alex

For openers either totally lose the "RCVD_IN_HOSTKARMA_W" & "RCVD_IN_DNSWL_LOW" rules, or set their score to something minimal (EG -0.1 instead of that honking -2.5) or create a rule that detects the message being from O365 and meta it with RCVD_IN_HOSTKARMA_W to then add an offsetting score to nullify the damage from RCVD_IN_HOSTKARMA_W WRT O365. (Can we get the maintainers of RCVD_IN_HOSTKARMA_W to remove that contagion pit called O365 from their list of "good guy" sites?).

I've done a bit of all of the above so an incoming O365 message ends up with no "brownie points" at all, so it's only scored on the merits of its contents.

Then look for custom anti-phish rulesets. Your example hit a rule "RULEGEN_PHISH2" which was in a file 90_rulegen_phish.cf on my server. (I'm sorry I don't remember where I got that from).

Train bayes, look for custom URIBL lists that might hit that powned website.
Re: training bayes database
On Thu, 10 May 2018, John Hardin wrote:
> On Thu, 10 May 2018, Matthew Broadhead wrote:
>> On 09/05/18 20:43, David Jones wrote:
>>> On 05/09/2018 01:29 PM, Matthew Broadhead wrote:
>>>> On 09/05/18 16:37, Reindl Harald wrote:
>>>>> quoting URIBL_BLOCKED is a joke - setup a *recursion* *non-forwarding* nameserver, no dnsmasq or such crap http://uribl.com/refused.shtml with your setup you exceed *obviously* rate-limits and have most DNSBL/URIBL not working and so you can't expect useful results at all
>>>>>
>>>>>     X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
>>>>>         tests=[AM.WBL=-3, BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
>>>>>         MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
>>>>>         URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5]
>>>>>         autolearn=ham autolearn_force=no
>>>>
>>>> i followed the guidance at that url and it gave me
>>>>
>>>>     [root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
>>>>     2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 213.171.193.134]"
>>>>
>>>> i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup?
>>>
>>> Yes. Setup BIND, unbound, or pdns_recursor on your SA server that is not forwarding to another DNS server then set your /etc/resolv.conf or SA dns_server to 127.0.0.1. This will make your DNS queries isolated from your IP to stay under their daily limit. Keep in mind that if your SA box is behind NAT that is not dedicated to your server then other DNS queries could get combined with your shared public IP. This is not likely since others are not going to query RBL/URIBL servers but it's possible. If your SA server is directly on the Internet as an edge mail gateway then this won't be a problem.
>>
>> i already had bind handling my dns. i just had to add to /etc/named.conf
>>
>>     allow-query-cache {localhost; any;};
>>     recursion yes;
>
> Don't forget to *turn off forwarding*.
>
>> and to /etc/resolv.conf
>>
>>     nameserver 127.0.0.1

That is the most important point in this whole discussion. It doesn't matter (much) what DNS server/software you use so long as it supports recursive NON-FORWARDED queries. Caching is desirable but is only a secondary consideration VS the first point.

Security point; when you run a recursive server it is a potential DDOS risk, so protect it from being used/abused by untrusted clients. (best if it only listens on the loopback address, 127.*, or has strong ACL/access control support that is properly configured).
Re: Invoice phish
On Wed, 9 May 2018, Vincent Fox wrote:
> I see an interesting dichotomy. Students are on Google, fac/staff on O365 now. Guess which group is phished most often? If you said students, bzzzt. It's the O365 users, by a large margin. Faculty and staff should be best trained. Also protected by "Advanced Threat Protection".

Our university drank the Microsoft Kool-Aid completely and threw everybody into the O-365 ocean. (except for us already entrenched hold-outs ;). We've seen a major up-tick of phished O-365 accounts of all flavors (faculty, staff, students). I attribute it to several factors:

1) phish attacks have become increasingly sophisticated (quality of duplicating 'sign in' sites, looking at institutional service announcements so they can craft credible deceptive scenarios, etc).
2) the 'Outlook' mail client hides technical details of messages and makes it hard to determine the validity of a message.
3) O-365/Exchange has a "Big Brother" attitude to RFC mail info, it wants to 'bowdlerize' those ugly messages and replace them with simplistic, soothing verbiage to not confuse the end users.
4) Less technical sophistication of the server side filtering VS google.
Re: Just to lighten your day?
On Wed, 2 May 2018, John Hardin wrote:
> On Wed, 2 May 2018, David Jones wrote:
>> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>>> One slipped through, with this subtle sig line (thought it might brighten someone's day . . . )
>>> "Note: Failure to Verify will lead to final termination of your email account. Technical Team Email Administrator All Right Reversed 2018.(c)"
>>
>> Please post the full email, with all headers, minimally redacted to pastebin.com and send us a link.
>
> You need your humor detector recalibrated.

His humor detector caught that one. He didn't say if it caught the one in the body of the message: "will lead to final termination of your email"

The first three terminations weren't good enough, so we're going to do it one more time. And if -that- one doesn't do it, we'll proceed to the final ultimate termination...
Re: Just to lighten your day?
On Wed, 2 May 2018, Joe Acquisto-j4 wrote:
> On 5/2/2018 at 2:57 PM, in message <0e5889ab-b61a-36ba-6b28-549f2c365...@ena.com>, David Jones wrote:
>> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>>> One slipped through, with this subtle sig line (thought it might brighten someone's day . . . )
>>> "Note: Failure to Verify will lead to final termination of your email account. Technical Team Email Administrator All Right Reversed 2018.(c)"
>>
>> Please post the full email, with all headers, minimally redacted to pastebin.com and send us a link.
>> --
>> David Jones
>
> It's been a while, but I think I did it properly: https://pastebin.com/Sw8R0QPe

Do you have the DecodeShortURLs plugin installed in your SA? The target of that tinyurl.com is listed in URIBLs and SA will fire on it if you have DecodeShortURLs functional. For that message I get:

    X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on s-l107.engr.uiowa.edu

    Content analysis details:   (8.1 points, 6.0 required, autolearn=no)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.0 HAS_SHORT_URL          Message contains one or more shortened URLs
     2.5 SEM_FRESH              Contains a domain registered less than 5 days ago
                                [URIs: erumsadet.info]
    -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
                                [40.92.2.16 listed in list.dnswl.org]
     0.1 L_BANK_PHISH3          BODY: Possible bank phish
     0.3 L_UI_PHISHb3           BODY: possible email acct phish
     0.0 T__BOTNET_NOTRUST      Message has no trusted relays
     0.9 FORGED_HOTMAIL_RCVD2   hotmail.com 'From' address, but no 'Received:'
     0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                                [botnet_ipinhosntame,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
     0.0 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
                                [40.92.2.16 listed in hostkarma.junkemailfilter.com]
     0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                                [URIs: erumsadet.info]
     0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
                                [botnet_serverwords,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
     0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
     0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                                (jln4deafkids[at]hotmail.com)
     0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                                [score: 0.5000]
     0.0 HTML_MESSAGE           BODY: HTML included in message
    -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
    -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
     0.6 SARE_HTML_COLOR_B      RAW: BAD STYLE: color: too light (rgb(n))
     0.0 T__KAM_SHORT           KAM URL shortner fired
     0.8 KAM_INFOUSMEBIZ        Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware
     0.0 T__FROM_OUTLOOK        From microsoft outlook/hotmail servers
     0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
     0.0 T__RECEIVED_2          More than one untrusted relay
     0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
     0.2 L_FROM_OUTLOOK         From microsoft outlook/hotmail servers
Re: Dropping mail
On Fri, 27 Apr 2018, Dianne Skoll wrote:
> On Fri, 27 Apr 2018 14:39:43 -0500 (CDT) David B Funk wrote:
> [snip]
>> Define two classes of recipients:
>>     class A == all users who want everything
>>     class B == all users who want "standard" filtering
>
> This works if you have a limited number of classes, but in some cases users can make their own rules and settings so the number of classes can be the same as the number of RCPTs.
>
> Even in the two-class case, there's still a delay for the subsequent class(es).

If you have that many different classes of recipients, just set the number of allowed recipients/transaction to one and be done with it.

The delay is entirely up to the sending side, they could immediately retry the subsequent recipients.

I was just trying to suggest a solution to your conundrum that didn't require you to drop messages. I didn't say it was optimal, just avoiding the loss of messages.
Re: regexp dealing with display name don't work
On Fri, 27 Apr 2018, Joëlle Pfeffer wrote:
> I have progressed. If my rule is
>     header REGLE_HF002 From:name =~ /@A/i
> e-mails containing From: @A or From: "@AB" or From: "@Ab" are not blocked
> but if my rule is
>     header REGLE_HF002 From:name =~ /@.b/i
> e-mails containing From: "@Ab" or From: "@ABc" < jopfef...@free.fr > are blocked
> [snip..]

If you want to match a literal '@' in a SA regex you need to escape it. Try:

    header REGLE_HF002 From:name =~ /\@a/i

(note the trailing 'i' makes the regex be case-insensitive so /\@A/i doesn't make sense).
Re: Dropping mail
On Fri, 27 Apr 2018, Dianne Skoll wrote:
> Hi,
>
> I have reluctantly come to the conclusion that in some cases, it is necessary to silently drop spam rather than reject it. This is the situation:
>
> An email comes in for two recipients in one SMTP transaction (ie, a MAIL, two RCPTs and then DATA). One recipient's rules say to accept. The other recipient's say to reject.
>
> You can't reject post-DATA because then it looks like both recipients received the mail.
>
> You can accept and create a failure message for one recipient, but then you risk generating backscatter.
>
> You can tempfail all but the first RCPT to force the message to be split up into individual messages per recipient, allowing you to accept or reject individually. But this will delay mail and possibly cause it not to be delivered if there are many recipients and the sending relay is impatient.
>
> So I reluctantly conclude that in all but the smallest of installations, dropping the mail for the recipient whose rules say to do so is the best thing to do.
>
> There have been SMTP extensions proposed to combat this. I recall an extension that had you issue RCPTs until one of the RCPTs was accepted, then DATA, then additional RCPTs with a "also send the foregoing to this one" keyword so you could have per-recipient data filtering, but of course spammers could not be obliged to use the extension. :(

One possible way to deal with this situation (which would require some additional complexity on the server and require good behavior on the senders) is:

Define two classes of recipients:
    class A == all users who want everything
    class B == all users who want "standard" filtering

At 'RCPT' phase of the SMTP transaction note if the first valid recipient is class "A" or class "B", set a flag to remember it.

For each subsequent valid recipient see if their class is the same as the first recipient. If not then return a "452 Too many recipients" reply code for that one and all subsequent valid recipients.

Ideally the sender should then move on to the DATA phase, complete the processing for the first batch of recipients, and then try again for the remainder. If all goes well, this should split up the different classes of recipients into separate SMTP transactions allowing for appropriate processing without loss.

Your classifications can be expanded upon to meet your site requirements but the processing logic should be the same.
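An added simulation (not code from the post) of the RCPT-phase logic proposed above, with both sides of the exchange: the server answers 250, 452 or 550 per recipient following the "that one and all subsequent valid recipients" rule literally, and a well-behaved sender retries the 452'd recipients in fresh transactions. The user directory, addresses and enhanced status codes are constructed for the example.

```python
# Constructed user directory: address -> filtering class, as in the post
# (class A wants everything, class B wants "standard" filtering).
DIRECTORY = {
    "alice@example.org": "A",
    "dave@example.org":  "A",
    "bob@example.org":   "B",
    "carol@example.org": "B",
}


class RcptPhase:
    """RCPT-phase state for one SMTP transaction, following the post's rule:
    remember the class of the first valid recipient; once a recipient of a
    different class shows up, answer 452 to it and to every later valid one."""

    def __init__(self, directory=DIRECTORY):
        self.directory = directory
        self.first_class = None
        self.deferring = False
        self.accepted = []
        self.deferred = []

    def rcpt_to(self, address):
        """Return the SMTP reply the server would send for RCPT TO:<address>."""
        cls = self.directory.get(address.lower())
        if cls is None:
            return "550 5.1.1 User unknown"
        if self.first_class is None:
            self.first_class = cls
        if self.deferring or cls != self.first_class:
            self.deferring = True
            self.deferred.append(address)
            return "452 4.5.3 Too many recipients"
        self.accepted.append(address)
        return "250 2.1.5 OK"


def rcpt_transcript(recipients, directory=DIRECTORY):
    """One transaction's RCPT exchange as (address, reply) pairs."""
    phase = RcptPhase(directory)
    return [(addr, phase.rcpt_to(addr)) for addr in recipients]


def deliver_all(recipients, directory=DIRECTORY):
    """Simulate a well-behaved sender: DATA goes to the accepted set, then the
    452'd recipients are retried in a fresh transaction until none remain.
    Returns the per-transaction recipient batches."""
    batches = []
    pending = list(recipients)
    while pending:
        phase = RcptPhase(directory)
        for addr in pending:
            phase.rcpt_to(addr)
        if not phase.accepted:      # only unknown users left: nothing more to send
            break
        batches.append(phase.accepted)
        pending = phase.deferred
    return batches


if __name__ == "__main__":
    order = ["alice@example.org", "bob@example.org", "dave@example.org", "eve@example.org"]
    for addr, reply in rcpt_transcript(order):
        print(f"C: RCPT TO:<{addr}>\nS: {reply}")
    print("batches:", deliver_all(order))
```

Because the literal rule defers everything after the first mismatch, recipient order decides how many transactions result: A,A,B,B splits into two, while A,B,A,B takes four; grouping later same-class recipients with the first batch is the obvious refinement.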
Re: dropping other's email(s) as a "best practice" for hosted email? (was: "anyone recognize these headers? ...")
On Fri, 27 Apr 2018, Matus UHLAR - fantomas wrote:

> On 26.04.18 13:41, L A Walsh wrote:
>> To my way of thinking, dropping someone else's email, telling the sender the email is being rejected for having spam-like characteristics and telling the recipient nothing seems like it might have legal liability for the user potentially missing vital email.
>
> Refusing to take a mail is not dropping. No one is required by any means to accept anything because there may be many reasons a mail can't be accepted.

The place where dropping is a risk is if the next-to-last hop is Dain Bramaged and doesn't handle SMTP rejects properly. But that isn't your server's fault, it's the poor service the sender's using. (unfortunately the sender may not know of that bad link in their chain).

Also it's entirely possible that the NtLH server may strip off useful info from the SMTP reject message and leave the poor sender wondering what went wrong. (I'm looking at you MS Exchange).

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: anyone recognize these headers? From SA or are they from another spam product?
On Tue, 24 Apr 2018, L A Walsh wrote:

> These headers (not these values) are in most or all of my emails. In one email on the net they were adjacent to SA's headers (but they aren't in my emails). I was wondering if anyone knew what product might be inserting these headers:
>
> X-CSC: 0
> X-CHA: v=1.1 cv=6jkfEoj2u7Yj9etNrzOg8LH7MfGxzbc6Xn0EJkmycus= c=1 sm=1 a=nDghuxUhq_wA:10 a=CxQU8S3nryls5r8B3V4N1Q==:17 a=3Y9Ew-73vc-33Fzs_NIA:9 a=wPNLvfGTeEIA:10 a=z11Dn8fxQD8A:10 a=Pmo6RyrIMpYA:10 a=zoqau9DHoPcA:10 a=zE7RolXeqPMA:10 a=CxQU8S3nryls5r8B3V4N1Q==:117
> X-CTCH-Spam: Unknown
> X-CTCH-RefID: str=0001.0A020207.521CE122.0254,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
> X-WHL: SLR
>
> I don't know if it is related, but some evidence of scanning by something called 'ironport', as well as by Symantec.
>
> I'm trying to track down what is scanning my email at an upstream mail host as they've rejected random emails on initial rcpt of the msg -- without accepting the message and bouncing it, but just not accepting it with the message:
>
> User and password not set, continuing without authentication.
> 64.29.145.41 failed after I sent the message.
> Remote host said: 550 5.7.1 vB73jgO3003858 This message has been blocked for containing SPAM-like characteristics.
>
> What email SW censors things by rejecting them before accepting them?

Um that should be: "What email SW censors things by rejecting them -INSTEAD- of accepting them?" (rejecting and accepting are mutually exclusive)

Most email SW rejects messages it cannot/does-not want to deliver; EG: rejecting messages addressed to invalid or no-longer present users, rejecting messages that violate some policy limits (EG an overly-large message). Best practice recommends this behavior. Far better to not even let in the front door things you're not going to be able to deliver on the back side. So it's not unusual to find anti-virus/anti-spam filtering systems that SMTP reject unwanted messages.

Bottom line, you need to talk to your ISP/MSP to find out who's running the filtering system and what their parameters are.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Can't Get Removed From List
On Thu, 1 Mar 2018, John Hardin wrote:

> A bunch of Javascript to display a *single image*? And it doesn't display *any content at all* if javascript is disabled for that site?
>
> That's what I hate about the web these days, there's too much crap surrounding the useful content.

"too much -vulnerable- crap" ... it's one thing if the javascript is coming from the base site, but these days it often is coming from a bunch of cloud based aggregation servers that could be full of who-knows-what. Can you say AWS Bucket-brigade?

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)
On Sun, 25 Feb 2018, LeandroCarlosRodrigues wrote:

> Amir Caspi wrote
>> On that note -- regardless of what OTHER HW/SW solutions might do, since this is a SpamAssassin mailing list ... is there any facility to implement this in SA? That is, when calling the URIBL plugin, could it check both the shortened URL and the expanded URL (for known shorteners) ? Does that facility already exist and I missed it?
>
> Hi Guys!
>
> We provide a URIBL that already has a script in Perl to expand redirections until no more redirections:
>
> [snip..]

Just be careful how you do that "expand redirections until no more redirections" or you may get caught in a spammer trap. If you're going thru a professional redirect site like goo.gl or bit.ly you're probably pretty safe but if it's a dedicated spammer site beware.

I was testing some redirection expansions on URLs from spam and found a site that clearly had been crafted to foil this kind of thing. It was in one of those "check this out" spams which contains one line of greeting and then a URL. When I grabbed it using curl it returned a 301 redirect, so I grabbed that target, which led to another 301, lather-rinse-repeat ad nauseam. However if you used a browser it went to the target "burn fat pills" site in just two redirects.

So my bet is that the spammers are crafty enough to check things like browser referrer, cookies, etc to detect/differentiate a browser vs a link-checker.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
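The failure mode described above (a link-checker that keeps following 301s forever) is what a redirect expander has to defend against, and the thing Amir asked for is the list of hosts seen along the way so each can be looked up. The Python below is an added example, not the URIBL operator's Perl script or SpamAssassin code: it takes an injected `fetch` callable and stops on a hop limit or a repeated URL. The fake web, its hostnames and responses are constructed so it runs offline.

```python
# Added example (not from the thread): a bounded redirect expander for URI checking.
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def expand_redirects(url, fetch, max_hops=5):
    """Follow redirects through an injected fetch(url) -> (status, location) callable.

    Stops when the response is not a redirect ("resolved"), when a URL repeats
    ("loop"), or after max_hops redirects ("hop_limit"). The last two are what a
    trap site produces, and the checker must give up rather than keep following.
    Always returns the chain walked so far so every host on it can be looked up."""
    chain = []
    current = url
    for _ in range(max_hops + 1):
        if current in chain:
            return {"outcome": "loop", "final": current, "chain": chain}
        chain.append(current)
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return {"outcome": "resolved", "final": current, "chain": chain}
        current = urljoin(current, location)        # Location may be relative
    return {"outcome": "hop_limit", "final": current, "chain": chain}


def hosts_to_check(result):
    """Every hostname seen on the way, shortener included, in first-seen order.
    This is what a URIBL lookup wants, whether or not expansion finished."""
    hosts = []
    for u in result["chain"] + [result["final"]]:
        h = urlparse(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts


# Constructed fake web (no network): a shortener that resolves in two hops, a
# two-URL loop, and a trap that always answers with one more 301.
FAKE_WEB = {
    "http://short.example/abc": (301, "http://track.example/r/1"),
    "http://track.example/r/1": (302, "/landing"),          # relative Location header
    "http://track.example/landing": (200, None),
    "http://loop.example/a": (301, "http://loop.example/b"),
    "http://loop.example/b": (301, "http://loop.example/a"),
}


def fake_fetch(url):
    """Stand-in for an HTTP HEAD/GET; returns (status, Location)."""
    if url.startswith("http://trap.example/"):
        n = int(url.rsplit("/", 1)[1])
        return 301, f"http://trap.example/{n + 1}"
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://loop.example/a", "http://trap.example/0"):
        r = expand_redirects(start, fake_fetch)
        print(start, "->", r["outcome"], r["final"], hosts_to_check(r))
```

A real fetch would add a per-request timeout and a cap on response size; the point here is that the hop limit and the loop check are what keep a crafted chain from pinning the checker, and that the partial chain is still useful for lookups when expansion is cut short.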
Re: Bayes not auto-learning?
On Fri, 23 Fe 2018, Amir Caspi wrote:

> Hi all,
>
> So, I've been trying to tweak my setup and noticed that VERY few of my emails are being autolearned as spam, even when their spam threshold is far above the autolearn threshold. The threshold is set to 12; I just saw a spam with score >25 not being autolearned.
>
> Are there rules that prevent autolearning? If so, why? If a spam scores really high because it hits (let's say) 10 or more rules, but just one of those rules is enough to prevent autolearning, that seems overly restrictive, no?
>
> For example, for one of my users, out of about 650 spams received in the last month, only 10 have been autolearned. For another user, only 12 of nearly 1400. That seems like a very low percentage, and clearly some high-scoring spams are not being auto-learned.
>
> Any explanation is appreciated!
>
> Thanks!
>
> --- Amir

If you read the spamassassin documentation about Bayes auto-learning you will see that there are several conditions that must be satisfied.

For example, there are some types of rules which aren't considered at all when computing the auto-learning threshold score (such as white/black list scores or rules tagged with the noautolearn tflag or the actual Bayes score itself). Of the types of rules which are allowed, at least 3 of those points must come from header type rules and at least 3 of those points must come from body type rules.

So a spam can have 100 points from a blacklist and not auto-learn. It could have 20 points from a whole bunch of body rules but if it only hit 2 points via header rules it still will not auto-learn.

Another possible factor, if you have "bayes_auto_learn_on_error" enabled, then autolearn will be skipped if Bayes already agrees with the condition of the message. IE: if the message is already classified as BAYES_99 then it won't bother auto-learning it as yet another high-ranking spam.

What I usually see in auto-learned spam is that they hit a number of network RBL rules (spamhaus, SORBS, etc) and a number of body rules such as RAZOR, URIBLS, etc.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
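The conditions listed in the reply, written out as an added Python example (not SpamAssassin's own AutoLearnThreshold code): the per-rule kinds and tflags in the sample hit lists are assumptions made for the demo, and the excluded categories, the 3-point header and body minimums and the `bayes_auto_learn_on_error` short-circuit follow the reply as stated.

```python
# Added example (not SA code): reproduce the auto-learn eligibility rules the reply lists.

def autolearn_decision(hits, autolearn_threshold=12.0, min_header=3.0, min_body=3.0,
                       learn_on_error=False):
    """Decide whether a message may be auto-learned as spam.

    hits: list of (rule, score, kind, tflags) where kind is one of 'header',
    'body', 'whitelist', 'bayes' or 'other' and tflags is a set of strings.
    Returns (eligible, reason)."""
    header_pts = body_pts = counted = 0.0
    bayes_already_spam = False
    for rule, score, kind, tflags in hits:
        if kind == "bayes":                        # the Bayes score itself never counts
            bayes_already_spam = bayes_already_spam or rule in ("BAYES_99", "BAYES_999")
            continue
        if kind == "whitelist" or "noautolearn" in tflags:
            continue                               # white/black lists and noautolearn rules are ignored
        counted += score
        if kind == "header":
            header_pts += score
        elif kind == "body":
            body_pts += score
    if counted < autolearn_threshold:
        return False, f"{counted:.1f} countable points below threshold {autolearn_threshold}"
    if header_pts < min_header:
        return False, f"only {header_pts:.1f} points from header rules (need {min_header})"
    if body_pts < min_body:
        return False, f"only {body_pts:.1f} points from body rules (need {min_body})"
    if learn_on_error and bayes_already_spam:
        return False, "bayes_auto_learn_on_error: Bayes already calls it spam"
    return True, f"learn: {counted:.1f} points, header {header_pts:.1f}, body {body_pts:.1f}"


# Constructed hit lists; the kind assigned to each rule is an assumption for the demo.
BLACKLIST_ONLY = [("USER_IN_BLACKLIST", 100.0, "whitelist", set())]
BODY_HEAVY = [("RAZOR2_CHECK", 10.0, "body", set()),
              ("URIBL_BLACK", 10.0, "body", set()),
              ("RDNS_NONE", 2.0, "header", set())]
BALANCED = [("RCVD_IN_SBL_CSS", 3.3, "header", {"net"}),
            ("RCVD_IN_XBL", 3.0, "header", {"net"}),
            ("RCVD_IN_PSBL", 2.7, "header", {"net"}),
            ("RAZOR2_CHECK", 1.9, "body", {"net"}),
            ("URIBL_BLACK", 1.7, "body", {"net"}),
            ("URIBL_ABUSE_SURBL", 1.9, "body", {"net"}),
            ("BAYES_99", 3.5, "bayes", set())]

if __name__ == "__main__":
    for name, hits in (("blacklist only", BLACKLIST_ONLY), ("body heavy", BODY_HEAVY),
                       ("balanced", BALANCED)):
        print(name, autolearn_decision(hits))
    print("balanced, learn_on_error", autolearn_decision(BALANCED, learn_on_error=True))
```

The three sample lists map onto the reply's three cases: a huge blacklist score that does not count at all, 20 body points with only 2 header points, and the RBL-plus-body mix that does learn until `learn_on_error` notices Bayes already agrees.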
Re: Custom rule don't match without empty line before the string!
On Thu, 22 Feb 2018, RW wrote:

> On Thu, 22 Feb 2018 15:54:45 +0100 saqariden wrote:
>> Hello guys,
>>
>> I have the following SA rule which is supposed to block base64 encoded mails:
>
> This may be dangerous. If someone doesn't wish to use 8bit text then base64 encoding of UTF-8 is a sensible choice; QP is very inefficient unless the text is almost completely ASCII.
>
>> body EN_BASE64_B /(Content-Transfer-Encoding: base64\sContent-Type: text\/(plain|html); charset="?utf-8"?)|(Content-Type: text\/(plain|html); charset="?utf-8"?\sContent-Transfer-Encoding: base64)/i
>> describe EN_BASE64_B TEXT OR HTML B64 ENCODED
>> score EN_BASE64_B 5
>>
>> this is the mail that i want to stop:
>>
>> the rule doesn't match for this mail, but it matches when I have an empty line like this:
>>
>> ..
>>
>> How can I do to match both, with the empty line and without it?
>
> body rules check only the text that's visible in a mail client (including the subject text). This rule only works at all if you make the mime unparsable. For mime you need "full" instead of "body". You then need an explicit \n between lines.

I agree with RW about the risk of FPs from that approach, particularly if you have international correspondents.

However if you really want to do that, you need to use the "mimeheader" kind of rule. It works like a regular message 'header' type of rule but processes mime headers within the message contents.

For example, to catch messages with a particular mime attachment file name I have a rule:

mimeheader L_BANK_PHISH1 Content-Disposition =~ m!attachment; filename="[\w\s\d._-]{1,30}verification\.html?"$!i

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
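Why the body rule cannot fire and a mimeheader rule can, shown as an added Python example (not SpamAssassin code): the sample message is constructed, and the two regexes are the thread's patterns (the first alternative of `EN_BASE64_B`, and `L_BANK_PHISH1`) transcribed from Perl into Python syntax. `visible_body_text` approximates what a `body` rule sees (decoded, rendered text of the text parts) and `mimeheader_hits` what a `mimeheader` rule sees (the named header of every MIME part).

```python
# Added example (not SA code): body-rule view versus mimeheader-rule view of one message.
import email
import re
from email import policy
from email.message import EmailMessage


def build_sample():
    """Constructed message (not from the thread): a base64-encoded UTF-8 text part
    plus an HTML attachment whose file name ends in 'verification.html'."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Account notice"
    msg.set_content("Hello, please see the attached file.", charset="utf-8", cte="base64")
    msg.add_attachment("<html><body>stub</body></html>", subtype="html",
                       filename="account verification.html")
    return msg.as_bytes()


def visible_body_text(raw):
    """What a 'body' rule sees: the decoded text of the rendered text parts.
    MIME headers are not part of it, so a regex on 'Content-Transfer-Encoding'
    has nothing to match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text" and not part.is_attachment())


def mimeheader_hits(raw, header, pattern):
    """What a 'mimeheader' rule sees: the named header of every MIME part,
    top level included. Returns the matching raw header values."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    return [part[header] for part in msg.walk()
            if part[header] is not None and pattern.search(part[header])]


# The thread's patterns, transcribed to Python re syntax.
BODY_RULE = re.compile(
    r'Content-Transfer-Encoding: base64\sContent-Type: text/(plain|html); charset="?utf-8"?', re.I)
PHISH_RULE = re.compile(r'attachment; filename="[\w\s\d._-]{1,30}verification\.html?"$', re.I)
B64_RULE = re.compile(r"^base64$", re.I)

if __name__ == "__main__":
    raw = build_sample()
    print("body rule hit:", BODY_RULE.search(visible_body_text(raw)) is not None)
    print("base64 parts:", mimeheader_hits(raw, "Content-Transfer-Encoding", B64_RULE))
    print("L_BANK_PHISH1:", mimeheader_hits(raw, "Content-Disposition", PHISH_RULE))
```

The same sample shows RW's false-positive point: the base64 part is an ordinary UTF-8 greeting, so a mimeheader rule that keys on `Content-Transfer-Encoding: base64` alone would hit it just as readily as a spam.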
Re: catch today's PDF pillz spam
On Mon, 19 Feb 2018, Axb wrote:

> oooppps - missing a backslash
>
> mimeheader AXB_CTYPE_SPELLHERO Content-Type =~ /\bapplictaion\/pdf\b/
>
> On 02/19/2018 05:24 PM, Axb wrote:
>> catch today's PDF pillz spam
>>
>> mimeheader AXB_CTYPE_SPELLHERO Content-Type =~ /bapplictaion\/pdf\b/
>>
>> the typo is the trait ;)
>>
>> enjoy while it lasts

FYI: If you use an explicit pattern-match delimiter you can avoid the "leaning toothpicks" syndrome. (particularly relevant for URIs).

EG:

uri MY_URL_FILTER1 /\bhttp:\/\/this-is\.adomain\.com\/this\/is\/a\/path\b/
uri MY_URL_FILTER2 m!\bhttp://this-is\.adomain\.com/this/is/a/path\b!

Still need to escape those meta-chars (EG: \b) and explicit matches on dots, but otherwise makes it more readable.

I realise this wouldn't have helped you with your type-o, but it does make it easier to see at a glance.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: URIBL_BLOCKED
If you read that informational spamassassin wiki page referenced in that message you'd know that it has nothing to do with querying a Russian RBL. That Russian URI is what the query to URIBL was asking. So your use of URIBL (via spamassassin) hit a threshold and was blocked.

Read that spamassassin wiki page for more information.

On Tue, 13 Feb 2018, @lbutlr wrote:

> 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: cz-salda.ru]
>
> So, I’ve never heard of cz-salda.ru, is that the RBL that is blocking me? If so, where is it listed in SA’s configuration (FreeBSD 11.1-RELEASE)? (tried a `grep salda.ru /usr/local/etc/mail/spamassassin/*` for no results)
>
> Also, why would anything be checking a Russian RBL?
>
> Supposedly I can disable this with a line like
>
> Score RCVD_IN_ORBS 0
>
> But “ORBS” wouldn’t be right and there’s nothing in the text above to indicate what it might be.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset
On Tue, 6 Feb 2018, Kris Deugau wrote:

> Alex wrote:
>> These phishes we've received were all from otherwise trusted sources like salesforce, amazonses and sendgrid. These are examples that I believe were previously whitelisted because of having received a phish through these systems but have no been disabled.
>>
>> whitelist_auth *@bounce.mail.salesforce.com
>> whitelist_auth *@sendgrid.net
>> whitelist_auth *@*.mcdlv.net
>
> I've seen enough spam sent through all three - both by way of whole apparently spammer-owned accounts and cracked-but-otherwise-legitimate accounts - that I would never blanket-whitelist whole bulk email providers. Legitimate mail sent through them generally gets through anyway IME.

An alternative is to use "def_whitelist_auth" instead of "whitelist_auth"

That gives a -7.5 point bump to usually good sources which may occasionally get abused. That way if one of their accounts gets p0wned your anti-phish rules have a chance of pulling the junk into the spam-tagged range.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Scoring Issues
On Fri, 26 Jan 2018, John Hardin wrote:

> On Fri, 26 Jan 2018, b...@inter-control.com wrote:
>> Oh, here is the X-SPAM status from the command line:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on M1-2.dettenwanger.inter-control.com
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED, RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID, URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no autolearn_force=no version=3.4.0
>> MIME-Version: 1.0
>>
>> Bob
>
> RAZOR and URIBL hits. Is amavis perhaps configured to disable network tests?
>
>> On 1/26/18 2:48 PM, David Jones wrote:
>>> On 01/26/2018 02:39 PM, b...@inter-control.com wrote:
>>>> The headers that get through are usually along the lines of:
>>>>
>>>> X-Spam-Flag: NO
>>>> X-Spam-Score: -1.999
>>>> X-Spam-Level:
>>>> X-Spam-Status: No, score=-1.999 tagged_above=- required=5 tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no

Regardless, giving -1 score for SPF_PASS and another -1 for SPF_HELO_PASS is nontrivial DainBRamage. It's trivial for a spammer to set up SPF on a throw-away domain and thus waltz thru that kind of filtering. Who set up amavis with that kind of idiocy?

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: check utf-8 subjects/from?
On Wed, 13 Dec 2017, AJ Weber wrote:

> Is there an easy way to check if the Subject or From is UTF-8 -- or non-ASCII -- char set?
>
> I see in some of my recent spam, either the Subject or the From (sometimes both) starts with "=?UTF-8?" (in these cases the rest is Base64 encoded, but I don't want to qualify on that).
>
> If I check a header with a "header ... =~" regex rule, is it the raw text that I will check, or is it the decoded characters I will be checking against? If it's the raw text, I can probably just look for that prefix to indicate the UTF-8 encoding.
>
> I do get some legitimate emails with encoded chars and emojis, etc...but I think I'd like a rule to support it being SPAM in general.

As other people have said, the header ":raw" rule form will let you match on that.

There are two commonly used encoding methods for UTF-8:

Base64 "=?utf-8?B?"
Quoted-Printable "=?utf-8?Q?"

There's nothing that prevents a mailer from using either for purely 7-bit ASCII, even though it isn't necessary. You are more likely to see that used by international clients. They may just utf-8 encode by default so not to have to do special processing for non 7-bit ASCII headers.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
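The raw-versus-decoded distinction the question turns on, as an added Python example (not SpamAssassin code): `classify` reports what a `header ... :raw` rule would see (the encoded-word prefix), what a plain header rule would see (the decoded text), and whether the decoded text is actually non-ASCII, which is the difference between "international client that encodes everything" and "really non-ASCII". The sample header values are constructed.

```python
# Added example (not SA code): what a :raw header rule sees versus the decoded header.
import re
from email.header import decode_header

# The prefix a ':raw' rule could match; a decoded header never contains it.
RAW_UTF8_WORD = re.compile(r"=\?utf-8\?([bq])\?", re.I)


def raw_encodings(raw_value):
    """(charset, encoding) of every RFC 2047 encoded word in the raw header value."""
    return [(cs.lower(), enc.upper())
            for cs, enc in re.findall(r"=\?([^?]+)\?([bBqQ])\?", raw_value)]


def decoded_value(raw_value):
    """The decoded text, which is what a non-:raw header rule matches against."""
    out = []
    for chunk, charset in decode_header(raw_value):
        if isinstance(chunk, bytes):
            out.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            out.append(chunk)           # decode_header returns str when nothing was encoded
    return "".join(out)


def classify(raw_value):
    """Separate 'UTF-8 encoded but pure ASCII' from 'genuinely non-ASCII'."""
    text = decoded_value(raw_value)
    return {
        "raw_hits_utf8": RAW_UTF8_WORD.search(raw_value) is not None,
        "encodings": raw_encodings(raw_value),
        "decoded": text,
        "non_ascii": any(ord(c) > 127 for c in text),
    }


# Constructed sample Subject values.
SAMPLES = [
    "=?UTF-8?B?SGVsbG8gd29ybGQ=?=",     # base64, but the text is plain ASCII
    "=?UTF-8?Q?Caf=C3=A9_menu?=",      # quoted-printable, genuinely non-ASCII
    "Plain subject",                   # nothing encoded at all
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", classify(s))
```

A rule keyed only on the raw `=?UTF-8?` prefix fires on the first sample even though the subject is "Hello world"; checking the decoded text for non-ASCII characters is the narrower test if that is what the rule is meant to catch.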
Re: help with phishing email?
On Fri, 8 Dec 2017, John Hardin wrote:

> On Fri, 8 Dec 2017, AJ Weber wrote:
>> I'm trying to decide the best way to detect something like this.
>>
>> https://pastebin.com/hCX9MWNg
>
> That appears to be corrupt.

I downloaded it and ran it through my testbed and it wouldn't decode the body. Don't know if it was the pastebin, but the MIME headers were mangled. Fixing those (and removing the space at the beginning of the base64 lines) made it parse-able. It's clearly misleading spam, not sure where the phish is. (but then I didn't go thru their "survey").

There's a bunch of anomalous things about that message;
3 Message-ID: headers, one of which tries to look like from outlook.com
2 Reply-To: headers, one of which has a clearly bogus address:
3 Received: from relay167.mysmtp.mobi (relay167.mysmtp.mobi [93.90.117.141]) lines.
MIME-Version: 4.0
50 blank lines at the start of the message, borked HTML (mismatched tags, code after the closing , etc).

That "http://email dot turnaroundbaby dot be" site looks new & bogus, I just tossed it in my personal RBL list.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Whitelisting Sprint with no domain security
On Wed, 6 Dec 2017, Alex wrote:

> Hi,
>
> sprintpcs.com has no domain security and for some reason I can't whitelist them using whitelist_from_rcvd, or even whitelist_from just to make it even more simple. Can someone help me figure out what I'm doing wrong?
>
> Ideally I'd like to avoid whitelisting them, but many people using their cell phones to email pictures and otherwise empty messages and missing subject. This causes it to hit pyzor and others which makes an email with just an image marked as spam.
>
> What is TVD_SPACE_RATIO_MINFP? That appears to be a complex rule, but adds 2.5 points to a basic email with just an image attachment.
>
> https://pastebin.com/cYtygBY9
>
> I've tried:
>
> whitelist_from_rcvd *@pm.sprintpcs.com sprintpcs.com
>
> Ideas greatly appreciated.

Try to capture an example message as close to the version that gets fed to your SA as you can. (Your pastebin example has "Resent" stuff in it that I'm betting the original did not).

Take the capture file and feed it directly into SA with the debug flag set:

spamassassin -D < mail.eml > mail-out.txt 2>&1

examine the output file to see if you can find any clues from the debug stuff as to why SA didn't honor your whitelist_from_rcvd statement. (probably something like it doesn't trust the header/DNS stuff, or cannot find the envelope 'From' address).

whitelist_from_rcvd is a bit crufty but should work.

You can craft some rules (probably have to be meta) that detect cell phone messages and negate those annoying rules (EG: TVD_SPACE_RATIO_MINFP & TO_NO_BRKTS_HTML_IMG )

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Your header "To: undisclosed-recipients:;" is RFC 822 compliant
On Fri, 27 Oct 2017, A. Schulze wrote:

> On 27.10.2017 at 07:15, @lbutlr wrote:
>> RFC 822 is obsolete, replaced by RFC 2822.
>
> ... which is obsoleted by RFC 5322 and updated some other RFCs
> see https://tools.ietf.org/html/rfc5322

And it still explicitly says that construct is legal:

rfc5322:3.4
...
This is done by giving a display name for the group, followed by a colon, followed by a comma-separated list of any number of mailboxes (including zero and one), and ending with a semicolon. Because the list of mailboxes can be empty, using the group construct is also a simple way to communicate to recipients that the message was sent to one or more named sets of recipients, without actually providing the individual mailbox address for any of those recipients.

Anybody can block mail for any reason they want ("my server, my rules"). But if they claim to do so with RFC justification for this case, then they're playing in the realm of "Alternative Facts"

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Bank fraud phish
On Tue, 24 Oct 2017, Pedro David Marco wrote:

> Out of curiosity... "account is deactivated due to inactive," is this correct in english? shouldn't it be "inactivity"?

It isn't good English, but I've seen worse from official notices.

Now the fact that it claims to be a US financial company being served from a South African website with a cPanel SSL certificate which has a ONE MONTH life span is darned fishy.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Bank fraud phish
On Tue, 24 Oct 2017, Rupert Gallagher wrote:

> Easy one. The Message-ID is not well formed / RFC compliant. We reject such junk upfront.
>
> Sent from ProtonMail Mobile
>
> On Tue, Oct 24, 2017 at 8:32 PM, Alex wrote:
>> Hi all,
>>
>> I'm wondering if someone has some ideas to handle bank fraud phishing emails, and in particular this one:
>>
>> https://pastebin.com/wxFtKK16
>>
>> It doesn't hit bayes99 because we haven't seen one before, and txrep subtracts points. It also doesn't hit any blacklists.
>>
>> Ideas for blocking these, and more general advice for blocking banking fraud/phish attacks would be appreciated.

I'm sorry, what RFC does that message-id fail to comply with?

It's of the form : "Message-ID: "

Looks darned correct to me. It's a bit on the long side but I've seen worse and is still not too long. The fact that there's folded-whitespace in there is totally permissible as long as done correctly, which it looks like it is.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
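Three header questions raised in these messages lend themselves to one check: the duplicated Message-ID/Reply-To headers and `MIME-Version: 4.0` from the "help with phishing email?" reply, the `undisclosed-recipients:;` group syntax from the RFC 5322 thread, and the Message-ID grammar argued about here. The Python below is an added example (not SpamAssassin code and not a reproduction of the pastebin message): `message_id_is_well_formed` unfolds the value and applies the strict RFC 5322 `msg-id` grammar, `header_anomalies` counts singleton headers that appear more than once, and `group_recipients` uses the standard library's RFC 5322 address parser to show the empty group is valid. The sample message is constructed.

```python
# Added example (not SA code): structural header checks the thread's replies describe.
import re
from email import policy
from email.headerregistry import HeaderRegistry
from email.parser import BytesParser

# RFC 5322 msg-id: "<" dot-atom-text "@" (dot-atom-text / no-fold-literal) ">",
# optionally surrounded by CFWS, so folding whitespace around it is legal.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = rf"{ATEXT}(?:\.{ATEXT})*"
MSG_ID_RE = re.compile(rf"<{DOT_ATOM}@(?:{DOT_ATOM}|\[[^\[\]\\\r\n]*\])>")


def message_id_is_well_formed(value):
    """Unfold, drop surrounding whitespace, then apply the strict grammar.
    Obsolete syntax and comments are deliberately not accepted."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value).strip()
    return MSG_ID_RE.fullmatch(unfolded) is not None


def header_anomalies(raw):
    """Cheap structural findings: duplicated singleton headers, an undefined
    MIME-Version, malformed Message-IDs. Uses compat32 so values stay raw."""
    msg = BytesParser(policy=policy.compat32).parsebytes(raw)
    findings = []
    for name in ("Message-ID", "Reply-To", "From", "Date", "Subject"):
        n = len(msg.get_all(name, []))
        if n > 1:
            findings.append(f"{n} {name} headers (RFC 5322 allows at most one)")
    mime_version = msg.get("MIME-Version")
    if mime_version is not None and mime_version.strip() != "1.0":
        findings.append(f"MIME-Version {mime_version.strip()!r} (only 1.0 is defined)")
    for mid in msg.get_all("Message-ID", []):
        if not message_id_is_well_formed(mid):
            findings.append(f"malformed Message-ID {mid.strip()!r}")
    return findings


REGISTRY = HeaderRegistry()


def group_recipients(to_value):
    """Parse a To: value with the stdlib RFC 5322 parser; return
    (group display name, number of mailboxes) for its first group, or None
    when the value does not parse cleanly. A bare address comes back as a
    group with no name; 'undisclosed-recipients:;' is a named group with zero
    mailboxes, which the RFC text quoted above allows."""
    header = REGISTRY("To", to_value)
    if header.defects or not header.groups:
        return None
    group = header.groups[0]
    return group.display_name, len(group.addresses)


# Constructed sample carrying three of the anomalies listed in the thread.
SAMPLE = (b"Message-ID: <abc.123@example.com>\r\n"
          b"Message-ID: <xyz@outlook.com>\r\n"
          b"Reply-To: one@example.com\r\n"
          b"Reply-To: bogus@@example\r\n"
          b"MIME-Version: 4.0\r\n"
          b"From: sender@example.com\r\n"
          b"To: undisclosed-recipients:;\r\n"
          b"Subject: test\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for f in header_anomalies(SAMPLE):
        print("anomaly:", f)
    print(group_recipients("undisclosed-recipients:;"))
```

None of these findings is a spam verdict on its own; they are the kind of structural oddity a meta rule can combine with content hits, which is how the reply uses them.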
Re: OT - Hotmail/Outlook.com marking most of our email as Junk
On Wed, 20 Sep 2017, Rupert Gallagher wrote:

>> 10. The emails we send are operational and notices emails to customers - who need them. They call on the phone and complain they haven't received them - just to discover they were sent, but ended up in the junk.
>
> Tell them to send you a copy of the header, then look for clues in their anti-spam report.

Good luck with that. Have you ever seen the kind of stuff that M$ adds to Hotmail/Outlook.com/Office365 etc.. messages?

Then when you try to track down any info on how to interpret the dense pile of stuff in a 'x-forefront-antispam-report' header you run into this page:

https://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx

Note the paragraph:

After accessing the message header information, search for X-Forefront-Antispam-Report and then look for these fields. Other fields in this header are used exclusively by the Microsoft anti-spam team for diagnostic purposes.

IE, we're not tellin..

Having been in the same situation as the OP (Done the full Monty monkey dance, MX, DKIM, SPF, abuse@, etc) the only thing that I can say is it's all VouDoo.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: ISIPP - Re: bb.barracudacentral.org
On Tue, 19 Sep 2017, Chris wrote:

> On Wed, 2017-09-20 at 00:40 +0100, Martin Gregorie wrote:
>> On Tue, 2017-09-19 at 16:44 -0500, Chris wrote:
>>> Thanks Martin, here's what I get, it appears to not be running.
>>>
>>> sudo systemctl stop dnsmasq
>>> [sudo] password for chris:
>>> Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
>>
>> OK, that makes sense
>>
>>> sudo systemctl disable dnsmasq
>>> Failed to execute operation: No such file or directory
>>
>> That's interesting: I've never seen that before:
>>
>> [snip..]
>>
>> It would be interesting to know what 'systemctl status' shows on your system, though it's quite possible it looks similar to what 'systemctl disable' showed.
>>
>> I can only guess that your system is a transitional systemd setup, i.e. systemctl is used for service management but some services (dnsmasq for one) are still running under the old systemV init scripts. Fedora installations used to work that way for some services, but that was a few versions ago (F21 or 22 at the latest).
>>
>> Martin
>
> Hi Martin, here's what I see:
>
> sudo systemctl status dnsmasq
> [sudo] password for chris:
> ● dnsmasq.service
>    Loaded: not-found (Reason: No such file or directory)
>    Active: inactive (dead)
> chris@localhost:~$ sudo systemctl enable dnsmasq
> Failed to execute operation: No such file or directory
> chris@localhost:~$ sudo systemctl status dnsmasq
> ● dnsmasq.service
>    Loaded: not-found (Reason: No such file or directory)
>    Active: inactive (dead)
>
> I then installed dnsmasq (apparently it wasn't installed)
>
> Results are here - https://pastebin.com/MRR4NCMp

dnsmasq was already there (see your own previous posts) just not put there via the "apt" package management system. Thus "apt" didn't know about the rogue dnsmasq process, and it failed to start the newly installed one. (as the rogue dnsmasq process was already there, running, and bound to the DNS socket).

So now you have -two- dnsmasq kits, one installed by "apt" and managed thru the "systemctl" tools, and another one that somebody put there which is outside the realm of "apt" & "systemctl" (thus they don't know how to manage it).

You should really pick one method of installing/managing software and stick with it. This is similar to the mess you get when you mix CPAN with yum/yast/rpm/apt for installing Perl modules.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: In anyone else getting 325KB spams from cont...@cron-job.org?
On Thu, 14 Sep 2017, Dianne Skoll wrote:

> On Thu, 14 Sep 2017 11:27:27 -0700 "Loren Wilton" wrote:
>> Other than being obvious spam, they seem to be set up as though they were legitimate commercial mailing list stuff, often containing things like contact-id and the like in the links. Is anyone else seeing these?
>
> A small number. The cont...@cron-job.org address is only in the From: header; the envelope recipients look randomly-generated and sometimes from unrelated domains.
>
> Should be easy to block. Just block the cron-job.org domain.

Not to mention that the target URL "proffbuilder DOT com" is listed in several URIBLs.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: TxRep can't use SQLBasedAddrList factory module
On Tue, 15 Aug 2017, Christopher Engelhard wrote:

> On 08/14/2017 05:24 PM, Kevin A. McGrail wrote:
>> does mysql -u -p localhost spamdb work?
>
> Yes, that works. The user has INSERT, DELETE, UPDATE, SELECT privileges. Does it need CREATE? The table 'txrep' exists with columns username, email, ip, count, totscore, signedby. The Bayes-related tables reside in the same DB, and those can be accessed (though I've only tried it with amavis, not with pure spamd/spamc).
>
> christopher

I've not looked at the TxRep code but some kinds of SQL operations need to be able to create temporary tables.

I'd start by giving it all perms (excepting things like GRANT), see if it works, and then scale back the perms until you find the minimal necessary set.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
RE: Sender needs help with false positive
On Mon, 7 Aug 2017, Jacek Osuchowski wrote:

> This is an email I sent to IsNotSpam.com. They list the whole thing when testing for spam. I am getting a lot of complaints from our customers that our emails are not received. Our domain is not blacklisted anywhere so I suspect it is the spam filtering (as IsNotSpam tool indicates). Is there anything in the email we send that could trigger flagging as a spam.
>
> THANK YOU
>
> https://pastebin.com/J1cdCHAe

Try this experiment. Take that same message, add two paragraphs of text describing your business/organization to the end and DELETE that embedded image. Re-test and I'll bet that you get a passing score.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Sender needs help with false positive
On Mon, 7 Aug 2017, David Jones wrote:

> [snip..]
>
> This IP is listed on SORBS and Spamhaus ZEN which are going to cause problems with delivery to many receiving mail filters, not just SpamAssassin.
>
> http://multirbl.valli.org/lookup/68.192.71.191.html

That's his PC which is the MSA. As it's the first hop, it's not surprising it hits Zen PBL (it should, given a host name like ool-44c047bf.dyn.optonline.net). That shouldn't score against him except in broken SA installations.

His problem is the small amount of text that looks like a phish spam and the embedded image.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Sender needs help with false positive
On Mon, 7 Aug 2017, Alex wrote:

> Hi,
>
> On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
>> We use emails to allow users to reset their passwords to our website. We send very brief emails containing the reset password. Example between :
>>
>> Your password to access your account is: S]U3bC7k
>> Upon successful login you may change your password by going to Modify Account / Change Your Password.
>
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>
> You can't control their bayes training so there's nothing you can do here.

You -can- control the content of your message. I'm guessing that short password reset message doesn't have very many tokens, and the ones that it does have may be too close a match to things like password phish spams. (something that we train heavily on). Put more text in there that is related to your business/organization which will be unique and thus unlike other spammy message.

> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
>
> Are you sending these emails as an image or text? Do you have a text component to your message as well?

More to the point do you have an image attached/embedded in your message? If so, either drop it altogether or add a few Kbytes of text to balance it out.

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Results of Individual Tests on spamd "CHECK"
On Mon, 7 Aug 2017, Jerry Malcolm wrote:

> I'm invoking spamd using:
>
> CHECK SPAMC/1.2\r\n
>
> I'm getting the expected response such as:
>
> Spam: False ; -1.8 / 4.0
>
> I am trying to figure out how to get the TESTS= results of the individual tests returned as well. (e.g. tests=[AWL=-1.103, BAYES_00=-2.599, HTML_MESSAGE=0.001,URIBL_BLACK=1.955, URIBL_GREY=0.25])
>
> I see there's an option in spamc that appears to do that. But I can't figure out how to make that happen when I do a direct socket invoke of spamd. Can someone tell me what I need to add to the spamd call (and the syntax) in order to get the results of the individual tests returned as part of the status?
>
> Thanks,
>
> Jerry

Jerry, the spamd 'CHECK' command just returns the status+score, nothing else.
the spamd 'REPORT' command returns the status+score and report.

So replace 'CHECK' with 'REPORT' in your spamd call. Then be ready to read an arbitrary number of additional lines in the return connection. Note that it will not return any part of the original message. If you want to use any of the SA report features that add additional headers (such as the relays header) you will need to use a different spamd command: 'HEADERS'.

BTW, I cannot tell from your posting if you have one detail correct; you need the command, (and any additional optional arguments) then a blank line, then the message. EG:

REPORT SPAMC/1.2\r\n
User: joe-blow\r\n
\r\n

-- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
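The request framing and the response shapes described in the reply, as an added Python example (not spamc or spamd code): `build_spamd_request` produces the command line, headers, blank line and message in that order, and `parse_spamd_response` splits a reply into status line, headers and body, which is empty for CHECK and carries the report for REPORT. The sample response and the report table in it are constructed to look like spamd's default report template; they are not output captured from a real spamd.

```python
# Added example (not spamc/spamd code): framing a spamd request and reading the reply.
import re

SPAMD_COMMANDS = ("CHECK", "SYMBOLS", "REPORT", "REPORT_IFSPAM", "HEADERS",
                  "PROCESS", "SKIP", "PING", "TELL")


def build_spamd_request(command, message, user=None, protocol="SPAMC/1.2"):
    """Command line, optional headers, a blank line, then the message.
    Content-length tells spamd where the message ends on the socket."""
    if command not in SPAMD_COMMANDS:
        raise ValueError(f"unknown spamd command {command!r}")
    body = message if isinstance(message, bytes) else message.encode()
    lines = [f"{command} {protocol}", f"Content-length: {len(body)}"]
    if user:
        lines.append(f"User: {user}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


STATUS_RE = re.compile(rb"^SPAMD/(\S+) (\d+) (.+)$")
SPAM_RE = re.compile(r"^(True|False) ; (-?\d+(?:\.\d+)?) / (-?\d+(?:\.\d+)?)$")
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b", re.M)


def parse_spamd_response(data):
    """Split a reply into status line, headers and body and decode the Spam: verdict.
    CHECK replies stop after the headers; REPORT replies carry the report as body."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError(f"bad spamd status line {lines[0]!r}")
    result = {"protocol": m.group(1).decode(), "code": int(m.group(2)),
              "status": m.group(3).decode(), "headers": {},
              "body": body.decode(errors="replace")}
    for line in lines[1:]:
        name, _, value = line.decode(errors="replace").partition(":")
        result["headers"][name.strip().lower()] = value.strip()
    verdict = SPAM_RE.match(result["headers"].get("spam", ""))
    if verdict:
        result["is_spam"] = verdict.group(1) == "True"
        result["score"] = float(verdict.group(2))
        result["threshold"] = float(verdict.group(3))
    return result


def rules_from_report(report_text):
    """{rule: points} from the 'pts rule name description' table of a REPORT body."""
    return {name: float(pts) for pts, name in RULE_RE.findall(report_text)}


# Constructed REPORT reply in the shape of spamd's default report template.
SAMPLE_REPORT = (
    'Spam detection software, running on the system "mx.example.com",\n'
    "has identified this incoming email as possible spam.\n\n"
    "Content analysis details:   (23.0 points, 4.0 required)\n\n"
    " pts rule name              description\n"
    "---- ---------------------- ------------------------------------------\n"
    " 1.9 URIBL_BLACK            Contains an URL listed in the URIBL blacklist\n"
    " 1.3 RCVD_IN_SBL_CSS        Received via a relay in Spamhaus SBL-CSS\n"
    "-0.0 SPF_PASS               SPF: sender matches SPF record\n"
)
SAMPLE_REPORT_RESPONSE = (b"SPAMD/1.1 0 EX_OK\r\nSpam: True ; 23.0 / 4.0\r\n"
                          + f"Content-length: {len(SAMPLE_REPORT)}".encode()
                          + b"\r\n\r\n" + SAMPLE_REPORT.encode())
SAMPLE_CHECK_RESPONSE = b"SPAMD/1.1 0 EX_OK\r\nSpam: False ; -1.8 / 4.0\r\n\r\n"

if __name__ == "__main__":
    print(build_spamd_request("REPORT", b"Subject: hi\r\n\r\nbody\r\n", user="joe-blow"))
    r = parse_spamd_response(SAMPLE_REPORT_RESPONSE)
    print(r["is_spam"], r["score"], r["threshold"], rules_from_report(r["body"]))
```

Reading the reply over a socket works the same way: consume the status line and headers up to the blank line, then read the body until the peer closes the connection (or, when a Content-length header is present, that many bytes).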
Re: tflags
On Thu, 3 Aug 2017, Kris Deugau wrote:
> Ian Zimmerman wrote:
>> On 2017-08-03 10:38, sha...@shanew.net wrote:
>>> The most common ones that I make use of are "multiple" and "maxhits" in order to allow a rule to be scored for each time it hits, but to stop counting after some threshold. I also use the "net" tflag so that RBL checks only run when a net-based ruleset is loaded.
>>
>> Where is the concept of "ruleset" in general documented, and in particular what makes it "net-based"? Not in Mail::SpamAssassin::Conf.
>
> "Ruleset" is a somewhat fuzzy term that depends on context - it could refer to a single rule, a cluster of rules in a single file, a group of files, or "all active rules files". It's not a formal definition within SpamAssassin.
>
> In this case it's referring to one rule - tflags are only set on a per-rule basis. Any net-based rule is one that relies on a working Internet connection to do a data lookup - most commonly DNS lookups, but rules for eg Vipul's Razor (RAZOR_* rules), DCC, or Pyzor are also considered net rules since they do a lookup against a network service somewhere.

More to the point, if you look at the "spamd" documentation for the "-L" flag you'll see:

    -L, --local
        Perform only local tests on all mail. In other words, skip DNS and other network tests. Works the same as the "-L" flag to spamassassin(1).

So all "net-based" rules (as indicated by intrinsic coding or the tflags 'net') get ignored when running in --local mode.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Spam with tons of lines with garbage characters, preceded by
On Thu, 20 Jul 2017, Andrzej A. Filip wrote:
> By default messages bigger than 500KB are not sent to spamd for processing/scanning => the tactics you describe frequently "turns off" spam filtering.
> IMHO SA should design procedures to deal with big messages. I personally use "scan headers only" approach => it seems to be a quite good first step.

That can be done in the "glue" that connects your mail system to SA.
In my milter I take in the first 'N' bytes (configurable) of the message, pass them to SA and then discard the rest (IE truncating the body of the message). I had to code it to keep track of the MIME headers (if any) and fabricate a mime closing tag after the truncation point to maintain the logical integrity of the message.

Another way to do it would be to take a mime-aware filter (like mimedefang) and use it to strip off non-textual parts of the message to reduce it down in size and feed SA the parts that it actually looks at. This won't help if they embed insane amounts of garbage text (then only the truncation scheme will help) but will help with spam that has lots of images and junk.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
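The truncation scheme described above, as an added example that is not the milter code from the post: keep the first N bytes of the message, back up to a whole line, then fabricate closing delimiters for every multipart boundary declared in the kept portion so the cut message still parses as a complete MIME structure. The sample message, size limit and function names are constructed for this example.

```python
import email
import re
from typing import List

# Declared multipart boundaries; handles both boundary="x" and boundary=x.
BOUNDARY_RE = re.compile(rb'boundary="?([^";\r\n]+)"?', re.IGNORECASE)
HEADER_END_RE = re.compile(rb"\r?\n\r?\n")


def truncate_for_scan(raw: bytes, limit: int) -> bytes:
    """Keep the first `limit` bytes of a message and close any open MIME parts."""
    if len(raw) <= limit:
        return raw
    hdr_end = HEADER_END_RE.search(raw)
    if hdr_end is None:
        return raw[:limit]            # not a structured message; plain cut
    if hdr_end.end() >= limit:
        return raw[:hdr_end.end()]    # keep complete headers even if over budget
    nl = b"\r\n" if raw[hdr_end.start():hdr_end.end()].startswith(b"\r\n") else b"\n"
    kept = raw[:limit]
    # Back up to the last complete line so the cut never leaves a partial
    # part header or a broken boundary delimiter behind.
    cut = kept.rfind(nl)
    if cut > hdr_end.end():
        kept = kept[:cut + len(nl)]
    # Every boundary declared in the kept portion, outermost first ...
    boundaries: List[bytes] = []
    for m in BOUNDARY_RE.finditer(kept):
        if m.group(1) not in boundaries:
            boundaries.append(m.group(1))
    # ... gets a fabricated closing delimiter, innermost first, unless the
    # original close survived the cut.
    closing = b""
    for b in reversed(boundaries):
        if b"--" + b + b"--" not in kept:
            closing += nl + b"--" + b + b"--" + nl
    return kept + closing


def content_types(raw: bytes) -> List[str]:
    """Content types a MIME parser still sees, for checking the result."""
    return [part.get_content_type() for part in email.message_from_bytes(raw).walk()]


# Constructed message: a small text part followed by ~20 KB of base64 padding.
SAMPLE = (
    b"From: sender@example.test\r\nTo: rcpt@example.test\r\nSubject: big one\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"outer\"\r\n\r\n"
    b"--outer\r\nContent-Type: text/plain\r\n\r\nhello there\r\n"
    b"--outer\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + b"QUJDRA==\r\n" * 2000
    + b"--outer--\r\n"
)

if __name__ == "__main__":
    out = truncate_for_scan(SAMPLE, 4096)
    print(len(SAMPLE), "->", len(out), "bytes;", content_types(out))
```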
Re: ramsonware URI list
On Sat, 15 Jul 2017, Antony Stone wrote:
> On Saturday 15 July 2017 at 11:19:54, mastered wrote:
>> Hi Nicola, I'm not good at SHELL script language, but this might be fine:
>>
>> 1 - Save file into lista.txt
>> 2 - transform lista.txt in spamassassin rules:
>>
>> cat lista.txt | sed s'/http:\/\///' | sed s'/\/.*//' | sed s'/\./\\./g' | sed s'/^/\//' | sed s'/$/\\b\/i/' | nl | awk '{print "uri;RULE_NR_"$1";"$2" describe;RULE_NR_"$1";Url;presente;nella;Blacklist;Ramsonware score;RULE_NR_"$1";5.0" }' > listone.txt ; for i in $(sed -n p listone.txt) ; do echo "$i" ; done | sed s'/;/ /g' > blacklist.cf
[snip..]

One observation; that list has over 10,000 entries which means that you're going to be adding thousands of additional rules to SA on an automated basis. Some time in the past other people had worked up automated mechanisms to add large numbers of rules derived from example spam messages (Hi Chris;) and there were performance issues (significant increase in SA load time, memory usage, etc). Be aware, you may run into that situation. Using a URI-dnsbl avoids that risk.

I see that list gets updated frequently. How quickly do stale entries get removed from it? I couldn't find a policy statement about that other than the note about the 30 days retention for the RW_IPBL list. Checking a random sample of the URLs on that list, the majority of them hit 404 errors. If that list grows without bound and isn't periodically pruned of stale entries then it will become problematic for automated rule generation.

I'm not saying that this isn't an idea worth pursuing, just be aware there may be issues.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: ramsonware URI list
On Sat, 15 Jul 2017, Antony Stone wrote:
> On Saturday 15 July 2017 at 11:19:54, mastered wrote:
>> Hi Nicola, I'm not good at SHELL script language, but this might be fine:
>>
>> 1 - Save file into lista.txt
>> 2 - transform lista.txt in spamassassin rules:
>>
>> cat lista.txt | sed s'/http:\/\///' | sed s'/\/.*//' | sed s'/\./\\./g' | sed s'/^/\//' | sed s'/$/\\b\/i/' | nl | awk '{print "uri;RULE_NR_"$1";"$2" describe;RULE_NR_"$1";Url;presente;nella;Blacklist;Ramsonware score;RULE_NR_"$1";5.0" }' > listone.txt ; for i in $(sed -n p listone.txt) ; do echo "$i" ; done | sed s'/;/ /g' > blacklist.cf
>>
>> If anyone can optimize it, i'm happy.
>
> My first comment would be "useless use of cat" :)
>
> My second comment would be that you can combine sed commands into a single string, separated by ; so that you only have to call sed itself once at the start of all that:
>
> sed 's/http:\/\///; s/\/.*//; s/\./\\./g; s/^/\//; s/$/\\b\/i/' lista.txt | nl

Another observation/optimization; use the perl pattern-match separator character specifier to avoid delimiter collision (EG "m!"). The following two regexes are functionally equivalent but one is easier to write/read:

/http:\/\/site\.com\/this\/that\/the\/other\//i
m!http://site\.com/this/that/the/other/!i

Second one avoids the "Leaning toothpick syndrome" https://en.wikipedia.org/wiki/Leaning_toothpick_syndrome

Another way to use that data is to extract the hostnames and feed them into a local URI-dnsbl. Using "rbldnsd" is an easy to maintain, lightweight (low CPU/RAM overhead) way to implement a local DNSbl for multiple purposes (EG an IP-addr based list for RBLDNSd or host-name based URI-dnsbl). The URI-dnsbl has an advantage of being easy to add names (just 'cat' them on to the end of the data-file with appropriate suffix) and doesn't require a restart of any daemon to take effect. Clearly it has a greater risk of FPs than a targeted rule that matches on the specific URL of the malware.
However if the site is purpose created by blackhats to disseminate malware or a legitimate site that has been compromised and isn't being maintained then there's a high probability that it will be (ab)used again for other payloads. In that case blacklisting the host name gets all future garbage too.
IMHO: any site on that list with more than 3 entries or a registration age of less than a year is fair game for URIdnsbl listing.

Looking at that data there are clearly several patterns that could be used to create targeted rules.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
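The two ways of using the list that this thread and the previous post discuss, as an added example (not the shell pipeline from the list, and not any project's code): targeted uri rules written with the m!...!i delimiter for URLs on hosts with few entries, and an rbldnsd dnset data file for hosts that appear more than three times. The sample URLs, rule-name prefix and describe text are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Perl regex metacharacters plus '!' (our m!...! delimiter).  '/' needs no
# escaping inside m!...!, which is the point of choosing that delimiter.
_META = set(r".+*?()[]{}|^$\!")


def pcre_escape(text: str) -> str:
    return "".join("\\" + c if c in _META else c for c in text)


def uri_rule(name: str, url: str, score: float = 5.0) -> str:
    """A targeted SA uri rule for one exact URL, case-insensitive."""
    return (f"uri {name} m!{pcre_escape(url)}!i\n"
            f"describe {name} URL present in local ransomware blacklist\n"
            f"score {name} {score:.1f}\n")


def split_list(urls: List[str], host_threshold: int = 3) -> Tuple[List[str], Dict[str, List[str]]]:
    """Hosts with more than `host_threshold` listed URLs go to the URI-dnsbl;
    the remaining URLs each get a targeted rule.  Duplicate URLs are dropped."""
    by_host: Dict[str, List[str]] = defaultdict(list)
    for url in urls:
        url = url.strip()
        host = urlsplit(url).hostname
        if host and url not in by_host[host.lower()]:
            by_host[host.lower()].append(url)
    dnsbl_hosts = sorted(h for h, us in by_host.items() if len(us) > host_threshold)
    targeted = {h: us for h, us in by_host.items() if len(us) <= host_threshold}
    return dnsbl_hosts, targeted


def build_outputs(urls: List[str], prefix: str = "LOCAL_RW_URI",
                  host_threshold: int = 3) -> Tuple[str, str]:
    """Return (blacklist.cf text, rbldnsd dnset text)."""
    dnsbl_hosts, targeted = split_list(urls, host_threshold)
    rules: List[str] = []
    n = 0
    for host in sorted(targeted):
        for url in targeted[host]:
            n += 1
            rules.append(uri_rule(f"{prefix}_{n:04d}", url))
    # dnset file: a default A/TXT line, then one hostname per line; new names
    # can simply be appended later without restarting rbldnsd.
    dnset = (":127.0.0.2:host listed in local ransomware URI list\n"
             + "".join(h + "\n" for h in dnsbl_hosts))
    return "".join(rules), dnset


# Constructed sample list (all names are reserved/documentation domains).
SAMPLE_URLS = [
    "http://dl.bad-example.test/a/x.exe",
    "http://dl.bad-example.test/b/y.zip",
    "http://dl.bad-example.test/c/z.scr",
    "http://dl.bad-example.test/d/w.js",
    "http://compromised.example.org/wp-content/up.php?id=1",
    "http://shop.example.net/img/!/locky.exe",
    "http://compromised.example.org/wp-content/up.php?id=1",  # duplicate entry
]

if __name__ == "__main__":
    cf, dnset = build_outputs(SAMPLE_URLS)
    print(cf)
    print(dnset)
```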
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017, David Jones wrote:
> From: David B Funk
>> On Fri, 19 May 2017, RW wrote:
>>> On Fri, 19 May 2017 14:13:22 -0500 (CDT) David B Funk wrote:
>>>> My read on this is that "@ena.com" is living dangerously. They publish SPF records and DMARC records (with p=reject) but do NOT DKIM sign their mail.
>>>
>>> Most of them pass DKIM, a minority aren't signed.
>>
>> Urgg, I see that now. I looked at a few of David Jones' posts to this list and saw that they weren't DKIM signed, so I extrapolated that to a general assumption.
>
> They are DKIM signed so something must be stripping the headers.
>
>> I see that they're using Office-365. This is one of the issues I have with O-365, it's a black box which is hard to second guess. Sometimes they DKIM sign, some times they don't. Sometimes they will score incoming messages that are properly DKIM signed as spam (for no reason other than the DKIM signature, as far as I can tell).
>>
>> Bottom line; If you put yourself at the mercy of Office-365, using a DKIM policy of "reject" is risky.
>
> I don't. Our inbound to and outbound from Office 365 is handled by our own mail servers that are properly DKIM signing. I have been reviewing DMARC reports for years now to make sure we had good SPF, DKIM and DMARC before recently moving to p=reject.

Dave, I hate to break it to you but you are at the mercy of Office-365 and its erratic DKIM policy.
The message from you that I'm replying to here (both the one that came directly to me and the copy I got thru the Apache list server) are -totally- devoid of DKIM headers. (If you'd like to see it I can put it up in paste-bin.)
Looking at some of your other posts to this list, many of them do have DKIM headers but not all. The interesting part is that the DKIM headers are interpolated with the O-365 headers so it looks like O-365 is taking your original message, stripping off the DKIM headers and sometimes re-adding them.

Good luck with this, welcome to the O-365 world.

Dave

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017, RW wrote:
> On Fri, 19 May 2017 14:13:22 -0500 (CDT) David B Funk wrote:
>> My read on this is that "@ena.com" is living dangerously. They publish SPF records and DMARC records (with p=reject) but do NOT DKIM sign their mail.
>
> Most of them pass DKIM, a minority aren't signed.

Urgg, I see that now. I looked at a few of David Jones' posts to this list and saw that they weren't DKIM signed, so I extrapolated that to a general assumption.

I see that they're using Office-365. This is one of the issues I have with O-365, it's a black box which is hard to second guess. Sometimes they DKIM sign, some times they don't. Sometimes they will score incoming messages that are properly DKIM signed as spam (for no reason other than the DKIM signature, as far as I can tell).

Bottom line; If you put yourself at the mercy of Office-365, using a DKIM policy of "reject" is risky.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Somewhat OT: DMARC and this list
On Fri, 19 May 2017, Dianne Skoll wrote:
> Hi,
>
> Tons of list traffic keeps getting quarantined because of DMARC. For example, a recent message from David Jones :
>
> DMARC policy for domain ena.com suggests Rejection as DMARC_POLICY_REJECT, but quarantined due to rule settings
>
> $ host -t txt _dmarc.ena.com
> _dmarc.ena.com descriptive text "v=DMARC1\; p=reject\; sp=reject\; rua=mailto:dm...@ena.net\;";
>
> (In this instance, we've overridden the DMARC policy and converted it to quarantine instead of reject, so I was able to retrieve the email, but...)
>
> I'm pretty sure Mailman can do DMARC-munging. Can ezmlm do the equivalent of Mailman's "ALLOW_FROM_IS_LIST" feature?
>
> Regards,
> Dianne.

My read on this is that "@ena.com" is living dangerously. They publish SPF records and DMARC records (with p=reject) but do NOT DKIM sign their mail.
In general it's dangerous to expect SPF to work thru a maillist or other forwarder. Often DKIM will but you cannot count on it (particularly if the list engages in Subject munging).
If they're only going to use SPF then publishing a DMARC policy of "reject" is risky. See:
https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/

Please let me know if I'm misinterpreting the signs.

Dave

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service
On Fri, 19 May 2017, John Hardin wrote:
> On Thu, 18 May 2017, Rob McEwen wrote:
>> In many cases, they explain to me that their settings got auto-overwritten by their hoster - who just HAD to switch their resolv.conf file back to 8.8.8.8
>
> cron. job.

Wouldn't the SA config parameter "dns_server" over-ride what's in the resolv.conf, or doesn't that work for RBL queries?
EG, set:

dns_server 127.0.0.1

in your local.cf file and don't worry about what's in the resolv.conf

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Negative rule score not working as expected
On Thu, 11 May 2017, Benny Pedersen wrote:
> Anthony Hoppe wrote on 2017-05-11 00:55:
>> I'm trying to implement a very simple rule that looks at the "Received" header(s) and if a string is found apply a negative score. The rule is as follows:
>>
>> header AH_KNOWBE4 Received =~ /phishtest\.knowbe4\.com/
>> score AH_KNOWBE4 score -10.0
>
> above line, remove 2nd score
>
>> describe AH_KNOWBE4 Prevents KnowBe4 campaign emails from falling into users Junk folders
>>
>> The rule triggers as expected, but a score of 1 is applied as opposed to the desired -10. What am I doing wrong?
>>
>> Thanks!

Why didn't "spamassassin --lint" bark about this syntax error?

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: block Bayes autolearn for specific messages
On Wed, 10 May 2017, John Hardin wrote:
> On Wed, 10 May 2017, David B Funk wrote:
>> Is there any way to use Bayes autolearn in general but prevent it from learning specific messages?
>> I have a specific source of messages (Office-365) which I would like to prevent from being autolearned (without scoring them as spam). I still want those messages to be SA scored using the normal methods, just not be considered -at-all- for autolearning.
>
> bayes_ignore_from u...@example.com
> bayes_ignore_to u...@example.com

John,
Thanks for the suggestion but I still want Bayes classifier run on those messages, just no autolearning. bayes_ignore_(to|from) prevents both.
I've already got a rule that adds a small score (0.3) to those messages but unfortunately they hit minus-score rules (EG: RCVD_IN_MSPIKE_*, KHOP_RCVD_TRUST, etc) often enough that they still get learned. I could jack up the local score add but then I run the risk of FPing O365 messages that don't hit the minus-score rules.
Is there some kind of score calculation rule that does something along the line of "if total score is less than N, add M"?

Dave

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
block Bayes autolearn for specific messages
Is there any way to use Bayes autolearn in general but prevent it from learning specific messages?
I have a specific source of messages (Office-365) which I would like to prevent from being autolearned (without scoring them as spam). I still want those messages to be SA scored using the normal methods, just not be considered -at-all- for autolearning.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: US-CERT message FP
On Mon, 8 May 2017, Chris wrote:
>> whitelist_auth *@*.us-cert.gov us-cert.gov
>>
>> This should be:
>>
>> whitelist_auth *@*.us-cert.gov
>
> I don't know why I keep putting the second entry in my 'my-whitelist.cf' file. I must have read it or something a long, long time ago in order to be doing this.

Possibly got the format of whitelist_from_rcvd stuck in your brain. ;)
There is an optional second argument to whitelist_from_dkim which provides the domain of a third-party signatory. EG:

whitelist_from_dkim j...@example.com

vs:

whitelist_from_dkim j...@example.net example.org

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: US-CERT message FP
On Mon, 8 May 2017, John Hardin wrote:
> On Mon, 8 May 2017, Chris wrote:
>> I get various posts from US-CERT none so far have been tagged as spam until today. The raw message with the SA tags is here - https://pastebin.com/f71A2FfW
>>
>> What it hit on was:
>>
>> pts rule name description
>> -- -
>> 5.0 BOTNET Relay might be a spambot or virusbot [botnet0.8,ip=208.42.190.173,maildomain=ncas.us-cert.gov,nordns]
>>
>> That's a bit worrying.
>
> ...but that looks like a local rule, I can't find "BOTNET" by itself as a rule in SVN. Is it local? How is it defined?
> [snip..]
> How did ncas.us-cert.gov get classified as a botnet host?

"Botnet" is a SA plugin that was written several years ago by John Rudd which tries to look for spammyness clues derived from the DNS/hostname of the first untrusted relay.
From the source code comments:

# Botnet - perform DNS validations on the first untrusted relay
# looking for signs of a Botnet infected host, such as no reverse
# DNS, a hostname that would indicate an ISP client or domain
# workstation, or other hosts that aren't intended to be acting as
# a direct mail submitter outside of their own domain.

One of its heuristics is to look for signs of the IP address embedded in the hostname (EG looking for things like "client-201.240.187.107.speedy.net.pe") as a sign of an infected PC doing direct mail delivery.
This fired on the host name of that site: mailer190173.service.govdelivery.com because part of its IP address [208.42.190.173] was found in the name.
Years ago I dropped the default Botnet score (5.0) way down because of FPs like this.

I'd be concerned with what caused the DKIM signature to fail validation (DKIM_SIGNED, T_DKIM_INVALID). If something in the mail chain is breaking DKIM validation then attempts to use things like whitelist_auth are doomed to failure.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
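The "IP address embedded in the hostname" heuristic described above, as an added example: this is not the Botnet plugin's code, just a re-implementation of that one check, run over the two hostnames from the thread and a benign one. It also shows why the FP happens (a legitimate bulk mailer with a numbered hostname trips it) and keeps the score contribution small for that reason; the minimum-digit guard and the score value are this example's own choices.

```python
import re
from typing import List, Optional, Tuple

# Separators a hostname might use between the octets it embeds.
SEPARATORS = (".", "-", "_", "")
# Octets run together ("190173") need a few digits before they mean anything;
# a bare "12" would otherwise hit mx12.example.com.
MIN_BARE_DIGITS = 5


def ip_fragments(ip: str) -> List[str]:
    """Candidate substrings derived from the IP: runs of 4, 3, then 2 consecutive
    octets, joined with each separator, longest first."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    frags: List[str] = []
    for length in (4, 3, 2):
        for start in range(0, 5 - length):
            run = octets[start:start + length]
            for sep in SEPARATORS:
                frag = sep.join(run)
                if sep == "" and len(frag) < MIN_BARE_DIGITS:
                    continue
                frags.append(frag)
    return frags


def ip_in_hostname(hostname: str, ip: str) -> Optional[str]:
    """Return the fragment of `ip` found in `hostname` (digit-bounded), or None."""
    host = hostname.lower().rstrip(".")
    for frag in ip_fragments(ip):
        if re.search(r"(?<!\d)" + re.escape(frag) + r"(?!\d)", host):
            return frag
    return None


def botnet_hint(hostname: str, ip: str, score: float = 0.5) -> Tuple[float, str]:
    """Score contribution and reason.  Kept deliberately low: bulk mailers with
    numbered hostnames (the govdelivery case above) hit this heuristic too."""
    frag = ip_in_hostname(hostname, ip)
    if frag is None:
        return 0.0, "no IP fragment in hostname"
    return score, f"ip fragment {frag!r} embedded in {hostname}"


# Constructed checks: the two hostnames discussed in the thread plus a benign one.
SAMPLES = [
    ("client-201.240.187.107.speedy.net.pe", "201.240.187.107"),  # dynamic-looking client
    ("mailer190173.service.govdelivery.com", "208.42.190.173"),   # legitimate bulk mailer (FP)
    ("mx12.example.com", "10.1.2.3"),                              # benign
]

if __name__ == "__main__":
    for host, ip in SAMPLES:
        print(f"{host:40} {ip:16} -> {botnet_hint(host, ip)}")
```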
Re: Today's Google Docs phish
On Wed, 3 May 2017, Alex wrote:
> Hi,
>
> If you haven't heard, there was a huge Google Docs phishing attack today. Several hundred bypassed our filters in the hour or so before we were able to identify them. The To address is always "h...@mailinator.com" and the subject is always " has shared a document on Google Docs with you" where "user name" is some random user.
>
> https://www.theatlantic.com/technology/archive/2017/05/did-someone-just-share-a-random-google-doc-with-you/525279/
>
> I wanted to provide an example in case it helps, even though chances are the campaign is dead. We've seen Google proxy and redirect attacks before and will probably see them again.
>
> https://pastebin.com/aWVaMMni
[snip..]
> The LOC_FRAUD_DOC is a local rule and the LOC_URI_RARE_TLD was for '.pro' from John's rules some time ago. They're only scored at 0.6. Obviously training these would be enough to put them over to spam, but would someone like to look at the URI in the body to create a possible rule?
>
> It's likely Google is looking at this more closely - do you think they will put an end to the redirect that's being used?
>
> Should the score for .pro domains and other rare TLDs be higher?
>
> Have you received any of these? Have you done anything to prevent them next time or from being received this time?

That target domain "g-docs . pro" was registered 12 days ago via namecheap.com which was enough to earn it a few extra points at our site. It's now sitting in a high-scoring local URIBL here (which is enough to get a SMTP-REJECT).

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: MISSING_MIMEOLE and X-MimeOLE
On Mon, 1 May 2017, Alex wrote:
> Hi,
>
> On Mon, May 1, 2017 at 8:44 AM, David Jones wrote:
> From: Alex
> I've taken a more conservative, but also more time-consuming approach by creating rules that subtract a few points with the right combination. I was also hoping there was a more general approach that would make these rules with such high scores less prone to FPs in the first place, or at least create a greater burden by default before adding such high scores to rules involving just a regex.
>
> * 3.3 MSGID_NOFQDN1 Message-ID with no domain name
>
> This one catches even automated reports generated by HP to many of our users, as well as a common email fax service. They just don't consider proper RFC compliance in their shell scripts, and to basically turn it into spam just for that is unreasonable.
>
> Also unfortunately, they don't comply with SPF or DKIM conventions, and one might argue simply passing SPF_PASS isn't sufficient for a meta rule before whitelisting.

It's more time-consuming to maintain, but whitelist_from_rcvd lets you reasonably safely (safe from spoofing) whitelist a given sender that doesn't have DKIM/SPF.
(I'm partial to the "def_whitelist*" version of local whitelists because it will save good messages from quarantine but can be over-ridden by heavy-duty spam rules (such as malware being sent from a compromised Yahoo user's account).)

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Can someone post some real-world examples of whitelist_auth, whitelist_spf, and whitelist_dkim?
On Thu, 23 Mar 2017, fitz wrote:
> I am attempting to tighten up my whitelists, replacing whitelist_from with whitelist_auth, whitelist_spf, and/or whitelist_dkim. And having trouble. The simplistic example of whitelist_auth b...@example.com example.net does not really cut it. For example, I have the following headers:
>
> Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=76.74.244.76; helo=outbound076.dcm8.com; envelope-from=qd_pat_ba7cce6de305fce6b09be229f71e639fdebb287253d1e...@inbound.dcm8.com; receiver=some...@bebop.com
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=inbound.dcm8.com; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:List-Unsubscribe; bh=glCJ7SPuJhI+sBNWpIcLUzww974=; b=xtADEde9s1pYTVT8IBwjLVjOiDNCjf8GY3vaqk7HmMMgRtOzRhRcGZkT+yeKNHwlIOk8iYD9Y6uX mMrOwIYFJ1H5iX1hn5Mj+Pd3BTpdhxPDd0YUBbfvmoa/W7hj2plUYDtSKt5wGYU8GRjSNj7xK5zx juMZm6vlWkfFTwRdyM8=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=questdiagnosticssurvey.com; b=mC5TtAPZBG0FwqfSaoAAFEn2hGO193KMoqpRbx/C3CmZ1KTfhcBz+9MsDi5z2dma4tkwLeGXYmMU IyL3l2Y9bZD5MhpdA3daN8Z2o23QKgHFM7KHxfovtClAniOhoNDukdWhLAumDMlsmg4GG/iutulk TbSLKC7h4SYaWu/Y1js=;
> Received: from parking.hostmonster.com (10.0.95.23) by outbound076.dcm8.com (PowerMTA(TM) v3.5r15) id hqfm400lr5gd for ; Thu, 23 Mar 2017 15:39:28 + (envelope-from )
> Date: Thu, 23 Mar 2017 15:39:28 +
> From: Quest Diagnostics
> Reply-To: Quest Diagnostics
>
> I have tried whitelist_(spf|auth|dkim) *@QuestDiagnosticsSurvey.com (questdiagnosticssurvey.com | inbound.dcm8.com | outbound076.dcm8.com | dcm8.com) and none seem to work. I get SPF AUTH and DKIM_VALID_AU but no USER_IN_WHITELIST. I have been able to get the whitelist_auth to work for gmail, comcast, and a few other places, but this one does not seem to work using the same rules.
>
> From WHERE is one supposed to pull the second parameter for these rules?

I think you are confusing whitelist_(spf|auth|dkim) with whitelist_from_received. The former only requires single addresses/address-patterns, the latter requires pairs of configuration data. EG for your example try:

whitelist_auth sur...@questdiagnosticssurvey.com
whitelist_spf *@inbound.dcm8.com

One slight potential point of confusion, whitelist_(spf|auth|dkim) allows for multiple addresses on one line, so it can look a little like whitelist_from_received which -requires- pairs of conf data, but whitelist_(spf|auth|dkim) actually works on single address/patterns.

FWIW, I personally like the "def_whitelist_*" form. The def_whitelist_* variant only gives an additional -15 score (instead of the -100 from the full variant). This usually gives the necessary boost to get mis-classified messages past filtering without totally swamping nasty spam that sometimes gets emitted from ordinarily whitelisted sources (EG when a whitehat business gets compromised or one of their staff gets phished).

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{