Re: Why is RP_MATCHES_RCVD so "heavy"?
Matus UHLAR - fantomas <uh...@fantomas.sk> writes:

>>Eric Abrahamsen wrote:
>>> I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't make it into my inbox otherwise. I see the scoring recently got bumped to -3.0, which makes false negatives even more likely.
>>>
>>> I'm not expert enough in the nature of spam to really understand why this test is so strong, nor to feel confident in simply whacking a few points off it without knowing more.
>>>
>>> In the year or so that I've been running my own mail server, I don't think I've seen a *single* false positive (at least not one that I noticed), but get maybe an average of two spam mails into my inbox every day. I've beefed up the BAYES scores, and that helped, but haven't tweaked anything else.
>>>
>>> Can anyone tell me why it's scored so heavily? Would it be a bad idea to just drop it down to -1.5 or something?
>
> On 23.11.16 10:29, Kris Deugau wrote:
>>This is a rule whose usefulness is likely to vary a lot more for your mail stream.
>>
>>Locally, I found it was firing on enough of the reported false-negatives that I squashed it down to a purely advisory -0.001 quite a while ago, and I haven't seen any issues with doing so.
>>
>>I didn't disable it outright as some others do, since it's used in several meta rules.
>
> meta rules should match __RP_MATCHES_RCVD which is exactly the same rule - blanking RP_MATCHES_RCVD should make no difference
>
> Thus I (again) recommend blanking it...

Thanks to all of you for the responses! I'll weaken the rule a bit and see how it goes -- looking at total scores for the spam that makes it past SA, just a point or two should do it. It was helpful seeing everyone's thought-process here, thanks again.

E
Re: Why is RP_MATCHES_RCVD so "heavy"?
>Eric Abrahamsen wrote:
>> I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't make it into my inbox otherwise. I see the scoring recently got bumped to -3.0, which makes false negatives even more likely.
>>
>> I'm not expert enough in the nature of spam to really understand why this test is so strong, nor to feel confident in simply whacking a few points off it without knowing more.
>>
>> In the year or so that I've been running my own mail server, I don't think I've seen a *single* false positive (at least not one that I noticed), but get maybe an average of two spam mails into my inbox every day. I've beefed up the BAYES scores, and that helped, but haven't tweaked anything else.
>>
>> Can anyone tell me why it's scored so heavily? Would it be a bad idea to just drop it down to -1.5 or something?

On 23.11.16 10:29, Kris Deugau wrote:
>This is a rule whose usefulness is likely to vary a lot more for your mail stream.
>
>Locally, I found it was firing on enough of the reported false-negatives that I squashed it down to a purely advisory -0.001 quite a while ago, and I haven't seen any issues with doing so.
>
>I didn't disable it outright as some others do, since it's used in several meta rules.

meta rules should match __RP_MATCHES_RCVD which is exactly the same rule - blanking RP_MATCHES_RCVD should make no difference

Thus I (again) recommend blanking it...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Despite the cost of living, have you noticed how popular it remains?
Re: Why is RP_MATCHES_RCVD so "heavy"?
Eric Abrahamsen wrote:
> I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't make it into my inbox otherwise. I see the scoring recently got bumped to -3.0, which makes false negatives even more likely.
>
> I'm not expert enough in the nature of spam to really understand why this test is so strong, nor to feel confident in simply whacking a few points off it without knowing more.
>
> In the year or so that I've been running my own mail server, I don't think I've seen a *single* false positive (at least not one that I noticed), but get maybe an average of two spam mails into my inbox every day. I've beefed up the BAYES scores, and that helped, but haven't tweaked anything else.
>
> Can anyone tell me why it's scored so heavily? Would it be a bad idea to just drop it down to -1.5 or something?

This is a rule whose usefulness is likely to vary a lot more for your mail stream.

Locally, I found it was firing on enough of the reported false-negatives that I squashed it down to a purely advisory -0.001 quite a while ago, and I haven't seen any issues with doing so.

I didn't disable it outright as some others do, since it's used in several meta rules.

-kgd
Re: Why is RP_MATCHES_RCVD so "heavy"?
On 22 Nov 2016, at 17:54, Eric Abrahamsen wrote:

> I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't make it into my inbox otherwise. I see the scoring recently got bumped to -3.0, which makes false negatives even more likely.
>
> I'm not expert enough in the nature of spam to really understand why this test is so strong, nor to feel confident in simply whacking a few points off it without knowing more.
>
> In the year or so that I've been running my own mail server, I don't think I've seen a *single* false positive (at least not one that I noticed), but get maybe an average of two spam mails into my inbox every day. I've beefed up the BAYES scores, and that helped, but haven't tweaked anything else.
>
> Can anyone tell me why it's scored so heavily?

Probably someone more intimate with the RuleQA process can explain it. To me it looks too noisy to be scored so strongly, and for years I've had it pegged for my systems at -0.3. I suspect that much of the non-matching spam is stuff that many sites exclude well ahead of SA, so it is not as indicative in production systems as it is in RuleQA.

> Would it be a bad idea to just drop it down to -1.5 or something?

In the past 2 years on multiple mail systems I have had no indication of any false positives which would have been cured by a stronger ham score for RP_MATCHES_RCVD. My reduction to -0.3 was based on the rule chronically redeeming a stream of snowshoe spam that was otherwise scoring in the ~6 range. Whether and how far you reduce its power should be based on your local circumstances, but -1.5 strikes me as probably a reasonable & prudent guess in the absence of careful analysis.
Re: Why is RP_MATCHES_RCVD so "heavy"?
On Nov 22, 2016, at 3:54 PM, Eric Abrahamsen <e...@ericabrahamsen.net> wrote:

> I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't make it into my inbox otherwise. I see the scoring recently got bumped to -3.0, which makes false negatives even more likely.

I do see this in spam, but I see it so much more in ham that I've not changed the score. The spam that does hit it seems to score very highly in other areas (bayes_99 and bayes_999 especially).

I see it in a lot of mail that is often tagged by the user as spam, but is not actually spam. For example, emails from macy's or target which the user did sign up for, but is too lazy to unsubscribe.

But run it against your corpus and adjust the score as needed.
Re: Why is RP_MATCHES_RCVD so "heavy"?
On 2016-11-22 14:54, Eric Abrahamsen wrote:
> Can anyone tell me why it's scored so heavily? Would it be a bad idea to just drop it down to -1.5 or something?

I score it as 0, and I think a number of others on this list (with much more expertise than me) do the same.

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
Why is RP_MATCHES_RCVD so "heavy"?
I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't make it into my inbox otherwise. I see the scoring recently got bumped to -3.0, which makes false negatives even more likely.

I'm not expert enough in the nature of spam to really understand why this test is so strong, nor to feel confident in simply whacking a few points off it without knowing more.

In the year or so that I've been running my own mail server, I don't think I've seen a *single* false positive (at least not one that I noticed), but get maybe an average of two spam mails into my inbox every day. I've beefed up the BAYES scores, and that helped, but haven't tweaked anything else.

Can anyone tell me why it's scored so heavily? Would it be a bad idea to just drop it down to -1.5 or something?

Thanks,
Eric
Re: RP_MATCHES_RCVD
>>> RH> RP_MATCHES_RCVD removed 1.7 points

> On 11.05.16 16:29, Reindl Harald wrote:
>> which proves again how badly auto-qa works and why you need to adjust some rules up to remove them entirely with a zero score

> On 11.05.2016 at 16:34, Matus UHLAR - fantomas wrote:
>> afaik, auto-qa scores _are_ justified, just some are missed from this...

On 11.05.16 16:42, Reindl Harald wrote:
> rules like this need a way lower max-score

which is just what I have said.

>> /etc/mail/spamassassin/local-*.cf
>> score RP_MATCHES_RCVD -0.001
>
> you can easily turn off that one (set to 0), I did. There's __RP_MATCHES_RCVD that has to be used in metas.
>
> the fact that spam comes from compromised account doesn't mean it's less spam ...

> looks like you don't understand what this rule does
>
> Envelope sender domain matches handover relay domain
>
> it's a *whitelisting rule*
>
> "the fact that spam comes from a domain where the PTR has the same doesn't mean it's less spam" is the fixed version of your sentence

which is (in fact) just what I have said...

"spam from acco...@example.com is not less spam just because it's sent from compromised account on example.com mailserver"

The mentioned rule just makes sending spam from compromised accounts on companies' mailservers, which is quite common.

... and if someone wants to have this rule in metas, there's __RP_MATCHES_RCVD that doesn't mess up score for spam

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: RP_MATCHES_RCVD
On 11.05.2016 at 16:34, Matus UHLAR - fantomas wrote:
>> On 11.05.2016 at 16:14, Niamh Holding wrote:
>>> Friday, September 5, 2014, 7:37:18 AM, you wrote:
>>> RH> RP_MATCHES_RCVD removed 1.7 points
>>> RH> is that not a little too much?
>>>
>>> Now running at 2.1 :(
>
> On 11.05.16 16:29, Reindl Harald wrote:
>> which proves again how badly auto-qa works and why you need to adjust some rules up to remove them entirely with a zero score
>
> afaik, auto-qa scores _are_ justified, just some are missed from this...

rules like this need a way lower max-score

>> [root@mail-gw:~]$ sa-score.sh RP_MATCHES_RCVD
>> /usr/share/spamassassin
>> /var/lib/spamassassin/3.004001/updates_spamassassin_org
>> score RP_MATCHES_RCVD -1.643 -2.079 -1.643 -2.079
>> /etc/mail/spamassassin/local-*.cf
>> score RP_MATCHES_RCVD -0.001
>
> you can easily turn off that one (set to 0), I did. There's __RP_MATCHES_RCVD that has to be used in metas.
>
> the fact that spam comes from compromised account doesn't mean it's less spam ...

looks like you don't understand what this rule does

Envelope sender domain matches handover relay domain

it's a *whitelisting rule*

"the fact that spam comes from a domain where the PTR has the same doesn't mean it's less spam" is the fixed version of your sentence above
Re: RP_MATCHES_RCVD
> On 11.05.2016 at 16:14, Niamh Holding wrote:
>> Friday, September 5, 2014, 7:37:18 AM, you wrote:
>> RH> RP_MATCHES_RCVD removed 1.7 points
>> RH> is that not a little too much?
>>
>> Now running at 2.1 :(

On 11.05.16 16:29, Reindl Harald wrote:
> which proves again how badly auto-qa works and why you need to adjust some rules up to remove them entirely with a zero score

afaik, auto-qa scores _are_ justified, just some are missed from this...

> [root@mail-gw:~]$ sa-score.sh RP_MATCHES_RCVD
> /usr/share/spamassassin
> /var/lib/spamassassin/3.004001/updates_spamassassin_org
> score RP_MATCHES_RCVD -1.643 -2.079 -1.643 -2.079
> /etc/mail/spamassassin/local-*.cf
> score RP_MATCHES_RCVD -0.001

you can easily turn off that one (set to 0), I did. There's __RP_MATCHES_RCVD that has to be used in metas.

the fact that spam comes from compromised account doesn't mean it's less spam ...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: RP_MATCHES_RCVD
On 11.05.2016 at 16:14, Niamh Holding wrote:
> Hello Reindl,
>
> Friday, September 5, 2014, 7:37:18 AM, you wrote:
> RH> RP_MATCHES_RCVD removed 1.7 points
> RH> is that not a little too much?
>
> Now running at 2.1 :(

which proves again how badly auto-qa works and why you need to adjust some rules up to remove them entirely with a zero score

[root@mail-gw:~]$ sa-score.sh RP_MATCHES_RCVD
/usr/share/spamassassin
/var/lib/spamassassin/3.004001/updates_spamassassin_org
score RP_MATCHES_RCVD -1.643 -2.079 -1.643 -2.079
/etc/mail/spamassassin/local-*.cf
score RP_MATCHES_RCVD -0.001
Re: RP_MATCHES_RCVD
Hello Reindl,

Friday, September 5, 2014, 7:37:18 AM, you wrote:
RH> RP_MATCHES_RCVD removed 1.7 points
RH> is that not a little too much?

Now running at 2.1 :(

-- 
Best regards,
Niamh  mailto:ni...@fullbore.co.uk
Re: RP_MATCHES_RCVD
On 9/5/2014 2:37 AM, Reindl Harald wrote:
> Hi
>
> i got recently a clear spam message which would have a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points
>
> is that not a little too much?

This has been a problem for about 6 months now. I complained about it back in April 2014, and there was a much larger discussion back in Aug 2013. After the Aug 2013 discussion it was fixed, but then something broke it in Mar/Apr 2014.
RP_MATCHES_RCVD
Hi

i got recently a clear spam message which would have a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points

is that not a little too much?

* X-Spam-Status: Yes, score=5.2, tag-level=4.5, block-level=8
* 5.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
* -1.7 RP_MATCHES_RCVD Envelope sender domain matches, handover relay domain
Re: RP_MATCHES_RCVD
> Hi
>
> i got recently a clear spam message which would have a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points
>
> is that not a little too much?

think so too. I set it into local.cf:

score RP_MATCHES_RCVD -0.1

Best Regards
Re: RP_MATCHES_RCVD
On 05.09.2014 at 08:40, Adi wrote:
>> i got recently a clear spam message which would have a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points
>>
>> is that not a little too much?
>
> think so too. I set it into local.cf:
>
> score RP_MATCHES_RCVD -0.1

thanks for confirmation

i give it even -0.5 but -1.7 even dnswl medium trust don't get :-)
Re: RP_MATCHES_RCVD
On 05.09.14 08:37, Reindl Harald wrote:
> i got recently a clear spam message which would have a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points
>
> is that not a little too much?

yes, it is, mentioned multiple times.

> * X-Spam-Status: Yes, score=5.2, tag-level=4.5, block-level=8
> * 5.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
> * -1.7 RP_MATCHES_RCVD Envelope sender domain matches, handover relay domain

and I see more things that are way too much

5.0 BAYES_95
tag-level=4.5

...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Despite the cost of living, have you noticed how popular it remains?
Re: RP_MATCHES_RCVD
On 05.09.2014 at 09:04, Matus UHLAR - fantomas wrote:
> On 05.09.14 08:37, Reindl Harald wrote:
>> i got recently a clear spam message which would have a score of 6.9 but RP_MATCHES_RCVD removed 1.7 points
>>
>> is that not a little too much?
>
> yes, it is, mentioned multiple times.
>
>> * X-Spam-Status: Yes, score=5.2, tag-level=4.5, block-level=8
>> * 5.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
>> * -1.7 RP_MATCHES_RCVD Envelope sender domain matches, handover relay domain
>
> and I see more things that are way too much
>
> 5.0 BAYES_95
> tag-level=4.5

# adjust IADB scoring (way too high defaults)
score RCVD_IN_IADB_VOUCHED -0.5
score RCVD_IN_IADB_DOPTIN -0.8
score RCVD_IN_IADB_ML_DOPTIN -1.1

___

defaults:

score RCVD_IN_IADB_VOUCHED 0 -2.2 0 -2.2
score RCVD_IN_IADB_DOPTIN 0 -4 0 -4
score RCVD_IN_IADB_ML_DOPTIN 0 -6 0 -6
Re: RP_MATCHES_RCVD
> On 05.09.2014 at 09:04, Matus UHLAR - fantomas wrote:
>> and I see more things that are way too much
>>
>> 5.0 BAYES_95
>> tag-level=4.5

On 05.09.14 09:13, Reindl Harald wrote:
> # adjust IADB scoring (way too high defaults)
> score RCVD_IN_IADB_VOUCHED -0.5
> score RCVD_IN_IADB_DOPTIN -0.8
> score RCVD_IN_IADB_ML_DOPTIN -1.1

are you aware that scores 0 and 2 are defined without network tests, so they should be zero in this case?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Atheism is a non-prophet organization.
Re: RP_MATCHES_RCVD
On 05.09.2014 at 09:19, Matus UHLAR - fantomas wrote:
>> On 05.09.2014 at 09:04, Matus UHLAR - fantomas wrote:
>>> and I see more things that are way too much
>>>
>>> 5.0 BAYES_95
>>> tag-level=4.5
>
> On 05.09.14 09:13, Reindl Harald wrote:
>> # adjust IADB scoring (way too high defaults)
>> score RCVD_IN_IADB_VOUCHED -0.5
>> score RCVD_IN_IADB_DOPTIN -0.8
>> score RCVD_IN_IADB_ML_DOPTIN -1.1
>
> are you aware that scores 0 and 2 are defined without network tests, so they should be zero in this case?

yes, but thanks for the hint - the last change was before the first coffee

after look again at local.cf, all the time before i used it like below :-(

score RCVD_IN_IADB_VOUCHED 0 -0.4 0 -0.4
score RCVD_IN_IADB_DOPTIN 0 -0.7 0 -0.7
score RCVD_IN_IADB_ML_DOPTIN 0 -1.0 0 -1.0
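Two things come up repeatedly in these posts: the four-column `score` syntax (one value per score set, where sets 0 and 2 are the ones used without network tests, so a later `local.cf` line overrides the update channel), and the advice to "run it against your corpus and adjust the score as needed". The script below is an added example, not SpamAssassin code and not from any poster. It parses `score` lines the way SpamAssassin selects the active set (0 = no Bayes/no net, 1 = net only, 2 = Bayes only, 3 = Bayes and net), then replays recorded `X-Spam-Status` headers with one rule's score swapped for the local override and counts how many spam and ham verdicts flip. The score lines, headers, labels and per-rule values are all constructed for the example; the rule names are real SpamAssassin rules but the numbers are illustrative.

```python
"""Replay a SpamAssassin corpus under a local score override (added example).

Implements two things discussed in the thread, without running SpamAssassin:
  1. the 'score' config syntax: one value, or four values for score sets 0..3
     (0 = no Bayes/no net, 1 = net, 2 = Bayes, 3 = Bayes+net); a later line
     (local.cf) overrides an earlier one (the update channel);
  2. replaying recorded X-Spam-Status headers with one rule's score replaced,
     to count how many spam/ham verdicts would flip before committing it.
All rule lines and headers below are constructed for the example.
"""
import re

# Constructed score lines in load order: update channel first, local.cf last.
SCORE_LINES = """
score RP_MATCHES_RCVD -1.643 -2.079 -1.643 -2.079
score RCVD_IN_IADB_VOUCHED 0 -2.2 0 -2.2
score HTML_MESSAGE 0.001
score RP_MATCHES_RCVD -0.001
"""

def score_set(use_bayes, use_network):
    """Index of the active score set, numbered as SpamAssassin does."""
    return (2 if use_bayes else 0) + (1 if use_network else 0)

def parse_scores(text, use_bayes=True, use_network=True):
    """Return {rule: effective score}; a later line overrides an earlier one."""
    idx = score_set(use_bayes, use_network)
    scores = {}
    for line in text.splitlines():
        m = re.match(r"\s*score\s+(\S+)\s+(.+?)\s*$", line)
        if not m:
            continue
        values = [float(v) for v in m.group(2).split()]
        if len(values) not in (1, 4):
            raise ValueError(f"bad score line: {line!r}")
        scores[m.group(1)] = values[0] if len(values) == 1 else values[idx]
    return scores

# Constructed X-Spam-Status headers (amavisd-new style) labelled with the
# operator's own verdict. Per-rule values are illustrative, not stock scores.
CORPUS = [
    ("spam", "X-Spam-Status: No, score=4.1 required=5.0 tests=[BAYES_99=4.2, HTML_MESSAGE=1.27, RP_MATCHES_RCVD=-1.37] autolearn=no"),
    ("spam", "X-Spam-Status: No, score=3.3 required=5.0 tests=[BAYES_95=3.0, HTML_MESSAGE=1.27, RP_MATCHES_RCVD=-1.37, MISSING_MID=0.4] autolearn=no"),
    ("ham", "X-Spam-Status: No, score=-2.1 required=5.0 tests=[BAYES_00=-1.9, HTML_MESSAGE=1.27, RP_MATCHES_RCVD=-1.37, DKIM_VALID=-0.1] autolearn=ham"),
    ("ham", "X-Spam-Status: No, score=4.2 required=5.0 tests=[BAYES_50=0.8, HTML_MESSAGE=1.27, RP_MATCHES_RCVD=-1.37, MIME_HTML_ONLY=0.7, HTML_IMAGE_ONLY_16=1.1, DEAR_SOMETHING=1.7] autolearn=no"),
]

STATUS_RE = re.compile(
    r"score=(?P<score>[-\d.]+)\s+required=(?P<req>[-\d.]+).*?tests=\[(?P<tests>[^\]]*)\]")

def parse_status(header):
    """Return (recorded_score, required, {rule: score}) from one header."""
    m = STATUS_RE.search(header)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    hits = {}
    for item in m.group("tests").split(","):
        name, _, val = item.strip().partition("=")
        if name:
            hits[name] = float(val)
    return float(m.group("score")), float(m.group("req")), hits

def recorded_score_consistent(header):
    """True if the per-rule hits add up to the recorded total (1-decimal rounding)."""
    recorded, _, hits = parse_status(header)
    return abs(sum(hits.values()) - recorded) < 0.05

def rescore(header, overrides):
    """Total and spam verdict with the scores in `overrides` swapped in."""
    _, required, hits = parse_status(header)
    total = sum(overrides.get(rule, score) for rule, score in hits.items())
    return total, total >= required

def compare(corpus, overrides):
    """Count spam caught and ham flagged before and after the override."""
    counts = {"spam_caught_before": 0, "spam_caught_after": 0,
              "ham_flagged_before": 0, "ham_flagged_after": 0}
    for label, header in corpus:
        _, required, hits = parse_status(header)
        before = sum(hits.values()) >= required
        _, after = rescore(header, overrides)
        key = "spam_caught" if label == "spam" else "ham_flagged"
        counts[key + "_before"] += int(before)
        counts[key + "_after"] += int(after)
    return counts

if __name__ == "__main__":
    effective = parse_scores(SCORE_LINES)  # set 3: Bayes + net
    print("effective RP_MATCHES_RCVD:", effective["RP_MATCHES_RCVD"])
    no_net = parse_scores(SCORE_LINES, use_bayes=True, use_network=False)
    print("RCVD_IN_IADB_VOUCHED without net tests:", no_net["RCVD_IN_IADB_VOUCHED"])
    for k, v in compare(CORPUS, {"RP_MATCHES_RCVD": effective["RP_MATCHES_RCVD"]}).items():
        print(f"{k}: {v}")
```

On the constructed corpus the -0.001 override catches one of the two missed spams but also pushes the marketing-style ham (the "macy's or target" case from the thread) over the threshold, which is exactly the trade-off a corpus replay is meant to surface before the change goes into `local.cf`. Swap in your own archived headers, or parse the `* score RULE` report lines instead of the amavisd format, to get real numbers.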
Re: RP_MATCHES_RCVD
> it's not corrected, that's the point...

The scoring occurs from automatic corpus checks. The best way to help the rule score better is to help with masscheck.

Looking at http://ruleqa.spamassassin.org/?daterev=20140416-r1587834-n&rule=RP_MATCHES_RCVD&srcpath=&g=Change there does appear to be a hamminess to the rule and it justifies a negative score. A score of -1.05 seems appropriate to me.

Regards,
KAM
Re: RP_MATCHES_RCVD
>> it's not corrected, that's the point...

On 17.04.14 09:14, Kevin A. McGrail wrote:
> The scoring occurs from automatic corpus checks. The best way to help the rule score better is to help with masscheck.

and still SA people tune some scores manually.

> Looking at http://ruleqa.spamassassin.org/?daterev=20140416-r1587834-n&rule=RP_MATCHES_RCVD&srcpath=&g=Change there does appear to be a hamminess to the rule and it justifies a negative score. A score of -1.05 seems appropriate to me.

Not to me. The whole fact that @gmail.com spam coming from gmail.com servers does not mean it's not spam, only because millions of @gmail.com ham coming from gmail.com are ham... this logic is braindead to me

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson. -- Daffy Duck & Porky Pig
Re: RP_MATCHES_RCVD
On 4/17/2014 10:21 AM, Matus UHLAR - fantomas wrote:
>>> it's not corrected, that's the point...
>
> On 17.04.14 09:14, Kevin A. McGrail wrote:
>> The scoring occurs from automatic corpus checks. The best way to help the rule score better is to help with masscheck.
>
> and still SA people tune some scores manually.
>
>> Looking at http://ruleqa.spamassassin.org/?daterev=20140416-r1587834-n&rule=RP_MATCHES_RCVD&srcpath=&g=Change there does appear to be a hamminess to the rule and it justifies a negative score. A score of -1.05 seems appropriate to me.
>
> Not to me. The whole fact that @gmail.com spam coming from gmail.com servers does not mean it's not spam, only because millions of @gmail.com ham coming from gmail.com are ham... this logic is braindead to me

Then you will likely have to use manual tuning.

regards,
KAM
Re: RP_MATCHES_RCVD
On 4/17/2014 9:14 AM, Kevin A. McGrail wrote:
>> it's not corrected, that's the point...
>
> The scoring occurs from automatic corpus checks. The best way to help the rule score better is to help with masscheck.

It's not really a good indicator of spam/ham here either. A moderate amount of spam is being marked as ham due to that rule's weight.

This rule was discussed back in Oct/Nov 2013, after which the rule was manually set to -0.001. And it stayed that way until at least Feb 28th of this year. Then during the first few weeks of March 2014, someone converted it to a T_ rule before re-releasing it.

(Hopefully next month I can help out with the mass-check.)
Re: RP_MATCHES_RCVD
Thomas Harold wrote on 2014-04-17 19:01:
> (Hopefully next month I can help out with the mass-check.)

should it not be like

meta RP_UNLISTED_HAM (!RP_MATCHES_RCVD)

if it should score as spam?

if just scores are changed, then it's another problem imho
Re: RP_MATCHES_RCVD
> Thomas Harold wrote on 2014-04-15 05:49:
>> Mar 24th - RP_MATCHES_RCVD = -0.535
>> Mar 27th - RP_MATCHES_RCVD = -0.371
>> Apr 7th - RP_MATCHES_RCVD = -0.271
>> Apr 14th - RP_MATCHES_RCVD = -0.989
>>
>> Running 3.3.1 on CentOS 6 (from the @updates channel). Running sa-update daily.

On 15.04.14 07:18, Benny Pedersen wrote:
> what is the problem? the scores are adjusted by the public corpus, so if there is a score that is not correct it's a sign of missing ham/spam to correct it

the problem with this rule is (and was) that it often pushes score under the spam threshold. It was complained here more times IIRC.

I have complained about this too, and I still have in my cf:

/etc/spamassassin/local.cf:score RP_MATCHES_RCVD 0

This rule is imho just something that should not be used as a whole. No complaints against metas for now.

> other than that spamassassin does not just count on one rule, so even if that rule seems to hit incorrectly then it is corrected by other rules

it's not corrected, that's the point...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 your friends - let them see what an idiot you are
Re: RP_MATCHES_RCVD
On 11/8/2013 4:38 PM, John Hardin wrote:
> On Fri, 8 Nov 2013, Kris Deugau wrote:
>> LuKreme wrote:
>>> Some spam has been matching the rule RP_MATCHES_RCVD which is worth -2.8 points. I wanted to look at this rule, so I went to /usr/local/etc/mail/spamassassin and grepped for the name, but no hits.
>>
>> There was a thread on this rule not too long ago; check the list archives
>
> Yeah, I thought we'd killed that in favor of a subrule. I guess we never actually pulled the trigger on that change... Mark?

It seems to be back, and the value is changing from week to week.

Feb 28th - RP_MATCHES_RCVD = -0.001
(during first few weeks of March it was showing as T_RP_MATCHES_RCVD, -0.01)
Mar 24th - RP_MATCHES_RCVD = -0.535
Mar 27th - RP_MATCHES_RCVD = -0.371
Apr 7th - RP_MATCHES_RCVD = -0.271
Apr 14th - RP_MATCHES_RCVD = -0.989

Running 3.3.1 on CentOS 6 (from the @updates channel). Running sa-update daily.
Re: RP_MATCHES_RCVD
Thomas Harold wrote on 2014-04-15 05:49:
> (during first few weeks of March it was showing as T_RP_MATCHES_RCVD, -0.01)

note that rules beginning with T_ are corpus testing rules, which is also why it scores just 0.01 here

> Mar 24th - RP_MATCHES_RCVD = -0.535
> Mar 27th - RP_MATCHES_RCVD = -0.371
> Apr 7th - RP_MATCHES_RCVD = -0.271
> Apr 14th - RP_MATCHES_RCVD = -0.989
>
> Running 3.3.1 on CentOS 6 (from the @updates channel). Running sa-update daily.

what is the problem? the scores are adjusted by the public corpus, so if there is a score that is not correct it's a sign of missing ham/spam to correct it

other than that spamassassin does not just count on one rule, so even if that rule seems to hit incorrectly then it is corrected by other rules
RP_MATCHES_RCVD
Some spam has been matching the rule RP_MATCHES_RCVD which is worth -2.8 points. I wanted to look at this rule, so I went to /usr/local/etc/mail/spamassassin and grepped for the name, but no hits.

Where's the rule defined? I thought there was a rules folder, but the only one I can find is one in the source for SA 3.0 (`locate 10_misc.cf`).

# find /usr/local -name *cf | grep -v postfix
/usr/local/etc/mail/spamassassin/local.cf
/usr/local/etc/mail/spamassassin/whitelist.cf
#

/usr/local/share/spamassassin contains a template, a txt file of the public key, and a file named languages, no rules.

/usr/share/spamassassin does not exist

SpamAssassin version is 3.3.2

-- 
He was Igor, son of Igor, nephew of several Igors, brother of Igors and cousin of more Igors than he could remember without checking up in his diary. Igors did not change a winning formula. {Footnote: Especially if it was green, and bubbled.}
Re: RP_MATCHES_RCVD
LuKreme wrote:
> Some spam has been matching the rule RP_MATCHES_RCVD which is worth -2.8 points. I wanted to look at this rule, so I went to /usr/local/etc/mail/spamassassin and grepped for the name, but no hits.

There was a thread on this rule not too long ago; check the list archives and in the meantime score it down or disable it completely. A fair bit of spam hits this here. :(

It's also been scored down in more recent rule updates; as of a few minutes ago it looks like it's *way* down:

score RP_MATCHES_RCVD -1.501 -0.001 -1.501 -0.001

Run sa-update regularly to get rule and score updates.

> # find /usr/local -name *cf | grep -v postfix
> /usr/local/etc/mail/spamassassin/local.cf
> /usr/local/etc/mail/spamassassin/whitelist.cf
> #

SA stock rules haven't been shipped in the tarball for quite a while, and IIRC most packages don't include them any more either. They're downloaded by sa-update.

spamassassin -D --lint 2>&1 | grep LOCAL_STATE

should show the path they're under. On most systems where SA is installed from package, this looks something like /var/lib/spamassassin.

-kgd
Re: RP_MATCHES_RCVD
On Fri, 8 Nov 2013, Kris Deugau wrote:
> LuKreme wrote:
>> Some spam has been matching the rule RP_MATCHES_RCVD which is worth -2.8 points. I wanted to look at this rule, so I went to /usr/local/etc/mail/spamassassin and grepped for the name, but no hits.
>
> There was a thread on this rule not too long ago; check the list archives

Yeah, I thought we'd killed that in favor of a subrule. I guess we never actually pulled the trigger on that change... Mark?

> and in the meantime score it down or disable it completely. A fair bit of spam hits this here. :(

I'd score it as -0.001 (advisory), as there may still be other meta rules using it rather than the unscored subrule so you don't want to completely disable it.

-- 
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
From the Liberty perspective, it doesn't matter if it's a jackboot or a Birkenstock smashing your face. -- Robb Allen
---
3 days until Veterans Day
Re: RP_MATCHES_RCVD
On 08 Nov 2013, at 13:53 , Kris Deugau <kdeu...@vianet.ca> wrote:
> SA is installed from package, this looks something like /var/lib/spamassassin.

Ah, /var/db/spamassassin I would never have found them. thanks!

-- 
Everything you read on the Internet is false -- Glenn Fleishman
Re: RP_MATCHES_RCVD
On 08 Nov 2013, at 13:53 , Kris Deugau <kdeu...@vianet.ca> wrote:
> It's also been scored down in more recent rule updates; as of a few minutes ago it looks like it's *way* down:
>
> score RP_MATCHES_RCVD -1.501 -0.001 -1.501 -0.001

I saw that after I ran sa-update, which was shortly after I posted. I've set it to -0.1 for now.

-- 
Every absurdity has a champion to defend it.
RP_MATCHES_RCVD
Trying to figure out why RP_MATCHES_RCVD scored so low. Is it because Return-Path: se...@c001n01.zahost.ru and the last Received matches that domain? if so, anything I can do to score it as the proper spam it is?

-------- Original Message --------
Return-Path: <se...@c001n01.zahost.ru>
Delivered-To: r...@domain.com
Received: from localhost (localhost [127.0.0.1])
    by mail.domain.com (Postfix) with ESMTP id CAE8980058;
    Sun, 20 Oct 2013 22:10:19 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mail.domain.com
X-Spam-Flag: NO
X-Spam-Score: 4.1
X-Spam-Level:
X-Spam-Status: No, score=4.1 required=4.7 tests=[BAYES_99=4.2, HTML_MESSAGE=1.27,
    RP_MATCHES_RCVD=-1.37] autolearn=no
Received: from mail.domain.com ([127.0.0.1])
    by localhost (mail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
    with SMTP id Fzg7udDKz5bJ; Sun, 20 Oct 2013 22:10:17 -0400 (EDT)
Received: from c001n01.zahost.ru (c001n01.zahost.ru [88.212.201.48])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.domain.com (Postfix) with ESMTPS id 669DC80051
    for <i...@domain.com>; Sun, 20 Oct 2013 22:10:15 -0400 (EDT)
Received: from localhost.zahost.ru ([127.0.0.1] helo=c001n01.zahost.ru)
    by c001n01.zahost.ru with esmtps (TLSv1:AES256-SHA:256)
    (Exim 4.69 (FreeBSD))
    (envelope-from <se...@c001n01.zahost.ru>)
    id 1VY1ND-0005fT-Kk
    for i...@domain.com; Mon, 21 Oct 2013 02:21:23 +0400
Received: (from semik@localhost)
    by c001n01.zahost.ru (8.14.4/8.13.8/Submit) id r9KMLM0s021783;
    Mon, 21 Oct 2013 02:21:22 +0400 (MSD)
    (envelope-from semik)
Date: Mon, 21 Oct 2013 02:21:22 +0400 (MSD)
Message-Id: <201310202221.r9kmlm0s021...@c001n01.zahost.ru>
To: i...@domain.com
Subject: 4 New Voicemail(s)
X-PHP-Script: 35x35.ru/ for 127.0.0.1
From: WhatsApp Messaging Service <serv...@35x35.ru>
X-Mailer: Spmailver8.5
Reply-To: WhatsApp Messaging Service <serv...@35x35.ru>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary=--138230768252645762B1112

WhatsApp
You have a new voicemail!

*Details*
Time of Call: Oct-15 2013 07:55:57
Lenth of Call: 57 seconds
Play (http link has been removed)

*If you cannot play, move message to the Inbox folder.

2013 WhatsApp Inc
Re: RP_MATCHES_RCVD
On Mon, 21 Oct 2013, Mauricio Tavares wrote:
> Trying to figure out why RP_MATCHES_RCVD scored so low. Is it because Return-Path: se...@c001n01.zahost.ru and the last Received matches that domain? if so, anything I can do to score it as the proper spam it is?

RP_MATCHES_RCVD is a check that the message metadata is internally consistent. While giving it a negative score may not be justified, don't think that it's useful as a spam indicator and should have a positive score.

In fact, as spams usually exhibit internal *inconsistencies* due to being largely forged, a message *not* hitting RP_MATCHES_RCVD may actually be a better spam indicator - that's probably the reason that it has a negative score.

Given the surge in WhatsApp spams recently (I've been getting a lot) I think I should add some specific rules to my sandbox for testing.

For the time being, you might want to do this in your local rules:

body __VOICEMAIL /\bYou have a new voicemail!/i
body __WHATSAPP /\bWhatsApp\b/
meta LCL_WHATSAPP (__WHATSAPP && __VOICEMAIL)
score LCL_WHATSAPP 1.000

That should be enough to push it over the threshold without FPs on legitimate (non-WhatsApp) voicemail notifications.

Pointers from anyone who actually uses WhatsApp about how to distinguish legitimate voicemail notifications from these spams are solicited.
> [original message headers and body quoted in full, identical to the original post]
2013 WhatsApp Inc -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Gun Control laws aren't enacted to control guns, they are enacted to control people: catholics (1500s), japanese peasants (1600s), blacks (1860s), italian immigrants (1911), the irish (1920s), jews (1930s), blacks (1960s), the poor (always) --- 508 days since the first successful private support mission to ISS (SpaceX)
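To make concrete what John describes as the "internally consistent metadata" check, here is an added example (not SpamAssassin's own code): a simplified re-implementation that compares the Return-Path domain with the reverse-DNS name of the host that handed the message to our own server, run over a constructed abridgement of the WhatsApp message above. OUR_HOSTS, the recipient placeholder and the forged counter-example are assumptions made for the example.

```python
"""Added example for this thread (not SpamAssassin's own code): a
simplified version of the consistency check RP_MATCHES_RCVD performs,
comparing the Return-Path domain with the reverse-DNS name of the host
that handed the message to our own mail server.  Trusted-network
handling is reduced to the OUR_HOSTS set, which is an assumption."""
import re
from email import message_from_string

# Hostnames of our own mail system (constructed for the example; SpamAssassin
# works this out from trusted_networks / internal_networks instead).
OUR_HOSTS = {"mail.domain.com", "localhost"}

# Constructed sample, abridged from the WhatsApp voicemail spam quoted in the
# thread; the redacted recipient is replaced by a placeholder.  Return-Path
# and the delivering host's rDNS agree, so the metadata is self-consistent.
CONSISTENT_MSG = """\
Return-Path: <semik@c001n01.zahost.ru>
Received: from localhost (localhost [127.0.0.1])
\tby mail.domain.com (Postfix) with ESMTP id CAE8980058;
\tSun, 20 Oct 2013 22:10:19 -0400 (EDT)
Received: from c001n01.zahost.ru (c001n01.zahost.ru [88.212.201.48])
\tby mail.domain.com (Postfix) with ESMTPS id 669DC80051
\tfor <recipient@domain.com>; Sun, 20 Oct 2013 22:10:15 -0400 (EDT)
Received: from localhost.zahost.ru ([127.0.0.1] helo=c001n01.zahost.ru)
\tby c001n01.zahost.ru with esmtps id 1VY1ND-0005fT-Kk
\tfor <recipient@domain.com>; Mon, 21 Oct 2013 02:21:23 +0400
Subject: 4 New Voicemail(s)

You have a new voicemail!
"""

# Constructed counter-example: same relay, but a forged envelope sender, the
# kind of inconsistency John says is the more common spam signal.
FORGED_MSG = CONSISTENT_MSG.replace(
    "Return-Path: <semik@c001n01.zahost.ru>",
    "Return-Path: <billing@example-bank.test>")

# 'from HELO (rdns [ip]) ... by HOST' as written by Postfix-style MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[\]()]+)\s*\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>[\w.-]+)",
    re.S,
)


def parse_received(value):
    """Pull HELO name, rDNS name, IP and receiving host out of one Received
    header, or return None if it is not in the 'from X (rdns [ip]) by Y'
    form (the 'from unknown (HELO localhost) (...)' line quoted later in
    the thread is skipped rather than guessed at)."""
    m = RECEIVED_RE.search(value)
    return {k: v.lower() for k, v in m.groupdict().items()} if m else None


def handoff_rdns(msg_text):
    """rDNS name recorded for the external host that handed the message to
    one of OUR_HOSTS.  Received headers are newest-first, so the first hop
    whose receiver is ours and whose sender is not is the boundary hop."""
    msg = message_from_string(msg_text)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and hop["by"] in OUR_HOSTS and hop["rdns"] not in OUR_HOSTS:
            return hop["rdns"]
    return None


def return_path_domain(msg_text):
    """Domain part of the envelope sender, or None if there is no usable one."""
    rp = message_from_string(msg_text).get("Return-Path", "")
    m = re.search(r"@([\w.-]+)", rp)
    return m.group(1).lower() if m else None


def base_domain(host):
    """Crude reduction to the last two labels (assumption: no public-suffix
    list; c001n01.zahost.ru -> zahost.ru).  The real rule is more careful."""
    return ".".join(host.split(".")[-2:])


def rp_matches_rcvd(msg_text):
    """True when the Return-Path domain and the boundary hop's rDNS agree,
    i.e. the condition the RP_MATCHES_RCVD rule rewards.  Either side
    missing (no Return-Path, no parseable boundary hop) means no match."""
    rp, rdns = return_path_domain(msg_text), handoff_rdns(msg_text)
    if rp is None or rdns is None:
        return False
    return base_domain(rp) == base_domain(rdns)


if __name__ == "__main__":
    for label, msg in (("consistent", CONSISTENT_MSG), ("forged", FORGED_MSG)):
        print(f"{label}: Return-Path domain={return_path_domain(msg)} "
              f"handoff rDNS={handoff_rdns(msg)} hit={rp_matches_rcvd(msg)}")
```

Note that the consistent sample hits although it is spam, which is exactly Mauricio's case: the check rewards a spammer who sends from a box whose rDNS and envelope sender simply agree.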
Re: RP_MATCHES_RCVD
> On Mon, 21 Oct 2013, Mauricio Tavares wrote:
>> Trying to figure out why RP_MATCHES_RCVD scored so low. Is it because
>> Return-Path: se...@c001n01.zahost.ru and the last Received matches that
>> domain? if so, anything I can do to score it as the proper spam it is?

On 21.10.13 10:24, John Hardin wrote:
> RP_MATCHES_RCVD is a check that the message metadata is internally
> consistent. While giving it a negative score may not be justified, don't
> think that it's useful as a spam indicator and should have a positive
> score.

Giving this rule positive value would uselessly add score to correct mail, but any negative score increases possibility of false negative. I don't think this should have any score, imho __RP_MATCHES_RCVD for meta rules is just enough. It can be T_ rule if anyone wants, imho.

I have set score of this rule to 0 because of those.

> In fact, as spams usually exhibit internal *inconsistencies* due to being
> largely forged, a message *not* hitting RP_MATCHES_RCVD may actually be a
> better spam indicator - that's probably the reason that it has a negative
> score.

not hitting is very common by any hosted domains.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
A day without sunshine is like, night.
SA not honoring customs in local.cf - was Re: RP_MATCHES_RCVD letting in SPAM
I'd like to revisit this, now that I have sufficient energy to devote to some hard sleuthing. Despite the fact that I was less than sharp (ahem) when first looking at this, I do feel I have covered all the obvious suspects. Some gentle nudges (or not) might get me rolling again.

I suppose I should repost this with details of what I have done so far, as even those of kind and gentle nature may not be inclined to search it out. But I won't clutter further, if there is no interest.

joe a.

>>> Joe Acquisto-j4 <j...@j4computers.com> 08/21/13 9:45 AM >>>
>> Bear in mind, that will tell you whether those configuration files are
>> syntactically correct; that does not tell you anything about whether or
>> not those are the files the spamd daemon is using.
>>
>> Take a look at the script that starts spamd. It may have a hardcoded path
>> to the configuration directory.
>>
>> --
>> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>
> The /etc/init.d/spamd file has a hardcoded reference to that specific
> file. I'm pretty sure it is the one being read. However, I am not so
> certain others are not being read later. I find a lot of references, for
> example, to BAYES_99 in /usr/share/spamassassin/blah.cf. I certainly don't
> know if these would override the setting in
> /etc/mail/spamassassin/local.cf.
>
> joe a.
Re: SA not honoring customs in local.cf - was Re: RP_MATCHES_RCVD letting in SPAM
if you need help, the best way is to:

- stay *concise* at all times - verbose blah can drive ppl away
- post config and then explain issue, *concisely*
- don't revive old threads.
- help ppl help you - their time is precious and few have unlimited patience.
- keep it down to facts - if you have a problem, "I thought", "I assumed", "I hoped" are of little value.

On 09/06/2013 03:20 PM, Joe Acquisto-j4 wrote:
> I'd like to revisit this, now that I have sufficient energy to devote to
> some hard sleuthing. Despite the fact that I was less than sharp (ahem)
> when first looking at this, I do feel I have covered all the obvious
> suspects. Some gentle nudges (or not) might get me rolling again.
>
> I suppose I should repost this with details of what I have done so far,
> as even those of kind and gentle nature may not be inclined to search it
> out. But I won't clutter further, if there is no interest.
>
> joe a.
>
>>>> Joe Acquisto-j4 <j...@j4computers.com> 08/21/13 9:45 AM >>>
>>> Bear in mind, that will tell you whether those configuration files are
>>> syntactically correct; that does not tell you anything about whether or
>>> not those are the files the spamd daemon is using.
>>>
>>> Take a look at the script that starts spamd. It may have a hardcoded
>>> path to the configuration directory.
>>>
>>> --
>>> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>>
>> The /etc/init.d/spamd file has a hardcoded reference to that specific
>> file. I'm pretty sure it is the one being read. However, I am not so
>> certain others are not being read later. I find a lot of references, for
>> example, to BAYES_99 in /usr/share/spamassassin/blah.cf. I certainly
>> don't know if these would override the setting in
>> /etc/mail/spamassassin/local.cf.
>>
>> joe a.
Re: SA not honoring customs in local.cf - was Re: RP_MATCHES_RCVD letting in SPAM
Joe Acquisto-j4 wrote:
> I'd like to revisit this, now that I have sufficient energy to devote to
> some hard sleuthing. Despite the fact that I was less than sharp (ahem)
> when first looking at this, I do feel I have covered all the obvious
> suspects. Some gentle nudges (or not) might get me rolling again.
>
> I suppose I should repost this with details of what I have done so far,
> as even those of kind and gentle nature may not be inclined to search it
> out.

I read back a bit in the thread; you've definitely got something strange going on. I don't see a couple of bits of information that might help narrow it down:

- which distribution?
- is this a packaged SA, or installed from source?
- where did the init script come from?
- how are you calling SA for normal scanning?

Next: You should have, in the first few lines from spamassassin -D --lint, a line like this (this is from CentOS, self-built package derived at one time from the RPMForge package):

  Sep 6 09:35:26.372 [30447] dbg: generic: Perl 5.008008, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin

SA reads rules from all of these locations, and then processes them from the DEF_RULES_DIR, LOCAL_STATE_DIR, and then LOCAL_RULES_DIR locations, sorted alphabetically within each grouping. Unfortunately -D doesn't actually indicate when it parses any given specific file from one of those locations.

Try grep -r RP_MATCHES_RCVD /etc - compare that with the list of files spamassassin -D --lint reports that it's read.

> The /etc/init.d/spamd file has a hardcoded reference to that specific
> file. I'm pretty sure it is the one being read.

Take a message that triggered this rule, and run spamassassin < message; does it still trigger the rule? If not then try removing the arguments that set any of the configuration paths from the init script. For most cases this is redundant anyway; SA knows which directories it should look in.

-kgd
Re: RP_MATCHES_RCVD letting in SPAM
On 21 Aug 2013, at 16:33 , Joe Acquisto-j4 <j...@j4computers.com> wrote:
> OK. That's what I thought. However, lint shows it reading
> /etc/mail/spamassassin/local.cf near the top of lint output and all the
> others, further down, which suggests it is reading them after. Perhaps
> that is a poor conclusion.

I can't think of a reason that --lint would need to check the files in the same order as SA applies them.

-- 
Adolescence is the period between childhood and adultery
Re: RP_MATCHES_RCVD letting in SPAM
> Bear in mind, that will tell you whether those configuration files are
> syntactically correct; that does not tell you anything about whether or
> not those are the files the spamd daemon is using.
>
> Take a look at the script that starts spamd. It may have a hardcoded path
> to the configuration directory.
>
> --
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/

The /etc/init.d/spamd file has a hardcoded reference to that specific file. I'm pretty sure it is the one being read. However, I am not so certain others are not being read later. I find a lot of references, for example, to BAYES_99 in /usr/share/spamassassin/blah.cf. I certainly don't know if these would override the setting in /etc/mail/spamassassin/local.cf.

joe a.
Re: RP_MATCHES_RCVD letting in SPAM
On Wed, 21 Aug 2013, Joe Acquisto-j4 wrote:

>> Bear in mind, that will tell you whether those configuration files are
>> syntactically correct; that does not tell you anything about whether or
>> not those are the files the spamd daemon is using.
>>
>> Take a look at the script that starts spamd. It may have a hardcoded
>> path to the configuration directory.
>
> The /etc/init.d/spamd file has a hardcoded reference to that specific
> file. I'm pretty sure it is the one being read.

OK.

> However, I am not so certain others are not being read later.

There should be a reference to a directory, SA will read all the .cf files in that directory. Does it have a -C, --configpath or --siteconfigpath option defined with a directory?

> I find a lot of references, for example, to BAYES_99 in
> /usr/share/spamassassin/blah.cf. I certainly don't know if these would
> override the setting in /etc/mail/spamassassin/local.cf.

Local settings should override standard settings, so no.

/usr/share/spamassassin is the base install directory. There is another directory that sa-update populates that is read after the base directory. Then the local configs are read. Last one read, wins.

spamassassin --lint -D should output all the directories being used; you can use the same command-line options given to spamd to configure spamassassin --lint -D the same way.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  Yet another example of a Mexican doing a job Americans are unwilling to do. -- Reno Sepulveda, on UniVision reporters asking President Obama some pointed questions about the BATFE Fast and Furious scandal.
---
  3 days until the 1934th anniversary of the destruction of Pompeii
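The loading order Kris and John describe (base rules, then the sa-update tree, then the local rules, alphabetical within each directory, last assignment read wins) is easy to replay offline. This added example (not SpamAssassin code) builds a constructed copy of the three directories named in the thread under a temporary root, including a hypothetical zz_legacy.cf that sorts after local.cf, and reports which file's score line actually wins for RP_MATCHES_RCVD; it reads each directory flat and uses only the first number of a score line, both simplifications of the real loader.

```python
"""Added example (not SpamAssassin code): replay the config loading order
described in the thread to find which file's 'score' line actually wins
for a rule, and why a 'score RP_MATCHES_RCVD 0' in local.cf may not be
the last word.

Assumptions: each directory is read flat (the real loader also descends
into the sa-update channel subdirectory under LOCAL_STATE_DIR), and only
the first number of a score line is used (a four-score line such as the
ones quoted later in the thread selects one of the four at run time)."""
import os
import re
import tempfile

# Order described in the thread: base rules, then the sa-update tree, then
# the local rules; *.cf files alphabetical within each directory.
LOAD_ORDER = ("DEF_RULES_DIR", "LOCAL_STATE_DIR", "LOCAL_RULES_DIR")
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)")


def cf_files(directory):
    """*.cf files of one directory in the (alphabetical) order they are read."""
    if not os.path.isdir(directory):
        return []
    return sorted(os.path.join(directory, f)
                  for f in os.listdir(directory) if f.endswith(".cf"))


def resolve_scores(dirs):
    """Walk the three directories in load order.  Returns (winner, history):
    winner[rule] = (score, file) for the last assignment read, and
    history[rule] = every assignment in read order, which is the sorted
    version of what 'grep -r RULE' over all three trees would show."""
    winner, history = {}, {}
    for key in LOAD_ORDER:
        for path in cf_files(dirs[key]):
            with open(path) as fh:
                for line in fh:
                    m = SCORE_RE.match(line)
                    if m:
                        rule, score = m.group(1), float(m.group(2))
                        winner[rule] = (score, path)
                        history.setdefault(rule, []).append((path, score))
    return winner, history


def build_demo_tree(root):
    """Constructed directory tree for the example, using the three paths
    quoted in the thread under a temporary root.  local.cf zeroes the rule,
    but a forgotten file that sorts after it (zz_legacy.cf, hypothetical)
    puts the score back, reproducing the symptom the thread is chasing."""
    dirs = {
        "DEF_RULES_DIR": os.path.join(root, "usr/share/spamassassin"),
        "LOCAL_STATE_DIR": os.path.join(root, "var/lib/spamassassin"),
        "LOCAL_RULES_DIR": os.path.join(root, "etc/mail/spamassassin"),
    }
    files = {
        ("DEF_RULES_DIR", "50_scores.cf"):
            "score RP_MATCHES_RCVD -1.344\nscore BAYES_99 3.5\n",
        ("LOCAL_STATE_DIR", "50_scores.cf"):
            "score RP_MATCHES_RCVD -2.8\n",
        ("LOCAL_RULES_DIR", "local.cf"):
            "score RP_MATCHES_RCVD 0\nscore BAYES_99 4.2\n",
        ("LOCAL_RULES_DIR", "zz_legacy.cf"):
            "# forgotten local file, read after local.cf\n"
            "score RP_MATCHES_RCVD -2.8\n",
    }
    for (key, name), text in files.items():
        os.makedirs(dirs[key], exist_ok=True)
        with open(os.path.join(dirs[key], name), "w") as fh:
            fh.write(text)
    return dirs


def explain(rule, dirs, root):
    """(winning score, winning file, [(file, score), ...]) for one rule,
    with paths made relative to root so the output is readable."""
    winner, history = resolve_scores(dirs)
    score, path = winner.get(rule, (None, None))

    def rel(p):
        return os.path.relpath(p, root)

    return (score, rel(path) if path else None,
            [(rel(p), s) for p, s in history.get(rule, [])])


def demo(rule="RP_MATCHES_RCVD"):
    """Build the constructed tree in a temp dir and explain one rule."""
    with tempfile.TemporaryDirectory() as root:
        return explain(rule, build_demo_tree(root), root)


if __name__ == "__main__":
    score, path, history = demo()
    for where, value in history:
        print(f"  {where}: score RP_MATCHES_RCVD {value}")
    print(f"effective: {score} (set last by {path})")
```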
Re: RP_MATCHES_RCVD letting in SPAM
>> . . . I find a lot of references, for example, to BAYES_99 in
>> /usr/share/spamassassin/blah.cf. I certainly don't know if these would
>> override the setting in /etc/mail/spamassassin/local.cf.
>
> Local settings should override standard settings, so no.

OK. That's what I thought. However, lint shows it reading /etc/mail/spamassassin/local.cf near the top of lint output and all the others, further down, which suggests it is reading them after. Perhaps that is a poor conclusion.

> /usr/share/spamassassin is the base install directory. There is another
> directory that sa-update populates that is read after the base directory.
> Then the local configs are read. Last one read, wins.
>
> spamassassin --lint -D should output all the directories being used; you
> can use the same command-line options given to spamd to configure
> spamassassin --lint -D the same way

Since both the root user (me) and the defined spam user (whose name I do see in logs) use /etc/spamassassin/local.cf (per lint), is that still worth trying?

joe a.

> --
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
>   Yet another example of a Mexican doing a job Americans are unwilling to do. -- Reno Sepulveda, on UniVision reporters asking President Obama some pointed questions about the BATFE Fast and Furious scandal.
> ---
>   3 days until the 1934th anniversary of the destruction of Pompeii
Re: RP_MATCHES_RCVD letting in SPAM
On 19.08.13 18:23, Joe Acquisto-j4 wrote:
> So, I have this in my /etc/mail/spamassassin/local.cf:

is that the same as /etc/spamassassin/local.cf?

> score RP_MATCHES_RCVD 0
>
> Yet, even after restart of spamd, mail comes thru with a -2.8. What
> should I look at?
>
> I know other stuff is read as I changed trusted and local network IP's
> and had a typo in one. lint called me out on it.

what happens when you pipe a mail into spamassassin -D?
What does spamassassin --lint produce?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I wonder how much deeper the ocean would be without sponges.
Re: RP_MATCHES_RCVD letting in SPAM
On 8/20/2013 at 5:00 AM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 19.08.13 18:23, Joe Acquisto-j4 wrote:
>> So, I have this in my /etc/mail/spamassassin/local.cf:
>
> is that the same as /etc/spamassassin/local.cf?

Don't have one of those. /etc/mail/spamassassin is where bayes_db, sa-update-keys and the assorted .pre files are.

>> score RP_MATCHES_RCVD 0
>>
>> Yet, even after restart of spamd, mail comes thru with a -2.8. What
>> should I look at?
>>
>> I know other stuff is read as I changed trusted and local network IP's
>> and had a typo in one. lint called me out on it.
>
> what happens when you pipe a mail into spamassassin -D?

Never tried it.

> What does spamassassin --lint produce?

Quite a lot. You want me to post the entire output?

joe a.

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> I wonder how much deeper the ocean would be without sponges.
Re: RP_MATCHES_RCVD letting in SPAM
>> On 8/20/2013 at 5:00 AM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>>> On 19.08.13 18:23, Joe Acquisto-j4 wrote:
>>>> So, I have this in my /etc/mail/spamassassin/local.cf:
>>
>> is that the same as /etc/spamassassin/local.cf?

On 20.08.13 08:05, Joe Acquisto-j4 wrote:
> Don't have one of those. /etc/mail/spamassassin is where bayes_db,
> sa-update-keys and the assorted .pre files are.

OK, I just wasn't sure if you changed the correct file.

>>>> score RP_MATCHES_RCVD 0
>>>>
>>>> Yet, even after restart of spamd, mail comes thru with a -2.8. What
>>>> should I look at?

maybe any other file in /etc/mail/spamassassin?

>>>> I know other stuff is read as I changed trusted and local network
>>>> IP's and had a typo in one. lint called me out on it.
>>
>> what happens when you pipe a mail into spamassassin -D?
>
> Never tried it.
>
>> What does spamassassin --lint produce?
>
> Quite a lot. You want me to post the entire output?

here it produces nothing. Maybe there's really a syntax error in your configuration files?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines.
Re: RP_MATCHES_RCVD letting in SPAM
>>> What does spamassassin --lint produce?
>>
>> Quite a lot. You want me to post the entire output?
>
> here it produces nothing. Maybe there's really a syntax error in your
> configuration files?

Oh, sorry, it produces nothing here as well. I was thinking (not!) of spamassassin -D --lint > file 2>&1, which is quite verbose. But has not led me to a solution. It may be trying to . . .

joe a.
Re: RP_MATCHES_RCVD letting in SPAM
On Tue, 20 Aug 2013, Joe Acquisto-j4 wrote:

> On 8/20/2013 at 5:00 AM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> what happens when you pipe a mail into spamassassin -D?
>
> Never tried it.
>
>> What does spamassassin --lint produce?
>
> Quite a lot. You want me to post the entire output?

Bear in mind, that will tell you whether those configuration files are syntactically correct; that does not tell you anything about whether or not those are the files the spamd daemon is using.

Take a look at the script that starts spamd. It may have a hardcoded path to the configuration directory.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  We are hell-bent and determined to allocate the talent, the resources, the money, the innovation to absolutely become a powerhouse in the ad business. -- Microsoft CEO Steve Ballmer
  ...because allocating talent to securing Windows isn't profitable?
---
  4 days until the 1934th anniversary of the destruction of Pompeii
Re: RP_MATCHES_RCVD letting in SPAM
So, I have this in my /etc/mail/spamassassin/local.cf:

  score RP_MATCHES_RCVD 0

Yet, even after restart of spamd, mail comes thru with a -2.8. What should I look at?

I know other stuff is read as I changed trusted and local network IP's and had a typo in one. lint called me out on it.

joe a.
Re: RP_MATCHES_RCVD letting in SPAM
On Mon, 19 Aug 2013, Joe Acquisto-j4 wrote:

> So, I have this in my /etc/mail/spamassassin/local.cf:
>
>   score RP_MATCHES_RCVD 0
>
> Yet, even after restart of spamd, mail comes thru with a -2.8.

I assume you mean by that, RP_MATCHES_RCVD is still hitting and scoring points?

> What should I look at?

Silly question: are you using Amavis?

Are you sure that spamd is using that configuration file?

> I know other stuff is read as I changed trusted and local network IP's
> and had a typo in one. lint called me out on it.

The command-line SA environment is not necessarily the same environment as the daemon uses.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  Windows Genuine Advantage (WGA) means that now you use your computer at the sufferance of Microsoft Corporation. They can kill it remotely without your consent at any time for any reason; it also shuts down in sympathy when the servers at Microsoft crash.
---
  5 days until the 1934th anniversary of the destruction of Pompeii
Re: RP_MATCHES_RCVD letting in SPAM
On 8/19/2013 at 6:54 PM, John Hardin <jhar...@impsec.org> wrote:
> On Mon, 19 Aug 2013, Joe Acquisto-j4 wrote:
>
>> So, I have this in my /etc/mail/spamassassin/local.cf:
>>
>>   score RP_MATCHES_RCVD 0
>>
>> Yet, even after restart of spamd, mail comes thru with a -2.8.
>
> I assume you mean by that, RP_MATCHES_RCVD is still hitting and scoring
> points?

You assume correctly, Sir.

>> What should I look at?
>
> Silly question: are you using Amavis?

No. ISP is, tho.

> Are you sure that spamd is using that configuration file?

I thought so, as I put in the PW_IS_BAD_TLD rule someone on list provided, but now I see it is scoring 3.0, while I have it set to 4.0 in the config I think it is using. Has PW_IS_BAD_TLD been incorporated in to the base rule set?

I guess I need to dig in and refresh myself on where the config file to use is defined.

joe a.

>> I know other stuff is read as I changed trusted and local network IP's
>> and had a typo in one. lint called me out on it.
>
> The command-line SA environment is not necessarily the same environment
> as the daemon uses.
>
> --
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
>   Windows Genuine Advantage (WGA) means that now you use your computer at the sufferance of Microsoft Corporation. They can kill it remotely without your consent at any time for any reason; it also shuts down in sympathy when the servers at Microsoft crash.
> ---
>   5 days until the 1934th anniversary of the destruction of Pompeii
RP_MATCHES_RCVD letting in SPAM
Some of our users are getting a ton of SPAM from .br domains. If it weren't for RP_MATCHES_RCVD they would actually end up in their junk folder rather than their Inbox. Is there a general suggested adjustment I can make to catch these without tweaking RP_MATCHES_RCVD?

Return-Path: s...@uptop.com.br
Received: from edge01-zcs.vmware.com (LHLO edge01-zcs.vmware.com) (10.113.208.51)
  by mbs03-zcs.vmware.com with LMTP; Thu, 15 Aug 2013 11:27:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
  by edge01-zcs.vmware.com (Postfix) with ESMTP id A8C1A1931;
  Thu, 15 Aug 2013 11:27:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge01-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.069
X-Spam-Level: **
X-Spam-Status: No, score=2.069 tagged_above=-10 required=3
  tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
  HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001,
  RP_MATCHES_RCVD=-1.344, T_KHOP_FOREIGN_CLICK=0.01] autolearn=no
Authentication-Results: edge01-zcs.vmware.com (amavisd-new);
  dkim=pass (1024-bit key) header.d=uptop.com.br
Received: from edge01-zcs.vmware.com ([127.0.0.1])
  by localhost (edge01-zcs.vmware.com [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id vjdqouuXTjs0; Thu, 15 Aug 2013 11:27:15 -0700 (PDT)
Received: from vmta31.uptop.com.br (vmta31.uptop.com.br [5.135.117.31])
  by edge01-zcs.vmware.com (Postfix) with ESMTP id 5502699B
  for xx...@zimbra.com; Thu, 15 Aug 2013 11:27:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=upkey; d=uptop.com.br;
  h=To:Subject:Message-ID:Date:From:Reply-To:MIME-Version:List-Unsubscribe:Content-Type:Content-Transfer-Encoding;
  i=a...@uptop.com.br; bh=T9iP2DjK/6AQ4Vs6z6J5Ns129Jg=;
  b=FmrfkS17Bdb5zaJItp0+1hdmmlIoC8TXdgt/Z1/8/dPdT5K5yBka+jdLfLWKiJhR18koFcHgBl f2
  5p9CbRL25dr012hmqmgH5O/auyGb2HGHNxmAv5GgthtRuCTynO2oyUJ1Ykz/fQ6wnvsReynaz8oi
  pj4Oy7qviqGVdBzZZ4c=
To: x...@zimbra.com
Subject: =?UTF-8?B?QW5pdmVyc8OhcmlvIExhIEN1aXNpbmU6IDEwJSsxMCUgZGUgRGVzY29udG8gcGFyYSBWb2PDqiA=?=
Message-ID: 32c1d84426a44ac5e446b2a57d539...@www.uptop.com.br
Date: Thu, 15 Aug 2013 15:08:05 -0300
From: =?UTF-8?B?U2hvcHRpbWUuY29tLmJyIC0gTcOtZGlhTWFpbA==?= m...@uptop.com.br
Reply-To: m...@uptop.com.br
MIME-Version: 1.0
X-Mailer-LID: 3
List-Unsubscribe: http://www.uptop.com.br/unsubscribe.php?M=1938765&C=b8da7e6dcf057fc02a0cb072c0312e6f&L=3&N=379
X-Mailer-RecptId: 1938765
X-Mailer-SID: 379
X-Mailer-Sent-By: 1
Content-Type: multipart/alternative; charset=UTF-8; boundary=b1_bb546d207080f5562bf4cdc2c79bfd11
Content-Transfer-Encoding: 8bit

-- 
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: RP_MATCHES_RCVD letting in SPAM
Quanah Gibson-Mount wrote on 2013-08-15 21:05:
> Some of our users are getting a ton of SPAM from .br domains. If it
> weren't for RP_MATCHES_RCVD they would actually end up in their junk
> folder rather than their Inbox. Is there a general suggested adjustment
> I can make to catch these without tweaking RP_MATCHES_RCVD?

meta LOTS_OF_MONEY (3) (3) (3) (3)
meta RP_MATCHES_RCVD (1) (1) (1) (1)
Re: RP_MATCHES_RCVD letting in SPAM
--On Thursday, August 15, 2013 9:16 PM +0200 Benny Pedersen wrote:

> Quanah Gibson-Mount wrote on 2013-08-15 21:05:
>> Some of our users are getting a ton of SPAM from .br domains. If it
>> weren't for RP_MATCHES_RCVD they would actually end up in their junk
>> folder rather than their Inbox. Is there a general suggested adjustment
>> I can make to catch these without tweaking RP_MATCHES_RCVD?
>
> meta LOTS_OF_MONEY (3) (3) (3) (3)
> meta RP_MATCHES_RCVD (1) (1) (1) (1)

Perfect, thanks!

--Quanah

-- 
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: RP_MATCHES_RCVD letting in SPAM
--On Thursday, August 15, 2013 12:21 PM -0700 Quanah Gibson-Mount <qua...@zimbra.com> wrote:

> --On Thursday, August 15, 2013 9:16 PM +0200 Benny Pedersen wrote:
>
>> Quanah Gibson-Mount wrote on 2013-08-15 21:05:
>>> Some of our users are getting a ton of SPAM from .br domains. If it
>>> weren't for RP_MATCHES_RCVD they would actually end up in their junk
>>> folder rather than their Inbox. Is there a general suggested
>>> adjustment I can make to catch these without tweaking RP_MATCHES_RCVD?
>>
>> meta LOTS_OF_MONEY (3) (3) (3) (3)
>> meta RP_MATCHES_RCVD (1) (1) (1) (1)
>
> Perfect, thanks!

Hm, that won't catch our other BR spam though. :(

Return-Path: reto...@registraclique.com.br
Received: from edge01-zcs.vmware.com (LHLO edge01-zcs.vmware.com) (10.113.208.51)
  by mbs03-zcs.vmware.com with LMTP; Thu, 15 Aug 2013 11:15:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
  by edge01-zcs.vmware.com (Postfix) with ESMTP id CB83A1968;
  Thu, 15 Aug 2013 11:15:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge01-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.833
X-Spam-Level: **
X-Spam-Status: No, score=2.833 tagged_above=-10 required=3
  tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, HTML_IMAGE_RATIO_04=0.556,
  HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.344, T_DKIM_INVALID=0.01,
  T_KHOP_FOREIGN_CLICK=0.01] autolearn=no
Authentication-Results: edge01-zcs.vmware.com (amavisd-new);
  dkim=neutral reason=invalid (public key: not available) header.d=registraclique.com.br
Received: from edge01-zcs.vmware.com ([127.0.0.1])
  by localhost (edge01-zcs.vmware.com [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id Qup1pMAcaDgg; Thu, 15 Aug 2013 11:15:53 -0700 (PDT)
Received: from registraclique.com.br (s175.registraclique.com.br [141.105.64.175])
  by edge01-zcs.vmware.com (Postfix) with ESMTPS id 90F8A1940
  for xx...@zimbra.com; Thu, 15 Aug 2013 11:15:52 -0700 (PDT)
Received: by registraclique.com.br (Postfix, from userid 0)
  id 2BAEB8860B8; Thu, 15 Aug 2013 10:22:21 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=registraclique.com.br;
  s=default; t=1376590475; bh=nUoQ44WhTVHL4zF0mcmuHnMTLjLNO1sgscswqFRg/0g=;
  h=To:Subject:Date:From:Reply-To:List-Unsubscribe;
  b=ovlYK4eRDyhcbVMwLbd+TqVjdXO2pwQyko4Kc0FKjdan2k8tz9uO6y2633kIBG+fb
  NJLigYccPUTrD/2B6MYTgWzXulw8pQtVbXSKnuzXAq0pZmwx5a+jXiVJOWH8gsW1e7
  FW+Qaxu0aIrmfOkPLOzGHALhLkg8JIxWLiAbe/lE=
To: xx...@zimbra.com
Subject: Fale Ilimitado Com Todo O Brasil Por R$19,90!
Message-ID: 350297cb0672e79fdb9aa53472cca...@www.registraclique.com.br
Date: Thu, 15 Aug 2013 09:16:29 -0400
From: =?UTF-8?B?Q2xhcm8gRmFsZSDDoCBWb250YWRl?= cont...@registraclique.com.br
Reply-To: cont...@registraclique.com.br
MIME-Version: 1.0
X-Mailer-LID: 11
List-Unsubscribe: http://www.registraclique.com.br/iem/unsubscribe.php?M=1531174&C=77d064e695a19edb4155caf4c244402a&L=11&N=72
X-Mailer-RecptId: 1531174
X-Mailer-SID: 72
X-Mailer-Sent-By: 1
Content-Type: multipart/alternative; charset=UTF-8; boundary=b1_bb3d14c03992adb6a28e84dfa3fb4b7d
Content-Transfer-Encoding: 8bit

--b1_bb3d14c03992adb6a28e84dfa3fb4b7d
Content-Type: text/plain; format=flowed; charset=UTF-8
Content-Transfer-Encoding: 8bit

-- 
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: RP_MATCHES_RCVD letting in SPAM
On Thu, 15 Aug 2013, Benny Pedersen wrote:

> meta LOTS_OF_MONEY (3) (3) (3) (3)

I *do not recommend* doing that. There is a lot of legitimate email that mentions large monetary amounts (e.g. a newsletter discussing the US budget deficit).

That rule's score is informational on purpose, so that the description will appear in the rule hits without affecting the score noticeably. It's intended to be used in metas with other rules that make a mention of a large amount of money suspicious.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  Maxim IX: Never turn your back on an enemy.
---
  Today: the 68th anniversary of the end of World War II
Re: RP_MATCHES_RCVD letting in SPAM
John Hardin wrote on 2013-08-15 21:41:

> the score noticeably. It's intended to be used in metas with other rules
> that make a mention of a large amount of money suspicious.

also why i used soft blacklists, i have not seen the real problem yet, but imho anyone can soft score adjust if needed, or even make more specific rules to detect spams locally, i loosed to check if the mails was really from a maillist with opt-out problematic, only the recipient can tell
Re: RP_MATCHES_RCVD letting in SPAM
Quanah Gibson-Mount wrote on 2013-08-15 21:25:

> Hm, that won't catch our other BR spam though. :(

> List-Unsubscribe: http://www.registraclique.com.br/iem/unsubscribe.php?M=1531174&C=77d064e695a19edb4155caf4c244402a&L=11&N=72

unsubscribe ? if recipient was not opt-in then block sender domain with mta rule, don't accept opt-out !
Re: RP_MATCHES_RCVD letting in SPAM
On 15.08.13 12:05, Quanah Gibson-Mount wrote:
> Some of our users are getting a ton of SPAM from .br domains. If it
> weren't for RP_MATCHES_RCVD they would actually end up in their junk
> folder rather than their Inbox. Is there a general suggested adjustment
> I can make to catch these without tweaking RP_MATCHES_RCVD?

I have

  score RP_MATCHES_RCVD 0

in /etc/mail/local.cf

there is __RP_MATCHES_RCVD that has to be used in metas. I don't see any point in giving positive score to mail just because it's not any kind of forged...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...
Re: RP_MATCHES_RCVD letting in SPAM
Matus UHLAR - fantomas wrote on 2013-08-15 22:33:

> score RP_MATCHES_RCVD 0

hard scoring

> there is __RP_MATCHES_RCVD that has to be used in metas. I don't see any
> point in giving positive score to mail just because it's not any kind of
> forged...

__foo have no scores, no point in setting it, well if rules gives negative scores for spam it would make sense to add (softblacklist) that rule until its detected as spam, or create another rule so it works specific to the spam

with hard scoring one loses corpus scoring from apache.org :)
Re: RP_MATCHES_RCVD letting in SPAM
> Matus UHLAR - fantomas wrote on 2013-08-15 22:33:
>> score RP_MATCHES_RCVD 0
>
> hard scoring
>
>> there is __RP_MATCHES_RCVD that has to be used in metas. I don't see
>> any point in giving positive score to mail just because it's not any
>> kind of forged...

On 15.08.13 22:41, Benny Pedersen wrote:
> __foo have no scores, no point in setting it, well if rules gives
> negative scores for spam it would make sense to add (softblacklist) that
> rule until its detected as spam, or create another rule so it works
> specific to the spam
>
> with hard scoring one loses corpus scoring from apache.org :)

I have said it already: There's no point in decreasing score just because the sender domain is the same as the mail server. That's why I set RP_MATCHES_RCVD to 0 so it will not hit.

If anyone wants to use this in meta rules, we have __RP_MATCHES_RCVD (with default score of 0) for such usage. Since RP_MATCHES_RCVD has score of 0, it won't hit any metas since it's disabled by setting the score to 0.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Save the whales. Collect the whole set.
Re: RP_MATCHES_RCVD letting in SPAM
--On Thursday, August 15, 2013 10:07 PM +0200 Benny Pedersen wrote:

> Quanah Gibson-Mount wrote on 2013-08-15 21:25:
>
>> Hm, that won't catch our other BR spam though. :(
>
>> List-Unsubscribe:
>> http://www.registraclique.com.br/iem/unsubscribe.php?M=1531174&C=77d064e695a19edb4155caf4c244402a&L=11&N=72
>
> unsubscribe ? if recipient was not opt-in then block sender domain with
> mta rule, don't accept opt-out !

Thanks Benny, I will just blacklist them.

--Quanah

-- 
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Malformed envelope-from triggering RP_MATCHES_RCVD
Hello,

Recently I got a pump-and-dump spam that got through because of a significant score amount being subtracted by matching the RP_MATCHES_RCVD rule. When investigating the headers, I've observed the following:

  ...
  Received: from unknown (HELO localhost) (ed...@hiwaay.net@223.229.72.179)
    by diply-magpie.volia.net with ESMTPA; Tue, 13 Aug 2013 06:51:46 +0200
  X-Originating-IP: 223.229.72.179
  From: ed...@hiwaay.net
  ...

I suspect that the intentionally malformed address in Received triggers the rule.

Regards,
Adrian
Re: Malformed envelope-from triggering RP_MATCHES_RCVD
Hi,

> Recently I got a pump-and-dump spam that got through because of a
> significant score amount being subtracted by matching the
> RP_MATCHES_RCVD rule.

Many of us have reduced that rule to a very low score for this reason. Too many legitimate mail servers lack a proper rDNS.

  score RP_MATCHES_RCVD -0.001

Regards,
Alex
Re: Malformed envelope-from triggering RP_MATCHES_RCVD
On Tue, 13 Aug 2013 08:38:50 -0400
Alex wrote:

> Hi,
>
>> Recently I got a pump-and-dump spam that got through because of a significant score amount being subtracted by matching the RP_MATCHES_RCVD rule.
>
> Many of us have reduced that rule to a very low score for this reason. Too many legitimate mail servers lack a proper rDNS.

That's not the reason it fails, it requires rDNS to match. It fails because a lot of spam has rDNS that does match the mail from domain - particularly abused free email providers. I think this is a sign of a skewed corpus rather than a useful rule.
Re: Malformed envelope-from triggering RP_MATCHES_RCVD
On 13.08.2013 15:00, RW wrote:
> On Tue, 13 Aug 2013 08:38:50 -0400
> Alex wrote:
>
>> Hi,
>>
>>> Recently I got a pump-and-dump spam that got through because of a significant score amount being subtracted by matching the RP_MATCHES_RCVD rule.
>>
>> Many of us have reduced that rule to a very low score for this reason. Too many legitimate mail servers lack a proper rDNS.
>
> That's not the reason it fails, it requires rDNS to match. It fails because a lot of spam has rDNS that does match the mail from domain - particularly abused free email providers. I think this is a sign of a skewed corpus rather than a useful rule.

Thanks for clarifying. I've just lowered the score to minimum for this rule altogether per Alex's advice.

-- 
Adrian
Re: URL spam and RP_MATCHES_RCVD
Hello Kris,

Friday, April 12, 2013, 4:23:55 PM, you wrote:

KD> I see the score showing a little less in the current update:
KD> score RP_MATCHES_RCVD -0.551 -1.344 -0.551 -1.344

Since gone back up :(

score RP_MATCHES_RCVD -0.553 -2.438 -0.553 -2.438

After this morning's update-

Apr 29 04:23:04.159 [25316] dbg: channel: metadata version = 1476108
Apr 29 04:23:04.287 [25316] dbg: dns: 2.3.3.updates.spamassassin.org = 1476532, parsed as 1476532

-- 
Best regards,
Niamh mailto:ni...@fullbore.co.uk
Re: URL spam and RP_MATCHES_RCVD
Hello Kris,

Monday, April 15, 2013, 8:34:55 PM, you wrote:

KD> There seems to be a lame server:

Still is!

dig +short 2.3.3.updates.spamassassin.org txt @ns.hyperreal.org.
1462428
dig +short 2.3.3.updates.spamassassin.org txt @a.auth-ns.sonic.net.
1468800
Re: URL spam and RP_MATCHES_RCVD
On Wed, 17 Apr 2013 19:07:39 -0400
Alex wrote:

> we'll continue to monitor the stock values. I didn't realize the corpus could lack the volume to get a more accurate calculation.

It's more a matter of balance and diversity than volume.
Re: URL spam and RP_MATCHES_RCVD
Hi,

>> we'll continue to monitor the stock values. I didn't realize the corpus could lack the volume to get a more accurate calculation.
>
> It's more a matter of balance and diversity than volume.

Ah, okay, that makes sense.

Somewhat related, but can I ask if anyone has rules to score the junk from constantcontact.com or vresp.com or verticalresponse.com? How would that be included with the masschecks, since so much of it is junk, but really classified as marketing emails?

Those three domains (and other popular email marketing companies) seem to be a legitimate way for spammers to reach their targets with a free pass.

Thanks,
Alex
Re: URL spam and RP_MATCHES_RCVD
Hi,

>> I can understand adjusting the values slightly for each user's particular situation, but doesn't it generally throw off the balance of how the email as a whole is weighted when you adjust values in that way?
>
> If a rule is causing undesired behaviour (for this particular rule, false negatives due to this hitting eg Hotmail or Yahoo mail), then the stock score is not suitable for that mail flow.
>
> I add a score override on a stock rule a couple of times a month (usually due to a FP report); I review them every couple of months to see if a) the stock score is now closer to the local override or b) the rule has been removed completely.

Thanks for everyone's input. We did get an FP with it set to zero, so we'll continue to monitor the stock values. I didn't realize the corpus could lack the volume to get a more accurate calculation. Wish we could help there.

Thanks,
Alex
Re: URL spam and RP_MATCHES_RCVD
On 16/04/13 00:07, Alex wrote:
> Hi,
>
>> But I stand by my local.cf entry reducing RP_MATCHES_RCVD to an advisory -0.001; it may be useful in combination with other rules, but I don't think it's valuable enough on its own to have even -0.5 points. I can't say I've seen any evidence in the mail stream I deal with that scoring down like that is causing either FPs or FNs.
>
> These values are automatically generated from presumably tens or hundreds of thousands of messages to determine exactly how it should be weighted, just like all other stock rules, correct?
>
> I can understand adjusting the values slightly for each user's particular situation, but doesn't it generally throw off the balance of how the email as a whole is weighted when you adjust values in that way?

In an ideal world, yes. But I suspect the SA auto-generated scoring system is far from an ideal world due to the limited number of contributors to the spam/ham corpus and the fact that your or my mail streams might not accurately reflect those contributed to the corpus.

So, if a high scoring (positive or negative) rule hit is clearly causing FPs or FNs in your mail stream then it's generally better to simply nullify that rule, either disabling it by setting the score to zero or by assigning an arbitrary low score for informational purposes, thus allowing you to continue to track its performance whilst not otherwise affecting the overall scoring of the system.
Subject: Fusemail Technical Support for Case - 03278437 ref:_00D301Siv._50060Ppgo5:ref – Re: URL spam and RP_MATCHES_RCVD
On 16/04/13 14:28, Ned Slider wrote:
> In an ideal world, yes. But I suspect the SA auto-generated scoring system is far from an ideal world due to the limited number of contributors to the spam/ham corpus and the fact that your or my mail streams might not accurately reflect those contributed to the corpus.
>
> So, if a high scoring (positive or negative) rule hit is clearly causing FP's or FN's in your mail stream then it's generally better to simply nullify that rule, either disabling it by setting the score to zero or by assigning an arbitrary low score for informational purposes thus allowing you to continue to track it's performance whilst not otherwise affecting the overall scoring of the system.

Perhaps someone could unsubscribe the role account @fusemail.com that appears to open a support ticket and auto-replies in response to posts to this mailing list :-D

-------- Original Message --------
Subject: Subject: Fusemail Technical Support for Case - 03278437 ref:_00D301Siv._50060Ppgo5:ref – Re: URL spam and RP_MATCHES_RCVD
Date: Tue, 16 Apr 2013 13:29:34 + (GMT)
From: techsupp...@fusemail.com
To: n...@unixmail.co.uk

Thank you for your inquiry Customer,

Thank you for contacting FuseMail® Technical Support with your inquiry. A support agent will respond as soon as possible with more information to help you resolve your issue. In the meantime if you need to contact us again regarding this issue please refer to Case - 03278437.

We appreciate your time and consideration and look forward to speaking with you soon.

Sincerely,
The FuseMail® team
www.fusemail.com
Re: URL spam and RP_MATCHES_RCVD
Alex wrote:
> I can understand adjusting the values slightly for each user's particular situation, but doesn't it generally throw off the balance of how the email as a whole is weighted when you adjust values in that way?

If a rule is causing undesired behaviour (for this particular rule, false negatives due to this hitting eg Hotmail or Yahoo mail), then the stock score is not suitable for that mail flow.

I add a score override on a stock rule a couple of times a month (usually due to a FP report); I review them every couple of months to see if a) the stock score is now closer to the local override or b) the rule has been removed completely.

-kgd
Re: URL spam and RP_MATCHES_RCVD
Hello Kris,

Friday, April 12, 2013, 4:23:55 PM, you wrote:

KD> score RP_MATCHES_RCVD -0.551 -1.344 -0.551 -1.344

I'm seeing-

score RP_MATCHES_RCVD -0.552 -2.373 -0.552 -2.373

But perhaps there is something odd, I'm seeing that my current version is higher than the new version-

Apr 15 18:44:52.484 [17403] dbg: channel: current version is 1463883, new version is 1462428, skipping channel
Re: URL spam and RP_MATCHES_RCVD
On 15/04/13 18:46, Niamh Holding wrote:
> Hello Kris,
>
> Friday, April 12, 2013, 4:23:55 PM, you wrote:
>
> KD> score RP_MATCHES_RCVD -0.551 -1.344 -0.551 -1.344
>
> I'm seeing-
>
> score RP_MATCHES_RCVD -0.552 -2.373 -0.552 -2.373
>
> But perhaps there is something odd, I'm seeing that my current version is higher than the new version-
>
> Apr 15 18:44:52.484 [17403] dbg: channel: current version is 1463883, new version is 1462428, skipping channel

I was seeing that too, but the latest update (as of now) gives:

score RP_MATCHES_RCVD -0.550 -0.556 -0.550 -0.556

dbg: channel: current version is 1467748, new version is 1467748, skipping channel
Re: URL spam and RP_MATCHES_RCVD
Niamh Holding wrote:
> Friday, April 12, 2013, 4:23:55 PM, you wrote:
>
> KD> score RP_MATCHES_RCVD -0.551 -1.344 -0.551 -1.344
>
> I'm seeing-
>
> score RP_MATCHES_RCVD -0.552 -2.373 -0.552 -2.373
>
> But perhaps there is something odd, I'm seeing that my current version is higher than the new version-
>
> Apr 15 18:44:52.484 [17403] dbg: channel: current version is 1463883, new version is 1462428, skipping channel

There seems to be a lame server:

# dig +short 2.3.3.updates.spamassassin.org txt @ns.hyperreal.org.
1462428
# dig +short 2.3.3.updates.spamassassin.org txt @a.auth-ns.sonic.net.
1467748
# dig +short 2.3.3.updates.spamassassin.org txt @b.auth-ns.sonic.net.
1467748
# dig +short 2.3.3.updates.spamassassin.org txt @c.auth-ns.sonic.net.
1467748

But I stand by my local.cf entry reducing RP_MATCHES_RCVD to an advisory -0.001; it may be useful in combination with other rules, but I don't think it's valuable enough on its own to have even -0.5 points. I can't say I've seen any evidence in the mail stream I deal with that scoring down like that is causing either FPs or FNs.

-kgd
Re: URL spam and RP_MATCHES_RCVD
Hi,

> But I stand by my local.cf entry reducing RP_MATCHES_RCVD to an advisory -0.001; it may be useful in combination with other rules, but I don't think it's valuable enough on its own to have even -0.5 points. I can't say I've seen any evidence in the mail stream I deal with that scoring down like that is causing either FPs or FNs.

These values are automatically generated from presumably tens or hundreds of thousands of messages to determine exactly how it should be weighted, just like all other stock rules, correct?

I can understand adjusting the values slightly for each user's particular situation, but doesn't it generally throw off the balance of how the email as a whole is weighted when you adjust values in that way?

Thanks,
Alex
Re: URL spam and RP_MATCHES_RCVD
On 11.04.13 18:56, Alex wrote:
> I'm now receiving spam that contains little more than a URL that keeps it from matching my body uri only rules because of a little additional junk in the body, and apparently is sent from legitimate compromised yahoo accounts, resulting in -2.4 points being subtracted.
>
> Has anyone else come across this, or also think -2.4 points is quite a bit for simply having the sender address matching the received header?

Just a few days ago I disabled the RP_MATCHES_RCVD rule (set score to 0) on my machine, because it has too aggressive a negative value and spam was repeatedly leaking thanks to it.

I agree with such a check belonging to e-mail, but no direct negative score should be applied here. There's the __RP_MATCHES_RCVD meta available.
Re: URL spam and RP_MATCHES_RCVD
Alex wrote:
> Hi,
>
> I'm now receiving spam that contains little more than a URL that keeps it from matching my body uri only rules because of a little additional junk in the body, and apparently is sent from legitimate compromised yahoo accounts, resulting in -2.4 points being subtracted.
>
> Has anyone else come across this, or also think -2.4 points is quite a bit for simply having the sender address matching the received header?

I see the score showing a little less in the current update:

score RP_MATCHES_RCVD -0.551 -1.344 -0.551 -1.344

but I agree that it's really not worth that much with the volume of spam coming from Yahoo! and Hotmail.

local.cf:

score RP_MATCHES_RCVD -0.001

-kgd
URL spam and RP_MATCHES_RCVD
Hi,

I'm now receiving spam that contains little more than a URL that keeps it from matching my body uri only rules because of a little additional junk in the body, and apparently is sent from legitimate compromised yahoo accounts, resulting in -2.4 points being subtracted.

Has anyone else come across this, or also think -2.4 points is quite a bit for simply having the sender address matching the received header?

Here's an example. I'd appreciate any ideas. If you think v3.4 would address this, please let me know, and I'll install it, even though it's not yet released.

http://pastebin.com/d4RnYQww

Thanks,
Alex
Re: URL spam and RP_MATCHES_RCVD
On Thu, 2013-04-11 at 18:56 -0400, Alex wrote:
> Hi,
>
> I'm now receiving spam that contains little more than a URL that keeps it from matching my body uri only rules because of a little additional junk in the body, and apparently is sent from legitimate compromised yahoo accounts, resulting in -2.4 points being subtracted.

But this isn't Yahoo - weirdly, it looks like it's faking Hotmail. It's been sent through Hotmail but neither the Message-ID nor the Return-Path match a Hotmail origin. You might get somewhere with a meta combining those or 'doing a Yahoo FS' with a rule that fires if Sender domain != Message-ID domain, but you'd need to check several messages to see if that looks reliable. OTOH you might see a common factor in the message bodies that is worth writing a rule for.

I haven't seen anything like your example, but then again I didn't see your two extension candidates for the MG-YAHOO_FS rule either.

Everybody's spam stream tends to be different: for the last couple of weeks I've been seeing pump-and-dump equity spam and sex medication offers which both are causing the BOBAX-GEN3 rule to fire and it's all ending up in the bit bucket where it belongs. As I haven't seen that rule trigger for a few years, I'm wondering if anybody else has noticed this type of spam recently. Maybe some bot herder is flogging off his old junk?

Martin
Re: URL spam and RP_MATCHES_RCVD
Hi,

>> I'm now receiving spam that contains little more than a URL that keeps it from matching my body uri only rules because of a little additional junk in the body, and apparently is sent from legitimate compromised yahoo accounts, resulting in -2.4 points being subtracted.
>
> But this isn't Yahoo - weirdly, it looks like it's faking Hotmail. It's been sent through Hotmail but neither the Message-ID nor the Return-Path match a Hotmail origin.

Yes, that's what I meant but somehow typed yahoo.

> You might get somewhere with a meta combining those or 'doing a Yahoo FS' with a rule that fires if Sender domain != Message-ID domain, but you'd need to check several messages to see if that looks reliable. OTOH you might see a common factor in the message bodies that is worth writing a rule for.

Considering my typo, I'll investigate possibly creating a body rule, unless someone else has some possible suggestions for how to do this.

> Everybody's spam stream tends to be different: for the last couple of weeks I've been seeing pump-and-dump equity spam and sex medication offers which both are causing the BOBAX-GEN3 rule to fire and it's all ending up in the bit bucket where it belongs.

I'm starting to see a lot of new garden hose spam, and still getting the 2012 Cars spam.

Thanks,
Alex
RP_MATCHES_RCVD
There seems to be a consensus that SPF and DKIM passes aren't worth significant scores. So how is it that RP_MATCHES_RCVD scores -1.2 when it is just a circumstantial version of what SPF does explicitly?

For me it's hitting more spam than ham, and what's worse, it's mostly hitting low-scoring freemail spam. Is it just me that's seeing this, or is there maybe some kind of bias in the test corpora?
Re: RP_MATCHES_RCVD
On 28/07/11 15:28, RW wrote:
> There seems to be a consensus that SPF and DKIM passes aren't worth significant scores. So how is it that RP_MATCHES_RCVD scores -1.2 when it is just a circumstantial version of what SPF does explicitly?
>
> For me it's hitting more spam than ham, and what's worse, it's mostly hitting low-scoring freemail spam. Is it just me that's seeing this, or is there maybe some kind of bias in the test corpora?

Yes, I've noticed this too recently and had knocked the score down to 0.001 for information only about a week ago. I've found it hitting on spam and didn't find it useful on ham (i.e., I don't generally suffer from ham being mis-classified as spam).
Re: RP_MATCHES_RCVD
On 07/28/2011 09:28 AM the voices made RW write:
> There seems to be a consensus that SPF and DKIM passes aren't worth significant scores. So how is it that RP_MATCHES_RCVD scores -1.2 when it is just a circumstantial version of what SPF does explicitly?
>
> For me it's hitting more spam than ham, and what's worse, it's mostly hitting low-scoring freemail spam. Is it just me that's seeing this, or is there maybe some kind of bias in the test corpora?

+1

RP_MATCHES_RCVD hits tons of (snowshoe?) spam here. Different senders, different IPs, but often the same /16 or /24 networks.

I had some local meta rules that used T_RP_MATCHES_RCVD, but evidently the name was changed to RP_MATCHES_RCVD and the spam started flying in.
Re: RP_MATCHES_RCVD
On 7/28/11 9:48 AM, Mike Grau m.g...@kcc.state.ks.us wrote:
> On 07/28/2011 09:28 AM the voices made RW write:
>> There seems to be a consensus that SPF and DKIM passes aren't worth significant scores. So how is it that RP_MATCHES_RCVD scores -1.2 when it is just a circumstantial version of what SPF does explicitly?
>>
>> For me it's hitting more spam than ham, and what's worse, it's mostly hitting low-scoring freemail spam. Is it just me that's seeing this, or is there maybe some kind of bias in the test corpora?
>
> +1
>
> RP_MATCHES_RCVD hits tons of (snowshoe?) spam here. Different senders, different IPs, but often the same /16 or /24 networks.
>
> I had some local meta rules that used T_RP_MATCHES_RCVD, but evidently the name was changed to RP_MATCHES_RCVD and the spam started flying in.

I see a lot of messages hitting RP_MATCHES_RCVD that also hit one of the Invaluement rbls. Invaluement primarily targets snowshoe spammers.

$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
41618
$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
55033

So I have also changed the score to 0.01

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RP_MATCHES_RCVD
On Thu, 28 Jul 2011 15:28:37 +0100, RW wrote:
> There seems to be a consensus that SPF and DKIM passes aren't worth significant scores. So how is it that RP_MATCHES_RCVD scores -1.2 when it is just a circumstantial version of what SPF does explicitly?
>
> For me it's hitting more spam than ham, and what's worse, it's mostly hitting low-scoring freemail spam. Is it just me that's seeing this, or is there maybe some kind of bias in the test corpora?

add in local.cf:

score RP_MATCHES_RCVD (1.1)

if that solves the problem, make a bug
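As an added example (not from any of the posts in these threads), a local.cf fragment that puts the adjustments discussed here side by side: Matus's `score RP_MATCHES_RCVD 0` with `__RP_MATCHES_RCVD` for metas, the advisory -0.001 used by Kris and Alex, and Benny's diagnostic positive score. It assumes the FreeMail plugin is loaded so that FREEMAIL_FROM exists; the LOCAL_* rule name is invented here.

```conf
# local.cf fragment (added example, not from the list posts)

# Weak setting, as shipped: the stock negative score is applied on its own, so
# freemail spam whose envelope-from domain matches the relay rDNS gets a free
# pass of a point or more.
#   score RP_MATCHES_RCVD -1.2        # stock value quoted in the 2011 thread

# Option A (Matus): disable the rule outright. A score of 0 turns a rule off,
# so it is not run and never shows up in X-Spam-Status.
#   score RP_MATCHES_RCVD 0

# Option B (Kris, Alex, Ned): advisory score. The rule still runs and its name
# still appears in the hit list and mail logs, so its hit rate on spam vs ham
# can be tracked (as Daniel's grep does), but it no longer moves the total.
score RP_MATCHES_RCVD -0.001

# Build local metas on __RP_MATCHES_RCVD, never on RP_MATCHES_RCVD: rules whose
# names start with __ carry no score of their own and are unaffected by score
# overrides, so either option above leaves the meta intact. This meta awards a
# small negative score only when the sender is NOT a freemail address, which is
# where the threads report the leaks. Assumes the FreeMail plugin is loaded so
# FREEMAIL_FROM exists; LOCAL_RP_MATCH_NONFREEMAIL is a name made up here.
meta     LOCAL_RP_MATCH_NONFREEMAIL  (__RP_MATCHES_RCVD && !FREEMAIL_FROM)
describe LOCAL_RP_MATCH_NONFREEMAIL  Sender domain matches relay rDNS, not freemail
score    LOCAL_RP_MATCH_NONFREEMAIL  -0.5

# Diagnostic only (Benny): temporarily give the rule a positive score; if the
# leaks stop, the rule is the cause and a bug report is warranted. Revert after.
#   score RP_MATCHES_RCVD 1.1
```

Run `spamassassin --lint` after editing so a missing FREEMAIL_FROM or a typo in the meta is caught before the config goes live.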
Re: RP_MATCHES_RCVD
On Thu, 28 Jul 2011, Daniel McDonald wrote:

> I see a lot of messages hitting RP_MATCHES_RCVD that also hit one of the Invaluement rbls. Invaluement primarily targets snowshoe spammers.
>
> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
> 41618
> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
> 55033
>
> So I have also changed the score to 0.01

Dan, your last masscheck only had 6 spam hits for that rule...

http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail

Care to drop a few thousand of those into your corpus? :)

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
One difference between a liberal and a pickpocket is that if you demand your money back from a pickpocket he will not question your motives. -- William Rusher
---
8 days until the 276th anniversary of John Peter Zenger's acquittal
Re: RP_MATCHES_RCVD
On 7/28/11 11:47 AM, John Hardin jhar...@impsec.org wrote:
> On Thu, 28 Jul 2011, Daniel McDonald wrote:
>
>> I see a lot of messages hitting RP_MATCHES_RCVD that also hit one of the Invaluement rbls. Invaluement primarily targets snowshoe spammers.
>>
>> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
>> 41618
>> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
>> 55033
>>
>> So I have also changed the score to 0.01
>
> Dan, your last masscheck only had 6 spam hits for that rule...
>
> http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail

That's my home mail, not $DAYJOB...

> Care to drop a few thousand of those into your corpus? :)

I might be able to figure out a way to extract them from quarantine. But they haven't been hand-checked. I've got 33,084 of them that hit RP_MATCHES_RCVD and an Invaluement list that are in this week's quarantine. I'll see what I can do...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RP_MATCHES_RCVD
On 07/28, John Hardin wrote:
> On Thu, 28 Jul 2011, Daniel McDonald wrote:
>> I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the Invaluement rbls. Invaluement primarily targets snowshoe spammers.
>
> http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail
>
> Care to drop a few thousand of those into your corpus? :)

As John is kind of pointing out here, the spamassassin score generation system is capable of handling this kind of problem automatically, if more of you participate in masschecks:

http://wiki.apache.org/spamassassin/NightlyMassCheck

-- 
Immorality: The morality of those who are having a better time - Henry Louis Mencken
http://www.ChaosReigns.com