Re: Invoice phish

2018-05-09 Thread Rupert Gallagher
Is O365 freemail now? Free from Microsoft is an oxymoron.

Re: training bayes database

2018-05-09 Thread Matthew Broadhead
On 09/05/18 09:09, Reio Remma wrote: On 09.05.18 9:57, Matthew Broadhead wrote: BAYES_00=-1.9 I've personally set *bayes_sql_override_username = amavis* in my local.cf If at all possible, run amavisd with SA bayes debug to see if/how it's using the database. Good luck, Reio Thanks

Re: training bayes database

2018-05-09 Thread Matthew Broadhead
(1) [root@ns1 ~]# sudo -H -u amavis bash -c '/usr/bin/sa-learn --dump magic' 0.000  0  3  0  non-token data: bayes db version 0.000  0  32225  0  non-token data: nspam 0.000  0 440420  0  non-token data: nham 0.000  0

Re: training bayes database

2018-05-09 Thread Reio Remma
On 09.05.18 9:57, Matthew Broadhead wrote: BAYES_00=-1.9 I've personally set *bayes_sql_override_username = amavis* in my local.cf If at all possible, run amavisd with SA bayes debug to see if/how it's using the database. Good luck, Reio

Re: Invoice phish

2018-05-09 Thread David Jones
On 05/09/2018 10:59 AM, Alex wrote: Hi, https://pastebin.com/raw/TfvhUu0X ... What I have had to do is basically increase the score on all invoice emails to try to block the bad ones and then whitelist the good ones. That email was BCC'd which is another suspicious trait which is why I

Re: Invoice phish

2018-05-09 Thread John Hardin
On Wed, 9 May 2018, Alex wrote: Hi, Hi, Does anyone have any special techniques for catching these invoice phish emails? https://pastebin.com/raw/TfvhUu0X I've added a few body rules, and even despite training previous similar messages as spam, they continue. These emails very closely

Re: training bayes database

2018-05-09 Thread John Hardin
Also: On Wed, 9 May 2018, Matthew Broadhead wrote: your message has X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2 Setting the threshold higher will result in more spam getting through. The scores calculated by the masscheck processes are based on the assumption that the

Re: Invoice phish

2018-05-09 Thread Alex
Hi, >> Hi, >> Does anyone have any special techniques for catching these invoice phish >> emails? >> >> https://pastebin.com/raw/TfvhUu0X >> >> I've added a few body rules, and even despite training previous >> similar messages as spam, they continue. These emails very closely >> resemble

Re: Invoice phish

2018-05-09 Thread Alex
Hi, > One more thing. I have expanded my definition of FREEMAIL to any Google and > Office 365 senders like this: > > header __RCVD_YAHOO Received =~ /\.yahoo\.com \[/ > header __RCVD_HOTMAIL Received =~ /\.hotmail\.com \[/ > header __RCVD_GOOGLE

Re: Invoice phish

2018-05-09 Thread Kris Deugau
David Jones wrote: One more thing.  I have expanded my definition of FREEMAIL to any Google and Office 365 senders like this: header  __RCVD_YAHOO    Received =~ /\.yahoo\.com \[/ header  __RCVD_HOTMAIL  Received =~ /\.hotmail\.com \[/ header 

Re: training bayes database

2018-05-09 Thread Matthew Broadhead
On 09/05/18 16:03, Reio Remma wrote: On 09.05.18 16:59, Matthew Broadhead wrote: setting log_level and sa_debug in /etc/amavisd/amavisd.conf didn't seem to make any difference. should i be doing it in /etc/mail/spamassassin/local.cf? See if $sa_debug=1 works (for full debug)? (and restart

Re: Invoice phish

2018-05-09 Thread David Jones
On 05/09/2018 10:02 AM, Alex wrote: Hi, One more thing. I have expanded my definition of FREEMAIL to any Google and Office 365 senders like this: header __RCVD_YAHOO Received =~ /\.yahoo\.com \[/ header __RCVD_HOTMAIL Received =~ /\.hotmail\.com \[/

Re: training bayes database

2018-05-09 Thread John Hardin
On Wed, 9 May 2018, Matthew Broadhead wrote: [root@ns1 ~]# sudo -H -u amavis bash -c '/usr/bin/sa-learn --dump magic' 0.000  0  3  0  non-token data: bayes db version 0.000  0  32225  0  non-token data: nspam 0.000  0 440420  0 

Re: training bayes database

2018-05-09 Thread Reio Remma
> On 9 May 2018, at 18:33, John Hardin wrote: > > Also: > >> On Wed, 9 May 2018, Matthew Broadhead wrote: >> >> your message has >> >> X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2 > > Setting the threshold higher will result in more spam getting

Re: training bayes database

2018-05-09 Thread John Hardin
On Wed, 9 May 2018, Reio Remma wrote: On 9 May 2018, at 18:33, John Hardin wrote: Also: On Wed, 9 May 2018, Matthew Broadhead wrote: your message has X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2 Setting the threshold higher will result in more spam

Re: Invoice phish

2018-05-09 Thread Alex
Hi, >> https://pastebin.com/raw/TfvhUu0X >> ... > What I have had to do is basically increase the score on all invoice emails > to try to block the bad ones and then whitelist the good ones. > > That email was BCC'd which is another suspicious trait which is why I bump > up the score for MISSING

Re: Invoice phish

2018-05-09 Thread David Jones
On 05/09/2018 03:03 AM, Rupert Gallagher wrote: Is O365 freemail now? Free from Microsoft is an oxymoron. If you look at the comments in the rule files (20_freemail_domains.cf) you will find that FREEMAIL is actually any mail provider that is commonly abused and often sends spam. O365 does

Re: Mysterious false positives in inbox

2018-05-09 Thread Reio Remma
Wild stab - maybe they're entering the system already with ***SPAM*** in the subject? With amavisd-new it's amavisd that modifies the subject, local.cf shouldn't have an effect on that. Good luck, Reio On 09.05.18 14:02, Eggert Ehmke wrote: Hello, I have spamassassin 3.4.1 / amavisd /

Re: training bayes database

2018-05-09 Thread Matthew Broadhead
On 09/05/18 15:48, Reio Remma wrote: On 09.05.18 16:33, Matthew Broadhead wrote: On 08/05/18 21:53, Reio Remma wrote: On 08.05.2018 22:08, John Hardin wrote: On Tue, 8 May 2018, Matthew Broadhead wrote: system setup centos-release-7-4.1708.el7.centos.x86_64, spamassassin-3.4.0-2.el7.x86_64,

Re: training bayes database

2018-05-09 Thread Reio Remma
On 09.05.18 16:59, Matthew Broadhead wrote: setting log_level and sa_debug in /etc/amavisd/amavisd.conf didn't seem to make any difference. should i be doing it in /etc/mail/spamassassin/local.cf? See if $sa_debug=1 works (for full debug)? (and restart amavisd). Reio ok now i am getting a

Mysterious false positives in inbox

2018-05-09 Thread Eggert Ehmke
Hello, I have spamassassin 3.4.1 / amavisd / postfix / dovecot installed on my Debian 9.4 server. I also run a mailman mailing list. Most of the time, all runs very well, but occasionally I get mails marked ***SPAM*** in my inbox. These are indeed no spam, but valid mails forwarded by

Re: Mysterious false positives in inbox

2018-05-09 Thread Eggert Ehmke
The mail also originated from the same server. Ok, I look into the amavisd config. Thanks, Eggert On Wednesday, 9 May 2018, 14:06:08 CEST, Reio Remma wrote: > Wild stab - maybe they're entering the system already with ***SPAM*** in > the subject? > > With amavisd-new it's amavisd that

Re: training bayes database

2018-05-09 Thread Reio Remma
On 09.05.18 16:33, Matthew Broadhead wrote: On 08/05/18 21:53, Reio Remma wrote: On 08.05.2018 22:08, John Hardin wrote: On Tue, 8 May 2018, Matthew Broadhead wrote: system setup centos-release-7-4.1708.el7.centos.x86_64, spamassassin-3.4.0-2.el7.x86_64, amavisd-new-2.11.0-3.el7.noarch

Re: training bayes database

2018-05-09 Thread Matthew Broadhead
On 08/05/18 21:53, Reio Remma wrote: On 08.05.2018 22:08, John Hardin wrote: On Tue, 8 May 2018, Matthew Broadhead wrote: system setup centos-release-7-4.1708.el7.centos.x86_64, spamassassin-3.4.0-2.el7.x86_64, amavisd-new-2.11.0-3.el7.noarch /etc/mail/spamassassin/local.cf: required_hits 5

Re: Mysterious false positives in inbox

2018-05-09 Thread Ian Zimmerman
On 2018-05-09 13:08, Eggert Ehmke wrote: > > Wild stab - maybe they're entering the system already with > > ***SPAM*** in the subject? > The mail also originated from the same server. All the more reason to suspect the "wild stab" is correct. In my experience this is quite common on some

Re: Invoice phish

2018-05-09 Thread Alex
Hi, >>> header __RCVD_OFFICE365 Received =~ >>> /\.outbound\.protection\.outlook\.com \[/ >>> header __RCVD_OFFICE365_PROXY X-ClientProxiedBy =~ >>> /\.outlook\.com >>> \(/ >>> >>> header __OFFICE365_TRUST_ORG X-OriginatorOrg =~ >>> /^(ena\.com|example\.com)/ >> >> >> You've

Re: training bayes database

2018-05-09 Thread Matthew Broadhead
On 09/05/18 16:37, Reindl Harald wrote: On 09.05.2018 at 16:28, Matthew Broadhead wrote: it looks like it is working.  so maybe it is just not flagging or moving the spam? in a different post you showed this status header which *clearly* shows bayes is working - bayes alone don't flag, the

Re: training bayes database

2018-05-09 Thread David Jones
On 05/09/2018 01:29 PM, Matthew Broadhead wrote: On 09/05/18 16:37, Reindl Harald wrote: On 09.05.2018 at 16:28, Matthew Broadhead wrote: it looks like it is working.  so maybe it is just not flagging or moving the spam? in a different post you showed this status header which *clearly* shows

Re: Mysterious false positives in inbox

2018-05-09 Thread Eggert Ehmke
Perhaps this is a misunderstanding. By "same" I mean "this server". The mail was originally received by my server via TLS, processed by mailman and then delivered with the ***SPAM*** subject line to the recipients of the mailing list, but not to the Quarantine. One of the recipients is my own

Re: Invoice phish

2018-05-09 Thread David Jones
On 05/09/2018 12:39 PM, Alex wrote: Hi, header __RCVD_OFFICE365 Received =~ /\.outbound\.protection\.outlook\.com \[/ header __RCVD_OFFICE365_PROXY X-ClientProxiedBy =~ /\.outlook\.com \(/ header __OFFICE365_TRUST_ORG X-OriginatorOrg =~ /^(ena\.com|example\.com)/

Re: training bayes database

2018-05-09 Thread Matthew Broadhead
On 09/05/18 16:37, Reindl Harald wrote: On 09.05.2018 at 16:28, Matthew Broadhead wrote: it looks like it is working.  so maybe it is just not flagging or moving the spam? in a different post you showed this status header which *clearly* shows bayes is working - bayes alone don't flag, the

Re: Invoice phish

2018-05-09 Thread David B Funk
On Wed, 9 May 2018, Vincent Fox wrote: I see an interesting dichotomy. Students are on Google, fac/staff on O365 now. Guess which group is phished most often? If you said students,  bzzzt.  It’s the O365 users, by a large margin.  Faculty and staff should be best trained.  Also protected by

Re: Invoice phish

2018-05-09 Thread Vincent Fox
I see an interesting dichotomy. Students are on Google, fac/staff on O365 now. Guess which group is phished most often? If you said students, bzzzt. It’s the O365 users, by a large margin. Faculty and staff should be best trained. Also protected by “Advanced Threat Protection”. Sent from

Re: Invoice phish

2018-05-09 Thread Rupert Gallagher
So "free" here refers to something else than paid for service. What does it refer to then? Perhaps FREEMAIL is best renamed as CAMP, for Commonly Abused Mail Provider. On Wed, May 9, 2018 at 13:37, David Jones wrote: > On 05/09/2018 03:03 AM, Rupert Gallagher wrote: > Is O365