Re: HTML (was Re: Sender needs help with false positive)
Dianne Skoll wrote on 2017-08-08 20:09:
> On Tue, 08 Aug 2017 20:01:52 +0200 Benny Pedersen wrote:
>> why does the OP need to tell sendgrid his users passwords ?
> That is indeed a very good question. :)

+1

> It's not as if this is some sort of mass-mailing or marketing-oriented
> email that needs to be tracked.

even if dkim was whitelisted for these mails it's still sending passwords in their emails to sendgrid, stupid

back to learning android studio here
Re: HTML (was Re: Sender needs help with false positive)
On Tue, 08 Aug 2017 20:01:52 +0200 Benny Pedersen wrote:
> why does the OP need to tell sendgrid his users passwords ?

That is indeed a very good question. :)

It's not as if this is some sort of mass-mailing or marketing-oriented email that needs to be tracked.

Regards,
Dianne.
Re: HTML (was Re: Sender needs help with false positive)
Dianne Skoll wrote on 2017-08-08 15:05:
> On Tue, 8 Aug 2017 08:00:04 -0500 David Jones wrote:
>> I absolutely agree but it's possible that this part is out of his
>> control. Sendgrid might be receiving a plain text email from the
>> normal source and adding HTML to get that image in there for
>> tracking.
> If you can't determine the content of your own messages, time to find
> another provider, I think. Surely Sendgrid lets you control this sort
> of thing?

let me hold your pocket ?

why does the OP need to tell sendgrid his users passwords ?
RE: Sender needs help with false positive
It did. At first I couldn't figure out why it was HTML because the software was sending plain text messages. When I realized it was the sendgrid tracing method that was converting the messages to HTML in order to embed the img tag, I turned off the tracing.

-----Original Message-----
From: Dianne Skoll [mailto:d...@roaringpenguin.com]
Sent: Tuesday, August 08, 2017 8:43 AM
To: users@spamassassin.apache.org
Subject: Re: Sender needs help with false positive

On Tue, 8 Aug 2017 07:36:01 -0500 David Jones wrote:
> The origin of the email and the path it takes makes a big difference
> in how it's filtered.

Sure, but doing a plain-text message with no HTML will immediately knock 2.2 points off the score. That's a pretty cheap and easy win.

Regards,
Dianne.
HTML (was Re: Sender needs help with false positive)
On Tue, 8 Aug 2017 08:00:04 -0500 David Jones wrote:
> I absolutely agree but it's possible that this part is out of his
> control. Sendgrid might be receiving a plain text email from the
> normal source and adding HTML to get that image in there for
> tracking.

If you can't determine the content of your own messages, time to find another provider, I think. Surely Sendgrid lets you control this sort of thing?

Regards,
Dianne.
Re: Sender needs help with false positive
On 08/08/2017 07:43 AM, Dianne Skoll wrote:
> On Tue, 8 Aug 2017 07:36:01 -0500 David Jones wrote:
>> The origin of the email and the path it takes makes a big difference
>> in how it's filtered.
> Sure, but doing a plain-text message with no HTML will immediately
> knock 2.2 points off the score. That's a pretty cheap and easy win.
>
> Regards,
> Dianne.

I absolutely agree but it's possible that this part is out of his control. Sendgrid might be receiving a plain text email from the normal source and adding HTML to get that image in there for tracking. We (this list) have no way to know for sure without seeing the original unaltered message from the normal source.

My point was copy/pasting the same email body and sending it from a different source like a desktop/laptop is not going to be valid for troubleshooting rule hits. I know that you know this but I am just saying it "out loud" for the OP.

--
David Jones
Re: Sender needs help with false positive
On Tue, 8 Aug 2017 07:36:01 -0500 David Jones wrote:
> The origin of the email and the path it takes makes a big difference
> in how it's filtered.

Sure, but doing a plain-text message with no HTML will immediately knock 2.2 points off the score. That's a pretty cheap and easy win.

Regards,
Dianne.
Re: Sender needs help with false positive
On 08/07/2017 07:36 PM, Jacek Osuchowski wrote:
> David,
> Thanks a lot. I will try to modify the email text to have more 'meat
> on the bone'. I am just surprised email with no links, no ads, no
> attempts to sell anything can be interpreted as a spam.
> That img in the email is a tag from SendGrid email services used to
> trace the emails. I don't know if I can get rid of it.

The folks at Sendgrid know how to properly send out mass emails without getting blocked by spam filters. They should have some resources to help with your email delivery. Check with them since you are paying for that service.

> That's his PC which is the MSA. As it's the first hop, it's not
> surprising it hits Zen PBL (it should, given a host name like
> ool-44c047bf.dyn.optonline.net).

About those headers you put in pastebin, is that an actual mail from the same source that normally generates these password reset emails or was that a test of the same message body from your desktop? We need to see the headers from an exact message sent from the same source as it normally would be. The origin of the email and the path it takes makes a big difference in how it's filtered.

--
David Jones
Re: Sender needs help with false positive
Required score -20 on inbound scanning to protect outbound spam? Op MSG was dkim signed and valid au, why was it not ADD to whitelist auth, maybe i was sleeping :(
Re: Sender needs help with false positive
Avoid marketing mass-mailers when sending administrative messages.

Sent from ProtonMail Mobile

On Tue, Aug 8, 2017 at 12:56 AM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website. We send
> very brief emails containing the reset password. Example between :
>
>>
>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify Account
> / Change Your Password.
>
>>
>
> The emails are marked as spam. Sample report from IsnotSpam.com:
>
> SpamAssassin check details:
>
> -- ---
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 0.9995]
> * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
> * [50.31.63.50 listed in wl.mailspike.net]
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> * [score: 0.9995]
> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.1 HTML_MESSAGE BODY: HTML included in message
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> * domain
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
>
> X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
> RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
> version=3.4.0
>
> X-Spam-Score: 5.7
>
> I understand you trying to provide great software to fight email spam but you
> are making my life miserable. I am having more problems with our emails
> marked as spam than from the spam itself. Any help on how to avoid being marked
> as spam would help. Is there a way to be whitelisted by SpamAssassin globally.
> Most emails are blocked by internet providers like Cablevision or Comcast and
> getting them to help is IMPOSSIBLE. They just install the software and let it
> run as it is.
>
> Thank You
Re: Sender needs help with false positive
On Tue, 8 Aug 2017, Benny Pedersen wrote:
> Jacek Osuchowski wrote on 2017-08-08 00:56:
>> I understand you trying to provide great software to fight email spam
>
> stop using bad amavisd.conf, ask for help on amavisd maillist since
> your issue is not spamassassin
>
> if you like to get a better life use spampd instead of amavisd,
> amavisd is so simple to configure to bad results, where spampd is
> following spamassassin rule on tag only and do nothing more

...none of which helps him get his messages through **other people's** MTAs...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...we talk about creating "millions of shovel-ready jobs" for a society that doesn't really encourage people to pick up a shovel.
-- Mike Rowe, testifying before Congress
---
8 days until the 72nd anniversary of the end of World War II
Re: Sender needs help with false positive
On Mon, 2017-08-07 at 19:15 -0400, Alex wrote:
> > version=3.4.0
>
> Version 3.4.0 is like ten years old. I also don't recall BAYES_999
> being available in that version, so one thing or the other is not
> correct.

Minor nitpick: 3.4.0 was released in Feb 2014, slightly less than 10 years ago. ;) But that's code only anyway, with sa-update rules' version and age are kept up-to-date independently.

Similarly the BAYES_999 test indeed is not part of the original 3.4.0 release. It has been published via sa-update though, and even older 3.3.x installations with sa-update have that rule today. The check_bayes() eval rule always supported the 99.9% variant, it's just a float number less than 1.0...
RE: Sender needs help with false positive
David,
Thanks a lot. I will try to modify the email text to have more 'meat on the bone'. I am just surprised email with no links, no ads, no attempts to sell anything can be interpreted as a spam.
That img in the email is a tag from SendGrid email services used to trace the emails. I don't know if I can get rid of it.

Dianne,
I have the same concerns with links in the email. We do train our people how to spot 'funny' emails and to avoid clicking links in the emails unless they are absolutely sure of what they are doing and they still do stupid things.

Thank you all.

-----Original Message-----
From: David B Funk [mailto:dbf...@engineering.uiowa.edu]
Sent: Monday, August 07, 2017 7:54 PM
To: users@spamassassin.apache.org
Subject: Re: Sender needs help with false positive

On Mon, 7 Aug 2017, David Jones wrote:

[snip..]
> This IP is listed on SORBS and Spamhaus ZEN which are going to cause
> problems with delivery to many receiving mail filters, not just SpamAssassin.
>
> http://multirbl.valli.org/lookup/68.192.71.191.html
>

That's his PC which is the MSA. As it's the first hop, it's not surprising it hits Zen PBL (it should, given a host name like ool-44c047bf.dyn.optonline.net).

That shouldn't score against him except in broken SA installations.

His problem is the small amount of text that looks like a phish spam and the embedded image.

--
Dave Funk
University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center
Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
RE: Sender needs help with false positive
On Mon, 7 Aug 2017, Jacek Osuchowski wrote:
> This is an email I sent to IsNotSpam.com. They list the whole thing
> when testing for spam. I am getting a lot of complaints from our
> customers that our emails are not received. Our domain is not
> blacklisted anywhere so I suspect it is the spam filtering (as
> IsNotSpam tool indicates). Is there anything in the email we send
> that could trigger flagging as a spam. THANK YOU
>
> https://pastebin.com/J1cdCHAe

Try this experiment. Take that same message, add two paragraphs of text describing your business/organization to the end and DELETE that embedded image. Re-test and I'll bet that you get a passing score.

--
Dave Funk
University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center
Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Sender needs help with false positive
On Mon, 7 Aug 2017, David Jones wrote:

[snip..]
> This IP is listed on SORBS and Spamhaus ZEN which are going to cause
> problems with delivery to many receiving mail filters, not just SpamAssassin.
>
> http://multirbl.valli.org/lookup/68.192.71.191.html

That's his PC which is the MSA. As it's the first hop, it's not surprising it hits Zen PBL (it should, given a host name like ool-44c047bf.dyn.optonline.net).

That shouldn't score against him except in broken SA installations.

His problem is the small amount of text that looks like a phish spam and the embedded image.

--
Dave Funk
University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center
Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Sender needs help with false positive
On Mon, 7 Aug 2017 19:28:04 -0400 "Jacek Osuchowski" wrote:
> This is an email I sent to IsNotSpam.com. They list the whole thing
> when testing for spam. I am getting a lot of complaints from our
> customers that our emails are not received. Our domain is not
> blacklisted anywhere so I suspect it is the spam filtering (as
> IsNotSpam tool indicates). Is there anything in the email we send
> that could trigger flagging as a spam. THANK YOU

Don't send HTML. Just send a plain-text message. That'll knock 2.2 points off the score and bring it to 3.6. Simple fix, no?

Regards,
Dianne.
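
The arithmetic behind the 2.2-point figure, as an added example that is not part of the original thread: it parses the SpamAssassin report quoted in this discussion, sums the displayed per-rule scores and recomputes the total without the HTML_* rules. The function names and the comparison against 5.0 (SpamAssassin's default required_score) are choices made for this example.

```python
import re
from decimal import Decimal

# Report text as quoted in the thread, with whitespace normalised.
# Each rule score is printed to one decimal place, so their sum need not equal hits=.
REPORT = """\
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
*      [score: 0.9995]
* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
*      [50.31.63.50 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
*      [score: 0.9995]
* 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
* 0.1 HTML_MESSAGE BODY: HTML included in message
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
*      domain
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
 RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
 version=3.4.0
"""

RULE_LINE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")
DEFAULT_REQUIRED = Decimal("5.0")  # SpamAssassin's stock required_score


def parse_rules(report):
    """Map rule name -> displayed score; continuation lines carry no score."""
    rules = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules[m.group(2)] = Decimal(m.group(1))
    return rules


def parse_status(report):
    """Unfold the X-Spam-Status header and extract hits, required and tests."""
    m = re.search(r"^X-Spam-Status:(.*(?:\n[ \t].*)*)", report, re.M)
    if not m:
        raise ValueError("no X-Spam-Status header found")
    header = re.sub(r"\s+", " ", m.group(1))
    tests = re.search(r"tests=([A-Z0-9_,\s]+)", header).group(1)
    return {
        "hits": Decimal(re.search(r"hits=(-?[\d.]+)", header).group(1)),
        "required": Decimal(re.search(r"required=(-?[\d.]+)", header).group(1)),
        "tests": set(re.findall(r"[A-Z0-9_]+", tests)),
    }


def analyse(report):
    """Summarise the report and the effect of sending plain text instead of HTML."""
    rules, status = parse_rules(report), parse_status(report)
    total = sum(rules.values(), Decimal("0"))
    plain = sum((s for name, s in rules.items() if not name.startswith("HTML_")),
                Decimal("0"))
    return {
        "displayed_total": total,
        "html_cost": total - plain,
        "plain_text_total": plain,
        "rules_match_header": set(rules) == status["tests"],
        # required=-20.0 tags practically every message, so also compare with 5.0.
        "spam_at_reported_threshold": status["hits"] >= status["required"],
        "plain_text_spam_at_default": plain >= DEFAULT_REQUIRED,
    }
```
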
Re: Sender needs help with false positive
Jacek Osuchowski wrote on 2017-08-08 00:56:
> I understand you trying to provide great software to fight email spam

stop using bad amavisd.conf, ask for help on amavisd maillist since your issue is not spamassassin

if you like to get a better life use spampd instead of amavisd, amavisd is so simple to configure to bad results, where spampd is following spamassassin rule on tag only and do nothing more
Re: Sender needs help with false positive
On 08/07/2017 06:28 PM, Jacek Osuchowski wrote:
> This is an email I sent to IsNotSpam.com. They list the whole thing when
> testing for spam. I am getting a lot of complaints from our customers that
> our emails are not received. Our domain is not blacklisted anywhere so I
> suspect it is the spam filtering (as IsNotSpam tool indicates). Is there
> anything in the email we send that could trigger flagging as a spam. THANK YOU
>
> https://pastebin.com/J1cdCHAe
>
> -----Original Message-----
> From: Alex [mailto:mysqlstud...@gmail.com]
> Sent: Monday, August 07, 2017 7:16 PM
> To: ja...@osuchowski.net; SA Mailing list
> Subject: Re: Sender needs help with false positive
>
> Hi,
>
> On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
>> We use emails to allow users to reset their passwords to our website.
>> We send very brief emails containing the reset password. Example between >>>>:
>>
>> Your password to access your account is:
>>
>> S]U3bC7k
>>
>> Upon successful login you may change your password by going to Modify
>> Account / Change Your Password.
>>
>> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>
> You can't control their bayes training so there's nothing you can do here.
>
>> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
>
> Are you sending these emails as an image or text? Do you have a text
> component to your message as well?
>
> Are you able to post an entire message that includes the headers to
> pastebin.com, as it appears when it leaves your network then forward the
> resulting link to the list?
>
>> version=3.4.0
>
> Version 3.4.0 is like ten years old. I also don't recall BAYES_999 being
> available in that version, so one thing or the other is not correct.

This IP is listed on SORBS and Spamhaus ZEN which are going to cause problems with delivery to many receiving mail filters, not just SpamAssassin.

http://multirbl.valli.org/lookup/68.192.71.191.html

--
David Jones
Password reset strategies (was Re: Sender needs help with false positive)
[Just replying to one aspect of the original message.]

On Mon, 7 Aug 2017 18:26:00 -0500 David Jones wrote:
> First, it's a bad idea for a number of reasons to send passwords via
> email. Most modern "lost password" mail loops use a unique URL that
> expires after a short period of time.

As long as both methods expire, both methods require answering a prearranged question (or some out-of-band method of authentication), and both methods require immediate changing of the password, a link is no more secure than sending the temporary password.

In fact, a link may eventually lead to *less* security as it's easier to phish people if legitimate messages include a link rather than not including a link. Encouraging people not to click links in messages like legitimate password recovery emails is a Good Thing, IMO, as it'll make them less likely to click links in fake ones.

I realize I'm tilting at windmills.

Regards,
Dianne.
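
The properties this sub-thread turns on (expiry, single use, forced password change) apply to the reset secret whether it is mailed as a temporary password or embedded in a link. A minimal server-side sketch, added here as an example and not code from any participant; `ResetStore`, the 15-minute lifetime and the attempt limit are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 15 * 60   # assumed lifetime; the thread only says "a short period"
MAX_ATTEMPTS = 5        # assumed cap on wrong guesses per issued secret


class ResetStore:
    """In-memory stand-in for an account database (hypothetical)."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}        # user -> [sha256 digest, expiry time, failed attempts]
        self.must_change = set()  # users who must pick a new password at next login

    def issue(self, user):
        """Create a one-time secret; only its hash is kept server-side."""
        secret = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        digest = hashlib.sha256(secret.encode()).digest()
        # Issuing again overwrites, and so revokes, any earlier secret.
        self._pending[user] = [digest, self._clock() + self._ttl, 0]
        return secret  # delivered as a temporary password or inside a link

    def redeem(self, user, presented):
        """Return True exactly once for the right secret before expiry."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[user]          # expired secrets are discarded
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(candidate, digest):  # constant-time compare
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[user]      # stop online guessing
            return False
        del self._pending[user]              # single use
        self.must_change.add(user)           # force an immediate password change
        return True
```
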
Re: Sender needs help with false positive
On Mon, 7 Aug 2017, Alex wrote:
> Hi,
>
> On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
>> We use emails to allow users to reset their passwords to our website. We
>> send very brief emails containing the reset password. Example between :
>>
>> Your password to access your account is:
>>
>> S]U3bC7k
>>
>> Upon successful login you may change your password by going to Modify
>> Account / Change Your Password.
>>
>> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>
> You can't control their bayes training so there's nothing you can do here.

You -can- control the content of your message. I'm guessing that short password reset message doesn't have very many tokens, and the ones that it does have may be too close a match to things like password phish spams. (something that we train heavily on).

Put more text in there that is related to your business/organization which will be unique and thus unlike other spammy message.

>> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
>
> Are you sending these emails as an image or text? Do you have a text
> component to your message as well?

More to the point do you have an image attached/embedded in your message? If so, either drop it altogether or add a few Kbytes of text to balance it out.

--
Dave Funk
University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center
Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Sender needs help with false positive
On 08/07/2017 05:56 PM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website. We send
> very brief emails containing the reset password. Example between :
>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify Account
> / Change Your Password.
>
> The emails are marked as spam. Sample report from IsnotSpam.com:
>
> SpamAssassin check details:
>
> -- ---
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 0.9995]
> * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
> * [50.31.63.50 listed in wl.mailspike.net]
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> * [score: 0.9995]
> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
> * 0.1 HTML_MESSAGE BODY: HTML included in message
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> * domain
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
>
> X-Spam-Status: Yes, hits=5.7 required=-20.0 tests=BAYES_99,BAYES_999,
> DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
> RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=no autolearn_force=no
> version=3.4.0
>
> X-Spam-Score: 5.7
>
> I understand you trying to provide great software to fight email spam but you
> are making my life miserable. I am having more problems with our emails
> marked as spam than from the spam itself. Any help on how to avoid being marked
> as spam would help. Is there a way to be whitelisted by SpamAssassin globally.
> Most emails are blocked by internet providers like Cablevision or Comcast and
> getting them to help is IMPOSSIBLE. They just install the software and let it
> run as it is.
>
> Thank You

Perhaps you should take a little time to figure out what should be changed in that message body to make those emails not score so high.

First, it's a bad idea for a number of reasons to send passwords via email. Most modern "lost password" mail loops use a unique URL that expires after a short period of time.

Secondly, that text in the body is very commonly used by bad actors trying to phish passwords. Why not change the text a bit and run it through the isnotspam.com site until it doesn't hit such a high Bayesian rule. This won't guarantee the Bayesian score of other SpamAssassin platforms but should give a good hint as to what wording is not good to use.

Third, if you could send us complete headers, then we may be able to provide more help. The SPF and DKIM look good and you seem to be doing all of the reputation stuff properly. It comes down to content checks (BAYES) then.

--
David Jones
RE: Sender needs help with false positive
This is an email I sent to IsNotSpam.com. They list the whole thing when testing for spam. I am getting a lot of complaints from our customers that our emails are not received. Our domain is not blacklisted anywhere so I suspect it is the spam filtering (as IsNotSpam tool indicates). Is there anything in the email we send that could trigger flagging as a spam. THANK YOU

https://pastebin.com/J1cdCHAe

-----Original Message-----
From: Alex [mailto:mysqlstud...@gmail.com]
Sent: Monday, August 07, 2017 7:16 PM
To: ja...@osuchowski.net; SA Mailing list
Subject: Re: Sender needs help with false positive

Hi,

On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website.
> We send very brief emails containing the reset password. Example between >>>>:
> >>>>>>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify
> Account / Change Your Password.
>>>>>>
>
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%

You can't control their bayes training so there's nothing you can do here.

> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
> words

Are you sending these emails as an image or text? Do you have a text component to your message as well?

Are you able to post an entire message that includes the headers to pastebin.com, as it appears when it leaves your network then forward the resulting link to the list?

> version=3.4.0

Version 3.4.0 is like ten years old. I also don't recall BAYES_999 being available in that version, so one thing or the other is not correct.
Re: Sender needs help with false positive
Hi,

On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski wrote:
> We use emails to allow users to reset their passwords to our website. We
> send very brief emails containing the reset password. Example between :
>
>>
> Your password to access your account is:
>
> S]U3bC7k
>
> Upon successful login you may change your password by going to Modify
> Account / Change Your Password.
>>
>
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%

You can't control their bayes training so there's nothing you can do here.

> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

Are you sending these emails as an image or text? Do you have a text component to your message as well?

Are you able to post an entire message that includes the headers to pastebin.com, as it appears when it leaves your network then forward the resulting link to the list?

> version=3.4.0

Version 3.4.0 is like ten years old. I also don't recall BAYES_999 being available in that version, so one thing or the other is not correct.