I would report this to Microsoft Abuse and setup local rules that add a point
or two something like this:
header BAD_O365_SENDER X-OriginatorOrg =~ /.*\.onmicrosoft\.com$/
With a threshold of 6.2, you might want to consider either lowering that a
little or bumping up some default scores for so
Do you have anything modifying the Subject or altering the message body (like a
signature/disclaimer or external email warning) after opendkim and before the
spamass-milter?
From: Alex Woick
Date: Tuesday, January 14, 2020 at 7:38 AM
To: "users@spamassassin.apache.org"
Subject: Spamassassin al
On 11/16/19 12:19 AM, Dominic Raferd wrote:
>
>
> On Fri, 15 Nov 2019 at 21:17, Kevin A. McGrail <mailto:kmcgr...@apache.org>> wrote:
>
> Good idea. This is done.
>
> On 11/15/2019 11:49 AM, David Jones wrote:
> > Perhaps it needs to be named
filtering
can change the content to remove potentially bad attachments, add an
"EXTERNAL" warning to the Subject or body, etc. which will break DKIM
signing.
--
David Jones
feedback and testing. Please grab rc6
> and give feedback.
>
I have been running 3.4.3 rc6 for a few days in production and no
problems so far on my cluster of 12 SA servers with a pretty good volume
of emails (about 600,000 per day hit SA).
--
David Jones
RS,MISSING_MID,MISSING_SUBJECT,PP_MIME_FAKE_ASCII_TEXT,
SPF_HELO_SOFTFAIL,UNPARSEABLE_RELAY shortcircuit=no autolearn=no
autolearn_force=no version=3.4.2
This would solve the problem locally if you want to put this in your
local.cf:
blacklist_from *@computer-news.pro
--
David Jones
On 7/5/19 11:30 AM, Henrik K wrote:
> On Fri, Jul 05, 2019 at 03:59:41PM +0000, David Jones wrote:
>> My understanding of the proposed X-Relay-Countries-MUA would be
>> identical to the current X-Relay-Countries except when there is an
>> authenticated MSA, then it would
On 7/5/19 9:55 AM, Bill Cole wrote:
> On 5 Jul 2019, at 10:30, David Jones wrote:
>
>> On 7/5/19 9:09 AM, Bill Cole wrote:
>>> On 5 Jul 2019, at 9:37, David Jones wrote:
>>>
>>
>> I believe the only change would be the Relay-Countries value would have
On 7/5/19 9:51 AM, Henrik K wrote:
> On Fri, Jul 05, 2019 at 02:46:16PM +0000, David Jones wrote:
>>
>> I am completely OK with switching to a new X-Relay-Countries-MUA header
>> as long as it works just like the current X-Relay-Countries when there
>> is no MUA. I
On 7/5/19 9:36 AM, Henrik K wrote:
> On Fri, Jul 05, 2019 at 02:32:42PM +0000, David Jones wrote:
>> On 7/5/19 9:03 AM, Henrik K wrote:
>>> On Fri, Jul 05, 2019 at 01:37:50PM +0000, David Jones wrote:
>>>>
>>>> For the sake of others, it would be benefici
On 7/5/19 9:03 AM, Henrik K wrote:
> On Fri, Jul 05, 2019 at 01:37:50PM +0000, David Jones wrote:
>>
>> For the sake of others, it would be beneficial if the default behavior
>> of X-Relay-Countries changed to the X-Relay-Countries-MSA.
>
> I renamed it X-Relay-Co
On 7/5/19 9:09 AM, Bill Cole wrote:
> On 5 Jul 2019, at 9:37, David Jones wrote:
>
>> For the sake of others, it would be beneficial if the default behavior
>> of X-Relay-Countries changed to the X-Relay-Countries-MSA.
>
> Definitely not for 3.4.3. Preferably not
On 7/5/19 1:54 AM, Henrik K wrote:
> On Fri, Jul 05, 2019 at 09:50:35AM +0300, Henrik K wrote:
>> On Fri, Jul 05, 2019 at 02:42:28AM +0000, David Jones wrote:
>>> Maybe allow the RelayCountry check to happen on the msa network or the
>>> first relay?
>>>
>
On 7/4/19 6:35 PM, Bill Cole wrote:
> On 4 Jul 2019, at 16:59, David Jones wrote:
>
>> It seems like authenticated mail submission should only apply to
>> internal_networks and not extend out to the trusted_networks.
>
> No. See https://wiki.apache.org/spamassassin/Dynab
On 7/4/19 2:28 PM, RW wrote:
> On Thu, 4 Jul 2019 19:11:43 +
> David Jones wrote:
>
>> Just had a compromised account on one of my customer's mail servers
>> (96.4.156.21) try to blast out phishing email. This 96.4 IP is our
>> customer space so it's in
h ESMTP id DF9421480F90
for ; Thu, 4 Jul 2019 12:56:42 -0500 (CDT)
Received: from 192.168.1.2 (unknown [88.233.47.16])
by mail.lced.net (Postfix) with ESMTPA id 8F22630961D6D
for ; Thu, 4 Jul 2019 12:56:40 -0500 (CDT)
--
David Jones
UA, though of course the effort of creating and maintaining
> >the database, mail loader, query tools and SA plugin is non trivial.
>
> well, if THIS is the real reason...
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk <mailto:uh...@fantomas.sk>
> ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Saving Private Ryan...
> Private Ryan exists. Overwrite? (Y/N)
>
--
David Jones
te DNS caches dedicated to the SA
server(s). If it's only one, then it could all be setup on 127.0.0.1.
If it's a few, you could put rbldnsd on all of them and still use
127.0.0.1 and rsync the rbldnsd files to all of them locally.
--
David Jones
On 6/16/19 4:41 PM, @lbutlr wrote:
> When I send an mail from my home machine to a user who is local to my mail
> server, SpamAssassin (via spamass-milter) tags the mail as spam entirely
> because my home IP is in the PBL blacklist. Which of course, it is and it
> should be.
>
> However, since t
the:
meta __STYLE_GIBBERISH_1 0
line but does that need to be:
score __STYLE_GIBBERISH_1 0
to completely disable it?
--
David Jones
to -0.001 and disable it from shortcircuit'ing.
score ALL_TRUSTED -0.001
shortcircuit ALL_TRUSTED off
--
David Jones
On 5/12/19 9:29 PM, Kurt Fitzner wrote:
> On 2019-05-11 23:25, David Jones wrote:
>
> I don't have anything nearly so elaborate. But then I don't have the
> spam volume either.
>
That's fine. Just wanted to point out that "one size doesn't fit al
d mail, and they have a strong "it's our
> way or the highway" policy.
>
> On 10.05.19 14:48, David Jones wrote:
>
>>> I caution against this since non-DKIM signed email has no relation to
>>> spam or ham. How did you come up with the "about 90%"
Did you
grep logs to get real numbers over a couple of months?
Any compromised account from Office 365 (and there are a lot) is going
to have DKIM_SIGNED by Microsoft's "tenant.onmicrosoft.com" domain which
means absolutely nothing when determining ham/spam. All that means is
it was signed by Microsoft mail servers on the way out. If DKIM_VALID
was hit, then it means the spam wasn't modified.
--
David Jones
n
spamassassin
spamd
spamc
I tried symlinks first but some apps didn't like it. I could have tried
a hard link but I didn't as they can be confusing and bite you later.
--
David Jones
ot changed in transit. I'm not (yet)
> comfortable drawing any conclusions about authentication.
>
Analyze your email based on DKIM_VALID_AU hits and look for patterns.
Based on your definition of spam vs UCE vs ham. If there is enough
volume, you should see how DKIM_VALID_AU and DMARC can enhance/extend
SPF accuracy which was your original question.
--
David Jones
f what comes in to detect
> modification down stream.
>
I am not completely clear on ARC but I thought its objective is to
provide a "chain of custody" as email goes through mail servers so
receiving mail servers can authenticate the origin. I was thinking it's
somethi
check failed
score DMARC_FAIL 0.001
header DMARC_NONE Authentication-Results =~ /smtp\.ena\.net; dmarc=none/
describe DMARC_NONE DMARC check neutral
score DMARC_NONE 0.001
--
David Jones
t; online training provided by third-party trainers. In that situation
> simpliv should be managing the lists and enforcing opt-in.
>
>
>
>
It's removed in SVN so it should get taken out tomorrow night as long as
the rules promotion is working.
--
David Jones
On 5/1/19 10:15 PM, David Jones wrote:
> On 5/1/19 6:04 PM, RW wrote:
>> On Wed, 1 May 2019 10:39:08 -0700 (MST)
>> jandev wrote:
>>
>>> David,
>>>
>>> I tried to send the original email to the email address you
>>> requested. But your mail
ail as spam unless there were multiple
reports of them not honoring the unsubscribe or not handling abuse
reports. Every platform has the occasional bad customer that needs to
be kicked off so most RBLs (good ones anyway) will allow for a small
amount of UCE before hitting the threshold to be listed/blocked.
--
David Jones
hecksum/timestamp change on the updates_spamassassin_org directory then
reload/restart the daemon that is the "glue" to SpamAssassin.
https://mmonit.com/monit/
--
David Jones
technical reasons. Recently I started another private DWL to handle
o365 senders similarly to the "notrust" list above and so far it seems
to be working out.
Hope this helps,
Dave
> On 2019/04/18 15:52, David Jones wrote:
>> On 4/18/19 1:55 AM, Brent Clark wrote:
>>>
compromised account from
our network through our mail relays. These should be fairly obvious
based on their names as to what they do.
Hope this helps,
--
David Jones
ustworthy. They were at the time it was added but things do change
over time. This would be the second entry in a couple of years to be
removed out of the hundreds of entries.
P.S. blacklist_from entries should override any whitelist_* entry, if I
remember correctly.
--
David Jones
I would like to use the AskDNS plugin to query a private DBL that I can
populate/manage. The idea is to subtract a few points for inbound O365 domains
that have been seen before in an effort to help block compromised O365 accounts
from domains that have never been seen before.
Ideally a new ta
om quarantine as an attachment
- etc...
--
David Jones
on is there are many different ways to use SA
and you didn't say how you were using SA so we can't give helpful advice
on tuning SA.
--
David Jones
it has good FCrDNS. If that mail server doesn't have good FCrDNS,
then use:
whitelist_from_rcvd *@*.comixology.com [ip.ad.dr.ess]
whitelist_from should be the last option and I only use it on a full
email address that is very unique so spammers won't be able to match
that by accident from any source server or IP address.
--
David Jones
't want it. (A major problem in email support today
is not having good contacts of admins on the other end. End users don't
know what to do with bounce messages and mail admins can't easily get
together to work on delivery problems.)
--
David Jones
> to be evaluated dynamically, just calculate the score at reload time.
>
> Thanks.
>
I use the X-OriginatorOrg header in a meta rule with other headers to
subtract a few points (trust) certain Office 365 senders. Otherwise, I
treat Office 365 like other "FREEMAIL" sources that are mostly untrusted
(add a point or two). You don't have to do the latter but the former
might be helpful.
--
David Jones
VD_RCVD_SINGLE Message was received from localhost
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.2 BAYES_50 BODY: Bayes spam probability is 40 to 60%
* [score: 0.4993]
* 2.1 TO_MALFORMED To: has a malformed address
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
lines
* 0.1 TO_IN_SUBJ To address is in Subject
--
David Jones
ign/match the From: header domain to pass which is DKIM_VALID_AU in SA.
In the case of SPF, DMARC will pass if the envelope-from domain check
hits SPF_PASS in SA.
DMARC_PASS = SPF_PASS || DKIM_VALID_AU
DMARC_FAIL = !SPF_PASS && !DKIM_VALID_AU
DMARC_REJECT = DMARC_FAIL && DMARC record contains p=reject
--
David Jones
pam -- just that it came from
that domain unmodified. If you trust the domain like paypal.com to not
send UCE or spam from compromised accounts, then you can whitelist_auth
that domain.
--
David Jones
s*|<\/\w+>|--[\w_\-\.\=]{2,}--)+$/s
meta SPOOF_NAME_LAST_THING (__PLUGIN_FROMNAME_SPOOF && __FROM_NAME_LAST_THING)
describe SPOOF_NAME_LAST_THING From 2 emails and fake from name as last thing
score SPOOF_NAME_LAST_THING 2.2
endif
--
David Jones
files in /etc/mail/spamassassin. Amavis can create its own files to
customize settings in /etc/mail/spamassassin so compare a vanilla SA
installation to what you have to find the best place to put your local
settings.
--
David Jones
n what rules?
>
>
Can you send a copy of the original email lightly redacted via pastebin
so I can run it through my filters to give some pointers?
--
David Jones
DMARC_FAIL_REJECT DMARC check failed and the sending domain says to reject this message
score DMARC_FAIL_REJECT 8.2
Adjust the ENA_TRUSTED_LIST above to whatever you want to do to exclude
certain senders or mailing lists from DMARC checks.
--
David Jones
hance my
regex that blocks these types of emails not just from SES.
--
David Jones
-4] (past 5 weeks) masscheckers are still the
majority of the overall masscheck corpora. I need some help planting
email addresses out there that will attract more spam of differing types
or something. I definitely need to get more non-English spam in there.
--
David Jones
hit that will offset this. I try to make legit
invoice senders score just below the block threshold so anything
suspicious like that From: or Message-ID: header will push it over the
limit.
You can setup logwatch or grep your mail logs often from cron to alert
you when your invoice-related r
they need to start using
SpamAssassin and hire some of us to do their mail filtering. :)
--
David Jones
On 10/11/18 7:00 PM, Alex wrote:
> Hi,
>
> On Thu, Oct 11, 2018 at 5:15 PM David Jones wrote:
>>
>> On 10/11/18 3:30 PM, Alex wrote:
>>> Hi,
>>>
>>> I'm curious what people think of this:
>>>
>>> https://pastebin.com/1X
content
rule and Bayes training would be the best option. Maybe get these into
the nightly masscheck so others can work on some rules to go into the
default ruleset.
--
David Jones
Ls for better results.
I also mentioned implementing postwhite at the same time to bypass
postscreen for some senders so you can increase the sensitivity of your
postscreen_dnsbl_sites safely.
https://github.com/stevejenkins/postwhite
--
David Jones
can be compromised to send spam, then that
def_whitelist_auth entry is safe.
Once we find evidence that any def_whitelist_auth sender fails to follow
all 3 rules above then post an example here via pastebin.com and we will
take appropriate action.
--
David Jones
m name + hostname using IP address
0.0 ENA_BAD_SPAM Spam hitting really bad rules.
--
David Jones
This method has shown to keep my Bayes scores
very accurate.
Hope someone finds this information helpful.
Dave
On 01/20/2017 01:02 PM, Tom Hendrikx wrote:
On 20-01-17 19:46, David Jones wrote:
From: Kevin Golding
Sent: Friday, January 20, 2017 11:59 AM
To: users@spamassassin.apache.org
I handle this locally with OpenDMARC adding headers used in an SA meta
rule. This is the best way to handle this until SA natively supports DMARC.
--
David Jones
/blocks have
worked out to be spot on for my mail flow.
--
David Jones
o influence whoever made these recent rule changes to
revert things back to how they were?
I guess someone needs to look back through the SVN commits to see when
this was introduced.
Thanks
I filter for about 60,000 mailboxes and I don't see any hits in my mail
logs for either of those
e IVM_URI BL is catching onto these very quickly. Good job, Rob!
--
David Jones
and not on
whitelists
2.2 ENA_SPF_NONE Add points for suspicious emails that don't have an SPF setup.
0.0 ENA_BAD_SPAM Spam hitting really bad rules.
--
David Jones
to have the IP address of
the host it is running on and ignore the warning from --lint or …
— Should I not set trusted_networks and ignore the warning from
--debug ?
On 16.06.18 06:33, David Jones wrote:
internal_networks should be any RFC 1918 networks that your mail
server sees plus any
On 06/16/2018 06:33 AM, David Jones wrote:
On 06/15/2018 05:44 PM, J Doe wrote:
Hello,
I am currently using SpamAssassin 3.4.1 on Ubuntu Linux 16.04.4 LTS.
I have SA running on a server with Postfix as the MTA on the same server.
I have a question regarding the trusted_networks
rough your SA server.
--
David Jones
ke the
approach of potentially over blocking them to be on the safe side then
whitelist the good ones since these are causing major economical damage
in finance departments from social engineering.
--
David Jones
ins and
try to move toward DMARC p=reject to prevent spoofing. This primarily
needs to be done by high profile domains first that are common
candidates to be spoofed. I doubt that anyone would really want to
spoof ena.com on a large scale but bestwesternnwcc.com could be valuable
to spoof.
--
David Jones
On 06/09/2018 07:08 AM, Pedro David Marco wrote:
>On Saturday, June 9, 2018, 8:03:31 AM GMT+2, Rupert Gallagher
wrote:
>On Fri, Jun 8, 2018 at 23:05, David Jones <mailto:djo...@ena.com>> wrote:
2.2 MISSING_HEADERS Missing To: header
The following is all on
NA_FREEMAIL and KAM_SHORT to add a
couple more points.
--
David Jones
'whitelist_auth *@cmail19.com' entry and have experienced no
problems/complaints with createsend.com. They have a valid unsubscribe
link and appear to take abuse reports seriously. Until I have any
problems from them, I will keep this whitelist_auth entry.
--
David Jones
in reports...
Does this mean you are accurately blocking them then if the reports are
showing them and there are no complaints from users about missing email?
I would skim over these subjects to make sure you aren't overblocking.
Also I usually check the rule hits to make sure they look consistent
with spam.
--
David Jones
like to see some examples via pastebin to check my mail
filtering logs.
--
David Jones
powned
website.
I have seen quite a bit of junk coming out of mimecast.com's servers in
recent months. I am about to add them to my NOTRUST list which puts
them in the FREEMAIL category of commonly abused mail service providers.
Then my meta rules based on ENA_FREEMAIL will bump up points for email
coming through any NOTRUST servers.
--
David Jones
On 05/10/2018 01:32 PM, RW wrote:
On Thu, 10 May 2018 09:55:00 -0500
David Jones wrote:
On 05/10/2018 09:39 AM, RW wrote:
Microsoft has a list of domains it hosts and a list of hosted
domains (and/or its own addresses) tied to each account. Given how
much reliance MS place on DMARC
On 05/10/2018 09:39 AM, RW wrote:
On Thu, 10 May 2018 13:49:15 +0000 (UTC)
Pedro David Marco wrote:
David Jones wrote:
>It's not only compromised well-established
accounts. Based on the odd
domain names I have seen, I am pretty sure that Microsoft allows
trials of O365 so spam
On 05/10/2018 07:37 AM, RW wrote:
On Thu, 10 May 2018 06:50:46 -0500
David Jones wrote:
I am pretty sure that Microsoft allows
trials of O365 so spammers are signing up and blasting out
junk/phishing emails until they are discovered. These spammers can
spoof anyone on O365 like toysrus.com
On 05/10/2018 07:12 AM, Reio Remma wrote:
On 10.05.18 15:08, David Jones wrote:
On 05/10/2018 07:02 AM, Reio Remma wrote:
On 10.05.18 14:58, Matus UHLAR - fantomas wrote:
Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
i guess my dns is set to use my isp's dns server. do i need to
s
more than 500k emails from our domain so i
should qualify for the free lookup?
On 09/05/18 20:43, David Jones wrote:
Yes. Setup BIND, unbound, or pdns_recursor on your SA server that
is not forwarding to another DNS server then set your
/etc/resolv.conf or SA dns_server to 127.0.0.1. This will
s will pass.
They really need to enable rate limiting and unusual GeoIP-usage
detection. Maybe they need to setup a well-tuned SpamAssassin platform
internally to properly detect spam and lock compromised/abusive accounts
quickly. :)
--
David Jones
ble. If your SA server is directly on
the Internet as an edge mail gateway then this won't be a problem.
--
David Jones
amage.
I have customers that will blindly pay invoices without matching POs or
any confirmation if the company name sounds familiar. I am seeing a lot
of construction-related phishing emails. Since there is always
construction going on, they just assume these are legit.
--
David Jones
shouldn't have put
"ena.com" in there for me but you could put it in there for your local
rules if you think our email is trustworthy. :)
--
David Jones
d idea, we could open a feature
request to do this properly where any MTA header could be parsed by SA,
not just Postfix-style Received headers. Maybe there is already
something in SA that is very close that can be easily extended.
--
David Jones
fall into this category.
--
David Jones
On 05/08/2018 03:47 PM, David Jones wrote:
On 05/08/2018 03:02 PM, Alex wrote:
Hi,
Does anyone have any special techniques for catching these invoice
phish emails?
https://pastebin.com/raw/TfvhUu0X
I've added a few body rules, and even despite training previous
similar messages as
c other commercial invoices so they
will not change it too much.
--
David Jones
that IP is Google's.
It's now listed on dnsbl.spfbl.net probably because of your original
posting. :)
--
David Jones
uld highly recommend switching from sendmail to postfix with
postscreen and postwhite when you migrate to CentOS. You will see a
major improvement in your mail filtering just from that change.
--
David Jones
for
a valid email.
I agree. Whitelisting or subtracting points should be tied to domain
authentication or IP reputation. Spammers are reading this email thread
and are already crafting emails to match this rule.
--
David Jones
18.(c)"
Please post the full email, with all headers, minimally redacted to
pastebin.com and send us a link.
--
David Jones
MailScanner became very mature and didn't need any major updates for years then
Jules turned it over to Jerry Benton who had a commercial product based on it.
It's still being updated and runs fine now on systemd-based OSes and newer
versions of Perl. One of our customers, Shawn Iversion, is h
Phish Rules
On Thu, 26 Apr 2018, David Jones wrote:
> header __BAD_FROM_NAME From:name =~
> /(^chase$|chase\.com|Internal Revenue Service|banking|Bank of
> America|American Express|Wells Fargo|NavyFederal|Geico|E-fax|Share.oint|UPS
> Delivery|FedEx|PayPal|Apple Support|
I have a local rule that adds a few points for commonly spoofed companies like
Paypal, Bank of America, Chase, Fedex, etc. since all of these will have good
SPF/DKIM and now have def_whitelist_auth entries in the 60_whitelist_auth.cf.
Maybe we need to consider putting these in the SA core rules
MailScanner
the past week and would like to know how to troubleshoot these timeouts.
I have never been able to catch problem messages in the act to figure
out what is causing them.
--
David Jones
On 04/17/2018 05:19 PM, Bill Cole wrote:
On 17 Apr 2018, at 16:54, John Hardin wrote:
On Tue, 17 Apr 2018, David Jones wrote:
On 04/17/2018 03:29 PM, Kevin A. McGrail wrote:
Dave, why would it go into EPEL? SpamAssassin is a core RPM.
I will be updating my main SA platform servers to
On 04/17/2018 04:39 PM, Bill Cole wrote:
On 17 Apr 2018, at 16:38, David Jones wrote:
On 04/17/2018 03:29 PM, Kevin A. McGrail wrote:
Dave, why would it go into EPEL? SpamAssassin is a core RPM.
Oh yeh. I guess because it's been so long since we had an update and
my main boxe
pr 17, 2018, at 1:12 PM, David Jones <mailto:djo...@ena.com>> wrote:
>
> Once 3.4.2 comes out soon, we need to get an official version in EPEL or something. Hopefully someone knows someone at EPEL to make this happen. I think everyone had to build 3.4.1 themselves from the Fedora RP
quires you to build it yourself from scratch, but it compiles and
builds easily.
https://wiki.apache.org/spamassassin/DownloadFromSvn
>
> Reio
>
--
David Jones
RBL/URIBL.
P.S. I would love to help with any RBL/URIBLs with honeypot/spamtrap
accounts if anyone would like to contact me off list.
--
David Jones