undeliverable tagged incorrectly

2025-04-20 Thread Alex
Hi, I have spamassassin-4 with amavisd set up and have a message that hit mailspike and a few others that pushed it over my 5 point threshold. Can someone help me understand why this was not properly identified as a bounce message? https://pastebin.com/mc4zgp7S Usually they hit ANY_BOUNCE_MESSAG

ExtractText and docs?

2025-03-20 Thread Alex
Hi, I'm using ExtractText to identify QR codes in PDFs. # QR-code decoder extracttext_external zbar /usr/bin/zbarimg -q -D {} extracttext_use zbar .jpg .png .pdf .webp image/(?:jpeg|png) application/pdf add_header all ExtractText-Uris _EXT

Re: Blocking google IPs?

2025-02-22 Thread Alex
> > > > This also means there isn't much regularity to outgoing mail to subtract > > points. It's usually just one-offs where users check on ordering or ask > > general product questions. > > > > This also doesn't include the businesses using Workspace, which would > most > > likely share the same

Re: Blocking google IPs?

2025-02-22 Thread Alex
Hi, > > There's nothing my users or the legitimate users sending email to my > users > > can do about it, and it's always reactionary - it's not like I can > explain > > to them that if their users use one particular Google IP that they could > > have incoming mail blocked. > > That's not true.

Re: Blocking google IPs?

2025-02-21 Thread Alex
> > > avoiding checking google ranges in DNS*Ls could make sense, at least we'd > avoid excessive DNS requests towards them and getting blocked there. > > however the only SA way I can think of is adding > 209.85.128.0/17 and 74.125.0.0/16 to trusted_networks which would result > into ALL_TRUSTED h

Blocking google IPs?

2025-02-20 Thread Alex
Hi, What should the policy be on blocking Google IPs? * 2.3 RCVD_IN_PSBL RBL: Received via a relay in PSBL * [209.85.208.194 listed in psbl.surriel.com] * 2.2 RCVD_IN_SENDERSCORE_30_49 RBL: Senderscore.org score of 30 to 49 * [209.85.208.194 listed in score.senderscore.com] * 0.0

Re: bayes/txrep questions

2025-02-16 Thread Alex
> > > > > Is there any benefit to training an email that's already hitting > > bayes99? > > Yes. The tokens which made it hit 99% are already doing their jobs, but > the rest of the message that Bayes isn't seeing as spammy may turn out > to be what makes the next spam hit 99.9% > I have noticed t

bayes/txrep questions

2025-02-14 Thread Alex
Hi, I'm using SA v4 and trying to find ways to minimize the amount of junk that isn't tagged. Emails like "1-hour free consultation" or "buy this event list" or "salesforce optimization" or "HR consulting" that already hit bayes99 (and bayes999) but are still just shy of 5 points. Is there any ben

opt-out spam

2024-12-22 Thread Alex
Hi, I have collected a bunch of "opt-out" junk at the bottom of emails similar to this one: Not your thing? Just reply 'no tnx' to opt-out :) Is it worthwhile to try and create a meta using these, or perhaps even a fuzzy rule that matches on 'no tnx' or "leave", etc, in combination with opt-out a

Re: password protected PDF

2024-12-18 Thread Alex
> > > > It's been a while since I've seen a password-protected zip or PDF, but I > got one today that wasn't tagged and was hoping someone might have some > ideas. > > https://pastebin.com/msPCQHyD > > > > I've created some basic body and attachment rules, but would

password protected PDF

2024-12-17 Thread Alex
ing thoughts (either directly or using the above to improve your own rules) from others about how to block them. At the least, it should have been identified by clamav. Thanks, Alex

userprefs for 4.0?

2024-12-11 Thread Alex
Hi all, Does anyone know where I can find an updated MySQL schema for v4? https://cwiki.apache.org/confluence/display/spamassassin/UsingSQL This is for v3. I'd like to make sure I'm implementing it properly for welcomelist and any other v4 changes from v3.

Re: docusign fraud using docusign

2024-11-10 Thread Alex
> > > >Time to remove docusign from RCVD_IN_DNSWL_MED and others that subtract > >points? This is not cool at all. > > correct, have you reported it? > How do I do that? To the DNSWL group? I now have a subscription, but they never respond to support requests, even to numerous emails, including a

Re: docusign fraud using docusign

2024-11-10 Thread Alex
> I would just score anything DNSWL at 0. I mean no disrespect to the > maintainer of DNSWL but I just don't find it useful these days. Spam is too > complex now. > > > local.cf: > > score ALL_TRUSTED 0 > Isn't this the local trusted servers? score RCVD_IN_DNSWL_NONE 0 > score RCVD_IN_DNSWL_LOW 0

docusign fraud using docusign

2024-11-08 Thread Alex
Hi, Time to remove docusign from RCVD_IN_DNSWL_MED and others that subtract points? This is not cool at all. Even without having these rules, there isn't much in the body to catch a docusign phish that uses docusign directly. https://pastebin.com/ij2MXi6c

Re: paypal fraud

2024-11-07 Thread Alex
> > > can I have a copy of the email ? > I am working on improving some KAM Paypal rules. > Sent, thanks. >

paypal fraud

2024-11-06 Thread Alex
Hi, I received a paypal scam invoice using paypal servers that passed DKIM and sent through paypal servers but has the return path of some other server after it went through paypal. Return-Path: Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates 66.211.170.93 as permit

training bayes and newsletters

2024-10-15 Thread Alex
newsletters properly. Thanks, Alex

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-27 Thread Alex
[abbreviated version, as gmail rejected my first attempt] Hi, I've been following this thread on allowable query limits and have a few questions. While I don't see any DKIMWL_BLOCKED or other *_BLOCKED rules hitting in my logs, I am seeing timeouts related to their sub-rules like this: Sep 26 12:

Experimenting with dcc

2024-09-18 Thread Alex
Hi, I've discovered several emails that hit DCC, most likely because they contain just emails or are entirely empty, so I wanted to whitelist them. However, I'm not sure how to write the checksums to the whiteclnt file so they are consulted by dcc: # /usr/bin/dccproc -QCw whiteclnt < whitelist-em

Re: Tips on training bayes?

2024-09-17 Thread Alex
Is the goal to have every message one of either BAYES_00 or BAYES_99 or is it okay that newsletters (for example) are BAYES_50, and let other rules, like network checks, determine the score? Thanks, Alex

Tips on training bayes?

2024-09-16 Thread Alex
emails always considered spam? Thanks, Alex

Re: M365 phish with USER_IN_DKIM_WHITELIST

2024-08-30 Thread Alex
> > > I'm hoping someone can help me understand how what appears to be an > invoice > scam was passed through legitimate MS servers and > even USER_IN_DKIM_WHITELIST. > > USER_IN_DKIM_WHITELIST refers to an explicit (i.e site or user-specific) > welcomelist, so this you did to yourself... > Thanks

M365 phish with USER_IN_DKIM_WHITELIST

2024-08-30 Thread Alex
Hi, I'm hoping someone can help me understand how what appears to be an invoice scam was passed through legitimate MS servers and even USER_IN_DKIM_WHITELIST. From: Microsoft Date: Fri, 30 Aug 2024 15:50:53 + Subject: Your Microsoft order on August 30, 2024 Message-ID: <1ccff35e-284a-4b08-bef

Re: QR phish missed

2024-08-19 Thread Alex
> > > dbg: extracttext: [3209409] (/usr/bin/zbarimg) finished: exit 1 > dbg: extracttext: [3209409] (/usr/bin/zbarimg) stderr output: execvp > failed, errno = 2 (No such file or directory) > warn: extracttext: error from /usr/bin/zbarimg, please verify > configuration: execvp failed, errno = 2 (No

Re: QR phish missed

2024-08-19 Thread Alex
Hi, > On Sat, Aug 17, 2024 at 12:14 PM wrote: > >> On 8/16/24 2:03 PM, Alex wrote: >> > The body was empty with a PDF attachment. It's too big for pastebin. >> > >> https://drive.google.com/file/d/1FzBgTKoBgRp7TWkqjWqSqqESYmCGH0G2/view?usp=sharin

Re: QR phish missed

2024-08-19 Thread Alex
Hi, On Sat, Aug 17, 2024 at 12:14 PM wrote: > On 8/16/24 2:03 PM, Alex wrote: > > The body was empty with a PDF attachment. It's too big for pastebin. > > > https://drive.google.com/file/d/1FzBgTKoBgRp7TWkqjWqSqqESYmCGH0G2/view?usp=sharing > < >

QR phish missed

2024-08-16 Thread Alex
Hi, This is a QR phish, and I haven't fully set up zbar and ExtractText yet, but I'm hoping someone could look at this and try to identify other issues that would be helpful in blocking this. It hit a couple of my local basic testing rules, but that's about it. X-Spam-Status: No, score=2.457 tagge

Re: Finance spam

2024-07-16 Thread Alex
> this whole range of 185.3.229.x is on my dns blacklist and everything on > that is either rejected or marked. I can only suggest doing something > similar ;) > Very helpful. Thanks for sharing. > RCVD_IN_HOSTKARMA_W=-2.5 > change to -0.1 That does seem to be a bit heavy-handed. > and lastly i

Finance spam

2024-07-16 Thread Alex
Hi all, Does anyone have any further ideas on how to block "approved for funding" spam? https://pastebin.com/2rKiAEpt This one is another namecheap domain registered from Reykjavik. I can create body rules, but the language is very much in line with legitimate lending companies. I've also added t

Re: namechep and DOB

2024-07-08 Thread Alex
On Mon, Jul 8, 2024 at 7:33 PM Matija Nalis wrote: > On Mon, Jul 08, 2024 at 05:13:29PM -0400, Alex wrote: > > Are there RBLs available that can be used to determine registrar or date > of > > registration? I understand the limits of querying a registrar but thought > > t

Re: namechep and DOB

2024-07-08 Thread Alex
Hi, Alex - Check out the FROM_FMBLA_NEWDOM rules. Are you seeing any emails > hitting them? > Yes, got them, from here: https://github.com/fmbla/spamassassin/blob/master/FMBLA.cf Didn't hit. Jul 8 18:02:53.537 [4189153] dbg: dnseval: checking [sendersrv.com] / FROM_NEWDOMAIN_FMBL

namechep and DOB

2024-07-08 Thread Alex
Hi, I'm seeing emails from smartlendingclub dot com getting through that are clearly spam. It's a namecheap domain registered in the last two weeks or so. IIRC, in the past there was more flexibility with the URIBL_RHS_DOB rules to penalize domains recently registered, but now it doesn't appear t

Re: MSGID_BELONGS_RECIPIENT and DKIMWL

2024-06-21 Thread Alex
Kris, thanks so much for the direction. It was enough for me to investigate and make some changes. I hadn't realized I still had Paul Stead's rules locally as well as updated rules in SA proper. Thanks, Alex On Thu, Jun 20, 2024 at 11:23 AM Kris Deugau wrote: > Alex wrote: >

Using -t to test rule changes

2024-05-08 Thread Alex
Hi, I'm using the latest version of SA from trunk (although I don't think that matters) and trying to make adjustments to rules on a particular false-positive email that was quarantined by amavis so I can adjust the rules to prevent it from being quarantined. The problem is that amavis manipulates

Tips for improving bounce message deliverability?

2024-04-24 Thread Alex
Hi, I'm using SA 4.0.1 and amavisd with postfix. I've identified a few bounce messages in the quarantine because they weren't identified properly. Here's one: https://pastebin.com/RMNkcyhF For example, it matches on * 3.1 URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra, possibl

Re: dcc on empty email

2024-04-10 Thread Alex
Hi, > I'm noticing DCC is triggering on emails with an empty body. I'd like to > create a hash that matches messages with an empty body and other simple > messages. > > What am I doing wrong? I've tried it with a zero-length file as well as > one with just a few characters. It looks like I don't u

dcc on empty email

2024-04-10 Thread Alex
Hi, I'm noticing DCC is triggering on emails with an empty body. I'd like to create a hash that matches messages with an empty body and other simple messages. What am I doing wrong? I've tried it with a zero-length file as well as one with just a few characters. It looks like I don't understand wh

Re: QR code phish?

2024-02-04 Thread Alex
Hi, On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail wrote: > Hi Alex, we are definitely seeing them. There is code in trunk for this > with one of the plugins and rules in the KAM ruleset using the new > code. LMK if you need more info. > It looks like it's tied to the Rapto

QR code phish?

2024-02-01 Thread Alex
Hi, I'm just wondering if there is any mechanism for detecting and blocking QR code emails? Would that require using image detection? Perhaps instead it's a database of known malicious QR codes? Has anyone even really seen any?

wellsfargo/google drive

2024-01-15 Thread Alex
Hi, Google Drive is being used to send links with malicious content. I know, shocking. But should Google Drive be in the DKIM WL? What more can be done to stop these? I have a few body filters, but these are just links sent using Google to PDFs with malicious links. https://pastebin.com/Qpj1drSa

Spreadsheet::Excel ?

2023-12-29 Thread Alex
Hi, Barracuda recently announced they've identified a vulnerability in the Spreadsheet::Excel library used by amavis in their appliances. I didn't realize they were still using amavis and open source (and presumably spamassassin?). https://www.barracuda.com/company/legal/esg-vulnerability I don't

Re: Too many dots?

2023-11-16 Thread Alex
les, so it also seemed somewhat punitive to award so many points and to be expected to offset them for a completely benign email. Thanks, Alex

Too many dots?

2023-11-16 Thread Alex
Hi, I recently had an account activation email blocked due to AC_FROM_MANY_DOTS in the From address: From: VitalSource It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC, pushing it over to spam. * 1.5 KAM_SENDGRID Sendgrid being exploited by scammers * 0.8 BAYES_50 BODY: Bayes s

Re: sorbs :/

2023-10-07 Thread Alex
> https://www.irccloud.com/pastebin/XPl5OZ0y/sorbs.pl > > lets just test more dns fails, please fix qname, reduce zones that ends > in same nameserver ip > Yes, seeing that here, too, for months and months. Spamhaus also sucks real bad. 06-Oct-2023 13:57:12.880 resolver: loop detected resolving '

DMARC and SA4

2023-09-26 Thread Alex
Hi, All the way back in 2016, RW posted these rules on pastebin for DMARC, before it was part of SA proper: https://pastebin.com/gr41CvCc Is this effectively what's been implemented in functions in the latest SA? The scores from the above are a lot more aggressive than what's currently in SA 50_ru

Re: uninitialized value $result in string eq at AuthRes.pm line 302

2023-08-20 Thread Alex
Hi, > > Aug 19 23:02:27 xavier amavis[3615]: (03615-10) _WARN: Use of > uninitialized value $result in string eq at > /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. > >292 sub check_authres_result { >293 my ($self, $pms, $method, $wanted_result) = @_; >2

uninitialized value $result in string eq at AuthRes.pm line 302

2023-08-19 Thread Alex
Hi, Just upgraded to fedora38, using the spamassassin included with it and have the following warning: Aug 19 23:02:27 xavier amavis[3615]: (03615-10) _WARN: Use of uninitialized value $result in string eq at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/AuthRes.pm line 302. 292 sub

unsubscore down?

2023-08-09 Thread Alex
Hi all, anyone else having problems with unsubscore? Aug 9 15:57:41 polaris postfix-126/dnsblog[3671494]: warning: dnsblog_query: lookup error for DNS query 154.51.76.80.ubl.unsubscore.com: Host or domain name not found. Name service error for name= 154.51.76.80.ubl.unsubscore.com type=A: Host n

URL Time-of-Click Protection

2023-05-12 Thread Alex
Hi all, I'm curious what people think of URL rewriting or otherwise having some kind of idea of whether a URL could or should be scanned at some later time to determine if it's potentially malicious at the current time where it may not have been initially? Is anyone implementing that in open sour

Re: AuthRes plugin test rules

2023-03-18 Thread Alex
306 my ($self, $opts) = @_; 307 Any idea how to troubleshoot this? Thanks, Alex On Sun, Mar 12, 2023 at 11:41 AM Matus UHLAR - fantomas wrote: > >>>Matus UHLAR - fantomas skrev den 2023-03-12 10:15: > >>>>I have also committed patch to bug 6918 to handle

SHORT_WORD_LINES & KAM_LINEPADDING

2023-03-16 Thread Alex
Hi, I'm curious about the SHORT_WORD_LINES, KAM_LINEPADDING and HK_RANDOM rules. I received a legitimate email from a gmail sender that was pushed beyond 5.0 because of these rules. It hit both SCC_5_SHORT_WORD_LINES and SCC_10_SHORT_WORD_LINES, and because a score isn't explicitly set, the two ru

Re: ExtractText tuning

2023-03-06 Thread Alex
Hi, I have successfully set up ExtractText plugin with proposed settings (those > in pod/manual page) and here's a tip: > > - put extracttext.pm into /etc/spamassassin or similar directory >(extracttest settings aren't loaded from user_prefs) > > - tesseract takes too much time to process (at

Re: BAYES_00 BODY. Negative score?

2023-02-15 Thread Alex
Hi, > > However, many of tokens in even Forbes and WP newsletters may occur in > different spammy newsletters, so be careful when training even these. > This is exactly what I was thinking. When going through the quarantine, it's also very difficult to always not only identify which newsletters ma

Re: BAYES_00 BODY. Negative score?

2023-02-14 Thread Alex
Hi, >*-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% > >* [score: 0.] > > This indicates a mistrained database, which means you have trained too > many > spams or spam-like messages (commercial messages) as ham. > > Proper training of spams should help. Just keep your spam (and opt

FROM_GOV_SPOOF and Zix SPF softfail?

2023-01-18 Thread Alex
Hi, I received an email from ncua.gov sent through Zix that apparently was an SPF softfail. It also hit FROM_GOV_SPOOF. I wanted to see if the two were related, or what the reason was for this email hitting so many spam rules. meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! N

Re: sharepoint phish routed through sharepointonline/outlook

2023-01-17 Thread Alex
Hi, > RBL checks for FQDN not just domains would be a good idea... > ... > > I assume you are not running SA4. That does this. (And the sharepoint > domain you have in your mail is listed on SURBL ) > Yes, I am running SA4 and have been for probably more than a year. What am I doing wrong th

sharepoint phish routed through sharepointonline/outlook

2023-01-15 Thread Alex
Hi, X-Spam-Status: No, score=1.102 tagged_above=-200 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1, LOC_FILE_SHARE_PHISH1=0.75, L

Re: welcomelist_auth and SPF

2022-12-16 Thread Alex
Hi, On Fri, Dec 16, 2022 at 5:35 PM Marc wrote: > > The sender's SPF record includes the sending IP (40.107.96.128) in the > > secureserver.net entry, and SPF_PASS is hit. > > > > Without even checking anything I can already remember that this > secureserver.net is shi

welcomelist_auth and SPF

2022-12-16 Thread Alex
Hi, This GoDaddy/M365 quarantined email passes SPF, but despite now adding it to my welcomelist, it is still marked as spam. https://pastebin.com/VpPmgGN4 Only when I create a welcomelist_from_rcvd does it get delivered. The sender's SPF record includes the sending IP (40.107.96.128) in the sec

RBL timeouts

2022-12-02 Thread Alex
Hi, Is anyone (everyone?) also experiencing DNS timeouts with barracuda? 02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729 0

Re: Mial hits MISSING rules despite presence of headers

2022-11-28 Thread Alex
On Mon, Nov 28, 2022 at 10:42 AM Kevin A. McGrail wrote: > What's the score on that short circuit Validity rule? > -2.0 RCVD_IN_VALIDITY_SAFE RBL: Sender in Validity Safe - Contact certificat...@validity.com [Return Path SenderScore Safe L

Re: Mial hits MISSING rules despite presence of headers

2022-11-28 Thread Alex
Hi, > Well, a short circuit rule kind of breaks things in the middle so I do not > think you should really spend too much time on rules that hit/didn't hit. > > I like validity but I don't think it justifies a short circuit, FYI. > Okay, it's been removed, but somehow the presence of that didn't

Re: Mial hits MISSING rules despite presence of headers

2022-11-27 Thread Alex
Hi, > I have emails from wayfair and Dell that hit many of the MISSING_* >> > rules >> > but these headers are clearly displayed. >> > >> > * 0.5 MISSING_MID Missing Message-Id: header >> > * 1.0 MISSING_FROM Missing From: header >> > * 1.8 MISSING_SUBJECT Missing Subject: header >> > * 1.

Re: Mial hits MISSING rules despite presence of headers

2022-11-27 Thread Alex
Hi, > I have emails from wayfair and Dell that hit many of the MISSING_* > > rules > > but these headers are clearly displayed. > > > > * 0.5 MISSING_MID Missing Message-Id: header > > * 1.0 MISSING_FROM Missing From: header > > * 1.8 MISSING_SUBJECT Missing Subject: header > > * 1.4 MISSI

Mial hits MISSING rules despite presence of headers

2022-11-27 Thread Alex
Hi, I have emails from wayfair and Dell that hit many of the MISSING_* rules but these headers are clearly displayed. * 0.5 MISSING_MID Missing Message-Id: header * 1.0 MISSING_FROM Missing From: header * 1.8 MISSING_SUBJECT Missing Subject: header * 1.4 MISSING_DATE Missing Date: header

Re: pyzor and failure to parse response

2022-11-20 Thread Alex
On Sun, Nov 20, 2022 at 12:54 PM Henrik K wrote: > On Sun, Nov 20, 2022 at 11:58:31AM -0500, Alex wrote: > > Hi, > > I'm using the latest SA from trunk and trying to get pyzor working. It > runs > > correctly to check a message from the command-line, but SA appar

pyzor and failure to parse response

2022-11-20 Thread Alex
Hi, I'm using the latest SA from trunk and trying to get pyzor working. It runs correctly to check a message from the command-line, but SA apparently fails to properly parse the output? Nov 20 11:55:13.213 [2531397] dbg: pyzor: network tests on, attempting Pyzor Nov 20 11:55:15.756 [2531397] dbg:

Re: FMBLA_NDBLOCKED and DKIMWL_BLOCKED

2022-11-19 Thread Alex
Hi, > Boring Stuff > We have some restrictions on the usage of our data. You can read all > about it here. > Yeah, turns out not so much. I'm working with Paul directly, thanks,

FMBLA_NDBLOCKED and DKIMWL_BLOCKED

2022-11-17 Thread Alex
Hi, I just noticed I've apparently hit the regular limits of use for fmbla and dkimwl for my few domains and honeypots. I believe this is a service provided by Paul Stead - does anyone know if there's a "pro" version or how I might be able to increase the permissible capacity allowed? Given it's int

Re: PBL and rejects

2022-11-15 Thread Alex
Hi, > > >These aren't new netblocks for us from them, but it seems awfully weird > >that we would be operating on these IPs for 2+ years then all of the > sudden > >have them listed like they're dialup IPs. > > generic/dialup DNS names can help here. If they aren't dynamically > allocated, their D

Re: PBL and rejects

2022-11-14 Thread Alex
Hi, > > > I'm hoping I can ask this question here. Somehow the PBL considered the > IP > > addresses given to us by our ISP (I can share this if needed) as > ineligible > > to send email, resulting in any recipient domain that checks the PBL to > > reject our email, > > AIUI, PBL is supposed to be

PBL and rejects

2022-11-14 Thread Alex
Hi, I'm hoping I can ask this question here. Somehow the PBL considered the IP addresses given to us by our ISP (I can share this if needed) as ineligible to send email, resulting in any recipient domain that checks the PBL to reject our email, including every email sent to a Microsoft 365 domain.

Re: Gmail confidential mode

2022-10-16 Thread Alex
> > > > What do you know about "Gmail confidential mode" emails? I'm starting to > > see a few of these come in to users now, and not sure how to treat them. > > They are sent through gmail, but require a one-time passcode sent to the > > recipient, > > Did you actually look at them? What do they

Gmail confidential mode

2022-10-16 Thread Alex
Hi, What do you know about "Gmail confidential mode" emails? I'm starting to see a few of these come in to users now, and not sure how to treat them. They are sent through gmail, but require a one-time passcode sent to the recipient, so any potential threat is not transferred through the same emai

Re: Mail with image marked as spam

2022-09-26 Thread Alex
Hi, > * 1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg > > That rule is nowhere in the current standard rules or the KAM rules. > > If you don't like your custom local rules, only you can change them. > Ah, thanks. Usually my local rules are indicated as such, so I didn't even realize

Re: Mail with image marked as spam

2022-09-25 Thread Alex
On Sun, Sep 25, 2022 at 1:56 PM Matus UHLAR - fantomas wrote: > On 25.09.22 13:35, Alex wrote: > >I've asked variations of this question in the past, but I'm still not sure > >what to do about it. Should an email with just an image attachment, with > no > >subj

Mail with image marked as spam

2022-09-25 Thread Alex
Hi, I've asked variations of this question in the past, but I'm still not sure what to do about it. Should an email with just an image attachment, with no subject and no body be treated as spam? This is the circumstance where users are using email as a file transfer device. There seems to be one

Re: Matching on missing To field?

2022-07-20 Thread Alex
ea in some way. It does match on "ALL", but I think I need to be more specific than that, to avoid matching on "From:" or Return-Path or EnvelopeFrom./ Thanks, Alex

Matching on missing To field?

2022-07-20 Thread Alex
ances that shouldn't be. Can someone explain how this rule works and if something similar would apply to my situation? header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism Thanks, Alex

Re: Attachment policy

2022-06-28 Thread Alex
achments. Please keep us updated on the progress of the ExtractText plugin. Thanks, Alex

Attachment policy

2022-06-27 Thread Alex
Hi, I'm looking for input from people on how they handle attachments, and people using email as a file transfer service. One of our users must have posted to a job site recently, soliciting resumes from people internationally. This resulted in 100+ emails from random people who had never emailed th

Re: DKIM fails on v4

2022-06-27 Thread Alex
Hi, >> At some point after that, and even until yesterday's version, DKIM > stopped > >> working. DMARC still passes with SPF, but there are no longer any > occurrences > >> of DKIM. > > > > I think Giovannis changes don't work when amavisd is passing > $suppl_attrib: > > > > https://svn.apache.or

Re: DKIM fails on v4

2022-06-26 Thread Alex
> > Amavisd-new works fine here. Maybe $enable_dkim_verification or something > is different. > It's good to know you're using amavisd. It's very dependent upon the SA version you're using, though. It appears both DKIM and DMARC worked until the May 29th version from svn (1901385). At some point

Re: DKIM fails on v4

2022-06-25 Thread Alex
ckout http://svn.apache.org/repos/asf/spamassassin/trunk Mail-SpamAssassin-4.0.0 On Sat, Jun 25, 2022 at 3:07 PM Alex wrote: > Hi, > I've been having problems with DMARC failing over the past few weeks using > the latest SA, even on sites I know have passed. It appears to have >

DKIM fails on v4

2022-06-25 Thread Alex
Hi, I've been having problems with DMARC failing over the past few weeks using the latest SA, even on sites I know have passed. It appears to have coincided with an update to DMARC.pm related to timing. I just now happened to notice that maybe the problem is with DKIM, or there's a separate DKIM pr

Re: block emails with fake FROM

2022-06-24 Thread Alex
Hi, seems it did not catch this one: > > From: " Dr Perfect "@mail.gepesdaru.hu > > but still it's a leap forward > Is it designed to also identify From addresses that have no name component? From: l...@beroe-inc.com This is an invoice phish that isn't tagged. Ideas on how to block these would

Re: DMARC fails for valid record?

2022-05-31 Thread Alex
Hi, > >> doesn't amavisd by any chance use old SA installation/libraries? > > On 30.05.22 15:12, Alex wrote: > >I don't think so - the current paths it uses are: > > > >/usr/share/spamassassin > >/var/lib/spamassassin/4.00/updates_spamassa

Re: DMARC fails for valid record?

2022-05-30 Thread Alex
> > > > >> did you reload/restart amavis after installing new SA? > >> This header is added by amavis which uses SA libraries internally. > > On 30.05.22 09:50, Alex wrote: > >Yes, thanks. This has been ongoing for weeks. > > doesn't amavisd by

Re: DMARC fails for valid record?

2022-05-30 Thread Alex
> > >X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5 > >tests=[BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1, > >DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1, > >FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, > >HTML_IMAGE_

Re: DMARC fails for valid record?

2022-05-29 Thread Alex
Hi, On Sun, May 29, 2022 at 8:10 PM Kevin A. McGrail wrote: > There is also a rule update for priority levels. Did you install the > latest rules too? > Yes, sa-update runs every day. Last run was 00:29 this morning.

Re: DMARC fails for valid record?

2022-05-29 Thread Alex
Hi, We have been DMARC issues so no, it is not you Are you running the latest > trunk right now? There have been a flurry of patches and some of them are > for this issue. > Yes, just downloaded, compiled, and installed the latest as of this moment and still seeing the same problems initially.

Re: DMARC fails for valid record?

2022-05-29 Thread Alex
Hi, just wondering if anyone else has any ideas on how to solve this? Is everyone with any v4 having problems with DMARC now or is it something specific to my environment? On Thu, May 26, 2022 at 2:36 PM Alex wrote: > Hi, > > > On Thu, May 26, 2022 at 1:15 PM Bill Cole <

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, On Thu, May 26, 2022 at 1:15 PM Bill Cole < sausers-20150...@billmail.scconsult.com> wrote: > On 2022-05-26 at 10:59:29 UTC-0400 (Thu, 26 May 2022 10:59:29 -0400) > Alex > is rumored to have said: > > [...] > > Ugh, and again we already have DKIM_AU and SPF_PA

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, >> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not. > >> > >> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might > be > >> relevant to this thread. > > according to: > > https://github.com/apache/spamassassin/commit/63fa58d814837f5d12b5d587ab4b72fa3c7

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
On Thu, May 26, 2022 at 10:40 AM Alex wrote: > Hi, > > > > Any further thoughts on this? It appears removing the DMARC perl >> library >> > > has disabled any DMARC support altogether. >> > >> > disabling Mail::SpamAssassin::Plugin::DMARC s

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, > > Any further thoughts on this? It appears removing the DMARC perl library > > > has disabled any DMARC support altogether. > > > > disabling Mail::SpamAssassin::Plugin::DMARC should > > make KAM.cf revert to its simpler DMARC > > functionality > > > > note that it requires: > > Mail::SpamAs

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, > > >I also haven't any references to DMARC whatsoever from any SA rules since > >it was uninstalled. > > >I otherwise have no way of telling if there should have been any hits, but > >I'd imagine there should have been at least one in 24-hours. > > > >It appears to have disabled DMARC functio

Re: DMARC fails for valid record?

2022-05-24 Thread Alex
> > > > >On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas > > >wrote: > >> have there been rejects often before? > > On 24.05.22 13:58, Alex wrote: > >I have hundreds of these over the last few days (week?), but they could go > >back

Re: DMARC fails for valid record?

2022-05-24 Thread Alex
CT and DMARC_REJECT > >>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC > >>> isn't available, but uses the library if it does. > >>> > >>> could you (temporarily) uninstall the > >>> perl-Mail-Dmarc-PurePerl-1
