docusign fraud using docusign

2024-11-08 Thread Alex
Hi, Time to remove docusign from RCVD_IN_DNSWL_MED and others that subtract points? This is not cool at all. Even without having these rules, there isn't much in the body to catch a docusign phish that uses docusign directly. https://pastebin.com/ij2MXi6c

Re: docusign fraud using docusign

2024-11-10 Thread Alex
> > > >Time to remove docusign from RCVD_IN_DNSWL_MED and others that subtract > >points? This is not cool at all. > > correct, have you reported it? > How do I do that? To the DNSWL group? I now have a subscription, but they never respond to support requests, even to numerous emails, including a

Re: docusign fraud using docusign

2024-11-10 Thread Alex
> I would just score anything DNSWL at 0. I mean no disrespect to the > maintainer of DNSWL but I just don't find it useful these days. Spam is too > complex now. > > > local.cf: > > score ALL_TRUSTED 0 > Isn't this the local trusted servers? score RCVD_IN_DNSWL_NONE 0 > score RCVD_IN_DNSWL_LOW 0

Experimenting with dcc

2024-09-18 Thread Alex
Hi, I've discovered several emails that hit DCC, most likely because they contain just emails or are entirely empty, so I wanted to whitelist them. However, I'm not sure how to write the checksums to the whiteclnt file so they are consulted by dcc: # /usr/bin/dccproc -QCw whiteclnt < whitelist-em

Re: ATTENTION: DNSWL to be disabled by default.

2024-09-27 Thread Alex
[abbreviated version, as gmail rejected my first attempt] Hi, I've been following this thread on allowable query limits and have a few questions. While I don't see any DKIMWL_BLOCKED or other *_BLOCKED rules hitting in my logs, I am seeing timeouts related to their sub-rules like this: Sep 26 12:

training bayes and newsletters

2024-10-15 Thread Alex
newsletters properly. Thanks, Alex

paypal fraud

2024-11-06 Thread Alex
Hi, I received a paypal scam invoice using paypal servers that passed DKIM and sent through paypal servers but has the return path of some other server after it went through paypal. Return-Path: Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates 66.211.170.93 as permit

Re: paypal fraud

2024-11-07 Thread Alex
> > > can I have a copy of the email ? > I am working on improving some KAM Paypal rules. > Sent, thanks. >

User receiving hundreds of subscribe requests

2020-09-28 Thread Alex
Hi, I have a user who is receiving hundreds of subscribe confirmation requests and password reset requests from legitimate sources like teabox.com, coupon sites, online magazines, travel sites, etc. They're in all different languages and types of sites. They're not bounce messages, but is this so

Blocking by country/ASN/IP/domain

2020-10-25 Thread Alex
Hi, I have a spamassassin-3.4.4 install with amavisd-2.12 and postfix on fedora32 and would like to be able to block email from an entire country on a per-user or per-domain basis. What is the best way to do this? I'm currently using the RelayCountry plugin and Amavis::Custom to add an X-Relay-Cou

Per-user prefs and rules

2020-11-09 Thread Alex
Hi, I'm aware of the ability to store user prefs in mysql, like whether to use bayes or razor, but is it possible to have rules on a per-user basis with SA 3.4.4 and amavis? I realize I could write a meta rule that combines a rule with a recipient address, for example, but ideally I'd like to hav

Re: Per-user prefs and rules

2020-11-10 Thread Alex
> > https://cwiki.apache.org/confluence/display/SPAMASSASSIN/UsingSQL > > create pr user rules, set the scores default to 0 > > in sql, then change scores pr user, easy :=) > > and amavisd have sa_userprefs maps to sa_user, it's just not that easy to > make work as intended This is kind of what I

bayes and InnoDB read locks

2020-11-30 Thread Alex
Hi, I recently set up a central database server to store bayes data for a handful of mail relays to query for bayes info. I've done this in the past and don't recall there being a problem with read locks, but hoped someone could explain why I'm now seeing errors/warnings like this when using sa-le

Mailchimp support for spamassassin-esp

2020-11-30 Thread Alex
Hi, I happened to notice today that the sendgrid spam work being done by Invaluement (https://www.invaluement.com/serviceproviderdnsbl/) and SA developers now apparently supports compromised Mailchimp domains. https://github.com/bigio/spamassassin-esp Is there an ongoing list of compromised mailc

docusign/adobe spark/sendgrid phish

2021-01-28 Thread Alex
https://pastebin.com/mm2JiT3L Thanks, Alex

Re: SA's bayes with the Redis backend?

2021-02-11 Thread Alex
Hi, > > There is no real question, but what I would like to find out is (and to > > ask), does it scale and are any pitfalls? > > Naturally, we would look at doing HA, but am asking for that any > > comment, any tip, any opinion on using redis for bayes. > > Been using it from day one (I'm party t

Google Forms spam

2021-02-21 Thread Alex
Hi, It seems Google Forms is being used to send links to malicious sites and junk. It's making it through because of USER_IN_DEF_DKIM_WL. Is it time to remove Google/Gmail from this rule? Perhaps a meta that combines USER_IN_DEF_DKIM_WL with BAYES_99 adds the points back? Perhaps just blocking .

Re: CHAOS Module Released

2021-02-22 Thread Alex
> >Hope this is useful. Good enough for Noobs, but interesting enough > >for Pros; a little module with a whole lot of 'tude! > >Standard boilerplate introduction: > > looks useful, however, seems that you made checking rules (great) > and mixed them with automatic scoring. > > I'd prefer separati

docusign changes

2021-02-28 Thread Alex
Hi, I have a number of rules that checks for the existence of legitimate docusign links and general weirdness (like the lack of a legitimate To address or to undisc-recips), but it doesn't work for this legitimate docusign email: https://pastebin.com/tZthJnb2 Somehow it's sending to hel...@gmail

Re: More fake order spam

2021-04-28 Thread Alex
Hi, > >-1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list > >manager > > I have disabled his rule some time ago. > Many spammers use mailing list or their signatures. Where is the score coming from for this rule? There isn't an explicit "score" va

ExtractText and docx

2021-05-06 Thread Alex
Hi, I'm trying to use the latest ExtractText plugin, but the docx2txt program the plugin references is no longer available from http://docx2txt.sourceforge.net I've located a working replacement at https://github.com/ankushshah89/python-docx2txt/ (although it's written in python and I don't have

FROMNAME and PDS_FROM_2_EMAILS

2021-05-08 Thread Alex
Hi, I'm trying to understand the FROMNAME rules and a potential conflict with PDS_FROM_2_EMAILS. I understand FROMNAME_SPOOF is designed to catch differences like: From: "no-re...@amazon.com" but what other spoofs is the FromName.pm plugin designed to catch? And I would assume it would be DKIM

KAM_SENDGRID and SPF_HELO_NONE

2021-05-20 Thread Alex
Hi, I have an email that matched KAM_SENDGRID because it also matched SPF_HELO_NONE, despite it apparently being a legitimate sendgrid email. This is from SA trunk. 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.1

Re: KAM_SENDGRID and SPF_HELO_NONE

2021-05-20 Thread Alex
Hi, > > I have an email that matched KAM_SENDGRID because it also matched > > SPF_HELO_NONE, despite it apparently being a legitimate sendgrid > > email. This is from SA trunk. I only meant it as a reference for the version of SA (and SPF.pm) that's being used, in case it was necessary. > > X-En

adobe cloud malicious link

2021-06-04 Thread Alex
Hi, I received what appears to be a legitimate email from what looks like a compromised adobe account that itself contains no malicious links, but redirects to a malicious link once on the adobe site. https://pastebin.com/thp1Atah I don't suppose there's any protection against this, considering

Office phish

2021-06-30 Thread Alex
Hi, Would anyone like to help me block this office phish? It includes an HTML file that presents an O365 login page: https://pastebin.com/JMSrY6KU More javascript in an HTML file.

Re: Office phish

2021-06-30 Thread Alex
Hi, > SpamAssassin has plugins for PhishTank and OpenPhish. I would suggest > you submit the link to them. > You can also reach out to the domain provider, hosting provider(s) and > other companies involved. > > https://pastebin.com/JMSrY6KU We've got to do better than that. These O365 phishing

Re: Office phish

2021-07-01 Thread Alex
Hi, > > I modified the ExtractText plugin to also process HTML files > > > > extracttext_externalhtmlcat /usr/bin/cat {} > > extracttext_use htmlcat .htm .html > > > > Quite horrible hack, as the result should be _rendered_ text. Inserting raw > HTML for all body rules is probably b

Re: Office phish

2021-07-01 Thread Alex
Hi, > >> I realize blocking all javascript is prone to error, > > What legitimate email uses javascript? > And more important: which email clients do actually process Javascript > that comes within an email? Thunderbird doesn't since 10 or 20 years > ago. I don't know of any other as well. This ph

freshworks and DKIM and KAM

2021-08-27 Thread Alex
Hi, I can't figure out why attempts at adding emails from the freshworks.com domain to the welcome list aren't successful. This is from a quarantined message on my amavis/SA/fedora system. I'm not sure why the entirety of freshworks.com would be blocked in the first place? * 9.0 KAM_FROM_URIBL_

Re: freshworks and DKIM and KAM

2021-08-27 Thread Alex
Hi, > > I can't figure out why attempts at adding emails from the > > freshworks.com domain to the welcome list aren't successful. This is > > from a quarantined message on my amavis/SA/fedora system. > > > > I'm not sure why the entirety of freshworks.com would be blocked in > > the first place?

Re: fuglu 1.0.1

2021-09-24 Thread Alex
I also like fuglu for it being coded in python - it's much easier to find python developers than perl developers these days. > But I doubt this mailing list is the best place to talk about fuglu. Yes, not strictly related, but I'm hoping it's closely related enough for someone

DCC/pyzor questions

2022-03-14 Thread Alex
Hi, I'm seeing a lot of DCC/pyzor mail being marked as spam that shouldn't be, and want to see what can be done to prevent that. For example, many emails with just an image attachment and an empty body are hitting DCC. I thought I recalled a way to create a checksum of these empty messages and ad

Microsoft to block Office VBA macros by default

2022-03-15 Thread Alex
Hi, I'm just curious if this announcement has changed anyone's thinking about how we should be handling docx/xlsx/etc attachments in email? This obviously doesn't prevent someone from emailing a document with a malicious macro, but is this going to provide sufficient protection once a potentially

How to deal with bounce messages

2022-04-22 Thread Alex
I've seen that before or have defined it. The description says the BOUNCE_MESSAGE won't fire if this isn't defined, yet this rule was triggered. It's also somehow hitting BAYES_99 - do you train your bounce messages? Thanks, Alex

Re: How to deal with bounce messages

2022-04-22 Thread Alex
> >https://pastebin.com/s032ndrA > > > >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but > > where did you get these from? I just realized these are from my local rules, put together from a conversation many years ago, apparently from before SA had built-in DMARC support. https:

Re: How to deal with bounce messages

2022-04-24 Thread Alex
Hi, > >> >https://pastebin.com/s032ndrA > >> > > >> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but > >> > >> where did you get these from? > > On 22.04.22 10:02, Alex wrote: > >I just realized these are

Untrustworthy TLDs and KAM

2022-05-01 Thread Alex
Hi, Four points for a .online TLD with KAM rules * 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs * [URI: www.lci-mtc.online (online)] * 2.0 KAM_SOMETLD_ARE_BAD_TLD .bar, .buzz, .cam, .casa, .cfd, .club, * .date, .guru, .live, .online, .press, .pw, .quest, .rest, .sbs, * .shop, .

Re: Untrustworthy TLDs and KAM

2022-05-01 Thread Alex
On Sun, May 1, 2022 at 9:47 PM Kevin A. McGrail wrote: > > Did it cause a fp with a score of 5.0 or higher? Yes. https://pastebin.com/AqezMHjQ Thanks!

SPF skipped for whitelisted relay domain

2022-05-05 Thread Alex
pport.meridianlink.com "v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all" Thanks, Alex

Re: SPF skipped for whitelisted relay domain

2022-05-07 Thread Alex
> >I'm trying to understand why some domains are not whitelisted even > >though they pass SPF and are in my local welcomelist_auth entries. I'm > >using policyd-spf with postfix, and it appears to be adding the > >following header: > > > >X-Comment: SPF skipped for whitelisted relay domain - > >cli

Re: SPF skipped for whitelisted relay domain

2022-05-09 Thread Alex
Hi, > >https://pastebin.com/TvTx6KzY > > X-Comment: SPF skipped for whitelisted relay domain - > client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com; > envelope-from=re...@support.meridianlink.com; receiver= > X-Greylist: whitelisted by SQLgrey-1.8.0 > > isn't it possible that it's sql

Re: SPF skipped for whitelisted relay domain

2022-05-09 Thread Alex
Hi, > this is question for policyd-spf and its configuration. > > >The problem here is that something appears to be preventing my > >welcomelist_auth entries from working properly, but I don't really > >understand how. > > I guess it's the whitelist in policyd-spf. Is it possible that it's some

DMARC fails for valid record?

2022-05-09 Thread Alex
Hi, I'm trying to understand why this email from a bank fails DMARC when mxlookup says the DMARC record is just fine. https://pastebin.com/0T4Gjn3v * 1.8 DMARC_REJECT DMARC reject policy * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message * and the domain has a DMAR

Re: DMARC fails for valid record?

2022-05-11 Thread Alex
Hi, On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail wrote: > I believe this is a bug and fixed in trunk. > > On 5/10/2022 1:55 PM, Bill Cole wrote: > > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and > also DMARC_REJECT and/or KAM_DMARC_REJECT > This was from svn version

Re: DMARC fails for valid record?

2022-05-22 Thread Alex
der.b="UglVB1nr" $ spamassassin --version SpamAssassin version 4.0.0-r1900583 running on Perl version 5.34.1 On Wed, May 11, 2022 at 9:01 AM Alex wrote: > Hi, > > On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail > wrote: > >> I believe this is a bug and fixed i

Re: DMARC fails for valid record?

2022-05-22 Thread Alex
On Sun, May 22, 2022 at 11:10 AM Alex wrote: > Hi, is it possible the DMARC_REJECT problem still exists? > > https://pastebin.com/DCu9cq4t > > * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature > * 0.1 DKIM_SIGNED Message has a DKIM or DK sig

Re: DMARC fails for valid record?

2022-05-22 Thread Alex
it in production and we are working on edge cases from my end. > > Alex (OP), do you have Mail::DMARC installed? > May 22 15:12:59.482 [865542] dbg: plugin: loading Mail::SpamAssassin::Plugin::DMARC from @INC I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.

Re: DMARC fails for valid record?

2022-05-23 Thread Alex
> > > > >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed. > > ... and this is the perl library. > > I see you have both KAM_DMARC_REJECT and DMARC_REJECT > - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC > isn't available, but uses the library if it does.

Re: DMARC fails for valid record?

2022-05-24 Thread Alex
On Mon, May 23, 2022 at 8:16 PM Alex wrote: > >> >> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed. >> >> ... and this is the perl library. >> >> I see you have both KAM_DMARC_REJECT and DMARC_REJECT >> - KAM_DMARC_REJECT has

Re: DMARC fails for valid record?

2022-05-24 Thread Alex
CT and DMARC_REJECT > >>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC > >>> isn't available, but uses the library if it does. > >>> > >>> could you (temporarily) uninstall the > >>> perl-Mail-Dmarc-PurePerl-1

Re: DMARC fails for valid record?

2022-05-24 Thread Alex
> > > > >On Tue, May 24, 2022 at 1:09 PM Matus UHLAR - fantomas > > >wrote: > >> have there been rejects often before? > > On 24.05.22 13:58, Alex wrote: > >I have hundreds of these over the last few days (week?), but they could go > >back

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, > > >I also haven't any references to DMARC whatsoever from any SA rules since > >it was uninstalled. > > >I otherwise have no way of telling if there should have been any hits, but > >I'd imagine there should have been at least one in 24-hours. > > > >It appears to have disabled DMARC functio

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, > > Any further thoughts on this? It appears removing the DMARC perl library > > > has disabled any DMARC support altogether. > > > > disabling Mail::SpamAssassin::Plugin::DMARC should > > make KAM.cf revert to its simpler DMARC > > functionality > > > > note that it requires: > > Mail::SpamAs

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
On Thu, May 26, 2022 at 10:40 AM Alex wrote: > Hi, > > > > Any further thoughts on this? It appears removing the DMARC perl >> library >> > > has disabled any DMARC support altogether. >> > >> > disabling Mail::SpamAssassin::Plugin::DMARC s

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, >> no matter if you have Mail::SpamAssassin::Plugin::DMARC loaded or not. > >> > >> Latest trunk has fix for DMARC waiting for SPF and DKIM results. Might > be > >> relevant to this thread. > > according to: > > https://github.com/apache/spamassassin/commit/63fa58d814837f5d12b5d587ab4b72fa3c7

Re: DMARC fails for valid record?

2022-05-26 Thread Alex
Hi, On Thu, May 26, 2022 at 1:15 PM Bill Cole < sausers-20150...@billmail.scconsult.com> wrote: > On 2022-05-26 at 10:59:29 UTC-0400 (Thu, 26 May 2022 10:59:29 -0400) > Alex > is rumored to have said: > > [...] > > Ugh, and again we already have DKIM_AU and SPF_PA

Re: DMARC fails for valid record?

2022-05-29 Thread Alex
Hi, just wondering if anyone else has any ideas on how to solve this? Is everyone with any v4 having problems with DMARC now or is it something specific to my environment? On Thu, May 26, 2022 at 2:36 PM Alex wrote: > Hi, > > > On Thu, May 26, 2022 at 1:15 PM Bill Cole <

Re: DMARC fails for valid record?

2022-05-29 Thread Alex
Hi, We have been DMARC issues so no, it is not you Are you running the latest > trunk right now? There have been a flurry of patches and some of them are > for this issue. > Yes, just downloaded, compiled, and installed the latest as of this moment and still seeing the same problems initially.

Re: DMARC fails for valid record?

2022-05-29 Thread Alex
Hi, On Sun, May 29, 2022 at 8:10 PM Kevin A. McGrail wrote: > There is also a rule update for priority levels. Did you install the > latest rules too? > Yes, sa-update runs every day. Last run was 00:29 this morning.

Re: DMARC fails for valid record?

2022-05-30 Thread Alex
> > >X-Spam-Status: No, score=-2.383 tagged_above=-200 required=5 > >tests=[BAYES_00=-1.9, DCC_REPUT_00_12=-0.4, DKIM_SIGNED=0.1, > >DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DMARC_REJECT=0.1, > >FROM_EXCESS_BASE64=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, > >HTML_IMAGE_

Re: DMARC fails for valid record?

2022-05-30 Thread Alex
> > > > >> did you reload/restart amavis after installing new SA? > >> This header is added by amavis which uses SA libraries internally. > > On 30.05.22 09:50, Alex wrote: > >Yes, thanks. This has been ongoing for weeks. > > doesn't amavisd by

Re: DMARC fails for valid record?

2022-05-31 Thread Alex
Hi, > >> doesn't amavisd by any chance use old SA installation/libraries? > > On 30.05.22 15:12, Alex wrote: > >I don't think so - the current paths it uses are: > > > >/usr/share/spamassassin > >/var/lib/spamassassin/4.00/updates_spamassa

Re: block emails with fake FROM

2022-06-24 Thread Alex
Hi, seems it did not catch this one: > > From: " Dr Perfect "@mail.gepesdaru.hu > > but still it's a leap forward > Is it designed to also identify From addresses that have no name component? From: l...@beroe-inc.com This is an invoice phish that isn't tagged. Ideas on how to block these would

DKIM fails on v4

2022-06-25 Thread Alex
Hi, I've been having problems with DMARC failing over the past few weeks using the latest SA, even on sites I know have passed. It appears to have coincided with an update to DMARC.pm related to timing. I just now happened to notice that maybe the problem is with DKIM, or there's a separate DKIM pr

Re: DKIM fails on v4

2022-06-25 Thread Alex
ckout http://svn.apache.org/repos/asf/spamassassin/trunk Mail-SpamAssassin-4.0.0 On Sat, Jun 25, 2022 at 3:07 PM Alex wrote: > Hi, > I've been having problems with DMARC failing over the past few weeks using > the latest SA, even on sites I know have passed. It appears to have >

Re: DKIM fails on v4

2022-06-26 Thread Alex
> > Amavisd-new works fine here. Maybe $enable_dkim_verification or something > is different. > It's good to know you're using amavisd. It's very dependent upon the SA version you're using, though. It appears both DKIM and DMARC worked until the May 29th version from svn (1901385). At some point

Re: DKIM fails on v4

2022-06-27 Thread Alex
Hi, >> At some point after that, and even until yesterday's version, DKIM > stopped > >> working. DMARC still passes with SPF, but there are no longer any > occurrences > >> of DKIM. > > > > I think Giovannis changes don't work when amavisd is passing > $suppl_attrib: > > > > https://svn.apache.or

Attachment policy

2022-06-27 Thread Alex
Hi, I'm looking for input from people on how they handle attachments, and people using email as a file transfer service. One of our users must have posted to a job site recently, soliciting resumes from people internationally. This resulted in 100+ emails from random people who had never emailed th

Re: Attachment policy

2022-06-28 Thread Alex
achments. Please keep us updated on the progress of the ExtractText plugin. Thanks, Alex

Matching on missing To field?

2022-07-20 Thread Alex
ances that shouldn't be. Can someone explain how this rule works and if something similar would apply to my situation? header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism Thanks, Alex

Re: Matching on missing To field?

2022-07-20 Thread Alex
ea in some way. It does match on "ALL", but I think I need to be more specific than that, to avoid matching on "From:" or Return-Path or EnvelopeFrom./ Thanks, Alex

Mail with image marked as spam

2022-09-25 Thread Alex
Hi, I've asked variations of this question in the past, but I'm still not sure what to do about it. Should an email with just an image attachment, with no subject and no body be treated as spam? This is the circumstance where users are using email as a file transfer device. There seems to be one

Re: Mail with image marked as spam

2022-09-25 Thread Alex
On Sun, Sep 25, 2022 at 1:56 PM Matus UHLAR - fantomas wrote: > On 25.09.22 13:35, Alex wrote: > >I've asked variations of this question in the past, but I'm still not sure > >what to do about it. Should an email with just an image attachment, with > no > >subj

Re: Mail with image marked as spam

2022-09-26 Thread Alex
Hi, > * 1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg > > That rule is nowhere in the current standard rules or the KAM rules. > > If you don't like your custom local rules, only you can change them. > Ah, thanks. Usually my local rules are indicated as such, so I didn't even realize

Gmail confidential mode

2022-10-16 Thread Alex
Hi, What do you know about "Gmail confidential mode" emails? I'm starting to see a few of these come in to users now, and not sure how to treat them. They are sent through gmail, but require a one-time passcode sent to the recipient, so any potential threat is not transferred through the same emai

Re: Gmail confidential mode

2022-10-16 Thread Alex
> > > > What do you know about "Gmail confidential mode" emails? I'm starting to > > see a few of these come in to users now, and not sure how to treat them. > > They are sent through gmail, but require a one-time passcode sent to the > > recipient, > > Did you actually look at them? What do they

PBL and rejects

2022-11-14 Thread Alex
Hi, I'm hoping I can ask this question here. Somehow the PBL considered the IP addresses given to us by our ISP (I can share this if needed) as ineligible to send email, resulting in any recipient domain that checks the PBL to reject our email, including every email sent to a Microsoft 365 domain.

Re: PBL and rejects

2022-11-14 Thread Alex
Hi, > > > I'm hoping I can ask this question here. Somehow the PBL considered the > IP > > addresses given to us by our ISP (I can share this if needed) as > ineligible > > to send email, resulting in any recipient domain that checks the PBL to > > reject our email, > > AIUI, PBL is supposed to be

Re: PBL and rejects

2022-11-15 Thread Alex
Hi, > > >These aren't new netblocks for us from them, but it seems awfully weird > >that we would be operating on these IPs for 2+ years then all of the > sudden > >have them listed like they're dialup IPs. > > generic/dialup DNS names can help here. If they aren't dynamically > allocated, their D

FMBLA_NDBLOCKED and DKIMWL_BLOCKED

2022-11-17 Thread Alex
Hi, I just noticed I've apparently hit the regular limits of use for fmbla and dkimwl for my few domains and honeypots. I believe this is a service provided by Paul Stead - does anyone know if there's a "pro" version or how I might be able increase the permissible capacity allowed? Given it's int

Re: FMBLA_NDBLOCKED and DKIMWL_BLOCKED

2022-11-19 Thread Alex
Hi, > Boring Stuff > We have some restrictions on the usage of our data. You can read all > about it here. > Yeah, turns out not so much. I'm working with Paul directly, thanks,

pyzor and failure to parse response

2022-11-20 Thread Alex
Hi, I'm using the latest SA from trunk and trying to get pyzor working. It runs correctly to check a message from the command-line, but SA apparently fails to properly parse the output? Nov 20 11:55:13.213 [2531397] dbg: pyzor: network tests on, attempting Pyzor Nov 20 11:55:15.756 [2531397] dbg:

Re: pyzor and failure to parse response

2022-11-20 Thread Alex
On Sun, Nov 20, 2022 at 12:54 PM Henrik K wrote: > On Sun, Nov 20, 2022 at 11:58:31AM -0500, Alex wrote: > > Hi, > > I'm using the latest SA from trunk and trying to get pyzor working. It > runs > > correctly to check a message from the command-line, but SA appar

Mail hits MISSING rules despite presence of headers

2022-11-27 Thread Alex
Hi, I have emails from wayfair and Dell that hit many of the MISSING_* rules but these headers are clearly displayed. * 0.5 MISSING_MID Missing Message-Id: header * 1.0 MISSING_FROM Missing From: header * 1.8 MISSING_SUBJECT Missing Subject: header * 1.4 MISSING_DATE Missing Date: header

Re: Mail hits MISSING rules despite presence of headers

2022-11-27 Thread Alex
Hi, > I have emails from wayfair and Dell that hit many of the MISSING_* > > rules > > but these headers are clearly displayed. > > > > * 0.5 MISSING_MID Missing Message-Id: header > > * 1.0 MISSING_FROM Missing From: header > > * 1.8 MISSING_SUBJECT Missing Subject: header > > * 1.4 MISSI

Re: Mail hits MISSING rules despite presence of headers

2022-11-27 Thread Alex
Hi, > I have emails from wayfair and Dell that hit many of the MISSING_* >> > rules >> > but these headers are clearly displayed. >> > >> > * 0.5 MISSING_MID Missing Message-Id: header >> > * 1.0 MISSING_FROM Missing From: header >> > * 1.8 MISSING_SUBJECT Missing Subject: header >> > * 1.

Re: Mail hits MISSING rules despite presence of headers

2022-11-28 Thread Alex
Hi, > Well, a short circuit rule kind of breaks things in the middle so I do not > think you should really spend too much time on rules that hit/didn't hit. > > I like validity but I don't think it justifies a short circuit, FYI. > Okay, it's been removed, but somehow the presence of that didn't

Re: Mail hits MISSING rules despite presence of headers

2022-11-28 Thread Alex
On Mon, Nov 28, 2022 at 10:42 AM Kevin A. McGrail wrote: > What's the score on that short circuit Validity rule? > -2.0 RCVD_IN_VALIDITY_SAFE RBL: Sender in Validity Safe - Contact certificat...@validity.com [Return Path SenderScore Safe L

RBL timeouts

2022-12-02 Thread Alex
Hi, Is anyone (everyone?) also experiencing DNS timeouts with barracuda? 02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729 0

welcomelist_auth and SPF

2022-12-16 Thread Alex
Hi, This GoDaddy/M365 quarantined email passes SPF, but despite now adding it to my welcomelist, it is still marked as spam. https://pastebin.com/VpPmgGN4 Only when I create a welcomelist_from_rcvd does it get delivered. The sender's SPF record includes the sending IP (40.107.96.128) in the sec

Re: welcomelist_auth and SPF

2022-12-16 Thread Alex
Hi, On Fri, Dec 16, 2022 at 5:35 PM Marc wrote: > > The sender's SPF record includes the sending IP (40.107.96.128) in the > > secureserver.net entry, and SPF_PASS is hit. > > > > Without even checking anything I can already remember that this > secureserver.net is shi

sharepoint phish routed through sharepointonline/outlook

2023-01-15 Thread Alex
Hi, X-Spam-Status: No, score=1.102 tagged_above=-200 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1, LOC_FILE_SHARE_PHISH1=0.75, L

Re: sharepoint phish routed through sharepointonline/outlook

2023-01-17 Thread Alex
Hi, > RBL checks for FQDN not just domains would be a good idea... > ... > > I assume you are not running SA4. That does this. (And the sharepoint > domain you have in your mail is listed on SURBL ) > Yes, I am running SA4 and have been for probably more than a year. What am I doing wrong th

FROM_GOV_SPOOF and Zix SPF softfail?

2023-01-18 Thread Alex
Hi, I received an email from ncua.gov sent through Zix that apparently was an SPF softfail. It also hit FROM_GOV_SPOOF. I wanted to see if the two were related, or what the reason was for this email hitting so many spam rules. meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! N

Re: BAYES_00 BODY. Negative score?

2023-02-14 Thread Alex
Hi, >*-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% > >* [score: 0.] > > This indicates a mistrained database, which means you have trained too > many > spams or spam-like messages (commercial messages) as ham. > > Proper training of spams should help. Just keep your spam (and opt

Re: BAYES_00 BODY. Negative score?

2023-02-15 Thread Alex
Hi, > > However, many of tokens in even Forbes and WP newsletters may occur in > different spammy newsletters, so be careful when training even these. > This is exactly what I was thinking. When going through the quarantine, it's also very difficult to always not only identify which newsletters ma

Re: ExtractText tuning

2023-03-06 Thread Alex
Hi, I have successfully set up ExtractText plugin with proposed settings (those > in pod/manual page) and here's a tip: > > - put extracttext.pm into /etc/spamassassin or similar directory >(extracttest settings aren't loaded from user_prefs) > > - tesseract takes too much time to process (at

SHORT_WORD_LINES & KAM_LINEPADDING

2023-03-16 Thread Alex
Hi, I'm curious about the SHORT_WORD_LINES, KAM_LINEPADDING and HK_RANDOM rules. I received a legitimate email from a gmail sender that was pushed beyond 5.0 because of these rules. It hit both SCC_5_SHORT_WORD_LINES and SCC_10_SHORT_WORD_LINES, and because a score isn't explicitly set, the two ru

Re: AuthRes plugin test rules

2023-03-18 Thread Alex
306my ($self, $opts) = @_; 307 Any idea how to troubleshoot this? Thanks, Alex On Sun, Mar 12, 2023 at 11:41 AM Matus UHLAR - fantomas wrote: > >>>Matus UHLAR - fantomas skrev den 2023-03-12 10:15: > >>>>I have also commited patch to bug 6918 to handle
