On 12/11/2017 02:55 PM, Tobi wrote:
@Dave
you're sure that trusted_networks must be changed in case of fetching mails? I 
fetch mine from gmail too and sa always has the correct first non trusted 
relay, without changing *_networks. With fetching you do not get an smtp 
received header, so sa jumps to the next relay. And (at least from what I see in 
my gmail mails) the first smtp received header without a private ip address is 
the one that hands off to gmail, aka the one to feed to sa.

Cheers

tobi


I checked my Gmail account with a mail client and you are correct. Google is not adding a Received header for their own mail server so that "hop" doesn't have to be skipped over by SA. I guess I was thinking about the forwarding in my mind that would add that "hop" in the Received headers. Thanks for the clarification.

----- Original Message -----
From: David Jones <djo...@ena.com>
Sent: 11.12.17 - 17:27
To: users@spamassassin.apache.org
Subject: Re: Flakey spam email. How to filter?

On 12/11/2017 09:44 AM, Mark London wrote:
I'm getting a lot of flakey spam messages that don't trigger any
significant spamassassin rules, even though they obviously look really
bogus.

Here's an example. Any suggestions?

https://pastebin.com/bZUt0ThS

These spams are being sent to my gmail account, and then forwarded to my
work address. I tried stripping off all the forwarding headers, but it
doesn't trigger any RBLs.

Thanks for any help.

- Mark




It's going to be very difficult to filter mail properly that has been
forwarded from Gmail.  Why would you want to do this anyway?  Report it
as Spam at Gmail and let Google block it for you and everyone else on
Gmail and G-Suite.

If you want to continue this mail flow and use Spamassassin, I would
recommend using POP to pull the email from Google and not forward it,
which breaks a lot of stuff like SPF.  You will need to set up your
trusted_networks to cover all of Google's mail servers IPs listed in
their SPF record to get RBLs to work correctly which could be challenging.

I ran that email through my filters and it scored a 12.5 for me.  Make
sure you have DCC installed and working.  I realize that time has passed
so DCC may not have hit the original SMTP receive time but still it
should have scored well above 6.0 based on properly trained Bayes and
some other SA hits:

   0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
   0.0 HTML_MESSAGE           BODY: HTML included in message
   1.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                              [score: 0.5000]
   0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
   0.8 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
   1.5 BODY_8BITS             BODY: Body includes 8 consecutive 8-bit characters
   2.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
   0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
   0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
   0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
   0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge http urls
   2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num

That IP of 158.69.185.128 is not listed on any RBLs so it's pretty much
left to SA content-based rules like DCC, Bayes, and a few others above.

--
David Jones



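The relay selection Tobi and David are discussing, as an added Python example that is not part of this thread and not SpamAssassin's own code: a simplified model of how trusted_networks decides which Received hop is the first untrusted relay, i.e. the address that RBL lookups end up checking. It runs the same message in two constructed forms, once as fetched from Gmail over POP (no local SMTP hop, Google's own hop on a private address) and once as forwarded by Gmail to a work MX, and shows why the forwarded form needs Google's netblocks in trusted_networks before the blocklist lookup lands on the real originating relay. All headers, host names and addresses are constructed, and the 209.85.128.0/17 netblock is assumed for illustration; check Google's current SPF record before configuring anything.

```python
"""Simplified model of SpamAssassin's first-untrusted-relay selection.

Added example, not SpamAssassin code. It walks Received headers newest-first,
skips hops whose sending address is private or listed in trusted_networks,
and returns the first remaining address: the one DNS blocklists should see.
"""
import ipaddress
import re
from email import message_from_string
from email.policy import default
from typing import Optional, Sequence

# Address space that is never a useful blocklist lookup target; hops from
# these ranges are treated as internal even with no networks configured.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]

# Sending address of a hop, e.g. "from host (host. [203.0.113.5]) by ...",
# "from [10.0.0.5] by ..." or "from host ([IPv6:2001:db8::1]) by ...".
# Deliberately minimal: real Received syntax has more variants than this.
_FROM_IP = re.compile(
    r"\bfrom\s+(?:\S+[^\[]*)?\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def first_untrusted_relay(raw_message: str,
                          trusted_networks: Sequence[str] = ()) -> Optional[str]:
    """Return the IP of the first Received hop (top-down) that is neither in
    private space nor in trusted_networks, or None if every hop is trusted
    or carries no parseable sending address."""
    trusted = PRIVATE_NETS + [ipaddress.ip_network(n) for n in trusted_networks]
    msg = message_from_string(raw_message, policy=default)
    for received in msg.get_all("Received", []):
        match = _FROM_IP.search(str(received))
        if not match:
            # "Received: by ... with SMTP" style hops carry no sending address
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue
        # ip_address in ip_network of the other IP version is simply False
        if any(ip in net for net in trusted):
            continue
        return str(ip)
    return None


# Constructed sample 1: the message as fetched from Gmail over POP (Tobi's
# case). There is no local SMTP hop, and Google's own hop uses a private IP.
FETCHED = """\
Received: from [10.0.0.5] by internal-hop.gmail.example with HTTP;
    Mon, 11 Dec 2017 14:00:00 +0000
Received: from sender.example.net (sender.example.net. [203.0.113.5])
    by mx.google.example with ESMTPS id constructed1;
    Mon, 11 Dec 2017 13:59:58 +0000
From: someone@example.net
To: me@gmail.example
Subject: constructed sample

body
"""

# Constructed sample 2: the same message after Gmail forwarded it to a work
# MX (David's case). The newest hop is now Google's outbound server.
FORWARDED = """\
Received: from mail-outbound.google.example ([209.85.220.41])
    by mx.work.example with ESMTPS id constructed2;
    Mon, 11 Dec 2017 14:01:00 +0000
Received: by 2002:a17:90a:1234:0:0:0:0 with SMTP id constructed3;
    Mon, 11 Dec 2017 14:00:59 +0000
Received: from sender.example.net (sender.example.net. [203.0.113.5])
    by mx.google.example with ESMTPS id constructed1;
    Mon, 11 Dec 2017 13:59:58 +0000
From: someone@example.net
To: me@work.example
Subject: constructed sample (forwarded)

body
"""

# Assumed netblock for the forwarding provider; verify against the provider's
# published SPF record before putting it into trusted_networks.
GOOGLE_NETBLOCKS = ["209.85.128.0/17"]

if __name__ == "__main__":
    print("POP fetch, no config:      ", first_untrusted_relay(FETCHED))
    print("forwarded, no config:      ", first_untrusted_relay(FORWARDED))
    print("forwarded, trusted Google: ",
          first_untrusted_relay(FORWARDED, GOOGLE_NETBLOCKS))
```

Run as a script it prints 203.0.113.5 for the POP-fetched copy with no configuration at all, 209.85.220.41 for the forwarded copy (the blocklist lookup would be wasted on Google's outbound server), and 203.0.113.5 again once the assumed Google netblock is passed as trusted_networks. The same walk is why the SPF check breaks on forwarded mail: the envelope sender's SPF policy is evaluated against whichever hop the receiver treats as the first untrusted one.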
