Flashlight spam (and others)

Dominic Raferd dominic at timedicer.co.uk
Sun Dec 18 09:59:46 CET 2016


On 17 December 2016 at 17:59, Mike Hodson <mystica at gmail.com> wrote:
> (and here is the post that was supposed to go to the mailinglist, but
> didn't, because of bloody gmail not replying-all by default. grr.)
>
>
> On Sat, Dec 17, 2016 at 10:40 AM, Dino Edwards
> <dino.edwards at mydirectmail.net> wrote:
> Am I looking at this right? Does BAYES_00 assign a score of -4 on these
> messages?
>
> I believe you are; and I do not believe this is how a bayes score should be
> set..
>
>
> -----Original Message-----
>         *  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
>         *  0.8 RDNS_NONE Delivered to internal network by a host with no
> rDNS
>
> These 2 tests are not doing anything useful IMHO: if DKIM exists, and _is_
> invalid, it should be an immediate spam flag.
> No RDNS is a huge flag for an illegitimate mail spam server.
>
> These should both be adding _way_ more points than the bayes_00 is
> dropping...and bayes should not be dropping so much if at all.
>>
> Mike
>
> On Sat, Dec 17, 2016 at 10:40 AM, Dino Edwards
> <dino.edwards at mydirectmail.net> wrote:
>>
>> Am I looking at this right? Does BAYES_00 assign a score of -4 on these
>> messages?
>>
>>
>>
>> -----Original Message-----
>> From: amavis-users
>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On
>> Behalf Of @lbutlr
>> Sent: Saturday, December 17, 2016 12:12 PM
>> To: amavis-users at amavis.org
>> Subject: Flashlight spam (and others)
>>
>> I keep getting a rash of multiples of flashlight spam and gift card spam,
>> all of which go sailing right through amavisd/postfix. Has anyone figured
>> out a way to have amavis be more aggressive in tagging spam like this?
>> Obviously BAYES_00 doesn't help, but even without that this spam would not
>> have gotten tagged. There are hundreds of these hitting the server every
>> day. and dozens just to me.
>>
>> I run these through sa-learn but the bayes score never changes.
>>
>> Return-Path: <nighthawk_gear-kreme=kreme.com at webmasterbond.com>
>> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail.covisp.net
>> X-Spam-Level:
>> X-Spam-Status: No, score=0.3 required=5.0
>> tests=BAYES_00,DCC_CHECK,DKIM_SIGNED,
>>         HTML_IMAGE_ONLY_24,HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,RDNS_NONE,
>>         T_DKIM_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no
>> version=3.4.1
>> X-Spam-Report:
>>         * -4.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>>         *      [score: 0.0005]
>>         *  1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes
>> of words
>>         *  0.0 HTML_MESSAGE BODY: HTML included in message
>>         *  1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
>>         *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
>> necessarily
>>         *      valid
>>         *  0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without
>> required MIME
>>         *      headers
>>         *  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not
>> valid
>>         *  0.8 RDNS_NONE Delivered to internal network by a host with no
>> rDNS
>>         *  0.0 T_REMOTE_IMAGE Message contains an external image
>> X-Original-To: kreme at covisp.net
>> Delivered-To: kreme at covisp.net
>> Received: from mail.covisp.net (localhost [127.0.0.1])
>>         by mail.covisp.net (Postfix) with ESMTP id 3tdYyT1XkSzv9rl
>>         for <kreme at covisp.net>; Tue, 13 Dec 2016 15:18:57 -0700 (MST)
>> X-Virus-Scanned: amavisd-new at covisp.net
>> Authentication-Results: mail.covisp.net (amavisd-new);
>>         dkim=fail (1024-bit key) reason="fail (message has been altered)"
>>         header.d=webmasterbond.com; domainkeys=fail (1024-bit key)
>>         reason="fail (message has been altered)"
>>         header.from=nighthawk_gear at webmasterbond.com
>>         header.d=webmasterbond.com
>> Received: from mail.covisp.net ([127.0.0.1])
>>         by mail.covisp.net (mail.covisp.net [127.0.0.1]) (amavisd-new,
>> port 10024)
>>         with ESMTP id r-XqbA5JCtTg; Tue, 13 Dec 2016 15:18:56 -0700 (MST)
>> Received: from mail.webmasterbond.com (unknown [198.8.81.152])
>>         by mail.covisp.net (Postfix) with ESMTP id 3tdYyS2Ml3zv9nS
>>         for <kreme at kreme.com>; Tue, 13 Dec 2016 15:18:56 -0700 (MST)
>> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim;
>> d=webmasterbond.com;
>> h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID;
>> i=nighthawk_gear at webmasterbond.com;
>>  bh=Nfvn/X9O8Y5jCQWPbZvyxy5pEJs=;
>>
>> b=08U1qR944mcwcnBaCEjkN1b8iN4XtgEfXueH4gFGbi0qj9w/JjTSYcZPFCYLdbEVqvGEDFEC6g62
>>
>> 5q6vcIw7XmAay+1m/fDVL2FI92BknfLIqfzkz8d0fOjMoaV1S7QzK/MrOvMk6EPdKAag/vpGlJl1
>>    bNoPkwyDMhgF/lXublE=
>> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim;
>> d=webmasterbond.com;
>> b=r8P3mRUN7wdwD7vtnsIBOjXmsHlvX3P0+vEKGYk5ps4fCy6wG6EIO3tNDMnl++qDIFoNfkuC1eiT
>>
>> CqFTK97eGEjVLqLP8CA9fKmPL/3Cc+bO4Y0vUmZj8CzDxWieatvHhpHyTN6oIb0RYqtnEjfmsngo
>>    czhaTSi1tu24k+xFKK4=;
>> Received: by mail.webmasterbond.com id ha1pt00001gf for <kreme at kreme.com>;
>> Tue, 13 Dec 2016 16:17:04 -0600 (envelope-from
>> <nighthawk_gear-kreme=kreme.com at webmasterbond.com>)
>> Date: Tue, 13 Dec 2016 16:17:04 -0600
>> From: "NightHawk Gear" <nighthawk_gear at webmasterbond.com>
>> To:   <kreme at kreme.com>
>> Subject: New LED flashlight technology released
>> Content-Type: multipart/alternative;
>>         boundary="----=_Part_463_1589181058.1481667409330"
>> X-SMTPAPI: {"category": "20161213-161042-880-4573"}
>> List-Unsubscribe:
>> <http://www.webmasterbond.com/green/6488G9C11BKT1163qwlOgOFwlOgOzMig964/call>
>> Feedback-ID: 201612131610428804573
>> Message-ID: <0.0.0.4C.1D2558EA2A0749A.6C0649 at mail.webmasterbond.com>
>>
>

I can't help with OP's problem but I note that we don't use Bayes
(use_bayes 0 in /etc/spamassassin/local.cf - because we have no
practical way of training it) and we set $sa_kill_level_deflt = 4.0;
the email given as example would have been caught with these settings.
We do get some false positives with this setting (including several
earlier posts in this thread, perhaps because of the discussion
contents?), but few.
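To check the claim above against the quoted headers, here is an added example (not code from this thread or from amavisd/SpamAssassin) that parses the X-Spam-Report the OP posted, recomputes the total as the reported score=0.3, and then re-scores it the way the replies suggest: dropping the BAYES_00 hit (use_bayes 0) and, as a hypothetical local.cf "score RULE value" override map whose values are mine and not from the thread, raising T_DKIM_INVALID and RDNS_NONE.

```python
import re

# Constructed copy of the X-Spam-Report lines quoted in this thread
# (scores as SpamAssassin 3.4.1 reported them for the flashlight mail).
SPAM_REPORT = """\
* -4.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*      [score: 0.0005]
*  1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
*  0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
*  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
*  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
*  0.0 T_REMOTE_IMAGE Message contains an external image
"""

# Hypothetical overrides (my illustrative values, not proposed in the thread),
# in the spirit of Mike's point that these two tests deserve more weight.
HYPOTHETICAL_OVERRIDES = {"T_DKIM_INVALID": 2.0, "RDNS_NONE": 2.0}

# A report line looks like "*  0.8 RULE_NAME description"; continuation
# lines such as "*      [score: 0.0005]" carry no rule and are skipped.
RULE_LINE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\s")

def parse_report(report):
    """Return {rule_name: score} for every rule hit in an X-Spam-Report."""
    hits = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def rescore(hits, overrides=None, use_bayes=True):
    """Total the hits as if local.cf 'score RULE value' overrides applied.
    use_bayes=False drops BAYES_* hits, i.e. local.cf 'use_bayes 0'."""
    overrides = overrides or {}
    total = 0.0
    for rule, score in hits.items():
        if not use_bayes and rule.startswith("BAYES_"):
            continue
        total += overrides.get(rule, score)
    return round(total, 1)

def is_killed(total, kill_level):
    """True when the total reaches the amavis kill level (e.g. 4.0 above)."""
    return total >= kill_level

if __name__ == "__main__":
    hits = parse_report(SPAM_REPORT)
    print("as reported:", rescore(hits))                      # 0.3
    print("use_bayes 0:", rescore(hits, use_bayes=False))     # 4.3
    print("with overrides:", rescore(hits, HYPOTHETICAL_OVERRIDES, False))
```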
