in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim.
clue?
randy

From: "SmallCapStockPlays" <info@SmallCapStockPlays.com>
Subject: Could VIIC be our biggest play in 2014? Check the stock today
To: <randy@psg.com>
Date: Tue, 18 Feb 2014 20:48:02 -0500
Return-path: <bounces+796782.50654126.285374@icpbounce.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham version=3.3.2
Received: from psg.com ([2001:418:1::62]) by ran.psg.com with esmtp (Exim 4.76) (envelope-from <bounces+796782.50654126.285374@icpbounce.com>) id 1WFwGl-0006al-Bu for randy@ran.psg.com; Wed, 19 Feb 2014 01:48:16 +0000
Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com) by psg.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <bounces+796782.50654126.285374@icpbounce.com>) id 1WFwGZ-000Lp8-0W for randy@psg.com; Wed, 19 Feb 2014 01:48:04 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; d=icontactmail3.com; h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:X-Feedback-ID:Content-Type:Message-ID; bh=iihwvTJA/ZrrgzXpk+9Muk0Sqlfk5BqD+aI+mL91kn8=; b=wKHIYdl1BdMRK0Kak5Z/2CwsfFh5Byoe9ZlHaqQz3VK4ltYtLfCI3tg6y8Wq3HuULY+ere7Fzz9Q camnKSvqcSx3u8LQWQGQSZoYkOmzcIemCHNNrsBD+WZhVA9R3W10V2NM6OTuJKFURxtmCNME29kH 5bYunRCoGolocQ5HmAw=
Mime-Version: 1.0
Errors-To: bounces+796782.50654126.285374@icpbounce.com
List-Unsubscribe: <https://app.icontact.com/icp/listunsubscribe.php?r=50654126&l=4084&s=FSMC&m=285374&c=796782>, <mailto:bounces+796782.50654126.285374@icpbounce.com>
X-List-Unsubscribe: <https://app.icontact.com/icp/listunsubscribe.php?r=50654126&l=4084&s=FSMC&m=285374&c=796782>
X-Unsubscribe-Web: <https://app.icontact.com/icp/listunsubscribe.php?r=50654126&l=4084&s=FSMC&m=285374&c=796782>
X-Feedback-ID: 01_796782_285374:01_796782:01:vocus
X-ICPINFO:
X-Return-Path-Hint: bounces+796782.50654126.285374@icpbounce.com
Content-Type: multipart/alternative; boundary="cdf82e78-582d-4a55-9037-dacf81ae37d3"
Message-ID: <0.1.F.AFD.1CF2D149FE8FD9E.0@drone166.ral.icpbounce.com>

[1 <text/plain; utf-8 (quoted-printable)>]
HOME ABOUT US TRADE IDEAS PENNY STOCK ARTICLES DAILY NEWS
[1][png] [2][png] [3][png]
Randy Bush wrote:
in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim.
clue?
randy
They are smart and dkim sign their messages; even though it's invalid I believe that's why it has such a low bayes score. It's getting marked as ham and not spam. Are you positive your definitions are still updating?
They are smart and dkim sign their messages; even though it's invalid I believe that's why it has such a low bayes score.
lots of the spam getting through has no dkim
It's getting marked as ham and not spam. Are you positive your definitions are still updating?
sa-update has run. and it runs cleanly
randy
On 02/18/2014 05:52 PM, Randy Bush wrote:
in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim.
It's been a while since i've been in this world, but I wonder whether bayes filters are using the public key of the dkim selector as a token. if they don't change selectors/keys they'd probably be s-canned pretty quickly. It would require that the dkim subsystem talk to the bayes subsystem since the public key isn't in the signature, so i'm guessing not.
Mike
DKIM serves to authenticate the source of the message. So this is a stock tip spam sent through an email service provider called icontact, and the dkim signature declares that. Just that and nothing more. Says nothing at all about the email's reputation - whether it is spam or not.
--srs
On Tuesday, February 18, 2014, Randy Bush <randy@psg.com> wrote:
in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim.
clue?
--
--srs (iPad)
On 2/18/2014 7:10 PM, Suresh Ramasubramanian wrote:
DKIM serves to authenticate the source of the message. So this is a stock tip spam sent through an email service provider called icontact, and the dkim signature declares that. Just that and nothing more.
Says nothing at all about the email's reputation - whether it is spam or not.
--srs
On Tuesday, February 18, 2014, Randy Bush <randy@psg.com> wrote:
Yeah, it just validates the domain that the email came from. But,

"X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,*T_DKIM_INVALID* autolearn=ham version=3.3.2"

Spamassassin knows the dkim signature is invalid, so there must be a dns query that occurs at this point in the message processing. If that is the case, there must be some way to configure to reject if the dkim signature is invalid.

"X-Spam-Status: No, score=0.8 required=5.0"

Spamassassin isn't going to block anything until it registers a score of 5. So, just having a dkim signature (even though invalid) is possibly lowering the score. Maybe you could tweak the settings to pick off spam at a lower score. But, setting your levels down to 0.8 would probably block legitimate email.

You could always block their ip in the helo_access (or iptables) of your postfix server (I'm assuming that's what you are using). But that's only going to be a temporary fix. You could also add a rbl query to your mail server config to spamhaus. That could always help.
I would not advise that. Plenty of things can render a dkim sig invalid. Not all of them are evidences of malice. You might be well advised to check for a DMARC record (which asserts policy using a combination of DKIM and SPF) and if there's a reject there, feel free to trash the email if there's a validation failure. But not simply because a DKIM signature breaks.
--srs
On Tuesday, February 18, 2014, Private Sender <nobody@snovc.com> wrote:
Spamassassin knows the dkim signature is invalid, so there must be a dns query that occurs at this point in the message processing.
If that is the case, there must be someway to configure to reject if the dkim signature is invalid.
--
--srs (iPad)
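The policy check Suresh describes, as an added example (not code from this thread or from any mail system): a small DMARC evaluator that treats a broken DKIM signature as grounds for action only when no other aligned identifier authenticates the message and the From domain actually publishes a quarantine/reject policy. The domain names and DMARC records are constructed for the example; organizational-domain derivation is simplified (no Public Suffix List lookup) and the pct tag is ignored.

```python
# Added example, not code from the thread or from any mail system. Implements the
# decision Suresh describes: a DKIM failure alone never rejects; only a DMARC
# failure (no aligned DKIM pass AND no aligned SPF pass) against a published
# policy does.
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Turn a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption made
    for this example; a real evaluator consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain. A missing auth_domain means that
    mechanism did not pass, so it cannot align."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                  # domain in the RFC5322.From header
    dkim_pass_domain: Optional[str]   # d= of a signature that verified, None if none did
    spf_pass_domain: Optional[str]    # MAIL FROM domain if SPF passed, else None


def dmarc_disposition(results: AuthResults, record: Optional[str]) -> str:
    """'pass' if an aligned DKIM or SPF pass exists; otherwise the published
    policy ('none', 'quarantine', 'reject'); 'none' when no record is published.
    The pct tag is ignored (simplification)."""
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    dkim_ok = aligned(results.from_domain, results.dkim_pass_domain, tags.get("adkim", "r"))
    spf_ok = aligned(results.from_domain, results.spf_pass_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed scenarios (hypothetical domains, hypothetical records).
# 1. Same shape as the thread's sample: From one domain, DKIM signed by an ESP
#    domain and not verifying, envelope sender at the ESP's bounce domain.
ESP_BULK = AuthResults("sender.example", None, "bounces.esp.example")
# 2. A legitimate message whose DKIM signature broke in transit, but whose SPF
#    passes on an aligned domain.
LEGIT_BROKEN_DKIM = AuthResults("sender.example", None, "mail.sender.example")

if __name__ == "__main__":
    for label, res in (("esp bulk", ESP_BULK), ("legit, dkim broke", LEGIT_BROKEN_DKIM)):
        for record in (None, "v=DMARC1; p=reject", "v=DMARC1; p=reject; aspf=s"):
            print(f"{label:>18} | {record!s:>30} -> {dmarc_disposition(res, record)}")
```

The second scenario is the case Suresh warns about: with a relaxed policy the aligned SPF pass carries the message even though DKIM broke, and it is only the strict aspf=s record that turns it into a failure. Without any published record the evaluator returns 'none', so a broken signature on its own never produces a reject.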
as i said, much of the crap coming through, 10-20 times normal, does not have dkim. i suggest that focusing on dkim is a red herring. and yes, i know how dkim works.
If that is the case, there must be someway to configure to reject if the dkim signature is invalid.
5.0-0.8 is a large value, at least in this area.
You could always block their ip in the ...
their? you are presuming a single source.
You could also add a rbl query to your mail server config to spamhaus.
have had that for years
randy
--As of February 19, 2014 9:52:57 AM +0800, Randy Bush is alleged to have said:
in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim.
clue?
--As for the rest, it is mine.

The spamassassin list has been tracking an issue where a new rule made it out of the testbox accidentally, which lowers scores on a lot of spam. It wasn't in the sample you provided, but the rule name is BAYES_999 - it catches mail that the bayes filter thinks is 99.9-100% sure to be spam. As it got promoted prematurely, it's showing with a score of 1.0. (The default.) It's probably a part of your problem.

A fix should be in the rules update today or tomorrow - or you can rescore it to the same as BAYES_99 (someplace in the 3 range by default, I believe). That's what used to catch that mail: it used to mean 99-100%, and now means 99-99.9%.

More info can be found in the mailing list archives for the spamassassin list.

Daniel T. Staal

---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---------------------------------------------------------------
Daniel is correct, he gets a cookie! To the others: please learn to recognize when you have no clue.

We've been having the same problem here for the last three days. I tracked it down to BAYES_999. Glad to see other people are suffering as much as I am. :)

Simon

On 2014-02-19 01:46, Daniel Staal wrote:
--As of February 19, 2014 9:52:57 AM +0800, Randy Bush is alleged to have said:
in the last 3-4 days, a *massive* amount of spam is making it past spamassassin to my users and to me. see appended for example. not all has dkim.
clue?
--As for the rest, it is mine.
The spamassassin list has been tracking an issue where a new rule made it out of the testbox accidentally, which lowers scores on a lot of spam. It wasn't in the sample you provided, but the rule name is BAYES_999 - it catches mail that the bayes filter thinks is 99.9-100% sure to be spam. As it got promoted prematurely, it's showing with a score of 1.0. (The default.) It's probably a part of your problem.
A fix should be in the rules update today or tomorrow - or you can rescore it to the same as BAYES_99 (someplace in the 3 range by default, I believe). That's what used to catch that mail: it used to mean 99-100%, and now means 99-99.9%.
More info can be found in the mailing list archives for the spamassassin list.
Daniel T. Staal
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
Daniel is correct, he gets a cookie! To the others: please learn to recognize when you have no clue.
simon, you just do not understand the purpose of the nanog list
We've been having the same problem here for the last three days. I tracked it down to BAYES_999. Glad to see other people are suffering as much as I am. :)
as the fix is not yet out, would be cool if someone with more fu than i posted a recipe to hack for the moment.
randy
Yo Randy!

On Thu, 20 Feb 2014 10:48:49 +0800 Randy Bush <randy@psg.com> wrote:
We've been having the same problem here for the last three days. I tracked it down to BAYES_999. Glad to see other people are suffering as much as I am. :)
as the fix is not yet out, would be cool if someone with more fu than i posted a recipe to hack for the moment.
http://www.gossamer-threads.com/lists/spamassassin/users/183433

body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
gem@rellim.com Tel:+1(541)382-8588
http://www.gossamer-threads.com/lists/spamassassin/users/183433
as blabby as nanog, and not really specific
body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7
and this is a replacement for both 999 and 99?
randy
On 02/19/14 22:22, Randy Bush wrote:
http://www.gossamer-threads.com/lists/spamassassin/users/183433
as blabby as nanog, and not really specific
body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7
and this is a replacement for both 999 and 99?
You should be able to just whack it into local.cf and it'll override whatever other instances there are,

Michael
--As of February 20, 2014 11:22:34 AM +0800, Randy Bush is alleged to have said:
http://www.gossamer-threads.com/lists/spamassassin/users/183433
as blabby as nanog, and not really specific
body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7
and this is a replacement for both 999 and 99?
--As for the rest, it is mine.

It's a redefinition of both, yes. It was partly given in the original thread as a help to understand what was happening - and it was listed as a *temporary* fix, until the rule has been stabilized. Discussion on both of these rules is ongoing at the moment, and I wouldn't advise the above fix unless you are following it. It's likely that it will double-score some of your spam, or drastically change the meanings of the rules from what is shipped, if not now then soon.

Putting the 'score' lines in your local.cf or user_prefs should be fine, but I'd avoid the definition lines. (`/etc/mail/spamassassin/local.cf` is the usual main editable config file for spamassassin, and `~/.spamassassin/user_prefs` is per-user configs, if you have that.)

The correct score has been pushed, as Simon Perreault mentioned. Taking out anything you've done and running sa-update should get you a working ruleset. (If you've increased the score of either one in the normal fashions - using local.cf or user_prefs - that should be fine.)

Daniel T. Staal
I'm going to forward on what's probably a 'final disposition' post on this below. Note the behavior of the BAYES_999 rule is going to change dramatically. (It will be *in addition* to the BAYES_99 rule, instead of replacing it for messages with the appropriate bayes score.)

From: "Kevin A. McGrail" <KMcGrail@PCCC.com>
As of about 10:30EST Tonight, I expect that versions 3.3.X will be able to use sa-update to receive an update that includes BAYES_99 as it used to exist + BAYES_999 which overlaps with BAYES_99 and adds 0.2 to the score.
By about 4AM tomorrow, version 3.4.1 will have an update though likely no one can access that update.
Tomorrow morning by about 10AM, I will update 3.4.0 manually to receive the 3.4.1 update.
So as of ~1 hour past the times above based on the version in use to allow for DNS ttl and mirror updates, I would recommend people run sa-update and remove any manual edits for rules named BAYES_99 or BAYES_999. If they have manual scoring for these, they will want to review those scores for their own installation. BAYES_99 scores in the 3.75 range and BAYES_999 will score in the 0.25 range. Anything outside of those scores should be done understanding your own Bayesian database.
They can confirm they received the correct update if the rule score for BAYES_999 changes to 0.2, i.e. for a default path 3.4.0 installation:
grep BAYES_999 /var/lib/spamassassin/3.004000/updates_spamassassin_org/50_scores.cf
gives
score BAYES_999 0 0 4.0 3.7
Tomorrow, this should change to 0.2.
regards, KAM
On 2/19/2014 6:48 PM, Randy Bush wrote:
Daniel is correct, he gets a cookie! The the others: please learn to recognize when you have no clue.
simon, you just do not understand the purpose of the nanog list
We've been having the same problem here for the last three days. I tracked it down to BAYES_999. Glad to see other people are suffering as much as I am. :)
as the fix is not yet out, would be cool if someone with more fu than i posted a recipe to hack for the moment.
I found this config block in the file "50_scores.cf" and added the BAYES_999 entry:
# make the Bayes scores unmutable (as discussed in bug 4505)
ifplugin Mail::SpamAssassin::Plugin::Bayes
score BAYES_00 0 0 -1.5 -1.9
score BAYES_05 0 0 -0.3 -0.5
score BAYES_20 0 0 -0.001 -0.001
score BAYES_40 0 0 -0.001 -0.001
score BAYES_50 0 0 2.0 0.8
score BAYES_60 0 0 2.5 1.5
score BAYES_80 0 0 2.7 2.0
score BAYES_95 0 0 3.2 3.0
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.9
endif
------ Andris
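Daniel's explanation of the prematurely promoted BAYES_999 rule, the score lines Gary and Andris posted, and KAM's note that the fixed BAYES_999 adds about 0.2 on top of BAYES_99 are all about the same mechanism, so here is one added example covering them (not code from this thread or from SpamAssassin itself): a small model of how SpamAssassin resolves "score" lines (single and four-score forms, later files overriding earlier ones, 1.0 for a rule with no score line) and how the check_bayes buckets turn a Bayes probability into BAYES_* hits, run over the same 99.95%-spam message under the old, premature and fixed definitions. The BAYES block is the 50_scores.cf excerpt quoted in the thread; the other score values, the local.cf override, and the bucket-edge convention (min < p <= max) are constructed assumptions for the example.

```python
# Added example, not code from the NANOG thread or from SpamAssassin. It models
# two pieces of SpamAssassin behaviour discussed in the thread:
#   * how "score" lines (1-score and 4-score forms) are resolved, later files
#     overriding earlier ones, with a default of 1.0 for an unscored rule;
#   * how the BAYES_* buckets (check_bayes min/max) turn a Bayes probability
#     into rule hits,
# and compares the old, prematurely promoted and fixed BAYES_999 definitions.
import re
from typing import Dict, List, Tuple

# Constructed config text. The BAYES block mirrors the 50_scores.cf excerpt quoted
# in the thread; the remaining score lines are illustrative values, not SpamAssassin's.
RULES_50_SCORES_CF = """
# make the Bayes scores unmutable (as discussed in bug 4505)
ifplugin Mail::SpamAssassin::Plugin::Bayes
score BAYES_00 0 0 -1.5 -1.9
score BAYES_05 0 0 -0.3 -0.5
score BAYES_20 0 0 -0.001 -0.001
score BAYES_40 0 0 -0.001 -0.001
score BAYES_50 0 0 2.0 0.8
score BAYES_60 0 0 2.5 1.5
score BAYES_80 0 0 2.7 2.0
score BAYES_95 0 0 3.2 3.0
score BAYES_99 0 0 3.8 3.5
endif
score HTML_MESSAGE 0.001
score MIME_QP_LONG_LINE 0.001
"""

# Constructed local.cf override: the fixed ruleset scores BAYES_999 at about 0.2
# on top of BAYES_99, as KAM's post describes.
LOCAL_CF_FIXED = "score BAYES_999 0.2\n"

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")


def parse_scores(*configs: str) -> Dict[str, Tuple[float, ...]]:
    """Collect score lines from configs in order; a later line for the same rule
    replaces an earlier one, which is how local.cf overrides 50_scores.cf."""
    scores: Dict[str, Tuple[float, ...]] = {}
    for text in configs:
        for line in text.splitlines():
            line = line.split("#", 1)[0]            # strip comments
            m = SCORE_RE.match(line)
            if not m:
                continue                            # ifplugin/endif/blank lines
            values = tuple(float(v) for v in m.group(2).split())
            if len(values) not in (1, 4):
                raise ValueError(f"bad score line: {line!r}")
            scores[m.group(1)] = values
    return scores


def effective_score(rule: str, scores: Dict[str, Tuple[float, ...]],
                    use_bayes: bool = True, use_network: bool = True) -> float:
    """Pick the score for the running mode. Four-score lines are ordered
    (no bayes, no net), (net only), (bayes only), (bayes + net). A rule with no
    score line gets SpamAssassin's default: 1.0, or 0.01 for T_ test rules."""
    values = scores.get(rule)
    if values is None:
        return 0.01 if rule.startswith("T_") else 1.0
    if len(values) == 1:
        return values[0]
    return values[(1 if use_network else 0) + (2 if use_bayes else 0)]


# check_bayes('min', 'max') buckets; lower buckets omitted for brevity. Only the
# BAYES_99/BAYES_999 lines differ between the three variants. Bucket edges are
# taken as min < p <= max (an assumption for this example).
BAYES_COMMON = {
    "BAYES_50": (0.40, 0.60), "BAYES_60": (0.60, 0.80),
    "BAYES_80": (0.80, 0.95), "BAYES_95": (0.95, 0.99),
}
BAYES_VARIANTS = {
    "old":       {**BAYES_COMMON, "BAYES_99": (0.99, 1.00)},
    "premature": {**BAYES_COMMON, "BAYES_99": (0.99, 0.999), "BAYES_999": (0.999, 1.00)},
    "fixed":     {**BAYES_COMMON, "BAYES_99": (0.99, 1.00),  "BAYES_999": (0.999, 1.00)},
}


def bayes_hits(prob: float, buckets: Dict[str, Tuple[float, float]]) -> List[str]:
    """Names of the BAYES_* rules that fire for a given Bayes spam probability."""
    return [name for name, (lo, hi) in buckets.items() if lo < prob <= hi]


def total_score(tests: List[str], scores: Dict[str, Tuple[float, ...]], **mode) -> float:
    """Sum the effective scores of the tests a message hit."""
    return sum(effective_score(t, scores, **mode) for t in tests)


def compare_variants(prob: float, other_tests: List[str]) -> Dict[str, float]:
    """Total score of one message under each BAYES_999 variant (bayes + net mode).
    Only the 'fixed' variant layers the local.cf override on top of 50_scores.cf."""
    result = {}
    for name, buckets in BAYES_VARIANTS.items():
        cfg = [RULES_50_SCORES_CF] + ([LOCAL_CF_FIXED] if name == "fixed" else [])
        scores = parse_scores(*cfg)
        hits = bayes_hits(prob, buckets) + other_tests
        result[name] = round(total_score(hits, scores), 3)
    return result


if __name__ == "__main__":
    # A message the Bayes classifier rates 99.95% spam, plus one harmless HTML hit.
    for variant, score in compare_variants(0.9995, ["HTML_MESSAGE"]).items():
        print(f"{variant:>10}: score={score} (required 5.0)")
```

Under the premature definition the message drops out of BAYES_99 and lands only in the unscored BAYES_999, so its total falls from about 3.5 to about 1.0, which is the drop Daniel describes; the fixed definition keeps the BAYES_99 hit and adds the 0.2. The same scoring table reproduces the 0.8 in the sample header (BAYES_50 at its bayes+net value plus the three near-zero hits), which is why that message was never going to reach 5.0 whatever the DKIM result.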
On 2014-02-19 21:48, Randy Bush wrote:
as the fix is not yet out, would be cool if someone with more fu than i posted a recipe to hack for the moment.
The fix is out now! :D

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
participants (9)
- Andris Kalnozols
- Daniel Staal
- Gary E. Miller
- Michael Butler
- Michael Thomas
- Private Sender
- Randy Bush
- Simon Perreault
- Suresh Ramasubramanian