spamassassin-users mailing list archives

From David Jones <djo...@ena.com>
Subject Re: Flakey spam email. How to filter?
Date Tue, 12 Dec 2017 00:28:23 GMT
On 12/11/2017 02:55 PM, Tobi wrote:
> @Dave
> you're sure that trusted_networks must be changed in case of fetching mails? I fetch
> mine from gmail too and sa always has the correct first non trusted relay. Without changing
> *_networks. With fetching you do not get an smtp received header so sa jumps to the next relay.
> And (at least from what I see in my gmail mails) the first smtp received header without a
> private ip address is the one that hands off to gmail aka the one to feed to sa
> 
> Cheers
> 
> tobi
> 

I checked my Gmail account with a mail client and you are correct. 
Google is not adding a Received header for their own mail server so that 
"hop" doesn't have to be skipped over by SA.  I guess I was thinking 
about the forwarding in my mind that would add that "hop" in the 
Received headers.  Thanks for the clarification.

> ----- Original Message -----
> From: David Jones <djones@ena.com>
> Sent: 11.12.17 - 17:27
> To: users@spamassassin.apache.org
> Subject: Re: Flakey spam email. How to filter?
> 
>> On 12/11/2017 09:44 AM, Mark London wrote:
>>> I'm getting a lot of flakey spam messages,  that don't trigger any
>>> significant spamassassin rules, even though it obviously looks really
>>> bogus.
>>>
>>> Here's an example.   Any suggestions?
>>>
>>> https://pastebin.com/bZUt0ThS
>>>
>>> These spams are being sent to my gmail account, and then forwarded to my
>>> work address. I tried stripping off all the forwarding headers, but it
>>> doesn't trigger any RBLs.
>>>
>>> Thanks for any help.
>>>
>>> - Mark
>>>
>>
>> It's going to be very difficult to filter mail properly that has been
>> forwarded from Gmail.  Why would you want to do this anyway?  Report it
>> as Spam at Gmail and let Google block it for you and everyone else on
>> Gmail and G-Suite.
>>
>> If you want to continue this mail flow and use Spamassassin, I would
>> recommend using POP to pull the email from Google and not forward it,
>> which breaks a lot of stuff like SPF.  You will need to set up your
>> trusted_networks to cover all of Google's mail server IPs listed in
>> their SPF record to get RBLs to work correctly, which could be challenging.
>>
>> I ran that email through my filters and it scored a 12.5 for me.  Make
>> sure you have DCC installed and working.  I realize that time has passed
>> so DCC may not have hit the original SMTP receive time but still it
>> should have scored well above 6.0 based on properly trained Bayes and
>> some other SA hits:
>>
>>    0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
>>    0.0 HTML_MESSAGE           BODY: HTML included in message
>>    1.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>>                               [score: 0.5000]
>>    0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>>    0.8 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
>>    1.5 BODY_8BITS             BODY: Body includes 8 consecutive 8-bit characters
>>    2.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>>    0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
>>    0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>>    0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
>>    0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge http urls
>>    2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num
>>
>> That IP of 158.69.185.128 is not listed on any RBLs so it's pretty much
>> left to SA content-based rules like DCC, Bayes, and a few others above.
>>
>> -- 
>> David Jones
> 


-- 
David Jones
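As an added illustration of the trusted_networks discussion above (example code written for this archive page, not from the list posters or from SpamAssassin itself): a simplified, hypothetical model of the newest-first Received-header walk, run over constructed Gmail headers, showing that a POP-fetched copy yields the sender's hand-off IP while a forwarded copy yields Google's outbound IP unless that range is in trusted_networks. All host names and addresses are constructed (documentation ranges).

```python
import ipaddress
import re

# Hypothetical, simplified model of how SpamAssassin walks Received headers
# newest-first to find the last external relay; not SpamAssassin's own code.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
CLIENT_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ip(received):
    """Bracketed client IP of a 'from host ([ip]) by ...' hop, or None for hops
    such as Gmail's internal 'by 10.x.x.x with SMTP' lines that carry no IP."""
    m = CLIENT_IP_RE.search(received)
    return ipaddress.ip_address(m.group(1)) if m else None

def first_untrusted_relay(received_headers, trusted_networks):
    """Skip hops with no IP, private/internal hand-offs and trusted_networks
    entries; the first IP left is the one RBL-style checks would be run against."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip is None or any(ip in n for n in INTERNAL_NETS + trusted):
            continue
        return str(ip)
    return None

# Constructed headers, newest first; all addresses are documentation ranges.
SPAM_SOURCE = "203.0.113.7"       # stands in for the host that handed the spam to Gmail
GMAIL_OUTBOUND = "198.51.100.41"  # stands in for a Google outbound IP from Google's SPF record
WORK_MX = "192.0.2.10"            # stands in for the receiving work MX

# What the message looks like when pulled from Gmail over POP: Gmail's own
# hop has no client IP, so the sender's hand-off to Gmail is the first real relay.
POP_FETCHED = [
    "by 10.140.21.17 with SMTP id k17csp1; Mon, 11 Dec 2017 07:00:00 -0800 (PST)",
    f"from spam-host.example ([{SPAM_SOURCE}]) by mx.google.com with ESMTPS id q4si1",
]
# The same message after Gmail forwards it to the work address: two more hops on top.
FORWARDED = [
    f"from mx.work.example ([{WORK_MX}]) by imap.work.example with ESMTP",
    f"from mail-x.google.com ([{GMAIL_OUTBOUND}]) by mx.work.example with ESMTPS",
] + POP_FETCHED

if __name__ == "__main__":
    print(first_untrusted_relay(POP_FETCHED, ["192.0.2.0/24"]))                    # 203.0.113.7
    print(first_untrusted_relay(FORWARDED, ["192.0.2.0/24"]))                      # 198.51.100.41 (Google, wrong relay)
    print(first_untrusted_relay(FORWARDED, ["192.0.2.0/24", "198.51.100.0/24"]))  # 203.0.113.7 again
```

Adding Google's outbound range to trusted_networks restores the sender's IP as the relay to check, which is the work the earlier reply warns is challenging because the SPF record covers many ranges.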
