in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me. see appended for example. not
all has dkim.
clue?
randy
From: "SmallCapStockPlays" <info@SmallCapStockPlays.com>
Subject: Could VIIC be our biggest play in 2014? Check the stock today
To: <randy@psg.com>
Date: Tue, 18 Feb 2014 20:48:02 -0500
Return-path: <bounces+796782.50654126.285374@icpbounce.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham version=3.3.2
Received: from psg.com ([2001:418:1::62])
	by ran.psg.com with esmtp (Exim 4.76)
	(envelope-from <bounces+796782.50654126.285374@icpbounce.com>)
	id 1WFwGl-0006al-Bu
	for randy@ran.psg.com; Wed, 19 Feb 2014 01:48:16 +0000
Received: from [207.254.213.223] (helo=drone166.ral.icpbounce.com)
	by psg.com with esmtp (Exim 4.82 (FreeBSD))
	(envelope-from <bounces+796782.50654126.285374@icpbounce.com>)
	id 1WFwGZ-000Lp8-0W
	for randy@psg.com; Wed, 19 Feb 2014 01:48:04 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; d=icontactmail3.com; h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:X-Feedback-ID:Content-Type:Message-ID; bh=iihwvTJA/ZrrgzXpk+9Muk0Sqlfk5BqD+aI+mL91kn8=; b=wKHIYdl1BdMRK0Kak5Z/2CwsfFh5Byoe9ZlHaqQz3VK4ltYtLfCI3tg6y8Wq3HuULY+ere7Fzz9Q camnKSvqcSx3u8LQWQGQSZoYkOmzcIemCHNNrsBD+WZhVA9R3W10V2NM6OTuJKFURxtmCNME29kH 5bYunRCoGolocQ5HmAw=
Mime-Version: 1.0
Errors-To: bounces+796782.50654126.285374@icpbounce.com
X-List-Unsubscribe: <https://app.icontact.com/icp/listunsubscribe.php?r=50654126&l=4084&s=FSMC&m=285374&c=796782>
X-Unsubscribe-Web: <https://app.icontact.com/icp/listunsubscribe.php?r=50654126&l=4084&s=FSMC&m=285374&c=796782>
X-Feedback-ID: 01_796782_285374:01_796782:01:vocus
X-ICPINFO:
X-Return-Path-Hint: bounces+796782.50654126.285374@icpbounce.com
Content-Type: multipart/alternative; boundary="cdf82e78-582d-4a55-9037-dacf81ae37d3"
Message-ID: <0.1.F.AFD.1CF2D149FE8FD9E.0@drone166.ral.icpbounce.com>
[1 <text/plain; utf-8 (quoted-printable)>]
HOME ABOUT US TRADE IDEAS PENNY STOCK ARTICLES DAILY NEWS[1][png] [2][png] [3][png]
They are smart and dkim sign their messages; even though it's invalid I believe that's why it has such a low bayes score.
It's getting marked as ham and not spam. Are you positive your definitions are still updating?
> They are smart and dkim sign their messages; even though it's invalid I
> believe that's why it has such a low bayes score.
lots of the spam getting through has no dkim
> It's getting marked as ham and not spam. Are you positive your
> definitions are still updating?
sa-update has run. and it runs cleanly
randy
It's been a while since i've been in this world, but I wonder whether bayes filters are
using the public key of the dkim selector as a token. if they don't change selectors/keys
they'd probably be s-canned pretty quickly. It would require that the dkim subsystem
talk to the bayes subsystem since the public key isn't in the signature, so i'm guessing
not.
Mike
DKIM serves to authenticate the source of the message. So this is a stock
tip spam sent through an email service provider called icontact, and the
dkim signature declares that. Just that and nothing more.
Says nothing at all about the email's reputation - whether it is spam or
not.
--srs
From a posting on NANAE:
Yeah, it just validates the domain that the email came from.
But,
"X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ran.psg.com
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0
tests=BAYES_50,HTML_MESSAGE,MIME_QP_LONG_LINE,*T_DKIM_INVALID*
autolearn=ham version=3.3.2"
Spamassassin knows the dkim signature is invalid, so there must be a dns
query that occurs at this point in the message processing.
If that is the case, there must be some way to configure to reject if the
dkim signature is invalid.
"X-Spam-Status: No, score=0.8 required=5.0"
Spamassassin isn't going to block anything until it registers a score of
5. So, just having a dkim signature (even though invalid) is possibly
lowering the score. Maybe you could tweak the settings to pick-off spam
at a lower score. But, setting your levels down to 0.8 would probably
block legitimate email.
You could always block their ip in the helo_access (or iptables) of your
postfix server (I'm assuming that's what you are using). But that's only
going to be a temporary fix.
You could also add a rbl query to your mail server config to spamhaus.
That could always help.
I would not advise that. Plenty of things can render a dkim sig invalid.
Not all of them are evidences of malice.
You might be well advised to check for a DMARC record (which asserts policy
using a combination of DKIM and SPF) and if there's a reject there, feel
free to trash the email if there's a validation failure. But not simply
because a DKIM signature breaks.
--srs
as i said, much of the crap coming through, 10-20 times normal, does not
have dkim. i suggest that focusing on dkim is a red herring. and yes,
i know how dkim works.
> If that is the case, there must be some way to configure to reject if the
> dkim signature is invalid.
5.0-0.8 is a large value, at least in this area.
> You could always block their ip in the ...
their? you are presuming a single source.
> You could also add a rbl query to your mail server config to spamhaus.
have had that for years
randy
--As of February 19, 2014 9:52:57 AM +0800, Randy Bush is alleged to have said:
in the last 3-4 days, a *massive* amount of spam is making it past
spamassassin to my users and to me. see appended for example. not
all has dkim.
clue?
--As for the rest, it is mine.
The spamassassin list has been tracking an issue where a new rule made it out of the testbox accidentally, which lowers scores on a lot of spam. It wasn't in the sample you provided, but the rule name is BAYES_999 - it catches mail that the bayes filter thinks is 99.9-100% sure to be spam. As it got promoted prematurely, it's showing with a score of 1.0. (The default.) It's probably a part of your problem.
A fix should be in the rules update today or tomorrow - or you can rescore it to the same as BAYES_99 (someplace in the 3 range by default, I believe). That's what used to catch that mail: it used to mean 99-100%, and now means 99-99.9%.
More info can be found in the mailing list archives for the spamassassin list.
Daniel T. Staal
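Added example, not part of the original thread or of SpamAssassin: a Python script that re-reads X-Spam-Status headers from already-delivered mail and flags messages that hit BAYES_999 and would have reached the required score had the rule carried a BAYES_99-level score instead of 1.0. The 3.5 replacement score is an assumption taken from the values quoted elsewhere in this thread, the function names are hypothetical, and the sample headers are constructed (the second is the one posted above).

```python
import re

# Assumed scores: 1.0 is the premature BAYES_999 score described above;
# 3.5 is the BAYES_99 value quoted elsewhere in this thread.
PREMATURE_999 = 1.0
RESCORED_999 = 3.5

STATUS_RE = re.compile(
    r"(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)"
    r"\s+tests=(\S*)"
)

def rescore(status_value):
    """Parse one X-Spam-Status value and recompute it with BAYES_999 rescored."""
    # Unfold continuation lines, then rejoin a test list split after a comma.
    flat = re.sub(r"\s*\n\s*", " ", status_value.strip())
    flat = re.sub(r",\s+", ",", flat)
    m = STATUS_RE.match(flat)
    if m is None:
        return None  # not a SpamAssassin status header we understand
    score, required = float(m.group(2)), float(m.group(3))
    tests = [t for t in m.group(4).split(",") if t]
    adjusted = score
    if "BAYES_999" in tests:
        adjusted = round(score - PREMATURE_999 + RESCORED_999, 1)
    return {
        "tests": tests,
        "score": score,
        "adjusted": adjusted,
        # SpamAssassin tags a message as spam when score >= required.
        "missed": score < required <= adjusted,
    }

def missed_spam(headers):
    """Return indexes of headers that only passed because of the low score."""
    results = [rescore(h) for h in headers]
    return [i for i, r in enumerate(results) if r and r["missed"]]

# Constructed sample headers (the second is the one quoted in this thread).
SAMPLES = [
    "No, score=2.7 required=5.0 tests=BAYES_999,HTML_MESSAGE,\n"
    "\tMIME_QP_LONG_LINE autolearn=no version=3.3.2",
    "No, score=0.8 required=5.0 tests=BAYES_50,HTML_MESSAGE,"
    "MIME_QP_LONG_LINE,T_DKIM_INVALID autolearn=ham version=3.3.2",
    "No, score=1.1 required=5.0 tests=BAYES_999,HTML_MESSAGE "
    "autolearn=no version=3.3.2",
]

if __name__ == "__main__":
    for i in missed_spam(SAMPLES):
        print(i, rescore(SAMPLES[i]))
```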
> A fix should be in the rules update today or tomorrow - or you can rescore
> it to the same as BAYES_99 (someplace in the 3 range by default, I
> believe). That's what used to catch that mail: it used to mean 99-100%,
> and now means 99-99.9%.
trying the copy 99->999 now. thanks!
randy
Daniel is correct, he gets a cookie! To the others: please learn to
recognize when you have no clue.
We've been having the same problem here for the last three days. I
tracked it down to BAYES_999. Glad to see other people are suffering as
much as I am.
Simon
On 2014-02-19 01:46, Daniel Staal wrote:
> Daniel is correct, he gets a cookie! To the others: please learn to
> recognize when you have no clue.
simon, you just do not understand the purpose of the nanog list
> We've been having the same problem here for the last three days. I
> tracked it down to BAYES_999. Glad to see other people are suffering
> as much as I am.
as the fix is not yet out, would be cool if someone with more fu than i
posted a recipe to hack for the moment.
randy
Yo Randy!
> > We've been having the same problem here for the last three days. I
> > tracked it down to BAYES_999. Glad to see other people are suffering
> > as much as I am.
> as the fix is not yet out, would be cool if someone with more fu than
> i posted a recipe to hack for the moment.
http://www.gossamer-threads.com/lists/spamassassin/users/183433
body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7
RGDS
GARY
> Daniel is correct, he gets a cookie! To the others: please learn to
> recognize when you have no clue.
> simon, you just do not understand the purpose of the nanog list
> We've been having the same problem here for the last three days. I
> tracked it down to BAYES_999. Glad to see other people are suffering
> as much as I am.
> as the fix is not yet out, would be cool if someone with more fu than i
> posted a recipe to hack for the moment.
> I found this config. block in the file "50_scores.cf" and added
> the BAYES_999 entry:
> http://www.gossamer-threads.com/lists/spamassassin/users/183433
as blabby as nanog, and not really specific
> body BAYES_99 eval:check_bayes('0.99', '0.999')
> body BAYES_999 eval:check_bayes('0.999', '1.00')
> score BAYES_99 0 0 3.8 3.5
> score BAYES_999 0 0 4.0 3.7
and this is a replacement for both 999 and 99?
randy
You should be able to just whack it into local.cf and it'll override
whatever other instances there are,
Michael
On 2014-02-19 21:48, Randy Bush wrote:
> as the fix is not yet out, would be cool if someone with more fu than i
> posted a recipe to hack for the moment.
The fix is out now!
Simon
--As of February 20, 2014 11:22:34 AM +0800, Randy Bush is alleged to have said:
http://www.gossamer-threads.com/lists/spamassassin/users/183433
as blabby as nanog, and not really specific
body BAYES_99 eval:check_bayes('0.99', '0.999')
body BAYES_999 eval:check_bayes('0.999', '1.00')
score BAYES_99 0 0 3.8 3.5
score BAYES_999 0 0 4.0 3.7
and this is a replacement for both 999 and 99?
--As for the rest, it is mine.
It's a redefinition of both, yes. It was partly given in the original thread as a help to understand what was happening - and it was listed as a *temporary* fix, until the rule has been stabilized.
Discussion on both of these rules is ongoing at the moment, and I wouldn't advise the above fix unless you are following it. It's likely that it will double-score some of your spam, or drastically change the meanings of the rules from what is shipped, if not now then soon. Putting the 'score' lines in your local.cf or user_prefs should be fine, but I'd avoid the definition lines. (`/etc/mail/spamassassin/local.cf` is the usual main editable config file for spamassassin, and `~/.spamassassin/user_prefs` is per-user configs, if you have that.)
The correct score has been pushed, as Simon Perreault mentioned. Taking out anything you've done and running sa-update should get you a working ruleset. (If you've increased the score of either one in the normal fashions - using local.cf or user_prefs - that should be fine.)
Daniel T. Staal
I'm going to forward on what's probably a 'final disposition' post on this below. Note the behavior of the BAYES_999 rule is going to change dramatically. (It will be *in addition* to the BAYES_99 rule, instead of replacing it for messages with the appropriate bayes score.)