Posted to users@spamassassin.apache.org by Chris Lear <ch...@laculine.com> on 2006/12/01 12:33:32 UTC

Easyjet e-mail scoring very high

I got an EasyJet confirmation E-mail that scored like this:

BAYES_00=-2.599
DNS_FROM_RFC_ABUSE=0.2
FORGED_RCVD_HELO=0.135
HTML_FONT_FACE_BAD=0.156
HTML_MESSAGE=0.001
HTML_TINY_FONT=2.324
MARKETING_PARTNERS=1.765
MIME_HTML_MOSTLY=1.102
SARE_OBFU_AMP2B=2.555
SARE_SPEC_LEO_LINE03a=0.408

Which adds to 6.0, and only the Bayes score stopped it being rejected
(I'm rejecting at 6.5). [SA 3.1.3 with recent sa-update+SARE rules]
What's the recommended practice here? Whitelist? Lower the SARE scores?
Remove some less-safe SARE rules? Lower the HTML_TINY_FONT score [which
looks right, but if it's right for me, why not everyone else]? I'd like
all ham to score under 2, ideally. And almost all of it does. But I'd
prefer not to whitelist if possible. I like to feel I can trust SA
without introducing special cases.

Here are the received headers:

Received: from s217124rg180-p.uklond6.savvis.net ([213.174.202.180]
helo=easyjet.com)
	by mail.barcombe.net with esmtp (Exim 4.60)
	(envelope-from <bl...@easyJet.com>)
	id 1GpoFF-0007fV-Ne
	for sarahlear@barcombe.net; Thu, 30 Nov 2006 15:54:47 +0000
Received: from mail pickup service by easyjet.com with Microsoft SMTPSVC;
	 Thu, 30 Nov 2006 15:54:50 +0000

I think the "Received: from mail pickup service" line is causing the
SARE_OBFU_AMP2B rule to fire. Am I right? If so, isn't this likely to be
a reasonably common cause of false positives?

Chris

Re: Easyjet e-mail scoring very high

Posted by Kevin Golding <ke...@caomhin.demon.co.uk>.
In article <Pi...@d-is00.icaen.uiowa.edu>,
David B Funk <db...@engineering.uiowa.edu> writes
>FYI, easyjet.com appears to have a valid SPF record, so
>
>  whitelist_from_spf *@easyjet.com
>
>should also work without the hassle of trying to stay ahead
>of mailserver changes.

Unfortunately it looks like savvis.net wouldn't be covered by EasyJet's
SPF record:

easyjet.com.            14297   IN      TXT     "v=spf1" "a" "mx"
"include:dartmail.net" "~all"

So we're all still screwed.

Kevin

Re: Easyjet e-mail scoring very high

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 1 Dec 2006, Nick Leverton wrote:

> On Friday 01 December 2006 11:33, Chris Lear wrote:
> > I got an EasyJet confirmation E-mail that scored like this:
>
> whitelist_from_rcvd *@easyjet.com savvis.net
>

FYI, easyjet.com appears to have a valid SPF record, so

  whitelist_from_spf *@easyjet.com

should also work without the hassle of trying to stay ahead
of mailserver changes.

I've got a file of hundreds of whitelist_from_rcvd records built up
over the years and as businesses change their mailing services it becomes
a maintenance issue, whitelist_from_spf takes care of that. ;)

Dave

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Easyjet e-mail scoring very high

Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 1 Dec 2006, Nick Leverton wrote:

> On Friday 01 December 2006 11:33, Chris Lear wrote:
> > I got an EasyJet confirmation E-mail that scored like this:
> 
> whitelist_from_rcvd *@easyjet.com savvis.net

...which should probably go in the SARE Known Whitelists ruleset?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.                                              -- Henry George
-----------------------------------------------------------------------
 14 days until Bill of Rights day


Re: Easyjet e-mail scoring very high

Posted by Nick Leverton <nj...@leverton.org>.
On Friday 01 December 2006 11:33, Chris Lear wrote:
> I got an EasyJet confirmation E-mail that scored like this:

whitelist_from_rcvd *@easyjet.com savvis.net

Nick

Re: Easyjet e-mail scoring very high

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Fri, 1 Dec 2006, Loren Wilton wrote:

> > HTML_FONT_FACE_BAD=0.156
> > HTML_MESSAGE=0.001
> > HTML_TINY_FONT=2.324
> > MARKETING_PARTNERS=1.765
> > MIME_HTML_MOSTLY=1.102
> > SARE_OBFU_AMP2B=2.555
> > SARE_SPEC_LEO_LINE03a=0.408
> >
> > I think the "Received: from mail pickup service" line is causing the
> > SARE_OBFU_AMP2B rule to fire. Am I right? If so, isn't this likely to be
>
> Nope.  All of the rules above are effectively body rules, dealing mostly
> with various forms of HTML obfuscation.

FYI, I had to reduce the score on HTML_TINY_FONT as it was hitting
legitimate newsletters from BusinessWeek


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Easyjet e-mail scoring very high

Posted by Bart Schaefer <ba...@gmail.com>.
On 12/1/06, Chris Lear <ch...@laculine.com> wrote:
> In fact, every full stop in the html is
> represented as &#46; for some reason.

In SMTP, a dot all by itself on a line is interpreted as the end of
the message.  The SMTP client is supposed to double any such dot that
is truly present in the message body, and the SMTP server then removes
the extra dot for final delivery.  My guess would be that (a) they
have a crappy SMTP client, probably something written in Java by a
junior programmer who doesn't know a protocol from a parsnip, to send
mail directly from a web server platform; and (b) they once had a
message truncated because there was a dot in the wrong place; so (c)
because they don't know how to fix the crappy SMTP client, they encode
all the dots instead.

> Still wondering though... how do you solve a problem like EasyJet?

By doing what you don't want to do:  whitelisting.
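The dot-stuffing rule Bart describes, shown as an added example that is not part of the thread: a compliant client doubles any body line that begins with "." and the server strips it again, while a client that skips this step loses everything after a lone "." line (the truncation Bart guesses EasyJet once hit). Only line-leading dots are affected, so encoding every "." in the HTML as &#46; is never needed. The functions and sample body are constructed for this example.

```python
# Added example, not from the mailing-list thread.
# SMTP "dot-stuffing" (RFC 5321 section 4.5.2): during DATA a line consisting
# of a single "." ends the message, so the client must prefix every body line
# that starts with "." with an extra ".", and the server removes it again.

def dot_stuff(body: str) -> str:
    """Client side: stuff leading dots and append the CRLF.CRLF terminator."""
    lines = body.split("\r\n")
    stuffed = [("." + ln) if ln.startswith(".") else ln for ln in lines]
    return "\r\n".join(stuffed) + "\r\n.\r\n"

def naive_send(body: str) -> str:
    """A client that skips stuffing: a body line that is exactly '.' is
    indistinguishable from the terminator once it is on the wire."""
    return body + "\r\n.\r\n"

def dot_unstuff(wire: str) -> str:
    """Server side: read up to the lone '.' terminator and drop the extra
    leading '.' from any stuffed line."""
    out = []
    for ln in wire.split("\r\n"):
        if ln == ".":          # end of DATA
            break
        out.append(ln[1:] if ln.startswith(".") else ln)
    return "\r\n".join(out)

# Constructed sample body: dots inside a line are harmless, the lone "." line
# is the only one that needs stuffing.
SAMPLE_BODY = "Fare: 45.00\r\n.\r\nSee www.easyjet.com"

if __name__ == "__main__":
    print(repr(dot_unstuff(dot_stuff(SAMPLE_BODY))))   # full body survives
    print(repr(dot_unstuff(naive_send(SAMPLE_BODY))))  # truncated at the "."
```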

Re: Easyjet e-mail scoring very high

Posted by Craig Morrison <cr...@2cah.com>.
Chris Lear wrote:
> * Loren Wilton wrote (01/12/06 14:54):
>>> The html contains this sort of thing:
>>> http://www&#46;easyjet&#46;com/EN/Members/
>>>
>>> Which looks like the culprit. In fact, every full stop in the html is
>>> represented as &#46; for some reason.
>>>
>>> Still wondering though... how do you solve a problem like EasyJet?
>>
>> Sure looks like spam to me.  ;-)
>>
>> Which also looks like just about every airline message I've seen from any 
>> airline.  :-(  Apparently they hired spammers to design their marketing 
>> campaign mail.
>>
>> You could try sending to postmaster or whatever at whichever marketing 
>> company is really sending that mail and see if you can get any attention 
>> from them.  Probably not, but it might be worth trying.
> 
> The trouble is, it's not marketing. It's a confirmation of a flight
> booking, which I paid for. The airline doesn't issue tickets. So it's
> something I genuinely want in my inbox. It looks like it's generated
> directly by the easyjet.com web server.
> 

If it's just a one time thing, there's probably nothing you'll want to 
spend the time doing about it.

If it's going to be recurring, it might be worth the effort to dust off 
your PCRE and write a rule or two to offset the score.

-- 
Craig

Re: Easyjet e-mail scoring very high

Posted by Chris Lear <ch...@laculine.com>.
* Chris Lear wrote (01/12/06 16:57):
> * Adam Stephens wrote (01/12/06 16:10):
>> Chris Lear wrote:
>>> * Loren Wilton wrote (01/12/06 14:54):
>>>   
>>>>> The html contains this sort of thing:
>>>>> http://www&#46;easyjet&#46;com/EN/Members/
>>>>>
>>>>> Which looks like the culprit. In fact, every full stop in the html is
>>>>> represented as &#46; for some reason.
>>>>>
>>>>> Still wondering though... how do you solve a problem like EasyJet?
>>>>>       
>>>> Sure looks like spam to me.  ;-)
>>>>
>>>> Which also looks like just about every airline message I've seen from any 
>>>> airline.  :-(  Apparently they hired spammers to design their marketing 
>>>> campaign mail.
>>>>
>>>> You could try sending to postmaster or whatever at whichever marketing 
>>>> company is really sending that mail and see if you can get any attention 
>>>> from them.  Probably not, but it might be worth trying.
>>>>     
>>>
>>> The trouble is, it's not marketing. It's a confirmation of a flight
>>> booking, which I paid for. The airline doesn't issue tickets. So it's
>>> something I genuinely want in my inbox. It looks like it's generated
>>> directly by the easyjet.com web server.
>>>   
>> 
>> I had some complaints about that this week; it's obviously a new issue, 
>> and it looks like it only applies to the ticket confirmations. Since 
>> people really need these booking confirmations I've whitelisted it - 
>> using a whitelist_from_rcvd rule seems to catch the booking 
>> confirmations only as the marketing material is sent from a different 
>> machine.
> 
> Thanks for all the advice. I've reluctantly whitelisted them and written
> a polite message to postmaster@easyjet.com. It doesn't seem to have
> bounced, so maybe someone will read it. I'll let you know if I get a
> response.
> Meanwhile, I suppose this is something for others to be aware of if you
> run an mta that rejects on high SA scores (and have users that might
> want to fly EasyJet).

This thread is ancient now, but here's a followup: I never got a
response from Easyjet, but I did get (today) a replica of the original
e-mail. It's almost identical (same appalling html, still from
savvis.net, but from a different ip), but missing a chunk of advertising
(hotels, car rental, etc), and with some very slightly different wording
about hand luggage.

The new version hits these rules:

DNS_FROM_RFC_ABUSE,
FORGED_RCVD_HELO, [this is new]
HTML_FONT_FACE_BAD,
HTML_MESSAGE,
HTML_TINY_FONT,
MIME_HTML_MOSTLY,
SARE_OBFU_AMP2B,
SARE_SPEC_LEO_LINE03a,
USER_IN_WHITELIST [because I whitelisted them]

DNS_FROM_RFC_ABUSE
HTML_FONT_FACE_BAD
HTML_MESSAGE
HTML_TINY_FONT
MARKETING_PARTNERS [This has gone]
MIME_HTML_MOSTLY
MPART_ALT_DIFF [This has gone]
SARE_OBFU_AMP2B
SARE_SPEC_LEO_LINE03a

Chris

Re: Easyjet e-mail scoring very high

Posted by Kris Deugau <kd...@vianet.ca>.
Chris Lear wrote:
> Thanks for all the advice. I've reluctantly whitelisted them and written
> a polite message to postmaster@easyjet.com. It doesn't seem to have
> bounced, so maybe someone will read it. I'll let you know if I get a
> response.
> Meanwhile, I suppose this is something for others to be aware of if you
> run an mta that rejects on high SA scores (and have users that might
> want to fly EasyJet).

*nod*  FYI, I would personally not reject lower than 8 (the threshold 
I've been using on several ISP role accounts), and IIRC a number of 
people have several thresholds for different actions (depending on 
what's calling SA) - eg SMTP reject at 15, tag-and-divert at 10, 
tag-and-deliver at 5.  As an ISP mail filter admin, I've had far too 
many FP reports with scores in the 7-10 range.  :(

(I also didn't have the option of SMTP-rejecting mail originally, because 
the filter server was a second hop internally, and the machine relaying 
*to* it was, erm, grumpy about its outbound relay rejecting anything.)

-kgd

Re: Easyjet e-mail scoring very high

Posted by Chris Lear <ch...@laculine.com>.
* Adam Stephens wrote (01/12/06 16:10):
> Chris Lear wrote:
>> * Loren Wilton wrote (01/12/06 14:54):
>>   
>>>> The html contains this sort of thing:
>>>> http://www&#46;easyjet&#46;com/EN/Members/
>>>>
>>>> Which looks like the culprit. In fact, every full stop in the html is
>>>> represented as &#46; for some reason.
>>>>
>>>> Still wondering though... how do you solve a problem like EasyJet?
>>>>       
>>> Sure looks like spam to me.  ;-)
>>>
>>> Which also looks like just about every airline message I've seen from any 
>>> airline.  :-(  Apparently they hired spammers to design their marketing 
>>> campaign mail.
>>>
>>> You could try sending to postmaster or whatever at whichever marketing 
>>> company is really sending that mail and see if you can get any attention 
>>> from them.  Probably not, but it might be worth trying.
>>>     
>>
>> The trouble is, it's not marketing. It's a confirmation of a flight
>> booking, which I paid for. The airline doesn't issue tickets. So it's
>> something I genuinely want in my inbox. It looks like it's generated
>> directly by the easyjet.com web server.
>>   
> 
> I had some complaints about that this week; it's obviously a new issue, 
> and it looks like it only applies to the ticket confirmations. Since 
> people really need these booking confirmations I've whitelisted it - 
> using a whitelist_from_rcvd rule seems to catch the booking 
> confirmations only as the marketing material is sent from a different 
> machine.

Thanks for all the advice. I've reluctantly whitelisted them and written
a polite message to postmaster@easyjet.com. It doesn't seem to have
bounced, so maybe someone will read it. I'll let you know if I get a
response.
Meanwhile, I suppose this is something for others to be aware of if you
run an mta that rejects on high SA scores (and have users that might
want to fly EasyJet).

Chris

Re: Easyjet e-mail scoring very high

Posted by Adam Stephens <ad...@bristol.ac.uk>.
Chris Lear wrote:
> * Loren Wilton wrote (01/12/06 14:54):
>   
>>> The html contains this sort of thing:
>>> http://www&#46;easyjet&#46;com/EN/Members/
>>>
>>> Which looks like the culprit. In fact, every full stop in the html is
>>> represented as &#46; for some reason.
>>>
>>> Still wondering though... how do you solve a problem like EasyJet?
>>>       
>> Sure looks like spam to me.  ;-)
>>
>> Which also looks like just about every airline message I've seen from any 
>> airline.  :-(  Apparently they hired spammers to design their marketing 
>> campaign mail.
>>
>> You could try sending to postmaster or whatever at whichever marketing 
>> company is really sending that mail and see if you can get any attention 
>> from them.  Probably not, but it might be worth trying.
>>     
>
> The trouble is, it's not marketing. It's a confirmation of a flight
> booking, which I paid for. The airline doesn't issue tickets. So it's
> something I genuinely want in my inbox. It looks like it's generated
> directly by the easyjet.com web server.
>   

I had some complaints about that this week; it's obviously a new issue, 
and it looks like it only applies to the ticket confirmations. Since 
people really need these booking confirmations I've whitelisted it - 
using a whitelist_from_rcvd rule seems to catch the booking 
confirmations only as the marketing material is sent from a different 
machine.

Adam.

-- 
--------------------------------
Adam Stephens
Network Specialist - Email & DNS
adam.stephens@bristol.ac.uk


Re: Easyjet e-mail scoring very high

Posted by Chris Lear <ch...@laculine.com>.
* Loren Wilton wrote (01/12/06 14:54):
>> The html contains this sort of thing:
>> http://www&#46;easyjet&#46;com/EN/Members/
>>
>> Which looks like the culprit. In fact, every full stop in the html is
>> represented as &#46; for some reason.
>>
>> Still wondering though... how do you solve a problem like EasyJet?
> 
> 
> Sure looks like spam to me.  ;-)
> 
> Which also looks like just about every airline message I've seen from any 
> airline.  :-(  Apparently they hired spammers to design their marketing 
> campaign mail.
> 
> You could try sending to postmaster or whatever at whichever marketing 
> company is really sending that mail and see if you can get any attention 
> from them.  Probably not, but it might be worth trying.

The trouble is, it's not marketing. It's a confirmation of a flight
booking, which I paid for. The airline doesn't issue tickets. So it's
something I genuinely want in my inbox. It looks like it's generated
directly by the easyjet.com web server.

Re: Easyjet e-mail scoring very high

Posted by Loren Wilton <lw...@earthlink.net>.
> The html contains this sort of thing:
> http://www&#46;easyjet&#46;com/EN/Members/
>
> Which looks like the culprit. In fact, every full stop in the html is
> represented as &#46; for some reason.
>
> Still wondering though... how do you solve a problem like EasyJet?


Sure looks like spam to me.  ;-)

Which also looks like just about every airline message I've seen from any 
airline.  :-(  Apparently they hired spammers to design their marketing 
campaign mail.

You could try sending to postmaster or whatever at whichever marketing 
company is really sending that mail and see if you can get any attention 
from them.  Probably not, but it might be worth trying.

        Loren


Re: Easyjet e-mail scoring very high

Posted by Chris Lear <ch...@laculine.com>.
* Loren Wilton wrote (01/12/06 13:57):
>> HTML_FONT_FACE_BAD=0.156
>> HTML_MESSAGE=0.001
>> HTML_TINY_FONT=2.324
>> MARKETING_PARTNERS=1.765
>> MIME_HTML_MOSTLY=1.102
>> SARE_OBFU_AMP2B=2.555
>> SARE_SPEC_LEO_LINE03a=0.408
>>
>> I think the "Received: from mail pickup service" line is causing the
>> SARE_OBFU_AMP2B rule to fire. Am I right? If so, isn't this likely to be
> 
> Nope.  All of the rules above are effectively body rules, dealing mostly 
> with various forms of HTML obfuscation.

Thanks for pointing that out. I was being rather dim.

The html contains this sort of thing:
http://www&#46;easyjet&#46;com/EN/Members/

Which looks like the culprit. In fact, every full stop in the html is
represented as &#46; for some reason.

Still wondering though... how do you solve a problem like EasyJet?

Chris
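As an added example (not from the thread, and not the SARE rule itself), this is the kind of check a body rule for this obfuscation performs: find URL-like tokens in raw HTML whose dots are written as numeric character references (&#46; or &#x2e; both decode to "."), and show what they decode to. The regular expressions, function name and sample HTML are constructed for this example and only modelled on the snippet Chris quoted.

```python
# Added example, not from the mailing-list thread.
# Flags URL-like tokens whose "." characters are written as numeric entities,
# the pattern Chris found in the EasyJet HTML (www&#46;easyjet&#46;com).
import html
import re

# "." is code point 46 (0x2e); allow leading zeros in either form.
ENC_DOT = r"&#(?:0*46|x0*2e);"
ENC_DOT_RE = re.compile(ENC_DOT, re.I)
# A token is URL-like if it starts with a scheme, or with "www" followed by a
# literal or encoded dot; it runs until whitespace, a quote or a tag bracket.
URL_RE = re.compile(r'(?:https?://|www(?:\.|' + ENC_DOT + r'))[^\s"<>]+', re.I)

def find_obfuscated_dot_urls(raw_html: str) -> list:
    """Return (raw_token, decoded_token) pairs for every URL-like token in
    raw_html that contains at least one entity-encoded dot."""
    hits = []
    for m in URL_RE.finditer(raw_html):
        raw = m.group(0)
        if ENC_DOT_RE.search(raw):
            hits.append((raw, html.unescape(raw)))
    return hits

# Constructed sample modelled on the quoted snippet; not the real message.
SAMPLE_HTML = (
    '<a href="http://www&#46;easyjet&#46;com/EN/Members/">Manage booking</a>'
    "<p>Visit www&#x2E;easyjet&#46;com or http://example.org/plain</p>"
)

if __name__ == "__main__":
    for raw, decoded in find_obfuscated_dot_urls(SAMPLE_HTML):
        print(f"{raw}  ->  {decoded}")
```

A browser renders both forms identically, so the encoding changes nothing for the recipient; it only makes the mail look like the obfuscation spam filters are written to catch.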

Re: Easyjet e-mail scoring very high

Posted by Loren Wilton <lw...@earthlink.net>.
> HTML_FONT_FACE_BAD=0.156
> HTML_MESSAGE=0.001
> HTML_TINY_FONT=2.324
> MARKETING_PARTNERS=1.765
> MIME_HTML_MOSTLY=1.102
> SARE_OBFU_AMP2B=2.555
> SARE_SPEC_LEO_LINE03a=0.408
>
> I think the "Received: from mail pickup service" line is causing the
> SARE_OBFU_AMP2B rule to fire. Am I right? If so, isn't this likely to be

Nope.  All of the rules above are effectively body rules, dealing mostly 
with various forms of HTML obfuscation.

        Loren


Re: Easyjet e-mail scoring very high

Posted by Kris Deugau <kd...@vianet.ca>.
Chris Lear wrote:
> I got an EasyJet confirmation E-mail that scored like this:
> 
> BAYES_00=-2.599
> DNS_FROM_RFC_ABUSE=0.2
> FORGED_RCVD_HELO=0.135
> HTML_FONT_FACE_BAD=0.156
> HTML_MESSAGE=0.001
> HTML_TINY_FONT=2.324
> MARKETING_PARTNERS=1.765
> MIME_HTML_MOSTLY=1.102
> SARE_OBFU_AMP2B=2.555
> SARE_SPEC_LEO_LINE03a=0.408
> 
> Which adds to 6.0, and only the Bayes score stopped it being rejected
> (I'm rejecting at 6.5). [SA 3.1.3 with recent sa-update+SARE rules]
> What's the recommended practice here? Whitelist? Lower the SARE scores?
> Remove some less-safe SARE rules? Lower the HTML_TINY_FONT score [which
> looks right, but if it's right for me, why not everyone else]?

HTML_TINY_FONT refers to HTML font sizes of 0 or 1.  (My own similar 
local rule for this also triggers on size 2.)  I honestly can't figure 
out why that should be considered legitimate usage for any legitimate 
content - unfortunately, as you're seeing, it does.  >:(

> I'd like
> all ham to score under 2, ideally. And almost all of it does. But I'd
> prefer not to whitelist if possible. I like to feel I can trust SA
> without introducing special cases.

I'd send them a politely worded nastygram that sums up as "Your legit 
mail looks like spam - fix it so your customers don't complain".  Most 
legitimate companies will appreciate knowing when their mail is getting 
tagged by a spam filter.  (Several people have posted on this list with 
success stories about just that, IIRC.)

A few will be obstinate enough to just reply "Add us to your whitelist, 
dumbass", but most won't.

-kgd

Re: Easyjet e-mail scoring very high

Posted by Nick Leverton <nj...@leverton.org>.
On Friday 01 December 2006 11:33, Chris Lear wrote:
> I got an EasyJet confirmation E-mail that scored like this:

whitelist_from_rcvd *@easyjet.com savvis.net

Nick