Posted to users@spamassassin.apache.org by John Hardin <jh...@impsec.org> on 2014/08/12 18:49:04 UTC

Re: Tons of spam getting through

On Tue, 12 Aug 2014, Greg Ledford wrote:

> Can someone tell me why Spamassassin/Amavis are missing these types of 
> very obvious emails? I'm still trying to figure all of this out and I 
> know I missed something somewhere. Thanks.

Those headers don't seem to claim that message was even scanned by SA.

Do messages that SA *does* properly identify have headers indicating 
things like SA version, which rules hit, and the score?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The reason it took so long to get Bin Laden is that it took the
   SEALs five years to swim that far into the desert.          -- anon
-----------------------------------------------------------------------
  3 days until the 69th anniversary of the end of World War II

Re: FW: Tons of spam getting through

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Tue, 19 Aug 2014, Greg Ledford wrote:
>>What exactly are SA headers supposed to look like?

On 19.08.14 13:05, John Hardin wrote:
>SA headers look like this:

>>X-Spam-Status: No, score=0.138 tagged_above=-100 required=5
>>               tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
>>               autolearn=no autolearn_force=no

This one is actually amavisd header, which means that the MTA uses
spamassassin indirectly. Just FYI.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!

RE: FW: Tons of spam getting through

Posted by Greg Ledford <gl...@phhwtechnology.com>.
>Changed and Amavis has been restarted. I’ll check the headers on the next piece of spam to come through. Thanks

I’m still trying to figure out how illegitimate stuff like this is getting through. It’s obviously a virus (which was caught) but then why did the email get through? I see the flag was for 4.0 so it wasn’t enough to kick it out based on wording but wouldn’t something in the headers be forged and catch this?

Received: from smtp.phhwtechnology.com (10.0.1.7) by mail.phhwtechnology.com
(10.0.1.5) with Microsoft SMTP Server id 14.3.195.1; Fri, 22 Aug 2014
15:12:59 -0500
Received: from localhost (localhost [127.0.0.1]) by smtp.phhwtechnology.com
(Postfix) with ESMTP id DCC4C194998E for <gl...@phhwtechnology.com>; Fri,
22 Aug 2014 15:01:50 -0500 (CDT)
X-Quarantine-ID: <NDBldcOJqsG1>
X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char C2 hex):
                From: Janna
                \021\303\202\302\261N\303\203\302\276\303\203\302\267\022\303\202\302\256\303\202\302\270\303\203\302\230\303\203\302\273[...]
X-Spam-Flag: NO
X-Spam-Score: 4.803
X-Spam-Level: ****
X-Spam-Status: No, score=4.803 tagged_above=-100 required=5
                tests=[DCC_CHECK=1.1, FROM_ILLEGAL_CHARS=2.059,
                RCVD_IN_BRBL_LASTEXT=1.644] autolearn=no autolearn_force=no
Received: from smtp.phhwtechnology.com ([127.0.0.1])              by localhost
(smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024)      with ESMTP id
NDBldcOJqsG1 for <gl...@phhwtechnology.com>; Fri, 22 Aug 2014 15:01:49
-0500 (CDT)
Received-SPF: none (smtp.1-800-optisource.com: No applicable sender policy available) receiver=spamfilter; identity=mailfrom; envelope-from="dqyfzht@smtp.1-800-optisource.com"; helo=smtp.1-800-optisource.com; client-ip=96.56.14.106
Received: from smtp.1-800-optisource.com (smtp.1-800-optisource.com
[96.56.14.106]) by smtp.phhwtechnology.com (Postfix) with ESMTP id
4BDCC194998A for <gl...@phhwtechnology.com>; Fri, 22 Aug 2014 15:01:48
-0500 (CDT)
From:
                <"Janna ??N??????????????????????{|????r???"@??}W????^-??????#??|????????jQ????????Z??+??c??_????1R??????c????????????K??|
/????????]????8'+%??5????u??>,
                <"?...@smtp.phhwtechnology.com>,
                "zS]???????" <dq...@smtp.1-800-optisource.com>
To: <gl...@phhwtechnology.com>
Subject: inovice_AUG_7831915.pdf
Date: Fri, 22 Aug 2014 16:01:06 -0400
Message-ID: <59...@mail.phhwtechnology.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
                boundary="----=_NextPart_000_0025_01CFBE22.48401B00"
Return-Path: dqyfzht@smtp.1-800-optisource.com
X-MS-Exchange-Organization-AuthSource: WEBSERVER01.mail.phhwtechnology.com
X-MS-Exchange-Organization-AuthAs: Anonymous

RE: FW: Tons of spam getting through

Posted by John Hardin <jh...@impsec.org>.
On Tue, 19 Aug 2014, Greg Ledford wrote:

> What exactly are SA headers supposed to look like?

SA headers look like this:

> X-Spam-Flag: NO
> X-Spam-Score: 0.138
> X-Spam-Level:
> X-Spam-Status: No, score=0.138 tagged_above=-100 required=5
>                tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
>                autolearn=no autolearn_force=no

> I’m still getting quite a bit of spam coming through. It’s blocking 
> quite a bit but I’m not so sure SA is even doing its job.

Messages are apparently being scanned, though they don't appear to be 
hitting much in the way of rules...

> Is there maybe a way to just block everything from anything .us?

That would probably be easier to do in your MTA before the message is 
even passed to SA.

> Stuff like this is being missed (what’s really amusing is this list 
> blocked my original response because IT sure seems to know what spam 
> is!) :

If that's a spam, then please post the entire message, with all headers 
intact in their raw form, to pastebin and post the URL here. That will let 
us take a look at what rules are hit in our environment and suggest 
possible fixes.

Note: if the headers look like this:

> From: Fast-Funds684 <qu...@onlyfastslans.us>>

i.e., with <mailto:...> injected, they probably are not "raw". I don't 
know of the best way to get a raw RFC-822-format message out of Exchange, 
but I assume there is a way.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   People think they're trading chaos for order [by ceding more and
   more power to the Government], but they're just trading normal
   human evil for the really dangerous organized kind of evil, the
   kind that simply does not give a shit. Only bureaucrats can give
   you true evil.                                     -- Larry Correia
-----------------------------------------------------------------------
  5 days until the 1935th anniversary of the destruction of Pompeii

RE: FW: Tons of spam getting through

Posted by Greg Ledford <gl...@phhwtechnology.com>.
What exactly are SA headers supposed to look like? I’m still getting quite a bit of spam coming through. It’s blocking quite a bit but I’m not so sure SA is even doing its job. Is there maybe a way to just block everything from anything .us?  Stuff like this is being missed (what’s really amusing is this list blocked my original response because IT sure seems to know what spam is!) :

Received: from smtp.phhwtechnology.com (10.0.1.7) by mail.phhwtechnology.com
(10.0.1.5) with Microsoft SMTP Server id 14.3.195.1; Mon, 18 Aug 2014
10:56:42 -0500
Received: from localhost (localhost [127.0.0.1]) by smtp.phhwtechnology.com
(Postfix) with ESMTP id 0F1811948379   for <gl...@phhwtechnology.com>>; Mon,
18 Aug 2014 10:45:28 -0500 (CDT)
X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
X-Spam-Flag: NO
X-Spam-Score: 0.138
X-Spam-Level:
X-Spam-Status: No, score=0.138 tagged_above=-100 required=5
                tests=[MISSING_MID=0.14, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
                autolearn=no autolearn_force=no
Received: from smtp.phhwtechnology.com ([127.0.0.1])              by localhost
(smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024)      with ESMTP id
f63HgJVgBWwg for <gl...@phhwtechnology.com>>;               Mon, 18 Aug 2014 10:45:23
-0500 (CDT)
Received-SPF: pass (onlyfastsloans.us: 107.158.196.226 is authorized to use 'quick.apprvals@onlyfastslans.us' in 'mfrom' identity (mechanism 'a' matched)) receiver=spamfilter; identity=mailfrom; envelope-from="quick.approvals@onlyfastslans.us<ma...@onlyfastslans.us>"; helo=onlyfastslans.us; client-ip=107.158.196.226
Received: from onlyfastslans.us (items.onlyfastslans.us [107.158.196.226])
                by smtp.phhwtechnology.com (Postfix) with ESMTP id A4EE81948385    for
<gl...@phhwtechnology.com>>; Mon, 18 Aug 2014 10:45:23 -0500 (CDT)
Date: Mon, 18 Aug 2014 08:45:25 -0700
Subject: Fnds Up to 5000dollars on 8-18-2014. Notic #14258781
From: Fast-Funds684 <qu...@onlyfastslans.us>>
To: <gl...@phhwtechnology.com>>
Message-ID: <20...@smtp.phhwtechnology.com>>
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: quick.apprvals@onlyfastslans.us<ma...@onlyfastslans.us>
X-MS-Exchange-Organization-AuthSource: WEBSERVER01.mail.phhwtechnology.com
X-MS-Exchange-Organization-AuthAs: Anonymous

>>Use sa_tag_level_deflt  = -100;
>>All your emails will have the SpamAssassin headers.
>Changed and Amavis has been restarted. I’ll check the headers on the next piece of spam to come through. Thanks

RE: FW: Tons of spam getting through

Posted by Greg Ledford <gl...@phhwtechnology.com>.
>Use sa_tag_level_deflt  = -100;
>All your emails will have the SpamAssassin headers.

Changed and Amavis has been restarted. I’ll check the headers on the next piece of spam to come through. Thanks for the great help!



Re: FW: Tons of spam getting through

Posted by Karl Johnson <ka...@gmail.com>.
On Tue, Aug 12, 2014 at 2:50 PM, Greg Ledford <gl...@phhwtechnology.com>
wrote:

>    >Take a look at the "sa_tag_level_deflt" in your amavisd configuration
> file.
>
> $sa_tag_level_deflt     = 5.5;
>
> $sa_tag2_level_deflt    = 6.0;
>
> $sa_spam_subject_tag    = '***POSSIBLE SPAM***';
>
> $sa_kill_level_deflt    = 7.0;
>
>
>
> I did. I bumped the levels a bit because they were catching some
> legitimate emails. I may bump them back down some as a test.
>

Use sa_tag_level_deflt  = -100;

All your emails will have the SpamAssassin headers.

Karl

FW: Tons of spam getting through

Posted by Greg Ledford <gl...@phhwtechnology.com>.
>Take a look at the "sa_tag_level_deflt" in your amavisd configuration file.

$sa_tag_level_deflt     = 5.5;
$sa_tag2_level_deflt    = 6.0;
$sa_spam_subject_tag    = '***POSSIBLE SPAM***';
$sa_kill_level_deflt    = 7.0;

I did. I bumped the levels a bit because they were catching some legitimate emails. I may bump them back down some as a test.

Re: Tons of spam getting through

Posted by Karl Johnson <ka...@gmail.com>.
On Tue, Aug 12, 2014 at 1:27 PM, Greg Ledford <gl...@phhwtechnology.com>
wrote:

>
> It should just be called by Amavis directly. Sometimes it scans and
> sometimes it doesn't. I just found another obvious piece of email that SA
> and Amavis scanned and missed. I tried to attach the headers but they are
> so blatant that the list kicked it back! I'll try to modify it to get them
> through for info purposes. Maybe there's a timeout issue between Amavis and
> SA that won't allow it time to scan?
>

Take a look at the "sa_tag_level_deflt" in your amavisd configuration file.

Karl

RE: Tons of spam getting through

Posted by John Hardin <jh...@impsec.org>.
On Tue, 12 Aug 2014, Greg Ledford wrote:

>> They may take a couple of different forms depending on how SA is hooked into your mail infrastructure.
>
>> Basic SA headers start with "X-Spam", like X-Spam-Status and X-Spam-Report.
>
>> If you're using Amavis, then there would be some Amavis headers. (Note 
>> that the mention of Amavis in the Received header that the sender added 
>> - "Received: by 02942887.pygmyweed.somedaystoday.in" - is irrelevant.)
>
>> How is SpamAssassin hooked into your email infrastructure?
>
> It should just be called by Amavis directly. Sometimes it scans and 
> sometimes it doesn't.

Bummer. That, however, is probably an issue in Amavis rather than SA.

> I just found another obvious piece of email that SA and Amavis scanned 
> and missed.

I note that the tagged/required score has been increased from the SA 
default. Was that done intentionally?

The SA base rules are scored with the assumption that the "spam" threshold 
score is 5; if you increase that then FNs will necessarily increase.

> I tried to attach the headers but they are so blatant that the list
> kicked it back! I'll try to modify it to get them through for info 
> purposes.

Best practice is to paste the entire message to something like pastebin 
and post the URL for that to the list.

> Maybe there's a timeout issue between Amavis and SA that won't 
> allow it time to scan?

If that was the case I'd still expect to see Amavis headers - for example, 
the virus scan isn't related to SA.

There may be an upper limit to the size of messages Amavis will scan, 
check for that being set to an unrealistically small value.

> X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
> X-Spam-Flag: NO
> X-Spam-Score: 5.945
> X-Spam-Level: *****
> X-Spam-Status: No, score=5.945 tagged_above=5.5 required=6
> 	tests=[DCC_CHECK=1.1, RDNS_NONE=1.274, SPF_HELO_PASS=-0.001,
> 	SPF_PASS=-0.001, THIS_AD=1.073, URIBL_DBL_SPAM=2.5]
> 	autolearn=no autolearn_force=no

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Warning Labels we'd like to see #1: "If you are a stupid idiot while
  using this product you may hurt yourself. And it won't be our fault."
-----------------------------------------------------------------------
  3 days until the 69th anniversary of the end of World War II
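Karl's sa_tag_level_deflt suggestion earlier in the thread and the point above about the raised tagged/required score both come down to reading the X-Spam-Status header amavisd writes. The following is an added example of my own, not code from the thread, amavisd or SpamAssassin: it unfolds the quoted header, pulls out score, thresholds and rule hits, and shows what the same 5.945 does under the amavisd levels Greg posted (5.5/6.0/7.0) versus SA's stock threshold of 5. The sample headers are constructed from the ones quoted in the thread, and the meaning of the tag/tag2/kill levels is my reading of amavisd's documentation.

```python
import math
import re
# Constructed sample: the amavisd headers quoted in the thread, X-Spam-Status still folded.
SCANNED = """X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
X-Spam-Flag: NO
X-Spam-Score: 5.945
X-Spam-Level: *****
X-Spam-Status: No, score=5.945 tagged_above=5.5 required=6
\ttests=[DCC_CHECK=1.1, RDNS_NONE=1.274, SPF_HELO_PASS=-0.001,
\tSPF_PASS=-0.001, THIS_AD=1.073, URIBL_DBL_SPAM=2.5]
\tautolearn=no autolearn_force=no
Received: from smtp.phhwtechnology.com ([127.0.0.1]) by localhost
"""
# Constructed sample with no X-Spam-* headers at all: the "was it even scanned?" case.
UNSCANNED = "Received: from localhost (localhost [127.0.0.1]) by smtp.example.invalid\n"
# amavisd levels exactly as quoted in the thread (assumed to be the live config)
AMAVIS_LEVELS = {"tag": 5.5, "tag2": 6.0, "kill": 7.0}
SA_DEFAULT_REQUIRED = 5.0  # the threshold the stock SA rule scores are tuned for

def unfold(raw):
    """RFC 5322 unfolding: a line starting with whitespace continues the previous header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers

def parse_spam_status(raw):
    """Verdict, score, thresholds and per-rule scores from X-Spam-Status,
    or None when the header is absent (SA/amavisd never saw the message)."""
    for h in unfold(raw):
        if not h.lower().startswith("x-spam-status:"):
            continue
        body = h.split(":", 1)[1].strip()
        m = re.search(r"tests=\[(.*?)\]", body)
        tests = {}
        for item in (m.group(1).split(",") if m else []):
            name, _, val = item.strip().partition("=")
            if name:
                tests[name] = float(val) if val else 0.0
        kv = dict(re.findall(r"(\w+)=(\S+)", re.sub(r"tests=\[.*?\]", "", body)))
        return {"verdict": body.split(",", 1)[0], "score": float(kv["score"]),
                "tagged_above": float(kv.get("tagged_above", "nan")),
                "required": float(kv.get("required", "nan")), "tests": tests}
    return None

def rules_add_up(status, tol=0.005):
    """Sanity check: the listed rule scores should sum to the reported score."""
    return math.isclose(sum(status["tests"].values()), status["score"], abs_tol=tol)

def amavis_actions(score, levels=AMAVIS_LEVELS):
    """amavisd level reached: tag adds X-Spam-* headers, tag2 sets X-Spam-Flag YES
    and the subject tag, kill quarantines/rejects (tagged_above=/required= mirror tag/tag2)."""
    return {name: score >= level for name, level in levels.items()}

def verdict_at(status, required):
    """What the same score means if the spam threshold were `required` instead."""
    return "spam" if status["score"] >= required else "ham"
```

Running amavis_actions with tag set to -100 (Karl's setting) returns tag=True for every score, which is exactly why every message then carries the headers; verdict_at with SA_DEFAULT_REQUIRED shows the quoted message would have been spam at the stock threshold.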

RE: Tons of spam getting through

Posted by Greg Ledford <gl...@phhwtechnology.com>.
>They may take a couple of different forms depending on how SA is hooked into your mail infrastructure.

>Basic SA headers start with "X-Spam", like X-Spam-Status and X-Spam-Report.

>If you're using Amavis, then there would be some Amavis headers. (Note that the mention of Amavis in the Received header that the sender added -
>"Received: by 02942887.pygmyweed.somedaystoday.in" - is irrelevant.)

>How is SpamAssassin hooked into your email infrastructure?

It should just be called by Amavis directly. Sometimes it scans and sometimes it doesn't. I just found another obvious piece of email that SA and Amavis scanned and missed. I tried to attach the headers but they are so blatant that the list kicked it back! I'll try to modify it to get them through for info purposes. Maybe there's a timeout issue between Amavis and SA that won't allow it time to scan? 

Received: from smtp.phhwtechnology.com (10.0.1.7) by mail.phhwtechnology.com
 (10.0.1.5) with Microsoft SMTP Server id 14.3.195.1; Tue, 12 Aug 2014
 10:14:54 -0500
Received: from localhost (localhost [127.0.0.1])	by smtp.phhwtechnology.com
 (Postfix) with ESMTP id BDF9B1946D25	for <gl...@phhwtechnology.com>; Tue,
 12 Aug 2014 10:03:44 -0500 (CDT)
X-Virus-Scanned: Debian amavisd-new at smtp.phhwtechnology.com
X-Spam-Flag: NO
X-Spam-Score: 5.945
X-Spam-Level: *****
X-Spam-Status: No, score=5.945 tagged_above=5.5 required=6
	tests=[DCC_CHECK=1.1, RDNS_NONE=1.274, SPF_HELO_PASS=-0.001,
	SPF_PASS=-0.001, THIS_AD=1.073, URIBL_DBL_SPAM=2.5]
	autolearn=no autolearn_force=no
Received: from smtp.phhwtechnology.com ([127.0.0.1])	by localhost
 (smtp.phhwtechnology.com [127.0.0.1]) (amavisd-new, port 10024)	with ESMTP id
 Dogs62WB5R0G for <gl...@phhwtechnology.com>;	Tue, 12 Aug 2014 10:03:38
 -0500 (CDT)
Received-SPF: pass (impvewidowutters.mobi: 162.222.193.53 is authorized to use 'appeal.487@iproindowtters.mobi' in 'mfrom' identity (mechanism 'a' matched)) receiver=spamfilter; identity=mailfrom; envelope-from=" appeal.487@imprwinwshters.mobi"; helo=imovewdowshute.rmobi; client-ip=162.222.193.53
Received: from impovewinoshuers.mobi (unknown [162.222.193.53])	by
 smtp.phhwtechnology.com (Postfix) with ESMTP id 190631946D2C	for
 <gl...@phhwtechnology.com>; Tue, 12 Aug 2014 10:03:37 -0500 (CDT)
Date: Tue, 12 Aug 2014 08:04:42 -0700
Message-ID: <0-...@impvewiowshuers.mobi>
Subject: Re: Tiberae - The World???s Fist Hadcrted Shutt   
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From: Tberne-ofer.17779
	<ap...@irovindowshuers.mobi>
To: <gl...@phhwtechnology.com>
Content-Type: text/plain; charset="utf-8"
Return-Path: appeal.487@impvewiowshers.mobi
X-MS-Exchange-Organization-AuthSource: WEBSERVER01.mail.phhwtechnology.com
X-MS-Exchange-Organization-AuthAs: Anonymous

RE: Tons of spam getting through

Posted by John Hardin <jh...@impsec.org>.
On Tue, 12 Aug 2014, Greg Ledford wrote:

>>> Can someone tell me why Spamassassin/Amavis are missing these types of
>>> very obvious emails? I'm still trying to figure all of this out and I
>>> know I missed something somewhere. Thanks.
>
>> Those headers don't seem to claim that message was even scanned by SA.
>
>> Do messages that SA *does* properly identify have headers indicating 
>> things like SA version, which rules hit, and the score?
>
> What should the headers look like if SA scanned them? I just assumed it was working.

They may take a couple of different forms depending on how SA is hooked 
into your mail infrastructure.

Basic SA headers start with "X-Spam", like X-Spam-Status and 
X-Spam-Report.

If you're using Amavis, then there would be some Amavis headers. (Note 
that the mention of Amavis in the Received header that the sender added - 
"Received: by 02942887.pygmyweed.somedaystoday.in" - is irrelevant.)

How is SpamAssassin hooked into your email infrastructure?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The reason it took so long to get Bin Laden is that it took the
   SEALs five years to swim that far into the desert.          -- anon
-----------------------------------------------------------------------
  3 days until the 69th anniversary of the end of World War II

RE: Tons of spam getting through

Posted by Greg Ledford <gl...@phhwtechnology.com>.
>> Can someone tell me why Spamassassin/Amavis are missing these types of 
>> very obvious emails? I'm still trying to figure all of this out and I 
>> know I missed something somewhere. Thanks.

>Those headers don't seem to claim that message was even scanned by SA.

>Do messages that SA *does* properly identify have headers indicating things like SA version, which rules hit, and the score?

What should the headers look like if SA scanned them? I just assumed it was working.