Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2013/04/27 13:00:46 UTC

[Bug 6931] New: RP rules helping spam get through

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6931

            Bug ID: 6931
           Summary: RP rules helping spam get through
           Product: Spamassassin
           Version: 3.3.1
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Rules
          Assignee: dev@spamassassin.apache.org
          Reporter: sa-bugzilla@ak4life.com
    Classification: Unclassified

Hello,

Today a spam message from livingsocial.com got through. It was sent to a honeypot
address (i.e. used to trap spam, not for legitimate mail). I don't even have
an account with livingsocial.com. This spam message would have been caught had
SA not credited it -5 points with two RP rules:

RCVD_IN_RP_CERTIFIED=-3 
RCVD_IN_RP_SAFE=-2

I've overridden the scores for the above tests in my SA configuration, but
wanted to report this so it might benefit others.

Thanks,
Alain

P.S. Here's the spam message:

Return-Path: <re...@bounces.livingsocial.com>
Received: from [REMOVED] ([unix socket])
     by [REMOVED] (Cyrus v2.2.13-Debian-2.2.13-19+squeeze3) with LMTPA;
     Sat, 27 Apr 2013 01:48:01 -0700
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
    by [REMOVED] (Postfix) with ESMTP id 51ED157ADB
    for <[REMOVED]>; Sat, 27 Apr 2013 01:48:01 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at [REMOVED]
X-Spam-Flag: NO
X-Spam-Score: -2.277
X-Spam-Level: 
X-Spam-Status: No, score=-2.277 required=4 tests=[BAYES_05=-3,
    DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
    MIME_HTML_ONLY_MULTI=0.001, MPART_ALT_DIFF=0.79, MXCOW_SPAMTRAP=4.1,
    RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_RP_CERTIFIED=-3,
    RCVD_IN_RP_SAFE=-2, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
    T_DKIM_INVALID=0.01] autolearn=no
Received: from [REMOVED] ([127.0.0.1])
    by localhost ([REMOVED] [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 9d1f7y+swmdQ for <[REMOVED]>;
    Sat, 27 Apr 2013 01:47:57 -0700 (PDT)
Received: from mta-34c9.livingsocial.com (mta-34c9.livingsocial.com
[199.91.52.201])
    by [REMOVED] (Postfix) with ESMTP id 3F84757ADA
    for <[REMOVED]>; Sat, 27 Apr 2013 01:47:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=ls3; d=livingsocial.com;
 h=Date:List-Unsubscribe:from:To:Message-ID:Subject:MIME-Version:Content-Type;
 bh=MeSEhi/r/Te6TwcICMCrN+cn7RI=;
 b=q6eqSXDJtFSpF31Wb9TlDte5QIjEuc7Kxjo56psPTu6fKHshnyyzsyzJz38BRtdXAzOl+dwcKzst
   9L2zaRYhdF+WXOSy0IKdZyedIjJ7qxiCCoJ37/uv64ky4EzSy1X7s10n9s0j4G/kpZN3Z2e1z5uo
   3f/CDVsk2IJReXPVnC0=
Received: from app-mail02.iad.livingsocial.net (172.17.4.94) by
mta-34c9.livingsocial.com id hfe8bq1ilg0v for <[REMOVED]>; Sat, 27 Apr 2013
08:45:22 +0000 (envelope-from <re...@bounces.livingsocial.com>)
Date: Sat, 27 Apr 2013 08:45:22 +0000
X-MSFBL:
c3BtdHJwQGFrNGxpZmUuY29tQGJpbmRpbmdAYmluZGluZ19ncm91cEBnX044VlVKMThGQjBFTTc0OEJVVlA5VlVQNDlRMkgwODRJUEMzUUZQMlRJUjVUR0VUSjVKVUc9PT09
X-score: 1
X-Ls-Send-Id: g_N8VUJ18FB0EM748BUVP9VUP49Q2H084IPC3QFP2TIR5TGETJ5JUG====
X-Mailer: Syringe 1.0.0
List-Unsubscribe:
<ma...@bounces.livingsocial.com>
from: LivingSocial <up...@livingsocial.com>
To: [REMOVED]
Message-ID:
<89...@app-mail02.iad.livingsocial.net>
Subject: An important update on your LivingSocial.com account
MIME-Version: 1.0
Content-Type: multipart/alternative; 
    boundary="----=_Part_1017_1518702247.1367052321167"
reply_to: noreplies@livingsocial.com
x-avocado-domain: hungrymachine.com
x-ls-priority: whale

------=_Part_1017_1518702247.1367052321167
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
 <head> 
  <title>Important Information</title> 
  <style type="text/css">
    body { width: 100% !important; }
    .appleDevice a, .ii a, .ReadMsgBody a {color:#1D81C1;
text-decoration:none;}
    #header img {color:#f1c52c;}
    /* mobile styles */
      @media only screen and (max-device-width: 480px) {
        table[class="container"],
        table[class="main_container"],
        td[class="main_content"], td[class="main_content"] p,
        td[class="footer_container"], td[class="footer_content"] { width: 100%
!important;}

        td[class="inner_container"] { padding: 10px 0px !important;}

        td[class="main_content"], td[class="main_content"] p { font-size: 24px
!important;}
        td[class="header_headline"] { font-size: 30px !important;}
        td[class="footer_content"], td[class="footer_content"] p { font-size:
16px !important;}

        /* deal info blocks */
        td[class="deal_image_container"] { width: 130px !important;}
        td[class="deal_info_container"] { padding-right: 10px !important;
padding-left: 10px !important; width: 100% !important; }
        img[class="deal_image"] { height: 186px !important; width: 130px
!important; }
        a[class="deal_merchant"] { font-size: 24px !important; }
        span[class="deal_title"] {font-size: 20px !important; }
        p[class="deal_description"] { font-size: 18px !important; }

        td[class="button_container"] { height: 60px  !important; margin: 10px
0px 0px 0px !important; width: 100% !important; }
        td[class="button"] { 
            background-color: #58cef9 !important;
            background-image: -webkit-gradient(linear, left top, left bottom,
color-stop(0%, #58cef9), color-stop(100%, #3eabd6)) !important;
            background-image: -webkit-linear-gradient(top, #58cef9, #3eabd6)
!important;
            background-image: -moz-linear-gradient(top, #58cef9, #3eabd6)
!important;
            background-image: -ms-linear-gradient(top, #58cef9, #3eabd6)
!important;
            background-image: -o-linear-gradient(top, #58cef9, #3eabd6)
!important;
            background-image: linear-gradient(top, #58cef9, #3eabd6)
!important;
            -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.4)
!important;
            -moz-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.4) !important;
            -ms-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.4) !important;
            -o-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.4) !important;
            box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.4) !important;
            -webkit-border-radius: 4px !important;
            -moz-border-radius: 4px !important;
            -ms-border-radius: 4px !important;
            -o-border-radius: 4px !important;
            border-radius: 4px !important;
            border: 1px solid #298eb6 !important;
            color: white !important;
            display: inherit !important;
            display: -moz-inline-box !important;
            -moz-box-orient: vertical !important;
            display: inline-block !important;
            font: 22px/100% "arial rounded mt bold", helvetica, arial,
sans-serif !important;
            line-height: 18px !important;
            padding: 10px 15px !important;
            outline: none !important;
            text-align: center !important;
            text-decoration: none !important;
            text-transform: lowercase !important;
            vertical-align: baseline !important;
            zoom: 1 !important;
            *display: inline !important;
            *margin-left: .3em !important;
            *vertical-align: auto !important;
            }

        div[class="online-redemption"] { width: 98% !important; }    
        div[class="online-redemption"] div[class="or_deal_img_title"] { margin:
0px; padding: 0px; }
        div[class="online-redemption"] div[class="or_deal_image_container"] {
display: none !important; }
        div[class="online-redemption"] div[class="or_deal_image_container"]
img[class="deal_image"] { display: none !important; }
        div[class="online-redemption"] div[class="or_deal_img_title"]
div[class="or_deal_title"] h2 { font-size: 24px !important; margin-bottom: 5px
!important; }
        div[class="online-redemption"] div[class="or_deal_img_title"]
div[class="expiration-notice"] { font-size: 14px !important; }

        div[class="online-redemption"] ol[class="or_redemption_instructions"] {
margin-left: 10px !important; }
        div[class="online-redemption"] ol[class="or_redemption_instructions"]
li[class="instruction_steps"] { margin-bottom: 10px !important;}
        div[class="online-redemption"] ol[class="or_redemption_instructions"]
li[class="instruction_steps"] img { max-width: 300px !important; margin: 0px
!important; padding: 15px 0px !important;}
        div[class="online-redemption"]
div[class="or_redemption_code_container"] h3 { font-size: 20px !important; }
        div[class="online-redemption"]
div[class="or_redemption_code_container"] div[class="or_redemption_code"] {
margin: 0px !important; padding: 5px 0px !important;}
        div[class="online-redemption"]
div[class="or_redemption_code_container"] h2 { font-size: 20px !important;
padding-left: 0px !important;}
      }

    </style> 
 </head> 
 <body style="padding: 0; margin: 0; background-color: #262626;"> 
  <table bgcolor="#262626" border="0" cellspacing="0" cellpadding="0"
id="newsletter" width="100%">
   <tbody>
    <tr> 
     <td style="padding-top: 10px; vertical-align: top;"> 
      <table align="center" border="0" cellspacing="0" cellpadding="0"
width="600" class="container">
       <tbody>
        <tr> 
         <td class="inner_container" style="padding-top: 10px; padding-right:
10px; padding-bottom: 10px; padding-left: 10px; vertical-align: top;"> 
          <table border="0" cellspacing="0" cellpadding="0" width="600"
class="main_container"> 
           <tbody>
            <tr> 
             <td colspan="2" width="600" align="center"
style="color:#f0f0f0;font-family:helvetica,arial,sans-serif;font-size:11px"><p
style="margin:0px;padding:0px 0px 10px 0px;color:#999999"> LivingSocial Account
Update <br /><span style="font-style:italic">You are receiving this message
based on your relationship with LivingSocial, even though you may have
previously unsubscribed. If you have unsubscribed you will not receive any
other messages from us.</span></p></td> 
            </tr> 
            <tr> 
             <td id="header" style="vertical-align: bottom;
padding-bottom:10px;"> <img
src="http://a4.ak.lscdn.net/imgs/8b538ad9-933a-41d8-89fb-59570b5e4f9d"
style="border:none;" alt="LivingSocial" width="112" height="42" /> </td> 
            </tr> 
            <tr> 
             <td class="header_headline" style="color: #ffffff; font-family:
'Arial Rounded MT Bold', Helvetica, Arial, sans-serif; font-size: 40px;
font-weight: bold;"> </td> 
            </tr> 
            <tr> 
             <td bgcolor="#ffffff" class="main_content" style="border: 1px
solid #d6d6d6; color: #666666; font-family: Helvetica, Arial, sans-serif;
font-size: 14px; padding:20px; vertical-align: top;"> 
              <table width="600" border="0" cellpadding="0" cellspacing="0"> 
               <tbody>
                <tr>
                 <td colspan="2" valign="top" style="padding-right: 20px;"> <p
style="font-family: 'arial rounded mt bold', helvetica, arial, sans-serif;
margin-top: 0px; color: #262626; font-size: 18px;"> IMPORTANT INFORMATION<br
/></p> <p style="color: #373332; font-family: helvetica, arial, sans-serif;
font-size: 12px; line-height: 140%;">LivingSocial recently experienced a
cyber-attack on our computer systems that resulted in unauthorized access to
some customer data from our servers. We are actively working with law
enforcement to investigate this issue. </p> <p style="color: #373332;
font-family: helvetica, arial, sans-serif; font-size: 12px; line-height:
140%;">The information accessed includes names, email addresses, date of birth
for some users, and encrypted passwords -- technically ‘hashed’ and ‘salted’
passwords. We never store passwords in plain text.</p> <p style="color:
#373332; font-family: helvetica, arial, sans-serif; font-size: 12px;
line-height: 140%;">Two things you should know: </p>
                  <ol style="color: #373332; font-family: helvetica, arial,
sans-serif; font-size: 12px; line-height: 140%;">
                   <li>The database that stores customer credit card
information was not affected or accessed.</li> 
                   <li>If you connect to LivingSocial using Facebook Connect,
your Facebook credentials were not compromised.</li>
                  </ol> <span style="color: #373332; font-family: helvetica,
arial, sans-serif; font-size: 12px; line-height: 140%;">You do not need to take
any action at this time, but we wanted to be sure you were fully informed of
what happened.</span><p></p>  <p style="color: #373332; font-family: helvetica,
arial, sans-serif; font-size: 12px; line-height: 140%;"><strong>The security of
your information is our priority.</strong> We always strive to ensure the
security of our customer information, and we are redoubling efforts to prevent
any issues in the future.</p> <p style="color: #373332; font-family: helvetica,
arial, sans-serif; font-size: 12px; line-height: 140%;">Please note that
LivingSocial will never ask you directly for personal or account information in
an email. We will always direct you to the LivingSocial website – and require
you to login – before making any changes to your account. Please disregard any
emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such
information.</p> <p style="color: #373332; font-family: helvetica, arial,
sans-serif; font-size: 12px; line-height: 140%;">If you have additional
questions about this process, the &quot;Create New Password&quot; button on
LivingSocial.com will direct you to a page that has instructions on creating a
new password and answers to frequently asked questions. </p> <p style="color:
#373332; font-family: helvetica, arial, sans-serif; font-size: 12px;
line-height: 140%;">We are sorry this incident occurred, and we look forward to
continuing to introduce you to new and exciting things to do in your
community.</p> <p style="color: #373332; font-family: helvetica, arial,
sans-serif; font-size: 12px; line-height: 140%;">Sincerely, <br />Tim
O'Shaughnessy, CEO</p> </td> 
                </tr> 
               </tbody>
              </table> </td> 
            </tr> 
           </tbody>
          </table> <br />
          <table width="600" class="footer_container">
           <tbody>
            <tr> 
             <td class="footer_content" style="font-size: 10px;
padding:20px;font-family: Helvetica, Arial, sans-serif; color:#d1d1d1;
text-align:center;"> <p style="margin-bottom:10px;"> This message was sent by
LivingSocial, 1445 New York Ave NW, Suite 200, Washington, DC 20005. </p> <p
style="margin-bottom: 0"> You are receiving this email because you have an
existing relationship with http://www.livingsocial.com/. </p> </td> 
            </tr>
           </tbody>
          </table> 
          <!-- end footer_container --> </td> 
        </tr>
       </tbody>
      </table> 
      <!-- end container --> </td> 
    </tr>
   </tbody>
  </table>  
  <img height="0" width="0" border="0" alt=""
src="http://t.livingsocial.com/track/g_N8VUJ18FB0EM748BUVP9VUP49Q2H084IPC3QFP2TIR5TGETJ5JUG===="
/>
 </body>
</html>
------=_Part_1017_1518702247.1367052321167--

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 6931] RP rules helping spam get through

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6931

Alain Kelder <sa...@ak4life.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sa-bugzilla@ak4life.com

--- Comment #2 from Alain Kelder <sa...@ak4life.com> ---
Ok, thanks. I'll report it in the users' mailing list. Sorry about that.


[Bug 6931] RP rules helping spam get through

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6931

--- Comment #3 from Karsten Bräckelmann <gu...@rudersport.de> ---
(In reply to comment #0)
> [...]  This spam message would have
> been caught had SA not credited it -5 points with two RP rules:

> X-Spam-Status: No, score=-2.277 required=4 tests=[BAYES_05=-3,

Sorry, no.  This mail would have passed anyway.

With an overall score of -2.277, even without the bad RCVD_IN_RP_SAFE and
RCVD_IN_RP_CERTIFIED hits this mail would not have exceeded the default
threshold of 5, nor your lower threshold of 4.


AFAIK, Return Path did work on ways to report abuse, specifically on demand by
the SA community. The latest rule descriptions in trunk say to contact
cert-sa@ and safe-sa@ returnpath.net respectively.

Alain, please feel free to report the issue to RP, so they can either work on
the customer's mail practice, or even terminate him.


Another not-SA-specific address for reporting abuse seems to be mentioned in
the "Sender Abuse and Complaint Reporting" section of
  http://www.returnpath.com/support/

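The arithmetic from comment #3, as an added example (not part of the thread and not SpamAssassin code): it parses the X-Spam-Status header quoted in the report, checks that the per-test scores add up to the reported total, and recomputes the score with the two RP rules removed. The function names are hypothetical.

```python
import re

# X-Spam-Status header copied from the message quoted in the report (folded as posted).
HEADER = """X-Spam-Status: No, score=-2.277 required=4 tests=[BAYES_05=-3,
    DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
    MIME_HTML_ONLY_MULTI=0.001, MPART_ALT_DIFF=0.79, MXCOW_SPAMTRAP=4.1,
    RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_RP_CERTIFIED=-3,
    RCVD_IN_RP_SAFE=-2, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
    T_DKIM_INVALID=0.01] autolearn=no"""

RP_RULES = ("RCVD_IN_RP_CERTIFIED", "RCVD_IN_RP_SAFE")
NUM = r"(-?\d+(?:\.\d+)?)"


def parse_spam_status(header):
    """Return (score, required, {test: score}) from an amavisd-style header."""
    # Undo RFC 5322 folding: a line break followed by whitespace is one space.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    score = float(re.search(r"\bscore=" + NUM, unfolded).group(1))
    required = float(re.search(r"\brequired=" + NUM, unfolded).group(1))
    blob = re.search(r"tests=\[([^\]]*)\]", unfolded).group(1)
    tests = {}
    for item in blob.split(","):
        if not item.strip():
            continue  # tolerate an empty tests=[] list
        name, _, value = item.strip().partition("=")
        tests[name] = float(value)
    return score, required, tests


def score_without(header, dropped, threshold=None):
    """Recompute the score as if the rules in `dropped` had not hit.

    Returns (adjusted_score, would_be_tagged_as_spam). The threshold
    defaults to the `required=` value recorded in the header itself.
    """
    score, required, tests = parse_spam_status(header)
    if threshold is None:
        threshold = required
    # Rules named in `dropped` that did not hit are simply ignored.
    adjusted = round(score - sum(tests.get(n, 0.0) for n in dropped), 3)
    return adjusted, adjusted >= threshold


if __name__ == "__main__":
    score, required, tests = parse_spam_status(HEADER)
    print("reported:", score, "sum of tests:", round(sum(tests.values()), 3))
    for limit in (required, 5.0):
        print("threshold", limit, "->", score_without(HEADER, RP_RULES, limit))
```

Run against any other X-Spam-Status header in the same format to see what a score override would change before editing the configuration.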

[Bug 6931] RP rules helping spam get through

Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6931

AXB <ax...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from AXB <ax...@gmail.com> ---
Out of the box, default scores work for most setups.
SpamAssassin is a framework and allows you to modify every score.
This is not a bug but something that belongs in the users' mailing list.
