Posted to users@spamassassin.apache.org by MySQL Student <my...@gmail.com> on 2009/10/09 19:38:21 UTC

Valid mail from .cn

Hi,

Some portion of our users are from China. I hoped someone could help
me troubleshoot the best way to permit a user from .cn to forward mail
without improperly being tagged as spam, yet still block the majority
of spam from .cn.

Here's the SA report:

X-Spam-Report:
        *  0.1 RELAYCOUNTRY_CN Relayed through China
        *  2.0 RELAYCOUNTRY_HIGH Relayed by a country thats a bad spam source
        *  1.0 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
        * -0.0 SPF_PASS SPF: sender matches SPF record
        * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
        *  0.0 LOC_URI_CN URI: Contains CN URI
        *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        *      [score: 0.5000]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.0 T_TVD_FW_GRAPHIC_ID1 BODY: T_TVD_FW_GRAPHIC_ID1
        *  1.8 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
        *  1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2
        *  1.6 PART_CID_STOCK Has a spammy image attachment (by Content-ID)
        *  1.5 MY_CID_AND_STYLE SARE cid and style
        *  1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style

Bayes could probably use a bit of work, but is there something that I
should be investigating based on this to improve the accuracy, or
should I just whitelist_from_rcvd the user since it's a minority of
valid accounts from China?

Even if I remove the RELAYCOUNTRY_HIGH meta, it's still over the 5.0 threshold.

Thanks,
Alex

Re: Valid mail from .cn

Posted by Andrzej Adam Filip <an...@gmail.com>.
MySQL Student <my...@gmail.com> wrote:
> Some portion of our users are from China. I hoped someone could help
> me troubleshoot the best way to permit a user from .cn to forward mail
> without improperly being tagged as spam, yet still block the majority
> of spam from .cn.
> [...]

Have you considered making your MTA (SMTP server) reject messages
from hosts in CN without reverse DNS?
  [closed loop of addr->PTR->name->A->addr]
Many spam sources in China lack a closed RDNS loop.

Which MTA server do you use? [exim/postfix/sendmail/...]

P.S. There are many services to map IP address to "country of origin" 
e.g. zz.countries.nerd.dk, origin.asn.cymru.com.

-- 
[pl>en: Andrew] Andrzej Adam Filip : anfi@onet.eu
If a man had a child who'd gone anti-social, killed perhaps,
he'd still tend to protect that child.
  -- McCoy, "The Ultimate Computer", stardate 4731.3
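
The "closed loop" check Andrzej describes, written out as an added example (not code from the thread or from any MTA): addr -> PTR -> name -> A -> addr, applied only to clients from a policed country such as CN. The resolver and the country are injected so the logic can be exercised offline against a constructed table; the `system_reverse`/`system_forward` pair uses the real DNS via the standard `socket` module. The host names and RFC 5737 addresses in the table are made up.

```python
"""Forward-confirmed reverse DNS ("closed loop") check.

Added example; not code from the thread or from any MTA. It implements the
check addr -> PTR -> name -> A -> addr and applies it only to clients from a
chosen country. Resolver functions are injected so the logic runs offline.
"""
import socket
from typing import Callable, Iterable, Optional

Reverse = Callable[[str], Optional[str]]   # ip -> PTR name, or None if absent
Forward = Callable[[str], Iterable[str]]   # name -> addresses; raises OSError if none


def has_closed_rdns_loop(ip: str, reverse: Reverse, forward: Forward) -> bool:
    """True only if ip has a PTR and that name resolves forward back to ip."""
    name = reverse(ip)
    if not name:
        return False                       # no reverse DNS at all
    try:
        addrs = set(forward(name))
    except OSError:
        return False                       # PTR name has no forward record
    return ip in addrs                     # loop closes only if ip is among them


def should_reject(ip: str, country: str, reverse: Reverse, forward: Forward,
                  policed=frozenset({"CN"})) -> bool:
    """Reject only clients from policed countries that lack a closed loop."""
    if country not in policed:
        return False
    return not has_closed_rdns_loop(ip, reverse, forward)


# --- real DNS, for use on a live system ---------------------------------
def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]   # socket.herror is an OSError
    except OSError:
        return None


def system_forward(name: str) -> Iterable[str]:
    return [info[4][0] for info in socket.getaddrinfo(name, None)]


# --- constructed table (RFC 5737 documentation addresses, made-up names) --
FAKE_PTR = {
    "192.0.2.10": "mx1.example.net",    # PTR and A agree: closed loop
    "192.0.2.20": "host.example.org",   # PTR name resolves to another address
}                                       # 192.0.2.30: no PTR at all
FAKE_A = {
    "mx1.example.net": ["192.0.2.10"],
    "host.example.org": ["198.51.100.5"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> Iterable[str]:
    if name not in FAKE_A:
        raise OSError(f"no A record for {name}")
    return FAKE_A[name]


def check_fake(ip: str) -> bool:
    return has_closed_rdns_loop(ip, fake_reverse, fake_forward)


def reject_fake(ip: str, country: str) -> bool:
    return should_reject(ip, country, fake_reverse, fake_forward)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, "closed loop" if check_fake(ip) else "no closed loop",
              "-> reject" if reject_fake(ip, "CN") else "-> accept")
```

The country argument is whatever your IP-to-country source returns (Andrzej names zz.countries.nerd.dk and origin.asn.cymru.com); the example does not perform that lookup itself. On Postfix the same forward-confirmed check is available as the built-in `reject_unknown_client_hostname` client restriction, which is the usual way to enforce it at the MTA rather than in a script.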

Re: Valid mail from .cn

Posted by Warren Togami <wt...@redhat.com>.
On 10/09/2009 10:11 PM, MySQL Student wrote:
> Hi,
>
>> Could you ask them to provide ham samples for the automated masschecks?
>>   We currently have none in the corpus so we cannot test the safety of rules
>> against Chinese language mail.
>
> Yes, I know how important that is. I recall you mentioning that a few
> days ago. I think it would be quite difficult for me, though.
>
> I'll evaluate how much mail there really is over the coming work-week,
> and see if there's something I can do.
>
> Best,
> Alex

The easiest way would be to have them put confirmed ham into a folder in 
their own IMAP account, then you run the nightly masscheck script on 
those folders and upload the result log files.

Warren

Re: Valid mail from .cn

Posted by MySQL Student <my...@gmail.com>.
Hi,

> Could you ask them to provide ham samples for the automated masschecks?
>  We currently have none in the corpus so we cannot test the safety of rules
> against Chinese language mail.

Yes, I know how important that is. I recall you mentioning that a few
days ago. I think it would be quite difficult for me, though.

I'll evaluate how much mail there really is over the coming work-week,
and see if there's something I can do.

Best,
Alex

Re: Valid mail from .cn

Posted by Warren Togami <wt...@redhat.com>.
Could you ask them to provide ham samples for the automated masschecks? 
  We currently have none in the corpus so we cannot test the safety of 
rules against Chinese language mail.

Warren

Re: Valid mail from .cn

Posted by John Hardin <jh...@impsec.org>.
On Fri, 9 Oct 2009, MySQL Student wrote:

>        *  1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2
>        *  1.6 PART_CID_STOCK Has a spammy image attachment (by Content-ID)
>        *  1.5 MY_CID_AND_STYLE SARE cid and style
>        *  1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style
>
> Even if I remove the RELAYCOUNTRY_HIGH meta, it's still over the 5.0 
> threshold.

It looks like you might have more than one rule hitting on the same 
condition there. You might want to OR-meta those MY_ rules together into a 
single rule.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Judicial Activism (n): interpreting the Constitution to grant the
   government powers that are popularly felt to be "needed" but that
   are not explicitly provided for therein (common definition);
   interpreting the Constitution as it is written (Brady definition)
-----------------------------------------------------------------------
  8 days since a sunspot last seen - EPA blames CO2 emissions

Re: Valid mail from .cn

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
>         *  0.1 RELAYCOUNTRY_CN Relayed through China
>         *  2.0 RELAYCOUNTRY_HIGH Relayed by a country thats a bad spam source

Custom rules.

>         *  1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2
>         *  1.5 MY_CID_AND_STYLE SARE cid and style
>         *  1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style

Custom rules. These ancient SARE rules have often been reported to hit
together on ham, resulting in FPs.

> Even if I remove the RELAYCOUNTRY_HIGH meta, it's still over the 5.0 threshold.

Without those custom rules, the score is still quite high, but less than
the required_score spam threshold of 5. I'd review the custom rules'
effectiveness, and if they really apply to your mail in-stream.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
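
To make the arithmetic behind Alex's question, John's OR-meta suggestion and Karsten's custom-rule observation concrete, here is an added example (not SpamAssassin code and not from any poster) that parses the X-Spam-Report from the original post, embedded below with its wrapped lines rejoined, and recomputes the total under each change discussed. The rule names and scores come from the report; the combined rule name `MY_CID_ANY` and its score of 1.6 are assumptions, not anything the thread settled on.

```python
"""What-if scoring for the X-Spam-Report in this thread.

Added example; not SpamAssassin code and not from any poster. It parses the
posted report and recomputes the total after: dropping RELAYCOUNTRY_HIGH,
dropping the rules Karsten identifies as custom, and OR-meta'ing the three
MY_CID_* rules into one rule as John suggests (name and score assumed).
"""
import re
from decimal import Decimal

# The report as posted (constructed copy, wrapped lines rejoined)
REPORT = """\
X-Spam-Report:
        *  0.1 RELAYCOUNTRY_CN Relayed through China
        *  2.0 RELAYCOUNTRY_HIGH Relayed by a country thats a bad spam source
        *  1.0 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
        * -0.0 SPF_PASS SPF: sender matches SPF record
        * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
        *  0.0 LOC_URI_CN URI: Contains CN URI
        *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        *      [score: 0.5000]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.0 T_TVD_FW_GRAPHIC_ID1 BODY: T_TVD_FW_GRAPHIC_ID1
        *  1.8 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
        *  1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2
        *  1.6 PART_CID_STOCK Has a spammy image attachment (by Content-ID)
        *  1.5 MY_CID_AND_STYLE SARE cid and style
        *  1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style
"""

REQUIRED_SCORE = Decimal("5.0")   # SpamAssassin's default required_score

# Rules Karsten calls custom (not part of the stock rule set)
CUSTOM_RULES = ("RELAYCOUNTRY_CN", "RELAYCOUNTRY_HIGH",
                "MY_CID_AND_ARIAL2", "MY_CID_AND_STYLE", "MY_CID_ARIAL_STYLE")
# The three SARE-derived rules John suggests OR-meta'ing together
MY_CID_RULES = ("MY_CID_AND_ARIAL2", "MY_CID_AND_STYLE", "MY_CID_ARIAL_STYLE")

# A scored hit line: "*", a signed score, then the rule name. Continuation
# lines such as "*      [score: 0.5000]" carry no score and are skipped.
HIT = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")


def parse_report(text: str) -> dict:
    """Map rule name -> Decimal score for every scored line in the report."""
    hits = {}
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            hits[m.group(2)] = Decimal(m.group(1))
    return hits


def total(hits: dict) -> Decimal:
    return sum(hits.values(), Decimal("0"))


def is_spam(hits: dict, threshold: Decimal = REQUIRED_SCORE) -> bool:
    return total(hits) >= threshold


def without(hits: dict, rules) -> dict:
    return {r: s for r, s in hits.items() if r not in rules}


def collapse(hits: dict, rules, new_name: str, new_score: str) -> dict:
    """Replace rules that fire together with one rule scored once (an OR-meta)."""
    out = without(hits, rules)
    if any(r in hits for r in rules):
        out[new_name] = Decimal(new_score)
    return out


def or_meta_config(new_name: str, rules, score: str, describe: str) -> str:
    """SpamAssassin local.cf lines that implement the collapsed rule."""
    return "\n".join((
        f"meta {new_name} ({' || '.join(rules)})",
        f"describe {new_name} {describe}",
        f"score {new_name} {score}",
    ))


def scenarios(text: str = REPORT) -> dict:
    """Total score under each change discussed in the thread, as floats."""
    hits = parse_report(text)
    return {
        "as reported": float(total(hits)),
        "without RELAYCOUNTRY_HIGH": float(total(without(hits, ("RELAYCOUNTRY_HIGH",)))),
        "without custom rules": float(total(without(hits, CUSTOM_RULES))),
        "MY_CID_* collapsed to one 1.6 meta": float(total(
            collapse(hits, MY_CID_RULES, "MY_CID_ANY", "1.6"))),
    }


if __name__ == "__main__":
    for name, score in scenarios().items():
        flag = "spam" if Decimal(str(score)) >= REQUIRED_SCORE else "ham"
        print(f"{score:5.1f}  {flag:4}  {name}")
    print(or_meta_config("MY_CID_ANY", MY_CID_RULES, "1.6",
                         "Any of the SARE cid/arial/style rules"))
```

Run as a script it shows the message at 11.1 as reported, 9.1 with RELAYCOUNTRY_HIGH removed (still over 5, as Alex found), 4.4 with Karsten's five custom rules removed (under the threshold, as he states), and 8.1 with the three MY_CID_* rules collapsed to a single 1.6 hit; the `meta`/`describe`/`score` lines it prints are the local.cf form of John's suggestion, so each change can be checked against the real report before it is deployed.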


Re: Valid mail from .cn

Posted by Benny Pedersen <me...@junc.org>.
On Fri 09 Oct 2009 19:38:21 CEST, MySQL Student wrote

> Hi,
>
> Some portion of our users are from China. I hoped someone could help
> me troubleshoot the best way to permit a user from .cn to forward mail
> without improperly being tagged as spam, yet still block the majority
> of spam from .cn.

>         * -0.0 SPF_PASS SPF: sender matches SPF record
>         * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record

add sender to whitelist_from_spf

check the score after, and maybe adjust it to not be -100

still keep the metas

-- 
xpoint