Posted to users@spamassassin.apache.org by MySQL Student <my...@gmail.com> on 2009/10/09 19:38:21 UTC
Valid mail from .cn
Hi,
Some portion of our users are from China. I hoped someone could help
me troubleshoot the best way to permit a user from .cn to forward mail
without improperly being tagged as spam, yet still block the majority
of spam from .cn.
Here's the SA report:
X-Spam-Report:
* 0.1 RELAYCOUNTRY_CN Relayed through China
* 2.0 RELAYCOUNTRY_HIGH Relayed by a country thats a bad spam source
* 1.0 EXTRA_MPART_TYPE Header has extraneous
Content-type:...type= entry
* -0.0 SPF_PASS SPF: sender matches SPF record
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* 0.0 LOC_URI_CN URI: Contains CN URI
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5000]
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 T_TVD_FW_GRAPHIC_ID1 BODY: T_TVD_FW_GRAPHIC_ID1
* 1.8 MIME_BASE64_TEXT RAW: Message text disguised using
base64 encoding
* 1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2
* 1.6 PART_CID_STOCK Has a spammy image attachment (by Content-ID)
* 1.5 MY_CID_AND_STYLE SARE cid and style
* 1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style
Bayes could probably use a bit of work, but is there something that I
should be investigating based on this to improve the accuracy, or
should I just whitelist_from_rcvd the user since it's a minority of
valid accounts from China?
Even if I remove the RELAYCOUNTRY_HIGH meta, it's still over the 5.0 threshold.
Thanks,
Alex
Re: Valid mail from .cn
Posted by Andrzej Adam Filip <an...@gmail.com>.
MySQL Student <my...@gmail.com> wrote:
> Some portion of our users are from China. I hoped someone could help
> me troubleshoot the best way to permit a user from .cn to forward mail
> without improperly being tagged as spam, yet still block the majority
> of spam from .cn.
> [...]
Have you considered making your MTA (SMTP server) reject messages
from hosts in CN without reverse DNS?
[closed loop of addr->PTR->name->A->addr ]
Many spam sources in China lack a closed RDNS loop.
Which MTA server do you use? [exim/postfix/sendmail/...]
P.S. There are many services to map IP address to "country of origin"
e.g. zz.countries.nerd.dk, origin.asn.cymru.com.
--
[pl>en: Andrew] Andrzej Adam Filip : anfi@onet.eu
If a man had a child who'd gone anti-social, killed perhaps,
he'd still tend to protect that child.
-- McCoy, "The Ultimate Computer", stardate 4731.3
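The closed-loop check Andrzej describes (addr -> PTR -> name -> A -> addr, usually called forward-confirmed reverse DNS) and the "reject only CN hosts that fail it" policy, as an added example that is not part of the thread. DNS is replaced by a table-backed resolver and the country lookup by a constructed prefix table so the code runs offline; the addresses, hostnames and records are all made up (documentation ranges), and the real IP-to-country zones named in the post are not queried.

```python
import ipaddress

def reverse_name(ip):
    """Name queried for the PTR lookup, e.g. 203.0.113.10 -> 10.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

class TableResolver:
    """Offline stand-in for DNS; both tables are constructed for this example."""
    def __init__(self, ptr_records, fwd_records):
        self.ptr_records = ptr_records   # reverse name -> [hostnames]
        self.fwd_records = fwd_records   # hostname -> [addresses]
    def ptr(self, ip):
        return self.ptr_records.get(reverse_name(ip), [])
    def addresses(self, name):
        return self.fwd_records.get(name.rstrip(".").lower(), [])

def fcrdns(ip, resolver):
    """Forward-confirmed reverse DNS: addr -> PTR -> name -> A -> addr.
    Returns ("ok", name) if some PTR name resolves back to ip,
    ("no_ptr", None) if the address has no PTR at all, and
    ("mismatch", first_name) if it has a PTR that does not point back."""
    ip = str(ipaddress.ip_address(ip))
    names = resolver.ptr(ip)
    if not names:
        return ("no_ptr", None)
    for name in names:
        if ip in resolver.addresses(name):
            return ("ok", name)
    return ("mismatch", names[0])

# Constructed country map standing in for an IP-to-country DNS zone. Those zones
# are queried with reversed octets like a PTR lookup, but the encoding of their
# answers is zone-specific and is not reproduced here.
COUNTRY_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_TABLE.items():
        if addr in net:
            return cc
    return None

def smtp_decision(ip, resolver):
    """Policy from the post: only CN clients that fail the closed rDNS loop are
    rejected at SMTP time; everyone else is accepted and left to content filtering."""
    status, _name = fcrdns(ip, resolver)
    if country_of(ip) == "CN" and status != "ok":
        return "reject"
    return "accept"

# Constructed records (documentation address ranges, not real hosts).
RESOLVER = TableResolver(
    ptr_records={
        reverse_name("203.0.113.10"): ["mail.example.cn."],  # genuine host: loop closes
        reverse_name("203.0.113.30"): ["mail.example.cn."],  # forged PTR: no A back to .30
        # 203.0.113.20 deliberately has no PTR record
    },
    fwd_records={"mail.example.cn": ["203.0.113.10"]},
)

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "198.51.100.5"):
        print(ip, country_of(ip), fcrdns(ip, RESOLVER), smtp_decision(ip, RESOLVER))
```

The mismatch case matters: a PTR record alone proves nothing, since the owner of the reverse zone can put any name there, so the check must resolve the name forward and look for the original address. In a real deployment the loop lives in the MTA rather than in a script; Postfix, for instance, performs exactly this forward-confirmed check in its `reject_unknown_client_hostname` restriction, which can be scoped to the address ranges you want to police.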
Re: Valid mail from .cn
Posted by Warren Togami <wt...@redhat.com>.
On 10/09/2009 10:11 PM, MySQL Student wrote:
> Hi,
>
>> Could you ask them to provide ham samples for the automated masschecks?
>> We currently have none in the corpus so we cannot test the safety of rules
>> against Chinese language mail.
>
> Yes, I know how important that is. I recall you mentioning that a few
> days ago. I think it would be quite difficult for me, though.
>
> I'll evaluate how much mail there really is over the coming work-week,
> and see if there's something I can do.
>
> Best,
> Alex
The easiest way would be to have them put confirmed ham into a folder in
their own IMAP account, then you run the nightly masscheck script on
those folders and upload the result log files.
Warren
Re: Valid mail from .cn
Posted by MySQL Student <my...@gmail.com>.
Hi,
> Could you ask them to provide ham samples for the automated masschecks?
> We currently have none in the corpus so we cannot test the safety of rules
> against Chinese language mail.
Yes, I know how important that is. I recall you mentioning that a few
days ago. I think it would be quite difficult for me, though.
I'll evaluate how much mail there really is over the coming work-week,
and see if there's something I can do.
Best,
Alex
Re: Valid mail from .cn
Posted by Warren Togami <wt...@redhat.com>.
Could you ask them to provide ham samples for the automated masschecks?
We currently have none in the corpus so we cannot test the safety of
rules against Chinese language mail.
Warren
Re: Valid mail from .cn
Posted by John Hardin <jh...@impsec.org>.
On Fri, 9 Oct 2009, MySQL Student wrote:
> * 1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2
> * 1.6 PART_CID_STOCK Has a spammy image attachment (by Content-ID)
> * 1.5 MY_CID_AND_STYLE SARE cid and style
> * 1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style
>
> Even if I remove the RELAYCOUNTRY_HIGH meta, it's still over the 5.0
> threshold.
It looks like you might have more than one rule hitting on the same
condition there. You might want to OR-meta those MY_ rules together into a
single rule.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Judicial Activism (n): interpreting the Constitution to grant the
government powers that are popularly felt to be "needed" but that
are not explicitly provided for therein (common definition);
interpreting the Constitution as it is written (Brady definition)
-----------------------------------------------------------------------
8 days since a sunspot last seen - EPA blames CO2 emissions
Re: Valid mail from .cn
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> * 0.1 RELAYCOUNTRY_CN Relayed through China
> * 2.0 RELAYCOUNTRY_HIGH Relayed by a country thats a bad spam source
Custom rules.
> * 1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2
> * 1.5 MY_CID_AND_STYLE SARE cid and style
> * 1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style
Custom rules. These ancient SARE rules have often been reported to hit
together on ham, resulting in FPs.
> Even if I remove the RELAYCOUNTRY_HIGH meta, it's still over the 5.0 threshold.
Without those custom rules, the score is still quite high, but less than
the required_score spam threshold of 5. I'd review the custom rules'
effectiveness, and if they really apply to your mail in-stream.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
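To see what John Hardin's OR-meta suggestion and Karsten's "drop the custom rules" observation each do to this message's score, here is an added example (not code from the thread) that parses the X-Spam-Report from the original post and recomputes the total under both changes. The report text is a copy of the hits shown above with the usual leading " * " restored; the classification of which rules are custom follows Karsten's reply, and the 1.6 score for the collapsed meta is an assumption (the highest of the three MY_ scores).

```python
import re

# Copy of the X-Spam-Report lines from the original post (constructed layout).
REPORT = """\
 * 0.1 RELAYCOUNTRY_CN Relayed through China
 * 2.0 RELAYCOUNTRY_HIGH Relayed by a country thats a bad spam source
 * 1.0 EXTRA_MPART_TYPE Header has extraneous
 *      Content-type:...type= entry
 * -0.0 SPF_PASS SPF: sender matches SPF record
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 * 0.0 LOC_URI_CN URI: Contains CN URI
 * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
 *      [score: 0.5000]
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 0.0 T_TVD_FW_GRAPHIC_ID1 BODY: T_TVD_FW_GRAPHIC_ID1
 * 1.8 MIME_BASE64_TEXT RAW: Message text disguised using
 *      base64 encoding
 * 1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2
 * 1.6 PART_CID_STOCK Has a spammy image attachment (by Content-ID)
 * 1.5 MY_CID_AND_STYLE SARE cid and style
 * 1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style
"""

# A hit line is "* <score> <RULE_NAME> <description>"; continuation lines of a
# wrapped description start with "*" but carry no score, so they do not match.
HIT_RE = re.compile(r'^\s*\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$')

def parse_report(text):
    """Return {rule_name: score} for every hit line in an X-Spam-Report."""
    hits = {}
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def total(hits, drop=(), collapse=None):
    """Recompute the score after dropping some rules and/or collapsing a group of
    rules into one OR-meta: collapse=(members, score) adds `score` once if any
    member hit, instead of each member's own score."""
    members = set(collapse[0]) if collapse else set()
    score = sum(s for name, s in hits.items()
                if name not in drop and name not in members)
    if members and any(name in hits for name in members):
        score += collapse[1]
    return round(score, 1)

REQUIRED_SCORE = 5.0          # the 5.0 threshold mentioned in the post
MY_CID_RULES = ("MY_CID_AND_ARIAL2", "MY_CID_AND_STYLE", "MY_CID_ARIAL_STYLE")
CUSTOM_RULES = ("RELAYCOUNTRY_CN", "RELAYCOUNTRY_HIGH") + MY_CID_RULES

def is_spam(score):
    return score >= REQUIRED_SCORE

def scenarios(text=REPORT):
    hits = parse_report(text)
    return {
        "as_reported": total(hits),
        "without_relaycountry_high": total(hits, drop=("RELAYCOUNTRY_HIGH",)),
        "my_cid_collapsed_to_one_meta": total(hits, collapse=(MY_CID_RULES, 1.6)),
        "without_custom_rules": total(hits, drop=CUSTOM_RULES),
    }

if __name__ == "__main__":
    for name, score in scenarios().items():
        print(f"{name:32s} {score:5.1f}  {'spam' if is_spam(score) else 'ham'}")
```

Collapsing the three MY_CID_* hits into a single 1.6 takes this message from 11.1 to 8.1, still well over the threshold, which is why removing one meta was not enough; only removing all five custom hits (4.4) brings it under 5.0, matching Karsten's observation. The stock rules alone still put it close to the line, so the Bayes and whitelist questions in the original post remain relevant.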
Re: Valid mail from .cn
Posted by Benny Pedersen <me...@junc.org>.
On Fri 09 Oct 2009 19:38:21 CEST, MySQL Student wrote
> Hi,
>
> Some portion of our users are from China. I hoped someone could help
> me troubleshoot the best way to permit a user from .cn to forward mail
> without improperly being tagged as spam, yet still block the majority
> of spam from .cn.
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
Add the sender to whitelist_from_spf.
Check the score afterwards, and maybe adjust it so that it is not -100.
Still keep the metas.
--
xpoint
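How both configuration suggestions in this thread would look in a local.cf, as an added example rather than anything posted by the participants: John Hardin's OR-meta over the three MY_CID_* rules, and Benny Pedersen's whitelist_from_spf with its default -100 score reduced. The meta name MY_CID_ANY, the 1.6 score, the -20 score and the address user@example.cn are placeholders chosen here; the MY_CID_* rule names are the ones in the original X-Spam-Report, and USER_IN_SPF_WHITELIST is the stock rule that whitelist_from_spf entries hit.

```conf
# --- local.cf additions (example) ---------------------------------------

# 1. Score the overlapping SARE-derived rules once, through a single OR-meta.
#    A rule scored 0 is normally skipped, but SpamAssassin still evaluates it
#    when a meta depends on it, so the sub-rules keep firing without adding
#    to the total. The tidier long-term form is to rename the three rules
#    with a "__" prefix in their own .cf file, which this fragment cannot do.
meta      MY_CID_ANY   (MY_CID_AND_ARIAL2 || MY_CID_AND_STYLE || MY_CID_ARIAL_STYLE)
describe  MY_CID_ANY   Any of the SARE cid / arial2 / style rules hit
score     MY_CID_ANY   1.6
score     MY_CID_AND_ARIAL2   0
score     MY_CID_AND_STYLE    0
score     MY_CID_ARIAL_STYLE  0

# 2. Trust the Chinese account only when its SPF check passes, so a spoofed
#    From: cannot ride on the whitelist. whitelist_from_spf hits
#    USER_IN_SPF_WHITELIST, whose stock score is -100; -20 is enough to
#    clear a borderline ham like the one in this thread without letting the
#    account launder arbitrary spam if it is ever compromised.
whitelist_from_spf  user@example.cn
score     USER_IN_SPF_WHITELIST  -20
```

After changing either part, run `spamassassin --lint` before reloading, and re-test the original message with `spamassassin -t < message.eml` to confirm that MY_CID_ANY fires once and that the SPF whitelist applies only when SPF_PASS does.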