Posted to users@spamassassin.apache.org by atat <at...@onet.eu> on 2019/03/13 12:50:52 UTC

Regex header_checks rules not always matching

Hi,
 
Spamassassin 3.4.0-4.el7_5 on centos 7, updated from Base Repo.
 
My regex rules are not always matching spammers from outside. Please help me understand why it's happening sometimes.
 
All unmatched emails have multipart info in the header:
 
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_6D4A727D.1A2015BF"
This is a multi-part message in MIME format.
------=_NextPart_000_0012_6D4A727D.1A2015BF
Content-Type: multipart/alternative; boundary="----=_NextPart_001_0013_6D4A727D.1A2015BF"
Spamassassin Rules:
blacklist_from *@example.com*
blacklist_from *@example.com
blacklist_from *@example.com*
blacklist_from *@example.com
blacklist_from *@example.com.pl*
blacklist_from *@example.com.pl
blacklist_from *@example.com.pl*
blacklist_from *@example.com.pl
header BLOKOWANIE_EXAMPLE_COM  From =~ /example.com\.pl/i
score BLOKOWANIE_EXAMPLE_COM   100.0
header BLOKOWANIE_EXAMPLE_COM1  From =~ /.*example.com.pl\.*/i
score BLOKOWANIE_EXAMPLE_COM1   100.0
header BLOKOWANIE_EXAMPLE_COM2  From =~ /example\.com/i
score BLOKOWANIE_EXAMPLE_COM2   100.0
header BLOKOWANIE_EXAMPLE_COM3  From =~ /.*example\.com\.pl.*/i
score BLOKOWANIE_EXAMPLE_COM3   100.0
01 Not matching rules -----------------------------------------------------------------------
Return-Path: <>
X-Original-To: mailacc@srv01.example.com.pl
Delivered-To: mailacc@srv01.example.com.pl
Received: from localhost (localhost [127.0.0.1])
    by srv01.example.com.pl (Postfix) with ESMTP id 01E8A400748ED
    for <ma...@srv01.example.com.pl>; Tue, 12 Mar 2019 09:34:57 +0100 (CET)
X-Envelope-From: <gl...@koreaunicom.co.kr>
X-Envelope-To: <ma...@example.com>
X-Envelope-To-Blocked: <ma...@example.com>
X-Quarantine-ID: <OM22wOiFBUgK>
X-Spam-Flag: YES
X-Spam-Score: 23.329
X-Spam-Level: ***********************
X-Spam-Status: Yes, score=23.329 tag=-888 tag2=6 kill=6 tests=[AM.WBL=1.6,
    BAYES_999=0.2, BAYES_99=7, DATE_IN_FUTURE_06_12=4.897,
    FREEMAIL_FORGED_REPLYTO=2.095, HTML_MESSAGE=0.001,
    RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793, SPF_HELO_SOFTFAIL=0.732,
    SPF_SOFTFAIL=6, T_ISO_ATTACH=0.01] autolearn=no autolearn_force=no
Received: from srv01.example.com.pl ([127.0.0.1])
    by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id OM22wOiFBUgK for <ma...@example.com>;
    Tue, 12 Mar 2019 09:34:53 +0100 (CET)
Received: from koreaunicom.co.kr (unknown [178.128.125.68])
    by srv01.example.com.pl (Postfix) with ESMTP id 7BDC44011BBB0
    for <ma...@example.com>; Tue, 12 Mar 2019 09:34:50 +0100 (CET)
Reply-To: misain.ncube@gmail.com
From: Korea@example.com.pl, Uni@example.com.pl, Com@example.com.pl,
    "Co."@example.com.pl, Ltd. <gl...@koreaunicom.co.kr>
To: marketing01@example.com
Subject: FW: Wrong Transfer Payment - Chk Clip Copy
Date: 12 Mar 2019 08:33:58 -0700
Message-ID: <20...@koreaunicom.co.kr>
02 Not matching rules -----------------------------------------------------------------------
Return-Path: <>
X-Original-To: mailacc@srv01.example.com.pl
Delivered-To: mailacc@srv01.example.com.pl
Received: from localhost (localhost [127.0.0.1])
    by srv01.example.com.pl (Postfix) with ESMTP id 0A4ED40118229
    for <ma...@srv01.example.com.pl>; Mon, 11 Mar 2019 19:47:59 +0100 (CET)
X-Envelope-From: <in...@puresmileborehamwood.co.uk>
X-Envelope-To: <aa...@example.com>
X-Envelope-To-Blocked: <aa...@example.com>
X-Quarantine-ID: <3gOmOfFwP2Re>
X-Spam-Flag: YES
X-Spam-Score: 8.8
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.8 tag=-888 tag2=6 kill=6 tests=[AM.WBL=1.6,
    BAYES_999=0.2, BAYES_99=7] autolearn=no autolearn_force=no
Received: from srv01.example.com.pl ([127.0.0.1])
    by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 3gOmOfFwP2Re for <aa...@example.com>;
    Mon, 11 Mar 2019 19:47:57 +0100 (CET)
Received: from 495011.vps-10.com (495011.vps-10.com [212.67.214.132])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by srv01.example.com.pl (Postfix) with ESMTPS id E5672400748E8
    for <aa...@example.com>; Mon, 11 Mar 2019 19:47:56 +0100 (CET)
Received: from [192.10.19.6] (unknown [146.83.109.33])
    by 495011.vps-10.com (Postfix) with ESMTPSA id 002DD283695
    for <aa...@example.com>; Mon, 11 Mar 2019 17:45:37 +0000 (GMT)
Date: Mon, 11 Mar 2019 15:42:39 -0400
From: Bell@example.com.pl, Martin <in...@puresmileborehamwood.co.uk>
To: aaa.bbb@example.com
Message-Id: <NL...@example.com>
Subject: facture
MIME-Version: 1.0
03 Not matching rules -----------------------------------------------------------------------
Return-Path: <>
X-Original-To: mailacc@srv01.example.com.pl
Delivered-To: mailacc@srv01.example.com.pl
Received: from localhost (localhost [127.0.0.1])
    by srv01.example.com.pl (Postfix) with ESMTP id 6B27740008232
    for <ma...@srv01.example.com.pl>; Wed, 13 Mar 2019 10:21:58 +0100 (CET)
X-Envelope-From: <kh...@premiersintl.com>
X-Envelope-To: <jo...@example.com>
X-Envelope-To-Blocked: <jo...@example.com>
X-Quarantine-ID: <QE9zm4o-7hou>
X-Spam-Flag: YES
X-Spam-Score: 22.919
X-Spam-Level: **********************
X-Spam-Status: Yes, score=22.919 tag=-888 tag2=6 kill=6
    tests=[ADVANCE_FEE_3_NEW=2.967, BAYES_999=0.2, BAYES_99=7,
    DATE_IN_FUTURE_06_12=4.897, DEAR_SOMETHING=1.973, FROM_ADDR_WS=2.999,
    HTML_MESSAGE=0.001, RDNS_NONE=0.793, SUBJ_ALL_CAPS=1.506,
    T_ISO_ATTACH=0.01, URG_BIZ=0.573] autolearn=no autolearn_force=no
Received: from srv01.example.com.pl ([127.0.0.1])
    by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id QE9zm4o-7hou for <jo...@example.com>;
    Wed, 13 Mar 2019 10:21:56 +0100 (CET)
Received: from premiersintl.com (unknown [128.199.215.46])
    by srv01.example.com.pl (Postfix) with ESMTP id 4D5E34000823A
    for <jo...@example.com>; Wed, 13 Mar 2019 10:21:49 +0100 (CET)
From: Donna@example.com.pl, Perry|Accounting@example.com.pl,
    Manager@example.com.pl, khalid@premiersintl.com
To: john2.doe2@example.com
Subject: BANK TRANSFER COPY/ WIRE
Date: 13 Mar 2019 09:21:46 -0700
Message-ID: <20...@premiersintl.com>
MIME-Version: 1.0
04 Not matching rules ------------------------------------------------------------------------
But this one matched the simple rules:
blacklist_from *@example.com*
blacklist_from *@example.com
blacklist_from *@example.com*
blacklist_from *@example.com
blacklist_from *@example.com.pl*
blacklist_from *@example.com.pl
blacklist_from *@example.com.pl*
blacklist_from *@example.com.pl
Return-Path: <>
X-Original-To: mailacc@srv01.example.com.pl
Delivered-To: mailacc@srv01.example.com.pl
Received: from localhost (localhost [127.0.0.1])
    by srv01.example.com.pl (Postfix) with ESMTP id A38D540002948
    for <ma...@srv01.example.com.pl>; Mon, 11 Mar 2019 19:33:23 +0100 (CET)
X-Envelope-From: <vo...@CC-ShoreTel.example.com.pl>
X-Envelope-To: <jo...@example.com>
X-Envelope-To-Blocked: <jo...@example.com>
X-Quarantine-ID: <uz_8uQBRiKxN>
X-Spam-Flag: YES
X-Spam-Score: 104.983
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=104.983 tag=-888 tag2=6 kill=6 tests=[BAYES_95=4,
    HEADER_FROM_DIFFERENT_DOMAINS=0.001, RDNS_DYNAMIC=0.982,
    USER_IN_BLACKLIST=100] autolearn=no autolearn_force=no
Received: from srv01.example.com.pl ([127.0.0.1])
    by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id uz_8uQBRiKxN for <jo...@example.com>;
    Mon, 11 Mar 2019 19:33:22 +0100 (CET)
Received: from CC-ShoreTel.quadra.local (72-24-204-226.cpe.cableone.net [72.24.204.226])
    by srv01.example.com.pl (Postfix) with ESMTP id 29EC4400748EE
    for <jo...@example.com>; Mon, 11 Mar 2019 19:33:20 +0100 (CET)
Received: from mail pickup service by CC-ShoreTel.quadra.local with Microsoft SMTPSVC;
     Mon, 11 Mar 2019 11:23:38 -0700
thread-index: AdTYN4w7x9VrrKKPQR27vx0vwmcnRA==
Thread-Topic: ShoreTel voice message from Jessica Johnson, 204 for mailbox 145
From: "ShoreWare Voice Mail" <vo...@CC-ShoreTel.example.com.pl>
To: <jo...@example.com>
Subject: ShoreTel voice message from Jessica Johnson, 204 for mailbox 145
Date: Mon, 11 Mar 2019 11:23:38 -0700
Keywords: {"SHORETEL_INFO":"VMSync","DN":"145","ID":"DUI0BUMVM","WAV":true,"GUID":"88f56fab-3461-4a1f-be40-2b8bbb025704"}
Message-ID: <05...@quadra.local>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_003C_01D4D7FC.DFDCFFC0"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.24158
X-OriginalArrivalTime: 11 Mar 2019 18:23:38.0819 (UTC) FILETIME=[8C3CE930:01D4D837]
###############################
If I try to reproduce the problem myself, the rules match, and the message goes to spam with my rules mentioned in the header.
Telnet:
220 "EXAMPLE-COM Mail Server"
helo tests
250 srv01.example.com.pl
mail from:<te...@test.pl>
250 2.1.0 Ok
rcpt to:<te...@exapmple.com>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Date: Mon, 11 Mar 2019 15:42:39 -0400
From: Bell@example.com.pl, Martin <in...@puresmileborehamwood.co.uk>
To: aaa.bbb@example.com
Message-Id: <NL...@kghm.com>
Subject: facture
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_62714_4267039113.11868653231007013837"
dd
.
 250 2.0.0 Ok: queued as 9D0F440118237

Re: Re: Regex header_checks rules not always matching

Posted by atat <at...@onet.eu>.
Thanks for reply.

I will check tomorrow what you have mentioned.

I have obfuscated my domains like this:
mail.mydomain.pl -> example.com.pl
mydomain.com -> example.com
hostname.mail.mydomain.pl -> srv01.example.com.pl

That would be all about obfuscating.

Do you suggest that:

blacklist_from *@example.com - would be enough?

blacklist_from *@example.com* - doesn't this cover more examples of matching?

Best Regards!
AtAt



On 2019-03-13 15:00:39, Bill Cole <sa...@billmail.scconsult.com> wrote:




Re: Regex header_checks rules not always matching

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 13 Mar 2019, at 8:50, atat wrote:

> Hi,
>  
> Spamassassin 3.4.0-4.el7_5 on centos 7, updated from Base Repo.
>  
> My regex rules are not always matching spammers from outside. Please 
> help me understand why it's happening sometimes.
>  
> All unmatched emails have multipart info in the header:
>  
> Content-Type: multipart/mixed; 
> boundary="----=_NextPart_000_0012_6D4A727D.1A2015BF" This is a 
> multi-part message in MIME format. 
> ------=_NextPart_000_0012_6D4A727D.1A2015BF Content-Type: 
> multipart/alternative; 
> boundary="----=_NextPart_001_0013_6D4A727D.1A2015BF"

That cannot be relevant.


> Spamassassin Rules:
> blacklist_from *@example.com*
> blacklist_from *@example.com
> blacklist_from *@example.com*
> blacklist_from *@example.com
> blacklist_from *@example.com.pl*
> blacklist_from *@example.com.pl
> blacklist_from *@example.com.pl*
> blacklist_from *@example.com.pl
> header BLOKOWANIE_EXAMPLE_COM  From =~ /example.com\.pl/i
> score BLOKOWANIE_EXAMPLE_COM   100.0
> header BLOKOWANIE_EXAMPLE_COM1  From =~ /.*example.com.pl\.*/i
> score BLOKOWANIE_EXAMPLE_COM1   100.0
> header BLOKOWANIE_EXAMPLE_COM2  From =~ /example\.com/i
> score BLOKOWANIE_EXAMPLE_COM2   100.0
> header BLOKOWANIE_EXAMPLE_COM3  From =~ /.*example\.com\.pl.*/i
> score BLOKOWANIE_EXAMPLE_COM3   100.0


The fact that you've chosen to obfuscate these rules and the sample 
messages makes it nearly impossible to figure out with any certainty 
what's going wrong.

But I have a wild guess...

> 01 Not matching rules 
> -----------------------------------------------------------------------
> Return-Path: <>
> X-Original-To: mailacc@srv01.example.com.pl
> Delivered-To: mailacc@srv01.example.com.pl
> Received: from localhost (localhost [127.0.0.1])
>     by srv01.example.com.pl (Postfix) with ESMTP id 01E8A400748ED
>     for <ma...@srv01.example.com.pl>; Tue, 12 Mar 2019 09:34:57 
> +0100 (CET)
> X-Envelope-From: <gl...@koreaunicom.co.kr>
> X-Envelope-To: <ma...@example.com>
> X-Envelope-To-Blocked: <ma...@example.com>
> X-Quarantine-ID: <OM22wOiFBUgK>
> X-Spam-Flag: YES
> X-Spam-Score: 23.329
> X-Spam-Level: ***********************
> X-Spam-Status: Yes, score=23.329 tag=-888 tag2=6 kill=6 
> tests=[AM.WBL=1.6,
>     BAYES_999=0.2, BAYES_99=7, DATE_IN_FUTURE_06_12=4.897,
>     FREEMAIL_FORGED_REPLYTO=2.095, HTML_MESSAGE=0.001,
>     RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793, 
> SPF_HELO_SOFTFAIL=0.732,
>     SPF_SOFTFAIL=6, T_ISO_ATTACH=0.01] autolearn=no 
> autolearn_force=no
> Received: from srv01.example.com.pl ([127.0.0.1])
>     by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, 
> port 10024)
>     with ESMTP id OM22wOiFBUgK for <ma...@example.com>;
>     Tue, 12 Mar 2019 09:34:53 +0100 (CET)
> Received: from koreaunicom.co.kr (unknown [178.128.125.68])
>     by srv01.example.com.pl (Postfix) with ESMTP id 7BDC44011BBB0
>     for <ma...@example.com>; Tue, 12 Mar 2019 09:34:50 +0100 
> (CET)
> Reply-To: misain.ncube@gmail.com
> From: Korea@example.com.pl, Uni@example.com.pl, Com@example.com.pl,
>     "Co."@example.com.pl, Ltd. <gl...@koreaunicom.co.kr>
[SNIP]

This looks like you have a broken header masquerade configured in your 
MTA (apparently Postfix) or some other associated tool which is 
mis-parsing the From header and appending '@example.com.pl' to each 
token in a display name part of the From header. Since this is happening 
AFTER SA scans the message (i.e. in the Postfix smtpd instance behind 
the amavisd-new SMTP proxy or ensuing cleanup process) SA does not see 
the mangled header.

The original From header was probably:

      From: Korea Uni Com Co., Ltd. <gl...@koreaunicom.co.kr>


> 02 Not matching rules 
> -----------------------------------------------------------------------
> Return-Path: <>
> X-Original-To: mailacc@srv01.example.com.pl
> Delivered-To: mailacc@srv01.example.com.pl
> Received: from localhost (localhost [127.0.0.1])
>     by srv01.example.com.pl (Postfix) with ESMTP id 0A4ED40118229
>     for <ma...@srv01.example.com.pl>; Mon, 11 Mar 2019 19:47:59 
> +0100 (CET)
> X-Envelope-From: <in...@puresmileborehamwood.co.uk>
> X-Envelope-To: <aa...@example.com>
> X-Envelope-To-Blocked: <aa...@example.com>
> X-Quarantine-ID: <3gOmOfFwP2Re>
> X-Spam-Flag: YES
> X-Spam-Score: 8.8
> X-Spam-Level: ********
> X-Spam-Status: Yes, score=8.8 tag=-888 tag2=6 kill=6 
> tests=[AM.WBL=1.6,
>     BAYES_999=0.2, BAYES_99=7] autolearn=no autolearn_force=no
> Received: from srv01.example.com.pl ([127.0.0.1])
>     by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, 
> port 10024)
>     with ESMTP id 3gOmOfFwP2Re for <aa...@example.com>;
>     Mon, 11 Mar 2019 19:47:57 +0100 (CET)
> Received: from 495011.vps-10.com (495011.vps-10.com [212.67.214.132])
>     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 
> bits))
>     (No client certificate requested)
>     by srv01.example.com.pl (Postfix) with ESMTPS id E5672400748E8
>     for <aa...@example.com>; Mon, 11 Mar 2019 19:47:56 +0100 
> (CET)
> Received: from [192.10.19.6] (unknown [146.83.109.33])
>     by 495011.vps-10.com (Postfix) with ESMTPSA id 002DD283695
>     for <aa...@example.com>; Mon, 11 Mar 2019 17:45:37 +0000 
> (GMT)
> Date: Mon, 11 Mar 2019 15:42:39 -0400
> From: Bell@example.com.pl, Martin <in...@puresmileborehamwood.co.uk>

Same explanation. Original From:

      From: Bell, Martin <in...@puresmileborehamwood.co.uk>


> 03 Not matching rules 
> -----------------------------------------------------------------------
> Return-Path: <>
> X-Original-To: mailacc@srv01.example.com.pl
> Delivered-To: mailacc@srv01.example.com.pl
> Received: from localhost (localhost [127.0.0.1])
>     by srv01.example.com.pl (Postfix) with ESMTP id 6B27740008232
>     for <ma...@srv01.example.com.pl>; Wed, 13 Mar 2019 10:21:58 
> +0100 (CET)
> X-Envelope-From: <kh...@premiersintl.com>
> X-Envelope-To: <jo...@example.com>
> X-Envelope-To-Blocked: <jo...@example.com>
> X-Quarantine-ID: <QE9zm4o-7hou>
> X-Spam-Flag: YES
> X-Spam-Score: 22.919
> X-Spam-Level: **********************
> X-Spam-Status: Yes, score=22.919 tag=-888 tag2=6 kill=6
>     tests=[ADVANCE_FEE_3_NEW=2.967, BAYES_999=0.2, BAYES_99=7,
>     DATE_IN_FUTURE_06_12=4.897, DEAR_SOMETHING=1.973, 
> FROM_ADDR_WS=2.999,
>     HTML_MESSAGE=0.001, RDNS_NONE=0.793, SUBJ_ALL_CAPS=1.506,
>     T_ISO_ATTACH=0.01, URG_BIZ=0.573] autolearn=no 
> autolearn_force=no
> Received: from srv01.example.com.pl ([127.0.0.1])
>     by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, 
> port 10024)
>     with ESMTP id QE9zm4o-7hou for <jo...@example.com>;
>     Wed, 13 Mar 2019 10:21:56 +0100 (CET)
> Received: from premiersintl.com (unknown [128.199.215.46])
>     by srv01.example.com.pl (Postfix) with ESMTP id 4D5E34000823A
>     for <jo...@example.com>; Wed, 13 Mar 2019 10:21:49 +0100 
> (CET)
> From: Donna@example.com.pl, Perry|Accounting@example.com.pl,
>     Manager@example.com.pl, khalid@premiersintl.com

Originally:

      From: Donna Perry|Accounting Manager, khalid@premiersintl.com

The commonality in these 3 is misinterpretation of commas in the From 
headers and over-aggressive masquerading.

Also I see that each of these (despite the bogus "Return-Path: <>" which 
is probably a delivery artifact,) seems to have had an envelope sender 
(preserved in the X-Envelope-From: header) NOT using whatever you've 
replaced with example.com.pl.

> 04 Not matching rules 
> ------------------------------------------------------------------------
> But matched simple:
> blacklist_from *@example.com*
> blacklist_from *@example.com
> blacklist_from *@example.com*
> blacklist_from *@example.com
> blacklist_from *@example.com.pl*
> blacklist_from *@example.com.pl
> blacklist_from *@example.com.pl*
> blacklist_from *@example.com.pl

Note that these are duplicative, so your mangling has probably lost some 
useful details...

> Return-Path: <>
> X-Original-To: mailacc@srv01.example.com.pl
> Delivered-To: mailacc@srv01.example.com.pl
> Received: from localhost (localhost [127.0.0.1])
>     by srv01.example.com.pl (Postfix) with ESMTP id A38D540002948
>     for <ma...@srv01.example.com.pl>; Mon, 11 Mar 2019 19:33:23 
> +0100 (CET)
> X-Envelope-From: <vo...@CC-ShoreTel.example.com.pl>

This envelope sender may match one of your *actual* blacklist_from 
directives.

> X-Envelope-To: <jo...@example.com>
> X-Envelope-To-Blocked: <jo...@example.com>
> X-Quarantine-ID: <uz_8uQBRiKxN>
> X-Spam-Flag: YES
> X-Spam-Score: 104.983
> X-Spam-Level: 
> ****************************************************************
> X-Spam-Status: Yes, score=104.983 tag=-888 tag2=6 kill=6 
> tests=[BAYES_95=4,
>     HEADER_FROM_DIFFERENT_DOMAINS=0.001, RDNS_DYNAMIC=0.982,
>     USER_IN_BLACKLIST=100] autolearn=no autolearn_force=no
> Received: from srv01.example.com.pl ([127.0.0.1])
>     by localhost (srv01.example.com.pl [127.0.0.1]) (amavisd-new, 
> port 10024)
>     with ESMTP id uz_8uQBRiKxN for <jo...@example.com>;
>     Mon, 11 Mar 2019 19:33:22 +0100 (CET)
> Received: from CC-ShoreTel.quadra.local 
> (72-24-204-226.cpe.cableone.net [72.24.204.226])
>     by srv01.example.com.pl (Postfix) with ESMTP id 29EC4400748EE
>     for <jo...@example.com>; Mon, 11 Mar 2019 19:33:20 +0100 
> (CET)
> Received: from mail pickup service by CC-ShoreTel.quadra.local with 
> Microsoft SMTPSVC;
>      Mon, 11 Mar 2019 11:23:38 -0700
> thread-index: AdTYN4w7x9VrrKKPQR27vx0vwmcnRA==
> Thread-Topic: ShoreTel voice message from Jessica Johnson, 204 for 
> mailbox 145
> From: "ShoreWare Voice Mail" 
> <vo...@CC-ShoreTel.example.com.pl>

This may be the header masquerading operating as intended, qualifying 
the bare hostname "CC-ShoreTel" by tacking on ".example.com.pl".

Again, this would be happening AFTER the SA scan, so SA can't see it.

IN SUMMARY:

None of these (except *maybe* the last one) actually should match your 
blacklist_from directives or header rules, because what you're trying to 
match (apparently a local domain) is being added to From headers by 
something local that acts after the SA scan. Generally speaking, that 
sort of tactic is a misguided effort to use a MTA and/or delivery agent 
to "fix" a problem caused by other software generating bogus unqualified 
addresses, and the proper solution is to just stop doing it and instead 
fix the source of the problem.
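To make the explanation above concrete, here is an added Python model of the rewrite Bill Cole describes. It is not code from this thread and not Postfix's or amavisd-new's code: it is a hypothetical reconstruction of a qualifier that splits a From header on commas and whitespace and tacks the local domain onto every bare word, with the four header rules from the original post applied to each header before and after the rewrite. The "original" From headers are Bill's reconstructions; the local parts (sender@, voicemail@) are placeholders because the thread elides the real ones. The last sample shows the same rewrite leaving a properly quoted display name untouched, which is why fixing the source is the right answer.

```python
import re

LOCAL_DOMAIN = "example.com.pl"   # the obfuscated local domain from the thread

# The four header rules from the original post, as Python regexes
# (SpamAssassin evaluates them against the same From header text).
RULES = {
    "BLOKOWANIE_EXAMPLE_COM":  re.compile(r"example.com\.pl", re.I),
    "BLOKOWANIE_EXAMPLE_COM1": re.compile(r".*example.com.pl\.*", re.I),
    "BLOKOWANIE_EXAMPLE_COM2": re.compile(r"example\.com", re.I),
    "BLOKOWANIE_EXAMPLE_COM3": re.compile(r".*example\.com\.pl.*", re.I),
}

# RFC 5322 dot-atom; a bare word that is not one must be quoted to become a
# local part, which is how "Co." ended up as "Co."@example.com.pl in sample 01.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = re.compile(rf"{_ATEXT}(?:\.{_ATEXT})*")

# Constructed samples: Bill Cole's reconstructions of the original headers,
# with placeholder local parts where the thread elides them.
SAMPLES = {
    "01": "Korea Uni Com Co., Ltd. <sender@koreaunicom.co.kr>",
    "02": "Bell, Martin <sender@puresmileborehamwood.co.uk>",
    "03": "Donna Perry|Accounting Manager, khalid@premiersintl.com",
    "04": '"ShoreWare Voice Mail" <voicemail@CC-ShoreTel>',
    "ok": '"Korea Uni Com Co., Ltd." <sender@koreaunicom.co.kr>',
}


def split_top_level_commas(header):
    """Split an address list on commas outside quotes and angle brackets."""
    items, buf, quoted, depth = [], [], False, 0
    for ch in header:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "<":
            depth += 1
        elif not quoted and ch == ">":
            depth -= 1
        if ch == "," and not quoted and depth == 0:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        items.append("".join(buf).strip())
    return [i for i in items if i]


def qualify_addr_spec(spec, domain):
    """Append @domain to a bare local part, or .domain to a dotless hostname
    (the CC-ShoreTel -> CC-ShoreTel.example.com.pl case in sample 04)."""
    if "@" not in spec:
        return f"{spec}@{domain}"
    local, host = spec.rsplit("@", 1)
    if "." not in host:
        return f"{local}@{host}.{domain}"
    return spec


def naive_masquerade(header, domain=LOCAL_DOMAIN):
    """Hypothetical model of the post-scan rewrite seen in the thread: an item
    with an angle-addr keeps its display name and gets only the addr-spec
    qualified; an item without one has every whitespace-separated word
    treated as a bare local part. Not any real MTA's code."""
    out = []
    for item in split_top_level_commas(header):
        m = re.search(r"<([^>]*)>", item)
        if m:
            display = item[:m.start()].rstrip()
            spec = qualify_addr_spec(m.group(1), domain)
            out.append(f"{display} <{spec}>" if display else f"<{spec}>")
            continue
        for word in item.split():
            if "@" in word:
                out.append(qualify_addr_spec(word, domain))
            elif _DOT_ATOM.fullmatch(word):
                out.append(f"{word}@{domain}")
            else:
                out.append(f'"{word}"@{domain}')
    return ", ".join(out)


def matching_rules(from_header):
    """Names of the user's rules that fire on this From header text."""
    return sorted(name for name, rx in RULES.items() if rx.search(from_header))


def demo():
    """Per sample: (rules SA sees at scan time, rules on the delivered header, header)."""
    result = {}
    for key, original in SAMPLES.items():
        mangled = naive_masquerade(original)
        result[key] = (matching_rules(original), matching_rules(mangled), mangled)
    return result


if __name__ == "__main__":
    for key, (before, after, mangled) in demo().items():
        print(f"{key}: at scan {before}  delivered {after}\n    {mangled}")
```

Run it as a script and the "at scan" column is empty for every sample while the "delivered" column lists all four rules: SpamAssassin, running inside the amavisd-new stage, only ever sees the left column, so the rules cannot fire on what the mailbox later shows. It also explains the telnet reproduction at the top of the thread, which injected the already-mangled From header, so SA saw it and matched. Two smaller points on the rules themselves: the unescaped dot in `example.com\.pl` matches any character, and `\.*` in BLOKOWANIE_EXAMPLE_COM1 means zero or more literal dots, which is almost certainly meant to be `.*`; neither changes the result here, but both are worth fixing.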