Posted to users@spamassassin.apache.org by @lbutlr, kr...@kreme.com on 2019/04/01 23:11:08 UTC

Amazon continues to get tagged as spam

I have whitelisted amazon in /usr/local/etc/mail/spamassassin/local.cf

whitelist_auth *@*.amazon.com
whitelist_auth *@amazon.com
whitelist_from *@bounces.amazon.com
whitelist_from order-update@amazon.com
whitelist_from_rcvd @amazon.com amazon.com
whitelist_from_rcvd @amazon.com amazonses.com

Seems this last should have matched the received header below, but it doesn't.

pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
                         no trust
                        [54.240.13.15 listed in list.dnswl.org]
3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                        [score: 1.0000]
0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                        [score: 1.0000]
1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all
                        mail and suggests discarding the rest
0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                        valid
0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required
                        MIME headers
0.1 DKIM_INVALID           DKIM

BAYES_HT	0.030-+--sk:_______
BAYES_ST	0.993-1--sk:112-489, 0.993-1--11248911789733852, 0.993-1--Hx-languages-length:1432, 0.993-1--sk:112489, 0.993-1--112-4891178-9733852, 0.987-1--lkr_804_us, 0.987-1--hedwig_ppp_collected_email_order, 0.987-1--hedwig_ppp_collected_email_invoice, 0.987-1--HX-AMAZON-METADATA:sk:C35VGVQ, 0.987-1--hedwig_ppp_collected_email_tax, 0.974-+--HTo:U*ebay, 0.957-+--H*MI:000000, 0.953-+--H*Ad:U*ebay, 0.951-+--H*MI:amazonses, 0.947-+--H*M:000000, 0.940-+--H*M:amazonses, 0.940-+--HFeedback-ID:AmazonSES, 0.921-9--H*F:D*amazon.com, 0.920-+--HX-AMAZON-MAIL-RELAY-TYPE:notification, 0.920-+--HX-Original-MessageID:sk:urn.rtn, 0.919-+--ref_, 0.917-+--Amazoncom, 0.916-+--Amazon.com, 0.912-+--H*M:sk:0100016, 0.910-+--UD:Amazon.com, 0.900-+--H*MI:sk:0100016, 0.897-+--HFeedback-ID:sk:1.us-ea, 0.888-+--sk:notific, 0.875-+--amazonses.com, 0.875-+--UD:amazonses.com, 0.875-+--amazonsescom, 0.846-3--H*ct:PHrt

headers:

X-Envelope-From: <*s...@bounces.amazon.com>
Received: from a13-15.smtp-out.amazonses.com (a13-15.smtp-out.amazonses.com [54.240.13.15])... 
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=eaxkvsyelrnxjh4cicqyjjmtjpetuwjx; d=amazon.com; t=1554046875;
	h=From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Date;
	bh=tyEE1tloF3KLKi7PqHu/WpkOBsy/z9v37qjJXqknyKo=;
	b=eeZ4NQ7Ywg6gcKJCO1qQDvTMzb5CLjtfIjHXUTWSxpmOQ4ENhB1mwb9EmSFM1pMY
	rsyYD1aEjhmZbwKKHAvDYVoV0F4EtQNZxysiJ4kSX38V4i2I7nJG4lH1IuO7Na4E2a5
	n62x5lBBcgimkT3PliDVpq9cRW8npDB0A4kucxxI=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1554046875;
	h=From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID;
	bh=tyEE1tloF3KLKi7PqHu/WpkOBsy/z9v37qjJXqknyKo=;
	b=DV5VVyKT71xN/Nl6cWMxm/7A60ohBK690Xy5Yfk+Jrr/PXspVGeqCBCsLc1vs7VQ
	eMocVzR4qB6HC0u7VgbDpdMdy8vofbkqp4pFOTnW2YbOYpGsBRkPKjZe67qTV3LXvdB
	gwrxFDWw6oEFSAwILi1mp2UuyLXKsno1n/SgQM3E=
From: "Amazon.com" <or...@amazon.com>


Re: Amazon continues to get tagged as spam

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 2 Apr 2019, at 09:49, @lbutlr <kr...@kreme.com> wrote:
>> Ah, yes, Good point.
>
>Maybe it will work now, I ran the message from two days ago through spamc and got:
>
>X-Spam-Status: No, score=-94.6 required=5.0 tests=BAYES_99,BAYES_999,
>        DKIM_ADSP_ALL,DKIM_INVALID,DKIM_SIGNED,MIME_HEADER_CTYPE_ONLY,
>        RCVD_IN_DNSWL_NONE,USER_IN_WHITELIST autolearn=no autolearn_force=no
>        version=3.4.2
>X-Spam-Report:
>        * -100 USER_IN_WHITELIST From: address is in the user's white-list
>        *  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
>        *      [score: 0.9999]
>        *  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>        *      [score: 0.9999]
>        * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
>        *      https://www.dnswl.org/, no trust
>        *      [54.240.13.1 listed in list.dnswl.org]
>        *  0.8 DKIM_ADSP_ALL No valid author signature, domain signs all mail
>        *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>        *       valid
>        *  0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
>        *  0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required
>        *      MIME headers
>
>So there it has picked up the whitelist. I will await the next delivery notification and see what happens.
>
>I did update several packages on my FreeBSD install.

On 02.04.19 10:08, @lbutlr wrote:
>Could this be an issue in how SpamAssassin-milter and SpamAssassin interact? Like the filter not picking up the local.cf file?

spamass-milter can make spamd use receiving user's user_prefs if you use
"-u defaultuser" option. When there are multiple receiving users, the
"defaultuser" is used. Can't user_prefs clear whitelists?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.

Re: Amazon continues to get tagged as spam

Posted by "@lbutlr" <kr...@kreme.com>.
On 2 Apr 2019, at 09:49, @lbutlr <kr...@kreme.com> wrote:
> Ah, yes, Good point.

Maybe it will work now, I ran the message from two days ago through spamc and got:

X-Spam-Status: No, score=-94.6 required=5.0 tests=BAYES_99,BAYES_999,
        DKIM_ADSP_ALL,DKIM_INVALID,DKIM_SIGNED,MIME_HEADER_CTYPE_ONLY,
        RCVD_IN_DNSWL_NONE,USER_IN_WHITELIST autolearn=no autolearn_force=no
        version=3.4.2
X-Spam-Report: 
        * -100 USER_IN_WHITELIST From: address is in the user's white-list
        *  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
        *      [score: 0.9999]
        *  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
        *      [score: 0.9999]
        * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
        *      https://www.dnswl.org/, no trust
        *      [54.240.13.1 listed in list.dnswl.org]
        *  0.8 DKIM_ADSP_ALL No valid author signature, domain signs all mail
        *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
        *       valid
        *  0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
        *  0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required
        *      MIME headers

So there it has picked up the whitelist. I will await the next delivery notification and see what happens.

I did update several packages on my FreeBSD install.

Could this be an issue in how SpamAssassin-milter and SpamAssassin interact? Like the filter not picking up the local.cf file?


-- 
Over 3,500 gay marriages and, what, no hellfire? I was promise hellfire.
And riots. What gives? -- Mark Morford



Re: Amazon continues to get tagged as spam

Posted by "@lbutlr" <kr...@kreme.com>.
On 2 Apr 2019, at 07:10, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> you can pass the same mail through SA after delivery, to see if anything
> changed. Can't you?

Ah, yes, Good point.



-- 
"He is not only dull himself; he is the cause of dullness in others."
Samuel Johnson



Re: Amazon continues to get tagged as spam

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 2 Apr 2019, at 03:52, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> whitelist_from_rcvd @amazon.com amazonses.com should apparently be:
>> whitelist_from_rcvd *@amazon.com amazonses.com

On 02.04.19 04:11, @lbutlr wrote:
>I'll try that.

>> and why doesn't whitelist_from order-update@amazon.com
>> work could be shown in SA debug mode.

>But I'd have to run SA in debug ahead of the emails.

you can pass the same mail through SA after delivery, to see if anything
changed. Can't you?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...

Re: Amazon continues to get tagged as spam

Posted by "@lbutlr" <kr...@kreme.com>.
On 2 Apr 2019, at 03:52, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> whitelist_from_rcvd @amazon.com amazonses.com should apparently be:
> whitelist_from_rcvd *@amazon.com amazonses.com

I'll try that.

> and why doesn't whitelist_from order-update@amazon.com
> work could be shown in SA debug mode.

But I'd have to run SA in debug ahead of the emails.

> (maybe you put it there after the mail came?)

No, I added it 4 or 5 days ago and the email was from yesterday.


-- 
I WILL NOT GREASE THE MONKEY BARS Bart chalkboard Ep. 7F17




Re: Amazon continues to get tagged as spam

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 1 Apr 2019, at 17:58, David B Funk <db...@engineering.uiowa.edu> wrote:
>> There's something wrong with your mail system which is trashing not only
>> your DKIM processing but your SPF processing too.

On 02.04.19 03:14, @lbutlr wrote:
>OK, but the whitelist is still not working and should be applying a -100
> score, so the DKIM and SPF issues would stillness immanuel to tag the
> email.

whitelisting does not apply
- the DKIM fails, so whitelist_auth doesn't apply

whitelist_from_rcvd @amazon.com amazonses.com 
should apparently be:
whitelist_from_rcvd *@amazon.com amazonses.com

and why doesn't whitelist_from order-update@amazon.com
work could be shown in SA debug mode.
(maybe you put it there after the mail came?)



-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95
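
An added example, not part of the original thread and not SpamAssassin's own code: a simplified Python model of how the `whitelist_auth` and `whitelist_from_rcvd` entries discussed above are evaluated, showing why the `@amazon.com` pattern misses and the `*@amazon.com` form hits. The From: address is constructed (the page redacts the real one), and `auth_ok=False` stands for the failed DKIM/SPF results reported in the thread.

```python
import re

def addr_matches(pattern, address):
    """SpamAssassin-style address glob: only * and ? are special, and the
    whole address must match (anchored, case-insensitive)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, address, re.IGNORECASE) is not None

def rdns_matches(domain, rdns):
    """The relay's rDNS must equal the domain or end in '.' + domain."""
    rdns, domain = rdns.lower().rstrip("."), domain.lower()
    return rdns == domain or rdns.endswith("." + domain)

def evaluate(config_lines, from_addr, relay_rdns, auth_ok):
    """Return {config line: (hit, reason)} for whitelist_auth and
    whitelist_from_rcvd entries; other directives are ignored."""
    out = {}
    for line in config_lines:
        f = line.split()
        if len(f) == 2 and f[0] == "whitelist_auth":
            if not addr_matches(f[1], from_addr):
                out[line] = (False, "address pattern does not match")
            elif not auth_ok:
                out[line] = (False, "no valid DKIM/SPF result for the sender")
            else:
                out[line] = (True, "address matches and sender is authenticated")
        elif len(f) == 3 and f[0] == "whitelist_from_rcvd":
            if not addr_matches(f[1], from_addr):
                hint = " (no local part; use *@...)" if f[1].startswith("@") else ""
                out[line] = (False, "address pattern does not match" + hint)
            elif not rdns_matches(f[2], relay_rdns):
                out[line] = (False, "relay rDNS is outside " + f[2])
            else:
                out[line] = (True, "address and relay rDNS both match")
    return out

# Entries from the thread, plus the corrected form suggested in the reply.
CONFIG = [
    "whitelist_auth *@*.amazon.com",
    "whitelist_auth *@amazon.com",
    "whitelist_from_rcvd @amazon.com amazon.com",
    "whitelist_from_rcvd @amazon.com amazonses.com",
    "whitelist_from_rcvd *@amazon.com amazonses.com",
]
FROM_ADDR = "notice@amazon.com"  # constructed; the real From: is redacted on the page
RELAY_RDNS = "a13-15.smtp-out.amazonses.com"  # from the Received: header in the thread

if __name__ == "__main__":
    results = evaluate(CONFIG, FROM_ADDR, RELAY_RDNS, auth_ok=False)
    for line, (hit, why) in results.items():
        print(("HIT  " if hit else "MISS ") + line + " -> " + why)
```
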

Re: Amazon continues to get tagged as spam

Posted by "@lbutlr" <kr...@kreme.com>.
On 2 Apr 2019, at 03:14, @lbutlr <kr...@kreme.com> wrote:
>  stillness immanuel to tag the email.

Sorry, not sure what happened there. I think I meant to type "would still not have the impact to tag the email" or something like that.


-- 
Wife: Who are you talking to?
Husb: [on phone] Jon
Wife: Aren't you going to talk to me?
Husb: I talked to you at dinner, do I need to talk to you again?



Re: Amazon continues to get tagged as spam

Posted by "@lbutlr" <kr...@kreme.com>.
On 1 Apr 2019, at 17:58, David B Funk <db...@engineering.uiowa.edu> wrote:
> 
> There's something wrong with your mail system which is trashing not only your DKIM processing but your SPF processing too.

OK, but the whitelist is still not working and should be applying a -100 score, so the DKIM and SPF issues would stillness immanuel to tag the email.



-- 
-=>
<http://xkcd.com/241/>
<http://xkcd.com/304/>
<http://xkcd.com/635/>
<=-



Re: Amazon continues to get tagged as spam

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 1 Apr 2019, @lbutlr wrote:

> I have whitelisted amazon in /usr/local/etc/mail/spamassassin/local.cf
>
> whitelist_auth *@*.amazon.com
> whitelist_auth *@amazon.com
> whitelist_from *@bounces.amazon.com
> whitelist_from order-update@amazon.com
> whitelist_from_rcvd @amazon.com amazon.com
> whitelist_from_rcvd @amazon.com amazonses.com
>
> Seems this last should have matched the received header below, but it doesn't.
>
> pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
>                         no trust
>                        [54.240.13.15 listed in list.dnswl.org]
> 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                        [score: 1.0000]
> 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                        [score: 1.0000]
> 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all
>                        mail and suggests discarding the rest
> 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
>                        valid
> 0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required
>                        MIME headers
> 0.1 DKIM_INVALID           DKIM

There's something wrong with your mail system which is trashing not only your 
DKIM processing but your SPF processing too.

In the normal course of things, those Amazon messages should pass both DKIM and 
SPF checks.

An Amazon message received here looks like:

pts rule name              description
---- ---------------------- ------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                             trust
                             [54.240.15.92 listed in list.dnswl.org]
  0.0 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
                         [54.240.15.92 listed in hostkarma.junkemailfilter.com]
  0.0 T__BOTNET_NOTRUST      Message has no trusted relays
-0.0 SPF_PASS               SPF: sender matches SPF record
  0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
       [botnet_ipinhosntame,ip=54.240.15.92,rdns=a15-92.smtp-out.amazonses.com]
  0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
        [botnet_serverwords,ip=54.240.15.92,rdns=a15-92.smtp-out.amazonses.com]
-7.5 USER_IN_DEF_SPF_WL     From: address is in the default SPF white-list
-7.5 USER_IN_DEF_DKIM_WL    From: address is in the default DKIM white-list
  0.0 HTML_MESSAGE           BODY: HTML included in message
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                             domain

Note both the DKIM_VALID,DKIM_VALID_AU and SPF_PASS
It hit both USER_IN_DEF_SPF_WL & USER_IN_DEF_DKIM_WL which are standard SA rules, I didn't add those.

Bottom line, what is going on with your system which is causing DKIM & SPF to fail?

Does it fail for other properly signed messages or only fail for Amazon?

If you post a complete unaltered Amazon message on pastebin we can take a crack 
at it. (only post something which you can publish without redaction, any 
alterations will invalidate the DKIM sig).

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Amazon continues to get tagged as spam

Posted by Dave Warren <dw...@thedave.ca>.
On 2019-04-02 06:01, RW wrote:
> On Mon, 01 Apr 2019 20:14:13 -0400
> Dave Warren wrote:
> 
> 
>>> 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs
>>> all mail and suggests discarding the rest
>>
>>
>> This is a bit odd too, I don't see ADSP records on Amazon's
>> various .com domains (although there is one on at least one
>> country-specific domain, but I only see .com in the pasted header).
>>
>> Perhaps someone else can comment if SpamAssassin overloads the
>> DKIM_ADSP_DISCARD rule with other meanings beyond literal ADSP
>> records? I don't have a good way to read through the .cf files from
>> this location.
> 
> 
> There are overrides in 60_adsp_override_dkim.cf. They were put there
> to give  ADSP rules something to work with until ADSP caught on, which
> it never really did.
> 

Ahh. Well that's unfortunate, it really should note that it failed an 
invented test -- Or better yet, consider dropping the whole thing now 
that DMARC has replaced what ADSP tried to accomplish.

Re: Amazon continues to get tagged as spam

Posted by RW <rw...@googlemail.com>.
On Mon, 01 Apr 2019 20:14:13 -0400
Dave Warren wrote:


> > 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs
> > all mail and suggests discarding the rest  
> 
> 
> This is a bit odd too, I don't see ADSP records on Amazon's
> various .com domains (although there is one on at least one
> country-specific domain, but I only see .com in the pasted header).
> 
> Perhaps someone else can comment if SpamAssassin overloads the
> DKIM_ADSP_DISCARD rule with other meanings beyond literal ADSP
> records? I don't have a good way to read through the .cf files from
> this location.


There are overrides in 60_adsp_override_dkim.cf. They were put there
to give  ADSP rules something to work with until ADSP caught on, which
it never really did.

Re: Amazon continues to get tagged as spam

Posted by Dave Warren <dw...@thedave.ca>.
On Mon, Apr 1, 2019, at 17:11, @lbutlr wrote:
> 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                         [score: 1.0000]
> 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                         [score: 1.0000]

These two are both a bit of a bad sign, this indicates that the bayes system is very *very* sure that this message is spam. While this shouldn't override whitelisting, I would probably investigate the training methods being used here.


> 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all
>                         mail and suggests discarding the rest


This is a bit odd too, I don't see ADSP records on Amazon's various .com domains (although there is one on at least one country-specific domain, but I only see .com in the pasted header).

Perhaps someone else can comment if SpamAssassin overloads the DKIM_ADSP_DISCARD rule with other meanings beyond literal ADSP records? I don't have a good way to read through the .cf files from this location.