Posted to users@spamassassin.apache.org by Quanah Gibson-Mount <qu...@zimbra.com> on 2013/08/15 21:05:00 UTC

RP_MATCHES_RCVD letting in SPAM

Some of our users are getting a ton of SPAM from .br domains.  If it 
weren't for RP_MATCHES_RCVD they would actually end up in their junk folder 
rather than their Inbox.  Is there a general suggested adjustment I can 
make to catch these without tweaking RP_MATCHES_RCVD?

Return-Path: self@uptop.com.br
Received: from edge01-zcs.vmware.com (LHLO edge01-zcs.vmware.com)
 (10.113.208.51) by mbs03-zcs.vmware.com with LMTP; Thu, 15 Aug 2013
 11:27:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by edge01-zcs.vmware.com (Postfix) with ESMTP id A8C1A1931;
	Thu, 15 Aug 2013 11:27:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge01-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.069
X-Spam-Level: **
X-Spam-Status: No, score=2.069 tagged_above=-10 required=3
	tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1, HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001,
	LOTS_OF_MONEY=0.001, RP_MATCHES_RCVD=-1.344,
	T_KHOP_FOREIGN_CLICK=0.01] autolearn=no
Authentication-Results: edge01-zcs.vmware.com (amavisd-new);
	dkim=pass (1024-bit key) header.d=uptop.com.br
Received: from edge01-zcs.vmware.com ([127.0.0.1])
	by localhost (edge01-zcs.vmware.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id vjdqouuXTjs0; Thu, 15 Aug 2013 11:27:15 -0700 (PDT)
Received: from vmta31.uptop.com.br (vmta31.uptop.com.br [5.135.117.31])
	by edge01-zcs.vmware.com (Postfix) with ESMTP id 5502699B
	for <xx...@zimbra.com>; Thu, 15 Aug 2013 11:27:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=upkey; d=uptop.com.br;
 h=To:Subject:Message-ID:Date:From:Reply-To:MIME-Version:List-Unsubscribe:Con
tent-Type:Content-Transfer-Encoding; 
i=auth@uptop.com.br;
 bh=T9iP2DjK/6AQ4Vs6z6J5Ns129Jg=;
 b=FmrfkS17Bdb5zaJItp0+1hdmmlIoC8TXdgt/Z1/8/dPdT5K5yBka+jdLfLWKiJhR18koFcHgBl
f2
 
5p9CbRL25dr012hmqmgH5O/auyGb2HGHNxmAv5GgthtRuCTynO2oyUJ1Ykz/fQ6wnvsReynaz8oi
   pj4Oy7qviqGVdBzZZ4c=
To: xxxx@zimbra.com
Subject: 
=?UTF-8?B?QW5pdmVyc8OhcmlvIExhIEN1aXNpbmU6IDEwJSsxMCUgZGUgRGVzY29udG8gcGFyYSBWb2PDqiA=?=
Message-ID: <32...@www.uptop.com.br>
Date: Thu, 15 Aug 2013 15:08:05 -0300
From: "=?UTF-8?B?U2hvcHRpbWUuY29tLmJyIC0gTcOtZGlhTWFpbA==?=" 
<ma...@uptop.com.br>
Reply-To: mail@uptop.com.br
MIME-Version: 1.0
X-Mailer-LID: 3
List-Unsubscribe: 
<http://www.uptop.com.br/unsubscribe.php?M=1938765&C=b8da7e6dcf057fc02a0cb072c0312e6f&L=3&N=379>
X-Mailer-RecptId: 1938765
X-Mailer-SID: 379
X-Mailer-Sent-By: 1
Content-Type: multipart/alternative; charset="UTF-8"; 
boundary="b1_bb546d207080f5562bf4cdc2c79bfd11"
Content-Transfer-Encoding: 8bit


--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Re: RP_MATCHES_RCVD letting in SPAM

Posted by Benny Pedersen <me...@junc.eu>.
John Hardin wrote on 2013-08-15 21:41:

> the score noticeably. It's intended to be used in metas with other
> rules that make a mention of a large amount of money suspicious.

Also why I used soft blacklists. I have not seen the real problem yet, 
but IMHO anyone can soft-adjust scores if needed, or even make more 
specific rules to detect spam locally. I missed checking whether the mails 
were really from a mailing list with the "opt-out" problem; only the 
recipient can tell.

Re: RP_MATCHES_RCVD letting in SPAM

Posted by John Hardin <jh...@impsec.org>.
On Thu, 15 Aug 2013, Benny Pedersen wrote:

> meta LOTS_OF_MONEY (3) (3) (3) (3)

I *do not recommend* doing that. There is a lot of legitimate email that 
mentions large monetary amounts (e.g. a newsletter discussing the US 
budget deficit). That rule's score is informational on purpose, so that 
the description will appear in the rule hits without affecting the score 
noticeably. It's intended to be used in metas with other rules that make a 
mention of a large amount of money suspicious.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Maxim IX: Never turn your back on an enemy.
-----------------------------------------------------------------------
  Today: the 68th anniversary of the end of World War II

Re: RP_MATCHES_RCVD letting in SPAM

Posted by Joe Acquisto-j4 <jo...@j4computers.com>.
>>> On 8/19/2013 at 6:54 PM, John Hardin <jh...@impsec.org> wrote:
> On Mon, 19 Aug 2013, Joe Acquisto-j4 wrote:
> 
>> So, I have this in my /etc/mail/spamassassin/local.cf:
>>
>> score RP_MATCHES_RCVD 0
>>
>> Yet, even after restart of spamd, mail comes thru with a -2.8.
> 
> I assume you mean by that, RP_MATCHES_RCVD is still hitting and scoring 
> points?

You assume correctly, Sir.

> 
>> What should I look at?
> 
> Silly question: are you using Amavis?

No. The ISP is, though.

> Are you sure that spamd is using that configuration file?

I thought so, as I put in the PW_IS_BAD_TLD rule someone on list provided,
but now I see it is scoring 3.0, while I have it set to 4.0 in the config I think
it is using.

Has PW_IS_BAD_TLD been incorporated into the base rule set?

I guess I need to dig in and refresh myself on where the config file to use
is defined.

joe a.

>> I know other stuff is read as I changed trusted and local network IP's 
>> and had a typo in one.  lint called me out on it.
> 
> The command-line SA environment is not necessarily the same environment as 
> the daemon uses.
> 

Re: RP_MATCHES_RCVD letting in SPAM

Posted by John Hardin <jh...@impsec.org>.
On Mon, 19 Aug 2013, Joe Acquisto-j4 wrote:

> So, I have this in my /etc/mail/spamassassin/local.cf:
>
> score RP_MATCHES_RCVD 0
>
> Yet, even after restart of spamd, mail comes thru with a -2.8.

I assume you mean by that, RP_MATCHES_RCVD is still hitting and scoring 
points?

> What should I look at?

Silly question: are you using Amavis?

Are you sure that spamd is using that configuration file?

> I know other stuff is read as I changed trusted and local network IP's 
> and had a typo in one.  lint called me out on it.

The command-line SA environment is not necessarily the same environment as 
the daemon uses.


Re: RP_MATCHES_RCVD letting in SPAM

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 19.08.13 18:23, Joe Acquisto-j4 wrote:
>So, I have this in my /etc/mail/spamassassin/local.cf:

is that the same as /etc/spamassassin/local.cf?

>score RP_MATCHES_RCVD 0
>
>Yet, even after restart of spamd, mail comes thru with a -2.8.
>
>What should I look at?
>
>I know other stuff is read as I changed trusted and local network IP's and had a typo in one.  lint called me out on it.

What happens when you pipe a mail into "spamassassin -D"?
What does "spamassassin --lint" produce?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
I wonder how much deeper the ocean would be without sponges. 

Re: RP_MATCHES_RCVD letting in SPAM

Posted by Joe Acquisto-j4 <jo...@j4computers.com>.
So, I have this in my /etc/mail/spamassassin/local.cf:

score RP_MATCHES_RCVD 0

Yet, even after restart of spamd, mail comes thru with a -2.8.

What should I look at?

I know other stuff is read as I changed trusted and local network IP's and had a typo in one.  lint called me out on it.  

joe a.


Re: RP_MATCHES_RCVD letting in SPAM

Posted by Quanah Gibson-Mount <qu...@zimbra.com>.
--On Thursday, August 15, 2013 10:07 PM +0200 Benny Pedersen wrote:

> Quanah Gibson-Mount wrote on 2013-08-15 21:25:
>>
>> Hm, that won't catch our other BR spam though. :(
>
>> List-Unsubscribe:
>>
>> <http://www.registraclique.com.br/iem/unsubscribe.php?M=1531174&C=77d064
>> e695a19edb4155caf4c244402a&L=11&N=72>
>
> unsubscribe ?
>
> if recipient was not opt-in then block sender domain with mta rule, don't
> accept "opt-out" !

Thanks Benny, I will just blacklist them.

--Quanah


Re: RP_MATCHES_RCVD letting in SPAM

Posted by Benny Pedersen <me...@junc.eu>.
Quanah Gibson-Mount wrote on 2013-08-15 21:25:
>
> Hm, that won't catch our other BR spam though. :(

> List-Unsubscribe:
> 
> <http://www.registraclique.com.br/iem/unsubscribe.php?M=1531174&C=77d064e695a19edb4155caf4c244402a&L=11&N=72>

Unsubscribe?

If the recipient was not opted in, then block the sender domain with an MTA 
rule; don't accept "opt-out"!

Re: RP_MATCHES_RCVD letting in SPAM

Posted by Quanah Gibson-Mount <qu...@zimbra.com>.
--On Thursday, August 15, 2013 12:21 PM -0700 Quanah Gibson-Mount 
<qu...@zimbra.com> wrote:

> --On Thursday, August 15, 2013 9:16 PM +0200 Benny Pedersen <> wrote:
>
>> Quanah Gibson-Mount wrote on 2013-08-15 21:05:
>>> Some of our users are getting a ton of SPAM from .br domains.  If it
>>> weren't for RP_MATCHES_RCVD they would actually end up in their junk
>>> folder rather than their Inbox.  Is there a general suggested
>>> adjustment I can make catch these without tweaking RP_MATCHES_RCVD?
>>
>> meta LOTS_OF_MONEY (3) (3) (3) (3)
>> meta RP_MATCHES_RCVD (1) (1) (1) (1)
>
> Perfect, thanks!

Hm, that won't catch our other BR spam though. :(

Return-Path: retorno@registraclique.com.br
Received: from edge01-zcs.vmware.com (LHLO edge01-zcs.vmware.com)
 (10.113.208.51) by mbs03-zcs.vmware.com with LMTP; Thu, 15 Aug 2013
 11:15:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by edge01-zcs.vmware.com (Postfix) with ESMTP id CB83A1968;
	Thu, 15 Aug 2013 11:15:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge01-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.833
X-Spam-Level: **
X-Spam-Status: No, score=2.833 tagged_above=-10 required=3
	tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, HTML_IMAGE_RATIO_04=0.556,
	HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.344, T_DKIM_INVALID=0.01,
	T_KHOP_FOREIGN_CLICK=0.01] autolearn=no
Authentication-Results: edge01-zcs.vmware.com (amavisd-new); dkim=neutral
	reason="invalid (public key: not available)"
	header.d=registraclique.com.br
Received: from edge01-zcs.vmware.com ([127.0.0.1])
	by localhost (edge01-zcs.vmware.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Qup1pMAcaDgg; Thu, 15 Aug 2013 11:15:53 -0700 (PDT)
Received: from registraclique.com.br (s175.registraclique.com.br 
[141.105.64.175])
	by edge01-zcs.vmware.com (Postfix) with ESMTPS id 90F8A1940
	for <xx...@zimbra.com>; Thu, 15 Aug 2013 11:15:52 -0700 (PDT)
Received: by registraclique.com.br (Postfix, from userid 0)
	id 2BAEB8860B8; Thu, 15 Aug 2013 10:22:21 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
	d=registraclique.com.br; s=default; t=1376590475;
	bh=nUoQ44WhTVHL4zF0mcmuHnMTLjLNO1sgscswqFRg/0g=;
	h=To:Subject:Date:From:Reply-To:List-Unsubscribe;
	b=ovlYK4eRDyhcbVMwLbd+TqVjdXO2pwQyko4Kc0FKjdan2k8tz9uO6y2633kIBG+fb
	 NJLigYccPUTrD/2B6MYTgWzXulw8pQtVbXSKnuzXAq0pZmwx5a+jXiVJOWH8gsW1e7
	 FW+Qaxu0aIrmfOkPLOzGHALhLkg8JIxWLiAbe/lE=
To: xxxxx@zimbra.com
Subject: Fale Ilimitado Com Todo O Brasil Por R$19,90!
Message-ID: <35...@www.registraclique.com.br>
Date: Thu, 15 Aug 2013 09:16:29 -0400
From: "=?UTF-8?B?Q2xhcm8gRmFsZSDDoCBWb250YWRl?=" 
<co...@registraclique.com.br>
Reply-To: contato@registraclique.com.br
MIME-Version: 1.0
X-Mailer-LID: 11
List-Unsubscribe: 
<http://www.registraclique.com.br/iem/unsubscribe.php?M=1531174&C=77d064e695a19edb4155caf4c244402a&L=11&N=72>
X-Mailer-RecptId: 1531174
X-Mailer-SID: 72
X-Mailer-Sent-By: 1
Content-Type: multipart/alternative; charset="UTF-8"; 
boundary="b1_bb3d14c03992adb6a28e84dfa3fb4b7d"
Content-Transfer-Encoding: 8bit

--b1_bb3d14c03992adb6a28e84dfa3fb4b7d
Content-Type: text/plain; format=flowed; charset="UTF-8"
Content-Transfer-Encoding: 8bit


Re: RP_MATCHES_RCVD letting in SPAM

Posted by Quanah Gibson-Mount <qu...@zimbra.com>.
--On Thursday, August 15, 2013 9:16 PM +0200 Benny Pedersen <> wrote:

> Quanah Gibson-Mount wrote on 2013-08-15 21:05:
>> Some of our users are getting a ton of SPAM from .br domains.  If it
>> weren't for RP_MATCHES_RCVD they would actually end up in their junk
>> folder rather than their Inbox.  Is there a general suggested
>> adjustment I can make catch these without tweaking RP_MATCHES_RCVD?
>
> meta LOTS_OF_MONEY (3) (3) (3) (3)
> meta RP_MATCHES_RCVD (1) (1) (1) (1)

Perfect, thanks!

--Quanah


Re: RP_MATCHES_RCVD letting in SPAM

Posted by Benny Pedersen <me...@junc.eu>.
Quanah Gibson-Mount wrote on 2013-08-15 21:05:
> Some of our users are getting a ton of SPAM from .br domains.  If it
> weren't for RP_MATCHES_RCVD they would actually end up in their junk
> folder rather than their Inbox.  Is there a general suggested
> adjustment I can make catch these without tweaking RP_MATCHES_RCVD?

meta LOTS_OF_MONEY (3) (3) (3) (3)
meta RP_MATCHES_RCVD (1) (1) (1) (1)

Re: RP_MATCHES_RCVD letting in SPAM

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Matus UHLAR - fantomas wrote on 2013-08-15 22:33:
>
>>score RP_MATCHES_RCVD 0
>
>hard scoring
>
>>there is __RP_MATCHES_RCVD that has to be used in metas. I don't see any
>>point in giving positive score to mail just because it's not any kind of
>>forged...

On 15.08.13 22:41, Benny Pedersen wrote:
>__foo have no scores, no point in setting it, well if rules gives 
>negative scores for spam it would make sense to add (softblacklist) 
>that rule until its detected as spam, or create another rule so it 
>works specific to the spam
>
>with hard scoring one loses corpus scoring from apache.org :)

I have said it already: there's no point in decreasing the score just because
the sender domain is the same as the mail server.  That's why I set
RP_MATCHES_RCVD to 0 so it will not hit.

If anyone wants to use this in meta rules, we have __RP_MATCHES_RCVD (with a
default score of 0) for such usage.

Since RP_MATCHES_RCVD has a score of 0, it won't hit any metas, since it's
disabled by setting the score to 0.


Re: RP_MATCHES_RCVD letting in SPAM

Posted by Benny Pedersen <me...@junc.eu>.
Matus UHLAR - fantomas wrote on 2013-08-15 22:33:

> score RP_MATCHES_RCVD 0

Hard scoring.

> there is __RP_MATCHES_RCVD that has to be used in metas. I don't see any
> point in giving positive score to mail just because it's not any kind of
> forged...

__foo rules have no scores, so there is no point in setting one. Well, if a 
rule gives negative scores to spam it would make sense to add (soft-blacklist) 
that rule until it's detected as spam, or create another rule so it works 
specifically for the spam.

With hard scoring one loses the corpus scoring from apache.org :)

Re: RP_MATCHES_RCVD letting in SPAM

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 15.08.13 12:05, Quanah Gibson-Mount wrote:
>Some of our users are getting a ton of SPAM from .br domains.  If it 
>weren't for RP_MATCHES_RCVD they would actually end up in their junk 
>folder rather than their Inbox.  Is there a general suggested 
>adjustment I can make catch these without tweaking RP_MATCHES_RCVD?

I have

score RP_MATCHES_RCVD 0

in /etc/mail/local.cf

There is __RP_MATCHES_RCVD that has to be used in metas. I don't see any
point in giving positive score to mail just because it's not any kind of
forged... 

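A quick way to check the claim in the original post (that the message would have reached the junk threshold without RP_MATCHES_RCVD) and the effect of the `score RP_MATCHES_RCVD 0` override above is to re-sum the hits listed in the quoted X-Spam-Status header. The Python below is an added example, not code from the thread or from SpamAssassin: the header text is copied from the first message in the thread, the function names are mine, and the re-summing is a what-if over the listed hits, not a real SpamAssassin run.

```python
import re

# Constructed copy of the X-Spam-Status header quoted in the original post
# (folded as amavisd-new emitted it, continuation lines tab-indented).
RAW_STATUS = (
    "X-Spam-Status: No, score=2.069 tagged_above=-10 required=3\n"
    "\ttests=[BAYES_99=3.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,\n"
    "\tDKIM_VALID_AU=-0.1, HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001,\n"
    "\tLOTS_OF_MONEY=0.001, RP_MATCHES_RCVD=-1.344,\n"
    "\tT_KHOP_FOREIGN_CLICK=0.01] autolearn=no"
)

STATUS_RE = re.compile(
    r"score=(?P<score>-?[0-9.]+).*?required=(?P<req>-?[0-9.]+)"
    r".*?tests=\[(?P<tests>[^\]]*)\]"
)


def unfold(header):
    """Join RFC 5322 folded continuation lines (line break followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_status(header):
    """Return (score, required, {rule: points}) from an X-Spam-Status header."""
    m = STATUS_RE.search(unfold(header))
    if m is None:
        raise ValueError("no score/required/tests fields found")
    hits = {}
    for item in m.group("tests").split(","):
        name, _, pts = item.strip().partition("=")
        if name:
            hits[name] = float(pts)
    return float(m.group("score")), float(m.group("req")), hits


def rescore(hits, overrides):
    """Re-sum the hits with local.cf style 'score RULE N' overrides applied.

    A rule overridden to 0 contributes nothing, as in SpamAssassin, where a
    score of 0 disables the rule; metas that depend on the rule also stop
    seeing it, which this what-if does not model.
    """
    return round(sum(overrides.get(name, pts) for name, pts in hits.items()), 3)


def would_be_tagged(header, overrides):
    """(new score, True if it now reaches 'required') under the overrides."""
    _, required, hits = parse_status(header)
    new = rescore(hits, overrides)
    return new, new >= required


if __name__ == "__main__":
    print(parse_status(RAW_STATUS)[0], "->", would_be_tagged(RAW_STATUS, {"RP_MATCHES_RCVD": 0}))
```

For the quoted message the listed hits sum to the reported 2.069, and dropping RP_MATCHES_RCVD lifts it to 3.413, past the required=3 threshold; the same check shows why John's caution about LOTS_OF_MONEY matters, since scoring it at 3 would push even legitimate money-mentioning mail well over the line.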