Posted to users@spamassassin.apache.org by JP Kelly <li...@jpkvideo.net> on 2011/03/06 19:51:35 UTC

AWL scoring positive?

I just found an incoming message which is ham but marked as spam.
It received a score of 14 because it is in the auto white-list.
Shouldn't it receive a negative score?

Content analysis details:   (7.1 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium
                            trust
                           [72.21.212.35 listed in list.dnswl.org]
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                           [score: 0.0000]
 14 AWL                    AWL: From: address is in the auto white-list

Re: AWL scoring positive?

Posted by RW <rw...@googlemail.com>.
On Sun, 06 Mar 2011 22:32:02 +0100
Karsten Bräckelmann <gu...@rudersport.de> wrote:

> On Sun, 2011-03-06 at 12:48 -0800, JP Kelly wrote:
> > I'm not familiar enough to tell if an address is forged or not.
> > Here is the scoring from one of the spam messages from
> > autoconfirm@amazon.com which I suspect tainted AWL:
> 
> Nope. The originating IP isn't even close to the Amazon net-block, let
> alone in the same /16.

Unless the AWL has changed, it's based on the first non-private IP
address, which is usually not trustworthy and in this case is a forged
amazon address.

I haven't checked recently, there was some talk of changing it to the
first trusted address. Either nothing happened or this is an old SA
version.

Re: AWL scoring positive?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2011-03-06 at 12:48 -0800, JP Kelly wrote:
> I'm not familiar enough to tell if an address is forged or not. Here is
> the scoring from one of the spam messages from autoconfirm@amazon.com
> which I suspect tainted AWL:

Nope. The originating IP isn't even close to the Amazon net-block, let
alone in the same /16.

Kind of start wondering which internal / trusted networks you just
added...

> 1.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>                            [95.134.111.12 listed in zen.spamhaus.org]

> Received: (qmail 25679 invoked from network); 22 Aug 2010 06:47:56 -0600
> Received: from 12-111-134-95.pool.ukrtel.net (95.134.111.12)
>   by mail.smallgod.net with SMTP; 22 Aug 2010 06:47:55 -0600
       ^^^^^^^^^^^^^^^^^
Your MX, I assume?

You cannot trust Received headers beyond this. The from is the last
trustworthy information.

> Received-SPF: unknown (mail.smallgod.net: domain at spf.smallgod.net does not designate permitted sender hosts)

Uhm, doesn't that mean the Envelope From is from YOUR domain? Yeah, that
would be forged. ;)  You didn't include the Return-Path header in your
snippet, though.

> Received: from mm-notify-out-209-84.amazon.com (mm-notify-out-209-84.amazon.com [72.21.209.84])
> 	by server94.appriver.com with asmtp 
> 	id 8064CA-0003F6-18;
> 	for <ho...@jpkvideo.net>; Sun, 22 Aug 2010 15:47:34 +0200

The receiving server has address 204.232.236.150. Compare that to the
machine your MX has received the message from. This entire Received
header is forged, and the dial-up IP above is the originator.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

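Karsten's point above, that nothing in the Received chain beyond the hop your own MX wrote can be trusted, as an added Python walk over the headers JP posted (example code, not SpamAssassin's own relay parser). The MX address 192.0.2.10 is a placeholder, since the thread never gives it; trusted_networks is assumed to contain only that MX; and the "the older hop's 'by' should be the newer hop's 'from'" consistency check is this example's own heuristic, not an SA rule.

```python
import ipaddress
import re

# Constructed sample: the Received headers from the spam JP posted, newest hop
# first, with continuation lines joined the way an MTA unfolds them.
RECEIVED_HEADERS = [
    "(qmail 25679 invoked from network); 22 Aug 2010 06:47:56 -0600",
    "from 12-111-134-95.pool.ukrtel.net (95.134.111.12) "
    "by mail.smallgod.net with SMTP; 22 Aug 2010 06:47:55 -0600",
    "from mm-notify-out-209-84.amazon.com "
    "(mm-notify-out-209-84.amazon.com [72.21.209.84]) "
    "by server94.appriver.com with asmtp id 8064CA-0003F6-18; "
    "for <ho...@jpkvideo.net>; Sun, 22 Aug 2010 15:47:34 +0200",
]

# Assumption: trusted_networks names only the MX itself.  192.0.2.10 is a
# placeholder for mail.smallgod.net, whose address the thread does not give.
MX_ONLY = ["192.0.2.10/32"]

HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)",
    re.S,
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hop(header):
    """Pull the claimed sender name, its IP (from the parenthesised part) and the
    receiving host out of one Received header.  Headers without a from/by pair,
    such as qmail's local 'invoked from network', are skipped."""
    m = HOP_RE.match(header)
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or "")
    return {"from": m.group("helo").lower(),
            "ip": ip.group(0) if ip else None,
            "by": m.group("by").lower()}


def classify_relays(headers, trusted_networks):
    """Walk the hops newest-first as SpamAssassin does: a hop whose sending IP is
    inside trusted_networks extends the trust chain; the first hop whose sender is
    not trusted is the 'last external' relay and every older hop is untrusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hops = [h for h in map(parse_hop, headers) if h]
    trusted, untrusted = [], []
    for hop in hops:
        ip = ipaddress.ip_address(hop["ip"]) if hop["ip"] else None
        if not untrusted and ip is not None and any(ip in n for n in nets):
            trusted.append(hop)
        else:
            untrusted.append(hop)
    return trusted, untrusted


def inconsistent_hops(untrusted):
    """Heuristic (this example's own): an older hop says it handed the message to
    host X, so the next-newer hop should say it received from X.  From the first
    mismatch on, the older headers were written by somebody else."""
    for i in range(1, len(untrusted)):
        if untrusted[i]["by"] != untrusted[i - 1]["from"]:
            return untrusted[i:]
    return []


def last_external_ip(headers, trusted_networks):
    """The address DNSBL lookups and the AWL net-block should be keyed on."""
    _, untrusted = classify_relays(headers, trusted_networks)
    return untrusted[0]["ip"] if untrusted else None


if __name__ == "__main__":
    trusted, untrusted = classify_relays(RECEIVED_HEADERS, MX_ONLY)
    print("last external relay:", untrusted[0])
    for hop in inconsistent_hops(untrusted):
        print("unverifiable hop, treat as forged:", hop)
```

With only the MX trusted, the ukrtel dial-up is the last external relay and the "amazon.com by server94.appriver.com" hop fails the chain check, which is what Karsten read off the headers by hand. Passing a trusted_networks that wrongly includes 95.134.0.0/16 moves the last-external mark onto the forged Amazon hop, which is exactly the failure mode a mis-set trusted_networks produces.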

Re: AWL scoring positive?

Posted by JP Kelly <li...@jpkvideo.net>.
I'm not familiar enough to tell if an address is forged or not.
Here is the scoring from one of the spam messages from autoconfirm@amazon.com which I suspect tainted AWL:

Content analysis details:   (29.4 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
1.9 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                           [URIs: bestcomputerized.com]
1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                           [URIs: bestcomputerized.com]
1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                           [URIs: bestcomputerized.com]
3.5 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                           [URIs: bestcomputerized.com]
4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                           [score: 1.0000]
2.5 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                           2)
1.0 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
0.4 HTML_MESSAGE           BODY: HTML included in message
1.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                           [95.134.111.12 listed in zen.spamhaus.org]
4.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
3.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                           [URIs: bestcomputerized.com]
3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                           [URIs: bestcomputerized.com]
              [Blocked - see <http://www.spamcop.net/bl.shtml?95.134.111.12>]
1.5 RDNS_DYNAMIC           Delivered to trusted network by host with
                           dynamic-looking rDNS

--- and the headers:

Received: (qmail 25679 invoked from network); 22 Aug 2010 06:47:56 -0600
Received: from 12-111-134-95.pool.ukrtel.net (95.134.111.12)
  by mail.smallgod.net with SMTP; 22 Aug 2010 06:47:55 -0600
Received-SPF: unknown (mail.smallgod.net: domain at spf.smallgod.net does not designate permitted sender hosts)
Received: from mm-notify-out-209-84.amazon.com (mm-notify-out-209-84.amazon.com [72.21.209.84])
	by server94.appriver.com with asmtp 
	id 8064CA-0003F6-18;
	for <ho...@jpkvideo.net>; Sun, 22 Aug 2010 15:47:34 +0200
Date: Sun, 22 Aug 2010 15:47:34 +0200
From: "auto-confirm@amazon.com" <au...@amazon.com>
To: <ho...@jpkvideo.net>
Message-ID: <00...@na-mm-relay.amazon.com>
Subject: Your Order with Amazon.com
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_9404548_33090959.9063490075401"
Bounces-to: DA5F1995B875DED4537402D6B10DA455CF04FA500AA16D@bounces.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: notification
X-AMAZON-RTE-VERSION: 2.0


 
On Mar 6, 2011, at 12:33 PM, Karsten Bräckelmann wrote:

> On Sun, 2011-03-06 at 11:39 -0800, JP Kelly wrote:
>> Yeah that sender's email address had been forged for a bunch of spam I
>> received.
> 
> Without reading the following paragraph, I'd immediately suspect a
> cracked account, not address forgery. The AWL is limited by address and
> originating net-block (default /16, configurable since 3.3), thus it is
> rather unlikely that spam with that address forged is sent from a nearby
> address...
> 
>> I used spamassassin --remove-addr-from-whitelist for that address 
>> Also I did not have internal_networks and trusted_networks lines in my
>> local.cf, which I added. Hopefully that will help. Thanks!
> 
> Bad internal and trusted networks settings would also explain this,
> though.
> 
> If those are missing a forwarding / relay system, that one will be
> considered the handing-over machine -- which renders most DNSBLs as well
> as a lot of rules useless. Plus, as far as AWL is concerned, the
> net-block constraint effectively is disabled.
> 
> 
> Kind of wonder though, why that Amazon outgoing SMTP cluster should be
> part of your internal network. Or, how a forged address ended up being
> sent through it...
> 
>>>> -4.0 RCVD_IN_DNSWL_MED    RBL: Sender listed at http://www.dnswl.org/, medium trust
>>>>                          [72.21.212.35 listed in list.dnswl.org]
> 


Re: AWL scoring positive?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2011-03-06 at 11:39 -0800, JP Kelly wrote:
> Yeah that sender's email address had been forged for a bunch of spam I
> received.

Without reading the following paragraph, I'd immediately suspect a
cracked account, not address forgery. The AWL is limited by address and
originating net-block (default /16, configurable since 3.3), thus it is
rather unlikely that spam with that address forged is sent from a nearby
address...

> I used spamassassin --remove-addr-from-whitelist for that address 
> Also I did not have internal_networks and trusted_networks lines in my
> local.cf, which I added. Hopefully that will help. Thanks!

Bad internal and trusted networks settings would also explain this,
though.

If those are missing a forwarding / relay system, that one will be
considered the handing-over machine -- which renders most DNSBLs as well
as a lot of rules useless. Plus, as far as AWL is concerned, the
net-block constraint effectively is disabled.


Kind of wonder though, why that Amazon outgoing SMTP cluster should be
part of your internal network. Or, how a forged address ended up being
sent through it...

> > > -4.0 RCVD_IN_DNSWL_MED    RBL: Sender listed at http://www.dnswl.org/, medium trust
> > >                           [72.21.212.35 listed in list.dnswl.org]


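The averaging and net-block behaviour Karsten describes, as an added Python model (not SpamAssassin's own code). The key format address|ip=<leading octets>, the default factor of 0.5 and the adjustment delta = (history mean - this message's pre-AWL score) * factor follow my reading of the AWL plugin; the remove() behaviour (dropping the address under every net-block) is an assumption about what --remove-addr-from-whitelist does; the per-message scores, the relay address 192.0.2.10 and the replayed scenario are constructed.

```python
import ipaddress

AUTO_WHITELIST_FACTOR = 0.5   # SpamAssassin default for auto_whitelist_factor
IPV4_MASK_LEN = 16            # default net-block width (configurable since 3.3)


def awl_key(address, origin_ip, mask_len=IPV4_MASK_LEN):
    """History key: lower-cased sender address plus the originating net-block.
    Assumes an octet-aligned mask; an unknown origin IP goes under 'ip=none'."""
    addr = address.lower()
    if origin_ip is None:
        return f"{addr}|ip=none"
    net = ipaddress.ip_network(f"{origin_ip}/{mask_len}", strict=False)
    octets = str(net.network_address).split(".")[: mask_len // 8]
    return f"{addr}|ip={'.'.join(octets)}"


class AutoWhitelist:
    """In-memory stand-in for the AWL database: key -> (count, total score)."""

    def __init__(self, factor=AUTO_WHITELIST_FACTOR):
        self.factor = factor
        self.db = {}

    def check(self, address, origin_ip, score):
        """Return the AWL adjustment for one message and record its pre-AWL score.
        delta = (history mean - this score) * factor: a sender whose earlier mail
        scored higher than this message is pushed up, one whose earlier mail
        scored lower is pushed down.  A sender with no history gets 0."""
        key = awl_key(address, origin_ip)
        count, total = self.db.get(key, (0, 0.0))
        delta = (total / count - score) * self.factor if count else 0.0
        self.db[key] = (count + 1, total + score)
        return round(delta, 1)

    def remove(self, address):
        """Assumed effect of --remove-addr-from-whitelist: forget the address
        under every net-block it has been seen from."""
        prefix = address.lower() + "|ip="
        for key in [k for k in self.db if k.startswith(prefix)]:
            del self.db[key]


def replay(trusted_networks_correct):
    """Replay the thread with constructed scores: two legitimate Amazon messages
    from 72.21.x, six forged 'Amazon' spams from the ukrtel dial-up, then the
    next legitimate message.  With a correct trusted_networks the two sources
    land in different /16 keys.  With a relay in front of the MX missing from
    trusted_networks, every message appears to originate from that relay
    (placeholder 192.0.2.10), both histories collapse into one key, and the spam
    drags the legitimate sender's average up."""
    awl = AutoWhitelist()
    sender = "auto-confirm@amazon.com"

    def origin(ip):
        return ip if trusted_networks_correct else "192.0.2.10"

    for ham_score in (-6.6, -8.6):
        awl.check(sender, origin("72.21.212.35"), ham_score)
    for _ in range(6):
        awl.check(sender, origin("95.134.111.12"), 29.4)
    delta = awl.check(sender, origin("72.21.212.35"), -6.6)
    awl.remove(sender)                       # the quick fix from the thread
    after_removal = awl.check(sender, origin("72.21.212.35"), -6.6)
    return delta, after_removal


if __name__ == "__main__":
    print("correct trusted_networks:", replay(True))
    print("relay missing from trusted_networks:", replay(False))
```

With the net-block constraint intact the legitimate message gets a small nudge from its own history; with the constraint effectively disabled the same message picks up an adjustment in the +13 range, which is the shape of the "14 AWL" JP reported, and removing the address resets it to zero.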

Re: AWL scoring positive?

Posted by JP Kelly <li...@jpkvideo.net>.
Yeah, that sender's email address had been forged for a bunch of spam I received.
I used spamassassin --remove-addr-from-whitelist for that address 
Also I did not have internal_networks and trusted_networks lines in my local.cf, which I added.
Hopefully that will help.
Thanks!

On Mar 6, 2011, at 11:33 AM, Karsten Bräckelmann wrote:

> On Sun, 2011-03-06 at 10:51 -0800, JP Kelly wrote:
>> I just found an incoming message which is ham but marked as spam.
>> It received a score of 14 because it is in the auto white-list.
>> Shouldn't it receive a negative score?
> 
> http://wiki.apache.org/spamassassin/AwlWrongWay
> 
> Despite its name, the AWL is a score averager, based on the sender's
> history (limited by net-block).
> 
> 
> Given the rather high AWL score, this sender previously scored even much
> higher. You (or the sender) didn't happen to use it for sending some
> "test spam", checking SA is working?
> 
> As a quick fix, I'd remove the AWL record for that address. Also see the
> spamassassin-run man-page.
> 
>  spamassassin --remove-addr-from-whitelist=user@example.net
> 
> 
>> Content analysis details:   (7.1 points, 5.0 required)
>> 
>> pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>> -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium
>>                            trust
>>                           [72.21.212.35 listed in list.dnswl.org]
>> -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>>                           [score: 0.0000]
>> 14 AWL                    AWL: From: address is in the auto white-list
> 


Re: Describing "AWL"

Posted by Lucio Chiappetti <lu...@lambrate.inaf.it>.
On Mon, 7 Mar 2011, Adam Katz wrote:

> Even if we don't change what "AWL" means,

Curious that in English "awl" is a tool of the shoe-maker (in Italian 
called "lesina": since it was used to cut off tiny pieces, it even 
generated a verb "lesinare" which means to save money to the point of 
being stingy ... the expression "awl policy" was used in the late 1800s 
to indicate the government policy of (selective) public expenditure cuts 
... see the reference in my signature)  :-)

-- 
------------------------------------------------------------------------
Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
------------------------------------------------------------------------
Italian Research at risk.                La Ricerca italiana a rischio !
see http://sax.iasf-milano.inaf.it/~lucio/WWW/Opinions/nobrain.html cfr.

Re: Describing "AWL"

Posted by Benny Pedersen <me...@junc.org>.
 
> I also have some thoughts about discarding "hammers" at the end of that 
> document.

if awl had a unixtime stamp for the last change time, one could add a time
test for at least x days where it was score averaging, but if less than x
days don't give negative for ham

that would harden it to be stronger, btw is it really not a simple ip
reputation based on email senders?

if not, what changes are needed?



Re: Describing "AWL"

Posted by Dennis German <DG...@Real-World-Systems.com>.
On 3/7/11 4:13 PM, John Hardin wrote:
> On Mon, 7 Mar 2011, Adam Katz wrote:
>> On 03/06/2011 11:33 AM, Karsten Bräckelmann wrote:
>>> On Sun, 2011-03-06 at 10:51 -0800, JP Kelly wrote:
>>>> I just found an incoming message which is ham but marked as spam.
>>>> It received a score of 14 because it is in the auto white-list.
>>>> Shouldn't it receive a negative score?
>>> http://wiki.apache.org/spamassassin/AwlWrongWay
>>>
>>> Despite its name, the AWL is a score averager, based on the sender's
>>> history (limited by net-block).
>> I encountered that misconception so much that I altered its description
>> it in my local.cf:
>> describe AWL Adjust score towards average for this sender
>> As a reminder, SVN trunk uses:
>> describe AWL From: address is in the auto white-list
>> Even if we don't change what "AWL" means, we don't need to spell it out
>> as often. Cleaning up the docs would certainly be useful, but simply
>> changing the description would cover most of the ground for us.
> Open a boog for it.

I prefer to call AWL HEAT ( Heuristic Email Address Tracking )

You might be interested in my version of a utility sa-heatu documented at

http://www.real-world-systems.com/mail/sa-heatu.html

I have tried to clarify how HEAT works at
http://www.real-world-systems.com/mail/sa-heatu.html#backgrnd

which adds aging so as to lose old entries otherwise kept forever.

I also have some thoughts about discarding "hammers" at the end of that 
document.

Any feedback on this would be welcome.
Dennis German


Re: Describing "AWL"

Posted by John Hardin <jh...@impsec.org>.
On Mon, 7 Mar 2011, Adam Katz wrote:

> On 03/06/2011 11:33 AM, Karsten Bräckelmann wrote:
>> On Sun, 2011-03-06 at 10:51 -0800, JP Kelly wrote:
>>> I just found an incoming message which is ham but marked as spam.
>>> It received a score of 14 because it is in the auto white-list.
>>> Shouldn't it receive a negative score?
>>
>> http://wiki.apache.org/spamassassin/AwlWrongWay
>>
>> Despite its name, the AWL is a score averager, based on the sender's
>> history (limited by net-block).
>
> I encountered that misconception so much that I altered its description
> it in my local.cf:
>
> describe AWL	Adjust score towards average for this sender
>
> As a reminder, SVN trunk uses:
>
> describe AWL	From: address is in the auto white-list
>
>
> Even if we don't change what "AWL" means, we don't need to spell it out
> as often.  Cleaning up the docs would certainly be useful, but simply
> changing the description would cover most of the ground for us.

Open a boog for it.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Failure to plan ahead on someone else's part does not constitute
   an emergency on my part.                 -- David W. Barts in a.s.r
-----------------------------------------------------------------------
  6 days until Daylight Saving Time begins in U.S. - Spring Forward

Describing "AWL"

Posted by Adam Katz <an...@khopis.com>.
On 03/06/2011 11:33 AM, Karsten Bräckelmann wrote:
> On Sun, 2011-03-06 at 10:51 -0800, JP Kelly wrote:
>> I just found an incoming message which is ham but marked as spam.
>> It received a score of 14 because it is in the auto white-list.
>> Shouldn't it receive a negative score?
> 
> http://wiki.apache.org/spamassassin/AwlWrongWay
> 
> Despite its name, the AWL is a score averager, based on the sender's
> history (limited by net-block).

I encountered that misconception so much that I altered its description
it in my local.cf:

describe AWL	Adjust score towards average for this sender

As a reminder, SVN trunk uses:

describe AWL	From: address is in the auto white-list


Even if we don't change what "AWL" means, we don't need to spell it out
as often.  Cleaning up the docs would certainly be useful, but simply
changing the description would cover most of the ground for us.


Re: AWL scoring positive?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sun, 2011-03-06 at 10:51 -0800, JP Kelly wrote:
> I just found an incoming message which is ham but marked as spam.
> It received a score of 14 because it is in the auto white-list.
> Shouldn't it receive a negative score?

http://wiki.apache.org/spamassassin/AwlWrongWay

Despite its name, the AWL is a score averager, based on the sender's
history (limited by net-block).


Given the rather high AWL score, this sender previously scored even much
higher. You (or the sender) didn't happen to use it for sending some
"test spam", checking SA is working?

As a quick fix, I'd remove the AWL record for that address. Also see the
spamassassin-run man-page.

  spamassassin --remove-addr-from-whitelist=user@example.net


> Content analysis details:   (7.1 points, 5.0 required)
> 
> pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium
>                             trust
>                            [72.21.212.35 listed in list.dnswl.org]
> -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>                            [score: 0.0000]
>  14 AWL                    AWL: From: address is in the auto white-list



Re: AWL scoring positive?

Posted by Da...@chaosreigns.com.
Not necessarily.  AWL both increases and decreases scores, based on
previous emails: http://wiki.apache.org/spamassassin/AutoWhitelist

On 03/06, JP Kelly wrote:
> I just found an incoming message which is ham but marked as spam.
> It received a score of 14 because it is in the auto white-list.
> Shouldn't it receive a negative score?
> 
> Content analysis details:   (7.1 points, 5.0 required)
> 
> pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium
>                             trust
>                            [72.21.212.35 listed in list.dnswl.org]
> -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>                            [score: 0.0000]
>  14 AWL                    AWL: From: address is in the auto white-list
> 

-- 
"Whom God wishes to destroy, he first makes mad."
- Euripides (c.480 - 406 BC).
http://www.ChaosReigns.com