Posted to users@spamassassin.apache.org by Marc <Ma...@f1-outsourcing.eu> on 2022/03/04 13:01:05 UTC

how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

Is anyone blocking already connections from outbound-mail.sendgrid.net? Does that generate a lot of false positives? 
PS. just posting this so it is on web archives and people searching for sendgrid hopefully choose a better service.


Received: from dhtrpcqr.outbound-mail.sendgrid.net (dhtrpcqr.outbound-mail.sendgrid.net [208.117.60.69])
	by xxxxxxx (8.14.4/8.14.4) with ESMTP id 224Cgj7a012830
	(version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=NO)
	for <xxxxxxxxxx>; Fri, 4 Mar 2022 13:42:48 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
	h=content-type:from:mime-version:subject:reply-to:to:list-unsubscribe;
	s=smtpapi; bh=qYfolUzMHBeXH0Bfilq/4SMu1M6iCAeAoXMLn/+2FDQ=;
	b=ONiVQB9tFd/rNuQLwLs6BI5WZhlxM3fGxANnk/frAY+9IqydSOIkC/7pvrUn83wdxJiH
	3N2UCtehU38fwc7xSWBS87oFtD7kfJeeZ61PUsLtGQR0rPn3szEabnno9aB4r2DusM99Jj
	xfJGMwzxZ2+Y/sK9OIXQ5HF7ULb7J+p8Y=
Received: by filterdrecv-6b4b75bfd9-qkswm with SMTP id filterdrecv-6b4b75bfd9-qkswm-1-62220942-67
        2022-03-04 12:42:42.792424637 +0000 UTC m=+15862904.198835649
Received: from MjU1OTQ0NzY (unknown)
	by ismtpd0195p1iad2.sendgrid.net (SG)
	with HTTP
	id CZyMAly8Q-S9ndmHDf5WzA
	Fri, 04 Mar 2022 12:42:42.772 +0000 (UTC)



> -----Original Message-----
> From: Svitlana Vasylyna <fi...@ukr.net>
> Sent: Friday, March 04, 2022 1:43 PM
> To: xxxxxxxxxxxxxxxxxx
> Subject: Soliciting for your urgent assistance on this
> 
> Greetings,
> My name is Svitlana Vasylyna, I, my family of 2  kids and my husband live
> in Kharkiv close to the City Hall building in Kharkiv.
> Shelling has turned our city into dust, we lost my husband's brother and
> the army has taken my husband away to fight for our country.
> My kids and I are on the Polish border with more than 1M of our citizens
> with nothing to eat or drink not to talk of shelter. We are asked to pay
> 5k Euro per person and 12k for a family of 3 to cross the border.
> 
> I copied down all email contacts from my office database to be able to
> write this letter to you. I work as an IT Admin to a few governmental
> agencies in Ukraine.
> 
> Please me and my kids are seriously asking for help to let us feed and
> remain here because we can not raise such an asking amount at the moment.
> Our story is not good to tell at this time because no one can understand
> what is happening here if you are not here.
> Polish police are here also to determine what jurnalist transmit. They
> refuse to allow them to transmit to the world that Poland is requesting
> payment from our citizens to enter poland.
> 
> We can only get money through bitcoin from friends and most people that I
> worked with in Europe, USA, Asia to feed and pay for a few medications for
> my kids.
> 
> Here is my Bitcoin wallet to please assist us with 10$-20-50-100$ none is
> too little at this moment.
> 
> BTC WALLET: 3CqQrmKjoqf6VLMYa7S1KHYxX8KR5h1q8h
> 
> I will never forget this help no matter the amount when all this ends.
> 
> Here is the picture of our house after the attack. The man lying here is
> my husband's brother. The second pic is me and my kids.
> 
> Thank you so much as you do this.
> 
> Svitlana Vasylyna
> 
> PHOTOS OF WAR
> https://www.dropbox.com/s/xabmlf22lxw6rqo/Our%20Home.jpg?dl=0
> https://www.dropbox.com/s/3angu8pwby8ipqt/kiev%20Ukraine.jpg?dl=0
> https://www.dropbox.com/s/av3yqx8piyvtuzz/images.jpg?dl=0



Re: how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

Posted by Benny Pedersen <me...@junc.eu>.
On 2022-03-04 14:01, Marc wrote:
> Is anyone blocking already connections from
> outbound-mail.sendgrid.net? Does that generate a lot of false
> positives?
> PS. just posting this so it is on web archives and people searching
> for sendgrid hopefully choose a better service.


first define better service

Re: how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

Posted by Alan <sp...@ambitonline.com>.
FWIW at least I've found them to be responsive to abuse reports, unlike 
Amazon SES.

On 2022-03-04 08:01, Marc wrote:
> Is anyone blocking already connections from outbound-mail.sendgrid.net? Does that generate a lot of false positives?
> PS. just posting this so it is on web archives and people searching for sendgrid hopefully choose a better service.
>
--
For SpamAssassin Users List


Re: how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

Posted by Greg Troxel <gd...@lexort.com>.
Bill Cole <sa...@billmail.scconsult.com> writes:

> On 2022-03-04 at 09:18:08 UTC-0500 (Fri, 04 Mar 2022 09:18:08 -0500)
> Greg Troxel <gd...@lexort.com>
> is rumored to have said:
>
>> Greg Troxel <gd...@lexort.com> writes:
>>
>>> With stock scores, sendgrid gets
>>>
>>>  2.1 URIBL_GREY             Contains an URL listed in the URIBL greylist
>>>                             [URIs: sendgrid.net]
>>>  1.5 KAM_SENDGRID           Sendgrid being exploited by scammers
>>>
>>> and I find 3.6 a bit much.

(sorry, URIBL_GREY is only 1.1, so that's 2.6 between them)

> Note that those are quasi-independent rules. URIBL looks at all of the
> URIs in a message. KAM_SENDGRID only hits mail transferred through
> Sendgrid where the From header and envelope sender addresses are in
> unrelated domains.

I meant only that I find that for this particular sender, both rules
hit.

> I may be wrong, but I do not believe that all Sendgrid ham will hit
> either of those rules, although much surely will hit both. The KAM
> rules don't go through QA that would reveal their overlap/independence
> as the stock rules do, so there's not a good way that I can check.

I am unclear on if KAM_SENDGRID is supposed to hit on legit mail from
sendgrid; it is for this particular class of ham.  It sounds like you
think at least some sendgrid ham will hit this.

Return-Path: seems like it matches __KAM_SENDGRID1A, Received looks like
it matches __KAM_SENDGRID2, and the From: is from the government
office's domain.

>>> But maybe 72% of what sendgrid sends is
>>> spam?  (Knowing the spam % is actually a serious question.)
>>
>> sorry, didn't quite get back to stock for that  test, so I think it's
>> only 1.1+1.5=2.6, so tuned for 52% spam...
>
> FWIW, that is NOT how the math works for score determination. Even for
> the stock rules which get programmatically adjusted as a set, that's
> not a "tuning" target that would be useful or even have a calculable
> solution.

Sorry, I do know that, but what I was trying to get at, and did so
badly, was that if a rule has a score of 2.5, then I would expect that a
fairly large amount of the messages that trigger it would be spam.
Otherwise, I would expect that score to be reduced by the tuning
algorithms.

> The rule score tuning doesn't really pay any attention to aggregate
> score values except in >/< relation to the threshold. If 100% of a
> sender's mail is ham that just happens to score 4.2, that's great. If
> it is 100% spam, all scoring 5.2, that's also great. If it is a 50/50
> mix that SA scores perfectly at either 4.2 or 5.2, that would be
> astoundingly good. Message scores do NOT have a score distribution
> that can be approximated by any combination of statistically useful
> distributions which could support the sort of score arithmetic you are
> positing.

I see your point but it would be interesting to see the %spam data (out
of some background ham/spam a priori rate) per rule, somehow in a
scatter plot with score.

Also given how things are, if ham scored 4.2 it would take very little
in terms of a 1-point rule or 2 x .5 rules triggering vs not to push it
over.  So while 4.2 is a good score for ham in the metrics, it's not in
my view a good score for a ham message viewed over the ensemble of other
things that are likely to happen.

All I'm really trying to say is that ham getting 2.5 from one rule moves
it halfway to threshold, where it gets marked as spam if the rest of the
rules give it >=2.5.

> I wish Justin had originally made the base score -5 and the threshold
> 0. It's 20 years too late to fix that, but it would have made it
> easier for people to avoid wrong mathematical assumptions about the
> value of the aggregate score of a message.

I do know how scores are determined for the base ruleset (and above you
said that the KAM scores aren't determined that way, I think).

And I know it's against doctrine, but I find that the odds of spam
change from near 0 at -2 to near 1 at >=4.  Just above about 2, it's
roughly 50%, and it's not linear.  Because of that I treat 3 different
from <1, putting 3 in a maybe-spam folder not allowed to show up on my
phone.  I know that's not how SA's "was this message scored
correctly" is defined, but I find this sort of sorting very useful.

The message in question did actually get to 5.0.  I've tweaked scores,
up and down, so I know that doesn't technically count.

Re: how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2022-03-04 at 09:18:08 UTC-0500 (Fri, 04 Mar 2022 09:18:08 -0500)
Greg Troxel <gd...@lexort.com>
is rumored to have said:

> Greg Troxel <gd...@lexort.com> writes:
>
>> With stock scores, sendgrid gets
>>
>>  2.1 URIBL_GREY             Contains an URL listed in the URIBL greylist
>>                             [URIs: sendgrid.net]
>>  1.5 KAM_SENDGRID           Sendgrid being exploited by scammers
>>
>> and I find 3.6 a bit much.


Note that those are quasi-independent rules. URIBL looks at all of the URIs in a message. KAM_SENDGRID only hits mail transferred through Sendgrid where the From header and envelope sender addresses are in unrelated domains.

I may be wrong, but I do not believe that all Sendgrid ham will hit either of those rules, although much surely will hit both. The KAM rules don't go through QA that would reveal their overlap/independence as the stock rules do, so there's not a good way that I can check.

>> But maybe 72% of what sendgrid sends is
>> spam?  (Knowing the spam % is actually a serious question.)
>
> sorry, didn't quite get back to stock for that  test, so I think it's
> only 1.1+1.5=2.6, so tuned for 52% spam...

FWIW, that is NOT how the math works for score determination. Even for the stock rules which get programmatically adjusted as a set, that's not a "tuning" target that would be useful or even have a calculable solution.

The rule score tuning doesn't really pay any attention to aggregate score values except in >/< relation to the threshold. If 100% of a sender's mail is ham that just happens to score 4.2, that's great. If it is 100% spam, all scoring 5.2, that's also great. If it is a 50/50 mix that SA scores perfectly at either 4.2 or 5.2, that would be astoundingly good. Message scores do NOT have a score distribution that can be approximated by any combination of statistically useful distributions which could support the sort of score arithmetic you are positing.

I wish Justin had originally made the base score -5 and the threshold 0. It's 20 years too late to fix that, but it would have made it easier for people to avoid wrong mathematical assumptions about the value of the aggregate score of a message.


-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
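
The condition described in the post above (mail relayed through Sendgrid whose From header and envelope sender are in unrelated domains), sketched in Python as an added example; it is not the KAM rule's implementation and not code from anyone in this thread. The two-label domain comparison, the `make` helper, the sample messages and every `.example` name are constructed assumptions; the 1.1 and 1.5 scores are the ones quoted in the thread.

```python
from email import message_from_string
from email.utils import parseaddr

RELAY_SUFFIX = ".outbound-mail.sendgrid.net"        # relay names seen in this thread
SCORES = {"URIBL_GREY": 1.1, "KAM_SENDGRID": 1.5}   # scores quoted in this thread
THRESHOLD = 5.0                                     # SpamAssassin's default required score

def org_domain(address):
    """Last two labels of the address's domain (assumption: no public-suffix list)."""
    domain = parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])

def via_sendgrid(msg):
    """Trust only the topmost Received header, the one our own MTA added."""
    received = msg.get_all("Received") or [""]
    words = received[0].split()
    return len(words) > 1 and words[0].lower() == "from" and words[1].lower().endswith(RELAY_SUFFIX)

def mismatch_hit(msg):
    """Relayed by Sendgrid, and From / envelope sender in unrelated domains."""
    from_dom = org_domain(msg.get("From", ""))
    env_dom = org_domain(msg.get("Return-Path", ""))
    return via_sendgrid(msg) and bool(from_dom and env_dom) and from_dom != env_dom

def evaluate(raw, other_hits=()):
    """Return (rule hits, total score, tagged as spam?) for one raw message."""
    hits = list(other_hits)
    if mismatch_hit(message_from_string(raw)):
        hits.append("KAM_SENDGRID")
    total = round(sum(SCORES[h] for h in hits), 2)
    return hits, total, total >= THRESHOLD

def make(relay, envelope, sender):
    """Build a constructed sample message (hypothetical helper)."""
    return (f"Return-Path: <{envelope}>\n"
            f"Received: from {relay} ({relay} [192.0.2.1]) by mx.example.org with ESMTP\n"
            f"From: {sender}\nSubject: sample\n\nbody\n")

# Constructed samples, not real traffic.
SCAM = make("a1.outbound-mail.sendgrid.net", "bounces+1@sendgrid.net", "Someone <someone@freemail.example>")
HAM = make("o2.outbound-mail.sendgrid.net", "bounces+2@em.sendgrid.net", "Clerk <clerk@townhall.example>")
ALIGNED = make("o3.outbound-mail.sendgrid.net", "bounces+3@em.shop.example", "Shop <news@shop.example>")
DIRECT = make("mail.townhall.example", "clerk@townhall.example", "Clerk <clerk@townhall.example>")

if __name__ == "__main__":
    for name, raw in [("SCAM", SCAM), ("HAM", HAM), ("ALIGNED", ALIGNED), ("DIRECT", DIRECT)]:
        print(name, evaluate(raw, ["URIBL_GREY"]))
```

The constructed scam and the constructed local-government ham produce the same two hits and the same 2.6 total, which is why the thread treats this as a scoring signal rather than grounds for an outright block.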

Re: how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

Posted by Greg Troxel <gd...@lexort.com>.
Greg Troxel <gd...@lexort.com> writes:

> With stock scores, sendgrid gets
>
>  2.1 URIBL_GREY             Contains an URL listed in the URIBL greylist
>                             [URIs: sendgrid.net]
>  1.5 KAM_SENDGRID           Sendgrid being exploited by scammers
>
> and I find 3.6 a bit much.  But maybe 72% of what sendgrid sends is
> spam?  (Knowing the spam % is actually a serious question.)

sorry, didn't quite get back to stock for that  test, so I think it's
only 1.1+1.5=2.6, so tuned for 52% spam...

Re: how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

Posted by Greg Troxel <gd...@lexort.com>.
CC: trimmed as my message is not an abuse report.

You asked about outright blocking, but you didn't ask if people thought
that was wise.

I received a piece of ham today, and the received line added by my MTA is:

  Received: from o1678989x80.outbound-mail.sendgrid.net (o1678989x80.outbound-mail.sendgrid.net [167.89.89.80])

This was a legitimate message from an agency of a local government, and
solidly ham.

I'm not going to claim that sendgrid is or isn't ok -- I don't
personally have any data.    But it's clear that at least one legitimate
entity uses them and that I receive some ham from them.

With stock scores, sendgrid gets

 2.1 URIBL_GREY             Contains an URL listed in the URIBL greylist
                            [URIs: sendgrid.net]
 1.5 KAM_SENDGRID           Sendgrid being exploited by scammers

and I find 3.6 a bit much.  But maybe 72% of what sendgrid sends is
spam?  (Knowing the spam % is actually a serious question.)

I find ham misfiled as spam just due to sendgrid is fairly rare, and I
just welcomelist them.  So that's probably a clue that I get little ham
from sendgrid.

But an outright block doesn't seem like a good idea.  It certainly would
result in me losing ham.


Re: how sendgrid is abusing the ukraine crisis (or they are still too dumb to filter for spam)

Posted by Alan Hodgson <ah...@lists.simkin.ca>.
On Fri, 2022-03-04 at 13:01 +0000, Marc wrote:
> Is anyone blocking already connections from
> outbound-mail.sendgrid.net? Does that generate a lot of false positives?
> PS. just posting this so it is on web archives and people searching
> for sendgrid hopefully choose a better service.
> 

Unfortunately, a lot of legitimate senders still use Sendgrid.