Posted to users@spamassassin.apache.org by Marc Richter <sp...@marc-richter.info> on 2010/08/15 15:57:57 UTC

Initial setup of SA - please help.

Hello,

I have been using SA for 5 years now. Yesterday I switched my Debian 
system to a Gentoo server and had to reinstall SA this way. I thought I 
transferred the config nearly identically, but that seems not to be the case, 
since I get filtering results which I don't understand:

http://pastebin.com/Rhj2UMLS

I don't understand 3 things:

1)
Why is it recognized as not being spam, although the required score is 
3.0 and the actual score is 101.0?
Is this because of points 2) and 3)?

2)
Why does ALL_TRUSTED hit here? I haven't configured mx0.gmx.net anywhere.

3)
Why does USER_IN_WHITELIST apply here? "iyeboxfzpfj <zy...@alxhkv.com>" 
is no one I've put onto any whitelist.

In the user_prefs of user "ww" the only "WHITE" thing is:
whitelist_from          *@web-factory.de
whitelist_from          *@marketing-factory.de

which is my company's domain.

Here's my whole global SA config:

http://pastebin.com/DixnLNmv

Could anybody please give me a hint with this?

Thank you.

Best regards,
Marc

Re: Initial setup of SA - please help.

Posted by Marc Richter <sp...@marc-richter.info>.
Hi J.K.

No, it seems as if my server really sent it, not only that the From 
matched. Seems as if an open web form sent it.

But thank you anyway.

On 15.08.2010 18:54, Josef Karliak wrote:
>   If it looks like you send spam to you, I've a simple solution. SPF
> record in your domain zone and you tell in your SPF record that only
> your servers may send email for your domain and any others are possibly
> spammers - see http://www.openspf.org/
>
> For example, for my domain only two servers may send emails and any
> others are denied. Postfix controls SPF on receiving, if somebody from
> the net could send me spam and "from" is my domain, by my policy in the SPF
> record - "-all" - this mail is rejected. SPF helped us very much. Lots
> of spammers use the same To: and From: ...
>
> J.K.
>
> Quoting Benny Pedersen <me...@junc.org>:
>
>> On Sun 15 Aug 2010 15:57:57 CEST, Marc Richter wrote
>>> Could anybody please give me a hint with this?
>>
>> do you send spam to your own email address?
>>
>> to solve it, remove any instance of whitelist_from
>>
>> or if you'd like to track this, change the score on user_in_whitelist to
>> something that is not -100
>>
>> --
>> xpoint http://www.unicom.com/pw/reply-to-harmful.html
>>
>>
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.

Re: Initial setup of SA - please help.

Posted by Josef Karliak <ka...@ajetaci.cz>.
   If it looks like you send spam to you, I've a simple solution. SPF  
record in your domain zone and you tell in your SPF record that only  
your servers may send email for your domain and any others are possibly  
spammers - see http://www.openspf.org/

   For example, for my domain only two servers may send emails and  
any others are denied. Postfix controls SPF on receiving, if somebody  
from the net could send me spam and "from" is my domain, by my policy in  
the SPF record - "-all" - this mail is rejected. SPF helped us very much.  
Lots of spammers use the same To: and From: ...

   J.K.

Quoting Benny Pedersen <me...@junc.org>:

> On Sun 15 Aug 2010 15:57:57 CEST, Marc Richter wrote
>> Could anybody please give me a hint with this?
>
> do you send spam to your own email address?
>
> to solve it, remove any instance of whitelist_from
>
> or if you'd like to track this, change the score on user_in_whitelist to  
> something that is not -100
>
> -- 
> xpoint http://www.unicom.com/pw/reply-to-harmful.html
>
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Re: Initial setup of SA - please help.

Posted by Benny Pedersen <me...@junc.org>.
On Sun 15 Aug 2010 15:57:57 CEST, Marc Richter wrote
> Could anybody please give me a hint with this?

do you send spam to your own email address?

to solve it, remove any instance of whitelist_from

or if you'd like to track this, change the score on user_in_whitelist to  
something that is not -100

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: Initial setup of SA - please help.

Posted by Wolfgang Zeikat <wo...@desy.de>.
In an older episode, on 2010-08-15 15:57, Marc Richter wrote:

> http://pastebin.com/Rhj2UMLS
> 
> I don't understand 3 things:
> 
> 1)
> Why is it recognized as not being spam, although the required score is 
> 3.0 and the actual score is 101.0?

It says "score=-101.0", that is *not* the same as "score=101.0". A 
negative score is "positive" == non spam.

> Is this because of points 2) and 3)?

AFAIK, that is because of USER_IN_WHITELIST, yes.

> 3)
> Why does USER_IN_WHITELIST apply here? "iyeboxfzpfj <zy...@alxhkv.com>" 
> is no one I've put onto any whitelist.

If I am not mistaken, a score of -100 indicates that a 
whitelist_from_rcvd rule has matched - that is a combination of sender 
address plus received header, see
  man Mail::SpamAssassin::Conf

Maybe try to grep for whitelist_from_rcvd in your configuration directories.

Hope this helps,

wolfgang


Re: Initial setup of SA - please help.

Posted by Marc Richter <sp...@marc-richter.info>.
Hi @all,

I just had a chat with wolfgang by phone, and we discovered that a 
web form on my own site seems to deliver this spam to my GMX 
account richter_marc -at- gmx.net .
This would explain this result: when my own server is the initial 
sender, it's clear why the USER_IN_WHITELIST test hits.
It seems as if I just read the header wrong, sorry.

I'll have a closer look at this, and I'll write again if I'm still 
experiencing something I don't get.

Thank you all so far!

On 15.08.2010 16:46, John Hardin wrote:
> On Sun, 15 Aug 2010, Marc Richter wrote:
>
>> http://pastebin.com/Rhj2UMLS
>>
>> I don't understand 3 things:
>>
>> 1) Why is it recognized as not being spam, although the required score
>> is 3.0 and the actual score is 101.0?
>
> Look a little closer. The actual score is -101.0 (negative).

Yeah, I already saw my error, thank you. 1) is 100% solved because of 
that ;)

>> Is this because of points 2) and 3)?
>>
>> 2) Why does ALL_TRUSTED hit here? I haven't configured mx0.gmx.net
>> anywhere.
>
> Odd. I'd have expected pop.gmx.net to have prevented ALL_TRUSTED. I
> can't suggest why this might have occurred, perhaps one of the devs a
> little closer to that code will comment.
>
> ALL_TRUSTED isn't by itself contributing to the problem, but it is
> useful as a symptom.
>
>> 3) Why does USER_IN_WHITELIST apply here? "iyeboxfzpfj
>> <zy...@alxhkv.com>" is no one I've put onto any whitelist.
>>
>> In the user_prefs of user "ww" the only "WHITE" thing is:
>> whitelist_from *@web-factory.de
>> whitelist_from *@marketing-factory.de
>>
>> which is my company's domain.
>
> As I just recommended to someone else, do not use whitelist_from except
> as a last resort. It is trivially easy for a spammer to leverage as it
> does no verification that the From address is not forged.

You're right. Up till today (may be subject to change, since I told it 
here in public ;) ) not a single spam has arrived for me because of 
this whitelist.

>> Here's my whole global SA config:
>>
>> http://pastebin.com/DixnLNmv
>
> I note you're using whitelist_from_rcvd in your global config. Good.
>
> However, changing the required_score to 3.0 is not recommended. All of
> the scores assigned by the masscheck system are targeted at a
> required_score of 5.0, and if you lower that without making any
> adjustment to rule scores then you are likely going to increase your
> false positive rate.

I know, but the suggested 5.0 results in a too high false ham rate for me. 
I'm keeping an eye on the filtered ones. They're not deleted, but 
collected in a separate box, which I check frequently. The FP rate is 
extremely low (2-5 in a whole year!) and even when this happens, they 
had never been "autolearned" as spam up to today.

> Can you post the ww user's config too?

It's nearly empty. Just the two whitelist_from entries are from that file.

>> Could anybody please give me a hint with this?
>
> The whitelist hit is what's hurting the most.
>
> You should also take a look at your bayes, after we resolve the
> whitelist problem.
>

OK, I'll keep that in mind :)

Thank you!

Best Regards,
Marc

Re: Initial setup of SA - please help.

Posted by John Hardin <jh...@impsec.org>.
On Sun, 15 Aug 2010, Marc Richter wrote:

> http://pastebin.com/Rhj2UMLS
>
> I don't understand 3 things:
>
> 1)  Why is it recognized as not being spam, although the required score
>  is 3.0 and the actual score is 101.0?

Look a little closer. The actual score is -101.0 (negative).

> Is this because of points 2) and 3)?
>
> 2)  Why does ALL_TRUSTED hit here? I haven't configured mx0.gmx.net
>  anywhere.

Odd. I'd have expected pop.gmx.net to have prevented ALL_TRUSTED. I can't 
suggest why this might have occurred, perhaps one of the devs a little 
closer to that code will comment.

ALL_TRUSTED isn't by itself contributing to the problem, but it is useful 
as a symptom.

> 3)  Why does USER_IN_WHITELIST apply here? "iyeboxfzpfj
>  <zy...@alxhkv.com>" is no one I've put onto any whitelist.
>
> In the user_prefs of user "ww" the only "WHITE" thing is:
> whitelist_from          *@web-factory.de
> whitelist_from          *@marketing-factory.de
>
> which is my company's domain.

As I just recommended to someone else, do not use whitelist_from except as 
a last resort. It is trivially easy for a spammer to leverage as it does 
no verification that the From address is not forged.

> Here's my whole global SA config:
>
> http://pastebin.com/DixnLNmv

I note you're using whitelist_from_rcvd in your global config. Good.

However, changing the required_score to 3.0 is not recommended. All of the 
scores assigned by the masscheck system are targeted at a required_score 
of 5.0, and if you lower that without making any adjustment to rule scores 
then you are likely going to increase your false positive rate.

Can you post the ww user's config too?

> Could anybody please give me a hint with this?

The whitelist hit is what's hurting the most.

You should also take a look at your bayes, after we resolve the whitelist 
problem.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Vista is at best mildly annoying and at worst makes you want to
   rush to Redmond, Wash. and rip somebody's liver out.      -- Forbes
-----------------------------------------------------------------------
  Today: the 65th anniversary of the end of World War II
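The distinction Wolfgang and John draw between whitelist_from (From: address only) and whitelist_from_rcvd (From: address plus the relay in the Received: header) as an added Python model, not SpamAssassin's own code and deliberately simplified: it inspects only the topmost Received: header instead of walking trusted_networks, and runs over constructed headers rather than the thread's pastebin message.

```python
import fnmatch
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a message from the thread): From: claims the
# whitelisted company domain, but the relay that handed the mail to the
# receiving MX is an unrelated host.
FORGED = """Received: from spamhost.example.invalid (spamhost.example.invalid [192.0.2.10])
\tby mail.web-factory.de (Postfix) with ESMTP id 1; Sun, 15 Aug 2010 15:00:00 +0200
From: Sales <sales@web-factory.de>
Subject: constructed test

body
"""
# Same From:, but handed off by the company's own relay (also constructed).
GENUINE = FORGED.replace("spamhost.example.invalid", "smtp.web-factory.de")

RCVD_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def last_external_relay(msg):
    """Name of the relay in the topmost Received: header, i.e. the host that
    handed the mail to our own MX (simplified: no trusted_networks walk)."""
    for hdr in msg.get_all("Received", []):
        m = RCVD_FROM.match(hdr)
        if m:
            return m.group(1).lower()
    return None

def whitelist_from(msg, pattern):
    """Model of whitelist_from: matches on the From: address alone, so a
    forged From: is enough to earn the -100 USER_IN_WHITELIST score."""
    _, addr = parseaddr(msg.get("From", ""))
    return fnmatch.fnmatch(addr.lower(), pattern.lower())

def whitelist_from_rcvd(msg, pattern, rcvd_domain):
    """Model of whitelist_from_rcvd: the From: glob must match AND the
    handing-off relay must be a host in the given domain."""
    relay = last_external_relay(msg) or ""
    dom = rcvd_domain.lower()
    return whitelist_from(msg, pattern) and (relay == dom or relay.endswith("." + dom))

def check(raw):
    msg = message_from_string(raw)
    return {"whitelist_from": whitelist_from(msg, "*@web-factory.de"),
            "whitelist_from_rcvd": whitelist_from_rcvd(msg, "*@web-factory.de", "web-factory.de")}

if __name__ == "__main__":
    print("forged :", check(FORGED))   # From-only rule hits, rcvd rule does not
    print("genuine:", check(GENUINE))  # both hit
```

The forged sample passes the From-only whitelist and fails the rcvd variant, which is exactly the gap John warns about; the genuine sample passes both.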