Posted to users@spamassassin.apache.org by Jose Borges Ferreira <un...@gmail.com> on 2013/10/28 17:27:23 UTC

AXB_X_ORIG_OMNIMS is causing too many FPs

I was wondering why MS customers will have a 2.696+ penalty.

header AXB_X_ORIG_OMNIMS X-OriginatorOrg =~ /\.onmicrosoft\.com$/
describe AXB_X_ORIG_OMNIMS outbound.protection.outlook.com forwarders
score AXB_X_ORIG_OMNIMS                     2.696 2.799 2.696 2.799

Any idea why it is so high?

José Borges Ferreira

Re: AXB_X_ORIG_OMNIMS is causing too many FPs

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
This is a rather late followup, but...

Axb <ax...@gmail.com> wrote:

> Microsoft sends them with empty env-sender and the PTR used for these 
> spams have a distinct pattern.
> There's also a distinct Forefront tag which identifies them nicely.

The distinct Forefront tag, in case anyone's interested, is

X-Forefront-Antispam-Report: SFV:SPM;

(lots of stuff following SPM;)

According to Microsoft itself at http://technet.microsoft.com/en-us/library/dn205071%28v=exchg.150%29.aspx,
SFV:SPM means "The message was marked as spam by the spam filter."

So Microsoft is recognizing the outbound messages as spam and relaying
them anyway.  It's so bad that (at least) 10 of their IPs wound up in
our spam-source RBL... for example:

$ canit-reputation-check 157.56.116.99
157.56.116.99: emea01-am1-ndr.ptr.protection.outlook.com
        SpamSource
        hs=1150 hh=49 as=7420 ah=1729 vr=20023 ir=16499

 1150 hand-votes:    spam
   49 hand-votes:    ham
 7420 auto-detected: spam
 1729 auto-detected: ham
20023 valid recipients seen
16499 invalid recipients seen (spammers have dirty lists)

Regards,

David.

Re: AXB_X_ORIG_OMNIMS is causing too many FPs

Posted by Axb <ax...@gmail.com>.
On 10/29/2013 06:25 PM, Adam Katz wrote:
> On 10/28/2013 12:30 PM, John Hardin wrote:
>> On Mon, 28 Oct 2013, Axb wrote:
>>> I'll disable this rule.
>>
>> Convert it to a subrule, it may be useful in metas.

I've disabled it - Those spams are easier to detect and reject at MTA level.

Microsoft sends them with empty env-sender and the PTR used for these 
spams have a distinct pattern.
There's also a distinct Forefront tag which identifies them nicely.

I forgot the nopublish tflag on my rule - it was never supposed to be 
published in the first place.

>
> It is useful.  I added the domain to freemail_domains (see r1533678
> <https://svn.apache.org/viewvc?view=revision&revision=1533678>) to catch
> an old spam signature
> <http://ruleqa.spamassassin.org/?rule=FREEMAIL_REPLYTO> that the ISC
> noted
> <https://isc.sans.edu/diary/New+spamming+technique+-+onmicrosoft.com/16841>
> it is exhibiting.  I don't think our list had been updated for a while,
> either; I found one site
> <http://www.zemskov.net/free-email-domains.html> that lists hundreds of
> domains we were missing.  Either it was especially comprehensive or
> we're missing lots more.
>
> This should do it:
>
> header __ONMICROSOFT_REPLYTO    Reply-To =~ /\@\w{5,30}\.onmicrosoft\.com\b/i
> meta KHOP_ONMS_REPLYTO_FREEMAIL AXB_X_ORIG_OMNIMS && !__ONMICROSOFT_REPLYTO && __freemail_replyto

watch it, AXB_X_ORIG_OMNIMS won't be published after the next update.



Re: AXB_X_ORIG_OMNIMS is causing too many FPs

Posted by Adam Katz <an...@khopis.com>.
On 10/28/2013 12:30 PM, John Hardin wrote:
> On Mon, 28 Oct 2013, Axb wrote:
>> I'll disable this rule.
>
> Convert it to a subrule, it may be useful in metas.

It is useful.  I added the domain to freemail_domains (see r1533678
<https://svn.apache.org/viewvc?view=revision&revision=1533678>) to catch
an old spam signature
<http://ruleqa.spamassassin.org/?rule=FREEMAIL_REPLYTO> that the ISC
noted
<https://isc.sans.edu/diary/New+spamming+technique+-+onmicrosoft.com/16841>
it is exhibiting.  I don't think our list had been updated for a while,
either; I found one site
<http://www.zemskov.net/free-email-domains.html> that lists hundreds of
domains we were missing.  Either it was especially comprehensive or
we're missing lots more.

This should do it:

header __ONMICROSOFT_REPLYTO    Reply-To =~ /\@\w{5,30}\.onmicrosoft\.com\b/i
meta KHOP_ONMS_REPLYTO_FREEMAIL AXB_X_ORIG_OMNIMS && !__ONMICROSOFT_REPLYTO && __freemail_replyto
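
As an added example (not code from this thread, from SpamAssassin or from its FreeMail plugin), the following Python checker applies the header rules quoted above, Adam Katz's KHOP_ONMS_REPLYTO_FREEMAIL meta and the X-Forefront-Antispam-Report SFV:SPM verdict David Skoll points out, to two constructed messages. The freemail domain list, the sample headers and the __FOREFRONT_SFV_SPM subrule name are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Regexes transcribed from the SpamAssassin rules quoted in this thread.
RE_ORIG_OMNIMS = re.compile(r"\.onmicrosoft\.com$")                   # AXB_X_ORIG_OMNIMS
RE_ONMS_REPLYTO = re.compile(r"@\w{5,30}\.onmicrosoft\.com\b", re.I)  # __ONMICROSOFT_REPLYTO
# Forefront verdict "marked as spam by the spam filter" (see David Skoll's post).
RE_SFV_SPM = re.compile(r"(?:^|;)\s*SFV:SPM\s*(?:;|$)")
# Constructed stand-in for the FreeMail plugin's freemail_domains list
# (r1533678 added onmicrosoft.com to it); the real list is far longer.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "onmicrosoft.com"}

def is_freemail(addr: str) -> bool:
    """Approximation of __freemail_replyto: the domain, or a parent domain, is listed."""
    domain = addr.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in FREEMAIL_DOMAINS)

def evaluate(raw: str) -> dict:
    """Return a True/False hit per rule for one message given as RFC 5322 text."""
    msg = message_from_string(raw, policy=policy.default)  # unfolds headers
    reply_to = str(msg.get("Reply-To", ""))
    hits = {
        "AXB_X_ORIG_OMNIMS": bool(RE_ORIG_OMNIMS.search(str(msg.get("X-OriginatorOrg", "")))),
        "__ONMICROSOFT_REPLYTO": bool(RE_ONMS_REPLYTO.search(reply_to)),
        "__freemail_replyto": is_freemail(parseaddr(reply_to)[1]),
        # Subrule name assumed here; the thread only shows the header value.
        "__FOREFRONT_SFV_SPM": bool(RE_SFV_SPM.search(str(msg.get("X-Forefront-Antispam-Report", "")))),
    }
    # meta KHOP_ONMS_REPLYTO_FREEMAIL AXB_X_ORIG_OMNIMS && !__ONMICROSOFT_REPLYTO && __freemail_replyto
    hits["KHOP_ONMS_REPLYTO_FREEMAIL"] = (hits["AXB_X_ORIG_OMNIMS"]
                                         and not hits["__ONMICROSOFT_REPLYTO"]
                                         and hits["__freemail_replyto"])
    return hits

# Constructed sample messages (not real mail); headers only.
TENANT_FORWARD = """\
From: Bob <bob@contoso.onmicrosoft.com>
Reply-To: bob@contoso.onmicrosoft.com
X-OriginatorOrg: contoso.onmicrosoft.com
Subject: Q4 numbers
"""
ADVANCE_FEE_SPAM = """\
From: Prize Dept <notify@abcde.onmicrosoft.com>
Reply-To: winner.claims@gmail.com
X-OriginatorOrg: abcde.onmicrosoft.com
X-Forefront-Antispam-Report: SFV:SPM;SRVR:EXAMPLE01;
Subject: You have won
"""
```

evaluate(TENANT_FORWARD) hits AXB_X_ORIG_OMNIMS and both subrules but not the meta, which is the legitimate-tenant case the thread calls a false positive; evaluate(ADVANCE_FEE_SPAM) fires the meta and the SFV:SPM subrule.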


Re: AXB_X_ORIG_OMNIMS is causing too many FPs

Posted by John Hardin <jh...@impsec.org>.
On Mon, 28 Oct 2013, Axb wrote:
>
> I'll disable this rule.

Convert it to a subrule, it may be useful in metas.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  3 days until Halloween

Re: AXB_X_ORIG_OMNIMS is causing too many FPs

Posted by José Borges Ferreira <un...@gmail.com>.
On 10/28/2013 04:57 PM, Axb wrote:
> I'll disable this rule.
Please follow John Hardin's advice and convert it to a subrule.

> It shows that Microsoft has a massive spam problem and very little is
> being done to solve it.

For the same reason Y!Mail should have a similar score (or worse :p).
If you exchange emails with companies hosted there, you realize
that MS is no different than the others. Or else you end up with a huge
FP rate like Gmail (i.e., Jari's response to this thread ended up in my
spam folder).

10x
José Borges Ferreira

Re: AXB_X_ORIG_OMNIMS is causing too many FPs

Posted by Axb <ax...@gmail.com>.
On 10/28/2013 05:51 PM, Kevin A. McGrail wrote:
> On 10/28/2013 12:48 PM, Jari Fredriksson wrote:
>> 28.10.2013 18:27, Jose Borges Ferreira wrote:
>>> I was wondering why MS customers will have a 2.696+ penalty.
>>>
>>> header AXB_X_ORIG_OMNIMS X-OriginatorOrg =~ /\.onmicrosoft\.com$/
>>> describe AXB_X_ORIG_OMNIMS outbound.protection.outlook.com forwarders
>>> score AXB_X_ORIG_OMNIMS                     2.696 2.799 2.696 2.799
>>>
>>> Any idea why it is so high?
>>>
>>> José Borges Ferreira
>>>
>> http://ruleqa.spamassassin.org/
>>
> While that is factual, I think a ceiling needs to be added to this rule
> perhaps 1 or 1.25.  It seems pretty high scoring for what appears to be
> microsoft's hosting solution.  What am I missing?

I'll disable this rule.

It shows that Microsoft has a massive spam problem and very little is 
being done to solve it.


Re: AXB_X_ORIG_OMNIMS is causing too many FPs

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/28/2013 12:48 PM, Jari Fredriksson wrote:
> 28.10.2013 18:27, Jose Borges Ferreira wrote:
>> I was wondering why MS customers will have a 2.696+ penalty.
>>
>> header AXB_X_ORIG_OMNIMS X-OriginatorOrg =~ /\.onmicrosoft\.com$/
>> describe AXB_X_ORIG_OMNIMS outbound.protection.outlook.com forwarders
>> score AXB_X_ORIG_OMNIMS                     2.696 2.799 2.696 2.799
>>
>> Any idea why it is so high?
>>
>> José Borges Ferreira
>>
> http://ruleqa.spamassassin.org/
>
While that is factual, I think a ceiling needs to be added to this rule 
perhaps 1 or 1.25.  It seems pretty high scoring for what appears to be 
microsoft's hosting solution.  What am I missing?

Re: AXB_X_ORIG_OMNIMS is causing too many FPs

Posted by Jari Fredriksson <ja...@iki.fi>.
28.10.2013 18:27, Jose Borges Ferreira wrote:
> I was wondering why MS customers will have a 2.696+ penalty.
>
> header AXB_X_ORIG_OMNIMS X-OriginatorOrg =~ /\.onmicrosoft\.com$/
> describe AXB_X_ORIG_OMNIMS outbound.protection.outlook.com forwarders
> score AXB_X_ORIG_OMNIMS                     2.696 2.799 2.696 2.799
>
> Any idea why it is so high?
>
> José Borges Ferreira
>
http://ruleqa.spamassassin.org/


-- 
jarif.bit