Posted to users@spamassassin.apache.org by Rob McEwen <ro...@invaluement.com> on 2018/10/02 13:36:42 UTC

FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

A client of mine wasn't getting my own hand-typed messages. 
Unfortunately, they had their SA set to block on a score of 3 (which is 
aggressive), and this particular rule hit plus a tiny bit of other 
things put it above 3. But what is weird - is that it was hitting on 
hand-typed messages from me - that I sent directly from my 
latest-version of Thunderbird. So this was NOT "forged" at all! (Also, I 
suspect that the bayes hit was due to previous such messages from me 
getting blocked and feeding his bayes?)

Any suggestions? Could my client be using a very old version of SA - 
where this is fixed already? (they are using SA from Kerio).

Here are the headers:

X-Kerio-Anti-Spam:  Build: [Engines: 2.15.8.1169, Stamp: 3], Multi: 
[Enabled, t: (0.000012,0.017258)], BW: [Enabled, t: (0.000013)], RTDA: 
[Enabled, t: (0.052863), Hit: No, Details: v2.7.15; Id: 
15.1i65djr.1conscun2.ocr1k], total: 0(700)
X-Spam-Status: Yes, hits=3.8 required=3.0
tests=KERIO_ANTI_SPAM: -0.000, AWL: -0.000, BAYES_50: 1.567,
FORGED_MUA_MOZILLA: 2.309, HTML_MESSAGE: 0.001, URIBL_BLOCKED: 0.001,
TOTAL_SCORE: 3.878,autolearn=no

Suggestions?

SIDE NOTE: I don't think there was any domain my message that was 
blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that 
only scored 0.001, so that was innocuous. I suspect that that rule is 
malfunctioning on their end, and then they changed the score to .001 - 
so just please ignore that for the purpose of this discussion.

-- 
Rob McEwen
https://www.invaluement.com



Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by Dave Warren <dw...@thedave.ca>.
> On Oct 2, 2018, at 13:49, Bill Cole <sa...@billmail.scconsult.com> wrote:
> 
> On 2 Oct 2018, at 13:39, Matus UHLAR - fantomas wrote:
> 
>>> On 2 Oct 2018, at 9:36, Rob McEwen wrote:
>>>> SIDE NOTE: I don't think there was any domain my message that was blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that only scored 0.001, so that was innocuous. I suspect that that rule is malfunctioning on their end, and then they changed the score to .001 - so just please ignore that for the purpose of this discussion.
>> 
>> On 02.10.18 11:48, Bill Cole wrote:
>>> No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is supposed to be a message to a mail admin that they are using URIBL wrong
>> 
>>> A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail filtering system that gets them chronically is mismanaged.
>> 
>> Nonsense. There is no such implication here. While URIBL_BLOCKED may and
>> most of the time apparently does mean that system uses DNS server shared
>> with too many clients, any system that receives and checks too much mail may
>> get URIBL_BLOCKED just because they have crossed the limit, without using it
>> wrong or being broken.
> 
> Operating a system in a manner which chronically crosses that limit is abusive.
> 
> The DNS reply that results in URIBL_BLOCKED is not "free" for the URIBL operators and depending on their software may be as expensive as sending a real reply. It has the advantage over simply dropping abusive queries that it does not impose timeout delays on abusive queriers and sends a clear signal that can and should be acted upon.


The DNSBL operator can also choose to use a frontend firewall/router/etc system to redirect the queries to a dedicated server which can reduce the packet per second rate that the authoritative DNS servers need to cope with.

Abusive queries can almost definitely be handled much faster by a small/dedicated server that does nothing but return one single wild carded response, reducing the impact that abusive users can have on the primary infrastructure.



Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2 Oct 2018, at 13:39, Matus UHLAR - fantomas wrote:

>> On 2 Oct 2018, at 9:36, Rob McEwen wrote:
>>> SIDE NOTE: I don't think there was any domain my message that was 
>>> blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
>>> that only scored 0.001, so that was innocuous. I suspect that that 
>>> rule is malfunctioning on their end, and then they changed the score 
>>> to .001 - so just please ignore that for the purpose of this 
>>> discussion.
>
> On 02.10.18 11:48, Bill Cole wrote:
>> No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
>> supposed to be a message to a mail admin that they are using URIBL 
>> wrong
>
>> A mail filtering system that gets URIBL_BLOCKED hits is broken. A 
>> mail filtering system that gets them chronically is mismanaged.
>
> Nonsense. There is no such implication here. While URIBL_BLOCKED may and
> most of the time apparently does mean that system uses DNS server shared
> with too many clients, any system that receives and checks too much mail may
> get URIBL_BLOCKED just because they have crossed the limit, without using it
> wrong or being broken.

Operating a system in a manner which chronically crosses that limit is 
abusive.

The DNS reply that results in URIBL_BLOCKED is not "free" for the URIBL 
operators and depending on their software may be as expensive as sending 
a real reply. It has the advantage over simply dropping abusive queries 
that it does not impose timeout delays on abusive queriers and sends a 
clear signal that can and should be acted upon.

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by John Hardin <jh...@impsec.org>.
On Tue, 2 Oct 2018, Matus UHLAR - fantomas wrote:

>> On 2 Oct 2018, at 9:36, Rob McEwen wrote:
>>> SIDE NOTE: I don't think there was any domain my message that was 
>>> blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that 
>>> only scored 0.001, so that was innocuous. I suspect that that rule is 
>>> malfunctioning on their end, and then they changed the score to .001 - so 
>>> just please ignore that for the purpose of this discussion.
>
> On 02.10.18 11:48, Bill Cole wrote:
>> No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
>> supposed to be a message to a mail admin that they are using URIBL wrong 
>
>> A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
>> filtering system that gets them chronically is mismanaged.
>
> Nonsense. There is no such implication here. While URIBL_BLOCKED may and
> most of the time apparently does mean that system uses DNS server shared
> with too many clients, any system that receives and checks too much mail may
> get URIBL_BLOCKED just because they have crossed the limit, without using it
> wrong or being broken.

And just to actually provide useful information to the OP:

Tell them that they need to set up a local, recursive, 
***NON-FORWARDING*** DNS server for the use of SA (and likely their MTA).

Searching for URIBL_BLOCKED in the mailing list archives will cover it in 
*excruciating* detail. It's a VFAQ.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Win95: Where do you want to go today?
   Vista: Where will Microsoft allow you to go today?
-----------------------------------------------------------------------
  551 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 2 Oct 2018, at 9:36, Rob McEwen wrote:
>>SIDE NOTE: I don't think there was any domain my message that was 
>>blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
>>that only scored 0.001, so that was innocuous. I suspect that that 
>>rule is malfunctioning on their end, and then they changed the score 
>>to .001 - so just please ignore that for the purpose of this 
>>discussion.

On 02.10.18 11:48, Bill Cole wrote:
>No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
>supposed to be a message to a mail admin that they are using URIBL 
>wrong 

>A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
>filtering system that gets them chronically is mismanaged.

Nonsense. There is no such implication here. While URIBL_BLOCKED may and
most of the time apparently does mean that system uses DNS server shared
with too many clients, any system that receives and checks too much mail may
get URIBL_BLOCKED just because they have crossed the limit, without using it
wrong or being broken.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have. 

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2 Oct 2018, at 9:36, Rob McEwen wrote:

> SIDE NOTE: I don't think there was any domain my message that was 
> blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
> that only scored 0.001, so that was innocuous. I suspect that that 
> rule is malfunctioning on their end, and then they changed the score 
> to .001 - so just please ignore that for the purpose of this 
> discussion.

No, "URIBL_BLOCKED" means that the URIBL DNS returned a value that is 
supposed to be a message to a mail admin that they are using URIBL wrong 
and will never get a useful answer without either (1) paying for a feed 
to support their usage volume or (2) using their own recursive resolver 
instead of forwarding queries to the likes of Google, OpenDNS, & 
CloudFlare.

A mail filtering system that gets URIBL_BLOCKED hits is broken. A mail 
filtering system that gets them chronically is mismanaged.
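To make the "value that is supposed to be a message to a mail admin" concrete, here is an added example (written for this thread, not SpamAssassin's own code) that decodes a multi.uribl.com answer the way the bit rules in SpamAssassin's 25_uribl.cf do: the reply is a 127.0.0.x address whose last octet is a bitmask, and bit 1 is the "blocked" notice rather than a listing. The DNS answers and the X-Spam-Status value fed to it are constructed samples (the status line mirrors the Kerio header posted earlier in the thread); no query is sent.

```python
import ipaddress
import re

# Bit values used by SpamAssassin's 25_uribl.cf
# "urirhssub ... multi.uribl.com. A <bit>" rules. The answer is a 127.0.0.x
# address whose last octet is a bitmask; bit 1 is the "you are blocked"
# signal, not a listing of the queried domain.
URIBL_BITS = {
    1: "URIBL_BLOCKED",
    2: "URIBL_BLACK",
    4: "URIBL_GREY",
    8: "URIBL_RED",
}


def decode_uribl_answer(answer):
    """Return the set of rule names implied by one A-record answer.
    Anything outside 127.0.0.0/8 is not a DNSBL result and yields nothing."""
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        return set()
    mask = int(addr) & 0xFF
    return {name for bit, name in URIBL_BITS.items() if mask & bit}


def resolver_is_blocked(answers):
    """True when any answer carries the blocked bit, i.e. URIBL is telling the
    querying resolver that it has exceeded the free-query limit. Any listing
    bits in the same answer set are then not trustworthy."""
    return any("URIBL_BLOCKED" in decode_uribl_answer(a) for a in answers)


def spam_status_reports_blocked(header_value):
    """Check an X-Spam-Status value for a URIBL_BLOCKED hit; handy when
    scanning stored mail or logs to see whether the problem is chronic."""
    return re.search(r"\bURIBL_BLOCKED\b", header_value) is not None


# Constructed sample answers (not captured from a live query).
LISTED_BLACK = ["127.0.0.2"]
LISTED_MULTI = ["127.0.0.14"]   # 2 + 4 + 8: black, grey and red at once
BLOCKED = ["127.0.0.1"]

# Constructed X-Spam-Status value in the Kerio format seen in this thread.
SAMPLE_STATUS = ("Yes, hits=3.8 required=3.0 tests=KERIO_ANTI_SPAM: -0.000, "
                 "AWL: -0.000, BAYES_50: 1.567, FORGED_MUA_MOZILLA: 2.309, "
                 "HTML_MESSAGE: 0.001, URIBL_BLOCKED: 0.001, "
                 "TOTAL_SCORE: 3.878,autolearn=no")

if __name__ == "__main__":
    for label, answers in (("black", LISTED_BLACK),
                           ("multi", LISTED_MULTI),
                           ("blocked", BLOCKED)):
        print(label, sorted(decode_uribl_answer(answers[0])),
              "blocked:", resolver_is_blocked(answers))
    print("header reports blocked:", spam_status_reports_blocked(SAMPLE_STATUS))
```

The practical reading: a 127.0.0.1 answer means the resolver the filter uses (typically a shared forwarder) is over the limit, so every URIBL listing check from that host is silently returning nothing useful, and the fix is on the querying side, not in the rule's score.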

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by RW <rw...@googlemail.com>.
On Wed, 3 Oct 2018 12:31:32 -0400
Rob McEwen wrote:


> I really don't think I've done anything unusual with my setup of 
> Thunderbird. Does anyone have other suggestions? Is there anything I
> can do with my Thunderbird settings to mitigate this?

My guess is that your client hasn't updated the rules in the 16
months since __MOZILLA_MSGID was updated for the new format, or has an
old version of SA that is no longer gets rule updates.

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by Rob McEwen <ro...@invaluement.com>.
The thread has gone somewhat off-topic, which is partly my own fault. 
The issues with URIBL misusage is a "side note", NOT the main purpose of 
this thread. (again, that is partly my fault since I mentioned that to 
begin with). Also, I want to make sure that everyone knows that it was 
my client (NOT ME!) that was using URIBL incorrectly. I'll educate my 
client to hopefully fix that problem soon.

NOW... BACK ON THE MAIN TOPIC:

On 10/2/2018 1:52 PM, Matus UHLAR - fantomas wrote:
>
>> Message-ID: <39...@invaluement.com>
>
> this does seem to match:
> MESSAGEID =~ 
> /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
>
> 8h-4h-4h-4h-12h@
>
> hmmm we need to look at
>
> (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER ||
> __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER ||
> __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)


I really don't think I've done anything unusual with my setup of 
Thunderbird. Does anyone have other suggestions? Is there anything I can 
do with my Thunderbird settings to mitigate this?

Thanks!

-- 
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032



Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 10/2/2018 9:59 AM, Matus UHLAR - fantomas wrote:
>>can you post the headers?
>>or at least the Message-Id?

On 02.10.18 11:07, Rob McEwen wrote:
>Here is the message as THEIR system saw it (with my client's info 
>masked)  - but it looks like their Kerio (or the customer's email 
>client?) might not be storing everything as it was originally sent? 

it's possible. It _could_ cause the problem. 

>...but this is what my client sent me, fwiw:
>------------------------------------------------------------
>
>Received: from mail.powerviewmail.com 
><http://mail.powerviewmail.com>([204.9.77.40])
>by XXXXXXXXwith ESMTPS
>(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
>for XXXXXXXX;
>Mon, 1 Oct 2018 15:17:10 +0200
>DKIM-Signature: a=rsa-sha256; t=1538399816; x=1539004616; 
>s=ivm_invaluement; d=invaluement.com <http://invaluement.com>; 
>c=relaxed/relaxed; v=1; 
>bh=C6QzEUsPRf8EoiIEIhSF1hnXxy9JIlmjGFO/079v4QQ=; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:In-Reply-To:References;
>b=V5Sv2lZUWL4P29pcEVY6r/8uFRcuNL1hR794r6M1TJZcvw+i4vTgrvWf+CKSN/F1f2FS/0CdF4UCux+dS/vFjj3X9fdmwv9jpizZqwvJseyCYEmT2HItdeqo0NfNIoQwziEPDMgYS3f35iWlcb7wqrPjfx5EslHr+oC0eoeGBaA=
>Received: from [204.9.77.40] ([204.9.77.40])
>        by mail.powerviewmail.com 
><http://mail.powerviewmail.com>(IceWarp 12.0.2.1 x64) with ASMTP id 
>201810010916565985
>        for <XXXXXXXX>; Mon, 01 Oct 2018 09:16:

No message-id here, but also no X-Spam headers.

>Here is an excerpt from the headers, copied from the message in my 
>Thunderbird "sent" folder:

unwrapped:

>Message-ID: <39...@invaluement.com>

this does seem to match:
MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m

8h-4h-4h-4h-12h@

hmmm we need to look at

(__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER ||
__WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER ||
__HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)




-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by Rob McEwen <ro...@invaluement.com>.
On 10/2/2018 9:59 AM, Matus UHLAR - fantomas wrote:
> can you post the headers?
> or at least the Message-Id?


Matus... first, THANKS for your help with this!

Here is the message as THEIR system saw it (with my client's info 
masked)  - but it looks like their Kerio (or the customer's email 
client?) might not be storing everything as it was originally sent? 
...but this is what my client sent me, fwiw:
------------------------------------------------------------

Received: from mail.powerviewmail.com 
<http://mail.powerviewmail.com>([204.9.77.40])
by XXXXXXXXwith ESMTPS
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
for XXXXXXXX;
Mon, 1 Oct 2018 15:17:10 +0200
DKIM-Signature: a=rsa-sha256; t=1538399816; x=1539004616; 
s=ivm_invaluement; d=invaluement.com <http://invaluement.com>; 
c=relaxed/relaxed; v=1; bh=C6QzEUsPRf8EoiIEIhSF1hnXxy9JIlmjGFO/079v4QQ=; 
h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:In-Reply-To:References;
b=V5Sv2lZUWL4P29pcEVY6r/8uFRcuNL1hR794r6M1TJZcvw+i4vTgrvWf+CKSN/F1f2FS/0CdF4UCux+dS/vFjj3X9fdmwv9jpizZqwvJseyCYEmT2HItdeqo0NfNIoQwziEPDMgYS3f35iWlcb7wqrPjfx5EslHr+oC0eoeGBaA=
Received: from [204.9.77.40] ([204.9.77.40])
         by mail.powerviewmail.com 
<http://mail.powerviewmail.com>(IceWarp 12.0.2.1 x64) with ASMTP id 
201810010916565985
         for <XXXXXXXX>; Mon, 01 Oct 2018 09:16:


Here is an excerpt from the headers, copied from the message in my 
Thunderbird "sent" folder:
------------------------------------------------------------

References: <55...@invaluement.com> 
<7c...@invaluement.com> 
<c3...@invaluement.com> 
<1b...@invaluement.com> Message-ID: 
<39...@invaluement.com> 
Disposition-Notification-To: Rob McEwen <ro...@invaluement.com> Date: Mon, 
1 Oct 2018 09:16:55 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; 
WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 
In-Reply-To: <1b...@invaluement.com> 
Content-Type: multipart/mixed; 
boundary="------------54AEB3A413950E8E0A41E1A8" Content-Language: en-US

------------------------------------------------------------

The time difference makes sense because their time zone is 6 hours ahead of mine.


-- 
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032



Re: FPs on FORGED_MUA_MOZILLA (for my own hand-typed messages from my latest-version Thunderbird)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 02.10.18 09:36, Rob McEwen wrote:
>A client of mine wasn't getting my own hand-typed messages. 
>Unfortunately, they had their SA set to block on a score of 3 (which 
>is aggressive), and this particular rule hit plus a tiny bit of other 
>things put it above 3. But what is weird - is that it was hitting on 
>hand-typed messages from me - that I sent directly from my 
>latest-version of Thunderbird. So this was NOT "forged" at all! (Also, 
>I suspect that the bayes hit was due to previous such messages from me 
>getting blocked and feeding his bayes?)
>
>Any suggestions? Could my client be using a very old version of SA - 
>where this is fixed already? (they are using SA from Kerio).
>
>Here are the headers:
>
>X-Kerio-Anti-Spam:  Build: [Engines: 2.15.8.1169, Stamp: 3], Multi: 
>[Enabled, t: (0.000012,0.017258)], BW: [Enabled, t: (0.000013)], RTDA: 
>[Enabled, t: (0.052863), Hit: No, Details: v2.7.15; Id: 
>15.1i65djr.1conscun2.ocr1k], total: 0(700)
>X-Spam-Status: Yes, hits=3.8 required=3.0
>tests=KERIO_ANTI_SPAM: -0.000, AWL: -0.000, BAYES_50: 1.567,
>FORGED_MUA_MOZILLA: 2.309, HTML_MESSAGE: 0.001, URIBL_BLOCKED: 0.001,
>TOTAL_SCORE: 3.878,autolearn=no
>
>Suggestions?

can you post the headers?
or at least the Message-Id?

meta	FORGED_MUA_MOZILLA		(__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
header	__MOZILLA_MUA			User-Agent =~ /^mozilla\b/i
header	__MOZILLA_MSGID			MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
meta	__UNUSABLE_MSGID		(__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)
header	__HOTMAIL_BAYDAV_MSGID		MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m
header	__IPLANET_MESSAGING_SERVER	Received =~ /iPlanet Messaging Server/
header	__LYRIS_EZLM_REMAILER		List-Unsubscribe =~ /<mailto:(?:leave-\S+|\S+-unsubscribe)\@\S+>$/
header	__SYMPATICO_MSGID		MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m
header	__WACKY_SENDMAIL_VERSION	Received =~ /\/CWT\/DCE\)/


>SIDE NOTE: I don't think there was any domain my message that was 
>blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but 
>that only scored 0.001, so that was innocuous. I suspect that that 
>rule is malfunctioning on their end, and then they changed the score 
>to .001 - so just please ignore that for the purpose of this 
>discussion.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.
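Added example (written for this thread, not SpamAssassin's own code): a Python port of the rules Matus quoted above, run against constructed headers to show why a current ruleset does not fire on a new-style Thunderbird Message-ID while an out-of-date one does, which is the diagnosis RW offers. The User-Agent string is the one from Rob's "sent" folder excerpt; both Message-IDs are made up (the real one is masked in the thread); __GATED_THROUGH_RCVD_REMOVER is not defined on the page and is treated as never hitting; and the "stale ruleset" pattern is an assumption, taken to be the current __MOZILLA_MSGID without its UUID alternative.

```python
import re

# Python ports of the SpamAssassin header sub-rules quoted in the post above
# (Perl regexes transcribed for Python's re module).
RULES = {
    "__MOZILLA_MUA": ("User-Agent", re.compile(r"^mozilla\b", re.I)),
    "__MOZILLA_MSGID": ("Message-ID", re.compile(
        r"^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}"      # 8h-4h-4h-4h-12h form
        r"|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})@\S+>$", re.M)),  # classic HEX.HEX form
    "__HOTMAIL_BAYDAV_MSGID": ("Message-ID", re.compile(
        r"^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}@phx\.gbl>$", re.M)),
    "__SYMPATICO_MSGID": ("Message-ID", re.compile(
        r"^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}@CEZ\.ICE>$", re.M)),
    "__IPLANET_MESSAGING_SERVER": ("Received", re.compile(r"iPlanet Messaging Server")),
    "__WACKY_SENDMAIL_VERSION": ("Received", re.compile(r"/CWT/DCE\)")),
    "__LYRIS_EZLM_REMAILER": ("List-Unsubscribe", re.compile(
        r"<mailto:(?:leave-\S+|\S+-unsubscribe)@\S+>$")),
}

# Members of __UNUSABLE_MSGID as listed in the quoted meta rule.
# __GATED_THROUGH_RCVD_REMOVER is not defined on the page, so it never hits here.
UNUSABLE_MSGID = {
    "__LYRIS_EZLM_REMAILER", "__GATED_THROUGH_RCVD_REMOVER",
    "__WACKY_SENDMAIL_VERSION", "__IPLANET_MESSAGING_SERVER",
    "__HOTMAIL_BAYDAV_MSGID", "__SYMPATICO_MSGID",
}

# ASSUMED pre-update form of __MOZILLA_MSGID: the current rule minus the
# UUID alternative. Used only to reproduce the FP an out-of-date ruleset gives.
OLD_MOZILLA_MSGID = ("Message-ID",
                     re.compile(r"^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}@\S+>$", re.M))


def sub_rule_hits(headers, overrides=None):
    """Evaluate each header sub-rule against headers ({name: [values]}).
    Repeated headers such as Received are checked one value at a time."""
    rules = dict(RULES)
    rules.update(overrides or {})
    hits = set()
    for name, (header, pattern) in rules.items():
        if any(pattern.search(value) for value in headers.get(header, [])):
            hits.add(name)
    return hits


def forged_mua_mozilla(headers, overrides=None):
    """Meta rule: (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)."""
    hits = sub_rule_hits(headers, overrides)
    return ("__MOZILLA_MUA" in hits
            and not (hits & UNUSABLE_MSGID)
            and "__MOZILLA_MSGID" not in hits)


# Constructed sample headers. The User-Agent is the one from the thread;
# the Message-IDs are made up to illustrate the two Mozilla formats.
THUNDERBIRD_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) "
                  "Gecko/20100101 Thunderbird/52.9.1")
NEW_STYLE = {"User-Agent": [THUNDERBIRD_UA],
             "Message-ID": ["<39a1b2c3-4d5e-6f70-8192-a3b4c5d6e7f8@invaluement.com>"]}
OLD_STYLE = {"User-Agent": [THUNDERBIRD_UA],
             "Message-ID": ["<5BB2F0A7.3050401@invaluement.com>"]}
FOREIGN_ID = {"User-Agent": [THUNDERBIRD_UA],
              "Message-ID": ["<bulk-12345@example.invalid>"]}  # neither Mozilla form

if __name__ == "__main__":
    print("current rules, new-style ID:", forged_mua_mozilla(NEW_STYLE))
    print("current rules, old-style ID:", forged_mua_mozilla(OLD_STYLE))
    print("current rules, foreign ID:  ", forged_mua_mozilla(FOREIGN_ID))
    print("stale rules,   new-style ID:",
          forged_mua_mozilla(NEW_STYLE, {"__MOZILLA_MSGID": OLD_MOZILLA_MSGID}))
```

With the current __MOZILLA_MSGID both Thunderbird formats are recognised and the meta rule stays quiet; swap in the assumed older pattern and the 8h-4h-4h-4h-12h Message-ID is no longer recognised, so a genuine Thunderbird message scores as "forged". That is the check worth running against the receiving side's actual rule files before touching anything in the sender's client.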