Configuring spamassassin scoring

MopeyGecko

Hi All,

I'm new to spamassassin configuration and would be grateful of some help with scoring. I am trying to work out why an email with the following headers was not flagged as spam
Delivery-date: Wed, 06 Apr 2022 15:23:09 +0100
Received: from mail.strivereel.net ([23.184.48.40])
by xxxx with esmtps (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(Exim 4.95)
(envelope-from [PII-REMOVED])
id 1nc6Ya-0001Ip-Ue
for [PII-REMOVED];
Wed, 06 Apr 2022 15:23:09 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=default; d=strivereel.net;
h=Mime-Version:Content-Type:Message-ID:To:From:Reply-To:Subject:Date;
[email protected];
bh=uXXAVWKUjmXdVBhsuwp0XDig0C7klyvIn+Eo/Smm4LY=;
b=KJhwVS6szcOfWML89II4mVzSI/yRkJVgN01RlOaPf+bib/ABB/DSBwXku6VvfhOlDZ1qhr3lhXgh
CnQy62pJ+7ZzR23urJqT5rO3LsCXWLLdz8qDSp57CL8yQWGrhUp6ly406yVIXihCFZqYwnv2iwkb
au9Qip51FL4vSh57cP8=
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="H0PSITHIXCAXP7K8XI93YYJP6EUV7FSN21JZYGT5UR90JDLDS"
Message-ID: [email protected]
To: [PII-REMOVED]
From: Preston Studios [email protected]
Reply-To: [email protected]
Subject: New apartments from 82,000 pounds with assured 9% NET per annum
Date: Wed, 6 Apr 2022 15:25:20 +0100
Forward-Confirmed-ReverseDNS: Reverse and forward lookup success on 23.184.48.40, -10 Spam score
SPFCheck: Server passes SPF test, -30 Spam score
X-DKIM: signer='strivereel.net' status='pass' reason=''
DKIMCheck: Server passes DKIM test, -20 Spam score
X-DKIM: signer='[email protected]' status='pass' reason=''
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software, running on the system "xxx",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: New apartments from 82,000 with assured 9% NET per annum
Exceptionally rare dual-use studio apartments in prosperous Preston Pre-launch
offer - limited availability - cash only
Content analysis details: (-0.2 points, 1.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: strivereel.net]
0.0 RCVD_IN_MSPIKE_L4 RBL: Bad reputation (-4)
[23.184.48.40 listed in bl.mailspike.net]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
0.0 LOTS_OF_MONEY Huge... sums of money
-0.0 T_SCC_BODY_TEXT_LINE No description available.
SpamTally: Final spam score: -81

From this I've been able to work out there was an issue with URIBL which I believe is now resolved by updating resolv.conf with the local name server details. Would that alone be enough for this mail to not be flagged as spam?

In addition to this however it looks like the spam scoring for the MSPIKE checks is not right? If I'm understanding correctly the sender is listed in the L4 and BL lists but this is not affecting the score? Should this be adding to the score and if so where do I configure the values?

Finally how does the X-Spam-Score relate to the SpamTally header?

Many thanks for any help.

Andy
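To see at a glance which rules fired but carried no weight, here is an added Python example (my own, not code from the thread or from SpamAssassin) that parses the rule table of the X-Spam-Report quoted above, re-adds the scores and lists the DNSBL/URIBL hits that contributed 0.0 points; the report text is a constructed copy of the one in the post.

```python
import re

# Constructed sample: the rule table from the X-Spam-Report in the post above,
# including the wrapped description lines, so the parser has to fold them.
SAMPLE_REPORT = """\
Content analysis details: (-0.2 points, 1.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: strivereel.net]
0.0 RCVD_IN_MSPIKE_L4 RBL: Bad reputation (-4)
[23.184.48.40 listed in bl.mailspike.net]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
0.0 LOTS_OF_MONEY Huge... sums of money
-0.0 T_SCC_BODY_TEXT_LINE No description available.
"""

# A rule line starts with a signed score, then an upper-case rule name.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s*(.*)$")
VERDICT = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")

def parse_report(report):
    """Return (rule_name, score, description) tuples; wrapped lines are folded in."""
    rules = []
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append([m.group(2), float(m.group(1)), m.group(3)])
        elif rules and line.strip():          # continuation of the previous rule
            rules[-1][2] += " " + line.strip()
    return [tuple(r) for r in rules]

def total_score(rules):
    """Re-add the per-rule points; should equal what SpamAssassin reported."""
    return round(sum(score for _, score, _ in rules), 1)

def reported_verdict(report):
    """(points, required) exactly as printed in the summary line."""
    m = VERDICT.search(report)
    return float(m.group(1)), float(m.group(2))

def zero_weight_hits(rules, pattern=r"RCVD_IN_|URIBL_"):
    """Blocklist rules that matched but added nothing to the score."""
    return [name for name, score, _ in rules if score == 0.0 and re.search(pattern, name)]

if __name__ == "__main__":
    rules = parse_report(SAMPLE_REPORT)
    print("sum of rule scores:", total_score(rules), "reported:", reported_verdict(SAMPLE_REPORT))
    print("listed but zero-weighted:", zero_weight_hits(rules))
```

Running it on this report gives the three zero-weighted blocklist hits, which is why the listings in the post did not move the score.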
 
It tells you why it fails
[URIs: strivereel.net]
0.0 RCVD_IN_MSPIKE_L4 RBL: Bad reputation (-4)
[23.184.48.40 listed in bl.mailspike.net]

Code:
0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted

Blacklist lookup result (from the screenshot):

Status   Blacklist      Reason                      TTL   ResponseTime
LISTED   Spamhaus DBL   strivereel.net was listed

 
It is not failing. That is the issue. It is saying it is listed in the blacklist but as far as I can tell the spam score for the email is not being affected.

0.0 RCVD_IN_MSPIKE_BL

0 points
 
I think I found the cause.
If you go and look up strivereel.net then indeed you get a bad listing. That domain is blacklisted. However.... you have to look really carefully at the headers.
The domain strivereel.net has the IP address 50.7.105.236.
The mail is sent from mail.strivereel.net with IP 23.184.48.40.

If you check the blacklists for that IP, you will see that it's not in the commonly used blacklists, so that is the reason the mail still passes.

The spammers were smart doing it this way, because this way the SPF and DKIM of the domain are used, which lowers the spam score, and the new IP is not yet known for spamming, so it is not in the known blacklists.

Resolution: Report that mail with headers to Spamcop.
 