SpamAssassin Bug??

modem

Has anyone else seen this before:

----
X-Spam-Status: No, hits=-94.1 required=4.0
----

I'm getting quite a few messages that I think SA should catch as spam, but when I have Outlook show the options, it shows negative numbers for hits. Obviously they are below 0, so they don't get flagged as spam, but is it me or is this an issue? I have SA 2.63.

Brad
 
They are negative because certain SA rules are marking them negative.

If they are spam and if they have negative numbers, then the spammers are getting really good at tricking SA, or your SA rules are faulty.

Figuring out which would require examining all the headers SA adds to the incoming email.

Jeff
 
I'd say 2-3 out of every 100 spams that come through have the negative numbers. That is, 100 of the spams at the 0.0 - 4.5 point level. Next one that comes through I'll display the headers, because I doubt my rules are bad if only so few are being marked as negative.
 
I look forward to seeing those headers.

We don't analyze spam that makes it through SA to determine why; it's more effective for us to just check the headers and add the servers to our own private RBL which we run for our own servers and for commercial subscribers to SpamBlocker.

Jeff
 
I noticed that too, but wasn't sure if not seeing any RBL info was normal or not. I did send a test message to: [email protected] to run one of those RBL tests. Here is the reply I got from the test:

----------------------------------------
Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so I use your envelope sender as the To: address.

I connected to 192.216.133.217 and here's the conversation I had:

220 stargatesg1.modemnet.biz ESMTP Exim 4.34 Mon, 11 Oct 2004 14:18:37 -0400
helo sbl.crynwr.com
250 stargatesg1.modemnet.biz Hello sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:<[email protected]>
550 to unblock sbl.crynwr.com see http://www.example.com/
Terminating conversation
-----------------------------------------

Apparently from that it says that the RBLs are working fine...?
 
Looks right from here.

Hopefully you don't really try to direct people to example.com.

The DA folk have never bothered to tell anyone that they need to edit the exim.conf file.

If you haven't done so already, please read the comments in the exim.conf file and prepare a website.

Thanks.

Jeff
 
I'm already working on that and getting a PHP page set up to allow someone to contact me to add their domain to a whitelist, etc. Although my primary concern is making sure the majority of spam is filtered out first.
 
It took me 2 days, but finally another one with a negative value came through. Here are the headers for it. Hopefully it provides something useful:


Return-path: <********@modemnet.net>
Envelope-to: ********@modemnet.org
Delivery-date: Wed, 13 Oct 2004 01:51:21 -0400
Received: from mail by stargatesg1.modemnet.biz with spam-scanned (Exim 4.34)
id 1CHc2j-0005yV-DM
for ********@modemnet.org; Wed, 13 Oct 2004 01:51:21 -0400
Received: from sitemail2.everyone.net ([216.200.145.36] helo=omta12.mta.everyone.net)
by stargatesg1.modemnet.biz with esmtp (Exim 4.34)
id 1CHc2j-0005yS-5l
for ********@modemnet.org; Wed, 13 Oct 2004 01:51:21 -0400
Received: from imta01.mta.everyone.net (bigip34 [216.200.145.26])
by omta12.mta.everyone.net (Postfix) with ESMTP id 8C3CA4175C
for <********@modemnet.org>; Tue, 12 Oct 2004 22:51:36 -0700 (PDT)
Received: by imta01.mta.everyone.net (Postfix)
id 6BE8750855; Tue, 12 Oct 2004 22:51:36 -0700 (PDT)
Delivered-To: [email protected]
Received: from pmta03.mta.everyone.net (bigiplb-dsnat [172.16.0.19])
by imta01.mta.everyone.net (Postfix) with ESMTP id 2127950853
for <********@modemnet.net>; Tue, 12 Oct 2004 22:51:36 -0700 (PDT)
Received: from modemnet.net (68.201.10.25 [68.201.10.25])
by pmta03.mta.everyone.net (EON-PMTA) with SMTP id 67877A80
for <********@modemnet.net>; Tue, 12 Oct 2004 22:51:36 -0700
Message-ID: <029f01c4b0e9$6e59414a$f9660af3@NetworkServer>
From: "Jessica Smith" <********@modemnet.net>
Cc: <[email protected]>
Subject: Want to enlarge your penis up to 5 inches? YE0F
Date: Wed, 13 Oct 2004 01:51:38 -0400
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 2
X-Mailer: SMTP
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
stargatesg1.modemnet.biz
X-Spam-Level:
X-Spam-Status: No, hits=-96.1 required=3.5 tests=HTML_40_50,
HTML_FONTCOLOR_UNSAFE,HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_ONLY,
PENIS_ENLARGE,PENIS_ENLARGE2,USER_IN_WHITELIST autolearn=no
version=2.63
 
Well, as you can see:

X-Spam-Status: No, hits=-96.1 required=3.5 tests=HTML_40_50,
HTML_FONTCOLOR_UNSAFE,HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_ONLY,
PENIS_ENLARGE,PENIS_ENLARGE2,USER_IN_WHITELIST autolearn=no
version=2.63

HTML_40_50,
HTML_FONTCOLOR_UNSAFE,HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_ONLY,
PENIS_ENLARGE,PENIS_ENLARGE2

These give, let's say, +50 points, but this:


USER_IN_WHITELIST

will let SpamAssassin pass the spam (-100, maybe -150 points).

So the email address it's coming from is in the whitelist!

I would recommend examining your whitelist.
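
An added example (my code, not from the original post or from SpamAssassin) that automates the check the reply above does by hand: it parses a message's X-Spam-Status, subtracts the whitelist rule's score to show what the content rules scored on their own, and flags a local From: domain that was handed to the MX by a non-local relay. The sample message, host names, queue ids and IPs are constructed; the -100 score for USER_IN_WHITELIST is the stock 2.63 value as assumed here and should be checked against the installed scores file.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed stock score of SpamAssassin 2.63's USER_IN_WHITELIST rule; confirm
# against the 50_scores.cf actually installed before trusting the arithmetic.
WHITELIST_RULE_SCORES = {"USER_IN_WHITELIST": -100.0}

# Constructed sample modelled on the headers posted in the thread. Host names,
# addresses, IPs and queue ids are placeholders, not the original message.
SAMPLE = (
    "Received: from mail by mx.example.net with spam-scanned (Exim 4.34)\n"
    "\tid 1AAAAA-000001-AA\n"
    "\tfor victim@example.net; Wed, 13 Oct 2004 01:51:21 -0400\n"
    "Received: from relay.example.org ([203.0.113.36] helo=omta.example.org)\n"
    "\tby mx.example.net with esmtp (Exim 4.34)\n"
    "\tid 1AAAAA-000002-AA\n"
    "\tfor victim@example.net; Wed, 13 Oct 2004 01:51:21 -0400\n"
    'From: "Jessica Smith" <victim@example.net>\n'
    "Cc: <victim@example.net>\n"
    "Subject: constructed test message\n"
    "X-Spam-Status: No, hits=-96.1 required=3.5 tests=HTML_40_50,\n"
    "\tHTML_FONTCOLOR_UNSAFE,HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_ONLY,\n"
    "\tPENIS_ENLARGE,PENIS_ENLARGE2,USER_IN_WHITELIST autolearn=no\n"
    "\tversion=2.63\n"
    "\n"
    "(body)\n"
)


def parse_spam_status(value):
    """Parse an X-Spam-Status header (folded or not) into hits, threshold, rules."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = re.search(r"hits=(-?\d+(?:\.\d+)?) required=(\d+(?:\.\d+)?)", flat)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % flat)
    t = re.search(r"tests=(.*?)(?: autolearn=| version=|$)", flat)
    tests = [x for x in re.split(r"[,\s]+", t.group(1)) if x] if t else []
    return {"hits": float(m.group(1)), "required": float(m.group(2)), "tests": tests}


def connecting_ip(msg):
    """IP of the host that handed the message to our MX: the first Received
    header from the top that carries a bracketed IPv4 address. The local
    'from mail by ... with spam-scanned' hop has none and is skipped."""
    for received in msg.get_all("Received", []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
        if m:
            return m.group(1)
    return None


def analyze(raw, local_domains, local_ips, whitelist_scores=WHITELIST_RULE_SCORES):
    """Explain a negative score: which whitelist rule fired, what the content
    rules scored on their own, and whether a local From: domain arrived from
    a non-local relay (the forged-sender pattern discussed in the thread)."""
    msg = message_from_string(raw)
    status = parse_spam_status(msg.get("X-Spam-Status", ""))
    fired = [r for r in status["tests"] if r in whitelist_scores]
    without = status["hits"] - sum(whitelist_scores[r] for r in fired)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = connecting_ip(msg)
    forged = sender_domain in local_domains and ip is not None and ip not in local_ips
    return {
        "hits": status["hits"],
        "required": status["required"],
        "whitelist_rules": fired,
        "score_without_whitelist": without,
        "would_be_spam_without_whitelist": without >= status["required"],
        "connecting_ip": ip,
        "forged_local_sender": forged,
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE, {"example.net"}, {"127.0.0.1"}).items():
        print("%-32s %s" % (k, v))
```

On the constructed sample the content rules alone come to 3.9, above the 3.5 threshold, so only the whitelist entry lets it through. The diagnosis in the thread holds: `whitelist_from` compares only the From: address, which the sender writes. SpamAssassin 2.6x also has `whitelist_from_rcvd`, which additionally requires the relaying host's reverse DNS to match, and that is the usual replacement for a whitelisted local domain.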
 
I did some checking and it says it came from my own address, when obviously that is not possible. modemnet.net is in my whitelist because it is my own domain name, but in the following part of the header it has (those blanked-out addresses are my personal one):

Message-ID: <029f01c4b0e9$6e59414a$f9660af3@NetworkServer>
From: "Jessica Smith" <********@modemnet.net>
Cc: <********@modemnet.net>

Which says it's coming from me... but like I said, it's obviously not. New spamming trick we are seeing?
 
Well, don't know :D I've got plenty of mail that is coming from me and my server, and it is still tagged.

I use the SpamBlocker config on this forum, and let it do a reverse lookup on the host, so it will kill the connection when it says "Hi, I'm server01.fusion-ict.nl" :D because its IP doesn't match.
 
modem said:
Which says it's coming from me... but like I said, it's obviously not. New spamming trick we are seeing?
Let's just call it a 'work-around' :( .

Is your from address whitelisted?

If so, un-whitelist it.

If not, then you've found a hole in SpamAssassin. You could bring it to the SpamAssassin group (for example, by joining and posting to their mailing list), or perhaps you could fix it for them ;) .

Jeff
 
This isn't a bug. He just needs to add reverse DNS lookup to check if the origin mail server is who he says he is.

This can be done simply in the SpamBlocker exim config.

# DO HOST LOOKUP
# OPTIONAL MODIFICATIONS:
# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = *
 
That reverse lookup part is already turned on in the exim.conf config file. Although I'm wondering if I need to make modifications in BIND because it seems like it's not working.

Plus, off topic, it seems like the RBLs aren't working. I'm spending this week recording the amount of SA-tagged spams, untagged spams, and false positives that I get at different point levels, starting at 2.0 and working up to 10 in steps of 0.5. For example, yesterday I went for 24 hours catching all spam, and by the end of the time period I had 93 untagged spams and 106 that SA had tagged, all at the 3.5 point level. Is it just me, or does it seem like those 93 are way too many to be getting through, either past SA or past the RBLs?
 
modem said:
That reverse lookup part is already turned on in the exim.conf config file. Although I'm wondering if I need to make modifications in BIND because it seems like it's not working.
If BIND works otherwise, there's no modification that needs to be made.

If you're using your local DNS server in /etc/resolv.conf, then you need to make sure it's a recursive server, and by default, it is.

I've explained why that test will not work as fusionictnl expects in another post today. You can't (and we don't, and exim doesn't) reject email because the reverse DNS doesn't match. You can reject it if there is no reverse DNS, and you can temporarily reject it if you can't resolve the forward or reverse DNS.
Plus, off topic, it seems like the RBLs aren't working.
The way to tell if SpamBlocker is working is to check the /var/log/exim/rejectlog file to see if the SpamBlocker error message (you can see it in the exim.conf file) is appearing in the logs.

If it's not, then you need to make sure the necessary files have been created in /etc/virtual directory (instructions are in comments in the SpamBlocker exim.conf file), and that you've restarted Exim since you changed the exim.conf file and/or created the files.

If that still doesn't work, then you probably require help with SpamBlocker. We give away SpamBlocker, and it works for a lot of people, and we're happy to support it here as best we're able, but when we have to log on to your system, we do charge for commercial support, so perhaps it's best you check out every other option first.
I'm spending this week recording the amount of SA-tagged spams, untagged spams, and false positives that I get at different point levels, starting at 2.0 and working up to 10 in steps of 0.5. For example, yesterday I went for 24 hours catching all spam, and by the end of the time period I had 93 untagged spams and 106 that SA had tagged, all at the 3.5 point level. Is it just me, or does it seem like those 93 are way too many to be getting through, either past SA or past the RBLs?
Perhaps, but unless we know how much total spam is being blocked, and/or how much total email you're receiving, we can't tell if that's a lot or not. In 24 hours we get about 15,000 emails on the one server we watch closely. So 93 getting through would be a 99.37% catch rate. Which would be excellent.

Jeff
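
An added example (my code, not part of the thread, of SpamBlocker or of Exim) showing the three outcomes Jeff distinguishes above, and why the `host_lookup = *` setting quoted earlier is only half the story: reject when there is no reverse DNS at all, temporarily reject when the lookup itself fails, and merely record (never reject on) a forward/reverse mismatch. The resolver is injectable so the policy runs offline against a constructed table; the glibc h_errno values used in SystemResolver are an assumption about the platform.

```python
import socket


class DnsTempFail(Exception):
    """SERVFAIL, timeout or similar: the answer is unknown, not 'no record'."""


class FakeResolver:
    """Table-driven resolver so the policy can be exercised offline. A PTR
    entry of None models a temporary lookup failure. (Constructed data.)"""

    def __init__(self, ptr, a):
        self.ptr_table, self.a_table = ptr, a

    def ptr(self, ip):
        names = self.ptr_table.get(ip, [])
        if names is None:
            raise DnsTempFail("SERVFAIL for PTR of %s" % ip)
        return names

    def a(self, name):
        addrs = self.a_table.get(name, [])
        if addrs is None:
            raise DnsTempFail("SERVFAIL for A of %s" % name)
        return addrs


class SystemResolver:
    """Real lookups through the C library. Assumes glibc's h_errno values:
    HOST_NOT_FOUND (1) is a definite 'no record', TRY_AGAIN (2) is temporary."""

    def ptr(self, ip):
        try:
            return [socket.gethostbyaddr(ip)[0]]
        except socket.herror as e:
            if e.args and e.args[0] == 2:
                raise DnsTempFail(str(e))
            return []

    def a(self, name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror as e:
            if e.errno == getattr(socket, "EAI_AGAIN", -3):
                raise DnsTempFail(str(e))
            return []


def classify_client(ip, resolver):
    """Decide what an MTA may do about a connecting IP based on reverse DNS.

    reject: permanent 5xx, because no PTR record exists at all;
    defer:  temporary 4xx, because the lookup itself failed (sender retries);
    accept: a PTR exists. Whether it forward-confirms is recorded, not
            enforced: NATed and multi-homed relays legitimately fail that."""
    try:
        names = resolver.ptr(ip)
    except DnsTempFail as e:
        return {"verdict": "defer", "fcrdns": None, "reason": "reverse lookup: %s" % e}
    if not names:
        return {"verdict": "reject", "fcrdns": False, "reason": "no reverse DNS for %s" % ip}
    try:
        forward = {addr for name in names for addr in resolver.a(name)}
    except DnsTempFail as e:
        return {"verdict": "defer", "fcrdns": None, "reason": "forward lookup: %s" % e}
    if ip in forward:
        return {"verdict": "accept", "fcrdns": True,
                "reason": "%s forward-confirmed as %s" % (ip, names[0])}
    return {"verdict": "accept", "fcrdns": False,
            "reason": "%s claims %s, which does not resolve back (logged only)" % (ip, names[0])}


# Constructed table, one host per outcome, using documentation-range addresses.
DEMO = FakeResolver(
    ptr={
        "198.51.100.10": ["mail.example.org"],    # proper forward-confirmed rDNS
        "198.51.100.11": [],                      # no PTR record at all
        "198.51.100.12": ["bogus.example.org"],   # PTR names a host that points elsewhere
        "198.51.100.13": None,                    # resolver broken or timed out
    },
    a={"mail.example.org": ["198.51.100.10"], "bogus.example.org": ["203.0.113.5"]},
)

if __name__ == "__main__":
    for ip in sorted(DEMO.ptr_table):
        print(ip, classify_client(ip, DEMO))
```

In Exim terms, `host_lookup = *` only performs the reverse lookup and fills in the host name used in log lines; whether a connection is then refused, deferred or accepted is a separate ACL decision, which is where the distinction above has to be made.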
 
It appears things are starting to work now. I checked my reject log in exim and I now have a ton of:

2004-10-20 12:16:12 H=(umrkmarketing.com) [209.236.1.237] F=<[email protected]> rejected RCPT <[email protected]>: to unblock see http://www.example.com/

So that tells me the RBLs are working. I've also been getting a ton of the following, and I'm wondering what it means when it cannot verify the sender. I mean, I know what that in and of itself means, but is that an RBL doing its job, or is Exim unable to verify something, or is reverse DNS unable to verify something?

2004-10-20 14:32:05 H=sitemail.everyone.net (omta10.mta.everyone.net) [216.200.145.35] F=<[email protected]> temporarily rejected RCPT <[email protected]>: Could not complete sender verify
 
The DA exim.conf file (which I wrote) will try to determine if a sender is real.

It uses a rather simplistic method. For local domains, it checks to see if the sender can actually receive email, but for foreign domains, it just checks to make sure the domain can receive mail.

So it won't accept spam, viruses, etc. from nonexistent senders/domains. All perfectly legal, because RFCs require you to return undeliverable email. So if you can't return an email because the sender isn't valid, you can refuse it. And we do.

Jeff
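
An added example (my code, not SpamBlocker's) for the rejectlog check Jeff recommends: it parses Exim rejectlog lines of the shape posted above and separates RBL rejections from sender-verify rejections, telling the temporary "Could not complete sender verify" entries apart from permanent ones, and counts them per connecting IP. Sample lines, hosts and addresses are constructed; the "to unblock" marker is assumed to be the text the local exim.conf puts in its RBL rejection message, so pass your own if it differs.

```python
import re
from collections import Counter

# Exim rejectlog entry: H=<reverse name> (<HELO name>) [<ip>] F=<sender>
# [temporarily ]rejected RCPT <recipient>: <reason>. The reverse name is
# absent when the lookup found nothing; the parenthesised HELO is absent
# when it matches the reverse name.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"H=(?:(?P<rdns>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> (?P<temp>temporarily )?rejected RCPT <(?P<rcpt>[^>]*)>: "
    r"(?P<reason>.*)$"
)

# Assumption: the marker SpamBlocker's exim.conf puts in its RBL rejection
# message. It is site-configurable, so override it to match your own text.
RBL_MARKER = "to unblock"


def parse_line(line, rbl_marker=RBL_MARKER):
    """Return the fields of one rejectlog line plus a 'kind', or None if the
    line is not an RCPT rejection of the expected shape."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["temp"] = bool(d["temp"])
    reason = d["reason"].lower()
    if rbl_marker in reason:
        d["kind"] = "rbl"
    elif "sender verify" in reason:
        # 4xx while the callout could not complete; 5xx once it definitely failed.
        d["kind"] = "sender_verify_defer" if d["temp"] else "sender_verify_reject"
    else:
        d["kind"] = "other"
    return d


def summarize(lines, rbl_marker=RBL_MARKER):
    """Count rejections by kind and by connecting IP; keep lines we could not parse."""
    kinds, ips, unparsed = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line, rbl_marker)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        kinds[rec["kind"]] += 1
        ips[rec["ip"]] += 1
    return {"by_kind": dict(kinds), "by_ip": dict(ips), "unparsed": unparsed}


# Constructed log lines modelled on the two posted in the thread; hosts,
# addresses and IPs are placeholders.
SAMPLE_LOG = """\
2004-10-20 12:16:12 H=(spamhost.example) [203.0.113.237] F=<bulk@spamhost.example> rejected RCPT <victim@example.net>: to unblock see http://www.example.com/
2004-10-20 14:32:05 H=sitemail.example.org (omta10.example.org) [203.0.113.35] F=<someone@webmail.example.org> temporarily rejected RCPT <victim@example.net>: Could not complete sender verify
2004-10-20 14:40:11 H=[198.51.100.7] F=<nobody@nonexistent.invalid> rejected RCPT <victim@example.net>: Sender verify failed
2004-10-20 14:41:00 H=(localhost) [203.0.113.237] F=<bulk2@spamhost.example> rejected RCPT <victim@example.net>: to unblock see http://www.example.com/
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(report["by_kind"])
    for ip, n in Counter(report["by_ip"]).most_common():
        print("%-16s %d" % (ip, n))
```

Run it over the real file with `summarize(open("/var/log/exim/rejectlog").read().splitlines())`; if "by_kind" shows no "rbl" entries at all, SpamBlocker's RBL checks are not firing, which is the symptom Jeff describes.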
 
Gotcha! Thanks for the great work in doing the exim.conf file. The rejectlog does show a ton of those rejected messages and by using SA (using a 2.0 level) I'm down to receiving about 25 or so spams every 24 hours now. So far only 2 false positives.

Any word if the DA guys have checked into SA 3.0?
 