Mailing List Archive

REPLYTO_WITHOUT_TO_CC
Hello guys,

I have a mail with REPLYTO_WITHOUT_TO_CC=1.552, but in the mail header there is a "To". Why does this rule hit?


From: "Kreditkarte" <ybremmw@spam.tld>
Reply-To: "Kreditkarte" <ybremmw@spam.tld>
To: USER@another.tld


Unfortunately *all* of the rules don't have descriptions on the web.
For this one the rule name should be description enough: there is a
Reply-To: header but not a To: or Cc: header.

Is this an error/bug or do I miss something?

Kind regards
Philipp

--
Philipp Ewald
Administrator
Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
Can you provide an .eml that will reproduce the hit with a manual
spamassassin invocation?

> i have a mail with REPLYTO_WITHOUT_TO_CC=1.552 but in Mail Header
> there is a "To" why does this rule hit?
>
> From: "Kreditkarte" <ybremmw@spam.tld>
> Reply-To: "Kreditkarte" <ybremmw@spam.tld>
> To: USER@another.tld
Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
Sure.

spamassassin -V
SpamAssassin version 3.4.2
running on Perl version 5.24.1


 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 5.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: negosev.site]
 1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 2.5 PYZOR_CHECK            Listed in Pyzor
                            (https://pyzor.readthedocs.io/en/latest/)
 1.6 REPLYTO_WITHOUT_TO_CC  No description available.
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 1.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
 1.0 MISSING_FROM           Missing From: header
 0.0 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
 0.6 BODY_URI_ONLY          Message body is only a URI in one line of text or
                            for an image

Notice:
same mail on Debian 10 server, the rule doesn't hit....

spamassassin -V
SpamAssassin version 3.4.2
running on Perl version 5.28.1


 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: negosev.site]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 5.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 2.5 PYZOR_CHECK            Listed in Pyzor
                            (https://pyzor.readthedocs.io/en/latest/)
 0.0 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
-1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                            manager
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.0 BODY_URI_ONLY          Message body is only a URI in one line of text or
                            for an image
 2.0 TO_NO_BRKTS_HTML_IMG   To: lacks brackets and HTML and one image




On 05.02.20 at 13:55, Damian wrote:
> Can you provide an .eml that will reproduce the hit with a manual
> spamassassin invocation?
>
>> i have a mail with REPLYTO_WITHOUT_TO_CC=1.552 but in Mail Header
>> there is a "To" why does this rule hit?
>>
>> From: "Kreditkarte" <ybremmw@spam.tld>
>> Reply-To: "Kreditkarte" <ybremmw@spam.tld>
>> To: USER@another.tld

--
Philipp Ewald
Administrator
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
just saw this error:
Feb 5 14:19:46.438 [6998] warn: rules: failed to compile Mail::SpamAssassin::Plugin::Check::_head_tests_0_4, skipping:
Feb 5 14:19:46.438 [6998] warn: (Global symbol "$Blat" requires explicit package name (did you forget to declare "my $Blat"?) at /etc/spamassassin/70_zmi_german.cf, rule __ZMIfish_ForgedBill01, line 1.)

After deleting /etc/spamassassin/70_zmi_german.cf and restarting amavis:
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 5.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 1.2 URIBL_ABUSE_SURBL      Contains an URL listed in the ABUSE SURBL
                            blocklist
                            [URIs: negosev.site]
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: negosev.site]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
 2.5 PYZOR_CHECK            Listed in Pyzor
                            (https://pyzor.readthedocs.io/en/latest/)
 0.0 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
-1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                            manager
 0.6 BODY_URI_ONLY          Message body is only a URI in one line of text or
                            for an image
 2.0 TO_NO_BRKTS_HTML_IMG   To: lacks brackets and HTML and one image



On 05.02.20 at 14:22, Philipp Ewald wrote:
> Sure.
>
> spamassassin -V
> SpamAssassin version 3.4.2
>   running on Perl version 5.24.1
>
>
> pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                             [score: 1.0000]
>  5.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                             [score: 1.0000]
>  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                             [URIs: negosev.site]
>  1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
>  2.5 PYZOR_CHECK            Listed in Pyzor
>                             (https://pyzor.readthedocs.io/en/latest/)
>  1.6 REPLYTO_WITHOUT_TO_CC  No description available.
>  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
>  1.0 FSL_BULK_SIG           Bulk signature with no Unsubscribe
>  1.0 MISSING_FROM           Missing From: header
>  0.0 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
>  0.6 BODY_URI_ONLY          Message body is only a URI in one line of text or
>                             for an image
>
> Notice:
> same mail on Debian 10 Server Rule dont hit....
>
> spamassassin -V
> SpamAssassin version 3.4.2
>   running on Perl version 5.28.1
>
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                             [URIs: negosev.site]
>  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                             [score: 1.0000]
>  1.2 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
>  5.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                             [score: 1.0000]
>  2.5 PYZOR_CHECK            Listed in Pyzor
>                             (https://pyzor.readthedocs.io/en/latest/)
>  0.0 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
> -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
>                             manager
>  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
>  0.0 BODY_URI_ONLY          Message body is only a URI in one line of text or
>                             for an image
>  2.0 TO_NO_BRKTS_HTML_IMG   To: lacks brackets and HTML and one image
>
>
>
>
> On 05.02.20 at 13:55, Damian wrote:
>> Can you provide an .eml that will reproduce the hit with a manual
>> spamassassin invocation?
>>
>>> i have a mail with REPLYTO_WITHOUT_TO_CC=1.552 but in Mail Header
>>> there is a "To" why does this rule hit?
>>>
>>> From: "Kreditkarte" <ybremmw@spam.tld>
>>> Reply-To: "Kreditkarte" <ybremmw@spam.tld>
>>> To: USER@another.tld
>

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Phone: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, Tax No. 5215 5811 0640
Managing Director: Werner Grafenhain

Privacy information: www.digionline.de/ds
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
That is strange. Do you have a copy of that file? Is it identical to
[1]? What exact SA codebase is this; linux-distribution package, CPAN,
other?

> Feb  5 14:19:46.438 [6998] warn:  (Global symbol "$Blat" requires
> explicit package name (did you forget to declare "my $Blat"?) at
> /etc/spamassassin/70_zmi_german.cf, rule __ZMIfish_ForgedBill01, line 1.)

[1] http://zmi.at/x/70_zmi_german.cf
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
> That is strange. Do you have a copy of that file? Is it identical to
> [1]
Not really... I have removed all lines starting with "#"
sed -i '/^#.*/d' /etc/spamassassin/70_zmi_german.cf

File comes from: http://sa.zmi.at/sa-update-german/402.tar.gz

> linux-distribution package, CPAN, other?
Debian 9.11
CPAN = not changed?
spamassassin 3.4.2

After reinstalling from http://sa.zmi.at/sa-update-german the rule doesn't hit and there are no errors in debug



On 05.02.20 at 15:37, Damian wrote:
> That is strange. Do you have a copy of that file? Is it identical to
> [1]? What exact SA codebase is this; linux-distribution package, CPAN,
> other?
>
>> Feb  5 14:19:46.438 [6998] warn:  (Global symbol "$Blat" requires
>> explicit package name (did you forget to declare "my $Blat"?) at
>> /etc/spamassassin/70_zmi_german.cf, rule __ZMIfish_ForgedBill01, line 1.)
>
> [1] http://zmi.at/x/70_zmi_german.cf
>

--
Philipp Ewald
Administrator

Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
The error can only happen if there was an unquoted $ in the regex.

header __ZMIfish_ForgedBill01 Message-ID =~ /$Blat.v3/

Newer 3.4.4 doesn't care about such things; you should upgrade asap since
there are vulnerabilities.


On Wed, Feb 05, 2020 at 04:08:43PM +0100, Philipp Ewald wrote:
> >That is strange. Do you have a copy of that file? Is it identical to
> >[1]
> no really... i have remove all lines with starting "#"
> sed -i '/^#.*/d' /etc/spamassassin/70_zmi_german.cf
>
> File comes from: http://sa.zmi.at/sa-update-german/402.tar.gz
>
> >linux-distribution package, CPAN, other?
> Debian 9.11
> CPAN = not changed?
> spamassassin 3.4.2
>
> after reinstall from http://sa.zmi.at/sa-update-german rule dont hint and no errors in debug
>
>
>
> On 05.02.20 at 15:37, Damian wrote:
> >That is strange. Do you have a copy of that file? Is it identical to
> >[1]? What exact SA codebase is this; linux-distribution package, CPAN,
> >other?
> >
> >>Feb  5 14:19:46.438 [6998] warn:  (Global symbol "$Blat" requires
> >>explicit package name (did you forget to declare "my $Blat"?) at
> >>/etc/spamassassin/70_zmi_german.cf, rule __ZMIfish_ForgedBill01, line 1.)
> >
> >[1] http://zmi.at/x/70_zmi_german.cf
> >
>
> --
> Philipp Ewald
> Administrator
>
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
So this must have been an old version of the file, the current regex is
quoted. Also Stretch has backported 3.4.4 fixes, but maybe Philipp did
not include debian-security sources?
> The error can only happen if there was unquoted $ in regex.
>
> header __ZMIfish_ForgedBill01 Message-ID =~ /$Blat.v3/
>
> Newer 3.4.4 don't care about such things, you should upgrade asap since
> there are vulnerabilities.
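
The unquoted `$` discussed in the two messages above, as an added example that is not part of the thread or of SpamAssassin: a small Python check that scans rule text for a `$` followed by an identifier inside a `/regex/`, the construct behind the `Global symbol "$Blat"` compile warning. The function names and every sample rule except `__ZMIfish_ForgedBill01` are constructed for illustration, and only `/.../`-delimited regexes are handled.

```python
import re

# SpamAssassin rule types whose definition carries a /regex/.
RULE_LINE = re.compile(r'^\s*(header|body|rawbody|uri|full)\s+(\S+)\s+(.+)$')
# A /.../ literal: escaped pairs or any character except "\" and "/".
SLASH_REGEX = re.compile(r'/((?:\\.|[^\\/])*)/')

def extract_regex(rule_type, rest):
    """Return the text between the / delimiters, or None if there is none."""
    if rule_type == 'header':
        op = re.search(r'[=!]~\s*', rest)
        if not op:                 # eval: and exists: header tests have no regex
            return None
        rest = rest[op.end():]
    m = SLASH_REGEX.match(rest)    # m{...} style delimiters are not handled
    return m.group(1) if m else None

def unquoted_variables(pattern):
    """List $name / ${name sequences that Perl would try to interpolate."""
    # The first alternative consumes backslash-escaped characters, so "\$"
    # never reaches the second one; a "$" not followed by a name is an anchor.
    tokens = re.finditer(r'\\.|(\$\{?[A-Za-z_]\w*)', pattern)
    return [t.group(1) for t in tokens if t.group(1)]

def lint_rules(cf_text):
    """Return (line number, rule name, variable) for every suspect rule."""
    hits = []
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        m = RULE_LINE.match(line)
        pattern = extract_regex(m.group(1), m.group(3)) if m else None
        for var in unquoted_variables(pattern or ''):
            hits.append((lineno, m.group(2), var))
    return hits

# Constructed sample: the first rule is the line quoted in the thread; the
# others are made up to show an escaped "$", an end anchor and a non-regex test.
SAMPLE_CF = r'''
header   __ZMIfish_ForgedBill01  Message-ID =~ /$Blat.v3/
header   __EXAMPLE_ESCAPED       Message-ID =~ /\$Blat\.v3/
body     __EXAMPLE_ANCHOR        /kreditkarte$/i
header   __EXAMPLE_EXISTS        exists:Reply-To
'''

if __name__ == '__main__':
    for lineno, rule, var in lint_rules(SAMPLE_CF):
        print(f'line {lineno}: rule {rule} has unquoted {var} in its regex')
```
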
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
On 05.02.20 17:18, Henrik K wrote:
>The error can only happen if there was unquoted $ in regex.
>
>header __ZMIfish_ForgedBill01 Message-ID =~ /$Blat.v3/
>
>Newer 3.4.4 don't care about such things, you should upgrade asap since
>there are vulnerabilities.

The OP reported using Debian, which has those bugs fixed in 3.4.2.
Developers have backported fixes into the old version.

Such a regex should be fixed; the recommendation to use the current version because it
doesn't care about invalid regular expressions is a bit silly...

>On Wed, Feb 05, 2020 at 04:08:43PM +0100, Philipp Ewald wrote:
>> >That is strange. Do you have a copy of that file? Is it identical to
>> >[1]
>> no really... i have remove all lines with starting "#"
>> sed -i '/^#.*/d' /etc/spamassassin/70_zmi_german.cf
>>
>> File comes from: http://sa.zmi.at/sa-update-german/402.tar.gz
>>
>> >linux-distribution package, CPAN, other?
>> Debian 9.11
>> CPAN = not changed?
>> spamassassin 3.4.2
>>
>> after reinstall from http://sa.zmi.at/sa-update-german rule dont hint and no errors in debug
>>
>>
>>
>> On 05.02.20 at 15:37, Damian wrote:
>> >That is strange. Do you have a copy of that file? Is it identical to
>> >[1]? What exact SA codebase is this; linux-distribution package, CPAN,
>> >other?
>> >
>> >>Feb  5 14:19:46.438 [6998] warn:  (Global symbol "$Blat" requires
>> >>explicit package name (did you forget to declare "my $Blat"?) at
>> >>/etc/spamassassin/70_zmi_german.cf, rule __ZMIfish_ForgedBill01, line 1.)
>> >
>> >[1] http://zmi.at/x/70_zmi_german.cf

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows 2000: 640 MB ought to be enough for anybody
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
On Wed, Feb 05, 2020 at 04:55:33PM +0100, Matus UHLAR - fantomas wrote:
> On 05.02.20 17:18, Henrik K wrote:
> >The error can only happen if there was unquoted $ in regex.
> >
> >header __ZMIfish_ForgedBill01 Message-ID =~ /$Blat.v3/
> >
> >Newer 3.4.4 don't care about such things, you should upgrade asap since
> >there are vulnerabilities.
>
> the OP reported using debian, which has those bugs fixed in 3.4.2.
> developers have backported fixed into the old version.

It's clearly not using debian version or then the backport is lacking fixes.
I have not reviewed it personally so there are no guarantees.
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
>> On 05.02.20 17:18, Henrik K wrote:
>> >The error can only happen if there was unquoted $ in regex.
>> >
>> >header __ZMIfish_ForgedBill01 Message-ID =~ /$Blat.v3/
>> >
>> >Newer 3.4.4 don't care about such things, you should upgrade asap since
>> >there are vulnerabilities.

>On Wed, Feb 05, 2020 at 04:55:33PM +0100, Matus UHLAR - fantomas wrote:
>> the OP reported using debian, which has those bugs fixed in 3.4.2.
>> developers have backported fixed into the old version.

On 05.02.20 17:58, Henrik K wrote:
>It's clearly not using debian version or then the backport is lacking fixes.
>I have not reviewed it personally so there are no guarantees.

it's possible that the OP doesn't have security updates installed.

Philipp, please check which SA version you have:

% apt-cache policy spamassassin
spamassassin:
  Installed: 3.4.2-1+deb10u2
  Candidate: 3.4.2-1+deb10u2
  Version table:
 *** 3.4.2-1+deb10u2 500
        500 http://security.debian.org/debian-security buster/updates/main i386 Packages
        100 /var/lib/dpkg/status
     3.4.2-1 500
        500 file:/mount/mirrors/debian buster/main i386 Packages


If it's not 3.4.2-1+deb10u2 (or 3.4.2-1~deb9u3 on Debian 9), try installing
security updates.

I recommend installing the unattended-upgrades package and enabling security
updates, so security updates are installed automatically.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
Thanks for help!

> Notice:
> same mail on Debian 10 Server Rule dont hit....
>
> spamassassin -V
> SpamAssassin version 3.4.2
> running on Perl version 5.28.1

On this server I have installed updates

Debian 9.11 Server which rule was hit: # damn this sounds so wrong

spamassassin -V
SpamAssassin version 3.4.2
running on Perl version 5.24.1

apt list --upgradable
spamassassin/oldstable 3.4.2-1~deb9u3 all [upgradable from: 3.4.2-1~deb9u1]


On 05.02.20 at 17:14, Matus UHLAR - fantomas wrote:
>>> On 05.02.20 17:18, Henrik K wrote:
>>> >The error can only happen if there was unquoted $ in regex.
>>> >
>>> >header   __ZMIfish_ForgedBill01 Message-ID =~ /$Blat.v3/
>>> >
>>> >Newer 3.4.4 don't care about such things, you should upgrade asap since
>>> >there are vulnerabilities.
>
>> On Wed, Feb 05, 2020 at 04:55:33PM +0100, Matus UHLAR - fantomas wrote:
>>> the OP reported using debian, which has those bugs fixed in 3.4.2.
>>> developers have backported fixed into the old version.
>
> On 05.02.20 17:58, Henrik K wrote:
>> It's clearly not using debian version or then the backport is lacking fixes.
>> I have not reviewed it personally so there are no guarantees.
>
> it's possible that the OP doesn't have security updates installed.
>
> Philipp, please check which SA version you have:
>
> % apt-cache policy spamassassin
> spamassassin:
>  Installed: 3.4.2-1+deb10u2
>  Candidate: 3.4.2-1+deb10u2
>  Version table:
> *** 3.4.2-1+deb10u2 500
>        500 http://security.debian.org/debian-security buster/updates/main i386 Packages
>        100 /var/lib/dpkg/status
>     3.4.2-1 500
>        500 file:/mount/mirrors/debian buster/main i386 Packages
>
>
> if it's not 3.4.2-1+deb10u2 (or 3.4.2-1~deb9u3 on Debian 9), try installing
> security updated.
>
> I recommend you installing unattended-upgrades package and enabling security
> updates, so security updates are installed automatically.
>

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Telefon: +49 221 6500-532, Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Geschäftsführer: Werner Grafenhain

Informationen zum Datenschutz: www.digionline.de/ds
Re: [SPAM] Re: REPLYTO_WITHOUT_TO_CC [ In reply to ]
>>Notice:
>>same mail on Debian 10 Server Rule dont hit....
>>
>>spamassassin -V
>>SpamAssassin version 3.4.2
>> running on Perl version 5.28.1

On 05.02.20 17:38, Philipp Ewald wrote:
>on this server i have installed updates

apparently not enough...

>Debian 9.11 Server which rule was hit: # damn this sounds so wrong
>
>spamassassin -V
>SpamAssassin version 3.4.2
> running on Perl version 5.24.1
>
>apt list --upgradable
>spamassassin/oldstable 3.4.2-1~deb9u3 all [upgradable from: 3.4.2-1~deb9u1]

so I return to my recommendation:

>On 05.02.20 at 17:14, Matus UHLAR - fantomas wrote:
>>if it's not 3.4.2-1+deb10u2 (or 3.4.2-1~deb9u3 on Debian 9), try installing
>>security updated.
>>
>>I recommend you installing unattended-upgrades package and enabling security
>>updates, so security updates are installed automatically.

note that new spamassassin was available 3 days ago.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/