Mailing List Archive

On Thu, 11 Jun 2020 at 09:20, Marc Roos <M.Roos@f1-outsourcing.eu> wrote:

>
>
> I am sick of this gmail spam. Does anyone know a solution where I can do
> something like this:
>
> 1. received email from adcpni444@gmail.com
> 2. system recognizes this email address has been 'whitelisted', continue
> with 7.
> 3. system recognizes as this email never been seen before
> 4. auto reply with something like (maybe with a wait time of x hours):
> Your message did not receive the final recipient. You are sending
> from a known spam provider
> network that is why we blocked your message. Please confirm that:
> - you are not a spammer and
> - you have permission to use the mail adress you send your message to
> - you and your provider agree to uphold GDPR legislation
> - you and your provider are liable for damages when breaching any of
> the above.
>
>
> Click link to confirm and you agree with the above
> https://www.domainwithoutletsencryptcertificate.com/asdfasdfadsfaf
>
> 5. sender clicks confirm url
> 6. email address is added to some white list.
> 7. email is delivered to recipient.
>

Are you sure these emails are really coming from gmail or are they fakes?
If fakes, they will mostly be stopped if you test with decent rbls such as
zen. Much easier and less intrusive.

I have got lots of shit coming from *.google.com like these:


Microsoft Mail Internet Headers Version 2.0
Received: from spam1.xxxxx.xxx ([212.26.193.45]) by xxxx.xxxxxx.xx with
Microsoft SMTPSVC(6.0.3790.4675);
Thu, 30 Apr 2020 02:35:01 +0200
Received: from mail-wm1-f66.google.com (mail-wm1-f66.google.com
[209.85.128.66])
by spam1.xxxxx.xxx (8.14.4/8.14.4) with ESMTP id 03TKVM5H027351
(version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=OK)
for <marc@xxxxxx.xx>; Wed, 29 Apr 2020 22:31:25 +0200
Received: by mail-wm1-f66.google.com with SMTP id x4so3514419wmj.1
for <marc@xxxxxx.xx>; Wed, 29 Apr 2020 13:31:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:reply-to:from:date:message-id:subject:to;
bh=2NdLKf5rHcCL3IbMH3GuhPFJibYnFLn3P1EiVRDs7vY=;

b=bFr2PRTThfF7Rc6VbfwKNIib8HtpUZY6ETyZxq3yfn2+wpBC2iOt4KV99BS+8bN3qU

eqVXcceSgi/RbKFeDsgLA1ZMDxpzDiaqAQoJNJTwHM/1qme5TpGIOVE7KAjSnB/f540C

dZSOwBVloMm2icCVZrBmhm5dOzslRR9sm6ZqlPCqzcV6aSTZbzfGwGXxSWySIbd4EXBL

XyDQ/8qaPYt7JT6yR9Ds5bbfzMurhvCQdyUImjBQzhzNbqHPUO6RaS0BoEq1kjU68Tvb

Ot0GHfDURBAGHQafA3lqGlko6ERW6TXB7YHkZVDh6TiGYoyvNDbAkZyw3+gnHE5/KhbA
KMCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:reply-to:from:date:message-id
:subject:to;
bh=2NdLKf5rHcCL3IbMH3GuhPFJibYnFLn3P1EiVRDs7vY=;

b=icJ/PlxxtnwmdowH5ii9SM/8EHHh86jsGLE6OTECSCFANj5JZQPbsbYYLCWphiwDGU

OcI0bv4O9RclGpAoscodnI4t/HKWmkuHWw9hwt7qit0g+hn8zdVNUFPJiogdsFoSh7eu

K9SA41XmqagjAL1/jljqv58l3t7QQogCtfASW3zw64si7X0tHfL9Bf+PsdvP8kX5Os71

UZDRxKHrCyIt4bQAzd4fr29CM5Sz9vhWO4FgpA2/6o2LAgTFZ/HEwJ9hAol+2HWuLNnf

hvHm3AkdPWT6x7lvMXzW0m4oXnwI16Cz092yzZKEJ9sSLhNAYt2rcMMxmTz7ts/KrdZz
dkiw==
X-Gm-Message-State:
AGi0PuYGZyhIWZVcSGYP5XXSKtoOT4PoqKwH9NhaanpW8fL/vkeeI3kB
m9mqeW7pPNmzRp5X/MEOgSlgJyxfj3S4B5WnFH0=
X-Google-Smtp-Source:
APiQypJL/6q6R4LD6d5CsdvsnhXqXOsIRt5mlsYYqBaC2JGYtMzbERXl3F/rqaotdGYvx3X+
lbM/crorMi+6QthoFNU=
X-Received: by 2002:a1c:2dc7:: with SMTP id
t190mr4898627wmt.129.1588192282560;
Wed, 29 Apr 2020 13:31:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:adf:ec81:0:0:0:0:0 with HTTP; Wed, 29 Apr 2020
13:31:22
-0700 (PDT)
Reply-To: makebajuliet09@gmail.com
From: JULIET MAKEBA <richardshoffmann1964@gmail.com>
Date: Thu, 30 Apr 2020 04:31:22 +0800
Message-ID:
<CAH6st6Gs9Pw=BZ0nkKYs5Ft48-mGJh1fOqbBRbzVvkWscGu2ag@mail.gmail.com>
Subject: Reply
To: undisclosed-recipients:;
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=2.1 required=3.0 tests=BAYES_00,
FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO,LOTS_OF_M
ONEY,
MILLION_HUNDRED,MONEY_FRAUD_3,RCVD_IN_DNSWL_NONE,T_MONEY_PERCENT
autolearn=no
version=3.3.1
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
spam1.xxxxx.xxx
Return-Path: richardshoffmann1964@gmail.com
X-OriginalArrivalTime: 30 Apr 2020 00:35:01.0888 (UTC)
FILETIME=[2F69A800:01D61E87]




Return-Path: <adil@webrework.in>
Delivered-To: xxxxxx
Received: from mail03.xxxxxxx.eu
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
by mail03 with LMTP id kKoHMcov2149JAAAI7dPvA for <xxxxxx>; Sat, 06 Jun
2020 07:55:22 +0200
Return-Path: <adil@webrework.in>
Received: from spam1.xxxxxxx.eu (spam1.xxxxxxx.eu [xxx.xx.xxx.45]) by
mail03.xxxxxxx.eu (8.14.7/8.14.7) with ESMTP id 0565tMac009275
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NO) for <info@xxxxxxxxxxx.com>; Sat, 6 Jun 2020 07:55:22 +0200
Received: from mail-pj1-f66.google.com (mail-pj1-f66.google.com
[209.85.216.66]) by spam1.xxxxxxx.eu (8.14.4/8.14.4) with ESMTP id
0565tIdi058802
(version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=OK) for
<info@xxxxxxxxxxx.com>; Sat, 6 Jun 2020 07:55:21 +0200
Received: by mail-pj1-f66.google.com with SMTP id a45so3807702pje.1
for <info@xxxxxxxxxxx.com>; Fri, 05 Jun 2020 22:55:21 -0700
(PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=webrework-in.20150623.gappssmtp.com; s=20150623;
h=from:to:subject:date:message-id:mime-version:thread-index
:content-language;
bh=7qGcZf45bVmQTosUOEZzOlhqXsW80r8JYANlWV6lMcU=;

b=nRq4BwRoIoCimYmoABa565TtsoINAu77KS84HZ8y5JU0nj/fqO+oWmljluP4/KlFRr

P38IwasOHw6K4zPYNUORPLj+akF5dcn/OvbpBJolZLJF7bSLty8sm6i4pJVbS7Cxaphk

qkm3HG2kKjkKV13xA9hoqRBqHYeqyY1BJqwLwwVAxXhvP3fRyObY5ZcKt5Z7DHI68+7R

LSQ1zZbyJ98RDPXYyEgaUvvNxfbqpAnR8loBIxedAEuQqZefgIkRrW6th0oYF5acLnfh

olY9/cj1B5L0IzREZ3iqo2blQEQA+RRe/SncEoFEQLmJJwmA6D5Xns/AwG2I4wwbhgQf
OHng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;

h=x-gm-message-state:from:to:subject:date:message-id:mime-version
:thread-index:content-language;
bh=7qGcZf45bVmQTosUOEZzOlhqXsW80r8JYANlWV6lMcU=;

b=Jz5FzHzFsGgLza4kth56USl8ZVmFNZBLm5nkXEUROkkA3nIz8dvVpW52YMYHBioUSj

sNrByKY9HVHTorVYNMoJs/OfMGwgGwv+EiOBccQ1v0l3SGurD7bD0lo98SGZMi64lwaD

4AvYU29OOtMZKEDkjmmqboLDB9JlLi9EjsHPPSpZBg78eYWvTj87JFUozmbus0mrEGFc

cR830qZDgcjMmq0Ou4sTDI7DpNA7nMoKcQFSV5HH16cxqtXPyqdFUxMPHqVJ3oLun1Ak

w0um7MmYeBhvoCqZ7nuIeZElSgJMiL3aExUHJ3SL9y947lyntL5P/6L+6Vpym8IX+h9q
Nf/Q==
X-Gm-Message-State:
AOAM533HB9mZF6dzBHLBVGtCw/DhSSaMUUiIgvOcrewViw8pmKctIkAJ
e/KAKyApJNn4KdxbL2WUhrgzkcHnky72Gw==
X-Google-Smtp-Source:
ABdhPJwE27YG87ETpbsaII/Twpy1jRl4RWRtyNW7LCftdFwEaRCFrLrTMd+E2iwaskk7KVNO
MPM1pA==
X-Received: by 2002:a17:90a:714c:: with SMTP id
g12mr6949366pjs.31.1591422917419;
Fri, 05 Jun 2020 22:55:17 -0700 (PDT)
Received: from VishalPalPC ([2402:3a80:15ed:8821:30ec:258b:d3ca:3641])
by smtp.gmail.com with ESMTPSA id
c9sm393900pfr.72.2020.06.05.22.55.16
for <info@xxxxxxxxxxx.com>
(version=TLS1 cipher=ECDHE-ECDSA-AES128-SHA bits=128/128);
Fri, 05 Jun 2020 22:55:17 -0700 (PDT)
From: "Adil" <adil@webrework.in>

On 11.06.20 11:04, Marc Roos wrote:
>I have got lots of shit coming from *.google.com like these:


>Received: from spam1.xxxxx.xxx ([212.26.193.45]) by xxxx.xxxxxx.xx with
>Microsoft SMTPSVC(6.0.3790.4675);
> Thu, 30 Apr 2020 02:35:01 +0200

I guess this is your mail relay


>Received: from mail-wm1-f66.google.com (mail-wm1-f66.google.com
>[209.85.128.66])
> by spam1.xxxxx.xxx (8.14.4/8.14.4) with ESMTP id 03TKVM5H027351
> (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=OK)
> for <marc@xxxxxx.xx>; Wed, 29 Apr 2020 22:31:25 +0200

yes, it comes from google.

>Reply-To: makebajuliet09@gmail.com
>From: JULIET MAKEBA <richardshoffmann1964@gmail.com>

>Subject: Reply
>X-Spam-Status: No, score=2.1 required=3.0 tests=BAYES_00,
> FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO,LOTS_OF_M
>ONEY,
> MILLION_HUNDRED,MONEY_FRAUD_3,RCVD_IN_DNSWL_NONE,T_MONEY_PERCENT
>autolearn=no
> version=3.3.1


BAYES_00 indicates bad training.

version=3.3.1 is too old SA version, you should upgrade - this version of SA
does not have current rule updates (3.4.2 needed).



--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...

I know I need to update, moving to containerized or centos8 when ready.
However I do not think it will solve much, that is why I am asking for
this procedure.




-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uhlar@fantomas.sk]
Sent: donderdag 11 juni 2020 11:24
To: users@spamassassin.apache.org
Subject: Re: handling spam from gmail.

On 11.06.20 11:04, Marc Roos wrote:
>I have got lots of shit coming from *.google.com like these:


>Received: from spam1.xxxxx.xxx ([212.26.193.45]) by xxxx.xxxxxx.xx with

>Microsoft SMTPSVC(6.0.3790.4675);
> Thu, 30 Apr 2020 02:35:01 +0200

I guess this is your mail relay


>Received: from mail-wm1-f66.google.com (mail-wm1-f66.google.com
>[209.85.128.66])
> by spam1.xxxxx.xxx (8.14.4/8.14.4) with ESMTP id 03TKVM5H027351
> (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=OK)
> for <marc@xxxxxx.xx>; Wed, 29 Apr 2020 22:31:25 +0200

yes, it comes from google.

>Reply-To: makebajuliet09@gmail.com
>From: JULIET MAKEBA <richardshoffmann1964@gmail.com>

>Subject: Reply
>X-Spam-Status: No, score=2.1 required=3.0 tests=BAYES_00,
>
FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO,LOTS_OF_M
>ONEY,
> MILLION_HUNDRED,MONEY_FRAUD_3,RCVD_IN_DNSWL_NONE,T_MONEY_PERCENT
>autolearn=no
> version=3.3.1


BAYES_00 indicates bad training.

version=3.3.1 is too old SA version, you should upgrade - this version
of SA does not have current rule updates (3.4.2 needed).



--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...

On 11.06.20 11:27, Marc Roos wrote:
>I know I need to update, moving to containerized or centos8 when ready.
>However I do not think it will solve much, that is why I am asking for
>this procedure.

I agree that training spam on that machine will help more.
BAYES_999 gives score of 3.7, while BAYES_00 -1.9.

That means with BAYES_999 the message would get scored 7.7 at least.

plugins like razor,pyzor,dcc could move the score over a sane limit to
reject.

however, upgrading should help becaue of new rules.

>-----Original Message-----
>From: Matus UHLAR - fantomas [mailto:uhlar@fantomas.sk]
>Sent: donderdag 11 juni 2020 11:24
>To: users@spamassassin.apache.org
>Subject: Re: handling spam from gmail.
>
>>Subject: Reply
>>X-Spam-Status: No, score=2.1 required=3.0 tests=BAYES_00,
>> FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO,LOTS_OF_MONEY,
>> MILLION_HUNDRED,MONEY_FRAUD_3,RCVD_IN_DNSWL_NONE,T_MONEY_PERCENT autolearn=no
>> version=3.3.1
>
>
>BAYES_00 indicates bad training.
>
>version=3.3.1 is too old SA version, you should upgrade - this version
>of SA does not have current rule updates (3.4.2 needed).

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody

On Thu, 2020-06-11 at 11:27 +0200, Marc Roos wrote:
>
> I know I need to update, moving to containerized or centos8 when
> ready.
> However I do not think it will solve much, that is why I am asking
> for
> this procedure.
>
You could always write a private rule the adds points to gmail users you
don't want mail from.

Martin

On 11/06/20 10:19, Marc Roos wrote:

>
> I am sick of this gmail spam. Does anyone know a solution where I can do
> something like this:
>
> 1. received email from adcpni444@gmail.com
> 2. system recognizes this email address has been 'whitelisted', continue
> with 7.
> 3. system recognizes as this email never been seen before
> 4. auto reply with something like (maybe with a wait time of x hours):

Respectfully, this is a recipe for disaster. I've lost count of
misconfigured antispam appliances that do something like you want to and
ended up either

- Having the outbound queue full of undeliverables
- Bounceback spamming innocent users

So, no, please don't do that :)

As others suggested, start by upgrading your SA and do some targeted
training to the bayes.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/

Marc Roos wrote:
> 4. auto reply with something like (maybe with a wait time of x hours):
> Your message did not receive the final recipient. You are sending
> from a known spam provider
> network that is why we blocked your message. Please confirm that:
> - you are not a spammer and
> - you have permission to use the mail adress you send your message to
> - you and your provider agree to uphold GDPR legislation
> - you and your provider are liable for damages when breaching any of
> the above.
>
>
> Click link to confirm and you agree with the above
> https://www.domainwithoutletsencryptcertificate.com/asdfasdfadsfaf
>
This is bad practice on multiple levels, please don't do this.

- arbitrary valid email addresses are used as sender address by spammers
to avoid being blocking as unknown sender. Whenever one of your users
gets a spam mail, some innocent unknown user gets the "click on the
link" message by your mail system. It's not spammers are using always
their own usernames. Many spammers also use their spammer address
database as sender addresses as well.
- by sending the "click on the link" message you acknowledge to a
spammer some email he spammed is valid and not unknown. This is a kind
of information that should not be disclosed to spammers.
- two persons who are both behind such a system are not able to
communicate to each other, because they never receive the "click on the
link" message. It is blocked by the other mail system and replied
automatically by another "click on the link" message. Both mail systems
are sending these messages endlessly to each other. It's the "chicken or
egg" problem.
- "click on the link" messages are considered bad practice, because
users must not be educated to click on links in unexpected emails.

Alex

On Thu, 2020-06-11 at 18:50 +0200, Alex Woick wrote:
> Marc Roos wrote:
> > 4. auto reply with something like (maybe with a wait time of x
> > hours):
> > Your message did not receive the final recipient. You are
> > sending
> > from a known spam provider
> > network that is why we blocked your message. Please confirm
> > that:
> > - you are not a spammer and
> > - you have permission to use the mail adress you send your
> > message to
> > - you and your provider agree to uphold GDPR legislation
> > - you and your provider are liable for damages when breaching
> > any of
> > the above.
> >
> >
> > Click link to confirm and you agree with the above
> >
> > https://www.domainwithoutletsencryptcertificate.com/asdfasdfadsfaf
> >
>
> This is bad practice on multiple levels, please don't do this.
>
> - arbitrary valid email addresses are used as sender address by
> spammers
> to avoid being blocking as unknown sender. Whenever one of your
> users
> gets a spam mail, some innocent unknown user gets the "click on the
> link" message by your mail system. It's not spammers are using
> always
> their own usernames. Many spammers also use their spammer address
> database as sender addresses as well.
> - by sending the "click on the link" message you acknowledge to a
> spammer some email he spammed is valid and not unknown. This is a
> kind
> of information that should not be disclosed to spammers.
> - two persons who are both behind such a system are not able to
> communicate to each other, because they never receive the "click on
> the
> link" message. It is blocked by the other mail system and replied
> automatically by another "click on the link" message. Both mail
> systems
> are sending these messages endlessly to each other. It's the "chicken
> or
> egg" problem.
> - "click on the link" messages are considered bad practice, because
> users must not be educated to click on links in unexpected emails.

Additional reasons this is a bad practice:

- you are placing the burden of reducing the spam in your system on all
the non-spam-sending users who wish to communicate with your users.
- by raising the "cost" of sending legitimate mail to your users, you
will of course receive less legitimate mail along with less spam.
- for business transactions this costs business/money; eg. if faced
with such a system upon initial contact, I myself would choose to not
"click the link" and merely go to a competitor if there are other
reasonably equivalent businesses. not an absolute deal breaker, but
definitely a strong turn-off.


--
Jesse Norell
Kentec Communications, Inc.
970-522-8107 - www.kci.net

Hi Alex thanks for the on topic response. Bare with my thoughts.

>
> - arbitrary valid email addresses are used as sender address by
spammers
> to avoid being blocking as unknown sender. Whenever one of your users

> gets a spam mail, some innocent unknown user gets the "click on the
> link" message by your mail system. It's not spammers are using always

> their own usernames. Many spammers also use their spammer address
> database as sender addresses as well.

I think this argument cannot be used. Because when blocking a connection
via rbl or so. The connection hosts gets the error code and message
response and is and that host is generating the NDR not me.
In my procedure the error code could have the message with the url.

> - by sending the "click on the link" message you acknowledge to a
> spammer some email he spammed is valid and not unknown. This is a
kind
> of information that should not be disclosed to spammers.

No it does not. It also depends on when you invoke this check. Same
again with an rbl check. The block is done even before headers are
received.

> - two persons who are both behind such a system are not able to
> communicate to each other, because they never receive the "click on
the
> link" message. It is blocked by the other mail system and replied
> automatically by another "click on the link" message. Both mail
systems
> are sending these messages endlessly to each other. It's the "chicken
or
> egg" problem.

This is not true. Because mail servers should deliver these NDR's
especially when it is one's own environment.

> - "click on the link" messages are considered bad practice, because
> users must not be educated to click on links in unexpected emails.
>

Hi Jesse, what do you think of my point of view?

>
>
> - you are placing the burden of reducing the spam in your system on
all
> the non-spam-sending users who wish to communicate with your users.

If people want to have their free email, why not let them know about
that
their provider is harassing other providers and they have to take this
action because of this.
That is the price you have to pay for using free email or are at a
provider that sends out large amounts of spam.
Hopefully this will force people to move to a provider that does not
send out spam?

> - by raising the "cost" of sending legitimate mail to your users, you
> will of course receive less legitimate mail along with less spam.

Only from the spam network. And the spam network clients are informed
about that the service they get there, is maybe not as it should be.
Lots of people do not know about such things.

> - for business transactions this costs business/money; eg. if faced
> with such a system upon initial contact, I myself would choose to not
> "click the link" and merely go to a competitor if there are other
> reasonably equivalent businesses. not an absolute deal breaker, but
> definitely a strong turn-off.

If you get notified that you are hosting your business with a provider
that mixes your emails with spam emails. Are you not thinking about
to move your business to a different service provider?
I would definitely ask myself wtf is. By staying at such a provider
you indirectly support their behaviour.

>
> bullshit - your crap idea is sending active messages and that's not a
> NDR and always wrong in case of fighting spam

When my mta generates an 554 5.7.1, my server does not even have the
senders
email address at that time. So it is impossible to send 'active
messages'
(what ever those might be). The message/url is in the error description.

> what about do your homewortk and just stop score spam with BAYES_00?
are
> you really that dumb?
>