Hi,
I have enabled txrep on a test spamassassin setup, but on some emails
with malware file attached, txrep assigns a positive score:
# zcat spam.eml.gz | spamc -s 2097152 -R
[...]
Content analysis details:   (52.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 DEAR_SOMETHING         BODY: Contains 'Dear (something)'
 3.8 FORGED_RELAY_MUA_TO_MX No description available.
 1.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [5.230.70.6 listed in xxxx.zen.dq.spamhaus.net]
 6.0 SH_HELO_DBL            The domain used in the HELO string is listed in DBL
                            [mta2.malware-domain.org]
 6.0 SH_REVERSE_DBL         The RDNS of last untrusted relay's IP is listed
                            in DBL
                            [mta2.malware-domain.org]
 6.0 URIBL_DBL_SPAM         Contains a spam URL listed in the Spamhaus DBL
                            blocklist
                            [URIs: malware-domain.org]
 6.0 SH_DBL_HEADERS         A domain found in headers (mail from, reply-to
                            etc..) is listed in DBL
                            [malware-domain.org]
 6.0 SH_DBL_BODY            The domain of an email address found in body is
                            listed in DBL
                            [malware-domain.org]
 0.1 URIBL_CSS_A            Contains URL's A record listed in the Spamhaus CSS
                            blocklist
                            [URIs: malware-domain.org]
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 5.0 BT_SPAM                Confirmed spam
 1.0 BT_AV                  File infected
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                            envelope-from domain
 1.5 FROM_FMBLA_NEWDOM      From domain was registered in last 7 days
 3.0 RCVD_IN_SBL_CSS        Received via a relay in Spamhaus SBL-CSS
 8.0 RCVD_IN_ZEN_LASTEXTERNAL The last untrusted relay is listed in
                            Spamhaus ZEN
-2.4 TXREP                  TXREP: Score normalizing based on sender's
                            reputation
and more:
# zcat spam.eml.gz | spamassassin -D 2>&1 | grep -i txrep
Oct 23 15:20:30.409 [23510] dbg: config: read file
/etc/mail/spamassassin/txrep.cf
Oct 23 15:20:30.472 [23510] dbg: plugin: loading
Mail::SpamAssassin::Plugin::TxRep from @INC
Oct 23 15:20:30.475 [23510] dbg: TxRep: new object created
Oct 23 15:20:30.605 [23510] dbg: config: fixed relative path:
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_txrep.cf
Oct 23 15:20:30.605 [23510] dbg: config: using
"/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_txrep.cf"
for included file
Oct 23 15:20:30.605 [23510] dbg: config: read file
/var/lib/spamassassin/3.004004/updates_spamassassin_org/60_txrep.cf
Oct 23 15:20:32.055 [23510] dbg: check: tagrun - tag TXREPMSG_ID is now
ready, value: 47.7
Oct 23 15:20:32.055 [23510] dbg: TxRep: reputation: 47.659, count: 1,
weight: 1.0, delta: 47.659, MSG_ID:
de380dd4ba12ff8d7113fb51a81debfb5c87764b@sa_generated
Oct 23 15:20:32.055 [23510] dbg: TxRep: message
de380dd4ba12ff8d7113fb51a81debfb5c87764b@sa_generated already scanned,
using old data; post-TxRep score: 52.706
Oct 23 15:20:32.058 [23510] dbg: check:
tests=BT_AV,BT_SPAM,DEAR_SOMETHING,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_RELAY_MUA_TO_MX,FROM_FMBLA_NEWDOM,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_SBL_CSS,RCVD_IN_XBL,RCVD_IN_ZEN_LASTEXTERNAL,SH_DBL_BODY,SH_DBL_HEADERS,SH_HELO_DBL,SH_REVERSE_DBL,SPF_HELO_NONE,SPF_PASS,TXREP,URIBL_CSS_A,URIBL_DBL_SPAM
Oct 23 15:20:32.058 [23510] dbg: timing: total 1651 ms - init: 555
(33.6%), parse: 25 (1.5%), extract_message_metadata: 42 (2.6%),
get_uri_detail_list: 2.8 (0.2%), tests_pri_-1000: 22 (1.3%),
compile_gen: 47 (2.8%), compile_eval: 19 (1.1%), tests_pri_-950: 2.8
(0.2%), tests_pri_-900: 3.0 (0.2%), tests_pri_-200: 2.4 (0.1%),
tests_pri_-100: 16 (0.9%), tests_pri_-90: 2.5 (0.2%), tests_pri_0: 899
(54.5%), check_spf: 34 (2.1%), poll_dns_idle: 0.10 (0.0%),
dkim_load_modules: 12 (0.7%), check_dkim_signature: 26 (1.6%),
tests_pri_500: 43 (2.6%), tests_pri_1000: 22 (1.3%), total_txrep: 19
(1.1%), check_txrep_msg_id: 1.29 (0.1%), update_txrep_msg_id: 0.02 (0.0%)
SH_REVERSE_DBL,SPF_HELO_NONE,SPF_PASS,TXREP,URIBL_CSS_A,URIBL_DBL_SPAM
    * -2.5 TXREP TXREP: Score normalizing based on sender's reputation
The sender was the domain name "dal corte DOT org", which is sending malware
to many different domains hosted by us.
Is my setup of txrep bad or is it "normal"?
Thanks
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
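One way to audit results like the one above, as an added example that is not part of the original post nor of SpamAssassin itself: a small Python parser for the "Content analysis details" report that flags a sender-reputation rule (TXREP) subtracting score from a message an AV rule (BT_AV) already marked as infected. The rule names are the ones listed in the report; the sample text is a constructed excerpt of it, and the helper names are my own.

```python
import re

# Constructed excerpt of the report shown in the post (scores as listed there).
REPORT = """\
Content analysis details:   (52.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 DEAR_SOMETHING         BODY: Contains 'Dear (something)'
 8.0 RCVD_IN_ZEN_LASTEXTERNAL The last untrusted relay is listed in
                            Spamhaus ZEN
 5.0 BT_SPAM                Confirmed spam
 1.0 BT_AV                  File infected
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-2.4 TXREP                  TXREP: Score normalizing based on sender's
                            reputation
"""

HEADER = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")


def parse_report(text):
    """Return (reported_total, required, {rule: score}) from the report text.

    Wrapped description lines carry no leading score, so they are skipped."""
    total = required = None
    rules = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            total, required = float(m.group(1)), float(m.group(2))
            continue
        m = RULE_LINE.match(line)
        if m:
            rules[m.group(2)] = float(m.group(1))
    return total, required, rules


def reputation_offset_on_malware(rules, malware_rules=("BT_AV",), rep_rules=("TXREP",)):
    """Audit check: how much score a reputation rule removed from a message
    that an AV rule flagged as infected. Returns 0.0 when there is nothing to report."""
    if not any(r in rules for r in malware_rules):
        return 0.0
    return sum(min(rules.get(r, 0.0), 0.0) for r in rep_rules)


def score_without(rules, excluded=("TXREP",)):
    """Sum of the listed rule scores with the given rules left out."""
    return round(sum(s for r, s in rules.items() if r not in excluded), 1)
```

Run it over the full report from `spamc -R` output to list every message where a reputation rule lowered the score of a BT_AV hit.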