Email coming in being identified as SPAM
Hello,

Email from my child's school is being identified as SPAM, but it's from
his teacher.

Here is the X-SPAM-Report:


X-Spam-Report:
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [194.25.134.21 listed in wl.mailspike.net]
* 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
* provider (firstname-lastname[at]t-online.de)
* 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* 0.0 SPF_NONE SPF: sender does not publish an SPF Record
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
* blocked. See
* http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
* for more information.
* [URIs: example.com]
* 1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
* 2.5 XPRIO_SHORT_SUBJ Has X-Priority header + short subject
* 1.7 MSM_PRIO_REPTO MSMail priority header + Reply-to + short
* subject
* 1.7 SPOOFED_FREEMAIL No description available.

My best guess is that there was no subject line, but even that would still cause it to fail the spam test.

Researching a little bit, the MSMail priority-related errors are related to that sender's email client? And they should
remove the X-MSMail-Priority header? I don't use MS systems very often, so I'm a little confused.

Thanks for any info.
Re: Email coming in being identified as SPAM
On Wed, 4 Nov 2020, Thomas Anderson wrote:

> Hello,
>
> Email from my child's school is being identified as SPAM, but it's from
> his teacher.
>
> Here is the X-SPAM-Report:
>
>
> X-Spam-Report:
> * -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
> * [194.25.134.21 listed in wl.mailspike.net]
> * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
> * provider (firstname-lastname[at]t-online.de)

Your child's school is using a freemail provider rather than a domain
registered to the school system? Or is the teacher using their private
email account for official school-related purposes?

> * 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> * 0.0 SPF_NONE SPF: sender does not publish an SPF Record
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
> * blocked. See
> * http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> * for more information.
> * [URIs: example.com]
> * 1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
> * 2.5 XPRIO_SHORT_SUBJ Has X-Priority header + short subject
> * 1.7 MSM_PRIO_REPTO MSMail priority header + Reply-to + short
> * subject
> * 1.7 SPOOFED_FREEMAIL No description available.
>
> My best guess is that there was no subject line, but even that would still cause it to fail the spam test.

Having a long-enough subject would have removed 4.2 points from the total,
giving a total of 3.5 - below the default spam threshold.

> Researching a little bit, the MSMail priority-related errors are related to that sender's email client? And they should
> remove the X-MSMail-Priority header? I don't use MS systems very often, so I'm a little confused.

Ideally I'd suggest the school use a non-freemail domain and implement SPF
or DKIM so that they can be reliably whitelisted. That's potentially
fairly extensive work on their side, so the immediate recommendation would
be for you to use whitelist_from_rcvd to whitelist the teacher's freemail
account.

There's overlap in the priority-no-subject rules that's unnecessarily
inflating the score, I'll fix that. But that wouldn't bring it down below
the threshold.

Advise the teacher to always provide a meaningful message subject, that's
longer than a word or two.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
5 days until The 82nd anniversary of Kristallnacht - disarmament enables genocide
Re: Email coming in being identified as SPAM
On 4 Nov 2020, at 13:31, Thomas Anderson wrote:

> * 1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but no
> X-MimeOLE

In addition to what John noted, that one looks like a candidate for
constructing an exception. MISSING_MIMEOLE already has a number of
exceptions based on the fact that other MUAs have adopted
X-MSMail-Priority but have no reason to use X-MimeOLE because it's a
fundamentally bad idea as a header with no real utility. With a sample
of the headers for the message that hit that rule, we could add an
exception for whatever is generating such messages in this case.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Email coming in being identified as SPAM
On Wed, 04 Nov 2020 18:48:48 -0500
Bill Cole wrote:

> On 4 Nov 2020, at 13:31, Thomas Anderson wrote:
>
> > * 1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but
> > no X-MimeOLE
>
> In addition to what John noted, that one looks like a candidate for
> constructing an exception. MISSING_MIMEOLE already has a number of
> exceptions based on the fact that other MUAs have adopted
> X-MSMail-Priority but have no reason to use X-MimeOLE because it's a
> fundamentally bad idea as a header with no real utility. With a
> sample of the headers for the message that hit that rule, we could
> add an exception for whatever is generating such messages in this
> case.
>

it was sent via t-online.de see:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7306
Re: Email coming in being identified as SPAM
On Thu, 5 Nov 2020, RW wrote:

> On Wed, 04 Nov 2020 18:48:48 -0500
> Bill Cole wrote:
>
>> On 4 Nov 2020, at 13:31, Thomas Anderson wrote:
>>
>>> * 1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but
>>> no X-MimeOLE
>>
>> In addition to what John noted, that one looks like a candidate for
>> constructing an exception. MISSING_MIMEOLE already has a number of
>> exceptions based on the fact that other MUAs have adopted
>> X-MSMail-Priority but have no reason to use X-MimeOLE because it's a
>> fundamentally bad idea as a header with no real utility. With a
>> sample of the headers for the message that hit that rule, we could
>> add an exception for whatever is generating such messages in this
>> case.
>>
>
> it was sent via t-online.de see:
>
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7306

t-online.de obviously haven't changed their client in the last four years,
so perhaps we should reopen that bug and add the exception.

AXB - any comments??


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
5 days until The 82nd anniversary of Kristallnacht - disarmament enables genocide
Re: Email coming in being identified as SPAM
On 11/5/20 4:31 AM, John Hardin wrote:
> On Thu, 5 Nov 2020, RW wrote:
>
>> On Wed, 04 Nov 2020 18:48:48 -0500
>> Bill Cole wrote:
>>
>>> On 4 Nov 2020, at 13:31, Thomas Anderson wrote:
>>>
>>>>     *  1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but
>>>> no X-MimeOLE
>>>
>>> In addition to what John noted, that one looks like a candidate for
>>> constructing an exception. MISSING_MIMEOLE already has a number of
>>> exceptions based on the fact that other MUAs have adopted
>>> X-MSMail-Priority but have no reason to use X-MimeOLE because it's a
>>> fundamentally bad idea as a header with no real utility. With a
>>> sample of the headers for the message that hit that rule, we could
>>> add an exception for whatever is generating such messages in this
>>> case.
>>>
>>
>> it was sent via t-online.de see:
>>
>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7306
>
> t-online.de obviously haven't changed their client in the last four
> years, so perhaps we should reopen that bug and add the exception.
>
> AXB - any comments??

I'd lower the rule's score a bit. That way we don't have to track what
t-online.de does/or not does.
comments?
AXB
Re: Email coming in being identified as SPAM
Thanks for all the informative replies.

For the short term, I will just whitelist the address in question.

Perhaps my setup is crap. I don't have enough SPAM to train bayes. In
the past two years, I have gotten maybe, 10? spam emails. Basically, the
server is for myself and a couple family members, so the traffic is minimal.

I have not set up a caching nameserver, but I will look into that being
necessary in the future.

Thanks all!

On 05/11/2020 08:02, Axb wrote:
> On 11/5/20 4:31 AM, John Hardin wrote:
>> On Thu, 5 Nov 2020, RW wrote:
>>
>>> On Wed, 04 Nov 2020 18:48:48 -0500
>>> Bill Cole wrote:
>>>
>>>> On 4 Nov 2020, at 13:31, Thomas Anderson wrote:
>>>>
>>>>>     *  1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but
>>>>> no X-MimeOLE
>>>>
>>>> In addition to what John noted, that one looks like a candidate for
>>>> constructing an exception. MISSING_MIMEOLE already has a number of
>>>> exceptions based on the fact that other MUAs have adopted
>>>> X-MSMail-Priority but have no reason to use X-MimeOLE because it's a
>>>> fundamentally bad idea as a header with no real utility. With a
>>>> sample of the headers for the message that hit that rule, we could
>>>> add an exception for whatever is generating such messages in this
>>>> case.
>>>>
>>>
>>> it was sent via t-online.de see:
>>>
>>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7306
>>
>> t-online.de obviously haven't changed their client in the last four
>> years, so perhaps we should reopen that bug and add the exception.
>>
>> AXB - any comments??
>
> I'd lower the rule's score a bit. That way we don't have to track what
> t-online.de does/or not does.
> comments?
> AXB
>
Re: Email coming in being identified as SPAM
On Thu, 5 Nov 2020, Thomas Anderson wrote:

> Thanks for all the informative replies.
>
> For the short term, I will just whitelist the address in question.
>
> Perhaps my setup is crap. I don't have enough SPAM to train bayes. In
> the past two years, I have gotten maybe, 10? spam emails. Basically, the
> server is for myself and a couple family members, so the traffic is minimal.
>
> I have not set up a caching nameserver, but I will look into that being
> necessary in the future.

One tiny nit: it's not the "caching" part that's important for SA, it's
the "does not forward DNS requests to ISP's nameservers" part...

For small environments like this, the DNS resolver that you use for SA
needs to do all the queries itself rather than passing them off to be
aggregated by the ISP's nameservers, and hit the DNSBL free use limits due
to that aggregation.


> Thanks all!

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
4 days until The 82nd anniversary of Kristallnacht - disarmament enables genocide
Re: Email coming in being identified as SPAM
On Thu, 5 Nov 2020, Axb wrote:

> On 11/5/20 4:31 AM, John Hardin wrote:
>> On Thu, 5 Nov 2020, RW wrote:
>>
>>> On Wed, 04 Nov 2020 18:48:48 -0500
>>> Bill Cole wrote:
>>>
>>>> On 4 Nov 2020, at 13:31, Thomas Anderson wrote:
>>>>
>>>>>     *  1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but
>>>>> no X-MimeOLE
>>>>
>>>> In addition to what John noted, that one looks like a candidate for
>>>> constructing an exception. MISSING_MIMEOLE already has a number of
>>>> exceptions based on the fact that other MUAs have adopted
>>>> X-MSMail-Priority but have no reason to use X-MimeOLE because it's a
>>>> fundamentally bad idea as a header with no real utility. With a
>>>> sample of the headers for the message that hit that rule, we could
>>>> add an exception for whatever is generating such messages in this
>>>> case.
>>>>
>>>
>>> it was sent via t-online.de see:
>>>
>>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7306
>>
>> t-online.de obviously haven't changed their client in the last four years,
>> so perhaps we should reopen that bug and add the exception.
>>
>> AXB - any comments??
>
> I'd lower the rule's score a bit. That way we don't have to track what
> t-online.de does/or not does.
> comments?
> AXB

How about we pull it from 50_scores.cf and let the masschecks consider it?
With a score limit of 1.5, perhaps?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
4 days until The 82nd anniversary of Kristallnacht - disarmament enables genocide
Re: Email coming in being identified as SPAM
On Thu, 5 Nov 2020 10:50:08 +0100
Thomas Anderson wrote:

> Thanks for all the informative replies.
>
> For the short term, I will just whitelist the address in question.
>
> Perhaps my setup is crap. I don't have enough SPAM to train bayes. In
> the past two years, I have gotten maybe, 10? spam emails. Basically,
> the server is for myself and a couple family members, so the traffic
> is minimal.

Since you get very little spam, IIWY I'd set the threshold to 8 or even
higher. I don't think it's worth accepting any FPs for 5 spams a year.