Mailing List Archive

Trouble with XM_RANDOM rule
Hi,

I noticed that email sent from our webmail are catched always by
XM_RANDOM rule.

The reason is that we add a header:

X-Mailer: Qboxmail Webmail 1.2.3

that matches "X-Mailer =~ /q(?!q?mail|\d|[-\w]*=+;)[^u]/i"

Is "Qboxmail" the problem? Since this is the name of our company are
there any chances to keep it without catching the rule?

Thanks

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice

Re: Trouble with XM_RANDOM rule
On 24 Feb 2021, at 7:10, Alessio Cecchi wrote:

> Hi,
>
> I noticed that email sent from our webmail are catched always by
> XM_RANDOM rule.

And what is the score of that rule?

> that match "X-Mailer =~ /q(?!q?mail|\d|[-\w]*=+;)[^u]/i"
>
> Is "Qboxmail" the problem?

Yes.

> Since this is the name of our company are there any chances to keep it
> without catching the rule?

Score the rule down, or create a specific rule that counters that score
to match your own header.

(Also, “are caught” and “hitting the rule” or “triggering the
rule” or “being caught by the rule” would be grammatical, if you
care.)




Re: Trouble with XM_RANDOM rule
On Wed, 24 Feb 2021, Alessio Cecchi wrote:

> Hi,
>
> I noticed that email sent from our webmail are catched always by XM_RANDOM
> rule.
>
> The reason is that we add an header:
>
> X-Mailer: Qboxmail Webmail 1.2.3
>
> that match "X-Mailer =~ /q(?!q?mail|\d|[-\w]*=+;)[^u]/i"
>
> Is "Qboxmail" the problem? Since this is the name of our company are there
> any chances to keep it without catching the rule?

The chances are very good now that you've reported the FP. I will add an
exception. It will take a day or two to be published.

Thank you!

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
News flash: Lowest Common Denominator down 50 points
-----------------------------------------------------------------------
270 days since the first private commercial manned orbital mission (SpaceX)

Re: Trouble with XM_RANDOM rule
On Wed, 24 Feb 2021, lbutlr wrote:

> On 24 Feb 2021, at 7:10, Alessio Cecchi wrote:
>
>> Since this is the name of our company are there any chances to keep it
>> without catching the rule?
>
> Score the rule down, of create a specific rule that counters that score to
> match you own header.

That helps for their internal mail, but not to anyone else they send mail
to.

I am adding an exception for that.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
News flash: Lowest Common Denominator down 50 points
-----------------------------------------------------------------------
270 days since the first private commercial manned orbital mission (SpaceX)

Re: Trouble with XM_RANDOM rule
On Wed, 24 Feb 2021 08:10:48 -0700, lbutlr wrote:

> On 24 Feb 2021, at 7:10, Alessio Cecchi wrote:
>
> > that match "X-Mailer =~ /q(?!q?mail|\d|[-\w]*=+;)[^u]/i"
> >
> > Is "Qboxmail" the problem?
>
> Yes.

> > Since this is the name of our company are there any chances to keep
> > it without catching the rule?
>
> Score the rule down, of create a specific rule that counters that
> score to match you own header.

It's other SA installations that are the problem.

Someone should make an additional exception for 'box' IMO.

Re: Trouble with XM_RANDOM rule
On 2/24/2021 9:10 AM, Alessio Cecchi wrote:
>
> that match "X-Mailer =~ /q(?!q?mail|\d|[-\w]*=+;)[^u]/i"
>

AND the body DOESN'T have Invisible Text Styles AND there is no
In-Reply-To header.
Seems a little excessive to me. Points added for good behavior? Am I
reading that right?
I am a guy that gets befuddled with endless metas. I get a headache;
the same kind I get when having to (watch|Suffer through) a Gilmore
Girls marathon. I'm really asking.

Perhaps: /q(?!q?mail|bo|\d|[-\w]*=+;)[^u]/i might be appropriate, at
least as a workaround. Or something similar.

Is there a genuine use for CASE-Insensitive rules in an X-Mailer
definition? They don't seem to switch case very often.

> Is "Qboxmail" the problem? Since this is the name of our company are
> there any chances to keep it without catching the rule?
>

Yes, you should change the name of your company! ;)

I see that JH and the SpamAssassin crew will address your problem. In
the meantime, it won't hurt to add a local rule like:

header   MY_XM_RANDOM   X-Mailer =~ /Qboxmail Webmail/
score    MY_XM_RANDOM   -1.154

-- Jared Hall

Re: Trouble with XM_RANDOM rule
On Wed, 24 Feb 2021, Jared Hall wrote:

> On 2/24/2021 9:10 AM, Alessio Cecchi wrote:
>>
>> that match "X-Mailer =~ /q(?!q?mail|\d|[-\w]*=+;)[^u]/i"
>
> AND the body DOESN'T have Invisible Text Styles AND there is no
> In-Reply-To header. Seems a little excessive to me. Points added for
> good behavior? Am I reading that right?

It's avoiding combinations in masscheck that hit only ham, or, absent
that, hit far more ham than spam, in an attempt to reduce false positives.

The __XM_RANDOM header rule is intended to catch the specific condition of
the email, the scored XM_RANDOM meta is intended to add points for when
that condition indicates spam.

> Perhaps: /q(?!q?mail|bo|\d|[-\w]*=+;)[^u]/i might be appropriate, at
> least as a workaround. Or something similar.

I've already added an exclusion for it.

> Is there a genuine use for CASE-Insensitive rules in an X-Mailer
> definition? They don't seem to switch case very often.

If you're looking for a specific X-Mailer value, sure. If you're writing a
general rule then focusing on case can miss spam signs.

>> Is "Qboxmail" the problem? Since this is the name of our company are
>> there any chances to keep it without catching the rule?
>
> Yes, you should change the name of your company! ;)
>
> I see that JH and the SpamAssassin crew will address your problem. In
> the meantime, it won't hurt to add a local rule like:
>
> header   MY_XM_RANDOM   X-Mailer =~ /Qboxmail Webmail/
> score    MY_XM_RANDOM   -1.154

Which, again, doesn't help anyone outside his company.

IMHO you shouldn't be scanning internal-only email anyway.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
People who are unable to figure out how to make change without
the help of a cash register are demanding a $15/hr minimum wage?
-----------------------------------------------------------------------
270 days since the first private commercial manned orbital mission (SpaceX)
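The quoted regex and the two rules discussed around it, as an added example (not code from the thread or from SpamAssassin itself): the header sub-rule is run over constructed X-Mailer values to show which two characters trip it, with and without Jared's "bo" exclusion, and a hypothetical mini-scorer models the XM_RANDOM meta as Jared describes it next to his MY_XM_RANDOM counter-rule. The +1.154 score for XM_RANDOM is assumed from the magnitude of that counter-rule, not taken from a published score file.

```python
import re

# The __XM_RANDOM header regex exactly as quoted in the thread. Perl's (?!...)
# lookahead, \d and [-\w] mean the same thing in Python's re module.
XM_RANDOM_RE = re.compile(r"q(?!q?mail|\d|[-\w]*=+;)[^u]", re.I)

# Jared Hall's proposed widening of the negative lookahead with "bo".
XM_RANDOM_BO_RE = re.compile(r"q(?!q?mail|bo|\d|[-\w]*=+;)[^u]", re.I)

# Jared Hall's local counter-rule: a plain header rule on the product string.
MY_XM_RANDOM_RE = re.compile(r"Qboxmail Webmail")

def explain(x_mailer, pattern=XM_RANDOM_RE):
    """Return the two-character window the pattern matched, or None.

    Seeing the window shows why a value hits: "Qb" in "Qboxmail" is a 'q'
    followed by a character that is not 'u' and starts none of the
    sequences the negative lookahead excludes.
    """
    m = pattern.search(x_mailer)
    return m.group(0) if m else None

def local_score(headers, body_has_invisible_styles=False, xm_random_score=1.154):
    """Hypothetical mini-scorer for the two rules discussed in the thread.

    XM_RANDOM is modelled as Jared describes the meta: header sub-rule hit
    AND no invisible text styles in the body AND no In-Reply-To header.
    The +1.154 magnitude is assumed from Jared's -1.154 counter-rule, not
    taken from a published SpamAssassin score file.
    """
    x_mailer = headers.get("X-Mailer", "")
    total, hits = 0.0, []
    if (explain(x_mailer) is not None and not body_has_invisible_styles
            and "In-Reply-To" not in headers):
        total += xm_random_score
        hits.append("XM_RANDOM")
    if MY_XM_RANDOM_RE.search(x_mailer):
        total -= 1.154
        hits.append("MY_XM_RANDOM")
    return round(total, 3), hits

if __name__ == "__main__":
    # Constructed X-Mailer values: the one from the thread, a legitimate
    # qmail, a 'Qu' product the [^u] class spares, and random gibberish.
    for xm in ("Qboxmail Webmail 1.2.3", "qmail 1.03",
               "QUALCOMM Windows Eudora Version 7.1", "qxvfdgeexcfffdf"):
        print(f"{xm!r:40} {explain(xm)!r:6} bo={explain(xm, XM_RANDOM_BO_RE)!r}")
    print(local_score({"X-Mailer": "Qboxmail Webmail 1.2.3"}))
```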

Re: Trouble with XM_RANDOM rule
On 2/24/2021 9:43 PM, John Hardin wrote:

> The __XM_RANDOM header rule is intended to catch the specific
> condition of the email, the scored XM_RANDOM meta is intended to add
> points for when that condition indicates spam.

Ouch, I figured as much. With a name like XM_RANDOM, it's gotta be good :)

I recall about 10 years ago getting floods with (pseudo)random (eg:
qxvfdgeexcfffdf, etc) type mailers. I was just wondering if this was
artifactual. I don't know if you Guys (pc: and Gals) keep notes when
each rule gets developed and what not. But that's not really a question
for this list, so No Big Deal.

Now I'm off to find out why Thunderbird's spell checker doesn't like the
word "artifactual", yet has no issue with "gotta". That's a great
mystery; like UFOs, Crop Circles, Bigfoot, Pyramids, Plains of Nazca,
and Microsoft Fax Server.

> I've already added an exclusion for it.

Awesome. Speedy, and the patience of a saint. All qualities that I lack :)

>> header   MY_XM_RANDOM   X-Mailer =~ /Qboxmail Webmail/
>> score    MY_XM_RANDOM   -1.154
>
> Which, again, doesn't help anyone outside his company.
>
> IMHO you shouldn't be scanning internal-only email anyway.

Understood; I've opined the same. I feel like Sam the bartender on a
very old episode of Cheers. He has his one (and only) guest
Sportscaster appearance to discuss natural grass versus artificial
turf. Sam concludes his broadcast with something like, "This is one
man's two opinions". LMAO.

I've been scanning all outbound Email for 3-1/2 years now. I scan at
the SMTP level, with no discernible performance hit. It certainly has
saved my butt on a few occasions. Now I *opine* this: There is
something to the ZERO-TRUST security model.


Thank you, John. "You do that voodoo that you do so well".

-- Jared Hall

Re: Trouble with XM_RANDOM rule
On Thu, 25 Feb 2021, Jared Hall wrote:

> On 2/24/2021 9:43 PM, John Hardin wrote:
>
>> The __XM_RANDOM header rule is intended to catch the specific condition of
>> the email, the scored XM_RANDOM meta is intended to add points for when
>> that condition indicates spam.
>
> Ouch, I figured as much. With a name like XM_RANDOM, it's gotta be good :)
>
> I recall about 10 years ago getting floods with (pseudo)random (eg:
> qxvfdgeexcfffdf, etc) type mailers. I was just wondering if this was
> artifactual.

It's current. Somebody decided to send a large spam campaign using forged
sender addresses in my wife's domain, so I got a lot of NDA bounces with
spam content I don't usually see. There were a lot of random gibberish
mailers, as well as some that look plausible at a glance but suspicious
upon further consideration.

I got a bunch of new rules off that so I'm not complaining too hard.

> I don't know if you Guys (pc: and Gals) keep notes when each
> rule gets developed and what not. But that's not really a question for
> this list, so No Big Deal.

For myself, not beyond the SVN history.

> I've been scanning all outbound Email for 3-1/2 years now. I scan at the
> SMTP level, with no discernible performance hit. It certainly has saved my
> butt on a few occasions. Now I *opine* this: There is something to the
> ZERO-TRUST security model.

Hm, yeah.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where are my space habitats? Where is my flying car?
It's 2010 and all I got from the SF books of my youth
is the lousy dystopian government. -- perlhaqr
-----------------------------------------------------------------------
271 days since the first private commercial manned orbital mission (SpaceX)