
Recent experience with RCVD_IN_SORBS_NR_SPAM and others
I lost track of checking my spam folders recently for almost a week (I
filter to a maybe-spam folder on scores that are lower than what
doctrine says, splitting into really-ham, iffy, and really-spam -- it
was the iffy I didn't look at). On checking, I refiled a bunch of ham
that had from 2 to 6 points. There was much more of this than normal,
at all scores.

There are lots of reasons for the scores, some of which are just how it
is (MIME HTML with no HTML tag), and rDNS lookup failures on google
MTAs. But one thing jumped out at me: a fair number of
RCVD_IN_SORBS_NR_SPAM hits, including for yahoo servers. It seems to me
a bit much to apply that and 2.5 points for MTAs from freemails that
have mostly ham and some spam -- that's what 1 point for FREEMAIL_FROM
is for. As usual, I look up rules that hit on my ham and think about
changing the score, but I can't find it.

So: was this rule in trunk or KAM, and was it withdrawn in the last
week? Perhaps because of listing yahoo and maybe others? I didn't find
anything about this on the users list.


The other problem on a small number of messages was RCVD_DOTEDU_SHORT.
I realize this must have passed masscheck, but getting a message of
1-1.5 kB from an address in .edu is to me not at all suspicious, and 2.5
points is a lot for something likely to appear in legitimate mail. (In
my case it was a notification of air conditioning shutdown in a
particular building, and that's all there was to say.)

Thanks,
Greg
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
On Thu, 27 May 2021 20:40:28 -0400
Greg Troxel wrote:


> The other problem on a small number of messages was RCVD_DOTEDU_SHORT.
> I realize this must have passed masscheck, but getting a message of
> 1-1.5 kB from an address in .edu is to me not at all suspicious, and
> 2.5 points is a lot for something likely to appear in legitimate
> mail. (In my case it was a notification of air conditioning shutdown
> in a particular building, and that's all there was to say.)

If SA were running on an institution's mail system, that would most
likely be an internal email. The intention seems to be that the .edu has
to be in the external network.

There is a minor problem:

header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i

allows a match on "by=" from the LE header, when it should just be on
helo/rdns.

Probably the .edu is genuinely external for you, in which case I'd
suggest overriding __RCVD_DOTEDU_EXT, either to turn it off or exclude
specific domains.
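The point RW raises is a regex precision problem: the pseudo-header that X-Spam-Relays-External exposes contains several key=value tokens per relay (ip=, rdns=, helo=, by=, ...), and a bare /\.edu\s/ matches a ".edu" in any of them, including the receiving host in by=. The following is an added illustration, not SpamAssassin's own code or the rule John later committed; it compares the broad pattern quoted above with a version narrowed to the rdns=/helo= tokens, run over three constructed relay strings in the shape SA uses (hosts and IPs are made up).

```python
import re

# Constructed sample values in the shape SpamAssassin uses for its
# X-Spam-Relays-External pseudo-header (one "[ ... ]" group per relay).
# Hostnames and addresses are invented for this demonstration.
RELAYS_EDU_BY_ONLY = (
    "[ ip=192.0.2.10 rdns=mail-out.example.net helo=mail-out.example.net "
    "by=mx.campus.example.edu ident= envfrom= intl=0 id=ABC123 auth= msa=0 ]"
)
RELAYS_EDU_RDNS = (
    "[ ip=198.51.100.7 rdns=smtp.campus.example.edu helo=smtp.campus.example.edu "
    "by=mx.example.com ident= envfrom= intl=0 id=DEF456 auth= msa=0 ]"
)
RELAYS_NO_EDU = (
    "[ ip=203.0.113.5 rdns=mail.example.org helo=mail.example.org "
    "by=mx.example.com ident= envfrom= intl=0 id=GHI789 auth= msa=0 ]"
)

# The pattern quoted on the list: ".edu" followed by whitespace, anywhere in
# the pseudo-header. The receiving host in "by=" satisfies it just as well as
# the sending relay's reverse DNS does.
BROAD_RE = re.compile(r"\.edu\s", re.I)

# A narrowed pattern (an assumption for this demo, not the committed rule):
# only a .edu at the end of the rdns= or helo= value counts. [^\s\]]* cannot
# cross a space, so a .edu in a later token such as by= is never reached.
NARROW_RE = re.compile(r"\b(?:rdns|helo)=[^\s\]]*\.edu\s", re.I)


def broad_hit(relays: str) -> bool:
    """Would the original subrule fire on this relay string?"""
    return bool(BROAD_RE.search(relays))


def narrow_hit(relays: str) -> bool:
    """Would the rdns/helo-restricted subrule fire on this relay string?"""
    return bool(NARROW_RE.search(relays))


def edu_tokens(relays: str) -> list:
    """Diagnostic: list the key=value tokens whose value ends in .edu, so a
    rule author can see *which* field produced a hit."""
    return [tok for tok in re.findall(r"\S+=\S*", relays)
            if re.search(r"\.edu$", tok, re.I)]


if __name__ == "__main__":
    for name, relays in (("by= only", RELAYS_EDU_BY_ONLY),
                         ("rdns/helo", RELAYS_EDU_RDNS),
                         ("no .edu", RELAYS_NO_EDU)):
        print(f"{name:10} broad={broad_hit(relays)!s:5} "
              f"narrow={narrow_hit(relays)!s:5} tokens={edu_tokens(relays)}")
```

Running it shows the false positive RW describes: the first sample hits only because the receiving MX is in .edu, while the narrowed pattern fires solely when the external relay's rdns or HELO is in .edu. When a rule like this hits your ham, `edu_tokens` is the kind of check to run on the relay string before deciding whether to lower the score or override the subrule.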
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
On Thu, 27 May 2021, Greg Troxel wrote:

> The other problem on a small number of messages was RCVD_DOTEDU_SHORT.
> I realize this must have passed masscheck, but getting a message of
> 1-1.5 kB from an address in .edu is to me not at all suspicious, and 2.5
> points is a lot for something likely to appear in legitimate mail. (In
> my case it was a notification of air conditioning shutdown in a
> particular building, and that's all there was to say.)

Score limit adjusted. Do you know whether it happened to hit ALL_TRUSTED?
I added an exclusion for that.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The ["assault weapons"] ban is the moral equivalent of banning red
cars because they look too fast. -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
4 days until Memorial Day - honor those who sacrificed for our liberty
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
On Fri, 28 May 2021, RW wrote:

> There is a minor problem:
>
> header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i
>
> allows a match on "by=" from the LE header, when it should just be on
> helo/rdns.

D'oh! Fixed, thanks for catching that.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The ["assault weapons"] ban is the moral equivalent of banning red
cars because they look too fast. -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
4 days until Memorial Day - honor those who sacrificed for our liberty
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
On 2021-05-27 at 20:40:28 UTC-0400 (Thu, 27 May 2021 20:40:28 -0400)
Greg Troxel <gdt@lexort.com>
is rumored to have said:

> But one thing jumped out at me: a fair number of
> RCVD_IN_SORBS_NR_SPAM hits, including for yahoo servers. It seems to me
> a bit much to apply that and 2.5 points for MTAs from freemails that
> have mostly ham and some spam -- that's what 1 point for FREEMAIL_FROM
> is for. As usual, I look up rules that hit on my ham and think about
> changing the score, but I can't find it.
>
> So: was this rule in trunk or KAM, and was it withdrawn in the last
> week? Perhaps because of listing yahoo and maybe others? I didn't find
> anything about this on the users list.

That rule does not now exist in trunk and IT NEVER HAS, according to the Subversion history.

It is not in the current KAM channel rules and I see no evidence in my logs of any such rule ever hitting within the past 3 months.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
"Bill Cole" <sausers-20150205@billmail.scconsult.com> writes:

> That rule does not now exist in trunk and IT NEVER HAS, according to the Subversion history.
>
> It is not in the current KAM channel rules and I see no evidence in my logs of any such rule ever hitting within the past 3 months.

Totally my fault. I added it to local several weeks ago and managed to
forget about it. I have been seeing it hit on spam quite well, and
until last week it was not unreasonably hitting ham.

Sorry for the noise about that.
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
John Hardin <jhardin@impsec.org> writes:

> On Thu, 27 May 2021, Greg Troxel wrote:
>
>> The other problem on a small number of messages was
>> RCVD_DOTEDU_SHORT. I realize this must have passed masscheck, but
>> getting a message of 1-1.5 kB from an address in .edu is to me not at
>> all suspicious, and 2.5 points is a lot for something likely to
>> appear in legitimate mail. (In my case it was a notification of air
>> conditioning shutdown in a particular building, and that's all there
>> was to say.)
>
> Score limit adjusted.

Thanks.

> Do you know whether it happened to hit
> ALL_TRUSTED? I added an exclusion for that.

It did not hit ALL_TRUSTED, and I'd say that's not really wrong. The
edu in question has outlook hosted mail which has a lot of servers. I'm
not actually part of the edu, but am on some lists, and have something
to do with it.

I expanded trusted_networks and then it did hit, but the rule still
fired. I will see if after the regexp fixes just made arrive on my
system, it's still the case.


(I realize everybody's mail stream is different. Part of where I'm
coming from is knowing a fairly large number of people using edu
addresses, so to me this seemed sort of like 2.5 points for a message
being from gmail and 1-1.5 kB.)
Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others
On Fri, 28 May 2021, Greg Troxel wrote:

>
> John Hardin <jhardin@impsec.org> writes:
>
>> On Thu, 27 May 2021, Greg Troxel wrote:
>>
>>> The other problem on a small number of messages was
>>> RCVD_DOTEDU_SHORT. I realize this must have passed masscheck, but
>>> getting a message of 1-1.5 kB from an address in .edu is to me not at
>>> all suspicious, and 2.5 points is a lot for something likely to
>>> appear in legitimate mail. (In my case it was a notification of air
>>> conditioning shutdown in a particular building, and that's all there
>>> was to say.)
>>
>> Score limit adjusted.
>
> Thanks.
>
>> Do you know whether it happened to hit
>> ALL_TRUSTED? I added an exclusion for that.
>
> It did not hit ALL_TRUSTED, and I'd say that's not really wrong. The
> edu in question has outlook hosted mail which has a lot of servers. I'm
> not actually part of the edu, but am on some lists, and have something
> to do with it.
>
> I expanded trusted_networks and then it did hit, but the rule still
> fired.

That exclusion won't be published until sometime today.

I wasn't suggesting expanding ALL_TRUSTED, I was just curious as to
whether you had a relationship to the school and had added their MTAs to
your trusted list because of that.

> I will see if after the regexp fixes just made arrive on my
> system, it's still the case.

I also modified the header check to restrict it to .edu RDNS, so if their
email is hosted by Outlook it probably isn't going to hit any longer
anyway.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
3 days until Memorial Day - honor those who sacrificed for our liberty