Mailing List Archive

Whitelist or add negative values for score
Hello All,

I'm trying to see if there is a "best way" to provide negative scoring for
a certain person's email.
As an example, if joe@company.com is communicating with paypal or other real
banking institutions, then at times within the email chain, SA will tag it
as spam.

I want to see if, when an email is from joe@company.com AND is from IP
address 1.2.3.4, we can take away 2 from the score, hopefully allowing
those legitimate types of messages through.
I couldn't find an example of how to accomplish this dual-criteria check.
Any assistance is appreciated.

--
Thanks!
Joey
Re: Whitelist or add negative values for score
Joey J <jacklistmail@gmail.com> writes:

> I'm trying to see if there is a "best way" to provide negative scoring for
> a certain person's email.

That's easy. There are many ways, but no best way.

> As an example, if joe@company.com is communicating with paypal or other real
> banking institutions, then at times within the email chain, SA will tag it
> as spam.

It's really not clear what your issue is.

> I want to see if, when an email is from joe@company.com AND is from IP
> address 1.2.3.4, we can take away 2 from the score, hopefully allowing
> those legitimate types of messages through.
> I couldn't find an example of how to accomplish this dual-criteria check.
> Any assistance is appreciated.

welcomelist_from_rcvd joe@company.com [1.2.3.4]

should work, but at -100. It would be nice if welcomelist_* could take a
score, but if you are sure you want *your* SA to not mark it as spam,
-100 is the way to spell that.
Re: Whitelist or add negative values for score
Thanks,
So welcomelist_from_rcvd joe@company.com [1.2.3.4]
is saying: if it's received from Joe@Company.com and the IP combination?
And then simply score it with
welcomelist_from_rcvd score -2
I will try that, thank you!

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel <gdt@lexort.com> wrote:

>
> Joey J <jacklistmail@gmail.com> writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring for
> > a certain person's email.
>
> That's easy. There are many ways, but no best way.
>
> > As an example, if joe@company.com is communicating with paypal or other real
> > banking institutions, then at times within the email chain, SA will tag it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if, when an email is from joe@company.com AND is from IP
> > address 1.2.3.4, we can take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example of how to accomplish this dual-criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd joe@company.com [1.2.3.4]
>
> should work, but at -100. It would be nice if welcomelist_* could take a
> score, but if you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


--
Thanks!
Joey
Re: Whitelist or add negative values for score
Actually, what would be the format, with respect to a header rule, for that?
So:
header welcomelist_from_rcvd joe@company.com [1.2.3.4]

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel <gdt@lexort.com> wrote:

>
> Joey J <jacklistmail@gmail.com> writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring for
> > a certain person's email.
>
> That's easy. There are many ways, but no best way.
>
> > As an example, if joe@company.com is communicating with paypal or other real
> > banking institutions, then at times within the email chain, SA will tag it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if, when an email is from joe@company.com AND is from IP
> > address 1.2.3.4, we can take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example of how to accomplish this dual-criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd joe@company.com [1.2.3.4]
>
> should work, but at -100. It would be nice if welcomelist_* could take a
> score, but if you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


--
Thanks!
Joey
Re: Whitelist or add negative values for score
On 2022-12-19 at 21:43:08 UTC-0500 (Mon, 19 Dec 2022 21:43:08 -0500)
Joey J <jacklistmail@gmail.com>
is rumored to have said:

> Thanks,
> So welcomelist_from_rcvd joe@company.com [1.2.3.4]
> is saying: if it's received from Joe@Company.com and the IP
> combination?
> And then simply score it with
> welcomelist_from_rcvd score -2
> I will try that, thank you!

No, there is no score line for a 'welcomelist_from_rcvd' directive.

The syntax for all of the welcomelist/blocklist directives is documented
in Mail::SpamAssassin::Conf. You can see that with:

perldoc Mail::SpamAssassin::Conf

In previous versions, these directives all used 'whitelist' and
'blacklist' so if you are not running 3.4.6 or 4.0.0 those names will be
in the docs.

The scores for the various wl/bl settings are controlled by a set of
rules distributed and described in rules/60_welcomelist.cf. As Greg
indicated, welcomelist_from_rcvd causes a hit on USER_IN_WELCOMELIST,
which has a default score of -100. You can change that locally in your
local.cf file, but it will change for ALL addresses you've used with
welcomelist_from_rcvd or (not recommended) welcomelist_from. You can
also use def_welcomelist_from_rcvd, which is used for the addresses in
the "default" welcomelist which is part of the rules distribution. That
is scored via USER_IN_DEF_WELCOMELIST, set at -15 in the distribution.

A better tool for this would be welcomelist_from_auth, which you can use
if the sender's SPF authorizes the IP you see the mail from or if their
mail is signed with DKIM.

The BEST solution would be to figure out specifically why the mail is
sometimes being tagged as spam, and fix that.


>
> On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel <gdt@lexort.com> wrote:
>
>>
>> Joey J <jacklistmail@gmail.com> writes:
>>
>>> I'm trying to see if there is a "best way" to provide negative scoring for
>>> a certain person's email.
>>
>> That's easy. There are many ways, but no best way.
>>
>>> As an example, if joe@company.com is communicating with paypal or other real
>>> banking institutions, then at times within the email chain, SA will tag it
>>> as spam.
>>
>> It's really not clear what your issue is.
>>
>>> I want to see if, when an email is from joe@company.com AND is from IP
>>> address 1.2.3.4, we can take away 2 from the score, hopefully allowing
>>> those legitimate types of messages through.
>>> I couldn't find an example of how to accomplish this dual-criteria check.
>>> Any assistance is appreciated.
>>
>> welcomelist_from_rcvd joe@company.com [1.2.3.4]
>>
>> should work, but at -100. It would be nice if welcomelist_* could take a
>> score, but if you are sure you want *your* SA to not mark it as spam,
>> -100 is the way to spell that.
>>
>
>
> --
> Thanks!
> Joey


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Whitelist or add negative values for score
On 19.12.22 20:05, Joey J wrote:
>I'm trying to see if there is a "best way" to provide negative scoring for
>a certain person's email.
>As an example, if joe@company.com is communicating with paypal or other real
>banking institutions, then at times within the email chain, SA will tag it
>as spam.

Do you have an example?

>I want to see if, when an email is from joe@company.com AND is from IP
>address 1.2.3.4, we can take away 2 from the score, hopefully allowing
>those legitimate types of messages through.

There are techniques like SPF and DKIM to authenticate e-mail.
In that case you should be able to "welcomelist_auth joe@company.com" without
providing the outgoing mail server IP.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(Slovak) Warning: I do NOT wish to receive any advertising mail at this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producers Disease
Re: Whitelist or add negative values for score
Thanks to Bill and Matus for your responses.

Basically, the client is talking about real money transactions, airplanes,
paypal etc, but he is a legit sender with these often flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 times,
there are more of the buzz words that SA looks at based on rules.

We can't whitelist joe@company.com because of course everyone pretending to
be him will more than likely get whitelisted, and you know the rest.
This is why I thought a "user joe@company.com from IP 1.2.3.4" condition
would allow me to add some negative score to overcome the total flagging it
as spam.

You guys would know better than I as to which would be the best method, I
like scoring it some and going to -100.

Within the reject to the user it had the following:

Spam detection results: 3

ClamAVHeuristics 3 ClamAV heuristic test: Phishing.Email.SpoofedDomain (clamav)
AWL -0.969 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
BIGNUM_EMAILS_MANY 2.999 Lots of email addresses/leads, over and over
DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to background
HTML_MESSAGE 0.001 HTML included in message
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
T_FILL_THIS_FORM_SHORT 0.01 Fill in a short form with personal information
URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block



On Tue, Dec 20, 2022 at 6:14 AM Matus UHLAR - fantomas <uhlar@fantomas.sk>
wrote:

> On 19.12.22 20:05, Joey J wrote:
> >I'm trying to see if there is a "best way" to provide negative scoring for
> >a certain person's email.
> >As an example, if joe@company.com is communicating with paypal or other real
> >banking institutions, then at times within the email chain, SA will tag it
> >as spam.
>
> Do you have an example?
>
> >I want to see if, when an email is from joe@company.com AND is from IP
> >address 1.2.3.4, we can take away 2 from the score, hopefully allowing
> >those legitimate types of messages through.
>
> There are techniques like SPF and DKIM to authenticate e-mail.
> In that case you should be able to "welcomelist_auth joe@company.com" without
> providing the outgoing mail server IP.
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> (Slovak) Warning: I do NOT wish to receive any advertising mail at this address.
> BSE = Mad Cow Disease ... BSA = Mad Software Producers Disease
>


--
Thanks!
Joey
Re: Whitelist or add negative values for score
Personally I'd look at why BIGNUM_EMAILS_MANY is hitting and see if there is something the sender could do to avoid it. I'm pretty sure I've never seen that rule hit in any of my spam, so it must be something a bit unique.

Loren
Re: Whitelist or add negative values for score
On 20.12.22 18:59, Joey J wrote:
>Basically, the client is talking about real money transactions, airplanes,
>paypal etc, but he is a legit sender with these often flagged topics.
>Sometimes the message goes through, but by the time you reply 2 or 3 times,
>there are more of the buzz words that SA looks at based on rules.
>
>We can't whitelist joe@company.com because of course everyone pretending to
>be him will more than likely get whitelisted and you know the rest.

You have misunderstood what welcomelist_auth means.

It means that the sender has to pass SPF or DKIM, which means that random
people can NOT just send mail as joe@company.com.

>Within the reject to the user it had the following:
>Spam detection results: 3

Was this the legitimate mail? If so, your sender has multiple problems.

>ClamAVHeuristics 3 ClamAV heuristic test:
>Phishing.Email.SpoofedDomain (clamav)

This is at least not nice; problematic, I'd say.

>AWL -0.969 Adjusted score from AWL reputation of From:
>address
>
>BAYES_00 -1.9 Bayes spam probability is 0 to 1%
>
>BIGNUM_EMAILS_MANY 2.999 Lots of email addresses/leads, over and over

This is very common with spam.

>DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
>
>DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not
>necessarily valid
>
>HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to
>background
>
>HTML_MESSAGE 0.001 HTML included in message
>
>KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
>Alignment

This rule indicates that the mail would NOT pass welcomelist_auth.

If this is the mail you want then yes, you need welcomelist_from_rcvd, but
that's the sender's fault.

>T_FILL_THIS_FORM_SHORT 0.01 Fill in a short form with personal information
>URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was
>blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

This usually means you need to configure your own DNS server and not use
public Google/Cloudflare/Quad9 or your ISP's DNS servers.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(Slovak) Warning: I do NOT wish to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
Re: Whitelist or add negative values for score
On Wed, Dec 21, 2022 at 08:43:18AM +0100, Matus UHLAR - fantomas wrote:
> > DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
> >
> > DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not
> > necessarily valid
> >
> > HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to
> > background
> >
> > HTML_MESSAGE 0.001 HTML included in message
> >
> > KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
> > Alignment
>
> This rule indicates that the mail would NOT pass welcomelist_auth.
>
> If this is the mail you want then yes, you need welcomelist_from_rcvd, but
> that's the sender's fault.

It will pass welcomelist_auth, since there is SPF_PASS, which you missed:

SPF_PASS -0.001 SPF: sender matches SPF record
Re: Whitelist or add negative values for score
>> > DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
>> >
>> > DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not
>> > necessarily valid
>> >
>> > HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to
>> > background
>> >
>> > HTML_MESSAGE 0.001 HTML included in message
>> >
>> > KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
>> > Alignment

>On Wed, Dec 21, 2022 at 08:43:18AM +0100, Matus UHLAR - fantomas wrote:
>> This rule indicates that the mail would NOT pass welcomelist_auth.
>>
>> If this is the mail you want then yes, you need welcomelist_from_rcvd, but
>> that's the sender's fault.

On 21.12.22 11:19, Henrik K wrote:
>It will pass welcomelist_auth, since there is SPF_PASS, which you missed:
>
>SPF_PASS -0.001 SPF: sender matches SPF record

I understood KAM_DMARC_STATUS as failing SPF alignment.

In that case the From: header is not the same as the envelope From, so while SPF
matches the envelope From, the From: domain is different from the one that has
to be listed in welcomelist_auth for it to work.

Was I wrong?


We still lack an example of the original e-mail headers to decide better.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(Slovak) Warning: I do NOT wish to receive any advertising mail at this address.
LSD will make your ECS screen display 16.7 million colors
Re: Whitelist or add negative values for score
On 20/12/2022 23:59, Joey J wrote:
> Thanks to Bill and Matus for your responses.
>
> Basically, the client is talking about real money transactions,
> airplanes, paypal etc, but he is a legit sender with these often
> flagged topics.
> Sometimes the message goes through, but by the time you reply 2 or 3
> times, there are more of the buzz words that SA looks at based on rules.
>
> We can't whitelist joe@company.com because of course everyone
> pretending to be him will more than likely get whitelisted and you
> know the rest.
> This is why I thought if user joe@company.com from ip 1.2.3.4
> condition would allow me to add some negative score to get over the
> total flagging it as spam.
>
> You guys would know better than I as to which would be the best
> method, I like scoring it some and going to -100.
>
> Within the reject to the user it had the following:
>
> Spam detection results: 3
>
> ClamAVHeuristics 3 ClamAV heuristic test: Phishing.Email.SpoofedDomain
> (clamav)
>
> AWL -0.969 Adjusted score from AWL reputation of From: address
>
> BAYES_00 -1.9 Bayes spam probability is 0 to 1%
>
> BIGNUM_EMAILS_MANY      2.999 Lots of email addresses/leads, over and over
>
> DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
>
> DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
>
> HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to
> background
>
> HTML_MESSAGE 0.001 HTML included in message
>
> KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
> Alignment
>
> SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
>
> SPF_PASS -0.001 SPF: sender matches SPF record
>
> T_FILL_THIS_FORM_SHORT 0.01 Fill in a short form with personal information
>
> URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was
> blocked.  See
> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

My approach is like this:

describe LOCAL_WELCOMING_4 Pseudo-welcomelist (case-insensitive)
score LOCAL_WELCOMING_4 -4
header LOCAL_WELCOMING_4 From =~ /(fred\@bloggs\.com|\@jones\.com)>?\s*$/i

I have a few of these with different score reductions (4, 6, 8, 10 etc.) all
held in /etc/spamassassin/local_welcoming.cf. If you end up with a lot
of addresses to be 'welcomed' (as I do) you need some code to manage
them, but the principle is simple enough: they act to reduce the score
of any email where the 'From:' address matches the regex. They do not
guarantee acceptance (the spam score is still calculated, only some
amount (4 in the case above) is deducted), and they do not (in my case
anyway) apply to virus-laden emails.
Re: Whitelist or add negative values for score
On 2022-12-21 at 12:02:27 UTC-0500 (Wed, 21 Dec 2022 18:02:27 +0100)
Matus UHLAR - fantomas <uhlar@fantomas.sk>
is rumored to have said:
[...]>
> On 21.12.22 11:19, Henrik K wrote:
>> It will pass welcomelist_auth, since there is SPF_PASS, which you missed:
>>
>> SPF_PASS               -0.001 SPF: sender matches SPF record
>
> I understood KAM_DMARC_STATUS as failing SPF alignment.

KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment

Note that 'or' is not 'and' in that description. The message in question had a bad DKIM signature.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
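The alignment question that Matus, Henrik and Bill disagree on above, worked through as an added example (not SpamAssassin's code and not the logic of the KAM rule): a DMARC-style evaluation in which one aligned, passing identifier, SPF or DKIM, is enough. The organizational-domain helper is a deliberate simplification standing in for the Public Suffix List, and every sample identity is constructed.

```python
"""DMARC-style identifier alignment, modelled after RFC 7489.

Added example for the thread; not SpamAssassin's implementation and not
the KAM_DMARC_STATUS rule. Inputs are what a receiver already has after its
own SPF and DKIM checks: the SPF result for the envelope sender, and the
d= domain plus verification result of each DKIM signature.
"""
from dataclasses import dataclass
from email.utils import parseaddr


def domain_of(address: str) -> str:
    """Lower-cased domain of 'Name <user@Host.Example>' or a bare address."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Real DMARC consults the Public Suffix List (co.uk and friends); this
    shortcut is an assumption that is good enough for the .com names here.
    """
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict): exact match. 'r' (relaxed): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class DkimResult:
    d: str        # d= tag of the signature
    result: str   # "pass", "fail", "invalid", ...


def dmarc_evaluate(header_from, envelope_from, spf_result, dkim, aspf="r", adkim="r"):
    """Return which identifiers pass *and* align with the RFC5322.From domain.

    DMARC passes when SPF passes for an aligned envelope domain OR any DKIM
    signature verifies with an aligned d= domain. 'or', not 'and'.
    """
    from_dom = domain_of(header_from)
    spf_ok = spf_result == "pass" and aligned(domain_of(envelope_from), from_dom, aspf)
    dkim_ok = any(s.result == "pass" and aligned(s.d, from_dom, adkim) for s in dkim)
    return {"spf_aligned_pass": spf_ok, "dkim_aligned_pass": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


# Case A (Henrik's reading): SPF passes for the envelope sender, the From:
# header is in the same domain, the DKIM signature is invalid -> pass via SPF.
CASE_A = dict(header_from="Sender <Sender@Customer.com>", envelope_from="Sender@Customer.com",
              spf_result="pass", dkim=[DkimResult(d="customer.com", result="invalid")])
# Case B (Matus's reading): SPF passes, but for a third-party envelope domain,
# and DKIM is invalid -> no aligned identifier passes, even with relaxed alignment.
CASE_B = dict(header_from="Sender@Customer.com", envelope_from="bounce@bulk-mailer.example",
              spf_result="pass", dkim=[DkimResult(d="customer.com", result="invalid")])
# Case C: a valid DKIM signature whose d= is a subdomain of the From: domain:
# passes under relaxed alignment, fails under strict.
CASE_C = dict(header_from="Sender@Customer.com", envelope_from="bounce@bulk-mailer.example",
              spf_result="pass", dkim=[DkimResult(d="mail.customer.com", result="pass")])

if __name__ == "__main__":
    for name, case in (("A", CASE_A), ("B", CASE_B), ("C", CASE_C)):
        print(name, "relaxed:", dmarc_evaluate(**case),
              "strict:", dmarc_evaluate(**case, aspf="s", adkim="s"))
```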
Re: Whitelist or add negative values for score
Thanks Everyone.
Within all of the responses, I will try to reply here.
1. The legit sender will talk about big numbers because of the real things
he is involved with, so big numbers are still a valid method to score on, just
not in this case.
2. The SPF record is set to fail on no match; however, this does not
automatically say "ok, it's the approved source, everything is ok, let them
spam out". SA will still score content, and simply not score for bad SPF.
3. The goal is to say: for user joe@company.com, if we can confirm the
source is their mail server IP, then let's add some negative value, let's say
-2, to allow messages that might be scored such as the above #1 because they
are legit.

Unless there is something I'm missing, I'm not sure how to better explain
it.
Yes, I can provide the full headers, but I thought the spam info was enough
to provide the SA aspect of the scoring.

This is why I thought of the extra rule based on email address and IP
combo, almost confirming it's legit, to add to the negative score.



On Wed, Dec 21, 2022 at 1:12 PM Bill Cole <
sausers-20150205@billmail.scconsult.com> wrote:

> On 2022-12-21 at 12:02:27 UTC-0500 (Wed, 21 Dec 2022 18:02:27 +0100)
> Matus UHLAR - fantomas <uhlar@fantomas.sk>
> is rumored to have said:
> [...]>
> > On 21.12.22 11:19, Henrik K wrote:
> >> It will pass welcomelist_auth, since there is SPF_PASS, which you
> missed:
> >>
> >> SPF_PASS -0.001 SPF: sender matches SPF record
> >
> > I understood KAM_DMARC_STATUS as failing SPF alignment.
>
> KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
> Alignment
>
> Note that 'or' is not 'and' in that description. The message in question
> had a bad DKIM signature.
>
>
> --
> Bill Cole
> bill@scconsult.com or billcole@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


--
Thanks!
Joey
Re: Whitelist or add negative values for score
The other thing that should be done for joe@company.com is that
company.com should sign their mail with DKIM, and then you can

welcomelist_from_dkim *@company.com

I find that many companies I deal with that produce semi-spammy mail
(most big companies :-) have DKIM signatures and I can welcomelist on
that, without welcomelisting forgeries.

You can of course use _rcvd for the IP address. DKIM is just nicer if
you can get them to do it.
Re: Whitelist or add negative values for score
Joey J wrote:
> Thanks Everyone.
> Within all of the responses, I will try to reply here.
> 1. The legit sender will talk about big numbers because of the real
> things he is involved with, so big numbers are still a valid method to
> score on, just not in this case.
> 2. The SPF record is set to fail on no match; however, this does not
> automatically say "ok, it's the approved source, everything is ok, let
> them spam out". SA will still score content, and simply not score for bad
> SPF.
> 3. The goal is to say: for user joe@company.com,
> if we can confirm the source is their mail server IP, then let's add some
> negative value, let's say -2, to allow messages that might be scored such
> as the above #1 because they are legit.
>
> Unless there is something I'm missing, I'm not sure how to better
> explain it.
> Yes, I can provide the full headers, but I thought the spam info was
> enough to provide the SA aspect of the scoring.
>
> This is why I thought of the extra rule based on email address and IP
> combo, almost confirming it's legit, to add to the negative score.

If you really want to go down this road, and assign small or
individualized scores for senders like this instead of just using
welcomelist_from_(rcvd|dkim|spf) or welcomelist_auth, use something like
this:

header __FROM_GOODGUY From:addr =~ /^joe\@company\.com$/
header __RCVD_GOODGUY X-Spam-Relays-External =~ /^\[ ip=1\.2\.3\.4 /
meta NOTSPAM_GOODGUY __FROM_GOODGUY && __RCVD_GOODGUY
describe NOTSPAM_GOODGUY Score nudge for joe@company.com
score NOTSPAM_GOODGUY -2

Have a long read through "man Mail::SpamAssassin::Conf" to deconstruct
those.

But that doesn't scale well to very many senders, where welcomelist_*
seem to scale pretty well to at least low thousands of entries. _spf
and _dkim in particular also rely on other information published by the
sender, so *you* don't have to keep manually updating your rules if
their mail sending infrastructure changes.

I'd be more inclined to do some per-user score setting on the
*recipient* account - ie, whoever is receiving these can have a line
added to ~/.spamassassin/user_prefs (or wherever you're storing SA
userprefs) saying "score BIGNUM_EMAILS_MANY (-1)".

I'd also see if you can narrow down exactly what
Phishing.Email.SpoofedDomain is hitting on; IME it's all too likely to
fire on a certain class of legitimate mail, and what you've described
sounds like a prime place for FPs. Calling ClamAV like this either
requires a plugin or relies on ClamAV being called earlier, and leaving
a header for SA to check. You'll have to do a bit more digging to find
out how it's configured.

Locally I started with the plugin on the wiki
(https://cwiki.apache.org/confluence/display/SPAMASSASSIN/ClamAVPlugin)
and extended it quite a bit. I've just posted the current production
version at http://deepnet.cx/~kdeugau/spamtools/clamav.pm. I have that
particular Clam hit scored at 1.5 due to the FP potential.

-kgd
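The header/meta/score rules posted above, run through a small Python model as an added example (not code from the thread and not SpamAssassin itself): a reduced .cf interpreter plus a parser for the hits= field of the gateway log line Joey posts later in this thread. Assumed, and not in the original: the /i flag added to the From:addr rule, the constructed message headers, and the simplified rule syntax the interpreter accepts.

```python
"""Reduced interpreter for the header/meta/score rules in the post above.

Added example; not code from the thread and not SpamAssassin itself. It
handles `header X Hdr =~ /re/flags`, `meta X A && B`, `score X n` and
`score X (n)` (relative), and parses the `hits=` field of the
pmg-smtp-filter log line quoted later in the thread. All headers below are
constructed; X-Spam-Relays-External is hand-written in the shape SA derives
from the Received: chain.
"""
import re
from email.utils import parseaddr

# The posted rules, with /i added to the From:addr rule so a sender whose MUA
# writes "Joe@Company.com" still matches (this model keeps the address case).
RULES_CF = r"""
header __FROM_GOODGUY From:addr =~ /^joe\@company\.com$/i
header __RCVD_GOODGUY X-Spam-Relays-External =~ /^\[ ip=1\.2\.3\.4 /
meta NOTSPAM_GOODGUY __FROM_GOODGUY && __RCVD_GOODGUY
describe NOTSPAM_GOODGUY Score nudge for joe@company.com
score NOTSPAM_GOODGUY -2
"""
# The per-recipient alternative from the same post; parentheses = relative.
USER_PREFS_CF = "score BIGNUM_EMAILS_MANY (-1)\n"

# SA line from the gateway log in the thread, rejoined onto one line.
LOG_LINE = (
    "Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA "
    "score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no "
    "hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),"
    "DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),"
    "HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),"
    "SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)"
)
SAMPLE_HEADERS = {  # constructed
    "From": "Joe <Joe@Company.com>",
    "X-Spam-Relays-External": "[ ip=1.2.3.4 rdns=Sender.MailServer.com "
    "helo=Sender.MailServer.com by=mgw ident= envfrom= intl=0 id=1270980A01 auth= msa=0 ]",
}

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")
META_RE = re.compile(r"^meta\s+(\S+)\s+(.+)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(\(?)(-?\d+(?:\.\d+)?)\)?$")
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\((-?\d+(?:\.\d+)?)\)")


def parse_rules(cf):
    """Parse the .cf subset above into header/meta/score/adjust tables."""
    rules = {"header": {}, "meta": {}, "score": {}, "adjust": {}}
    for line in (raw.strip() for raw in cf.splitlines()):
        if m := HEADER_RE.match(line):
            name, hdr, pattern, flags = m.groups()
            rules["header"][name] = (hdr, re.compile(pattern, re.I if "i" in flags else 0))
        elif m := META_RE.match(line):
            # Only '&&' is supported; metas may depend on header rules only.
            rules["meta"][m.group(1)] = [d.strip() for d in m.group(2).split("&&")]
        elif m := SCORE_RE.match(line):
            name, paren, value = m.groups()
            rules["adjust" if paren else "score"][name] = float(value)
    return rules


def header_value(headers, spec):
    """Resolve 'Name' or 'Name:addr' against a header dict, case-insensitively."""
    name, _, mod = spec.partition(":")
    raw = next((v for k, v in headers.items() if k.lower() == name.lower()), "")
    return parseaddr(raw)[1] if mod == "addr" else raw


def parse_hits(log_line):
    """Turn 'hits=NAME(score),...' from a pmg-smtp-filter line into a dict."""
    m = re.search(r"\bhits=(\S+)", log_line)
    return {n: float(s) for n, s in HIT_RE.findall(m.group(1))} if m else {}


def score_message(cf, headers, log_line):
    """Apply local rules on top of the hits the scanner logged; return (total, hits)."""
    rules, hits, fired = parse_rules(cf), parse_hits(log_line), set()
    for name, (hdr, rx) in rules["header"].items():
        if rx.search(header_value(headers, hdr)):
            fired.add(name)
    for name, deps in rules["meta"].items():
        if all(d in fired for d in deps):
            fired.add(name)
    for name in fired:           # __X sub-rules never score; others default to 1.0
        if not name.startswith("__"):
            hits[name] = rules["score"].get(name, 1.0)
    for name, value in rules["score"].items():   # absolute override of a logged hit
        if name in hits:
            hits[name] = value
    for name, delta in rules["adjust"].items():  # score X (n): relative change
        if name in hits:
            hits[name] += delta
    return round(sum(hits.values()), 3), hits


if __name__ == "__main__":
    print("as logged:       ", round(sum(parse_hits(LOG_LINE).values()), 3))      # 3.353
    print("meta nudge:      ", score_message(RULES_CF, SAMPLE_HEADERS, LOG_LINE)[0])       # 1.353
    print("user_prefs (-1): ", score_message(USER_PREFS_CF, SAMPLE_HEADERS, LOG_LINE)[0])  # 2.353
```

Dropping the /i flag (the rule exactly as posted) leaves the "Joe@Company.com" message at 3.353 in this model, which is the case-sensitivity pitfall worth checking before relying on such a nudge.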
Re: Whitelist or add negative values for score
Kris & Greg,

Thank you for pointing me in the better direction.
Since not many people are typing these types of email, I could do the one-off
rule and it would be manageable.
But in better seeing the welcomelist_from_spf option, I think this will be
my first try.

I appreciate all of your points and it makes us all better evaluate what we
are doing and consider efficiency and effectiveness.

Thanks!!

On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel <gdt@lexort.com> wrote:

> The other thing that should be done for joe@company.com is that
> company.com should sign their mail with DKIM, and then you can
>
> welcomelist_from_dkim *@company.com
>
> I find that many companies I deal with that produce semi-spammy mail
> (most big companies :-) have DKIM signatures and I can welcomelist on
> that, without welcomelisting forgeries.
>
> You can of course use _rcvd for the IP address. DKIM is just nicer if
> you can get them to do it.
>


--
Thanks!
Joey
Re: Whitelist or add negative values for score
On 21.12.22 15:48, Joey J wrote:
>Thank you for pointing me in the better direction.
>Since not many people are typing these types of email, I could do the one-off
>rule and it would be manageable.
>But in better seeing the welcomelist_from_spf option, I think this will be
>my first try.

welcomelist_auth does the same as both welcomelist_from_spf and
welcomelist_from_dkim.

Note that SPF is related to the envelope From address, and if it's different
from the header From:, it won't help you much.

You haven't provided an example of the mail (headers) we are talking about.
Without it, we can only guess what your problem really is and what the
solution should be.


>On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel <gdt@lexort.com> wrote:
>> The other thing that should be done for joe@company.com is that
>> company.com should sign their mail with DKIM, and then you can
>>
>> welcomelist_from_dkim *@company.com
>>
>> I find that many companies I deal with that produce semi-spammy mail
>> (most big companies :-) have DKIM signatures and I can welcomelist on
>> that, without welcomelisting forgeries.
>>
>> You can of course use _rcvd for the IP address. DKIM is just nicer if
>> you can get them to do it.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(Slovak) Warning: I do NOT wish to receive any advertising mail at this address.
2B|!2B, that's a question!
Re: Whitelist or add negative values for score
On Wed, 21 Dec 2022, Joey J wrote:

> But in better seeing the welcomelist_from_spf option, I think this will be
> my first try.

If you are *really* worried about getting faked mail from that
correspondent, you can do something like:

whitelist_from_spf joe@company.com
blacklist_from joe@company.com

I have a bunch of these sort of entries in my local config:

whitelist_auth *@wellsfargo.com
blacklist_from *@wellsfargo.com
whitelist_auth *@*.wellsfargo.com
blacklist_from *@*.wellsfargo.com
whitelist_auth *@netflix.com
blacklist_from *@netflix.com
whitelist_auth *@*.netflix.com
blacklist_from *@*.netflix.com

You may need to dial back the blacklist score a bit for it to work
reliably:

score USER_IN_BLACKLIST 85.000 # let whitelist override blacklist


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
3 days until Christmas
Re: Whitelist or add negative values for score
Hello All,

This is the best I can grab header-wise. Names/IPs have been changed here to
protect privacy.
Know the following:
The sender's real server (1.2.3.4) (1.2.3.4 is the SPF match) sends the
mail to the gateway, and the gateway blocked it as shown.
Yes, legit, going to paypal.

Based on this, your responses will assist in making the best choice.

Thanks everyone!


Dec 19 19:39:42 mgw postfix/smtpd[1070732]: connect from Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: Anonymous TLS connection established from Sender.MailServer.com[1.2.3.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: client=Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: message-id=<MN0PR22MB3689503197A395D549EE6D0DAAEA9@MN0PR22MB3689.namprd22.prod.outlook.com>
Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01: from=<Sender@Customer.com>, size=673334, nrcpt=1 (queue active)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail message-id=<MN0PR22MB3689503197A395D549EE6D0DAAEA9@MN0PR22MB3689.namprd22.prod.outlook.com>#012
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: notify <Sender@Customer.com> (rule: Block outgoing Spam, 342C580C8D)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: block mail to <Recipient@paypal.com> (rule: Block outgoing Spam)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: processing time: 5.04 seconds (4.186, 0.664, 0)
Dec 19 19:39:47 mgw postfix/lmtp[1070520]: 1270980A01: to=<Recipient@paypal.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=5.2, delays=0.06/0/0.05/5.1, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (A760963A1044E2E16D))
Dec 19 19:39:47 mgw postfix/qmgr[5368]: 1270980A01: removed



On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas <uhlar@fantomas.sk>
wrote:

> On 21.12.22 15:48, Joey J wrote:
> >Thank you for pointing me in the better direction.
> >Since not many people are typing these types of email, I could do the one-off
> >rule and it would be manageable.
> >But in better seeing the welcomelist_from_spf option, I think this will be
> >my first try.
>
> welcomelist_auth does the same as both welcomelist_from_spf and
> welcomelist_from_dkim.
>
> Note that SPF is related to the envelope From address, and if it's different
> from the header From:, it won't help you much.
>
> You haven't provided an example of the mail (headers) we are talking about.
> Without it, we can only guess what your problem really is and what the
> solution should be.
>
>
> >On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel <gdt@lexort.com> wrote:
> >> The other thing that should be done for joe@company.com is that
> >> company.com should sign their mail with DKIM, and then you can
> >>
> >> welcomelist_from_dkim *@company.com
> >>
> >> I find that many companies I deal with that produce semi-spammy mail
> >> (most big companies :-) have DKIM signatures and I can welcomelist on
> >> that, without welcomelisting forgeries.
> >>
> >> You can of course use _rcvd for the IP address. DKIM is just nicer if
> >> you can get them to do it.
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> 2B|!2B, that's a question!
>


--
Thanks!
Joey
Re: Whitelist or add negative values for score [ In reply to ]
On 23.12.22 21:24, Joey J wrote:
>This is the best I can grab header-wise. Names/IPs have been changed here to
>protect privacy.
>Know the following:
>The senders real server (1.2.3.4), (1.2.3.4 is the SPF match) sends the
>mail to the gateway, and the gateway blocked it as shown.
>Yes, legit going to paypal.

>Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: client=Sender.MailServer.com[1.2.3.4]
>Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: message-id=<MN0PR22MB3689503197A395D549EE6D0DAAEA9@MN0PR22MB3689.namprd22.prod.outlook.com>
>Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01: from=<Sender@Customer.com>, size=673334, nrcpt=1 (queue active)
>Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
>Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail message-id=<MN0PR22MB3689503197A395D549EE6D0DAAEA9@MN0PR22MB3689.namprd22.prod.outlook.com>#012
>Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
>Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)

The sender address is Sender@Customer.com and SPF passed (SPF_PASS), so:

welcomelist_auth Sender@Customer.com
or
welcomelist_from_spf Sender@Customer.com

should both allow this sender.
I assume the Sender@Customer.com is also in the From: address.

welcomelist_from_dkim Sender@Customer.com
will NOT work, because there's no valid DKIM signature.


>> On 21.12.22 15:48, Joey J wrote:
>> >Thank you for pointing me in the better direction.
>> >Since not many people are typing these types of email , I could do the one
>> >off rule and it would be manageable.
>> >But in better seeing the welcomelist_from_spf option, I think this will be
>> >my first try.

>On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas <uhlar@fantomas.sk>
>wrote:
>> welcomelist_auth does the same as welcomelist_from_spf and
>> welcomelist_from_dkim both.
>>
>> Note that SPF is related to envelope from address and if it's different
>> from header From:, it won't help you much.
>>
>> You haven't provided example of mail (headers) we are talking about.
>> Without it, we can only guess what your problem really is and what the
>> solution should be.
>>
>>
>> >On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel <gdt@lexort.com> wrote:
>> >> The other thing that should be done for joe@company.com is that
>> >> company.com should sign their mail with DKIM, and then you can
>> >>
>> >> welcomelist_from_dkim *@company.com
>> >>
>> >> I find that many companies I deal with that produce semi-spammy mail
>> >> (most big companies :-) have DKIM signatures and I can welcomelist on
>> >> that, without welcomelisting forgeries.
>> >>
>> >> You can of course use _rcvd for the IP address. DKIM is just nicer if
>> >> you can get them to do it.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
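A small script, added here as an example (it is not part of the thread and not PMG or SpamAssassin code), that parses the pmg-smtp-filter SA line quoted above and applies the reasoning from the reply: welcomelist_from_spf needs an SPF pass, welcomelist_from_dkim needs a valid signature, welcomelist_auth accepts either. The sample log line is the one from the thread; the DKIM test is an approximation built only from the rule names shown (signed, and not flagged invalid).

```python
import re

# Constructed input: the "SA score" line quoted in the thread, re-typed as
# one string (the hits list is exactly as logged).
SAMPLE_LOG = (
    "Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA "
    "score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no "
    "hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),"
    "BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),"
    "HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),"
    "SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),"
    "URIBL_BLOCKED(0.001)"
)

SCORE_RE = re.compile(r"SA score=([-\d.]+)/([-\d.]+) .*?hits=(\S+)")
HIT_RE = re.compile(r"([A-Za-z0-9_]+)\(([-+]?\d+(?:\.\d+)?)\)")

def parse_sa_line(line):
    """Return score, threshold and a {rule: points} dict from one SA log line."""
    m = SCORE_RE.search(line)
    if m is None:
        raise ValueError("not a pmg-smtp-filter SA score line")
    score, threshold, hits = m.groups()
    return {
        "score": float(score),
        "threshold": float(threshold),
        "hits": {name: float(pts) for name, pts in HIT_RE.findall(hits)},
    }

def suggested_directives(sender, hits):
    """welcomelist_* lines that could match this sender, per the thread's
    reasoning. DKIM validity is approximated from the rule names on the page
    (DKIM_SIGNED present, DKIM_INVALID absent); this is an assumption."""
    spf_ok = "SPF_PASS" in hits
    dkim_ok = "DKIM_SIGNED" in hits and "DKIM_INVALID" not in hits
    lines = []
    if spf_ok or dkim_ok:
        lines.append(f"welcomelist_auth {sender}")
    if spf_ok:
        lines.append(f"welcomelist_from_spf {sender}")
    if dkim_ok:
        lines.append(f"welcomelist_from_dkim {sender}")
    return lines

if __name__ == "__main__":
    parsed = parse_sa_line(SAMPLE_LOG)
    print(parsed["score"], parsed["threshold"], len(parsed["hits"]), "rules")
    print("\n".join(suggested_directives("Sender@Customer.com", parsed["hits"])))
```

For the logged message this yields only the welcomelist_auth and welcomelist_from_spf lines, matching the reply's point that welcomelist_from_dkim would not work here.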