[Systems] Spam spike for list owners (sample header attached)

Bernie Innocenti bernie at codewiz.org
Tue Sep 5 21:47:53 EDT 2017


These are probably getting a lower score due to SPF_PASS.

If spammers nowadays learned to pass SPF, we should disable that rule or reduce its score. Can you share the full headers please?

On 5 September 2017 10:15:17 GMT-04:00, Samuel Cantero <scanterog at gmail.com> wrote:
>Thanks a lot guys!
>
>It seems we still have some spam that can't be caught easily by
>spamassassin. I find some of them in systems at .
>
>
>X-Spam-Status: No, score=1.3 required=3.5
>tests=HTML_MESSAGE,RDNS_NONE,SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE
>
>X-Spam-Status: No, score=3.0 required=3.5
>tests=RDNS_NONE,SPF_HELO_PASS,SPF_PASS,URIBL_BLACK
>
>Yes, the score is low...
>
>
>On Tue, Sep 5, 2017 at 1:07 AM, Sebastian Silva <sebastian at fuentelibre.org> wrote:
>
>> Thanks Bernie for following up and pledging to continue your leadership
>> in this regard.
>>
>> My email-fu is also out of date, but count on me for help.
>>
>> Regards,
>> Sebastian
>>
>>
>> On 05/09/17 00:02, Bernie Innocenti wrote:
>> > On 09/04/2017 09:26 AM, Sebastian Silva wrote:
>> >> I'm not aware of how sunjammer treats mail. Bernie, did you set this up
>> >> originally?
>> > Yes. We use Postfix + spamass-milter with a bunch of RBLs and other
>> > rules.
>> >
>> > The reason we're seeing mail with "X-Spam-Flag: YES" in mailman was that
>> > there are two distinct thresholds: the one in /etc/spamassassin/local.cf
>> > causes mail to be flagged as spam when it reaches the score 3.5. This
>> > doesn't cause the mail to be rejected at SMTP time, just flagged so that
>> > local delivery rules can move it to a spam folder where users can still
>> > find it in case it was misclassified.
>> >
>> > Mailman doesn't have any knowledge of the SpamAssassin headers, but
>> > there are per-list spam filtering rules. Looks like the "X-Spam-Flag:
>> > YES" rule was not present on sugar-devel (it's present on systems@ and
>> > other lists). So I just configured it to silently discard spam. You can
>> > change it here:
>> >
>> >   http://lists.sugarlabs.org/admin/sugar-devel/privacy/spam
>> >
>> >
>> > There's also a second threshold, which was conservatively set to 8.0,
>> > which is used by spamass-milter to refuse incoming mail with a permanent
>> > error to the sender. The email in question had a score of 7.7, so it
>> > didn't make the cut. I lowered the threshold to 6, which should be safe
>> > enough.
>> >
>> >
>> >> Maintaining mailservers is often time consuming and frustrating because
>> >> of spam.
>> > Indeed :-(
>> >
>> > Even with a well configured SpamAssassin, with DKIM and RBLs,
>> > there is way too much spam that makes it through. The only way to filter
>> > spam effectively is to rely on signals from a massive number of users to
>> > train an advanced spam classifier (and SpamAssassin is an ancient
>> > codebase mostly based on manually crafted rules).
>> >
>> >
>> >> I don't even fully understand what James said (does gmail consider this
>> >> spam as originating from SL?).
>> >>
>> >> Perhaps we should disable mail processing altogether if no sysadmin can
>> >> manage it.
>> >>
>> >> While I am in the infrastructure team, mail is just too time consuming to
>> >> configure for me.
>> >>
>> >> If there's no other volunteer I can look into scaling our mail services
>> >> down to just mailing lists.
>> > My experience administering email is 6 years out of date, but I can
>> > pledge to keep the current system running until we switch to mailman3
>> > which (hopefully?) has a modern, well thought out way to deal with spam.
>> >
>> > There shouldn't be much to do for the forwarding email addresses, since
>> > spam filtering belongs in the receiving endpoint.
>> >
>> > The other thing that can get tricky is ensuring reliable delivery on IPs
>> > that can be used to send out occasional spam (from local email accounts
>> > or web apps). This is why we're not encouraging hosted email accounts on
>> > sunjammer.
>> >
>> >
>> >> Regards,
>> >>
>> >> Sebastian
>> >>
>> >>
>> >> On 03/09/17 17:14, James Cameron wrote:
>> >>> This will do significant reputational damage to Sugar Labs mail
>> >>> domain, identifying the mailman instance as an open relay, making the
>> >>> upcoming election harder to run.
>> >>>
>> >>> About a thousand messages so far.  I'm intercepting with procmail.
>> >>>
>> >>> Each has UTF 6616c.com in subject, with remainder of subject and body
>> >>> text in Chinese.  6616c.com is an alias for 006cc.com, which looks to
>> >>> be gambling focused.
>> >>>
>> >>
>> >> _______________________________________________
>> >> Systems mailing list
>> >> Systems at lists.sugarlabs.org
>> >> http://lists.sugarlabs.org/listinfo/systems
>> >>
>>

-- 
ベルニー
Sent from my Android device with K-9 Mail.
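Added example (not part of the thread, not Sugar Labs code): a small Python script that parses X-Spam-Status headers like the two Samuel pasted, applies the two-threshold policy Bernie describes (flag at 3.5 via local.cf, reject at SMTP time at 6.0 after he lowered it from 8.0), lists the "near misses" just under the flag threshold, and answers Bernie's question about SPF_PASS by recomputing a message's total if the SPF rules were given a different score. The sample headers are constructed from the thread; the third one stands in for the 7.7-point message whose test list is not shown, so its tests are assumed. The per-rule scores in OLD_SCORES are hypothetical placeholders: the values actually in effect come from the installed SpamAssassin rule files and any `score` overrides in local.cf, and should be read from there before deciding anything.

```python
import re
from dataclasses import dataclass

# Constructed sample headers. The first two are the ones quoted in the thread
# (their wrapped lines joined); the third stands in for the 7.7-point message
# Bernie mentions, whose test list the thread does not show, so it is assumed.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=1.3 required=3.5 "
    "tests=HTML_MESSAGE,RDNS_NONE,SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE",
    "X-Spam-Status: No, score=3.0 required=3.5 "
    "tests=RDNS_NONE,SPF_HELO_PASS,SPF_PASS,URIBL_BLACK",
    "X-Spam-Status: Yes, score=7.7 required=3.5 tests=RDNS_NONE,URIBL_BLACK",
]

# The two thresholds described in the thread: local.cf flags at 3.5, and
# spamass-milter rejects at SMTP time at 6.0 (lowered from 8.0).
FLAG_THRESHOLD = 3.5
REJECT_THRESHOLD = 6.0

# Rule names are upper-case with digits/underscores; a folded header may put
# whitespace after the commas, so allow it there.
HEADER_RE = re.compile(
    r"X-Spam-Status:\s*(?P<flag>Yes|No),\s*"
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)"
    r"(?:\s+tests=(?P<tests>[A-Z0-9_]+(?:,\s*[A-Z0-9_]+)*))?"
)


@dataclass
class SpamStatus:
    flagged: bool
    score: float
    required: float
    tests: list


def parse_spam_status(header: str) -> SpamStatus:
    """Parse one X-Spam-Status header (folded or not) into its fields."""
    # RFC 5322 folding: a continuation line starts with whitespace.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    m = HEADER_RE.match(unfolded)
    if m is None:
        raise ValueError(f"not an X-Spam-Status header: {header!r}")
    raw_tests = m.group("tests") or ""
    tests = [t.strip() for t in raw_tests.split(",") if t.strip()]
    return SpamStatus(
        flagged=(m.group("flag") == "Yes"),
        score=float(m.group("score")),
        required=float(m.group("required")),
        tests=tests,
    )


def classify(status, flag_threshold=FLAG_THRESHOLD, reject_threshold=REJECT_THRESHOLD):
    """Apply the two-threshold policy: reject at SMTP time, flag for the
    local delivery rules to file away, or deliver untouched."""
    if status.score >= reject_threshold:
        return "reject"
    if status.score >= flag_threshold:
        return "flag"
    return "deliver"


def rescore(status, old_scores, new_scores):
    """Total this message would have if the rules in new_scores were given
    those values instead of the ones in old_scores. Only rules that actually
    fired (status.tests) contribute, so the scores of the other tests need
    not be known."""
    delta = sum(
        new_scores[rule] - old_scores.get(rule, 0.0)
        for rule in status.tests
        if rule in new_scores
    )
    return round(status.score + delta, 1)


def near_misses(statuses, margin=1.0):
    """Messages scored below 'required' but within 'margin' of it: the ones
    to look at when deciding whether a rule score needs tuning."""
    return [s for s in statuses if s.required - margin <= s.score < s.required]


# Hypothetical rule scores for the what-if; the values in effect on a real
# system come from the installed SpamAssassin rule files and local.cf.
OLD_SCORES = {"SPF_PASS": -0.5, "SPF_HELO_PASS": -0.5}
NEUTRAL_SCORES = {"SPF_PASS": 0.0, "SPF_HELO_PASS": 0.0}

if __name__ == "__main__":
    statuses = [parse_spam_status(h) for h in SAMPLE_HEADERS]
    for s in statuses:
        print(f"score={s.score:4} -> {classify(s):7} "
              f"(SPF rules neutral: {rescore(s, OLD_SCORES, NEUTRAL_SCORES)})")
    print("near misses:", [s.score for s in near_misses(statuses)])
```

With the hypothetical scores, the 3.0-point message would cross the 3.5 flag threshold once the SPF rules stop subtracting, while the 1.3-point one would not; the point is that the recomputation needs only the scores of the rules being changed, which is why the "tests=" list is worth keeping in the headers you paste to the list.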

