[Systems] Spam spike for list owners (sample header attached)

Samuel Cantero scanterog at gmail.com
Tue Sep 5 22:21:55 EDT 2017


Here it is: https://paste.fedoraproject.org/paste/BythbLi7ZT7MdYoHbnZF9g/raw

Can't copy here, otherwise it gets blocked by SpamAssassin.

On Tue, Sep 5, 2017 at 9:47 PM, Bernie Innocenti <bernie at codewiz.org> wrote:

> These are probably getting a lower score due to SPF_PASS.
>
> If spammers nowadays learned to pass SPF, we should disable that rule or
> reduce its score. Can you share the full headers please?
>
> On 5 September 2017 10:15:17 GMT-04:00, Samuel Cantero <
> scanterog at gmail.com> wrote:
> >Thanks a lot guys!
> >
> >It seems we still have some spam that can't be caught easily by
> >spamassassin. I find some of them in systems at .
> >
> >
> >*X-Spam-Status: No, score=1.3 required=3.5
> >tests=HTML_MESSAGE,RDNS_NONE,
> >SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE *
> >
> >*X-Spam-Status: No, score=3.0 required=3.5
> >tests=RDNS_NONE,SPF_HELO_PASS,
> >SPF_PASS,URIBL_BLACK*
> >
> >Yes, the score is low...
> >
> >
> >On Tue, Sep 5, 2017 at 1:07 AM, Sebastian Silva
> ><sebastian at fuentelibre.org>
> >wrote:
> >
> >> Thanks Bernie for following up and pledging to continue your
> >leadership
> >> in this regard.
> >>
> >> My email-fu is also out of date, but count on me for help.
> >>
> >> Regards,
> >> Sebastian
> >>
> >>
> >> On 05/09/17 00:02, Bernie Innocenti wrote:
> >> > On 09/04/2017 09:26 AM, Sebastian Silva wrote:
> >> >> I'm not aware of how sunjammer treats mail. Bernie, did you set
> >this up
> >> >> originally?
> >> > Yes. We use Postfix + spamass-milter with a bunch of RBLs and other
> >> rules.
> >> >
> >> > The reason we're seeing mail with "X-Spam-Flag: YES" in mailman was
> >that
> >> > there are two distinct thresholds: the one in
> >/etc/spamassassin/local.cf
> >> > causes mail to be flagged as spam when it reaches the score 3.5.
> >This
> >> > doesn't cause the mail to be rejected at SMTP time, just flagged so
> >that
> >> > local delivery rules can move it to a spam folder where users can
> >still
> >> > find it in case it was misclassified.
> >> >
> >> > Mailman doesn't have any knowledge of the SpamAssassin headers, but
> >> > there are per-list spam filtering rules. Looks like the
> >"X-Spam-Flag:
> >> > YES" rule was not present on sugar-devel (it's present on systems@
> >and
> >> > other lists). So I just configured it to silently discard spam. You
> >can
> >> > change it here:
> >> >
> >> >   http://lists.sugarlabs.org/admin/sugar-devel/privacy/spam
> >> >
> >> >
> >> > There's also a second threshold, which was conservatively set to
> >8.0,
> >> > which is used by spamass-milter to refuse incoming mail with a
> >permanent
> >> > error to the sender. The email in question had a score of 7.7, so
> >it
> >> > didn't make the cut. I lowered the threshold to 6, which should be
> >safe
> >> > enough.
> >> >
> >> >
> >> >> Maintaining mailservers is often time consuming and frustrating
> >because
> >> >> of spam.
> >> > Indeed :-(
> >> >
> >> > Even with a well configured SpamAssassin, with DKIM and RBLs,
> >> > there is way too much spam that makes it through. The only way to
> >filter
> >> > spam effectively is to rely on signals from a massive number of
> >users to
> >> > train an advanced spam classifier (and SpamAssassin is an ancient
> >> > codebase mostly based on manually crafted rules).
> >> >
> >> >
> >> >> I don't even fully understand what James said (does gmail consider
> >this
> >> >> spam as originating from SL?).
> >> >>
> >> >> Perhaps we should disable mail processing altogether if no
> >sysadmin can
> >> >> manage it.
> >> >>
> >> >> While I am in infrastructure team, mail is just too time consuming
> >to
> >> >> configure for me.
> >> >>
> >> >> If there's no other volunteer I can look into scaling our mail
> >services
> >> >> down to just mailing lists.
> >> > My experience administering email is 6 years out of date, but I can
> >> > pledge to keep the current system running until we switch to
> >mailman3
> >> > which (hopefully?) has a modern, well thought way to deal with
> >spam.
> >> >
> >> > There shouldn't be much to do for the forwarding email addresses,
> >since
> >> > spam filtering belongs in the receiving endpoint.
> >> >
> >> > The other thing that can get tricky is ensuring reliable delivery
> >on IPs
> >> > that can be used to send out occasional spam (from local email
> >accounts
> >> > or web apps). This is why we're not encouraging hosted email
> >accounts on
> >> > sunjammer.
> >> >
> >> >
> >> >> Regards,
> >> >>
> >> >> Sebastian
> >> >>
> >> >>
> >> >> On 03/09/17 17:14, James Cameron wrote:
> >> >>> This will do significant reputational damage to Sugar Labs mail
> >> >>> domain, identifying the mailman instance as an open relay, making
> >the
> >> >>> upcoming election harder to run.
> >> >>>
> >> >>> About a thousand messages so far.  I'm intercepting with
> >procmail.
> >> >>>
> >> >>> Each has UTF 6616c.com in subject, with remainder of subject and
> >body
> >> >>> text in Chinese.  6616c.com is an alias for 006cc.com, which
> >looks to
> >> >>> be gambling focused.
> >> >>>
> >> >>
> >> >> _______________________________________________
> >> >> Systems mailing list
> >> >> Systems at lists.sugarlabs.org
> >> >> http://lists.sugarlabs.org/listinfo/systems
> >> >>
> >>
>
> --
> ベルニー
> Sent from my Android device with K-9 Mail.
>
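
Added example (not part of the original thread and not Sugar Labs' actual configuration): a small Python triage script that parses folded X-Spam-Status headers like the two quoted above and applies the two thresholds described in the thread, the flag threshold of 3.5 and the spamass-milter reject threshold before (8.0) and after (6) the change. The third sample header is constructed, since the thread gives only the 7.7 score; the function names are illustrative.

```python
import re

REJECT_OLD = 8.0   # spamass-milter reject threshold before the change (from the thread)
REJECT_NEW = 6.0   # threshold after it was lowered (from the thread)

_STATUS = re.compile(
    r"^(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>\S*)",
    re.IGNORECASE,
)

# First two values are the headers quoted in the thread (mail-client asterisks removed);
# the third is constructed: only its score, 7.7, appears in the thread.
SAMPLES = [
    "No, score=1.3 required=3.5\n\ttests=HTML_MESSAGE,RDNS_NONE,\n"
    "\tSPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE",
    "No, score=3.0 required=3.5\n\ttests=RDNS_NONE,SPF_HELO_PASS,\n\tSPF_PASS,URIBL_BLACK",
    "Yes, score=7.7 required=3.5 tests=CONSTRUCTED_RULE",
]


def parse_status(value):
    """Parse one X-Spam-Status value; folded continuation lines are joined first."""
    flat = re.sub(r"\s+", " ", value.strip())   # unfold CRLF + whitespace
    flat = re.sub(r",\s+", ",", flat)           # rejoin a test list split by folding
    m = _STATUS.match(flat)
    if m is None:
        raise ValueError("not an X-Spam-Status value: %r" % value)
    return {
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": [t for t in m.group("tests").split(",") if t],
    }


def action(status, reject_at):
    """Return what happens to the mail: rejected at SMTP time, flagged, or delivered."""
    if status["score"] >= reject_at:
        return "reject"    # spamass-milter refuses it with a permanent error
    if status["score"] >= status["required"]:
        return "flag"      # X-Spam-Flag: YES, left to local rules or Mailman filters
    return "deliver"       # reaches the list unmarked


if __name__ == "__main__":
    for raw in SAMPLES:
        st = parse_status(raw)
        print(st["score"], action(st, REJECT_OLD), action(st, REJECT_NEW), st["tests"])
```
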