Spam Help (long)

KGMe · April 23, 2022, 3:45pm

So, still dealing with spam issues (although minor so I’ve just been dealing with them). Today decided to look into asking for advice on my two problems, 1) spam getting through and 2) emails getting incorrectly marked as spam. Would love some insight or advice…

Starting with spam getting through, I have SA set to 1. I’m not an SA expert, but here are the SA headers from a spam I received recently and a couple comments (typical html porn spam with images hosted on .ru servers)…

X-SpaX-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on 39d5d113b0b5
X-Spam-Report: 
	* -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20%
	*      [score: 0.1648]
	*  0.0 T_PDS_PRO_TLD .pro TLD
	*      [URI: prosept.pro (pro)]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image
	*       area
	*  0.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
	*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
	*      blocked.  See
	*      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
	*      for more information.
	*      [URIs: benchmarkemail.com]
	* -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/,
	*      high trust
	*      [195.140.146.15 listed in list.dnswl.org]
	*  0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
	*      blocklist
	*      [URIs: images.benchmarkemail.com]
	*  1.6 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
	*      blocklist
	*      [URIs: images.benchmarkemail.com]
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
X-Spam-Status: No

A couple of concerns I have with this are the old 2018 version of SA which has a pretty significant DOS vuln (CVE-2019-12420) and a blocked URIBL. Considering that the SA version is not being kept up to date, I’m assuming neither are the URIBL (also concerned about other code on the Helm not being kept current).

Additionally, the -5 points received for the IP in DNSWL is incorrect. Checking with the DNSWL directly…

…and images.benchmarkemail.com is clearly identified in a URIBL (glad to see at least one getting through)…

…but that wasn’t enough to override the incorrect DNSWL -5 score.

@helm_community , is there anyway we can get SA updated to resolve CVE-2019-12420 as well as to update URIBL please? Not sure what can be done about that innacurate dnswl.org score.

OK, now my questions about whitelisting. I’ve been using sieve, but I don’t know if incorrectly or if I’m just not understanding how it works. I’ve never used sieve scripts before, so it’s highly likely.

Using Sieve 0.6.1 add-on for Thunderbird. For some reason it seems that my scripts work for a few days, and then stop. Reconnecting and re-saving my script seems to fix things for a short time. It almost seems like the scripts are working only while the add-on is connected (client side?!?!) or are just ignored after a while.

Here are some examples of if statements I’ve tried that all work for a few days, then begin to fail resulting in all targeted emails getting dropped into spam.

require ["include", "fileinto", "imap4flags"];

if anyof(address :is :domain "from" "wirelesstag.net", address :is :domain "from" "ecowitt.net") {
  fileinto "Inbox";
}
if address :is :domain "from" "wirelesstag.net" {
  fileinto "Inbox";
}
if address :is "from" "support@ecowitt.net" {
  fileinto "Inbox";
}

Any advice on getting something working permanently would be greatly appreciated!

Thanks!

KGMe · April 24, 2022, 2:27pm

So apparently the solution to the DNSWL is two-fold. Report IP’s as false positives to DNSWL (OK, can do that) and to customize the score setting for DNSWL in local.cf (nope, can’t do that ).

Any help with why my sieve filters stop working after a time would be very helpful!

KGMe · April 24, 2022, 2:46pm

Ugh, and I JUST got another false positive thrown into Spam. This is from a domain in my sieve filters (and I’ve also tried filtering the email exactly, not just the domain). I have also manually moved hundreds of emails from this sender out of spam and into Inbox.

X-Spam-Report: 
	*  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
	*      [score: 1.0000]
	*  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
	*      [score: 1.0000]
	*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
	*      blocked.  See
	*      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
	*      for more information.
	*      [URIs: mytaglist.com]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
	*      words
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
	*  0.0 HTML_SHORT_LINK_IMG_2 HTML is very short with a linked image
X-Spam-Flag: YES
X-Spam-Status: Yes
X-Spam-Level: *****

At this point I think there has to be a problem with my Helm and will open a ticket. Something is wrong with both sieve and SpamAssassin on my Helm. It is not learning, and my filters are not working reliably.

KGMe · April 24, 2022, 6:56pm

I’ve been moving phishing emails from “MetaMask” into spam for months now…

X-Spam-Report: 
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	* -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/,
	*      high trust
	*      [50.31.63.79 listed in list.dnswl.org]
	*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
	*      blocked.  See
	*      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
	*      for more information.
	*      [URIs: consensys.net]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
	*      identical to background
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
	*      [50.31.63.79 listed in wl.mailspike.net]
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
	*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
	*      lines
	*  0.0 TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as
	*      "accounts suspended", "account credited", "account
	*      verification"
X-Spam-Status: No
X-Spam-Level:

Less than 60 seconds after receiving the email I checked DNSWL’s site…

Is anyone else seeing these problems with spam on their Helm?! I should have dug more into this years ago.

KGMe · April 24, 2022, 7:26pm

OK, last post while I await help from support. These two emails were received just 2 minutes apart. Same sender, almost the same content (alerts from cloud service sensor monitors). One sent to spam, one sent to inbox. One says sender found in DNSWL (it is not), both report 99% chance of spam.

Received: by helm (Postfix, from userid 106)
	id 4ECE16A12B5; Sun, 24 Apr 2022 19:02:27 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on 39d5d113b0b5
X-Spam-Report: 
	*  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
	*      [score: 1.0000]
	*  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
	*      [score: 1.0000]
	*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
	*      blocked.  See
	*      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
	*      for more information.
	*      [URIs: wirelesstag.net]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
	*      words
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
	*  0.0 HTML_SHORT_LINK_IMG_2 HTML is very short with a linked image
X-Spam-Flag: YES
X-Spam-Status: Yes
X-Spam-Level: *****
Received: from mail.wirelesstag.net (mail.wirelesstag.net [67.227.87.208])

Received: by helm (Postfix, from userid 106)
	id 6FCA86A12B5; Sun, 24 Apr 2022 19:04:16 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on 39d5d113b0b5
X-Spam-Report: 
	*  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
	*      [score: 1.0000]
	*  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
	*      [score: 1.0000]
	*  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
	*      blocked.  See
	*      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
	*      for more information.
	*      [URIs: mytaglist.com]
	* -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/,
	*      high trust
	*      [67.227.87.208 listed in list.dnswl.org]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
	*      words
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
	*  0.0 HTML_SHORT_LINK_IMG_2 HTML is very short with a linked image
X-Spam-Status: No
X-Spam-Level: 
Received: from mail.wirelesstag.net (mail.wirelesstag.net [67.227.87.208])

So looking at 3 issues?

SA not actually learning? Lack of sa-learn?
DNSWL false positives? Possibly an issue with response format and old SA version (reaching here)? Option to tune scoring?
Sieve scripts not working?

swpyatt · May 3, 2022, 12:20pm

SA does have an issue with learning. It is also a few versions behind, the latest appears to be 3.4.6.

For Sieve scripts if you are not running Linux I suggest you install WSL for Windows then download sieve-connect and use the for managing Sieve and it’s scripts. If you are running Linux you can still install sieve-connect that way. Keep in mind that Sieve appears to run after Spamassassin. That is a setting I believe that can be adjusted but Helm support would have to do it. So if SA determines it’s spam it files it into that folder before your script can do anything. Sieve only works on valid emails or ones that SA can’t determine.

I’ve thought of writing a how-to for the WSL and the Sieve scripts I’ve been using.

KGMe · May 3, 2022, 12:38pm

I’m running Linux, using a Thunderbird addon…

SA running first explains the issue. I set SA to “1” in order to catch as much spam as possible since it seems pretty inconsistent and planned to just whitelist with sieve. Sieve not running before SA pretty much makes it completely useless as a whitelist.

Support stated that sa-learn is running in a daily cron, but either that function is broken or something is clearing the database. They also stated they are working on an update to SA, but based on previous claims I doubt that happens anytime in the next few years.

swpyatt · May 3, 2022, 2:38pm

I was using that same add-on but have liked using the sieve-connect over it. I had some issues with the it and going directly to Helm to manage the scripts works better for me.

KGMe · May 3, 2022, 10:16pm

I’ll give it a shot, thanks!