Re: [Mailman-Users] Mailman-Users Digest, Vol 154, Issue 30
We are a Google Apps for Education school, so most of our employees and students are using Gmail but with our own thet.net domain. We have MX records for Gmail's servers and for our in-house Mailman server. Recently edited our DNS zones due to SPF record check failures. Also, recently had to change out IP block due to changes at our ISP. Here is the header info from a message that I got from our Dean. It got flagged as Spam somewhere along the way.
It should be noted that some of the lists below are umbrella lists.
{Spam?} [TA Admin] {Spam?} [Employees] {Spam?} [Claws] {Spam?} SNOWBALL IS CANCELLED FOR TONIGHT
To: claws@lists.thet.net students2017@lists.thet.net
X-Thetnet-Mailscanner-Information: Please contact the ISP for more information
Sender: admin-bounces@lists.thet.net
List-Archive: http://lists.thet.net/mailman/private/admin/
Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@thet-net.20150623.gappssmtp.com; spf=fail (google.com: domain of admin-bounces@lists.thet.net does not designate 104.219.98.14 as permitted sender) smtp.mailfrom=admin-bounces@lists.thet.net
X-Received: by 10.55.20.95 with SMTP id e92mr9675564qkh.54.1481993433047; Sat, 17 Dec 2016 08:50:33 -0800 (PST)
X-Received: by 10.13.204.67 with SMTP id o64mr6487069ywd.47.1481993249239; Sat, 17 Dec 2016 08:47:29 -0800 (PST)
Return-Path: admin-bounces@lists.thet.net
List-Help: mailto:admin-request@lists.thet.net?subject=help
X-Original-To: admin@lists.thet.net
X-Original-To: employees@lists.thet.net
X-Original-To: claws@lists.thet.net
X-Thetnet-Mailscanner-Spamscore: sssssss, sssssss, sssss, sssss
X-Gm-Message-State: AKaTC03CGHzT3zezdGpZ3HNvRPiPVZelD2bKmhcA8Wn9WsDZT93E/DWWFFAFrbExpkGdZ0xWfYUPvqPLwJXAyg==
List-Id: Interactive mailing list for TA Administrators
From: Lindsay Haisley fmouse@fmp.com
Subject: Re: [Mailman-Users] list mail increasingly flagged as spam
Date: December 19, 2016 at 11:01:11 AM EST
To: mailman-users@python.org
Reply-To: fmouse@fmp.com
On Mon, 2016-12-19 at 07:52 -0500, Glen Page wrote:
I have recently begun to see (and get complaints from some of my users) our list messages being flagged on many users' end as spam messages. Wondering if there is anything that I can do on our end to decrease the likelihood of our messages being flagged as spam. If it would help, I can send some header info from some of our messages.
I'm not a Mailman maintainer, but it might be helpful if you could post any information that would help narrow down the problem. Specifically, are most or all of the users who have this problem using a particular mail provider such as Gmail, or some other service? Have any of these users posted any information to you regarding the reason their mail service has improperly flagged these list posts?
-- Lindsay Haisley | "Everything works if you let it" FMP Computer Services | 512-259-1190 | --- The Roadie http://www.fmp.com |
Glen Page Director of Information Technology ThetNet - Thetford Academy 802.785.4805.x231
Every time it rains pennies from heaven, I get down on my hands and knees and try to protect my head because those things really hurt.
Glen Page writes:
We are a Google Apps for Education school, so most of our employees and students are using Gmail but with our own thet.net domain. We have MX records for Gmail's servers and for our in-house Mailman server. Recently edited our DNS zones due to SPF record check failures. Also, recently had to change out IP block due to changes at our ISP. Here is the header info from a message that I got from our Dean. It got flagged as Spam somewhere along the way.
You've deleted a bunch of header fields, it seems. That doesn't hurt this time -- it seems pretty clear that a misconfigured SpamAssassin is the problem. But you should tell us about it, and also consider leaving in the fields while redacting specific personal information such as mailboxes and IP addresses if you consider them sensitive.
To the analysis. This appears to be the subject:
{Spam?} [TA Admin] {Spam?} [Employees] {Spam?} [Claws] {Spam?} SNOWBALL IS CANCELLED FOR TONIGHT
SpamAssassin ignores the parenthesized tags, and finds that the subject is all uppercase. 1.5 spam points. Tell your people not to use all uppercase, especially not in the subject, but also not in the body. This is a very good indicator of spam.
This is your addressee list in the "To" field, right?
To: claws@lists.thet.net students2017@lists.thet.net
It happens to be sorted. 2.5 spam points, total 4. You're already almost busted! If you have control over SpamAssassin, this is a stupid rule unless you've got more than 5 addressees, and you should be giving that a lot of points anyway. Take that rule down to 1 point, or disable it.
X-Thetnet-Mailscanner-Spamcheck: spam, SORBS-SPAM,
Dunno what the above line means.
SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90,
Content is extremely unspam-like. Congratulate the author. :-)
DNS_FROM_AHBL_RHSBL 2.70,
Ouch. Appears you are on a blacklist ... no, AHBL and RHSBL are deprecated and may not even be operating any more, lots of "too many false positives, how can I disable this rule?" on Google. See this URL:
http://www.emailquestions.com/threads/how-to-disable-dns_from_ahbl_rhsbl-rbl...
HTML_MESSAGE 0.00,
Yeah! "Friends don't let friends send HTML mail."
RCVD_IN_DNSWL_NONE -0.00,
Good.
SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51,
As mentioned above.
SUSPICIOUS_RECIPS 2.51),
I have no idea why you're getting that. Maybe somebody else has an idea, but if not you'll have to ask somebody with access to your SpamAssassin rule base. Anyway, the total above is already 8.2 (then you get 1.9 back for high-value content), you're busted.
Received: from dispatch.thet.net ([104.219.98.14]) by mx.google.com with ESMTPS id n185si342354qke.282.2016.12.17.08.50.32 (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 17 Dec 2016 08:50:32 -0800 (PST) Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by dispatch.thet.net (Postfix) with ESMTP id A1013E6103A; Sat, 17 Dec 2016 11:49:56 -0500 (EST) Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by dispatch.thet.net (Postfix) with ESMTP id BA586E61035; Sat, 17 Dec 2016 11:49:04 -0500 (EST) Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by dispatch.thet.net (Postfix) with ESMTP id 12323E60FF7; Sat, 17 Dec 2016 11:48:05 -0500 (EST)
I guess this is the chain of umbrella lists. You might want to see if you can get the addressees put in the logs so that you can figure out what's actually happening here.
Received: from mail-yw0-f177.google.com (mail-yw0-f177.google.com [209.85.161.177]) by dispatch.thet.net (Postfix) with ESMTPS id 0F6F3E60FF7 for claws@lists.thet.net; Sat, 17 Dec 2016 11:47:29 -0500 (EST) Received: by mail-yw0-f177.google.com with SMTP id i145so46776688ywg.2 for claws@lists.thet.net; Sat, 17 Dec 2016 08:47:29 -0800 (PST) Received: by 10.37.30.86 with HTTP; Sat, 17 Dec 2016 08:47:28 -0800 (PST) Content-Type: multipart/mixed; boundary="===============0140925220==" X-Thetnet-Mailscanner-Id: A1013E6103A.A0BA7 Delivered-To: glen.page@thet.net.test-google-a.com Delivered-To: admin@lists.thet.net Delivered-To: employees@lists.thet.net Delivered-To: claws@lists.thet.net X-Beenthere: claws@lists.thet.net X-Beenthere: employees@lists.thet.net X-Beenthere: admin@lists.thet.net Received-Spf: fail (google.com: domain of admin-bounces@lists.thet.net does not designate 104.219.98.14 as permitted sender) client-ip=104.219.98.14;
This is misconfigured, I think. lists.thet.net doesn't permit dispatch.thet.net to send for it?
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thet-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=; b=z4aCN7tqgI6/fqyUS0996YyJ3h9vBdciKFZDMciilUXU1d1VzpD9MPEw5iFzTvTiBk JboPNIV4zE41HWJcMRL3FIJ2A9ahgpkAD+p48PIxjqveclm4BM92Ioj3LXqrXg6lLs+Q SkqLIEl6DQLzWigaixP49UmPqbQjSbfxLvxq32MXFVldcOF7n/5Q1SfFQkErRq8S14x8 U1Keu94MZCSi2xp7bXj4ARdtdOsOOemWCRRSzrAd0nR+uqsW+aOKPHmqYZqHHz3Ct328 XH+wBOs/CUSe7sOrQCM/RlHb2IQg0rTS0t3V3jhZkYaquDF59rgTYsNyo7BEToSeXDfV QuOg==
This is going to fail, since the subject is signed but you're adding tags all over the place. This is the safest available configuration, so it is not a problem (that you can do anything about), but you will DoS yourself if you ever set a DMARC policy of p=quarantine or p=reject. Just a word to the wise for the future.
Hope this helps,
Steve
-- Associate Professor Department of Policy and Planning Science http://turnbull/sk.tsukuba.ac.jp/ Faculty of Systems and Information Email: turnbull@sk.tsukuba.ac.jp University of Tsukuba Tel: 029-853-5175 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
Stephen,
Thanks. I am pretty sure that the only thing I deleted was the sender name so not sure which header fields you think are missing.
I will forward this info on to the consultant that built and maintains both my spam-assassin and mailman builds and see what he can figure out.
Thanks again for the help.
Glen
Glen Page Director of Information Technology ThetNet - Thetford Academy 802.785.4805.x231
"If a guy can dream up a way to cause an explosion, it will happen." — Newton's Seventh Corollary of Physics
Glen Page writes:
Thanks. I am pretty sure that the only thing I deleted was the sender name so not sure which header fields you think are missing.
I thought MIME-Version was missing, but it's in your post so I must have deleted that early, and forgot I did that.
According to Mark, his up-to-date SpamAssassin doesn't have the AHBL rule, which was the one with the most spam points. If you can keep users from writing Subjects with all caps, updating SpamAssassin's rule base should do the trick. If the "sorted addresses" rule can't be restricted to a larger number of addresses, I would recommend decreasing its score still.
On 12/20/2016 05:11 AM, Glen Page wrote:
Here is the header info from a message that I got from our Dean. It got flagged as Spam somewhere along the way. ... {Spam?} [TA Admin] {Spam?} [Employees] {Spam?} [Claws] {Spam?} SNOWBALL IS CANCELLED FOR TONIGHT To: claws@lists.thet.net students2017@lists.thet.net X-Thetnet-Mailscanner-Information: Please contact the ISP for more information Sender: admin-bounces@lists.thet.net List-Archive: http://lists.thet.net/mailman/private/admin/ Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@thet-net.20150623.gappssmtp.com; spf=fail (google.com: domain of admin-bounces@lists.thet.net does not designate 104.219.98.14 as permitted sender) smtp.mailfrom=admin-bounces@lists.thet.net X-Received: by 10.55.20.95 with SMTP id e92mr9675564qkh.54.1481993433047; Sat, 17 Dec 2016 08:50:33 -0800 (PST) X-Received: by 10.13.204.67 with SMTP id o64mr6487069ywd.47.1481993249239; Sat, 17 Dec 2016 08:47:29 -0800 (PST) Return-Path: admin-bounces@lists.thet.net List-Help: mailto:admin-request@lists.thet.net?subject=help X-Original-To: admin@lists.thet.net X-Original-To: employees@lists.thet.net X-Original-To: claws@lists.thet.net X-Thetnet-Mailscanner-Spamscore: sssssss, sssssss, sssss, sssss X-Gm-Message-State: AKaTC03CGHzT3zezdGpZ3HNvRPiPVZelD2bKmhcA8Wn9WsDZT93E/DWWFFAFrbExpkGdZ0xWfYUPvqPLwJXAyg== List-Id: Interactive mailing list for TA Administrators
X-Mailman-Version: 2.1.12 X-Greylist: whitelisted by SQLgrey-1.7.6 X-Google-Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=; b=XDw9OtI9GY0saYUhV9g6nVzCeS2/FHyuJUbb3YrEZtrQAg+GOI9B1chbVDYuIDm9Ip EpVs8ERwixZfcbO+hRhz21h6dmm1kRorFGHjVKUjt9fOONcqX0C3i0FPy+VHgxf4nPnT 5wzEquSIGU7I5YoUNFK7AR6pqPCRXqEaS4t9Aa0Q9njL2Y2XEh+dw1z1e3XreibJMMr6 kYmbFTM6YcxBprB6XJCHzVI4R51a9L2CmxJCHn8X+ULXsligpbAIr8vnMxT8QjAxejM6 A1kiQZG57hSs4B/8R8TQeX3jj2QpF1XULvdkLgxDlskybV2LdQP2tTpDf9aI0TnXO+bg ralw== X-Thetnet-Mailscanner-Spamcheck: spam, SORBS-SPAM, SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51) X-Thetnet-Mailscanner: Found to be clean, Found to be clean, Found to be clean, Found to be clean List-Post: mailto:admin@lists.thet.net Errors-To: admin-bounces@lists.thet.net Message-Id: CACaqBRtUd-HAaOF54gcWrQQffha6q3gMQVbnEcrMnZvNGFikjg@mail.gmail.com X-Spam-Status: Yes, Yes, Yes, Yes X-Thetnet-Mailscanner-From: admin-bounces@lists.thet.net Mime-Version: 1.0 Precedence: list Received: by 10.80.136.105 with SMTP id c38csp743701edc; Sat, 17 Dec 2016 08:50:33 -0800 (PST) Received: from dispatch.thet.net ([104.219.98.14]) by mx.google.com 
with ESMTPS id n185si342354qke.282.2016.12.17.08.50.32 (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 17 Dec 2016 08:50:32 -0800 (PST) Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by dispatch.thet.net (Postfix) with ESMTP id A1013E6103A; Sat, 17 Dec 2016 11:49:56 -0500 (EST) Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by dispatch.thet.net (Postfix) with ESMTP id BA586E61035; Sat, 17 Dec 2016 11:49:04 -0500 (EST) Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18]) by dispatch.thet.net (Postfix) with ESMTP id 12323E60FF7; Sat, 17 Dec 2016 11:48:05 -0500 (EST) Received: from mail-yw0-f177.google.com (mail-yw0-f177.google.com [209.85.161.177]) by dispatch.thet.net (Postfix) with ESMTPS id 0F6F3E60FF7 for claws@lists.thet.net; Sat, 17 Dec 2016 11:47:29 -0500 (EST) Received: by mail-yw0-f177.google.com with SMTP id i145so46776688ywg.2 for claws@lists.thet.net; Sat, 17 Dec 2016 08:47:29 -0800 (PST) Received: by 10.37.30.86 with HTTP; Sat, 17 Dec 2016 08:47:28 -0800 (PST) Content-Type: multipart/mixed; boundary="===============0140925220==" X-Thetnet-Mailscanner-Id: A1013E6103A.A0BA7 Delivered-To: glen.page@thet.net.test-google-a.com Delivered-To: admin@lists.thet.net Delivered-To: employees@lists.thet.net Delivered-To: claws@lists.thet.net X-Beenthere: claws@lists.thet.net X-Beenthere: employees@lists.thet.net X-Beenthere: admin@lists.thet.net Received-Spf: fail (google.com: domain of admin-bounces@lists.thet.net does not designate 104.219.98.14 as permitted sender) client-ip=104.219.98.14; List-Unsubscribe: http://lists.thet.net/mailman/options/admin List-Unsubscribe: mailto:admin-request@lists.thet.net?subject=unsubscribe List-Subscribe: http://lists.thet.net/mailman/listinfo/admin, mailto:admin-request@lists.thet.net?subject=subscribe Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thet-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; 
bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=; b=z4aCN7tqgI6/fqyUS0996YyJ3h9vBdciKFZDMciilUXU1d1VzpD9MPEw5iFzTvTiBk JboPNIV4zE41HWJcMRL3FIJ2A9ahgpkAD+p48PIxjqveclm4BM92Ioj3LXqrXg6lLs+Q SkqLIEl6DQLzWigaixP49UmPqbQjSbfxLvxq32MXFVldcOF7n/5Q1SfFQkErRq8S14x8 U1Keu94MZCSi2xp7bXj4ARdtdOsOOemWCRRSzrAd0nR+uqsW+aOKPHmqYZqHHz3Ct328 XH+wBOs/CUSe7sOrQCM/RlHb2IQg0rTS0t3V3jhZkYaquDF59rgTYsNyo7BEToSeXDfV QuOg==
This message was scanned by MailScanner on thet.net 4 times, once before the Claws list, once between that and the Employees list, once between that and the TA Admin list and once on the way out.
It appears from the
X-Thetnet-Mailscanner-Spamscore: sssssss, sssssss, sssss, sssss
header that after the first two times, the score decreased.
The header
X-Thetnet-Mailscanner-Spamcheck: spam, SORBS-SPAM, SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51), spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)
reflects the SpamAssassin hits from each pass. The first report is
spam, SORBS-SPAM, SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51)
and the last is
spam, SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)
The score dropped because after the initial passes, tags/prefixes got added that caused SUBJ_ALL_CAPS to miss (it should have missed on the second scan, but a cached result was used).
The big hits besides SUBJ_ALL_CAPS are DNS_FROM_AHBL_RHSBL, SORTED_RECIPS and SUSPICIOUS_RECIPS.
DNS_FROM_AHBL_RHSBL looks like a blacklist of some sort, but it is not in my up-to-date SpamAssassin. The others are standard rules in 20_head_tests.cf described as
describe SORTED_RECIPS Recipient list is sorted by address
describe SUSPICIOUS_RECIPS Similar addresses in recipient list
Were it not for the DNS_FROM_AHBL_RHSBL hit, the score would have been < 5 all 4 times.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
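Added example (not part of any message in the thread, and not MailScanner or SpamAssassin code): the Python below parses the X-Thetnet-Mailscanner-Spamcheck value quoted above into its four scanner passes and re-scores each pass under two of the changes discussed, dropping the DNS_FROM_AHBL_RHSBL hit and lowering SORTED_RECIPS to 1 point. The function names are invented for illustration; the header value is the one from the thread.

```python
import re

# Header value as quoted in the thread: two cached passes, then two fresh ones.
FIRST = ("SpamAssassin (cached, score=7.315, required 5, BAYES_00 -1.90, "
         "DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, "
         "SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51, SUSPICIOUS_RECIPS 2.51)")
LAST = ("SpamAssassin (not cached, score=5.809, required 5, BAYES_00 -1.90, "
        "DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, "
        "SORTED_RECIPS 2.50, SUSPICIOUS_RECIPS 2.51)")
SPAMCHECK = f"spam, SORBS-SPAM, {FIRST}, spam, {FIRST}, spam, {LAST}, spam, {LAST}"

# One match per scanner pass: cache state, total, threshold, then "RULE points" pairs.
PASS_RE = re.compile(
    r"SpamAssassin \((not cached|cached), score=(-?[\d.]+), "
    r"required (-?[\d.]+), ([^)]*)\)"
)


def parse_passes(value):
    """Split the Spamcheck header value into one dict per scanner pass."""
    passes = []
    for cached, score, required, rules in PASS_RE.findall(value):
        hits = {}
        for item in rules.split(","):
            name, points = item.split()
            hits[name] = float(points)
        passes.append({
            "cached": cached == "cached",
            "score": float(score),
            "required": float(required),
            "rules": hits,
        })
    return passes


def rescore(scan, overrides=None):
    """Sum the rule hits of one pass, replacing points for rules in overrides."""
    overrides = overrides or {}
    return round(sum(overrides.get(r, p) for r, p in scan["rules"].items()), 2)


def what_if(value, overrides):
    """Return (pass number, new score, still flagged?) for every pass."""
    rows = []
    for n, scan in enumerate(parse_passes(value), 1):
        new = rescore(scan, overrides)
        rows.append((n, new, new >= scan["required"]))
    return rows


if __name__ == "__main__":
    scenarios = {
        "as scanned": {},
        "DNS_FROM_AHBL_RHSBL disabled": {"DNS_FROM_AHBL_RHSBL": 0.0},
        "SORTED_RECIPS lowered to 1": {"SORTED_RECIPS": 1.0},
    }
    for label, overrides in scenarios.items():
        print(label)
        for n, score, spam in what_if(SPAMCHECK, overrides):
            print(f"  pass {n}: score {score:.2f} -> {'spam' if spam else 'clean'}")
```

With the AHBL hit removed every pass falls below the threshold of 5, while lowering SORTED_RECIPS alone still leaves the first two (all-caps subject) passes above it.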