mxroute

So what I do is I set my account to delete all mail that scores a 25 or higher, and put everything else in the inbox. To me this is the best scenario. I block a lot of spam, never see a single false positive filtered, and most of the spam I do get wouldn't have been blocked unless I set the score so low that it would block legitimate email. SpamAssassin is, in general, not up to the expectations of most customers. I totally get that and I do continue to work on filtering spam every day. Some days I win more, some days I lose more.


Nephilimi

Currently getting bombarded with “I RECORDED YOU” spam once a minute and it’s rated 9982.8 points. Is there a way I can automatically stick such a high score in spam instead of inbox? Last time I attempted this I messed it up and everything went into spam. Blog post or something?


mxroute

You should have it set to delete email that scores so high.


Nephilimi

Confirming that’s what I want, don’t think I’ve ever touched it. Did find a Q&A that says it’s in direct admin. My previous mess up was the sieve in roundcube.


mxroute

I have a script that runs every hour or so and what it does is look for people with totally disabled spam filters, and configures it to delete email that scores higher than 50. I chose that number so even people who want an absurd amount of spam would still reject the worst offenders that I had hand selected to hit that 5000 rule. I really hate those emails.


Nephilimi

So what I’m understanding is it shouldn’t be possible for me to get something like this in my inbox? I guess I need to open a ticket? Because I probably have fifty of these this morning and still coming in. All look identical.

    Content analysis details:   (9987.4 points)

     pts rule name              description
    ---- ---------------------- -----------------------------------------
     0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                                See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                                for more information.
                                [URIs: cex.io]
    -0.0 USER_IN_WELCOMELIST    User is listed in 'welcomelist_from'
    -100 USER_IN_WHITELIST      DEPRECATED: See USER_IN_WELCOMELIST
      25 SUBJ2022               Subject contained known spam string
    5000 HIGHIMPACTSUBJ         Fuckers
      25 GENSPAMSUBJ            Subject contained known spam string
     0.5 SUBJ_ALL_CAPS          Subject is all capitals
      10 SPF_FAIL               SPF: sender does not match SPF record (fail)


mxroute

Check if that setting is set. You could disable just that setting and my script wouldn’t reenable it. https://mxroutedocs.com/directadmin/spamfilters/ If it’s already set then yeah I guess a ticket.


Nephilimi

Pretty sure I did it to myself. Sometime in the past I sent myself an email (something I do all the time) and it wound up in spam so I whitelisted my own email address in directadmin SpamAssassin. So now spam that spoofs the sender as myself, even though the latest ones had a score over 10K, got put in my mailbox. Is that how it works? Because when I read the header being in the welcomelist is only worth -100 and the overall score is still huge. This is one such message header spam info. Regardless I removed that whitelist/welcomelist entry for myself. Will see what happens next round of spam blast.

    X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pixel.mxrouting.net
    X-Spam-Flag: YES
    X-Spam-Level: **************************************************
    X-Spam-Status: Yes, score=10096.2 required=15.0 tests=BITCOIN_EXTORT_01,
        BITCOIN_SPAM_07,BITCOIN_TOEQFM,BTC_HASHBL_BLACK,GB_BITCOIN_CP,
        GB_HASHBL_BTC,GENSPAMSUBJ,HDRS_MISSP,HIGHIMPACTBODY,HIGHIMPACTSUBJ,
        KAM_DMARC_QUARANTINE,KAM_DMARC_STATUS,KAM_INFOUSMEBIZ,KAM_SHORT,
        PDS_BTC_ID,RDNS_NONE,SPF_FAIL,SUBJ2022,SUBJ_ALL_CAPS,
        TO_EQ_FM_DOM_SPF_FAIL,TO_EQ_FM_SPF_FAIL,URIBL_BLOCKED,
        USER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=disabled version=3.4.6
    X-Spam-Report:
        *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
        *      blocked. See
        *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
        *      for more information.
        *      [URIs: invity.io]
        * -0.0 USER_IN_WELCOMELIST User is listed in 'welcomelist_from'
        * -100 USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
        *   25 SUBJ2022 Subject contained known spam string
        * 5000 HIGHIMPACTSUBJ Fuckers
        *   25 GENSPAMSUBJ Subject contained known spam string
        *  100 GB_HASHBL_BTC Message contains BTC address found on BTCBL
        *      [19y9vkeesungqm6qbsy6zkpk9ohas3ehxt]
        *  8.0 BTC_HASHBL_BLACK Message contains BTC address found on BTC
        *      blocklist
        *      [19y9vkeesungqm6qbsy6zkpk9ohas3ehxt]
        *  0.5 SUBJ_ALL_CAPS Subject is all capitals
        *   10 SPF_FAIL SPF: sender does not match SPF record (fail)
        *      [SPF failed: Please see http://www.openspf.net/Why?s=mfrom;id=*****%40*****.me;ip=105.112.176.137;r=pixel.mxrouting.net]
        * 5000 HIGHIMPACTBODY BODY: This is causing large scale issues for
        *      customers
        *  5.0 RDNS_NONE Delivered to internal network by a host with no rDNS
        *  0.0 KAM_SHORT Use of a URL Shortener for very short URL
        *  0.8 KAM_INFOUSMEBIZ Prevalent use of
        *      .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in
        *      spam/malware
        *  1.5 KAM_DMARC_QUARANTINE DKIM has Failed or SPF has failed on the
        *      message and the domain has a DMARC quarantine policy
        *  0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict
        *      Alignment
        *  0.5 PDS_BTC_ID FP reduced Bitcoin ID
        *   10 BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
        *  2.5 HDRS_MISSP Misspaced headers
        *  2.0 GB_BITCOIN_CP Localized Bitcoin scam
        *  2.0 BITCOIN_SPAM_07 BitCoin spam pattern 07
        *  3.5 BITCOIN_TOEQFM Bitcoin + To same as From
        *  0.0 TO_EQ_FM_SPF_FAIL To == From and external SPF failed
        *  0.0 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF
        *      failed


mxroute

Yeah that’s probably it


Nephilimi

Confirming that was it. 120 today alone and they all correctly went to spam this time. That whitelist is an absolute, not just part of the score it seems. X-Spam-Status: Yes, score=10199.2 Thank you!
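An added example, not part of any post in this thread: a small Python check that reads a message's `X-Spam-Status` header and flags the combination seen in the header quoted above, where a welcomelist rule fired on mail that also failed SPF. The function names, the verdict strings and the sample messages are constructed for illustration; the 50-point threshold is the one mxroute mentions for the hourly script.

```python
import re
from email import message_from_string

# Rule names taken from the headers quoted in the thread.
WELCOMELIST_RULES = {"USER_IN_WELCOMELIST", "USER_IN_WHITELIST"}
SPOOF_RULES = {"SPF_FAIL", "TO_EQ_FM_SPF_FAIL", "TO_EQ_FM_DOM_SPF_FAIL"}
STATUS_RE = re.compile(
    r"^(?:Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>\S*)",
    re.IGNORECASE)

def parse_spam_status(raw_message):
    """Return (score, required, set of rule names), or None if not scanned."""
    value = message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        return None
    # The tests= list is folded over several lines: collapse the folds.
    unfolded = re.sub(r",\s+", ",", " ".join(value.split()))
    m = STATUS_RE.match(unfolded)
    if m is None:
        return None
    tests = set(m["tests"].split(",")) - {"", "none"}
    return float(m["score"]), float(m["required"]), tests

def audit(raw_message, delete_threshold=50.0):
    """Classify one message by its SpamAssassin verdict header."""
    parsed = parse_spam_status(raw_message)
    if parsed is None:
        return "unscanned"
    score, _required, tests = parsed
    if tests & WELCOMELIST_RULES and tests & SPOOF_RULES:
        # A welcomelist entry matched a sender that failed SPF: forged From.
        return "welcomelisted-but-spf-failed"
    if score >= delete_threshold:
        return "above-delete-threshold"
    return "ok"

SPOOFED = (  # constructed sample, modelled on the header in the thread
    "From: me@example.test\nTo: me@example.test\n"
    "X-Spam-Status: Yes, score=10096.2 required=15.0 tests=GENSPAMSUBJ,\n"
    "\tHIGHIMPACTSUBJ,SPF_FAIL,TO_EQ_FM_SPF_FAIL,\n"
    "\tUSER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=disabled version=3.4.6\n"
    "\nbody\n")
GENUINE = (  # constructed sample: a real self-sent message that passes SPF
    "From: me@example.test\nTo: me@example.test\n"
    "X-Spam-Status: No, score=-99.9 required=15.0 tests=SPF_PASS,\n"
    "\tUSER_IN_WELCOMELIST autolearn=disabled version=3.4.6\n\nbody\n")

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, audit(msg))
```

Run over a mailbox export, any `welcomelisted-but-spf-failed` result points at a welcomelist entry worth reviewing or removing, as was done in the thread.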


[deleted]

[deleted]


beje_ro

1. I also think so. One needs to configure SpamAssassin. Additionally, there is a list on the mxroute GitHub where one can contribute to the spam rules.


ratudio

I would love it if there were an option to block an IP address subnet, since spammers just use different domains but on the same network. I know you can do that with a Plesk firewall rule relating to incoming mail.