9front - general discussion about 9front
From: Stefan Hertenberger <stefan@alarum.de>
To: 9front@9front.org
Subject: Re: *****SPAM***** [9front] test
Date: Tue, 22 Sep 2020 20:57:21 +0200
Message-ID: <20200922205721.27248d34@lenovo.sphairon.box>
In-Reply-To: <20200921203300.GD43872@wopr>

On Mon, 21 Sep 2020 13:33:00 -0700,
Kurt H Maier <khm@sciops.net> wrote:

> Your SpamAssassin installation is misconfigured.  Notes inline.
> 
> 
> On Mon, Sep 21, 2020 at 07:54:29PM +0200, Stefan Hertenberger wrote:
> > > 0.9 SPF_FAIL               SPF: sender does not match SPF record
> > > 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
> > >                            not necessarily valid
> > > 0.1 DKIM_INVALID           DKIM or DK signature exists, but is
> > >                            not valid
> 
> These are caused by invalid forwarding config on a-b.xyz.  It needs to
> strip DKIM and rewrite From: if it's going to behave like this.  I
> suspect but cannot prove that migadu is adding the dkim signatures,
> which then don't match the From: line since 9front.org mail doesn't
> come from migadu.
> 
> > >  2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
> > >  1.3 RDNS_NONE              Delivered to internal network by a
> > >                             host with no rDNS
> > >  0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
> 
> These are the majority of the weights causing the SPAM tag from SA,
> and again it's because xyz is a spam hotbed and also because
> a-b.xyz's IP address reverse-resolves to ten.a-b.xyz.  
> 
> If you intend to continue receiving 9front mail through this domain,
> it's probably simplest to whitelist the domain in your sa-spamd rules,
> since nothing sl does to the 9front list will change any of these
> things.  Dropping a 'whitelist_from_rcvd *@9front.org a-b.xyz' into
> your spamassassin rules may do it, but without seeing the full
> headers of the as-delivered message I can't be sure.
> 
> khm

Hello,

sorry for the late reply! alarum.de is my personal playground, so a
misconfiguration is possible.

Here is the complete source for the email.


Return-Path: <9front-bounces@ewsd.inri.net>
X-Original-To: stefan@alarum.de
Delivered-To: stefan@alarum.de
Received: from ewsd.inri.net (ewsd.inri.net [107.191.116.128])
	by alarum.de (Postfix) with ESMTP id 4FFC71B8D67
	for <stefan@alarum.de>; Mon, 21 Sep 2020 17:41:37 +0200 (CEST)
Received: from out0.migadu.com ([94.23.1.103]) by ewsd; Mon Sep 21
	11:40:32 EDT 2020
Message-ID: <1E3083B627E4EDD1DF08AA61E95E4DA2@a-b.xyz>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=a-b.xyz; s=key1;
	t=1600702823;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=InrW//k9HspT0nLKA/dQBT2lattjYFTpecCGszIrIiY=;
	b=couXgEp+X7wJBDGXNfssrxirjlVxqS5+SFgUFvN47oWZZKlkw6M4iZl1pkh42DE+T/DkgS
	AfbdwbJKX88GnoJcQGgwnb+JMcq+WjTznq/guqIvl3mGx4t8QIu+2KJQQAPegF7P9eZIAW
	e4cTtZQoA2VpyX1v4SO5OuWX22vnHPE60TwBUcNtOGoJPAAEJMbF0LXcGt5dU1/3Txl54g
	xMfYxrxkZtbs8shWEzqw+Fr6wNM39K4E8SVX2YXPlgHONj32rkqvbea7SBzOEA7TiDS0vf
	X+qWVL+97pLy9Vo1SivCeOqR519dU9tWY+qcEaUg62MKTmYPAPE4Bzr3oRNYnw==
To: 9front@9front.org
Date: Mon, 21 Sep 2020 17:40:20 +0200
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and
	include these headers.
From: kvik@a-b.xyz
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5F68C9B3.6CD1B719"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.10
List-ID: <9front.9front.org>
List-Help: <http://lists.9front.org>
X-Glyph: ➈
X-Bullshit: virtualized metadata metadata-based dependency-aware
	backend
Subject: *****SPAM***** [9front] test
Reply-To: 9front@9front.org
Precedence: bulk
X-Spam-Flag: YES
X-Spam-Status: Yes, score=5.1 required=5.0
	tests=DKIM_INVALID,DKIM_SIGNED,
	FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,
	HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,
	RDNS_NONE,SPF_FAIL,SPF_HELO_NONE,T_PDS_OTHER_BAD_TLD,UNPARSEABLE_RELAY,
	URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.4
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on vbsd.alarum.de

This is a multi-part message in MIME format.

------------=_5F68C9B3.6CD1B719
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "vbsd.alarum.de",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
postmaster for details.

Content preview:  I've changed DMARC policy to 'none'. Let's see if
this mail still gets to spam. P.S. Sorry for spamming the list. 

Content analysis details:   (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [94.23.1.103 listed in wl.mailspike.net]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                            blocked.  See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                            [URIs: a-b.xyz]
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
                            mail domains are different
 0.0 T_PDS_OTHER_BAD_TLD    Untrustworthy TLDs
                            [URI: a-b.xyz (xyz)]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see
                            http://www.openspf.org/Why?s=mfrom;id=9front-bounces%40ewsd.inri.net;ip=94.23.1.103;r=vbsd.alarum.de]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
                            necessarily valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay
                            lines
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
 1.3 RDNS_NONE              Delivered to internal network by a host with
                            no rDNS
 0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD



------------=_5F68C9B3.6CD1B719
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

X-Envelope-From: <9front-bounces@ewsd.inri.net>
X-Envelope-To: <stefan@alarum.de>
Received: from ewsd.inri.net (unknown)
	by alarum.de(Postfix 3.1.4/8.13.0) with SMTP id unknown;
	Mon, 21 Sep 2020 17:41:37 +0200
	(envelope-from <9front-bounces@ewsd.inri.net>)
Received: from out0.migadu.com ([94.23.1.103]) by ewsd; Mon Sep 21
	11:40:32 EDT 2020
Message-ID: <1E3083B627E4EDD1DF08AA61E95E4DA2@a-b.xyz>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=a-b.xyz; s=key1;
	t=1600702823;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=InrW//k9HspT0nLKA/dQBT2lattjYFTpecCGszIrIiY=;
	b=couXgEp+X7wJBDGXNfssrxirjlVxqS5+SFgUFvN47oWZZKlkw6M4iZl1pkh42DE+T/DkgS
	AfbdwbJKX88GnoJcQGgwnb+JMcq+WjTznq/guqIvl3mGx4t8QIu+2KJQQAPegF7P9eZIAW
	e4cTtZQoA2VpyX1v4SO5OuWX22vnHPE60TwBUcNtOGoJPAAEJMbF0LXcGt5dU1/3Txl54g
	xMfYxrxkZtbs8shWEzqw+Fr6wNM39K4E8SVX2YXPlgHONj32rkqvbea7SBzOEA7TiDS0vf
	X+qWVL+97pLy9Vo1SivCeOqR519dU9tWY+qcEaUg62MKTmYPAPE4Bzr3oRNYnw==
To: 9front@9front.org
Date: Mon, 21 Sep 2020 17:40:20 +0200
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and
	include these headers.
From: kvik@a-b.xyz
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.10
List-ID: <9front.9front.org>
List-Help: <http://lists.9front.org>
X-Glyph: ➈
X-Bullshit: virtualized metadata metadata-based dependency-aware
	backend
Subject: [9front] test
Reply-To: 9front@9front.org
Precedence: bulk

I've changed DMARC policy to 'none'.

Let's see if this mail still gets to spam.

P.S. Sorry for spamming the list.

------------=_5F68C9B3.6CD1B719--
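
Added example (not part of the original message, and not SpamAssassin code): a parser for the report format shown above that cross-checks the report rows against the X-Spam-Status test list and recomputes the score without the three rules the quoted reply calls the majority of the weight. The function names and the SENDER_RULES grouping are this example's own; the sample rows are copied from the report in this message.

```python
import re
from decimal import Decimal

# Sample input: rule rows from the report above, wrapping undone, detail lines omitted.
REPORT = """\
-0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
                            mail domains are different
 0.0 T_PDS_OTHER_BAD_TLD    Untrustworthy TLDs
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
"""
# X-Spam-Status value from the same message, unfolded into one string.
STATUS = (
    "Yes, score=5.1 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,"
    "FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,HEADER_FROM_DIFFERENT_DOMAINS,"
    "RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RDNS_NONE,SPF_FAIL,SPF_HELO_NONE,"
    "T_PDS_OTHER_BAD_TLD,UNPARSEABLE_RELAY,URIBL_BLOCKED "
    "autolearn=no autolearn_force=no version=3.4.4")
# Hypothetical grouping: the rules the second inline note ties to the .xyz domain and its rDNS.
SENDER_RULES = {"FROM_SUSPICIOUS_NTLD_FP", "FROM_SUSPICIOUS_NTLD", "RDNS_NONE"}
ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")

def parse_report(text):
    """Map rule name -> score; lines with no leading score are wrapped descriptions."""
    return {m.group(2): Decimal(m.group(1))
            for m in map(ROW.match, text.splitlines()) if m}

def parse_status(value):
    """Return (score, required, set of rule names) from an X-Spam-Status value."""
    num = lambda key: Decimal(re.search(key + r"=(-?[\d.]+)", value).group(1))
    tests = set(re.search(r"tests=(\S+)", value).group(1).split(","))
    return num("score"), num("required"), tests

def without(scores, dropped):
    """Total score if the rules in `dropped` had not fired."""
    return sum((s for r, s in scores.items() if r not in dropped), Decimal(0))

if __name__ == "__main__":
    scores, (total, required, tests) = parse_report(REPORT), parse_status(STATUS)
    print("report matches header:", set(scores) == tests and sum(scores.values()) == total)
    print("score without sender rules:", without(scores, SENDER_RULES), "of required", required)
```

Decimal is used instead of float so that the one-decimal scores sum exactly to the header's total.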


