From: Stefan Hertenberger <stefan@alarum.de>
To: 9front@9front.org
Subject: Re: *****SPAM***** [9front] test
Date: Tue, 22 Sep 2020 20:57:21 +0200
Message-ID: <20200922205721.27248d34@lenovo.sphairon.box>
In-Reply-To: <20200921203300.GD43872@wopr>
On Mon, 21 Sep 2020 13:33:00 -0700,
Kurt H Maier <khm@sciops.net> wrote:
> Your SpamAssassin installation is misconfigured. Notes inline.
>
>
> On Mon, Sep 21, 2020 at 07:54:29PM +0200, Stefan Hertenberger wrote:
> > > 0.9 SPF_FAIL SPF: sender does not match SPF record
> > > 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
> > > 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
>
> These are caused by invalid forwarding config on a-b.xyz. It needs to
> strip DKIM and rewrite From: if it's going to behave like this. I
> suspect but cannot prove that migadu is adding the dkim signatures,
> which then don't match the From: line since 9front.org mail doesn't
> come from migadu.
>
> > > 2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
> > > 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
> > > 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD
>
> These are the majority of the weights causing the SPAM tag from SA,
> and again it's because xyz is a spam hotbed and also because
> a-b.xyz's IP address reverse-resolves to ten.a-b.xyz.
>
> If you intend to continue receiving 9front mail through this domain,
> it's probably simplest to whitelist the domain in your sa-spamd rules,
> since nothing sl does to the 9front list will change any of these
> things. Dropping a 'whitelist_from_rcvd *@9front.org a-b.xyz' into
> your spamassassin rules may do it, but without seeing the full
> headers of the as-delivered message I can't be sure.
>
> khm
Hello,
sorry for the late reply! alarum.de is my personal playground, so a
misconfiguration is possible.
Here is the complete source for the email.
Return-Path: <9front-bounces@ewsd.inri.net>
X-Original-To: stefan@alarum.de
Delivered-To: stefan@alarum.de
Received: from ewsd.inri.net (ewsd.inri.net [107.191.116.128])
by alarum.de (Postfix) with ESMTP id 4FFC71B8D67
for <stefan@alarum.de>; Mon, 21 Sep 2020 17:41:37 +0200 (CEST)
Received: from out0.migadu.com ([94.23.1.103]) by ewsd; Mon Sep 21 11:40:32 EDT 2020
Message-ID: <1E3083B627E4EDD1DF08AA61E95E4DA2@a-b.xyz>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=a-b.xyz; s=key1;
t=1600702823;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=InrW//k9HspT0nLKA/dQBT2lattjYFTpecCGszIrIiY=;
b=couXgEp+X7wJBDGXNfssrxirjlVxqS5+SFgUFvN47oWZZKlkw6M4iZl1pkh42DE+T/DkgS
AfbdwbJKX88GnoJcQGgwnb+JMcq+WjTznq/guqIvl3mGx4t8QIu+2KJQQAPegF7P9eZIAW
e4cTtZQoA2VpyX1v4SO5OuWX22vnHPE60TwBUcNtOGoJPAAEJMbF0LXcGt5dU1/3Txl54g
xMfYxrxkZtbs8shWEzqw+Fr6wNM39K4E8SVX2YXPlgHONj32rkqvbea7SBzOEA7TiDS0vf
X+qWVL+97pLy9Vo1SivCeOqR519dU9tWY+qcEaUg62MKTmYPAPE4Bzr3oRNYnw==
To: 9front@9front.org
Date: Mon, 21 Sep 2020 17:40:20 +0200
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: kvik@a-b.xyz
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5F68C9B3.6CD1B719"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.10
List-ID: <9front.9front.org>
List-Help: <http://lists.9front.org>
X-Glyph: ➈
X-Bullshit: virtualized metadata metadata-based dependency-aware backend
Subject: *****SPAM***** [9front] test
Reply-To: 9front@9front.org
Precedence: bulk
X-Spam-Flag: YES
X-Spam-Status: Yes, score=5.1 required=5.0
tests=DKIM_INVALID,DKIM_SIGNED,
FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,
HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,
RDNS_NONE,SPF_FAIL,SPF_HELO_NONE,T_PDS_OTHER_BAD_TLD,UNPARSEABLE_RELAY,
URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.4
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on vbsd.alarum.de
This is a multi-part message in MIME format.
------------=_5F68C9B3.6CD1B719
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "vbsd.alarum.de",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
postmaster for details.
Content preview: I've changed DMARC policy to 'none'. Let's see if
this mail still gets to spam. P.S. Sorry for spamming the list.
Content analysis details: (5.1 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [94.23.1.103 listed in wl.mailspike.net]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                            for more information.
                            [URIs: a-b.xyz]
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
                            mail domains are different
 0.0 T_PDS_OTHER_BAD_TLD    Untrustworthy TLDs
                            [URI: a-b.xyz (xyz)]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see
                            http://www.openspf.org/Why?s=mfrom;id=9front-bounces%40ewsd.inri.net;ip=94.23.1.103;r=vbsd.alarum.de]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
                            necessarily valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
------------=_5F68C9B3.6CD1B719
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Envelope-From: <9front-bounces@ewsd.inri.net>
X-Envelope-To: <stefan@alarum.de>
Received: from ewsd.inri.net (unknown)
by alarum.de(Postfix 3.1.4/8.13.0) with SMTP id unknown;
Mon, 21 Sep 2020 17:41:37 +0200
(envelope-from <9front-bounces@ewsd.inri.net>)
Received: from out0.migadu.com ([94.23.1.103]) by ewsd; Mon Sep 21 11:40:32 EDT 2020
Message-ID: <1E3083B627E4EDD1DF08AA61E95E4DA2@a-b.xyz>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=a-b.xyz; s=key1;
t=1600702823;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=InrW//k9HspT0nLKA/dQBT2lattjYFTpecCGszIrIiY=;
b=couXgEp+X7wJBDGXNfssrxirjlVxqS5+SFgUFvN47oWZZKlkw6M4iZl1pkh42DE+T/DkgS
AfbdwbJKX88GnoJcQGgwnb+JMcq+WjTznq/guqIvl3mGx4t8QIu+2KJQQAPegF7P9eZIAW
e4cTtZQoA2VpyX1v4SO5OuWX22vnHPE60TwBUcNtOGoJPAAEJMbF0LXcGt5dU1/3Txl54g
xMfYxrxkZtbs8shWEzqw+Fr6wNM39K4E8SVX2YXPlgHONj32rkqvbea7SBzOEA7TiDS0vf
X+qWVL+97pLy9Vo1SivCeOqR519dU9tWY+qcEaUg62MKTmYPAPE4Bzr3oRNYnw==
To: 9front@9front.org
Date: Mon, 21 Sep 2020 17:40:20 +0200
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: kvik@a-b.xyz
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.10
List-ID: <9front.9front.org>
List-Help: <http://lists.9front.org>
X-Glyph: ➈
X-Bullshit: virtualized metadata metadata-based dependency-aware backend
Subject: [9front] test
Reply-To: 9front@9front.org
Precedence: bulk
I've changed DMARC policy to 'none'.
Let's see if this mail still gets to spam.
P.S. Sorry for spamming the list.
------------=_5F68C9B3.6CD1B719--