From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from alarum.de ([159.69.146.68]) by ewsd; Tue Sep 22 14:57:29 EDT 2020
Received: from lenovo.sphairon.box (p4fe74979.dip0.t-ipconnect.de [79.231.73.121])
    by alarum.de (Postfix) with ESMTPSA id D1C2B1B8BAE
    for <9front@9front.org>; Tue, 22 Sep 2020 20:57:22 +0200 (CEST)
Date: Tue, 22 Sep 2020 20:57:21 +0200
From: Stefan Hertenberger
To: 9front@9front.org
Subject: Re: *****SPAM***** [9front] test
Message-ID: <20200922205721.27248d34@lenovo.sphairon.box>
In-Reply-To: <20200921203300.GD43872@wopr>
References: <1E3083B627E4EDD1DF08AA61E95E4DA2@a-b.xyz>
    <20200921195429.4839eb21@lenovo.sphairon.box>
    <20200921203300.GD43872@wopr>
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=1.0 required=5.0 tests=T_PDS_OTHER_BAD_TLD,
    UNPARSEABLE_RELAY,URIBL_BLOCKED,URI_OPTOUT_3LD autolearn=no
    autolearn_force=no version=3.4.4
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on vbsd.alarum.de
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: TOR deep-learning-scale interface engine strategy

On Mon, 21 Sep 2020 13:33:00 -0700, Kurt H Maier wrote:

> Your SpamAssassin installation is misconfigured. Notes inline.
>
>
> On Mon, Sep 21, 2020 at 07:54:29PM +0200, Stefan Hertenberger wrote:
> > > 0.9 SPF_FAIL      SPF: sender does not match SPF record
> > > 0.1 DKIM_SIGNED   Message has a DKIM or DK signature, not necessarily valid
> > > 0.1 DKIM_INVALID  DKIM or DK signature exists, but is not valid
>
> These are caused by invalid forwarding config on a-b.xyz. It needs to
> strip DKIM and rewrite From: if it's going to behave like this. I
> suspect but cannot prove that migadu is adding the dkim signatures,
> which then don't match the From: line since 9front.org mail doesn't
> come from migadu.
>
> > > 2.0 FROM_SUSPICIOUS_NTLD_FP  From abused NTLD
> > > 1.3 RDNS_NONE                Delivered to internal network by a host with no rDNS
> > > 0.5 FROM_SUSPICIOUS_NTLD     From abused NTLD
>
> These are the majority of the weights causing the SPAM tag from SA,
> and again it's because xyz is a spam hotbed and also because
> a-b.xyz's IP address reverse-resolves to ten.a-b.xyz.
>
> If you intend to continue receiving 9front mail through this domain,
> it's probably simplest to whitelist the domain in your sa-spamd rules,
> since nothing sl does to the 9front list will change any of these
> things. Dropping a 'whitelist_from_rcvd *@9front.org a-b.xyz' into
> your spamassassin rules may do it, but without seeing the full
> headers of the as-delivered message I can't be sure.
>
> khm

Hello,

sorry for the late reply! alarum.de is my personal playground, so a misconfiguration is possible.

Here is the complete source for the email.

Return-Path: <9front-bounces@ewsd.inri.net>
X-Original-To: stefan@alarum.de
Delivered-To: stefan@alarum.de
Received: from ewsd.inri.net (ewsd.inri.net [107.191.116.128])
    by alarum.de (Postfix) with ESMTP id 4FFC71B8D67
    for ; Mon, 21 Sep 2020 17:41:37 +0200 (CEST)
Received: from out0.migadu.com ([94.23.1.103]) by ewsd; Mon Sep 21 11:40:32 EDT 2020
Message-ID: <1E3083B627E4EDD1DF08AA61E95E4DA2@a-b.xyz>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=a-b.xyz; s=key1;
    t=1600702823;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
    to:to:cc:mime-version:mime-version:content-type:content-type:
    content-transfer-encoding:content-transfer-encoding;
    bh=InrW//k9HspT0nLKA/dQBT2lattjYFTpecCGszIrIiY=;
    b=couXgEp+X7wJBDGXNfssrxirjlVxqS5+SFgUFvN47oWZZKlkw6M4iZl1pkh42DE+T/DkgS
    AfbdwbJKX88GnoJcQGgwnb+JMcq+WjTznq/guqIvl3mGx4t8QIu+2KJQQAPegF7P9eZIAW
    e4cTtZQoA2VpyX1v4SO5OuWX22vnHPE60TwBUcNtOGoJPAAEJMbF0LXcGt5dU1/3Txl54g
    xMfYxrxkZtbs8shWEzqw+Fr6wNM39K4E8SVX2YXPlgHONj32rkqvbea7SBzOEA7TiDS0vf
    X+qWVL+97pLy9Vo1SivCeOqR519dU9tWY+qcEaUg62MKTmYPAPE4Bzr3oRNYnw==
To: 9front@9front.org
Date: Mon, 21 Sep 2020 17:40:20 +0200
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: kvik@a-b.xyz
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5F68C9B3.6CD1B719"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.10
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: virtualized metadata metadata-based dependency-aware backend
Subject: *****SPAM***** [9front] test
Reply-To: 9front@9front.org
Precedence: bulk
X-Spam-Flag: YES
X-Spam-Status: Yes, score=5.1 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
    FROM_SUSPICIOUS_NTLD,FROM_SUSPICIOUS_NTLD_FP,
    HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,
    RDNS_NONE,SPF_FAIL,SPF_HELO_NONE,T_PDS_OTHER_BAD_TLD,UNPARSEABLE_RELAY,
    URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.4
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on vbsd.alarum.de

This is a multi-part message in MIME format.

------------=_5F68C9B3.6CD1B719
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "vbsd.alarum.de",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
postmaster for details.

Content preview: I've changed DMARC policy to 'none'. Let's see if this mail
    still gets to spam. P.S. Sorry for spamming the list.

Content analysis details: (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [94.23.1.103 listed in wl.mailspike.net]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                            for more information.
                            [URIs: a-b.xyz]
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 0.0 T_PDS_OTHER_BAD_TLD    Untrustworthy TLDs
                            [URI: a-b.xyz (xyz)]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=9front-bounces%40ewsd.inri.net;ip=94.23.1.103;r=vbsd.alarum.de]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD

------------=_5F68C9B3.6CD1B719
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

X-Envelope-From: <9front-bounces@ewsd.inri.net>
X-Envelope-To:
Received: from ewsd.inri.net (unknown) by alarum.de(Postfix 3.1.4/8.13.0) with SMTP id unknown;
    Mon, 21 Sep 2020 17:41:37 +0200 (envelope-from <9front-bounces@ewsd.inri.net>)
Received: from out0.migadu.com ([94.23.1.103]) by ewsd; Mon Sep 21 11:40:32 EDT 2020
Message-ID: <1E3083B627E4EDD1DF08AA61E95E4DA2@a-b.xyz>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=a-b.xyz; s=key1;
    t=1600702823;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
    to:to:cc:mime-version:mime-version:content-type:content-type:
    content-transfer-encoding:content-transfer-encoding;
    bh=InrW//k9HspT0nLKA/dQBT2lattjYFTpecCGszIrIiY=;
    b=couXgEp+X7wJBDGXNfssrxirjlVxqS5+SFgUFvN47oWZZKlkw6M4iZl1pkh42DE+T/DkgS
    AfbdwbJKX88GnoJcQGgwnb+JMcq+WjTznq/guqIvl3mGx4t8QIu+2KJQQAPegF7P9eZIAW
    e4cTtZQoA2VpyX1v4SO5OuWX22vnHPE60TwBUcNtOGoJPAAEJMbF0LXcGt5dU1/3Txl54g
    xMfYxrxkZtbs8shWEzqw+Fr6wNM39K4E8SVX2YXPlgHONj32rkqvbea7SBzOEA7TiDS0vf
    X+qWVL+97pLy9Vo1SivCeOqR519dU9tWY+qcEaUg62MKTmYPAPE4Bzr3oRNYnw==
To: 9front@9front.org
Date: Mon, 21 Sep 2020 17:40:20 +0200
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: kvik@a-b.xyz
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -0.10
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: virtualized metadata metadata-based dependency-aware backend
Subject: [9front] test
Reply-To: 9front@9front.org
Precedence: bulk

I've changed DMARC policy to 'none'. Let's see if this mail still gets to spam.

P.S. Sorry for spamming the list.

------------=_5F68C9B3.6CD1B719--
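
The quoted reply's point that the TLD and rDNS rules carry most of the weight can be checked by totalling the SpamAssassin report per rule. The following Python is an added example, not part of the thread: the report text is rebuilt from the scores quoted above with shortened descriptions, and `parse_report` and `score_without` are hypothetical helper names.

```python
import re
from decimal import Decimal

# Constructed sample: scores as quoted in the message above; layout rebuilt,
# descriptions shortened. Helper names below are illustrative.
REPORT = """\
Content analysis details:   (5.1 points, 5.0 required)
 pts rule name              description
---- ---------------------- ----------------------------------------
-0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
                            [94.23.1.103 listed in wl.mailspike.net]
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: query was blocked
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom differ
 0.0 T_PDS_OTHER_BAD_TLD    Untrustworthy TLDs
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.9 SPF_FAIL               SPF: sender does not match SPF record
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.0 UNPARSEABLE_RELAY      Informational: unparseable relay lines
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.0 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
 1.3 RDNS_NONE              Delivered by a host with no rDNS
 0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
"""

RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s")
SUMMARY = re.compile(r"\((-?[\d.]+) points, (-?[\d.]+) required\)")

def parse_report(text):
    """Return (reported_total, required, {rule: score}); wrapped lines are skipped."""
    m = SUMMARY.search(text)
    total, required = Decimal(m.group(1)), Decimal(m.group(2))
    scores = {}
    for line in text.splitlines():
        hit = RULE.match(line)
        if hit:  # header, separator and continuation lines do not match
            scores[hit.group(2)] = Decimal(hit.group(1))
    return total, required, scores

def score_without(scores, dropped):
    """Total score if the rules named in `dropped` had not fired."""
    return sum((s for r, s in scores.items() if r not in dropped), Decimal(0))

if __name__ == "__main__":
    total, required, scores = parse_report(REPORT)
    auth = {"SPF_FAIL", "DKIM_SIGNED", "DKIM_INVALID"}
    domain = {"FROM_SUSPICIOUS_NTLD_FP", "RDNS_NONE", "FROM_SUSPICIOUS_NTLD"}
    for name, group in (("SPF/DKIM", auth), ("TLD/rDNS", domain)):
        print(name, "removed ->", score_without(scores, group), "of", required)
```

Against the 5.0 threshold, dropping the three SPF/DKIM rules leaves 4.0 and dropping the three TLD/rDNS rules leaves 1.3.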