Spam Question

Use this forum for discussions about SpamAssassin and anti-spam in general.
Post Reply
comp1mp
New user
New user
Posts: 21
Joined: 2013-11-26 03:51

Spam Question

Post by comp1mp » 2014-10-17 04:36

Hello All,

I have configured my Spam settings per Doom's post, except I do not have Spam Assassin installed.

viewtopic.php?f=12&t=15442

After doing this I have received approx 20 spam messages with only 1 being marked in the subject as Spam.

However, the status page in hMail admin displays 20 spam messages.

Only the email with marked with [SPAM] in the subject line contains any x-HMailServer spam headers.

What could be the reason for the inconsistency?

Thanks

User avatar
mattg
Moderator
Moderator
Posts: 20799
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam Question

Post by mattg » 2014-10-17 05:04

perhaps 19 have been deleted
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

comp1mp
New user
New user
Posts: 21
Joined: 2013-11-26 03:51

Re: Spam Question

Post by comp1mp » 2014-10-17 05:10

My spam delete threshold is set at 100.

Using Doom's configuration, if every test failed, the score would be 15.

My hunch is that if a single test fails, it shows up in the count displayed on the status screen. But the other 19 did not reach a score of 6 which is my mark threshold.

percepts
Senior user
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Spam Question

Post by percepts » 2014-10-17 05:35

have you selected antispam on all of your IP ranges?

are some of these spam mails coming from your own webmail system (being sent from ip 127.0.0.1) (if you have one)

are they being sent from local domains ?

have you switched on all logging options including debug and looked ta your logs to see whats happening?

which version of hmail are running.

comp1mp
New user
New user
Posts: 21
Joined: 2013-11-26 03:51

Re: Spam Question

Post by comp1mp » 2014-10-17 06:05

Yes
No
No
Yes (Teach a man to fish...)
5.3.2-B1769 (Almost two years without a shutdown:))

OK so my hunch may be correct. All other message had scores of 5 or less indicated in the logs.

Without knowing the code though, I can't be 100% sure that if spam scores greater than 0, it shows up in the status counter regardless if it meets the mark threshold.

As far as only 5% of my spam being identified, guess I need to do a little more research on scoring configuration.

Is using just Spam Assassin and disabling everything else in hMailServer spam configuration a viable path?

User avatar
mattg
Moderator
Moderator
Posts: 20799
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam Question

Post by mattg » 2014-10-17 06:49

I don't use Spam Assassin
I do use greylisting to great effect.
(But it comes at a cost)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

comp1mp
New user
New user
Posts: 21
Joined: 2013-11-26 03:51

Re: Spam Question

Post by comp1mp » 2014-10-17 07:06

I will read up on grey listing.

Any particular reasons for not using SA?

User avatar
mattg
Moderator
Moderator
Posts: 20799
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam Question

Post by mattg » 2014-10-17 12:29

Just don't need to.
hMailserver does very well on it's own.

You may need to tune your SPM settings though. Doom's post was a couple of years ago, and your incoming SPAM may not be of the same level as his was then
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
SorenR
Senior user
Senior user
Posts: 3567
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam Question

Post by SorenR » 2014-10-17 16:05

I guess it depends on who your users are and what part of the world you are in... My rules cover my needs 112%, the only issue I have presently are false-positives due to my slightly "anal" Blacklist :wink:

Since November 1, I have registered 713 UCE's in my SPAM account (I forward a copy of all SPAM to this account in order to fine-tune my settings)

I have the INBOX divided into the following priority:

"Tagged as SPAM" = 463 mails (SpamAssassin)
"Blacklisted" = 209 mails
"SPAM" = 41 mails (hMailServer)

When I sort messages, "Tagged as SPAM" wins over "Blacklisted" and "Blacklisted" wins over "SPAM"

212 mails in "Tagged as SPAM" are also tagged as "Blacklisted"
165 mails in "Tagged as SPAM" are also tagged as "SPAM"
8 mails in "Blacklisted" are also tagged as "SPAM"

Without going deeper into the numbers It seems to me that SpamAssassin is more effective..

I also have GreyListing active (5 minutes wait, 1 day timeout and keep 60 days) and it removes 100 x more UCE's than the rest.

I have a rule on my SPAM account that will look in the headers for "List-Unsubscribe" and if tagged as "Blacklisted" or SpamAssassin have a score of 5+ stars, the rule (script function) will find the "html" part in the "List-Unsubscribe" header and execute it. The rule has about an 80% success rate in unsubscribing users :mrgreen:

Oh, and... I do also have a "Whitelist" for my "Blacklist" but that because I don't always blacklist on "From", I use other header values like f.x. "Message-ID" to catch the common distributors of UCE and maillists 8)
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

LesD
Senior user
Senior user
Posts: 343
Joined: 2009-01-15 20:22
Location: London, UK.

Re: Spam Question

Post by LesD » 2014-10-24 11:14

SorenR wrote:I also have GreyListing active (5 minutes wait, 1 day timeout and keep 60 days) and it removes 100 x more UCE's than the rest.
The one time I tried to turn off greylisting, I got many hundreds (maybe thousands?) of spam instead of the regular handful. A very powerful tool. The cost is very much worth the benefit.
SorenR wrote:I have a rule on my SPAM account that will look in the headers for "List-Unsubscribe" and if tagged as "Blacklisted" or SpamAssassin have a score of 5+ stars, the rule (script function) will find the "html" part in the "List-Unsubscribe" header and execute it. The rule has about an 80% success rate in unsubscribing users
I have always avoided using the unsubscribe link on spam for the fear that all I am doing is confirming to the spammer that he has a good live email address and so he will redouble his efforts.

I am surprised at your results.

How do you know measure 'success'?

User avatar
SorenR
Senior user
Senior user
Posts: 3567
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam Question

Post by SorenR » 2014-10-24 14:19

LesD wrote:
SorenR wrote:I also have GreyListing active (5 minutes wait, 1 day timeout and keep 60 days) and it removes 100 x more UCE's than the rest.
The one time I tried to turn off greylisting, I got many hundreds (maybe thousands?) of spam instead of the regular handful. A very powerful tool. The cost is very much worth the benefit.
SorenR wrote:I have a rule on my SPAM account that will look in the headers for "List-Unsubscribe" and if tagged as "Blacklisted" or SpamAssassin have a score of 5+ stars, the rule (script function) will find the "html" part in the "List-Unsubscribe" header and execute it. The rule has about an 80% success rate in unsubscribing users
I have always avoided using the unsubscribe link on spam for the fear that all I am doing is confirming to the spammer that he has a good live email address and so he will redouble his efforts.

I am surprised at your results.

How do you know measure 'success'?
I count the numbers of Blacklisted mails copied to my SPAM account and the numbers are dropping fast ;-)

August: 301 blacklisted emails in SPAM account
September: 176 blacklisted emails in SPAM account
October: 41 blacklisted emails in SPAM account

I started developing the "unsubscribe" rule around the end of August and have been refining it during September.

I have even added senders to the blacklist during that period.

There will always be someone out there using "unsubscribe" for harvesting addresses but with the current laws within EU and USA, more and more legit list servers have to adhere to legislation or loose business... Marketing on paper is declining rapidly in favor of electronic marketing and list servers cannot afford to loose customers due to complaints. The worst thing you can do to a list server is put them on a SURBL or RBL list - it will affect their whole business.

Anyways, using the Blacklist filter to capture on fx. part of the Message-ID ("ccemails" or "mcsv.net"), the IP address of the server and the sending domain become unimportant... But since some of these list server also send out emails that you want (like ComputerWorld and a few others) you also need to have a Whitelist for your Blacklist. :wink:

I only have a few users on my server, so it is manageable, but I can imagine a larger set-up would be a nightmare...
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

LesD
Senior user
Senior user
Posts: 343
Joined: 2009-01-15 20:22
Location: London, UK.

Re: Spam Question

Post by LesD » 2014-10-24 14:27

I take on board your comments about un-subscribing. I won't be doing it automatically, but I can check if the link looks genuine or not.

Thanks.

User avatar
SorenR
Senior user
Senior user
Posts: 3567
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam Question

Post by SorenR » 2014-10-24 14:33

LesD wrote:I take on board your comments about un-subscribing. I won't be doing it automatically, but I can check if the link looks genuine or not.

Thanks.
The thing is, since it is automatic, it will happen every time an email comes in - until I delete the rule - or the unsubscribe go through ;-)

Even if they do add me to another list - it too will attempt to unsubscribe me if captured by SpamAssassin or Blacklist 8)

It's going to be an unsubscribe war - machine vs. machine :mrgreen:
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

LesD
Senior user
Senior user
Posts: 343
Joined: 2009-01-15 20:22
Location: London, UK.

Re: Spam Question

Post by LesD » 2014-10-24 14:36

If the unsibscribe link is an email address, would you also use that?

e.g.

List-Unsubscribe: unsubscribe@abestcoupon.com

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=abestcoupon.com; h=From:Sender:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe:Date; i=vicentevancuren@abestcoupon.com; etc...

LesD
Senior user
Senior user
Posts: 343
Joined: 2009-01-15 20:22
Location: London, UK.

Re: Spam Question

Post by LesD » 2014-10-24 14:44

SorenR wrote:
LesD wrote:It's going to be an unsubscribe war - machine vs. machine
They may go on with the game of ping-pong with each other till SMTP2 is born. :)

My solution to shops who keep emailing me just because I purchased something there is to use the 'Send Later' add-on to Thunderbird. Primary use for me is to give a 60 second breathing space to retrieve an email before it goes, but it also has a feature for repeatedly sending out the same email on a given cycle.

I just find out a live email address at the company and keep emailing, steadily shortening the cycle. It always works.

percepts
Senior user
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Spam Question

Post by percepts » 2014-10-24 17:32

LesD wrote:
SorenR wrote:
LesD wrote:It's going to be an unsubscribe war - machine vs. machine
They may go on with the game of ping-pong with each other till SMTP2 is born. :)

My solution to shops who keep emailing me just because I purchased something there is to use the 'Send Later' add-on to Thunderbird. Primary use for me is to give a 60 second breathing space to retrieve an email before it goes, but it also has a feature for repeatedly sending out the same email on a given cycle.

I just find out a live email address at the company and keep emailing, steadily shortening the cycle. It always works.
My solution to that is to create an alias address for the shop and give them that as my email address. Then when the purchase is complete and goods delivered, I just disable the alias which can be enabled again if I make another purchase from them. That way I don't get any of their spam once transaction is complete (or any spam from people they pass my email address to)

User avatar
SorenR
Senior user
Senior user
Posts: 3567
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam Question

Post by SorenR » 2014-10-24 18:05

percepts wrote:My solution to that is to create an alias address for the shop and give them that as my email address. Then when the purchase is complete and goods delivered, I just disable the alias which can be enabled again if I make another purchase from them. That way I don't get any of their spam once transaction is complete (or any spam from people they pass my email address to)
That would work for people you and me... Not for my wife and kids :mrgreen:

A lot of the stuff I see have a notice like...

Translated from Danish...
You are subscribed with <wife's email> and receive it because you have participated in a contest or survey we have sponceret where you have agreed to receive it. If you no longer wish to receive this newsletter you can unsubscribe here.
Problem is, she did not... :roll:

It may have been a Facebook link or something she looked at - what do I know... :|
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

LesD
Senior user
Senior user
Posts: 343
Joined: 2009-01-15 20:22
Location: London, UK.

Re: Spam Question

Post by LesD » 2014-10-25 19:39

percepts wrote:My solution to that is to create an alias address for the shop and give them that as my email address. Then when the purchase is complete and goods delivered, I just disable the alias which can be enabled again if I make another purchase from them. That way I don't get any of their spam once transaction is complete (or any spam from people they pass my email address to)
I used to do similar in the old days when I accepted any address to my domains, unless specifically blocked. Now that my ASSP rejects any name not on its list of authorised email names, its a bit of a pain to keep adding names, especially as I then also have to add it to my backup mail server's ASSP.

If I used just hMS it would obviously be simpler. [**]

So I have a few semi disposable addresses which I share with the various shops. Generally it is not an issue. I have not had to ditch an address for a long time but very occasionally I get a company that is genuine but probably just incompetent when dealing with unsubscribe requests.

[**] Life would be simpler if I could remove ASSP and rely totally on hMS. I no longer even remember what made me introduce it many years ago. Maybe I should review it sometime.

Post Reply