[Mailman-Users] Mailman-Users Digest, Vol 154, Issue 30

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Tue Dec 20 11:09:56 EST 2016


Glen Page writes:

 > We are a Google Apps for Education school so most of our employees
 > and students are using gmail but with our own thet.net
 > <http://thet.net/> domain. We have mx records for gmails servers
 > and for our in house mailman server. Recently edited our DNS zones
 > due to SPF record check failures. Also, recently had to change out
 > IP block due to changes at our ISP. Here is the header info from a
 > message that I got from our Dean. It got flagged as Spam somewhere
 > along the way.

You've deleted a bunch of header fields, it seems.  That doesn't hurt
this time -- it seems pretty clear that a misconfigured SpamAssassin
is the problem.  But you should tell us about it, and also consider
leaving in the fields while redacting specific personal information
such as mailboxes and IP addresses if you consider them sensitive.

To the analysis.  This appears to be the subject:

 > {Spam?} [TA Admin] {Spam?} [Employees] {Spam?} [Claws] {Spam?} SNOWBALL IS CANCELLED FOR	TONIGHT

SpamAssassin ignores the parenthesized tags, and finds that the
subject is all uppercase.  1.5 spam points.  Tell your people not to
use all uppercase, especially not in the subject, but also not in the
body.  This is a very good indicator of spam.

This is your addressee list in the "To" field, right?

 > To: claws at lists.thet.net students2017 at lists.thet.net 

It happens to be sorted.  2.5 spam points, total 4.  You're already
almost busted!  If you have control over SpamAssassin, this is a
stupid rule unless you've got more than 5 addressees, and you should
be giving that a lot of points anyway.  Take that rule down to 1
point, or disable it.

 > X-Thetnet-Mailscanner-Spamcheck:
 > spam, SORBS-SPAM,

Dunno what the above line means.

 > SpamAssassin (cached, score=7.315, required 5,
 > BAYES_00 -1.90,

Content is extremely unspam-like.  Congratulate the author. :-)

 > DNS_FROM_AHBL_RHSBL 2.70,

Ouch.  Appears you are on a blacklist ... no, AHBL and RHSBL are
deprecated and may not even be operating any more, lots of "too many
false positives, how can I disable this rule?" on Google.  See this
URL:

http://www.emailquestions.com/threads/how-to-disable-dns_from_ahbl_rhsbl-rbl-envelope-sender-listed-in-dnsbl-ahbl-org.10342/

 > HTML_MESSAGE 0.00,

Yeah!  "Friends don't let friends send HTML mail."

 > RCVD_IN_DNSWL_NONE -0.00,

Good.

 > SORTED_RECIPS 2.50,
 > SUBJ_ALL_CAPS 1.51,

As mentioned above.

 > SUSPICIOUS_RECIPS 2.51),

I have no idea why you're getting that.  Maybe somebody else has an
idea, but if not you'll have to ask somebody with access to your
SpamAssassin rule base.  Anyway, the total above is already 8.2 (then
you get 1.9 back for high-value content), you're busted.

 > Received: from dispatch.thet.net ([104.219.98.14]) by mx.google.com
 >     with ESMTPS id n185si342354qke.282.2016.12.17.08.50.32
 >     (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 17 Dec 2016
 >     08:50:32 -0800 (PST)
 > Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
 >     by dispatch.thet.net (Postfix) with ESMTP id A1013E6103A; Sat, 17
 >     Dec 2016 11:49:56 -0500 (EST)
 > Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
 >     by dispatch.thet.net (Postfix) with ESMTP id BA586E61035; Sat, 17
 >     Dec 2016 11:49:04 -0500 (EST)
 > Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
 >     by dispatch.thet.net (Postfix) with ESMTP id 12323E60FF7; Sat, 17
 >     Dec 2016 11:48:05 -0500 (EST)

I guess this is the chain of umbrella lists.  You might want to see if
you can get the addressees put in the logs so that you can figure out
what's actually happening here.

 > Received: from mail-yw0-f177.google.com (mail-yw0-f177.google.com [209.85.161.177]) by dispatch.thet.net (Postfix) with ESMTPS id 0F6F3E60FF7 for <claws at lists.thet.net>; Sat, 17 Dec 2016 11:47:29 -0500 (EST)
 > Received: by mail-yw0-f177.google.com with SMTP id i145so46776688ywg.2 for <claws at lists.thet.net>; Sat, 17 Dec 2016 08:47:29 -0800 (PST)
 > Received: by 10.37.30.86 with HTTP; Sat, 17 Dec 2016 08:47:28 -0800 (PST)
 > Content-Type: multipart/mixed; boundary="===============0140925220=="
 > X-Thetnet-Mailscanner-Id: A1013E6103A.A0BA7
 > Delivered-To: glen.page at thet.net.test-google-a.com
 > Delivered-To: admin at lists.thet.net
 > Delivered-To: employees at lists.thet.net
 > Delivered-To: claws at lists.thet.net
 > X-Beenthere: claws at lists.thet.net
 > X-Beenthere: employees at lists.thet.net
 > X-Beenthere: admin at lists.thet.net
 > Received-Spf: fail (google.com: domain of admin-bounces at lists.thet.net does not designate 104.219.98.14 as permitted sender) client-ip=104.219.98.14;

This is misconfigured, I think.  lists.thet.net doesn't permit
dispatch.thet.net to send for it?

 > Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thet-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=; b=z4aCN7tqgI6/fqyUS0996YyJ3h9vBdciKFZDMciilUXU1d1VzpD9MPEw5iFzTvTiBk JboPNIV4zE41HWJcMRL3FIJ2A9ahgpkAD+p48PIxjqveclm4BM92Ioj3LXqrXg6lLs+Q SkqLIEl6DQLzWigaixP49UmPqbQjSbfxLvxq32MXFVldcOF7n/5Q1SfFQkErRq8S14x8 U1Keu94MZCSi2xp7bXj4ARdtdOsOOemWCRRSzrAd0nR+uqsW+aOKPHmqYZqHHz3Ct328 XH+wBOs/CUSe7sOrQCM/RlHb2IQg0rTS0t3V3jhZkYaquDF59rgTYsNyo7BEToSeXDfV QuOg==

This is going to fail, since the subject is signed but you're adding
tags all over the place.  This is the safest available configuration,
so it is not a problem (that you can do anything about), but you will
DoS yourself if you ever set a DMARC policy of p=quarantine or
p=reject.  Just a word to the wise for the future.

Hope this helps,

Steve

-- 
Associate Professor            Department of Policy and Planning Science
http://turnbull/sk.tsukuba.ac.jp/     Faculty of Systems and Information
Email: turnbull at sk.tsukuba.ac.jp                   University of Tsukuba
Tel: 029-853-5175                 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
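The Received-SPF "fail" above means lists.thet.net's SPF record did not name 104.219.98.14 as a permitted sender. The following checker is an added example (not part of the thread, and not Mailman or SpamAssassin code) that evaluates an SPF record's literal ip4/ip6 mechanisms offline; the two records are constructed, since the thread does not show the domain's real SPF record, and include:/a:/mx: terms are deliberately skipped because they need DNS.

```python
import ipaddress

# Constructed records: the thread does not show lists.thet.net's real SPF record,
# only that Google evaluated dispatch.thet.net (104.219.98.14) as "fail".
# OLD_RECORD stands for a record still listing a hypothetical old ISP block;
# NEW_RECORD adds the block the server actually sends from now.
OLD_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"
NEW_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:104.219.98.0/24 -all"
SENDER_IP = "104.219.98.14"  # dispatch.thet.net, as seen by mx.google.com


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6 mechanisms and the 'all' terminal of an SPF record.

    Returns pass / fail / softfail / neutral / none, the same result names
    that appear in a Received-SPF header.  Offline subset only: include:,
    a:, mx:, exists: and ptr: need DNS and are skipped, so the checker is
    meaningful only for records made of literal networks.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # RFC 7208: no usable record
    ip = ipaddress.ip_address(client_ip)
    outcome = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in outcome:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return outcome[qualifier]
        if mech in ("ip4", "ip6"):
            # A bare address gets a /32 (or /128) mask; mixed IP versions never match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return outcome[qualifier]
        # include/a/mx/exists/ptr: DNS-dependent, out of scope for this offline checker
    return "neutral"  # no mechanism matched and the record has no 'all' term


if __name__ == "__main__":
    for label, record in (("old", OLD_RECORD), ("new", NEW_RECORD)):
        print(f"{label}: {record!r} -> {evaluate_spf(record, SENDER_IP)}")
```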

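The DKIM remark above (subject is in h=, so adding list tags breaks the signature) can be shown with the relaxed header canonicalization from RFC 6376 section 3.4.2. This is an added example, not code from the thread or from Mailman; it uses a SHA-256 digest as a stand-in for the RSA signature and omits the DKIM-Signature header itself from the hashed set, which is enough to show that the verifier's input changes once a subject tag is prepended. The From, Date and Message-ID values are constructed; the Subject, To and h= list are the ones quoted in the thread.

```python
import hashlib
import re

# Constructed sample headers modelled on the thread's message (From/Date/Message-ID
# values are made up; Subject, To and SIGNED_FIELDS are as quoted in the thread).
ORIGINAL_HEADERS = [
    ("MIME-Version", "1.0"),
    ("From", "Dean <dean@thet.net>"),
    ("Date", "Sat, 17 Dec 2016 08:47:28 -0800"),
    ("Message-ID", "<example-id@mail.gmail.com>"),
    ("Subject", "SNOWBALL IS CANCELLED FOR\tTONIGHT"),
    ("To", "claws@lists.thet.net, students2017@lists.thet.net"),
]
SIGNED_FIELDS = "mime-version:from:date:message-id:subject:to"


def relaxed_canon(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization of one field."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse WSP runs, trim ends
    return f"{name.lower()}:{value}\r\n"            # lowercase name, keep the colon


def header_hash(headers, signed_fields=SIGNED_FIELDS):
    """Digest of the h= header set as a verifier reconstructs it.

    Simulation only: real DKIM feeds this canonical text (plus the
    DKIM-Signature header with b= emptied) into an RSA signature; a plain
    SHA-256 digest is enough to show whether the signed input changed.
    """
    lookup = {}
    for name, value in headers:
        lookup.setdefault(name.lower(), []).append(value)
    h = hashlib.sha256()
    for field in signed_fields.split(":"):
        values = lookup.get(field)
        if values:  # a field listed once in h= refers to its bottom-most instance
            h.update(relaxed_canon(field, values[-1]).encode())
    return h.hexdigest()


def tag_subject(headers, tag):
    """What the list server did: prepend a subject tag, leave other fields alone."""
    return [(n, f"{tag} {v}" if n.lower() == "subject" else v) for n, v in headers]


original = header_hash(ORIGINAL_HEADERS)
tagged = header_hash(tag_subject(ORIGINAL_HEADERS, "{Spam?} [Claws]"))
signature_survives = original == tagged  # False: the receiver's DKIM check fails
```

Whitespace-only changes (folding, tab versus space) survive relaxed canonicalization; a visible tag in a signed field does not, which is why a p=reject DMARC policy on the sending domain would turn this into self-inflicted rejection.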
