[Mailman-Users] Mailman-Users Digest, Vol 154, Issue 30

Glen Page glen.page at thet.net
Tue Dec 20 11:18:47 EST 2016


Stephen,

Thanks. I am pretty sure that the only thing I deleted was the sender name so not sure which header fields you think are missing.

I will forward this info on to the consultant that built and maintains both my spam-assassin and mailman builds and see what he can figure out.

Thanks again for the help.

Glen

> On Dec 20, 2016, at 11:09 AM, Stephen J. Turnbull <turnbull.stephen.fw at u.tsukuba.ac.jp> wrote:
> 
> Glen Page writes:
> 
>> We are a Google Apps for Education school so most of our employees
>> and students are using gmail but with our own thet.net
>> <http://thet.net/> domain. We have mx records for gmails servers
>> and for our in house mailman server. Recently edited our DNS zones
>> due to SPF record check failures. Also, recently had to change out
>> IP block due to changes at our ISP. Here is the header info from a
>> message that I got from our Dean. It got flagged as Spam somewhere
>> along the way.
> 
> You've deleted a bunch of header fields, it seems.  That doesn't hurt
> this time -- it seems pretty clear that a misconfigured SpamAssassin
> is the problem.  But you should tell us about it, and also consider
> leaving in the fields while redacting specific personal information
> such as mailboxes and IP addresses if you consider them sensitive.
> 
> To the analysis.  This appears to be the subject:
> 
>> {Spam?} [TA Admin] {Spam?} [Employees] {Spam?} [Claws] {Spam?} SNOWBALL IS CANCELLED FOR	TONIGHT
> 
> SpamAssassin ignores the parenthesized tags, and finds that the
> subject is all uppercase.  1.5 spam points.  Tell your people not to
> use all uppercase, especially not in the subject, but also not in the
> body.  This is a very good indicator of spam.
> 
> This is your addressee list in the "To" field, right?
> 
>> To: claws at lists.thet.net students2017 at lists.thet.net 
> 
> It happens to be sorted.  2.5 spam points, total 4.  You're already
> almost busted!  If you have control over SpamAssassin, this is a
> stupid rule unless you've got more than 5 addressees, and you should
> be giving that a lot of points anyway.  Take that rule down to 1
> point, or disable it.
> 
>> X-Thetnet-Mailscanner-Spamcheck:
>> spam, SORBS-SPAM,
> 
> Dunno what the above line means.
> 
>> SpamAssassin (cached, score=7.315, required 5,
>> BAYES_00 -1.90,
> 
> Content is extremely unspam-like.  Congratulate the author. :-)
> 
>> DNS_FROM_AHBL_RHSBL 2.70,
> 
> Ouch.  Appears you are on a blacklist ... no, AHBL and RHSBL are
> deprecated and may not even be operating any more, lots of "too many
> false positives, how can I disable this rule?" on Google.  See this
> URL:
> 
> http://www.emailquestions.com/threads/how-to-disable-dns_from_ahbl_rhsbl-rbl-envelope-sender-listed-in-dnsbl-ahbl-org.10342/
> 
>> HTML_MESSAGE 0.00,
> 
> Yeah!  "Friends don't let friends send HTML mail."
> 
>> RCVD_IN_DNSWL_NONE -0.00,
> 
> Good.
> 
>> SORTED_RECIPS 2.50,
>> SUBJ_ALL_CAPS 1.51,
> 
> As mentioned above.
> 
>> SUSPICIOUS_RECIPS 2.51),
> 
> I have no idea why you're getting that.  Maybe somebody else has an
> idea, but if not you'll have to ask somebody with access to your
> SpamAssassin rule base.  Anyway, the total above is already 8.2 (then
> you get 1.9 back for high-value content), you're busted.
> 
>> Received: from dispatch.thet.net ([104.219.98.14]) by mx.google.com
>>    with ESMTPS id n185si342354qke.282.2016.12.17.08.50.32
>>    (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 17 Dec 2016
>>    08:50:32 -0800 (PST)
>> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
>>    by dispatch.thet.net (Postfix) with ESMTP id A1013E6103A; Sat, 17
>>    Dec 2016 11:49:56 -0500 (EST)
>> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
>>    by dispatch.thet.net (Postfix) with ESMTP id BA586E61035; Sat, 17
>>    Dec 2016 11:49:04 -0500 (EST)
>> Received: from dispatch.thet.net (dispatch.thet.net [172.16.0.18])
>>    by dispatch.thet.net (Postfix) with ESMTP id 12323E60FF7; Sat, 17
>>    Dec 2016 11:48:05 -0500 (EST)
> 
> I guess this is the chain of umbrella lists.  You might want to see if
> you can get the addressees put in the logs so that you can figure out
> what's actually happening here.
> 
>> Received: from mail-yw0-f177.google.com (mail-yw0-f177.google.com [209.85.161.177]) by dispatch.thet.net (Postfix) with ESMTPS id 0F6F3E60FF7 for <claws at lists.thet.net>; Sat, 17 Dec 2016 11:47:29 -0500 (EST)
>> Received: by mail-yw0-f177.google.com with SMTP id i145so46776688ywg.2 for <claws at lists.thet.net>; Sat, 17 Dec 2016 08:47:29 -0800 (PST)
>> Received: by 10.37.30.86 with HTTP; Sat, 17 Dec 2016 08:47:28 -0800 (PST)
>> Content-Type: multipart/mixed; boundary="===============0140925220=="
>> X-Thetnet-Mailscanner-Id: A1013E6103A.A0BA7
>> Delivered-To: glen.page at thet.net.test-google-a.com
>> Delivered-To: admin at lists.thet.net
>> Delivered-To: employees at lists.thet.net
>> Delivered-To: claws at lists.thet.net
>> X-Beenthere: claws at lists.thet.net
>> X-Beenthere: employees at lists.thet.net
>> X-Beenthere: admin at lists.thet.net
>> Received-Spf: fail (google.com: domain of admin-bounces at lists.thet.net does not designate 104.219.98.14 as permitted sender) client-ip=104.219.98.14;
> 
> This is misconfigured, I think.  lists.thet.net doesn't permit
> dispatch.thet.net to send for it?
> 
>> Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thet-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=8F82G0kwQs0BGWAs4rc0JlbGrQ5jSEAp9BGHHsLlJGQ=; b=z4aCN7tqgI6/fqyUS0996YyJ3h9vBdciKFZDMciilUXU1d1VzpD9MPEw5iFzTvTiBk JboPNIV4zE41HWJcMRL3FIJ2A9ahgpkAD+p48PIxjqveclm4BM92Ioj3LXqrXg6lLs+Q SkqLIEl6DQLzWigaixP49UmPqbQjSbfxLvxq32MXFVldcOF7n/5Q1SfFQkErRq8S14x8 U1Keu94MZCSi2xp7bXj4ARdtdOsOOemWCRRSzrAd0nR+uqsW+aOKPHmqYZqHHz3Ct328 XH+wBOs/CUSe7sOrQCM/RlHb2IQg0rTS0t3V3jhZkYaquDF59rgTYsNyo7BEToSeXDfV QuOg==
> 
> This is going to fail, since the subject is signed but you're adding
> tags all over the place.  This is the safest available configuration,
> so it is not a problem (that you can do anything about), but you will
> DoS yourself if you ever set a DMARC policy of p=quarantine or
> p=reject.  Just a word to the wise for the future.
> 
> Hope this helps,
> 
> Steve
> 
> -- 
> Associate Professor            Department of Policy and Planning Science
> http://turnbull/sk.tsukuba.ac.jp/     Faculty of Systems and Information
> Email: turnbull at sk.tsukuba.ac.jp                   University of Tsukuba
> Tel: 029-853-5175                 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN

Glen Page
Director of Information Technology
ThetNet - Thetford Academy
802.785.4805.x231



"If a guy can dream up a way to cause an explosion, it will happen." — Newton's Seventh Corollary of Physics
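Added example (not code from the thread or from Mailman/SpamAssassin): it parses the SpamAssassin verdict quoted in Steve's reply, sums the rule hits against the `required 5` threshold, and then re-runs the sum with the local rescoring he suggests (drop the deprecated `DNS_FROM_AHBL_RHSBL`, cut `SORTED_RECIPS` to 1 point). SpamAssassin itself takes such overrides as `score RULE n.nn` lines in local.cf, with 0 disabling a rule; the verdict text below is a constructed copy of the header values shown above.

```python
import re

# Constructed copy of the verdict quoted in the thread (same rule names and
# scores as the X-Thetnet-Mailscanner-Spamcheck header shown there).
SPAMCHECK = """SpamAssassin (cached, score=7.315, required 5,
BAYES_00 -1.90, DNS_FROM_AHBL_RHSBL 2.70, HTML_MESSAGE 0.00,
RCVD_IN_DNSWL_NONE -0.00, SORTED_RECIPS 2.50, SUBJ_ALL_CAPS 1.51,
SUSPICIOUS_RECIPS 2.51)"""

# Local rescoring as suggested in the reply: None disables a rule outright.
RESCORE = {"DNS_FROM_AHBL_RHSBL": None, "SORTED_RECIPS": 1.0}

# Rule symbols are upper-case identifiers followed by a signed decimal score.
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)")


def parse_hits(report):
    """Return (required_threshold, {rule: score}) from a verdict string."""
    required = float(re.search(r"required (\d+(?:\.\d+)?)", report).group(1))
    hits = {rule: float(score) for rule, score in RULE_RE.findall(report)}
    return required, hits


def total(hits, overrides=None):
    """Sum the rule scores, applying local score overrides where given."""
    overrides = overrides or {}
    score = 0.0
    for rule, s in hits.items():
        s = overrides.get(rule, s)
        score += s if s is not None else 0.0
    return round(score, 2)


def verdict(report, overrides=None):
    """Classify a verdict string as ('spam'|'ham', score) under overrides."""
    required, hits = parse_hits(report)
    score = total(hits, overrides)
    return ("spam" if score >= required else "ham", score)


if __name__ == "__main__":
    print("as delivered:", verdict(SPAMCHECK))   # ('spam', 7.32)
    print("after rescoring:", verdict(SPAMCHECK, RESCORE))  # ('ham', 3.12)
```

Disabling only the deprecated RBL rule already brings the message to 4.62, under the threshold; the recipient-order rule is what pushed an all-caps but otherwise clean message over it.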
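Added example (not from the thread) for the `Received-Spf: fail` line Steve flags: a minimal SPF evaluator run offline against constructed TXT records. It reproduces a `fail` for the Mailman host's IP 104.219.98.14 (taken from the headers above) when the list domain's record only includes Google's senders, and a `pass` once that IP is added. The record contents, the `_spf.google.com` range and the `lists.thet.net.fixed` name are assumptions, not the real zones.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption: the real
# thet.net zones are not shown in the thread).
TXT = {
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ~all",
    # Weak record: only Google's outbound hosts may send for the list domain,
    # so mail relayed by dispatch.thet.net fails with a hard "-all".
    "lists.thet.net": "v=spf1 include:_spf.google.com -all",
    # Corrected record: also authorises the Mailman host's public IP.
    "lists.thet.net.fixed": "v=spf1 ip4:104.219.98.14 include:_spf.google.com -all",
}

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, txt=TXT, depth=0):
    """Toy SPF check supporting only ip4, include and all mechanisms."""
    if depth > 10:            # RFC 7208 caps DNS-causing terms; stop loops
        return "permerror"
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUAL[qual]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUAL[qual]
        elif term.startswith("include:"):
            if check_spf(term[8:], client_ip, txt, depth + 1) == "pass":
                return QUAL[qual]
        else:
            return "permerror"  # mechanism this toy does not implement
    return "neutral"


if __name__ == "__main__":
    # Envelope sender admin-bounces@lists.thet.net relayed by dispatch.thet.net
    print(check_spf("lists.thet.net", "104.219.98.14"))        # fail
    print(check_spf("lists.thet.net.fixed", "104.219.98.14"))  # pass
```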