Discussion:
Treat Invalid Watermarks with No Sender as Spam
Shawn Iverson
2014-02-22 01:03:15 UTC
I am having issues where legitimate bounces, out of office messages, delivery receipts, and so forth are being marked as spam due to no watermark or sender address.

Treat Invalid Watermarks with No Sender As Spam = high-scoring spam

It appears that these messages indeed do not have a valid watermark or sender address anywhere, even though they are legitimate incoming emails.

Is this expected behavior? It appears that many remote servers strip off the original MIME Header...


Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us


--
This message has been scanned by E.F.A. Project and is believed to be clean.


Kevin Miller
2014-02-22 01:23:28 UTC
What are your watermark settings in MailScanner.conf? The idea behind a watermark is outbound mail gets watermarked. Bounces include the original headers so the watermark should be in it if it came from you. If there's no watermark it implies it's a forged NDR. (You probably already understand all that - just being pedantic.)
Can you check your outbound messages to verify they're getting watermarked? Maybe post some examples to pastebin. It's hard to say w/o seeing the actual message headers. Post your watermark settings too. Naturally you'll want to munge the "Watermark Secret" to something other than the actual value you use.
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Shawn Iverson
2014-02-24 23:54:16 UTC
Use Watermarking = yes
Add Watermark = yes
Check Watermarks With No Sender = yes
Treat Invalid Watermarks With No Sender as Spam = high-scoring spam
Check Watermarks To Skip Spam Checks = yes
Watermark Secret = mysecret
Watermark Lifetime = 604800
Watermark Header = X-%org-name%-MailScanner-EFA-Watermark:

Message sent to my gmail from inside has a watermark...appears to be
watermarking outbound emails ok.
http://pastebin.com/CmiShz59

Valid Delivery Success Notification from remote server that was
blocked, watermark not there...my X headers are gone...
http://pastebin.com/UxnAKb3F


Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Kevin Miller
2014-02-26 01:12:33 UTC
It might be instructive to look at the original message that Tim McCord sent to Paul Imkamp rather than just the delivery report for it. That way you could verify that the watermark went out on it. Do you have multiple paths out or just the one? Your message to gmail did look fine.
Rather than setting the action to high scoring spam, maybe try setting it to a value - say 1. The other spamassassin tests should push it over the top if it's actually spam, and if it's not, adding a little to the score shouldn't hurt too much. Play with the score until you find a value that catches spam w/o incurring false positive. Ultimately, you can't control what the far end does.
One thing though. The mail coming in lacking a watermark shouldn't trigger the rule. My understanding is, it fires when there's an invalid watermark AND no from user. I have many messages that don't have anything in the "from field" (envelope from). That's a normal thing in an NDR and such but they come right through just fine. I don't see anything in the post on pastebin to indicate that it failed because of the watermark. Why do you think that's the case?
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Shawn Iverson
2014-02-26 01:48:05 UTC
I only have one path, but I am thinking of putting up a second relay in the path to see the outbound header...

SpamAssassin Score:10.00
Spam Report:spam(no watermark or sender address)

This is what Spamassassin reports on this message.




Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Kevin Miller
2014-02-26 18:42:57 UTC
Well, that's a curious thing. The delivery report you posted had these for spam reporting:
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 4
X-NAI-Spam-Score: 0.5
X-NAI-Spam-Rules: 2 Rules triggered
CTYPE_GTONE_UNDRSCOPE_PART=0.5, RV4863=0

I don't know if they're yours or zone.com's. I think the latter. With what you posted there aren't any spam reports.

I implemented watermarks a year or two ago, but being cautious, and wanting to watch it a bit first, had the action set to nothing and forgot to ever go back and set it to something else. Fat lot of good that did me! <g>

After you posted I set it to "1" on my primary mx gateway, and "spam" on my backup gateways. I noticed in my reports (via MailWatch) that I would get this:
SpamAssassin Score: -0.70
or
SpamAssassin Score: 40.99
Spam Report:
address no watermark or sender
but no other spam scores. The first score above is from a legitimate message, the other from one that's clearly spam. The other spam messages all seem to have similar scores in the high 30s or low 40s. I'm only adding one point on this gateway, so the other 39.99 must have been from other spam checks but why they're not listed I don't know. I'm thinking at this point that perhaps your problem isn't the watermarking, but some other spam scores that are triggered, but don't show up in the spam report. I don't think MailScanner is assigning a default score of 10 to the messages.

The trick is to figure out how to see the rest of the spam report.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Shawn Iverson
2014-02-26 22:37:51 UTC
Yep, NAI is zones.com

My X headers are X-Rushville but not there...

Here's the full message in the quarantine at the filesystem level...

http://pastebin.com/KqqweaZY

Still scratching my head on this one.

When I disable the Treat Invalid Watermarks With No Sender as Spam, the messages do pass through just fine.



Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Kevin Miller
2014-02-26 23:48:38 UTC
Post by Shawn Iverson
When I disable the Treat Invalid Watermarks With No Sender as Spam, the messages do pass through just fine.
What happens when you assign it a numeric value?

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Shawn Iverson
2014-02-27 00:02:16 UTC
Just set a numeric...will observe and see what happens.


Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Shawn Iverson
2014-02-27 15:11:51 UTC
Setting to a low score has helped immensely. Messages are still getting caught by the other algorithms while allowing legit emails through.

I will make a feature request, though.

It appears in the MailScanner code that when Treat Invalid Watermarks with No Sender As Spam equals anything spam or higher, further rule processing is halted. This is taking precedence over whitelisting/blacklisting and probably should not.


Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Kevin Miller
2014-02-27 17:40:51 UTC
Glad the value setting is helping. I agree with you that continued spam processing would be beneficial, although it is probably more efficient to just deep-six the message once it's determined it's spam. For me, with just a few thousand messages per day it isn't a problem. If I was moving millions of mail messages it might be better to continue the current action. What would be best is to have a toggle so the admin can decide whether they want to mark it as spam and be done or continue further processing for more granular evaluation and tweaking.
Hopefully the folks that are maintaining MailScanner can take this up. I appreciate what they do but know they're busy with day jobs and such. I miss Jules...
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Shawn Iverson
2014-03-13 12:30:55 UTC
I spoke too soon, now I am having the opposite effect.
Treat Invalid Watermarks with No Sender As Spam
is halting subsequent rule processing on my system. As soon as an email matches this rule, spam checks do not proceed.
So, if I set a low score, all matching emails are non-spam (because Spamassassin doesn't get a chance to scan further)
And, if I set a high score, all matching emails are spam by default.
Catch 22
I'm going to dive into the MailScanner code and see what is actually happening....

Shawn Iverson
2014-03-13 18:57:02 UTC
Upon even closer observation....I seem to be insane.

If Treat Invalid Watermarks with No Sender as Spam = spam (or high-scoring spam), Messages.pm does indeed exit without moving forward, which makes sense.

When it is a number, processing continues. The messages that are getting through are indeed sliding past SpamAssassin undetected and with a 0 score. :/ Specifically, they are forged emails coming from Google, sent out to random recipients, with the DSNs landing squarely on the mail user whose email address was forged.



Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Shawn Iverson
2014-02-26 22:40:48 UTC
Interestingly, I noticed as I am emailing this Listserv that the delivery notifications come through just fine and my watermark is there. I am really wondering if the remote site is not returning a complete original MIME header in this case.

Will fire up a secondary relay and capture the outbound message later tonight...


Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Kevin Miller
2014-02-26 23:40:02 UTC
It looks like all your X-headers are being stripped. I don't see any of these (which are present on our outgoing messages):
X-Rushville-MailScanner-EFA-Information: Please contact postmaster at rushville.k12.in.us for more information
X-Rushville-MailScanner-EFA-ID: B3A7A80085.AF60E
X-Rushville-MailScanner-EFA: Found to be clean
X-Rushville-MailScanner-EFA-From: iversons at rushville.k12.in.us
X-Rushville-MailScanner-EFA-Watermark: 1393889850.17369 at 8yKbOlpq7bdTT0q0qeBUZg
X-Spam-Status: No

Could be their Exchange server. Sometimes they do funny things.

In MailScanner.conf, what do you have for the "Remove These Headers" line?

Since you can use a ruleset, as a last resort you might just want to not check watermarks from zone.com and other domains that are screwy. If there's just a few, that's workable. If not, then it becomes a game of whack-a-mole and quickly becomes a chore...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Shawn Iverson
Sent: Wednesday, February 26, 2014 1:41 PM
To: 'MailScanner discussion'
Subject: RE: Treat Invalid Watermarks with No Sender as Spam

Interestingly, I noticed as I am emailing this Listserv that the delivery notifications come through just fine and my watermark is there. I am really wondering if the remote site is not returning a complete original MIME header in this case.

Will fire up a secondary relay and capture the outbound message later tonight...

Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Kevin Miller <Kevin_Miller at ci.juneau.ak.us> 2/26/2014 1:42 PM >>>
Well, that's a curious thing. The delivery report you posted had these for spam reporting:
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 4
X-NAI-Spam-Score: 0.5
X-NAI-Spam-Rules: 2 Rules triggered
CTYPE_GTONE_UNDRSCOPE_PART=0.5, RV4863=0

I don't know if they're yours or zone.com's. I think the latter. With what you posted there aren't any spam reports.

I implemented watermarks a year or two ago, but being cautious, and wanting to watch it a bit first, had the action set to nothing and forgot to ever go back and set it to something else. Fat lot of good that did me! <g>

After you posted I set it to "1" on my primary mx gateway, and "spam" on my backup gateways. I noticed in my reports (via MailWatch) that I would get this:
SpamAssassin Score:-0.70
or
SpamAssassin Score:40.99
Spam Report:
addressno watermark or sender
but no other spam scores. The first score above is from a legitimate message, the other from one that's clearly spam. The other spam messages all seem to have similar scores in the high 30s or low 40s. I'm only adding one point on this gateway, so the other 39.99 must have been from other spam checks but why they're not listed I don't know. I'm thinking at this point that perhaps your problem isn't the watermarking, but some other spam scores that are triggered, but don't show up in the spam report. I don't think MailScanner is assigning a default score of 10 to the messages.

The trick is to figure out how to see the rest of the spam report.
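An added diagnostic sketch for the question raised in this exchange, namely whether a remote site returns the original headers, and the watermark with them, in its bounces. It is not code from any poster or from MailScanner. The sample bounces are constructed, and the header-name pattern is an assumption modelled on the X-...-MailScanner-...-Watermark header quoted above.

```python
import email
from email import policy

def find_watermark(raw: bytes):
    """Return (returned_section, watermark_or_None) for one bounce message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    where = "no-original-returned"
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # whole original attached
            original, where = part.get_payload(0), "full-message"
        elif ctype == "text/rfc822-headers":     # only the headers came back
            original = email.message_from_string(part.get_content(), policy=policy.default)
            where = "headers-only"
        else:
            continue
        for name, value in original.items():
            n = name.lower()
            # Assumed name pattern: X-<site>-MailScanner-...-Watermark
            if n.startswith("x-") and "mailscanner" in n and n.endswith("-watermark"):
                return where, str(value).strip()
    return where, None

# Constructed sample bounce; addresses, header name and watermark value are placeholders.
_DSN_HEAD = (
    "From: MAILER-DAEMON@remote.example\n"
    "To: user@sender.example\n"
    "Subject: Undeliverable\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nDelivery failed.\n"
    "--b\nContent-Type: message/delivery-status\n\n"
    "Reporting-MTA: dns; remote.example\n\n"
    "Final-Recipient: rfc822; nobody@remote.example\nAction: failed\nStatus: 5.1.1\n\n"
)
HEADERS_ONLY = ("--b\nContent-Type: text/rfc822-headers\n\n"
                "From: user@sender.example\nSubject: hello\n"
                "X-Example-MailScanner-Watermark: 1700000000.12345@CONSTRUCTEDPLACEHOLDER\n\n")
FULL_BUT_STRIPPED = ("--b\nContent-Type: message/rfc822\n\n"
                     "From: user@sender.example\nSubject: hello\n\nbody text\n")

def bounce(returned_part: str) -> bytes:
    return (_DSN_HEAD + returned_part + "--b--\n").encode("ascii")

if __name__ == "__main__":
    for label, part in [("headers-only", HEADERS_ONLY), ("stripped", FULL_BUT_STRIPPED), ("none", "")]:
        print(label, find_watermark(bounce(part)))
```

Run against bounces saved from quarantine, a result of `("full-message", None)` or `("headers-only", None)` means the original came back without its X-headers, while `("no-original-returned", None)` means the remote site returned nothing to check.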
Shawn Iverson
2014-02-26 23:55:04 UTC
Permalink
Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2: Disposition-Notification-To: Return-Receipt-To:


Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Kevin Miller <Kevin_Miller at ci.juneau.ak.us> 2/26/2014 6:40 PM >>>
It looks like all your X-headers are being stripped. I don't see any of these (which are present on our outgoing messages):
X-Rushville-MailScanner-EFA-Information: Please contact postmaster at rushville.k12.in.us for more information
X-Rushville-MailScanner-EFA-ID: B3A7A80085.AF60E
X-Rushville-MailScanner-EFA: Found to be clean
X-Rushville-MailScanner-EFA-From: iversons at rushville.k12.in.us
X-Rushville-MailScanner-EFA-Watermark: 1393889850.17369 at 8yKbOlpq7bdTT0q0qeBUZg
X-Spam-Status: No

Could be their Exchange server. Sometimes they do funny things.

In MailScanner.conf, what do you have for the "Remove These Headers" line?

Since you can use a ruleset, as a last resort you might just want to not check watermarks from zone.com and other domains that are screwy. If there's just a few, that's workable. If not, then it becomes a game of whack-a-mole and quickly becomes a chore...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357




Kevin Miller
2014-02-26 19:37:53 UTC
Permalink
Just out of curiosity, what version of MailScanner are you running?
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Shawn Iverson
2014-02-26 22:28:58 UTC
Permalink
4.84.6-1


Shawn Iverson
Rush County Schools
District Technology Coordinator
iversons at rushville.k12.in.us
Kevin Miller <Kevin_Miller at ci.juneau.ak.us> 2/26/2014 2:37 PM >>>
Just out of curiosity, what version of MailScanner are you running?
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

