Can anyone see why this is getting through?

Robert Chalmers-2
This is the body of a series of similar messages I’ve been getting - very obviously spam. Very rude.

However - I’m struggling now to find why postfix and or postscreen etc is letting it through, when it obviously fails a lot of tests.

My postconf -n follows this email extract.
If anyone has any ideas, I’d love to know.
Thanks



> Return-Path: <[hidden email]>
> Delivered-To: [hidden email]
> Received: from zeus.chalmers.com.au
> by localhost (Dovecot) with LMTP id SUz9BAAETlfBeQAA0J78UA
> for <[hidden email]>; Tue, 31 May 2016 22:37:04 +0100
> Received: by zeus.chalmers.com.au (Postfix, from userid 1000)
> id 0AF133489B4C; Tue, 31 May 2016 22:37:04 +0100 (BST)
> Authentication-Results: zeus.chalmers.com.au;
> dkim=fail reason="key not found in DNS" (0-bit key; unprotected) header.d=windrosetech.com header.i=@windrosetech.com header.b=Tgocccp6
> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on zeus.localhost
> X-Spam-Level: **
> X-Spam-Status: No, score=2.9 required=3.0 tests=BAYES_50,DKIM_SIGNED,
> FROM_12LTRDOM,HTML_MESSAGE,RDNS_NONE,T_DKIM_INVALID,T_SPF_HELO_TEMPERROR,
> T_SPF_TEMPERROR autolearn=no autolearn_force=no version=3.4.1
> X-Spam-HAM-Report:
> *  0.0 T_SPF_TEMPERROR SPF: test of record failed (temperror)
> *  0.0 T_SPF_HELO_TEMPERROR SPF: test of HELO record failed (temperror)
> *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
> *      [score: 0.4969]
> *  0.0 HTML_MESSAGE BODY: HTML included in message
> *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> *      valid
> *  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
> *  2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
> *  0.0 FROM_12LTRDOM From a 12-letter domain
> Received: from cpanel.intertainmentmedia.com (unknown [64.34.190.110])
> by zeus.chalmers.com.au (Postfix) with ESMTPS id 0CE863489B14
> for <[hidden email]>; Tue, 31 May 2016 22:36:47 +0100 (BST)
> Authentication-Results: localhost; dmarc=none header.from=windrosetech.com
> Authentication-Results: localhost; spf=pass smtp.mailfrom=[hidden email]
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=windrosetech.com; s=default; h=Content-Transfer-Encoding:Content-Type:
> MIME-Version:Message-ID:From:Date:Subject:To:Sender:Reply-To:Cc:Content-ID:
> Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
> :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
> List-Subscribe:List-Post:List-Owner:List-Archive;
> bh=lhaX8JuJn2MDk80elh120UhilSdPPnH2368ryB9pjRo=; b=Tgocccp6ca7PbwarRSdkbXyzZP
> osv8t7UVzD9qA3+copOZoR1vWQwwXgfiYy2L+IktSGZZVHh+exp5Yz0CLmxEOQTQ7Y/ytFWNAoFLP
> ASMfyQqmPBTp3vXVyIrRflW7XTfMaWMRamhOQPOwjy9qouV/jAZGcQF4CQJ8WIEPgD8M=;
> Received: from windrosetech by cpanel.intertainmentmedia.com with local (Exim 4.87)
> (envelope-from <[hidden email]>)
> id 1b7rLD-00011s-8b
> for [hidden email]; Tue, 31 May 2016 17:36:47 -0400
> To: [hidden email]
> Subject: F%ck the girl next door
> X-PHP-Script: windrosetech.com/ for 127.0.0.1
> Date: Tue, 31 May 2016 21:36:47 +0000
> From: Mae Bennett <[hidden email]>
> Message-ID: <[hidden email]>
> X-Priority: 3
> X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="b1_5d83fbe69f21b9d499ae799fc4444e02"
> Content-Transfer-Encoding: 8bit
> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
> X-AntiAbuse: Primary Hostname - cpanel.intertainmentmedia.com
> X-AntiAbuse: Original Domain - chalmers.com.au
> X-AntiAbuse: Originator/Caller UID/GID - [513 501] / [47 12]
> X-AntiAbuse: Sender Address Domain - windrosetech.com
> X-Get-Message-Sender-Via: cpanel.intertainmentmedia.com: authenticated_id: windrosetech/from_h
> X-Authenticated-Sender: cpanel.intertainmentmedia.com: [hidden email]
> X-Source: /usr/bin/php
> X-Source-Args: /usr/bin/php /home/windrosetech/public_html/wp-includes/pomo/include.php
> X-Source-Dir: windrosetech.com:/public_html/wp-includes/pomo
>
> --b1_5d83fbe69f21b9d499ae799fc4444e02
> Content-Type: text/plain; charset=us-ascii
>
> It's my urgent h00kup invitation!




POSTCONF-N output attached






Robert Chalmers
[hidden email]  
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11.  XCode 7.2.1
2TB: Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower Bay





postconf-n.txt (7K)

Re: Can anyone see why this is getting through?

Wietse Venema
Robert Chalmers:
> This is the body of a series of similar messages I’ve been getting - very obviously spam. Very rude.
>
> However - I'm struggling now to find why postfix and or postscreen
> etc is letting it through, when it obviously fails a lot of tests.

What postscreen tests does it fail?

        Wietse

Re: Can anyone see why this is getting through?

Robert Chalmers-2
Ah well, this is the problem - I can’t figure out what test it’s failing that is letting it through. This, and other email like it, possibly the same actual source, is the only spam getting through.
Robert


On 1 Jun 2016, at 15:38, Wietse Venema <[hidden email]> wrote:

> Robert Chalmers:
>> This is the body of a series of similar messages I’ve been getting - very obviously spam. Very rude.
>>
>> However - I'm struggling now to find why postfix and or postscreen
>> etc is letting it through, when it obviously fails a lot of tests.
>
> What postscreen tests does it fail?
>
>         Wietse

Re: Can anyone see why this is getting through?

@lbutlr
On Jun 1, 2016, at 9:14 AM, Robert Chalmers <[hidden email]> wrote:
> Ah well, this is the problem - I can’t figure out what test it’s failing that is letting it through.

Are you perhaps unclear as to what postscreen is?

--
Beautiful dawn / Lights up the shore for me / There is nothing else in the
world I'd rather see with you.


Re: Can anyone see why this is getting through?

Robert Chalmers-2
There seems to be some confusion here.

I know what postscreen is. I know what postfix is. I know what dovecot, dkim, dmarc and spf are. Also spamassassin, and amavisd - I have them all enabled and working on my mail server. Almost nothing untoward gets through...

All I am trying to discover is what it is about the enclosed message that is enabling it to get through all of that blockading.

simple

Robert


On 1 Jun 2016, at 16:21, @lbutlr <[hidden email]> wrote:

> On Jun 1, 2016, at 9:14 AM, Robert Chalmers <[hidden email]> wrote:
>> Ah well, this is the problem - I can’t figure out what test it’s failing that is letting it through.
>
> Are you perhaps unclear as to what postscreen is?
>
> --
> Beautiful dawn / Lights up the shore for me / There is nothing else in the
> world I'd rather see with you.

Re: Can anyone see why this is getting through?

@lbutlr
On Jun 1, 2016, at 9:53 AM, Robert Chalmers <[hidden email]> wrote:
> All I am trying to discover is what it is about the enclosed message that is enabling it to get through all of that blockading.

OK, let’s try it this way. What does that message have that you think postscreen should have blocked?

--
In Genua, stories came to life. In Genua, someone set out to make dreams
come true. Remember some of your dreams?


Re: Can anyone see why this is getting through?

Robert Chalmers-2
hmmm. :-) 

I’m just trying to discover how anything let it through.

I don’t care about postscreen?





On 1 Jun 2016, at 16:59, @lbutlr <[hidden email]> wrote:

> On Jun 1, 2016, at 9:53 AM, Robert Chalmers <[hidden email]> wrote:
>> All I am trying to discover is what it is about the enclosed message that is enabling it to get through all of that blockading.
>
> OK, let’s try it this way. What does that message have that you think postscreen should have blocked?
>
> --
> In Genua, stories came to life. In Genua, someone set out to make dreams
> come true. Remember some of your dreams?

Re: Can anyone see why this is getting through?

@lbutlr
On Jun 1, 2016, at 10:04 AM, Robert Chalmers <[hidden email]> wrote:
>  I’m just trying to discover how anything let it through.
>
> I don’t care about postscreen?

Well then I am still confused by your original post:

> "I’m struggling now to find why postfix and or postscreen etc is letting it through, when it obviously fails a lot of tests.”


First off, postfix is designed to let everything through except the things you tell it specifically not to let through. So, postfix should not block the mail.

Second, postscreen has a number of specific light-weight tests, none of which seem to be triggered by that email on your system.

Third of all, no one has the slightest idea how you’ve configured postfix and postscreen on your system.

Fourth of all, you seem to think that postscreen is going to notice that an email “fails a lot of tests” when this is not at all what postscreen does.

--
"He loves Nature in spite of what it did to him." - Forrest Tucker


Re: Can anyone see why this is getting through?

Paul Enlund-2
In reply to this post by Robert Chalmers-2
RBL ix.dnsbl.manitu.net which you have configured with postscreen with no weight factor (default = 1)
appears to be the only rbl listing the sender IP of the mail which bugs you.

See http://www.anti-abuse.org/multi-rbl-check-results/?host=64.34.190.110

Perhaps you may want to add some weight to this RBL

Paul


On 01/06/2016 17:04, Robert Chalmers wrote:
> hmmm. :-)
>
> I’m just trying to discover how anything let it through.
>
> I don’t care about postscreen?
>
> On 1 Jun 2016, at 16:59, @lbutlr <[hidden email]> wrote:
>
>> On Jun 1, 2016, at 9:53 AM, Robert Chalmers <[hidden email]> wrote:
>>> All I am trying to discover is what it is about the enclosed message that is enabling it to get through all of that blockading.
>>
>> OK, let’s try it this way. What does that message have that you think postscreen should have blocked?
>>
>> --
>> In Genua, stories came to life. In Genua, someone set out to make dreams
>> come true. Remember some of your dreams?


Re: Can anyone see why this is getting through?

Robert Chalmers-2
@Paul Thanks for the pointers. That's what I needed to put me back on the right track.
I'll work through a few others as well, but you are right. It's those subtle little ones that slip past.

Thanks
Robert

Sent from my iPad

On 1 Jun 2016, at 17:54, Paul <[hidden email]> wrote:

> RBL ix.dnsbl.manitu.net which you have configured with postscreen with no weight factor (default = 1)
> appears to be the only rbl listing the sender IP of the mail which bugs you.
>
> See http://www.anti-abuse.org/multi-rbl-check-results/?host=64.34.190.110
>
> Perhaps you may want to add some weight to this RBL
>
> Paul
>
> On 01/06/2016 17:04, Robert Chalmers wrote:
>> hmmm. :-)
>>
>> I’m just trying to discover how anything let it through.
>>
>> I don’t care about postscreen?
>>
>> On 1 Jun 2016, at 16:59, @lbutlr <[hidden email]> wrote:
>>
>>> On Jun 1, 2016, at 9:53 AM, Robert Chalmers <[hidden email]> wrote:
>>>> All I am trying to discover is what it is about the enclosed message that is enabling it to get through all of that blockading.
>>>
>>> OK, let’s try it this way. What does that message have that you think postscreen should have blocked?
>>>
>>> --
>>> In Genua, stories came to life. In Genua, someone set out to make dreams
>>> come true. Remember some of your dreams?


Re: Can anyone see why this is getting through?

Bill Cole-3
In reply to this post by @lbutlr
On 1 Jun 2016, at 12:11, @lbutlr wrote:

> Third of all, no one has the slightest idea how you’ve configured
> postfix and postscreen on your system.

In Robert's defense: he *did* include postconf -n output as a text
attachment.

Re: Can anyone see why this is getting through?

Bill Cole-3
In reply to this post by Robert Chalmers-2
On 1 Jun 2016, at 10:10, Robert Chalmers wrote:

> This is the body of a series of similar messages I’ve been getting -
> very obviously spam. Very rude.
>
> However - I’m struggling now to find why postfix and or postscreen
> etc is letting it through, when it obviously fails a lot of tests.
>
> My postconf - n follows this email extract.
> If anyone has any ideas, I’d love to know.
[...]
>> Received: from cpanel.intertainmentmedia.com (unknown
>> [64.34.190.110])
>> by zeus.chalmers.com.au (Postfix) with ESMTPS id 0CE863489B14
>> for <[hidden email]>; Tue, 31 May 2016 22:36:47 +0100 (BST)

If you had reject_unknown_reverse_client_hostname in
smtpd_recipient_restrictions or smtpd_client_restrictions this would
have been rejected without bothering Amavis & SpamAssassin.

That restriction is very low-risk, as it requires an explicit negative
reply to a PTR query to permanently reject a message. If it gets a DNS
timeout or SERVFAIL (i.e. a failure to resolve a name that may exist)
the client gets a 450 reply, so legitimate clients will retry later.



Re: Can anyone see why this is getting through?

David Benfell
In reply to this post by Robert Chalmers-2
On 06/01/2016 08:53 AM, Robert Chalmers wrote:
> I know what postscreen is. I know what postfix is. I know what dovecot, dkim, dmarc and spf are. Also spamassassin, and amavvisd - I have them all enabled and working on my mail server. Almost nothing untoward gets through...

All I see in the headers of the message you posted are spamassassin results. The scores for each failed test sum up to something far below the default threshold score of 5.0. It therefore passes the spamassassin check.

Spamassassin further indicates that the SPF failure is temporary and scores it a zero.

We have absolutely no information, at least that I saw, about how those other programs and protocols should cause any of them to reject the message.

It seems to me this is only partly a postfix problem (via postscreen, which is why others are asking about it).

Sadly, no matter what you do, some spam will always get through. The war on spam is ongoing with each side continuing to develop in an attempt to evade their opponents' efforts. It will probably never be won, at least with SMTP.

-- 
David Benfell, Ph.D.
[hidden email]

signature.asc (836 bytes)
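To check the arithmetic David describes against the headers quoted at the top of the thread, an added example that is not code from the thread, from SpamAssassin or from Postfix: it parses X-Spam-Status and X-Spam-HAM-Report in the form SpamAssassin 3.4 writes them, re-sums the per-rule scores and compares the total with the required= value the header itself carries (3.0 on Robert's system). The header text is copied from the quoted message with its folded lines joined; the function names are the example's own.

```python
"""Re-check a SpamAssassin verdict from X-Spam-Status / X-Spam-HAM-Report.

Added example, not SpamAssassin or Postfix code. It re-sums the per-rule
scores and compares the total with the required= value in the header.
"""
import re

# Constructed from the headers quoted at the top of the thread, with the
# folded continuation lines joined into one logical header each.
STATUS = ("No, score=2.9 required=3.0 tests=BAYES_50,DKIM_SIGNED,"
          "FROM_12LTRDOM,HTML_MESSAGE,RDNS_NONE,T_DKIM_INVALID,T_SPF_HELO_TEMPERROR,"
          "T_SPF_TEMPERROR autolearn=no autolearn_force=no version=3.4.1")
REPORT = """\
*  0.0 T_SPF_TEMPERROR SPF: test of record failed (temperror)
*  0.0 T_SPF_HELO_TEMPERROR SPF: test of HELO record failed (temperror)
*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
*      [score: 0.4969]
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
*  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
*  2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
*  0.0 FROM_12LTRDOM From a 12-letter domain
"""
RULE_LINE = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\s")

def parse_status(header):
    """Return (is_spam, score, required, [rule names]) from X-Spam-Status."""
    verdict, rest = header.split(",", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return (verdict.strip() == "Yes", float(fields["score"]),
            float(fields["required"]), fields["tests"].split(","))

def parse_report(report):
    """Return {rule: score}; continuation lines such as '*      valid' carry none."""
    scores = {}
    for line in report.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            scores[m.group(2)] = float(m.group(1))
    return scores

def recheck(status, report):
    """Re-sum the rule scores and report how the verdict came about."""
    is_spam, score, required, tests = parse_status(status)
    scores = parse_report(report)
    total = round(sum(scores.values()), 1)
    return {"total": total, "required": required, "is_spam": is_spam,
            "consistent": total == score and (total >= required) == is_spam,
            "zero_weight": sorted(r for r, s in scores.items() if s == 0.0),
            "missing": sorted(set(tests) - set(scores))}
```

Running `recheck(STATUS, REPORT)` shows five of the eight rules that fired (both SPF temperrors, the invalid DKIM signature, the HTML and 12-letter-domain rules) carry a score of 0.0, so only RDNS_NONE, BAYES_50 and DKIM_SIGNED contribute to the 2.9 that lands just under the 3.0 required.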