Reading Logs

Get Help

  • Anonymous

    Can someone tell me what these logs say?

    Content analysis details: (6.5 points, 4.5 required)

    pts rule name description

    0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
    for more information.
    0.5 SO_HELO_LDOM HELO forging a local domain
    0.3 SO_RDNS_UNKNOWN Unspecified hostname
    -0.1 SO_LOCAL_RETURN_PATH Return-Path is a local domain
    -0.1 SO_LOCAL_FROM From is a local domain
    0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
    0.7 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
    1.1 MPART_ALT_DIFF_COUNT BODY: HTML and text parts are different
    0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
    0.0 HTML_MESSAGE BODY: HTML included in message
    0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
    -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20%
    [score: 0.0856]
    0.4 _EXTERNAL_CONTENT RAW: Externaly linked content
    0.3 _EXTERNAL_IMG RAW: Linked image
    0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
    0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
    0.7 SO_FROM_HJPC From possible exploited computer

  • Marius Gologan

    Those are the matched rules totaling the score of 6.5 (Spam).
    The minimum score required to classify a message as spam, in this case, is 4.5 - set in Route > Quarantine per each domain or for all domains in Secure > Spamassassin.

    URIBL_BLOCKED ADMINISTRATOR NOTICE means you are using a public DNS which is not allowed to query RBL providers for links
    or you are using a local DNS while you have a high email volume and, again, the limits have been reached.

    Every other rule is explained in short, just to suggest its role (valid/invalid SPF, HELO, RDNS, external links in the body, external images in the body)
    BAYES_20 BODY - few elements in the body are learnt as spam elements.

    Last edit: Marius Gologan 2014-06-25

  • Anonymous

    So basically the recipient did get the email but with Spam Tag.

    I was trying to find out what actually triggered the spam. This email is one of the emails from our mailing list, which is completely in HTML.

    I thought it had something to do with SPF failing, though I do have it configured.

    I'm using my local and Google DNS.

  • Marius Gologan

    Let's see if I got it right:
    1) The message is sent from internal system via Scrollout and misinterpreted as spam. Is that right?
    In this case, the SPF will always fail since the internal IP has no SPF, same for other tests such as rDNS.
    2) Using local DNS every day with high volume messages leads to the same poor results as using public DNS. RBLs will eventually fail. That's why I provided rotation per days. I plan for hours soon, just to help learning. It must be a balance between high traffic (including SPAM) and local DNS usage.
    3) Most SO_ rules are not quite suitable for outbound scanning. I worked on them, but they still require more adjustments against local/trusted networks.
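
Added example (not part of the thread, and not Scrollout or SpamAssassin code): a small parser for the report quoted in the first post. It checks that the rule rows add up to the reported 6.5 and recomputes the score without the SPF and rDNS rules that the reply above says always fail for an internal sender. The `ORIGIN_RULES` grouping and all function names are assumptions made for this illustration.

```python
import re
from decimal import Decimal

# Constructed input: the report text quoted in the first post of this thread.
REPORT = """\
Content analysis details: (6.5 points, 4.5 required)
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
for more information.
0.5 SO_HELO_LDOM HELO forging a local domain
0.3 SO_RDNS_UNKNOWN Unspecified hostname
-0.1 SO_LOCAL_RETURN_PATH Return-Path is a local domain
-0.1 SO_LOCAL_FROM From is a local domain
0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
0.7 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
1.1 MPART_ALT_DIFF_COUNT BODY: HTML and text parts are different
0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
0.0 HTML_MESSAGE BODY: HTML included in message
0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
-0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20%
[score: 0.0856]
0.4 _EXTERNAL_CONTENT RAW: Externaly linked content
0.3 _EXTERNAL_IMG RAW: Linked image
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
0.7 SO_FROM_HJPC From possible exploited computer
"""
HEADER = re.compile(r"\((-?[\d.]+) points, (-?[\d.]+) required\)")
ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z_][A-Z0-9_]*)\s+(.*)$")
# Assumption: the SPF/rDNS rules the reply says always fail for an internal IP.
ORIGIN_RULES = {"SPF_SOFTFAIL", "SPF_HELO_SOFTFAIL", "SO_RDNS_UNKNOWN", "RDNS_NONE"}

def parse_report(text):
    """Return (reported_total, required, [(score, rule, description), ...])."""
    head = HEADER.search(text)
    if head is None:
        raise ValueError("no '(N points, M required)' header found")
    # Continuation lines such as "[score: 0.0856]" do not match ROW and are skipped.
    rows = [(Decimal(m[1]), m[2], m[3]) for m in map(ROW.match, text.splitlines()) if m]
    return Decimal(head[1]), Decimal(head[2]), rows

def score_without(rows, excluded=()):
    """Sum the rule scores, leaving out any rule named in `excluded`."""
    return sum((s for s, name, _ in rows if name not in excluded), Decimal(0))

def top_contributors(rows, n=3):
    """Names of the n highest-scoring rules (ties keep report order)."""
    return [name for _, name, _ in sorted(rows, key=lambda r: r[0], reverse=True)[:n]]

if __name__ == "__main__":
    total, required, rows = parse_report(REPORT)
    print(total, score_without(rows, ORIGIN_RULES), required, top_contributors(rows))
```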

  • aRiyano

    Yes, you're right on point number 1. My email server sends out emails via SO and these Spam tagged emails were to users on the internet. On my DNS settings I've got Google first, then second is my local DNS, and then Google again.

    If this blocking is happening because of no SPF on local DNS, I can create them, no issues there.

    Do you think if I enabled internal DNS under connect and select alternate days, that should help?

    Thanks for all the efforts and help.

  • Marius Gologan

    I adjusted those rules a few hours ago; an update should allow those outbound messages with a lower score.

    Having Google DNS, Local DNS, Google DNS was not the scope of that feature.
    You canceled the local DNS since Google's first DNS will, most of the time, provide an answer from RBLs, but null. Still, a null answer from RBLs is an answer, but not an error causing a fallback on the second (internal) DNS.

    That is the scope, use internal DNS by alternating days in order to help spam learning.


