|
FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
3 Dec 2019, 06:58 PM | #1 | |
Cornerstone of the Community
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
|
spam in inbox - how
Hi,
For a while now, I have been getting emails in my spam with scores of 6 or higher in the general format of: Quote:
I have put the header below. Can anyone see why it might have got past the spam filters? Code:
Return-Path: <AnisimovAI@mpei.ru> Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by sloti5d1t04 (Cyrus 3.1.7-612-g13027cc-fmstable-20191203v1) with LMTPA; Tue, 03 Dec 2019 04:45:49 -0500 X-Cyrus-Session-Id: sloti5d1t04-1575366349-3735980-2-11184768417430371984 X-Sieve: CMU Sieve 3.0 X-Spam-known-sender: no X-Spam-sender-reputation: 500 (none) X-Spam-score: 0.0 X-Spam-hits: BAYES_40 -0.001, HTML_MESSAGE 0.001, ME_SENDERREP_NEUTRAL 0.001, RCVD_IN_DNSWL_NONE -0.0001, SPF_HELO_PASS -0.001, SPF_PASS -0.001, LANGUAGES en, BAYES_USED user, SA_VERSION 3.4.2 X-Spam-source: IP='193.233.67.19', Host='flogger.mpei.ac.ru', Country='RU', FromHeader='ru', MailFrom='ru' X-Spam-charsets: plain='utf-8', html='utf-8' X-Resolved-to: userID@fastmail.com X-Delivered-to: name@domain.tld X-Mail-from: AnisimovAI@mpei.ru Received: from mx4 ([10.202.2.203]) by compute4.internal (LMTPProxy); Tue, 03 Dec 2019 04:45:49 -0500 Received: from mx4.messagingengine.com (localhost [127.0.0.1]) by mailmx.nyi.internal (Postfix) with ESMTP id C61F11CE00ED for <name@domain.tld>; Tue, 3 Dec 2019 04:45:44 -0500 (EST) Received: from mx4.messagingengine.com (localhost [127.0.0.1]) by mx4.messagingengine.com (Authentication Milter) with ESMTP id B0414A4AE2E; Tue, 3 Dec 2019 04:45:44 -0500 ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm1; t= 1575366344; b=YI3+D0Q+s4IJNjd0vyFImIEnq6Xk1k2Rw3vmnKbMSeIftk9X9t NUQjV2r/C++h0fZBctpQFIbRIZ3nfXQ+M8AM7PY42/kzkSSd7tAGhAHuvCquEwac o6Gs9pwhQ2ikpZZBDBtmGWHtt7hnnH7+/UTtVMm1cwWxmUyIXjbLeDgaHlWPJk6O vI5qWoKLMlyqEGhk/wE47x2e93hlxuoKiHn7zpJP4wAPhjxI4+kVJLl0O9hgK3SQ 51vuHcs0eaxjGv8idMoERxBdojA6UtHvYgAdBQKv5xT3e2TFzNUvpPbUm13Edvki NQlEBtfycQggU8/wdMfnrCZH3Tp4DWgSgvZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=subject:from:content-type:message-id:date :to:content-transfer-encoding:mime-version; s=fm1; t=1575366344; bh=a4AEniQk7xcb5x0OMxkXu0+QjWVUYQLqa1SnmvIyO50=; b=OQs/ikWgwtoL 
tCc3lPEikLz4MVfY2jMjI9bBhjMRnGiAGO/1xrOfA/bSibWpfBV0RdSdwv+y91PT Tha1Zox0w9x0gxEkXWUC0F7TNZz3BC38v3T8aGF091tEUO1OBqvII94NH19YJC0i L9YNw9fTI9GwllDd1Ppn8R1jNn9V06aOTWw1nAtmSM4Z1ADUBAs1fmGB/dXqtwG/ wPpjMiqus6hjEYIhvPcvoLXicn47/D3xSZVbBkwx7hjSR077MvDHFGUjXPcLMjJt tupcYp+da/oMaw2MeiSM7JFwO86mTxxl4Ksx58wUMUlc7fGyDZ+VJQBgqx8HoRha +ye3usOIbQ== ARC-Authentication-Results: i=1; mx4.messagingengine.com; arc=none (no signatures found); dkim=none (no signatures found); dmarc=none policy.published-domain-policy=none policy.applied-disposition=none policy.evaluated-disposition=none (p=none,d=none,d.eval=none) policy.policy-from=p header.from=mpei.ru; iprev=pass smtp.remote-ip=193.233.67.19 (flogger.mpei.ac.ru); spf=pass smtp.mailfrom=AnisimovAI@mpei.ru smtp.helo=flogger.mpei.ac.ru; x-aligned-from=pass (Address match); x-ptr=pass smtp.helo=flogger.mpei.ac.ru policy.ptr=flogger.mpei.ac.ru; x-return-mx=pass header.domain=mpei.ru policy.is_org=yes (MX Records found: mcl.mpei.ac.ru); x-return-mx=pass smtp.domain=mpei.ru policy.is_org=yes (MX Records found: mcl.mpei.ac.ru); x-tls=pass smtp.version=TLSv1 smtp.cipher=AES128-SHA smtp.bits=128/128; x-vs=clean score=23 state=0 Authentication-Results: mx4.messagingengine.com; arc=none (no signatures found); dkim=none (no signatures found); dmarc=none policy.published-domain-policy=none policy.applied-disposition=none policy.evaluated-disposition=none (p=none,d=none,d.eval=none) policy.policy-from=p header.from=mpei.ru; iprev=pass smtp.remote-ip=193.233.67.19 (flogger.mpei.ac.ru); spf=pass smtp.mailfrom=AnisimovAI@mpei.ru smtp.helo=flogger.mpei.ac.ru; x-aligned-from=pass (Address match); x-ptr=pass smtp.helo=flogger.mpei.ac.ru policy.ptr=flogger.mpei.ac.ru; x-return-mx=pass header.domain=mpei.ru policy.is_org=yes (MX Records found: mcl.mpei.ac.ru); x-return-mx=pass smtp.domain=mpei.ru policy.is_org=yes (MX Records found: mcl.mpei.ac.ru); x-tls=pass smtp.version=TLSv1 smtp.cipher=AES128-SHA smtp.bits=128/128; x-vs=clean score=23 state=0 
X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedufedrudejjedgtdelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucgfrhhlucfvnfffucdlvd efmdenucfjughrpefuhfgtoffkfffvgfggsegrjehmrehhtdejnecuhfhrohhmpehmihgt hhgvlhgvucifrghkvghfihgvlhguuceorghnihhsihhmohhvrghisehmphgvihdrrhhuqe enucffohhmrghinhepsggvnhgusghulhhlvghtrdighiiinecukfhppeduleefrddvfeef rdeijedrudelpdduleefrddvfeefrdeikedrudefudenucfrrghrrghmpehinhgvthepud elfedrvdeffedrieejrdduledphhgvlhhopehflhhoghhgvghrrdhmphgvihdrrggtrdhr uhdpmhgrihhlfhhrohhmpeeotehnihhsihhmohhvtefksehmphgvihdrrhhuqecuuffkkg fgpeefuddvfecuuefqffgjpeejuefkvfenucevlhhushhtvghrufhiiigvpedt X-ME-VSScore: 23 X-ME-VSCategory: clean Received-SPF: pass (mpei.ru: 193.233.67.19 is authorized to use 'AnisimovAI@mpei.ru' in 'mfrom' identity (mechanism 'ip4:193.233.67.19' matched)) receiver=mx4.messagingengine.com; identity=mailfrom; envelope-from="AnisimovAI@mpei.ru"; helo=flogger.mpei.ac.ru; client-ip=193.233.67.19 Received: from flogger.mpei.ac.ru (flogger.mpei.ac.ru [193.233.67.19]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mx4.messagingengine.com (Postfix) with ESMTPS for <name@domain.tld>; Tue, 3 Dec 2019 04:45:42 -0500 (EST) MailScanner-NULL-Check: 1575971059.69816@bgV+7Hj7CEejLMewLLqwRg Received: from SMTP2.public.mpei.local (mpei-lan-68-131.mpei.ac.ru [193.233.68.131]) by flogger.mpei.ac.ru (8.13.6/8.13.6/SuSE Linux 0.8) with ESMTP id xB39iCEn032608 for <name@domain.tld>; Tue, 3 Dec 2019 12:44:17 +0300 Received: from HUB3.public.mpei.local (10.1.1.49) by SMTP2.public.mpei.local (10.1.1.26) with Microsoft SMTP Server (TLS) id 8.3.515.0; Tue, 3 Dec 2019 12:44:10 +0300 Received: from smtp.mpei.ru (10.1.114.11) by HUB3.public.mpei.local (10.1.1.49) with Microsoft SMTP Server (TLS) id 8.3.485.1; Tue, 3 Dec 2019 12:44:07 +0300 Subject: michele wakefield From: michele wakefield <anisimovai@mpei.ru> 
Content-Type: multipart/alternative; boundary="Apple-Mail-B233C799-E58C-4B78-B1A1-B506BE9EE1DA" X-Mailer: iPhone Mail (16G77) Message-ID: <100CF5A6-C712-4F80-BD35-99D9F199A327@mpei.ru> Date: Tue, 3 Dec 2019 02:44:04 -0700 To: james <name@domain.tld> Content-Transfer-Encoding: 7bit MIME-Version: 1.0 (1.0) X-MPEI-MailScanner-Information: MPEInet administration http://net.mpei.ru X-MPEI-MailScanner: Found to be clean X-MPEI-MailScanner-From: anisimovai@mpei.ru X-Remote-Spam-Status: No |
|
3 Dec 2019, 08:37 PM | #2 |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 483
|
You certainly need to raise this with Support @ FM.
It has been spam-processed, judging by the spam-related headers, but you'll notice that the 'weights' (numeric values associated with each rule) are hundreds or thousands of times smaller than normal. So they've added up values like -0.0001 rather than 0.1 or 1, and the number they ended up with was way less than 0.0 (or maybe less than 0.00) so was rounded to 0, so the mail wasn't classed as spam. There must be a problem with their spam system.
3 Dec 2019, 11:33 PM | #3 |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
There's no problem with the scores. The rules that were hit were all informational.
BAYES_40 is the neutral result between the negative BAYES_20 and the positive BAYES_50. I wouldn't report it if the others got caught.
Last edited by SideshowBob : 4 Dec 2019 at 12:16 AM.
4 Dec 2019, 03:00 AM | #4 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
|
My guess is that those earlier messages were classified as spam not based on the content but instead based on other characteristics (such as the sender IP). It's very hard for a spam filter to differentiate between normal message content and random text, which is why spammers use that technique. In general, content-based spam filtering is very difficult if the content is simple text without any obvious triggers.
Bill |
4 Dec 2019, 05:25 AM | #5 | |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 483
|
Quote:
I suppose the OP has not kept any examples that did achieve reasonable spam scores? |
|
4 Dec 2019, 06:36 PM | #6 | |
Cornerstone of the Community
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
|
Quote:
Here's one: Code:
Return-Path: <raj_paramasivum@itego.com.ar> Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by sloti5d1t04 (Cyrus 3.1.7-578-g826f590-fmstable-20191119v1) with LMTPA; Sun, 01 Dec 2019 18:24:07 -0500 X-Cyrus-Session-Id: sloti5d1t04-1575242647-1889689-5-17294243987228074421 X-Sieve: CMU Sieve 3.0 X-Spam-known-sender: no X-Spam-sender-reputation: 500 (none) X-Spam-score: 8.1 X-Spam-hits: BAYES_80 2, DCC_CHECK 1.1, FREEMAIL_FORGED_REPLYTO 2.095, FSL_BULK_SIG 0.264, HTML_MESSAGE 0.001, ME_SENDERREP_NEUTRAL 0.001, ME_VADESPAM_MED 2.5, PP_MIME_FAKE_ASCII_TEXT 0.195, SPF_HELO_NONE 0.001, SPF_PASS -0.001, LANGUAGES unknown, BAYES_USED user, SA_VERSION 3.4.2 X-Spam-source: IP='170.78.75.231', Host='mail.itego.com.ar', Country='AR', FromHeader='ar', MailFrom='ar' X-Spam-charsets: plain='us-ascii', html='us-ascii' X-Resolved-to: userID@fastmail.com X-Delivered-to: name@domain.tld X-Mail-from: raj_paramasivum@itego.com.ar Received: from mx2 ([10.202.2.201]) by compute4.internal (LMTPProxy); Sun, 01 Dec 2019 18:24:07 -0500 Received: from mx2.messagingengine.com (localhost [127.0.0.1]) by mailmx.nyi.internal (Postfix) with ESMTP id BF1458A0065 for <name@domain.tld>; Sun, 1 Dec 2019 18:24:06 -0500 (EST) Received: from mx2.messagingengine.com (localhost [127.0.0.1]) by mx2.messagingengine.com (Authentication Milter) with ESMTP id 2FB22F06FF6; Sun, 1 Dec 2019 18:24:06 -0500 ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm1; t= 1575242646; b=fN8RDTI7ffyseVcQESP0TAQOSROTAcdX5TZzZbNkMigsSpiIKa CMR97sO+z3i+0KC+s0jGpTgK98AiKUuZRYIKY5oEsPCnA5vnfPqm77G3bVVW3mO2 FA3ZU+Oq3lOWGxLV62RwqytjCF9OBYANEr3axmMbGcMH/Z5HICAtK5m+n1yLakJF m5fOVGSvDTO7jD/e7I02AfEmBqUFrLnqMtUFAieff3NzA/ihznMZshrSWjlfyJ74 aNmW31pBGgcM98KEBfccHWICObGvAAMxg1r050/ay2k1x6SXMeK0a+ZfJCrC7prZ i1TjmXwAMYsXUBDhgKW1LHER7vL/ozn+dGDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=from:to:reply-to:subject:date:message-id :mime-version:content-type; s=fm1; 
t=1575242646; bh=2qZy90OuYpGg 1UyQ7LGo5CNK+ftTHzvOaNMRbbs6umI=; b=EhodP+oJ+R1hR7YU3S3yMo3UN7a0 LfleMmjcV/n+Z4LgNyMs1edmAFY79FickUw43WO0ZpjjxapyP/QARasdEQ32iS2U kqJBChL6yp5wWuRlkTWpvjBa8IPndBeQLItE31Z/Qkqp+mN8dp5A4/6UjZRTry9c hr8kE0v4n4TAU5Zv1u5q/yK7amu9NWN6u5JCebSXyn9Kop5KBT9p892+8w9QJqUv SyeY6fJ5PTZ7FAJ1l+qOIqW7F7HXJhpqoOZzshvOsASRSYTEeXgEWUlnNAly3mAe ihPqCDhxRSXy6KjSRz6O5KUVdpa6jwecFnKqkTOVNL4wpm8gIO1hpDK/6A== ARC-Authentication-Results: i=1; mx2.messagingengine.com; arc=none (no signatures found); dkim=pass (1024-bit rsa key sha256) header.d=itego.com.ar header.i=@itego.com.ar header.b=GiSx7NWk header.a=rsa-sha256 header.s=dkim x-bits=1024; dmarc=pass policy.published-domain-policy=none policy.applied-disposition=none policy.evaluated-disposition=none (p=none,d=none,d.eval=none) policy.policy-from=p header.from=itego.com.ar; iprev=pass smtp.remote-ip=170.78.75.231 (mail.itego.com.ar); spf=pass smtp.mailfrom=raj_paramasivum@itego.com.ar smtp.helo=mail.itego.com.ar; x-aligned-from=pass (Address match); x-ptr=pass smtp.helo=mail.itego.com.ar policy.ptr=mail.itego.com.ar; x-return-mx=pass header.domain=itego.com.ar policy.is_org=yes (MX Records found: mail.itego.com.ar); x-return-mx=pass smtp.domain=itego.com.ar policy.is_org=yes (MX Records found: mail.itego.com.ar); x-vs=spam:medium score=359 state=1 Authentication-Results: mx2.messagingengine.com; arc=none (no signatures found); dkim=pass (1024-bit rsa key sha256) header.d=itego.com.ar header.i=@itego.com.ar header.b=GiSx7NWk header.a=rsa-sha256 header.s=dkim x-bits=1024; dmarc=pass policy.published-domain-policy=none policy.applied-disposition=none policy.evaluated-disposition=none (p=none,d=none,d.eval=none) policy.policy-from=p header.from=itego.com.ar; iprev=pass smtp.remote-ip=170.78.75.231 (mail.itego.com.ar); spf=pass smtp.mailfrom=raj_paramasivum@itego.com.ar smtp.helo=mail.itego.com.ar; x-aligned-from=pass (Address match); x-ptr=pass smtp.helo=mail.itego.com.ar policy.ptr=mail.itego.com.ar; 
x-return-mx=pass header.domain=itego.com.ar policy.is_org=yes (MX Records found: mail.itego.com.ar); x-return-mx=pass smtp.domain=itego.com.ar policy.is_org=yes (MX Records found: mail.itego.com.ar); x-vs=spam:medium score=359 state=1 X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedufedrudejgedgtdelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucgoufhushhpvggtthffoh hmrghinhculdegledmnefgmhhpthihuchsuhgsjhgvtghtucdluddtmdenogfuphgrmhgs ohhtqdeugeduuddqtdduucdlfedttddmnecujfgurhephffvrhfufffkgggtofhtsegrtd ervcdvtddvnecuhfhrohhmpedftfgrjhgrnhcurfgrrhgrmhgrshhivhhumhdfuceorhgr jhgpphgrrhgrmhgrshhivhhumhesihhtvghgohdrtghomhdrrghrqeenucffohhmrghinh eptghltghkrdhruhenucfkphepudejtddrjeekrdejhedrvdefuddpudehiedrvddttddr udehjedrgedtnecurfgrrhgrmhepihhnvghtpedujedtrdejkedrjeehrddvfedupdhhvg hlohepmhgrihhlrdhithgvghhordgtohhmrdgrrhdpmhgrihhlfhhrohhmpeeorhgrjhgp phgrrhgrmhgrshhivhhumhesihhtvghgohdrtghomhdrrghrqeenucevlhhushhtvghruf hiiigvpedt X-ME-VSScore: 359 X-ME-VSCategory: spam:medium Received-SPF: pass (itego.com.ar: 170.78.75.231 is authorized to use 'raj_paramasivum@itego.com.ar' in 'mfrom' identity (mechanism 'ip4:170.78.75.231' matched)) receiver=mx2.messagingengine.com; identity=mailfrom; envelope-from="raj_paramasivum@itego.com.ar"; helo=mail.itego.com.ar; client-ip=170.78.75.231 Received: from mail.itego.com.ar (mail.itego.com.ar [170.78.75.231]) by mx2.messagingengine.com (Postfix) with SMTP for <name@domain.tld>; Sun, 1 Dec 2019 18:24:04 -0500 (EST) dkim-signature: v=1; a=rsa-sha256; d=itego.com.ar; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From:Reply-To:Date:Message-ID:To:MIME-Version:Content-Type; bh=2qZy90OuYpGg1UyQ7LGo5CNK+ftTHzvOaNMRbbs6umI=; b=GiSx7NWkDklCZ8g8FPB9GYnbhjjzN5IhtB7UQKrxy1qcWQ9LAZGjAUXuKULyMEm5LVkCn9Jm1/CAI4bcjukxsLSBWqUrmrb4Dn1DYnaoRlIZFHrO9oL7j1xOQynsOCNqIslz8PNKUEzwFXqacBtbv6t8hcGmQed6io1vR1sSjQ4= Received: from mail.itego.com.ar 
(host-156.200.157.40.tedata.net [156.200.157.40]) by mail.itego.com.ar ; Sun, 1 Dec 2019 20:24:00 -0300 From: "Rajan Paramasivum" <raj_paramasivum@itego.com.ar> To: "James" <name@domain.tld> Reply-To: "Rajan Paramasivum" <raj_paramasivumv@yahoo.co.uk> Subject: Date: Mon, 2 Dec 2019 02:23:55 +0300 Message-Id: <826941fz2au5$pm07mrw8$kypev6p1$@itego.com.ar> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0028_A25EHE0Q.59B1GEYQ" X-Mailer: Microsoft Outlook 15.0 Thread-Index: IXNhMC02OHlAdWg0bSttKyljMXVfQA== Content-Language: en-us |
|
4 Dec 2019, 08:18 PM | #7 |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 483
|
According to the chart at https://www.futurequest.net/docs/SA/ your positive SA scores, ordered from biggest to smallest, are for:
ME_VADESPAM_MED 2.5
FREEMAIL_FORGED_REPLYTO 2.095, Freemail in Reply-To, but not From
BAYES_80 2
DCC_CHECK 1.1, bulk mail
FSL_BULK_SIG 0.264, Bulk signature with no Unsubscribe
PP_MIME_FAKE_ASCII_TEXT 0.195, MIME text/plain claims to be ASCII but isn't

There was a discussion here a while ago about VADESPAM scores but I don't understand enough about the x-vs- headers in your mails to see why this mail is thought medium-likely to be spam whereas your earlier example was thought to be clean. See: http://www.emaildiscussions.com/showthread.php?t=74033

That aside, BAYES_80 presumably means you've seen fairly similar mail bodies before and classed them as spam, but for some reason the earlier example wasn't? Maybe those lists of random words are not randomly picked from many thousands but from much smaller pools and the spammer is using a different pool?
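Added example, not part of the thread and not FastMail's code: a short Python parser for the X-Spam-hits header that separates numeric rule scores from the informational tags (LANGUAGES, BAYES_USED, SA_VERSION) and totals them for the two messages posted above. The header values are copied from those posts; the function names and the 0.01 cut-off for a "significant" rule are assumptions made here.

```python
import re

# X-Spam-hits values copied from the two headers posted in this thread.
HITS_INBOX = ("BAYES_40 -0.001, HTML_MESSAGE 0.001, ME_SENDERREP_NEUTRAL 0.001, "
              "RCVD_IN_DNSWL_NONE -0.0001, SPF_HELO_PASS -0.001, SPF_PASS -0.001, "
              "LANGUAGES en, BAYES_USED user, SA_VERSION 3.4.2")
HITS_SPAM = ("BAYES_80 2, DCC_CHECK 1.1, FREEMAIL_FORGED_REPLYTO 2.095, "
             "FSL_BULK_SIG 0.264, HTML_MESSAGE 0.001, ME_SENDERREP_NEUTRAL 0.001, "
             "ME_VADESPAM_MED 2.5, PP_MIME_FAKE_ASCII_TEXT 0.195, "
             "SPF_HELO_NONE 0.001, SPF_PASS -0.001, "
             "LANGUAGES unknown, BAYES_USED user, SA_VERSION 3.4.2")

NUMBER = re.compile(r"-?\d+(?:\.\d+)?")


def parse_hits(value):
    """Split an X-Spam-hits value into ({rule: score}, {tag: text})."""
    rules, info = {}, {}
    # Collapse folded header lines (CRLF + whitespace) before splitting.
    for item in " ".join(value.split()).split(","):
        name, _, rest = item.strip().partition(" ")
        rest = rest.strip()
        if not name:
            continue
        if NUMBER.fullmatch(rest):
            rules[name] = float(rest)
        else:
            # e.g. "LANGUAGES en" or "SA_VERSION 3.4.2": a tag, not a score
            info[name] = rest
    return rules, info


def summarize(value, floor=0.01):
    """Return (total score, rules with |score| >= floor, largest first).

    floor is an assumed cut-off for this example, not a SpamAssassin setting.
    """
    rules, _ = parse_hits(value)
    total = round(sum(rules.values()), 4)
    significant = sorted(((n, s) for n, s in rules.items() if abs(s) >= floor),
                         key=lambda kv: -abs(kv[1]))
    return total, significant


if __name__ == "__main__":
    for label, hits in (("inbox message", HITS_INBOX), ("spam message", HITS_SPAM)):
        total, significant = summarize(hits)
        print(f"{label}: total={total} significant={significant}")
```

The first message totals -0.0011 against its reported X-Spam-score of 0.0, with no rule above the cut-off; the second totals 8.156 against its reported 8.1.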
4 Dec 2019, 08:28 PM | #8 |
Cornerstone of the Community
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
|