From frank.oehmke at web.de Sun Nov 12 09:08:37 2017 From: frank.oehmke at web.de (Frank Oehmke) Date: Sun, 12 Nov 2017 10:08:37 +0100 Subject: Mailscanner / Spamassassin - Spam ist not marked Message-ID: An HTML attachment was scrubbed... URL: From iversons at rushville.k12.in.us Mon Nov 13 00:27:09 2017 From: iversons at rushville.k12.in.us (Shawn Iverson) Date: Sun, 12 Nov 2017 19:27:09 -0500 Subject: Mailscanner / Spamassassin - Spam ist not marked In-Reply-To: References: Message-ID: Looks like it scored it properly, but the email is whitelisted, which causes mailscanner to ignore the spam score: X-ElektroMusswesselsGmbH-MailScanner-MW24MAILGATE-SpamCheck: not spam (whitelisted), On Sun, Nov 12, 2017 at 4:08 AM, Frank Oehmke wrote: > Hi, > > > > i recently setup MailScanner/Spamassassin on a new virtual machine - but i > can't get Mailscanner / Spamassassin to mark spam. > > > > For example: i send me a message with "XJS*C4JDBQADN1.NSBN3*2IDNEN* > GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X" in the body: > > > > X-ElektroMusswesselsGmbH-MailScanner-MW24MAILGATE-Information: Please > contact administrator at elektro-musswessels.de for more information > > X-ElektroMusswesselsGmbH-MailScanner-MW24MAILGATE-ID: 47028100395.A4673 > > X-ElektroMusswesselsGmbH-MailScanner-MW24MAILGATE: Found to be clean > > X-ElektroMusswesselsGmbH-MailScanner-MW24MAILGATE-SpamCheck: not spam > (whitelisted), > > SpamAssassin (not cached, score=1004.562, required 6, > DCC_CHECK 1.10, > > DIGEST_MULTIPLE 0.00, GTUBE 1000.00, HTML_MESSAGE 0.00, > > KB_WAM_FROM_NAME_SINGLEWORD 0.20, PYZOR_CHECK 1.98, > > RCVD_IN_DNSWL_NONE -0.00, RDNS_NONE 1.27, TVD_SPACE_RATIO > 0.00) > > X-ElektroMusswesselsGmbH-MailScanner-MW24MAILGATE-From: > frank.oehmke at oehmke-familie.de > > X-Spam-Status: Not recognized as Spam by MW24MailGate > > > > But the message is delivered without marking ist as Spam {*Spam*} - wehere > i have to look in the config files to debug this ? > > I read a lot in the documentation the last days, but i don't get it. I e > > > > > > ________________________________ > > Frank Oehmke > > IT Administrator > > Elektro Musswessels GmbH > > Luedeweg 8 > > > 26871 Papenburg - Germany > > > www.elektro-musswessels.de > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > -- Shawn Iverson, CETL Director of Technology Rush County Schools 765-932-3901 x1171 iversons at rushville.k12.in.us -------------- next part -------------- An HTML attachment was scrubbed... URL: From marek.gorny at bolix.pl Tue Nov 14 09:12:48 2017 From: marek.gorny at bolix.pl (=?iso-8859-2?Q?Marek_G=F3rny?=) Date: Tue, 14 Nov 2017 09:12:48 +0000 Subject: SA complaints Message-ID: Hi, On openSUSE Leap 42.3 with MailScanner 5.0.6 , Postfix 3.2.0, SA 3.4.1 and perl 5.18.2 I have error: You want to use SpamAssassin but have not installed it. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 170. I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 171. WARNING: You are trying to use the Processing Attempts Database but your DBI and/or DBD::SQLite Perl modules are not properly installed! at /usr/sbin/MailScanner line 1745. ERROR: Could not connect to SQLite database /var/spool/MailScanner/incoming/Processing.db, either I cannot write to that location or your SQLite installation is screwed. at /usr/sbin/MailScanner line 1756. Using locktype = posix spamassassin -D -lint looks fine to me rights to Processing.db file: -rw------- 1 postfix postfix 4096 Nov 13 15:18 /var/spool/MailScanner/incoming/Processing.db DBI and SQLite version: perl-DBI-1.628-8.11.x86_64 perl-DBD-SQLite-1.50-3.11.x86_64 Any advice, please ? Thanks Marek [Bolix] Bolix SA Ul. Stolarska 8 34-300 ?ywiec, Poland Bolix S.A. jest wiod?cym polskim producentem chemii budowlanej, specjalizuj?cym si? w produkcji system?w elewacyjnych. Marka BOLIX istnieje ju? od 1991 roku i jest synonimem najwy?szej jako?ci rozwi?za? budowlanych. [Bolix_Teraz_Polska] ________________________________ Nr KRS: 0000230009 - S?d Rejonowy w Bielsku-Bia?ej, VIII Wydzia? Gospodarczy Krajowego Rejestru S?dowego Kapita? zak?adowy: 10 000 000 z?.; REGON: 015433210; NIP: 526-26-85-697 UWAGA: Niniejsza korespondencja przeznaczona jest wy??cznie dla osoby lub podmiotu, do kt?rego jest zaadresowana i mo?e zawiera? tre?ci chronione przepisami prawa. Wgl?d w tre?? wiadomo?ci otrzymanej omy?kowo, dalsze jej przekazywanie, rozpowszechnianie lub innego rodzaju wykorzystanie, b?d? podj?cie jakichkolwiek dzia?a? w oparciu o zawarte w niej informacje przez osob? lub podmiot nie b?d?cy adresatem, jest niedozwolone. Odbiorca korespondencji, kt?ry otrzyma? j? omy?kowo, proszony jest o zawiadomienie nadawcy i usuni?cie tego materia?u z komputera. ATTENTION: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, Or taking of any action in reliance upon, this information by person or entity other than the intended recipient is not permitted. If you received this in error, please contact the sender and delete the material from any computer. [Las] Prosz? pomy?l o ?rodowisku przed wydrukowaniem tego maila. Please Consider the Environment before printing this Email -------------- next part -------------- An HTML attachment was scrubbed... URL: From Conz at B0x.nl Wed Nov 15 11:51:36 2017 From: Conz at B0x.nl (Conz) Date: Wed, 15 Nov 2017 12:51:36 +0100 Subject: SA complaints In-Reply-To: References: Message-ID: <000001d35e08$173e8940$45bb9bc0$@B0x.nl> I'm not too familiar with OpenSUSE but it kinda sounds like a perl or (selinux style) permission issue ? What happens if you run 'perldoc -l Mail::SpamAssassin' as root and as the user MS runs at ? Do you by chance have multiple perl versions installed ? Can you post the output of 'MailScanner -V' ? (should list perl versions) The Processing.db error is due to the line above where it can't find DBD::SQLite and not file permissions, basically this all seems to be 1 problem where it cannot find your perl modules. - Arjan Verzonden: dinsdag 14 november 2017 10:13 Aan: MailScanner Discussion Onderwerp: SA complaints Hi, On openSUSE Leap 42.3 with MailScanner 5.0.6 , Postfix 3.2.0, SA 3.4.1 and perl 5.18.2 I have error: You want to use SpamAssassin but have not installed it. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 170. I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin. at /usr/share/MailScanner/perl/MailScanner/SA.pm line 171. WARNING: You are trying to use the Processing Attempts Database but your DBI and/or DBD::SQLite Perl modules are not properly installed! at /usr/sbin/MailScanner line 1745. ERROR: Could not connect to SQLite database /var/spool/MailScanner/incoming/Processing.db, either I cannot write to that location or your SQLite installation is screwed. at /usr/sbin/MailScanner line 1756. Using locktype = posix spamassassin -D -lint looks fine to me rights to Processing.db file: -rw------- 1 postfix postfix 4096 Nov 13 15:18 /var/spool/MailScanner/incoming/Processing.db DBI and SQLite version: perl-DBI-1.628-8.11.x86_64 perl-DBD-SQLite-1.50-3.11.x86_64 Any advice, please ? Thanks Marek From richard at fastnet.co.uk Fri Nov 17 11:49:30 2017 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri, 17 Nov 2017 11:49:30 +0000 Subject: Rebuilding - no spam score. Message-ID: <6EE47AF64C339A4F8F7F50507241B37970C95F68@BTN-EXCHANGE-V1.fastnet.local> Hi all, happy Friday! Not sure if this is a bug or not, but I've noticed on occasion some emails just get through our scanners with no score at all. When checking mailwatch I can see in the SA Score is just says 'Rebuilding'. A while ago I disabled Bayes as it was causing too many problems. I am filtering 100's of domains, so I find it difficult to make it work properly (tips welcome). I noticed in the maillog that MailScanner rebuilt Bayes just before this message ID, so I have now changed - Rebuild Bayes Every = 7200 To this - Rebuild Bayes Every = 0 I think this has fixed it, but I am not 100% sure. I haven't seen a problem since making this change. Why does MailScanner let the email through without SA scoring it? Maybe it is because I disabled Bayes, but likely there is a code problem. I am running this on FreeBSD, so since there are no new builds that work with my OS, I am using 4.85.2. Thanks, Rich -------------- next part -------------- An HTML attachment was scrubbed... URL: From djones at ena.com Fri Nov 17 12:13:40 2017 From: djones at ena.com (David Jones) Date: Fri, 17 Nov 2017 06:13:40 -0600 Subject: Rebuilding - no spam score. In-Reply-To: <6EE47AF64C339A4F8F7F50507241B37970C95F68@BTN-EXCHANGE-V1.fastnet.local> References: <6EE47AF64C339A4F8F7F50507241B37970C95F68@BTN-EXCHANGE-V1.fastnet.local> Message-ID: <268b244d-0ddd-9634-17a6-942041e26d20@ena.com> On 11/17/2017 05:49 AM, Richard Mealing wrote: > Hi all, happy Friday! > > Not sure if this is a bug or not, but I?ve noticed on occasion some > emails just get through our scanners with no score at all. > > When checking mailwatch I can see in the SA Score is just says ?Rebuilding?. > > A while ago I disabled Bayes as it was causing too many problems. I am > filtering 100?s of domains, so I find it difficult to make it work > properly (tips welcome). > Definitely enable a global Bayes. Control your ham/spam training and don't let users determine the classification -- they think everything unwanted at the time is spam but that is not true. I setup an iRedmail server VM and tell MailScanner to send copies of email to an internal-only domain hosted on that iRedmail box. Then I use inbox rules to move mail with certain rule hits into "Ham" and "Spam" folders. After a quick check to verify the classification based on a quick subject scan, I mark the folders as read. A nightly script runs to training my Bayes from the maildir "cur" directories in each ham and spam directories. Initially you can start out by simply dragging and dropping into your ham and spam folders just to get going. Later you will start seeing patterns in SpamAssassin rule hits that help classification with inbox rules. Very high/low scores can be used as the primary pre-sorting rules. I am using Redis storage for my Bayes DB so I can easily share across 8 MailScanner filters and the iRedMail training instance. Each MailScanner filter can also train Bayes from the MailWatch web interface if I come across something with an incorrect BAYES_ rule hit. This used to be often but now it's pretty accurate. > I noticed in the maillog that MailScanner rebuilt Bayes just before this > message ID, so I have now changed - > > Rebuild Bayes Every = 7200 > > To this ? > > Rebuild Bayes Every = 0 > My setting is 0 since I am using Redis which automatically handles expiration of tokens. > I think this has fixed it, but I am not 100% sure. I haven?t seen a > problem since making this change. > > Why does MailScanner let the email through without SA scoring it? Maybe > it is because I disabled Bayes, but likely there is a code problem. > > I am running this on FreeBSD, so since there are no new builds that work > with my OS, I am using 4.85.2. > > Thanks, > > Rich > Check your MailScanner.conf for: Max Spam Check Size = 1200k The default is much lower than my setting above. Spam is typically small so it can be sent out as fast as possible but sometimes you will see a large attachment or something which makes it large possible to get pass SpamAssassin's default setting. When this happens it should be logged and the score is 0.0. -- David Jones From pparsons at techeez.com Fri Nov 24 20:55:11 2017 From: pparsons at techeez.com (Philip Parsons) Date: Fri, 24 Nov 2017 20:55:11 +0000 Subject: I have not been getting any mailing list emails so testing to see if it is still active ? Message-ID: <11D8E491D9562549A61FD3186F36342002AC982983@exchange.techeez.com> Thank you. Philip Parsons -------------- next part -------------- An HTML attachment was scrubbed... URL: From jason at geeknocity.com Fri Nov 24 20:55:56 2017 From: jason at geeknocity.com (Jason Waters) Date: Fri, 24 Nov 2017 15:55:56 -0500 Subject: I have not been getting any mailing list emails so testing to see if it is still active ? In-Reply-To: <11D8E491D9562549A61FD3186F36342002AC982983@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342002AC982983@exchange.techeez.com> Message-ID: Yep! It is still active. On Nov 24, 2017 3:55 PM, "Philip Parsons" wrote: > > > > > > > Thank you. > Philip Parsons > > > > > > -- > MailScanner mailing list > mailscanner at lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark at msapiro.net Fri Nov 24 21:38:20 2017 From: mark at msapiro.net (Mark Sapiro) Date: Fri, 24 Nov 2017 13:38:20 -0800 Subject: I have not been getting any mailing list emails so testing to see if it is still active ? In-Reply-To: <11D8E491D9562549A61FD3186F36342002AC982983@exchange.techeez.com> References: <11D8E491D9562549A61FD3186F36342002AC982983@exchange.techeez.com> Message-ID: You can always visit the archive at if in doubt. And if you can't remember that URL, you can get there from www.mailscanner.info via Support -> Mail List Archive. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From pramod at mindspring.co.za Tue Nov 28 06:27:39 2017 From: pramod at mindspring.co.za (Pramod Daya) Date: Tue, 28 Nov 2017 06:27:39 +0000 Subject: Spam Score Message-ID: Hi, On MailScanner 5.0.6, is there a setting that lets me view the spam score on ALL emails ? I'm getting them only on those emails above the "Required Spamassassin Score" threshold. I've tried editing /etc/mail/spamassassin/local.cf to include "add_header score=_SCORE_", but that's not showing it either. Thanks, Pramod -------------- next part -------------- An HTML attachment was scrubbed... URL: From Conz at B0x.nl Tue Nov 28 07:31:38 2017 From: Conz at B0x.nl (Conz) Date: Tue, 28 Nov 2017 08:31:38 +0100 Subject: Spam Score In-Reply-To: References: Message-ID: # Do you want to always include the Spam Report in the SpamCheck # header, even if the message wasn't spam? # This can also be the filename of a ruleset. Always Include SpamAssassin Report = yes This perhaps ? Its in MailScanner.conf. On 11/28/2017 07:27 AM, Pramod Daya wrote: > > Hi, > > On MailScanner 5.0.6, is there a setting that lets me view the spam > score on ALL emails ?? I?m getting them only on those emails above the > ?Required Spamassassin Score? threshold. > > I?ve tried editing /etc/mail/spamassassin/local.cf to include > ?add_header score=_SCORE_?, but that?s not showing it either. > > Thanks, > > Pramod > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pramod at mindspring.co.za Tue Nov 28 07:47:12 2017 From: pramod at mindspring.co.za (Pramod Daya) Date: Tue, 28 Nov 2017 07:47:12 +0000 Subject: Spam Score In-Reply-To: References: Message-ID: It?s already enabled ?. From: MailScanner [mailto:mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info] On Behalf Of Conz Sent: Tuesday, 28 November 2017 9:32 AM To: mailscanner at lists.mailscanner.info Subject: Re: Spam Score # Do you want to always include the Spam Report in the SpamCheck # header, even if the message wasn't spam? # This can also be the filename of a ruleset. Always Include SpamAssassin Report = yes This perhaps ? Its in MailScanner.conf. On 11/28/2017 07:27 AM, Pramod Daya wrote: Hi, On MailScanner 5.0.6, is there a setting that lets me view the spam score on ALL emails ? I?m getting them only on those emails above the ?Required Spamassassin Score? threshold. I?ve tried editing /etc/mail/spamassassin/local.cf to include ?add_header score=_SCORE_?, but that?s not showing it either. Thanks, Pramod -------------- next part -------------- An HTML attachment was scrubbed... URL: From Conz at B0x.nl Tue Nov 28 07:59:34 2017 From: Conz at B0x.nl (Conz) Date: Tue, 28 Nov 2017 08:59:34 +0100 Subject: Spam Score In-Reply-To: References: Message-ID: <162fa9ee-d81d-f1b6-9a66-fe7d76a57589@B0x.nl> I just tested this on my server and it's working just fine for me on 5.0.6 .. Is it possible that you have a rogue MS process that's running on an old config or possibly double config lines ? Those 2 issues have kept me occupied for a few hours in the past to try and figure out why something wasn't working .. On 11/28/2017 08:47 AM, Pramod Daya wrote: > > It?s already enabled ?. > > *From:*MailScanner > [mailto:mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info]*On > Behalf Of *Conz > *Sent:* Tuesday, 28 November 2017 9:32 AM > *To:* mailscanner at lists.mailscanner.info > *Subject:* Re: Spam Score > > # Do you want to always include the Spam Report in the SpamCheck > # header, even if the message wasn't spam? > # This can also be the filename of a ruleset. > Always Include SpamAssassin Report = yes > > This perhaps ? > > Its in MailScanner.conf. > > On 11/28/2017 07:27 AM, Pramod Daya wrote: > > Hi, > > On MailScanner 5.0.6, is there a setting that lets me view the > spam score on ALL emails ?? I?m getting them only on those emails > above the ?Required Spamassassin Score? threshold. > > I?ve tried editing /etc/mail/spamassassin/local.cf to include > ?add_header score=_SCORE_?, but that?s not showing it either. > > Thanks, > > Pramod > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pramod at mindspring.co.za Tue Nov 28 13:39:29 2017 From: pramod at mindspring.co.za (Pramod Daya) Date: Tue, 28 Nov 2017 13:39:29 +0000 Subject: Spam Score In-Reply-To: <162fa9ee-d81d-f1b6-9a66-fe7d76a57589@B0x.nl> References: <162fa9ee-d81d-f1b6-9a66-fe7d76a57589@B0x.nl> Message-ID: I get the spam score in the e-mail headers of non-spam: X-Mindspring-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-0.182, required 5, HTML_IMAGE_ONLY_32 0.00, HTML_IMAGE_RATIO_04 0.61, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_LOW -0.70, RCVD_IN_MSPIKE_H2 -0.09) and in the logfile for spam? SpamAssassin (not cached, score=5.551, required 5, BAD_CREDIT 1.66, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_FONT_LOW_CONTRAST 0.00, HTML_MESSAGE 0.00, LOCAL_CS_REPLYTO 4.00, LOTS_OF_MONEY 0.00, RCVD_IN_MSPIKE_H4 -0.01, RCVD_IN_MSPIKE_WL -0.01, T_MONEY_PERCENT 0.01) But no /var/log/maillog entries for non-spam, which is what I want. Is that expected behaviour ? From: MailScanner [mailto:mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info] On Behalf Of Conz Sent: Tuesday, 28 November 2017 10:00 AM To: mailscanner at lists.mailscanner.info Subject: Re: Spam Score I just tested this on my server and it's working just fine for me on 5.0.6 .. Is it possible that you have a rogue MS process that's running on an old config or possibly double config lines ? Those 2 issues have kept me occupied for a few hours in the past to try and figure out why something wasn't working .. On 11/28/2017 08:47 AM, Pramod Daya wrote: It?s already enabled ?. From: MailScanner [mailto:mailscanner-bounces+pramod=mindspring.co.za at lists.mailscanner.info]On Behalf Of Conz Sent: Tuesday, 28 November 2017 9:32 AM To: mailscanner at lists.mailscanner.info Subject: Re: Spam Score # Do you want to always include the Spam Report in the SpamCheck # header, even if the message wasn't spam? # This can also be the filename of a ruleset. Always Include SpamAssassin Report = yes This perhaps ? Its in MailScanner.conf. On 11/28/2017 07:27 AM, Pramod Daya wrote: Hi, On MailScanner 5.0.6, is there a setting that lets me view the spam score on ALL emails ? I?m getting them only on those emails above the ?Required Spamassassin Score? threshold. I?ve tried editing /etc/mail/spamassassin/local.cf to include ?add_header score=_SCORE_?, but that?s not showing it either. Thanks, Pramod -------------- next part -------------- An HTML attachment was scrubbed... URL: From thomas.braun at wekal.de Tue Nov 28 08:07:31 2017 From: thomas.braun at wekal.de (Braun, Thomas [WEKAL]) Date: Tue, 28 Nov 2017 08:07:31 +0000 Subject: Quarantine From Header differ From Body Message-ID: Hello List, is there an option/way to simply quarantine all faked Body-From Mails when this differ case insensitive to the Header-From? Best regards Thomas From mark at msapiro.net Wed Nov 29 06:47:08 2017 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 28 Nov 2017 22:47:08 -0800 Subject: Quarantine From Header differ From Body In-Reply-To: References: Message-ID: <578b7f60-5e52-6b0f-5c63-97dfa19d649a@msapiro.net> On 11/28/2017 12:07 AM, Braun, Thomas [WEKAL] wrote: > Hello List, > > is there an option/way to simply quarantine all faked Body-From Mails when this differ case insensitive to the Header-From? What do you mean by faked Body-From Mails as opposed to Header-From? Do you mean the From: header as opposed to the envelope sender? If so, you could probably create SpamAssassin rules to do it, but I think it is a bad idea, Many legitimate emails have a From: header address different from the envelope sender. This reply as you receive it from the list is but one example. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Wed Nov 29 06:53:14 2017 From: mark at msapiro.net (Mark Sapiro) Date: Tue, 28 Nov 2017 22:53:14 -0800 Subject: Spam Score In-Reply-To: References: <162fa9ee-d81d-f1b6-9a66-fe7d76a57589@B0x.nl> Message-ID: On 11/28/2017 05:39 AM, Pramod Daya wrote: > > *But no /var/log/maillog ?entries for non-spam, which is what I want.? > Is that expected behaviour ? * Yes. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From thomas.braun at wekal.de Wed Nov 29 07:26:16 2017 From: thomas.braun at wekal.de (Braun, Thomas [WEKAL]) Date: Wed, 29 Nov 2017 07:26:16 +0000 Subject: AW: Quarantine From Header differ From Body In-Reply-To: <578b7f60-5e52-6b0f-5c63-97dfa19d649a@msapiro.net> References: <578b7f60-5e52-6b0f-5c63-97dfa19d649a@msapiro.net> Message-ID: <601a26306d2b428b8f33e92e32c254ad@wekal.de> >> Hello List, >> >> is there an option/way to simply quarantine all faked Body-From Mails when this differ case insensitive to the Header-From? > > What do you mean by faked Body-From Mails as opposed to Header-From? > > Do you mean the From: header as opposed to the envelope sender? If so, you could probably create SpamAssassin rules to do it, but I think it is a bad idea, Many legitimate emails have a From: header address different from the envelope sender. This reply as you receive it from the list is but one example. Hi Mark, we get phishing Mails where supposedly our own employees write another one, want him to click a link. Not all of our employees are clever enough to check this. I am searching for a solution to filter mails with a visible From: "MyKnownFellow " and an invisible envelope Those mails getting more and more lately. And they even fake our signature and having better grammar. So it is hard to spot. Perhaps there is a better way... From mark at msapiro.net Wed Nov 29 08:04:28 2017 From: mark at msapiro.net (Mark Sapiro) Date: Wed, 29 Nov 2017 00:04:28 -0800 Subject: AW: Quarantine From Header differ From Body In-Reply-To: <601a26306d2b428b8f33e92e32c254ad@wekal.de> References: <578b7f60-5e52-6b0f-5c63-97dfa19d649a@msapiro.net> <601a26306d2b428b8f33e92e32c254ad@wekal.de> Message-ID: <24b57151-744a-9e05-5798-6d514770bcde@msapiro.net> On 11/28/2017 11:26 PM, Braun, Thomas [WEKAL] wrote: > > we get phishing Mails where supposedly our own employees write another one, want him to click a link. Not all of our employees are clever enough to check this. > I am searching for a solution to filter mails with a visible > From: "MyKnownFellow " and an invisible envelope > > Those mails getting more and more lately. And they even fake our signature and having better grammar. So it is hard to spot. > Perhaps there is a better way... This is exactly what DMARC is for. See . -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mailscanner at replies.cyways.com Wed Nov 29 15:34:20 2017 From: mailscanner at replies.cyways.com (Peter Lemieux) Date: Wed, 29 Nov 2017 10:34:20 -0500 Subject: AW: Quarantine From Header differ From Body In-Reply-To: <601a26306d2b428b8f33e92e32c254ad@wekal.de> References: <578b7f60-5e52-6b0f-5c63-97dfa19d649a@msapiro.net> <601a26306d2b428b8f33e92e32c254ad@wekal.de> Message-ID: <1f797925-8eb1-1f7f-fa3b-a1c6bf15c374@replies.cyways.com> Are these nessages coming in from outside your network but appear to be coming from people inside? If there are no legitimate reasons why mail carrying your domain should come from the outside, then the simplest solution is to block them at the doorstep with either access rules in sendmail or PCRE rules in Postfix. You can also permit specific addresses, say mail from an external webserver, while blocking any other mail allegedly coming from your domain. Peter On 11/29/2017 02:26 AM, Braun, Thomas [WEKAL] wrote: >>> Hello List, >>> >>> is there an option/way to simply quarantine all faked Body-From Mails when this differ case insensitive to the Header-From? >> >> What do you mean by faked Body-From Mails as opposed to Header-From? >> >> Do you mean the From: header as opposed to the envelope sender? If so, you could probably create SpamAssassin rules to do it, but I think it is a bad idea, Many legitimate emails have a From: header address different from the envelope sender. This reply as you receive it from the list is but one example. > > Hi Mark, > > we get phishing Mails where supposedly our own employees write another one, want him to click a link. Not all of our employees are clever enough to check this. > I am searching for a solution to filter mails with a visible > From: "MyKnownFellow " and an invisible envelope > > Those mails getting more and more lately. And they even fake our signature and having better grammar. So it is hard to spot. > Perhaps there is a better way... > > >