Friday, August 19, 2016

reverse dns - Spamassassin - how to get a better score




I am testing a contact form, but I am getting a too high score for the emails sent from the contact/booking form.



Here is the header:



Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail01
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Report:
    * 0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or
    *      Generic rPTR
    * 0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
    * 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
    *      domains are different
    * 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *      valid
    * 0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
    * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
    * 2.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
X-Spam-Status: Yes, score=1005.0 required=8.0 tests=CK_HELO_GENERIC,
    DKIM_SIGNED,FREEMAIL_FORGED_REPLYTO,GTUBE,HEADER_FROM_DIFFERENT_DOMAINS,
    HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,NO_DNS_FOR_FROM,
    T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0
Delivered-To: yyy@glmr.in
Received: by yyy.glmr.in (Postfix, from userid 994)
    id 65C36C71; Fri, 24 Aug 2018 08:42:21 +0000 (UTC)
X-Sieve: Pigeonhole Sieve 0.4.2
X-Sieve-Redirected-From: yyy@tantramassageamsterdam.net
Delivered-To: yyy@tantramassageamsterdam.net
Received: from host49-253-177-94.static.arubacloud.com (sergioloporto.com [94.177.253.49])
    by yyy.glmr.in (Postfix) with ESMTP id D6D09C63
    for ; Fri, 24 Aug 2018 10:42:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
    d=tantramassageamsterdam.net; s=default; t=1535100140;
    bh=WSOTVXfvkyyb1gOOG6N6iGnxfvNm9xMtd9vuIZPexBE=;
    h=To:Subject:Date:From:Reply-To;
    b=f4EDlRfPzqqFBDdiR7FIRldS9u4Ru7nT1DwGSCkeThQ4zgzQ2pRfjwb7pSAE5RzPW
     8MNnUgnwXcTPFXub/w88ouOTt9icozT3DGgyJ5SuzxNjYjH5qe8SRDaFuZc2Xzy/iG
     SlpxFBuOYaqdtgqjJez5JHgVW4I8Q0RU2iGmMIos=
Received: by host49-253-177-94.static.arubacloud.com (Postfix, from userid 996)
    id F1E89DE4; Fri, 24 Aug 2018 04:42:19 -0400 (EDT)
To: yyy@tantramassageamsterdam.net
Subject: [SPAM] New booking information
X-PHP-Originating-Script: 996:class-phpmailer.php
Date: Fri, 24 Aug 2018 08:42:19 +0000
From: Tantra Massage Amsterdam
Reply-To: test test
Message-ID: <4a51f7be34f3bd9dfda9eb17a94d4168@www.tantramassageamsterdam.net>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Prev-Subject: New booking information
X-Spam-Prev-Subject: [SPAM] New booking information
X-EsetId: 37303A29DFC05762617D64



I replaced some parts of the email above with YYYY.
I sent a GTUBE test spam mail on purpose to get a high score in order to have details in the header.



I understand that FREEMAIL_FORGED_REPLYTO can't be fixed - because customers will have a free email address and the form puts it in "reply to".
Is there any way to fix that?



What about these? Can they be fixed?:



* 0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
* 0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
* 0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag


Both the mail server and the web server have rDNS set up! So I can't understand the rDNS X-Spam-Report entries...



I would appreciate it if you could:

  • better explain those points
  • tell me what to check
  • tell me what to fix and how



Thanks in advance
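A triage script for the report above, added here as an example and not part of the original post. It does three things the question asks for: it splits the top Received line into the HELO name, the rDNS name and the IP (Postfix writes these as `from HELO (rDNS [IP])`, so the generic arubacloud.com name is what the web server announces in HELO, while its PTR record resolves to sergioloporto.com); it flags a name as "generic" when the first label embeds the IP's octets, which is a simplified stand-in I wrote, not SpamAssassin's CK_HELO_GENERIC pattern list; and it sums the report's per-rule scores without the deliberate GTUBE hit and lists the rules worth fixing first. The RECEIVED, STATUS and SPAM_REPORT strings are constructed copies of the header lines in the question, and the function names are my own. NO_DNS_FOR_FROM and the DKIM rules need live DNS and are not checked here.

```python
"""Triage the SpamAssassin report from the question: which relay name is the
'generic' one, what the score is without the deliberate GTUBE hit, and which
rules are worth fixing first.  Added example, not part of the original post."""
import ipaddress
import re

# Copied from the header in the question (constructed test input).  Postfix
# writes 'Received: from HELO-name (rDNS-name [IP])', so the generic
# arubacloud.com name is what the web server announces in HELO; its PTR
# record resolves to sergioloporto.com.
RECEIVED = ("Received: from host49-253-177-94.static.arubacloud.com "
            "(sergioloporto.com [94.177.253.49]) by yyy.glmr.in (Postfix)")
STATUS = "X-Spam-Status: Yes, score=1005.0 required=8.0"  # tests= list trimmed
SPAM_REPORT = """\
* 0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or
*      Generic rPTR
* 0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
* 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
*      domains are different
* 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*      valid
* 0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
* 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
* 2.5 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
"""

RECEIVED_RE = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\)")
RULE_RE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s+(.*)$")
TEST_RULES = {"GTUBE"}  # only fires on the deliberate test string


def parse_received(line):
    """Split a Postfix 'Received: from' line into HELO name, rDNS name and IP."""
    m = RECEIVED_RE.search(line)
    if not m:
        raise ValueError("not a Postfix 'Received: from' line")
    return {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)}


def is_generic_name(name, ip):
    """Provider pool names embed the IP's octets in the first label, in any
    order.  Simplified stand-in for CK_HELO_GENERIC's pattern list."""
    octets = {str(o) for o in ipaddress.IPv4Address(ip).packed}
    numbers = set(re.findall(r"\d+", name.split(".")[0]))
    return bool(numbers) and octets <= numbers


def parse_report(report):
    """Return [(score, rule, description)], folding continuation lines."""
    rules = []
    for line in report.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((float(m.group(1)), m.group(2), m.group(3).strip()))
        elif rules and line.startswith("*"):  # wrapped description line
            score, rule, desc = rules[-1]
            rules[-1] = (score, rule, desc + " " + line.lstrip("* ").strip())
    return rules


def score_without_tests(rules):
    """Sum of the report's (rounded) per-rule scores, test rules excluded."""
    return round(sum(s for s, r, _ in rules if r not in TEST_RULES), 1)


def rules_to_fix(rules, n=3):
    """Highest-scoring real rules first: the ones worth fixing."""
    real = [(r, s) for s, r, _ in rules if r not in TEST_RULES and s > 0]
    return sorted(real, key=lambda x: -x[1])[:n]


def required_score(status):
    """The 'required=' threshold from X-Spam-Status."""
    return float(re.search(r"required=([\d.]+)", status).group(1))


def triage(received=RECEIVED, report=SPAM_REPORT, status=STATUS):
    parts = parse_received(received)
    rules = parse_report(report)
    score = score_without_tests(rules)
    return {
        "helo_generic": is_generic_name(parts["helo"], parts["ip"]),
        "rdns_generic": is_generic_name(parts["rdns"], parts["ip"]),
        "score_without_gtube": score,
        "still_spam": score >= required_score(status),
        "fix_first": rules_to_fix(rules),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The report prints each rule's score rounded to one decimal, so the sum here (4.9) comes out 0.1 below what X-Spam-Status implies (1005.0 minus the 1000 from GTUBE). Either way it is well under required=8.0: without the test string this message would not have been flagged, and the three rules the script lists first are the ones the form itself controls.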


Answer



Since you own the contact form, you can just whitelist the from-address in your local.cf, either with




whitelist_from yyy@tantramassageamsterdam.net





or better yet, with




whitelist_from_rcvd yyy@tantramassageamsterdam.net yyy.glmr.in




whitelist_from_rcvd also checks the Received header, so that spammers can't just fake the From address.




The checks you mentioned can all be overridden with custom scores, if that is what you meant:




score FREEMAIL_FORGED_REPLYTO 0 # will now give 0 points instead of the default.




The reason you get the different statuses is




  • FREEMAIL_FORGED_REPLYTO: Your send address doesn't match the reply address, and Google is a free service. Free services mean more spammers, so that is why it's there. You could just have the reply address in the mail sent to yyy@tantramassageamsterdam.net so that they copy/click the reply address and write the answer there.

  • CK_HELO_GENERIC = Received: by host49-253-177-94.static.arubacloud.com; this is typically how reverse DNS is done for end users, not servers, and mail servers especially should have a proper PTR. This is typically set by some interface in your hosting provider.

  • NO_DNS_FOR_FROM DNS = since you have no PTR, I guess you also don't have an MX set up to point to your mail server. This is also typical for spam, since spammers don't use servers; they use other client computers.

  • DKIM_SIGNED = it is what it says on the tin: there is a DKIM signature.

  • HTML_MIME_NO_HTML_TAG = also what it says: there was only an HTML message in this mail, with no HTML tag to specify the mail.
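The answer's suggestion for FREEMAIL_FORGED_REPLYTO (quote the customer's address in the mail instead of putting it in Reply-To), together with the two MIME fixes the form can make on its own (a text/plain alternative for MIME_HTML_ONLY and a real html element for HTML_MIME_NO_HTML_TAG), shown with Python's email library as an added example; it is not code from the post and not PHPMailer code. The three rule checks are simplified stand-ins I wrote for the SpamAssassin rules named in the report, the FREEMAIL set is a constructed four-entry sample rather than SpamAssassin's own list, and the customer name, address and booking text are made up.

```python
"""Build the booking mail so that the form-side SpamAssassin rules stop
firing, and check both versions with simplified stand-ins for those rules.
Added example, not code from the original post or from PHPMailer."""
import html
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample; SpamAssassin ships its own, much longer, freemail list.
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
OWN_FROM = "Tantra Massage Amsterdam <yyy@tantramassageamsterdam.net>"
OWN_TO = "yyy@tantramassageamsterdam.net"
# Default scores as printed in the report in the question.
SCORES = {"MIME_HTML_ONLY": 1.1, "HTML_MIME_NO_HTML_TAG": 0.6,
          "FREEMAIL_FORGED_REPLYTO": 2.5}


def build_form_mail(name, addr, text, fixed):
    """fixed=False: what the form sends now (html-only body, no <html> tag,
    the customer's freemail address in Reply-To).  fixed=True: plain+html
    multipart/alternative, a full html document, and the customer's address
    quoted in the body instead of Reply-To."""
    msg = EmailMessage()
    msg["From"] = OWN_FROM
    msg["To"] = OWN_TO
    msg["Subject"] = "New booking information"
    safe = html.escape  # form input goes into HTML: escape it either way
    if not fixed:
        msg["Reply-To"] = f"{name} <{addr}>"
        msg.set_content(f"<p>{safe(text)}</p>", subtype="html")
        return msg
    msg.set_content(f"New booking from {name} <{addr}>\n\n{text}\n")  # text/plain
    msg.add_alternative(                                              # text/html
        "<html><body>"
        f"<p>New booking from {safe(name)} &lt;{safe(addr)}&gt;</p>"
        f"<p>{safe(text)}</p></body></html>", subtype="html")
    return msg


def leaf_parts(msg):
    return [p for p in msg.walk() if not p.is_multipart()]


def fired_rules(msg):
    """Simplified re-implementation of three rules from the report."""
    fired = set()
    leaves = leaf_parts(msg)
    htmls = [p.get_content() for p in leaves if p.get_content_type() == "text/html"]
    if leaves and len(htmls) == len(leaves):            # no text/plain part at all
        fired.add("MIME_HTML_ONLY")
    if htmls and not any(re.search(r"<html\b", h, re.I) for h in htmls):
        fired.add("HTML_MIME_NO_HTML_TAG")
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if reply_dom in FREEMAIL and from_dom not in FREEMAIL:
        fired.add("FREEMAIL_FORGED_REPLYTO")
    return fired


def form_rule_score(msg):
    """Points from the three rules the form controls."""
    return round(sum(SCORES[r] for r in fired_rules(msg)), 1)


if __name__ == "__main__":
    for fixed in (False, True):
        m = build_form_mail("Test Test", "customer@gmail.com",
                            "Two people, Saturday 14:00", fixed)
        print("fixed" if fixed else "current", m.get_content_type(),
              sorted(fired_rules(m)), form_rule_score(m))
```

With PHPMailer 5.2 the same structure comes from setting AltBody alongside Body (which makes the message multipart/alternative) and wrapping Body in a complete html document. The score here only accounts for the three rules the form controls; CK_HELO_GENERIC, NO_DNS_FOR_FROM and the DKIM rules depend on the sending host's HELO name and DNS and are untouched by these changes.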

