Spam/Spam Assassin Revisited

Wow! --they don’t half expire threads quickly here. This is a follow up to previous:

Right. Fast forward several weeks and my MIAB server is ticking along like a Swiss watch… apart from one thing: the dreaded SPAM.

Spam Assassin [or whatever the default setup uses] seems to be ‘sort of’ working --quite a lot of spam gets filtered. But there are about half a dozen senders whose junk gets through, no matter how many times I ‘move it to Spam’ --whether on my laptop, desktop or mobile devices, all of which are syncing all folders via IMAP with my MIAB.

There are a couple of particularly annoying spammers who send me their crappy ‘newsletters’ at least once a day. I must literally have marked these as spam 20 or 30 times, if not more. And they still get through!

The really odd thing is that MIAB will often pre-emptively catch spam from people who have rarely or never emailed me before. Yet will let pass emails from these few senders, no matter how many times I flag them up.

Anyone any ideas how to force MIAB to ‘learn’ to reject these annoying emails?

Please post the spam score sections of some emails you have been marking as spam.

Where do I find the spam score?

The email message headers are where servers record various different transactions related to a message.

I don’t know what client you are using, but in Roundcube you can just click Headers and it will pop up a window with all of the headers, and in there you will see the spam sections, among others.

I recommend getting to know header sections by just glancing through them with every email you receive and searching on stuff you see there that you are not familiar with. I’ve learned a lot this way.

Right. Here are some examples.

  • First annoying email: those ones that Amazon sends me about products they think I might be interested in. Sender store-news@amazon.co.uk
X-Spam-Level: 
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,HTML_FONT_FACE_BAD,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Report: 
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
	*      https://www.dnswl.org/, no trust
	*      [54.240.0.102 listed in list.dnswl.org]
	* -0.1 SPF_PASS SPF check passed
	* -0.1 DMARC_PASS DMARC check passed
	*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
X-Spam-Score: -2.2

Now, obviously Amazon won’t be listed by places like spamhaus.org as a spammer. And the SpamAssassin scores are low. But why is SpamAssassin [seemingly] not taking any notice of my flagging these messages as spam? An email sender might have the finest reputation in the world with organisations like spamhaus. But if I don’t want emails from that source then shouldn’t my marking them as spam override those ‘centralised’ settings?

  • Another example. Nifty Gateway. Some crap concerning NFTs I get on an almost daily basis. Sender hello@niftygateway.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.8 required=5.0 tests=BAYES_99,BAYES_999,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	SPF_HELO_PASS,SPF_PASS,T_KAM_HTML_FONT_INVALID,T_SCC_BODY_TEXT_LINE,
	URIBL_GREY autolearn=no autolearn_force=no version=3.4.2
X-Spam-Report: 
	* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
	*      https://www.dnswl.org/, no trust
	*      [148.105.15.222 listed in list.dnswl.org]
	*  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
	*      [URIs: list-manage.com]
	*  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
	*      [score: 1.0000]
	*  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
	*      [score: 1.0000]
	* -0.1 SPF_PASS SPF check passed
	* -0.1 DMARC_PASS DMARC check passed
	* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	*  0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted
	*      Colors in HTML
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
X-Spam-Score: 3.8

These seem to actually set off some alarm bells [if my interpretation of these headers is correct]. But still they arrive. In spite of the fact that every day I mark them as spam and must have done so dozens of times. Again, why is marking them as spam not enough to override whatever reputation they enjoy from external sources?

X-Spam-Level: 
X-Spam-Status: No, score=-3.2 required=5.0 tests=BAYES_99,BAYES_999,
	DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
	HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY,
	PYZOR_CHECK,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,
	TVD_RCVD_IP,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-Report: 
	*  0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
	*      [69.171.232.145 listed in wl.mailspike.net]
	*  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
	*      [score: 1.0000]
	*  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
	*      [score: 1.0000]
	* -0.1 SPF_PASS SPF check passed
	* -0.1 DMARC_PASS DMARC check passed
	*  0.0 TVD_RCVD_IP Message was received from an IP address
	* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
	* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM
	*      welcome-list
	*  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
	*      identical to background
	*  0.0 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image
	*       area
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	*  1.4 PYZOR_CHECK Listed in Pyzor
	*      (https://pyzor.readthedocs.io/en/latest/)
	*  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
	* -0.6 DKIMWL_WL_HIGH DKIMwl.org - High trust sender
X-Spam-Score: -3.2

As per Nifty Gateway, seems to score quite highly in some of those headers but [again!] still gets through, even though I constantly mark these as spam.
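
Added example, not part of any post in this thread: a Python sketch that parses the `X-Spam-Report` header shown above and separates the Bayes contribution (the part that marking messages as spam trains) from the rules that offset it, compared against the `required` threshold. The function names and the -0.5 cut-off used to pick out "offsetting" rules are assumptions of this sketch.

```python
import re
from email import message_from_string

# Constructed sample, abridged from the third header dump in the thread:
# zero-score rules dropped, descriptions shortened, names and scores as posted.
SAMPLE = """\
X-Spam-Status: No, score=-3.2 required=5.0 tests=BAYES_99,BAYES_999
X-Spam-Report:
\t*  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
\t*  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
\t* -0.1 SPF_PASS SPF check passed
\t* -0.1 DMARC_PASS DMARC check passed
\t* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM
\t*      welcome-list
\t*  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
\t*  0.1 DKIM_SIGNED Message has a DKIM or DK signature
\t* -0.1 DKIM_VALID_AU Valid DKIM signature from author's domain
\t* -0.1 DKIM_VALID At least one valid DKIM signature
\t*  1.4 PYZOR_CHECK Listed in Pyzor
\t* -0.6 DKIMWL_WL_HIGH DKIMwl.org - High trust sender

body
"""

# A rule line is "* <score> <RULE_NAME> ..."; wrapped description lines have no score.
RULE = re.compile(r"^[ \t]*\*[ \t]+(-?\d+\.\d+)[ \t]+(\S+)", re.M)

def rule_scores(raw):
    """Return ({rule: score}, required) from a message's SpamAssassin headers."""
    msg = message_from_string(raw)  # keeps folded header lines together
    report = msg["X-Spam-Report"] or ""
    rules = {m.group(2): float(m.group(1)) for m in RULE.finditer(report)}
    required = float(re.search(r"required=([\d.]+)", msg["X-Spam-Status"]).group(1))
    return rules, required

def explain(raw):
    """Split the total into Bayes points and large negative (offsetting) rules."""
    rules, required = rule_scores(raw)
    total = sum(rules.values())
    bayes = sum(s for r, s in rules.items() if r.startswith("BAYES_"))
    offsets = {r: s for r, s in rules.items() if s <= -0.5}  # assumed cut-off
    return {"total": round(total, 1), "required": required,
            "bayes": round(bayes, 1), "offsets": offsets,
            "without_offsets": round(total - sum(offsets.values()), 1)}

if __name__ == "__main__":
    print(explain(SAMPLE))
```

On this sample the two Bayes rules add 3.7 points against a threshold of 5.0, and the message stays at 4.9 even with the two trust-list rules removed.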

Have you attempted to use the unsubscribe options?

No. Because I don’t believe in ‘unsubscribing’ from crap I’ve never subscribed to in the first place. Quite apart from which, it’s generally considered bad form to respond to spammers as it lets them know their junk has landed in an active inbox.

If it is just these two senders, you can create a sieve rule using the filters in Roundcube. Those are applied to all messages sent to the account and do not require you to be logged into Roundcube.

I can also confirm if there is an actual Unsubscribe page that actually loads, even if you haven’t subscribed to it, it does seem to reduce the emails.

I agree though that overall Spam Assassin isn’t as good as Postini (what Google uses, I think they might have bought the company?)

I have done a bit on this page to block a few trouble domains, like xyz
