Email filtering in the "to" field sucks sonic

by markf » Thu Apr 19, 2012 7:01 am
Multiple spams in the INBOX and this is a daily occurrence of between five and ten. There is simply no valid excuse to accept any email sent to undisclosed recipient. All spammers have to do is not put an @ in the "TO" field and the recipient has to write all this bullshit to discard the spam.

I have my filters set with variations of undisclosed recipient from time past and sonic ignores these filters completely. I have my filters set up to discard all the spam but none seems to be discarded and in fact makes its way to my inbox. As you can see, I have the threshold set to 2.0 to discard spam.

I blacklist everything and then whitelist what I want. Sonic, your user controlled filters suck and there is no excuse for the recipient to not be able to block on whatever terms they so desire. It has long been held that the end recipient should have control over their inbox. The spammers wanted the recipient to have control.

The fact is that sonic, the spammers and third parties control the spam filters and will not fix a simple thing like this to give the control to the recipient. Sonic will not reject on the lack of a "TO" field, Sonic will not allow the recipient to do so except with procmail which is a long and involved process and requires the recipient learn procmail to block this easily blocked spam.

Dane, Eli, John..., there is simply no reason why the recipient should not be able to reject email based on whatever terms they desire.

EDIT: What is the point of this if you do not honor what you say?
https://members.sonic.net/email/spam/filtering/
"Discard messages matching SpamAssassin "blacklist from", "blacklist subject" and "blacklist to" lists"

Return-Path: <alonzo_felipe@milicia.mil.ve>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on f.spam.sonic.net
X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=2.0 tests=LOTS_OF_MONEY,MONEY_ATM_CARD,
    RDNS_DYNAMIC,SUBJ_ALL_CAPS autolearn=disabled version=3.3.1
Received: from e.mx.sonic.net (e.mx.sonic.net [69.12.221.235])
    by a.lds.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q3JCNrVF017028
    for <root-alias>; Thu, 19 Apr 2012 05:23:53 -0700
Received: from correo.milicia.mil.ve (200-44-119-52.genericrev.cantv.net [200.44.119.52] (may be forged))
    by e.mx.sonic.net (8.13.8.Beta0-Sonic/8.13.7) with ESMTP id q3JCNnER029945
    for <role-account>; Thu, 19 Apr 2012 05:23:53 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
    by correo.milicia.mil.ve (Postfix) with ESMTP id 5DB7E35079AF;
    Thu, 19 Apr 2012 07:51:00 -0430 (VET)
X-Virus-Scanned: amavisd-new at milicia.mil.ve
Received: from correo.milicia.mil.ve ([127.0.0.1])
    by localhost (correo.milicia.mil.ve [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id FOqIv5dteZDu; Thu, 19 Apr 2012 07:51:00 -0430 (VET)
Received: from correo.milicia.mil.ve (correo.milicia.mil.ve [200.44.119.52])
    by correo.milicia.mil.ve (Postfix) with ESMTP id 4C814350799B;
    Thu, 19 Apr 2012 07:50:56 -0430 (VET)
Date: Thu, 19 Apr 2012 07:50:56 -0430 (VET)
From: "U.S FISCAL PAYMENT DESK" <alonzo_felipe@milicia.mil.ve>
Reply-To: APPROVED ATM PAYMENT <u.sfiscalpaymentdesk@kimo.com>
Message-ID: <239849636.30352.1334838056288.JavaMail.root@correo.milicia.mil.ve>
Subject: ATTN: ATM REF: 9229: YOU ARE NEXT ON PAY-ROLL
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Originating-IP: [41.138.171.239]
X-Mailer: Zimbra 7.1.4_GA_2555 (zclient/7.1.4_GA_2555)
To: undisclosed-recipients:;
X-Sonic-SB-IP-RBLs: IP RBLs .
by kgc » Thu Apr 19, 2012 12:11 pm
markf wrote: Multiple spams in the INBOX and this is a daily occurrence of between five and ten. There is simply no valid excuse to accept any email sent to undisclosed recipient.
That is simply not true for many people, Mark, and if you look at the history of the SA rulesets you'll see that tests for this used to be exposed and then were removed. Rules are removed because they are ineffective for identifying spam on the whole, however effective it may be for your own personal mail flow. You've been provided with solutions to this in the past, as you mention, we let everyone write their own procmail filters so you are free to do whatever you'd like. In fact, you have complete control over your mail at the LDA here, something that few ISPs support.

I dug a little deeper and found that SA does have an internal rule to check for undisclosed recipients that is used as part of several meta-rules. You cannot use our web front end to associate a score with this rule but I'm pretty sure that if you use the flat file base SA you could add a score to it.

Code:

score   __TO_UNDISCLOSED  1000.0
markf wrote: EDIT: What is the point of this if you do not honor what you say?
https://members.sonic.net/email/spam/filtering/
"Discard messages matching SpamAssassin "blacklist from", "blacklist subject" and "blacklist to" lists"
...

X-Spam-Status: No, score=1.9 required=2.0 tests=LOTS_OF_MONEY,MONEY_ATM_CARD,
    RDNS_DYNAMIC,SUBJ_ALL_CAPS autolearn=disabled version=3.3.1
That message did not match any of the rules that would lead to it being discarded. I'm not sure why SA will not match "undisclosed-recipients" with any obvious supplied pattern to blacklist_to but that's the way it is.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by markf » Fri Apr 20, 2012 9:57 am
Kelsey,

91% of all my spam is sent to "undisclosed recipient" or some variation of that or has no "TO FIELD" at all. That is one rule to kill 91% of all the spam I get. Now, through SA, I cannot filter by the fact that the "TO FIELD" does not contain a valid email address or even contain an "@" symbol.

SA will no longer accept any character string that does not have an "@" symbol. SA declines the entry stating the entry does not appear to be a valid email address. All spammers have to do is stop using valid email addresses and the recipient has to jump through hoops and write a multitude of filters using SA to stop this spam.

Each person might have a different load of spam, that is true. This won't stop the snow shoe spam but it will stop the majority of fraud and scam spam.

I haven't written any procmail in years, maybe a decade. I haven't done any telnetting for a long time either. For me, and I suspect for most users, to discard email that has no valid email address or even a valid "TO FIELD" is easier.

On that note, why does the end user not have control over what character strings to filter on? What difference does it make if a user uses a character string that does not contain an "@" symbol or not? The end user should have that choice and should not have to learn procmail to filter spam when you have SA.

You can't say this is a great and useful tool when the end user is not in control of what they are allowed to filter.

As always Kelsey, I hope you take this as constructive because I have respect for sonic staff. I have none for SA the way it is set up.
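The test asked for in the posts above (does the "To" field carry any real address, or is it missing or an empty group such as "undisclosed-recipients:;"), sketched in Python as an added example that is not part of any post in this thread and is not Sonic's or SpamAssassin's code. The function names and the sample messages are constructed for illustration; how such a check would be hooked into delivery (for instance, piped from a procmail recipe) is an assumption and is not shown.

```python
from email import message_from_string, policy


def classify_to(raw_message: str) -> str:
    """Classify the To header(s): 'missing', 'undisclosed', 'no-address' or 'ok'."""
    msg = message_from_string(raw_message, policy=policy.default)
    headers = msg.get_all("To", [])
    if not headers:
        return "missing"
    # Every mailbox the parser found, including ones inside groups.
    mailboxes = [a for h in headers for a in h.addresses]
    if any("@" in a.addr_spec for a in mailboxes):
        return "ok"
    # RFC 5322 group syntax with no members, e.g. "undisclosed-recipients:;"
    for h in headers:
        for group in h.groups:
            if group.display_name and not group.addresses:
                return "undisclosed"
    return "no-address"


def should_discard(raw_message: str) -> bool:
    """Policy from the thread: drop anything whose To has no usable address."""
    return classify_to(raw_message) != "ok"


# Constructed sample messages (not taken from real mail).
_HEAD = "From: sender@example.org\nSubject: sample\n"
SAMPLE_UNDISCLOSED = _HEAD + "To: undisclosed-recipients:;\n\nbody\n"
SAMPLE_MISSING = _HEAD + "\nbody\n"
SAMPLE_OK = _HEAD + 'To: "Mark" <mark@example.net>\n\nbody\n'

if __name__ == "__main__":
    for name, raw in [("undisclosed", SAMPLE_UNDISCLOSED),
                      ("missing", SAMPLE_MISSING),
                      ("ok", SAMPLE_OK)]:
        print(name, "->", classify_to(raw), "discard:", should_discard(raw))
```

As kgc notes earlier in the thread, a rule like this fits one person's mail flow and not everyone's: legitimate Bcc-only mail is delivered with the same empty group in "To".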
by Michael » Wed Apr 25, 2012 1:13 pm
Marvelous, I had written a complete reply, but due to the overwhelming crappiness of this forum software it was lost.


Basically I wrote, raise the "SUBJ_ALL_CAPS" rule to 1000. Anyone that stupid to type in all caps doesn't deserve your attention. Then tweak the value assigned to "LOTS_OF_MONEY" and "MONEY_ATM_CARD". That should reduce the chances of seeing this type of e-Mail in the future.

The descriptions for Spam Assassin are cryptic at best. What does "FROM_MISSP_TO_UNDISC" accomplish?
by Michael » Wed Apr 25, 2012 1:15 pm
Crap forum software, nearly lost it again. Keep getting a forbidden when clicking 'Submit'.
by Michael » Wed Apr 25, 2012 1:18 pm
Due to the second Forbidden, part of the text was lost. The above should read:

The descriptions for Spam Assassin are cryptic at best. What does "FROM_MISSP_TO_UNDISC" accomplish and would it help Mark?
by thulsa_doom » Wed Apr 25, 2012 1:20 pm
Michael wrote: Marvelous, I had written a complete reply, but due to the overwhelming crappiness of this forum software it was lost.
I think you might be running into a mod_security problem. What was the error you were presented?
John Fitzgerald
Sonic Technical Support
by Michael » Wed Apr 25, 2012 3:26 pm
To get past the authentication part of posting; typically I enter the name, CAPTCHA and type a few characters in the editor so that I can click the Preview button. If the test of the CAPTCHA is accepted as valid, I then start to actually compose the draft.

In this particular case, during the draft I pressed Preview several times without issue. When the final was completed, I clicked Submit and that's when I received the Forbidden error. When I clicked the Back button on the browser, I received the following sucky dialog:

Code:

To display this page, Firefox must send information that will repeat any action (such as a search or order confirmation) that was performed earlier.

Resend  Cancel
When I click Resend, all of the last changes to the final message were gone. Which happened to be 90 percent of the changes to the final after the last Preview.

Let's see if I get the Forbidden error and if so, I'll post the complete error message.


Update:

Got it. Thankfully this time I copied into the clipboard the entire post before clicking Submit. Here is the 403 error message:

Code:

Forbidden

You don't have permission to access /posting.php on this server.
Apache/2.2.15 (Scientific Linux) Server at forums.sonic.net Port 443
I've now received Forbidden 3 times and it's happening now when I click the Preview button. I'm also losing 100 percent of the text in the editor and having to re-enter the CAPTCHA each time. Pasting clipboard into editor and attempting to Submit again.

4 times. 100 percent loss, paste.
5 times. 100 percent loss, paste.
6 times. 100 percent loss, paste.

Canceled post, went back and click the Post Reply button to start fresh. Pasted text into editor.

7 times. 100 percent loss, paste.
8 times. 100 percent loss, paste.
9 Times. 100 percent loss, paste. If it happens one more time, I'll give up until later.
10 times. 100 percent loss, pausing.

11 times. 100 percent loss, paste.
12 times. 100 percent loss, paste.
13 times. 100 percent loss, paste.
14 times. 100 percent loss, paste.
15 times. 100 percent loss, paste.

Trying new topic.

16 times. 100 percent loss, pausing.

Attempt 17....
by kbenson » Wed Apr 25, 2012 4:27 pm
We recently enabled some extra security mechanisms in the forum web server (because a few forums scrapers that didn't handle redirects correctly were getting caught in loops causing resource problems), and it's resulted in a few false positives. We're working to tweak the system to make it less likely to cause problems, and your bug reports are welcome.
by markf » Wed May 02, 2012 10:29 am
Michael wrote: Marvelous, I had written a complete reply, but due to the overwhelming crappiness of this forum software it was lost.


Basically I wrote, raise the "SUBJ_ALL_CAPS" rule to 1000. Anyone that stupid to type in all caps doesn't deserve your attention. Then tweak the value assigned to "LOTS_OF_MONEY" and "MONEY_ATM_CARD". That should reduce the chances of seeing this type of e-Mail in the future.

The descriptions for Spam Assassin are cryptic at best. What does "FROM_MISSP_TO_UNDISC" accomplish?
These might work:


* 2.7 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
* 2.8 FROM_MISSP_NO_TO From misspaced, To missing

These might catch the missing "TO" fields. They don't seem to catch any of the undisclosed recipient spam.