Seeing "X-Spam-SNF-Result: 54 (Porn/Adult)" in headers, how can I stop them?

11 posts Page 1 of 2
by tensigh » Sat Oct 08, 2016 11:55 pm
Hello,

I'm getting a lot of "Let's hookup" type spams. When I look at the headers, I see the following line:

X-Spam-SNF-Result: 54 (Porn/Adult)

Clearly the spam filter is considering this porn/adult, but true to fashion, SpamAssassin is allowing this through. Is there any way I can adjust this so if this gets triggered these emails WON'T show up in my Inbox? Sonic is getting increasingly separated from its customers so I'm guessing I'm just screwed (no pun intended) but I thought I would just ask.

Anyone see this and know how to prevent it?
by drew.phillips » Mon Oct 10, 2016 9:02 am
I was helping a friend with similar emails he was getting and there was little we could do on the member tools / spam scores side because these messages weren't triggering more than one, if any, other spam rules.

The "X-Spam-SNF-Result" header is added by a plugin and therefore those scores are not configurable per mailbox.

What we did end up doing that is working very well was set up some procmail* rules to match that header along with some other things and move to Graymail.

A procmail file is essentially a set of rules that get run against each message being delivered to you. If certain rules match, messages can be discarded, moved, or processed in some other way.

The following rule will move messages tagged by the SNF (Sniffer) plugin to Graymail if they have a spam score of at least 1 and match any "50" class sniffer rule (these are all spam/scam/phish messages).

Code:

# Sniffer class 50-59 (Media Theft, Spamware, Snake Oil, Scam Patterns, Porn/Adult, Scumware etc)
:0
* ^X-Spam-SNF-Result: 5.
* ^X-Spam-Level: \*
${DEFAULT}.Graymail/

If you want to only match the adult content, change "5." to "54". You can also delete the line with X-Spam-Level if you just want to move anything matched by that regardless of spam score.

I hope that helps - let me know if you have any questions.

* Link to a semi-long, technical article. You'll need to use FTP or request shell access in order to create/edit procmail files in your home directory.
Drew Phillips
Programmer / System Operations, Sonic.net
by tensigh » Mon Oct 10, 2016 2:42 pm
Thanks for the reply. That looks really cool.

Do I copy that code and put it in a .procmail file in my shell account? If not, how do I implement the change?

Thank you
by drew.phillips » Mon Oct 10, 2016 3:49 pm
You would save that content in a file called ".procmailrc" in your home directory from shell.

As soon as that file is in place it will start being used. After setting it up, I'd recommend sending yourself a test email to make sure it goes through as any broken procmail files can result in all mail getting discarded!
Drew Phillips
Programmer / System Operations, Sonic.net
by tensigh » Mon Oct 10, 2016 5:49 pm
Thanks, I really appreciate the help. That's a really cool solution.

Will any discarded emails go into a stash file just to ensure that none are ham?
by drew.phillips » Tue Oct 11, 2016 8:37 am
All this will do is move those messages with the SNF header into Graymail and everything else will continue to flow to the inbox.

The only time messages get discarded is with an explicit rule or major error in the procmail file that prevents it from processing rules correctly. That's why I always recommend a generic email test after modifying procmail - as long as it gets delivered you're good!
Drew Phillips
Programmer / System Operations, Sonic.net
by tensigh » Wed Oct 12, 2016 6:15 am
Thank you. I did that and tested it. I got my test mail so all looks good.
by drew.phillips » Wed Oct 12, 2016 8:12 am
Awesome, let me know how it works out!

If you find other things still getting through we can work on some additional rules. It may eventually be nice to have a thread for a general set of procmail rules that handle trickier spam that doesn't quite score high enough to get quarantined but has other factors we can detect with filter rules.
Drew Phillips
Programmer / System Operations, Sonic.net
by tensigh » Sun Oct 16, 2016 5:01 am
Hey Drew,

I just got another similar type spam. This one starts off with "5" and "scam" as the type - shouldn't these be blocked too?

X-Spam-Status: No, score=3.4 required=4.0 tests=HTML_MESSAGE,SNF4SA
autolearn=disabled version=3.4.0
X-Spam-SNF-Result: 53 (Scam Patterns)
X-Spam-MessageSniffer-Scan-Result:
X-Spam-MessageSniffer-Rules:
53-7618636-711-743-m
54-7619435-1158-1179-m
54-7620290-1182-1215-m
54-7360679-1241-1248-m
54-7619435-1520-1541-m
54-7620290-1548-1581-m
54-7360679-1607-1614-m
54-7619435-1971-1992-m
54-7620290-1994-2027-m
54-7360679-2052-2059-m
54-7619435-2304-2325-m
54-7620290-2327-2360-m
54-7360679-2385-2392-m
53-7618636-0-2497-f
X-Spam-GBUdb-Analysis: 1, 188.128.136.131, Ugly c=0 p=0 Source New
by Guest » Sun Oct 16, 2016 1:28 pm
You just need to edit your regular expression to include 53. If you just entered 54, enter

Code:

5.

as Drew advised how to get rid of all 50 series or

Code:

5[34]

to include only 53 and 54.
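
A way to check a header pattern before editing .procmailrc, added here as an example and not part of any post in this thread: it approximates the recipe's two conditions with grep -Ei, since procmail conditions are egrep-style, case-insensitive by default, and all have to match. The function name and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Dry-run of the recipe's two header conditions with grep, so a pattern
# can be checked before it goes into ~/.procmailrc.

# routes_to_graymail SNF_PATTERN HEADERS   (hypothetical helper name)
# Prints "Graymail" when both conditions match, otherwise "Inbox".
routes_to_graymail() {
    snf_pattern=$1
    headers=$2
    if printf '%s\n' "$headers" | grep -Eiq "^X-Spam-SNF-Result: $snf_pattern" &&
       printf '%s\n' "$headers" | grep -Eiq '^X-Spam-Level: \*'; then
        echo Graymail
    else
        echo Inbox
    fi
}

# Constructed sample headers (not taken from real mail).
ADULT='Subject: hello
X-Spam-Level: ***
X-Spam-SNF-Result: 54 (Porn/Adult)'

SCAM='Subject: hello
X-Spam-Level: ***
X-Spam-SNF-Result: 53 (Scam Patterns)'

# Tagged by SNF, but no asterisk in X-Spam-Level (header absent here),
# so the second condition of the recipe does not match.
UNSCORED='Subject: hello
X-Spam-SNF-Result: 54 (Porn/Adult)'

# No SNF header at all.
CLEAN='From: friend@example.com
Subject: lunch?'

# Print where each sample would land for each pattern from the thread.
for pattern in '5.' '54' '5[34]'; do
    for name in ADULT SCAM UNSCORED CLEAN; do
        eval "msg=\$$name"
        printf '%-6s %-9s -> %s\n' "$pattern" "$name" \
            "$(routes_to_graymail "$pattern" "$msg")"
    done
done
```

This only checks the patterns; sending yourself a test message after saving .procmailrc is still what confirms the file as a whole is being processed.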