Why do SpamAssassin and Razor2 penalize for specific domain name in HTML body

emailrazorspamspamassassin

We are an ESP provider from Czech Republic, Europe. Our clients are regular Czech companies with their own client database. Since yesterday, we have a problem with our domains used in emails for online version, logout link and tracking the links. We are receiving a bad score because of these domain names.

The score is, e.g.:

RAZOR2_CF_RANGE_51_100 = 0.365

RAZOR2_CF_RANGE_E8_51_100 = 2.43

RAZOR2_CHECK = 1.729

We found out that one of our client probably sent a campaign on bought DB (100.000 addresses), so we blocked him, but now we need to solve this issue.

To buy a new domains is a solution, but not long-term solution. Do you have any idea how to solve it?

Would it help that every user of our system would have (for these links in email) a subdomain like username.redirectdomain.com Or another solution—registering to some whitelist?

There should be a solution when you from 95% do not send spam and you don't want to replace your domains every week. HW and IP addresses we have solved well, we have problem with this penalization in email body—especially for domain names used for tracking the links (official links are replaced with ours).

Best Answer

Razor2 is a hash sharing system based on fuzzy checksums. It builds a feature vector from the content of the email and then makes a distance comparison between it and known spams in a cloud database. AFAIK, it does not consult domain blocklists, though I don't have intimate details of its feature selection.

Regarding blocklisted domains, you'll have to reach out to each DNSBL service that lists your domains and ask for them to remove your entries. Many of these will automatically retract your domains after some buffer period following the end of the spam campaigns that used them. M³AAWG's documents, especially the Help – I'm on a Blocklist guide, could provide the exact guidance you need.

If you want further help, specifically from within this industry, I'd suggest that your employer joins M³AAWG, which creates a venue for well-behaved ESPs to meet with ISPs and other receivers as well as security companies (including Cloudmark, which owns and operates Razor2).

M³AAWG meets three times a year; San Francisco, East Coast US, and Europe. The next meeting will be in San Francisco in February and the meeting after that will be in Dublin this June. Maybe I'll see you there.

Related Solutions

Exim not sending email to our own email addresses

man update-exim4.conf
   dc_other_hostnames
          is  used to build the local_domains list, together with "localhost".  This is the list of domains
          for which this machine should consider itself the final destination. The local_domains list  ends
          up in the macro MAIN_LOCAL_DOMAINS.

check in autogenerated exim.conf for smth like this:

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

This means that message is routed through remote delivery (remote_smtp transport) if domain in rcpt address is different than local_domains. If not, message goes to another router, some router accepts it and in your case it ends up in local delivery transport.

I'm sorry, but in your case you should go full hog on Exim and learn configuring Exim manually. update-exim4.conf is for typical cases.

Automatically rescan email with SpamAssassin after it has been received

This is indeed a very good technique, especially for fighting snowshoe, a type of spam where the entire email blast is out the door in a matter of minutes. This is because anti-spam servers take about that long to process anything that arrives and then pump out their spam definitions.

I don't know of any ready-to-use software that can do this locally, but IMAP Spam Begone may suit your needs. It connects to your mailbox server via IMAP (the way a standard mail client would) and runs SpamAssassin to clean it up for you.

If you wanted something that runs locally, you could probably write a simple wrapper around SpamAssassin that does this. Maildir stores each message in its own file, so something like this should be decent:

Contents of sa-bootstrap.sh:

#!/bin/sh
for email in "$@"; do
  if ! spamassassin -e < "$email" > /dev/null 2>&1; then
    mv "$email" /full/path/to/spam/folder
  fi
done

Now you can run:

find /path/to/maildir -type f -print0 |xargs -0 sa-bootstrap.sh

Don't forget to verify your spam and to use sa-learn on your spam and ham before deleting them.

(spamassassin -e will exit with a non-zero error code when the given message is determined to be spam.)

Best Answer

Related Solutions

Exim not sending email to our own email addresses

Automatically rescan email with SpamAssassin after it has been received

Related Topic