EmailDiscussions.com  

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Old 22 Jan 2019, 12:09 AM   #16
paleolith
Cornerstone of the Community
 
Join Date: Mar 2002
Location: Florida
Posts: 541
I had not checked in a few days. Just now found a false positive from Jan 16.

I have reopened my ticket, and also created a filter to save all emails with the ME_VADESPAM tag for review. If I get too many, I'll have to add a score cutoff.

Edward
paleolith is offline   Reply With Quote
Old 23 Jan 2019, 07:25 PM   #17
paleolith
Cornerstone of the Community
 
Join Date: Mar 2002
Location: Florida
Posts: 541
Reply from Yassar Ali a few minutes ago:
This issue has been mitigated now. So the emails should no longer be filtered as spam.

However, we are continuing to work with our spam filtering service to avoid false positives like these.
paleolith is offline   Reply With Quote
Old 24 Jan 2019, 05:53 AM   #18
Lesslame
Junior Member
 
Join Date: Aug 2007
Posts: 9
I received the same answer to my ticket today.
Still surprising to see that one single "spam-factor" has such an enormous weight (5 points!) on the total spam score - especially as this factor is obviously far from working perfectly!
Cheers,
lesslame
Lesslame is offline   Reply With Quote
Old 29 Jan 2019, 10:39 AM   #19
paleolith
Cornerstone of the Community
 
Join Date: Mar 2002
Location: Florida
Posts: 541
Two more, sent Jan 24, only a day after Yassar told me it's fixed. Both emails were from AffordableRxMeds.com, a reputable Canadian dealer.

Edward
paleolith is offline   Reply With Quote
Old 30 Jan 2019, 05:54 AM   #20
xyzzy
Senior Member
 
Join Date: May 2018
Posts: 175
I'm getting a little concerned about this ME_VADESPAM 5 thing too. I raised my spam threshold to 6.2 because of it and still got a false positive with a score of 7.2 because of it. I'm cutting off at 9.1 but I am beginning to wonder if I should raise that too.
xyzzy is offline   Reply With Quote
Old 30 Jan 2019, 07:40 AM   #21
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,421
Speaking of headers ...

Speaking of headers - what are these for?

X-ME-VSCause: [A long, interesting string - all lower case letters; matches [cdefghijklmnopqrstuv]* and most of the letters are in [deghru]*]
X-ME-VSCategory: clean
X-ME-ZSResult: clean

Guesses:
X- means nonstandard/locally defined, as I recall. ME = MessagingEngine?
VS=Virus Scan
ZS=????? Scan

The string is very curious!!

I found 0 Google hits.
elvey is offline   Reply With Quote
Old 1 Feb 2019, 10:34 PM   #22
paleolith
Cornerstone of the Community
 
Join Date: Mar 2002
Location: Florida
Posts: 541
FM engineers have changed my profile to assign a score of 2 instead of 5 for the VADESPAM hit, using a tag ME_VADESPAM_LOW. For me, this is sufficient; had the score been 2 from the start, I'd have seen no false positives and would not even have noticed the new test. Presumably they can do the same for others who have trouble with the test. It has to be done through support and requires a few hours to take effect.

I received more information from an FM engineer, who gave me permission to repost the info. The following is a mixture of the engineer's explanations and my own words.

I think that all tags containing the string "VS" refer to Vade Secure. I don't know whether it's coincidental or intentional that VS can also stand for Virus Scan. Vade Secure is a spam filtering service which FM has begun using. I don't know many details about Vade Secure. In particular, I have no idea what they are doing that the traditional tests don't, except that they are getting data from a variety of sources and thus have the potential to react to fast-developing spam situations far more quickly.

Info from the engineer:
  • X-ME-VSCategory is the classification category of a message by VadeSecure;
  • X-ME-VSCause is an encoding of the reasons for that classification;
  • X-ME-ZSResult is the classification of the message sending IP address by another product we are investigating, at present this is for data gathering only.

I'm also told that they are working on ways to mitigate false positives more quickly, though with no promises of dates or other specifics, just that FM is aware of the issues which have arisen.

Edward
paleolith is offline   Reply With Quote
Old 4 Feb 2019, 10:03 PM   #23
SideshowBob
Member
 
Join Date: Jan 2017
Posts: 73
I think ZS is probably ZEROSPAM.
SideshowBob is offline   Reply With Quote
Old 5 Feb 2019, 03:37 AM   #24
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,421
Cool

Thanks! Super helpful info, and I'm glad to hear fastmail is on the ball, as usual, re. spam detection.
A user tells me more sex solicitation-type spam is evading detection lately. (But it's being forwarded here, which, I explained, makes spam detection tougher.)
elvey is offline   Reply With Quote
Old 22 Apr 2019, 01:22 AM   #25
snsh
Cornerstone of the Community
 
Join Date: Dec 2002
Location: Boston
Posts: 610
My FM mailbox just received false-positive spam email because of VADESPAM.

Code:
X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.1, ME_VADESPAM 5, ME_ZS_CLEAN -0.001, RCVD_IN_DNSWL_MED -2.3, SPF_PASS -0.001, LANGUAGES en, BAYES_USED user, SA_VERSION 3.4.2
This is surprising since it's a plaintext message from a .GOV sender containing no URLs at all, just a one-time code for 2FA. SPF, DKIM, and DMARC all pass. Only failure I see in the headers is x-ptr due to HELO misalignment.

Please consider adding rules that help .GOV and .MIL senders. Those two TLDs are tightly locked down.
snsh is offline   Reply With Quote
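The header quoted in the post above mixes scored rules with non-numeric metadata (LANGUAGES, BAYES_USED, SA_VERSION). The following is an added example, not code from any poster or from FastMail: it splits such a header into the two groups, totals the scored rules, and reports which single rule is decisive for a given threshold. The threshold of 3.0 in the usage comment is a constructed value, and rescoring ME_VADESPAM to 2 mirrors the per-account change described in post #22.

```python
# Added example: triage an X-Spam-hits header (header text copied from post #25).
SAMPLE = ("X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.1, ME_VADESPAM 5, "
          "ME_ZS_CLEAN -0.001, RCVD_IN_DNSWL_MED -2.3, SPF_PASS -0.001, "
          "LANGUAGES en, BAYES_USED user, SA_VERSION 3.4.2")


def parse_hits(header):
    """Return (scores, meta): numeric rule hits and non-numeric entries."""
    _, sep, body = header.partition(":")
    if not sep:              # bare value without the header name
        body = header
    scores, meta = {}, {}
    for item in body.split(","):
        parts = item.split()
        if len(parts) != 2:
            continue         # skip empty or malformed entries
        name, value = parts
        try:
            scores[name] = float(value)
        except ValueError:
            meta[name] = value   # e.g. "LANGUAGES en", "SA_VERSION 3.4.2"
    return scores, meta


def total(scores):
    """Sum of the listed rule scores, rounded to the header's precision."""
    return round(sum(scores.values()), 3)


def decisive_rules(scores, threshold):
    """Rules whose removal alone would drop the message below threshold."""
    t = total(scores)
    if t < threshold:
        return []
    return sorted(n for n, s in scores.items() if round(t - s, 3) < threshold)


def rescored(scores, rule, new_score):
    """Copy of scores with one rule's weight replaced (no-op if rule absent)."""
    out = dict(scores)
    if rule in out:
        out[rule] = new_score
    return out


if __name__ == "__main__":
    scores, meta = parse_hits(SAMPLE)
    print(total(scores), decisive_rules(scores, 3.0))   # 3.0 is a constructed threshold
    print(total(rescored(scores, "ME_VADESPAM", 2)))
```
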
Old 22 Apr 2019, 01:38 AM   #26
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,421
Quote:
Originally Posted by snsh View Post
My FM mailbox just received false-positive spam email because of VADESPAM.

Code:
X-Spam-hits: BAYES_50 0.8, DCC_CHECK 1.1, ME_VADESPAM 5, ME_ZS_CLEAN -0.001, RCVD_IN_DNSWL_MED -2.3, SPF_PASS -0.001, LANGUAGES en, BAYES_USED user, SA_VERSION 3.4.2
This is surprising since it's a plaintext message from a .GOV sender containing no URLs at all, just a one-time code for 2FA. SPF, DKIM, and DMARC all pass. Only failure I see in the headers is x-ptr due to HELO misalignment.

Please consider adding rules that help .GOV and .MIL senders. Those two TLDs are tightly locked down.
If they’re not tightly locked down, actually. The amount of spam and botnet traffic coming from .gov and .mil controlled IP addresses is astounding. Astoundingly large that is. And as you mention they can’t even get HELO aligned?

And the (net) spam score was only three point something.

But I agree if there is some room for tweaking. SPF, DKIM, and DMARC all pass should be worth a bit more than -0.001. -0.1, perhaps?
(I suppose the weights can be customized with some complex sieve scripting but) I think that the defaults should have some more reasonable values.
elvey is offline   Reply With Quote
Old 22 Apr 2019, 01:55 AM   #27
elvey
The "e" in e-mail
 
Join Date: Jan 2002
Location: San Francisco
Posts: 2,421
Quote:
Originally Posted by SideshowBob View Post
I think ZS is probably ZEROSPAM.
I’m not impressed by a company that misspelled ransomware “randomware” on its HOME page! In spam fighting, attention to detail is ESSENTIAL. I wonder if this is just mostly, or 100% marketing: “...all email-borne threats including ransomware and spear phishing”. I’d put money on it they have no evidence of effectiveness against spear phishing!

We really need a blog post from FastMail on what’s going on with spam fighting.
elvey is offline   Reply With Quote
Old 22 Apr 2019, 03:06 AM   #28
snsh
Cornerstone of the Community
 
Join Date: Dec 2002
Location: Boston
Posts: 610
Quote:
Originally Posted by elvey View Post
The amount of spam and botnet traffic coming from .gov and .mil controlled IP addresses is astounding.
Anecdotally, I've only ever received a couple of spam messages that had .GOV DKIM signatures. I have never once received spam with a valid .MIL signature.

Agree, there may be plenty of botnet traffic coming from gov/mil associated IP address space. However, the ratio of spam:ham sending from .GOV/.MIL mailservers (i.e. an SMTP server official enough that somebody holding DOTGOV/DISA credentials set up DKIM) is tiny compared to all the other TLDs available to the general public. It's trivial for any random person to send a spam/phishing email that is .COM signed. You could do that with a free AOL account. That's not true for .GOV and especially not true for .MIL.

I don't advocate for whitelisting those TLDs, but bias the total score. Say, -10 for .MIL signatures and -5 for .GOV signatures.
snsh is offline   Reply With Quote
Old 22 Apr 2019, 09:52 AM   #29
paleolith
Cornerstone of the Community
 
Join Date: Mar 2002
Location: Florida
Posts: 541
Quote:
Originally Posted by snsh View Post
My FM mailbox just received false-positive spam email because of VADESPAM.
Please submit your email to FM support if you didn't already. They did engage in conversation with me about it. They need to know how many users are affected by the ridiculously high score assigned to this hit. If they would just give it a reasonable score, that would alleviate the problem -- since they assigned my account a profile which scores it at 2 instead of 5, I've had no related false positives.

Edward
paleolith is offline   Reply With Quote
Old 22 Apr 2019, 10:19 PM   #30
SideshowBob
Member
 
Join Date: Jan 2017
Posts: 73
Quote:
Originally Posted by elvey View Post
But I agree if there is some room for tweaking. SPF, DKIM, and DMARC all pass should be worth a bit more than -0.001. -0.1, perhaps?
Lots of spam passes those tests these days. It's only worth anything if it's combined with some kind of domain reputation information.
SideshowBob is offline   Reply With Quote
All times are GMT +9. The time now is 04:12 AM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy