Testing scoring with ham/spam

LucasRolff, Member, May 1, 2021
Hi!

Is there any way we can run a test to check the score a given email would get (ham or spam)?

We can call spamassassin directly like:

Code:
cat /var/spool/pmg/cluster/1/spam/1A/12075460A6EABB8A01A | spamassassin -D pyzor | less

This will tell us the assigned score (and the info) - but can we do that for the way PMG processes emails (especially the SA part)?

The reason I'm asking is that we have a bunch of the crypto spam email coming in (bitcoin-related) - PMG gives it a score of 3.5 while SA directly gives it a score of 8.

The only rule missing in the output (and score) is KAM_BITCOIN (which gives a 4.5 score) - so I'm trying to figure out why SA detects it's a bitcoin spam email, but PMG does not.

I've received multiple of those emails throughout the day, SA always detects it with KAM_BITCOIN, PMG doesn't. Even restarting the filter ( systemctl restart pmg-smtp-filter ) doesn't seem to do the trick.

I also don't find anything where the rule is disabled in PMG.

Edit: it might be worth noting that other KAM rules are applied, so I know for sure KAM rules are generally active!
 
Have a look at /usr/share/spamassassin-extra/kam.cf and notice it will only trigger KAM_BITCOIN with the condition below.

https://code.compassfoundation.io/dave/spamassassin/-/blob/master/KAM.cf

Code:
#ODD INFO URL - MATCH A URL-LIKE STRING THAT ENDS IN A QUESTIONABLE TLD, FOLLOWED BY A WORD BOUNDARY OR A SLASH (BUT NOT A DOT, OR IT WILL FP ON SUBDOMAINS LIKE FOO.INFO.LEGIT.COM)
rawbody        __KAM_INFOUSMEBIZ1    /http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
header        __KAM_INFOUSMEBIZ2    From:addr =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$/i
header        __KAM_INFOUSMEBIZ3    Return-Path =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$/i

#BITCOIN
header   __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
body     __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i
header   __KAM_BITCOIN3 From =~ /bitcoin/i

meta     KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score    KAM_BITCOIN 4.5

Code:
Return-path: <user1@gmail.com>
Received: from pmg.mydomain.com ([192.168.40.106])
    by mail.mydomain.com with ESMTP; Fri, 21 May 2021 13:18:16 +0800
Received: from pmg.mydomain.com (localhost.localdomain [127.0.0.1])
    by pmg.mydomain.com (Proxmox) with ESMTP id 3271D42055
    for <luser1@mydomain.com>; Fri, 21 May 2021 13:18:04 +0800 (+08)
Received-SPF: pass (gmail.com ... _spf.google.com: Sender is authorized to use 'user1@gmail.com' in 'mfrom' identity (mechanism 'include:_netblocks.google.com' matched)) receiver=pmg.eadeco.local; identity=mailfrom; envelope-from="user1@gmail.com"; helo=mail-ej1-f52.google.com; client-ip=209.85.218.52
Received: from mail-ej1-f52.google.com (mail-ej1-f52.google.com [209.85.218.52])
    by pmg.mydomain.com (Proxmox) with ESMTP
    for <luser1@mydomain.com>; Fri, 21 May 2021 13:17:58 +0800 (+08)
Received: by mail-ej1-f52.google.com with SMTP id lz27so28626744ejb.11
        for <luser1@mydomain.com>; Thu, 20 May 2021 22:17:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=0TSiXX1AxpH9R95vqMggMEr4OZYpSXEAuq1MtojoW80=;
        b=d/FNyix71qXUq+uoQZnaqPFMvoqWoh1VXk5xueZR8aMsEvREaN9vpZKkmI5mGO9oV5
         tmZuvQESIz3pLClidV0ETes2GwCKaxT1Pl8GmwMz1goAWo2qJXYRf2Z8spi9kZFlmUCO
         uKKnkg8ph8FMBWNfq2/lLFjHTtoU5T66OA+XhrA2jbkJQmhZNG4LcsNfaFWCvhM0HokA
         IJRlRN4VV9AbFbgqj+vPHikOZs0WqnEX4Hi086gLFof3t//fPcoJ8mMZ2v9qzoPe+ZZC
         pJZ+JUKFgT+EGNmzPCqttaUaw7evq1Vc4qg5Imnen1bqqP5QFZgEIbs1sJ5RID2AmuAh
         7/uw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=0TSiXX1AxpH9R95vqMggMEr4OZYpSXEAuq1MtojoW80=;
        b=WeHACNUaNoTE+EjyIlbC2Z1mPapiKm+ZTp0U8jeOsMs5HwZ4IiDXOjyiANKJxWDU7f
         VxE4DmdIIeFg7BWReNLrfTcojEnLYTxfhUOa7Qi9ho9LOCL3Vu8H1exVprF/8VEQxQxY
         /LffEfMMz+deRY9DG0I3wwdEN7zEQLgSdQ5a/H4wd7cpVV2tGRl97dvCSccTv+LLQjq9
         T/JpVn0V7AOfRQp5njmCH9gL9y1SrNP099Lnjxv6spFes7JZXhWCgJOyJtGBMvcyQWxV
         JzNKVDPl1ZxR6YAh6GiaYZSRHcUsMqBewzVy7efLdVAur3fce6nZBHnhgK2o+qA3aHFG
         VBAw==
X-Gm-Message-State: AOAM5323xtSR0zo0Y4Y+PWhdvCQ0yQxAcRB6FqjtRsZ66Xc34Hx9RCWO
    el1Mbq5XI8XvqHt/Pv58JWuxYt0J1tarh/UiJ2aoAXue
X-Google-Smtp-Source: ABdhPJxCOIaxw6tj3sWoxzbPiqip4fdl4Yf4MYq2l58vBKLdG9gWxXQM566A5AU+UlGD40G7S+aYRedPWfUBh07V/O4=
X-Received: by 2002:a17:906:87d0:: with SMTP id zb16mr8303837ejb.467.1621574271876;
 Thu, 20 May 2021 22:17:51 -0700 (PDT)
MIME-Version: 1.0
From: user1 <user1@gmail.com>
Date: Fri, 21 May 2021 13:17:40 +0800
Message-ID: <CAKETK8EF3aRBkAJ2pUZCDf0Vid_DMP3DYMuXJK4gP70K9fh9Sg@mail.gmail.com>
Subject: give me bitcoin
To: "user1" <user1@mydomain.com>
Content-Type: multipart/alternative; boundary="00000000000073c2e205c2d02eed"
X-SPAM-LEVEL: Spam detection results:  0
    AWL                    -2.207 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    HTML_MESSAGE            0.001 HTML included in message
    KAM_BITCOIN               4.5 Spam related to investing in bitcoin and other cryptocurrency
    KAM_INFOUSMEBIZ          0.75 Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RCVD_IN_MSPIKE_H3       0.001 Good reputation (+3)
    RCVD_IN_MSPIKE_WL       0.001 Mailspike good senders
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record

--00000000000073c2e205c2d02eed
Content-Type: text/plain; charset="UTF-8"

give me bitcoin for cartel for http://www.givemebitcoincartel.info

thanks

--00000000000073c2e205c2d02eed
Content-Type: text/html; charset="UTF-8"

<div dir="ltr"><div>give me bitcoin for cartel for <a href="http://www.givemebitcoincartel.info">http://www.givemebitcoincartel.info</a></div><div><br></div><div>thanks<br></div></div>

--00000000000073c2e205c2d02eed--
 
Hi @hata_ph

Thanks for your reply! I'm aware of the condition itself, but the same email going through PMG and being manually tested with spamassassin gives two different results: one (spamassassin direct) triggers the rule, the other one does not. I would expect the condition to be equal, since it's the exact same email.

On the raw email that passed through PMG, I even took the source and ran the regexes; the following rules match:

Code:
header        __KAM_INFOUSMEBIZ2    From:addr =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$/i
header        __KAM_INFOUSMEBIZ3    Return-Path =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$/i

header   __KAM_BITCOIN1 Subject =~ /bitcoin|dumping.?their.?gold|dumped.?the.?dollar/i
body     __KAM_BITCOIN2 /price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer|cartel|financial.security|abandoned.our.dollar|money.map/i

That should be enough to satisfy the KAM_BITCOIN triggering, and spamassassin agrees with that.

Spamassassin for a particular email received this morning:
Code:
Content analysis details:   (11.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 0.1 DCC_REPUT_70_89        DCC reputation between 70 and 89 %
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted
                            Colors in HTML
 0.2 KAM_LOTSOFHASH         Emails with lots of hash-like gibberish
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 KAM_SHORT              Use of a URL Shortener for very short URL
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.8 KAM_INFOUSMEBIZ        Prevalent use of
                            .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life
                             domains in spam/malware
 4.5 KAM_BITCOIN            Spam related to investing in bitcoin and other
                            cryptocurrency
-1.7 TXREP                  TXREP: Score normalizing based on sender's reputation

But for PMG it looks like this:

Code:
X-SPAM-LEVEL: Spam detection results:  8
    BAYES_99                  3.5 Bayes spam probability is 99 to 100%
    BAYES_999                 0.2 Bayes spam probability is 99.9 to 100%
    DCC_CHECK                 1.1 Detected as bulk mail by DCC (dcc-servers.net)
    DCC_REPUT_70_89           0.1 DCC reputation between 70 and 89 %
    DIGEST_MULTIPLE         0.293 Message hits more than one network digest check
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HEADER_FROM_DIFFERENT_DOMAINS  0.249 From and EnvelopeFrom 2nd level mail domains are different
    HTML_MESSAGE            0.001 HTML included in message
    KAM_LOTSOFHASH           0.25 Emails with lots of hash-like gibberish
    KAM_SHORT               0.001 Use of a URL Shortener for very short URL
    LOTS_OF_MONEY           0.001 Huge... sums of money
    RAZOR2_CF_RANGE_51_100  1.886 Razor2 gives confidence level above 50%
    RAZOR2_CHECK            0.922 Listed in Razor2 (http://razor.sf.net/)
    SPF_HELO_PASS          -0.001 SPF: HELO matches SPF record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    TXREP                   0.000 Score normalizing based on sender's reputation
    T_KAM_HTML_FONT_INVALID   0.01 Test for Invalidly Named or Formatted Colors in HTML

Obviously TXREP is different, because of how it's calculated.

Everything else seems to match, except spamassassin directly adds the KAM_INFOUSMEBIZ and KAM_BITCOIN. That's why I'm a bit lost and would ideally like to figure out how PMG sends things through spamassassin, since the result differs.

Another interesting thing is actually __KAM_INFOUSMEBIZ1 only targets https:// and not http+https, but that's something for KAM to update I think!
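The two reports above are in different layouts (SpamAssassin's "Content analysis details" table versus the X-SPAM-LEVEL header PMG adds to the message), which makes comparing them by eye error-prone. The following is an added example, not code from the thread or from PMG: a small Python parser for both formats that returns each side's rule-to-score map and the set difference. The two sample inputs are shortened copies of the reports quoted above; the function names (parse_sa_report, parse_pmg_header, compare_hits) are mine.

```python
import re
from typing import Dict

# One hit line of a `spamassassin -D`/`-t` report: " 4.5 KAM_BITCOIN            description"
SA_HIT = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")
# One hit line of PMG's X-SPAM-LEVEL header:      "    KAM_BITCOIN               4.5 description"
PMG_HIT = re.compile(r"^\s+([A-Z0-9_]+)\s+(-?\d+\.\d+)\s+(.*)$")


def parse_sa_report(text: str) -> Dict[str, float]:
    """Rule -> score from a 'Content analysis details' table.

    Wrapped continuation lines ('[score: 1.0000]', the tail of a long description)
    never start with a number, so the regex skips them.
    """
    hits = {}
    for line in text.splitlines():
        m = SA_HIT.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


def parse_pmg_header(text: str) -> Dict[str, float]:
    """Rule -> score from the folded X-SPAM-LEVEL header PMG writes into the mail."""
    hits = {}
    for line in text.splitlines():
        m = PMG_HIT.match(line)
        if m:
            hits[m.group(1)] = float(m.group(2))
    return hits


def compare_hits(sa: Dict[str, float], pmg: Dict[str, float], tolerance: float = 0.05) -> dict:
    """Rules only one side fired, plus shared rules whose scores differ by more than
    `tolerance`. The CLI report rounds to one decimal while PMG prints three
    (0.293 vs 0.3), so small deltas are deliberately not reported."""
    shared = sa.keys() & pmg.keys()
    return {
        "only_in_sa": sorted(sa.keys() - pmg.keys()),
        "only_in_pmg": sorted(pmg.keys() - sa.keys()),
        "score_diffs": {r: (sa[r], pmg[r]) for r in sorted(shared) if abs(sa[r] - pmg[r]) > tolerance},
    }


# Constructed sample inputs: shortened copies of the two reports quoted in the thread.
SA_REPORT = """Content analysis details:   (11.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.8 KAM_INFOUSMEBIZ        Prevalent use of
                            .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life
                             domains in spam/malware
 4.5 KAM_BITCOIN            Spam related to investing in bitcoin and other
                            cryptocurrency
-1.7 TXREP                  TXREP: Score normalizing based on sender's reputation
"""

PMG_HEADER = """X-SPAM-LEVEL: Spam detection results:  8
    BAYES_99                  3.5 Bayes spam probability is 99 to 100%
    DIGEST_MULTIPLE         0.293 Message hits more than one network digest check
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    TXREP                   0.000 Score normalizing based on sender's reputation
"""

if __name__ == "__main__":
    result = compare_hits(parse_sa_report(SA_REPORT), parse_pmg_header(PMG_HEADER))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it on the full copies of the two reports gives the list of rules to chase in the PMG-side debug output (here only_in_sa is KAM_BITCOIN and KAM_INFOUSMEBIZ, and the only score that really differs is TXREP).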
 
This is odd - which spamassassin are you running? (asking since PMG does not enable TXREP for example) - `dpkg -S $(which spamassassin)`
I'd check the output of `spamassassin -D all --lint` - to get all paths where spamassassin checks for rules.

Else - what's the current update-status of SA in PMG? (GUI->Spam Detector->Status)

If both rule-sets are up to date I'd restart pmg-smtp-filter (although this should happen on each SA rule-update).

I hope this helps!
 
asking since PMG does not enable TXREP for example

I'm guilty here for TXREP - I implemented it in favor of AWL; in my specific case it seems to get more accurate in fixing judging mistakes quicker (both for ham and spam) than AWL did. I know it requires actual training, and I'm aware it modifies what PMG ships with.

For the sake of it:
Code:
root@pmg1:~# dpkg -S $(which spamassassin)
proxmox-spamassassin: /usr/bin/spamassassin

I'd check the output of `spamassassin -D all --lint` - to get all paths were spamassassin checks for rules.

Doing a -D all --lint indeed shows the correct file gets included (/var/lib/spamassassin/3.004006/kam_sa-channels_mcgrail_com/KAM.cf being the one containing the KAM_BITCOIN).

Else - what's the current update-status of SA in PMG? (GUI->Spam Detector->Status)

Both are up to date, with last update being 3 and 5am this morning (GMT+2)

If both rule-sets are uptodate I'd restart pmg-smtp-filter (although this should happen on each SA rule-update)

I'll give it a try, thanks!

Checking logs, I do see a few hits for KAM_BITCOIN (like 3-4 on the two servers), so I might just be unlucky that somehow the conditions don't really apply when it actually comes in, but do apply when I run it through spamassassin directly (since here it's already somewhat processed and has been modified).

I'm still pretty new to actually working with PMG and Spamassassin, so there's still plenty to understand and info to grasp!

So far I'm liking it, and PMG is rock solid.
 
It's attached! Sorry for the late reply - I missed the notification

- Lucas
Based on your spam mail, it only triggers the header rule __KAM_BITCOIN3.
To trigger KAM_BITCOIN, you need multiple conditions to hit, for a score of over 3, to register.

Check out spamassassin meta rules https://cwiki.apache.org/confluence/display/spamassassin/WritingRules

Code:
header   __KAM_BITCOIN3 From =~ /bitcoin/i

meta     KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score    KAM_BITCOIN 4.5
 
Based on your spam mail, it only triggers the header rule __KAM_BITCOIN3.
To trigger KAM_BITCOIN, you need multiple conditions to hit, for a score of over 3, to register.

Check out spamassassin meta rules https://cwiki.apache.org/confluence/display/spamassassin/WritingRules

Code:
header   __KAM_BITCOIN3 From =~ /bitcoin/i

meta     KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
describe KAM_BITCOIN Spam related to investing in bitcoin and other cryptocurrency
score    KAM_BITCOIN 4.5

hmm, from my spamassassin command on the exact file (after wget-ing it onto my PMG server):

Code:
root@pmg1:~# cat spam.txt | spamassassin -D
.... snipped ...
Received: from localhost by pmg1.cluster.eu
    with SpamAssassin (version 3.4.6);
    Fri, 21 May 2021 17:20:16 +0200
From: DailyCrypto News <news@dailycrypto.news>
To: "user@customer.com" <user@customer.com>
Subject: Bitcoin whales feast as BTC price and the wider market melt down
Date: Thu, 20 May 2021 23:03:12 +0000
Message-Id: <25b9fc9760d2d9023162aee205fb2949@22n.biz>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pmg1.cluster.eu
X-Spam-Flag: YES
X-Spam-Level: ***********
X-Spam-Status: Yes, score=12.0 required=5.0 tests=BAYES_99,BAYES_999,DCC_CHECK,
    DCC_REPUT_70_89,DIGEST_MULTIPLE,DKIM_INVALID,DKIM_SIGNED,HTML_MESSAGE,
    KAM_BITCOIN,KAM_DMARC_STATUS,KAM_INFOUSMEBIZ,KAM_LOTSOFHASH,KAM_SHORT,
    LOTS_OF_MONEY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,SPF_HELO_PASS,
    SPF_PASS,TXREP,T_KAM_HTML_FONT_INVALID autolearn=no autolearn_force=no
    version=3.4.6
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_60A7CFB0.DCE80511"

This is a multi-part message in MIME format.

------------=_60A7CFB0.DCE80511
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "pmg1.cluster.eu",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Bears, bulls, or something else altogether? Crypto experts
   weigh in on recent volatility   https://t.22n.biz/index.php/campaigns/f78a581fa8b63/track-url/39c91e2fb9881/c34e3239f81000972e35ed23f39b2a3f
   [...]

Content analysis details:   (12.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.1 DCC_REPUT_70_89        DCC reputation between 70 and 89 %
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.9 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 KAM_SHORT              Use of a URL Shortener for very short URL
 0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                            Alignment
 0.2 KAM_LOTSOFHASH         Emails with lots of hash-like gibberish
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.3 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.8 KAM_INFOUSMEBIZ        Prevalent use of
                            .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life
                             domains in spam/malware
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted
                            Colors in HTML
 4.5 KAM_BITCOIN            Spam related to investing in bitcoin and other
                            cryptocurrency
-1.8 TXREP                  TXREP: Score normalizing based on sender's reputation
.... snipped ...

KAM_BITCOIN, as you mention, needs 3 or over.

The regex (as you posted earlier) matches __KAM_INFOUSMEBIZ3:

Code:
meta        KAM_INFOUSMEBIZ    (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)

KAM_INFOUSMEBIZ is set if BIZ1, 2 or 3 matches (in this case BIZ3 matches) - so that's our first point.

spamassassin debug output:
Code:
May 21 17:23:14.534 [19163] dbg: rules: ran header rule __KAM_INFOUSMEBIZ3 ======> got hit: ".biz"

BITCOIN1 and BITCOIN2 also match:
Code:
May 21 17:23:14.510 [19163] dbg: rules: ran header rule __KAM_BITCOIN1 ======> got hit: "Bitcoin"
May 21 17:23:14.002 [19163] dbg: rules: ran one_line_body rule __KAM_BITCOIN2 ======> got hit: "cryptocurrencies"
May 21 17:23:14.007 [19163] dbg: rules: ran one_line_body rule __KAM_BITCOIN2 ======> got hit: "cryptocurrencies"

So we got 1 point for KAM_INFOUSMEBIZ, plus KAM_BITCOIN1 and KAM_BITCOIN2 - that's 3 points, so it should apply, and it does indeed apply when testing directly with the spamassassin CLI.

It's just odd that it doesn't detect it within PMG - I'll keep an eye on the next email coming in that (should) match it, and hope it indeed will.

- Lucas
 
I did a mail test with a URL link using http://xxx.biz and https://xxx.biz. Based on my default PMG spamassassin setup it only detects http:// for the rule __KAM_INFOUSMEBIZ1, not https://.

Please show the content of your /usr/share/spamassassin-extra/KAM.cf

Code:
less /usr/share/spamassassin-extra/KAM.cf | grep __KAM_INFOUSMEBIZ1

Code:
X-SPAM-LEVEL: Spam detection results:  0
    AWL                    -1.186 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIM_INVALID              0.1 DKIM or DK signature exists, but is not valid
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    HTML_MESSAGE            0.001 HTML included in message
    KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
    KAM_SHORT               0.001 Use of a URL Shortener for very short URL
    RAZOR2_CF_RANGE_51_100  1.886 Razor2 gives confidence level above 50%
    RAZOR2_CHECK            0.922 Listed in Razor2 (http://razor.sf.net/)
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    TVD_SPACE_RATIO         0.001 -

--0000000000008786d405c2d8fc5c
Content-Type: text/plain; charset="UTF-8"

testing
https://t.22n.biz/index.=php/campaigns/f78a581fa8b63/track-url/39c91e2fb9881/15973610e37823e4be23200=a7aa971be08e8b4fb

Code:
X-SPAM-LEVEL: Spam detection results:  0
    AWL                    -1.359 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    FSL_BULK_SIG            0.001 Bulk signature with no Unsubscribe
    HTML_MESSAGE            0.001 HTML included in message
    KAM_INFOUSMEBIZ          0.75 Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
    KAM_SHORT               0.001 Use of a URL Shortener for very short URL
    RAZOR2_CF_RANGE_51_100  1.886 Razor2 gives confidence level above 50%
    RAZOR2_CHECK            0.922 Listed in Razor2 (http://razor.sf.net/)
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    SPF_PASS               -0.001 SPF: sender matches SPF record
    TVD_SPACE_RATIO         0.001 -
    T_SPF_HELO_TEMPERROR     0.01 SPF: test of HELO record failed (temperror)

--000000000000d8203a05c2d90848
Content-Type: text/plain; charset="UTF-8"

testing
http://t.22n.biz/index.=php/campaigns/f78a581fa8b63/track-url/39c91e2fb9881/15973610e37823e4be23200=a7aa971be08e8b4fb
 
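To make the meta-rule arithmetic from hata_ph's and Lucas's posts above concrete, and to show the http-only behaviour of __KAM_INFOUSMEBIZ1 that the test mails just above illustrate, here is an added Python re-implementation. It is not SpamAssassin's code and not part of the thread: the six sub-rule regexes and the two meta rules are copied from the KAM.cf excerpt quoted earlier, while the header and body extraction around them is a simplified stand-in for SpamAssassin's rendering (no HTML stripping, no decoding quirks). The three test messages are constructed (the .biz link host is made up; the Return-Path and From values mirror the ones quoted in the thread), and build_mail, extract_fields and evaluate are my names.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Sub-rules and the meta-rule arithmetic are copied from the KAM.cf excerpt quoted in this
# thread. Everything else (field extraction, scoring glue) is a simplified stand-in for
# SpamAssassin, not its real implementation.
SUB_RULES = {
    "__KAM_INFOUSMEBIZ1": ("rawbody", r"http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)"),
    "__KAM_INFOUSMEBIZ2": ("from_addr", r"\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)$"),
    "__KAM_INFOUSMEBIZ3": ("return_path", r"\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$"),
    "__KAM_BITCOIN1": ("subject", r"bitcoin|dumping.?their.?gold|dumped.?the.?dollar"),
    "__KAM_BITCOIN2": ("body", r"price.of.bitcoin|bitcoin.price|crypto.?currenc(y|ies)|currency.pioneer"
                               r"|cartel|financial.security|abandoned.our.dollar|money.map"),
    "__KAM_BITCOIN3": ("from", r"bitcoin"),
}
COMPILED = {name: (field, re.compile(rx, re.I)) for name, (field, rx) in SUB_RULES.items()}
SCORE_INFOUSMEBIZ = 0.75   # score PMG shows for KAM_INFOUSMEBIZ in the X-SPAM-LEVEL headers above
SCORE_BITCOIN = 4.5        # "score KAM_BITCOIN 4.5"


def extract_fields(raw_message: str) -> dict:
    """Build the header/body views the sub-rules look at (simplified, no HTML stripping)."""
    msg = message_from_string(raw_message, policy=policy.default)
    texts = [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]
    plain = [p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain"]
    sender = str(msg.get("From", ""))
    return {
        "subject": str(msg.get("Subject", "")),
        "from": sender,                                    # "From =~" sees the whole header
        "from_addr": parseaddr(sender)[1],                 # "From:addr =~" sees only the address
        "return_path": str(msg.get("Return-Path", "")).strip(),
        "body": "\n".join(plain),                          # "body" rules: rendered text
        "rawbody": "\n".join(texts),                       # "rawbody" rules: all text parts
    }


def evaluate(raw_message: str) -> dict:
    """Evaluate the six sub-rules, then the two meta rules the way KAM.cf combines them."""
    fields = extract_fields(raw_message)
    hits = {name: bool(rx.search(fields[field])) for name, (field, rx) in COMPILED.items()}
    # meta KAM_INFOUSMEBIZ (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)
    infousmebiz = sum(hits[r] for r in ("__KAM_INFOUSMEBIZ1", "__KAM_INFOUSMEBIZ2", "__KAM_INFOUSMEBIZ3")) >= 1
    # meta KAM_BITCOIN (KAM_INFOUSMEBIZ + __KAM_BITCOIN1 + __KAM_BITCOIN2 + __KAM_BITCOIN3 >= 3)
    points = int(infousmebiz) + sum(hits[r] for r in ("__KAM_BITCOIN1", "__KAM_BITCOIN2", "__KAM_BITCOIN3"))
    bitcoin = points >= 3
    score = (SCORE_INFOUSMEBIZ if infousmebiz else 0.0) + (SCORE_BITCOIN if bitcoin else 0.0)
    return {"hits": hits, "KAM_INFOUSMEBIZ": infousmebiz, "KAM_BITCOIN": bitcoin,
            "bitcoin_points": points, "kam_score": score}


def build_mail(return_path: str, sender: str, subject: str, body: str) -> str:
    """Constructed single-part test message; the link host below is made up for this example."""
    return (f'Return-Path: {return_path}\nFrom: {sender}\nTo: users <user1@mydomain.com>\n'
            f'Subject: {subject}\nContent-Type: text/plain; charset="UTF-8"\n\n{body}\n')


SUBJECT = "Bitcoin whales feast as BTC price and the wider market melt down"
BODY_HTTP = "most popular cryptocurrencies.\nhttp://t.example.biz/track/abc123"
BODY_HTTPS = BODY_HTTP.replace("http://", "https://")

# 1) http:// link to a .biz host: __KAM_INFOUSMEBIZ1 supplies the third point -> KAM_BITCOIN fires
MAIL_HTTP_BIZ = build_mail("<user1@gmail.com>", "user1 <user1@gmail.com>", SUBJECT, BODY_HTTP)
# 2) identical mail over https://: rule 1 is http-only, so only BITCOIN1 + BITCOIN2 = 2 points
MAIL_HTTPS_ONLY = build_mail("<user1@gmail.com>", "user1 <user1@gmail.com>", SUBJECT, BODY_HTTPS)
# 3) https:// link but a .biz Return-Path: __KAM_INFOUSMEBIZ3 supplies the third point instead
MAIL_HTTPS_BIZ_RP = build_mail("<info@22n.biz>", "DailyCrypto News <news@dailycrypto.news>", SUBJECT, BODY_HTTPS)

if __name__ == "__main__":
    for label, mail in (("http .biz link", MAIL_HTTP_BIZ), ("https only", MAIL_HTTPS_ONLY),
                        ("https + .biz Return-Path", MAIL_HTTPS_BIZ_RP)):
        r = evaluate(mail)
        print(f"{label:26} points={r['bitcoin_points']} KAM_BITCOIN={r['KAM_BITCOIN']} score={r['kam_score']}")
```

The second message is the interesting one for the thread: subject and body both hit, but with an https:// link and a mainstream sender domain nothing supplies the third point, so KAM_BITCOIN stays off even though the mail is plainly about bitcoin. Whether a real message reaches 3 therefore depends on exactly which From and Return-Path values the filter sees at scan time, which is worth keeping in mind when a CLI run and the in-line scan disagree.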
Please show the content of your /usr/share/spamassassin-extra/KAM.cf

Code:
less /usr/share/spamassassin-extra/KAM.cf | grep __KAM_INFOUSMEBIZ1
Code:
# less /usr/share/spamassassin-extra/KAM.cf | grep __KAM_INFOUSMEBIZ1
rawbody        __KAM_INFOUSMEBIZ1    /http:\/\/(?:www.)?.{4,30}\.(info|us|me|me\.uk|biz)(?![-\.])(\b|\/)/i
meta        KAM_INFOUSMEBIZ    (__KAM_INFOUSMEBIZ1 + __KAM_INFOUSMEBIZ2 + __KAM_INFOUSMEBIZ3 >= 1)

It indeed won't match __KAM_INFOUSMEBIZ1, since that's looking for http only - but __KAM_INFOUSMEBIZ3 does get matched for sure:

Code:
header        __KAM_INFOUSMEBIZ3    Return-Path =~ /\.(info|us|me|me\.uk|biz|xyz|id|rocks|life)>?$/i

Return-Path of the email:
Code:
Return-Path: info@22n.biz

That return path would match it due to .biz being in there:
[screenshot of the regex match; image not included]
 
I just noticed my first test is wrong.
I have sent another test mail and was able to trigger the KAM_BITCOIN score on my default PMG spamassassin setup.
Do take note that I cannot reproduce the header rule __KAM_INFOUSMEBIZ3, so I triggered __KAM_INFOUSMEBIZ1 instead, but the condition should be the same.

Code:
Subject: Bitcoin whales feast as BTC price and the wider market melt down
To: "users" <user1@mydomain.com>
Content-Type: multipart/alternative; boundary="000000000000448ffa05c2d93dc6"
X-SPAM-LEVEL: Spam detection results:  2
    AWL                    -3.607 Adjusted score from AWL reputation of From: address
    BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    FREEMAIL_FROM           0.001 Sender email is commonly abused enduser mail provider
    HTML_MESSAGE            0.001 HTML included in message
    KAM_BITCOIN               4.5 Spam related to investing in bitcoin and other cryptocurrency
    KAM_INFOUSMEBIZ          0.75 Prevalent use of .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life domains in spam/malware
    KAM_SHORT               0.001 Use of a URL Shortener for very short URL
    RAZOR2_CF_RANGE_51_100  1.886 Razor2 gives confidence level above 50%
    RAZOR2_CHECK            0.922 Listed in Razor2 (http://razor.sf.net/)
    RCVD_IN_DNSWL_NONE     -0.0001 Sender listed at https://www.dnswl.org/, no trust
    RCVD_IN_MSPIKE_H2      -0.001 Average reputation (+2)
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    T_SPF_TEMPERROR          0.01 SPF: test of record failed (temperror)


--000000000000448ffa05c2d93dc6
Content-Type: text/plain; charset="UTF-8"

most popular cryptocurrencies.
http://t.22n.biz/index.=php/campaigns/f78a581fa8b63/track-url/39c91e2fb9881/15973610e37823e4be23200=a7aa971be08e8b4fb
 
Just out of curiosity, how do you test it via PMG directly? I know how to do it via spamassassin, but if I can test it via PMG (somehow), then obviously I can try that - my result without KAM_BITCOIN is simply an email from earlier that went into quarantine.

Best Regards,
Lucas R
 
Just out of curiosity, how do you test it via PMG directly? I know how to do it via spamassassin, but if I can test it via PMG (somehow), then obviously I can try that - my result without KAM_BITCOIN is simply an email from earlier that went into quarantine.

Best Regards,
Lucas R
I sent it from my Gmail to another email address behind PMG.
 