Re: [Mimedefang] filter on header from display name

2018-12-19 Thread Kris Deugau

Marcus Schopen wrote:
> On Monday, 26.11.2018, at 13:02 -0500, Dianne Skoll wrote:
> > On Mon, 26 Nov 2018 17:55:57 +0100
> > Marcus Schopen wrote:
> >
> > > is always the same, but I can't catch it with blacklist_from. Can I get
> > > that from $entity->head->get('From') or any better ideas?
> >
> > That should work, or you can open and read the file ./HEADERS, which
> > contains the message headers (unwrapped, so exactly one header per
> > line.)
>
> I use a spamassassin rule now
>
> header MY_HEADER_1  From =~  /^.*\@spammer\.com.*/
> describe MY_HEADER_1 Header-Spam-Rule 1
> score MY_HEADER_1   100


This will more or less work, but keep in mind that "spammer.com" might 
better be shown in examples as "spoofvictim.com".  The whole point of 
this from the spammer's perspective is that mail clients will only 
display the "known"/"trusted" address, hiding the *other* victim (the 
compromised account).  Most of the time *both* addresses in the From: on 
these messages, however arranged, are innocent and unrelated to the 
spammer.  If you block either, you take the risk of blocking legitimate 
mail.


I have a pair of subrules looking for two @ signs in the From: - one 
just looks for two @ signs, the other looks for a specific variant with 
two <>-wrapped normal email addresses.  These get combined with a couple 
of other factors in meta rules to build up the score.


-kgd
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
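
Added example, not part of the original post and not Kris Deugau's actual rules: a Perl sketch of the two From: checks described above (two @ signs, two <>-wrapped addresses) plus a display-name/real-address domain comparison. The function name, the hit labels and the sample headers are constructed for illustration; treating the last <...> address as the real one is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Inspect a From: header value (as returned by $entity->head->get('From')).
# Assumption: the last <...>-wrapped address is the one actually used;
# any other address in the value is display-name decoration.
sub inspect_from {
    my ($from) = @_;
    $from = '' unless defined $from;
    $from =~ s/\s+\z//;                        # drop trailing newline/whitespace
    my $at_count = () = $from =~ /\@/g;        # check 1: count '@' signs
    my @angle = $from =~ /<([^<>\s]+\@[^<>\s]+)>/g;    # check 2: <addr> pairs
    my @all   = map { lc $_ } $from =~ /([^\s<>"'(),;:]+\@[^\s<>"'(),;:]+)/g;
    my $real  = @angle ? lc $angle[-1] : ($all[-1] // '');
    my ($real_dom) = $real =~ /\@(.+)\z/;
    # Addresses that are displayed but belong to a different domain.
    my @foreign = grep { defined $real_dom && !/\@\Q$real_dom\E\z/ } @all;
    return {
        at_count  => $at_count,
        two_angle => (@angle >= 2 ? 1 : 0),
        real      => $real,
        foreign   => \@foreign,
    };
}

# Constructed sample header values (not taken from the thread).
my @samples = (
    qq{"Alice Example" <alice\@example.org>\n},
    qq{"alice\@example.org" <alice\@example.org>\n},
    qq{"ceo\@victim.example" <user\@compromised.example>\n},
    qq{"Boss <ceo\@victim.example>" <user\@compromised.example>\n},
    qq{alice\@example.org\n},
);

for my $from (@samples) {
    my $r = inspect_from($from);
    my @hits;
    push @hits, 'TWO_AT'       if $r->{at_count} >= 2;
    push @hits, 'TWO_ANGLE'    if $r->{two_angle};
    push @hits, 'NAME_FOREIGN' if @{ $r->{foreign} };
    # In filter_end one would tag the message (for instance with
    # action_add_header()) and combine the hits with other factors,
    # rather than block on either address.
    printf "real=%-26s hits=%s\n", $r->{real}, join(',', @hits) || '-';
}
```

The second sample shows why a bare two-@ check is only a sub-score: a legitimate sender whose display name repeats their own address trips TWO_AT but not NAME_FOREIGN.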


Re: [Mimedefang] filter on header from display name

2018-12-18 Thread Marcus Schopen
On Monday, 26.11.2018, at 13:02 -0500, Dianne Skoll wrote:
> On Mon, 26 Nov 2018 17:55:57 +0100
> Marcus Schopen wrote:
> 
> > is always the same, but I can't catch it with blacklist_from. Can I get
> > that from $entity->head->get('From') or any better ideas?
> 
> That should work, or you can open and read the file ./HEADERS, which
> contains the message headers (unwrapped, so exactly one header per
> line.)

I use a spamassassin rule now

header MY_HEADER_1  From =~  /^.*\@spammer\.com.*/
describe MY_HEADER_1 Header-Spam-Rule 1
score MY_HEADER_1   100

Ciao!




Re: [Mimedefang] filter on header from display name

2018-11-26 Thread Dianne Skoll
On Mon, 26 Nov 2018 17:55:57 +0100
Marcus Schopen  wrote:

> is always the same, but I can't catch it with blacklist_from. Can I get
> that from $entity->head->get('From') or any better ideas?

That should work, or you can open and read the file ./HEADERS, which
contains the message headers (unwrapped, so exactly one header per line.)

Regards,

Dianne.


[Mimedefang] filter on header from display name

2018-11-26 Thread Marcus Schopen
Hi,

I see a spammer, who sends with different envelope from and header
from, but the "display name" in header from always contains the same
substring, e.g.:

From: "Spammer " 

The part 
  
  From: "Spammer "

is always the same, but I can't catch it with blacklist_from. Can I get
that from $entity->head->get('From') or any better ideas?

Ciao
Marcus





Re: [Mimedefang] filter on header From:

2017-05-09 Thread Dianne Skoll
On Tue, 09 May 2017 17:07:58 +0200
Marcus Schopen  wrote:

> Okay. So if I rebuild the hash file I have to reread mimedefang to
> kill idle slaves and force a reread of the filter rules, or wait until
> all processes are restarted by the multiplexor, right?

Yes.  The purpose of md-mx-ctrl reread is to have a graceful way to
update the filters without waiting for them to be recycled naturally.

Regards,

Dianne.


Re: [Mimedefang] filter on header From:

2017-05-09 Thread Marcus Schopen
Hi Dianne,

On Tuesday, 09.05.2017, at 09:46 -0400, Dianne Skoll wrote:
[...]

> No, because the filter_recipient and filter_begin/filter_end functions
> may not be called in the same process.
> 
> You can define a function called filter_initialize() that will get called
> once when a new scanning process is started.
> 
> See the section MAINTAINING STATE in the mimedefang-filter(5) man page.

Okay. So if I rebuild the hash file I have to reread mimedefang to kill
idle slaves and force a reread of the filter rules, or wait until all
processes are restarted by the multiplexor, right?

Ciao!
Marcus





Re: [Mimedefang] filter on header From:

2017-05-09 Thread Dianne Skoll
On Tue, 09 May 2017 10:51:08 +0200
Marcus Schopen  wrote:

> Is there a way to load the key-value hash table file only at
> start/reread/reload of mimedefang and not read it on each incoming
> email in filter_end?

No, because the filter_recipient and filter_begin/filter_end functions
may not be called in the same process.

You can define a function called filter_initialize() that will get called
once when a new scanning process is started.

See the section MAINTAINING STATE in the mimedefang-filter(5) man page.

Regards,

Dianne.


Re: [Mimedefang] filter on header From:

2017-05-09 Thread Marcus Schopen
On Tuesday, 09.05.2017, at 14:45 +0200, Marcus Schopen wrote:
> The hash file is created with 
> 
>  makemap hash testhash.db < testhash.txt 

Just found out that I can use the -e option of makemap to allow an empty
value on the right-hand side, so the format now is just one email address
per line.

Ciao!
Marcus




Re: [Mimedefang] filter on header From:

2017-05-09 Thread Marcus Schopen
Hi Kris,

On Tuesday, 09.05.2017, at 10:51 +0200, Marcus Schopen wrote:
> Is there a way to load the key-value hash table file only at
> start/reread/reload of mimedefang and not read it on each incoming email
> in filter_end?

Haha, we had a similar discussion three years ago ;)

http://lists.roaringpenguin.com/pipermail/mimedefang/2014-March/037274.html


This is my mimedefang-filter now:

sub filter_initialize {
    # runs once when a new scanning process starts
    require DB_File;
    use Fcntl;
    tie %testhash_list, "DB_File", "/etc/mail/testhash.db", O_RDONLY;
}

sub filter_cleanup {
    untie %testhash_list;
}

sub filter_end {
[...]

    # get header From and compare to hash
    my $fromaddr = $entity->head->get('From');
    $fromaddr =~ s/.+<([^>]+)>/$1/;   # keep only the address inside <...>
    $fromaddr =~ s/\s+$//;            # trim trailing whitespace

    if (exists $testhash_list{lc $fromaddr}) {
        action_add_header("X-SpecialHeader", "$fromaddr is in testhash_list");
    }

The hash file is created with 

 makemap hash testhash.db < testhash.txt 

The format of the hash file is just

 myemailaddr...@domain.de 1

What I don't understand is, why there is an ending white space on the
header From variable $fromaddr, so I have to trim it with  

  $fromaddr =~ s/\s+$//;

Ciao
Marcus
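
Added example, not part of the original post: head->get() returns the header text including its trailing newline, and the `.` in the substitution above never matches a newline, so the newline survives the extraction and the hash lookup misses unless it is trimmed. The sketch below compares the thread's extraction with a normalised variant; the function names, the plain hash standing in for the tied DB_File hash, and the sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The extraction used in the thread, without the extra trim.
sub thread_extract {
    my ($v) = @_;
    $v =~ s/.+<([^>]+)>/$1/;   # '.' never matches "\n", so the newline survives
    return $v;
}

# Normalised variant: unfold, trim, take the last <...> address (or the bare
# value when there are no angle brackets), and lower-case it for the lookup.
sub header_from_addr {
    my ($v) = @_;
    return '' unless defined $v;
    $v =~ s/\r?\n[ \t]+/ /g;           # unfold continuation lines
    $v =~ s/^\s+|\s+$//g;              # includes the trailing "\n"
    my @angle = $v =~ /<([^<>\s]+)>/g;
    my $addr  = @angle ? $angle[-1] : $v;
    return lc $addr;
}

# Stand-in for the tied DB_File hash (constructed keys, stored lower-case).
my %testhash_list = ('alice@example.org' => 1, 'bob@example.net' => 1);

# Constructed values shaped like head->get('From') results: each ends in "\n".
my @samples = (
    "Alice Example <Alice\@Example.ORG>\n",
    "bob\@example.net\n",
    "\"Carol\" <carol\@example.com>\n",
);

for my $raw (@samples) {
    my $old = thread_extract($raw);
    my $new = header_from_addr($raw);
    (my $shown = $old) =~ s/\n/\\n/g;  # make the newline visible
    printf "old=[%s] hit=%s | new=[%s] hit=%s\n",
        $shown, (exists $testhash_list{lc $old} ? 'yes' : 'no'),
        $new,   (exists $testhash_list{$new}    ? 'yes' : 'no');
}
```

The second sample also covers a bare address with no angle brackets, where the substitution does nothing and only the trim makes the key match.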




Re: [Mimedefang] filter on header From:

2017-05-09 Thread Marcus Schopen
Hi Kris,

On Monday, 08.05.2017, at 17:27 -0400, Kris Deugau wrote:
> You would have to fill it in first, by extracting it from the 
> MIME::Entity passed to the filter_end sub;  something like (untested, 
> check MIME::Tools documentation):
> 
> $fromaddr = $entity->head->get('From');
> $fromaddr =~ s/.+<([^>]+)>/$1/;
[...]

Ah, yes. This is working. I thought "fromaddr" is a globally available
variable. Sorry for misunderstanding.

Is there a way to load the key-value hash table file only at
start/reread/reload of mimedefang and not read it on each incoming email
in filter_end?

Ciao
Marcus




Re: [Mimedefang] filter on header From:

2017-05-08 Thread Kris Deugau

Marcus Schopen wrote:
> Hi Kris,
>
> On Monday, 08.05.2017, at 11:13 -0400, Kris Deugau wrote:
> > if ($hashfile{$fromaddr}) {
> >    action_add_header("SpecialHeader", "$fromaddr found in list");
> > }
>
> Ah, good idea. Thanks!
>
> But if I just add this to filter_end
>
>   action_add_header("X-SpecialHeader", "$fromAddr test");
>
> to read out $fromAddr, the variable is empty in my case.


You would have to fill it in first, by extracting it from the 
MIME::Entity passed to the filter_end sub;  something like (untested, 
check MIME::Tools documentation):


$fromaddr = $entity->head->get('From');
$fromaddr =~ s/.+<([^>]+)>/$1/;

If you just want to test, you can try $Sender instead, which is the 
envelope sender.


See the man page for mimedefang-filter to see which globals are provided.

-kgd


Re: [Mimedefang] filter on header From:

2017-05-08 Thread Marcus Schopen
Hi Kris,

On Monday, 08.05.2017, at 11:13 -0400, Kris Deugau wrote:
> if ($hashfile{$fromaddr}) {
>    action_add_header("SpecialHeader", "$fromaddr found in list");
> }
> 

Ah, good idea. Thanks!

But if I just add this to filter_end

  action_add_header("X-SpecialHeader", "$fromAddr test");

to read out $fromAddr, the variable is empty in my case.

Ciao!




Re: [Mimedefang] filter on header From:

2017-05-08 Thread Kris Deugau

Marcus Schopen wrote:
> Hei,
>
> I have a text-based list of email addresses (one email per line). Where
> would I best filter on header "From: " (not envelope from) in
> mimedefang-filter and add an additional mail header in case of a hit? At
> the moment I use spamassassin rules to tag such mails in filter_end, but
> spamassassin catches only mails if their "./INPUTMSG" is smaller than the
> global given message size, which I don't want to increase.


You should be able to use the MIME::Entity passed to filter_end to 
retrieve the From: header.


Unless it's fairly short, I'd recommend converting your text file into 
your favourite flavour of key-value hash table file, accessible from MD 
as a tied hash via the matching Perl *DB_File module.


Then it's just a matter of:

if ($hashfile{$fromaddr}) {
  action_add_header("SpecialHeader", "$fromaddr found in list");
}

-kgd


[Mimedefang] filter on header From:

2017-05-08 Thread Marcus Schopen
Hei,

I have a text-based list of email addresses (one email per line). Where
would I best filter on header "From: " (not envelope from) in
mimedefang-filter and add an additional mail header in case of a hit? At
the moment I use spamassassin rules to tag such mails in filter_end, but
spamassassin catches only mails if their "./INPUTMSG" is smaller than the
global given message size, which I don't want to increase.

Ciao!
Marcus


