Re: Avoid processing of email with specific headers

2009-07-25 Thread mouss
Pietro wrote:
 In my installation, SA is called by Postfix. Any idea? Thanks in advance.
 

This is really a postfix question. Follow up on the postfix-users list
if needed.

You can skip filtering using header_checks, for example:
/^X-Spam-Status: Yes/   FILTER smtp:[127.0.0.1]:10025

assuming you have an smtpd listening on port 10025 (with filtering
disabled).

But make sure not to give spammers a free ride: don't skip filtering
just because you see X-Spam-Status: No.


While I am in, using amavisd-new is preferred over running SA directly
from postfix.



SA Not Checking emails

2009-07-25 Thread twofers
So I (think) I know that if SA is sent a message of a specific large size, SA 
will not process it (recent thread here), and I also (think) I know that if the 
server is overly busy, etc., SA will not check the email. Now I may be 
totally wrong about this, but my assumptions are based on feedback from others.
So, I get a few obvious SPAM emails that, as has happened several times 
previously, are not checked by SA. So I look at the header closely and see that 
there is a particular header string, i.e. Received-SPF: pass 
(mail.myserver.com: SPF record at askdoccindy.com designates 94.23.153.215 as 
permitted sender)
and:
Received-SPF: pass (mail.myserver.com: SPF record at finalbidinc.com designates 
76.76.104.114 as permitted sender)
and:
Received-SPF: pass (mail.myserver.com: SPF record at ridediscount.com 
designates 94.76.234.27 as permitted sender)
and:
Received-SPF: pass (mail.myserver.com: SPF record at allradiohead.com 
designates 67.208.74.216 as permitted sender)
 
So I am not sure if this has something to do with this SPAM not being checked 
or what?
 
Here is a full header to one of the emails. Maybe someone can tell me what may 
be going on.
 
Thanks.
 
Wes
 
Received: (qmail 32062 invoked by uid 110); 25 Jul 2009 09:20:14 -0400
Delivered-To: 15-gmha...@x.com
Received: (qmail 32044 invoked from network); 25 Jul 2009 09:20:14 -0400
Received: from 67-208-74-216.reliablehostingservices.net (HELO mx1.allradiohead.com) (67.208.74.216)
  by mail.x.com with SMTP; 25 Jul 2009 09:20:12 -0400
Received-SPF: pass (mail.x.com: SPF record at allradiohead.com designates 67.208.74.216 as permitted sender)
From: Super DISH Packages <qlpack...@allradiohead.com>
To: gmha...@x.com
Subject: RE: DISH Network - Packages starting at $9.99/month! Start saving!
Date: Sat, 25 Jul 2009 11:22:41 -0500
Message-ID: <20090725112241.cklzecmm...@mx1.allradiohead.com>
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="=_NextPart_000_0004_b260f8c.b260f8c"
X-Mailer: Microsoft Office Outlook 12.0
Content-Language: en-us

This is a multi-part message in MIME format.
--=_NextPart_000_0004_b260f8c.b260f8c
Content-Type: multipart/alternative;
    boundary="=_NextPart_001_0005_b260f8c.b260f8c"


  

Re: Avoid processing of email with specific headers

2009-07-25 Thread Jari Fredriksson
 Pietro wrote:
 In my installation, SA is called by Postfix. Any idea?
 Thanks in advance. 
 
 
 This is really a postfix question. Follow up on the
 postfix-users list if needed.
 
 you can skip filtering using header_checks. for example
 /^X-Spam-Status: Yes/ FILTER smtp:[127.0.0.1]:10025
 
 assuming you have an smtpd listening on port 10025 (with
 filtering disabled).
 
 but make sure not to give spammers a free ride: don't
 skip filtering just because you see X-Spam-Status:
 No 
 
 
 While I am in, using amavisd-new is preferred over
 running SA directly from postfix.

Got the following error when I tried that. I'm using stock postfix on Debian 
Lenny w/ backports.


postfix/cleanup[1602]: fatal: dict_open: unsupported dictionary type: pcre:  Is 
the postfix-pcre package installed?


Re: SA Not Checking emails

2009-07-25 Thread Benny Pedersen

On Sat, July 25, 2009 16:19, twofers wrote:

 Here is a full header to one of the emails. Maybe someone can tell me what 
 may be going on.

http://old.openspf.org/wizard.html?mydomain=allradiohead.com&submit=Go!

Do you see any softfails at all, or even a fail? Is spf_helo_pass seen in 
spamassassin?

If so, try contacting the postmaster at the SPF domain.

Also note that the "?all" in the wizard is suggested to be "-all" on multiple subdomains.

If the postmaster needs help, give him the openspf URL :)


-- 
xpoint



Re: SA Not Checking emails

2009-07-25 Thread Benny Pedersen

On Sat, July 25, 2009 16:59, Benny Pedersen wrote:
 On Sat, July 25, 2009 16:19, twofers wrote:
 Here is a full header to one of the emails. Maybe someone can tell me what 
 may be going on.
 http://old.openspf.org/wizard.html?mydomain=allradiohead.com&submit=Go!

Oops, I forgot to say: non-FQDN MX records.

-- 
xpoint



Re: anchor forgery

2009-07-25 Thread mouss
Mike Cardwell wrote:
 Just checking through my Spam folder and I came across a message that
 contained this in the html:
 
 <a target="_blank"
 href="http://www.kanotiser.se/images/logo.html">https://www.paypal.co/us/webscr.php?cmd=_login-run&cmd=_secure</a>
 
 Yet, there was no mention of this obvious forgery in the spamassassin
 rules which caught the email.
 
 How would you create a rule which matched when the anchor text is a url
 which uses a different domain to the anchor href?
 

this has been discussed a (very) long time ago. the outcome is that a
mismatch also happens in legitimate mail.

you can do the check for selected domains such as paypal. but then I'd
simply look for the presence of paypal (or variant) in the message then
look for patterns that confirm it is from paypal, otherwise tag as spam.


Re: whitelist_from questions

2009-07-25 Thread Matus UHLAR - fantomas
On 25.07.09 01:25, jida...@jidanni.org wrote:
 Actually there should be one or two more whitelists, so one can e.g., score
 -100 one's friends
 -10  one's schools
 -1   one's country

we still have def_whitelist_* with score of -15.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
He who laughs last thinks slowest. 


Re: anchor forgery

2009-07-25 Thread Matt Kettler
mouss wrote:
 Mike Cardwell wrote:
   
 Just checking through my Spam folder and I came across a message that
 contained this in the html:


 
censored example, Verizon won't let me send it 
 Yet, there was no mention of this obvious forgery in the spamassassin
 rules which caught the email.

 How would you create a rule which matched when the anchor text is a url
 which uses a different domain to the anchor href?

 

 this has been discussed a (very) long time ago. the outcome is that a
 mismatch also happens in legitimate mail.

Not just happens, it happens quite a lot.

Sometimes in nonspam it is differences that are easy to compensate for,
like the link being to hosting.example.com, but the anchor text is
www.example.com.

Other times it's difficult to compensate for, where they first send you
to a link at their ESP, which then redirects you to the actual site.
Some ESPs prefer to do this, either for billing (charge extra for
clicks) or spam control reasons (if the sender violates the ToS, the ESP
will disable the redirect, which isn't much, but it does prevent the
sender from profiting at the ESP's expense).

Regardless of reasons, senders tend to make the text match what your
browser will show after the redirect occurs, not the ESP target in some
totally different domain.



Re: anchor forgery

2009-07-25 Thread Karsten Bräckelmann
On Sat, 2009-07-25 at 15:59 +0100, Mike Cardwell wrote:
 Just checking through my Spam folder and I came across a message that 
 contained this in the html:

Hey, it was classified spam. ;)  And it's a phish anyway...

 <a target="_blank" href="http://www.example.net">https://www.example.com</a>

 How would you create a rule which matched when the anchor text is a url 
 which uses a different domain to the anchor href?

I'm with mouss and Matt, that is FP prone.  *Might* make a somewhat
decent meta, with carefully picked rules, though.

Anyway, there's something better than the domain mis-match. It's a
protocol mis-match, pretending false security.


For either one, URIDetail [1] would be the way to go. Specifically, have
a look at its FAKE_HTTPS example. ;)

  guenther


[1] 
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



pilz spammers with new variations

2009-07-25 Thread McDonald, Dan
Looks like the pilz spammers have finally ditched the letters+numbers format.  
I'm now using this rule:

body     __MED_OB     /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alnum:]]{2,10}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
body     __MED_NOT_OB /\bw{2,3}\.[[:alnum:]]{2,10}\.(?:com|net|org)\b/i
meta     AE_MED47     (__MED_OB && ! __MED_NOT_OB)
describe AE_MED47     Shorter rule to catch spam obfuscation
score    AE_MED47     4.0
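Dan's two sub-rules and the meta transcribed into Python so the logic can be exercised on sample text (an added example, not from the thread; the POSIX classes are rebuilt by hand since Python's re lacks them, and the sample bodies are constructed):

```python
import re
import string

# Python's re has no POSIX classes, so [[:punct:][:space:]] is built by hand.
PS = "[\\s" + re.escape(string.punctuation) + "]"
SEP = rf"(?:{PS}{{1,5}}|{PS}{{1,3}}dot{PS}{{1,3}})"   # separator, or " dot "
PUNCT = "[" + re.escape(string.punctuation) + "]"

# The two sub-rules transcribed; [[:alnum:]] becomes [a-z0-9] under re.I.
MED_OB = re.compile(
    rf"\bw{{2,3}}{SEP}[a-z0-9]{{2,10}}{SEP}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g){PUNCT}?\b",
    re.I)
MED_NOT_OB = re.compile(r"\bw{2,3}\.[a-z0-9]{2,10}\.(?:com|net|org)\b", re.I)

def ae_med47(text):
    """The meta rule: obfuscated form present and the plain dotted form absent."""
    return MED_OB.search(text) is not None and MED_NOT_OB.search(text) is None

# Constructed sample bodies (not from the thread) with the expected verdict.
SAMPLES = {
    "visit www dot example dot com today": True,   # "dot" spelled out
    "www . example . c o m":                True,   # spaces and a split TLD
    "www,example,net":                      True,   # odd punctuation
    "see www.example.com for details":      False,  # plain URL: __MED_NOT_OB cancels
    "no links in this message at all":      False,
}

def run_samples():
    """Return the sample bodies whose verdict differs from the expectation."""
    return [t for t, want in SAMPLES.items() if ae_med47(t) != want]
```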



Re: Avoid processing of email with specific headers

2009-07-25 Thread mouss
Jari Fredriksson wrote:
 snip

did you see this:


 This is really a postfix question. Follow up on the
 postfix-users list if needed.

did you see that?




 [snip]
 
 Got the following error, when tried that. I'm using stock postfix on Debian 
 Lenny w/ backports.
 
 
 postfix/cleanup[1602]: fatal: dict_open: unsupported dictionary type: pcre:  
 Is the postfix-pcre package installed?


# apt-get install postfix-pcre


Please move this to the postfix-users list. This is my last response here.



Re: Avoid processing of email with specific headers

2009-07-25 Thread Benny Pedersen

On Sun, July 26, 2009 00:06, mouss wrote:

 Please move this to the postfix-users list. This is my last response here.

truly a lie :)

-- 
xpoint



RE: whitelist_from questions

2009-07-25 Thread Robert
 

 There are no doubt lots of ways, but how about:
 
 egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' \
   | xargs dig | grep v=spf1
 
 John.

john,

what is this supposed to do?

 - rh



RE: whitelist_from questions

2009-07-25 Thread McDonald, Dan
From: Robert [mailto:list...@abbacomm.net]
 There are no doubt lots of ways, but how about:
 
 egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' \
   | xargs dig | grep v=spf1

what is this supposed to do?

select all of your whitelist_from entries, parse out the domain part, dig the 
TXT record for each domain, then display only the ones that have a v=spf1 
notation.  That would give you a list of all of the domains in your 
whitelist_from that could be migrated to whitelist_from_spf.





bayes not active although enabled?

2009-07-25 Thread snowweb

In /etc/mail/spamassassin/local.cf

bayes_auto_learn 1

But when I examine the message headers,

X-Spam-Status: No, score=3.0 required=4.7
tests=ALL_TRUSTED,AWL,HTML_MESSAGE,
MIME_HTML_ONLY,TVD_RCVD_IP autolearn=no version=3.2.4

Is there anywhere else that I need to switch this on?
-- 
View this message in context: 
http://www.nabble.com/bayes-not-active-although-enabled--tp24663548p24663548.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Score -71 for VERY spammy message!

2009-07-25 Thread snowweb

This is the result,

X-Spam-Level: 
X-Spam-Status: No, score=-71.4 required=4.7 tests=HELO_DYNAMIC_IPADDR,
    HTML_IMAGE_ONLY_20,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,
    MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,
    RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,RELAYCOUNTRY_PE,SARE_FROM_DRUGS,
    SARE_UNI,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_WS_SURBL,
    USER_IN_WHITELIST autolearn=no version=3.2.4
X-Spam-Relay-Country: PE


I can't understand what is going on here! How can it get a score like that?
The message contained just an image and a link.



Re: Score -71 for VERY spammy message!

2009-07-25 Thread Terry Carmen

 This is the result,

 X-Spam-Level:
 X-Spam-Status: No, score=-71.4 required=4.7 tests=HELO_DYNAMIC_IPADDR,

 HTML_IMAGE_ONLY_20,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,

 MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,

 RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,RELAYCOUNTRY_PE,SARE_FROM_DRUGS,
 SARE_UNI,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_WS_SURBL,
 USER_IN_WHITELIST autolearn=no version=3.2.4
 X-Spam-Relay-Country: PE


 I can't understand what is going on here! How can it get a score like that?
 The message contained just an image and a link.


-- USER_IN_WHITELIST

Terry




Re: Score -71 for VERY spammy message!

2009-07-25 Thread LuKreme

On Jul 25, 2009, at 9:07 PM, snowweb wrote:

X-Spam-Status: No, score=-71.4 required=4.7 tests=HELO_DYNAMIC_IPADDR,
    HTML_IMAGE_ONLY_20,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,
    MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,
    RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,RELAYCOUNTRY_PE,SARE_FROM_DRUGS,
    SARE_UNI,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_WS_SURBL,
    USER_IN_WHITELIST autolearn=no version=3.2.4
X-Spam-Relay-Country: PE


It scored 28.6. The USER_IN_WHITELIST subtracted 100 points from that.


--
Mickey and Mallory know the difference between right and wrong; the
just don't give a damn.



Re: Score -71 for VERY spammy message!

2009-07-25 Thread snowweb



Terry Carmen wrote:
 

 This is the result,

 X-Spam-Level:
 X-Spam-Status: No, score=-71.4 required=4.7 tests=HELO_DYNAMIC_IPADDR,

 HTML_IMAGE_ONLY_20,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,

 MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,

 RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,RELAYCOUNTRY_PE,SARE_FROM_DRUGS,

 SARE_UNI,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_WS_SURBL,
 USER_IN_WHITELIST autolearn=no version=3.2.4
 X-Spam-Relay-Country: PE

 I can't understand what is going on here! How can it get a score like
 that?
 The message contained just an image and a link.
 -- USER_IN_WHITELIST
 

Ah ok. I hadn't seen that. By that does it mean sender or user? The
spammer is actually in my whitelist? Where can I check entries in my
whitelist please?




Re: Score -71 for VERY spammy message!

2009-07-25 Thread Rob McEwen
snowweb wrote:
 USER_IN_WHITELIST

That probably has something to do with it. And make sure you haven't
whitelisted your own user, because it is common for spammers to put the
recipient's address in there as the from address, knowing that some
portion of administrators will have whitelisted their own e-mail
address. This then becomes a free trip to the inbox when the spammer puts
that address in the FROM header.

If you want to make sure you don't block your own users' outgoing mail,
use SMTP password authentication instead. Don't rely on an easily forged
FROM e-mail address.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




Solved: Tnx. Re: Score -71 for VERY spammy message!

2009-07-25 Thread snowweb



Rob McEwen wrote:
 
 snowweb wrote:
 USER_IN_WHITELIST
 
 That probably has something to do with it. And make sure you haven't
 whitelisted your own user, because it is common for spammers to put the
 recipient's address in there as the from address, knowing that some
 portion of administrators will have whitelisted their own e-mail
 address. This then becomes a free trip to the inbox when the spammer puts
 that address in the FROM header.
 
 If you want to make sure you don't block your own users' outgoing mail,
 use SMTP password authentication instead. Don't rely on an easily forged
 FROM e-mail address.
 
 -- 
 Rob McEwen
 http://dnsbl.invaluement.com/
 r...@invaluement.com
 +1 (478) 475-9032
 
 

Eternally grateful. Thanks guys.



Re: bayes not active although enabled?

2009-07-25 Thread snowweb

Sorry, got mixed up. In /etc/mail/spamassassin/local.cf

use_bayes 1

Is there anywhere else that I need to switch this on, since it does not
appear to be doing Bayesian testing at all for any messages?




Re: Score -71 for VERY spammy message!

2009-07-25 Thread Matt Kettler
snowweb wrote:

 Terry Carmen wrote:
   
 This is the result,

 X-Spam-Level:
 X-Spam-Status: No, score=-71.4 required=4.7 tests=HELO_DYNAMIC_IPADDR,

 HTML_IMAGE_ONLY_20,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,

 MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,

 RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,RELAYCOUNTRY_PE,SARE_FROM_DRUGS,

 SARE_UNI,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_WS_SURBL,
 USER_IN_WHITELIST autolearn=no version=3.2.4
 X-Spam-Relay-Country: PE

 I can't understand what is going on here! How can it get a score like
 that?
 The message contained just an image and a link.
   
 -- USER_IN_WHITELIST

 

 Ah ok. I hadn't seen that. By that does it mean sender or user? The
 spammer is actually in my whitelist? Where can I check entries in my
 whitelist please?

   
USER_IN_WHITELIST would be sender.

Check your whitelist_from and whitelist_from_* statements in your local.cf.

In particular, make sure you didn't make this common mistake:

whitelist_from insert your own address or domain here

Spammers *WILL* abuse this, regularly.
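The whitelist audit described by Dan above (select whitelist_from entries, take the domain, keep those with a v=spf1 TXT record) together with Matt's check for the self-whitelisting mistake, as an added example that is not from the thread. The local.cf fragment, the TXT records that stand in for dig output, and the list of local domains are all constructed for the example.

```python
import re

# Constructed local.cf fragment (not from the thread).
LOCAL_CF = """\
whitelist_from friend@example.org
whitelist_from *@newsletter.example.net
whitelist_from_rcvd partner@example.com mail.example.com
whitelist_from me@mydomain.example
whitelist_from *@mydomain.example
"""

# Constructed TXT records standing in for what `dig <domain> TXT` would return.
TXT_RECORDS = {
    "example.org": ['"v=spf1 mx -all"'],
    "newsletter.example.net": ['"site-verification=abc123"'],
    "mydomain.example": ['"v=spf1 ip4:192.0.2.10 -all"'],
}

# Domains this server accepts mail for (assumption for the sample).
LOCAL_DOMAINS = {"mydomain.example"}

# Same selection as egrep 'whitelist_from[^_]': whitespace must follow the
# keyword, so whitelist_from_rcvd and friends are left alone.
WL_RE = re.compile(r"^\s*whitelist_from\s+(\S+)", re.M)

def domain_of(addr):
    """Domain part of a whitelist_from pattern such as '*@example.org'."""
    return addr.rsplit("@", 1)[-1].lower()

def has_spf(domain, txt_records):
    """True when any TXT record for the domain is an SPF policy."""
    return any(r.strip('"').lower().startswith("v=spf1")
               for r in txt_records.get(domain, []))

def audit(cf_text, txt_records, local_domains):
    """Split whitelist_from entries into those whose domain publishes SPF (safe
    to migrate to whitelist_from_spf) and those that whitelist a local domain,
    the mistake that lets a forged From: address ride into the inbox."""
    spf_candidates, self_whitelisted = [], []
    for addr in WL_RE.findall(cf_text):
        dom = domain_of(addr)
        if dom in local_domains:
            self_whitelisted.append(addr)
        elif has_spf(dom, txt_records):
            spf_candidates.append(addr)
    return spf_candidates, self_whitelisted

def migration_lines(spf_candidates):
    """Replacement config lines for entries that can move to SPF-backed whitelisting."""
    return [f"whitelist_from_spf {addr}" for addr in spf_candidates]

if __name__ == "__main__":
    spf, own = audit(LOCAL_CF, TXT_RECORDS, LOCAL_DOMAINS)
    print("\n".join(migration_lines(spf)))
    print("remove (whitelists a local domain):", own)
```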


Re: bayes not active although enabled?

2009-07-25 Thread Matt Kettler
snowweb wrote:
 Sorry, got mixed up. In /etc/mail/spamassassin/local.cf

 use_bayes 1

 Is there anywhere else that I need to switch this on since it does not
 appear to be doing bayesian testing at all for any messages.

   
check your sa-learn --dump magic

SA won't activate Bayes until it has learned at least 200 spam and 200
nonspam messages (under the general premise that until you have a
decent amount of mail learned, the statistics are going to be a bit
erratic and not worth using).




Re: Avoid processing of email with specific headers

2009-07-25 Thread Jari Fredriksson

 # apt-get install postfix-pcre


 Please move this to the postfix-users list. This is my last response here.



There is no need to join postfix-users, as the solution is there already
for me. Thank you :)