Re: Disabling spamcop plugin

2016-04-06 Thread Jari Fredriksson

Ian Zimmerman wrote on 7.4.2016 5:38:
> Is there any way to disable the spamcop plugin for an individual user
> (i.e. from ~/.spamassassin/user_prefs) if the plugin is loaded by
> /etc/spamassassin/*.pre ?
>
> By comparison, I seem to be able to disable pyzor even if it is loaded,
> by writing
>
>   use_pyzor 0
>
> in my user_prefs.


There seems to be code in SpamCop.pm doing some test about 
"dont_report_to_spamcop". I don't know if that can be set in user_prefs 
or something..


sub plugin_report {
  my ($self, $options) = @_;

  return unless $self->{spamcop_available};

  if (!$options->{report}->{options}->{dont_report_to_spamcop}) {
    if ($self->spamcop_report($options)) {
      $options->{report}->{report_available} = 1;
      info("reporter: spam reported to SpamCop");
      $options->{report}->{report_return} = 1;
    }
    else {
      info("reporter: could not report spam to SpamCop");
    }
  }
}



--
jarif.bit


Disabling spamcop plugin

2016-04-06 Thread Ian Zimmerman
Is there any way to disable the spamcop plugin for an individual user
(i.e. from ~/.spamassassin/user_prefs) if the plugin is loaded by
/etc/spamassassin/*.pre ?

By comparison, I seem to be able to disable pyzor even if it is loaded,
by writing

  use_pyzor 0

in my user_prefs.

-- 
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.


MIME header false positives (was Rule to score word documents)

2016-04-06 Thread Cedric Knight
On 30/03/16 21:11, @lbutlr wrote:
> On Wed Mar 30 2016 13:34:23 Alex   said:
>>
>> /^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.doc"?;?$/
>> REJECT
> 
> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
> REJECT Attachment name "$2" may not end with ".$3"

I'd like to take the opportunity to warn that regexes like this (and the
version in the Postfix documentation as "man header_checks") have
started blocking email from iPhones.

This is because some Apple email client adds a parameter to Content-Type
that may end in ".com".  The ".*\." can span between those parameters.
If you block extensions in Postfix, check your logs for
"x-apple-part-url" and you may see something like:

server postfix/cleanup[1234]: 123412341234: reject: header Content-Type:
 application/vnd.ms-publisher;??name="redacted
redacted.pub";??x-apple-part-url="abcd1234-1234-5678--123412341...@yahoo.com"

("??" is the CRLF line break.)

For postfix the rule can be rewritten to specify the parameter value to
avoid this type of false positive:

/^Content-(Disposition|Type).*name\s*=\s*
("(?:[^"]|\\")*|[^();:,\/<>\@\"?=<>\[\]\ ]*)
((?:\.|=2E)(
ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
hlp|ht[at]|
inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
\{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
vb[esx]?|vxd|ws[cfh])(\?=)?"?)\s*(;|$)/x
REJECT Attachment name $2$3 may not end with ".$4"

So far as I can see, no standard SpamAssassin rule checks for .com so
shouldn't cause a false positive, but some rules that are intended to
just check filename extensions and might hit other parts of the header
include OBFU_TEXT_ATTACH, T_OBFU_DOC_ATTACH and __TVD_MIME_ATT_AOPDF.

> Just add the MS Office file extensions to that.
> 
> Then, when your users revolt and are banging on your door with pitchforks and 
> torches, take them out again.

:) or staff the machicolations because you know best.

Some that I seriously would add are .mso, .xl, .ocx and .jar.

CK
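The cross-parameter false positive Cedric describes, shown as an added Python example (not code from the thread, from Postfix, or from SpamAssassin): a naive rule in the shape quoted above is run beside a rule whose extension must sit inside the name= value, against constructed headers that follow the shape of the logged Apple reject. Python's re module stands in for Postfix's PCRE, with re.DOTALL reproducing the dot-matches-newline behaviour Postfix pcre tables enable by default; the extension list is shortened and the regexes are written without the /x flag.

```python
import re

# Short extension list for the demonstration; the rules in the thread list dozens.
EXT = r"(?P<ext>ade|adp|bat|cmd|com|exe|js|scr|vbs)"

# Naive form, in the shape quoted above: the ".*\." before the extension can
# run from the name= value into a later parameter of the same header.
NAIVE = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.' + EXT + r')(\?=)?"?\s*(;|$)',
    re.DOTALL,  # Postfix pcre tables let "." match newline by default
)

# Parameter-value form, after Cedric's rewrite: the value is either a quoted
# string (which cannot run past its closing quote) or a single token, so the
# dot and the extension must belong to the name= value itself.
SCOPED = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*'
    r'("(?:[^"]|\\")*|[^();:,/<>@"?=\[\] ]*)'
    r'((?:\.|=2E)' + EXT + r'(\?=)?"?)\s*(;|$)',
    re.DOTALL,
)

# Constructed headers. APPLE_HEADER follows the shape of the logged reject:
# a folded Content-Type whose x-apple-part-url parameter ends in ".com".
APPLE_HEADER = (
    'Content-Type: application/vnd.ms-publisher;\r\n'
    '\tname="redacted redacted.pub";\r\n'
    '\tx-apple-part-url="abcd1234-1234-5678-123412341@yahoo.com"'
)
EXE_HEADER = 'Content-Disposition: attachment; filename="invoice.exe"'
DOCX_HEADER = 'Content-Disposition: attachment; filename="report.docx"'


def blocked_ext(rule, header):
    """Return the extension the rule would reject on, or None if it passes."""
    m = rule.search(header)
    return m.group("ext") if m else None


if __name__ == "__main__":
    for label, hdr in (("apple", APPLE_HEADER), ("exe", EXE_HEADER), ("docx", DOCX_HEADER)):
        print(f"{label:5} naive={blocked_ext(NAIVE, hdr)!s:5} scoped={blocked_ext(SCOPED, hdr)}")
```

The naive rule rejects the Apple header on "com" because its `.*` runs from the quoted name across the CRLF into the next parameter; the scoped rule passes it while still rejecting the constructed invoice.exe header.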



Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 12:14 PM, Matt Garretson wrote:
> On 4/5/2016 8:40 PM, Alex wrote:
>> These targeted macro viruses are killing us. I hoped someone would
>> [...]
>> What strategy are other people using to block zero-day macro viruses?
>
> I quarantine these before they get to SA with some logic in mimedefang
> that combines the OLE2 result from clamav with bogofilter scores and a
> couple arbitrary pattern matches that I update as needed.

Can you tell us more about the OLE2 result, and how you obtained it
from clamav, in hopes I could do something similar with amavis?


Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 11:39 AM, John Hardin  wrote:
> On Wed, 6 Apr 2016, Alex wrote:
>
>> Yes, blocking all .doc files would be tough for us. However, maybe a
>> rule that weights their existence more heavily combined with
>> something involving finance+money+invoices would be helpful.
>
> Would blocking with whitelist exceptions for expected sources work for you?

Unfortunately not. It's a business with a lot of little vendors,
apparently. I'm surprised at just how many legitimate senders use junk
email addresses like jo...@cox.net to send actual invoices for
services.

Thanks,
Alex


Re: Macro virus fun

2016-04-06 Thread Matt Garretson
On 4/5/2016 8:40 PM, Alex wrote:
> These targeted macro viruses are killing us. I hoped someone would
> [...]
> What strategy are other people using to block zero-day macro viruses?


I quarantine these before they get to SA with some logic in mimedefang
that combines the OLE2 result from clamav with bogofilter scores and a
couple arbitrary pattern matches that I update as needed.


Re: Macro virus fun

2016-04-06 Thread John Hardin

On Wed, 6 Apr 2016, Alex wrote:


Yes, blocking all .doc files would be tough for us. However, maybe a
rule that weights their existence more heavily combined with
something involving finance+money+invoices would be helpful.


Would blocking with whitelist exceptions for expected sources work for 
you?


--
 John Hardin KA7OHZ                     http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Tea Party wants to remove the Crony from Crony Capitalism.
  OWS wants to remove Capitalism from Crony Capitalism.
-- Astaghfirullah
---
 7 days until Thomas Jefferson's 273rd Birthday


Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 9:56 AM, Reindl Harald  wrote:
> On 06.04.2016 at 15:53 RW wrote:
>>
>> On Tue, 5 Apr 2016 20:40:20 -0400
>> Alex wrote:
>>
>>> These targeted macro viruses are killing us. I hoped someone would
>>> like to take a shot at suggestions on how to stop these.
>>>
>>> http://pastebin.com/FTzbQcHb
>>>
>>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>>> but it's apparently not something that spamassassin can manipulate
>>> once it's been added. In other words, it can't be used in a meta or to
>>> make spam/ham decisions, only add to the existing score.
>>
>>
>> Do you need to allow attachments with a .doc extension?
>>
>> The last version of word that saved in this format was in Office 2003
>> and the last version of wordpad was in XP. Both have been out of
>> mainstream support for 7 years and stopped getting security updates 2
>> years ago
>
>
> sadly in the real world if it comes to business customers you don't get rid
> of .doc in a near future, be it because outdated office versions or in the
> past changed defaults to save in the old formats to ensure others with older
> (at that moment supported versions) can open your documents

Yes, blocking all .doc files would be tough for us. However, maybe a
rule that weights their existence more heavily combined with
something involving finance+money+invoices would be helpful.


Re: DNS to mirror failed when running sa-update

2016-04-06 Thread RW
On Wed, 6 Apr 2016 15:48:03 +0200
Reindl Harald wrote:

> On 06.04.2016 at 15:35 Yu Qian wrote:
> > I tried to run sa-update to refresh rules, but the update channel
> > (mirrors.updates.spamassassin.org) is not found.
> >
> > Is there anyone who can help me with this problem
> >
> > A screenshot for the error is attached
> >
> > Thanks a lot!  
> 
> the domains DNS is obviously broken for anything related to the 
> "updates" subdomain
> 

> [harry@rh:~]$ nslookup mirrors.updates.spamassassin.org

Wrong type of query

$ dig +short  mirrors.updates.spamassassin.org txt
"http://spamassassin.apache.org/updates/MIRRORED.BY;



Re: Macro virus fun

2016-04-06 Thread Reindl Harald

On 06.04.2016 at 15:53 RW wrote:
> On Tue, 5 Apr 2016 20:40:20 -0400
> Alex wrote:
>
>> These targeted macro viruses are killing us. I hoped someone would
>> like to take a shot at suggestions on how to stop these.
>>
>> http://pastebin.com/FTzbQcHb
>>
>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>> but it's apparently not something that spamassassin can manipulate
>> once it's been added. In other words, it can't be used in a meta or to
>> make spam/ham decisions, only add to the existing score.
>
> Do you need to allow attachments with a .doc extension?
>
> The last version of word that saved in this format was in Office 2003
> and the last version of wordpad was in XP. Both have been out of
> mainstream support for 7 years and stopped getting security updates 2
> years ago

sadly in the real world if it comes to business customers you don't get
rid of .doc in a near future, be it because outdated office versions or
in the past changed defaults to save in the old formats to ensure others
with older (at that moment supported versions) can open your documents


as mailadmin you are hardly in the position to educate all the outside 
world sending mails to your customers






Re: Macro virus fun

2016-04-06 Thread RW
On Tue, 5 Apr 2016 20:40:20 -0400
Alex wrote:

> Hi all,
> 
> These targeted macro viruses are killing us. I hoped someone would
> like to take a shot at suggestions on how to stop these.
> 
> http://pastebin.com/FTzbQcHb
> 
> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
> but it's apparently not something that spamassassin can manipulate
> once it's been added. In other words, it can't be used in a meta or to
> make spam/ham decisions, only add to the existing score.

Do you need to allow attachments with a .doc extension? 

The last version of word that saved in this format was in Office 2003
and the last version of wordpad was in XP. Both have been out of
mainstream support for 7 years and stopped getting security updates 2
years ago.  


Re: DNS to mirror failed when running sa-update

2016-04-06 Thread Reindl Harald

On 06.04.2016 at 15:35 Yu Qian wrote:
> I tried to run sa-update to refresh rules, but the update channel
> (mirrors.updates.spamassassin.org) is not found.
>
> Is there anyone who can help me with this problem
>
> A screenshot for the error is attached
>
> Thanks a lot!

the domain's DNS is obviously broken for anything related to the
"updates" subdomain


;; ANSWER SECTION:
spamassassin.org.       3600    IN      NS      b.auth-ns.sonic.net.
spamassassin.org.       3600    IN      NS      c.auth-ns.sonic.net.
spamassassin.org.       3600    IN      NS      ns.hyperreal.org.
spamassassin.org.       3600    IN      NS      a.auth-ns.sonic.net.

;; Query time: 96 msec
;; SERVER: 10.0.0.6#53(10.0.0.6)
;; WHEN: Mi Apr 06 15:44:25 CEST 2016
;; MSG SIZE  rcvd: 137

[harry@rh:~]$ nslookup mirrors.updates.spamassassin.org b.auth-ns.sonic.net.
Server:     b.auth-ns.sonic.net.
Address:    184.173.92.18#53

*** Can't find mirrors.updates.spamassassin.org: No answer

[harry@rh:~]$ nslookup mirrors.updates.spamassassin.org c.auth-ns.sonic.net.
Server:     c.auth-ns.sonic.net.
Address:    69.9.186.104#53

*** Can't find mirrors.updates.spamassassin.org: No answer

[harry@rh:~]$ nslookup mirrors.updates.spamassassin.org ns.hyperreal.org.
Server:     ns.hyperreal.org.
Address:    209.237.226.92#53

*** Can't find mirrors.updates.spamassassin.org: No answer

[harry@rh:~]$ nslookup mirrors.updates.spamassassin.org a.auth-ns.sonic.net.
Server:     a.auth-ns.sonic.net.
Address:    184.23.168.53#53

*** Can't find mirrors.updates.spamassassin.org: No answer

[harry@rh:~]$ dig mirrors.updates.spamassassin.org @a.auth-ns.sonic.net.
; <<>> DiG 9.10.3-P4-RedHat-9.10.3-12.P4.fc23 <<>> 
mirrors.updates.spamassassin.org @a.auth-ns.sonic.net.

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10357
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mirrors.updates.spamassassin.org. IN   A

;; AUTHORITY SECTION:
spamassassin.org.       3600    IN      SOA     ns.hyperreal.org. pmc.spamassassin.apache.org. 2016040600 86400 3600 2678400 3600


;; Query time: 171 msec
;; SERVER: 184.23.168.53#53(184.23.168.53)
;; WHEN: Mi Apr 06 15:45:05 CEST 2016
;; MSG SIZE  rcvd: 134





Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 3:12 AM,   wrote:
> Alex wrote on 2016-04-06 02:40:
>
>> http://pastebin.com/FTzbQcHb
>>
>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>> but it's apparently not something that spamassassin can manipulate
>
> change clamd to block this mail, or score this with higher score in
> amavisd, but blocking only make sense if you use amavisd-milter so it would
> reject if it contains macros, here i just use clamav-milter not amavisd
>
> its not spam, its really malware, handle is so is suggested

This one may be spam/malware, but the vast majority of them are not.
Blocking all files with macros is an obvious solution, but not a good
one.

Is it even possible to use SA to create a rule based on whether it
contains an attachment that has macros? At least then we could create
more aggressive meta rules.

Thanks,
Alex


Re: DMARC auto-away rejects (updated)

2016-04-06 Thread A. Schulze


Alan Hodgson:
> I really believe that's incorrect. Relaxed alignment specifically means you can
> sign with a subdomain's key or use a subdomain for SPF.
>
> Read sections 3.1.2 and 10.4 of that same document, for instance.

Alan,

you're right! DMARC folks told me so, too.

DMARC relaxed alignment is true for:
   - RFC5322.From: example.com
   - DKIM or SPF authentication identifier: sub.example.com

and even true for:
   - RFC5322.From: a.example.com
   - DKIM or SPF authentication identifier: b.example.com

that was new to me. So I vote now for "not AOL's fault"

Andreas
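The two alignment cases Andreas lists, worked through as an added Python example (not code from the thread or from any DMARC implementation): relaxed alignment compares organizational domains, strict alignment compares the exact domains, and a record's adkim/aspf tags select the mode per identifier. The organizational-domain lookup is a stand-in: RFC 7489 derives it from the Public Suffix List, while this example uses a tiny constructed suffix table and assumes single-label suffixes; the function names and the sample record are assumptions for the demonstration.

```python
# Constructed stand-in for the Public Suffix List. Assumption: every suffix is
# a single label, which real entries such as co.uk are not.
PUBLIC_SUFFIXES = {"com", "net", "org"}


def organizational_domain(fqdn):
    """Registrable domain: the label immediately left of a public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 2 and labels[-1] in PUBLIC_SUFFIXES:
        return ".".join(labels[-2:])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' (relaxed): organizational domains must match.
    mode 's' (strict): the two domains must be identical."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_identifier_alignment(from_domain, record_txt, dkim_d=None, spf_domain=None):
    """dkim_d is the d= of a DKIM signature that verified; spf_domain is the
    MAIL FROM domain for which SPF passed; None means that check did not pass.
    Returns True when at least one passing identifier aligns with RFC5322.From."""
    tags = parse_dmarc_record(record_txt)
    adkim = tags.get("adkim", "r")  # RFC 7489 default is relaxed
    aspf = tags.get("aspf", "r")
    dkim_ok = dkim_d is not None and aligned(from_domain, dkim_d, adkim)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, aspf)
    return dkim_ok or spf_ok


if __name__ == "__main__":
    # Constructed record: relaxed DKIM alignment, strict SPF alignment.
    record = "v=DMARC1; p=reject; adkim=r; aspf=s"
    print(aligned("example.com", "sub.example.com"))          # relaxed: True
    print(aligned("a.example.com", "b.example.com"))          # relaxed: True
    print(aligned("a.example.com", "b.example.com", "s"))     # strict: False
    print(dmarc_identifier_alignment("example.com", record, dkim_d="mail.example.com"))
    print(dmarc_identifier_alignment("example.com", record, spf_domain="mail.example.com"))
```

With the constructed record, a DKIM signature from mail.example.com aligns (adkim=r), but SPF passing for mail.example.com does not (aspf=s), so a message authenticated by SPF alone would fail DMARC even though the same identifier would have aligned under the relaxed default.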




Re: Macro virus fun

2016-04-06 Thread me

Alex wrote on 2016-04-06 02:40:
> http://pastebin.com/FTzbQcHb
>
> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
> but it's apparently not something that spamassassin can manipulate

change clamd to block this mail, or score this with higher score in
amavisd, but blocking only make sense if you use amavisd-milter so it
would reject if it contains macros, here i just use clamav-milter not
amavisd


its not spam, its really malware, handle is so is suggested