Re: improving detection to cloudmark-like levels?

2017-10-12 Thread AJ Weber

On 10/12/2017 11:33 AM, Ian Zimmerman wrote:

I don't know how you got the supposition about pyzor.

pyzor is completely independent of Cloudmark (unlike razor) and AFAIK
pyzor scores are based on participating users' reports and nothing
else.
Sorry.  It is razor2 that is (or was - according to the website) 
supported by Cloudmark.


Re: improving detection to cloudmark-like levels?

2017-10-12 Thread John Hardin

On Thu, 12 Oct 2017, AJ Weber wrote:

Using the standard rule updates channel and "sought.rules.yerp.org". 
(I don't see those updated too often, maybe I need to check on that 
update process.)


As far as I know, the Sought rules aren't being generated any more, and 
haven't been for a few years now. They may still be useful, but they are 
increasingly stale.


The standard rules are blocked by score generation issues in the masscheck 
system that are resisting analysis... :)



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Vista is at best mildly annoying and at worst makes you want to
  rush to Redmond, Wash. and rip somebody's liver out.  -- Forbes
---
 196 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: improving detection to cloudmark-like levels?

2017-10-12 Thread Ian Zimmerman
On 2017-10-12 09:25, AJ Weber wrote:

> So I'm sure they have some "secret sauce" and I'm not asking for that
> to be revealed, but since pyzor is supposedly using their database,
> I'm just trying to figure out if there's a way to get my SA filter to
> improve even further and close the gap?

I don't know how you got the supposition about pyzor.

pyzor is completely independent of Cloudmark (unlike razor) and AFAIK
pyzor scores are based on participating users' reports and nothing
else.

pyzor is also libre software, including the server (unlike razor).  That
means anyone can run their own server.  I started doing so a couple of
weeks ago, see [1].  You're welcome to join :-)

[1]
https://lists.gt.net/spamassassin/users/205264

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.


Re: improving detection to cloudmark-like levels?

2017-10-12 Thread David Jones

On 10/12/2017 09:32 AM, AJ Weber wrote:

On 10/12/2017 10:07 AM, Kevin A. McGrail wrote:

On 10/12/2017 9:25 AM, AJ Weber wrote:
I'm open to new rules, plug-ins, etc. Spam volume is only getting 
worse, and these spammers are getting more creative. 


Hi AJ,

I have to say that 3.3.0 is pretty old.  I'd look to run a newer 
version, invest some time into researching a few RBLs and consider 
adding my KAM.cf file.
OK, I'll look into the update procs.  I don't see an updated package 
available via yum (CentOS), but maybe I'm not looking in the right place.


I do use an RBL or two, I think "bl.mailspike.net", but I haven't 
figured out how to test that they're working correctly.


Thanks for the quick reply.


I have found that looking at other good configs is very helpful.  Check 
out the Postfix and SpamAssassin settings of these projects for ideas:


https://efa-project.org/
http://www.iredmail.org/

If you run an edge mail filter server, then put as much spam-blocking 
logic (RBLs, DNS checks, SMTP HELO checks, FCrDNS checks, domain 
existence checks) as possible in the MTA configs and let SpamAssassin 
handle a much smaller percentage of mostly clean messages.


If you run Postfix, enable Postscreen and its RBL weighting along with 
postwhite to bypass major mail providers.  This will allow you to 
combine the power of many RBLs and increase the sensitivity of all RBLs. 
See this mailing list's archives for many discussions on postscreen 
and adding the senderscore.org RBL.


Make sure you are using a local recursive DNS server and not pointing to 
another DNS server.  Again see the mailing list archives for a lengthy 
discussion on this topic related to URIBL_BLOCKED.


Definitely download the KAM.cf a couple of times a day into your 
/etc/mail/spamassassin directory.  It's a must.


Set up ClamAV with the extra UNOFFICIAL signatures.

Try to implement greylisting if possible.  It can be rolled out in a 
slow, phased approach so that your users don't even notice the delay it 
causes for new senders.  The benefits far outweigh the occasional delay 
in email.  Make sure to exclude Google's mail servers from greylisting.


Add Steve Freegard's DecodeShortURLs.cf plugin by dropping the .pm and 
.cf file in /etc/mail/spamassassin.


https://github.com/smfreegard/DecodeShortURLs/blob/master/DecodeShortURLs.cf

Purchase a subscription to the IVM RBL feed.  If you are filtering mail 
for more than a few mailboxes, it's very valuable and well worth the 
price to save you and your users from dealing with a lot of spam.  See 
https://www.invaluement.com


Add other RBLs to SA like senderscore.org, lashback, mailspike, etc. and 
enable the Shortcircuit plugin in v320.pre:


# cat /etc/mail/spamassassin/lashback.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header    __RCVD_IN_LASHBACK        eval:check_rbl('lashback', 'ubl.unsubscore.com.')
describe  __RCVD_IN_LASHBACK        Received is listed in Lashback ubl.unsubscore.com
tflags    __RCVD_IN_LASHBACK        net

header    RCVD_IN_LASHBACK          eval:check_rbl_sub('lashback', '127.0.0.2')
describe  RCVD_IN_LASHBACK          Received is listed in Lashback ubl.unsubscore.com
score     RCVD_IN_LASHBACK          0.8
tflags    RCVD_IN_LASHBACK          net

header    RCVD_IN_LASHBACK_LASTEXT  eval:check_rbl('lashback-lastexternal', 'ubl.unsubscore.com.')
describe  RCVD_IN_LASHBACK_LASTEXT  Last external is listed in Lashback ubl.unsubscore.com
score     RCVD_IN_LASHBACK_LASTEXT  1.2
tflags    RCVD_IN_LASHBACK_LASTEXT  net

endif

# cat /etc/mail/spamassassin/senderscore.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header    __RCVD_IN_SENDERSCORE_90_100  eval:check_rbl('senderscore90-lastexternal','score.senderscore.com.','^127\.0\.4\.(9[0-9]|100)$')
meta      RCVD_IN_SENDERSCORE_90_100    SPF_PASS && __RCVD_IN_SENDERSCORE_90_100
describe  RCVD_IN_SENDERSCORE_90_100    Senderscore.org score of 90 to 100
score     RCVD_IN_SENDERSCORE_90_100    -1.2
tflags    RCVD_IN_SENDERSCORE_90_100    net

header    __RCVD_IN_SENDERSCORE_80_89   eval:check_rbl('senderscore80-lastexternal','score.senderscore.com.','^127\.0\.4\.(8[0-9])$')
meta      RCVD_IN_SENDERSCORE_80_89     SPF_PASS && __RCVD_IN_SENDERSCORE_80_89
describe  RCVD_IN_SENDERSCORE_80_89     Senderscore.org score of 80 to 89
score     RCVD_IN_SENDERSCORE_80_89     -0.2
tflags    RCVD_IN_SENDERSCORE_80_89     net

header    RCVD_IN_SENDERSCORE_70_79     eval:check_rbl('senderscore70-lastexternal','score.senderscore.com.','^127\.0\.4\.(7[0-9])$')
describe  RCVD_IN_SENDERSCORE_70_79     Senderscore.org score of 70 to 79
score     RCVD_IN_SENDERSCORE_70_79     0.2
tflags    RCVD_IN_SENDERSCORE_70_79     net

header    RCVD_IN_SENDERSCORE_60_69     eval:check_rbl('senderscore60-lastexternal','score.senderscore.com.','^127\.0\.4\.(6[0-9])$')
describe  RCVD_IN_SENDERSCORE_60_69
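The rules quoted in this post rely on two different DNSBL return-code conventions: Lashback answers with a single fixed code (127.0.0.2, matched by check_rbl_sub), while Senderscore encodes a 0-100 reputation in the last octet of 127.0.4.x and the regex bands pick the rule; the "-lastexternal" suffix restricts the lookup to the first relay outside your trusted networks, and the negative-scoring bands are gated by an SPF_PASS meta. The following is an added, offline model of that logic (not SpamAssassin's code and not part of the original mail); the DNS answers, relay addresses and trusted networks are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed DNS answers (no live lookups): reversed-IP query name -> A records.
FAKE_DNS = {
    "5.113.0.203.ubl.unsubscore.com.": ["127.0.0.2"],
    "5.113.0.203.score.senderscore.com.": ["127.0.4.95"],
    "9.100.51.198.score.senderscore.com.": ["127.0.4.72"],
}
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def last_external(received, trusted_cidrs):
    """Return the relay IP of the first Received: header (newest first) that is
    outside our trusted networks; this is what the '-lastexternal' suffix selects."""
    nets = [ip_network(c) for c in trusted_cidrs]
    for hdr in received:
        m = RECEIVED_IP.search(hdr)
        if m and not any(ip_address(m.group(1)) in n for n in nets):
            return m.group(1)
    return None

def rbl_lookup(ip, zone, dns=FAKE_DNS):
    """Reverse the octets and query <reversed-ip>.<zone>, as check_rbl does."""
    return dns.get(".".join(reversed(ip.split("."))) + "." + zone, [])

def evaluate(received, trusted_cidrs, spf_pass, dns=FAKE_DNS):
    """Return the names of the post's lastexternal rules that would fire."""
    hits = set()
    ip = last_external(received, trusted_cidrs)
    if ip is None:
        return hits
    # check_rbl_sub('lashback', '127.0.0.2'): hit only on that exact return code.
    if "127.0.0.2" in rbl_lookup(ip, "ubl.unsubscore.com.", dns):
        hits.add("RCVD_IN_LASHBACK_LASTEXT")
    # Senderscore returns 127.0.4.<reputation>; negative bands need SPF_PASS (meta).
    for rc in rbl_lookup(ip, "score.senderscore.com.", dns):
        m = re.match(r"^127\.0\.4\.(\d{1,3})$", rc)
        if not m:
            continue
        score = int(m.group(1))
        if spf_pass and 90 <= score <= 100:
            hits.add("RCVD_IN_SENDERSCORE_90_100")
        elif spf_pass and 80 <= score <= 89:
            hits.add("RCVD_IN_SENDERSCORE_80_89")
        elif 70 <= score <= 79:
            hits.add("RCVD_IN_SENDERSCORE_70_79")
        elif 60 <= score <= 69:
            hits.add("RCVD_IN_SENDERSCORE_60_69")
    return hits
```

Swapping FAKE_DNS for real lookups (and the sample headers for a message's own) turns this into a quick way to verify that a newly added zone is actually answering for the relay you expect.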

Re: improving detection to cloudmark-like levels?

2017-10-12 Thread AJ Weber

On 10/12/2017 10:07 AM, Kevin A. McGrail wrote:

On 10/12/2017 9:25 AM, AJ Weber wrote:
I'm open to new rules, plug-ins, etc. Spam volume is only getting 
worse, and these spammers are getting more creative. 


Hi AJ,

I have to say that 3.3.0 is pretty old.  I'd look to run a newer 
version, invest some time into researching a few RBLs and consider 
adding my KAM.cf file.
OK, I'll look into the update procs.  I don't see an updated package 
available via yum (CentOS), but maybe I'm not looking in the right place.


I do use an RBL or two, I think "bl.mailspike.net", but I haven't 
figured out how to test that they're working correctly.


Thanks for the quick reply.


Re: improving detection to cloudmark-like levels?

2017-10-12 Thread Kevin A. McGrail

On 10/12/2017 9:25 AM, AJ Weber wrote:
I'm open to new rules, plug-ins, etc.  Spam volume is only getting 
worse, and these spammers are getting more creative. 


Hi AJ,

I have to say that 3.3.0 is pretty old.  I'd look to run a newer 
version, invest some time into researching a few RBLs and consider 
adding my KAM.cf file.


Regards,
KAM



improving detection to cloudmark-like levels?

2017-10-12 Thread AJ Weber

OK, please, this is meant with all good intentions...

I have been running SA 3.3.0 on my server for years.  Using the standard 
rule updates channel and "sought.rules.yerp.org".  (I don't see those 
updated too often, maybe I need to check on that update process.)  Also 
enabled:  DCC, Pyzor and Razor2.


This does a very good job as currently configured.  However, I also have 
Cloudmark's "DesktopOne" client-product installed for years.  They are 
discontinuing that product on Dec 1.  I certainly would see the 
cloudmark-product catch _additional_ spam on a daily basis (very 
accurately).


So I'm sure they have some "secret sauce" and I'm not asking for that to 
be revealed, but since pyzor is supposedly using their database, I'm 
just trying to figure out if there's a way to get my SA filter to 
improve even further and close the gap?


So it's a very open-ended ask, but I thought maybe I could start a 
conversation and see if there are any ideas out there.  I'm open to new 
rules, plug-ins, etc.  Spam volume is only getting worse, and these 
spammers are getting more creative.


Thanks in advance,

AJ



Re: Whitelisting DKIM-signed domains

2017-10-12 Thread Matthias Leisi
I’ll just pick out one particular argument, as RW touched upon the others:

| Why would you trust list B and W knowing that they can be corrupted? 

That was one specific concern in the design of dnswl.org, 
which we documented e.g. here: https://www.dnswl.org/?page_id=23 
("How is this different from other 
whitelisting services?")

Like many other lists, the cost of running dnswl.org is 
paid by receivers - those doing more than 100’000 queries per day on the 
IP-based list in our case are asked to get a subscription and to rsync the data 
locally (we may extend that to the domain-based list, but that is still at an 
experimental stage anyway). Thus the commercial incentives of the organisation 
(to the degree that they would actually matter) are very much aligned with the 
receivers, basically ruling out any benefits of corruption.

Yes, about once a year there is someone claiming "I just paid a subscription, 
now list me!". In these cases, we send them a "thanks, but no thanks" note, 
give them a refund on the subscription, and remove their account.

— Matthias