Re: X-Relay-Countries not working
On Wed, 28 Nov 2018 at 06:15, Brent Clark wrote:
> Thanks for replying
>
> I did as you asked, here is the pastebin
>
> https://pastebin.com/XqSXndpW
>
> I could not see anything like you describe (i.e. "I've found that the
> plugin will fallback to the 'fast' version ...")
>
> It looks like KR is getting found but if you look at the pastebin below,
> it does not display RELAYCOUNTRY
>
> https://pastebin.com/sh8S10ph

You use a hat ^ so that only the first (or ?last) relay server's country is matched. Maybe this is the problem? Try using:

header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|SU|IN|BR|UA|KR)/

I use a similar header match string (but with GeoIP2 database, not the old GeoIP) and it seems to work fine.
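An added Python check, not part of the reply above, that applies the three X-Relay-Countries patterns found on this page to constructed header values; it assumes the plugin emits space-separated two-letter country codes, one per untrusted relay.

```python
import re

# The three X-Relay-Countries patterns that appear on this page: Brent's
# anchored rule, the unanchored variant suggested in the reply above, and
# the \bPK\b rule from the "spoofing mail" thread further down.
RULES = {
    "RELAYCOUNTRY_BAD_anchored": re.compile(r"^(CN|RU|SU|IN|BR|UA|KR)"),
    "RELAYCOUNTRY_BAD_unanchored": re.compile(r"(CN|RU|SU|IN|BR|UA|KR)"),
    "RELAYCOUNTRY_PK": re.compile(r"\bPK\b"),
}


def evaluate(x_relay_countries):
    """Apply each pattern to one X-Relay-Countries value.

    The value is assumed to be the space-separated list of two-letter
    codes the RelayCountry plugin emits, one per untrusted relay.
    """
    return {name: bool(rx.search(x_relay_countries)) for name, rx in RULES.items()}


def first_code(x_relay_countries):
    """The only code an anchored (^...) pattern can ever examine."""
    codes = x_relay_countries.split()
    return codes[0] if codes else ""


# Constructed sample values (not the real headers from the pastebins).
SAMPLES = {
    "KR listed first": "KR US",
    "KR listed later": "US KR",
    "PK among others": "US PK",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        hits = [name for name, hit in evaluate(value).items() if hit]
        print(f"{label:16} {value!r:9} first={first_code(value)!r:5} hits={hits}")
```

With "US KR" the anchored rule misses even though KR is present, which is the symptom reported in this thread, while the unanchored form hits.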
Re: X-Relay-Countries not working
Try removing the eval in the actual code that calls the database file temporarily and check if there are perl modules missing. I've been there too and had to install some maxmind reader and database modules. If they are missing, you'll see an error in the debug log then.

Vitali

> On 28.11.2018 at 07:15, Brent Clark wrote:
>
> Thanks for replying
>
> I did as you asked, here is the pastebin
>
> https://pastebin.com/XqSXndpW
>
> I could not see anything like you describe (i.e. "I've found that the plugin
> will fallback to the 'fast' version ...")
>
> It looks like KR is getting found but if you look at the pastebin below, it
> does not display RELAYCOUNTRY
>
> https://pastebin.com/sh8S10ph
>
> I am at a complete loss on this one.
>
> Thanks in advance for your help.
>
> Regards
> Brent
>
>
>> On 2018/11/27 16:02, RW wrote:
>> On Tue, 27 Nov 2018 12:51:40 +0200
>> Brent Clark wrote:
>>> Good day Guys
>>>
>>> I have the following spam email, and I picked up that the plugin
>>> 'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.
>>>
>>> https://pastebin.com/i45KsgVk
>> Try running it through
>> spamassassin -D metadata 1>/dev/null
>> and look for debug about what database type is being used. I've found
>> that the plugin will fallback to the 'fast' version if anything is
>> wrong and it only shows up in detailed debug.
>>>
>>> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
>>> describe RELAYCOUNTRY_BAD Relayed through foreign countries
>>> score RELAYCOUNTRY_BAD 1.0
>>> add_header all Relay-Country _RELAYCOUNTRY_
>>>
>>> In my testing, I added ZA, and it picked up for IP 196.35.198.137.
>>>
>>> Also, does anyone know why the 27.102.212.207 is in square brackets.
>> Usually it's to indicate that it's an IP address.
Re: X-Relay-Countries not working
Thanks for replying

I did as you asked, here is the pastebin

https://pastebin.com/XqSXndpW

I could not see anything like you describe (i.e. "I've found that the plugin will fallback to the 'fast' version ...")

It looks like KR is getting found but if you look at the pastebin below, it does not display RELAYCOUNTRY

https://pastebin.com/sh8S10ph

I am at a complete loss on this one.

Thanks in advance for your help.

Regards
Brent

On 2018/11/27 16:02, RW wrote:
> On Tue, 27 Nov 2018 12:51:40 +0200
> Brent Clark wrote:
>> Good day Guys
>>
>> I have the following spam email, and I picked up that the plugin
>> 'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.
>>
>> https://pastebin.com/i45KsgVk
>
> Try running it through
>
> spamassassin -D metadata 1>/dev/null
>
> and look for debug about what database type is being used. I've found
> that the plugin will fallback to the 'fast' version if anything is
> wrong and it only shows up in detailed debug.
>
>> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
>> describe RELAYCOUNTRY_BAD Relayed through foreign countries
>> score RELAYCOUNTRY_BAD 1.0
>> add_header all Relay-Country _RELAYCOUNTRY_
>>
>> In my testing, I added ZA, and it picked up for IP 196.35.198.137.
>>
>> Also, does anyone know why the 27.102.212.207 is in square brackets.
>
> Usually it's to indicate that it's an IP address.
Re: spoofing mail
On Wed, 28 Nov 2018 at 01:57, Rick Gutierrez wrote:
> On Tue, 27 Nov 2018 at 16:22, David Jones () wrote:
> >
> > Can you send a copy of the original email lightly redacted via pastebin
> > so I can run it through my filters to give some pointers?
> >
> > --
> > David Jones
>
> Hi David, the email is very simple, but I attach it in the following link
>
> https://pastebin.com/cYaLibt1
>
> and the trace for a better reading
>
> https://pastebin.com/8vpVejPc
>
> the name of one of my users is Ariana Molina and the valid mail of
> another of my users is lvasquez.

So the real user's name and email (Ariana Molina mol...@domain.com) occur only in the body of the email, and not anywhere in the headers, nor in the SMTP transaction? I think this is hard to catch because a real user's name and email may legitimately be found in the body of an email from another user.
Re: spoofing mail
On Tue, 27 Nov 2018 at 16:22, David Jones () wrote:
>
> Can you send a copy of the original email lightly redacted via pastebin
> so I can run it through my filters to give some pointers?
>
> --
> David Jones

Hi David, the email is very simple, but I attach it in the following link

https://pastebin.com/cYaLibt1

and the trace for a better reading

https://pastebin.com/8vpVejPc

the name of one of my users is Ariana Molina and the valid mail of another of my users is lvasquez.

regards

--
rickygm
http://gnuforever.homelinux.com
Re: spoofing mail
On 11/27/18 11:22 AM, Rick Gutierrez wrote:
> On Tue, 27 Nov 2018 at 11:14, Alan Hodgson
> () wrote:
>
>>
>> Wow, that's hard to read.
>>
>> It was close to being tagged because of the Pakistan relay. Just add a few
>> points for Word docs and you should be good. Word docs from spammy countries
>> should really get a lot of points.
>
> Hi Alan, I think it's a valid point, except for one thing, what
> happens if you do not attach a document?
>
> Something I want to ask you, where can I increase this score or in what rules?
>

Can you send a copy of the original email lightly redacted via pastebin so I can run it through my filters to give some pointers?

--
David Jones
Re: Custom DMARC_FAIL rule
On 11/27/18 7:46 AM, RW wrote:
> On Mon, 26 Nov 2018 20:13:12 -0500
> Robert Fitzpatrick wrote:
>
>> I have the following custom rules working pretty well in testing, but
>> ran into this message with two "Authentication-Results" headers:
>>
>>> Authentication-Results: mx3.webtent.org; dmarc=none (p=none
>>> dis=none) header.from=email.monoprice.com
>>> Authentication-Results: mx3.webtent.org;
>>> dkim=fail reason="signature verification failed" (2048-bit
>>> key; unprotected) header.d=email.monoprice.com
>>> header.i=@email.monoprice.com header.b=JvTxQQIc
>>
>> This triggers DMARC_FAIL in my custom rules below, but all I want to
>> pick up on is 'header.from' failures. What do I need to change the
>> regular expression to also pick up on header.from in the header?
>> Would I just add '.*header.from' after =fail?
>>
>>> # DMARC rules
>>> header __DMARC_FAIL Authentication-Results =~ /webtent.org;
>>> (dmarc|dkim)=fail /
>
>
> dkim=fail doesn't imply the email failed DMARC. Just look for
> dmarc=fail. Using header.from is just a roundabout way of eliminating
> the unnecessary dkim=fail matches.
>

Correct. For DMARC to pass you need _either_ SPF_PASS that aligns with the envelope-from domain _OR_ DKIM_VALID_AU, which is a pass and alignment with the From: header domain. If both pass and align then that is even better. Keep it simple. (Adjust the "smtp.ena.net" for your own OpenDMARC AuthservID value.)

header DMARC_PASS Authentication-Results =~ /smtp\.ena\.net; dmarc=pass/
describe DMARC_PASS DMARC check passed
score DMARC_PASS -0.01

header DMARC_FAIL Authentication-Results =~ /smtp\.ena\.net; dmarc=fail/
describe DMARC_FAIL DMARC check failed
score DMARC_FAIL 0.01

header DMARC_NONE Authentication-Results =~ /smtp\.ena\.net; dmarc=none/
describe DMARC_NONE DMARC check neutral
score DMARC_NONE 0.01

header __DMARC_FAIL_REJECT Authentication-Results =~ /smtp\.ena\.net; dmarc=fail \(p=reject/
meta DMARC_FAIL_REJECT __DMARC_FAIL_REJECT && !ENA_TRUSTED_LIST
describe DMARC_FAIL_REJECT DMARC check failed and the sending domain says to reject this message
score DMARC_FAIL_REJECT 8.2

Adjust the ENA_TRUSTED_LIST above to whatever you want to do to exclude certain senders or mailing lists from DMARC checks.

--
David Jones
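As an added illustration, not David's or OpenDMARC's code: a Python check that walks a constructed list of Authentication-Results headers (the two Robert quoted, plus one stamped by a made-up hop called upstream.example), keeps only the dmarc= results from the configured AuthservID, and maps them to the rule names above; it also shows which header the original (dmarc|dkim)=fail pattern would have matched.

```python
import re

# Authentication-Results headers: the two quoted at the top of this thread,
# plus a constructed one from a different hop that our rules must ignore.
SAMPLE_HEADERS = [
    "Authentication-Results: mx3.webtent.org; dmarc=none (p=none dis=none) "
    "header.from=email.monoprice.com",
    "Authentication-Results: mx3.webtent.org; dkim=fail "
    'reason="signature verification failed" (2048-bit key; unprotected) '
    "header.d=email.monoprice.com header.i=@email.monoprice.com header.b=JvTxQQIc",
    "Authentication-Results: upstream.example; dmarc=fail (p=reject dis=none) "
    "header.from=example.org",  # constructed: a hop that is not our AuthservID
]

# authserv-id (optionally followed by a version number), then the methods.
AR_RE = re.compile(
    r"^Authentication-Results:\s*(?P<authserv>[^;\s]+)(?:\s+\d+)?\s*;\s*(?P<rest>.*)$",
    re.I | re.S,
)
# dmarc=<result> with the optional "(p=... dis=...)" comment OpenDMARC adds.
DMARC_RE = re.compile(r"\bdmarc=(?P<result>pass|fail|none)\b(?:\s*\((?P<props>[^)]*)\))?", re.I)
# Robert's original pattern, kept only for comparison: it also fires on dkim=fail.
OLD_FAIL_RE = re.compile(r"webtent\.org; (dmarc|dkim)=fail ")


def dmarc_results(headers, authserv_id):
    """(result, published policy) for every dmarc= method stamped by authserv_id."""
    found = []
    for h in headers:
        m = AR_RE.match(h)
        if not m or m.group("authserv").lower() != authserv_id.lower():
            continue  # stamped by some other hop: not ours to trust
        for d in DMARC_RE.finditer(m.group("rest")):
            policy = None
            if d.group("props"):
                p = re.search(r"\bp=(\w+)", d.group("props"))
                policy = p.group(1).lower() if p else None
            found.append((d.group("result").lower(), policy))
    return found


def classify(headers, authserv_id):
    """Name the rule from the set above that would carry the score, or None."""
    res = dmarc_results(headers, authserv_id)
    if any(r == "pass" for r, _ in res):
        return "DMARC_PASS"
    if any(r == "fail" and p == "reject" for r, p in res):
        return "DMARC_FAIL_REJECT"
    if any(r == "fail" for r, _ in res):
        return "DMARC_FAIL"
    if any(r == "none" for r, _ in res):
        return "DMARC_NONE"
    return None


def old_rule_hits(headers):
    """Headers matched by the original (dmarc|dkim)=fail pattern."""
    return [h for h in headers if OLD_FAIL_RE.search(h)]


if __name__ == "__main__":
    print("dmarc results:", dmarc_results(SAMPLE_HEADERS, "mx3.webtent.org"))
    print("rule:", classify(SAMPLE_HEADERS, "mx3.webtent.org"))
    print("old pattern matched:", old_rule_hits(SAMPLE_HEADERS))
```

On Robert's headers the only dmarc= verdict from mx3.webtent.org is none, so DMARC_NONE is the correct outcome, while the old pattern fires on the dkim=fail header alone.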
Re: spoofing mail
On Tue, 27 Nov 2018 at 11:54, Alan Hodgson () wrote:
>
> Malware/phishes are usually either in an attachment or the message has a
> link. Personally I add a lot of points to either if they come through
> questionable countries. Users can dig them out of their Junk if they happen
> to be expecting a resume from Algeria.

Ok

> You'd probably have to write your own. I'm not even sure where you got that
> RELAY_PK rule from but I'd guess a download from Ironport or something.
>
> Personally I have one set of rules for classifying countries and a few metas
> on top of those.
>
> But you probably wouldn't want to use my rules; my servers are small with
> homogeneous user bases and they don't get real mail from, say, Russia or
> Pakistan or the Sudan. You can tag a lot of real mail if you're not careful
> writing rules.

I have a file where I have scores on the countries, including Pakistan. Look at the rule:

header RELAYCOUNTRY_PK X-Relay-Countries =~ /\bPK\b/
describe RELAYCOUNTRY_PK Relayed through Pakistan
score RELAYCOUNTRY_PK 3.0

Do you have some example of a rule, how to assign scores to doc, xls files, ppt?

regards.

--
rickygm
http://gnuforever.homelinux.com
Re: spoofing mail
On Tue, 2018-11-27 at 11:22 -0600, Rick Gutierrez wrote:
> On Tue, 27 Nov 2018 at 11:14, Alan Hodgson
> () wrote:
> >
> > Wow, that's hard to read.
> >
> > It was close to being tagged because of the Pakistan relay. Just
> > add a few points for Word docs and you should be good. Word docs
> > from spammy countries should really get a lot of points.
>
> Hi Alan, I think it's a valid point, except for one thing, what
> happens if you do not attach a document?
>

Malware/phishes are usually either in an attachment or the message has a link. Personally I add a lot of points to either if they come through questionable countries. Users can dig them out of their Junk if they happen to be expecting a resume from Algeria.

> Something I want to ask you, where can I increase this score or in
> what rules?
>

You'd probably have to write your own. I'm not even sure where you got that RELAY_PK rule from but I'd guess a download from Ironport or something.

Personally I have one set of rules for classifying countries and a few metas on top of those.

But you probably wouldn't want to use my rules; my servers are small with homogeneous user bases and they don't get real mail from, say, Russia or Pakistan or the Sudan. You can tag a lot of real mail if you're not careful writing rules.
Re: spoofing mail
On Tue, 27 Nov 2018 at 11:14, Alan Hodgson () wrote:
>
> Wow, that's hard to read.
>
> It was close to being tagged because of the Pakistan relay. Just add a few
> points for Word docs and you should be good. Word docs from spammy countries
> should really get a lot of points.

Hi Alan, I think it's a valid point, except for one thing, what happens if you do not attach a document?

Something I want to ask you, where can I increase this score or in what rules?

--
rickygm
http://gnuforever.homelinux.com
Re: spoofing mail
On Tue, 2018-11-27 at 10:42 -0600, Rick Gutierrez wrote:
> Hi, I have a situation a little complicated, I have emails from
> spammers that come with the name of one of my users, but the email
> address is not from my domain, they send it from a valid domain,
> which complies with spf, DKIM etc etc, some idea that could help me to
> adjust my spamassassin and stop this kind of post, someone has had
> experience in this type of evasion?
>
> my user is lvelasquez
>

Wow, that's hard to read.

It was close to being tagged because of the Pakistan relay. Just add a few points for Word docs and you should be good. Word docs from spammy countries should really get a lot of points.
--virtual-config-dir=pattern is not substituted
I have Spamassassin running on Debian with Postfix, Dovecot etc. It seems to work, Spam is filtered to my Quarantine.

I have some virtual mailboxes in /var/mail/vhosts and have set up the option

-x --virtual-config-dir=/var/mail/vhosts/%d/%l/spamassassin

This does not work, in the log file /var/log/spamassassin/spamd.log I find these lines:

warn: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /var/mail/vhosts///spamassassin/bayes.lock.domain.de.3653 for /var/mail/vhosts///spa

So the user name and the domain are not replaced in the pattern. What may be wrong?

Cheers,
Eggert
spoofing mail
Hi, I have a situation a little complicated, I have emails from spammers that come with the name of one of my users, but the email address is not from my domain, they send it from a valid domain, which complies with spf, DKIM etc etc, some idea that could help me to adjust my spamassassin and stop this kind of post, someone has had experience in this type of evasion?

my user is lvelasquez

attached the trace

Nov 27 03:21:07 scmspam postfix/smtpd[30321]: warning: hostname cloud.casasponty.com does not resolve to address 206.189.74.145: Name or service not known
Nov 27 03:21:07 scmspam postfix/smtpd[30321]: connect from unknown[206.189.74.145]
Nov 27 03:21:07 scmspam policyd-spf[30325]: None; identity=helo; client-ip=206.189.74.145; helo=cloud.casasponty.com; envelope-from=acha...@casasponty.com; receiver=lvelasq...@mydomain.com
Nov 27 03:21:07 scmspam policyd-spf[30325]: Pass; identity=mailfrom; client-ip=206.189.74.145; helo=cloud.casasponty.com; envelope-from=acha...@casasponty.com; receiver=lvelasq...@mydomain.com
Nov 27 03:21:07 scmspam postfix/smtpd[30322]: warning: hostname cloud.casasponty.com does not resolve to address 206.189.74.145: Name or service not known
Nov 27 03:21:07 scmspam postfix/smtpd[30322]: connect from unknown[206.189.74.145]
Nov 27 03:21:07 scmspam policyd-spf[30326]: None; identity=helo; client-ip=206.189.74.145; helo=cloud.casasponty.com; envelope-from=acha...@casasponty.com; receiver=yr...@mydomain.com
Nov 27 03:21:07 scmspam policyd-spf[30326]: Pass; identity=mailfrom; client-ip=206.189.74.145; helo=cloud.casasponty.com; envelope-from=acha...@casasponty.com; receiver=yr...@mydomain.com
Nov 27 03:21:08 scmspam postfix/smtpd[30321]: 2D19A1089D: client=unknown[206.189.74.145]
Nov 27 03:21:08 scmspam postfix/smtpd[30322]: 32F15108A7: client=unknown[206.189.74.145]
Nov 27 03:21:08 scmspam postfix/cleanup[30327]: 2D19A1089D: message-id=<18301625705448019599.084a539583f0b...@mydomain.com>
Nov 27 03:21:08 scmspam postfix/cleanup[30351]: 32F15108A7: message-id=<40635101623011819320.2fc59783b4b6f...@mydomain.com>
Nov 27 03:21:08 scmspam postfix/qmgr[24718]: 2D19A1089D: from=, size=127129, nrcpt=1 (queue active)
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) LMTP:[127.0.0.1]:10024 /var/amavis/tmp/amavis-20181127T031602-30276-giUj8Gm1: -> SIZE=127129 Received: from scmspam.mydomain.com ([127.0.0.1]) by localhost (scmspam.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for ; Tue, 27 Nov 2018 03:21:08 -0600 (CST)
Nov 27 03:21:08 scmspam postfix/qmgr[24718]: 32F15108A7: from=, size=127113, nrcpt=1 (queue active)
Nov 27 03:21:08 scmspam postfix/smtpd[30321]: disconnect from unknown[206.189.74.145] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) LMTP:[127.0.0.1]:10024 /var/amavis/tmp/amavis-20181127T031805-30291-C1blwKk0: -> SIZE=127113 Received: from scmspam.mydomain.com ([127.0.0.1]) by localhost (scmspam.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for ; Tue, 27 Nov 2018 03:21:08 -0600 (CST)
Nov 27 03:21:08 scmspam postfix/smtpd[30322]: disconnect from unknown[206.189.74.145] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) dkim: VALID Author+Sender+MailFrom signature by d=casasponty.com, From: , a=rsa-sha256, c=relaxed/relaxed, s=default, i=@casasponty.com
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) Checking: 1SgjFC6nhGVK [206.189.74.145] ->
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) dkim: VALID Author+Sender+MailFrom signature by d=casasponty.com, From: , a=rsa-sha256, c=relaxed/relaxed, s=default, i=@casasponty.com
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) p003 1 Content-Type: multipart/mixed
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) p001 1/1 Content-Type: text/plain, size: 162 B, name:
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) Checking: 22udI1Q-h9lr [206.189.74.145] ->
Nov 27 03:21:08 scmspam amavis[30276]: (30276-05) p002 1/2 Content-Type: application/msword, size: 90752 B, name: Contrato.doc
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) p003 1 Content-Type: multipart/mixed
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) p001 1/1 Content-Type: text/plain, size: 162 B, name:
Nov 27 03:21:08 scmspam amavis[30291]: (30291-04) p002 1/2 Content-Type: application/msword, size: 90752 B, name: Contrato.doc
Nov 27 03:21:10 scmspam amavis[30291]: (30291-04) spam-tag, -> , No, score=4.673 tagged_above=-990 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RDNS_NONE=1.274, RELAYCOUNTRY_PK=3, RELAYCOUNTRY_US=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Nov 27 03:21:10 scmspam postfix/smtpd[30334]: connect from localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/smtpd[30334]: B9B79108A8: client=localhost[127.0.0.1]
Nov 27 03:21:10 scmspam postfix/cleanup[30327]: B9B79108A8: message-id=<40635101623011819320.2fc59783b4b6f...@mydomain.com>
Nov 27 03:21:10 scmspam amavis[30276]: (30276-05)
Re: Is $THIS possible?
Hi Giovanni,

On 11/27/2018 12:56 AM, Giovanni Bechis wrote:
> I do not know if it's viable for your own use but amavisd penpal feature could be an option (https://www.ijs.si/software/amavisd/#features-spam)
> It creates a redis database where it correlates outbound msg-id and replies so it can subtract score if an email msg is a reply to a known sender.

Intriguing. I'll have to check that out.

It sounds like it's conceptually similar to a stateful firewall for email. As in if there is known email conversation state (akin to connection state) then a (small?) value is deducted from the spam score. Thus meaning messages that might be flagged as spam on their own might pass through unmodified if they are part of an ongoing conversation.

Very interesting. Thank you for sharing amavisd penpal with me. :-)

--
Grant. . . . unix || die
Re: X-Relay-Countries not working
On Tue, 27 Nov 2018 12:51:40 +0200
Brent Clark wrote:

> Good day Guys
>
> I have the following spam email, and I picked up that the plugin
> 'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.
>
> https://pastebin.com/i45KsgVk

Try running it through

spamassassin -D metadata 1>/dev/null

and look for debug about what database type is being used. I've found that the plugin will fallback to the 'fast' version if anything is wrong and it only shows up in detailed debug.

>
> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
> describe RELAYCOUNTRY_BAD Relayed through foreign countries
> score RELAYCOUNTRY_BAD 1.0
> add_header all Relay-Country _RELAYCOUNTRY_
>
> In my testing, I added ZA, and it picked up for IP 196.35.198.137.
>
> Also, does anyone know why the 27.102.212.207 is in square brackets.

Usually it's to indicate that it's an IP address.
Re: X-Relay-Countries not working
On 27.11.18 12:51, Brent Clark wrote:
> I have the following spam email, and I picked up that the plugin
> 'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.
>
> https://pastebin.com/i45KsgVk
>
> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
> describe RELAYCOUNTRY_BAD Relayed through foreign countries
> score RELAYCOUNTRY_BAD 1.0
> add_header all Relay-Country _RELAYCOUNTRY_
>
> In my testing, I added ZA, and it picked up for IP 196.35.198.137.
>
> Also, does anyone know why the 27.102.212.207 is in square brackets.
>
> GeoIP picks up:
>
> $ geoiplookup 27.102.212.207
> GeoIP Country Edition: KR, Korea, Republic of
>
> Would anyone please share a rule I can use to catch the above spam.

Tried running "spamassassin -D" over the e-mail? Just to see if it picks the rule, if it finds the database etc.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: Custom DMARC_FAIL rule
On Mon, 26 Nov 2018 20:13:12 -0500
Robert Fitzpatrick wrote:

> I have the following custom rules working pretty well in testing, but
> ran into this message with two "Authentication-Results" headers:
>
> > Authentication-Results: mx3.webtent.org; dmarc=none (p=none
> > dis=none) header.from=email.monoprice.com
> > Authentication-Results: mx3.webtent.org;
> > dkim=fail reason="signature verification failed" (2048-bit
> > key; unprotected) header.d=email.monoprice.com
> > header.i=@email.monoprice.com header.b=JvTxQQIc
>
> This triggers DMARC_FAIL in my custom rules below, but all I want to
> pick up on is 'header.from' failures. What do I need to change the
> regular expression to also pick up on header.from in the header?
> Would I just add '.*header.from' after =fail?
>
> > # DMARC rules
> > header __DMARC_FAIL Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=fail /

dkim=fail doesn't imply the email failed DMARC. Just look for dmarc=fail. Using header.from is just a roundabout way of eliminating the unnecessary dkim=fail matches.

> > meta WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)

Valid DKIM doesn't imply an email is not forged, the signature could be unrelated to the author. If you want a sanity check you can use DKIM_VALID_AU.

> > header __DMARC_PASS Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=pass /

Again remove the dkim pass.
X-Relay-Countries not working
Good day Guys

I have the following spam email, and I picked up that the plugin 'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.

https://pastebin.com/i45KsgVk

header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
describe RELAYCOUNTRY_BAD Relayed through foreign countries
score RELAYCOUNTRY_BAD 1.0
add_header all Relay-Country _RELAYCOUNTRY_

In my testing, I added ZA, and it picked up for IP 196.35.198.137.

Also, does anyone know why the 27.102.212.207 is in square brackets.

GeoIP picks up:

$ geoiplookup 27.102.212.207
GeoIP Country Edition: KR, Korea, Republic of

Would anyone please share a rule I can use to catch the above spam.

Regards
Brent Clark

P.s. I'm running spamassassin 3.4.2-1~deb9u1