Re: using existing score value in new rule's score

2019-02-22 Thread David Jones
On 2/22/19 4:37 PM, David B Funk wrote:
> Is there a rule "score" syntax that allows you to use the score assigned 
> to an existing rule to calculate the value assigned to another rule?
> 
> Specifically what I'm trying to do is to negate the "damage" a 
> particular rule does for messages that meet particular local criteria.
> 
> For example: "HTML_IMAGE_ONLY_28" is a rule that will assign a modest 
> number of points to a message that contains a small amount of HTML and 
> an image.
> 
> What I want to do is to create a local rule:
> 
> meta L_HTML_IMAGE_ONLY_28_FIX  ( HTML_IMAGE_ONLY_28 && L_O365_USER )
> describe L_HTML_IMAGE_ONLY_28_FIX   Fix damage from 
> HTML_IMAGE_ONLY_28 for local O-365 users
> score L_HTML_IMAGE_ONLY_28_FIX ( -1.0 * HTML_IMAGE_ONLY_28 )
> 
> Where if HTML_IMAGE_ONLY_28 fires and another rule which detects that 
> the message was generated by a local Office-365 user, negate the score 
> from the HTML_IMAGE_ONLY_28 rule.
> 
> My problem is that our campus has switched the bulk of our user 
> population to Office-365 and many outlook users like to "decorate" their 
> messages with images (wall-paper, departmental logos, etc).
> When one of these people sends a short message (1~5 lines of text) in 
> their outlook, it's not unusual for several of SA's rules to fire (EG 
> DC_GIF_UNO_LARGO, HTML_IMAGE_ONLY_28, SARE_GIF_STOX, etc) which pushes 
> the messages into spam score range.
> 
> I'd like to automate the un-doing of this damage w/o having to 
> continually chase after changes in the scoring.
> Thus the desire for syntax to calculate the score value. It doesn't have 
> to be evaluated dynamically, just calculate the score at reload time.
> 
> Thanks.
> 

I use the X-OriginatorOrg header in a meta rule with other headers to 
subtract a few points from (trust) certain Office 365 senders.  Otherwise, I 
treat Office 365 like other "FREEMAIL" sources that are mostly untrusted 
(add a point or two).  You don't have to do the latter but the former 
might be helpful.

-- 
David Jones


Re: using existing score value in new rule's score

2019-02-22 Thread David B Funk

On Sat, 23 Feb 2019, RW wrote:

> On Fri, 22 Feb 2019 16:37:30 -0600 (CST)
> David B Funk wrote:
>
>> Is there a rule "score" syntax that allows you to use the score
>> assigned to an existing rule to calculate the value assigned to
>> another rule?
>> ...
>> What I want to do is to create a local rule:
>>
>> meta L_HTML_IMAGE_ONLY_28_FIX  ( HTML_IMAGE_ONLY_28 && L_O365_USER )
>> describe L_HTML_IMAGE_ONLY_28_FIX   Fix damage from
>> HTML_IMAGE_ONLY_28 for local O-365 users
>> score L_HTML_IMAGE_ONLY_28_FIX ( -1.0 * HTML_IMAGE_ONLY_28 )
>
> IIWY I'd just redefine the HTML_IMAGE_ONLY_XX rules in the form
>
> body __HTML_IMAGE_ONLY_28 eval:html_image_only('2400','2800')
> meta HTML_IMAGE_ONLY_28   __HTML_IMAGE_ONLY_28 && !L_O365_USER

That's one way, but given that HTML_IMAGE_ONLY_28 is a core SA rule I'd prefer 
not to hack at it.

I could totally override it with local redefinitions but then I'd miss out on 
any updates/improvements to the core rule defs and not know about it.

By just adding my local "repair" rule whose score is derived from that 
calculation of the core rule def, I don't need to worry about updates damaging 
my intended functionality.
EG: if the system rule is re-scored (up or down) my "repair" will still do the 
right thing.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin   Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: using existing score value in new rule's score

2019-02-22 Thread RW
On Fri, 22 Feb 2019 16:37:30 -0600 (CST)
David B Funk wrote:

> Is there a rule "score" syntax that allows you to use the score
> assigned to an existing rule to calculate the value assigned to
> another rule?
...
> What I want to do is to create a local rule:
> 
> meta L_HTML_IMAGE_ONLY_28_FIX  ( HTML_IMAGE_ONLY_28 && L_O365_USER )
> describe L_HTML_IMAGE_ONLY_28_FIX   Fix damage from
> HTML_IMAGE_ONLY_28 for local O-365 users
> score L_HTML_IMAGE_ONLY_28_FIX ( -1.0 * HTML_IMAGE_ONLY_28 )

IIWY I'd just redefine the HTML_IMAGE_ONLY_XX rules in the form 


body __HTML_IMAGE_ONLY_28 eval:html_image_only('2400','2800')
meta HTML_IMAGE_ONLY_28   __HTML_IMAGE_ONLY_28 && !L_O365_USER



using existing score value in new rule's score

2019-02-22 Thread David B Funk
Is there a rule "score" syntax that allows you to use the score assigned to an 
existing rule to calculate the value assigned to another rule?


Specifically what I'm trying to do is to negate the "damage" a particular rule 
does for messages that meet particular local criteria.


For example: "HTML_IMAGE_ONLY_28" is a rule that will assign a modest number of 
points to a message that contains a small amount of HTML and an image.


What I want to do is to create a local rule:

meta L_HTML_IMAGE_ONLY_28_FIX  ( HTML_IMAGE_ONLY_28 && L_O365_USER )
describe L_HTML_IMAGE_ONLY_28_FIX   Fix damage from HTML_IMAGE_ONLY_28 for 
local O-365 users
score L_HTML_IMAGE_ONLY_28_FIX ( -1.0 * HTML_IMAGE_ONLY_28 )

Where if HTML_IMAGE_ONLY_28 fires and another rule which detects that the 
message was generated by a local Office-365 user, negate the score from the 
HTML_IMAGE_ONLY_28 rule.


My problem is that our campus has switched the bulk of our user population to 
Office-365 and many outlook users like to "decorate" their messages with images 
(wall-paper, departmental logos, etc).
When one of these people sends a short message (1~5 lines of text) in their 
outlook, it's not unusual for several of SA's rules to fire (EG 
DC_GIF_UNO_LARGO, HTML_IMAGE_ONLY_28, SARE_GIF_STOX, etc) which pushes the 
messages into spam score range.


I'd like to automate the un-doing of this damage w/o having to continually 
chase after changes in the scoring.
Thus the desire for syntax to calculate the score value. It doesn't have to be 
evaluated dynamically, just calculate the score at reload time.


Thanks.

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin   Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
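
SpamAssassin has no arithmetic in "score" lines: the value is a plain number (or four numbers, one per score set), and a number in parentheses is added to the rule's existing score rather than replacing it, so the "( -1.0 * HTML_IMAGE_ONLY_28 )" form in the post cannot be expressed directly. What the post asks for, a score computed at reload time, can be done outside SpamAssassin by regenerating a local "repair" rule from the currently installed scores after every rule update. The script below is an added example for this thread, not part of it and not SpamAssassin's own code. It replays "score" lines the way the config parser applies them (later lines override, parenthesised values are relative, an unscored rule counts as 1.0) and emits the meta/describe/score triple from the post with the negated per-set scores. The rule text it parses is a constructed sample and its numbers are not the real shipped scores; the gate rule L_O365_USER is taken from the post and assumed to be defined in local config.

```python
"""Generate local 'repair' rules whose score is the negation of a core rule's
current score, recomputed from the installed rule files after each update.

Added example for this thread; not SpamAssassin code.  Assumed: the 'score'
line forms 'score NAME v' and 'score NAME v0 v1 v2 v3', '(v)' meaning
'add v to the existing score', '#' comments, and a default score of 1.0."""
import re

# 'score NAME <values>'; comments are stripped before matching.
SCORE_RE = re.compile(r'^\s*score\s+(\S+)\s+(.+?)\s*$')


def _parse_value(tok):
    """Return (float, relative) for one score token; '(0.5)' is relative."""
    relative = tok.startswith('(') and tok.endswith(')')
    num = tok[1:-1] if relative else tok
    try:
        return float(num), relative
    except ValueError:
        raise ValueError('bad score value: %r' % tok)


def parse_scores(rule_text, default=1.0):
    """Replay every 'score' line in order and return {rule: [s0, s1, s2, s3]}.
    One value applies to all four score sets; later lines override earlier
    ones, which is how a site local.cf overrides the shipped rule files."""
    scores = {}
    for raw in rule_text.splitlines():
        line = raw.split('#', 1)[0]
        m = SCORE_RE.match(line)
        if not m:
            continue
        rule, values = m.group(1), m.group(2).split()
        if len(values) == 1:
            values = values * 4
        if len(values) != 4:
            raise ValueError('score line needs 1 or 4 values: %r' % raw)
        current = scores.setdefault(rule, [default] * 4)
        for i, tok in enumerate(values):
            value, relative = _parse_value(tok)
            current[i] = current[i] + value if relative else value
    return scores


def repair_rules(scores, targets, gate='L_O365_USER', prefix='L_', suffix='_FIX'):
    """Emit meta/describe/score lines that cancel each target rule's score
    whenever the gate rule (the local 'this is our O365 user' test) also
    fires.  Negation is done per score set, so it is right for any scoreset."""
    lines = []
    for rule in targets:
        if rule not in scores:
            raise KeyError('no score known for %s; is the rule still shipped?' % rule)
        name = prefix + rule + suffix
        lines.append('meta %s (%s && %s)' % (name, rule, gate))
        lines.append('describe %s Cancel %s for messages that hit %s' % (name, rule, gate))
        lines.append('score %s %s' % (name, ' '.join('%.3f' % -v for v in scores[rule])))
    return lines


# Constructed sample rule text; the numbers are NOT the real shipped scores.
SAMPLE_RULES = """\
# constructed sample, not a real rules file
score HTML_IMAGE_ONLY_28 1.5 1.25 1.75 1.5
score DC_GIF_UNO_LARGO 2.5
score HTML_IMAGE_ONLY_28 (0.5)   # a later, relative adjustment
"""

if __name__ == '__main__':
    scores = parse_scores(SAMPLE_RULES)
    print('\n'.join(repair_rules(scores, ['HTML_IMAGE_ONLY_28', 'DC_GIF_UNO_LARGO'])))
```

To use it for real, run it from the same cron job that runs sa-update, feed it the .cf files from the updates directory followed by the site config directory in the order SpamAssassin reads them (alphabetical within each directory, site config after the shipped or updated rules), write the output to a .cf file that sorts after local.cf, run spamassassin --lint, and only then restart spamd. Because the repair rule can only fire when the core rule fires, its per-set negation cancels that rule exactly, whatever score the next update assigns it.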


Re: Semi Off-topic: VFEMail destroyed

2019-02-22 Thread Antony Stone
On Friday 22 February 2019 at 21:44:07, Alex Woick wrote:

> In the end, it comes back to trust. Don't employ people you don't trust.

How do you know you don't trust them until you find out you can't?


Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

   Please reply to the list;
 please *don't* CC me.


Re: Semi Off-topic: VFEMail destroyed

2019-02-22 Thread Alex Woick

Kevin A. McGrail wrote on 16.02.2019 at 17:59:
> Insider threat detection is a whole different ball of wax from backup 
> and disaster recovery.  However, there are numerous protocols to help 
> for that threat. Specifically Principle of Least Privilege (POLP) and 
> Separation of Duties.  I consider this part and parcel of a Zero Trust 
> network design.

I have worked for the last 20 years for a banking company that has had the 
mantra of Principle of Least Privilege and Separation of Duties in its 
policies for years. This becomes more paranoid year after year, all by 
European law, and now this has reached a state where I, if I were an 
inside blackhat hacker, would not try to compromise data and backups but 
instead the security systems that enforce the security and safety 
policies: all these monitoring and supervising systems you have to 
authenticate and go through to get your administrative work done.


These are a fragile framework and establish the point of failure. They 
are highly custom built, highly complex, highly non-standard systems, and 
if one part of it fails, the whole system fails. Attack some part of the 
security and authentication systems, so they are unusable as a whole. 
Disturb some part of the silent and innocent infrastructure they rely 
on. DNS, some database, switch, firewall, whatever. You are not able to 
administer the servers any more as a result, company-wide.
Disaster recovery plans come into action to reclaim immediate access to 
the productive systems for the admins, so production can continue. You 
get the emergency access keys that are stored in a vault for disaster 
recovery. They are few. They are mighty. They are global. They cannot be 
as fine-tuned and tuned down as your standard accounts. Now you can 
strike and destroy the productive systems and backups. You are covered 
by the chaos that is a real disaster recovery process. You don't have to 
follow all details of the formal change process, because it's an 
emergency. You are not monitored, since you bypass the monitoring 
systems due to the emergency. You have to document afterwards what you 
did of course, but you can lie.


If you didn't manage to do something bad, you still have your chance in 
the aftermath of the disaster recovery. Your job as admin is to clean up 
systems, close the open doors the disaster recovery keys opened. New 
disaster recovery keys have to be put in the vault. All chances to again 
do something malicious, to plant something for some time later.


I don't feel the network data security is much better these days.

Unfortunately, I don't have a proposal to make it better, either. It's a 
dilemma.

In the end, it comes back to trust. Don't employ people you don't trust.


Re: Problem with spamassassin update at /usr/bin/sa-update line 1603

2019-02-22 Thread Kevin A. McGrail
On 2/22/2019 5:36 AM, mbaldov wrote:
> So I ask you if it's possible to intervene on the mirror's list with
> some option so that to exclude the bad mirrors.

Escalating that issue to our sysadmins list.  Thanks for reporting the
problem.

-- 
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: Problem with spamassassin update at /usr/bin/sa-update line 1603

2019-02-22 Thread RW
On Fri, 22 Feb 2019 11:36:38 +0100
mbaldov wrote:

> Hello,
> I have a mailserver with postfix installed (v.2.11.0) on Ubuntu 14.04
> LTS with Amavis, ClamAV and SpamAssassin (v. 3.004002)
> Since the last upgrade that I have done next week, the upgrade of new
> signatures fails

The SA rules are not signatures as such. The core rules tend to be
fairly generic, so missing an update here and there isn't that much of a
problem - it's not like missing an antivirus update. 

If you have a problem with reliability there is nothing to stop you
running sa-update several times a night. If the rules are up-to-date
sa-update is just a single DNS lookup. 

> Here below there are two manual attempts (wgets):
> One with a bad mirror (1) and one with a good one (2):
> 
> 1)
> wget http://sa-update.spamassassin.org/1853564.tar.gz
...
> HTTP request sent, awaiting response... 503 Service Unavailable
> 2019-02-15 12:47:51 ERROR 503: Service Unavailable

This worked for me when I just tried it, and I don't have any recent
sa-update failures.

> 
> So I ask you if it's possible to intervene on the mirror's list with
> some option so that to exclude the bad mirrors.

In the short term you can edit unwanted mirrors out of the MIRRORED.BY
file. It will get replaced after a week (if you don't touch it).
It's worth trying just to see what happens.
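
As an added example of what editing the cached MIRRORED.BY amounts to (this is not sa-update's own code), the script below parses the mirror list in the format the debug log in the original post shows ("URL weight=N" lines, "#" comments), removes the hosts you want to avoid, picks a mirror by weight, writes the trimmed list back in the same format, and checks a downloaded tarball against its hash sidecar. Assumptions: mirror selection is modelled as weighted random (sa-update's exact selection logic is not shown on this page), and the sidecar's first whitespace-separated token is the hex digest (sha1sum-style output); the mirror list is a constructed sample copied from the log. Note that a failing mirror in this list is an availability problem, not an integrity one: sa-update also verifies the GPG signature on the rules tarball and will not install unsigned or badly signed rules unless it is run with --nogpg, which is what keeps a misbehaving plain-HTTP mirror from feeding you rules, so keep that check on when you hand-pick mirrors.

```python
"""Inspect a SpamAssassin MIRRORED.BY file, drop unwanted mirrors, pick one
by weight, and verify a rules tarball against its hash sidecar.

Added example for this thread; not sa-update's code.  Assumed: the
'URL weight=N' line format from the debug log, '#' comment lines,
weighted-random selection, and a sidecar whose first token is the digest."""
import hashlib
import random
import re
from urllib.parse import urlparse

MIRROR_RE = re.compile(r'^(https?://\S+)\s+weight=(\d+)$')


def parse_mirrored_by(text):
    """Return [(url, weight), ...] in file order; blank and '#' lines skipped."""
    mirrors = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = MIRROR_RE.match(line)
        if not m:
            raise ValueError('unparsable MIRRORED.BY line: %r' % raw)
        mirrors.append((m.group(1), int(m.group(2))))
    return mirrors


def exclude_hosts(mirrors, bad_hosts):
    """Drop mirrors whose hostname is in bad_hosts (case-insensitive)."""
    bad = {h.lower() for h in bad_hosts}
    return [(u, w) for u, w in mirrors if urlparse(u).hostname not in bad]


def choose_mirror(mirrors, seed=None):
    """Weighted random pick: weight=10 is chosen ten times as often as
    weight=1.  This models sa-update's behaviour; it is not its code."""
    if not mirrors:
        raise ValueError('no mirrors left to choose from')
    rng = random.Random(seed)
    pick = rng.uniform(0, sum(w for _, w in mirrors))
    for url, weight in mirrors:
        pick -= weight
        if pick <= 0:
            return url
    return mirrors[-1][0]


def render_mirrored_by(mirrors):
    """Serialise back to the file format so it can replace the cached copy.
    sa-update refreshes that cached file once it is a week old, so this is
    a short-term workaround only."""
    return '\n'.join('%s weight=%d' % (u, w) for u, w in mirrors) + '\n'


def digest_matches(tarball_bytes, sidecar_text, algo='sha1'):
    """Compare a downloaded tarball with its .sha1 (or sha256) sidecar,
    taking the sidecar's first token as the expected hex digest."""
    expected = sidecar_text.split()[0].lower()
    return hashlib.new(algo, tarball_bytes).hexdigest() == expected


# Constructed sample, copied from the mirror list in the debug log.
SAMPLE_MIRRORED_BY = """\
# mirrors for updates.spamassassin.org (constructed sample)
http://sa-update.dnswl.org/ weight=3
http://www.sa-update.pccc.com/ weight=5
http://sa-update.secnap.net/ weight=5
http://sa-update.spamassassin.org/ weight=10
"""

if __name__ == '__main__':
    kept = exclude_hosts(parse_mirrored_by(SAMPLE_MIRRORED_BY),
                         ['sa-update.spamassassin.org'])
    print('selected:', choose_mirror(kept))
    print(render_mirrored_by(kept), end='')
```

Run it against the MIRRORED.BY under /var/lib/spamassassin/<version>/updates_spamassassin_org/ and write render_mirrored_by() output back over it; sa-update will use the trimmed list until it decides the file is stale and re-downloads it.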
Problem with spamassassin update at /usr/bin/sa-update line 1603

2019-02-22 Thread mbaldov
Hello,
I have a mailserver with postfix installed (v.2.11.0) on Ubuntu 14.04 LTS
with Amavis, ClamAV and SpamAssassin (v. 3.004002)
Since the last upgrade that I have done next week, the upgrade of new
signatures fails with these messages:
"/etc/cron.daily/spamassassin:Cannot open file
/var/lib/spamassassin/3.004002/updates_spamassassin_org/1854020.tar.gz: No
such file or directory at /usr/bin/sa-update line 1603."

The problem isn't the file, which clearly doesn't exist, but some mirrors
that seem to have problems when they are called.
I have seen many posts where they spoke about permissions but I have checked
and all is correct.

Debugging the perl file called spamassassin, you get to a point where
the mirror list and their weights appear;
the first attempt is made on sa-update.spamassassin.org but the response
is 503 as highlighted below:

Feb 15 12:45:10.992 [10243] dbg: channel: protocol family available: inet,inet6
Feb 15 12:45:10.992 [10243] dbg: channel: file /var/lib/spamassassin/3.004002/updates_spamassassin_org/MIRRORED.BY is too old, refreshing mirrors file
Feb 15 12:45:10.992 [10243] dbg: channel: DNS lookup on mirrors.updates.spamassassin.org
Feb 15 12:45:11.156 [10243] dbg: http: url: http://spamassassin.apache.org/updates/MIRRORED.BY
Feb 15 12:45:11.156 [10243] dbg: http: downloading to: /var/lib/spamassassin/3.004002/updates_spamassassin_org/MIRRORED.BY, replace
Feb 15 12:45:11.156 [10243] dbg: util: executable for curl was found at /usr/bin/curl
Feb 15 12:45:11.156 [10243] dbg: http: /usr/bin/curl -s -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o MIRRORED.BY -- http://spamassassin.apache.org/updates/MIRRORED.BY
Feb 15 12:45:11.332 [10243] dbg: http: process [10244], exit status: exit 0
Feb 15 12:45:11.333 [10243] dbg: channel: MIRRORED.BY file for channel updates.spamassassin.org retrieved
Feb 15 12:45:11.333 [10243] dbg: channel: parsing MIRRORED.BY file for channel updates.spamassassin.org
Feb 15 12:45:11.333 [10243] dbg: channel: found mirror http://sa-update.dnswl.org/ weight=3
Feb 15 12:45:11.333 [10243] dbg: channel: found mirror http://www.sa-update.pccc.com/ weight=5
Feb 15 12:45:11.334 [10243] dbg: channel: found mirror http://sa-update.secnap.net/ weight=5
Feb 15 12:45:11.334 [10243] dbg: channel: found mirror http://sa-update.space-pro.be/ weight=1
Feb 15 12:45:11.334 [10243] dbg: channel: found mirror http://sa-update.ena.com/ weight=5
Feb 15 12:45:11.334 [10243] dbg: channel: found mirror http://sa-update.razx.cloud/ weight=5
Feb 15 12:45:11.334 [10243] dbg: channel: found mirror http://sa-update.fossies.org/ weight=1
Feb 15 12:45:11.334 [10243] dbg: channel: found mirror http://sa-update.bitwell.fi/ weight=5
Feb 15 12:45:11.335 [10243] dbg: channel: found mirror http://sa-update.spamassassin.org/ weight=10
Feb 15 12:45:11.338 [10243] dbg: channel: selected mirror http://sa-update.spamassassin.org
Feb 15 12:45:11.338 [10243] dbg: http: url: http://sa-update.spamassassin.org/1853564.tar.gz
Feb 15 12:45:11.338 [10243] dbg: http: downloading to: /var/lib/spamassassin/3.004002/updates_spamassassin_org/1853564.tar.gz, new
Feb 15 12:45:11.338 [10243] dbg: util: executable for curl was found at /usr/bin/curl
Feb 15 12:45:11.338 [10243] dbg: http: /usr/bin/curl -s -L -O --remote-time -g --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o 1853564.tar.gz -- http://sa-update.spamassassin.org/1853564.tar.gz
Feb 15 12:45:11.543 [10243] dbg: http: process [10246], exit status: exit 22
Cannot open file /var/lib/spamassassin/3.004002/updates_spamassassin_org/1853564.tar.gz: No such file or directory at /usr/bin/sa-update line 1603.

Here below there are two manual attempts (wgets):
One with a bad mirror (1) and one with a good one (2):

1)
wget http://sa-update.spamassassin.org/1853564.tar.gz
--2019-02-15 12:47:51--  http://sa-update.spamassassin.org/1853564.tar.gz
Resolving sa-update.spamassassin.org (sa-update.spamassassin.org)... 64.142.56.146
Connecting to sa-update.spamassassin.org (sa-update.spamassassin.org)|64.142.56.146|:80... connected.
HTTP request sent, awaiting response... 503 Service Unavailable
2019-02-15 12:47:51 ERROR 503: Service Unavailable

2)
wget http://sa-update.dnswl.org/1853564.tar.gz
--2019-02-15 12:48:08--  http://sa-update.dnswl.org/1853564.tar.gz
Resolving sa-update.dnswl.org (sa-update.dnswl.org)... 78.47.167.123, 2a01:4f8:d15:2fc0:::20
Connecting to sa-update.dnswl.org (sa-update.dnswl.org)|78.47.167.123|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 295185 (288K) [application/x-gzip]
Saving to: ‘1853564.tar.gz’
100%[==>]

So I ask you if it's possible to intervene on the mirror's list with some
option so that to exclude the bad mirrors.

Thanks in advance to whoever will answer me.

Regards.