Bad List-Id from SparkPost mailing service

2019-05-01 Thread Kenneth Porter
You may recall I have a local rule that flags badly-formatted List-Id 
headers as probable spam. It works quite well. However, I've seen a couple 
false positives recently from my bank and credit card companies. The 
Message-IDs make it clear that both are coming from SparkPost, which seems 
to be a company that handles bulk email for enterprise. Of course, none of 
these companies make it easy to alert the people responsible for such mail 
that they're sending spammy messages. While the credit card email was just 
marketing, the bank email was from their account activity alert system, and 
that I very much want. In any case, if you use SparkPost, please let them 
know that they're sending broken List-Id headers.


The bad List-Id's look like this:

List-Id: 
List-Id: 

Previous discussion of my custom rule can be found here:






Re: Spammer in white list aka USER_IN_DEF_SPF_WL

2019-05-01 Thread David Jones
On 5/1/19 6:04 PM, RW wrote:
> On Wed, 1 May 2019 10:39:08 -0700 (MST)
> jandev wrote:
> 
>> David,
>>
>> I tried to send the original email to the email address you
>> requested. But your mail hoster blocks (554 5.7.1) my TLDs.
> 
> It doesn't really matter, you posted a link to pastebin on the list.
> 
> It passed SPF with the envelope domain bounce.comm06.simpliv.com
> which matches:
> 
> def_whitelist_auth *@*.simpliv.com
> 

129.41.222.236 has a senderscore.org score of 94 currently and is listed 
in dnswl.org as score but do not block outright.  More importantly, it's 
listed in Invaluement (IVM or IVM24):

http://multirbl.valli.org/lookup/129.41.222.236.html

The email headers that were posted in pastebin.com are from a mass 
marketer that has a valid unsubscribe header/link.

I wouldn't classify that email as spam unless there were multiple 
reports of them not honoring the unsubscribe or not handling abuse 
reports.  Every platform has the occasional bad customer that needs to 
be kicked off so most RBLs (good ones anyway) will allow for a small 
amount of UCE before hitting the threshold to be listed/blocked.

-- 
David Jones


Re: running a private SA-Mirror

2019-05-01 Thread RW
On Wed, 1 May 2019 10:05:16 +0200
A. Schulze wrote:

> Hello,
> 
> we've a number of SA instances that need rule updates. For now we
> configured them to use a proxy. Works...

It doesn't work well because there's no way to specify that all instances
of sa-update using a cache use the same seed for the random selection of
a mirror. With 10 mirrors there's little benefit unless there are dozens
of SA instances. 



Re: Spammer in white list aka USER_IN_DEF_SPF_WL

2019-05-01 Thread RW
On Wed, 1 May 2019 10:39:08 -0700 (MST)
jandev wrote:

> David, 
> 
> I tried to send the original email to the email address you
> requested. But your mail hoster blocks (554 5.7.1) my TLDs. 

It doesn't really matter, you posted a link to pastebin on the list.

It passed SPF with the envelope domain bounce.comm06.simpliv.com
which matches:

def_whitelist_auth *@*.simpliv.com



Re: running a private SA-Mirror

2019-05-01 Thread David Jones
> On 2019-05-01 at 10:05, A. Schulze wrote:
>> Hello,
>>
>> we've a number of SA instances that need rule updates. For now we configured 
>> them to use a proxy. Works...
>> But there are also instances that can't use a proxy at all.
>>
>> My idea was to setup a private SA-Mirror (apache+rsync) but, I've to manage
>> DNS-Data for mirrors.spamassassin-mirror.example and 
>> 2.3.4.spamassassin-mirror.example.
>> :-/
>>
>> Are there other methods to distribute current ruleset to SA-instances using 
>> sa-update?

There are many ways to accomplish this.  The best one will depend on 
your network layout and what tools you have available.

I suspect you already manage your SA local/custom 
rules/plugins/add-ons/etc from a central location and sync them out from 
there.  This would work very similar to that.

Pick one central server that will be your sa-update "master" then rsync 
the /var/lib/spamassassin//updates_spamassassin_org from it 
using native rsyncd or rsync over SSH with empty passphrase keys.

If you are using spamd, amavis-new, etc. then setup monit to detect a 
checksum/timestamp change on the updates_spamassassin_org directory then 
reload/restart the daemon that is the "glue" to SpamAssassin.

https://mmonit.com/monit/

-- 
David Jones
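
The sync-then-reload step described above, as an added example that is not part of the original post: it fingerprints the synced rule directory and reloads only when the content changed and still lints. The function names, LINT_CMD, RELOAD_CMD and the service name in the default reload command are assumptions.

```shell
#!/bin/sh
# Added example: reload the SpamAssassin "glue" daemon only when the synced
# rule directory changed and the new rules pass lint.
# LINT_CMD and RELOAD_CMD are assumptions; set them for your own setup.

# Print one SHA-256 covering the names and contents of all files in a dir.
rules_fingerprint() {
    [ -d "$1" ] || return 1
    ( cd "$1" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort | sha256sum | cut -d' ' -f1
}

# Return 0 when the rules changed, linted and the daemon was reloaded;
# 1 when nothing changed; 2 when lint or reload failed (state is left
# untouched so the next run retries).
apply_if_changed() {
    rules_dir=$1
    state_file=$2
    new=$(rules_fingerprint "$rules_dir") || return 2
    old=$(cat "$state_file" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    ${LINT_CMD:-spamassassin --lint} || return 2
    ${RELOAD_CMD:-systemctl reload spamassassin} || return 2
    printf '%s\n' "$new" > "$state_file"
}
```

Call `apply_if_changed` after each rsync run, with the synced directory and a state file kept outside that directory.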


Re: Spammer in white list aka USER_IN_DEF_SPF_WL

2019-05-01 Thread jandev
David, 

I tried to send the original email to the email address you requested. But
your mail hoster blocks (554 5.7.1) my TLDs. And an email to your postmaster
to activate my TLD/domain has never been replied to.

Regards
Jan



--
Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html


Re: running a private SA-Mirror

2019-05-01 Thread Marcin Mirosław
On 2019-05-01 at 10:05, A. Schulze wrote:
> Hello,
> 
> we've a number of SA instances that need rule updates. For now we configured 
> them to use a proxy. Works...
> But there are also instances that can't use a proxy at all.
> 
> My idea was to setup a private SA-Mirror (apache+rsync) but, I've to manage
> DNS-Data for mirrors.spamassassin-mirror.example and 
> 2.3.4.spamassassin-mirror.example.
> :-/
> 
> Are there other methods to distribute current ruleset to SA-instances using 
> sa-update?

Hi,
I'm using rbldns as dns server (because I've got own bl rbl) so my
script can't be used 1:1. Maybe you will adopt it for your environment.


unbound-control flush_zone sa.mejor.pl # flushing resolver cache
current_version="$(dnsget -q -t txt 0.4.3.sa.mejor.pl)" || {
    echo "Error: can't get current rules version" ; exit 1; }

set -e
spamassassin --lint
cd /etc/spamassassin/sa.mejor.pl
new_version="$((${current_version}+1))"
tar --owner=spamassassin --group=spamassassin -czf \
    "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.new *cf
sha1sum "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.new >> \
    "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.sha1.new
sha256sum "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.new >> \
    "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.sha256.new
# remove old versions
rm -f //sa.mejor.pl/htdocs/sa-updates/*.tar.gz
rm -f //sa.mejor.pl/htdocs/sa-updates/*.tar.gz.sha1
rm -f //sa.mejor.pl/htdocs/sa-updates/*.tar.gz.sha256
mv "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.new \
    "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz
mv "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.sha1.new \
    "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.sha1
mv "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.sha256.new \
    "//sa.mejor.pl/htdocs/sa-updates/${new_version}".tar.gz.sha256

echo "Modyfikuję dns"
cat << EOF > /var/db/rbldnsd/sa.mejor.pl.zone
\$TTL 60
\$NS 7200 rb.mejor.pl.

*.4.3   ${new_version}
*.3.3   ${new_version}

mirrors http://update.sa.mejor.pl/MIRRORED.BY
:193.33.111.90:
update
EOF



(You can use rndc to update bind, if you use bind)


Re: running a private SA-Mirror

2019-05-01 Thread Kevin A. McGrail
On 5/1/2019 4:05 AM, A. Schulze wrote:
> Are there other methods to distribute current ruleset to SA-instances using 
> sa-update?
>
You can install files by getting the rules, gpg and hash files and
install with a parameter, I think --file.  You could download once to a
file server and trigger an update that way.

-- 
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
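
A client-side check for the hash files mentioned in this thread, as an added example that is not part of any original post: it verifies a downloaded rule archive against its published .sha256 file before the archive is installed. The file naming follows the publishing script posted above; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: check a downloaded rule archive against its .sha256 file.
# Naming (<version>.tar.gz plus <version>.tar.gz.sha256) follows the
# publishing script in this thread; verify_archive is a hypothetical name.

# Return 0 when the archive's SHA-256 equals the first field of the checksum
# file, 1 on mismatch, 2 when a file is missing or the digest is malformed.
verify_archive() {
    archive=$1
    sumfile=${2:-$archive.sha256}
    [ -f "$archive" ] && [ -f "$sumfile" ] || return 2

    # Use only the digest field: the path sha256sum recorded on the mirror
    # (the temporary .tar.gz.new name) does not exist on the client, so
    # `sha256sum -c` would fail even for an intact archive.
    expected=$(awk 'NF { print tolower($1); exit }' "$sumfile")
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}
```

A matching digest shows the archive arrived intact from the mirror; the gpg file is what ties it to a signing key.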



Re: running a private SA-Mirror

2019-05-01 Thread Giovanni Bechis
On 1 May 2019 10:05:16 CEST, "A. Schulze" wrote:
>Hello,
>
>we've a number of SA instances that need rule updates. For now we
>configured them to use a proxy. Works...
>But there are also instances that can't use a proxy at all.
>
>My idea was to setup a private SA-Mirror (apache+rsync) but, I've to
>manage
>DNS-Data for mirrors.spamassassin-mirror.example and
>2.3.4.spamassassin-mirror.example.
>:-/
>
>Are there other methods to distribute current ruleset to SA-instances
>using sa-update?
>
>Andreas

Hi,
I would use sa-update on puppet master (or ansible, or whatever), then deploy 
rules without using sa-update at all on mail servers.
   Giovanni


running a private SA-Mirror

2019-05-01 Thread A. Schulze
Hello,

we've a number of SA instances that need rule updates. For now we configured 
them to use a proxy. Works...
But there are also instances that can't use a proxy at all.

My idea was to setup a private SA-Mirror (apache+rsync) but, I've to manage
DNS-Data for mirrors.spamassassin-mirror.example and 
2.3.4.spamassassin-mirror.example.
:-/

Are there other methods to distribute current ruleset to SA-instances using 
sa-update?

Andreas