Re: check_rbl digging too deep
On Tue, 25 Jun 2019, Matus UHLAR - fantomas wrote:
> On Mon, 24 Jun 2019, John Schmerold wrote:
>> We had an inbound message get rejected because it was sent from a cell phone, shouldn't SA be checking the most recent hop? Is there a way to make this the default? I have this in local.cf:
>>
>> header RCVD_IN_rbl2spamhausz eval:check_rbl('spamhausz', 'zen.spamhaus.org.')
>> score RCVD_IN_rbl2spamhausz 3.5
>
> On 25.06.19 07:52, John Hardin wrote:
>> I'll let others address SA issues with this, I just want to point out an alternative: Many sites consider Zen reliable enough for it to be used at the SMTP level as a poison-pill DNSBL. That would avoid any chance of it being used "too deeply"...
>
> no. Many people consider Zen reliable enough to reject connections from listed IP. Deep header scanning is something very different.

Yes, I'm aware of that. Rejecting up front based on the other guy's IP address is *not* deep scanning, so there's no risk of looking *too* deeply when you're doing that.

What I was trying to suggest is "maybe you want to use Zen as an MTA-level DNSBL rather than as part of the SA scan." I apologize if I didn't word it clearly.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The ["assault weapons"] ban is the moral equivalent of banning red cars because they look too fast. -- Steve Chapman, Chicago Tribune
---
9 days until the 243rd anniversary of the Declaration of Independence
Re: How to create my personal RBL
On 6/25/19 10:11 AM, David Jones wrote:
> I use PowerDNS Recursor but Unbound or BIND would work fine.

BIND has an option to load zone data from a database. Check out BIND's Dynamically Loadable Zones support.

-- 
Grant. . . .
unix || die
Re: spamass-milter reject?
On 25 Jun 2019, at 22:14, Matus UHLAR - fantomas wrote:
>> I simply overcame this by setting SA's required_score parameter to a desired value in mail/spamassassin/local.cf
>
> I have different value in required_score than I use in -r flag.
> However that's sendmail installation. There's something strange here.

Could it be what milter macros are sent by the MTA (postfix here) to the milter?

-- 
matt [at] lv223.org
GPG key ID: 7D91A8CA
Re: How to create my personal RBL
On Tue, 2019-06-25 at 11:09 -0500, David B Funk wrote:
>> that's way overthinking it.

On 25.06.19 17:55, Martin Gregorie wrote:
> I agree, now that there's a configurable OSS dnsbl server available, that using it is the obvious choice for dealing with a standalone list, but the OP did ask specifically about using database queries to implement a blacklist, so I thought it was worthwhile to tell him what's involved in doing that.

No. The OP wanted to store data in DB to avoid restarting SA, not mentioning any other specific reason to use DB.

using DNSBL does avoid restarting SA and does not require any plugin, which is a great advantage.

we are trying to provide described requirements, while avoiding proposed complicated solutions.

> For all I know the OP either has a similar archive or is intending to implement one: searching for a specific message with a database tool is a *lot* faster than ferreting through a set of very large mail folders with your MUA, though of course the effort of creating and maintaining the database, mail loader, query tools and SA plugin is non trivial.

well, if THIS is the real reason...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: spamass-milter reject?
On 25 Jun 2019, at 2:57, @lbutlr wrote:
>> These are inbound messages being delivered to local users with high spam scores. I want Spamassassin-milter to honor the -r 10 flag setting to reject messages scoring over 10.0

On 25.06.19 19:36, Matt Anton wrote:
> After digging on my configuration files I came to the same problem as you when I installed that milter (spamass-milter doesn't honour the -r flag no matter what I've tried).
> I simply overcame this by setting SA's required_score parameter to a desired value in mail/spamassassin/local.cf

I have different value in required_score than I use in -r flag.
However that's sendmail installation. There's something strange here.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.
Re: spamass-milter reject?
On 25 Jun 2019, at 2:57, @lbutlr wrote:
> These are inbound messages being delivered to local users with high spam scores. I want Spamassassin-milter to honor the -r 10 flag setting to reject messages scoring over 10.0

After digging on my configuration files I came to the same problem as you when I installed that milter (spamass-milter doesn't honour the -r flag no matter what I've tried). I simply overcame this by setting SA's required_score parameter to a desired value in mail/spamassassin/local.cf

FWIW this is with spamass-milter-0.4.0_3 on FreeBSD.

-- 
matt [at] lv223.org
GPG key ID: 7D91A8CA
Re: How to create my personal RBL
On Tue, 2019-06-25 at 11:09 -0500, David B Funk wrote:
> that's way overthinking it.

David & David,

I agree, now that there's a configurable OSS dnsbl server available, that using it is the obvious choice for dealing with a standalone list, but the OP did ask specifically about using database queries to implement a blacklist, so I thought it was worthwhile to tell him what's involved in doing that.

I've been running a whitelist off my mail archive for around a decade now. My archive contains both incoming and outgoing messages and is held in a PostgreSQL database. My SA plugin whitelists anybody who I've sent mail to, so provides a very low maintenance whitelist since it automatically sees new outgoing messages as well as the effect of archive maintenance.

For all I know the OP either has a similar archive or is intending to implement one: searching for a specific message with a database tool is a *lot* faster than ferreting through a set of very large mail folders with your MUA, though of course the effort of creating and maintaining the database, mail loader, query tools and SA plugin is non trivial.

Martin
Re: How to create my personal RBL
On 6/25/19 10:20 AM, Martin Gregorie wrote:
> On Tue, 2019-06-25 at 16:11 +0200, hg user wrote:
>> I'd like to create my own RBL that answers queries about IP, domain or address reputation.
>> Data should be stored in a database (mysql, postgres, redis, etc) so that information can be added/modified/removed without the need to restart spamassassin (I think the simpler solution would be a list in SA...)
>>
>> How can I create this setup?
>
> You need to build a Perl plugin for Spamassassin that connects to, and queries the database together with at least one SA rule that triggers the plugin via an eval:plugin_query() call where plugin_query() is a plugin function that runs the database query using data extracted from the message by SA and returns either 1 (the query found a match in the database) or zero (no matches found).
>
> Martin

Actually the SA part is very simple. Use the AskDNS SA plugin to do the DNS lookup:

askdns   MYRBL_ENV _SENDERDOMAIN_.dbl.example.com A /^127\.0\.0\.2$/
tflags   MYRBL_ENV nice net
describe MYRBL_ENV Sender's envelope domain listed in my RBL.
score    MYRBL_ENV

askdns   MYRBL_FROM _SENDERDOMAIN_.dbl.example.com A /^127\.0\.0\.2$/
tflags   MYRBL_FROM nice net
describe MYRBL_FROM Sender's From domain listed in my RBL.
score    MYRBL_FROM 0.001

The trickier part is to setup the DNS side. If you have a single SA host, you should already have a local caching DNS server and the /etc/resolv.conf and/or the SA DNS setting pointed to 127.0.0.1. I use PowerDNS Recursor but Unbound or BIND would work fine.

Install rbldnsd for your distro and get it listening on an alternate port like 127.0.0.1:530.
https://rbldnsd.io/

Create a text file with domains to block. This can come from a database with a web front-end or whatever you want. I have a database that I push records into from sources of spam and entries by a web interface. Then a script does a simple SELECT of the domains to a text file, then rsync's it to my 2 DNS servers that my 8 SA servers point to. Cron this for every 2-3 minutes and rbldnsd will gladly detect changes to the files without needing to be restarted/reloaded.

I recommend putting a "test" entry at the top of the rbldnsd file so you can query test.dbl.example.com from a monitoring system to make sure it answers with the expected value.

Then you setup your local caching DNS server to forward the dbl.example.com to 127.0.0.1:530. Note that this "dbl.example.com" doesn't have to be a real DNS zone. It could be "dbl.local" or whatever since it's only known by the local DNS server(s) that your SA server(s) are pointed to. These DNS servers should not be accessible by the Internet so they should be separate DNS caches dedicated to the SA server(s). If it's only one, then it could all be setup on 127.0.0.1. If it's a few, you could put rbldnsd on all of them and still use 127.0.0.1 and rsync the rbldnsd files to all of them locally.

-- 
David Jones
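The export step David describes above (a SELECT of the active listings into a text file, a canary entry first, then rsync to the rbldnsd hosts), written out as an added example that is not from the original thread and is not rbldnsd's or SpamAssassin's own code. The `listings` table, the file names my-rbl.ip4set and my-dbl.dnset, and the sample rows (documentation address ranges and .example domains) are assumptions; the line syntax is rbldnsd's: `entry :A:TXT`, a bare `:A:TXT` line as the default value, a leading dot in a dnset to list a domain and all its subdomains, and 127.0.0.2 as the conventional test address in an ip4set. The file is written via rename so rbldnsd never reads a half-written zone.

```python
"""Export rbldnsd zone files from a listings database (added example)."""
import os
import sqlite3
import tempfile
from typing import Dict, List, Tuple

# Hypothetical schema: one row per listing. kind is 'ip' (address or CIDR,
# exported to an ip4set zone) or 'domain' (exported to a dnset zone; a leading
# dot lists the domain and all its subdomains, as in rbldnsd's own syntax).
SCHEMA = """
CREATE TABLE listings (
    kind   TEXT    NOT NULL CHECK (kind IN ('ip', 'domain')),
    entry  TEXT    NOT NULL,
    code   TEXT    NOT NULL DEFAULT '127.0.0.2',
    reason TEXT    NOT NULL DEFAULT '',
    active INTEGER NOT NULL DEFAULT 1,
    UNIQUE (kind, entry)
);
"""

# Constructed sample rows using documentation ranges and .example names.
SAMPLE_ROWS = [
    ("ip", "203.0.113.66", "127.0.0.2", "spam source seen 2019-06-25"),
    ("ip", "198.51.100.0/24", "127.0.0.2", "snowshoe range"),
    ("domain", ".spammer.example", "127.0.0.2", "phish landing domain and subdomains"),
    ("domain", "badsender.example", "127.0.0.2", "envelope-from domain seen in spam"),
    ("domain", "retired.example", "127.0.0.2", "delisted, kept for history"),
]

# Per kind: output file name and the canary entry that monitoring queries
# (test.dbl.example.com for the dnset, 2.0.0.127.<zone> for the ip4set).
ZONES = {"ip": ("my-rbl.ip4set", "127.0.0.2"), "domain": ("my-dbl.dnset", "test")}


def load_sample(conn: sqlite3.Connection) -> None:
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO listings (kind, entry, code, reason) VALUES (?, ?, ?, ?)", SAMPLE_ROWS
    )
    conn.execute("UPDATE listings SET active = 0 WHERE entry = 'retired.example'")
    conn.commit()


def render_zone(rows: List[Tuple[str, str, str]], canary: str, default_txt: str) -> str:
    """rbldnsd text: a default ':A:TXT' value line, the canary first, then entries."""
    lines = [
        "# generated from the listings table; rbldnsd re-reads it when the mtime changes",
        f":127.0.0.2:{default_txt}",
        f"{canary} :127.0.0.2:monitoring canary",
    ]
    lines += [f"{entry} :{code}:{reason}" for entry, code, reason in rows]
    return "\n".join(lines) + "\n"


def export_zones(conn: sqlite3.Connection) -> Dict[str, str]:
    """Select active listings per kind and render one zone file body each."""
    out: Dict[str, str] = {}
    for kind, (fname, canary) in ZONES.items():
        rows = conn.execute(
            "SELECT entry, code, reason FROM listings "
            "WHERE kind = ? AND active = 1 ORDER BY entry",
            (kind,),
        ).fetchall()
        out[fname] = render_zone(rows, canary, "Listed in my private DNSBL")
    return out


def write_atomic(path: str, text: str) -> None:
    """Write to a temp file in the same directory and rename over the target, so
    rbldnsd (or rsync) never sees a partial zone; rbldnsd runs unprivileged, so
    the file must be world-readable rather than mkstemp's default 0600."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".zone-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def build_sample_zones() -> Dict[str, str]:
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return export_zones(conn)


if __name__ == "__main__":
    for fname, body in build_sample_zones().items():
        write_atomic(fname, body)  # then rsync the directory to the rbldnsd hosts
        print(f"--- {fname}\n{body}")
```

Run from cron every few minutes as David suggests; because the rename is atomic, rbldnsd picks up the new mtime and reloads without a restart, and a monitoring check against the canary (test.dbl.example.com or 2.0.0.127 under the IP zone) tells you the whole chain still answers.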
Re: check_rbl digging too deep
On 25/06/19 17:42, Matus UHLAR - fantomas wrote:
> On 25.06.19 07:52, John Hardin wrote:
>> I'll let others address SA issues with this, I just want to point out an alternative: Many sites consider Zen reliable enough for it to be used at the SMTP level as a poison-pill DNSBL. That would avoid any chance of it being used "too deeply"...
>
> no. Many people consider Zen reliable enough to reject connections from listed IP. Deep header scanning is something very different.

ZEN is safe enough to reject at SMTP level if you can do it on your MTA (avoiding unnecessary CPU usage by SA)

It's also useful for deep header scanning, just remember to avoid PBL return codes when you do that :)

AuthBL also proved to be useful and doesn't create FPs even if you weight it 80% of your required_score

-- 
Best regards,
Riccardo Alfieri
Spamhaus Technology
https://www.spamhaustech.com/
Re: How to create my personal RBL
On Tue, 25 Jun 2019, Martin Gregorie wrote:
> On Tue, 2019-06-25 at 16:11 +0200, hg user wrote:
>> I'd like to create my own RBL that answers queries about IP, domain or address reputation.
>> Data should be stored in a database (mysql, postgres, redis, etc) so that information can be added/modified/removed without the need to restart spamassassin (I think the simpler solution would be a list in SA...)
>>
>> How can I create this setup?
>
> You need to build a Perl plugin for Spamassassin that connects to, and queries the database together with at least one SA rule that triggers the plugin via an eval:plugin_query() call where plugin_query() is a plugin function that runs the database query using data extracted from the message by SA and returns either 1 (the query found a match in the database) or zero (no matches found).

that's way overthinking it.

SA already has perfectly good DNS query tools built in, why not use those.

It's pretty simple to set up your own local private DNS zones using rbldnsd. Adding/updating those kinds of zones is simple as adding or editing lines in a text file (as simple as echo ".this.bad.domain :127.0.0.2:" >> my-zone-file ). No muss no fuss, no server restart, etc.

I run two private zones for this purpose, one a IP address RBL list and one a URIBL list.

-- 
Dave Funk                               University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: check_rbl digging too deep
On Mon, 24 Jun 2019, John Schmerold wrote:
>> We had an inbound message get rejected because it was sent from a cell phone, shouldn't SA be checking the most recent hop? Is there a way to make this the default? I have this in local.cf:
>>
>> header RCVD_IN_rbl2spamhausz eval:check_rbl('spamhausz', 'zen.spamhaus.org.')
>> score RCVD_IN_rbl2spamhausz 3.5

On 25.06.19 07:52, John Hardin wrote:
> I'll let others address SA issues with this, I just want to point out an alternative: Many sites consider Zen reliable enough for it to be used at the SMTP level as a poison-pill DNSBL. That would avoid any chance of it being used "too deeply"...

no. Many people consider Zen reliable enough to reject connections from listed IP. Deep header scanning is something very different.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
Re: How to create my personal RBL
On Tue, 2019-06-25 at 16:11 +0200, hg user wrote: > I'd like to create my own RBL that answers queries about IP, domain or > address reputation. > Data should be stored in a database (mysql, postgres, redis, etc) so > that information can be added/modified/removed without the need to > restart spamassassin (I think the simpler solution would be a list in > SA...) > > How can I create this setup? > You need to build a Perl plugin for Spamassassin that connects to, and queries the database together with at least one SA rule that triggers the plugin via an eval:plugin_query() call where plugin_query() is a plugin function that runs the database query using data extracted from the message by SA and returns either 1 (the query found a match in the database) or zero (no matches found). Martin
Re: check_rbl digging too deep
On Mon, 24 Jun 2019, John Schmerold wrote:
> We had an inbound message get rejected because it was sent from a cell phone, shouldn't SA be checking the most recent hop? Is there a way to make this the default? I have this in local.cf:
>
> header RCVD_IN_rbl2spamhausz eval:check_rbl('spamhausz', 'zen.spamhaus.org.')
> score RCVD_IN_rbl2spamhausz 3.5

I'll let others address SA issues with this, I just want to point out an alternative:

Many sites consider Zen reliable enough for it to be used at the SMTP level as a poison-pill DNSBL. That would avoid any chance of it being used "too deeply"...

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Poor planning on your part does not create an obligation on my part.
---
9 days until the 243rd anniversary of the Declaration of Independence
Re: check_rbl digging too deep
On 25/06/19 14:42, Benny Pedersen wrote:
> https://docs.spamhaustech.com/10-data-type-documentation/datasets/040-zones.html
>
> add 9 to sbl test ?

I'd add a rule like

header RCVD_IN_SBL_DROP eval:check_rbl_sub('zen', '127.0.0.9')

With a score of at least 4

> possible as well new test for authbl ?

Well AuthBL (and ZRD) are zones available to people that register with our Data Query Service. We are just in talks with the Apache Foundation to have our plugin that uses our new datasets added to Spamassassin.

If you are curious about DQS, it's a service that anyone can subscribe to with a "free for most" license [1], and for which we developed a Spamassassin plugin under Apache license that you can freely download from https://docs.spamhaustech.com/40-real-world-usage/SpamAssassin/000-intro.html

We have just been featured on Virus Bulletin [2], where they tested the differences between DQS and Rsync (that are basically our public mirrors). The difference in catch rate is quite substantial.

If anyone wants to test the plugin I'll do my best to give support either on list (that may benefit others) or our support team is available offlist at datafeed-supp...@spamteq.com

[1] https://www.spamhaustech.com/data-access/
[2] https://www.virusbulletin.com/testing/results/latest/vbspam-email-security

-- 
Best regards,
Riccardo Alfieri
Spamhaus Technology
https://www.spamhaustech.com/
Re: check_rbl digging too deep
Sorry guys, I don't know what happened, my client sent a lot of emails during drafting :( Apologies -- Best regards, Riccardo Alfieri Spamhaus Technology https://www.spamhaustech.com/
Re: How to create my personal RBL
On 25.06.19 16:11, hg user wrote:
> I'd like to create my own RBL that answers queries about IP, domain or address reputation.
> Data should be stored in a database (mysql, postgres, redis, etc) so that information can be added/modified/removed without the need to restart spamassassin (I think the simpler solution would be a list in SA...)

you don't need to restart SA to refresh RBL data.

rbldnsd stores data in simple files but is able to reload them automatically.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer
How to create my personal RBL
I'd like to create my own RBL that answers queries about IP, domain or address reputation. Data should be stored in a database (mysql, postgres, redis, etc) so that information can be added/modified/removed without the need to restart spamassassin (I think the simpler solution would be a list in SA...) How can I create this setup? Thank you Francesco
Re: check_rbl digging too deep
Henrik K skrev den 2019-06-25 14:16:
> On Tue, Jun 25, 2019 at 11:34:33AM +, Riccardo Alfieri wrote:
>> I take this opportunity to point out that the correct rule for XBL should be:
>>
>> header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$')
>>
>> The return code 127.0.0.8 has been dropped a long time ago.
>>
>> More info on https://docs.spamhaustech.com/10-data-type-documentation/datasets/030-datasets.html#xbl
>
> Thanks for the info, I've removed .8 from RCVD_IN_XBL rule.

https://docs.spamhaustech.com/10-data-type-documentation/datasets/040-zones.html

add 9 to sbl test ?

possible as well new test for authbl ?
Re: check_rbl digging too deep
On Tue, Jun 25, 2019 at 11:34:33AM +, Riccardo Alfieri wrote:
> I take this opportunity to point out that the correct rule for XBL should be:
>
> header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$')
>
> The return code 127.0.0.8 has been dropped a long time ago.
>
> More info on https://docs.spamhaustech.com/10-data-type-documentation/datasets/030-datasets.html#xbl

Thanks for the info, I've removed .8 from RCVD_IN_XBL rule.

Cheers,
Henrik
Re: check_rbl digging too deep
Hi,

On 25/06/19 11:00, Matus UHLAR - fantomas wrote:
> header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[45678]$')

I take this opportunity to point out that the correct rule for XBL should be:

header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$')

The return code 127.0.0.8 has been dropped a long time ago.

More info on https://docs.spamhaustech.com/10-data-type-documentation/datasets/030-datasets.html#xbl

-- 
Best regards,
Riccardo Alfieri
Spamhaus Technology
https://www.spamhaustech.com/
Re: check_rbl digging too deep
On 24.06.19 17:15, John Schmerold wrote:
> We had an inbound message get rejected because it was sent from a cell phone, shouldn't SA be checking the most recent hop? Is there a way to make this the default? I have this in local.cf:
>
> header RCVD_IN_rbl2spamhausz eval:check_rbl('spamhausz', 'zen.spamhaus.org.')
> score RCVD_IN_rbl2spamhausz 3.5

You have explicitly configured SA to check deeply by using this rule, which caused the hits.

These are the default rules that do not check deeply:

header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.spamhaus.org.')
header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[45678]$')
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.
Re: check_rbl digging too deep
Hi

On 25/06/19 00:15, John Schmerold wrote:
> We had an inbound message get rejected because it was sent from a cell phone, shouldn't SA be checking the most recent hop? Is there a way to make this the default? I have this in local.cf:
>
> header RCVD_IN_rbl2spamhausz eval:check_rbl('spamhausz', 'zen.spamhaus.org.')
> score RCVD_IN_rbl2spamhausz 3.5

Please do *not* use ZEN in all the received chain without checking return codes (https://docs.spamhaustech.com/10-data-type-documentation/datasets/040-zones.html)

ZEN includes PBL, that is a list maintained by ISPs all over the world, and it is perfectly legit to find the first public IP in the received chain to be listed in PBL.

You should only reject mail from ZEN if you use the -lastexternal flag

-- 
Best regards,
Riccardo Alfieri
Spamhaus Technologies
https://www.spamhaustech.com/
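The failure mode this thread is about, shown as an added example that is not part of any of the posts and is not SpamAssassin's own code: a small Python model of check_rbl that builds the reversed-octet DNSBL query, optionally restricts itself to the last external hop, and filters ZEN return codes through the same sub-test regexes the default RCVD_IN_XBL and RCVD_IN_PBL rules use. The Received chains, the trusted-network list, the sample addresses (documentation ranges) and the FAKE_ZEN lookup table are constructed so it runs offline; the code-to-list mapping follows the return codes named in the thread (127.0.0.8 dropped from XBL, 127.0.0.9 for SBL DROP, 127.0.0.10 and .11 for PBL) plus 127.0.0.3 for the CSS part of SBL.

```python
"""ZEN return codes: last-external vs deep Received checks (added example)."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

ZEN_ZONE = "zen.spamhaus.org."

# A-record return codes in ZEN as discussed in the thread: 127.0.0.8 is no
# longer returned for XBL and 127.0.0.9 is the SBL DROP code.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",   # CSS component of SBL
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL",   # SBL DROP
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

# The sub-tests from the default rules quoted in the thread.
XBL_SUBTEST = r"^127\.0\.0\.[4567]$"
PBL_SUBTEST = r"^127\.0\.0\.1[01]$"

Lookup = Callable[[str], List[str]]
Hit = Tuple[str, str, str]  # (ip, return code, list name)


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def external_hops(hops: List[str], trusted: List[str]) -> List[str]:
    """Drop relays inside our own trusted networks; hops are newest first."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    return [h for h in hops if not any(ipaddress.ip_address(h) in n for n in nets)]


def check_rbl(hops: List[str], trusted: List[str], lookup: Lookup,
              lastexternal: bool = False, subtest: Optional[str] = None) -> List[Hit]:
    """Model of SA's check_rbl: query every untrusted hop, or only the last
    external one, and keep return codes that match the optional sub-test."""
    candidates = external_hops(hops, trusted)
    if lastexternal:
        candidates = candidates[:1]
    pattern = re.compile(subtest) if subtest else None
    hits: List[Hit] = []
    for ip in candidates:
        for code in lookup(dnsbl_query_name(ip)):
            if pattern is None or pattern.match(code):
                hits.append((ip, code, ZEN_CODES.get(code, "unknown")))
    return hits


# Constructed stand-in for DNS so the example runs offline: query name -> A records.
FAKE_ZEN: Dict[str, List[str]] = {
    dnsbl_query_name("198.51.100.23"): ["127.0.0.11"],  # phone on a mobile network: PBL only
    dnsbl_query_name("198.51.100.77"): ["127.0.0.4"],   # infected host: XBL
}


def fake_lookup(qname: str) -> List[str]:
    return FAKE_ZEN.get(qname, [])


# Constructed Received chains, newest hop first. 192.0.2.10 is our MX (trusted).
TRUSTED = ["192.0.2.0/24", "10.0.0.0/8", "127.0.0.0/8"]
HOPS_PHONE = ["192.0.2.10", "203.0.113.5", "198.51.100.23"]   # phone -> ISP relay -> us
HOPS_BOT = ["192.0.2.10", "203.0.113.5", "198.51.100.77"]     # bot -> forwarding relay -> us
HOPS_DIRECT = ["192.0.2.10", "198.51.100.23"]                 # phone connecting to us directly


def demo() -> Dict[str, List[Hit]]:
    return {
        # The OP's rule: every hop, no sub-test -> PBL hit on the phone's address.
        "op_rule_phone": check_rbl(HOPS_PHONE, TRUSTED, fake_lookup),
        # -lastexternal only looks at the ISP relay, which is clean.
        "lastexternal_phone": check_rbl(HOPS_PHONE, TRUSTED, fake_lookup, lastexternal=True),
        # A deep scan restricted to XBL codes ignores the PBL listing...
        "deep_xbl_phone": check_rbl(HOPS_PHONE, TRUSTED, fake_lookup, subtest=XBL_SUBTEST),
        # ...but still catches an infected host further down the chain.
        "deep_xbl_bot": check_rbl(HOPS_BOT, TRUSTED, fake_lookup, subtest=XBL_SUBTEST),
        # PBL is only meaningful for the host that actually connected to us.
        "pbl_direct": check_rbl(HOPS_DIRECT, TRUSTED, fake_lookup,
                                lastexternal=True, subtest=PBL_SUBTEST),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:20s} {hits or 'no hit'}")
```

The two knobs map directly onto the rules quoted earlier in the thread: `'zen-lastexternal'` is `lastexternal=True`, and the third argument to check_rbl is the `subtest`. The OP's rule set neither, so the phone's PBL-listed address three hops back scored as if it were the connecting client.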