Re: SpamAssassin seems to append .com TLD to URI link domains found
John,

> Because I think that suppressing that behavior for valid TLDs would be
> an appropriate modification to avoid potential URIBL FPs

Fully agree. SA should not append .com if the domain has a valid TLD and a domain label. We know of at least one FP related to "www.ch" when (the expanded version) "ch.com" was checked on URIBL lists.

Cheers

tobi

On 11/7/20 8:04 PM, John Hardin wrote:
> On Sat, 7 Nov 2020, RW wrote:
>
>> On Sat, 7 Nov 2020 10:05:21 -0800 (PST)
>> John Hardin wrote:
>>
>>> On Sat, 7 Nov 2020, RW wrote:
>>>> On Fri, 6 Nov 2020 16:10:18 + RW wrote:
>>>>> However, I can't get an up-to-date Firefox to add .com, so the
>>>>> feature may already be obsolete.
>>>>
>>>> I take that back, it does.
>>>
>>> What does it do for the example at hand, http://www.ch ?
>>
>> Firefox only adds .com if the domain doesn't resolve.
>>
>> www.ch resolves and then redirects to https://meteo.ch/
>>
>> If SA is to allow for what Firefox does then I think the behaviour is
>> reasonable. A DNS lookup would be overkill,
>
> Agreed.
>
>> and there's no particular reason to exclude labels that happen to be
>> TLDs.
>
> Do you mean *valid* TLDs? Because I think that suppressing that behavior
> for valid TLDs would be an appropriate modification to avoid potential
> URIBL FPs (which, granted, is probably fairly unlikely) and to avoid the
> overhead of extra lookups.
Re: Crap getting through
On Sun, 8 Nov 2020, Daryl Rose wrote:

> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
>
> =?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=

Easy enough to write a "FUZZY_WELLSFARGO" rule for that, but it probably won't pass masscheck and get published because there are probably few examples of that in the corpus.

Added to my sandbox:

  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
    body          __FUZZY_WELLSFARGO_BODY   /(?!ells[-\s]?Fargo)[-\s]?/i
    replace_rules __FUZZY_WELLSFARGO_BODY
    header        __FUZZY_WELLSFARGO_FROM   From:name =~ /(?!ells[-\s]?Fargo)[-\s]?/i
    replace_rules __FUZZY_WELLSFARGO_FROM
    meta          FUZZY_WELLSFARGO          __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
  endif

Do you have something like this in place?

  whitelist_auth  *@wellsfargo.com
  blacklist_from  *@wellsfargo.com
  whitelist_auth  *@*.wellsfargo.com
  blacklist_from  *@*.wellsfargo.com
  whitelist_auth  *@bankofamerica.com
  blacklist_from  *@bankofamerica.com
  whitelist_auth  *@*.bankofamerica.com
  blacklist_from  *@*.bankofamerica.com

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Sheep have only two speeds: graze and stampede. -- LTC Grossman
---
Tomorrow: The 82nd anniversary of Kristallnacht - disarmament enables genocide
Re: Crap getting through
Daryl Rose wrote on 2020-11-08 23:00:

> I'm getting obvious phishing attempts.

report to https://phishtank.com/ then

> This one was made to look like it was from Wells Fargo with an obvious
> spoofed email address.

so what did spamassassin say about that ?

> However, when I examined the headers, the From Address was this garbage:
>
> =?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=

nice trick to avoid testing ?

developers of sa, utf-8 and qp is basically fucked everywhere :/ but this one is base64

> I received another one that was meant to be an Amazon Prime Membership
> failure.

maybe amazon prime hands out too many free accounts ? :-)

> How can I block these?

if you like me to answer that i could give next week's lotto numbers in return :-)

> The last time I inquired about phishing, it was suggested to install KAM,

now it seems you need to build a corpus without rescoring anything in kam.cf, make a DR.cf to build locally under your own control

> which I did, but this crap is still getting through. Any other suggestions?

without any samples no one can help, you have all that is needed to make DR.cf ?
Re: Crap getting through
Daryl,

Can you please post a copy of the raw email message - with headers - perhaps with your own user's email address (and name?) masked out (change to "") - to pastebin, or to a similar site - then reply here with the link. It is difficult to give specific suggestions without having the raw underlying text of the message (w/headers). But please try to avoid pasting that directly to this list.

Thanks!

Rob McEwen

On 11/8/2020 5:00 PM, Daryl Rose wrote:
> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
>
> =?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=
>
> I received another one that was meant to be an Amazon Prime Membership
> failure.
>
> How can I block these? The last time I inquired about phishing, it was
> suggested to install KAM, which I did, but this crap is still getting
> through. Any other suggestions?
>
> Thank you.
>
> Daryl

-- 
Rob McEwen, invaluement
Crap getting through
I'm getting obvious phishing attempts. This one was made to look like it was from Wells Fargo with an obvious spoofed email address. However, when I examined the headers, the From Address was this garbage:

  =?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?=

I received another one that was meant to be an Amazon Prime Membership failure.

How can I block these? The last time I inquired about phishing, it was suggested to install KAM, which I did, but this crap is still getting through. Any other suggestions?

Thank you.

Daryl