Re: Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

2021-04-26 Thread Alan



On 2021-04-26 10:07, Bill Cole wrote:

> [...]
>
> It is probably worth digging into the cPanel exim.conf editor (I don't
> recall what they call it, but it's there somewhere at the WHM
> level...) to kill the header. You may want to look through the
> deployed exim.conf to make sure that it's not somehow using the header
> for internal communication between different stages of handling.

Alas, there is but one option: scan outbound or don't. Scan it and you
get the header. If they're using it for some internal purpose, then it
should have the form x-cpanel-... and leave me out of it.

> So, that would likely be a body URI hit, as I see no match in the
> headers.

Indeed, that would be it. Part of the message tells them to use the mail
subdomain to set up... mail. Can't circumnavigate that one.

>> At least the NUMERIC_HTTP_ADDR is something I can fix.
>
> MPART_ALT_DIFF should also be fixable simply by making the text/plain
> part of the message a reasonable rendering of the HTML part or by only
> sending a text/plain message, which would be even safer but I find
> hard to get anyone to do. I guess sending only HTML would achieve the
> same thing, but, e.

That's going to be so much fun it might not be worth it. The stupid
thing is actually sending a blank plain text part, which escalates e
to arghhh! It's the output of a template driven system so I may be
limited in what I can do there. At this point dropping the plain text
would be an improvement. [string of pejoratives redacted]

> You also should look at your trusted_networks and internal_networks
> settings. If I'm understanding this correctly through the obfuscation,
> it should have hit ALL_TRUSTED. Keep in mind that trusted_networks is
> machines whose MTAs you trust to not forge Received headers, it is not
> necessarily machines you trust to not send spam. That won't help with
> mail leaving your system, but it will give mail from your machines to
> you a strong advantage.

Good idea. I'll verify that.

--
For SpamAssassin Users List
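
The MPART_ALT_DIFF exchange above (Bill: make the text/plain part a reasonable rendering of the HTML part; Alan: the template system currently emits a blank plain part) can be handled at the point where the template output is turned into a message. The Python below is an added example, not code from the template system, from cPanel or from anyone in the thread: it derives the text/plain part from the HTML with a small HTMLParser subclass (visible text kept, links written as `text <url>`, line breaks at block elements) and assembles the multipart/alternative so that both parts say the same thing. The sample HTML, addresses and hostnames are constructed; the sample deliberately contains a "use mail.example.com" link of the kind the thread mentions, so the same URL ends up in both parts.

```python
"""Give a templated HTML mail a text/plain part that actually renders the HTML.

Added example, not the template system's or anyone in the thread's code: a
multipart/alternative whose plain part is derived from the HTML part, which is
the fix Bill describes for MPART_ALT_DIFF. Sample HTML and addresses are made up.
"""
from __future__ import annotations

from email.message import EmailMessage
from html.parser import HTMLParser


class _TextRenderer(HTMLParser):
    """Minimal HTML-to-text: keep visible text, write links as 'text <url>',
    break lines at block elements, drop <script>/<style> contents."""

    BLOCK = {"p", "div", "br", "li", "h1", "h2", "h3", "tr", "table"}

    def __init__(self) -> None:
        super().__init__()
        self.pieces: list[str] = []
        self._href: str | None = None
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "a":
            self._href = dict(attrs).get("href")
        elif tag in self.BLOCK:
            self.pieces.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag == "a":
            if self._href:
                self.pieces.append(f" <{self._href}>")
            self._href = None
        elif tag in self.BLOCK:
            self.pieces.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:
            self.pieces.append(data)

    def text(self) -> str:
        # Collapse runs of whitespace inside each line, keep the line structure.
        lines = "".join(self.pieces).split("\n")
        return "\n".join(" ".join(line.split()) for line in lines).strip() + "\n"


def html_to_text(html: str) -> str:
    """Plain-text rendering of an HTML fragment or document."""
    renderer = _TextRenderer()
    renderer.feed(html)
    renderer.close()
    return renderer.text()


def build_message(html: str, sender: str, recipient: str, subject: str) -> EmailMessage:
    """multipart/alternative whose text/plain part is rendered from the same HTML."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(html_to_text(html))          # becomes the text/plain part
    msg.add_alternative(html, subtype="html")    # then the text/html part
    return msg


# Constructed template output, including the kind of "use the mail subdomain"
# line the thread mentions; the same URL appears in both parts.
SAMPLE_HTML = (
    "<html><body>"
    "<p>Hello First,</p>"
    '<p>To set up mail, use <a href="https://mail.example.com/">mail.example.com</a>'
    " as your server.</p>"
    "<p>Regards,<br>Example Inc.</p>"
    "</body></html>"
)


def part_types(msg: EmailMessage) -> list[str]:
    """Content types of the alternative parts, in order."""
    return [part.get_content_type() for part in msg.iter_parts()]


if __name__ == "__main__":
    m = build_message(SAMPLE_HTML, "noreply@my.example.net", "first@example.org", "Welcome")
    print(m.as_string())
```

The renderer is intentionally small; for real templates with tables and images a proper converter is better, but any rendering that carries the same words and URLs as the HTML part is enough to stop the two parts looking unrelated.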



Re: XM_RANDOM rule seems to hit too often

2021-04-26 Thread jahlives
John,

I found that the following hits much better:

> X-Mailer =~ /^[^\(]+q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]/i

to ensure that the match is never found after '('.

Now I get a coffee as well, although it is almost end-of-working-day coffee
here :-)

Cheers & have a good one

--

tobi



Re: XM_RANDOM rule seems to hit too often

2021-04-26 Thread John Hardin

On Mon, 26 Apr 2021, John Hardin wrote:

> Thanks for your report. I've added some exclusions and resuced the score
> limit.


"reduced". The coffee hasn't reached my fingertips yet.

--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Rights can only ever be individual, which means that you cannot
  gain a right by joining a mob, no matter how shiny the issued
  badges are, or how many of your neighbors are part of it.  -- Marko
---
 5 days until May Day - Remember 110 million people murdered by Communism


Re: XM_RANDOM rule seems to hit too often

2021-04-26 Thread John Hardin

On Mon, 26 Apr 2021, jahli...@gmx.ch wrote:

> For the last couple of days we have seen many hits of the XM_RANDOM rule on
> legit mail. Samples of X-Mailers it hits:
>
>> X-Mailer: AspQMail 2.0 4.03 (QSM260971F)
>> X-Mailer: WebService/1.1.18138 YahooMailAndroidMobile YMobile/1.0
>>   (com.yahoo.mobile.client.android.mail/6.27.0; Android/11;
>>   RP1A.200720.012; a52xq; samsung; SM-A526B; 5.99; 2186x1080;)
>> X-Mailer: WebService/1.1.18121 YahooMailAndroidMobile YMobile/1.0
>>   (com.yahoo.mobile.client.android.mail/6.10.5; Android/10;
>>   QP1A.190711.020; starlte; samsung; SM-G960F; 5.68; 1450x720;)
>> X-Mailer: Traveler 11.0.2.0 Build 202010261910_30 on server
>>   DETR02/SRV/BAUHAUS/DE at 20210418173104417 by DelQ-18bc[NoticeMgr]
>
> Especially the AspQMail (it hits on stuff within '()') and the Yahoo mailer
> are quite common in our message flow.
> I think that rule should be revised.


Thanks for your report. I've added some exclusions and resuced the score 
limit.



--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Rights can only ever be individual, which means that you cannot
  gain a right by joining a mob, no matter how shiny the issued
  badges are, or how many of your neighbors are part of it.  -- Marko
---
 5 days until May Day - Remember 110 million people murdered by Communism


How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0

2021-04-26 Thread Turritopsis Dohrnii Teo En Ming
Subject: How to Easily Set Up a Full-Featured Linux Mail Server on
Ubuntu 18.04.5 LTS with iRedMail 1.4.0

Good day from Singapore,

I followed linuxbabe.com's Xiao Guoan's guide and successfully set up a
full-featured Linux mail server on Ubuntu 18.04.5 LTS with iRedMail
1.4.0.

Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
Country: Singapore
Date: 25 April 2021 Sunday

Type of Publication: PDF Manual
Document Version: 20210425.01 (1st release)

***IMPORTANT NOTICE*** Please note that Turritopsis Dohrnii Teo En
Ming’s guide is based on Xiao Guoan’s guide at linuxbabe.com.

Reference Guide Used by Teo En Ming: How to Easily Set Up a
Full-Featured Mail Server on Ubuntu 18.04 with iRedMail
Link: https://www.linuxbabe.com/mail-server/ubuntu-18-04-iredmail-email-server
Original Author: Xiao Guoan

The following is a list of open-source software that will be
automatically installed and configured by iRedMail.

• Postfix SMTP server
• Dovecot IMAP server
• Nginx web server to serve the admin panel and webmail
• OpenLDAP, MySQL/MariaDB, or PostgreSQL for storing user information
• Amavisd-new for DKIM signing and verification
• SpamAssassin for anti-spam
• ClamAV for anti-virus
• Roundcube webmail
• SOGo groupware, providing webmail, calendar (CalDAV), contacts
(CardDAV), tasks and ActiveSync services.
• Fail2ban for protecting SSH
• mlmmj mailing list manager
• Netdata server monitoring
• iRedAPD Postfix policy server for greylisting

Redundant Download Links for Teo En Ming's PDF Manual:

[1] 
https://drive.google.com/file/d/1un8sLLmNSMIt7V6blWCvJEgwGvxMbd4B/view?usp=sharing

[2] 
https://drive.google.com/file/d/1i0vY7kfYkobu563qoI3_qCZg7G7BFoYR/view?usp=sharing

[3] 
https://drive.google.com/file/d/1U9MFN1EklLbA8TMweLV5ntiSJuBBVkpQ/view?usp=sharing

[4] https://www.docdroid.net/dW70KtS/iredmail-setup-1st-release-pdf

[5] 
https://www.mediafire.com/file/evar7j28knqyoj6/IRedMail+Setup+1st+Release.pdf/file

[6] https://www.scribd.com/document/504932780/IRedMail-Setup-1st-Release

Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 26 April 2021,
is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant
with a System Integrator (SI)/computer firm in Singapore. He is an IT
enthusiast.






-BEGIN EMAIL SIGNATURE-

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link:
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html



Singaporean Targeted Individual Mr. Turritopsis Dohrnii Teo En Ming's
Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts
at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan
(5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-END EMAIL SIGNATURE-


Re: Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

2021-04-26 Thread John Hardin

On Sun, 25 Apr 2021, Alan wrote:

> I've posted to a 13 month old thread on the cPanel forums that was left at
> "we'll update you", asking for an update. I can't see any useful purpose to
> having that header in there.


There isn't. Why should the spam score provided by the sender be trusted 
by anyone else?


If you're scanning outbound messages then use the results in your decision 
whether to send the message on from your system, but don't include the 
results as they aren't useful to anyone downstream and are trivially 
abusable.


I've reduced the score limit to 2.0 and I'm looking for more ham 
exclusions.



--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Rights can only ever be individual, which means that you cannot
  gain a right by joining a mob, no matter how shiny the issued
  badges are, or how many of your neighbors are part of it.  -- Marko
---
 5 days until May Day - Remember 110 million people murdered by Communism


Re: Is HAS_X_OUTGOING_SPAM_STAT a useful indicator?

2021-04-26 Thread Bill Cole

On 25 Apr 2021, at 22:26, Alan wrote:

> On 2021-04-25 19:31, Bill Cole wrote:
>
>> On 25 Apr 2021, at 18:40, Alan wrote:
>>
>>> [...]
>>
>> If I recall correctly, the "X-OutGoing-Spam-Status" header which
>> triggers that rule (with some exemptions) is not actually used by
>> anything within cPanel, and a non-spam result in that header
>> certainly should not be trusted anywhere but the system generating
>> it. So it may be helpful to do the scan but to forego adding the
>> header or to at least make cPanel use a local name.
>
> I've posted to a 13 month old thread on the cPanel forums that was
> left at "we'll update you", asking for an update. I can't see any
> useful purpose to having that header in there.

It is probably worth digging into the cPanel exim.conf editor (I don't
recall what they call it, but it's there somewhere at the WHM level...)
to kill the header. You may want to look through the deployed exim.conf
to make sure that it's not somehow using the header for internal
communication between different stages of handling.

> Obfuscated headers follow. Haven't dug into it but it looks like
> another FP on KAM_MXURI, I'm guessing that's because the message is
> coming from my.our-domain.net and "my" is close enough to "mx", which
> would be unfortunate.

If KAM_MXURI is hitting on 'my' then it is not from the current version
of KAM.cf. I have a vague recollection of a 'my.' URI match somewhere
being removed recently for too many FPs, but I can't find evidence of it
being here. The current version of that rule is:

uri KAM_MXURI   /^(?:http:\/\/)?(mail|mx)\..{1,40}\..{1,8}/i

So, that would likely be a body URI hit, as I see no match in the
headers.

> At least the NUMERIC_HTTP_ADDR is something I can fix.

MPART_ALT_DIFF should also be fixable simply by making the text/plain
part of the message a reasonable rendering of the HTML part or by only
sending a text/plain message, which would be even safer but I find hard
to get anyone to do. I guess sending only HTML would achieve the same
thing, but, e.

You also should look at your trusted_networks and internal_networks
settings. If I'm understanding this correctly through the obfuscation,
it should have hit ALL_TRUSTED. Keep in mind that trusted_networks is
machines whose MTAs you trust to not forge Received headers, it is not
necessarily machines you trust to not send spam. That won't help with
mail leaving your system, but it will give mail from your machines to
you a strong advantage.





> Return-Path:
> Delivered-To: our-domain.supp...@our-domain.com
> Received: from ssc010.our-domain.net
> 	by ssc010.our-domain.net with LMTP
> 	id KGkdFSHVhWBRCgAAk/bwIA
> 	(envelope-from )
> 	for ; Sun, 25 Apr 2021 16:46:25 -0400
> Return-path:
> Envelope-to: our-domain.supp...@our-domain.com
> Delivery-date: Sun, 25 Apr 2021 16:46:25 -0400
> Received: from our-server.our-domain.net ([100.101.102.103]:34044)
> 	by ssc010.our-domain.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> 	(Exim 4.94)
> 	(envelope-from )
> 	id 1lale4-0002xo-LD
> 	for our-domain.supp...@our-domain.com; Sun, 25 Apr 2021 16:46:25 -0400
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> 	d=my.our-domain.net; s=default;
> 	h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Subject:Reply-To:From:To:Date:Sender:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
> 	bh=j53ixXbMXzxOWOuh7uN7dlHw0Vr6LfiGnD/j577LPKs=;
> 	b=0nJJlFR/3NPsGrwKOpTGdc+6Vu
> 	 YO7UqkOwYydYNQijRJqe0dxqUwdHt06x57tx1DhoAJC/EmM6buHejeghdXLO+K+X3Di9rQ/hU85bj
> 	 uvZnd2jvf4kn/Hg47bCEw7/3oByYNbTJ8VK2WhNTb6x3q0zsbT//ODf5t2afLOM1SqWNW65i2YR2J
> 	 OvoY+VLh6dH44zhssa0XWuDZ+JYJYKoDMYKLN5SQ9PLqu+tQo50frwLmvfULLqP5scNCir9xWvDHH
> 	 /WRF490NRwD5ljrTNxAxT6xQgTQV2KGM/ND6WnajJJpT5JeAsGP41C/YzNUOZyhX62DNB4XbYId6b
> 	 Mgj3eN4w==;
> Received: from [100.101.102.103] (port=54664 helo=my.our-domain.net)
> 	by our-server.our-domain.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 	(Exim 4.94)
> 	(envelope-from )
> 	id 1lale3-0002hS-Sp; Sun, 25 Apr 2021 16:46:24 -0400
> Date: Sun, 25 Apr 2021 20:46:23 +
> To: "First Last (Customer, Inc.)"
> From: "our-domain Inc."
> Reply-To: "our-domain Inc."
> Message-ID:
> X-Mailer: our-domain Inc.
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary="b1_rqx1wOkfk2HPwH7li3bl39DQAjYTzhuJiJOD1cfpxU"
> Content-Transfer-Encoding: 8bit
> X-OutGoing-Spam-Status: No, score=1.3
> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
> X-AntiAbuse: Primary Hostname - our-server.our-domain.net
> X-AntiAbuse: Original Domain - our-domain.com
> X-AntiAbuse: Originator/Caller UID/GID - [xx yy] / [xx yy]
> X-AntiAbuse: Sender Address Domain - our-domain.co
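
Bill's trusted_networks point above (the Received: chain is trusted from the newest hop down to the first relay you do not run, and ALL_TRUSTED means only that every hop stayed inside that boundary, not that the sender is clean) is easiest to see by walking a chain by hand. The Python below is an added illustration, not code from SpamAssassin or from anyone in this thread, and it simplifies SpamAssassin's real trust-path logic: IPv4 only, the first bracketed address in the `from` clause is taken as the connecting client (the two Exim forms in the sample above), and internal_networks/msa_networks are not modelled. The two header sets, the 192.0.2.0/24 trusted network, the 203.0.113.5 partner relay, the hostnames and the queue ids are all constructed to resemble the obfuscated sample.

```python
"""Walk a Received: chain the way SpamAssassin's trusted_networks trust path does.

Added example, not SpamAssassin's code: IPv4 only, the first bracketed address
in the "from ..." clause is taken as the connecting client (the Exim forms seen
in this thread), and internal_networks/msa_networks are not modelled.
"""
from __future__ import annotations

import ipaddress
import re

# First bracketed IPv4 literal in the "from ..." clause of a Received: header.
_CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw_headers: str) -> str:
    """Join RFC 5322 continuation lines so each header field is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_headers)


def received_client_ips(raw_headers: str) -> list[str]:
    """Connecting IP of each Received: hop, newest hop first.

    Hops with no bracketed IP (local LMTP/pipe deliveries such as the first
    Received: line in the thread's sample) are skipped.
    """
    ips: list[str] = []
    for line in unfold(raw_headers).splitlines():
        if not line.lower().startswith("received:"):
            continue
        from_clause = line.split(" by ", 1)[0]
        m = _CLIENT_IP.search(from_clause)
        if m:
            ips.append(m.group(1))
    return ips


def trust_path(raw_headers: str, trusted_networks: list[str]) -> dict:
    """Split the relay chain at the trust boundary.

    From the newest hop down, each relay whose client IP lies inside
    trusted_networks is trusted. The first one that does not breaks the
    chain: it and every older hop are untrusted, since a relay we do not
    run could have forged the Received: lines below it. Nothing here says
    whether a trusted host sends spam; that is Bill's caveat.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted: list[str] = []
    untrusted: list[str] = []
    for ip in received_client_ips(raw_headers):
        addr = ipaddress.ip_address(ip)
        if not untrusted and any(addr in net for net in nets):
            trusted.append(ip)
        else:
            untrusted.append(ip)
    return {
        "trusted": trusted,
        "untrusted": untrusted,
        "all_trusted": not untrusted,  # the condition behind ALL_TRUSTED
        "last_external": untrusted[0] if untrusted else None,
    }


# Assumed trust boundary: both of our mail hosts below live in 192.0.2.0/24.
TRUSTED_NETWORKS = ["192.0.2.0/24"]

# Constructed headers modelled on the obfuscated sample in this thread: local
# LMTP delivery, the outbound host, then an authenticated submission from the
# web host. Hostnames, addresses and queue ids are made up.
INTERNAL_MSG = """\
Received: from mailstore.example.net
\tby mailstore.example.net with LMTP id AbCdEfGhIjKlMnOpQrSt
\tfor <support@example.com>; Sun, 25 Apr 2021 16:46:25 -0400
Received: from outbound.example.net ([192.0.2.10]:34044)
\tby mailstore.example.net with esmtps (TLS1.2) (Exim 4.94)
\tid 1aaaaa-000001-AA; Sun, 25 Apr 2021 16:46:25 -0400
Received: from [192.0.2.10] (port=54664 helo=my.example.net)
\tby outbound.example.net with esmtpsa (TLS1.2) (Exim 4.94)
\tid 1aaaaa-000000-BB; Sun, 25 Apr 2021 16:46:24 -0400
From: "Example Inc." <noreply@my.example.net>
"""

# Constructed headers for a message that reached us from a partner's MTA,
# which accepted it from a private address we have no way to verify.
EXTERNAL_MSG = """\
Received: from outbound.example.net ([192.0.2.10]:51002)
\tby mailstore.example.net with esmtps (Exim 4.94)
\tid 1bbbbb-000002-CC; Mon, 26 Apr 2021 09:00:02 -0400
Received: from mail.partner.example ([203.0.113.5]:25)
\tby outbound.example.net with esmtps (Exim 4.94)
\tid 1bbbbb-000001-DD; Mon, 26 Apr 2021 09:00:01 -0400
Received: from [10.0.0.9] (helo=laptop.partner.example)
\tby mail.partner.example with esmtpsa
\tid 1bbbbb-000000-EE; Mon, 26 Apr 2021 08:59:59 -0400
"""


def demo() -> dict:
    """Trust-path results for both constructed messages."""
    return {
        "internal": trust_path(INTERNAL_MSG, TRUSTED_NETWORKS),
        "external": trust_path(EXTERNAL_MSG, TRUSTED_NETWORKS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

For the first message every hop with an address is inside 192.0.2.0/24, so the chain is all trusted, which is the ALL_TRUSTED case Bill expects for Alan's sample. For the second, 203.0.113.5 is the last external relay and 10.0.0.9 stays untrusted even if 10.0.0.0/8 were added to trusted_networks, because the chain was already broken one hop above it: that is why listing a host you do not control, however well-behaved, undermines the whole path.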

XM_RANDOM rule seems to hit too often

2021-04-26 Thread jahlives
For the last couple of days we have seen many hits of the XM_RANDOM rule on
legit mail. Samples of X-Mailers it hits:

> X-Mailer: AspQMail 2.0 4.03 (QSM260971F)
> X-Mailer: WebService/1.1.18138 YahooMailAndroidMobile YMobile/1.0
>   (com.yahoo.mobile.client.android.mail/6.27.0; Android/11;
>   RP1A.200720.012; a52xq; samsung; SM-A526B; 5.99; 2186x1080;)
> X-Mailer: WebService/1.1.18121 YahooMailAndroidMobile YMobile/1.0
>   (com.yahoo.mobile.client.android.mail/6.10.5; Android/10;
>   QP1A.190711.020; starlte; samsung; SM-G960F; 5.68; 1450x720;)
> X-Mailer: Traveler 11.0.2.0 Build 202010261910_30 on server
>   DETR02/SRV/BAUHAUS/DE at 20210418173104417 by DelQ-18bc[NoticeMgr]

Especially the AspQMail (it hits on stuff within '()') and the Yahoo mailer
are quite common in our message flow.
I think that rule should be revised.


--
Cheers

tobi
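
The two XM_RANDOM posts in this digest (tobi's report with the samples above, and the revised expression `^[^\(]+q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]` he posted in his follow-up) can be checked offline. The Python below is an added example, not code from SpamAssassin, from the XM_RANDOM rule itself, or from anyone in the thread: it takes the revised pattern exactly as posted (SpamAssassin header rules are Perl regexes, and this one uses only syntax Python's `re` shares), feeds it the four reported X-Mailer values unfolded to one line each, as SpamAssassin does before a header rule runs, plus two made-up values, and reports which would fire and on which token. With the `[^\(]+` prefix the AspQMail and both Yahoo samples no longer hit, because their only q-like tokens sit inside the parentheses; the Traveler sample still hits, on the Q in `DelQ-18bc`, since none of the lookahead exclusions cover that token.

```python
"""Run the revised X-Mailer expression from the thread against the reported samples.

Added example, not SpamAssassin's code: the pattern is tobi's follow-up, the
sample values are the ones in the report, the two extra values are made up.
"""
from __future__ import annotations

import re

# tobi's revised pattern, copied from his follow-up post in this thread.
XM_RANDOM_REVISED = re.compile(
    r"^[^\(]+q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]", re.IGNORECASE
)

# The X-Mailer values from the original report, unfolded into single lines
# the way SpamAssassin sees a header before a rule runs.
SAMPLES = {
    "aspqmail": "AspQMail 2.0 4.03 (QSM260971F)",
    "yahoo_android_11": (
        "WebService/1.1.18138 YahooMailAndroidMobile YMobile/1.0 "
        "(com.yahoo.mobile.client.android.mail/6.27.0; Android/11; "
        "RP1A.200720.012; a52xq; samsung; SM-A526B; 5.99; 2186x1080;)"
    ),
    "yahoo_android_10": (
        "WebService/1.1.18121 YahooMailAndroidMobile YMobile/1.0 "
        "(com.yahoo.mobile.client.android.mail/6.10.5; Android/10; "
        "QP1A.190711.020; starlte; samsung; SM-G960F; 5.68; 1450x720;)"
    ),
    "traveler": (
        "Traveler 11.0.2.0 Build 202010261910_30 on server "
        "DETR02/SRV/BAUHAUS/DE at 20210418173104417 by DelQ-18bc[NoticeMgr]"
    ),
}


def hits(x_mailer: str) -> bool:
    """True if the revised rule would fire on this X-Mailer value."""
    return XM_RANDOM_REVISED.search(x_mailer) is not None


def hit_context(x_mailer: str, width: int = 6) -> str | None:
    """The 'q' the rule anchored on plus what follows it, or None if no hit.

    The match ends one character after the q (the [^u] class), so the q
    itself sits at m.end() - 2; a few characters after it show which token
    tripped the rule.
    """
    m = XM_RANDOM_REVISED.search(x_mailer)
    if m is None:
        return None
    q = m.end() - 2
    return x_mailer[q:q + width]


def run_samples() -> dict:
    """Rule outcome for every reported sample."""
    return {name: hits(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18} hit={hits(value)!s:5} context={hit_context(value)!r}")
```

To try the same pattern in SpamAssassin itself, put it in a local rule of the form `header LOCAL_XM_RANDOM X-Mailer =~ /.../i` with a low score and run `spamassassin -t` over a saved copy of each message; the Traveler case shows why a rule like this wants an exclusion list that grows with the ham it meets.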