Re: Hits on item with " No description available"

2022-01-20 Thread Benny Pedersen

On 2022-01-20 23:35, Bill Cole wrote:

> (and probably should) add that machine to your internal_networks
> setting, since an RFC1918 address is pretty much the definition of
> internal.


another pmc member say to me all rfc1918 is hardcoded in spamassassin

sure if its still missing ?


Re: Hits on item with " No description available"

2022-01-20 Thread Joe Acquisto-j4
> On 2022-01-20 at 16:21:40 UTC-0500 (Thu, 20 Jan 2022 16:21:40 -0500)
> Joe Acquisto-j4 
> is rumored to have said:
> 
. . . . .
> To figure out what matched, you'll need to check a message with the 
> "rules" debug channel on:
> 
> spamassassin -t -D rules < suspect.eml
> 
> HOWEVER: In looking at your message, I'm 99.9% sure that what matched 
> was a Received header recording a client calling itself simply 'mail' 
> using an RFC1918 IP address which is also constructing a Message-Id 
> using just 'mail' as the hostname part. Whatever that machine is, it 
> should be using a FQDN instead of a bare hostname. Also, you could (and 
> probably should) add that machine to your internal_networks setting, 
> since an RFC1918 address is pretty much the definition  of internal.
> 
> 
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org 
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire

Thanks for the debug tip.  I've meant to fix that "mail" issue for some time.
guess now is as good as any.

Anyway the original whine has been resolved.

joe a. 



Re: Hits on item with " No description available"

2022-01-20 Thread Joe Acquisto-j4

>> On 2022-01-20 15:47, Joe Acquisto-j4 wrote:
>> 
>>> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20)
>> 
>> old version
>> 
>>> *  1.8 FSL_HELO_NON_FQDN_1 No description available
>> 
>> have you configured internal_networks, trusted_networks ?
> 
> Yes, keeping up to date is not my strong suit.  Or perhaps any other.
> 
> I did configure them, but may have buggered them up while messing
> around.  But, a-hunting we will go.
> 
> joe a.

And, just like that . . .

trusted_networks was missing one of the IP used on the machine.
internal_networks was not.

Odd.  I don't recall doing that. Hopefully I have only been pwned and
this is not an indication of diminishing mental capa . . cap... err , , stuff.

Thanks to all for the tolerant assistance.

joe a.



Re: Hits on item with " No description available"

2022-01-20 Thread Jeff Mincy
Greg Troxel writes:
 > From: Greg Troxel 
 > Date: Thu, 20 Jan 2022 16:32:53 -0500
 > 
 > I followed my own advice about egrep -R and found this immediately
 > 
 > it's in
 > 
 > 3.004006/updates_spamassassin_org/72_active.cf
 > 
 > and it is
 > 
 > ##{ FSL_HELO_NON_FQDN_1
 > header  FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
 > ##} FSL_HELO_NON_FQDN_1
 > 
 > with score
 > 
 > score FSL_HELO_NON_FQDN_1 2.361 0.001 1.783 0.001

BTW: You can create tags (using Exuberant ctags) for spamassassin rules:

I create the tags using:

ctags -f SPAMASSASSIN_TAGS --langdef=CF --langmap=CF:.cf --languages=CF \
  --regex-CF='/^[ \t]*(header|mimeheader|describe|body|rawbody|full|meta|uri|urirhssub|uridnsbl|urirhsbl|tflags|score|replace_rules)[ \t]+([^ \t]+)/\2/' \
  ~/.spamassassin /var/lib/spamassassin /usr/share/spamassassin

So, I can do Meta-. in Emacs and it goes directly to the
'header  FSL_HELO_NON_FQDN_1' definition

-jeff


Re: Hits on item with " No description available"

2022-01-20 Thread Bill Cole

On 2022-01-20 at 16:21:40 UTC-0500 (Thu, 20 Jan 2022 16:21:40 -0500)
Joe Acquisto-j4 
is rumored to have said:



>> On 20.01.22 at 15:47, Joe Acquisto-j4 wrote:
>>> Where can I get some idea of what the rule below actually checks for?   I
>>> noticed some normally passed email was flagged as SPAM.
>>>
>>> Started seeing it sometime after making some configuration changes to local
>>> settings on postfix, attempting to isolate a "bug".   But before reverting
>>> them all, or one at a time, I'd rather have a clue.  Semi-informed hacking
>>> about can be problematic.
>>>
>>> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20)
>>>
>>> *  1.8 FSL_HELO_NON_FQDN_1 No description available
>>
>> in most cases by read the name with common sense
>>
>> HELO: should be known what it is
>> NON:  none should be clear
>> FQDN: should be known what it is
>>
>> the description would be something like "HELO with no full qualified
>> domain name" and won't help you either if you don't know that standard
>> things when it comes to email
>>
>> the FSL_ prefix is as usual a shortname of the guy who wrote the rule
>
> I would still like to examine that rule, but have not found it despite some
> effort to do so. Are they in "plain text" file or obfuscated/indexed in some
> manner? Doing a text search across the system might take time, but is
> a wasted effort if not in plain text.


The exact location is distro/build-specific, but in someplace like 
/var/db/spamassassin/3.004006 you should have a directory tree of rules 
in 'channels' including updates_spamassassin_org, which includes a file 
named 72_active.cf, with this line:


   header  FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i


Essentially: a SMTP handoff was recorded by a trustworthy receiver in 
which the sender used a HELO/EHLO argument which had no '.' in it, and 
so cannot be a fully-qualified domain name. The X-Spam-Relays-* 
pseudo-headers are synthesized by SpamAssassin from the Received headers 
of the message.


> Reason is, I do not see anything that should trigger this rule, based on the
> suggestions.  Even reverted a couple of setting, see them reflected in
> headers, but it still triggers.  So, I am missing something.


To figure out what matched, you'll need to check a message with the 
"rules" debug channel on:


   spamassassin -t -D rules < suspect.eml

HOWEVER: In looking at your message, I'm 99.9% sure that what matched 
was a Received header recording a client calling itself simply 'mail' 
using an RFC1918 IP address which is also constructing a Message-Id 
using just 'mail' as the hostname part. Whatever that machine is, it 
should be using a FQDN instead of a bare hostname. Also, you could (and 
probably should) add that machine to your internal_networks setting, 
since an RFC1918 address is pretty much the definition  of internal.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
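
Added example (not part of the original thread and not SpamAssassin's own code): a Python rendering of the rule as Bill Cole explains it, showing why a bare 'mail' HELO hits when its relay falls outside trusted_networks and stops hitting once the list is complete, which is the fix Joe reports in this thread. Only the regex comes from the thread; the hop data, the network lists, the four-field entry layout and the trust walk are assumptions.

```python
import ipaddress
import re

# Rule body from 72_active.cf as quoted in the thread, in Python regex syntax.
RULE = re.compile(r"^[^\]]+ helo=[a-zA-Z0-9-_]+ ", re.I)

def relays_external(hops, trusted_networks):
    """Build a simplified X-Spam-Relays-External value.

    hops: newest-first Received hops as dicts (ip, rdns, helo, by).
    Assumption: hops stay trusted, newest first, while the connecting IP is
    in trusted_networks; the first miss and every older hop are external.
    Each entry carries only four of the fields SpamAssassin records.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    external, crossed = [], False
    for hop in hops:
        ip = ipaddress.ip_address(hop["ip"])
        if crossed or not any(ip in net for net in nets):
            crossed = True
            external.append(
                "[ ip={ip} rdns={rdns} helo={helo} by={by} ]".format(**hop))
    return " ".join(external)

def rule_hits(hops, trusted_networks):
    """True when the FSL_HELO_NON_FQDN_1 pattern matches the first external hop."""
    return RULE.search(relays_external(hops, trusted_networks)) is not None

# Constructed sample hops (addresses and host names are illustrative).
BARE = [{"ip": "192.168.1.10", "rdns": "", "helo": "mail", "by": "mx.example.org"}]
FQDN = [dict(BARE[0], helo="mail.example.org")]
CHAIN = [
    {"ip": "203.0.113.5", "rdns": "out.example.net",
     "helo": "out.example.net", "by": "mx.example.org"},
    {"ip": "192.168.1.10", "rdns": "", "helo": "mail", "by": "out.example.net"},
]

if __name__ == "__main__":
    incomplete = ["192.168.1.20/32"]            # one local IP missing
    complete = ["192.168.1.10/32", "192.168.1.20/32"]
    print(rule_hits(BARE, incomplete))   # bare HELO seen as external
    print(rule_hits(BARE, complete))     # same hop now trusted
    print(rule_hits(FQDN, incomplete))   # external but HELO has dots
    print(rule_hits(CHAIN, incomplete))  # bare HELO only on an older hop
```

The CHAIN case shows that the pattern cannot cross a ']', so it only ever inspects the first entry of X-Spam-Relays-External.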


Re: Hits on item with " No description available"

2022-01-20 Thread Joe Acquisto-j4
> On 2022-01-20 15:47, Joe Acquisto-j4 wrote:
> 
>> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20)
> 
> old version
> 
>> *  1.8 FSL_HELO_NON_FQDN_1 No description available
> 
> have you configured internal_networks, trusted_networks ?

Yes, keeping up to date is not my strong suit.  Or perhaps any other.

I did configure them, but may have buggered them up while messing
around.  But, a-hunting we will go.

joe a.




Re: Hits on item with " No description available"

2022-01-20 Thread Joe Acquisto-j4
> I followed my own advice about egrep -R and found this immediately
> 
> it's in
> 
> 3.004006/updates_spamassassin_org/72_active.cf
> 
> and it is
> 
> ##{ FSL_HELO_NON_FQDN_1
> header  FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
> ##} FSL_HELO_NON_FQDN_1
> 
> with score
> 
> score FSL_HELO_NON_FQDN_1 2.361 0.001 1.783 0.001

No 3.004006 around here, but with your hints I did find location of the rules
set and found the rules in a couple of earlier files.

Thanks.




Re: Hits on item with " No description available"

2022-01-20 Thread Benny Pedersen

On 2022-01-20 15:47, Joe Acquisto-j4 wrote:

> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20)

old version

> *  1.8 FSL_HELO_NON_FQDN_1 No description available

have you configured internal_networks, trusted_networks ?


Re: Hits on item with " No description available"

2022-01-20 Thread Greg Troxel

I followed my own advice about egrep -R and found this immediately

it's in

3.004006/updates_spamassassin_org/72_active.cf

and it is

##{ FSL_HELO_NON_FQDN_1
header  FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
##} FSL_HELO_NON_FQDN_1

with score

score FSL_HELO_NON_FQDN_1 2.361 0.001 1.783 0.001




Re: Hits on item with " No description available"

2022-01-20 Thread Joe Acquisto-j4
> On 20.01.22 at 15:47, Joe Acquisto-j4 wrote:
>> Where can I get some idea of what the rule below actually checks for?   I
>> noticed some normally passed email was flagged as SPAM.
>>
>> Started seeing it sometime after making some configuration changes to local
>> settings on postfix, attempting to isolate a "bug".   But before reverting
>> them all, or one at a time, I'd rather have a clue.  Semi-informed hacking
>> about can be problematic.
>> 
>> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20)
>> 
>> *  1.8 FSL_HELO_NON_FQDN_1 No description available
> 
> in most cases by read the name with common sense
> 
> HELO: should be known what it is
> NON:  none should be clear
> FQDN: should be known what it is
> 
> the description would be something like "HELO with no full qualified 
> domain name" and won't help you either if you don't know that standard 
> things when it comes to email
> 
> the FSL_ prefix is as usual a shortname of the guy who wrote the rule

I would still like to examine that rule, but have not found it despite some 
effort to do so. Are they in "plain text" file or obfuscated/indexed in some 
manner? Doing a text search across the system might take time, but is
a wasted effort if not in plain text.

Reason is, I do not see anything that should trigger this rule, based on the 
suggestions.  Even reverted a couple of setting, see them reflected in
headers, but it still triggers.  So, I am missing something.

joe a.



Re: Hits on item with " No description available"

2022-01-20 Thread Greg Troxel

"Joe Acquisto-j4"  writes:

> Where can I get some idea of what the rule below actually checks for?   I 
> noticed some normally passed email was flagged as SPAM.  
>
> Started seeing it sometime after making some configuration changes to local 
> settings on postfix, attempting to isolate a "bug".   But before reverting 
> them all, or one at a time, I'd rather have a clue.  Semi-informed hacking 
> about can be problematic.   
>
> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20)
>
> *  1.8 FSL_HELO_NON_FQDN_1 No description available

cd /var/spamassassin

egrep -R FSL_HELO_NON_FQDN_1 .

Find the rules file and read it.


(rules may be someplace else on your system; that's where they are on
mine)





Re: XM_RANDOM hits for Qi Mail Connector

2022-01-20 Thread John Hardin

On Thu, 20 Jan 2022, Matus UHLAR - fantomas wrote:


> Hello,
>
> looks like there's mailer hitting XM_RANDOM
>
> from multiple mails:
>
> X-mailer: Qi Mail Connector 101.21
> X-mailer: Qi Mail Connector 103.2
>
> apparently generated by czech company information system:
> https://www.qi.cz/system-qi/


Will update, thanks for the report.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  What the hell is an "Aluminum Falcon"??    -- Emperor Palpatine
---
 3 days until John Moses Browning's 167th Birthday


Hits on item with " No description available"

2022-01-20 Thread Joe Acquisto-j4
Where can I get some idea of what the rule below actually checks for?   I 
noticed some normally passed email was flagged as SPAM.  

Started seeing it sometime after making some configuration changes to local 
settings on postfix, attempting to isolate a "bug".   But before reverting them 
all, or one at a time, I'd rather have a clue.  Semi-informed hacking about can 
be problematic.   

X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20)

*  1.8 FSL_HELO_NON_FQDN_1 No description available

Thanks

joe a.



XM_RANDOM hits for Qi Mail Connector

2022-01-20 Thread Matus UHLAR - fantomas

Hello,

looks like there's mailer hitting XM_RANDOM

from multiple mails:

X-mailer: Qi Mail Connector 101.21
X-mailer: Qi Mail Connector 103.2


apparently generated by czech company information system:
https://www.qi.cz/system-qi/

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...