Re: replay RBL queries one hour later
Thank you to everybody that replied to my request. I knew I was not clear in my message... :-)) sorry about it.

I have 2 paid RBL (so I don't care about number of queries) at the frontier MTA. These RBLs reject a ton of connections and so the number of messages reaching SA is already reduced.

Unfortunately, I can't greylist at the moment... well, actually I answer with a 4xx code with one of the paid RBL... it's not *me* that greylists but an external, official, specialized source. I know, borderline.

Back to my request, I see two possibilities.

A. In the logs of the frontier MTA I have the connection IPs of the messages that went through. A simple script can extract the IPs, |sort|uniq and then dig/nslookup and note if they are now listed. Unfortunately I don't know if the message was reported spam or quarantined later but it may be detected spam not for RBL

B. On the backend, Zimbra logs all the messages stored in the mailboxes. A bit more complex script can dump the not spam and not quarantined messages received in a time range in a specific dir and submit each one to SA, the production one or one dedicated to this job. In this way I will also check the URL RBLs.

Using a different SA server allows us to use SA 4.0, or a different set of plugins and rules, or for example enabling only RBLs checks, adding the paid ones.

Still don't know if all this is worth the effort.
Re: Install plugins into embedded spamassassin
Grazie Giovanni,

bundled is probably a better word than embedded. Probably the dirs are different but the steps are those.

I suppose the RBLs used by esp plugin are free to use... are they?

Antony, Zimbra people will come next week to clean up some errors in the setup they left after an upgrade :-) so I'd like to understand myself what to do.

What plugins should be "mandatory" in 2023? And also useful for the Italian language?

On Sun, Feb 26, 2023 at 4:30 PM Giovanni Bechis wrote:

> On Sat, Feb 25, 2023 at 03:30:13PM +0100, hg user wrote:
> > Hi,
> > I'd like to install at least one plugin in my embedded spamassassin,
> > installed inside Zimbra.
> > I'm a bit afraid of breaking stuff, about missing dependencies and so on.
> >
> > I'm on SA 3.4.5 and - as a test - I'd like to install ESP plugin.
> Zimbra uses standard SA, it's just bundled in their software.
> To install an additional plugin you should create
> /etc/mail/spamassassin/ESP.pre
> file with this content:
> loadplugin Mail::SpamAssassin::Plugin::Esp Esp.pm
> And add Esp.pm and Esp.cf to /etc/mail/spamassassin/.
> Same for other plugins you might need.
> Zimbra uses amavisd-new, so you need to reload amavisd-new as well when
> you change SpamAssassin configurations.
>
> Giovanni
Re: replay RBL queries one hour later
Rob McEwen wrote on 2023-02-26 19:45:

> Benny, All I know for sure is this - for MANY legit emails - DKIM fails some days later - when it had originally worked/validated at the time the message was sent.

when i began dkim signing i did that thought why would it be valid after delivery, could it be good to only be valid until recipient forwarder have received it ?, into days scenario could harden arc more to be used in forwards that on itself breaks dkim postfix have queue life time 5d, so make dkim valid for 6 days ? :) since then i do not expire this anymore

> I see this often in the real world when I rescan a message to try to verify the impact on a message that a spam filtering change caused - then notice that a very legit email that originally passed DKIM at the time the message was received - now suddenly fails DKIM during this days-later rescan - and without ANY changes to the message itself.

why rescan ? add reuse foo into local.cf for spamassassin so it not retesting dkim

> I think that this is most likely caused by DNS records for that DKIM being changed/updated. But whatever the cause, this is STILL a reality that's worth noting, for anyone who is rescanning messages later.

correct, how to solve that world on steroids ? :)
Re: replay RBL queries one hour later
Benny,

All I know for sure is this - for MANY legit emails - DKIM fails some days later - when it had originally worked/validated at the time the message was sent.

I see this often in the real world when I rescan a message to try to verify the impact on a message that a spam filtering change caused - then notice that a very legit email that originally passed DKIM at the time the message was received - now suddenly fails DKIM during this days-later rescan - and without ANY changes to the message itself.

I think that this is most likely caused by DNS records for that DKIM being changed/updated. But whatever the cause, this is STILL a reality that's worth noting, for anyone who is rescanning messages later.

Rob McEwen, invaluement

-- Original Message --
From "Benny Pedersen"
To users@spamassassin.apache.org
Date 2/26/2023 1:37:53 PM
Subject Re: replay RBL queries one hour later

Rob McEwen wrote on 2023-02-26 19:03:

> .. sent. This can lead to many egregious false positives. But doing this "one hour later" shouldn't have this problem.

message-id is timebased, so why invalidate it ? :)

i did that mistake on not dkim sign that header

in that regard i now have 2048 kbit size, where 4096 is a bit overkill
Re: replay RBL queries one hour later
Rob McEwen wrote on 2023-02-26 19:03:

> ... sent. This can lead to many egregious false positives. But doing this "one hour later" shouldn't have this problem.

message-id is timebased, so why invalidate it ? :)

i did that mistake on not dkim sign that header

in that regard i now have 2048 kbit size, where 4096 is a bit overkill
Re: replay RBL queries one hour later
Something to keep in mind about this idea of rescanning messages later - once more anti-spam data is available - for use in training/reporting spams - this probably should NOT be done days later because SOME senders aggressively expire/recycle DKIM DNS records. I guess that is to minimize the ability for criminals to spoof DKIM?

The result is that if you implement this idea on days-old messages, you can end up with some spam scoring that was ONLY due to the DKIM not being valid anymore, where it was valid at the time the message was sent. This can lead to many egregious false positives. But doing this "one hour later" shouldn't have this problem.

Rob McEwen, invaluement
Re: replay RBL queries one hour later
On 2023-02-25 at 09:34:52 UTC-0500 (Sat, 25 Feb 2023 15:34:52 +0100) hg user is rumored to have said:

> The last time I was hit by a not-recognized phishing campaign, no IPs nor domains were present in RBL. When I took action one hour later I found that several of them were listed.
>
> So my idea is; is it possible to replay the queries one/two hours later?

If you write the code to do it, based on however you manage your mail, you can do this. There's no way to put that sort of site-specific tooling into SA itself. SA does not know anything about mail other than the messages it is given. SA has no way to know what has happened to a message after it has made its judgment.

> I envision two methods:
> - logging the queries, with Message-ids
> - storing a copy of the message
>
> If the second run hits new RBL, report to me, to take action.

It's certainly something that one could do. It is not something that SpamAssassin itself does or ever will do.

A useful tool for doing this sort of thing involving SA is the MIMEDefang milter, which can use SA for filtering and also can do anything else you can tell Perl to do with mail. I believe MailMunge (a descendant of MIMEDefang) also has that capacity.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
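
Added example, not part of any message in this thread: a Python version of the replay check discussed above (option A in hg user's message, combined with the Message-ID logging quoted in Bill Cole's reply). It assumes Postfix-style log lines and a hypothetical zone `dnsbl.example.org`; the sample log is constructed, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import re
import socket
from collections import defaultdict

# Constructed sample in Postfix syslog style (assumed MTA; not taken from the thread).
SAMPLE_LOG = """\
Feb 25 14:01:02 mx1 postfix/smtpd[2101]: 4F1A2C0012: client=mail.example.net[192.0.2.10]
Feb 25 14:01:02 mx1 postfix/cleanup[2105]: 4F1A2C0012: message-id=<a1@example.net>
Feb 25 14:03:40 mx1 postfix/smtpd[2101]: 5B7D3C0013: client=unknown[198.51.100.7]
Feb 25 14:03:40 mx1 postfix/cleanup[2105]: 5B7D3C0013: message-id=<b2@example.org>
Feb 25 14:09:11 mx1 postfix/smtpd[2133]: 6C8E4C0014: client=unknown[198.51.100.7]
Feb 25 14:09:11 mx1 postfix/cleanup[2105]: 6C8E4C0014: message-id=<c3@example.org>
"""
CLIENT_RE = re.compile(r": ([0-9A-Za-z]+): client=\S*\[([0-9.]+)\]")
MSGID_RE = re.compile(r": ([0-9A-Za-z]+): message-id=(<[^>]*>)")

def ips_with_message_ids(log_text):
    """Map each accepted client IPv4 address to the Message-IDs it delivered."""
    qid_ip, by_ip = {}, defaultdict(list)
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            qid_ip[m.group(1)] = m.group(2)          # queue ID -> connecting IP
        elif (m := MSGID_RE.search(line)) and m.group(1) in qid_ip:
            by_ip[qid_ip[m.group(1)]].append(m.group(2))
    return dict(by_ip)

def dnsbl_name(ip, zone):
    """192.0.2.10 + zone -> 10.2.0.192.zone (IPv4 only)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the list answers inside 127.0.0.0/8; a failed lookup means not listed."""
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_name(ip, zone)))
    except (OSError, ValueError):                    # NXDOMAIN, timeout, bad answer
        return False
    # Some lists use 127.255.255.x as error codes (e.g. query refused), not listings.
    return (answer in ipaddress.ip_network("127.0.0.0/8")
            and answer not in ipaddress.ip_network("127.255.255.0/24"))

def replay(log_text, zone, resolve=socket.gethostbyname):
    """Return {ip: [message-ids]} for delivered mail whose source IP is listed now."""
    return {ip: ids for ip, ids in sorted(ips_with_message_ids(log_text).items())
            if is_listed(ip, zone, resolve)}
```

Each IP is queried once however many messages it delivered, and the returned Message-IDs are what you would search for in the mail store when a late listing appears.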
Re: Install plugins into embedded spamassassin
On Sat, Feb 25, 2023 at 03:30:13PM +0100, hg user wrote:
> Hi,
> I'd like to install at least one plugin in my embedded spamassassin,
> installed inside Zimbra.
> I'm a bit afraid of breaking stuff, about missing dependencies and so on.
>
> I'm on SA 3.4.5 and - as a test - I'd like to install ESP plugin.

Zimbra uses standard SA, it's just bundled in their software.
To install an additional plugin you should create /etc/mail/spamassassin/ESP.pre file with this content:

loadplugin Mail::SpamAssassin::Plugin::Esp Esp.pm

And add Esp.pm and Esp.cf to /etc/mail/spamassassin/.
Same for other plugins you might need.
Zimbra uses amavisd-new, so you need to reload amavisd-new as well when you change SpamAssassin configurations.

Giovanni