[HEADS-UP] Changes to Validity SpamAssassin rules

2024-05-21 Thread Giovanni Bechis

Hi,
if you are using rules that query the Validity RBL (RCVD_IN_VALIDITY_* rules), make
sure you have updated rules (at least dated 2024-04-23),
otherwise you may encounter FPs instead of hitting an overlimit response.

  Giovanni




Upcoming KAM.cf Ruleset 20th Anniversary

2024-04-05 Thread Giovanni Bechis

Hi,
very soon we will celebrate KAM.cf Ruleset 20th Anniversary,
are there any stories about how you use the ruleset, any products that include 
the rules you are aware of, or other info about how it has helped with spam and 
email security ?
Glad to receive any info or story about KAM.cf SpamAssassin ruleset.

 Giovanni




Re: OT: Microsoft Breech

2024-03-19 Thread Giovanni Bechis



On 19 March 2024 15:33:10 CET, Bill Cole wrote:
>On 2024-03-19 at 09:51:04 UTC-0400 (Tue, 19 Mar 2024 08:51:04 -0500)
>Thomas Cameron 
>is rumored to have said:
>
>> Does anyone else just block all traffic from *.onmicrosoft.com?
>
>Yes. No collateral damage noticed. That includes a system that has 
>administrative and alerting role accounts which handle email alerts from Azure 
>and MS365.
>
Disposition notifications are sent from the onmicrosoft.domain.tld domain AFAIK.
  Giovanni


>> I have literally NEVER gotten anything from that domain which is not obvious 
>> junk.
>>
>> I set up postfix to just flat out refuse anything from that domain.[1] If I 
>> get any complaints, I may ease it up, but I was getting TONS of spam 
>> messages from that domain and I figured it was easiest to just block it.
>>
>> -- 
>> Thomas
>>
>> [1]
>>
>> [root@east ~]# grep onmicrosoft /etc/postfix/sender_access
>> # any envelope sender at onmicrosoft.com or one of its subdomains
>> /@(.*\.)?onmicrosoft\.com$/ REJECT
>>
>> [root@east ~]# grep sender_access /etc/postfix/main.cf
>> check_sender_access regexp:/etc/postfix/sender_access
>>
>> On 3/18/24 21:13, Jimmy wrote:
>>>
>>> It's possible that certain email accounts utilizing email services with 
>>> easily guessable passwords were compromised, leading to abuse of the 
>>> .onmicrosoft.com subdomain for sending spam via email.
>>>
>>> I've observed an increase in the blocking of IPs belonging to Microsoft 
>>> Corporation by the SpamCop blacklist since November 2023, with a notable 
>>> spike in activity during February and March 2024.
>>>
>>> Jimmy
>>>
>>>
>>> On Tue, Mar 19, 2024 at 12:10 AM Jared Hall via users <users@spamassassin.apache.org> wrote:
>>>
>>> I've several customers whose accounts were used to send spam as a
>>> result
>>> of Microsoft's infrastructure breach.
>>>
>>> Curiously, NOBODY has received any breach notifications from Microsoft,
>>> despite personal information being compromised.
>>>
>>> What has anyone else experienced?
>>>
>>> Thanks,
>>>
>>> -- Jared Hall
>>>
>
>
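The collateral damage Giovanni points at (read receipts coming from a tenant's onmicrosoft.com address) is easy to reproduce in a content filter. The following is an added example, written for this page and not code from the thread, Postfix or SpamAssassin: it classifies a message by the From: domain the way the sender_access table above does, but exempts messages that are structurally an MDN (multipart/report with report-type=disposition-notification). Both sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed samples (not messages from the thread). The first is a read
# receipt (MDN) as a Microsoft 365 tenant would emit it, the second an
# ordinary message from another tenant's onmicrosoft.com domain.
MDN_SAMPLE = b"""From: bob@contoso.onmicrosoft.com
To: alice@example.org
Subject: Read: quarterly report
Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"

--b1
Content-Type: text/plain

Your message was displayed.
--b1
Content-Type: message/disposition-notification

Reporting-UA: contoso.onmicrosoft.com; Outlook
Final-Recipient: rfc822; bob@contoso.onmicrosoft.com
Disposition: manual-action/MDN-sent-manually; displayed
--b1--
"""

PLAIN_SAMPLE = b"""From: Promo Desk <sales@promo123.onmicrosoft.com>
To: alice@example.org
Subject: Great offer
Content-Type: text/plain

Buy now.
"""

BLOCKED_SUFFIX = ".onmicrosoft.com"


def sender_domain(msg) -> str:
    """Domain of the From: header address, lowercased ('' if absent)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def is_mdn(msg) -> bool:
    """True for an RFC 8098 disposition notification (multipart/report)."""
    report_type = msg.get_param("report-type", failobj="", header="Content-Type")
    return (msg.get_content_type() == "multipart/report"
            and str(report_type).lower() == "disposition-notification")


def classify(raw: bytes) -> str:
    """'REJECT' for onmicrosoft.com senders, except MDNs, which get 'ACCEPT_MDN'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    blocked = domain == BLOCKED_SUFFIX.lstrip(".") or domain.endswith(BLOCKED_SUFFIX)
    if not blocked:
        return "ACCEPT"
    return "ACCEPT_MDN" if is_mdn(msg) else "REJECT"
```

The exemption is decided by headers the sender controls, so a spammer can claim report-type=disposition-notification too; it only removes the collateral damage of the blanket block, and the exempted message should still go through normal scoring.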


Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired

2023-07-21 Thread Giovanni Bechis

Hi,
the phishstats[.]info domain has recently moved to a parking domain; if you are using the
Mail::SpamAssassin::Plugin::Phishing plugin with data downloaded from PhishStats[.]info
it would be better to comment out the "phishing_phishstats_feed" configuration line.
If PhishStats[.]info does not find a new home I am going to remove the relevant
code from the plugin.

 Regards
  Giovanni




Re: Install plugins into embedded spamassassin

2023-02-26 Thread Giovanni Bechis
On Sat, Feb 25, 2023 at 03:30:13PM +0100, hg user wrote:
> Hi,
> I'd like to install at least one plugin in my embedded spamassassin,
> installed inside Zimbra.
> I'm a bit afraid of breaking stuff, about missing dependencies and so on.
> 
> I'm on SA 3.4.5 and - as a test - I'd like to install ESP plugin.
Zimbra uses standard SA, it's just bundled in their software.
To install an additional plugin you should create /etc/mail/spamassassin/ESP.pre
file with this content:
loadplugin Mail::SpamAssassin::Plugin::Esp Esp.pm
And add Esp.pm and Esp.cf to /etc/mail/spamassassin/.
Same for other plugins you might need.
Zimbra uses amavisd-new, so you need to reload amavisd-new as well when
you change SpamAssassin configurations.

 Giovanni




ESPs spam updates

2023-01-02 Thread Giovanni Bechis
Hi,
as everybody knows, spam from ESPs continues; some news about my efforts to
counter those spammers:
- new version of Mail::SpamAssassin::Plugin::Esp has been released, you
  can find it at https://github.com/bigio/spamassassin-esp
- my ESPs rbl is now public, rules to use it can be downloaded from 
https://spamassassin.snb.it/Esp-rbl.cf
- if you are using SpamAssassin 4.0, the rbl can be used without loading
  ESP plugin.

 Happy new Year
  Giovanni




Re: 4.0.0 dnsbl_subtests.t test failures

2022-12-26 Thread Giovanni Bechis
On Mon, Dec 26, 2022 at 10:38:07AM +1300, Sidney Markowitz wrote:
> Philippe Chaintreuil via users wrote on 26/12/22 6:27 am:
> > I'm getting test failures for the dnsbl_subtests.t.  Figured I'd check
> > here before filing a bug.
> > 
> > I'm running Spam Assassin 4.0.0 on Gentoo Linux.  Perl 5.36.0.
> > 
> > Test output:
> > 
> > ==
> >  ...
> > t/dnsbl_subtests.t  1/46 rules: unknown eval
> > 'check_uridnsbl' for X_URIBL_N_3
> > rules: unknown eval 'check_uridnsbl' for X_URIBL_Y_2D
> > rules: unknown eval 'check_uridnsbl' for X_URIBL_N_0B
> 
> I haven't tested on gentoo, but I have tested on different platforms 
> with perl 5.36.0.
> 
> I can get exactly that set of error messages by commenting out the 
> loadplugin for URIDNSBL in rules/init.pre or deleting the file 
> rules/init.pre completely, and running make test with the default 
> setting of run_net_tests=n in t/config.dist. If I change it to 
> run_net_tests=y then the test t/uribl.t also fails where it tries to use 
> check_uridnsbl
> 
> None of the other tests use check_uridnsbl so they don't generate 
> errors. t/spamd_allow_user_rules.t references check_uridnsbl but it is 
> checking something with rule parsing and never tries to run it so it 
> doesn't fail.
> 
dnsbl_subtests.t runs even with run_net_tests=n (fixed a few minutes
ago in trunk); the "unknown eval" error is unrelated to this bug anyway,
I think in this case the user fails to load init.pre correctly in his
setup.
 Giovanni




Heads up: "Unescaped left brace" warning on SpamAssassin 4.0

2022-08-18 Thread Giovanni Bechis

Hi,
starting on 08/16 a rule that is using captured tags has been promoted and 
SpamAssassin 4.0 (this rule is disabled for SpamAssassin 3.x) started printing 
log lines like:
Aug 16 01:07:49 spamd-intel1 spamd[1706586]: plugin: eval failed: 
Timeout::_run: Unescaped left brace in regex is illegal here in regex; marked 
by <-- HERE in m/(? line 5.
on every message.

To avoid the warning you should update to a checkout newer than r1903359
(2022-08-11).

 Giovanni




Re: How to deal with bounce messages

2022-04-25 Thread Giovanni Bechis
On Mon, Apr 25, 2022 at 12:50:49PM +0300, Henrik K wrote:
> On Mon, Apr 25, 2022 at 11:48:52AM +0200, Matus UHLAR - fantomas wrote:
> > > > >> >https://pastebin.com/s032ndrA
> > > > >> >
> > > > >> >It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
> > > > >>
> > > > >> where did you get these from?
> > > > 
> > > > On 22.04.22 10:02, Alex wrote:
> > > > >I just realized these are from my local rules, put together from a
> > > > >conversation many years ago, apparently from before SA had built-in
> > > > >DMARC support.
> > > > >
> > > > >https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html
> > 
> > > > now I really wonder why these aren't part of stock SA rules.
> > 
> > On 24.04.22 14:39, Alex wrote:
> > > Does this mean you are investigating further?
> > 
> > not me, as I'm not involved in SA deployment more than by being active here.
> > perhaps you could fill a wishlist report...
> > 
> > > Are these rules from the link above useful?
> > 
> > looks like they are. KAM.cf contains similar rules, but having them in stock
> > SA would be nice.
> 
> Soon released 4.0.0 already has a dedicated DMARC plugin, such rules should
> become obsolete.  Testers would be appreciated..
> 
KAM.cf already has all the needed glue; if you update to trunk and enable the DMARC
plugin, the DMARC rules will use the new plugin code.
 Giovanni
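For readers who want to see what a "DMARC pass" versus "DMARC reject" verdict actually depends on, here is an added example, written for this page and not code from SpamAssassin's DMARC plugin or from KAM.cf: a minimal DMARC alignment evaluator that takes the From: domain, the SPF and DKIM results with the domains they authenticated, and the published policy record. One simplification is an assumption of mine: the organizational domain is taken as the last two labels instead of consulting the Public Suffix List, which is wrong for domains under suffixes like co.uk.

```python
# Added example, not SpamAssassin code. Assumption: org_domain() uses the
# last two labels instead of the Public Suffix List (breaks for co.uk etc.).

def org_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed (same org)."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def parse_policy(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def dmarc_evaluate(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, record: str) -> str:
    """Return 'pass', or the disposition the domain owner asked for on failure
    ('none', 'quarantine', 'reject'), or 'missing' when no DMARC record exists."""
    policy = parse_policy(record) if record else {}
    if policy.get("v") != "dmarc1":
        return "missing"
    # SPF only counts when the MAIL FROM domain aligns with the From: domain,
    # DKIM only when the d= domain aligns; either one passing is enough.
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")
```

The typical false-negative in hand-written rules like the ones from the old thread is forgetting alignment: a DKIM signature that validates but carries a d= from an unrelated domain does not satisfy DMARC, which is exactly what the adkim=s case below shows.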


Re: Getting right GPG key for KAM

2022-03-22 Thread Giovanni Bechis
On 3/21/22 13:31, @lbutlr wrote:
> On 2022 Mar 21, at 04:37, Henrik K  wrote:
>> Right, it does seem you haven't imported the key..
> 
> Thanks! That's what was missing. Odd, considering there were KAM files 
> present, just not recent ones. Anyway, not my system, but all sorted now.
> 
The KAM.cf channel started in November 2020; before that date the KAM ruleset was not
signed.
 Giovanni




[OT] Re: fuglu 1.0.1

2021-09-25 Thread Giovanni Bechis
On 9/25/21 08:32, Jared Hall wrote:
> MIMEDefang might be another program that can help you.  I personally don't 
> know much about it, but it seems to be robust.
MIMEDefang can fix Alex's issue ("one domain may wish to allow html files while
another would like to block them");
we can talk about it on the MIMEDefang ML
(https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org)
or you can send me an email
about it.
 Giovanni




Re: Does anyone know what generates these email headers?

2021-09-09 Thread Giovanni Bechis
On Wed, Sep 08, 2021 at 06:17:49PM -0700, Loren Wilton wrote:
> > The originating PHP script header helps people who run shared servers 
> > track down the source of problematic mail. The two most common cases are:
> 
> Does this look valid?
> 
> X-PHP-Originating-Script: 48:class.phpmailer.php
> 
> Just looking at a dozen or so of the spams I've gotten in the last couple 
> days that match this pattern, they all have an x-originating-spam-status 
> of -2.9, which makes me a little suspicious that that header is faked. Maybe 
> the others are too.
> 
class.phpmailer.php means the email has been sent by PHPMailer, one of
the most popular classes used to send emails from PHP.
48 is the uid of the user that sent that email, one more piece of info useful to
track down compromised accounts on shared hosting.
As-is it's neither a spam nor a ham sign.

If x-originating-spam-status always has the same value it's suspicious
anyway.

 Giovanni
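The header is worth more as an abuse-desk signal than as a spam sign, which is the point Giovanni makes. The following is an added example, not code from the thread or from SpamAssassin, showing how to parse the "<uid>:<script>" value and aggregate it over a batch of messages to find which local account on a shared host is sending. The sample values are constructed; the "(N) : eval()'d code" suffix is the form PHP uses for code run through eval(), which is an assumption of mine about the header's content rather than something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample header values (not from the thread), in the "<uid>:<script>"
# form PHP's mail.add_x_header option writes.
SAMPLE_HEADERS = [
    "48:class.phpmailer.php",
    "48:class.phpmailer.php",
    "48:class.phpmailer.php",
    "1003:contact.php",
    "48:class.phpmailer.php(12) : eval()'d code",   # assumed eval() form
    "garbage",
]

# uid, then the script name up to the first whitespace or "(".
HEADER_RE = re.compile(r"^(?P<uid>\d+):(?P<script>[^\s(]+)")


def parse_originating(value: str):
    """Return (uid, script) from an X-PHP-Originating-Script value, or None."""
    match = HEADER_RE.match(value.strip())
    if not match:
        return None
    return int(match.group("uid")), match.group("script")


def suspicious(value: str) -> bool:
    """True when the originating 'script' is eval()'d code: a strong hint of
    an injected mailer or webshell rather than the site's own PHP files."""
    return "eval()'d code" in value


def per_uid_counts(values) -> Counter:
    """Messages per (uid, script), to spot the one account pumping out mail."""
    counts = Counter()
    for value in values:
        parsed = parse_originating(value)
        if parsed:
            counts[parsed] += 1
    return counts


def top_sender(values):
    """The (uid, script) pair with the most messages, or None."""
    counts = per_uid_counts(values)
    return counts.most_common(1)[0][0] if counts else None
```

The uid only identifies a system account, so the next step is the host's own mapping of uids to customers; the header itself can be forged by anyone injecting their own headers, which is why it is a lead and not a verdict.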




Re: HashBL email_whitelist override?

2021-08-18 Thread Giovanni Bechis
On 8/18/21 10:55 AM, Lars Einarsen wrote:
> Hi list,
> any suggestion on how to override the whitelist entries in the HashBL plugin?
> 
> We run an in house hashbl dns list and see lots of "administrative" type 
> adresses that matches the whitelist regex in the plugin.
> 
There is no way atm but I thought more than once to add such a feature for the 
same reason.

 Giovanni 





Re: More fake order spam

2021-04-28 Thread Giovanni Bechis
On 4/28/21 12:59 PM, Matus UHLAR - fantomas wrote:
>>> On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
>>>>> -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
>>>>>    manager
>>>>
>>>> I have disabled his rule some time ago.
>>>> Many spammers use mailing list or their signatures.
> 
>> On 2021-04-28 11:55, Giovanni Bechis wrote:
>>> Same here, is it worth to keep MAILING_LIST_MULTI to that hardcoded score ?
> 
> On 28.04.21 12:18, Benny Pedersen wrote:
>> i have -20 there :=)
> 
>> but also local uribl enlists to catch spam
>>
>> no dns for me
>>
>> keep it very negative ensures not rejecting maillists
>>
>> maybe harden with !FREEMAIL_FROM
>>
>> or DKIM_VALID_EF
>>
>> if that hits its direct mailling and possible spam, while ! is maillist 
>> often :=)
> 
> I looked around my spam folder, I see that I did:
> 
> score   MAILING_LIST_MULTI  -0.001
> 
> just to see the rule if it hits.
> 
> out of 120 spams currently, I see many spams from google(groups), mailjet
> and other list providers I haven't signed for.
> 
> some do hit FREEMAIL_FROM, some don't.
> 
~8% of my daily spam hits MAILING_LIST_MULTI and only 0.2% hits both 
MAILING_LIST_MULTI and FREEMAIL_FROM for me. 




> funny is that they hit FREEMAIL_FORGED_FROMDOMAIN because of
> @googlegroups.com envelope but gmail.com From, which is expected for mailing
> list.
> 
> some hit DKIM_VALID_EF, some don't
> 
> ...DKIM_VALID_EF is imho useless, because mail should to be signed with DKIM 
> of
> header domain, not envelope.
> 
> 
> while I agree that MAILING_LIST_MULTI can be used in meta rules, it's
> neither of those, and none I currently know of.






Re: More fake order spam

2021-04-28 Thread Giovanni Bechis
On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
> 
>> -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
>>    manager
> 
> I have disabled his rule some time ago.
> Many spammers use mailing list or their signatures.
Same here, is it worth to keep MAILING_LIST_MULTI to that hardcoded score ?

 Giovanni





Re: Using spamassassin modules from a git repo

2021-04-08 Thread Giovanni Bechis
On 4/8/21 7:51 PM, Bill Cole wrote:
>> So clearly it's not ideal to clone a spamassassin module into
>> /etc/spamassassin!
>>
>> I'm curious if someone has a clean solution here that allows updating
>> the module from time to time from git.
> 
> That module? No. I have the utmost respect for and trust in Giovanni Bechis 
> and use his code every day, but that module as it exists at Github is not 
> structured to be used from a git checkout. The 4 significant files all 
> properly belong in different places. The specific proper places would depend 
> on how your Perl and SA installations were configured.

To update SpamAssassin module from time to time from Git I am using 
Puppet/Ansible that will put the code in the right places.
On simpler installs I am using a Makefile like this one:

install:
	pod2man Esp.pm > "/usr/share/man/man3p/Mail::SpamAssassin::Plugin::Esp.3p"
	perl -cw Esp.pm && podlint Esp.pm && cp Esp.cf Esp.pm Esp.pre /etc/mail/spamassassin/

Then I can run git pull from the directory and run make install to copy all 
files to the correct places.

 Giovanni
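The Makefile above and the Zimbra answer earlier on this page (create a .pre file with the loadplugin line, copy the .pm and .cf next to it, then reload the glue) describe the same procedure. The following is an added example that automates it, written for this page and not the plugin's own installer: it checks both files exist, optionally syntax-checks the module with perl -cw before anything is copied, writes the .pre loader, and optionally runs spamassassin --lint afterwards. Assumptions: the plugin files are named <Name>.pm and <Name>.cf, the site directory is /etc/mail/spamassassin, and perl and spamassassin are on PATH when lint=True. Restarting amavisd-new (or the Zimbra-managed amavisd) after the install is still up to the caller.

```python
import shutil
import subprocess
from pathlib import Path

# Added example, not the plugin's own code. Assumptions: files are <name>.pm
# and <name>.cf; SITE_DIR is the usual site config dir; 'perl' and
# 'spamassassin' are on PATH when lint=True.
SITE_DIR = Path("/etc/mail/spamassassin")


def install_plugin(src, name: str, site=SITE_DIR, lint: bool = True) -> Path:
    """Install <name>.pm/<name>.cf from src into site and write <name>.pre.
    Returns the path of the .pre file that loads the plugin."""
    src, site = Path(src), Path(site)
    pm, cf = src / f"{name}.pm", src / f"{name}.cf"
    for f in (pm, cf):
        if not f.is_file():
            raise FileNotFoundError(f)
    if lint:
        # Syntax-check the module before it can break the whole spamd config.
        subprocess.run(["perl", "-cw", str(pm)], check=True)
    site.mkdir(parents=True, exist_ok=True)
    shutil.copy2(pm, site / pm.name)
    shutil.copy2(cf, site / cf.name)
    pre = site / f"{name}.pre"
    # .pre files are read before .cf files, so the plugin is loaded before
    # the rules in <name>.cf reference its eval functions.
    pre.write_text(f"loadplugin Mail::SpamAssassin::Plugin::{name} {name}.pm\n")
    if lint:
        # Lint the complete configuration with the new plugin in place.
        subprocess.run(["spamassassin", "--lint"], check=True)
    return pre


def loaded_plugins(site=SITE_DIR):
    """Plugin class names declared by loadplugin lines in the site's .pre files."""
    names = []
    for pre in sorted(Path(site).glob("*.pre")):
        for line in pre.read_text().splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "loadplugin":
                names.append(parts[1])
    return names
```

Running the lint step before copying matters on a production box: a .pm with a syntax error that is already in /etc/mail/spamassassin makes every scan fail until it is removed, whereas perl -cw on the source copy fails harmlessly.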





Re: SA DKIM check

2021-04-02 Thread Giovanni Bechis
On 4/1/21 3:10 PM, Simon Wilson wrote:
> Does SA always do its "own" DKIM check, or can it be told to use an already 
> written trusted AuthservId-written Authentication-Results header, e.g. from 
> OpenDKIM?
> 
I think Mail::SpamAssassin::Plugin::AuthRes (on trunk) is what you are looking 
for.

 Giovanni






Re: AskDNS with a DNAME

2021-02-28 Thread Giovanni Bechis
On Sun, Feb 28, 2021 at 10:33:15AM -0500, Michael Grant wrote:
> On Sun, Feb 28, 2021 at 03:53:33PM +0100, Giovanni Bechis wrote:
> > On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> > > Ultimately I want the spamassassin report in the headers but I don't
> > > want the license key in there.
> > > 
> > you can set 'tflags net nolog' if you are using trunk.
> > Invaluement uri and license key will be printed as *redacted*.
> >  Giovanni   
> > 
> 
> Hi Giovanni, unfortunately, this did not work either.
> 
> I just pulled from your repo to make sure I was on master.  I added
> nolog, the pertinent lines look like this:
> 
>   askdns   RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com 
> A 127.0.0.2
>   describe RBL_SENDGRID_ID Sendgrid Id blacklist
>   tflags   RBL_SENDGRID_ID net nolog
> 
>   askdns   RBL_SENDGRID_DOM 
> _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
>   describe RBL_SENDGRID_DOM Sendgrid domain blacklist
>   tflags   RBL_SENDGRID_DOM net nolog
> 
With SpamAssassin trunk (sorry I probably was not clear) you will have:

 1.0 RBL_SENDGRID_IDASKDNS: Invaluement Sendgrid Id blacklist
 [*REDACTED*]

 Giovanni




Re: AskDNS with a DNAME

2021-02-28 Thread Giovanni Bechis
On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> Ultimately I want the spamassassin report in the headers but I don't
> want the license key in there.
> 
you can set 'tflags net nolog' if you are using trunk.
Invaluement uri and license key will be printed as *redacted*.
 Giovanni   



Re: Phishing campaign using nested Google redirect

2021-02-19 Thread Giovanni Bechis
On 2/19/21 1:09 AM, John Hardin wrote:
> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
> 
>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>> Just wanted to forward an example of an interesting URL obfuscation
>>> tactic observed yesterday.
>>>
>>> https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>
>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this 
>> spam as well.
>> If you can send me a spample I could tweak it a bit more.
> 
> We may need to coordinate a little here - there's also a google.com/url redir 
> rule in my sandbox, and they may be overlapping.
> 
I proposed a shared sandbox for that reason when we developed bitcoin rules 
(and we had similar problems with overlapping rules).

 Giovanni
 






Re: Phishing campaign using nested Google redirect

2021-02-18 Thread Giovanni Bechis
On 2/18/21 6:37 PM, Ricky Boone wrote:
> Just wanted to forward an example of an interesting URL obfuscation
> tactic observed yesterday.
> 
> https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
> 
> Google then spits back a response with the redirect target in both
> JavaScript and non-JavaScript forms (meta refresh tag):
> 
> https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.phpsa=Dsntz=1usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
> 
> Slightly different response behavior this time, but ultimately
> redirects the victim to the malicious destination.  The effective
> destination in this case has been taken down, but I'll avoid putting
> the full link.
> 
> Unfortunately, there didn't seem to be any rules that would help catch
> this.  I have a couple thoughts on some that I would need to test, but
> wanted to share to the community.
> 
I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam 
as well.
If you can send me a spample I could tweak it a bit more.

 Giovanni
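The two messages above describe a google.com/url wrapper whose target is itself a percent-encoded google.com/url wrapper. The following is an added example, written for this page and not the GB_GOOGLE_OBFUR rule or any SpamAssassin code, that unwraps such nesting offline by decoding the q= or url= parameter repeatedly until the URL is no longer a Google redirector. The sample URL is constructed with the same shape as the one posted (the posted one has its query separators damaged by archiving) and points at a reserved .example host.

```python
from urllib.parse import urlsplit, parse_qs

GOOGLE_HOSTS = {"www.google.com", "google.com"}

# Constructed sample (not the URL from the thread): an outer google.com/url
# whose url= parameter is another, percent-encoded google.com/url with q=.
SAMPLE = ("https://www.google.com/url?sa=t&source=web&url="
          "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252F"
          "evil.example%252Flogin%26sa%3DD")


def is_google_redirect(url: str) -> bool:
    parts = urlsplit(url)
    return parts.netloc.lower() in GOOGLE_HOSTS and parts.path == "/url"


def unwrap_google_redirect(url: str, max_depth: int = 5):
    """Follow google.com/url?q=... / url=... wrappers without any network I/O.
    Returns (final_url, hops). Each hop decodes one level of percent-encoding,
    which is what makes the nested variant resolve: parse_qs unquotes the
    value, exposing the inner redirector as a plain URL."""
    current, hops = url, 0
    while hops < max_depth and is_google_redirect(current):
        params = parse_qs(urlsplit(current).query)
        target = (params.get("q") or params.get("url") or [None])[0]
        if not target:
            break
        current = target
        hops += 1
    return current, hops


def redirect_target_host(url: str) -> str:
    """Host the victim ends up on after all wrappers are removed."""
    final_url, _ = unwrap_google_redirect(url)
    return urlsplit(final_url).netloc.lower()


def hides_external_target(url: str) -> bool:
    """True when a Google redirector ultimately leads off google.com, i.e. the
    pattern a phishing rule wants to flag; plain non-Google URLs are False."""
    final_url, hops = unwrap_google_redirect(url)
    return hops > 0 and urlsplit(final_url).netloc.lower() not in GOOGLE_HOSTS
```

A rule based on the raw text would need one regex per nesting level; decoding first and then looking at the final host catches any depth up to max_depth and also gives you the real domain to feed to a URIBL lookup.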





Re: Points for improbable Received header date?

2021-02-11 Thread Giovanni Bechis
On Thu, Feb 11, 2021 at 08:52:59AM -0500, Bill Cole wrote:
> On 11 Feb 2021, at 7:00, Loren Wilton wrote:
> 
> > I'm getting a lot of spams that all have a series of completely bogus 
> > Received headers in them. A characteristic of these headers is a 
> > rather improbable datestamp, considering today's date:
> >
> > Received: from 69-171-232-143.mail-mail.facebook.com 
> > ([69.171.232.143])
> > by oxsus1nmtai03p.internal.vadesecure.com with ngmta
> > id 0574d1a8-1628c15907fbaba1; Thu, 06 Aug 2020 18:30:56 +
> >
> > Note that this message must have been in flight for about a year and a 
> > half according to that header.
> 
> Minor pedantry: Actually just a few days more than half a year.
> 
> > Anyone know an easy way to check for a Received header date more than 
> > say a week old and add some points?
> 
> There is a received_within_months() eval in the HeaderEval plugin which 
> someone wrote at some point but failed to suitably document or even use. 
> There are also private functions there (e.g. 
> _get_received_header_times()) which seem potentially useful but which 
>  are also undocumented. If you feel like being a pioneer, you 
> could try creating rules to make use of that code.
> 
and if you want to become a hero, patches to document those evals are always
welcome ;-)

 Giovanni
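Until those evals are documented, the check Loren asked for is a few lines of header parsing. The following is an added example, written for this page and not SpamAssassin's HeaderEval code: it pulls the date-time clause (the part after the last ';') out of every Received: header and reports how far in the past the oldest one claims to be, relative to a caller-supplied reference time so the result is deterministic. The sample message is constructed.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone

# Constructed message (not the one quoted above): the first Received: header
# carries a date roughly six months before the reference "now" used below.
SAMPLE = b"""Received: from relay.example.net ([192.0.2.10])
\tby mx.example.org with esmtp id abc123;
\tThu, 06 Aug 2020 18:30:56 +0000
Received: from mail.example.org by mx.example.org; Wed, 10 Feb 2021 09:00:00 +0000
From: sender@example.net
Subject: test

body
"""


def received_dates(raw: bytes):
    """Timestamps of all Received: headers as aware datetimes (UTC if unstated)."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    dates = []
    for hdr in msg.get_all("Received", []):
        # The date-time is the clause after the last ';' (RFC 5321 section 4.4).
        _, sep, date_part = str(hdr).rpartition(";")
        if not sep:
            continue
        try:
            dt = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            continue  # unparsable date: skip it rather than fail the scan
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        dates.append(dt)
    return dates


def stalest_received_days(raw: bytes, now: datetime) -> float:
    """Age in days of the oldest Received: timestamp relative to `now`."""
    dates = received_dates(raw)
    if not dates:
        return 0.0
    return max((now - d).total_seconds() / 86400.0 for d in dates)


def improbable_received(raw: bytes, now: datetime, max_days: float = 7.0) -> bool:
    """True when some Received: header claims the message is older than max_days."""
    return stalest_received_days(raw, now) > max_days
```

Forged Received: headers are added by the sender, so only the ones above your own trusted relays are attacker-controlled; the age check is a spam signal for those, while a genuinely old date on your own MX line would point at a clock problem instead.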




Re: netflix phishing emails forwarded via sendgrid

2021-02-11 Thread Giovanni Bechis
On 2/9/21 10:03 PM, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>> Since it's already hitting 8.9, why do more?
> 
> got one more today
> 
> http://multirbl.valli.org/lookup/167.89.112.86.html
> 
> envelope sender is not sendgrid.net
> 
> spamurls to the phishing is sendgrid redir to hide all detalts of spam domain
> 
> why is so many uribl not blocking phish attemps better ?
> 
With the updated Esp plugin[¹] just committed to trunk you can use Sendgrid
files downloaded from Invaluement as well as locally generated files.
Local files can be generated by looking at the Return-Path of the offending
email.
Return-Path: 
In this case "1234" is the id you are interested in.

  Giovanni

[¹] https://github.com/bigio/spamassassin-esp/releases/tag/esp-v1.2



Re: netflix phishing emails forwarded via sendgrid

2021-02-09 Thread Giovanni Bechis
On Tue, Feb 09, 2021 at 10:03:57PM +0100, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
> > Since it's already hitting 8.9, why do more?
> 
> got one more today
> 
> http://multirbl.valli.org/lookup/167.89.112.86.html
> 
> envelope sender is not sendgrid.net
> 
> spamurls to the phishing is sendgrid redir to hide all detalts of spam 
> domain
> 
> why is so many uribl not blocking phish attemps better ?
> 
> i can send sample on request to pmc members
Please send me spamples, I will take a look at them.

 Giovanni




Re: Bayes converstion: SQL--> Redis?

2021-02-04 Thread Giovanni Bechis
On 2/4/21 10:47 AM, Dan Mahoney (Gushi) wrote:
> Hey there all,
> 
> In looking at my sql server, it looks like the on-disk size of my MySQL DB's 
> is like 9G (because of InnoDB, it's hard to glean just from the filesystem 
> what tables are which).
> 
> Anyway, I'd like to move over to a global redis system, but I don't see an 
> easy way to convert from bayes SQL to redis bayes.
> 
> Is this somewhere and I can't find it?
> 
"sa-learn --backup" with old config and "sa-learn --restore" with new one 
should do what you need.

 Giovanni



Re: BCC Rule and Subject change for specific rule

2021-01-06 Thread Giovanni Bechis


On 1/6/21 2:40 PM, RW wrote:
> On Tue, 5 Jan 2021 10:14:45 -0800 (PST)
> John Hardin wrote:
> 
>> On Tue, 5 Jan 2021, Dave Funk wrote:
>>
>>> On Tue, 5 Jan 2021, John Hardin wrote:
> 
> subjprefix  FROM_ME [From Me]  

> 
>>>
>>> Does this work if you're using a milter for your glue?
>>>
>>> Is there some special status/command that spamd returns to the
>>> milter for this kind of modification? If so the milters may need to
>>> be recoded to implement it.  
>>
>> No, it's rewriting the message headers before passing the message
>> back to the MTA. It's already adding a [SPAM] tag to the subject by
>> default (if enabled). This just allows customization of that behavior.
> 
> Assuming that the scan itself adds the headers. I was under the
> impression that amavisd adds its own headers. 
> 
> 
> There's also this rather vague remark in the documentation: 
> 
>   "To be able to use this feature a "add_header all Subjprefix
>   _SUBJPREFIX_" configuration line could be needed on some setups."
> 
This is needed to let amavisd (from the next released version AFAIK) or MIMEDefang
(with a custom mimedefang-filter snippet) parse the headers
and correctly rewrite the subject.

  Giovanni


Re: BCC Rule and Subject change for specific rule

2021-01-04 Thread Giovanni Bechis
On Mon, Jan 04, 2021 at 05:23:30PM -0800, John Hardin wrote:
> On Mon, 4 Jan 2021, Joey J wrote:
> 
> > If I'm understanding things correctly, there is a way for me to BCC spam
> > messages which lets say score 10 and send a BCC to an email address, but
> > I'm trying to do it within only 1 rule, as well as modify the subject.
> >
> > What I don't want is a BCC sent for every messages which is scored a 10,
> > but only the specific rule.
> >
> > Is there a way for me to accomplish this set of actions?
> 
> You can't BCC the message within SpamAssassin, as SA only scores messages. 
> The MTA or glue layer (what ties SA into your MTA) is what determines 
> *delivery* of the message based on SA's score.
> 
> Potentially, your MTA or glue layer could be configured to look for a 
> specific scored rule name appearing in the header that lists rule hits and 
> if found deliver the message to another destination.
> 
> But specifically how to do that depends on your MTA and/or your glue. What 
> are you using?
> 
> I'm pretty sure SA only allows setting the subject tag by language, not 
> based on rule hits. You may beable to modify the subject in the MTA/glue 
> at the same point you do the extra delivery.
> 
Starting from 3.4.3 you can add a prefix to the email subject like this:
header  FROM_ME From:name =~ /Me/
subjprefix  FROM_ME [From Me]

 Giovanni
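Giovanni's two messages above explain the contract: SpamAssassin only computes the prefix, and with "add_header all Subjprefix _SUBJPREFIX_" it exposes it in a header for the glue (amavisd, MIMEDefang, a milter) to act on. The following is an added example of that glue step, written for this page and not code from amavisd, MIMEDefang or SpamAssassin: it reads the X-Spam-Subjprefix header from the scanned message, prepends it to the Subject once, and removes the marker header so it does not leak downstream. The header name X-Spam-Subjprefix and the sample message are assumptions of mine.

```python
import email
from email import policy

# Constructed sample: headers as SA returns them with
# "add_header all Subjprefix _SUBJPREFIX_" and the FROM_ME rule above firing.
# The header name is an assumption (add_header prefixes the name with X-Spam-).
SCANNED = b"""X-Spam-Subjprefix: [From Me]
X-Spam-Status: Yes, score=6.1 required=5.0 tests=FROM_ME
From: Me <me@example.org>
Subject: hello

body
"""

MARKER = "X-Spam-Subjprefix"


def apply_subjprefix(raw: bytes, strip_marker: bool = True) -> bytes:
    """Rewrite Subject: with the prefix SA chose; idempotent on re-scan."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    prefix = (msg.get(MARKER) or "").strip()
    subject = (msg.get("Subject") or "").strip()
    if prefix and not subject.startswith(prefix):
        del msg["Subject"]
        msg["Subject"] = f"{prefix} {subject}".strip()
    if strip_marker:
        # The glue consumed the marker; leaving it in would expose rule
        # internals to the recipient and confuse a second scan.
        del msg[MARKER]
    return msg.as_bytes()


def subject_of(raw: bytes) -> str:
    return email.message_from_bytes(raw, policy=policy.compat32).get("Subject", "")
```

The startswith check is what keeps a message that is scanned twice (e.g. forwarded through two filtering hops) from ending up as "[From Me] [From Me] hello".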




Re: Happy Thanksgiving and Announcing the Apache SpamAssassin Channel for the KAM Rule Set

2020-12-15 Thread Giovanni Bechis
On 12/14/20 7:27 PM, AJ Weber wrote:
> 
>> if you are using RH based Linux distros, just put the attached configuration 
>> file under /etc/mail/spamassassin/channels.d/
> 
> Apologies for the naive question;  I'm running CentOS 7, SA 3.4.3.  I don't 
> have that channels.d directory by default.  I've been running a more 
> traditional cron update:
> 
> 9 3 * * * /usr/local/bin/sa-update --gpgkey 6C6191E3 --channel 
> updates.spamassassin.org && /etc/init.d/spamassassin restart
> 
> Can I simplify by putting a conf file for the default updates and the KAM 
> updates config into that location, then just run "sa-update && spamassassin 
> restart" in cron?
> 
The channels.d directory is handled by /usr/share/spamassassin/sa-update.cron 
which is distributed with official RH-based RPM files and executed by 
/etc/cron.d/sa-update.
Stock sa-update doesn't know how to handle channels.d directories.

 Giovanni



Re: Mailchimp support for spamassassin-esp

2020-12-01 Thread Giovanni Bechis
On Mon, Nov 30, 2020 at 05:40:39PM -0500, Alex wrote:
> Hi,
> 
> I happened to notice today that the sendgrid spam work being done by
> Invaluement (https://www.invaluement.com/serviceproviderdnsbl/) and SA
> developers now apparently supports compromised Mailchimp domains.
> https://github.com/bigio/spamassassin-esp
> 
Hi,
the spamassassin-esp plugin has been committed to trunk and I will keep it in sync
with my Github repo.

> Is there an ongoing list of compromised mailchimp domains available to
> be used with this? That info is not included with the man page for
> this plugin.
> 
for the moment you should use your own data, Rob replied more extensively 
to this question.

 Giovanni




Re: Happy Thanksgiving and Announcing the Apache SpamAssassin Channel for the KAM Rule Set

2020-11-26 Thread Giovanni Bechis
On 11/26/20 5:22 PM, Kevin A. McGrail wrote:
[...]
> The KAM rule set is authored by Kevin A. McGrail with contributions from Joe 
> Quinn, Karsten Bräckelmann, Bill Cole, and Giovanni Bechis. It is maintained 
> by The McGrail Foundation.
> 
> The KAM channel is made possible with the support of hosting from Linode and 
> help from PCCC & cPanel. More information about our sponsors can be found at 
> our Sponsor's Page <https://mcgrail.com/template/sponsors> at 
> https://mcgrail.com/template/sponsors
> 
> To enable the KAM rule set via an sa-update channel see the channel page 
> <https://mcgrail.com/template/kam.cf_channel> at 
> https://mcgrail.com/template/kam.cf_channel
> 
if you are using RH based Linux distros, just put the attached configuration 
file under /etc/mail/spamassassin/channels.d/

 Giovanni

CHANNELURL=kam.sa-channels.mcgrail.com
KEYID=24C063D8
# Ignore everything below.
return 0



Re: What can one do abut outlook.com?

2020-10-26 Thread Giovanni Bechis
On 26 October 2020 20:09:52 CET, Benny Pedersen wrote:
>Giovanni Bechis wrote on 2020-10-26 09:05:
>
>>> amavisd have penpal, if that is possible to track with TxRep ?
>> maybe something is doable by reading _TXREPEMAILCOUNT_ tag.
>
>with 3.4.4 it does not work, so is it trunk ?

TxRep tags are broken on 3.4.4, they have been fixed in trunk and 3.4 tree 
(available when 3.4.5 will be released).
   Giovanni


Re: What can one do abut outlook.com?

2020-10-26 Thread Giovanni Bechis
On 10/25/20 7:12 PM, Benny Pedersen wrote:
> Bob Proulx wrote on 2020-10-25 19:08:
> 
>>> I also have a tool for weeding undesirables from the correspondent list
>>> because spamming addresses can creep onto the list, but its very
>>> infrequently needed.
>>
>> It is a clever idea!  I might add something similar to my own setup. :-)
> 
> amavisd have penpal, if that is possible to track with TxRep ?
> 
maybe something is doable by reading _TXREPEMAILCOUNT_ tag.

 Giovanni


Re: TXREP: positive score on malware emails

2020-10-23 Thread Giovanni Bechis
On 10/23/20 3:30 PM, Alessio Cecchi wrote:
> Hi,
> 
> I have enabled txrep on a test spamassassin setup, but on some emails with 
> malware file attached, txrep assign a positive score:
> 
> # zcat spam.eml.gz | spamc -s 2097152 -R
> 
> [...]
> 
> Content analysis details:   (52.6 points, 5.0 required)
> 
[...]
> The sender was domain name "dal corte DOT org" that is sending malware to 
> many different domains hosted by us.
> 
> Is my setup of txrep bad or is "normal"?
> Thanks
> 
txrep adds a positive/negative score based on the reputation of the sender; if
this sender normally sends ham email it is normal that a negative score will be
applied.
If spam from this sender keeps coming, the score will change from a negative to a
positive value.
You can tweak txrep_learn_penalty and txrep_learn_bonus if you want to speed up
the process.

 Regards
  Giovanni



Re: Template variable to get the score of a single check.

2020-10-23 Thread Giovanni Bechis
On 10/23/20 2:44 PM, RW wrote:
> On Fri, 23 Oct 2020 12:49:10 +0200 (CEST)
> Matthias Rieber wrote:
> 
> 
>> is it possible to get, for instance txrep, the score of single test
>> to write it in a header like this:
>>
>> X-Spam-Reputation: _TXREP_SCORE_
>>
>> The man page lists the following variables:
>>
>>> _TXREP_XXX_Y_  TXREP modifier
>>> _TXREP_XXX_Y_MEAN_ Mean score on which TXREP modification is
>>> based _TXREP_XXX_Y_COUNT_Number of messages on which TXREP
>>> modification is based _TXREP_XXX_Y_PRESCORE_ Score before TXREP
>>> _TXREP_XXX_Y_UNKNOW_   New sender (not found in the TXREP list)  
>>
>> I guess none of them is the final TXREP score. Maybe there's some
>> generic template variable to access this values?
> 
> Why would you want that? The score isn't a reputation, it's an
> adjustment that has no meaning outside of the score arithmetic. For any
> given reputation the TxRep score can be positive or negative, high or
> low. 
> 
> _TXREP_XXX_Y_MEAN_ represents the reputation.
> 
note that this tag will work only on 3.4.5+ (where it has been renamed to 
_TXREPXXXYMEAN_), see bz #7749.

 Giovanni


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Giovanni Bechis
On Tue, Aug 25, 2020 at 08:29:55PM +0200, Benny Pedersen wrote:
> Rob McEwen wrote on 2020-08-25 19:20:
> 
> > PRO TIP: Instead of complaining about this problem on this thread -
> > why not go to the discussion list or forum of your preferred MTA - and
> > ask them to implement it?
> 
> maybe make clamav sigs ?
> 
> is mimedefang working still ?, special plugins needed ?, i just use 
> fuglu
MIMEDefang is still alive at a new home:
https://github.com/The-McGrail-Foundation/MIMEDefang
I think it should not be complicated to implement it.
  Giovanni 


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-23 Thread Giovanni Bechis
On 8/21/20 9:28 PM, Rob McEwen wrote:
> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for 
> Sendgrid-spams!
> 
> ...a collection of a new TYPE of DNSBL, with the FIRST of these having a 
> focus on Sendgrid-sent spams. AND - there is a FREE version of this - that 
> can be used NOW! (/well... might need a SpamAssassin rule or two! Your help 
> appreciated!)/:
> 
SpamAssassin plugin available at:
https://github.com/bigio/spamassassin-esp/archive/esp-v0.1.tar.gz

We will work on improving this new type of DNSBL with more data and more 
features, stay tuned.

 Giovanni

> INFO AND INSTRUCTIONS HERE:
> 
> https://www.invaluement.com/serviceproviderdnsbl/
> 
> This provides a way to surgically block Sendgrid's WORST spammers, yet 
> without the massive collateral damage that would happen if blocking Sendgrid 
> domains and IP addresses. But we're NOT stopping at the phishes and viruses - 
> and we're not finished! There will be some well-deserved economic pain, that 
> puts the recipients' best interests at heart. Therefore, flagrant "cold 
> email" spamming to recipients who don't even know the sender - is also being 
> targeted - first with the absolute worst - and then progressing to other 
> offenders as we make adjustments in the coming weeks.
> 
> -- Rob McEwen https://www.invaluement.com
> 



Re: base64 encoded sextorsion

2020-04-22 Thread Giovanni Bechis
On 4/22/20 5:43 PM, Henrik K wrote:
> 
> I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
> are, will look more in depth later..
> 
you have been faster, I have the same diff on my tree and I was going to commit 
it :-)

 Giovanni

> For example replace_tag A [\xf0][\x9d][\x97][\xae]
> 
> Now your example hits atleast these rules
> 
>  3.6 FUZZY_BITCOIN  BODY: Obfuscated "Bitcoin"
>  1.0 BITCOIN_EXTORT_02  Extortion spam, pay via BitCoin
> 
> Will take a day or two to end up in sa-update..
> 
> 
> On Wed, Apr 22, 2020 at 04:44:25PM +0200, Brent Clark wrote:
>> I want to add, I tried this as well, and it *did* match. But it feels
>> clunky.
>>
>> https://pastebin.com/raw/7FaqnByB
>>
>> Regards
>> Brent
>>
>> On 2020/04/22 16:14, Brent Clark wrote:
>>> Sorry in that example I copied body.
>>> I tried rawbody and body.
>>>
>>> Regards
>>> Brent
>>>
>>> On 2020/04/22 16:11, Brent Clark wrote:
 Good day Guys

 I would like to ask if someone could help write a rule for the following
 base64 encoded sextorsion.

 https://pastebin.com/raw/MWYmfkuh

 I tried using rawbody. But it was proving to not work and be the right
 solution. Below is it me testing.

 i.e.
 body BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/
 describe BASESEX Base64 Sextorsion
 score    BASESEX 2.0

 If anyone could assist, it would be appreciated.

 Kind regards
 Brent Clark



Re: Spam Mail

2020-03-24 Thread Giovanni Bechis
On Tue, Mar 24, 2020 at 12:01:46PM +0530, KADAM, SIDDHESH wrote:
> Team,
> 
> Anyway of blocking attached spam mail of Corona.
> 
it's hitting more than 9 points for me with updated rules.
Most relevant hits are:
 1.0 FORGED_SPF_HELO        No description available.
 0.5 KAM_NUMSUBJECT         Subject ends in numbers excluding current years
 0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 0.2 KAM_DMARC_NONE         DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
 1.3 BITCOIN_SPAM_01        BitCoin spam pattern 01
 1.3 BITCOIN_EXTORT_01      Extortion spam, pay via BitCoin
 0.5 PDS_BTC_ID             FP reduced Bitcoin ID
 2.5 BITCOIN_SPAM_05        BitCoin spam pattern 05

Do you have updated rules ?
Are you using KAM.cf rules as well ?
Which rules does this message hit for you ?

 Giovanni



Re: Some new SQL activity with 3.4.3?

2019-12-15 Thread Giovanni Bechis
On 15 December 2019 13:27:03 CET, Jari Fredriksson wrote:
>
>On 15.12.2019 7.54, Bill Cole wrote:
>> On 15 Dec 2019, at 0:08, Jari Fredriksson wrote:
>>
>>> I suddenly find stuff like this in mail.log. What is this? Where can
>
>>> I get the schema?
>>>
>>> Dec 15 07:03:04 gauntlet spamd[19176]: auto-whitelist: sql-based 
>>> get_addr_entry 
>>> 5c2a750a32f249155ecf3ade17358fa1a98b2db7@sa_generated|1576386183:
>SQL 
>>> error: Unknown column 'msgcount' in 'field list'[wtc...]
>>
>> Read the UPGRADE file. It includes steps required for anyone using 
>> SQL-based AWL or TxRep.
>>
>Hmm. Need to somehow find that file. I upgraded using CPAN so I do not 
>have the files. Maybe they are somewhere in /root/.cpan on some box...
>
>br. jarif

you can find it here:
https://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_release_3_4_3/UPGRADE
  Giovanni


Re: Bitcoin ransom mail

2019-12-13 Thread Giovanni Bechis
On 12/13/19 3:21 PM, Dean Carpenter wrote:
> On 2019-12-11 1:58 pm, Giovanni Bechis wrote:
>> On 12/11/19 3:17 PM, Bill Cole wrote:
>>> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
>>>
>>>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
>>>>> Hi PFA...
>>>>>
>>>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>>>>>> On 12/10/19 7:49 PM, Michael Storz wrote:
>>>>>> [...]
>>>>>>> My copy hit
>>>>>>>
>>>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>>>>>>>
>>>>>>> not enough to mark it as spammy.
>>>>>
>>>> FuzzyOcr + Bayes is killing this kind of email for me:
>>>
>>> FuzzyOcr is unmaintained and doesn't even have an authoritative repository 
>>> as far as I can tell. It is computationally very expensive, to the degree 
>>> that it isn't safe to just add it to an existing mail system which does not 
>>> have a lot of idle CPU and memory capacity.
>>>
>> it's true that it's unmaintained but I have it running on Perl 5.28
>> with some patches and it's still useful every now and then (if you
>> have some spare cpu cycles and you know what you are doing).
>> A new OCR plugin could definitely be a better choice.
>>   Giovanni
> 
> fuzzyocr is available from the standard repos for Ubuntu 18.04.  It's
> v3.6.0-10, with a homepage listed as
> 
> https://web.archive.org/web/20130117050640/http://fuzzyocr.own-hero.net/
> 
> Interestingly I just got one of those bitcoin spams, but fuzzyocr didn't pick 
> up on it.  This is the spam report for it :
> 
If I remember well, by default FuzzyOcr skips images with a resolution higher 
than 800x800; the spam I received had a bigger image.
 Giovanni



Re: Bitcoin ransom mail

2019-12-11 Thread Giovanni Bechis
On 12/11/19 8:00 PM, Mauricio Tavares wrote:
> On Wed, Dec 11, 2019 at 1:58 PM Giovanni Bechis  wrote:
>>
>> On 12/11/19 3:17 PM, Bill Cole wrote:
>>> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
>>>
>>>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
>>>>> Hi PFA...
>>>>>
>>>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>>>>>> On 12/10/19 7:49 PM, Michael Storz wrote:
>>>>>> [...]
>>>>>>> My copy hit
>>>>>>>
>>>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>>>>>>>
>>>>>>> not enough to mark it as spammy.
>>>>>
>>>> FuzzyOcr + Bayes is killing this kind of email for me:
>>>
>>> FuzzyOcr is unmaintained and doesn't even have an authoritative repository 
>>> as far as I can tell. It is computationally very expensive, to the degree 
>>> that it isn't safe to just add it to an existing mail system which does not 
>>> have a lot of idle CPU and memory capacity.
>>>
>> it's true that it's unmaintained but I have it running on Perl 5.28 with 
>> some patches and it's still useful every now and then (if you have some 
>> spare cpu cycles and you know what you are doing).
>> A new OCR plugin could definitely be a better choice.
>>   Giovanni
> 
> I asked the project owner if I could put fuzzyocr on github. He said
> go for it, so it is now at https://github.com/raubvogel/FuzzyOcr.
> 
Cool,
you can grab my patches (if they are needed) here:
http://cvsweb.openbsd.org/ports/mail/p5-FuzzyOcr/patches/

 Giovanni


Re: Bitcoin ransom mail

2019-12-11 Thread Giovanni Bechis
On 12/11/19 3:17 PM, Bill Cole wrote:
> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote:
> 
>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
>>> Hi PFA...
>>>
>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>>>> On 12/10/19 7:49 PM, Michael Storz wrote:
>>>> [...]
>>>>> My copy hit
>>>>>
>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>>>>>
>>>>> not enough to mark it as spammy.
>>>
>> FuzzyOcr + Bayes is killing this kind of email for me:
> 
> FuzzyOcr is unmaintained and doesn't even have an authoritative repository as 
> far as I can tell. It is computationally very expensive, to the degree that 
> it isn't safe to just add it to an existing mail system which does not have a 
> lot of idle CPU and memory capacity.
> 
It's true that it's unmaintained, but I have it running on Perl 5.28 with some 
patches and it's still useful every now and then (if you have some spare CPU 
cycles and you know what you are doing).
A new OCR plugin could definitely be a better choice.
  Giovanni


Re: Bitcoin ransom mail

2019-12-10 Thread Giovanni Bechis
On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote:
> Hi PFA...
> 
> On 12/11/2019 12:36 AM, Giovanni Bechis wrote:
>> On 12/10/19 7:49 PM, Michael Storz wrote:
>> [...]
>>> My copy hit
>>>
>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
>>>
>>> not enough to mark it as spammy.
>
FuzzyOcr + Bayes is killing this kind of email for me:

 5.0 FUZZY_OCR  BODY: Mail contains an image with common spam text
inside
[Words found:]
["cialis" in 2 lines]
[(2 word occurrences found)]

   Giovanni



Re: Bitcoin ransom mail

2019-12-10 Thread Giovanni Bechis
On 12/10/19 7:49 PM, Michael Storz wrote:
[...]
> My copy hit
> 
> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79
> 
> not enough to mark it as spammy.
> 
>
could you share a spample (as a pastebin uri or in private) ?

 Giovanni


Re: Spamassassin reporting

2019-12-04 Thread Giovanni Bechis
On 12/4/19 5:22 PM, Dave Goodrich wrote:
> Good morning,
> 
> Many years ago, in previous jobs, I used several scripts to report spam 
> statistics daily. Some I wrote, some I downloaded. I need to create some 
> reporting on our current zimbra/postfix/spamassassin server. The supplied 
> stats are pretty for managers if you have Flash, but not useful.
> 
> Can anyone recommend a ready to run OSS script, or set of scripts, for basic 
> maillog stats concerning Spam? Just thought I would ask before I wrote 
> something. Internet searching is not turning up anything for me.
> 
It's not a "ready to run" set of scripts, but I am using ELK to analyze maillog 
stats; it will take a bit to set up the whole stack, but it's very good software 
and you can extract all kinds of info with it.

 Giovanni


Re: False positives due to __BITCOIN_ID

2019-12-04 Thread Giovanni Bechis
On Wed, Dec 04, 2019 at 08:59:42AM +0100, Benny Pedersen wrote:
> On 2019-12-03 20:15, RW wrote:
> > On Tue, 3 Dec 2019 14:05:10 -0500
> > Mark London wrote:
> > 
> >> It seems to me that the rule for detecting a BITCOIN in an email, is
> >> incorrect.   See below:
> >> 
> >> body __BITCOIN_ID /\b(? >> 
> >> Why is there a \s in this rule?I didn't think that a BITCOIN id
> >> has a space.
> > 
> > It doesn't, but spammers have started splitting them up to evade
> > detections.
> 
> if clients begin to pay to splitted btc it works :=)
> 
> i noted every btc spam have uniq btc address, so maybe its not mean for 
> payment but only hidded tracking
Unfortunately it is meant for payment, here is a spample:
https://pastebin.com/uBzPeXcX

 Giovanni



Re: Hint to write a [raw]body rule

2019-10-16 Thread Giovanni Bechis
On 10/16/19 4:11 PM, Bill Cole wrote:
> On 16 Oct 2019, at 8:44, Giovanni Bechis wrote:
> 
>> I have a lot of emails like this one (redacted):
>> https://pastebin.com/v5NCRK9d
>> and I would like to write a rule that matches the "=0D" that appears on some 
>> lines,
> 
> Are you sure?
> 
> That's a QP-encoded carriage return. I would expect a lot of them in both 
> spam and ham.
> 
it is a part of a meta-experiment

>> any hints ?
> 
> You could try matching it as '\r' in a rawbody rule, but I'm not sure that 
> would work. If it does, you probably want '\r[^\n]' to exclude CRLFs, but you 
> should test that carefully
> 
> What should work better is to use a 'full' rule and look for the undecoded 
> '=D0', probably with '=0D(?!=0A)' or even '=0D(?!(=0A|=?$)'
> 
> e.g.:
> 
> full QP_BARE_CR /=0D(?!(=0A|=?$))/m
> 
> CAVEAT: not well tested...
> 
Seems to work, more tests later.
thanks
 Giovanni
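To see what Bill's proposed full rule actually matches, here is an added example (not code from the thread) that evaluates the pattern `=0D(?!(=0A|=?$))` over a constructed quoted-printable body. Python's `re` shares this pattern's semantics with Perl, and the `/m` modifier maps to `re.M`; the sample lines, the helper names `bare_cr_lines` and `decoded_has_bare_cr`, and the per-line comments are all mine.

```python
import re
import quopri

# Bill Cole's proposal, written as a 'full' rule (matches the undecoded message):
#   full QP_BARE_CR /=0D(?!(=0A|=?$))/m
# The negative lookahead excludes an encoded CRLF (=0D=0A), an =0D at the end of a
# line, and an =0D right before a QP soft line break ("=" at end of line).
QP_BARE_CR = re.compile(r"=0D(?!(=0A|=?$))", re.M)

# Constructed QP body (not the redacted pastebin sample), one case per line.
SAMPLE_FULL = "\n".join([
    "Content-Transfer-Encoding: quoted-printable",
    "",
    "Dear customer,=0D=0A",        # encoded CRLF        -> excluded by (=0A)
    "Your account=0D is locked",    # CR mid-line         -> hit
    "Please login here=0D",         # =0D at end of line  -> excluded by (=?$)
    "=0D=",                         # =0D then soft break -> excluded by (=?$)
    "Thank you=0D=0A",
])


def bare_cr_lines(full_text):
    """Return the 1-based line numbers of the undecoded text where QP_BARE_CR hits."""
    return [full_text.count("\n", 0, m.start()) + 1
            for m in QP_BARE_CR.finditer(full_text)]


def decoded_has_bare_cr(qp_line):
    """Bill's other idea, checked on decoded bytes: after QP decoding, is there a
    CR that is not followed by LF (the '\\r[^\\n]' shape a rawbody rule would need)?"""
    decoded = quopri.decodestring(qp_line.encode("ascii"))
    return re.search(rb"\r(?!\n)", decoded) is not None


if __name__ == "__main__":
    print("full-rule hits on lines:", bare_cr_lines(SAMPLE_FULL))
    for line in SAMPLE_FULL.splitlines()[2:]:
        print(repr(line), "-> decoded bare CR:", decoded_has_bare_cr(line))
```

Only the mid-line `=0D` on line 4 survives the lookahead; the two encoded CRLFs, the end-of-line `=0D` and the `=0D` before a soft break are all excluded, which is the behaviour Bill's caveat asks you to test before trusting the rule.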



Hint to write a [raw]body rule

2019-10-16 Thread Giovanni Bechis
I have a lot of emails like this one (redacted):
https://pastebin.com/v5NCRK9d
and I would like to write a rule that matches the "=0D" that appears on some 
lines, any hints ?
 
 Giovanni 


Re: List of available query templates?

2019-10-04 Thread Giovanni Bechis
On 10/4/19 3:01 PM, Bill Cole wrote:
> On 4 Oct 2019, at 3:36, Tobi wrote:
> 
>> Hi list
>>
>> is there any doc where one can find a list of supported DNS query
>> templates?
> 
> What does that even mean???
> 
> SpamAssassin does many different sorts of DNS query. I am unaware of any 
> "template" construct in SA used for its many possible DNS queries.
> 
> 
I think the user is referring to rules such as:
askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/

In Mail::SpamAssassin::Conf you have docs about what _AUTHORDOMAIN_ and other 
tags mean.

 Giovanni
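As an added example (not SpamAssassin's own code), here is a small offline evaluator for the askdns rule form Giovanni quotes: it parses `askdns RULE_NAME query_template [rr_type [/regex/]]`, expands the `_AUTHORDOMAIN_` tag from per-message values, and matches the DNS answer against the subtest. The space between the rule name `__FROM_FMBLA_NEWDOM` and the template is assumed from the askdns syntax; the fake zone, the resolver stand-in and the domain names are constructed, and the real plugin resolves the query asynchronously at scan time.

```python
import re

# The rule quoted above; the space between rule name and template is assumed.
RULE_LINE = r"askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/"

# _TAG_ placeholders inside the query template (e.g. _AUTHORDOMAIN_).
TAG_RE = re.compile(r"_([A-Z][A-Z0-9]*)_")


def parse_askdns(line):
    """Split one askdns rule line into name, template, rr_type and compiled subtest."""
    parts = line.split(None, 4)
    if len(parts) < 3 or parts[0] != "askdns":
        raise ValueError("not an askdns rule: %r" % line)
    rule = {"name": parts[1], "template": parts[2], "rr_type": "A", "subtest": None}
    if len(parts) > 3:
        rule["rr_type"] = parts[3]
    if len(parts) > 4:
        body = parts[4].strip()
        if not (body.startswith("/") and body.endswith("/")):
            raise ValueError("subtest must be /regex/: %r" % body)
        rule["subtest"] = re.compile(body[1:-1])
    return rule


def expand_template(template, tags):
    """Substitute _TAG_ placeholders with values taken from the message.
    Assumption: when a needed tag is missing the query is skipped (returns None)."""
    missing = []

    def repl(m):
        value = tags.get(m.group(1))
        if value is None:
            missing.append(m.group(1))
            return ""
        return value

    qname = TAG_RE.sub(repl, template)
    return None if missing else qname


def evaluate(rule, tags, resolver):
    """True when an answer satisfies the subtest (or, without subtest, when any answer exists)."""
    qname = expand_template(rule["template"], tags)
    if qname is None:
        return False
    answers = resolver(qname, rule["rr_type"])
    if rule["subtest"] is None:
        return bool(answers)
    return any(rule["subtest"].search(a) for a in answers)


# Constructed stand-in for DNS: one freshly registered domain listed with the
# 127.2.0.2 answer the rule expects, one listed with a different return code.
FAKE_ZONE = {
    ("fresh-example.test.fresh.fmb.la.", "A"): ["127.2.0.2"],
    ("other-code-example.test.fresh.fmb.la.", "A"): ["127.2.0.3"],
}


def fake_resolver(qname, rr_type):
    return FAKE_ZONE.get((qname, rr_type), [])


def check_author_domain(author_domain):
    """Run the rule for one From: domain against the constructed zone."""
    rule = parse_askdns(RULE_LINE)
    return evaluate(rule, {"AUTHORDOMAIN": author_domain}, fake_resolver)


if __name__ == "__main__":
    for domain in ("fresh-example.test", "other-code-example.test", "established.test"):
        print(domain, "->", check_author_domain(domain))
```

The subtest is what makes the rule precise: a listing with any other return code, or no listing at all, leaves `__FROM_FMBLA_NEWDOM` unset, so a meta rule built on it only fires for the exact 127.2.0.2 answer.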


Re: possible FORGED_GMAIL_RCVD false positive

2019-09-19 Thread Giovanni Bechis
On Wed, Sep 18, 2019 at 08:40:55PM +0100, RW wrote:
> On Wed, 18 Sep 2019 12:29:43 +0200
> Matus UHLAR - fantomas wrote:
> 
> > Hello,
> > 
> > I have received following spam:
> > 
> > https://pastebin.com/SkvkVWik
> > 
> > This hits FORGED_GMAIL_RCVD although the message came from google mail
> > servers.
> > 
> > According to HeaderEval.pm, message apparently misses
> > X-Google-Smtp-Source header
> > 
> > is there any reason to expect that header in mail from gmail?
> 
> It seems to always be there. The posts on the list have it, and I sent
> some test messages from webmail and the Android app.
Both headers should be there; anyway the FP has been fixed in r1867159.
 Giovanni



Re: How to block mails from unknown ip addresses?

2019-08-26 Thread Giovanni Bechis
On 8/26/19 9:01 AM, Dominic Raferd wrote:
> 
> 
> On Sun, 25 Aug 2019 at 20:16, tba...@txbweb.de wrote:
> 
> On 2019-08-25 20:54, Matus UHLAR - fantomas wrote:
> 
> > I don't think you should download geoip postgres modules when what you
> > really need is apparently more recent database.
> >
> > Debian SA package suggests installing libgeo-ip-perl which further
> > recommends geoip-database.
> >
> > buster contains version 20181108-1, while buster-backports contains
> > version
> > 20190724-1~bpo10+1
> > Your problem could apparently be solves installing backported
> > geoip-database
> > version.
> 
> I tried this already (described in e-Mail at 4:53 pm), but the ip
> address 45.141.151.5 wasn't in the backport geoip-database.
> 
> >> Maybe I have tomatoes on my eyes. I can't find the right debian
> >> package with the DB_File-Module. Do you or someone else know which
> >> package does contain the module? I don't use the cpan shell for
> >> installing modules.
> >
> > it's very good that you don't use these. They can make mess on debian
> > system. Onlly install debian packages unless you really need and can
> > take
> > care of manually installed packages.
> 
> Yes, as you can see I got a warning and I installed the
> liblocale-codes-perl package.
> 
> # ./pgeoiplookup.pl  -f /opt/ipcc/ipcc.db 
> 45.141.151.5
> Locale::Country will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at ./pgeoiplookup.pl , 
> line 35.
> Locale::Codes will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at /usr/share/perl/5.28/Locale/Country.pm,
> line 22.
> GeoIP version 1566699945: TR, Turkey
> 
> 
> This has worked for me on Debian derivatives (Ubuntu...) to install GeoIP2 
> with the much faster XS implementation:
> 
> cpan App::cpanminus &&\
> add-apt-repository -y ppa:maxmind/ppa &&\
> apt install libmaxminddb0 libmaxminddb-dev mmdb-bin &&\
> cpanm Math::Int128 &&\
> cpanm Net::Works::Network &&\
> cpanm MaxMind::DB::Reader::XS &&\
> cpanm GeoIP2::Database::Reader
> 
Updated geo databases are DB_File and GeoIP2 (fast does not support IPv6 and 
geoip is outdated).
For DB_File you can/should update whenever you want but you do not have city 
info; for GeoIP2 you have more info but you should wait for Maxmind to update 
the database.

 Giovanni


Re: How to block mails from unknown ip addresses?

2019-08-25 Thread Giovanni Bechis
On Sun, Aug 25, 2019 at 04:53:36PM +0200, tba...@txbweb.de wrote:
> On 2019-08-25 10:18, Giovanni Bechis wrote:
> > GeoIP 1.x is no longer updated; with 3.4.2+ you can use country_db_type
> > DB_File and it would have matched that IP.
> > 
> > -
> > $ pgeoiplookup 45.141.151.5
> > GeoIP version 1566720869: TR, Turkey
> > -
> 
> Hello, I can't find pgeoiplookup in the repository. I'm using Debian 
> Buster (10.0), but the geoip database in this release is from 
> 2018-11-08. So I actived backports to get a newer version from testing 
> (https://tracker.debian.org/pkg/geoip-database).
> 
sorry, it's a tool I wrote to check ip addresses using ipcc.db databases.
https://github.com/bigio/pgeoiplookup

> # aptitude -t buster-backports install geoip-database
> 
> Get: 1 http://deb.debian.org/debian buster-backports/main amd64 
> geoip-database all 20190724-1~bpo10+1
> 
GeoIP databases are no longer updated by Maxmind; you should use a different
country_db_type in the RelayCountry plugin (db_file or geoip2) to detect new IP 
addresses.
 
 Giovanni


Re: How to block mails from unknown ip addresses?

2019-08-25 Thread Giovanni Bechis
On Sat, Aug 24, 2019 at 08:27:03PM +0200, tba...@txbweb.de wrote:
> Hello,
> 
> I would like to block mails from IP addresses that can't be found. There 
> is a tricky spam series getting a low score. Currently I can block the 
> mails just by scoring the TLD.
> 
> I use the RelayCountry Plugin, but it doesn't work if the IP address is 
> not available.
> 
> header   RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country codes)/
> describe RELAYCOUNTRY_BAD Relayed through spam country at some point
> score    RELAYCOUNTRY_BAD 3.5
> 
> 
> Here some infos of an header examples
> 
> X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31 
> tests=[AM.WBL=7,
>  BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, 
> DKIM_VALID_AU=-0.1,
>  DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
>  FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392,
>  RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
>  T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
> 
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; 
> d=strapdebut.pro;
>   h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type; 
> i=nonse...@strapdebut.pro;
>   bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=;
>   
> b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c
> 
> 3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2
> HOR8Zr3N45GuMa5iHdc=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; 
> d=strapdebut.pro;
>   
> b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4
> 
> O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1
> SmcUvgGYccNp65I07nQ=;
>  From: " Carol Yates" 
> Date: Sat, 24 Aug 2019 12:48:11 -0500
> MIME-Version: 1.0
> Subject: ACs are going to be extinct after this discovery
> 
> 
> 
> Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM 
> {RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5] 
>  -> , quarantine: 
> N/spam-NHIkGYse9Osv.gz, Message-ID: 
> ,
>  
> mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms
> 
> 
> # geoiplookup 45.141.151.5
> GeoIP Country Edition: IP Address not found
> GeoIP City Edition, Rev 1: IP Address not found
> GeoIP ASNum Edition: IP Address not found
> 
GeoIP 1.x is no longer updated; with 3.4.2+ you can use country_db_type DB_File 
and it would have matched that IP.

-
$ pgeoiplookup 45.141.151.5
GeoIP version 1566720869: TR, Turkey
-

 Giovanni



Re: PDS_NO_HELO_DNS is not helpful at all.

2019-07-10 Thread Giovanni Bechis
On 7/10/19 5:54 PM, Mark London wrote:
> I'm sorry for not using bugzilla, but the new rule for PDS_NO_HELO_DNS is 
> mostly hittng real emails at my site 1168 real emails versus 219 spam mls.   
> Luckily, the score is not high, to be making any difference.   FWIW. - Mark
> 
ruleqa has the same opinion:
https://ruleqa.spamassassin.org/?daterev=20190709-r1862790-n=PDS_NO_HELO_DNS==Change
 Giovanni


Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Giovanni Bechis
On 7/3/19 7:11 PM, Riccardo Alfieri wrote:
> On 03/07/19 17:59, atat wrote:
> 
>> You say in documentation:
>>
>>  You should also drop, by default, all Office documents with macros.
>>
>> What plugin / method do You reccomend for that ?
> 
> I'm no expert in detecting macros, but there at least two ways of doing that 
> that comes to mind:
> 
> - Clamav with the option OLE2BlockMacros
> 
> - This package https://github.com/bigio/spamassassin-vba-macro
>
This has been superseded by
https://svn.apache.org/repos/asf/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEMacro.pm
The plugin is for trunk, but it works out of the box in 3.4.3rc3 as well (some 
work is needed to let it work on 3.4.2).
 
  Giovanni



Re: Rules for invisible div and 0pt font?

2019-06-18 Thread Giovanni Bechis
On 6/17/19 9:14 PM, Amir Caspi wrote:
> Hi all,
> 
> In reviewing today's FNs I came across the following spample:
> https://pastebin.com/9QQVwUY6
> 
> There is a div here with display:none, as well as font-size:0px.  The spample 
> hits HTML_FONT_LOW_CONTRAST but does not appear to hit any rule relating to a 
> hidden div or tiny font.
> 
> Does LOW_CONTRAST include font-size too small, or just color too light?  Is 
> there a rule for matching display:none?
> 
> If not, may I propose that the following rules be sandboxed?
> 
> rawbody   AC_HIDDEN_ELEMENT   /display\s*:\s*none\s*;/
> 
> rawbody   AC_HIDDEN_FONT  /font-size\s*:\s*0\s*(?:em|pt|px|%)\s*;/
> 
> The font one above could be modified for [0-3] or similar, if we want to 
> catch tiny versus literally hidden fonts.
> 
> Cheers.
> 
> --- Amir
> 
There is T_HIDDEN_WORD on my sandbox 
(https://ruleqa.spamassassin.org/20190617-r1861495-n/T_HIDDEN_WORD/detail).
I have just committed a more generic version.
 Giovanni
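To make the trade-off in Amir's two proposed rawbody rules concrete, here is an added example (not code from the thread or from the SpamAssassin sandbox) that runs his patterns over a constructed HTML snippet next to two variants of my own: one that accepts a closing quote in place of the trailing `;`, and his "tiny font" idea restricted to absolute units. The HTML, the variant names prefixed `X_` and the counts are constructed for illustration.

```python
import re

RULES = {
    # Amir's proposals, as posted
    "AC_HIDDEN_ELEMENT": re.compile(r"display\s*:\s*none\s*;"),
    "AC_HIDDEN_FONT": re.compile(r"font-size\s*:\s*0\s*(?:em|pt|px|%)\s*;"),
    # Variants added here (hypothetical names): a style attribute often ends
    # without ';', so also accept a closing quote; and the [0-3] "tiny" idea is
    # limited to pt/px, because 2em is twice the parent size, not tiny.
    "X_HIDDEN_ELEMENT_LOOSE": re.compile(r"display\s*:\s*none\s*(?:;|[\"'])"),
    "X_TINY_FONT": re.compile(r"font-size\s*:\s*[0-3]\s*(?:pt|px)\s*;"),
}

# Constructed HTML body: hidden, tiny, large and visible text, one case per line.
SAMPLE_HTML = """<html><body>
<div style="display:none;">free shipping on pills</div>
<div style="display : none ;">more hidden text</div>
<span style="font-size:0px;">hidden words</span>
<p style="font-size: 2pt;">barely visible text</p>
<p style="font-size:2em;">large visible text</p>
<div style="display:none">no trailing semicolon</div>
<p>Visible text</p>
</body></html>"""


def rule_hits(html):
    """Count how often each pattern matches the raw HTML (a rawbody rule is
    evaluated per text chunk in SpamAssassin; here the whole body is one chunk)."""
    return {name: len(rx.findall(html)) for name, rx in RULES.items()}


if __name__ == "__main__":
    for name, count in rule_hits(SAMPLE_HTML).items():
        print("%-24s %d" % (name, count))
```

The original `AC_HIDDEN_ELEMENT` misses the `display:none` without a semicolon, and `AC_HIDDEN_FONT` misses the 2pt text, which is the gap Amir's `[0-3]` remark is about; the em case shows why that widening should not simply copy the unit list of the 0-size rule.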


Re: bad arg length for Socket::unpack_sockaddr_in

2019-05-22 Thread Giovanni Bechis
On 5/22/19 7:37 AM, @lbutlr wrote:
> With spamassassin-3.4.2_3 and spamass-milter-0.4.0_3 and perl5-5.28.2 running 
> on FreeBSD 11.2 I am getting the following in the mail.log when postfix tries 
> to feed a mail to spamass-milter. At least I think that's when it is.
> 
> May 21 23:20:56 mail spamd[22787]: spamd: error: Bad arg length for 
> Socket::unpack_sockaddr_in, length is 28, should be 16 at 
> /usr/local/lib/perl5/5.28/mach/Socket.pm line 848.
> May 21 23:20:56 mail spamd[22787]:  , continuing at /usr/local/bin/spamd line 
> 1419.
> 
There should be a message like
"spamd: connection from %s [%s]:%s to port %d, fd %d" in your log files at that 
time, could you post the relevant info ?

 Thanks
   Giovanni


Re: Check equal headers

2019-05-21 Thread Giovanni Bechis
On 5/21/19 3:48 AM, Jari Fredriksson wrote:
> 
> 
>> Giovanni Bechis  kirjoitti 20.5.2019 kello 17.00:
>>
>> Hi,
>> in a rule I would like to check if "From:" != "Reply-To:", is this possible 
>> without writing any code or should I add a new function in HeaderEval ?
>> Thanks & Cheers
>>  Giovanni
>>
> 
> Hello!
> 
> I have this in my /etc/spamassassin/local-rules.cf
> 
[...]
> header __FROM_V_REPLY   eval:check_for_from_v_replyto_dom()
>
warn: rules: error: unknown eval 'check_for_from_v_replyto_dom' for 
__FROM_V_REPLY
Do you have some custom code maybe ?
Anyway I wrote what I have in mind in a different way, thanks.
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/gbechis/20_freemail.cf?view=diff=1859609=1859610=1859610

 Thanks & Cheers
  Giovanni


Check equal headers

2019-05-20 Thread Giovanni Bechis
Hi,
in a rule I would like to check if "From:" != "Reply-To:", is this possible 
without writing any code or should I add a new function in HeaderEval ?
 Thanks & Cheers
  Giovanni


Re: running a private SA-Mirror

2019-05-01 Thread Giovanni Bechis
On 1 May 2019 10:05:16 CEST, "A. Schulze" wrote:
>Hello,
>
>we've a number of SA instances that need rule updates. For now we
>configured them to use a proxy. Works...
>But there are also instances that can't us a proxy at all.
>
>My idea was to setup a private SA-Mirror (apache+rsync) but, I've to
>manage
>DNS-Data for mirrors.spamassassin-mirror.example and
>2.3.4.spamassassin-mirror.example.
>:-/
>
>Are there other methods to distribute current ruleset to SA-instances
>using sa-update?
>
>Andreas

Hi,
I would use sa-update on puppet master (or ansible, or whatever), then deploy 
rules without using sa-update at all on mail servers.
   Giovanni


EU-FOSSA 2 ASF Hackathon

2019-04-26 Thread Giovanni Bechis
Hi,
On 4-5 May 2019 at Silverquare Triomphe, Brussels, the EU-FOSSA project is 
organizing an ASF hackathon and I will represent the SpamAssassin project.

Join the ASF Hackathon hosted by EU-FOSSA 2 project!
Meet members of the Apache community and get your hands on @SpamAssassin, 
@TheApacheTomcat, @ApachePlc4x and more.
FREE to participate; PRE-REGISTRATION REQUIRED 
https://eufossahackathon.bemyapp.com/

Hope to see you in Brussels.
  Giovanni


Re: How add ITA channel to sa-update?

2019-03-26 Thread Giovanni Bechis
On 3/26/19 9:05 AM, Alessio Cecchi wrote:
> Hello,
> 
> I'm interesting into add the italian channel to spamassassin from 
> https://spamassassin.snb.it/, but what is the right way?
> 
> I download ITA.conf in /etc/spamassassin/channel.d/ and run sa-update but I 
> don't see any new files in /var/lib/spamassassin/3.004002/.
> 
you can use
sa-update --channel spamassassin.snb.it to update from the specific channel,
otherwise "/usr/share/spamassassin/sa-update.cron" (scheduled daily by default) 
will do that for you.
 Giovanni

> Thanks (to Giovanni for the channel :-) )
> 
> -- 
> Alessio Cecchi
> Postmaster @ http://www.qboxmail.it
> https://www.linkedin.com/in/alessice
> 



RE: Filtering at border routers: Is it possible?

2019-03-23 Thread Giovanni Bechis
On 23 March 2019 12:53:52 CET, Giovanni Bechis wrote:
>On 22 March 2019 21:31:40 CET, bruno.carva...@xervers.pt wrote:
>>Thank you all for your suggestions.
>>I will follow the path of using a whitelist and block everyone.
>>I can track the IPs, but I thought I could put in place something (like
>>OVH by example) do (If their system detects spam being sent, the port
>>on that ip is automatically blocked and the client alerted).
>>
>>Cheers
>>
>>
>>Bruno Carvalho (CEO xervers) | +41 79 884 00 44
>> Please consider the environment before printing this email
>>
>>
>>
>>
>>-Original Message-
>>From: Benny Pedersen
>>Sent: Friday, 22 March 2019 20:55
>>To: users@spamassassin.apache.org
>>Subject: Re: Filtering at border routers: Is it possible?
>>
>>Anthony Hoppe wrote on 2019-03-22 18:23:
>>> Not knowing the details of your environment...
>>> 
>>> Instead of taking on the job of filtering email for all of your 
>>> clients (this, to me, will open up a can of worms), why not set a 
>>> policy that port 25 is blocked by default and customers must request
>
>>> for it to be unblocked?
>>
>>don't relay mail from port 25, mails there are final recipient only, not
>>forwarded
>>
>>> You can then build a list of who may be using your services to send 
>>> mail and better track if/when undesirable mail is sent from your 
>>> network?
>>
>>ask customers to use port 587 or 465 as common practice
>>
>>but do require sasl auth on this ports, reject all else
>>
>>sadly I see MTAs try to use 587 and 465, I'd like to know which book they
>>read
>
>Hi,
>this is what OVH does (article in french, sorry):
>https://www.numerama.com/magazine/26297-ovh-copie-et-analyse-tous-les-e-mails-sortant-de-ses-serveurs.html
>  Giovanni

In short you should duplicate outbound SMTP traffic to a dedicated box that 
will analyze the traffic and drop all emails.
This can be done with amavisd and SA.
Then you should do some accounting and find the correct way to integrate this 
with your corporate firewalls to block offending IP addresses.
 Giovanni


RE: Filtering at border routers: Is it possible?

2019-03-23 Thread Giovanni Bechis
On 22 March 2019 21:31:40 CET, bruno.carva...@xervers.pt wrote:
>Thank you all for your suggestions.
>I will follow the path of using a whitelist and block everyone.
>I can track the IPs, but I thought I could put in place something (like
>OVH by example) do (If their system detects spam being sent, the port
>on that ip is automatically blocked and the client alerted).
>
>Cheers
>
>
>Bruno Carvalho (CEO xervers) | +41 79 884 00 44
> Please consider the environment before printing this email
>
>
>
>
>-Original Message-
>From: Benny Pedersen
>Sent: Friday, 22 March 2019 20:55
>To: users@spamassassin.apache.org
>Subject: Re: Filtering at border routers: Is it possible?
>
>Anthony Hoppe wrote on 2019-03-22 18:23:
>> Not knowing the details of your environment...
>> 
>> Instead of taking on the job of filtering email for all of your 
>> clients (this, to me, will open up a can of worms), why not set a 
>> policy that port 25 is blocked by default and customers must request 
>> for it to be unblocked?
>
>don't relay mail from port 25, mails there are final recipient only, not
>forwarded
>
>> You can then build a list of who may be using your services to send 
>> mail and better track if/when undesirable mail is sent from your 
>> network?
>
>ask customers to use port 587 or 465 as common practice
>
>but do require sasl auth on this ports, reject all else
>
>sadly I see MTAs try to use 587 and 465, I'd like to know which book they
>read

Hi,
this is what OVH does (article in french, sorry):
https://www.numerama.com/magazine/26297-ovh-copie-et-analyse-tous-les-e-mails-sortant-de-ses-serveurs.html
  Giovanni


Re: White text + white background

2019-03-21 Thread Giovanni Bechis
On 3/21/19 1:46 PM, Pedro David Marco wrote:
> 
> 
>>On Thursday, March 21, 2019, 1:16:31 PM GMT+1, Martin Gregorie 
>> wrote:
>>When I've seen white text used, it's been set via a  tag, i.e., 
>> .. text .. 
>>or
>> .. text .. 
>>
>>It's easy enough to match either in a body rule.
> 
> Thanks Martin,
> 
> the problem is that i want to detect white text ONLY when the background of 
> that text is white as well, because then the text is invisible...
> 
> 
Do you have a sample you can share ?
 Giovanni


Re: Having trouble getting Spamassassin to work on Ubuntu Server 18.10

2019-02-10 Thread Giovanni Bechis
On Sun, Feb 10, 2019 at 02:30:28AM -0500, Ken Wright wrote:
> I've been trying to set up an email server and I want to use
> Spamassassin to prevent it from becoming Spam Central.  I've installed
> SA and spamass-milter, but when I try to restart it after customizing
> the config files, I get this:
> 
> Job for spamassassin.service failed because the control process exited
> with error code.
> See "systemctl status spamassassin.service" and "journalctl -xe" for
> details.
> 
> So I checked journalctl and got this:
> 
> -- Unit spamassassin.service has begun starting up.
> Feb 08 02:19:31 grace spamd[6289]: logger: removing stderr method
> Feb 08 02:19:32 grace spamd[6314]: Timeout::_run: check: no loaded
> plugin implements 'check_main': cannot scan!
> Feb 08 02:19:32 grace spamd[6314]: Check that the necessary '.pre' files
> are in the config directory.
> Feb 08 02:19:32 grace spamd[6314]: At a minimum, v320.pre loads the
> Check plugin which is required.
what is the content of the "v320.pre" file ?
It seems you have disabled too many plugins.
 Giovanni




Re: auto-whitelist file corrupted

2019-01-20 Thread Giovanni Bechis
On 1/20/19 8:33 AM, Palvelin Postmaster wrote:
> My auto-whitelist file appears corrupted. File size is about 5 megabytes. 
> Spamassassin says it can’t be opened. So does sa-awl.
> 
> Is there any other way to try to recover the file or should I just accept my 
> losses and recreate it?
> 
I think you can try using db4_recover on a copy of the file to try recovering 
it.
 Giovanni


Re: Mail::SpamAssassin::Plugin::Phishing relevant ?

2019-01-16 Thread Giovanni Bechis
On 16 January 2019 09:43:13 CET, Brent Clark wrote:
>Good day Guys
>
>Just would like to double check something with the community.
>
>Is the plugin Mail::SpamAssassin::Plugin::Phishing still relevant in 
>this day and age?
>
>I have a daily cron entry that wgets the following feed(s):
>https://openphish.com/feed.txt
>http://data.phishtank.com/data/online-valid.csv
>
>Reason for my concern / question is, I have never seen anything hit.
>I tried a few spams from my google spam box, still nothing triggers.
>
>Regards
>Brent Clark

I have some code/ideas to let Phishing.pm catch more uris, I hope to commit it 
soon (after 3.4.3 anyway).
   Giovanni


Re: Phishing.pm

2019-01-13 Thread Giovanni Bechis
On 13 January 2019 21:52:19 CET, Giovanni Bechis wrote:
>On 13 January 2019 20:22:40 CET, Ian Evans wrote:
>>Running 3.4.2, spamd daemon.
>>
>>Just enabled the new Phishing.pm plugin but wondering about the data
>>feeds.
>>Is that something we need to set up a cron to wget or does the plugin
>>handle it? Unless my google fu is weak due to a lack of caffeine, I
>>couldn't find any doc on setting it up.
>>
>>Thanks for any advice.
>
>try Mail::SpamAssassin::Plugin::Phishing
>
>  Cheers
> Giovanni

man Mail::SpamAssassin::Plugin::Phishing
to be precise.
   Giovanni


Re: Phishing.pm

2019-01-13 Thread Giovanni Bechis
On 13 January 2019 20:22:40 CET, Ian Evans wrote:
>Running 3.4.2, spamd daemon.
>
>Just enabled the new Phishing.pm plugin but wondering about the data
>feeds.
>Is that something we need to set up a cron to wget or does the plugin
>handle it? Unless my google fu is weak due to a lack of caffeine, I
>couldn't find any doc on setting it up.
>
>Thanks for any advice.

try Mail::SpamAssassin::Plugin::Phishing

  Cheers
 Giovanni


Re: New bitcoin ransom message today

2018-12-15 Thread Giovanni Bechis
On Thu, Dec 13, 2018 at 09:33:58PM -, Chip M. wrote:
> As requested:
>   http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
> I MUNGED the "To".
> It's the latest of two sent to me by an awesome volunteer. :)
> 
> First thoughts:
> Both were base64 encoded.
> Both have "disclaimers" that they're not terrorists. :roll-eyes:
> 
this rule works iff you are using SA 4.x:

body HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 
'raw/max=10/shuffle', '\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b')
describe HASHBL_BTC Message contains BTC address found on BTCBL
priority HASHBL_BTC -100 # required priority to launch async lookups

It will check if the btc address has been used for fraudulent purposes and it 
has been reported to
bitcoinabuse or bitcoinwhoswho web sites.

 Giovanni
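Added example, not code from the original post or from SpamAssassin: a Python sketch of what the HASHBL_BTC rule above does before the DNS lookup. It applies the rule's regex to a body, validates each candidate with Base58Check so that look-alike strings never reach the list, applies the max=10 cap, and builds the query names a 'raw' HashBL lookup under bl.btcblack.it would use. The message body is constructed; the one valid address in it is the well-known Bitcoin genesis-block address.

```python
"""Pre-lookup half of a HashBL BTC rule: extract, validate, cap, build names."""
import hashlib
import re

# Regex taken from the HASHBL_BTC rule on the page; SA runs it over the body.
BTC_RE = re.compile(r"\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 are the double-SHA256
    checksum of the first 21 (version byte + 20-byte key hash)."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    # Each leading '1' encodes one leading 0x00 byte; the rest is a big-endian int.
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_btc_addresses(body: str, maximum: int = 10) -> list:
    """Unique, checksum-valid addresses in order of appearance, capped like the
    rule's 'max=10' (its 'shuffle' option randomises which ones survive the
    cap; this version stays deterministic)."""
    found = []
    for m in BTC_RE.finditer(body):
        cand = m.group(1)
        if cand not in found and b58check_valid(cand):
            found.append(cand)
    return found[:maximum]


def hashbl_queries(addresses, zone: str = "bl.btcblack.it") -> list:
    """A 'raw' HashBL lookup queries the value itself, unhashed, under the zone."""
    return [f"{addr}.{zone}" for addr in addresses]


# Constructed sample body in the style of the ransom mails under discussion.
# The first address is the genesis-block address (valid); the third is the
# same string with its last character changed, so its checksum cannot match.
SAMPLE_BODY = """Send 0.5 BTC to my wallet 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
within 48 hours. Again: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (the same one).
Looks similar but is not an address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
"""

if __name__ == "__main__":
    for name in hashbl_queries(extract_btc_addresses(SAMPLE_BODY)):
        print(name)
```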


Re: mysql 8 database problem

2018-12-09 Thread Giovanni Bechis
On 12/8/18 1:20 PM, Csaba Banhalmi wrote:
> Hi,
> 
> I upgraded to mysql and since then I can’t use bases db to score my mails. 
> Spam assassin -D says the following:
> 
> [12254] dbg: bayes: tok_get_all: SQL error: Illegal mix of collations
> for operation ' IN '
> [12254] dbg: bayes: cannot use bayes on this message; none of the
> tokens were found in the database
> [12254] dbg: bayes: not scoring message, returning undef
> 
> Collation is the same as before, moreover I dumped the db and imported in a 
> mysql 5.6 which works fine, I get my bayes scoring just fine.
> I use spamassassin 3.4.2 and mysql 8.0.12
> 
> Any help is appreciated, thank you!
> 
> Best regards,
> Csaba
> 
Can you post on pastebin the bayes table definition (SHOW CREATE TABLE) ?
 Thanks
  Giovanni


Re: Txrep problem

2018-12-02 Thread Giovanni Bechis
Can you try to run spamassassin -D

> Hello all!
> 
> I have tried to implement TxRep into my system.
> 
> My configuration for it is
> 
> # Enable awl
> user_awl_dsn DBI:mysql:spamassassin:spamassassin
> user_awl_sql_username spamassassin
> user_awl_sql_password amazing
> 
> use_txrep 1
> 
> 
> My v341.pre says
> 
> # TxRep - Reputation database that replaces AWL
> loadplugin Mail::SpamAssassin::Plugin::TxRep
> 
> Spamassassin -D --lint tells no problems.
> 
> I have a database in MySQL named as ”spamassassin” and there I have table 
> txrep as
> 
> +--+--+--+-+-+---+
> | Field    | Type         | Null | Key | Default | Extra |
> +--+--+--+-+-+---+
> | username | varchar(100) | NO   | PRI |         |       |
> | email    | varchar(255) | NO   | PRI |         |       |
> | ip       | varchar(40)  | NO   | PRI |         |       |
> | count    | int(11)      | NO   |     | 0       |       |
> | totscore | float        | NO   |     | 0       |       |
> | signedby | varchar(255) | NO   | PRI |         |       |
> +--+--+--+-+-+---+
> 6 rows in set (0.00 sec)
> 
> 
> The table is empty!
> 
> And in addition to that I today saw a spam that was pretty hammy, but had a 
> score from TxRep as 8 points and It was marked as spam. What gave that score 
> and why I do not get anything into table txrep?
> 
> The table txrep is the only table in MariaDB database spamassassin, as my 
> bayes is in Redis.
> 
> Thanks,  jarif  



Re: Patch: txrep_ipv4_mask_len ignored

2018-12-01 Thread Giovanni Bechis
Committed with r1843622 on 2018-10-12 in 3.4 and trunk,
thanks anyway.
 Cheers
  Giovanni

On 12/1/18 6:29 PM, John Capo wrote:
> With the correct sender address this time :(
> 
> --- 
> /usr/local/src/Mail-SpamAssassin-3.4.2/lib/Mail/SpamAssassin/Plugin/TxRep.pm  
>   2018-12-01 12:19:53.067968000 -0500
> +++ /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/TxRep.pm
> 2018-12-01 12:23:42.183385000 -0500
> @@ -1739,7 +1739,7 @@
>if (!defined $origip) {
>  # could not find an IP address to use
>} elsif ($origip =~ /^ (\d{1,3} \. \d{1,3}) \. \d{1,3} \. \d{1,3} $/xs) {
> -my $mask_len = $self->{ipv4_mask_len};
> +my $mask_len = $self->{conf}->{txrep_ipv4_mask_len};
>  $mask_len = 16  if !defined $mask_len;
>  # handle the default and easy cases manually
>  if($mask_len == 32) {$result = $origip;}
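Review bot: the lookup now goes through `$self->{conf}->{txrep_ipv4_mask_len}`, the Conf object that the option setter populates, instead of `$self->{ipv4_mask_len}` on the plugin object, which nothing ever set; that is why the `$mask_len = 16  if !defined $mask_len;` fallback always won and the database filled with /16 entries. Keeping the fallback for an unset option is right, but the key name must match the `txrep_ipv4_mask_len` setter exactly, because a mismatch degrades silently to /16 again rather than failing.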
> @@ -1757,7 +1757,7 @@
> $origip =~
> /^ [0-9a-f]{0,4} (?: : [0-9a-f]{0,4} | \. [0-9]{1,3} ){2,9} 
> $/xsi) {
>  # looks like an IPv6 address
> -my $mask_len = $self->{ipv6_mask_len};
> +my $mask_len = $self->{conf}->{txrep_ipv6_mask_len};
>  $mask_len = 48  if !defined $mask_len;
>  my $origip_obj = NetAddr::IP->new6($origip . '/' . $mask_len);
>  if (!defined $origip_obj) { # invalid IPv6 
> address
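Review bot: same change for IPv6 with the /48 fallback; since `NetAddr::IP->new6($origip . '/' . $mask_len)` receives the mask as part of a string, it relies on the setter's 0..128 range check to keep out-of-range values out of the prefix, so that validation must remain. Note also that the mailer has wrapped the regex line and the `# invalid IPv6 address` comment onto extra lines, so the hunk as pasted here will not apply cleanly and should be taken from the original attachment.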
> 
> 
> 
> 



Re: Is $THIS possible?

2018-11-26 Thread Giovanni Bechis
On 11/26/18 11:10 PM, Grant Taylor wrote:
> On 11/26/2018 02:33 PM, Martin Gregorie wrote:
>> I think that fear is unfounded
> 
> Please don't mistake my laziness as fear.  I simply am not motivated enough 
> to construct a solution that will harvest outgoing recipient addresses.
> 
I do not know if it's viable for your own use but amavisd penpal feature could 
be an option (https://www.ijs.si/software/amavisd/#features-spam)
It creates a redis database where it correlates outbound msg-id and replies so 
it can subtract score if an email msg is a reply to a known sender.

 Giovanni


> I might be interested and motivated enough to (eventually) construct 
> something to check against an LDAP address book.  —  I've been pontificating 
> creating an LDAP address book anyway.  So if something else can make use of 
> it, all the better.  Especially if said something else is directly related to 
> email (filtering).
> 
>> IOW, if you build a whitelist containing just the addresses your outgoing 
>> mail is addressed to and periodically trim it to retain only addresses that 
>> stuff has been sent to in the last 24 months years I predict that your list 
>> size will stabilise despite user churn simply because most people's address 
>> lists don't change much from year to year.
> 
> That all makes sense and I tend to agree with it.  It's just not what I'm 
> currently pontificating doing.
> 
>> And, of course, mail concerning online purchases is 99% incoming, so the 
>> addresses on it will never get into this type of whitelist.
> 
> I initially think the same thing about address books.  But some MUAs have an 
> option (maybe on by default) that automatically add senders and / or outgoing 
> recipients to their address book.  I prefer to manually manage my address 
> book.  —  But that's just me and I do realize that I'm odd like that.
> 
> 
> 



Re: Macros now replaced by XML

2018-11-19 Thread Giovanni Bechis
On 11/16/18 7:11 PM, Alex wrote:
> Hi,
> 
> It seems spammers are now using XML Word documents instead of ones
> containing macro viruses. Virtually no antivirus scanners are catching
> this now.
> 
> These are hacked Outlook accounts sending virus/phish attachments.
> 
> https://pastebin.com/8QxujfAt
> 
New OLEMacro plugin just committed catches it.
 Cheers
  Giovanni


Re: Warnings when enabling URILocalBL plugin

2018-11-08 Thread Giovanni Bechis
On 11/8/18 11:57 PM, Giovanni Bechis wrote:
> On Thu, Nov 08, 2018 at 01:43:15PM -0600, qu...@strangecode.com wrote:
>> So, these warnings may be unrelated to URILocalBL: I disabled that plugin 
>> and the errors are still appearing.
>>
> ...
>> Here is the output from `spamassassin -D --lint`:
>> https://pastebin.com/raw/Zr7umPQv
>>
>>  perl-Geo-IP-1.38-1.el6.rf.x86_64
>>
> it's a bug in RelayCountry.pm that can be triggered only if GeoIP is < 1.39 
> (without ipv6 support).
> It is fixed in current tree and will be released with 3.4.3.
> 
> If you can use country_db_type = Fast/DB_File/GeoIP2 it will work.
> I think that only IP-Country-Fast could be available due to the age of the 
> distribution you are using;
> IP-Country-DB_File can also be easily built using cpan, GeoIP2 requires more 
> modules and I do not know if it could
> be compatible with other modules provided by the distribution you are using.
>  Cheers
>   Giovanni
> 
For the records, from a private email from the original submitter:
---
I switched to IP-Country-Fast and the errors stopped:

country_db_type Fast
country_db_path /usr/share/perl5/vendor_perl/IP/Country/Fast
---


Re: Warnings when enabling URILocalBL plugin

2018-11-08 Thread Giovanni Bechis
On Thu, Nov 08, 2018 at 01:43:15PM -0600, qu...@strangecode.com wrote:
> So, these warnings may be unrelated to URILocalBL: I disabled that plugin and 
> the errors are still appearing.
> 
...
> Here is the output from `spamassassin -D --lint`:
> https://pastebin.com/raw/Zr7umPQv
> 
>   perl-Geo-IP-1.38-1.el6.rf.x86_64
>
it's a bug in RelayCountry.pm that can be triggered only if GeoIP is < 1.39 
(without ipv6 support).
It is fixed in current tree and will be released with 3.4.3.

If you can use country_db_type = Fast/DB_File/GeoIP2 it will work.
I think that only IP-Country-Fast could be available due to the age of the 
distribution you are using;
IP-Country-DB_File can also be easily built using cpan, GeoIP2 requires more 
modules and I do not know if it could
be compatible with other modules provided by the distribution you are using.
 Cheers
  Giovanni




Re: Warnings when enabling URILocalBL plugin

2018-11-08 Thread Giovanni Bechis
On 11/8/18 1:18 AM, Quinn Comendant wrote:
> I'm getting warnings when enabling Mail::SpamAssassin::Plugin::URILocalBL:
> 
> warn: Use of uninitialized value in subroutine entry at 
> /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/RelayCountry.pm line 
> 219.
> warn: plugin: eval failed: Can't use string ("") as a subroutine ref while 
> "strict refs" in use at 
> /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/RelayCountry.pm line 
> 219.
> warn: Use of uninitialized value $countries in split at 
> /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/RelayCountry.pm line 
> 274.
> 
> I have these GeoIP packages installed:
> 
> GeoIP-1.6.5-1.el6.x86_64
> GeoIP-devel-1.6.5-1.el6.x86_64
> GeoIP-GeoLite-data-2018.04-1.el6.noarch
> GeoIP-GeoLite-data-extra-2018.04-1.el6.noarch
> geoipupdate-2.2.1-2.el6.x86_64
> perl-Geo-IP-1.38-1.el6.rf.x86_64
> perl-Geo-IPfree-0.8-1.el6.rf.noarch
> 
> Anything missing?
> 
> Quinn
> 
Try running with spamassassin -D and post the results, it will give us some 
more info.
 Thanks & Cheers
  Giovanni


Re: txrep doesn't respect txrep_ipv4_mask_len

2018-10-04 Thread Giovanni Bechis
On 10/04/18 09:38, Daniele Duca wrote:
> Hi,
> 
> I'm experimenting an odd behaviour while using TxRep. I have set in my 
> local.cf "txrep_ipv4_mask_len 24" , but the database is populated by /16 
> instead of the expected /24.
> 
> Digging in TxRep.pm I started using dbg() to see if it would at least read 
> the correct value "24" from the .cf , and confirmed that, around line 528, 
> the code
> 
Completely untested patch attached, will double check it later.
 Cheers 
  Giovanni

> $self->{txrep_ipv4_mask_len} = $value;
> 
> is correctly working, meaning that $value has the value of "24"
> 
> The problem arise around line 1727, in the following snippet:
> 
> my $mask_len = $self->{txrep_ipv4_mask_len};
> $mask_len = 16  if !defined $mask_len;
> 
> In this case "$self->{txrep_ipv4_mask_len}" is empty, and the value is set to 
> the default of "16".
> 
> This behaviour is consistent in nine different installations with the 
> following specs:
> 
> Ubuntu 16.04.4 - SA 3.4.1 - Perl v5.22.1
> Ubuntu 18.04.1 - SA 3.4.2 (CPAN) - Perl v5.26.1
> 
> Any thoughts? My perl-fu is not good enough to debug this :/
> 
> Thanks
> Daniele Duca

Index: lib/Mail/SpamAssassin/Plugin/TxRep.pm
===
--- lib/Mail/SpamAssassin/Plugin/TxRep.pm	(revision 1842596)
+++ lib/Mail/SpamAssassin/Plugin/TxRep.pm	(working copy)
@@ -523,7 +523,7 @@
 {return $Mail::SpamAssassin::Conf::MISSING_REQUIRED_VALUE;}
 elsif ($value !~ /^\d+$/ || $value < 0 || $value > 32)
 {return $Mail::SpamAssassin::Conf::INVALID_VALUE;}
-$self->{txrep_ipv4_mask_len} = $value;
+$self->{ipv4_mask_len} = $value;
 }
   });
 
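Review bot: renaming the stored key to `$self->{ipv4_mask_len}` assumes the setter and the consumer share the same `$self`; in a SpamAssassin option setter `$self` is the Conf object, while the code that masks the originating IP runs as a plugin method, so it would still find nothing under that key and the `$mask_len = 16` default would keep winning. Reading the option from the Conf object at the consumer (`$self->{conf}->{txrep_ipv4_mask_len}`), as the patch in the 2018-12-01 thread above does, is the safer direction, and the `$value > 32` range check right above the changed line should stay either way.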
@@ -556,7 +556,7 @@
 {return $Mail::SpamAssassin::Conf::MISSING_REQUIRED_VALUE;}
 elsif ($value !~ /^\d+$/ || $value < 0 || $value > 128)
 {return $Mail::SpamAssassin::Conf::INVALID_VALUE;}
-$self->{txrep_ipv6_mask_len} = $value;
+$self->{ipv6_mask_len} = $value;
 }
   });
 
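Review bot: the IPv6 hunk has the same object-scope question as the IPv4 one, so it needs a real run before commit, which the cover note itself concedes ("completely untested"). Style point on the unchanged context: `$value < 0` is dead once `$value !~ /^\d+$/` has passed, since that regex already rejects a minus sign, so the condition could be simplified to `$value !~ /^\d+$/ || $value > 128`.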


Re: deleting old data from txrep

2018-10-04 Thread Giovanni Bechis
On 10/04/18 04:30, Alex wrote:
> Hi,
> 
> I need to delete some of the old entries from my txrep database as
> it's grown to 3GB, oops. When attempting to do this, it fails with
> "error 14":
>
do you have enough space for tmp tables ? What if you try to delete less data ? 
Does mysqlcheck(1) spot anything wrong ?
 Cheers
   Giovanni
 
> # rpm -q mariadb
> mariadb-10.2.17-2.fc28.x86_64
> 
> # ls -l
> total 3141664
> -rw-rw 1 mysql mysql 65 Oct 19  2017 db.opt
> -rw-rw 1 mysql mysql    Oct 19  2017 txrep.frm
> -rw-rw 1 mysql mysql 3217031168 Oct  3 22:29 txrep.ibd
> 
> MariaDB [txrepdb]> delete from txrep where last_hit <= '2018-01-01 00:00:00';
> ERROR 14 (HY000): Can't change size of file (Errcode: -1048710496
> "Internal error < 0 (Not system error)")
> 
> Searches show this can happen when the filesystem is full, but it's
> not. Any ideas of what could be wrong? Maybe write the last, say, 120
> days to another database then rename it?
> 



Re: Hints needed for spf rule

2018-09-18 Thread Giovanni Bechis
I forgot about KAM.cf, just grepped in rulesrc and found nothing.
 Giovanni

On 09/18/18 19:01, Kevin A. McGrail wrote:
> It's in KAM.cf, I believe:
> 
> # SPF THAT DOESN'T REALLY CARE IF EMAIL IS A FORGERY
> ifplugin Mail::SpamAssassin::Plugin::AskDNS
>   askdns   JMQ_SPF_NEUTRAL_ALL _SENDERDOMAIN_ TXT /^v=spf1 .+\?all$/
>   describe JMQ_SPF_NEUTRAL_ALL SPF set to ?all!
>   score    JMQ_SPF_NEUTRAL_ALL 0.5
> endif
> 
> --
> Kevin A. McGrail
> VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
> 
> 
> On Tue, Sep 18, 2018 at 12:16 PM Giovanni Bechis wrote:
> 
> Hi,
> I noticed that Google servers started blocking emails with "suspicious 
> spf records" like for example:
> "v=spf1 include:musvc.com include:turbo-smtp.com mx a +all".
> 
> Any idea on how to write a rule to catch something like that ?
> 
>  Thanks & Cheers
>   Giovanni
> 
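Added example in Python, not from KAM.cf or from anyone in the thread: a small classifier for the qualifier on the SPF `all` mechanism, covering both the `?all` case that the askdns rule above scores and the `+all` case Giovanni asked about. The record from the question is used as-is; the other records are constructed.

```python
"""Classify the 'all' qualifier of an SPF TXT record and compare with the
askdns regex quoted from KAM.cf."""
import re

# The askdns regex from the JMQ_SPF_NEUTRAL_ALL rule above, as Python.
ASKDNS_NEUTRAL_RE = re.compile(r"^v=spf1 .+\?all$")
# An 'all' mechanism with its optional qualifier; a bare 'all' means '+all'.
_ALL_RE = re.compile(r"^([+\-~?])?all$", re.IGNORECASE)


def spf_all_qualifier(record: str):
    """Return '+', '-', '~' or '?' for the first 'all' term of an SPF record,
    or None when the record is not SPF or has no 'all' at all (for example
    when it ends in a redirect= modifier)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = _ALL_RE.match(term)
        if m:
            return m.group(1) or "+"  # RFC 7208 4.6.2: no qualifier means Pass
    return None


def classify_spf(record: str) -> str:
    """Map the qualifier to the concern raised on the list."""
    q = spf_all_qualifier(record)
    if q == "+":
        return "PASS_ALL"      # every host on the internet gets SPF Pass
    if q == "?":
        return "NEUTRAL_ALL"   # the case JMQ_SPF_NEUTRAL_ALL scores
    if q in ("~", "-"):
        return "RESTRICTED"
    return "NO_ALL"


def askdns_rule_hits(record: str) -> bool:
    """True when the KAM.cf regex would fire on this TXT record."""
    return ASKDNS_NEUTRAL_RE.search(record) is not None


# Constructed records; the first is the one from Giovanni's question.
SAMPLES = {
    "v=spf1 include:musvc.com include:turbo-smtp.com mx a +all": "PASS_ALL",
    "v=spf1 mx a ?all": "NEUTRAL_ALL",
    "v=spf1 mx all": "PASS_ALL",      # unqualified 'all' is Pass too
    "v=spf1 ip4:192.0.2.0/24 -all": "RESTRICTED",
    "v=spf1 redirect=_spf.example.net": "NO_ALL",
}

if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{classify_spf(rec):12s} askdns={askdns_rule_hits(rec)!s:5s} {rec}")
```

A bare `all` is worth a separate rule: it is equivalent to `+all` but the `\?all$` regex above does not see it, and neither does a pattern written for `+all`.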



Hints needed for spf rule

2018-09-18 Thread Giovanni Bechis
Hi,
I noticed that Google servers started blocking emails with "suspicious spf 
records" like for example:
"v=spf1 include:musvc.com include:turbo-smtp.com mx a +all".

Any idea on how to write a rule to catch something like that ?

 Thanks & Cheers
  Giovanni


[autopromotion] SA talk in Edinburgh

2018-08-20 Thread Giovanni Bechis
Hi,
fyi I will give a talk about new features in SA at Open Source Summit
in Edinburgh this October.
There will be also other Apache-related talks.
More info here: https://osseu18.sched.com/event/FxWQ?iframe=no

 Cheers
  Giovanni


Re: GeoIP2::Database::Reader dependency

2018-08-06 Thread Giovanni Bechis
On 08/06/18 02:00, Alex wrote:
> Hi,
> 
> On Sun, Aug 5, 2018 at 4:45 PM Giovanni Bechis  wrote:
>>
>> On 5 August 2018 22:14:04 CEST, Alex wrote:
>>> Hi,
>>> Trying to compile the latest branch from svn and it appears to now
>>> require GeoIP2::Database::Reader. Is that correct? Is this a new
>>> requirement or am I doing something wrong?
>>>
>>> It doesn't appear to be included with fedora, so I've compiled it
>>> myself (from CPAN, into an RPM), but installing it has a ton of
>>> dependencies. Is this a design change so late in the development
>>> cycle?
> ...
>> GeoIP2::Database::Reader is a new optional dependency, it's required only 
>> iff activated with a specific option.
> 
> Would you explain the benefits of enabling it? Is it replacing the
> existing GeoIP support? Is it experimental?
> 
Starting from 01/04/2018 GeoIP legacy databases are no longer updated; Maxmind 
will update only the new "GeoIP2" database
format.
If you do not want to install GeoIP2 and all its dependencies there is also 
support for IP::Country::DB_File, an alternative
to IP::Country::Fast but with ipv6 support. If you are using the URILocalBL plugin 
GeoIP[2] is needed.
I have contacted some Spamassassin package maintainers to tell them to start 
packaging GeoIP2 for easier installation of SA new features.
 Cheers
  Giovanni


Re: GeoIP2::Database::Reader dependency

2018-08-05 Thread Giovanni Bechis
On 5 August 2018 22:14:04 CEST, Alex wrote:
>Hi,
>Trying to compile the latest branch from svn and it appears to now
>require GeoIP2::Database::Reader. Is that correct? Is this a new
>requirement or am I doing something wrong?
>
>It doesn't appear to be included with fedora, so I've compiled it
>myself (from CPAN, into an RPM), but installing it has a ton of
>dependencies. Is this a design change so late in the development
>cycle?
>
>$ grep GeoIP2 RelayCountry.pm
>This plugin requires the GeoIP2, Geo::IP, IP::Country::DB_File or
>Valid database types are GeoIP, GeoIP2, DB_File and Fast.
>  if ( $value !~ /GeoIP|GeoIP2|DB_File|Fast/) {
>This option tells SpamAssassin where to find MaxMind GeoIP2 or
>IP::Country::DB_File database.
>  } elsif ( $conf_country_db_type eq "GeoIP2" ) {
> require GeoIP2::Database::Reader;
> $db = GeoIP2::Database::Reader->new(
> $db_info = sub { return "GeoIP2 " .
>($db->metadata()->description()->{en} || '?') };
>} elsif ($conf_country_db_type eq "GeoIP2" ) {
>
>Thanks,
>Alex

GeoIP2::Database::Reader is a new optional dependency, it's required only iff 
activated with a specific option.
Giovanni


Re: SA MySQL DB maintenance

2018-07-17 Thread Giovanni Bechis
Txrep does not have autocleaning support, bayes has it if auto_bayes_expire is 
set.
 Giovanni

On 07/17/18 14:35, Kevin A. McGrail wrote:
> To me, no, it doesn't.
> 
> For example, I clean out txrep stuff with crons like this -e 'DELETE FROM 
> txrep WHERE last_hit <= (now() - INTERVAL 90 day);'
> 
> I also don't use autolearning bayes but some people like to cull there bayes. 
>  I think Bayes should be in redis though not SQL.
> 
> What are you using in a db?
> 
> Regards,
> KAM
> 
> --
> Kevin A. McGrail
> VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
> 
> On Mon, Jul 16, 2018 at 11:53 PM, Michael Hallager (personal) wrote:
> 
> Hi all,
> 
> Does SA self-maintain the records in the DB or is there a script I should 
> run periodically for this?
> 
> Michael
> 
> 



Italian spamassassin channel

2018-06-07 Thread Giovanni Bechis
Hi,
for work and for fun I made a channel to deploy some rules to match some spam 
written in the Italian language.
It is available at https://spamassassin.snb.it and signed with gpg key A96BF255.

 Have fun !!
  Giovanni
 


Re: FORGED_GMAIL_RCVD via IMAP.

2018-05-10 Thread Giovanni Bechis
On 05/10/18 21:11, Reio Remma wrote:
> Hello!
> 
> I just noticed if I mail myself via my Gmail account, I'm hitting 
> FORGED_GMAIL_RCVD.
> 
> Apparently it happens only if I use my Gmail account via IMAP, but not when I 
> mailed from their webmail for testing.
> 
> Should that be so? I suspect it's the following that trips it:
> 
> Return-Path: 
> Received: from [192.168.0.148] (85.xxx.xxx.xxx.cable.isp.ee. [85.xxx.xxx.xxx])
>     by smtp.googlemail.com with ESMTPSA id 
> b65-v6sm298081lff.5.2018.05.10.11.58.19
>     for 
>     (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>     Thu, 10 May 2018 11:58:19 -0700 (PDT)
> 
> 
Could you post full headers on pastebin ?
 Thanks
   Giovanni


Re: spamc --reporttype= not working and curious log message.

2018-04-20 Thread Giovanni Bechis
On 04/20/18 13:53, Kevin A. McGrail wrote:
> FYI, I'm well aware of the 3.4 test issue with rulesrc.  I have it symlinked 
> to a checkout for my purposes.  I'll document that more.
> 
> I am using CentOS 7 as well for testing and not aware of these perl 
> dependency issues you are having.  Please elaborate further.
> 
I cannot find Devel::Size on Centos7 standard repositories.
As for RabinKarpAccel, the author says "Unfortunately, while it's great for 
many parallel-match tasks, it's not so hot with SpamAssassin rules, which is 
what I wrote it for" on his web page[¹] and I cannot find it on cpan.
Is this plugin really useful ? From svn logs I can find that 12 years ago jm@ 
wrote:
"reactivate RabinKarpBody plugin, which uses the Rabin-Karp algorithm to 
perform fast body searches; not as fast as re2xs though".

 Giovanni

[¹] http://taint.org/wk/JustinsSoftware

> --
> Kevin A. McGrail
> Asst. Treasurer & VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
> 
> On Fri, Apr 20, 2018 at 5:03 AM, Reio Remma wrote:
> 
> On 20.04.18 9:50, Giovanni Bechis wrote:
> 
> On 04/19/18 09:24, Reio Remma wrote:
> [...]
> 
> *Update:* none of the --option= switches work.
> 
> handle_user (userdir) unable to find user: '' is caused because I 
> have the -username switch as --username=amavis instead of --username amavis
> 
> It worked in 3.4.1.
> 
> Is it at all possible that I botched the RPM for 3.4.2?
> 
> no, I botched it.
> Fixed in r1829628.
>   Thanks
>    Giovanni
> 
> 
> I can confirm that it works.
> 
> Two things I wanted to point out that I noticed when building the RPM for 
> CentOS 7. There seem to be a few things in 3.4.2 branch that have 
> dependencies that don't exist in CentOS 7.
> 
> --> Processing Dependency: perl(RabinKarpAccel) for package: 
> spamassassin-3.4.2-0.el7.centos.x86_64
> --> Finished Dependency Resolution
> Error: Package: spamassassin-3.4.2-0.el7.centos.x86_64 
> (/spamassassin-3.4.2-0.el7.centos.x86_64)
>            Requires: perl(RabinKarpAccel)
> Error: Package: spamassassin-3.4.2-0.el7.centos.x86_64 
> (/spamassassin-3.4.2-0.el7.centos.x86_64)
>            Requires: perl(Devel::Size)
> 
> To get around those I had to remove these (as I undersand they're 
> experimental anyway):
> 
> Mail-SpamAssassin-3.4.2/lib/Mail/SpamAssassin/Plugin/NetCache.pm
> Mail-SpamAssassin-3.4.2/lib/Mail/SpamAssassin/Util/MemoryDump.pm
> Mail-SpamAssassin-3.4.2/lib/Mail/SpamAssassin/Plugin/RabinKarpBody.pm
> 
> At first I tried removing all in MANIFEST.SKIP, but that seemed to be too 
> much for it. :)
> 
> Also there are a couple of warnings when building:
> 
> make -f spamc/Makefile spamc/spamc
> make[1]: Entering directory 
> `/home/reio/rpmbuild/BUILD/Mail-SpamAssassin-3.4.2'
> make[1]: warning: jobserver unavailable: using -j1.  Add `+' to parent 
> make rule.
> gcc -DSPAMC_SSL -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   
> -m64 -mtune=generic spamc/spamc.c spamc/getopt.c spamc/libspamc.c 
> spamc/utils.c \
>         -o spamc/spamc  -lssl -lcrypto  -ldl -lz
> spamc/libspamc.c: In function '_try_to_connect_tcp':
> spamc/libspamc.c:491:19: warning: variable 'family' set but not used 
> [-Wunused-but-set-variable]
>              char *family = NULL;
>                    ^
> spamc/libspamc.c: In function 'transport_setup':
> spamc/libspamc.c:1911:35: warning: unused variable 'addrp' 
> [-Wunused-variable]
>      struct addrinfo hints, *res, *addrp;
>                                    ^
> spamc/libspamc.c: In function 'libspamc_log':
> spamc/libspamc.c:2239:9: warning: ignoring return value of 'write', 
> declared with attribute warn_unused_result [-Wunused-result]
>          (void) write (2, buf, len);
>          ^
> make[1]: Leaving directory 
> `/home/reio/rpmbuild/BUILD/Mail-SpamAssassin-3.4.2'
> 
> 



Re: spamc --reporttype= not working and curious log message.

2018-04-20 Thread Giovanni Bechis
On 04/19/18 09:24, Reio Remma wrote:
[...] 
> *Update:* none of the --option= switches work.
> 
> handle_user (userdir) unable to find user: '' is caused because I have the 
> -username switch as --username=amavis instead of --username amavis
> 
> It worked in 3.4.1.
> 
> Is it at all possible that I botched the RPM for 3.4.2?
> 
no, I botched it.
Fixed in r1829628.
 Thanks
  Giovanni


Re: spamc --reporttype= not working and curious log message.

2018-04-20 Thread Giovanni Bechis
On 04/19/18 18:54, Reio Remma wrote:
> I ran make test now - not exactly a pass.
>
cc dev@, I think this is a regression.
 
> There were lots of complaints about: "Maybe you need to kill a running spamd 
> process?" There was no spamd running.
> 
> The RPM is actually working nicely on our production system (after I removed 
> the = from spamc options).
> 
> This is all on CentOS 7.
>
Some tests fail on 3.4 because the rulesrc directory has moved only to trunk; 
restoring the rulesrc dir fixes the broken test.
 
$ make test TEST_FILES=t/basic_lint_without_sandbox.t  
"/usr/bin/perl" build/mkrules --exit_on_no_src --src rulesrc --out rules 
--manifest MANIFEST --manifestskip MANIFEST.SKIP
no source directory found: exiting

 Giovanni

> Test Summary Report
> 
> ---
> 
> t/basic_lint_without_sandbox.t  (Wstat: 256 Tests: 3 Failed: 1)
> 
>   Failed test:  1
> 
>   Non-zero exit status: 1
> 
> t/debug.t   (Wstat: 256 Tests: 3 Failed: 1)
> 
>   Failed test:  3
> 
>   Non-zero exit status: 1
> 
> t/lang_lint.t   (Wstat: 1536 Tests: 8 Failed: 6)
> 
>   Failed tests:  1, 3, 5-8
> 
>   Non-zero exit status: 6
> 
> t/sa_check_spamd.t  (Wstat: 768 Tests: 7 Failed: 3)
> 
>   Failed tests:  1, 6-7
> 
>   Non-zero exit status: 3
> 
> t/spamc_x_e.t   (Wstat: 256 Tests: 7 Failed: 1)
> 
>   Failed test:  1
> 
>   Non-zero exit status: 1
> 
> t/spamc_x_E_R.t (Wstat: 768 Tests: 49 Failed: 3)
> 
>   Failed tests:  1, 10, 12
> 
>   Non-zero exit status: 3
> 
> t/spamd.t   (Wstat: 512 Tests: 14 Failed: 2)
> 
>   Failed tests:  1, 14
> 
>   Non-zero exit status: 2
> 
> t/spamd_allow_user_rules.t  (Wstat: 512 Tests: 5 Failed: 2)
> 
>   Failed tests:  1, 3
> 
>   Non-zero exit status: 2
> 
> t/spamd_client.t    (Wstat: 5120 Tests: 52 Failed: 20)
> 
>   Failed tests:  2, 18-19, 31-32, 35, 37-42, 44, 46-52
> 
>   Non-zero exit status: 20
> 
> t/spamd_maxchildren.t   (Wstat: 512 Tests: 22 Failed: 2)
> 
>   Failed tests:  1, 22
> 
>   Non-zero exit status: 2
> 
> t/spamd_report.t    (Wstat: 512 Tests: 6 Failed: 2)
> 
>   Failed tests:  1, 6
> 
>   Non-zero exit status: 2
> 
> t/spamd_report_ifspam.t (Wstat: 512 Tests: 10 Failed: 2)
> 
>   Failed tests:  1, 10
> 
>   Non-zero exit status: 2
> 
> t/spamd_user_rules_leak.t   (Wstat: 512 Tests: 28 Failed: 2)
> 
>   Failed tests:  1, 19
> 
>   Non-zero exit status: 2
> 
> t/spamd_whitelist_leak.t    (Wstat: 512 Tests: 8 Failed: 2)
> 
>   Failed tests:  1, 8
> 
>   Non-zero exit status: 2
> 
> Files=169, Tests=3081, 793 wallclock secs ( 0.93 usr  0.69 sys + 174.60 cusr 
> 30.48 csys = 206.70 CPU)
> 
> Result: FAIL
> 
> Failed 14/169 test programs. 49/3081 subtests failed.
> 
> make: *** [test_dynamic] Error 255
> 
> 
> 
> On 19.04.2018 16:33, Kevin A. McGrail wrote:
>> Certainly sounds odd.  Does make test pass before you build the RPM?
>>
>> --
>> Kevin A. McGrail
>> Asst. Treasurer & VP Fundraising, Apache Software Foundation
>> Chair Emeritus Apache SpamAssassin Project
>> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>>
>> On Thu, Apr 19, 2018 at 3:24 AM, Reio Remma wrote:
>>
>> On 19.04.18 9:45, Reio Remma wrote:
>>> Hello!
>>>
>>> I'm trying to use this to report spam:
>>>
>>> spamc --reporttype=report --username=amavis < mail
>>>
>>> However all I get is:
>>>
>>> spamc[9632]: Please specify a legal report type
>>>
>>> It works if I omit the = after --reporttype. This is with SA 3.4.2 from 
>>> SVN, iirc it worked the other day with --reporttype=report in 3.4.1.
>>>
>>> I'm also curious about a log message when reporting:
>>>
>>> spamd[9506]: spamd: handle_user (userdir) unable to find user: ''
>>
>> *Update:* none of the --option= switches work.
>>
>> handle_user (userdir) unable to find user: '' is caused because I have 
>> the -username switch as --username=amavis instead of --username amavis
>>
>> It worked in 3.4.1.
>>
>> Is it at all possible that I botched the RPM for 3.4.2?
>>
>> Reio
>>
>>
> 



Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Giovanni Bechis
On 04/13/18 09:06, Sebastian Arcus wrote:
> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with 
> the above rule:
> 
> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got 
> hit: "https://myturbotax.intuit.com"
> 
> On a slightly different note, and mainly for my curiosity to understand SA 
> rules syntax, in 72_active.cf, the score seems to be commented out:
> 
> #score   URI_TRY_3LD   2.000   # limit
> 
> But when it hits, it still adds 2.0 to the score (and I haven't customized 
> the score anywhere else). Is this a special form of SA syntax?
> 
the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags 
publish.
 Giovanni



Re: This sucks

2018-04-03 Thread Giovanni Bechis
On Mon, Apr 02, 2018 at 03:09:34AM +0200, Michael Brunnbauer wrote:
[...]
> So being in /root when started changes the behavior of spamd. Is it possible
> that this is a timing issue? Could "\# 4 7f03" be some unprocessed
> response that would be converted to 127.0.0.3 a moment later? Or is there
> some other explanation for this?
> 
if you start spamd from /root and you use a Perl module that uses "use lib 
'lib';" or a similar piece of code, the relevant code will not load, because the 
user spamd is running as (spamd or whichever you have configured) will not have 
access to $PWD.
 
 Giovanni




Re: Junk mixed in with ham on whitelists

2018-02-22 Thread Giovanni Bechis
On 02/22/18 15:56, David Jones wrote:
> On 02/22/2018 08:52 AM, Benny Pedersen wrote:
>> Giovanni Bechis skrev den 2018-02-22 15:39:
>>
>>>> sub check_dkim_valid {
>>>>   my ($self, $pms, $full_ref, @acceptable_domains) = @_;
>>>>   $self->_check_dkim_signature($pms)  if !$pms->{dkim_checked_signature};
>>>>   my $result = 0;
>>>>   if (!$pms->{dkim_valid}) {
>>>>     # don't bother
>>>>   } elsif (!@acceptable_domains) {
>>>>     $result = 1;  # no additional constraints, any signing domain will do,
>>>>   # also any signing key size will do
>>>>   } else {
>>>>     $result = $self->_check_dkim_signed_by($pms,1,0,\@acceptable_domains);
>>>>   }
>>>>   return $result;
>>>> }
>>>>
>>>> there we go :(
>>>>
>>>> dkim signed should be any key bits allowed, but dkim valid should not 
>>>> allow under minimal key bits
>>>
>>> $self->_check_dkim_signed_by already checks for minimal key bits
>>
>> elsif part is correct ?
>>
>> i read code as any key bits can make valid dkim
> 
> That is also my finding based on:
> 
> https://pastebin.com/mjvB0MKg
> 
> which hit DKIM_VALID with a 768-bit key.
> 
It doesn't for me:
-
X-Spam-Checker-Version: SpamAssassin 3.4.2-pre3-r1823175 (2018-02-05) on
bigio.paclan.it
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=5.0 tests=DKIM_SIGNED,HTML_MESSAGE,
RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_PASS,T_DKIM_INVALID 
autolearn=no
autolearn_force=no version=3.4.2-pre3-r1823175
X-Spam-ASN: AS46606 69.89.16.0/20
X-Spam-Report: 
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
*  [69.89.18.3 listed in wl.mailspike.net]
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, 
no
*  trust
*  [69.89.18.3 listed in list.dnswl.org]
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*  valid
*  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
X-Spam-Relay-Country: US ** US
-
SpamAssassin version 3.4.2-pre3-r1823175
  running on Perl version 5.24.3
with Mail-DKIM-0.40 and Net-DNS-1.14

which Mail::DKIM and Net::DNS version are you using ?
 
 Giovanni


Re: Junk mixed in with ham on whitelists

2018-02-22 Thread Giovanni Bechis

On 02/22/18 15:34, Benny Pedersen wrote:
> Benny Pedersen skrev den 2018-02-21 17:55:
>> David Jones skrev den 2018-02-21 17:41:
>>
>>> I have that same code in my DKIM.pm and I am running 3.4.1.  Maybe the
>>> size acceptable for whitelisting is different from the DKIM_VALID
>>> check?
>>
>> minimal key bits could be a plugin test yes, but imho it never made to do 
>> this
>>
>>> Does the check_dkim_valid function need to also check for the
>>> dkim_minimum_key_bits size to consider it DKIM_VALID?
>>
>> i cant figure out where problem is either, since i am more a comal
>> programmer than a perl :=)
>>
>> DKIM_VALID and DKIM_VALID_AU should not give pass if minimal key bits is to 
>> low
> 
> sub check_dkim_valid {
>   my ($self, $pms, $full_ref, @acceptable_domains) = @_;
>   $self->_check_dkim_signature($pms)  if !$pms->{dkim_checked_signature};
>   my $result = 0;
>   if (!$pms->{dkim_valid}) {
> # don't bother
>   } elsif (!@acceptable_domains) {
> $result = 1;  # no additional constraints, any signing domain will do,
>   # also any signing key size will do
>   } else {
> $result = $self->_check_dkim_signed_by($pms,1,0,\@acceptable_domains);
>   }
>   return $result;
> }
> 
> there we go :(
> 
> dkim signed should be any key bits allowed, but dkim valid should not allow 
> under minimal key bits

$self->_check_dkim_signed_by already checks for minimal key bits

 Giovanni


Re: Junk mixed in with ham on whitelists

2018-02-21 Thread Giovanni Bechis
On 02/21/18 00:24, Benny Pedersen wrote:
> David Jones skrev den 2018-02-21 00:14:
> 
>> https://pastebin.com/mjvB0MKg  (scored 10.96)
>> -0.10    DKIM_VALID    Message has at least one valid DKIM or DK signature
> 
> Authentication-Results: smtp3i.ena.net;
> dkim=policy reason="signing key too small" (768-bit key) 
> header.d=mails-express.com header.i=@mails-express.com header.b="Mv82gS9m"
> 
> why different results ?

I have those result on my laptop for that message and T_DKIM_INVALID is 
triggered.

X-Spam-Checker-Version: SpamAssassin 4.0.0-r1823176 (2018-02-05) on 
bigio.paclan.it
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=5.0 tests=DKIM_SIGNED,HTML_MESSAGE,
RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_PASS,T_DKIM_INVALID 
autolearn=no
autolearn_force=no version=4.0.0-r1823176
X-Spam-ASN: AS46606 69.89.16.0/20
X-Spam-Report: 
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, 
no
*  trust
*  [69.89.18.3 listed in list.dnswl.org]
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
*  [69.89.18.3 listed in wl.mailspike.net]
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*  valid
*  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
X-Spam-Relay-Country: US ** US



Re: Email filtering theory and the definition of spam

2018-02-08 Thread Giovanni Bechis
On 02/08/18 16:23, David Jones wrote:
> On 02/07/2018 06:28 PM, Dave Warren wrote:
>> On Wed, Feb 7, 2018, at 15:52, Martin Gregorie wrote:
>>>> Technically, you asked for the email and they have a valid opt-out
>>>> process that will stop sending you email.  Yes, the site has scummy
>>>> practices but that is not spam by my definition.

>>> Yes, under EU/UK that counts as spam because the regulations say that
>>> the signer-upper must explicitly choose to receive e-mail from the
>>> site, and by-default sign-in doesn't count as 'informed sign-in'.
>>
>> Canadian law is the same, this is absolutely spam without any ambiguity.
>>
> 
> But how can you tell the difference based on content then?  You can't. Two 
> different senders could send the exact same email and one could be spam from 
> tricking the recipient to opt-in and another could be ham the recipient 
> consciously opted into.
> 
> This would have to be blocked or allowed based on reputation.  One would 
> train the message as spam in their Bayes database and allow trusted senders 
> via something like a domain whitelist, URI whitelist, or a whitelist_auth 
> entry.
> 
> We are back to needing a curated WL based on something like DKIM.  Alex just 
> made me aware of http://dkimwl.org/ which looks brilliant.  Exactly lines up 
> with how I filter and what I have been wanting to do for a couple of years 
> now.  A community-driven clearing house for trusted senders.
> 
dkimwl.org looks promising, but tell them their https cert has expired.
 Giovanni 


Re: SA-Update error "failed to run FORGED_GMAIL_RCVD test"

2018-01-30 Thread Giovanni Bechis
On 01/30/18 12:43, A. Schulze wrote:
> 
> Hello all,
> 
> shortly (since around 09:30 UTC) I get such notifications on sa-update:
> 
> rules: failed to run FORGED_GMAIL_RCVD test, skipping:
> (Can't locate object method "check_for_forged_gmail_received_headers" via 
> package "Mail::SpamAssassin::PerMsgStatus" at (eval 1277) line 253.
> )
> channel: lint check of update failed, channel failed
> 
> 
> looks like the new version "1822617" is `other the former releases` :-)
> 
Just spotted by others,
this diff fixes the problem:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7540
 Giovanni


> Here some logs.
> 
> Jan 30 12:37:24.803 [21958] dbg: rules: ran header rule __HAS_MSGID ==> 
> got hit: "<"
> Jan 30 12:37:24.804 [21958] dbg: rules: ran header rule __SANE_MSGID ==> 
> got hit: "<1517312243@lint_rules>
> Jan 30 12:37:24.804 [21958] dbg: rules: [...] "
> Jan 30 12:37:24.804 [21958] dbg: rules: ran header rule __TO_NO_ARROWS_R 
> ==> got hit: "3.4"
> Jan 30 12:37:24.804 [21958] dbg: rules: ran header rule __HAS_FROM ==> 
> got hit: ""
> Jan 30 12:37:24.805 [21958] dbg: rules: running head_eval tests; score so 
> far=0
> Jan 30 12:37:24.806 [21958] dbg: rules: run_eval_tests - compiling eval code: 
> 9, priority 0
> Jan 30 12:37:24.811 [21958] dbg: FreeMail: RULE (FREEMAIL_FROM) 
> check_freemail_from
> Jan 30 12:37:24.811 [21958] dbg: FreeMail: all from-addresses: 
> ign...@compiling.spamassassin.taint.org
> rules: failed to run FORGED_GMAIL_RCVD test, skipping:
>     (Can't locate object method "check_for_forged_gmail_received_headers" 
> via package "Mail::SpamAssassin::PerMsgStatus" at (eval 1279) line 271.
> )
> Jan 30 12:37:24.812 [21958] dbg: FreeMail: RULE (__freemail_reply) 
> check_freemail_replyto
> Jan 30 12:37:24.812 [21958] dbg: FreeMail: From address: 
> ign...@compiling.spamassassin.taint.org
> Jan 30 12:37:24.812 [21958] dbg: FreeMail: No Reply-To and From is not 
> freemail, skipping check
> Jan 30 12:37:24.812 [21958] dbg: rules: ran eval rule NO_RELAYS ==> got 
> hit (1)
> Jan 30 12:37:24.813 [21958] dbg: rules: ran eval rule 
> __GATED_THROUGH_RCVD_REMOVER ==> got hit (1)
> 
> SA-Version: 3.4.1
> perl-Version: 5.01 (old, yes, I know ...)
> 
> 
> 
> 
> Andreas
> 



Re: (was: FORGED_HOTMAIL_RCVD2 false positive) Can't locate object method "check_for_forged_gmail_received_headers" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 1360) line 1587.

2018-01-30 Thread Giovanni Bechis
On 01/30/18 10:11, Marcin Mirosław wrote:
> W dniu 29.01.2018 o 08:26, Giovanni Bechis pisze:
>> On 01/29/18 06:00, Alex wrote:
>>> Hi,
>>>
>>>> FORGED_HOTMAIL_RCVD2 (hotmail.com 'From' address, but no 'Received:')
>>>> triggers for valid hotmail messages...  (SA 3.4.1)
>>>>
>>>> This small change solves the problem but i do not know whether it is the
>>>> correct way...maybe "hotmail" string should be changed widelly to
>>>> "outlook|hotmail"...
>>>>
>>>> /usr/local/share/perl/5.14.2/Mail/SpamAssassin/Plugin/HeaderEval.pm.orig
>>>> 357c357
>>>> <   if ($rcvd =~ /from \S*\.hotmail.com \(\[$IP_ADDRESS\][ \):]/ && $ip)
>>>> ---
>>>>>   if ($rcvd =~ /from \S*\.(?:outlook|hotmail)\.com \(\[$IP_ADDRESS\][
>>>>> \):]/ && $ip)
>>>
>>> Any status on this? I believe you were going to open a bug report? It
>>> doesn't appear this fix (or any fix) has been included to address the
>>> hotmail fp's.
>>>
>> Committed yesterday by davej@
>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7534
> 
> 
> Hi!
> Can error pasted below be related to this commit?
> # sa-update -vD
> [...]
> sty 30 10:10:00.540 [3276] dbg: FreeMail: RULE (__freemail_reply)
> check_freemail_replyto
> sty 30 10:10:00.540 [3276] dbg: FreeMail: From address:
> ign...@compiling.spamassassin.taint.org
> sty 30 10:10:00.540 [3276] dbg: FreeMail: No Reply-To and From is not
> freemail, skipping check
> rules: failed to run FORGED_GMAIL_RCVD test, skipping:
> (Can't locate object method
> "check_for_forged_gmail_received_headers" via package
> "Mail::SpamAssassin::PerMsgStatus" at (eval 1360) line 1587.
> )
> sty 30 10:10:00.540 [3276] dbg: rules: running body tests; score so
> far=0.914
> [...]
> "check_for_forged_gmail_received_headers" is only available on 3.4.2, this 
> fixes the issue.
  Giovanni
Index: rules/20_head_tests.cf
===
--- rules/20_head_tests.cf	(revision 1822623)
+++ rules/20_head_tests.cf	(working copy)
@@ -475,8 +475,10 @@
 header FORGED_YAHOO_RCVD	eval:check_for_forged_yahoo_received_headers()
 describe FORGED_YAHOO_RCVD	'From' yahoo.com does not match 'Received' headers
 
+if (version >= 3.004002)
 header FORGED_GMAIL_RCVD	eval:check_for_forged_gmail_received_headers()
 describe FORGED_GMAIL_RCVD	'From' gmail.com does not match 'Received' headers
+endif
 
 header __FORGED_JUNO_RCVD	eval:check_for_forged_juno_received_headers()
 
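Review bot: the `if (version >= 3.004002)` guard carries no comment saying why it exists; a one-line `#` comment above it noting that `check_for_forged_gmail_received_headers` is only available from 3.4.2 (as the lint errors quoted above show for 3.4.1) would spare the next reader a trip to the bug tracker. The guard correctly wraps both the `header` and the `describe` line, so a 3.4.1 install no longer compiles the eval; it is worth checking whether a `score FORGED_GMAIL_RCVD` line in another rules file needs the same guard, since it would otherwise refer to a rule that does not exist on 3.4.1.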

