Re: rbl for smtp auth hosts

2023-09-15 Thread Riccardo Alfieri

On 15/09/23 17:51, Reindl Harald (privat) wrote:

limit the connections per hour on smtp-ports with iptables xt_recent 
and configure postfix properly


anvil_rate_time_unit   = 1800s
smtpd_client_connection_rate_limit = 100
smtpd_client_recipient_rate_limit  = 400
smtpd_client_message_rate_limit    = 400
smtpd_recipient_limit  = 100

Won't help much if you have 100k different IPs connecting, and you also
have high-volume legit customers


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: rbl for smtp auth hosts

2023-09-15 Thread Riccardo Alfieri

On 15/09/23 17:49, Marc wrote:


Is this a freely available list?

It's included in all DQS accounts, free ones too

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: rbl for smtp auth hosts

2023-09-15 Thread Riccardo Alfieri

On 15/09/23 17:35, Matus UHLAR - fantomas wrote:



On 15.09.23 15:31, Riccardo Alfieri wrote:
Yes, at previous $dayjob. Applied on the submission MSA, it proved to 
be useful in mitigating the fallout when users got their credentials 
compromised.


can you describe it more?

Well, I checked the connecting IP of a client against AuthBL *before*
"permit_sasl_authenticated" (IIRC) in Postfix, and when users got their
credentials compromised (that happened more times than I would have
liked) I'd say more than 95% of connections from the auth-abusing botnet
were denied. This mitigated a lot of the spam exiting from our outbounds
and helped us not end up listed in the more "trigger happy"
DNSBLs around :)


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: rbl for smtp auth hosts

2023-09-15 Thread Riccardo Alfieri

On 15/09/23 17:01, Marc wrote:


Anyone have any experience with a dns blacklist specific to known smtp auth 
abuse?
Yes, at previous $dayjob. Applied on the submission MSA, it proved to be 
useful in mitigating the fallout when users got their credentials 
compromised.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: Which commercial engine to combine with SpamAssassin?

2023-03-24 Thread Riccardo Alfieri

Apologies, this was meant to be a direct email to Alessio...

On 24/03/23 11:33, Riccardo Alfieri wrote:


Good morning Alessio,

if you're interested, we have a plugin for SA
(https://github.com/spamhaus/spamassassin-dqs) and commercial
subscriptions to access non-public feeds.


If you're interested, let me know and I'll put you in touch with someone from sales.

Cheers

On 24/03/23 09:12, Alessio Cecchi wrote:


Hi,

we were using the Cyren SDK with a custom plugin for SpamAssassin, 
now we are looking for an alternative commercial SDK engine to 
combine with our SpamAssassin.


I know that Cloudmark have a plugin for SpamAssassin but in the past 
I remember it was more expensive than Cyren.


MailShell have an SDK for antispam and I will probably contact them.

Do you know any other companies developing an antispam SDK to be 
combined with spamassassin?


Thanks

--
Alessio Cecchi
Postmaster @http://www.qboxmail.it
https://www.linkedin.com/in/alessice


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/


Re: Which commercial engine to combine with SpamAssassin?

2023-03-24 Thread Riccardo Alfieri

Good morning Alessio,

if you're interested, we have a plugin for SA
(https://github.com/spamhaus/spamassassin-dqs) and commercial
subscriptions to access non-public feeds.


If you're interested, let me know and I'll put you in touch with someone from sales.

Cheers

On 24/03/23 09:12, Alessio Cecchi wrote:


Hi,

we were using the Cyren SDK with a custom plugin for SpamAssassin, now 
we are looking for an alternative commercial SDK engine to combine 
with our SpamAssassin.


I know that Cloudmark have a plugin for SpamAssassin but in the past I 
remember it was more expensive than Cyren.


MailShell have an SDK for antispam and I will probably contact them.

Do you know any other companies developing an antispam SDK to be 
combined with spamassassin?


Thanks

--
Alessio Cecchi
Postmaster @http://www.qboxmail.it
https://www.linkedin.com/in/alessice


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/


Re: Install plugins into embedded spamassassin

2023-02-27 Thread Riccardo Alfieri
If you'd like you can take inspiration from the instructions the Zimbra 
people wrote for our own plugin here: 
https://wiki.zimbra.com/wiki/Spamhaus_HBL


Just use the correct file name for yours and you should be fine

On 25/02/23 15:30, hg user wrote:

Hi,
I'd like to install at least one plugin in my embedded spamassassin, 
installed inside Zimbra.

I'm a bit afraid of breaking stuff, about missing dependencies and so on.

I'm on SA 3.4.5 and - as a test - I'd like to install ESP plugin.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/


Re: RCVD_IN_SBL_CSS FP

2023-01-11 Thread Riccardo Alfieri
46.183.103.8 is listed because it's an emitter of spam; it has been
HELOing with "host-41.36.37.63.tedata.net" and it is hitting traps. I
could tell you exactly what botnet family this type of HELO comes
from, but I can't. Believe me, that host is infected.


So you have an emitter that is infected by something, sending both good 
and bad traffic. We signal that by giving it a "3" score, and I don't 
know where you get that 3.6 score, as we define that by


sh_scores.cf:  score    RCVD_IN_SBL_CSS 3

If math doesn't fail me, 3 is less than 3.6 , and the total would have 
scored less than 5, so, from my POV, "working as expected"


There are also SPF_NONE and SPF_HELO_NONE that, in the standard SA (3.4.6)
rules updated as of yesterday, both score 0.001 instead of 1.6. I can't
understand the logic of assigning a score so high just for *not* having
an SPF record, and I hope you didn't do it on purpose.


Of course, if you are not using DQS (meaning you are using Spamhaus 
public mirrors), you are on your own.


PSA: everyone using public mirrors should switch to free DQS

On 11/01/23 19:43, Benny Pedersen wrote:

Riccardo Alfieri skrev den 2023-01-11 18:36:

No.

it checks if an emission is done by an IP that is listed in SBL, and
add 3 points if it is (in our DQS implementation at least). IPs listed
in SBL are deemed "bad" by default, so an emission from them, even if
it's not direct to mx, is bad enough.

If you found an FP I encourage you to open a ticket through
https://check.spamhaus.org/ . We review all FPs and act accordingly.
On 11/01/23 17:56, Benny Pedersen wrote:


it should only check received last ip, not deep all ips :/

 -lastexternal is done by ZEN


X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on 
localhost.junc.eu

X-Spam-Flag: YES
X-Spam-Level: *
X-Spam-Status: Yes, score=5.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,DMARC_PASS,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,
RCVD_IN_MSPIKE_WL,RCVD_IN_SBL_CSS,RELAYCOUNTRY_GREY,SPF_HELO_NONE,
SPF_NONE shortcircuit=no autolearn=no autolearn_force=no 
version=4.0.0

X-Spam-Report:
* -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at 
https://www.dnswl.org/, low

*  trust
*  [168.100.1.4 listed in list.dnswl.org]
*  3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
*  [46.183.103.8 listed in zen.spamhaus.org]
*  1.6 SPF_NONE SPF: sender does not publish an SPF Record
*  0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
*  [168.100.1.4 listed in wl.mailspike.net]
*  1.6 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not 
necessarily

*  valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from 
author's

*   domain
*  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
*  0.1 RELAYCOUNTRY_GREY Relayed through at some point
*  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd 
level mail

*  domains are different
* -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen 
list

*  manager
* -0.1 DMARC_PASS DMARC pass policy
X-Spam-AWL: AWL= MEAN= COUNT= PRESCORE=
X-Spam-Relay-Country: US ** ** ** ** DE DE
X-Spam-ASN: AS3700 168.100.0.0/22
X-Fuglu-Incomingport: 10025
X-Fuglu-Suspect: 6a8f891e8b134a9f92cd83617788ebc7
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from russian-caravan.cloud9.net (russian-caravan.cloud9.net 
[168.100.1.4])

by mx.junc.eu (Postfix) with ESMTPS
for ; Wed, 11 Jan 2023 15:58:34 +0100 (CET)



/var/lib/spamassassin/4.00/spamassassin_snb_it/20_ITA.cf: 
header    __ITA_RCVD_IN_SENDERSCORE_0_29 
eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
/var/lib/spamassassin/4.00/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header 
__RCVD_IN_HOSTKARMA 
eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
/var/lib/spamassassin/4.00/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header 
RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', 
'127.0.0.1')
/var/lib/spamassassin/4.00/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header 
RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', 
'127.0.0.2')
/var/lib/spamassassin/4.00/kam_sa-channels_mcgrail_com/nonKAMrules.cf:header 
RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', 
'127.0.0.4')
/var/lib/spamassassin/4.00/updates_spamassassin_org/20_dnsbl_tests.cf:header 
RCVD_IN_SORBS_DUL    eval:check_rbl('sorbs-lastexternal', 
'dnsbl.sorbs.net.', '127.0.0.10')
/var/lib/spamassassin/4.00/updates_spamassassin_org/20_dnsbl_tests.cf:header 
RCVD_IN_XBL  eval:check_rbl('zen-lastexternal', 
'zen.spamhaus.org.', '^127\.0\.0\.

Re: RCVD_IN_SBL_CSS FP

2023-01-11 Thread Riccardo Alfieri

No.

it checks if an emission is done by an IP that is listed in SBL, and add 
3 points if it is (in our DQS implementation at least). IPs listed in 
SBL are deemed "bad" by default, so an emission from them, even if it's 
not direct to mx, is bad enough.


If you found an FP I encourage you to open a ticket through 
https://check.spamhaus.org/ . We review all FPs and act accordingly.


On 11/01/23 17:56, Benny Pedersen wrote:


it should only check received last ip, not deep all ips :/

-lastexternal is done by ZEN

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/


Re: DQS rules for SA 4.0.0+

2022-12-28 Thread Riccardo Alfieri

On 28/12/22 15:15, Henrik K wrote:



Maybe would be even good idea to use something like this:

ifplugin Mail::SpamAssassin::Plugin::HashBL
   
else
   error: Please activate HashBL plugin in v342.pre
endif
I think I'll just add the ifplugin condition in the two .cf files and
add a note in the README. No reason to overengineer something that
should be working by default, as it is in a stock SA installation.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: DQS rules for SA 4.0.0+

2022-12-28 Thread Riccardo Alfieri

On 28/12/22 14:44, Henrik K wrote:


It is enabled by default for new installs in v342.pre (old users must enable
it manually).  But like with any other loadable plugin, one MUST use
"ifplugin" to check that it's loaded.

Ok, thanks for the clarification.

Would you then suggest to add also a:

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

to the .cf files where check_rbl , urirhssub etc are used?

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: DQS rules for SA 4.0.0+

2022-12-28 Thread Riccardo Alfieri

On 28/12/22 14:20, Kevin A. McGrail wrote:


Do you have hashbl plugin enabled?



Ah, I thought it was enabled by default in SA 4.0.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: DQS rules for SA 4.0.0+

2022-12-28 Thread Riccardo Alfieri
Looks like you didn't replace the DQS key in the template, as it's 
outlined in the README.


You also have a lot of parsing errors that are not normal (\t should be
a tab; don't know why your system renders that badly)


On 28/12/22 14:17, Benny Pedersen wrote:
Dec 28 14:12:09.837 [1461] warn: config: failed to parse line in 
/etc/mail/spamassassin/sh.cf (line 71): 
urirhssub\tSH_BODYURI_REVERSE_SBL\tyour_DQS_key.zen.dq.spamhaus.net.\tA 
127.0.0.2



--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/


Re: SA4 spamhaus/DQS "async: aborting" log messages?

2022-12-20 Thread Riccardo Alfieri
Probably asking the obvious, but you did actually substitute
"your_dqs_key" with your *actual* DQS key, right?


On 20/12/22 17:26, PGNet Dev wrote:


Tue Dec 20 11:16:28 2022 [54384] info: async: aborting after 13.670 s, 
deadline shrunk: HASHBL, 
A/compiling.spamassassin.taint.org.your_dqs_key.dbl.dq.spamhaus.net, 
rules: SH_DBL_HEADERS



--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/
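The DQS threads above show three ways a freshly installed ruleset fails before it ever queries anything: the "your_dqs_key" placeholder left in the template, a literal backslash-t where the .cf needs a real tab (the "failed to parse line" warning), and HashBL/URIDNSBL eval functions used outside an "ifplugin" guard. The linter below is an added example in Python, not part of the spamassassin-dqs plugin or of SpamAssassin; the sample fragment, the SH_EXAMPLE_* rule names, the 26-letter key and the zone names in it are constructed, and the keyword-to-plugin table follows the SpamAssassin plugin documentation (urirhssub/uridnsbl from URIDNSBL, check_rbl* from DNSEval, check_hashbl_* from HashBL).

```python
"""Lint a spamassassin-dqs style .cf file for the three mistakes seen in the
threads: an unreplaced key placeholder, a literal "\t" instead of a tab,
and plugin eval functions used outside an ifplugin guard. Added example."""
import re

PLACEHOLDER = re.compile(r"your_dqs_key", re.IGNORECASE)
LITERAL_TAB = "\\t"  # the two characters backslash and 't', not a tab

# Rule keywords and the plugin that provides them (SpamAssassin plugin docs).
PROVIDER = {
    "urirhssub": "Mail::SpamAssassin::Plugin::URIDNSBL",
    "urirhsbl": "Mail::SpamAssassin::Plugin::URIDNSBL",
    "uridnsbl": "Mail::SpamAssassin::Plugin::URIDNSBL",
    "check_uridnsbl": "Mail::SpamAssassin::Plugin::URIDNSBL",
    "check_rbl_sub": "Mail::SpamAssassin::Plugin::DNSEval",
    "check_rbl": "Mail::SpamAssassin::Plugin::DNSEval",
    "check_hashbl_emails": "Mail::SpamAssassin::Plugin::HashBL",
    "check_hashbl_uris": "Mail::SpamAssassin::Plugin::HashBL",
    "check_hashbl_bodyre": "Mail::SpamAssassin::Plugin::HashBL",
}
KEYWORD = re.compile(r"\b(" + "|".join(map(re.escape, PROVIDER)) + r")\b")


def lint_dqs_cf(text: str) -> list:
    """Return [(line_number, message), ...] for each problem found."""
    findings = []
    guards = []  # plugins named by the enclosing ifplugin blocks
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("ifplugin "):
            guards.append(line.split(None, 1)[1].strip())
            continue
        if line == "else":
            # inside 'else' the named plugin is known to be absent
            if guards:
                guards[-1] = "!" + guards[-1]
            continue
        if line == "endif":
            if guards:
                guards.pop()
            else:
                findings.append((n, "endif without matching ifplugin"))
            continue
        if LITERAL_TAB in raw:
            findings.append((n, "literal backslash-t instead of a tab; "
                                "SA reports 'failed to parse line' on this"))
        if PLACEHOLDER.search(line):
            findings.append((n, "DQS key placeholder not replaced"))
        m = KEYWORD.search(line)
        if m and PROVIDER[m.group(1)] not in guards:
            findings.append((n, f"{m.group(1)} used outside "
                                f"'ifplugin {PROVIDER[m.group(1)]}'"))
    if guards:
        findings.append((len(lines), f"unterminated ifplugin {guards[-1]}"))
    return findings


# Constructed fragment in the layout of the DQS template; rule names, key and
# zone names are made up for this example, not copied from sh.cf.
SAMPLE_CF = """\
# example only
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub  SH_EXAMPLE_DBL_SPAM  your_DQS_key.dbl.dq.spamhaus.net.  A 127.0.1.2
endif
urirhssub\\tSH_EXAMPLE_REVERSE_SBL\\tabcdefghijklmnopqrstuvwxyz.zen.dq.spamhaus.net.\\tA 127.0.0.2
header  SH_EXAMPLE_HBL  eval:check_hashbl_emails('abcdefghijklmnopqrstuvwxyz.hbl.dq.spamhaus.net.')
ifplugin Mail::SpamAssassin::Plugin::HashBL
header  SH_EXAMPLE_HBL_OK  eval:check_hashbl_emails('abcdefghijklmnopqrstuvwxyz.hbl.dq.spamhaus.net.')
endif
"""

if __name__ == "__main__":
    for lineno, msg in lint_dqs_cf(SAMPLE_CF):
        print(f"line {lineno}: {msg}")
```

Run it against your real sh.cf (and any other .cf shipped with the plugin) after substituting the key and before restarting spamd; a clean run does not prove the rules hit, but every line it flags is one that will either never query or make spamd refuse the file.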


Re: How to incorporate network blocks

2022-11-10 Thread Riccardo Alfieri



Hi,

I can't speak for the other feeds, but for ours (DROP), if you register a
DQS key and install our plugin it would work out of the box




On 10/11/22 17:54, Joey J wrote:


I'm trying to incorporate:
feeds.dshield.org/block.txt
spamhaus.org/drop/drop.lasso
ciarmy.com/list/ci-badguys.txt
openbl.org/lists/base.txt



--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/


Re: Spamhaus DQS usage portal update frequency?

2022-11-10 Thread Riccardo Alfieri

Hi,

the graph is daily usage over the last 14 days, so it is updated daily 
with usage from the previous 24 hours.


On 09/11/22 19:54, AJ Weber wrote:

Does anyone know how often the DQS usage tab is updated by Spamhaus?

I believe my SA was misconfigured, and didn't have anything showing 
for usage.  I think this is fixed now and sent test emails from their 
"Blocklist Tester Verification" tool.  All emails were correctly 
categorized as SPAM, and I see the relevant headers referring to the 
Spamhaus rules in them.


However, I still do not see any usage reflected in the portal at all.  
So I'm just trying to determine whether my config is correct now.


Thanks in advance,

AJ


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/


SA 4.0 and DQS

2022-10-12 Thread Riccardo Alfieri

Good morning,

If anyone is interested, I have a ruleset for DQS that works with (at 
least) SpamAssassin 4.0rc2


I'm not going to publish an official ruleset for 4.0 on our Github page 
until SA reaches release status, but if you have a production server 
with SA 4.0rc* and want to test DQS, contact me offlist.


I have only a test server and because of this some real world feedback 
would be very appreciated! Thanks!


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/   



[Spamhaus Notice] Reminder about the new DBL entering production tomorrow

2022-01-31 Thread Riccardo Alfieri

Hello,

the production version of the Spamhaus Domain Blocklist (DBL) with 
hostnames will go live tomorrow at 12.00 hrs UTC. This will happen 
automatically, with no changes required to the zone you query, unless 
you changed to query dbl-beta.spamhaus.org.


We hope you benefit from the increased accuracy.

If you haven’t already done so, we recommend updating your plug-in to 
this version: https://github.com/spamhaus/spamassassin-dqs


Thanks again to all those who tested and provided feedback for the beta 
version. Please remember that if you changed your config to query, 
dbl-beta.spamhaus.org, this needs to be updated to query the production 
DBL, as dbl-beta.spamhaus.org will not be available after February 15th, 
2022.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/


[Spamhaus notice] Service update for users of Spamhaus Project's DNSBLs who query via Cloudflare DNS

2022-01-27 Thread Riccardo Alfieri

Hello,

If you currently use The Spamhaus Project's free DNSBLs and make queries 
via Cloudflare DNS resolvers, you need to change your configuration. 
This will ensure you don't have any interruption to your service.


As of Tue, February 15th, the Project will begin restricting access to 
its blocklists for those querying via Cloudflare DNS.


Why? The Spamhaus Project's Terms of Use 
(https://www.spamhaus.org/organization/dnsblusage/) outline that it 
doesn't allow users to query via DNS resolvers where there is no 
attributable reverse DNS; this includes Cloudflare.


This is to protect the free service for those it's intended for, i.e., 
non-commercial low-volume users. Some organizations try to hide behind 
unattributable DNS and make queries outside the Fair Use Principles, 
reducing the quality of the service for everyone.


To keep being protected by free DNSBLs and avoid issues with your email 
stream, we recommend that Cloudflare users start accessing the 
blocklists via the free Data Query Service (DQS), which you can sign up 
for here: 
https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/


Changing your configuration should only take a matter of minutes. Once 
you've signed up and verified your email address, you will get access to 
a "DQS key" to include in your configuration. These config changes take 
only minutes; see our technical docs 
(https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/index.html) 
for more detail.


To provide a clear signal to users that the Project's DNSBLs are not 
protecting their email, Spamhaus will return an error code; 
127.255.255.254. If you haven't set up your email servers to accept this 
error code, all emails could be rejected and returned to their sender.


To ensure you continue being protected, for free, with our IP and domain 
DNSBLs, please move to the DQS.


If you have any questions regarding these changes, please use the 
contact form here: https://www.spamhaus.com/#contact-form


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/


Re: A lot a false negatives

2022-01-19 Thread Riccardo Alfieri

On 19/01/22 16:35, Xavier Humbert wrote:


X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5.5

tests=[AWL=0.642, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1,
MIME_QP_LONG_LINE=0.001, SPF_FAIL=0.001, SPF_HELO_NONE=0.001]
autolearn=ham autolearn_force=no


It looks like your bayes db is poisoned/not trained correctly.

Best course of action, IMO, is to delete it and restart training from 
scratch, with a decent corpus of ham and spam


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/


Re: [Spamhaus notice] New plug-in is now available for use with Spamhaus Domain Blocklist with hostnames which goes into production on February 1st.

2022-01-11 Thread Riccardo Alfieri

On 11/01/22 16:14, Larry Rosenman wrote:



will spamhaus-dqs be updated with this?  or should I change FreeBSD to 
pull this branch?


Yes, it will be updated as soon as the new DBL enters production

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: [Spamhaus notice] New plug-in is now available for use with Spamhaus Domain Blocklist with hostnames which goes into production on February 1st.

2022-01-11 Thread Riccardo Alfieri

On 11/01/22 14:50, AJ Weber wrote:


Sorry for not having followed as closely as maybe I should have, but...

Is there a list of "legacy" Spamhaus cf/pm/plugin entries we would 
remove if we were to install the new DBL plug-in?  I don't see 
anything on the github page, but maybe it's documented elsewhere?



Hello,

you won't need to remove anything, it should just work (TM)

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



[Spamhaus notice] New plug-in is now available for use with Spamhaus Domain Blocklist with hostnames which goes into production on February 1st.

2022-01-11 Thread Riccardo Alfieri
As promised, here is the new release of the Spamhaus plug-in. This will 
help you easily integrate Spamhaus’ Domain Blocklist (DBL) with 
hostnames into your email infrastructure when the revised blocklist goes 
into production from February 1st. You can update your configuration 
with this newly released plug-in before the blocklist goes into production.


The plugin is available here: 
https://github.com/spamhaus/spamassassin-dqs/tree/dbl-beta


Reminder: If you have changed your configuration to test the beta DBL, 
you will need to update your config to use the production DBL, which 
goes live on February 1st. If you are currently using the beta version 
of this plug-in, please do not switch to using this production version 
until February 1st. We will continue to make the beta zone available for 
two further weeks giving you additional time to make any required changes.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: [Spamhaus Notice] Reminder of changes to the Spamhaus beta Domain Blocklist & request for feedback

2022-01-04 Thread Riccardo Alfieri

On 04/01/22 13:38, Dominic Raferd wrote:



reject_rhsbl_sender 
redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]
reject_rhsbl_reverse_client 
redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]

reject_rhsbl_helo redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]


A quick addon to what I wrote before..  I noticed that you are using the 
wrong hostname :) The correct one, for the time being and up until the 
beta ends, is dbl-beta.spamhaus.org


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: [Spamhaus Notice] Reminder of changes to the Spamhaus beta Domain Blocklist & request for feedback

2022-01-04 Thread Riccardo Alfieri

On 04/01/22 13:38, Dominic Raferd wrote:

I haven't tried using the new plug-in with SA, but I have been using 
the list in a postfix restriction list (in place of 
redacted.dbl.dq.spamhaus.net) on several of my mailservers:


reject_rhsbl_sender 
redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]
reject_rhsbl_reverse_client 
redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]

reject_rhsbl_helo redacted.dbl-beta.dq.spamhaus.net=127.0.[0..2].[0..255]

Since I started in early December 2021 these restrictions have not 
caught any incoming mail, whereas the same but using 
dbl.dq.spamhaus.net on another of my mail servers continue to pick up 
many (with minimal fps).


Am I doing something wrong, or is this expected behaviour?


Hi,

you are not supposed to use the abused-legit component of DBL in 
Postfix, because the target of that DNSBL is to list abused websites 
mostly seen in the email body, that are often used as redirectors to 
more spammy domains. Doing the rejections your way can unfortunately 
only lead to more FPs


The correct way to do it is by checking the URLs in the email body, 
either by using our plugin or in some other ways.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: [Spamhaus Notice] Reminder of changes to the Spamhaus beta Domain Blocklist & request for feedback

2021-12-16 Thread Riccardo Alfieri

Hi Grant,

On 15/12/21 22:42, Grant Taylor wrote:


I've noticed a small down turn in the amount of spam entering my 
personal systems.  My personal systems are small enough that I don't 
have good counters of before / after to share.

Good to hear


Will free / non-commercial DQS subscribers need to do anything other 
than upgrading the plugin come January 11th?

You will just need to update the plugin


Am I correct in assuming that you will be sending out notification(s) 
around the time you make the changes on January 11th?
We'll send probably another reminder before 11/01 , and for sure one on 
the 11th itself.


What will happen to the beta zone after the two week window?  Will it 
remain with increasingly stale data?  Will the zone be emptied to 
start answering as if nothing was listed?  Will it have a wildcard to 
start inducing false positives a la. fail hard / fail fast?  Again, 
just trying to set my expectations.
We'll follow what is suggested here: 
https://datatracker.ietf.org/doc/html/rfc6471#section-3.4


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/


[Spamhaus Notice] Reminder of changes to the Spamhaus beta Domain Blocklist & request for feedback

2021-12-15 Thread Riccardo Alfieri
We’d like to say a big “thank you” to all of you who have been testing 
the beta version of the Spamhaus Domain Blocklist (DBL) with hostnames.


How are you getting on with it? Have you encountered issues? Are you 
noticing a reduction in false positives with the abused-legit component 
of the DBL? How’s the plug-in (with the recommended configuration 
changes) working for you?


If you could find the time to let us know we would really appreciate it.

REMINDER - Access to the beta version of the DBL with hostnames is 
through the free Public Mirrors until January 31st, 2022. However, when 
it moves to production on February 1st, 2022, it will only be available 
via the Data Query Service (DQS) or rsync, i.e., not the Public Mirrors. 
The DQS is available for free to non-commercial users; 
https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/



This means that if you have changed your plug-in config to test the beta 
DBL you will need to upgrade it to use the production DBL. An updated 
plug-in will be released on Jan 11^th , 2022. We will continue to make 
the beta zone available for two weeks after the Production version of 
the blocklist goes live to provide time to ensure these config changes 
are made.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Invitation to test our latest beta domain blocklist

2021-11-17 Thread Riccardo Alfieri

Hi,

We’d like to invite the SpamAssassin community to test our beta domain 
blocklists with hostnames.


We’ve developed this version of the DBL to provide increased accuracy 
when using the abused-legit component of the DBL (listings of 
compromised websites). 
https://www.spamhaus.com/resource-center/hostnames-for-spamhaus-domain-blocklist/


The beta blocklist is available via our public mirrors 
“dbl-beta.spamhaus.org”. It will be available until Jan 31st, 2022. 
After this time, it will be moved to production and will only be 
available via our Data Query Service or rsync.


If you are a non-commercial user of the Spamhaus Project’s blocklists 
(via its Public Mirrors), we recommend moving to a free DQS account with 
access to additional blocklists. 
https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account/


For the SpamAssassin community using our specially developed plug-in, 
we’ve put together some configuration updates to use with this beta 
version; 
https://github.com/spamhaus/spamassassin-dqs/blob/master/HOWTO_DBL_with_hostnames.md. 
After making a few amendments and additions to the code, you will be able to
use the beta zone immediately.


We’d love to get your feedback on the beta DBL with hostnames. You can 
reach us either in this forum, via our contact form 
https://www.spamhaus.com/#contact-form, or on Twitter 
https://twitter.com/SpamhausTech.


Thanks for your support!

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/


Re: heads up for false uribl black hits

2021-05-20 Thread Riccardo Alfieri

On 20/05/21 18:59, Benny Pedersen wrote:




Is that not working correctly?


only place i find it https://spameatingmonkey.com/lookup/libera.chat


Hi,

by checking: http://multirbl.valli.org/lookup/libera.chat.html

it looks like that is indeed listed on URIBL too: 
http://lookup.uribl.com/?domain=libera.chat


Or at least it is *now*; maybe it comes and goes for some reason

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Enforcing of new return codes for Spamhaus RBLs

2021-02-15 Thread Riccardo Alfieri

On 14/02/21 16:09, RW wrote:



What does "generic unattributable rDNS" mean?

I presume it will block me because I'm querying through a VPN with no
rDNS for the shared egress IP address.

If I have the queries bypass the VPN, will it also block me for having
ISP dynamic pool rDNS.


Hello RW,

you are correct. That return code will be triggered if Spamhaus is
unable to identify who the original querier is, and with a VPN endpoint
that is most likely the case.


If you still need to do queries over VPN, then you can simply subscribe 
for a free DQS account, as DQS accounts are not blocked in any way, 
except if you go over quota.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Enforcing of new return codes for Spamhaus RBLs

2021-02-12 Thread Riccardo Alfieri

Hello everyone,

this is just a friendly heads up for everyone using our RBLs through the 
public mirrors. Beginning in March Spamhaus will start to enforce the 
return codes for these three new conditions announced in late 2019:


127.255.255.252 - Typing error in DNSBL Name
127.255.255.254 - Query via public/open resolver/generic unattributable rDNS
127.255.255.255 - Excessive Number of Queries

SpamAssassin already has the codes in its ruleset, so there is nothing
really to do except check the logs in March to see that you are not
hitting any of them.


Please see the article at
https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now
for more information


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: HEADS UP: SPAMCOP MIA

2021-01-31 Thread Riccardo Alfieri

On 1/31/21 8:28 PM, Arne Jensen wrote:

Spamhaus (blacklist) will return 127.255.255.x responses, if you're 
over quota, using public resolvers or otherwise incorrect queries.




Hi,

this is not completely true. As stated here:
https://www.spamhaus.org/news/article/788/spamhaus-dnsbl-return-codes-technical-update
we are giving 127.255.255.254 return codes if you are using a public
resolver, but this is not completely enforced.


This means that if you are using *very common* public resolvers (or if
your VM uses a common VPS provider's DNS) you'll get an NXDOMAIN response,
which will dramatically lower spam detection, while not giving a useful
response either. This had to be done because some (misconfigured) MTAs
interpret any response different from NXDOMAIN as "LISTED". And we
really don't want to cause unnecessary FPs.


We always recommend to register a free DQS key 
(https://www.spamhaus.com/product/data-query-service/), that will work 
even with *very common* open resolvers.


Our SpamAssassin plugin (https://github.com/spamhaus/spamassassin-dqs)
is written taking into account all of the different edge cases, and
everyone is encouraged to try it.


Sorry for vendor spam, but I felt this had to be outlined

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Update for Composite Blocklist (CBL) Users

2021-01-26 Thread Riccardo Alfieri

On 1/25/21 9:16 AM, Axb wrote:


Posting this to avoid surprises:

As of the first week of 2021, the Composite Blocklist (CBL) is being 
retired.


See:
https://www.spamhaus.org/news/article/803/


Hi,

thanks Axb for pointing this out, but, just to be clear, the CBL itself 
is not being retired in the sense that the data will not be available 
anymore.


CBL has been integrated in XBL (and thus in ZEN) for years, so the 
default SA setup is already ok to deal with this change, that is 
basically transparent for everyone using the default ruleset.


This is relevant only for people that have custom rules that directly 
query cbl.abuseat.org. If this is your case then please switch to 
xbl.spamhaus.org asap, and check if your query volume respects our terms 
and conditions (https://www.spamhaus.org/organization/dnsblusage/) 
because they are going to be enforced.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-07 Thread Riccardo Alfieri

Please use only the latest github package before submitting bugs.

We are really community focused, but, as already said, we can support 
only the latest release


On 07/10/20 15:04, Damian wrote:

That is indeed v1.0.1


It's old, 20190704


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-06 Thread Riccardo Alfieri

On 07/10/20 05:55, Chris wrote:


I checked my sh.cf in /etc/mail/spamassassin Riccardo and see no extra
'.' anywhere.


I tested your email in my 3.4.4 installation with DQS and I don't see 
issues.


So, if you want, send me your .cf files and I'll have a look at them, 
but before that be absolutely sure that you are running the latest rules 
from:


https://github.com/spamhaus/spamassassin-dqs

We only support the latest version

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-06 Thread Riccardo Alfieri

Hi Chris,



spamd[435769]: dns: new_dns_packet (domain=o279.send.iheartdogs.com..xx/dbl.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label



Can you check how the DQS lookups are defined in the .cf files?

The correct syntax would be, e.g.:

urirhssub URIBL_DBL_SPAM .dbl.dq.spamhaus.net. A 127.0.1.2

From what appears in the logs it may be that you have an extra dot 
somewhere, possibly before the DQS key


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
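Added example, not code from either post or from the Spamhaus plugin: a small Python helper that assembles a DQS lookup name the way the `urirhssub` line above does, refusing any name with an empty label (the "null label" spamd complains about when a stray dot ends up before the key), and that classifies the A-record answer so that the 127.255.255.x diagnostic codes discussed in the 2021-01-31 "SPAMCOP MIA" reply are never scored as a listing. `KEYPLACEHOLDER` and the sample answers are constructed values; the 127.255.255.0/24 range is treated as diagnostics on the strength of the thread, not of the plugin's own logic.

```python
"""Added example, not code from the mailing-list posts: assemble a DQS lookup
name as the urirhssub line does and classify the DNSBL answer. Zone and key
values are placeholders; the error-code handling follows the 127.255.255.x
codes discussed in the thread."""
import ipaddress
import re
from typing import Optional, Tuple

# A DNS label is 1..63 characters; an empty label is the "null label" error.
_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")


def build_query_name(lookup: str, key: str, zone: str) -> str:
    """Return '<lookup>.<key>.<zone>.' for a DQS query.

    `lookup` is the domain (or reversed IP) being checked, `zone` the suffix
    as written in the .cf file (e.g. '.dbl.dq.spamhaus.net.'). `key` is used
    verbatim so that a stray leading dot in the configured key surfaces as
    a ValueError instead of a silently failing lookup.
    """
    name = f"{lookup.strip('.')}.{key}.{zone.strip('.')}."
    for label in name.rstrip(".").split("."):
        if label == "":
            raise ValueError(f"domain name contains a null label: {name!r}")
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r} in {name!r}")
    return name


def classify_answer(addr: Optional[str]) -> Tuple[str, str]:
    """Map an A-record answer (None for NXDOMAIN) to (status, detail).

    Only answers inside 127.0.0.0/8 and outside 127.255.255.0/24 count as a
    listing; the 127.255.255.x codes (e.g. .254 for public resolvers) are
    diagnostics, and anything outside 127/8 means a broken or wildcarding
    resolver. Both cases must be ignored rather than scored as LISTED.
    """
    if addr is None:
        return ("not_listed", "NXDOMAIN")
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or ip not in ipaddress.ip_network("127.0.0.0/8"):
        return ("error", f"unexpected answer {addr}")
    if ip in ipaddress.ip_network("127.255.255.0/24"):
        return ("error", f"dnsbl diagnostic code {addr}")
    return ("listed", f"return code {addr}")


if __name__ == "__main__":
    # KEYPLACEHOLDER stands in for a real DQS key (constructed value).
    print(build_query_name("example.com", "KEYPLACEHOLDER", ".dbl.dq.spamhaus.net."))
    for answer in (None, "127.0.1.2", "127.255.255.254"):
        print(answer, classify_answer(answer))
```

Calling `build_query_name("example.com", ".KEYPLACEHOLDER", ".dbl.dq.spamhaus.net.")` reproduces the double-dot name from the log above and raises instead of sending a query that can only fail.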



Re: Zero-point garbage text that isn't caught by the small-font rules

2020-08-21 Thread Riccardo Alfieri

On 21/08/20 11:52, Matus UHLAR - fantomas wrote:



I have noticed those some time ago.
I wonder what's the point of sending such mail.

Perhaps trying to fool the bayesians? I remember some spam emails that 
cyclically appear (mostly dating spam) that have a lot of hidden text at 
the end of the body with just entire sentences from classic books or 
random common words chained.


Just a hypothesis :)

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Why the new changes need to be "depricated" forever

2020-07-23 Thread Riccardo Alfieri

On 23/07/20 16:53, Benny Pedersen wrote:



so rspamd can't make support to spamassassin rules without permission 
to change rules names ?, but they did, wonderful world of help each 
other
I think that rspamd's approach is correct. Rspamd just takes SA rules 
and uses them. It doesn't provide the rules, meaning that you most likely 
need to have an installation of at least sa-update on the same machine 
that runs rspamd to keep rules updated.
SA rules are also distributed under the Apache 2.0 license and I guess that 
license permits reuse of existing code in other projects, but IANAL :)


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Thanks to Guardian Digital & LinuxSecurity for the nice post about SpamAssassin's upcoming change

2020-07-22 Thread Riccardo Alfieri

On 22/07/20 16:00, RW wrote:



I'd missed that it was your testing. So when testing speed did you
measure throughput with enough concurrent tests and spamd child
processes to keep all the CPU cores fully occupied?


I have two VMs with same HW (2vCPU, 4GB RAM), one SA 3.4.4 and one 
Rspamd 2.6, being fed by the same mail stream (20-30k mail/day).


Rspamd is, I'd say, more than 50% lighter on CPU and memory. And also 
orders of magnitude quicker in doing checks. But to truly compare SA and 
Rspamd you should run Rspamd with the SpamAssassin compatibility module 
(https://rspamd.com/doc/modules/spamassassin.html) and have it load all 
SA rules too.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: URL Scanning in html attachments

2020-07-22 Thread Riccardo Alfieri

On 22/07/20 15:46, Paul Fowler wrote:


Hi All,

I have a general question regarding URL scanning in attachments.

I don't think SpamAssassin has a way to do that out of the box, but it's 
something that could be done inside a dedicated plugin. It would also help 
to get URLs from PDF attachments since some malware is using this 
approach (e.g. Emotet in the past few days)


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: IMPORTANT NOTICE: Rules referencing WHITELIST or BLACKLIST in process of being Renamed

2020-07-20 Thread Riccardo Alfieri

On 20/07/20 19:31, John Hardin wrote:



Apologies for not clarifying that detail; I was aware of it. I did 
hedge by saying "(potentially) subject to renaming".



No apologies necessary, it wasn't directed to you :)

I'm just trying to raise awareness that, while changing things is 
possible, it must be done with proper testing and communication to all 
the parties involved


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: IMPORTANT NOTICE: Rules referencing WHITELIST or BLACKLIST in process of being Renamed

2020-07-20 Thread Riccardo Alfieri

On 20/07/20 19:01, Martin Gregorie wrote:


Repeating previously posted info for completeness: one of my private
rules uses URIBL_BLACK as a subrule. I have no other potential conflicts
with SA rule name changes and no postprocessing that's dependent on SA
rule names.


Here just to say that URIBL Black is the official name that URIBL use 
for that blocklist (http://uribl.com/usage.shtml). If there will be a 
name change then a proposal should come from the URIBL team, not SA. If 
SA is not satisfied with the name it should drop the list from the rules 
if the URIBL team is not willing to comply to the name change.


I don't want to enter the discussion about what is good or not, I'm only 
concerned that these changes could impact other products in the SA universe


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Detecting SendGrid shared IPs

2020-07-16 Thread Riccardo Alfieri

Bumping a little the score for shared IPs? Could make sense..

On 16/07/20 14:10, m...@junc.eu wrote:

Why?


From: Pedro David Marco 
Date: Thu, Jul 16, 2020 at 09:18 AM
Subject: Detecting SendGrid shared IPs
To: Users 

Is there any way to know whether a Sendgrid IP is shared or dedicated?

Thanks in advance!



Pedro


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: spamhaus enabled by default

2020-07-15 Thread Riccardo Alfieri

On 14/07/20 19:33, Charles Sprickman wrote:


Since the consensus is that this is kind of a “turn it loose out of the box” 
situation, I think a nice compromise would be huge commented chunks around 
settings that would disable any commercial services that will start sending 
nastygrams if you are outside of their (sometimes complex and kind of opaque 
“free” use case).

I do so wish some of those folks would take spamtraps in trade. We see spam 
from sources even the most expensive lists don’t see for at least 15-20 minutes 
- valuable data, IMHO. :)


Well, we do have a "data sharing" program and are open to discussion of 
trading services for spamtraps/live traffic. We are especially 
interested in non US email traffic.


If you or anyone else thinks that they have valuable data to share, 
please contact me offlist with details and I'll escalate to the relevant 
people


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: spamhaus enabled by default

2020-07-11 Thread Riccardo Alfieri

On 10/07/20 22:51, Charles Sprickman wrote:



That’s unrealistic. Many ISPs these days that aren’t the “big boys” with 
dedicated staff for every facet of ISP operations, they are one and two man 
shops running WISPs in rural areas or developing countries. It’s not the 90’s 
anymore. It’s a terrible default, even home users should have to take an effort 
to enable a commercial service.
I'm not going to make comments about running an ISP without a basic 
knowledge of email/hosting/networking

And spamhaus should just replace the sales pitch email with instructions on how 
to comment their stuff out if they don’t want small ISPs (a small business, 
actually!) to use it. :)


Excuse me but isn't it at least "fair" that, if you use a service 
provided by others for commercial purposes, you pay for that service 
that contributes to your income?


And I don't know where you got a quote of "hundreds of dollars per 
month" for 1000 mailboxes, but it's not really the case if you use DQS.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: spamhaus enabled by default

2020-07-10 Thread Riccardo Alfieri

On 10/07/20 18:01, Philipp Ewald wrote:


Am 10.07.20 um 13:54 schrieb Kevin A. McGrail:

Here's the policy:
https://cwiki.apache.org/confluence/display/spamassassin/DnsBlocklistsInclusionPolicy 



This was active since 2018?

Maybe it would be better to ask if you are commercial or not... AFAIK 
you got problems if you're running spamhaus and have no license so any 
mail got marked as SPAM (or got hit SPAMHAUS rule on any domain?)



Hi,

sorry but this will never happen. We are not going to use a "list the 
world" response to queries from anyone. There are dedicated return codes 
for that (already included in SpamAssassin): 
https://www.spamhaus.org/news/article/788/spamhaus-dnsbl-return-codes-technical-update


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: handling spam from gmail.

2020-06-11 Thread Riccardo Alfieri

On 11/06/20 10:19, Marc Roos wrote:



I am sick of this gmail spam. Does anyone know a solution where I can do
something like this:

1. received email from adcpni...@gmail.com
2. system recognizes this email address has been 'whitelisted', continue
with 7.
3. system recognizes as this email never been seen before
4. auto reply with something like (maybe with a wait time of x hours):


Respectfully, this is a recipe for disaster. I've lost count of 
misconfigured antispam appliances that do something like what you want 
and ended up either


- Having the outbound queue full of undeliverables
- Bounceback spamming innocent users

So, no, please don't do that :)

As others suggested, start by upgrading your SA and do some targeted 
training to the bayes.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: google as biggest botnet, no kidding

2020-05-12 Thread Riccardo Alfieri

On 12/05/20 01:12, Benny Pedersen wrote:



is others see spam from googleapis.com urls ?

it's currently URL skipped, but I unskipped it locally to see tracking 
of it


I have made my clamav reject html attachments from today


Yes, we are seeing an awful lot of phishing sites hosted under 
https://firebasestorage.googleapis.com


I'd say that 99% of them can be caught by a simple regex though, but I 
don't know how common those firebasestorage URLs are in normal emails.. 
I personally have still to see a legit one.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: New Spamhaus zone and updates to the plugin

2020-04-30 Thread Riccardo Alfieri

On 30/04/20 12:07, Dominic Raferd wrote:



Thanks Riccardo this is a great tool and I have updated our SA plugin 
as advised. I think it is a pity we small-scale users can't benefit 
from the new HBL :( what was the logic here?


I don't know anything about the decisions behind the usage policy sorry 
:) Try emailing the sales dept as advised in the README, maybe you'll 
work something out.
It might be worth posting on the postfix users list about the benefits 
of a dqs account; I use it with postscreen and smtpd to good effect.


I thought about that, but there are some issues I think.

If you put ZEN/DBL in postfix and reject at SMTP level you are basically 
crippling what spamassassin is doing in postqueue, because it will never 
see emails coming ie: from bots, probably giving problems to the 
autolearn algo and other things like I think meta rules based on 
Spamhaus zones.


You could still do prequeue rejections with SpamAssassin if you use a 
milter, and if you keep ZEN shortcircuiting I don't think the overall 
load avg would increase very much.


Obviously YMMV :)

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



New Spamhaus zone and updates to the plugin

2020-04-30 Thread Riccardo Alfieri

Hello,

I'm happy to announce to the SpamAssassin community that Spamhaus has 
released an updated version of our plugin that solves minor issues and, 
more importantly, adds support for a new dataset we just released.


The new zone is called HBL (Hash BlockList) and deals with three 
different email scenarios previously not covered by the plugin:


- Dropbox emails: emails - mostly on freemail providers - used in 
419-like scams, sextortions and the like
- Cryptowallets: malicious crypto addresses used mainly in extortion 
scams. Currently supports BTC, BCH, LTC, XRP, XMR and ETH
- Filehash: hashes of suspicious or confirmed malicious attachments

All the relevant technical information is available at 
https://docs.spamhaustech.com/10-data-type-documentation/datasets/030-datasets.html#hbl 



HBL is a zone available only to paid-for DQS users, but we do offer a 
free trial; just follow the instructions at 
https://github.com/spamhaus/spamassassin-dqs


Even if you are not planning to use HBL, we strongly suggest you 
update the plugin to the latest release for general security.


We'd love some feedback and I'm always open for suggestions or 
discussion. Thank you!


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Question on early detection for relay spam

2020-03-03 Thread Riccardo Alfieri

On 03/03/20 08:54, Benny Pedersen wrote:


Ted Mittelstaedt skrev den 2020-03-03 08:26:


What do other people do for this problem?

Hi Ted,



What I can suggest is to look at our DQS product 
(https://www.spamhaustech.com/dqs/), which even in its free subscription 
model includes AuthBL, a list made of botnets known to be used to spam 
with abused credentials. A simple 5xx if a client connects to your 
submission port using a listed IP would take care of *most* of your 
problems.




After that, just running a daily report with a table like:

sasl_username - number of different IPs observed in the latest 24h

can help you find out abused credentials that were being used by bots 
(still) not in AuthBL.


I've observed in the field that this is an approach that works when you 
have up to 20-30k users; after this threshold you may want to write 
something to automate warnings and/or automatically block accounts if 
they exceed a defined threshold of (different_ips per sasl_username) per 
hour.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
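Added example, not code from the post above: a Python version of the daily "sasl_username -> number of distinct client IPs" table suggested there, plus the rolling per-hour threshold check the post recommends automating once a site is too large to eyeball the table. It runs over constructed Postfix-style `smtpd` log lines (hostname `mx`, documentation address ranges, user names and the threshold values are all made up for the example).

```python
"""Added example, not code from the mailing-list post: the daily
'sasl_username -> distinct client IPs' table suggested above, plus the
per-hour threshold check the post mentions for larger sites, run over
constructed Postfix-style smtpd log lines. Hostnames, addresses and
thresholds are all constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Pulls the client IP and sasl_username out of a Postfix smtpd connection line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S*smtpd\[\d+\]: "
    r"\w+: client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\].*?sasl_username=(?P<user>\S+)"
)

# Constructed sample (documentation address ranges): alice authenticates from
# two addresses over the day; bob's credentials are used from five addresses
# within a single hour, the pattern of an abused account.
SAMPLE_LOG = """\
Mar  3 08:10:01 mx postfix/submission/smtpd[1201]: 4A1: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.org
Mar  3 09:15:44 mx postfix/submission/smtpd[1202]: 4A2: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.org
Mar  3 10:00:03 mx postfix/submission/smtpd[1203]: 4A3: client=unknown[198.51.100.10], sasl_method=LOGIN, sasl_username=bob@example.org
Mar  3 10:05:12 mx postfix/submission/smtpd[1204]: 4A4: client=unknown[198.51.100.11], sasl_method=LOGIN, sasl_username=bob@example.org
Mar  3 10:07:30 mx postfix/submission/smtpd[1205]: 4A5: client=unknown[198.51.100.12], sasl_method=LOGIN, sasl_username=bob@example.org
Mar  3 10:09:59 mx postfix/submission/smtpd[1206]: 4A6: client=unknown[198.51.100.13], sasl_method=LOGIN, sasl_username=bob@example.org
Mar  3 10:40:00 mx postfix/submission/smtpd[1207]: 4A7: client=unknown[198.51.100.14], sasl_method=LOGIN, sasl_username=bob@example.org
Mar  3 11:00:00 mx postfix/submission/smtpd[1208]: 4A8: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.org
"""

Event = Tuple[datetime, str, str]  # (timestamp, sasl_username, client_ip)


def parse_auth_events(log_text: str, year: int = 2020) -> List[Event]:
    """Extract one event per SASL-authenticated connection (syslog lines carry no year)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an authenticated-client line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def daily_report(events: List[Event], window_end: Optional[datetime] = None,
                 hours: int = 24) -> Dict[str, int]:
    """sasl_username -> number of distinct client IPs in the `hours` before window_end.

    window_end defaults to the newest event, i.e. 'the latest 24h' of the log.
    """
    if not events:
        return {}
    end = window_end or max(ts for ts, _, _ in events)
    start = end - timedelta(hours=hours)
    ips = defaultdict(set)
    for ts, user, ip in events:
        if start <= ts <= end:
            ips[user].add(ip)
    return {user: len(seen) for user, seen in ips.items()}


def accounts_over_hourly_threshold(events: List[Event], max_ips_per_hour: int) -> Dict[str, int]:
    """Users whose distinct-IP count in some rolling one-hour window exceeds the limit.

    Returns the peak hourly count per flagged user; this is the input for the
    automated warning or account block the post suggests for larger sites.
    """
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, items in by_user.items():
        peak = 0
        for i, (t0, _) in enumerate(items):
            window = {ip for ts, ip in items[i:] if ts < t0 + timedelta(hours=1)}
            peak = max(peak, len(window))
        if peak > max_ips_per_hour:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for user, n in sorted(daily_report(evs).items()):
        print(f"{user}\t{n}")
    print("over threshold:", accounts_over_hourly_threshold(evs, max_ips_per_hour=3))
```

The rolling window is quadratic per user, which is fine for a daily batch over a few hundred thousand lines; the threshold itself has to be tuned per site, since roaming users on mobile carriers legitimately show several addresses per day.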



Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Riccardo Alfieri

On 23/01/20 18:56, RW wrote:



I'm curious as to what's actually going on here. If I use

dig ns fluent.ltd.uk @

some caches give the 2 servers supplied by Nominet, others give the 3
servers from  dns[1-3].fluent.ltd.uk (an extra round-trip).

If I look on Google's 8.8.8.8 I get a random result with random TTLs.
Perhaps the TTLs can be explained by Google's higher-level caching
not coping with the conflict and leaving the individual servers to
handle it, but their software is still producing two different results.
If I had to guess, I'd say someone removed dns3.fluent.ltd.uk 
from the zone without updating the serial number, so now if you happen 
to hit a resolver that never queried that domain you'll get only 
dns[1-2], while the others will keep the cached response until expiration.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Riccardo Alfieri

On 23/01/20 14:48, RW wrote:


On Thu, 23 Jan 2020 13:06:01 +
Jonathan Gilpin wrote:


Hi,

It seems that SpamAsassin is giving out a false positive on a
Spamhaus SBL lookup:

*  0.1 URIBL_SBL_A Contains URL's A record listed in the
Spamhaus SBL

I'm not seeing this at present.


I guess it's because you are running 3.4.3+. On previous versions it 
would hit because, as stated in 25_uribl.cf:


(URIBL_SBL_A) # Only works correctly from 3.4.3, earlier versions 
basically run as URIBL_SBL duplicate


I can also confirm that, as you properly pointed out, 195.78.94.20 is 
listed and that triggers URIBl_SBL.


Jonathan has been given instructions on how to request a removal and 
this issue will be likely to be solved as soon as the removal request 
comes in.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: URIBL_SBL_A - Spamhaus false positive..

2020-01-23 Thread Riccardo Alfieri

Hello Jonathan,

if you would care to forward me offlist a complete sample that triggers 
the FPs I'll be happy to investigate


On 23/01/20 14:51, Jonathan Gilpin wrote:
Our local resolver is 195.78.94.4 and this was verified by another 
Spamasassin user who has their own resolver on another network.
It has been like this for at least 4 days that I know of and yes it is 
still happening.


This seems to be the case for all spam-assassin users, that is, I 
haven’t found anyone using spamassassin that is not getting the same 
result


Jonathan



--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: v3.4.3 RBL lookups on the domain in Reply-to

2019-12-12 Thread Riccardo Alfieri

On 12/12/19 18:44, John Schmerold wrote:

On the Postfix listserv, KAM informed the Postfix community that 3.4.3 
has the ability to do RBL lookups on the domain in Reply-to address.


How do we take advantage of this new capability?

If I interpret the documentation correctly (still didn't try the new 
release), you could do something like:


header SH_HEADERS_DBL_SPAM eval:check_rbl_headers('dbl', 'dbl.spamhaus.org.', '127.0.1.2')
tflags SH_HEADERS_DBL_SPAM domains_only
score  SH_HEADERS_DBL_SPAM XXX

to check all the domains found in the default headers 
(EnvelopeFrom, Reply-To, Disposition-Notification-To, X-WebmailclientIP, X-Source-IP) 
against the DBL looking for spam domains. I'd also suggest adding Message-ID 
to the list of default headers, so a line like:


rbl_headers EnvelopeFrom,Reply-To,Disposition-Notification-To,X-WebmailclientIP,X-Source-IP,Message-ID


should be added somewhere in the local.cf file.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamassassin reporting

2019-12-04 Thread Riccardo Alfieri

On 04/12/19 17:22, Dave Goodrich wrote:


Can anyone recommend a ready to run OSS script, or set of scripts, for basic 
maillog stats concerning Spam? Just thought I would ask before I wrote 
something. Internet searching is not turning up anything for me.


Did you take a look at 
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/StatsAndAnalyzers ?


IIRC, years ago I used the SARE sa-stats.pl on a Zimbra installation, as 
it processes amavis logs out of the box (assuming Zimbra still uses amavis)


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: What Rules Am I Missing

2019-11-21 Thread Riccardo Alfieri

On 21/11/19 22:02, Benny Pedersen wrote:



that's why I say not using spamassassin, spamassassin adds headers that 
begin with X-Spam


I think he is calling spamc, that connects to spamd, that by default in 
many distributions starts with "--local" (never understood why)


Headers are probably added by a wrapper or something like that.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: What Rules Am I Missing

2019-11-21 Thread Riccardo Alfieri

On 21/11/19 19:02, Jerry Malcolm wrote:



X-SpamAssassin_109: Content preview:  Just to Say 
Hellohttp://www.eyestrongpro.icu/l/lt172P21166EE1247K/1884YQ6160P10097IT163UE64992145HF620698297
X-SpamAssassin_110:Unsubscribe Here [...]


It looks to me that you are not using network checks. eyestrongpro[.]icu 
has been listed in DBL for a lot of time now and your installation 
should have hit on it.


Check here for hints: 
https://cwiki.apache.org/confluence/display/spamassassin/UsingNetworkTests


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: new emotet campain

2019-09-18 Thread Riccardo Alfieri

On 18/09/19 21:05, Amir Caspi wrote:



Since the return code for the domain is specifically regarding 
malware, shouldn't the score be higher?  I would imagine the purpose 
of the unique Spamhaus return codes is to enable such granularity in 
scoring on the user end...



I can't speak about SA scoring politics because we are not directly 
involved in the project. What I can say is that we flag legitimate 
domains that are abused to distribute malware. For example:


http://drapart[dot]org/Prensa/k0viv68-5v5-2137/

The website itself is legit, but that particular path is hosting Emotet. 
As of now SA checks only the drapart[dot]org domain against DBL (and 
others) and gives you back a score according to masschecks. You can't 
outright say that *every* drapart[dot]org URL is malicious, because 
most of them really aren't.


So, as of now, if you don't care so much about FPs, just shortcircuit 
DBL responses to spam. There are some new functions in SA 3.4.3 that 
could help with better sniping, but that's something that has still to come.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: new emotet campain

2019-09-18 Thread Riccardo Alfieri

On 17/09/19 20:54, Amir Caspi wrote:

Based on https://feodotracker.abuse.ch/mitigate/, it looks like both 
Spamhaus DBL and SURBL are fed by URLhaus.  Spamhaus returns 
127.0.1.105 for URLs fed from URLhaus.  Doesn't SA already handle 
this, then, for URLs it processes, since it uses the DBL?


I know Riccardo sent an email about a new plugin for SA, but I don't 
know if it's yet implemented in release... but maybe that's not 
required since the DBL doesn't require DQS.


You are correct, URLhaus domains enter DBL as abused legit malware, but 
the default SA score is not enough to mark the email as spam (and that's 
correct as it checks only the domain).


The recommended way would be to use Clamav signatures, or, if you really 
can't, create uri rules based on https://urlhaus.abuse.ch/downloads/csv/


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: new emotet campain

2019-09-17 Thread Riccardo Alfieri

On 17/09/19 11:59, Blason R wrote:


If possible please share it here?

On Tue, Sep 17, 2019 at 3:20 PM hg user <mailto:mercurialu...@gmail.com>> wrote:


A new emotet campain is in progress
(https://twitter.com/Cryptolaemus1) and I created a rule... I
don't know if is it possible to share (via pastebin) the rule I
created to have feedback from the experts...


Hi,

not really SpamAssassin related, but for anyone concerned about Emotet, 
I suggest using URLhaus Clamav signatures: 
https://urlhaus.abuse.ch/api/#clamav


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Score in subject differs from score in headers

2019-09-06 Thread Riccardo Alfieri

On 06/09/19 19:36, Bill Cole wrote:



Since pretty much forever, IF it is told to do so...

See the documentation of 'rewrite_header' in 'perldoc 
Mail::SpamAssassin::Conf'



Thanks for pointing that out, I never realized template tags could be 
used on the subject rewriting too.


I guess my fault was/is using SA with amavisd, which redefines subject 
rewriting in its own way (maybe it could add scores in the subject too out 
of the box? Don't know, better RTFM ;) )


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Score in subject differs from score in headers

2019-09-06 Thread Riccardo Alfieri

On 06/09/19 17:45, David Galloway wrote:


For example, I'm looking at an e-mail now with "* SPAM 5.4 *" in
the subject but "X-Spam-Status: No, score=3.2 required=5.0"


Hi,

since when does SpamAssassin also write the scores in the subject? It's 
a cool feature that I probably missed completely :)


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-04 Thread Riccardo Alfieri

On 04/07/19 09:16, @lbutlr wrote:


On 3 Jul 2019, at 05:08, Stephan Seitz  
wrote:

By the way is this plugin necessary if you are using postfix/postscreen with 
your DQS key?

That was my question as well.


If you use Spamassassin I surely suggest using it, even if you 
use ZEN to do rejections at smtp level with your MTA.


The rest of the checks will take care of what ZEN missed (well, most of 
them at least :) )


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Riccardo Alfieri

On 03/07/19 20:02, David Gibbs wrote:

I downloaded the version that was on the install page.  It has a date 
tag of 20190621.


https://docs.spamhaustech.com/40-real-world-usage/SpamAssassin/020-SpamAssassin.html 



I'll update to the github version.

Yes please take the github version as the latest one, we are in the 
process of updating the docs.spamhaustech.com website but it is taking 
some time :)


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Riccardo Alfieri

On 03/07/19 18:01, Larry Rosenman wrote:



I'm seeing the following:

...
<20>1 2019-07-03T10:59:51.00-05:00 thebighonker.lerctr.org spamd 
80260 - - Use of uninitialized value $_ in pattern match (m//) at 
/usr/local/etc/mail/spamassassin/SH.pm line 139.


Is this a bug in my setup or a bug in the plugin?


FYI, this has been solved offlist with Larry's help.

If you use Exim you should download the latest plugin version

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Riccardo Alfieri

On 03/07/19 17:59, atat wrote:


You say in documentation:

 You should also drop, by default, all Office documents with macros.

What plugin / method do You reccomend for that ?


I'm no expert in detecting macros, but there are at least two ways of doing 
that that come to mind:


- Clamav with the option OLE2BlockMacros

- This package https://github.com/bigio/spamassassin-vba-macro

Or you could patch something up with python oletools

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Riccardo Alfieri

On 03/07/19 18:05, Chris Conn wrote:


Hello,

I am having a quick look over the config as am intrigued by this 
plugin; what is the motivation to change the RCVD_IN_XXX dnsbl lookups 
to utilize the per-user key system?  Is this a pre-cursor to an 
eventual phase-out of the typical 20_dnsbl_tests.conf mecanisms?



Hi,

public mirrors will stay there for a *long* time, don't worry :)

The whole point of using DQS instead of them is how fast DQS is updated 
compared to the mirrors. Mirrors can take up to a minute to have fresh 
data pushed to, and, while 60 seconds could seem like an acceptable 
time, it is *not* when dealing with hailstormers. DQS is updated in 
nearly true real time and starts serving listings as soon as we start 
detecting new sources.


You can theoretically use the plugin with public mirror's data, but the 
detection rate will not be comparable to DQS. Also public mirrors don't 
have ZRD and AuthBL.


Think of DQS as an upgrade from the public mirrors that only costs the 
time to register :)


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Riccardo Alfieri

On 03/07/19 17:10, David Gibbs wrote:


On 7/3/19 7:54 AM, Riccardo Alfieri wrote:
apparently I missed writing in the documentation that you also need 
Perl's List::MoreUtils installed.


And 'Data::Validate::Domain'.

david


That was for an older version of the plugin, it's now not needed anymore.

Get the code from the github repository to have the latest version.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Riccardo Alfieri

On 03/07/19 16:53, @lbutlr wrote:


On 3 Jul 2019, at 06:54, Riccardo Alfieri  wrote:

If you have a debian based distriution, do an

# apt-get install liblist-moreutils-perl

or, if you use something RPM based, the correct command should be

# yum install perl-List-MoreUtils

portmaster lang/p5-List-MoreUtils

or

pkg install p5-List-MoreUtils


Thanks, this is for FreeBSD right?

If that's the case I'll update the documentation

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Riccardo Alfieri

Hi,

apparently I missed writing in the documentation that you also need 
Perl's List::MoreUtils installed.


If you have a debian based distribution, do an

# apt-get install liblist-moreutils-perl

or, if you use something RPM based, the correct command should be

# yum install perl-List-MoreUtils


On 03/07/19 14:47, AJ Weber wrote:

Trying to follow the instructions, I got the following error:

spamassassin --lint
Jul  3 08:29:08.089 [26120] warn: plugin: failed to parse plugin 
/etc/mail/spamassassin/SH.pm: Can't locate List/MoreUtils.pm in @INC 
(@INC contains: lib /usr/share/perl5/vendor_perl 
/usr/local/lib64/perl5 /usr/local/share/perl5 
/usr/lib64/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at 
/etc/mail/spamassassin/SH.pm line 32.
Jul  3 08:29:08.089 [26120] warn: BEGIN failed--compilation aborted at 
/etc/mail/spamassassin/SH.pm line 32.


Are there more pre-requisites that I'm not aware of?

Thanks,

AJ


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Riccardo Alfieri

Thanks for pointing that out.

I warned the webmaster, in the meantime a temporary fix is to go back 
with the browser "back" arrow and submit the registration again


On 03/07/19 13:23, Noel Butler wrote:


We would sign up if we could, but after clicking continue of 
name/email page it goes to a blank WP page.



--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Riccardo Alfieri

Hello everyone,

I'm sure that many of you are aware that our datasets are already in use 
with SpamAssassin's default config, but I wanted to reach out and let 
you know that we have developed a SpamAssassin plugin that helps you get 
more out of our DNSBLs.


The plugin works with our Data Query Service (DQS). The DQS provides you 
with additional feeds: Zero Reputation Domain & AuthBL, and it also 
receives updates in 'realtime.' This last point is key, because, as you 
can see in the latest Virus Bulletin report 
(https://www.virusbulletin.com/testing/results/latest/vbspam-email-security), 
DQS catches 42% more spam than our RSYNC service or public mirrors.


Last but not least, the usage terms for the DQS are the same as for our 
public mirrors, meaning that if you already use our public mirrors, you 
can register for a personal DQS key free of charge.


You can find all the needed files here: 
https://github.com/spamhaus/spamassassin-dqs


Have fun with our data, and if there are difficulties in installing the 
plugin, or if you have suggestions, you can drop us a line at 
datafeed-supp...@spamteq.com or post here. I'll try to keep the list 
monitored to deliver as much help as I can.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: check_rbl digging too deep

2019-06-25 Thread Riccardo Alfieri

On 25/06/19 17:42, Matus UHLAR - fantomas wrote:


On 25.06.19 07:52, John Hardin wrote:
I'll let others address SA issues with this, I just want to point out 
an alternative:


Many sites consider Zen reliable enough for it to be used at the SMTP 
level as a poison-pill DNSBL.


That would avoid any chance of it being used "too deeply"...


no.  Many people consider Zen reliable enough to reject connections from
listed IP.  Deep header scanning is something very different.

ZEN is safe enough to reject at SMTP level if you can do it on your MTA 
(avoiding unnecessary CPU usage by SA)


It's also useful for deep header scanning, just remember to avoid PBL 
return codes when you do that :)


AuthBL also proved to be useful and doesn't create FPs even if you 
weight it 80% of your required_score


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: check_rbl digging too deep

2019-06-25 Thread Riccardo Alfieri

On 25/06/19 14:42, Benny Pedersen wrote:



https://docs.spamhaustech.com/10-data-type-documentation/datasets/040-zones.html 



add 9 to sbl test?


I'd add a rule like

header RCVD_IN_SBL_DROP   eval:check_rbl_sub('zen', '127.0.0.9')

With a score of at least 4



possible as well new test for authbl?


Well AuthBL (and ZRD) are zones available to people that register with 
our Data Query Service. We are just in talks with the Apache Foundation 
to have our plugin that uses our new datasets added to Spamassassin.


If you are curious about DQS, it's a service that anyone can subscribe 
to with a "free for most" license [1], and for which we developed a 
Spamassassin plugin under Apache license that you can freely download 
from 
https://docs.spamhaustech.com/40-real-world-usage/SpamAssassin/000-intro.html


We have just been featured on Virus Bulletin [2], where they tested the 
differences between DQS and Rsync (that are basically our public 
mirrors). The difference in catch rate is quite substantial.


If anyone wants to test the plugin I'll do my best to give support either 
on list (that may benefit others), or our support team is available 
offlist at datafeed-supp...@spamteq.com


[1] https://www.spamhaustech.com/data-access/
[2] 
https://www.virusbulletin.com/testing/results/latest/vbspam-email-security


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: check_rbl digging too deep

2019-06-25 Thread Riccardo Alfieri
Sorry guys, I don't know what happened, my client sent a lot of emails 
during drafting :(


Apologies

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: check_rbl digging too deep

2019-06-25 Thread Riccardo Alfieri

Hi,

On 25/06/19 11:00, Matus UHLAR - fantomas wrote:



header RCVD_IN_XBL  eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[45678]$')


I take this opportunity to point out that the correct rule for XBL 
should be:


header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$')


The return code 127.0.0.8 was dropped a long time ago.

More info at 
https://docs.spamhaustech.com/10-data-type-documentation/datasets/030-datasets.html#xbl


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/



Re: check_rbl digging too deep

2019-06-25 Thread Riccardo Alfieri

Hi

On 25/06/19 00:15, John Schmerold wrote:
We had an inbound message get rejected because it was sent from a cell 
phone, shouldn't SA be checking the most recent hop? Is there a way to 
make this the default?


I have this in local.cf:
header    RCVD_IN_rbl2spamhausz   eval:check_rbl('spamhausz', 'zen.spamhaus.org.')

score RCVD_IN_rbl2spamhausz   3.5

Please do *not* use ZEN in all the received chain without checking 
return codes 
(https://docs.spamhaustech.com/10-data-type-documentation/datasets/040-zones.html)


ZEN includes PBL, that is a list maintained by ISPs all over the world, 
and it is perfectly legit to find the first public IP in the received 
chain to be listed in PBL. You should only reject mail from ZEN if you 
use the -lastexternal flag


--
Best regards,
Riccardo Alfieri

Spamhaus Technologies
https://www.spamhaustech.com/
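To make the point of the last two messages concrete (XBL return codes 4-7 only, and never applying PBL to the whole Received chain), here is an added Python emulation of how SpamAssassin's check_rbl/check_rbl_sub rules behave against ZEN. It is not SpamAssassin's code and not Spamhaus' plugin: the DNS zone is a constructed in-memory table using RFC 5737 documentation addresses, the Received headers are constructed, and the Received parsing is a simplification of SpamAssassin's untrusted-relay logic. The return-code table follows the Spamhaus zones documentation linked in the thread; 127.0.0.8 is absent because, as noted above, it was retired.

```python
import ipaddress
import re

# ZEN return codes per the Spamhaus zones documentation linked in the thread.
# 127.0.0.8 was retired, so it is deliberately not listed.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# Constructed stand-in for DNS: reversed-octet query name -> A answers.
# No real lookups happen; all IPs are RFC 5737 documentation addresses.
FAKE_ZONE = {
    "77.113.0.203.zen.spamhaus.org.": ["127.0.0.10"],               # phone on a PBL range
    "20.113.0.203.zen.spamhaus.org.": ["127.0.0.4", "127.0.0.10"],  # infected host: XBL + PBL
    "5.100.51.198.zen.spamhaus.org.": ["127.0.0.9"],                # host inside a DROP netblock
}

def zen_query(ip, zone_data=FAKE_ZONE, zone="zen.spamhaus.org."):
    """Emulate a ZEN lookup: reverse the octets, append the zone, return A answers."""
    name = ".".join(reversed(ip.split("."))) + "." + zone
    return zone_data.get(name, [])

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def external_hops(received_headers, trusted_networks):
    """Sender IPs from the Received chain, latest hop first, with our own and
    trusted relays removed. Simplified stand-in for SA's untrusted-relay parsing."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hops = []
    for hdr in received_headers:
        m = RECEIVED_IP.search(hdr)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in trusted):
            continue
        hops.append(str(ip))
    return hops

def check_rbl(hops, lastexternal=False, subtest=None):
    """Emulate check_rbl()/check_rbl_sub(): True if a queried hop returns a code
    matching `subtest`. With no subtest *any* answer counts, PBL included,
    which is exactly the problem the thread warns about."""
    candidates = hops[:1] if lastexternal else hops  # -lastexternal = newest external hop only
    pattern = re.compile(subtest) if subtest else None
    for ip in candidates:
        for code in zen_query(ip):
            if pattern is None or pattern.search(code):
                return True
    return False

# Trusted networks are an assumption for this example: our MX range plus RFC 1918.
TRUSTED = ("192.0.2.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def evaluate(received_headers, trusted_networks=TRUSTED):
    """Run the rules discussed in the thread over one message's Received chain."""
    hops = external_hops(received_headers, trusted_networks)
    return {
        # The local.cf rule quoted above: whole chain, no return-code filter.
        "RCVD_IN_rbl2spamhausz": check_rbl(hops),
        # XBL rule as corrected in the thread: last external hop, codes 4-7 only.
        "RCVD_IN_XBL": check_rbl(hops, lastexternal=True, subtest=r"^127\.0\.0\.[4567]$"),
        # PBL is only meaningful on the hop that actually connected to us.
        "RCVD_IN_PBL": check_rbl(hops, lastexternal=True, subtest=r"^127\.0\.0\.1[01]$"),
        # SBL DROP rule suggested in the thread: whole chain, exact code.
        "RCVD_IN_SBL_DROP": check_rbl(hops, subtest=r"^127\.0\.0\.9$"),
    }

# Constructed message 1: a phone on a PBL-listed range submits via its provider's
# MSA, which relays to our MX. The phone is the oldest hop, not the last external one.
PHONE_MAIL = [
    "Received: from relay.example.net [198.51.100.10] by mx.example.com; ...",
    "Received: from phone.example.net [203.0.113.77] by relay.example.net with ESMTPSA; ...",
]

# Constructed message 2: an infected host (XBL + PBL) connects to our MX directly.
BOT_MAIL = ["Received: from bot.example.net [203.0.113.20] by mx.example.com; ..."]

# Constructed message 3: a host inside a DROP netblock connects directly.
DROP_MAIL = ["Received: from dark.example.net [198.51.100.5] by mx.example.com; ..."]

if __name__ == "__main__":
    for label, msg in (("phone", PHONE_MAIL), ("bot", BOT_MAIL), ("drop", DROP_MAIL)):
        print(label, evaluate(msg))
```

Running it shows the failure mode from the thread: for the phone message the unfiltered rule fires on the PBL hit deep in the chain, while the XBL and PBL rules restricted to the last external hop stay quiet; for the bot message XBL and PBL both fire because the listed host is the one that connected to us.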