Re: Correct KAM.cf location?
put your custom rules (including KAM.cf) in /etc/mail/spamassassin and restart/reload spamd

On 10/20/2021 12:50 PM, Jerry Malcolm wrote:
As I said in a previous post, I'm installing clean. I'm looking for a way to validate the installation and make sure that everything with SA is working as it should. I'm pretty confident I've got the basic SA function working. But along with the bayes issue from a couple of posts back, I can't seem to make the KAM.cf file get involved. In previous installations, I would see a lot of KAM rules showing up in the spam reports on emails. I also have written some rules on my own and put them in a similar file next to KAM.cf in /usr/share/spamassassin. But I'm not seeing any of my rules get hit.

I created a rule that triggers if the subject or sender is my company name. I sent an email from an outside email address and specifically added this name to the subject (and it's also in my sender email address). Nothing in the spam report. If I understand things correctly, that is telling me that my custom .cf file isn't even being loaded.

So, where is the magic spot to put my custom .cf and the KAM.cf files so they will get used?

--
Rick Cooper
I.T. Manager - Bob Thomas Dealerships
Cell 260-414-8566
Fax 260-434-4400
Email rcoo...@dwford.com
RE: Lint problem with KAM.cf
It lints fine now

Rick

_
From: Kevin A. McGrail [mailto:kmcgr...@apache.org]
Sent: Wednesday, September 01, 2021 5:43 PM
To: SA Mailing list
Subject: Re: Lint problem with KAM.cf

I published a fix for the KAM SHORT a few hours ago. Please let me know how it's working for you.

On Tue, Aug 31, 2021, 23:48 Kevin A. McGrail wrote:
On 8/31/2021 12:57 PM, Jared Hall wrote:
> 2) OTOH, what's the point of sa-update doing versioning if nobody uses it?

It's there to support different rulesets but the project as a whole found it better to do more complicated things when rules proved incompatible to encapsulate them in has(capability), version, and plugin tests to avoid that complexity.

I've got a fix for KAM.cf being looked at by another pair of eyes. Expect it to be published tomorrow.

Regards,
KAM
--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
RE: Lint problem with KAM.cf
It would appear you are using the SA git trunk version of the plugin (Andrew Colin Kissa informed me of the existence) which changes a LOT of the api. Near as I can tell the old module will work with your rules by adding the following at about line 489 of the DecodeShortURLs.pm module. Seems like the name of the module should have changed to prevent exactly this.

    sub short_url {
      # Set by parsed_metadata
      return 0;
    }

which just copies the behavior of short_url_tests

Rick

_
From: Kevin A. McGrail [mailto:kmcgr...@apache.org]
Sent: Monday, August 30, 2021 5:13 PM
To: Rick Cooper
Cc: SA Mailing list
Subject: Re: Lint problem with KAM.cf

We will take a look. We check with lint for every publication but maybe there's a condition we missed or a spelling issue. Thanks for bringing it up.

KAM

On Mon, Aug 30, 2021, 15:31 Rick Cooper wrote:
This has been going on a while but I haven't had time to address it. When the KAM rules are updated I see the following lint warning:

    warn: rules: error: unknown eval 'short_url' for __KAM_SHORT

Near as I can tell I am running the latest DecodeShortURLs.pm but the site says it's being merged directly into SA. If I change short_url to short_url_tests the error goes away but I haven't run it down in the code. I am running SA 3.4.6 and am wondering if there is a new module for DecodeShortURLs that I am missing somewhere?

Rick Cooper
Lint problem with KAM.cf
This has been going on a while but I haven't had time to address it. When the KAM rules are updated I see the following lint warning:

    warn: rules: error: unknown eval 'short_url' for __KAM_SHORT

Near as I can tell I am running the latest DecodeShortURLs.pm but the site says it's being merged directly into SA. If I change short_url to short_url_tests the error goes away but I haven't run it down in the code. I am running SA 3.4.6 and am wondering if there is a new module for DecodeShortURLs that I am missing somewhere?

Rick Cooper
RE: Mal formed urls
Bill Cole wrote:
> On 25 Feb 2021, at 13:37, Rick Cooper wrote:
>
>> I was just working on some rules to catch the current crop of malformed urls used to escape detection by solutions that extract urls from emails and compare them to known bad urls and I am wondering if spamassassin's patterns for extraction take this into account?
>>
>> For instance:
>>
>> https:www.google.com/mail
>> https:\/www.google.com/mail
>> https:\\www.google.com/mail
>>
>> Will all work at getting you to gmail because the technical spec doesn't actually require \\ after the colon.
>
> Of course not: A http: URI must NOT contain '\\' after the colon, it MUST contain '//' after the colon. See

Sorry, the \\ is a typo since that would be the beginning of a UNC path for a Windows box. As far as I can tell the authority/path-abempty portion of a URI is optional and must begin with // but can be empty, hence https:www.google.com or https:\/www.google.com/. I have noticed every browser I tested it with normalizes it back to the conventional //. But my question was, given this is apparently an issue with some solutions' parsing of URIs, does SA extract them, and as both you and John pointed out it does, so I am happy.

> https://tools.ietf.org/html/rfc7230#section-2.7.1 which is the technical spec for the formal syntax of a http URI. OTOH, there are URI schemes which do not include '//' (e.g. mailto:) so any tool that is doing broad URI detection can't be too picky.
>
> What flavors of garbage almost-URIs will work in a browser very much depends on the whims of browser developers, and whether those are 'clickable' in your preferred MUA is dependent on the gullibility of your MUA author.
>
> SpamAssassin traditionally has assumed that there will always be some MUA and browser authors who lack any sense of caution or prudence, so SA is VERY loose with what it will consider as maybe being a hostname in something that could be a URI in some obscure or novel scheme.
>
>> Will spamassassin still extract and normalize the urls above?
>
> Yes, it will see all 3 as the same canonicalized URI.
>
>> I was hoping to avoid digging through the source to find out.
>
> No need to dig through the source, you can see what URIs SpamAssassin detects (trimmed of the parts after the hostname) in a message by manually testing it with 'spamassassin -D uri'. Note that SA will only show one instance of otherwise identical URIs after trimming and canonicalization.
Mal formed urls
I was just working on some rules to catch the current crop of malformed urls used to escape detection by solutions that extract urls from emails and compare them to known bad urls and I am wondering if spamassassin's patterns for extraction take this into account?

For instance:

    https:www.google.com/mail
    https:\/www.google.com/mail
    https:\\www.google.com/mail

Will all work at getting you to gmail because the technical spec doesn't actually require \\ after the colon. Will spamassassin still extract and normalize the urls above? I was hoping to avoid digging through the source to find out.

Rick
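To make Bill's answer concrete (all three forms collapse to one canonical URI, and only one instance of each is reported), here is an added Python example of a browser-style canonicalizer and extractor. It is not SpamAssassin's own URI code; the leniency rules (a backslash acts as a slash, missing or doubled separators are tolerated, trailing sentence punctuation is dropped) are assumptions modelled on what browsers do.

```python
import re

# An http(s) scheme, then zero to two separator characters (forward or
# backward slash), then the rest. Deliberately looser than RFC 3986: a
# filter that is stricter than the browser misses exactly the URLs that
# still work when clicked.
_URL_RE = re.compile(
    r"\b(?P<scheme>https?):(?P<sep>[/\\]{0,2})(?P<rest>[^\s<>\"']+)",
    re.IGNORECASE,
)
_TRAILING_PUNCT = ".,;:!?)\"'"   # sentence punctuation glued to a URL


def _canonical(m):
    """Build 'scheme://host[/path]' from a match, or None if no host."""
    scheme = m.group("scheme").lower()
    rest = m.group("rest").rstrip(_TRAILING_PUNCT)
    # Browsers treat a backslash like a slash in http(s) URLs, and any
    # separators left over after the colon are redundant.
    rest = rest.replace("\\", "/").lstrip("/")
    host, sep, path = rest.partition("/")
    host = host.split(":")[0].lower()            # drop a port, fold case
    if not host:
        return None
    return f"{scheme}://{host}" + (f"/{path}" if sep else "")


def canonicalize_url(raw: str) -> str:
    """Canonicalize one possibly mangled http(s) URL."""
    m = _URL_RE.fullmatch(raw.strip())
    url = _canonical(m) if m else None
    if url is None:
        raise ValueError(f"not an http(s) URL: {raw!r}")
    return url


def extract_urls(text: str) -> list:
    """Canonical URLs found in text, first occurrence first, duplicates
    collapsed the way 'spamassassin -D uri' reports one instance only."""
    seen = {}
    for m in _URL_RE.finditer(text):
        url = _canonical(m)
        if url:
            seen.setdefault(url, None)
    return list(seen)


def hostnames(text: str) -> list:
    """The extracted URLs trimmed to their hostnames, duplicates collapsed."""
    hosts = (u.split("://", 1)[1].split("/", 1)[0] for u in extract_urls(text))
    return list(dict.fromkeys(hosts))
```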
RE: Why the new changes need to be "depricated" forever
Kevin A. McGrail wrote:
> On 7/21/2020 9:25 PM, Loren Wilton wrote:
>> I do strongly wonder whether this is "society" or only "people in the USA".
> One data point disproves that. The SA project made the choice months ago inspired by a decision in the United Kingdom:
> https://www.zdnet.com/article/uk-ncsc-to-stop-using-whitelist-and-blacklist-due-to-racial-stereotyping/

I've stayed out of this until now because I understand what you are trying to do, but this was not an issue of race until those who (just like the article) made it so. I am a white male aged 62 who grew up in the 60's and 70's in a very racially integrated area of a very poor part of a decent sized Midwest United States city in Indiana. I went through the forced integration busing in a junior high school that mainly consisted of poor "white trash" lower income white families. There really wasn't much tension in the school system until poor lower income black students were forced to be bused in along with wealthy upper class white students from other schools. The black students raised holy hell (riots and all) because they were forced out of their schools and the well to do white students were nearly as bad for exactly the same reason and we (the original group of lower class white students) were pissed because we had to deal with pissed off kids from both spectrums. This was not a problem until people forced a non-issue into a boiling point issue. Being one of the poorest "white trash" families in the school in the first place and having been raised to see race as a non-issue I had friends in all three of the spheres and most of them just wanted things to stop and didn't understand what the fuss was all about, they were fine with things as they had been. You know where none of this EVER crept in? Athletics... All those involved in athletics just wanted winning teams and didn't give a rat's ass about what color the guy was playing next to them, only that they performed.
The problem wasn't integration of kids, it was making sure each school had access to the same resources, that neighborhoods were naturally integrated and no barrier existed to the flow of people based on color, race or religion. Forcing those kids out of their neighborhood school did nothing positive because they still went home at the end of the day (and took longer to get there) and their position in life remained the same (other than seeing all the nice things the wealthy kids had I guess). They were still poor and black, I was still poor and white and the tension and resulting violence just took a chunk of our childhood to a place it didn't need to go. Now, white and black lists were not a racially charged item until someone, likely a white guy but I don't know, made it so. I have asked my colleagues of all races what they think about this and Linux's new issues with the terms black and white list and, especially, the black persons find it somewhat insulting. Black and white have been the representation of pure good and evil since mankind found a way out of the dark. Dark was bad, you were more likely to be hunted in the dark, light was good as you were far safer, hence black magic bad, white magic good, and most cultures who believe in the two are of dark skin. Certainly the black west African practitioners of voodoo (common term for several related religions) knew they were of black skin when they assigned black magic to magic used for harmful purpose while white magic was used for good and healing... It was just light and dark and that is what the terms white and black are used for. How about blackballing? Remember McCarthy blackballing people in the 50's... Had nothing to do with color then or now. Why is the Sabbath preceding Tisha B'Av referred to as Black Sabbath? Nothing to do with skin color.
I won't speak of this again but this entire overreaction to race issues literally feeds the flame every bit as much as black rappers using the *nword* as their own continues to feed the use of the word. I had hoped during my lifetime that word would be gone but it's clear from this discussion that people cannot just simply decide not to engage in racist behavior and stop emphasizing trouble where an issue doesn't exist until you make it an issue. I do not believe a single person of color on this list ever once looked at the terms white and black list and saw a race issue, and if they did, this will not solve their actual personal problems.
RE: How to write a rule to block phishing?
That's odd. The fraud emails we have gotten do not use an actual PayPal address as the sender (they have been using @.pp.com) and that is a legitimate address used to notify users when their accounts have been limited, which does happen and they have an FAQ regarding that. One of ours got limited once because we hadn't logged in for a long time. If it's legit it should list the reason and you can go to the actual PayPal site and work it out from there. Just saying.

Rick

_
From: Daryl Rose [mailto:rosed...@gmail.com]
Sent: Monday, June 15, 2020 7:19 PM
To: users@spamassassin.apache.org
Subject: How to write a rule to block phishing?

So, I received an email from "service.i...@paypal.com", Subject "Your PayPaI account has been limited". This is clearly a phishing attempt and not a legitimate email from paypal. I analyzed the headers, the message comes from a server here in the United States, the spam score is 5, and SpamAssassin says "No Spam". Yea!! Only not yea, because it's clearly a phishing attempt.

Normally I just add the email address to a blacklist_from.cf file and stop it that way, but adding "service.i...@paypal.com" to the blackfrom list would block any legitimate email from PayPal. So how does a person write a rule for something like this? I've never written rules before and not really sure how to.

Thanks
Daryl
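The tell in Daryl's sample is the subject: "PayPaI" with a capital I standing in for the l, so an exact match on the brand name never fires. An added Python example (mine, not Daryl's rule and not SpamAssassin code) folds look-alike characters so the misspelling collapses onto the real name; the confusable table and the brand list are assumptions and deliberately small.

```python
import re

# Assumed confusable table: source -> what it imitates. Multi-character
# entries come first so they are folded before the single characters.
CONFUSABLES = (
    ("rn", "m"), ("vv", "w"),
    ("i", "l"), ("1", "l"), ("|", "l"),
    ("0", "o"), ("5", "s"), ("3", "e"), ("4", "a"), ("@", "a"),
)

# Brands whose names a legitimate sender never misspells (assumed list).
BRANDS = ("paypal",)


def skeleton(word: str) -> str:
    """Lower-case the word and collapse look-alike characters."""
    s = word.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def find_lookalikes(text: str, brands=BRANDS) -> list:
    """Return (brand, word) pairs where word imitates brand with substituted
    characters. A correctly spelled brand name is not reported: on its own it
    carries no signal, since genuine PayPal mail says PayPal too."""
    hits = []
    for word in re.findall(r"[A-Za-z0-9@|]+", text):
        for brand in brands:
            if word.lower() != brand and skeleton(word) == skeleton(brand):
                hits.append((brand, word))
    return hits


def subject_score(subject: str, lookalike_score: float = 5.0) -> float:
    """Score to add for a subject line; assumed value, one hit is enough."""
    return lookalike_score if find_lookalikes(subject) else 0.0
```

Used as a header test it would go alongside, not instead of, the sender checks: the sample also had a spoofed paypal.com sender, which this function does not look at.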
RE: Technically not spam
@lbutlr wrote:
> How do people deal with lists that a user subscribed to that require logging in to an account to unsubscribe? I seem to be seeing a lot more complaints from users who cannot get off lists (probably because they didn't realize they were creating an account for getting multiple-mails per day).
>
> Most legitimate mails have a simple unsubscribes list, but many online stores seem to "forget" to do this.
>
> I can't just blacklist the IPs because some people want these emails.

You don't mention your MTA but I have to believe all have the ability to handle a from->to blacklist. I know that if you use MailScanner it can also be done there, if you use MailWatch for MailScanner it can be done there by the user themselves. Our users can login to their accounts and add an email address to their personal blacklist so everyone can receive emails from a particular address except them. Where and how you inject this into the delivery would depend on the MTA or backend you are using.
RE: Bounced messages
Phil Reynolds wrote:
> On Tue, 19 May 2020 07:43:14 -0400
> "Rick Cooper" wrote:
>
>> I occasionally get emails warning me of bounced mail, this one doesn't go through we will send a probe, yada, yada.
>>
>> They say they include the bounce message but they always look like this:
>>
>> --- Enclosed is a copy of the bounce message I received.
>>
>> Return-Path: <>
>> Received: (qmail 21198 invoked for bounce); 8 May 2020 19:58:49 -
>> Date: 8 May 2020 19:58:49 -
>> From: mailer-dae...@apache.org
>> To: users-return-1220...@spamassassin.apache.org
>> Subject: failure notice
>>
>> Which is useless. I also cannot find where the list was ever denied in the logs. This time I went ahead and sent the email that would retrieve the messages that had bounced and I have every single one of them already... Every single one.
>>
>> What is up with that?
>
> I have seen this from time to time on several mailing lists.
>
> Normally, it is caused by your mailserver rejecting a malformed mail that has been sent to the list - the list software has accepted it and not corrected its "non-compliance" - hence your mailserver bounces it.

No, I would see the reject in the mail logs, and when I requested the bounced messages I had already received all of them. So that was why I wondered why the list server was saying they bounced without a denial and after having had them delivered to my box.

> If you do ever find out about the mail in question, it is usually (*) spam.
>
> Unfortunately:
>
> (a) certain mailing list software is set up so that it can send on malformed mail it could in theory reject or put right. I am of the opinion this is wrong.
> (b) certain mailservers (including mine, of my own volition) are configured to reject such malformed mail on the grounds that it is usually spam. I am of the opinion this is right.
> (c) the mailing list software treats this as a bounce, without treating the reason as special and letting it simply pass. I am of the opinion this is wrong.
>
> (*) usually = at least 995 per mil.
>
> I am happy to read anyone else's opinions on the three points above, of course.
Bounced messages
I occasionally get emails warning me of bounced mail, this one doesn't go through we will send a probe, yada, yada.

They say they include the bounce message but they always look like this:

    --- Enclosed is a copy of the bounce message I received.

    Return-Path: <>
    Received: (qmail 21198 invoked for bounce); 8 May 2020 19:58:49 -
    Date: 8 May 2020 19:58:49 -
    From: mailer-dae...@apache.org
    To: users-return-1220...@spamassassin.apache.org
    Subject: failure notice

Which is useless. I also cannot find where the list was ever denied in the logs. This time I went ahead and sent the email that would retrieve the messages that had bounced and I have every single one of them already... Every single one.

What is up with that?

Rick
RE: UTF-7 emails
Brent Clark wrote:
> Hi Rick
>
> Will you be willing to share your Exim and SA rules / code?
> So that the community can benefit from your finding and work.

Pretty standard exim acl. The DataWhitelisted portion is calculated from several other items so that would be up to you if you even wanted to whitelist anything. The AddSuspectHeader is a flag used in various parts of the delivery as is the message that is added as a header as well. If the Suspicious header is added to an email the end user cannot release it from quarantine on their own and the portion of the message they can see has been sanitized, disarmed (html, scripting and links disarmed and obfuscated).

    warn
      log_message = [DATA] FOUND UTF-7 CONTENT-TYPE : ${sg{$h_Content-Type:}{\N\n.*\N}{}}
      condition   = ${if !eq {yes} {${lc:$acl_m_DataWhiteListed}}}
      condition   = ${if def:h_Content-Type:}
      condition   = ${if match{${lc:$h_Content-Type:}}{\Ntext\/html; charset=utf-7\N}}
      set acl_c_AddSuspectHeader = yes
      set acl_c_SuspectMsg = ${sg{$acl_c_SuspectMsg}{\NNONE(\s{0,}:)?\N}{}}:UTF-7 BODY HIDING SOMETHING

> Regards
> Brent Clark
>
> On 2020/05/05 20:00, Rick Cooper wrote:
>> Henrik K wrote:
>>> On Tue, May 05, 2020 at 12:51:36PM -0400, Rick Cooper wrote:
>>>> We received a couple emails yesterday that barely got caught and when I looked at them they should have hit big time. As I looked it would appear the body parts are encoded quoted-printable utf-7. Apparently SA doesn't handle utf-7?
>>>>
>>>> I added $self->{'decoded'} = Encode::decode("UTF-7", $self->{'decoded'}); just before the decoded body is returned in Node.pm and the body rules hit again including some quick tests I put together.
>>>>
>>>> Is ignoring utf-7 intentional or is this a new spammer tactic? The actual email messages are rendered perfectly through outlook and our webmail application.
>>>
>>> If I remember right, normalize_charset 1 will handle this just fine. At least in trunk/4.0.
>>>
>>> In any case, UTF-7 mails can be blocked on sight, no one uses it legitimately..
>>
>> Bingo, that does it. And yes I added a check for utf-7 to exim and add a header that causes emails to be quarantined and marked so users cannot release or view them on their own.
>>
>> Thanks
>>
>> Rick
RE: UTF-7 emails
Henrik K wrote:
> On Tue, May 05, 2020 at 12:51:36PM -0400, Rick Cooper wrote:
>> We received a couple emails yesterday that barely got caught and when I looked at them they should have hit big time. As I looked it would appear the body parts are encoded quoted-printable utf-7. Apparently SA doesn't handle utf-7?
>>
>> I added $self->{'decoded'} = Encode::decode("UTF-7", $self->{'decoded'}); just before the decoded body is returned in Node.pm and the body rules hit again including some quick tests I put together.
>>
>> Is ignoring utf-7 intentional or is this a new spammer tactic? The actual email messages are rendered perfectly through outlook and our webmail application.
>
> If I remember right, normalize_charset 1 will handle this just fine. At least in trunk/4.0.
>
> In any case, UTF-7 mails can be blocked on sight, no one uses it legitimately..

Bingo, that does it. And yes I added a check for utf-7 to exim and add a header that causes emails to be quarantined and marked so users cannot release or view them on their own.

Thanks

Rick
UTF-7 emails
We received a couple emails yesterday that barely got caught and when I looked at them they should have hit big time. As I looked it would appear the body parts are encoded quoted-printable utf-7. Apparently SA doesn't handle utf-7?

I added

    $self->{'decoded'} = Encode::decode("UTF-7", $self->{'decoded'});

just before the decoded body is returned in Node.pm and the body rules hit again including some quick tests I put together.

Is ignoring utf-7 intentional or is this a new spammer tactic? The actual email messages are rendered perfectly through outlook and our webmail application.

Rick Cooper
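What this thread describes, shown end to end in an added Python example (my code, not Rick's Node.pm patch or his Exim ACL): a body whose text is valid UTF-7 wrapped in quoted-printable renders normally in a mail client but contains none of its words in the wire form, so plain-text body rules see nothing until the declared charset is decoded. The sample message and addresses are constructed; the charset check generalizes the Exim rule in the thread to every text part rather than only the top-level text/html header.

```python
import base64
import quopri
import re
from email import message_from_bytes, policy

# Stand-in for a plain-text body rule that the message in the thread evaded.
BODY_RULE = re.compile(r"\bFREE\s+prize\b", re.IGNORECASE)

# Constructed sample body.
HIDDEN_HTML = "<html><body>Click here to claim your FREE prize now!</body></html>"


def utf7_encode_all(text: str) -> bytes:
    """Encode the whole string as a single +...- base64 block.

    Valid UTF-7 (RFC 2152) that any MUA decodes, yet no plain word survives
    in the encoded form; a normal UTF-7 encoder leaves ASCII as-is, which is
    why this is the form a filter has to worry about."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return ("+" + b64.rstrip("=") + "-").encode("ascii")


def build_sample_message() -> bytes:
    """Constructed sample: UTF-7 HTML body, quoted-printable transfer encoding."""
    headers = (
        "From: sender@sender.example\n"     # placeholder addresses
        "To: rick@receiver.example\n"
        "Subject: your account\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/html; charset=utf-7\n"
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n"
    ).encode("ascii")
    return headers + quopri.encodestring(utf7_encode_all(HIDDEN_HTML))


def scan_message(raw: bytes) -> dict:
    """Report what a filter sees before and after charset decoding.

    utf7_declared:    some text part declares charset utf-7 (the Exim check
                      from the thread, extended to every MIME part and to
                      every text/* subtype, quoted or unquoted parameter).
    transfer_decoded: body after quoted-printable/base64 decoding only,
                      which is what body rules matched against in the report.
    charset_decoded:  body after decoding the declared charset as well,
                      which is what normalize_charset 1 hands the rules."""
    msg = message_from_bytes(raw, policy=policy.default)
    declared = False
    transfer, decoded = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = (part.get_content_charset() or "us-ascii").lower()
        payload = part.get_payload(decode=True) or b""
        if charset in ("utf-7", "utf7"):
            declared = True
        transfer.append(payload.decode("ascii", errors="replace"))
        try:
            decoded.append(payload.decode(charset, errors="replace"))
        except LookupError:          # unknown charset name: keep the bytes as-is
            decoded.append(payload.decode("latin-1"))
    return {
        "utf7_declared": declared,
        "transfer_decoded": "\n".join(transfer),
        "charset_decoded": "\n".join(decoded),
    }


def body_rule_hits(text: str) -> bool:
    """True when the body rule matches the text it is given."""
    return BODY_RULE.search(text) is not None
```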
Re: Spoofed From: names
On April 11, 2020 3:08:15 PM EDT, RW wrote:
> On Sat, 11 Apr 2020 19:58:02 +0100
> RW wrote:
>
>> The first one was cited as a format used in forwarded ham. The other two are common in spam.
>>
>> The point of this spamming technique is that many clients show only the display name in the message list. Consequently the three headers will display like this:
>>
>> Mr Bill (mb...@legitemail.com)
>> mb...@legitemail.com
>> Mr Bill
>>
>> IMO the middle one is the most convincing as it's exactly what would have been displayed if that address had been used without a display name. The last one at least looks like a from header. The first looks the
>
> ... least convincing.

Oddly enough the first is legitimate in a lot of cases. NetSuite, for instance, uses that in the display section all the time.

> I don't know what happened there, it got sent before I'd finished.
>
> Basically it seems likely that different formats will have different statistics.
>
> There's no need for any of this to be added to any plugin, it's easiest to simply meta header regexes with the plugin result.
RE: Spoofed From: names
Grant Taylor wrote:
> On 4/11/20 9:49 AM, RW wrote:
>> I see that the plugin rules don't distinguish between the irresponsible format of:
>>
>> From: "Mr Bill (mb...@legitemail.com)"
>>
>> and more seriously deceptive formats like:
>>
>> From: "mb...@legitemail.com"
>> From: "Mr Bill "
>
> I feel like all three examples that you have provided include an actual usable email address in the human friendly name of the From: header. In my opinion, anything else in the double quotes is largely window dressing. As such, I think that it doesn't matter if the email address is in (...) or <...> or bare. The Mr Bill prefix also doesn't matter.
>
> Given the above opinion, I would consider all three of these human friendly names to be effectively identical.
>
> So, what would you like the plugin to do differently? How do you think the three examples should be handled?

I think RW makes a valid point. I just rewrote my plugin to hit one of two rules depending on if the address is formatted as "m...@mine.com " vs "Fname Lname (va...@mine.com)" (give or take the parenthesis). Because the second one is more commonly used for valid purposes (hence needing the ability to whitelist an address or domain). The first example I have never seen used in a legit fashion myself. So if it hits the first rule that is a high hit, well above threshold and the second rule is bypassed (no double dip). Hit the second rule and it's a moderate bump.

Rick
RE: Spoofed From: names
I wrote my own plugin for that but I don't score very high anymore because of things like this: (obviously Mr Bill is not real but the NetSuite address is)

    From: "Mr Bill (mb...@legitemail.com)"

I find more and more companies, I believe Intuit is doing something like that, that do this. I could of course add a whitelist of sorts but I prefer to bump the score a bit, enough to tag as low scoring spam. For detecting possible fraud addresses involving our own people I wrote a backend look up for exim that looks at any name like "Rick Cooper" and compares that to a DB with all email addresses for all employees in all locations and then, if the actual rcoo...@domain.com doesn't match any of those listed for that name, it rewrites the subject and appends a noticeable disclaimer to the subject line stating the email is not from rcoo...@domain.com and any other addresses that person may have. It also adds a X-Header that SA can score on at the same time.

Rick

-Original Message-
From: micah anderson [mailto:mi...@riseup.net]
Sent: Thursday, April 09, 2020 10:17 AM
To: users@spamassassin.apache.org
Subject: Spoofed From: names

Hi,

What is the current state of the art for dealing with tricking people in the From with the "Name" part? For example:

    From: "supp...@example.com"

The "Real Name" part is used to put a fake email address of the actual domain (example.com would be my domain, or gmail.com or something other than air-compressor.ml). This has come up before[0], but at the time generic solutions seemed problematic due to various false positives, or missing features in spamassassin itself. I'm wondering what the current state is now.
I can do a relatively easy meta-rule for my domain, something like this, but I'm not sure how well this would work, or if there are better methods now:

    header   __LOCAL_FROM_QUOTE_ISUS    From =~ /\".*\@example\.com\"/
    header   __LOCAL_FROM_CONTAIN_NOTUS From !~ /<.*\@example\.com>/
    meta     TRICKY_FROM                ((( __LOCAL_FROM_QUOTE_ISUS ) + ( __LOCAL_FROM_CONTAIN_NOTUS )) > 1)
    describe TRICKY_FROM                From has example.com in quotes, but not in path
    score    TRICKY_FROM                5

[0] https://www.mail-archive.com/users@spamassassin.apache.org/msg100800.html

--
micah
SA perl requirements
I've been meaning to ask the maintainers, according to the requirements listed in the INSTALL file:

    Required Perl Interpreter
    - Perl 5.8.1 or a later version is required. Preferred versions are 5.8.8, or 5.10.1 or later.

Yet it actually requires 5.10+ because of FromNameSpoof.pm. FromNameSpoof.pm uses the defined-or operator on line 265 (//=) and nested (possessive) quantifiers ([\w\-\.]++)\b/i) on line 352. Now fixing the source to work with 5.8x isn't a big deal but should the requirements not reflect the need for perl 5.10 or should those lines be changed to comply with the stated 5.8.8 above? I know to fix this before running make test, but the errors this produces during make test could be quite confusing if you just ran into it.

Rick
RE: Rule for detecting two email addresses in From: field.
Philip wrote:
> Morning List,
>
> Lately I'm getting a bunch of emails that are showing up with two email addresses in the From: field.
>
> From: "Persons Name "
>
> When you look in your mail client (Outlook, Thunderbird) it's showing only "Persons Name "
>
> Is there a way I can mark From: that has 2 email addresses in it as spam? Pro's Cons?
>
> Phil

    From: =~ /^.*?<.+?\@.+?>.*?<.+\@.+?>/g

Can't imagine the circumstance where such a from: format would be required

Rick
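One way to tell apart the three display-name shapes RW lists in the "Spoofed From: names" thread and the two-address form Phil asks about here, with the whitelist Rick mentions: an added Python example, not the FromNameSpoof plugin, Rick's plugin, or micah's meta rule. The scores are assumptions that follow the thread (the shapes never seen in legitimate mail score past a 5.0 threshold on their own, the "Name (address)" shape only gets a bump), and the addresses in the test are constructed; the page's own examples lost their angle-bracket addresses in rendering, so they are reconstructed here.

```python
import re
from email.utils import parseaddr

# Loose addr-spec pattern; enough to spot an address inside a display name.
_ADDR_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.IGNORECASE)

# Assumed scores per display-name shape (see lead-in).
SCORES = {
    "bare_address": 6.0,        # From: "mbill@legitemail.com" <other@...>
    "name_angle_address": 6.0,  # From: "Mr Bill <mbill@legitemail.com>" <other@...>
    "name_paren_address": 1.5,  # From: "Mr Bill (mbill@legitemail.com)" <other@...>
    "other": 1.0,               # an address somewhere else in the name
}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def classify_from(header_value: str, allowed_display_domains=frozenset()) -> dict:
    """Classify a From: header whose display name carries an email address.

    Returns the shape of the display name, the addresses embedded in it,
    whether any of them belongs to a different domain than the real
    addr-spec, and a score. Domains in allowed_display_domains are the
    whitelist: a vendor that legitimately shows a customer address in the
    display name is never scored."""
    display, addr = parseaddr(header_value)
    embedded = [a.lower() for a in _ADDR_RE.findall(display)]
    if not embedded or "@" not in addr:
        return {"format": "plain", "embedded": [], "mismatch": False, "score": 0.0}
    first = re.escape(embedded[0])
    name = display.strip()
    if re.fullmatch(r"<?\s*" + first + r"\s*>?", name, re.IGNORECASE):
        fmt = "bare_address"
    elif re.search(r"\(\s*" + first + r"\s*\)", name, re.IGNORECASE):
        fmt = "name_paren_address"
    elif re.search(r"<\s*" + first + r"\s*>", name, re.IGNORECASE):
        fmt = "name_angle_address"
    else:
        fmt = "other"
    real = _domain(addr)
    mismatched = [a for a in embedded if _domain(a) != real]
    allowed = all(_domain(a) in allowed_display_domains for a in mismatched)
    score = SCORES[fmt] if mismatched and not allowed else 0.0
    return {"format": fmt, "embedded": embedded, "mismatch": bool(mismatched), "score": score}
```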
RE: Phishing.pm
Giovanni Bechis wrote:
> On 13 January 2019 21:52:19 CET, Giovanni Bechis wrote:
>> On 13 January 2019 20:22:40 CET, Ian Evans wrote:
>>> Running 3.4.2, spamd daemon.
>>>
>>> Just enabled the new Phishing.pm plugin but wondering about the data feeds. Is that something we need to set up a cron to wget or does the plugin handle it? Unless my google fu is weak due to a lack of caffeine, I couldn't find any doc on setting it up.
>>>
>>> Thanks for any advice.
>>
>> try Mail::SpamAssassin::Plugin::Phishing
>>
>> Cheers
>> Giovanni
>
> man Mail::SpamAssassin::Plugin::Phishing
> to be precise.
> Giovanni

Something that isn't answered in the docs is the default score and I am wondering if SA has to be restarted after each update of the data or does it reread each time the plugin is called

Rick Cooper
RE: TXREP dont work
Karol Augustin wrote:
> On 07/10/16 03:51, Rick Cooper wrote:
>> So how do I dump the ~/ disk file for the DB. The txrep.cf file:
>>
>> user_awl_dsn DBI:mysql:SpamAssassin:127.0.0.1
>> user_awl_sql_username CorrectUser
>> user_awl_sql_password CorrectPassword
>> user_awl_sql_table txrep
>> use_txrep 1
>> txrep_track_messages 1
> You need the line:
>
> txrep_factory Mail::SpamAssassin::SQLBasedAddrList
>
> It tells SA to use SQL DB factory module.
>
>
> Best,
> Karol

Yep, that was it. I did not try that because the documents clearly say: I misread that and did not see the difference (SQL) over the default at first. Thanks for pointing out my "duhhh" moment.

Rick
RE: TXREP dont work
RW wrote:
> On Fri, 30 Sep 2016 08:43:18 +
> Nicola Piazzi wrote:
>
>> After a new box installation I found that txrep doesn't work
>>
>> The table is empty
>> mysql> select * from txrep;
>> Empty set (0.00 sec)
>>
>> Obviously I disabled AWL and Load TxRep in v341.pre
>
> Did you set
>
> use_txrep 1

I am in the same boat and yes use_txrep is set to 1. There is not a single item in the table after a week. But when I do a test with a known spam mail I get a line like this:

    0.1 TXREP TXREP: Score normalizing based on sender's reputation

When run in debug mode it appears that it is using ~/.spamassassin/tx-reputation instead of the mysql DB.

    Oct 6 22:46:39.479 [13510] dbg: locker: mode is 384
    Oct 6 22:46:39.479 [13510] dbg: locker: safe_lock: created /home/exim/.spamassassin/tx-reputation.mutex
    Oct 6 22:46:39.479 [13510] dbg: locker: safe_lock: trying to get lock on /home/exim/.spamassassin/tx-reputation with 30 timeout
    Oct 6 22:46:39.479 [13510] dbg: locker: safe_lock: link to /home/exim/.spamassassin/tx-reputation.mutex: link ok

So how do I dump the ~/ disk file for the DB. The txrep.cf file:

    user_awl_dsn DBI:mysql:SpamAssassin:127.0.0.1
    user_awl_sql_username CorrectUser
    user_awl_sql_password CorrectPassword
    user_awl_sql_table txrep
    use_txrep 1
    txrep_track_messages 1

Thanks for any help,

Rick
RE: Spamassassin with single link in body
Benny Pedersen wrote:
Celene wrote on 2013-07-06 21:24:
Example: http://pastebin.com/UZtzfyEs
To be honest, I have never gotten any emails from people with only a URL, unless they are spam, so this shouldn't be a problem. I just want to match all emails that have a single link in the body

    uri      __HAS_URL /./
    meta     LESS_THEN_2_URL (__HAS_URL < 2)
    describe LESS_THEN_2_URL Meta: have one single url
    score    LESS_THEN_2_URL 0.1

untested

This would match a message that had a body full of text that was legit but only had one link, I believe the OP wants to match a body that is blank except for a single url and I found no way to do that without writing a custom plugin

Rick
RE: Chain rules?
Andrew Talbot wrote:
This is what I was wondering. We don't want to have to run a computationally-expensive body rule unless we need to. No choice though, I guess. Thanks for your help!

-Original Message-
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Monday, June 24, 2013 1:20 PM
To: users@spamassassin.apache.org
Subject: Re: Chain rules?

On Mon, 24 Jun 2013, Andrew Talbot wrote:
Is there a way to chain rules together such that one rule will only fire if another is hit? Specifically, we have a client that is getting hit with a bunch of messages that are just links, but the links contain sex words. We want to do a body scan for a list of sex words if and only if the body contains only a link rule we have is triggered. I tried to get this to work with meta rules but it seems like it won't do it. Is there currently a way to do this sort of conditional check?

Unfortunately you can't control whether or not a rule is *executed*, you can only control whether or not it contributes to the message's overall score.

Don't forget you can do this with a custom module. I have one that does some network things and before I actually do the processing I check the current score and if it's above a certain score I skip the tests and I also check for two other tests to see if one or both hit (I changed the priority of those tests to run early and before the module) and if neither hit I also skip processing in the module, so perhaps you should look at the documentation and examples for custom modules, they really are not too difficult to program. Also look at shortcircuit and priority
RE: Hot News
Dave Funk wrote:
On Fri, 15 Mar 2013, Kevin A. McGrail wrote:
On 3/15/2013 9:17 AM, Tom Kinghorn wrote:
On 15/03/2013 15:11, Christopher Nido wrote:
http://www.naturalstonesinc-munged.com/aah/pabfjd/pgrezs

Now this is a guy with cahona's grande' for spamming the spamassassin list. Poor sucker.

It's a compromised Yahoo! account. One of the #1 spamming issues right now for us. Regards, KAM

Not only a compromised Yahoo! account but also a compromised website, so listing the URLs in some kind of RBL will be problematic for FPs.

I wrote a custom plug-in to detect certain things about these messages that, so far, have not resulted in any FPs (one would have to have a yahoo account and make the message look just like the spams), and I have looked at some of the messages caught. Something I noticed in all cases so far is that if you attempt to pull the link from wget without using a user agent string you will get ERROR 405: Not Allowed every time, so far. I also find that there are *several* common traits within the body of the web pages, for instance a fox news copyright, specific class names and link names such as 'lia href=http--//www.buy-berryrasp.com/order.phpHome/a/li' (remove the --). If anyone has a chance to verify this, especially the 404 without a user-agent string, I would think something could easily be done with a custom plug-in to detect that. Oh, and they all do a 301 or 302 redirect at the initial request.

Rick
RE: Off Topic - SPF - What a Disaster
Original Message
From: Marc Perkel [mailto:m...@perkel.com]
Sent: Thursday, February 25, 2010 6:11 PM
To: Rick Cooper
Cc: 'ram'; users@spamassassin.apache.org
Subject: Re: Off Topic - SPF - What a Disaster

Rick Cooper wrote:
The anti-SPF bandwagon is not ego driven but results driven.

Thank you for admitting that SPF is not a spam filtering solution. However it is also not a white listing solution because, as many people have said here, spammers are the ones who are using SPF correctly. I can see some theoretical benefits: if you have a list of banks with SPF and you receive an email from an address that the bank lists then you can safely pass it. But I find that an easier way to do that is to use FCrDNS to do the same thing. On the downside, SPF breaks email forwarding and it creates a false sense that people are doing something to fight spam or protect ham that is not supported by reality. SPF has received intellectual welfare because stuff that doesn't work tends to be culled out of spam assassin, and other than backscatter most people here are telling the SPF supporters that it doesn't work. If SPF is becoming more popular it just means that more people are misled.

So then SRS doesn't work for forwarding systems? I ask because I am not a forwarding service and, as I only handle corporate mail systems, do not give access to arbitrary forwarding to the mail users, so we do not have tons of (external) forwarding going on. Since SPF and SRS are like legs on the same body I will assume trying to walk with one leg produces results similar to a forwarding service using SPF without SRS. I personally would love it if comcast would list all of their valid outbound mail hosts and hard fail all others, same with aol, yahoo, gmail, etc. Seems to me if you are going to push email all over hell's half acre it behooves you to use any and all tools available to take responsibility for those mails, and SPF is one of several tools that can do that, at least to some extent. If there had been some kind of total commitment to spam 10 years ago we would not be where we are today and Spamassassin (as it is) would not be quite so necessary. (My apologies for the pathetic attempt at manually reformatting the original html post)

SRS is even more broken than SPF. I allow users to white list or black list based on the sender. If you rewrite the sender then you lose sender based conditionals. SRS has no use other than to try to fix SPF, which has no use in the first place.

I suppose you would have to add logic to your whitelisting to accommodate an SRS message; it's not like you cannot tell, and the return path remains intact so the original sending address is still available for the white list. Pobox.com uses it (of course) and they are a forwarding service. I don't personally see SPF as a spam tool so much as someone taking responsibility for the mail they send. I suppose since all forwarding services are legitimate the world should just take messages originating from them as legitimate as well. My bad.

Rick
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
RE: Off Topic - SPF - What a Disaster
From: Marc Perkel [mailto:m...@perkel.com]
Sent: Thursday, February 25, 2010 12:30 PM
To: ram
Cc: users@spamassassin.apache.org
Subject: Re: Off Topic - SPF - What a Disaster

ram wrote:
On Tue, 2010-02-23 at 18:33 -0800, Marc Perkel wrote:
Jeff Koch wrote:
In an effort to reduce spam further we tried implementing SPF enforcement. Within three days we turned it off. What we found was that:
- domain owners are allowing SPF records to be added to their zone files without understanding the implications, or that are just not correct
- domain owners and their employees regularly send email from mailservers that violate their SPF.
- our customers were unable to receive email from important business contacts
- our customers were unable to understand why we would be enforcing a system that prevented them from getting important email.
- our customers couldn't understand what SPF does.
- our customers could not explain SPF to their business contacts who would have had to contact their IT people to correct the SPF records.
Our assessment is that SPF is a good idea but pretty much unworkable for an ISP/host without a major education program, which we have neither the time nor the money to do. Since we like our customers and they pay the bills it is now a dead issue. Any other experiences? I'd love to hear.
Best Regards, Jeff Koch, Intersessions

I agree. I've been in the spam filtering business for many years and have yet to find any use for SPF at all. It's disturbing this useless technology is getting the false positive support we are seeing.

Marc, this is just to repeat the cliche. SPF was not designed to help *you* in *spam filtering*. This was designed to help legitimate senders send mails. However, as much as you, unreasonably, dislike it, SPF adoption is on the rise. Two years ago most banks in India had no SPF records. Today almost every bank here publishes an SPF record. And that helps. For eg I use SPF checks to whitelist all local banks' mail. Conversely, I have a custom rule that says if the header-from contains $popularbank.com and mail did not SPF pass, add a score of 3.0. Phishers can use whatever envelope from they want. But if they put the bank's domain in the header-from the mail will be caught as spam. I know there are ways to get around this rule too, but in practical life this has been real effective against phishing. IMHO most of the anti-SPF bandwagon is more due to ego issues than technical.

The anti-SPF bandwagon is not ego driven but results driven. Thank you for admitting that SPF is not a spam filtering solution. However it is also not a white listing solution because, as many people have said here, spammers are the ones who are using SPF correctly. I can see some theoretical benefits: if you have a list of banks with SPF and you receive an email from an address that the bank lists then you can safely pass it. But I find that an easier way to do that is to use FCrDNS to do the same thing. On the downside, SPF breaks email forwarding and it creates a false sense that people are doing something to fight spam or protect ham that is not supported by reality. SPF has received intellectual welfare because stuff that doesn't work tends to be culled out of spam assassin, and other than backscatter most people here are telling the SPF supporters that it doesn't work. If SPF is becoming more popular it just means that more people are misled.

So then SRS doesn't work for forwarding systems? I ask because I am not a forwarding service and, as I only handle corporate mail systems, do not give access to arbitrary forwarding to the mail users, so we do not have tons of (external) forwarding going on. Since SPF and SRS are like legs on the same body I will assume trying to walk with one leg produces results similar to a forwarding service using SPF without SRS. I personally would love it if comcast would list all of their valid outbound mail hosts and hard fail all others, same with aol, yahoo, gmail, etc. Seems to me if you are going to push email all over hell's half acre it behooves you to use any and all tools available to take responsibility for those mails, and SPF is one of several tools that can do that, at least to some extent. If there had been some kind of total commitment to spam 10 years ago we would not be where we are today and Spamassassin (as it is) would not be quite so necessary. (My apologies for the pathetic attempt at manually reformatting the original html post) I am open to and interested in
RE: Block Spammers Spoofing My Domain
Original Message
From: schmo_j [mailto:schm...@yahoo.com]
Sent: Thursday, February 25, 2010 1:40 PM
To: users@spamassassin.apache.org
Subject: Block Spammers Spoofing My Domain

Greetings! I'm running SpamAssassin 3.2.5 on Gentoo Linux, and I'm looking to block messages from @mydomain.com that originate from outside my network. I already have a whitelist_from_rcvd *...@mydomain.com mydomain.com rule in place; can I simply add a blacklist_from *...@mydomain.com rule right below it to accomplish my goal? All of my mail-producing servers are inside my internal network (also defined in internal_networks), so I'm positive that nothing from @mydomain.com should come from the outside. Thanks!

That should really be blocked at smtp, not with SA. I do it (via exim) with a list of IPs that are allowed to helo with my domain(s), and I require authentication from any user to send mail, period. In my case if you break the helo-with-my-name rule you are instantly added to the firewall for a week.

Rick
RE: List of 600,000 IP addresses of virus infected computers
I have noted one FP so far, lists.sophos.com, and it was sending the latest new viruses. I get this list a couple times per day on average.

Rick

-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: Monday, September 10, 2007 1:26 PM
To: SpamAssassin Users List
Subject: List of 600,000 IP addresses of virus infected computers

I've developed an extremely accurate way of detecting virus infected spam zombies. I think it's 100% accurate and catches them on the first try. Here are 600,000 IP addresses I've detected in the last 3 days. Enjoy
http://iplist.junkemailfilter.com/virus.txt
RE: List of 600,000 IP addresses of virus infected computers
My bad, I had 127.0.0.1 in the blacklist on that host instead of 127.0.0.2. Sorry

-Original Message-
From: Rick Cooper [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 13, 2007 9:03 AM
To: 'Marc Perkel'; 'SpamAssassin Users List'
Subject: RE: List of 600,000 IP addresses of virus infected computers

I have noted one FP so far, lists.sophos.com, and it was sending the latest new viruses. I get this list a couple times per day on average. Rick

-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: Monday, September 10, 2007 1:26 PM
To: SpamAssassin Users List
Subject: List of 600,000 IP addresses of virus infected computers

I've developed an extremely accurate way of detecting virus infected spam zombies. I think it's 100% accurate and catches them on the first try. Here are 600,000 IP addresses I've detected in the last 3 days. Enjoy
http://iplist.junkemailfilter.com/virus.txt
RE: SPF-Compliant Spam
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: Monday, August 27, 2007 3:49 PM
To: users@spamassassin.apache.org
Subject: Re: SPF-Compliant Spam

Kai Schaetzl wrote:
Justin Mason wrote on Mon, 27 Aug 2007 14:35:39 +0100:
On the contrary, we in SpamAssassin find it useful.

I have to agree with Marc in this special case. It's not very useful. The reason I think this is that the amount of domains that use SPF is scarce, *really* scarce. I kept an eye on this for some weeks with the help of milter-spf and less than 5% of all mail had SPF. It may be helpful for some people, for instance to avoid greylisting or so, but as it is not much in use I don't find it very useful. Kai

I agree. And SPF breaks email forwarding and spammers can set SPF records as well. SPF is useless.

[Rick Cooper] Not true, proper implementation does not break forwarding. And for spammers using bots they pretty much have to use a rule that allows the whole world to send for them (like +all). We deny mail from anyone who uses things like +all, \d+\.0\.0\.0\/2, etc. If they publish valid, accurate SPF records then they have taken responsibility for their spam and it helps with complaints. Last of all, if everyone used SPF it would certainly render most joe-jobs useless. It really pisses me off if I get a bunch of back-scatter from a joe-job when our SPF records list all hosts allowed to send in our name, and hard fail all others. While I don't get huge numbers of SPF fail I get enough that I find it very worthwhile. I also fail a fair number of +all type records, and when you look at the hosts you see a lot of dsl/cable hosts, which would lead one to believe they are certainly bots. SPF would do a better job if it were used by more systems, especially in the area of forged addresses.

Rick
-- This message has been scanned for viruses and dangerous content by http://www.mailscanner.info/ MailScanner, and is believed to be clean.
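Rick's receiving-side policy above (reject senders whose SPF record is +all or grants pass to something like \d+\.0\.0\.0\/2), written out as an added example rather than code from the thread: a small checker that parses an SPF TXT record and reports the pass-qualified terms that effectively let the whole world send as the domain. The record strings are constructed samples, the prefix-length thresholds are my own policy choice, and include:/redirect= targets are not resolved since that needs live DNS.

```python
"""Flag SPF records whose pass (+) terms let almost any host send as the domain.

Added example for the SPF discussion in this thread; the sample records below
are constructed, not taken from any real domain.
"""
import ipaddress

# Networks at or wider than these prefix lengths are treated as "whole world"
# grants, in the spirit of the \d+\.0\.0\.0\/2 example in the thread.  The
# thresholds are a local policy choice, not part of the SPF specification.
MAX_IP4_PREFIX_FLAGGED = 8
MAX_IP6_PREFIX_FLAGGED = 16


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Modifiers such as redirect= and exp= are returned with qualifier None so a
    caller can see them; this code does not resolve them.
    """
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok:                        # modifier, e.g. redirect=_spf.example.com
            name, _, value = tok.partition("=")
            terms.append((None, name.lower(), value))
            continue
        qualifier = "+"                       # RFC 7208: a missing qualifier means pass
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        if not arg and "/" in mech:           # "a/24" and "mx/24" carry a CIDR suffix
            mech, _, cidr = mech.partition("/")
            arg = "/" + cidr
        terms.append((qualifier, mech.lower(), arg))
    return terms


def permissive_reasons(record):
    """Return human-readable reasons why a record is dangerously permissive.

    Only terms with the pass qualifier are considered: -all, ~all and ?all do
    not grant pass, and include:/redirect= would need DNS to evaluate, so they
    are skipped here.  An empty list means nothing was broad enough to flag.
    """
    reasons = []
    for qualifier, mech, arg in parse_spf(record):
        if qualifier != "+":
            continue
        if mech == "all":
            reasons.append("+all lets any host on the internet pass")
        elif mech in ("ip4", "ip6") and arg:
            try:
                # strict=False accepts host bits set, e.g. 10.0.0.0/2
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                reasons.append(f"{mech}:{arg} is not a valid network")
                continue
            limit = MAX_IP4_PREFIX_FLAGGED if net.version == 4 else MAX_IP6_PREFIX_FLAGGED
            if net.prefixlen <= limit:
                reasons.append(f"{mech}:{arg} grants pass to {net.num_addresses} addresses")
    return reasons


def is_permissive(record):
    """True when the record contains at least one flagged pass term."""
    return bool(permissive_reasons(record))


if __name__ == "__main__":
    # Constructed sample records for illustration only.
    samples = {
        "tight": "v=spf1 ip4:192.0.2.0/24 mx -all",
        "open-all": "v=spf1 a mx +all",
        "quarter-of-the-internet": "v=spf1 ip4:10.0.0.0/2 -all",
    }
    for label, rec in samples.items():
        print(label, "->", permissive_reasons(rec) or "ok")
```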
RE: SPF-Compliant Spam
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: Monday, August 27, 2007 5:26 PM
To: Bernd Petrovitsch
Cc: users@spamassassin.apache.org
Subject: Re: SPF-Compliant Spam

Bernd Petrovitsch wrote:
On Mon, 2007-08-27 at 12:50 -0700, Marc Perkel wrote:
[...]
I don't support from mangling and I'm talking about email forwarded to us from other servers who also don't do from mangling.

So non-from-mangled forwarded email cannot be (technically and quite simply) distinguished from intended spam mail. So the only logical useful consequence is to forbid non-from-mangled forwarding. Where is the real problem? BTW I see from mangling as a conceptually necessary thing: simply because the forwarded mail is actually sent by your mail server. Bernd

Forwarded mail isn't sent from my server. It is sent from the sender. I am relaying the message and it's not up to me to mangle the from address. The people who I forward to want the from address to be original.

[Rick Cooper] Then your server(s) should be listed in their SPF records, problem solved. We list every host that could possibly end up sending mail from any of our systems; that includes backup relays, etc. If you are sending mail for them you should be listed in their SPF records, easy enough.

Rick
RE: SPF-Compliant Spam
-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: Monday, August 27, 2007 5:29 PM
To: Meng Weng Wong
Cc: Kelson; users@spamassassin.apache.org
Subject: Re: SPF-Compliant Spam

Meng Weng Wong wrote:
On Aug 27, 2007, at 11:39 AM, Kelson wrote:
Jason Bertoch wrote:
Is it wise to blacklist both, or is this yet another case where SPF has failed to meet projections?

It's a case where the spammer has just handed you useful information: You know for sure that the domain name is, indeed, the spammer's domain name, and not an innocent third-party's. Blacklist it without hesitation!

Yes, that usage was exactly the design intent of SPF. Once you move from IP to domain reputation, you can do many interesting things. For example, you can go from the known-bad domain to its nameservers. You can then go from those nameservers to detect other bad domains. The URIBL plugin associates URL - domain - IP - reputation lookup. I am writing a similar plugin that associates domain - NS - reputation lookup.

Meng - you are doing the email community a huge disservice with SPF. I wish you'd just end this lie because SPF is less than useless. It breaks existing forwarding standards and it causes false positives. SPF DOESN'T WORK!

A lamp doesn't work either, until you plug it in. Use it correctly and it works; don't and it doesn't.

Rick
RE: Two errors with 3.2.2
-Original Message-
From: Ed Kasky [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 26, 2007 12:22 AM
To: users@spamassassin.apache.org
Subject: Two errors with 3.2.2

I upgraded today from 3.2.1 to 3.2.2 on a RH7.2 server using perl 5.8.1 and am having 2 issues.
[...]
2. In 3.2.2, I also get setuid errors when I try to run spamd as user spamd:
Jul 25 20:47:31 yoda2 spamd[26486]: spamd: server successfully spawned child process, pid 26506
Jul 25 20:47:31 yoda2 spamd[26505]: spamd: setuid to uid 1205 failed
Jul 25 20:47:31 yoda2 spamd[26506]: spamd: setuid to uid 1205 failed
Jul 25 20:47:31 yoda2 spamd[26486]: prefork: child states: SS
Any suggestions on either of these is greatly appreciated... Ed

I have these errors as well, same perl, and I was not able to figure out what the problem was and had to roll back to 3.2.1. Anyone have an idea? (I noticed everyone skipped addressing this part of the two errors.)

Rick
RE: SaneSecurity
-Original Message-
From: John Rudd [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 27, 2007 1:27 PM
To: Bret Miller
Cc: users@spamassassin.apache.org
Subject: Re: SaneSecurity

Bret Miller wrote:
Perhaps more a clamav question, but does anyone use the additional definitions for clam from SaneSecurity and are they helpful in the Spam Wars? You're in luck! I just installed them yesterday. Had been meaning to for a while, but things have been too busy to get the script written to update them. So, in less than 24 hours, hit over 1800 spam messages here-- about 1/3 of our spam volume.

I've been told that 3rd party clamav signatures can make clamav unstable, because they seem to not be as well tested as the clamav signatures. You end up with more than a few cases of an error in a 3rd party signature file causing clamav to choke and not run. Which is all to say: watch the results of your updates closely.

The big thing is to check the db after download, before moving it into place (especially if it's a scripted download).

Rick
RE: My Newly Expanded DNS Blacklist - Who wants to try it?
-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: Monday, June 18, 2007 9:31 AM
To: Shane Williams
Cc: Daryl C. W. O'Shea; users@spamassassin.apache.org
Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Shane Williams wrote:
On Sun, 17 Jun 2007, Marc Perkel wrote:
Shane Williams wrote:
[...]

Shane - your listing has nothing to do with dynamic IPs. The way you got listed is that your server hit my high MX records when all of my lower MX records were working. What I'm still investigating is why that happened. And it's a problem I intend to fix because I don't want any false positives in the list. Is there any reason your server would try MX records in an unusual order?

I don't know what his reason is, but had I attempted to send mail to your server last Friday I could easily have ended up hitting one of your higher MXs. I had a problem with Verizon where I would lose my connection for seconds to a minute and everything would be fine for seconds to a minute or two. This went on for hours; it was like someone flicking a light switch. If exim couldn't connect to your lower mx servers during one of these episodes it would have rolled up the list as it should, since Verizon has yet to inform my mail server they are having transient network problems and to consider any connection issues to be temporary and please try again.

Rick
RE: My Newly Expanded DNS Blacklist - Who wants to try it?
-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: Monday, June 18, 2007 10:00 AM
To: Rick Cooper
Cc: users@spamassassin.apache.org
Subject: Re: My Newly Expanded DNS Blacklist - Who wants to try it?

Rick Cooper wrote:
I don't know what his reason is, but had I attempted to send mail to your server last Friday I could easily have ended up hitting one of your higher MXs. I had a problem with Verizon where I would lose my connection for seconds to a minute and everything would be fine for seconds to a minute or two. This went on for hours; it was like someone flicking a light switch. If exim couldn't connect to your lower mx servers during one of these episodes it would have rolled up the list as it should, since Verizon has yet to inform my mail server they are having transient network problems and to consider any connection issues to be temporary and please try again. Rick

Rick, it does take multiple hits to get listed, and I did add code so that if you hit all the high ones in succession it only counts as one. However, having said that, this is experimental and there's a possibility that it's just not going to work. I do believe that there's information to be had by looking at hosts who hit high numbered MX records when low numbered MX servers are available. I'm just trying to figure out how to extract this information. So - I ask the question - I think we can all agree that there's information to be had. How do we extract this in a useful form and avoid false positives?

I am probably oversensitive to blacklists of this nature because of past problems. I had an issue where someone could not deliver a reply to a customer once, and when I investigated I found the (actually two) server was on a blacklist I had never heard of. I let our ISP know that apparently their entire address space was on the list, and the owner (someone I have known since the early eighties) investigated and found the entire att address space (their carrier) was on this black list and att knew all about it. Apparently this person wanted them to pay him $50,000 to be removed in less than one year. Granted, few people probably use the list, but it still worries me when someone uses a list maintained by a guy, and even more so if it's fully automated.

Personally, relatively few mails on our servers make it to the RBL portion (I also use exim) and get dumped for other reasons; right now the biggest is probably non-FQDN (or bracketed dotted quad) helo. I would say number two is attempting to send mail heloing as part of our domain space when the host is not part of our network, and three is attempting to send mail to our addresses from a host not allowed to send mail from our addresses. I also seem to see a lot of localhost/localhost.localdomain and 127.0.0.1. I would like to see a lot more hardfail SPF hits and less SPF none.

I still believe there are too many people who (subconsciously or otherwise) get a thrill out of fighting spam, and the world would be much better off to move to taking responsibility for the mails they send. DKIM is about the closest thing to what I would like. You can have all the anti-spam laws in the world but proving responsibility is always the biggest problem. I would like to see a light weight service similar to DNS used to validate emails, quick and simple. It could be distributed like DNS: do you approve this mail, yes or no, like sender verification only without the smtp overhead. Last one that touches it is responsible, through the chain. The current, base, smtp spec simply wasn't developed in a time where anyone considered today's environment. There has to be a better way than trying to catch spam, as that does nothing toward trying to stop it.

Rick
RE: Why doesn't Spamassassin bounce spam?
-Original Message-
From: WLamotte [mailto:[EMAIL PROTECTED]
Sent: Friday, June 15, 2007 10:13 AM
To: users@spamassassin.apache.org
Subject: Why doesn't Spamassassin bounce spam?

Sorry if this is an obvious question, but why isn't there an option for Spamassassin to bounce spam? Sure it does a good job at filtering spam, but I don't want it from my web(mail)server to my inbox. I want my web- or mailserver to bounce suspected spam. Is this a feature that could be implemented? TIA,

I assume you mean dump, not bounce? Bouncing spam is a very bad idea. I have personally been the recipient of hate mail and even several "I will kill you" messages (according to Babelfish, as they were mostly French) because spam was sent with my email address (while I was a comcast customer). If you don't want the emails, dump them after SA tags them as spam, but don't bounce them. See http://en.wikipedia.org/wiki/Joe_job or google backscatter joe job.

Rick
RE: Does anyone catch this....
-Original Message-
From: Matthias Haegele [mailto:[EMAIL PROTECTED]
Sent: Monday, May 14, 2007 8:30 AM
To: SpamAssassin
Subject: Re: Does anyone catch this

Dennis Davis wrote:
On Mon, 14 May 2007, Duncan Hill wrote:
From: Duncan Hill [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Date: Mon, 14 May 2007 11:41:24 +0100 (BST)
Subject: Re: Does anyone catch this
On Mon, May 14, 2007 11:32, Matt Hampton wrote:
http://www.coders.co.uk/slipped.through.txt
It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851) running on recent versions of MailScanner

The ClamAV engine tends to work well on a large number of that type of phish. Local testing shows DCC hitting it, but that's about it. Doesn't help that Halifax don't publish SPF records.

In particular the Sanesecurity additions to ClamAV detect this as: Html.Phishing.Bank.Sanesecurity.06030604 We've detected (and rejected) over 1300 copies of this particular phishing scam over the last couple of weeks or so. Link: http://sanesecurity.co.uk/clamav/usage.htm

For Debian the example script (Example 1) had to be fixed (paths don't match), don't know if you need to fix it for other distros too ... For testing use the sample phishing attachment.

I just sent Steve an updated script that accommodates the trailing backslash that Debian adds to the clam db dir in the debug output and adds -m 1 to the grep so it short circuits finding the clam db dir (so it now takes less than a second), and I added rsync for the MSRBL-* files since that site not only supports it but prefers it be handled that way. I would imagine Steve will have it up sometime today; I have been testing it since he made the last change to the mirroring methods last week.

Rick
RE: Sender Address Verification is NOT abuse and very effective
-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED]
Sent: Friday, March 30, 2007 11:42 AM
To: users@spamassassin.apache.org
Subject: Re: Sender Address Verification is NOT abuse and very effective

John D. Hardin wrote:
Is there a non-abusive way to automatically verify an email address is valid? Verification does not need to occur in real-time; large delay is acceptable. It is not intended as any sort of attack/abuse/spam prevention or mitigation strategy. A given address will not be checked more than once. There may not be any email message headers associated with the address. If this is drifting off topic, let's kill it and I'll find someplace more appropriate.

Yes - there is. I'm using Exim and if you aren't using Exim you might not be able to do the things I can do. It's SAV done right. Exim provides caching so it minimizes real callouts. You also have to do things in the right order. You do the greylisting/blacklisting first. You then exclude all the spammer only tricks like impersonating your domain(s) and other stuff that only spammers do. You then verify the recipient exists first. After doing all this the sender verification traffic is minimal. Now if someone wants to invent a better way that would be great. I'd like to see some sort of DNS based way to do this but until there's something better SAV is it.

I agree with the DNS based method. Perhaps a txt record, in the DNS of the owner of that IP, that states a given IP is allowed to run mail services. Next verify via a forward query of the domain that the IP is allowed to *send* mail for that domain. I am not talking about defining dynamic, etc. I am saying a query on the IP returns a yes/no as far as that IP having the right (AUP) to operate an email service. Then check the domain part to see if that IP is allowed to send mail on behalf of that domain. Like an ms (mail sender) record instead of an mx record.

Next, I have thought it would be nice in today's world of bots that a service exist explicitly to honor address verification requests that has nothing to do with the SMTP server. It would have to be light and fast, perhaps UDP in the same light as DNS. You would send the request to the service designated by the domain's DNS; this would allow the same types of round robin or load balancing as DNS servers enjoy. That server would hold all valid addresses (including aliases) that domain would like to allow to send mail. It would return a simple 0,1,2 type of response for yes, no, defer. I would think that were the backend for such a service to be CDB, the load would be as light, perhaps less, than a DNS service. Smaller mail systems could easily run it on the same host as the mail service itself; larger would run separate servers or share a DNS server. This type of service could also enjoy the same geographical dispersal as large DNS systems do as well. A CDB database wouldn't require much in terms of memory or physical resource; they are extremely fast and efficient.

Example: calling host mail.this.com [10.10.10.10], mail from [EMAIL PROTECTED]
1. DNS request type ms 10.10.10.10
   a. response no - reject
   b. response yes
2. DNS request type mailok this.com
   a. response no - reject
   b. response yes
3. DNS request type mauthservice mail.this.com
   a. response none - defer
   b. response 10.10.10.11
4. CheckSender 10.10.10.11 [EMAIL PROTECTED]
   a. response 0 - accept
   b. response 1 - deny
   c. response 2 - defer

Under such a scenario the service at 10.10.10.11 could handle requests for this.com, that.com or there.com, whatever is set up for those domains, so handling virtuals or hosting services would be no big deal. The point is when the whole SMTP process was originally designed no one anticipated the current state of the internet, much less the concept of someone forging addresses, domains, etc. And in terms of resources just look at what is currently wasted trying to determine spam/ham. While I am sure the above is not perfect, it would require an ISP to be party to mass spamming; it would certainly provide a clear chain of responsibility and make enforcement of anti-spam laws much easier. And, please don't bring up dynamic host blocking. I am currently awaiting SORBS to de-list a mail server that has never been dynamic but is part of a DSL listing. That host had symmetrical DNS for nearly 3 weeks prior to turning on the mail
RE: Annoying stocks scams
Sorry to mess up the thread, I lost the original

-----Original Message-----
From: Dhawal Doshy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 06, 2007 9:39 AM
To: users@spamassassin.apache.org
Subject: Re: Annoying stocks scams

[EMAIL PROTECTED] wrote:

Hi List!

[ ... ]

meta HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 )
describe HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.5

It's my first meta rule, which only gives a score if both conditions are true, and I was wondering if there's a possibility to make the score more intelligent:
- if __HILO_STOCKS1 fires up, I would like to give the score maybe 0.5
- if __HILO_STOCKS2 matches as well together with __HILO_STOCKS2, make it 3.5

[ ... ]

Define two metas, the first one hits only when 1 is true and 2 is false. The second hits when both are true. You have to use the negation for 2 in meta one or you would double dip whenever both are true.

meta HILO_STOCKS_1 ( __HILO_STOCKS1 && !__HILO_STOCKS2 )
meta HILO_STOCKS_2 ( __HILO_STOCKS1 && __HILO_STOCKS2 )
describe HILO_STOCKS_1 Looks like stocks scam First Hit Only
describe HILO_STOCKS_2 Looks like stocks scam Both Hit
score HILO_STOCKS_1 0.5
score HILO_STOCKS_2 3.5

If you wanted to score the 0.5 whenever either 1 or 2 is true and the other is false:

meta HILO_STOCKS_1 ( (__HILO_STOCKS1 && !__HILO_STOCKS2) || (!__HILO_STOCKS1 && __HILO_STOCKS2) )

Rick

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
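To see why the negation matters, here is an added Python evaluator (not code from the thread) for meta/score lines of the kind above: it parses constructed rule fragments, evaluates each meta expression against a set of sub-rule hits, and sums the scores, so the naive pair without the negation can be compared with the negated pair and the either-but-not-both variant.

```python
import re

# Constructed rule fragments, not from the thread. NAIVE_CF omits the negation,
# so a message hitting both sub-rules scores 0.5 + 3.5; NEGATED_CF is the pair
# from the post; EITHER_CF is the either-but-not-both variant.
NAIVE_CF = """
meta HILO_STOCKS_1 ( __HILO_STOCKS1 )
meta HILO_STOCKS_2 ( __HILO_STOCKS1 && __HILO_STOCKS2 )
score HILO_STOCKS_1 0.5
score HILO_STOCKS_2 3.5
"""
NEGATED_CF = NAIVE_CF.replace("( __HILO_STOCKS1 )",
                              "( __HILO_STOCKS1 && !__HILO_STOCKS2 )")
EITHER_CF = NAIVE_CF.replace(
    "( __HILO_STOCKS1 )",
    "( (__HILO_STOCKS1 && !__HILO_STOCKS2) || (!__HILO_STOCKS1 && __HILO_STOCKS2) )")

def parse_cf(text):
    """Collect 'meta NAME expr' and 'score NAME value' lines; other lines are ignored."""
    metas, scores = {}, {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "meta":
            metas[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == "score":
            scores[parts[1]] = float(parts[2])
    return metas, scores

def eval_meta(expr, hits):
    """Evaluate an SA meta expression built from &&, ||, ! and parentheses
    against a dict of sub-rule hits; rules absent from the dict count as not hit."""
    # Replace every rule name with its boolean first, then translate the operators.
    py = re.sub(r"[A-Za-z_]\w*", lambda m: "True" if hits.get(m.group(0)) else "False", expr)
    py = py.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    if not re.fullmatch(r"(?:\s|[()]|True|False|and|or|not)*", py):
        raise ValueError("unsupported meta expression: " + expr)
    return bool(eval(py, {"__builtins__": {}}, {}))  # only booleans and operators remain

def total_score(cf_text, hits):
    """Sum the scores of every meta rule in cf_text that fires for these hits."""
    metas, scores = parse_cf(cf_text)
    return sum(scores.get(name, 0.0) for name, expr in metas.items() if eval_meta(expr, hits))

if __name__ == "__main__":
    both = {"__HILO_STOCKS1": True, "__HILO_STOCKS2": True}
    print("naive:", total_score(NAIVE_CF, both))      # 4.0, the double dip
    print("negated:", total_score(NEGATED_CF, both))  # 3.5
```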
RE: Discourage broken content
-----Original Message-----
From: decoder [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 25, 2006 2:24 PM
To: users@spamassassin.apache.org
Subject: Re: Discourage broken content

Kenneth Porter wrote:

--On Friday, August 25, 2006 12:05 AM -0700 Plenz [EMAIL PROTECTED] wrote:

I disagree. To check out what happens I converted a JPG picture into a GIF file and sent it to myself. One time I converted it with IrfanView and the second time with PaintShop Pro. Both GIF files had the result "giftopnm: EOF or error reading data portion..." So I produced a corrupt (?) image, but it was not spam.

I think we should discourage all broken content in email and on the web. At one time we could assume that broken content was an honest mistake and make an attempt at fixing it. But with the rise of malicious content attempting to exploit bugs in content handlers (like overruns in image libraries), we should simply reject anything that fails to pass validation, on the assumption that it's out to get us. This includes not just broken images but also broken HTML, which is so commonly used to conceal spam. We need to stop giving a free pass to broken content creation software just because it's popular. When someone sends you broken content, you should react the same way you would if they sent you documents on dirt-smeared paper. Stop letting your emperor walk around naked.

I completely agree, the problem is, some implementations make this impossible. For example MailScanner. I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally...

That is patently false. I have a graphics design/advertising department at one of my locations and these fellas send huge graphics files back and forth when they have emergency proofs/changes and MailScanner has *never* damaged anything, ever, anywhere.

Now, there is a setting for scanning (much like exiscan IIRC) that allows you to truncate the message and only scan xxx amount; it's optional and doesn't modify the actual message in any way.

Rick
RE: Discourage broken content
-----Original Message-----
From: John Andersen [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 25, 2006 4:20 PM
To: users@spamassassin.apache.org
Subject: Re: Discourage broken content

On Friday 25 August 2006 12:10, Rick Cooper wrote:

That is patently false. I have a graphics design/advertising department at one of my locations and these fellas send huge graphics files back and forth when they have emergency proofs/changes and MailScanner has *never* damaged anything, ever, anywhere. Now, there is a setting for scanning (much like exiscan IIRC) that allows you to truncate the message and only scan xxx amount; it's optional and doesn't modify the actual message in any way.

Yes, Rick, that is correct, but the situation under discussion is that mailscanner passes a partial file to the spamassassin process, which in turn passes that partial file to the image analysis plugins, which decide that the image is broken. Upon being passed by spamassassin, the entire, unchanged mail is sent on its way intact by mailscanner. Amavis-New does something similar. Shreds mail into pieces, launches scanners on the pieces. The problem is that the spam scanner (and presumably virus scanner) plugins are being handed partial files. Not a good practice in my view.

I misunderstood what decoder was saying. And no, MailScanner doesn't give the virus scanners partial messages. In fact it goes to great pains to completely unpack all attachments (including tnef) and sanitize the file names, etc. The option to give partial messages to SA is due in part to the historical lack of need to hand a large message to SA to determine ham/spam, and there are/were vulnerabilities in the tnef processing that could be exploited by very large tnef attachments. MailScanner currently handles tnef in a way I doubt there would be a problem and can in fact (optionally) decode tnef attachments and recreate them as standard attachments that any mail client can handle.

In any event I plan to bring this up on the MailScanner list and suggest the default behavior should no longer be handing only a part of the message to SA.

Rick
RE: Improved OCR Plugin with approximate matching
-----Original Message-----
From: decoder [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2006 5:31 PM
To: Spamassassin List; users@spamassassin.apache.org
Subject: Re: Improved OCR Plugin with approximate matching

[snip]

According to google, libungif seems correct for yum... If the giffix binary still isn't present, try installing giflib from source.. that isn't a big deal

Chris

yum install libungif* will get both libungif and libungif-progs (which contains giffix)

Rick
RE: why doesn't this email get detected as spam?
I get a similar score now; when they first came in they didn't hit any of the SURBL or RAZOR rules so it scored very low. I was looking for a way to hit the scheme they are using before they make it into the various block lists. I had quite a few on several servers in just a few min. I wrote a sequence of meta rules that seem to catch it well and they didn't get any FPs with mass-check, but they didn't get any hits either (using spam, spam_2 and hard_ham). I assume since they didn't get hits on the public corpus but hit every one I have actually received this is a fairly new trick. I guess I will just watch them for a while and see how they do in real life.

Rick

-----Original Message-----
From: saurabh.bhasin [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 20, 2005 12:40 PM
To: Andreas Kotowicz
Cc: users@spamassassin.apache.org
Subject: Re: why doesn't this email get detected as spam?

Scores 9.1 here. To give you an idea, details are mentioned below:

Content analysis details: (9.1 points, 1.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO           Received: contains a forged HELO
 0.1 OPTING_OUT_CAPS            BODY: Talks about opting out (capitalized version)
-0.7 BAYES_20                   BODY: Bayesian spam probability is 5 to 20% [score: 0.1239]
 1.5 RAZOR2_CF_RANGE_E8_51_100  Razor2 gives engine 8 confidence level above 50% [cf: 100]
 0.5 RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50% [cf: 100]
 4.1 URIBL_JP_SURBL             Contains an URL listed in the JP SURBL blocklist [URIs: thrillhand.com]
 3.0 URIBL_OB_SURBL             Contains an URL listed in the OB SURBL blocklist [URIs: thrillhand.com]
RE: Clever Spammers, Anything to catch this?
I get a similar score now; when they first came in they didn't hit any of the SURBL or RAZOR rules so it scored very low. I was looking for a way to hit the scheme they are using before they make it into the various block lists. I had quite a few on several servers in just a few min. I wrote a sequence of meta rules that seem to catch it well and they didn't get any FPs with mass-check, but they didn't get any hits either (using spam, spam_2 and hard_ham). I assume since they didn't get hits on the public corpus but hit every one I have actually received this is a fairly new trick. I guess I will just watch them for a while and see how they do in real life.

Rick

-----Original Message-----
From: Kai Schaetzl [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 20, 2005 12:31 PM
To: users@spamassassin.apache.org
Subject: Re: Clever Spammers, Anything to catch this?

Doesn't score that bad (I removed the hits on missing header stuff).

* 2.1 BAYES_95 BODY: Bayesian spam probability is 95 to 99% [score: 0.9854]
* 1.7 SARE_SPEC_LEO_LINE04 RAW: common Leo body text
* 1.5 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: seltagook.com]
* 3.0 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist [URIs: seltagook.com]
* 2.0 URIBL_XS_SURBL Has URI in XS - Testing [URIs: seltagook.com]
* 0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist [URIs: seltagook.com]
* 3.0 URIBL_SC2_SURBL Has URI in SC2 SURBL list [URIs: seltagook.com]
* 4.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist [URIs: seltagook.com]
* 0.0 UPPERCASE_50_75 message body is 50-75% uppercase

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de http://msie.winware.org
RE: why doesn't this email get detected as spam?
My apologies to all for accidentally replying to the wrong thread in my previous post on this thread.

Rick

-----Original Message-----
From: saurabh.bhasin [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 20, 2005 12:40 PM
To: Andreas Kotowicz
Cc: users@spamassassin.apache.org
Subject: Re: why doesn't this email get detected as spam?

Scores 9.1 here. To give you an idea, details are mentioned below:

Content analysis details: (9.1 points, 1.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO           Received: contains a forged HELO
 0.1 OPTING_OUT_CAPS            BODY: Talks about opting out (capitalized version)
-0.7 BAYES_20                   BODY: Bayesian spam probability is 5 to 20% [score: 0.1239]
 1.5 RAZOR2_CF_RANGE_E8_51_100  Razor2 gives engine 8 confidence level above 50% [cf: 100]
 0.5 RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50% [cf: 100]
 4.1 URIBL_JP_SURBL             Contains an URL listed in the JP SURBL blocklist [URIs: thrillhand.com]
 3.0 URIBL_OB_SURBL             Contains an URL listed in the OB SURBL blocklist [URIs: thrillhand.com]
RE: Bombarded by German political spam
-----Original Message-----
From: Jeff Chan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 18, 2005 6:17 AM
To: users@spamassassin.apache.org
Subject: Re: Bombarded by German political spam

On Tuesday, May 17, 2005, 3:42:09 PM, David Funk wrote:

So the intensity of the spam bombing is inversely proportional to the local computer community 'clue level'. This tends to indicate that there are more clue-less American windows llusers than there are German. No surprise there, however a bit counter-productive given the original perps' probable desired results. ;)

IIRC Sober P advertised free World Cup tickets or something like that. That would tend to get people to open the virus spams in Europe, but probably wouldn't mean sh!t here in the U.S. where probably fewer than 1 in 10 people has any idea what a World Cup is. Superbowl they've heard of. World Cup not. ;-)

That's not really accurate, soccer is actually one of the largest team youth sports in America now. IIRC it has been the YMCA's biggest team sport for nearly a decade. That means the kids that are playing, and their parents, will know what a World Cup is. In America we tended to judge the enthusiasm for a sport based on revenue and media coverage. Right now the advertising target for athletics is those who play, are involved in or played soccer when they were kids. When I was in school there were 5 days devoted to soccer in Jr. High and that was it. Now there are probably more soccer families in our community than baseball. In the next 10 - 15 years you will see a big difference in the number of pro soccer teams in the US as well as an increase in coverage because the kids that have grown up playing soccer will have the money to be heard and catered to. It's economics not ignorance; sports media coverage follows the money, as it always has.

Rick