Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23.09.2016 at 20:30, John Hardin wrote:
> On Fri, 23 Sep 2016, li...@rhsoft.net wrote:
>> On 23.09.2016 at 05:24, John Hardin wrote:
>>> On Thu, 22 Sep 2016, Thomas Barth wrote:
>>>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>>>> URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
>>>>>
>>>>> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>>>>
>>>> I found an instruction here for a debian system
>>>> https://manageacloud.com/configuration/local_dns_caching
>>>>
>>>> Seems to work local dns caching but I dont understand why I shouldnt use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
>>>
>>> Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces.
>>
>> seriously?
>
> Yes. I have found that when providing advice, if you provide extraneous details quite often people will focus on them rather than the important points.
>
>> hence the bold *no forwarding*
>>
>> "with *no forwarding*" is not clear enough that one comes two days later with a dnsmasq setup using opendns as forwarders where in fact i said explicit
>
> If they focused on "use a local caching resolver", sure. Obviously

sorry, but zero understanding

if someone is smart enough to know what to do the problem would not exist at all - if someone thinks he is so smart that he can stop reading in the middle of a single sentence without trying to understand it's a clear case of "damned don't manage any server connected to the internet"

AT LEAST when it still does not work by doing something random i expect someone step back and *read the whole fucking sentence* before write a new mail "did this and that but still don't work"
Re: DNS Terminology
On 23.09.2016 at 19:57, RW wrote:
> On Fri, 23 Sep 2016 13:13:19 -0400 Sean Greenslade wrote:
>> On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote:
>>> I've been wondering whether recursive is actually the correct term.
>>>
>>> As I understand it there are two types of DNS lookup:
>>>
>>> 1. Iterative - where results are found by working down through multiple servers from the root servers.
>>>
>>> 2. Recursive - where a request is made to a single nameserver which handles the whole look-up on behalf of a client.
>>>
>>> What this turns on is whether a forwarding server is a distinct class of nameserver or a type of recursive server. I think the latter is most logical, since both provide a recursive interface. Definitions of the term "recursive server" that I've seen contrast it only with "authoritative server".
>>
>> One thing is certain, what you want is a name server that does *iterative* lookups. A forwarding server is a recursive server. The two are more or less synonymous. Both iterative and recursive servers may or may not cache their results to speed up future queries for the same information.
>
> A nameserver that does iteration is definitely a recursive server.
>
> To say that "recursive server" and "forwarding server" are more or less synonymous is wrong

well, that whole stuff is discussed way too complex here

your nameserver can do recursion, be authoritative for own zones and forwarder for specific zones at the same time - the only relevant point is that it don't forward DNSBL/DNSWL/URIBL relevant questions to a shared nameserver outside your network - that's it

in context of a inbound mailserver (for anything you don't host on your machines) it's just as simple as:

* if your DNS is asking another DNS you defined you are doing it wrong
* if your DNS configuration contains another dns server it's wrong
* if your DNS server like dnsmasq looks in /etc/resolv.conf it's crap

the one and only exception are large networks where you have a central caching server doing recursion and on the other nodes you have this machine as forwarder, but if you are in such an environment you hopefully understand dns basics anyways
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23.09.2016 at 10:43, Thomas Barth wrote:
> On 23.09.2016 at 10:25, li...@rhsoft.net wrote:
>> On 22.09.2016 at 21:58, Bowie Bailey wrote:
>>> On 9/22/2016 3:40 PM, Thomas Barth wrote:
>>>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>>>> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>>
>> for me that topic is finished - sorry but it needs to be said clear: you are not capable to run a mailserver because you are even not capable to read what you quote
>
> mimimi

instead of making sarcastic comments better explain what exactly did you not understand in "use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver" that you have nothing better to do than setup dnsmasq with 4 forwarders followed by complain "now i have done that but URIBL_BLOCKED is still there"

that was one single line containing:

* don't use dns forwarding
* don't use dnsmasq (because it can only do forwarding)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 21:58, Bowie Bailey wrote:
> On 9/22/2016 3:40 PM, Thomas Barth wrote:
>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver

for me that topic is finished - sorry but it needs to be said clear: you are not capable to run a mailserver because you are even not capable to read what you quote

i said don't use dnsmasq for that task because i know that it can only forwarding - i said don't use any forwarding - what are you doing days later: seek the first best howto explaining you how to install dnsmasq and blow 4 forwarders in the configuration which is the opposite of what you have been told

and i had a reason saying *no forwarding* instead talking about dns-recursion because i am out of energy trying to explain the next 3 days what is recursion and seek links and docs to make a dns basic education which is your homework before you start to setup servers

>> I found an instruction here for a debian system
>> https://manageacloud.com/configuration/local_dns_caching
>>
>> /etc/resolv.conf
>> nameserver 127.0.0.1
>>
>> /etc/resolv.dnsmasq
>> nameserver 208.67.222.222
>> nameserver 208.67.220.220
>> nameserver 208.67.222.220
>> nameserver 208.67.220.222
>>
>> /etc/default/dnsmasq
>> DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
>>
>> But it is using dnsmasq for local dns caching. I ve configured it, but I still see URIBL_BLOCKED=0.001 in a mail header
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23.09.2016 at 05:24, John Hardin wrote:
> On Thu, 22 Sep 2016, Thomas Barth wrote:
>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>> URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
>>>
>>> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>>
>> I found an instruction here for a debian system
>> https://manageacloud.com/configuration/local_dns_caching
>>
>> Seems to work local dns caching but I dont understand why I shouldnt use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
>
> Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces.

seriously?

"with *no forwarding*" is not clear enough that one comes two days later with a dnsmasq setup using opendns as forwarders where in fact i said explicit "fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver"

> As far as I understand it, dnsmasq cannot be used for local recursion

yes, and hence in my original mail you are partly quoting i stated don't use that crap, see above
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 21:40, Thomas Barth wrote:
>> URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
>> http://uribl.com/refused.shtml
>>
>> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>
> I found an instruction here for a debian system
> https://manageacloud.com/configuration/local_dns_caching
>
> /etc/resolv.conf
> nameserver 127.0.0.1
>
> /etc/resolv.dnsmasq
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> nameserver 208.67.222.220
> nameserver 208.67.220.222
>
> /etc/default/dnsmasq
> DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
>
> But it is using dnsmasq for local dns caching. I ve configured it, but I still see URIBL_BLOCKED=0.001 in a mail header

because it is nonsense

the point is not that you use 127.0.0.1 as dns server - the point is that *nobody else* is using that dns server - i doubt that you are the only person on this planet using the 208.67.xx.xx opendns servers

frankly - get the basics!
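The mistake in the configuration above (a loopback resolver that is really just a forwarder to shared OpenDNS servers) can be caught before the first URIBL_BLOCKED shows up. The following audit is added example code, not part of SpamAssassin or dnsmasq; it takes the file contents and the DNSMASQ_OPTS string as inputs so it runs offline, and it treats dnsmasq.conf keywords as the long options they correspond to.

```python
"""Audit an inbound mail server's resolver setup for the error discussed in
this thread: DNSBL/URIBL lookups leaving the host through a shared forwarder.
Example code, not from SpamAssassin or dnsmasq.  File contents are passed in
as strings (path -> content) so the check runs offline."""
import ipaddress
import shlex
from typing import Dict, List, Optional


def nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in a resolv.conf body."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def is_local(addr: str) -> bool:
    """True only for loopback addresses (127.0.0.1, ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def dnsmasq_upstreams(dnsmasq_opts: str, files: Dict[str, str]) -> List[str]:
    """Return the servers dnsmasq would forward to.

    dnsmasq reads /etc/resolv.conf unless -R/--no-resolv is given,
    -r/--resolv-file replaces that file and -S/--server adds an explicit
    upstream.  Keywords in /etc/dnsmasq.conf are the long options without
    the leading "--", so they are folded into the same argument list."""
    args = shlex.split(dnsmasq_opts)
    for line in files.get("/etc/dnsmasq.conf", "").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            args.append("--" + line)

    resolv_file: Optional[str] = "/etc/resolv.conf"
    explicit: List[str] = []
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-R", "--no-resolv"):
            resolv_file = None
        elif a in ("-r", "--resolv-file"):
            resolv_file = args[i + 1]
            i += 1
        elif a.startswith("--resolv-file="):
            resolv_file = a.split("=", 1)[1]
        elif a in ("-S", "--server"):
            explicit.append(args[i + 1])
            i += 1
        elif a.startswith("--server="):
            explicit.append(a.split("=", 1)[1])
        i += 1

    upstream = list(explicit)
    if resolv_file is not None:
        upstream += nameservers(files.get(resolv_file, ""))
    return upstream


def audit(files: Dict[str, str], dnsmasq_opts: Optional[str] = None) -> List[str]:
    """Apply the thread's rules: the host must resolve via loopback only and
    a dnsmasq instance (dnsmasq_opts is None when it is not installed) must
    not forward anywhere, or DNSBL queries share another server's quota."""
    findings = []
    for ns in nameservers(files.get("/etc/resolv.conf", "")):
        if not is_local(ns):
            findings.append(f"/etc/resolv.conf points at a remote resolver {ns}")
    if dnsmasq_opts is not None:
        for up in dnsmasq_upstreams(dnsmasq_opts, files):
            if not is_local(up):
                findings.append(f"dnsmasq forwards to {up}: DNSBL queries share "
                                "that server's quota and end in URIBL_BLOCKED")
    return findings


if __name__ == "__main__":
    # Constructed sample: the setup quoted in the thread.
    sample = {
        "/etc/resolv.conf": "nameserver 127.0.0.1\n",
        "/etc/resolv.dnsmasq": "nameserver 208.67.222.222\nnameserver 208.67.220.220\n"
                               "nameserver 208.67.222.220\nnameserver 208.67.220.222\n",
    }
    for finding in audit(sample, "-r /etc/resolv.dnsmasq"):
        print(finding)
```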
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:59, Thomas Barth wrote:
> On 22.09.2016 at 12:41, li...@rhsoft.net wrote:
>>> I ve installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here:
>>> https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL
>>
>> dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/
>>
>> may i ask why you put such a unfinished and untested in many ways setup in production?
>
> The mailservers are ready and work very good but can be improved. And I only improve them when there is a need to do it. If there is a spam mail going through again, I m going the next step ;-)

i see - that good that you add poison pill rules for message-id and similar because the other parts, even very basic ones, are not working and scores are not adjusted while the SA header tells you exactly your problems to catch things :-) but do what you want

>>> I dont know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get an loading error when opening the zip file.
>>
>> what are you doing?
>
> When you ever have parsed emails for content then you would know that you can extract parts of raw mails to specific file types and open it. I dont know why I get an error this time, but dont have time to find an answer now.

i know more about email than you think but that's no reason for wasting time when you can just drag a message to a mail client as you are saying by yourself "dont have time"
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:32, Thomas Barth wrote:
> On 22.09.2016 at 11:50, li...@rhsoft.net wrote:
>> On 22.09.2016 at 11:36, Benny Pedersen wrote:
>>> On 2016-09-22 10:16, Thomas Barth wrote:
>>>> The content of the mail is:
>>>>
>>>> --boundary_af9c8db46eb73fca8b315aafef01
>>>> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
>>>> Content-Transfer-Encoding: base64
>>>> Content-Disposition: attachment; filename="e6dfa16bdb.zip"
>>>
>>> whats in this zip file?
>>
>> malware as in all attachments from this type of spam, easily to detect by clamd with sanesecurity signatures
>
> I ve installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here:
> https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL

dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/

may i ask why you put such a unfinished and untested in many ways setup in production?

> I dont know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get an loading error when opening the zip file.

what are you doing?

uncompress the mail and drag the raw-mail with .eml extension in Thunderbird from where you can simply save the attachment instead grab manually around in multipart-mails

I suppose it contains a javascript file (name.pdf.js) or .wsf/.exe/.jar and so on - they are changing all the time
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 11:36, Benny Pedersen wrote:
> On 2016-09-22 10:16, Thomas Barth wrote:
>> The content of the mail is:
>>
>> --boundary_af9c8db46eb73fca8b315aafef01
>> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment; filename="e6dfa16bdb.zip"
>
> whats in this zip file?

malware as in all attachments from this type of spam, easily to detect by clamd with sanesecurity signatures
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 10:16, Thomas Barth wrote:
> On 21.09.2016 at 18:47, Bowie Bailey wrote:
>> That is ridiculous. The more training bayes gets the better it works. And manual training is better than autolearning because autolearning can automatically learn false positives and false negatives and cause problems for the database.
>
> And what about filter poisoning? In the last 10 hours my company address got 43 mails classified as spam (even a virus mail detected today). And there was one mail classified as spam due to my rule (bad country, message-id.
>
> Dear so,
> Your payment has been approved. Your account will be debited within two days. You can email us for any query regarding your account.
> Thank you.
> Lupe Monroe
> Support
>
> There is no spam content, am I right? Normal words and content that a normal person can use. I dont need spam learning for all the mails already classified as spam with high score. Spam with low score are interesting for spam learning like this one. But when I use these mails for spam learning there is a risk of false positive some day, because it has learned that normal mails are also spam?

no you are not right - that *is spam content* and has nothing to do with bayes poisoning - in fact that are malware messages - known by our bayes for at least 12 months and already BAYES_99 stuff will not be trained

it's the job of the bayes filter to find the minimal but existing differences and mistakes between that and similar ham and *hence* autolearning won't work in general because you need still to decide and classify the border cases

bayes poisoning can become a problem and is *another* reason why you train your filter manually instead let him decide itself and if it once decided wrong learn more and more in the wrong direction but that above is NOT bayes poisoning
Re: Digest::SHA1 module is required by the Razor2 plugin
On 21.09.2016 at 23:36, RW wrote:
> On Wed, 21 Sep 2016 10:54:32 +0200 li...@rhsoft.net wrote:
>> surely - while DCC is not a spam sign by it's descriptions razor/pyzor *are* and they have nothing in common with DNSBL/URIBL they are *content digest*
>
> Actually razor is pretty close to a URIBL, now that only engine 8 is supported by Cloudmark. It's based on a combination of URI domain name and text size, so you only get a hit if a domain has been reported inside a similarly sized mime section

and even if it's only a URIBL - different blacklists have different traps, reportings etc. leading to different times where new stuff is listed - that's the whole point of having not only one source for classification and why you have DNSWL as positive weight in the mix to get a balanced total score
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 18:28, Thomas Barth wrote:
> On 21.09.2016 at 18:00, li...@rhsoft.net wrote:
>> the problem of the OP is that he starts things the other side round and first reject without good evidence and don't have anything to make the system bullet proof because it's rejected
>
> I remembered that I read a book about Postfix with the topic "Training with SpamAssassin". And the author was against additional training. The more you train the worse the result. With the motto "I cook an egg for more than 15 minutes, but it is still hard." There are other arguments for not autolearning, but my english is not that good to translate a complete chapter. And if there are some mails breaking through the wall, then it is better to create rules against the header. Clear facts without side effects.
>
> He also wrote that Amavis/SpamAssassin is learning itself. Each mail classified as spam with a score of more than 12.0 is learned as spam and there should be a logfile entry with loglevel 2 if a mail has been learned as spam. I never increased the loglevel to check that. I followed his opinion because it is the best book I ve got (www.postfix.de, next SpamAssassin/Amavis training course in November, I m thinking of participation)

"against additional training" and "other arguments for not autolearning" are the exactly *opposite*, however, i can assure you that a well trained bayes with any autolearning reaches a 90-95% hit rate proven by 5 false positives and 30 spamreports on some hundred users in 2016

autolearning is anyways bad because it tends to classify already FN or FP in the exactly wrong direction - you need to train *wrong classified* mail where you are 100% sure if it's spam or ham and just ignore anything where you are unsure, the rest will have common patterns which are learned over time with your well classified ones

anyways, a spamfilter completely without bayes and URIBL not working has no business to run in production
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 17:53, Sean Greenslade wrote:
> As for your spam rejection paradigm, I can't possibly imagine that working well unless you have a very close relationship with every single person who emails you. If I send my resume to a job recruiter and they get a bounce when they email me back, I highly doubt they're going to bother to call me up and tell me my email system is broken. My resume's going in the trash and they're moving on. Just because you haven't received any calls doesn't mean there's no problems...

it's absolutely no problem to outright reject high scored spam and tag the likely spam stuff - BUT the prerequisite for doing so is to collect bayes data, watch how the systems operate and after it's classification is proven good and all sort of scores are adjusted decide what is the safe reject score

the problem of the OP is that he starts things the other side round and first reject without good evidence and don't have anything to make the system bullet proof because it's rejected

when one starts with dangerous rules like reject based on message-id, not realize that his blacklists are not working and bayes don't work this system is *not* production ready at all
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 17:23, Thomas Barth wrote:
> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>> #bayes
>>> use_bayes 1
>>> use_bayes_rules 1
>>> bayes_auto_learn 1
>>
>> so your setup either don't use that config (amavis or something like that part of the game then you don't have just spamassassin) or you have not trained enough spam *and* ham - or you train the wrong bayes-database likely by calling "sa-learn" with the wrong user
>> https://wiki.apache.org/spamassassin/SiteWideBayesSetup
>
> I cant do that because I dont have spam mails. I dont make store. I didnt thought that I need the spam uncompressed in a folder for autolearning, I thought it works when sa is analyzing the mail

how do you imagine autolearning from start with nothing trained? just rely on rules and then train on false positives and negatives, in other words every rejected message as spam and every passed as ham won't work and when you think about it 10 seconds it should be obvious

anyways, you can't tell me that there are no mails which didn't make it through the filters which were spam to find 200 of them and 200 ham should be even more easy as long as you don't delete your mail after read

> My mailsystem checks mails in real time and blocks mail during connection. If there is a false positive the sender gets an error and I get a call of the sender to check it (last call was over a year ago :-). But I have a compressed copy in the quarantine folder so that I can check the reason anyway.

don't change the fact that you need the stuff which was wrong classified and tell SA if it's good or bad to make the filter better
Re: Spam by IP-address? Spamassassin with geoiplookup?
> RP_MATCHES_RCVD=-3.096

override this idiotic rule with "score RP_MATCHES_RCVD -0.001" and hopefully that will soon get fixed until the end of all days as it was for a long time in the past

fix the other issues below and you don't need bad rules like "MESSAGEID_LOCAL=3" with such a dangerous and plain wrong score

On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> On 21.09.2016 at 15:48, Thomas Barth wrote:
>> X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
>
> URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
> http://uribl.com/refused.shtml
>
> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>
>> You all say that bayes is not working in my setup. I dont know why. I followed a documentation for setting up my mailserver. It says:
>>
>> nano /etc/spamassassin/local.cf
>> #bayes
>> use_bayes 1
>> use_bayes_rules 1
>> bayes_auto_learn 1
>
> so your setup either don't use that config (amavis or something like that part of the game then you don't have just spamassassin) or you have not trained enough spam *and* ham - or you train the wrong bayes-database likely by calling "sa-learn" with the wrong user
> https://wiki.apache.org/spamassassin/SiteWideBayesSetup
>
> is there really no "spamassassin for beginners" which explains all that dns-stuff *at one place* and how to train bayes and make sure it is used instead get every day the same problem reports on the list from fresh people?
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 15:48, Thomas Barth wrote:
> X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no

URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
http://uribl.com/refused.shtml

fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver

> You all say that bayes is not working in my setup. I dont know why. I followed a documentation for setting up my mailserver. It says:
>
> nano /etc/spamassassin/local.cf
> #bayes
> use_bayes 1
> use_bayes_rules 1
> bayes_auto_learn 1

so your setup either don't use that config (amavis or something like that part of the game then you don't have just spamassassin) or you have not trained enough spam *and* ham - or you train the wrong bayes-database likely by calling "sa-learn" with the wrong user
https://wiki.apache.org/spamassassin/SiteWideBayesSetup

is there really no "spamassassin for beginners" which explains all that dns-stuff *at one place* and how to train bayes and make sure it is used instead get every day the same problem reports on the list from fresh people?
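The diagnosis in the reply above is read straight off the X-Spam-Status header: URIBL_BLOCKED means the resolver forwards, no BAYES_* test means bayes is not in play, and RP_MATCHES_RCVD pulls the score down. The parser and checker below are added example code (not from SpamAssassin or Amavis); they handle the Amavis `tests=[NAME=score, ...]` form shown here as well as the bare `tests=NAME,NAME` form SpamAssassin itself writes.

```python
"""Parse an X-Spam-Status header and flag the setup problems named in this
thread.  Example code, not part of SpamAssassin or Amavis."""
import re
from typing import Dict, List

# Constructed sample: the header quoted in the thread, on one logical line.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 "
    "tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, "
    "SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no"
)

# key=value pairs; a value is either a bracketed list or a run of non-blanks.
_KV_RE = re.compile(r"(\w+)=(\[[^\]]*\]|[^\s\[]+)")


def parse_spam_status(header: str) -> dict:
    """Return flag, total score, threshold, per-test scores and autolearn
    state.  Tests without a score (plain SpamAssassin headers) get 0.0."""
    body = header.split(":", 1)[1].strip()
    flag, rest = body.split(",", 1)
    fields = dict(_KV_RE.findall(rest))
    tests: Dict[str, float] = {}
    inner = fields.get("tests", "").strip("[]")
    for item in filter(None, (t.strip() for t in inner.split(","))):
        name, _, val = item.partition("=")
        tests[name] = float(val) if val else 0.0
    return {
        "flag": flag.strip(),
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": tests,
        "autolearn": fields.get("autolearn", ""),
    }


def diagnose(parsed: dict) -> List[str]:
    """Map the test names to the configuration problems raised in the thread."""
    tests = parsed["tests"]
    problems = []
    if "URIBL_BLOCKED" in tests:
        problems.append("URIBL_BLOCKED: DNSBL/URIBL queries go through a shared "
                        "forwarder; run a local recursive resolver with no forwarding")
    if not any(name.startswith("BAYES_") for name in tests):
        problems.append("no BAYES_* test fired: bayes is disabled, untrained, or "
                        "sa-learn fills a database the scanner never reads")
    if tests.get("RP_MATCHES_RCVD", 0.0) < -1.0:
        problems.append("RP_MATCHES_RCVD carries a large negative score; the thread "
                        "suggests 'score RP_MATCHES_RCVD -0.001'")
    # Per-test scores, when present, should add up to the reported total;
    # a mismatch usually means a truncated or hand-edited header.
    if any(tests.values()) and abs(sum(tests.values()) - parsed["score"]) > 0.01:
        problems.append("listed test scores do not add up to the header score")
    return problems


if __name__ == "__main__":
    for line in diagnose(parse_spam_status(SAMPLE_HEADER)):
        print(line)
```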
Re: Digest::SHA1 module is required by the Razor2 plugin
On 21.09.2016 at 10:18, Marcus Schopen wrote:
> On Monday, 19.09.2016, 13:35 +0100, RW wrote:
>>> It's not a spamassassin problem, right. Question is, can I install a SHA1 package without harming perl at other places?
>>
>> It should do any harm.
>>
>> That should have been: It shouldn't do any harm.
>
> Thanks. Build a backport and razor is running fine now. Is anyone using razor/pyzor/DCC and can give some efficiency report? Do they still make sense beside DNSBL and URIBL?

surely - while DCC is not a spam sign by it's descriptions razor/pyzor *are* and they have nothing in common with DNSBL/URIBL they are *content digest* and so able to hit messages spread over different outbound servers, all sort of hacked accounts and using permanently changing URLs - the whole point of SA is to make a final score of different sources
Re: How to reject mails with special message-id (Debian, Amavis, Spamassassin)
On 20.09.2016 at 15:46, Thomas Barth wrote:
>>> I read that 5.0 is aggressive and suitable for single user setup, conservative values are 8.0 or 11.0
>>
>> depends on your glue, setup and bayes-training
>>
>> many setups tag spam with 5.0 or 5.5 while the glue like a milter rejects spam above 8.0 points
>
> I ve checked most of the mails recognized as spam. The lowest score was 8.6x so far.

that don't say anything as i recall from other posts your bayes is currently not working - the point is not what was detected but what slipped through and why or became a false-positive and why

> Here is another mail from ...local. It definitely was spam with zip attachment. Common is a sender address with digits.->
>
> , quarantine: l/spam-lEHVGcheLkyq.gz, Message-ID: <20160920202635.6b90ec7...@allfromboats.com.local>, mail_id: lEHVGcheLkyq, Hits: 19.118
>
> May be I also should block sender addresses with more than 2 digits in the name?

you should not block anything by single rules, that thread sounds like you are a absolute beginner and in that case you should refrain from blindly setup rules because you think you have found a spam sign somewhere

anyways, i can assure you that .local in a message-id is *nothing unusual* and frankly i had even to step back from reject from-headers with .local because a large part of mailadmins configure their systems as 'mail.company.local' and in case of bounces (mailbox full as example) the envelope is a null-sender and the from-header postmaster@fool.local

well, and all that systems have a message-id ending with .local and if you want numbers - we would have rejected or tagged 981 *100% ham* messages with a message-id ending with .local and my users would have crucified me for such a setup
Re: mailspike: repeatedly down
On 19.09.2016 at 17:11, Jose Borges Ferreira wrote:
> Hi all,
>
> To solve that issues, we are currently moving and upgrading our servers. This should be solved quickly. Sorry for any inconvenience.

thanks for feedback and taking action!

> On Mon, Sep 19, 2016 at 2:43 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:
>> in case someone cares or even somebody from 'mailspike.net' is on this list - logs like below appear repeatedly the last weeks or few months
>>
>> in fact these are timeouts and that will also hit default SA installations, most likely without logging as postscreen does
>>
>> Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
>> Sep 19 15:36:43 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
>> Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
>> Sep 19 15:37:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
>> Sep 19 15:40:18 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
>> Sep 19 15:40:23 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
>>
>> Sep 19 15:40:03 mail-gw postfix/dnsblog[27524]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.wl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.wl.mailspike.net type=A: Host not found, try again
>> Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.bl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.bl.mailspike.net type=A: Host not found, try again
>> Sep 19 15:40:04 mail-gw postfix/dnsblog[28533]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.bl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.bl.mailspike.net type=A: Host not found, try again
>> Sep 19 15:40:04 mail-gw postfix/dnsblog[27997]: warning: dnsblog_query: lookup error for DNS query 41.236.165.122.bl.mailspike.net: Host or domain name not found. Name service error for name=41.236.165.122.bl.mailspike.net type=A: Host not found, try again
>> Sep 19 15:40:04 mail-gw postfix/dnsblog[28821]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.wl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.wl.mailspike.net type=A: Host not found, try again
mailspike: repeatedly down
in case someone cares or even somebody from 'mailspike.net' is on this list - logs like below appear repeatedly the last weeks or few months

in fact these are timeouts and that will also hit default SA installations, most likely without logging as postscreen does

Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:36:43 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
Sep 19 15:37:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
Sep 19 15:40:18 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:40:23 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net

Sep 19 15:40:03 mail-gw postfix/dnsblog[27524]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.wl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.wl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.bl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28533]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.bl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[27997]: warning: dnsblog_query: lookup error for DNS query 41.236.165.122.bl.mailspike.net: Host or domain name not found. Name service error for name=41.236.165.122.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28821]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.wl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.wl.mailspike.net type=A: Host not found, try again
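The post makes the point that postscreen at least logs these timeouts while a default SpamAssassin setup eats them silently. The summariser below is added example code, not part of Postfix or SpamAssassin: it folds the postscreen timeout and dnsblog lookup-error lines above (embedded here as a constructed sample) into per-zone counts, so a list that keeps timing out can be spotted and dropped from the scoring before it costs 10 seconds per client.

```python
"""Aggregate postscreen/dnsblog warnings per DNSBL zone from Postfix log
lines.  Example code, not part of Postfix or SpamAssassin."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# postscreen reports a timeout per zone; dnsblog reports the failed query
# name, which carries the reversed client IP in front of the zone.
TIMEOUT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: warning: dnsblog reply timeout (\d+)s for (\S+)")
ERROR_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: warning: dnsblog_query: lookup error for DNS query (\S+):")

# Constructed sample: the lines quoted in the post, one log record per line.
SAMPLE_LOG = """\
Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:36:43 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
Sep 19 15:37:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
Sep 19 15:40:18 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:40:23 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:40:03 mail-gw postfix/dnsblog[27524]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.wl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.wl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.bl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28533]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.bl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[27997]: warning: dnsblog_query: lookup error for DNS query 41.236.165.122.bl.mailspike.net: Host or domain name not found. Name service error for name=41.236.165.122.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28821]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.wl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.wl.mailspike.net type=A: Host not found, try again
"""


def zone_of(query: str) -> str:
    """'195.109.140.185.wl.mailspike.net' -> 'wl.mailspike.net': strip the
    four reversed-IPv4 labels that prefix an IPv4 DNSBL query."""
    labels = query.split(".")
    return ".".join(labels[4:]) if len(labels) > 4 else query


def summarize(lines: Iterable[str]) -> Dict[str, Counter]:
    """Return {zone: Counter(timeouts, timeout_seconds, errors)}."""
    stats: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if m:
            stats[m.group(2)]["timeouts"] += 1
            stats[m.group(2)]["timeout_seconds"] += int(m.group(1))
            continue
        m = ERROR_RE.search(line)
        if m:
            stats[zone_of(m.group(1))]["errors"] += 1
    return dict(stats)


def flaky_zones(stats: Dict[str, Counter], min_events: int = 3) -> List[str]:
    """Zones with at least min_events timeouts+errors, sorted by name."""
    return sorted(z for z, c in stats.items()
                  if c["timeouts"] + c["errors"] >= min_events)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for zone in flaky_zones(stats):
        c = stats[zone]
        print(f"{zone}: {c['timeouts']} timeouts ({c['timeout_seconds']}s), "
              f"{c['errors']} lookup errors")
```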
Re: Digest::SHA1 module is required by the Razor2 plugin
On 19.09.2016 at 11:10, Marcus Schopen wrote:
> I'd like to use razor on my private mailbox, but it seems to depend on Digest::SHA1, which is not part of Ubuntu 12.04 LTS or 14.04 LTS:
>
> The Digest::SHA1 module is required by the Razor2 plugin
>
> I found this bug report
> https://bugs.launchpad.net/ubuntu/+source/libdigest-sha1-perl/+bug/993648
> where a package for precise is published (comment #9). What to do? Building an own package from

just file a bugreport against Ubuntu spamassassin package and refer to the above bugreport - someone needs to fix that mess in Ubuntu and i can assure you Debian and Redhat systems don't have this problem

in other words: this is a distribution mess and not SA related
Re: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...
On 16.09.2016 at 19:27, Joe Quinn wrote:
> On 9/16/2016 12:59 PM, li...@rhsoft.net wrote:
>> ...
>> in case you have postscreen or something else which does proper rbl-scoring in front of the content-scanners it's no problem because only a small part of spam attempts are making it to SA
>>
>> may depend on the amount of ham which can also be mitigated by shortcircuiting trustable senders with a large amount of mail
>>
>> i have seen in the past a lot of junk with some 5-10 MB crap attached, completely unrelated images because spammers know that they can bypass many spamfilters that way (in case of a large binary it's also no problem for cpu resources, only when they have a wrong text mimetype)
>
> Another strategy sometimes is to truncate the message to that max size before scanning, though making sure you get the most meaningful content of a message without breaking the MIME format is in general not an easy problem

the answer to this from the SA developers was "don't care, should the glue do it"
Re: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...
On 16.09.2016 at 18:17, David B Funk wrote:
> What do you see in your syslog reports from spamc? Is it reporting any errors?
>
> Please note the 'max-size' parameter for spamc:
>
> -s max_size, --max-size=max_size
> Set the maximum message size which will be sent to spamd -- any bigger than this threshold and the message will be returned unprocessed (default: 500 KB). If spamc gets handed a message bigger than this, it won't be passed to spamd. The maximum message size is 256 MB.
>
> So any message larger than that parameter (default 500KB) will be silently bypassed as far as spamd processing is concerned.
>
> Note, do not make that a large number in an attempt to process -everything- unless you have a beefy (lots of RAM & CPU) machine for your spamd processing

in case you have postscreen or something else which does proper rbl-scoring in front of the content-scanners it's no problem because only a small part of spam attempts are making it to SA

may depend on the amount of ham which can also be mitigated by shortcircuiting trustable senders with a large amount of mail

i have seen in the past a lot of junk with some 5-10 MB crap attached, completely unrelated images because spammers know that they can bypass many spamfilters that way (in case of a large binary it's also no problem for cpu resources, only when they have a wrong text mimetype)
Re: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...
On 16.09.2016 at 14:49, Maik Linnemann wrote:
> So far so good. The concept works like it should with only one exception: Some mails are not tagged by spamassassin and i don't have a clue why. Viscerally i would say it's about 20% of all mails that aren't tagged by spamassassin

how is SA integrated in your mailsystem?

that's a very important question because the glue, for example spamass-milter or amavis, can skip SA completely depending on its configuration
Re: Tuning recommendations?
On 12.09.2016 at 20:34, thomas cameron wrote:
> On 09/12/2016 01:06 PM, John Hardin wrote:
>> On Mon, 12 Sep 2016, thomas cameron wrote:
>>
>> Make sure you have a local recursing (**NOT** forwarding) DNS server that your MTA and SA are configured to use. Reason: if you're forwarding your MTA DNS requests to your ISP's DNS server, the aggregated traffic of you plus all the other ISP clients can exceed the various DNSBL and URIBL free-usage limits, rendering those tools useless.
>
> [root@mail-west ~]# grep recurs /etc/named.conf
> allow-recursion { 127.0.0.1; };
>
>> A clear indicator this is happening: URIBL_BLOCKED hits.
>
> I see "URIBL_BLACK Contains an URL listed in the URIBL blacklist" in the headers of many of the messages that got through. Is that what you mean?

no, that means the message had a hit and so it seems you are using only 127.0.0.1 as nameserver and that nameserver does *not* forward

it would be really helpful if you just post the full report-header of such a message, otherwise you are on your own
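`grep recurs` only shows that recursion is allowed; the setting that matters for DNSBL usage limits is `forwarders`. As an added example (not code from the thread or from BIND), here is a checker that parses a named.conf text for the settings that make the local server relay queries to a shared resolver, shown against a constructed forwarding configuration and a constructed plain recursive one. The forwarder addresses are documentation IPs, not real resolvers.

```python
"""Flag BIND settings that turn a mail server's resolver into a forwarder.

Added example; not the thread's own code. Both config snippets are
constructed; the forwarder addresses are documentation IPs (192.0.2.x).
"""
import re


def strip_comments(text):
    """Remove the /* */, // and # comment forms named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def check_named_conf(text):
    """Return a list of findings; an empty list means nothing here stops
    the server from resolving DNSBL names iteratively from the roots."""
    text = strip_comments(text)
    findings = []
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", text)
    if m:
        # 'forwarders { };' is the BIND idiom for "no forwarding", so only a
        # non-empty address list counts as a finding.
        ips = re.findall(r"[0-9A-Fa-f:.]+", m.group(1))
        if ips:
            findings.append(
                "forwarders configured: " + ", ".join(ips)
                + " (DNSBL queries reach the lists from the forwarder's address,"
                  " pooled with everyone else who uses it)")
    if re.search(r"\bforward\s+only\s*;", text):
        findings.append("'forward only' set: no iterative resolution at all")
    if re.search(r"\brecursion\s+no\s*;", text):
        findings.append("'recursion no' set: this server answers no recursive"
                        " queries, so neither the MTA nor SA can use it")
    return findings


# Constructed: the weak setup, every query relayed to the ISP resolver.
FORWARDING_CONF = """\
options {
    listen-on port 53 { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
    recursion yes;
    # relay everything to the ISP resolver (constructed addresses)
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
};
"""

# Constructed: the corrected setup, recursion with an empty forwarder list.
RECURSIVE_CONF = """\
options {
    listen-on port 53 { 127.0.0.1; };
    allow-query { localhost; };
    allow-recursion { 127.0.0.1; };
    recursion yes;
    forwarders { };   // explicitly empty: walk down from the root servers
};
"""

if __name__ == "__main__":
    for name, conf in (("forwarding", FORWARDING_CONF), ("recursive", RECURSIVE_CONF)):
        print(name, check_named_conf(conf) or ["ok"])
```

On a live system run it on the whole file (`check_named_conf(open("/etc/named.conf").read())`) and remember that `include` statements and per-zone `forwarders` blocks are not followed by this simple checker; a URIBL_BLOCKED hit in a scanned message remains the practical proof that queries are being pooled somewhere.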
Re: RCVD_IN_SORBS_SPAM and google IPs
On 12.09.2016 at 18:53, David Jones wrote:
> *From:* li...@rhsoft.net <li...@rhsoft.net>
> *Sent:* Monday, September 12, 2016 8:47 AM
> *To:* users@spamassassin.apache.org
> *Subject:* Re: RCVD_IN_SORBS_SPAM and google IPs
>
>> On 12.09.2016 at 15:37, David Jones wrote:
>>> Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's hitting a lot more ham than spam here, including mail from facebook. You should be safely whitelisting any major senders like Facebook at the MTA level and in SA:
>>>
>>> whitelist_auth *@amazonses.com
>>
>> for sure *not* since that would whitelist anything hosted on the amazon cloud instances which is *not* amazon stuff itself
>>
>> don't confuse major good senders with hosted crap of endcustomers
>>
>> @amazonses.com != @amazon.com
>
> I know the difference between amazonses.com and amazon.com. I have only had 1 instance of spam from amazonses.com and Amazon blocked it quickly.

that's exactly what i *don't* have a contentfilter for - to need customers to report their spam and then have to talk with abuse departments to stop it

> From my experience, they are trustworthy and police their outbound spam properly to trust. Otherwise you will block too much legit email from their Simple Email Service.

why should i block too much legit mail just because a sender is not whitelisted?

> https://aws.amazon.com/ses/faqs/
>
> They have sending and bounce quotas which are going to catch most bad actors using SES.
>
>> the same for "whitelist_auth *@icloud.com"
>
> Apple is also doing a good job of policing their outbound spam from icloud.com. My logs show good reputation of the IPs. senderscore.org report for 17.164.24.103 has a 98 out of 100 as a very high sender which is excellent.

a good job doesn't help much in case of hacked accounts which are closed after the damage of sending phishing and malware mails already happened

> Everyone doesn't have to whitelist_auth the same senders. I only wanted to show that this is a valid way to reduce false positives for transient things like Google IPs in SORBS RBL.
>
>> [root@mail-gw:~]$ cat maillog | grep 01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com
>> Sep 6 18:58:47 mail-gw postfix/cleanup[5554]: 3sTCVH11mDz9bQ: message-id=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com>
>> Sep 6 18:58:52 mail-gw spamd[1086]: spamd: result: Y 14 - BAYES_99,BAYES_999,BOGOFILTER_SPAM,CUST_DNSBL_19_SPAMCANN,CUST_DNSWL_5_ORG_N,CUST_DNSWL_8_TL_N,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,SPF_PASS,T_OBFU_ATTACH_MISSP,URIBL_LOCAL scantime=5.0,size=13908,user=sa-milt,uid=189,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,mid=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com>,bayes=1.00,autolearn=disabled,shortcircuit=no
>
> Did you check the envelope-from address of that message?

surely - in fact i found the message-id after grepping for envelopes in the milter-reject-log and *then* searched for the classification

> Those are message IDs which wouldn't necessarily match the envelope-from used by whitelist_auth.

man, i know what i am doing when reading maillogs (besides, i knew before looking in the recent logs that @amazonses.com is not a blindly trustable envelope)

from=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@amazonses.com> from a8-21.smtp-out.amazonses.com[54.240.8.21]

> I don't see an IP address either to check the source so that email could have been forwarded

* SPF_PASS
* DKIM_VALID_AU

> I would need to see the full headers and the message body since it did hit so many rules and high Bayes

no you don't - the destination of that mail was our sysadmin-address, *never* used to subscribe anywhere nor as envelope-sender, it's only mentioned on http error pages (non 2xx response)
Re: Tuning recommendations?
On 12.09.2016 at 17:51, thomas cameron wrote:
> I rolled a new mail server out for my small business, and I've got a pretty vanilla SA setup. It's just not doing a very good job of catching spam. I'm getting a TON of "Amazon gift card" and "female hair loss" and "work from home" spam in my inbox. I feel like if I see one more e-mail about Blake Shelton, I'm gonna scream

train your bayes properly with enough ham *and* spam and do it as the user spamassassin runs as
Re: RCVD_IN_SORBS_SPAM and google IPs
On 12.09.2016 at 15:37, David Jones wrote:
> Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's hitting a lot more ham than spam here, including mail from facebook. You should be safely whitelisting any major senders like Facebook at the MTA level and in SA:
>
> whitelist_auth *@amazonses.com

for sure *not* since that would whitelist anything hosted on the amazon cloud instances which is *not* amazon stuff itself

don't confuse major good senders with hosted crap of endcustomers

@amazonses.com != @amazon.com

the same for "whitelist_auth *@icloud.com"

[root@mail-gw:~]$ cat maillog | grep 01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com
Sep 6 18:58:47 mail-gw postfix/cleanup[5554]: 3sTCVH11mDz9bQ: message-id=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com>
Sep 6 18:58:52 mail-gw spamd[1086]: spamd: result: Y 14 - BAYES_99,BAYES_999,BOGOFILTER_SPAM,CUST_DNSBL_19_SPAMCANN,CUST_DNSWL_5_ORG_N,CUST_DNSWL_8_TL_N,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,SPF_PASS,T_OBFU_ATTACH_MISSP,URIBL_LOCAL scantime=5.0,size=13908,user=sa-milt,uid=189,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,mid=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com>,bayes=1.00,autolearn=disabled,shortcircuit=no
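The argument in this post and in the longer exchange above turns on two things a reader can check mechanically: what the spamd `result:` line actually says, and which addresses a `whitelist_auth *@amazonses.com` pattern would cover. The following is an added example, not code from the thread or from SpamAssassin: a parser for the spamd log line quoted above, plus the `*`/`?` glob semantics of SA's whitelist_* address patterns re-implemented in Python. The envelope sender is the `from=<...>` value quoted in the exchange; the "authenticated" test is a simplification that reads SPF_PASS / DKIM_VALID_AU off the rule list instead of re-running the checks.

```python
"""Parse a spamd 'result:' log line and test an envelope sender against
whitelist_auth patterns.

Added example, not code from the thread. The log line and the envelope
sender are the ones quoted above; the '*'/'?' glob handling re-implements
the address syntax of SpamAssassin's whitelist_* options, and the
"authenticated" test is a simplification (see comment).
"""
import re

RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[YN]) (?P<score>-?\d+) - (?P<rules>\S*) (?P<kv>.*)$")
# key=value pairs are comma separated; values such as rport=/path or
# mid=<...> contain no ",key=" sequence, which the lookahead relies on.
KV_RE = re.compile(r"(\w+)=(.*?)(?=,\w+=|$)")


def parse_spamd_result(line):
    """Return {'spam': bool, 'score': int, 'rules': set, 'fields': dict} or None."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    return {
        "spam": m.group("verdict") == "Y",
        "score": int(m.group("score")),
        "rules": set(filter(None, m.group("rules").split(","))),
        "fields": dict(KV_RE.findall(m.group("kv"))),
    }


def whitelist_pattern_to_regex(pattern):
    """SA whitelist addresses: '*' matches any run of characters, '?' one
    character, everything else literally; anchored and case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_whitelist(address, patterns):
    return any(whitelist_pattern_to_regex(p).match(address) for p in patterns)


def whitelist_auth_would_apply(result, envelope_from, patterns):
    """Simplification: whitelist_auth only fires for senders SA could
    authenticate; here that is read off the SPF_PASS / DKIM_VALID_AU hits
    in the result line instead of re-running the checks."""
    authenticated = bool(result["rules"] & {"SPF_PASS", "DKIM_VALID_AU"})
    return authenticated and matches_whitelist(envelope_from, patterns)


LOG_LINE = ("Sep 6 18:58:52 mail-gw spamd[1086]: spamd: result: Y 14 - "
            "BAYES_99,BAYES_999,BOGOFILTER_SPAM,CUST_DNSBL_19_SPAMCANN,CUST_DNSWL_5_ORG_N,"
            "CUST_DNSWL_8_TL_N,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,"
            "HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,"
            "RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,SPF_PASS,T_OBFU_ATTACH_MISSP,URIBL_LOCAL "
            "scantime=5.0,size=13908,user=sa-milt,uid=189,required_score=5.5,rhost=localhost,"
            "raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,"
            "mid=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com>,"
            "bayes=1.00,autolearn=disabled,shortcircuit=no")
ENVELOPE_FROM = "01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@amazonses.com"

if __name__ == "__main__":
    r = parse_spamd_result(LOG_LINE)
    print("spam:", r["spam"], "score:", r["score"], "size:", r["fields"]["size"])
    print("whitelist_auth *@amazonses.com would apply:",
          whitelist_auth_would_apply(r, ENVELOPE_FROM, ["*@amazonses.com"]))
```

The point the output makes: the message scored 14 with Bayes at 1.00, it passed SPF and DKIM, and its envelope domain is exactly `amazonses.com`, so the suggested `whitelist_auth *@amazonses.com` would have let it through. Note also that the pattern does not cover the `email.amazonses.com` subdomain used in the Message-ID, which is why the envelope sender, not the Message-ID, is the value to check.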
Re: RCVD_IN_SORBS_SPAM and google IPs
On 09.09.2016 at 15:20, Bowie Bailey wrote:
> On 9/8/2016 6:29 PM, RW wrote:
>> On Thu, 8 Sep 2016 15:53:00 -0500 (CDT) Shane Williams wrote:
>>> I'm seeing google IP ranges hit the RCVD_IN_SORBS_SPAM rule, and in digging deeper, I realize that there are zero hits on this rule for the two weeks prior to Aug. 31, and now I'm seeing it thousands of times per week (not just against google IPs). Was this rule added/changed/re-scored in a recent sa-update?
>>
>> It was commented out for a long time because it had a delisting fee, but was recently re-enabled.
>>
>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=2221#c16
>
> Granted, my system is fairly low volume, but out of over 15,000 messages scanned, I have only seen 88 hits for SORBS rules in general and no hits at all for RCVD_IN_SORBS_SPAM. If there's a problem, I'm not seeing it

depends just on luck

* how many mails came from gmail, yahoo, gmx & friends
* from which server did they come

sorbs doesn't list gmail or other freemail providers as a whole, just the nodes which recently were abused by spammers and contacted honeypots or were reported repeatedly

you can write the exact same message to the same RCPT from a freemail provider within 5 seconds and they may hit completely different DNSBL/DNSWL listings
Re: RCVD_IN_SORBS_SPAM and google IPs
On 08.09.2016 at 22:53, Shane Williams wrote:
> I'm seeing google IP ranges hit the RCVD_IN_SORBS_SPAM rule, and in digging deeper, I realize that there are zero hits on this rule for the two weeks prior to Aug. 31, and now I'm seeing it thousands of times per week (not just against google IPs). Was this rule added/changed/re-scored in a recent sa-update?

rules are re-scored all the time

2.397 is *way* too high because SORBS has a ton of different scorings and to land on "spam" is not hard for large providers which *in fact* all day long send some amount of spam since large freemail providers have no way to avoid it completely

"spam.dnsbl.sorbs.net" (127.0.0.6 response) has here 3 points on postscreen and 1.0 for SA - in both cases reject begins with 8.0
Re: Anyone else just blocking the ".top" TLD?
On 08.09.2016 at 15:44, Chip M. wrote:
> On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
>> i get a diff-output per mail each time the mailserver configs are changing
>
> That's a completely valid approach, and I am a big fan of pre-emptive first strike (only as applied to potentially evil email). However, the vast majority of those TLDs will never "go rogue", so I prefer to block on actual abuse (Jason's approach), or likelihood of abuse, specifically, very low cost.
>
> Jason appears to have much higher volume than I do, so he'd be a good source of data for me and others.

we require at least SPF or DNSWL for them instead of an unconditional reject and the reject text contains a link to wikipedia explaining what SPF is

the other part of using that file is to "DUNNO" specific tld's in front of the checks and put a final line into helo-restrictions when no DUNNO at all matched

/.*\.*/ REJECT Unacceptable HELO (Invalid TLD) see https://www.ietf.org/rfc/rfc2821.txt and https://www.ietf.org/rfc/rfc1912.txt

Forwarded Message
Subject: Cron /usr/local/bin/update-spamfilter.sh
Date: Mon, 29 Aug 2016 16:30:03 +0200 (CEST)

UPDATED: /etc/postfix/blacklist_generic_ptr.cf
1484a1485
> /\.eco$/ DUNNO
2375a2377
> /\.vanguard$/ DUNNO
-
UPDATED: /etc/postfix/blacklist_helo.cf
382a383
> /\.eco$/ DUNNO
1273a1275
> /\.vanguard$/ DUNNO
-
UPDATED: /etc/postfix/blacklist_tld.cf
271a272
> /\.eco$/ REJECT Spam-TLD (SPF Required: .eco - see http://en.wikipedia.org/wiki/Sender_Policy_Framework)
904a906
> /\.vanguard$/ REJECT Spam-TLD (SPF Required: .vanguard - see http://en.wikipedia.org/wiki/Sender_Policy_Framework)
-
OK: /usr/bin/systemctl reload postfix.service
Re: Anyone else just blocking the ".top" TLD?
On 08.09.2016 at 10:33, Chip M. wrote:
> On Sat, 09 Jul 2016, jasonsu wrote:
>> Fwiw, atm I block all of the following TLDs ... men, ..
>> That list is auto-generated. Any & all TLDs that have sent > 100 messages within the last year *AND* have a
>
> Great approach Jason! :)
>
> ".men" just recently appeared in my data, and is not showing up on that Surbl tld page. Please do share any more that you notice. :)

just download https://data.iana.org/TLD/tlds-alpha-by-domain.txt in a cronjob, compare it with the last version and re-generate your configs

i get a diff-output per mail each time the mailserver configs are changing
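The cron job described here and the diff output forwarded in the post above it fit together as one procedure: fetch the IANA list, regenerate the pcre maps, report the delta. As an added example (not the poster's update-spamfilter.sh, which is not on the page), here is the generation and comparison step in Python, working on two constructed snapshots of the IANA file so it runs offline; the line formats follow the diff output quoted above. The exemption set for the "SPF required" map is an assumption about how such a script would be written.

```python
"""Regenerate Postfix pcre maps from the IANA TLD list and show what changed.

Added example, not the cron script from the thread. The two list snapshots
are constructed; the map line formats follow the diff output quoted above.
The 'SPF required' map exempts a hand-picked set of long-established TLDs,
which is an assumption about how such a script would be written.
"""
import re

REJECT_TEXT = ("REJECT Spam-TLD (SPF Required: .{tld} - see "
               "http://en.wikipedia.org/wiki/Sender_Policy_Framework)")
CATCH_ALL = ("/.*\\.*/ REJECT Unacceptable HELO (Invalid TLD) see "
             "https://www.ietf.org/rfc/rfc2821.txt and https://www.ietf.org/rfc/rfc1912.txt")


def parse_iana_tlds(text):
    """tlds-alpha-by-domain.txt: header lines start with '#', then one
    upper-case TLD per line. Returned sorted and lower-cased."""
    tlds = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tlds.add(line.lower())
    return sorted(tlds)


def helo_map(tlds):
    """Known TLDs fall through (DUNNO); the final line rejects everything
    else, as in the helo/PTR maps above."""
    return [f"/\\.{re.escape(t)}$/ DUNNO" for t in tlds] + [CATCH_ALL]


def tld_map(tlds, exempt):
    """Conditional REJECT for every TLD not in the exempt set; meant to sit
    after the permit_* SPF/DNSWL checks in the smtpd restriction list."""
    return [f"/\\.{re.escape(t)}$/ " + REJECT_TEXT.format(tld=t)
            for t in tlds if t not in exempt]


def map_changes(old_lines, new_lines):
    """(added, removed) between two generated maps, kept in map order."""
    old, new = set(old_lines), set(new_lines)
    return ([l for l in new_lines if l not in old],
            [l for l in old_lines if l not in new])


# Constructed snapshots of the IANA file (real file is far longer).
OLD_LIST = """\
# Version 2016082800, Last Updated Sun Aug 28 07:07:01 2016 UTC
COM
NET
ORG
TOP
"""
NEW_LIST = OLD_LIST + "ECO\nVANGUARD\n"
EXEMPT = {"com", "net", "org"}   # assumption: established TLDs need no SPF gate

if __name__ == "__main__":
    old, new = parse_iana_tlds(OLD_LIST), parse_iana_tlds(NEW_LIST)
    for name, gen in (("blacklist_helo.cf", helo_map),
                      ("blacklist_tld.cf", lambda t: tld_map(t, EXEMPT))):
        added, removed = map_changes(gen(old), gen(new))
        print("UPDATED:", name)
        for l in added:
            print(">", l)
        for l in removed:
            print("<", l)
```

In a real cron job the fetch is `curl -s https://data.iana.org/TLD/tlds-alpha-by-domain.txt`, the old snapshot is the previously saved copy, and a non-empty delta is what triggers writing the maps, `postfix reload` and the mail you receive. Keep the catch-all as the last line; pcre maps are evaluated top to bottom and stop at the first match.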
Re: postfix reject_unverified_recipient and Exchange 2016
On 07.09.2016 at 11:00, Nicola Piazzi wrote:
> I am off topic if you think that postfix is not spamassassin
> I think that this is not a Microsoft problem because exchange answers correctly to unknown recipients
> I suppose that there is something in the return string that postfix doesn't like

postfix doesn't parse strings, postfix is just interested in the 3-digit response code where 2xx means "OK", 4xx "temporary problem" and 5xx "permanent problem, don't come back"

"250 2.1.5 Recipient OK" is a correct answer to unknown recipients? since when?

> Here Exchange 2016 at port 25 that verifies unknown recipients at DATA phase
>
> telnet 10.1.1.126 25
> 220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
> helo me
> 250 GEMMA.gruppocomet.net Hello [10.2.6.4]
> mail from:e...@ext.com
> 250 2.1.0 Sender OK
> rcpt to:doesntex...@gruppocomet.it
> 250 2.1.5 Recipient OK
Re: postfix reject_unverified_recipient and Exchange 2016
On 07.09.2016 at 10:42, Nicola Piazzi wrote:
> I have a problem using reject_unverified_recipient to verify under Exchange 2016 that I don't have with Exchange 2010

how is that a spamassassin or even postfix related problem?

call the microsoft support and ask why their stuff is playing backscatter in recent versions (as you can see by all the exchange bounces flying around in the web)

there is nothing the delivery software can do when exchange has no clue about its valid rcpt's until it has received and acknowledged the full message instead of just rejecting the rcpt

workaround: list your valid RCPT's directly on your inbound MX and maintain it parallel to exchange

> Postfix is used to send and receive mail and is between the internet and the internal Exchange Server
> Now, when an internet user sends an email to our domain postfix verifies it making an rcptto to our exchange using the reject_unverified_recipient instruction
> This worked well with Exchange 2010 but now with Exchange 2016 doesn't work.
> Exchange 2016 needs the installation of Recipient Filter Agent and obviously I installed it.
> Now we have Frontend Transport that answers at port 25 and verifies recipient at DATA phase and the Hub Transport that answers at port 2525 and verifies recipient at RCPT TO
>
> Here Exchange 2016 at port 25 that verifies unknown recipients at DATA phase
>
> telnet 10.1.1.126 25
> 220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
> helo me
> 250 GEMMA.gruppocomet.net Hello [10.2.6.4]
> mail from:e...@ext.com
> 250 2.1.0 Sender OK
> rcpt to:doesntex...@gruppocomet.it
> 250 2.1.5 Recipient OK
> data
> 354 Start mail input; end with .
> some data
Re: new Mail-SpamAssassin-Plugin-AttachmentPresent
On 06.09.2016 at 23:27, Alex wrote:
>>> Is there any ability to determine if a particular attachment has a Word macro enclosed in addition to just having a Word document?
>>
>> that's the job of clamav and the sa-plugin for it
>>
>> "OLE2BlockMacros yes" in case of a scored SA plugin won't block but add the score of that clamd-instance, for an unconditional block of other things you typically have a clamd-instance with a different config running as unconditional milter
>
> Yeah, that's unacceptable to me. I can't accept obscuring whether a particular attachment has a macro virus and instead just be notified only that it has a macro. That's effectively saying it's necessary to outright block all macros or risk allowing attachments with macro viruses to be passed unencumbered.
>
> I was looking for another way to link macros with spamassassin, as the amavisd/clamd approach is broken.
>
> The reality of the world is:
> 1) block/quarantine/encumber/tag all documents that have a macro.
> 2) allow them thru unencumbered and risk delivering documents that might have a macro virus.
>
> That won't work. I can't tell my users they can no longer receive a significant percentage of Word documents any longer

you do *not* block them outright, you *score* them exactly the same as you asked here:

> Is there any ability to determine if a particular attachment has a
> Word macro enclosed in addition to just having a Word document?

what would be the difference between adding some points in SA for your question above and adding some points because of the clamd instance with scoring?

you just need a second clamd-instance with a different config which doesn't outright block and when you are at it add to *this* clamd instance some sanesecurity junk-rules which are false-positive-prone and hence not useable for direct blocking
Re: new Mail-SpamAssassin-Plugin-AttachmentPresent
On 06.09.2016 at 22:40, Alex wrote:
>>> Is there any ability to determine if a particular attachment has a Word macro enclosed in addition to just having a Word document?
>>
>> that's the job of clamav and the sa-plugin for it
>>
>> "OLE2BlockMacros yes" in case of a scored SA plugin won't block but add the score of that clamd-instance, for an unconditional block of other things you typically have a clamd-instance with a different config running as unconditional milter
>
> Yeah, that's unacceptable to me. I can't accept obscuring whether a particular attachment has a macro virus and instead just be notified only that it has a macro. That's effectively saying it's necessary to outright block all macros or risk allowing attachments with macro viruses to be passed unencumbered

how is "has a Word macro enclosed in addition to just having a Word document" different? it says nothing about virus or not and so "OLE2BlockMacros yes" in the context of scoring doesn't either
Re: new Mail-SpamAssassin-Plugin-AttachmentPresent
On 06.09.2016 at 22:24, Alex wrote:
> Is there any ability to determine if a particular attachment has a Word macro enclosed in addition to just having a Word document?

that's the job of clamav and the sa-plugin for it

"OLE2BlockMacros yes" in case of a scored SA plugin won't block but add the score of that clamd-instance, for an unconditional block of other things you typically have a clamd-instance with a different config running as unconditional milter
Re: What are the T_ rules ?
On 06.09.2016 at 00:14, @lbutlr wrote:
> On 05 Sep 2016, at 13:36, li...@rhsoft.net wrote:
>> but -1.653 is just a bad joke because it means every homeuser which manages to get some DNS records fine (as well as every spammer which registers a ton of domains and cheap hosts) gets a large benefit compared to any professionally maintained server hosting hundreds of domains with responsibility
>
> RP_MATCHES_RCVD scores a -0.1 and T_RP_MATCHES_RCVD scores a -0.0 on my system. I see those scores in emails from 2011.
>
> Don't know where you are finding -1.653, but that is not the score that is getting applied here

/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_scores.cf
score RP_MATCHES_RCVD -1.152 -1.056 -1.152 -1.056

how about running "sa-update"?
Re: What are the T_ rules ?
On 05.09.2016 at 22:03, Ian Zimmerman wrote:
> On 2016-09-05 21:31, Axb wrote:
>> In what file do you see T_RP_MATCHES_RCVD ?
>
> [1+0]~$ cd /usr/share/spamassassin/
> [2+0]spamassassin$ fgrep T_RP_MATCHES_RCVD *
> 72_active.cf:##{ T_RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
> 72_active.cf:header T_RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
> 72_active.cf:describe T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
> 72_active.cf:tflags T_RP_MATCHES_RCVD nice
> 72_active.cf:##} T_RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval

current scores are not below /usr/share/spamassassin since that is *not* touched by sa-update and the last SA update was a year ago
Re: What are the T_ rules ?
On 05.09.2016 at 22:00, Ian Zimmerman wrote:
> On 2016-09-05 12:21, John Hardin wrote:
>> header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
>>
>> ...which means you'd need to go digging around in the perl code to find out what it's doing. Basically, it's a check that the return-path (the SMTP "MAIL FROM" envelope value, if available) matches a received header in the message.
>
> Based on the description string, I think (in fact I hope) that this is not quite right; it's not "matches _a_ Received header" but "matches _the_ Received header emitted by my MX host". It would be a bit too general for my meta rule to rely on it, were it otherwise

it's too general at all, or looking from the other side: why should i get a worse score just because i host 100 domains on my outbound mailserver compared to some jerk which registered "new-spamdomain.tld" and has "new-spamdomain.tld" as PTR until the ISP shuts down his crap spreading junk and malware all day long?

that's one of the rules which deserves nothing else than an informational tag and that won't change
Re: What are the T_ rules ?
On 05.09.2016 at 21:31, Axb wrote:
> 72_scores.cf published by sa-update sets a score:
>
> score RP_MATCHES_RCVD -1.152 -1.653 -1.152 -1.653
>
> Ian, In what file do you see T_RP_MATCHES_RCVD?

*currently* nowhere but -1.653 is just a bad joke because it means every homeuser which manages to get some DNS records fine (as well as every spammer which registers a ton of domains and cheap hosts) gets a large benefit compared to any professionally maintained server hosting hundreds of domains with responsibility

hence everybody in his right mind sets "score RP_MATCHES_RCVD -0.001" in local.cf and that issue is *not* new
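Three different numbers are quoted for the same rule in this thread (-0.1, -1.056, -1.653), and the reason is the four-column form of the `score` line plus the order in which SA reads its config files. As an added example (not SpamAssassin's own code), here is a resolver for the effective score of a rule: it parses `score` lines, picks the column for the active score set (0: no network tests, no Bayes; 1: network only; 2: Bayes only; 3: both), lets a later file such as local.cf override the sa-update rule directory, and applies the documented defaults for unscored rules (1.0, or 0.01 for `T_` rules). The 72_scores.cf line is the one quoted above; the local.cf line is the override suggested in the reply.

```python
"""Resolve the effective score of a SpamAssassin rule across config files.

Added example; not SpamAssassin's own code. The 72_scores.cf line is the one
quoted above, the local.cf override is the one suggested in the reply, and
the defaults (1.0 for unscored rules, 0.01 for T_ rules) follow the
documented 'score' semantics.
"""
import re

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")


def parse_scores(text):
    """'score RULE a [b c d]' -> {rule: [s0, s1, s2, s3]}; a single value
    applies to all four score sets."""
    scores = {}
    for raw in text.splitlines():
        m = SCORE_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        vals = [float(v) for v in m.group(2).split()]
        if len(vals) == 1:
            vals = vals * 4
        if len(vals) != 4:
            raise ValueError(f"bad score line: {raw!r}")
        scores[m.group(1)] = vals
    return scores


def score_set(network_tests, bayes):
    """Score set 0: no network, no Bayes; 1: network only; 2: Bayes only; 3: both."""
    return (1 if network_tests else 0) + (2 if bayes else 0)


def effective_score(rule, files, network_tests=True, bayes=True):
    """files are config texts in the order SA reads them (rule directory
    first, site local.cf last); a later 'score' line for the same rule wins."""
    merged = {}
    for text in files:
        merged.update(parse_scores(text))
    if rule in merged:
        return merged[rule][score_set(network_tests, bayes)]
    return 0.01 if rule.startswith("T_") else 1.0


# The update line quoted above and the local override from the reply.
UPDATE_SCORES = "score RP_MATCHES_RCVD -1.152 -1.653 -1.152 -1.653\n"
LOCAL_CF = "score RP_MATCHES_RCVD -0.001   # local override\n"

if __name__ == "__main__":
    for net, bayes in ((False, False), (True, False), (False, True), (True, True)):
        print("net", net, "bayes", bayes,
              "update only:", effective_score("RP_MATCHES_RCVD", [UPDATE_SCORES], net, bayes),
              "with local.cf:", effective_score("RP_MATCHES_RCVD", [UPDATE_SCORES, LOCAL_CF], net, bayes))
    print("T_RP_MATCHES_RCVD:", effective_score("T_RP_MATCHES_RCVD", [UPDATE_SCORES]))
```

So a site with network tests on but Bayes off is at -1.653, a site with Bayes on but no network tests at -1.152, and one that never ran sa-update and still reads the shipped `/usr/share/spamassassin` rules sees whatever that old file says; `spamassassin -D config --lint 2>&1 | grep -i score` shows which files were actually read on a given host.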
Re: What are the T_ rules ?
On 05.09.2016 at 20:30, Ian Zimmerman wrote:
> Since I have seen other rules in results with the T_ prefix (for example T_DKIM_INVALID) I think it must be some kind of convention with an accepted meaning. What is this conventional meaning, and how do these rules relate to the ones without the T_ prefix?

T_ is testing - stuff which performs questionably for different reasons like T_DKIM_INVALID failing randomly and nobody knows why or rules where nobody is sure about their impact and if it's ok
Re: Local mode with some URI checks. Possible??
On 05.09.2016 at 19:01, Benny Pedersen wrote:
> On 2016-09-05 07:29, Pedro David Marco wrote:
>> My understanding was that "if there is no net flag, then it could work in local mode", but i was wrong..
>
> score rule sets supports no net tests, simply score 0 on net test, and non zero on local tests rule set score

tell him something new

the point is that he wants to disable *all* network tests *except* specific ones without listing all of them explicitly - just because they may change over time after "sa-update" and dependencies of meta-rules are also changing all the time (i know that from experience from the outbound submission-instance which has a ton of rules disabled)

so the answer is just: NO

that's it
Re: Local mode with some URI checks. Possible??
On 04.09.2016 at 11:18, Pedro David Marco wrote:
> i have several reasons to disable all networks checks but some:
>
> 1.- Some checks are done by my own SMTP proxy

since you should anyways have a local caching resolver it doesn't matter to double them and when a message slips through rbl scoring on smtpd it's a good thing to add points in the contentfilter for the listed ones

> 3.- Many RBLs have restrictions for commercial use, and as i want to do fair play i prefer to avoid risks..

skip_rbl_checks 1
skip_uribl_checks 0

or just disable the ones in question

meta __RCVD_IN_SORBS 0
meta __RCVD_IN_ZEN 0
meta __RCVD_IN_DNSWL 0

> *From:* Matus UHLAR - fantomas
> *To:* users@spamassassin.apache.org
> *Sent:* Saturday, September 3, 2016 1:57 PM
> *Subject:* Re: Local mode with some URI checks. Possible??
>
> On 03.09.16 09:32, Pedro David Marco wrote:
>> Thanks Axb, I already did it, but i could not find any reasonable way to disable all networks checks but one...(not to go one by one, i mean)
>
> there's also no reasonable way to disable "all but one" without going one by one.
>
> do you have a real reason to skip all network tests? most of them are very useful to detect spam...
Re: Image spam - FuzzyOCR?
On 01.09.2016 at 12:23, Mauricio Tavares wrote:
> I do agree that the OCR program should be doing the OCR'ing and the text filtering should be left to a program that does that for a living. In the modern, systemd world this is of course an ancient and outdated design philosophy

this is simply *not* true and hence systemd ships a lot of different binaries doing different things and so *clearly* follows the unix philosophy

the only difference is that instead of all these tools living in different upstream repos, maintained by independent teams and hopefully getting adopted properly in case of changes which affect more than one, needed changes are done in the same repo

some people just have the illusion that Lennart Pöttering is the one and only programmer of all these tools - no he is not - the different tools are maintained by different people and just get tightly integrated because they are all talking together and working in the same team instead of different projects fighting against each other in case of problems and pointing to the other tool which is broken
Re: sa-update errors
On 31.08.2016 at 18:22, John Hardin wrote:
> On Wed, 31 Aug 2016, li...@rhsoft.net wrote:
>> On 30.08.2016 at 22:03, John Hardin wrote:
>>> On Tue, 30 Aug 2016, Joseph Brennan wrote:
>>>> We've had errors the past 2 nights for all of the uridnsbl_skip_domain rules. It's just us?
>>>
>>> It's been fixed, waiting for a new update to be generated by masscheck
>>
>> i doubt that the process is working properly or why are the errors after two successful sa-update runs still here?
>>
>> 29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully
>> 30-Aug-2016 01:58:40: SpamAssassin: Update processed successfully
>> 31-Aug-2016 00:49:44: SpamAssassin: Update processed successfully
>>
>> Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain zenithbank.com
>
> I just confirmed that those lines are not in the latest update (1758345, 8/30). Your 8/31 update should not have generated lint errors

should is the correct word!

TODAY with the 9/01 update the lint-warnings are gone and that's what i meant with "i doubt that the process is working properly" when the change itself was done days ago while every day "sa-update" pulled successfully

23-Aug-2016 11:46:53: SpamAssassin: Update processed successfully
24-Aug-2016 00:49:42: SpamAssassin: No update available
25-Aug-2016 00:01:12: SpamAssassin: Update processed successfully
26-Aug-2016 00:27:58: SpamAssassin: Update processed successfully
27-Aug-2016 01:15:48: SpamAssassin: Update processed successfully
28-Aug-2016 00:43:06: SpamAssassin: Update processed successfully
29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully
30-Aug-2016 01:58:40: SpamAssassin: Update processed successfully
31-Aug-2016 00:49:44: SpamAssassin: Update processed successfully
01-Sep-2016 00:35:01: SpamAssassin: Update processed successfully
Re: sa-update errors
On 31.08.2016 at 13:18, Martin Gregorie wrote:
> On Wed, 2016-08-31 at 12:25 +0200, Axb wrote:
>> Blame it on the boogie
>
> Another data point: I haven't seen this problem. I've just searched my
>
> Considering that it doesn't seem to hit everybody, I wonder if it could be software related, i.e. connected with specific Perl package versions. I'm running Fedora 23, fully patched as of last Thursday

Fedora 24 x86_64 fully patched

perl-5.22.2-362.fc24.x86_64 seems to also make errors visible in other places or make already known ones more visible, like undefined vars in case of invalid uribl dns-calls and so on
Re: sa-update errors
On 31.08.2016 at 11:56, Axb wrote:
> On 08/31/2016 11:41 AM, li...@rhsoft.net wrote:
>> however, what annoys me more is that "uridnsbl_skip_domain entries have not yet been removed" and obviously nobody knows why - what if there would be an issue leading to fatal errors for everybody running "sa-update" and nobody has a clue how to get the fix out and when
>
> I don't have a satisfying answer. But maybe somebody else does.
>
> what annoys me is that there's a bunch of uridnsbl_skip_domain entries in 25_uribl.cf and nobody complains

they are not making problems, as also my "/etc/mail/spamassassin/local-06-uridnsbl-skip-domain.cf" without "ifplugin" containing a large list doesn't make any issue

> when some show up in 72_active.cf some systems cough over them and I cannot reproduce it. Seems these are not setups from source and something is getting in the way.
>
> All I can think of is that the missing "ifplugin" caused this. I'll probably never know

if the plugin would be the problem i guess URIBL would not work at all, also see about the 06-uridnsbl-skip-domain.cf above - so the "72_active.cf" issue must be some other problem

however, if it is removed and that removal doesn't appear on setups which did successful "sa-update" calls, that is *a big problem* because it indicates the "sa-update" process is out of control somewhere
Re: sa-update errors
On 31.08.2016 at 11:32, Axb wrote:
> On 08/31/2016 11:25 AM, li...@rhsoft.net wrote:
>> On 31.08.2016 at 11:15, Axb wrote:
>>> On 08/31/2016 10:57 AM, li...@rhsoft.net wrote:
>>>> On 30.08.2016 at 22:03, John Hardin wrote:
>>>>> On Tue, 30 Aug 2016, Joseph Brennan wrote:
>>>>>> We've had errors the past 2 nights for all of the uridnsbl_skip_domain rules. It's just us?
>>>>>
>>>>> It's been fixed, waiting for a new update to be generated by masscheck
>>>>
>>>> i doubt that the process is working properly or why are the errors after two successful sa-update runs still here?
>>>>
>>>> 29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully
>>>>
>>>> Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain zenithbank.com
>>>
>>> Just did a manual sa-update -D while the uridnsbl_skip_domain entries have not yet been removed from 72_active.cf
>>>
>>> I get no "failed to parse line" msgs
>>
>> you get them with "spamassassin --lint" and not due to the update - IMHO the subject of this thread is just wrong
>
> I get no errors with spamassassin --lint or spamassassin --lint -D :-(

however, what annoys me more is that "uridnsbl_skip_domain entries have not yet been removed" and obviously nobody knows why - what if there would be an issue leading to fatal errors for everybody running "sa-update" and nobody has a clue how to get the fix out and when
Re: sa-update errors
On 31.08.2016 at 11:15, Axb wrote: On 08/31/2016 10:57 AM, li...@rhsoft.net wrote: On 30.08.2016 at 22:03, John Hardin wrote: On Tue, 30 Aug 2016, Joseph Brennan wrote: We've had errors the past 2 nights for all of the uridnsbl_skip_domain rules. It's just us? It's been fixed, waiting for a new update to be generated by masscheck i doubt that the process is working properly or why are the errors after two successful sa-update runs still here? 29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully 30-Aug-2016 01:58:40: SpamAssassin: Update processed successfully 31-Aug-2016 00:49:44: SpamAssassin: Update processed successfully Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain zenithbank.com Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain zkb.ch Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain zugerkb.ch Just did a manual sa-update -D while the uridnsbl_skip_domain entries have not yet been removed from 72_active.cf I get no "failed to parse line" msgs you get them with "spamassassin --lint" and not due to the update - IMHO the subject of this thread is just wrong
Re: sa-update errors
On 30.08.2016 at 22:03, John Hardin wrote: On Tue, 30 Aug 2016, Joseph Brennan wrote: We've had errors the past 2 nights for all of the uridnsbl_skip_domain rules. It's just us? It's been fixed, waiting for a new update to be generated by masscheck i doubt that the process is working properly or why are the errors after two successful sa-update runs still here? 29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully 30-Aug-2016 01:58:40: SpamAssassin: Update processed successfully 31-Aug-2016 00:49:44: SpamAssassin: Update processed successfully Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain zenithbank.com Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain zkb.ch Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain zugerkb.ch
Re: sa-update errors
On 30.08.2016 at 21:56, Joseph Brennan wrote: We've had errors the past 2 nights for all of the uridnsbl_skip_domain rules. It's just us? no since there were at least two threads about this topic yesterday, the first by me and AFAIR it should have been fixed last night but wasn't which indicates some problem in the update process when even emergency changes are not pushed reliably (besides they would not be pushed when the mass-check did not have enough samples, but in that case sa-update would not have done anything at all)
Re: Shortcircuit work partially
On 30.08.2016 at 18:54, Kris Deugau wrote: Nicola Piazzi wrote: How to do it synchronously ? It is not important to process a single mail in 5 or 50 seconds for me, it is most important to reduce load DNS lookups have essentially zero cost next to almost anything else SA does when it comes to the daily limit of RBL/URIBL services and for whatever reason you have abnormal peaks of inbound tries "zero cost" turns when you would be able to shortcircuit a majority of the messages i even go so far and say it would be a possible attack when someone floods you with specially composed mails containing a large list of random domains to exceed your URIBL limits and later send the payload where URIBL would have been the anchor to detect it while your shields are just down - in that case you may be able to find some anchor for a meta-rule and block/shortcircuit that stuff but currently it won't avoid the dns lookups
Re: Shortcircuit work partially
On 30.08.2016 at 16:21, Nicola Piazzi wrote: When i shortcircuit a rule not all others are bypassed Here an example ... Local.cf : priority BAYES_ZERO -980 shortcircuit BAYES_ZERO ham the dns stuff is fired asynchronously long before bayes is even evaluated Spam report : -0.03 ABUSIX_PRESENCE Contatto Anti-Abuse presente in abuse-contacts.abusix.org -1.00 BAYES_ZERO Bayes Zero Percento Assoluto 0.10 C_RBL_ANTICAPTCHA Listed in dnsbl.anticaptcha.net 0.10 C_RBL_DNSRBL Listed in DnsRbl.org 0.20 C_RBL_KONSTANT Listed in bl.konstant.no 0.10 C_RBL_MEGARBL Listed in rbl.megarbl.net 0.10 C_RBL_NETUA Listed in dnsbl.net.ua -0.30 C_RBL_NSZONES_WL NSZONES - WhiteList 0.10 C_RBL_SINGULAR Listed in singular.ttk.pte.hu 0.10 C_RBL_SWINOG_SPAM Listed in dnsrbl.swinog.ch. 0.10 C_RBL_UNSUBSCORE Listed in ubl.unsubscore.com -100.00 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule -0.35 URIBL_HOSTKARMA_Y Dominio in HostKarma YellowList
Re: SoughtRules
On 30.08.2016 at 02:45, John Hardin wrote: On Mon, 29 Aug 2016, Anthony Hoppe wrote: I just learned about the sought ruleset via https://wiki.apache.org/spamassassin/ImproveAccuracy. Is this ruleset still actively maintained? I'm considering implementing it in my environment, but want to make sure just in case. Sadly, no. I think it's been at least a couple of years since they were regenerated but they still hit junkmails and are even part of the fedora default install pulled with the first "sa-update" rpm -q --file /etc/mail/spamassassin/channel.d/sought.conf spamassassin-3.4.1-9.fc24.x86_64 cat /etc/mail/spamassassin/channel.d/sought.conf # http://wiki.apache.org/spamassassin/SoughtRules CHANNELURL=sought.rules.yerp.org KEYID=6C6191E3 # Ignore everything below. return 0
lint fails: /var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf
something with that "sandbox" seems to be wrong ##} uridnsbl_skip_domain_sandbox the cron-mail below is from the daily "spamassassin --lint" for all spamd instances and is way longer than below Forwarded message Subject: /usr/local/bin/spamfilter-check-config.sh Date: Mon, 29 Aug 2016 02:30:04 +0200 (CEST) From: (Cron Daemon) Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain 1stnationalbank.com Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain 365online.com Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain 53.com Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain abl.com.pk Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain accessbankplc.com Aug 29 02:30:04.230 [29063] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain adib.ae
Re: New Install - Tons of Spam Getting Through
On 18.08.2016 at 21:08, Jerry Malcolm wrote: On 8/18/2016 1:50 PM, li...@rhsoft.net wrote: On 18.08.2016 at 20:48, Jerry Malcolm wrote: This is encouraging. I looked up how to set recursion in Bind. It looks like it just requires adding a field to the options: |allow-recursion { any; }; |But it lists other options such as allow-query, allow-query-cache, etc. Is recursion the only one that might be affecting SA? Or should I enable other options? sorry but *no* it means nothing else than *remove* any forwarding statements the stuff above is just to limit which clients are allowed to make recursive queries Hmm. I do not have any forwarding statements. Is there a way via command line (e.g. nslookup, etc) that I can determine if BIND is recursing or forwarding? I assume that might be in the SA report header. But see my previous response that I can't seem to ever get report headers... Yuck... on a proper operating system i would ask for the content of /etc/resolv.conf - nobody but you can find out which nameserver your SA is using and how this nameserver is configured just because you are running named on your box doesn't mean this is the nameserver applications running on this host are using
Re: New Install - Tons of Spam Getting Through
On 18.08.2016 at 21:05, Jerry Malcolm wrote: I see the local.cf file, it is already configured with 'all report'. But I looked at a msg that was flagged as spam. It doesn't have a report header either. I guess it's possible that the JAMES invoker mailet is stripping the headers. But I don't see any obvious code that appears to be removing headers. Are there any other options that might be controlling whether SA adds that header? you *really* should ask somewhere at a james-list and re-consider using a MTA practically nobody knows as well as some "out-of-the-box" stuff and then run on a windows server you have a 1-out-of-10 setup at best!
Re: New Install - Tons of Spam Getting Through
On 18.08.2016 at 20:48, Jerry Malcolm wrote: This is encouraging. I looked up how to set recursion in Bind. It looks like it just requires adding a field to the options: |allow-recursion { any; }; |But it lists other options such as allow-query, allow-query-cache, etc. Is recursion the only one that might be affecting SA? Or should I enable other options? sorry but *no* it means nothing else than *remove* any forwarding statements the stuff above is just to limit which clients are allowed to make recursive queries
Re: New Install - Tons of Spam Getting Through
On 18.08.2016 at 20:27, Jerry Malcolm wrote: On 8/18/2016 1:17 PM, li...@rhsoft.net wrote: On 18.08.2016 at 20:10, Jerry Malcolm wrote: Here is a pastebin.com link to an example uncaught spam message. SA scored it a 4.7. http://pastebin.com/T1CfVgP4 useless without any headers which would show the matching rules including major mistakes like URIBL_BLOCKED but even passing that "non-email" to SA would hit URIBL_ABUSE_SURBL, PYZOR_CHECK, URIBL_DBL_SPAM, URIBL_BLACK and URIBL_SBL_A so i guess you are using some DNS forwarder which does *not* work for an inbound spamfilter I haven't figured out a way to get Thunderbird to allow me to copy/paste the headers seriously? "view -> source code" or however the menus are called in english
Re: New Install - Tons of Spam Getting Through
On 18.08.2016 at 20:18, Jerry Malcolm wrote: This is the X-Spam-Status header I got back on an uncaught spam. No, hits=0.3 required=5.0. The spam was selling an all-in-one charger we need the *report* header What kind of DNS issues? I lease a server from Peer1 and use their name servers. don't do that - just install a *recursing* local resolver like unbound and point only to 127.0.0.1 - anything else won't work for an inbound mailserver because you hit RBL limits when you share the nameserver with an unknown amount of other people
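A check for the /etc/resolv.conf question raised in this thread, added here as an example and not part of the original messages: it parses a resolv.conf and flags every nameserver that is not a loopback address, since those are the shared resolvers whose RBL/URIBL limits you hit. The two resolv.conf texts are constructed samples.

```python
import ipaddress

# Constructed sample resolv.conf contents (not taken from the original thread).
RESOLV_CONF_LEASED_SERVER = """\
# generated by the hosting provider
search example.net
nameserver 192.0.2.53
nameserver 192.0.2.54
"""

RESOLV_CONF_LOCAL_RESOLVER = """\
nameserver 127.0.0.1
options timeout:2
"""


def nameservers_from_resolv_conf(text):
    """Return the nameserver entries in resolv.conf order, skipping comments."""
    servers = []
    for line in text.splitlines():
        # resolv.conf treats both '#' and ';' as comment introducers
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def shared_nameservers(text):
    """Return the configured nameservers that are not loopback addresses.

    A spam filter pointed at any of these shares the querying address, and
    therefore the DNSBL/URIBL usage limits, with everyone else using that
    resolver; that is the setup that ends in URIBL_BLOCKED.
    """
    shared = []
    for ns in nameservers_from_resolv_conf(text):
        try:
            # strip an IPv6 zone id such as "%eth0" before parsing
            addr = ipaddress.ip_address(ns.split("%", 1)[0])
        except ValueError:
            shared.append(ns)  # unparseable entry: flag it rather than trust it
            continue
        if not addr.is_loopback:
            shared.append(ns)
    return shared


def resolver_is_local(text):
    """True only if at least one nameserver is configured and all are loopback."""
    servers = nameservers_from_resolv_conf(text)
    return bool(servers) and not shared_nameservers(text)


if __name__ == "__main__":
    for name, conf in (("leased", RESOLV_CONF_LEASED_SERVER),
                       ("local", RESOLV_CONF_LOCAL_RESOLVER)):
        print(name, "local resolver:", resolver_is_local(conf),
              "shared:", shared_nameservers(conf))
```

This only tells you which resolver the host actually uses; for a nameserver on 127.0.0.1 you still have to confirm in its own configuration that it has no forwarders.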
Re: New Install - Tons of Spam Getting Through
On 18.08.2016 at 20:10, Jerry Malcolm wrote: Here is a pastebin.com link to an example uncaught spam message. SA scored it a 4.7. http://pastebin.com/T1CfVgP4 useless without any headers which would show the matching rules including major mistakes like URIBL_BLOCKED but even passing that "non-email" to SA would hit URIBL_ABUSE_SURBL, PYZOR_CHECK, URIBL_DBL_SPAM, URIBL_BLACK and URIBL_SBL_A so i guess you are using some DNS forwarder which does *not* work for an inbound spamfilter
Re: DKIM Score
On 16.08.2016 at 22:04, Benny Pedersen wrote: On 2016-08-16 21:52, li...@rhsoft.net wrote: On 16.08.2016 at 21:31, Benny Pedersen wrote: On 2016-08-16 13:57, RW wrote: whitelist_from_dkim *@example.com *@example.net should be separated lines why? read perldoc read spamassassin docs WHITELIST AND BLACKLIST OPTIONS Whitelist and blacklist addresses are now file-glob-style patterns, so fri...@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, * and ? are allowed, but all other metacharacters are not. Regular expressions are not used for security reasons. Multiple addresses per line, separated by spaces, is OK. Multiple whitelist_from lines is also OK. blacklist_from *@example.com *@example.net can't remember if that can be one line as all whitelist_ and blacklist_ *it can* so what is your point? read perldoc read spamassassin docs unwhitelist_from_rcvd a...@ress.com Used to override a default whitelist_from_rcvd entry, so for example a distribution whitelist_from_rcvd can be overridden in a local.cf file, or an individual user can override a whitelist_from_rcvd entry in their own user_prefs file. The specified email address has to match exactly the address previously used in a whitelist_from_rcvd line. e.g. unwhitelist_from_rcvd j...@example.com f...@example.com unwhitelist_from_rcvd *@axkit.org
Re: DKIM Score
On 16.08.2016 at 21:31, Benny Pedersen wrote: On 2016-08-16 13:57, RW wrote: whitelist_from_dkim *@example.com *@example.net should be separated lines why? blacklist_from *@example.com *@example.net can't remember if that can be one line as all whitelist_ and blacklist_ *it can* so what is your point?
Re: DKIM Score
On 16.08.2016 at 10:47, Chris Lee wrote: Suppose there is a user someb...@example.com who is on vacation and using a 3rd party SMTP server (w/o DKIM) for sending email. I want to temporarily whitelist it to bypass DKIM checking. he MUST NOT do that and so there is no justification to handle whatever random server differently because it sends technically forged mail of a foreign domain - i would say BLACKLIST that server because it allows a random and foreign envelope-sender would be the way to go instead of whitelisting it
Re: DKIM Score
On 16.08.2016 at 10:30, Kevin Golding wrote: Probably even more of a performance nightmare, but possibly easier to maintain could be something like: header __FROM_EXAMPLECOM From:addr =~ /\@(example\.com)$/i header __FROM_EXAMPLEORG From:addr =~ /\@(example\.org)$/i header __FROM_EXAMPLENL From:addr =~ /\@(example\.nl)$/i meta __DKIM_REQUIRED ( __FROM_EXAMPLECOM || __FROM_EXAMPLEORG || __FROM_EXAMPLENL ) horrible to maintain - normally you generate that with a script and so you can in php (as example) simply implode('|', $list) to fill the regex (make sure anything is properly escaped before) /\@(example\.com|example\.org|example\.net)$/i
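An added example (not code from the thread) covering both the generated From:addr rule above and the whitelist_from pattern semantics quoted earlier in this thread: the domain list is escaped before being joined into the alternation, and a whitelist pattern is translated so that only * and ? act as wildcards while every other character matches literally. The domain list and the rule name are constructed.

```python
import re

# Constructed sample input: the domains whose mail must carry a valid DKIM signature.
DKIM_REQUIRED_DOMAINS = ["example.com", "example.org", "example.nl"]


def build_from_domain_regex(domains):
    """Build the regex body for a SpamAssassin 'header ... From:addr =~' rule.

    Every domain goes through re.escape before the join, so a '.' cannot
    match an arbitrary character and no other metacharacter leaks into the
    alternation (the 'make sure anything is properly escaped' step).
    """
    alternation = "|".join(re.escape(d) for d in sorted(set(domains)))
    return r"\@(" + alternation + r")$"


def build_dkim_required_rule(domains, rule_name="__DKIM_REQUIRED"):
    """Emit one generated header rule instead of one rule per domain plus a meta."""
    return f"header {rule_name} From:addr =~ /{build_from_domain_regex(domains)}/i\n"


def from_addr_matches(domains, addr):
    """Evaluate the generated regex the way the /i rule would."""
    return re.search(build_from_domain_regex(domains), addr, re.IGNORECASE) is not None


def whitelist_glob_to_regex(pattern):
    """Translate a whitelist_from style pattern into an anchored regex.

    Only '*' and '?' are wildcards, as the SpamAssassin docs quoted in this
    thread state; everything else, '.' included, is matched literally.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def whitelist_matches(patterns, addr):
    """True if addr matches any of the space-separated patterns on one line."""
    return any(re.match(whitelist_glob_to_regex(p), addr, re.IGNORECASE)
               for p in patterns.split())


if __name__ == "__main__":
    print(build_dkim_required_rule(DKIM_REQUIRED_DOMAINS), end="")
    print(whitelist_matches("*@example.com *@example.net", "bob@example.net"))
```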
Re: google spamming ?
On 15.08.2016 at 15:47, Benny Pedersen wrote: On 2016-08-15 15:30, Joe Quinn wrote: If you reported it already, why are you still asking how? not possible for me to run spamassassin -r here one more reason to not post to *this list* at all, instead a) complain at rspamd and b) ask how the replacement for "spamassassin -r" is called if one exists anyways the tags without message headers are not helpful since "google" can mean all or nothing from free gmail to googlegroups, youtube and dozens of other subdomains and if you "want to share" you need at least to share the whole message so that anybody can compare it with SA the initial post as it was made is useless and in fact SPAM itself
Re: google spamming ?
On 15.08.2016 at 15:21, Benny Pedersen wrote: On 2016-08-15 15:16, Joe Quinn wrote: Have you tried asking on either the rspamd or dnswl mailing lists? why should i waste my time with it ? i have reported spam to dnswl why do you waste *our* time with it? when you switch from SA to rspamd then switch sending your contentfilter related stuff to the rspamd list instead of the SA list - common sense - that's it
Re: [SOLVED] R: A plugin to legitimate email when SPF and DKIM missing
On 10.08.2016 at 12:00, Nicola Piazzi wrote: I wrote this simple plugin, mxpf This plugin searches the B class of the sender IP address and tries to match the B class of any IP of the MX records of the declared domain So when it matches it is very difficult that the sender is a spoofed domain, you can use MXPF_PASS to combine with other rules in addition to SPF_PASS 1) Unpack mxpf.cf and mxpf.pm under /etc/mail/spamassassin dir 2) put your score in mxpf.cf Download here : https://forum.efa-project.org/viewtopic.php?f=14=1777 that looks really good one piece missing - something like "whitelist_mx" working the same way as "whitelist_auth" to combine it with shortcircuit to complement whitelist by spf with that for senders you trust but don't have SPF/DKIM for whitelist_auth whitelist_mx sen...@domain.tld whitelist_mx *@domain.tld
Re: A plugin to legitimate email when SPF and DKIM missing
On 09.08.2016 at 18:08, Kevin Golding wrote: Based on what you're trying to do: man dig doesn't help, see below or depending on your resolver possibly: man drill doesn't help, see below Whilst I agree it is slightly more effort to set-up whitelisting by looking up the details first it would still be far more resource efficient on your servers that doesn't catch the problem if the MX changes that you need to permanently watch your "whitelist_from_rcvd" and maintain them his point is pretty sure that he wants to be able to rely on the sender's DNS like whitelisting by DKIM or SPF does given the amount of DNS records in summary (RBL, URIBL, DKIM, SPF) that single one is not a topic for "more resource efficient" and in any case outweighs the maintenance burden of "whitelist_from_rcvd" lines
Re: A plugin to legitimate email when SPF and DKIM missing
On 09.08.2016 at 17:39, RW wrote: On Tue, 9 Aug 2016 15:19:08 + Nicola Piazzi top-posted: I don't know if you want to find a solution or if you want to say why i am searching one. Reason is this : I have SPF_PASS, a variable that tells me that who sends is proprietary of that domain I KNOW PERFECTLY THAT SOMEONE CAN TELL SPAM WITH A PURCHASED REGULAR NON SPOOFED DOMAIN But I can combine SPF_PASS with a list of email address, for example, but not all put SPF in dns, so with MX I have another chance I'm confused now because "combine SPF_PASS with a list of email address" sounds like whitelisting, which is something you implied you didn't want to do when whitelist_from_rcvd was mentioned the hostname of the sending machine may change - the fact that it's the MX is likely more stable even when the ISP gets changed - in case an IP has more than one PTR (happens often) or becomes a second one you need to whitelist all of them - the question "is this ip listed as MX" stays stable
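An added example of the mxpf idea described in this thread (not the plugin's own code): the /16 comparison of the sender IP against the addresses of the declared domain's MX hosts, next to the exact "is this IP listed as MX" check. The MX and A records are a constructed table standing in for live DNS lookups; the MXPF_EXACT name and the IPv6 prefix length are assumptions of this example.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (not from the plugin):
# MX hostnames per sender domain and the addresses those hosts resolve to.
MX_RECORDS = {
    "example.com": ["mx1.example.com", "mx2.example.com"],
    "example.org": ["mail.example.org"],
}
A_RECORDS = {
    "mx1.example.com": ["192.0.2.10"],
    "mx2.example.com": ["192.0.2.20", "2001:db8:1::25"],
    "mail.example.org": ["198.51.100.5"],
}


def mx_addresses(domain, mx_records=MX_RECORDS, a_records=A_RECORDS):
    """All addresses of a domain's MX hosts (empty if the domain has no MX)."""
    addrs = []
    for host in mx_records.get(domain.lower(), []):
        addrs.extend(ipaddress.ip_address(a) for a in a_records.get(host, []))
    return addrs


def sender_is_mx(sender_ip, domain, **dns):
    """Exact check: is the connecting IP one of the domain's MX addresses?"""
    return ipaddress.ip_address(sender_ip) in mx_addresses(domain, **dns)


def mxpf_pass(sender_ip, domain, v4_prefix=16, v6_prefix=48, **dns):
    """The mxpf rule: the sender shares a prefix with some MX address of its domain.

    The plugin compares the IPv4 "B class", i.e. a /16; the /48 used for IPv6
    is an assumption, since the thread only talks about IPv4 prefixes.
    """
    ip = ipaddress.ip_address(sender_ip)
    for mx in mx_addresses(domain, **dns):
        if mx.version != ip.version:
            continue
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        if ip in ipaddress.ip_network(f"{mx}/{prefix}", strict=False):
            return True
    return False  # no MX at all, or none in the same prefix


def mxpf_rule_hits(sender_ip, domain, **dns):
    """Rule names a plugin could set: MXPF_PASS for the prefix match and a
    hypothetical MXPF_EXACT when the sender really is one of the MX hosts."""
    hits = []
    if sender_is_mx(sender_ip, domain, **dns):
        hits.append("MXPF_EXACT")
    if mxpf_pass(sender_ip, domain, **dns):
        hits.append("MXPF_PASS")
    return hits


if __name__ == "__main__":
    for ip in ("192.0.2.20", "192.0.2.77", "203.0.113.9"):
        print(ip, "example.com", mxpf_rule_hits(ip, "example.com"))
```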