Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net



On 23.09.2016 at 20:30, John Hardin wrote:

On Fri, 23 Sep 2016, li...@rhsoft.net wrote:


On 23.09.2016 at 05:24, John Hardin wrote:

On Thu, 22 Sep 2016, Thomas Barth wrote:

On 21.09.2016 at 16:13, li...@rhsoft.net wrote:

URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get
results from a lot of blacklists

fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver

I found an instruction here for a debian system
https://manageacloud.com/configuration/local_dns_caching

Seems to work local dns caching but I don't understand why I shouldn't
use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001

 Lists shouldn't have said "caching", that confuses the issue. Caching
 and recursion are two different, unrelated pieces.


seriously?


Yes. I have found that when providing advice, if you provide extraneous
details quite often people will focus on them rather than the important
points.


hence the bold *no forwarding*


"with *no forwarding*" is not clear enough that one comes two days
later with a dnsmasq setup using opendns as forwarders where in fact i
explicitly said


If they focused on "use a local caching resolver", sure. Obviously


sorry, but zero understanding

if someone is smart enough to know what to do the problem would not
exist at all - if someone thinks he is so smart that he can stop reading
in the middle of a single sentence without trying to understand it, it's a
clear case of "damned, don't manage any server connected to the internet"


AT LEAST when it still does not work after doing something random i expect
someone to step back and *read the whole fucking sentence* before writing a
new mail "did this and that but still doesn't work"


Re: DNS Terminology

2016-09-23 Thread li...@rhsoft.net



On 23.09.2016 at 19:57, RW wrote:

On Fri, 23 Sep 2016 13:13:19 -0400
Sean Greenslade wrote:


On Fri, Sep 23, 2016 at 05:03:00PM +0100, RW wrote:

I've been wondering whether recursive is actually the correct term.

As I understand it there are two types of DNS lookup:

  1. Iterative - where results are found by working down through
  multiple servers from the root servers.

  2. Recursive - where a request is made to a single nameserver
which handles the whole look-up on behalf of a client.

What this turns on is whether a forwarding server is a distinct
class of nameserver or a type of recursive server. I think the
latter is most logical, since both provide a recursive interface.
Definitions of the term "recursive server" that I've seen contrast
it only with "authoritative server".

One thing is certain, what you want is a name server that does
*iterative* lookups.


A forwarding server is a recursive server. The two are more or less
synonymous. Both iterative and recursive servers may or may not cache
their results to speed up future queries for the same information.


A nameserver that does iteration is definitely a recursive server. To
say that "recursive server" and "forwarding server" are more or less
synonymous is wrong


well, that whole stuff is discussed way too complex here

your nameserver can do recursion, be authoritative for own zones and
forwarder for specific zones at the same time - the only relevant point
is that it doesn't forward DNSBL/DNSWL/URIBL relevant questions to a
shared nameserver outside your network - that's it


in the context of an inbound mailserver (for anything you don't host on your
machines) it's just as simple as:


* if your DNS is asking another DNS you defined you are doing it wrong
* if your DNS configuration contains another dns server it's wrong
* if your DNS server like dnsmasq looks in /etc/resolv.conf it's crap

the one and only exception are large networks where you have a central
caching server doing recursion and on the other nodes you have this
machine as forwarder, but if you are in such an environment you
hopefully understand dns basics anyways
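
An added example, not from the thread: a small Python audit of the files that decide where a mail gateway's DNS queries go. It encodes the three rules above (nothing but loopback in /etc/resolv.conf, no global forwarders in dnsmasq or unbound, and dnsmasq itself flagged because it can only forward) and is run against two constructed configurations: the dnsmasq-with-OpenDNS setup posted in the thread, and an unbound that recurses itself and only forwards one internal zone, which is the "large network" style exception. The unbound path and fragment are assumptions, not anything from the thread.

```python
import ipaddress
import re
import shlex

# Constructed input: the dnsmasq setup posted in the thread. The system
# resolver points at 127.0.0.1, but dnsmasq hands every query to OpenDNS.
FORWARDING_SETUP = {
    "/etc/resolv.conf": "nameserver 127.0.0.1\n",
    "/etc/resolv.dnsmasq": "nameserver 208.67.222.222\nnameserver 208.67.220.220\n",
    "/etc/default/dnsmasq": 'DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"\n',
}

# Constructed input (assumed path and content): unbound recursing from the
# root hints and forwarding only an internal zone, which never carries
# DNSBL/URIBL lookups.
RECURSIVE_SETUP = {
    "/etc/resolv.conf": "nameserver 127.0.0.1\n",
    "/etc/unbound/unbound.conf": (
        "server:\n    interface: 127.0.0.1\n"
        "forward-zone:\n    name: \"corp.example\"\n    forward-addr: 10.0.0.53\n"
    ),
}


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False


def _nameservers(text):
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)


def _dnsmasq_opts(text):
    """Upstream files (-r/--resolv-file) and servers (-S/--server) from DNSMASQ_OPTS."""
    m = re.search(r"^\s*DNSMASQ_OPTS=(.*)$", text, re.M)
    if not m:
        return [], []
    opts = shlex.split(m.group(1).strip().strip("\"'"))
    files, servers = [], []
    for i, opt in enumerate(opts):
        nxt = opts[i + 1] if i + 1 < len(opts) else None
        if opt == "-r" and nxt:
            files.append(nxt)
        elif opt.startswith("--resolv-file="):
            files.append(opt.split("=", 1)[1])
        elif opt == "-S" and nxt:
            servers.append(nxt)
        elif opt.startswith("--server="):
            servers.append(opt.split("=", 1)[1])
    return files, servers


def audit_resolver(files):
    """Return findings for the DNS setup of an inbound mail gateway.
    An empty list means no forwarding to a shared resolver was found."""
    findings = []

    for ns in _nameservers(files.get("/etc/resolv.conf", "")):
        if not _is_loopback(ns):
            findings.append(f"/etc/resolv.conf: all lookups go to shared nameserver {ns}")

    dnsmasq_paths = [p for p in files if p in ("/etc/dnsmasq.conf", "/etc/default/dnsmasq")
                     or p.startswith("/etc/dnsmasq.d/")]
    if dnsmasq_paths:
        findings.append("dnsmasq is installed: it can only forward, never recurse from the roots")
    upstream_files, servers = [], []
    for path in dnsmasq_paths:
        text = files[path]
        if path == "/etc/default/dnsmasq":
            f, s = _dnsmasq_opts(text)
            upstream_files += f
            servers += [(path, ip) for ip in s]
        else:
            # global server=1.2.3.4 lines; per-zone server=/zone/ip is not flagged
            servers += [(path, ip) for ip in re.findall(r"^\s*server=([^/\s#]+)", text, re.M)]
            upstream_files += re.findall(r"^\s*resolv-file=(\S+)", text, re.M)
    for path, ip in servers:
        findings.append(f"{path}: dnsmasq forwards all queries to {ip}")
    for up in upstream_files:
        for ns in _nameservers(files.get(up, "")):
            if not _is_loopback(ns):
                findings.append(f"{up}: dnsmasq forwards all queries to {ns}")

    for path, text in files.items():
        if "unbound" not in path:
            continue
        for block in re.split(r"^\s*forward-zone:", text, flags=re.M)[1:]:
            name = re.search(r'name:\s*"?([^"\s]+)', block)
            addrs = re.findall(r"forward-addr:\s*(\S+)", block)
            if name and name.group(1) == ".":
                findings.append(f"{path}: unbound forwards the whole namespace to {', '.join(addrs)}")
    return findings
```

Running audit_resolver(FORWARDING_SETUP) yields three findings (dnsmasq present, plus one per OpenDNS address it forwards to), while RECURSIVE_SETUP yields none: the 127.0.0.1 in /etc/resolv.conf is the same in both, which is exactly why that line alone proves nothing.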


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net



On 23.09.2016 at 10:43, Thomas Barth wrote:



On 23.09.2016 at 10:25, li...@rhsoft.net wrote:



On 22.09.2016 at 21:58, Bowie Bailey wrote:

On 9/22/2016 3:40 PM, Thomas Barth wrote:


On 21.09.2016 at 16:13, li...@rhsoft.net wrote:

fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver


for me that topic is finished - sorry but it needs to be said clear: you
are not capable of running a mailserver because you are not even capable of
reading what you quote


mimimi


instead of making sarcastic comments better explain what exactly you did
not understand in "use a local caching resolver with *no forwarding* and
if you are using dnsmasq just don't do that for an inbound mailserver"
that you have nothing better to do than setup dnsmasq with 4 forwarders
followed by complaining "now i have done that but URIBL_BLOCKED is still there"


that was one single line containing:
* don't use dns forwarding
* don't use dnsmasq (because it can only do forwarding)



Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net



On 22.09.2016 at 21:58, Bowie Bailey wrote:

On 9/22/2016 3:40 PM, Thomas Barth wrote:


On 21.09.2016 at 16:13, li...@rhsoft.net wrote:

fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver


for me that topic is finished - sorry but it needs to be said clear: you
are not capable of running a mailserver because you are not even capable of
reading what you quote


i said don't use dnsmasq for that task because i know that it can only
forward - i said don't use any forwarding - what are you doing days
later: seek the first best howto explaining you how to install dnsmasq
and blow 4 forwarders in the configuration which is the opposite of
what you have been told


and i had a reason saying *no forwarding* instead of talking about
dns-recursion because i am out of energy trying to explain the next 3
days what recursion is and seek links and docs to make a dns basic
education which is your homework before you start to setup servers



I found an instruction here for a debian system

https://manageacloud.com/configuration/local_dns_caching

/etc/resolv.conf
nameserver 127.0.0.1

/etc/resolv.dnsmasq
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 208.67.222.220
nameserver 208.67.220.222

/etc/default/dnsmasq
DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"

But it is using dnsmasq for local dns caching. I've configured it, but
I still see URIBL_BLOCKED=0.001 in a mail header


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net



On 23.09.2016 at 05:24, John Hardin wrote:

On Thu, 22 Sep 2016, Thomas Barth wrote:

On 21.09.2016 at 16:13, li...@rhsoft.net wrote:


URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get
results from a lot of blacklists

fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver


I found an instruction here for a debian system

https://manageacloud.com/configuration/local_dns_caching

Seems to work local dns caching but I don't understand why I shouldn't
use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001


Lists shouldn't have said "caching", that confuses the issue. Caching
and recursion are two different, unrelated pieces.


seriously?

"with *no forwarding*" is not clear enough that one comes two days later
with a dnsmasq setup using opendns as forwarders where in fact i
explicitly said


"fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver"



As far as I understand it, dnsmasq cannot be used for local recursion


yes, and hence in my original mail you are partly quoting i stated don't
use that crap, see above


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 21:40, Thomas Barth wrote:

URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get
results from a lot of blacklists

http://uribl.com/refused.shtml

fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver



I found an instruction here for a debian system

https://manageacloud.com/configuration/local_dns_caching

/etc/resolv.conf
nameserver 127.0.0.1

/etc/resolv.dnsmasq
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 208.67.222.220
nameserver 208.67.220.222

/etc/default/dnsmasq
DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"

But it is using dnsmasq for local dns caching. I've configured it, but I
still see URIBL_BLOCKED=0.001 in a mail header


because it is nonsense

the point is not that you use 127.0.0.1 as dns server - the point is
that *nobody else* is using that dns server - i doubt that you are the
only person on this planet using the 208.67.xx.xx opendns servers


frankly - get the basics!


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 12:59, Thomas Barth wrote:

On 22.09.2016 at 12:41, li...@rhsoft.net wrote:


I've installed clamav-unofficial-sigs by debian package. If this is not
working good enough I will try the installation I found here:
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL



dunno - and it's off-topic here - we use own scripts to update the
signatures and that stuff is caught by
http://sanesecurity.com/foxhole-databases/

may i ask why you put such an unfinished and in many ways untested setup
in production?



The mailservers are ready and work very good but can be improved. And I
only improve them when there is a need to do it. If there is a spam mail
going through again, I'm going the next step ;-)


i see - that's good that you add poison pill rules for message-id and
similar because the other parts, even very basic ones, are not working
and scores are not adjusted while the SA header tells you exactly your
problems to catch things :-)


but do what you want


I don't know what is in the zip file. I just have a compressed copy of
the mail. I tried to save the content of the zip boundary part in a zip
file but I get a loading error when opening the zip file.


what are you doing?


When you ever have parsed emails for content then you would know that
you can extract parts of raw mails to specific file types and open
them. I don't know why I get an error this time, but don't have time to find
an answer now.


i know more about email than you think but that's no reason for wasting
time when you can just drag a message to a mail client as you are saying
by yourself "don't have time"


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 12:32, Thomas Barth wrote:



On 22.09.2016 at 11:50, li...@rhsoft.net wrote:



On 22.09.2016 at 11:36, Benny Pedersen wrote:

On 2016-09-22 10:16, Thomas Barth wrote:


The content of the mail is:



--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"


what's in this zip file?


malware as in all attachments from this type of spam, easy to detect
by clamd with sanesecurity signatures


I've installed clamav-unofficial-sigs by debian package. If this is not
working good enough I will try the installation I found here:
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL


dunno - and it's off-topic here - we use own scripts to update the
signatures and that stuff is caught by
http://sanesecurity.com/foxhole-databases/


may i ask why you put such an unfinished and in many ways untested setup
in production?



I don't know what is in the zip file. I just have a compressed copy of
the mail. I tried to save the content of the zip boundary part in a zip
file but I get a loading error when opening the zip file.


what are you doing?

uncompress the mail and drag the raw-mail with .eml extension into
thunderbird from where you can simply save the attachment instead of
grabbing around manually in multipart-mails



I suppose it contains a javascript file (name.pdf.js)


or .wsf/.exe/.jar and so on - they are changing all the time


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 11:36, Benny Pedersen wrote:

On 2016-09-22 10:16, Thomas Barth wrote:


The content of the mail is:



--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"


what's in this zip file?


malware as in all attachments from this type of spam, easy to detect
by clamd with sanesecurity signatures


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 10:16, Thomas Barth wrote:

On 21.09.2016 at 18:47, Bowie Bailey wrote:


That is ridiculous.  The more training bayes gets the better it works.
And manual training is better than autolearning because autolearning can
automatically learn false positives and false negatives and cause
problems for the database.


And what about filter poisoning? In the last 10 hours my company address
got 43 mails classified as spam (even a virus mail detected today). And
there was one mail classified as spam due to my rule (bad country,
message-id).

Dear so,

Your payment has been approved. Your account will be debited within two
days.

You can email us for any query regarding your account.

Thank you.

Lupe Monroe
Support


There is no spam content, am I right? Normal words and content that a
normal person can use. I don't need spam learning for all the mails
already classified as spam with high score. Spam with low score are
interesting for spam learning like this one. But when I use these mails
for spam learning there is a risk of false positive some day, because it
has learned that normal mails are also spam?


no you are not right - that *is spam content* and has nothing to do with
bayes poisoning - in fact those are malware messages - known by our
bayes for at least 12 months and already BAYES_99 stuff will not be trained


it's the job of the bayes filter to find the minimal but existing 
differences and mistakes between that and similar ham and *hence* 
autolearning won't work in general because you need still to decide and 
classify the border cases


bayes poisoning can become a problem and is *another* reason why you
train your filter manually instead of letting it decide itself and if it once
decided wrong learn more and more in the wrong direction


but that above is NOT bayes poisoning


Re: Digest::SHA1 module is required by the Razor2 plugin

2016-09-21 Thread li...@rhsoft.net



On 21.09.2016 at 23:36, RW wrote:

On Wed, 21 Sep 2016 10:54:32 +0200
li...@rhsoft.net wrote:

surely - while DCC is not a spam sign by its descriptions
razor/pyzor *are* and they have nothing in common with DNSBL/URIBL

they are *content digest*


Actually razor is pretty close to a URIBL, now that only engine 8 is
supported by Cloudmark.

It's based on a combination of URI domain name and text size,  so you
only get a hit if a domain has been reported inside a similarly sized
mime section


and even if it's only a URIBL - different blacklists have different
traps, reportings etc. leading to different times where new stuff is
listed - that's the whole point of having not only one source for
classification and why you have DNSWL as positive weight in the mix to
get a balanced total score


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net



On 21.09.2016 at 18:28, Thomas Barth wrote:

On 21.09.2016 at 18:00, li...@rhsoft.net wrote:


the problem of the OP is that he starts things the other way round and
first rejects without good evidence and doesn't have anything to make the
system bullet proof because it's rejected


I remembered that I read a book about Postfix with the topic "Training
with SpamAssassin". And the author was against additional training. The
more you train the worse the result. With the motto "I cook an egg for
more than 15 minutes, but it is still hard." There are other arguments for
not autolearning, but my english is not that good to translate a
complete chapter. And if there are some mails breaking through the wall,
then it is better to create rules against the header. Clear facts
without side effects.
He also wrote that Amavis/SpamAssassin is learning itself. Each mail
classified as spam with a score of more than 12.0 is learned as spam and
there should be a logfile entry with loglevel 2 if a mail has been
learned as spam. I never increased the loglevel to check that.
I followed his opinion because it is the best book I've got
(www.postfix.de, next SpamAssassin/Amavis training course in November, I'm
thinking of participation)



"against additional training" and "other arguments for not autolearning"
are the exact *opposite*, however, i can assure you that a well
trained bayes with any autolearning reaches a 90-95% hit rate proven by
5 false positives and 30 spamreports on some hundred users in 2016


autolearning is anyways bad because it tends to classify already FN or
FP in the exactly wrong direction - you need to train *wrong classified*
mail where you are 100% sure if it's spam or ham and just ignore
anything where you are unsure, the rest will have common patterns which
are learned over time with your well classified ones


anyways, a spamfilter completely without bayes and URIBL not working has
no business to run in production


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net



On 21.09.2016 at 17:53, Sean Greenslade wrote:

As for your spam rejection paradigm, I can't possibly imagine that
working well unless you have a very close relationship with every single
person who emails you. If I send my resume to a job recruiter and they
get a bounce when they email me back, I highly doubt they're going to
bother to call me up and tell me my email system is broken. My resume's
going in the trash and they're moving on.

Just because you haven't received any calls doesn't mean there's no
problems...


it's absolutely no problem to outright reject high scored spam and tag
the likely spam stuff - BUT the prerequisite for doing so is to collect
bayes data, watch how the systems operate and after its classification
is proven good and all sort of scores are adjusted decide what is the
safe reject score


the problem of the OP is that he starts things the other way round and
first rejects without good evidence and doesn't have anything to make the
system bullet proof because it's rejected


when one starts with dangerous rules like reject based on message-id,
not realizing that his blacklists are not working and bayes doesn't work
this system is *not* production ready at all


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net



On 21.09.2016 at 17:23, Thomas Barth wrote:

On 21.09.2016 at 16:13, li...@rhsoft.net wrote:


#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


so your setup either doesn't use that config (amavis or something like
that part of the game then you don't have just spamassassin)

or you have not trained enough spam *and* ham - or you train the wrong
bayes-database likely by calling "sa-learn" with the wrong user

https://wiki.apache.org/spamassassin/SiteWideBayesSetup


I can't do that because I don't have spam mails. I don't make
store I didn't think that I need the spam uncompressed in a
folder for autolearning, I thought it works when sa is analyzing the
mail


how do you imagine autolearning from start with nothing trained?

just rely on rules and then train on false positives and negatives, in
other words every rejected message as spam and every passed as ham won't
work and when you think about it 10 seconds it should be obvious


anyways, you can't tell me that there are no mails which didn't make it
through the filters which were spam to find 200 of them and 200 ham
should be even more easy as long as you don't delete your mail after read



My mailsystem checks mails in real time and blocks mail during
connection. If there is a false positive the sender gets an error and I
get a call of the sender to check it (last call was over a year ago :-).
But I have a compressed copy in the quarantine folder so that I can
check the reason anyway.


doesn't change the fact that you need the stuff which was wrong classified
and tell SA if it's good or bad to make the filter better


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net

RP_MATCHES_RCVD=-3.096

override this idiotic rule with "score RP_MATCHES_RCVD -0.001" and 
hopefully that will soon get fixed until the end of all days as it was 
for a long time in the past


fix the other issues below and you don't need bad rules like 
"MESSAGEID_LOCAL=3" with such a dangerous and plain wrong score


On 21.09.2016 at 16:13, li...@rhsoft.net wrote:

On 21.09.2016 at 15:48, Thomas Barth wrote:

X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no


URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get
results from a lot of blacklists

http://uribl.com/refused.shtml

fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver


You all say that bayes is not working in my setup. I don't know why. I
followed a documentation for setting up my mailserver.

It says:

nano /etc/spamassassin/local.cf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


so your setup either doesn't use that config (amavis or something like
that part of the game then you don't have just spamassassin)

or you have not trained enough spam *and* ham - or you train the wrong
bayes-database likely by calling "sa-learn" with the wrong user

https://wiki.apache.org/spamassassin/SiteWideBayesSetup

is there really no "spamassassin for beginners" which explains all that
dns-stuff *at one place* and how to train bayes and make sure it is used
instead of getting every day the same problem reports on the list from fresh
people?
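
An added example, not from the thread, for reading the header quoted above the way the reply does. In Python it unfolds an amavis-style X-Spam-Status header, recomputes the total under the "score RP_MATCHES_RCVD -0.001" override suggested in the reply, and reports what the fired rules say about the setup itself: URIBL_BLOCKED means the resolver is being refused, and no BAYES_* rule at all means Bayes is not contributing. The header is the one posted; the override table, the classify thresholds and the hint texts are this example's own.

```python
import re
from decimal import Decimal

# The X-Spam-Status header quoted in the thread, folded as amavis wrote it.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31\n"
    "\ttests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,\n"
    "\tRP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]\n"
    "\tautolearn=no autolearn_force=no"
)

# Assumed local.cf override, taken from the reply above.
OVERRIDES = {"RP_MATCHES_RCVD": Decimal("-0.001")}


def parse_spam_status(header):
    """Unfold the header and return verdict, thresholds and per-rule scores."""
    body = re.sub(r"\r?\n[ \t]+", " ", header)
    m = re.search(r"tests=\[(.*?)\]", body)
    tests = {}
    for item in m.group(1).split(","):
        name, value = item.strip().split("=")
        tests[name] = Decimal(value)
    rest = body[:m.start()] + body[m.end():]
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {
        "flagged": re.match(r"X-Spam-Status:\s*Yes", body) is not None,
        "score": Decimal(fields["score"]),
        "tagged_above": Decimal(fields["tagged_above"]),
        "required": Decimal(fields["required"]),
        "autolearn": fields.get("autolearn"),
        "tests": tests,
    }


def rescore(tests, overrides):
    """Total after 'score RULE value' overrides in local.cf."""
    return sum((overrides.get(n, s) for n, s in tests.items()), Decimal(0))


def classify(total, tagged_above, required):
    """amavis semantics: tag above tagged_above, treat as spam at required."""
    if total >= required:
        return "spam"
    if total >= tagged_above:
        return "tagged"
    return "ham"


def diagnose(tests):
    """What the fired rules say about the filter setup, following the thread."""
    hints = []
    if "URIBL_BLOCKED" in tests:
        hints.append("URIBL_BLOCKED: URIBL refuses this resolver's queries; use a local "
                     "recursive resolver with no forwarding (http://uribl.com/refused.shtml)")
    if not any(n.startswith("BAYES_") for n in tests):
        hints.append("no BAYES_* rule fired: Bayes is untrained, not enabled for this "
                     "glue, or trained into a different user's database")
    if tests.get("RP_MATCHES_RCVD", Decimal(0)) <= Decimal("-3"):
        hints.append("RP_MATCHES_RCVD cancels more than 3 points; the reply "
                     "suggests 'score RP_MATCHES_RCVD -0.001'")
    return hints
```

With the override the total moves from 3.004 to 6.099, still under required=6.31, so this message would stay tagged rather than flagged as spam; the point is that a single default-weighted rule was cancelling the two signals that did fire, while two of the five rules report problems with the filter itself rather than with the mail.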


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net



On 21.09.2016 at 15:48, Thomas Barth wrote:

X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no


URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get
results from a lot of blacklists


http://uribl.com/refused.shtml

fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver



You all say that bayes is not working in my setup. I don't know why. I
followed a documentation for setting up my mailserver.

It says:

nano /etc/spamassassin/local.cf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


so your setup either doesn't use that config (amavis or something like
that part of the game then you don't have just spamassassin)


or you have not trained enough spam *and* ham - or you train the wrong 
bayes-database likely by calling "sa-learn" with the wrong user


https://wiki.apache.org/spamassassin/SiteWideBayesSetup

is there really no "spamassassin for beginners" which explains all that
dns-stuff *at one place* and how to train bayes and make sure it is used
instead of getting every day the same problem reports on the list from fresh
people?


Re: Digest::SHA1 module is required by the Razor2 plugin

2016-09-21 Thread li...@rhsoft.net


On 21.09.2016 at 10:18, Marcus Schopen wrote:

On Monday, 19.09.2016, 13:35 +0100, RW wrote:

It's not a spamassassin problem, right. Question is, can I install a
SHA1 package without harming perl at other places?


It should do any harm.


That should have been:

It shouldn't do any harm.


Thanks. Build a backport and razor is running fine now.

Is anyone using razor/pyzor/DCC and can give some efficiency report? Do
they still make sense beside DNSBL and URIBL?


surely - while DCC is not a spam sign by its descriptions razor/pyzor
*are* and they have nothing in common with DNSBL/URIBL


they are *content digests* and so able to hit messages spread over
different outbound servers, all sort of hacked accounts and using
permanently changing URLs - the whole point of SA is to make a final
score of different sources


Re: How to reject mails with special message-id (Debian, Amavis, Spamassassin)

2016-09-20 Thread li...@rhsoft.net



On 20.09.2016 at 15:46, Thomas Barth wrote:

I read that 5.0 is aggressive and suitable for single user setup,
conservative values are 8.0 or 11.0


depends on your glue, setup and bayes-training

many setups tag spam with 5.0 or 5.5 while the glue like a milter 
rejects spam above 8.0 points



I ve checked most of the mails recognized as spam. The lowest score was
8.6x so far.


that doesn't say anything as i recall from other posts your bayes is
currently not working - the point is not what was detected but what
slipped through and why or became a false-positive and why



Here is another mail from ...local. It definitely was spam with zip
attachment. Common is a sender address with digits.
 -> , quarantine:
l/spam-lEHVGcheLkyq.gz, Message-ID:
<20160920202635.6b90ec7...@allfromboats.com.local>, mail_id:
lEHVGcheLkyq, Hits: 19.118

May be I also should block sender addresses with more than 2 digits in
the name?


you should not block anything by single rules, that thread sounds like
you are an absolute beginner and in that case you should refrain from
blindly setting up rules because you think you have found a spam sign somewhere


anyways, i can assure you that .local in a message-id is *nothing 
unusual* and frankly i had even to step back from reject from-headers 
with .local because a large part of mailadmins configure their systems 
as 'mail.company.local' and in case of bounces (mailbox full as example) 
the envelope is a null-sender and the from-header postmaster@fool.local


well, and all that systems have a message-id ending with .local and if 
you want numbers - we would have rejected or tagged 981 *100% ham* 
messages with a message-id ending with .local and my users would have 
crucified me for such a setup


Re: mailspike: repeatedly down

2016-09-19 Thread li...@rhsoft.net



On 19.09.2016 at 17:11, Jose Borges Ferreira wrote:

Hi all,

To solve that issues, we are currently moving and upgrading our servers.
This should be solved quickly .
Sorry for any inconvenience.


thanks for feedback and taking action!


On Mon, Sep 19, 2016 at 2:43 PM, li...@rhsoft.net <li...@rhsoft.net> wrote:

in case someone cares or even somebody from 'mailspike.net' is on this
list - logs like below appear repeatedly the last weeks or few months

in fact these are timeouts and that will also hit default SA
installations, most likely without logging as postscreen does

Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:36:43 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
Sep 19 15:37:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
Sep 19 15:40:18 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:40:23 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net

Sep 19 15:40:03 mail-gw postfix/dnsblog[27524]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.wl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.wl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.bl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28533]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.bl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[27997]: warning: dnsblog_query: lookup error for DNS query 41.236.165.122.bl.mailspike.net: Host or domain name not found. Name service error for name=41.236.165.122.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28821]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.wl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.wl.mailspike.net type=A: Host not found, try again


mailspike: repeatedly down

2016-09-19 Thread li...@rhsoft.net
in case someone cares or even somebody from 'mailspike.net' is on this
list - logs like below appear repeatedly the last weeks or few months


in fact these are timeouts and that will also hit default SA 
installations, most likely without logging as postscreen does


Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for wl.mailspike.net
Sep 19 15:36:43 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for wl.mailspike.net
Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for bl.mailspike.net
Sep 19 15:37:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for bl.mailspike.net
Sep 19 15:40:18 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for wl.mailspike.net
Sep 19 15:40:23 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for wl.mailspike.net


Sep 19 15:40:03 mail-gw postfix/dnsblog[27524]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.wl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.wl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.bl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28533]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.bl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[27997]: warning: dnsblog_query: lookup error for DNS query 41.236.165.122.bl.mailspike.net: Host or domain name not found. Name service error for name=41.236.165.122.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28821]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.wl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.wl.mailspike.net type=A: Host not found, try again
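On the SA side the same resolver timeouts only show up as missing rule hits, so the postscreen and dnsblog warnings are the place to watch. As an added example (not code from the post), the Python below counts timeouts and "try again" lookup errors per DNSBL zone from sample log lines modelled on the ones above, plus a constructed placeholder zone, and lists the zones that fail repeatedly:

```python
import re
from collections import Counter, defaultdict

# Added example, not code from the post: count postscreen/dnsblog DNSBL
# failures per zone so a zone that keeps timing out (here mailspike) shows up
# before it silently costs you points in postscreen and SpamAssassin.

# Constructed sample, modelled on the log lines quoted in the post; the
# dnsbl.example.net line is a placeholder zone that failed only once.
SAMPLE_LOG = """\
Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:36:43 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
Sep 19 15:37:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for bl.mailspike.net
Sep 19 15:40:03 mail-gw postfix/dnsblog[27524]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.wl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.wl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning: dnsblog_query: lookup error for DNS query 195.109.140.185.bl.mailspike.net: Host or domain name not found. Name service error for name=195.109.140.185.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28533]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.bl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[27997]: warning: dnsblog_query: lookup error for DNS query 41.236.165.122.bl.mailspike.net: Host or domain name not found. Name service error for name=41.236.165.122.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28821]: warning: dnsblog_query: lookup error for DNS query 19.185.124.180.wl.mailspike.net: Host or domain name not found. Name service error for name=19.185.124.180.wl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:18 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:40:23 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for wl.mailspike.net
Sep 19 15:41:00 mail-gw postfix/postscreen[1244]: warning: dnsblog reply timeout 10s for dnsbl.example.net
Sep 19 15:41:01 mail-gw postfix/smtpd[1300]: connect from unknown[192.0.2.10]
""".splitlines()

# postscreen gave up waiting for the dnsblog helper
TIMEOUT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: warning: dnsblog reply timeout "
    r"(?P<secs>\d+)s for (?P<zone>\S+)$")
# the dnsblog helper got a temporary resolver error ("try again") itself
LOOKUP_ERR_RE = re.compile(
    r"postfix/dnsblog\[\d+\]: warning: dnsblog_query: lookup error for DNS "
    r"query (?P<name>\S+): .*try again$")
REVERSED_IP_RE = re.compile(r"^(?:\d{1,3}\.){4}")


def zone_of(query_name):
    """Strip the reversed-IPv4 prefix of a DNSBL query name:
    19.185.124.180.wl.mailspike.net -> wl.mailspike.net"""
    return REVERSED_IP_RE.sub("", query_name, count=1)


def parse_event(line):
    """Classify one syslog line; returns (zone, kind) or None for other lines."""
    m = TIMEOUT_RE.search(line)
    if m:
        return m.group("zone"), "timeout"
    m = LOOKUP_ERR_RE.search(line)
    if m:
        return zone_of(m.group("name")), "tempfail"
    return None


def count_failures(lines):
    """zone -> Counter({'timeout': n, 'tempfail': m})"""
    counts = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line.rstrip("\n"))
        if ev:
            zone, kind = ev
            counts[zone][kind] += 1
    return counts


def flaky_zones(lines, threshold=3):
    """Zones with at least `threshold` failures, most-failing first."""
    counts = count_failures(lines)
    ranked = sorted(counts.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [zone for zone, c in ranked if sum(c.values()) >= threshold]


if __name__ == "__main__":
    for zone, c in sorted(count_failures(SAMPLE_LOG).items()):
        print(f"{zone:22} timeout={c['timeout']:2d} tempfail={c['tempfail']:2d}")
    print("repeatedly failing:", flaky_zones(SAMPLE_LOG))
```

Feed it the real maillog from a cron job and a zone that appears in the output for days is a candidate for a lower weight or removal from postscreen_dnsbl_sites and the matching SA rules.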


Re: Digest::SHA1 module is required by the Razor2 plugin

2016-09-19 Thread li...@rhsoft.net


Am 19.09.2016 um 11:10 schrieb Marcus Schopen:

I'd like to use razor on my private mailbox, but it seems to depend on
Digest::SHA1, which is not part of Ubuntu 12.04 LTS or 14.04 LTS:

 The Digest::SHA1 module is required by the Razor2 plugin

I found this bug report

https://bugs.launchpad.net/ubuntu/+source/libdigest-sha1-perl/+bug/993648

where a package for precise is published (comment #9).

What to do? Building an own package from


just file a bug report against the Ubuntu spamassassin package and refer to 
the above bug report - someone needs to fix that mess in Ubuntu and i can 
assure you Debian and Redhat systems don't have this problem


in other words: this is a distribution mess and not SA related


Re: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...

2016-09-16 Thread li...@rhsoft.net



Am 16.09.2016 um 19:27 schrieb Joe Quinn:

On 9/16/2016 12:59 PM, li...@rhsoft.net wrote:

...

in case you have postscreen or something else which does proper
rbl-scoring in front of the content-scanners it's no problem because
only a small part of spam attempts are making it to SA

may depend on the amount of ham which can be also mitigated by
short-circuiting trustable senders with large amounts of mail

i have seen in the past a lot of junk with some 5-10 MB crap attached,
completely unrelated images because spammers know that they can bypass
many spamfilters that way (in case of a large binary it's also no
problem for cpu resources, only when they have a wrong text mimetype)

Another strategy sometimes is to truncate the message to that max size
before scanning, though making sure you get the most meaningful content
of a message without breaking the MIME format is in general not an easy
problem


the answer to this from the SA developers was "don't care, should the 
glue do it"


Re: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...

2016-09-16 Thread li...@rhsoft.net



Am 16.09.2016 um 18:17 schrieb David B Funk:

What do you see in your syslog reports from spamc?
Is it reporting any errors?

Please note the 'max-size' parameter for spamc:

  -s max_size, --max-size=max_size
      Set the maximum message size which will be sent to spamd -- any bigger than
      this threshold and the message will be returned unprocessed (default: 500 KB).
      If spamc gets handed a message bigger than this, it won't be passed to spamd.
      The maximum message size is 256 MB.

So any message larger than that parameter (default 500KB) will be silently
bypassed as far as spamd processing is concerned.

Note, do not make that a large number in an attempt to process
-everything- unless you have a beefy (lots of RAM & CPU) machine for
your spamd processing


in case you have postscreen or something else which does proper 
rbl-scoring in front of the content-scanners it's no problem because 
only a small part of spam attempts are making it to SA


may depend on the amount of ham which can be also mitigated by 
short-circuiting trustable senders with large amounts of mail


i have seen in the past a lot of junk with some 5-10 MB crap attached, 
completely unrelated images because spammers know that they can bypass 
many spamfilters that way (in case of a large binary it's also no 
problem for cpu resources, only when they have a wrong text mimetype)




Re: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...

2016-09-16 Thread li...@rhsoft.net



Am 16.09.2016 um 14:49 schrieb Maik Linnemann:

So far so good. The concept works like it should with only one
exception: Some mails are not tagged by spamassassin and I don't have a
clue why. Viscerally I would say it's about 20% of all mails that aren't
tagged by spamassassin


how is SA integrated in your mailsystem?

that's a very important question because the glue, like for example 
spamass-milter or amavis, can skip SA completely depending on its 
configuration


Re: Tuning recommendations?

2016-09-12 Thread li...@rhsoft.net



Am 12.09.2016 um 20:34 schrieb thomas cameron:

On 09/12/2016 01:06 PM, John Hardin wrote:

On Mon, 12 Sep 2016, thomas cameron wrote:

Make sure you have a local recursing (**NOT** forwarding) DNS server
that your MTA and SA are configured to use. Reason: if you're forwarding
your MTA DNS requests to your ISP's DNS server, the aggregated traffic
of you plus all the other ISP clients can exceed the various DNSBL and
URIBL free-usage limits, rendering those tools useless.


[root@mail-west ~]# grep recurs /etc/named.conf
allow-recursion { 127.0.0.1; };


A clear
indicator this is happening: URIBL_BLOCKED hits.


I see "URIBL_BLACK Contains an URL listed in the URIBL blacklist" in the
headers of many of the messages that got through. Is that what you mean?


no that means the message had a hit and so it seems you are using only 
127.0.0.1 as nameserver and that nameserver is *not* forwarding


it would be really helpful if you just post the full report-header of 
such a message, otherwise you are on your own


Re: RCVD_IN_SORBS_SPAM and google IPs

2016-09-12 Thread li...@rhsoft.net



Am 12.09.2016 um 18:53 schrieb David Jones:

From: li...@rhsoft.net
Sent: Monday, September 12, 2016 8:47 AM
To: users@spamassassin.apache.org
Subject: Re: RCVD_IN_SORBS_SPAM and google IPs


Am 12.09.2016 um 15:37 schrieb David Jones:

Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's
hitting a lot more ham than spam here, including mail from facebook.


You should be safely whitelisting any major senders like Facebook at
the MTA level and in SA:

whitelist_auth *@amazonses.com

for sure *not* since that would whitelist anything hosted on the amazon
cloud instances which is *not* amazon stuff itself



don't confuse major good senders with hosted crap of end customers
@amazonses.com != @amazon.com


I know the difference between amazonses.com and amazon.com.  I have
only had 1 instance of spam from amazonses.com and Amazon blocked
it quickly.


that's exactly what i have a contentfilter for - to *not* need customers 
to report their spam and have to talk with abuse departments to stop it



From my experience, they are trustworthy and police their
outbound spam properly to trust.  Otherwise you will block too much
legit email from their Simple Email Service.


why should i block too much legit mail just because a sender is not 
whitelisted?



https://aws.amazon.com/ses/faqs/
They have sending and bounce quotas which are going to catch most
bad actors using SES.


the same for "whitelist_auth *@icloud.com"


Apple is also doing a good job of policing their outbound spam
from icloud.com.  My logs show good reputation of the IPs.
senderscore.org report for 17.164.24.103 has a 98 out of 100
as a very high sender which is excellent.


a good job doesn't help much in case of hacked accounts which are closed 
after the damage of sending phishing and malware mails has already happened



Everyone doesn't have to whitelist_auth the same senders.  I only
wanted to show that this is a valid way to reduce false positives
for transient things like Google IPs in SORBS RBL.


[root@mail-gw:~]$ cat maillog | grep 01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com
Sep  6 18:58:47 mail-gw postfix/cleanup[5554]: 3sTCVH11mDz9bQ: message-id=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com>
Sep  6 18:58:52 mail-gw spamd[1086]: spamd: result: Y 14 - BAYES_99,BAYES_999,BOGOFILTER_SPAM,CUST_DNSBL_19_SPAMCANN,CUST_DNSWL_5_ORG_N,CUST_DNSWL_8_TL_N,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,SPF_PASS,T_OBFU_ATTACH_MISSP,URIBL_LOCAL scantime=5.0,size=13908,user=sa-milt,uid=189,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,mid=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com>,bayes=1.00,autolearn=disabled,shortcircuit=no


Did you check the envelope-from address of that message?


surely - in fact i found the message-id after grepping for envelopes in 
the milter-reject-log and *then* searched for the classification



Those are
message IDs which wouldn't necessarily match the envelope-from
used by whitelist_auth.


man i know what i am doing when reading maillogs (besides i knew before 
looking in the recent logs that @amazonses.com is not a blindly 
trustable envelope)


from=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@amazonses.com>

from a8-21.smtp-out.amazonses.com[54.240.8.21]


I don't see an IP address either to check the
source so that email could have been forwarded


* SPF_PASS
* DKIM_VALID_AU


I would need to see
the full headers and the message body since it did hit so many rules
and high Bayes


no you don't - the destination of that mail was our sysadmin-address 
*never* used for subscribing anywhere nor as envelope-sender, it's only 
mentioned on http error pages (non 2xx response)
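The spamd line quoted in this thread is the whole argument in one record: SPF_PASS and DKIM_VALID_AU both hit, so a `whitelist_auth *@amazonses.com` would have matched, while Bayes, Bogofilter and Razor pushed the score to 14. As an added example (not code from the post), this Python parses spamd `result:` log lines and checks a whitelist_auth pattern against the envelope sender; the sample line is modelled on the quoted one with a placeholder message-id and envelope address, and the authentication check is an approximation that uses the rule hits instead of SA's own SPF/DKIM evaluation:

```python
import re
from fnmatch import fnmatch

# Added example (not code from the post): parse spamd "result:" log lines and
# check whether a whitelist_auth pattern would have overridden the verdict.

RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[YN.]) (?P<score>-?\d+(?:\.\d+)?) - "
    r"(?P<rules>\S+) (?P<fields>.*)$")
# key=value pairs; the value runs lazily up to the next ",key=" so a
# message-id containing commas does not break the split
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=,\w+=|$)")

# Constructed sample modelled on the line quoted in the thread; the
# message-id is a placeholder and the rule list is shortened.
SAMPLE_LINE = (
    "Sep  6 18:58:52 mail-gw spamd[1086]: spamd: result: Y 14 - "
    "BAYES_99,BAYES_999,BOGOFILTER_SPAM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,"
    "HTML_MESSAGE,RAZOR2_CHECK,RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,SPF_PASS "
    "scantime=5.0,size=13908,user=sa-milt,uid=189,required_score=5.5,"
    "rhost=localhost,raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,"
    "mid=<MESSAGE-ID-PLACEHOLDER@email.amazonses.com>,bayes=1.00,"
    "autolearn=disabled,shortcircuit=no"
)
# Envelope sender domain as the post reports it; local part is a placeholder
SAMPLE_ENVELOPE_FROM = "BOUNCE-PLACEHOLDER@amazonses.com"


def parse_result(line):
    """Return a dict for a spamd result line, or None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    rules = [] if m.group("rules") == "none" else m.group("rules").split(",")
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "is_spam": m.group("flag") == "Y",
        "score": float(m.group("score")),
        "required": float(fields["required_score"]) if "required_score" in fields else None,
        "rules": rules,
        "bayes": float(fields["bayes"]) if "bayes" in fields else None,
        "fields": fields,
    }


def whitelist_auth_would_fire(result, envelope_from, patterns):
    """Approximation of SA's whitelist_auth: the address must match one of the
    globs AND the message must be authenticated. SA evaluates SPF and aligned
    DKIM itself; here the SPF_PASS / DKIM_VALID_AU rule hits stand in for it."""
    authenticated = "SPF_PASS" in result["rules"] or "DKIM_VALID_AU" in result["rules"]
    matched = any(fnmatch(envelope_from.lower(), p.lower()) for p in patterns)
    return authenticated and matched


def review(line, envelope_from, patterns):
    """What spamd decided vs. what a whitelist_auth entry would have done."""
    r = parse_result(line)
    if r is None:
        return None
    return {
        "spamd_verdict": "spam" if r["is_spam"] else "ham",
        "score": r["score"],
        "whitelisted": whitelist_auth_would_fire(r, envelope_from, patterns),
    }


if __name__ == "__main__":
    print(review(SAMPLE_LINE, SAMPLE_ENVELOPE_FROM, ["*@amazonses.com"]))
```

Run over a day of maillog together with the envelope senders from the postfix log, the same check lists every message a planned whitelist_auth entry would have rescued from a spam verdict, which is the data to look at before adding the entry.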





Re: Tuning recommendations?

2016-09-12 Thread li...@rhsoft.net



Am 12.09.2016 um 17:51 schrieb thomas cameron:

I rolled a new mail server out for my small business, and I've got a
pretty vanilla SA setup. It's just not doing a very good job of catching
spam. I'm getting a TON of "Amazon gift card" and "female hair loss" and
"work from home" spam in my inbox. I feel like if I see one more e-mail
about Blake Shelton, I'm gonna scream


train your bayes properly with enough ham *and* spam and do it as the 
user spamassassin runs as


Re: RCVD_IN_SORBS_SPAM and google IPs

2016-09-12 Thread li...@rhsoft.net


Am 12.09.2016 um 15:37 schrieb David Jones:

Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's
hitting a lot more ham than spam here, including mail from facebook.


You should be safely whitelisting any major senders like Facebook at
the MTA level and in SA:

whitelist_auth *@amazonses.com


for sure *not* since that would whitelist anything hosted on the amazon 
cloud instances which is *not* amazon stuff itself


don't confuse major good senders with hosted crap of end customers
@amazonses.com != @amazon.com

the same for "whitelist_auth *@icloud.com"

[root@mail-gw:~]$ cat maillog | grep 01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com
Sep  6 18:58:47 mail-gw postfix/cleanup[5554]: 3sTCVH11mDz9bQ: message-id=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com>
Sep  6 18:58:52 mail-gw spamd[1086]: spamd: result: Y 14 - BAYES_99,BAYES_999,BOGOFILTER_SPAM,CUST_DNSBL_19_SPAMCANN,CUST_DNSWL_5_ORG_N,CUST_DNSWL_8_TL_N,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_MSPIKE_H2,RP_MATCHES_RCVD,SPF_PASS,T_OBFU_ATTACH_MISSP,URIBL_LOCAL scantime=5.0,size=13908,user=sa-milt,uid=189,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,mid=<01000157007004fc-dd484ffc-155c-48dc-8a7d-b9fbc51b7094-000...@email.amazonses.com>,bayes=1.00,autolearn=disabled,shortcircuit=no




Re: RCVD_IN_SORBS_SPAM and google IPs

2016-09-09 Thread li...@rhsoft.net



Am 09.09.2016 um 15:20 schrieb Bowie Bailey:

On 9/8/2016 6:29 PM, RW wrote:

On Thu, 8 Sep 2016 15:53:00 -0500 (CDT)
Shane Williams wrote:


I'm seeing google IP ranges hit the RCVD_IN_SORBS_SPAM rule, and in
digging deeper, I realize that there are zero hits on this rule for
the two weeks prior to Aug. 31, and now I'm seeing it thousands of
times per week (not just against google IPs).

Was this rule added/changed/re-scored in a recent sa-update?

It was commented out for a long time because it had a delisting fee,
but was recently re-enabled.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=2221#c16


Granted, my system is fairly low volume, but out of over 15,000 messages
scanned, I have only seen 88 hits for SORBS rules in general and no hits
at all for RCVD_IN_SORBS_SPAM.  If there's a problem, I'm not seeing it


depends just on luck

* how many mails came from gmail, yahoo, gmx & friends
* from which server did they come

sorbs don't list gmail or other freemail providers as a whole, just the 
nodes which recently were abused by spammers and contacted honeypots or 
were reported repeatedly


you can write the exactly same message to the same RCPT from a freemail 
provider within 5 seconds and they may hit completely different 
DNSBL/DNSWL listings


Re: RCVD_IN_SORBS_SPAM and google IPs

2016-09-08 Thread li...@rhsoft.net



Am 08.09.2016 um 22:53 schrieb Shane Williams:

I'm seeing google IP ranges hit the RCVD_IN_SORBS_SPAM rule, and in
digging deeper, I realize that there are zero hits on this rule for
the two weeks prior to Aug. 31, and now I'm seeing it thousands of
times per week (not just against google IPs).

Was this rule added/changed/re-scored in a recent sa-update?


rules are re-scored all the time

2.397 is *way* too high because SORBS has a ton of different scorings 
and to land on "spam" is not hard for large providers which *in fact* 
all day long send some amount of spam since large freemail providers 
have no way to avoid it completely


"spam.dnsbl.sorbs.net" (127.0.0.6 response) has here 3 points on 
postscreen and 1.0 for SA - in both cases reject begins at 8.0




Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread li...@rhsoft.net



Am 08.09.2016 um 15:44 schrieb Chip M.:

On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:

i get a diff-output per mail each time the mailserver configs
are changing


That's a completely valid approach, and I am a big fan of
pre-emptive first strike (only as applied to potentially evil
email).

However, the vast majority of those TLDs will never
"go rogue", so I prefer to block on actual abuse
(Jason's approach), or likelihood of abuse, specifically, very
low cost.  Jason appears to have much higher volume than I do,
so he'd be a good source of data for me and others.


we require at least SPF or DNSWL for them instead of an unconditional reject 
and the reject text contains a link to wikipedia explaining what SPF is


the other part of using that file is to "DUNNO" specific TLDs in front 
of the checks and put a final line into helo-restrictions for when no DUNNO 
at all matched


/.*\.*/ REJECT Unacceptable HELO (Invalid TLD) see https://www.ietf.org/rfc/rfc2821.txt and https://www.ietf.org/rfc/rfc1912.txt


Forwarded message
Subject: Cron /usr/local/bin/update-spamfilter.sh
Date: Mon, 29 Aug 2016 16:30:03 +0200 (CEST)

UPDATED: /etc/postfix/blacklist_generic_ptr.cf
 1484a1485
 > /\.eco$/ DUNNO
 2375a2377
 > /\.vanguard$/ DUNNO
-
UPDATED: /etc/postfix/blacklist_helo.cf
 382a383
 > /\.eco$/ DUNNO
 1273a1275
 > /\.vanguard$/ DUNNO
-
UPDATED: /etc/postfix/blacklist_tld.cf
 271a272
 > /\.eco$/ REJECT Spam-TLD (SPF Required: .eco - see 
http://en.wikipedia.org/wiki/Sender_Policy_Framework)

 904a906
 > /\.vanguard$/ REJECT Spam-TLD (SPF Required: .vanguard - see 
http://en.wikipedia.org/wiki/Sender_Policy_Framework)

-

OK: /usr/bin/systemctl reload postfix.service



Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread li...@rhsoft.net


Am 08.09.2016 um 10:33 schrieb Chip M.:

On Sat, 09 Jul 2016, jasonsu wrote:

Fwiw, atm I block all of the following TLDs

...

men,

..

That list is auto-generated.  Any & all TLDs that have
sent > 100 messages within the last year *AND* have a


Great approach Jason! :)
".men" just recently appeared in my data, and is not showing up
on that Surbl tld page.

Please do share any more that you notice. :)


just download https://data.iana.org/TLD/tlds-alpha-by-domain.txt in a 
cronjob, compare it with the last version and re-generate your configs


i get a diff-output per mail each time the mailserver configs are changing
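The two posts above describe one cron job: fetch the IANA list, compare it with the previous copy, regenerate the postfix maps and mail the diff. As an added example (not the author's update-spamfilter.sh), the Python below implements that pipeline offline: the two IANA snapshots and the set of TLDs that get a DUNNO instead of the SPF requirement are constructed, the /etc/postfix file names and the REJECT texts follow the cron mail quoted above, and the download helper is only wired in for real use:

```python
import re
import urllib.request

# Added example, not the author's update-spamfilter.sh: rebuild postfix pcre
# maps from the IANA TLD list and report what changed, in the style of the
# cron mail quoted in the thread.

IANA_URL = "https://data.iana.org/TLD/tlds-alpha-by-domain.txt"
SPF_URL = "http://en.wikipedia.org/wiki/Sender_Policy_Framework"
# final catch-all for HELO names whose TLD matched no DUNNO line (as in the post)
HELO_CATCHALL = ("/.*\\.*/ REJECT Unacceptable HELO (Invalid TLD) see "
                 "https://www.ietf.org/rfc/rfc2821.txt and "
                 "https://www.ietf.org/rfc/rfc1912.txt")

# TLDs that pass the sender-TLD map unconditionally. The post does not show
# the author's set, so this one is a constructed example.
TRUSTED_TLDS = {"com", "net"}

# Constructed stand-ins for two consecutive downloads; the real file has one
# "# Version ..." comment line followed by one upper-case TLD per line.
OLD_IANA = """# Version 2016082800, Last Updated Sun Aug 28 07:07:01 2016 UTC
AAA
COM
NET
TOP
"""
NEW_IANA = """# Version 2016082900, Last Updated Mon Aug 29 07:07:01 2016 UTC
AAA
COM
ECO
NET
TOP
VANGUARD
"""


def fetch_iana(url=IANA_URL):
    """Download the current list (not used by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("ascii")


def parse_tld_list(text):
    """IANA list -> sorted lower-case TLDs; the version comment is dropped."""
    return sorted(line.strip().lower() for line in text.splitlines()
                  if line.strip() and not line.startswith("#"))


def render_helo_map(tlds):
    """blacklist_helo.cf: DUNNO every known TLD, then reject the rest.
    TLDs are [a-z0-9-], so they need no escaping inside the pcre."""
    return [f"/\\.{t}$/ DUNNO" for t in tlds] + [HELO_CATCHALL]


def render_tld_map(tlds, trusted=TRUSTED_TLDS):
    """blacklist_tld.cf: trusted TLDs pass, all others require SPF. The map is
    meant to be consulted after the SPF/DNSWL checks had their chance."""
    out = []
    for t in tlds:
        if t in trusted:
            out.append(f"/\\.{t}$/ DUNNO")
        else:
            out.append(f"/\\.{t}$/ REJECT Spam-TLD (SPF Required: .{t} - see {SPF_URL})")
    return out


def changed_lines(old_lines, new_lines):
    """(added, removed) map entries between two generated versions."""
    old_set, new_set = set(old_lines), set(new_lines)
    return ([l for l in new_lines if l not in old_set],
            [l for l in old_lines if l not in new_set])


def build_report(old_iana, new_iana):
    """Lines for the cron mail: one UPDATED header per changed map, then the
    added ('>') and removed ('<') entries the way diff prints them."""
    old_tlds, new_tlds = parse_tld_list(old_iana), parse_tld_list(new_iana)
    report = []
    for name, render in (("blacklist_helo.cf", render_helo_map),
                         ("blacklist_tld.cf", render_tld_map)):
        added, removed = changed_lines(render(old_tlds), render(new_tlds))
        if added or removed:
            report.append(f"UPDATED: /etc/postfix/{name}")
            report += [f"> {l}" for l in added] + [f"< {l}" for l in removed]
    return report


if __name__ == "__main__":
    print("\n".join(build_report(OLD_IANA, NEW_IANA)) or "no TLD changes")
```

In the cron job the rendered maps are written out and postfix reloaded only when the report is non-empty, which is also the moment to mail it.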



Re: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread li...@rhsoft.net



Am 07.09.2016 um 11:00 schrieb Nicola Piazzi:

I am off topic if you think that postfix is not spamassassin
I think that this is not a Microsoft problem because Exchange answers correctly 
to unknown recipients
I suppose that there is something in the return string that postfix doesn't like


postfix doesn't parse strings, postfix is just interested in the 3-digit 
response code where 2xx means "OK", 4xx "temporary problem" and 5xx 
"permanent problem, don't come back"


"250 2.1.5 Recipient OK" is a correct answer to unknown recipients?
since when?

Here Exchange 2016 at port 25 that verifies unknown recipients at DATA phase
telnet 10.1.1.126 25
220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
helo me
250 GEMMA.gruppocomet.net Hello [10.2.6.4]
mail from:e...@ext.com
250 2.1.0 Sender OK
rcpt to:doesntex...@gruppocomet.it
250 2.1.5 Recipient OK


Re: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread li...@rhsoft.net



Am 07.09.2016 um 10:42 schrieb Nicola Piazzi:

I have a problem using reject_unverified_recipient to verify under
Exchange 2016 that I don’t have with Exchange 2010


how is that a spamassassin or even postfix related problem?

call microsoft support and ask why their stuff is playing backscatter in 
recent versions (as you can see by all those exchange bounces flying 
around in the web)


there is nothing the delivery software can do when exchange has no clue 
about its valid RCPTs until it has received and acknowledged the full 
message instead of just rejecting the RCPT


workaround: list your valid RCPTs directly on your inbound MX and 
maintain it in parallel to exchange



Postfix is used to send and receive mail and is between the internet and
the internal Exchange Server
Now, when an internet user sends an email to our domain postfix verifies it
making an rcptto to our exchange using the reject_unverified_recipient
instruction
This worked well with Exchange 2010 but now with Exchange 2016 doesn't work.
Exchange 2016 needs the installation of Recipient Filter Agent and
obviously I installed it.
Now we have Frontend Transport that answers at port 25 and verifies
recipient at DATA phase and the Hub Transport that answers at port 2525
and verifies recipient at RCPT TO

Here Exchange 2016 at port 25 that verify unknown recipient at DATA phase
telnet 10.1.1.126 25
220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
helo me
250 GEMMA.gruppocomet.net Hello [10.2.6.4]
mail from:e...@ext.com
250 2.1.0 Sender OK
rcpt to:doesntex...@gruppocomet.it
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
some data


Re: new Mail-SpamAssassin-Plugin-AttachmentPresent

2016-09-06 Thread li...@rhsoft.net



Am 06.09.2016 um 23:27 schrieb Alex:

Is there any ability to determine if a particular attachment has a
Word macro enclosed in addition to just having a Word document?


that's the job of clamav and the sa-plugin for it

"OLE2BlockMacros yes" in case of a scored SA plugin won't block but add
the score of that clamd-instance, for unconditional blocking of other things
you typically have a clamd-instance with different config running as
unconditional milter


Yeah, that's unacceptable to me.

I can't accept obscuring whether a particular attachment has a macro
virus and instead just be notified only that it has a macro. That's
effectively saying it's necessary to outright block all macros or risk
allowing attachments with macro viruses to be passed unencumbered.

I was looking for another way to link macros with spamassassin, as the
amavisd/clamd approach is broken.



The reality of the world is:
1) block/quarantine/encumber/tag all documents that have a macro.
2) allow them thru unencumbered and risk delivering documents that might
have a macro virus.


That won't work. I can't tell my users they can no longer receive a
significant percentage of Word documents any longer


you do *not* block them outright
you *score* them

exactly the same as you asked here:
> Is there any ability to determine if a particular attachment has a
> Word macro enclosed in addition to just having a Word document?

what would be the difference between adding some points in SA by your 
question above and adding some points because of the clamd instance with scoring?


you just need a second clamd-instance with a different config which 
doesn't outright block and when you are at it add to *this* clamd instance 
some sanesecurity junk-rules which are false-positive-prone and hence 
not usable for direct blocking


Re: new Mail-SpamAssassin-Plugin-AttachmentPresent

2016-09-06 Thread li...@rhsoft.net



Am 06.09.2016 um 22:40 schrieb Alex:

Is there any ability to determine if a particular attachment has a
Word macro enclosed in addition to just having a Word document?


that's the job of clamav and the sa-plugin for it

"OLE2BlockMacros yes" in case of a scored SA plugin won't block but add the
score of that clamd-instance, for unconditional blocking of other things you
typically have a clamd-instance with different config running as
unconditional milter


Yeah, that's unacceptable to me.

I can't accept obscuring whether a particular attachment has a macro
virus and instead just be notified only that it has a macro. That's
effectively saying it's necessary to outright block all macros or risk
allowing attachments with macro viruses to be passed unencumbered


how is "has a Word macro enclosed in addition to just having a Word 
document" different? it says nothing about virus or not and so 
"OLE2BlockMacros yes" in context of scoring doesn't either


Re: new Mail-SpamAssassin-Plugin-AttachmentPresent

2016-09-06 Thread li...@rhsoft.net



Am 06.09.2016 um 22:24 schrieb Alex:

Is there any ability to determine if a particular attachment has a
Word macro enclosed in addition to just having a Word document?


that's the job of clamav and the sa-plugin for it

"OLE2BlockMacros yes" in case of a scored SA plugin won't block but add 
the score of that clamd-instance, for unconditional blocking of other 
things you typically have a clamd-instance with different config running 
as unconditional milter


Re: What are the T_ rules ?

2016-09-06 Thread li...@rhsoft.net



Am 06.09.2016 um 00:14 schrieb @lbutlr:

On 05 Sep 2016, at 13:36, li...@rhsoft.net wrote:

but -1.653 is just a bad joke because it means every homeuser which manages to 
get some DNS records fine (as well as every spammer which registers a ton of 
domains and cheap hosts) gets a large benefit compared to any professionally 
maintained server hosting hundreds of domains with responsibility



RP_MATCHES_RCVD scores a -0.1 and T_RP_MATCHES_RCVD scores a -0.0 on my system. 
I see those scores in emails from 2011.

Don’t know where you are finding -1.653, but that is not the score that is 
getting applied here


/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_scores.cf
score RP_MATCHES_RCVD   -1.152 -1.056 -1.152 -1.056

how about running "sa-update"?


Re: What are the T_ rules ?

2016-09-05 Thread li...@rhsoft.net



Am 05.09.2016 um 22:03 schrieb Ian Zimmerman:

On 2016-09-05 21:31, Axb wrote:


In what file do you see T_RP_MATCHES_RCVD ?


 [1+0]~$ cd /usr/share/spamassassin/
 [2+0]spamassassin$ fgrep T_RP_MATCHES_RCVD *
 72_active.cf:##{ T_RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
 72_active.cf:header   T_RP_MATCHES_RCVD  eval:check_mailfrom_matches_rcvd()
 72_active.cf:describe T_RP_MATCHES_RCVD  Envelope sender domain matches handover relay domain
 72_active.cf:tflags   T_RP_MATCHES_RCVD  nice
 72_active.cf:##} T_RP_MATCHES_RCVD if version >= 3.003000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval


current scores are not below /usr/share/spamassassin since that is *not* 
touched by sa-update and the last SA update was a year ago


Re: What are the T_ rules ?

2016-09-05 Thread li...@rhsoft.net



Am 05.09.2016 um 22:00 schrieb Ian Zimmerman:

On 2016-09-05 12:21, John Hardin wrote:


header  __RP_MATCHES_RCVD  eval:check_mailfrom_matches_rcvd()

...which means you'd need to go digging around in the perl code to find
out what it's doing.

Basically, it's a check that the return-path (the SMTP "MAIL FROM"
envelope value, if available) matches a received header in the message.


Based on the description string, I think (in fact I hope) that this is
not quite right; it's not "matches _a_ Received header" but "matches
_the_ Received header emitted by my MX host".

It would be a bit too general for my meta rule to rely on it, were it
otherwise


it's too general at all or looking from the other side:

why should i get a worse score just because i host 100 domains on my 
outbound mailserver compared to some jerk which registered 
"new-spamdomain.tld" and has "new-spamdomain.tld" as PTR until the ISP 
shuts down his crap spreading junk and malware all day long?


that's one of the rules which deserves nothing else than an informational 
tag and that won't change


Re: What are the T_ rules ?

2016-09-05 Thread li...@rhsoft.net



Am 05.09.2016 um 21:31 schrieb Axb:

72_scores.cf published by sa-update sets a score:
score RP_MATCHES_RCVD   -1.152 -1.653 -1.152 -1.653

Ian,
In what file do you see T_RP_MATCHES_RCVD?


*currently* nowhere

but -1.653 is just a bad joke because it means every homeuser which 
manages to get some DNS records fine (as well as every spammer which 
registers a ton of domains and cheap hosts) gets a large benefit compared 
to any professionally maintained server hosting hundreds of domains with 
responsibility


hence everybody right in his mind sets "score RP_MATCHES_RCVD -0.001" in 
local.cf and that issue is *not* new


Re: What are the T_ rules ?

2016-09-05 Thread li...@rhsoft.net



Am 05.09.2016 um 20:30 schrieb Ian Zimmerman:

Since I have seen other rules in results with the T_ prefix (for example
T_DKIM_INVALID) I think it must be some kind of convention with an
accepted meaning.  What is this conventional meaning, and how do these
rules relate to the ones without the T_ prefix?


T_ is testing - stuff which performs questionably for different reasons 
like T_DKIM_INVALID failing randomly and nobody knows why or rules where 
nobody is sure about their impact and if it's ok


Re: Local mode with some URI checks. Possible??

2016-09-05 Thread li...@rhsoft.net



Am 05.09.2016 um 19:01 schrieb Benny Pedersen:

On 2016-09-05 07:29, Pedro David Marco wrote:


My understanding was that "if there is no net flag, then it could work
in local mode", but i was wrong..


score rule sets supports no net tests, simply score 0 on net test, and
non zero on local tests rule set score


tell him something new

the point is that he wants to disable *all* network tests *except* specific 
ones without listing them all explicitly - just because they may change over 
time after "sa-update" and dependencies of meta-rules are also changing 
all the time (i know that from experience with the outbound 
submission-instance which has a ton of rules disabled)


so the answer is just: NO
that's it


Re: Local mode with some URI checks. Possible??

2016-09-04 Thread li...@rhsoft.net



Am 04.09.2016 um 11:18 schrieb Pedro David Marco:

i have several reasons to disable all networks checks but some:
1.- Some checks are done by my own SMTP proxy


since you should anyways have a local caching resolver it doesn't matter 
to double them and when a message slips through rbl scoring on smtpd 
it's a good thing to add points in the contentfilter for the listed ones



3.- Many RBLs have restrictions for commercial use, and as i want to do
fair play i prefer to avoid risks..


skip_rbl_checks 1
skip_uribl_checks 0

or just disable the ones in question

meta __RCVD_IN_SORBS 0
meta __RCVD_IN_ZEN 0
meta __RCVD_IN_DNSWL 0



*From:* Matus UHLAR - fantomas 
*To:* users@spamassassin.apache.org
*Sent:* Saturday, September 3, 2016 1:57 PM
*Subject:* Re: Local mode with some URI checks. Possible??

On 03.09.16 09:32, Pedro David Marco wrote:

Thanks Axb, I already did it, but I could not find any reasonable way
to disable all network checks but one...(not to go one by one, I mean)

there's also no reasonable way to disable "all but one" without going one by
one.

do you have real reason to skip all network tests?
most of them are very useful to detect spam...


Re: Image spam - FuzzyOCR?

2016-09-01 Thread li...@rhsoft.net



Am 01.09.2016 um 12:23 schrieb Mauricio Tavares:

I do agree that the OCR program should be doing the OCR'ing and
the text filtering should be left to a program that does that for a
living. In the modern, systemd world this is of course an ancient and
outdated design philosophy


this is simply *not* true and hence systemd ships a lot of different 
binaries doing different things and so *clearly* follows the unix philosophy


the only difference is that instead of all these tools living in different 
upstream repos, maintained by independent teams and hopefully getting 
adopted properly in case of changes which affect more than one, the needed 
changes are done in the same repo


some people just have the illusion that Lennart Pöttering is the one and 
only programmer of all those tools - no he is not - the different tools 
are maintained by different people and just get tightly integrated 
because they are all talking together and working in the same team 
instead of different projects fighting against each other in case of 
problems and pointing to the other tool which is broken





Re: sa-update errors

2016-09-01 Thread li...@rhsoft.net



Am 31.08.2016 um 18:22 schrieb John Hardin:

On Wed, 31 Aug 2016, li...@rhsoft.net wrote:


Am 30.08.2016 um 22:03 schrieb John Hardin:

 On Tue, 30 Aug 2016, Joseph Brennan wrote:

>  We've had errors the past 2 nights for all of the uridnsbl_skip_domain
>  rules. It's just us?

 It's been fixed, waiting for a new update to be generated by masscheck


i doubt that the process is working properly or why are the errors after
two successful sa-update runs still here?

29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully
30-Aug-2016 01:58:40: SpamAssassin: Update processed successfully
31-Aug-2016 00:49:44: SpamAssassin: Update processed successfully

Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, skipping, in "/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": uridnsbl_skip_domain zenithbank.com


I just confirmed that those lines are not in the latest update (1758345,
8/30).

Your 8/31 update should not have generated lint errors


should is the correct word!

TODAY with the 9/01 update the lint-warnings are gone and that's what i 
meant with "i doubt that the process is working properly" when the change 
itself was done days ago while every day "sa-update" pulled successfully


23-Aug-2016 11:46:53: SpamAssassin: Update processed successfully
24-Aug-2016 00:49:42: SpamAssassin: No update available
25-Aug-2016 00:01:12: SpamAssassin: Update processed successfully
26-Aug-2016 00:27:58: SpamAssassin: Update processed successfully
27-Aug-2016 01:15:48: SpamAssassin: Update processed successfully
28-Aug-2016 00:43:06: SpamAssassin: Update processed successfully
29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully
30-Aug-2016 01:58:40: SpamAssassin: Update processed successfully
31-Aug-2016 00:49:44: SpamAssassin: Update processed successfully
01-Sep-2016 00:35:01: SpamAssassin: Update processed successfully


Re: sa-update errors

2016-08-31 Thread li...@rhsoft.net



Am 31.08.2016 um 13:18 schrieb Martin Gregorie:

On Wed, 2016-08-31 at 12:25 +0200, Axb wrote:



Blame it on the boogie


Another data point: I haven't seen this problem. I've just searched my

Considering that it doesn't seem to hit everybody, I wonder if it could
be software related, i.e. connected with specific Perl package
versions. I'm running Fedora 23, fully patched as of last Thursday


Fedora 24 x86_64 fully patched

perl-5.22.2-362.fc24.x86_64 seems to also make errors visible in other 
places or make already known ones more visible, like undefined vars in case of 
invalid uribl dns-calls and so on


Re: sa-update errors

2016-08-31 Thread li...@rhsoft.net



Am 31.08.2016 um 11:56 schrieb Axb:

On 08/31/2016 11:41 AM, li...@rhsoft.net wrote:

however, what annoys me more is that "uridnsbl_skip_domain entries have
not yet been removed" and obviously nobody knows why - what if there
would be an issue leading to fatal errors for everybody running
"sa-update" and nobody has a clue how to get the fix out and when


I don't have a satisfying answer. But maybe someobody else does.

what annoys me is that there's a bunch of uridnsbl_skip_domain entries
in 25_uribl.cf and nobody complains


they are not making problems, as also my 
"/etc/mail/spamassassin/local-06-uridnsbl-skip-domain.cf" without 
"ifplugin" containing a large list doesn't cause any issue



when some show up in 72_active.cf some systems cough over them and I
cannot reproduce it. Seems these are not setups from source and
something is getting in the way.

All I can think of is that the missing "ifplugin" caused this.
I'll probably never know


if the plugin would be the problem i guess URIBL would not work at all, 
also see about the 06-uridnsbl-skip-domain.cf above - so the 
"72_active.cf" issue must be some other problem


however, if it is removed and that removal doesn't appear on setups which 
did successful "sa-update" calls it is *a big problem* because it indicates 
the "sa-update" process is out of control somewhere


Re: sa-update errors

2016-08-31 Thread li...@rhsoft.net



Am 31.08.2016 um 11:32 schrieb Axb:

On 08/31/2016 11:25 AM, li...@rhsoft.net wrote:


Am 31.08.2016 um 11:15 schrieb Axb:

On 08/31/2016 10:57 AM, li...@rhsoft.net wrote:


Am 30.08.2016 um 22:03 schrieb John Hardin:

On Tue, 30 Aug 2016, Joseph Brennan wrote:


We've had errors the past 2 nights for all of the
uridnsbl_skip_domain
rules. It's just us?


It's been fixed, waiting for a new update to be generated by masscheck


i doubt that the process is working properly or why are the errors after
two successful sa-update runs still here?

29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully

Aug 31 10:56:16.871 [28612] warn: config: failed to parse line,
skipping, in
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf":
uridnsbl_skip_domain zenithbank.com


Just did a manual sa-update -D

while the uridnsbl_skip_domain entries have not yet been removed from
72_active.cf I get no "failed to parse line" msgs


you get them with "spamassassin --lint" and not due to the update - IMHO
the subject of this thread is just wrong


I get no errors with  spamassassin --lint
 or  spamassassin --lint -D




:-(

however, what annoys me more is that "uridnsbl_skip_domain entries have 
not yet been removed" and obviously nobody knows why - what if there 
would be an issue leading to fatal errors for everybody running 
"sa-update" and nobody has a clue how to get the fix out and when


Re: sa-update errors

2016-08-31 Thread li...@rhsoft.net


Am 31.08.2016 um 11:15 schrieb Axb:

On 08/31/2016 10:57 AM, li...@rhsoft.net wrote:


Am 30.08.2016 um 22:03 schrieb John Hardin:

On Tue, 30 Aug 2016, Joseph Brennan wrote:


We've had errors the past 2 nights for all of the uridnsbl_skip_domain
rules. It's just us?


It's been fixed, waiting for a new update to be generated by masscheck


i doubt that the process is working properly or why are the errors after
two successful sa-update runs still here?

29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully
30-Aug-2016 01:58:40: SpamAssassin: Update processed successfully
31-Aug-2016 00:49:44: SpamAssassin: Update processed successfully

Aug 31 10:56:16.871 [28612] warn: config: failed to parse line,
skipping, in
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf":
uridnsbl_skip_domain zenithbank.com
Aug 31 10:56:16.871 [28612] warn: config: failed to parse line,
skipping, in
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf":
uridnsbl_skip_domain zkb.ch
Aug 31 10:56:16.871 [28612] warn: config: failed to parse line,
skipping, in
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf":
uridnsbl_skip_domain zugerkb.ch


Just did a manual sa-update -D

while the uridnsbl_skip_domain entries have not yet been removed from
72_active.cf I get no "failed to parse line" msgs


you get them with "spamassassin --lint" and not due to the update - IMHO 
the subject of this thread is just wrong


Re: sa-update errors

2016-08-31 Thread li...@rhsoft.net


Am 30.08.2016 um 22:03 schrieb John Hardin:

On Tue, 30 Aug 2016, Joseph Brennan wrote:


We've had errors the past 2 nights for all of the uridnsbl_skip_domain
rules. It's just us?


It's been fixed, waiting for a new update to be generated by masscheck


i doubt that the process is working properly or why are the errors after 
two successful sa-update runs still here?


29-Aug-2016 00:44:41: SpamAssassin: Update processed successfully
30-Aug-2016 01:58:40: SpamAssassin: Update processed successfully
31-Aug-2016 00:49:44: SpamAssassin: Update processed successfully

Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, 
skipping, in 
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": 
uridnsbl_skip_domain zenithbank.com
Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, 
skipping, in 
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": 
uridnsbl_skip_domain zkb.ch
Aug 31 10:56:16.871 [28612] warn: config: failed to parse line, 
skipping, in 
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": 
uridnsbl_skip_domain zugerkb.ch


Re: sa-update errors

2016-08-30 Thread li...@rhsoft.net



Am 30.08.2016 um 21:56 schrieb Joseph Brennan:

We've had errors the past 2 nights for all of the uridnsbl_skip_domain
rules. It's just us?


no, since there were yesterday at least two threads about this topic, the 
first by me, and AFAIR it should have been fixed last night but wasn't, 
which indicates some problem in the update process when even emergency 
changes are not pushed reliably (besides, they would not be pushed when 
the mass-check did not have enough samples, but in that case sa-update 
would not have done anything at all)


Re: Shortcircuit work partially

2016-08-30 Thread li...@rhsoft.net



Am 30.08.2016 um 18:54 schrieb Kris Deugau:

Nicola Piazzi wrote:

How to do it syncronously ?
It is not important to process a single mail in 5 or 50 seconds
4 me ss most important to reduce load


DNS lookups have essentially zero cost next to almost anything else SA
does


when it comes to the daily limit of RBL/URIBL services and for whatever 
reason you have abnormal peaks of inbound tries, "zero cost" turns into a 
real cost when you would be able to shortcircuit a majority of the messages


i even go so far and say it would be a possible attack when someone 
floods you with specially composed mails containing a large list of random 
domains to exceed your URIBL limits and later sends the payload where 
URIBL would have been the anchor to detect it while your shields are 
just down - in that case you may be able to find some anchor for a 
meta-rule and block/shortcircuit that stuff but currently it won't avoid 
the dns lookups


Re: Shortcircuit work partially

2016-08-30 Thread li...@rhsoft.net



Am 30.08.2016 um 16:21 schrieb Nicola Piazzi:

When i shortcircuit a rule not all other are bypassed

Here an example ...

Local.cf :
priority BAYES_ZERO -980
shortcircuit BAYES_ZERO ham


the dns stuff is fired asynchronous long before bayes is even evaluated


Spam report :
-0.03 ABUSIX_PRESENCE Contatto Anti-Abuse presente in abuse-contacts.abusix.org
-1.00 BAYES_ZERO Bayes Zero Percento Assoluto
0.10 C_RBL_ANTICAPTCHA Listed in dnsbl.anticaptcha.net
0.10 C_RBL_DNSRBL Listed in DnsRbl.org
0.20 C_RBL_KONSTANT Listed in bl.konstant.no
0.10 C_RBL_MEGARBL Listed in rbl.megarbl.net
0.10 C_RBL_NETUA Listed in dnsbl.net.ua
-0.30 C_RBL_NSZONES_WL NSZONES - WhiteList
0.10 C_RBL_SINGULAR Listed in singular.ttk.pte.hu
0.10 C_RBL_SWINOG_SPAM Listed in dnsrbl.swinog.ch.
0.10 C_RBL_UNSUBSCORE Listed in ubl.unsubscore.com
-100.00 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
-0.35 URIBL_HOSTKARMA_Y Dominio in HostKarma YellowList


Re: SoughtRules

2016-08-29 Thread li...@rhsoft.net


Am 30.08.2016 um 02:45 schrieb John Hardin:

On Mon, 29 Aug 2016, Anthony Hoppe wrote:


I just learned about the sought ruleset via
https://wiki.apache.org/spamassassin/ImproveAccuracy.  Is this ruleset
still actively maintained?  I'm considering implementing it in my
environment, but want to make sure just in case.


Sadly, no. I think it's been at least a couple of years since they were
regenerated


but they still hit junkmails and are even part of the fedora default 
install pulled with the first "sa-update"


rpm -q --file /etc/mail/spamassassin/channel.d/sought.conf
spamassassin-3.4.1-9.fc24.x86_64

cat /etc/mail/spamassassin/channel.d/sought.conf
# http://wiki.apache.org/spamassassin/SoughtRules
CHANNELURL=sought.rules.yerp.org
KEYID=6C6191E3
# Ignore everything below.
return 0

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)
...
-----END PGP PUBLIC KEY BLOCK-----


lint fails: /var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf

2016-08-29 Thread li...@rhsoft.net

something with that "sandbox" seems to be wrong
##} uridnsbl_skip_domain_sandbox

the cron-mail below is from the daily "spamassassin --lint" for all 
spamd instances and is way longer than below


 Forwarded Message 
Subject: /usr/local/bin/spamfilter-check-config.sh
Date: Mon, 29 Aug 2016 02:30:04 +0200 (CEST)
From: (Cron Daemon)

Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, 
skipping, in 
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": 
uridnsbl_skip_domain 1stnationalbank.com
Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, 
skipping, in 
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": 
uridnsbl_skip_domain 365online.com
Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, 
skipping, in 
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": 
uridnsbl_skip_domain 53.com
Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, 
skipping, in 
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": 
uridnsbl_skip_domain abl.com.pk
Aug 29 02:30:04.229 [29063] warn: config: failed to parse line, 
skipping, in 
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": 
uridnsbl_skip_domain accessbankplc.com
Aug 29 02:30:04.230 [29063] warn: config: failed to parse line, 
skipping, in 
"/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_active.cf": 
uridnsbl_skip_domain adib.ae


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



Am 18.08.2016 um 21:08 schrieb Jerry Malcolm:

On 8/18/2016 1:50 PM, li...@rhsoft.net wrote:


Am 18.08.2016 um 20:48 schrieb Jerry Malcolm:

This is encouraging.  I looked up how to set recursion in Bind.  It
looks like it's just requires adding a field to the options:

|allow-recursion { any; }; |But it lists other options such as
allow-query, allow-query-cache, etc.  Is recursion the only one that
might be affecting SA?  Or should I enable other options?


sorry but *no*

it means nothing else than *remove* any forwarding statements

the stuff above is just to limit which clients are allowed to make
recursive queries


Hmm.  I do not have any forwarding statements.  Is there a way via
command line (e.g. nslookup, etc) that I can determine if BIND is
recursing or forwarding?  I assume that might be in the SA report
header.  But see my previous response that I can't seem to ever get
report headers... Yuck...


on a proper operating system i would ask for the content of 
/etc/resolv.conf - nobody but you can find out which nameserver your SA 
is using and how this nameserver is configured


just because you are running named on your box doesn't mean this is the 
nameserver applications running on this host are using


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



Am 18.08.2016 um 21:05 schrieb Jerry Malcolm:

I see the local.cf file, it is already configured with 'all report'.
But I looked at a msg that was flagged a spam.  It doesn't have a report
header either.  I guess it's possible that the JAMES invoker mailet is
stripping the headers.  But I don't see any obvious code that appears to
be removing headers.  Are there any other options that might be
controlling whether SA adds that header?


you *really* should ask somewhere on a james-list and re-consider using 
a MTA practically nobody knows as well as some "out-of-the-box" stuff and 
then run on a windows server


you have a 1-out-of-10 setup at best!


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



Am 18.08.2016 um 20:48 schrieb Jerry Malcolm:

This is encouraging.  I looked up how to set recursion in Bind.  It
looks like it's just requires adding a field to the options:

|allow-recursion { any; }; |But it lists other options such as
allow-query, allow-query-cache, etc.  Is recursion the only one that
might be affecting SA?  Or should I enable other options?


sorry but *no*

it means nothing else than *remove* any forwarding statements

the stuff above is just to limit which clients are allowed to make 
recursive queries


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



Am 18.08.2016 um 20:27 schrieb Jerry Malcolm:


On 8/18/2016 1:17 PM, li...@rhsoft.net wrote:


Am 18.08.2016 um 20:10 schrieb Jerry Malcolm:

Here is a pastebin.com link to an example uncaught spam message. SA
scored it a 4.7. http://pastebin.com/T1CfVgP4


useless without any headers which would show the matching rules
including major mistakes like URIBL_BLOCKED

but even passing that "non-email" to SA would hit URIBL_ABUSE_SURBL,
PYZOR_CHECK, URIBL_DBL_SPAM, URIBL_BLACK and URIBL_SBL_A so i guess
you are using some DNS forwarder which does *not* work for an inbound
spamfilter


I haven't figured out a way to get Thunderbird to allow me to copy/paste
the headers


seriously?
"view -> source code" or however the menus are called in english


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net



Am 18.08.2016 um 20:18 schrieb Jerry Malcolm:

This is the X-Spam-Status header I got back on an uncaught spam. No,
hits=0.3 required=5.0.  The spam was selling an all-in-one charger


we need the *report* header


What kind of DNS issues?  I lease a server from Peer1 and use their name
servers.


don't do that - just install a *recursing* local resolver like unbound 
and point only to 127.0.0.1 - anything else won't work for an inbound 
mailserver because you hit RBL limits when you share the nameserver with 
an unknown amount of other people
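Two checks a practitioner would run after reading this and the earlier advice to look at /etc/resolv.conf, as an added example (Python, not code from SpamAssassin or from anyone on the list): is the resolver the host actually uses a loopback address, and what does the URIBL test point answer through it. The return codes (127.0.0.1 meaning the resolver is refused, which is what SpamAssassin reports as URIBL_BLOCKED, and 127.0.0.14 for the test name) are taken from URIBL's published usage notes and should be verified against uribl.com before being relied on; the resolv.conf bodies are constructed.

```python
"""Resolver sanity checks for an inbound SpamAssassin host (added example)."""
import socket

# URIBL return codes for multi.uribl.com, per URIBL's usage notes (assumption:
# verify against uribl.com before relying on them).
URIBL_BLOCKED = "127.0.0.1"                      # resolver refused -> URIBL_BLOCKED
URIBL_BITS = {2: "black", 4: "grey", 8: "red"}
URIBL_TEST_NAME = "test.uribl.com.multi.uribl.com"   # documented to answer 127.0.0.14


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in an /etc/resolv.conf body."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolver_is_local_only(text):
    """True only if at least one nameserver is listed and all are loopback.

    Anything else means the RBL/URIBL quota is shared with whoever else
    uses that resolver, which is how URIBL_BLOCKED shows up.
    """
    servers = parse_resolv_conf(text)
    return bool(servers) and all(s.startswith("127.") or s == "::1" for s in servers)


def classify_uribl_answer(addresses):
    """Interpret the A records returned for <name>.multi.uribl.com."""
    if not addresses:
        return "not listed"
    if URIBL_BLOCKED in addresses:
        return "blocked"
    lists = set()
    for addr in addresses:
        last_octet = int(addr.rsplit(".", 1)[1])
        for bit, name in URIBL_BITS.items():
            if last_octet & bit:
                lists.add(name)
    if lists:
        return "listed:" + ",".join(sorted(lists))
    return "unknown:" + ",".join(addresses)


def live_uribl_check():
    """One real query of the URIBL test point through the host's resolver."""
    try:
        _, _, addrs = socket.gethostbyname_ex(URIBL_TEST_NAME)
    except socket.gaierror:
        addrs = []
    return classify_uribl_answer(addrs)


# Constructed resolv.conf samples (documentation-range addresses, not real resolvers).
FORWARDED = "# written by the hosting panel\nnameserver 192.0.2.53\nnameserver 198.51.100.53\n"
LOCAL = "nameserver 127.0.0.1\noptions timeout:1\n"

if __name__ == "__main__":
    print("forwarded sample local-only:", resolver_is_local_only(FORWARDED))
    print("local sample local-only:", resolver_is_local_only(LOCAL))
    print("live URIBL test point:", live_uribl_check())
```

On a correctly set up mailserver the live check prints "listed:black,grey,red"; "blocked" means the resolver in resolv.conf is shared or forwarding and SpamAssassin's URIBL rules are effectively switched off; "not listed" usually means the query never reached URIBL at all.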


Re: New Install - Tons of Spam Getting Through

2016-08-18 Thread li...@rhsoft.net


Am 18.08.2016 um 20:10 schrieb Jerry Malcolm:

Here is a pastebin.com link to an example uncaught spam message. SA
scored it a 4.7. http://pastebin.com/T1CfVgP4


useless without any headers which would show the matching rules 
including major mistakes like URIBL_BLOCKED


but even passing that "non-email" to SA would hit URIBL_ABUSE_SURBL, 
PYZOR_CHECK, URIBL_DBL_SPAM, URIBL_BLACK and URIBL_SBL_A so i guess you 
are using some DNS forwarder which does *not* work for an inbound spamfilter


Re: DKIM Score

2016-08-16 Thread li...@rhsoft.net



Am 16.08.2016 um 22:04 schrieb Benny Pedersen:

On 2016-08-16 21:52, li...@rhsoft.net wrote:

Am 16.08.2016 um 21:31 schrieb Benny Pedersen:

On 2016-08-16 13:57, RW wrote:


whitelist_from_dkim *@example.com *@example.net


should be separate lines


why?


read perldoc


read spamassassin docs

WHITELIST AND BLACKLIST OPTIONS

Whitelist and blacklist addresses are now file-glob-style patterns, so 
fri...@somewhere.com, *@isp.com, or *.domain.net will all work. 
Specifically, * and ? are allowed, but all other metacharacters are not. 
Regular expressions are not used for security reasons.


Multiple addresses per line, separated by spaces, is OK. Multiple 
whitelist_from lines is also OK.




blacklist_from  *@example.com *@example.net


cant remember if that can be one line


as all whitelist_ and blacklist_ *it can*

so what is your point?


read perldoc


read spamassassin docs

unwhitelist_from_rcvd a...@ress.com
Used to override a default whitelist_from_rcvd entry, so for example a 
distribution whitelist_from_rcvd can be overridden in a local.cf file, 
or an individual user can override a whitelist_from_rcvd entry in their 
own user_prefs file.


The specified email address has to match exactly the address previously 
used in a whitelist_from_rcvd line.


e.g.

  unwhitelist_from_rcvd j...@example.com f...@example.com
  unwhitelist_from_rcvd *@axkit.org


Re: DKIM Score

2016-08-16 Thread li...@rhsoft.net



Am 16.08.2016 um 21:31 schrieb Benny Pedersen:

On 2016-08-16 13:57, RW wrote:


whitelist_from_dkim *@example.com *@example.net


should be separate lines


why?


blacklist_from  *@example.com *@example.net


cant remember if that can be one line


as all whitelist_ and blacklist_ *it can*

so what is your point?


Re: DKIM Score

2016-08-16 Thread li...@rhsoft.net



Am 16.08.2016 um 10:47 schrieb Chris Lee:

Suppose there is a user someb...@example.com is on vacation and using 3rd party 
SMTP server (w/o DKIM) for sending email.
I want temporary whitelist it to bypass DKIM checking.


he MUST NOT do that and so there is no justification to handle whatever 
random server differently because it sends technically forged mail of a 
foreign domain - i would say BLACKLIST that server because it allows a 
random and foreign envelope-sender, that would be the way to go instead of 
whitelisting it


Re: DKIM Score

2016-08-16 Thread li...@rhsoft.net



Am 16.08.2016 um 10:30 schrieb Kevin Golding:

Probably even more of a performance nightmare, but possibly easier to
maintain could be something like:

header __FROM_EXAMPLECOM From:addr =~ /\@(example\.com)$/i
header __FROM_EXAMPLEORG From:addr =~ /\@(example\.org)$/i
header __FROM_EXAMPLENL  From:addr =~ /\@(example\.nl)$/i

meta __DKIM_REQUIRED ( __FROM_EXAMPLECOM || __FROM_EXAMPLEORG ||
__FROM_EXAMPLENL )


horrible to maintain - normally you generate that with a script and so 
you can in php (as example) simply implode('|', $list) to fill the regex 
(make sure anything is properly escaped before)


/\@(example\.com|example\.org|example\.net)$/i
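The two list-to-matcher problems in this thread, as one added example (Python rather than the PHP implode() mentioned above; not SpamAssassin's code): first, how a whitelist_from glob from the earlier documentation quote can be matched when only '*' and '?' are wildcards and every other character is literal, so a pattern can never turn into a regular expression; second, generating the single header rule from a domain list with every domain escaped. The rule name __FROM_DKIM_REQUIRED, the config fragment and the domain list are constructed.

```python
"""Address globs and generated domain regexes without regex injection (added example)."""
import re


def glob_to_regex(pattern):
    """Compile a whitelist glob: '*' and '?' are wildcards, all else is escaped."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # '(', '|', '.', '+' stay literal
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_whitelist_lines(lines):
    """Collect patterns from whitelist_from lines; several per line and several
    lines are both accepted, as the documentation quoted above says."""
    patterns = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        keyword, _, rest = line.partition(" ")
        if keyword == "whitelist_from":
            patterns.extend(rest.split())
    return patterns


def whitelisted(address, patterns):
    return any(glob_to_regex(p).match(address) for p in patterns)


def from_domains_regex(domains):
    """Alternation of escaped, lower-cased, de-duplicated domains, anchored at the end."""
    cleaned = sorted({d.strip().lower() for d in domains if d.strip()})
    return r"\@(" + "|".join(re.escape(d) for d in cleaned) + r")$"


def header_rule(name, domains):
    """The generated SpamAssassin rule line (what the implode() call produces)."""
    return "header %s From:addr =~ /%s/i" % (name, from_domains_regex(domains))


def from_addr_matches(address, domains):
    return re.search(from_domains_regex(domains), address, re.IGNORECASE) is not None


# Constructed inputs.
CONFIG = ["whitelist_from friend@somewhere.com *@isp.com", "whitelist_from *.domain.net"]
PATTERNS = parse_whitelist_lines(CONFIG)
DOMAINS = ["example.com", "example.org", "example.nl"]

if __name__ == "__main__":
    print(header_rule("__FROM_DKIM_REQUIRED", DOMAINS))
    for addr in ("friend@somewhere.com", "Bob@ISP.com", "x@mail.domain.net", "bob@ispXcom"):
        print(addr, whitelisted(addr, PATTERNS))
```

The point of escaping per character in glob_to_regex is that a pattern such as "a(b)@x.org" matches only that literal address; without re.escape the parentheses would form a group and "ab@x.org" would match too. The same applies to the generated alternation: an unescaped dot matches any character, so "example.org" would also accept "exampleXorg".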


Re: google spamming ?

2016-08-15 Thread li...@rhsoft.net



Am 15.08.2016 um 15:47 schrieb Benny Pedersen:

On 2016-08-15 15:30, Joe Quinn wrote:


If you reported it already, why are you still asking how?


not possible for me to run spamassassin -r here


one reason more to not post to *this list* at all, instead a) complain to 
rspamd and b) ask what the replacement for "spamassassin -r" is called if 
one exists


anyway the tags without message headers are not helpful since "google" 
can mean all or nothing from free gmail to googlegroups, youtube and 
dozens of other subdomains, and if you "want to share" you need at least 
to share the whole message so that anybody can compare it with SA


the initial post as it was made is useless and in fact SPAM itself


Re: google spamming ?

2016-08-15 Thread li...@rhsoft.net


Am 15.08.2016 um 15:21 schrieb Benny Pedersen:

On 2016-08-15 15:16, Joe Quinn wrote:


Have you tried asking on either the rspamd or dnswl mailing lists?


why should i waste my time with it ?

i have reported spam to dnswl


why do you waste *our* time with it?

when you switch from SA to rspamd then switch sending your contentfilter 
related stuff to the rspamd list instead of the SA list - common sense - 
that's it


Re: [SOLVED] R: A plugin to legitimate email when SPF and DKIM missing

2016-08-10 Thread li...@rhsoft.net



Am 10.08.2016 um 12:00 schrieb Nicola Piazzi:


I wrote this simple plugin, mxpf
This plugin searches the B class of the sender IP address and tries to match the B class of any 
IP of the MX records of the declared domain
So when it matches it is very difficult that the sender is a spoofed domain, you can 
use MXPF_PASS to combine with other rules in addition to SPF_PASS

1) Unpack mxpf.cf and mxpf.pm under /etc/mail/spamassassin dir
2) put your score in mxpf.cf

Download here :

https://forum.efa-project.org/viewtopic.php?f=14=1777


that looks really good

one piece missing - something like "whitelist_mx" working the same way as 
"whitelist_auth" to combine it with shortcircuit, to complement whitelisting 
by spf with that for senders you trust but don't have SPF/DKIM for 
whitelist_auth


whitelist_mx sen...@domain.tld
whitelist_mx *@domain.tld
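The MXPF heuristic described above and the whitelist_mx idea from the reply, as an added example in Python (this is not the mxpf.pm plugin and not SpamAssassin code). It takes the sender IP and the already-resolved addresses of the declared domain's MX hosts (resolving the MX records themselves needs a DNS library, e.g. dnspython's dns.resolver.resolve(domain, "MX")) and reports MXPF_PASS when the sender sits in the same /16 ("B class") as any of them. The MX address table and the whitelist are constructed.

```python
"""MXPF-style /16 match between sender IP and MX addresses (added example)."""
import fnmatch
import ipaddress


def same_slash16(a, b):
    """True when two IPv4 addresses share their first 16 bits."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return a.version == 4 and b.version == 4 and int(a) >> 16 == int(b) >> 16


def mxpf_check(sender_ip, mx_ips):
    """MXPF_PASS if the sender is in the /16 of any MX address, else MXPF_NONE.

    The post only talks about B classes, i.e. IPv4; IPv6 senders never pass here.
    """
    for mx in mx_ips:
        if same_slash16(sender_ip, mx):
            return "MXPF_PASS"
    return "MXPF_NONE"


def whitelist_mx_hit(envelope_from, sender_ip, mx_ips_by_domain, whitelist):
    """A whitelist_mx glob only counts when the sender's MXPF check passes.

    fnmatch also understands [...] ranges, which SpamAssassin's own whitelist
    syntax does not allow; only '*' and '?' are used in the sample list.
    """
    domain = envelope_from.rpartition("@")[2].lower()
    if mxpf_check(sender_ip, mx_ips_by_domain.get(domain, [])) != "MXPF_PASS":
        return False
    return any(fnmatch.fnmatchcase(envelope_from.lower(), pat.lower()) for pat in whitelist)


# Constructed data: MX addresses in the documentation range and one whitelist entry.
MX_IPS = {"example.com": ["203.0.113.25", "203.0.113.26"]}
WHITELIST_MX = ["*@example.com"]

if __name__ == "__main__":
    for sender in ("203.0.113.70", "198.51.100.7", "2001:db8::1"):
        print(sender, mxpf_check(sender, MX_IPS["example.com"]),
              whitelist_mx_hit("bob@example.com", sender, MX_IPS, WHITELIST_MX))
```

A /16 is coarse: at a hosting provider or in a cloud region, unrelated customers sit in the same /16 as a domain's MX, so MXPF_PASS is a hint to combine with other rules, as the post itself says, not an authentication result like a valid DKIM signature.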


Re: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread li...@rhsoft.net


Am 09.08.2016 um 18:08 schrieb Kevin Golding:

Based on what you're trying to do:

man dig


doesn't help, see below


or depending on your resolver possibly:

man drill


doesn't help, see below


Whilst I agree it is slightly more effort to set-up whitelisting by
looking up the details first it would still be far more resource
efficient on your servers


that doesn't catch the problem that if the MX changes you need to 
permanently watch your "whitelist_from_rcvd" lines and maintain them


his point is pretty sure that he wants to be able to rely on the sender's 
DNS like whitelisting by DKIM or SPF does


given the amount of DNS records in summary (RBL, URIBL, DKIM, SPF) that 
single one is not a topic for "more resource efficient" and in any case 
outweighs the maintenance burden of "whitelist_from_rcvd" lines


Re: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread li...@rhsoft.net



Am 09.08.2016 um 17:39 schrieb RW:

On Tue, 9 Aug 2016 15:19:08 +
Nicola Piazzi top-posted:


I dont know if you want to find a solution of if you want to say why
i am searching one. Reason is this :
I have SPF_PASS, a variable that tell me that who send is proprietary
of that domain I KNOW PERFECTLY THAT SOMEONE CAN TELL SPAM WITH A
PURCHASED REGULAR NON SPOOFED DOMAIN But I can combine SPF_PASS with
a list of email address, for example, but not all put SPF in dns, so
with MX I have another chance


I'm confused now because "combine SPF_PASS with a list of email
address" sounds like whitelisting, which is something you implied you
didn't want to do when whitelist_from_rcvd was mentioned


the hostname of the sending machine may change - the fact that it's the 
MX is likely more stable even when the ISP gets changed - in case an IP 
has more than one PTR (happens often) or becomes a second one you need 
to whitelist all of them - the question "is this ip listed as MX" stays 
stable