Re: RelayCountry Config

2009-08-10 Thread LuKreme

On 7-Aug-2009, at 11:20, Charles Gregory wrote:

Okay, so now I'm curious. What *IS* that chunk of code?


If you compile it and run it you will see that the putchar() prints  
out his email address.


--
When the routine bites hard / and ambitions are low
And the resentment rides high / but emotions won't grow
And we're changing our ways, / taking different roads
Then love, love will tear us apart again



Re: RelayCountry Config

2009-08-07 Thread RW
On Fri, 7 Aug 2009 00:46:46 -0400
MySQL Student mysqlstud...@gmail.com wrote:

> Hi,
>
> > I find ordinary header and meta rules are all I need:
> >
> > http://pastebin.com/f5e5232d1
>
> Among those rules you have:
>
> meta RELAYCOUNTRY_MED   ! RELAYCOUNTRY_HIGH && (
> __RELAYCOUNTRY_AF || __RELAYCOUNTRY_AS || __RELAYCOUNTRY_EU_S ||
> __RELAYCOUNTRY_OC_S || __RELAYCOUNTRY_AM_S )
>
> It's probably hard to read, but doesn't this exclude the US?
> RELAYCOUNTRY_AM_S are all the Americas except US and CA. If I
> understand correctly, this says NOT RELAYCOUNTRY_HIGH and all
> countries except US and CA, which means that RELAYCOUNTRY_MED would
> trigger on all US and CA relays.

! A && B  = (! A) && B



Re: RelayCountry Config

2009-08-07 Thread Karsten Bräckelmann
  char 
  *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
  main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? 
  c=1:
  (c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; 
  }}}
 
 How did you get line noise from your modem to look so much like perl code? :-)

The trick is, to catch a chunk that actually is valid C code. ;)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: [sa] Re: RelayCountry Config

2009-08-07 Thread Charles Gregory

On Fri, 7 Aug 2009, Karsten Bräckelmann wrote:

char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

How did you get line noise from your modem to look so much like perl code? :-)

The trick is, to catch a chunk that actually is valid C code. ;)


Okay, so now I'm curious. What *IS* that chunk of code?

- C

OT: Signatures and C code that doesn't look like Perl (was: RelayCountry Config)

2009-08-07 Thread Karsten Bräckelmann
On Fri, 2009-08-07 at 13:20 -0400, Charles Gregory wrote:

char 
*t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? 
c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ 
putchar(t[s]);h=m;s=0; }}}
   
   How did you get line noise from your modem to look so much like perl 
   code? :-)
  
  The trick is, to catch a chunk that actually is valid C code. ;)
 
 Okay, so now I'm curious. What *IS* that chunk of code?

It is my signature. ;-)

More seriously, it is some obfuscated C code I wrote way back for fun.
Compiles cleanly. It implements a well-known algorithm, though quite
bare-bones with some constraints.

I won't mention the algorithm's name, though, not in public. Spoils the
fun for those who like puzzles. ;)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: [sa] Re: RelayCountry Config

2009-08-07 Thread Martin Gregorie
On Fri, 2009-08-07 at 13:20 -0400, Charles Gregory wrote:
 On Fri, 7 Aug 2009, Karsten Bräckelmann wrote:
  char 
  *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
  main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? 
  c=1:
  (c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; 
  }}}
  How did you get line noise from your modem to look so much like perl code? 
  :-)
  The trick is, to catch a chunk that actually is valid C code. ;)
 
 Okay, so now I'm curious. What *IS* that chunk of code?
 
Compile and run it - it's quite safe, just obfuscated.

Martin




RelayCountry Config

2009-08-06 Thread MySQL Student
Hi,

I'm trying to configure RelayCountry. I have it installed, and SA recognizes it:

# spamassassin --lint -D 2>&1 | grep -i country
[4278] dbg: diag: module installed: IP::Country::Fast, version 604.001
[4278] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC
[4278] dbg: plugin:
Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x8fb9648) implements
'extract_metadata', priority 0
[4278] dbg: plugin:
Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x8fb9648) implements
'parsed_metadata', priority 0

I've loaded the plugin, and add_header according to the wiki page:

add_header all Relay-Country _RELAYCOUNTRY_
loadplugin Mail::SpamAssassin::Plugin::RelayCountry

I can create rules for each country I'd like to identify, and that
successfully adds it to the header:

header   RELAYCOUNTRY_RU X-Relay-Countries =~ /RU/
describe RELAYCOUNTRY_RU Relayed through Russian Federation
score    RELAYCOUNTRY_RU 2.0

I was hoping to also have the X-Spam-Countries header added, but that
doesn't seem to work. I'm using v3.2.5, so it has the
RelayCountries.pm patch to add that support. What am I missing?

Somewhat of a basic question, but once I do manage to get that header
working, I know I can parse that and make decisions based on it. Are
there any pre-written perl routines or utilities that can make that
information useful?

Also, I believe I read it adds bayes metadata to the email. Is that
just through the additional headers or is it supposed to add something
else?

Thanks,
Alex


Re: RelayCountry Config

2009-08-06 Thread RW
On Thu, 6 Aug 2009 16:38:53 -0400
MySQL Student mysqlstud...@gmail.com wrote:


> add_header all Relay-Country _RELAYCOUNTRY_
> ...
> I was hoping to also have the X-Spam-Countries header added, but that
> doesn't seem to work.

I don't know if it makes a difference, but I call it Relay-Countries to
match the name of the pseudo-header used in the tests

add_header all Relay-Countries  _RELAYCOUNTRY_


> Somewhat of a basic question, but once I do manage to get that header
> working, I know I can parse that and make decisions based on it. Are
> there any pre-written perl routines or utilities that can make that
> information useful?

I find ordinary header and meta rules are all I need:

http://pastebin.com/f5e5232d1

 
> Also, I believe I read it adds bayes metadata to the email. Is that
> just through the additional headers

Just the header (whether or not it's displayed).


Re: RelayCountry Config

2009-08-06 Thread Chris
On Thu, 2009-08-06 at 22:34 +0100, RW wrote:

> > Somewhat of a basic question, but once I do manage to get that header
> > working, I know I can parse that and make decisions based on it. Are
> > there any pre-written perl routines or utilities that can make that
> > information useful?
>
> I find ordinary header and meta rules are all I need:
>
> http://pastebin.com/f5e5232d1
>
> > Also, I believe I read it adds bayes metadata to the email. Is that
> > just through the additional headers
>
> Just the header (whether or not it's displayed).

Here are the rules I use:

http://pastebin.com/m1678caf1

They were posted here on the list quite awhile back by whom I can't
remember.


-- 
KeyID 0xE372A7DA98E6705C





Re: RelayCountry Config

2009-08-06 Thread MySQL Student
Hi,

> I don't know if it makes a difference, but I call it Relay-Countries to
> match the name of the pseudo-header used in the tests
>
> add_header all Relay-Countries          _RELAYCOUNTRY_

It doesn't appear to make a difference. I must be doing something else
wrong. Using spamassassin --lint -D 2>&1 | less shows the
X-Relay-Countries header, but it's null:

# spamassassin --lint -D 2>&1 | egrep -i 'relay|country|countries'

[23760] dbg: diag: module installed: IP::Country::Fast, version 604.001
[23760] dbg: config: read file /etc/mail/spamassassin/70_relay_country.cf
[23760] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC
[23760] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayEval from @INC
[23760] dbg: Botnet: adding (\b|\d)relay(\b|\d) to botnet_serverwords
[23760] dbg: Botnet: adding (\b|\d)relay(\b|\d) to botnet_serverwords
[23760] dbg: metadata: X-Spam-Relays-Trusted:
[23760] dbg: metadata: X-Spam-Relays-Untrusted:
[23760] dbg: metadata: X-Spam-Relays-Internal:
[23760] dbg: metadata: X-Spam-Relays-External:
[23760] dbg: plugin:
Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x8fb9698) implements
'extract_metadata', priority 0
[23760] dbg: metadata: X-Relay-Countries:
[23760] dbg: plugin:
Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x8fb9698) implements
'parsed_metadata', priority 0
[23760] dbg: rules: ran eval rule NO_RELAYS == got hit (1)
[23760] dbg: Botnet: no trusted relays
[23760] dbg: check:
tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,RELAYCOUNTRY_LOW

I've added your rules in 70_relay_country.cf, and they trigger in the
tests=, but the header isn't added.

I've added the add_header in init.pre, above the loadplugin line as
well as adding it in local.cf when it didn't work in init.pre.

I've also checked email that has actually been tagged by these rules,
and not just from a -D run, and it's not there either.

Thanks again,
Alex


Re: RelayCountry Config

2009-08-06 Thread Matt Kettler
MySQL Student wrote:
> Hi,
>
> > I don't know if it makes a difference, but I call it Relay-Countries to
> > match the name of the pseudo-header used in the tests
> >
> > add_header all Relay-Countries  _RELAYCOUNTRY_
>
> It doesn't appear to make a difference. I must be doing something else
> wrong. Using spamassassin --lint -D 2>&1 | less shows the
> X-Relay-Countries header, but it's null:
>
> # spamassassin --lint -D 2>&1 | egrep -i 'relay|country|countries'

<snip>
> [23760] dbg: metadata: X-Spam-Relays-Trusted:
> [23760] dbg: metadata: X-Spam-Relays-Untrusted:
> [23760] dbg: metadata: X-Spam-Relays-Internal:
> [23760] dbg: metadata: X-Spam-Relays-External:

<snip>
> [23760] dbg: metadata: X-Relay-Countries:
   
The --lint test is *NOT* valid for this. --lint is *ONLY* to verify your
config files are parseable.

The lint test uses a dummy message that has no Received: headers in it.
This prevents --lint from wasting time doing RBL lookups, etc, which
speeds up the lint run. This is valid because --lint is not intended to
be a comprehensive test of the system, it's intended to check if your
rulefiles are readable.

Since the lint dummy mode has no Received: headers, it hasn't been
anywhere, so it's been in no countries.

Try again with a real message with real headers, and try to remember
that --lint is not a general-purpose test.
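
The check described above, run against a real message instead of the --lint dummy, as an added example that is not part of the original thread. The function names, the sample debug lines and the message path are assumptions made for illustration; only the "metadata: X-Relay-Countries:" debug line format is taken from the output quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): read SpamAssassin debug output and
# report what the RelayCountry plugin extracted for a message.

# Print the value of the "metadata: X-Relay-Countries:" debug line read
# from stdin. Exit status 1 if the line is absent or its value is empty
# (the situation the --lint dummy message produces).
relay_countries() {
    awk '
        /dbg: metadata: X-Relay-Countries:/ {
            sub(/^.*X-Relay-Countries:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            value = $0
            found = 1
        }
        END {
            if (found && value != "") { print value; exit 0 }
            exit 1
        }'
}

# Constructed sample debug lines. The first is the empty result from the
# --lint run quoted above; the second is a made-up populated result
# (PID and country codes are invented for the example).
LINT_DEBUG='[23760] dbg: metadata: X-Relay-Countries:'
REAL_DEBUG='[4242] dbg: metadata: X-Relay-Countries: RU DE'

# Run a saved message (with its real Received: headers) through
# SpamAssassin in test mode and report the extracted countries.
# $1 is the path to the saved message; debug output goes to stderr,
# hence the 2>&1.
check_message() {
    if countries=$(spamassassin -D -t < "$1" 2>&1 | relay_countries); then
        echo "relay countries: $countries"
    else
        echo "no relay countries found (no usable Received: headers?)"
        return 1
    fi
}

# Offline demonstration on the constructed lines:
printf '%s\n' "$REAL_DEBUG" | relay_countries
printf '%s\n' "$LINT_DEBUG" | relay_countries || echo "empty, as in the --lint run"
# With SpamAssassin installed: check_message /path/to/saved-message
```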





Re: RelayCountry Config

2009-08-06 Thread MySQL Student
Hi,

> > [23760] dbg: metadata: X-Relay-Countries:
>
> The --lint test is *NOT* valid for this. --lint is *ONLY* to verify your
> config files are parseable.

Yes, thanks, I should have known that, and I think I did. I mentioned
in the previous post that I tried it with a real message, and even
viewed a number already in quarantine, and the same result.

I found this message on nabble:

http://www.nabble.com/Question-about-RelayCountry-td18309349.html#a18339974

Same problem, back in '08, with no resolution. I even downgraded to the
IP::Fast released in Jan 09, and no difference.

Could this be a problem with one of the modules, or is this most
likely a configuration issue?

What I don't understand is that it knows which country it's relayed
through, because it prints the rules in the tests= section:

X-Spam-Status: Yes, hits=21.8 tag1=-300.0 tag2=4.9 kill=4.9
 use_bayes=1 tests=BAYES_50, BODY_ENHANCEMENT, BOTNET,
FH_HELO_EQ_D_D_D_D, RDNS_NONE,  RELAYCOUNTRY_UK, SARE_ADULT2,
SARE_RECV_IP_FROMIP3, URIBL_AB_SURBL, URIBL_BLACK, []

Curiously, why doesn't it print them each in a column with
description, instead of all together?

Thanks,
Alex


Re: RelayCountry Config

2009-08-06 Thread Karsten Bräckelmann
> What I don't understand is that it knows which country it's relayed
> through, because it prints the rules in the tests= section:
>
> X-Spam-Status: Yes, hits=21.8 tag1=-300.0 tag2=4.9 kill=4.9
>  use_bayes=1 tests=BAYES_50, BODY_ENHANCEMENT, BOTNET,
> FH_HELO_EQ_D_D_D_D, RDNS_NONE,  RELAYCOUNTRY_UK, SARE_ADULT2,
> SARE_RECV_IP_FROMIP3, URIBL_AB_SURBL, URIBL_BLACK, []

You are using Amavis. This is not a SA header, but an Amavis header, I
believe. Amavis adds its own headers. If you want more SA headers being
preserved, go check the Amavis docs.

This is also why the plugin works and you do get the per-country rule
hits, but don't get the SA Relay-Countries header.


> Curiously, why doesn't it print them each in a column with
> description, instead of all together?

Cause this is the Status header. The (SA) Report headers would also
report the descriptions. Just as above, if you want more or other
headers, checking your Amavis conf is what you need.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: RelayCountry Config

2009-08-06 Thread MySQL Student
Hi,

> This is also why the plugin works and you do get the per-country rule
> hits, but don't get the SA Relay-Countries header.

Yes, you are correct. Thanks for the lead and the explanation. Here's
a thread that talks about how to add the header for amavisd:

http://www.mail-archive.com/amavis-u...@lists.sourceforge.net/msg12416.html

I'm not sure it's really necessary after all, though, because the
rules work without it, and it still doesn't print the header in
quarantined mail.

> char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
> (c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

How did you get line noise from your modem to look so much like perl code? :-)

Thanks,
Alex


Re: RelayCountry Config

2009-08-06 Thread Luis Daniel Lucio Quiroz
On Thursday 6 August 2009 21:55:33, Karsten Bräckelmann wrote:
> > What I don't understand is that it knows which country it's relayed
> > through, because it prints the rules in the tests= section:
> >
> > X-Spam-Status: Yes, hits=21.8 tag1=-300.0 tag2=4.9 kill=4.9
> >  use_bayes=1 tests=BAYES_50, BODY_ENHANCEMENT, BOTNET,
> > FH_HELO_EQ_D_D_D_D, RDNS_NONE,  RELAYCOUNTRY_UK, SARE_ADULT2,
> > SARE_RECV_IP_FROMIP3, URIBL_AB_SURBL, URIBL_BLACK, []
>
> You are using Amavis. This is not a SA header, but an Amavis header, I
> believe. Amavis adds its own headers. If you want more SA headers being
> preserved, go check the Amavis docs.
>
> This is also why the plugin works and you do get the per-country rule
> hits, but don't get the SA Relay-Countries header.
>
> > Curiously, why doesn't it print them each in a column with
> > description, instead of all together?
>
> Cause this is the Status header. The (SA) Report headers would also
> report the descriptions. Just as above, if you want more or other
> headers, checking your Amavis conf is what you need.

You should use
amavisd debug-sa  to review if there is a rule hit


Re: RelayCountry Config

2009-08-06 Thread MySQL Student
Hi,

> I find ordinary header and meta rules are all I need:
>
> http://pastebin.com/f5e5232d1

Among those rules you have:

meta RELAYCOUNTRY_MED   ! RELAYCOUNTRY_HIGH && (
__RELAYCOUNTRY_AF || __RELAYCOUNTRY_AS || __RELAYCOUNTRY_EU_S ||
__RELAYCOUNTRY_OC_S || __RELAYCOUNTRY_AM_S )

It's probably hard to read, but doesn't this exclude the US?
RELAYCOUNTRY_AM_S are all the Americas except US and CA. If I
understand correctly, this says NOT RELAYCOUNTRY_HIGH and all
countries except US and CA, which means that RELAYCOUNTRY_MED would
trigger on all US and CA relays.

Thanks,
Alex