Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-24 Thread Sean Greenslade
On September 24, 2016 6:12:10 AM EDT, Thomas Barth  wrote:
>Instead of URIBL_BLOCKED=0.001 I see URIBL_ABUSE_SURBL=1.948, 
>URIBL_BLACK=1.7
>
>It's still not ok, is it?

That means it is working as intended, and your message has triggered hits on 
two separate blacklists.

--Sean




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-24 Thread Thomas Barth

Hello

On 23.09.2016 at 22:10, Lindsay Haisley wrote:

> On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
>> As much as I love BIND (no, seriously, I do) it's very hard to recommend
>> it as the first choice for a simple recursive resolver.
>
> Setting up bind as a "simple recursive resolver" is simplicity itself.
>
> acl goodclients {
> 1.2.3.0/24;
> 4.5.6.0/24;
> 127.0.0.1;
> etc
> };
>
> options {
> ..
>
> recursion yes;
> allow-query { goodclients; };
>
> etc...
> };



I did it this way as I found it in someone's blog to configure a caching 
DNS server for a mail server with bind.


When testing it by "dig google.de @127.0.0.1" the second call gets a 
query time of 0 msec. So bind9 works on my system.


And as described in http://uribl.com/about.shtml#abuse

the results for my mailserver are

host -tA 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com has address 127.0.0.14

host -tA blocked.uribl.com
Host blocked.uribl.com not found: 3(NXDOMAIN)

In one of the last spam mails the x-spam status is

X-Spam-Status: Yes, score=11.663 tag=2 tag2=6.31 kill=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FROM_EXCESS_BASE64=0.105, HTML_IMAGE_ONLY_28=0.726,
HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105,
RAZOR2_CF_RANGE_51_100=0.365, RAZOR2_CF_RANGE_E8_51_100=2.43,
RAZOR2_CHECK=1.729, RCVD_IN_BRBL_LASTEXT=1.644, 
T_REMOTE_IMAGE=0.01,

URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7]


Instead of URIBL_BLOCKED=0.001 I see URIBL_ABUSE_SURBL=1.948, 
URIBL_BLACK=1.7


It's still not ok, is it?
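As an added example (not code from the thread or from SpamAssassin/URIBL), the script below turns the two checks Thomas ran and the X-Spam-Status headers he posted into one resolver diagnosis: it parses the `tests=[...]` list, decodes the bit-encoded `127.0.0.X` answer from `multi.uribl.com`, and reports whether the resolver is refused by URIBL. The bit meanings (1 = refused, 2 = black, 4 = grey, 8 = red), the probe names and the verdict strings are assumptions taken from the thread and URIBL's own page, not from the original post.

```python
"""Added example: diagnose the URIBL_BLOCKED situation from the thread.

The two probes are the ones Thomas ran (from http://uribl.com/about.shtml#abuse):
a lookup of the test point 2.0.0.127.multi.uribl.com (expected 127.0.0.14) and
of blocked.uribl.com (expected NXDOMAIN). The bit meanings below are an
assumption based on URIBL's published return codes.
"""
import re
import socket

# Meaning of the bits in a multi.uribl.com answer 127.0.0.X (assumption; the
# thread shows 127.0.0.14 = 2 + 4 + 8 for the test point).
URIBL_BITS = {1: "refused", 2: "black", 4: "grey", 8: "red"}

TEST_POINT = "2.0.0.127.multi.uribl.com"  # from the thread: expect 127.0.0.14
BLOCKED_PROBE = "blocked.uribl.com"       # from the thread: NXDOMAIN when OK

# Constructed sample headers, copied from the thread: first while forwarding to
# OpenDNS through dnsmasq, then after switching to a local recursive bind9.
HEADER_FORWARDING = """X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no"""

HEADER_RECURSIVE = """X-Spam-Status: Yes, score=11.663 tag=2 tag2=6.31 kill=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
FROM_EXCESS_BASE64=0.105, HTML_IMAGE_ONLY_28=0.726,
HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105,
RAZOR2_CF_RANGE_51_100=0.365, RAZOR2_CF_RANGE_E8_51_100=2.43,
RAZOR2_CHECK=1.729, RCVD_IN_BRBL_LASTEXT=1.644, T_REMOTE_IMAGE=0.01,
URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7]"""


def parse_spam_status(header):
    """Return {rule_name: score} from the tests=[...] part of an X-Spam-Status
    header, joining the folded continuation lines first."""
    flat = " ".join(line.strip() for line in header.splitlines())
    m = re.search(r"tests=\[(.*?)\]", flat)
    if not m:
        return {}
    scores = {}
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        name, _, score = item.partition("=")
        scores[name] = float(score) if score else 0.0
    return scores


def decode_uribl_answer(addr):
    """Map a DNSBL-style A record 127.0.0.X to the list names whose bits are set."""
    octets = addr.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError("not a DNSBL-style answer: %s" % addr)
    value = int(octets[3])
    return [name for bit, name in sorted(URIBL_BITS.items()) if value & bit]


def diagnose(scores, test_point_addr, blocked_addr):
    """Combine the header evidence with the two lookups into one verdict.
    test_point_addr / blocked_addr are the A-record strings returned for
    TEST_POINT / BLOCKED_PROBE, or None when the lookup gave NXDOMAIN."""
    if "URIBL_BLOCKED" in scores:
        return "blocked: SpamAssassin reports URIBL_BLOCKED, the resolver is refused by URIBL"
    if blocked_addr is not None:
        return "blocked: %s resolves (%s), URIBL refuses this resolver" % (BLOCKED_PROBE, blocked_addr)
    if test_point_addr is None:
        return "no answer for the test point; lookups are not reaching URIBL"
    lists = decode_uribl_answer(test_point_addr)
    if "refused" in lists:
        return "blocked: test point answer %s carries the refused bit" % test_point_addr
    uribl_hits = sorted(r for r in scores if r.startswith("URIBL_"))
    return "ok: test point listed on %s; header URIBL hits: %s" % (
        "+".join(lists), ", ".join(uribl_hits) or "none")


def lookup_a(name):
    """A-record lookup through the system resolver; None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_live(header):
    """Run the two URIBL probes from the thread against the system resolver."""
    return diagnose(parse_spam_status(header), lookup_a(TEST_POINT), lookup_a(BLOCKED_PROBE))


if __name__ == "__main__":
    print(check_live(HEADER_RECURSIVE))
```

Run it on the mail server itself, since the verdict is about the resolver that machine uses, not the one on your workstation.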




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> On a more theoretical level, the 
> fact that BIND is able to do virtually anything that anyone would ever 
> want to do with a DNS server means that it is has a broader potential 
> attack surface in itself and is a richer prize if hijacked, either 
> directly or as a consequence of a general system compromise.

Well bind9 seems to show up relatively rarely in CERT bulletins and
pushed upgrades are rare enough to indicate to me that the current
release for my server OS (BIND 9.9.5-3ubuntu0.8-Ubuntu (Extended
Support Version)), which has been stable for 6 months, is pretty solid.
Exploit exposure is only as extensive with a package of this sort as
what one makes it to be. Both Canonical and ISC, the upstream
maintainer, are fastidious about security, but it's always possible,
through ignorance or carelessness, to make secure software insecure
through misconfiguration. Setting stock bind9 up as a simple recursive
name server is a no-brainer, however, as I noted.

I'd be very happy to hear about exploits of bind9 set up with simple
configuration as a recursive name server, with a proper acl. I keep my
ear to the ground and haven't heard of such. 

FWIW, I'm far less impressed with the general level of system
administration knowledge on this SA forum than I am with the apparent
knowledge of people whose postings and offerings elsewhere on the
Internet re. subjects such as named have been vetted and reviewed by
competent peers, as is the way of the world with open source software.

-- 
Lindsay Haisley   | "The first casualty when
FMP Computer Services | war comes is truth."
512-259-1190  |
http://www.fmp.com| -- Hiram W Johnson




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:
> 
> > 
> > On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> > > 
> > > As much as I love BIND (no, seriously, I do) it's very hard to 
> > > recommend 
> > > it as the first choice for a simple recursive resolver.
> > Setting up bind as a "simple recursive resolver" is simplicity itself.
> Simplicity is generally a subjective, relative quality.
> 
> Start Unbound with literally no explicit configuration and you get a 
> working, safe, reasonably-configured resolver for localhost: the simple 
> sort of resolver that a plurality of freestanding mail servers should 
> have, perfect as a fix for the mistake of using dnsmasq locally. It's 
> very hard to typo a config that doesn't exist.
> 
> > 
> > acl goodclients {
> > 1.2.3.0/24;
> >     4.5.6.0/24;
> >     127.0.0.1;
> >     etc
> > };
> > 
> > options {
> >         ..
> > 
> > recursion yes;
> > allow-query { goodclients; };
> > 
> >         etc...
> > };
> That's more than most mail server resolvers need and the real devil is 
> in what could be in those ellipses...

The lines represented by ellipses are what's in the stock
/etc/bin/named.conf.options file and aren't relevant to the issue of
setting up a recursive DNS server.  Check out the URL I sent, or the
standard bind config on Debian or Ubuntu Server.

> Almost every week on this list you can see examples of people who are 
> nominally and operationally sysadmins who have followed poor config 
> advice found in dubious corners of the net or even on stale pages of the 
> SA wiki, and the same class of error is a big risk of using BIND because 
> of its age and breadth of capability. On a more theoretical level, the 
> fact that BIND is able to do virtually anything that anyone would ever 
> want to do with a DNS server means that it is has a broader potential 
> attack surface in itself and is a richer prize if hijacked, either 
> directly or as a consequence of a general system compromise.

Well, these few config options for bind9 work fine for me :) And they
always have. I've never had a problem.

This ain't rocket science, as they say, and there's plenty of
documentation out there. I'm not scared of bind configuration. I know
how to make bind9 stand up and make pancakes for breakfast ;)

-- 
Lindsay Haisley   | "The only unchanging certainty
FMP Computer Services |is the certainty of change"
512-259-1190  |
http://www.fmp.com| - Ancient wisdom, all cultures




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Bill Cole
On 23 Sep 2016, at 16:18, Greg Troxel wrote:

> "Bill Cole"  writes:
>
>> On 22 Sep 2016, at 23:24, John Hardin wrote:
>>
>>> As far as I understand it, dnsmasq cannot be used for local
>>> recursion; it's purely a lightweight local DNS cache layer.
>>
>> Your understanding is correct; dnsmasq is unfit for service as a
>> resolver for a mail server because it cannot perform recursion, it
>> only does forwarding to other real DNS servers.
>
> True, but I don't see harm in forwarding queries to a local recursive
> server that is used only by one's own group of machines.

Sure, although 'local' is important for performance reasons. I've done similar 
things (with Solaris' nscd as a local cache as well as dnsmasq) to give MTA 
farms access to a unified cache on a shared recursive resolver, which can be a 
worthwhile tactic for performance.

> The problems
> all appear to be from forwarding queries to resolvers run by one's ISP
> or worse the google public ones.

For DNSBL volume blocking discussed here, that's always been the case as far as 
I've seen. However, as receiving systems scale up, a local recursive resolver 
on each MTA eventually doesn't save them from being blocked, it puts them at 
slightly more risk compared to using a shared local server providing a unified 
cache (as above.) Such a server also is the ideal place to host the local 
copies of the DNSBL zones one buys from their various providers (because that's 
the RIGHT thing to do when you REALLY have the volume to justify blockage...)



Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Bill Cole

On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:

> On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
>> As much as I love BIND (no, seriously, I do) it's very hard to
>> recommend it as the first choice for a simple recursive resolver.
>
> Setting up bind as a "simple recursive resolver" is simplicity itself.

Simplicity is generally a subjective, relative quality.

Start Unbound with literally no explicit configuration and you get a 
working, safe, reasonably-configured resolver for localhost: the simple 
sort of resolver that a plurality of freestanding mail servers should 
have, perfect as a fix for the mistake of using dnsmasq locally. It's 
very hard to typo a config that doesn't exist.

> acl goodclients {
> 1.2.3.0/24;
>     4.5.6.0/24;
>     127.0.0.1;
>     etc
> };
>
> options {
>         ..
>
> recursion yes;
> allow-query { goodclients; };
>
>         etc...
> };

That's more than most mail server resolvers need and the real devil is 
in what could be in those ellipses...

Almost every week on this list you can see examples of people who are 
nominally and operationally sysadmins who have followed poor config 
advice found in dubious corners of the net or even on stale pages of the 
SA wiki, and the same class of error is a big risk of using BIND because 
of its age and breadth of capability. On a more theoretical level, the 
fact that BIND is able to do virtually anything that anyone would ever 
want to do with a DNS server means that it has a broader potential 
attack surface in itself and is a richer prize if hijacked, either 
directly or as a consequence of a general system compromise.

In short: BIND offers more paths to more high-risk and failure modes 
than Unbound, probably more than any other DNS server.

That's not a general indictment of BIND, which I use myself on many 
systems where it's needed or is a properly configured incumbent on a 
stable system.


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread John Hardin

On Fri, 23 Sep 2016, Greg Troxel wrote:

> "Bill Cole"  writes:
>
>> On 22 Sep 2016, at 23:24, John Hardin wrote:
>>
>>> As far as I understand it, dnsmasq cannot be used for local
>>> recursion; it's purely a lightweight local DNS cache layer.
>>
>> Your understanding is correct; dnsmasq is unfit for service as a
>> resolver for a mail server because it cannot perform recursion, it
>> only does forwarding to other real DNS servers.
>
> True, but I don't see harm in forwarding queries to a local recursive
> server that is used only by one's own group of machines.   The problems
> all appear to be from forwarding queries to resolvers run by one's ISP
> or worse the google public ones.

For that use case yes, dnsmasq would be appropriate.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You know things are bad when Pravda says we [the USA] have gone
  too far to the left. -- Joe Huffman
---
 276 days since the first successful real return to launch site (SpaceX)


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Greg Troxel

"Bill Cole"  writes:

> On 22 Sep 2016, at 23:24, John Hardin wrote:
>
>> As far as I understand it, dnsmasq cannot be used for local
>> recursion; it's purely a lightweight local DNS cache layer.
>
> Your understanding is correct; dnsmasq is unfit for service as a
> resolver for a mail server because it cannot perform recursion, it
> only does forwarding to other real DNS servers.

True, but I don't see harm in forwarding queries to a local recursive
server that is used only by one's own group of machines.   The problems
all appear to be from forwarding queries to resolvers run by one's ISP
or worse the google public ones.




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> As much as I love BIND (no, seriously, I do) it's very hard to recommend 
> it as the first choice for a simple recursive resolver.

Setting up bind as a "simple recursive resolver" is simplicity itself.

acl goodclients {
1.2.3.0/24;
    4.5.6.0/24;
    127.0.0.1;
    etc
};

options {
        ..

recursion yes;
allow-query { goodclients; };

        etc...
};

-- 
Lindsay Haisley   | "The first casualty when
FMP Computer Services | war comes is truth."
512-259-1190  |
http://www.fmp.com| -- Hiram W Johnson



Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Bill Cole

On 22 Sep 2016, at 23:24, John Hardin wrote:

> As far as I understand it, dnsmasq cannot be used for local recursion; 
> it's purely a lightweight local DNS cache layer.

Your understanding is correct; dnsmasq is unfit for service as a 
resolver for a mail server because it cannot perform recursion, it only 
does forwarding to other real DNS servers.

> You may have to install the full BIND package and tell it to not 
> forward.

As much as I love BIND (no, seriously, I do) it's very hard to recommend 
it as the first choice for a simple recursive resolver. Unbound does 
that just fine and doesn't come with BIND's baggage of trying to be the 
reference implementation of all subtypes of DNS server all at once. 
Anyone who thought they were doing just fine with dnsmasq can actually 
do anything they'll need with Unbound, and it is harder to get wrong 
than BIND.


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net



On 23.09.2016 at 20:30, John Hardin wrote:
> On Fri, 23 Sep 2016, li...@rhsoft.net wrote:
>
>> On 23.09.2016 at 05:24, John Hardin wrote:
>>> On Thu, 22 Sep 2016, Thomas Barth wrote:
>>>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>>>> URIBL_BLOCKED shows you are still using a dns-forwarder and so won't
>>>>> get results from a lot of blacklists
>>>>>
>>>>> fix that - use a local caching resolver with *no forwarding* and
>>>>> if you are using dnsmasq just don't do that for an inbound
>>>>> mailserver
>>>>
>>>> I found an instruction here for a debian system
>>>>
>>>> https://manageacloud.com/configuration/local_dns_caching
>>>>
>>>> Seems to work local dns caching but I don't understand why I shouldn't
>>>> use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
>>>
>>> Lists shouldn't have said "caching", that confuses the issue. Caching
>>> and recursion are two different, unrelated pieces.
>>
>> seriously?
>
> Yes. I have found that when providing advice, if you provide extraneous
> details quite often people will focus on them rather than the important
> points.

hence the bold *no forwarding*

>> "with *no forwarding*" is not clear enough that one comes two days
>> later with a dnsmasq setup using opendns as forwarders where in fact i
>> said explicitly
>
> If they focused on "use a local caching resolver", sure. Obviously

sorry, but zero understanding

if someone is smart enough to know what to do the problem would not 
exist at all - if someone thinks he is so smart that he can stop reading 
in the middle of a single sentence without trying to understand it's a 
clear case of "damned don't manage any server connected to the internet"

AT LEAST when it still does not work by doing something random i expect 
someone to step back and *read the whole fucking sentence* before writing a 
new mail "did this and that but still don't work"


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread John Hardin

On Fri, 23 Sep 2016, li...@rhsoft.net wrote:

> On 23.09.2016 at 05:24, John Hardin wrote:
>> On Thu, 22 Sep 2016, Thomas Barth wrote:
>>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>>> URIBL_BLOCKED shows you are still using a dns-forwarder and so won't
>>>> get results from a lot of blacklists
>>>>
>>>> fix that - use a local caching resolver with *no forwarding* and 
>>>> if you are using dnsmasq just don't do that for an inbound 
>>>> mailserver
>>>
>>> I found an instruction here for a debian system
>>>
>>> https://manageacloud.com/configuration/local_dns_caching
>>>
>>> Seems to work local dns caching but I don't understand why I shouldn't
>>> use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
>>
>> Lists shouldn't have said "caching", that confuses the issue. Caching
>> and recursion are two different, unrelated pieces.
>
> seriously?

Yes. I have found that when providing advice, if you provide extraneous 
details quite often people will focus on them rather than the important 
points.

> "with *no forwarding*" is not clear enough that one comes two days later with 
> a dnsmasq setup using opendns as forwarders where in fact i said explicitly

If they focused on "use a local caching resolver", sure. Obviously.

>> As far as I understand it, dnsmasq cannot be used for local recursion
>
> yes, and hence in my original mail you are partly quoting i stated don't use 
> that crap, see above

It may need to be restated in a different way to actually be understood.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  One death is a tragedy; thirty is a media sensation;
  a million is a statistic.  -- Joseph Stalin, modernized
---
 276 days since the first successful real return to launch site (SpaceX)


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Thomas Barth



On 23.09.2016 at 10:47, li...@rhsoft.net wrote:
> that was one single line containing:
> * don't use dns forwarding
> * don't use dnsmasq (because it can only do forwarding)

DNS-Resolver with Bind9 is configured now and nameserver is 127.0.0.1. 
No URIBL_BLOCKED=0.001 in Spam-Status anymore.


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net



On 23.09.2016 at 10:43, Thomas Barth wrote:
> On 23.09.2016 at 10:25, li...@rhsoft.net wrote:
>> On 22.09.2016 at 21:58, Bowie Bailey wrote:
>>> On 9/22/2016 3:40 PM, Thomas Barth wrote:
>>>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>>>> fix that - use a local caching resolver with *no forwarding* and if
>>>>> you are using dnsmasq just don't do that for an inbound mailserver
>>
>> for me that topic is finished - sorry but it needs to be said clear: you
>> are not capable to run a mailserver because you are even not capable to
>> read what you quote
>
> mimimi

instead of making sarcastic comments better explain what exactly did you 
not understand in "use a local caching resolver with *no forwarding* and 
if you are using dnsmasq just don't do that for an inbound mailserver" 
that you have nothing better to do than setup dnsmasq with 4 forwarders 
followed by complaining "now i have done that but URIBL_BLOCKED is still there"

that was one single line containing:
* don't use dns forwarding
* don't use dnsmasq (because it can only do forwarding)



Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Thomas Barth



On 23.09.2016 at 10:25, li...@rhsoft.net wrote:
> On 22.09.2016 at 21:58, Bowie Bailey wrote:
>> On 9/22/2016 3:40 PM, Thomas Barth wrote:
>>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>>> fix that - use a local caching resolver with *no forwarding* and if you
>>>> are using dnsmasq just don't do that for an inbound mailserver
>
> for me that topic is finished - sorry but it needs to be said clear: you
> are not capable to run a mailserver because you are even not capable to
> read what you quote

mimimi




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net



On 22.09.2016 at 21:58, Bowie Bailey wrote:
> On 9/22/2016 3:40 PM, Thomas Barth wrote:
>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>> fix that - use a local caching resolver with *no forwarding* and if you
>>> are using dnsmasq just don't do that for an inbound mailserver

for me that topic is finished - sorry but it needs to be said clear: you 
are not capable to run a mailserver because you are even not capable to 
read what you quote

i said don't use dnsmasq for that task because i know that it can only 
do forwarding - i said don't use any forwarding - what are you doing days 
later: seek the first best howto explaining you how to install dnsmasq 
and blow 4 forwarders in the configuration which is the opposite of 
what you have been told

and i had a reason saying *no forwarding* instead of talking about 
dns-recursion because i am out of energy trying to explain the next 3 
days what is recursion and seek links and docs to make a dns basic 
education which is your homework before you start to setup servers

>> I found an instruction here for a debian system
>>
>> https://manageacloud.com/configuration/local_dns_caching
>>
>> /etc/resolv.conf
>> nameserver 127.0.0.1
>>
>> /etc/resolv.dnsmasq
>> nameserver 208.67.222.222
>> nameserver 208.67.220.220
>> nameserver 208.67.222.220
>> nameserver 208.67.220.222
>>
>> /etc/default/dnsmasq
>> DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
>>
>> But it is using dnsmasq for local dns caching. I've configured it, but
>> I still see URIBL_BLOCKED=0.001 in a mail header


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread li...@rhsoft.net



On 23.09.2016 at 05:24, John Hardin wrote:
> On Thu, 22 Sep 2016, Thomas Barth wrote:
>> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>> URIBL_BLOCKED shows you are still using a dns-forwarder and so won't
>>> get results from a lot of blacklists
>>>
>>> fix that - use a local caching resolver with *no forwarding* and if you
>>> are using dnsmasq just don't do that for an inbound mailserver
>>
>> I found an instruction here for a debian system
>>
>> https://manageacloud.com/configuration/local_dns_caching
>>
>> Seems to work local dns caching but I don't understand why I shouldn't
>> use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
>
> Lists shouldn't have said "caching", that confuses the issue. Caching
> and recursion are two different, unrelated pieces.

seriously?

"with *no forwarding*" is not clear enough that one comes two days later 
with a dnsmasq setup using opendns as forwarders where in fact i said 
explicitly

"fix that - use a local caching resolver with *no forwarding* and if you 
are using dnsmasq just don't do that for an inbound mailserver"

> As far as I understand it, dnsmasq cannot be used for local recursion

yes, and hence in my original mail you are partly quoting i stated don't 
use that crap, see above


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread John Hardin

On Thu, 22 Sep 2016, Thomas Barth wrote:

> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>> URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get
>> results from a lot of blacklists
>>
>> fix that - use a local caching resolver with *no forwarding* and if you
>> are using dnsmasq just don't do that for an inbound mailserver
>
> I found an instruction here for a debian system
>
> https://manageacloud.com/configuration/local_dns_caching
>
> Seems to work local dns caching but I don't understand why I shouldn't use it 
> for inbound mailserver and why I still see URIBL_BLOCKED=0.001

Lists shouldn't have said "caching", that confuses the issue. Caching and 
recursion are two different, unrelated pieces.

Focus on the "recursion" and "no forwarding" parts of that recommendation. 
If you're configuring a non-local DNS server's IP address anywhere in the 
mix (ignoring for the moment the root zones), you're doing it wrong.

As far as I understand it, dnsmasq cannot be used for local recursion; 
it's purely a lightweight local DNS cache layer. That's why Lists said 
don't use it for inbound mail.

You may have to install the full BIND package and tell it to not forward.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  A government is a lot like a gun: It's always loaded,
  and it's stupid and dangerous to point it at anything
  you don't intend to hurt. -- GOF at TSM
---
 275 days since the first successful real return to launch site (SpaceX)


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 21:40, Thomas Barth wrote:
>> URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get
>> results from a lot of blacklists
>>
>> http://uribl.com/refused.shtml
>>
>> fix that - use a local caching resolver with *no forwarding* and if you
>> are using dnsmasq just don't do that for an inbound mailserver
>
> I found an instruction here for a debian system
>
> https://manageacloud.com/configuration/local_dns_caching
>
> /etc/resolv.conf
> nameserver 127.0.0.1
>
> /etc/resolv.dnsmasq
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> nameserver 208.67.222.220
> nameserver 208.67.220.222
>
> /etc/default/dnsmasq
> DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
>
> But it is using dnsmasq for local dns caching. I've configured it, but I
> still see URIBL_BLOCKED=0.001 in a mail header

because it is nonsense

the point is not that you use 127.0.0.1 as dns server - the point is 
that *nobody else* is using that dns server - i doubt that you are the 
only person on this planet using the 208.67.xx.xx opendns servers

frankly - get the basics!


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Bowie Bailey

On 9/22/2016 3:40 PM, Thomas Barth wrote:
> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>> On 21.09.2016 at 15:48, Thomas Barth wrote:
>>> X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
>>> tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
>>> RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
>>> autolearn=no autolearn_force=no
>>
>> URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get
>> results from a lot of blacklists
>>
>> http://uribl.com/refused.shtml
>>
>> fix that - use a local caching resolver with *no forwarding* and if you
>> are using dnsmasq just don't do that for an inbound mailserver
>
> I found an instruction here for a debian system
>
> https://manageacloud.com/configuration/local_dns_caching
>
> /etc/resolv.conf
> nameserver 127.0.0.1
>
> /etc/resolv.dnsmasq
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> nameserver 208.67.222.220
> nameserver 208.67.220.222
>
> /etc/default/dnsmasq
> DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
>
> But it is using dnsmasq for local dns caching. I've configured it, but 
> I still see URIBL_BLOCKED=0.001 in a mail header.
>
> with local caching it's a bit faster
> # for i in {1..100}; do time dig slashdot.org @localhost; done 2>&1 | 
> grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
>
> 0.0076
>
> # for i in {1..100}; do time dig slashdot.org; done 2>&1 | grep ^real 
> | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
>
> 0.00962
>
> Seems to work local dns caching but I don't understand why I shouldn't 
> use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001

Because you are forwarding your DNS to OpenDNS (208.67.222.222, etc).  
You need to setup a DNS that does not do forwarding.  I'm not sure 
dnsmasq can be configured this way.

If you remove dnsmasq and install bind, it will probably do what you 
want without any further configuration.  To make sure, you can take a 
look at the main bind config file (/etc/named.conf on CentOS -- I don't 
know if it is different with Debian) and make sure there are no 
"forwarders" statements.


--
Bowie


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Thomas Barth



Am 21.09.2016 um 16:13 schrieb li...@rhsoft.net:



Am 21.09.2016 um 15:48 schrieb Thomas Barth:

X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no


URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get
results from a lot of blacklists

http://uribl.com/refused.shtml

fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for a inbound mailserver



I found an instruction here for a debian system

https://manageacloud.com/configuration/local_dns_caching

/etc/resolv.conf
nameserver 127.0.0.1

/etc/resolv.dnsmasq
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 208.67.222.220
nameserver 208.67.220.222

/etc/default/dnsmasq
DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"


But it is using dnsmasq for local dns caching. I ve configured it, but I 
still see URIBL_BLOCKED=0.001 in a mail header.


with local caching it s a bit faster
# for i in {1..100}; do time dig slashdot.org @localhost; done 2>&1 | 
grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'

0.0076


# for i in {1..100}; do time dig slashdot.org; done 2>&1 | grep ^real | 
sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'

0.00962

Local DNS caching seems to work, but I don't understand why I shouldn't use 
it for an inbound mail server and why I still see URIBL_BLOCKED=0.001





Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Dave Funk

On Thu, 22 Sep 2016, Thomas Barth wrote:

And what about filter poisoning? In the last 10 hours my company address got 
43 mails classified as spam (even a virus mail detected today). And there was 
one mail classified as spam due to my rule (bad country, message-id).


X-Spam-Status: Yes, score=7.474 tag=2 tag2=6.31 kill=6.31
   tests=[MESSAGEID_LOCAL=3, RDNS_NONE=1.274, RELAYCOUNTRY_BAD=3.2]
   autolearn=no autolearn_force=no

The content of the mail is:


From: "Lupe Monroe" 
To: "my boss address"
Subject: Payment approved
MIME-Version: 1.0
Content-Type: multipart/related;
   boundary="boundary_af9c8db46eb73fca8b315aafef01"
Message-Id: <20160922063255.e11d3e5...@static.vnpt.vn.local>
Date: Thu, 22 Sep 2016 06:32:55 +0700

--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Dear so,

Your payment has been approved. Your account will be debited within two days.

You can email us for any query regarding your account.

Thank you.

Lupe Monroe
Support

--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; 
name="e6dfa16bdb.zip.virus-scan-me.virus-scan-me"

Content-Transfer-Encoding: base64
Content-Disposition: attachment; 
filename="e6dfa16bdb.zip.virus-scan-me.virus-scan-me"



There is no spam content, am I right? Normal words and content that a normal 
person can use. I don't need spam learning for all the mails already 
classified as spam with a high score. Spam with a low score is interesting for 
spam learning, like this one. But when I use these mails for spam learning 
there is a risk of a false positive some day, because it has learned that 
normal mails are also spam?


You are missing the point that Bayes uses more than just body words from a 
message. It also looks at headers and meta-data. So those particular body 
words could become "neutral" (neither spam nor ham indicators) but the 
other components of that message (such as that '.vn.local' message ID) 
would be learned as spam signs.


This is why you MUST also train your Bayes with HAM messages (and train 
them with the --ham flag) so Bayes knows how to recognise 'hammy' or 
'neutral' tokens to prevent false-positives.



--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Dave Funk

On Thu, 22 Sep 2016, Thomas Barth wrote:


Hi ho,

a virus was found: Sanesecurity.Malware.26327.JsHeur.UNOFFICIAL

Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 35123-18/WRf_y9XIIOFq

First upstream SMTP client IP address: [103.230.105.6]
According to a 'Received:' trace, the message apparently originated at:
 [103.230.105.6], [103.230.107.6] unknown [103.230.105.6]


You REALLY should get your DNSBL problem fixed. Once you get DNSBLs 
working it will help a lot. That particular IP address hit almost a dozen 
different RBLs here, including some that I use at the SMTP level to 
outright block incoming traffic (such as cbl.abuseat.org, Spamhaus PBL, 
SBL).



--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Benny Pedersen

On 2016-09-22 12:32, Thomas Barth wrote:


I've installed clamav-unofficial-sigs from the Debian package. If this is
not working well enough I will try the installation I found here:
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL


you have to configure it as well

here I have 2 clamd, one with official signatures, and another with 3rd 
party signatures, so both clamd have different database dirs


configure the script to only update the unofficial clamd database dir

when this is in place one can use clamav-milter to reject from the clamd 
with official sigs, and another clamav-milter to just add a virus header 
to mail; next with that is to make a header test in spamassassin with a 
spam score for 3rd party sigs in clamav



I don't know what is in the zip file. I just have a compressed copy of
the mail. I tried to save the content of the zip boundary part in a
zip file but I get a loading error when opening the zip file. I
suppose it contains a javascript file (name.pdf.js)


just make sure clamav detects the malware, and you are done, but keep 
in mind not to reject on 3rd party virus :=)


note as well that foxhole is a good candidate to reject based on; you can 
make that happen if using per-sigs scanning in spamassassin header 
testing, so spamass-milter will reject it; do not use one clamd and one 
clamav-milter for all this


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Thomas Barth

On 22.09.2016 at 12:41, li...@rhsoft.net wrote:



I've installed clamav-unofficial-sigs from the Debian package. If this is not
working well enough I will try the installation I found here:
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL


dunno - and it's off-topic here - we use our own scripts to update the
signatures and that stuff is caught by
http://sanesecurity.com/foxhole-databases/


Hi ho,

a virus was found: Sanesecurity.Malware.26327.JsHeur.UNOFFICIAL

Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 35123-18/WRf_y9XIIOFq

First upstream SMTP client IP address: [103.230.105.6]
According to a 'Received:' trace, the message apparently originated at:
  [103.230.105.6], [103.230.107.6] unknown [103.230.105.6]

I added this to my mailserver documentation to install 
clamav-unofficial-sigs package during next mailserver installation :)


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 12:59, Thomas Barth wrote:

On 22.09.2016 at 12:41, li...@rhsoft.net wrote:


I've installed clamav-unofficial-sigs from the Debian package. If this is not
working well enough I will try the installation I found here:
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL



dunno - and it's off-topic here - we use our own scripts to update the
signatures and that stuff is caught by
http://sanesecurity.com/foxhole-databases/

may I ask why you put such an unfinished and in many ways untested setup
into production?



The mail servers are ready and work very well but can be improved. And I
only improve them when there is a need to do it. If there is a spam mail
going through again, I'm going the next step ;-)


I see - that's good that you add poison pill rules for message-id and 
similar because the other parts, even very basic ones, are not working 
and scores are not adjusted while the SA header tells you exactly your 
problems to catch things :-)


but do what you want


I don't know what is in the zip file. I just have a compressed copy of
the mail. I tried to save the content of the zip boundary part in a zip
file but I get a loading error when opening the zip file.


what are you doing?


If you have ever parsed emails for content then you would know that
you can extract parts of raw mails to specific file types and open
them. I don't know why I get an error this time, but I don't have time to
find an answer now.


I know more about email than you think but that's no reason for wasting 
time when you can just drag a message to a mail client, as you are saying 
yourself "don't have time"


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Thomas Barth

On 22.09.2016 at 12:41, li...@rhsoft.net wrote:


I've installed clamav-unofficial-sigs from the Debian package. If this is not
working well enough I will try the installation I found here:
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL


dunno - and it's off-topic here - we use our own scripts to update the
signatures and that stuff is caught by
http://sanesecurity.com/foxhole-databases/

may I ask why you put such an unfinished and in many ways untested setup
into production?



The mail servers are ready and work very well but can be improved. And I 
only improve them when there is a need to do it. If there is a spam mail 
going through again, I'm going the next step ;-)




I don't know what is in the zip file. I just have a compressed copy of
the mail. I tried to save the content of the zip boundary part in a zip
file but I get a loading error when opening the zip file.


what are you doing?


If you have ever parsed emails for content then you would know that 
you can extract parts of raw mails to specific file types and open 
them. I don't know why I get an error this time, but I don't have time to 
find an answer now.




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 12:32, Thomas Barth wrote:



On 22.09.2016 at 11:50, li...@rhsoft.net wrote:



On 22.09.2016 at 11:36, Benny Pedersen wrote:

On 2016-09-22 10:16, Thomas Barth wrote:


The content of the mail is:



--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"


whats in this zip file?


malware as in all attachments from this type of spam, easy to detect
by clamd with sanesecurity signatures


I've installed clamav-unofficial-sigs from the Debian package. If this is not
working well enough I will try the installation I found here:
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL


dunno - and it's off-topic here - we use our own scripts to update the 
signatures and that stuff is caught by 
http://sanesecurity.com/foxhole-databases/


may I ask why you put such an unfinished and in many ways untested setup 
into production?



I don't know what is in the zip file. I just have a compressed copy of
the mail. I tried to save the content of the zip boundary part in a zip
file but I get a loading error when opening the zip file.


what are you doing?

uncompress the mail and drag the raw mail with .eml extension into 
Thunderbird, from where you can simply save the attachment instead of 
grabbing around manually in multipart mails



I suppose it contains a javascript file (name.pdf.js)


or .wsf/.exe/.jar and so on - they are changing all the time
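
For those who would rather not drag a quarantined message into a mail client, here is an added example (not code from the thread or from any of its participants) that decodes one base64 MIME part with nothing but sh, awk and base64. It assumes the part is base64 encoded, that the boundary string is known (the one quoted in this thread is used), and that the message has already been gunzipped from the amavis quarantine; the sample message built by make_sample_mail is constructed for the demonstration and its "zip" payload is plain text, not malware.

```shell
#!/bin/sh
# Added example, not code from the thread: extract one base64 part from a raw message.
# Assumptions: base64 transfer encoding, known boundary, message already uncompressed.

# extract_base64_part <mail-file> <boundary> <n>: decode the n-th MIME part
# (1 = first part after the opening boundary) to stdout.
extract_base64_part() {
    awk -v b="--$2" -v want="$3" '
        { sub(/\r$/, "") }                             # tolerate CRLF line endings
        $0 == b           { part++; inhdr = 1; next }  # next part, its headers follow
        $0 == (b "--")    { exit }                     # closing boundary, nothing after it
        part != want      { next }                     # not the part we want
        inhdr && $0 == "" { inhdr = 0; next }          # blank line ends the part headers
        inhdr             { next }
        { print }                                      # body lines (base64 text)
    ' "$1" | base64 -d
}

# Constructed sample in the shape of the message quoted in the thread: a text part
# followed by a "zip" attachment. The payload here is harmless text, not malware.
make_sample_mail() {
    out="$1"; b="boundary_af9c8db46eb73fca8b315aafef01"
    payload_b64=$(printf '%s' 'not really a zip' | base64)
    {
        printf 'Subject: Payment approved\n'
        printf 'MIME-Version: 1.0\n'
        printf 'Content-Type: multipart/related; boundary="%s"\n\n' "$b"
        printf '%s\n' "--$b"
        printf 'Content-Type: text/plain; charset="utf-8"\n\n'
        printf 'Dear so,\n\nYour payment has been approved.\n\n'
        printf '%s\n' "--$b"
        printf 'Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"\n'
        printf 'Content-Transfer-Encoding: base64\n'
        printf 'Content-Disposition: attachment; filename="e6dfa16bdb.zip"\n\n'
        printf '%s\n' "$payload_b64"
        printf '%s\n' "--$b--"
    } > "$out"
}

# On a real quarantined message: decode part 2 to a file, then only *look* at it.
#   gzip -dc /var/lib/amavis/virusmails/O/spam-Owoyctlsyvzz.gz > spam.eml
#   extract_base64_part spam.eml boundary_af9c8db46eb73fca8b315aafef01 2 > e6dfa16bdb.zip
#   unzip -l e6dfa16bdb.zip     # list the contents without extracting anything
#   clamscan e6dfa16bdb.zip     # let the signature sets have a look; never open the script inside
```

unzip -l is enough to confirm the guess about a script (name.pdf.js or similar) inside; there is no reason to extract or run it, and clamscan against the file tells you whether the installed signature set would have caught it.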


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Thomas Barth



On 22.09.2016 at 11:50, li...@rhsoft.net wrote:



On 22.09.2016 at 11:36, Benny Pedersen wrote:

On 2016-09-22 10:16, Thomas Barth wrote:


The content of the mail is:



--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"


whats in this zip file?


malware as in all attachments from this type of spam, easy to detect
by clamd with sanesecurity signatures


I've installed clamav-unofficial-sigs from the Debian package. If this is not 
working well enough I will try the installation I found here:

https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL

I don't know what is in the zip file. I just have a compressed copy of 
the mail. I tried to save the content of the zip boundary part in a zip 
file but I get a loading error when opening the zip file. I suppose it 
contains a javascript file (name.pdf.js)






Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Matus UHLAR - fantomas

On 21.09.2016 at 18:47, Bowie Bailey wrote:

That is ridiculous.  The more training bayes gets the better it works.
And manual training is better than autolearning because autolearning can
automatically learn false positives and false negatives and cause
problems for the database.


correct according to my experience.

On 22.09.16 10:16, Thomas Barth wrote:
And what about filter poisening? In the last 10 hours my company 
address got 43 mails classified as spam (even a virus mail detected 
today). And there was one mail classified as spam due to my rule (bad 
country, message-id.


X-Spam-Status: Yes, score=7.474 tag=2 tag2=6.31 kill=6.31
   tests=[MESSAGEID_LOCAL=3, RDNS_NONE=1.274, RELAYCOUNTRY_BAD=3.2]
   autolearn=no autolearn_force=no


there's no poisoning, unless you count two of your rules with incredibly high
scores (which is why rules should not have too big scores).
Lower the scores of those two...

according to your previous mail you have:

- rule RP_MATCHES_RCVD scoring -3.096 
that should be increased to -0.001 (already recommended by li...@rhsoft.net)

or killed/zeroed (recommended by me)

- rule URIBL_BLOCKED indicating you use DNS server used by too many clients.
Set up your own recursing nameserver, BIND or unbound and don't configure it
to forward queries to upstream.

There is no spam content, am I right? Normal words and content that a 
normal person can use.


spammers typically use "normal words and content that a normal person can
use", that's why it's so hard to catch spam.  BAYES helps you find the
differences between spam and ham and you can trust us it works great.

I dont need spam learning for all the mails 
already classified as spam with high score. Spam with low score are 
interesting for spam learning like this one. But when I use these 
mails for spam learning there is a risk of false positive some day, 
because it has learned that normal mails are also spam?


you must of course train ham mail, especially false positives; bayes needs
to be trained with ham too, because it needs to see the differences.

if you train ham with big bayes score, it will help you much.

since you already got false positive without using BAYES, I think it's
useless to be reluctant about it.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
I intend to live forever - so far so good. 


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 11:36, Benny Pedersen wrote:

On 2016-09-22 10:16, Thomas Barth wrote:


The content of the mail is:



--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"


whats in this zip file?


malware as in all attachments from this type of spam, easy to detect 
by clamd with sanesecurity signatures


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Benny Pedersen

On 2016-09-22 10:16, Thomas Barth wrote:


The content of the mail is:



--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"


whats in this zip file ?


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Paul Stead



On 22/09/16 09:16, Thomas Barth wrote:

--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"



This run of emails can be blocked using the Sanesecurity ClamAV ruleset
for Foxhole - http://sanesecurity.org/

Paul
--
Paul Stead
Systems Engineer
Zen Internet


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread li...@rhsoft.net



On 22.09.2016 at 10:16, Thomas Barth wrote:

On 21.09.2016 at 18:47, Bowie Bailey wrote:


That is ridiculous.  The more training bayes gets the better it works.
And manual training is better than autolearning because autolearning can
automatically learn false positives and false negatives and cause
problems for the database.


And what about filter poisoning?  In the last 10 hours my company address
got 43 mails classified as spam (even a virus mail detected today). And
there was one mail classified as spam due to my rule (bad country,
message-id).

Dear so,

Your payment has been approved. Your account will be debited within two
days.

You can email us for any query regarding your account.

Thank you.

Lupe Monroe
Support


There is no spam content, am I right? Normal words and content that a
normal person can use. I don't need spam learning for all the mails
already classified as spam with a high score. Spam with a low score is
interesting for spam learning, like this one. But when I use these mails
for spam learning there is a risk of a false positive some day, because it
has learned that normal mails are also spam?


no you are not right - that *is spam content* and has nothing to do with 
bayes poisoning - in fact those are malware messages - known by our 
bayes for at least 12 months and already BAYES_99 stuff will not be trained


it's the job of the bayes filter to find the minimal but existing 
differences and mistakes between that and similar ham and *hence* 
autolearning won't work in general because you still need to decide and 
classify the border cases


bayes poisoning can become a problem and is *another* reason why you 
train your filter manually instead of letting it decide itself and, if it 
once decided wrong, learn more and more in the wrong direction


but that above is NOT bayes poisoning


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-22 Thread Thomas Barth



On 21.09.2016 at 18:47, Bowie Bailey wrote:


That is ridiculous.  The more training bayes gets the better it works.
And manual training is better than autolearning because autolearning can
automatically learn false positives and false negatives and cause
problems for the database.


And what about filter poisoning? In the last 10 hours my company address 
got 43 mails classified as spam (even a virus mail detected today). And 
there was one mail classified as spam due to my rule (bad country, 
message-id).


X-Spam-Status: Yes, score=7.474 tag=2 tag2=6.31 kill=6.31
tests=[MESSAGEID_LOCAL=3, RDNS_NONE=1.274, RELAYCOUNTRY_BAD=3.2]
autolearn=no autolearn_force=no

The content of the mail is:


From: "Lupe Monroe" 
To: "my boss address"
Subject: Payment approved
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="boundary_af9c8db46eb73fca8b315aafef01"
Message-Id: <20160922063255.e11d3e5...@static.vnpt.vn.local>
Date: Thu, 22 Sep 2016 06:32:55 +0700

--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Dear so,

Your payment has been approved. Your account will be debited within two 
days.


You can email us for any query regarding your account.

Thank you.

Lupe Monroe
Support

--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"


There is no spam content, am I right? Normal words and content that a 
normal person can use. I don't need spam learning for all the mails 
already classified as spam with a high score. Spam with a low score is 
interesting for spam learning, like this one. But when I use these mails 
for spam learning there is a risk of a false positive some day, because it 
has learned that normal mails are also spam?


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread Bowie Bailey

On 9/21/2016 12:28 PM, Thomas Barth wrote:



On 21.09.2016 at 18:00, li...@rhsoft.net wrote:



the problem of the OP is that he starts things the other way round and
first rejects without good evidence and doesn't have anything to make the
system bullet proof because it's rejected


I remembered that I read a book about Postfix with the topic "Training 
with SpamAssassin". And the author was against additional training. 
The more you train the worse the result. With the motto "I cook an egg 
for more than 15 minutes, but it is still hard." There are other 
arguments for not autolearning, but my English is not that good to 
translate a complete chapter. And if there are some mails breaking 
through the wall, then it is better to create rules against the 
header. Clear facts without side effects.


That is ridiculous.  The more training bayes gets the better it works.  
And manual training is better than autolearning because autolearning can 
automatically learn false positives and false negatives and cause 
problems for the database.


If you are getting a bunch of similar spams coming through, you can 
definitely create custom rules, but you are going to be making new rules 
constantly.  A good bayes database can automatically block some of those 
spams so you don't have to do as much work creating new rules for every 
new spam campaign.


He also wrote that Amavis/SpamAssassin learns by itself. Each mail 
classified as spam with a score of more than 12.0 is learned as spam 
and there should be a logfile entry with loglevel 2 if a mail has been 
learned as spam. I never increased the loglevel to check that.


SpamAssassin does autolearning by default, but it can make mistakes.  It 
assumes that all high-scoring mail is spam and all low-scoring mail is 
ham.  This is not necessarily true.  You need to supplement this with at 
least enough manual learning to re-train the mistakes.


I followed his opinion because it is the best book I've got 
(www.postfix.de, next SpamAssassin/Amavis training course in November, 
I'm thinking of participating)


There are a lot of people on this list who have been using SA for a long 
time (about 12 years for me).  You will sometimes get differing advice, 
but that is a good thing.  I would much rather believe the consensus of 
a bunch of people with experience than one guy who decided to write a book.


--
Bowie


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net



On 21.09.2016 at 18:28, Thomas Barth wrote:

On 21.09.2016 at 18:00, li...@rhsoft.net wrote:


the problem of the OP is that he starts things the other way round and
first rejects without good evidence and doesn't have anything to make the
system bullet proof because it's rejected


I remembered that I read a book about Postfix with the topic "Training
with SpamAssassin". And the author was against additional training. The
more you train the worse the result. With the motto "I cook an egg for
more than 15 minutes, but it is still hard." There are other arguments for
not autolearning, but my English is not that good to translate a
complete chapter. And if there are some mails breaking through the wall,
then it is better to create rules against the header. Clear facts
without side effects.
He also wrote that Amavis/SpamAssassin learns by itself. Each mail
classified as spam with a score of more than 12.0 is learned as spam and
there should be a logfile entry with loglevel 2 if a mail has been
learned as spam. I never increased the loglevel to check that.
I followed his opinion because it is the best book I've got
(www.postfix.de, next SpamAssassin/Amavis training course in November, I'm
thinking of participating)



"against additional training" and "other arguments for not autolearning" 
are exactly the *opposite*; however, I can assure you that a well 
trained bayes with any autolearning reaches a 90-95% hit rate, proven by 
5 false positives and 30 spam reports on some hundred users in 2016


autolearning is bad anyway because it tends to classify already FN or 
FP in exactly the wrong direction - you need to train *wrongly classified* 
mail where you are 100% sure if it's spam or ham and just ignore 
anything where you are unsure; the rest will have common patterns which 
are learned over time with your well classified ones


anyway, a spam filter completely without bayes and with URIBL not working has 
no business running in production


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread Thomas Barth



On 21.09.2016 at 18:00, li...@rhsoft.net wrote:



the problem of the OP is that he starts things the other way round and
first rejects without good evidence and doesn't have anything to make the
system bullet proof because it's rejected


I remembered that I read a book about Postfix with the topic "Training 
with SpamAssassin". And the author was against additional training. The 
more you train the worse the result. With the motto "I cook an egg for 
more than 15 minutes, but it is still hard." There are other arguments for 
not autolearning, but my English is not that good to translate a 
complete chapter. And if there are some mails breaking through the wall, 
then it is better to create rules against the header. Clear facts 
without side effects.
He also wrote that Amavis/SpamAssassin learns by itself. Each mail 
classified as spam with a score of more than 12.0 is learned as spam and 
there should be a logfile entry with loglevel 2 if a mail has been 
learned as spam. I never increased the loglevel to check that.
I followed his opinion because it is the best book I've got 
(www.postfix.de, next SpamAssassin/Amavis training course in November, I'm 
thinking of participating)


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net



On 21.09.2016 at 17:53, Sean Greenslade wrote:

As for your spam rejection paradigm, I can't possibly imagine that
working well unless you have a very close relationship with every single
person who emails you. If I send my resume to a job recruiter and they
get a bounce when they email me back, I highly doubt they're going to
bother to call me up and tell me my email system is broken. My resume's
going in the trash and they're moving on.

Just because you haven't received any calls doesn't mean there's no
problems...


it's absolutely no problem to outright reject high scored spam and tag 
the likely spam stuff - BUT the prerequisite for doing so is to collect 
bayes data, watch how the systems operate and after its classification 
is proven good and all sorts of scores are adjusted, decide what is the 
safe reject score


the problem of the OP is that he starts things the other way round and 
first rejects without good evidence and doesn't have anything to make the 
system bullet proof because it's rejected


when one starts with dangerous rules like reject based on message-id, 
not realizing that his blacklists are not working and bayes doesn't work, 
this system is *not* production ready at all


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread Sean Greenslade
On Wed, Sep 21, 2016 at 05:23:46PM +0200, Thomas Barth wrote:
> I can't do that because I don't have spam mails. I don't store them; I
> didn't think that I needed the spam uncompressed in a folder for
> autolearning, I thought it works when SA is analyzing the mail. My
> mail system checks mails in real time and blocks mail during the connection. If
> there is a false positive the sender gets an error and I get a call from the
> sender to check it (last call was over a year ago :-). But I have a
> compressed copy in the quarantine folder so that I can check the reason
> anyway.
> 
> find /var/lib/amavis/virusmails/ -type f -name "spam-*.gz" -mmin -60 -exec
> ls -hal {} \;
> -rw-r- 1 amavis amavis 23K Sep 21 16:30
> /var/lib/amavis/virusmails/n/spam-nH0HbPBqwMoV.gz
> -rw-r- 1 amavis amavis 23K Sep 21 17:00
> /var/lib/amavis/virusmails/6/spam-6e2vFSpi_vsr.gz
> -rw-r- 1 amavis amavis 11K Sep 21 16:48
> /var/lib/amavis/virusmails/O/spam-Ojbq0dV-TYc2.gz
> -rw-r- 1 amavis amavis 22K Sep 21 17:05
> /var/lib/amavis/virusmails/O/spam-Owoyctlsyvzz.gz
> 
> so, no autolearning

You could write a script that decompresses the files and feeds them one
by one to sa-learn. Not too difficult, I would imagine.

As for your spam rejection paradigm, I can't possibly imagine that
working well unless you have a very close relationship with every single
person who emails you. If I send my resume to a job recruiter and they
get a bounce when they email me back, I highly doubt they're going to
bother to call me up and tell me my email system is broken. My resume's
going in the trash and they're moving on.

Just because you haven't received any calls doesn't mean there's no
problems...

--Sean
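
The script Sean suggests, written out as an added example (not code from Sean, Thomas or anyone else in the thread): take the spam-*.gz files amavis keeps in quarantine, uncompress them, feed them to sa-learn as the user that owns the Bayes database, and afterwards parse "sa-learn --dump magic" for the nspam/nham counters that Bowie Bailey tells Thomas to look at elsewhere in this thread. It assumes the quarantine layout and file names from Thomas's find listing, that amavis owns the Bayes DB, and that sa-learn is in PATH; the sample files in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: manual Bayes training from the amavis quarantine.
# Assumptions: quarantine layout as in the find output above, Bayes DB owned by "amavis",
# sa-learn in PATH. Only messages quarantined within the last N minutes are taken.

QUARANTINE="${QUARANTINE:-/var/lib/amavis/virusmails}"
LEARN_USER="${LEARN_USER:-amavis}"

# Same find as in the thread, without the -exec: spam-*.gz newer than $1 minutes.
list_quarantined_spam() {
    find "$QUARANTINE" -type f -name 'spam-*.gz' -mmin "-$1"
}

# Uncompress every listed file into $2 (one plain message per file), print the paths.
unpack_quarantined_spam() {
    minutes="$1"; outdir="$2"
    mkdir -p "$outdir"
    list_quarantined_spam "$minutes" | while IFS= read -r f; do
        base=$(basename "$f" .gz)
        gzip -dc "$f" > "$outdir/$base" && printf '%s\n' "$outdir/$base"
    done
}

# Train from a directory of messages. Running as $LEARN_USER is the point: sa-learn
# run as root or your own account writes a different Bayes DB than amavis reads.
# $1 = spam|ham, $2 = directory of messages.
learn_dir() {
    kind="$1"; dir="$2"
    chown -R "$LEARN_USER" "$dir"          # mktemp -d dirs are 0700 root otherwise
    su -s /bin/sh "$LEARN_USER" -c "sa-learn --$kind --no-sync '$dir' && sa-learn --sync"
}

# Read 'sa-learn --dump magic' output on stdin; exit 0 only when nspam and nham are
# both >= 200, the minimum before SpamAssassin starts producing BAYES_* hits.
bayes_ready() {
    awk '/non-token data: nspam/ { s = $3 }
         /non-token data: nham/  { h = $3 }
         END { exit !(s >= 200 && h >= 200) }'
}

# Typical run as root: unpack the last hour of quarantined spam, train, then check.
# Ham has to be trained the same way (learn_dir ham /path/to/hand-sorted/ham); as the
# thread keeps saying, spam-only training is how you end up with false positives.
#   d=$(mktemp -d) && unpack_quarantined_spam 60 "$d" && learn_dir spam "$d" && rm -rf "$d"
#   su -s /bin/sh "$LEARN_USER" -c 'sa-learn --dump magic' | bayes_ready && echo "bayes scoring"
```

The quarantine only holds what was already caught, so training only from it teaches Bayes nothing about the low-scoring spam that got through; those, and the hand-checked ham, still have to be collected from mailboxes and fed through learn_dir by hand.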



Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net



On 21.09.2016 at 17:23, Thomas Barth wrote:

On 21.09.2016 at 16:13, li...@rhsoft.net wrote:


#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


so your setup either doesn't use that config (amavis or something like
that is part of the game, then you don't have just spamassassin)

or you have not trained enough spam *and* ham - or you train the wrong
bayes database, likely by calling "sa-learn" as the wrong user

https://wiki.apache.org/spamassassin/SiteWideBayesSetup


I can't do that because I don't have spam mails. I don't store them;
I didn't think that I needed the spam uncompressed in a
folder for autolearning, I thought it works when SA is analyzing the
mail


how do you imagine autolearning from the start with nothing trained?

just relying on rules and then training on false positives and negatives, in 
other words every rejected message as spam and every passed one as ham, won't 
work, and when you think about it for 10 seconds it should be obvious


anyway, you can't tell me that there are no mails which made it 
through the filters which were spam; to find 200 of them and 200 ham 
should be even easier as long as you don't delete your mail after reading



My mail system checks mails in real time and blocks mail during the
connection. If there is a false positive the sender gets an error and I
get a call from the sender to check it (last call was over a year ago :-).
But I have a compressed copy in the quarantine folder so that I can
check the reason anyway.


doesn't change the fact that you need the stuff which was wrongly classified 
and must tell SA if it's good or bad to make the filter better


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread Thomas Barth

On 21.09.2016 at 16:13, li...@rhsoft.net wrote:


#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


so your setup either doesn't use that config (amavis or something like
that is part of the game, then you don't have just spamassassin)

or you have not trained enough spam *and* ham - or you train the wrong
bayes database, likely by calling "sa-learn" as the wrong user

https://wiki.apache.org/spamassassin/SiteWideBayesSetup



I can't do that because I don't have spam mails. I don't store them; 
I didn't think that I needed the spam uncompressed in a 
folder for autolearning, I thought it works when SA is analyzing the 
mail. My mail system checks mails in real time and blocks mail during the 
connection. If there is a false positive the sender gets an error and I 
get a call from the sender to check it (last call was over a year ago :-). 
But I have a compressed copy in the quarantine folder so that I can 
check the reason anyway.


find /var/lib/amavis/virusmails/ -type f -name "spam-*.gz" -mmin -60 -exec ls -hal {} \;
-rw-r----- 1 amavis amavis 23K Sep 21 16:30 /var/lib/amavis/virusmails/n/spam-nH0HbPBqwMoV.gz
-rw-r----- 1 amavis amavis 23K Sep 21 17:00 /var/lib/amavis/virusmails/6/spam-6e2vFSpi_vsr.gz
-rw-r----- 1 amavis amavis 11K Sep 21 16:48 /var/lib/amavis/virusmails/O/spam-Ojbq0dV-TYc2.gz
-rw-r----- 1 amavis amavis 22K Sep 21 17:05 /var/lib/amavis/virusmails/O/spam-Owoyctlsyvzz.gz


so, no autolearning


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread Bowie Bailey

On 9/21/2016 9:48 AM, Thomas Barth wrote:



On 20.09.2016 at 13:12, Paul Stead wrote:


Hi Thomas,

The RelayCountry plugin would answer your needs:

https://wiki.apache.org/spamassassin/RelayCountryPlugin



Hello Paul,

I've activated that plugin and installed the geoip module (aptitude 
install libgeo-ip-perl); it seems to work. I've tested it with my own 
address. I've also reduced the score for MESSAGEID_LOCAL because I've 
found a past mail of one of our partners with .local in the message-id :)


X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no

@all

You all say that bayes is not working in my setup. I don't know why. I 
followed a documentation for setting up my mailserver.


It says:

nano /etc/spamassassin/local.cf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


It's a virtual-user mail system described in 
https://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-ubuntu-14.04-lts-p3


We say bayes is not working because there are not any BAYES_XX rules 
hitting in the headers you are providing.  When bayes is working, you 
should see a bayes rule hit on almost every email.


Most likely, it has not yet learned from the 200 ham and 200 spam 
required for it to start scoring.  To check this, log in as the "amavis" 
user (or whatever user Amavis is running as) and type the command 
"sa-learn --dump magic".  Take a look at the nham and nspam lines.  If 
they are not at least 200, then bayes needs to learn from more emails.  
You can either wait for the autolearn process to do it, or (preferably) 
manually learn from some hand-sorted emails.


In any case, you should set up a process for bayes to learn from 
misclassified emails.  In my case, spam is delivered to a "spam" 
folder.  Once or twice a day, I will scan through the subject lines and 
sender names in that folder to make sure it is all really spam. Any ham 
that gets there is copied to a "ham-checked" folder and the rest is 
moved to a "spam-checked" folder.  Any spam that gets delivered to my 
inbox goes to "spam-checked" as well.  Occasionally, I'll grab a 
selection of good mail from my inbox and copy it to "ham-checked" to 
provide some extra ham for bayes to learn from.  I have a script that 
looks for emails in those folders every couple of hours and runs 
sa-learn on them if there is anything there.  After learning from the 
messages, you can either delete them or move them to a storage 
location.  If you keep a selection of hand-sorted ham and spam, then you 
can use that later to re-create the bayes database if it gets messed up.


Also, as others have mentioned, you are being blocked by URIBL. This is 
probably because you are forwarding your DNS to your ISP. You should set 
up a non-forwarding DNS server for your mail system to use.  Personally, 
I prefer Bind.  It should do what you need by default with very minimal 
(if any) configuration.  You will need to set up your /etc/resolv.conf 
file to make the server use the local name server.


--
Bowie
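The two procedures in this post, the `sa-learn --dump magic` readiness check and the periodic job over the "ham-checked" / "spam-checked" folders, as one added example. It is neither Bowie's script nor SpamAssassin code. Assumptions: `sa-learn` is on PATH and runs as the user whose Bayes database the scanner uses (amavis in this thread); the folders are Maildir++ folders named `.ham-checked` and `.spam-checked` (Courier style, matching the poster's setup); learned messages are moved into `bayes-archive/<ham|spam>/` (my name for the "storage location") so the database can be rebuilt from them later. The sample dump-magic output in the test is constructed. `runner` is injectable for testing (my addition).

```python
"""Bayes readiness check and the hand-sorted-folder learning cycle (added example)."""
import re
import shutil
import subprocess
import sys
from pathlib import Path

BAYES_MIN = 200   # Bayes stays silent below 200 ham and 200 spam learned

# `sa-learn --dump magic` rows look like
# "0.000          0        123          0  non-token data: nspam"
# prob, spam count, ham count, atime, description; the magic value is column 3.
MAGIC_RE = re.compile(r"^\s*\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data:\s*(.+?)\s*$")


def parse_dump_magic(text):
    """Return {description: int} for every non-token data row."""
    stats = {}
    for line in text.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def bayes_status(stats, minimum=BAYES_MIN):
    """Is Bayes past the threshold, and how many more messages are needed?"""
    nspam, nham = stats.get("nspam", 0), stats.get("nham", 0)
    return {
        "nspam": nspam, "nham": nham,
        "ready": nspam >= minimum and nham >= minimum,
        "need_spam": max(0, minimum - nspam),
        "need_ham": max(0, minimum - nham),
    }


def dump_magic(runner=subprocess.run):
    r = runner(["sa-learn", "--dump", "magic"], capture_output=True, text=True, check=True)
    return parse_dump_magic(r.stdout)


def maildir_messages(folder):
    """Messages in a Maildir folder are the regular files under cur/ and new/."""
    folder = Path(folder)
    return sorted(p for sub in ("cur", "new") if (folder / sub).is_dir()
                  for p in (folder / sub).iterdir() if p.is_file())


def learn_folder(folder, kind, archive, runner=subprocess.run):
    """sa-learn --spam|--ham every message in folder, then move the learned
    messages to archive/<kind>/. Returns the number of messages learned."""
    if kind not in ("spam", "ham"):
        raise ValueError("kind must be 'spam' or 'ham'")
    msgs = maildir_messages(folder)
    if not msgs:
        return 0
    # --no-sync: defer the journal merge; one --sync at the end of the cycle
    runner(["sa-learn", "--" + kind, "--no-sync"] + [str(m) for m in msgs], check=True)
    dest = Path(archive) / kind
    dest.mkdir(parents=True, exist_ok=True)
    for m in msgs:
        shutil.move(str(m), str(dest / m.name))
    return len(msgs)


def learn_cycle(maildir, runner=subprocess.run):
    """The periodic job from the post: learn both folders, sync once."""
    maildir = Path(maildir)
    archive = maildir / "bayes-archive"   # not dot-prefixed, so IMAP won't list it
    counts = {
        "ham": learn_folder(maildir / ".ham-checked", "ham", archive, runner),
        "spam": learn_folder(maildir / ".spam-checked", "spam", archive, runner),
    }
    if any(counts.values()):
        runner(["sa-learn", "--sync"], check=True)
    return counts


if __name__ == "__main__":
    print(bayes_status(dump_magic()))
    if len(sys.argv) > 1:                 # usage: script.py /path/to/Maildir
        print(learn_cycle(sys.argv[1]))
```

The readiness check is worth running first and after each cycle: if `nham` climbs while `nspam` does not (or the numbers never move at all), sa-learn is writing to a different Bayes database than the one SpamAssassin reads, which is the wrong-user problem the SiteWideBayesSetup page describes.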


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread Benny Pedersen

On 2016-09-21 15:48, Thomas Barth wrote:


X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no

@all

You all say that bayes is not working in my setup. I dont know why. I
followed a documentation for setting up my mailserver.


http://uribl.com/about.shtml#abuse

you are currently URIBL_BLOCKED; the link shows how to test and solve it


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net

RP_MATCHES_RCVD=-3.096

override this idiotic rule with "score RP_MATCHES_RCVD -0.001" and 
hopefully that will soon get fixed until the end of all days as it was 
for a long time in the past


fix the other issues below and you don't need bad rules like 
"MESSAGEID_LOCAL=3" with such a dangerous and plain wrong score


On 21.09.2016 at 16:13, li...@rhsoft.net wrote:

On 21.09.2016 at 15:48, Thomas Barth wrote:

X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no


URIBL_BLOCKED shows you are still using a DNS forwarder and so won't get
results from a lot of blacklists

http://uribl.com/refused.shtml

fix that - use a local caching resolver with *no forwarding* and if you
are using dnsmasq just don't do that for an inbound mailserver


You all say that bayes is not working in my setup. I don't know why. I
followed a documentation for setting up my mailserver.

It says:

nano /etc/spamassassin/local.cf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


so your setup either doesn't use that config (amavis or something like
that is part of the game, then you don't have just spamassassin)

or you have not trained enough spam *and* ham - or you train the wrong
bayes-database likely by calling "sa-learn" with the wrong user

https://wiki.apache.org/spamassassin/SiteWideBayesSetup

is there really no "spamassassin for beginners" which explains all that
dns-stuff *at one place* and how to train bayes and make sure it is used,
instead of getting every day the same problem reports on the list from fresh
people?


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread li...@rhsoft.net



On 21.09.2016 at 15:48, Thomas Barth wrote:

X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no


URIBL_BLOCKED shows you are still using a DNS forwarder and so won't get 
results from a lot of blacklists


http://uribl.com/refused.shtml

fix that - use a local caching resolver with *no forwarding* and if you 
are using dnsmasq just don't do that for an inbound mailserver



You all say that bayes is not working in my setup. I don't know why. I
followed a documentation for setting up my mailserver.

It says:

nano /etc/spamassassin/local.cf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


so your setup either doesn't use that config (amavis or something like 
that is part of the game, then you don't have just spamassassin)


or you have not trained enough spam *and* ham - or you train the wrong 
bayes-database likely by calling "sa-learn" with the wrong user


https://wiki.apache.org/spamassassin/SiteWideBayesSetup

is there really no "spamassassin for beginners" which explains all that 
dns-stuff *at one place* and how to train bayes and make sure it is used, 
instead of getting every day the same problem reports on the list from fresh 
people?
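The reading given in this post and in Bowie Bailey's reply (no BAYES_* hit means Bayes is not scoring; URIBL_BLOCKED means the queries went out through a forwarder that URIBL refuses) can be applied mechanically to any X-Spam-Status header. The parser below is an added example, not code from the thread or from SpamAssassin. It unfolds the header, splits the `tests=[...]` list into rule/points pairs, checks that the points add up to the reported score, and returns the findings a list member would raise. `THREAD_HEADER` is the header quoted above; `HEALTHY_HEADER` is constructed for contrast and its values are made up.

```python
"""Diagnose a SpamAssassin setup from its X-Spam-Status header (added example)."""
import re

STATUS_RE = re.compile(r"X-Spam-Status:\s*(Yes|No),\s*score=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"tests=\[(.*?)\]")
RULE_RE = re.compile(r"^\s*(\w+)=(-?\d+(?:\.\d+)?)\s*$")
AUTOLEARN_RE = re.compile(r"autolearn=(\w+)")


def parse_spam_status(header):
    """Return (is_spam, score, {rule: points}, autolearn) from a possibly
    folded X-Spam-Status header."""
    body = re.sub(r"\s+", " ", header.strip())        # unfold continuation lines
    m = STATUS_RE.match(body)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    is_spam, score = m.group(1) == "Yes", float(m.group(2))
    tests = {}
    t = TESTS_RE.search(body)
    if t:
        for item in t.group(1).split(","):
            r = RULE_RE.match(item)
            if r:
                tests[r.group(1)] = float(r.group(2))
    a = AUTOLEARN_RE.search(body)
    return is_spam, score, tests, (a.group(1) if a else None)


def score_consistent(score, tests, tolerance=0.01):
    """The reported score should be the sum of the listed rule points."""
    return abs(sum(tests.values()) - score) < tolerance


def diagnose(tests):
    """Findings a list member would raise about this setup."""
    findings = []
    if not any(rule.startswith("BAYES_") for rule in tests):
        findings.append("no BAYES_* hit: Bayes is not scoring (under 200 ham/spam "
                        "learned, or sa-learn trained another user's database)")
    if "URIBL_BLOCKED" in tests:
        findings.append("URIBL_BLOCKED: DNS goes through a forwarder URIBL refuses; "
                        "use a local, non-forwarding caching resolver")
    if "RELAYCOUNTRY_BAD" in tests:
        findings.append("RELAYCOUNTRY_BAD: RelayCountry plugin is active and matched")
    return findings


# Header quoted in the thread above
THREAD_HEADER = """X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
 RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
 autolearn=no autolearn_force=no"""

# Constructed header for a working setup (values made up for illustration)
HEALTHY_HEADER = """X-Spam-Status: Yes, score=9.2 tagged_above=2 required=6.31
 tests=[BAYES_99=3.5, BAYES_999=0.2, URIBL_BLACK=1.7, HTML_IMAGE_ONLY_28=0.7,
 RCVD_IN_BRBL_LASTEXT=1.6, RELAYCOUNTRY_BAD=1.5] autolearn=spam autolearn_force=no"""

if __name__ == "__main__":
    for hdr in (THREAD_HEADER, HEALTHY_HEADER):
        is_spam, score, tests, autolearn = parse_spam_status(hdr)
        print(is_spam, score, "autolearn=" + str(autolearn),
              "sum ok" if score_consistent(score, tests) else "sum mismatch")
        for finding in diagnose(tests):
            print(" -", finding)
```

On the thread's header this reports both findings plus the RelayCountry hit, and confirms that 3 + 3.1 - 3.096 - 0.001 + 0.001 is indeed the 3.004 shown, i.e. the whole "No" verdict rests on MESSAGEID_LOCAL and RELAYCOUNTRY_BAD cancelling RP_MATCHES_RCVD, with neither Bayes nor any URI blacklist contributing.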


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-21 Thread Thomas Barth



On 20.09.2016 at 13:12, Paul Stead wrote:


Hi Thomas,

The RelayCountry plugin would answer your needs:

https://wiki.apache.org/spamassassin/RelayCountryPlugin



Hello Paul,

I've activated that plugin and installed the geoip module (aptitude 
install libgeo-ip-perl); it seems to work. I've tested it with my own 
address. I've also reduced the score for MESSAGEID_LOCAL because I've 
found a past mail of one of our partners with .local in the message-id :)


X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31
tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1,
RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no

@all

You all say that bayes is not working in my setup. I don't know why. I 
followed a documentation for setting up my mailserver.


It says:

nano /etc/spamassassin/local.cf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


It's a virtual-user mail system described in 
https://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-ubuntu-14.04-lts-p3
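What the local.cf for this post's setup looks like once RelayCountry is scoring, as an added example (not the poster's actual file and not from the howtoforge guide). It assumes the poster's three example countries, the 3.1 points visible in the header above, and a lowered MESSAGEID_LOCAL value of my choosing, since the post does not give the new number; the mailing-list address is a placeholder.

```text
# /etc/spamassassin/local.cf  (added example, not the poster's file)

# RelayCountry ships with SpamAssassin and needs the Geo::IP Perl module
# (Debian/Ubuntu package libgeo-ip-perl, as installed above). The plugin is
# normally enabled in /etc/spamassassin/v310.pre; loading it here works too.
loadplugin Mail::SpamAssassin::Plugin::RelayCountry

# The plugin adds a pseudo-header X-Relay-Countries listing the ISO code of
# every untrusted relay, first hop first. Bias the score rather than reject:
# CN, TW, IN are the countries named in the original question, 3.1 the score
# seen in the header above.
header   RELAYCOUNTRY_BAD  X-Relay-Countries =~ /(CN|TW|IN)/
describe RELAYCOUNTRY_BAD  Relayed through a country this site rarely gets ham from
score    RELAYCOUNTRY_BAD  3.1

# A partner's Message-Id ends in .local, so 3 points for MESSAGEID_LOCAL is
# too much for this site. Lower it instead of disabling the rule.
# (0.5 is my placeholder; the post does not state the value chosen.)
score    MESSAGEID_LOCAL   0.5

# Whitelisted mailing lists keep arriving regardless of relay country
# (placeholder address and reverse-DNS domain).
whitelist_from_rcvd  *@lists.example.org  lists.example.org
```

Keep RELAYCOUNTRY_BAD well below `required`: in the header above it already contributes almost half of the threshold on its own, so a single extra low-value hit on legitimate mail from one of those countries would tip it into the spam folder, which is the failure mode the thread keeps warning about.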


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread RW
On Tue, 20 Sep 2016 22:02:14 +0100
Groach wrote:

> On 20/09/2016 20:31, RW wrote:
> > On Tue, 20 Sep 2016 18:56:47 +0100
> > Groach wrote:
> >  
> >> This Spamassassin plugin will allow you to block by country.
> >>
> >> Create the 'nerd.cf' file containing the code, put it in your
> >> spamassassin ETC directory, and uncomment the countries you wish to
> >> block.  Full details in the post.
> >> https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500
> >>   
> > It's not a plugin, it's just a list of dns rules based on
> > zz.countries.nerd.dk.  
> Sorry, the word 'plugin' was incorrectly used.  I did mean it as the 
> completed NERD.CF file containing the predefined rules.
> 
> > Is the RelayCountry plugin not usable on Windows for some reason?  
> 
> Windows spamassassin is more-or-less no different from the linux version 
> (3.4.2) so I'm sure it can use it, yes.  (I don't know about this plugin 
> myself.  Got details?)

It's part of SpamAssassin, there just aren't any default rules that
use it. Paul Stead already gave a link to the Wiki page.  


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Groach


On 20/09/2016 20:31, RW wrote:

On Tue, 20 Sep 2016 18:56:47 +0100
Groach wrote:


This Spamassassin plugin will allow you to block by country.

Create the 'nerd.cf' file containing the code, put it in your
spamassassin ETC directory, and uncomment the countries you wish to
block.  Full details in the post.
https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500

It's not a plugin, it's just a list of dns rules based on
zz.countries.nerd.dk.
Sorry, the word 'plugin' was incorrectly used.  I did mean it as the 
completed NERD.CF file containing the predefined rules.



Is the RelayCountry plugin not usable on Windows for some reason?


Windows spamassassin is more-or-less no different from the linux version 
(3.4.2) so I'm sure it can use it, yes.  (I don't know about this plugin 
myself.  Got details?)


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread RW
On Tue, 20 Sep 2016 18:56:47 +0100
Groach wrote:

> This Spamassassin plugin will allow you to block by country.
> 
> Create the 'nerd.cf' file containing the code, put it in your 
> spamassassin ETC directory, and uncomment the countries you wish to 
> block.  Full details in the post. 
> https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500

It's not a plugin, it's just a list of dns rules based on
zz.countries.nerd.dk.

Is the RelayCountry plugin not usable on Windows for some reason?


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread RW
On Tue, 20 Sep 2016 15:24:52 +
Shawn Bakhtiar wrote:

> > On Sep 20, 2016, at 8:13 AM, RW  wrote:
> > 
> > On Tue, 20 Sep 2016 14:34:02 +
> > Shawn Bakhtiar wrote:
> >   
> >> If you are strictly looking to block by IP addresses this is a far
> >> better task left to the firewall, and configured by networks not
> >> individual IP addresses.   
> > 
> > It shouldn't really be about blocking, it's about biasing the
> > score. 
> > 
> >   
> 
> I humbly disagree
> 
> I find it interesting that most ISPs will block incoming connections
> like port 80 so home users can't run their own web servers,
> effectively forcing them to use providers for services "in the name
> of security" but when it comes to outgoing connections they take no
> measures whatsoever.
> 
> Mind you, I'm not talking about blocking HTTP or DNS. I simply block
> them on the SMTP gateway (kernel level firewall), this reduces
> directed spearphishing by a lot when I catch it early enough. Of
> course it usually means getting into the office at 5 AM and wading
> through the honeypot email address to see where the next attack is
> coming from. :P

That's a different matter, the thread is about using geoip information.


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Groach




On 20/09/2016 11:53, Thomas Barth wrote:

Hello,

is it possible to use geoiplookup with Spamassassin? I want to reject 
all mails as spam not sent in my country or another second country, 
but accept whitelisted mailing list addresses. Any chance to use 
geoiplookup for this? I want to exclude spammer countries e.g. China, 
Taiwan, India, etc...





On 20/09/2016 18:56, Groach wrote:

This Spamassassin plugin will allow you to block by country.

Create the 'nerd.cf' file containing the code, put it in your 
spamassassin ETC directory, and uncomment the countries you wish to 
block.  Full details in the post. 
https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500





It seems others have taken this approach as a proven effective solution 
too: http://vdhout.nl/2015/07/block-email-from-foreign-countries






Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Groach

This Spamassassin plugin will allow you to block by country.

Create the 'nerd.cf' file containing the code, put it in your 
spamassassin ETC directory, and uncomment the countries you wish to 
block.  Full details in the post. 
https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500



On 20/09/2016 11:53, Thomas Barth wrote:

Hello,

is it possible to use geoiplookup with Spamassassin? I want to reject 
all mails as spam not sent in my country or another second country, 
but accept whitelisted mailing list addresses. Any chance to use 
geoiplookup for this? I want to exclude spammer countries e.g. China, 
Taiwan, India, etc...




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Shawn Bakhtiar

> On Sep 20, 2016, at 8:13 AM, RW  wrote:
> 
> On Tue, 20 Sep 2016 14:34:02 +
> Shawn Bakhtiar wrote:
> 
>> If you are strictly looking to block by IP addresses this is a far
>> better task left to the firewall, and configured by networks not
>> individual IP addresses. 
> 
> It shouldn't really be about blocking, it's about biasing the score. 
> 
> 

I humbly disagree

I find it interesting that most ISPs will block incoming connections like port 
80 so home users can't run their own web servers, effectively forcing them to 
use providers for services "in the name of security" but when it comes to 
outgoing connections they take no measures whatsoever.

Mind you, I'm not talking about blocking HTTP or DNS. I simply block them on the 
SMTP gateway (kernel level firewall), this reduces directed spearphishing by a 
lot when I catch it early enough. Of course it usually means getting into the 
office at 5 AM and wading through the honeypot email address to see where the 
next attack is coming from. :P




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread RW
On Tue, 20 Sep 2016 14:34:02 +
Shawn Bakhtiar wrote:

> If you are strictly looking to block by IP addresses this is a far
> better task left to the firewall, and configured by networks not
> individual IP addresses. 

It shouldn't really be about blocking, it's about biasing the score. 




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Shawn Bakhtiar
If you are strictly looking to block by IP addresses this is a far better task 
left to the firewall, and configured by networks not individual IP addresses. 

There are many ranges which should not be sending email directly (i.e. those 
allocated by providers to home users). Unfortunately finding all of them and 
keeping the list valid is a full time job. 

I believe this is the point behind RBLs, but they can be a bit slow picking up 
on directed phishing attacks. 

In those cases I look up the IP address at ARIN or RIPE, find the segment, and 
if it's anything other than a real ISP I block the network from my mail 
server. A kernel firewall is magnitudes faster than SA and can be your first 
line of defense, the same way I use RBLs at the MTA before the mail even gets 
to SA.

I also agree, there is plenty of blame to go around for all countries. This is 
not a region specific issue (though some tend to be more nefarious than others).


> On Sep 20, 2016, at 6:43 AM, Byung-Hee HWANG (황병희, 黃炳熙)  
> wrote:
> 
> Dear Thomas,
> 
> Thomas Barth wrote,
> (in the full article <5eddfcdb-957c-e7c0-b133-a40c7ab37...@txbweb.de>):
> 
>> Hello,
>> 
>> is it possible to use geoiplookup with Spamassassin? I want to reject
>> all mails as spam not sent in my country or another second country,
>> but accept whitelisted mailing list addresses. Any chance to use
>> geoiplookup for this? I want to exclude spammer countries e.g. China,
>> Taiwan, India, etc...
> 
> There are many people who contribute to FOSS projects all around the
> world. You should reconsider blocking by countries.
> 
> Sincerely,
> 
> -- 
> ^고맙습니다 _地平天成_ 감사합니다_^))//



Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Byung-Hee HWANG (황병희, 黃炳熙)
Dear Thomas,

Thomas Barth wrote,
(in the full article <5eddfcdb-957c-e7c0-b133-a40c7ab37...@txbweb.de>):

> Hello,
>
> is it possible to use geoiplookup with Spamassassin? I want to reject
> all mails as spam not sent in my country or another second country,
> but accept whitelisted mailing list addresses. Any chance to use
> geoiplookup for this? I want to exclude spammer countries e.g. China,
> Taiwan, India, etc...

There are many people who contribute to FOSS projects all around the
world. You should reconsider blocking by countries.

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Olivier
On 20/09/16 11:53, Thomas Barth wrote:
> Hello,
>
> is it possible to use geoiplookup with Spamassassin? I want to reject
> all mails as spam not sent in my country or another second country,
> but accept whitelisted mailing list addresses. Any chance to use
> geoiplookup for this? I want to exclude spammer countries e.g. China,
> Taiwan, India, etc...

Don't forget to exclude North America too, because they are the main
source of spam, by far.

Olivier

-- 


Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Paul Stead


On 20/09/16 11:53, Thomas Barth wrote:

Hello,

is it possible to use geoiplookup with Spamassassin? I want to reject
all mails as spam not sent in my country or another second country,
but accept whitelisted mailing list addresses. Any chance to use
geoiplookup for this? I want to exclude spammer countries e.g. China,
Taiwan, India, etc...


Hi Thomas,

The RelayCountry plugin would answer your needs:

https://wiki.apache.org/spamassassin/RelayCountryPlugin

Paul
--
Paul Stead
Systems Engineer
Zen Internet


Spam by IP-address? Spamassassin with geoiplookup?

2016-09-20 Thread Thomas Barth

Hello,

is it possible to use geoiplookup with Spamassassin? I want to reject 
all mails as spam not sent in my country or another second country, but 
accept whitelisted mailing list addresses. Any chance to use geoiplookup 
for this? I want to exclude spammer countries e.g. China, Taiwan, 
India, etc...