Re: Spam by IP-address? Spamassassin with geoiplookup?
On September 24, 2016 6:12:10 AM EDT, Thomas Barth wrote:
> Instead of URIBL_BLOCKED=0.001 I see URIBL_ABUSE_SURBL=1.948,
> URIBL_BLACK=1.7
>
> It's still not ok, is it?

That means it is working as intended, and your message has triggered hits on two separate blacklists.

--Sean
Re: Spam by IP-address? Spamassassin with geoiplookup?
Hello

On 23.09.2016 at 22:10, Lindsay Haisley wrote:
> On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> > As much as I love BIND (no, seriously, I do) it's very hard to recommend it as the first choice for a simple recursive resolver.
>
> Setting up bind as a "simple recursive resolver" is simplicity itself.
>
> acl goodclients {
>     1.2.3.0/24;
>     4.5.6.0/24;
>     127.0.0.1;
>     etc
> };
>
> options {
>     ..
>
>     recursion yes;
>     allow-query { goodclients; };
>
>     etc...
> };

I did it this way as I found it in someone's blog to configure a caching dns-server for mailserver with bind. When testing it by "dig google.de @127.0.0.1" the second call gets a query time of 0 msec. So bind9 works on my system. And as described in http://uribl.com/about.shtml#abuse the results for my mailserver are

host -tA 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com has address 127.0.0.14

host -tA blocked.uribl.com
Host blocked.uribl.com not found: 3(NXDOMAIN)

In one of the last spam mails the x-spam status is

X-Spam-Status: Yes, score=11.663 tag=2 tag2=6.31 kill=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.105, HTML_IMAGE_ONLY_28=0.726, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.105, RAZOR2_CF_RANGE_51_100=0.365, RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=1.729, RCVD_IN_BRBL_LASTEXT=1.644, T_REMOTE_IMAGE=0.01, URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7]

Instead of URIBL_BLOCKED=0.001 I see URIBL_ABUSE_SURBL=1.948, URIBL_BLACK=1.7

It's still not ok, is it?
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> On a more theoretical level, the
> fact that BIND is able to do virtually anything that anyone would ever
> want to do with a DNS server means that it has a broader potential
> attack surface in itself and is a richer prize if hijacked, either
> directly or as a consequence of a general system compromise.

Well bind9 seems to show up relatively rarely in CERT bulletins and pushed upgrades are rare enough to indicate to me that the current release for my server OS (BIND 9.9.5-3ubuntu0.8-Ubuntu (Extended Support Version)), which has been stable for 6 months, is pretty solid.

Exploit exposure is only as extensive with a package of this sort as what one makes it to be. Both Canonical and ISC, the upstream maintainer, are fastidious about security, but it's always possible, through ignorance or carelessness, to make secure software insecure through misconfiguration. Setting stock bind9 up as a simple recursive name server is a no-brainer, however, as I noted.

I'd be very happy to hear about exploits of bind9 set up with simple configuration as a recursive name server, with a proper acl. I keep my ear to the ground and haven't heard of such.

FWIW, I'm far less impressed with the general level of system administration knowledge on this SA forum than I am with the apparent knowledge of people whose postings and offerings elsewhere on the Internet re. subjects such as named have been vetted and reviewed by competent peers, as is the way of the world with open source software.

--
Lindsay Haisley       | "The first casualty when
FMP Computer Services |         war comes is truth."
512-259-1190          |
http://www.fmp.com    |     -- Hiram W Johnson
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:
>
> > On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> > >
> > > As much as I love BIND (no, seriously, I do) it's very hard to
> > > recommend
> > > it as the first choice for a simple recursive resolver.
> > Setting up bind as a "simple recursive resolver" is simplicity itself.
> Simplicity is generally a subjective, relative quality.
>
> Start Unbound with literally no explicit configuration and you get a
> working, safe, reasonably-configured resolver for localhost: the simple
> sort of resolver that a plurality of freestanding mail servers should
> have, perfect as a fix for the mistake of using dnsmasq locally. It's
> very hard to typo a config that doesn't exist.
>
> > acl goodclients {
> >     1.2.3.0/24;
> >     4.5.6.0/24;
> >     127.0.0.1;
> >     etc
> > };
> >
> > options {
> >     ..
> >
> >     recursion yes;
> >     allow-query { goodclients; };
> >
> >     etc...
> > };
> That's more than most mail server resolvers need and the real devil is
> in what could be in those ellipses...

The lines represented by ellipses are what's in the stock /etc/bin/named.conf.options file and aren't relevant to the issue of setting up a recursive DNS server. Check out the URL I sent, or the standard bind config on Debian or Ubuntu Server.

> Almost every week on this list you can see examples of people who are
> nominally and operationally sysadmins who have followed poor config
> advice found in dubious corners of the net or even on stale pages of the
> SA wiki, and the same class of error is a big risk of using BIND because
> of its age and breadth of capability. On a more theoretical level, the
> fact that BIND is able to do virtually anything that anyone would ever
> want to do with a DNS server means that it has a broader potential
> attack surface in itself and is a richer prize if hijacked, either
> directly or as a consequence of a general system compromise.

Well, these few config options for bind9 work fine for me :) And they always have. I've never had a problem. This ain't rocket science, as they say, and there's plenty of documentation out there. I'm not scared of bind configuration. I know how to make bind9 stand up and make pancakes for breakfast ;)

--
Lindsay Haisley       | "Humor will get you through times of no humor
FMP Computer Services | better than no humor will get you through
512-259-1190          | times of humor."
http://www.fmp.com    | - Butch Hancock
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23 Sep 2016, at 16:18, Greg Troxel wrote:

> "Bill Cole" writes:
>
>> On 22 Sep 2016, at 23:24, John Hardin wrote:
>>
>>> As far as I understand it, dnsmasq cannot be used for local
>>> recursion; it's purely a lightweight local DNS cache layer.
>>
>> Your understanding is correct; dnsmasq is unfit for service as a
>> resolver for a mail server because it cannot perform recursion, it
>> only does forwarding to other real DNS servers.
>
> True, but I don't see harm in forwarding queries to a local recursive
> server that is used only by one's own group of machines.

Sure, although 'local' is important for performance reasons. I've done similar things (with Solaris' nscd as a local cache as well as dnsmasq) to give MTA farms access to a unified cache on a shared recursive resolver, which can be a worthwhile tactic for performance.

> The problems
> all appear to be from forwarding queries to resolvers run by one's ISP
> or worse the google public ones.

For DNSBL volume blocking discussed here, that's always been the case as far as I've seen. However, as receiving systems scale up, a local recursive resolver on each MTA eventually doesn't save them from being blocked, it puts them at slightly more risk compared to using a shared local server providing a unified cache (as above.) Such a server also is the ideal place to host the local copies of the DNSBL zones one buys from their various providers (because that's the RIGHT thing to do when you REALLY have the volume to justify blockage...)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:

> On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> > As much as I love BIND (no, seriously, I do) it's very hard to recommend it as the first choice for a simple recursive resolver.
>
> Setting up bind as a "simple recursive resolver" is simplicity itself.

Simplicity is generally a subjective, relative quality.

Start Unbound with literally no explicit configuration and you get a working, safe, reasonably-configured resolver for localhost: the simple sort of resolver that a plurality of freestanding mail servers should have, perfect as a fix for the mistake of using dnsmasq locally. It's very hard to typo a config that doesn't exist.

> acl goodclients {
>     1.2.3.0/24;
>     4.5.6.0/24;
>     127.0.0.1;
>     etc
> };
>
> options {
>     ..
>
>     recursion yes;
>     allow-query { goodclients; };
>
>     etc...
> };

That's more than most mail server resolvers need and the real devil is in what could be in those ellipses...

Almost every week on this list you can see examples of people who are nominally and operationally sysadmins who have followed poor config advice found in dubious corners of the net or even on stale pages of the SA wiki, and the same class of error is a big risk of using BIND because of its age and breadth of capability. On a more theoretical level, the fact that BIND is able to do virtually anything that anyone would ever want to do with a DNS server means that it has a broader potential attack surface in itself and is a richer prize if hijacked, either directly or as a consequence of a general system compromise.

In short: BIND offers more paths to more high-risk and failure modes than Unbound, probably more than any other DNS server. That's not a general indictment of BIND, which I use myself on many systems where it's needed or is a properly configured incumbent on a stable system.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Fri, 23 Sep 2016, Greg Troxel wrote:

> "Bill Cole" writes:
>
> > On 22 Sep 2016, at 23:24, John Hardin wrote:
> >
> > > As far as I understand it, dnsmasq cannot be used for local recursion; it's purely a lightweight local DNS cache layer.
> >
> > Your understanding is correct; dnsmasq is unfit for service as a resolver for a mail server because it cannot perform recursion, it only does forwarding to other real DNS servers.
>
> True, but I don't see harm in forwarding queries to a local recursive server that is used only by one's own group of machines. The problems all appear to be from forwarding queries to resolvers run by one's ISP or worse the google public ones.

For that use case yes, dnsmasq would be appropriate.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 You know things are bad when Pravda says we [the USA] have gone too far to the left. -- Joe Huffman
---
 276 days since the first successful real return to launch site (SpaceX)
Re: Spam by IP-address? Spamassassin with geoiplookup?
"Bill Cole" writes:

> On 22 Sep 2016, at 23:24, John Hardin wrote:
>
>> As far as I understand it, dnsmasq cannot be used for local
>> recursion; it's purely a lightweight local DNS cache layer.
>
> Your understanding is correct; dnsmasq is unfit for service as a
> resolver for a mail server because it cannot perform recursion, it
> only does forwarding to other real DNS servers.

True, but I don't see harm in forwarding queries to a local recursive server that is used only by one's own group of machines. The problems all appear to be from forwarding queries to resolvers run by one's ISP or worse the google public ones.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> As much as I love BIND (no, seriously, I do) it's very hard to recommend
> it as the first choice for a simple recursive resolver.

Setting up bind as a "simple recursive resolver" is simplicity itself.

acl goodclients {
    1.2.3.0/24;
    4.5.6.0/24;
    127.0.0.1;
    etc
};

options {
    ..

    recursion yes;
    allow-query { goodclients; };

    etc...
};

--
Lindsay Haisley       | "The first casualty when
FMP Computer Services |         war comes is truth."
512-259-1190          |
http://www.fmp.com    |     -- Hiram W Johnson
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22 Sep 2016, at 23:24, John Hardin wrote:

> As far as I understand it, dnsmasq cannot be used for local recursion; it's purely a lightweight local DNS cache layer.

Your understanding is correct; dnsmasq is unfit for service as a resolver for a mail server because it cannot perform recursion, it only does forwarding to other real DNS servers.

> You may have to install the full BIND package and tell it to not forward.

As much as I love BIND (no, seriously, I do) it's very hard to recommend it as the first choice for a simple recursive resolver. Unbound does that just fine and doesn't come with BIND's baggage of trying to be the reference implementation of all subtypes of DNS server all at once. Anyone who thought they were doing just fine with dnsmasq can actually do anything they'll need with Unbound, and it is harder to get wrong than BIND.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23.09.2016 at 20:30, John Hardin wrote:
> On Fri, 23 Sep 2016, li...@rhsoft.net wrote:
> > On 23.09.2016 at 05:24, John Hardin wrote:
> > > On Thu, 22 Sep 2016, Thomas Barth wrote:
> > > > On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> > > > > URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
> > > > >
> > > > > fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
> > > >
> > > > I found an instruction here for a debian system
> > > > https://manageacloud.com/configuration/local_dns_caching
> > > >
> > > > Seems to work local dns caching but I don't understand why I shouldn't use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
> > >
> > > Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces.
> >
> > seriously?
>
> Yes. I have found that when providing advice, if you provide extraneous details quite often people will focus on them rather than the important points.

hence the bold *no forwarding*

> > "with *no forwarding*" is not clear enough that one comes two days later with a dnsmasq setup using opendns as forwarders where in fact i said explicit
>
> If they focused on "use a local caching resolver", sure. Obviously

sorry, but zero understanding

if someone is smart enough to know what to do the problem would not exist at all - if someone thinks he is so smart that he can stop reading in the middle of a single sentence without trying to understand it's a clear case of "damned don't manage any server connected to the internet"

AT LEAST when it still does not work by doing something random i expect someone step back and *read the whole fucking sentence* before write a new mail "did this and that but still don't work"
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Fri, 23 Sep 2016, li...@rhsoft.net wrote:

> On 23.09.2016 at 05:24, John Hardin wrote:
> > On Thu, 22 Sep 2016, Thomas Barth wrote:
> > > On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> > > > URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
> > > >
> > > > fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
> > >
> > > I found an instruction here for a debian system
> > > https://manageacloud.com/configuration/local_dns_caching
> > >
> > > Seems to work local dns caching but I don't understand why I shouldn't use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
> >
> > Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces.
>
> seriously?

Yes. I have found that when providing advice, if you provide extraneous details quite often people will focus on them rather than the important points.

> "with *no forwarding*" is not clear enough that one comes two days later with a dnsmasq setup using opendns as forwarders where in fact i said explicit

If they focused on "use a local caching resolver", sure. Obviously.

> > As far as I understand it, dnsmasq cannot be used for local recursion
>
> yes, and hence in my original mail you are partly quoting i stated don't use that crap, see above

It may need to be restated in a different way to actually be understood.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 One death is a tragedy; thirty is a media sensation; a million is a statistic. -- Joseph Stalin, modernized
---
 276 days since the first successful real return to launch site (SpaceX)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23.09.2016 at 10:47, li...@rhsoft.net wrote:
> that was one single line containing:
>
> * don't use dns forwarding
> * don't use dnsmasq (because it can only do forwarding)

DNS-Resolver with Bind9 is configured now and nameserver is 127.0.0.1. No URIBL_BLOCKED=0.001 in Spam-Status anymore.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23.09.2016 at 10:43, Thomas Barth wrote:
> On 23.09.2016 at 10:25, li...@rhsoft.net wrote:
> > On 22.09.2016 at 21:58, Bowie Bailey wrote:
> > > On 9/22/2016 3:40 PM, Thomas Barth wrote:
> > > > On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> > > > > fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
> >
> > for me that topic is finished - sorry but it needs to be said clear: you are not capable to run a mailserver because you are even not capable to read what you quote
>
> mimimi

instead of making sarcastic comments better explain what exactly did you not understand in "use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver" that you have nothing better to do than setup dnsmasq with 4 forwarders followed by complain "now i have done that but URIBL_BLOCKED is still there"

that was one single line containing:

* don't use dns forwarding
* don't use dnsmasq (because it can only do forwarding)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23.09.2016 at 10:25, li...@rhsoft.net wrote:
> On 22.09.2016 at 21:58, Bowie Bailey wrote:
> > On 9/22/2016 3:40 PM, Thomas Barth wrote:
> > > On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> > > > fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>
> for me that topic is finished - sorry but it needs to be said clear: you are not capable to run a mailserver because you are even not capable to read what you quote

mimimi
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 21:58, Bowie Bailey wrote:
> On 9/22/2016 3:40 PM, Thomas Barth wrote:
> > On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> > > fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver

for me that topic is finished - sorry but it needs to be said clear: you are not capable to run a mailserver because you are even not capable to read what you quote

i said don't use dnsmasq for that task because i know that it can only forwarding - i said don't use any forwarding - what are you doing days later: seek the first best howto explaining you how to install dnsmasq and bblow 4 forwarders in the configuration which is the opposite of what you have been told

and i had a reason saying *no forwarding* instead talking about dns-recursion because i am out of energy trying to explain the next 3 days what is recursion and seek links and docs to make a dns basic education which is your homework before you start to setup servers

> > I found an instruction here for a debian system
> > https://manageacloud.com/configuration/local_dns_caching
> >
> > /etc/resolv.conf
> > nameserver 127.0.0.1
> >
> > /etc/resolv.dnsmasq
> > nameserver 208.67.222.222
> > nameserver 208.67.220.220
> > nameserver 208.67.222.220
> > nameserver 208.67.220.222
> >
> > /etc/default/dnsmasq
> > DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
> >
> > But it is using dnsmasq for local dns caching. I've configured it, but I still see URIBL_BLOCKED=0.001 in a mail header
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 23.09.2016 at 05:24, John Hardin wrote:
> On Thu, 22 Sep 2016, Thomas Barth wrote:
> > On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> > > URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
> > >
> > > fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
> >
> > I found an instruction here for a debian system
> > https://manageacloud.com/configuration/local_dns_caching
> >
> > Seems to work local dns caching but I don't understand why I shouldn't use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
>
> Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces.

seriously?

"with *no forwarding*" is not clear enough that one comes two days later with a dnsmasq setup using opendns as forwarders where in fact i said explicit

"fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver"

> As far as I understand it, dnsmasq cannot be used for local recursion

yes, and hence in my original mail you are partly quoting i stated don't use that crap, see above
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Thu, 22 Sep 2016, Thomas Barth wrote:

> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> > URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
> >
> > fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>
> I found an instruction here for a debian system
> https://manageacloud.com/configuration/local_dns_caching
>
> Seems to work local dns caching but I don't understand why I shouldn't use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001

Lists shouldn't have said "caching", that confuses the issue. Caching and recursion are two different, unrelated pieces.

Focus on the "recursion" and "no forwarding" parts of that recommendation. If you're configuring a non-local DNS server's IP address anywhere in the mix (ignoring for the moment the root zones), you're doing it wrong.

As far as I understand it, dnsmasq cannot be used for local recursion; it's purely a lightweight local DNS cache layer. That's why Lists said don't use it for inbound mail.

You may have to install the full BIND package and tell it to not forward.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 A government is a lot like a gun: It's always loaded, and it's stupid and dangerous to point it at anything you don't intend to hurt. -- GOF at TSM
---
 275 days since the first successful real return to launch site (SpaceX)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 21:40, Thomas Barth wrote:
> > URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
> > http://uribl.com/refused.shtml
> >
> > fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>
> I found an instruction here for a debian system
> https://manageacloud.com/configuration/local_dns_caching
>
> /etc/resolv.conf
> nameserver 127.0.0.1
>
> /etc/resolv.dnsmasq
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> nameserver 208.67.222.220
> nameserver 208.67.220.222
>
> /etc/default/dnsmasq
> DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
>
> But it is using dnsmasq for local dns caching. I've configured it, but I still see URIBL_BLOCKED=0.001 in a mail header

because it is nonsense

the point is not that you use 127.0.0.1 as dns server - the point is that *nobody else* is using that dns server - i doubt that you are the only person on this planet using the 208.67.xx.xx opendns servers

frankly - get the basics!
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 9/22/2016 3:40 PM, Thomas Barth wrote:
> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> > On 21.09.2016 at 15:48, Thomas Barth wrote:
> > > X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
> >
> > URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
> > http://uribl.com/refused.shtml
> >
> > fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver
>
> I found an instruction here for a debian system
> https://manageacloud.com/configuration/local_dns_caching
>
> /etc/resolv.conf
> nameserver 127.0.0.1
>
> /etc/resolv.dnsmasq
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> nameserver 208.67.222.220
> nameserver 208.67.220.222
>
> /etc/default/dnsmasq
> DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"
>
> But it is using dnsmasq for local dns caching. I've configured it, but I still see URIBL_BLOCKED=0.001 in a mail header.
>
> with local caching it's a bit faster
>
> # for i in {1..100}; do time dig slashdot.org @localhost; done 2>&1 | grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
> 0.0076
> # for i in {1..100}; do time dig slashdot.org; done 2>&1 | grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
> 0.00962
>
> Seems to work local dns caching but I don't understand why I shouldn't use it for inbound mailserver and why I still see URIBL_BLOCKED=0.00

Because you are forwarding your DNS to OpenDNS (208.67.222.222, etc). You need to setup a DNS that does not do forwarding. I'm not sure dnsmasq can be configured this way. If you remove dnsmasq and install bind, it will probably do what you want without any further configuration. To make sure, you can take a look at the main bind config file (/etc/named.conf on CentOS -- I don't know if it is different with Debian) and make sure there are no "forwarders" statements.

--
Bowie
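The checks discussed in this thread (URIBL_BLOCKED in X-Spam-Status, no non-local nameserver behind the local cache, no "forwarders" statement in the BIND config) as one script. This is an added example, not part of any message in the thread; the function names are hypothetical and the config texts are constructed samples modelled on the ones posted here.

```python
"""Audit a mail host's resolver setup for DNS forwarding (added example)."""
import ipaddress
import re

# X-Spam-Status value as quoted in the thread (dnsmasq forwarding to OpenDNS).
HEADER_BLOCKED = (
    "No, score=3.004 tagged_above=2 required=6.31 "
    "tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, "
    "SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no"
)
# Constructed: shortened from the header quoted after the switch to local BIND.
HEADER_WORKING = (
    "Yes, score=11.663 tag=2 tag2=6.31 kill=6.31 "
    "tests=[DKIM_SIGNED=0.1, RAZOR2_CHECK=1.729, URIBL_ABUSE_SURBL=1.948, "
    "URIBL_BLACK=1.7]"
)
# Constructed config samples.
RESOLV_CONF = "nameserver 127.0.0.1\n"
DNSMASQ_UPSTREAM = "nameserver 208.67.222.222\nnameserver 208.67.220.220\n"
NAMED_FORWARDING = """
options {
    directory "/var/cache/bind";
    // forwarders { 192.0.2.53; };   commented out: must be ignored
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
};
"""
NAMED_RECURSIVE = """
acl goodclients { 127.0.0.1; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { goodclients; };
};
"""


def parse_spam_status(value):
    """Return (score, {rule: points}) from an X-Spam-Status header value."""
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", value)
    tests = re.search(r"tests=\[(.*?)\]", value, re.S)
    rules = {}
    for item in (tests.group(1).split(",") if tests else []):
        name, _, points = item.strip().partition("=")
        if not name:
            continue
        try:
            rules[name] = float(points)
        except ValueError:
            rules[name] = 0.0
    return (float(score.group(1)) if score else None), rules


def uribl_hits(rules):
    """URIBL_* rules that carry real list data (URIBL_BLOCKED is not one)."""
    return sorted(r for r in rules
                  if r.startswith("URIBL_") and r != "URIBL_BLOCKED")


def nonlocal_nameservers(resolv_text):
    """Nameserver entries in resolv.conf syntax that are not loopback."""
    found = []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            if ipaddress.ip_address(fields[1]).is_loopback:
                continue
        except ValueError:
            pass  # unparsable address: report it rather than trust it
        found.append(fields[1])
    return found


def bind_forwarders(named_text):
    """Addresses listed in any uncommented 'forwarders { ... }' block."""
    text = re.sub(r"/\*.*?\*/", "", named_text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    addrs = []
    pattern = r"\bforwarders\s*(?:port\s+\d+\s*)?\{(.*?)\}"
    for block in re.findall(pattern, text, re.S):
        addrs += [a.split()[0] for a in block.split(";") if a.strip()]
    return addrs


def audit(header, resolv_text, upstream_text="", named_text=""):
    """Collect every sign that DNSBL queries leave via a shared resolver."""
    findings = []
    _, rules = parse_spam_status(header)
    if "URIBL_BLOCKED" in rules:
        findings.append("URIBL_BLOCKED hit: URIBL refused the query source")
    for ip in nonlocal_nameservers(resolv_text):
        findings.append(f"resolv.conf uses non-local resolver {ip}")
    for ip in nonlocal_nameservers(upstream_text):
        findings.append(f"local cache forwards to {ip}")
    for ip in bind_forwarders(named_text):
        findings.append(f"named.conf forwards to {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit(HEADER_BLOCKED, RESOLV_CONF, DNSMASQ_UPSTREAM):
        print("FAIL:", finding)
    print("after fix:", audit(HEADER_WORKING, RESOLV_CONF,
                              named_text=NAMED_RECURSIVE) or "no findings")
```

A resolv.conf that lists only 127.0.0.1 passes the first check, which is why the upstream file and the BIND options have to be audited as well.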
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> On 21.09.2016 at 15:48, Thomas Barth wrote:
> > X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
>
> URIBL_BLOCKED shows you are using still a dns-forwarder and so won't get results from a lot of blacklists
> http://uribl.com/refused.shtml
>
> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for a inbound mailserver

I found an instruction here for a debian system
https://manageacloud.com/configuration/local_dns_caching

/etc/resolv.conf
nameserver 127.0.0.1

/etc/resolv.dnsmasq
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 208.67.222.220
nameserver 208.67.220.222

/etc/default/dnsmasq
DNSMASQ_OPTS="-r /etc/resolv.dnsmasq"

But it is using dnsmasq for local dns caching. I've configured it, but I still see URIBL_BLOCKED=0.001 in a mail header.

with local caching it's a bit faster

# for i in {1..100}; do time dig slashdot.org @localhost; done 2>&1 | grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
0.0076
# for i in {1..100}; do time dig slashdot.org; done 2>&1 | grep ^real | sed -e s/.*m// | awk '{sum += $1} END {print sum / NR}'
0.00962

Seems to work local dns caching but I don't understand why I shouldn't use it for inbound mailserver and why I still see URIBL_BLOCKED=0.001
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Thu, 22 Sep 2016, Thomas Barth wrote:

> And what about filter poisoning? In the last 10 hours my company address got 43 mails classified as spam (even a virus mail detected today). And there was one mail classified as spam due to my rule (bad country, message-id).
>
> X-Spam-Status: Yes, score=7.474 tag=2 tag2=6.31 kill=6.31 tests=[MESSAGEID_LOCAL=3, RDNS_NONE=1.274, RELAYCOUNTRY_BAD=3.2] autolearn=no autolearn_force=no
>
> The content of the mail is:
>
> From: "Lupe Monroe"
> To: "my boss address"
> Subject: Payment approved
> MIME-Version: 1.0
> Content-Type: multipart/related; boundary="boundary_af9c8db46eb73fca8b315aafef01"
> Message-Id: <20160922063255.e11d3e5...@static.vnpt.vn.local>
> Date: Thu, 22 Sep 2016 06:32:55 +0700
>
> --boundary_af9c8db46eb73fca8b315aafef01
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: 8bit
>
> Dear so,
> Your payment has been approved. Your account will be debited within two days.
> You can email us for any query regarding your account.
> Thank you.
> Lupe Monroe
> Support
>
> --boundary_af9c8db46eb73fca8b315aafef01
> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip.virus-scan-me.virus-scan-me"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="e6dfa16bdb.zip.virus-scan-me.virus-scan-me"
>
> There is no spam content, am I right? Normal words and content that a normal person can use. I don't need spam learning for all the mails already classified as spam with high score. Spam with low score are interesting for spam learning like this one. But when I use these mails for spam learning there is a risk of false positive some day, because it has learned that normal mails are also spam?

You are missing the point that Bayes uses more than just body words from a message. It also looks at headers and meta-data. So those particular body words could become "neutral" (neither spam nor ham indicators) but the other components of that message (such as that '.vn.local' message ID) would be learned as spam signs.

This is why you MUST also train your Bayes with HAM messages (and train them with the --ham flag) so Bayes knows how to recognise 'hammy' or 'neutral' tokens to prevent false-positives.

--
Dave Funk                           University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549    1256 Seamans Center
Sys_admin/Postmaster/cell_admin     Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Thu, 22 Sep 2016, Thomas Barth wrote:

> Hi ho, a virus was found: Sanesecurity.Malware.26327.JsHeur.UNOFFICIAL
>
> Scanner detecting a virus: ClamAV-clamd
> Content type: Virus
> Internal reference code for the message is 35123-18/WRf_y9XIIOFq
> First upstream SMTP client IP address: [103.230.105.6]
> According to a 'Received:' trace, the message apparently originated at: [103.230.105.6], [103.230.107.6] unknown [103.230.105.6]

You REALLY should get your DNSBL problem fixed. Once you get DNSBLs working it will help a lot. That particular IP address hit almost a dozen different RBLs here, including some that I use at the SMTP level to outright block incoming traffic (such as cbl.abuseat.org, Spamhaus PBL, SBL).

--
Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 2016-09-22 12:32, Thomas Barth wrote:

> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here: https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL

you have to configure it as well

here i have 2 clamd, one with official signatures, and another with 3rd party signatures, so both clamd have different database dir

configure the script to only update the unofficial clamd database dir

when this is in place one can use clamav milter to reject from clamd with official sigs, and another clamav milter to just add virus header to mail, next with that is to make a header test in spamassassin with a spam score for 3rd party sigs in clamav

> I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get a loading error when opening the zip file. I suppose it contains a javascript file (name.pdf.js)

just make sure the clamav detect its malware, and you are done, but keep in mind not reject 3rd party virus :=)

note as well foxhole is good candidate to be reject based on, you can make that happen if using pr sigs scanning in spamassassin header testing, so spamass-milter will reject it, do not use one clamd and one clamav-milter for all this
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:41, li...@rhsoft.net wrote:

>> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here: https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL
>
> dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/

Hi ho, a virus was found: Sanesecurity.Malware.26327.JsHeur.UNOFFICIAL

Scanner detecting a virus: ClamAV-clamd
Content type: Virus
Internal reference code for the message is 35123-18/WRf_y9XIIOFq
First upstream SMTP client IP address: [103.230.105.6]
According to a 'Received:' trace, the message apparently originated at: [103.230.105.6], [103.230.107.6] unknown [103.230.105.6]

I added this to my mailserver documentation to install clamav-unofficial-sigs package during next mailserver installation :)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:59, Thomas Barth wrote:

> On 22.09.2016 at 12:41, li...@rhsoft.net wrote:
>>> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here: https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL
>>
>> dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/
>>
>> may i ask why you put such a unfinished and untested in many ways setup in production?
>
> The mailservers are ready and work very good but can be improved. And I only improve them when there is a need to do it. If there is a spam mail going through again, I'm going the next step ;-)

i see - that good that you add poison pill rules for message-id and similar because the other parts, even very basic ones, are not working and scores are not adjusted while the SA header tells you exactly your problems to catch things :-)

but do what you want

>>> I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get a loading error when opening the zip file.
>>
>> what are you doing?
>
> When you ever have parsed emails for content then you would know that you can extract parts of raw mails to specific file types and open them. I don't know why I get an error this time, but don't have time to find an answer now.

i know more about email than you think but that's no reason for wasting time when you can just drag a message to a mail client as you are saying by yourself "don't have time"
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:41, li...@rhsoft.net wrote:

>> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here: https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL
>
> dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/
>
> may i ask why you put such a unfinished and untested in many ways setup in production?

The mailservers are ready and work very good but can be improved. And I only improve them when there is a need to do it. If there is a spam mail going through again, I'm going the next step ;-)

>> I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get a loading error when opening the zip file.
>
> what are you doing?

When you ever have parsed emails for content then you would know that you can extract parts of raw mails to specific file types and open them. I don't know why I get an error this time, but don't have time to find an answer now.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 12:32, Thomas Barth wrote:

> On 22.09.2016 at 11:50, li...@rhsoft.net wrote:
>> On 22.09.2016 at 11:36, Benny Pedersen wrote:
>>> On 2016-09-22 10:16, Thomas Barth wrote:
>>>> The content of the mail is:
>>>>
>>>> --boundary_af9c8db46eb73fca8b315aafef01
>>>> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
>>>> Content-Transfer-Encoding: base64
>>>> Content-Disposition: attachment; filename="e6dfa16bdb.zip"
>>>
>>> what's in this zip file?
>>
>> malware as in all attachments from this type of spam, easily to detect by clamd with sanesecurity signatures
>
> I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here: https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL

dunno - and it's off-topic here - we use own scripts to update the signatures and that stuff is caught by http://sanesecurity.com/foxhole-databases/

may i ask why you put such a unfinished and untested in many ways setup in production?

> I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get a loading error when opening the zip file.

what are you doing? uncompress the mail and drag the raw-mail with .eml extension in thunderbird from where you can simply save the attachment instead grab manually around in multipart-mails

> I suppose it contains a javascript file (name.pdf.js)

or .wsf/.exe/.jar and so on - they are changing all the time
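An added example, not part of any post in this thread: one way to look inside such a quarantined copy without a mail client and without unpacking anything. It parses the raw mail (gzip-compressed or not) with Python's standard email module, decodes each attachment and lists zip member names only; the sample message, the member name invoice.pdf.js and the extension list are constructed for illustration.

```python
import gzip
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script/executable extensions named in the thread (.js, .wsf, .exe, .jar)
# plus a few relatives; the list is an assumption, extend it as needed.
RISKY_EXT = (".js", ".jse", ".wsf", ".vbs", ".exe", ".jar", ".scr")


def load_quarantined(raw: bytes):
    """Parse a raw mail; gunzip first if it is a compressed quarantine copy."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    return message_from_bytes(raw, policy=policy.default)


def triage(raw: bytes):
    """Return one dict per named attachment; zip members are listed, never extracted."""
    report = []
    for part in load_quarantined(raw).walk():
        if part.is_multipart() or part.get_filename() is None:
            continue
        # decode=True undoes the Content-Transfer-Encoding (base64 here);
        # the encoded text saved as-is is not a valid zip file.
        data = part.get_payload(decode=True) or b""
        entry = {"filename": part.get_filename(), "type": part.get_content_type(),
                 "size": len(data), "members": [], "suspicious": [], "error": None}
        if data[:2] == b"PK":  # zip local-file or end-of-directory signature
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        entry["members"].append(info.filename)
                        if info.filename.lower().endswith(RISKY_EXT):
                            entry["suspicious"].append(info.filename)
            except zipfile.BadZipFile as exc:
                entry["error"] = f"unreadable zip: {exc}"
        report.append(entry)
    return report


def build_sample(payload: bytes = None) -> bytes:
    """Constructed stand-in for a quarantine file; the zip holds a harmless text stub."""
    if payload is None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("invoice.pdf.js", "// constructed placeholder, harmless\n")
        payload = buf.getvalue()
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "boss@example.invalid"
    msg["Subject"] = "Payment approved"
    msg.set_content("Your payment has been approved.")
    msg.add_attachment(payload, maintype="application",
                       subtype="x-zip-compressed", filename="e6dfa16bdb.zip")
    return gzip.compress(msg.as_bytes())


if __name__ == "__main__":
    for item in triage(build_sample()):
        print(item)
```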
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 11:50, li...@rhsoft.net wrote:

> On 22.09.2016 at 11:36, Benny Pedersen wrote:
>> On 2016-09-22 10:16, Thomas Barth wrote:
>>> The content of the mail is:
>>>
>>> --boundary_af9c8db46eb73fca8b315aafef01
>>> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
>>> Content-Transfer-Encoding: base64
>>> Content-Disposition: attachment; filename="e6dfa16bdb.zip"
>>
>> what's in this zip file?
>
> malware as in all attachments from this type of spam, easily to detect by clamd with sanesecurity signatures

I've installed clamav-unofficial-sigs by debian package. If this is not working good enough I will try the installation I found here: https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL

I don't know what is in the zip file. I just have a compressed copy of the mail. I tried to save the content of the zip boundary part in a zip file but I get a loading error when opening the zip file. I suppose it contains a javascript file (name.pdf.js)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 18:47, Bowie Bailey wrote:

> That is ridiculous. The more training bayes gets the better it works. And manual training is better than autolearning because autolearning can automatically learn false positives and false negatives and cause problems for the database.

correct according to my experience.

On 22.09.16 10:16, Thomas Barth wrote:

> And what about filter poisoning? In the last 10 hours my company address got 43 mails classified as spam (even a virus mail detected today). And there was one mail classified as spam due to my rule (bad country, message-id).
>
> X-Spam-Status: Yes, score=7.474 tag=2 tag2=6.31 kill=6.31 tests=[MESSAGEID_LOCAL=3, RDNS_NONE=1.274, RELAYCOUNTRY_BAD=3.2] autolearn=no autolearn_force=no

there's no poisoning, unless you count your two rules with incredibly high score (which is why rules should not have too big scores). Lower scores of those two...

according to your previous mail you have:

- rule RP_MATCHES_RCVD scoring -3.096 that should be increased to -0.001 (already recommended by li...@rhsoft.net) or killed/zeroed (recommended by me)
- rule URIBL_BLOCKED indicating you use DNS server used by too many clients. Set up your own recursing nameserver, BIND or unbound and don't configure it to forward queries to upstream.

> There is no spam content, am I right? Normal words and content that a normal person can use.

spammers typically use "normal words and content that a normal person can use", that's why it's so hard to catch spam. BAYES helps you find the differences between spam and ham and you can trust us it works great.

> I don't need spam learning for all the mails already classified as spam with high score. Spam with low score are interesting for spam learning like this one. But when I use these mails for spam learning there is a risk of false positive some day, because it has learned that normal mails are also spam?

you must of course train ham mail, especially false positives, bayes needs to be trained with ham too, because it needs to see the differences. if you train ham with big bayes score, it will help you much.

since you already got false positive without using BAYES, I think it's useless to be reluctant about it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I intend to live forever - so far so good.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 11:36, Benny Pedersen wrote:

> On 2016-09-22 10:16, Thomas Barth wrote:
>> The content of the mail is:
>>
>> --boundary_af9c8db46eb73fca8b315aafef01
>> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment; filename="e6dfa16bdb.zip"
>
> what's in this zip file?

malware as in all attachments from this type of spam, easily to detect by clamd with sanesecurity signatures
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 2016-09-22 10:16, Thomas Barth wrote:

> The content of the mail is:
>
> --boundary_af9c8db46eb73fca8b315aafef01
> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="e6dfa16bdb.zip"

what's in this zip file?
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22/09/16 09:16, Thomas Barth wrote:

> --boundary_af9c8db46eb73fca8b315aafef01
> Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="e6dfa16bdb.zip"

This run of emails can be blocked using the Sanesecurity ClamAV ruleset for Foxhole - http://sanesecurity.org/

Paul

--
Paul Stead
Systems Engineer
Zen Internet
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 22.09.2016 at 10:16, Thomas Barth wrote:

> On 21.09.2016 at 18:47, Bowie Bailey wrote:
>> That is ridiculous. The more training bayes gets the better it works. And manual training is better than autolearning because autolearning can automatically learn false positives and false negatives and cause problems for the database.
>
> And what about filter poisoning? In the last 10 hours my company address got 43 mails classified as spam (even a virus mail detected today). And there was one mail classified as spam due to my rule (bad country, message-id).
>
> Dear so, Your payment has been approved. Your account will be debited within two days. You can email us for any query regarding your account. Thank you. Lupe Monroe Support
>
> There is no spam content, am I right? Normal words and content that a normal person can use. I don't need spam learning for all the mails already classified as spam with high score. Spam with low score are interesting for spam learning like this one. But when I use these mails for spam learning there is a risk of false positive some day, because it has learned that normal mails are also spam?

no you are not right - that *is spam content* and has nothing to do with bayes poisoning - in fact that are malware messages - known by our bayes for at least 12 months and already BAYES_99 stuff will not be trained

it's the job of the bayes filter to find the minimal but existing differences and mistakes between that and similar ham and *hence* autolearning won't work in general because you need still to decide and classify the border cases

bayes poisoning can become a problem and is *another* reason why you train your filter manually instead let him decide itself and if it once decided wrong learn more and more in the wrong direction

but that above is NOT bayes poisoning
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 18:47, Bowie Bailey wrote:

> That is ridiculous. The more training bayes gets the better it works. And manual training is better than autolearning because autolearning can automatically learn false positives and false negatives and cause problems for the database.

And what about filter poisoning? In the last 10 hours my company address got 43 mails classified as spam (even a virus mail detected today). And there was one mail classified as spam due to my rule (bad country, message-id).

X-Spam-Status: Yes, score=7.474 tag=2 tag2=6.31 kill=6.31 tests=[MESSAGEID_LOCAL=3, RDNS_NONE=1.274, RELAYCOUNTRY_BAD=3.2] autolearn=no autolearn_force=no

The content of the mail is:

From: "Lupe Monroe"
To: "my boss address"
Subject: Payment approved
MIME-Version: 1.0
Content-Type: multipart/related; boundary="boundary_af9c8db46eb73fca8b315aafef01"
Message-Id: <20160922063255.e11d3e5...@static.vnpt.vn.local>
Date: Thu, 22 Sep 2016 06:32:55 +0700

--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Dear so, Your payment has been approved. Your account will be debited within two days. You can email us for any query regarding your account. Thank you. Lupe Monroe Support

--boundary_af9c8db46eb73fca8b315aafef01
Content-Type: application/x-zip-compressed; name="e6dfa16bdb.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="e6dfa16bdb.zip"

There is no spam content, am I right? Normal words and content that a normal person can use. I don't need spam learning for all the mails already classified as spam with high score. Spam with low score are interesting for spam learning like this one. But when I use these mails for spam learning there is a risk of false positive some day, because it has learned that normal mails are also spam?
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 9/21/2016 12:28 PM, Thomas Barth wrote:

> On 21.09.2016 at 18:00, li...@rhsoft.net wrote:
>> the problem of the OP is that he starts things the other side round and first reject without good evidence and don't have anything to make the system bulletproof because it's rejected
>
> I remembered that I read a book about Postfix with the topic "Training with SpamAssassin". And the author was against additional training. The more you train the worse the result. With the motto "I cook an egg for more than 15 minutes, but it is still hard." There are other arguments for not autolearning, but my english is not that good to translate a complete chapter. And if there are some mails breaking through the wall, then it is better to create rules against the header. Clear facts without side effects.

That is ridiculous. The more training bayes gets the better it works. And manual training is better than autolearning because autolearning can automatically learn false positives and false negatives and cause problems for the database.

If you are getting a bunch of similar spams coming through, you can definitely create custom rules, but you are going to be making new rules constantly. A good bayes database can automatically block some of those spams so you don't have to do as much work creating new rules for every new spam campaign.

> He also wrote that Amavis/SpamAssassin is learning itself. Each mail classified as spam with a score of more than 12.0 is learned as spam and there should be a logfile entry with loglevel 2 if a mail has been learned as spam. I never increased the loglevel to check that.

SpamAssassin does autolearning by default, but it can make mistakes. It assumes that all high-scoring mail is spam and all low-scoring mail is ham. This is not necessarily true. You need to supplement this with at least enough manual learning to re-train the mistakes.

> I followed his opinion because it is the best book I've got (www.postfix.de, next SpamAssassin/Amavis training course in November, I'm thinking of participation)

There are a lot of people on this list who have been using SA for a long time (about 12 years for me). You will sometimes get differing advice, but that is a good thing. I would much rather believe the consensus of a bunch of people with experience than one guy who decided to write a book.

--
Bowie
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 18:28, Thomas Barth wrote:

> On 21.09.2016 at 18:00, li...@rhsoft.net wrote:
>> the problem of the OP is that he starts things the other side round and first reject without good evidence and don't have anything to make the system bulletproof because it's rejected
>
> I remembered that I read a book about Postfix with the topic "Training with SpamAssassin". And the author was against additional training. The more you train the worse the result. With the motto "I cook an egg for more than 15 minutes, but it is still hard." There are other arguments for not autolearning, but my english is not that good to translate a complete chapter. And if there are some mails breaking through the wall, then it is better to create rules against the header. Clear facts without side effects.
>
> He also wrote that Amavis/SpamAssassin is learning itself. Each mail classified as spam with a score of more than 12.0 is learned as spam and there should be a logfile entry with loglevel 2 if a mail has been learned as spam. I never increased the loglevel to check that.
>
> I followed his opinion because it is the best book I've got (www.postfix.de, next SpamAssassin/Amavis training course in November, I'm thinking of participation)

"against additional training" and "other arguments for not autolearning" are the exactly *opposite*, however, i can assure you that a well trained bayes with any autolearning reaches a 90-95% hit quote proven by 5 false positives and 30 spamreports on some hundred users in 2016

autolearning is anyways bad because it tends to classify already FN or FP in the exactly wrong direction - you need to train *wrong classified* mail where you are 100% sure if it's spam or ham and just ignore anything where you are unsure, the rest will have common patterns which are learned over time with your well classified ones

anyways, a spamfilter completely without bayes and URIBL not working has no business to run in production
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 18:00, li...@rhsoft.net wrote:

> the problem of the OP is that he starts things the other side round and first reject without good evidence and don't have anything to make the system bulletproof because it's rejected

I remembered that I read a book about Postfix with the topic "Training with SpamAssassin". And the author was against additional training. The more you train the worse the result. With the motto "I cook an egg for more than 15 minutes, but it is still hard." There are other arguments for not autolearning, but my english is not that good to translate a complete chapter. And if there are some mails breaking through the wall, then it is better to create rules against the header. Clear facts without side effects.

He also wrote that Amavis/SpamAssassin is learning itself. Each mail classified as spam with a score of more than 12.0 is learned as spam and there should be a logfile entry with loglevel 2 if a mail has been learned as spam. I never increased the loglevel to check that.

I followed his opinion because it is the best book I've got (www.postfix.de, next SpamAssassin/Amavis training course in November, I'm thinking of participation)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 17:53, Sean Greenslade wrote:

> As for your spam rejection paradigm, I can't possibly imagine that working well unless you have a very close relationship with every single person who emails you. If I send my resume to a job recruiter and they get a bounce when they email me back, I highly doubt they're going to bother to call me up and tell me my email system is broken. My resume's going in the trash and they're moving on. Just because you haven't received any calls doesn't mean there's no problems...

it's absolutely no problem to outright reject high scored spam and tag the likely spam stuff - BUT the prerequisite for doing so is to collect bayes data, watch how the systems operate and after its classification is proven good and all sort of scores are adjusted decide what is the safe reject score

the problem of the OP is that he starts things the other side round and first reject without good evidence and don't have anything to make the system bulletproof because it's rejected

when one starts with dangerous rules like reject based on message-id, not realize that his blacklists are not working and bayes don't work this system is *not* production ready at all
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Wed, Sep 21, 2016 at 05:23:46PM +0200, Thomas Barth wrote:

> I can't do that because I don't have spam mails. I don't make store I didn't think that I need the spam uncompressed in a folder for autolearning, I thought it works when sa is analyzing the mail. My mailsystem checks mails in real time and blocks mail during connection. If there is a false positive the sender gets an error and I get a call of the sender to check it (last call was over a year ago :-). But I have a compressed copy in the quarantine folder so that I can check the reason anyway.
>
> find /var/lib/amavis/virusmails/ -type f -name "spam-*.gz" -mmin -60 -exec ls -hal {} \;
> -rw-r- 1 amavis amavis 23K Sep 21 16:30 /var/lib/amavis/virusmails/n/spam-nH0HbPBqwMoV.gz
> -rw-r- 1 amavis amavis 23K Sep 21 17:00 /var/lib/amavis/virusmails/6/spam-6e2vFSpi_vsr.gz
> -rw-r- 1 amavis amavis 11K Sep 21 16:48 /var/lib/amavis/virusmails/O/spam-Ojbq0dV-TYc2.gz
> -rw-r- 1 amavis amavis 22K Sep 21 17:05 /var/lib/amavis/virusmails/O/spam-Owoyctlsyvzz.gz
>
> so, no autolearning

You could write a script that decompresses the files and feeds them one by one to sa-learn. Not too difficult, I would imagine.

As for your spam rejection paradigm, I can't possibly imagine that working well unless you have a very close relationship with every single person who emails you. If I send my resume to a job recruiter and they get a bounce when they email me back, I highly doubt they're going to bother to call me up and tell me my email system is broken. My resume's going in the trash and they're moving on. Just because you haven't received any calls doesn't mean there's no problems...

--Sean
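An added sketch of the script suggested in the post above, not code from any participant: it decompresses each spam-*.gz copy from a directory the administrator has already sorted by hand and passes it to sa-learn with --spam or --ham. The function name and the learn_cmd parameter (which lets the command be swapped for testing) are assumptions of this example; run it as the user that owns the Bayes database, as pointed out elsewhere in the thread.

```python
import gzip
import subprocess
import tempfile
import zlib
from pathlib import Path


def learn_quarantine(directory, kind, learn_cmd=("sa-learn",), pattern="spam-*.gz"):
    """Decompress each hand-checked quarantine copy and pass it to sa-learn.

    kind is "spam" or "ham" and selects sa-learn's --spam / --ham switch.
    Returns {"learned": [names], "failed": [(name, reason), ...]}.
    """
    if kind not in ("spam", "ham"):
        raise ValueError("kind must be 'spam' or 'ham'")
    result = {"learned": [], "failed": []}
    # amavis spreads quarantine files over one-character subdirectories,
    # so search recursively.
    for gz_path in sorted(Path(directory).rglob(pattern)):
        try:
            raw = gzip.decompress(gz_path.read_bytes())
        except (OSError, EOFError, zlib.error) as exc:
            # Truncated or non-gzip file: record it and keep going.
            result["failed"].append((gz_path.name, f"decompress: {exc}"))
            continue
        # sa-learn takes the message as a file argument; the temp file is
        # removed as soon as the command has finished.
        with tempfile.NamedTemporaryFile(suffix=".eml") as tmp:
            tmp.write(raw)
            tmp.flush()
            proc = subprocess.run([*learn_cmd, f"--{kind}", tmp.name],
                                  capture_output=True, text=True)
        if proc.returncode == 0:
            result["learned"].append(gz_path.name)
        else:
            reason = proc.stderr.strip() or f"exit {proc.returncode}"
            result["failed"].append((gz_path.name, reason))
    return result


if __name__ == "__main__":
    import sys
    # Example: python learn.py /path/to/hand-checked-spam spam
    outcome = learn_quarantine(sys.argv[1], sys.argv[2])
    print(f"learned {len(outcome['learned'])}, failed {len(outcome['failed'])}")
    for name, reason in outcome["failed"]:
        print(f"  {name}: {reason}")
```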
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 17:23, Thomas Barth wrote:

> On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
>>> #bayes
>>> use_bayes 1
>>> use_bayes_rules 1
>>> bayes_auto_learn 1
>>
>> so your setup either don't use that config (amavis or something like that part of the game then you don't have just spamassassin) or you have not trained enough spam *and* ham - or you train the wrong bayes-database likely by calling "sa-learn" with the wrong user
>>
>> https://wiki.apache.org/spamassassin/SiteWideBayesSetup
>
> I can't do that because I don't have spam mails. I don't make store I didn't think that I need the spam uncompressed in a folder for autolearning, I thought it works when sa is analyzing the mail

how do you imagine autolearning from start with nothing trained? just rely on rules and the train on false positives and negatives, in other words every rejected message as spam and every passed as ham won't work and when you think about it 10 seconds it should be obvious

anyways, you can't tell me that there are no mails which didn't make it through the filters which were spam

to find 200 of them and 200 ham should be even more easy as long as you don't delete your mail after read

> My mailsystem checks mails in real time and blocks mail during connection. If there is a false positive the sender gets an error and I get a call of the sender to check it (last call was over a year ago :-). But I have a compressed copy in the quarantine folder so that I can check the reason anyway.

don't change the fact that you need the stuff which was wrong classified and tell SA if it's good or bad to make the filter better
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 16:13, li...@rhsoft.net wrote:

>> #bayes
>> use_bayes 1
>> use_bayes_rules 1
>> bayes_auto_learn 1
>
> so your setup either don't use that config (amavis or something like that part of the game then you don't have just spamassassin) or you have not trained enough spam *and* ham - or you train the wrong bayes-database likely by calling "sa-learn" with the wrong user
>
> https://wiki.apache.org/spamassassin/SiteWideBayesSetup

I can't do that because I don't have spam mails. I don't make store I didn't think that I need the spam uncompressed in a folder for autolearning, I thought it works when sa is analyzing the mail. My mailsystem checks mails in real time and blocks mail during connection. If there is a false positive the sender gets an error and I get a call of the sender to check it (last call was over a year ago :-). But I have a compressed copy in the quarantine folder so that I can check the reason anyway.

find /var/lib/amavis/virusmails/ -type f -name "spam-*.gz" -mmin -60 -exec ls -hal {} \;
-rw-r- 1 amavis amavis 23K Sep 21 16:30 /var/lib/amavis/virusmails/n/spam-nH0HbPBqwMoV.gz
-rw-r- 1 amavis amavis 23K Sep 21 17:00 /var/lib/amavis/virusmails/6/spam-6e2vFSpi_vsr.gz
-rw-r- 1 amavis amavis 11K Sep 21 16:48 /var/lib/amavis/virusmails/O/spam-Ojbq0dV-TYc2.gz
-rw-r- 1 amavis amavis 22K Sep 21 17:05 /var/lib/amavis/virusmails/O/spam-Owoyctlsyvzz.gz

so, no autolearning
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 9/21/2016 9:48 AM, Thomas Barth wrote:

> On 20.09.2016 at 13:12, Paul Stead wrote:
>> Hi Thomas, The RelayCountry plugin would answer your needs: https://wiki.apache.org/spamassassin/RelayCountryPlugin
>
> Hello Paul, I've activated that Plugin and installed the geoip module (aptitude install libgeo-ip-perl), seems to work. I've tested it with my own address. I've also reduced the score for MESSAGEID_LOCAL because I've found a past mail of one of our partners with .local in the message-id :)
>
> X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
>
> @all You all say that bayes is not working in my setup. I don't know why. I followed a documentation for setting up my mailserver. It says:
>
> nano /etc/spamassassin/local.cf
>
> #bayes
> use_bayes 1
> use_bayes_rules 1
> bayes_auto_learn 1
>
> It's a virtual user mailsystem described in https://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-ubuntu-14.04-lts-p3

We say bayes is not working because there are not any BAYES_XX rules hitting in the headers you are providing. When bayes is working, you should see a bayes rule hit on almost every email. Most likely, it has not yet learned from the 200 ham and 200 spam required for it to start scoring.

To check this, login as the "amavis" user (or whatever user Amavis is running as) and type the command "sa-learn --dump magic". Take a look at the nham and nspam lines. If they are not at least 200, then bayes needs to learn from more emails. You can either wait for the autolearn process to do it, or (preferably) manually learn from some hand-sorted emails.

In any case, you should set up a process for bayes to learn from misclassified emails. In my case, spam is delivered to a "spam" folder. Once or twice a day, I will scan through the subject lines and sender names in that folder to make sure it is all really spam. Any ham that gets there is copied to a "ham-checked" folder and the rest is moved to a "spam-checked" folder. Any spam that gets delivered to my inbox goes to "spam-checked" as well. Occasionally, I'll grab a selection of good mail from my inbox and copy it to "ham-checked" to provide some extra ham for bayes to learn from. I have a script that looks for emails in those folders every couple of hours and runs sa-learn on them if there is anything there.

After learning from the messages, you can either delete them or move them to a storage location. If you keep a selection of hand-sorted ham and spam, then you can use that later to re-create the bayes database if it gets messed up.

Also, as others have mentioned, you are being blocked by URIBL. This is probably because you are forwarding your DNS to your ISP. You should set up a non-forwarding DNS server for your mail system to use. Personally, I prefer Bind. It should do what you need by default with very minimal (if any) configuration. You will need to set up your /etc/resolv.conf file to make the server use the local name server.

--
Bowie
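The three checks described in the post above (no BAYES_XX hit, URIBL_BLOCKED present, nham/nspam below 200), as an added example that is not part of the original thread. It reads the bracketed tests=[NAME=score, ...] form of X-Spam-Status quoted on this page and the "non-token data" lines of sa-learn --dump magic; the header is the one quoted above, the dump output is constructed, and the finding names are this example's own.

```python
import re

MIN_TRAINED = 200  # ham and spam messages Bayes needs before it starts scoring

# X-Spam-Status value quoted in the thread.
SAMPLE_HEADER = (
    "No, score=3.004 tagged_above=2 required=6.31 "
    "tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, "
    "SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no"
)

# Constructed `sa-learn --dump magic` output (counter values are made up).
SAMPLE_MAGIC = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0         43          0  non-token data: nspam
0.000          0         12          0  non-token data: nham
0.000          0       6120          0  non-token data: ntokens
"""


def parse_spam_status(header: str):
    """Return (score, {rule: points}) from an X-Spam-Status value."""
    unfolded = " ".join(header.split())  # undo header folding
    score = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", unfolded)
    tests = re.search(r"\btests=\[([^\]]*)\]", unfolded)
    rules = {}
    if tests:
        for item in tests.group(1).split(","):
            name, _, points = item.strip().partition("=")
            if name:
                rules[name] = float(points) if points else None
    return (float(score.group(1)) if score else None), rules


def parse_dump_magic(text: str):
    """Return the 'non-token data' counters, e.g. {'nspam': 43, 'nham': 12}."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data: (.+?)\s*$", line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def diagnose(header: str, magic_text: str):
    """Map one scanned header plus the Bayes counters to a list of findings."""
    _, rules = parse_spam_status(header)
    counters = parse_dump_magic(magic_text)
    findings = []
    if not any(name.startswith("BAYES_") for name in rules):
        findings.append("BAYES_NOT_SCORING")    # no BAYES_XX rule hit at all
    if "URIBL_BLOCKED" in rules:
        findings.append("URIBL_BLOCKED")        # lookups go through a shared forwarder
    if counters.get("nspam", 0) < MIN_TRAINED or counters.get("nham", 0) < MIN_TRAINED:
        findings.append("BAYES_UNDERTRAINED")   # fewer than 200 ham or 200 spam learned
    return findings


if __name__ == "__main__":
    print(diagnose(SAMPLE_HEADER, SAMPLE_MAGIC))
```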
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 2016-09-21 15:48, Thomas Barth wrote:

> X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
>
> @all You all say that bayes is not working in my setup. I don't know why. I followed a documentation for setting up my mailserver.

http://uribl.com/about.shtml#abuse

you are currently uribl_blocked, the link shows how to test and solve
Re: Spam by IP-address? Spamassassin with geoiplookup?
RP_MATCHES_RCVD=-3.096

override this idiotic rule with "score RP_MATCHES_RCVD -0.001" and hopefully that will soon get fixed until the end of all days as it was for a long time in the past

fix the other issues below and you don't need bad rules like "MESSAGEID_LOCAL=3" with such a dangerous and plain wrong score

On 21.09.2016 at 16:13, li...@rhsoft.net wrote:
> On 21.09.2016 at 15:48, Thomas Barth wrote:
>> X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
>
> URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get results from a lot of blacklists
> http://uribl.com/refused.shtml
>
> fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for an inbound mailserver
>
>> You all say that bayes is not working in my setup. I don't know why. I followed a documentation for setting up my mailserver. It says:
>>
>> nano /etc/spamassassin/local.cf
>>
>> #bayes
>> use_bayes 1
>> use_bayes_rules 1
>> bayes_auto_learn 1
>
> so your setup either doesn't use that config (amavis or something like that part of the game, then you don't have just spamassassin) or you have not trained enough spam *and* ham - or you train the wrong bayes-database, likely by calling "sa-learn" with the wrong user
>
> https://wiki.apache.org/spamassassin/SiteWideBayesSetup
>
> is there really no "spamassassin for beginners" which explains all that dns-stuff *at one place* and how to train bayes and make sure it is used instead of getting every day the same problem reports on the list from fresh people?
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 21.09.2016 at 15:48, Thomas Barth wrote:
> X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no

URIBL_BLOCKED shows you are still using a dns-forwarder and so won't get results from a lot of blacklists
http://uribl.com/refused.shtml

fix that - use a local caching resolver with *no forwarding* and if you are using dnsmasq just don't do that for an inbound mailserver

> You all say that bayes is not working in my setup. I don't know why. I followed a documentation for setting up my mailserver. It says:
>
> nano /etc/spamassassin/local.cf
>
> #bayes
> use_bayes 1
> use_bayes_rules 1
> bayes_auto_learn 1

so your setup either doesn't use that config (amavis or something like that part of the game, then you don't have just spamassassin) or you have not trained enough spam *and* ham - or you train the wrong bayes-database, likely by calling "sa-learn" with the wrong user

https://wiki.apache.org/spamassassin/SiteWideBayesSetup

is there really no "spamassassin for beginners" which explains all that dns-stuff *at one place* and how to train bayes and make sure it is used instead of getting every day the same problem reports on the list from fresh people?
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 20.09.2016 at 13:12, Paul Stead wrote:
> Hi Thomas,
>
> The RelayCountry plugin would answer your needs:
> https://wiki.apache.org/spamassassin/RelayCountryPlugin

Hello Paul,

I've activated that Plugin and installed the geoip module (aptitude install libgeo-ip-perl), seems to work. I've tested it with my own address. I've also reduced the score for MESSAGEID_LOCAL because I've found a past mail of one of our partners with .local in the message-id :)

X-Spam-Status: No, score=3.004 tagged_above=2 required=6.31 tests=[MESSAGEID_LOCAL=3, RELAYCOUNTRY_BAD=3.1, RP_MATCHES_RCVD=-3.096, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no

@all
You all say that bayes is not working in my setup. I don't know why. I followed a documentation for setting up my mailserver. It says:

nano /etc/spamassassin/local.cf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

It's a virtual user mailsystem described in
https://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-ubuntu-14.04-lts-p3
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Tue, 20 Sep 2016 22:02:14 +0100 Groach wrote:

> On 20/09/2016 20:31, RW wrote:
> > On Tue, 20 Sep 2016 18:56:47 +0100
> > Groach wrote:
> >
> >> This Spamassassin plugin will allow you to block by country.
> >>
> >> Create the 'nerd.cf' file containing the code, put it in your
> >> spamassassin ETC directory, and uncomment the countries you wish to
> >> block. Full details in the post.
> >> https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500
> >>
> > It's not a plugin, it's just a list of dns rules based on
> > zz.countries.nerd.dk.
> Sorry, the word 'plugin' was incorrectly used. I did mean it as the
> completed NERD.CF file containing the predefined rules.
>
> > Is the RelayCountry plugin not usable on Windows for some reason?
>
> Windows spamassassin is more-or-less no different from linux version
> (3.4.2) so I'm sure it can use it yes. (I don't know about this plugin
> myself. Got details?)

It's part of SpamAssassin, there just aren't any default rules that use it. Paul Stead already gave a link to the Wiki page.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 20/09/2016 20:31, RW wrote:
> On Tue, 20 Sep 2016 18:56:47 +0100 Groach wrote:
>> This Spamassassin plugin will allow you to block by country.
>>
>> Create the 'nerd.cf' file containing the code, put it in your spamassassin ETC directory, and uncomment the countries you wish to block. Full details in the post.
>> https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500
>
> It's not a plugin, it's just a list of dns rules based on zz.countries.nerd.dk.

Sorry, the word 'plugin' was incorrectly used. I did mean it as the completed NERD.CF file containing the predefined rules.

> Is the RelayCountry plugin not usable on Windows for some reason?

Windows spamassassin is more-or-less no different from linux version (3.4.2) so I'm sure it can use it yes. (I don't know about this plugin myself. Got details?)
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Tue, 20 Sep 2016 18:56:47 +0100 Groach wrote:

> This Spamassassin plugin will allow you to block by country.
>
> Create the 'nerd.cf' file containing the code, put it in your
> spamassassin ETC directory, and uncomment the countries you wish to
> block. Full details in the post.
> https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500

It's not a plugin, it's just a list of dns rules based on zz.countries.nerd.dk.

Is the RelayCountry plugin not usable on Windows for some reason?
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Tue, 20 Sep 2016 15:24:52 + Shawn Bakhtiar wrote:

> > On Sep 20, 2016, at 8:13 AM, RW wrote:
> >
> > On Tue, 20 Sep 2016 14:34:02 +
> > Shawn Bakhtiar wrote:
> >
> >> If you are strictly looking to block by IP addresses this is a far
> >> better task left to the firewall, and configured by networks not
> >> individual IP addresses.
> >
> > It shouldn't really be about blocking, it's about biasing the
> > score.
> >
> >
>
> I humbly disagree
>
> I find it interesting that most ISPs will block incoming connections
> like port 80 so home users can't run their own web servers,
> effectively forcing them to use providers for services "in the name
> of security" but when it comes to outgoing connection they take no
> measures whatsoever.
>
> Mind you, I'm not talking about blocking HTTP or DNS. I simply block
> them on the SMTP gateway (kernel level firewall), this reduces
> directed spear phishing by a lot when I catch it early enough. Of
> course it usually means getting into the office at 5 AM and waddling
> through the honeypot email address to see where the next attack is
> coming from. :P

That's a different matter, the thread is about using geoip information.
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 20/09/2016 11:53, Thomas Barth wrote:
> Hello,
>
> is it possible to use geoiplookup with Spamassassin? I want to reject all mails as spam not sent in my country or another second country, but accept whitelisted mailing list addresses. Any chance to use geoiplookup for this? I want to exclude Spammer Countries e.g. China, Taiwan, India, etc...

On 20/09/2016 18:56, Groach wrote:
> This Spamassassin plugin will allow you to block by country.
>
> Create the 'nerd.cf' file containing the code, put it in your spamassassin ETC directory, and uncomment the countries you wish to block. Full details in the post.
> https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500

It seems others have taken this approach as a proven effective solution too:

http://vdhout.nl/2015/07/block-email-from-foreign-countries
Re: Spam by IP-address? Spamassassin with geoiplookup?
This Spamassassin plugin will allow you to block by country.

Create the 'nerd.cf' file containing the code, put it in your spamassassin ETC directory, and uncomment the countries you wish to block. Full details in the post.
https://www.hmailserver.com/forum/viewtopic.php?f=7=29992=187520#p187500

On 20/09/2016 11:53, Thomas Barth wrote:
> Hello,
>
> is it possible to use geoiplookup with Spamassassin? I want to reject all mails as spam not sent in my country or another second country, but accept whitelisted mailing list addresses. Any chance to use geoiplookup for this? I want to exclude Spammer Countries e.g. China, Taiwan, India, etc...
Re: Spam by IP-address? Spamassassin with geoiplookup?
> On Sep 20, 2016, at 8:13 AM, RW wrote:
>
> On Tue, 20 Sep 2016 14:34:02 +
> Shawn Bakhtiar wrote:
>
>> If you are strictly looking to block by IP addresses this is a far
>> better task left to the firewall, and configured by networks not
>> individual IP addresses.
>
> It shouldn't really be about blocking, it's about biasing the score.
>
>

I humbly disagree

I find it interesting that most ISPs will block incoming connections like port 80 so home users can't run their own web servers, effectively forcing them to use providers for services "in the name of security" but when it comes to outgoing connection they take no measures whatsoever.

Mind you, I'm not talking about blocking HTTP or DNS. I simply block them on the SMTP gateway (kernel level firewall), this reduces directed spear phishing by a lot when I catch it early enough. Of course it usually means getting into the office at 5 AM and waddling through the honeypot email address to see where the next attack is coming from. :P
Re: Spam by IP-address? Spamassassin with geoiplookup?
On Tue, 20 Sep 2016 14:34:02 + Shawn Bakhtiar wrote:

> If you are strictly looking to block by IP addresses this is a far
> better task left to the firewall, and configured by networks not
> individual IP addresses.

It shouldn't really be about blocking, it's about biasing the score.
Re: Spam by IP-address? Spamassassin with geoiplookup?
If you are strictly looking to block by IP addresses this is a far better task left to the firewall, and configured by networks not individual IP addresses.

There are many ranges which should not be sending email directly (i.e. those allocated by providers to home users). Unfortunately finding all of them and keeping the list valid is a full time job. I believe this is the point behind RBLs, but they can be a bit slow picking up on directed phishing attacks. In those cases I look up the IP address at ARIN or RIPE, find the segment, and if it's anything other than a real ISP I block the network from my mail server. A kernel firewall is a magnitude faster than SA and can be your first line of defense, the same way I use RBLs at the MTA before the mail even gets to SA.

I also agree, there is plenty of blame to go around for all countries. This is not a region specific issue (though some tend to be more nefarious than others).

> On Sep 20, 2016, at 6:43 AM, Byung-Hee HWANG (황병희, 黃炳熙) wrote:
>
> Dear Thomas,
>
> Thomas Barth wrote,
> in the full article <5eddfcdb-957c-e7c0-b133-a40c7ab37...@txbweb.de>:
>
>> Hello,
>>
>> is it possible to use geoiplookup with Spamassassin? I want to reject
>> all mails as spam not sent in my country or another second country,
>> but accept whitelisted mailing list addresses. Any chance to use
>> geoiplookup for this? I want to exclude Spammer Countries e.g. China,
>> Taiwan, India, etc...
>
> There are many people who contribute to FOSS projects all around the
> world. You should reconsider blocking by countries.
>
> Sincerely,
>
> --
> ^고맙습니다 _地平天成_ 감사합니다_^))//
Re: Spam by IP-address? Spamassassin with geoiplookup?
Dear Thomas,

Thomas Barth wrote,
in the full article <5eddfcdb-957c-e7c0-b133-a40c7ab37...@txbweb.de>:

> Hello,
>
> is it possible to use geoiplookup with Spamassassin? I want to reject
> all mails as spam not sent in my country or another second country,
> but accept whitelisted mailing list addresses. Any chance to use
> geoiplookup for this? I want to exclude Spammer Countries e.g. China,
> Taiwan, India, etc...

There are many people who contribute to FOSS projects all around the world. You should reconsider blocking by countries.

Sincerely,

--
^고맙습니다 _地平天成_ 감사합니다_^))//
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 20/09/16 11:53, Thomas Barth wrote:

> Hello,
>
> is it possible to use geoiplookup with Spamassassin? I want to reject
> all mails as spam not sent in my country or another second country,
> but accept whitelisted mailing list addresses. Any chance to use
> geoiplookup for this? I want to exclude Spammer Countries e.g. China,
> Taiwan, India, etc...

Don't forget to exclude North America too, because they are the main source of spam, by far.

Olivier
--
Re: Spam by IP-address? Spamassassin with geoiplookup?
On 20/09/16 11:53, Thomas Barth wrote:
> Hello,
>
> is it possible to use geoiplookup with Spamassassin? I want to reject all mails as spam not sent in my country or another second country, but accept whitelisted mailing list addresses. Any chance to use geoiplookup for this? I want to exclude Spammer Countries e.g. China, Taiwan, India, etc...

Hi Thomas,

The RelayCountry plugin would answer your needs:
https://wiki.apache.org/spamassassin/RelayCountryPlugin

Paul

--
Paul Stead
Systems Engineer
Zen Internet
Spam by IP-address? Spamassassin with geoiplookup?
Hello,

is it possible to use geoiplookup with Spamassassin? I want to reject all mails as spam not sent in my country or another second country, but accept whitelisted mailing list addresses. Any chance to use geoiplookup for this? I want to exclude Spammer Countries e.g. China, Taiwan, India, etc...