Re: FORGED_GMAIL_RCVD via IMAP.
On 10.05.2018 22:23, Reindl Harald wrote:
> On 10.05.2018 at 21:11, Reio Remma wrote:
>> Apparently it happens only if I use my Gmail account via IMAP, but not when I mailed from their webmail for testing.
>
> you don't send with IMAP - it's SMTP

Indeed, I realized my mistake right after posting. By IMAP I meant I'm reading GMail with a real mail client. :)

On 10.05.2018 22:38, Benny Pedersen wrote:
> ESMTPSA
>
> please create a ticket, it's a false positive on that test
>
> it's not forged if sasl authed

Bugrep filed, thanks.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7584
Re: FORGED_GMAIL_RCVD via IMAP.
Reio Remma wrote on 2018-05-10 21:11:
> I just noticed if I mail myself via my Gmail account, I'm hitting FORGED_GMAIL_RCVD.
>
> Apparently it happens only if I use my Gmail account via IMAP, but not when I mailed from their webmail for testing.
>
> Should that be so? I suspect it's the following that trips it:
>
> Return-Path:
> Received: from [192.168.0.148] (85.xxx.xxx.xxx.cable.isp.ee. [85.xxx.xxx.xxx])
>         by smtp.googlemail.com with ESMTPSA id b65-v6sm298081lff.5.2018.05.10.11.58.19
>         for
>         (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>         Thu, 10 May 2018 11:58:19 -0700 (PDT)

ESMTPSA

please create a ticket, it's a false positive on that test

it's not forged if sasl authed
Re: FORGED_GMAIL_RCVD via IMAP.
On 05/10/18 21:11, Reio Remma wrote:
> Hello!
>
> I just noticed if I mail myself via my Gmail account, I'm hitting
> FORGED_GMAIL_RCVD.
>
> Apparently it happens only if I use my Gmail account via IMAP, but not when I
> mailed from their webmail for testing.
>
> Should that be so? I suspect it's the following that trips it:
>
> Return-Path:
> Received: from [192.168.0.148] (85.xxx.xxx.xxx.cable.isp.ee. [85.xxx.xxx.xxx])
>         by smtp.googlemail.com with ESMTPSA id
>         b65-v6sm298081lff.5.2018.05.10.11.58.19
>         for
>         (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>         Thu, 10 May 2018 11:58:19 -0700 (PDT)
>

Could you post full headers on pastebin ?

Thanks
Giovanni
Re: Invoice phish
On 05/10/2018 01:32 PM, RW wrote:
> On Thu, 10 May 2018 09:55:00 -0500
> David Jones wrote:
>> On 05/10/2018 09:39 AM, RW wrote:
>>> Microsoft has a list of domains it hosts and a list of hosted domains (and/or its own addresses) tied to each account. Given how much reliance MS place on DMARC's preventing spoofing, and how easy it would be for them to prevent one user spoofing another's domain on submission, I'd be very surprised if they allow it.
>>
>> They do. I saw an example a few weeks ago.
>
> The very fact that you are citing just one a few weeks ago strongly suggests that they don't.

It's possible that it could have been months ago, I guess, so my memory could be off. The fact that someone tested it recently and Microsoft blocks it today is encouraging. Maybe they enabled this logic recently to match what Google is doing which is the correct way to handle this and prevent "SPF piggy-backing."

>>> Paul Stead claims to have seen it, but it's important to positively identify it as spoofing and not hacking.
>>
>> Not sure what the difference is from a mail filtering perspective.
>
> The difference is that if domains that include Microsoft's SPF are as wide open to spoofing as you suggest, they shouldn't have def_whitelist_auth entries.

You are correct. When they were added this issue of "SPF piggy-backing" wasn't an issue. It may have been known to be a potential problem but wasn't being actively exploited like the toysrus.com was last year when I first noticed it. It's also possible that those whitelist_* domains have added the "include:spf.protection.outlook.com" to their SPF record recently after migrating their corporate mail hosting to O365. We don't have anything actively monitoring whitelist entries for SPF record changes so we have to rely on abuse reports to this list to remove/change them in SA.

--
David Jones
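David Jones notes above that nothing monitors whitelist entries for SPF record changes, and RW's reply further down the thread lists the domains whose SPF reaches Microsoft's shared record. The following Python is an added example, not SpamAssassin code or anything posted by a list member: it flattens each whitelisted domain's SPF include:/redirect= chain, reports which shared-tenant provider records it reaches, and diffs the result against an earlier snapshot so a change like a migration to O365 is noticed. The TXT zone data is constructed (only the two provider include names, spf.protection.outlook.com and _spf.google.com, come from the thread; every record body and address is invented), the resolver is an in-memory stand-in for a real DNS query, and the directive names in the recommendation are SpamAssassin's whitelist_auth and whitelist_from_dkim.

```python
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

Resolver = Callable[[str], List[str]]

# Constructed TXT data standing in for live DNS. Only the two provider include
# names come from the thread; every record body is invented and uses RFC 5737
# documentation prefixes, not the providers' real ranges.
SAMPLE_TXT: Dict[str, List[str]] = {
    "hotel-chain.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "travel-site.test": ["v=spf1 redirect=_spf.travel-site.test"],
    "_spf.travel-site.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.google.com ~all"],
    "self-hosted.test": ["v=spf1 mx ip4:192.0.2.25 -all", "some unrelated TXT record"],
    "looping.test": ["v=spf1 include:looping.test -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.test ~all"],
    "_netblocks.google.test": ["v=spf1 ip4:198.51.100.128/25 ~all"],
}

# Providers whose SPF is shared by every tenant: an SPF pass proves only that
# the mail came from the provider, not from the domain in the envelope.
SHARED_SENDERS = {"spf.protection.outlook.com", "_spf.google.com"}
LOOKUP_LIMIT = 10        # RFC 7208 section 4.6.4 cap on DNS-querying terms

INCLUDE_RE = re.compile(r"^[+\-~?]?(?:include:|redirect=)(.+)$", re.I)


def lookup_txt(name: str) -> List[str]:
    """Offline resolver over SAMPLE_TXT; swap in a real DNS query in production."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def spf_record(name: str, resolver: Resolver) -> Optional[str]:
    recs = [r for r in resolver(name)
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None   # >1 record is a permerror, 0 means none


def collect_spf_domains(domain: str, resolver: Resolver) -> Tuple[Set[str], int, str]:
    """Follow include:/redirect= transitively; return (domains consulted, lookups used, status)."""
    root = domain.lower().rstrip(".")
    consulted = {root}
    pending = [root]
    lookups = 0
    while pending:
        rec = spf_record(pending.pop(0), resolver)
        if rec is None:
            continue
        for term in rec.split()[1:]:
            m = INCLUDE_RE.match(term)
            if not m:
                continue
            lookups += 1
            if lookups > LOOKUP_LIMIT:
                return consulted, lookups, "lookup-limit-exceeded"
            target = m.group(1).lower().rstrip(".")
            if target not in consulted:         # also stops include loops
                consulted.add(target)
                pending.append(target)
    return consulted, lookups, "ok"


def audit_whitelist(domains: List[str], resolver: Resolver = lookup_txt) -> Dict[str, dict]:
    """Report, per whitelisted domain, which shared senders its SPF lets through."""
    report = {}
    for d in domains:
        consulted, used, status = collect_spf_domains(d, resolver)
        shared = sorted(consulted & SHARED_SENDERS)
        report[d] = {
            "shared_senders": shared,
            "dns_lookups": used,
            "status": status,
            # SPF alone no longer proves the sender; require the domain's own DKIM signature.
            "recommendation": "move to whitelist_from_dkim" if shared else "keep whitelist_auth",
        }
    return report


def changed_since(previous: Dict[str, dict], current: Dict[str, dict]) -> List[str]:
    """Domains whose set of shared senders differs from the last snapshot."""
    return sorted(d for d in current
                  if previous.get(d, {}).get("shared_senders") != current[d]["shared_senders"])


if __name__ == "__main__":
    for dom, row in audit_whitelist(list(SAMPLE_TXT)[:5]).items():
        print(f"{dom:24} {row['status']:10} {row['shared_senders'] or '-'}  -> {row['recommendation']}")
```

Run on a cron schedule with a real resolver, persist the report, and feed the output of changed_since to whoever maintains the local whitelist; a domain that newly reaches a shared record is the "SPF piggy-backing" case the thread describes and should lose its whitelist_auth entry.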
FORGED_GMAIL_RCVD via IMAP.
Hello!

I just noticed if I mail myself via my Gmail account, I'm hitting FORGED_GMAIL_RCVD.

Apparently it happens only if I use my Gmail account via IMAP, but not when I mailed from their webmail for testing.

Should that be so? I suspect it's the following that trips it:

Return-Path:
Received: from [192.168.0.148] (85.xxx.xxx.xxx.cable.isp.ee. [85.xxx.xxx.xxx])
        by smtp.googlemail.com with ESMTPSA id b65-v6sm298081lff.5.2018.05.10.11.58.19
        for
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 10 May 2018 11:58:19 -0700 (PDT)

Reio
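The Received: line quoted above records a client submission over TLS with SMTP AUTH (the ESMTPSA transmission type), which is why Benny Pedersen calls the hit a false positive. Below is an added Python example, written for this page and not taken from SpamAssassin's rule code, that parses such a header and treats an authenticated submission differently from an unauthenticated hop that claims a Google relay. The sample headers are constructed (the first reproduces the posted line with a placeholder recipient where the archive stripped it; the other two are invented), the Google domain list and the verdict labels are this example's own, and the check is a simplified stand-in for whatever the real FORGED_GMAIL_RCVD rule tests, which the thread does not show.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample headers. GMAIL_AUTH_RCVD reproduces the Received: line
# from the post above (IPs masked as in the post; the "for <...>" recipient,
# which the archive stripped, is a placeholder). The other two are invented
# and use RFC 5737 documentation addresses.
GMAIL_AUTH_RCVD = (
    "Received: from [192.168.0.148] (85.xxx.xxx.xxx.cable.isp.ee. [85.xxx.xxx.xxx])\n"
    "\tby smtp.googlemail.com with ESMTPSA id b65-v6sm298081lff.5.2018.05.10.11.58.19\n"
    "\tfor <recipient@example.test>\n"
    "\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n"
    "\tThu, 10 May 2018 11:58:19 -0700 (PDT)"
)
UNAUTH_RCVD = (
    "from mail.example.net (mail.example.net [203.0.113.5])"
    " by smtp.googlemail.com with ESMTP id abc123;"
    " Thu, 10 May 2018 11:58:19 -0700 (PDT)"
)
OTHER_RCVD = (
    "from mail-xx1-f42.google.com (mail-xx1-f42.google.com [198.51.100.7])"
    " by mx.example.org with ESMTPS id 4fAbC;"
    " Thu, 10 May 2018 12:01:02 -0700 (PDT)"
)

# IANA "Mail Transmission Types" keywords: a trailing S means TLS, a trailing
# A means the client used SMTP AUTH (SASL) for this hop.
AUTHENTICATED_TYPES = {"ESMTPA", "ESMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}
TLS_TYPES = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
GOOGLE_DOMAINS = ("google.com", "googlemail.com", "gmail.com")

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>[^\s;]+)"                # EHLO name or address literal
    r"(?:\s+\((?P<from_info>[^)]*)\))?"         # (reverse-DNS [ip]) noted by the receiver
    r"\s+by\s+(?P<by>[^\s;]+)"                  # host that wrote this line
    r"(?:\s+with\s+(?P<with_proto>[^\s;]+))?"   # transmission type, e.g. ESMTPSA
    r"(?:\s+id\s+(?P<msg_id>[^\s;]+))?"
    r"(?:\s+for\s+<?(?P<rcpt>[^>\s;]+)>?)?"
    r"(?:\s+\((?P<tls_info>[^)]*)\))?"          # (version=TLS1_2 cipher=...) comment
    r"\s*;\s*(?P<date>.+)$"
)


@dataclass
class Received:
    helo: str
    from_info: Optional[str]
    by: str
    with_proto: Optional[str]
    msg_id: Optional[str]
    tls: bool
    sasl_authenticated: bool
    date: str


def parse_received(header: str) -> Received:
    """Unfold one Received: header and split it into its clauses."""
    value = " ".join(header.split())             # unfold continuation lines
    value = re.sub(r"^received:\s*", "", value, flags=re.I)
    m = RECEIVED_RE.match(value)
    if not m:
        raise ValueError("unrecognised Received: syntax: " + value)
    proto = (m["with_proto"] or "").upper()
    tls_info = m["tls_info"] or ""
    return Received(
        helo=m["helo"], from_info=m["from_info"], by=m["by"],
        with_proto=proto or None, msg_id=m["msg_id"],
        tls=proto in TLS_TYPES or "version=TLS" in tls_info,
        sasl_authenticated=proto in AUTHENTICATED_TYPES,
        date=m["date"],
    )


def is_google_host(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in GOOGLE_DOMAINS)


def assess_gmail_hop(rcv: Received) -> str:
    """Classify a hop whose 'by' host claims to be a Google server."""
    if not is_google_host(rcv.by):
        return "not-gmail"
    if rcv.sasl_authenticated:
        # A home/office address handing mail to smtp.googlemail.com with
        # SMTP AUTH is a normal client submission, not a forged header.
        return "authenticated-submission"
    source = rcv.from_info.split()[0] if rcv.from_info else rcv.helo
    if is_google_host(source):
        return "google-internal"
    return "suspect"          # non-Google source, no AUTH, "by" claims Google


if __name__ == "__main__":
    for hdr in (GMAIL_AUTH_RCVD, UNAUTH_RCVD, OTHER_RCVD):
        r = parse_received(hdr)
        print(f"{r.by:22} with={r.with_proto!s:9} -> {assess_gmail_hop(r)}")
```

The useful distinction is the "with" clause: a private address in the "from" clause is exactly what a mail client behind NAT looks like when it submits through a provider, and only the absence of an authenticated transmission type makes the same shape suspicious.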
Re: Invoice phish
On Thu, 10 May 2018 09:55:00 -0500
David Jones wrote:

> On 05/10/2018 09:39 AM, RW wrote:
> > Microsoft has a list of domains it hosts and a list of hosted
> > domains (and/or its own addresses) tied to each account. Given how
> > much reliance MS place on DMARC's preventing spoofing, and how easy
> > it would be for them to prevent one user spoofing another's domain
> > on submission, I'd be very surprised if they allow it.
> >
>
> They do. I saw an example a few weeks ago.

The very fact that you are citing just one a few weeks ago strongly
suggests that they don't.

> > Paul Stead claims to have seen it, but it's important to positively
> > identify it as spoofing and not hacking.
> >
>
> Not sure what the difference is from a mail filtering perspective.

The difference is that if domains that include Microsoft's SPF are as
wide open to spoofing as you suggest, they shouldn't have
def_whitelist_auth entries.
Re: training bayes database
On Thu, 10 May 2018, John Hardin wrote:
> On Thu, 10 May 2018, Matthew Broadhead wrote:
>> On 09/05/18 20:43, David Jones wrote:
>>> On 05/09/2018 01:29 PM, Matthew Broadhead wrote:
>>>> On 09/05/18 16:37, Reindl Harald wrote:
>>>>> quoting URIBL_BLOCKED is a joke - setup a *recursion* *non-forwarding* nameserver, no dnsmasq or such crap
>>>>> http://uribl.com/refused.shtml
>>>>> with your setup you exceed *obviously* rate-limits and have most DNSBL/URIBL not working and so you can't expect useful results at all
>>>>>
>>>>>> X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
>>>>>>   tests=[AM.WBL=-3, BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
>>>>>>   MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
>>>>>>   URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham
>>>>>>   autolearn_force=no
>>>>
>>>> i followed the guidance at that url and it gave me
>>>>
>>>> [root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
>>>> 2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 213.171.193.134]"
>>>>
>>>> i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup?
>>>
>>> Yes. Setup BIND, unbound, or pdns_recursor on your SA server that is not forwarding to another DNS server then set your /etc/resolv.conf or SA dns_server to 127.0.0.1. This will make your DNS queries isolated from your IP to stay under their daily limit.
>>>
>>> Keep in mind that if your SA box is behind NAT that is not dedicated to your server then other DNS queries could get combined with your shared public IP. This is not likely since others are not going to query RBL/URIBL servers but it's possible. If your SA server is directly on the Internet as an edge mail gateway then this won't be a problem.
>>
>> i already had bind handling my dns. i just had to add to /etc/named.conf
>>
>> allow-query-cache {localhost; any;};
>> recursion yes;
>
> Don't forget to *turn off forwarding*.
>
>> and to /etc/resolv.conf
>>
>> nameserver 127.0.0.1

That is the most important point in this whole discussion.
It doesn't matter (much) what DNS server/software you use so long as it supports recursive NON-FORWARDED queries.
Caching is desirable but is only a secondary consideration VS the first point.

Security point: when you run a recursive server it is a potential DDOS risk, so protect it from being used/abused by untrusted clients. (best if it only listens on the loopback address, 127.*, or has strong ACL/access control support that is properly configured).

--
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better.  B{
Re: training bayes database
On Thu, 10 May 2018, Matthew Broadhead wrote:
> On 09/05/18 20:43, David Jones wrote:
>> On 05/09/2018 01:29 PM, Matthew Broadhead wrote:
>>> On 09/05/18 16:37, Reindl Harald wrote:
>>>> On 09.05.2018 at 16:28, Matthew Broadhead wrote:
>>>>> it looks like it is working. so maybe it is just not flagging or moving the spam?
>>>>
>>>> in a different post you showed this status header which *clearly* shows bayes is working - bayes alone doesn't flag, the total score does, moving doesn't happen at all on this layer - other software like sieve is responsible for acting on the headers of a message
>>>>
>>>> quoting URIBL_BLOCKED is a joke - setup a *recursion* *non-forwarding* nameserver, no dnsmasq or such crap
>>>> http://uribl.com/refused.shtml
>>>> with your setup you exceed *obviously* rate-limits and have most DNSBL/URIBL not working and so you can't expect useful results at all
>>>>
>>>>> X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
>>>>>   tests=[AM.WBL=-3, BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
>>>>>   MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
>>>>>   URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham
>>>>>   autolearn_force=no
>>>
>>> i followed the guidance at that url and it gave me
>>>
>>> [root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
>>> 2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 213.171.193.134]"
>>>
>>> i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup?
>>
>> Yes. Setup BIND, unbound, or pdns_recursor on your SA server that is not forwarding to another DNS server then set your /etc/resolv.conf or SA dns_server to 127.0.0.1. This will make your DNS queries isolated from your IP to stay under their daily limit.
>>
>> Keep in mind that if your SA box is behind NAT that is not dedicated to your server then other DNS queries could get combined with your shared public IP. This is not likely since others are not going to query RBL/URIBL servers but it's possible. If your SA server is directly on the Internet as an edge mail gateway then this won't be a problem.
>
> i already had bind handling my dns. i just had to add to /etc/named.conf
>
> allow-query-cache {localhost; any;};
> recursion yes;

Don't forget to *turn off forwarding*.

> and to /etc/resolv.conf
>
> nameserver 127.0.0.1
>
> i cannot believe that is not the default. i always assumed my dns was working correctly.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The Constitution is a written instrument. As such its meaning does not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
406 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: Invoice phish
On 10/05/2018, 15:54, "David Jones" wrote:
> They do. I saw an example a few weeks ago.
>
>> Paul Stead claims to have seen it, but it's important to positively
>> identify it as spoofing and not hacking.
>
> Not sure what the difference is from a mail filtering perspective.
> From Microsoft's perspective it is both. A spammer got someone's password and started sending a bunch of invoice phishing emails pretending to be a local construction company that happens to host their email on O365 so their SPF record is good.

I agree this scenario seems unlikely, I can't find any example, I have done some testing myself.

Seems that O365 will return

    550 5.7.60 SMTP; Client does not have permissions to send as this sender

if the SMTP From is anything but an accepted address for that user in the domain controlled with O365.

I was convinced I have seen this scenario but without the evidence I'll have to chalk it to bad memory.

Paul

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk

Winner of 'Services Company of the Year' at the UK IT Industry Awards

This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. Zen Internet Limited may monitor email traffic data to manage billing, to handle customer enquiries and for the prevention and detection of fraud. We may also monitor the content of emails sent to and/or from Zen Internet Limited for the purposes of security, staff training and to monitor quality of service. Zen Internet Limited is registered in England and Wales, Sandbrook Park, Sandbrook Way, Rochdale, OL11 1RY Company No. 03101568 VAT Reg No. 686 0495 01
Re: Invoice phish
On 05/10/2018 09:39 AM, RW wrote:
> On Thu, 10 May 2018 13:49:15 + (UTC)
> Pedro David Marco wrote:
>> David Jones wrote:
>>> It's not only compromised well-established accounts. Based on the odd domain names I have seen, I am pretty sure that Microsoft allows trials of O365 so spammers are signing up and blasting out junk/phishing emails until they are discovered. These spammers can spoof anyone on O365 like toysrus.com and the SPF checks will pass.
>>
>> I totally agree with David, i have seen trial periods of 45 days for O365, then spoofing any other O365 customer is trivial with SPF totally pointless.
>
> But have you actually tried it? I had a concern about travelodge.co.uk being whitelisted when its SPF includes gmail, but I tried spoofing it through smtp.gmail.com and it didn't work.

It was said on this thread that Google rewrites/forces the envelope-from address to be the same as the authenticated sender so Google handles this properly. Microsoft does not. If you can authenticate, then you can send as whatever you want with any headers you want to add/spoof including the From:.

> Microsoft has a list of domains it hosts and a list of hosted domains (and/or its own addresses) tied to each account. Given how much reliance MS place on DMARC's preventing spoofing, and how easy it would be for them to prevent one user spoofing another's domain on submission, I'd be very surprised if they allow it.

They do. I saw an example a few weeks ago.

> Paul Stead claims to have seen it, but it's important to positively identify it as spoofing and not hacking.

Not sure what the difference is from a mail filtering perspective. From Microsoft's perspective it is both. A spammer got someone's password and started sending a bunch of invoice phishing emails pretending to be a local construction company that happens to host their email on O365 so their SPF record is good.

--
David Jones
Re: Invoice phish
On Thu, 10 May 2018 13:49:15 + (UTC)
Pedro David Marco wrote:

>
> David Jones wrote:
> >It's not only compromised well-established accounts. Based on the odd
> >domain names I have seen, I am pretty sure that Microsoft allows
> >trials of O365 so spammers are signing up and blasting out
> >junk/phishing emails until they are discovered. These spammers can
> >spoof anyone on O365 like toysrus.com and the SPF checks will pass.
>
>
> I totally agree with David, i have seen trial periods of 45 days for
> O365, then spoofing any other O365 customer is trivial with SPF
> totally pointless.

But have you actually tried it? I had a concern about travelodge.co.uk
being whitelisted when its SPF includes gmail, but I tried spoofing it
through smtp.gmail.com and it didn't work.

Microsoft has a list of domains it hosts and a list of hosted domains
(and/or its own addresses) tied to each account. Given how much reliance
MS place on DMARC's preventing spoofing, and how easy it would be for
them to prevent one user spoofing another's domain on submission, I'd be
very surprised if they allow it.

Paul Stead claims to have seen it, but it's important to positively
identify it as spoofing and not hacking.
Re: training bayes database
On 10.05.18 15:23, David Jones wrote:
> On 05/10/2018 07:12 AM, Reio Remma wrote:
>> On 10.05.18 15:08, David Jones wrote:
>>> On 05/10/2018 07:02 AM, Reio Remma wrote:
>>>> On a slightly related note. We're running a PFSense firewall with DNS Forwarder (dnsmasq) in front of our mail server. From what I've gleaned from the net is that it caches as well. Should I still install a local (BIND) on the mail server?
>>>>
>>>> Thanks!
>>>> Reio
>>>
>>> YES! As I was corrected on this mailing list last year, dnsmasq is only a forwarding DNS server so it will cause your queries to be lumped into whatever it's forwarding to. Setup a real recursive DNS server local on your mail server since it should have its own dedicated NAT or real public IP on your pfSense firewall so your DNS queries will be completely isolated.
>>
>> There's also the option of DNS Resolver (unbound) on the firewall - would that be better?
>>
>> Reio
>
> No. Your DNS traffic for your general network served by your firewall is much different from your mail server DNS lookup. You will probably want to forward your firewall DNS server to OpenDNS, Google, or even do DNS over TLS someday.
>
> https://wiki.apache.org/spamassassin/CachingNameserver
>
> My favorite is PowerDNS Recursor but Unbound is very popular.

That seems to have worked - installed unbound and set dns_server 127.0.0.1 in local.cf

Thanks,
Reio
Re: Invoice phish
David Jones wrote:
> It's not only compromised well-established accounts. Based on the odd
> domain names I have seen, I am pretty sure that Microsoft allows trials
> of O365 so spammers are signing up and blasting out junk/phishing emails
> until they are discovered. These spammers can spoof anyone on O365 like
> toysrus.com and the SPF checks will pass.

I totally agree with David, i have seen trial periods of 45 days for O365, then spoofing any other O365 customer is trivial with SPF totally pointless. But nobody is fired out for choosing O365, right?

-PedroD
Re: Invoice phish
On Thu, 10 May 2018 12:48:29 +
Paul Stead wrote:

> On 10/05/2018, 13:46, "David Jones" wrote:
>
> >Do you have a reason to think that that's possible?
> >It doesn't seem very likely, but there are some default whitelist
> >entries that should go if it is.
>
> Anyone on O365 not using webmail or
> Outlook can spoof any other O365 customer using authenticated SMTP to
> smtp.office365.com where they can control the envelope-from and
> From: header and the SPF check will pass. The only thing stopping it
> is Microsoft's ability to detect unusual activity.

My experience with gmail is that they rewrite the envelope. I expected
O365 to do the same.

>
> Not only is it possible - I've had actual examples of this happening
> on our platform, spoofed Envelope-From spam sent through O365 and the
> SPF passing...
>

In that case the following domains should be moved from
60_whitelist_auth.cf to 60_whitelist_dkim.cf:

usps.gov
hilton.com
accountprotection.microsoft.com
theupsstore.com
logmein.com
lastpass.com
amtrak.com
druryhotels.com
ticketmaster.com
adt.com
homedepot.com

And the following should be removed from 60_whitelist_spf.cf:

match.com
silicon.com
Re: Invoice phish
On 10/05/2018, 13:46, "David Jones" wrote:
>> Do you have a reason to think that that's possible?
>> It doesn't seem very likely, but there are some default whitelist
>> entries that should go if it is.
>
> Which part is possible? The trial accounts blasting spam or the toysrus.com SPF matching?
>
> Anyone on O365 not using webmail or Outlook can spoof any other O365 customer using authenticated SMTP to smtp.office365.com where they can control the envelope-from and From: header and the SPF check will pass. The only thing stopping it is Microsoft's ability to detect unusual activity.

Not only is it possible - I've had actual examples of this happening on our platform, spoofed Envelope-From spam sent through O365 and the SPF passing...

Paul

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk
Re: Invoice phish
On 05/10/2018 07:37 AM, RW wrote:
> On Thu, 10 May 2018 06:50:46 -0500
> David Jones wrote:
>> I am pretty sure that Microsoft allows trials of O365 so spammers are signing up and blasting out junk/phishing emails until they are discovered. These spammers can spoof anyone on O365 like toysrus.com and the SPF checks will pass.
>
> Do you have a reason to think that that's possible?
> It doesn't seem very likely, but there are some default whitelist entries that should go if it is.

Which part is possible? The trial accounts blasting spam or the toysrus.com SPF matching?

Anyone on O365 not using webmail or Outlook can spoof any other O365 customer using authenticated SMTP to smtp.office365.com where they can control the envelope-from and From: header and the SPF check will pass. The only thing stopping it is Microsoft's ability to detect unusual activity.

--
David Jones
Re: Invoice phish
On Thu, 10 May 2018 06:50:46 -0500
David Jones wrote:

> I am pretty sure that Microsoft allows
> trials of O365 so spammers are signing up and blasting out
> junk/phishing emails until they are discovered. These spammers can
> spoof anyone on O365 like toysrus.com and the SPF checks will pass.

Do you have a reason to think that that's possible?

It doesn't seem very likely, but there are some default whitelist
entries that should go if it is.
Re: training bayes database
On 05/10/2018 07:12 AM, Reio Remma wrote:
> On 10.05.18 15:08, David Jones wrote:
>> On 05/10/2018 07:02 AM, Reio Remma wrote:
>>> On 10.05.18 14:58, Matus UHLAR - fantomas wrote:
>>>> On 09.05.2018 at 16:28, Matthew Broadhead wrote:
>>>>> i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup?
>>>>
>>>> On 09/05/18 20:43, David Jones wrote:
>>>>> Yes. Setup BIND, unbound, or pdns_recursor on your SA server that is not forwarding to another DNS server then set your /etc/resolv.conf or SA dns_server to 127.0.0.1. This will make your DNS queries isolated from your IP to stay under their daily limit.
>>>>>
>>>>> Keep in mind that if your SA box is behind NAT that is not dedicated to your server then other DNS queries could get combined with your shared public IP. This is not likely since others are not going to query RBL/URIBL servers but it's possible. If your SA server is directly on the Internet as an edge mail gateway then this won't be a problem.
>>>>
>>>> On 10.05.18 12:15, Matthew Broadhead wrote:
>>>>> i already had bind handling my dns. i just had to add to /etc/named.conf
>>>>>
>>>>> allow-query-cache {localhost; any;};
>>>>
>>>> NO! this way everyone is allowed to use your server as recursive DNS. only allow "localhost;" it defines all ipv4 and ipv6 addresses on your system.
>>>>
>>>> It's also better to define allow-recursion instead. While it means something different, they both have same defaults, but allow-recursion has more clear meaning.
>>>>
>>>>> recursion yes;
>>>>
>>>> not needed by default.
>>>>
>>>>> and to /etc/resolv.conf
>>>>>
>>>>> nameserver 127.0.0.1
>>>>>
>>>>> i cannot believe that is not the default. i always assumed my dns was working correctly.
>>>>
>>>> It's not default to have DNS server on your system. And it's not default to have localhost in resolv.conf - it may be authoritative-only.
>>>
>>> On a slightly related note. We're running a PFSense firewall with DNS Forwarder (dnsmasq) in front of our mail server. From what I've gleaned from the net is that it caches as well. Should I still install a local (BIND) on the mail server?
>>>
>>> Thanks!
>>> Reio
>>
>> YES! As I was corrected on this mailing list last year, dnsmasq is only a forwarding DNS server so it will cause your queries to be lumped into whatever it's forwarding to. Setup a real recursive DNS server local on your mail server since it should have its own dedicated NAT or real public IP on your pfSense firewall so your DNS queries will be completely isolated.
>
> There's also the option of DNS Resolver (unbound) on the firewall - would that be better?
>
> Reio

No. Your DNS traffic for your general network served by your firewall is much different from your mail server DNS lookup. You will probably want to forward your firewall DNS server to OpenDNS, Google, or even do DNS over TLS someday.

https://wiki.apache.org/spamassassin/CachingNameserver

My favorite is PowerDNS Recursor but Unbound is very popular.

--
David Jones
Re: training bayes database
On 09.05.2018 at 16:28, Matthew Broadhead wrote:
> i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup?

On 09/05/18 20:43, David Jones wrote:
> Yes. Setup BIND, unbound, or pdns_recursor on your SA server that is not forwarding to another DNS server then set your /etc/resolv.conf or SA dns_server to 127.0.0.1. This will make your DNS queries isolated from your IP to stay under their daily limit.
>
> Keep in mind that if your SA box is behind NAT that is not dedicated to your server then other DNS queries could get combined with your shared public IP. This is not likely since others are not going to query RBL/URIBL servers but it's possible. If your SA server is directly on the Internet as an edge mail gateway then this won't be a problem.

On 10.05.18 15:02, Reio Remma wrote:
> On a slightly related note. We're running a PFSense firewall with DNS Forwarder (dnsmasq) in front of our mail server. From what I've gleaned from the net is that it caches as well. Should I still install a local (BIND) on the mail server?

The requirement is not for a caching server - it's for a recursing server.
dnsmasq is a forwarding server, get rid of it when possible.

It's even documented:
https://wiki.apache.org/spamassassin/CachingNameserver

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?
Re: training bayes database
On 10.05.18 15:08, David Jones wrote:
> On 05/10/2018 07:02 AM, Reio Remma wrote:
>> On 10.05.18 14:58, Matus UHLAR - fantomas wrote:
>>> On 09.05.2018 at 16:28, Matthew Broadhead wrote:
>>>> i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup?
>>>
>>> On 09/05/18 20:43, David Jones wrote:
>>>> Yes. Setup BIND, unbound, or pdns_recursor on your SA server that is not forwarding to another DNS server then set your /etc/resolv.conf or SA dns_server to 127.0.0.1. This will make your DNS queries isolated from your IP to stay under their daily limit.
>>>>
>>>> Keep in mind that if your SA box is behind NAT that is not dedicated to your server then other DNS queries could get combined with your shared public IP. This is not likely since others are not going to query RBL/URIBL servers but it's possible. If your SA server is directly on the Internet as an edge mail gateway then this won't be a problem.
>>>
>>> On 10.05.18 12:15, Matthew Broadhead wrote:
>>>> i already had bind handling my dns. i just had to add to /etc/named.conf
>>>>
>>>> allow-query-cache {localhost; any;};
>>>
>>> NO! this way everyone is allowed to use your server as recursive DNS. only allow "localhost;" it defines all ipv4 and ipv6 addresses on your system.
>>>
>>> It's also better to define allow-recursion instead. While it means something different, they both have same defaults, but allow-recursion has more clear meaning.
>>>
>>>> recursion yes;
>>>
>>> not needed by default.
>>>
>>>> and to /etc/resolv.conf
>>>>
>>>> nameserver 127.0.0.1
>>>>
>>>> i cannot believe that is not the default. i always assumed my dns was working correctly.
>>>
>>> It's not default to have DNS server on your system. And it's not default to have localhost in resolv.conf - it may be authoritative-only.
>>
>> On a slightly related note. We're running a PFSense firewall with DNS Forwarder (dnsmasq) in front of our mail server. From what I've gleaned from the net is that it caches as well. Should I still install a local (BIND) on the mail server?
>>
>> Thanks!
>> Reio
>
> YES! As I was corrected on this mailing list last year, dnsmasq is only a forwarding DNS server so it will cause your queries to be lumped into whatever it's forwarding to. Setup a real recursive DNS server local on your mail server since it should have its own dedicated NAT or real public IP on your pfSense firewall so your DNS queries will be completely isolated.

There's also the option of DNS Resolver (unbound) on the firewall - would that be better?

Reio
Re: training bayes database
On 05/10/2018 07:02 AM, Reio Remma wrote:
> On 10.05.18 14:58, Matus UHLAR - fantomas wrote:
>> On 09.05.2018 at 16:28, Matthew Broadhead wrote:
>>> i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup?
>>
>> On 09/05/18 20:43, David Jones wrote:
>>> Yes. Setup BIND, unbound, or pdns_recursor on your SA server that is not forwarding to another DNS server then set your /etc/resolv.conf or SA dns_server to 127.0.0.1. This will make your DNS queries isolated from your IP to stay under their daily limit.
>>>
>>> Keep in mind that if your SA box is behind NAT that is not dedicated to your server then other DNS queries could get combined with your shared public IP. This is not likely since others are not going to query RBL/URIBL servers but it's possible. If your SA server is directly on the Internet as an edge mail gateway then this won't be a problem.
>>
>> On 10.05.18 12:15, Matthew Broadhead wrote:
>>> i already had bind handling my dns. i just had to add to /etc/named.conf
>>>
>>> allow-query-cache {localhost; any;};
>>
>> NO! this way everyone is allowed to use your server as recursive DNS. only allow "localhost;" it defines all ipv4 and ipv6 addresses on your system.
>>
>> It's also better to define allow-recursion instead. While it means something different, they both have same defaults, but allow-recursion has more clear meaning.
>>
>>> recursion yes;
>>
>> not needed by default.
>>
>>> and to /etc/resolv.conf
>>>
>>> nameserver 127.0.0.1
>>>
>>> i cannot believe that is not the default. i always assumed my dns was working correctly.
>>
>> It's not default to have DNS server on your system. And it's not default to have localhost in resolv.conf - it may be authoritative-only.
>
> On a slightly related note. We're running a PFSense firewall with DNS Forwarder (dnsmasq) in front of our mail server. From what I've gleaned from the net is that it caches as well. Should I still install a local (BIND) on the mail server?
>
> Thanks!
> Reio

YES! As I was corrected on this mailing list last year, dnsmasq is only a forwarding DNS server so it will cause your queries to be lumped into whatever it's forwarding to. Setup a real recursive DNS server local on your mail server since it should have its own dedicated NAT or real public IP on your pfSense firewall so your DNS queries will be completely isolated.

--
David Jones
Re: training bayes database
On 10.05.18 14:58, Matus UHLAR - fantomas wrote:
> On 09.05.2018 at 16:28, Matthew Broadhead wrote:
>> i guess my dns is set to use my isp's dns server. do i need to set up dns relay on my machine so it comes from my ip? there is no way we send more than 500k emails from our domain so i should qualify for the free lookup?
>
> On 09/05/18 20:43, David Jones wrote:
>> Yes. Setup BIND, unbound, or pdns_recursor on your SA server that is not forwarding to another DNS server then set your /etc/resolv.conf or SA dns_server to 127.0.0.1. This will make your DNS queries isolated from your IP to stay under their daily limit.
>>
>> Keep in mind that if your SA box is behind NAT that is not dedicated to your server then other DNS queries could get combined with your shared public IP. This is not likely since others are not going to query RBL/URIBL servers but it's possible. If your SA server is directly on the Internet as an edge mail gateway then this won't be a problem.
>
> On 10.05.18 12:15, Matthew Broadhead wrote:
>> i already had bind handling my dns. i just had to add to /etc/named.conf
>>
>> allow-query-cache {localhost; any;};
>
> NO! this way everyone is allowed to use your server as recursive DNS. only allow "localhost;" it defines all ipv4 and ipv6 addresses on your system.
>
> It's also better to define allow-recursion instead. While it means something different, they both have same defaults, but allow-recursion has more clear meaning.
>
>> recursion yes;
>
> not needed by default.
>
>> and to /etc/resolv.conf
>>
>> nameserver 127.0.0.1
>>
>> i cannot believe that is not the default. i always assumed my dns was working correctly.
>
> It's not default to have DNS server on your system. And it's not default to have localhost in resolv.conf - it may be authoritative-only.

On a slightly related note. We're running a PFSense firewall with DNS Forwarder (dnsmasq) in front of our mail server. From what I've gleaned from the net is that it caches as well. Should I still install a local (BIND) on the mail server?

Thanks!
Reio
Re: training bayes database
Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
> I guess my DNS is set to use my ISP's DNS server. Do I need to set up a
> DNS relay on my machine so it comes from my IP? There is no way we send
> more than 500k emails from our domain, so I should qualify for the free
> lookup?

On 09/05/18 20:43, David Jones wrote:
> Yes. Set up BIND, unbound, or pdns_recursor on your SA server that is not
> forwarding to another DNS server, then set your /etc/resolv.conf or SA
> dns_server to 127.0.0.1. This will make your DNS queries isolated from
> your IP to stay under their daily limit.
>
> Keep in mind that if your SA box is behind NAT that is not dedicated to
> your server then other DNS queries could get combined with your shared
> public IP. This is not likely since others are not going to query
> RBL/URIBL servers but it's possible. If your SA server is directly on the
> Internet as an edge mail gateway then this won't be a problem.

On 10.05.18 12:15, Matthew Broadhead wrote:
> I already had BIND handling my DNS. I just had to add to /etc/named.conf
>
>     allow-query-cache {localhost; any;};

NO! This way everyone is allowed to use your server as a recursive DNS.
Only allow "localhost;" - it defines all IPv4 and IPv6 addresses on your
system.

It's also better to define allow-recursion instead. While it means
something different, they both have the same defaults, but allow-recursion
has a clearer meaning.

>     recursion yes;

Not needed by default.

> and to /etc/resolv.conf
>
>     nameserver 127.0.0.1
>
> I cannot believe that is not the default. I always assumed my DNS was
> working correctly.

It's not default to have a DNS server on your system. And it's not default
to have localhost in resolv.conf - it may be authoritative-only.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines.
Re: Invoice phish
On 05/10/2018 05:16 AM, Rupert Gallagher wrote:
> On Thu, May 10, 2018 at 00:54, David B Funk wrote:
>> 4) Less technical sophistication of the server side filtering VS google
>
> Both Google and Microsoft deliver a product for the masses. They are a
> McDonald's after all: you get the quality that you pay for. Google rejects
> messages with either failed DMARC or a banned file type, which is good, but
> also accepts advertisements, because it is *free* after all. A relative of
> mine, who insists on using Gmail, spotted authentic messages to her from
> the IRS and pension fund buried in thousands of spam. O365 is a paid-for
> service in the sense that one pays to receive spam.
>
> 2FA helps against intrusions, but I find people annoyed by the technology,
> so they disable it. Hence the hacked accounts with poor passwords.

It's not only compromised well-established accounts. Based on the odd domain
names I have seen, I am pretty sure that Microsoft allows trials of O365, so
spammers are signing up and blasting out junk/phishing emails until they are
discovered. These spammers can spoof anyone on O365 like toysrus.com and the
SPF checks will pass. They really need to enable rate limiting and unusual
GeoIP-usage detection. Maybe they need to set up a well-tuned SpamAssassin
platform internally to properly detect spam and lock compromised/abusive
accounts quickly. :)

--
David Jones
Re: Invoice phish
On Tue, 8 May 2018 16:02:32 -0400 Alex wrote:
> Hi,
> Does anyone have any special techniques for catching these invoice
> phish emails?
>
> https://pastebin.com/raw/TfvhUu0X

I think this may be worth a try:

    uri_detail INSECURE_INVOICE_LINK text =~ /\binvoices?\b/i cleaned =~ /http:/i

It's looking for HTML links where the tag mentions invoice, but the link is
not secure.
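The condition that uri_detail rule expresses, implemented in Python over a constructed HTML body so the matches can be inspected. This is an added example, not code from the list post or from SpamAssassin: it collects each anchor's href and visible text, then flags anchors whose text matches /\binvoices?\b/i and whose href matches /http:/i. Like the posted rule, the scheme test is unanchored, so an https link carrying "http:" in a query parameter would also fire; anchor it at the start of the href if that is unwanted. The sample HTML, hostnames and link text are constructed.

```python
"""Flag HTML links whose anchor text says "invoice" but whose target is plain http.

Added example (not from the mailing-list post): mirrors the uri_detail rule's
two tests, anchor text and URI scheme, over a constructed HTML message body.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Same expressions as the posted rule: text =~ /\binvoices?\b/i, cleaned =~ /http:/i
INVOICE_TEXT = re.compile(r"\binvoices?\b", re.IGNORECASE)
INSECURE_SCHEME = re.compile(r"http:", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, nested tags included."""

    def __init__(self) -> None:
        super().__init__()
        self._href: Optional[str] = None
        self._text: List[str] = []
        self.anchors: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # attribute values may be None for bare attributes; normalise to ""
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.anchors.append((self._href, visible))
            self._href = None


def insecure_invoice_links(html: str) -> List[Tuple[str, str]]:
    """Return (href, text) for anchors that would trip INSECURE_INVOICE_LINK."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [
        (href, text)
        for href, text in parser.anchors
        if INVOICE_TEXT.search(text) and INSECURE_SCHEME.search(href)
    ]


# Constructed sample body (hostnames under .invalid are placeholders).
SAMPLE_HTML = """
<html><body>
<p>Dear customer,</p>
<p><a href="http://pay.example.invalid/open?id=1">View your invoice</a></p>
<p><a href="https://billing.example.invalid/inv/42">Invoice #42 (secure)</a></p>
<p><a href="http://news.example.invalid/latest">Read our newsletter</a></p>
<p><a href="HTTP://docs.example.invalid/">Your <b>invoices</b> are ready</a></p>
<p><a href="mailto:billing@example.invalid">invoice questions</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, text in insecure_invoice_links(SAMPLE_HTML):
        print(f"HIT  {href!r:45} text={text!r}")
```

Running it flags the first and fourth links only: the https invoice link, the http link without "invoice" in its text, and the mailto link are all left alone.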
Re: Invoice phish
On Thu, May 10, 2018 at 00:54, David B Funk wrote:
> 4) Less technical sophistication of the server side filtering VS google

Both Google and Microsoft deliver a product for the masses. They are a
McDonald's after all: you get the quality that you pay for. Google rejects
messages with either failed DMARC or a banned file type, which is good, but
also accepts advertisements, because it is *free* after all. A relative of
mine, who insists on using Gmail, spotted authentic messages to her from the
IRS and pension fund buried in thousands of spam. O365 is a paid-for service
in the sense that one pays to receive spam.

2FA helps against intrusions, but I find people annoyed by the technology,
so they disable it. Hence the hacked accounts with poor passwords.
Re: training bayes database
On 09/05/18 20:43, David Jones wrote:
> On 05/09/2018 01:29 PM, Matthew Broadhead wrote:
>> On 09/05/18 16:37, Reindl Harald wrote:
>>> Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
>>>> It looks like it is working. So maybe it is just not flagging or
>>>> moving the spam?
>>>
>>> In a different post you showed this status header which *clearly*
>>> shows Bayes is working - Bayes alone doesn't flag, the total score
>>> does, and moving doesn't happen at all on this layer - other software
>>> like sieve is responsible for acting on the headers of a message.
>>>
>>> Quoting URIBL_BLOCKED is a joke - set up a *recursive* *non-forwarding*
>>> nameserver, no dnsmasq or such crap. http://uribl.com/refused.shtml
>>>
>>> With your setup you *obviously* exceed rate limits and have most
>>> DNSBL/URIBL not working, and so you can't expect useful results at all.
>>>
>>> X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
>>>     tests=[AM.WBL=-3, BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
>>>     MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
>>>     URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5]
>>>     autolearn=ham autolearn_force=no
>>
>> I followed the guidance at that URL and it gave me
>>
>>     [root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
>>     2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 213.171.193.134]"
>>
>> I guess my DNS is set to use my ISP's DNS server. Do I need to set up a
>> DNS relay on my machine so it comes from my IP? There is no way we send
>> more than 500k emails from our domain, so I should qualify for the free
>> lookup?
>
> Yes. Set up BIND, unbound, or pdns_recursor on your SA server that is not
> forwarding to another DNS server, then set your /etc/resolv.conf or SA
> dns_server to 127.0.0.1. This will make your DNS queries isolated from
> your IP to stay under their daily limit.
>
> Keep in mind that if your SA box is behind NAT that is not dedicated to
> your server then other DNS queries could get combined with your shared
> public IP. This is not likely since others are not going to query
> RBL/URIBL servers but it's possible. If your SA server is directly on the
> Internet as an edge mail gateway then this won't be a problem.

I already had BIND handling my DNS. I just had to add to /etc/named.conf

    allow-query-cache {localhost; any;};
    recursion yes;

and to /etc/resolv.conf

    nameserver 127.0.0.1

I cannot believe that is not the default. I always assumed my DNS was
working correctly.
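The three checks this thread keeps returning to, as one added example that is not code from the list or from BIND/SpamAssassin: whether the BIND options block opens recursion to the whole Internet (the `allow-query-cache { localhost; any; }` that Matus UHLAR objects to in his reply earlier on the page, and his preference for `allow-recursion`), whether /etc/resolv.conf actually sends lookups to 127.0.0.1, and whether the URIBL test record `2.0.0.127.multi.uribl.com` comes back as the "Query Refused" answer shown above. The named.conf and resolv.conf contents, the 192.0.2.x addresses and the "listed" TXT string are constructed sample inputs; run the functions over the real files and the real `host -t TXT` output on a mail gateway.

```python
"""Audit a mail gateway's resolver setup for DNSBL/URIBL use.

Added example (not from the mailing-list thread). Checks a BIND options block
for open recursion, resolv.conf for a loopback nameserver, and a URIBL TXT
answer for the "Query Refused" rate-limit marker.
"""
import re
from typing import Dict, List

# Constructed sample inputs: file contents, addresses and TXT strings are assumptions.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
    // the 'any;' entry opens the cache, and thus recursion, to everyone
    allow-query-cache { localhost; any; };
    recursion yes;
};
"""

HARDENED_NAMED_CONF = """
options {
    directory "/var/named";
    allow-recursion { localhost; };
    allow-query-cache { localhost; };
};
"""

LOCAL_RESOLV_CONF = "search example.invalid\nnameserver 127.0.0.1\n"
ISP_RESOLV_CONF = "nameserver 192.0.2.53\nnameserver 192.0.2.54\n"

# Shape of the refused answer as quoted in the thread, with a documentation IP.
REFUSED_TXT = ('"127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml '
               'for more information [Your DNS IP: 192.0.2.53]"')
LISTED_TXT = '"listed"'  # constructed stand-in for a normal test-point answer

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
_ACL_RE = re.compile(r"\b(allow-query-cache|allow-recursion)\s*\{([^}]*)\}\s*;")
_RECURSION_RE = re.compile(r"(?<!-)\brecursion\s+(yes|no)\s*;")
_OPEN_ENTRIES = {"any", "0.0.0.0/0", "::/0"}


def parse_acls(named_conf: str) -> Dict[str, List[str]]:
    """Return {statement: [address-match entries]} for the recursion-related ACLs."""
    text = _COMMENT_RE.sub("", named_conf)
    acls: Dict[str, List[str]] = {}
    for m in _ACL_RE.finditer(text):
        acls[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return acls


def audit_named_conf(named_conf: str) -> List[str]:
    """Findings for the options block; an empty list means nothing to fix."""
    findings: List[str] = []
    acls = parse_acls(named_conf)
    for stmt in ("allow-recursion", "allow-query-cache"):
        if _OPEN_ENTRIES & set(acls.get(stmt, [])):
            findings.append(f"{stmt} includes 'any': open recursive resolver")
    if "allow-query-cache" in acls and "allow-recursion" not in acls:
        findings.append("allow-recursion is not set; prefer it over allow-query-cache "
                        "so the intent is explicit")
    m = _RECURSION_RE.search(_COMMENT_RE.sub("", named_conf))
    if m and m.group(1) == "yes":
        findings.append("'recursion yes;' is BIND's default and can be dropped")
    return findings


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Nameserver addresses in the order the resolver will try them."""
    return [parts[1] for parts in (line.split() for line in resolv_conf.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def uses_local_resolver(resolv_conf: str) -> bool:
    """True when the first nameserver is a loopback address."""
    servers = parse_nameservers(resolv_conf)
    return bool(servers) and servers[0] in ("127.0.0.1", "::1")


def uribl_refused(txt_answer: str) -> bool:
    """True when the URIBL TXT answer is the 'Query Refused' rate-limit marker."""
    return "Query Refused" in txt_answer


def audit(named_conf: str, resolv_conf: str, txt_answer: str) -> List[str]:
    findings = audit_named_conf(named_conf)
    if not uses_local_resolver(resolv_conf):
        findings.append("resolv.conf does not point at 127.0.0.1; lookups leave via a shared resolver")
    if uribl_refused(txt_answer):
        findings.append("URIBL refuses queries from this resolver IP (rate limit exceeded)")
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_NAMED_CONF, ISP_RESOLV_CONF, REFUSED_TXT):
        print("FAIL:", f)
    print("hardened:", audit(HARDENED_NAMED_CONF, LOCAL_RESOLV_CONF, LISTED_TXT) or "clean")
```

The weak configuration yields five findings (open cache ACL, missing allow-recursion, redundant recursion statement, ISP nameserver, refused URIBL answer); the hardened one with a loopback nameserver and a normal TXT answer yields none.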