Re: FORGED_GMAIL_RCVD via IMAP.

2018-05-10 Thread Reio Remma

On 10.05.2018 22:23, Reindl Harald wrote:

Am 10.05.2018 um 21:11 schrieb Reio Remma:

Apparently it happens only if I use my Gmail account via IMAP, but not
when I mailed from their webmail for testing.

you don't send with IMAP - it's SMTP


Indeed, I realized my mistake right after posting. By IMAP I meant I'm 
reading GMail with a real mail client. :)


On 10.05.2018 22:38, Benny Pedersen wrote:


ESMTPSA

please create a ticket, it's a false positive on that test

it's not forged if SASL authed


Bug report filed, thanks.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7584


Re: FORGED_GMAIL_RCVD via IMAP.

2018-05-10 Thread Benny Pedersen

Reio Remma skrev den 2018-05-10 21:11:


I just noticed if I mail myself via my Gmail account, I'm hitting
FORGED_GMAIL_RCVD.

Apparently it happens only if I use my Gmail account via IMAP, but not
when I mailed from their webmail for testing.

Should that be so? I suspect it's the following that trips it:

Return-Path: 
Received: from [192.168.0.148] (85.xxx.xxx.xxx.cable.isp.ee. [85.xxx.xxx.xxx])
    by smtp.googlemail.com with ESMTPSA id b65-v6sm298081lff.5.2018.05.10.11.58.19
    for 
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Thu, 10 May 2018 11:58:19 -0700 (PDT)


ESMTPSA

please create a ticket, it's a false positive on that test

it's not forged if SASL authed
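
Benny's point is that the trailing "A" in ESMTPSA records a successful SMTP AUTH, so the hop is a legitimate submission rather than a forgery. The following is an added example, not SpamAssassin's rule code: it parses a Received hop like the one quoted above and separates an authenticated Gmail submission from an unauthenticated hop that merely names a Google MTA. The Google hostname suffixes, the placeholder recipient and the second (contrast) header are assumptions constructed for the example.

```python
import re

# Received header as quoted in the thread (the poster redacted the IP octets;
# kept as-is), with a constructed placeholder where the archive stripped the address.
GMAIL_SUBMISSION = """Received: from [192.168.0.148] (85.xxx.xxx.xxx.cable.isp.ee. [85.xxx.xxx.xxx])
        by smtp.googlemail.com with ESMTPSA id b65-v6sm298081lff.5.2018.05.10.11.58.19
        for <recipient@example.invalid>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 10 May 2018 11:58:19 -0700 (PDT)"""

# Constructed contrast case: a plain ESMTP handoff that merely claims a Google MTA.
# No 'A' in the with-clause, so the Google server did not vouch for the sender.
UNAUTHENTICATED_CLAIM = """Received: from mail.example.invalid (mail.example.invalid [203.0.113.7])
        by smtp.googlemail.com with ESMTP id constructed0001
        for <recipient@example.invalid>;
        Thu, 10 May 2018 11:58:19 -0700 (PDT)"""

# Hosts Google hands authenticated mail through; the exact set is an assumption here.
GOOGLE_MTA_SUFFIXES = (".googlemail.com", ".gmail.com", ".google.com")

# "from <helo> (<rdns> [<ip>]) by <host> with <protocol> ..."; the rdns part may be absent.
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
    r"\s+with\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE,
)


def unfold(header):
    """Join RFC 5322 folded continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def classify_received(header):
    """Extract the hop details that matter for the forged-Gmail question."""
    m = RECEIVED_RE.match(unfold(header))
    if m is None:
        return None
    proto = m.group("proto").upper()
    return {
        "helo": m.group("helo"),
        "client_rdns": m.group("rdns"),
        "client_ip": m.group("ip"),
        "by": m.group("by").lower(),
        "protocol": proto,
        # RFC 3848 with-clause keywords: a trailing 'A' (ESMTPA, ESMTPSA) records
        # a successful SMTP AUTH; an 'S' before it records a TLS-protected session.
        "authenticated": proto.endswith("A"),
        "tls": proto.rstrip("A").endswith("S"),
    }


def is_authenticated_gmail_submission(header):
    """True when a Google MTA accepted the message from an authenticated client.

    Such hops legitimately show a non-Google client (home broadband rDNS, an
    RFC 1918 address in the HELO) and should not be scored as a forged Gmail hop.
    """
    hop = classify_received(header)
    if hop is None:
        return False
    host = hop["by"]
    from_google = host.endswith(GOOGLE_MTA_SUFFIXES) or host in (
        "googlemail.com", "gmail.com", "google.com")
    return from_google and hop["authenticated"]


if __name__ == "__main__":
    for name, hdr in (("thread header", GMAIL_SUBMISSION),
                      ("constructed contrast", UNAUTHENTICATED_CLAIM)):
        hop = classify_received(hdr)
        print(f"{name}: with={hop['protocol']} authenticated={hop['authenticated']} "
              f"gmail_submission={is_authenticated_gmail_submission(hdr)}")
```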


Re: FORGED_GMAIL_RCVD via IMAP.

2018-05-10 Thread Giovanni Bechis
On 05/10/18 21:11, Reio Remma wrote:
> Hello!
> 
> I just noticed if I mail myself via my Gmail account, I'm hitting 
> FORGED_GMAIL_RCVD.
> 
> Apparently it happens only if I use my Gmail account via IMAP, but not when I 
> mailed from their webmail for testing.
> 
> Should that be so? I suspect it's the following that trips it:
> 
> Return-Path: 
> Received: from [192.168.0.148] (85.xxx.xxx.xxx.cable.isp.ee. [85.xxx.xxx.xxx])
>     by smtp.googlemail.com with ESMTPSA id 
> b65-v6sm298081lff.5.2018.05.10.11.58.19
>     for 
>     (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>     Thu, 10 May 2018 11:58:19 -0700 (PDT)
> 
> 
Could you post full headers on pastebin?
Thanks
  Giovanni


Re: Invoice phish

2018-05-10 Thread David Jones

On 05/10/2018 01:32 PM, RW wrote:

On Thu, 10 May 2018 09:55:00 -0500
David Jones wrote:


On 05/10/2018 09:39 AM, RW wrote:



Microsoft has a list of domains it hosts and a list of hosted
domains (and/or its own addresses) tied to each account.  Given how
much reliance MS place on DMARC's preventing spoofing, and how easy
it would be for them to prevent one user spoofing another's domain
on submission, I'd be very surprised if they allow it.
   


They do. I saw an example a few weeks ago.


The very fact that you are citing just one from a few weeks ago strongly
suggests that they don't.



It's possible that it could have been months ago, I guess, so my memory 
could be off.  The fact that someone tested it recently and Microsoft 
blocks it today is encouraging.  Maybe they enabled this logic recently 
to match what Google is doing which is the correct way to handle this 
and prevent "SPF piggy-backing."



Paul Stead claims to have seen it, but it's important to positively
identify it as spoofing and not hacking.
   


Not sure what the difference is from a mail filtering perspective.


The difference is that if domains that include Microsoft's SPF are as
wide open to spoofing as you suggest, they shouldn't have
def_whitelist_auth entries.



You are correct.  When they were added this issue of "SPF piggy-backing" 
wasn't an issue.  It may have been known to be a potential problem but 
wasn't being actively exploited like toysrus.com was last year when I 
first noticed it.


It's also possible that those whitelist_* domains have added the 
"include:spf.protection.outlook.com" to their SPF record recently after 
migrating their corporate mail hosting to O365.  We don't have anything 
actively monitoring whitelist entries for SPF record changes so we have 
to rely on abuse reports to this list to remove/change them in SA.


--
David Jones


FORGED_GMAIL_RCVD via IMAP.

2018-05-10 Thread Reio Remma

Hello!

I just noticed if I mail myself via my Gmail account, I'm hitting 
FORGED_GMAIL_RCVD.


Apparently it happens only if I use my Gmail account via IMAP, but not 
when I mailed from their webmail for testing.


Should that be so? I suspect it's the following that trips it:

Return-Path: 
Received: from [192.168.0.148] (85.xxx.xxx.xxx.cable.isp.ee. [85.xxx.xxx.xxx])
by smtp.googlemail.com with ESMTPSA id 
b65-v6sm298081lff.5.2018.05.10.11.58.19
for 
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 10 May 2018 11:58:19 -0700 (PDT)


Reio



Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 09:55:00 -0500
David Jones wrote:

> On 05/10/2018 09:39 AM, RW wrote:

> > Microsoft has a list of domains it hosts and a list of hosted
> > domains (and/or its own addresses) tied to each account.  Given how
> > much reliance MS place on DMARC's preventing spoofing, and how easy
> > it would be for them to prevent one user spoofing another's domain
> > on submission, I'd be very surprised if they allow it.
> >   
> 
> They do. I saw an example a few weeks ago.

The very fact that you are citing just one from a few weeks ago strongly
suggests that they don't.

> > Paul Stead claims to have seen it, but it's important to positively
> > identify it as spoofing and not hacking.
> >   
> 
> Not sure what the difference is from a mail filtering perspective.

The difference is that if domains that include Microsoft's SPF are as 
wide open to spoofing as you suggest, they shouldn't have
def_whitelist_auth entries.



Re: training bayes database

2018-05-10 Thread David B Funk

On Thu, 10 May 2018, John Hardin wrote:


On Thu, 10 May 2018, Matthew Broadhead wrote:


On 09/05/18 20:43, David Jones wrote:

On 05/09/2018 01:29 PM, Matthew Broadhead wrote:

On 09/05/18 16:37, Reindl Harald wrote:


quoting URIBL_BLOCKED is a joke - set up a *recursive* *non-forwarding*
nameserver, no dnsmasq or such crap

http://uribl.com/refused.shtml

with your setup you *obviously* exceed rate-limits and have most
DNSBL/URIBL not working and so you can't expect useful results at all

X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
 tests=[AM.WBL=-3, BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
 MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5]
 autolearn=ham autolearn_force=no


i followed the guidance at that url and it gave me
[root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. 
See http://uribl.com/refused.shtml for more information [Your DNS IP: 
213.171.193.134]"


i guess my dns is set to use my isp's dns server.  do i need to set up 
dns relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain so i should 
qualify for the free lookup?


Yes.  Set up BIND, unbound, or pdns_recursor on your SA server that is not 
forwarding to another DNS server then set your /etc/resolv.conf or SA 
dns_server to 127.0.0.1.  This will make your DNS queries isolated from 
your IP to stay under their daily limit.


Keep in mind that if your SA box is behind NAT that is not dedicated to 
your server then other DNS queries could get combined with your shared 
public IP.  This is not likely since others are not going to query 
RBL/URIBL servers but it's possible.  If your SA server is directly on the 
Internet as an edge mail gateway then this won't be a problem.



i already had bind handling my dns.  i just had to add to /etc/named.conf

allow-query-cache {localhost; any;};
recursion yes;


Don't forget to *turn off forwarding*.


and to /etc/resolv.conf

nameserver 127.0.0.1


That is the most important point in this whole discussion.

It doesn't matter (much) what DNS server/software you use so long as it supports 
recursive NON-FORWARDED queries.

Caching is desirable but is only a secondary consideration VS the first point.

Security point: when you run a recursive server it is a potential DDoS risk, so 
protect it from being used/abused by untrusted clients (best if it only listens 
on the loopback address, 127.*, or has strong ACL/access control support that is 
properly configured).


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin   Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: training bayes database

2018-05-10 Thread John Hardin

On Thu, 10 May 2018, Matthew Broadhead wrote:


On 09/05/18 20:43, David Jones wrote:

On 05/09/2018 01:29 PM, Matthew Broadhead wrote:

On 09/05/18 16:37, Reindl Harald wrote:


Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:

it looks like it is working.  so maybe it is just not flagging or moving
the spam?

in a different post you showed this status header which *clearly* shows
bayes is working - bayes alone doesn't flag, the total score does, moving
doesn't happen at all on this layer - other software like sieve is
responsible for acting on the headers of a message

quoting URIBL_BLOCKED is a joke - set up a *recursive* *non-forwarding*
nameserver, no dnsmasq or such crap

http://uribl.com/refused.shtml

with your setup you *obviously* exceed rate-limits and have most
DNSBL/URIBL not working and so you can't expect useful results at all

X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
 tests=[AM.WBL=-3, BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
 MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5]
 autolearn=ham autolearn_force=no


i followed the guidance at that url and it gave me
[root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. 
See http://uribl.com/refused.shtml for more information [Your DNS IP: 
213.171.193.134]"


i guess my dns is set to use my isp's dns server.  do i need to set up dns 
relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain so i should 
qualify for the free lookup?


Yes.  Set up BIND, unbound, or pdns_recursor on your SA server that is not 
forwarding to another DNS server then set your /etc/resolv.conf or SA 
dns_server to 127.0.0.1.  This will make your DNS queries isolated from 
your IP to stay under their daily limit.


Keep in mind that if your SA box is behind NAT that is not dedicated to 
your server then other DNS queries could get combined with your shared 
public IP.  This is not likely since others are not going to query 
RBL/URIBL servers but it's possible.  If your SA server is directly on the 
Internet as an edge mail gateway then this won't be a problem.



i already had bind handling my dns.  i just had to add to /etc/named.conf

allow-query-cache {localhost; any;};
recursion yes;


Don't forget to *turn off forwarding*.


and to /etc/resolv.conf

nameserver 127.0.0.1

i cannot believe that is not the default.  i always assumed my dns was 
working correctly.




--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is a written instrument. As such its meaning does
  not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
   SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
 406 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Invoice phish

2018-05-10 Thread Paul Stead


On 10/05/2018, 15:54, "David Jones"  wrote:

They do. I saw an example a few weeks ago.

>Paul Stead claims to have seen it, but it's important to positively
>identify it as spoofing and not hacking.

Not sure what the difference is from a mail filtering perspective.  From
Microsoft's perspective it is both.  A spammer got someone's password
and started sending a bunch of invoice phishing emails pretending to be
a local construction company that happens to host their email on O365 so
their SPF record is good.

I agree this scenario seems unlikely; I can't find any example, and I have done 
some testing myself.

Seems that O365 will return

550 5.7.60 SMTP; Client does not have permissions to send as this sender

if the SMTP From is anything but an accepted address for that user in the 
domain controlled with O365.

I was convinced I had seen this scenario, but without the evidence I'll have to 
chalk it up to bad memory.

Paul

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk

Winner of 'Services Company of the Year' at the UK IT Industry Awards

This message is private and confidential. If you have received this message in 
error, please notify us and remove it from your system.

Zen Internet Limited may monitor email traffic data to manage billing, to 
handle customer enquiries and for the prevention and detection of fraud. We may 
also monitor the content of emails sent to and/or from Zen Internet Limited for 
the purposes of security, staff training and to monitor quality of service.

Zen Internet Limited is registered in England and Wales, Sandbrook Park, 
Sandbrook Way, Rochdale, OL11 1RY Company No. 03101568 VAT Reg No. 686 0495 01


Re: Invoice phish

2018-05-10 Thread David Jones

On 05/10/2018 09:39 AM, RW wrote:

On Thu, 10 May 2018 13:49:15 + (UTC)
Pedro David Marco wrote:

  
David Jones wrote:

It's not only compromised well-established accounts.  Based on the odd
domain names I have seen, I am pretty sure that Microsoft allows
trials of O365 so spammers are signing up and blasting out
junk/phishing emails until they are discovered.  These spammers can
spoof anyone on O365 like toysrus.com and the SPF checks will pass.



I totally agree with David, I have seen trial periods of 45 days for
O365, then spoofing any other O365 customer is trivial with SPF
totally pointless.


But have you actually tried it? I had a concern about travelodge.co.uk
being whitelisted when its SPF includes gmail, but I tried spoofing it
through smtp.gmail.com and it didn't work.



It was said on this thread that Google rewrites/forces the envelope-from 
address to be the same as the authenticated sender so Google handles 
this properly.  Microsoft does not.  If you can authenticate, then you 
can send as whatever you want with any headers you want to add/spoof 
including the From:.



Microsoft has a list of domains it hosts and a list of hosted domains
(and/or its own addresses) tied to each account.  Given how much
reliance MS place on DMARC's preventing spoofing, and how easy it would
be for them to prevent one user spoofing another's domain on submission,
I'd be very surprised if they allow it.



They do. I saw an example a few weeks ago.


Paul Stead claims to have seen it, but it's important to positively
identify it as spoofing and not hacking.



Not sure what the difference is from a mail filtering perspective.  From 
Microsoft's perspective it is both.  A spammer got someone's password 
and started sending a bunch of invoice phishing emails pretending to be 
a local construction company that happens to host their email on O365 so 
their SPF record is good.


--
David Jones


Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 13:49:15 + (UTC)
Pedro David Marco wrote:

>  
> David Jones wrote:
> > It's not only compromised well-established accounts.  Based on the odd
> > domain names I have seen, I am pretty sure that Microsoft allows
> > trials of O365 so spammers are signing up and blasting out
> > junk/phishing emails until they are discovered.  These spammers can
> > spoof anyone on O365 like toysrus.com and the SPF checks will pass.
> 
> 
> I totally agree with David, I have seen trial periods of 45 days for
> O365, then spoofing any other O365 customer is trivial with SPF
> totally pointless.

But have you actually tried it? I had a concern about travelodge.co.uk
being whitelisted when its SPF includes gmail, but I tried spoofing it
through smtp.gmail.com and it didn't work.

Microsoft has a list of domains it hosts and a list of hosted domains
(and/or its own addresses) tied to each account.  Given how much
reliance MS place on DMARC's preventing spoofing, and how easy it would
be for them to prevent one user spoofing another's domain on submission,
I'd be very surprised if they allow it. 

Paul Stead claims to have seen it, but it's important to positively
identify it as spoofing and not hacking. 



Re: training bayes database

2018-05-10 Thread Reio Remma

On 10.05.18 15:23, David Jones wrote:

On 05/10/2018 07:12 AM, Reio Remma wrote:

On 10.05.18 15:08, David Jones wrote:

On 05/10/2018 07:02 AM, Reio Remma wrote:
On a slightly related note. We're running a PFSense firewall with 
DNS Forwarder (dnsmasq) in front of our mail server. From what I've 
gleaned from the net is that it caches as well. Should I still 
install a local (BIND) on the mail server?


Thanks!
Reio


YES!  As I was corrected on this mailing list last year, dnsmasq is 
only a forwarding DNS server so it will cause your queries to be 
lumped into whatever it's forwarding to.  Set up a real recursive DNS 
server local on your mail server since it should have its own 
dedicated NAT or real public IP on your pfSense firewall so your DNS 
queries will be completely isolated. 


There's also the option of DNS Resolver (unbound) on the firewall - 
would that be better?


Reio


No.  Your DNS traffic for your general network served by your firewall 
is much different from your mail server DNS lookup.  You will probably 
want to forward your firewall DNS server to OpenDNS, Google, or even 
do DNS over TLS someday.


https://wiki.apache.org/spamassassin/CachingNameserver

My favorite is PowerDNS Recursor but Unbound is very popular. 


That seems to have worked - installed unbound and set dns_server 
127.0.0.1 in local.cf


Thanks,
Reio


Re: Invoice phish

2018-05-10 Thread Pedro David Marco
 
David Jones wrote:
> It's not only compromised well-established accounts.  Based on the odd 
> domain names I have seen, I am pretty sure that Microsoft allows trials 
> of O365 so spammers are signing up and blasting out junk/phishing emails 
> until they are discovered.  These spammers can spoof anyone on O365 like 
> toysrus.com and the SPF checks will pass.


I totally agree with David, I have seen trial periods of 45 days for O365, then 
spoofing any other O365 customer is trivial with SPF totally pointless. But 
nobody gets fired for choosing O365, right?

-PedroD


  

Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 12:48:29 +
Paul Stead wrote:

> On 10/05/2018, 13:46, "David Jones"  wrote:
> 
> >Do you have a reason to think that that's possible?
> >It doesn't seem very likely, but there are some default whitelist
> >entries that should go if it is.  
> 
>  Anyone on O365 not using webmail or
> Outlook can spoof any other O365 customer using authenticated SMTP to
> smtp.office365.com where they can control the envelope-from and
> From: header and the SPF check will pass.  The only thing stopping it
> is Microsoft's ability to detect unusual activity.

My experience with gmail is that they rewrite the envelope. I expected
O365 to do the same.

> 
> Not only is it possible - I've had actual examples of this happening
> on our platform, spoofed Envelope-From spam sent through O365 and the
> SPF passing...
> 

In that case the following domains should be moved from 
60_whitelist_auth.cf to 60_whitelist_dkim.cf:

usps.gov
hilton.com
accountprotection.microsoft.com
theupsstore.com
logmein.com
lastpass.com
amtrak.com
druryhotels.com
ticketmaster.com
adt.com
homedepot.com

And the following should be removed from 60_whitelist_spf.cf:


match.com
silicon.com
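
David Jones notes earlier in the thread that nothing monitors whitelist entries for SPF record changes, and RW above lists domains to move from 60_whitelist_auth.cf to 60_whitelist_dkim.cf because their SPF pass can be borrowed by any other tenant of the same provider. As an added example, not SpamAssassin's code: an offline audit that parses SPF records, follows include/redirect chains, and flags entries whose pass is delegated to a shared-tenant provider. The record map stands in for DNS lookups and is constructed; the shared-tenant include set is this example's assumption.

```python
# Includes that delegate a domain's SPF "pass" to a multi-tenant provider, so any
# other customer who can submit mail there passes SPF for the domain as well (the
# "SPF piggy-backing" the thread describes). The hostnames are the providers' real
# include targets; treating them as the shared-tenant set is this example's assumption.
SHARED_TENANT_INCLUDES = {
    "spf.protection.outlook.com",   # Office 365 / Exchange Online
    "_spf.google.com",              # G Suite / Gmail
}


def parse_spf(record):
    """Split a v=spf1 TXT record into (qualifier, name, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        if "=" in term:                          # modifier, e.g. redirect=, exp=
            name, _, value = term.partition("=")
            parsed.append(("", name.lower(), value))
            continue
        qualifier = "+"                          # mechanisms default to "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")     # e.g. include:host, ip4:net, mx
        parsed.append((qualifier, name.lower(), value))
    return parsed


def shared_includes(domain, records, depth=0):
    """Shared-tenant targets reachable via include/redirect from this domain.

    records is an offline domain -> TXT map standing in for DNS; recursion is
    capped at SPF's ten-lookup limit so a looping include chain terminates.
    """
    record = records.get(domain.lower())
    if record is None or depth >= 10:
        return []
    hits = []
    for qualifier, name, value in parse_spf(record):
        # Only a "pass" include (or a redirect) lends the provider's pass to the domain.
        if name not in ("include", "redirect") or qualifier not in ("+", ""):
            continue
        target = value.lower()
        if target in SHARED_TENANT_INCLUDES:
            hits.append(target)
        else:
            hits.extend(shared_includes(target, records, depth + 1))
    return hits


def audit_whitelist_auth(domains, records):
    """Return {domain: shared targets} for whitelist_auth-style entries whose SPF
    pass other tenants can borrow; those belong in whitelist_dkim instead, where
    the whitelist is tied to the domain's own signing key."""
    flagged = {}
    for domain in domains:
        hits = shared_includes(domain, records)
        if hits:
            flagged[domain] = hits
    return flagged


# Constructed records (reserved example names, offline) covering the cases that matter.
RECORDS = {
    "hosted-o365.example": "v=spf1 include:spf.protection.outlook.com -all",
    "nested.example": "v=spf1 include:_spf.nested.example ~all",
    "_spf.nested.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.google.com -all",
    "own-mta.example": "v=spf1 ip4:203.0.113.0/24 mx -all",
    "redirected.example": "v=spf1 redirect=hosted-o365.example",
}
WHITELIST_AUTH = ["hosted-o365.example", "nested.example", "own-mta.example",
                  "redirected.example", "not-in-dns.example"]

if __name__ == "__main__":
    for domain, hits in audit_whitelist_auth(WHITELIST_AUTH, RECORDS).items():
        print(f"move to whitelist_dkim: {domain} (via {', '.join(hits)})")
```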







Re: Invoice phish

2018-05-10 Thread Paul Stead


On 10/05/2018, 13:46, "David Jones"  wrote:

>Do you have a reason to think that that's possible?
>It doesn't seem very likely, but there are some default whitelist
>entries that should go if it is.

Which part is possible?  The trial accounts blasting spam or the
toysrus.com SPF matching?  Anyone on O365 not using webmail or Outlook
can spoof any other O365 customer using authenticated SMTP to
smtp.office365.com where they can control the envelope-from and From:
header and the SPF check will pass.  The only thing stopping it is
Microsoft's ability to detect unusual activity.

Not only is it possible - I've had actual examples of this happening on our 
platform, spoofed Envelope-From spam sent through O365 and the SPF passing...


Paul

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk

Winner of 'Services Company of the Year' at the UK IT Industry Awards



Re: Invoice phish

2018-05-10 Thread David Jones

On 05/10/2018 07:37 AM, RW wrote:

On Thu, 10 May 2018 06:50:46 -0500
David Jones wrote:



I am pretty sure that Microsoft allows
trials of O365 so spammers are signing up and blasting out
junk/phishing emails until they are discovered.  These spammers can
spoof anyone on O365 like toysrus.com and the SPF checks will pass.


Do you have a reason to think that that's possible?

It doesn't seem very likely, but there are some default whitelist
entries that should go if it is.





Which part is possible?  The trial accounts blasting spam or the 
toysrus.com SPF matching?  Anyone on O365 not using webmail or Outlook 
can spoof any other O365 customer using authenticated SMTP to 
smtp.office365.com where they can control the envelope-from and From: 
header and the SPF check will pass.  The only thing stopping it is 
Microsoft's ability to detect unusual activity.


--
David Jones


Re: Invoice phish

2018-05-10 Thread RW
On Thu, 10 May 2018 06:50:46 -0500
David Jones wrote:


> I am pretty sure that Microsoft allows
> trials of O365 so spammers are signing up and blasting out
> junk/phishing emails until they are discovered.  These spammers can
> spoof anyone on O365 like toysrus.com and the SPF checks will pass.

Do you have a reason to think that that's possible? 

It doesn't seem very likely, but there are some default whitelist
entries that should go if it is.





Re: training bayes database

2018-05-10 Thread David Jones

On 05/10/2018 07:12 AM, Reio Remma wrote:

On 10.05.18 15:08, David Jones wrote:

On 05/10/2018 07:02 AM, Reio Remma wrote:

On 10.05.18 14:58, Matus UHLAR - fantomas wrote:

Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
i guess my dns is set to use my isp's dns server.  do i need to 
set up dns relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain so 
i should qualify for the free lookup?



On 09/05/18 20:43, David Jones wrote:
Yes.  Set up BIND, unbound, or pdns_recursor on your SA server that 
is not forwarding to another DNS server then set your 
/etc/resolv.conf or SA dns_server to 127.0.0.1.  This will make 
your DNS queries isolated from your IP to stay under their daily 
limit.


Keep in mind that if your SA box is behind NAT that is not 
dedicated to your server then other DNS queries could get combined 
with your shared public IP.  This is not likely since others are 
not going to query RBL/URIBL servers but it's possible.  If your 
SA server is directly on the Internet as an edge mail gateway then 
this won't be a problem.




On 10.05.18 12:15, Matthew Broadhead wrote:
i already had bind handling my dns.  i just had to add to 
/etc/named.conf


allow-query-cache {localhost; any;};


NO!
This way everyone is allowed to use your server as a recursive DNS.

only allow "localhost;"; it defines all IPv4 and IPv6 addresses on your 
system.


It's also better to define allow-recursion instead.
While it means something different, they both have the same defaults, but
allow-recursion has a clearer meaning.


recursion yes;


not needed by default.


and to /etc/resolv.conf

nameserver 127.0.0.1

i cannot believe that is not the default.  i always assumed my dns 
was working correctly.


It's not the default to have a DNS server on your system. And it's not 
the default to have localhost in resolv.conf - it may be authoritative-only. 


On a slightly related note. We're running a PFSense firewall with DNS 
Forwarder (dnsmasq) in front of our mail server. From what I've 
gleaned from the net is that it caches as well. Should I still 
install a local (BIND) on the mail server?


Thanks!
Reio


YES!  As I was corrected on this mailing list last year, dnsmasq is 
only a forwarding DNS server so it will cause your queries to be 
lumped into whatever it's forwarding to.  Set up a real recursive DNS 
server local on your mail server since it should have its own 
dedicated NAT or real public IP on your pfSense firewall so your DNS 
queries will be completely isolated. 


There's also the option of DNS Resolver (unbound) on the firewall - 
would that be better?


Reio


No.  Your DNS traffic for your general network served by your firewall 
is much different from your mail server DNS lookup.  You will probably 
want to forward your firewall DNS server to OpenDNS, Google, or even do 
DNS over TLS someday.


https://wiki.apache.org/spamassassin/CachingNameserver

My favorite is PowerDNS Recursor but Unbound is very popular.

--
David Jones


Re: training bayes database

2018-05-10 Thread Matus UHLAR - fantomas

Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
i guess my dns is set to use my isp's dns server.  do i need 
to set up dns relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain 
so i should qualify for the free lookup?



On 09/05/18 20:43, David Jones wrote:
Yes.  Set up BIND, unbound, or pdns_recursor on your SA server 
that is not forwarding to another DNS server then set your 
/etc/resolv.conf or SA dns_server to 127.0.0.1.  This will make 
your DNS queries isolated from your IP to stay under their 
daily limit.


Keep in mind that if your SA box is behind NAT that is not 
dedicated to your server then other DNS queries could get 
combined with your shared public IP.  This is not likely since 
others are not going to query RBL/URIBL servers but it's 
possible.  If your SA server is directly on the Internet as an 
edge mail gateway then this won't be a problem.


On 10.05.18 15:02, Reio Remma wrote:
On a slightly related note. We're running a PFSense firewall with DNS 
Forwarder (dnsmasq) in front of our mail server. From what I've 
gleaned from the net is that it caches as well. Should I still 
install a local (BIND) on the mail server?


The requirement is not for a caching server - it's for a recursing server.

dnsmasq is a forwarding server, get rid of it when possible. It's even
documented:

https://wiki.apache.org/spamassassin/CachingNameserver

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends? 
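
Matus's correction above (an `any` element in allow-query-cache opens the resolver to everyone; prefer allow-recursion) and David Funk's security point earlier in the thread (an open recursive resolver is a DDoS risk, so listen on loopback or ACL it) can be turned into a check. The following is an added example, not from the thread: a small linter over named.conf text, run against a constructed fragment reproducing the weak settings quoted in the thread and a loopback-only version. The statement names are BIND's; the fragments themselves are constructed here.

```python
import re

# Constructed named.conf fragment reproducing the two problems raised in the thread:
# 'any' in allow-query-cache and forwarding to an upstream (ISP) resolver.
WEAK_CONF = """
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };               // ISP resolver: lookups leave from its IP
    recursion yes;
    allow-query-cache { localhost; any; };    // 'any' opens the cache to the world
};
"""

# Constructed loopback-only recursive resolver for a SpamAssassin host: no forwarders,
# recursion and cache access limited to localhost, sockets bound to 127.0.0.1 / ::1.
HARDENED_CONF = """
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-recursion { localhost; };
    allow-query-cache { localhost; };
};
"""

# Address-match statements that must never contain 'any' on a resolver meant for SA.
ACL_STATEMENTS = ("allow-recursion", "allow-query-cache", "allow-query")


def _strip_comments(text):
    """Remove BIND's three comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_brace_statements(conf):
    """Map 'name { a; b; };' statements to their element lists (innermost level only;
    the enclosing 'options { ... }' block is skipped because it nests braces)."""
    stmts = {}
    for m in re.finditer(r"\b([a-z0-9-]+)\s*\{([^{}]*)\}\s*;", _strip_comments(conf)):
        stmts[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return stmts


def audit_named_conf(conf):
    """Findings for a BIND resolver that should serve only the local SpamAssassin."""
    text = _strip_comments(conf)
    stmts = parse_brace_statements(conf)
    findings = []
    if re.search(r"\brecursion\s+no\s*;", text):
        findings.append("recursion no: DNSBL/URIBL lookups need a recursive resolver")
    if stmts.get("forwarders"):
        findings.append("forwarders set: lookups leave from the upstream resolver's IP "
                        "and share its URIBL/DNSBL rate limit")
    for name in ACL_STATEMENTS:
        if "any" in [e.lower() for e in stmts.get(name, [])]:
            findings.append(f"{name} contains 'any': open recursive resolver, "
                            "usable for reflection/amplification")
    if "allow-recursion" not in stmts:
        findings.append("allow-recursion not set explicitly: pin it to localhost "
                        "rather than relying on defaults")
    listen = [e.lower() for e in stmts.get("listen-on", [])]
    if not listen or "any" in listen:
        findings.append("listen-on not restricted: bind to 127.0.0.1 when only "
                        "the local mail server needs the resolver")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for finding in audit_named_conf(conf) or ["no findings"]:
            print("  -", finding)
```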


Re: training bayes database

2018-05-10 Thread Reio Remma

On 10.05.18 15:08, David Jones wrote:

On 05/10/2018 07:02 AM, Reio Remma wrote:

On 10.05.18 14:58, Matus UHLAR - fantomas wrote:

Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
i guess my dns is set to use my isp's dns server.  do i need to 
set up dns relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain so 
i should qualify for the free lookup?



On 09/05/18 20:43, David Jones wrote:
Yes.  Set up BIND, unbound, or pdns_recursor on your SA server that 
is not forwarding to another DNS server then set your 
/etc/resolv.conf or SA dns_server to 127.0.0.1.  This will make 
your DNS queries isolated from your IP to stay under their daily 
limit.


Keep in mind that if your SA box is behind NAT that is not 
dedicated to your server then other DNS queries could get combined 
with your shared public IP.  This is not likely since others are 
not going to query RBL/URIBL servers but it's possible.  If your 
SA server is directly on the Internet as an edge mail gateway then 
this won't be a problem.




On 10.05.18 12:15, Matthew Broadhead wrote:
i already had bind handling my dns.  i just had to add to 
/etc/named.conf


allow-query-cache {localhost; any;};


NO!
This way everyone is allowed to use your server as a recursive DNS.

only allow "localhost;"; it defines all IPv4 and IPv6 addresses on your 
system.


It's also better to define allow-recursion instead.
While it means something different, they both have the same defaults, but
allow-recursion has a clearer meaning.


recursion yes;


not needed by default.


and to /etc/resolv.conf

nameserver 127.0.0.1

i cannot believe that is not the default.  i always assumed my dns 
was working correctly.


It's not the default to have a DNS server on your system. And it's not 
the default to have localhost in resolv.conf - it may be authoritative-only. 


On a slightly related note. We're running a PFSense firewall with DNS 
Forwarder (dnsmasq) in front of our mail server. From what I've 
gleaned from the net is that it caches as well. Should I still 
install a local (BIND) on the mail server?


Thanks!
Reio


YES!  As I was corrected on this mailing list last year, dnsmasq is 
only a forwarding DNS server so it will cause your queries to be 
lumped into whatever it's forwarding to.  Set up a real recursive DNS 
server local on your mail server since it should have its own 
dedicated NAT or real public IP on your pfSense firewall so your DNS 
queries will be completely isolated. 


There's also the option of DNS Resolver (unbound) on the firewall - 
would that be better?


Reio


Re: training bayes database

2018-05-10 Thread David Jones

On 05/10/2018 07:02 AM, Reio Remma wrote:

On 10.05.18 14:58, Matus UHLAR - fantomas wrote:

Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
i guess my dns is set to use my isp's dns server.  do i need to set 
up dns relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain so i 
should qualify for the free lookup?



On 09/05/18 20:43, David Jones wrote:
Yes.  Set up BIND, unbound, or pdns_recursor on your SA server that 
is not forwarding to another DNS server then set your 
/etc/resolv.conf or SA dns_server to 127.0.0.1.  This will make your 
DNS queries isolated from your IP to stay under their daily limit.


Keep in mind that if your SA box is behind NAT that is not dedicated 
to your server then other DNS queries could get combined with your 
shared public IP.  This is not likely since others are not going to 
query RBL/URIBL servers but it's possible.  If your SA server is 
directly on the Internet as an edge mail gateway then this won't be 
a problem.




On 10.05.18 12:15, Matthew Broadhead wrote:
i already had bind handling my dns.  i just had to add to 
/etc/named.conf


allow-query-cache {localhost; any;};


NO!
This way everyone is allowed to use your server as a recursive DNS.

only allow "localhost;"; it defines all IPv4 and IPv6 addresses on your 
system.


It's also better to define allow-recursion instead.
While it means something different, they both have the same defaults, but
allow-recursion has a clearer meaning.


recursion yes;


not needed by default.


and to /etc/resolv.conf

nameserver 127.0.0.1

i cannot believe that is not the default.  i always assumed my dns 
was working correctly.


It's not the default to have a DNS server on your system. And it's not 
the default to have localhost in resolv.conf - it may be 
authoritative-only. 


On a slightly related note. We're running a PFSense firewall with DNS 
Forwarder (dnsmasq) in front of our mail server. From what I've gleaned 
from the net is that it caches as well. Should I still install a local 
(BIND) on the mail server?


Thanks!
Reio


YES!  As I was corrected on this mailing list last year, dnsmasq is only 
a forwarding DNS server, so it will cause your queries to be lumped into 
whatever it's forwarding to.  Set up a real recursive DNS server locally on 
your mail server; since it should have its own dedicated NAT or real 
public IP on your pfSense firewall, your DNS queries will be 
completely isolated.


--
David Jones


Re: training bayes database

2018-05-10 Thread Reio Remma

On 10.05.18 14:58, Matus UHLAR - fantomas wrote:

Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
i guess my dns is set to use my isp's dns server.  do i need to set 
up dns relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain so i 
should qualify for the free lookup?



On 09/05/18 20:43, David Jones wrote:
Yes.  Set up BIND, unbound, or pdns_recursor on your SA server that 
is not forwarding to another DNS server, then set your 
/etc/resolv.conf or SA dns_server to 127.0.0.1.  This will make your 
DNS queries isolated from your IP to stay under their daily limit.


Keep in mind that if your SA box is behind NAT that is not dedicated 
to your server then other DNS queries could get combined with your 
shared public IP.  This is not likely since others are not going to 
query RBL/URIBL servers but it's possible.  If your SA server is 
directly on the Internet as an edge mail gateway then this won't be 
a problem.




On 10.05.18 12:15, Matthew Broadhead wrote:
i already had bind handling my dns.  i just had to add to 
/etc/named.conf


allow-query-cache {localhost; any;};


NO!
this way everyone is allowed to use your server as recursive DNS.

only allow "localhost;" - it defines all IPv4 and IPv6 addresses on your 
system.


It's also better to define allow-recursion instead.
While it means something different, they both have the same defaults, but
allow-recursion has a clearer meaning.


recursion yes;


not needed by default.


and to /etc/resolv.conf

nameserver 127.0.0.1

i cannot believe that is not the default.  i always assumed my dns 
was working correctly.


It's not the default to have a DNS server on your system. And it's not 
the default to have localhost in resolv.conf - it may be 
authoritative-only. 


On a slightly related note. We're running a PFSense firewall with DNS 
Forwarder (dnsmasq) in front of our mail server. From what I've gleaned 
from the net is that it caches as well. Should I still install a local 
(BIND) on the mail server?


Thanks!
Reio


Re: training bayes database

2018-05-10 Thread Matus UHLAR - fantomas

Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
i guess my dns is set to use my isp's dns server.  do i need to 
set up dns relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain so 
i should qualify for the free lookup?



On 09/05/18 20:43, David Jones wrote:
Yes.  Set up BIND, unbound, or pdns_recursor on your SA server that 
is not forwarding to another DNS server, then set your 
/etc/resolv.conf or SA dns_server to 127.0.0.1.  This will make 
your DNS queries isolated from your IP to stay under their daily 
limit.


Keep in mind that if your SA box is behind NAT that is not 
dedicated to your server then other DNS queries could get combined 
with your shared public IP.  This is not likely since others are 
not going to query RBL/URIBL servers but it's possible.  If your SA 
server is directly on the Internet as an edge mail gateway then 
this won't be a problem.




On 10.05.18 12:15, Matthew Broadhead wrote:

i already had bind handling my dns.  i just had to add to /etc/named.conf

allow-query-cache {localhost; any;};


NO!
this way everyone is allowed to use your server as recursive DNS.

only allow "localhost;" - it defines all IPv4 and IPv6 addresses on your system.

It's also better to define allow-recursion instead.
While it means something different, they both have the same defaults, but
allow-recursion has a clearer meaning.


recursion yes;


not needed by default.


and to /etc/resolv.conf

nameserver 127.0.0.1

i cannot believe that is not the default.  i always assumed my dns 
was working correctly.


It's not the default to have a DNS server on your system. And it's not the default to
have localhost in resolv.conf - it may be authoritative-only.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines. 
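The ACL point above (an `any;` entry in allow-query-cache or allow-recursion makes the server an open recursive resolver) is easy to get wrong and `named-checkconf` only checks syntax, not policy. As an added example that is not part of the thread and not BIND's own tooling, here is a small POSIX shell linter for those two statements, run over two constructed named.conf fragments: the weak one from the thread and a corrected one. The function names, the sample configs and the verdict words are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint the recursion ACLs in a BIND
# named.conf. The thread's point is that
#   allow-query-cache { localhost; any; };
# turns the server into an open recursive resolver, so "any" must not
# appear in allow-query-cache or allow-recursion. Both sample configs
# below are constructed for illustration.

# Print the body of one ACL statement (e.g. allow-recursion) from the
# named.conf text on stdin; prints nothing if the statement is absent.
acl_body() {
    # $1 = statement name; join lines so the braces may span lines
    tr '\n' ' ' | sed -n "s/.*$1[[:space:]]*{\([^}]*\)}.*/\1/p"
}

# Verdict for the named.conf text on stdin:
#   open   - allow-recursion or allow-query-cache lists "any"
#   closed - both statements are absent (BIND 9 then defaults to
#            localnets; localhost) or limited to explicit ACLs
# Exit status is non-zero for "open" so it can gate a deploy script.
audit_named_conf() {
    cfg=$(cat)
    for stmt in allow-recursion allow-query-cache; do
        body=$(printf '%s' "$cfg" | acl_body "$stmt")
        if printf '%s' "$body" | grep -qw 'any'; then
            echo open
            return 1
        fi
    done
    echo closed
    return 0
}

# Constructed: the thread's weak setting.
WEAK_CONF='
options {
    allow-query-cache { localhost; any; };
    recursion yes;
};
'

# Constructed: recursion restricted to the host itself, using
# allow-recursion because its meaning is the clearer of the two.
FIXED_CONF='
options {
    allow-recursion { localhost; };
    allow-query-cache { localhost; };
};
'

# Demo: audit both fragments.
for name in WEAK_CONF FIXED_CONF; do
    eval "c=\$$name"
    printf '%-10s %s\n' "$name" "$(printf '%s' "$c" | audit_named_conf)"
done
```

To check a live server, run `audit_named_conf < /etc/named.conf` (or the options include file, since `acl_body` only looks at the text it is given and does not follow `include` statements) after `named-checkconf` has confirmed the file parses.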


Re: Invoice phish

2018-05-10 Thread David Jones

On 05/10/2018 05:16 AM, Rupert Gallagher wrote:


On Thu, May 10, 2018 at 00:54, David B Funk 
> wrote:



 4) Less technical sophistication of the server side filtering VS google


Both Google and Microsoft deliver a product for the masses. They are a 
McDonald's after all: you get the quality that you pay for.


Google rejects messages with either failed dmarc or a banned file type, 
which is good, but also accepts advertisements, because it is *free* 
after all. A relative of mine, who insists on using 
Gmail, spotted authentic messages to her from IRS and pension fund 
buried in thousands of spam.


O365 is a paid-for service in the sense that one pays to receive spam.

2FA helps against intrusions, but I find people annoyed by the 
technology, so they disable it. Hence the hacked accounts with poor 
passwords.


It's not only compromised well-established accounts.  Based on the odd 
domain names I have seen, I am pretty sure that Microsoft allows trials 
of O365 so spammers are signing up and blasting out junk/phishing emails 
until they are discovered.  These spammers can spoof anyone on O365 like 
toysrus.com and the SPF checks will pass.


They really need to enable rate limiting and unusual GeoIP-usage 
detection.  Maybe they need to set up a well-tuned SpamAssassin platform 
internally to properly detect spam and lock compromised/abusive accounts 
quickly.  :)


--
David Jones


Re: Invoice phish

2018-05-10 Thread RW
On Tue, 8 May 2018 16:02:32 -0400
Alex wrote:

> Hi,
> Does anyone have any special techniques for catching these invoice
> phish emails?
> 
> https://pastebin.com/raw/TfvhUu0X


I think this may be worth a try:

uri_detail INSECURE_INVOICE_LINK text =~ /\binvoices?\b/i cleaned=~ /http:/i


It's looking for html links where the tag mentions invoice,
but the link is not secure.

 


Re: Invoice phish

2018-05-10 Thread Rupert Gallagher
On Thu, May 10, 2018 at 00:54, David B Funk  
wrote:

> 4) Less technical sophistication of the server side filtering VS google

Both Google and Microsoft deliver a product for the masses. They are a McDonald's 
after all: you get the quality that you pay for.

Google rejects messages with either failed dmarc or a banned file type, which 
is good, but also accepts advertisements, because it is *free* after all. A 
relative of mine, who insists on using Gmail, spotted authentic messages to her 
from IRS and pension fund buried in thousands of spam.

O365 is a paid-for service in the sense that one pays to receive spam.

2FA helps against intrusions, but I find people annoyed by the technology, so 
they disable it. Hence the hacked accounts with poor passwords.

>

Re: training bayes database

2018-05-10 Thread Matthew Broadhead

On 09/05/18 20:43, David Jones wrote:

On 05/09/2018 01:29 PM, Matthew Broadhead wrote:

On 09/05/18 16:37, Reindl Harald wrote:


Am 09.05.2018 um 16:28 schrieb Matthew Broadhead:
it looks like it is working.  so maybe it is just not flagging or 
moving the spam?

in a different post you showed this status header which *clearly* shows
bayes is working - bayes alone doesn't flag, the total score does, moving
doesn't happen at all on this layer - other software like sieve is
responsible for acting on the headers of a message

quoting URIBL_BLOCKED is a joke - set up a *recursive* *non-forwarding*
nameserver, no dnsmasq or such crap

http://uribl.com/refused.shtml

with your setup you *obviously* exceed rate-limits and have most
DNSBL/URIBL not working and so you can't expect useful results at all

X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
 tests=[AM.WBL=-3, BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25,
 MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5]
 autolearn=ham autolearn_force=no


i followed the guidance at that url and it gave me
[root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query 
Refused. See http://uribl.com/refused.shtml for more information 
[Your DNS IP: 213.171.193.134]"


i guess my dns is set to use my isp's dns server.  do i need to set 
up dns relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain so i 
should qualify for the free lookup?


Yes.  Set up BIND, unbound, or pdns_recursor on your SA server that is 
not forwarding to another DNS server, then set your /etc/resolv.conf or 
SA dns_server to 127.0.0.1.  This will make your DNS queries isolated 
from your IP to stay under their daily limit.


Keep in mind that if your SA box is behind NAT that is not dedicated 
to your server then other DNS queries could get combined with your 
shared public IP.  This is not likely since others are not going to 
query RBL/URIBL servers but it's possible.  If your SA server is 
directly on the Internet as an edge mail gateway then this won't be a 
problem.



i already had bind handling my dns.  i just had to add to /etc/named.conf

allow-query-cache {localhost; any;};
recursion yes;

and to /etc/resolv.conf

nameserver 127.0.0.1

i cannot believe that is not the default.  i always assumed my dns was 
working correctly.
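The thread's diagnosis runs in two steps: query URIBL's sentinel name `2.0.0.127.multi.uribl.com` for TXT and look for the "Query Refused" text, then confirm that `/etc/resolv.conf` points at a recursor on the box itself rather than at the ISP or a forwarder. As an added example that is not from the thread, the POSIX shell below turns both steps into functions that can be fed captured output offline. The sample answers are constructed (192.0.2.10 and 198.51.100.53 are documentation addresses standing in for real ones); the function names and verdict words are this example's own. One caveat the thread does not mention is handled explicitly: a `nameserver 127.0.0.53` line is the systemd-resolved stub, which forwards upstream, so it is not a local recursor even though it is a loopback address.

```shell
#!/bin/sh
# Added example (not from the thread): classify the URIBL sentinel answer
# and the first resolver in resolv.conf. Sample inputs are constructed.

# Read `host -t TXT 2.0.0.127.multi.uribl.com` output on stdin and print:
#   refused <ip>  the resolver's public IP is over URIBL's free-use limit
#                 or is a shared/ISP resolver; URIBL_BLOCKED will fire
#   nxdomain      no record came back (connectivity or DNS problem)
#   answered      a TXT answer without the refusal text
uribl_verdict() {
    out=$(cat)
    case $out in
        *"Query Refused"*)
            ip=$(printf '%s\n' "$out" | sed -n 's/.*Your DNS IP: \([^]]*\)].*/\1/p')
            echo "refused ${ip:-unknown}" ;;
        *NXDOMAIN*|"")
            echo nxdomain ;;
        *)
            echo answered ;;
    esac
}

# Read resolv.conf text on stdin and classify the first nameserver line:
#   local   a recursor on this host (BIND, unbound, pdns_recursor)
#   stub    127.0.0.53, the systemd-resolved stub, which forwards upstream
#   remote  an ISP or forwarding resolver whose public IP is shared
#   none    no nameserver line at all
resolver_kind() {
    first=$(sed -n 's/^[[:space:]]*nameserver[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
    case $first in
        "")          echo none ;;
        127.0.0.53)  echo stub ;;
        127.*|::1)   echo local ;;
        *)           echo remote ;;
    esac
}

# Constructed: the refusal a forwarding setup produces (documentation IP).
REFUSED_ANSWER='2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 192.0.2.10]"'
# Constructed: what `host` prints when no record comes back.
NX_ANSWER='Host 2.0.0.127.multi.uribl.com not found: 3(NXDOMAIN)'
# Constructed resolv.conf contents.
RESOLV_ISP='nameserver 198.51.100.53'
RESOLV_LOCAL='nameserver 127.0.0.1'

# Demo over the constructed inputs.
printf '%s\n' "$REFUSED_ANSWER" | uribl_verdict     # refused 192.0.2.10
printf '%s\n' "$NX_ANSWER"      | uribl_verdict     # nxdomain
printf '%s\n' "$RESOLV_ISP"     | resolver_kind     # remote
printf '%s\n' "$RESOLV_LOCAL"   | resolver_kind     # local

# Live check against the real sentinel (needs network):
#   host -t TXT 2.0.0.127.multi.uribl.com 2>&1 | uribl_verdict
#   resolver_kind < /etc/resolv.conf
```

If `resolver_kind` reports `local` but `uribl_verdict` still reports `refused`, the recursor itself is forwarding (check for a `forwarders` block in named.conf or `forward-zone` in unbound.conf), which is exactly the dnsmasq situation David Jones warned about.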