Re: Whitelisting and Expedia/Orbitz
clueless newbie troll, Microsoft's own attempt at SPF did allow checking in "from"

On Sat, May 21, 2016 at 2:50 AM, Reindl Harald wrote:
> On 20.05.2016 at 19:25 Vincent Fox wrote:
>> SPF is only about envelopes?
>
> yes
>
>> Unless you are Microsoft, who check against the From in the header.
>
> nonsense
>
> you likely confuse DMARC with SPF
>
>> From: Reindl Harald
>> Sent: Friday, May 20, 2016 10:23:45 AM
>> To: users@spamassassin.apache.org
>> Subject: Re: Whitelisting and Expedia/Orbitz
>>
>> On 20.05.2016 at 19:03 Alex wrote:
>>> Is it necessary to use the Envelope-From address when whitelisting
>>> with whitelist_from_spf? The docs are unclear as to whether I can just
>>> use the regular From address, which would be easier for me
>>
>> SPF is by definition only about envelopes
>> however, just use whitelist_auth -> RTFM
Re: SA cannot block messages with attached zip
On Fri, 20 May 2016 17:47:09 -0500 (CDT) David B Funk wrote:
>> We do it the hard way. We list the contents of attached archives
>> (using "lsar") and have filename-extension rules that block .js
>> inside .zip files. While this can lead to some FPs, which we handle
>> with selective whitelisting, it's very effective at catching the
>> latest crop of cryptolocker-style attacks.
> But isn't this exactly what the "foxhole_all.cdb"
> signatures do? (or am I missing something?).

Yes, mostly. The advantage of lsar is that it can look inside all kinds of weird archive formats (zip, zoo, rar, tar, tar.gz, etc.) While most malware uses zip, we've seen the occasional one using a different container file format.

Regards,

Dianne.
Re: Whitelisting and Expedia/Orbitz
On 20.05.2016 at 19:25 Vincent Fox wrote:
> SPF is only about envelopes?

yes

> Unless you are Microsoft, who check against the From in the header.

nonsense

you likely confuse DMARC with SPF

> From: Reindl Harald
> Sent: Friday, May 20, 2016 10:23:45 AM
> To: users@spamassassin.apache.org
> Subject: Re: Whitelisting and Expedia/Orbitz
>
> On 20.05.2016 at 19:03 Alex wrote:
>> Is it necessary to use the Envelope-From address when whitelisting
>> with whitelist_from_spf? The docs are unclear as to whether I can just
>> use the regular From address, which would be easier for me
>
> SPF is by definition only about envelopes
> however, just use whitelist_auth -> RTFM
Re: Whitelisting and Expedia/Orbitz
On 2016-05-20 19:03, Alex wrote:
> Is it necessary to use the Envelope-From address when whitelisting
> with whitelist_from_spf? The docs are unclear as to whether I can just
> use the regular From address, which would be easier for me.

use opendkim for this test, and if you have Sender-ID on your own domain remove it

> Apparently using the regular From address appears to not be considered,
> however. Perhaps I should just use DKIM.

yes use dkim

> whitelist_from_spf expe...@th.expediamail.com
> vs
> X-Envelope-From:

postfix use Return-Path header, did you tell spamassassin that ?

> <32949091100a5e25d46b116-8cc28206-26f1-487a-839f-8e47b68f9...@mg.expediamail.com>
> or *@mg.expediamail.com

irrelevant for dkim and spf

> I've added a few rules that score bulk mail higher, but this is one that
> needs to go through. My thinking is that I'll score much of the regular
> junk higher, then whitelist with SPF the ones that need to go through
> (a la David B Funk approach).

this is unrelated to dkim/spf/dmarc
Re: SA cannot block messages with attached zip
On Fri, 20 May 2016, Dianne Skoll wrote:
> On Fri, 20 May 2016 09:31:48 +0300
> Emin Akbulut wrote:
>> What do you suggest to fight these spams?
>
> ClamAV is basically useless.
>
> We do it the hard way. We list the contents of attached archives
> (using "lsar") and have filename-extension rules that block .js
> inside .zip files. While this can lead to some FPs, which we handle
> with selective whitelisting, it's very effective at catching the
> latest crop of cryptolocker-style attacks.

But isn't this exactly what the "foxhole_all.cdb" (http://sanesecurity.com/foxhole-databases/) signatures do? (or am I missing something?).

I see that they have a "high" risk of FPs but if you are using them as a scoring component within SA you should be able to "temper" those results with other SA rules such as selective use of whitelist_auth.

--
Dave Funk
University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center, Iowa City, IA 52242-1527
Sys_admin/Postmaster/cell_admin
#include
Better is not better, 'standard' is better. B{
Re: Whitelisting and Expedia/Orbitz
Sender-ID is not SPF

On 20 May 2016 19:28:11 Vincent Fox wrote:
> SPF is only about envelopes?
>
> Unless you are Microsoft, who check against the From in the header.
>
> From: Reindl Harald
> Sent: Friday, May 20, 2016 10:23:45 AM
> To: users@spamassassin.apache.org
> Subject: Re: Whitelisting and Expedia/Orbitz
>
> On 20.05.2016 at 19:03 Alex wrote:
>> Is it necessary to use the Envelope-From address when whitelisting
>> with whitelist_from_spf? The docs are unclear as to whether I can just
>> use the regular From address, which would be easier for me
>
> SPF is by definition only about envelopes
> however, just use whitelist_auth -> RTFM
Re: Whitelisting and Expedia/Orbitz
SPF is only about envelopes?

Unless you are Microsoft, who check against the From in the header.

From: Reindl Harald
Sent: Friday, May 20, 2016 10:23:45 AM
To: users@spamassassin.apache.org
Subject: Re: Whitelisting and Expedia/Orbitz

On 20.05.2016 at 19:03 Alex wrote:
> Is it necessary to use the Envelope-From address when whitelisting
> with whitelist_from_spf? The docs are unclear as to whether I can just
> use the regular From address, which would be easier for me

SPF is by definition only about envelopes
however, just use whitelist_auth -> RTFM
Re: Whitelisting and Expedia/Orbitz
On 20.05.2016 at 19:03 Alex wrote:
> Is it necessary to use the Envelope-From address when whitelisting
> with whitelist_from_spf? The docs are unclear as to whether I can just
> use the regular From address, which would be easier for me

SPF is by definition only about envelopes
however, just use whitelist_auth -> RTFM
Whitelisting and Expedia/Orbitz
Hi,

Is it necessary to use the Envelope-From address when whitelisting with whitelist_from_spf? The docs are unclear as to whether I can just use the regular From address, which would be easier for me.

Apparently using the regular From address appears to not be considered, however. Perhaps I should just use DKIM.

whitelist_from_spf expe...@th.expediamail.com

vs

X-Envelope-From: <32949091100a5e25d46b116-8cc28206-26f1-487a-839f-8e47b68f9...@mg.expediamail.com>
or *@mg.expediamail.com

I've added a few rules that score bulk mail higher, but this is one that needs to go through. My thinking is that I'll score much of the regular junk higher, then whitelist with SPF the ones that need to go through (a la David B Funk approach).

Thanks,
Alex
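The distinction the replies in this thread draw (SPF authenticates the envelope sender, so an SPF-based whitelist pattern is compared with Return-Path; DKIM ties the signature's d= domain to the header From), shown as an added example. This is not code from the thread or from SpamAssassin: it parses a constructed message that mirrors the th./mg. subdomain split Alex shows, using example.com domains and made-up addresses, and reports which identifier a given pattern would match. The "last two labels" organizational-domain rule is a simplification of DMARC's Public Suffix List lookup.

```python
"""Which identifier does an SPF-based vs a DKIM-based whitelist compare?

Added example, not part of the thread or of SpamAssassin. Domains, addresses
and the DKIM-Signature values are constructed; the org-domain rule is naive.
"""
import email
import fnmatch
import re
from email.utils import parseaddr

# Constructed message: envelope sender under mg.example.com, header From under
# th.example.com, DKIM signed by the parent domain. Signature values are dummies.
SAMPLE_MSG = b"""\
Return-Path: <bounce-4711@mg.example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=k1;
\th=from:to:subject; bh=AAAA; b=BBBB
From: "Travel Deals" <deals@th.example.com>
To: alex@example.org
Subject: Your itinerary

(constructed body)
"""


def envelope_sender(msg):
    """SPF is evaluated on the SMTP MAIL FROM. After delivery that identity
    survives only as Return-Path (or X-Envelope-From, if the MTA adds it)."""
    for header in ("Return-Path", "X-Envelope-From"):
        value = msg.get(header)
        if value:
            return parseaddr(value)[1].lower()
    return ""


def header_from(msg):
    """The RFC 5322 From address, which is what the user sees and what DKIM
    and DMARC alignment are judged against."""
    return parseaddr(msg.get("From", ""))[1].lower()


def pattern_matches(pattern, address):
    """whitelist_* patterns are '*'/'?' globs, matched case-insensitively."""
    return fnmatch.fnmatchcase(address, pattern.lower())


def dkim_signing_domain(msg):
    """The d= tag of DKIM-Signature: the domain that vouches for the message."""
    sig = msg.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def org_domain(domain):
    """Naive organizational domain (last two labels). Assumption for this
    example; real DMARC uses the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.split(".")[-2:])


def explain(raw, spf_pattern):
    """Report what an SPF-style pattern would match and whether the DKIM
    signing domain is relaxed-aligned with the header From."""
    msg = email.message_from_bytes(raw)
    env, frm = envelope_sender(msg), header_from(msg)
    d = dkim_signing_domain(msg)
    from_domain = frm.split("@", 1)[1]
    return {
        "envelope_sender": env,
        "header_from": frm,
        "spf_pattern_matches_envelope": pattern_matches(spf_pattern, env),
        "spf_pattern_matches_header_from": pattern_matches(spf_pattern, frm),
        "dkim_signing_domain": d,
        "dkim_aligned_with_from": d is not None
        and org_domain(d) == org_domain(from_domain),
    }


if __name__ == "__main__":
    for pattern in ("deals@th.example.com", "*@mg.example.com"):
        print(pattern, explain(SAMPLE_MSG, pattern))
```

A pattern written from the visible From address matches the header but not the envelope, which is exactly the mismatch Alex observed with whitelist_from_spf; a wildcard on the bounce subdomain matches the envelope, and the DKIM signing domain is aligned with the From domain, which is the identity a DKIM-based whitelist entry (what whitelist_auth adds) can use.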
Re: SA cannot block messages with attached zip
+1

Yesterday, 6% of our mail flow was rejected by Foxhole.Zip family. They are #1 on our list about 50% of the time for weeks now. I got a commendation last week for prevention work, so rare in email adminning. Security team would be swimming in overtime if it weren't for foxhole_js in particular. We use all 4 of them now.

Foxhole_all hasn't been a FP problem for us either, despite it being labelled high risk. We had ONE professor who couldn't email around some software, told them to use box.com instead for sharing and problem solved.

From: Rick Macdougall
Sent: Friday, May 20, 2016 7:50:46 AM
To: users@spamassassin.apache.org
Subject: Re: SA cannot block messages with attached zip

On 2016-05-20 10:36 AM, Paul Stead wrote:
> Second, the foxhole_js database is what you're looking for
>
> Paul
>
> On 20/05/16 13:11, Reindl Harald wrote:
>> On 20.05.2016 at 13:07 Dianne Skoll wrote:
>>> On Fri, 20 May 2016 09:31:48 +0300
>>> Emin Akbulut wrote:
>>>> What do you suggest to fight these spams?
>>>
>>> ClamAV is basically useless
>>
>> no it is not, look at the sanesecurity foxhole signatures
>> http://sanesecurity.com/usage/signatures/

Thirded,

Statistics since: 19 April 2016 04:02:15
Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]

Top 10 Viruses in the last 24 hours
Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL        7860
Sanesecurity.Junk.52698.UNOFFICIAL               2798
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL        1925
Sanesecurity.Malware.26201.JsHeur.UNOFFICIAL     1626
Sanesecurity.Jurlbl.Auto.b6c4d3.UNOFFICIAL        649
Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL     623
Sanesecurity.Jurlbl.Auto.87287f.UNOFFICIAL        414
winnow.spam.ts.xmailer.2.UNOFFICIAL               341
Sanesecurity.Jurlbl.Auto.a33ccf.UNOFFICIAL        283
Sanesecurity.Jurlbl.Auto.aaeaca.UNOFFICIAL        157

Regards,

Rick
Re: SA cannot block messages with attached zip
On 20.05.2016 at 17:29 Chip M. wrote:
> P.S. As of about 1700 UTC yesterday, I'm seeing significant volume of
> zipped macro-encrusted "doc" files

/etc/clamd.d/scan.conf:

ScanOLE2 yes
OLE2BlockMacros yes
Re: SA cannot block messages with attached zip
At 04:07 AM 5/20/2016, RoaringPenguin wrote:
> filename-extension rules that block .js
> inside .zip files.

+1

We also block these scripting related Windows extensions:
.hta
.jse
.vbs
.wsf

Those were originally "pre-emptive", however I've now seen both ".hta" and ".jse" in the wild (low volume).

*** Question: Are there any other Windows (or Mac) scripting file extensions?

As an extra layer of defense, we also do content scanning within all zipped files for terms including (among MANY others):
activexobject
base64_decode
createobject
eval
fromcharcode
savetofile
shell
unescape
wscript

All hits are weighted, and some can be skip-listed. Plus I recently wrote some "secret sauce" Code that looks for javascript obfuscations. :)

We've had a very low FP rate on the above, and haven't had any noticeable user pushback. There have been enough high profile infections (at least two hospitals), that most end users have been grateful and understanding.

> Doing it properly requires a non-trivial amount of coding.

Yes, however it's VERY satisfying Coding. :)

- "Chip"

P.S. As of about 1700 UTC yesterday, I'm seeing significant volume of zipped macro-encrusted "doc" files.
re: exploitable LinkedIn forwarder/whatever
Thanks Andreas! :)

Wednesday am, after re-checking that the specific spam URL was still forwarding to the spam payload destination, I emailed that role account... and to my (VERY pleasant) shock, received an auto-reply which did NOT direct me to an unusable web form (i.e. the Google model of preventing reports). Three hours later, I re-checked the original URL, and it no longer was forwarding. :)

I don't know if they did anything to the actual forwarder, but at least I know it's NOT a waste of time to send reports. :) I will definitely submit directly, in future.

And now, the bad news:

1. The original destination was just the first hop in a forwarding chain, with a total of six (6) hops. :( That should have been trivially easy to detect, automatically. The first Location feels rather brazen (i.e. an obvious redirect). My gut feeling is that the spammer may have been testing LinkedIn's defenses.

2. The original spam was submitted to SpamCop, which printed (in red):
"ISP does not wish to receive reports regarding http://www.linkedin.com/slink - no date available"

As a precaution, I'm now outright killing "linkedin.com/slink".

I'm particularly annoyed at this forwarder, because LI has a Shortener service. If the spammer had been restricted to using a Shortener, my system would have caught it easily (technically that spam was blocked, but just barely).

*** Question: Are there any good public lists of, um, "weakly defended" forwarders/redirectors?

One of the reasons I posted that spample, is that it is an excellent example of a terse spam exploiting only well known services. This pattern recurs regularly, though always at low volumes. We educate our users to be cautious with unknown URLs, but I wouldn't blame any non-techie who succumbed to the double-whammy of a URL with a very familiar domain sent from the cracked account of a bona fide friend. :(

- "Chip"
Re: SA cannot block messages with attached zip
On 20.05.2016 at 17:11 Rick Macdougall wrote:
> On 2016-05-20 11:00 AM, Reindl Harald wrote:
>> On 20.05.2016 at 16:50 Rick Macdougall wrote:
>>> On 2016-05-20 10:36 AM, Paul Stead wrote:
>>>> Second, the foxhole_js database is what you're looking for
>>>>
>>>> Paul
>>>>
>>>> On 20/05/16 13:11, Reindl Harald wrote:
>>>>> On 20.05.2016 at 13:07 Dianne Skoll wrote:
>>>>>> On Fri, 20 May 2016 09:31:48 +0300
>>>>>> Emin Akbulut wrote:
>>>>>>> What do you suggest to fight these spams?
>>>>>>
>>>>>> ClamAV is basically useless
>>>>>
>>>>> no it is not, look at the sanesecurity foxhole signatures
>>>>> http://sanesecurity.com/usage/signatures/
>>>
>>> Thirded,
>>>
>>> Statistics since: 19 April 2016 04:02:15
>>> Total Viruses stopped: [ 271764 ]
>>> Total Unique Viruses: [ 2242 ]
>>> Viruses stopped in the last 24 hours: [ 20118 ]
>>
>> how and why do get that much crap to that stage on the inbound server?
>>
>> 2 days ago we had a peak of 45 junk attempts which is 10 times higher
>> than on normal days and nothing measurable made it to smtpd, not
>> talking about contentfilters at all
>>
>> hence the virtual machine running the inbound MX still on 100-250 MHz
>
> Inbound servers, 6 of them.
>
> We are an ISP with 10s of thousands accounts, plus content filtering
> for many other commercial domains

well, the domain in the last flood had 12 accounts

the point is that valid accounts, even freemail, can't spread that amount of spam and all the bots are listed on enough blacklists to make a foolproof score-based reject while most of them anyways don't survive pregreet-tests and the rest just hangs up after 10-11 seconds and don't survive "postscreen_greet_wait = ${stress?2}${stress:12}s" which means a client ip has to wait once a week here 12 seconds to make it to smtpd

that all plays far far away from content-scanning and between that and the content-scanners are conditional greylistings, honeypot-backup-mx always responding with 450 and helo/ptr-checks combined with a spf-policyd

then comes spamassassin rejecting the surviving piece mostly if it contains malware or not and at the very end of the chain comes clamav-milter facing mostly ham and very few real remaining junk/malware
Re: SA cannot block messages with attached zip
On 2016-05-20 11:00 AM, Reindl Harald wrote:
> On 20.05.2016 at 16:50 Rick Macdougall wrote:
>> On 2016-05-20 10:36 AM, Paul Stead wrote:
>>> Second, the foxhole_js database is what you're looking for
>>>
>>> Paul
>>>
>>> On 20/05/16 13:11, Reindl Harald wrote:
>>>> On 20.05.2016 at 13:07 Dianne Skoll wrote:
>>>>> On Fri, 20 May 2016 09:31:48 +0300
>>>>> Emin Akbulut wrote:
>>>>>> What do you suggest to fight these spams?
>>>>>
>>>>> ClamAV is basically useless
>>>>
>>>> no it is not, look at the sanesecurity foxhole signatures
>>>> http://sanesecurity.com/usage/signatures/
>>
>> Thirded,
>>
>> Statistics since: 19 April 2016 04:02:15
>> Total Viruses stopped: [ 271764 ]
>> Total Unique Viruses: [ 2242 ]
>> Viruses stopped in the last 24 hours: [ 20118 ]
>
> how and why do get that much crap to that stage on the inbound server?
>
> 2 days ago we had a peak of 45 junk attempts which is 10 times higher
> than on normal days and nothing measurable made it to smtpd, not
> talking about contentfilters at all
>
> hence the virtual machine running the inbound MX still on 100-250 MHz

Hi,

Inbound servers, 6 of them. We are an ISP with 10s of thousands accounts, plus content filtering for many other commercial domains.

Regards,

Rick
Re: SA cannot block messages with attached zip
On Fri, 20 May 2016 15:00:55 + David Jones wrote:
>> From: Dianne Skoll
>> ClamAV is basically useless.
> ClamAV helps a little with the unofficial signatures.

The operative word here is "a little". I find that the unofficial signatures that are good at actually catching bad stuff have extremely high FP rates, while the less-aggressive unofficial signatures don't catch that much.

> The best thing to do is block as much as you can at the MTA
> level with Postscreen and RBL weights like Reindl posted,
> greylisting, SMTP helo checks, etc.

That's a fine solution for spam, but not for malware that can end up costing you or your customer huge amounts of money. You absolutely must use a content-scanning technique to block the malware, though of course the comparatively-cheap up-front tests can reduce the flow substantially.

Regards,

Dianne.
Re: SA cannot block messages with attached zip
> From: Dianne Skoll
> Sent: Friday, May 20, 2016 6:07 AM
> To: users@spamassassin.apache.org
> Subject: Re: SA cannot block messages with attached zip
>
> On Fri, 20 May 2016 09:31:48 +0300
> Emin Akbulut wrote:
>> What do you suggest to fight these spams?
>
> ClamAV is basically useless.

ClamAV helps a little with the unofficial signatures.
http://sanesecurity.com/usage/signatures/

> We do it the hard way. We list the contents of attached archives
> (using "lsar") and have filename-extension rules that block .js
> inside .zip files. While this can lead to some FPs, which we handle
> with selective whitelisting, it's very effective at catching the
> latest crop of cryptolocker-style attacks.
>
> Sorry for the non-easy answer. Doing it properly requires a non-trivial
> amount of coding.

MailScanner can do this.
https://efa-project.org/

The best thing to do is block as much as you can at the MTA level with Postscreen and RBL weights like Reindl posted, greylisting, SMTP helo checks, etc.
http://multirbl.valli.org/lookup/213.252.170.66.html

The invaluement RBL subscription is not that expensive and will pay for itself pretty quickly. This and Spamhaus together block a lot of bad stuff at the MTA level long before SA has to see it and I have never had to deal with a false positive on these in years.
Re: SA cannot block messages with attached zip
On 20.05.2016 at 16:50 Rick Macdougall wrote:
> On 2016-05-20 10:36 AM, Paul Stead wrote:
>> Second, the foxhole_js database is what you're looking for
>>
>> Paul
>>
>> On 20/05/16 13:11, Reindl Harald wrote:
>>> On 20.05.2016 at 13:07 Dianne Skoll wrote:
>>>> On Fri, 20 May 2016 09:31:48 +0300
>>>> Emin Akbulut wrote:
>>>>> What do you suggest to fight these spams?
>>>>
>>>> ClamAV is basically useless
>>>
>>> no it is not, look at the sanesecurity foxhole signatures
>>> http://sanesecurity.com/usage/signatures/
>
> Thirded,
>
> Statistics since: 19 April 2016 04:02:15
> Total Viruses stopped: [ 271764 ]
> Total Unique Viruses: [ 2242 ]
> Viruses stopped in the last 24 hours: [ 20118 ]

how and why do get that much crap to that stage on the inbound server?

2 days ago we had a peak of 45 junk attempts which is 10 times higher than on normal days and nothing measurable made it to smtpd, not talking about contentfilters at all

hence the virtual machine running the inbound MX still on 100-250 MHz
Re: SA cannot block messages with attached zip
On 2016-05-20 10:36 AM, Paul Stead wrote:
> Second, the foxhole_js database is what you're looking for
>
> Paul
>
> On 20/05/16 13:11, Reindl Harald wrote:
>> On 20.05.2016 at 13:07 Dianne Skoll wrote:
>>> On Fri, 20 May 2016 09:31:48 +0300
>>> Emin Akbulut wrote:
>>>> What do you suggest to fight these spams?
>>>
>>> ClamAV is basically useless
>>
>> no it is not, look at the sanesecurity foxhole signatures
>> http://sanesecurity.com/usage/signatures/

Thirded,

Statistics since: 19 April 2016 04:02:15
Total Viruses stopped: [ 271764 ]
Total Unique Viruses: [ 2242 ]
Viruses stopped in the last 24 hours: [ 20118 ]

Top 10 Viruses in the last 24 hours
Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL        7860
Sanesecurity.Junk.52698.UNOFFICIAL               2798
Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL        1925
Sanesecurity.Malware.26201.JsHeur.UNOFFICIAL     1626
Sanesecurity.Jurlbl.Auto.b6c4d3.UNOFFICIAL        649
Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL     623
Sanesecurity.Jurlbl.Auto.87287f.UNOFFICIAL        414
winnow.spam.ts.xmailer.2.UNOFFICIAL               341
Sanesecurity.Jurlbl.Auto.a33ccf.UNOFFICIAL        283
Sanesecurity.Jurlbl.Auto.aaeaca.UNOFFICIAL        157

Regards,

Rick
Re: SA cannot block messages with attached zip
Second, the foxhole_js database is what you're looking for

Paul

On 20/05/16 13:11, Reindl Harald wrote:
> On 20.05.2016 at 13:07 Dianne Skoll wrote:
>> On Fri, 20 May 2016 09:31:48 +0300
>> Emin Akbulut wrote:
>>> What do you suggest to fight these spams?
>>
>> ClamAV is basically useless
>
> no it is not, look at the sanesecurity foxhole signatures
> http://sanesecurity.com/usage/signatures/

--
Paul Stead
Systems Engineer
Zen Internet
Re: SA cannot block messages with attached zip
On 20.05.2016 at 16:20 Kris Deugau wrote:
> Emin Akbulut wrote:
>> I tried to train SA with tons of spam messages which contains zip file
>> (includes .js)
>> The max spam score was lesser than 5 so I did set 4 to delete messages.
>>
>> Then same kind of spam messages appear with the score of lesser than 2.
>>
>> In short; training the SA seems not helpful.
>>
>> What do you suggest to fight these spams?
>
> I've had some luck doing that, but it takes a while

make 10 copies of such a message and change date/message-id header

in fact we have a "spamfilter-retrain /path/to/sample.eml" which creates 5 copies per call in the corpus folder and when something i train not gets BAYES_99 it's called as long as it hits BAYES_99 (except rare cases which you need to ignore and can't train that way)

why should i wait until i get the same crap 10 times from outside?
Re: SA cannot block messages with attached zip
Emin Akbulut wrote:
> I tried to train SA with tons of spam messages which contains zip file
> (includes .js)
> The max spam score was lesser than 5 so I did set 4 to delete messages.
>
> Then same kind of spam messages appear with the score of lesser than 2.
>
> In short; training the SA seems not helpful.
>
> What do you suggest to fight these spams?

I've had some luck doing that, but it takes a while. I've also added some rules that should match on most of these messages:

mimeheader __ZIP_ATTACH_1 Content-Type =~ m{application/(?:x-)?zip(?:-compressed)?; name="[^"]+\.zip"}
mimeheader __ZIP_ATTACH_2 content-type =~ m{application/(?:x-)?zip(?:-compressed)?; name="[^"]+\.zip"}
meta ZIP_ATTACH __ZIP_ATTACH_1 || __ZIP_ATTACH_2
describe ZIP_ATTACH Has .zip attachment
score ZIP_ATTACH 0.001

(Note the different case for "Content-Type"; I found both were needed.)

-kgd
Re: SA cannot block messages with attached zip
I hitched a ride in this thread and I appreciate the tip of the foxhole and clamav! I was also having problems here! solved now.

On 20-05-2016 09:11, Reindl Harald wrote:
> On 20.05.2016 at 13:07 Dianne Skoll wrote:
>> On Fri, 20 May 2016 09:31:48 +0300
>> Emin Akbulut wrote:
>>> What do you suggest to fight these spams?
>>
>> ClamAV is basically useless
>
> no it is not, look at the sanesecurity foxhole signatures
> http://sanesecurity.com/usage/signatures/

--
Rejaine da Silveira Monteiro
Suporte-TI
Tel: (31) 2102-8854
reja...@bhz.jamef.com.br
www.jamef.com.br
Re: SA cannot block messages with attached zip
On 20.05.2016 at 13:07 Dianne Skoll wrote:
> On Fri, 20 May 2016 09:31:48 +0300
> Emin Akbulut wrote:
>> What do you suggest to fight these spams?
>
> ClamAV is basically useless

no it is not, look at the sanesecurity foxhole signatures
http://sanesecurity.com/usage/signatures/
Re: SA cannot block messages with attached zip
On Fri, 20 May 2016 09:31:48 +0300 Emin Akbulut wrote:
> What do you suggest to fight these spams?

ClamAV is basically useless.

We do it the hard way. We list the contents of attached archives (using "lsar") and have filename-extension rules that block .js inside .zip files. While this can lead to some FPs, which we handle with selective whitelisting, it's very effective at catching the latest crop of cryptolocker-style attacks.

Sorry for the non-easy answer. Doing it properly requires a non-trivial amount of coding.

Regards,

Dianne.
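The archive-listing approach Dianne describes, together with the extension list and the term scan Chip M. posted earlier in this thread, as one added example that is not code from any post: it uses Python's zipfile/tarfile in place of lsar, lists every member while recursing into nested archives with a per-member size cap (so a decompression bomb cannot exhaust the scanner), blocks the script extensions named in the thread, and scores member contents against the listed terms. It goes beyond the posts in handling archive-in-archive nesting and tar as well as zip. The extra extensions (.vbe .wsh .ps1 .cmd .bat), the term weights, the threshold and the sample archives are assumptions constructed for the example.

```python
"""Look inside attached archives and flag script payloads.

Added example, not from any post in this thread. Extension additions,
term weights, threshold and sample archives are assumptions.
"""
import io
import os
import re
import tarfile
import zipfile

# .js .jse .vbs .wsf .hta are from the thread; the rest are further Windows
# script/launcher types added here.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                      ".ps1", ".cmd", ".bat"}

# Terms from Chip M.'s list; the weights are assumptions. Note "eval" and
# "shell" are short enough to hit inside ordinary words (retrieval, seashell).
TERM_WEIGHTS = {
    "activexobject": 4, "wscript": 4, "createobject": 3, "savetofile": 3,
    "base64_decode": 2, "fromcharcode": 2, "unescape": 2, "eval": 2, "shell": 2,
}
TERM_RE = re.compile("|".join(re.escape(t) for t in TERM_WEIGHTS))

MAX_MEMBER_BYTES = 2 * 1024 * 1024  # inflate at most this much per member
MAX_DEPTH = 3                       # archive-in-archive nesting limit
BLOCKED_WEIGHT = 10
THRESHOLD = 8


def _members(data, depth=0):
    """Yield (path, content) for each leaf file in a zip or (compressed) tar.
    Data that is not an archive yields nothing."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    content = fh.read(MAX_MEMBER_BYTES + 1)
                yield from _leaf(info.filename, content, depth)
        return
    buf.seek(0)
    try:
        tf = tarfile.open(fileobj=buf, mode="r:*")
    except tarfile.ReadError:
        return
    with tf:
        for info in tf:
            if info.isfile():
                content = tf.extractfile(info).read(MAX_MEMBER_BYTES + 1)
                yield from _leaf(info.name, content, depth)


def _leaf(name, content, depth):
    """Recurse into a member that is itself an archive; otherwise yield it."""
    inner = list(_members(content, depth + 1)) if depth < MAX_DEPTH else []
    if inner:
        for inner_name, inner_content in inner:
            yield f"{name}/{inner_name}", inner_content
    else:
        yield name, content


def inspect_archive(data):
    """Report blocked extensions, weighted term hits and oversized members."""
    report = {"blocked": [], "term_hits": {}, "oversized": [], "score": 0}
    for path, content in _members(data):
        if os.path.splitext(path)[1].lower() in BLOCKED_EXTENSIONS:
            report["blocked"].append(path)
            report["score"] += BLOCKED_WEIGHT
        if len(content) > MAX_MEMBER_BYTES:
            report["oversized"].append(path)  # only the first cap bytes are scanned
        text = content[:MAX_MEMBER_BYTES].decode("latin-1").lower()
        for term in TERM_RE.findall(text):
            report["term_hits"][term] = report["term_hits"].get(term, 0) + 1
            report["score"] += TERM_WEIGHTS[term]
    return report


def verdict(data, threshold=THRESHOLD):
    r = inspect_archive(data)
    return "reject" if r["blocked"] or r["score"] >= threshold else "accept"


def build_sample_zip(members):
    """Constructed test input: {name: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tgz(members):
    """Constructed test input: {name: bytes} -> tar.gz bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Run it over the decoded attachment bytes from your content filter; the report's "blocked" list is the lsar-style extension hit, and the term hits give the weighted layer that catches a .js renamed to something harmless.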
Re: SA cannot block messages with attached zip
On 20.05.2016 at 11:40 @lbutlr wrote:
> On May 20, 2016, at 2:46 AM, Reindl Harald wrote:
>> postscreen_dnsbl_action = enforce
>> postscreen_greet_action = enforce
>> [long list]
>
> What do you set postscreen_dnsbl_threshold to?

8
Re: SA cannot block messages with attached zip
On May 20, 2016, at 2:46 AM, Reindl Harald wrote:
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> [long list]

What do you set postscreen_dnsbl_threshold to?

--
"Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life."
Re: SA cannot block messages with attached zip
On 20.05.2016 at 10:32 Reindl Harald wrote:
> On 20.05.2016 at 08:31 Emin Akbulut wrote:
>> I tried to train SA with tons of spam messages which contains zip file
>> (includes .js)
>> The max spam score was lesser than 5 so I did set 4 to delete messages.
>>
>> Then same kind of spam messages appear with the score of lesser than 2.
>>
>> In short; training the SA seems not helpful.
>>
>> What do you suggest to fight these spams?
>>
>> Raw message:
>> http://pastebin.com/gPREh54L
>
> just get a proper clamav setup
>
> the real good question is why the hell that message does not get bayes
> classified at all here when pipe your download through spamc/spamd
> while other messages are
>
> also a good question is why your header don't contain a single DNSBL
> and if that happens all the time - without blacklists you have no good
> chances for proper reject (for the trolls - YES a FULL SETUP rejects)
> many junk

well, and another good question is why a mail listed on so many blacklists makes it to your content filter at all

get a proper MTA setup (containing a local dns-resolver doing recursion and NOT forwarding) and your inbound MX runs with zero load most of the time, facing a spam attack the last two days on a domain previously had 1 valid rcpt triggering 150 rejects per minute and much more not pass the 12 seconds pregreet-phase, 100 MHz load on the VM running postfix/spamassassin/clamav just because nothing of this crap makes it to a smtpd process

postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
  dnsbl.sorbs.net=127.0.0.10*9
  dnsbl.sorbs.net=127.0.0.14*9
  zen.spamhaus.org=127.0.0.[10;11]*8
  dnsbl.sorbs.net=127.0.0.5*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  b.barracudacentral.org=127.0.0.2*7
  zen.spamhaus.org=127.0.0.3*7
  dnsbl.inps.de=127.0.0.2*7
  dnsbl.sorbs.net=127.0.0.7*4
  hostkarma.junkemailfilter.com=127.0.0.2*4
  bl.spamcop.net=127.0.0.2*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  ix.dnsbl.manitu.net=127.0.0.2*4
  psbl.surriel.com=127.0.0.2*4
  bl.mailspike.net=127.0.0.[10;11;12]*4
  bl.mailspike.net=127.0.0.2*4
  bl.spamcannibal.org=127.0.0.2*3
  zen.spamhaus.org=127.0.0.2*3
  score.senderscore.com=127.0.4.[0..20]*3
  dnsbl.sorbs.net=127.0.0.6*3
  dnsbl.sorbs.net=127.0.0.8*2
  hostkarma.junkemailfilter.com=127.0.0.4*2
  dnsbl.sorbs.net=127.0.0.9*2
  dnsbl-1.uceprotect.net=127.0.0.2*2
  all.spamrats.com=127.0.0.38*2
  bl.nszones.com=127.0.0.[2;3]*1
  dnsbl-2.uceprotect.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.4*1
  score.senderscore.com=127.0.4.[0..69]*1
  dnsbl.sorbs.net=127.0.0.3*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  dnsbl.sorbs.net=127.0.0.15*1
  ips.backscatterer.org=127.0.0.2*1
  bl.nszones.com=127.0.0.5*-1
  score.senderscore.com=127.0.4.[90..100]*-1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  ips.whitelisted.org=127.0.0.2*-2
  list.dnswl.org=127.0.[0..255].0*-2
  dnswl.inps.de=127.0.[0;1].[2..10]*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5

> X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,RDNS_NONE
>         autolearn=no autolearn_force=no version=3.4.1
>
> _
>
> /var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL FOUND
> /var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
>
> --- VIRUS-SCAN SUMMARY ---
> Infected files: 1
> Time: 0.005 sec (0 m 0 s)
>
> Content analysis details: (37.6 points, 5.5 required)
>
>  pts rule name                   description
> ---- --------------------------- --------------------------------------------------
>  4.5 CUST_DNSBL_10_SORBS_WEB     RBL: dnsbl.sorbs.net (web.dnsbl.sorbs.net)
>                                  [213.252.170.66 listed in dnsbl.sorbs.net]
>  0.5 CUST_DNSBL_33_SORBS_VIRUS   RBL: dnsbl.sorbs.net (virus.dnsbl.sorbs.net)
>  1.5 CUST_DNSBL_20_SORBS_SPAM    RBL: dnsbl.sorbs.net (spam.dnsbl.sorbs.net)
>  0.1 CUST_DNSBL_34_BACKSCATTER   RBL: dnsbl-backscatterer.thelounge.net (ips.backscatterer.org)
>                                  [213.252.170.66 listed in dnsbl-backscatterer.thelounge.net]
>  3.5 CUST_DNSBL_11_JEF_BLACK     RBL: hostkarma.junkemailfilter.com
>                                  [213.252.170.66 listed in hostkarma.junkemailfilter.com]
>  1.0 CUST_DNSBL_24_UCE1          RBL: dnsbl-uce.thelounge.net (dnsbl-1.uceprotect.net)
>                                  [213.252.170.66 listed in dnsbl-uce.thelounge.net]
>  2.5 CUST_DNSBL_16_PSBL          RBL: dnsbl-surriel.thelounge.net (psbl.surriel.com)
>                                  [213.252.170.66 listed in dnsbl-surriel.thelounge.net]
>  2.5 CUST_DNSBL_12_SPAMCOP       RBL: bl.spamcop.net
>                                  [213.252.170.66 listed in bl.spamcop.net]
>  3.0 RCVD_IN_MSPIKE_L5           RBL: Very bad reputation (-5)
>                                  [213.252.170.66 listed in bl.mailspike.ne
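The postscreen_dnsbl_sites list above, evaluated offline as an added example that is not Postfix code and not from any post in the thread. It parses the documented domain=filter*weight syntax (each filter octet is a number or a bracketed list of numbers and lo..hi ranges, a missing filter matches any reply, a missing weight counts 1), applies it to DNSBL replies supplied by the caller, and sums the weights against the threshold of 8 that Reindl states. The DNSBL replies are constructed, nothing is resolved, and counting each entry at most once per client is this example's simplification of what postscreen does.

```python
"""Offline evaluation of Postfix postscreen_dnsbl_sites weights.

Added example (not Postfix code). DNSBL replies are constructed inputs.
"""
import re

# postscreen_dnsbl_sites exactly as posted in this thread.
SAMPLE_SITES = """
dnsbl.sorbs.net=127.0.0.10*9 dnsbl.sorbs.net=127.0.0.14*9
zen.spamhaus.org=127.0.0.[10;11]*8 dnsbl.sorbs.net=127.0.0.5*7
zen.spamhaus.org=127.0.0.[4..7]*7 b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.3*7 dnsbl.inps.de=127.0.0.2*7 dnsbl.sorbs.net=127.0.0.7*4
hostkarma.junkemailfilter.com=127.0.0.2*4 bl.spamcop.net=127.0.0.2*4
bl.spameatingmonkey.net=127.0.0.[2;3]*4 dnsrbl.swinog.ch=127.0.0.3*4
ix.dnsbl.manitu.net=127.0.0.2*4 psbl.surriel.com=127.0.0.2*4
bl.mailspike.net=127.0.0.[10;11;12]*4 bl.mailspike.net=127.0.0.2*4
bl.spamcannibal.org=127.0.0.2*3 zen.spamhaus.org=127.0.0.2*3
score.senderscore.com=127.0.4.[0..20]*3 dnsbl.sorbs.net=127.0.0.6*3
dnsbl.sorbs.net=127.0.0.8*2 hostkarma.junkemailfilter.com=127.0.0.4*2
dnsbl.sorbs.net=127.0.0.9*2 dnsbl-1.uceprotect.net=127.0.0.2*2
all.spamrats.com=127.0.0.38*2 bl.nszones.com=127.0.0.[2;3]*1
dnsbl-2.uceprotect.net=127.0.0.2*1 dnsbl.sorbs.net=127.0.0.2*1
dnsbl.sorbs.net=127.0.0.4*1 score.senderscore.com=127.0.4.[0..69]*1
dnsbl.sorbs.net=127.0.0.3*1 hostkarma.junkemailfilter.com=127.0.1.2*1
dnsbl.sorbs.net=127.0.0.15*1 ips.backscatterer.org=127.0.0.2*1
bl.nszones.com=127.0.0.5*-1 score.senderscore.com=127.0.4.[90..100]*-1
wl.mailspike.net=127.0.0.[18;19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-2
ips.whitelisted.org=127.0.0.2*-2 list.dnswl.org=127.0.[0..255].0*-2
dnswl.inps.de=127.0.[0;1].[2..10]*-2 list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4 list.dnswl.org=127.0.[0..255].3*-5
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold, as stated in the thread

ENTRY_RE = re.compile(r"^(?P<domain>[^=*\s]+)(?:=(?P<filt>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")


def _octet(pattern):
    """One filter octet: '7', '[10;11]' or '[0..255]' -> set of accepted values."""
    items = pattern[1:-1].split(";") if pattern.startswith("[") else [pattern]
    values = set()
    for item in items:
        if ".." in item:
            lo, hi = item.split("..", 1)
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(item))
    return values


def parse_filter(filt):
    """'127.0.[0..255].[2;3]' -> four value sets; None means 'any reply'."""
    if filt is None:
        return None
    octets = re.findall(r"\[[^\]]*\]|\d+", filt)   # split on '.', keep [..] intact
    if len(octets) != 4:
        raise ValueError(f"bad filter: {filt}")
    return [_octet(o) for o in octets]


def parse_sites(text):
    """Parse a postscreen_dnsbl_sites value into (domain, filter, sets, weight)."""
    entries = []
    for token in text.replace(",", " ").split():
        m = ENTRY_RE.match(token)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token}")
        weight = int(m.group("weight")) if m.group("weight") else 1
        entries.append((m.group("domain"), m.group("filt"), parse_filter(m.group("filt")), weight))
    return entries


def filter_matches(octet_sets, reply):
    if octet_sets is None:
        return True
    parts = [int(p) for p in reply.split(".")]
    return len(parts) == 4 and all(p in s for p, s in zip(parts, octet_sets))


def score_client(entries, replies, threshold=THRESHOLD):
    """replies: {dnsbl domain: [A records returned for the client IP]}.
    Simplification: each entry adds its weight at most once, when any reply
    from that domain matches its filter. Unmatched replies add nothing."""
    score, matched = 0, []
    for domain, filt, octet_sets, weight in entries:
        if any(filter_matches(octet_sets, r) for r in replies.get(domain, [])):
            score += weight
            matched.append((domain, filt, weight))
    return {"score": score, "matched": matched,
            "action": "reject" if score >= threshold else "accept"}


if __name__ == "__main__":
    entries = parse_sites(SAMPLE_SITES)
    bot = {"zen.spamhaus.org": ["127.0.0.11", "127.0.0.4"],
           "bl.spamcop.net": ["127.0.0.2"], "psbl.surriel.com": ["127.0.0.2"]}
    print(score_client(entries, bot))
```

Feed it the answers from a manual lookup when a client you expected postscreen to drop got through: a reply code that matches none of the filters (zen.spamhaus.org returning 127.0.0.9, say) contributes nothing, and overlapping entries for the same domain (the two senderscore ranges) each add their weight.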
Re: SA cannot block messages with attached zip
On 20.05.2016 at 08:31 Emin Akbulut wrote:
> I tried to train SA with tons of spam messages which contains zip file
> (includes .js)
> The max spam score was lesser than 5 so I did set 4 to delete messages.
>
> Then same kind of spam messages appear with the score of lesser than 2.
>
> In short; training the SA seems not helpful.
>
> What do you suggest to fight these spams?
>
> Raw message:
> http://pastebin.com/gPREh54L

just get a proper clamav setup

the real good question is why the hell that message does not get bayes classified at all here when pipe your download through spamc/spamd while other messages are

also a good question is why your header don't contain a single DNSBL and if that happens all the time - without blacklists you have no good chances for proper reject (for the trolls - YES a FULL SETUP rejects) many junk

X-Spam-Status: No, score=1.6 required=4.0 tests=BAYES_50,RDNS_NONE
        autolearn=no autolearn_force=no version=3.4.1

_

/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.Zip_fs223.UNOFFICIAL FOUND
/var/www/uploadtemp/5633d7b4bafd01d72635e8496c9a781a4efa94d8.eml: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND

--- VIRUS-SCAN SUMMARY ---
Infected files: 1
Time: 0.005 sec (0 m 0 s)

Content analysis details: (37.6 points, 5.5 required)

 pts rule name                   description
---- --------------------------- --------------------------------------------------
 4.5 CUST_DNSBL_10_SORBS_WEB     RBL: dnsbl.sorbs.net (web.dnsbl.sorbs.net)
                                 [213.252.170.66 listed in dnsbl.sorbs.net]
 0.5 CUST_DNSBL_33_SORBS_VIRUS   RBL: dnsbl.sorbs.net (virus.dnsbl.sorbs.net)
 1.5 CUST_DNSBL_20_SORBS_SPAM    RBL: dnsbl.sorbs.net (spam.dnsbl.sorbs.net)
 0.1 CUST_DNSBL_34_BACKSCATTER   RBL: dnsbl-backscatterer.thelounge.net (ips.backscatterer.org)
                                 [213.252.170.66 listed in dnsbl-backscatterer.thelounge.net]
 3.5 CUST_DNSBL_11_JEF_BLACK     RBL: hostkarma.junkemailfilter.com
                                 [213.252.170.66 listed in hostkarma.junkemailfilter.com]
 1.0 CUST_DNSBL_24_UCE1          RBL: dnsbl-uce.thelounge.net (dnsbl-1.uceprotect.net)
                                 [213.252.170.66 listed in dnsbl-uce.thelounge.net]
 2.5 CUST_DNSBL_16_PSBL          RBL: dnsbl-surriel.thelounge.net (psbl.surriel.com)
                                 [213.252.170.66 listed in dnsbl-surriel.thelounge.net]
 2.5 CUST_DNSBL_12_SPAMCOP       RBL: bl.spamcop.net
                                 [213.252.170.66 listed in bl.spamcop.net]
 3.0 RCVD_IN_MSPIKE_L5           RBL: Very bad reputation (-5)
                                 [213.252.170.66 listed in bl.mailspike.net]
 5.5 CUST_DNSBL_6_ZEN_XBL        RBL: zen.spamhaus.org (xbl.spamhaus.org)
                                 [213.252.170.66 listed in zen.spamhaus.org]
 1.5 CUST_DNSBL_19_SENDERSC_HIGH RBL: score.senderscore.com (senderscore.com High)
                                 [213.252.170.66 listed in score.senderscore.com]
 1.0 CUST_DNSBL_30_SENDERSC_MED  RBL: score.senderscore.com (senderscore.com Medium)
 5.0 CUST_DNSBL_7_CUDA           RBL: b.barracudacentral.org
                                 [213.252.170.66 listed in b.barracudacentral.org]
 2.5 CUST_DNSBL_13_SEM           RBL: bl.spameatingmonkey.net
                                 [213.252.170.66 listed in bl.spameatingmonkey.net]
 2.5 RDNS_NONE                   Delivered to internal network by a host with no rDNS
 0.0 RCVD_IN_MSPIKE_BL           Mailspike blacklisted
 0.5 HELO_MISC_IP                Looking for more Dynamic IP Relays