Re: Config option to skip pyzor check on empty body emails?

2017-09-12 Thread Sebastian Arcus


On 12/09/17 12:33, RW wrote:

> On Tue, 12 Sep 2017 08:41:01 +0100
> Sebastian Arcus wrote:
>
>> The confusing part is that left to its devices, Pyzor creates
>> a .pyzor dir in the home dir of the user it is run as. But if
>> --homedir is specified, it dumps stuff directly there, instead of
>> creating a .pyzor dir. In the end I got rid of the "pyzor_options
>> --homedir" option in local.cf and it worked fine.
>
> It is a bit confusing, but it's not that the .pyzor directory is used
> inconsistently, it's that pyzor defines
>
>    --homedir=HOMEDIR configuration directory
>
> so the default homedir is $HOME/.pyzor/ not $HOME/.
>
> If you want to use pyzor_options you could use:
>
>    pyzor_options --homedir /var/spool/spamd/.pyzor


Like with everything, it all makes sense after you fully understand
what's going on :-) I just made the wrong assumptions about how the
option would work. Like Ian says, the word "home" in the option
name makes it easy to assume that everything will be arranged as
subdirectories under it. No matter - I'm happy I've finally found a
solution to the empty bodied emails hitting PYZOR_CHECK :-)

Thanks again for all the help.


Re: new campaign: bitly & appengine.google

2017-09-12 Thread John Hardin

On Tue, 12 Sep 2017, Chip M. wrote:

> Does anyone have a contact at BitLy?  These would be trivially
> easy for them to block.

I've had good fortune reporting individual instances of abuse to
ab...@bit.ly, I don't see any reason why that wouldn't be your first point
of contact for something like this.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Joan Peterson is like that: you expect at least a pseudological
  argument, but instead you get the weird ramblings of a woman with
  the critical thinking abilities of an 18th century peasant.  -- Ken
---
 5 days until the 230th anniversary of the signing of the U.S. Constitution


Re: new campaign: bitly & appengine.google

2017-09-12 Thread Zinski, Steve
Report to – supp...@bitly.com



On 9/12/17, 1:29 PM, "Benny Pedersen" wrote:

> Chip M. skrev den 2017-09-12 15:28:
>
>> Does anyone have a contact at BitLy?  These would be trivially
>> easy for them to block.
>
> https://support.bitly.com/hc/en-us/articles/231247908-I-ve-found-a-bitlink-that-directs-to-spam-what-should-I-do-
>
> googled bit.ly report spam




Re: new campaign: bitly & appengine.google

2017-09-12 Thread Benny Pedersen

Chip M. skrev den 2017-09-12 15:28:

> Does anyone have a contact at BitLy?  These would be trivially
> easy for them to block.

https://support.bitly.com/hc/en-us/articles/231247908-I-ve-found-a-bitlink-that-directs-to-spam-what-should-I-do-

googled bit.ly report spam


Re: Config option to skip pyzor check on empty body emails?

2017-09-12 Thread Ian Zimmerman
On 2017-09-12 12:33, RW wrote:

> It is a bit confusing, but it's not that the .pyzor directory is used
> inconsistently, it's that pyzor defines
>
>   --homedir=HOMEDIR configuration directory

The confusing part is the spelling of the option.  The mistake is clear
from the last line quoted above: it should be "configdir" and not
"homedir".  Admittedly pyzor will put the data there by default as well
(when backed by gdbm) but that's a minor quibble by comparison.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.


Re: new campaign: bitly & appengine.google

2017-09-12 Thread Kevin A. McGrail

On 9/12/2017 9:28 AM, Chip M. wrote:

> There's a new campaign that uses Bitly shorteners to some sort of
> Google forwarder ("appengine").
>
> Here's some sample Locations returned by HEADing the shorteners:
>
> appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/report.php?mn=##
>
> appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbtax.com/getreport.php?ne=
>
> appengine.google.com/_ah/logout?continue=http://bbbwork.com/abuse.php?number=#
>
> appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcompliancenetwork.com/compliance.php?ne=##
>
> appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbb-compliance.com/abuse.php?rt=###
>
> I've hashed out the parts that look like tracking IDs, all of
> which have been pure numeric chars.
>
> Here's the corresponding Subjects:
> 752566913589:407
> 8260420930:36
> Incident:062881374904:149
> Incident:22677610925:290
> Incident:5858851682625:543
>
> The message text is a fake BBB complaint.
> I'll put a sample online tonight, if practical.
>
> The SA scores have ranged from -2.2 to 1.5, with no useful
> patterns.
>
> Does anyone have a contact at BitLy?  These would be trivially
> easy for them to block.
> - "Chip"

I added a rule called FAKEBBB to KAM.cf yesterday for these issues.  If 
you have variants not caught, please let me know.  I haven't seen one 
since. Good idea to contact bit.ly as well as Google.  I'll see if I can 
backchannel to google about the appengine misuse.


Regards,

KAM



new campaign: bitly & appengine.google

2017-09-12 Thread Chip M.
There's a new campaign that uses Bitly shorteners to some sort of
Google forwarder ("appengine").

Here's some sample Locations returned by HEADing the shorteners:

appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/report.php?mn=##

appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbtax.com/getreport.php?ne=

appengine.google.com/_ah/logout?continue=http://bbbwork.com/abuse.php?number=#

appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcompliancenetwork.com/compliance.php?ne=##

appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbb-compliance.com/abuse.php?rt=###
I've hashed out the parts that look like tracking IDs, all of 
which have been pure numeric chars.

Here's the corresponding Subjects:
752566913589:407
8260420930:36
Incident:062881374904:149
Incident:22677610925:290
Incident:5858851682625:543

The message text is a fake BBB complaint.
I'll put a sample online tonight, if practical.

The SA scores have ranged from -2.2 to 1.5, with no useful 
patterns.

Does anyone have a contact at BitLy?  These would be trivially 
easy for them to block.
- "Chip"
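As an added example (not part of Chip's post, and not the FAKEBBB rule Kevin mentions), the Python below does the defender-side parsing the post describes: it unwraps the nested appengine.google.com/_ah/logout?continue= Location chains to the final landing host and checks the Subject against the digits:digits / Incident:digits:digits shape listed above. The function names, the numeric ids in the sample Locations (the post hashed them out) and the benign example.org control are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples modelled on the Location headers in Chip's post; the
# numeric ids are made up, and the example.org entry is a benign control.
SAMPLE_LOCATIONS = [
    "appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout"
    "?continue=http://bbbcomplianceglobal.com/report.php?mn=123456",
    "appengine.google.com/_ah/logout?continue=http://bbbwork.com/abuse.php?number=98765",
    "https://www.example.org/",
]
SAMPLE_SUBJECTS = ["752566913589:407", "Incident:062881374904:149", "Your invoice"]

# Subject shape seen in the post: optional "Incident:" then digits ":" digits.
SUBJECT_RE = re.compile(r"^(?:Incident:)?\d+:\d+$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
FORWARDER_HOST = "appengine.google.com"
FORWARDER_PATH = "/_ah/logout"


def _split(url):
    """urlsplit() that tolerates a scheme-less Location such as the post's."""
    if not SCHEME_RE.match(url):
        url = "http://" + url
    return urlsplit(url)


def unwrap_redirect_chain(location, max_hops=10):
    """Return the list of hosts visited by following nested
    /_ah/logout?continue=<url> hops, outermost first, ending at the
    first URL that is not such a forwarder. max_hops guards against loops."""
    hops = []
    url = location
    while len(hops) < max_hops:
        parts = _split(url)
        hops.append(parts.hostname or "")
        # parse_qs percent-decodes the value; an unencoded inner query with
        # '&' would be cut at the '&', but the host part still survives.
        nxt = parse_qs(parts.query).get("continue")
        if parts.path != FORWARDER_PATH or not nxt:
            break
        url = nxt[0]
    return hops


def assess(location, subject):
    """Combine the redirect-chain and Subject checks into one verdict dict."""
    hops = unwrap_redirect_chain(location)
    forwarder_hops = sum(1 for h in hops[:-1] if h == FORWARDER_HOST)
    return {
        "final_host": hops[-1],
        "hops": len(hops),
        "via_appengine_logout": forwarder_hops > 0,
        "subject_matches": bool(SUBJECT_RE.match(subject)),
    }


if __name__ == "__main__":
    for loc, subj in zip(SAMPLE_LOCATIONS, SAMPLE_SUBJECTS):
        print(assess(loc, subj))
```

The chain walker only treats a hop as a forwarder when the path is exactly /_ah/logout and a continue= parameter is present, so a legitimate appengine.google.com landing page is reported as the final host rather than as a forwarder; the Subject pattern on its own is weak, which is why the verdict keeps the two signals separate for a rule to combine.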




Re: Config option to skip pyzor check on empty body emails?

2017-09-12 Thread RW
On Tue, 12 Sep 2017 08:41:01 +0100
Sebastian Arcus wrote:


> The confusing part is that left to its devices, Pyzor creates
> a .pyzor dir in the home dir of the user it is run as. But if
> --homedir is specified, it dumps stuff directly there, instead of
> creating a .pyzor dir.In the end I got rid of the "pyzor_options
> --homedir" option in local.cf and it worked fine.

It is a bit confusing, but it's not that the .pyzor directory is used
inconsistently, it's that pyzor defines

  --homedir=HOMEDIR configuration directory

so the default homedir is $HOME/.pyzor/ not $HOME/.

If you want to use  pyzor_options you could use:

  pyzor_options  --homedir /var/spool/spamd/.pyzor


Re: Config option to skip pyzor check on empty body emails?

2017-09-12 Thread Sebastian Arcus

On 12/09/17 00:56, RW wrote:

> On Tue, 12 Sep 2017 00:37:40 +0100
> Sebastian Arcus wrote:
>
>> On 11/09/17 20:20, RW wrote:
>>
>>> This is why pyzor has the local_whitelist command. At the very least
>>> it's a good idea to pipe an empty string through
>>> "pyzor local_whitelist" (probably as the user running
>>> spamassassin).
>>
>> I have spotted that command in the docs - and if it worked, it would
>> seem like a good solution. But it doesn't seem to. I have added the
>> hash of the empty string to the local whitelist. If I try to re-add
>> the same hash, or the hash of the problem emails - I get a message
>> stating that it is already in the whitelist - so it would appear to
>> be working. But when running the email message through SA, it still
>> hits PYZOR_CHECK. I have found the location of Pyzor's local
>> whitelist - and the permissions are correct. It appears that SA
>> completely ignores the fact that the digest is whitelisted locally:
>
> SA can't ignore it, if a hash is whitelisted pyzor returns a dummy
> result.  e.g.:
>
> $ echo "" | pyzor check
> public.pyzor.org:24441  (200, 'OK') 0   0
>
> compared with:
>
> $ echo "" | pyzor --local-whitelist=/nonextistent check
> public.pyzor.org:24441  (200, 'OK') 2749671 82562


Thank you for that. I have finally gotten to the bottom of my problem. It was
the Pyzor homedir. Although I have set it up in
/etc/mail/spamassassin/local.cf, I ended up confusing myself. If I ran
as root:


   #pyzor local_whitelist < /email.eml

it placed the whitelist in /root/.pyzor/whitelist

When I ran:

   #su - spamd -c "pyzor local_whitelist < /email.eml"

it placed it in /var/spool/spamd/.pyzor/whitelist (/var/spool/spamd is 
the homedir of the 'spamd' user on this system)


But when I ran:

   #su - spamd -c "pyzor --homedir /var/spool/spamd local_whitelist < /email.eml"

it placed it in /var/spool/spamd/whitelist

The confusing part is that left to its devices, Pyzor creates a .pyzor 
dir in the home dir of the user it is run as. But if --homedir is 
specified, it dumps stuff directly there, instead of creating a .pyzor 
dir. In the end I got rid of the "pyzor_options --homedir" option in 
local.cf and it worked fine. I was just tying myself in knots there :-)


Thanks again
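As an added example (not code from the thread, pyzor or SpamAssassin), the Python below turns RW's explanation and Sebastian's three runs into a check you can apply to a local.cf before chasing PYZOR_CHECK hits: given the pyzor_options line and the home directory of the user spamd runs as, it resolves the whitelist file pyzor will consult and compares it with the file a plain "pyzor local_whitelist" run as that user writes to. It assumes only what the thread shows: the default homedir is $HOME/.pyzor, --homedir replaces that directory wholesale (no .pyzor is appended), the default whitelist file is <homedir>/whitelist, and --local-whitelist names a different file; the function names and the local.cf fragments are constructed for the example.

```python
import shlex
from pathlib import PurePosixPath

# Constructed local.cf fragments reproducing the three situations in the
# thread; they are not configuration from any poster's system.
LOCAL_CF_DEFAULT = "use_pyzor 1\n"
LOCAL_CF_HOMEDIR_IS_HOME = "use_pyzor 1\npyzor_options --homedir /var/spool/spamd\n"
LOCAL_CF_HOMEDIR_IS_DOTPYZOR = "use_pyzor 1\npyzor_options --homedir /var/spool/spamd/.pyzor\n"

# Home directory of the user spamd runs as, as given in the thread.
SPAMD_HOME = "/var/spool/spamd"


def pyzor_options_from_local_cf(local_cf_text):
    """Return the argument list of the last pyzor_options line, or [] if none."""
    opts = []
    for raw in local_cf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if line.startswith("pyzor_options"):
            opts = shlex.split(line)[1:]
    return opts


def pyzor_whitelist_path(opts, user_home):
    """Resolve the local whitelist file pyzor would use for these options.

    Assumed (from the thread, not verified against pyzor's source): default
    homedir is $HOME/.pyzor, --homedir replaces it, the default whitelist is
    <homedir>/whitelist, --local-whitelist overrides the file name. Both the
    "--opt VALUE" and "--opt=VALUE" spellings seen in the thread are accepted.
    """
    homedir = PurePosixPath(user_home) / ".pyzor"
    whitelist = PurePosixPath("whitelist")
    i = 0
    while i < len(opts):
        name, sep, value = opts[i].partition("=")
        if name in ("--homedir", "--local-whitelist") and not sep:
            value = opts[i + 1] if i + 1 < len(opts) else ""
            i += 1                                # the value was a separate arg
        if name == "--homedir" and value:
            homedir = PurePosixPath(value)
        elif name == "--local-whitelist" and value:
            whitelist = PurePosixPath(value)
        i += 1
    # pathlib: joining with an absolute right-hand side yields that path,
    # so an absolute --local-whitelist wins over homedir.
    return str(homedir / whitelist)


def whitelist_mismatch(local_cf_text, user_home):
    """Compare the whitelist SpamAssassin's pyzor call reads with the one a
    plain 'pyzor local_whitelist' run as the same user writes."""
    sa_path = pyzor_whitelist_path(pyzor_options_from_local_cf(local_cf_text), user_home)
    cli_path = pyzor_whitelist_path([], user_home)
    return {
        "spamassassin_reads": sa_path,
        "plain_cli_writes": cli_path,
        "mismatch": sa_path != cli_path,
    }


if __name__ == "__main__":
    for cf in (LOCAL_CF_DEFAULT, LOCAL_CF_HOMEDIR_IS_HOME, LOCAL_CF_HOMEDIR_IS_DOTPYZOR):
        print(whitelist_mismatch(cf, SPAMD_HOME))
```

A "mismatch": True result is exactly Sebastian's situation: the whitelist entry lands in /var/spool/spamd/.pyzor/whitelist while spamd's pyzor is told to look in /var/spool/spamd/whitelist. Either removing --homedir or pointing it at /var/spool/spamd/.pyzor, as RW suggested, brings the two paths together.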