Re: Blacklist for reply-to?
On Mon, 19 Feb 2018, Alex wrote:

> Hi,
>
> On Mon, Feb 19, 2018 at 3:20 PM, John Hardin wrote:
>> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>>> Whatever you do, just do not ask others to blacklist Alibaba
>>
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> Perhaps just bump the score for that locally?
>
> KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating
> that rule for me. Perhaps he doesn't know the rule was removed or
> otherwise handled?
>
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561
>
> Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero score
>
> Is there anything further that needs to be done wrt this rule, or does
> it now just work as expected?
>
> He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER also being
> affected by FORGED_YAHOO_RCVD.

Kevin, can that be set to advisory rather than completely killed?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The question of whether people should be allowed to harm themselves is simple. They *must*. -- Charles Murray
---
63 more days working to pay your (average) annual US tax bill before you're finally working for yourself.
Re: Blacklist for reply-to?
Hi,

On Mon, Feb 19, 2018 at 3:20 PM, John Hardin wrote:
> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>
>> Whatever you do, just do not ask others to blacklist Alibaba
>
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> Perhaps just bump the score for that locally?

KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating that rule for me. Perhaps he doesn't know the rule was removed or otherwise handled?

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561

Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero score

Is there anything further that needs to be done wrt this rule, or does it now just work as expected?

He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER also being affected by FORGED_YAHOO_RCVD.
Re: Blacklist for reply-to?
On 2018-02-19 (09:57 MST), Paul Stead wrote:
>
> This message is private and confidential. If you have received this message
> in error, please notify us and remove it from your system.
>
> Zen Internet Limited may monitor email traffic data to manage billing, to
> handle customer enquiries and for the prevention and detection of fraud. We
> may also monitor the content of emails sent to and/or from Zen Internet
> Limited for the purposes of security, staff training and to monitor quality
> of service.

I reject your terms.

--
Rid yourself of doubt -- or should you? -George Carlin
Re: Blacklist for reply-to?
David Jones wrote on 2018-02-19 22:35:

> https://bz.apache.org/SpamAssassin
>
> I have added a few domains over the past few months but my mail flow
> isn't going to see many of the problem domains outside of the US like
> those listed above.

https://www.google.dk/search?q=github+freemail

seems all is freemail ?

would adding more freemail domains give a better detection of spam ?
Re: Blacklist for reply-to?
On 02/19/2018 03:19 PM, John Hardin wrote:
> On Mon, 19 Feb 2018, Kenneth Porter wrote:
>> On 2/19/2018 12:20 PM, John Hardin wrote:
>>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> No, not seeing that one. After enough training I eventually see it land
>> in Bayes. The RBLs are starting to flag it.
>>
>> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
>> FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>>
>> The subject and body are offering "image editing".
>
> I get *tons* of those.
>
> I'm wondering whether the freemail list is a bit stale, I'm seeing from
> addresses in .jp domains that look like they might be freemail...
>
> jmail.co.jp
> ezweb.ne.jp
>
> Are these freemail?
>
> o2online.de
> wanadoo.fr

The "freemail" domains also include domains that are commonly abused according to 20_freemail_domains.cf. Anyone wanting to get some domains added should open up a SpamAssassin Bugzilla:

https://bz.apache.org/SpamAssassin

I have added a few domains over the past few months but my mail flow isn't going to see many of the problem domains outside of the US like those listed above.

--
David Jones
Re: Blacklist for reply-to?
On Mon, 19 Feb 2018, Kenneth Porter wrote:

> On 2/19/2018 12:20 PM, John Hardin wrote:
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> No, not seeing that one. After enough training I eventually see it land
> in Bayes. The RBLs are starting to flag it.
>
> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
> FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>
> The subject and body are offering "image editing".

I get *tons* of those.

I'm wondering whether the freemail list is a bit stale, I'm seeing from addresses in .jp domains that look like they might be freemail...

jmail.co.jp
ezweb.ne.jp

Are these freemail?

o2online.de
wanadoo.fr

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
People think they're trading chaos for order [by ceding more and more power to the Government], but they're just trading normal human evil for the really dangerous organized kind of evil, the kind that simply does not give a shit. Only bureaucrats can give you true evil. -- Larry Correia
---
3 days until George Washington's 286th Birthday
Re: Blacklist for reply-to?
On 2/19/2018 12:20 PM, John Hardin wrote:
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?

No, not seeing that one. After enough training I eventually see it land in Bayes. The RBLs are starting to flag it.

X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1

The subject and body are offering "image editing". The From is forged. But the Reply-to is consistent.
Re: Blacklist for reply-to?
On Mon, 19 Feb 2018, Rupert Gallagher wrote:
> Whatever you do, just do not ask others to blacklist Alibaba

Are those getting hits on SPOOFED_FREEM_REPTO_CHN?

Perhaps just bump the score for that locally?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs. -- Bruce Schneier
---
3 days until George Washington's 286th Birthday
Re: Blacklist for reply-to?
I wanted you to see your proposed solution from a different point of view, and I thought the quiz was spot on. As a number of you fell into the trap head first, I am now horrified. Whatever you do, just do not ask others to blacklist Alibaba, and do not blacklist yourself.

Sent from ProtonMail Mobile

On Mon, Feb 19, 2018 at 10:00, Kenneth Porter wrote:
> On 2/18/2018 5:09 PM, Antony Stone wrote:
>
>> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>>
>>> Question time! You receive spam with a reply-to your own address. What do
>>> you do?
>>
>> I take it that this is now a rather different question than the one you
>> originally asked in this thread, where the reply-to address was clearly not
>> your own?
>
> I have no clue what Rupert is on about. I just want something like
> blacklist_from that uses the reply-to header. I thought it was a simple
> technical question about how the config file directives map onto the actual
> headers. I'm not asking for site policy.
Re: catch today's PDF pillz spam
On Mon, 19 Feb 2018, Axb wrote:

> oooppps - missing a backslash
>
> mimeheader AXB_CTYPE_SPELLHERO Content-Type =~ /\bapplictaion\/pdf\b/
>
> On 02/19/2018 05:24 PM, Axb wrote:
>> catch today's PDF pillz spam
>>
>> mimeheader AXB_CTYPE_SPELLHERO Content-Type =~ /bapplictaion\/pdf\b/
>>
>> the typo is the trait ;)
>>
>> enjoy while it lasts

FYI: If you use an explicit pattern-match delimiter you can avoid the "leaning toothpicks" syndrome. (particularly relevant for URIs).

EG:

uri MY_URL_FILTER1 /\bhttp:\/\/this-is\.adomain\.com\/this\/is\/a\/path\b/

uri MY_URL_FILTER2 m!\bhttp://this-is\.adomain\.com/this/is/a/path\b!

Still need to escape those meta-chars (EG: \b) and explicit matches on dots, but otherwise makes it more readable.

I realise this wouldn't have helped you with your typo, but it does make it easier to see at a glance.

--
Dave Funk University of Iowa
College of Engineering 319/335-5751 FAX: 319/384-0549
1256 Seamans Center Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
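The difference between Axb's two versions of the rule is easy to miss by eye, so here is an added example (not code from Axb, Dave or the SpamAssassin project) that runs both patterns over the Content-Type header of every MIME part of a constructed message, the way a mimeheader rule examines each part. The patterns are transcribed verbatim but evaluated with Python's re module rather than Perl; Dave's m!...! delimiter trick is Perl syntax and has no Python equivalent, so it is not shown. The message, its boundary and the attachment name are constructed.

```python
"""Per-part Content-Type matching with the broken and fixed AXB_CTYPE_SPELLHERO patterns."""
import re
from email import message_from_string

# First posting: the backslash before 'b' is missing, so the pattern wants a
# literal 'b' directly before 'applictaion' instead of a word boundary.
BROKEN = re.compile(r"bapplictaion\/pdf\b")
# Corrected rule: word boundary, then the misspelled MIME type, then a boundary.
FIXED = re.compile(r"\bapplictaion\/pdf\b")

# Constructed multipart message carrying the misspelled type on its attachment.
SPAM = """From: sender@example.invalid
Subject: pillz
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

see attachment
--B
Content-Type: applictaion/pdf; name="offer.pdf"
Content-Disposition: attachment; filename="offer.pdf"

JVBERi0xLjQK
--B--
"""

# Same message with the MIME type spelled correctly: must not fire.
HAM = SPAM.replace("applictaion/pdf", "application/pdf")


def mimeheader_hits(raw, pattern):
    """Return the Content-Type of every MIME part whose header matches pattern.

    mimeheader rules are evaluated once per part, so the top-level
    multipart/mixed header is checked as well as each attachment's."""
    msg = message_from_string(raw)
    hits = []
    for part in msg.walk():
        ctype = part.get("Content-Type", "")
        if pattern.search(ctype):
            hits.append(ctype)
    return hits


if __name__ == "__main__":
    print("broken pattern:", mimeheader_hits(SPAM, BROKEN))   # []
    print("fixed pattern: ", mimeheader_hits(SPAM, FIXED))    # one hit
    print("fixed on ham:  ", mimeheader_hits(HAM, FIXED))     # []
```

The broken pattern only ever matches when a stray "b" precedes the type (BROKEN.search("bapplictaion/pdf") succeeds), which is why the first rule never fired on the real spam; the fixed one fires on the typo and stays silent on a correctly spelled application/pdf.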
Re: Blacklist for reply-to?
I have a BZ raised for reply-to blacklist checking:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354

On 19/02/2018, 15:05, "Kevin A. McGrail" wrote:

> On 2/18/2018 3:06 PM, Kenneth Porter wrote:
>> Is there a blacklist for domains in the reply-to header?
>>
>> I've noticed a lot of spam with no URL and mutating From but the
>> reply-to domain is always aliyun dot com. I want to add a site-wide
>> blacklist for that.
>
> To my knowledge it doesn't exist. I documented it as an idea for GSOC at
> https://issues.apache.org/jira/browse/COMDEV-263
>
> Regards,
> KAM

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk

Winner of 'Services Company of the Year' at the UK IT Industry Awards

This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.

Zen Internet Limited may monitor email traffic data to manage billing, to handle customer enquiries and for the prevention and detection of fraud. We may also monitor the content of emails sent to and/or from Zen Internet Limited for the purposes of security, staff training and to monitor quality of service.

Zen Internet Limited is registered in England and Wales, Sandbrook Park, Sandbrook Way, Rochdale, OL11 1RY Company No. 03101568 VAT Reg No. 686 0495 01
Re: catch today's PDF pillz spam
oooppps - missing a backslash

mimeheader AXB_CTYPE_SPELLHERO Content-Type =~ /\bapplictaion\/pdf\b/

On 02/19/2018 05:24 PM, Axb wrote:
> catch today's PDF pillz spam
>
> mimeheader AXB_CTYPE_SPELLHERO Content-Type =~ /bapplictaion\/pdf\b/
>
> the typo is the trait ;)
>
> enjoy while it lasts
catch today's PDF pillz spam
catch today's PDF pillz spam

mimeheader AXB_CTYPE_SPELLHERO Content-Type =~ /bapplictaion\/pdf\b/

the typo is the trait ;)

enjoy while it lasts
Re: Is there a way to perform selective full uri rbl lookups?
Benny,

Maybe I don't see your point clearly ;-) But I don't want to whitelist URIHOSTS. Have these two rules now

urirhssub URIBL_DOMAIN my.rbl.tld. A 127.0.0.16
body URIBL_DOMAIN eval:check_uridnsbl('URIBL_DOMAIN')

askdns URIBL_HOST _URIHOSTS_.my.rbl.tld. A 127.0.0.24

my.rbl.tld is based on mysql data which gets fed more or less automatically from different sources (like my own traps or external data like phishtank etc ppt).

And I have a third rule

urirhssub URIBL_DOMAIN_FU my.rbl.tld. A 127.0.0.32
body URIBL_DOMAIN_FU eval:check_uridnsbl('URIBL_DOMAIN_FU')
score URIBL_DOMAIN_FU 200

where domains will be listed after too many entries in fullhost table.

Cheers

tobi

On 19.02.2018 at 16:14, Benny Pedersen wrote:
> Tobi wrote on 2018-02-19 14:43:
>
>> no need for this as that case is covered by sa urirhssub queries.
>> I needed a way to perform www.sub.domain.tld AND domain.tld queries of
>> the uri www.sub.domain.tld
>
> would you like to test?
>
> blacklist _URIDOMAINS_
> whitelist _URIHOSTS_
>
> :=)
>
> if you score whitelist 50% of blacklist score there could be nice
>
> that way spammers have higher burden to jump over
>
> and you dont need random listing of next subdomain spammer
Re: Is there a way to perform selective full uri rbl lookups?
Tobi wrote on 2018-02-19 14:43:

> no need for this as that case is covered by sa urirhssub queries.
> I needed a way to perform www.sub.domain.tld AND domain.tld queries of
> the uri www.sub.domain.tld

would you like to test?

blacklist _URIDOMAINS_
whitelist _URIHOSTS_

:=)

if you score whitelist 50% of blacklist score there could be nice

that way spammers have higher burden to jump over

and you dont need random listing of next subdomain spammer
Re: Blacklist for reply-to?
On 2/18/2018 3:06 PM, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.

To my knowledge it doesn't exist. I documented it as an idea for GSOC at https://issues.apache.org/jira/browse/COMDEV-263

Regards,
KAM
Re: Is there a way to perform selective full uri rbl lookups?
On 19.02.2018 at 14:25, Benny Pedersen wrote:
> Tobi wrote on 2018-02-19 11:45:
>
> add one more askdns to compensate on _URIDOMAINS_

no need for this as that case is covered by sa urirhssub queries. I needed a way to perform www.sub.domain.tld AND domain.tld queries of the uri www.sub.domain.tld

Cheers

tobi
Re: Is there a way to perform selective full uri rbl lookups?
On 19.02.2018 at 15:04, Benny Pedersen wrote:
>
> yep got it, so if you only use URIHOSTS how do you know it does not miss
> in URIDOMAINS ?

I do not only use URIHOSTS but also a rhs lookup for just the domain. So I have both bases covered :-)
Re: Is there a way to perform selective full uri rbl lookups?
Tobi wrote on 2018-02-19 14:45:

> no need for this as that case is covered by sa urirhssub queries.
> I needed a way to perform www.sub.domain.tld AND domain.tld queries of
> the uri www.sub.domain.tld against my own rbl.

yep got it, so if you only use URIHOSTS how do you know it does not miss in URIDOMAINS ?

would you list all subdomains no matter how many subdomains a given spammer use ?

dns have cheap *.example.org cnames

just my last € on it
Re: Is there a way to perform selective full uri rbl lookups?
On 19.02.2018 at 14:25, Benny Pedersen wrote:
> Tobi wrote on 2018-02-19 11:45:
>
> add one more askdns to compensate on _URIDOMAINS_

no need for this as that case is covered by sa urirhssub queries. I needed a way to perform www.sub.domain.tld AND domain.tld queries of the uri www.sub.domain.tld against my own rbl.

Cheers

tobi
Re: Is there a way to perform selective full uri rbl lookups?
Tobi wrote on 2018-02-19 11:45:

> askdns MY_FULL_TEST _URIHOSTS_.my.rbl.tld A 127.0.0.4
>
> which fires fullhost lookups according to spamassassin -D

its just that spammers would like you to do this :=)

i wont tell why its helping spammers

add one more askdns to compensate on _URIDOMAINS_

responsible spammers should know what not to do
Re: Is there a way to perform selective full uri rbl lookups?
Hi list

just as follow up: at least spamassassin 3.4.1 has the necessary stuff in URIDNSBL.pm. There _URIDOMAINS_ and _URIHOSTS_ are set so a fullhost lookup becomes a simple one-liner

askdns MY_FULL_TEST _URIHOSTS_.my.rbl.tld A 127.0.0.4

which fires fullhost lookups according to spamassassin -D

Feb 19 10:44:50.821 [22500] dbg: async: calling callback on key askdns:A:img.promio-mail.com.my.rbl.tld
Feb 19 10:44:50.821 [22500] dbg: askdns: answer received, rcode NOERROR, query IN/A/img.promio-mail.com.my.rbl.tld, answer has 2 records

Will keep testing for some days, but this seems to be the solution for me :-)

Cheers

tobi

On 17.02.2018 at 12:52, Tobi wrote:
> Hi Daniele (this time onlist, sorry for offlist I have a stupid mobile client
> when it comes to replies to lists)
>
> thanks a lot for your reply. As I'm really not the perl coder I think I will
> keep it as I have my fullhost lookups currently :-)
>
> Can anyone confirm that aux_tlds does not help if one want to perform rh
> lookups and fulluri lookups on the same uri found?
>
> Any chance that sa in future will support a urifullsub method to lookup
> fullhost of an uri?
>
> Cheers
>
> Tobi
>
> - Original message -
> From: Daniele Duca
> Sent: 17.02.18 - 09:04
> To: jahli...@gmx.ch, users@spamassassin.apache.org
> Subject: Re: Is there a way to perform selective full uri rbl lookups?
>
>> Hello,
>>
>> I do full uris dns lookups through a simple SA plugin. The core lines in
>> the function are:
>>
>> sub check_fulluris {
>>     my ($self, $msg) = @_;
>>     my $pms = $msg->{permsgstatus};
>>     my $body = $msg->{msg}->get_pristine_body();
>>     foreach my $this_url (uniq( $body =~ /(http|https):\/\/(.*?)\//g )) {
>>
>>         # code to do dns lookups
>>
>>     }
>> }
>>
>> and in the .cf
>>
>> urirhssub TEST_FULL_URIS mypersonal.dnsbl. A 127.0.0.2
>> body TEST_FULL_URIS eval:check_fulluris('TEST_FULL_URIS')
>>
>> As for my personal reason of doing full hostnames lookups, I find it
>> easier to maintain a rbldnsd zone with hacked websites/landing pages of
>> marketers than to write uri rules in the .cf each time
>>
>> Hope it helps
>>
>> Daniele Duca
>>
>> On 16/02/2018 22:08, jahlives wrote:
>>> Hi list
>>>
>>> I'm looking for a way in spamassassin to run a full-uri-host rbl lookup
>>> for a specific rule. I do not want to discuss about sense or non-sense
>>> of full-uri-hosts lookups ;-)
>>>
>>> lets assume I have two rules which query my own rbl
>>>
>>> urirhssub HIT_DOMAIN my.rbl.tld. A 127.0.0.2
>>> body HIT_DOMAIN eval:check_uridnsbl('HIT_DOMAIN')
>>>
>>> urifullsub HIT_FULL my.rbl.tld. A 127.0.0.4
>>> body HIT_FULL eval:check_uridnsbl('HIT_FULL')
>>>
>>> I know urifullsub does not exist, should just visualize what I try to
>>> achieve :-)
>>>
>>> now for a uri like www.sub.domain.tld both rules should be tested. The
>>> first one for domain.tld (which sa does with rh lookups) and the second
>>> one with the full-uri-host (www.sub.domain.tld)
>>>
>>> I read about aux_tlds but I think this does not help me as if I add
>>> domain.tld to aux_tlds the first query above would be fired with
>>> sub.domain.tld
>>>
>>> I thought that the second query could be solved using askdns plugin in a
>>> way like this
>>>
>>> askdns HIT_FULL _URIFULLHOST_.my.rbl.tld. A 127.0.0.4
>>>
>>> But how to get access to urifullhost? :-)
>>>
>>> Currently I use a plugin of my antispam glue to perform the full uri
>>> host lookups on uris found. This plugin adds a X-Header upon hit on
>>> which spamassassin fires and scores.
>>> So I have a solution to this "problem" but it would be nice to do both
>>> queries from spamassassin :-)
>>>
>>> Cheers
>>>
>>> tobi
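To make the _URIHOSTS_ versus _URIDOMAINS_ distinction in this sub-thread concrete, here is an added example that is not code from Tobi, Benny, Daniele or the SpamAssassin project. It extracts the URI hosts from a constructed message body, builds the query names that an askdns rule on _URIHOSTS_ and a urirhssub rule (which queries the registered domain) would send to the zone my.rbl.tld named in the thread, answers them from an in-memory stand-in for the rbldnsd zone instead of real DNS, and applies the two kinds of sub-test: an exact A-record match for the askdns host rule (127.0.0.24, as in Tobi's URIBL_HOST) and single-bit masks on the last octet for the domain rules (16 and 32, as in URIBL_DOMAIN and URIBL_DOMAIN_FU). Everything in the zone is constructed; the two-label "registered domain" helper is a simplification (SpamAssassin uses its own TLD tables), and the exact-string semantics assumed for askdns's plain subtest should be checked against the AskDNS plugin documentation. It also shows Benny's point: a freshly minted subdomain is missed by the full-host lookup but still caught by the domain lookup.

```python
"""Full-host (askdns _URIHOSTS_) and registered-domain (urirhssub) URIBL lookups
against a constructed in-memory zone. Added example; no network access."""
import re

RBL_ZONE = "my.rbl.tld"   # zone name taken from the thread

# Constructed stand-in for the rbldnsd zone: listed name -> A-record answer.
ZONE = {
    "spammy.example": "127.0.0.48",            # 16 (listed) | 32 (too many full hosts)
    "www.promo.spammy.example": "127.0.0.24",  # one specific full host listed
    "landing.hacked.example": "127.0.0.24",    # hacked site: only this host is bad
}

# Domain sub-tests modelled on the thread's urirhssub rules: (rule, bit in last octet).
URIRHSSUB = [("URIBL_DOMAIN", 16), ("URIBL_DOMAIN_FU", 32)]
# Host sub-test modelled on the thread's askdns rule: exact answer string (assumed semantics).
ASKDNS_HOST = ("URIBL_HOST", "127.0.0.24")

URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample body: one listed host, one brand-new subdomain of a listed
# domain, one hacked host on an otherwise clean domain, one clean site.
BODY = """Great offer at http://www.promo.spammy.example/buy
and a fresh one at http://new.spammy.example/go
plus http://landing.hacked.example/login and https://www.example.org/ok
"""


def uri_hosts(body):
    """Unique, lowercased hostnames of all http(s) URIs in the body (what _URIHOSTS_ expands to)."""
    return sorted({m.group(1).lower() for m in URI_RE.finditer(body)})


def registered_domain(host):
    """Simplified two-label domain (what _URIDOMAINS_ / urirhssub look up)."""
    return ".".join(host.lower().split(".")[-2:])


def query(qname):
    """Resolve qname in the constructed zone; None means NXDOMAIN (not listed)."""
    suffix = "." + RBL_ZONE
    if not qname.endswith(suffix):
        raise ValueError("query outside the RBL zone: " + qname)
    return ZONE.get(qname[: -len(suffix)])


def last_octet(answer):
    return int(answer.rsplit(".", 1)[1])


def evaluate(body):
    """Return {rule_name: [names that triggered it]} for every URI in body."""
    hits = {}
    hosts = uri_hosts(body)
    # askdns on _URIHOSTS_: one query per full hostname, exact answer match.
    for host in hosts:
        if query(f"{host}.{RBL_ZONE}") == ASKDNS_HOST[1]:
            hits.setdefault(ASKDNS_HOST[0], []).append(host)
    # urirhssub: one query per registered domain, bitmask on the last octet.
    for domain in sorted({registered_domain(h) for h in hosts}):
        answer = query(f"{domain}.{RBL_ZONE}")
        if answer is None:
            continue
        for rule, bit in URIRHSSUB:
            if last_octet(answer) & bit:
                hits.setdefault(rule, []).append(domain)
    return hits


if __name__ == "__main__":
    for rule, names in sorted(evaluate(BODY).items()):
        print(f"{rule}: {', '.join(names)}")
```

new.spammy.example never appears under URIBL_HOST, because nobody listed that exact name, yet its domain still fires URIBL_DOMAIN and URIBL_DOMAIN_FU; landing.hacked.example fires only the host rule, which is the case Daniele's full-hostname zone is for. Running both lookups, as Tobi ended up doing, covers both.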
Re: Blacklist for reply-to?
On 19/02/2018 10:00, Kenneth Porter wrote:
> I have no clue what Rupert is on about. I just want something like
> blacklist_from that uses the reply-to header. I thought it was a simple
> technical question about how the config file directives map onto the actual
> headers. I'm not asking for site policy.

Maybe something like this?

header REPLYTO_KILLER reply-to =~ /@domain\.that\.you\.want\.blacklisted/
score REPLYTO_KILLER 1000
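The header rule above is an unanchored substring match on the raw Reply-To value, which has two edge cases worth seeing before deploying it. This added example (not code from the poster or from SpamAssassin) transcribes that regex into Python's re module and runs it beside a stricter check that parses every address in Reply-To and compares the domain part exactly or as a subdomain, over a few constructed messages whose From mutates while Reply-To stays constant, as Kenneth described. The blacklisted domain, the sample addresses and the function names are constructed.

```python
"""Reply-To domain blacklist: the thread's substring regex beside a parsed-domain check."""
import re
from email import message_from_string
from email.utils import getaddresses

BLACKLISTED = "blacklisted.example"   # constructed stand-in for the domain you want to block

# The posted rule, transcribed: no anchor after the domain, no subdomain handling.
NAIVE_RULE = re.compile(r"@blacklisted\.example", re.IGNORECASE)

# Constructed samples: mutating From, constant Reply-To, plus two edge cases.
SAMPLES = {
    "spam1": "From: Alice <alice@example.net>\nReply-To: ops@blacklisted.example\n\nbody\n",
    "spam2": "From: \"Bob\" <bob@example.org>\nReply-To: \"Sales\" <sales@blacklisted.example>\n\nbody\n",
    # Subdomain of the blacklisted domain: the naive regex needs '@' right before it.
    "subdomain": "From: c@example.com\nReply-To: c@mail.blacklisted.example\n\nbody\n",
    # Look-alike where the blacklisted name is only a prefix of a longer domain.
    "lookalike": "From: d@example.com\nReply-To: d@blacklisted.example.evil.test\n\nbody\n",
    "ham": "From: e@example.com\nReply-To: e@example.com\n\nbody\n",
}


def naive_hit(raw):
    """What the posted header rule does: regex over the whole Reply-To value."""
    msg = message_from_string(raw)
    return bool(NAIVE_RULE.search(msg.get("Reply-To", "")))


def strict_hit(raw, blacklist=(BLACKLISTED,)):
    """Parse each Reply-To address and compare its domain exactly or as a subdomain."""
    msg = message_from_string(raw)
    for _display_name, addr in getaddresses(msg.get_all("Reply-To", [])):
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
        for bad in blacklist:
            if domain == bad or domain.endswith("." + bad):
                return True
    return False


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} naive={naive_hit(raw)!s:5} strict={strict_hit(raw)}")
```

The naive pattern over-matches the look-alike domain and misses the subdomain; in a real SpamAssassin rule the same two fixes are an end anchor such as \b or $ after the domain and, if subdomains should count, an optional leading label, applied to the address part of the header (SpamAssassin's Reply-To:addr form) rather than the whole value.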
Re: Blacklist for reply-to?
On 2/18/2018 5:09 PM, Antony Stone wrote:
> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>> Question time! You receive spam with a reply-to your own address. What do
>> you do?
>
> I take it that this is now a rather different question than the one you
> originally asked in this thread, where the reply-to address was clearly not
> your own?

I have no clue what Rupert is on about. I just want something like blacklist_from that uses the reply-to header. I thought it was a simple technical question about how the config file directives map onto the actual headers. I'm not asking for site policy.