Re: sa-scripts hard-code perl loc, and can end up referring to wrong libs or data

2020-10-25 Thread Kevin A. McGrail
I believe if you install a version of sa yourself from a tar, you will see
they use a .raw file without the Perl hardcoded.  It is then relaxed at
install time.

On Sun, Oct 25, 2020, 20:29 L A Walsh  wrote:

> Putting the questions/wants 1st, for those wanting the bottom line.
> For backstory/why, see further on.
>
> 2 things:
>
> 1)  Is it too much effort to only use the major/minor for sa-files?
>
>   i.e. instead of numbering: "3.002000/  3.004000/  3.004004/" using
>   "3.002/  3.004/" ...?  Where the patch level was guaranteed not
>    to cause some "incompat" with the previous Maj.Min"?
>
> 2)  Not put the perl version in the scripts -- especially when it is
> not in the PATH.
>
>
>
> Prologue/why:
>
> Been tracking down a problem specific to my setup/machine
> where some assumptions made by SA, aren't the same as the
> ones I made...
>
> I invoke /usr/bin/sa-prog, which normally I'd expect to use
> the perl in the same path @ /usr/bin/perl.
>
> That, in contains the lib paths.  Then it uses an independent
> path /var/lib/spamassassin/V/...
>
> My perls physically reside in /home/perl/perl-5.M.m, where I
> currently tell them to install relative stuff in /usr/{lib,bin}.
>
> A few apps use perllibs in /usr/lib/perl5/{.,site_perl,vendor_perl}/5.X.y
> with top-of-trees being in the /usr/lib/perl5/5.x.y for stuff from the perl
> org, and other stuff from vendor and local-site (me) under vendor or
> site perl.
>
> The problem seems to be:
> head -1 /usr/bin/sa-update
> #!/home/perl/perl-5.16.3/bin/perl -T -w
>
> so each sa version has a lock to-version in it.  Sa has tried
> to put its data under /var/lib/SA/SA-VER and force a new dir
> on each SA-update, but for their compiled's, it only goes by
>
> ll /var/lib/spamassassin/compiled/
> Oct 10  2011 5.012/
> May 20  2012 5.014/
> Oct 24 02:01 5.016/
>
> the major+minor perl version and doesn't include the patch
> level.
>


Re: sa-scripts hard-code perl loc, and can end up referring to wrong libs or data

2020-10-25 Thread L A Walsh

Putting the questions/wants 1st, for those wanting the bottom line.
For backstory/why, see further on.

2 things:

1)  Is it too much effort to only use the major/minor for sa-files?

  i.e. instead of numbering: "3.002000/  3.004000/  3.004004/" using
  "3.002/  3.004/" ...?  Where the patch level was guaranteed not
   to cause some "incompat" with the previous Maj.Min"?

2)  Not put the perl version in the scripts -- especially when it is
not in the PATH.



Prologue/why:

Been tracking down a problem specific to my setup/machine
where some assumptions made by SA, aren't the same as the
ones I made...

I invoke /usr/bin/sa-prog, which normally I'd expect to use
the perl in the same path @ /usr/bin/perl.

That, in contains the lib paths.  Then it uses an independent
path /var/lib/spamassassin/V/...

My perls physically reside in /home/perl/perl-5.M.m, where I
currently tell them to install relative stuff in /usr/{lib,bin}.

A few apps use perllibs in /usr/lib/perl5/{.,site_perl,vendor_perl}/5.X.y
with top-of-trees being in the /usr/lib/perl5/5.x.y for stuff from the perl
org, and other stuff from vendor and local-site (me) under vendor or 
site perl.


The problem seems to be:
head -1 /usr/bin/sa-update
#!/home/perl/perl-5.16.3/bin/perl -T -w

so each sa version has a lock to-version in it.  Sa has tried
to put its data under /var/lib/SA/SA-VER and force a new dir
on each SA-update, but for their compiled's, it only goes by

ll /var/lib/spamassassin/compiled/
Oct 10  2011 5.012/
May 20  2012 5.014/
Oct 24 02:01 5.016/

the major+minor perl version and doesn't include the patch
level.


Re: curl, MIRRORED.BY, and paths.

2020-10-25 Thread Kevin A. McGrail
Here are my notes for disabling it if it helps.  You might also be able to
uninstall something like perl-local-lib too.


DONE - #DISABLE Local::Lib to stop installations of perl modules from ONLY
working for one user.  We want them on the whole box
  unset PERL5LIB PERL_MB_OPT PERL_LOCAL_LIB_ROOT PERL_MM_OPT  ## set at login by default
  rm -r ~/perl5  ## Created at login if it doesn't exist
  echo PERL_HOMEDIR=0 > ~/.perl-homedir  ## To prevent the next login from imposing it

Hth, KAM

On Sun, Oct 25, 2020, 19:03 L A Walsh  wrote:

> On 2020/10/25 13:00, Bill Cole wrote:
> > A common source of such problems is widespread adoption of the
> > local::lib module which creates a per-user Perl library tree for each
> > user of CPAN, even root. If that's not disabled, it can result in
> > independent module trees with different versions of the same modules,
> > one of which is used by the system (e.g. by cron) and the others by
> > individual users in interactive sessions.
> >
> ---
> Thanks for the heads up.  I see evidence of it having been a probable
> cause of problems in the past, but as part of debugging this problem, I
> had to reinstall CPAN and reran its config script.  It asked me about the
> local-storage and I disabled it.  However, the local-lib (~/.local/Share)
> had been in use before that -- I have a feeling that some distro package
> migrated prefs from the original to the local (grrr..).
>
> That said, it was due to something similar that I need to figure out
> a solution for. I've fixed it for now, but it's a timebomb waiting to
> happen again. -- separating it out since it seems "surprising" -- i.e. not
> what one might expect... (split installation)
>
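An added example, not code from any poster in this thread or from the SpamAssassin project: a small audit for the split-installation problem discussed in the two threads above. It reads the `#!` line of each sa-* script, compares the interpreter with the perl the admin expects, and flags the local::lib variables named in the notes above. The `audit` and `demo` names, the 5.14.2 path and the directory tree are constructed for illustration.

```python
import os
import tempfile

# Variables local::lib sets at login (the ones unset in the notes above).
LOCAL_LIB_VARS = ("PERL5LIB", "PERL_MB_OPT", "PERL_LOCAL_LIB_ROOT", "PERL_MM_OPT")


def shebang_interpreter(script):
    """Return the interpreter path on the script's #! line, or None."""
    with open(script, "rb") as fh:
        first = fh.readline(4096)
    if not first.startswith(b"#!"):
        return None
    fields = first[2:].decode("utf-8", "replace").split()
    return fields[0] if fields else None


def audit(scripts, expected_perl, env):
    """Return (kind, subject, detail) findings for scripts and environment."""
    findings = []
    want = os.path.realpath(expected_perl)
    for script in scripts:
        name = os.path.basename(script)
        interp = shebang_interpreter(script)
        if interp is None:
            findings.append(("no-shebang", name, ""))
        elif not os.path.exists(interp):
            # Interpreter was removed or moved after the script was installed.
            findings.append(("missing-interpreter", name, interp))
        elif os.path.realpath(interp) != want:
            # Script is pinned to a perl other than the expected one, so it
            # will load that perl's @INC and module versions.
            findings.append(("other-perl", name, interp))
    for var in LOCAL_LIB_VARS:
        if env.get(var):
            # cron and interactive logins may see different module trees.
            findings.append(("local-lib-env", var, env[var]))
    return findings


def demo():
    """Audit a constructed tree that mimics the layout described in the thread."""
    with tempfile.TemporaryDirectory() as root:
        def touch(rel):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            return path

        system_perl = touch("usr/bin/perl")
        private_perl = touch("home/perl/perl-5.16.3/bin/perl")
        alias = os.path.join(root, "usr/bin/perl5")
        os.symlink(system_perl, alias)  # same perl under another name: not a finding
        gone = os.path.join(root, "home/perl/perl-5.14.2/bin/perl")  # never created
        shebangs = {
            "sa-update": private_perl,
            "sa-learn": system_perl,
            "spamassassin": gone,
            "sa-compile": alias,
        }
        scripts = []
        for name, interp in shebangs.items():
            path = os.path.join(root, "usr/bin", name)
            with open(path, "w") as fh:
                fh.write("#!%s -T -w\n" % interp)
            scripts.append(path)
        env = {"PATH": "/usr/bin", "PERL_LOCAL_LIB_ROOT": "/root/perl5"}  # constructed
        found = audit(scripts, system_perl, env)
        # Strip the temp prefix so the result reads like real paths.
        return [(kind, what, detail.replace(root, "")) for kind, what, detail in found]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, pass the installed sa-* script paths, the perl you expect them to use, and `os.environ` to `audit`, once from an interactive login and once from cron, and compare the two results.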


Re: curl, MIRRORED.BY, and paths.

2020-10-25 Thread L A Walsh

On 2020/10/25 13:00, Bill Cole wrote:
> A common source of such problems is widespread adoption of the
> local::lib module which creates a per-user Perl library tree for each
> user of CPAN, even root. If that's not disabled, it can result in
> independent module trees with different versions of the same modules,
> one of which is used by the system (e.g. by cron) and the others by
> individual users in interactive sessions.

---
   Thanks for the heads up.  I see evidence of it having been a probable
cause of problems in the past, but as part of debugging this problem, I
had to reinstall CPAN and reran its config script.  It asked me about the
local-storage and I disabled it.  However, the local-lib (~/.local/Share)
had been in use before that -- I have a feeling that some distro package
migrated prefs from the original to the local (grrr..).

   That said, it was due to something similar that I need to figure out
a solution for. I've fixed it for now, but it's a timebomb waiting to happen
again. -- separating it out since it seems "surprising" -- i.e. not what
one might expect... (split installation)


Re: curl get fails; MIRRORED.BY claimed empty. But neither is really true

2020-10-25 Thread Linda A. Walsh




On 2020/10/25 07:58, Kevin A. McGrail wrote:
> This sounds like a path issue and you have two versions of SA
> installed.

Yeah, sorta.

> One perhaps from a package manager like yum or apt and
> another from cpan.

Both by me, but I didn't know the "sa-" ignored
where they were installed/invoked from.

> Your root installation likely has a different path,
> hence the discrepancy.

---
Oddly enough, not -- mostly to prevent probs like this.

> And sa-update writes to /var/lib/spamassassin
> by default so likely a non-privileged user can't overwrite the
> MIRRORED.BY file.

---

My normal login has the correct access rights.  It's in
the spamd group.

> Hope this helps.

---

	Indeed!  Before I could tell you there was no possibility of that,
I had to check & used locate to find all copies of 'sa-update' and weeded out
the backups. Then found the prob -- sorta... In order not to have
to duplicate explain, will put that in a different note.

Thanks again!


Re: curl get fails; MIRRORED.BY claimed empty. But neither is really true

2020-10-25 Thread Bill Cole

On 25 Oct 2020, at 12:06, RW wrote:

> On Sat, 24 Oct 2020 21:12:39 -0700
> L A Walsh wrote:
>
>> On 2020/10/18 09:22, L A Walsh wrote:
>>> On 2020/10/17 15:58, RW wrote:
>>>
>>>> Probably a networking problem at the time sa-update ran.
>>>> status: 1792 decodes to a curl error code of 7 "Failed to connect
>>>> to host".
>>>> I suspect it's a bug that 1792 wasn't decoded.
>>
>> Reinstalled from CPAN...
>
> It's not something I know much about, but some people on the list have
> advised against installing from CPAN. These installs do seem to create a
> disproportionate amount of problems compared with package installs.

A common source of such problems is widespread adoption of the
local::lib module which creates a per-user Perl library tree for each
user of CPAN, even root. If that's not disabled, it can result in
independent module trees with different versions of the same modules,
one of which is used by the system (e.g. by cron) and the others by
individual users in interactive sessions.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


https://metacpan.org/pod/IP::Country::DB_File

2020-10-25 Thread Benny Pedersen

is it possible to get ASN from this dbfile ?

using it with country lookup, would be good to stop using dns services


Re: What can one do abut outlook.com?

2020-10-25 Thread Martin Gregorie
On Sun, 2020-10-25 at 12:08 -0600, Bob Proulx wrote:
> Martin Gregorie wrote:
> > I use this to send a copy of all outbound mail to a local mailbox.
> > Then periodically a cronjob scans and erases the mailbox content,
> > adding the To: address(es) to a list of correspondents. IME this is
> > safe because its quite unlikely that you'll ever need to blacklist
> > anybody you've sent mail to.
> 
> Oh I wish that were true in general!  I have one user that I help with
> email things and they like to respond to spammers.  They shout, they
> rant, they rave.  I guess it is a catharsis for them and they feel
> better afterward.  I have not been able to convince them that this is
> a worthless thing to do in the best cases and a bad thing to do in the
> worse cases.
> 
I didn't say it works in all cases! In my case it works just as I hoped
it would, but of course those with different mailstream content may not
find it so good.

If I was you I'd quietly point out to those you help that their rants
only amuse spammers if they take any notice at all, but sending them to
you as well pisses you off mightily since you can't do anything about
said spammers, so if they want help from you in future they'd better
stop copying you in on their rants.

It would also be fairly easy to modify the auto-whitelister code to
auto-remove a spamming correspondent from the list. Or, being slightly
more friendly, datestamp the correspondent entry when a message from
them is spam. This would let your SA module:

a) avoid whitelisting them for, say, the next month after their last
   spam.

b) or rather less friendly, send them a message each time you receive
   spam from them saying you're ignoring the message because it was
   spam.

> It is a clever idea!  I might add something similar to my own setup.
> :-)
> 
I'm pleased you like it.

Martin




Re: Blocking by country/ASN/IP/domain

2020-10-25 Thread Peter Blair
At 25 October, 2020 Marc Roos wrote:
> From: Marc Roos 
> To: mysqlstudent , users
>  
> Date: Sun, 25 Oct 2020 18:57:27 +0100
> X-Spam-Status: No, score=-13.2 required=4.0
>  tests=HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
>  RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,
>  URIBL_BLOCKED,URIBL_SBL_A,USER_IN_DEF_SPF_WL autolearn=ham
>  autolearn_force=no version=3.4.4
> Subject: RE: Blocking by country/ASN/IP/domain
> 
> 
> I have been looking into exactly the same, don't know how I am going to 
> implement it still. What I know for now.

You can use one of the DNSBL country zones, ie:

https://dino.ciuffetti.info/2011/08/dnsbl-geoip-service-at-countries-nerd-dk/

  $ dig TXT 201.65.24.151.zz.countries.nerd.dk +short
  "it"

Shows that the IP address belongs to IT.  And if we want to confirm that
this IP hits the IT zone:

  $ dig 201.65.24.151.it.countries.nerd.dk +short
  127.0.0.2

Just add those to your spamassassin DNSBL list for whichever country
codes you don't want mail from.


RE: What can one do abut outlook.com?

2020-10-25 Thread Marc Roos


> make a reality check outside your small bubble!

typical low iq response. I was already discussing the validity of these
soccerplayer contracts before they had to change the system.

> when you have millions of customers you can do whatever you want all
> day long and you are simply not able to remove every spammer or suspend
> every hacked account in realtime

No not at all. No free accounts, and every mail account costs 10 us$ per
month. I will bet you that the outgoing spam is being reduced by more
than 50%.

I do not care if Googles profits drop by XX%. Why do you?

> and no you can't do that fully automated because filtering of
> authenticated mail submission is way harder because there are no
> received-headers and you can't apply any useful DNSBL because your
> customers are on dial-up networks by definition

Make spamming expensive, not free.

> i love it how poor idiots with their "me-and-my-family" setup believe
> the world is that simple - if it would be that simple spam won't exist
> at all for years

I assume your education did not include logics.




Re: What can one do abut outlook.com?

2020-10-25 Thread Benny Pedersen

Bob Proulx wrote on 2020-10-25 19:08:

>> I also have a tool for weeding undesirables from the correspondent list
>> because spamming addresses can creep onto the list, but its very
>> infrequently needed.
>
> It is a clever idea!  I might add something similar to my own setup. :-)

amavisd have penpal, if that is possible to track with TxRep ?

should spamassassin have separate inbound and outbound tracking of
senders and recipient, does it scale ?, or is it only possible in glue
milters ?, open for debate


Re: What can one do abut outlook.com?

2020-10-25 Thread Bob Proulx
Martin Gregorie wrote:
> Its easy enough to create a list all desirable correspondents, at least
> if your MTA has the equivalent of Postfix's 'always_bcc' directive. 
> 
> I use this to send a copy of all outbound mail to a local mailbox. Then
> periodically a cronjob scans and erases the mailbox content, adding the
> To: address(es) to a list of correspondents. IME this is safe because
> its quite unlikely that you'll ever need to blacklist anybody you've
> sent mail to.

Oh I wish that were true in general!  I have one user that I help with
email things and they like to respond to spammers.  They shout, they
rant, they rave.  I guess it is a catharsis for them and they feel
better afterward.  I have not been able to convince them that this is
a worthless thing to do in the best cases and a bad thing to do in the
worse cases.

> In my case I keep the correspondents list in a database. I use a custom
> Perl SA module to access the database and a CORRESPONDENTS_LIST rule to
> trigger it and add negative points to incoming mail email with a
> matching From: address.
> 
> I also have a tool for weeding undesirables from the correspondent list
> because spamming addresses can creep onto the list, but its very
> infrequently needed.

It is a clever idea!  I might add something similar to my own setup. :-)

Bob


Re: What can one do abut outlook.com?

2020-10-25 Thread Benny Pedersen

John Hardin wrote on 2020-10-25 01:46:

> On Sat, 24 Oct 2020, Benny Pedersen wrote:
>
>> John wrote on 2020-10-24 21:30:
>>> A regular source of spam is outlook.com;
>>
>> is spamassassin say is not spam ?
>>
>> in that case:
>>
>> blacklist_from *@outlook.com
>
> ...and then whitelist specific desirable-correspondent outlook.com
> addresses.

or change scores for USER_IN_BLACKLIST to 5.0

i just try to keep it simple


Re: What can one do abut outlook.com?

2020-10-25 Thread John Hardin

On Sun, 25 Oct 2020, Matus UHLAR - fantomas wrote:

> On 24.10.20 22:19, Juerg Reimann wrote:
>> This is what I did, it works a 100% :).
>>
>> outlook.com   REJECT Too much spam from outlook.com, please use another email service.
>
> OTOH, outlook.com responds mail sent to abuse@ address, assuring you it has
> been dealt with, while gmail does not.
>
> of course, I can't be sure if they really dealt with it (nor if gmail
> didn't).

For a data point on gmail/google:

I get quite a lot of 419 scam emails, many with @gmail.com contact
addresses. I report all of them.

One specific gmail contact address I have been seeing in 419 spams and
reporting to ab...@google.com (they discontinued ab...@gmail.com) since
June (5 months now).

I would assume that if the contact mailbox account had indeed been locked
by google, then the spammers would stop using it in their pitches - there
would be no way for them to reel in victims via that contact address.

The fact that after five months of reporting that contact address they are
still using it to lure victims strongly suggests to me that google is
ignoring such reports.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 7 days until Daylight Saving Time ends in U.S. - Fall Back


RE: Blocking by country/ASN/IP/domain

2020-10-25 Thread Marc Roos


I have been looking into exactly the same, don't know how I am going to 
implement it still. What I know for now.

This is how you can get info on a netblock owner. 

[@]$ dig +short -t txt 80.53.103.176.origin.asn.cymru.com
'48031 | 176.103.48.0/20 | UA | ripencc | 2011-12-09'

You can then either decide to mark everything as spam with spamassassin 
or block reject it via a milter or so. Combined with this you can then 
whitelist only this networks official outgoing smtp servers.



 

-Original Message-
From: Alex [mailto:mysqlstud...@gmail.com] 
Sent: Sunday, October 25, 2020 6:50 PM
To: SA Mailing list
Subject: Blocking by country/ASN/IP/domain

Hi, I have a spamassassin-3.4.4 install with amavisd-2.12 and postfix on 
fedora32 and would like to be able to block email from an entire country 
on a per-user or per-domain basis. What is the best way to do this?

I'm currently using the RelayCountry plugin and Amavis::Custom to add an 
X-Relay-Countries header to each email, and have a series of rules of 
the form:

header    RELAYCOUNTRY_JP X-Relay-Countries =~ /JP/
describe  RELAYCOUNTRY_JP Relayed through Japan
score     RELAYCOUNTRY_JP 0.1

I've also been considering blocking by ASN or IP, but I believe it would 
be the same problem just presented in a different way.

How do I tie this into amavisd so that I can allow individual users to 
control their own email? Perhaps this is done in a policy_bank?
Perhaps I would analyze the X-Relay-Countries header directly instead of 
processing the resulting RELAYCOUNTRY_JP rule, for example?
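An added example, not code from any poster in this thread: it builds the reversed-octet query names used in the two `dig` lookups shown in this thread (countries.nerd.dk and origin.asn.cymru.com), parses the origin TXT answer quoted above, and applies the block-the-network-but-allow-its-official-relays policy described above. It performs no DNS lookups; the sample answer is the one on this page, and the blocked sets, return labels and function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class Origin(NamedTuple):
    asns: tuple          # origin AS number(s) announcing the prefix
    prefix: ipaddress.IPv4Network
    country: str
    registry: str
    allocated: str


def reversed_octets(ip):
    """151.24.65.201 -> 201.65.24.151 (validates the address first)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def origin_asn_qname(ip):
    """TXT query name for the netblock-owner lookup."""
    return reversed_octets(ip) + ".origin.asn.cymru.com"


def country_qname(ip, zone="zz"):
    """Query name for the country zone: 'zz' asks which country (TXT),
    a two-letter code asks whether the IP is listed in that country's zone (A)."""
    return "{}.{}.countries.nerd.dk".format(reversed_octets(ip), zone)


def parse_origin_txt(txt):
    """Parse 'ASN | prefix | CC | registry | date' into an Origin."""
    fields = [f.strip() for f in txt.strip().strip("'\"").split("|")]
    if len(fields) != 5:
        raise ValueError("expected 5 '|'-separated fields, got %d" % len(fields))
    # Handled defensively: accept several space-separated AS numbers.
    asns = tuple(int(a) for a in fields[0].split())
    if not asns:
        raise ValueError("no AS number in answer")
    return Origin(asns, ipaddress.IPv4Network(fields[1]),
                  fields[2].upper(), fields[3], fields[4])


def classify(ip, txt, blocked_asns=(), blocked_countries=(), allowed_relays=()):
    """Return 'allow-listed-relay', 'block-asn', 'block-country' or 'pass'."""
    addr = ipaddress.IPv4Address(ip)
    origin = parse_origin_txt(txt)
    # Sanity check: an answer for some other network must not drive policy.
    if addr not in origin.prefix:
        raise ValueError("%s is not inside %s" % (addr, origin.prefix))
    if str(addr) in set(allowed_relays):
        return "allow-listed-relay"
    if set(origin.asns) & set(blocked_asns):
        return "block-asn"
    if origin.country in set(blocked_countries):
        return "block-country"
    return "pass"


# The answer shown in the message above for 80.53.103.176.origin.asn.cymru.com
SAMPLE_TXT = "'48031 | 176.103.48.0/20 | UA | ripencc | 2011-12-09'"

if __name__ == "__main__":
    ip = "176.103.53.80"
    print(origin_asn_qname(ip))
    print(parse_origin_txt(SAMPLE_TXT))
    # Constructed policy: block the whole AS, except one named relay.
    print(classify(ip, SAMPLE_TXT, blocked_asns={48031}))
    print(classify(ip, SAMPLE_TXT, blocked_asns={48031}, allowed_relays={ip}))
```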




Blocking by country/ASN/IP/domain

2020-10-25 Thread Alex
Hi, I have a spamassassin-3.4.4 install with amavisd-2.12 and postfix
on fedora32 and would like to be able to block email from an entire
country on a per-user or per-domain basis. What is the best way to do
this?

I'm currently using the RelayCountry plugin and Amavis::Custom to add
an X-Relay-Countries header to each email, and have a series of rules
of the form:

header    RELAYCOUNTRY_JP X-Relay-Countries =~ /JP/
describe  RELAYCOUNTRY_JP Relayed through Japan
score     RELAYCOUNTRY_JP 0.1

I've also been considering blocking by ASN or IP, but I believe it
would be the same problem just presented in a different way.

How do I tie this into amavisd so that I can allow individual users to
control their own email? Perhaps this is done in a policy_bank?
Perhaps I would analyze the X-Relay-Countries header directly instead
of processing the resulting RELAYCOUNTRY_JP rule, for example?


RE: What can one do abut outlook.com?

2020-10-25 Thread Marc Roos


Are you guys working for Google or Amazon or so? Maybe I should give
some simple analogy so you understand.

If your neighbours washing machine breaks down, and causes you water
damage. They have to pay for cleaning up the mess they created in your
apartment. If the neighbour spills oil on your parkway, they have to 
clean it up.


Your reasoning resembles:

- the neighbour does have to use their washing machine every time, so I 
will just clean up their mess every time.
- it is only once of every 3 times the neighbour uses his washing 
machine, he floods my apartment, so that is ok.
- the neighbour has kids, they cannot be held responsible for dad to 
flood my apartment every week. So I will not ask the landlord to evict 
them. I will just clean up their mess every week year after year.
- the neighbour floods my apartment every week, I think I will teach him 
this week how to use the washing machine. 
- the neighbour floods my apartment every week, I think I will replace 
my wooden floor for some plastic foil.





 



Re: What can one do abut outlook.com?

2020-10-25 Thread Antony Stone
On Sunday 25 October 2020 at 17:05:26, Marc Roos wrote:

> Google, Amazon and Microsoft have billions of cash. It is indeed a
> wonder how they are not spending it on outgoing mail detection.

Why do they need to?

Customers use their services anyway, and are either:

a) spammers, in which case they're happy that the above does not happen, or

b) non-spammers, in which case they don't really care whether their outbound 
email is filtered, so long as it gets delivered.

In the (b) case, if there *were* filtering, any false positives (ie: legitimate 
emails which got blocked) would harm the provider's reputation and customer 
satisfaction.

Also in the (b) case, anyone who blocks email from the provider is "obviously" 
causing the problem themselves, and therefore doing themselves harm.

> Nobody was saying so. Best is to block just the ip addresses that you
> receive spam from.

How does that help?  Those providers don't set up different IP addresses for 
email from different customers.  Everyone's email (spammers and non-spammers) 
gets processed by the entire farm of outbound MTAs.

> if their ip addresses are randomly blocked by many other providers. All their
> queues will start using more resources bouncing around mails,

I doubt that is much of a concern for these size organisations.

> having to explain to their clients why sometimes a mail is sent and
> sometimes rejected,

Ha.  I don't think their support staff extend to that level of assistance.

> costs increase, thus more incentive to kick out spammers or spend more
> on prevention.

No.  Email is a cheap service to provide alongside all the other services 
they're charging their customers the real money for,

> > If you block something, you have to ask yourself: How many innocent,
> > unsuspecting legitimate senders
> 
> Who cares, these "unsuspecting legitimate senders" should take their
> business somewhere else.

I suspect you don't have any of them as customers.  Telling them to change 
their mail service provider is simply going to tell them to use another 
organisation instead of yours.  If you block their email you clearly don't 
want to do business with them.

> > If you block even one innocent sender as collateral damage, you should
> > not block that email provider, regardless how annoying it is.
> 
> What a non-sense. This is how spammers currently work, mix legitimate
> mail with spam. Just block ip's, it is not your fault they are sending
> you spam. Nobody can blame you, if you do not want to do the work that
> Amazon, Google and Microsoft should be doing.

Blocking IPs cannot work in a commercial environment (by which I mean, you 
want to receive emails from legitimate enquirers for your commercial 
services, or from existing customers).


Antony.

-- 
Atheism is a non-prophet-making organisation.

   Please reply to the list;
 please *don't* CC me.


Re: What can one do abut outlook.com?

2020-10-25 Thread Alex Woick




>> If you block something, you have to ask yourself: How many innocent,
>> unsuspecting legitimate senders
>
> Who cares, these "unsuspecting legitimate senders" should take their
> business somewhere else.

This is extremist. You are confusing offenders with victims. Fight 
offenders, not victims. Every single rule in the default SpamAssassin 
ruleset is targeted against offenders, not against victims. I propose 
you keep it that way. If you start to block everything that once sent 
spam, you end up blocking half of the internet. You have to accept this 
is an ongoing war against spammers, and every time you add a new rule to 
detect spam content, the spammers adapt and invent new ways to 
circumvent. You cannot go further than dnsbl with their automated and 
temporary blocks - if you start to block manually mail providers as some 
answer suggested, this is usually a permanent block and from then on a 
permanent nuisance for own customers who expect mail from outlook.com 
users and a permanent nuisance for remote customers who chose 
outlook.com as provider. A nuisance that is more severe than some 
undetected spam mail. You forgot: spam detection by content still works. 
Outlook.com is not on some whitelist.


Re: curl get fails; MIRRORED.BY claimed empty. But neither is really true

2020-10-25 Thread RW
On Sat, 24 Oct 2020 21:12:39 -0700
L A Walsh wrote:

> On 2020/10/18 09:22, L A Walsh wrote:
> > On 2020/10/17 15:58, RW wrote:
> > 
> >> Probably a networking problem at the time sa-update ran.
> >> status: 1792 decodes to a curl error code of 7 "Failed to connect
> >> to host".
> >> I suspect it's a bug that 1792 wasn't decoded.  
> 
> Reinstalled from CPAN...

It's not something I know much about, but some people on the list have
advised against installing from CPAN. These installs do seem to create a
disproportionate amount of problems compared with package installs.


RE: What can one do abut outlook.com?

2020-10-25 Thread Marc Roos



> all huge mail providers with thousands/millions of customers, so there
> is no wonder there is spam included.

Google, Amazon and Microsoft have billions of cash. It is indeed a
wonder how they are not spending it on outgoing mail detection.

> mail services to a mono-culture of single huge providers, but you cannot
> block them just for being huge providers.

Nobody was saying so. Best is to block just the ip addresses that you
receive spam from. Their network will reroute emails. But if their ip
addresses are randomly blocked by many other providers. All their queues
will start using more resources bouncing around mails, having to explain
to their clients why sometimes a mail is sent and sometimes rejected,
costs increase, thus more incentive to kick out spammers or spend more
on prevention.

> If you block something, you have to ask yourself: How many innocent,
> unsuspecting legitimate senders

Who cares, these "unsuspecting legitimate senders" should take their
business somewhere else.

> I'm blocking as well as the spammers? If
> you block even one innocent sender as collateral damage, you should not
> block that email provider, regardless how annoying it is.

What a non-sense. This is how spammers currently work, mix legitimate
mail with spam. Just block ip's, it is not your fault they are sending
you spam. Nobody can blame you, if you do not want to do the work that
Amazon, Google and Microsoft should be doing.




Re: What can one do abut outlook.com?

2020-10-25 Thread Alex Woick

> A regular source of spam is outlook.com; or at least that is the
> domain that delivered the junk to my domain.

Outlook.com is a legitimate email provider and not known for ignoring 
reports. If you block outlook.com, you have to block google.com for the 
same reason. And everything sent through amazon web services. These are 
all huge mail providers with thousands/millions of customers, so there 
is no wonder there is spam included.


For me, the regular SpamAssassin rules detect and classify spam sent 
through outlook.com very well, so there is no use in completely 
blocking major mail providers. All this is the result of concentrating 
mail services to a mono-culture of single huge providers, but you cannot 
block them just for being huge providers.
If you block something, you have to ask yourself: How many innocent, 
unsuspecting legitimate senders I'm blocking as well as the spammers? If 
you block even one innocent sender as collateral damage, you should not 
block that email provider, regardless how annoying it is. Instead, build 
custom rules to filter the spam by text content.


Alex


Re: curl get fails; MIRRORED.BY claimed empty. But neither is really true

2020-10-25 Thread Kevin A. McGrail
This sounds like a path issue and you have two versions of SA installed.
One perhaps from a package manager like yum or apt and another from cpan.
Your root installation likely has a different path, hence the discrepancy.
And sa-update writes to /var/lib/spamassassin by default so likely a
non-privileged user can't overwrite the MIRRORED.BY file.

Hope this helps.

Regards,
KAM
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sun, Oct 25, 2020 at 12:13 AM L A Walsh  wrote:

> On 2020/10/18 09:22, L A Walsh wrote:
> > On 2020/10/17 15:58, RW wrote:
> >
> >> Probably a networking problem at the time sa-update ran.
> >> status: 1792 decodes to a curl error code of 7 "Failed to connect to
> >> host".
> >> I suspect it's a bug that 1792 wasn't decoded.
> 
> Reinstalled from CPAN...getting same  _verbiage_  but isn't true.
>
>
> dbg info (slightly trimmed) vs. "reality":
> 3:06:28 [77] dbg: channel: protocol family available: inet; force inet
> 3:06:28 [77] dbg: channel: --refreshmirrors used, forcing mirrors file
> refresh on channel updates.spamassassin.org
> 3:06:28 [77] dbg: channel: DNS lookup on mirrors.updates.spamassassin.org
> 3:06:29 [77] dbg: http: url:
> http://spamassassin.apache.org/updates/MIRRORED.BY
> 3:06:29 [77] dbg: http: downloading to:
> /var/lib/spamassassin/3.004004/updates_spamassassin_org/MIRRORED.BY,
> replace
> 3:06:29 [77] dbg: util: executable for curl was found at /usr/bin/curl
> 3:06:29 [77] dbg: http: /usr/bin/curl -s -L -O --remote-time -g
> --max-redirs 2 --connect-timeout 30 --max-time 300 --fail -o MIRRORED.BY
> -4 -- http://spamassassin.apache.org/updates/MIRRORED.BY
> 3:06:29 [77] dbg: channel: no mirror data available for channel
> updates.spamassassin.org from
> http://spamassassin.apache.org/updates/MIRRORED.BY
> error: unable to refresh mirrors file for channel
> updates.spamassassin.org, using old file
>
> error: no mirror data available for channel updates.spamassassin.org
> channel: MIRRORED.BY file contents were missing, channel failed
>
> --
> Looking in the download dir:
> /var/lib/spamassassin/3.004004/updates_spamassassin_org, I see MIRRORED.BY
> with 1401 bytes in it (not empty).
>
> There i tried d/l w/wget -- worked fine -- actually said file on server was
> not newer than local copy, so it didn't d/l it (FWIW, I'm not going
> through a
> proxy).
>
> Then I tried curl.  It worked as well (exit status of 0).  Just to ensure
> it
> really was downloading the file, I tried same command but in a tmp dir and
> it downloaded the same file (1401 bytes), status=0.
>
> *cough*...just tried it again now rerunning sa-update as root
> curl is working but am getting a version mismatch:
>
> ===
> Oct 24 20:54:45.081 [97694] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::VBounce, already registered
> Oct 24 20:54:45.082 [97694] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::ImageInfo, already registered
> Oct 24 20:54:45.082 [97694] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::Rule2XSBody, already registered
> Oct 24 20:54:45.082 [97694] dbg: plugin: loading
> Mail::SpamAssassin::Plugin::AskDNS from @INC
> config: configuration file
> "/tmp/.spamassassin97694UzqVBBtmp/20_advance_fee.cf" requires version
> 3.004000 of SpamAssassin, but this is code version 3.004004. Maybe you
> need to use the -C switch, or remove the old config files? Skipping this
> file at /usr/lib/perl5/site_perl/5.16/Mail/SpamAssassin/Conf/Parser.pm
> line 408.
> config: configuration file
> "/tmp/.spamassassin97694UzqVBBtmp/20_advance_fee.cf" requires version
> 3.004000 of SpamAssassin, but this is code version 3.004004. Maybe you
> need to use the -C switch, or remove the old config files? Skipping this
> file
> Oct 24 20:54:45.097 [97694] dbg: config: cleared tld lists
> -
>
> The current version on CPAN seems to be 3.4.4 -- where in my config
> would it be saying to use the 3.4.0 ruleset?
>
>
> Thanks again *sigh*
>


Re: What can one do abut outlook.com?

2020-10-25 Thread Matus UHLAR - fantomas

On 24.10.20 22:19, Juerg Reimann wrote:

This is what I did, it works a 100% :).

outlook.com   REJECT Too much spam from outlook.com, please use another email service.


OTOH, outlook.com responds to mail sent to the abuse@ address, assuring you it has
been dealt with, while gmail does not.

Of course, I can't be sure if they really dealt with it (nor if gmail
didn't).


-Original Message-
From: John 
Sent: Saturday, October 24, 2020 9:31 PM
To: users@spamassassin.apache.org
Subject: What can one do abut outlook.com?

A regular source of spam is outlook.com; or at least that is the
domain that delivered the junk to my domain.  I am tempted to block
them but a number of universities with whom I have connections seem to
have outsourced mailing to outlook.  I complain regularly (daily) but
all I ever see as a result is a standard "We got your mail" and
pointing me to a web page if I need more help; said page assumes the
reader is inside outlook and getting mail from outside.

What do people do about them?  Do I lie and say I trust them?  or
should I just continue to block parts of their spam-network?  I cannot
be the only one with this problem!

==John ffitch




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.


Re: What can one do abut outlook.com?

2020-10-25 Thread Martin Gregorie
On Sat, 2020-10-24 at 16:46 -0700, John Hardin wrote:
> ...and then whitelist specific desirable-correspondent outlook.com
> addresses.
> 
It's easy enough to create a list of all desirable correspondents, at least
if your MTA has the equivalent of Postfix's 'always_bcc' directive.

I use this to send a copy of all outbound mail to a local mailbox. Then
periodically a cronjob scans and erases the mailbox content, adding the
To: address(es) to a list of correspondents. IME this is safe because
it's quite unlikely that you'll ever need to blacklist anybody you've
sent mail to.

In my case I keep the correspondents list in a database. I use a custom
Perl SA module to access the database and a CORRESPONDENTS_LIST rule to
trigger it and add negative points to incoming email with a
matching From: address.

I also have a tool for weeding undesirables from the correspondent list
because spamming addresses can creep onto the list, but it's very
infrequently needed.

Martin
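
The harvesting step described in the message above, as an added example that is not Martin's code (his is a Perl module backed by a database and is not shown on the page). It assumes the always_bcc copy lands in an mbox file and uses SQLite; the table name, file name and function names are hypothetical, and the sample messages are constructed.

```python
import email.utils
import mailbox
import os
import sqlite3
import tempfile
from email.message import EmailMessage


def harvest(mbox_path, db):
    """Add each To: address in the always_bcc mailbox to the list, then empty it."""
    db.execute("CREATE TABLE IF NOT EXISTS correspondents (addr TEXT PRIMARY KEY)")
    box = mailbox.mbox(mbox_path)
    box.lock()  # the MTA may be delivering while the cron job runs
    try:
        for key, msg in box.items():
            # One header can carry several recipients, with display names
            for _name, addr in email.utils.getaddresses(msg.get_all("To", [])):
                if "@" in addr:
                    db.execute("INSERT OR IGNORE INTO correspondents VALUES (?)",
                               (addr.lower(),))
            box.remove(key)
        db.commit()  # store the addresses before the copies are erased
        box.flush()  # rewrite the mailbox without the processed messages
    finally:
        box.unlock()
    box.close()


def is_correspondent(db, from_header):
    """True if the From: address of an incoming mail is on the list."""
    _name, addr = email.utils.parseaddr(from_header)
    return db.execute("SELECT 1 FROM correspondents WHERE addr = ?",
                      (addr.lower(),)).fetchone() is not None


def demo():
    """Build a constructed outbound-copy mailbox, harvest it, return (db, left)."""
    path = os.path.join(tempfile.mkdtemp(), "outbound-copy.mbox")
    box = mailbox.mbox(path)
    for to in ("Alice Example <Alice@Example.EDU>, bob@example.net",
               "alice@example.edu"):
        msg = EmailMessage()
        msg["From"], msg["To"] = "me@example.org", to
        msg.set_content("constructed sample message")
        box.add(msg)
    box.close()  # close() flushes the messages to disk
    db = sqlite3.connect(":memory:")
    harvest(path, db)
    return db, len(mailbox.mbox(path))
```

Addresses are lower-cased on both insert and lookup, so a From: header that differs only in case or display name still matches the stored entry.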
 




Re: What can one do abut outlook.com?

2020-10-25 Thread John Capo
On Sat, October 24, 2020 16:33, Benny Pedersen wrote:
> John skrev den 2020-10-24 21:30:
>
>> A regular source of spam is outlook.com;
>>
>
> does spamassassin say it is not spam?
>
> in that case:
>
> blacklist_from *@outlook.com
>
> if it contains urls, are these urls unlisted?
>
> I see low scoring spams as well, and I add it to local rules to stop it

Spamassassin rules and scores from the Bogofilter bayes classifier work well
against the kind of spam that I see from Outlook. I would think that the bayes
classifier in Spamassassin would work well also.

John Capo