Re: Question about sa-updates

2024-06-21 Thread David B Funk

On Sat, 22 Jun 2024, Paul Schmehl wrote:


  On Jun 22, 2024, at 12:28 AM, Kenneth Porter wrote:

On 6/21/2024 8:56 PM, Paul Schmehl wrote:
  I scratched my head, then looked up the man page for sa-update on the 
web. Sure enough, that’s where the rules
  go. Is that where my local.cf file should be located? Right now it’s in 
/etc/mail/spamassassin. There’s a default
  local.cf file in /var/lib/…..


/var/lib/spamassassin is where channels put their rules. /etc/mail/spamassassin 
is where the host admin puts her
customizations. I like to use separate files for different policies, named 
after each effect I'm trying to get. SA will load
anything there with a .cf extension.

It’s not clear to me from your answer. Does SA read rules in both places? Or 
only in /etc/mail/spamassassin/? 



Reading the "man" page documentation for spamassassin, it lists several 
different directories that SA looks for its config files in and the order that 
it reads them from.


The possible directories are distro and version specific so you need to read the 
docs for your specific instance.



--
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Order of handling whitelist/blacklist

2024-03-28 Thread David B Funk

On Thu, 28 Mar 2024, Philip Prindeville via users wrote:





On Mar 28, 2024, at 2:39 AM, Matus UHLAR - fantomas  wrote:

On 27.03.24 20:56, Philip Prindeville via users wrote:

I have something that looks like:

whitelist_from_rcvd v...@yandex.ru vger.kernel.org

blacklist_from *@yandex.ru

And I only ever seem to see the 2nd rule being hit, but not the first.



[snip..]



My config also has:

trusted_networks 192.168.6.0/24
trusted_networks 192.168.8.0/24
trusted_networks 127.0.0.1/32

So I don't think that's the problem.

What are some steps to troubleshoot how the white/black-listing is happening?


whitelist_from_rcvd requires SA to 'see' the envelope from address.
Depending on how you have SA glued into your MTA that may not be happening and 
may require particular configurations.


Try creating an entry for a known good address and see if it fires.

If that source properly DKIM or SPF signs its messages it may be easier to use 
'whitelist_auth' instead of whitelist_from_rcvd.


It's also less of a maintenance headache, as whitelist_from_rcvd must have the proper 
DNS names of their exit-point SMTP servers and in Cloud land that can change 
without notice.



Re: Scoring Explanation Please

2023-08-30 Thread David B Funk

Denny,

If you read the fine manual for the spamassassin configuration file, in section 
for 'score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]'


You'll see:

   If only one valid score is listed, then that score is always used for a test.

   If four valid scores are listed, then the score that is used depends on how 
SpamAssassin is being used. The first score is used when both Bayes and network 
tests are disabled (score set 0). The second score is used when Bayes is 
disabled, but network tests are enabled (score set 1). The third score is used 
when Bayes is enabled and network tests are disabled (score set 2). The fourth 
score is used when Bayes is enabled and network tests are enabled (score set 3).


So when there are four score values it will use the one relevant to your SA's 
operating condition.


EG: if the rule is sensitive to the presence of network type tests, such as 
DNSRBLs, the score can be adjusted accordingly.



On Wed, 30 Aug 2023, Denny Jones via users wrote:


Hello,

I have looked high and low and can't find an explanation for multi-level 
scoring:

score SCC_CANSPAM_2    3.799    0.001    3.799    0.00

What does this mean?

In my simplistic way of doing things I would write this as:

score SCC_CANSPAM_2 3.799

Thanks for helping clear the mud in my mind!

Denny







Re: OT - Re: DNFTEC - was My apologies

2023-08-05 Thread David B Funk

On Sat, 5 Aug 2023, Grant Taylor via users wrote:


On 8/5/23 6:42 PM, Martin Gregorie wrote:

Yes given that he is


Sorry, I was asking for differences between Energy Creatures and Trolls.

I agree with your advice about the particular EC / T.

I'm still trying to understand the conceptual difference between an EC and a 
T or if they are synonyms for the same type of individual.


For the most part they can be pretty much interchangeable but slight shading:

EC -> alignment: neutral/chaotic
T -> alignment: evil

IE an EC can be unpredictable and occasionally positive but at a cost; 
a T is pretty predictably undesirable.

Just my U$0.02, YMMV


Re: Really hard-to-filter spam

2023-08-02 Thread David B Funk

On Wed, 2 Aug 2023, Thomas Cameron via users wrote:

Thank you very much. The message that slipped through today was NOT one of 
the ones being discussed in this thread, it was a different format and 
totally different message. I only included it to demonstrate that my server 
was not being rejected for queries as the blocked user intimated. I will dig 
deeper into the --magic and make sure I'm feeding Bayes with spam and ham.


Regardless, if a message has never been seen before and has little correlation 
to earlier messages its Bayes should hit someplace in the 40% to 60% range.


The fact that it hit 00% indicates a strong correlation to lots of ham (or 
something is screwy with your Bayes).





Re: Really hard-to-filter spam

2023-07-27 Thread David B Funk

On Fri, 28 Jul 2023, Jared Hall wrote:


On 7/27/2023 12:08 PM, Ken D'Ambrosio wrote:
Hey, all. I've recently started getting spam that's really hard to deal 
with, and I'm open to suggestions as to how to approach it. Superficially, 

[snip..]
The damn body's been encoded!  And there's so little in there that it's not 
triggering on many rules (e.g., Bayesian doesn't go over 20%).  If anyone 
has a bright idea -- maybe a way to decode the attachments and run a regex 
against _that_? -- I'm all ears.




1.  There are milters/content-filters that decode Base64 message parts 
(amavisd-new, mimedefang, etc) for processing by SA.
2.  There are still sufficiently unique items: First-Name-Only, Mixed-Case 
word in the Subject (NLP modeling), and a Base-64 encoded HTML attachment (w/ 
UTF-8 encoding no less).  Combined in a Meta rule, these innocuous items will 
likely hit with good accuracy even without Base64 decoding.


Umm, unless I'm really missing something here the usual SA processing decodes 
such body stuff (QP, Base64, etc) and feeds the "cleaned" text to the rule 
processing engine.


You have to work hard to get matches done on the raw stuff if you want to do 
special rule matching on the un-decoded body.




Re: Ensuring SPF/DKIM for @gmail.com

2023-07-25 Thread David B Funk



If you do that you will guarantee yourself to get bunches of spam that might 
otherwise be tagged by SA.


the "welcomelist" mechanism says:
 Anybody who matches this criteria we consider strongly not to be spam 
(regardless of how spammy all the other metrics may say it is).


You should "welcomelist" stuff that you want to guarantee passage of, regardless 
of all other considerations.


Given that Google:
a) SPF & DKIMs all the stuff that comes out of their system
b) has lots of spammers who have Gmail accounts and spew spam from them.
c) does not seem to care two hoots about (b) and lets (b) happen even in the
  case of reports.

So if you do those lines (or the more all-encompassing 'welcomelist_auth' form) 
you guarantee those spammers a free ride into your system.


Now if you want to find those critters that forge "n...@gmail.com" as a sender
you'll need to create a custom rule set:
1) a non-scoring rule that fires when from == "@gmail.com"
2) a 'meta rule' that says if-from-gmail && not DKIM_VALID then give 
it a spam score


DKIM_SIGNED is a standard SA rule that detects a properly valid DKIM or DK 
signature.



On Tue, 25 Jul 2023, J Doe wrote:


Hi,

I am currently using SpamAssassin 4.0.0 and I had a question on how I can 
ensure that any e-mail from @gmail.com has a valid SPF and DKIM signature.


I am aware that the following can be easily fooled, because it is not 
checking SPF and DKIM:


   welcomelist_from *@gmail.com

... so to ensure valid SPF and DKIM, I believe I would need:

   welcomelist_from_spf  *@gmail.com
   welcomelist_from_dkim *@gmail.com

... or *two* entries.

Is that correct ?

Thanks,

- J






Re: Sudden surge in spam appearing to come from my email address

2023-07-14 Thread David B Funk



Assuming you own/manage your infrastructure it should be straight-forward.

Create SPF records for your domain & SMTP server, set them to either soft or 
hard fail mode.

If you can, also set up DKIM signing of your outgoing mail.

Then create rules that look for your from address in a message and a meta 
which says "if from me & DKIM-fail/SPF-fail hit it hard"


If you can work with the SPF hard fail you will also help to improve your net 
reputation as spammers will have a harder time trying to "Joe Job" you.



On Fri, 14 Jul 2023, Thomas Cameron wrote:


All -

I am suddenly getting hammered by a BUNCH of spam that appears to be from me. 
It scores low, and even though I keep feeding it to Bayes, it's still not 
hitting the threshold to be marked as spam.


When I check the headers, it's coming from multiple random email servers, but 
many appear to originate from hotmail/outlook.com. So from outlook.com, 
through some unsecured email server, then to my server.


I'm trying to figure out how to block this stuff. Something like "if it 
appears to come from me, but it's not actually coming from my email server," 
block it. I don't necessarily think this is a job for SA, but if there's a 
rule I can tweak or a setting I can change, I'm all ears.


Thanks,
Thomas




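As an added example, not from either of the two posts above and not a stock SpamAssassin rule set, the following local.cf fragment implements the pattern described in both the @gmail.com question and the "mail that appears to come from me" thread: a non-scoring rule records what domain the From: header claims, and a meta rule scores when the authentication that domain always provides is absent. It assumes the site's own domain is example.org with an SPF record and DKIM signing already published; the rule names, scores, and the choice of the stock DKIM_VALID_AU, SPF_PASS and ALL_TRUSTED rules are my own.

```conf
# Added example: local.cf fragment (not from the thread). Assumes this host's
# own domain is example.org; rule names and scores are illustrative choices,
# not SpamAssassin defaults.

# 1) Non-scoring rules (leading "__") that only record which domain the
#    From: header claims. ":addr" makes SA parse out the bare address part.
header   __FROM_GMAIL      From:addr =~ /\@gmail\.com$/i
header   __FROM_MY_DOMAIN  From:addr =~ /\@example\.org$/i

# 2) Meta rules: the claim is present but the authentication that Google
#    (and, once published, example.org) always provides is not.
#    DKIM_VALID_AU is the stock rule that fires only when a signature verifies
#    AND its d= domain aligns with the From: author domain; a bare DKIM_VALID
#    would also be satisfied by a valid signature from some unrelated domain.
meta     GMAIL_NO_AUTH     __FROM_GMAIL && !DKIM_VALID_AU
describe GMAIL_NO_AUTH     Claims a gmail.com From: but has no aligned valid DKIM signature
score    GMAIL_NO_AUTH     3.0

# For our own domain accept either aligned DKIM or an SPF pass. The
# !ALL_TRUSTED clause skips mail that arrived entirely through our own
# trusted_networks (e.g. submitted by a local user and scanned before the
# outbound signer has touched it); drop it if SA only sees inbound mail.
meta     MY_DOMAIN_FORGED  __FROM_MY_DOMAIN && !(DKIM_VALID_AU || SPF_PASS) && !ALL_TRUSTED
describe MY_DOMAIN_FORGED  Claims our own domain in From: but passes neither DKIM nor SPF
score    MY_DOMAIN_FORGED  6.0

# Sanity check before deploying: "spamassassin --lint" must print nothing, and
# "spamassassin -t < forged-sample.eml" should list MY_DOMAIN_FORGED in its report.
```

The scores are starting points: run a saved ham corpus through `spamassassin -t` first, because any legitimate third party that sends on your behalf without being in your SPF record or signing with your key will hit MY_DOMAIN_FORGED exactly like a Joe Job does.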


Re: SpamAssassin repeatedly fails to start

2023-07-12 Thread David B Funk

On Wed, 12 Jul 2023, Wingfully Team via users wrote:


Hi,

I’m using SpamAssassin 3.4.0 on a VPS hosted by Hostinger with CentOS 7. 
CyberPanel was installed by Hostinger.

I am constantly (every 90 seconds) seeing spamassassin fail to start, seemingly 
because it can’t find the PID file. I’m sending and receiving emails fine (it 
seems), but this is not only filling up logs/disk space, I’m also worried 
something else is misconfigured which could potentially be causing other 
problems. Here are the logs from /var/log/messages:

Jul 12 23:14:02 wingfully systemd: spamassassin.service start operation timed 
out. Terminating.
Jul 12 23:14:02 wingfully systemd: Unit spamassassin.service entered failed 
state.
Jul 12 23:14:02 wingfully systemd: spamassassin.service failed.
Jul 12 23:14:02 wingfully systemd: spamassassin.service holdoff time over, 
scheduling restart.
Jul 12 23:14:04 wingfully systemd: Can't open PID file /run/spamassassin.pid 
(yet?) after start: No such file or directory
Jul 12 23:15:32 wingfully systemd: spamassassin.service start operation timed 
out. Terminating.
Jul 12 23:15:33 wingfully systemd: Unit spamassassin.service entered failed 
state.
Jul 12 23:15:33 wingfully systemd: spamassassin.service failed.
Jul 12 23:15:33 wingfully systemd: spamassassin.service holdoff time over, 
scheduling restart.
Jul 12 23:15:34 wingfully systemd: Can't open PID file /run/spamassassin.pid 
(yet?) after start: No such file or directory

Here’s the output from systemctl status spamassassin -l

● spamassassin.service - Spamassassin daemon
  Loaded: loaded (/usr/lib/systemd/system/spamassassin.service; enabled; vendor 
preset: disabled)
 Drop-In: /etc/systemd/system/spamassassin.service.d
  └─override.conf
  Active: activating (start) since Wed 2023-07-12 23:29:07 EDT; 1min 5s ago
 Process: 5193 ExecStart=/usr/bin/spamd --pidfile /var/run/spamd.pid 
$SPAMDOPTIONS (code=exited, status=0/SUCCESS)
 Process: 5191 ExecStartPre=/sbin/portrelease spamd (code=exited, 
status=0/SUCCESS)
  CGroup: /system.slice/spamassassin.service
  ├─5198 /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m5 -
  ├─5199 spamd chil
  └─5200 spamd chil

Jul 12 23:29:07 wingfully.host systemd[1]: Stopped Spamassassin daemon.
Jul 12 23:29:07 wingfully.host systemd[1]: Starting Spamassassin daemon...
Jul 12 23:29:07 wingfully.host spamd[5193]: logger: removing stderr method
Jul 12 23:29:09 wingfully.host spamd[5198]: spamd: server started on 
IO::Socket::IP [127.0.0.1]:783, IO::Socket::IP [::1]:783 (running version 3.4.0)
Jul 12 23:29:09 wingfully.host spamd[5198]: spamd: server pid: 5198
Jul 12 23:29:09 wingfully.host systemd[1]: Can't open PID file 
/run/spamassassin.pid (yet?) after start: No such file or directory
Jul 12 23:29:09 wingfully.host spamd[5198]: spamd: server successfully spawned 
child process, pid 5199
Jul 12 23:29:09 wingfully.host spamd[5198]: spamd: server successfully spawned 
child process, pid 5200
Jul 12 23:29:09 wingfully.host spamd[5198]: prefork: child states: IS
Jul 12 23:29:09 wingfully.host spamd[5198]: prefork: child states: II

I can’t seem to figure this out. Does anyone knows what’s going on?

Thanks,
Matt


spamd & systemd aren't agreeing on where the PID file is.

look at spamd argument list:
 /usr/bin/spamd --pidfile /var/run/spamd.pid

Note that "/var/run/" part.
Systemd is barking about not finding: "Can't open PID file 
/run/spamassassin.pid"

So either change spamd arguments or the systemd spamassassin override.conf file so 
they agree on where the silly '.pid' file is going to live.


Note; do NOT change the spamassassin.service file (the next system update will 
overwrite your changes). Put your customizations in the 
/etc/systemd/system/spamassassin.service.d/override.conf file


Then make sure it actually ends up there.

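An added example of the drop-in file the reply above recommends (my own text, not from the thread or from any distribution package). It assumes what the status output shows: a Type=forking unit whose PIDFile is /run/spamassassin.pid while ExecStart passes --pidfile /var/run/spamd.pid, on CentOS 7 where /var/run is a symlink to /run, so the only disagreement is the file name.

```conf
# Added example: /etc/systemd/system/spamassassin.service.d/override.conf
# (not from the thread). Only the pieces that differ from the packaged unit
# go here; "systemctl cat spamassassin" must show this file after the unit.

# Option 1 (smallest change): tell systemd to wait for the file spamd
# actually writes. /var/run and /run are the same directory on CentOS 7.
[Service]
PIDFile=/run/spamd.pid

# Option 2 (if you prefer to keep the unit's PIDFile): replace ExecStart so
# spamd writes where systemd already looks. A drop-in must first clear the
# inherited value with an empty assignment, otherwise systemd refuses the
# second ExecStart line for a non-oneshot service.
#[Service]
#ExecStart=
#ExecStart=/usr/bin/spamd --pidfile /run/spamassassin.pid $SPAMDOPTIONS

# Apply and verify; the 90-second restart loop in /var/log/messages stops
# once "Active:" reads "active (running)" instead of "activating (start)".
#   systemctl daemon-reload
#   systemctl restart spamassassin
#   systemctl cat spamassassin | grep -iE 'pidfile|ExecStart'
#   systemctl status spamassassin -l
```

Use one option, not both: with both uncommented systemd would wait for /run/spamd.pid while spamd writes /run/spamassassin.pid, which recreates the original mismatch in reverse.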

Re: comparing sender domain against recipient domain

2023-05-11 Thread David B Funk



what useful information would you be looking for from this kind of comparison?
All the time I receive mail from people with non-local domains and regularly 
receive e-mail from co-workers using the same domain as me.


The kind of things that might be useful are:
1) detecting local-domain forgeries (IE if you have DKIM/SPF, etc and the 
message appears to be from your domain but fails those checks)
2) examining the "comment" part of the From: address to see if it contains a 
misleading 'domain-like' text.

EG: From: "b...@my.domain.org" 


On Thu, 11 May 2023, Marc wrote:


I was wondering if spamassassin is applying some sort of algorithm to comparing 
sender domain against recipient domain to detect a phishing attempt?




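The second kind of check the reply mentions, a From: whose display name carries a misleading domain-like string, as an added example written for this page (not from the thread and not a stock SpamAssassin rule). It assumes the site's own domain is example.org; rule names and scores are illustrative.

```conf
# Added example (not from the thread): catch lookalike From: headers such as
#   From: "bob@example.org" <bob.example.org.mail@freemail.invalid>
# where the display name shows our domain but the real address is elsewhere.
# Assumes our domain is example.org; names and scores are mine.

# ":name" gives SA the display-name part of From:, ":addr" the bare address.
header   __FROM_NAME_HAS_OUR_DOM  From:name =~ /\bexample\.org\b/i
header   __FROM_ADDR_IS_OUR_DOM   From:addr =~ /\@example\.org$/i
header   __FROM_NAME_HAS_AT       From:name =~ /\S+\@\S+\.\S+/

# Strong signal: display name claims our domain, address does not.
meta     FROM_NAME_SPOOFS_OUR_DOM __FROM_NAME_HAS_OUR_DOM && !__FROM_ADDR_IS_OUR_DOM
describe FROM_NAME_SPOOFS_OUR_DOM Display name mentions our domain but the address is elsewhere
score    FROM_NAME_SPOOFS_OUR_DOM 4.0

# Weaker, more general signal: the display name is itself an e-mail address.
# Mail clients show the display name prominently, so this is the usual way
# to make an outside sender look like someone the reader already knows.
# Some legitimate systems do set name = address, hence the low score.
meta     FROM_NAME_IS_ADDRESS     __FROM_NAME_HAS_AT && !__FROM_ADDR_IS_OUR_DOM
describe FROM_NAME_IS_ADDRESS     Display name is itself an e-mail address
score    FROM_NAME_IS_ADDRESS     1.0

# Check: spamassassin --lint; then spamassassin -t < sample.eml and confirm
# the rule names appear in the "tests=" list of X-Spam-Status.
```

Run a week of ham through `spamassassin -t` before raising either score; helpdesk and ticketing systems are the usual source of address-as-display-name mail.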


Re: Rule Help - not sure what is wrong with my syntax

2023-01-13 Thread David B Funk

On Sat, 14 Jan 2023, Benny Pedersen wrote:


Benny Pedersen skrev den 2023-01-14 03:59:

header TO_SPECIFIC_DOMAIN To:addr =~ /\@(test|junc)\.(com|net|eu)$/
describe TO_SPECIFIC_DOMAIN Mail sent to test.com or test.net email addresses
score TO_SPECIFIC_DOMAIN -0.5

tested works if i mail myself :=)


Benny,

Does it work if you mail To: 
Note that having an '>' character at the end of an address is valid if it has a 
matching '<' but that should fail your "(com|net|eu)$/" test because of the 
anchoring '$'





Re: How do I check for a jpeg attachment?

2022-10-03 Thread David B Funk

On Mon, 3 Oct 2022, Loren Wilton wrote:

I'm getting a bunch of spams from fake gmail accounts that consist of one 
short line of text and a 2 MB jpg file.

The subject and body text are pretty much random beyond that.

How do I check for the following?

--e345f305ea2680cd
Content-Type: image/jpeg; name="MMM.jpg"
Content-Disposition: attachment; filename="MMM.jpg"
Content-Transfer-Encoding: base64
Content-ID: 
X-Attachment-Id: f_l8t6clr50

I want to match on /^Content-Type: image\/jpeg;/ but I can't figure out how 
to do that. rawbody doesn't seem to work.


Use the specific 'mimeheader' rule type:

# mimeheader rules match against the MIME part headers, which 'body'/'rawbody' do not see
mimeheader L_IMAGE3e  Content-Type =~ m!image/jpe?g;!i
describe   L_IMAGE3e  Has JPG image attachment
score      L_IMAGE3e  0.2






Re: Aw: Re: info: dns: bad dns reply: bgread: recv() failed

2022-09-29 Thread David B Funk

On Thu, 29 Sep 2022, Maurizio Caloro wrote:


First let me thanks for your quick help, yes now are running:-)

mistake:
named.conf.options
  -listen-on { A.B.C.D, localhost; };
  +listen-on { any; };
After this, the error in Spamd.log disapper, greate!


Your mistake is that 'localhost', you need to have a real IP address there.
use '127.0.0.1' instead of localhost in that listen-on statement, and also use 
';' for component separators, not ','


IE
  listen-on { A.B.C.D; 127.0.0.1; };

the key-word 'any' means to discover and bind to all possible interfaces on the 
machine.




but now i see in main.log, this message:
Sep 29 21:15:05 nmail postfix/smtp[26109]: warning: DNSSEC validation may be 
unavailable
Sep 29 21:15:05 nmail postfix/smtp[26109]: warning: reason: dnssec_probe 'ns:.' 
received a response that is not DNSSEC validated

i see this as warning, and i think i dont need intervention here?


If you want your postfix to be able to validate DNSSEC signed DNS replies you 
need to set up DNSSEC infrastructure. (postfix issue, not spamd).





Re: info: dns: bad dns reply: bgread: recv() failed

2022-09-28 Thread David B Funk

On Thu, 29 Sep 2022, Matus UHLAR - fantomas wrote:

[snip..]
/usr/local/share/perl/5.28.1/Mail/SpamAssassin/DnsResolver.pm line 742, 
 line 189.
Wed Sep 28 21:46:55 2022 [9418] info: dns: bad dns reply: bgread: recv() 
failed: Connection refused at 
/usr/local/share/perl/5.28.1/Mail/SpamAssassin/DnsResolver.pm line 742.


That looks like BIND or a packet filter refusing the query packet or 
possibly a case of failed fallback to TCP when a reply was too big for UDP.


Are you certain that BIND is configured to do recursion for 127.0.0.1 and 
doesn't have anything blocking port 53 for both UDP and TCP?




root@nmail:/var/log# cat /etc/resolv.conf
nameserver 127.0.0.1


sure it is BIND running on localhost?

sudo netstat -unlpe


bind9 running
Sep 28 21:45:49 nmail named[12447]: zone 127.in-addr.arpa/IN: loaded 
serial 1
Sep 28 21:45:49 nmail named[12447]: zone 255.in-addr.arpa/IN: loaded 
serial 1
Sep 28 21:45:49 nmail named[12447]: zone domain.nmail/IN: 
sig-re-signing-interval less than 3 * refresh.
Sep 28 21:45:49 nmail named[12447]: zone domain.nmail/IN: loaded serial 1 
(DNSSEC signed)
Sep 28 21:45:49 nmail named[12447]: zone 190.120.37.in-addr.arpa/IN: 
loaded serial 1

Sep 28 21:45:49 nmail named[12447]: zone localhost/IN: loaded serial 2
Sep 28 21:45:49 nmail named[12447]: all zones loaded
Sep 28 21:45:49 nmail named[12447]: running
Sep 28 21:45:49 nmail named[12447]: zone domain.nmail/IN: reconfiguring 
zone keys
Sep 28 21:45:49 nmail named[12447]: zone domain.nmail/IN: next key event: 
28-Sep-2022 22:45:49.345


Does:
  dig @localhost google.com

get you a valid answer or does it give you an error message:

dbfunk@a-lnx000:bin> dig @localhost google.com

; <<>> DiG 9.11.2 <<>> @localhost google.com
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

If you get that kind of an error message that tends to indicate that either your 
bind is not configured to listen on 'localhost' or there's some strange firewall 
issue going on.


locate your bind's "named.conf" file and look for a "listen-on" parameter.
It should contain the value "any" or explicitly list the various appropriate 
addresses, including the "127.0.0.1" localhost address.




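The named.conf options block that the two DNS threads above converge on, written out as an added example (my text, not from either message and not a BIND default). A.B.C.D stands for the machine's real interface address exactly as in the messages; the example assumes, as the named log shows, that this BIND also serves authoritative zones, so queries are allowed from anywhere but recursion is limited to the local host that spamd runs on.

```conf
# Added example (not from the thread): options{} for a BIND that answers
# SpamAssassin's DNSBL/DNSWL lookups on the same host. A.B.C.D is the
# machine's public interface address, as in the messages above.
options {
    # Bind 127.0.0.1 explicitly: BIND does not take the word "localhost"
    # here, and list entries are separated by ';', not ','.
    listen-on port 53    { 127.0.0.1; A.B.C.D; };
    listen-on-v6 port 53 { ::1; };

    # "listen-on { any; }" also makes the "connection refused" go away, but
    # combined with unrestricted recursion it leaves an open resolver that
    # anyone on the Internet can use for reflection/amplification attacks.
    # So: answer authoritative queries from anywhere (this box hosts zones),
    # but recurse only for the local resolver clients such as spamd.
    recursion yes;
    allow-query     { any; };
    allow-recursion { 127.0.0.1; ::1; };
};

# Checks after "rndc reload" (or a restart of named):
#   dig @127.0.0.1 google.com          # an answer, not "no servers could be reached"
#   dig @127.0.0.1 +tcp google.com     # TCP must work too: large replies fall back from UDP
#   dig @127.0.0.1 2.0.0.127.zen.spamhaus.org   # Spamhaus' documented test entry;
#                                               # a listing comes back as 127.0.0.x
#   dig @A.B.C.D google.com            # should be REFUSED: recursion is closed from outside
```

If the last check returns an answer instead of REFUSED, the allow-recursion list is wider than intended; fix that before anything else, since an open resolver tends to end up on the same blocklists spamd is querying.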


Re: Emails from gmail.com bypassing Spamassassin scoring

2022-02-07 Thread David B Funk

How big was the message? (attached images can be pretty big).

Depending on the "glue" you use to connect your mail MTA to SA, it may have some 
kind of size restriction.


For example, the 'spamc' client has a 'max-size' parameter (which defaults to 
500KB). Any message larger than that size will not be passed to SA (IE it will 
skip scanning).


Does your MTA log the SA processing? Can you see any logged errors associated 
with that particular message?


On Mon, 7 Feb 2022, Chad wrote:


All of the other emails that were sent before and after this particular email 
have the X-Spam-Status and X-spam-Report scoring,

So Spamassassin was running correctly.



-Original Message-
From: Marc 
Date: Monday, February 7, 2022 at 1:49 PM
To: Chad , "users@spamassassin.apache.org" 

Subject: RE: Emails from gmail.com bypassing Spamassassin scoring


I have been getting numerous emails lately from various gmail.com
accounts.  They are spam or phishing emails and today I got one that
had a subject of RECEIPT 5454 and only a JPG image of an invoice.
There was no content in the email.



It bypassed Spamassassin scoring.  Do you know why or what setting I
need to set so EVERY email goes through Spamassassin scoring procedures?




I do not see X-Spam headers[1], so your spamassassin was not working?


[1]
X-Spam-Status: No, score=-0.4 required=3.0 tests=ALL_TRUSTED,SPF_NEUTRAL,
TVD_SPACE_RATIO,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
4422b522-8a2b-4864-9498-4f2d06aca485




Re: handle_user and connect to spamd failed

2021-10-19 Thread David B Funk

On Tue, 19 Oct 2021, Linkcheck wrote:


Ok, thanks, Dave.


'--helper-home-dir' option needs an '='


Also, --max-children?

I have been playing with options based on suggestions here. I now have the 
spamassassin options as:


OPTIONS="--nouser-config -4 -i 127.0.0.1 --max-children=5 
--helper-home-dir=/var/lib/spamassassin -u debian-spamd"


and the spamass-milter options:

OPTIONS="-u spamass-milter -- -d 127.0.0.1"

Once I remembered that spamass-milter also needed to be restarted, along with 
spamassassin and postfix, I made more progress. :(


That has fixed both warnings but the warning message "Could not retrieve 
sendmail macro 'i'" has returned; thought I'd got rid of that one for good. I 
tried adding 'i' to the postfix milter_connect_macros but no difference. I've 
never discovered what that macro is supposed to be nor whence/how it derives.


Thanks to everyone who has contributed to this thread. If someone could round 
it off with the i macro solution that should be it.


spamass-milter wants the 'i' macro in both the milter_mail_macros and 
milter_rcpt_macros postfix config parameters.
Putting it in the milter_connect_macros doesn't do any good, that's not where 
spamass-milter looks for it.
(at least in the version 0.3.2 code that I looked at, YMMV version wise, grep 
the Source Luke).


The 'i' macro is supposed to be the message queue-id value.


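The Postfix side of the 'i' macro fix, as an added example (not from the thread). The two parameter values below are Postfix's own stock defaults for those settings, so they only need to be set explicitly if main.cf has overridden them; the milter version caveat from the reply above still applies.

```conf
# Added example (not from the thread): main.cf lines that hand the 'i' macro
# (the Postfix queue ID) to spamass-milter at the two stages where, per the
# message above, it reads it. Both lists are Postfix's stock defaults with
# 'i' in front; the other macros are kept so any other milters keep working.
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer}

# Adding 'i' to milter_connect_macros is harmless but does nothing for
# spamass-milter, which does not look for it there.

# Verify the running values (postconf shows the effective setting, not just
# what is written in main.cf), then reload and watch the warning disappear:
#   postconf milter_mail_macros milter_rcpt_macros
#   postfix reload
#   grep "sendmail macro 'i'" /var/log/mail.log
```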


Re: CVD_IN_DNSWL_HI ?

2021-10-11 Thread David B Funk

On Mon, 11 Oct 2021, David B Funk wrote:


On Mon, 11 Oct 2021, Jerry Malcolm wrote:



I am getting tons of emails that are very obviously spam (elongation, 
russian beauties, etc) that are getting a -5 score added on the white list 
test:

CVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust

I'm curious about the usefulness of a white list that spammers have 
obviously been able to defeat. And with the -5.0 score added (subtracted) 
in to the total, there's almost no chance for other tests to overcome it 
with 10 points to get the score to 5.0


What is the easiest way to disable this 'trusted white list' tester that 
is sabotaging so many of my spam scores?


That's one of the several sets of evals derived from the __RCVD_IN_DNSWL test 
of the "list.dnswl.org" rbl.


You can disable just the RCVD_IN_DNSWL_HI rule by setting its score to 0
EG: in your local.cf add a line that looks like:

# disable RCVD_IN_DNSWL_HI
score RCVD_IN_DNSWL_HI 0

You can disable the whole kit of rules derived from that rbl by setting the 
base rule to 0:


score __RCVD_IN_DNSWL 0



The other thing you should do is to report false-positives to the dnswl.org 
site.

See: https://www.dnswl.org/?page_id=17

You first might want to verify that your FPs aren't being generated by some 
upstream relay that is is trusted but due to some configuration issue is 
"masking" the spam source.


If you put a copy of one of the offending spams in pastebin.com and post the URL 
here we can look at it with you to see if we can spot your issue.





Re: CVD_IN_DNSWL_HI ?

2021-10-11 Thread David B Funk

On Mon, 11 Oct 2021, Jerry Malcolm wrote:



I am getting tons of emails that are very obviously spam (elongation, russian 
beauties, etc) that are getting a -5 score added on the white list test:

CVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust

I'm curious about the usefulness of a white list that spammers have obviously been able to defeat. 
And with the -5.0 score added (subtracted) in to the total, there's almost no chance for other tests to overcome it with 10 points to get the score 
to 5.0


What is the easiest way to disable this 'trusted white list' tester that is 
sabotaging so many of my spam scores?


That's one of the several sets of evals derived from the __RCVD_IN_DNSWL test of 
the "list.dnswl.org" rbl.


You can disable just the RCVD_IN_DNSWL_HI rule by setting its score to 0
EG: in your local.cf add a line that looks like:

# disable RCVD_IN_DNSWL_HI
score RCVD_IN_DNSWL_HI 0

You can disable the whole kit of rules derived from that rbl by setting the base 
rule to 0:


score __RCVD_IN_DNSWL 0




Re: Customise hostname shown in X-Spam-Checker-Version?

2021-07-30 Thread David B Funk

On Fri, 30 Jul 2021, David Bürgin wrote:


David Bürgin:

Resolved. Perhaps the documentation should be updated.


There are notes for options ‘remove_header’ and ‘clear_headers’ that
‘X-Spam-Checker-Version is not removable’, so a straightforward fix to
the documentation would be replacing sentence

note that Checker-Version can not be changed or removed

with

note that Checker-Version can not be removed


More to the point:
 the X-Spam-Checker-Version header is not removable and the Version-number 
WITHIN the header is not changeable, the rest of the header is customizable.





Re: Identifying Amazon hosts...

2021-07-28 Thread David B Funk

On Wed, 28 Jul 2021, Antony Stone wrote:


On Wednesday 28 July 2021 at 19:51:49, Pedro David Marco wrote:


Hi!
i have spam with this header:

 Received: from a48-115.smtp-out.amazonses.com (HELO
a48-115.smtp-out.amazonses.com) (54.240.48.115)

Is there any way, based on its fqdn, to know whether an Amazon smtp host is
public or dedicated?


Apologies for what may seem like a silly question, but what's the difference?


I'm assuming he's asking if there's a chance that it's an open-relay SMTP server 
or one dedicated to Amazon client systems.


I'd be shocked if it was an open-relay, it'd probably be hammered by now if it 
were.


There's enough spam coming from AWS clients as-is. I've seen malware and phishes 
coming out of AWS, I wouldn't unconditionally trust anything from them.





Re: Another evil number

2021-06-25 Thread David B Funk

On Fri, 25 Jun 2021, Greg Troxel wrote:



RW  writes:


You can reach out
   to our Customer Support Team+1 (800) 781 - 2511.


Is it common in the US to put 800 in brackets like that? In my
experience brackets normally go around either country codes or area
codes, digits that may be optional.


Yes, it is common.  The proper form is

 +1 800 782 2511

but people in the US do not write numbers like that.

The normal way in the US would be

 (800) 782-2511

and I find the spaces around the - to be unusual.  But really there is a
fair degree of variation.


And then there's the obfuscation that spammers/phishers use.
Here's an example from a recent message I found in one of my spam traps:


if you have any issue regarding your order.

Reach us at +1 [805} 429-6748

Thanks & Regards

+1 [805} 429-6748


Those bracket/brace mismatches are verbatim.


--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Why single periods in regex in spamassassin rules?

2021-04-23 Thread David B Funk

On Fri, 23 Apr 2021, Steve Dondley wrote:


I'm looking at KAM.cf. There is this rule:

body __KAM_WEB2  /INDIA based IT|indian.based.website|certified.it.company/i


I'm wondering if there is a good reason why a single period is used instead of 
something like \s+ which would catch multiple spaces whereas a single period 
doesn't.


Because /indian.based.website/ will match 'indian-based_website' but \s will 
not.



--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
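
Both points above, the mismatched-bracket phone numbers in the "evil number" thread and the reason the KAM rule uses '.' rather than '\s', come down to the same thing: matching across whatever separator the sender put between the tokens. The following is an added Python illustration, not code from the KAM ruleset or from anyone on the list. It shows a textbook "(NNN) NNN-NNNN" pattern missing the obfuscated numbers, a separator-tolerant pattern catching them and reducing them to a canonical digit string for later blocklisting, and the '.' versus '\s' difference on the hyphen/underscore phrase. The sample lines are constructed, modelled on the quoted messages.

```python
import re

# Constructed sample lines modelled on the obfuscated phone numbers and the
# hyphen/underscore-separated phrases discussed above. Not real spam samples.
SAMPLE_LINES = [
    "Reach us at +1 [805} 429-6748",
    "You can reach out to our Customer Support Team+1 (800) 781 - 2511.",
    "Visit our indian-based_website today",
    "Our INDIA based IT shop is a certified.it.company",
    "Call extension 555-0100 for details",
]

# A textbook pattern that only accepts "(NNN) NNN-NNNN"; obfuscated numbers
# slip past it, which is exactly what the sender intends.
NAIVE_PHONE = re.compile(r"\(\d{3}\)\s?\d{3}-\d{4}")

# Tolerant pattern: up to four non-alphanumeric characters are allowed between
# digit groups, so "[805}", ") ", " - " and a "+1 " prefix are all absorbed.
SEP = r"[^A-Za-z0-9]{0,4}"
TOLERANT_PHONE = re.compile(
    r"(?:\+?1" + SEP + r")?"            # optional country code
    + r"\d{3}" + SEP                    # area code, whatever surrounds it
    + r"\d{3}" + SEP + r"\d{4}\b"       # exchange and line number
)


def digits_only(text):
    """Canonical form of a matched number: everything but the digits stripped."""
    return re.sub(r"\D", "", text)


def find_phone_numbers(text):
    """Return canonical 10-digit NANP numbers found in text, obfuscation included."""
    found = []
    for m in TOLERANT_PHONE.finditer(text):
        d = digits_only(m.group(0))
        if len(d) == 11 and d.startswith("1"):
            d = d[1:]
        if len(d) == 10:
            found.append(d)
    return found


def naive_phone_hits(text):
    """True when the textbook pattern alone would have caught the number."""
    return bool(NAIVE_PHONE.search(text))


# Same idea applied to words: "." accepts any one separator (space, hyphen,
# underscore), which is why the KAM rule uses it; "\s+" only accepts
# whitespace and misses "indian-based_website".
DOT_PHRASE = re.compile(r"indian.based.website", re.I)
WHITESPACE_PHRASE = re.compile(r"indian\s+based\s+website", re.I)


def phrase_hits(text):
    """Which of the two phrase patterns fire on text."""
    return {
        "dot": bool(DOT_PHRASE.search(text)),
        "whitespace": bool(WHITESPACE_PHRASE.search(text)),
    }


def scan(lines):
    """Per-line summary: canonical numbers found, and whether the naive pattern saw them."""
    return [
        {"line": line, "numbers": find_phone_numbers(line), "naive": naive_phone_hits(line)}
        for line in lines
    ]


if __name__ == "__main__":
    for row in scan(SAMPLE_LINES):
        print(row)
    for line in SAMPLE_LINES:
        print(phrase_hits(line), line)
```

The canonical digit string is what you would actually key a local list or a meta rule on; the tolerant pattern is deliberately loose, so in a real rule it should carry a modest score and be combined with other signals rather than used as a hard verdict.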


Re: SA seems powerless against marketing emails for SEO/web development

2021-04-22 Thread David B Funk

On Thu, 22 Apr 2021, Matus UHLAR - fantomas wrote:


On 22.04.21 14:21, Steve Dondley wrote:

pts rule name              description
---- ---------------------- --------------------------------------------------

-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/,
no trust
   [209.85.210.44 listed in list.dnswl.org]
-1.0 BAYES_00   BODY: Bayes spam probability is 0 to 1%
   [score: 0.]

[snip..]

-0.0 RCVD_IN_MSPIKE_WL  Mailspike good senders

This email is bit of an outlier as most of these emails will get flagged 
with bayes_99 and bayes_999 but this one actually gives it bayes_00.



My bayes filter has been trained with about 2000 examples of spam and ham.


now, train as needed - this one as spam.


In that spam there was a tracking link at the bottom with a URL of the form:
https://name-company-track.appspot.com/Firebase?bunch-of-long-tracking-variables

How hard would it be to modify the uribl lookup code so that it did not truncate 
host names, so we could create uribl entries of the form 
"name-company-track.appspot.com", or would that be prohibitively expensive in 
lookups?


I regularly see phish/spam that has URL hosts of the form some-name.blogspot.com 
or other-name.webhosting.com and it would be nice to be able to slam those 
things into a uribl list (I run my own).



--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
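
The host trimming asked about above, worked through as an added Python illustration. This is not SpamAssassin's URIDNSBL code and the tables are not a copy of its TLD lists; it only shows the mechanism. SA keys URIBL lookups on the registered domain, so a bare appspot.com entry would list every customer of that platform at once; the way SA keeps the customer label for hosting platforms is its util_rb_2tld / util_rb_3tld tables (shipped in 20_aux_tlds.cf and extendable from local.cf). Whether your SA version already lists appspot.com and blogspot.com there is something to check with grep before adding your own lines; that is an assumption here, as are the zone name uribl.example.internal and the in-memory zone entries, all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny tables. SpamAssassin keeps the real ones in
# 20_aux_tlds.cf (util_rb_tld, util_rb_2tld, util_rb_3tld); these illustrate
# the mechanism and are not a copy of that file.
TLDS = frozenset({"com", "org", "net", "uk"})
TWO_LEVEL = frozenset({"co.uk", "org.uk"})

# Hosting platforms where every customer gets its own label. Treating them as
# two-level "TLDs" keeps the customer label in the lookup key. Assumption: the
# matching "util_rb_2tld appspot.com" style lines exist in your local.cf.
HOSTED_TWO_LEVEL = frozenset({"appspot.com", "blogspot.com", "webhosting.com"})

DEFAULT_TWO_LEVEL = TWO_LEVEL | HOSTED_TWO_LEVEL


def registered_domain(host, two_level=DEFAULT_TWO_LEVEL):
    """Trim host to the part a URIBL would be keyed on, or None if it is not a DNS name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in TLDS:
        return None                      # IP literals, bare hostnames, unknown TLDs
    keep = 3 if ".".join(labels[-2:]) in two_level else 2
    keep = min(keep, len(labels))        # "appspot.com" itself has no customer label
    return ".".join(labels[-keep:])


def uribl_query_name(url, zone="uribl.example.internal"):
    """DNS name to query for url against a private URIBL zone (zone name is an assumption)."""
    host = urlsplit(url).hostname
    if not host:
        return None
    domain = registered_domain(host)
    return None if domain is None else "%s.%s" % (domain, zone)


# In-memory stand-in for the zone data. Keys with a leading dot cover the name
# and everything under it (the rbldnsd dnset convention); other keys are exact
# matches. Constructed entries, not a real list.
ZONE = {
    "name-company-track.appspot.com": "127.0.0.2",
    ".evil-sender.org": "127.0.0.2",
}


def lookup(domain, zone=ZONE):
    """Return the listing code for domain, or None if it is not listed."""
    if domain in zone:
        return zone[domain]
    labels = domain.split(".")
    for i in range(len(labels)):
        wildcard = "." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def check_url(url, zone=ZONE):
    """Full path: URL -> lookup key -> listing code (None when unlisted)."""
    host = urlsplit(url).hostname
    domain = registered_domain(host) if host else None
    return None if domain is None else lookup(domain, zone)


if __name__ == "__main__":
    spam_url = "https://name-company-track.appspot.com/Firebase?bunch=of&tracking=vars"
    print(uribl_query_name(spam_url))
    print(check_url(spam_url))
    # With the platform absent from the 2TLD table the key collapses to the
    # shared parent, which would list every appspot.com customer at once.
    print(registered_domain("name-company-track.appspot.com", two_level=TWO_LEVEL))
```

The two_level parameter is the whole story: with appspot.com in it the query name carries the customer label and a listing stays specific to that tracker; without it the only possible entry is the shared parent, which is why the lookup code truncates in the first place.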


Re: Problem installing sa on my pi 3b+

2021-04-08 Thread David B Funk

On Fri, 9 Apr 2021, spamassas...@mach2.franken.de wrote:


Am 07.04.2021 um 12:27 schrieb Antony Stone:



I am running said packet install from an internet tutorial.
Who wrote that tutorial and where does it point you to get the packages 
from?



Antony.


Hmm, it says execute the following commands:

    sudo apt-get update
    sudo apt-get install spamassassin

Without any further params. How am I supposed to know where that command does 
get its package from???


Christian


Christian,

Use the "apt show spamassassin" command to show the information about the 
spamassassin package.

One of the lines of output will be something like:
 APT-Sources: http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 
Packages

That will tell you the package repository that it's getting that particular 
package from.
For more info about the collection of sources that 'apt' & 'apt-get' are using 
look at the "sources.list" config files in /etc/apt/ directory.


HTH

Dave

--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Moving Spam to Junk Folder

2020-09-03 Thread David B Funk

On Thu, 3 Sep 2020, bobby wrote:


I am following this tutorial: 
https://www.linuxbabe.com/redhat/spamassassin-centos-rhel-block-email-spam. I 
followed the steps in "Move Spam
into the Junk Folder".  When I send an email from a blacklisted e-mail address, 
I get a bounce e-mail from my e-mail server.  Here is what
is in my spamass-milter file:
EXTRA_FLAGS="-m -r 8 -R NO_SPAM -i 127.0.0.1 -g sa-milt -- --max-size=512"
I would prefer it to go into my Junk folder.  How can I make this happen?


Bobby,

You need to read the spamass-milter documentation to understand what those 
options are doing.


That "-r 8" tells spamass-milter to return an 'SMFIS_REJECT' status to postfix if 
the spam score is over 8. This causes postfix to refuse to accept the message 
at all (sort of like when somebody tries to send a message to a bogus 
recipient).


So if postfix never lets spam get in the front door it cannot be delivered to 
any kind of "Junk Folder"



--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: From Spoofed

2020-02-25 Thread David B Funk

On Wed, 26 Feb 2020, Benny Pedersen wrote:


Robert A. Ober skrev den 2020-02-26 02:28:


I have a user that is getting many emails with obscene subjects.
Someone is spoofing the From to include the users domain so the email
is hitting "USER_IN_WHITELIST".  I have installed the plugins from
extremeshok and it has not stopped the problem.


remove whitelist_from in spamassassin, or change it to score -0.1

i will not argue on why whitelist_from even exists


The SUBJECT_FUCKBUDDY rule has a score of 3.0 .


change score to 300

upgrade to 3.4.4 btw


I won't argue with the recommendation to upgrade but his real problem is:

Someone is spoofing the From to include the users domain so the email is 

hitting "USER_IN_WHITELIST"

That says somebody has taken the users' domain and added it to a 
"whitelist_from" statement. That is -not- a SA default.


So first kill that ill-advised whitelist_from

Then find out why somebody did that and fix that problem properly, not with the 
easily subverted "whitelist_from" sledge-hammer.


If they -must- have some form of whitelist_from, use something that is less 
easily subverted (such as setting up DKIM or SPF for their domain and using 
def_whitelist_auth or at least whitelist_from_rcvd ).


Even better, use def_whitelist_auth & def_whitelist_from_rcvd so it's not 
such a sledge-hammer but just a mild "bump" to make sure locally generated 
messages get a little extra help.


If it weren't from that bad "whitelist_from" the OP's message would have been 
spam-tagged, it hit plenty of RBLs etc. It was just that sledge-hammer that got 
it thru.



--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Rule for detecting two email addresses in From: field.

2019-10-03 Thread David B Funk

On Fri, 4 Oct 2019, Philip wrote:


Morning List,

Lately I'm getting a bunch of emails that are showing up with two email 
addresses in the From: field.


From: "Persons Name " 

When you look in your mail client (Outlook, Thunderbird) it's showing only 
"Persons Name "


Is there a way I can mark From: that has 2 email addresses in it as spam? 
Pro's Cons?


Phil


I seem to remember past discussions of this sort of thing.

Bottom line, it's a mixed bag. There are legitimate messages that include an 
address'ey looking in the "comment" part of the 'From:' header.


Use the "header rule_name  From:name =~ /target\@some\.place/"
format rule (IE use the From:name field).

This works best when looking for spear-phishing type messages where you're 
looking for specific kinds of deception, EG:


  header T_PAPAL_PHISH4  From:name =~ /\b(?:Pay[Pp]al|service)\@paypal\.com\b/

For a general rule, I wouldn't treat it as a hard spam sign but use it in 
combination with metas.




--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
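
The From:name check described above, worked through as an added Python example; it is not an SA rule and not code from anyone on the list. It pulls the display-name part of From:, finds address-looking tokens inside it, and treats them as a signal only when their domain disagrees with the real address or matches a brand list, so the "mixed bag" case of a legitimate sender repeating its own address in the comment part scores nothing. The header samples, the brand list and the weights are constructed/assumed, and the splitting regex is a simplified reading of RFC 5322 that covers the "Name <addr>" shape, not a full address parser.

```python
import re

# Display-name / angle-address split for the common "Name <addr>" form. A
# simplified reading of RFC 5322, enough for the From: shapes discussed above;
# not a full address parser.
FROM_SHAPE = re.compile(r"^\s*(?:From:\s*)?(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$", re.I | re.S)
BARE_ADDR = re.compile(r"^\s*(?:From:\s*)?(?P<addr>[^<>\s\"]+@[^<>\s\"]+)\s*$", re.I)
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)


def split_from(header):
    """Return (display_name, address) for a From: header value."""
    m = FROM_SHAPE.match(header)
    if m:
        name = m.group("name").strip().strip('"').strip()
        return name, m.group("addr").lower()
    m = BARE_ADDR.match(header)
    if m:
        return "", m.group("addr").lower()
    return header.strip(), ""


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def addresses_in_name(header):
    """Addresses that appear inside the display-name ("comment") part, SA's From:name."""
    name, _ = split_from(header)
    return [a.lower() for a in ADDR_IN_TEXT.findall(name)]


def name_addr_mismatch(header):
    """Addresses in the display name whose domain differs from the real address's domain.

    An empty list is the legitimate case above: a sender repeating its own
    address in the comment part.
    """
    _, addr = split_from(header)
    real = domain_of(addr)
    return [a for a in addresses_in_name(header) if domain_of(a) != real]


def brand_in_name(header, brand_domains=("paypal.com",)):
    """Python analogue of the T_PAPAL_PHISH4 From:name rule: a brand address in the name part."""
    return [a for a in addresses_in_name(header) if domain_of(a) in brand_domains]


def score_from_header(header):
    """Signal strength, meant for a meta with other rules rather than a hard spam verdict."""
    score = 0.0
    if name_addr_mismatch(header):
        score += 1.5          # assumed weight, tune locally
    if brand_in_name(header):
        score += 3.0          # assumed weight, tune locally
    return score


# Constructed headers, not taken from real mail.
SAMPLES = {
    "spoof": 'From: "Persons Name <persons.name@example.com>" <attacker@mail.example.net>',
    "brand": 'From: "service@paypal.com" <noreply@bulk-sender.example.org>',
    "legit": 'From: "Persons Name <persons.name@example.com>" <persons.name@example.com>',
    "plain": "From: Alice <alice@example.org>",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, score_from_header(header), name_addr_mismatch(header), brand_in_name(header))
```

The mismatch test is what keeps the false-positive rate tolerable: mail clients and list software that write the address into the display name use the sender's own domain, and that case falls through with nothing to score.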


Re: Setting Threshold

2019-09-27 Thread David B Funk

Jerry,

One other potential point of confusion; when you say:

  But when I stop and start the service and process
an email through it, headers still say 5.0 as the threshold.


What particular service did you stop and restart? Specifically did you restart 
just the Apache James service or did you stop & restart the spamd daemon?


The spamd daemon is the thing that you need to restart to get it to process the 
config files.



On Fri, 27 Sep 2019, David B Funk wrote:

[snip..]

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Setting Threshold

2019-09-27 Thread David B Funk

Unfortunately the answer to those questions tends to be OS distro specific.

Usually logs go someplace under "/var/log/" but there's nothing to prevent 
your particular distro's creators putting them elsewhere.


The startup stuff is often very OS distro & version specific; is yours an 
"init script" based system, or a "systemd" based system (or something else)?


Do this, in a shell execute the command:
  cat /etc/os-release

That should output several lines of text that contain data about the specific 
distro/version you're running. (if it cannot find /etc/os-release try 
/usr/lib/os-release ).


Using that data, you should be able to track down forums/FAQs/wikis specific to 
your distro which have answers to those two questions.


On Fri, 27 Sep 2019, Jerry Malcolm wrote:


Oh yes... and the location of the actual SA startup command file as well.

Thx

On 9/27/2019 7:01 PM, Jerry Malcolm wrote:
Thanks. I'll try all of that.  But unfortunately I'm coming into AWS Linux 
from a Windows background.  I'm having a heck of a time finding the 
configuration and log file folders that linux server implementations seem 
to like splattering all over the hard drive... :-).  Where should I be 
looking to find the SA log files?


Thanks again.

Jerry

On 9/27/2019 6:46 PM, David B Funk wrote:

[snip..]

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Setting Threshold

2019-09-27 Thread David B Funk

Jerry,

That looks like a functional implementation of the "spamc" client.
So that implies your system is using "spamd" daemon for actual processing of the 
spam. (as opposed to something like "amavis" which directly incorporates the SA 
scanning engine)


Did you restart the spamd daemon after you changed that config file?

If you did and the change still isn't working this implies that your spamd 
system is using a different set of config files -or- there's another config file 
which is overriding your customization.
At startup spamd processes config files in sequence and a setting in a later one 
will override corresponding values set in an earlier one.


Look at your spamd's process list to see if there are any explicit config files 
specified in the command line arguments.


Also you can try starting your spamd with debugging enabled which will cause it 
to log config file processing.


Add the following to your spamd start up command line arguments:
  --debug config

Then restart and look at the logging output to see which config files it's 
processing and in which order.





On Fri, 27 Sep 2019, Jerry Malcolm wrote:


Hi Bill,  Thanks for the quick response.

I'm using Apache James 3.3.0.   I investigated the class that calls spamd.  
There is a class SpamAssassinInvoker in the James distribution that actually 
calls spamd.  Relevant code excerpt from that class is below.  It doesn't 
appear that any threshold info is being sent on the call.


out = socket.getOutputStream();
in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
out.write("CHECK SPAMC/1.2\r\n\r\n".getBytes());

// pass the message to spamd
message.writeTo(out);
out.flush();
socket.shutdownOutput();
String s = null;
while ((s = in.readLine()) != null) {

On 9/27/2019 3:21 PM, Bill Cole wrote:

On 27 Sep 2019, at 15:14, Jerry Malcolm wrote:

I am setting up SA on an AWS Linux EC2.  I am trying to change the results 
threshold from 5.0 to 4.0.  I went to /usr/share/spamassassin/local.cf, 
uncommented and changed: "required_score 4.0".  But when I stop and start 
the service and process an email through it, headers still say 5.0 as the 
threshold.  What am I doing wrong?  Is there some other place I need to 
change it as well?


It is certainly possible. How are you integrating SA with your mail system, 
i.e. what software is getting mail that it uses SA to filter? Different 
mechanisms can end up using software-specific or user-specific 
configurations that override local.cf.

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
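
A minimal spamc-protocol client in Python, added here as an illustration; it is not code from Apache James or from SpamAssassin. It builds the same CHECK request the James excerpt sends (plus a Content-length header and an optional User: header) and parses the "Spam: True ; score / threshold" reply. The point for this thread: nothing in the request carries a threshold. The number after the slash is whatever required_score spamd loaded from its own config files (and, when a User: is sent and spamd allows per-user settings, that user's config), so a stubborn 5.0 is always a spamd-side question. The host/port default and the sample reply are assumptions.

```python
import re
import socket

SPAM_LINE = re.compile(
    r"^Spam:\s*(?P<verdict>True|False|Yes|No)\s*;\s*"
    r"(?P<score>-?\d+(?:\.\d+)?)\s*/\s*(?P<threshold>-?\d+(?:\.\d+)?)",
    re.I | re.M,
)
STATUS_LINE = re.compile(r"^SPAMD/(?P<version>\S+)\s+(?P<code>\d+)\s+(?P<text>.*)$")


def build_check_request(message, user=None):
    """Bytes of a CHECK request. Content-length tells spamd where the message ends;
    the James excerpt above relies on shutdownOutput() instead, which also works."""
    headers = [b"CHECK SPAMC/1.2", b"Content-length: %d" % len(message)]
    if user is not None:
        # Optional: lets spamd load that user's config if it allows per-user settings.
        headers.append(b"User: " + user.encode("ascii"))
    return b"\r\n".join(headers) + b"\r\n\r\n" + message


def parse_spamd_response(raw):
    """Turn a CHECK reply into {'is_spam', 'score', 'threshold'}; raises on errors."""
    text = raw.decode("utf-8", "replace")
    status, _, rest = text.partition("\r\n")
    m = STATUS_LINE.match(status)
    if not m:
        raise ValueError("not a spamd status line: %r" % status)
    if m.group("code") != "0":
        raise RuntimeError("spamd error %s %s" % (m.group("code"), m.group("text")))
    s = SPAM_LINE.search(rest)
    if not s:
        raise ValueError("no Spam: header in reply")
    return {
        "is_spam": s.group("verdict").lower() in ("true", "yes"),
        "score": float(s.group("score")),
        "threshold": float(s.group("threshold")),   # spamd's required_score, not the client's
    }


def check_via_spamd(message, host="127.0.0.1", port=783, user=None, timeout=30):
    """Send message to a running spamd and return the parsed verdict (network; not exercised here)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_check_request(message, user))
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_spamd_response(b"".join(chunks))


# Constructed reply in the shape spamd sends for CHECK; not captured from a real server.
SAMPLE_REPLY = b"SPAMD/1.1 0 EX_OK\r\nSpam: True ; 7.5 / 5.0\r\n\r\n"

if __name__ == "__main__":
    print(build_check_request(b"Subject: test\r\n\r\nhello\r\n", user="jerry").decode())
    print(parse_spamd_response(SAMPLE_REPLY))
```

If the threshold this returns is not the one you set, run spamd with --debug config as suggested above and watch which files it reads; if the integration sends a User: header, also check that user's ~/.spamassassin/user_prefs, which can override required_score on its own.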

who is IADB and why does this spam get a -3.8 score?

2019-08-07 Thread David B Funk
This afternoon I found a spam in one of my spam-traps that was sent via 
constantcontact.com and got a whopping -3.8 from IADB rules.


Why does this spam source get such a boost?

-0.0 RCVD_IN_IADB_LISTED    RBL: Participates in the IADB system
-0.1 RCVD_IN_IADB_SPF       RBL: IADB: Sender publishes SPF record
-1.5 RCVD_IN_IADB_OPTIN     RBL: IADB: All mailing list mail is opt-in
-2.2 RCVD_IN_IADB_VOUCHED   RBL: ISIPP IADB lists as vouched-for sender
-0.0 RCVD_IN_IADB_SENDERID  RBL: IADB: Sender publishes Sender ID record

In particular how can they claim "All mailing list mail is opt-in" for a message 
sent to a spam-trap address that has never been used in any way other than a 
spam-trap? (IE never used to send mail, never listed as a contact address, etc).


The message had a "unsubscribe" link but no "report spam" functions.

Why should we have to "unsubscribe" an address that was never subscribed at all?
(that would tend to give legitimacy to the spammer's claims that it was 
subscribed/opt-in ).


Who should I report this travesty to?

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: How to create my personal RBL

2019-06-25 Thread David B Funk

On Tue, 25 Jun 2019, Martin Gregorie wrote:


On Tue, 2019-06-25 at 16:11 +0200, hg user wrote:

I'd like to create my own RBL that answers queries about IP, domain or
address reputation.
Data should be stored in a database (mysql, postgres, redis, etc) so
that information can be added/modified/removed without the need to
restart spamassassin (I think the simpler solution would be a list in
SA...)

How can I create this setup?


You need to build a Perl plugin for Spamassassin that connects to, and
queries the database together with at least one SA rule that triggers
the plugin via an eval:plugin_query() call where plugin_query() is a
plugin function that runs the database query using data extracted from
the message by SA and returns either 1 (the query found a match in the
database) or zero (no matches found).


That's way overthinking it.

SA already has perfectly good DNS query tools built in, why not use those?

It's pretty simple to set up your own local private DNS zones using rbldnsd.
Adding/updating those kinds of zones is as simple as adding or editing lines in 
a text file (as simple as echo ".this.bad.domain   :127.0.0.2:" >> my-zone-file ).

No muss, no fuss, no server restart, etc.

I run two private zones for this purpose, one an IP address RBL list and one a 
URIBL list.



--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Mail to local users

2019-06-17 Thread David B Funk

On Mon, 17 Jun 2019, David B Funk wrote:

Are you feeding spamass-milter the necessary information (via milter-macros 
in your MTA config) so that -it- knows that particular session is 
authenticated? It needs that info if it's going to synthesize the correct 
header so that SpamAssassin knows that session was authenticated.


Specifically:
In your config for Milter.macros.envfrom you need to include "{auth_type}, 
{auth_authen}, {auth_ssf}, {auth_author}" (note that is sendmail syntax, 
translate into postfix as appropriate).


If you don't pass those {auth_*} macros into spamass-milter it has no way to 
know a particular session is authenticated.


Taking a quick look at the source code for spamass-milter (I use a different 
milter) I can see that it explicitly needs '{auth_type}' and '{auth_ssf}'

so you can ignore {auth_authen} & {auth_author}.

But with out that '{auth_type}' macro info it assumes the session isn't 
authenticated, and won't pass that on to SA.



--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Mail to local users

2019-06-17 Thread David B Funk

On Mon, 17 Jun 2019, @lbutlr wrote:



On 17 Jun 2019, at 11:06, Reindl Harald  wrote:

Am 17.06.19 um 16:30 schrieb @lbutlr:

Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
  by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
  Sun, 16 Jun 2019 15:26:32 -0600
  (envelope-from )

The first has an ESMTPS id and the other has SMTP id unknown.


a) ESMTPS is *not* authentication


I didn’t say it was, but the change in the header seems to be triggering 
spamass-milter in ways that it was not being triggered before.

On 17 Jun 2019, at 02:07, Matus UHLAR - fantomas  wrote:

if the mail was authenticated, it should contain ESMTPA or ESMTPSA instead
of SMTP.

Note that spamass-milter fakes the first Received: header (because milter
must get message as it is received from mail client), but lack of "A" in the
SMTP indicates that your mail is not really authenticated.


The message WAS sent via an authenticated connection:

Jun 16 15:26:32 mail postfix/submit/smtpd[52711]: 45RnTh0J8KzdrvJ: 
client=c-73-14-161-160.hsd1.co.comcast.net[73.14.161.160], sasl_method=PLAIN, 
sasl_username=kr...@kreme.com
Jun 16 15:26:32 mail postfix/cleanup[52845]: 45RnTh0J8KzdrvJ: 
message-id=<0c3be5f6-c5b4-4b07-853d-fad6dcbb6...@kreme.com>
Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: 
from=, size=3259, nrcpt=2 (queue active)
Jun 16 15:26:33 mail postfix/lmtp[53026]: 45RnTh0J8KzdrvJ: to=, 
orig_to=, relay=mail.covisp.net[private/dovecot-lmtp], delay=1.9, 
delays=1.7/0.01/0.19/0.01, dsn=2.0.0, status=sent (250 2.0.0  
1QOYNQm0Bl1fzwAAIdGjjQ:2 Saved)
Jun 16 15:26:33 mail postfix/qmgr[27634]: 45RnTh0J8KzdrvJ: removed


Are you feeding spamass-milter the necessary information (via milter-macros in 
your MTA config) so that -it- knows that particular session is authenticated? It 
needs that info if it's going to synthesize the correct header so that 
SpamAssassin knows that session was authenticated.


Specifically:
In your config for Milter.macros.envfrom you need to include "{auth_type}, 
{auth_authen}, {auth_ssf}, {auth_author}" (note that is sendmail syntax, 
translate into postfix as appropriate).


If you don't pass those {auth_*} macros into spamass-milter it has no way to 
know a particular session is authenticated.




--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
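
The two points above, that ESMTPS says nothing about authentication and that a milter can only write an authenticated Received: line if the MTA exports {auth_type} to it, as an added Python illustration. This is not spamass-milter's code or its exact header layout; it mimics the sendmail-style "with" keyword (RFC 3848: S for TLS, A for SMTP AUTH) that SpamAssassin's Received: parser keys on, builds the synthetic line from a macro dictionary, and then checks a line the way a filter would. The Received: samples are constructed, modelled on the one quoted above.

```python
import re


# RFC 3848 / sendmail "with" keywords: ESMTP, with "S" appended when the session
# was under TLS and "A" appended when it was SMTP-AUTHed. ESMTPS alone therefore
# says nothing about authentication.
def with_keyword(tls_active, auth_type):
    """Keyword a sendmail-style Received: header would carry for this session."""
    keyword = "ESMTP"
    if tls_active:
        keyword += "S"
    if auth_type:
        keyword += "A"
    return keyword


def synth_received(client_host, client_ip, my_host, macros):
    """What a milter can put in its synthetic first Received: line, given only the
    macros the MTA exported to it. Without {auth_type} there is no 'A'. The layout
    approximates sendmail's; it is not spamass-milter's exact output."""
    auth_type = macros.get("auth_type")
    keyword = with_keyword(bool(macros.get("tls_version")), auth_type)
    line = "from %s (%s [%s]) by %s with %s" % (client_host, client_host, client_ip, my_host, keyword)
    if auth_type:
        line += " (authenticated bits=%s)" % macros.get("auth_ssf", "0")
    return line


WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]*SMTP[A-Z]*)\b", re.I)


def received_is_authenticated(received):
    """True only when the 'with' keyword ends in A (ESMTPA, ESMTPSA, UTF8SMTPA ...)."""
    m = WITH_RE.search(received)
    return bool(m) and m.group(1).upper().endswith("A")


# Constructed Received: lines modelled on the one quoted above; not real headers.
UNAUTH_LINE = ("from darth.lan (c-73-14-161-160.hsd1.co.comcast.net [73.14.161.160])"
               " by mail.covisp.net (Postfix 3.4.5) with SMTP id unknown")
TLS_ONLY_LINE = UNAUTH_LINE.replace("with SMTP", "with ESMTPS")
AUTHED_LINE = UNAUTH_LINE.replace("with SMTP", "with ESMTPSA")

if __name__ == "__main__":
    for label, line in (("unauth", UNAUTH_LINE), ("tls", TLS_ONLY_LINE), ("auth", AUTHED_LINE)):
        print(label, received_is_authenticated(line))
    exported = {"tls_version": "TLSv1.2", "auth_type": "PLAIN", "auth_ssf": "0"}
    print(synth_received("darth.lan", "73.14.161.160", "mail.covisp.net", exported))
    print(synth_received("darth.lan", "73.14.161.160", "mail.covisp.net", {"tls_version": "TLSv1.2"}))
```

The last two prints are the whole argument: the same session, with and without {auth_type} exported, yields ESMTPSA or ESMTPS, and only the former is something SpamAssassin will treat as an authenticated submission.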

Re: Amazon continues to get tagged as spam

2019-04-01 Thread David B Funk

On Mon, 1 Apr 2019, @lbutlr wrote:


I have whitelisted amazon in /usr/local/etc/mail/spamassassin/local.cf

whitelist_auth *@*.amazon.com
whitelist_auth *@amazon.com
whitelist_from *@bounces.amazon.com
whitelist_from order-upd...@amazon.com
whitelist_from_rcvd @amazon.com amazon.com
whitelist_from_rcvd @amazon.com amazonses.com

Seems this last should have matched the received header below, but it doesn't.

pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no trust
                            [54.240.13.15 listed in list.dnswl.org]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.]
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.]
 1.8 DKIM_ADSP_DISCARD      No valid author signature, domain signs all mail and suggests discarding the rest
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
 0.1 DKIM_INVALID           DKIM


There's something wrong with your mail system which is trashing not only your 
DKIM processing but your SPF processing too.


In the normal course of things, those Amazon messages should pass both DKIM and 
SPF checks.


An Amazon message received here looks like:

pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
                            [54.240.15.92 listed in list.dnswl.org]
 0.0 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
                            [54.240.15.92 listed in hostkarma.junkemailfilter.com]
 0.0 T__BOTNET_NOTRUST      Message has no trusted relays
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                            [botnet_ipinhosntame,ip=54.240.15.92,rdns=a15-92.smtp-out.amazonses.com]
 0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
                            [botnet_serverwords,ip=54.240.15.92,rdns=a15-92.smtp-out.amazonses.com]
-7.5 USER_IN_DEF_SPF_WL     From: address is in the default SPF white-list
-7.5 USER_IN_DEF_DKIM_WL    From: address is in the default DKIM white-list
 0.0 HTML_MESSAGE           BODY: HTML included in message
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.]
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain

Note both the DKIM_VALID,DKIM_VALID_AU and SPF_PASS
It hit both USER_IN_DEF_SPF_WL & USER_IN_DEF_DKIM_WL which are standard SA 
rules, I didn't add those.

Bottom line, what is going on with your system which is causing DKIM & SPF to 
fail?

Does it fail for other properly signed messages or only fail for Amazon?

If you post a complete unaltered Amazon message on pastebin we can take a crack 
at it. (only post something which you can publish without redaction, any 
alterations will invalidate the DKIM sig).


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Bug or feature? ;-)

2019-03-25 Thread David B Funk

On Mon, 25 Mar 2019, Axb wrote:


On 3/25/19 7:01 PM, Henrik K wrote:

On Mon, Mar 25, 2019 at 06:49:49PM +0100, Tobi  wrote:


Am 25.03.19 um 15:18 schrieb Henrik K:

On Mon, Mar 25, 2019 at 03:00:30PM +0100, Tobi  wrote:
[snip..] 


uri __HAS_URI /./
tflags __HAS_URI multiple
meta __REALLY_HAS_URI (DKIM_SIGNED && __HAS_URI > 1) || (!DKIM_SIGNED && __HAS_URI)




seems to me everybody is making an effort in disregarding the fact that the 
URI rule was hitting on a header and imo, that should not happen.

This makes the whole uri behaviour even more unpredictable.


However sometimes headers contain valuable URI targets.

For example, I've seen increasing amounts of spam which contain cloud based URLs 
in the body of the message (worthless for URIBL filtering) which may also 
contain URLs in the headers that are specific to the spammer source (thus 
viable targets for URIBL filters).


A blanket prohibition against header URI mining would miss out on that data.

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: using existing score value in new rule's score

2019-02-22 Thread David B Funk

On Sat, 23 Feb 2019, RW wrote:


On Fri, 22 Feb 2019 16:37:30 -0600 (CST)
David B Funk wrote:


Is there a rule "score" syntax that allows you to use the score
assigned to an existing rule to calculate the value assigned to
another rule?

...

What I want to do is to create a local rule:

meta L_HTML_IMAGE_ONLY_28_FIX  ( HTML_IMAGE_ONLY_28 && L_O365_USER )
describe L_HTML_IMAGE_ONLY_28_FIX   Fix damage from HTML_IMAGE_ONLY_28 for local O-365 users
score L_HTML_IMAGE_ONLY_28_FIX ( -1.0 * HTML_IMAGE_ONLY_28 )


IIWY I'd just redefine the HTML_IMAGE_ONLY_XX rules in the form


body __HTML_IMAGE_ONLY_28 eval:html_image_only('2400','2800')
meta HTML_IMAGE_ONLY_28   __HTML_IMAGE_ONLY_28 && !L_O365_USER


That's one way, but given that HTML_IMAGE_ONLY_28 is a core SA rule I'd prefer 
not to hack at it.


I could totally over-ride it with local redefinitions but then I'd miss out on 
any updates/improvements to the core rule defs and not know about it.


By just adding my local "repair" rule whose score is derived from that 
calculation of the core rule def, I don't need to worry about updates damaging 
my intended functionality.
EG: if the system rule is re-scored (up or down) my "repair" will still do the 
right thing.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


using existing score value in new rule's score

2019-02-22 Thread David B Funk
Is there a rule "score" syntax that allows you to use the score assigned to an 
existing rule to calculate the value assigned to another rule?


Specifically what I'm trying to do is to negate the "damage" a particular rule 
does for messages that meet particular local criteria.


For example: "HTML_IMAGE_ONLY_28" is a rule that will assign a modest number of 
points to a message that contains a small amount of HTML and an image.


What I want to do is to create a local rule:

meta L_HTML_IMAGE_ONLY_28_FIX  ( HTML_IMAGE_ONLY_28 && L_O365_USER )
describe L_HTML_IMAGE_ONLY_28_FIX   Fix damage from HTML_IMAGE_ONLY_28 for 
local O-365 users
score L_HTML_IMAGE_ONLY_28_FIX ( -1.0 * HTML_IMAGE_ONLY_28 )

Where if HTML_IMAGE_ONLY_28 fires and another rule which detects that the 
message was generated by a local Office-365 user, negate the score from the 
HTML_IMAGE_ONLY_28 rule.


My problem is that our campus has switched the bulk of our user population to 
Office-365 and many outlook users like to "decorate" their messages with images 
(wall-paper, departmental logos, etc).
When one of these people sends a short message (1~5 lines of text) in their 
outlook, it's not unusual for several of SA's rules to fire (EG 
DC_GIF_UNO_LARGO, HTML_IMAGE_ONLY_28, SARE_GIF_STOX, etc) which pushes the 
messages into spam score range.


I'd like to automate the un-doing of this damage w/o having to continually 
chase after changes in the scoring.
Thus the desire for syntax to calculate the score value. It doesn't have to be 
evaluated dynamically, just calculate the score at reload time.


Thanks.

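The score derivation asked for above, as an added example that is not part of the thread and not an SA feature: SA's score directive takes literal numbers only, so this Python helper (an assumed tool) reads the installed rule files at reload time, takes the current score of HTML_IMAGE_ONLY_28, and writes the repair rule with that value negated. The directory paths, the output file name and the sample score lines are assumptions/constructed.

```python
"""Emit a local SpamAssassin "repair" rule whose score is derived, at reload
time, from the score the installed rule files currently give a core rule.

Added example for this thread, not an SA feature: SA's `score` directive
takes literal numbers only, so the arithmetic is done here and the result
is written into a .cf file that SA then reads like any other.
"""
import re
from pathlib import Path

# "score RULE n" or "score RULE n n n n"; the four-column form is selected by
# SA's score set: 0 = no Bayes/no net, 1 = net only, 2 = Bayes only, 3 = both.
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*(?:#.*)?$")

# Constructed sample in the style of an SA scores file (not the real file).
SAMPLE_RULES = """\
# constructed sample, not the real 50_scores.cf
score HTML_IMAGE_ONLY_28 1.404 1.817 1.404 1.817
score DC_GIF_UNO_LARGO 0.001
score L_O365_USER 0.01   # local rule, single score column
"""


def parse_scores(text, score_set=3):
    """Return {rule: effective score}; a later `score` line overrides an
    earlier one, matching how SA applies files read later in its load order."""
    if not 0 <= score_set <= 3:
        raise ValueError("score_set must be 0..3")
    scores = {}
    for line in text.splitlines():
        m = SCORE_RE.match(line)
        if not m:
            continue
        rule, fields = m.group(1), m.group(2).split()
        try:
            nums = [float(f) for f in fields]
        except ValueError:
            continue  # not a numeric score line; leave it alone
        if len(nums) == 1:
            scores[rule] = nums[0]
        elif len(nums) == 4:
            scores[rule] = nums[score_set]
    return scores


def load_scores(rule_dirs, score_set=3):
    """Read every *.cf under the given directories in order (system rules
    directory first, site rules directory last, as SA does), sorted by name
    within each directory so overrides resolve the way SA resolves them."""
    chunks = []
    for d in rule_dirs:
        for path in sorted(Path(d).glob("*.cf")):
            chunks.append(path.read_text(errors="replace"))
    return parse_scores("\n".join(chunks), score_set)


def repair_rule(core_rule, scores, guard="L_O365_USER"):
    """Build the meta rule that cancels `core_rule` when `guard` also fires.
    The score is the negation of the core rule's current score, so a core
    re-score (up or down) is absorbed on the next regeneration."""
    if core_rule not in scores:
        raise KeyError(f"no score line found for {core_rule}")
    name = f"L_{core_rule}_FIX"
    return (
        f"meta {name} ( {core_rule} && {guard} )\n"
        f"describe {name} Fix damage from {core_rule} for local O-365 users\n"
        f"score {name} {-scores[core_rule]:.3f}\n"
    )


if __name__ == "__main__":
    # Hypothetical paths; use the directories your SA instance actually reads.
    rule_dirs = ["/var/lib/spamassassin/3.004001/updates_spamassassin_org",
                 "/etc/mail/spamassassin"]
    # Fall back to the constructed sample when run offline without rule files.
    scores = load_scores(rule_dirs) or parse_scores(SAMPLE_RULES)
    # Write the output to an assumed /etc/mail/spamassassin/99_local_repair.cf,
    # restart spamd, and regenerate whenever sa-update changes the rules.
    print(repair_rule("HTML_IMAGE_ONLY_28", scores), end="")
```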


Re: -Suggestion. Develop a List of examples of SpamAssassin Headers...

2019-01-31 Thread David B Funk

On Thu, 31 Jan 2019, Noel wrote:


On 1/31/2019 3:03 PM, Don Saklad wrote:

$ perldoc Mail::SpamAssassin::Conf
No documentation found for "Mail::SpamAssassin::Conf".



"Bill Cole" 
writes:
This is not really possible.

Run 'perldoc Mail::SpamAssassin::Conf'

Am 31.01.19 um 21:34 schrieb Don Saklad:
How is it run?...

Reindl Harald  writes:
   > by just type it in a terminal?

$ perldoc Mail::SpamAssassin::Conf
No documentation found for "Mail::SpamAssassin::Conf".



Apparently the docs aren't installed on your system.  Perhaps
there's a separate spamassassin-docs package that needs to be installed.

There's a copy on the web if that's more convenient for you.  This
is the first hit if you google mail::spamassassin::conf

https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html


SA 3.1.x is over a decade old.

Don't mess with obsolete versions, go with the current kit:
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

(Unless for some strange reason you -are- running an obsolete version, then go 
to: https://spamassassin.apache.org/full and drill down to the docs that match 
the version you are running.)



Re: SPF weirdness...

2019-01-15 Thread David B Funk

On Tue, 15 Jan 2019, Bill Cole wrote:


On 15 Jan 2019, at 15:05, Grant Taylor wrote:


I will investigate to see if spamass-milter can fabricate a satisfactory 
Received: header.


A quick look at the issue tracker for it implies that it does so. A milter that 
actually works with SA really needs to.

Unfortunately, it is a nuisance to debug spamass-milter because it talks to 
spamc which talks to spamd, so you need to give debug flags to the 
spamass-milter process and spamd to see exactly what's going on.


This is a very real question.
It's a bit tricky to implement a milter correctly because people often don't 
understand that the message which sendmail hands to a milter is as-received 
from the incoming network connection.

Any locally added stuff (EG the "Received:" header) isn't in that milter stream.
Thus the milter must completely/correctly synthesize all locally added headers.

Actually the spamass-milter method (calling spamc) makes it easier to debug.
Just create a script which wraps spamc in-between a couple of "tee"s to capture 
stdin & stdout and you'll have everything you want to know.


A simple example which ignores signal handling:

 #!/bin/sh
 # 'spamc' debugging script: wrap the real spamc so that everything the
 # milter sends to it and everything it returns is captured per invocation.
 FILE_NAME="/var/tmp/spamc-transcript-$$"
 # record the arguments the milter passed, then the message stream on stdin
 echo "spamc args: $*" > "${FILE_NAME}.in"
 tee -a "${FILE_NAME}.in" | /real/path/to/spamc "$@" | tee "${FILE_NAME}.out"

Adjust paths as needed.




Re: rule for docx o xlsx

2018-12-17 Thread David B Funk

On Mon, 17 Dec 2018, RW wrote:


On Mon, 17 Dec 2018 13:18:12 -0600
Rick Gutierrez wrote:


Hi list , happy holidays to all, I am trying to make this rule work
that a friend wrote in github, to be able to give a high score to
documents sent from different countries, like pakistan, china or india
, I have it in my spamassassin and I do not see it working, to see if
someone on the list helps me improve it

RuleWordORExcel.cf

mimeheader __MIME_WORDOREXCEL Content-Type =~ /msword|excel/i

...

https://pastebin.com/bmRq7v7h




Content-Type:
application/vnd.openxmlformats-officedocument.wordprocessingml.document,

doesn't contain msword|excel


Not to mention that rule doesn't match "Application/OCTET-STREAM"

All too often I see mail clients use the catch-all MimeTyping of 
"Application/OCTET-STREAM" and assume the recipient will 'do the right thing' 
based on the file extension.






Re: Spamassassin using remote rules definition source?

2018-12-10 Thread David B Funk

On Mon, 10 Dec 2018, ozgurerdogan wrote:


I simply need to write custom rules to block certain mails, domain names. Do
I have to learn programming language for this? Is not it easy like create a
conf file and let Sa update rules from that source remotely via http?


If your primary need is to block certain domain names it might be easier to 
create your own custom DNS-RBL and add rules to your SA configuration to score 
against that.


Once you've got the DNS-RBL built (I recommend rbldnsd, 
http://www.corpit.ru/mjt/rbldnsd.html) and the querying rules added to your SA 
config, then updating is just a matter of adding new names to your DNS-RBL. If 
you use rbldnsd, it's as easy as just "echoing" names onto the end of a text file.


By clever usage of the IP address associated with the name and the scoring rules 
it is possible to have different scores assigned to specific names.
EG: if a name has the address 127.0.0.2 then give it a score of +2; if 127.0.0.4, 
then give it a score of 10.
So if a host is a bit spammy then the 127.0.0.2 address will not outright 
black-list it but help score with other indications (EG Bayes, etc).

Whereas if you give it a 127.0.0.4 then it's a one-shot kill.

I actually run two local RBLs, one for DNS/Hostnames and one for URI-RBL to hit 
specific URLs within messages.





Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread David B Funk

On Mon, 3 Dec 2018, Grant Taylor wrote:


On 12/03/2018 11:53 AM, Alan Hodgson wrote:
I've been watching these for a while, and unfortunately there are a lot of 
customer-service type systems that send From: addresses with quoted @domain 
addresses in them. Many of them do "user@address via" 
, but not all.


Sorry, I was talking about the SMTP envelope.  The unquoted part between 
angle brackets.


Are you talking about the SMTP-envelope From address or the 'Header' from 
addresses?
It's possible to set those two different pieces of information to the same value 
but note that they are -not- the same attribute.


Depending upon how your SA is glued into your mail system your SA may not even 
have any visibility into the SMTP-envelope From address.


Under ordinary circumstances you will not see the SMTP-envelope From address in 
an e-mail message.
All the parts you see following that "From: " header element in a message are 
the 'Header' from.


[snip...]


So you will definitely get false positives just looking at @'s.


I was talking about only counting the @ signs in the unquoted part between 
angle brackets.  The  in the following example.


That's the "from:addr" component of the header from address.



Re: Rule for a link with an numeric IP in body?

2018-10-29 Thread David B Funk

On Mon, 29 Oct 2018, Martin Gregorie wrote:


On Mon, 2018-10-29 at 15:55 +0200, Anders Gustafsson wrote:

Is there such a rule already in 3.3.x? I would ideally want a version
of that that adds to the spam score if it sees a x.x.x.x/unsubscribe
link, possibly translated.


[snip..]


describe MG_BARE_IP Bare IP in a URI
body __MG_BAI0 /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
uri  __MG_BAI1 /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\w*/
meta MG_BARE_IP (__MG_BAI0 || __MG_BAI1)
score MG_BARE_IP 0.01

Note that the bare IP - n.n.n.n - is NOT a URI and so must be a body
text rule while the bare IP with a '/name' suffix is a URI and so is
found by a URI rule. This is why I used two subrules joined by the
meta-rule.

Note that technical computing discussions may validly contain bare IPs,
e.g. 127.0.0.1 is never a spam indication since it is the IP of
'localhost' and so its appearance is not a spam indication. There are
other well-known IPs that are also not spam indications.


Not to mention all the other ways that dotted-number strings can be used;
EG version numbers of software.

I have libwmf installed on my machine and if I was discussing a programming 
issue with it I might mention that the RPM I have is: 
libwmf-0_2-7-0.2.8.4-lp150.2.6.x86_64






Re: Is fuzzyocr i.e. Image scanning

2018-10-17 Thread David B Funk

On Wed, 17 Oct 2018, Rupert Gallagher wrote:


IC is an effort to dig a hole in the water, because the problem of image spam 
with obfuscated text cannot be solved by ocr. 

My approach is a "better safe than sorry" best practice that anyone can 
implement with existing software: 

1. do not display inline the content of attachments and linked resources;
2. give high spam score (>=5) to any email with very low text to image ratio.


Your system, your rules, but it won't work for everybody.

We routinely receive messages from users needing help which contain 1~2 lines of 
text describing the issue (like: 'my computer crashed' ) and then a screen-shot 
taken with a cellphone camera (10~20 megapixel) which is 4~8 MB in size.
Sometimes the text is only in the subject and the screen-shot is the only thing 
in the body.


I agree about not displaying inline attachments by default but that is a client 
configuration issue and we cannot control our users' clients.




Re: Non-ascii subjects with images

2018-09-01 Thread David B Funk

On Sat, 1 Sep 2018, David B Funk wrote:


On Sat, 1 Sep 2018, Rupert Gallagher wrote:




This is a subject line:

Re: Habemus APP LG 😉



Do you understand that is not an image (EG jpg, png, or tiff) but a UTF-8 
code point ("emoji" character) glyph.


We cannot tell because you haven't provided us with an actual message but I'm 
going to guess that subject line was represented in Base-64 encoded UTF-8
(IE raw message looked like: Subject: 
=?utf-8?B?THVjayBvZiB0aGUgUmlkZSDwn42A?= ).


I just thought of another possibility, rather than Base-64 they could use 
quoted-printable encoding. EG:


  Subject: =?UTF-8?Q?Re=3A_Habemus_APP_LG_=F0=9F=98=89?=

Either way that's still not an "image" but a single UTF-8 glyph.

Given that there are over a million UTF-8 glyphs, do you really want to go to the 
trouble of trying to pick on a particular small subset of them?


Are you saying that there's a particular emoji (UTF-8 glyph) which is a strong 
spam indicator?


If so you could write a specific pattern match rule for it or feed it to bayes 
and let bayes do the heavy lifting.



Re: Non-ascii subjects with images

2018-09-01 Thread David B Funk

On Sat, 1 Sep 2018, Rupert Gallagher wrote:




This is a subject line:

Re: Habemus APP LG 😉



Do you understand that is not an image (EG jpg, png, or tiff) but a UTF-8 code 
point ("emoji" character) glyph.


We cannot tell because you haven't provided us with an actual message but I'm 
going to guess that subject line was represented in Base-64 encoded UTF-8

(IE raw message looked like: Subject: =?utf-8?B?THVjayBvZiB0aGUgUmlkZSDwn42A?= 
).

Given internationalization these days, we see an increasing amount of =?utf-8?B? 
stuff in subject lines in legitimate messages, even if they aren't using emojis.
So if you're going to create a rule to fire against just that it will have a 
lot of FPs, unless you just want it to use in METAs.


On the other hand, if you want to decode the subject line and then pattern-match 
against all the possible UTF-8 emojis, you're going to end up with a rather 
unwieldy rule.


End of the day, what's the point? Lots of people put emojis in their 
communications.



Re: Best practice for learning submissions

2018-07-23 Thread David B Funk

On Mon, 23 Jul 2018, Nick Bright wrote:


On 7/23/2018 7:55 PM, Reindl Harald wrote:
and even if - what's the point to store the surrounding messages in the 
corpus which you should keep forever if you need rebuild from scratch 
later?
what is the problem you try to solve and why can't you just store the 
attachment instead of the whole mail containing it?
The problem I'm trying to solve is "how to implement a training system on my 
server".


I suppose i could de-encapsulate an attachment with a script, before feeding 
it to sa-learn?


If your mail-box server is imap, has public folders capability and you have 
access to the back-end storage (EG Dovecot) then you could implement a 
report-spam folder submission system.


EG your users drop spam messages into the report-spam folder and your script 
runs on the back-side, extracting the messages, feeding them to "spamc -l" and 
then moving them into a "report-done" folder for archival purposes.


That or you have to glue together some kind of de-mimifying scripts inside 
procmail to feed 'spamc -l' and hope that your users use some predictable kind 
of mime labeling so you can automate the unwrapping process. (good luck).


Either way you are at the mercy of your users to make valid judgments about 
whether a particular message is actual spam (and not just some 
marketing/newsletter thing they signed up for and then forgot).






Re: Help with own RBL

2018-07-23 Thread David B Funk

On Mon, 23 Jul 2018, Pedro David Marco wrote:


Not exactly a SA question but...

i am planning to run my own RBL with a nameserver, that when queried for an IP 
that is not in its database, does some calculations with that IP and replies
accordingly (caching the results)...

Please, does anyone know of any nameserver that can do that? To my knowledge 
RBLDNSD cannot do it...

Thanks in advance!


What kind of 'calculations with that IP' ?
Is it dynamic factored with some kind of external coefficients or is it a more 
static mapping?


If the latter you may be able to use something like RBLDNSD.
With RBLDNSD you can define overlapping zones and it will pick the most 
specific one.


EG: 0.0.0/0 == some default value
41.0.0.0/8 == some other value
41.23.0.0/16 == yet another value

etc...

Put your coding into a map generator, then push the results into RBLDNSD.
It can handle 10^5+ entries with no sweat.




Re: Line too long [rfc 2822, section 2.1.1]

2018-07-13 Thread David B Funk

On Fri, 13 Jul 2018, Rupert Gallagher wrote:


A little survey on your local policies...
What do you do when a subject line is longer than 78 characters? 

A. Reject
B. Accept as spam
C. Accept


That clause for 78 chars is a "SHOULD", the "MUST" is for 998 chars.
It then also says:

Again, even though this limitation is put on
   messages, it is encumbant upon implementations which display messages
   to handle an arbitrarily large number of characters in a line
   (certainly at least up to the 998 character limit) for the sake of
   robustness.

I've regularly seen "important" messages with subjects over 500 chars
(ones that our users complain about if not delivered normally).

So subject length > 78 is not a hard spam sign.



Re: Whitelisting envelope-from

2018-06-01 Thread David B Funk

On Fri, 1 Jun 2018, Martin Gregorie wrote:


On Fri, 2018-06-01 at 15:37 -0400, Alex wrote:

Hi,
I have an email with an address as follows that I'd like to
whitelist:

X-Envelope-From: 

Using whitelist_auth doesn't appear to work:

whitelist_auth FredSavage*@cmail19.com


Try

 whitelist_auth FredSavage.*@cmail19.com
  ^
You used UNIX shell notation where '*' represents any number of chars.
In Perl regexes '*' repeats the previous pattern element - in this case
'e'.


Martin


Martin what you say is true for general perl code but the 'whitelist' stuff 
explicitly does -NOT- use perl regexes. If you read the Mail::SpamAssassin::Conf 
docs for that stuff you'll see:


Whitelist and blacklist addresses are now file-glob-style patterns, so "fri...@somewhere.com", 
"*@isp.com", or "*.domain.net" will all
work.  Specifically, "*" and "?" are allowed, but all other metacharacters 
are not. Regular expressions are not used for security reasons.
Matching is case-insensitive.

If the whitelist_auth does not work it may be the case that the necessary 'auth' stuff 
(either SPF or DKIM ) isn't working for that particular address.


Save a copy of one of those messages and run it thru "spamassassin -D" to see the 
debugging report on that process.






Re: Invoice phish

2018-05-15 Thread David B Funk

On Tue, 15 May 2018, Alex wrote:


Hi,


[snip..]

Train bayes, look for custom URIBL lists that might hit that powned website.


The IP (216.32.180.23) is listed on sorbs, but that's it, and the
domain (peabodyenergy.com) is not listed anywhere.



I wasn't referring to the site that was the source of the message but the 
website that was hosting that PHISH login page.

(EG that "https://euphqobeofnetwork . com/example.survey/question/login.php" )

I don't hold it against a company if one of their LLusers gets p0wned and used 
to send out spam/phishes.


What I do hold accountable is if some website gets p0wned and then (ab)used to 
host phish pages. Who's to say that the next page the black-hats put up is a 
malware page?




Re: Invoice phish

2018-05-15 Thread David B Funk

On Tue, 15 May 2018, Alex wrote:


Hi,

We received another of those phishes as a result of a compromised O365 account.

https://pastebin.com/raw/Fv5NKRAP

Anyone able to take a look and provide ideas on how to block them? It
passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PASS.

It's missing headers, and I've written a rule to account for that, but
it would be great to have some other input.

Interestingly, it was passed through a mimecast system first.

The amount of Outlook/O365/Exchange headers in this email is enormous!

Thanks,
Alex


For openers either totally lose "RCVD_IN_HOSTKARMA_W" & "RCVD_IN_DNSWL_LOW" 
rules, or set their score to something minimal (EG -0.1 instead of that honking 
-2.5) or create a rule that detects the message being from O365 and meta it with 
RCVD_IN_HOSTKARMA_W to then add an offsetting score to nullify the damage from 
RCVD_IN_HOSTKARMA_W WRT O365.


(Can we get the maintainers of RCVD_IN_HOSTKARMA_W to remove that contagion pit 
called O365 from their list of "good guy" sites?).


I've done a bit of all of the above so an incoming O365 message ends up with no 
"brownie points" at all, so it's only scored on the merits of its contents.


Then look for custom anti-phish rulesets. Your example hit a rule 
"RULEGEN_PHISH2" which was in a file 90_rulegen_phish.cf on my server.

(I'm sorry I don't remember where I got that from).

Train bayes, look for custom URIBL lists that might hit that powned website.




Re: training bayes database

2018-05-10 Thread David B Funk

On Thu, 10 May 2018, John Hardin wrote:


On Thu, 10 May 2018, Matthew Broadhead wrote:


On 09/05/18 20:43, David Jones wrote:

On 05/09/2018 01:29 PM, Matthew Broadhead wrote:

On 09/05/18 16:37, Reindl Harald wrote:


quoting URIBL_BLOCKED is a joke - setup a *recursion* *non-forwarding*
nameserver, no dnsmasq or such crap

http://uribl.com/refused.shtml

with your setup you exceed *obviously* rate-limits and have most
DNSBL/URIBL not working and so you can't expect useful results at all

X-Spam-Status: No, score=-18.15 tagged_above=-999 required=6.2
 tests=[AM.WBL=-3, BAYES_00=-1.9, 
HEADER_FROM_DIFFERENT_DOMAINS=0.25,

 MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5]
 autolearn=ham autolearn_force=no


i followed the guidance at that url and it gave me
[root@ns1 ~]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. 
See http://uribl.com/refused.shtml for more information [Your DNS IP: 
213.171.193.134]"


i guess my dns is set to use my isp's dns server.  do i need to set up 
dns relay on my machine so it comes from my ip?


there is no way we send more than 500k emails from our domain so i should 
qualify for the free lookup?


Yes.  Setup BIND, unbound, or pdns_recursor on your SA server that is not 
forwarding to another DNS server then set your /etc/resolv.conf or SA 
dns_server to 127.0.0.1.  This will make your DNS queries isolated from 
your IP to stay under their daily limit.


Keep in mind that if your SA box is behind NAT that is not dedicated to 
your server then other DNS queries could get combined with your shared 
public IP.  This is not likely since others are not going to query 
RBL/URIBL servers but it's possible.  If your SA server is directly on the 
Internet as an edge mail gateway then this won't be a problem.



i already had bind handling my dns.  i just had to add to /etc/named.conf

allow-query-cache {localhost; any;};
recursion yes;


Don't forget to *turn off forwarding*.


and to /etc/resolv.conf

nameserver 127.0.0.1


That is the most important point in this whole discussion.

It doesn't matter (much) what DNS server/software you use so long as it supports 
recursive NON-FORWARDED queries.

Caching is desirable but is only a secondary consideration VS the first point.

Security point: when you run a recursive server it is a potential DDOS risk, so 
protect it from being used/abused by untrusted clients. (best if it only listens 
on the loopback address, 127.* or has strong ACL/access control support that is 
properly configured).


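The two shapes of the named.conf options block that the security point above is about, as an added example that is not from the thread (the option names are BIND 9's; the two blocks are alternatives, not both for one file): first the open-resolver shape that `allow-query-cache {localhost; any;}` with `recursion yes` produces, then a hardened block that keeps non-forwarded recursion but only for the loopback.

```conf
## Weak: recursion on, and the cache answerable by "any" host. With no
## listen-on or allow-recursion limits this is an open resolver that
## outsiders can use (DNS amplification, cache probing), which is the
## DDOS risk mentioned above.
options {
    recursion yes;
    allow-query-cache { localhost; any; };
};

## Hardened: the same non-forwarding recursive resolver, but it only
## listens on loopback and only answers or recurses for localhost, so
## only spamd/SA on this host can use it.
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    recursion yes;
    allow-query { localhost; };
    allow-query-cache { localhost; };
    allow-recursion { localhost; };
    // no "forwarders" clause: lookups go straight to the authoritative
    // servers, so DNSBL/URIBL queries come from this host's own IP and
    // not from the ISP resolver that the rate-limit refusals hit.
};
```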

Re: Invoice phish

2018-05-09 Thread David B Funk

On Wed, 9 May 2018, Vincent Fox wrote:


I see an interesting dichotomy.
Students are on Google, fac/staff on O365 now.

Guess which group is phished most often?

If you said students,  bzzzt. 

It’s the O365 users, by a large margin.  Faculty and staff should be best 
trained.  Also protected by “Advanced Threat Protection”.


Our university drank the Microsoft Kool-Aid completely and threw everybody into 
the O-365 ocean. (except for us already entrenched hold-outs ;).


We've seen a major up-tick of phished O-365 accounts of all flavors (faculty, 
staff, students).


I attribute it to several factors:
1) phish attacks have become increasingly sophisticated (quality of duplicating 
'sign in' sites, looking at institutional service announcements so they can craft 
credible deceptive scenarios, etc).


2) the 'Outlook' mail client hides technical details of messages and makes it 
hard to determine the validity of a message


3) O-365/Exchange has a "Big Brother" attitude to RFC mail info, it wants to 
'bowdlerize' those ugly messages and replace them with simplistic, soothing 
verbiage to not confuse the end users.


4) Less technical sophistication of the server side filtering VS google.


Re: Just to lighten your day?

2018-05-02 Thread David B Funk

On Wed, 2 May 2018, John Hardin wrote:


On Wed, 2 May 2018, David Jones wrote:


On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
One slipped through, with this subtle sig line (thought it might brighten 
someones day . . . )


"Note: Failure to Verify will lead to final termination of your email 
account.


Technical Team
Email Administrator
All Right Reversed 2018.(c)"

-


Please post the full email, with all headers, minimally redacted to 
pastebin.com and send us a link.


You need your humor detector recalibrated.


His humor detector caught that one. He didn't say if it caught the one in the 
body of the message:

   "will lead to final termination of your email"

The first three terminations weren't good enough, so we're going to do it one 
more time. And if -that- one doesn't do it, we'll proceed to the final ultimate 
termination...




Re: Just to lighten your day?

2018-05-02 Thread David B Funk

On Wed, 2 May 2018, Joe Acquisto-j4 wrote:


On 5/2/2018 at 2:57 PM, in message

<0e5889ab-b61a-36ba-6b28-549f2c365...@ena.com>, David Jones 
wrote:

On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:

One slipped through, with this subtle sig line (thought it might brighten

someones day . . . )


"Note: Failure to Verify will lead to final termination of your email

account.


Technical Team
Email Administrator
All Right Reversed 2018.(c)"



Please post the full email, with all headers, minimally redacted to
pastebin.com and send us a link.

--
David Jones


It's been a while, but I think I did it properly:

https://pastebin.com/Sw8R0QPe


Do you have the DecodeShortURLs plugin installed in your SA?

The target of that tinyurl.com is listed in URIBLs and SA will fire on it if you 
have DecodeShortURLs functional.


For that message I get:

X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on s-l107.engr.uiowa.edu
Content analysis details:   (8.1 points, 6.0 required, autolearn=no)

 pts rule name  description
 -- --
 0.0 HAS_SHORT_URL  Message contains one or more shortened URLs
 2.5 SEM_FRESH  Contains a domain registered less than 5 days ago
[URIs: erumsadet.info]
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
trust
[40.92.2.16 listed in list.dnswl.org]
 0.1 L_BANK_PHISH3  BODY: Possible bank phish
 0.3 L_UI_PHISHb3   BODY: possible email acct phish
 0.0 T__BOTNET_NOTRUST  Message has no trusted relays
 0.9 FORGED_HOTMAIL_RCVD2   hotmail.com 'From' address, but no 'Received:'
 0.5 BOTNET_IPINHOSTNAMEHostname contains its own IP address
[botnet_ipinhosntame,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
 0.0 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
  [40.92.2.16 listed in hostkarma.junkemailfilter.com]
 0.0 URIBL_RED  Contains an URL listed in the URIBL redlist
[URIs: erumsadet.info]
 0.0 BOTNET_SERVERWORDS Hostname contains server-like substrings
[botnet_serverwords,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
 0.7 SPF_SOFTFAIL   SPF: sender does not match SPF record (softfail)
 0.0 FREEMAIL_FROM  Sender email is commonly abused enduser mail 
provider
(jln4deafkids[at]hotmail.com)
 0.8 BAYES_50   BODY: Bayes spam probability is 40 to 60%
[score: 0.5000]
 0.0 HTML_MESSAGE   BODY: HTML included in message
-0.1 DKIM_VALID_AU  Message has a valid DKIM or DK signature from 
author's
domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNEDMessage has a DKIM or DK signature, not necessarily 
valid
 0.6 SARE_HTML_COLOR_B  RAW: BAD STYLE: color: too light (rgb(n))
 0.0 T__KAM_SHORT   KAM URL shortner fired
 0.8 KAM_INFOUSMEBIZPrevalent use of .info|.us|.me|.me.uk|.biz domains 
in
 spam/malware
 0.0 T__FROM_OUTLOOKFrom microsoft outlook/hotmail servers
 0.0 UNPARSEABLE_RELAY  Informational: message has unparseable relay lines
 0.0 T__RECEIVED_2  More than one untrusted relay
 0.8 RDNS_NONE  Delivered to internal network by a host with no rDNS
 0.2 L_FROM_OUTLOOK From microsoft outlook/hotmail servers






Re: Dropping mail

2018-04-27 Thread David B Funk

On Fri, 27 Apr 2018, Dianne Skoll wrote:


On Fri, 27 Apr 2018 14:39:43 -0500 (CDT)
David B Funk  wrote:

[snip]


Define two classes of recipients:
   class A == all users who want everything
   class B == all users who want "standard" filtering


This works if you have a limited number of classes, but in some cases
users can make their own rules and settings so the number of classes
can be the same as the number of RCPTs.

Even in the two-class case, there's still a delay for the subsequent
class(es).


If you have that many different classes of recipients, just set the number of 
allowed recipients/transaction to one and be done with it.


The delay is entirely up to the sending side, they could immediately retry the 
subsequent recipients.


I was just trying to suggest a solution to your conundrum that didn't require 
you to drop messages. I didn't say it was optimal, just avoiding the loss of 
messages.





Re: regexp dealing with display name don't work

2018-04-27 Thread David B Funk

On Fri, 27 Apr 2018, Joëlle Pfeffer wrote:


I have progressed.

If my rule is
header REGLE_HF002 From:name =~ /@A/i

e-mails containing
From: @A 
or
From: "@AB" 
or
From: "@Ab" 
are not blocked

but if my rule is
header REGLE_HF002 From:name =~ /@.b/i

e-mails containing
From: "@Ab" 
or
From: "@ABc" < jopfef...@free.fr >
are blocked

[snip..]

If you want to match a literal '@' in a SA regex you need to escape it.
Try:
  header REGLE_HF002 From:name =~ /\@a/i

(note the trailing 'i' makes the regex be case-insensitive so /\@A/i doesn't make 
sense).




Re: Dropping mail

2018-04-27 Thread David B Funk

On Fri, 27 Apr 2018, Dianne Skoll wrote:


Hi,

I have reluctantly come to the conclusion that in some cases, it is
necessary to silently drop spam rather than reject it.  This is the
situation:

An email comes in for two recipients in one SMTP trasaction (ie,
a MAIL, two RCPTs and then DATA).

One recipient's rules say to accept.  The other recipient's says to reject.

You can't reject post-DATA because then it looks like both recipients
received the mail.

You can accept and create a failure message for one recipient, but then
you risk generating backscatter.

You can tempfail all but the first RCPT to force the message to be
split up into individual messages per recipient, allowing you to accept
or reject individually.  But this will delay mail and possibly cause it
not to be delivered if there are many recipients and the sending relay
is impatient.

So I reluctantly conclude that in all but the smallest of installations,
dropping the mail for the recipient whose rules say to do so is the
best thing to do.

There have been SMTP extensions proposed to combat this.  I recall an
extension that had you issue RCPTs until one of the RCPTs was
accepted, then DATA, then additional RCPTs with a "also send the
foregoing to this one" keyword so you could have per-recipient data
filtering, but of course spammers could not be obliged to use the
extension. :(


One possible way to deal with this situation (which would require some additional 
complexity on the server and require good behavior on the senders) is:


Define two classes of recipients:
  class A == all users who want everything
  class B == all users who want "standard" filtering

At 'RCPT' phase of the SMTP transaction note if the first valid recipient is 
class "A" or class "B", set a flag to remember it.


For each subsequent valid recipient see if their class is the same as the first 
recipient. If not then return a "452 Too many recipients" reply code for that 
one and all subsequent valid recipients.


Ideally the sender should then move on to the DATA phase, complete the 
processing for the first batch of recipients, and then try again for the 
remainder.


If all goes well, this should split up the different classes of recipients into 
separate SMTP transactions allowing for appropriate processing without loss.


Your classifications can be expanded upon to meet your site requirements but 
the processing logic should be the same.


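The RCPT-phase class split described in the post, as an added example (not Dave Funk's code or any MTA's): a toy policy function plus a simulated sender. The user directory, class labels and reply texts are constructed for illustration.

```python
"""Toy RCPT-phase policy that accepts only one recipient class per SMTP
transaction and answers 452 for the others, so a well-behaved sender
retries them in a separate transaction (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed directory: "A" users want everything, "B" users want standard filtering.
USER_CLASS: Dict[str, str] = {
    "alice@example.org": "A",
    "bob@example.org": "B",
    "carol@example.org": "B",
    "dave@example.org": "A",
}


@dataclass
class Transaction:
    """State the MTA keeps for one SMTP transaction (MAIL ... DATA)."""
    first_class: Optional[str] = None          # class of the first valid recipient
    accepted: List[str] = field(default_factory=list)
    deferred: List[str] = field(default_factory=list)


def rcpt_reply(txn: Transaction, rcpt: str) -> str:
    """Reply to one RCPT TO. Only recipients in the same class as the first
    valid recipient are accepted; any other class gets a 452 (try later)."""
    cls = USER_CLASS.get(rcpt.lower())
    if cls is None:
        return "550 5.1.1 No such user"          # invalid recipients are rejected outright
    if txn.first_class is None:
        txn.first_class = cls                    # remember the class of the first valid RCPT
    if cls != txn.first_class:
        txn.deferred.append(rcpt)
        return "452 4.5.3 Too many recipients"   # the "come back later" reply from the post
    txn.accepted.append(rcpt)
    return "250 2.1.5 OK"


def deliver(recipients: List[str], sender_retries: bool = True) -> List[Tuple[str, List[str]]]:
    """Simulate a sender. Returns one (class, recipients) batch per transaction
    the server accepts; each batch can then be filtered under a single policy.
    A sender that never retries 452 loses the deferred recipients, which is
    why the scheme depends on good behavior on the sending side."""
    batches = []
    pending = list(recipients)
    while pending:
        txn = Transaction()
        for rcpt in pending:
            rcpt_reply(txn, rcpt)
        if not txn.accepted:                     # nothing valid left in this batch
            break
        batches.append((txn.first_class, txn.accepted))
        pending = txn.deferred if sender_retries else []
    return batches
```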


Re: dropping other's email(s) as a "best practice" for hosted email? (was: "anyone recognize these headers? ...")

2018-04-27 Thread David B Funk

On Fri, 27 Apr 2018, Matus UHLAR - fantomas wrote:


On 26.04.18 13:41, L A Walsh wrote:

To my way of thinking, dropping someone else's email,
telling the sender the email is being rejected for having
spam-like characteristics and telling the recipient nothing
seems like it might have legal liability for the for the
user potentially missing vital email.


Refusing to take a mail is not dropping. Noone is required by any means to
accept anything because there may be many reasons a mail can't be accepted.


The place where dropping is a risk is if the next-to-last hop is Dain Bramaged 
and doesn't handle SMTP rejects properly.

But that isn't your server's fault, it's the poor service the sender's using.
(unfortunately the sender may not know of that bad link in their chain).

Also it's entirely possible that the NtLH server may strip off useful 
info from the SMTP reject message and leave the poor sender wondering what went 
wrong. (I'm looking at you MS Exchange).





Re: anyone recognize these headers? From SA or are they from another spam product?

2018-04-25 Thread David B Funk

On Tue, 24 Apr 2018, L A Walsh wrote:


These headers (not these values) are in most or all of my emails.

In one email on the net they were adjacent to SA's headers (but they
aren't in my emails).  I was wondering if anyone knew what
product might be inserting these headers:

X-CSC: 0
X-CHA: v=1.1 cv=6jkfEoj2u7Yj9etNrzOg8LH7MfGxzbc6Xn0EJkmycus= c=1 sm=1
a=nDghuxUhq_wA:10 a=CxQU8S3nryls5r8B3V4N1Q==:17 a=3Y9Ew-73vc-33Fzs_NIA:9
a=wPNLvfGTeEIA:10 a=z11Dn8fxQD8A:10 a=Pmo6RyrIMpYA:10 a=zoqau9DHoPcA:10
a=zE7RolXeqPMA:10 a=CxQU8S3nryls5r8B3V4N1Q==:117
X-CTCH-Spam: Unknown
X-CTCH-RefID: 
str=0001.0A020207.521CE122.0254,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0 
X-WHL: SLR


I don't know  if it is related, but some evidence of scanning by something
called 'ironport', as well as by Semantec.

I'm trying to track down what is scanning my email at an upstream mail host
as they've rejected random emails on initial rcpt of the msg -- without
accepting the message and bouncing it, but just not accepting it
with the message:

  User and password not set, continuing without authentication.
   64.29.145.41 failed after I sent the message.
  Remote host said: 550 5.7.1 vB73jgO3003858 This message has been
  blocked for containing SPAM-like characteristics.


What email SW censors things by rejecting them before accepting them?


Um that should be:
 "What email SW censors things by rejecting them -INSTEAD- of accepting them?"
(rejecting and accepting are mutually exclusive)

Most email SW rejects messages it cannot/does-not want to deliver; EG:
 rejecting messages addressed to invalid or no-longer present users.
 rejecting messages that violate some policy limits (EG an overly-large 
message).

Best practice recommends this behavior. Far better to not even let in the front 
door things you're not going to be able to deliver on the back side.


So it's not unusual to find anti-virus/anti-spam filtering systems that SMTP reject 
unwanted messages.


Bottom line, you need to talk to your ISP/MSP to find out who's running the 
filtering system and what their parameters are.




Re: Can't Get Removed From List

2018-03-01 Thread David B Funk

On Thu, 1 Mar 2018, John Hardin wrote:

A bunch of Javascript to display a *single image*? And it doesn't display 
*any content at all* if javascript is disabled for that site?


That's what I hate about the web these days, there's too much crap 
surrounding the useful content.


 "too much -vulnerable- crap" ...

it's one thing if the javascript is coming from the base site, but these days 
it often is coming from  a bunch of cloud based aggregation servers that could 
be full of who-knows-what.


Can you say AWS Bucket-brigade?



Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

2018-02-25 Thread David B Funk

On Sun, 25 Feb 2018, LeandroCarlosRodrigues wrote:


Amir Caspi wrote

On that note -- regardless of what OTHER HW/SW solutions might do, since
this is a SpamAssassin mailing list ... is there any facility to implement
this in SA?  That is, when calling the URIBL plugin, could it check both
the shortened URL and the expanded URL (for known shorteners) ?  Does that
facility already exist and I missed it?


Hi Guys! We provide an URIBL that already have a script in Perl to expand
redirections until no more redirections:

[snip..]

Just be careful how you do that "expand redirections until no more redirections" 
or you may get caught in a spammer trap.


If you're going thru a professional redirect site like goo.gl or bit.ly you're 
probably pretty safe but if it's a dedicated spammer site beware.


I was testing some redirection expansions on URLs from spam and found a site 
that clearly had been crafted to foil this kind of thing.


It was in one of those "check this out" spams which contains one line of 
greeting and then a URL.


When I grabbed it using curl it returned a 301 redirect, so I grabbed that 
target, which led to another 301, lather-rinse-repeat ad nauseam.
However if you used a browser it went to the target "burn fat pills" site in 
just two redirects.


So my bet is that the spammers are crafty enough to check things like browser 
referrer, cookies, etc to detect/differentiate a browser vs a link-checker.



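A bounded redirect expander of the kind the post warns about, as an added example (not code from the thread or from any URIBL provider). The "remote sites" are constructed stand-ins that return (status, Location) pairs, so it runs offline: a normal shortener chain, an A/B loop, and a site that answers every request with a fresh 301.

```python
"""Follow redirects with a hop limit and loop detection, and collect every
host touched so each can be checked against URI blocklists (constructed example)."""
from typing import Callable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
Fetch = Callable[[str], Tuple[int, Optional[str]]]


def expand_url(url: str, fetch: Fetch, max_hops: int = 5) -> Tuple[List[str], str]:
    """Follow redirects from `url`, stopping at a non-redirect response, at a
    URL already visited, or after `max_hops` fetches. Returns (chain, outcome)
    with outcome 'final', 'loop' or 'hop_limit'. Every URL in the chain, not
    just the last, is a candidate for a URIBL lookup."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        if location in chain:                 # A -> B -> A style loop
            chain.append(location)
            return chain, "loop"
        chain.append(location)
    return chain, "hop_limit"                 # gave up: a signal in itself, not "clean"


def hosts_in_chain(chain: List[str]) -> Set[str]:
    """Hostnames touched while expanding, for checking against URI blocklists."""
    return {urlsplit(u).hostname for u in chain if urlsplit(u).hostname}


# --- constructed stand-ins for remote sites (no network access) ---------------
SHORTENER_CHAIN = {                # well-behaved: two hops, then a landing page
    "http://sh.example/abc": (301, "http://track.example/r?id=7"),
    "http://track.example/r?id=7": (302, "http://shop.example/landing"),
    "http://shop.example/landing": (200, None),
}


def shortener_fetch(url: str) -> Tuple[int, Optional[str]]:
    return SHORTENER_CHAIN.get(url, (404, None))


LOOP_CHAIN = {
    "http://a.example/": (302, "http://b.example/"),
    "http://b.example/": (302, "http://a.example/"),
}


def loop_fetch(url: str) -> Tuple[int, Optional[str]]:
    return LOOP_CHAIN.get(url, (404, None))


def trap_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Models the site in the post: a link checker gets a new 301 every time,
    so "expand until there are no more redirects" never terminates."""
    n = int(url.rsplit("/", 1)[1] or 0)
    return 301, f"http://trap.example/{n + 1}"
```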


Re: Bayes not auto-learning?

2018-02-23 Thread David B Funk

On Fri, 23 Feb 2018, Amir Caspi wrote:


Hi all,

So, I've been trying to tweak my setup and noticed that VERY few of my 
emails are being autolearned as spam, even when their spam threshold is far above 
the autolearn threshold.  The threshold is set to 12; I just saw a spam with score 
>25 not being autolearned.

Are there rules that prevent autolearning?  If so, why?  If a spam 
scores really high because it hits (let's say) 10 or more rules, but just one 
of those rules is enough to prevent autolearning, that seems overly 
restrictive, no?

For example, for one of my users, out of about 650 spams received in 
the last month, only 10 have been autolearned.  For another user, only 12 of 
nearly 1400.  That seems like a very low percentage, and clearly some 
high-scoring spams are not being auto-learned.

Any explanation is appreciated!

Thanks!

--- Amir


If you read the spamassassin documentation about Bayes auto-learning you will 
see that there are several conditions that must be satisfied.


For example, there are some types of rules which aren't considered at all when 
computing the auto-learning threshold score (such as white/black list scores or 
rules tagged with the noautolearn tflag or the actual Bayes score itself).


Of the types of rules which are allowed, at least 3 of those points must come 
from header type rules and at least 3 of those points must come from body type 
rules.


So a spam can have 100 points from a blacklist and not auto-learn.

It could have 20 points from a whole bunch of body rules but if it only hit 2
points via header rules it still will not auto-learn.

Another possible factor, if you have "bayes_auto_learn_on_error" enabled, then 
autolearn will be skipped if Bayes already agrees with the condition of the 
message. IE: if the message is already classified as BAYES_99 then it won't 
bother auto-learning it as yet another high-ranking spam.


What I usually see in auto-learned spam is that they hit a number of network RBL 
rules (spamhaus, SORBS, etc) and a number of body rules such as RAZOR, URIBLS, 
etc.



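The auto-learn gating described in the post, as an added example (a simplified model, not SpamAssassin's own code). Rule names, scores and the mapping of rule types onto the header/body buckets are constructed; the thresholds are SA's defaults (12.0 spam, 0.1 ham, required_score 5.0) and the documented minimum of 3 header points and 3 body points for learning spam, and the "never learn ham from a message tagged as spam" guard is this model's own choice.

```python
"""Simplified model of Bayes auto-learn eligibility (constructed example)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# tflags that keep a rule's score out of the auto-learn computation:
# noautolearn (explicit), userconf (white/black lists), learn (the Bayes rules).
EXCLUDED_TFLAGS = {"noautolearn", "userconf", "learn"}
HEADER_KINDS = {"header"}
BODY_KINDS = {"body", "rawbody", "uri", "full"}   # assumption: the body-side rule types


@dataclass(frozen=True)
class Hit:
    name: str
    score: float
    kind: str                        # rule type keyword: header, body, uri, meta, ...
    tflags: Tuple[str, ...] = ()


def autolearn_points(hits: Iterable[Hit]) -> Tuple[float, float, float]:
    """Return (total, header_points, body_points), counting only eligible rules."""
    total = header = body = 0.0
    for h in hits:
        if EXCLUDED_TFLAGS & set(h.tflags):
            continue
        total += h.score
        if h.kind in HEADER_KINDS:
            header += h.score
        elif h.kind in BODY_KINDS:
            body += h.score
    return total, header, body


def autolearn_decision(hits: Iterable[Hit], spam_threshold: float = 12.0,
                       ham_threshold: float = 0.1, required_score: float = 5.0,
                       bayes_opinion: Optional[str] = None,
                       learn_on_error: bool = False) -> Tuple[str, str]:
    """Return ('spam' | 'ham' | 'no', reason). bayes_opinion is what Bayes already
    said ('spam', 'ham' or None); with learn_on_error set, a message Bayes already
    classifies the same way is skipped (bayes_auto_learn_on_error)."""
    hits = list(hits)
    total, header, body = autolearn_points(hits)
    full_score = sum(h.score for h in hits)      # the score the user sees, all rules included
    if total >= spam_threshold:
        if header < 3.0 or body < 3.0:
            return "no", (f"{total:.1f} autolearn points but header={header:.1f} "
                          f"body={body:.1f}; both must be >= 3")
        if learn_on_error and bayes_opinion == "spam":
            return "no", "Bayes already says spam"
        return "spam", f"{total:.1f} points, header={header:.1f} body={body:.1f}"
    if total <= ham_threshold:
        if full_score >= required_score:         # model choice: tagged spam is never learned as ham
            return "no", f"only {total:.1f} autolearn points but full score {full_score:.1f} is spam"
        if learn_on_error and bayes_opinion == "ham":
            return "no", "Bayes already says ham"
        return "ham", f"{total:.1f} points"
    return "no", f"{total:.1f} points is between the ham and spam thresholds"


# Constructed scenarios matching the cases in the post.
BLACKLIST_ONLY = [Hit("USER_IN_BLACKLIST", 100.0, "header", ("userconf", "noautolearn"))]
BODY_HEAVY = [Hit(f"BODY_RULE_{i}", 4.0, "body") for i in range(5)] + [Hit("HDR_RULE", 2.0, "header")]
TYPICAL_SPAM = [
    Hit("RCVD_IN_XBL", 3.0, "header"), Hit("RDNS_NONE", 1.5, "header"),   # network/header side
    Hit("RAZOR2_CHECK", 2.5, "body"), Hit("URIBL_BLACK", 2.0, "uri"),    # body side
    Hit("HTML_MESSAGE", 3.5, "body"), Hit("BAYES_99", 3.5, "body", ("learn",)),
]
```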


Re: Custom rule don't match without empty line before the string!

2018-02-22 Thread David B Funk

On Thu, 22 Feb 2018, RW wrote:


On Thu, 22 Feb 2018 15:54:45 +0100
saqariden wrote:


Hello guys,

I have the following SA rule which is supposed to block base64
encoded mails:


This may be dangerous.  If someone doesn't wish to use 8bit text then
base64 encoding of UTF-8 is a sensible choice; QP is very inefficient
unless the text is almost completely ASCII.



body EN_BASE64_B /(Content-Transfer-Encoding: base64\sContent-Type: text\/(plain|html); charset="?utf-8"?)|(Content-Type: text\/(plain|html); charset="?utf-8"?\sContent-Transfer-Encoding: base64)/i
describe EN_BASE64_B TEXT OR HTML B64 ENCODED
score EN_BASE64_B 5

this is the mail that i want to stop:


the rule don't match for this mail, but it match when i had an empty
line like this:
..
How can i do to match the both, with the empty line and without it?


body rules check only the text that's visible in a mail client
(including the subject text). This rule only works at all if you make
the mime unparsable.

For mime you need "full" instead of "body". You then need an
explicit \n between lines.


I agree with RW about the risk of FPs from that approach, particularly if you 
have international correspondents.


However if you really want to do that, you need to use the "mimeheader" kind of 
rule. It works like a regular message 'header' type of rule but processes mime 
headers within the message contents.


For example, to catch messages with a particular mime attachment file name I 
have a rule:


mimeheader L_BANK_PHISH1 Content-Disposition =~ m!attachment; filename="[\w\s\d._-]{1,30}verification\.html?"$!i



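Why a `body` rule cannot see MIME headers and what a `mimeheader`-style scan of each part's own headers sees, as an added example (not code from the thread). The message is constructed, and the attachment pattern is the L_BANK_PHISH1 regex from the post rewritten for Python's re module.

```python
"""Constructed two-part message: base64 UTF-8 text plus an HTML attachment,
then the "visible text" view versus the per-part MIME header view."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

# The mimeheader rule quoted above, as a Python regex.
BANK_PHISH_RE = re.compile(r'attachment; filename="[\w\s\d._-]{1,30}verification\.html?"$', re.I)


def build_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = "sender@example.org"            # constructed addresses
    msg["To"] = "user@example.net"
    msg["Subject"] = "Account notice (constructed sample)"
    # UTF-8 text forced to base64, the case the original poster wanted to catch
    msg.set_content("Votre compte nécessite une vérification.\n", charset="utf-8", cte="base64")
    msg.add_attachment("<html><body>Please verify your account.</body></html>\n",
                       subtype="html", filename="account verification.html",
                       disposition="attachment")
    return msg.as_bytes()


def _parts(raw: bytes):
    """Leaf MIME parts with plain-string headers, roughly what a rule engine sees."""
    top = email.message_from_bytes(raw, policy=policy.compat32)
    return [p for p in top.walk() if not p.is_multipart()]


def visible_text(raw: bytes) -> str:
    """Decoded text of the text/* parts: the material a SpamAssassin `body` rule
    matches. (SA additionally strips HTML tags; that is omitted here.)"""
    chunks = []
    for p in _parts(raw):
        if p.get_content_maintype() == "text":
            charset = p.get_content_charset() or "us-ascii"
            chunks.append(p.get_payload(decode=True).decode(charset, "replace"))
    return "\n".join(chunks)


def mimeheader_matches(raw: bytes, header: str, pattern: "re.Pattern") -> List[str]:
    """Values of `header` on any MIME part that match `pattern` (mimeheader-style)."""
    found = []
    for p in _parts(raw):
        for value in p.get_all(header, []):
            value = " ".join(value.split())       # unfold continuation lines
            if pattern.search(value):
                found.append(value)
    return found


def base64_text_parts(raw: bytes) -> List[str]:
    """Content types of text/* parts whose own headers say base64: the condition
    the original poster tried, and failed, to express as a `body` rule."""
    return [p.get_content_type() for p in _parts(raw)
            if p.get_content_maintype() == "text"
            and (p.get("Content-Transfer-Encoding") or "").strip().lower() == "base64"]
```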


Re: catch today's PDF pillz spam

2018-02-19 Thread David B Funk

On Mon, 19 Feb 2018, Axb wrote:


oooppps - missing a backslash

mimeheader  AXB_CTYPE_SPELLHERO  Content-Type =~ /\bapplictaion\/pdf\b/

On 02/19/2018 05:24 PM, Axb wrote:


catch today's PDF pillz spam

mimeheader  AXB_CTYPE_SPELLHERO    Content-Type =~ /bapplictaion\/pdf\b/

the typo is the trait ;)

enjoy while it lasts


FYI:
If you use an explicit pattern-match delimiter you can avoid the "leaning 
toothpicks" syndrome. (particularly relevant for URIs).


EG:

uri MY_URL_FILTER1 /\bhttp:\/\/this-is\.adomain\.com\/this\/is\/a\/path\b/

uri MY_URL_FILTER2 m!\bhttp://this-is\.adomain\.com/this/is/a/path\b!

Still need to escape those meta-chars (EG: \b) and explicit matches on dots,
but otherwise makes it more readable.

I realise this wouldn't have helped you with your type-o, but it does make it 
easier to see at a glance.




Re: URIBL_BLOCKED

2018-02-13 Thread David B Funk

If you read that informational spamassassin wiki page referenced in that message
you'd know that it has nothing to do with querying a Russian RBL.

That Russian URI is what the query to URIBL was asking.
So your use of URIBL (via spamassassin) hit a threshold and was blocked.

Read that spamassassin wiki page for more information.


On Tue, 13 Feb 2018, @lbutlr wrote:


0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was blocked.
   See
   
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
   [URIs: cz-salda.ru]

So, I’ve never heard of cz-salda.ru, is that the RBL that is blocking me? If 
so, where is it listed in SA’s configuration (FreeBSD 11.1-RELEASE)? (tried a 
`grep salda.ru /usr/local/etc/mail/spamassassin/*` for no results)

Also, why would anything be checking a Russian RBL?

Supposedly I can disable this with a line like

Score RCVD_IN_ORBS 0

But “ORBS” wouldn’t be right and there’s nothing in the text above to indicate 
what it might be.






Re: Barracuda Reputation Block List (BRBL) removal from the SA ruleset

2018-02-06 Thread David B Funk

On Tue, 6 Feb 2018, Kris Deugau wrote:


Alex wrote:

These phishes we've received were all from otherwise trusted sources
like salesforce, amazonses and sendgrid. These are examples that I
believe were previously whitelisted because of having received a phish
through these systems but have no been disabled.

whitelist_auth *@bounce.mail.salesforce.com
whitelist_auth *@sendgrid.net
whitelist_auth *@*.mcdlv.net


I've seen enough spam sent through all three - both by way of whole 
apparently spammer-owned accounts and cracked-but-otherwise-legitimate 
accounts - that I would never blanket-whitelist whole bulk email providers.


Legitimate mail sent through them generally gets through anyway IME.


An alternative is to use "def_whitelist_auth" instead of "whitelist_auth"
That gives a -7.5 point bump to usually good sources which may occasionally get 
abused.


That way if one of their accounts gets p0wned your anti-phish rules have a 
chance of pulling the junk into the spam-tagged range.





Re: Scoring Issues

2018-01-26 Thread David B Funk

On Fri, 26 Jan 2018, John Hardin wrote:


On Fri, 26 Jan 2018, b...@inter-control.com wrote:


Oh, here is the X-SPAM status from the command line:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    M1-2.dettenwanger.inter-control.com
X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=23.0 required=4.0 tests=DKIM_SIGNED,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_SBL_CSS,RDNS_NONE,T_DKIM_INVALID,
    URIBL_ABUSE_SURBL,URIBL_BLACK,URIBL_DBL_SPAM autolearn=no 
autolearn_force=no

    version=3.4.0
MIME-Version: 1.0

Bob


RAZOR and URIBL hits.

Is amavis perhaps configured to disable network tests?




On 1/26/18 2:48 PM, David Jones wrote:

On 01/26/2018 02:39 PM, b...@inter-control.com wrote:

The headers that get through are usually along the lines of:

X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=- required=5
tests=[HTML_MESSAGE=0.001, SPF_HELO_PASS=-1, SPF_PASS=-1,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham autolearn_force=no



Regardless, giving -1 score for SPF_PASS and another -1 for SPF_HELO_PASS 
is nontrivial DainBRamage.


It's trivial for a spammer to set up SPF on a throw-away domain and thus waltz 
thru that kind of filtering.


Who set up amavis with that kind of idiocy?


Re: check utf-8 subjects/from?

2017-12-13 Thread David B Funk

On Wed, 13 Dec 2017, AJ Weber wrote:

Is there an easy way to check if the Subject or From is UTF-8 -- or non-ASCII 
-- char set?


I see in some of my recent spam, either the Subject or the From (sometimes 
both) starts with "=?UTF-8?" (in these cases the rest is Base64 encoded, but 
I don't want to qualify on that).


If I check a header with a "header ... =~" regex rule, is it the raw text 
that I will check, or is it the decoded characters I will be checking 
against?


If it's the raw text, I can probably just look for that prefix to indicate 
the UTF-8 encoding.


I do get some legitimate emails with encoded chars and emojis, etc...but I 
think I'd like a rule to support it being SPAM in general.


As other people have said, the header ":raw" rule form will let you match on 
that.
There are two commonly used encoding methods for UTF-8:
 Base64 "=?utf-8?B?"
 Quoted-Printable "=?utf-8?Q?"

There's nothing that prevents a mailer from using either for purely 7-bit ASCII,
even though it isn't necessary. You are more likely to see that used by 
international clients. They may just utf-8 encode by default so as not to have to 
do special processing for non 7-bit ASCII headers.



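The two views of an encoded header contrasted in the post, the raw RFC 2047 form a ":raw" rule sees versus the decoded text a plain header rule sees, as an added example (not code from the thread). It also flags whether the encoding was actually needed, the "7-bit text encoded anyway" case; sample values are constructed.

```python
"""Classify a raw Subject/From value: encoded-word form, charset, B/Q encoding,
decoded text, and whether the decoded text is really non-ASCII (constructed example)."""
import base64
import re
from email.header import decode_header
from typing import Dict

ENCODED_WORD_RE = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")


def classify_header(raw_value: str) -> Dict[str, object]:
    words = ENCODED_WORD_RE.findall(raw_value)
    decoded = []
    for chunk, charset in decode_header(raw_value):
        if isinstance(chunk, bytes):
            decoded.append(chunk.decode(charset or "ascii", "replace"))
        else:
            decoded.append(chunk)                 # a header with no encoded words comes back as str
    text = "".join(decoded)
    return {
        "encoded": bool(words),                                   # what a :raw rule can test
        "charsets": sorted({c.lower() for c, _, _ in words}),
        "encodings": sorted({e.upper() for _, e, _ in words}),   # "B" (base64) and/or "Q"
        "decoded": text,                                          # what a plain header rule sees
        "needed": any(ord(ch) > 127 for ch in text),              # False: 7-bit text encoded anyway
    }


# Constructed samples: genuinely non-ASCII (B), pure ASCII encoded anyway (Q), and plain.
SUBJECT_B64 = "=?UTF-8?B?" + base64.b64encode("🎉 Félicitations".encode("utf-8")).decode("ascii") + "?="
SUBJECT_Q_ASCII = "=?utf-8?Q?Invoice_for_March?="
SUBJECT_PLAIN = "Invoice for March"
```

Scoring on `encoded` alone would hit all three kinds of international client the post describes; `needed` separates the ones that carry non-ASCII text from those that encode 7-bit text by default.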


Re: help with phishing email?

2017-12-08 Thread David B Funk

On Fri, 8 Dec 2017, John Hardin wrote:


On Fri, 8 Dec 2017, AJ Weber wrote:


I'm trying to decide the best way to detect something like this.

https://pastebin.com/hCX9MWNg


That appears to be corrupt. I downloaded it and ran it through my testbed and 
it wouldn't decode the body.


Don't know if it was the pastebin, but the MIME headers were mangled.
Fixing those (and removing the space at the beginning of the base64 lines) made 
it parse-able.


It's clearly misleading spam, not sure where the phish is. (but then I didn't go 
thru their "survey").


There's a bunch of anomalous things about that message;

 3 Message-ID: headers, one of which tries to look like from outlook.com
 2 Reply-To: headers, one of which has a clearly bogus address: 
 3 Received: from relay167.mysmtp.mobi (relay167.mysmtp.mobi [93.90.117.141])
lines.

 MIME-Version: 4.0

50 blank lines at the start of the message, borked HTML (mismatched  
tags, code after the closing , etc).


That "http://email dot turnaroundbaby dot be" site looks new & bogus, I just 
tossed it in my personal RBL list.




Re: Whitelisting Sprint with no domain security

2017-12-06 Thread David B Funk

On Wed, 6 Dec 2017, Alex wrote:


Hi,

sprintpcs.com has no domain security and for some reason I can't
whitelist them using whitelist_from_rcvd, or even whitelist_from just
to make it even more simple.

Can someone help me figure out what I'm doing wrong? Ideally I'd like
to avoid whitelisting them, but many people using their cell phones to
email pictures and otherwise empty messages and missing subject. This
causes it to hit pyzor and others which makes an email with just an
image marked as spam.

What is TVD_SPACE_RATIO_MINFP? That appears to be a complex rule, but
adds 2.5 points to a basic email with just an image attachment.

https://pastebin.com/cYtygBY9

I've tried:

whitelist_from_rcvd *@pm.sprintpcs.com sprintpcs.com

Ideas greatly appreciated.


Try to capture an example message as close to the version that gets fed to your 
SA as you can. (Your pastebin example has "Resent" stuff in it that I'm betting 
the original did not).


Take the capture file and feed it directly into SA with the debug flag set:

 spamassassin -D < mail.eml > mail-out.txt 2>&1

examine the output file to see if you can find any clues from the debug stuff as 
to why SA didn't honor your whitelist_from_rcvd statement. (probably something 
like it doesn't trust the header/DNS stuff, or cannot find the envelope 'From' 
address).


whitelist_from_rcvd is a bit crufty but should work.

You can craft some rules (probably have to be meta) that detect cell phone 
messages and negate those annoying rules (EG: TVD_SPACE_RATIO_MINFP & 
TO_NO_BRKTS_HTML_IMG )





Re: Your header "To: undisclosed-recipients:;" is RFC 822 compliant

2017-10-27 Thread David B Funk

On Fri, 27 Oct 2017, A. Schulze wrote:




Am 27.10.2017 um 07:15 schrieb @lbutlr:

RFC 822 is obsolete, replaced by RFC 2822.

... which is obsoleted by RFC 5322 and updated some other RFCs
see https://tools.ietf.org/html/rfc5322


And it still explicitly says that construct is legal:
rfc5322:3.4

   ...   This is done by giving a display name for the group,
   followed by a colon, followed by a comma-separated list of any number
   of mailboxes (including zero and one), and ending with a semicolon.
   Because the list of mailboxes can be empty, using the group construct
   is also a simple way to communicate to recipients that the message
   was sent to one or more named sets of recipients, without actually
   providing the individual mailbox address for any of those recipients.

Anybody can block mail for any reason they want ("my server, my rules"). But if 
they claim to do so with RFC justification for this case, then they're playing 
in the realm of "Alternative Facts"




Re: Bank fraud phish

2017-10-24 Thread David B Funk

On Tue, 24 Oct 2017, Pedro David Marco wrote:


Out of curiosity...

"account is deactivated due to inactive,"  

is this correct in english? shouldn't it be "inactivity"?


It isn't good English, but I've seen worse from official notices.

Now the fact that it claims to be a US financial company being served from a 
South African website with a cPanel SSL certificate which has a ONE MONTH life 
span is darned fishy.



Re: Bank fraud phish

2017-10-24 Thread David B Funk

On Tue, 24 Oct 2017, Rupert Gallagher wrote:


Easy one. The Message-ID is not well formed / RFC compliant. We reject such 
junk upfront. 

Sent from ProtonMail Mobile


On Tue, Oct 24, 2017 at 8:32 PM, Alex  wrote:
  Hi all, I'm wondering if someone has some ideas to handle bank fraud 
phishing emails, and in particular this one:
  https://pastebin.com/wxFtKK16 It doesn't hit bayes99 because we haven't 
seen one before, and txrep subtracts points.
  It also doesn't hit any blacklists. Ideas for blocking these, and more 
general advice for blocking banking fraud/phish
  attacks would be appreciated.


I'm sorry, what RFC does that message-id fail to comply with?
It's of the form :

 "Message-ID: "

Looks darned correct to me.
It's a bit on the long side but I've seen worse and is still not too long.

The fact that there's folded-whitespace in there is totally permissible as long 
as done correctly, which it looks like it is.





Re: OT - Hotmail/Outlook.com marking most of our email as Junk

2017-09-20 Thread David B Funk

On Wed, 20 Sep 2017, Rupert Gallagher wrote:


> 10. The emails we send are operational and notices emails to customers - 
who need them. They call on the phone and complain they haven't received 
them - just to discover they were sent, but ended up in the junk. 

Tell them to send you a copy of the header, then look for clues in their 
anti-spam report. 


Good luck with that.
Have you ever seen the kind of stuff that M$ adds to 
Hotmail/Outlook.com/Office365 etc.. messages?


Then when you try to track down any info on how to interpret the dense pile of 
stuff in a 'x-forefront-antispam-report' header you run into this page:

https://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx

Note the paragraph:

 After accessing the message header information, search for
 X-Forefront-Antispam-Report and then look for these fields. Other fields in
 this header are used exclusively by the Microsoft anti-spam team for diagnostic
 purposes.

IE, we're not tellin..

Having been in the same situation as the OP (Done the full Monty monkey dance, 
MX, DKIM, SPF, abuse@, etc) the only thing that I can say is it's all VouDoo.




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread David B Funk

On Tue, 19 Sep 2017, Chris wrote:


On Wed, 2017-09-20 at 00:40 +0100, Martin Gregorie wrote:

On Tue, 2017-09-19 at 16:44 -0500, Chris wrote:



Thanks Martin, here's what I get, it appears to not be running.

sudo systemctl stop dnsmasq
[sudo] password for chris: 
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.


OK, that makes sense
 


sudo systemctl disable dnsmasq
Failed to execute operation: No such file or directory


That's interesting: I've never seen that before:



[snip..]


It would be interesting to know what 'systemctl status' shows on your
system, though its quite possible it looks similar to what 'systemctl
disable' showed. I can only guess that your system is a transitional
systemd setup, i.e. systemctl is used for service management but some
services (dnsmasq for one) are still running under the old systemV
init
scripts. Fedora installations used to work that way for some
services,
but that was a few versions ago (F21 or 22 at the latest).


Martin
 

Hi Martin, here's what I see:

sudo systemctl status dnsmasq
[sudo] password for chris: 
● dnsmasq.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)
chris@localhost:~$ sudo systemctl enable dnsmasq
Failed to execute operation: No such file or directory
chris@localhost:~$ sudo systemctl status dnsmasq
● dnsmasq.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

I then installed dnsmasq (apparently it wasn't installed)

Results are here - https://pastebin.com/MRR4NCMp


dnsmasq was already there (see your own previous posts) just not put there via 
the "apt" package management system. Thus "apt" didn't know about the rogue 
dnsmasq process, and it failed to start the newly installed one.
(as the rogue dnsmasq process was already there, running, and bound to the DNS 
socket).


So now you have -two- dnsmasq kits, one installed by "apt" and managed thru the 
"systemctl" tools, and another one that somebody put there which is outside the 
realm of "apt" & "systemctl" (thus they don't know how to manage it).


You should really pick one method of installing/managing software and stick with 
it.


This is similar to the mess you get when you mix CPAN with yum/yast/rpm/apt for 
installing Perl modules.




Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread David B Funk

On Thu, 14 Sep 2017, Dianne Skoll wrote:


On Thu, 14 Sep 2017 11:27:27 -0700
"Loren Wilton"  wrote:


Other than being obvious spam, they seem to be set up as though they
were legitimate commercial mailing list stuff, often containing
things like contact-id and the like in the links.



Is anyone else seeing these?


A small number.  The cont...@cron-job.org address is only in the From:
header; the envelope recipients look randomly-generated and sometimes
from unrelated domains.

Should be easy to block.  Just block the cron-job.org domain.


Not to mention that the target URL "proffbuilder DOT com" is listed in several 
URIBLs.





Re: TxRep can't use SQLBasedAddrList factory module

2017-08-15 Thread David B Funk

On Tue, 15 Aug 2017, Christopher Engelhard wrote:


On 08/14/2017 05:24 PM, Kevin A. McGrail wrote:

does mysql -u  -p localhost spamdb work?


Yes, that works. The user has INSERT, DELETE, UPDATE, SELECT privileges.
Does it need CREATE? The table 'txrep' exists with columns username,
email, ip, count, totscore, signedby.

The Bayes-related tables reside in the same DB, and those can be
accessed (though I've only tried it with amavis, not with pure spamd/spamc).

christopher


I've not looked at the TxRep code but some kinds of SQL operations need to be 
able to create temporary tables.


I'd start by giving it all perms (excepting things like GRANT), see if it works, 
and then scale back the perms until you find the minimal necessary set.





RE: Sender needs help with false positive

2017-08-07 Thread David B Funk

On Mon, 7 Aug 2017, Jacek Osuchowski wrote:


This is an email I sent to IsNotSpam.com. They list the whole thing when 
testing for spam. I am getting a lot of complains from our customers that our 
emails are not received. Our domain is not blacklisted anywhere so I suspect it 
is the spam filtering (as IsNotSpam tool indicates). Is there anything in the 
email we send that could trigger flagging as a spam. THANK YOU

https://pastebin.com/J1cdCHAe



Try this experiment.
Take that same message, add two paragraphs of text describing your 
business/organization to the end and DELETE that embedded image.


Re-test and I'll bet that you get a passing score.




Re: Sender needs help with false positive

2017-08-07 Thread David B Funk

On Mon, 7 Aug 2017, David Jones wrote:

[snip..]
This IP is listed on SORBS and Spamhaus ZEN which are going to cause problems 
with delivery to many receiving mail filters, not just SpamAssassin.


http://multirbl.valli.org/lookup/68.192.71.191.html



That's his PC which is the MSA. As it's the first hop, it's not surprising it 
hits Zen PBL (it should, given a host name like ool-44c047bf.dyn.optonline.net).


That shouldn't score against him except in broken SA installations.

His problem is the small amount of text that looks like a phish spam and the 
embedded image.






Re: Sender needs help with false positive

2017-08-07 Thread David B Funk

On Mon, 7 Aug 2017, Alex wrote:


Hi,

On Mon, Aug 7, 2017 at 6:56 PM, Jacek Osuchowski  wrote:

We use emails to allow users to reset their passwords to our website. We
send very brief emails containing the reset password. Example between :




Your password to access your account is:

S]U3bC7k

Upon successful login you may change your password by going to Modify
Account / Change Your Password.







* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%


You can't control their bayes training so there's nothing you can do here.


You -can- control the content of your message. I'm guessing that short
password reset message doesn't have very many tokens, and the ones that it does 
have may be too close a match to things like password phish spams. (something 
that we train heavily on).


Put more text in there that is related to your business/organization which will 
be unique and thus unlike other spammy messages.






* 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words


Are you sending these emails as an image or text?

Do you have a text component to your message as well?


More to the point do you have an image attached/embedded in your message?
If so, either drop it altogether or add a few Kbytes of text to balance it out.




Re: Results of Individual Tests on spamd "CHECK"

2017-08-07 Thread David B Funk

On Mon, 7 Aug 2017, Jerry Malcolm wrote:


I'm invoking spamd using:

CHECK SPAMC/1.2\r\n


I'm getting the expected response such as:

Spam: False ; -1.8 / 4.0

I am trying to figure out how to get the TESTS= results of the individual 
tests returned as well.


(e.g. tests=[AWL=-1.103, BAYES_00=-2.599, HTML_MESSAGE=0.001, URIBL_BLACK=1.955, URIBL_GREY=0.25])
I see there's an option in spamc that appears to do that.  But I can't figure 
out how to make that happen when I do a direct socket invoke of spamd.

Can someone tell me what I need to add to the spamd call (and the syntax) in 
order to get the results of the individual tests returned as part of the status?

Thanks,

Jerry


Jerry,
the spamd 'CHECK' command just returns the status+score, nothing else.

the spamd 'REPORT' command returns the status+score and report.
So replace 'CHECK' with 'REPORT' in your spamd call. Then be ready to read an 
arbitrary number of additional lines in the return connection.


Note that it will not return any part of the original message.
If you want to use any of the SA report features that add additional headers 
(such as the relays header) you will need to use a different spamd command: 
'HEADERS'.


BTW, I cannot tell from your posting if you have one detail correct; you need 
the command, (and any additional optional arguments) then a blank line, then the 
message.


EG:

REPORT SPAMC/1.2\r\n
User: joe-blow\r\n
\r\n





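The request/response shape described in this reply, as an added example that is not part of the original thread or of the SpamAssassin project: it builds a REPORT (or CHECK/HEADERS) request with the mandatory blank line, and parses a multi-line reply into the per-rule scores the poster was after. The sample reply is constructed; `query_spamd` talks to a real spamd on the host/port you pass it.

```python
"""Minimal spamd protocol client: build a REPORT request and parse the reply.

Added example, not part of the original thread or the SpamAssassin project.
Assumes spamd's protocol as the reply describes: a command line such as
"REPORT SPAMC/1.2", optional headers (User:, Content-length:), a blank
line, then the raw message.
"""
import re
import socket

PROTOCOL = "SPAMC/1.2"
# CHECK returns only the status line; REPORT adds the per-rule report;
# HEADERS returns the message with SpamAssassin's headers added;
# SYMBOLS returns just the names of the rules that hit.
COMMANDS = ("CHECK", "REPORT", "HEADERS", "SYMBOLS", "PROCESS")


def build_request(command: str, message: bytes, user: str = None) -> bytes:
    """Serialize one spamd request as bytes ready for the socket."""
    if command not in COMMANDS:
        raise ValueError("unsupported spamd command: %s" % command)
    lines = ["%s %s" % (command, PROTOCOL)]
    if user:
        lines.append("User: %s" % user)
    lines.append("Content-length: %d" % len(message))
    # The blank line is mandatory: spamd reads headers until it sees it,
    # and everything after it is the message.
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + message


def parse_response(raw: bytes) -> dict:
    """Split a spamd reply into status, score, threshold and report lines."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = head.decode(errors="replace").split("\r\n")
    m = re.match(r"SPAMD/(\S+) (\d+) (.*)", headers[0])
    if not m:
        raise ValueError("not a spamd response: %r" % headers[0])
    result = {"version": m.group(1), "code": int(m.group(2)),
              "message": m.group(3), "spam": None, "score": None,
              "threshold": None, "report": []}
    for h in headers[1:]:
        sm = re.match(r"Spam:\s*(True|False)\s*;\s*(-?[\d.]+)\s*/\s*(-?[\d.]+)", h)
        if sm:
            result["spam"] = sm.group(1) == "True"
            result["score"] = float(sm.group(2))
            result["threshold"] = float(sm.group(3))
    # A REPORT body is arbitrarily long; keep its non-empty lines.
    result["report"] = [l for l in body.decode(errors="replace").splitlines()
                        if l.strip()]
    return result


def report_rules(parsed: dict) -> dict:
    """Pull 'score RULE_NAME description' rows out of a REPORT body into a
    {rule: score} mapping, i.e. the tests= data the poster wanted."""
    rules = {}
    for line in parsed["report"]:
        m = re.match(r"\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s", line)
        if m:
            rules[m.group(2)] = float(m.group(1))
    return rules


def query_spamd(message: bytes, host="127.0.0.1", port=783,
                command="REPORT", user=None) -> dict:
    """Send one request to a running spamd and parse what comes back."""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(build_request(command, message, user))
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


# Constructed sample reply in the shape spamd returns for REPORT.
SAMPLE_REPLY = (
    b"SPAMD/1.1 0 EX_OK\r\n"
    b"Content-length: 200\r\n"
    b"Spam: False ; -1.8 / 4.0\r\n"
    b"\r\n"
    b"Content analysis details:   (-1.8 points, 4.0 required)\r\n"
    b"\r\n"
    b" pts rule name              description\r\n"
    b"---- ---------------------- ----------------------------------\r\n"
    b"-2.6 BAYES_00               BODY: Bayes spam probability is 0 to 1%\r\n"
    b" 0.0 HTML_MESSAGE           BODY: HTML included in message\r\n"
    b" 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist\r\n"
)
```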


Re: tflags

2017-08-03 Thread David B Funk

On Thu, 3 Aug 2017, Kris Deugau wrote:


Ian Zimmerman wrote:

On 2017-08-03 10:38, sha...@shanew.net wrote:


The most common ones that I make use of are "multiple" and "maxhits"
in order to allow a rule to be scored for each time it hits, but to
stop counting after some threshold.  I also use the "net" tflag so
that RBL checks only run when a net-based ruleset is loaded.


Where is the concept of "ruleset" in general documented, and in
particular what makes it "net-based"?  Not in Mail::SpamAssassin::Conf.



"Ruleset" is a somewhat fuzzy term that depends on context - it could refer 
to a single rule, a cluster of rules in a single file, a group of files, or 
"all active rules files".  It's not a formal definition within SpamAssassin. 
In this case it's referring to one rule - tflags are only set on a per-rule 
basis.


Any net-based rule is one that relies on a working Internet connection to do 
a data lookup - most commonly DNS lookups, but rules for eg Vipul's Razor 
(RAZOR_* rules), DCC, or Pyzor are also considered net rules since they do a 
lookup against a network service somewhere.


More to the point, if you look at the "spamd" documentation for the "-L" flag 
you'll see:


   -L, --local
   Perform only local tests on all mail.  In other words, skip DNS and 
other network tests.  Works the same as the

   "-L" flag to spamassassin(1).

So all "net-based" rules (as indicated by intrinsic coding or the tflags 'net') 
get ignored when running in --local mode.





Re: Spam with tons of lines with garbage characters, preceded by

2017-07-19 Thread David B Funk

On Thu, 20 Jul 2017, Andrzej A. Filip wrote:


By default messages bigger than 500KB are not sent to spamd for
processing/scanning => the tactics you describe frequently "turns off"
spam filtering.

IMHO SA should design procedures to deal with big messages.
I personally use "scan headers only" approach => it seems
to be a quite good first step.


That can be done in the "glue" that connects your mail system to SA.
In my milter I take in the first 'N' bytes (configurable) of the message, pass 
them to SA and then discard the rest (IE truncating the body of the message).
I had to code it to keep track of the MIME headers (if any) and fabricate a mime 
closing tag after the truncation point to maintain the logical integrity of 
the message.


Another way to do it would be to take a mime-aware filter (like mimedefang) and 
use it to strip off non-textual parts of the message to reduce it down in size 
and feed SA the parts that it actually looks at. This won't help if they embed 
insane amounts of garbage text (then only the truncation scheme will help) but 
will help with spam that has lots of images and junk.



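The truncation scheme described in this reply, as an added example (not the author's milter code): cut the body at N bytes, then append the closing delimiter of every multipart boundary that was opened before the cut and not closed, nested multiparts included, so the truncated message still parses as a valid MIME tree. The sample message is constructed.

```python
"""Truncate a MIME message for scanning and keep it structurally valid.

Added example, not the author's milter code. It keeps the headers plus the
first `limit` body bytes and then appends the closing delimiter of every
multipart boundary that was opened before the cut but not closed, nested
multiparts included. Assumes raw bytes with consistent CRLF or LF endings.
"""
import email
import re

BOUNDARY_RE = re.compile(rb'boundary\s*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)


def find_boundaries(data: bytes) -> list:
    """Boundaries declared in Content-Type headers, in order of appearance.
    A nested multipart declares its boundary inside the outer part, so this
    order is outermost first."""
    found = []
    for m in BOUNDARY_RE.finditer(data):
        b = m.group(1).strip()
        if b and b not in found:
            found.append(b)
    return found


def truncate_mime(message: bytes, limit: int) -> bytes:
    """Cut the body at `limit` bytes, then close any still-open multipart."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in message else b"\n\n"
    nl = sep[: len(sep) // 2]
    headers, _, body = message.partition(sep)
    if len(body) <= limit:
        return message
    kept = body[:limit]
    # Never cut mid-line: a half-written delimiter line would confuse parsers,
    # so drop the partial last line.
    last_nl = kept.rfind(nl)
    kept = kept[: last_nl + len(nl)] if last_nl >= 0 else b""
    out = headers + sep + kept
    # Close innermost first (reverse order of declaration) wherever the
    # closing delimiter "--boundary--" did not survive the cut.
    for b in reversed(find_boundaries(out)):
        closing = b"--" + b + b"--"
        if closing not in out:
            if not out.endswith(nl):
                out += nl
            out += closing + nl
    return out


def closing_ok(data: bytes) -> bool:
    """True when every declared boundary has its closing delimiter."""
    return all(b"--" + b + b"--" in data for b in find_boundaries(data))


def top_level_parts(data: bytes) -> int:
    """How many parts the standard library parser sees at the top level."""
    msg = email.message_from_bytes(data)
    return len(msg.get_payload()) if msg.is_multipart() else 1


# Constructed sample: nested multipart with a large binary part at the end.
SAMPLE = b"".join([
    b"From: sender@example.test\r\n",
    b"Subject: constructed test\r\n",
    b"MIME-Version: 1.0\r\n",
    b'Content-Type: multipart/mixed; boundary="outer"\r\n',
    b"\r\n",
    b"--outer\r\n",
    b'Content-Type: multipart/alternative; boundary="inner"\r\n',
    b"\r\n",
    b"--inner\r\n",
    b"Content-Type: text/plain\r\n",
    b"\r\n",
    b"Hello, this is the readable part.\r\n",
    b"--inner\r\n",
    b"Content-Type: text/html\r\n",
    b"\r\n",
    b"<p>Hello</p>\r\n",
    b"--inner--\r\n",
    b"--outer\r\n",
    b"Content-Type: application/octet-stream\r\n",
    b"\r\n",
    b"A" * 5000 + b"\r\n",
    b"--outer--\r\n",
])
```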


Re: ramsonware URI list

2017-07-15 Thread David B Funk

On Sat, 15 Jul 2017, Antony Stone wrote:


On Saturday 15 July 2017 at 11:19:54, mastered wrote:


Hi Nicola,

I'm not good at SHELL script language, but this might be fine:

1 - Save file into lista.txt

2 - transform lista.txt in spamassassin rules:

cat lista.txt | sed s'/http:\/\///' | sed s'/\/.*//' | sed s'/\./\\./g' |
sed s'/^/\//' | sed s'/$/\\b\/i/' | nl | awk '{print "uri;RULE_NR_"$1";"$2" describe;RULE_NR_"$1";Url;presente;nella;Blacklist;Ramsonware score;RULE_NR_"$1";5.0" }' > listone.txt ; for i in $(sed -n p listone.txt) ; do echo "$i" ; done | sed s'/;/ /g' > blacklist.cf

[snip..]

One observation; that list has over 10,000 entries which means that you're going 
to be adding thousands of additional rules to SA on an automated basis.


Some time in the past other people had worked up automated mechanisms to add 
large numbers of rules derived from example spam messages (Hi Chris;) and there 
were performance issues (significant increase in SA load time, memory usage, 
etc).

Be aware, you may run into that situation. Using a URI-dnsbl avoids that risk.

I see that list gets updated frequently. How quickly do stale entries get 
removed from it?
I couldn't find a policy statement about that other than the note about the 30 
days retention for the RW_IPBL list.
Checking a random sample of the URLs on that list, the majority of them hit 
404 errors.
If that list grows without bound and isn't periodically pruned of stale entries 
then it will become problematic for automated rule generation.


I'm not saying that this isn't an idea worth pursuing, just be aware there may 
be issues.




Re: ramsonware URI list

2017-07-15 Thread David B Funk

On Sat, 15 Jul 2017, Antony Stone wrote:


On Saturday 15 July 2017 at 11:19:54, mastered wrote:


Hi Nicola,

I'm not good at SHELL script language, but this might be fine:

1 - Save file into lista.txt

2 - transform lista.txt in spamassassin rules:

cat lista.txt | sed s'/http:\/\///' | sed s'/\/.*//' | sed s'/\./\\./g' |
sed s'/^/\//' | sed s'/$/\\b\/i/' | nl | awk '{print "uri;RULE_NR_"$1";"$2" describe;RULE_NR_"$1";Url;presente;nella;Blacklist;Ramsonware score;RULE_NR_"$1";5.0" }' > listone.txt ; for i in $(sed -n p listone.txt) ; do echo "$i" ; done | sed s'/;/ /g' > blacklist.cf


If anyone can optimize it, i'm happy.


My first comment would be "useless use of cat" :)

My second comment would be that you can combine sed commands into a single
string, separated by ; so that you only have to call sed itself once at the
start of all that:

sed 's/http:\/\///; s/\/.*//; s/\./\\./g; s/^/\//; s/$/\\b\/i/' lista.txt | nl


Another observation/optimization; use the perl pattern-match separator character 
specifier to avoid delimiter collision. (EG "m!" ).


The following two regexes are functionally equivalent but one is easier to 
write/read:


  /http:\/\/site\.com\/this\/that\/the\/other\//i

  m!http://site\.com/this/that/the/other/!i

Second one avoids the "Leaning toothpick syndrome" 
https://en.wikipedia.org/wiki/Leaning_toothpick_syndrome


Another way to use that data is to extract the hostnames and feed them into a 
local URI-dnsbl.
Using "rbldnsd" is an easy to maintain, lightweight (low CPU/RAM overhead) way 
to implement a local DNSbl for multiple purposes (EG an IP-addr based list for 
RBLDNSd or host-name based URI-dnsbl).
The URI-dnsbl has an advantage of being easy to add names (just 'cat' them on to 
the end of the data-file with appropriate suffix) and doesn't require a restart 
of any daemon to take effect.
Clearly it has a greater risk of FPs than a targeted rule that matches on the 
specific URL of the malware. However if the site is purpose created by blackhats 
to disseminate malware or a legitimate site that has been compromised and isn't 
being maintained then there's a high probability that it will be (ab)used again 
for other payloads. In that case blacklisting the host name gets all future 
garbage too.
IMHO: any site on that list with more than 3 entries or a registration age of 
less than a year is fair game for URIdnsbl listing.


Looking at that data there are clearly several patterns that could be used to 
create targeted rules.



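The URI-dnsbl alternative discussed in both replies on this list (thousands of generated rules versus a local rbldnsd zone), as an added example that is not from the thread or from rbldnsd/SpamAssassin: it extracts host names from the URL list, keeps the ones with more than three entries (or a domain you already know to be young; registration age needs WHOIS data, so it is passed in rather than looked up), and renders an rbldnsd "dnset" data file plus the SpamAssassin lines that query it. The URLs, the rule name and the zone name are constructed placeholders.

```python
"""Turn a list of malware-distribution URLs into data for a local host-name
URI-dnsbl served by rbldnsd, instead of thousands of SpamAssassin rules.

Added example, not from the original thread. The URLs below are constructed
placeholders, not the real list. Assumes rbldnsd's "dnset" dataset format:
an optional default-value line ":127.0.0.2:comment" followed by one host
name per line (a leading dot would also list all subdomains).
"""
from collections import Counter
from urllib.parse import urlsplit


def hostname_of(url: str):
    """Host name from a URL; None for IP literals or unparsable input."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # bare "host/path" entries
    host = urlsplit(url).hostname
    if not host or host.replace(".", "").isdigit():
        return None  # IP literals belong in an IP-based list, not the URI list
    return host.lower()


def count_hosts(urls):
    """Number of distinct listed URLs per host name."""
    counts = Counter()
    for u in set(urls):  # duplicates in the list should not inflate the count
        h = hostname_of(u)
        if h:
            counts[h] += 1
    return counts


def select_hosts(urls, min_entries=3, young_domains=()):
    """Hosts worth listing: more than `min_entries` URLs on the list, or a
    host under a domain the caller knows to be recently registered."""
    counts = count_hosts(urls)
    young = {d.lower() for d in young_domains}
    chosen = set()
    for host, n in counts.items():
        is_young = any(host == d or host.endswith("." + d) for d in young)
        if n > min_entries or is_young:
            chosen.add(host)
    return sorted(chosen)


def rbldnsd_dnset(hosts, value="127.0.0.2",
                  comment="Listed in local ransomware URI list"):
    """Render a dnset data file: default value line, then one host per line.
    New hosts can simply be appended to this file later."""
    return "\n".join([":%s:%s" % (value, comment)] + sorted(hosts)) + "\n"


def sa_rule_snippet(rule="LOCAL_URIBL_RANSOM", zone="uribl.local.", score=5.0):
    """SpamAssassin config querying the local zone; `rule` and `zone` are
    placeholders for your own names."""
    return "\n".join([
        "urirhssub %s %s A 2" % (rule, zone),
        "body %s eval:check_uridnsbl('%s')" % (rule, rule),
        "describe %s Host name listed in the local ransomware URI-dnsbl" % rule,
        "tflags %s net" % rule,
        "score %s %.1f" % (rule, score),
    ]) + "\n"


SAMPLE_URLS = [  # constructed, not the real list
    "http://compromised.example.net/wp-content/uploads/invoice.doc",
    "http://compromised.example.net/wp-content/uploads/scan.exe",
    "http://compromised.example.net/tmp/a.js",
    "http://compromised.example.net/tmp/b.js",
    "http://compromised.example.net/tmp/a.js",  # duplicate entry
    "http://payload-drop.example.org/x.exe",
    "http://198.51.100.7/drop/1.exe",
    "big-hoster.example.com/user123/doc.zip",
]
```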


Re: Somewhat OT: DMARC and this list

2017-05-19 Thread David B Funk

On Fri, 19 May 2017, David Jones wrote:


From: David B Funk 

 

On Fri, 19 May 2017, RW wrote:



On Fri, 19 May 2017 14:13:22 -0500 (CDT)
David B Funk wrote:



My read on this is that "@ena.com" is living dangerously. They
publish SPF records and DMARC records (with p=reject) but do NOT DKIM
sign their mail.


Most of them pass DKIM, a minority aren't signed.



Urgg, I see that now. I looked at a few of David Jones' posts to this list and
saw that they weren't DKIM signed, so I extrapolated that to a general
assumption.


They are DKIM signed so something must be stripping the headers.


I see that they're using Office-365. This is one of the issues I have with
O-365, it's a black box which is hard to second guess.
Sometimes they DKIM sign, sometimes they don't.
Sometimes they will score incoming messages that are properly DKIM signed as
spam (for no reason other than the DKIM signature, as far as I can tell).



Bottom line; If you put yourself at the mercy of Office-365, using a DKIM policy
of "reject" is risky.


I don't.  Our inbound to and outbound from Office 365 is handled by our
own mail servers that are properly DKIM signing.  I have been reviewing
DMARC reports for years now to make sure we had good SPF, DKIM and
DMARC before recently moving to p=reject.

Dave


I hate to break it to you but you are at the mercy of Office-365 and its erratic 
DKIM policy.


The message from you that I'm replying to here (both the one that came directly 
to me and the copy I got thru the  Apache list server) are -totally- devoid of 
DKIM headers. (If you'd like to see it I can put it up in paste-bin.)


Looking at some of your other posts to this list, many of them do have DKIM 
headers but not all. The interesting part is that the DKIM headers are 
interpolated with the O-365 headers so it looks like O-365 is taking your 
original message, stripping off the DKIM headers and sometimes re-adding them.


Good luck with this, welcome to the O-365 world.

Dave


Re: Somewhat OT: DMARC and this list

2017-05-19 Thread David B Funk

On Fri, 19 May 2017, RW wrote:


On Fri, 19 May 2017 14:13:22 -0500 (CDT)
David B Funk wrote:



My read on this is that "@ena.com" is living dangerously. They
publish SPF records and DMARC records (with p=reject) but do NOT DKIM
sign their mail.


Most of them pass DKIM, a minority aren't signed.


Urgg, I see that now. I looked at a few of David Jones' posts to this list and 
saw that they weren't DKIM signed, so I extrapolated that to a general 
assumption.


I see that they're using Office-365. This is one of the issues I have with 
O-365, it's a black box which is hard to second guess.

Sometimes they DKIM sign, sometimes they don't.
Sometimes they will score incoming messages that are properly DKIM signed as 
spam (for no reason other than the DKIM signature, as far as I can tell).


Bottom line; If you put yourself at the mercy of Office-365, using a DKIM policy 
of "reject" is risky.






Re: Somewhat OT: DMARC and this list

2017-05-19 Thread David B Funk

On Fri, 19 May 2017, Dianne Skoll wrote:


Hi,

Tons of list traffic keeps getting quarantined because of DMARC.  For
example, a recent message from David Jones :

DMARC policy for domain ena.com suggests Rejection as
DMARC_POLICY_REJECT, but quarantined due to rule settings

$ host -t txt _dmarc.ena.com
_dmarc.ena.com descriptive text "v=DMARC1\; p=reject\; sp=reject\; 
rua=mailto:dm...@ena.net\;";

(In this instance, we've overridden the DMARC policy and converted it
to quarantine instead of reject, so I was able to retrieve the email, but...)

I'm pretty sure Mailman can do DMARC-munging.  Can ezmlm do the equivalent
of Mailman's "ALLOW_FROM_IS_LIST" feature?

Regards,

Dianne.


My read on this is that "@ena.com" is living dangerously. They publish SPF 
records and DMARC records (with p=reject) but do NOT DKIM sign their mail.


In general it's dangerous to expect SPF to work thru a maillist or other 
forwarder. Often DKIM will but you cannot count on it (particularly if the list 
engages in Subject munging).


If they're only going to use SPF then publishing a DMARC policy of "reject" is 
risky.

See: https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/

Please let me know if I'm misinterpreting the signs.

Dave



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread David B Funk

On Fri, 19 May 2017, John Hardin wrote:


On Thu, 18 May 2017, Rob McEwen wrote:

In many cases, they explain to me that their settings got auto-overwritten 
by their hoster - who just HAD to switch their resolv.conf file back to 
8.8.8.8


cron. job.


Wouldn't the SA config parameter "dns_server" over-ride what's in the 
resolv.conf, or doesn't that work for RBL queries?


EG, set:
  dns_server 127.0.0.1

in your local.cf file and don't worry about what's in the resolv.conf




Re: Negative rule score not working as expected

2017-05-10 Thread David B Funk

On Thu, 11 May 2017, Benny Pedersen wrote:


Anthony Hoppe skrev den 2017-05-11 00:55:

I'm trying to implement a very simple rule that looks at the
"Received" header(s) and if a string is found apply a negative score.
The rule is as follows:

header AH_KNOWBE4  Received =~ /phishtest\.knowbe4\.com/
score AH_KNOWBE4  score -10.0


above line, remove 2nd score


describe  AH_KNOWBE4  Prevents KnowBe4 campaign emails from falling
into users Junk folders

The rule triggers as expected, but a score of 1 is applied as opposed
to the desired -10.  What am I doing wrong?

Thanks!


Why didn't "spamassassin --lint" bark about this syntax error?



Re: block Bayes autolearn for specific messages

2017-05-10 Thread David B Funk

On Wed, 10 May 2017, John Hardin wrote:


On Wed, 10 May 2017, David B Funk wrote:

Is there any way to use Bayes autolearn in general but prevent it from 
learning specific messages?


I have a specific source of messages (Office-365) which I would like to 
prevent from being autolearned (without scoring them as spam).


I still want those messages to be SA scored using the normal methods, just 
not be considered -at-all- for autolearning.


bayes_ignore_from u...@example.com

bayes_ignore_to u...@example.com


John,
Thanks for the suggestion but I still want Bayes classifier run on those 
messages, just no autolearning.


bayes_ignore_(to|from) prevents both.

I've already got a rule that adds a small score (0.3) to those messages but 
unfortunately they hit minus-score rules (EG: RCVD_IN_MSPIKE_*, 
KHOP_RCVD_TRUST, etc) often enough that they still get learned.


I could jack up the local score add but then I run the risk of FPing O365 
messages that don't hit the minus-score rules.


Is there some kind of score calculation rule that does something along the line 
of "if total score is less than N, add M"


Dave



block Bayes autolearn for specific messages

2017-05-10 Thread David B Funk
Is there any way to use Bayes autolearn in general but prevent it from learning 
specific messages?


I have a specific source of messages (Office-365) which I would like to prevent 
from being autolearned (without scoring them as spam).


I still want those messages to be SA scored using the normal methods, just not 
be considered -at-all- for autolearning.





Re: US-CERT message FP

2017-05-08 Thread David B Funk

On Mon, 8 May 2017, Chris wrote:


whitelist_auth *@*.us-cert.gov us-cert.gov

This should be:

whitelist_auth *@*.us-cert.gov


I don't know why I keep putting the second entry in my 'my-
whitelist.cf' file. I must have read it or something a long, long time
ago in order to be doing this. 


Possibly got the format of whitelist_from_rcvd stuck in your brain. ;)

There is an optional second argument to whitelist_from_dkim which provides the 
domain of a third-party signatory.


EG:
 whitelist_from_dkim j...@example.com
vs:
 whitelist_from_dkim j...@example.net  example.org



Re: US-CERT message FP

2017-05-08 Thread David B Funk

On Mon, 8 May 2017, John Hardin wrote:


On Mon, 8 May 2017, Chris wrote:


I get various posts from US-CERT none so far have been tagged as spam
until today. The raw message with the SA tags is here - https://pastebin.com/f71A2FfW
What it hit on was:

pts rule name  description
 -- -
 5.0 BOTNET Relay might be a spambot or virusbot
  [botnet0.8,ip=208.42.190.173,maildomain=ncas.us-cert.gov,nordns]


That's a bit worrying.

...but that looks like a local rule, I can't find "BOTNET" by itself as a 
rule in SVN. Is it local? How is it defined?



[snip..]


How did ncas.us-cert.gov get classified as a botnet host?



"Botnet" is a SA plugin that was written several years ago by John Rudd which 
tries to look for spammyness clues derived from the DNS/hostname of the 
first untrusted relay. From the source code comments:


# Botnet - perform DNS validations on the first untrusted relay
#looking for signs of a Botnet infected host, such as no reverse
#DNS,  a hostname that would indicate an ISP client or domain
#workstation, or other hosts that aren't intended to be acting as
#a direct mail submitter outside of their own domain.

One of its heuristics is to look for signs of the IP address embedded in the 
hostname (EG looking for things like "client-201.240.187.107.speedy.net.pe") 
as a sign of an infected PC doing direct mail delivery.

This fired on the host name of that site: mailer190173.service.govdelivery.com 
because part of its IP address [208.42.190.173] was found in the name.


Years ago I dropped the default Botnet score (5.0) way down because of FPs like 
this.


I'd be concerned with what caused the DKIM signature to fail validation.
(DKIM_SIGNED, T_DKIM_INVALID).
If something in the mail chain is breaking DKIM validation then attempts to use 
things like whitelist_auth are doomed to failure.



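The "IP address embedded in the hostname" heuristic described in this reply, as an added example that is not the Botnet plugin's own code: the encodings it checks are this example's guesses, chosen to reproduce the false positive on mailer190173.service.govdelivery.com [208.42.190.173] and a genuine hit on a dynamic-pool name like ool-44c047bf.dyn.optonline.net [68.192.71.191] from earlier in this list, together with the local exemption that a site-specific workaround amounts to.

```python
"""Approximation of the Botnet plugin heuristic described above: look for
the relay's IP address, in some encoding, inside its host name.

Added example, not the plugin's own code. The encodings checked here are
this example's guesses, not the plugin's rule set.
"""


def ip_fragments_in_hostname(ip: str, hostname: str) -> list:
    """Which encodings of `ip` occur in `hostname` (empty list: none)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    h = hostname.lower()
    hits = []
    # Whole address, forwards or reversed, with a separator:
    # client-201.240.187.107.speedy.net.pe
    for sep in (".", "-", "_"):
        if sep.join(octets) in h:
            hits.append("full" + sep)
        if sep.join(reversed(octets)) in h:
            hits.append("reversed" + sep)
    # Two adjacent octets run together with no separator: mailer190173.
    # This is the check that fires on legitimate bulk mailers whose names
    # happen to carry part of their address.
    for i in range(3):
        pair = octets[i] + octets[i + 1]
        if pair in h:
            hits.append("adjacent:" + pair)
    # Hexadecimal form used by some cable/DSL pools: 68.192.71.191 -> 44c047bf
    hexform = "".join("%02x" % int(o) for o in octets)
    if hexform in h:
        hits.append("hex:" + hexform)
    return hits


def botnet_check(ip: str, hostname: str, exempt_suffixes=()) -> dict:
    """Heuristic result plus a local exemption list: names under a known
    bulk-mailer domain never fire, whatever fragments they contain."""
    hits = ip_fragments_in_hostname(ip, hostname)
    exempt = any(hostname.lower().endswith(s.lower()) for s in exempt_suffixes)
    return {"hits": hits, "exempt": exempt, "fires": bool(hits) and not exempt}
```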

Re: Today's Google Docs phish

2017-05-03 Thread David B Funk

On Wed, 3 May 2017, Alex wrote:


Hi,

If you haven't heard, there was a huge Google Docs phishing attack
today. Several hundred bypassed our filters in the hour or so before
we were able to identify them. The To address is always
"h...@mailinator.com" and the subject is always " has shared a document on Google Docs with you" where "user name"
is some random user.

https://www.theatlantic.com/technology/archive/2017/05/did-someone-just-share-a-random-google-doc-with-you/525279/

I wanted to provide an example in case it helps, even though chances
are the campaign is dead. We've seen Google proxy and redirect attacks
before and will probably see them again.

https://pastebin.com/aWVaMMni


[snip..]

The LOC_FRAUD_DOC is a local rule and the LOC_URI_RARE_TLD was for
'.pro' from John's rules some time ago. They're only scored at 0.6.

Obviously training these would be enough to put them over to spam, but
would someone like to look at the URI in the body to create a possible
rule? It's likely Google is looking at this more closely - do you
think they will put an end to the redirect that's being used?

Should the score for .pro domains and other rare TLDs be higher?

Have you received any of these? Have you done anything to prevent them
next time or from being received this time?


That target domain "g-docs . pro" was registered 12 days ago via namecheap.com
which was enough to earn it a few extra points at our site.

It's now sitting in a high-scoring local URIBL here (which is enough to get a 
SMTP-REJECT).




Re: MISSING_MIMEOLE and X-MimeOLE

2017-05-01 Thread David B Funk

On Mon, 1 May 2017, Alex wrote:


Hi,

On Mon, May 1, 2017 at 8:44 AM, David Jones  wrote:

From: Alex 


I've taken a more conservative, but also more time-consuming approach
by creating rules that subtract a few points with the right
combination.

I was also hoping there was a more general approach that would make
these rules with such high scores less prone to FPs in the first
place, or at least create a greater burden by default before adding
such high scores to rules involving just a regex.


*  3.3 MSGID_NOFQDN1 Message-ID with no domain name


This one catches even automated reports generated by HP to many of our
users, as well as a common email fax service. They just don't consider
proper RFC compliance in their shell scripts, and to basically turn it
into spam just for that is unreasonable.

Also unfortunately, they don't comply with SPF or DKIM conventions,
and one might argue simply passing SPF_PASS isn't sufficient for a
meta rule before whitelisting.


It's more time-consuming to maintain, but whitelist_from_rcvd lets you 
reasonably safely (safe from spoofing) whitelist a given sender that doesn't 
have DKIM/SPF.


(I'm partial to the "def_whitelist*" version of local whitelists because it will 
save good messages from quarantine but can be over-ridden by heavy-duty spam 
rules (such as malware being sent from a compromised Yahoo user's account).





Re: Can someone post some real-world examples of whitelist_auth, whitelist_spf, and whitelist_dkim?

2017-03-23 Thread David B Funk

On Thu, 23 Mar 2017, fitz wrote:


I am attempting to tighten up my whitelists, replacing whitelist_from with
whitelist_auth, whitelist_spf, and/or whitelist_dkim.  And having trouble.
The simplistic example of
 whitelist_auth b...@example.com  example.net
does not really cut it.

For example, I have the following headers:

Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
  client-ip=76.74.244.76; helo=outbound076.dcm8.com;
  envelope-from=qd_pat_ba7cce6de305fce6b09be229f71e639fdebb287253d1e...@inbound.dcm8.com;
  receiver=some...@bebop.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1;
  d=inbound.dcm8.com;
  h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:List-Unsubscribe;
  bh=glCJ7SPuJhI+sBNWpIcLUzww974=;
  b=xtADEde9s1pYTVT8IBwjLVjOiDNCjf8GY3vaqk7HmMMgRtOzRhRcGZkT+yeKNHwlIOk8iYD9Y6uX
    mMrOwIYFJ1H5iX1hn5Mj+Pd3BTpdhxPDd0YUBbfvmoa/W7hj2plUYDtSKt5wGYU8GRjSNj7xK5zx
    juMZm6vlWkfFTwRdyM8=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1;
  d=questdiagnosticssurvey.com;
  b=mC5TtAPZBG0FwqfSaoAAFEn2hGO193KMoqpRbx/C3CmZ1KTfhcBz+9MsDi5z2dma4tkwLeGXYmMU
    IyL3l2Y9bZD5MhpdA3daN8Z2o23QKgHFM7KHxfovtClAniOhoNDukdWhLAumDMlsmg4GG/iutulk
    TbSLKC7h4SYaWu/Y1js=;
Received: from parking.hostmonster.com (10.0.95.23) by outbound076.dcm8.com
  (PowerMTA(TM) v3.5r15) id hqfm400lr5gd for ; Thu, 23 Mar
  2017 15:39:28 + (envelope-from
  )
Date: Thu, 23 Mar 2017 15:39:28 +
From: Quest Diagnostics 
Reply-To: Quest Diagnostics 

I have tried
 whitelist_(spf|auth|dkim) *@QuestDiagnosticsSurvey.com
(questdiagnosticssurvey.com | inbound.dcm8.com | outbound076.dcm8.com |
dcm8.com)
and none seem to work.  I get SPF AUTH and DKIM_VALID_AU but no
USER_IN_WHITELIST.

I have been able to get the whitelist_auth to work for gmail, comcast, and a
few other places, but this one does not seem to work using the same rules.

From WHERE is one supposed to pull the second parameter for these rules?


I think you are confusing whitelist_(spf|auth|dkim) with 
whitelist_from_received. 
The former only requires single addresses/address-patterns; the latter requires 
pairs of configuration data.


EG for your example try:
  whitelist_auth sur...@questdiagnosticssurvey.com
  whitelist_spf *@inbound.dcm8.com

One slight potential point of confusion: whitelist_(spf|auth|dkim) allows for 
multiple addresses on one line, so it can look a little like 
whitelist_from_received, which -requires- pairs of conf data, but 
whitelist_(spf|auth|dkim) actually works on single addresses/patterns.



FWIW, I personally like the "def_whitelist_*" form. The def_whitelist_*
variant only gives an additional -15 score (instead of the -100 from the full 
variant). This usually gives the necessary boost to get mis-classified messages 
past filtering without totally swamping nasty spam that sometimes gets emitted 
from ordinarily whitelisted sources. (EG when a whitehat business gets 
compromised or one of their staff gets phished).



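As an added example (not code from the thread or from SpamAssassin itself), the following Python pulls the three identities these directives key on out of a message's headers and emits the directive that would actually match each one, using the directive names as documented in Mail::SpamAssassin::Conf (whitelist_from_spf, whitelist_from_dkim, whitelist_auth). The sample headers are constructed after the ones quoted in the question; the local-parts and DKIM values are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread; the
# local-parts and the bh=/b= values are placeholders, not data from it.
SAMPLE_HEADERS = """\
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=76.74.244.76; helo=outbound076.dcm8.com;
 envelope-from=bounce@inbound.dcm8.com; receiver=someone@example.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1;
 d=inbound.dcm8.com; h=Date:From:To:Subject; bh=placeholder=;
 b=placeholder=
From: Quest Diagnostics <sender@questdiagnosticssurvey.com>
Subject: constructed test message

"""

# Matches 'tag=value' pairs in DKIM-Signature and Received-SPF values.
_TAG = re.compile(r'(?:^|[;\s])([A-Za-z-]+)=([^;\s]+)')


def tag_values(header_value):
    """Split a 'k=v; k=v' style header value into a dict."""
    return {k.lower(): v for k, v in _TAG.findall(header_value)}


def whitelist_candidates(raw_headers):
    """Return the directive lines that would actually match this sender."""
    msg = message_from_string(raw_headers)
    from_addr = parseaddr(msg.get('From', ''))[1].lower()
    from_dom = from_addr.rsplit('@', 1)[-1]
    spf = msg.get('Received-SPF', '')
    spf_pass = spf.lstrip().lower().startswith('pass')
    env_from = tag_values(spf).get('envelope-from', '').lower()
    env_dom = env_from.rsplit('@', 1)[-1]
    dkim_dom = tag_values(msg.get('DKIM-Signature', '')).get('d', '').lower()
    lines = []
    if spf_pass and env_from:
        # whitelist_from_spf keys on the envelope sender, not on From:.
        lines.append('whitelist_from_spf *@%s' % env_dom)
    if from_addr and dkim_dom:
        # whitelist_from_dkim keys on From:; the signing domain must be
        # given explicitly when a third party (here dcm8) signs the mail.
        signer = '' if dkim_dom == from_dom else ' ' + dkim_dom
        lines.append('whitelist_from_dkim %s%s' % (from_addr, signer))
    if from_addr and (dkim_dom == from_dom or (spf_pass and env_dom == from_dom)):
        # whitelist_auth only fires when SPF or DKIM aligns with From:.
        lines.append('whitelist_auth %s' % from_addr)
    return lines
```

Run against the sample it yields the SPF and DKIM forms only, since neither the envelope sender nor the signer is the From: domain, which is exactly the case where a bare whitelist_auth on the From: address has nothing to match.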
