RE: Re[2]: spamassassin with gmail

2024-04-15 Thread Marc
> >Why not just forward messages? Register a domain, put some mx servers in
> front of gmail's mx. I recently was testing with such relay/forward, works
> perfectly, I am only changing the envelope nothing else. DKIM, spf
> everything perfectly working.
> >
> I'd be interested to know if anyone runs spamassassin forwarding from
> gmail back into gmail, how does this work?  How to get it so mail isn't
> in a loop?  You can't do what I'm talking about just by forwarding.
> More below on that.

You have to get a domain and put it in front. You need to be able to set your own 
mx records so you can do your scanning of messages on these mx servers. This is 
how most of these 'anti spam' providers work.


> 
> In my own testing of this, my gmail Spam folder varies between 1500 and
> 5000 messages at any given time.  Sometimes there's a false positive
> that no matter how many times I tell gmail it's not spam, mail from that
> user ends up in Spam. 

I am actually surprised to read that. I currently have a setup where users can 
drag a message to a folder and then the sender is whitelisted for any future 
message.

> I also find gmail is not perfect and it misses
> 1-2 spams roughly every day that end up in my inbox.  I have already
> pressed the spam button once this morning.  I've spent quite a bit of
> time pulling down individual false negative messages and running them
> through spamassassin on my server and they almost always get scored
> highly as spam.  So I personally find such a plumbing to be useful.

You also have to check whether a lot of spamassassin's knowledge doesn't come 
from external sources like dnsbl and dnsuribl. If you would scale your service, 
you need to start paying for these.
 
Register a new domain notgmail.com, set up your own mx forward, scan and forward 
to gmail. Afaik you should be able to configure gmail to use notgmail.com as 
outgoing email address.

> What I have is a plumbing that does the message manipulation and a bunch
> of other things which are not pertinent.  Some of the hard work is done,
> it would still need some work to release to the world.  Pulling messages
> out and putting them back in is not as easy as it sounds and I can

With sieve it is not that difficult. If a user drags it to a specific folder, 
it is unmarked, the unmarked message is put back in the inbox and the sender is 
whitelisted forever. 
 
> honestly say the devil is in the details, but the good news is that part
> now works well.  I am just trying to figure out what to do with it, if
> it's useful beyond family and friends, or if there is a more general
> interest in being able to use spamassassin on other providers such as
> gmail or yahoo.  If there's insufficient interest, that's fine, I'll
> just use it myself.
> 

If you like developing such stuff, you should look into this unified 
messaging/document storage. Lots of companies are interested in better 
archiving their documents with their correspondence. Most of those services 
hook into your mailbox to do all kinds of management, tagging, searching etc. 
That has a target audience willing to pay for such a service.


RE: spamassassin with gmail

2024-04-15 Thread Marc
> 
> Do any of you use spamassassin with a gmail account, and if so, how are
> people doing it?  The reason to do this is gmail's spam filtering isn't
> perfect 

You can add to this that gmail actually is also losing email, and annoying is 
that you can't send zip files. I am constantly asking people to give me a 
different email address.


> We built some plumbing to do this using gmail's API, and also IMAP which
> can work with other services such as yahoo or outlook.  I'm wondering if
> this is of any use to anyone other than myself.

I don't like any daemon connecting to my mail storage. Can you imagine if your 
solution gets hacked, how much data would be compromised? I prefer messages 
being scanned/marked before stored. I wonder if this is even gdpr compliant, 
because you can access private data constantly.


> Essentially, it's a daemon that connects to the account and acts as a
> mail client (an MUA).  When messages arrive in a mailbox (could be any
> folder really), sucks out the message, runs it through spamassassin, and
> puts the result either into the Spam folder or Inbox.

Why not just forward messages? Register a domain, put some mx servers in front 
of gmail's mx. I recently was testing with such relay/forward, works perfectly, 
I am only changing the envelope nothing else. DKIM, spf everything perfectly 
working.


> I'm just wondering what to do with this plumbing software, if it should
> be open sourced or run as a service.  Running it as a service couldn't be
> free as I don't have access to free servers.

So for the whole of Europe you need a data processing agreement for accessing 
the mail storage as a 3rd party.


>  The daemon in it's current
> state is a bit complicated to set up on it's own but it could definitely
> be cleaned up, especially if there was sufficient interest.

I think this design is just wrong from the start. I sometimes see that clients' 
mailboxes are accessed from the digitalocean cloud because they granted access 
via their phone. Especially iOS is really insecure/bad with such privacy. It is 
just crazy giving access to your whole mailbox for maybe a one-time action on 
an incoming email.


> I bet this could also be put together using getmail5 instead of this
> special built daemon but that would imply polling instead of push.
> Several ways to do this.
> 

Maybe forget about this? ;)



RE: WARNING: Microsoft has earned removal from SA default welcomelist

2024-04-13 Thread Marc

All nice and well, but a few decades too late. There should never have been such 
a default whitelist. Companies should take care not to be on blacklists, and 
should maintain some degree of standard implementation to send out email. After 
all, spf -all has existed for a long time already. So why are 
google/microsoft/yahoo etc still not using it? Why don't they separate free/spam 
clients on different infrastructure? Now these companies are big enough to abuse 
the market and force everyone to customize just for them. If you would block 
them now like any other company, clients complain and move their business to, 
yes, the market abusing companies.

It is just crazy that on the internet you are expected to clean up someone 
else's mess. If the McDonald's next door creates a mess, you are also not 
cleaning it, you go and ask them to clean up their own shit.


> 
>   In my opinion, this is an indication that the default welcomelist
> entries in the official
> 
> I'm good with that, so long as likes of google are not in any whitelist
> either.
> 
> I haven't been following all the anti spam stuff as much as I used to (I
> have people to do that for me so I can enjoy more of life) in past few
> years, but I've never believed the big providers should ever have been
> whitelisted.
> 
> I've used clear uridnsbl skip domain for donkey's years (I think that's
> the option that removes the dnsbl whitelistings, going off memory) but
> perhaps there should also be a similar command (if it doesn't already exist?)
> that clears and disables /all/ whitelisting in rules as well, yes I know
> in the past the recommended method was writing a gazillion entries in
> local.cf zeroing out their scores, but isn't that kind of stupid in 2024.
> 
> Trust must be earned, not implied (or bought), as Joanne points out, "my
> spam is your ham and vice versa"
> 
> 
> --
> 
> 
> Regards,
> Noel Butler
> 
> 
> 



RE: Dynamic blacklist ?

2024-04-12 Thread Marc


>   do you know if there is a way to have a blacklist, either for user or
> eventually for an entire server, that could be fed via some scripts ?

Yes, create your own dns blacklist.

> A sort of auto_learn but only for addresses ( to or from ) ?

No such thing as only for... You have to implement multiple things and try to 
catch the default crap at an early stage by something that does not consume 
much resources.
I have my from= and/or to= dnsbl at the end of all checks.

Currently I am marking spam at server level and individual users can whitelist 
messages marked as spam. So next time when a marked message arrives, it is 
unmarked again.
But this is not done via dnsbl but with a local user whitelist db with sieve. 




RE: disable URIBL_ and spamhaus.net

2024-04-03 Thread Marc

> I must change or disable permanently spamhaus.net and everything it
> uses.
> 
> They calculated the rate so much that I couldn't afford to use their toys
> 
> Does anyone have an interesting solution to this problem?
> Or maybe some other lists connected?
> 

Do you really need url checking? Maybe you can make a caching servlet so you do 
not send duplicate requests? I am thinking of doing this for geo / reverse geo 
lookups.




RE: OT: Microsoft Breech

2024-03-19 Thread Marc
I am using spamcop and spamhaus to block. There are indeed outlook.com ip 
addresses that bounce. 

> 
> Does anyone else just block all traffic from *.onmicrosoft.com? I have
> literally NEVER gotten anything from that domain which is not obvious junk.
> 
> I set up postfix to just flat out refuse anything from that domain.[1]
> If I get any complaints, I may ease it up, but I was getting TONS of
> spam messages from that domain and I figured it was easiest to just
> block it.
> 


RE: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-19 Thread Marc
> > Byung-Hee HWANG skrev den 2024-01-08 12:27:
> >
> > > Gmail is my last INBOX. That's enough for me.
> >
> > +1, so you are ready to setup google mx ? :)
> >
> 
> Hello Benny,
> 
> Actually I used Google MX for 10 years. Recently, I created dedicated
> MXs and am continuing to operate them. Plus, the dedicated MXs run on
> Google Cloud and RimuHosting.
> 
> I terminated my Google Workspace commercial account 2 years ago.
> 

Hi Byung and Benny, are you having a nice MX party? :)



RE: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-10 Thread Marc
Yes, it is fucked up that experience and wisdom come with getting older ;)

https://faculty.cs.niu.edu/~rickert/cf/hack/require_rdns.m4


> 
> Marc - You are correct.  All the IP sources of this spam don't have a valid
> reverse lookup of the IP address to an IP name.   That will solve my
> problem.  Thanks! - Mark
> 
> On 11/9/2023 12:38 PM, Marc wrote:
> > Do you at least verify the reverse lookup? That already stops a lot of
> such networks.



RE: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Marc
> 
> Heck, maybe I should just block the whole country.  :)

You have to be careful with this. I think there are 'organisations' that 
specifically abuse with the intent to provoke you into a blanket block of a 
specific region/range.





RE: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Marc
> 
> The spam is coming from many different IP ranges, with little
> repetition.   Most of them are from countries like Afghanistan,
> Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan.  Are these the
> latest sources that spam software is using, because other countries have
> tightened up their security?

Do you at least verify the reverse lookup? That already stops a lot of such 
networks.

> I've been using spamassassin for almost several decades, and I've never
> noticed anything like this.  I don't understand why the spam continues
> to be sent over and over.  I do reject emails with a very high spam,
> which these spams have.  So I tried changing my configuration to discard
> the email instead, hoping the spammer software would decide that the
> email had been received.   This didn't help.   I'm curious if anyone is
> noticing this spam. Thanks.  - Mark
> 

This takes a while (afaik months at least). 
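
The reverse-lookup check suggested in the two "I RECORDED YOU" replies above (and the require_rdns.m4 link), as an added example that is not code from any poster and not the sendmail hack itself: forward-confirmed reverse DNS, with the PTR and A/AAAA answers taken from constructed tables so it runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a connecting SMTP client.

Added example for this thread; not the require_rdns.m4 hack linked above and
not code from any poster. DNS answers come from constructed tables so the
check runs offline; swap in real PTR/A lookups for production use.
"""
import ipaddress

# Constructed PTR answers, keyed by the exact name a resolver would query.
PTR_TABLE = {
    "10.2.0.192.in-addr.arpa": ["mail.example.net."],
    "11.2.0.192.in-addr.arpa": ["mail.example.net."],   # PTR exists, forward does not confirm
    ipaddress.ip_address("2001:db8::25").reverse_pointer: ["mx6.example.net."],
    # 192.0.2.13 deliberately has no PTR record at all
}
# Constructed A/AAAA answers (the forward side of the confirmation).
FORWARD_TABLE = {
    "mail.example.net": ["192.0.2.10"],      # 192.0.2.11 is NOT listed here
    "mx6.example.net": ["2001:db8::25"],
}


def reverse_query_name(client_ip):
    """Name to ask PTR for: 10.2.0.192.in-addr.arpa, or nibbles under ip6.arpa."""
    return ipaddress.ip_address(client_ip).reverse_pointer


def fcrdns_verdict(client_ip, ptr_table=PTR_TABLE, forward_table=FORWARD_TABLE):
    """Classify the client as one of:
      no_rdns        - no PTR record at all (what the thread suggests rejecting)
      rdns_mismatch  - PTR exists but the name does not resolve back to the IP
      fcrdns_ok      - PTR name resolves back to the connecting address
    """
    addr = ipaddress.ip_address(client_ip)
    names = ptr_table.get(addr.reverse_pointer, [])
    if not names:
        return "no_rdns"
    for name in names:
        hostname = name.lower().rstrip(".")          # drop the trailing root dot
        forward = forward_table.get(hostname, [])
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return "fcrdns_ok"
    return "rdns_mismatch"


def smtp_reply(client_ip):
    """SMTP-time decision: only a confirmed PTR is accepted without penalty.
    5.7.25 is the RFC 7372 enhanced status code for reverse DNS validation
    failure; rejecting outright is the policy the thread suggests."""
    if fcrdns_verdict(client_ip) == "fcrdns_ok":
        return "250 OK"
    return f"550 5.7.25 Client host {client_ip} has no forward-confirmed reverse DNS"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.13", "2001:db8::25"):
        print(ip, reverse_query_name(ip), fcrdns_verdict(ip), smtp_reply(ip))
```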



RE: rbl for smtp auth hosts

2023-09-16 Thread Marc
> >> >>Anyone have any experience with a dns blacklist specific to known smtp
> >> >>auth abuse?
> 
> >> On 15.09.23 17:51, Benny Pedersen wrote:
> >> >spamrats ?
> >> >
> >> >https://www.spamrats.com/
> 
> >> I have bad experience with spam rats and thus wouldn't recommend using
> >> them.
> >> YMMV of course.
> 
> On 15.09.23 21:57, Marc wrote:
> >You could be right about this.  When I compare the last 413 failed smtp
> > auths, none are listed in auth.spamrats.com.  While bl.spamcop.net lists
> > 230 at 127.0.0.2, while zen.spamhaus.org gets 371 at
> > 127.0.0.4/127.0.0.3/127.0.0.11.  I just have to check which of them is
> not
> > a list that lists any 'dynamic' ip by default.
> 
> zen is not a good idea for auth too.  It's supposed to contain dynamic IPs
> which aren't used for spamming.

I think 127.0.0.11 is the dynamic ips.

> authbl from spamhaus should do that.
> 

Any idea what this costs?




RE: rbl for smtp auth hosts

2023-09-15 Thread Marc
> >Marc skrev den 2023-09-15 17:01:
> >>Anyone have any experience with a dns blacklist specific to known smtp
> >>auth abuse?
> 
> On 15.09.23 17:51, Benny Pedersen wrote:
> >spamrats ?
> >
> >https://www.spamrats.com/
> 
> I have bad experience with spam rats and thus wouldn't recommend using
> them.
> YMMV of course.
> 

You could be right about this. When I compare the last 413 failed smtp auths, 
none are listed in auth.spamrats.com. While bl.spamcop.net lists 230 at 
127.0.0.2, while zen.spamhaus.org gets 371 at 127.0.0.4/127.0.0.3/127.0.0.11. I 
just have to check which of them is not a list that lists any 'dynamic' ip by 
default.




RE: rbl for smtp auth hosts

2023-09-15 Thread Marc
> > Anyone have any experience with a dns blacklist specific to known smtp
> > auth abuse?
> 
> spamrats ?
> 
> https://www.spamrats.com/

Yes, thanks! This RATS-Auth maybe.


RE: rbl for smtp auth hosts

2023-09-15 Thread Marc


> 
> >
> > On 15.09.23 15:31, Riccardo Alfieri wrote:
> >> Yes, at previous $dayjob. Applied on the submission MSA, it proved to
> >> be useful in mitigating the fallout when users got their credentials
> >> compromised.
> >
> > can you describe it more?
> >
> Well, I checked the connecting IP of a client against AuthBL *before*
> "permit_sasl_authenticated" (IIRC) in postfix and when users got their
> credentials compromised (that happened more times than I would have
> liked) I'd say more than 95% of connections from auth abusing botnets
> were denied. This mitigated a lot of the spam exiting from our outbounds
> and helped us not end up being listed in the more "trigger happy"
> dnsbls around :)
> 

Is this a freely available list?


rbl for smtp auth hosts

2023-09-15 Thread Marc

Anyone have any experience with a dns blacklist specific to known smtp auth 
abuse?




RE: allow general access after 1 auth

2023-08-12 Thread Marc
I am blind, thought I wrote to the apache list, thanks



> 
> This has nothing to do with SpamAssassin. Maybe you'll find better
> responses somewhere focused on web server stuff...
> 
> 
> On 2023-08-12 at 11:13:29 UTC-0400 (Sat, 12 Aug 2023 15:13:29 +)
> Marc 
> is rumored to have said:
> 
> > I was wondering if it is possible to allow general access to a url
> > after some account authenticated for this url, without the necessity
> > to adapt the web application for this.
> >
> > Say we have closed https://www.example.com/webapp with something like
> > Require valid-user
> > Order deny,allow
> > Deny from all
> >
> > If someone authenticates on https://www.example.com/webapp, the url is
> > available for everyone.
> >
> > Some inactivity timeout should lock the url again.
> 
> 
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire


allow general access after 1 auth

2023-08-12 Thread Marc


I was wondering if it is possible to allow general access to a url after some 
account authenticated for this url, without the necessity to adapt the web 
application for this.

Say we have closed https://www.example.com/webapp with something like
Require valid-user
Order deny,allow
Deny from all

If someone authenticates on https://www.example.com/webapp, the url is 
available for everyone. 

Some inactivity timeout should lock the url again.







RE: kam channel excess spamscore gives false possitive on valid mail from microsoft store

2023-08-09 Thread Marc
> >> Yes, score=17.228 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1,
> >> DKIM_VALID=-0.1, HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001,
> >> KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_HUGEIMGSRC=0.2,
> >> KAM_SHORT=0.001, MIME_HTML_MOSTLY=0.1, MPART_ALT_DIFF=0.724,
> >> RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-3,
> >> RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=1.3, SPF_PASS=-0.1] autolearn=no
> >> autolearn_force=no
> > They are just in a black list, that is normal, no? Maybe better tell the
> sender not to use shared resources that are being used for abuse.
> >
> > KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9
> >
> >
> Still, anything blocking MS Store is pretty egregious, especially since
> it's both Address and Body URL.  A score of 9 for each?
> 

But this is how google/microsoft/sendgrid etc are forcing their networks to be 
accepted. I can remember the 'idiots' at opensrs were (still are?) sending 
password recovery/reminders over their clients' network that was blacklisted 
for spamming. How dumb do you need to be to put your important/app emails on 
such a network that is sending out unsolicited email? 


RE: kam channel excess spamscore gives false possitive on valid mail from microsoft store

2023-08-09 Thread Marc
> 
> Yes, score=17.228 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1,
> DKIM_VALID=-0.1, HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001,
> KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9, KAM_HUGEIMGSRC=0.2,
> KAM_SHORT=0.001, MIME_HTML_MOSTLY=0.1, MPART_ALT_DIFF=0.724,
> RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-3,
> RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=1.3, SPF_PASS=-0.1] autolearn=no
> autolearn_force=no

They are just in a black list, that is normal, no? Maybe better tell the sender 
not to use shared resources that are being used for abuse.

KAM_BODY_URIBL_PCCC=9, KAM_FROM_URIBL_PCCC=9




RE: My apologies

2023-08-02 Thread Marc
> 
> > I've blocked him on my mail server, as well.
> 
> Reindl now and then says something useful, but as you have noticed his
> people skills are somewhere in the negative 200 score level. I don't
> know that I'd block him, but you do need to take anything he says with a
> few horse licks of salt.

I like Reindl! Is anyone training spamassassin on his emails??? ;P


RE: Really hard-to-filter spam

2023-07-27 Thread Marc
> 
> Hey, all.  I've recently started getting spam that's really hard to deal
> with, and I'm open to suggestions as to how to approach it.
> Superficially, they all look much like this:
> 

Post the complete message source including headers.


RE: Ensuring SPF/DKIM for @gmail.com

2023-07-27 Thread Marc
> 
> >> I assume that you mean so that your outbound SMTP server is actually
> >> authorized in some capacity and fall under "all".  Is that correct?
> 
> ... and does NOT fall under "all".
> 
> On 27.07.23 08:11, Marc wrote:
> >indeed afaik -all is all authorized
> 
> pardon me? -all means everyone except previously mentioned is
> UNAUTHORIZED to send mail.
> 
> fantomas.sk. 43200 IN TXT "v=spf1 mx -all"
> 
> meant only "mx" servers for fantomas.sk can send mail from this domain,
> all the rest is unauthorized.
> 

so we agree :). "-all" means only authorized can deliver, authorized as in 
mentioned in the text record.


RE: Ensuring SPF/DKIM for @gmail.com

2023-07-27 Thread Marc
> 
> I assume that you mean so that your outbound SMTP server is actually
> authorized in some capacity and fall under "all".  Is that correct?

indeed afaik -all is all authorized

> > When you configure your spf your result is either pass, softfail or
> fail
> > I think we can agree that a correctly configured spf results in a
> pass,
> > don't you?
> 
> I agree that known and authorized sources of email for my domain are
> authorized in the SPF record for my domain.
> 
> I thought you were alluding to a particular value of "all".  I did not
> understand your statement to be about servers being authorized or not.

gmail/google/outlook are using ~all, resulting in the softfail. For those 
networks I have decided to treat only their ~all as a -all. 

> I've had a number of conversations with people of late that seem to
> dislike "-all" almost as much as others dislike "+all".
> 

I am always using -all. I honestly can't think of a good argument to use 
anything else. 


RE: Ensuring SPF/DKIM for @gmail.com

2023-07-27 Thread Marc
> 
> The oldest mail server log I can find is from mx-in-08 sadly even that
> one is only from 2005 but confirms we were using it then, quite a bit
> longer than 2014 :P
> 

Why retire? To go fishing or so? I think GDPR even prohibits keeping very old 
log files, if there is no specific reason for that.


RE: Ensuring SPF/DKIM for @gmail.com

2023-07-26 Thread Marc
> > >
> > > What does "correctly setup SPF" mean to you?
> >
> > so your ip does not generate a softfail or fail
> 
> Only way to make SPF never incorrectly fail/softfail is to use "+all",
> but that kind of kills its point :-)

+all is in pass
https://datatracker.ietf.org/doc/html/rfc4408#page-8

> (actually, even with +all, some sites will fail it - especially
> because of it, as +all is sign of either intentional sloppy spammer
> or incompetent postmaster, both likely leading to spam coming from
> that site).

I am not even sure if I am able to differentiate on this level in my milter.

> > > What makes your opinion better than someone else's opinion that
> differs?
> > >   (I take it for granted that someone will have a differing
> opinion.)
> >
> > When you configure your spf your result is either pass, softfail or
> fail
> > I think we can agree that a correctly configured spf results in a
> pass, don't you?
> 
> Well *I* don't. Sometimes, maybe even often, it does. But not always.
>
> Any SPF, no matter how correctly configured, will lead to false
> positives in some cases (e.g. encountering mailing list or .forward

No, not: the sender chooses this setup, so there are no false positives. The 
sender does not want your server to send email from their domain.
The only reason I can think of for allowing fail/softfail is if you do not 
know your own infrastructure well enough.

.forward should be set to forward with your own email address if spf is 
configured for external, or if it stays internal, spf should be skipped.

> We are NOT living in ideal world where everybody implements every
> existing standard. Thus, even most correctly configured SPF will
> sometimes softfail/fail, when it should not.
> 

This is just crap. I think 99% of the implemented spf checks are not following 
your reasoning. It is like you are telling your bank: please, I would like to 
use these 2 payment cards to spend from my bank account. 
And because it is not an ideal world, your bank will allow me to spend from 
your account?






RE: Ensuring SPF/DKIM for @gmail.com

2023-07-26 Thread Marc
> At the risk of starting a flame war...
> 
> What does "correctly setup SPF" mean to you?

so your ip does not generate a softfail or fail

> What makes your opinion better than someone else's opinion that differs?
>   (I take it for granted that someone will have a differing opinion.)

When you configure your spf, your result is either pass, softfail or fail.
I think we can agree that a correctly configured spf results in a pass, don't 
you?
 
> I get your server your rules.  But your server / your rules doesn't
> translate to someone else's server any more than someone else's rules
> translate to your server.
> 

I agree


RE: Ensuring SPF/DKIM for @gmail.com

2023-07-26 Thread Marc
> 
> blocklist_from *@gmail.com
> welcomelist_auth *@gmail.com
> 
> makes it perfect :)
> 
> if both dkim and spf is pass, it will get neutral scores
> 

I found this to be not sufficient (assuming the above pass is ~all). gmail has 
spf ~all. 

So I have made an exception for the google network in milter and everything 
from gmail / google that would fail an -all spf I reject.
There are only a few legitimate domains that will be targeted by this, but 
asking them to correctly set up spf is mostly enough.
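
The qualifier semantics argued over in the SPF posts above (-all rejects everything not listed, ~all softfails, +all passes anything) and Marc's "treat their ~all as -all" exception, as an added example that is not pyspf, not his milter and not code from any poster. Only fantomas.sk's record is the one quoted in the thread; the other records, the MX table and the STRICT_SOFTFAIL_DOMAINS set are constructed.

```python
"""Minimal SPF evaluator showing what -all, ~all and +all decide.

Added example for the SPF posts in this thread; it is not pyspf, not the
milter Marc describes and not code from any poster. It covers the all, ip4,
mx and include terms (a subset of RFC 7208); DNS comes from constructed
tables so it runs offline. fantomas.sk's record is the one quoted in the
thread; every other record and address here is made up (TEST-NET ranges).
"""
import ipaddress

SPF_RECORDS = {
    "fantomas.sk": "v=spf1 mx -all",                        # quoted in the thread
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:fantomas.sk ~all",
    "sloppy.test": "v=spf1 +all",                           # "+all is in pass"
    "gmail.com":   "v=spf1 ip4:198.51.100.0/24 ~all",       # constructed stand-in; real one ends in ~all too
}
MX_ADDRESSES = {"fantomas.sk": ["192.0.2.25"]}             # constructed MX host address

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for `ip`
    claiming MAIL FROM `domain`. The first matching term wins and its
    qualifier is the result, so "-all" last means: everything not listed fails."""
    if depth > 10:
        return "permerror"                  # runaway include chain
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"                       # domain publishes no SPF at all
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                     # RFC 7208: default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == 4 and addr in net
        elif name == "mx":
            hosts = MX_ADDRESSES.get(arg or domain, [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            # include matches only when the included record yields "pass"
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"              # ip6/a/exists/redirect not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no "all" term


# Marc's policy from the thread: the big freemail senders publish ~all, so for
# those domains a softfail is treated as if they had published -all.
STRICT_SOFTFAIL_DOMAINS = {"gmail.com", "google.com", "outlook.com"}


def milter_decision(ip, domain):
    """accept/reject as a milter would decide from the SPF result."""
    result = check_host(ip, domain)
    if result == "fail":
        return "reject"
    if result == "softfail" and domain.lower() in STRICT_SOFTFAIL_DOMAINS:
        return "reject"
    return "accept"
```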

 


RE: Welcome/unwelcome list not working correctly.

2023-07-21 Thread Marc
> 
> > :) If I have to convert my old blacklists, is the blacklist then now a
> > welcome list or an unwelcome list?
> 
> blacklist->blocklist
> whitelist->welcomelist
> 
> unwelcomelist and unblocklist directives reverse the actions of
> welcomelist and blocklist directives.
> 

:) I think this is not proper. Now we still have a negative association with 
black becoming block. I don't think this is good for the racial discussions.

I think it would please people of colour if we

blacklist -> welcomelist
whitelist -> blocklist

yes yes, I know white people will complain about this eventually. So we could 
alternate the behaviour every X years.

PS. OT this reversal of actions is nice to know




RE: Welcome/unwelcome list not working correctly.

2023-07-21 Thread Marc

:) If I have to convert my old blacklists, is the blacklist then now a welcome 
list or an unwelcome list?


RE: spamd runs as root on Fedora Server 38 ?! - was Re: Newb on sa-learn - didn't get what I expected as a response...

2023-07-10 Thread Marc
> 
> I should probably add that I personally don't do per-user config because
> of the enlarged attack surface it presents and small marginal value, but
> that's guided by local details. I work with systems owned by others
> where other choices were made for very sound reasons and they have not
> had security problems with it, in many years of operations. What you
> choose to do should be based on what YOU want.
> 

I have a setup where I globally mark spam and users have the option to 'unmark' 
messages from senders. So every user has a little db with whitelisted email 
addresses. 
This could be a nice step before going full per-user config.



RE: Best practice for adding headers?

2023-07-10 Thread Marc
> 
> Since I need to patch spamass-milter anyway to resolve a different
> issue (calling "sendmail -bv " does not work on postfix
> systems), it should be easy to add such an option to spamass-milter.
> 

Hi Robert, are you going to work on this milter? :) :) Currently I have the 
milter separate from the spamd and (last time I checked) if spamd changes its 
ip, the milter is never able to contact it again.

https://www.mail-archive.com/users@spamassassin.apache.org/msg110390.html



RE: comparing sender domain against recipient domain

2023-05-13 Thread Marc
> 
> On Fri, May 12, 2023 at 05:32:30PM +0200, Reindl Harald wrote:
> > > On Fri, May 12, 2023 at 09:49:40AM -0500, Dave Funk wrote:
> > > > On Fri, 12 May 2023, Matija Nalis wrote:
> > > > > That is because those domains are not EQUAL? Or did you want a
> > > > > rule that checks only on SIMILAR domain names (e.g. with
> > > > > lowercase letter "L" replaced with number "1" as in your example)?
> > >
> > > It should be relatively easy to write SA plugin for that:
> >
> > and with *what* do you replace the "1"?
> 
> With one of the similar looking characters. Doesn't really matter
> which one, but it needs to be done consistently. Personally I'd
> probably choose lowercase "L", but it can be anything.
> 
> e.g. for simple first variant (i.e. for direct matching, not more
> advanced statistical similarity based approach suggested in later
> step)
> 
> sub normalize_domain($)
> {
>   my ($domain) = @_;
> 
>   # (yes I know we have tr///)
>   $domain =~ s/1/l/g;   # number 1 to lowercase "L"
>   $domain =~ s/I/l/g;   # uppercase "I" to lowercase "L"
> 
>   return lc($domain);
> }
> 
> [...]
> 
> if (lc($domain1) ne lc($domain2)) { # domains are NOT the same...
>   if (normalize_domain($domain1) eq normalize_domain($domain2)) {
>     # ...but they LOOK the same
>     add_spam_score("domain_is_not_same_but_looks_the_same");
>   }
> }
> 
> so normalize_domain() would return the same string for "paypal.com",
> "PayPal.com", "PayPaI.com" or "PayPa1.com": i.e. "paypal.com"
> 
> It doesn't matter if the result of it isn't the real domain (as it
> will be used only for comparison to similarly mangled other domain),
> e.g. if one had real domain "TheReallyBest1.com", it would be
> normalized to "thereallybestl.com" -- so while that is NOT how domain
> is really named, it doesn't matter, as it would still work for
> detecting fakes like "TheReallyBestI.com" (regardless if neither
> lowercase "L" nor the uppercase "I" are used in real domain name).
> 
> 
> > be careful with "relatively easy" when it comes to reality
> 
> Sure, I thought I was. Do you spot problems with the code above?
> Think of any real-life examples where it would backfire or fail to work?
> 
> The code like the above looks trivial to me ("relatively easy" was
> more geared toward statistical analyses of the words to return
> statistical score in percentage instead of simple fake/not_fake
> boolean like above; as it should take into account ordering of the
> letters, missed letters, duplicated letters, dyslexia-alike reversal
> of two neighboring letters and similar psychological ways in which
> human mind can easily be fooled). Still might take few weeks to make
> it to reasonably publishable shape...
> 
> But I was more interested if SA already has something like that?
> I haven't dabbled in 4.0 yet, and there might be code already
> written to accomplish similar things, so it would be a waste to
> reinvent a wheel.
> 

Hi Matija, 

It is nice to see such interest in this topic. The goal is indeed to catch 
purposefully chosen domains that could mislead the recipient like j...@her0.com 
> ad...@hero.com not to be mistaken with i...@paypa1.com > ad...@hero.com 
although these algorithms are probably very similar.

Catching stuff like paypa1.com could be a start, and if you combine that with 
the knowledge that the received email is not from the same company but 
external, one could apply the checks on the sender/recipient combination.

For similar character sets one could also look at password generators that do 
exactly the opposite, skip such characters in passwords.

If I am not mistaken, some registries are already utilizing technology to try 
and catch phishing domains.






RE: comparing sender domain against recipient domain

2023-05-11 Thread Marc
> 
> > I was wondering if spamassassin is applying some sort of algorithm to
> > compare the sender domain against the recipient domain to detect a
> > phishing attempt?
> 
> There is a suite of meta rules and subrules with names containing
> TO_EQ_FROM in the default rule channel. Consult the rules files for
> implementation details.
> 
> 

hmmm, I guess not 

some test message with these headers
test2:~# spamassassin -D < spam-test.txt  > out2

Date: Mon, 24 Oct 2016 22:10:07 +0200
To: recipi...@alexander.com
From: Lara 
Subject: asdf asd fas df asdf asdf asd fas dfa sdf
Message-ID: 
Return-Path: sen...@a1exander.com

gives this result:

X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on test2.local
X-Spam-Flag: YES
X-Spam-Level: 
X-Spam-Status: Yes, score=4.4 required=3.0 tests=DKIM_ADSP_NXDOMAIN,
EMPTY_MESSAGE,RDNS_NONE,T_TVD_MIME_EPI autolearn=disabled version=3.4.6
X-Spam-Report:
*  0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in
*  DNS
*  0.0 T_TVD_MIME_EPI BODY: No description available.
*  1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
*  2.3 EMPTY_MESSAGE Message appears to have no textual parts



RE: comparing sender domain against recipient domain

2023-05-11 Thread Marc

> 
> 
> what useful information would you be looking for from this kind of
> comparison?

sen...@a1exander.com
recipi...@alexander.com

*  3.9 PHISHING 1=l attempt

I assume there are some character substitute algorithms available, maybe an 
adapted version of an algorithm that tries to detect typos.
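The comparison discussed in this thread and in the paypa1.com post above, as an added example (not SpamAssassin code and not a rule from the default channel): a confusable-character skeleton catches digit-for-letter swaps such as a1exander.com, and an edit distance that counts transpositions catches one-keystroke typo domains. The 3.9 and 2.0 scores, the confusable table and the length cut-off are assumptions chosen for the example.

```python
"""Flag sender domains that look like the recipient's domain.

Added example, not SpamAssassin code: a confusable-character skeleton plus an
edit distance with transpositions, applied to the sender/recipient pair.
Scores and thresholds are constructed for this example.
"""
import re

# Characters and digraphs that are swapped for visually similar ones in
# look-alike domains.  Digraphs go first so "rn" becomes "m" as a unit.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
    ("|", "l"), ("!", "i"),
]


def skeleton(domain: str) -> str:
    """Canonical form of a domain in which confusable characters are merged."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of two adjacent characters each cost 1 (alexandre/alexander = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the last address in a From:/To:/Return-Path: value."""
    found = re.findall(r"@([A-Za-z0-9.-]+)", header_value)
    return found[-1].lower().strip(".") if found else ""


def lookalike_check(sender: str, recipient: str) -> dict:
    """Compare the sender domain with the recipient domain.

    Mail from the recipient's own domain is internal and never a look-alike;
    any other sender is scored by how closely it imitates the recipient's domain.
    """
    s, r = domain_of(sender), domain_of(recipient)
    result = {"sender": s, "recipient": r, "same_domain": False,
              "lookalike": False, "score": 0.0, "reason": ""}
    if not s or not r:
        result["reason"] = "missing domain"
    elif s == r:
        result.update(same_domain=True, reason="same domain")
    elif skeleton(s) == skeleton(r):
        result.update(lookalike=True, score=3.9, reason="confusable characters")
    else:
        dist = osa_distance(s, r)
        # One edit away from a longer domain is suspicious; very short domains
        # legitimately differ by a single character, so they are not scored.
        if dist == 1 and len(r) >= 8:
            result.update(lookalike=True, score=2.0, reason="edit distance 1")
        else:
            result["reason"] = f"edit distance {dist}"
    return result


if __name__ == "__main__":
    print(lookalike_check("sen...@a1exander.com", "recipi...@alexander.com"))
    print(lookalike_check("i...@paypa1.com", "ad...@hero.com"))
```

The check deliberately only compares sender against recipient: a1exander.com addressed to someone at hero.com scores nothing here, which is the "sender/recipient combination" idea from the earlier post rather than a general list of brand names.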





comparing sender domain against recipient domain

2023-05-11 Thread Marc
I was wondering if spamassassin is applying some sort of algorithm to comparing 
sender domain against recipient domain to detect a phishing attempt?






RE: Re[8]: rule based on domain age

2023-05-11 Thread Marc
> IP ranges and country connections are of no help.  These criminals use
> outlook, gmail, vps servers and everything under the sun.

So they register new domains, link them to gmail (outlook) and send spam with 
envelope of the domain via the google network, and google does nothing and 
keeps giving this service to them?

I assume this service is offered for free by google/outlook?



RE: Re[6]: rule based on domain age

2023-05-10 Thread Marc


> What I am targeting will not be on an abusive domains on any RBL
> anywhere as they buy these domains for the sole purpose of targeting our
> company and our clients.  They only have to succeed once where I have to
> succeed every time to keep them from stealing large sums.

What about the ip ranges? I have the impression that once you register these, 
it gets less. There are specific providers offering their networks for such 
services. Legitimate providers do not want to get involved with such networks, 
because they will end up on blacklists.

I have a combination of ip ranges that I have registered; these get a url from 
me in a confirmation, and only when this url is clicked is the email accepted.
You could tune this for your environment.

Maybe you can do something with the connection country

[@]# dig +short -t txt 95.80.124.107.origin.asn.cymru.com
"7018 | 107.64.0.0/10 | US | arin | 2011-02-04"



RE: Re[4]: rule based on domain age

2023-05-10 Thread Marc
Yes, some already block/timeout with the 2nd lookup. But there is a flip side. 
There are dns blacklists that have domain names that are currently being abused.


> 
> I hadn't considered being blocked by the TLD's from doing the lookups.
> Good point.  We probably do about 2K per day so not sure that is enough
> to be blocked but it certainly could be.
> 
> 
> >
> >>
> >>  Why would it have to have to be specific per TLD?  Why I have in
> mind is
> >>  looking at the creation date of the sending domain and scoring it up
> if
> >>  it is newer than 12 months, no matter what the TLD is.
> >
> >I totally get it. I was thinking of incorporating this in a service for
> a European project. And even going further, querying owner information.
> >
> >>  Am I missing something?
> >
> >Because this information is only available at tld's and just querying
> the whois endlessly will be blocked. Every tld registry has their own
> operating rules.


RE: rule based on domain age

2023-05-10 Thread Marc

> 
> My apologies if that has been asked and or answered previously.
> 
> I would love to have a rule to score up messages from domains registered
> in the past X configurable days.
> 
> We rarely receive legit email from domains newer than 1 year old, but we
> get spoofs daily from domains that are less than 1 year old.
> 
> I would like to score all of the less than 1 year old domains up and
> quarantine them for review.
> 
> Does such a rule already exist?
> 
> Thanks in advance for any direction any of you may have.
> 

I don't think this is available. All this would also be specific per tld. So 
everyone would need to agree on participating in some system, and then you also 
have different judicial areas.




RE: Suggested Approach

2023-04-27 Thread Marc
> 
> For those that would like to investigate, the messages are in the
> attached ZIP.  It looks like simple Spamming but I can not assure
> there are no other issues of concern.
> 

Post the full (redacted) plain text source message. I can't believe that message 
headers do not contain ip addresses. What is this 202.29.234.42?

Your spamassassin should not even be processing messages from 202.29.234.42. 
Your incoming mail server should not accept mail from ip's that do not have a 
correct reverse[2]. Then it is on a dnsbl. So it should be stopped at that 
stage.


[1]
[@scripts]# testrbl.sh 202.29.234.42
202.29.234.42
 zen.spamhaus.org 127.0.0.11 "https://www.spamhaus.org/query/ip/202.29.234.42"
 bl.spamcop.net
 dul.rbl-dns.com
 rbl..xxx
 rblacc..xxx
 whitelist..xxx


[2]
[@syslog1 scripts]# digall.sh 202.29.234.42
..
202.29.234.31
202.29.234.32
202.29.234.33
202.29.234.34
202.29.234.35
202.29.234.36
202.29.234.37
202.29.234.38
202.29.234.39
202.29.234.40
202.29.234.41
202.29.234.42
202.29.234.43
202.29.234.44
202.29.234.45
202.29.234.46
202.29.234.47
202.29.234.48
202.29.234.49
202.29.234.50
202.29.234.51
202.29.234.52
202.29.234.53
...

[@syslog1 scripts]# digall.sh 209.85.219.47
209.85.219.0
209.85.219.1mail-qv1-f1.google.com.
209.85.219.2mail-qv1-f2.google.com.
209.85.219.3mail-qv1-f3.google.com.
209.85.219.4mail-qv1-f4.google.com.
209.85.219.5mail-qv1-f5.google.com.
209.85.219.6mail-qv1-f6.google.com.
209.85.219.7mail-qv1-f7.google.com.
209.85.219.8mail-qv1-f8.google.com.
209.85.219.9mail-qv1-f9.google.com.
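The three lookups behind this post and the earlier "connection country" post (a DNSBL query, the reverse-DNS check that 202.29.234.42 fails, and the origin.asn.cymru.com TXT record), as an added example that is not the testrbl.sh or digall.sh script and not SpamAssassin code. DNS answers come from a resolver callable so it runs offline; the stub is built from answers visible in the posts plus one constructed forward A record for the Google host, and the accept policy is the one stated in the reply.

```python
"""DNS-based checks on a connecting IP: DNSBL listing, forward-confirmed
reverse DNS (FCrDNS) and Team Cymru ASN origin.

Added example, not code from the thread.  stub_resolve holds answers taken
from the posts (zen answers 127.0.0.11 for 202.29.234.42, which has no PTR;
209.85.219.1 reverses to mail-qv1-f1.google.com; the Cymru TXT record for
107.124.80.95) plus a constructed forward A record for the Google host.
"""
import ipaddress
from typing import Callable

# resolve(name, rrtype) -> list of answer strings; [] means no data / NXDOMAIN
Resolver = Callable[[str, str], list]

# Spamhaus ZEN return codes (last octet -> sub-list), per Spamhaus documentation
ZEN_CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL", 10: "PBL", 11: "PBL"}


def reversed_octets(ip: str) -> str:
    """'202.29.234.42' -> '42.234.29.202'; raises ValueError on bad input."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def check_dnsbl(ip: str, zone: str, resolve: Resolver) -> list:
    """Names of the lists that hit, [] when not listed, ['error'] when the zone
    answered 127.255.x.x (query refused, for example through an open resolver)."""
    hits = []
    for answer in resolve(f"{reversed_octets(ip)}.{zone}", "A"):
        octets = [int(x) for x in answer.split(".")]
        if octets[:2] == [127, 255]:
            return ["error"]
        name = ZEN_CODES.get(octets[3], answer) if zone == "zen.spamhaus.org" else answer
        if name not in hits:
            hits.append(name)
    return hits


def fcrdns(ip: str, resolve: Resolver) -> dict:
    """PTR names of the IP, and whether one of them resolves back to the IP."""
    ptrs = [p.rstrip(".") for p in resolve(f"{reversed_octets(ip)}.in-addr.arpa", "PTR")]
    confirmed = any(ip in resolve(p, "A") for p in ptrs)
    return {"ptr": ptrs, "confirmed": confirmed}


def asn_origin(ip: str, resolve: Resolver) -> dict:
    """Parse the Cymru origin TXT answer 'ASN(s) | prefix | CC | registry | date'
    and check that the IP really lies inside the announced prefix."""
    answers = resolve(f"{reversed_octets(ip)}.origin.asn.cymru.com", "TXT")
    if not answers:
        return {}
    fields = [f.strip() for f in answers[0].strip('"').split("|")]
    asns, prefix, cc, registry, allocated = fields[:5]
    return {"asns": [int(a) for a in asns.split()], "prefix": prefix, "cc": cc,
            "registry": registry, "allocated": allocated,
            "in_prefix": ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(prefix)}


STUB_ANSWERS = {
    ("42.234.29.202.zen.spamhaus.org", "A"): ["127.0.0.11"],       # from testrbl.sh output
    ("42.234.29.202.in-addr.arpa", "PTR"): [],                     # no reverse, as in digall.sh
    ("1.219.85.209.zen.spamhaus.org", "A"): [],
    ("1.219.85.209.in-addr.arpa", "PTR"): ["mail-qv1-f1.google.com."],
    ("mail-qv1-f1.google.com", "A"): ["209.85.219.1"],             # constructed forward record
    ("95.80.124.107.origin.asn.cymru.com", "TXT"):
        ['"7018 | 107.64.0.0/10 | US | arin | 2011-02-04"'],       # from the dig output
}


def stub_resolve(name: str, rrtype: str) -> list:
    """Offline resolver; swap in a real DNS client for production use."""
    return STUB_ANSWERS.get((name, rrtype), [])


def connection_report(ip: str, resolve: Resolver = stub_resolve) -> dict:
    return {"ip": ip, "zen": check_dnsbl(ip, "zen.spamhaus.org", resolve),
            "fcrdns": fcrdns(ip, resolve), "asn": asn_origin(ip, resolve)}


def accept_connection(report: dict) -> bool:
    """Policy from the reply: no confirmed reverse DNS or a zen listing means the
    MTA refuses the connection before spamassassin ever sees the message."""
    listed = [h for h in report["zen"] if h != "error"]
    return report["fcrdns"]["confirmed"] and not listed


if __name__ == "__main__":
    for ip in ("202.29.234.42", "209.85.219.1"):
        report = connection_report(ip)
        print(ip, "accept" if accept_connection(report) else "refuse", report)
```

A 127.255.x.x answer is reported as an error rather than a listing so that a refused query never turns into a false rejection; the ASN record is only informational here, the post suggests using its country field as one more scoring input.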


RE: spamassassin milter auto ip address update

2023-03-07 Thread Marc


> 
> > I recently had an issue where mail was temporarily rejected because
> > clamav-milter/spamass-milter could not connect to clamd/spamd.
> > Clamd/Spamd are a tasks that can automatically change hosts and thus
> > their ips. A simple restart of the milter fixes this (resolves the new
> > ip).
> >
> > However, it would be nice if something could be added to the milter
> > code that, if it can't contact spamd, it tries to re-resolve the ip
> > address automatically.
> 
> That would be an interesting feature in a milter. You should suggest it
> to the developers of whichever milter(s) you are using. The ASF
> SpamAssassin project does not maintain any milters, but there may be
> people on this list who use the same tool can help you.
> 
> > ps. as you can deduct from the text I am not a 100% sure which milter
> > caused this actually.
> 
> Are you not aware of IP changes by spamd?

No, I would even like to have a situation where they would scale automatically. 
:)

> 
> > pps. even nicer would be, the ability to use srv records and use
> > dynamic ports.
> 
> Sounds great. Out of scope for SA itself, but it would be fine for a
> milter.

If the spamc constantly gets spawned on the milter side, it does not look very 
efficient. But at least this resolving of ip's is not an issue.
I also don't get the logic behind spawning a spamc client; I thought that 
milters should just 'pipe' the data to spamd and that is it. But I am not 
really familiar with how this design/communication works.
I would even say that a milter implementation could be generic and not depend 
on whether the backend is a clamd or a spamd. It just passes the content and 
the result is received.





spamassassin milter auto ip address update

2023-03-06 Thread Marc


I recently had an issue where mail was temporarily rejected because 
clamav-milter/spamass-milter could not connect to clamd/spamd. Clamd/Spamd are 
tasks that can automatically change hosts and thus their ips. A simple 
restart of the milter fixes this (resolves the new ip).

However, it would be nice if something could be added to the milter code that, 
if it can't contact spamd, it tries to re-resolve the ip address automatically. 

ps. as you can deduce from the text I am not 100% sure which milter caused 
this actually. 

pps. even nicer would be, the ability to use srv records and use dynamic ports.


RE: Messages from outer clients marked as spam

2023-01-23 Thread Marc
> 
> >> Since the beginning of this year, however, incoming (SMTP authenticated)
> >> mail from clients outside the LAN is marked as spam.
> >> E.g.
> >> > X-Spam-Score: 10.756 (**)
> >>
> BAYES_00,KAM_DMARC_REJECT,KAM_DMARC_STATUS,KAM_LOTSOFHASH,KHOP_HELO_FCRDNS,LOT
> >>
> S_OF_MONEY,PDS_RDNS_DYNAMIC_FP,RCVD_IN_PBL,RCVD_IN_ZEN_LASTEXTERNAL,RDNS_DYNAM
> >> IC,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL
> 
> On 23.01.23 16:05, Marc wrote:
> >Don't you have more details? Looks to me you are on dns blacklists, your spf
> is not good etc.
> 
> You have misunderstood the problem. Authenticated clients are those who
> submit mail wia OP's server, so the SPF/DKIM/DMARC can't match as they match
> when they go out of the OP's server.
> 
> Also, it's common for authenticated clients to send mail from dynamic IP
> addresses, they don't leave the OP's server using dynamic IP anymore.

yes I got this, but it looks like at the stage where the message is being passed 
to spamassassin, spamassassin uses the client ip. This is also the problem with 
the rbl: the client ip is being passed.

I think this was just always working like this, until more and more ip's are 
listed on dns blacklist and now all of a sudden he passed the threshold.

As you wrote, you can't have such checks on the email, only content can be 
checked by spamassassin in this setup.




RE: Messages from outer clients marked as spam

2023-01-23 Thread Marc
> I've got a long standing server, where I run FreeBSD (13.1) + sendmail
> (8.17.1) + MIMEDefang (2.84) + SpamAssassin (3.4.6).
> (I know there are more recent versions, but that's what ports currently
> provide).
> This has been working perfectly for years.

yes, times change; currently gmail is sometimes blocking emails complaining about 
spf+dkim, while these messages are not even configured for spf/dkim.

> Since the beginning of this year, however, incoming (SMTP authenticated)
> mail from clients outside the LAN is marked as spam.
> E.g.
> > X-Spam-Score: 10.756 (**)
> BAYES_00,KAM_DMARC_REJECT,KAM_DMARC_STATUS,KAM_LOTSOFHASH,KHOP_HELO_FCRDNS,LOT
> S_OF_MONEY,PDS_RDNS_DYNAMIC_FP,RCVD_IN_PBL,RCVD_IN_ZEN_LASTEXTERNAL,RDNS_DYNAM
> IC,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL

Don't you have more details? Looks to me you are on dns blacklists, your spf is 
not good etc. 

> Right now I instructed MIMEDefang to avoid passing authenticated mails
> to SpamAssassin, but this is not what I ideally want. (If a client gets
> compromised...).

maybe just stat it only (with prometheus)? 
https://www.mail-archive.com/users@spamassassin.apache.org/msg109914.html

> My real wish would be to always run messages through SpamAssassin, but
> avoid RBL/SPF/DMARC/dynamic IPs/etc... checks for those that come from
> an authenticated client, as these rules make no sense in that case.

I prefer to have spf and dns rbl checks done in the milter at connect, that is 
more efficient. As a last step I pass message data to resource intensive tasks 
like spamassassin and clamav.

> What's the best practice to achieve this result?
> 

Separate incoming and outgoing servers with different configurations for their 
spamassassin. It is almost impossible to have incoming/outgoing combined.


RE: sorbs blocklist spamassassin.apache.org

2023-01-15 Thread Marc
> 
> https://multirbl.valli.org/lookup/95.216.194.37.html
> 
> but who cares ?

What is the problem? I am even surprised that there are so many green listings. 
I have even configured that hosts with a reverse xxx.your-server.de are not 
allowed to connect.



RE: *****SPAM***** Re: *****SPAM***** Re: *****SPAM***** Re: *****SPAM***** Re: *****SPAM***** Re: wordpress work

2023-01-13 Thread Marc
Let's see how many spamassassin is adding.

RE: *SPAM* Re: *SPAM* Re: *SPAM* Re: *SPAM* Re: 
*SPAM* Re: wordpress work



RE: awl postgresql

2023-01-03 Thread Marc
> 
> https://github.com/apache/spamassassin/blob/trunk/sql/awl_pg.sql#L6
> 
> https://www.irccloud.com/pastebin/wRkT4AeI/awl.sql
> 
> how to solve it ?

https://notepad.ltd/asdf23423asdfasdf ;)




RE: welcomelist_auth and SPF

2022-12-17 Thread Marc
> 
> 
> Yes, GoDaddy is shit, but should that mean there's no expectation of
> being able to add it to a trusted senders list for individual senders?

of course 

whitelist_from *@christmasball.com

or you add some header 

header  TREE_WHITELIST  X-Tree =~ /\bwhitelisted\b/
score   TREE_WHITELIST  -50

> I'm now more curious why it says SPF_PASSed, yet my welcomelist entry
> didn't work to keep it from being marked as spam.

SPF pass is just a result that gets processed in the general result. The 
general result decides if a message is marked as spam. 

> Whether or not it's listed on the valli blocklists should also be
> irrelevant - that GoDaddy is shit is the exact reason why I'm trying to
> add this (unsuccessfully) to the welcomelist.

Maybe you have a version that still is racist? ;) 




RE: welcomelist_auth and SPF

2022-12-16 Thread Marc
> The sender's SPF record includes the sending IP (40.107.96.128) in the
> secureserver.net   entry, and SPF_PASS is hit.
> 

Without even checking anything I can already remember that this 
secureserver.net is shit. I have blocked whole ranges of them, they send spam, 
try passwords etc. I have the impression that there is nothing secure about 
secureserver and everything seems to be hacked there.

You will always have false positives, and probably even more in the future, 
there is going to be more and more networks trying to mix spam with legitimate 
email. 
For this you have to create some way to unmark / whitelist email addresses.




shameless plug for -=> mailfromd <=-

2022-12-07 Thread Marc
I am so happy about the recent updates of mailfromd[1] that I wanted to share 
this info with you. 

I have been harassing Sergey from mailfromd[1] for a while to implement 
statistics and currently this is working very nicely. Maybe you are still using 
a prehistoric project like rspamd, where they think they need to create their own 
graphical interface, and thus you can't do anything yourself.
With mailfromd[1] you can just create any stat you want, scrape those with 
prometheus and chart them with grafana[2].

This can be very useful to test for instance your dns blacklists. I have no 
idea how the spamassassin development team decides on what blacklists to use 
and in what order. But now you are easily able to chart the results of all 
blacklists and easily identify blacklists that have almost no added value (as 
in duplicates of others).

this is how you use a counter:

openmetrics_incr('greylist','type="urlpass",from="'.domainpart($f).'"')
openmetrics_incr('envempty')
openmetrics_incr('reject','code="5.0.1"')
 
this is a part of the output:

greylist{type="urlpass",from="u20705374.wl125.sendgrid.net"} 1
greylist{type="urlpass",from="u23624407.wl158.sendgrid.net"} 9
greylist{type="urlpass",from="u2368638.wl139.sendgrid.net"} 2
greylist{type="urlpass",from="u54769.wl.sendgrid.net"} 2
greylist{type="urlpass",from="u7281236.wl237.sendgrid.net"} 1
greylist{type="urlpass",from="u9302991.wl242.sendgrid.net"} 1
# TYPE spf counter
# HELP spf Spf registrations
spf{type="hardfail"} 45
spf{type="neutral"} 1643
spf{type="softfail"} 111
spf{type="valid"} 7974
# TYPE connect counter
# HELP connect Hostname found in the connect database
connect{type="db"} 220
connect{type="ovh"} 31
# TYPE accept counter
# HELP accept Mails accepted
accept 4054
# TYPE reject counter
# HELP reject Mails rejected
reject{code="5.0.1"} 61
reject{code="5.3.0"} 220
reject{code="5.3.1"} 31
reject{code="5.7.1"} 45
reject{code="5.7.2"} 1044
reject{code="5.7.4"} 1
reject{code="5.7.5"} 2


[1]
https://www.gnu.org.ua/software/mailfromd/manual/mailfromd.html

[2]
https://grafana.com/
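The blacklist comparison this post describes, as an added example (not mailfromd, prometheus or grafana code): a parser for the text exposition format quoted above, and an overlap analysis over a hypothetical dnsbl_hit counter that is incremented once per message with a `lists` label naming every list that returned a hit. The dnsbl_hit counter, its label and its numbers are constructed for this example; the spf, reject and greylist lines are the ones from the post.

```python
"""Parse Prometheus text exposition output and measure the added value of
each DNS blacklist.

Added example, not mailfromd or prometheus code.  POST_OUTPUT is quoted from
the post; DNSBL_OUTPUT is a constructed counter (one increment per message,
labelled with the set of lists that hit) used to show the overlap analysis.
"""
import re
from collections import defaultdict

SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')
UNESCAPE = {'"': '"', '\\': '\\', 'n': '\n'}


def parse_exposition(text: str) -> list:
    """Return [(metric, {label: value}, float)] for each sample line; comment
    lines (# HELP, # TYPE) and blank lines are skipped."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sample line: {line!r}")
        name, labels, value = m.groups()
        label_dict = {k: re.sub(r'\\(["\\n])', lambda e: UNESCAPE[e.group(1)], v)
                      for k, v in LABEL_RE.findall(labels or "")}
        samples.append((name, label_dict, float(value)))
    return samples


def total(samples: list, metric: str, **where) -> float:
    """Sum a counter, optionally only over samples whose labels match `where`."""
    return sum(v for name, labels, v in samples
               if name == metric and all(labels.get(k) == val for k, val in where.items()))


def blacklist_value(samples: list, metric: str = "dnsbl_hit",
                    label: str = "lists", sep: str = "|") -> dict:
    """Per list: total hits, hits where it was the only list that answered, and
    the ratio of the two.  A ratio near zero means the list adds nothing the
    others do not already catch."""
    stats = defaultdict(lambda: {"total": 0.0, "unique": 0.0})
    for name, labels, v in samples:
        if name != metric or label not in labels:
            continue
        lists = [l for l in labels[label].split(sep) if l]
        for l in lists:
            stats[l]["total"] += v
        if len(lists) == 1:
            stats[lists[0]]["unique"] += v
    for s in stats.values():
        s["unique_ratio"] = s["unique"] / s["total"] if s["total"] else 0.0
    return dict(stats)


# Quoted from the post's output.
POST_OUTPUT = """\
greylist{type="urlpass",from="u20705374.wl125.sendgrid.net"} 1
greylist{type="urlpass",from="u23624407.wl158.sendgrid.net"} 9
greylist{type="urlpass",from="u2368638.wl139.sendgrid.net"} 2
greylist{type="urlpass",from="u54769.wl.sendgrid.net"} 2
greylist{type="urlpass",from="u7281236.wl237.sendgrid.net"} 1
greylist{type="urlpass",from="u9302991.wl242.sendgrid.net"} 1
# TYPE spf counter
# HELP spf Spf registrations
spf{type="hardfail"} 45
spf{type="neutral"} 1643
spf{type="softfail"} 111
spf{type="valid"} 7974
# TYPE reject counter
# HELP reject Mails rejected
reject{code="5.0.1"} 61
reject{code="5.3.0"} 220
reject{code="5.3.1"} 31
reject{code="5.7.1"} 45
reject{code="5.7.2"} 1044
reject{code="5.7.4"} 1
reject{code="5.7.5"} 2
"""

# Constructed for this example: which combination of lists hit each message.
DNSBL_OUTPUT = """\
# TYPE dnsbl_hit counter
dnsbl_hit{lists="zen.spamhaus.org"} 310
dnsbl_hit{lists="bl.spamcop.net"} 12
dnsbl_hit{lists="zen.spamhaus.org|bl.spamcop.net"} 95
dnsbl_hit{lists="zen.spamhaus.org|bl.spamcop.net|dul.rbl-dns.com"} 20
dnsbl_hit{lists="dul.rbl-dns.com"} 0
"""

if __name__ == "__main__":
    s = parse_exposition(POST_OUTPUT)
    print("rejected:", total(s, "reject"), "spf valid:", total(s, "spf", type="valid"))
    for name, st in blacklist_value(parse_exposition(DNSBL_OUTPUT)).items():
        print(f"{name:20} total={st['total']:.0f} unique={st['unique']:.0f} ratio={st['unique_ratio']:.2f}")
```

With the constructed numbers dul.rbl-dns.com never hits on its own, which is exactly the "duplicate of others" case the post wants to make visible; in grafana the same ratio can be charted over time from the raw counters.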



RE: Facepalm

2022-11-24 Thread Marc
> I accidentally forwarded one (or more) messages to the SpamAssassin
> mailing list which I meant to forward to SpamCop. High-latency remote
> control, address prefix collision, and lack of sleep are contributing
> factors.
> 
> I will update address books to reduce likelihood of collisions in the
> future.
> 
> To those that asked if I was mentally ill, I don’t think so. Rather I
> think this was an honest mistake. All be it one with considerable egg on
> my face.  Also, please reframe from as hominem attacks as they are
> unnecessary.

You should be including a bitcoin address, so we can buy you a coffee ;)


RE: spam subject marking

2022-11-15 Thread Marc

> You might want to point out to them that rewrite_header breaks any DKIM
> signature on mail, 

Hmmm, good point, not really thought about this even. Are email clients 
complaining about this?

> in addition to cluttering the Subject if
> misclassified mail is part of a conversation.

So the alternative is adding a header and move it to the spam folder 
automatically on the basis of the header?

Currently I just want to 'warn' users that the message is possible spam, they 
can decide to move such emails automatically to a spam folder by enabling a 
sieve rule.
What would be an alternative method to keep such functionality without altering 
the subject?




RE: spam subject marking

2022-11-15 Thread Marc
> 
> When a *user* replies it's not at the beginning
> it's "Re: **spam**"

:) Indeed, and in other languages it is even different, but I think developers 
get the point ;)


RE: spam subject marking

2022-11-15 Thread Marc
> >> spamassassin add multiple times '**spam**' to the subject.
> >>
> >> your spamassassin only adds it one time
> >
> > Yes I know, and lazy users do not remove it in replies, that is how
> you get multiple occurrences
> 
> than it's "Subject: **spam** Re: **spam**" and the only relevant
> information for you is the first because that's from your system

Modifications to the subject I see only as relevant to the recipient. 

Email users really don't have a clue what is added by whom. Users that leave 
our spam marked subject in their email replies even generate issues where other 
people are receiving their email marked as spam.

> just because on a random place in the middle of the subject **spam**
> appears musn't supress the flagging of my own filter

Indeed that is why a solution for development could be something like

if spam
check if there is in the beginning of the subject a string that matches the 
'rewrite_header' as configured in local.cf, if not add, if it is there skip. 

I think the situation I am describing is quite often occurring. I wonder what 
others think of this.



RE: spam subject marking

2022-11-15 Thread Marc
> >>
> >> multiple signs of spam leading to marking a message as spam
> >
> > This is not relevant for the discussion on whether or not to have
> spamassassin add multiple times '**spam**' to the subject.
> 
> your spamassassin only adds it one time

Yes I know, and lazy users do not remove it in replies, that is how you get 
multiple occurrences.







RE: spam subject marking

2022-11-15 Thread Marc
> 
> Am 15.11.22 um 11:48 schrieb Marc:
> >>
> >> and i told you that it's useful when a message already passed
> multiple
> >> hops which flagged it as spam to outright reject it
> >>
> >> /^Subject: .*\*\*\*\*\*spam\*\*\*\*\* \*\*\*\*\*spam\*\*\*\*\*/
> REJECT
> >> Administrative Prohibition (Subject)
> >
> > A message is either spam or not
> 
> that's not how spam filtering works
> 
> multiple signs of spam leading to marking a message as spam

This is not relevant for the discussion on whether or not to have spamassassin 
add multiple times '**spam**' to the subject.


> > and is marked as spam or not
> 
> good filters don't only mark messages but reject them
> 
> > I don't see how telling me 3 times it is spam has any relevance.
> 
> how comes that you don't see the relevance of the sending system already
> thought it was spam and instead jerect it still continued to send the
> trash out?

This is not relevant for the discussion on whether or not to have spamassassin 
add multiple times '**spam**' to the subject.

> > If you value the information created by multiple servers processing
> the message, then this information should be passed differently
> 
> and how do you imagine that in a cahin of indepdenent systems?

My first thought would be by adding headers. If I had a chain of 3 servers 
processing a message with spamassassin, the first 2 would only add scores in the 
header and the last one would do the calculation upon which it is decided to 
have the message visibly marked as spam for the recipient.
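The two proposals from this thread (only add the rewrite_header tag when it is not already at the start of the subject, and let intermediate hops record scores in a header so the last hop makes the one visible decision), as an added example that is not SpamAssassin code. The header name X-Spam-Hop-Score, its format and the host names are assumptions made for the example; `*****SPAM*****` is SpamAssassin's default rewrite_header Subject tag.

```python
"""Idempotent subject tagging and per-hop score headers.

Added example, not SpamAssassin code.  X-Spam-Hop-Score and its
"host=...; score=..." format are constructed for this example.
"""
import re
from email.message import EmailMessage

TAG = "*****SPAM*****"          # SpamAssassin's default rewrite_header Subject tag
HOP_HEADER = "X-Spam-Hop-Score"  # constructed header name


def tag_subject(subject: str, tag: str = TAG) -> str:
    """Prepend `tag` unless the subject already starts with it.

    Only the start of the subject counts: a tag a user left in the middle of
    "Re: *****SPAM***** ..." came from someone else's filter and must not
    suppress our own flag, so it stays and ours goes in front of it.
    """
    if subject.lstrip().lower().startswith(tag.lower()):
        return subject
    return f"{tag} {subject}".rstrip()


def record_hop_score(msg: EmailMessage, host: str, score: float) -> None:
    """Intermediate hop: append our score as a header and leave the subject alone."""
    msg[HOP_HEADER] = f"host={host}; score={score:.1f}"


def hop_scores(msg: EmailMessage) -> list:
    """All (host, score) pairs recorded by earlier hops; malformed values are ignored."""
    pairs = []
    for value in msg.get_all(HOP_HEADER, []):
        m = re.match(r"host=([^;]+);\s*score=(-?\d+(?:\.\d+)?)", value)
        if m:
            pairs.append((m.group(1).strip(), float(m.group(2))))
    return pairs


def final_decision(msg: EmailMessage, own_score: float, threshold: float,
                   tag: str = TAG) -> bool:
    """Last hop: add every recorded score to our own and tag the subject exactly
    once when the sum reaches the threshold.  Returns True when the mail is spam."""
    combined = own_score + sum(s for _, s in hop_scores(msg))
    if combined < threshold:
        return False
    subject = str(msg.get("Subject", ""))
    del msg["Subject"]
    msg["Subject"] = tag_subject(subject, tag)
    return True


def demo_chain(subject: str = "invoice") -> EmailMessage:
    """A message after two intermediate hops (constructed host names and scores)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    record_hop_score(msg, "mx1.example.net", 1.5)
    record_hop_score(msg, "mx2.example.net", 2.0)
    return msg


if __name__ == "__main__":
    msg = demo_chain()
    print(final_decision(msg, own_score=1.5, threshold=5.0), msg["Subject"])
    print(final_decision(msg, own_score=1.5, threshold=5.0), msg["Subject"])  # no second tag
```

Running `final_decision` twice on the same message leaves a single tag, which is the behaviour the thread asks for; what the intermediate hops do not do is touch the subject at all, so the DKIM-breaking rewrite mentioned elsewhere in the thread happens only once, at the final hop.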





RE: spam subject marking

2022-11-15 Thread Marc
> 
> and i told you that it's useful when a message already passed multiple
> hops which flagged it as spam to outright reject it
> 
> /^Subject: .*\*\*\*\*\*spam\*\*\*\*\* \*\*\*\*\*spam\*\*\*\*\*/ REJECT
> Administrative Prohibition (Subject)

A message is either spam or not, and is marked as spam or not. I don't see how 
telling me 3 times it is spam has any relevance. If you value the information 
created by multiple servers processing the message, then this information 
should be passed differently.





RE: spam subject marking

2022-11-15 Thread Marc
> >
> > I am having repeated occurrences of ***SPAM*** in the subject, maybe it
> is good to stop adding ***SPAM*** if there are already 10 in the
> subject?
> 
> ask the sending admin why in the world he still continues to blow out
> that crap instead trash it
> 
> if there are already two in the subject i reject them with postfix
> header rules

What are you on about? This is for the developers to re-think their design if 
it is necessary to keep adding SPAM


spam subject marking

2022-11-15 Thread Marc

I am having repeated occurrences of ***SPAM*** in the subject, maybe it is good 
to stop adding ***SPAM*** if there are already 10 in the subject?


RE: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Marc

There is no such thing as a default whitelist.

> >>
> >> How do I stop this?  paypal.com   is in the
> default
> >> DKIM whitelist!
> >>
> >
> >
> > score  USER_IN_DKIM_WHITELIST 0
> 
> would affect *every* mail in the default whitelist and so be a knee-jerk
> reaction without brain


RE: Spam DKIM signed by Paypal coming from their Microsoft Tenant?

2022-11-14 Thread Marc
> 
> How do I stop this?  paypal.com   is in the default
> DKIM whitelist!
> 
> 


score  USER_IN_DKIM_WHITELIST 0

?


RE: installing spamass-milter

2022-10-22 Thread Marc
> 
> spamass-milter isn't part of the Spamassassin project and is
> unmaintained by its upstream [https://github.com/andybalholm/spamass-
> milter], so you may have limited support opportunities here.
> 
> What you're seeing here is that the Fedora/EPEL "spamass-milter" package
> has a strong dependency on the complete "spamassassin" package (and thus
> all of its dependencies).  The package maintainer presumably expects
> that spamassassin is running in the same execution domain as your MTA,
> rather than a separate container.
> 
> You could rebuild the spamass-milter package from source, removing the
> spamassassin dependency from the spec file, to avoid this.  You can also
> submit RFE's against this component via this Bugzilla:
> https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW_status=ASSIGN
> ED=Fedora=spamass-
> milter=Fedora=Fedora%20EPEL

Hi Jered, thanks, indeed I rebuilt from source but had to add the spamc binary.


installing spamass-milter

2022-10-22 Thread Marc
WTF is this??? I just need milter to send requests to an external container. 
That should be 1MB install not 315MB. Anyone else having this on a different 
distribution?




Installing:
 spamass-milter  x86_64 0.4.0-13.el9  CentOS9_64-epel  
61 k

Installing dependencies:
 annobin x86_64 10.73-3.el9   CentOS9stream-AppStream 
961 k
 binutilsx86_64 2.35.2-24.el9 CentOS9stream   
4.6 M
 checkpolicy x86_64 3.4-1.el9 CentOS9stream-AppStream 
347 k
 cpp x86_64 11.3.1-2.1.el9CentOS9stream-AppStream  
11 M
 dwz x86_64 0.14-3.el9CentOS9stream-AppStream 
128 k
 efi-srpm-macros noarch 4-9.el9   CentOS9stream-AppStream  
23 k
 elfutils-debuginfod-client  x86_64 0.187-5.el9   CentOS9stream
38 k
 environment-modules x86_64 5.0.1-2.el9   CentOS9stream   
492 k
 fonts-srpm-macros   noarch 1:2.0.5-7.el9.1   CentOS9stream-AppStream  
28 k
 gcc-plugin-annobin  x86_64 11.3.1-2.1.el9CentOS9stream-AppStream  
69 k
 gcc-toolset-12-binutils x86_64 2.38-16.el9   CentOS9stream-AppStream 
5.5 M
 gcc-toolset-12-binutils-gold
 x86_64 2.38-14.el9   CentOS9stream-AppStream 
752 k
 gcc-toolset-12-runtime  x86_64 12.0-5.el9CentOS9stream-AppStream  
55 k
 ghc-srpm-macros noarch 1.5.0-6.el9   CentOS9stream-AppStream 
8.8 k
 glibc-devel x86_64 2.34-40.el9   CentOS9stream-AppStream  
43 k
 glibc-headers   x86_64 2.34-40.el9   CentOS9stream-AppStream 
543 k
 go-srpm-macros  noarch 3.0.9-9.el9   CentOS9stream-AppStream  
27 k
 kernel-headers  x86_64 5.14.0-176.el9CentOS9stream-AppStream 
3.6 M
 kernel-srpm-macros  noarch 1.0-11.el9CentOS9stream-AppStream  
16 k
 libmpc  x86_64 1.2.1-4.el9   CentOS9stream-AppStream  
62 k
 libpkgconf  x86_64 1.7.3-10.el9  CentOS9stream
36 k
 libxcrypt-devel x86_64 4.4.18-3.el9  CentOS9stream-AppStream  
29 k
 llvm-libs   x86_64 14.0.6-1.el9  CentOS9stream-AppStream  
20 M
 lua-srpm-macros noarch 1-6.el9   CentOS9stream-AppStream 
9.5 k
 mailcap noarch 2.1.49-5.el9  CentOS9stream
33 k
 ocaml-srpm-macros   noarch 6-6.el9   CentOS9stream-AppStream 
8.8 k
 openblas-srpm-macrosnoarch 2-11.el9  CentOS9stream-AppStream 
8.4 k
 perl-Algorithm-Diff noarch 1.2010-4.el9  CentOS9stream-AppStream  
48 k
 perl-Archive-Tarnoarch 2.38-6.el9CentOS9stream-AppStream  
72 k
 perl-AutoSplit  noarch 5.74-479.el9  CentOS9stream-AppStream  
31 k
 perl-BSD-Resource   x86_64 1.291.100-17.el9  CentOS9stream-AppStream  
46 k
 perl-Benchmark  noarch 1.23-479.el9  CentOS9stream-AppStream  
36 k
 perl-CPAN-Meta-YAML noarch 0.018-461.el9 CentOS9stream-AppStream  
27 k
 perl-Compress-Raw-Bzip2 x86_64 2.101-5.el9   CentOS9stream-AppStream  
35 k
 perl-Compress-Raw-Lzma  x86_64 2.101-3.el9   CentOS9stream-AppStream  
51 k
 perl-Compress-Raw-Zlib  x86_64 2.101-5.el9   CentOS9stream-AppStream  
61 k
 perl-Crypt-OpenSSL-Bignum   x86_64 0.09-16.el9   CentOS9stream-AppStream  
43 k
 perl-Crypt-OpenSSL-RSA  x86_64 0.31-13.el9   CentOS9stream-AppStream  
44 k
 perl-Crypt-OpenSSL-Random   x86_64 0.15-14.el9   CentOS9stream-AppStream  
27 k
 perl-DB_Filex86_64 1.855-4.el9   CentOS9stream-AppStream  
82 k
 perl-Data-Dump  noarch 1.23-18.el9   CentOS9stream-AppStream  
34 k
 perl-Devel-PPPort   x86_64 3.62-4.el9CentOS9stream-AppStream 
212 k
 perl-Digest-HMACnoarch 1.03-29.el9   CentOS9stream-AppStream  
17 k
 perl-Digest-SHA x86_64 1:6.02-461.el9CentOS9stream-AppStream  
62 k
 perl-DynaLoader x86_64 1.47-479.el9  CentOS9stream-AppStream  
35 k
 perl-Encode-Detect  x86_64 1.01-37.el9   CentOS9stream-AppStream  
90 k
 perl-Encode-Locale  noarch 1.05-21.el9   CentOS9stream-AppStream  
20 k
 perl-Error  noarch 1:0.17029-7.el9   CentOS9stream-AppStream  
42 k
 perl-ExtUtils-Command   noarch 2:7.60-3.el9  CentOS9stream-AppStream  
15 k
 perl-ExtUtils-Constant  noarch 0.25-479.el9  CentOS9stream-AppStream  
56 k
 perl-ExtUtils-Install   noarch 2.20-4.el9CentOS9stream-AppStream  
45 k
 perl-ExtUtils-MakeMaker noarch 2:7.60-3.el9  CentOS9stream-AppStream 
300 k
perl-ExtUtils-Manifest  noarch 1:1.73-4.el9  CentOS9stream-AppStream  
35 k
 perl-ExtUtils-ParseXS   noarch 1:3.40-460.el9CentOS9stream-AppStream 
186 k
 perl-File-Compare   noarch 1.100.600-479.el9 CentOS9stream-AppStream  
23 

RE: shit from serverion

2022-07-11 Thread Marc
Merci beaucoup!

> 
> It looks like there is a quite confusing way to which company IP ranges
> are allocated. Last year I had a case involving an ip from this range:
> 
> % Abuse contact for '31.210.20.0 - 31.210.21.255' is
> 'ab...@serverion.com'
> 
> inetnum:31.210.20.0 - 31.210.21.255
> netname:SERVER-31-210-20-0
> country:NL
> org:ORG-SB652-RIPE
> admin-c:SBAH16-RIPE
> tech-c: SBAH16-RIPE
> status: ASSIGNED PA
> mnt-by: PREFIXBROKER-MNT
> 
> All my attempts to reach out to ab...@serverion.com or any other
> contacts found on their website remained unreplied.
> 
> Finally I contacted: PREFIXBROKER-MNT
> 


RE: shit from serverion

2022-07-11 Thread Marc
Thanks, some of them I did not have yet!

> 
> # Serverion / Des Capital B.V. (2021-08 / 2022-05)
> 2.56.56.0/22 REJECT Blacklisted (SERVER-2-56-56-0 / Serverion BV, NL)
> 2.58.148.0/22 REJECT Blacklisted (SERVER-2-58-148-0 / Serverion BV, NL)
> 31.210.20.0/24 REJECT Blacklisted (SERVER-31-210-20-0 / Serverion BV,
> NL)
> 31.210.22.0/24 REJECT Blacklisted (SERVER-31-210-22-0 / Serverion BV,
> NL)
> 37.0.8.0/21 REJECT Blacklisted (SERVER-37-0-8/12-0 / Serverion BV, NL)
> 45.85.90.0/24 REJECT Blacklisted (SERVER-45-85-90-0 / Serverion BV, NL)
> 45.133.1.0/24 REJECT Blacklisted (SERVER-45-133-1-0 / Serverion BV, NL)
> 45.134.23.0/24 REJECT Blacklisted (SERVER-45-134-23-0 / Serverion BV,
> NL)
> 45.144.225.0/24 REJECT Blacklisted (SERVER-45-144-225-0 / Serverion BV,
> NL)
> 45.144.226.0/24 REJECT Blacklisted (SERVER-45-144-226-0 / Serverion BV,
> NL)
> 62.197.136.0/24 REJECT Blacklisted (SERVER-62-197-136-0 / Serverion BV,
> NL)
> 85.202.168.0/24 REJECT Blacklisted (SERVER-85-202-168-0 / Serverion BV,
> NL)
> 107.182.131.0/24 REJECT Blacklisted (Serverion LLC, DE)
> 136.144.41.0/24 REJECT Blacklisted (SERVER-136-144-41-0 / Serverion BV,
> NL)
> 185.102.170.0/23 REJECT Blacklisted (SERVER-185-102-170-0 / Serverion
> BV, NL)
> 185.239.242.0/24 REJECT Blacklisted (SERVER-185-239-242-0 / Serverion
> BV, NL)
> 193.233.182.0/24 REJECT Blacklisted (Serverion / Des Capital B.V., NL)
> 194.31.98.0/24 REJECT Blacklisted (SERVER-194-31-98-0 / Serverion BV,
> NL)
> 194.99.45.0/24 REJECT Blacklisted (SERVER-194-99-44-0 / Serverion BV,
> NL)
> 195.133.18.0/24 REJECT Blacklisted (US-DELIS-20210528 / Des Capital
> B.V., NL)
> 195.133.38.0/24 REJECT Blacklisted (Serverion, NL)
> 195.133.39.0/24 REJECT Blacklisted (Serverion, NL)
> 212.192.216.0/22 REJECT Blacklisted (Serverion, NL)
> 212.192.244.0/22 REJECT Blacklisted (Serverion, NL)
> 


shit from serverion

2022-06-29 Thread Marc

Today I decided to spend some time getting all the ip's[1] (these are all /24, 
thus you have to add 164.215.103.1-164.215.103.255) of serverion, who is 
sending out a constant stream of crap. I thought about posting it here so you do 
not need to do this work. If you do some random checks, you can see this looks 
weird[2]. Do as you please with this info.


RE: RBL via Spamassasin configuration

2022-06-29 Thread Marc
> 
> On 2022-06-29 10:25, Matus UHLAR - fantomas wrote:
> > Since SpamAssassin does deep header scanning, it's more effective than
> > just use incoming IP at MTA level.
> 
> this is not good, it's a sign of forwarding that forwards spam in the
> first place, that makes the forwarding ip grey, not white/welcomed,
> same shit as sendgrid does
> 
> if sendgrid changes to use per domain sender ips then sendgrid have
> solved it 100%, but they say we have billions of customers so they can't,
> lol

I don't really get what you wrote. There is something for blocking at ip level, 
least resource intensive, and there is an application for doing the advanced 
header/body scans at a later stage.




RE: RBL via Spamassasin configuration

2022-06-28 Thread Marc

> biggest nonsense at all when it comes to spammers given that i added some
> hundreds addresses never existed to collect the bodies for training and
> for the outside world they are still rejects (milter)

How is the guessing of existing email addresses relevant to the current 
discussion? 


RE: RBL via Spamassasin configuration

2022-06-28 Thread Marc


 
> BTW: "spammers also strive to optimize the usage of their resources"
> shows that you know little to nothing!
> 
> they are using infected machines all over the world
> 
> that bots are running completely without any feedback because it would
> make it possible to track the origin
> 
> even if: other than the bots for free *it would* take resources to
> collect the reject states from millions of bots spread all over the
> planet

If your spam network is 10% effective instead of 1% you can ask a higher price 
for your service. So you want to make sure your addresses are up to date. Even 
if you have a bot network that does not report back you still use a small % 
that does inform you. The universal goal is to optimize, this is not different 
for spammers.
That you can not think of a way to optimize spamming, does not mean they are 
not doing it.

It is very difficult to analyse and argue this, unless you really target your 
logging for this. Because if your clients fluctuate, also your email traffic 
fluctuates, your email traffic even fluctuates on periods of the year. I see a 
drop in the garbage (connections) coming from your-server.de since I put them 
on the connection blocking. It does not mean anything unless I start grabbing 
the message bodies before sending the reject.

If you conclude something based on some month, there is no going back on this. 
I know people in IT that did not learn anything in 15 years. As for now, I am 
not really convinced by your arguments.



RE: RBL via Spamassasin configuration

2022-06-28 Thread Marc
> 
> 
> On 28.06.22 at 20:56, Marc wrote:
> > I also believe there is an advantage in rejecting messages, compared
> to just marking them. Rejecting messages will train spam systems not to
> try more.
> > If they know you allow messages through, they will only send you more
> 
> that's nonsense - otherwise "they" would stop sending me messages with
> at the MTA hard rejected subjects

It is not nonsense. It is common logic. Business processes are being optimized, 
spammers also strive to optimize the usage of their resources. Bouncing 
messages are messages not delivered and get noticed, resulting in bots being 
discovered and cleaned.

PS. It is also a bit 'dumb' to conclude this from a month's sample, before the 
information trickles through to the address lists, it takes months I would 
assume. 




RE: RBL via Spamassasin configuration

2022-06-28 Thread Marc
> In trying to setup RBL's with SA, I wanted to make sure the proper way
> to do it.
> I have seen some samples like this
> header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal',
> 'b.barracudacentral.org.')
> describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org
> 
> tflags RCVD_IN_BARRACUDACEN net
> score RCVD_IN_BARRACUDACEN 4.0

Maybe add/choose the value?
header  RCVD_IN_EXAMPLE_RBL  eval:check_rbl('example', 'rbl.example.com.', '127.0.0.1')

I have always had issues with barracuda's false positives, are you sure you 
want to use them?

> 
> Is this actually going out and doing a DNS query or reading from the
> header of the message?
> I think I want to actually do the DNS query and I will cache locally to
> avoid issues and increase performance.

That is what dns servers do, cache. If you have your local dns, these requests 
are probably faster than spamassassin rule processing.

> 
> 
> The last part of my question is, here we score and then based on scoring
> the next part can either quarantine the message or deliver it, but is
> there a way from SA to simply say reject it right there?

Why not use the dns blacklist at the mta? And reject the messages even before 
they are using spamassassin. Imho you should apply simple/basic/fast checks 
first and at the end use resource intensive tasks like spamassassin. 
I also believe there is an advantage in rejecting messages, compared to just 
marking them. Rejecting messages will train spam systems not to try more. 
If they know you allow messages through, they will only send you more.



RE: Understanding FORGED_GMAIL_RCVD and other rules

2022-06-22 Thread Marc

> 
> There is one mailchimp user (an org sending mail news by leveraging

only one ;)


> mailchimp services), whose mails are flagged by our mail gateway servers
> (postfix with amavis and spamassassin) with "FORGED_GMAIL_RCVD".
> 
> I am trying to understand what is wrong with these mails and they
> trigger the "FORGED_GMAIL_RCVD" rule.

I didn't write these rules, but my guess would be because the Host network is 
mailchimp, and the email address is @gmail.com ?

> How should these (and possibly other ones too) rules be treated in
> production systems to avoid banning legitimate mailing list mails?
>

It is very difficult to separate 'legitimate' email from spam, especially at 
mailchimp. I have decided to just block ranges that are emitting 
spam/newsletters that people did not sign up for. 
If legitimate email is blocked, tough luck for the sender. Should they have 
chosen a more professional (not free) service.





RE: OT - Hotmail/Outlook.com marking most of our email as Junk

2022-02-19 Thread Marc
Complain to the European Union. It is not in Microsoft's and google's interest 
to fix this. By frustrating/sabotaging other providers services, they create an 
environment where users are forced to switch to the outlook.com/gmail.com 
cloud. Eg. what you have done is already more than gmail.com is doing, they are 
still working with an spf ~all.

These companies have billions in cash, so there is no reason not to fix this 
problem. This is just a management decision.


> 
> 
>   I am also having a world of trouble getting my emails to Outlook
> users.  For reference, my work domain has one user (me).  I have had the
> account for about 9 months and I have not yet sent 100 emails.  I
> typically send an email to a single recipient, although I will
> occasionally CC a handful of people.
> 
> 
> 
>   What I’ve tried:
> 
> 
> 
>   1.  I have also set up SPF, DKIM, and DMARC.  I’m *pretty sure*
> they’re solid.  Emails still go to junk.
>   2.  Initially, I didn’t have anything actually at the website for
> my domain, so I threw my executive summary into a google site.  Emails
> still go to junk
>   3.  I've checked our public IP and the domain name at
> mxtoolbox.com – no errors, but it warns that a) my
> DMARC policy isn’t q or r, and b) it doesn’t care for my SOA
>   4.  I tried to get on Microsoft’s SDNS and JMRP, but I was not
> able.  I am pretty sure I have a shared IP, but I don’t know how I would
> check that.  Microsoft also suggested I join the Return Path Safe Senders
> program, but I am pretty sure I would need a dedicated IP for that.  In
> any case, I don’t love the idea of paying to get whitelisted so I can send
> 11 emails a month.
>   5.  I’ve checked several sites and my domain isn’t on any
> blacklists.  However, I did register the domain through NameCheap, which
> is on the UCEPROTECT_LVL3 list
>   6.  The domain is relatively new, as I said, but I don’t send any
> bulk mail of any kind from it.  All mail is either to people I
> specifically know, people to whom I have received a personal introduction,
> or people listed as contacts for their organization on public websites
>   7.  My mail is handled by Zoho Mail, so I haven’t done anything
> fancy with the mail server.  If there’s anything I should try, I will, but
> I might need the instructions at a fifth-grade level
>   8.  I am fairly careful with my words, and the emails are
> appropriately long, so I would be surprised if they were getting flagged
> for trigger words.   I have tried mail-tester.com 
> and it did not object to the body of my emails
>   9.  Mail-tester.com claims to test emails against SA, although I
> know this is a contentious point around here.  I bring it up, though,
> because the fact that my TLD is “.space” raised some flags
>   10. When I have called my contacts, they have been as confused as
> I am that they did not receive my emails
>   11. Emails I send to any other domains are never a problem spam-
> wise
> 



RE: Add header, not beginning with X?

2022-02-16 Thread Marc
> >
> >While it seems feasible to do this in postfix, I wanted to explore doing
> it with minimal fuss in SAm or if a FILTER or MILTER might be required.
> >
> >So far I've only found "Basic Message Tagging Options".
> 
> this is not a job for SpamAssassin.
> 
> Perhaps a milter application could do that - there are milter interfaces
> for
> perl, python, so you can make one.
> 

Indeed, only one line in mailfromd (once you have mailfromd you will start 
using it for a lot more ;))

header_add ("X-XXX", "whitelisted $client_addr in whitelist.xx.xxx.x" )


RE: Emails from gmail.com bypassing Spamassassin scoring

2022-02-07 Thread Marc
> 
> All of the other emails that were sent before and after this particular
> email have the X-Spam-Status and X-spam-Report scoring,
> 
> So Spamassassin was running correctly.
> 

So something went wrong with this one. It should have headers, maybe some 
communication problem. I have configured the MTA to process the messages anyway 
if spamd is not available. You can also configure it to bounce the message with a 
'Temporary unable to process'.



RE: Emails from gmail.com bypassing Spamassassin scoring

2022-02-07 Thread Marc
> I have been getting numerous emails lately from various gmail.com
> accounts.  They are spam or phishing emails and today I got one that
> had a subject of RECEIPT 5454 and only a JPG image of an invoice.
> There was no content in the email.
> 
> 
> 
> It bypassed Spamassassin scoring.  Do you know why or what setting I
> need to set so EVERY email goes through Spamassassin scoring procedures?
> 
> 

I do not see X-Spam headers[1], so your spamassassin was not working?


[1]
X-Spam-Status: No, score=-0.4 required=3.0 tests=ALL_TRUSTED,SPF_NEUTRAL,
TVD_SPACE_RATIO,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
4422b522-8a2b-4864-9498-4f2d06aca485


best practice redundant/failover spamd

2022-02-07 Thread Marc
I am testing with containerizing the spamd and I was wondering what would be a 
good solution to configure multiple spamd. What is the general advice on this 
here?



1. multiple instances

If I spawn multiple instances of the same container, I would get multiple ip 
addresses something like:

[@]# dig +short spamassassin.prod.local
192.168.200.246
192.168.200.147
192.168.200.149

It looks like this is still handled sort of ok by the spamass-milter. In case 
the ip is not available I am getting ' spamc[19094]: connect to spamd on 
192.168.200.x failed, retrying'


2. multiple different containers

What if I would create two different containers spamassassin.prod.local and 
spamassassin.dev.local

Is it possible to give multiple hostnames and ports to spamass-milter? 

Or is it better to have some sort of conditional expression in the MTA 
configuration that if one is not available process the other? Which requires a 
milter daemon running for each differently named container (I am currently 
using sendmail)
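As an added example, not from the original post and not spamass-milter's or SpamAssassin's own code, the Python client below speaks the SPAMC CHECK exchange, walks a list of spamd addresses in turn (the behaviour the 'connect to spamd ... failed, retrying' log line above implies), and maps the outcome to an MTA decision, fail-open versus a temporary failure, which is the choice described in the 'Emails from gmail.com bypassing Spamassassin scoring' reply above. The fake spamd, the dead address and the two sample messages are constructed test doubles; the GTUBE test string stands in for spam.

```python
import socket
import socketserver
import threading

# Constructed sample messages. GTUBE is SpamAssassin's standard test string; the fake
# spamd below keys on it instead of running real rules.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
SAMPLE_SPAM = f"Subject: test\r\n\r\n{GTUBE}\r\n".encode()
SAMPLE_HAM = b"Subject: invoice\r\n\r\nPlease find the receipt attached.\r\n"

def build_check_request(message: bytes) -> bytes:
    """SPAMC CHECK request: asks for a verdict and score only, no rewritten message back."""
    header = f"CHECK SPAMC/1.5\r\nContent-length: {len(message)}\r\n\r\n"
    return header.encode("ascii") + message

def parse_spamd_response(raw: bytes):
    """Parse 'SPAMD/1.1 0 EX_OK' + 'Spam: True ; 15.3 / 5.0' into (is_spam, score, required)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    status = lines[0].split()
    if len(status) < 3 or not status[0].startswith("SPAMD/") or status[1] != "0":
        raise RuntimeError("spamd returned an error: " + lines[0])
    for line in lines[1:]:
        if line.lower().startswith("spam:"):
            verdict, _, scores = line[5:].partition(";")
            score, _, required = scores.partition("/")
            return verdict.strip() == "True", float(score), float(required)
    raise RuntimeError("no Spam: line in spamd reply")

def resolve_targets(name: str, port: int):
    """All addresses a name resolves to, e.g. the three A records the dig output above shows."""
    return [(ai[4][0], port) for ai in socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)]

def check_with_failover(message: bytes, targets, timeout: float = 5.0):
    """Try each (host, port) in order; the first reachable spamd wins, otherwise report a tempfail."""
    errors = []
    for host, port in targets:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_check_request(message))
                chunks = []
                while True:
                    data = sock.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            return ("ok",) + parse_spamd_response(b"".join(chunks))
        except (OSError, RuntimeError) as exc:
            errors.append(f"{host}:{port}: {exc}")  # the event spamass-milter logs as 'connect ... failed, retrying'
    return ("tempfail", errors)

def mta_action(result, fail_open: bool) -> str:
    """Constructed policy hook: what the MTA does with the client result."""
    if result[0] == "tempfail":
        return "accept-unscanned" if fail_open else "451 4.7.1 temporarily unable to process"
    return "reject" if result[1] else "deliver"

class FakeSpamdHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for spamd: reads one CHECK request and answers with a fixed score."""

    def handle(self):
        self.rfile.readline()  # request line, e.g. CHECK SPAMC/1.5
        headers = {}
        while True:
            line = self.rfile.readline()
            if line in (b"\r\n", b""):
                break
            key, _, value = line.decode("ascii", "replace").partition(":")
            headers[key.strip().lower()] = value.strip()
        body = self.rfile.read(int(headers.get("content-length", "0")))
        is_spam = GTUBE.encode() in body
        score = 15.3 if is_spam else -0.4
        self.wfile.write(f"SPAMD/1.1 0 EX_OK\r\nSpam: {is_spam} ; {score} / 5.0\r\n\r\n".encode())

def run_demo():
    """One live fake spamd behind one dead address: returns the (spam, ham, all_down) results."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSpamdHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    live = server.server_address[:2]
    with socket.socket() as tmp:  # bind-and-release gives a port nothing listens on
        tmp.bind(("127.0.0.1", 0))
        dead = tmp.getsockname()[:2]
    try:
        spam = check_with_failover(SAMPLE_SPAM, [dead, live])
        ham = check_with_failover(SAMPLE_HAM, [dead, live])
        all_down = check_with_failover(SAMPLE_HAM, [dead])
    finally:
        server.shutdown()
        server.server_close()
    return spam, ham, all_down

if __name__ == "__main__":
    for r in run_demo():
        print(r, "->", mta_action(r, fail_open=True))
```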





RE: updates.spamassassin.org not resolving?

2022-02-06 Thread Marc
> >>
> >> 6.4.3.updates.spamassassin.org. 3600 IN CNAME
> >> 3.3.3.updates.spamassassin.org.
> >> 3.3.3.updates.spamassassin.org. 3600 IN TXT "1897787"
> >>
> >> the "updates.spamassassin.org" itself has no data.
> 
> On 06.02.22 14:27, Marc wrote:
> >Oh ok, I did the dig because I got this
> >
> >bash-5.1$ sa-update
> channel 'updates.spamassassin.org': could not find working mirror, channel
> failed
> 
> should be no big problem. if you really need, find the cron job and run it
> again (you may need to run it under user it runs from cron)

Looks like you get this message also when /var/lib/spamassassin is not writable.


RE: getting spamass-milter to work with remote spamd (on CentOS8)

2022-02-06 Thread Marc
> >  ~]# spamass-milter -h
> > spamass-milter: invalid option -- 'h'
> > spamass-milter - Version 0.4.0
> > SpamAssassin Sendmail Milter Plugin
> > Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]
> >   [-e defaultdomain] [-f] [-i networks] [-m] [-M]
> >   [-P pidfile] [-r nn] [-u defaultuser] [-x] [-a]
> >   [-C rejectcode] [-R rejectmsg] [-g group]
> >   [-- spamc args ]
> 
> Understand the difference between "-d" and "-- -d".
> 

I agree, p 


RE: updates.spamassassin.org not resolving?

2022-02-06 Thread Marc
> >[@svr ~]# dig +short @8.8.8.8 updates.spamassassin.org
> 
> it resolves, but it does not resolve to A record dig searches for by
> default:
> 
> 6.4.3.updates.spamassassin.org. 3600 IN CNAME
> 3.3.3.updates.spamassassin.org.
> 3.3.3.updates.spamassassin.org. 3600 IN TXT "1897787"
> 
> the "updates.spamassassin.org" itself has no data.
> 

Oh ok, I did the dig because I got this 

bash-5.1$ sa-update 
channel 'updates.spamassassin.org': could not find working mirror, channel failed


RE: getting spamass-milter to work with remote spamd (on CentOS8)

2022-02-06 Thread Marc
> On 06.02.22 14:02, Marc wrote:
> >Thanks! Got it to work with this:
> >EXTRA_FLAGS=" -D xx.xxx.xxx -- -p 34219"
> 
> the man page for spamass-milter says:
> 
>  -D host
>  Connects to a remote spamd server on host, instead of using
> one
>  on localhost.  This option is deprecated; use -- -d host
> instead.
> 
> so, 1. it's deprecated, 2. only uses host.
> 

It is not deprecated and -d is for debug.

in source:
  cout << "   -C RejectCode: using this Reject Code." << endl;
  cout << "   -d xx[,yy ...]: set debug flags.  Logs to syslog" << endl;
  cout << "   -D host: connect to spamd at remote host (deprecated)" << endl;
  cout << "   -e defaultdomain: pass full email address to spamc instead of just\n"
          "  username.  Uses 'defaultdomain' if there was none" << endl;
  cout << "   -f: fork into background" << endl;
  cout << "   -i: skip (ignore) checks from these IPs or netblocks" << endl;

on centos8

 ~]# spamass-milter -h
spamass-milter: invalid option -- 'h'
spamass-milter - Version 0.4.0
SpamAssassin Sendmail Milter Plugin
Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]
  [-e defaultdomain] [-f] [-i networks] [-m] [-M]
  [-P pidfile] [-r nn] [-u defaultuser] [-x] [-a]
  [-C rejectcode] [-R rejectmsg] [-g group]
  [-- spamc args ]
   -p socket: path to create socket
   -b bucket: redirect spam to this mail address.  The orignal
  recipient(s) will not receive anything.
   -B bucket: add this mail address as a BCC recipient of spam.
   -C RejectCode: using this Reject Code.
   -d xx[,yy ...]: set debug flags.  Logs to syslog


updates.spamassassin.org not resolving?

2022-02-06 Thread Marc
[@svr ~]# dig +short @8.8.8.8 updates.spamassassin.org
[@svr ~]#





RE: getting spamass-milter to work with remote spamd (on CentOS8)

2022-02-06 Thread Marc
> Usually a SpamAssassin milter can accept additional arguments after ‘--’
> that it will pass to spamc. So:
> 
> spamassassin-milter ...other args... -- -d 192.168.10.243 -p 34219
> 
> Or configure the connection in /etc/spamassassin/spamc.conf, that works
> too.

Thanks! Got it to work with this:
EXTRA_FLAGS=" -D xx.xxx.xxx -- -p 34219"


getting spamass-milter to work with remote spamd (on CentOS8)

2022-02-06 Thread Marc

I have problems configuring the spamass-milter to connect to the remote spamd. 
I am constantly getting

getaddrinfo(192.168.10.243:34219) failed: Name or service not known
could not resolve any hosts (192.168.10.243:34219): no such host

None of these seems to work
-D 192.168.10.243:34219 inet:34219@hostname 

this spamc commandline is processed ok
spamc -d .xxx.xxx -p 34219 < /etc/mail/spamassassin/sample-spam2.txt

Anyone having a remote spamd configured?




Amazon is changing reverse lookups, time to update your configs.

2020-12-20 Thread Marc Roos


Time to update your amazon abuse filters! I was surprised to see I got 
spam again from amazon. They have changed their reverse lookups. I guess 
there were quite a few 'blacklists' using amazonses.com. Good to see 
blacklisting bigger organizations still works.



Flow chart processing messages available?

2020-12-17 Thread Marc Roos


I was wondering if there is a flow chart available of how spamassassin 
is processing messages by default?


RE: Are these valid email headers?

2020-12-06 Thread Marc Roos
 
>> with HTTPS (ZuckMail)

WTF this guy is mental

https://www.zerohedge.com/news/2018-03-25/dumb-f-ks-julian-assange-reminds-us-what-mark-zuckerberg-thinks-facebook-users





-Original Message-
From: @lbutlr [mailto:krem...@kreme.com] 
Sent: zondag 6 december 2020 7:42
To: users@spamassassin.apache.org
Subject: Re: Are these valid email headers?

On 05 Dec 2020, at 13:03, John Capo  wrote:
> On Sat, December 5, 2020 14:30, Loren Wilton wrote:
>> I don't have a Facebook account and don't know anyone on Facebook 
>> that would send me mail (and don't want to!), so I have absolutely no 
>> idea if these headers from recent spams are completely made up out of 
>> the air (and thus spam signs) or are valid headers.
>> 
>> Can anyone tell me if this stuff is valid or obviously fake?
>> 
>> 
>> X-Facebook: from 2401:db00:1050:208b:face:0:4f:0 ([MTI3LjAuMC4x]) by 
>> www.facebook.com with HTTPS (ZuckMail); X-Priority: 3
>> X-Mailer: ZuckMail [version 1.00]
>> X-Facebook-Notify: skipped_password_change;
>> mailid=5ac39662d1c08G5af32c89e396G5ac39afc31edaG569 Feedback-ID:
>> 509:skipped_password_change:Facebook
>> X-FACEBOOK-PRIORITY: 0
>> X-Auto-Response-Suppress: All
>> Require-Recipient-Valid-Since: gouldi...@earthlink.net; Sunday, 29 
>> Nov 2009
>> 00:17:08 +
> 
> Except for mailid: I see those headers in mail from Facebook.

Yeah, I use X-Facebook to auto-junk mail to me. For me it is 100% spam 
sign, but then again I refuse to use Facebook.


--
You have severe reading comprehension problems that I can not be held
responsible for.





RE: Legitimate message being flagged as spam

2020-11-29 Thread Marc Roos
 
I see secureserver.net and sendgrid.net, of course it gets flagged. I am 
constantly harassed by these networks. I would not recommend using 
secureserver.net, I think those servers are easy to hack, otherwise I 
would not even know this network.



-Original Message-
From: Daryl Rose [mailto:rosed...@gmail.com] 
Sent: zondag 29 november 2020 16:41
To: users@spamassassin.apache.org
Subject: Legitimate message being flagged as spam

I get an email/receipt from a vendor on a payment made.  This message 
continuously gets flagged as spam even though I've added it to the 
whitelist_from.cf list.  


Received: (qmail 26946 invoked by uid 30297); 27 Nov 2020 20:52:17 
-
Received: from unknown (HELO 
p3plibsmtp02-04.prod.phx3.secureserver.net)
 ([68.178.213.4])
  (envelope-sender
 @sendgrid.net>)
  by p3plsmtp23-04-26.prod.phx3.secureserver.net 
(qmail-1.03) with
 SMTP
  for ; 27 Nov 2020 20:52:17 -
Received: from o1.3nn.shared.sendgrid.net ([167.89.100.129])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 
bits)
(Client did not present a certificate)
by CMGW with ESMTP
id ikj3kLwOeFeQXikj3kiQrL; Fri, 27 Nov 2020 13:52:17 -0700
X-CMAE-Analysis: v=2.4 cv=SdYyytdu c=1 sm=1 tr=0 ts=5fc16701 b=1 
cx=a_idp_nop
 a=d87GDerR7hnUjA61tTL9RQ==:117 a=d87GDerR7hnUjA61tTL9RQ==:17
 a=kj9zAlcOel0A:10 a=zPYWiABU:8 a=5-f5ixlAKy49-4MjWEkA:9
 a=O-7aY5Sf57aUu7p3:21 a=_W_S_7VecoQA:10 a=CjuIK1q_8ugA:10 
a=5LfDJFqq-uUA:10
 a=AWL3az150N33eOPX4RKm:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 
a=UDnyf2zBuKT2w-IlGP_r:22
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=sendgrid.net;
h=from:subject:mime-version:to:content-type:content-transfer-encodi
ng;
s=smtpapi; bh=5/eVCwWUZDl73ybzUYFmyMNdYNgvUvrvS9S5NJHu8QU=;
b=kDKnSU9Bb2Mi5khPiwjinzdlOorchkBuNfEWHSiqVeWqCaZPHmztDB3ZeQXPLVkVb
LuH
6NgvFXajs2aidTnh9bSKSMn4RaTPC+nvQU4DxFoXj0dL9yy9rjBGsdmS0BBD6+qzBl6
gSi
i2UwAMxRGXKbODjK5T5Ll1us3XKXKt9cI=
Received: by filterdrecv-p3iad2-5dc87598f5-8bxxp with SMTP id
 filterdrecv-p3iad2-5dc87598f5-8bxxp-19-5FC16700-AD
2020-11-27 20:52:16.878084415 + UTC m=+951689.287978429
Received: from spiderdoor.com (unknown)
by ismtpd0118p1mdw1.sendgrid.net (SG) with ESMTP
id ceyKf2F5QpyH7v63ZKS3nA
Fri, 27 Nov 2020 20:52:16.783 + (UTC)
Date: Fri, 27 Nov 2020 20:52:16 + (UTC)
From: no-re...@spiderdoor.com
Message-ID: <5fc1670079f34_26fd3171828...@api1.mail>
Subject: Payment Receipt for Unit G030 - paid from SpiderApp
Mime-Version: 1.0
X-SG-EID: 
 
=?us-ascii?Q?nNFctdm0BWd6iTjLSzehWYRyQOg6=2FUycD+ddLrh9vGVcvZBTHPJYDTCVi
DqyYQ?=
 =?us-ascii?Q?Li3bEIOOksE35=2FhSgezGSc37DN46Fkbxk1TO9E8?=
 =?us-ascii?Q?MGQPgTWt6k58DhiRQTG0=2F+79xc=2FO7jtyaG0XkLO?=
 =?us-ascii?Q?1DjUXyElg+pd9Ry=2Fm1Wy7CmJWR0I1zJgLk=2FUjTC?=
 =?us-ascii?Q?=2F7EUOycJlpjn1eLS5JSN9MBpwsXNk7EKGYPvDxO?=
 =?us-ascii?Q?duJHjPbILEuJJjx1g=3D?=
To: i...@myspace.rent, 
X-Entity-ID: eEuAPys4acQ9ere1FZlp6A==
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: 
 
MS4xfLrAfEKlWNG6dcz1a05VWlMXnGyOE7soLGjybMz1QFzvpZ8a8cRDyTGNbMY9ezX311xK
b9zb5aWg3AtH7xkCUlT7kaAYASl+bOfJ3EEdSfKKIoPXjO+i
 
gjrerNiIxiRiWOcLF0BuxQKyIc/5BN0U4rxx20N0k1kPbaXyR06Ty99IgAWy9imxFxsms0GP
03MmGWur7XyGwMcP6r/JKJ3ntGwGN1Diolw7WC+ywjp9VBM5
 X6m7dicNVVVO+LUx/qLWyQ==
X-Nonspam: None





Any idea why it gets flagged and what rule I need to put in place to 
prevent it from happening?

Thank you.

Daryl

 




RE: contact from blacklist

2020-11-20 Thread Marc Roos
 

Url blacklists? Maybe paste some headers here?



-Original Message-
To: users@spamassassin.apache.org
Subject: contact from blacklist

Hi everyone,

lately I get more and more spam from so called contact forms.

Does anyone know a blacklist for this?

Kind regards
Philipp

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Managing Director: Werner Grafenhain

Privacy information: www.digionline.de/ds




RE: What can one do abut outlook.com?

2020-11-20 Thread Marc Roos
 
Thanks for the update! Although I am not really an advocate for blocking 
people. 



-Original Message-
To: users@spamassassin.apache.org
Subject: Re: What can one do abut outlook.com?

On 26/10/20 5:17 am, Marc Roos wrote:
>> make a reality check outside your small bubble!
> typical low iq response. I was already discussing the validity of 
> these soccerplayer contracts before they had to change the system.
>
Afternoon Marc.

Just thought I'd let you know this same person was blocked from CentOS 
mailing list a while back due to trolling.  I'm not sure the chemicals 
deep in his noggin work as they are supposed to.  On the CentOS mailing 
list, we stopped feeding the troll and I, specifically, made sure that 
I'd never again see an email from his likes.  I wonder if the 
SpamAssassin admins could just as well stop feeding the troll here as 
well.  By stop I mean block it at the entrance.

Not knowing how many sunrises and sunsets the troll has seen, I'd want 
to hope that it's seen enough to warrant an expedient expiry - but I can 
only wish.

In the meantime, enjoy the comedy that it is.





RE: different Return-Path: and From:

2020-10-30 Thread Marc Roos
 

> so you want your own messages blocked everywhere?

I do not know yet. I can assume this differs on something like a 
mailing list. It is irritating that the From has a credible name, in 
this case from a bank.




different Return-Path: and From:

2020-10-30 Thread Marc Roos
 
I had a phishing mail skip my spf check. The spf check was done on the 
Return-Path and not the From:. Is this a default convention? How does 
spamassassin treat a different Return-Path and From in a message? 
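As an added example, not from the original post, here is a small Python check that extracts the Return-Path domain (the envelope sender an SPF check like the one in the post is evaluated against) and the From: domain the recipient actually sees, and reports whether the two align. The three messages are constructed; the mailing-list case is included because, as the follow-up reply above notes, the two addresses can legitimately differ, so a mismatch is a signal to score, not a verdict on its own. The organizational-domain helper is a simplification (last two labels) and is labelled as an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the case in the post: SPF passes for the envelope
# sender in Return-Path while the visible From: carries a credible, unrelated name.
PHISH_MESSAGE = """\
Return-Path: <bounce@mailer.example-sender.net>
Received-SPF: pass (mx.example.org: domain of bounce@mailer.example-sender.net designates 192.0.2.10 as permitted sender)
From: "Example Bank Security" <security@examplebank.example>
To: user@example.org
Subject: Please confirm your account

Your account will be suspended unless you act now.
"""

# Constructed mailing-list message: Return-Path is the list's bounce address, From: is the
# poster at a different organisation. Legitimate, yet the two domains do not align.
LIST_MESSAGE = """\
Return-Path: <users-bounces@lists.example.net>
Received-SPF: pass (mx.example.org: domain of users-bounces@lists.example.net designates 192.0.2.20 as permitted sender)
From: Alice <alice@otherorg.example>
To: users@lists.example.net
Subject: [users] weekly notes

Hello list.
"""

# Constructed newsletter: a bounce subdomain of the same organisation as the From: domain.
NEWSLETTER_MESSAGE = """\
Return-Path: <bounces@bounce.example.com>
Received-SPF: pass (mx.example.org: domain of bounces@bounce.example.com designates 192.0.2.30 as permitted sender)
From: News <news@example.com>
To: user@example.org
Subject: Monthly update

Hello reader.
"""

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption: DMARC proper uses the
    Public Suffix List, so this is wrong for names such as example.co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def _addr_domain(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased ('' when absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def from_alignment(raw: str, strict: bool = False) -> dict:
    """Compare the Return-Path domain (what SPF was evaluated against) with the From: domain."""
    msg = message_from_string(raw)
    rp = _addr_domain(msg.get("Return-Path", ""))
    frm = _addr_domain(msg.get("From", ""))
    spf_pass = bool(re.match(r"\s*pass\b", msg.get("Received-SPF", ""), re.IGNORECASE))
    if not rp or not frm:
        aligned = False
    elif strict:
        aligned = rp == frm
    else:
        aligned = org_domain(rp) == org_domain(frm)
    return {"return_path": rp, "from": frm, "spf_pass": spf_pass, "aligned": aligned,
            # Only an aligned SPF pass says anything about the From: the reader sees.
            "from_authenticated": spf_pass and aligned}

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MESSAGE), ("list", LIST_MESSAGE), ("newsletter", NEWSLETTER_MESSAGE)):
        print(name, from_alignment(raw))
```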




RE: What can one do abut outlook.com?

2020-10-27 Thread Marc Roos



>> That is why it is important to read and use the brain, otherwise you
>> wander off the subject.

>what do *you* know about brain when you don't realize that it's simply 
>not doable to fight against spam by fight against large providers as 
>outlook.com?

Because I understand eg there is a difference between theoretical, 
practical and maybe even legal point of view.

>overall there amount of bad clients is *low* compared to the total 
>number of clients

How is that % relevant? I only care that I receive spam, and I have
to put effort/work/time into resolving it.

>if all the customers of outlook.com would be served by clueless idiots 
>like yours which means spread over thousands of clueless providers the 
>outcome would be much worse

I am not so sure about this. Email services are easier to set up, 
thus come quite equal to bigger providers. 
Smaller providers have better/more contact with their clients. Can 
instruct eg clients not to use the network for newsletters. 
Smaller providers have more system administrators per 1000 clients than
bigger companies, thus more hours to spend on support/abuse etc.
Smaller providers are easier to blanket block, so they are forced to 
maintain higher quality of service.
Failing to see this, has the same origin as you fail to detect 
intelligence. 


> you can block what you want on your home-pet-server but you really don't 
> understand how legit business works

You do not get the bigger picture, you basically are doing the work the
bigger providers should do or pay you to do. In this regards, the 
Net neutrality discussion is very similar.

>proven by your bullshit of "are you guys paid by them" while the truth 
>is that my and other customers of whatever mailservice want their 
>fucking *legit mail* received and not thrown out with the bathwater

The use of dnsbl to reject mail is ages old. I did not invent this. The 
process is very simple. You receive spam from an ip, you eventually block 
the ip from delivering mail. 
How can it be your fault, if that provider is trying to send legitimate 
mail via that blocked ip? It is this provider's fault. They have countless 
options to mitigate this situation, but they are just too lazy to do this. 
One for instance would be to put free new accounts on a different outgoing 
ip range than long time high paying customers. Separate newsletters from 
regular outgoing mail, etc.


> not everybody who is in the business for decades is a supporter of big 
> ISP's, the opposite is true, otherwise we just would use them at our own

If you are long in business, you have experience, and one is likely to 
have such a point of view.

> the point is: everybody but you has to deal with the real world
> if it's just me microsoft, amazon and guess what can die tomorrow and i 
> couldn't care less, but as long as they exist and as long they are used 
> by millions of legit customers it is what it is

Indeed and that is why this is a problem. 





RE: What can one do abut outlook.com?

2020-10-26 Thread Marc Roos
 
That is why it is important to read and use the brain, otherwise you 
wander off the subject.



-Original Message-
Sent: Monday, October 26, 2020 4:48 PM
To: John Wilcock
Cc: users
Subject: Re: What can one do abut outlook.com?

Let's remember you're arguing with someone who clearly doesn't run 
any sort of commercial email system because no sane person selling boxes 
can simply block outlook...



On Oct 26, 2020, at 5:44 AM, John Wilcock  wrote:


The problem with your analogy is that you are not just interacting 
with one unwelcome neighbour with a defective washing machine, but with 
dozens of neighbours whose washing machines work perfectly but who 
happen to share the same plumber as the unwelcome one. And in many cases 
these people aren't just your neighbours but potential clients of yours. 
If you refuse to deal with them on the basis that they use that plumber, 
you're the one who will lose business.

I'm not sure the analogy works all that well, but hopefully you get 
my point. Outlook.com, Google and Amazon all have millions of legitimate 
customers from whom you might receive genuine email, and if you block 
them because of their (relatively few) unwelcome customers, you're 
throwing the baby out with the bathwater. 

-- 
John

 

On 2020-10-25 18:48, Marc Roos wrote:

Are you guys working for Google or Amazon or so? Maybe I should give 
a simple analogy so you understand. 

If your neighbour's washing machine breaks down and causes you water 
damage, they have to pay for cleaning up the mess they created in your 
apartment. If the neighbour spills oil on your parkway, they have to 
clean it up.

Your reasoning resembles:

- the neighbour does have to use their washing machine every time, so I 
will just clean up their mess every time.
- it is only once every 3 times the neighbour uses his washing machine 
that he floods my apartment, so that is ok.
- the neighbour has kids, they cannot be held responsible for dad 
flooding my apartment every week. So I will not ask the landlord to evict 
them. I will just clean up their mess every week year after year.
- the neighbour floods my apartment every week, I think I will teach him 
this week how to use the washing machine. 
- the neighbour floods my apartment every week, I think I will replace 
my wooden floor with some plastic foil.
RE: What can one do abut outlook.com?

2020-10-26 Thread Marc Roos




> The problem with your analogy is that you are not just interacting 
> with one unwelcome neighbour with a defective washing machine, 
> but with dozens of neighbours whose washing machines work perfectly 
> but who happen to share the same plumber as the unwelcome one.

I think you prove yourself wrong, because later you just write 
Google, Outlook and Amazon and not company A, company B, company XX. 
Everyone is in the same apartment. 

> And in many cases these people aren't just your neighbours but 
> potential clients of yours. If you refuse to deal 
> with them on the basis that they use that plumber, you're the one who 
> will lose business.

That is beside the point. But I agree, it does complicate executing this 
point of view. That is why I think that big companies are not good in 
general. 

> I'm not sure the analogy works all that well, but hopefully you get my 
> point.
> Outlook.com, Google and Amazon all have millions
> of legitimate customers from whom you might receive genuine email, and 
> if you block them because of their (relatively few)
> unwelcome customers, you're throwing the baby out with the bathwater. 

To me it is very simple. An ip address gets blocked when it sends out 
spam/phishing/abuse etc. I assume you have also been using dns blacklists 
to reject email. This has been a very old practice. If Google sends 
messages from a legitimate client via the same ip as that of a spammer, 
that is Google's responsibility, so these legitimate clients should 
complain to Google.
If Google supplies me with software that will block spam from such an 
ip and let through legitimate email from the same ip (or pays someone to 
sit in my office to do it for them), I will be the first to use it.



 



RE: What can one do abut outlook.com?

2020-10-25 Thread Marc Roos


> make a reality check outside your small bubble!

Typical low-IQ response. I was already discussing the validity of these 
soccer player contracts before they had to change the system.

> when you have millions of customers you can do whatever you want all 
> day long and you are 
> simply not able to remove every spammer or suspend every hacked 
> account in realtime

No not at all. No free accounts, and every mail account costs 10 us$ per 
month. I will bet you that the outgoing spam is being reduced by more 
than 50%.

I do not care if Google's profits drop by XX%. Why do you?

> and no you can't do that fully automated because filtering of 
> authenticated mail submission is way harder 
> because there are no received-headers and you can't apply any useful 
> DNSBL because your customers are on
> dial-up networks by definition

Make spamming expensive, not free.

> i love it how poor idiots with their "me-and-my-family" setup believe 
> the world is that simple - if it would be that simple
> spam won't exist at all for years

I assume your education did not include logics.




RE: Blocking by country/ASN/IP/domain

2020-10-25 Thread Marc Roos


I have been looking into exactly the same, don't know how I am going to 
implement it still. What I know for now.

This is how you can get info on a netblock owner. 

[@]$ dig +short -t txt 80.53.103.176.origin.asn.cymru.com
'48031 | 176.103.48.0/20 | UA | ripencc | 2011-12-09'

You can then either decide to mark everything as spam with spamassassin 
or block/reject it via a milter or so. Combined with this you can then 
whitelist only this network's official outgoing smtp servers.



 

-Original Message-
From: Alex [mailto:mysqlstud...@gmail.com] 
Sent: Sunday, October 25, 2020 6:50 PM
To: SA Mailing list
Subject: Blocking by country/ASN/IP/domain

Hi, I have a spamassassin-3.4.4 install with amavisd-2.12 and postfix on 
fedora32 and would like to be able to block email from an entire country 
on a per-user or per-domain basis. What is the best way to do this?

I'm currently using the RelayCountry plugin and Amavis::Custom to add an 
X-Relay-Countries header to each email, and have a series of rules of 
the form:

header  RELAYCOUNTRY_JP X-Relay-Countries =~ /JP/
describeRELAYCOUNTRY_JP Relayed through Japan
score   RELAYCOUNTRY_JP 0.1

I've also been considering blocking by ASN or IP, but I believe it would 
be the same problem just presented in a different way.

How do I tie this into amavisd so that I can allow individual users to 
control their own email? Perhaps this is done in a policy_bank?
Perhaps I would analyze the X-Relay-Countries header directly instead of 
processing the resulting RELAYCOUNTRY_JP rule, for example?
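Added example for this thread (not code from the posts, from SpamAssassin or from amavisd): it parses the Cymru origin-ASN TXT record from the reply above, reads the X-Relay-Countries header the RelayCountry plugin adds, and evaluates a per-recipient policy in the order a practitioner would want: the network's official outgoing servers are allowlisted first, a blocked origin ASN is rejected, and a blocked relay country is only tagged as spam. No DNS is done; the TXT answer is parsed from the string `dig +short -t txt` prints. The policy table, the allowlisted host and the second sample record (documentation space, AS64496 / 198.51.100.0/24) are constructed for the example.

```python
"""
Per-recipient relay policy on top of the Team Cymru origin-ASN TXT lookup and
the X-Relay-Countries header.  Added example, not SpamAssassin/amavisd code.
"""
import ipaddress
import re
from dataclasses import dataclass, field

CYMRU_ZONE = "origin.asn.cymru.com"

# "48031 | 176.103.48.0/20 | UA | ripencc | 2011-12-09".  A multi-origin
# prefix lists several AS numbers in the first field ("48031 7018 | ...").
_CYMRU_TXT = re.compile(
    r"^\s*([\d\s]+?)\s*\|\s*(\S+)\s*\|\s*([A-Z]{2})\s*\|\s*(\w+)\s*\|\s*([\d-]+)\s*$"
)


@dataclass(frozen=True)
class Origin:
    asns: tuple                      # origin AS number(s)
    prefix: ipaddress.IPv4Network    # announced prefix covering the IP
    country: str                     # registry country of the allocation
    registry: str
    allocated: str


def cymru_query_name(ip: str) -> str:
    """Reverse the octets: 176.103.53.80 -> 80.53.103.176.origin.asn.cymru.com."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + CYMRU_ZONE


def parse_cymru_txt(record: str) -> Origin:
    """Parse one TXT record as printed by dig, with either kind of quoting."""
    m = _CYMRU_TXT.match(record.strip().strip("'\""))
    if not m:
        raise ValueError(f"unexpected Cymru answer: {record!r}")
    asns = tuple(int(a) for a in m.group(1).split())
    return Origin(asns, ipaddress.ip_network(m.group(2)), m.group(3),
                  m.group(4), m.group(5))


@dataclass
class Policy:
    """What one recipient (or one domain's policy_bank) wants done."""
    blocked_countries: set = field(default_factory=set)   # ISO codes
    blocked_asns: set = field(default_factory=set)        # ints
    # Official outgoing MTAs of a blocked network we still accept from
    # (the whitelist suggested above); CIDR strings, converted below.
    allowed_hosts: set = field(default_factory=set)

    def __post_init__(self):
        self.allowed_hosts = {ipaddress.ip_network(h) for h in self.allowed_hosts}


def relay_countries(header: str) -> list:
    """X-Relay-Countries is space separated, one code per untrusted relay."""
    return [c.upper() for c in header.split()]


def decide(policy: Policy, relay_ip: str, x_relay_countries: str,
           origin: Origin) -> tuple:
    """Return (verdict, reason): allowlist first, then ASN reject, then
    country tagging.  The two country sources differ on purpose: Cymru gives
    the registry country of the prefix, RelayCountry a GeoIP guess per relay."""
    addr = ipaddress.IPv4Address(relay_ip)
    if addr not in origin.prefix:
        raise ValueError(f"{origin.prefix} does not cover {relay_ip}")
    if any(addr in net for net in policy.allowed_hosts):
        return "accept", f"{relay_ip} is an allowlisted outgoing server"
    hit = sorted(set(origin.asns) & policy.blocked_asns)
    if hit:
        return "reject", f"AS{hit[0]} ({origin.prefix}) is blocked"
    bad = [c for c in relay_countries(x_relay_countries)
           if c in policy.blocked_countries]
    if bad:
        return "spam", f"relayed through blocked country {bad[0]}"
    return "accept", "no policy match"


if __name__ == "__main__":
    # The record quoted in the reply above, plus a constructed one on
    # documentation address space (AS64496, 198.51.100.0/24).
    ua = parse_cymru_txt("'48031 | 176.103.48.0/20 | UA | ripencc | 2011-12-09'")
    doc = parse_cymru_txt('"64496 | 198.51.100.0/24 | US | arin | 2001-01-01"')
    per_user = Policy(blocked_countries={"JP"}, blocked_asns={48031},
                      allowed_hosts={"176.103.48.10/32"})   # constructed
    print(cymru_query_name("176.103.53.80"))
    print(decide(per_user, "176.103.53.80", "UA", ua))      # reject: AS48031
    print(decide(per_user, "176.103.48.10", "UA", ua))      # accept: allowlisted
    print(decide(per_user, "198.51.100.7", "US JP", doc))   # spam: relayed via JP
```

One Policy per recipient (or per amavisd policy_bank) is enough to get the per-user control asked for; the milter or amavis hook only has to pick the Policy for the envelope recipient and act on the verdict.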




RE: What can one do abut outlook.com?

2020-10-25 Thread Marc Roos


Are you guys working for Google or Amazon or so? Maybe I should give 
a simple analogy so you understand. 

If your neighbour's washing machine breaks down and causes you water 
damage, they have to pay for cleaning up the mess they created in your 
apartment. If the neighbour spills oil on your parkway, they have to 
clean it up.


Your reasoning resembles:

- the neighbour does have to use their washing machine every time, so I 
will just clean up their mess every time.
- it is only once every 3 times the neighbour uses his washing machine 
that he floods my apartment, so that is ok.
- the neighbour has kids, they cannot be held responsible for dad 
flooding my apartment every week. So I will not ask the landlord to evict 
them. I will just clean up their mess every week year after year.
- the neighbour floods my apartment every week, I think I will teach him 
this week how to use the washing machine. 
- the neighbour floods my apartment every week, I think I will replace 
my wooden floor with some plastic foil.





 



RE: What can one do abut outlook.com?

2020-10-25 Thread Marc Roos



> all huge mail providers with thousands/millions of customers, so there 
> is no wonder there is spam included.

Google, Amazon and Microsoft have billions of cash. It is indeed a 
wonder how they are not spending it on outgoing mail detection.

> mail services to a mono-culture of single huge providers, but you cannot 
> block them just for being huge providers.

Nobody was saying so. Best is to block just the ip addresses that you 
receive spam from. Their network will reroute emails. But if their ip 
addresses are randomly blocked by many other providers, all their queues 
will start using more resources bouncing around mails, having to explain 
to their clients why sometimes a mail is sent and sometimes rejected, 
costs increase, thus more incentive to kick out spammers or spend more 
on prevention.

> If you block something, you have to ask yourself: How many innocent, 
> unsuspecting legitimate senders

Who cares, these "unsuspecting legitimate senders" should take their 
business somewhere else. 

> I'm blocking as well as the spammers? If 
> you block even one innocent sender as collateral damage, you should not 
> block that email provider, regardless how annoying it is.

What nonsense. This is how spammers currently work, mix legitimate 
mail with spam. Just block ips, it is not your fault they are sending 
you spam. Nobody can blame you if you do not want to do the work that 
Amazon, Google and Microsoft should be doing.




RE: check doman against uri bl of spamassassin

2020-10-22 Thread Marc Roos
>> :D I thought I could query the blacklists from the command line with 
>> dig or so
>
> You can, at least in principle, but it would not be a single command or 
> a well-defined small set of commands if you don't have SA installed and 
> want to know the SA penalty of an URI in a particular domain.
>
> The rules files in the default rules channel have 23 active urirhssub 
> rules defined. They reference 4 URIBL zones, 3 of which are multiplexed:
>
> dbl.spamhaus.org.
> dob.sibl.support-intelligence.net
> multi.surbl.org.
> multi.uribl.com.
>
> So you COULD just check a domain such as example.com like this:
>
>    dig example.com.dbl.spamhaus.org. 
> example.com.dob.sibl.support-intelligence.net. 
> example.com.multi.surbl.org. example.com.multi.uribl.com.

Oh ok, that sounds indeed simple. I thought there was more to it. 
This means that with such an implementation, if you have a blog 
collection site like wordpress.com and one wordpress.com/xxx 
site gets listed, all are listed.

> Figuring out what the results of such a search means would require you 
> to look up the return codes and what they mean for each of those URIBLs. 
> Figuring out what the cumulative SA score would be of a particular 
> domain would require you to check the current score files in the rules 
> distribution.

No, that is not necessary, I just need to know if it is possible to query 
these blacklists for existence.

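Added example for this exchange (not code from the posts or from SpamAssassin): the lookup the quoted `dig` line does, as a small client. It trims a URI's host to the registrar boundary before building the query names, which is the step behind the wordpress.com observation above (one listing of the registrable domain covers every site under it), treats only answers in 127/8 as a listing, surfaces the 127.255.255.x codes Spamhaus returns for query errors instead of counting them as hits, and applies bitmask rules in the form of SpamAssassin's `urirhssub NAME zone A mask` lines. No network I/O is done: the resolver is a callable you pass in (wrap dnspython for real use) and the answers below are a constructed fixture. The suffix set and the rule masks are illustrative assumptions; the live masks come from the current rules files, and dbl.spamhaus.org uses 127.0.1.x codes that SA matches differently, so no rule for it is shown.

```python
"""
URIBL lookup of a URI's registrable domain against the four zones named in
the thread.  Added example, not SpamAssassin code; answers are a fixture.
"""
import ipaddress
from urllib.parse import urlsplit

# Zones from the quoted post, trailing dots normalised.
URIBL_ZONES = (
    "dbl.spamhaus.org",
    "dob.sibl.support-intelligence.net",
    "multi.surbl.org",
    "multi.uribl.com",
)

# Constructed stand-in for a public-suffix list: under these the registrable
# domain is one label deeper.  Real lists are far larger; this only shows
# the registrar-boundary step.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

LISTED = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus reports query problems (zone typo, public resolver, rate limit)
# as 127.255.255.x; those are not listings and must not score.
ERROR = ipaddress.ip_network("127.255.255.0/24")


def registrable_domain(host: str) -> str:
    """Trim to the registrar boundary: foo.wordpress.com -> wordpress.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a domain: {host!r}")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def domain_from_uri(uri: str) -> str:
    """Registrable domain of a URI; a scheme-less 'www.example.com/x' works too."""
    parts = urlsplit(uri if "//" in uri else "//" + uri)
    if not parts.hostname:
        raise ValueError(f"no host in {uri!r}")
    return registrable_domain(parts.hostname)


def query_names(domain: str) -> list:
    """The names the quoted dig command asks for."""
    return [f"{domain}.{zone}" for zone in URIBL_ZONES]


def lookup(domain: str, resolve) -> dict:
    """resolve(name) -> list of A-record strings ([] on NXDOMAIN).
    Returns {zone: [codes]} for zones that list the domain."""
    hits = {}
    for zone, name in zip(URIBL_ZONES, query_names(domain)):
        codes = []
        for answer in resolve(name):
            addr = ipaddress.ip_address(answer)
            if addr in ERROR:
                raise RuntimeError(f"{zone} rejected the query: {answer}")
            if addr in LISTED:          # anything outside 127/8 is not a listing
                codes.append(addr)
        if codes:
            hits[zone] = codes
    return hits


# (rule, zone, bitmask on the last octet), in the shape of
#   urirhssub URIBL_BLACK multi.uribl.com. A 2
# Masks here are illustrative; take live values from the rules files.
RULES = [
    ("URIBL_BLACK", "multi.uribl.com", 2),
    ("URIBL_GREY", "multi.uribl.com", 4),
    ("URIBL_PH_SURBL", "multi.surbl.org", 8),
    ("URIBL_MW_SURBL", "multi.surbl.org", 16),
]


def rule_hits(hits: dict) -> list:
    """Names of the bitmask rules that fire on a lookup result."""
    fired = []
    for rule, zone, mask in RULES:
        if any(int(code) & 0xFF & mask for code in hits.get(zone, [])):
            fired.append(rule)
    return fired


# Constructed fixture standing in for DNS answers (example.com is not
# really listed anywhere; it is the domain the thread used).
FIXTURE = {
    "example.com.multi.uribl.com": ["127.0.0.2"],
    "example.com.multi.surbl.org": ["127.0.0.24"],   # 8 (PH) | 16 (MW)
}


def fixture_resolver(name: str) -> list:
    return FIXTURE.get(name, [])


if __name__ == "__main__":
    dom = domain_from_uri("http://some.blog.example.com/post/1")
    found = lookup(dom, fixture_resolver)
    print(dom, found, rule_hits(found))
```

Whether a hit should also score is a separate question: the zone's return-code table says what a code means, and the score files say what SA charges for the rule, exactly as the quoted reply points out.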
