Re: [Mailman-Users] Easy question for this crowd
I wish. All my listservers are on various shared hosts running cPanel. An experience not unlike making love in haz-mat suits... :-/

-Chip-

On 6/2/2019 11:17 AM, Mark Sapiro wrote:
> On 6/2/19 7:49 AM, Chip Davis wrote:
>> Thanks to Mark's help crafting the proper RE, I haven't had an '.icu'
>> UCE in over 15 hours (knock wood).
>
> If you have access to Mailman's logs, the discards are logged in the
> 'vette' log with entries like
>
> Message discarded, msgid: <...>

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Easy question for this crowd
On 6/2/19 7:49 AM, Chip Davis wrote:
>
> Thanks to Mark's help crafting the proper RE, I haven't had an '.icu'
> UCE in over 15 hours (knock wood).

If you have access to Mailman's logs, the discards are logged in the 'vette' log with entries like

Message discarded, msgid: <...>

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Easy question for this crowd
No, and No. Apparently you missed my original post (5/30 11:57AM) on this topic where I asked if my RE would do exactly that.

I've supported a dozen Mailman listservers for over a dozen years. This doesn't represent much real effort most of the time. I've had to block specific users often and specific domains rarely, but this is the first time I've had to block an entire TLD.

Recently I've been gifted with an inordinate amount of UCE from many different domains under the '.icu' TLD.

Since Python RE's are _almost_ the same as the UNIX RE's I used many years ago, if I put

^@.*\.icu$

in discard_these_nonmembers, will it block all domains in that TLD?

And not block anyone else?

Thanks to Mark's help crafting the proper RE, I haven't had an '.icu' UCE in over 15 hours (knock wood). For a more general solution for all of my lists, I'm looking into his suggestion of using a Spam Filter that triggers on the SpamAssassin score header inserted by my ISP.

Thanks, Mark, for your patience and help.

-Chip-

On 6/1/2019 3:42 PM, Phil Stracchino wrote:
> On 6/1/19 1:44 PM, Chip Davis wrote:
>> I guess my question wasn't so "easy" after all ... :-(
>>
>> What was a daily trickle is now a flood of UCE from different domains
>> in the .icu TLD. I hope someone can suggest some sort of prophylaxis
>> that I haven't tried.
>
> Do you get any actual, legitimate mail from .icu? Do you have any real
> subscribers from .icu? If not, I'd consider just blocking the entire TLD.
>
> I've blocked several of the new shit TLDs from which I was receiving
> nothing but spam, and it's enormously reduced my volume of spam.
Re: [Mailman-Users] Easy question for this crowd
On 6/1/19 1:44 PM, Chip Davis wrote:
> I guess my question wasn't so "easy" after all ... :-(
>
> What was a daily trickle is now a flood of UCE from different domains
> in the .icu TLD. I hope someone can suggest some sort of prophylaxis
> that I haven't tried.

Do you get any actual, legitimate mail from .icu? Do you have any real subscribers from .icu? If not, I'd consider just blocking the entire TLD.

I've blocked several of the new shit TLDs from which I was receiving nothing but spam, and it's enormously reduced my volume of spam.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
Re: [Mailman-Users] Easy question for this crowd
On 6/1/19 10:44 AM, Chip Davis wrote:
>
> Is it possible that 'general_nonmember_action = Hold' is overriding my
> Spam Filter Rule? I still need to intercept legitimate subscribers who
> attempt to post under a different address, depending on which device
> they happen to be using. :-/

You need to adjust the regexp. It isn't matching because of the '>' at the end of the address in From: Try

^from: .*@.*\.icu[>\s]

> Is there any way to tell Mailman to honor my ISP's SpamAssassin score?

You can use header filter regexps like

^X-Spam-Status: Yes

or

^X-Spam-Bar: \+{6,}

where the 6 above is the minimum number of '+' characters to match.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Easy question for this crowd
I guess my question wasn't so "easy" after all ... :-(

What was a daily trickle is now a flood of UCE from different domains in the .icu TLD. I hope someone can suggest some sort of prophylaxis that I haven't tried.

Is it possible that 'general_nonmember_action = Hold' is overriding my Spam Filter Rule? I still need to intercept legitimate subscribers who attempt to post under a different address, depending on which device they happen to be using. :-/

Is there any way to tell Mailman to honor my ISP's SpamAssassin score?

The headers of a UCE that got through and was Held for Approval may be seen at http://www.aresti.com/UCEheaders/

===
dmarc_moderation_action = Munge From
dmarc_quarantine_moderation_action = Yes
dmarc_none_moderation_action = No
-
accept_these_nonmembers = [list of specific userids]
hold_these_nonmembers = []
reject_these_nonmembers = []
discard_these_nonmembers = []
generic_nonmember_action = Hold
forward_auto_discards = Yes
-
header_filter_rules =
Spam Filter Rule 1: ^from: .*@.*\.icu\s
Action = Discard
===

Any help will be greatly appreciated.

-Chip-
Re: [Mailman-Users] Easy question for this crowd
Thanks, Mark. I hadn't thought of the "from:" being embedded in the Subject: header. And your RE correction makes perfect sense once I see it. ;-)

I'm pretty sure I don't have access to 'mm.config.[anything]' so I assume it's the default value. Odds are, it was my imperfect RE that was keeping it from tripping.

Thanks All,

-Chip-

On 5/31/2019 10:11 AM, Mark Sapiro wrote:
> On 5/30/19 9:20 PM, Chip Davis wrote:
>> About 12 hours after I put that RE in place, I got another one from a
>> different domain in '.icu'. It was held for moderation, not
>> automatically discarded.
>>
>> I have:
>> 8 email addresses in accept_these_nonmembers
>> 0 email addresses in hold_these_nonmembers
>> 0 email addresses in reject_these_nonmembers
>> ^@.*\.icu$ in discard_these_nonmembers
>> 'Hold' for generic_nonmember_action
>> 'Yes' for forward_auto_discards
>> but it seemed to make no difference; the UCE was still held for moderation.
>
> The *_these_nonmembers checks only check one address which is what
> Mailman considers the sender of the message. What address this is
> depends on a config setting. The doc says:
>
>> This can return either the From: header, the Sender: header or the
>> envelope header (a.k.a. the unixfrom header). The first non-empty
>> header value found is returned. However the search order is
>> determined by the following:
>>
>> - If mm_cfg.USE_ENVELOPE_SENDER is true, then the search order is
>> Sender:, From:, unixfrom
>>
>> - Otherwise, the search order is From:, Sender:, unixfrom
>
> So in your case, it may not be checking the From:
>
>> I'm going to try putting "from: .*@.*\.icu" in header_filter_rules and
>> see if that makes any difference.
>
> It probably should be "^from: .*@.*\.icu\s" to avoid matching something like
>
> Subject: mail from: u...@server.icu not discarded
>
> or
>
> From: u...@sub.icure.com
Re: [Mailman-Users] Easy question for this crowd
On 5/30/19 9:20 PM, Chip Davis wrote:
>
> About 12 hours after I put that RE in place, I got another one from a
> different domain in '.icu'. It was held for moderation, not
> automatically discarded.
>
> I have:
> 8 email addresses in accept_these_nonmembers
> 0 email addresses in hold_these_nonmembers
> 0 email addresses in reject_these_nonmembers
> ^@.*\.icu$ in discard_these_nonmembers
> 'Hold' for generic_nonmember_action
> 'Yes' for forward_auto_discards
> but it seemed to make no difference; the UCE was still held for moderation.

The *_these_nonmembers checks only check one address which is what Mailman considers the sender of the message. What address this is depends on a config setting. The doc says:

> This can return either the From: header, the Sender: header or the
> envelope header (a.k.a. the unixfrom header). The first non-empty
> header value found is returned. However the search order is
> determined by the following:
>
> - If mm_cfg.USE_ENVELOPE_SENDER is true, then the search order is
> Sender:, From:, unixfrom
>
> - Otherwise, the search order is From:, Sender:, unixfrom

So in your case, it may not be checking the From:

> I'm going to try putting "from: .*@.*\.icu" in header_filter_rules and
> see if that makes any difference.

It probably should be "^from: .*@.*\.icu\s" to avoid matching something like

Subject: mail from: u...@server.icu not discarded

or

From: u...@sub.icure.com

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
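Added example (not part of any poster's message and not Mailman's own code): the three From: rules tried in this thread, run against constructed header blocks to show which ones miss the spam and which ones hit innocent mail. It assumes the filter does a case-insensitive, multi-line search over the raw headers; the sample addresses and the helper names rule_hits and evaluate are made up for illustration.

```python
import re

# The three From: rules that appear in the thread, in the order they were tried.
RULES = {
    "unanchored": r"from: .*@.*\.icu",
    "trailing_space": r"^from: .*@.*\.icu\s",
    "final": r"^from: .*@.*\.icu[>\s]",
}

# Constructed header blocks; addresses are placeholders, not taken from real mail.
SAMPLES = {
    "icu_angle_brackets": "From: Big Deals <user@server.icu>\nSubject: offer\n",
    "icu_bare_address": "From: user@server.icu\nSubject: offer\n",
    "icu_in_subject_only": "From: member@example.org\n"
                           "Subject: mail from: user@server.icu not discarded\n",
    "icure_dot_com": "From: user@sub.icure.com\nSubject: hello\n",
}

# Which samples a correct ".icu sender" rule should hit.
SHOULD_MATCH = {"icu_angle_brackets", "icu_bare_address"}


def rule_hits(pattern, headers):
    """Assumed matching mode: case-insensitive, '^' anchors at each header line."""
    return re.search(pattern, headers, re.IGNORECASE | re.MULTILINE) is not None


def evaluate(rules=RULES, samples=SAMPLES):
    """Return {rule: {"missed": [...], "false_positive": [...]}}."""
    report = {}
    for name, pattern in rules.items():
        hits = {s for s, hdrs in samples.items() if rule_hits(pattern, hdrs)}
        report[name] = {
            "missed": sorted(SHOULD_MATCH - hits),
            "false_positive": sorted(hits - SHOULD_MATCH),
        }
    return report


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:15} missed={result['missed']} "
              f"false_positive={result['false_positive']}")
```

The same harness can be pointed at headers copied from a held message before a new rule is set to Discard.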
Re: [Mailman-Users] Easy question for this crowd
Well, it was worth a try. :-/

About 12 hours after I put that RE in place, I got another one from a different domain in '.icu'. It was held for moderation, not automatically discarded.

I have:
8 email addresses in accept_these_nonmembers
0 email addresses in hold_these_nonmembers
0 email addresses in reject_these_nonmembers
^@.*\.icu$ in discard_these_nonmembers
'Hold' for generic_nonmember_action
'Yes' for forward_auto_discards
but it seemed to make no difference; the UCE was still held for moderation.

I'm going to try putting "from: .*@.*\.icu" in header_filter_rules and see if that makes any difference.

Any other ideas?

-Chip-

On 5/30/2019 7:03 PM, Robert Heller wrote:
> At Thu, 30 May 2019 11:57:44 -0400 Chip Davis wrote:
>> I've supported a dozen Mailman listservers for over a dozen years.
>> This doesn't represent much real effort most of the time. I've had to
>> block specific users often and specific domains rarely, but this is
>> the first time I've had to block an entire TLD.
>>
>> Recently I've been gifted with an inordinate amount of UCE from many
>> different domains under the '.icu' TLD.
>>
>> Since Python RE's are _almost_ the same as the UNIX RE's I used many
>> years ago, if I put
>>
>> ^@.*\.icu$
>>
>> in discard_these_nonmembers, will it block all domains in that TLD?
>
> Yes.
>
>> And not block anyone else?
>
> Yes. I've done this, and then I took things a step further:
>
> What *I* have done (because I can), is configure rejection of both
> domains AND cidrs at the Postfix level, putting REJECT's in both
> /etc/postfix/access and /etc/postfix/cidr.clients. (I use *REJECT* for
> a reason: I figure if these idiots are going to make trouble for me,
> I'll make trouble for them -- eg now they will get reject messages.
> Also when the addresses are from legit mail servers, the admins there
> will get a wake up call and presumably do something -- I have
> discovered that there is really little point in sending anything to
> the [so-called] 'abuse' addresses.)
>
> I've also configured mimedefang and spamassassin to *reject* spam at
> the Postfix as well. Very little gets through now.
>
>> Thanks,
>>
>> -Chip Davis-
>>
>> Mailman 2.1.27
>> shared host
>> linux 2.6.32-696.18.7.el6.x86_64
>> cPanel 80.0.10
Re: [Mailman-Users] Easy question for this crowd
At Thu, 30 May 2019 11:57:44 -0400 Chip Davis wrote:
>
> I've supported a dozen Mailman listservers for over a dozen years.
> This doesn't represent much real effort most of the time. I've had to
> block specific users often and specific domains rarely, but this is
> the first time I've had to block an entire TLD.
>
> Recently I've been gifted with an inordinate amount of UCE from many
> different domains under the '.icu' TLD.
>
> Since Python RE's are _almost_ the same as the UNIX RE's I used many
> years ago, if I put
>
> ^@.*\.icu$
>
> in discard_these_nonmembers, will it block all domains in that TLD?

Yes.

>
> And not block anyone else?

Yes. I've done this, and then I took things a step further:

What *I* have done (because I can), is configure rejection of both domains AND cidrs at the Postfix level, putting REJECT's in both /etc/postfix/access and /etc/postfix/cidr.clients. (I use *REJECT* for a reason: I figure if these idiots are going to make trouble for me, I'll make trouble for them -- eg now they will get reject messages. Also when the addresses are from legit mail servers, the admins there will get a wake up call and presumably do something -- I have discovered that there is really little point in sending anything to the [so-called] 'abuse' addresses.)

I've also configured mimedefang and spamassassin to *reject* spam at the Postfix as well. Very little gets through now.

>
> Thanks,
>
> -Chip Davis-
>
> Mailman 2.1.27
> shared host
> linux 2.6.32-696.18.7.el6.x86_64
> cPanel 80.0.10

--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
hel...@deepsoft.com -- Webhosting Services