Score on sender domain by country

2011-04-10 Thread Ramprasad
Hi,

One of our clients has a purely local business and wants any mail coming
from a foreign domain to be given a score for spam.

I would like to reduce the spam threshold, and then give a negative
score for every mail with a sender domain in India.

Is there a possibility of identifying the country where a domain is
registered? Identifying by TLD seems incorrect.


Thanks
Ram
Re: increase score according message size

2011-04-10 Thread John Hardin

On Mon, 11 Apr 2011, David Touzeau wrote:

>> It's possible your MTA inserts a Content-Length: header before SA sees the
>> message. If so, then checking it is fairly trivial. Try to determine
>> whether your MTA does this.
>>
>> If not, SA does not currently (that I can find) expose the raw size of the
>> message to rules. Having it generate an X-Content-Length: pseudoheader
>> probably wouldn't be too difficult.
>>
>> For now, trivially, you can do something like this:
>>
>>    header  __HDR_BYTES  ALL =~ /./
>>    tflags  __HDR_BYTES  multiple
>>    rawbody __BODY_BYTES /./
>>    tflags  __BODY_BYTES multiple
>>    meta    SZ_GT_200K   (__HDR_BYTES + __BODY_BYTES) > 20
>>
>> ...but that will probably do Bad Things to your performance.
>
> Many thanks !!!
>
> I will do tests in this way !


I _strongly_ suggest you see whether your MTA can be configured to add a 
Content-Length: header before trying those rules.


Also, they were off the top of my head, and untested.

Best of luck. :)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Public Education: the bureaucratic process of replacing
  an empty mind with a closed one.  -- Thorax
---
 3 days until Thomas Jefferson's 268th Birthday
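An added example, not code from the thread or from SpamAssassin: the per-character counting rules above approximate the message size by counting regex hits, which is what makes them expensive. The same decision can be made once, in the client that feeds spamc, by measuring the header block and body directly and preferring an MTA-supplied Content-Length: header when one is present. The 200000-byte threshold and the 500000-byte limit are parameters here; 500000 is spamc's default maximum message size (its -s option), above which spamd never sees the message at all, so such messages are flagged as not scannable rather than silently passed.

```python
# Added example (not from the thread): pre-flight size check done once in
# Python instead of per-character regex counting inside SpamAssassin.
import re
from email.parser import BytesHeaderParser


def split_sizes(raw: bytes) -> dict:
    """Byte counts of the header block (up to and including the blank
    separator line) and of the body, accepting CRLF or LF line endings."""
    found = [(raw.find(sep), sep) for sep in (b"\r\n\r\n", b"\n\n")]
    found = [(i, sep) for i, sep in found if i != -1]
    if found:
        idx, sep = min(found)            # earliest blank line wins
        header_bytes = idx + len(sep)
    else:                                # no blank line: headers only
        header_bytes = len(raw)
    return {"header_bytes": header_bytes,
            "body_bytes": len(raw) - header_bytes,
            "total_bytes": len(raw)}


def declared_length(raw: bytes):
    """Value of an MTA-supplied Content-Length: header, or None when it is
    absent or not a non-negative integer. The header is advisory and can be
    forged by the sender, so it is validated before use."""
    msg = BytesHeaderParser().parsebytes(raw)
    value = msg.get("Content-Length")
    if value is None or not re.fullmatch(r"\s*\d+\s*", value):
        return None
    return int(value)


def size_verdict(raw: bytes, threshold: int = 200_000,
                 limit: int = 500_000) -> dict:
    """threshold: size above which an SZ_GT_200K-style rule would fire.
    limit: spamc's maximum message size (500000 is spamc's default -s value);
    anything larger is never handed to spamd, so it is reported separately."""
    sizes = split_sizes(raw)
    declared = declared_length(raw)
    if declared is not None:
        measured, source = declared, "content-length header"
    else:
        measured, source = sizes["total_bytes"], "counted"
    return {**sizes,
            "source": source,
            "measured_bytes": measured,
            "size_hit": measured > threshold,
            "scannable": sizes["total_bytes"] <= limit}


if __name__ == "__main__":
    # Constructed sample message for the demonstration.
    sample = b"From: a@example.com\r\nSubject: test\r\n\r\nhello\r\n"
    print(size_verdict(sample))
```

When the MTA does add Content-Length:, the SpamAssassin side reduces to a single header rule on that value; when it does not, this pre-check gives the same answer without the `tflags multiple` counting.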


Re: increase score according message size

2011-04-10 Thread David Touzeau
On Saturday 09 April 2011 at 15:04 -0700, John Hardin wrote:
> On Sat, 9 Apr 2011, David Touzeau wrote:
> 
> > On Saturday 09 April 2011 at 08:59 -0700, John Hardin wrote:
> >> On Sat, 9 Apr 2011, Benny Pedersen wrote:
> >>
> > This to manage a quarantine area.
> > Rejecting the message causes troubles according to VIPs that need to
> > receive some attached files.
> >
> > So I would like to know if there is a way or someone trying to set
> > SpamAssassin to increase score against message size.
> 
> Including or excluding headers? Including or excluding attachments?
> 
> Bear in mind that spamc enforces a maximum message size limit, spamd won't 
> even _see_ messages larger than that size. Are you going to crank that 
> size limit up?
> 
> Do you really want to spend the resources scanning messages larger than 
> that limit?
> 
> It's possible your MTA inserts a Content-Length: header before SA sees the 
> message. If so, then checking it is fairly trivial. Try to determine 
> whether your MTA does this.
> 
> If not, SA does not currently (that I can find) expose the raw size of the 
> message to rules. Having it generate an X-Content-Length: pseudoheader 
> probably wouldn't be too difficult.
> 
> For now, trivially, you can do something like this:
> 
>    header  __HDR_BYTES  ALL =~ /./
>    tflags  __HDR_BYTES  multiple
>    rawbody __BODY_BYTES /./
>    tflags  __BODY_BYTES multiple
>    meta    SZ_GT_200K   (__HDR_BYTES + __BODY_BYTES) > 20
> 
> ...but that will probably do Bad Things to your performance.
> 
> 
> -- 
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>People seem to have this obsession with objects and tools as being
>dangerous in and of themselves, as though a weapon will act of its
>own accord to cause harm. A weapon is just a force multiplier. It's
>*humans* that are (or are not) dangerous.
> ---
>   4 days until Thomas Jefferson's 268th Birthday


Many thanks !!!

I will do tests in this way !
Re: RCVD_IN_SORBS_DUL on my own emails to self

2011-04-10 Thread John Hardin

On Sun, 10 Apr 2011, Jonathan Nichols wrote:

> Back on topic... is there a way to lower the score for a particular
> ruleset for certain hosts/clients?


I assume you don't want to just use whitelist_from_rcvd for this?

An alternative would be to write a header rule that checks the last 
external hop for the target hosts/clients (by name or, more reliably if 
not dynamic, by IP address), and score it a few points negative. If you 
want to be more specific, write metas that join the "specific host/client" 
rule and the other particular rules you want to offset, and score the 
metas instead.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising. -- fwadling on Y! SCOX
---
 3 days until Thomas Jefferson's 268th Birthday
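An added example, not code from the thread or from SpamAssassin, modelling the two approaches John Hardin describes: find the last external hop from the Received: headers (skipping hops inside your own trusted networks, as SpamAssassin's trusted_networks setting does), apply a flat negative score when that hop is a known host or client, or, the meta variant, subtract only from the particular rules you want to offset and only when the host rule matched. The sample message, the trusted network and the offsets are constructed for the example and use documentation/private address ranges; only bracketed IPv4 addresses are recognised.

```python
# Added example (not from the thread): per-host offset on the last external hop.
import ipaddress
import re
from email.parser import BytesHeaderParser

# Received: lines carry the connecting address in square brackets (IPv4 only here).
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def last_external_hop(raw: bytes, trusted_networks):
    """Walk Received: headers top-down (most recent hop first), skip hops from
    trusted networks, and return the first address outside them, i.e. the
    last external relay. Returns None when no usable address is found."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    msg = BytesHeaderParser().parsebytes(raw)
    for received in msg.get_all("Received") or []:
        m = IP_IN_BRACKETS.search(received)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:            # e.g. 999.1.1.1 matched the regex
            continue
        if any(ip in net for net in trusted):
            continue
        return ip
    return None


def host_offset(raw: bytes, trusted_networks, offsets) -> float:
    """The 'specific host/client' header rule: offsets maps a network (string)
    to the negative score applied when the last external hop is inside it."""
    ip = last_external_hop(raw, trusted_networks)
    if ip is None:
        return 0.0
    for net, score in offsets.items():
        if ip in ipaddress.ip_network(net):
            return score
    return 0.0


def offset_score(score: float, hits, host_matched: bool, per_rule_offsets) -> float:
    """The meta variant: reduce only the listed rules, and only when the
    host rule fired. hits is the set of rule names that fired on the message."""
    if not host_matched:
        return score
    return score + sum(v for rule, v in per_rule_offsets.items() if rule in hits)


# Constructed sample: internal relay 10.0.0.5 in front, client 203.0.113.7
# behind it, and a private-address hop the client itself recorded further back.
SAMPLE = (
    b"Received: from mx1.example.org (mx1.example.org [10.0.0.5])\r\n"
    b"\tby inbox.example.org with ESMTP; Sun, 10 Apr 2011 12:00:00 -0700\r\n"
    b"Received: from client.example.net (client.example.net [203.0.113.7])\r\n"
    b"\tby mx1.example.org with ESMTPA; Sun, 10 Apr 2011 11:59:58 -0700\r\n"
    b"Received: from [192.168.1.20] by client.example.net; Sun, 10 Apr 2011 11:59:50 -0700\r\n"
    b"From: user@example.net\r\n"
    b"\r\n"
    b"body\r\n"
)
TRUSTED = ["10.0.0.0/8"]
OFFSETS = {"203.0.113.0/24": -3.0}

if __name__ == "__main__":
    print(last_external_hop(SAMPLE, TRUSTED))      # 203.0.113.7
    print(host_offset(SAMPLE, TRUSTED, OFFSETS))   # -3.0
```

Matching on the address rather than the host name matters for the reason given above: the name in a Received: line is whatever the connecting side announced, while the bracketed address is what your own relay observed.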


Re: Retrieve specific word, phrases or sentences from mail body and subject

2011-04-10 Thread John Hardin

On Sun, 10 Apr 2011, rokdominko wrote:

> The problem is, we want to tell our client exactly which words, phrases
> or sentences are problematic, so we need SpamAssassin to return the list
> of these words, phrases or sentences, so that we can tell our client
> what exactly is wrong with their message.
>
> We have written a PHP script, which connects to the spamd process on our server
> (on port 783) and it checks the message with no problems and if it's spam it
> doesn't allow sending it.


That level of detail isn't available via spamd. You'd have to run 
spamassassin in debug mode with rules tracing and then parse the results.


Take a look at the output from:

   spamassassin -t --debug area=rules < your_message_file

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising. -- fwadling on Y! SCOX
---
 3 days until Thomas Jefferson's 268th Birthday
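An added example, not code from the thread or from SpamAssassin, of the parsing step the reply leaves to the reader: the rules trace that `spamassassin -t --debug area=rules` writes to stderr is grouped by rule name so the sending application can show which text triggered each rule. The line shape assumed here, `dbg: rules: ran <type> rule <NAME> ======> got hit: "<text>"`, is the one SpamAssassin 3.3 prints; the sample lines and the LOCAL_DEMO_* rule names are constructed for the example.

```python
# Added example (not from the thread): group "got hit" debug lines by rule.
import re
from collections import defaultdict

HIT_LINE = re.compile(
    r'dbg: rules: ran (?P<type>\S+) rule (?P<rule>\S+) ======> got hit: "(?P<match>.*)"\s*$'
)


def hits_by_rule(debug_output: str, include_subrules: bool = False) -> dict:
    """Map rule name -> list of matched text, in the order matches appeared.
    Rules starting with '__' are building blocks for meta rules and carry no
    score of their own, so they are dropped unless include_subrules is set."""
    hits = defaultdict(list)
    for line in debug_output.splitlines():
        m = HIT_LINE.search(line)
        if not m:
            continue
        rule = m.group("rule")
        if rule.startswith("__") and not include_subrules:
            continue
        hits[rule].append(m.group("match"))
    return dict(hits)


def explain(debug_output: str, scored_rules) -> dict:
    """Restrict the listing to the rules named in the spamd REPORT, which the
    client already receives, giving one matched-snippet list per reported rule
    (empty when the rule fired without a text match, e.g. a DNS or meta rule)."""
    hits = hits_by_rule(debug_output)
    return {rule: hits.get(rule, []) for rule in scored_rules}


# Constructed sample of what the --debug area=rules trace looks like.
SAMPLE_DEBUG = """\
Apr 10 10:00:01.001 [4242] dbg: rules: running body-text per-line regexp tests; score so far=0
Apr 10 10:00:01.002 [4242] dbg: rules: ran body rule LOCAL_DEMO_PILLS ======> got hit: "cheap pills"
Apr 10 10:00:01.003 [4242] dbg: rules: ran header rule __LOCAL_DEMO_SUBJ ======> got hit: "Subject: Buy now"
Apr 10 10:00:01.004 [4242] dbg: rules: ran body rule LOCAL_DEMO_SHOUT ======> got hit: "ACT NOW"
Apr 10 10:00:01.005 [4242] dbg: rules: ran body rule LOCAL_DEMO_PILLS ======> got hit: "miracle cure"
Apr 10 10:00:01.006 [4242] dbg: rules: running raw-body-text per-line regexp tests; score so far=3.2
"""

if __name__ == "__main__":
    print(hits_by_rule(SAMPLE_DEBUG))
    print(explain(SAMPLE_DEBUG, ["LOCAL_DEMO_SHOUT", "LOCAL_DEMO_OTHER"]))
```

Run the spamassassin command as a subprocess with the message on stdin and feed its stderr to `hits_by_rule`; since this spawns a full spamassassin process per message rather than a spamd connection, reserve it for the explain-to-the-client step after the cheaper spamd REPORT check has already failed the message.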


Re: RCVD_IN_SORBS_DUL on my own emails to self

2011-04-10 Thread Jonathan Nichols

On Apr 9, 2011, at 5:59 PM, Michelle Konzack wrote:

> Hello rstarkov,
> 
> Am 2011-04-09 15:50:36, hacktest Du folgendes herunter:
>> Does your header definitely include an ESMTP marker as per the RFC? Mine
>> didn't; that was the real issue. We didn't find a bug in this rule. So I
>> guess SpamAssassin doesn't have a way to find out that you were
>> authenticated and that it was your own message.
> 
> Yes, look into my previous message...
> 
> However, I find SORBS too error-prone and not very reliable!
> 
> Thanks, Greetings and nice Day/Evening
>Michelle Konzack
> 

Sadly, I have to agree and have been dealing with that for a while. In fact, I 
wonder if this message will ever make it to the list or if apache.org will 
bounce it because of SORBS.. :/

Back on topic... is there a way to lower the score for a particular ruleset for 
certain hosts/clients?



Retrieve specific word, phrases or sentences from mail body and subject

2011-04-10 Thread rokdominko

Hi!

I hope someone can help me with this issue. At our company we are building a
mass mailing application. We have taken every measure to ensure that our
clients aren't sending spam to their clients, but one section of our
application still has potential of sending spam, which we do not want. This
is the message subject and body. We have been using SpamAssassin on our
servers for some time now, so we thought we would simply send the message
through it before sending, to check if it validates as spam or not. If it
validates as spam, then we do not allow it to be sent. The problem is, we
want to tell our client exactly which words, phrases or sentences are
problematic, so we need SpamAssassin to return the list of these words,
phrases or sentences, so that we can tell our client what exactly is wrong
with their message.

We have written a PHP script, which connects to the spamd process on our server
(on port 783) and it checks the message with no problems and if it's spam it
doesn't allow sending it. We use the command 'REPORT' to ask the process to
evaluate the message. With this configuration we get a nice report returned
from the spamd process, but in that report we get a list of broken rules, not
the exact words, phrases or sentences, which we would need.

So, we would need to get the problematic words, phrases or sentences from
spamd. If it's not possible, maybe someone can help us find an alternative.
Hope someone can help us!

Our specifications: SpamAssassin version 3.3.1, running on Perl version
5.10.1, running on Ubuntu server version 10.04.1 with Linux kernel
2.6.32-26-generic-pae.

Have a nice day,

Rok 



Re: multiple from entries

2011-04-10 Thread David F. Skoll
On Sun, 10 Apr 2011 08:30:46 -0400
Michael Scheidell  wrote:

> header __MANY_SENDER sender =~ /@.*@/

Trying to match email addresses with regexes is dangerous.  The string:

   "funny@last"@roaringpenguin.com

is a valid email address.  Check the RFCs if you don't believe me.

(That being said, such an address is unlikely to be seen in the wild and
very likely to break a lot of SMTP software, so you're probably safe.)

Regards,

David.


Re: RCVD_IN_SORBS_DUL on my own emails to self

2011-04-10 Thread Nigel Frankcom
On Sun, 10 Apr 2011 00:59:29 +0200, Michelle Konzack
 wrote:

>Hello rstarkov,
>
>Am 2011-04-09 15:50:36, hacktest Du folgendes herunter:
>> Does your header definitely include an ESMTP marker as per the RFC? Mine
>> didn't; that was the real issue. We didn't find a bug in this rule. So I
>> guess SpamAssassin doesn't have a way to find out that you were
>> authenticated and that it was your own message.
>
>Yes, look into my previous message...
>
>However, I find SORBS too error-prone and not very reliable!
>
>Thanks, Greetings and nice Day/Evening
>Michelle Konzack

I'd agree that one in spades. I'm still getting stuff bounce from
cached entries months after I cleared the last SORBS issue. That was
the 3rd time I've had to do so and I've been on static from the get go
(15 years +).

My ISP didn't help overly. BT decided that all issues relating to
rbl's are abuse issues and should be dealt with by that department; it
might have helped if they told said department and actually trained
the poor sods. 

Saying that, no amount of training helps with SORBS. IMVHO SORBS gives
rbl's an undeserved bad name. Additionally, BT's approach of 'we are
big ergo you do what we say' doesn't add much in the way of help
either.

After many years I'm moving off BT, though that is because of their
billing and the incompetence there makes their rbl handling look like
it's 6 sigma.

I've defended BT for years, seems I was naive.

Expect to see me in SORBS soon :-D

Nigel


Re: RCVD_IN_SORBS_DUL on my own emails to self

2011-04-10 Thread Michelle Konzack
Hello Matus UHLAR - fantomas,

Am 2011-04-10 15:00:53, hacktest Du folgendes herunter:
> SA never rejects messages. Your problem must lie elsewhere...

The problem is, it scores too high FOR ME!  I have checked others and it
is working correctly, but if I send from my IP at   it is OK,
not from an IP of e.g. <89.204.137.232>...

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL          itsystems@tdnet UG (limited liability)
Owner Michelle Konzack               Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                    Kinzigstraße 17
67100 Strasbourg/France              77694 Kehl/Germany
Tel: +33-6-61925193 mobil            Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix


Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/




Re: RCVD_IN_SORBS_DUL on my own emails to self

2011-04-10 Thread Matus UHLAR - fantomas
> Am 2011-04-05 03:29:44, hacktest Du folgendes herunter:
> > I'm not sure I understand this bit. From what I see on
> > http://en.wikipedia.org/wiki/Smart_host, I already use a "smart host", in
> > that the SMTP server specified in my mail client is not an open relay. Or is
> > there more to this?

On 10.04.11 00:44, Michelle Konzack wrote:
> I have the same problem!  If I activate the SORBS DUL, I  can  not  even
> send over my own SMTP-Relay  (even authenticated).

activate where?

> It seems there is a bug in this SA rule...  because from the header I
> see that I was authenticated and SA sees this too, so why does it reject
> MY OWN MESSAGE?

SA never rejects messages. Your problem must lie elsewhere...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes. 


Re: multiple from entries

2011-04-10 Thread Michael Scheidell

On 4/9/11 10:51 AM, David F. Skoll wrote:

> So you could (I suppose) legitimately reject a message with multiple From:
> addresses that lacks a conforming Sender: header.


__L_HAS_SNDR looks for sender(s).  BUT we need a 'one sender' rule


so, a meta rule like:
meta __MANY_FROM && ! __ONE_SENDER

should do it.

sender can't have FULLNAME, only email, and can't have multiple emails.

header __MANY_SENDER sender =~ /@.*@/

meta __ONE_SENDER __L_HAS_SNDR && ! __MANY_SENDER

header __MANY_FROM From:addr =~ /@.*@/


but, I can't get many 'from' to trigger: with that, but this does work.

header __MANY_FROM From =~ /(?:\@[^@]{5,30}){3}/

that (from your MANY_RECIPS). Anyone want to pare it down to make it 
less expensive?


suggest put in sandbox for a while? but, no reason it should not trigger 
a score of 3 or more.



(pastebin available upon request, but:

From: ,
,
,
,
> Regards,
>
> David.



--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

   * Best Intrusion Prevention Product, Networks Product Guide
   * Certified SNORT Integrator
   * Hot Company Award, World Executive Alliance
   * Best in Email Security, 2010 Network Products Guide
   * King of Spam Filters, SC Magazine

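An added example, not code from either message above, covering David F. Skoll's point that `/@.*@/` is a poor test for multiple addresses and Michael Scheidell's attempts at __MANY_SENDER / __MANY_FROM rules: the naive regex fires on a single address with a quoted local part such as `"funny@last"@roaringpenguin.com`, whereas counting top-level addresses with a small scanner that honours quoted strings, comments and angle brackets (the way RFC 5322 tokenizes these fields) gives the number the rule actually wants. The test strings are constructed for the example.

```python
# Added example (not from the thread): naive regex vs. quote-aware address count.
import re

NAIVE_MANY = re.compile(r"@.*@")   # the __MANY_SENDER / __MANY_FROM idea


def naive_many(value: str) -> bool:
    """True whenever two '@' appear anywhere in the header value, including
    both inside one quoted local part."""
    return NAIVE_MANY.search(value) is not None


def count_addresses(value: str) -> int:
    """Count top-level addresses in a From:/Sender:-style header value.
    Commas inside quoted strings, (comments) and <angle brackets> are not
    separators; backslash escapes inside quotes and comments are honoured."""
    count = 0
    in_quote = False
    comment_depth = 0
    in_angle = False
    seen_text = False           # something non-blank since the last comma
    i = 0
    while i < len(value):
        c = value[i]
        if in_quote:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_quote = False
        elif comment_depth:
            if c == "\\":
                i += 1
            elif c == "(":
                comment_depth += 1
            elif c == ")":
                comment_depth -= 1
        elif c == '"':
            in_quote = True
            seen_text = True
        elif c == "(":
            comment_depth += 1
        elif c == "<":
            in_angle = True
            seen_text = True
        elif c == ">":
            in_angle = False
        elif c == "," and not in_angle:
            if seen_text:
                count += 1
            seen_text = False
        elif not c.isspace():
            seen_text = True
        i += 1
    return count + (1 if seen_text else 0)


def many_addresses(value: str) -> bool:
    """What the __MANY_* rules are trying to express."""
    return count_addresses(value) > 1


if __name__ == "__main__":
    for sample in ('"funny@last"@roaringpenguin.com',
                   'a@example.com, b@example.com',
                   '"Doe, John" <john@example.com>'):
        print(sample, naive_many(sample), count_addresses(sample))
```

The scanner is deliberately a counter, not a validator: it does not decide whether each address is well-formed, only how many there are, which is all the multiple-From check needs and is why it stays cheap compared with a full address parser.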