Re: dns: bad dns reply: Connection refused

2014-10-20 Thread Mark Martinec

2014-10-20 20:11, Reindl Harald wrote:

[...]

sorry, no, but what i face repeatly are messages like below
in fact only if the machine has more than 1 dns in resolv.conf
configure it to just use 127.0.0.1 and that won't happen

Oct 19 09:04:42 caladan spamd[20546]: dns: no callback for id
40563/IN/A/uwc.org.dbl.spamhaus.org, ignored; packet: ;; Answer
received from 10.0.0.6 (53 bytes)
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; HEADER SECTION
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; id = 40563
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; qr = 1 aa = 0 tc =
0 rd = 1 opcode = QUERY
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; ra = 1 z = 0 ad =
0 cd = 0 rcode = SERVFAIL
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; qdcount = 1
ancount = 0 nscount = 0 arcount = 1
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; do = 0
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; EDNS version 0
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; flags: 
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; rcode: NOERROR
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; size: 1024
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; option:
Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; QUESTION SECTION (1 
record)

Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;;
uwc.org.dbl.spamhaus.org. IN A
Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; ANSWER SECTION (0 
records)

Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; AUTHORITY SECTION
(0 records)
Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; ADDITIONAL SECTION
(1 record)
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; EDNS version 0
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; flags: 
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; rcode: NOERROR
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; size: 1024
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; option:
Oct 19 09:04:42 caladan spamd[20546]: dns: no likely matching queries
for id 40563


This happens when a DNS response comes late and ALARM signal
interrupts its decoding. They call it a 'design feature',
I call it bug:

  https://rt.cpan.org/Ticket/Display.html?id=83451

Mark


Re: getting tons of SPAM

2014-10-20 Thread motty cruz
Hello Benny,
I tried to find a legitimate way to reject or drop spam email. I was
getting tons of very spammy emails with very low scores. I take your
advice and suggestions very seriously. I joined this forum because I want to
listen to experts.

Going through the configuration files I realized I had missed configuring
something; for the last 3 hours I have been monitoring my spam filter
discarding a lot of spam.

Thanks all for your help!
Motty



On Mon, Oct 20, 2014 at 2:08 PM, Benny Pedersen wrote:

> On October 20, 2014 4:51:35 PM Axb wrote:
>
>> use Postfix access tables (hash/pcre/regex)
>
> If he rejects he will not listen to what he asks for, pointless



-- 
Thanks for your support,
Motty


Re: getting tons of SPAM

2014-10-20 Thread Benny Pedersen

On October 20, 2014 4:51:35 PM Axb wrote:

> use Postfix access tables (hash/pcre/regex)

If he rejects he will not listen to what he asks for, pointless


Re: getting tons of SPAM

2014-10-20 Thread Benny Pedersen

On October 20, 2014 4:48:51 PM motty cruz wrote:

> here are the RBLs I am using:
>  reject_rbl_client b.barracudacentral.org,
>  reject_rbl_client zen.spamhaus.org,
>  reject_rbl_client bl.spamcop.net
>
> is there a way to block *.eu and *.link ?

Would you listen to my advice if you block .eu?

Well, feel free to block; google "bind9 rpz zone" if you like that route


Re: Slightly OT- nolisting

2014-10-20 Thread Dave Warren

On 2014-10-20 05:18, Robert Moskowitz wrote:
> Since this is about mail and spam, I thought this might be a good
> place to ask about nolisting:
>
> http://en.wikipedia.org/wiki/Nolisting
>
> I get ~ 7000 messages/day on my server, with ~70% getting tagged as spam.

I did some experimentation a few weeks ago and found that a nolisting
style "dead first MX" didn't make anywhere near as much of an impact as I
hoped, while in some cases it did cause delays (although only a few lost
messages that we could find, and all from small home-grown systems that
really deserved to feed into a proper mail relay).

What does seem to still work is having a secondary/last dummy MX that
answers with 4xx, at least at this point. Based on my (definitely
unscientific) testing, I believe that dumb ratware hits the lower
priority (highest numbered) MX, while smarter ratware either starts at the
top or hits them all.

For this purpose, I'm currently using junkemailfilter.com's freebie:

MX 997 mxbackup1.junkemailfilter.com.
MX 998 mxbackup2.junkemailfilter.com.

mxbackup1 is a free backup-MX service, mxbackup2 is an "always fails"
final MX. It's very clever: before accepting mail, it probes your
server. If your server is up and returns a 2xx or 4xx, it'll return a
4xx (so it won't accept mail if your server is working, thereby avoiding
the situation where a backup mail provider opens a hole in your finely
tuned filters), or if your server returns a 5xx, it will pass on the 5xx.

If your server doesn't respond, they'll 200 and accept the mail, then
forward it to your higher-numbered MX when you return.

It's a really nice package, plus they use the data they collect to
improve their service, so it's a win-win. Obviously read their policies
and ensure you're okay with part of your mail stream passing through a
third party.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: Slightly OT- nolisting

2014-10-20 Thread francis picabia
On Mon, Oct 20, 2014 at 9:18 AM, Robert Moskowitz wrote:

> Since this is about mail and spam, I thought this might be a good place to
> ask about nolisting:
>
> http://en.wikipedia.org/wiki/Nolisting
>
> I get ~ 7000 messages/day on my server, with ~70% getting tagged as spam.
>
> This is really a private mailserver for my side consulting business and for
> all the standards and support lists I am on.
>
> I am in the process of building a new server that I hope to launch
> tonight: Redsleeve6 (on armv7/Cubietruck)/postfix/
> dovecot/spamassassin/clamav/amavis-new.
>
> A friend recommended I use nolisting to reduce the amount of spam
> messages to scan for spam.  I tried the single fake MX record as discussed
> in the wiki.  Port 25 is blocked on the first MX entry. No changes in spam
> received.
>
> So I was told that this simple single MX record may not work.  To have TWO
> fake low value MX records and one high value like:
>
> MX 10 bad.foo.com
> MX 20 bad2.foo.com
> MX 30 me.foo.com
> MX 40 bad3.foo.com
>
> And this did not make any difference in % of spam.  I seem to be receiving
> the same amount.  So either the spammers that know about me use real MTAs
> or have updated their SMTP to process MX records right.
>
> So is there any experience here with nolisting?
>
> thanks

We ran a nolisting setup for a number of years.  It worked about as well
as reverse DNS checks for eliminating spam, without the CPU overhead
of a reverse DNS check.  The problem is, this does nothing about spammers
who decide to run a real mail queue, or abuse someone else's mail server,
which is increasingly the case.

Eventually we implemented a real grey lister, sqlgrey with Postfix.

The results were worthwhile.  The email delivered by our secondary MX fell
from about 5000 per day down to 200 or so.  It was so alarming I was afraid we
would hear from users on missing mail, but it really was all spam.

Our solution is Postfix with postscreen (eliminates zombies that don't
behave like a mail server), sqlgrey (eliminates systems that don't queue),
amavis with SA and clamav, RBLs like spamhaus, plus Sanesecurity
add-ons for clamav.

When I eliminated the nolisting config with all the above in place,
spam and email delivery stats did not increase.

While running with nolisting I think we encountered two sites
running home-made mail software which didn't fail over to
the next MX and called us.  Once we explained
why their software failed, they fixed it on their end.


Re: Give a penalty to messages with non latin UTF-8 characters?

2014-10-20 Thread Reindl Harald



On 20.10.2014 at 20:09, Philip Prindeville wrote:
> I don’t understand why Apple’s Mail.app, for instance,
> defaults to Win-1252 here in the US. That’s braindead

well, ask the Firefox developers why they say the
charset is "windows-1252" in recent releases
while in fact the HTTP headers as well as the meta tags
clearly say "ISO-8859-1"

https://bugzilla.mozilla.org/show_bug.cgi?id=288904

the whole IT world has been going crazy in that context for years now





Re: dns: bad dns reply: Connection refused

2014-10-20 Thread Kevin A. McGrail

On 10/20/2014 2:06 PM, Chris wrote:
> The complete error shown in my syslog is:
>
> Oct 20 11:41:44 localhost spamd[2155]: dns: sendto() to [127.0.0.1]:53 failed: Connection refused, no more alternatives
> Oct 20 11:41:44 localhost spamd[2155]: dns: bad dns reply: Connection refused
>
> Up until this time I saw no issues. Running SA 3.4.0 on Ubuntu 14.04.1 LTS
>
> Anyone have any suggestions?

Is your DNS server running on the localhost?

Is it blocked? Does it have enough threads?  Does your resolv.conf
contain ONLY 127.0.0.1 (usually that's fine?)


This implies solely a DNS issue to me.

Regards,
KAM



Re: dns: bad dns reply: Connection refused

2014-10-20 Thread Chris
On Mon, 2014-10-20 at 13:06 -0500, Chris wrote:
> The complete error shown in my syslog is:
>
> Oct 20 11:41:44 localhost spamd[2155]: dns: sendto() to [127.0.0.1]:53 failed: Connection refused, no more alternatives
> Oct 20 11:41:44 localhost spamd[2155]: dns: bad dns reply: Connection refused
>
> Up until this time I saw no issues. Running SA 3.4.0 on Ubuntu 14.04.1 LTS
>
> Anyone have any suggestions?
>
> Chris
>

I forgot to add that running this in a terminal:

chris@localhost:~$ host www.apache.org
www.apache.org has address 192.87.106.229
www.apache.org has address 140.211.11.131
www.apache.org has IPv6 address 2001:610:1:80bc:192:87:106:229
www.apache.org mail is handled by 10 minotaur.apache.org.

seems to show that dns is working or doesn't it?

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
13:11:19 up 1:31, 3 users, load average: 0.24, 0.21, 0.23
Ubuntu 14.04.1 LTS, kernel 3.13.0-38-generic



Re: dns: bad dns reply: Connection refused

2014-10-20 Thread Reindl Harald


On 20.10.2014 at 20:06, Chris wrote:
> The complete error shown in my syslog is:
>
> Oct 20 11:41:44 localhost spamd[2155]: dns: sendto() to [127.0.0.1]:53 failed: Connection refused, no more alternatives
> Oct 20 11:41:44 localhost spamd[2155]: dns: bad dns reply: Connection refused

looks like overload of your local resolver

> Up until this time I saw no issues. Running SA 3.4.0 on Ubuntu 14.04.1 LTS
>
> Anyone have any suggestions?

sorry, no, but what i face repeatedly are messages like below
in fact only if the machine has more than 1 dns in resolv.conf
configure it to just use 127.0.0.1 and that won't happen

Oct 19 09:04:42 caladan spamd[20546]: dns: no callback for id 40563/IN/A/uwc.org.dbl.spamhaus.org, ignored; packet: ;; Answer received from 10.0.0.6 (53 bytes)
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; HEADER SECTION
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; id = 40563
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; qr = 1 aa = 0 tc = 0 rd = 1 opcode = QUERY
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; ra = 1 z = 0 ad = 0 cd = 0 rcode = SERVFAIL
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; qdcount = 1 ancount = 0 nscount = 0 arcount = 1
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; do = 0
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; EDNS version 0
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; flags:
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; rcode: NOERROR
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; size: 1024
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; option:
Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; QUESTION SECTION (1 record)
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; uwc.org.dbl.spamhaus.org. IN A
Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; ANSWER SECTION (0 records)
Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; AUTHORITY SECTION (0 records)
Oct 19 09:04:42 caladan spamd[20546]: dns: [...]
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; ADDITIONAL SECTION (1 record)
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; EDNS version 0
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; flags:
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; rcode: NOERROR
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; size: 1024
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; option:
Oct 19 09:04:42 caladan spamd[20546]: dns: no likely matching queries for id 40563
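An added example, not code from any of the posts or from SpamAssassin, that parses the two spamd "dns:" patterns quoted in this thread (Reindl's orphaned late answers with "no callback for id", and Chris's refused sendto() to 127.0.0.1) and flags a host whose orphaned answers arrive from more than one resolver, which is the multi-nameserver resolv.conf case Reindl describes. The sample log is constructed from the quoted lines; the 10.0.0.7 answer is invented.

```python
"""Triage spamd 'dns:' log lines: refused sendto() calls and orphaned late answers.

Added example, not from the thread or from SpamAssassin.  The sample log below
is constructed from the lines quoted in the thread; the 10.0.0.7 answer is
invented so that one host shows late answers from two different resolvers.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Oct 19 09:04:42 caladan spamd[20546]: dns: no callback for id 40563/IN/A/uwc.org.dbl.spamhaus.org, ignored; packet: ;; Answer received from 10.0.0.6 (53 bytes)
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; HEADER SECTION
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; id = 40563
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; ra = 1 z = 0 ad = 0 cd = 0 rcode = SERVFAIL
Oct 19 09:04:42 caladan spamd[20546]: dns: [...] ;; rcode: NOERROR
Oct 19 09:04:42 caladan spamd[20546]: dns: no likely matching queries for id 40563
Oct 19 09:05:01 caladan spamd[20546]: dns: no callback for id 12345/IN/A/5.113.0.203.zen.spamhaus.org, ignored; packet: ;; Answer received from 10.0.0.7 (61 bytes)
Oct 19 09:05:01 caladan spamd[20546]: dns: [...] ;; ra = 1 z = 0 ad = 0 cd = 0 rcode = NOERROR
Oct 19 09:05:01 caladan spamd[20546]: dns: no likely matching queries for id 12345
Oct 20 11:41:44 localhost spamd[2155]: dns: sendto() to [127.0.0.1]:53 failed: Connection refused, no more alternatives
Oct 20 11:41:44 localhost spamd[2155]: dns: bad dns reply: Connection refused
"""

# syslog prefix as written by spamd; everything after 'dns: ' is the message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"spamd\[(?P<pid>\d+)\]: dns: (?P<msg>.*)$")
# a late answer spamd could no longer pair with a pending query
NO_CALLBACK_RE = re.compile(
    r"^no callback for id (?P<id>\d+)/(?P<cls>\w+)/(?P<type>\w+)/(?P<qname>\S+), "
    r"ignored; packet: ;; Answer received from (?P<resolver>\S+) \((?P<size>\d+) bytes\)$")
# header-dump line carrying the response code ('rcode = X'; the EDNS 'rcode: X' line is different)
HEADER_RCODE_RE = re.compile(r"^\[\.\.\.\] ;; .*\brcode = (?P<rcode>[A-Z]+)$")
# the resolver refused the UDP datagram outright (nothing listening on that port)
SENDTO_RE = re.compile(
    r"^sendto\(\) to \[(?P<resolver>[^\]]+)\]:(?P<port>\d+) failed: "
    r"(?P<err>.+?)(?:, no more alternatives)?$")


def triage(log_text):
    """Parse spamd dns lines; return orphaned answers, refused sends and findings."""
    orphans, refused = [], []
    current = None  # orphan whose '[...]' packet dump is still being read
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        nc = NO_CALLBACK_RE.match(msg)
        if nc:
            current = {"host": host, "id": int(nc["id"]), "qname": nc["qname"],
                       "resolver": nc["resolver"], "rcode": None}
            orphans.append(current)
            continue
        hr = HEADER_RCODE_RE.match(msg)
        if hr and current is not None:
            current["rcode"] = hr["rcode"]
            continue
        st = SENDTO_RE.match(msg)
        if st:
            refused.append({"host": host, "resolver": st["resolver"],
                            "port": int(st["port"]), "error": st["err"]})
        if not msg.startswith("[...]"):
            current = None  # any line that is not part of the dump closes it

    findings = []
    resolvers_by_host = {}
    for o in orphans:
        resolvers_by_host.setdefault(o["host"], set()).add(o["resolver"])
    for host, resolvers in sorted(resolvers_by_host.items()):
        if len(resolvers) > 1:
            findings.append(
                f"{host}: orphaned answers from {len(resolvers)} different resolvers "
                f"({', '.join(sorted(resolvers))}); resolv.conf probably lists more than one nameserver")
    for o in orphans:
        if o["rcode"] == "SERVFAIL":
            findings.append(f"{o['host']}: resolver {o['resolver']} returned SERVFAIL for {o['qname']}")
    for r in refused:
        findings.append(f"{r['host']}: nothing answering on {r['resolver']}:{r['port']} "
                        f"({r['error']}); check that the local resolver is running")
    return {"orphans": orphans, "refused": refused,
            "rcodes": dict(Counter(o["rcode"] for o in orphans)), "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print(line)
```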






Re: Give a penalty to messages with non latin UTF-8 characters?

2014-10-20 Thread Philip Prindeville

On Oct 17, 2014, at 9:53 AM, Michael Opdenacker wrote:

> On 09/01/2014 01:39 AM, LuKreme wrote:
>> On 31 Aug 2014, at 14:38 , Ian Zimmerman wrote:
>>
>>> Doesn't ok_languages and ok_locales do the job?  It does for me.
>> Not with UTF-8 encoding, that setting only seems to apply to old-style
>> character declarations.
>>
>
> This was exactly my point. As long as characters are in utf-8,
> ok_locales doesn't trigger. And ok_languages needs a sufficient number
> of characters to trigger. A subject with only Chinese characters in
> UTF-8 isn't enough.
>
> Michael.

I explicitly add 10.0 to messages with charset of GB2312.  Unfortunately, a lot 
of Chinese engineers use clients that still use this charset as the default, 
and post to English language mailing lists.

There used to be a recommendation that MUAs fit messages into the “smallest” 
encoding possible (smallest from the metric of how many characters it holds), 
i.e. USASCII, Latin1, UTF8.  Period.

Thus Chinese posters of legitimate messages to English language mailing lists 
would use USASCII or Latin1 (if replying to someone named André).

I don’t understand why Apple’s Mail.app, for instance, defaults to Win-1252 
here in the US. That’s braindead.

Apple won’t bundle Flash with MacOS because it’s not an Open Standard, but 
they’ll embrace a vendor-specific character code when a superior Open Standard 
encoding exists.  Go figure.

-Philip



dns: bad dns reply: Connection refused

2014-10-20 Thread Chris
The complete error shown in my syslog is:

Oct 20 11:41:44 localhost spamd[2155]: dns: sendto() to [127.0.0.1]:53 failed: Connection refused, no more alternatives
Oct 20 11:41:44 localhost spamd[2155]: dns: bad dns reply: Connection refused

Up until this time I saw no issues. Running SA 3.4.0 on Ubuntu 14.04.1 LTS

Anyone have any suggestions?

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
13:04:42 up 1:24, 3 users, load average: 0.26, 0.20, 0.23
Ubuntu 14.04.1 LTS, kernel 3.13.0-38-generic



Re: How is it that my X-Spam-Status is no, but my header gets marked with

2014-10-20 Thread Cathryn Mataga

On 10/20/14, 9:46 AM, jdebert wrote:
> On Mon, 20 Oct 2014 12:39:57 +0200
> Matus UHLAR - fantomas wrote:
>
>> On 17.10.14 10:08, jdebert wrote:
>>> Will URIBL_BLOCKED cause [SPAM] to be inserted into Subject?
>>
>> no, it will more likely cause [SPAM] _not_ to be inserted, because it
>> wouldn't be detected.
>
> Good. Had me worried a bit there. (^_^)
>
>>> Also, doesn't sa insert something else a bit different? Isn't it
>>> likely that someone else inserted that before the OP's server ever
>>> saw it?
>>
>> If SA inserts anything to Subject: and what it is, depends only on SA
>> configuration. It's the "rewrite_header" configuration directive.
>
> Of course. I was thinking at the time that some other spam filter/tagger
> that used that by default might have done this. After posting, realised
> that the config would have to be changed for that. Forgot to ask if it
> was the case.
>
> I recall some cases in the past where spam filtering setups, such as
> those for "antispam" appliances did such things by default without
> adding any headers. I suspected this might be the case here. Too many
> possibilities, too little data.

What I'll do then is change the inserted message to something else. 
Just to verify this.  I did manage to get rid of the warning from the 
dnsdbl list.  But I can pull this and try again too.




Re: How is it that my X-Spam-Status is no, but my header gets marked with

2014-10-20 Thread jdebert
On Mon, 20 Oct 2014 12:39:57 +0200
Matus UHLAR - fantomas wrote:

> On 17.10.14 10:08, jdebert wrote:
> >Will URIBL_BLOCKED cause [SPAM] to be inserted into Subject?
> 
> no, it will more likely cause [SPAM] _not_ to be inserted, because it
> wouldn't be detected.

Good. Had me worried a bit there. (^_^)

> 
> >Also, doesn't sa insert something else a bit different? Isn't it
> >likely that someone else inserted that before the OP's server ever
> >saw it?
> 
> If SA inserts anything to Subject: and what it is, depends only on SA
> configuration. It's the "rewrite_header" configuration directive.
> 

Of course. I was thinking at the time that some other spam filter/tagger
that used that by default might have done this. After posting, realised
that the config would have to be changed for that. Forgot to ask if it
was the case. 

I recall some cases in the past where spam filtering setups, such as
those for "antispam" appliances did such things by default without
adding any headers. I suspected this might be the case here. Too many
possibilities, too little data.

jd



Re: Slightly OT- nolisting

2014-10-20 Thread jdebert
On Mon, 20 Oct 2014 08:18:51 -0400
Robert Moskowitz wrote:

> Since this is about mail and spam, I thought this might be a good
> place to ask about nolisting:
> 
> http://en.wikipedia.org/wiki/Nolisting
> 
> I get ~ 7000 messages/day on my server, with ~70% getting tagged as
> spam.
> 

You could have no DNS record for your server. It wouldn't matter. Many
botnets don't bother with DNS. They stupidly scan the ip space
sequentially for mail servers. The best thing to do in such a case is
to drop connections from their ip blocks.  




Re: distribute bayes with rsync

2014-10-20 Thread Reindl Harald


On 20.10.2014 at 18:03, RW wrote:
> On Fri, 17 Oct 2014 20:04:11 +0200
> Reindl Harald wrote:
>
>>>> a perfect trained bayes on the inbound spamfirewall
>>>>
>>>> * after recently a account was hacked and sent spam
>>>>  (luckily not massive by rate-limits) which would have
>>>>  been clearly caught by SA/spamass-milter i consider
>>>>  to install SA also on the submission servers and just
>>>>  rsync the bayes per cronjob
>>>
>>> This is not ideal, a well-trained incoming database wont be
>>> well-trained for outgoing mail
>>
>> the 2000 ham samples are incoming and outgoing legit mail
>
> If possible it's better to keep them separate because there will be
> tokens frequencies that are very different between the two types of ham.
>
> For example, if a spammer is sending-out spam spoofing a bank, you don't
> want to have legitimate incoming mail from that bank in your ham corpus

no autolearning, hand-feed bayes and it was *a lot* of work to catch 2000 
clear spam and 2000 clear ham samples (with the help of some users 
forwarding mails as eml) in total - hence i don't want to maintain a 
second one

the ham should contain samples of any type of legit mail here
new spam is regularly forwarded to me for training

IMHO the new spam is the most important because i think if someone 
hacks mail accounts then it's to send out the latest crap with them

lowered and/or disabled some rules that make no sense in the context of 
authenticated MUAs from dialup home networks, lowered the impact of the 
bayes in general and tested with the two intrusions attached in abuse 
mails as mail body - both would have been rejected by the milter and so far 
no single mail nearly in a FP range

looks like the goal is achieved, rate-controls and so on also tuned to 
make dictionary attacks harder - they have really become a lot recently






Re: yahoo rcvd bug?

2014-10-20 Thread Dave Funk

On Mon, 20 Oct 2014, Quinn Comendant wrote:

> I'm getting FORGED_YAHOO_RCVD false positives for messages with yahoo received
> headers that do not match the search pattern defined in
> check_for_forged_yahoo_received_headers(). I'm using SpamAssassin 3.3.2 with
> latest rules as per `sa-update` rule channels `sought.rules.yerp.org` and
> `updates.spamassassin.org`.
>
> The spamassassin rule that is firing:
>
> *  1.6 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
>
> The received-by header in question:
>
> Received: from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) (216.109.114.203)
>
> Full mail headers available at https://cloudup.com/cbmG8tJF71k
>
> And finally here's the `check_for_forged_yahoo_received_headers` function that
> parses this, which doesn't contain the correct regex for this hostname:
>
> [snip..]
>
>  return 1;
>    }

You have two different rules that have fired there (FORGED_YAHOO_RCVD &
RDNS_NONE) because your MTA was not able to resolve that IP address to
its registered domain name.
The SA code correctly parsed the info that your MTA gave it, it's just
that that info was incorrect, either due to local DNS issues or a network issue.

Then because you (or somebody configuring your SA) has lowered the spam
threshold from 5.0 to 3.0 it caused a FP on this message.

I don't think that it is valid to declare a bug in SA because of an issue 
local to your system (problematic MTA/DNS & local config choices).


I see that you also have a hit on URIBL_BLOCKED which tends to indicate
that you have local DNS issues that should be addressed.

suggestions:
1) work on improving your DNS system
2) put the spam threshold back to default to reduce FPs triggered by DNS 
issues.

3) create a meta rule that takes the DKIM_VALID detection to nullify the
 effect of that FORGED_YAHOO_RCVD (in case you cannot get your DNS to work
 correctly).

If you lowered that spam threshold because of too many FNs, I think that
getting the DNS fixed so RBL tests work will take care of that too.

There have been plenty of posts to this list about URIBL_BLOCKED and how
to fix it.

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: distribute bayes with rsync

2014-10-20 Thread RW
On Fri, 17 Oct 2014 20:04:11 +0200
Reindl Harald wrote:

>>> a perfect trained bayes on the inbound spamfirewall
>>>
>>> * after recently a account was hacked and sent spam
>>> (luckily not massive by rate-limits) which would have
>>> been clearly caught by SA/spamass-milter i consider
>>> to install SA also on the submission servers and just
>>> rsync the bayes per cronjob
>>
>> This is not ideal, a well-trained incoming database wont be
>> well-trained for outgoing mail
>
> the 2000 ham samples are incoming and outgoing legit mail

If possible it's better to keep them separate because there will be
tokens frequencies that are very different between the two types of ham.

For example, if a spammer is sending-out spam spoofing a bank, you don't
want to have legitimate incoming mail from that bank in your ham corpus.


Re: getting tons of SPAM

2014-10-20 Thread Robert Schetterer
On 20.10.2014 at 17:17, John Wilcock wrote:
> On 20/10/2014 17:03, Reindl Harald wrote:
>> On 20.10.2014 at 17:00, motty cruz wrote:
>>> yes you're right I am trying to "reject" emails that end with *.eu and
>>> *.link. can I do a wild card *.eu? *.link?
>>
>> http://www.postfix.org/access.5.html
>> http://www.postfix.org/regexp_table.5.html
>> http://www.postfix.org/pcre_table.5.html
> 
> It is indeed *possible* to reject all .eu and .link senders that way.
> 
> Whether it's a *good idea* is another matter. There are plenty of
> legitimate organisations that have .eu addresses, so you might end up
> rejecting messages that your users wanted to receive.

agree

reject *.eu is a very bad idea

> 
> I imagine that there are also legitimate users of the recently-created
> .link TLD though I wouldn't be surprised to find rather fewer false
> positives from blocking that.
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: getting tons of SPAM

2014-10-20 Thread John Wilcock

On 20/10/2014 17:03, Reindl Harald wrote:
> On 20.10.2014 at 17:00, motty cruz wrote:
>> yes you're right I am trying to "reject" emails that end with *.eu and
>> *.link. can I do a wild card *.eu? *.link?
>
> http://www.postfix.org/access.5.html
> http://www.postfix.org/regexp_table.5.html
> http://www.postfix.org/pcre_table.5.html

It is indeed *possible* to reject all .eu and .link senders that way.

Whether it's a *good idea* is another matter. There are plenty of 
legitimate organisations that have .eu addresses, so you might end up 
rejecting messages that your users wanted to receive.

I imagine that there are also legitimate users of the recently-created 
.link TLD, though I wouldn't be surprised to find rather fewer false 
positives from blocking that.


--
John


Re: getting tons of SPAM

2014-10-20 Thread Reindl Harald



On 20.10.2014 at 17:00, motty cruz wrote:
> yes you're right I am trying to "reject" emails that end with *.eu and
> *.link. can I do a wild card *.eu? *.link?

http://www.postfix.org/access.5.html
http://www.postfix.org/regexp_table.5.html
http://www.postfix.org/pcre_table.5.html

> On Mon, Oct 20, 2014 at 7:51 AM, Axb wrote:
>
>> On 10/20/2014 04:48 PM, motty cruz wrote:
>>
>>> here are the RBLs I am using:
>>>    reject_rbl_client b.barracudacentral.org,
>>>    reject_rbl_client zen.spamhaus.org,
>>>    reject_rbl_client bl.spamcop.net
>>>
>>> is there a way to block *.eu and *.link ?
>>
>> block means *reject*, right?
>> use Postfix access tables (hash/pcre/regex)






Re: getting tons of SPAM

2014-10-20 Thread motty cruz
Hello Axb,

yes you're right I am trying to "reject" emails that end with *.eu and
*.link. can I do a wild card *.eu? *.link?

Thanks,

On Mon, Oct 20, 2014 at 7:51 AM, Axb wrote:

> On 10/20/2014 04:48 PM, motty cruz wrote:
>
>> here are the RBLs I am using:
>>   reject_rbl_client b.barracudacentral.org,
>>   reject_rbl_client zen.spamhaus.org,
>>   reject_rbl_client bl.spamcop.net
>>
>> is there a way to block *.eu and *.link ?
>>
>
> block means *reject*, right?
>
> use Postfix access tables (hash/pcre/regex)
>



-- 
Thanks for your support,
Motty


Re: yahoo rcvd bug?

2014-10-20 Thread Reindl Harald



On 20.10.2014 at 16:43, Axb wrote:
> On 10/20/2014 04:37 PM, Reindl Harald wrote:
>> On 20.10.2014 at 16:25, Axb wrote:
>>> On 10/20/2014 02:56 PM, Reindl Harald wrote:
>>>> seems your recursor couldn't resolve it, so your MTA added unknown...
>>>
>>> Received: from nm46-vm10.bullet.mail.bf1.yahoo.com
>>> (nm46-vm10.bullet.mail.bf1.yahoo.com [216.109.114.203])
>>>
>>>> what happens in case of a temporary DNS error?
>>>>
>>>> postfix answers in such cases with a 450
>>>> even with "unknown_hostname_reject_code = 550"
>>>
>>> only if you do tell Postfix to do so..
>>
>> not true
>
> oh yes it is...
>
>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>>
>> The unknown_client_reject_code parameter specifies the response code for
>> rejected requests (default: 450). The reply is *always 450* in case the
>> address->name or name->address lookup failed due to a *temporary problem*
>
> reject_unknown_client_hostname
> reject_unknown_reverse_client_hostname
>
> are NOT default.
> had he set such check it would have not hit SA..

i asked *what does SA* in case of a *temporary* error and brought 
postfix as *example* that it could be handled differently in the response

>>> not relevant..
>>
>> it's relevant in case the OP had a temporary DNS error because no
>> nameserver responded resulting in a FP
>
> it resulted in a FORGED_YAHOO_RCVD hit - takes way more than that to
> trigger a FP
>
> anyway.. EOT...
> (why am I wasting my time?)

sorry for asking a simple question and bringing an example - you could 
have just answered "not handling it differently, and i don't bother", frankly 
that is the most hostile list i remember






Re: getting tons of SPAM

2014-10-20 Thread Axb

On 10/20/2014 04:48 PM, motty cruz wrote:
> here are the RBLs I am using:
>   reject_rbl_client b.barracudacentral.org,
>   reject_rbl_client zen.spamhaus.org,
>   reject_rbl_client bl.spamcop.net
>
> is there a way to block *.eu and *.link ?

block means *reject*, right?

use Postfix access tables (hash/pcre/regex)


Re: getting tons of SPAM

2014-10-20 Thread motty cruz
here are the RBLs I am using:
 reject_rbl_client b.barracudacentral.org,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net

is there a way to block *.eu and *.link ?

here is part of local.cf
#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0 changed to 4.5 9-7-12
required_score 6.2


#   Use Bayesian classifier (default: 1)
#
use_bayes 1
bayes_path /var/amavis/.spamassassin/bayes

here is amavisd.conf
$sa_kill_level_deflt = 6.2;  # triggers spam evasive actions (e.g. blocks mail)

is this right combination? am i doing something wrong?

I get very spammy emails:
e0de6633145833.2909801.2920014.2920...@sly111.windowcostssuggest.com>,
mail_id: G1bV4l8INAHn, Hits: 1.99, size: 1683, queued_as: 430584563F1, 1062
ms

very low score.

Thanks,
Motty

On Thu, Oct 16, 2014 at 3:39 PM, Reindl Harald wrote:

>
> On 17.10.2014 at 00:24, Benny Pedersen wrote:
>
>> On October 16, 2014 11:23:57 PM motty cruz wrote:
>>
>>> I tried to post a sample but got rejected:
>>
>> Good, that means that it's a local problem
>>
>>> Here it goes again, the header:
>>> tests=[BAYES_99=4.5, BAYES_999=0.2, HTML_MESSAGE=0.001,
>>> T_RP_MATCHES_RCVD=-0.01] autolearn=no
>>
>> What plugins are loaded?
>
> URIBL are just not enabled or working
>
> even the quote to the last message with headers get blocked by
> URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL combined
>


-- 
Thanks for your support,
Motty


Re: yahoo rcvd bug?

2014-10-20 Thread Axb

On 10/20/2014 04:37 PM, Reindl Harald wrote:



Am 20.10.2014 um 16:25 schrieb Axb:

On 10/20/2014 02:56 PM, Reindl Harald wrote:

seems your recursor couldn't resolve it, so your MTA added unknown...

works for me:

Received: from nm46-vm10.bullet.mail.bf1.yahoo.com
(nm46-vm10.bullet.mail.bf1.yahoo.com [216.109.114.203])


what happens in case of a temporary DNS error?

postfix answers in such cases with a 450
even with "unknown_hostname_reject_code = 550"


only if you do tell Postfix to do so..


not true


oh yes it is...


http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

The unknown_client_reject_code parameter specifies the response code for
rejected requests (default: 450). The reply is *always 450* in case the
address->name or name->address lookup failed due to a *temporary problem*


reject_unknown_client_hostname
reject_unknown_reverse_client_hostname

are NOT default.

had he set such a check it would not have hit SA..


not relevant..



it's relevant in case the OP had a temporary DNS error because no
nameserver responded, resulting in a FP


it resulted in a FORGED_YAHOO_RCVD hit - takes way more than that to 
trigger a FP


anyway.. EOT...
(why am I wasting my time?)



Re: yahoo rcvd bug?

2014-10-20 Thread Reindl Harald



Am 20.10.2014 um 16:25 schrieb Axb:

On 10/20/2014 02:56 PM, Reindl Harald wrote:

seems your recursor couldn't resolve it, so your MTA added unknown...

works for me:

Received: from nm46-vm10.bullet.mail.bf1.yahoo.com
(nm46-vm10.bullet.mail.bf1.yahoo.com [216.109.114.203])


what happens in case of a temporary DNS error?

postfix answers in such cases with a 450
even with "unknown_hostname_reject_code = 550"


only if you do tell Postfix to do so..


not true

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

The unknown_client_reject_code parameter specifies the response code for 
rejected requests (default: 450). The reply is *always 450* in case the 
address->name or name->address lookup failed due to a *temporary problem*



not relevant..


it's relevant in case the OP had a temporary DNS error because no 
nameserver responded, resulting in a FP






Re: yahoo rcvd bug?

2014-10-20 Thread Axb

On 10/20/2014 02:56 PM, Reindl Harald wrote:


Am 20.10.2014 um 14:51 schrieb Axb:

On 10/20/2014 02:26 PM, Quinn Comendant wrote:

I'm getting FORGED_YAHOO_RCVD false positives for messages with yahoo
received headers that do not match the search pattern defined in
check_for_forged_yahoo_received_headers(). I'm using SpamAssassin
3.3.2 with latest rules as per `sa-update` rule channels
`sought.rules.yerp.org` and `updates.spamassassin.org`.

The spamassassin rule that is firing:

*  1.6 FORGED_YAHOO_RCVD 'From' yahoo.com does not match
'Received' headers

The received-by header in question:

Received: from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com)
(216.109.114.203)


seems your recursor couldn't resolve it, so your MTA added unknown...

works for me:

Received: from nm46-vm10.bullet.mail.bf1.yahoo.com
(nm46-vm10.bullet.mail.bf1.yahoo.com [216.109.114.203])


what happens in case of a temporary DNS error?

postfix answers in such cases with a 450
even with "unknown_hostname_reject_code = 550"


only if you do tell Postfix to do so.. not relevant..



Re: yahoo rcvd bug?

2014-10-20 Thread Reindl Harald


Am 20.10.2014 um 14:51 schrieb Axb:

On 10/20/2014 02:26 PM, Quinn Comendant wrote:

I'm getting FORGED_YAHOO_RCVD false positives for messages with yahoo
received headers that do not match the search pattern defined in
check_for_forged_yahoo_received_headers(). I'm using SpamAssassin
3.3.2 with latest rules as per `sa-update` rule channels
`sought.rules.yerp.org` and `updates.spamassassin.org`.

The spamassassin rule that is firing:

*  1.6 FORGED_YAHOO_RCVD 'From' yahoo.com does not match
'Received' headers

The received-by header in question:

Received: from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com)
(216.109.114.203)


seems your recursor couldn't resolve it, so your MTA added unknown...

works for me:

Received: from nm46-vm10.bullet.mail.bf1.yahoo.com
(nm46-vm10.bullet.mail.bf1.yahoo.com [216.109.114.203])


what happens in case of a temporary DNS error?

postfix answers in such cases with a 450
even with "unknown_hostname_reject_code = 550"





Re: yahoo rcvd bug?

2014-10-20 Thread Axb

On 10/20/2014 02:26 PM, Quinn Comendant wrote:

Full mail headers available at https://cloudup.com/cbmG8tJF71k


Pls put on pastebin - cloudup times out


Re: yahoo rcvd bug?

2014-10-20 Thread Axb

On 10/20/2014 02:26 PM, Quinn Comendant wrote:

I'm getting FORGED_YAHOO_RCVD false positives for messages with yahoo received 
headers that do not match the search pattern defined in 
check_for_forged_yahoo_received_headers(). I'm using SpamAssassin 3.3.2 with 
latest rules as per `sa-update` rule channels `sought.rules.yerp.org` and 
`updates.spamassassin.org`.

The spamassassin rule that is firing:

*  1.6 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' 
headers

The received-by header in question:

Received: from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) 
(216.109.114.203)



seems your recursor couldn't resolve it, so your MTA added unknown...

works for me:

Received: from nm46-vm10.bullet.mail.bf1.yahoo.com 
(nm46-vm10.bullet.mail.bf1.yahoo.com [216.109.114.203])




Re: Slightly OT- nolisting

2014-10-20 Thread Reindl Harald



Am 20.10.2014 um 14:18 schrieb Robert Moskowitz:

Since this is about mail and spam, I thought this might be a good place
to ask about nolisting:

http://en.wikipedia.org/wiki/Nolisting

I get ~ 7000 messages/day on my server, with ~70% getting tagged as spam.

This is really a private mail server for my side consulting business and
for all the standards and support lists I am on.

I am in the process of building a new server that I hope to launch
tonight: Redsleeve6 (on
armv7/Cubietruck)/postfix/dovecot/spamassassin/clamav/amavis-new.

A friend recommended I use nolisting to reduce the amount of spam
messages to scan for spam.  I tried the single fake MX record as
discussed in the wiki. Port 25 is blocked on the first MX entry. No
changes in spam received.


that may be the mistake, just reject temporary there

many bots don't retry, but if there is no connect they may fall
back on the primary MX in the same second, the other benefit of the temp 
reject is that the bot may think this is greylisting and come back on 
the primary 10 or 15 minutes later


well, within those 10 minutes their chances of being in RBLs are high


So I was told that this simple single MX record may not work.  To have
TWO fake low value MX records and one high value like:

MX 10 bad.foo.com
MX 20 bad2.foo.com
MX 30 me.foo.com
MX 40 bad3.foo.com

And this did not make any difference in % of spam.  I seem to be
receiving the same amount.  So either the spammers that know about me
use real MTAs or have updated their SMTP to process MX records right.

So is there any experience here with nolisting?


* postscreen
* two IP addresses
* backup MX for the second
* postscreen_whitelist_interfaces = !, static:all

the stats below are unique IPs

most bots starting on the backup-MX never come back
the ones which come back are mostly caught by RBLs

some big legit senders also start on the backup, hence the temp-reject, 
because they come back with proper behavior later on the primary


Default-MX: 31400
Honeypot-MX:16906
Honeypot-Only:  14062





yahoo rcvd bug?

2014-10-20 Thread Quinn Comendant
I'm getting FORGED_YAHOO_RCVD false positives for messages with yahoo received 
headers that do not match the search pattern defined in 
check_for_forged_yahoo_received_headers(). I'm using SpamAssassin 3.3.2 with 
latest rules as per `sa-update` rule channels `sought.rules.yerp.org` and 
`updates.spamassassin.org`.

The spamassassin rule that is firing:

*  1.6 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' 
headers

The received-by header in question:

Received: from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) 
(216.109.114.203)

Full mail headers available at https://cloudup.com/cbmG8tJF71k

And finally here's the `check_for_forged_yahoo_received_headers` function that 
parses this, which doesn't contain the correct regex for this hostname:

sub check_for_forged_yahoo_received_headers {
  my ($self, $pms) = @_;

  my $from = $pms->get('From:addr');
  if ($from !~ /\byahoo\.com$/i) { return 0; }

  my $rcvd = $pms->get('Received');

  if ($pms->get("Resent-From") ne '' && $pms->get("Resent-To") ne '') {
    my $xrcvd = $pms->get("X-Received");
    $rcvd = $xrcvd  if $xrcvd ne '';
  }
  $rcvd =~ s/\s+/ /gs;  # just spaces, simplify the regexp

  # not sure about this
  #if ($rcvd !~ /from \S*yahoo\.com/) { return 0; }

  if ($self->gated_through_received_hdr_remover($pms)) { return 0; }

  # bug 3740: ignore bounces from Yahoo!.   only honoured if the
  # correct rDNS shows up in the trusted relay list, or first untrusted relay
  #
  # bug 4528: [ ip=68.142.202.54 rdns=mta122.mail.mud.yahoo.com
  # helo=mta122.mail.mud.yahoo.com by=eclectic.kluge.net ident=
  # envfrom= intl=0 id=49F2EAF13B auth= ]
  #
  if ($pms->{relays_trusted_str} =~ / rdns=\S+\.yahoo\.com /
      || $pms->{relays_untrusted_str} =~ /^[^\]]+ rdns=\S+\.yahoo\.com /)
  { return 0; }

  if ($rcvd =~ /by web\S+\.mail\S*\.yahoo\.com via HTTP/) { return 0; }
  if ($rcvd =~ /by smtp\S+\.yahoo\.com with SMTP/) { return 0; }
  my $IP_ADDRESS = IP_ADDRESS;
  if ($rcvd =~
      /from \[$IP_ADDRESS\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP/) {
    return 0;
  }

  # used in "forward this news item to a friend" links.  There's no better
  # received hdrs to match on, unfortunately.  I'm not sure if the next test is
  # still useful, as a result.
  #
  # search for msgid <20020929140301.451a9294...@xent.com>, subject "Yahoo!
  # News Story - Top Stories", date Sep 29 2002 on
  #  for an example.
  #
  if ($rcvd =~ /\bmailer\d+\.bulk\.scd\.yahoo\.com\b/
      && $from =~ /\@reply\.yahoo\.com$/i) { return 0; }

  if ($rcvd =~ /by \w+\.\w+\.yahoo\.com \(\d+\.\d+\.\d+\/\d+\.\d+\.\d+\)(?: with ESMTP)? id \w+/) {
    # possibly sent from "mail this story to a friend"
    return 0;
  }

  return 1;
}

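To see why this header trips the rule while the one Axb quotes does not, here is an added Python rendering of the function's decision path (written for this post, not SpamAssassin's own code; the Resent-*/X-Received and gated_through_received_hdr_remover branches are left out). It assumes, following the bug 4528 comment in the function, that SpamAssassin records each relay as "[ ip=... rdns=... helo=... by=... ]" and that an MTA's "from unknown" becomes an empty rdns= field; the two Received lines and the host name mx.example.invalid are constructed from the ones in the thread:

```python
import re
from typing import Optional

# Stands in for SpamAssassin's IP_ADDRESS constant (IPv4 only in this example).
IP_ADDRESS = r"\d{1,3}(?:\.\d{1,3}){3}"

# Postfix writes "from rdns (helo [ip])"; qmail-style MTAs write
# "from rdns (HELO helo) (ip)", which is the shape in the original post.
_POSTFIX_FROM = re.compile(r"from (\S+) \((\S+) \[(" + IP_ADDRESS + r")\]\)")
_QMAIL_FROM = re.compile(r"from (\S+) \(HELO (\S+)\) \((" + IP_ADDRESS + r")\)")

# Constructed headers modelled on the two quoted in the thread.
UNRESOLVED_RCVD = ("from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) (216.109.114.203) "
                   "by mx.example.invalid with SMTP; 20 Oct 2014 12:00:00 -0000")
RESOLVED_RCVD = ("from nm46-vm10.bullet.mail.bf1.yahoo.com "
                 "(nm46-vm10.bullet.mail.bf1.yahoo.com [216.109.114.203]) "
                 "by mx.example.invalid (Postfix) with ESMTPS id 4C1E0D3A1 "
                 "for <user@example.invalid>; Mon, 20 Oct 2014 12:00:00 +0000")


def parse_relay(received: str, by: str) -> Optional[dict]:
    """Extract the relay's ip/rdns/helo the way the relays_* strings need them."""
    m = _POSTFIX_FROM.search(received) or _QMAIL_FROM.search(received)
    if m is None:
        return None
    rdns, helo, ip = m.groups()
    # The MTA could not resolve the PTR: assumed to become an empty rdns= field.
    if rdns.lower() == "unknown":
        rdns = ""
    return {"ip": ip, "rdns": rdns, "helo": helo, "by": by}


def relay_str(relay: dict) -> str:
    """Render one relay in the '[ ip=... rdns=... ]' form the rule's regexes match."""
    return ("[ ip={ip} rdns={rdns} helo={helo} by={by} ident= envfrom= intl=0 id= auth= ]"
            .format(**relay))


def check_for_forged_yahoo_received_headers(from_addr: str, received: str,
                                            relays_trusted_str: str = "",
                                            relays_untrusted_str: str = "") -> int:
    """Returns 1 when FORGED_YAHOO_RCVD would fire, 0 otherwise (same order as the Perl)."""
    if not re.search(r"\byahoo\.com$", from_addr, re.I):
        return 0
    rcvd = re.sub(r"\s+", " ", received)  # just spaces, simplify the regexp
    # bug 3740: honoured only if the correct rDNS shows up for the first untrusted relay
    if (re.search(r" rdns=\S+\.yahoo\.com ", relays_trusted_str)
            or re.search(r"^[^\]]+ rdns=\S+\.yahoo\.com ", relays_untrusted_str)):
        return 0
    if re.search(r"by web\S+\.mail\S*\.yahoo\.com via HTTP", rcvd):
        return 0
    if re.search(r"by smtp\S+\.yahoo\.com with SMTP", rcvd):
        return 0
    if re.search(r"from \[" + IP_ADDRESS + r"\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP", rcvd):
        return 0
    if (re.search(r"\bmailer\d+\.bulk\.scd\.yahoo\.com\b", rcvd)
            and re.search(r"@reply\.yahoo\.com$", from_addr, re.I)):
        return 0
    if re.search(r"by \w+\.\w+\.yahoo\.com \(\d+\.\d+\.\d+/\d+\.\d+\.\d+\)(?: with ESMTP)? id \w+", rcvd):
        return 0
    return 1


def evaluate(from_addr: str, received: str, by: str = "mx.example.invalid") -> int:
    """Parse the first untrusted relay from a Received header and run the check on it."""
    relay = parse_relay(received, by)
    untrusted = relay_str(relay) if relay else ""
    return check_for_forged_yahoo_received_headers(from_addr, received, "", untrusted)


if __name__ == "__main__":
    for label, rcvd in (("unresolved PTR", UNRESOLVED_RCVD), ("resolved PTR", RESOLVED_RCVD)):
        print(f"{label}: FORGED_YAHOO_RCVD={evaluate('someone@yahoo.com', rcvd)}")
```

Run it and the unresolved header scores 1 while the resolved one scores 0, even though both carry the same HELO name and IP: none of the Received-line regexes describe a modern Yahoo relay, so the only thing that clears the message is the rdns= check, and that field is empty whenever the receiving MTA's resolver fails. A recursor outage at delivery time therefore turns straight into this false positive, which is the diagnosis Axb gives in the thread.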


Slightly OT- nolisting

2014-10-20 Thread Robert Moskowitz
Since this is about mail and spam, I thought this might be a good place 
to ask about nolisting:


http://en.wikipedia.org/wiki/Nolisting

I get ~ 7000 messages/day on my server, with ~70% getting tagged as spam.

This is really a private mail server for my side consulting business and 
for all the standards and support lists I am on.


I am in the process of building a new server that I hope to launch 
tonight: Redsleeve6 (on 
armv7/Cubietruck)/postfix/dovecot/spamassassin/clamav/amavis-new.


A friend recommended I use nolisting to reduce the amount of spam 
messages to scan for spam.  I tried the single fake MX record as 
discussed in the wiki.  Port 25 is blocked on the first MX entry. No 
changes in spam received.


So I was told that this simple single MX record may not work.  To have 
TWO fake low value MX records and one high value like:


MX 10 bad.foo.com
MX 20 bad2.foo.com
MX 30 me.foo.com
MX 40 bad3.foo.com

And this did not make any difference in % of spam.  I seem to be 
receiving the same amount.  So either the spammers that know about me 
use real MTAs or have updated their SMTP to process MX records right.


So is there any experience here with nolisting?

thanks




Re: How is it that my X-Spam-Status is no, but my header gets marked with

2014-10-20 Thread Matus UHLAR - fantomas

On Fri, 17 Oct 2014 12:13:49 +0100
Martin Gregorie  wrote:


On Thu, 2014-10-16 at 22:37 -0700, Cathryn Mataga wrote:
> The score is only 1.9, 3.5 required.  What's going on here?
>
> X-Spam-Status: No, score=1.9 required=3.5
> tests=BAYES_50,DKIM_SIGNED,
> EMAIL_URI_PHISH,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,T_DKIM_INVALID,
> URIBL_BLOCKED autolearn=disabled version=3.3.2
>
URIBL_BLOCKED usually means that you've exceeded the daily free use
limit on URIBL queries.


On 17.10.14 10:08, jdebert wrote:

Will URIBL_BLOCKED cause [SPAM] to be inserted into Subject?


no, it will more likely cause [SPAM] _not_ to be inserted, because it
wouldn't be detected.


Also, doesn't sa insert something else a bit different? Isn't it
likely that someone else inserted that before the OP's server ever
saw it?


Whether SA inserts anything into Subject:, and what it is, depends only on SA
configuration. It's the "rewrite_header" configuration directive.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them, 
One OS to bring them all and into darkness bind them 


Re: blacklist by sender description, not by send e-mail address?

2014-10-20 Thread Axb

On 10/20/2014 11:40 AM, Michael Opdenacker wrote:

Greetings,

On 10/17/2014 06:37 PM, Bowie Bailey wrote:

On 10/17/2014 12:13 PM, Axb wrote:

On 10/17/2014 06:02 PM, Michael Opdenacker wrote:

Greetings,

I'm receiving a specific type of spam which From header is always like:

From: service by foobar 

These guys always use "by foobar" or " foobar" (not the real string,
don't want them to notice in case they read the list archives) in the
sender description string, so they should be easy to catch, instead of
their domain name which changes constantly.

However, from the examples in the documentation, I believe that
"blacklist_from" only works on the e-mail address itself, and therefore
is likely to ignore the description string.

Am I right? If this is true, how would you give a penalty to messages
with a sender description containing " foobar" (need to match the space
before the recurring string too)?

Any tips are welcome!

header FOO From:name =~ /\bfoobar\b/


And to match the space as well:

header FOO From:name =~ / \bfoobar\b/

If you want it to be a blacklist-type rule, just adjust the score
accordingly.  There is no magic to the blacklist rules, they just have
a high score.

score   FOO   20

I would start it with a low score (0.01) first to make sure it is
matching what you expect and not causing false positives before
raising the score to a higher level.



Thank you very much for your advice! That's exactly what I needed.

I added the below lines to my /etc/spamassassin/local.cf file:

header  FROM_NAME_FOOBAR   From:name =~ /\bfoobar\b/i
describe FROM_NAME_FOOBAR   From name contains " foobar"
score   FROM_NAME_FOOBAR  0.01

\b (word break) is enough to make sure that "foobar" is a separate word.
/i means case insensitive

I found useful guidelines on
https://wiki.apache.org/spamassassin/WritingRules


take a look at

http://www.cs.tut.fi/~jkorpela/perl/regexp.html







Re: blacklist by sender description, not by send e-mail address?

2014-10-20 Thread Michael Opdenacker
Greetings,

On 10/17/2014 06:37 PM, Bowie Bailey wrote:
> On 10/17/2014 12:13 PM, Axb wrote:
>> On 10/17/2014 06:02 PM, Michael Opdenacker wrote:
>>> Greetings,
>>>
>>> I'm receiving a specific type of spam which From header is always like:
>>>
>>> From: service by foobar 
>>>
>>> These guys always use "by foobar" or " foobar" (not the real string,
>>> don't want them to notice in case they read the list archives) in the
>>> sender description string, so they should be easy to catch, instead of
>>> their domain name which changes constantly.
>>>
>>> However, from the examples in the documentation, I believe that
>>> "blacklist_from" only works on the e-mail address itself, and therefore
>>> is likely to ignore the description string.
>>>
>>> Am I right? If this is true, how would you give a penalty to messages
>>> with a sender description containing " foobar" (need to match the space
>>> before the recurring string too)?
>>>
>>> Any tips are welcome!
>> header FOO From:name =~ /\bfoobar\b/
>
> And to match the space as well:
>
> header FOO From:name =~ / \bfoobar\b/
>
> If you want it to be a blacklist-type rule, just adjust the score
> accordingly.  There is no magic to the blacklist rules, they just have
> a high score.
>
> score   FOO   20
>
> I would start it with a low score (0.01) first to make sure it is
> matching what you expect and not causing false positives before
> raising the score to a higher level.
>

Thank you very much for your advice! That's exactly what I needed.

I added the below lines to my /etc/spamassassin/local.cf file:

header  FROM_NAME_FOOBAR   From:name =~ /\bfoobar\b/i
describe FROM_NAME_FOOBAR   From name contains " foobar"
score   FROM_NAME_FOOBAR  0.01

\b (word break) is enough to make sure that "foobar" is a separate word.
/i means case insensitive

I found useful guidelines on
https://wiki.apache.org/spamassassin/WritingRules

Thanks again!

Michael.

-- 
Michael Opdenacker, CEO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
+33 484 258 098
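The three rule variants discussed in this thread (Axb's /\bfoobar\b/, Bowie's leading-space version, and Michael's final case-insensitive FROM_NAME_FOOBAR) applied to the display name of a From: header, as an added Python example that is not part of any message above. It assumes, as SpamAssassin's From:name selector does, that only the display name is matched, and the four From: headers are constructed with "foobar" standing in for the real recurring token:

```python
import re
from email.utils import parseaddr

# Constructed From: headers covering the cases a rule author needs to check.
SAMPLES = [
    "service by foobar <svc@example.invalid>",   # the shape described in the thread
    "Foobar Deals <deals@example.invalid>",      # token first, capitalised
    "news from foobarista <news@example.invalid>",  # token as a prefix of a longer word
    "Alice Example <alice@example.invalid>",     # unrelated sender
]

# Rule name -> compiled pattern, mirroring the header rules quoted above.
RULES = {
    "FOO_WORD": re.compile(r"\bfoobar\b"),              # From:name =~ /\bfoobar\b/
    "FOO_SPACE": re.compile(r" \bfoobar\b"),            # From:name =~ / \bfoobar\b/
    "FROM_NAME_FOOBAR": re.compile(r"\bfoobar\b", re.I),  # From:name =~ /\bfoobar\b/i
}


def from_name(header_value: str) -> str:
    """The display-name part only, which is what SpamAssassin's From:name selects."""
    name, _addr = parseaddr(header_value)
    return name


def evaluate(header_value: str) -> dict:
    """Return {rule: matched} for one From: header value."""
    name = from_name(header_value)
    return {rule: rx.search(name) is not None for rule, rx in RULES.items()}


def hits(header_value: str) -> list:
    """Sorted names of the rules that fire, the way a test-mode run would list them."""
    return sorted(rule for rule, hit in evaluate(header_value).items() if hit)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{from_name(sample)!r}: {hits(sample) or ['(no hit)']}")
```

The output shows where the variants differ: the leading-space form never matches a name that starts with the token, and without /i a capitalised "Foobar" is missed, while \b on its own already keeps "foobarista" from matching. Running a table like this before raising the score from 0.01 is the cheap way to confirm the rule hits what you expect and nothing else.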