Re: Help with today's (and previous) spam uptick?
On 2015-04-01 19:23, Kevin A. McGrail wrote:
> On 4/1/2015 8:21 PM, Larry Rosenman wrote:
> > Is there an ETA for 3.4.1? And, is there anything else I can do in the meantime?
>
> 3.4.1 is planned to announce for release during ApacheCon in about 2 weeks.
>
> 1 - Make sure you are using the new Registrar Boundary with the TLDs that are plaguing you.
> 2 - Are you using KAM.cf?
>
> regards,
> KAM

Ok, I pulled a new RegistrarBoundaries.pm and now we wait.

BTW, is my every 6 hour pull of KAM.cf kosher with you?

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
RE: Help with today's (and previous) spam uptick?
Phooey. Make that

header CBJ_SCIENCE From =~ /\.science\b/i

The former example clobbers stuff from India...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

> -Original Message-
> From: Kevin Miller [mailto:kevin.mil...@juneau.org]
> Sent: Wednesday, April 01, 2015 4:27 PM
> To: 'Larry Rosenman'; SpamAssassin
> Subject: RE: Help with today's (and previous) spam uptick?
>
> I simply added them to my sendmail access file with a REJECT. Problem
> solved. Of the ones that came in, I couldn't find any ham so didn't
> think twice about being ruthless. If you need to take a more cautious
> approach, just write a rule to score them higher. For instance, dropping
> this in a .cf file in your spamassassin directory will clobber stuff
> from the .science TLD.
>
> ##
> header CBJ_SCIENCE From =~ /\.in\b/i
> describe CBJ_SCIENCE In science TLD
> score CBJ_SCIENCE 5.0
>
> HTH...
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500
> Registered Linux User No: 307357
>
> > -Original Message-
> > From: Larry Rosenman [mailto:l...@lerctr.org]
> > Sent: Wednesday, April 01, 2015 4:13 PM
> > To: SpamAssassin
> > Subject: Help with today's (and previous) spam uptick?
> >
> > I've been getting pounded with stuff from "new" tld's (cricket,
> > science, work, et al).
> >
> > I'm wondering how to make SA more immune to it.
> >
> > Spamples: http://pastebin.com/jc3efYju
> >
> > Thanks!
> > --
> > Larry Rosenman http://www.lerctr.org/~ler
> > Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
> > US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
Re: Help with today's (and previous) spam uptick?
On 4/1/2015 8:21 PM, Larry Rosenman wrote:
> Is there an ETA for 3.4.1? And, is there anything else I can do in the meantime?

3.4.1 is planned to announce for release during ApacheCon in about 2 weeks.

1 - Make sure you are using the new Registrar Boundary with the TLDs that are plaguing you.
2 - Are you using KAM.cf?

regards,
KAM
RE: Help with today's (and previous) spam uptick?
I simply added them to my sendmail access file with a REJECT. Problem solved. Of the ones that came in, I couldn't find any ham so didn't think twice about being ruthless. If you need to take a more cautious approach, just write a rule to score them higher. For instance, dropping this in a .cf file in your spamassassin directory will clobber stuff from the .science TLD.

##
header CBJ_SCIENCE From =~ /\.in\b/i
describe CBJ_SCIENCE In science TLD
score CBJ_SCIENCE 5.0

HTH...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

> -Original Message-
> From: Larry Rosenman [mailto:l...@lerctr.org]
> Sent: Wednesday, April 01, 2015 4:13 PM
> To: SpamAssassin
> Subject: Help with today's (and previous) spam uptick?
>
> I've been getting pounded with stuff from "new" tld's (cricket, science,
> work, et al).
>
> I'm wondering how to make SA more immune to it.
>
> Spamples: http://pastebin.com/jc3efYju
>
> Thanks!
> --
> Larry Rosenman http://www.lerctr.org/~ler
> Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
> US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
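As an added example (not code from the thread), the following Python script runs Kevin's first rule body (`/\.in\b/i`), the `.science` correction he posts in his follow-up, and a third, tighter variant against a few constructed From: headers. The tighter variant is an assumption of mine: it mirrors SpamAssassin's `From:addr` form (test only the bare address) and anchors the TLD at the end with `$`, so a "science" label that is merely a subdomain of a legitimate domain does not score. Python's `re` has the same semantics as Perl for these patterns, so the outcomes are what SpamAssassin would produce.

```python
import re

# Constructed sample From: header values (not taken from the thread's spample)
SAMPLES = {
    "spam-science":      "Promo Desk <deals@promo-example.science>",
    "india-ham":         "Ravi Kumar <ravi@example.co.in>",
    "science-subdomain": "Lab Admin <lab@mail.science.example.edu>",
    "plain-ham":         "Alice <alice@example.com>",
}

# Kevin's first rule body, his corrected one, and a tighter variant that is
# assumed (not from the thread) to mirror SpamAssassin's From:addr form and
# anchors the TLD at the end of the bare address.
ORIGINAL  = re.compile(r"\.in\b", re.I)        # header CBJ_SCIENCE From =~ /\.in\b/i
CORRECTED = re.compile(r"\.science\b", re.I)   # header CBJ_SCIENCE From =~ /\.science\b/i
TIGHT     = re.compile(r"\.science$", re.I)    # assumed: From:addr =~ /\.science$/i


def addr_part(from_header):
    """Return the bare address, roughly what SpamAssassin's From:addr yields."""
    m = re.search(r"<([^>]+)>", from_header)
    return m.group(1) if m else from_header.strip()


def hits(pattern, from_header, addr_only=False):
    """True when the pattern would fire on the header (or on its bare address)."""
    target = addr_part(from_header) if addr_only else from_header
    return pattern.search(target) is not None


def evaluate(samples=SAMPLES):
    """Map each sample to which of the three rule bodies would hit it."""
    return {
        name: {
            "original":  hits(ORIGINAL, hdr),
            "corrected": hits(CORRECTED, hdr),
            "tight":     hits(TIGHT, hdr, addr_only=True),
        }
        for name, hdr in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:18s} {result}")
```

Running it shows the false positive Kevin mentions (`\.in\b` fires on the Indian `.co.in` address and never on the `.science` one) and, for the corrected pattern, that `\b` still accepts a trailing dot, so `mail.science.example.edu` would score unless the rule is anchored at the end of the address.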
Re: Help with today's (and previous) spam uptick?
On 2015-04-01 19:23, Kevin A. McGrail wrote:
> On 4/1/2015 8:21 PM, Larry Rosenman wrote:
> > Is there an ETA for 3.4.1? And, is there anything else I can do in the meantime?
>
> 3.4.1 is planned to announce for release during ApacheCon in about 2 weeks.
>
> 1 - Make sure you are using the new Registrar Boundary with the TLDs that are plaguing you.
> 2 - Are you using KAM.cf?
>
> regards,
> KAM

I'll pull a new RegistrarBoundaries.pm, and YES, I poll KAM.cf every 6 hours, and when it changes, I install the new one.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
Re: Help with today's (and previous) spam uptick?
On 4/1/2015 8:18 PM, Larry Rosenman wrote:
> On 2015-04-01 19:15, Kevin A. McGrail wrote:
> > On 4/1/2015 8:13 PM, Larry Rosenman wrote:
> > > I've been getting pounded with stuff from "new" tld's (cricket, science, work, et al).
> > >
> > > I'm wondering how to make SA more immune to it.
> > >
> > > Spamples: http://pastebin.com/jc3efYju
> >
> > Are you using a recent SA from trunk? The RegistrarBoundaries.pm for new TLDs is hard coded.
> >
> > Regards,
> > KAM
>
> No, the FreeBSD port, but I think(!) I updated the RegistrarBoundaries.pm:
> # Last update: 2015-02-21-axb
>
> Is there a plan to automate this and SOON?

3.4.1 / svn trunk has some patches in place that should allow us to implement this with sa-update. It's a key issue I'm working through on rc2.

Regards,
KAM
Re: Help with today's (and previous) spam uptick?
On 2015-04-01 19:20, Kevin A. McGrail wrote:
> On 4/1/2015 8:18 PM, Larry Rosenman wrote:
> > On 2015-04-01 19:15, Kevin A. McGrail wrote:
> > > On 4/1/2015 8:13 PM, Larry Rosenman wrote:
> > > > I've been getting pounded with stuff from "new" tld's (cricket, science, work, et al).
> > > >
> > > > I'm wondering how to make SA more immune to it.
> > > >
> > > > Spamples: http://pastebin.com/jc3efYju
> > >
> > > Are you using a recent SA from trunk? The RegistrarBoundaries.pm for new TLDs is hard coded.
> > >
> > > Regards,
> > > KAM
> >
> > No, the FreeBSD port, but I think(!) I updated the RegistrarBoundaries.pm:
> > # Last update: 2015-02-21-axb
> >
> > Is there a plan to automate this and SOON?
>
> 3.4.1 / svn trunk has some patches in place that should allow us to implement this with sa-update. It's a key issue I'm working through on rc2.
>
> Regards,
> KAM

Is there an ETA for 3.4.1? And, is there anything else I can do in the meantime?

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
Re: Help with today's (and previous) spam uptick?
On 2015-04-01 19:15, Kevin A. McGrail wrote:
> On 4/1/2015 8:13 PM, Larry Rosenman wrote:
> > I've been getting pounded with stuff from "new" tld's (cricket, science, work, et al).
> >
> > I'm wondering how to make SA more immune to it.
> >
> > Spamples: http://pastebin.com/jc3efYju
>
> Are you using a recent SA from trunk? The RegistrarBoundaries.pm for new TLDs is hard coded.
>
> Regards,
> KAM

No, the FreeBSD port, but I think(!) I updated the RegistrarBoundaries.pm:
# Last update: 2015-02-21-axb

Is there a plan to automate this and SOON?

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
Re: Help with today's (and previous) spam uptick?
On 4/1/2015 8:13 PM, Larry Rosenman wrote:
> I've been getting pounded with stuff from "new" tld's (cricket, science, work, et al).
>
> I'm wondering how to make SA more immune to it.
>
> Spamples: http://pastebin.com/jc3efYju

Are you using a recent SA from trunk? The RegistrarBoundaries.pm for new TLDs is hard coded.

Regards,
KAM
Help with today's (and previous) spam uptick?
I've been getting pounded with stuff from "new" tld's (cricket, science, work, et al).

I'm wondering how to make SA more immune to it.

Spamples: http://pastebin.com/jc3efYju

Thanks!
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
Re: Uptick in spam
On Apr 1, 2015, at 3:03 PM, Kevin Miller wrote:
> You can reject on RDNS (or lack thereof) in sendmail depending on the
> version. Search for "require_rdns".

Thanks, I'll look into it. Sadly I don't think I have time to manually whitelist misconfigured servers, since I suspect there are not a few of them... a lot of people fail to put rDNS entries on their mail servers (including my own $DAYJOB employer, who only fixed it once I complained).

> There may be other options than the firewall - if you have access to the mail
> server itself, you could maybe run an instance of iptables. I presume you're
> running it on Linux. Or maybe put the name servers in the /etc/host file
> with 127.0.0.x addresses? Not sure if that would work or not. If all else
> fails, bribe the DNS admin! :-)

I do run iptables, which I use for fail2ban... but then I'd need to look up all the IP ranges served by the evil DNS servers. I could put the name servers in /etc/hosts but that would only help if I configure sendmail to require rDNS.

Looks like there's no optimal solution on that one... Thanks.

--- Amir
Re: Uptick in spam
On 04/01/2015 10:45 PM, Amir Caspi wrote:
> Certainly it would be interesting to add such capability to SA (to add points for known spammy DNS providers and/or registrars), though I imagine that could be a recipe for FPs in some cases. Then again, we did it for .pw URIs, so...

You can do it running your private dnsbl (using rbldnsd) and a urifullnsrhssub SA rule. It's not hard to do - cheap as well as effective.
RE: Uptick in spam
> -Original Message-
> Ah, I see... you killed them at the firewall itself, before they even
> got to sendmail. I was wondering how blocking the name servers
> themselves would help, since (at least in my configuration) sendmail
> doesn't reject just due to bad rDNS (not sure if that's even possible).
> Unfortunately, no, I don't have control over the firewall. Indeed,
> there is no hard firewall, so I only have software, and I'm not sure I
> have anything that could do specifically this.
>
> Certainly it would be interesting to add such capability to SA (to add
> points for known spammy DNS providers and/or registrars), though I
> imagine that could be a recipe for FPs in some cases. Then again, we
> did it for .pw URIs, so...
>
> --- Amir

You can reject on RDNS (or lack thereof) in sendmail depending on the version. Search for "require_rdns". On my newer servers it's included in sendmail. On an older server I had to implement it as a hack. But it's easily found on the web, and wasn't hard to implement. Kills a lot of spam, but also some legitimate mail. I put the IP addresses of the legitimate (albeit misconfigured) servers in my access file and that seems to do the job. You will need to check the logs for rejects and decide who's OK.

There may be other options than the firewall - if you have access to the mail server itself, you could maybe run an instance of iptables. I presume you're running it on Linux. Or maybe put the name servers in the /etc/host file with 127.0.0.x addresses? Not sure if that would work or not. If all else fails, bribe the DNS admin! :-)

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Re: Uptick in spam
On Apr 1, 2015, at 2:26 PM, Kevin Miller wrote:
> I blocked the RRPPROXY.NET name servers at the firewall. [...] After I did
> that, almost instantly the spam dropped dramatically. [...]
> There was some discussion in this group about blocking on DNS providers about
> a month or so ago, spawned by my initial requests for help. I don't know if
> you have the luxury of dropping the connections at the firewall but it worked
> for me. Look back through the archives.

Ah, I see... you killed them at the firewall itself, before they even got to sendmail. I was wondering how blocking the name servers themselves would help, since (at least in my configuration) sendmail doesn't reject just due to bad rDNS (not sure if that's even possible). Unfortunately, no, I don't have control over the firewall. Indeed, there is no hard firewall, so I only have software, and I'm not sure I have anything that could do specifically this.

Certainly it would be interesting to add such capability to SA (to add points for known spammy DNS providers and/or registrars), though I imagine that could be a recipe for FPs in some cases. Then again, we did it for .pw URIs, so...

--- Amir
RE: Uptick in spam
I'm a bit late to the party (was on vacation) but your woes sounded awfully familiar. I was getting slammed by spam a couple months ago. The domains changed daily, but the one consistent thing was they were all served by RRPPROXY.NET. I blocked the RRPPROXY.NET name servers at the firewall.

Doing a whois lookup on wheelerweightoff.com, I see that it is served by RRPPROXY.NET DNS servers: NS1, NS2, and NS3. I'd bet the others are too.

After I did that, almost instantly the spam dropped dramatically. FWIW, I found no legitimate messages from the domains they hosted. Conveniently, they're a German company I think, and I'm in the US, so legitimate mail from them is unlikely.

There was some discussion in this group about blocking on DNS providers about a month or so ago, spawned by my initial requests for help. I don't know if you have the luxury of dropping the connections at the firewall but it worked for me. Look back through the archives.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
Re: TO_IN_SUBJ for username?
On 01/04/15 17:41, Amir Caspi wrote:
> Going back to this:
>
> On Apr 1, 2015, at 7:47 AM, Bowie Bailey wrote:
>
> Well, this wouldn't be the first or only rule that doesn't work for everyone... plus, I would certainly make it case sensitive, so that "John" wouldn't match "john@", for example. This rule could be disabled by default and turned on by people who want it, or vice versa. I'd also imagine it would generate a lower score from masscheck than the regular TO_IN_SUBJ would, and hence would be of less impact towards FPs (but that extra few-tenths of a point could make the difference to push a lot of these spams over the threshold, particularly if they hit BAYES_999 but not any other rules, as many snowshoe spams often do in the early stages).
>
> Anyway, it was just a thought... I'd certainly support such a rule, even if it had to be manually enabled or rescored.

Untested, but this might work, adjusted from existing __SUBJ_HAS_TO rules

---8<---
header __SUBJ_HAS_TO_LOCAL_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>@,]+)@(?:[^\n>]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/sm
header __SUBJ_HAS_TO_LOCAL_2 ALL =~ /\nReceived:[^\n]{0,200} for <([^\n\s>;@]+)@(?:[^\n>]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/sm
header __SUBJ_HAS_TO_LOCAL_3 To:addr !~ /^(?:info|abuse|support)@/
meta __TO_LOCAL_IN_SUBJ (__SUBJ_HAS_TO_LOCAL_1 || __SUBJ_HAS_TO_LOCAL_2) && __SUBJ_HAS_TO_LOCAL_3
meta TO_LOCAL_IN_SUBJ __TO_LOCAL_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe TO_LOCAL_IN_SUBJ To local part is in Subject
score TO_LOCAL_IN_SUBJ 0.01
---8<---

Paul
--
Paul Stead
Systems Engineer
Zen Internet
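An added example (not code from the thread or from SpamAssassin) that exercises Paul's draft rule with Python's `re`, whose semantics match Perl's for this pattern: `__SUBJ_HAS_TO_LOCAL_1` is applied to constructed header blocks together with the `__SUBJ_HAS_TO_LOCAL_3` role-address exclusion. The cases cover the behaviours discussed in the thread: the local part of To: reappearing in Subject: fires the rule; Subject: appearing before To: does not (the header-order dependency Bowie and John describe); the match is case sensitive, as Amir wanted; and `info@` is excluded. The Received:-based `__SUBJ_HAS_TO_LOCAL_2` alternative is not simulated, and the leading `\n` on SpamAssassin's `ALL` pseudo-header is an assumption of mine.

```python
import re

# Paul's __SUBJ_HAS_TO_LOCAL_1 body: a To: header whose local part reappears
# in a Subject: header that comes later in the header block. SpamAssassin's
# ALL pseudo-header is assumed here to start with a newline, which is why the
# pattern begins with \n; the flags correspond to the rule's /sm.
SUBJ_HAS_TO_LOCAL_1 = re.compile(
    r"\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>@,]+)@(?:[^\n>]+)>?\n"
    r"(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]",
    re.S | re.M,
)

# __SUBJ_HAS_TO_LOCAL_3 excludes role addresses: To:addr !~ /^(?:info|abuse|support)@/
ROLE_ADDR = re.compile(r"^(?:info|abuse|support)@")


def to_addr(headers):
    """Rough stand-in for SpamAssassin's To:addr: bare address of the first To: header."""
    m = re.search(r"^To:\s*(?:[^\n<]*<)?([^\n>\s,]+)", headers, re.M)
    return m.group(1) if m else ""


def to_local_in_subj(headers):
    """True when (__SUBJ_HAS_TO_LOCAL_1 && __SUBJ_HAS_TO_LOCAL_3) would fire.

    The Received:-based __SUBJ_HAS_TO_LOCAL_2 alternative is not simulated.
    """
    if not headers.endswith("\n"):
        headers += "\n"
    rule1 = SUBJ_HAS_TO_LOCAL_1.search("\n" + headers) is not None
    rule3 = ROLE_ADDR.search(to_addr(headers)) is None
    return rule1 and rule3


# Constructed header blocks (not the spample from the thread)
CASES = {
    "hit_to_before_subject":
        'From: x@example.net\nTo: "Friend" <bob@example.com>\nSubject: bob your parcel is waiting\n',
    "miss_subject_before_to":
        'From: x@example.net\nSubject: bob your parcel is waiting\nTo: "Friend" <bob@example.com>\n',
    "miss_case_sensitive":
        "To: john@example.com\nSubject: Hi John, quick question\n",
    "miss_role_address":
        "To: info@example.com\nSubject: info request\n",
    "miss_partial_word":
        "To: bob@example.com\nSubject: bobsled results\n",
}


def run_cases(cases=CASES):
    """Evaluate every constructed header block and report whether the meta rule fires."""
    return {name: to_local_in_subj(hdrs) for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, fired in run_cases().items():
        print(f"{name:24s} {'HIT' if fired else 'no hit'}")
```

The `miss_partial_word` case is there because the trailing `[>,\s\n]` in the rule requires the local part to end at a delimiter in the Subject, so "bobsled" does not count as "bob"; drop that class and the rule starts hitting on ordinary words that merely begin with a short local part.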
Re: TO_IN_SUBJ for username?
On 4/1/2015 12:41 PM, Amir Caspi wrote:
> Going back to this:
>
> On Apr 1, 2015, at 7:47 AM, Bowie Bailey wrote:
> > That might be reasonable for most email addresses, but there are quite a few people who have a usable name or nickname as the user part of their email. (j...@example.com). It would not make sense to score an email just for having their name in the subject.
>
> Well, this wouldn't be the first or only rule that doesn't work for everyone... plus, I would certainly make it case sensitive, so that "John" wouldn't match "john@", for example. This rule could be disabled by default and turned on by people who want it, or vice versa. I'd also imagine it would generate a lower score from masscheck than the regular TO_IN_SUBJ would, and hence would be of less impact towards FPs (but that extra few-tenths of a point could make the difference to push a lot of these spams over the threshold, particularly if they hit BAYES_999 but not any other rules, as many snowshoe spams often do in the early stages).
>
> > And then there are addresses which use normal words in the address which would also not make sense to score. For example: i...@example.com, ab...@example.com, supp...@example.com, etc.
>
> Indeed, and those likely-FP words could be explicitly excluded via negative match, so that qw(info abuse support mail) etc. wouldn't score. The same could be done for common names, I suppose, although I agree that gets a bit cumbersome.
>
> Anyway, it was just a thought... I'd certainly support such a rule, even if it had to be manually enabled or rescored.

I don't think it would work as a standard rule. It would have too much variance in the FP rate depending on the email address and trying to maintain a list of problematic words/names would probably be too cumbersome in the general case. It might work as an informational rule (score 0.001) that admins could use in meta rules or increase scoring on a per-user basis.

--
Bowie
Re: TO_IN_SUBJ for username?
Going back to this:

On Apr 1, 2015, at 7:47 AM, Bowie Bailey wrote:
> That might be reasonable for most email addresses, but there are quite a few
> people who have a usable name or nickname as the user part of their email.
> (j...@example.com). It would not make sense to score an email just for
> having their name in the subject.

Well, this wouldn't be the first or only rule that doesn't work for everyone... plus, I would certainly make it case sensitive, so that "John" wouldn't match "john@", for example. This rule could be disabled by default and turned on by people who want it, or vice versa. I'd also imagine it would generate a lower score from masscheck than the regular TO_IN_SUBJ would, and hence would be of less impact towards FPs (but that extra few-tenths of a point could make the difference to push a lot of these spams over the threshold, particularly if they hit BAYES_999 but not any other rules, as many snowshoe spams often do in the early stages).

> And then there are addresses which use normal words in the address which
> would also not make sense to score. For example: i...@example.com,
> ab...@example.com, supp...@example.com, etc.

Indeed, and those likely-FP words could be explicitly excluded via negative match, so that qw(info abuse support mail) etc. wouldn't score. The same could be done for common names, I suppose, although I agree that gets a bit cumbersome.

Anyway, it was just a thought... I'd certainly support such a rule, even if it had to be manually enabled or rescored.

Cheers.

--- Amir
Re: TO_IN_SUBJ for username?
On Wed, 1 Apr 2015, Amir Caspi wrote:
> On Apr 1, 2015, at 8:08 AM, Bowie Bailey wrote:
> > The way it's written, it will only hit if the Subject header follows the To header.
>
> I thought John modified the rule to fix that, about a year ago... did that not get implemented in production?

It will match if the To: or Received: header with recipient address comes first. There's not a version that tries to parse an email address out of the Subject: if that's encountered first.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The most glaring example of the cognitive dissonance on the left is the concept that human beings are inherently good, yet at the same time cannot be trusted with any kind of weapon, unless the magic fairy dust of government authority gets sprinkled upon them. -- Moshe Ben-David
---
Today: April Fools' day
Re: TO_IN_SUBJ for username?
On 4/1/2015 10:20 AM, Amir Caspi wrote:
> On Apr 1, 2015, at 8:08 AM, Bowie Bailey wrote:
> > The way it's written, it will only hit if the Subject header follows the To header.
>
> I thought John modified the rule to fix that, about a year ago... did that not get implemented in production?

Apparently not. I'm running SA 3.4.0 with rules updated today. There are two main regexes referenced by the TO_IN_SUBJ meta. One matches To and then Subject and the other matches Received and then Subject.

--
Bowie
Re: TO_IN_SUBJ for username?
On Apr 1, 2015, at 8:08 AM, Bowie Bailey wrote:
>
> The way it's written, it will only hit if the Subject header follows the To
> header.

I thought John modified the rule to fix that, about a year ago... did that not get implemented in production?

--- Amir
thumbed via iPhone
Re: TO_IN_SUBJ for username?
Hello Bowie,

Wednesday, April 1, 2015, 3:08:10 PM, you wrote:

BB> The way it's written, it will only hit if the Subject header follows the
BB> To header.

Ho Hum!

--
Best regards,
Niamh mailto:ni...@fullbore.co.uk

pgpmInVp50o64.pgp
Description: PGP signature
Re: TO_IN_SUBJ for username?
On 4/1/2015 9:58 AM, Niamh Holding wrote:
> Hello Amir,
>
> Wednesday, April 1, 2015, 4:44:08 AM, you wrote:
>
> AC> I'm guessing that TO_IN_SUBJ only pops when the Subject: contains the full email address in To:
>
> Didn't hit on this-
>
> Date: Sun, 29 Mar 2015 23:05:53 +
> Return-Path:
> Subject: ad...@holtain.co.uk
> Reply-To: marketingmodelstrat...@wikihawmakemoney.com
> X-Complaints-To: ab...@getresponse.com
> To: "Friend"
> From: "SAID Bacem"

The way it's written, it will only hit if the Subject header follows the To header.

--
Bowie
Re: TO_IN_SUBJ for username?
Hello Amir,

Wednesday, April 1, 2015, 4:44:08 AM, you wrote:

AC> I'm guessing that TO_IN_SUBJ only pops when the Subject: contains the full email address in To:

Didn't hit on this-

Date: Sun, 29 Mar 2015 23:05:53 +
Return-Path:
Subject: ad...@holtain.co.uk
Reply-To: marketingmodelstrat...@wikihawmakemoney.com
X-Complaints-To: ab...@getresponse.com
To: "Friend"
From: "SAID Bacem"

--
Best regards,
Niamh mailto:ni...@fullbore.co.uk

pgpbLCF_96tLe.pgp
Description: PGP signature
Re: TO_IN_SUBJ for username?
On 3/31/2015 11:44 PM, Amir Caspi wrote:
> Hi,
>
> I'm guessing that TO_IN_SUBJ only pops when the Subject: contains the full email address in To:, not just the user part... is that right? I've been getting a bunch of spam (some of which ends up as FNs) with just the username portion of To: in the Subject line. This is almost invariably spam, so I think it might be worthwhile to add a TO_USER_IN_SUBJ which focuses only on the user part. Presumably one might want to score this a tad lower than TO_IN_SUBJ, but maybe not...
>
> A spample is here: http://pastebin.com/qNu0TsfF
>
> John, thoughts?

That might be reasonable for most email addresses, but there are quite a few people who have a usable name or nickname as the user part of their email. (j...@example.com). It would not make sense to score an email just for having their name in the subject.

And then there are addresses which use normal words in the address which would also not make sense to score. For example: i...@example.com, ab...@example.com, supp...@example.com, etc.

--
Bowie