Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman

On 2015-04-01 19:23, Kevin A. McGrail wrote:

On 4/1/2015 8:21 PM, Larry Rosenman wrote:
Is there an ETA for 3.4.1? And, is there anything else I can do meantime?


3.4.1 is planned to announce for release during ApacheCon in about 2 
weeks.


1 - Make sure you are using the new Registrar Boundary with the TLDs
that are plaguing you.
2 - Are you using KAM.cf?

regards,
KAM


Ok, I pulled a new RegistrarBoundaries.pm and now we wait.

BTW, is my every 6 hour pull of KAM.cf kosher with you?

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



RE: Help with today's (and previous) spam uptick?

2015-04-01 Thread Kevin Miller
Phooey.  Make that 
  header   CBJ_SCIENCE   From =~ /\.science\b/i

The former example clobbers stuff from India...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 


> -Original Message-
> From: Kevin Miller [mailto:kevin.mil...@juneau.org]
> Sent: Wednesday, April 01, 2015 4:27 PM
> To: 'Larry Rosenman'; SpamAssassin
> Subject: RE: Help with today's (and previous) spam uptick?
> 
> I simply added them to my sendmail access file with a REJECT.  Problem
> solved.  Of the ones that came in, I couldn't find any ham so didn't
> think twice about being ruthless.  If you need to take a more cautious
> approach, just write a rule to score them higher. For instance, dropping
> this in a .cf file in your spamassassin directory will clobber stuff
> from the .science TLD.
> 
> 
> ##
> header   CBJ_SCIENCE   From =~ /\.in\b/i
> describe CBJ_SCIENCE   In science TLD
> score    CBJ_SCIENCE   5.0
> 
> 
> HTH...
> 
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No:
> 307357
> 
> 
> > -Original Message-
> > From: Larry Rosenman [mailto:l...@lerctr.org]
> > Sent: Wednesday, April 01, 2015 4:13 PM
> > To: SpamAssassin
> > Subject: Help with today's (and previous) spam uptick?
> >
> > I've been getting pounded with stuff from "new" tld's (cricket,
> > science, work, et al).
> >
> > I'm wondering how to make SA more immune to it.
> >
> > Spamples: http://pastebin.com/jc3efYju
> >
> >
> > Thanks!
> > --
> > Larry Rosenman http://www.lerctr.org/~ler
> > Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
> > US Mail: 108 Turvey Cove, Hutto, TX 78634-5688
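
An added example, not code from any poster in this thread: it runs the two patterns posted above over constructed From headers and compares them with an exact check of the sender domain's last label. Python's `re` stands in for Perl's regex engine here; the sample headers and the function names are assumptions of this example.

```python
import re
from email.utils import parseaddr

# Patterns as posted. SpamAssassin's "header NAME From =~ /.../" tests the
# whole From header value, display name included, so that is what we feed them.
FIRST_POSTED = re.compile(r"\.in\b", re.I)       # the version that hit India
CORRECTED = re.compile(r"\.science\b", re.I)     # the follow-up correction


def sender_tld(from_header):
    """Last DNS label of the address part of a From header, lower-cased."""
    _name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if "." not in domain:
        return ""
    return domain.rpartition(".")[2].lower()


def classify(from_header, tld="science"):
    """Return (first_posted_hit, corrected_hit, exact_tld_hit) for one header."""
    return (
        FIRST_POSTED.search(from_header) is not None,
        CORRECTED.search(from_header) is not None,
        sender_tld(from_header) == tld,
    )


# Constructed sample headers (not taken from the thread's spamples).
SAMPLES = {
    "spam_tld": '"Offers" <deal@cheap-offers.science>',
    "india": '"Ravi" <ravi@example.co.in>',
    "info": '"Alice" <alice@example.info>',
    "subdomain": '"Lab list" <list@news.science.example.org>',
    "display_name": '"Pop.Science Weekly" <news@example.com>',
}

if __name__ == "__main__":
    print(f"{'sample':<13} {'.in':<6} {'.science':<9} exact-TLD")
    for name, header in SAMPLES.items():
        first, corrected, exact = classify(header)
        print(f"{name:<13} {first!s:<6} {corrected!s:<9} {exact}")
```

The corrected pattern still fires on a `science` label inside a longer host name or in the display name; in SpamAssassin, testing `From:addr` with the pattern anchored at the end of the address narrows it to the TLD.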


Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Kevin A. McGrail

On 4/1/2015 8:21 PM, Larry Rosenman wrote:
Is there an ETA for 3.4.1? And, is there anything else I can do meantime?


3.4.1 is planned to announce for release during ApacheCon in about 2 weeks.

1 - Make sure you are using the new Registrar Boundary with the TLDs 
that are plaguing you.

2 - Are you using KAM.cf?

regards,
KAM



RE: Help with today's (and previous) spam uptick?

2015-04-01 Thread Kevin Miller
I simply added them to my sendmail access file with a REJECT.  Problem solved.  
Of the ones that came in, I couldn't find any ham so didn't think twice about 
being ruthless.  If you need to take a more cautious approach, just write a 
rule to score them higher. For instance, dropping this in a .cf file in your 
spamassassin directory will clobber stuff from the .science TLD.
 
##
header   CBJ_SCIENCE   From =~ /\.in\b/i
describe CBJ_SCIENCE   In science TLD
score    CBJ_SCIENCE   5.0


HTH...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 


> -Original Message-
> From: Larry Rosenman [mailto:l...@lerctr.org]
> Sent: Wednesday, April 01, 2015 4:13 PM
> To: SpamAssassin
> Subject: Help with today's (and previous) spam uptick?
> 
> I've been getting pounded with stuff from "new" tld's (cricket, science,
> work, et al).
> 
> I'm wondering how to make SA more immune to it.
> 
> Spamples: http://pastebin.com/jc3efYju
> 
> 
> Thanks!
> --
> Larry Rosenman http://www.lerctr.org/~ler
> Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
> US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman

On 2015-04-01 19:23, Kevin A. McGrail wrote:

On 4/1/2015 8:21 PM, Larry Rosenman wrote:
Is there an ETA for 3.4.1? And, is there anything else I can do meantime?


3.4.1 is planned to announce for release during ApacheCon in about 2 
weeks.


1 - Make sure you are using the new Registrar Boundary with the TLDs
that are plaguing you.
2 - Are you using KAM.cf?

regards,
KAM


I'll pull a new RegistrarBoundaries.pm, and YES, I poll KAM.cf every 6 
hours, and when it changes, I install the new one.


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Kevin A. McGrail

On 4/1/2015 8:18 PM, Larry Rosenman wrote:

On 2015-04-01 19:15, Kevin A. McGrail wrote:

On 4/1/2015 8:13 PM, Larry Rosenman wrote:
I've been getting pounded with stuff from "new" tld's (cricket, 
science, work, et al).


I'm wondering how to make SA more immune to it.

Spamples: http://pastebin.com/jc3efYju

Are you using a recent SA from trunk?  The RegistrarBoundaries.pm for 
new TLDs is hard coded.


Regards,
KAM

No the FreeBSD port, but I think(!) I updated the RegistrarBoundaries.pm:

# Last update: 2015-02-21-axb

Is there a plan to automate this and SOON? 


3.4.1 / svn trunk has some patches in place that should allow us to 
implement this with sa-update.  It's a key issue I'm working through on rc2.


Regards,
KAM


Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman

On 2015-04-01 19:20, Kevin A. McGrail wrote:

On 4/1/2015 8:18 PM, Larry Rosenman wrote:

On 2015-04-01 19:15, Kevin A. McGrail wrote:

On 4/1/2015 8:13 PM, Larry Rosenman wrote:
I've been getting pounded with stuff from "new" tld's (cricket, 
science, work, et al).


I'm wondering how to make SA more immune to it.

Spamples: http://pastebin.com/jc3efYju

Are you using a recent SA from trunk?  The RegistrarBoundaries.pm for 
new TLDs is hard coded.


Regards,
KAM
No the FreeBSD port, but I think(!) I updated the 
RegistrarBoundaries.pm:


# Last update: 2015-02-21-axb

Is there a plan to automate this and SOON?


3.4.1 / svn trunk has some patches in place that should allow us to
implement this with sa-update.  It's a key issue I'm working through
on rc2.

Regards,
KAM
Is there an ETA for 3.4.1? And, is there anything else I can do meantime?



--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688



Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman

On 2015-04-01 19:15, Kevin A. McGrail wrote:

On 4/1/2015 8:13 PM, Larry Rosenman wrote:
I've been getting pounded with stuff from "new" tld's (cricket, 
science, work, et al).


I'm wondering how to make SA more immune to it.

Spamples: http://pastebin.com/jc3efYju

Are you using a recent SA from trunk?  The RegistrarBoundaries.pm for 
new TLDs is hard coded.


Regards,
KAM
No the FreeBSD port, but I think(!) I updated the 
RegistrarBoundaries.pm:


# Last update: 2015-02-21-axb

Is there a plan to automate this and SOON?


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: Help with today's (and previous) spam uptick?

2015-04-01 Thread Kevin A. McGrail

On 4/1/2015 8:13 PM, Larry Rosenman wrote:
I've been getting pounded with stuff from "new" tld's (cricket, 
science, work, et al).


I'm wondering how to make SA more immune to it.

Spamples: http://pastebin.com/jc3efYju 
Are you using a recent SA from trunk?  The RegistrarBoundaries.pm for 
new TLDs is hard coded.


Regards,
KAM


Help with today's (and previous) spam uptick?

2015-04-01 Thread Larry Rosenman
I've been getting pounded with stuff from "new" tld's (cricket, science, 
work, et al).


I'm wondering how to make SA more immune to it.

Spamples: http://pastebin.com/jc3efYju


Thanks!
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 108 Turvey Cove, Hutto, TX 78634-5688


Re: Uptick in spam

2015-04-01 Thread Amir Caspi
On Apr 1, 2015, at 3:03 PM, Kevin Miller  wrote:

> You can reject on RDNS (or lack thereof) in sendmail depending on the 
> version.  Search for "require_rdns".

Thanks, I'll look into it.  Sadly I don't think I have time to manually 
whitelist misconfigured servers, since I suspect there are not a few of them... 
a lot of people fail to put rDNS entries on their mail servers (including my 
own $DAYJOB employer, who only fixed it once I complained).

> There may be other options than the firewall - if you have access to the mail 
> server itself, you could maybe run an instance of iptables.  I presume you're 
> running it on Linux.  Or maybe put the name servers in the /etc/host file 
> with 127.0.0.x addresses?  Not sure if that would work or not.  If all else 
> fails, bribe the DNS admin! :-)

I do run iptables, which I use for fail2ban... but then I'd need to look up all 
the IP ranges served by the evil DNS servers.  I could put the name servers in 
/etc/hosts but that would only help if I configure sendmail to require rDNS.  
Looks like there's no optimal solution on that one...

Thanks.

--- Amir



Re: Uptick in spam

2015-04-01 Thread Axb

On 04/01/2015 10:45 PM, Amir Caspi wrote:

Certainly it would be interesting to add such capability to SA (to
add points for known spammy DNS providers and/or registrars), though
I imagine that could be a recipe for FPs in some cases.  Then again,
we did it for .pw URIs, so...



You can do it running your private dnsbl (using rbldnsd) and a 
urifullnsrhssub SA rule.

It's not hard to do - cheap as well as effective.


RE: Uptick in spam

2015-04-01 Thread Kevin Miller
> -Original Message-
> Ah, I see... you killed them at the firewall itself, before they even
> got to sendmail.  I was wondering how blocking the name servers
> themselves would help, since (at least in my configuration) sendmail
> doesn't reject just due to bad rDNS (not sure if that's even possible).
> Unfortunately, no, I don't have control over the firewall.  Indeed,
> there is no hard firewall, so I only have software, and I'm not sure I
> have anything that could do specifically this.
> 
> Certainly it would be interesting to add such capability to SA (to add
> points for known spammy DNS providers and/or registrars), though I
> imagine that could be a recipe for FPs in some cases.  Then again, we
> did it for .pw URIs, so...
> 
> --- Amir

You can reject on RDNS (or lack thereof) in sendmail depending on the version.  
Search for "require_rdns".  On my newer servers it's included in sendmail.  On 
an older server I had to implement it as a hack.  But it's easily found on the 
web, and wasn't hard to implement.  Kills a lot of spam, but also some 
legitimate mail.  I put the IP addresses of the legitimate (albeit 
misconfigured) servers in my access file and that seems to do the job.  You 
will need to check the logs for rejects and decide who's OK.

There may be other options than the firewall - if you have access to the mail 
server itself, you could maybe run an instance of iptables.  I presume you're 
running it on Linux.  Or maybe put the name servers in the /etc/host file with 
127.0.0.x addresses?  Not sure if that would work or not.  If all else fails, 
bribe the DNS admin! :-)


...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 




Re: Uptick in spam

2015-04-01 Thread Amir Caspi
On Apr 1, 2015, at 2:26 PM, Kevin Miller  wrote:

> I blocked the RRPPROXY.NET name servers at the firewall. [...] After I did 
> that, almost instantly the spam dropped dramatically.
[...]
> There was some discussion in this group about blocking on DNS providers about 
> a month or so ago, spawned by my initial requests for help.  I don't know if 
> you have the luxury of dropping the connections at the firewall but it worked 
> for me.   Look back through the archives.

Ah, I see... you killed them at the firewall itself, before they even got to 
sendmail.  I was wondering how blocking the name servers themselves would help, 
since (at least in my configuration) sendmail doesn't reject just due to bad 
rDNS (not sure if that's even possible).  Unfortunately, no, I don't have 
control over the firewall.  Indeed, there is no hard firewall, so I only have 
software, and I'm not sure I have anything that could do specifically this.

Certainly it would be interesting to add such capability to SA (to add points 
for known spammy DNS providers and/or registrars), though I imagine that could 
be a recipe for FPs in some cases.  Then again, we did it for .pw URIs, so...

--- Amir

RE: Uptick in spam

2015-04-01 Thread Kevin Miller
I'm a bit late to the party (was on vacation) but your woes sounded awfully 
familiar.  I was getting slammed by spam a couple months ago.  The domains 
changed daily, but the one consistent thing was they were all served by 
RRPPROXY.NET.  I blocked the RRPPROXY.NET name servers at the firewall.  Doing 
a whois lookup on wheelerweightoff.com, I see that it is served by RRPPROXY.NET 
DNS servers: NS1, NS2, and NS3.  I'd bet the others are too.

After I did that, almost instantly the spam dropped dramatically.

FWIW, I found no legitimate messages from the domains they hosted.  
Conveniently, they're a German company I think, and I'm in the US, so 
legitimate mail from them is unlikely.

There was some discussion in this group about blocking on DNS providers about a 
month or so ago, spawned by my initial requests for help.  I don't know if you 
have the luxury of dropping the connections at the firewall but it worked for 
me.   Look back through the archives.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357 



Re: TO_IN_SUBJ for username?

2015-04-01 Thread Paul Stead


On 01/04/15 17:41, Amir Caspi wrote:

Going back to this:

On Apr 1, 2015, at 7:47 AM, Bowie Bailey  wrote:


Well, this wouldn't be the first or only rule that doesn't work for everyone... plus, I would 
certainly make it case sensitive, so that "John" wouldn't match "john@", for 
example.  This rule could be disabled by default and turned on by people who want it, or vice 
versa.  I'd also imagine it would generate a lower score from masscheck than the regular TO_IN_SUBJ 
would, and hence would be of less impact towards FPs (but that extra few-tenths of a point could 
make the difference to push a lot of these spams over the threshold, particularly if they hit 
BAYES_999 but not any other rules, as many snowshoe spams often do in the early stages).

Anyway, it was just a thought... I'd certainly support such a rule, even if it 
had to be manually enabled or rescored.


Untested, but this might work, adjusted from existing __SUBJ_HAS_TO rules

---8<---
header __SUBJ_HAS_TO_LOCAL_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>@,]+)@(?:[^\n>]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/sm
header __SUBJ_HAS_TO_LOCAL_2 ALL =~ /\nReceived:[^\n]{0,200} for
;@]+)@(?:[^\n>]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/sm
header __SUBJ_HAS_TO_LOCAL_3 To:addr !~ /^(?:info|abuse|support)@/
meta   __TO_LOCAL_IN_SUBJ   (__SUBJ_HAS_TO_LOCAL_1 || __SUBJ_HAS_TO_LOCAL_2) && __SUBJ_HAS_TO_LOCAL_3

meta   TO_LOCAL_IN_SUBJ __TO_LOCAL_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe   TO_LOCAL_IN_SUBJ To local part is in Subject
score  TO_LOCAL_IN_SUBJ 0.01
---8<---

Paul
--
Paul Stead
Systems Engineer
Zen Internet
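
An added example (not code from the post above or from SpamAssassin): it runs the first pattern and the role-address exclusion from the post in Python over constructed header blocks, next to an order-independent version of the same check, to show the To-before-Subject ordering the pattern depends on. Python's `re` stands in for Perl; the sample headers, the function names and the prepended newline are assumptions of this example, and the Received-based second pattern is left out.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# First pattern from the post, verbatim: To: must come before Subject:.
TO_THEN_SUBJECT = re.compile(
    r"\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>@,]+)@(?:[^\n>]+)>?\n"
    r"(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]",
    re.S | re.M,
)
# Third rule from the post: role mailboxes are excluded.
ROLE_ADDRESS = re.compile(r"^(?:info|abuse|support)@")


def to_addr(raw_headers):
    """Address part of the To: header (what the post tests as To:addr)."""
    msg = message_from_string(raw_headers)
    return parseaddr(msg.get("To", ""))[1]


def posted_rule_hits(raw_headers):
    """Pattern 1 plus the role-address exclusion, evaluated as posted.

    A newline is prepended so a To: on the first line can match the
    leading \\n (assumption of this example).
    """
    if ROLE_ADDRESS.search(to_addr(raw_headers)):
        return False
    return TO_THEN_SUBJECT.search("\n" + raw_headers) is not None


def order_independent_hits(raw_headers):
    """Same test on parsed headers, so header order no longer matters."""
    addr = to_addr(raw_headers)
    local = addr.partition("@")[0]
    if not local or ROLE_ADDRESS.search(addr):
        return False
    subject = message_from_string(raw_headers).get("Subject", "")
    # Case-sensitive, same trailing delimiter set as the posted regex.
    return re.search(re.escape(local) + r"(?:[>,\s]|$)", subject) is not None


def headers(*lines):
    """Join header lines into a raw header block."""
    return "".join(line + "\n" for line in lines)


# Constructed header blocks (not the thread's spamples).
SAMPLES = {
    "to_first": headers("To: <jsmith@example.org>",
                        'From: "Offers" <promo@example.net>',
                        "Subject: jsmith your reward is waiting"),
    "subject_first": headers("Subject: jsmith your reward is waiting",
                             "To: <jsmith@example.org>",
                             'From: "Offers" <promo@example.net>'),
    "role_account": headers("To: <info@example.org>",
                            "Subject: more info inside"),
    "case_differs": headers('To: "John Doe" <john@example.org>',
                            "Subject: John, lunch on Friday?"),
}


def evaluate():
    """Map sample name -> (posted_rule_hits, order_independent_hits)."""
    return {name: (posted_rule_hits(h), order_independent_hits(h))
            for name, h in SAMPLES.items()}
```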


Re: TO_IN_SUBJ for username?

2015-04-01 Thread Bowie Bailey

On 4/1/2015 12:41 PM, Amir Caspi wrote:

Going back to this:

On Apr 1, 2015, at 7:47 AM, Bowie Bailey  wrote:


That might be reasonable for most email addresses, but there are quite a few 
people who have a usable name or nickname as the user part of their email.  
(j...@example.com).  It would not make sense to score an email just for having 
their name in the subject.

Well, this wouldn't be the first or only rule that doesn't work for everyone... plus, I would 
certainly make it case sensitive, so that "John" wouldn't match "john@", for 
example.  This rule could be disabled by default and turned on by people who want it, or vice 
versa.  I'd also imagine it would generate a lower score from masscheck than the regular TO_IN_SUBJ 
would, and hence would be of less impact towards FPs (but that extra few-tenths of a point could 
make the difference to push a lot of these spams over the threshold, particularly if they hit 
BAYES_999 but not any other rules, as many snowshoe spams often do in the early stages).


And then there are addresses which use normal words in the address which would 
also not make sense to score.  For example: i...@example.com, 
ab...@example.com, supp...@example.com, etc.

Indeed, and those likely-FP words could be explicitly excluded via negative 
match, so that qw(info abuse support mail) etc. wouldn't score.  The same could 
be done for common names, I suppose, although I agree that gets a bit 
cumbersome.

Anyway, it was just a thought... I'd certainly support such a rule, even if it 
had to be manually enabled or rescored.


I don't think it would work as a standard rule.  It would have too much 
variance in the FP rate depending on the email address and trying to 
maintain a list of problematic words/names would probably be too 
cumbersome in the general case.


It might work as an informational rule (score 0.001) that admins could 
use in meta rules or increase scoring on a per-user basis.


--
Bowie


Re: TO_IN_SUBJ for username?

2015-04-01 Thread Amir Caspi
Going back to this:

On Apr 1, 2015, at 7:47 AM, Bowie Bailey  wrote:

> That might be reasonable for most email addresses, but there are quite a few 
> people who have a usable name or nickname as the user part of their email.  
> (j...@example.com).  It would not make sense to score an email just for 
> having their name in the subject.

Well, this wouldn't be the first or only rule that doesn't work for everyone... 
plus, I would certainly make it case sensitive, so that "John" wouldn't match 
"john@", for example.  This rule could be disabled by default and turned on by 
people who want it, or vice versa.  I'd also imagine it would generate a lower 
score from masscheck than the regular TO_IN_SUBJ would, and hence would be of 
less impact towards FPs (but that extra few-tenths of a point could make the 
difference to push a lot of these spams over the threshold, particularly if 
they hit BAYES_999 but not any other rules, as many snowshoe spams often do in 
the early stages).

> And then there are addresses which use normal words in the address which 
> would also not make sense to score.  For example: i...@example.com, 
> ab...@example.com, supp...@example.com, etc.

Indeed, and those likely-FP words could be explicitly excluded via negative 
match, so that qw(info abuse support mail) etc. wouldn't score.  The same could 
be done for common names, I suppose, although I agree that gets a bit 
cumbersome.

Anyway, it was just a thought... I'd certainly support such a rule, even if it 
had to be manually enabled or rescored.

Cheers.

--- Amir



Re: TO_IN_SUBJ for username?

2015-04-01 Thread John Hardin

On Wed, 1 Apr 2015, Amir Caspi wrote:


On Apr 1, 2015, at 8:08 AM, Bowie Bailey  wrote:


The way it's written, it will only hit if the Subject header follows the To 
header.


I thought John modified the rule to fix that, about a year ago... did that not 
get implemented in production?


It will match if the To: or Received: header with recipient address comes 
first. There's not a version that tries to parse an email address out of 
the Subject: if that's encountered first.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The most glaring example of the cognitive dissonance on the left
  is the concept that human beings are inherently good, yet at the
  same time cannot be trusted with any kind of weapon, unless the
  magic fairy dust of government authority gets sprinkled upon them.
   -- Moshe Ben-David
---
 Today: April Fools' day


Re: TO_IN_SUBJ for username?

2015-04-01 Thread Bowie Bailey

On 4/1/2015 10:20 AM, Amir Caspi wrote:

On Apr 1, 2015, at 8:08 AM, Bowie Bailey  wrote:

The way it's written, it will only hit if the Subject header follows the To 
header.

I thought John modified the rule to fix that, about a year ago... did that not 
get implemented in production?


Apparently not.  I'm running SA 3.4.0 with rules updated today. There 
are two main regexes referenced by the TO_IN_SUBJ meta.  One matches To 
and then Subject and the other matches Received and then Subject.


--
Bowie


Re: TO_IN_SUBJ for username?

2015-04-01 Thread Amir Caspi
On Apr 1, 2015, at 8:08 AM, Bowie Bailey  wrote:
> 
> The way it's written, it will only hit if the Subject header follows the To 
> header.

I thought John modified the rule to fix that, about a year ago... did that not 
get implemented in production?

--- Amir
thumbed via iPhone



Re: TO_IN_SUBJ for username?

2015-04-01 Thread Niamh Holding

Hello Bowie,

Wednesday, April 1, 2015, 3:08:10 PM, you wrote:

BB> The way it's written, it will only hit if the Subject header follows the 
BB> To header.

Ho Hum!

-- 
Best regards,
 Niamh  mailto:ni...@fullbore.co.uk



Re: TO_IN_SUBJ for username?

2015-04-01 Thread Bowie Bailey

On 4/1/2015 9:58 AM, Niamh Holding wrote:

Hello Amir,

Wednesday, April 1, 2015, 4:44:08 AM, you wrote:

AC> I'm guessing that TO_IN_SUBJ only pops when the Subject: contains the full 
email address in To:

Didn't hit on this-

Date: Sun, 29 Mar 2015 23:05:53 +
Return-Path: 
Subject: ad...@holtain.co.uk
Reply-To: marketingmodelstrat...@wikihawmakemoney.com
X-Complaints-To: ab...@getresponse.com
To: "Friend" 
From: "SAID Bacem" 



The way it's written, it will only hit if the Subject header follows the 
To header.


--
Bowie


Re: TO_IN_SUBJ for username?

2015-04-01 Thread Niamh Holding

Hello Amir,

Wednesday, April 1, 2015, 4:44:08 AM, you wrote:

AC> I'm guessing that TO_IN_SUBJ only pops when the Subject: contains the full 
email address in To:

Didn't hit on this-

Date: Sun, 29 Mar 2015 23:05:53 +
Return-Path: 
Subject: ad...@holtain.co.uk
Reply-To: marketingmodelstrat...@wikihawmakemoney.com
X-Complaints-To: ab...@getresponse.com
To: "Friend" 
From: "SAID Bacem" 

-- 
Best regards,
 Niamh  mailto:ni...@fullbore.co.uk



Re: TO_IN_SUBJ for username?

2015-04-01 Thread Bowie Bailey

On 3/31/2015 11:44 PM, Amir Caspi wrote:

Hi,

I'm guessing that TO_IN_SUBJ only pops when the Subject: contains the 
full email address in To:, not just the user part... is that right?  I've been 
getting a bunch of spam (some of which ends up as FNs) with just the username 
portion of To: in the Subject line.  This is almost invariably spam, so I think 
it might be worthwhile to add a TO_USER_IN_SUBJ which focuses only on the user 
part.  Presumably one might want to score this a tad lower than TO_IN_SUBJ, but 
maybe not...

A spample is here:
http://pastebin.com/qNu0TsfF

John, thoughts?


That might be reasonable for most email addresses, but there are quite a 
few people who have a usable name or nickname as the user part of their 
email.  (j...@example.com).  It would not make sense to score an email 
just for having their name in the subject.


And then there are addresses which use normal words in the address which 
would also not make sense to score.  For example: i...@example.com, 
ab...@example.com, supp...@example.com, etc.


--
Bowie