Re: Catching well directed spear phishing messages

2016-09-19 Thread Alex
Hi all,

On Mon, Sep 19, 2016 at 5:46 AM, Paul Stead wrote:
> On 15/09/16 20:54, RW wrote:
>>
>> On Thu, 15 Sep 2016 15:37:42 +0100
>> Paul Stead wrote:
>>
>>> https://github.com/fmbla/spamassassin-levenshtein
>>>
>>> An implementation I made for SA - feedback welcome
>>
>> A couple of things
>>
>>
>> 1. Instead of having a with/without tld option you could compute
>> the distance without the tld and then add 1 if the tlds differ.
>>
>> 2. The distance between two strings is at least the difference in their
>> length, so you can skip almost all the calls to distance().
>
>
> Thanks for everyone's comments. I have updated with these and other
> suggestions.

I haven't been able to follow all the ideas from this thread, one that
goes back many months and pertained to many of the problems we've been
having with CEO-directed phish attempts.

Is there something now that can be implemented from this discussion,
or is it all still being developed?


Re: mailspike: repeatly down

2016-09-19 Thread li...@rhsoft.net



On 19.09.2016 at 17:11, Jose Borges Ferreira wrote:

Hi all,

To solve that issue, we are currently moving and upgrading our servers.
This should be solved quickly.
Sorry for any inconvenience.


thanks for feedback and taking action!


On Mon, Sep 19, 2016 at 2:43 PM, li...@rhsoft.net wrote:

in case someone cares or even somebody from 'mailspike.net' is on this
list - logs like below appear repeatedly the last weeks or few months

in fact these are timeouts and that will also hit default SA
installations, most likely without logging as postscreen does

Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog
reply timeout 10s for wl.mailspike.net
Sep 19 15:36:43 mail-gw postfix/postscreen[1244]: warning: dnsblog
reply timeout 10s for wl.mailspike.net
Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog
reply timeout 10s for bl.mailspike.net
Sep 19 15:37:55 mail-gw postfix/postscreen[1244]: warning: dnsblog
reply timeout 10s for bl.mailspike.net
Sep 19 15:40:18 mail-gw postfix/postscreen[1244]: warning: dnsblog
reply timeout 10s for wl.mailspike.net
Sep 19 15:40:23 mail-gw postfix/postscreen[1244]: warning: dnsblog
reply timeout 10s for wl.mailspike.net

Sep 19 15:40:03 mail-gw postfix/dnsblog[27524]: warning:
dnsblog_query: lookup error for DNS query
195.109.140.185.wl.mailspike.net: Host or domain name not
found. Name service error for name=195.109.140.185.wl.mailspike.net
type=A: Host not found, try again
Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning:
dnsblog_query: lookup error for DNS query
195.109.140.185.bl.mailspike.net: Host or domain name not
found. Name service error for name=195.109.140.185.bl.mailspike.net
type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28533]: warning:
dnsblog_query: lookup error for DNS query
19.185.124.180.bl.mailspike.net: Host or domain name not
found. Name service error for name=19.185.124.180.bl.mailspike.net
type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[27997]: warning:
dnsblog_query: lookup error for DNS query
41.236.165.122.bl.mailspike.net: Host or domain name not
found. Name service error for name=41.236.165.122.bl.mailspike.net
type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28821]: warning:
dnsblog_query: lookup error for DNS query
19.185.124.180.wl.mailspike.net: Host or domain name not
found. Name service error for name=19.185.124.180.wl.mailspike.net
type=A: Host not found, try again


Re: mailspike: repeatly down

2016-09-19 Thread Jose Borges Ferreira
Hi all,

To solve that issue, we are currently moving and upgrading our servers.
This should be solved quickly.
Sorry for any inconvenience.

José Borges Ferreira

On Mon, Sep 19, 2016 at 2:43 PM, li...@rhsoft.net wrote:

> in case someone cares or even somebody from 'mailspike.net' is on this
> list - logs like below appear repeatedly the last weeks or few months
>
> in fact these are timeouts and that will also hit default SA
> installations, most likely without logging as postscreen does
>
> Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog reply
> timeout 10s for wl.mailspike.net
> Sep 19 15:36:43 mail-gw postfix/postscreen[1244]: warning: dnsblog reply
> timeout 10s for wl.mailspike.net
> Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply
> timeout 10s for bl.mailspike.net
> Sep 19 15:37:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply
> timeout 10s for bl.mailspike.net
> Sep 19 15:40:18 mail-gw postfix/postscreen[1244]: warning: dnsblog reply
> timeout 10s for wl.mailspike.net
> Sep 19 15:40:23 mail-gw postfix/postscreen[1244]: warning: dnsblog reply
> timeout 10s for wl.mailspike.net
>
> Sep 19 15:40:03 mail-gw postfix/dnsblog[27524]: warning: dnsblog_query:
> lookup error for DNS query 195.109.140.185.wl.mailspike.net: Host or
> domain name not found. Name service error for name=
> 195.109.140.185.wl.mailspike.net type=A: Host not found, try again
> Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning: dnsblog_query:
> lookup error for DNS query 195.109.140.185.bl.mailspike.net: Host or
> domain name not found. Name service error for name=
> 195.109.140.185.bl.mailspike.net type=A: Host not found, try again
> Sep 19 15:40:04 mail-gw postfix/dnsblog[28533]: warning: dnsblog_query:
> lookup error for DNS query 19.185.124.180.bl.mailspike.net: Host or
> domain name not found. Name service error for name=
> 19.185.124.180.bl.mailspike.net type=A: Host not found, try again
> Sep 19 15:40:04 mail-gw postfix/dnsblog[27997]: warning: dnsblog_query:
> lookup error for DNS query 41.236.165.122.bl.mailspike.net: Host or
> domain name not found. Name service error for name=
> 41.236.165.122.bl.mailspike.net type=A: Host not found, try again
> Sep 19 15:40:04 mail-gw postfix/dnsblog[28821]: warning: dnsblog_query:
> lookup error for DNS query 19.185.124.180.wl.mailspike.net: Host or
> domain name not found. Name service error for name=
> 19.185.124.180.wl.mailspike.net type=A: Host not found, try again
>


mailspike: repeatly down

2016-09-19 Thread li...@rhsoft.net
in case someone cares or even somebody from 'mailspike.net' is on this 
list - logs like below appear repeatedly the last weeks or few months


in fact these are timeouts and that will also hit default SA 
installations, most likely without logging as postscreen does


Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for wl.mailspike.net
Sep 19 15:36:43 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for wl.mailspike.net
Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for bl.mailspike.net
Sep 19 15:37:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for bl.mailspike.net
Sep 19 15:40:18 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for wl.mailspike.net
Sep 19 15:40:23 mail-gw postfix/postscreen[1244]: warning: dnsblog reply 
timeout 10s for wl.mailspike.net


Sep 19 15:40:03 mail-gw postfix/dnsblog[27524]: warning: dnsblog_query: 
lookup error for DNS query 195.109.140.185.wl.mailspike.net: Host or 
domain name not found. Name service error for 
name=195.109.140.185.wl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning: dnsblog_query: 
lookup error for DNS query 195.109.140.185.bl.mailspike.net: Host or 
domain name not found. Name service error for 
name=195.109.140.185.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28533]: warning: dnsblog_query: 
lookup error for DNS query 19.185.124.180.bl.mailspike.net: Host or 
domain name not found. Name service error for 
name=19.185.124.180.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[27997]: warning: dnsblog_query: 
lookup error for DNS query 41.236.165.122.bl.mailspike.net: Host or 
domain name not found. Name service error for 
name=41.236.165.122.bl.mailspike.net type=A: Host not found, try again
Sep 19 15:40:04 mail-gw postfix/dnsblog[28821]: warning: dnsblog_query: 
lookup error for DNS query 19.185.124.180.wl.mailspike.net: Host or 
domain name not found. Name service error for 
name=19.185.124.180.wl.mailspike.net type=A: Host not found, try again
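
A per-zone tally of the two warning types shown in the log excerpt above, as an added example (not part of the original post). It re-joins records wrapped by the mail client; the function names, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# A syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped continuation.
TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
TIMEOUT = re.compile(r"postfix/postscreen\[\d+\]: warning: dnsblog reply timeout \d+s for (\S+)")
# Skip the four reversed-IPv4 labels to recover the DNSBL zone from the query name.
TEMPFAIL = re.compile(r"postfix/dnsblog\[\d+\]: warning: dnsblog_query: lookup error for DNS query "
                      r"(?:\d{1,3}\.){4}([^\s:]+):.*Host not found, try again")

def unwrap(text):
    """Re-join log records that a mail client wrapped over several lines."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def tally(text):
    """Count postscreen timeouts and dnsblog temporary failures per DNSBL zone."""
    zones = defaultdict(Counter)
    for rec in unwrap(text):
        for kind, rx in (("timeout", TIMEOUT), ("tempfail", TEMPFAIL)):
            m = rx.search(rec)
            if m:
                zones[m.group(1)][kind] += 1
    return {z: dict(c) for z, c in zones.items()}

def unreliable(text, threshold=2):
    """Zones whose combined failures reach the threshold (an assumed value)."""
    return sorted(z for z, c in tally(text).items() if sum(c.values()) >= threshold)

# Constructed sample in the format of the excerpt above (192.0.2.10 is a documentation address).
SAMPLE = """\
Sep 19 15:36:42 mail-gw postfix/postscreen[1244]: warning: dnsblog reply
timeout 10s for wl.mailspike.net
Sep 19 15:36:55 mail-gw postfix/postscreen[1244]: warning: dnsblog reply
timeout 10s for bl.mailspike.net
Sep 19 15:40:03 mail-gw postfix/dnsblog[27513]: warning: dnsblog_query:
lookup error for DNS query 10.2.0.192.bl.mailspike.net: Host or
domain name not found. Name service error for
name=10.2.0.192.bl.mailspike.net type=A: Host not found, try again
"""

if __name__ == "__main__":
    print(tally(SAMPLE), unreliable(SAMPLE))
```
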


Re: Digest::SHA1 module is required by the Razor2 plugin

2016-09-19 Thread RW
On Mon, 19 Sep 2016 13:33:59 +0100
RW wrote:

> On Mon, 19 Sep 2016 14:05:34 +0200
> Marcus Schopen wrote:
> 
> > On Monday, 19.09.2016, 11:37 +0200, li...@rhsoft.net wrote:
> > > On 19.09.2016 at 11:10, Marcus Schopen wrote:
> > > > I'd like to use razor on my private mailbox, but it seems to
> > > > depend on Digest::SHA1, which is not part of Ubuntu 12.04 LTS or
> > > > 14.04 LTS:
> > > >
> > > >  The Digest::SHA1 module is required by the Razor2 plugin
> > > >
> > > > I found this bug report
> > > >
> > > > https://bugs.launchpad.net/ubuntu/+source/libdigest-sha1-perl/+bug/993648
> > > >
> > > > where a package for precise is published (comment #9).
> > > >
> > > > What to do? Building an own package from
> > > 
> > > just file a bugreport against Ubuntu spamassassin package and
> > > refer to the above bugreport - someone needs to fix that mess in
> > > Ubuntu and i can assure you Debian and Redhat systems don't have
> > > this problem
> > > 
> > > in other words: this is a distribution mess and not SA related
> > 
> > It's not a spamassassin problem, right. Question is, can I install a
> > SHA1 package without harming perl at other places?  
> 
> It should do any harm.

That should have been:

It shouldn't do any harm.


Re: Digest::SHA1 module is required by the Razor2 plugin

2016-09-19 Thread RW
On Mon, 19 Sep 2016 14:05:34 +0200
Marcus Schopen wrote:

> On Monday, 19.09.2016, 11:37 +0200, li...@rhsoft.net wrote:
> > On 19.09.2016 at 11:10, Marcus Schopen wrote:
> > > I'd like to use razor on my private mailbox, but it seems to
> > > depend on Digest::SHA1, which is not part of Ubuntu 12.04 LTS or
> > > 14.04 LTS:
> > >
> > >  The Digest::SHA1 module is required by the Razor2 plugin
> > >
> > > I found this bug report
> > >
> > > https://bugs.launchpad.net/ubuntu/+source/libdigest-sha1-perl/+bug/993648
> > >
> > > where a package for precise is published (comment #9).
> > >
> > > What to do? Building an own package from  
> > 
> > just file a bugreport against Ubuntu spamassassin package and refer
> > to the above bugreport - someone needs to fix that mess in Ubuntu
> > and i can assure you Debian and Redhat systems don't have this
> > problem
> > 
> > in other words: this is a distribution mess and not SA related  
> 
> It's not a spamassassin problem, right. Question is, can I install a
> SHA1 package without harming perl at other places?

It should do any harm.


Re: Digest::SHA1 module is required by the Razor2 plugin

2016-09-19 Thread Marcus Schopen
On Monday, 19.09.2016, 11:37 +0200, li...@rhsoft.net wrote:
> On 19.09.2016 at 11:10, Marcus Schopen wrote:
> > I'd like to use razor on my private mailbox, but it seems to depend on
> > Digest::SHA1, which is not part of Ubuntu 12.04 LTS or 14.04 LTS:
> >
> >  The Digest::SHA1 module is required by the Razor2 plugin
> >
> > I found this bug report
> >
> > https://bugs.launchpad.net/ubuntu/+source/libdigest-sha1-perl/+bug/993648
> >
> > where a package for precise is published (comment #9).
> >
> > What to do? Building an own package from
> 
> just file a bugreport against Ubuntu spamassassin package and refer to 
> the above bugreport - someone needs to fix that mess in Ubuntu and i can 
> assure you Debian and Redhat systems don't have this problem
> 
> in other words: this is a distribution mess and not SA related

It's not a spamassassin problem, right. Question is, can I install a
SHA1 package without harming perl at other places?

Ciao
Marcus




Re: AW: X-Spam Tagging - Spam Status YESNO Flags - Sometimes not appended...

2016-09-19 Thread Matus UHLAR - fantomas

On Fri, 16 Sep 2016, Maik Linnemann wrote:

SA is integrated into postfix via master.cf like:



spamassassin unix -   n   n   -   -   pipe
 user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}




Please note the 'max-size' parameter for spamc:

  -s max_size, --max-size=max_size


On 17.09.16 10:34, Maik Linnemann wrote:

Thanks! I checked that and it gave me a direction. The log says that messages
are skipped because of the size limit, which I haven't set and is still the
default (512000 bytes).  On the other side, I checked the messages that are not
tagged and not all of them are bigger than 512kb.  Anyway most of them
are!

I tried to set the -s option in /etc/default/spamassassin on debian to 1024000 
for a test, with no effect.

Log still says it's skipping due to the limit of 512000.

Does anyone have a clue what needs to be done in debian?!


/etc/default/spamassassin contains options for the spamassassin DAEMON, not for
its clients.
You must set the option for spamc in master.cf if you want it to apply.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: Catching well directed spear phishing messages

2016-09-19 Thread Paul Stead

On 15/09/16 20:54, RW wrote:

On Thu, 15 Sep 2016 15:37:42 +0100
Paul Stead wrote:


https://github.com/fmbla/spamassassin-levenshtein

An implementation I made for SA - feedback welcome

A couple of things


1. Instead of having a with/without tld option you could compute
the distance without the tld and then add 1 if the tlds differ.

2. The distance between two strings is at least the difference in their
length, so you can skip almost all the calls to distance().


Thanks for everyone's comments. I have updated with these and other
suggestions.

Paul
--
Paul Stead
Systems Engineer
Zen Internet
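
RW's two suggestions from the message above, sketched in Python as an added example (it is not code from the spamassassin-levenshtein plugin). The function names, the `max_dist` threshold, the `stats` counter and the sample domains are assumptions.

```python
def levenshtein(a, b):
    """Edit distance with a two-row dynamic-programming table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def split_tld(domain):
    """Split at the last dot. Assumption: suffixes such as co.uk are not handled."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def lookalikes(sender, protected, max_dist=2, stats=None):
    """Return (protected_domain, distance) for near misses of sender, closest first."""
    s_name, s_tld = split_tld(sender)
    hits = []
    for dom in protected:
        p_name, p_tld = split_tld(dom)
        # Suggestion 1: compare without the TLD, then add 1 if the TLDs differ.
        tld_cost = 0 if s_tld == p_tld else 1
        # Suggestion 2: the length difference is a lower bound on the distance,
        # so candidates that cannot be within max_dist never reach levenshtein().
        if abs(len(s_name) - len(p_name)) + tld_cost > max_dist:
            continue
        if stats is not None:
            stats["distance_calls"] = stats.get("distance_calls", 0) + 1
        d = levenshtein(s_name, p_name) + tld_cost
        if 0 < d <= max_dist:  # distance 0 is the protected domain itself
            hits.append((dom, d))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample list of domains to protect.
PROTECTED = ["example.com", "example.org", "a-much-longer-name.example"]

if __name__ == "__main__":
    counter = {}
    print(lookalikes("examp1e.com", PROTECTED, stats=counter), counter)
```
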


Re: Digest::SHA1 module is required by the Razor2 plugin

2016-09-19 Thread li...@rhsoft.net


On 19.09.2016 at 11:10, Marcus Schopen wrote:

I'd like to use razor on my private mailbox, but it seems to depend on
Digest::SHA1, which is not part of Ubuntu 12.04 LTS or 14.04 LTS:

 The Digest::SHA1 module is required by the Razor2 plugin

I found this bug report

https://bugs.launchpad.net/ubuntu/+source/libdigest-sha1-perl/+bug/993648

where a package for precise is published (comment #9).

What to do? Building an own package from


just file a bugreport against Ubuntu spamassassin package and refer to 
the above bugreport - someone needs to fix that mess in Ubuntu and i can 
assure you Debian and Redhat systems don't have this problem


in other words: this is a distribution mess and not SA related


Digest::SHA1 module is required by the Razor2 plugin

2016-09-19 Thread Marcus Schopen
Hi,

I'd like to use razor on my private mailbox, but it seems to depend on
Digest::SHA1, which is not part of Ubuntu 12.04 LTS or 14.04 LTS:

 The Digest::SHA1 module is required by the Razor2 plugin

I found this bug report

https://bugs.launchpad.net/ubuntu/+source/libdigest-sha1-perl/+bug/993648

where a package for precise is published (comment #9).

What to do? Building an own package from

https://launchpad.net/ubuntu/+source/libdigest-sha1-perl/2.13-2build2/

for 12.04 and 14.04 or would an install have side effects on perl?

Btw: what's the efficiency of razor? Does it help? I used it years ago,
but didn't follow it anymore.

System:
perl 5.14.2 (Ubuntu 12.04) 5.18.2 (Ubuntu 14.04)
spamassassin 3.4.1-3 (backported)

Ciao
Marcus