Re: dropbox phish
Hi,

>>> Well, I find this quite useful with very few false positives:
>>>
>>> uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
>>> body     URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
>>> describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
>>>
>>> tflags URIBL_SBLXBL net
>>> score URIBL_SBLXBL 7
>>>
>>> This check will FP after a fashion when a nominally legitimate webserver
>>> lands on the CBL because it is infected with something. I see that as not
>>> a FP at all but some may disagree.
>>>
>>> Your sample directs recipients to an URL whose domain name resolves to an
>>> IP that has been on the CBL for over 30 hours straight.
>>
>> Is this not already in 25_uribl.cf?
>
> Not in the one sa-update fetched for me today... It is however given as an
> example in the Mail::SpamAssassin::Plugin::URIDNSBL pod/man with the
> explicit 'ns' tflag, which is a bit of a surprise to me. My local.cf
> comments imply that I added it at the suggestion of a wise colleague many
> years ago (circa SA 3.2.)

This is the one I was referring to, although it doesn't include XBL/CBL after all.

uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2
body      URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
describe  URIBL_SBL Contains an URL's NS IP listed in the SBL blocklist
tflags    URIBL_SBL net
reuse     URIBL_SBL

>> You believe this is more effective, and safer than a check_rbl_sub()
>> SBLXBL call on the header?
>
> I believe it is entirely orthogonal to that test, although I don't expect
> there's many SBL/XBL listees in headers unless one does not use Zen ahead of
> SA (which I suppose some people probably do not...)

I've had to lower the score on my header XBL check because it was triggering
on so many dynamic IPs that were clearly reassigned to new users, then being
blacklisted. I'd appreciate it if anyone could provide additional input on how
they might use something like this.

header   RCVD_IN_XBL_ALL eval:check_rbl_sub('zen', '127.0.0.[45678]')
describe RCVD_IN_XBL_ALL Received via a relay in Spamhaus SBL-XBL
tflags   RCVD_IN_XBL_ALL net
score    RCVD_IN_XBL_ALL 0.01
Re: dropbox phish
On 1 Nov 2016, at 20:31, Alex wrote:

> Hi,
>
> On Mon, Oct 31, 2016 at 9:11 PM, Bill Cole wrote:
>
>> On 31 Oct 2016, at 20:38, Alex wrote:
>>
>>> Hi all,
>>>
>>> We keep receiving variations of this dropbox phish that's never tagged
>>> properly. I was hoping someone had some ideas for catching them.
>>>
>>> I've added a few more body rules, and some header rules to block this
>>> "drpbox" spelling variation, but I hoped someone had some better ideas
>>> to block them before they're received...
>>>
>>> http://pastebin.com/7PQgEsrJ
>>>
>>> The domains in the body still aren't blacklisted anywhere, and the IPs
>>> are on more whitelists than otherwise.
>>
>> Well, I find this quite useful with very few false positives:
>>
>> uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
>> body     URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
>> describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
>> tflags   URIBL_SBLXBL net
>> score    URIBL_SBLXBL 7
>>
>> This check will FP after a fashion when a nominally legitimate webserver
>> lands on the CBL because it is infected with something. I see that as not
>> a FP at all but some may disagree.
>>
>> Your sample directs recipients to an URL whose domain name resolves to an
>> IP that has been on the CBL for over 30 hours straight.
>
> Is this not already in 25_uribl.cf?

Not in the one sa-update fetched for me today... It is however given as an
example in the Mail::SpamAssassin::Plugin::URIDNSBL pod/man with the
explicit 'ns' tflag, which is a bit of a surprise to me. My local.cf
comments imply that I added it at the suggestion of a wise colleague many
years ago (circa SA 3.2.)

> You believe this is more effective, and safer than a check_rbl_sub()
> SBLXBL call on the header?

I believe it is entirely orthogonal to that test, although I don't expect
there's many SBL/XBL listees in headers unless one does not use Zen ahead of
SA (which I suppose some people probably do not...)
Re: dropbox phish
Hi,

On Mon, Oct 31, 2016 at 9:11 PM, Bill Cole wrote:
> On 31 Oct 2016, at 20:38, Alex wrote:
>
>> Hi all,
>>
>> We keep receiving variations of this dropbox phish that's never tagged
>> properly. I was hoping someone had some ideas for catching them.
>>
>> I've added a few more body rules, and some header rules to block this
>> "drpbox" spelling variation, but I hoped someone had some better ideas
>> to block them before they're received...
>>
>> http://pastebin.com/7PQgEsrJ
>>
>> The domains in the body still aren't blacklisted anywhere, and the IPs
>> are on more whitelists than otherwise.
>
> Well, I find this quite useful with very few false positives:
>
> uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
> body     URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
> describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
> tflags   URIBL_SBLXBL net
> score    URIBL_SBLXBL 7
>
> This check will FP after a fashion when a nominally legitimate webserver
> lands on the CBL because it is infected with something. I see that as not a
> FP at all but some may disagree.
>
> Your sample directs recipients to an URL whose domain name resolves to an IP
> that has been on the CBL for over 30 hours straight.

Is this not already in 25_uribl.cf?

You believe this is more effective, and safer than a check_rbl_sub()
SBLXBL call on the header?

header   RCVD_IN_XBL_ALL eval:check_rbl_sub('zen', '127.0.0.[45678]')
describe RCVD_IN_XBL_ALL Received via a relay in Spamhaus SBL-XBL
tflags   RCVD_IN_XBL_ALL net
score    RCVD_IN_XBL_ALL 0.01
RE: local.cf example
Very strange, missed configuration, here is another header and I have not
changed any configuration and yet this one was scanned:

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 2.604
X-Spam-Level: **
X-Spam-Status: No, score=2.604 tagged_above=-999.9 required=5.6
 tests=[AWL=2.468, DATE_IN_PAST_03_06=1.076, DKIM_SIGNED=0.99,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VERIFIED=0.99,
 HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=2.3,
 RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_RP_CERTIFIED=-3,
 RCVD_IN_RP_SAFE=-2, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=no autolearn_force=no
Authentication-Results: HOST1.fqdn.com (amavisd-new);
 dkim=pass (1536-bit key) header.d=kevineikenberry.com;
 domainkeys=pass (1536-bit key) header.from=repl...@kevineikenberry.com
 header.d=kevineikenberry.com

I'm very confused.

Thanks,
Motty

-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk]
Sent: Tuesday, November 01, 2016 9:41 AM
To: users@spamassassin.apache.org
Subject: Re: local.cf example

On 01.11.16 08:43, Motty Cruz wrote:
>X-Virus-Scanned: amavisd-new at fqdn.com
>X-Spam-Flag: NO
>X-Spam-Score: 5.5
>X-Spam-Level: *
>X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
>tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
>Received: from HOST1.fqdn.com ([127.0.0.1])
>
>This-election is the craziest in our country's history so far but
>in-spite of all the press-surrounding it, there is something that NO
>ONE seems to have the-guts to talk about...
>
>Totally spam E-mail, should have score higher, but there was only one score?

RDNS_NONE does only score 1.1/0.7, why did you bump it to 5.5?

You apparently miss modules, network checks, BAYES (database apparently
under "amavis" user) ...

yes, even in such cases you may only get only one rule hit (e.g. BAYES_99)
but it's quite a rare case

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: local.cf example
On 01.11.16 08:43, Motty Cruz wrote:
>X-Virus-Scanned: amavisd-new at fqdn.com
>X-Spam-Flag: NO
>X-Spam-Score: 5.5
>X-Spam-Level: *
>X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
>tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
>Received: from HOST1.fqdn.com ([127.0.0.1])
>
>This-election is the craziest in our country's history so far but
>in-spite of all the press-surrounding it, there is something that NO
>ONE seems to have the-guts to talk about...
>
>Totally spam E-mail, should have score higher, but there was only one score?

RDNS_NONE does only score 1.1/0.7, why did you bump it to 5.5?

You apparently miss modules, network checks, BAYES (database apparently
under "amavis" user) ...

yes, even in such cases you may only get only one rule hit (e.g. BAYES_99)
but it's quite a rare case

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
RE: local.cf example
On Tue, 1 Nov 2016, Motty Cruz wrote:

> If I disable AWL:
>
> X-Virus-Scanned: amavisd-new at fqdn.com
> X-Spam-Flag: NO
> X-Spam-Score: 5.5
> X-Spam-Level: *
> X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
> tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
> Received: from HOST1.fqdn.com ([127.0.0.1])
>
> This-election is the craziest in our country's history so far but
> in-spite of all the press-surrounding it, there is something that NO
> ONE seems to have the-guts to talk about...
>
> Totally spam E-mail, should have score higher, but there was only one score?

No BAYES?

There aren't any URLs so I don't expect URIBL hits, and there aren't any
commonly spammy phrases there that rules look for (at least in the portion
you quoted). If it was received from a MTA that doesn't appear on any DNSBLs
and had clean headers, that might be all you get for something like that.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                           -- Peter da Silva in a.s.r
---
 5 days until Daylight Saving Time ends in U.S. - Fall Back
RE: local.cf example
If I disable AWL:

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 5.5
X-Spam-Level: *
X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
 tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
Received: from HOST1.fqdn.com ([127.0.0.1])

This-election is the craziest in our country's history so far but
in-spite of all the press-surrounding it, there is something that NO
ONE seems to have the-guts to talk about...

Totally spam E-mail, should have score higher, but there was only one score?

Any idea?

Thanks,
Motty

-----Original Message-----
From: RW [mailto:rwmailli...@googlemail.com]
Sent: Saturday, October 29, 2016 5:35 AM
To: users@spamassassin.apache.org
Subject: Re: local.cf example

On Fri, 28 Oct 2016 22:25:54 -0700
motty cruz wrote:

> AWL is allowing spam email through,

It will do, it's a score averager, it moves the score towards the average
score for the sender.

AWL is vulnerable to spoofing so you check the from address on the spam. If
that's happening you should consider switching to TxRep. TxRep also excludes
Bayes from the score averaging which makes it less resistant to learning.

> X-Spam-Status: ..., DKIM_VALID=-0.1, ... DKIM_VERIFIED=0.99,

Why do you have DKIM_VERIFIED=0.99? It's just an old name for DKIM_VALID and
not a spam indicator anyway.
Re: dropbox phish
On Mon, 31 Oct 2016 21:11:06 -0400
Bill Cole wrote:

> Well, I find this quite useful with very few false positives:
>
> uridnsbl URIBL_SBLXBL sbl-xbl.spamhaus.org. TXT
> body     URIBL_SBLXBL eval:check_uridnsbl('URIBL_SBLXBL')
> describe URIBL_SBLXBL Contains a URL listed in the SBL/XBL blocklist
> tflags   URIBL_SBLXBL net
> score    URIBL_SBLXBL 7
>
> This check will FP after a fashion when a nominally legitimate
> webserver lands on the CBL because it is infected with something.

In theory this shouldn't work. According to the documentation, by default,
that rule checks the webserver's nameservers. It seems to be relying on a
bug, see:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7242
http://www.gossamer-threads.com/lists/spamassassin/users/194944

It's probably firing on either kind of lookup, but in case it ever gets
fixed you should have:

tflags URIBL_SBLXBL net a
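An added example, not code from the thread or from SpamAssassin, modelling what the rules quoted in this thread actually query: it builds the reversed-octet DNSBL name, applies the 127.0.0.2 and 127.0.0.[45678] subtests the way check_rbl_sub() matches a returned A record, and shows why the 'a' tflag matters, since with 'ns' the lookup runs against the nameserver's IP rather than the webserver's. All hostnames, IPs and listing results are constructed and served from an in-memory table instead of real DNS.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for DNS so this runs offline: query name -> A records.
# zen entries are keyed by the reversed-octet name an RBL lookup actually sends.
FAKE_A: Dict[str, List[str]] = {
    "phish.example.": ["192.0.2.10"],                # host named in a URL (constructed)
    "ns1.example.": ["198.51.100.7"],                # its nameserver (constructed)
    "10.2.0.192.zen.spamhaus.org.": ["127.0.0.4"],  # host IP listed in XBL/CBL (constructed)
    "7.100.51.198.zen.spamhaus.org.": [],           # nameserver IP not listed
}
FAKE_NS: Dict[str, List[str]] = {"phish.example.": ["ns1.example."]}
ZEN = "zen.spamhaus.org."
# Subtests from the rules in the thread, as regexes over the returned address:
# uridnssub ... A 127.0.0.2 (SBL) and check_rbl_sub('zen', '127.0.0.[45678]') (XBL)
SUBTESTS = {"SBL": r"127\.0\.0\.2", "XBL": r"127\.0\.0\.[45678]"}

def dnsbl_query_name(ip: str, zone: str = ZEN) -> str:
    """Build the DNSBL query name: reversed IPv4 octets under the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone

def rbl_sub_matches(code: str, pattern: str) -> bool:
    """Mirror check_rbl_sub(): the subtest pattern is matched against the returned A record."""
    return re.fullmatch(pattern, code) is not None

def classify(code: str) -> List[str]:
    """Name the sublist(s) a zen return code falls in, per SUBTESTS."""
    return [name for name, pat in SUBTESTS.items() if rbl_sub_matches(code, pat)]

def check_uri_host(host: str, tflag: str) -> List[Tuple[str, str, List[str]]]:
    """Return (ip, code, sublists) hits for the IPs a URIDNSBL tflag selects:
    'a'  = the URL host's own A records,
    'ns' = the A records of the host's nameservers (the documented default)."""
    if tflag == "a":
        names = [host]
    elif tflag == "ns":
        names = FAKE_NS.get(host, [])
    else:
        raise ValueError(f"unknown tflag {tflag!r}")
    hits = []
    for name in names:
        for ip in FAKE_A.get(name, []):
            for code in FAKE_A.get(dnsbl_query_name(ip), []):
                hits.append((ip, code, classify(code)))
    return hits
```

With the constructed data the 'a' lookup finds the webserver IP in XBL while the 'ns' lookup finds nothing, which is the gap RW's tflags change closes.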