Re: dropbox phish

2016-11-01 Thread Alex
Hi,

>>> Well, I find this quite useful with very few false positives:
>>>
>>> uridnsbl   URIBL_SBLXBL   sbl-xbl.spamhaus.org.   TXT
>>> body       URIBL_SBLXBL   eval:check_uridnsbl('URIBL_SBLXBL')
>>> describe   URIBL_SBLXBL   Contains a URL listed in the SBL/XBL blocklist
>>>
>>> tflags URIBL_SBLXBL net
>>> score URIBL_SBLXBL  7
>>>
>>> This check will FP after a fashion when a nominally legitimate webserver
>>> lands on the CBL because it is infected with something. I see that as not a
>>> FP at all but some may disagree.
>>>
>>> Your sample directs recipients to an URL whose domain name resolves to an IP
>>> that has been on the CBL for over 30 hours straight.
>>
>>
>> Is this not already in 25_uribl.cf?
>
>
> Not in the one sa-update fetched for me today... It is however given as an
> example in the Mail::SpamAssassin::Plugin::URIDNSBL pod/man with the
> explicit 'ns' tflag, which is a bit of a surprise to me. My local.cf
> comments imply that I added it at the suggestion of a wise colleague many
> years ago (circa SA 3.2.)

This is the one I was referring to, although it doesn't include
XBL/CBL after all.

uridnssub   URIBL_SBL   zen.spamhaus.org.   A   127.0.0.2
body        URIBL_SBL   eval:check_uridnsbl('URIBL_SBL')
describe    URIBL_SBL   Contains an URL's NS IP listed in the SBL blocklist
tflags      URIBL_SBL   net
reuse       URIBL_SBL

>> You believe this is more effective, and safer than a check_rbl_sub()
>> SBLXBL call on the header?
>
> I believe it is entirely orthogonal to that test, although I don't expect
> there's many SBL/XBL listees in headers unless one does not use Zen ahead of
> SA (which I suppose some people probably do not...)

I've had to lower the score on my header XBL check because it was
triggering on so many dynamic IPs that were clearly reassigned to new
users, then being blacklisted. I'd appreciate it if anyone could
provide additional input on how they might use something like this.

header   RCVD_IN_XBL_ALL   eval:check_rbl_sub('zen', '127.0.0.[45678]')
describe RCVD_IN_XBL_ALL   Received via a relay in Spamhaus SBL-XBL
tflags   RCVD_IN_XBL_ALL   net
score    RCVD_IN_XBL_ALL   0.01


Re: dropbox phish

2016-11-01 Thread Bill Cole

On 1 Nov 2016, at 20:31, Alex wrote:


Hi,

On Mon, Oct 31, 2016 at 9:11 PM, Bill Cole
 wrote:

On 31 Oct 2016, at 20:38, Alex wrote:


Hi all,

We keep receiving variations of this dropbox phish that's never 
tagged

properly. I was hoping someone had some ideas for catching them.

I've added a few more body rules, and some header rules to block 
this
"drpbox" spelling variation, but I hoped someone had some better 
ideas

to block them before they're received...

http://pastebin.com/7PQgEsrJ

The domains in the body still aren't blacklisted anywhere, and the 
IPs

are on more whitelists than otherwise.



Well, I find this quite useful with very few false positives:

uridnsbl   URIBL_SBLXBL   sbl-xbl.spamhaus.org.   TXT
body       URIBL_SBLXBL   eval:check_uridnsbl('URIBL_SBLXBL')
describe   URIBL_SBLXBL   Contains a URL listed in the SBL/XBL blocklist

tflags URIBL_SBLXBL net
score URIBL_SBLXBL  7

This check will FP after a fashion when a nominally legitimate webserver
lands on the CBL because it is infected with something. I see that as not a
FP at all but some may disagree.

Your sample directs recipients to an URL whose domain name resolves to an IP
that has been on the CBL for over 30 hours straight.


Is this not already in 25_uribl.cf?


Not in the one sa-update fetched for me today... It is however given as 
an example in the Mail::SpamAssassin::Plugin::URIDNSBL pod/man with the 
explicit 'ns' tflag, which is a bit of a surprise to me. My local.cf 
comments imply that I added it at the suggestion of a wise colleague 
many years ago (circa SA 3.2.)



You believe this is more effective, and safer than a check_rbl_sub()
SBLXBL call on the header?


I believe it is entirely orthogonal to that test, although I don't 
expect there's many SBL/XBL listees in headers unless one does not use 
Zen ahead of SA (which I suppose some people probably do not...)




Re: dropbox phish

2016-11-01 Thread Alex
Hi,

On Mon, Oct 31, 2016 at 9:11 PM, Bill Cole
 wrote:
> On 31 Oct 2016, at 20:38, Alex wrote:
>
>> Hi all,
>>
>> We keep receiving variations of this dropbox phish that's never tagged
>> properly. I was hoping someone had some ideas for catching them.
>>
>> I've added a few more body rules, and some header rules to block this
>> "drpbox" spelling variation, but I hoped someone had some better ideas
>> to block them before they're received...
>>
>> http://pastebin.com/7PQgEsrJ
>>
>> The domains in the body still aren't blacklisted anywhere, and the IPs
>> are on more whitelists than otherwise.
>
>
> Well, I find this quite useful with very few false positives:
>
> uridnsbl   URIBL_SBLXBL   sbl-xbl.spamhaus.org.   TXT
> body       URIBL_SBLXBL   eval:check_uridnsbl('URIBL_SBLXBL')
> describe   URIBL_SBLXBL   Contains a URL listed in the SBL/XBL blocklist
> tflags     URIBL_SBLXBL   net
> score      URIBL_SBLXBL   7
>
> This check will FP after a fashion when a nominally legitimate webserver
> lands on the CBL because it is infected with something. I see that as not a
> FP at all but some may disagree.
>
> Your sample directs recipients to an URL whose domain name resolves to an IP
> that has been pon the CBL for over 30 hours straight.

Is this not already in 25_uribl.cf?

You believe this is more effective, and safer than a check_rbl_sub()
SBLXBL call on the header?

header   RCVD_IN_XBL_ALL   eval:check_rbl_sub('zen', '127.0.0.[45678]')
describe RCVD_IN_XBL_ALL   Received via a relay in Spamhaus SBL-XBL
tflags   RCVD_IN_XBL_ALL   net
score    RCVD_IN_XBL_ALL   0.01


RE: local.cf example

2016-11-01 Thread Motty Cruz
Very strange, missed configuration. Here is another header; I have not
changed any configuration, and yet this one was scanned:

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 2.604
X-Spam-Level: **
X-Spam-Status: No, score=2.604 tagged_above=-999.9 required=5.6
tests=[AWL=2.468, DATE_IN_PAST_03_06=1.076, DKIM_SIGNED=0.99,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VERIFIED=0.99,
HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_NONE=2.3,
RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_SAFE=-2, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: HOST1.fqdn.com (amavisd-new);
dkim=pass (1536-bit key) header.d=kevineikenberry.com;
domainkeys=pass (1536-bit key)
header.from=repl...@kevineikenberry.com
header.d=kevineikenberry.com

I'm very confused. 

Thanks, 
Motty

-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
Sent: Tuesday, November 01, 2016 9:41 AM
To: users@spamassassin.apache.org
Subject: Re: local.cf example

On 01.11.16 08:43, Motty Cruz wrote:
>X-Virus-Scanned: amavisd-new at fqdn.com
>X-Spam-Flag: NO
>X-Spam-Score: 5.5
>X-Spam-Level: *
>X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
>tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
>Received: from HOST1.fqdn.com ([127.0.0.1])
>
>This-election is the craziest in our country's history so far but 
>in-spite of all the press-surrounding it, there is something that NO 
>ONE seems to have the-guts to talk about...
>
>Totally spam E-mail, should have score higher, but there was only one
score?

RDNS_NONE only scores 1.1/0.7, why did you bump it to 5.5?

You apparently miss modules, network checks, BAYES (database apparently
under "amavis" user) ...

yes, even in such cases you may get only one rule hit (e.g. BAYES_99),
but it's quite a rare case

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety. -- Benjamin Franklin, 1759



Re: local.cf example

2016-11-01 Thread Matus UHLAR - fantomas

On 01.11.16 08:43, Motty Cruz wrote:

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 5.5
X-Spam-Level: *
X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
   tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
Received: from HOST1.fqdn.com ([127.0.0.1])

This-election is the craziest in our country's history so far but
in-spite of all the press-surrounding it, there is something that
NO ONE seems to have the-guts to talk about...

Totally spam E-mail, should have score higher, but there was only one score?


RDNS_NONE only scores 1.1/0.7, why did you bump it to 5.5?

You apparently miss modules, network checks, BAYES (database apparently
under "amavis" user) ...

yes, even in such cases you may get only one rule hit (e.g. BAYES_99),
but it's quite a rare case

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
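To check Matus's diagnosis mechanically rather than by eye, here is an added example (not SpamAssassin code and not posted by anyone in the thread) that parses the two X-Spam-Status values Motty posted, folded continuation lines joined, and reports which rule families never fired, whether the listed test scores add up to the reported total, which scores differ from the stock values quoted in the thread, and which hits are deprecated aliases. The family prefixes and the one-entry stock-score table are assumptions drawn from this thread only.

```python
"""Parse X-Spam-Status and flag what a scan is missing.  Added example, not
SpamAssassin code; the header values are the ones posted in this thread,
with folded continuation lines joined."""
import re

STATUS_ONE_HIT = (
    "No, score=5.5 tagged_above=-999.9 required=5.6 "
    "tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no"
)
STATUS_MANY_HITS = (
    "No, score=2.604 tagged_above=-999.9 required=5.6 "
    "tests=[AWL=2.468, DATE_IN_PAST_03_06=1.076, DKIM_SIGNED=0.99, "
    "DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VERIFIED=0.99, "
    "HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=2.3, "
    "RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, "
    "RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_SAFE=-2, SPF_HELO_PASS=-0.001, "
    "SPF_PASS=-0.001] autolearn=no autolearn_force=no"
)

# Rule families a working install with network checks and Bayes normally
# contributes to every scan, keyed by rule-name prefix (assumed list).
FAMILIES = {
    "bayes": "BAYES_",
    "dnsbl": "RCVD_IN_",
    "uribl": "URIBL_",
    "dkim": "DKIM_",
    "spf": "SPF_",
}
# Stock scores as quoted in the thread (network set, non-network set).
STOCK_SCORES = {"RDNS_NONE": (1.1, 0.7)}
# Hits that RW points out are old aliases rather than spam indicators.
DEPRECATED = {"DKIM_VERIFIED": "old name for DKIM_VALID"}


def parse_spam_status(value):
    """Return score, threshold and a {rule: score} dict from the header value."""
    m = re.search(r"score=(-?[\d.]+).*?required=(-?[\d.]+).*?tests=\[(.*?)\]",
                  value, re.S)
    if not m:
        raise ValueError("not an X-Spam-Status value")
    tests = {}
    for item in m.group(3).split(","):
        name, _, score = item.strip().partition("=")
        if name:
            tests[name] = float(score) if score else 0.0
    return {"score": float(m.group(1)), "required": float(m.group(2)),
            "tests": tests}


def diagnose(value):
    """Summarise what the scan did and did not do."""
    parsed = parse_spam_status(value)
    tests = parsed["tests"]
    return {
        "hits": len(tests),
        # families with no rule hit at all: a sign the module never ran
        "missing": [fam for fam, prefix in FAMILIES.items()
                    if not any(n.startswith(prefix) for n in tests)],
        # the per-test scores should add up to the reported total
        "sum_matches": round(sum(tests.values()), 3) == parsed["score"],
        # local overrides of a stock score, e.g. RDNS_NONE bumped to 5.5
        "overridden": [n for n, s in tests.items()
                       if n in STOCK_SCORES and s not in STOCK_SCORES[n]],
        "deprecated": [n for n in tests if n in DEPRECATED],
    }


if __name__ == "__main__":
    for label, value in (("one hit", STATUS_ONE_HIT), ("many hits", STATUS_MANY_HITS)):
        print(label, diagnose(value))
```

Feed it the X-Spam-Status value of any message that scored oddly; an empty `missing` list with a matching sum means the scan ran all expected modules and the score is simply what the rules say it is.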


RE: local.cf example

2016-11-01 Thread John Hardin

On Tue, 1 Nov 2016, Motty Cruz wrote:


If I disable AWL:

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 5.5
X-Spam-Level: *
X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
   tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
Received: from HOST1.fqdn.com ([127.0.0.1])

This-election is the craziest in our country's history so far but
in-spite of all the press-surrounding it, there is something that
NO ONE seems to have the-guts to talk about...

Totally spam E-mail, should have score higher, but there was only one score?


No BAYES?

There aren't any URLs so I don't expect URIBL hits, and there aren't any 
commonly spammy phrases there that rules look for (at least in the portion 
you quoted).


If it was received from a MTA that doesn't appear on any DNSBLs and had 
clean headers, that might be all you get for something like that.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 5 days until Daylight Saving Time ends in U.S. - Fall Back


RE: local.cf example

2016-11-01 Thread Motty Cruz
If I disable AWL: 

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 5.5
X-Spam-Level: *
X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
Received: from HOST1.fqdn.com ([127.0.0.1])

This-election is the craziest in our country's history so far but
in-spite of all the press-surrounding it, there is something that
NO ONE seems to have the-guts to talk about...

Totally spam E-mail, should have score higher, but there was only one score?



Any idea? 

Thanks, 
Motty

-Original Message-
From: RW [mailto:rwmailli...@googlemail.com] 
Sent: Saturday, October 29, 2016 5:35 AM
To: users@spamassassin.apache.org
Subject: Re: local.cf example

On Fri, 28 Oct 2016 22:25:54 -0700
motty cruz wrote:

> AWL is allowing spam email through,

It will do, it's a score averager, it moves the score towards the average
score for the sender. 

AWL is vulnerable to spoofing, so check the from address on the spam. If
that's happening you should consider switching to TxRep. TxRep also excludes
Bayes from the score averaging, which makes it less resistant to learning.


> X-Spam-Status: ..., DKIM_VALID=-0.1, ... DKIM_VERIFIED=0.99,

Why do you have DKIM_VERIFIED=0.99? It's just an old name for DKIM_VALID and
not a spam indicator anyway.



Re: dropbox phish

2016-11-01 Thread RW
On Mon, 31 Oct 2016 21:11:06 -0400
Bill Cole wrote:


> Well, I find this quite useful with very few false positives:
> 
> uridnsbl   URIBL_SBLXBL   sbl-xbl.spamhaus.org.   TXT
> body       URIBL_SBLXBL   eval:check_uridnsbl('URIBL_SBLXBL')
> describe   URIBL_SBLXBL   Contains a URL listed in the SBL/XBL blocklist
> tflags     URIBL_SBLXBL   net
> score      URIBL_SBLXBL   7
> 
> This check will FP after a fashion when a nominally legitimate
> webserver lands on the CBL because it is infected with something.

In theory this shouldn't work. According to the documentation, by
default, that rule checks the webserver's nameservers.

It seems to be relying on a bug, see: 

 https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7242

 http://www.gossamer-threads.com/lists/spamassassin/users/194944

It's probably firing on either kind of lookup, but in case it ever gets
fixed you should have:

tflags URIBL_SBLXBL net a
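The three rules discussed in this thread (Alex's RCVD_IN_XBL_ALL header check, Bill's URIBL_SBLXBL body check, and the URIBL_SBL rule from 25_uribl.cf) all reduce to the same mechanics: reverse the octets of an IP, query it under the list zone, and compare the answer against a sub-test. The added example below, which is not SpamAssassin code and was not posted by anyone in the thread, models those mechanics so the difference RW raises between tflags `a` (check the IPs the URI's domain resolves to) and tflags `ns` (check the nameservers' IPs) is visible on a constructed message. DNS is replaced by an in-memory table; every hostname, IP and listing in it is made up, and the Zen return-code meanings in the comments are Spamhaus's published convention.

```python
"""How check_rbl_sub() and check_uridnsbl() decide a hit.  Added example,
not SpamAssassin code: DNS is a constructed in-memory table and every
hostname and IP below is made up."""
import re

# Zones from the rules in the thread.
ZEN_ZONE = "zen.spamhaus.org"
SBLXBL_ZONE = "sbl-xbl.spamhaus.org"

# Constructed answers.  Zen return codes by convention: 127.0.0.2/3 = SBL,
# 127.0.0.4-7 = XBL (CBL), 127.0.0.10/11 = PBL.  Names without an entry
# resolve to nothing, i.e. they are not listed.
FAKE_DNS = {
    ("5.4.3.198.zen.spamhaus.org", "A"): ["127.0.0.4"],      # XBL-listed relay
    ("33.2.0.192.zen.spamhaus.org", "A"): ["127.0.0.11"],     # PBL-only relay
    ("drpbox-login.example", "A"): ["198.51.100.7"],         # phish host (made up)
    ("drpbox-login.example", "NS"): ["ns1.example"],
    ("ns1.example", "A"): ["203.0.113.9"],                   # its nameserver, unlisted
    ("7.100.51.198.sbl-xbl.spamhaus.org", "TXT"): ["constructed listing record"],
}


def lookup(name, rrtype):
    """Stand-in for a DNS query; a trailing dot is ignored as a resolver would."""
    return FAKE_DNS.get((name.rstrip("."), rrtype), [])


def reverse_ip(ip):
    """DNSBL query label: octets reversed, e.g. 198.3.4.5 -> 5.4.3.198."""
    return ".".join(reversed(ip.split(".")))


def rbl_sub_hit(relay_ip, zone, subtest):
    """check_rbl_sub(): hit when an A answer under the zone matches the
    sub-test, which is treated as a regex ('127.0.0.[45678]')."""
    answers = lookup(f"{reverse_ip(relay_ip)}.{zone}", "A")
    return any(re.fullmatch(subtest, a) for a in answers)


def uridnsbl_hit(domain, zone, rrtype, mode, subtest=None):
    """check_uridnsbl(): tflags 'a' checks the IPs the URI's domain resolves
    to, tflags 'ns' the IPs of the domain's nameservers.  Without a sub-test
    (uridnsbl) any answer is a hit; with one (uridnssub) it must match."""
    if mode == "a":
        ips = lookup(domain, "A")
    elif mode == "ns":
        ips = [ip for ns in lookup(domain, "NS") for ip in lookup(ns, "A")]
    else:
        raise ValueError(f"unknown tflags mode {mode!r}")
    for ip in ips:
        answers = lookup(f"{reverse_ip(ip)}.{zone}", rrtype)
        if subtest is None:
            if answers:
                return True
        elif any(re.fullmatch(subtest, a) for a in answers):
            return True
    return False


def evaluate(relays, uri_domains, uribl_mode):
    """Apply the thread's three rules to a message given as its relay IPs and
    the domains of its URIs; return the names of the rules that hit."""
    hits = []
    # Alex's header rule: zen lookup, sub-test '127.0.0.[45678]' (XBL only,
    # so a PBL-listed dynamic address does not count).
    if any(rbl_sub_hit(r, ZEN_ZONE, "127.0.0.[45678]") for r in relays):
        hits.append("RCVD_IN_XBL_ALL")
    # Bill's body rule: TXT lookup on sbl-xbl, lookup mode taken from tflags.
    if any(uridnsbl_hit(d, SBLXBL_ZONE, "TXT", uribl_mode) for d in uri_domains):
        hits.append("URIBL_SBLXBL")
    # 25_uribl.cf's URIBL_SBL: uridnssub on zen, A 127.0.0.2, nameserver IPs.
    if any(uridnsbl_hit(d, ZEN_ZONE, "A", "ns", "127.0.0.2") for d in uri_domains):
        hits.append("URIBL_SBL")
    return hits


if __name__ == "__main__":
    relays = ["198.3.4.5", "192.0.2.33"]
    for mode in ("a", "ns"):
        print(f"tflags {mode}:", evaluate(relays, ["drpbox-login.example"], mode))
```

With the constructed data, the phish host itself is listed but its nameserver is not, so URIBL_SBLXBL fires only with `tflags ... a`; under `ns` the rule is silent, which is the situation RW's last line guards against. The PBL-only relay shows why Alex's sub-test excludes 127.0.0.10/11: a dynamic address on the PBL is not evidence of compromise the way an XBL listing is.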