Re: uceprotect issue

2016-11-02 Thread Boris Behrens
Even the CSA guys told us not to use UCEProtect. 

Kind regards
 - Boris Behrens

> Am 03.11.2016 um 00:12 schrieb Kevin Miller :
> 
> Isn’t it obvious?  It’s the NSA.  ☺
>  
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>  
> From: Joe Quinn [mailto:jqu...@pccc.com] 
> Sent: Wednesday, November 02, 2016 2:56 PM
> To: users@spamassassin.apache.org
> Subject: Re: uceprotect issue
>  
> On 11/2/2016 2:46 PM, Marc Stürmer wrote:
>  Quoting Marco:
> 
> 
> Sorry, I know this is not the uceprotect list, but I don't know how to contact 
> uceprotect; their contact form is unavailable. 
> 
> It seems the problem started on 30 October. Have you noticed anything about 
> it too?
> 
> UCE Protect has a very questionable reputation; the foremost reason is that 
> they charge money for delisting entries. 
> 
> And no one knows who's behind them, since they do not publish this kind of 
> information. They want to stay anonymous, which is why there is no easy way to 
> contact them via their home page. 
> 
> So you should really ask yourself: why do you trust them?
> 
> I have to agree. Their inscrutability extends deep into the public-facing 
> parts of their infrastructure. Their MX doesn't have any registrant 
> information in their whois, and their DNS provider doesn't even have a 
> website. Their own domain uses a whois privacy service, and that service's 
> website is a single page for submitting email non-delivery reports to UCE 
> Protect. It's ridiculous.




Re: dropbox phish

2016-11-02 Thread Alex
Hi,

On Wed, Nov 2, 2016 at 10:36 AM, Kris Deugau  wrote:
> Alex wrote:
>> I've had to lower the score on my header XBL check because it was
>> triggering on so many dynamic IPs that were clearly reassigned to new
>> users, then being blacklisted. I'd appreciate it if anyone could
>> provide additional input on how they might use something like this.
>>
>> header   RCVD_IN_XBL_ALL   eval:check_rbl_sub('zen', '127.0.0.[45678]')
>> describe RCVD_IN_XBL_ALL   Received via a relay in Spamhaus SBL-XBL
>> tflags   RCVD_IN_XBL_ALL   net
>> score    RCVD_IN_XBL_ALL   0.01
>
> If this is really hitting on lots of legitimate mail, you probably have
> a trust path issue.  This should only check the IP that handed the
> message to your mail server.  It should NOT be checking the IP that the
> message originated from unless you really want to refuse mail from any
> IP that has recently had an infected PC on or behind it.
>
> You shouldn't need to (re)define this in any case, and I'm not certain
> without rereading the man page if or how this will behave somewhat
> differently to the stock RCVD_IN_XBL rule - that could be the problem
> all on its own.

Yes, as the rule currently stands, it was hitting on any Received
header, including the origin IP from which the message was sent.
Should there be some sort of "last-external" to signify which IP to
check?

Thanks,
Alex


RE: uceprotect issue

2016-11-02 Thread Kevin Miller
Isn’t it obvious?  It’s the NSA.  ☺

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: Joe Quinn [mailto:jqu...@pccc.com]
Sent: Wednesday, November 02, 2016 2:56 PM
To: users@spamassassin.apache.org
Subject: Re: uceprotect issue

On 11/2/2016 2:46 PM, Marc Stürmer wrote:
 Quoting Marco:


Sorry, I know this is not the uceprotect list, but I don't know how to contact 
uceprotect; their contact form is unavailable.

It seems the problem started on 30 October. Have you noticed anything about 
it too?

UCE Protect has a very questionable reputation; the foremost reason is that they 
charge money for delisting entries.

And no one knows who's behind them, since they do not publish this kind of 
information. They want to stay anonymous, which is why there is no easy way to 
contact them via their home page.

So you should really ask yourself: why do you trust them?

I have to agree. Their inscrutability extends deep into the public-facing parts 
of their infrastructure. Their MX doesn't have any registrant information in 
their whois, and their DNS provider doesn't even have a website. Their own 
domain uses a whois privacy service, and that service's website is a single 
page for submitting email non-delivery reports to UCE Protect. It's ridiculous.


Re: uceprotect issue

2016-11-02 Thread Joe Quinn

On 11/2/2016 2:46 PM, Marc Stürmer wrote:

 Quoting Marco:

Sorry, I know this is not the uceprotect list, but I don't know how to 
contact uceprotect; their contact form is unavailable.


It seems the problem started on 30 October. Have you noticed anything 
about it too?


UCE Protect has a very questionable reputation; the foremost reason is 
that they charge money for delisting entries.


And no one knows who's behind them, since they do not publish this 
kind of information. They want to stay anonymous, which is why there is 
no easy way to contact them via their home page.


So you should really ask yourself: why do you trust them?

I have to agree. Their inscrutability extends deep into the 
public-facing parts of their infrastructure. Their MX doesn't have any 
registrant information in their whois, and their DNS provider doesn't 
even have a website. Their own domain uses a whois privacy service, and 
that service's website is a single page for submitting email 
non-delivery reports /to UCE Protect/. It's ridiculous.




Re: uceprotect issue

2016-11-02 Thread Marc Stürmer

 Quoting Marco:

Sorry, I know this is not the uceprotect list, but I don't know how to  
contact uceprotect; their contact form is unavailable.


It seems the problem started on 30 October. Have you noticed anything  
about it too?


UCE Protect has a very questionable reputation; the foremost reason is  
that they charge money for delisting entries.


And no one knows who's behind them, since they do not publish this  
kind of information. They want to stay anonymous, which is why there is  
no easy way to contact them via their home page.


So you should really ask yourself: why do you trust them?




Re: uceprotect issue

2016-11-02 Thread MHielder
Hello Marco, hello List,

There was a DNS issue we are currently investigating.
If your system still responds with a hit to any queries against our RBL,
please flush your DNS cache or temporarily use another DNS resolver
until the cache of your upstream is cleared.

We apologize and will take steps to prevent this kind of issue.

Greetings M.Hielder
UCEPROTECT Network



RE: local.cf example

2016-11-02 Thread Motty Cruz
Thanks for your help! 

I discovered AWL enabled in init.pre, which short-circuited all other plugins. I
disabled AWL and spamassassin is working fine now. 

Thanks for your help!
_Motty

-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
Sent: Wednesday, November 02, 2016 10:16 AM
To: users@spamassassin.apache.org
Subject: Re: local.cf example

On 01.11.16 11:24, Motty Cruz wrote:
>Very strange, missed configuration; here is another header and I have 
>not changed any configuration, and yet this one was scanned:

>X-Spam-Status: No, score=2.604 tagged_above=-999.9 required=5.6
>tests=[AWL=2.468, DATE_IN_PAST_03_06=1.076, DKIM_SIGNED=0.99,
>DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VERIFIED=0.99,
>HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, 
>RCVD_IN_DNSWL_NONE=2.3,
>RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
>RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_SAFE=-2, SPF_HELO_PASS=-0.001,
>SPF_PASS=-0.001] autolearn=no autolearn_force=no

the former was scanned too, but it only hit RDNS_NONE with extremely
increased score.

...I have increased score for RCVD_IN_RP_CERTIFIED to -0.03 and
RCVD_IN_RP_SAFE to -0.02 to avoid spam from "certified" spammers.

Note that you have enabled network tests but I see no sign of RAZOR, PYZOR
and DCC (they all need extra SW installed).
Also, still no BAYES (maybe manual training would help).


>On 01.11.16 08:43, Motty Cruz wrote:
>>X-Virus-Scanned: amavisd-new at fqdn.com
>>X-Spam-Flag: NO
>>X-Spam-Score: 5.5
>>X-Spam-Level: *
>>X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
>>tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
>>Received: from HOST1.fqdn.com ([127.0.0.1])
>>
>>This-election is the craziest in our country's history so far but 
>>in-spite of all the press-surrounding it, there is something that NO 
>>ONE seems to have the-guts to talk about...
>>
>>Totally spam E-mail, should have score higher, but there was only one
>score?
>
>RDNS_NONE only scores 1.1/0.7, why did you bump it to 5.5?
>
>You apparently miss modules, network checks, BAYES (database apparently 
>under "amavis" user) ...
>
>yes, even in such cases you may get only one rule hit (e.g. 
>BAYES_99), but it's quite a rare case
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 of your friends - let them see what an idiot you are



Re: local.cf example

2016-11-02 Thread Matus UHLAR - fantomas

On 01.11.16 11:24, Motty Cruz wrote:

Very strange, missed configuration; here is another header and I have not
changed any configuration, and yet this one was scanned:



X-Spam-Status: No, score=2.604 tagged_above=-999.9 required=5.6
   tests=[AWL=2.468, DATE_IN_PAST_03_06=1.076, DKIM_SIGNED=0.99,
   DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VERIFIED=0.99,
   HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=2.3,
   RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
   RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_SAFE=-2, SPF_HELO_PASS=-0.001,
   SPF_PASS=-0.001] autolearn=no autolearn_force=no


the former was scanned too, but it only hit RDNS_NONE with extremely
increased score.

...I have increased score for RCVD_IN_RP_CERTIFIED to -0.03 and RCVD_IN_RP_SAFE
to -0.02 to avoid spam from "certified" spammers.

Note that you have enabled network tests but I see no sign of RAZOR, PYZOR
and DCC (they all need extra SW installed).
Also, still no BAYES (maybe manual training would help).



On 01.11.16 08:43, Motty Cruz wrote:

X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 5.5
X-Spam-Level: *
X-Spam-Status: No, score=5.5 tagged_above=-999.9 required=5.6
   tests=[RDNS_NONE=5.5] autolearn=no autolearn_force=no
Received: from HOST1.fqdn.com ([127.0.0.1])

This-election is the craziest in our country's history so far but
in-spite of all the press-surrounding it, there is something that NO
ONE seems to have the-guts to talk about...

Totally spam E-mail, should have score higher, but there was only one
score?

RDNS_NONE only scores 1.1/0.7, why did you bump it to 5.5?

You apparently miss modules, network checks, BAYES (database apparently
under "amavis" user) ...

yes, even in such cases you may get only one rule hit (e.g. BAYES_99),
but it's quite a rare case

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 of your friends - let them see what an idiot you are


Re: dropbox phish

2016-11-02 Thread Kris Deugau
Alex wrote:
> I've had to lower the score on my header XBL check because it was
> triggering on so many dynamic IPs that were clearly reassigned to new
> users, then being blacklisted. I'd appreciate it if anyone could
> provide additional input on how they might use something like this.
> 
> header   RCVD_IN_XBL_ALL   eval:check_rbl_sub('zen', '127.0.0.[45678]')
> describe RCVD_IN_XBL_ALL   Received via a relay in Spamhaus SBL-XBL
> tflags   RCVD_IN_XBL_ALL   net
> score    RCVD_IN_XBL_ALL   0.01

If this is really hitting on lots of legitimate mail, you probably have
a trust path issue.  This should only check the IP that handed the
message to your mail server.  It should NOT be checking the IP that the
message originated from unless you really want to refuse mail from any
IP that has recently had an infected PC on or behind it.

You shouldn't need to (re)define this in any case, and I'm not certain
without rereading the man page if or how this will behave somewhat
differently to the stock RCVD_IN_XBL rule - that could be the problem
all on its own.

-kgd
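The trust-path point above, as an added example (not code from the thread or from SpamAssassin): a small Python model of the difference between checking only the host that handed the message to you and checking every relay in the Received chain. The Received headers, the trusted network and the addresses are constructed from documentation ranges; SpamAssassin itself expresses this scoping through the RBL set name passed to check_rbl (see the Mail::SpamAssassin::Plugin::DNSEval documentation), which this script does not reproduce. The XBL return codes are the '127.0.0.[45678]' set from the quoted rule.

```python
import ipaddress
import re

# Constructed sample trace: Received headers in the order they appear in the
# message, i.e. the hop closest to our scanner first. Addresses are from the
# RFC 5737 documentation ranges and are not real hosts.
SAMPLE_RECEIVED = [
    "from mx1.example.net (mx1.example.net [192.0.2.10]) by scanner.example.net",
    "from mail.sender.example (mail.sender.example [198.51.100.25]) by mx1.example.net",
    "from user-pc (dyn-203-0-113-77.isp.example [203.0.113.77]) by mail.sender.example",
]

# What trusted_networks in local.cf would list for this site: our own relays.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Return codes the quoted rule treats as XBL: '127.0.0.[45678]'.
XBL_CODES = {ipaddress.ip_address("127.0.0.%d" % n) for n in range(4, 9)}

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received):
    """Extract the sending IP from each Received header, nearest hop first."""
    ips = []
    for hdr in received:
        m = _IP_RE.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def last_external_ip(received, trusted):
    """The host that handed the message to our infrastructure: walking outward
    from our own relays, the first hop that is not inside a trusted network."""
    for ip in relay_ips(received):
        if not is_trusted(ip, trusted):
            return ip
    return None


def dnsbl_query_name(ip, zone="zen.spamhaus.org."):
    """Reverse the octets and append the zone, as a DNSBL lookup requires."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def query_names(received, trusted, last_external_only=True):
    """Lookups a rule would issue: one (the handing-off relay) when scoped to
    the last external hop, or one per untrusted relay when not scoped. The
    unscoped form is what ends up querying the dynamic origin IP as well."""
    if last_external_only:
        ip = last_external_ip(received, trusted)
        return [dnsbl_query_name(ip)] if ip else []
    return [dnsbl_query_name(ip) for ip in relay_ips(received) if not is_trusted(ip, trusted)]


def xbl_listed(answers):
    """True if any A answer for the lookup is one of the XBL return codes."""
    return any(ipaddress.ip_address(a) in XBL_CODES for a in answers)


if __name__ == "__main__":
    print("last external:", last_external_ip(SAMPLE_RECEIVED, TRUSTED_NETWORKS))
    print("scoped lookups:", query_names(SAMPLE_RECEIVED, TRUSTED_NETWORKS))
    print("unscoped lookups:", query_names(SAMPLE_RECEIVED, TRUSTED_NETWORKS, False))
```

With the sample trace, the scoped form looks up only 198.51.100.25, while the unscoped form also looks up the dynamic origin 203.0.113.77, which is exactly the address an XBL listing of a recently infected PC would match. If trusted_networks were empty, the first hop (our own 192.0.2.10) would be taken as the external one, which is the misconfiguration Kris is describing.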


uceprotect issue

2016-11-02 Thread Marco

Hello,

 Do you know if uceprotect's servers have been compromised?

I see these strange results:

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> 42.215.85.209.dnsbl-3.uceprotect.net

;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28044
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 11

;; QUESTION SECTION:
;42.215.85.209.dnsbl-3.uceprotect.net. IN A

;; ANSWER SECTION:
42.215.85.209.dnsbl-3.uceprotect.NET. 428316 IN A 176.107.178.7

;; AUTHORITY SECTION:
dnsbl-3.uceprotect.NET. 2249 IN NS dns-cluster-5.uceprotect.net.
dnsbl-3.uceprotect.NET. 2249 IN NS dns-cluster-1.uceprotect.net.
dnsbl-3.uceprotect.NET. 2249 IN NS dns-cluster-2.uceprotect.net.
dnsbl-3.uceprotect.NET. 2249 IN NS dns-cluster-3.uceprotect.net.
dnsbl-3.uceprotect.NET. 2249 IN NS dns-cluster-4.uceprotect.net.


;; ADDITIONAL SECTION:
dns-cluster-4.uceprotect.NET. 1797 IN   A   95.211.237.210
dns-cluster-4.uceprotect.NET. 1797 IN   A   204.13.169.44
dns-cluster-4.uceprotect.NET. 1797 IN   A   208.77.218.114
dns-cluster-4.uceprotect.NET. 1797 IN   A   209.126.213.95
dns-cluster-5.uceprotect.NET. 372668 IN A   176.107.178.7
dns-cluster-1.uceprotect.NET. 372668 IN A   176.107.178.7
dns-cluster-2.uceprotect.NET. 372668 IN A   176.107.178.7
dns-cluster-3.uceprotect.NET. 1797 IN   A   70.38.37.139
dns-cluster-3.uceprotect.NET. 1797 IN   A   193.138.29.11
dns-cluster-3.uceprotect.NET. 1797 IN   A   199.187.241.194
dns-cluster-3.uceprotect.NET. 1797 IN   A   66.240.236.50


Many records resolve to 176.107.178.7, like 
84.105.105.38.dnsbl-3.uceprotect.net.



Sorry, I know this is not the uceprotect list, but I don't know how to 
contact uceprotect; their contact form is unavailable.


It seems the problem started on 30 October. Have you noticed anything 
about it too?


I think if you use uceprotect it's better to test that the answer is in 
the 127.x.x.x address class...


Best Regards
Marco