Re: Google anti-phishing code project

2017-02-25 Thread Dianne Skoll
On Fri, 24 Feb 2017 16:26:38 -0500
Alex  wrote:

> We've actually had false-positives due to how the list is built into
> rules. In other words, "i...@ca.com" is still on the list from 2011.
> They're also not bounded by default, so noi...@ca.com and
> morei...@ca.com would also be caught, for example.

We use MIMEDefang's Perl integration, so we don't compile the list into
SA rules.  We use a database lookup instead, which does not suffer
from the partial-match problem, and we don't load anything older than 6
months into the database.

> How do you build the phishing URLs list into rules similar to how the
> addresses2spamassassin.pl does for the phishing emails?

Same idea; we do it in Perl integration code around SpamAssassin with
a database lookup.

Regards,

Dianne.
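
The two behaviours discussed in this message, side by side, as an added illustration that is not code from the thread, from MIMEDefang or from SpamAssassin: list entries compiled into one unanchored pattern with no expiry, versus an exact whole-address lookup that loads only entries newer than about six months. The addresses, timestamps and function names are constructed for the example, and an in-memory hash stands in for the database.

```perl
#!/usr/bin/perl
# Added illustration: unbounded rule-style matching vs. exact lookup with an age cutoff.
use strict;
use warnings;

my $DAY     = 86_400;
my $MAX_AGE = 183 * $DAY;        # roughly six months
my $now     = 1_488_000_000;     # fixed, constructed "now" so the output is repeatable

# Constructed list entries: address => epoch time it was reported.
my %reported = (
    'billing@example.com'  => $now - 6 * 365 * $DAY,   # stale entry, about six years old
    'helpdesk@example.net' => $now - 30 * $DAY,        # recent entry
);

# Style 1: every entry compiled into one unanchored pattern, never expired.
my $alt       = join '|', map { quotemeta($_) } sort keys %reported;
my $unbounded = qr/(?:$alt)/i;

# Style 2: load only recent entries, then compare the whole address.
my %recent = map  { ( lc($_) => 1 ) }
             grep { $now - $reported{$_} <= $MAX_AGE } keys %reported;

sub hit_unbounded { my ($addr) = @_; return $addr =~ $unbounded ? 1 : 0 }
sub hit_exact     { my ($addr) = @_; return $recent{ lc $addr } ? 1 : 0 }

# Constructed test addresses: exact entries plus longer addresses that merely contain one.
for my $addr (qw(
    billing@example.com
    nobilling@example.com
    morebilling@example.com
    helpdesk@example.net
    it-helpdesk@example.net
)) {
    printf "%-26s unbounded=%d exact=%d\n",
        $addr, hit_unbounded($addr), hit_exact($addr);
}
```

The unanchored pattern flags all five addresses, including the stale entry and every address that merely ends in a listed one; the exact lookup flags only helpdesk@example.net.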


Re: top and other spammy TLDs

2017-02-25 Thread Paul Stead


On 25/02/2017, 00:39, "Alex"  wrote:

> header   PDS_FROM_OTHER_BAD_TLD eval:check_from_in_list('NEWSPAMMY')


This particular check will not work as the current release of SA does not 
include the improvement in the BZ report. If you have the patch included (I 
can’t support you patching your production SA) you can use:

enlist_addrlist (NEWSPAMMY) *@*.top

to create the NEWSPAMMY addrlist to then use the check_from_list_list and
associated evals.


Paul

--
Paul Stead
Systems Engineer
Zen Internet


ASN plugin and IPv6 addresses

2017-02-25 Thread Andy Smith
Hi,

I'm using version 3.4.0 on Debian stable.

I noticed that when presented with some IPv6 addresses, the ASN
plugin is actually querying them as an IPv4 address e.g. turning
2600:… into 2.0.0.0 and coming back with the wrong ASN.

This appears to already be documented in the bugzilla:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7211

but the conclusion there seems to be that the plugin just needs to
be configured correctly. So how would one do that?

Looking at the perldoc I see:

asn_lookup asn-zone.example.com [ _ASNTAG_ _ASNCIDRTAG_ ]
Use this to lookup the ASN info in the specified zone for the first
external IP address and add the AS number to the first specified tag and
routing info to the second specified tag.

[…]

If two or more asn_lookups use the same set of template tags, the results
of their lookups will be appended to each other in the template tag values
in no particular order. Duplicate results will be omitted when combining
results. In a similar fashion, you can also use the same template tag for
both the AS number tag and the routing info tag.

The thing is, I can't find one DNS zone that will answer queries
for both IPv4 and IPv6. I can add asn_lookup directives for both,
e.g.:

asn_lookup origin.asn.cymru.com _ASN_ _ASNCIDR_
asn_lookup origin6.asn.cymru.com _ASN_ _ASNCIDR_

but what then happens is that an erroneous v6-as-v4 result from the
first one gets included together with the (correct) answer from
origin6.asn.cymru.com.

What is the correct way of configuring this? Doesn't the plugin need
two different asn_lookup directives, one for IPv4 and one for IPv6,
with only the relevant queries being directed at each?

Cheers,
Andy