Re: Google Safe Browsing plugin?

2017-04-25 Thread Merijn van den Kroonenberg
>> Hi everyone,
>>
>> I want to try and detect malicious URIs in the body of emails better and
>> thought there might be something I could use, since I imagine Google
>> has a good list of them. I found this link, but it fails to install.
>>
>> http://search.cpan.org/~danborn/Bundle-SafeBrowsing/lib/Bundle/SafeBrowsing.pm
>
> I think this one only supports version 1 of the protocol, which is no
> longer supported. I think they are at version 3 now.

I was off by 1 in the version numbering. They are now at version 4 (and we
implemented version 3).

>
>>
>> I'm using FreeBSD. Does anyone use this? Or do you have any other
>> suggestions?
>
> We use our own implementation of the v2 protocol. It doesn't hit on that
> much spam, but occasionally it hits on some spam/phishing runs.
>
> I am not sure if there is an implementation of the v3 protocol which can
> be easily used in SA... Our implementation will probably stop working at
> some point.

The Lookup API is probably not so hard to implement, but it would expose
all URLs in your e-mail to Google. The Update API prevents this by using
hashes, but you are required to keep a local cache of hash prefixes, which
is a lot more work to implement.


>
>>
>> Thanks,
>> Rich
>>
>
>
>




Re: Google Safe Browsing plugin?

2017-04-25 Thread Merijn van den Kroonenberg
> Hi everyone,
>
> I want to try and detect malicious URIs in the body of emails better and
> thought there might be something I could use, since I imagine Google has
> a good list of them. I found this link, but it fails to install.
>
> http://search.cpan.org/~danborn/Bundle-SafeBrowsing/lib/Bundle/SafeBrowsing.pm

I think this one only supports version 1 of the protocol, which is no
longer supported. I think they are at version 3 now.

>
> I'm using FreeBSD. Does anyone use this? Or do you have any other
> suggestions?

We use our own implementation of the v2 protocol. It doesn't hit on that
much spam, but occasionally it hits on some spam/phishing runs.

I am not sure if there is an implementation of the v3 protocol which can
be easily used in SA... Our implementation will probably stop working at
some point.

>
> Thanks,
> Rich
>




Google Safe Browsing plugin?

2017-04-25 Thread Richard Mealing
Hi everyone,

I want to try and detect malicious URIs in the body of emails better and thought 
there might be something I could use, since I imagine Google has a good list 
of them. I found this link, but it fails to install.

http://search.cpan.org/~danborn/Bundle-SafeBrowsing/lib/Bundle/SafeBrowsing.pm

I'm using FreeBSD. Does anyone use this? Or do you have any other suggestions?

Thanks,
Rich


Re: TVD_PH_SEC score problem

2017-04-25 Thread RW
On Tue, 25 Apr 2017 08:40:27 -0400
Alex wrote:


> Even 2.8 points for merely the word "xanax" alone, without any other
> basis for consideration, sounds too high.

Actually it's looking for something that looks like xanax, but isn't
xanax.

Unless I'm misunderstanding something, these FUZZY rules are all going
to need some work following this:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7232

since they make heavy use of utf-8 byte sequences. 


Re: TVD_PH_SEC score problem

2017-04-25 Thread Alex
Hi,

On Mon, Apr 24, 2017 at 11:43 PM, Bill Cole wrote:
> On 24 Apr 2017, at 21:35, Alex wrote:
>
>> Hi,
>>
>>>> Hi, this rule hit a citibank.com email. Adding 1.8 points simply for
>>>> the phrase "your account security" does not seem reasonable.
>>>>
>>>> Apr 24 20:13:18.660 [28524] dbg: rules: ran body rule TVD_PH_SEC
>>>> ==> got hit: "your account security"
>>>
>>>
>>> What *else* hit? What was the final total score?
>>
>>
>> It also hit a secondary RBL for an IP that it shouldn't have, as well
>> as bayes00 and hostkarma_bl, totaling 5.044, making it spam. The IP
>> that was hit was 52.40.63.1, mta1b3.c1-t.msyscloud.com.
>
>
> Umm...
>
> # host 1.63.40.52.hostkarma.junkemailfilter.com
> 1.63.40.52.hostkarma.junkemailfilter.com has address 127.0.1.1
>
> # host mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com
> mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com has address
> 127.0.2.3
> mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com has address
> 127.0.1.1
>
> You probably should not be treating those "experimental" result codes as
> derogatory. 127.0.1.1 seems to be an assertion that the IP behaves in a
> formally correct manner and 127.0.2.3 seems to mean that it's been sending
> mail for over a week. These are both GOOD things.

Yes, I said it was for an IP that shouldn't have hit hostkarma_bl.
When this email was received on Apr 15th, it also hit hostkarma_bl.
It's apparently been corrected.

 *  1.0 RCVD_IN_HOSTKARMA_BL RBL: Sender listed in HOSTKARMA-BLACK
 *  [52.40.63.1 listed in hostkarma.junkemailfilter.com]
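As an added illustration of Bill Cole's point about result codes (example code, not from the thread or from SpamAssassin): a DNSBL answers with A records inside 127.0.0.0/8, and it is the return code, not the mere presence of an answer, that carries the verdict. The answers are the ones quoted in the thread; the set of codes treated as derogatory is an assumption for the demo, standing in for whatever the list operator documents.

```python
import ipaddress

# Sample answers copied from the host(1) output quoted in the thread.
SAMPLE_ANSWERS = {
    "1.63.40.52.hostkarma.junkemailfilter.com": ["127.0.1.1"],
    "mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com": ["127.0.2.3", "127.0.1.1"],
}

# Assumed for the demo: the return codes a rule should score as derogatory.
# A real rule takes these from the list operator's documentation.
DEROGATORY_CODES = [ipaddress.IPv4Network("127.0.0.2/32")]

def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def naive_listed(answers):
    """The pitfall in the thread: any A record at all is treated as a blacklisting,
    so informational or experimental codes produce false positives."""
    return bool(answers)

def listed_with_code(answers, derogatory=DEROGATORY_CODES):
    """Only the documented derogatory codes count; everything else is ignored.
    This is what the return-code argument of SpamAssassin's check_rbl_sub() does."""
    return any(ipaddress.IPv4Address(a) in net for a in answers for net in derogatory)

def informational_codes(answers, derogatory=DEROGATORY_CODES):
    """Return the answers that should NOT add score, for logging or rule tuning."""
    return [a for a in answers if not any(ipaddress.IPv4Address(a) in net for net in derogatory)]
```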


Re: TVD_PH_SEC score problem

2017-04-25 Thread Alex
Hi,

>> It also hit a secondary RBL for an IP that it shouldn't have, as well
>> as bayes00 and hostkarma_bl, totaling 5.044, making it spam. The IP
>> that was hit was 52.40.63.1, mta1b3.c1-t.msyscloud.com.
>>
>> I would have included that initially, but I figured any one phrase
>> shouldn't be enough to add more than 50% of the points with one
>> rule...
>
> 50% of 5 points (the default "spam" score) is 2.5 points. This rule meets
> your expectation.

Yeah, at the time I wrote that I was thinking it scored 2.8 points,
not 1.8, oops.

>> Apr 24 20:40:33.583 [7613] dbg: rules: ran body rule LOW_PRICE ==>
>> got hit: "Lowest Price"
>> This added 1.5 points to an email discussing reservation pricing,
>> making it spam.
>
> That along with everything else made it spam.
>
> I'm not trying to be difficult, but: what score *should* phishy/spammy
> phrases be limited to?

No, I'm sorry, these were all from separate emails. Sorry I wasn't
more clear with all of this; it was the end of a long day.

I don't think phishy/spammy phrases that are also extremely generic,
common phrases found in everyday language should alone have a very
high score at all.

Even 2.8 points for merely the word "xanax" alone, without any other
basis for consideration, sounds too high.


utf-16 spam :(

2017-04-25 Thread Benny Pedersen

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7252

Can it be solved in 3.4.2?

The only tool I have here is sigtool from ClamAV that can decode it, so I 
could for the time being make a ClamAV local sig that rejects these spam mails.


Re: Score maths

2017-04-25 Thread Geoff Soper
Hi Tom,
Thanks for your explanation, I hadn't appreciated that there was higher 
precision being hidden. 

Thanks,
Geoff

> On 25 Apr 2017, at 09:39, Tom Hendrikx wrote:
> 
> Hoi Geoff,
> 
> The scores actually have a precision of 3 numerals after the dot. The
> actual score of NO_RELAYS = -0.001. While rounding would still give you
> 3.0 as final score for this message, the actual score is below 3.
> 
> When you would have a ham/spam threshold at exactly 3, and the final
> score would say '3.0', you would be asking why a message with score 3
> wasn't blocked. So the 2.9 indicates that it's not 3 ;)
> 
> Kind regards,
> 
> Tom
> 
>> On 25-04-17 10:27, Geoff Soper wrote:
>> X-Spam-Status: No, Score=2.9
>> 
>> X-Spam-Report:
>> 
>> * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
>> 
>> * 3.0 GS_NO_RLYS_PHP No description available.
>> 
>> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
>> 
>> server.alphaworks.co.uk 
>> 
>> 
>> Can anyone explain why this isn't scoring 3.0?
>> 
>> :)
>> 
> 



Re: Score maths

2017-04-25 Thread Tom Hendrikx
Hoi Geoff,

The scores actually have a precision of 3 numerals after the dot. The
actual score of NO_RELAYS = -0.001. While rounding would still give you
3.0 as final score for this message, the actual score is below 3.

When you would have a ham/spam threshold at exactly 3, and the final
score would say '3.0', you would be asking why a message with score 3
wasn't blocked. So the 2.9 indicates that it's not 3 ;)

Kind regards,

Tom

On 25-04-17 10:27, Geoff Soper wrote:
> X-Spam-Status: No, Score=2.9
> 
> X-Spam-Report:
> 
> * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
> 
> * 3.0 GS_NO_RLYS_PHP No description available.
> 
> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
> 
> server.alphaworks.co.uk 
> 
> 
> Can anyone explain why this isn't scoring 3.0?
> 
> :)
> 


Re: Score maths

2017-04-25 Thread Benny Pedersen

Geoff Soper wrote on 2017-04-25 10:27:


Can anyone explain why this isn't scoring 3.0?


Take your calculator:

1000/3 = ?

If you take that result with a good calculator and multiply it by 3, it will say 1000 
as the result, but most cheap ones say 999 :=)


Where did that 1 go?


Re: Score maths

2017-04-25 Thread Markus Clardy

A score of -0.0 is actually not 0, it is something like -0.01 (or smaller).

If it had a score of actual 0, it wouldn't trigger.

As such, due to rounding, it ends up becoming 2.9, instead of 3.

On 04/25/2017 09:27 AM, Geoff Soper wrote:


X-Spam-Status: No, Score=2.9

X-Spam-Report:

* -0.0 NO_RELAYS Informational: message was not relayed via SMTP

* 3.0 GS_NO_RLYS_PHP No description available.

X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on

server.alphaworks.co.uk 


Can anyone explain why this isn't scoring 3.0?

:)





Score maths

2017-04-25 Thread Geoff Soper
X-Spam-Status: No, Score=2.9
X-Spam-Report:
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
* 3.0 GS_NO_RLYS_PHP No description available.
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
server.alphaworks.co.uk

Can anyone explain why this isn't scoring 3.0?
:)