Re: lots of missed spam/false negatives from .info TLD being marked with URIBL_RHS_DOB
>From: John Hardin>On Mon, 29 May 2017, Robert Kudyba wrote: >> For the past few days lots of missed spam has been getting through, running >> SA 3.4.1 on Fedora 25 with sendmail. I see that they are being tagged with >> URIBL_RHS_DOB, i.e., domains registered in the last five days. Since we >> are not running our own DNS server (yet--need permission from our CISO) >> URIBL_BLOCKED is also being triggered. Is there a way to update this? >Update what how? >I note that message hit BAYES_00. If content like that is getting a >"strong ham" Bayes score, you should review your training processes and >Bayes corpora - you *do* keep copies of messages you train Bayes with, >right? :) >If you trust URIBL_RHS_DOB to not hit your ham, you can increase the score >of URIBL_RHS_DOB in your local rules file. >If you'd prefer a more-focused solution, use a meta rule; perhaps: > meta LCL_DOB_FROM_INFO __FROM_DOM_INFO && URIBL_RHS_DOB > score LCL_DOB_FROM_INFO 2.500 # or whatever you're comfortable with >But: fixing your Bayes and getting a non-forwarding DNS server for your >mail system so that you're not hitting RBL query limits are the biggest >things you need to do to address this. >> I have't seen an update in sa-update since 03-May-2017 01:52:05: >Masscheck and updates are *almost* back. >> Here's a typical mail header & message content: >> https://pastebin.com/Rw1S7mWe >Thanks for that. Do you have any RBLs setup in sendmail? You need to use bb.barracudacentral.org and zen.spamhaus.org at a minimum. Hopefully your DNS server situation can get fixed soon so you can use BLs successfully. score.senderscore.com reputation is 0 out of 100 http://multirbl.valli.org/lookup/208.110.91.112.html If you switched to Postfix, there are many benefits to using Postscreen with weighted RBLs. I have over 20 RBLs working together for best accuracy and low false positives. SpamAssassin is primarily going to be a content filter with some reputation checks. Setup the MTA to be primarily reputation checks with DNS (i.e. make sure the sending IP has a PTR record [RDNS_NONE]) and RBL lookups. The MTA should be blocking the majority of spam before it gets to SpamAssassin. Dave
Re: lots of missed spam/false negatives from .info TLD being marked with URIBL_RHS_DOB
On Mon, 29 May 2017, Robert Kudyba wrote: For the past few days lots of missed spam has been getting through, running SA 3.4.1 on Fedora 25 with sendmail. I see that they are being tagged with URIBL_RHS_DOB, i.e., domains registered in the last five days. Since we are not running our own DNS server (yet--need permission from our CISO) URIBL_BLOCKED is also being triggered. Is there a way to update this? Update what how? I note that message hit BAYES_00. If content like that is getting a "strong ham" Bayes score, you should review your training processes and Bayes corpora - you *do* keep copies of messages you train Bayes with, right? :) If you trust URIBL_RHS_DOB to not hit your ham, you can increase the score of URIBL_RHS_DOB in your local rules file. If you'd prefer a more-focused solution, use a meta rule; perhaps: meta LCL_DOB_FROM_INFO __FROM_DOM_INFO && URIBL_RHS_DOB score LCL_DOB_FROM_INFO 2.500 # or whatever you're comfortable with But: fixing your Bayes and getting a non-forwarding DNS server for your mail system so that you're not hitting RBL query limits are the biggest things you need to do to address this. I have't seen an update in sa-update since 03-May-2017 01:52:05: Masscheck and updates are *almost* back. Here's a typical mail header & message content: https://pastebin.com/Rw1S7mWe Thanks for that. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- USMC Rules of Gunfighting #2: Anything worth shooting is worth shooting twice. Ammo is cheap. Your life is expensive. --- Today: Memorial Day - honor those who sacrificed for our liberty
lots of missed spam/false negatives from .info TLD being marked with URIBL_RHS_DOB
For the past few days lots of missed spam has been getting through, running SA 3.4.1 on Fedora 25 with sendmail. I see that they are being tagged with URIBL_RHS_DOB, i.e., domains registered in the last five days. Since we are not running our own DNS server (yet--need permission from our CISO) URIBL_BLOCKED is also being triggered. Is there a way to update this? I have't seen an update in sa-update since 03-May-2017 01:52:05: SpamAssassin: Update processed successfully. Here's a typical mail header & message content: https://pastebin.com/Rw1S7mWe
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
On Fri, 26 May 2017, RW wrote: On Thu, 25 May 2017 17:29:00 -0700 (PDT) John Hardin wrote: On Thu, 25 May 2017, RW wrote: Message-ID: <74e85e8d-2495-665b-372f-0144bcb2c...@mcgrail.com> header __MOZILLA_MSGID MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m Message-ID:So it looks like Mozilla has changed Message-ID values from 8hex.8hex uppercase-only to a lowercase GUID. That's a simple enough change to make to that rule. The pattern seems to be consistently 8-4-4-4-12. Ready for working masschecks and new release: https://svn.apache.org/viewvc?view=revision=1796722 https://svn.apache.org/viewvc?view=revision=1796723 -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The world has enough Mouse Clicking System Engineers. -- Dave Pooser --- Today: Memorial Day - honor those who sacrificed for our liberty
Re: dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3
Wow … thanks for the response … and thank you for all the time you are putting into getting this working again. David > On May 29, 2017, at 9:56 AM, David Joneswrote: > >> From: David Dodell > >> I've noticed that my rules are not updating anymore. > >> I'm on SpamAssassin 3.3.2 > >> So I get this error; > >> dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3 >> current version is 1786853, new version is 3, skipping channel > >> I've tried googling the error, checking the SA website ... but can't >> find any discussion of this. > >> If I do a DNS lookup of: > >> 2.3.3.updates.spamassassin.org canonical name = >> 3.3.3.updates.spamassassin.org > >> DNS then can not find 3.3.3.updates.spamassassin.org; tried some >> off-site DNS lookups, and they too can not find >> 3.3.3.updates.spamassassin.org > > Sorry about that. I am working on getting the rule update scripts > working again on our master server. I think I know what is going > on so I should be able to revert my changes to get 3.3.2 sa-update > working again. It must not be able to handle the CNAME like newer > versions of sa-update can. > > From what I can tell, all versions of SA 3.3.0 and above are compatible > with the same rules so I was hoping to only have to do rule validation > against a single version 3.3.3 and set the DNS TXT record for 3.3.3. It > appears I am going to have to adjust the script slightly to also set a direct > TXT for 3.3.2 and not use a CNAME like newer versions of sa-update > support. > > BTW, I hope to have the rules updating very soon so we can continue > with the ruleqa processing and scoring updates. I know there are a > couple of rule updates needed so I am working very hard and many > hours to get this going as soon as possible. > > Dave smime.p7s Description: S/MIME cryptographic signature
Re: dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3
>From: David Dodell>I've noticed that my rules are not updating anymore. >I'm on SpamAssassin 3.3.2 >So I get this error; >dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3 >current version is 1786853, new version is 3, skipping channel >I've tried googling the error, checking the SA website ... but can't >find any discussion of this. >If I do a DNS lookup of: >2.3.3.updates.spamassassin.org canonical name = >3.3.3.updates.spamassassin.org >DNS then can not find 3.3.3.updates.spamassassin.org; tried some >off-site DNS lookups, and they too can not find 3.3.3.updates.spamassassin.org Sorry about that. I am working on getting the rule update scripts working again on our master server. I think I know what is going on so I should be able to revert my changes to get 3.3.2 sa-update working again. It must not be able to handle the CNAME like newer versions of sa-update can. >From what I can tell, all versions of SA 3.3.0 and above are compatible with the same rules so I was hoping to only have to do rule validation against a single version 3.3.3 and set the DNS TXT record for 3.3.3. It appears I am going to have to adjust the script slightly to also set a direct TXT for 3.3.2 and not use a CNAME like newer versions of sa-update support. BTW, I hope to have the rules updating very soon so we can continue with the ruleqa processing and scoring updates. I know there are a couple of rule updates needed so I am working very hard and many hours to get this going as soon as possible. Dave
dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3
I've noticed that my rules are not updating anymore. I'm on SpamAssassin 3.3.2 So I get this error; dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3 current version is 1786853, new version is 3, skipping channel I've tried googling the error, checking the SA website ... but can't find any discussion of this. If I do a DNS lookup of: 2.3.3.updates.spamassassin.org canonical name = 3.3.3.updates.spamassassin.org DNS then can not find 3.3.3.updates.spamassassin.org; tried some off-site DNS lookups, and they too can not find 3.3.3.updates.spamassassin.org While I see on the SA website that 3.3.2 is no longer being updated or supported, I see nothing about the rules not being updates.Maybe I’m missing something in my search? David smime.p7s Description: S/MIME cryptographic signature
Re: EX_IOERR
On 5/28/2017 10:59 AM, Cecil Westerhof wrote: On Sunday 28 May 2017 14:50 CEST, Joe Quinn wrote: On 5/28/2017 2:11 AM, Cecil Westerhof wrote: When executing: spamc -L spam It looks like EX_IOERR simply refers to the fact that some process exited with status 74. Restart spamd with the -D option so you get debugging output, and it should be easier to narrow it down to a specific cause. That gave me: spamd: service unavailable: TELL commands are not enabled, set the --allow-tell switch. I added --allow-tell in spamassassin.service and it works. Thanks. Yay!