Re: lots of missed spam/false negatives from .info TLD being marked with URIBL_RHS_DOB

[David Jones]

>From: John Hardin 
    
>On Mon, 29 May 2017, Robert Kudyba wrote:

>> For the past few days lots of missed spam has been getting through, running
>> SA 3.4.1 on Fedora 25 with sendmail. I see that they are being tagged with
>> URIBL_RHS_DOB, i.e.,  domains registered in the last five days. Since we
>> are not running our own DNS server (yet--need permission from our CISO)
>> URIBL_BLOCKED is also being triggered. Is there a way to update this?

>Update what how?

>I note that message hit BAYES_00. If content like that is getting a 
>"strong ham" Bayes score, you should review your training processes and 
>Bayes corpora - you *do* keep copies of messages you train Bayes with, 
>right? :)

>If you trust URIBL_RHS_DOB to not hit your ham, you can increase the score 
>of URIBL_RHS_DOB in your local rules file.

>If you'd prefer a more-focused solution, use a meta rule; perhaps:

>   meta  LCL_DOB_FROM_INFO   __FROM_DOM_INFO && URIBL_RHS_DOB
>   score LCL_DOB_FROM_INFO   2.500  # or whatever you're comfortable with

>But: fixing your Bayes and getting a non-forwarding DNS server for your 
>mail system so that you're not hitting RBL query limits are the biggest 
>things you need to do to address this.

>> I have't seen an update in sa-update since 03-May-2017 01:52:05:

>Masscheck and updates are *almost* back.

>> Here's a typical mail header & message content:
>> https://pastebin.com/Rw1S7mWe

>Thanks for that.

Do you have any RBLs setup in sendmail?  You need
to use bb.barracudacentral.org and zen.spamhaus.org
at a minimum.  Hopefully your DNS server situation
can get fixed soon so you can use BLs successfully.

score.senderscore.com reputation is 0 out of 100

http://multirbl.valli.org/lookup/208.110.91.112.html

If you switched to Postfix, there are many benefits
to using Postscreen with weighted RBLs.  I have over
20 RBLs working together for best accuracy and low
false positives.

SpamAssassin is primarily going to be a content filter
with some reputation checks.  Setup the MTA to be
primarily reputation checks with DNS (i.e. make sure
the sending IP has a PTR record [RDNS_NONE]) and
RBL lookups.

The MTA should be blocking the majority of spam
before it gets to SpamAssassin.

Dave

Re: lots of missed spam/false negatives from .info TLD being marked with URIBL_RHS_DOB

[John Hardin]

On Mon, 29 May 2017, Robert Kudyba wrote:


For the past few days lots of missed spam has been getting through, running
SA 3.4.1 on Fedora 25 with sendmail. I see that they are being tagged with
URIBL_RHS_DOB, i.e.,  domains registered in the last five days. Since we
are not running our own DNS server (yet--need permission from our CISO)
URIBL_BLOCKED is also being triggered. Is there a way to update this?


Update what how?

I note that message hit BAYES_00. If content like that is getting a 
"strong ham" Bayes score, you should review your training processes and 
Bayes corpora - you *do* keep copies of messages you train Bayes with, 
right? :)


If you trust URIBL_RHS_DOB to not hit your ham, you can increase the score 
of URIBL_RHS_DOB in your local rules file.


If you'd prefer a more-focused solution, use a meta rule; perhaps:

  meta  LCL_DOB_FROM_INFO   __FROM_DOM_INFO && URIBL_RHS_DOB
  score LCL_DOB_FROM_INFO   2.500  # or whatever you're comfortable with

But: fixing your Bayes and getting a non-forwarding DNS server for your 
mail system so that you're not hitting RBL query limits are the biggest 
things you need to do to address this.



I have't seen an update in sa-update since 03-May-2017 01:52:05:


Masscheck and updates are *almost* back.


Here's a typical mail header & message content:
https://pastebin.com/Rw1S7mWe


Thanks for that.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #2: Anything worth shooting
  is worth shooting twice. Ammo is cheap. Your life is expensive.
---
 Today: Memorial Day - honor those who sacrificed for our liberty

lots of missed spam/false negatives from .info TLD being marked with URIBL_RHS_DOB

[Robert Kudyba]

For the past few days lots of missed spam has been getting through, running
SA 3.4.1 on Fedora 25 with sendmail. I see that they are being tagged with
URIBL_RHS_DOB, i.e.,  domains registered in the last five days. Since we
are not running our own DNS server (yet--need permission from our CISO)
URIBL_BLOCKED is also being triggered. Is there a way to update this? I
have't seen an update in sa-update since 03-May-2017 01:52:05:
SpamAssassin: Update processed successfully. Here's a typical mail header &
message content:
https://pastebin.com/Rw1S7mWe

Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD

[John Hardin]

On Fri, 26 May 2017, RW wrote:


On Thu, 25 May 2017 17:29:00 -0700 (PDT)
John Hardin wrote:


On Thu, 25 May 2017, RW wrote:

Message-ID: <74e85e8d-2495-665b-372f-0144bcb2c...@mcgrail.com>


header __MOZILLA_MSGID MESSAGEID =~
/^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m

Message-ID:



So it looks like Mozilla has changed Message-ID values from 8hex.8hex
uppercase-only to a lowercase GUID. That's a simple enough change to
make to that rule.


The pattern seems to be consistently 8-4-4-4-12.


Ready for working masschecks and new release:
https://svn.apache.org/viewvc?view=revision=1796722
https://svn.apache.org/viewvc?view=revision=1796723

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The world has enough Mouse Clicking System Engineers.
   -- Dave Pooser
---
 Today: Memorial Day - honor those who sacrificed for our liberty

Re: dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3

[David Dodell]

Wow … thanks for the response … and thank you for all the time you are putting 
into getting this working again.

David

> On May 29, 2017, at 9:56 AM, David Jones  wrote:
> 
>> From: David Dodell 
> 
>> I've noticed that my rules are not updating anymore. 
> 
>> I'm on SpamAssassin 3.3.2 
> 
>> So I get this error; 
> 
>> dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3 
>> current version is 1786853, new version is 3, skipping channel 
> 
>> I've tried googling the error, checking the SA website ... but can't
>> find any discussion of this.
> 
>> If I do a DNS lookup of: 
> 
>> 2.3.3.updates.spamassassin.org  canonical name = 
>> 3.3.3.updates.spamassassin.org 
> 
>> DNS then can not find 3.3.3.updates.spamassassin.org; tried some
>> off-site DNS lookups, and they too can not find 
>> 3.3.3.updates.spamassassin.org
> 
> Sorry about that.  I am working on getting the rule update scripts
> working again on our master server.  I think I know what is going
> on so I should be able to revert my changes to get 3.3.2 sa-update
> working again.  It must not be able to handle the CNAME like newer
> versions of sa-update can.
> 
> From what I can tell, all versions of SA 3.3.0 and above are compatible
> with the same rules so I was hoping to only have to do rule validation
> against a single version 3.3.3 and set the DNS TXT record for 3.3.3.  It
> appears I am going to have to adjust the script slightly to also set a direct
> TXT for 3.3.2 and not use a CNAME like newer versions of sa-update
> support.
> 
> BTW, I hope to have the rules updating very soon so we can continue
> with the ruleqa processing and scoring updates.  I know there are a
> couple of rule updates needed so I am working very hard and many
> hours to get this going as soon as possible.
> 
> Dave



smime.p7s
Description: S/MIME cryptographic signature

Re: dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3

[David Jones]

>From: David Dodell 
    
>I've noticed that my rules are not updating anymore. 

>I'm on SpamAssassin 3.3.2 

>So I get this error; 

>dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3 
>current version is 1786853, new version is 3, skipping channel 

>I've tried googling the error, checking the SA website ... but can't
>find any discussion of this.

>If I do a DNS lookup of: 

>2.3.3.updates.spamassassin.org  canonical name = 
>3.3.3.updates.spamassassin.org 

>DNS then can not find 3.3.3.updates.spamassassin.org; tried some
>off-site DNS lookups, and they too can not find 3.3.3.updates.spamassassin.org

Sorry about that.  I am working on getting the rule update scripts
working again on our master server.  I think I know what is going
on so I should be able to revert my changes to get 3.3.2 sa-update
working again.  It must not be able to handle the CNAME like newer
versions of sa-update can.

>From what I can tell, all versions of SA 3.3.0 and above are compatible
with the same rules so I was hoping to only have to do rule validation
against a single version 3.3.3 and set the DNS TXT record for 3.3.3.  It
appears I am going to have to adjust the script slightly to also set a direct
TXT for 3.3.2 and not use a CNAME like newer versions of sa-update
support.

BTW, I hope to have the rules updating very soon so we can continue
with the ruleqa processing and scoring updates.  I know there are a
couple of rule updates needed so I am working very hard and many
hours to get this going as soon as possible.

Dave

dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3

[David Dodell]

I've noticed that my rules are not updating anymore. 

I'm on SpamAssassin 3.3.2 

So I get this error; 

dns:2.3.3.updates.spamassassin.org => 3.3 1786853, parsed as 3 
current version is 1786853, new version is 3, skipping channel 

I've tried googling the error, checking the SA website ... but can't find any 
discussion of this. 

If I do a DNS lookup of: 

2.3.3.updates.spamassassin.org  canonical name = 3.3.3.updates.spamassassin.org 

DNS then can not find 3.3.3.updates.spamassassin.org; tried some off-site DNS 
lookups, and they too can not find 3.3.3.updates.spamassassin.org 

While I see on the SA website that 3.3.2 is no longer being updated or 
supported, I see nothing about the rules not being updates.Maybe I’m 
missing something in my search?

David 

smime.p7s
Description: S/MIME cryptographic signature

Re: EX_IOERR

[Joe Quinn]

On 5/28/2017 10:59 AM, Cecil Westerhof wrote:

On Sunday 28 May 2017 14:50 CEST, Joe Quinn wrote:


On 5/28/2017 2:11 AM, Cecil Westerhof wrote:

When executing:
spamc -L spam 
It looks like EX_IOERR simply refers to the fact that some process
exited with status 74. Restart spamd with the -D option so you get
debugging output, and it should be easier to narrow it down to a
specific cause.

That gave me:
 spamd: service unavailable: TELL commands are not enabled, set the 
--allow-tell switch.

I added --allow-tell in spamassassin.service and it works.

Thanks.


Yay!