Re: Config option to skip pyzor check on empty body emails?
On 12/09/17 12:33, RW wrote:
> On Tue, 12 Sep 2017 08:41:01 +0100 Sebastian Arcus wrote:
>> The confusing part is that left to its devices, Pyzor creates a .pyzor dir in the home dir of the user it is run as. But if --homedir is specified, it dumps stuff directly there, instead of creating a .pyzor dir. In the end I got rid of the "pyzor_options --homedir" option in local.cf and it worked fine.
>
> It is a bit confusing, but it's not that the .pyzor directory is used inconsistently, it's that pyzor defines
>
>   --homedir=HOMEDIR   configuration directory
>
> so the default homedir is $HOME/.pyzor/ not $HOME/. If you want to use pyzor_options you could use:
>
>   pyzor_options --homedir /var/spool/spamd/.pyzor

Like with everything, it all makes sense after you fully understand what's going on :-) I just made the wrong assumptions about how the option would work. Like Ian says, the word "home" in the option name makes it easy to assume that everything will be arranged as subdirectories under it. No matter - I'm happy I've finally found a solution to the empty-bodied emails hitting PYZOR_CHECK :-)

Thanks again for all the help.
Re: new campaign: bitly & appengine.google
On Tue, 12 Sep 2017, Chip M. wrote:
> Does anyone have a contact at BitLy? These would be trivially easy for them to block.

I've had good fortune reporting individual instances of abuse to ab...@bit.ly, I don't see any reason why that wouldn't be your first point of contact for something like this.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  Joan Peterson is like that: you expect at least a pseudological argument, but instead you get the weird ramblings of a woman with the critical thinking abilities of an 18th century peasant. -- Ken
---
  5 days until the 230th anniversary of the signing of the U.S. Constitution
Re: new campaign: bitly & appengine.google
Report to – supp...@bitly.com

On 9/12/17, 1:29 PM, "Benny Pedersen" wrote:
> Chip M. wrote on 2017-09-12 15:28:
>> Does anyone have a contact at BitLy? These would be trivially easy for them to block.
>
> https://support.bitly.com/hc/en-us/articles/231247908-I-ve-found-a-bitlink-that-directs-to-spam-what-should-I-do-
>
> googled bit.ly report spam
Re: new campaign: bitly & appengine.google
Chip M. wrote on 2017-09-12 15:28:
> Does anyone have a contact at BitLy? These would be trivially easy for them to block.

https://support.bitly.com/hc/en-us/articles/231247908-I-ve-found-a-bitlink-that-directs-to-spam-what-should-I-do-

googled bit.ly report spam
Re: Config option to skip pyzor check on empty body emails?
On 2017-09-12 12:33, RW wrote:
> It is a bit confusing, but it's not that the .pyzor directory is used
> inconsistently, it's that pyzor defines
>
>   --homedir=HOMEDIR   configuration directory

The confusing part is the spelling of the option. The mistake is clear from the last line quoted above: it should be "configdir" and not "homedir". Admittedly pyzor will put the data there by default as well (when backed by gdbm) but that's a minor quibble by comparison.

-- 
Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup. Do obvious transformation on domain to reply privately _only_ on Usenet.
Re: new campaign: bitly & appengine.google
On 9/12/2017 9:28 AM, Chip M. wrote:
> There's a new campaign that uses Bitly shorteners to some sort of Google forwarder ("appengine"). Here's some sample Locations returned by HEADing the shorteners:
>
> appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/report.php?mn=##
> appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbtax.com/getreport.php?ne=
> appengine.google.com/_ah/logout?continue=http://bbbwork.com/abuse.php?number=#
> appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcompliancenetwork.com/compliance.php?ne=##
> appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbb-compliance.com/abuse.php?rt=###
>
> I've hashed out the parts that look like tracking IDs, all of which have been pure numeric chars.
>
> Here's the corresponding Subjects:
>
> 752566913589:407
> 8260420930:36
> Incident:062881374904:149
> Incident:22677610925:290
> Incident:5858851682625:543
>
> The message text is a fake BBB complaint. I'll put a sample online tonight, if practical.
>
> The SA scores have ranged from -2.2 to 1.5, with no useful patterns.
>
> Does anyone have a contact at BitLy? These would be trivially easy for them to block.
>
> - "Chip"

I added a rule called FAKEBBB to KAM.cf yesterday for these issues. If you have variants not caught, please let me know. I haven't seen one since.

Good idea to contact bit.ly as well as Google. I'll see if I can backchannel to google about the appengine misuse.

Regards,
KAM
new campaign: bitly & appengine.google
There's a new campaign that uses Bitly shorteners to some sort of Google forwarder ("appengine"). Here's some sample Locations returned by HEADing the shorteners:

appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/report.php?mn=##
appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbtax.com/getreport.php?ne=
appengine.google.com/_ah/logout?continue=http://bbbwork.com/abuse.php?number=#
appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcompliancenetwork.com/compliance.php?ne=##
appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbb-compliance.com/abuse.php?rt=###

I've hashed out the parts that look like tracking IDs, all of which have been pure numeric chars.

Here's the corresponding Subjects:

752566913589:407
8260420930:36
Incident:062881374904:149
Incident:22677610925:290
Incident:5858851682625:543

The message text is a fake BBB complaint. I'll put a sample online tonight, if practical.

The SA scores have ranged from -2.2 to 1.5, with no useful patterns.

Does anyone have a contact at BitLy? These would be trivially easy for them to block.

- "Chip"
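The Location values above are nested open-redirector hops: each appengine.google.com/_ah/logout?continue= level forwards to the next URL, and only the innermost one is the actual landing site. The following is an added example, not code from this thread, from SpamAssassin or from Bitly/Google: it unwraps that chain offline and recovers the landing host, so a filter rule or log triage can key on the destination domain rather than on the shortener or the Google hostname. It assumes that only appengine.google.com acts as a redirector and that the continue= value may be raw (as quoted on the list) or percent-encoded; the sample list is constructed from the Locations quoted in the post.

```python
"""
Added example (not from the list thread): unwrap the nested
appengine.google.com/_ah/logout?continue=... redirector chain and recover
the final landing host, for use in filtering or log review.
Assumptions: only appengine.google.com is treated as a redirector, and the
continue= value is either raw or percent-encoded.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Hosts whose ?continue= parameter forwards the browser elsewhere
# (assumption: only the one observed in the campaign; extend as needed).
REDIRECTOR_HOSTS = {"appengine.google.com"}

# Constructed sample: the Location values quoted in the post, with the
# numeric tracking IDs already hashed out by the original poster.
SAMPLE_LOCATIONS = [
    "appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/report.php?mn=##",
    "appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbtax.com/getreport.php?ne=",
    "appengine.google.com/_ah/logout?continue=http://bbbwork.com/abuse.php?number=#",
    "appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcompliancenetwork.com/compliance.php?ne=##",
    "appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbb-compliance.com/abuse.php?rt=###",
]

_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# Greedy: everything after the first continue= is the inner URL, including
# any further ?continue= levels and query strings of its own.
_CONTINUE_RE = re.compile(r"[?&]continue=(.*)$", re.S)


def _host_of(url: str) -> str:
    """Hostname of a URL; the quoted Location values lack a scheme, so add one."""
    if not _SCHEME_RE.match(url):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def unwrap_redirect(location: str, max_hops: int = 10) -> list:
    """Return the chain of hosts from the outer redirector to the landing host.

    Stops when a host is not a known redirector, when no continue= is
    present, or after max_hops (guards against self-referential chains).
    """
    hops = []
    url = location
    for _ in range(max_hops):
        host = _host_of(url)
        hops.append(host)
        if host not in REDIRECTOR_HOSTS:
            break
        m = _CONTINUE_RE.search(url)
        if not m:
            break
        url = unquote(m.group(1))  # inner URL may be percent-encoded
    return hops


def landing_host(location: str) -> str:
    """Final host the redirect chain ends at."""
    return unwrap_redirect(location)[-1]


def is_redirector_abuse(location: str) -> bool:
    """True when the chain starts at a known redirector and leaves it for a third-party host."""
    hops = unwrap_redirect(location)
    return hops[0] in REDIRECTOR_HOSTS and hops[-1] not in REDIRECTOR_HOSTS


def tally_landing_hosts(locations) -> Counter:
    """Count landing hosts across a batch of Location values (for triage or an abuse report)."""
    return Counter(landing_host(loc) for loc in locations)


if __name__ == "__main__":
    for loc in SAMPLE_LOCATIONS:
        verdict = "ABUSE" if is_redirector_abuse(loc) else "ok"
        print(" -> ".join(unwrap_redirect(loc)), verdict)
    print(tally_landing_hosts(SAMPLE_LOCATIONS))
```

The chain is unwrapped with a regex on the raw string rather than with parse_qs, because the quoted continue= values are not percent-encoded and a query parser would split the inner URL on its own "?" and "#" characters; the hop limit keeps a chain that points back at itself from looping.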
Re: Config option to skip pyzor check on empty body emails?
On Tue, 12 Sep 2017 08:41:01 +0100 Sebastian Arcus wrote:
> The confusing part is that left to its devices, Pyzor creates
> a .pyzor dir in the home dir of the user it is run as. But if
> --homedir is specified, it dumps stuff directly there, instead of
> creating a .pyzor dir. In the end I got rid of the "pyzor_options
> --homedir" option in local.cf and it worked fine.

It is a bit confusing, but it's not that the .pyzor directory is used inconsistently, it's that pyzor defines

  --homedir=HOMEDIR   configuration directory

so the default homedir is $HOME/.pyzor/ not $HOME/. If you want to use pyzor_options you could use:

  pyzor_options --homedir /var/spool/spamd/.pyzor
Re: Config option to skip pyzor check on empty body emails?
On 12/09/17 00:56, RW wrote:
> On Tue, 12 Sep 2017 00:37:40 +0100 Sebastian Arcus wrote:
>> On 11/09/17 20:20, RW wrote:
>>> This is why pyzor has the local_whitelist command. At very least it's a good idea to pipe an empty string through "pyzor local_whitelist" (probably as the user running spamassassin).
>>
>> I have spotted that command in the docs - and if it worked, it would seem like a good solution. But it doesn't seem to. I have added the hash of the empty string to the local whitelist. If I try to re-add the same hash, or the hash of the problem emails - I get a message stating that it is already in the whitelist - so it would appear to be working. But when running the email message through SA, it still hits PYZOR_CHECK. I have found the location of Pyzor's local whitelist - and the permissions are correct. It appears that SA completely ignores the fact that the digest is whitelisted locally:
>
> SA can't ignore it, if a hash is whitelisted pyzor returns a dummy result. e.g.:
>
>   $ echo "" | pyzor check
>   public.pyzor.org:24441    (200, 'OK')    0    0
>
> compared with:
>
>   $ echo "" | pyzor --local-whitelist=/nonextistent check
>   public.pyzor.org:24441    (200, 'OK')    2749671    82562

Thank you for that. I finally got to the bottom of my problem. It was the Pyzor homedir. Although I have set it up in /etc/mail/spamassassin/local.cf, I ended up confusing myself.

If I ran as root:

  #pyzor local_whitelist < /email.eml

it placed the whitelist in /root/.pyzor/whitelist

When I ran:

  #su - spamd -c "pyzor local_whitelist < /email.eml"

it placed it in /var/spool/spamd/.pyzor/whitelist (/var/spool/spamd is the homedir of the 'spamd' user on this system)

But when I ran:

  #su - spamd -c "pyzor --homedir /var/spool/spamd < /email.eml"

it placed it in /var/spool/spamd/whitelist

The confusing part is that left to its devices, Pyzor creates a .pyzor dir in the home dir of the user it is run as. But if --homedir is specified, it dumps stuff directly there, instead of creating a .pyzor dir.

In the end I got rid of the "pyzor_options --homedir" option in local.cf and it worked fine. I was just tying myself in knots there :-)

Thanks again