Re: Off-Topic: cPanel Escape the Server Room SpamAssassin Homage!

2017-10-02 Thread Ricky Gutierrez
On Mon, 2 Oct 2017 at 13:18, Kevin A. McGrail <
kevin.mcgr...@mcgrail.com> wrote:

> Hi All, I enjoyed speaking about SpamAssassin and ASF Meritocracy at the
> cPanel annual conference last week.   They had an Anti-Spam Ninja as
> part of their escape room where you had to give the Ninja some Spam to
> get the next clue!
>
> Attached is a photo-op with the Ninja!
>
> Regards,
>
> KAM

Very cool

Regards.
-- 
rickygm

http://gnuforever.homelinux.com


Re: FROM header with two email addresses

2017-10-02 Thread Martin Gregorie
On Mon, 2017-10-02 at 23:18 +0200, Benny Pedersen wrote:
> John Hardin wrote on 2017-10-02 23:13:
> 
> > Where?  \w is not case-sensitive.
> 
> perfect then, I had not known that, still learning
>
Do you have a copy of the 'Camel Book'? AKA "Programming Perl" by Larry
Wall, Tom Christiansen & Jon Orwant, pub O'Reilly.

If you don't have it, you need a copy. It's never failed to explain
anything I've needed to know about Perl, and its chapter on regexes will
help you to solve all regex-based SA rule problems.

Or there's an online reference: http://www.regular-expressions.info/

Also worth knowing:

- if you're running Linux, you can use the grep command to test
  regexes. Use the -P or --perl-regexp option to make grep use Perl
  regexes, so it is possible to quickly test regexes you want to use
  in SA rules by running the spam, saved as a file, through the
  grep command:

      grep -P 'regex' saved-spam-file

- or use https://regex101.com/ by typing in your regex and then
  pasting the relevant part of the spam message you're testing
  against into its 'Test String' box.

Martin



Re: FROM header with two email addresses

2017-10-02 Thread Benny Pedersen

John Hardin wrote on 2017-10-02 23:13:

> Where?  \w is not case-sensitive.

perfect then, I had not known that, still learning


Re: FROM header with two email addresses

2017-10-02 Thread John Hardin

On Mon, 2 Oct 2017, Benny Pedersen wrote:


John Hardin wrote on 2017-10-02 21:07:

> How about:
>
>  header  __FROM_QUOTES       From =~ /"/
>  header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
>  meta    __FROM_SPOOF        __FROM_MAYBE_SPOOF && !__FROM_QUOTES
>
>  (warning: totally untested)

+1

I can only see one problem with it, that is that email addresses are
case-insensitive, and you test case-sensitive


Where?  \w is not case-sensitive.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Homeland Security: Specializing in Tactical Band-aids
  for Strategic Problems. -- Eric K. in Bruce Schneier's blog
---
 186 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: FROM header with two email addresses

2017-10-02 Thread Benny Pedersen

John Hardin wrote on 2017-10-02 21:07:

> How about:
>
> header  __FROM_QUOTES       From =~ /"/
> header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
> meta    __FROM_SPOOF        __FROM_MAYBE_SPOOF && !__FROM_QUOTES
>
> (warning: totally untested)

+1

I can only see one problem with it, that is that email addresses are
case-insensitive, and you test case-sensitive

it is basically a rule I like to keep


Re: FROM header with two email addresses

2017-10-02 Thread Benny Pedersen

David Jones wrote on 2017-10-02 20:54:

> I have gone back to my original rule that catches senders that put an
> email address in the Display Name and do not have quotes.

also matches what I see, non-spam has " around from:name while spam
has not

testing if there is an @ in from:name is a 2nd test to possibly use in a meta


Re: FROM header with two email addresses

2017-10-02 Thread John Hardin

On Mon, 2 Oct 2017, David Jones wrote:

> On 10/02/2017 01:11 PM, John Hardin wrote:
>
> > On Mon, 2 Oct 2017, David Jones wrote:
> >
> > > On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
> > >
> > > > > I recently stumbled onto a mail with a Spam link where the FROM
> > > > > header field looked like this:
> > > > >
> > > > > From: "Firstname Lastname@" <sendern...@real-senders-domain.com>
> > > >
> > > > Jakob, just wanted to let you know I identified this issue as well and
> > > > just opened a ticket about it yesterday to try and figure out a rule
> > > > against it.  Can you send me spamples via pastebin, please?
> > > >
> > > > Regards,
> > > > KAM
> > >
> > > I am seeing this more and more on my SA filters and being reported by my
> > > customers:
> > >
> > > https://pastebin.com/f07Gq1kZ
> > >
> > > https://pastebin.com/FMsJNGba
> > >
> > > This is catching this pretty well so far:
> > >
> > > header  FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \</
> > > describe    FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an
> > > email address in the display name
> >
> > You probably want to let SA do the header parsing and write your rule
> > against From:name or From:addr instead.
>
> Thank you for the suggestions.  I didn't know about the From:name and
> From:addr parsing by SA.  As it turns out, the double quotes missing are very
> important.  When I use the From:name which properly has the quotes, I am
> hitting many false positives.  It appears that legit sending people or mail
> clients are putting email addresses in their "Display Name". It's the ones
> without quotes that are spam a high percentage of the time in my mail flow.

Not surprising.

> I have gone back to my original rule that catches senders that put an email
> address in the Display Name and do not have quotes.

How about:

header  __FROM_QUOTES       From =~ /"/
header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
meta    __FROM_SPOOF        __FROM_MAYBE_SPOOF && !__FROM_QUOTES

(warning: totally untested)

> > If you're testing your rules in a sandbox using debug mode, this may help:
> >
> >     header   __FROM_NAME  From:name =~ /.*/
> >     header   __FROM_ADDR  From:addr =~ /.*/
> >
> > That way you can see what's actually being parsed from the header.
> >
> > Potentially this might be as simple as:
> >
> >     header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
> >
> > or
> >
> >     header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/
> >
> > No idea how FP-prone those might be, though, so it's probably prudent to
> > meta them with other stuff as well...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The world has enough Mouse Clicking System Engineers.
   -- Dave Pooser
---
 186 days since the first commercial re-flight of an orbital booster (SpaceX)
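To see how the pieces in this thread behave on concrete headers, here is an added example in Python (mine, not code from the list or from SpamAssassin). It re-implements, as plain regex checks, David's FROM_SPOOF_EMAIL_DISPLAY rule as posted and the __FROM_QUOTES / __FROM_MAYBE_SPOOF / __FROM_SPOOF meta above, and approximates SpamAssassin's From:name / From:addr split with a small parser of my own. The split is an assumption: From:name is taken to be the text before the angle-addr with one pair of surrounding double quotes removed, which is the behaviour the thread implies when a separate raw-header quote check is needed. The sample From: lines are constructed, not taken from the pastebins.

```python
import re

# Approximation of SpamAssassin's From:name / From:addr split (assumption,
# not SA's own parser): the address is the last <...> group, the display
# name is everything before it with one pair of surrounding quotes removed.
def split_from(raw_header):
    value = raw_header.split(":", 1)[1] if raw_header.lower().startswith("from:") else raw_header
    value = value.strip()
    angle = re.search(r"<([^<>]*)>\s*$", value)
    if angle:
        addr = angle.group(1).strip()
        name = value[:angle.start()].strip()
    else:  # bare addr-spec with no display name
        addr, name = value, ""
    if len(name) >= 2 and name.startswith('"') and name.endswith('"'):
        name = name[1:-1]
    return name, addr

# David's rule as posted: raw From header, case-sensitive, 2-3 letter TLD only.
FROM_SPOOF_EMAIL_DISPLAY = re.compile(r"@[a-z_]+?\.[a-z]{2,3} <")
# John's __FROM_MAYBE_SPOOF, run against From:name only.
FROM_MAYBE_SPOOF = re.compile(r"\w@\w")

def evaluate(raw_header):
    """Return the sub-rule and meta results for one raw From: header line."""
    name, addr = split_from(raw_header)
    from_quotes = '"' in raw_header                      # __FROM_QUOTES on the raw header
    maybe_spoof = FROM_MAYBE_SPOOF.search(name) is not None
    return {
        "name": name,
        "addr": addr,
        "FROM_SPOOF_EMAIL_DISPLAY": FROM_SPOOF_EMAIL_DISPLAY.search(raw_header) is not None,
        "__FROM_QUOTES": from_quotes,
        "__FROM_MAYBE_SPOOF": maybe_spoof,
        "__FROM_SPOOF": maybe_spoof and not from_quotes,  # meta: MAYBE_SPOOF && !QUOTES
    }

# Constructed sample headers (placeholder domains, not real mail flow).
SAMPLES = {
    "unquoted_com":   'From: Alice Example alice@victim.com <bulk@blast.example>',
    "unquoted_long":  'From: Alice Example alice@victim.network <bulk@blast.example>',
    "unquoted_upper": 'From: Alice Example ALICE@VICTIM.COM <bulk@blast.example>',
    "quoted_legit":   'From: "Alice Example alice@victim.com" <alice@victim.com>',
    "plain":          'From: "Bob Builder" <bob@builders.example>',
}

def evaluate_all():
    """Evaluate every constructed sample; keyed by the sample label."""
    return {label: evaluate(hdr) for label, hdr in SAMPLES.items()}

if __name__ == "__main__":
    for label, r in evaluate_all().items():
        print(f"{label:15} name={r['name']!r:40} david={r['FROM_SPOOF_EMAIL_DISPLAY']!s:5} "
              f"meta={r['__FROM_SPOOF']}")
```

The quoted_legit sample reproduces the false positive David describes: __FROM_MAYBE_SPOOF alone fires on it, and only the raw-header quote check keeps the meta quiet. unquoted_long and unquoted_upper show the two gaps raised against the original regex (TLDs longer than three characters, and upper-case addresses), both of which \w@\w on From:name covers.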

Re: FROM header with two email addresses

2017-10-02 Thread David Jones

On 10/02/2017 01:11 PM, John Hardin wrote:

> On Mon, 2 Oct 2017, David Jones wrote:
>
> > On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
> >
> > > > I recently stumbled onto a mail with a Spam link where the FROM
> > > > header field looked like this:
> > > >
> > > > From: "Firstname Lastname@" <sendern...@real-senders-domain.com>
> > >
> > > Jakob, just wanted to let you know I identified this issue as well and
> > > just opened a ticket about it yesterday to try and figure out a rule
> > > against it.  Can you send me spamples via pastebin, please?
> > >
> > > Regards,
> > > KAM
> >
> > I am seeing this more and more on my SA filters and being reported by
> > my customers:
> >
> > https://pastebin.com/f07Gq1kZ
> >
> > https://pastebin.com/FMsJNGba
> >
> > This is catching this pretty well so far:
> >
> > header  FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \</
> > describe    FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an
> > email address in the display name
>
> You probably want to let SA do the header parsing and write your rule
> against From:name or From:addr instead.

Thank you for the suggestions.  I didn't know about the From:name and
From:addr parsing by SA.  As it turns out, the double quotes missing are
very important.  When I use the From:name which properly has the quotes,
I am hitting many false positives.  It appears that legit sending people
or mail clients are putting email addresses in their "Display Name".
It's the ones without quotes that are spam a high percentage of the time
in my mail flow.

I have gone back to my original rule that catches senders that put an
email address in the Display Name and do not have quotes.

> If you're testing your rules in a sandbox using debug mode, this may help:
>
>    header   __FROM_NAME  From:name =~ /.*/
>    header   __FROM_ADDR  From:addr =~ /.*/
>
> That way you can see what's actually being parsed from the header.
>
> Potentially this might be as simple as:
>
>    header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
>
> or
>
>    header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/
>
> No idea how FP-prone those might be, though, so it's probably prudent to
> meta them with other stuff as well...




--
David Jones


Re: FROM header with two email addresses

2017-10-02 Thread John Hardin

On Mon, 2 Oct 2017, David Jones wrote:

> On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:
>
> > > I recently stumbled onto a mail with a Spam link where the FROM header
> > > field looked like this:
> > >
> > > From: "Firstname Lastname@" <sendern...@real-senders-domain.com>
> >
> > Jakob, just wanted to let you know I identified this issue as well and
> > just opened a ticket about it yesterday to try and figure out a rule
> > against it.  Can you send me spamples via pastebin, please?
> >
> > Regards,
> > KAM
>
> I am seeing this more and more on my SA filters and being reported by my
> customers:
>
> https://pastebin.com/f07Gq1kZ
>
> https://pastebin.com/FMsJNGba
>
> This is catching this pretty well so far:
>
> header  FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \</
> describe    FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an email
> address in the display name

You probably want to let SA do the header parsing and write your rule
against From:name or From:addr instead.

If you're testing your rules in a sandbox using debug mode, this may help:

  header   __FROM_NAME  From:name =~ /.*/
  header   __FROM_ADDR  From:addr =~ /.*/

That way you can see what's actually being parsed from the header.

Potentially this might be as simple as:

  header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/

or

  header  __FROM_MULTIPLE_ADDR    From:addr =~ /\s/

No idea how FP-prone those might be, though, so it's probably prudent to
meta them with other stuff as well...



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If you ask amateurs to act as front-line security personnel,
  you shouldn't be surprised when you get amateur security.
-- Bruce Schneier
---
 186 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: FROM header with two email addresses

2017-10-02 Thread Benny Pedersen

David Jones wrote on 2017-10-02 19:43:

> https://pastebin.com/f07Gq1kZ
> https://pastebin.com/FMsJNGba
>
> This is catching this pretty well so far:
>
> header  FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \</
> describe    FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an
> email address in the display name
> score   FROM_SPOOF_EMAIL_DISPLAY    4.2

From:  some...@example.com

also imho from:name must be with quoted content like

From: "some...@example.com"

for being RFC valid, was the extra space after From: added by you? I
have only seen spam bots do this

you miss hits on TLDs with the above test, which only supports 3-char
TLDs, no?


Re: FROM header with two email addresses

2017-10-02 Thread David Jones

On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:

> > I recently stumbled onto a mail with a Spam link where the FROM header
> > field looked like this:
> >
> > From: "Firstname Lastname@" <sendern...@real-senders-domain.com>
>
> Jakob, just wanted to let you know I identified this issue as well and
> just opened a ticket about it yesterday to try and figure out a rule
> against it.  Can you send me spamples via pastebin, please?
>
> Regards,
> KAM

I am seeing this more and more on my SA filters and being reported by my
customers:

https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba

This is catching this pretty well so far:

header  FROM_SPOOF_EMAIL_DISPLAY    From =~ /\@[a-z_]+?\.[a-z]{2,3} \</
describe    FROM_SPOOF_EMAIL_DISPLAY    From trying to spoof an
email address in the display name

score   FROM_SPOOF_EMAIL_DISPLAY    4.2

P.S. I am sure that someone will suggest an improvement to the above
rule and they are welcome.  I know it won't catch all email addresses
based on that regex so it probably should be adjusted to handle new TLDs
with more than 3 characters.

P.P.S. Standard disclaimer to adjust the score down until you have done
some testing in your environment then score it how you see fit.


--
David Jones


Re: Increasing spam level for MX backup server?

2017-10-02 Thread Noel
On 10/2/2017 10:03 AM, Davide Marchi wrote:
> On 2017-09-28 18:41 Noel wrote:
> [..]
>
>>
>> If you feel you must have a backup MX, then the backup must have
>> spam controls equal to or more strict than the primary, and backup
>> must have a current recipient list so it can reject unknown
>> recipients.  The primary must never reject mail forwarded from the
>> backup.
>>
>
> Well, this is clear!
> And at this point, excluding Postscreen for the reasons above, what if
> I enabled DKIM keys on both servers? Could this solution stop spam
> email from non-existent aliases that come from my domains?
> For example, one of my domains could be foo.com and I have the postfix
> virtual users o...@foo.com and t...@foo.com and receive spam email
> from the nonexistent th...@foo.com.
> Could the DKIM solution on both servers stop spam from
> th...@foo.com? Or should I configure local_recipient_maps better?
>
>
> many thanks again and thanks for your patience!! :-)
>
> David


DKIM will stop forged senders in your domain, but it won't stop mail
to a random recipient in your domain. Each server *must* have a list
of valid recipients.  The secondary MX will use
relay_recipient_maps for this.

You can still use postscreen independently on both servers, but the
two postscreen instances can't share information.

For further info on postfix config, please see the postfix docs or
ask on the postfix-users list since this is off-topic for spamassassin.




  -- Noel Jones
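Putting Noel's requirements into Postfix terms, here is an added configuration sketch (mine, not from the thread or from the Postfix documentation; the domain, hostnames, file paths and the backup's IP address are assumptions) for a backup MX that relays for one domain and rejects unknown recipients at SMTP time, plus what the primary needs so it never rejects mail the backup forwards.

```ini
# --- backup MX: /etc/postfix/main.cf (assumed domain and paths) ---
relay_domains = example.com
# The backup must know every valid mailbox so it rejects unknown
# recipients during the SMTP dialogue instead of accepting and bouncing.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/relay_recipients  (rebuild with postmap after each change;
# keep it in sync with the primary's real mailbox list)
#   one@example.com    OK
#   two@example.com    OK

# /etc/postfix/transport  (hand everything for the domain to the primary)
#   example.com        smtp:[mx1.example.com]

# --- primary MX: /etc/postfix/main.cf ---
# Mail forwarded by the backup must never be rejected or postscreen-tested,
# so its address (assumed 192.0.2.10) is trusted on both paths.
mynetworks = 127.0.0.0/8, 192.0.2.10/32
postscreen_access_list = permit_mynetworks
```

The same spam controls (SpamAssassin, DNSBLs, postscreen) then run on the backup too; the one place they may not run is on the primary for connections coming from the backup, which is what permit_mynetworks and the postscreen access list take care of.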


Re: Increasing spam level for MX backup server?

2017-10-02 Thread Davide Marchi

On 2017-09-28 18:41 Noel wrote:
[..]

> First, [...] If the two hosts
> aren't physically close -- on the same switch -- this just isn't
> practical.

Eh, my two VPS are in two different geographic locations.
This spoils everything.

> Secondly, [..] And if the
> postscreen cache is on the primary and unreachable, then you won't
> be getting any mail.

OK

> The best way to reduce spam on the backup MX server is to not use a
> backup MX server.

:-)

> If you feel you must have a backup MX, then the backup must have
> spam controls equal to or more strict than the primary, and backup
> must have a current recipient list so it can reject unknown
> recipients.  The primary must never reject mail forwarded from the
> backup.

Well, this is clear!
And at this point, excluding Postscreen for the reasons above, what if I
enabled DKIM keys on both servers? Could this solution stop spam email
from non-existent aliases that come from my domains?
For example, one of my domains could be foo.com and I have the postfix
virtual users o...@foo.com and t...@foo.com and receive spam email from
the nonexistent th...@foo.com.
Could the DKIM solution on both servers stop spam from th...@foo.com? Or
should I configure local_recipient_maps better?

many thanks again and thanks for your patience!! :-)

Davide







Re: Increasing spam level for MX backup server?

2017-10-02 Thread Davide Marchi

On 2017-09-28 16:48 Reindl Harald wrote:
[..]

> no, you have both the same machine, frankly you do nothing else than
> add the IP of the backup-mx to the box and tell postscreen with
> "postscreen_whitelist_interfaces" which one is *always* a 450 response

OK

> there is no "primary MX down" - it's the same postscreen process, they
> are both up or both down - if down, queued email is the client's job and
> spambots trying first the backup-mx don't retry

OK

> how often and how long is your MX down?
> if it's below 3-5 days no need for a backup-mx at all
> if it's often longer solve that problem

OK

> Regarding the configuration:

OK

> > main.cf:
> > postscreen_dnsbl_action = enforce
> > postscreen_greet_action = enforce
> > postscreen_greet_wait   = ${stress?2}${stress:10}s
> > postscreen_whitelist_interfaces = !, static:all
> >
> > My master.cf (for both servers it is the same):
> >
> > smtp  inet  n   -   -   -   -   smtpd
> > #smtp  inet  n   -   -   -   1   postscreen
> > #smtpd pass  -   -   -   -   -   smtpd
> > #dnsblog   unix  -   -   -   -   0   dnsblog
> > #tlsproxy  unix  -   -   -   -   0   tlsproxy
> >
> > Should it be enough to uncomment "postscreen"?
>
> NO, these belong together and "dnsblog" is used for the RBL requests

OK

> master.cf:
> smtp    unix  -   -   n   -  50   smtp
> smtpd   pass  -   -   n   -  15   smtpd
> smtp    inet  n   -   y   -   1 postscreen
> dnsblog unix  -   -   y   -   0   dnsblog

OK

> main.cf:
> postscreen_dnsbl_min_ttl = 30s
> postscreen_dnsbl_max_ttl = 30s
> postscreen_dnsbl_threshold = 8
> postscreen_dnsbl_sites =
>  dnsbl.sorbs.net=127.0.0.10*9
>  [..]

many thanks Harald!

Many thanks again, now the overall situation is clearer for me!

Davide