Re: Another form of obfuscation email.
On 10 Dec 2018, at 14:13, RW wrote:
> On Mon, 10 Dec 2018 12:45:53 -0500 Mark London wrote:
>> Hi - Here's another form of obfuscation spam. This time, not a porn blackmail one. Almost the whole text is obfuscated.
>> https://pastebin.com/VURwmrrF
> You say obfuscated, but it looked completely unreadable to me.

The text/plain part is garbage, but the text/html part renders to a mostly readable phish.

-- 
Bill Cole
Re: Spamassassin using remote rules definition source?
On Mon, 10 Dec 2018, ozgurerdogan wrote:
> I simply need to write custom rules to block certain mails, domain names. Do I have to learn programming language for this? Is not it easy like create a conf file and let Sa update rules from that source remotely via http?

If your primary need is to block certain domain names it might be easier to create your own custom DNS-RBL and add rules to your SA configuration to score against that. Once you've got the DNS-RBL built (I recommend rbldnsd, http://www.corpit.ru/mjt/rbldnsd.html) and the querying rules added to your SA config, then updating is just a matter of adding new names to your DNS-RBL. If you use rbldnsd, it's as easy as just "echoing" names onto the end of a text file.

By clever usage of the IP address associated with the name and the scoring rules it is possible to have different scores assigned to specific names. EG: if a name has the address 127.0.0.2 then give it a score of +2; if 127.0.0.4 then give it a score of 10. So if a host is a bit spammy then the 127.0.0.2 address will not outright black-list it but help score with other indications (EG Bayes, etc). Whereas if you give it a 127.0.0.4 then it's a one-shot kill.

I actually run two local RBLs, one for DNS/Hostnames and one for URI-RBL to hit specific URLs within messages.

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include Better is not better, 'standard' is better. B{
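The two-list layout Dave describes, written out as an added example (constructed for this page, not his actual configuration): an rbldnsd ip4set zone for sending hosts, a dnset zone for domains that appear in message URIs, and the SpamAssassin rules that turn a 127.0.0.2 answer into a nudge and a 127.0.0.4 answer into a kill. The zone names bl.example.com and uribl.example.com, the listed addresses and domains, and the rule names are all placeholders.

```conf
# --- rbldnsd data file bl.list (served as zone bl.example.com, dataset type ip4set) ---
# A ":A:TXT" line sets the answer for every entry that follows it, so an update is
# just appending a line under the right header. Addresses are placeholders.
$SOA 3600 ns.example.com. hostmaster.example.com. 0 3600 900 604800 300
$NS  3600 ns.example.com.
:127.0.0.2:Sending host is on the local grey list
192.0.2.25
:127.0.0.4:Sending host is on the local black list
198.51.100.0/24

# --- rbldnsd data file uribl.list (served as zone uribl.example.com, dataset type dnset) ---
# A leading dot lists the domain together with all of its subdomains.
$SOA 3600 ns.example.com. hostmaster.example.com. 0 3600 900 604800 300
$NS  3600 ns.example.com.
:127.0.0.2:Domain is on the local grey list
.spammy.example
:127.0.0.4:Domain is on the local black list
.badguy.example

# --- SpamAssassin local.cf: score the sending host by the answer bl.example.com returns ---
# "-lastexternal" restricts the lookup to the last untrusted relay, so keep
# trusted_networks/internal_networks accurate or your own MX is what gets looked up.
header   __RCVD_IN_LOCALBL     eval:check_rbl('localbl-lastexternal', 'bl.example.com.')
tflags   __RCVD_IN_LOCALBL     net
header   RCVD_IN_LOCALBL_GREY  eval:check_rbl_sub('localbl-lastexternal', '127.0.0.2')
describe RCVD_IN_LOCALBL_GREY  Sending host is on the local grey list
tflags   RCVD_IN_LOCALBL_GREY  net
score    RCVD_IN_LOCALBL_GREY  2.0
header   RCVD_IN_LOCALBL_BLACK eval:check_rbl_sub('localbl-lastexternal', '127.0.0.4')
describe RCVD_IN_LOCALBL_BLACK Sending host is on the local black list
tflags   RCVD_IN_LOCALBL_BLACK net
score    RCVD_IN_LOCALBL_BLACK 10.0

# --- SpamAssassin local.cf: score domains found in URIs against uribl.example.com ---
# urirhssub takes a bitmask on the last octet, so 2 and 4 are kept as distinct bits;
# an answer of 127.0.0.6 would hit both rules.
urirhssub URIBL_LOCAL_GREY  uribl.example.com. A 2
body      URIBL_LOCAL_GREY  eval:check_uridnsbl('URIBL_LOCAL_GREY')
describe  URIBL_LOCAL_GREY  Contains a URL whose domain is on the local grey list
tflags    URIBL_LOCAL_GREY  net
score     URIBL_LOCAL_GREY  2.0
urirhssub URIBL_LOCAL_BLACK uribl.example.com. A 4
body      URIBL_LOCAL_BLACK eval:check_uridnsbl('URIBL_LOCAL_BLACK')
describe  URIBL_LOCAL_BLACK Contains a URL whose domain is on the local black list
tflags    URIBL_LOCAL_BLACK net
score     URIBL_LOCAL_BLACK 10.0
```

rbldnsd is started with one zone:type:file argument per list, e.g. `rbldnsd -b 127.0.0.1/5353 -r /var/lib/rbldnsd bl.example.com:ip4set:bl.list uribl.example.com:dnset:uribl.list` (paths assumed). It is authoritative only, so the resolver SpamAssassin uses has to reach it: delegate the two zones to it with NS records, or add a stub/forward zone for them in your local resolver. Check the plumbing end to end before trusting the scores: `dig @127.0.0.1 -p 5353 25.2.0.192.bl.example.com A` should answer 127.0.0.2, and `spamassassin -D dns -t < sample.eml` shows the queries SA actually issues. Keep the rules files under version control as well; a typo in a `:127.0.0.4:` line silently turns a kill list into a no-op.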
Re: Spamassassin using remote rules definition source?
On 12/10/2018 2:49 PM, Kris Deugau wrote: > The master/reference files are stored in a Subversion repository. > Commits to particular paths trigger the creation of the tarball, SHA* > hash files, and GPG signature. A cron job on our DNS master server > polls the repository to see if any of the paths have a higher > last-changed revision, and update the DNS subzone if so. Nice. I'd like to see your svn commit hook scripts if you can share. -- Kevin A. McGrail VP Fundraising, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Another form of obfuscation email.
On Mon, 10 Dec 2018, Mark London wrote:
> Hi - Here's another form of obfuscation spam. This time, not a porn blackmail one. Almost the whole text is obfuscated.
> https://pastebin.com/VURwmrrF

__UNICODE_OBFU_ASC hits that pretty well, but the FP avoidance for the scored version was a bit too aggressive. Fixed.

> I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is why the message got a high spam rating. By default though, that rule is disabled (score = 0). Without that, the email would have gotten through.

HTML_OBFUSCATE_90_100 gets no hits in the masscheck corpus. Potentially we should set a fixed override score for it.

I've tweaked a couple of other rules that this hit that were either testing-only or filtered out. It should score higher soon.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
5 days until Bill of Rights day
Re: Spamassassin using remote rules definition source?
John Hardin wrote:
> On Mon, 10 Dec 2018, ozgurerdogan wrote:
>> I have many servers using spamassassin. Time to time, I may need to add custom rules to SA to block certain mails. It is time consuming doing it on each server. Is it somehow possible to create a one source for all Spamassassin using server and update rule set from that source?
>
> Certainly. There are several ways, at the least:
>
> (1) set up file replication from a tested master copy (probably pretty simple)

This is probably the better choice if you have a single platform, with "many" nodes, to update. If you have "many" nodes, you should already have methods to push other configuration changes out to them, and SpamAssassin would be just another set of files.

> (2) set up your own local published ruleset source and configure your instances to include that in their rule sources for the standard sa-update processing (will require managing DNS entries and generating SHA checksums for the rules file)

This is useful if you have multiple different platforms to push SA rule sets out to, or for some reason end up with multiple sets of rules that need to be pushed out to different systems in different combinations.

I did this locally at a time when I was maintaining four very different systems all running SA, and wanted to distribute common rules to all of them. I'm down to one platform, with a handful of nodes, but since this is up and running it's simpler to just keep using it.

The master/reference files are stored in a Subversion repository. Commits to particular paths trigger the creation of the tarball, SHA* hash files, and GPG signature. A cron job on our DNS master server polls the repository to see if any of the paths have a higher last-changed revision, and update the DNS subzone if so.

-kgd
Re: Another form of obfuscation email.
On Mon, 10 Dec 2018 12:45:53 -0500 Mark London wrote: > Hi - Here's another form of obfuscation spam. This time, not a porn > blackmail one. Almost the whole text is obfuscated. > > https://pastebin.com/VURwmrrF > You say obfuscated, but it looked completely unreadable to me.
Re: Spamassassin using remote rules definition source?
On 10 Dec 2018, at 13:28, ozgurerdogan wrote:
> Can you give me some more step by step for : "set up your own local published ruleset source and configure your instances to include that in their rule sources for the standard sa-update processing (will require managing DNS entries and generating SHA checksums for the rules file)"
> This is what I needed. Thank you everyone by the way.

The setup John refers to is fully documented at https://wiki.apache.org/spamassassin/PublishingRuleUpdates
Re: Spamassassin using remote rules definition source?
Can you give me some more step by step for : "set up your own local published ruleset source and configure your instances to include that in their rule sources for the standard sa-update processing (will require managing DNS entries and generating SHA checksums for the rules file) " This is what I needed. Thank you everyone by the way. -- Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html
Re: Spamassassin using remote rules definition source?
On Mon, 10 Dec 2018, ozgurerdogan wrote:
> I have many servers using spamassassin. Time to time, I may need to add custom rules to SA to block certain mails. It is time consuming doing it on each server. Is it somehow possible to create a one source for all Spamassassin using server and update rule set from that source?

Certainly. There are several ways, at the least:

(1) set up file replication from a tested master copy (probably pretty simple)

(2) set up your own local published ruleset source and configure your instances to include that in their rule sources for the standard sa-update processing (will require managing DNS entries and generating SHA checksums for the rules file)

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The yardstick you should use when considering whether to support a given piece of legislation is "what if my worst enemy is chosen to administer this law?"
---
5 days until Bill of Rights day
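Option (2) above, the private sa-update channel that Kris describes elsewhere in this thread (tarball, SHA hash files, GPG signature, DNS records), shown from the publisher's side as an added shell example. It is constructed for this page and is not Kris's Subversion hook or anything from the wiki; the channel name sa.example.com, the download base https://rules.example.com/ and the signing key in $SIGNING_KEY are assumptions. File names follow what sa-update fetches: `<rev>.tar.gz` plus `.sha1`, `.sha256` and `.sha512` beside it and a detached `.asc` signature.

```shell
#!/bin/sh
# Added example, not from the thread: build and sign one revision of a private
# sa-update channel. Assumed: channel sa.example.com, files served from
# https://rules.example.com/, signing key fingerprint in $SIGNING_KEY.
set -u

# Print "<hash>  <file>" in sha1sum format; shasum is the fallback on BSD/macOS.
hash_file() {
    if command -v "sha$1sum" >/dev/null 2>&1; then "sha$1sum" "$2"; else shasum -a "$1" "$2"; fi
}

# Pack every .cf in $1 into $3/$2.tar.gz and write the three hash files next to it.
# 3.4.1 checks the .sha1; 3.4.2 added .sha256/.sha512, so publish all three.
build_update() {
    rules_dir=$1 rev=$2
    mkdir -p "$3" || return 1
    out=$(cd "$3" && pwd)
    ( cd "$rules_dir" && tar czf "$out/$rev.tar.gz" *.cf ) || return 1
    for algo in 1 256 512; do
        ( cd "$out" && hash_file "$algo" "$rev.tar.gz" > "$rev.tar.gz.sha$algo" ) || return 1
    done
}

# Detached ASCII-armoured signature, written as $2/$1.tar.gz.asc. This is what
# makes the channel trustworthy; the hash files only catch a corrupted download.
sign_update() {
    gpg --batch --yes --local-user "$SIGNING_KEY" --armor --detach-sign "$2/$1.tar.gz"
}

# Recompute one hash file and compare its first token, which is the check
# sa-update performs on the downloaded tarball.
verify_update() {
    expected=$(cut -d' ' -f1 "$2/$1.tar.gz.sha$3" 2>/dev/null)
    actual=$( cd "$2" && hash_file "$3" "$1.tar.gz" | cut -d' ' -f1 )
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# The two TXT records sa-update consults, plus the MIRRORED.BY file the first one
# names. sa-update looks up <SA version>.<channel> (e.g. 3.4.1.sa.example.com) and
# installs when the number there is higher than the revision it last installed.
write_channel_meta() {
    out=$1 channel=$2 base_url=$3 rev=$4 sa_version=$5
    printf '%s weight=1\n' "$base_url" > "$out/MIRRORED.BY"
    printf '%s\n%s\n' \
        "mirrors.$channel. IN TXT \"$base_url/MIRRORED.BY\"" \
        "$sa_version.$channel. IN TXT \"$rev\"" > "$out/zone.snippet"
}
```

A publish run is `build_update /srv/sa/rules 1001 /srv/www/rules && sign_update 1001 /srv/www/rules && write_channel_meta /srv/www/rules sa.example.com https://rules.example.com 1001 3.4.1` (paths assumed), followed by loading zone.snippet into the authoritative zone. On each consumer, import the public key once with `sa-update --import publisher.asc` and then run `sa-update --channel sa.example.com --gpgkey <fingerprint>` from cron; sa-update lints the new rules and refuses to install them if the lint fails. Never paper over a signature problem with `--nogpg`: a rules file can carry a `loadplugin` line, so an unsigned channel is a remote code path into every node that pulls from it.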
Re: Subtest __E_LIKE_LETTER and __LOWER_E listed many times in message header
On 9 Dec 2018, at 18:23, Chris Pollock wrote:
> On Sun, 2018-12-09 at 13:06 -0500, Bill Cole wrote:
>> On 9 Dec 2018, at 12:04, Chris Pollock wrote:
>>> This is probably very trivial and doesn't affect anything except maybe the size of the headers but I have to ask. When looking at the headers of some ham I noticed - https://pastebin.com/H7euxqVX the two rules I mention above are in 72_active.cf. Is there a reason for the number of times it's listed? Couldn't each subtest be listed just once instead of multiple times?
>>
>> Not with the current documented behavior of the code, given the way those sub-rules are designed to work together. The goal is to identify messages which use Latin-script 'e' characters but also use many non-Latin-script characters which look like 'e' but are not. To make this determination, the rules require the 'multiple' flag without a cap on the number of matches which a 'maxhits' parameter would set.
>
> Got it, thanks Bill. I've never noticed this before. I also noticed that according to my daily sa-update output this subtest is apparently new or at least it didn't appear in the output until this past Fri.

Correct. See the thread with the subject "No longer just embedded =9D characters in blackmail emails" here last week for the background.

>> It is not recommended to routinely add the list of matched sub-rules to scanned messages.
>
> Any specific reason why? This is just on my home system.

It's got the potential to be VERY noisy (as you've discovered) while not really providing much useful info. Not a big deal on a small system.

Anyway, as of today I've capped those 2 subrules at levels which leave ample space to still match the target spam. Should show up in tomorrow's update.
Another form of obfuscation email.
Hi - Here's another form of obfuscation spam. This time, not a porn blackmail one. Almost the whole text is obfuscated. https://pastebin.com/VURwmrrF I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is why the message got a high spam rating. By default though, that rule is disabled (score = 0). Without that, the email would have gotten through. Rule T_MIXED_ES was triggered. But that rule has too many false positives to be of any use (IMHO, from looking at my spam logs). Thanks! - Mark
Re: Spamassassin using remote rules definition source?
On Mon, 2018-12-10 at 04:57 -0700, ozgurerdogan wrote: > I simply need to write custom rules to block certain mails, domain names. Do > I have to learn programming language for this? Is not it easy like create a > conf file and let Sa update rules from that source remotely via http? > > cron + wget + reload. Although if you're running multiple servers it's well worth setting up puppet or something similar eventually.
SCAM Bitcoins
FYI Our "friends" of the SCAM_PORNO_BTC campaign are sending scams with wrong wallet IDs, hence the __BITCOIN_ID rule does not trigger... Be aware of this if you have METAs depending on that rule. PedroD
Re: Spamassassin using remote rules definition source?
On Mon, 2018-12-10 at 04:57 -0700, ozgurerdogan wrote:
> I simply need to write custom rules to block certain mails, domain names. Do I have to learn programming language for this? Is not it easy like create a conf file and let Sa update rules from that source remotely via http?

That's all explained in the SA documentation, but you do need to know enough Perl to write regular expressions. SA rules are built round them. You don't need any more Perl than that to test and debug rules. To do that you need an SA installation on a PC.

You can also use grep (with the -P option) to check regular expression syntax before writing an SA rule that uses the regex.

Martin
Re: Spamassassin using remote rules definition source?
On Mon, 2018-12-10 at 04:18 -0700, ozgurerdogan wrote:
> I have many servers using spamassassin. Time to time, I may need to add custom rules to SA to block certain mails. It is time consuming doing it on each server. Is it somehow possible to create a one source for all Spamassassin using server and update rule set from that source?

Install SA on a PC running the same OS as the servers. Keep your spam corpus there and use it as your SA rule development system.

Then either use a script to distribute your rules to the servers via scp and force an SA restart to make them active,

or use a version control system to hold checked-in rules. Run a cron job on all your servers that periodically checks version control for new and revised rules and, if any new rules were uploaded, forces an SA restart to make them active.

Martin
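The consumer side of "cron + wget + reload" suggested earlier in the thread, and of Martin's cron-plus-version-control variant just above, as an added shell example. It is constructed for this page, not either poster's script. The URL in $RULES_URL, the keyring in $KEYRING and the target file in $TARGET are assumptions; swap the wget step for a git or svn checkout and the rest is unchanged. The point it adds is the order of operations: a SpamAssassin .cf file can carry `loadplugin` and load arbitrary Perl, so a node that installs a fetched rules file unverified has handed code execution to whoever controls the feed or can tamper with plain-HTTP traffic to it. Hence verify a detached signature, refuse code-loading directives, lint in isolation, and only then install and reload.

```shell
#!/bin/sh
# Added example, not from the thread: pull a rules file, verify it, lint it,
# install it, reload. Assumed: $RULES_URL with a detached signature at
# $RULES_URL.asc, a gpgv keyring holding only the publisher's key, $TARGET.
set -u
RULES_URL=${RULES_URL:-https://rules.example.com/local.cf}
KEYRING=${KEYRING:-/etc/spamassassin/rules-publisher.gpg}
TARGET=${TARGET:-/etc/spamassassin/90_remote.cf}

# Refuse directives that load code or other files. Returns 0 when the file is clean.
rules_look_safe() {
    ! grep -Eq '^[[:space:]]*(loadplugin|tryplugin|include)[[:space:]]' "$1"
}

fetch_rules() {           # $1 = destination path; the signature lands at $1.asc
    wget -q -O "$1" "$RULES_URL" && wget -q -O "$1.asc" "$RULES_URL.asc"
}

verify_rules() {          # gpgv exits non-zero on a bad, missing or untrusted signature
    gpgv --keyring "$KEYRING" "$1.asc" "$1"
}

lint_rules() {            # lint in a throw-away site config so production is never touched
    scratch=$(mktemp -d) || return 1
    cp "$1" "$scratch/local.cf"
    spamassassin --siteconfigpath="$scratch" --lint
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# Install $1 as $2 only when the content differs. Returns 1 when nothing changed,
# so the caller can skip the reload.
install_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then return 1; fi
    cp "$1" "$2.new" && mv "$2.new" "$2"
}

reload_scanner() {
    # spamd re-reads its configuration on SIGHUP, which is what the Debian unit's
    # reload does. An amavisd-new host embeds SA as a library and needs
    # `amavisd reload` here instead.
    systemctl reload spamassassin
}

main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp" "$tmp.asc"' EXIT
    fetch_rules "$tmp" && verify_rules "$tmp" && rules_look_safe "$tmp" && lint_rules "$tmp" || exit 1
    if install_if_changed "$tmp" "$TARGET"; then reload_scanner; fi
}

# Only run the pipeline when invoked with "run", so the functions can be sourced.
if [ "${1:-}" = run ]; then main; fi
```

A cron line such as `*/15 * * * * /usr/local/sbin/rules-pull.sh run` (path assumed) keeps every node within a quarter hour of the master. Because the lint runs before the install, a rule that fails to compile on a node is rejected there rather than taking spamd down on restart, which is the failure mode a bare "wget then reload" has no protection against.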
Re: Spamassassin using remote rules definition source?
On 2018/12/10 13:57, ozgurerdogan wrote: I simply need to write custom rules to block certain mails, domain names. Do I have to learn programming language for this? Is not it easy like create a conf file and let Sa update rules from that source remotely via http? Nothing comes to mind, else try: https://www.unixmen.com/copying-files-to-multiple-systems-simultaneously-with-pssh/ Then use pssh to restart spamd. Regards Brent
Re: Spamassassin using remote rules definition source?
I simply need to write custom rules to block certain mails, domain names. Do I have to learn programming language for this? Is not it easy like create a conf file and let Sa update rules from that source remotely via http?
Re: Spamassassin using remote rules definition source?
On 2018/12/10 13:18, ozgurerdogan wrote: I have many servers using spamassassin. Time to time, I may need to add custom rules to SA to block certain mails. It is time consuming doing it on each server. Is it somehow possible to create a one source for all Spamassassin using server and update rule set from that source? Puppet -> Puppetbolt Ansible Take your pick Regards Brent
[SA 3.4.1] Are all Perl module dependencies necessary?
Hi all. I am running SA version 3.4.1 on Debian Jessie (from the backport archives). SA runs through Amavis and so far I did not have any problem, neither with the classification nor with the updates through sa-update.

Following the advice on the SA wiki (https://wiki.apache.org/spamassassin/ImproveAccuracy), I just ran:

"spamassassin -D --lint 2>&1 | grep -i failed"

and I got the following output:

[...]
Dec 10 11:47:20.731 [6060] dbg: diag: [...] module not installed: Digest::SHA1 ('require' failed)
Dec 10 11:47:20.731 [6060] dbg: diag: [...] module not installed: Geo::IP ('require' failed)
Dec 10 11:47:20.731 [6060] dbg: diag: [...] module not installed: Net::CIDR::Lite ('require' failed)
Dec 10 11:47:20.732 [6060] dbg: diag: [...] module not installed: LWP::UserAgent ('require' failed)
Dec 10 11:47:20.732 [6060] dbg: diag: [...] module not installed: Encode::Detect::Detector ('require' failed)
Dec 10 11:47:20.732 [6060] dbg: diag: [...] module not installed: Net::Patricia ('require' failed)

Despite the 'require failed' messages, how many of these plugins are actually used by SA? Are those missing plugins preventing some of the rules from triggering or affecting the scoring process in any sensible way? Or are they basically bypassed by the fact that SA is invoked through Amavis via the 'Mail::SpamAssassin' module?

I went ahead and installed all the missing Perl modules through additional packages, but it would be nice to know why these requirements seem not to affect SA. Can anybody explain it to me or point me to the docs/code commits/bug reports/mailing list threads related to this?

Thanks in advance!

Best regards,
Matteo
Spamassassin using remote rules definition source?
I have many servers using spamassassin. Time to time, I may need to add custom rules to SA to block certain mails. It is time consuming doing it on each server. Is it somehow possible to create a one source for all Spamassassin using server and update rule set from that source?