Re: Scoring Based on IP Address
On Fri, 18 Dec 2020, @lbutlr wrote:

> On 17 Dec 2020, at 16:19, Dave Wreski wrote:
>> On 12/17/20 6:05 PM, Matt wrote:
>>> Is there a way with spamassassin local.conf to add a higher score based on source ip address or subnet? Basically the last IP in "Received:" header.
>>>
>>> bad_subnet_add_20_points: 192.168.240.0/24
>>>
>>> Raising the score if that IP appeared anywhere in headers or body might work too.
>>
>> Yes, but if you're effectively going to create a "poison pill" rule where any mail from a particular network is quarantined, you might be better off doing this at the firewall or in postfix directly and just rejecting it outright.
>>
>> header __BAD_IP_RCVD Received =~ /192\.168\.240\.\d{1,3}/
>> body __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
>> rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
>> meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
>> score MY_BAD_SENDER 20
>> describe MY_BAD_SENDER Contains bad IP
>
> Won't this match for that IP in ANY Received: header?

Yes. That's "deep inspection", and runs the risk of a hit on a legitimate "bad" IP in the sender's local network (assuming their MTA records the initial submission).

It would be better to check the last external IP in X-Spam-Relays-External:

header __EXT_MTA_IP_BAD X-Spam-Relays-External =~ /^\[ ip=192\.168\.240\.\d+ /

And, as Dave said, if you're going to poison pill based on the external MTA's IP address, then do it with an MTA IP rule or at the firewall, it's a lot easier (and lighter-weight) than all this SA stuff. For example, in /etc/mail/access (for sendmail):

93.159.212.159    550 5.7.1 Spammed a mailing list - go away.
65.49.16.2        550 5.7.1 Open relay - go away.
202.65.168.39     550 5.7.1 Seven 419 spams in one hour - go away.
213.171.44.75     550 5.7.1 Open relay - email worms - go away.
--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
7 days until Christmas
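To make the difference between the two approaches concrete, here is an added example (not code from the thread or from SpamAssassin) that models both rules in Python: a "deep inspection" scan of every Received: header versus a check of only the last external relay, read from the X-Spam-Relays-External pseudo-header in the `[ ip=... ]` layout that rule targets. The message headers, the 192.168.240.0/24 blocklist and the relay line are all constructed for the demonstration; the helper names are this example's own.

```python
import ipaddress
import re

# Constructed sample headers (not from the thread). The second Received:
# line is the sender's own submitting client on their LAN, which happens to
# fall inside the blocklisted network; the external MTA that delivered to
# us is 203.0.113.7. X-Spam-Relays-External lists the most recent external
# relay first, which is why the page's rule anchors on "^\[ ip=".
HAM_HEADERS = {
    "Received": [
        "from mail.example.net (mail.example.net [203.0.113.7]) by mx.example.org",
        "from desktop.lan (desktop.lan [192.168.240.17]) by mail.example.net",
    ],
    "X-Spam-Relays-External": (
        "[ ip=203.0.113.7 rdns=mail.example.net helo=mail.example.net "
        "by=mx.example.org ident= envfrom= intl=0 id=abc123 auth= msa=0 ]"
    ),
}

# Constructed message whose last external hop really is in the bad subnet.
SPAM_HEADERS = {
    "Received": [
        "from relay.bad.example (relay.bad.example [192.168.240.5]) by mx.example.org",
    ],
    "X-Spam-Relays-External": (
        "[ ip=192.168.240.5 rdns=relay.bad.example helo=relay.bad.example "
        "by=mx.example.org ident= envfrom= intl=0 id=def456 auth= msa=0 ]"
    ),
}

# Blocklist as CIDR networks rather than a hand-written octet regex, so
# "192.168.2400" style partial matches cannot slip through.
BAD_NETS = [ipaddress.ip_network("192.168.240.0/24")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RELAY_RE = re.compile(r"^\[ ip=(\S+) ")


def in_bad_net(ip_text):
    """True if the textual address parses and lies in a blocklisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in BAD_NETS)


def deep_inspection_hit(headers):
    """The __BAD_IP_RCVD approach: any IP in ANY Received: header counts."""
    return any(
        in_bad_net(ip)
        for line in headers.get("Received", [])
        for ip in IPV4_RE.findall(line)
    )


def last_external_ip(relays_external):
    """First entry of X-Spam-Relays-External is the last external relay."""
    m = RELAY_RE.match(relays_external)
    return m.group(1) if m else None


def external_mta_hit(headers):
    """The __EXT_MTA_IP_BAD approach: only the last external hop counts."""
    ip = last_external_ip(headers.get("X-Spam-Relays-External", ""))
    return ip is not None and in_bad_net(ip)


def score(headers, base=0.0, penalty=20.0):
    """Apply the 20-point poison pill only on the external-relay check."""
    return base + penalty if external_mta_hit(headers) else base


if __name__ == "__main__":
    for name, hdrs in (("ham", HAM_HEADERS), ("spam", SPAM_HEADERS)):
        print(name, "deep:", deep_inspection_hit(hdrs),
              "external:", external_mta_hit(hdrs), "score:", score(hdrs))
```

Run as-is, the ham message trips the deep-inspection rule solely because the sender's LAN client lives in 192.168.240.0/24, while the external-relay check leaves it at its base score; the spam message is caught by both. The CIDR membership test is also the same check an MTA access table or firewall rule would apply, which is where the thread suggests putting a rule this blunt.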
Re: More undetected hidden test spam signs
On Thu, 17 Dec 2020 08:58:07 -0800 (PST) John Hardin wrote:

> On Thu, 17 Dec 2020, @lbutlr wrote:
>
>> On 16 Dec 2020, at 23:21, Loren Wilton wrote:
>>> I just got a batch of spams containing
>>>
>>>
>>
>> ... various rules to tag messages as spam when they had content that did not display.
>
> Such rules are there. Unfortunately, for whatever reason, lots of ham uses "invisible" text so it's not useful as a spam sign by itself and it's hard to come up with any useful combination rules.

The trouble with this kind of thing is that you can make anything look marginally useful with the right meta rule - even something like __RCVD_ON_MONDAY.

rawbody rules are relatively expensive; if they don't show some kind of initial promise, they aren't worth pursuing IMO.

> Perhaps this would be useful if it hits bayes but not hard enough to push it over the threshold:
>
> meta INVIS_TEXT_BAYES __STY_INVIS && (BAYES_80 || BAYES_95 || BAYES_99 || BAYES_999)

__STY_INVIS has an S/O of 0.122 in QA hitting 6.4% of ham. In my corpus the semi-colon doesn't make much difference to the historic numbers. Unless __STY_INVIS is dominating spam I wouldn't do the above. If it works it's most likely a sign that Bayes itself is underscored.

Strangely the S/O is even worse for __STY_INVIS_MANY (__STY_INVIS > 5)
Re: Scoring Based on IP Address
On 17 Dec 2020, at 16:19, Dave Wreski wrote:

> On 12/17/20 6:05 PM, Matt wrote:
>> Is there a way with spamassassin local.conf to add a higher score based on source ip address or subnet? Basically the last IP in "Received:" header.
>>
>> bad_subnet_add_20_points: 192.168.240.0/24
>>
>> Raising the score if that IP appeared anywhere in headers or body might work too.
>
> Yes, but if you're effectively going to create a "poison pill" rule where any mail from a particular network is quarantined, you might be better off doing this at the firewall or in postfix directly and just rejecting it outright.
>
> header __BAD_IP_RCVD Received =~ /192\.168\.240\.\d{1,3}/
> body __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
> rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
> meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
> score MY_BAD_SENDER 20
> describe MY_BAD_SENDER Contains bad IP

Won't this match for that IP in ANY Received: header?

--
"How good bad music and bad reasons sound when we march against an enemy." - Friedrich Nietzsche
Re: More undetected hidden test spam signs
On 17 Dec 2020, at 09:58, John Hardin wrote:

> Such rules are there. Unfortunately, for whatever reason, lots of ham uses "invisible" text so it's not useful as a spam sign by itself and it's hard to come up with any useful combination rules.

In the "Archive" folder on my work email there are 76,200 emails and 113,566 incidents of the string "display:\s*none". Who knew? One archived email I noticed had 24 occurrences of the string, about a third of them followed by "!important".

I used to have a dehtmlizer tool that stripped the HTML down to bare text and links by piping the html mime part of the messages through lynx --dump, but that proved to be problematic in its own way and I haven't gotten pipes working with sieve anyway.

--
I AM ZOMBOR! (kelly) ZOMBOR!