Re: Scoring Based on IP Address

2020-12-18 Thread John Hardin

On Fri, 18 Dec 2020, @lbutlr wrote:

> On 17 Dec 2020, at 16:19, Dave Wreski  wrote:
>
>> On 12/17/20 6:05 PM, Matt wrote:
>>
>>> Is there a way with spamassassin local.conf to add a higher score
>>> based on source ip address or subnet?  Basically the last IP in
>>> "Received:" header.
>>> bad_subnet_add_20_points: 192.168.240.0/24
>>> Raising the score if that IP appeared anywhere in headers or body
>>> might work too.
>>
>> Yes, but if you're effectively going to create a "poison pill" rule where any
>> mail from a particular network is quarantined, you might be better off doing this at the
>> firewall or in postfix directly and just rejecting it outright.
>>
>> header __BAD_IP_RCVD  Received  =~ /192\.168\.240\.\d{1,3}/
>> body   __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
>> rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
>> meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
>> score MY_BAD_SENDER 20
>> describe MY_BAD_SENDER Contains bad IP
>
> Won't this match for that IP in ANY Received: header?


Yes. That's "deep inspection", and runs the risk of a hit on a legitimate 
"bad" IP in the sender's local network (assuming their MTA records the 
initial submission).


It would be better to check the last external IP in X-Spam-Relays-External:

  header __EXT_MTA_IP_BAD  X-Spam-Relays-External =~ /^\[ ip=192\.168\.240\.\d+ /


And, as Dave said, if you're going to poison pill based on the external 
MTA's IP address, then do it with an MTA IP rule or at the firewall, it's 
a lot easier (and lighter-weight) than all this SA stuff.


For example, in /etc/mail/access (for sendmail):

  93.159.212.159 550 5.7.1 Spammed a mailing list - go away.
  65.49.16.2 550 5.7.1 Open relay - go away.
  202.65.168.39 550 5.7.1 Seven 419 spams in one hour - go away.
  213.171.44.75 550 5.7.1 Open relay - email worms - go away.


--
 John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
 jhar...@impsec.org  pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 7 days until Christmas
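As an added illustration of the "deep inspection" point above (my own example, not SpamAssassin's code and not anything posted in the thread), the script below walks the Received: chain of two constructed messages and compares a check that fires on any Received: header with one anchored on the last external relay. It assumes a single trusted network, 203.0.113.0/24, standing in for SpamAssassin's trusted_networks (our own MTAs), and uses the thread's 192.168.240.0/24 as the bad subnet; the sample headers, hostnames and addresses are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Subnet from the thread's own example; the "trusted" range is an assumption
# standing in for SpamAssassin's trusted_networks (our own MTAs).
BAD_SUBNET = ipaddress.ip_network("192.168.240.0/24")
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# The first bracketed dotted-quad in a Received: header is the connecting host.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: legitimate mail whose sender's own LAN happens to use
# 192.168.240.0/24 for the submission hop, relayed to us from 198.51.100.7.
LEGIT_MAIL = """Received: from our-mx.example.org (our-mx.example.org [203.0.113.10])
\tby mailstore.example.org (Postfix) with ESMTP id 3; Fri, 18 Dec 2020 10:00:02 +0000
Received: from edge.sender.example (edge.sender.example [198.51.100.7])
\tby our-mx.example.org (Postfix) with ESMTPS id 2; Fri, 18 Dec 2020 10:00:01 +0000
Received: from desktop.lan (unknown [192.168.240.55])
\tby edge.sender.example (Postfix) with ESMTPSA id 1; Fri, 18 Dec 2020 10:00:00 +0000
From: alice@sender.example
To: bob@example.org
Subject: constructed legitimate message

hello
"""

# Constructed sample: here the bad subnet really is the last external relay.
BAD_MAIL = """Received: from mail.unwanted.example (unknown [192.168.240.9])
\tby our-mx.example.org (Postfix) with ESMTP id 4; Fri, 18 Dec 2020 11:00:00 +0000
From: sender@unwanted.example
To: bob@example.org
Subject: constructed unwanted message

buy now
"""


def relay_ips(raw_message):
    """Connecting-host IPs from every Received: header, topmost (our side) first."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _IP_RE.search(str(hdr))
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def any_received_hit(raw_message):
    """Equivalent of a rule that inspects every Received: header ("deep inspection")."""
    return any(ip in BAD_SUBNET for ip in relay_ips(raw_message))


def last_external_ip(raw_message):
    """First untrusted hop walking down from our own MTAs: the external MTA
    that actually handed us the mail (what X-Spam-Relays-External lists first)."""
    for ip in relay_ips(raw_message):
        if not any(ip in net for net in TRUSTED_NETWORKS):
            return ip
    return None


def last_external_hit(raw_message):
    """Equivalent of anchoring the check on the last external relay only."""
    ip = last_external_ip(raw_message)
    return ip is not None and ip in BAD_SUBNET


if __name__ == "__main__":
    for name, mail in (("legit", LEGIT_MAIL), ("bad", BAD_MAIL)):
        print(name, "any-Received hit:", any_received_hit(mail),
              "| last-external hit:", last_external_hit(mail),
              "| last external relay:", last_external_ip(mail))
```

Run as-is, the legitimate message trips the any-Received check because of the sender's internal hop while the last-external check leaves it alone; the unwanted message trips both. The same split is why a rejection at the MTA or firewall, which only ever sees the connecting peer's address, cannot produce that false positive.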


Re: More undetected hidden test spam signs

2020-12-18 Thread RW
On Thu, 17 Dec 2020 08:58:07 -0800 (PST)
John Hardin wrote:

> On Thu, 17 Dec 2020, @lbutlr wrote:
> 
> > On 16 Dec 2020, at 23:21, Loren Wilton 
> > wrote:  
> >> I just got a batch of spams containing
> >>
> >>   
> >
> > ... various rules to tag messages as spam when they had content that
> > did not display.
>
> Such rules are there. Unfortunately, for whatever reason, lots of ham
> uses "invisible" text so it's not useful as a spam sign by itself and
> it's hard to come up with any useful combination rules.

The trouble with this kind of thing is that you can make anything look
marginally useful with the right meta rule - even something like
__RCVD_ON_MONDAY. 

rawbody rules are relatively expensive, if they don't show some kind of
initial promise, they aren't worth pursuing IMO. 

> Perhaps this would be useful if it hits bayes but not hard enough to
> push it over the threshold:
> 
> meta   INVIS_TEXT_BAYES   __STY_INVIS && (BAYES_80 || BAYES_95 || BAYES_99 || BAYES_999)

__STY_INVIS has an S/O of 0.122 in QA hitting 6.4% of ham. In my corpus
the semi-colon doesn't make much difference to the historic numbers.
Unless __STY_INVIS is dominating spam I wouldn't do the above. If it
works it's most likely a sign that Bayes itself is underscored. 

Strangely the S/O is even worse for __STY_INVIS_MANY (__STY_INVIS > 5).
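To make the S/O discussion concrete, here is an added example (mine, not from the thread or from SpamAssassin's mass-check tooling) that evaluates a rule and the proposed meta over a constructed, labelled corpus. S/O is computed as the share of a rule's hits that are spam, alongside the fraction of ham the rule hits; the hit counts are made up for illustration and bear no relation to the QA figures quoted above.

```python
# Constructed corpus: 100 spam and 100 ham messages, each carrying the set of
# sub-rules that fired on it. The hit counts are invented for illustration.
BAYES_HIGH = {"BAYES_80", "BAYES_95", "BAYES_99", "BAYES_999"}


def build_corpus():
    """Return a list of (is_spam, hits) pairs."""
    corpus = []
    for i in range(100):                      # spam
        hits = set()
        if i < 20:
            hits.add("__STY_INVIS")           # invisible text in 20% of spam
        if i < 70:
            hits.add("BAYES_99")              # Bayes already confident on 70%
        corpus.append((True, hits))
    for i in range(100):                      # ham
        hits = set()
        if i < 30:
            hits.add("__STY_INVIS")           # ...but in 30% of ham as well
        if i == 0:
            hits.add("BAYES_99")              # a single Bayes false positive
        corpus.append((False, hits))
    return corpus


def sty_invis(hits):
    return "__STY_INVIS" in hits


def bayes_high(hits):
    return bool(hits & BAYES_HIGH)


def invis_text_bayes(hits):
    """The proposed meta: __STY_INVIS && (BAYES_80 || BAYES_95 || BAYES_99 || BAYES_999)."""
    return sty_invis(hits) and bayes_high(hits)


def rule_stats(corpus, rule):
    """(spam hits, ham hits, S/O, fraction of ham hit) for a rule predicate.
    S/O is the share of the rule's hits that are spam."""
    spam_hits = sum(1 for is_spam, hits in corpus if is_spam and rule(hits))
    ham_hits = sum(1 for is_spam, hits in corpus if not is_spam and rule(hits))
    n_ham = sum(1 for is_spam, _ in corpus if not is_spam)
    total = spam_hits + ham_hits
    s_o = spam_hits / total if total else 0.0
    return spam_hits, ham_hits, s_o, ham_hits / n_ham


if __name__ == "__main__":
    corpus = build_corpus()
    for name, rule in (("__STY_INVIS", sty_invis), ("BAYES_*", bayes_high),
                       ("INVIS_TEXT_BAYES", invis_text_bayes)):
        s, h, so, ham_rate = rule_stats(corpus, rule)
        print(f"{name:18s} spam={s:3d} ham={h:3d} S/O={so:.3f} ham_hit={ham_rate:.1%}")
```

On this corpus __STY_INVIS alone scores an S/O of 0.400 while hitting 30% of ham, whereas the meta jumps to 0.952 with a single ham hit. That improvement is borrowed entirely from Bayes: an AND-meta can only fire on messages Bayes already flagged, so its S/O can never beat Bayes's own (0.986 here), and any score it adds is just a Bayes top-up, which is the "Bayes itself is underscored" reading above.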



Re: Scoring Based on IP Address

2020-12-18 Thread @lbutlr
On 17 Dec 2020, at 16:19, Dave Wreski  wrote:
> On 12/17/20 6:05 PM, Matt wrote:
>> Is there a way with spamassassin local.conf to add a higher score
>> based on source ip address or subnet?  Basically the last IP in
>> "Received:" header.
>> bad_subnet_add_20_points: 192.168.240.0/24
>> Raising the score if that IP appeared anywhere in headers or body
>> might work too.

> Yes, but if you're effectively going to create a "poison pill" rule where any 
> mail from a particular network is quarantined, you might be better off doing 
> this at the firewall or in postfix directly and just rejecting it outright.
> 
> header __BAD_IP_RCVD  Received  =~ /192\.168\.240\.\d{1,3}/
> body   __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
> rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
> meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
> score MY_BAD_SENDER 20
> describe MY_BAD_SENDER Contains bad IP

Won't this match for that IP in ANY Received: header?

-- 
"How good bad music and bad reasons sound when we march against an
enemy." -  Friedrich Nietzsche



Re: More undetected hidden test spam signs

2020-12-18 Thread @lbutlr
On 17 Dec 2020, at 09:58, John Hardin  wrote:
> Such rules are there. Unfortunately, for whatever reason, lots of ham uses 
> "invisible" text so it's not useful as a spam sign by itself and it's hard to 
> come up with any useful combination rules.

In the "Archive" folder on my work email there are 76,200 emails and 113,566 
incidents of the string "display:\s*none". Who knew?

One archived email I noticed had 24 occurrences of the string, about a third of 
them followed by "!important".

I used to have a dehtmlizer tool that stripped the HTML down to bare text and 
links by piping the html mime part pf the messages through lynx --dump, but 
that proved to be problematic in its own way and I haven't gotten pipes working 
with sieve anyway.


-- 
I AM ZOMBOR! (kelly) ZOMBOR!