Re: docusign changes
On Sun, 28 Feb 2021 14:17:08 -0500 Alex wrote:

> Hi,
>
> I have a number of rules that checks for the existence of legitimate
> docusign links and general weirdness (like the lack of a legitimate To
> address or to undisc-recips), but it doesn't work for this legitimate
> docusign email:
>
> https://pastebin.com/tZthJnb2

This rule seems to be your problem:

 * 10 LOC_DOCUSIGN_UNDISC Docusign would never send to
 * undisclosed-recips

but the email has:

To: hel...@gmail.com
docusign changes
Hi,

I have a number of rules that check for the existence of legitimate docusign links and general weirdness (like the lack of a legitimate To address or to undisc-recips), but it doesn't work for this legitimate docusign email:

https://pastebin.com/tZthJnb2

Somehow it's sending to hel...@gmail.com when the real recip is 04...@example.com (it was forwarded for some reason), and the envelope-from is also gmail - I'm assuming it was routed through gmail for some reason. Why?

Is the lack of a proper To header even a reliable spam indicator anymore for this? This is just a mailing list email, not a document that needs to be signed, but why would docusign make it more difficult to ensure the delivery of their email?

Is it enough to allow this to pass based on the received header?

Received: from mail06.esign.docusign.com (mail06.esign.docusign.com. [204.92.114.62])

Other ideas? I've already added a number of docusign addresses to the welcomelist:

$ grep docusign whitelist.cf
whitelist_auth *@esign.docusign.com
whitelist_auth dse_...@docusign.net
whitelist_auth docus...@esign.docusign.com
whitelist_auth d...@docusign.net
whitelist_auth dse_...@docusign.net
whitelist_auth dse_...@docusign.net
whitelist_auth d...@eumail.docusign.net
whitelist_auth casesta...@docusign.com
whitelist_auth nore...@docusign.com
whitelist_auth collecti...@docusign.com
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 10:33:15AM -0500, Michael Grant wrote:

> On Sun, Feb 28, 2021 at 03:53:33PM +0100, Giovanni Bechis wrote:
> > On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> > > Ultimately I want the spamassassin report in the headers but I don't
> > > want the license key in there.
> > >
> > you can set 'tflags net nolog' if you are using trunk.
> > Invaluement uri and license key will be printed as *redacted*.
> > Giovanni
> >
>
> Hi Giovanni, unfortunately, this did not work either.
>
> I just pulled from your repo to make sure I was on master. I added
> nolog, the pertinent lines look like this:
>
> askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_ID Sendgrid Id blacklist
> tflags RBL_SENDGRID_ID net nolog
>
> askdns RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_DOM Sendgrid domain blacklist
> tflags RBL_SENDGRID_DOM net nolog
>

With SpamAssassin trunk (sorry I probably was not clear) you will have:

 1.0 RBL_SENDGRID_ID ASKDNS: Invaluement Sendgrid Id blacklist [*REDACTED*]

Giovanni
Re: AskDNS with a DNAME
> > askdns RBL_SENDGRID_ID
> > _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
> > describe RBL_SENDGRID_ID Sendgrid Id blacklist
> > tflags RBL_SENDGRID_ID net nolog
> >
> > askdns RBL_SENDGRID_DOM
> > _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
> > describe RBL_SENDGRID_DOM Sendgrid domain blacklist
> > tflags RBL_SENDGRID_DOM net nolog
> >
> > And this is what I see in the spamassassin report in the header:
> > * 1.0 RBL_SENDGRID_ID ASKDNS: Sendgrid Id blacklist
> > *      [16582324.sendgrid-id.MYLICENSE.invaluement.com
> >        A:127.0.0.2]
>
> I think what you need, at least in the short term, is:
>
> askdns __RBL_SENDGRID_ID ...
> meta RBL_SENDGRID_ID __RBL_SENDGRID_ID

Ah hah! Thank you, this works. And it has an added benefit that the RBL_SENDGRID_ID rule doesn't add a default 1.0 score to the total, so this is definitely the right way to do it.

_SENDGRIDID_ is set as a variable in the Esp.pm module. Is there some way to log this when the meta rule triggers?

Michael Grant
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021 10:33:15 -0500 Michael Grant wrote:

> On Sun, Feb 28, 2021 at 03:53:33PM +0100, Giovanni Bechis wrote:
> > On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> > > Ultimately I want the spamassassin report in the headers but I
> > > don't want the license key in there.
> > >
> > you can set 'tflags net nolog' if you are using trunk.
> > Invaluement uri and license key will be printed as *redacted*.
> > Giovanni
> >
>
> Hi Giovanni, unfortunately, this did not work either.
>
> I just pulled from your repo to make sure I was on master. I added
> nolog, the pertinent lines look like this:
>
> askdns RBL_SENDGRID_ID
> _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_ID Sendgrid Id blacklist
> tflags RBL_SENDGRID_ID net nolog
>
> askdns RBL_SENDGRID_DOM
> _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_DOM Sendgrid domain blacklist
> tflags RBL_SENDGRID_DOM net nolog
>
> And this is what I see in the spamassassin report in the header:
> * 1.0 RBL_SENDGRID_ID ASKDNS: Sendgrid Id blacklist
> *      [16582324.sendgrid-id.MYLICENSE.invaluement.com
>        A:127.0.0.2]

I think what you need, at least in the short term, is:

askdns __RBL_SENDGRID_ID ...
meta RBL_SENDGRID_ID __RBL_SENDGRID_ID
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021, RW wrote:

> On Sun, 28 Feb 2021 07:42:42 -0800 (PST) John Hardin wrote:
>
> > On Sun, 28 Feb 2021, Michael Grant wrote:
> >
> > > I've traced through the AskDNS plugin and it's definitely only
> > > looking at the first response that gets returned in this case. I
> > > also tried a regex submatch like:
> > >
> > > askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/
> > >
> > > and still not working. The AskDNS code which loops through the
> > > result only looks at the alias result that's returned.
> >
> > I would indeed characterize that as a bug in the AskDNS plugin. The
> > fact that it is an alias is not useful information to the evaluation
> > of the message's spamminess, and the information that *is* useful -
> > critical, in fact - is being discarded.
> >
> > Please open a bugzilla ticket for this.
>
> There is already a very similar one:
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7875

Ok, good.

The AskDNS plugin code on trunk has had several changes that have not been merged to the 3.4 branch for release. I just ran a quick test on trunk with an askdns rule for a host that is a CNAME and it appeared to work properly - it went through all the responses and the rule did hit on the final resolved IP address.

Feb 28 08:18:40.625 [29038] dbg: dns: bgread: received 860 bytes from 10.1.0.254
Feb 28 08:18:40.628 [29038] dbg: dns: dns reply 39497 is OK, 2 answer records
Feb 28 08:18:40.628 [29038] dbg: askdns: answer received (__ASKDNS_DNAME_TEST), rcode NOERROR, query IN/A/ftp.impsec.org, answer has 2 records
Feb 28 08:18:40.628 [29038] dbg: askdns: rr_type = CNAME
Feb 28 08:18:40.628 [29038] dbg: askdns: rr_type = A
Feb 28 08:18:40.628 [29038] dbg: askdns: domain "ftp.impsec.org" listed (__ASKDNS_DNAME_TEST): 108.161.139.220

I don't know whether these changes, or just the recommended fix in 7875, will make it into the pending 3.4 release.

Michael, you might consider using trunk for your SA install, or if that's too risky, potentially pulling just the AskDNS plugin from trunk.
--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Are you a mildly tech-literate politico horrified by the level of
 ignorance demonstrated by lawmakers gearing up to regulate online
 technology they don't even begin to grasp? Cool. Now you have a tiny
 glimpse into a day in the life of a gun owner.        -- Sean Davis
---
 14 days until Albert Einstein's 142nd Birthday
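An added illustration of the two behaviours described in this exchange (example code, not SpamAssassin's AskDNS plugin): the buggy path stops at the first resource record, which for an aliased name is the CNAME, while the corrected path walks every record and matches only those of the queried type. The answer section is constructed to mirror the `host` output posted earlier in the thread; the listing value and regex form follow the askdns syntax Michael used.

```python
# Added example, not SpamAssassin code. Models a DNS answer section for an
# aliased (CNAME/DNAME) name and shows why "look only at the first record"
# never sees the A record that carries the RBL listing value.
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RR:
    name: str      # owner name of the record
    rr_type: str   # "CNAME" or "A"
    rdata: str     # CNAME target, or dotted IPv4 for an A record


# Constructed answer section, modelled on the thread's `host` output:
# the resolver returns the alias hop first, then the A record of the target.
ANSWER_VIA_ALIAS: List[RR] = [
    RR("16582324.sendgrid-id.localhost", "CNAME",
       "16582324.sendgrid-id.LICENSEKEY.invaluement.com"),
    RR("16582324.sendgrid-id.LICENSEKEY.invaluement.com", "A", "127.0.0.2"),
]


def _matches(rdata: str, spec: str) -> bool:
    """spec is a literal value (127.0.0.2) or a /regex/ like askdns accepts."""
    if len(spec) >= 2 and spec.startswith("/") and spec.endswith("/"):
        return re.search(spec[1:-1], rdata) is not None
    return rdata == spec


def first_record_only(answer: List[RR], want_type: str, spec: str) -> bool:
    """Buggy behaviour: only the first RR is examined, so a CNAME hop
    hides the A record and the rule never fires."""
    if not answer:
        return False
    rr = answer[0]
    return rr.rr_type == want_type and _matches(rr.rdata, spec)


def walk_all_records(answer: List[RR], want_type: str, spec: str) -> Optional[str]:
    """Fixed behaviour (what the trunk debug log shows): visit every RR,
    skip alias hops, and return the rdata of the first matching record."""
    for rr in answer:
        if rr.rr_type != want_type:
            continue  # CNAME/DNAME hops carry no listing information
        if _matches(rr.rdata, spec):
            return rr.rdata
    return None
```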
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021 07:42:42 -0800 (PST) John Hardin wrote:

> On Sun, 28 Feb 2021, Michael Grant wrote:
>
> > I've traced through the AskDNS plugin and it's definitely only
> > looking at the first response that gets returned in this case. I
> > also tried a regex submatch like:
> >
> > askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A
> > /127.0.0.2/
> >
> > and still not working. The AskDNS code which loops through the
> > result only looks at the alias result that's returned.
>
> I would indeed characterize that as a bug in the AskDNS plugin. The
> fact that it is an alias is not useful information to the evaluation
> of the message's spamminess, and the information that *is* useful -
> critical, in fact - is being discarded.
>
> Please open a bugzilla ticket for this.

There is already a very similar one:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7875
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021, Michael Grant wrote:

> I've traced through the AskDNS plugin and it's definitely only looking
> at the first response that gets returned in this case. I also tried a
> regex submatch like:
>
> askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/
>
> and still not working. The AskDNS code which loops through the result
> only looks at the alias result that's returned.

I would indeed characterize that as a bug in the AskDNS plugin. The fact that it is an alias is not useful information to the evaluation of the message's spamminess, and the information that *is* useful - critical, in fact - is being discarded.

Please open a bugzilla ticket for this.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Usually Microsoft doesn't develop products, we buy products.
                     -- Arno Edelmann, Microsoft product manager
---
 14 days until Albert Einstein's 142nd Birthday
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 03:53:33PM +0100, Giovanni Bechis wrote:

> On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> > Ultimately I want the spamassassin report in the headers but I don't
> > want the license key in there.
> >
> you can set 'tflags net nolog' if you are using trunk.
> Invaluement uri and license key will be printed as *redacted*.
> Giovanni
>

Hi Giovanni, unfortunately, this did not work either.

I just pulled from your repo to make sure I was on master. I added nolog, the pertinent lines look like this:

askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
describe RBL_SENDGRID_ID Sendgrid Id blacklist
tflags RBL_SENDGRID_ID net nolog

askdns RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
describe RBL_SENDGRID_DOM Sendgrid domain blacklist
tflags RBL_SENDGRID_DOM net nolog

And this is what I see in the spamassassin report in the header:

* 1.0 RBL_SENDGRID_ID ASKDNS: Sendgrid Id blacklist
*      [16582324.sendgrid-id.MYLICENSE.invaluement.com A:127.0.0.2]

Michael Grant
Re: google domains spam
On 2021-02-28 12:26, Matus UHLAR - fantomas wrote:

> How can I make SA to rbl-check for subdomain, not just google.com domain?

2nd tld cf file or https://github.com/spamhaus/spamassassin-dqs/blob/master/SH.pm#L78

change SH.cf to sh_local.cf to your own rbldnsd

the sh.pm module has more functions than are used, but it can be used with more testing, with or without dqs keys

note the 2nd tld would be a global change while the sh.pm is not

hope it's useful
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:

> Ultimately I want the spamassassin report in the headers but I don't
> want the license key in there.
>

you can set 'tflags net nolog' if you are using trunk.
Invaluement uri and license key will be printed as *redacted*.

Giovanni
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 02:14:55PM +, Damian wrote:

> I don't know about AskDNS, but this technique works with stock spamhaus rules
> via spamhaustech. I have a local spamhaus.net zone with a DNAME record as
> their nameservers block me anyway.
> You could try with an invaluement.com zone at least temporarily as a
> comparison to AskDNS.

As I said, it does work if I do this:

askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id..invaluement.com A 127.0.0.2

But then, the LICENSEKEY gets embedded in the spamassassin report which I don't want.

I've traced through the AskDNS plugin and it's definitely only looking at the first response that gets returned in this case. I also tried a regex submatch like:

askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/

and still not working. The AskDNS code which loops through the result only looks at the alias result that's returned.
AskDNS with a DNAME
I don't know about AskDNS, but this technique works with stock spamhaus rules via spamhaustech. I have a local spamhaus.net zone with a DNAME record as their nameservers block me anyway. You could try with an invaluement.com zone at least temporarily as a comparison to AskDNS.
AskDNS with a DNAME
I'm trying to use a rule like this:

askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A 127.0.0.2

where I have this in my db.local running bind9:

sendgrid-id IN DNAME sendgrid-id.LICENSEKEY.invaluement.com.

where LICENSEKEY is a valid license key. I can query this on the command line:

% host 16582324.sendgrid-id.localhost
sendgrid-id.localhost has DNAME record sendgrid-id.LICENSEKEY.invaluement.com.
16582324.sendgrid-id.localhost is an alias for 16582324.sendgrid-id.LICENSEKEY.invaluement.com.
16582324.sendgrid-id.LICENSEKEY.invaluement.com has address 127.0.0.2

But the AskDNS plugin seems to see only the first alias response and ignores the actual 127.0.0.2 response. The rule is never hit. If I put the license key in the cf file directly, it is (and the license key gets added to the email headers which is what I am trying to avoid by doing a DNAME record in my .localhost db.local!)

This technique of using a DNAME record works fine for milters.

Ultimately I want the spamassassin report in the headers but I don't want the license key in there.

Is there some way to get this to work? Not sure if this isn't actually a bug in AskDNS to be honest.

Michael Grant
google domains spam
Hi guys,

lately I have received too much spam with links to sites.google.com and goo.gl redirects.

The sites.google.com website contains "report" links, however after about a week of reporting them all, spam containing the same site comes and the site is not removed.

The goo.gl does not seem to contain any place for reporting spam. Seems that it was deprecated but still somehow works.

I have decided to locally blacklist them both (I run local rbldns, with IP and domain-based blacklists).

urirhsbl L_URIBL_FANTOMAS rhsbl.fantomas.sk. TXT
body L_URIBL_FANTOMAS eval:check_uridnsbl('URIBL_FANTOMAS')

However, both goo.gl and google.com are skipped with scanning:

/var/lib/spamassassin/3.004004/updates_spamassassin_org/25_uribl.cf:uridnsbl_skip_domain go.com google.com googleadservices.com grisoft.com
/var/lib/spamassassin/3.004004/updates_spamassassin_org/25_uribl.cf:uridnsbl_skip_domain gappssmtp.com github.com goo.gl google-analytics.com

I can unlist locally both:

clear_uridnsbl_skip_domain goo.gl google.com

However, goo.gl seems to be caught:

* 3.5 L_URIBL_FANTOMAS contains locally blocklisted URI
*      [URIs: goo.gl]

but sites.google.com is not. Seems SA only calls domain, not subdomains:

Feb 28 12:21:21.173 [8745] dbg: async: calling callback on key DNSBL:google.com:rhsbl.fantomas.sk, rule L_URIBL_FANTOMAS
Feb 28 12:21:21.173 [8745] dbg: uridnsbl: complete_dnsbl_lookup L_URIBL_FANTOMAS DNSBL:google.com:rhsbl.fantomas.sk

How can I make SA rbl-check the subdomain, not just the google.com domain?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows. -- Matthew D. Fuller