Re: Help with rule matching when it shouldn't

2024-03-19 Thread Jimmy
The correct syntax for the header rule should be:

header __FROM_ADDRESS From:addr =~ /\@yahoo\.com/i

This rule will specifically match email addresses containing "@yahoo.com"
while excluding addresses like "ya...@gmail.com".

Regarding the example provided, the "__RETURNPATH_IS" rule should indeed be
triggered since it matches "yahoo.com" in the return-path. If you're
uncertain about the intended behavior of the rules, please clarify the
requirements so we can adjust the rules accordingly.

Jimmy



On Wed, Mar 20, 2024 at 4:52 AM Erickarlo Porro  wrote:

> Could someone help me figure out why my custom rule is matching when it
> should not be matching?
>
> This is my current setup:
>
> header __FROM_ADDRESS From =~ /yahoo/i
> header __RETURNPATH_IS Return-Path !~ /yahoo.com$/i
>
> meta   NOT_IT (__FROM_ADDRESS && __RETURNPATH_IS)
> describe NOT_IT Sender is not correct
> score  NOT_IT 4.0
>
> Take these headers as an example:
> From: ya...@gmail.com
> Return-path: ya...@yahoo.com
>
> If I send an email that would have those headers Spamassassin is getting a
> hit for my NOT_IT rule but that should not match because __RETURNPATH_IS
> should not get a hit.
>
> How can I troubleshoot this?


Help with rule matching when it shouldn't

2024-03-19 Thread Erickarlo Porro
Could someone help me figure out why my custom rule is matching when it should 
not be matching?

This is my current setup:
header __FROM_ADDRESS From =~ /yahoo/i
header __RETURNPATH_IS Return-Path !~ /yahoo.com$/i

meta   NOT_IT (__FROM_ADDRESS && __RETURNPATH_IS)
describe NOT_IT Sender is not correct
score  NOT_IT 4.0


Take these headers as an example:
From: ya...@gmail.com
Return-path: ya...@yahoo.com

If I send an email that would have those headers Spamassassin is getting a hit 
for my NOT_IT rule but that should not match because __RETURNPATH_IS should not 
get a hit.

How can I troubleshoot this?
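As an added illustration of the question above and Jimmy's reply (this is not code from the thread or from SpamAssassin), the Python below mimics how SpamAssassin evaluates the posted `NOT_IT` meta rule. It assumes constructed headers whose display name contains "yahoo" and whose Return-Path keeps the angle brackets an MTA writes around the address, so `/yahoo.com$/` cannot match the raw value and the `!~` rule fires; the tightened variant uses the `:addr` form from the reply, with a `$` anchor that is my addition.

```python
import re

# Constructed headers for the thread's example. MTAs write the Return-Path
# value in angle brackets, so the raw header value ends in ">".
HEADERS = {
    "From": "Yahoo Support <ya...@gmail.com>",
    "Return-Path": "<ya...@yahoo.com>",
}

def addr_part(value):
    """Rough equivalent of SpamAssassin's :addr modifier: the bare address."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.strip()

def header_rule(headers, name, op, pattern):
    """Evaluate one 'header NAME Hdr[:addr] =~|!~ /pattern/i' line."""
    hdr, _, modifier = name.partition(":")
    value = headers.get(hdr, "")
    if modifier == "addr":
        value = addr_part(value)
    hit = re.search(pattern, value, re.IGNORECASE) is not None
    return hit if op == "=~" else not hit

def not_it_original(headers):
    # The rules exactly as posted: raw header values, unanchored /yahoo/,
    # and /yahoo.com$/ which never matches "<...@yahoo.com>" because of ">".
    from_hit = header_rule(headers, "From", "=~", r"yahoo")
    rp_hit = header_rule(headers, "Return-Path", "!~", r"yahoo.com$")
    return from_hit and rp_hit

def not_it_tightened(headers):
    # Same meta logic on the parsed address, with the domain anchored.
    from_hit = header_rule(headers, "From:addr", "=~", r"\@yahoo\.com$")
    rp_hit = header_rule(headers, "Return-Path:addr", "!~", r"\@yahoo\.com$")
    return from_hit and rp_hit

if __name__ == "__main__":
    print("posted rules fire NOT_IT:", not_it_original(HEADERS))
    print("tightened rules fire NOT_IT:", not_it_tightened(HEADERS))
```

Run `spamassassin -D rules < message.eml` against a saved copy of the message to see which sub-rules actually hit on the real headers.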




Re: OT: Microsoft Breech

2024-03-19 Thread Giovanni Bechis



On 19 March 2024 15:33:10 CET, Bill Cole wrote:
>On 2024-03-19 at 09:51:04 UTC-0400 (Tue, 19 Mar 2024 08:51:04 -0500)
>Thomas Cameron 
>is rumored to have said:
>
>> Does anyone else just block all traffic from *.onmicrosoft.com?
>
>Yes. No collateral damage noticed. That includes a system that has 
>administrative and alerting role accounts which handle email alerts from Azure 
>and MS365.
>
Disposition-Notifications are sent by onmicrosoft.domain.tld domain afaik.
  Giovanni


>> I have literally NEVER gotten anything from that domain which is not obvious 
>> junk.
>>
>> I set up postfix to just flat out refuse anything from that domain.[1] If I 
>> get any complaints, I may ease it up, but I was getting TONS of spam 
>> messages from that domain and I figured it was easiest to just block it.
>>
>> -- 
>> Thomas
>>
>> [1]
>>
>> [root@east ~]# grep onmicrosoft /etc/postfix/sender_access
>> /@*.onmicrosoft\.com/ REJECT
>>
>> [root@east ~]# grep sender_access /etc/postfix/main.cf
>> check_sender_access regexp:/etc/postfix/sender_access
>>
>> On 3/18/24 21:13, Jimmy wrote:
>>>
>>> It's possible that certain email accounts utilizing email services with 
>>> easily guessable passwords were compromised, leading to abuse of the 
>>> .onmicrosoft.com subdomain for sending spam via email.
>>>
>>> I've observed an increase in the blocking of IPs belonging to Microsoft 
>>> Corporation by the SpamCop blacklist since November 2023, with a notable 
>>> spike in activity during February and March 2024.
>>>
>>> Jimmy
>>>
>>>
>>> On Tue, Mar 19, 2024 at 12:10 AM Jared Hall via users
>>> <users@spamassassin.apache.org> wrote:
>>>
>>> I've several customers whose accounts were used to send spam as a
>>> result
>>> of Microsoft's infrastructure breach.
>>>
>>> Curiously, NOBODY has received any breach notifications from Microsoft,
>>> despite personal information being compromised.
>>>
>>> What has anyone else experienced?
>>>
>>> Thanks,
>>>
>>> -- Jared Hall
>>>
>
>


Re: OT: Microsoft Breech

2024-03-19 Thread Thomas Cameron

On 3/19/24 09:52, Michael Storz wrote:

On 2024-03-19 14:51, Thomas Cameron wrote:

Does anyone else just block all traffic from *.onmicrosoft.com? I have
literally NEVER gotten anything from that domain which is not obvious
junk.



We block and have a whitelist with 49 entries at the moment.

Michael


Thanks, sir.

I will whitelist anyone who complains, but like I said... I've literally 
never gotten email from that domain which was not spam.


--
Thomas


Re: OT: Microsoft Breech

2024-03-19 Thread Michael Storz

On 2024-03-19 14:51, Thomas Cameron wrote:

Does anyone else just block all traffic from *.onmicrosoft.com? I have
literally NEVER gotten anything from that domain which is not obvious
junk.



We block and have a whitelist with 49 entries at the moment.

Michael


Re: OT: Microsoft Breech

2024-03-19 Thread Bill Cole
On 2024-03-19 at 09:51:04 UTC-0400 (Tue, 19 Mar 2024 08:51:04 -0500)
Thomas Cameron 
is rumored to have said:

> Does anyone else just block all traffic from *.onmicrosoft.com?

Yes. No collateral damage noticed. That includes a system that has 
administrative and alerting role accounts which handle email alerts from Azure 
and MS365.

> I have literally NEVER gotten anything from that domain which is not obvious 
> junk.
>
> I set up postfix to just flat out refuse anything from that domain.[1] If I 
> get any complaints, I may ease it up, but I was getting TONS of spam messages 
> from that domain and I figured it was easiest to just block it.
>
> -- 
> Thomas
>
> [1]
>
> [root@east ~]# grep onmicrosoft /etc/postfix/sender_access
> /@*.onmicrosoft\.com/ REJECT
>
> [root@east ~]# grep sender_access /etc/postfix/main.cf
> check_sender_access regexp:/etc/postfix/sender_access
>
> On 3/18/24 21:13, Jimmy wrote:
>>
>> It's possible that certain email accounts utilizing email services with 
>> easily guessable passwords were compromised, leading to abuse of the 
>> .onmicrosoft.com subdomain for sending spam via email.
>>
>> I've observed an increase in the blocking of IPs belonging to Microsoft 
>> Corporation by the SpamCop blacklist since November 2023, with a notable 
>> spike in activity during February and March 2024.
>>
>> Jimmy
>>
>>
>> On Tue, Mar 19, 2024 at 12:10 AM Jared Hall via users
>> <users@spamassassin.apache.org> wrote:
>>
>> I've several customers whose accounts were used to send spam as a
>> result
>> of Microsoft's infrastructure breach.
>>
>> Curiously, NOBODY has received any breach notifications from Microsoft,
>> despite personal information being compromised.
>>
>> What has anyone else experienced?
>>
>> Thanks,
>>
>> -- Jared Hall
>>


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: OT: Microsoft Breech

2024-03-19 Thread Thomas Cameron
I am using this setup in my postfix main.cf. [obfuscated] is my actual 
key for spamhaus.


smtpd_recipient_restrictions =
check_sender_access regexp:/etc/postfix/sender_access
permit_mynetworks
permit_auth_destination
permit_sasl_authenticated
reject_rbl_client [obfuscated].zen.dq.spamhaus.net=127.0.0.[2..11]
reject_rhsbl_sender [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
reject_rhsbl_helo [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
reject_rhsbl_reverse_client [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]

reject_rhsbl_sender [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
reject_rhsbl_helo [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
reject_rhsbl_reverse_client [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]

reject

I was still getting a TON of junk from onmicrosoft.com. I blocked the 
domain many months ago... Do you recommend I let that back open? I 
definitely don't want to miss emails from folks who use outlook.com 
(although, not gonna lie, it feels nice to raise a middle finger to 
Microsoft for their terrible email practices).


--
Thomas

On 3/19/24 09:02, Marc wrote:

I am using spamcop and spamhaus to block. There are indeed outlook.com ip 
addresses that bounce.



Does anyone else just block all traffic from *.onmicrosoft.com? I have
literally NEVER gotten anything from that domain which is not obvious junk.

I set up postfix to just flat out refuse anything from that domain.[1]
If I get any complaints, I may ease it up, but I was getting TONS of
spam messages from that domain and I figured it was easiest to just
block it.



RE: OT: Microsoft Breech

2024-03-19 Thread Marc
I am using spamcop and spamhaus to block. There are indeed outlook.com ip 
addresses that bounce. 

> 
> Does anyone else just block all traffic from *.onmicrosoft.com? I have
> literally NEVER gotten anything from that domain which is not obvious junk.
> 
> I set up postfix to just flat out refuse anything from that domain.[1]
> If I get any complaints, I may ease it up, but I was getting TONS of
> spam messages from that domain and I figured it was easiest to just
> block it.
> 


Re: OT: Microsoft Breech

2024-03-19 Thread Thomas Cameron
Does anyone else just block all traffic from *.onmicrosoft.com? I have 
literally NEVER gotten anything from that domain which is not obvious junk.


I set up postfix to just flat out refuse anything from that domain.[1] 
If I get any complaints, I may ease it up, but I was getting TONS of 
spam messages from that domain and I figured it was easiest to just 
block it.


--
Thomas

[1]

[root@east ~]# grep onmicrosoft /etc/postfix/sender_access
/@*.onmicrosoft\.com/ REJECT

[root@east ~]# grep sender_access /etc/postfix/main.cf
check_sender_access regexp:/etc/postfix/sender_access

On 3/18/24 21:13, Jimmy wrote:


It's possible that certain email accounts utilizing email services with 
easily guessable passwords were compromised, leading to abuse of the 
.onmicrosoft.com subdomain for sending spam via email.


I've observed an increase in the blocking of IPs belonging to Microsoft 
Corporation by the SpamCop blacklist since November 2023, with a notable 
spike in activity during February and March 2024.


Jimmy


On Tue, Mar 19, 2024 at 12:10 AM Jared Hall via users
<users@spamassassin.apache.org> wrote:


I've several customers whose accounts were used to send spam as a
result
of Microsoft's infrastructure breach.

Curiously, NOBODY has received any breach notifications from Microsoft,
despite personal information being compromised.

What has anyone else experienced?

Thanks,

-- Jared Hall
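As an added example (not code from the thread), the Python below checks the `sender_access` pattern posted above against a few constructed envelope senders. Postfix regexp tables search the lookup key unanchored and case-insensitively unless the pattern says otherwise, so `/@*.onmicrosoft\.com/` (zero or more `@`, any one character, then the literal domain) also matches senders that merely contain that string; the anchored `TIGHT` pattern is my suggestion for limiting the reject to the domain and its subdomains.

```python
import re

# Pattern as posted in the thread's /etc/postfix/sender_access table.
POSTED = r"@*.onmicrosoft\.com"
# Tightened alternative (my suggestion): local part, "@", optional
# subdomain labels, then the exact domain at the end of the address.
TIGHT = r"^[^@]+@([^@.]+\.)*onmicrosoft\.com$"

def rejects(pattern, sender):
    """True if a regexp-table entry with this pattern would match the sender."""
    return re.search(pattern, sender, re.IGNORECASE) is not None

# Constructed senders: the first two are the intended targets, the rest
# show where the unanchored pattern over-matches.
SENDERS = [
    "alice@tenant.onmicrosoft.com",       # tenant subdomain, should be caught
    "bob@onmicrosoft.com",                # bare domain, should be caught
    "carol@example.org",                  # unrelated, must pass
    "dave@onmicrosoft.com.example.org",   # a subdomain of example.org
    "erin@not-onmicrosoft.com",           # different domain sharing a suffix
]

def classify(pattern):
    """Map each constructed sender to whether the pattern rejects it."""
    return {s: rejects(pattern, s) for s in SENDERS}

if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("tight", TIGHT)):
        print(name)
        for sender, hit in classify(pattern).items():
            print(f"  {'REJECT' if hit else 'pass  '} {sender}")
```

`postmap -q "erin@not-onmicrosoft.com" regexp:/etc/postfix/sender_access` shows the same lookup result on a real Postfix host.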