RE: Better phish detection
-Original Message-
From: David F. Skoll [mailto:d...@roaringpenguin.com]
Sent: Monday, March 12, 2012 12:49 PM
To: users@spamassassin.apache.org
Subject: Re: Better phish detection

> Hi,
> I've been following this thread... not sure how many of you are aware of this project:
> http://code.google.com/p/anti-phishing-email-reply/
> We use the phishing address list and it does catch a few things. We don't yet use the phishing URL list, but it looks like it might help. Naturally, this list is reactive, but if enough people used it and contributed to it, the results might be pretty good.
> Regards,
> David.

---

We use it here; I've got a little python script that parses out recent entries from that project and builds a simple postfix static map to block mail attempts to them. I'm happy to share if anyone's interested.

- Aaron Bennett
Manager, Systems Administration
Clark University ITS
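The script Aaron mentions is not on the page; the following is an added example (not his code) of the same idea: turn recent entries from the phishing address list into a Postfix access map for check_recipient_access. It assumes a line format of "address,flags,YYYYMMDD" with "#" comments, which is an assumption about the list, and the sample addresses are constructed.

```python
import datetime

# Constructed sample in the format this example ASSUMES for the project's list:
# "address,flags,YYYYMMDD" per line, '#' starts a comment. Made-up addresses.
SAMPLE_LIST = """\
# constructed sample, not the project's data
phish-reply@example.net,A,20120310
old-drop@example.org,A,20110101
another-drop@example.com,AB,20120301   # trailing comment
bad line without fields
"""

def parse_entries(text):
    """Yield (address, flags, first_seen_date) for each well-formed line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or "@" not in fields[0]:
            continue  # malformed: skip rather than emit a bogus map key
        try:
            seen = datetime.datetime.strptime(fields[2], "%Y%m%d").date()
        except ValueError:
            continue  # unparsable date: skip the entry
        yield fields[0].lower(), fields[1], seen

def build_access_map(text, today_iso, max_age_days=90):
    """Return sorted Postfix access-map lines that reject mail addressed to
    drop addresses first seen within max_age_days of today_iso (YYYY-MM-DD).
    Older entries are dropped so the map does not grow without bound."""
    today = datetime.date.fromisoformat(today_iso)
    cutoff = today - datetime.timedelta(days=max_age_days)
    lines = set()  # de-duplicate addresses listed more than once
    for address, _flags, seen in parse_entries(text):
        if seen >= cutoff:
            lines.add(f"{address}\tREJECT Listed phishing drop address")
    return sorted(lines)

if __name__ == "__main__":
    for line in build_access_map(SAMPLE_LIST, "2012-03-12"):
        print(line)
```

The output is the text form of an access map; it still has to be compiled with postmap and referenced from check_recipient_access, which is the static map the post refers to.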
RE: preventing authenticated smtp users from triggering PBL
> -Original Message-
> From: Ted Mittelstaedt [mailto:t...@ipinc.net]
> Sent: Friday, December 17, 2010 12:20 PM
> To: users@spamassassin.apache.org
> Subject: Re: preventing authenticated smtp users from triggering PBL
>
> why are you using authenticated SMTP from trusted networks?
>
> The whole point of auth smtp is to come from UN-trusted networks.

I think you are misunderstanding. I may be on an untrusted network, but I want to send email through a host on a trusted network. By authenticating, I can. It was the "trusted host" which authenticated me, and thus SA needs to take into consideration that I was authenticated by a trusted host before applying the PBL rule to the address the mail initiated on.
RE: preventing authenticated smtp users from triggering PBL
> -Original Message-
>
> Based on the headers you included, there's nothing indicating the sender was authenticated. Are you using the following in postfix?
>
> smtpd_sasl_authenticated_header yes

No, I'm not -- that's a good idea. If I turn that on, can I write a rule based on it, or will SA pick up on it automatically?

Thanks,
Aaron
preventing authenticated smtp users from triggering PBL
Hi,

I've got an issue where users off-campus who are doing authenticated SMTP/TLS from home networks are having their mail hit by the PBL. I have trusted_networks set to include the incoming relay, but still the PBL hits it as follows:

Received: from cmail.clarku.edu (muse.clarku.edu [140.232.1.151]) by mothra.clarku.edu (Postfix) with ESMTP id D4FC2684FEA for ; Tue, 7 Dec 2010 00:11:24 -0500 (EST)
Received: from SENDERMACHINE (macaddress.hsd1.ma.comcast.net [98.216.185.77]) by cmail.clarku.edu (Postfix) with ESMTP id 82F21901E48 for ; Tue, 7 Dec 2010 00:11:24 -0500 (EST)
From: "USER NAME"

Despite internal_networks and trusted_networks being set to 140.232.0.0/16, the message still triggers the PBL rule. Given that I know that (unless there's a trojaned machine or whatever) I must trust email that comes in over authenticated SMTP/TLS through the 'cmail' host, how can I prevent it from hitting the PBL?

Thanks,
Aaron

---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
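The three posts in this thread turn on which Received hop SpamAssassin treats as the first untrusted relay. The following is an added example, not code from the thread or from SpamAssassin, that walks the Received chain the way SA does: newest hop first, stopping at the first connecting IP outside trusted_networks, and treating a hop as trusted when the (already trusted) receiving MTA recorded an "(Authenticated sender: ...)" marker, which is what smtpd_sasl_authenticated_header adds. The header lines are constructed from those quoted in the post; the authenticated sender name is made up.

```python
import ipaddress
import re

TRUSTED_NETWORKS = [ipaddress.ip_network("140.232.0.0/16")]

# Constructed sample modelled on the Received headers quoted above, newest hop
# first: the campus relay cmail accepted the message from a home cable-modem IP.
RECEIVED_NO_AUTH = [
    "from cmail.clarku.edu (muse.clarku.edu [140.232.1.151]) by mothra.clarku.edu (Postfix) with ESMTP id D4FC2684FEA",
    "from SENDERMACHINE (macaddress.hsd1.ma.comcast.net [98.216.185.77]) by cmail.clarku.edu (Postfix) with ESMTP id 82F21901E48",
]
# Same path once cmail runs with smtpd_sasl_authenticated_header = yes: Postfix
# then adds an "(Authenticated sender: ...)" comment to the Received line it writes.
RECEIVED_WITH_AUTH = [
    RECEIVED_NO_AUTH[0],
    "from SENDERMACHINE (macaddress.hsd1.ma.comcast.net [98.216.185.77]) "
    "(Authenticated sender: someuser) by cmail.clarku.edu (Postfix) with ESMTPSA id 82F21901E48",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\(Authenticated sender:", re.IGNORECASE)

def parse_hop(line):
    """Extract the connecting IP and whether the receiving MTA recorded SMTP AUTH."""
    match = IP_RE.search(line)
    if match is None:
        raise ValueError("no bracketed IPv4 literal in Received line")
    return ipaddress.ip_address(match.group(1)), bool(AUTH_RE.search(line))

def is_trusted(ip_text):
    return any(ipaddress.ip_address(ip_text) in net for net in TRUSTED_NETWORKS)

def first_untrusted_relay(received):
    """Return the IP a DNSBL such as the PBL would be looked up against, or
    None when every hop is trusted. The walk only reaches a hop after all
    newer hops were trusted, so that hop's Received line was written by a
    trusted MTA; its authenticated-sender marker can therefore be honoured,
    while a forged marker in an older, untrusted hop is never reached."""
    for line in received:
        ip, authenticated = parse_hop(line)
        if is_trusted(str(ip)) or authenticated:
            continue
        return str(ip)
    return None

if __name__ == "__main__":
    print("no auth marker :", first_untrusted_relay(RECEIVED_NO_AUTH))
    print("auth marker    :", first_untrusted_relay(RECEIVED_WITH_AUTH))
```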
Re: sane values for size of bayes_token database in MySQL
On 06/29/2010 11:00 AM, Kris Deugau wrote:
> Aaron Bennett wrote:
>
> 1) Are you supposed to have a global Bayes DB?
> 2) How many users do you have?
> 3) If the answer to 1) is "yes", did you set bayes_sql_override_username?
>
> If the answer to 1) is no, you're probably not running Bayes expiry for every user, so their individual sub-databases are growing without bound. Better to re-enable auto-expiry (it's primarily a concern with global databases, particularly with DB_File).

We are using amavis-maia so every bayes transaction is made under the amavis user -- is that the same as a global database?
sane values for size of bayes_token database in MySQL
I'm sort of pulling at straws here, but I'm reading the manpage for sa-learn and it says that sa-learn will try to expire bayes tokens according to this:

- the number of tokens in the DB is > 100,000
- the number of tokens in the DB is > bayes_expiry_max_db_size
- there is at least a 12 hr difference between the oldest and newest token atimes

I haven't changed bayes_expiry_max_db_size and I run sa-learn --force-expire every night via cron and I have bayes_auto_expire set to 0. That said, my bayes_token database is huge:

| Name              | Engine | Version | Row_format | Rows      | Avg_row_length | Data_length | Max_data_length | Index_length | Data_free | Auto_increment | Create_time         | Update_time | Check_time | Collation         | Checksum | Create_options | Comment                  |
| bayes_expire      | InnoDB | 9       | Fixed      | 1         | 16384          | 16384       | NULL            | 16384        | 0         | NULL           | 2006-07-06 11:25:28 | NULL        | NULL       | latin1_swedish_ci | NULL     |                | InnoDB free: 29522944 kB |
| bayes_global_vars | InnoDB | 9       | Dynamic    | 1         | 16384          | 16384       | NULL            | 0            | 0         | NULL           | 2006-07-06 11:25:28 | NULL        | NULL       | latin1_swedish_ci | NULL     |                | InnoDB free: 29522944 kB |
| bayes_seen        | InnoDB | 9       | Dynamic    | 90902320  | 175            | 15980298240 | NULL            | 0            | 0         | NULL           | 2006-07-06 11:25:28 | NULL        | NULL       | latin1_swedish_ci | NULL     |                | InnoDB free: 29522944 kB |
| bayes_token       | InnoDB | 9       | Fixed      | 596422823 | 83             | 49507483648 | NULL            | 40946384896  | 0         | NULL           | 2006-07-06 11:25:28 | NULL        | NULL       | latin1_swedish_ci | NULL     |                | InnoDB free: 29522944 kB |

particularly bayes_token which is almost 50GB and has WAY more than 150,000 rows. Is this sane?
boosting PBL score suggestions
Hi,

We're noticing that much of the spam which makes it through our filter hits the spamhaus pbl rule. However, that rule by itself scores only 0.9. Since we quarantine spam through a web interface (maia), we're pretty tolerant of false positives. Do any of you folks have a suggestion about raising the RCVD_IN_PBL score? I was thinking of raising it as high as 2 or 3. Another thing I'm considering is a META rule that scores for PBL + BAYES_60, etc. I am generally reluctant to mess much with the default scoring -- but I'm always looking for a better setup.

Aaron Bennett
Clark University ITS
sa-update, dostech, / RHEL5 question
Hi,

I'm in the process of converting to sa-update on rhel5, spamassassin 3.2.4, to replace a rules_du_jour installation. I'm trying to use the dostech sa-update channels. Ultimately I'm looking to use a channel file, but for now I'm trying to get just one channel to work. I'm getting this error when I run with debugging:

[20790] dbg: dns: query failed: 4.2.3.72_sare_bml_post25x.cf.sare.sa-update.dostech.net => NOERROR

Thanks for any suggestions -
Aaron Bennett

Here's the complete output of the sa-update:

[EMAIL PROTECTED] ~]# sa-update --channel 72_sare_bml_post25x.cf.sare.sa-update.dostech.net -D --gpgkey 856AA88A
[20790] dbg: logger: adding facilities: all
[20790] dbg: logger: logging level is DBG
[20790] dbg: generic: SpamAssassin version 3.2.4
[20790] dbg: config: score set 0 chosen.
[20790] dbg: dns: no ipv6
[20790] dbg: dns: is Net::DNS::Resolver available? yes
[20790] dbg: dns: Net::DNS version: 0.63
[20790] dbg: generic: sa-update version svn607589
[20790] dbg: generic: using update directory: /var/lib/spamassassin/3.002004
[20790] dbg: diag: perl platform: 5.008008 linux
[20790] dbg: diag: module installed: Digest::SHA1, version 2.11
[20790] dbg: diag: module installed: HTML::Parser, version 3.56
[20790] dbg: diag: module installed: Net::DNS, version 0.63
[20790] dbg: diag: module installed: MIME::Base64, version 3.07
[20790] dbg: diag: module installed: DB_File, version 1.814
[20790] dbg: diag: module installed: Net::SMTP, version 2.29
[20790] dbg: diag: module not installed: Mail::SPF ('require' failed)
[20790] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[20790] dbg: diag: module installed: IP::Country::Fast, version 604.001
[20790] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[20790] dbg: diag: module not installed: Net::Ident ('require' failed)
[20790] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[20790] dbg: diag: module installed: IO::Socket::SSL, version 1.13
[20790] dbg: diag: module installed: Compress::Zlib, version 2.01
[20790] dbg: diag: module installed: Time::HiRes, version 1.86
[20790] dbg: diag: module installed: Mail::DomainKeys, version 1.0
[20790] dbg: diag: module not installed: Mail::DKIM ('require' failed)
[20790] dbg: diag: module installed: DBI, version 1.604
[20790] dbg: diag: module installed: Getopt::Long, version 2.35
[20790] dbg: diag: module installed: LWP::UserAgent, version 2.033
[20790] dbg: diag: module installed: HTTP::Date, version 1.47
[20790] dbg: diag: module installed: Archive::Tar, version 1.38
[20790] dbg: diag: module installed: IO::Zlib, version 1.09
[20790] dbg: diag: module not installed: Encode::Detect ('require' failed)
[20790] dbg: gpg: adding key id 856AA88A
[20790] dbg: gpg: Searching for 'gpg'
[20790] dbg: util: current PATH is: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
[20790] dbg: util: executable for gpg was found at /usr/bin/gpg
[20790] dbg: gpg: found /usr/bin/gpg
[20790] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE 856AA88A
[20790] dbg: channel: attempting channel 72_sare_bml_post25x.cf.sare.sa-update.dostech.net
[20790] dbg: channel: update directory /var/lib/spamassassin/3.002004/72_sare_bml_post25x_cf_sare_sa-update_dostech_net
[20790] dbg: channel: channel cf file /var/lib/spamassassin/3.002004/72_sare_bml_post25x_cf_sare_sa-update_dostech_net.cf
[20790] dbg: channel: channel pre file /var/lib/spamassassin/3.002004/72_sare_bml_post25x_cf_sare_sa-update_dostech_net.pre
[20790] dbg: dns: query failed: 4.2.3.72_sare_bml_post25x.cf.sare.sa-update.dostech.net => NOERROR
[20790] dbg: channel: no updates available, skipping channel
[20790] dbg: diag: updates complete, exiting with code 1
[EMAIL PROTECTED] ~]#
Re: VBounce ruleset
Karsten Bräckelmann wrote:
> Please check the recent archives for threads about the VBounce plugin or backscatter.

I apologize for not doing that... however, had I, I would have still asked the question because the advice given is not suitable for an enterprise deployment:

# If you use this, set up procmail or your mail app to spot the
# "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move
# messages that match that to a 'vbounce' folder.

If you read further you'll see that you didn't answer my original question:

> My question is to people who've been using the rules in a real production environment -- do you see them working with the default scores, or have you tweaked them at all?

Using procmail or a client side filter to file spam based on an X-Spam-Status line is not appropriate for a large, or even moderately large, end-user focused deployment -- that's why I asked if others are altering the default scores. Again, a thousand apologies for making you repeat yourself.

That all being said... Is anyone using these rules for spam detection? If so, how have you been scoring them? I'm glad to have a confirmation that 0.1 is obviously not enough but I'm curious how others are scoring these rules, given a general spam target of 5. I'm thinking of scoring in the range of 1.5 - 2...

Best,
Aaron Bennett
VBounce ruleset
Hi,

I'm giving some thought to deploying the Vbounce ruleset into an existing SA 3.1.9+Maia Mailguard / 5,000 user email environment. It makes good sense; the only thing that seems off is the scoring. As I see it, none of the rules score greater than 0.1. It's hard to see how that's going to catch much of any spam -- even if BOUNCE_MESSAGE, CRBOUNCE_MESSAGE, and VBOUNCE_MESSAGE all hit together it wouldn't score more than 0.3. My question is to people who've been using the rules in a real production environment -- do you see them working with the default scores, or have you tweaked them at all?

Best,
Aaron Bennett
Re: AWL Database Cleanup
listmail wrote:
> I noticed that the AWL database was getting rather large, so I used the check_whitelist script to remove the stale entries. While this seems to have removed a lot of entries from the database, it did not reduce the database size.

If you are using MySQL with the Innodb backend, removing entries will not always shrink the database's physical file.
http://dev.mysql.com/doc/refman/5.0/en/innodb-file-defragmenting.html