Re: false positive: KHOP_BIG_TO_CC
On 10/2/13 6:30 AM, Tony Finch d...@dotat.at wrote:

We've had a report from a user about a false positive involving KHOP_BIG_TO_CC which has a score of 3.4. This seems like an excessive penalty for perfectly reasonable behaviour.

I've also seen false positives on this. I was going to change it to 25 addresses locally, but haven't gotten around to it yet.

header   KHOP_BIG_TO_CC  ToCc =~ /(?:[^,\@]{1,60}\@[^,]{4,25},){10}/
describe KHOP_BIG_TO_CC  Sent to 10+ recipients instead of Bcc or a list
score    KHOP_BIG_TO_CC  3.199 3.399 3.199 3.399

Tony.

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Problems with BCCing from spammers
On 8/15/13 11:53 AM, Ted Mittelstaedt t...@ipinc.net wrote: On 8/15/2013 12:14 AM, Axb wrote: On 08/15/2013 12:20 AM, Ted Mittelstaedt wrote: I take it by the: a) lack of usable responses b) responses NOT claiming this ISN'T a bug it is *not* a bug. It's not SA's task to split a msg to multiple rcpts. Your glue (hack) or MTA (best) should do this. It IS a bug since the software is not acting according to how it's documented or expected. That is the definition of a software bug. You can argue that it's a documentation bug and I might agree but it's still a bug The wiki is reasonably clear that various headers are searched: http://wiki.apache.org/spamassassin/AllSpamToFiltering -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: spam problem Centos 6
On 7/11/13 3:23 PM, Dejan Doder dode...@gmail.com wrote:

Yes of course I have installed spamassassin

Some of the spamassassin tuning parameters are amavisd specific, or overwritten by amavisd. In particular, the tag_level parameters in amavisd.conf are used to set threshold scores for including headers, marking as spam, and quarantines. Most likely you need to tweak those. Also, you need to set localdomain. Amavisd will by default only scan messages bound for your localdomain, so that you aren't marking outbound mail as spam...

I would suggest finding amavisd.conf and reading through it. Lots of interesting things to set up in there. I'm sure there is someone for whom the defaults are right, but I've never met that person...

On 7/11/13, Dejan Doder dode...@gmail.com wrote:

http://wiki.centos.org/HowTos/Amavisd

When I send spam test I see in log CLEAN?!? Do not need spamd daemon means I have to stop daemon?

On 7/11/13, Bowie Bailey bowie_bai...@buc.com wrote:

On 7/11/2013 3:32 PM, Dejan Doder wrote:

I installed these two RPMs on Centos 6: amavisd-new.noarch 0:2.8.0-4.el64 postfix-2.6.6-2.2.el6_1.i686 clamav-0.97.8-1.el6.i686 and don't see any errors in logs, antivirus works fine but spam NO. If I receive spam message nothing happens. I followed tutorial on Centos Wiki..everything is the same..

Did you install SpamAssassin? Amavis will work with it, but you have to install it. Give us a link to the wiki page so we can see which tutorial you were following. And note that you do not need the spamd daemon running if you are calling SA through amavis.

-- Bowie
Re: Massive spamruns
On 6/12/13 1:25 PM, Alex mysqlstud...@gmail.com wrote: John Hardin wrote: As was suggested earlier: greylisting? I really don't think my users would tolerate the delay, so I've never implemented it. They would have vendors calling them on the phone complaining, not to mention users. From what I understand the delay can be multiple minutes, correct? Yes, but only for the first message. Once you've proved that they are a real mail-server greylisting is pretty pointless. I'd imagine there's support for whitelisting an IP after receiving multiple messages over some extended period? Yes, once a machine has gone through greylisting successfully, it is added to the white list. Is it something suitable for an environment with a few hundred thousand messages per day? In my opinion, yes, but you have to watch out for systems that need to be exempted from grey-listing. Mostly large pools of outbound servers like Microsoft Live and gmail. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: PayPal spam filter?
On 6/12/13 2:30 PM, Juerg Reimann j...@jworld.ch wrote:

Hi there, Is there a filter to block PayPal phishing mails, i.e. everything that claims to come from PayPal but is not?

I believe PayPal is DKIM signed, so it shouldn't be hard to modify these rules for PayPal:

header __L_ML1        Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2        exists:List-Id
header __L_ML3        exists:List-Post
header __L_ML4        exists:Mailing-List
header __L_HAS_SNDR   exists:Sender
meta   __L_VIA_ML     __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR

header __L_FROM_Y1    From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2    From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3    From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
header __L_FROM_Y4    From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta   __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4

header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i

meta     L_UNVERIFIED_YAHOO  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO  500
score    L_UNVERIFIED_YAHOO  2.5

meta     L_UNVERIFIED_GMAIL  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL  500
score    L_UNVERIFIED_GMAIL  2.5

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
FP on SPOOF_COM2OTH (and potentially SPOOF_COM2COM)
I had a recent FP message that hit both the SPOOF_COM2OTH and SPOOF_COM2COM rules. I don't think COM2OTH is appropriate:

Jun 6 13:55:49.469 [26386] dbg: rules: ran uri rule SPOOF_COM2OTH ======> got hit: http://wwwDOTMUNGEDDOTcomDOTtemp.DOTlivebooks.
Jun 6 13:55:49.469 [26386] dbg: rules: ran uri rule SPOOF_COM2COM ======> got hit: http://wwwDOTMUNGEDDOTcomDOTtempDOTlivebooksDOTcom

A scan of the message shows that these two rules are hitting the same line. A quick check of my logs shows 100% overlap in one direction:

[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2OTH /var/log/mail/info.log | grep -vc SPOOF_COM2COM
0
[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2OTH /var/log/mail/info.log | grep -c SPOOF_COM2COM
26
[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2COM /var/log/mail/info.log | grep -vc SPOOF_COM2OTH
13

I'll be disabling SPOOF_COM2OTH for now, but thought someone might want to look into it. I also see a single exception of s3.amazonaws.com from the rule. I might add livebooks to that list locally.

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Spam rule
On 6/6/13 4:23 PM, Rejaine Monteiro reja...@bhz.jamef.com.br wrote:

Hi list, How can I make a rule to do something like this: block messages

For the pedantic, SpamAssassin doesn't block mail. It marks it. Whether you block mail that has been marked with some other process is up to you...

with body or subject contains 'lalalalala' AND url with PDF NOT contains 'trusted.net'

body   __LALA_B      /la{5}/
header __LALA_H      Subject =~ /la{5}/
header __LALA_TRUST  Received =~ /192\.162\.101\.\d{1,3}/
meta   MY_LALA       (__LALA_B || __LALA_H) && __HAS_ANY_URI && __PDF_ATTACH && !__LALA_TRUST
score  MY_LALA       5.0

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Spam rule
On 6/6/13 5:14 PM, Wolfgang Zeikat wolfgang.zei...@desy.de wrote:

Hi, In an older episode, on 2013-06-06 23:54, Daniel McDonald wrote:

with body or subject contains 'lalalalala' AND url with PDF NOT contains 'trusted.net'

body   __LALA_B  /la{5}/
header __LALA_H  Subject =~ /la{5}/

shouldn't that be /(la){5}/

Well, more properly /(?:la){5}/

I think /la{5}/ would match la instead of lalalalala ...

Quite right...
Re: Calling spamassassin directly yields very different results than calling spamassassin via amavis-new
On 4/16/13 2:59 PM, Ben Johnson b...@indietorrent.org wrote:

Are there any normal circumstances under which Bayes tests are not run?

Yes, if use_bayes 0 is included in the local.cf file.

If not, are there circumstances under which Bayes tests are run but their results are not included in the message headers? (I have tag_level set to -999, so SA headers are always added.)

That sounds like an amavisd command, you may want to check in ~amavisd/.spamassassin/user_prefs as well

Likewise, for the vast majority of spam messages that slip through, I see no evidence of Pyzor or Razor2 activity. I have heretofore assumed that this observation indicates that the network tests were performed, but did not contribute to the SA score. Is this assumption valid?

Yes.

Also, is there some means by which to *force* Pyzor and Razor2 scores to be added to the SA header, even if they did not contribute to the score?

I imagine you would want something like this:

full     RAZOR2_CF_RANGE_0_50  eval:check_razor2_range('','0','50')
tflags   RAZOR2_CF_RANGE_0_50  net
reuse    RAZOR2_CF_RANGE_0_50
describe RAZOR2_CF_RANGE_0_50  Razor2 gives confidence level under 50%
score    RAZOR2_CF_RANGE_0_50  0.01

full     RAZOR2_CF_RANGE_E4_0_50  eval:check_razor2_range('4','0','50')
tflags   RAZOR2_CF_RANGE_E4_0_50  net
reuse    RAZOR2_CF_RANGE_E4_0_50
describe RAZOR2_CF_RANGE_E4_0_50  Razor2 gives engine 4 confidence level below 50%
score    RAZOR2_CF_RANGE_E4_0_50  0.01

full     RAZOR2_CF_RANGE_E8_0_50  eval:check_razor2_range('8','0','50')
tflags   RAZOR2_CF_RANGE_E8_0_50  net
reuse    RAZOR2_CF_RANGE_E8_0_50
describe RAZOR2_CF_RANGE_E8_0_50  Razor2 gives engine 8 confidence level below 50%
score    RAZOR2_CF_RANGE_E8_0_50  0.01

To refresh folks' memories, we have verified that Bayes is set up correctly (database was wiped and now training is done manually and is supervised), and that network tests are being performed when messages are scanned. Thanks for sticking with me through all of this, guys! -Ben

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: X-Relay-Countries on 3.3.2 vs 3.4
On 3/5/13 2:15 PM, Scott Ostrander sostran...@printronix.com wrote: From: Benny Pedersen [mailto:m...@junc.eu] Scott Ostrander skrev den 2013-03-05 20:22: On system A (SA 3.4) I am getting RELAY_COUNTRY_XX Same email on system B (SA 3.2.2) I get RELAY_COUNTRY_ES correctly resolved. ip2cc 2.104.223.10 if not found you need updates XX is imho ip is not in use On both systems I get: # Ip2cc 146.255.100.187 Country: ES (Spain) However system A (3.4) also has GeoIP installed as suggested at http://wiki.apache.org/spamassassin/RelayCountryPlugin Is there a way to upgrade GeoIP ? I think you have to grab files from http://dev.maxmind.com/geoip/geolite Maxmind says they update them on the first Tuesday of each month. The RPM on mageia 2 has a crontab entry in /etc/cron/monthly that runs on the first day of the month, meaning that the data will be 3-7 weeks old. It appears to grab GeoIP.dat, GeoIPv6.dat, and GeoLiteCity.dat Or should I just remove Geo::IP as it appears that it is not keeping up with the updates like IP::Country::Fast
Re: X-Relay-Countries
On 2/16/13 8:10 AM, Henrik K h...@hege.li wrote: Well I updated http://mailfud.org/ip-country-fast/ for the last time.. (no, you don't need the authorities gifs) There is no excuse not using SpamAssassin 3.4 with Geo::IP support (also ipv6 works). Like the wiki says. 45 open bugs targeted for that version, 5 of them blockers? Sounds like a valid excuse to me. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: X-Relay-Countries
On 2/14/13 6:21 AM, Ned Slider n...@unixmail.co.uk wrote:

On 12/02/13 20:33, Daniel McDonald wrote:

On 2/12/13 1:15 PM, David F. Skoll d...@roaringpenguin.com wrote:

PS: Beware of penalizing other countries too much. My mail originates from Canada and the PostgreSQL mailing list is (or used to be?) hosted in Panama. Furthermore, by far the lion's share of spam originates from the US.

Yes, of course. But some mail just isn't likely to originate overseas. For example, we have been getting a lot of phishes pretending to be FedEX non-delivery notices. FedEX is based in the US, so if I see FedEX and RELAY_NOT_US, and a couple of other spam signs, I can more safely conclude it is spam

Nice idea, but why not just use SPF for fedex.com as they bother to publish an SPF record? Surely that has to be a far more reliable indicator it wasn't sent from fedex?

$ dig txt fedex.com
;; ANSWER SECTION:
fedex.com. 10578 IN TXT "v=spf1 redirect=_spf.infosec.fedex.com"

They might sign their mail too, but as I don't have any legitimate fedex mails to hand, I can't confirm that.

We get plenty of messages from suppliers stating that they have made a shipment, and the fedex tracking number is foo. But lately we've been getting a lot of phishes where the link for the fedex tracking number actually points to malware, and most of these are using cracked accounts and are being generated on botnets, so I'm looking for a fedex tracking link that didn't originate locally.

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
X-Relay-Countries
I've had a simple rule I use to see if mail is forwarded through a "foreign country":

header   RELAY_NOT_US  X-Relay-Countries =~ /\b(?:[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}|\b/
describe RELAY_NOT_US  Relayed through any country other than the US
score    RELAY_NOT_US  0.01

I mostly use it in metas, but it's a nice flag when doing other correlations. Unfortunately, the perl expression doesn't work for countries like the Ukraine (UA) or Russia (RU). And I don't really want !RELAY_US, for lots of reasons. Can someone suggest an expression that will match any 2-capital-letter word other than US?

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: X-Relay-Countries
On 2/12/13 12:47 PM, Daniel McDonald dan.mcdon...@austinenergy.com wrote:

I've had a simple rule I use to see if mail is forwarded through a "foreign country":

header RELAY_NOT_US X-Relay-Countries =~ /\b(?:[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}|\b/

Oops. I was fiddling with the syntax trying to fix it. This is my current rule:

header RELAY_NOT_US X-Relay-Countries =~ /\b[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}\b/

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: X-Relay-Countries
On 2/12/13 1:15 PM, David F. Skoll d...@roaringpenguin.com wrote:

On Tue, 12 Feb 2013 14:14:46 -0500 David F. Skoll d...@roaringpenguin.com wrote:

header RELAY_NOT_US X-Relay-Countries =~ /\b(?:[A-TW-Z][A-Z]|[A-Z][A-RT-Z])\b/

Emm... should be

header RELAY_NOT_US X-Relay-Countries =~ /\b(?:[A-TV-Z][A-Z]|[A-Z][A-RT-Z])\b/

Quite right, and quite simple. Thanks!

PS: Beware of penalizing other countries too much. My mail originates from Canada and the PostgreSQL mailing list is (or used to be?) hosted in Panama. Furthermore, by far the lion's share of spam originates from the US.

Yes, of course. But some mail just isn't likely to originate overseas. For example, we have been getting a lot of phishes pretending to be FedEX non-delivery notices. FedEX is based in the US, so if I see FedEX and RELAY_NOT_US, and a couple of other spam signs, I can more safely conclude it is spam
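As an added example that is not part of the thread, here are the two X-Relay-Countries patterns from this exchange run over constructed header values in Python, so the UA/RU failure of the letter-omitting class and the corrected "anything but exactly US" class can be compared directly. The sample header values are made up; the two regexes are the ones quoted above.

```python
import re

# Added example, not from the thread. Both patterns are the ones posted above.

# The second attempt from the thread: a class that simply omits S and U, so
# any code containing either letter (UA, RU, ES, AU, ...) can never match.
PAT_OMIT_LETTERS = re.compile(r"\b[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}\b")

# The corrected version: first letter is not U, or second letter is not S,
# which is exactly "any two-letter code except US".
PAT_NOT_US = re.compile(r"\b(?:[A-TV-Z][A-Z]|[A-Z][A-RT-Z])\b")


def non_us_codes(header_value, pattern=PAT_NOT_US):
    """Codes in an X-Relay-Countries value that would make the rule fire.

    The pseudo-header is a space-separated list of two-letter codes, one per
    untrusted relay, in the order the RelayCountry plugin saw them.
    """
    return pattern.findall(header_value)


def relay_not_us(header_value, pattern=PAT_NOT_US):
    """Mirror of `header RELAY_NOT_US X-Relay-Countries =~ /.../`."""
    return pattern.search(header_value) is not None


# Constructed header values and what RELAY_NOT_US should say about each.
SAMPLES = {
    "US": False,
    "US US": False,
    "US UA": True,   # the case the thread says the old pattern misses
    "RU": True,
    "ES US": True,
    "CA": True,
    "XX": True,      # unknown country: both patterns treat it as non-US
}


def compare_patterns():
    """Map each sample to (old-pattern result, corrected-pattern result)."""
    return {
        value: (relay_not_us(value, PAT_OMIT_LETTERS), relay_not_us(value))
        for value in SAMPLES
    }


if __name__ == "__main__":
    for value, (old, new) in compare_patterns().items():
        print(f"{value!r:10} old={old!s:6} new={new!s:6} expected={SAMPLES[value]}")
```

The XX row is the caveat worth keeping in mind: the RelayCountry plugin emits XX when it cannot place an address in a country (the 3.4 report elsewhere on this page shows RELAY_COUNTRY_XX for exactly that reason), and both patterns count it as a foreign relay, so a meta built on RELAY_NOT_US inherits whatever staleness the GeoIP data has.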
Re: URIDNSBL: how to query certain lists only?
On 1/4/13 8:38 AM, Kris Deugau kdeu...@vianet.ca wrote: Alexandre Boyer wrote: Hi there, Why dont you perform those checks at the pre-data level, within postfix? Because you don't absolutely trust the DNSBL as a one-shot this-is-spam test, but you want to use its data to influence the spam/not-spam decision. And, uridnsbls look at body text for uris embedded inside the message, something that postfix doesn't do terribly well (which is why you need to test these sorts of things after normalizing the text, which SpamAssassin does very well..) The tack I would probably want to take would be to convince bind that the public domains are, in fact, local, and then allow the standard rules to query the public addresses, but respond to those queries from your local rbldnsd... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: latest rules
On 9/22/12 3:31 PM, James bjloc...@lockie.ca wrote:

Great thanks. I am lowering the required score to 3.

That is generally not a desirable practice.

If I still get spam, I will block everything and just use whitelisting.

I see that you have bayes enabled. You should train your bayes every now and again. You may want to look at a few spams and write a rule just for them. For example, we received a spam asking for a loan of a small amount of money. It scored about 3.5. I wrote the following:

body     __WORD_LOAN           /\bloan\b/
describe __WORD_LOAN           Describes a loan
body     __WORD_URGENT         /\burgent/
describe __WORD_URGENT         Something is urgent or urgently needed
meta     AE_SMALL_URGENT_LOAN  __FRAUD_DBI && __WORD_LOAN && __WORD_URGENT && __REPLY_FREEMAIL
describe AE_SMALL_URGENT_LOAN  urgent loan for a small dollar figure to freemail user
score    AE_SMALL_URGENT_LOAN  2.3

It's not the most elegant rule, but that's the real power of spamassassin - custom rules to kill off the spam.

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Spamassassin and SPF records with +all
On 7/11/12 3:45 PM, Martin Gregorie mar...@gregorie.org wrote: On Wed, 2012-07-11 at 21:34 +0200, Josef Karliak wrote: Good evening, within a few days we've spams from domains that has +all in the TXT spf record. All SPF can do is check that the sender has a valid IP for that domain, i.e. that the sender's domain wasn't forged. SPF cannot and should not be used to flag mail as spam if the sender is a legitimate member of the source domain. This is regardless of whether you think the mail as spam or ham. FWIW I think SPF's main use is in avoiding backscatter, I think the main use is to whitelist those correspondents who use it correctly. We've placed that in our bid documents - in order to win business with us, you have to use either DKIM or SPF to validate your e-mail conversations with us, and I will either create a whitelist_from_spf or whitelist_from_dkim line for that domain. I also specify in the bid documents that the use of +ALL and ~ALL is not permitted. If you are going to send us mail and have a whitelist entry, I want to know that you know where your mail is coming from. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
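An added example, not from the post: before handing a correspondent a whitelist_from_spf entry under the policy described above, check what their published record actually promises for hosts it does not name. The 'all' qualifier decides that, and redirect= has to be followed (the fedex.com record quoted earlier on this page is a redirect). The dictionary below stands in for DNS TXT lookups; apart from the fedex.com line, every record in it, including the redirect target, is constructed for the example.

```python
import re

# Added example, not from the thread. Offline stand-in for DNS TXT lookups.
# fedex.com is the record quoted earlier on this page; all other records,
# including the redirect target's contents, are constructed.
RECORDS = {
    "fedex.com": "v=spf1 redirect=_spf.infosec.fedex.com",
    "_spf.infosec.fedex.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
    "plusall.example": "v=spf1 mx include:_spf.hoster.example +all",
    "tilde.example": "v=spf1 a mx ~all",
    "bare.example": "v=spf1 ip4:192.0.2.10",
    "loop.example": "v=spf1 redirect=loop.example",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_REDIRECTS = 10  # RFC 7208 limits DNS-causing terms to 10 per evaluation


def fetch_spf(domain, records=RECORDS):
    """Return the v=spf1 record for domain, or None when there is none."""
    rec = records.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def default_result(domain, records=RECORDS, _depth=0):
    """Result for a sending host that matches none of the mechanisms.

    Returns pass/fail/softfail/neutral from the 'all' qualifier, 'none' when
    no record is published, 'permerror' when redirects never terminate.
    """
    if _depth > MAX_REDIRECTS:
        return "permerror"
    rec = fetch_spf(domain, records)
    if rec is None:
        return "none"
    redirect = None
    for term in rec.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            # 'all' ends evaluation; any redirect= in the record is ignored
            return QUALIFIER[m.group(1) or "+"]
        m = re.fullmatch(r"redirect=(\S+)", term, re.IGNORECASE)
        if m:
            redirect = m.group(1)
    if redirect:
        return default_result(redirect, records, _depth + 1)
    return "neutral"  # no 'all' and no redirect: RFC 7208 says neutral


def safe_to_whitelist(domain, records=RECORDS):
    """The bid-document test from the post: only a record that ends in a
    hard fail shows the owner knows where their mail comes from."""
    return default_result(domain, records) == "fail"
```

Anything other than "fail" (a +all, a ~all, a ?all, or a record with no 'all' at all) means the domain owner has left the door open, and a whitelist_from_spf entry for such a domain would pass whatever a spammer sends with that sender address.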
Re: FILL_THIS_FORM_LONG usage
On 5/18/12 9:20 AM, dhanushka ranasinghe parakrama1...@gmail.com wrote: Hi. What sort of spams are block by the FILL_THIS_FORM_LONG rule The ones that say you won the lottery or had an inheritance or someone wants to hand you cash, so just fill out this form with your details (including bank routing numbers) and that cash will just pop into your bank! Or the ones that say you are out of disk space or we think you've been hacked or we just upgraded everything and we will make it all better if you just confirm your username and password (and credit card number) Thank You -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: updates
On 4/12/12 6:22 AM, Kevin A. McGrail kmcgr...@pccc.com wrote: Updates are not publishing because of a lack of corpora to test the rules against. Sorry, known issue. Can you remind me how far below the threshold we are for corpora? If I hand qualify another couple of thousand hams or so would that be significant? Or is our deficit significantly larger than that? Regards, KAM joea j...@j4computers.com wrote: when running sa-update in debug, always end up with this: channel: current version is 895075, new version is 895075, skipping channel Are there no updates, or am I misconfigured for rules updates?
Re: URIBL_DBL_REDIR
I have such a meta (I've been querying URIBL_DBL for some time). Out of 140 hits on the meta, only about 14 pushed the spam over from flagged to quarantined this week. I checked through many of them and each sample looked like obnoxious spam. On 12/28/11 10:51 AM, Ned Slider n...@unixmail.co.uk wrote: Hi List, I noticed the recent addition of URIBL_DBL_REDIR hitting on a few spams: 25_uribl.cf:urirhssub URIBL_DBL_REDIR dbl.spamhaus.org. A 127.0.1.3 25_uribl.cf:bodyURIBL_DBL_REDIR eval:check_uridnsbl('URIBL_DBL_REDIRECTOR') 25_uribl.cf:describeURIBL_DBL_REDIR Contains a URL listed in the DBL as a spammed redirector domain Nice. I just wondered if someone would like to look at a meta rule with FREEMAIL_FROM as that's hitting a lot of spam here, although I don't see too much (non-ML) legit freemail so I don't know how much ham it might hit for others (hence the request).
Re: DNSWL will be disabled by default as of tomorrow
On 12/13/11 8:09 AM, Martin Gregorie mar...@gregorie.org wrote: On Tue, 2011-12-13 at 13:52 +0100, Axb wrote: On 2011-12-13 13:44, Kevin A. McGrail wrote: If a list is down or unresponsive for any reason, discards requests or blanks their zone file, the test entry would fail and SA would know to not use the list. Similarly, 127.0.0.1 should never be listed for any DNSBL that I'm aware of, and so when a list moves to a list-the-world configuration, this entry would spot it. Unfortunately, 1 is a bitwise answer I've seen it used. In fact, just checking real quick, I've got an RBL that uses 1 on a live server now. At the risk of exposing my ignorance, I had a thought. Since the entire 127/8 is reserved for loopback, nothing in the 127.0.0/24 block should be used as addresses. So, what is preventing RBLs and RWLs from using the third octet as a status indicator? It seems to me that the 4th octet can be used as at present as a query response which would by convention be a valid response if the 3rd octet is zero. I have in the past seen at least one DNSBL that used the 3rd octet, as they had more than 8 lists in a multi-configuration. I don't recall which one it was... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
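An added example, not from the thread: the two-entry health check discussed above, plus decoding of the third and fourth octets of an answer, written as Python against a constructed answer table. The zone names and answers are made up; a real deployment would send the same queries to the local recursive resolver.

```python
import ipaddress

# Added example, not from the thread. Zone names and answers are constructed.
ANSWERS = {
    # good.example: healthy. Test entry listed, 127.0.0.1 not listed.
    "2.0.0.127.good.example": ["127.0.0.2"],
    "4.3.2.1.good.example": ["127.0.0.6"],        # octet 4 = 0b110: bits 2 and 4
    # world.example: a list that has started answering for every name.
    "2.0.0.127.world.example": ["127.0.0.2"],
    "1.0.0.127.world.example": ["127.0.0.2"],
    "4.3.2.1.world.example": ["127.0.0.2"],
    # multi.example: third octet selects a sub-list (as one DNSBL in the
    # thread did), fourth octet is a bitmask within that sub-list.
    "2.0.0.127.multi.example": ["127.0.0.2"],
    "4.3.2.1.multi.example": ["127.0.9.3"],
    # dead.example: no entries at all, so even the test point is NXDOMAIN.
}


def lookup(name):
    """Stand-in resolver: list of A records, empty list meaning NXDOMAIN."""
    return ANSWERS.get(name, [])


def query(zone, ip, resolve=lookup):
    """Reverse the octets and query <reversed-ip>.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return resolve(".".join(reversed(octets)) + "." + zone)


def check_list(zone, resolve=lookup):
    """The health check proposed above (the RFC 5782 convention):
    127.0.0.2 must be listed and 127.0.0.1 must never be."""
    if not query(zone, "127.0.0.2", resolve):
        return "down"
    if query(zone, "127.0.0.1", resolve):
        return "lists-the-world"
    return "ok"


def decode_answer(addr):
    """Split a 127.x.y.z answer into (sub-list from octet 3, set bits of octet 4).

    Returns None for anything outside 127/8, for instance a public address
    injected by a resolver that rewrites NXDOMAIN.
    """
    a = ipaddress.IPv4Address(addr)
    if a not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    o = a.packed
    return o[2], {1 << i for i in range(8) if o[3] & (1 << i)}


def lookup_ip(zone, ip, resolve=lookup):
    """Consult a list only if it passes the health check. None means
    'do not score on this list right now'; [] means not listed."""
    if check_list(zone, resolve) != "ok":
        return None
    return [decode_answer(a) for a in query(zone, ip, resolve)]
```

The caveat is the one raised above: a list that genuinely uses 127.0.0.1 as a bit-1 return code would be reported as lists-the-world by this check, so the two sentinel addresses have to be per-list settings rather than a single global convention.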
Re: DNSWL will be disabled by default as of tomorrow
On 12/12/11 12:03 PM, Jeremy McSpadden jer...@fluxlabs.net wrote:

Thank you! I raised this question a few months ago and was in awe that it was enabled by default. It has caused quite a few issues that i've seen around the ML. They should return a different value than a negative score.

Can I ask you a fairly blunt question? What action could they have taken that would have caused you to notice that you were engaging in abusive misuse of their service by continuing to forward your requests through google? I'm quite serious. DNSBLs have this problem of never being able to get rid of the queries from sources that appear to be abusive. What can be done so that a part-time admin will take notice and fix their equipment? A log message? Special header in every e-mail? Change the subject line to "you have Spamassassin integrated wrong!"? Or a visit from Guido and some of the boys, trying to make an offer you can't refuse?

In this case, they moved you to action by causing your customers some grief. That made you look into the issue, get guidance that you really need to run a local recursive caching DNS server in order to get clear answers from DNSBLs, and then I imagine you fixed the problem. How else could they have let you know?

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281

Very bad design.

On Dec 12, 2011, at 11:58 AM, dar...@chaosreigns.com wrote:

Tomorrow's sa-update will include disabling of the DNSWL rules. If you wish to locally enable them with the same scores which had previously been
Re: What is the best RBL list?
On 11/28/11 12:55 PM, dar...@chaosreigns.com wrote:

On 11/28, Sergio wrote:

in your opinion, what will be the best RBL Anti Spam list that could not be left out of a server, paid or free?

All the best known RBLs are enabled in spamassassin by default. If there are better blocklists that are not used by spamassassin, please open a bug to have it evaluated. Even if the data is not freely available, it would be useful to list on the spamassassin wiki.

The best RBLs for getting rid of snow-shoe spammers are from Invaluement, but it is available by subscription only. I don't know if Rob McEwen r...@invaluement.com has any interest in running it through GA...

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: proper rule writing for N
On 10/21/11 11:21 AM, Bowie Bailey bowie_bai...@buc.com wrote:

On 10/21/2011 12:16 PM, Bret Miller wrote:

You could say header __LOCAL_MAILENGINE ALL =~ /mailengine.+\.com/i

Indeterminate length matches are almost never good. How about something like:

header __LOCAL_MAILENGINE ALL =~ /\bmailengine[[:alnum:]]{1,3}?\.com/i

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Bayes Poisoning
One of my users submitted a spam for analysis, and I was amazed at the efforts this troglodyte expended to poison bayes. Is it worth the effort to try to find huge html comments hiding junk like this? Maybe something like

rawbody  OBFU_HTML_LONG_COMMENT  /<!--.{1024,}?-->/
describe OBFU_HTML_LONG_COMMENT  contains a ridiculously long html comment

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Bayes Poisoning
On 10/18/11 12:12 PM, Karsten Bräckelmann guent...@rudersport.de wrote: On Tue, 2011-10-18 at 07:53 -0500, Daniel McDonald wrote: One of my users submitted a spam for analysis, and I was amazed at the efforts this troglodyte expended to poison bayes. Is it worth the effort to try to find huge html comments hiding junk like this? Hmm, wait -- Bayes and HTML comments in the same thought. Are you trying to imply the malicious Bayes tokens are inside the comment? While this kind of attack might work with other Bayesian Classifier implementations out there, it does NOT fool SA. The (body) Bayes tokens SA uses are gathered from the *rendered* body text. All HTML dropped, including comments. Fair enough. I see that the url's in this message have been picked up by invaluement and razor, so we probably have enough points to toss it in the quarantine now anyway. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
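An added example, not SpamAssassin's tokenizer and not from the thread: a minimal rendered-text extraction in Python that shows why words stuffed into an HTML comment never become classifier tokens, alongside the long-comment measurement the rawbody rule proposed above would need. The HTML message is a constructed sample.

```python
import re
from html.parser import HTMLParser

# Added example, not from the thread and not SA's own code. Constructed
# sample: a delivery-notice phish with a comment full of ham-looking words.
SAMPLE = """<html><body>
<p>Your package could not be delivered. Print the attached label.</p>
<!-- quarterly minutes agenda committee budget invoice regards thanks meeting
     sincerely project schedule review attached spreadsheet -->
<p><a href="http://example.com/label">Download label</a></p>
<script>document.title = "label";</script>
</body></html>"""


class Renderer(HTMLParser):
    """Keep only text a reader sees; drop tags, comments, script and style."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.comments = []
        self._hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.parts.append(data)

    def handle_comment(self, data):
        # Recorded for the long-comment rule; never added to rendered text.
        self.comments.append(data)


def _parse(html):
    r = Renderer()
    r.feed(html)
    r.close()
    return r


def render(html):
    """Rendered body text with whitespace collapsed."""
    return " ".join(" ".join(_parse(html).parts).split())


def tokens(text):
    """Crude word tokens (lowercase, 3+ letters) standing in for Bayes tokens."""
    return set(re.findall(r"[a-z][a-z']{2,}", text.lower()))


def bayes_tokens(html):
    """What a classifier fed the rendered text would see for this message."""
    return tokens(render(html))


def longest_comment(html):
    """Length of the longest HTML comment, for a rule like the one proposed."""
    return max((len(c) for c in _parse(html).comments), default=0)


def has_long_comment(html, threshold=1024):
    return longest_comment(html) >= threshold
```

Running tokens() on the raw HTML instead of render() shows the difference: the comment words are all there in the raw source, which is why the attack works against classifiers that tokenize the unrendered body.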
Re: Blacklisting based on SPF
On 10/10/11 9:00 AM, Marc Perkel supp...@junkemailfilter.com wrote: On 10/7/2011 12:50 AM, Benny Pedersen wrote: On 7 Oct 2011 00:28:49 -, John Levine wrote: Nobody with any interest in delivering the mail that their users want. The error rate is much, much too high. how ? All forwarded email would fail SPF testing. You would be blocking all hosted spam filtering services for example. then you aren't doing it right. If the hosted filtering is egress, then the address ranges of your egress filter provider should be in your SPF statement. If the hosted filtering is ingress, then the address ranges of your ingress filter provider should be in your trusted-networks, so that spf will look at the last-untrusted address for the source. Mail-lists running on sane software will change the envelope address, so there is no problem there. So, what other bizarre corner cases are you talking about that break SPF? -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Blacklisting based on SPF
On 10/7/11 3:49 AM, Julian Yap julianok...@gmail.com wrote:

On Thu, Oct 6, 2011 at 3:09 PM, David F. Skoll d...@roaringpenguin.com wrote:

On 7 Oct 2011 00:28:49 - John Levine jo...@taugh.com wrote:

Does anyone blacklist based on SPF?

Nobody with any interest in delivering the mail that their users want. The error rate is much, much too high.

It depends. I very confidently blacklist mail from roaringpenguin.com that fails to pass SPF. That's my own domain, of course.

What do your rules look like for this scenario?

Something like this Unverified Yahoo rule I shamelessly stole from Mark Martinec:

header __L_ML1        Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2        exists:List-Id
header __L_ML3        exists:List-Post
header __L_ML4        exists:Mailing-List
header __L_HAS_SNDR   exists:Sender
meta   __L_VIA_ML     __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR

header __L_FROM_Y1    From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2    From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3    From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
header __L_FROM_Y4    From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta   __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4

header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i

meta     L_UNVERIFIED_YAHOO  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO  500
score    L_UNVERIFIED_YAHOO  2.5

meta     L_UNVERIFIED_GMAIL  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL  500
score    L_UNVERIFIED_GMAIL  2.5

It would be nice to have a construct like blacklist_unless_spf or blacklist_unless_auth that did all of this for me...

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
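An added example, not from the thread: the unverified-sender pattern above adapted to the PayPal question earlier on this page, and to the single-domain "blacklist unless authenticated" construct wished for here, written as SpamAssassin rules. It assumes the __L_VIA_ML meta from the rules above is already loaded and that DKIM and SPF plugins are enabled; the L_ rule names, the example.com placeholder domain and the scores are all choices made for this example, not anything the thread specifies.

```conf
# Added example, not from the thread. Assumes __L_VIA_ML (above) is loaded.

# PayPal: the From: address ends in paypal.com or any subdomain of it.
header   __L_FROM_PAYPAL      From:addr =~ m{\@(?:[a-z0-9-]+\.)*paypal\.com$}i

# Claims to be PayPal, carries no valid signature for the author domain, and
# did not pass through a mailing list (which legitimately breaks signatures).
meta     L_UNVERIFIED_PAYPAL  __L_FROM_PAYPAL && !DKIM_VALID_AU && !__L_VIA_ML
describe L_UNVERIFIED_PAYPAL  From paypal.com without a valid author-domain DKIM signature
priority L_UNVERIFIED_PAYPAL  500
score    L_UNVERIFIED_PAYPAL  4.0

# The "blacklist_unless_auth" construct for one correspondent domain: accept
# either an aligned DKIM signature or an SPF pass as proof of origin.
# example.com is a placeholder; pick a domain whose owner publishes -all.
header   __L_FROM_AUTHDOM     From:addr =~ m{\@example\.com$}i
meta     L_AUTHDOM_UNAUTH     __L_FROM_AUTHDOM && !DKIM_VALID_AU && !SPF_PASS && !__L_VIA_ML
describe L_AUTHDOM_UNAUTH     Mail claiming example.com with neither DKIM nor SPF proof
priority L_AUTHDOM_UNAUTH     500
score    L_AUTHDOM_UNAUTH     6.0

# The other half of the policy: mail from that domain which does authenticate
# is whitelisted outright.
whitelist_from_dkim  *@example.com
whitelist_from_spf   *@example.com
```

The mailing-list exemption matters for both rules: a list that rewrites the body breaks the DKIM signature and a list that forwards with its own envelope breaks SPF, so without !__L_VIA_ML the rules would hit every list post from those domains.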
Re: Your mailbox has exceeded...
On 10/1/11 2:04 AM, Benny Pedersen m...@junc.org wrote: On Fri, 30 Sep 2011 14:44:23 -0500, Daniel McDonald wrote: Someone ran a beta ADDRBL back in 2009. I still have the code and run a couple of private EmailBL lists. cool want to share lists ? I don't think I can, based on from where I received the data. I haven't maintained it in a long while. i did test it, but gave up on maintaining it self -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Your mailbox has exceeded...
On 9/30/11 2:21 PM, David F. Skoll d...@roaringpenguin.com wrote:

On Fri, 30 Sep 2011 12:17:42 -0700 (PDT) John Hardin jhar...@impsec.org wrote:

There'd need to be a plugin that would extract from, reply-to, and embedded email addresses, plus someone to host a DNS domain for checking them. Has anybody already done any ADDRBL work?

Our (commercial) system has code for this, but we distribute the whole list rather than using an ADDRBL. But an ADDRBL is an interesting idea.

Someone ran a beta ADDRBL back in 2009. I still have the code and run a couple of private EmailBL lists.

### Changelog:
#
# 0.16 - first public version
# 0.17 - fix a href= mail search on 3.3, make mailto: optional in beginning
# 0.18 - fix last in parsed uris
# 0.19 - perl 5.12 fix (defined @$emails)
#
### Blah:
#
# Author: Henrik Krohns s...@hege.li
# Copyright 2009 Henrik Krohns
#

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Latest sa-update crashing sa-compile?
I just noticed that my cron-job for sa-update/sa-compile has crashed over the weekend. Spamassassin lints fine, but sa-compile fails:

Aug 15 08:59:42.970 [469] info: generic: base extraction starting. this can take a while...
Aug 15 08:59:42.970 [469] info: generic: extracting from rules of type body_0
100% [===] 300.45 rules/sec 00m05s DONE
100% [===] 92.85 bases/sec 00m36s DONE
Aug 15 09:00:25.846 [469] info: body_0: 1838 base strings extracted in 43 seconds
cd /tmp/.spamassassin469X5iW4Ytmp
cd Mail-SpamAssassin-CompiledRegexps-body_0
re2c -i -b -o scanner1.c scanner1.re
re2c -i -b -o scanner2.c scanner2.re
re2c: error: line 194, column 2: unterminated string constant (missing ")
command failed: exit 1

Any ideas where to look? I'm using the following channels: updates.spamassassin.org sought.rules.yerp.org
Re: Latest sa-update crashing sa-compile?
On 8/15/11 9:15 AM, Michael Scheidell michael.scheid...@secnap.com wrote:

On 8/15/11 10:13 AM, Michael Scheidell wrote:

On 8/15/11 10:07 AM, Daniel McDonald wrote:

mine too. running sa-update again (just now) picks up a new build. interesting, spamassassin --lint didn't pick anything up. also note, 'scanner2.c' is a blank file, 0 bytes

didn't help: (tz is CEST) you also use sought_rules?

Yes, I download the sought.rules.yerp.org channel.

sa-compile
Aug 15 16:11:10.524 [56726] info: generic: base extraction starting. this can take a while...
Aug 15 16:11:10.525 [56726] info: generic: extracting from rules of type body_0
100% [===] 7379.18 rules/sec 00m00s DONE
100% [===] 57.19 bases/sec 02m18s DONE
Aug 15 16:13:29.565 [56726] info: body_0: 5403 base strings extracted in 139 seconds
cd /tmp/.spamassassin56726Bqzzg8tmp
cd Mail-SpamAssassin-CompiledRegexps-body_0
re2c -i -b -o scanner1.c scanner1.re
re2c -i -b -o scanner2.c scanner2.re
re2c: error: line 172, column 2: unterminated string constant (missing ")
command failed: exit 1
Uuencoded message detected as UNWANTED_LANGUAGE_BODY
We got a false positive recently of a message containing only a uuencoded attachment being detected as UNWANTED_LANGUAGE_BODY. The message doesn't have a Content-type: header or an Encoding: header. The message part has one blank line and then:

begin 644 new_lp_report.csv
M4D503U)41$%412Q-151%4DE$+$%$1%)%4U,L0TY2051%+$))3$Q)3D=#64-,
M12Q,4$9215%514Y#62Q,4$E.5$525D%,+$584$5#5$5$24Y415)604Q#3U5.
.

I wasn't able to find the code in spamassassin that detects uuencoding. Can someone point me in the correct direction so that I can figure out why TextCat is considering this as body text rather than an attachment?

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
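An added example, not SpamAssassin's code and not an answer to where SA handles this: how a bare uuencoded block in a non-MIME body can be split off from the text before any language detection runs, so that the attachment is not fed to TextCat as prose. The CSV bytes are constructed; only the filename is taken from the message above.

```python
import binascii
import re

# Added example, not SpamAssassin code. The filename is the one from the
# message above; the CSV content is constructed.
SAMPLE_CSV = (
    b"REPORTDATE,METERID,ADDRESS,CNRATE,BILLINGCYCLE\n"
    b"2011-08-01,12345,1 Main St,0.12,31\n"
)

BEGIN_RE = re.compile(r"^begin [0-7]{3,4} (\S+)$")


def uuencode(data, name, mode="644"):
    """Classic uuencode: 'begin' line, 45-byte data lines, a '`' line, 'end'."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        chunk = data[i:i + 45]
        lines.append(binascii.b2a_uu(chunk, backtick=True).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def split_uuencoded(body):
    """Return (text_for_language_detection, [(filename, bytes), ...]).

    Lines between 'begin' and 'end' are decoded and removed from the text.
    A block that does not decode cleanly is left in the text untouched, so a
    malformed or truncated block is never silently dropped.
    """
    lines = body.splitlines()
    text, attachments = [], []
    i = 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            text.append(lines[i])
            i += 1
            continue
        start, name, chunks = i, m.group(1), []
        i += 1
        try:
            while i < len(lines) and lines[i] != "end":
                chunks.append(binascii.a2b_uu(lines[i]))
                i += 1
            if i >= len(lines):
                raise binascii.Error("missing end line")
            i += 1  # consume the "end" line
            attachments.append((name, b"".join(chunks)))
        except binascii.Error:
            text.extend(lines[start:i])  # not uuencode after all: keep as text
    return "\n".join(text), attachments


def text_only(body):
    """What a TextCat-style language check should be given."""
    return split_uuencoded(body)[0]
```

For the message described above, text_only() returns nothing but the blank line, which is the correct outcome: there is no prose to classify, so UNWANTED_LANGUAGE_BODY has nothing to fire on.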
Re: RP_MATCHES_RCVD
On 7/28/11 9:48 AM, Mike Grau m.g...@kcc.state.ks.us wrote: On 07/28/2011 09:28 AM the voices made RW write: There seems to be a consensus that SPF and DKIM passes aren't worth significant scores. So how is it that RP_MATCHES_RCVD scores -1.2 when it's just a circumstantial version of what SPF does explicitly? For me it's hitting more spam than ham, and what's worse, it's mostly hitting low-scoring freemail spam. Is it just me that's seeing this, or is there maybe some kind of bias in the test corpora? +1 RP_MATCHES_RCVD hits tons of (snowshoe?) spam here. Different senders, different IPs, but often the same /16 or /24 networks. I had some local meta rules that used T_RP_MATCHES_RCVD, but evidently the name was changed to RP_MATCHES_RCVD and the spam started flying in. I see a lot of messages hitting RP_MATCHES_RCVD that also hit one of the Invaluement rbls. Invaluement primarily targets snowshoe spammers.

$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
41618
$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
55033

So I have also changed the score to 0.01 -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RP_MATCHES_RCVD
On 7/28/11 11:47 AM, John Hardin jhar...@impsec.org wrote: On Thu, 28 Jul 2011, Daniel McDonald wrote: I see a lot of messages hitting RP_MATCHES_RCVD that also hit one of the Invaluement rbls. Invaluement primarily targets snowshoe spammers.

$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
41618
$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
55033

So I have also changed the score to 0.01 Dan, your last masscheck only had 6 spam hits for that rule... http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail That's my home mail, not $DAYJOB... Care to drop a few thousand of those into your corpus? :) I might be able to figure out a way to extract them from quarantine. But they haven't been hand-checked. I've got 33,084 of them that hit RP_MATCHES_RCVD and an Invaluement list that are in this week's quarantine. I'll see what I can do... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Stupid questions V 2.0
On 6/27/11 1:53 AM, spixx_ spixxro...@gmail.com wrote: Thank you! This was what I was looking for! rawbody Not certain why you are using rawbody. I might suggest you use subtests and tflags multiple. E.g.:

body __GREEN_LIAISON1 /\b(?:proprietary|information|technology|renewables|alternative)\b/i
describe __GREEN_LIAISON1 Remove the emails with green tech spies
tflags __GREEN_LIAISON1 multiple
body __GREEN_LIAISON2 /\b(?:Positive|relationship|international|institutions)\b/i
describe __GREEN_LIAISON2 Remove the emails with green tech spies
tflags __GREEN_LIAISON2 multiple
header __GREEN_LIAISON3 Subject =~ /\b(?:Green|renewables|technology|liaison)\b/i
describe __GREEN_LIAISON3 Checking the header for more of the same
tflags __GREEN_LIAISON3 multiple
meta GREEN_LIAISON (__GREEN_LIAISON1 > 2) && (__GREEN_LIAISON2 > 2) && (__GREEN_LIAISON3 > 1)
describe GREEN_LIAISON Contains a lot of words found in green tech scams

Not sure but I have to say that there is room for a good Howto on this topic. I will try and push myself to learn more and then try and make one for us dummies :) A howto on writing rules? Or on perl regular expressions in general? If you just want to understand perl regular expressions, there is no better place to start than perldoc perlretut -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
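What tflags multiple buys the meta rule, as an added Python example (not code from the post): the three sub-rules are counted with findall and compared against the thresholds, and the same evaluation is then run with every sub-rule capped at one hit, which is how a rule without multiple behaves. The comparison is taken as "greater than", and the subject lines and bodies are constructed.

```python
import re

# Sub-rules from the post. SpamAssassin's "tflags multiple" lets a rule
# hit once per occurrence; re.findall gives the same count here.
BODY_RULES = {
    "__GREEN_LIAISON1": re.compile(
        r"\b(?:proprietary|information|technology|renewables|alternative)\b", re.I),
    "__GREEN_LIAISON2": re.compile(
        r"\b(?:Positive|relationship|international|institutions)\b", re.I),
}
SUBJECT_RULES = {
    "__GREEN_LIAISON3": re.compile(
        r"\b(?:Green|renewables|technology|liaison)\b", re.I),
}
# Meta thresholds; each count must be greater than its threshold
# (assumed reading of the posted meta).
THRESHOLDS = {"__GREEN_LIAISON1": 2, "__GREEN_LIAISON2": 2, "__GREEN_LIAISON3": 1}


def count_hits(subject, body, multiple=True):
    """Hit count per sub-rule. With multiple=False each rule is capped at
    one hit, the behaviour of a rule that lacks 'tflags multiple'."""
    counts = {}
    for name, rx in BODY_RULES.items():
        counts[name] = len(rx.findall(body))
    for name, rx in SUBJECT_RULES.items():
        counts[name] = len(rx.findall(subject))
    if not multiple:
        counts = {name: min(n, 1) for name, n in counts.items()}
    return counts


def green_liaison(subject, body, multiple=True):
    """The meta rule: every sub-rule count must exceed its threshold."""
    counts = count_hits(subject, body, multiple)
    return all(counts[name] > limit for name, limit in THRESHOLDS.items())


# Constructed samples: a pitch stuffed with the listed words, and an
# ordinary work mail that happens to use two of them.
SPAM_SUBJECT = "Green technology liaison - renewables"
SPAM_BODY = (
    "Our proprietary renewables technology is an alternative to conventional "
    "information systems. We seek a positive relationship with international "
    "institutions and a positive relationship with private investors."
)
HAM_SUBJECT = "Re: technology roadmap"
HAM_BODY = "The information in the attached roadmap covers our technology plans."

if __name__ == "__main__":
    for label, subj, body in (("spam", SPAM_SUBJECT, SPAM_BODY),
                              ("ham", HAM_SUBJECT, HAM_BODY)):
        print(label, count_hits(subj, body),
              "multiple:", green_liaison(subj, body),
              "single:", green_liaison(subj, body, multiple=False))
```

With the caps in place the thresholds of 2 can never be exceeded, so the meta is dead code without multiple; with counting on, the sample pitch clears all three thresholds while the roadmap mail stays at two body hits and one subject hit.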
Re: Regression in 3.3.2?
On 6/25/11 10:23 AM, Henrik K h...@hege.li wrote: On Fri, Jun 24, 2011 at 03:17:28PM -0500, Daniel McDonald wrote: However, the webmail client is ignored in 3.3.2:

Jun 24 14:37:29.686 [23089] dbg: received-header: ignored SquirrelMail injection: 41.206.11.5 (SquirrelMail authenticated user irivetti) by webmail.unisalento.it with HTTP

Leaving only Italy in the X-Relay-Countries header:

Jun 24 14:37:29.689 [23089] dbg: metadata: X-Relay-Countries: IT ** ** IT

If RelayCountry.pm is relying on Received.pm, I don't think we want to ignore the ultimate web-mail source, as that tends to be a pretty good indication of spamminess. A simple search in the sources says that the change was implemented in 2004. https://issues.apache.org/SpamAssassin/show_bug.cgi?id=3236 Comparing with version 3.3.0 (which I happen to have around) I see all of the countries parsed. I haven't upgraded the database for IP::Country::Fast on this box in a while:

Jun 24 15:08:18.568 [17813] dbg: metadata: X-Relay-Countries: ** ** ** IT ** ** IT

It didn't parse the SquirrelMail either, I see. My other box has different internal networks defined, thus the three new internal addresses that were parsed. which is Nigerian. ip2cc claims Nigerian, but Whois suggests it is Mauritanian. In either case, it is SPAM... But I agree that the reasons for ignoring the header seem ridiculous today. I suggest opening a new bug to discuss it. I found https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6549 which appears to cover the same issue. I added a proposed patch. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Regression in 3.3.2?
I just upgraded my production spam filter to 3.3.2, and came across an interesting false negative. The mail is an unremarkable 419 scam, that originated from a web-café in Nigeria or Mauritius, using an Italian ISP as the relay. I've seen a lot of these in the past, and have a rule to catch them, using RelayCountry.pm. I've defined individual rules for many of the countries, such as:

header RELAY_NG X-Relay-Countries =~ /\bNG\b/
describe RELAY_NG Relayed through Nigeria
score RELAY_NG 2.0

And then I have a couple of meta rules that identify spammy behavior:

meta __RELAY_AF (RELAY_GH || RELAY_NG || RELAY_BJ || RELAY_BF || RELAY_MZ || RELAY_ZA || RELAY_CI || RELAY_SN || RELAY_MU)
meta RELAY_EU_AF (RELAY_IT || RELAY_DE) && (__RELAY_AF)
describe RELAY_EU_AF relayed through Europe from a country in Africa
score RELAY_EU_AF 1.5
meta AE_AF_FRAUD LOTS_OF_MONEY && (__RELAY_AF)
describe AE_AF_FRAUD Talks about lots of money from countries with lots of scams
score AE_AF_FRAUD 2.0

However, the webmail client is ignored in 3.3.2:

Jun 24 14:37:29.686 [23089] dbg: received-header: ignored SquirrelMail injection: 41.206.11.5 (SquirrelMail authenticated user irivetti) by webmail.unisalento.it with HTTP

Leaving only Italy in the X-Relay-Countries header:

Jun 24 14:37:29.689 [23089] dbg: metadata: X-Relay-Countries: IT ** ** IT

If RelayCountry.pm is relying on Received.pm, I don't think we want to ignore the ultimate web-mail source, as that tends to be a pretty good indication of spamminess. Comparing with version 3.3.0 (which I happen to have around) I see all of the countries parsed. I haven't upgraded the database for IP::Country::Fast on this box in a while:

Jun 24 15:08:18.568 [17813] dbg: metadata: X-Relay-Countries: ** ** ** IT ** ** IT

Full message with headers available at http://pastebin.com/fEvZ1PUX This message probably should have hit some freemail.pm rules as well. I'll probably need to add live.co.uk in locally -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: FRT_SOMA: what does it mean?
On 6/10/11 8:53 AM, Alessandro Dentella san...@e-den.it wrote: Hi, I see some mail are hit by FRT_SOMA rule that I see is defined as:

##{ FRT_SOMA
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_SOMA /post P2\b(?!soma|500mg)SXOMA\b/i
describe FRT_SOMA ReplaceTags: Soma
endif
##} FRT_SOMA

that I cannot frankly understand: what is it all about? It looks like an obfuscated pill-spam, selling a popular prescription sleep aid. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Rule dependency problems with v3.3.2-r929478
On 5/21/11 8:52 PM, Alex mysqlstud...@gmail.com wrote: Hi, I'm also using a few of John's rules, including the advance_fee, fillform, and lotsa_money. I think some of his rules reference the missing khop rules. When trying to lint the rules, I receive the following: ADVANCE_FEE_2_NEW_FORM has undefined dependency '__HDRS_LCASE' That's in my sandbox so you shouldn't be getting dependency problems with it. It's in 20_misc_testing.cf. I wasn't sure if that was safe for production? Are these perhaps old rules that I shouldn't be using? All of those are subrules in the current trunk sandbox. They shouldn't be generating dependency problems. Is there a method for separating the experimental rules from those that are relatively safe to use in production? Nightly masschecks. Apparently we are short on recent SPAM, so the rules are not being auto-promoted. If you have a good collection of hand-graded SPAM, you should get set up to submit nightly masschecks so that we can auto-promote the good rules. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RelayCountry Plugin
On 5/19/11 7:55 PM, Rapitharian rapithar...@hotmail.com wrote: RW-15 Can you help me some? I am not even a novice in writing/reading regular expressions. What is this doing?

X-Relay-Countries =~ /^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/

Start at the beginning of the line. Match zero or more non-alpha characters, followed by GB or US. Follow that with zero or more non-alpha characters. Match the previous pattern 1 or more times. Follow with the end of a line. Since the non-alpha characters will always be a single space, and there is never a space in the first column, this would be more easily written as:

/^(?:(?:GB|US)\s?)+$/

But there are two special cases that need to be considered: XX - private address space; ** - addresses unassigned at the time the cc.gif file was last updated. So, you may want to add those countries into the inner match... Note that ** would need to be escaped as \*\* -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RelayCountry Plugin
On 5/20/11 4:58 PM, RW rwmailli...@googlemail.com wrote: BTW does anyone know if there's a way to get the FreeBSD p5-IP-Country port to update its database. I just noticed it's nearly two years old. The scripts to update it are in the source tarball for IP-Country, in the dbmScripts subdirectory. I just ran that on one of my systems this week. I try to remember to do it monthly. In fact, I also opened a bug with Mandriva asking that they provide the update scripts in a package: https://qa.mandriva.com/show_bug.cgi?id=63332 -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RelayCountry Plugin
On 5/19/11 8:07 AM, RW rwmailli...@googlemail.com wrote: On Thu, 19 May 2011 08:15:00 +0200 John Wilcock j...@tradoc.fr wrote: On 19/05/2011 04:46, John Hardin wrote: Sure. Well, not a _single_ rule, but you can achieve what you want...

header RELAYCOUNTRY_GOOD X-Relay-Countries =~ /(?:US|CA|FR)/
describe RELAYCOUNTRY_GOOD Relayed through trusted country
score RELAYCOUNTRY_GOOD -1.00

That could be simplified:

header __RELAYCOUNTRY_GOOD X-Relay-Countries =~ /(?:US|CA|FR)/
meta RELAYCOUNTRY_NOTGOOD __HAS_RCVD && !__RELAYCOUNTRY_GOOD

[except of course that you might find some legit French senders, for example, relaying via servers elsewhere in Europe, so the list of good countries might need to be a bit longer than you initially think] Also, newly allocated space is listed as XX until you update the database. I try to do that every month or so (I used to do it right after updating my bogon list in bind, but now that the bogon list is static I need another reminder...) In the IP-Country tarball, there is a dbmScripts directory that contains the necessary items to update the databases. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: EL5 and EL6 Packages of spamassassin-3.3.2-rc1
On 5/16/11 11:57 PM, Warren Togami Jr. wtog...@gmail.com wrote: http://people.apache.org/~wtogami/rpm/3.3.2-rc1/ I made test packages for EL5 and EL6. I began using both in production just now with no apparent ill effects. We need more people to test this and provide feedback. I've been running since Sunday on Mandriva 2010.2. It has perl 5.10. No problems. srpm packages or 64-bit rpm packages available upon request. Warren On 05/14/2011 10:34 PM, Warren Togami Jr. wrote: Hey folks, This is an UNRELEASED CANDIDATE of spamassassin-3.3.2-rc1. It would be helpful for folks to test it and provide feedback. Don't worry about the rules tarball, because the real rules you get from running sa-update the first time. http://people.apache.org/~wtogami/devel/3.3.2-rc1/

sha1sum of archive files:
191fc4548c7619e11127ef04714be19741122ea9 Mail-SpamAssassin-3.3.2-rc1.tar.bz2
813b2adb7ab15f6ddc34c9de7fc10e0f9b7b28cd Mail-SpamAssassin-3.3.2-rc1.tar.gz
23bee590d0e4ec5f11936bc931fb73211970966a Mail-SpamAssassin-3.3.2-rc1.zip
9e20dd49fbbb1bf1ff4d171ac3531b53ba7c9dfd Mail-SpamAssassin-rules-3.3.2-rc1.r1083704.tgz

GPG signatures available at the above URL. WARNING: I did not test this in production. Warren Togami war...@togami.com -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: whitelist
On 4/18/11 1:44 PM, Sergei ser...@publicschoolworks.com wrote: Hello everybody, I can't figure out why even after I put an address into a whitelist (whitelist_from), it's still marked as SPAM. Sorry if this is a common question. Would be grateful for any suggestions.

The simple suggestions:
1. Are you certain your whitelist matches the envelope sender address?
2. Did you restart spamd/amavisd/whatever daemonized process was running after updating the rules?

The usual suggestions:
1. Whitelist_from is very dangerous, because it is so easy to spoof. You should use whitelist_from_dkim, whitelist_from_spf, or whitelist_from_received (in descending order of trust) instead.

Thanks, Sergei -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Hijacked email accounts
On 4/4/11 11:03 AM, David wiki.apache@spam.lublink.net wrote: Hello, Yahoo doesn't do SPF, and hotmail is still ~all. The emails to which I refer were sent by email accounts stolen by viruses on computers running Windows. The virus steals the password, and sends it to the spammer who then uses the account to send out spam. So the emails are coming from Hotmail and Yahoo's servers. I've noticed most of the compromised accounts are exploited from elsewhere. I'm sorry if this rule is US centric, but it appears to work, somewhat, for me:

header RELAY_NOT_US X-Relay-Countries =~ /\b(?!US)[A-Z]{2}\b/
describe RELAY_NOT_US Relayed through any country other than the US
score RELAY_NOT_US 0.01
meta AE_FOREIGN_FREE FREEMAIL_FROM && RELAY_NOT_US
describe AE_FOREIGN_FREE Freemail that originated somewhere other than the US
score AE_FOREIGN_FREE 0.5

I also find this to be pretty useful in cleaning out the hacked mail...

meta AE_SHORT_FREE FREEMAIL_FROM && (URIBL_DBL_SHORT || URIBL_SU_JMF)
describe AE_SHORT_FREE has shortened URL from a freemail account
score AE_SHORT_FREE 2.0

Now if I could just find a list of url shorteners that included j.mp ... David On 2011-04-04 11:49, Benny Pedersen wrote: I wonder if perhaps a rule in spamassassin should add between 0.5 and 1.5 to the spam rating when it comes from a free webmail service like hotmail and yahoo. there is already freemail plugin

freemail_domain hotmail.com
freemail_whitelist ab...@hotmail.com
freemail_whitelist postmas...@hotmail.com

if you know somebody that really is NOT sending spam from a freemail domain, then add more freemail_whitelist. hotmail.com is already listed as freemail, but i just showed how to use it. i have seen this problem before, but i believe that it's not hijacked, more that hotmail does not consider forged senders in their own network, resulting in that recipient sees it as spf pass. i verified that the sender did not send this so called hijacked email
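The RelayCountry Plugin reply above and the RELAY_NOT_US rule in this post both come down to how two-letter codes in X-Relay-Countries are matched, so here is one added Python example (not code from either post) covering the GB/US allow check in its POSIX form, the simplified form, and the simplified form with XX and ** added, plus "not US" written as a negative lookahead. Python's re has no [[:alpha:]] class, so it is written as [^A-Za-z]; a character class that merely omits the letters S and U is included to show what that shortcut misses. The header values are constructed.

```python
import re

# The posted allow check /^([^[:alpha:]]*(GB|US)[^[:alpha:]]*)+$/ with the
# POSIX class rewritten for Python's re.
ONLY_GB_US_POSIX = re.compile(r"^([^A-Za-z]*(GB|US)[^A-Za-z]*)+$")
# The simplified form from the reply.
ONLY_GB_US_SIMPLE = re.compile(r"^(?:(?:GB|US)\s?)+$")
# Simplified form with the two special tokens: XX (private address space)
# and ** (unassigned in the IP::Country database), the asterisks escaped.
ONLY_GB_US_EXTENDED = re.compile(r"^(?:(?:GB|US|XX|\*\*)\s?)+$")

# "Relayed through any country other than the US" as a negative lookahead:
# any two-letter code that is not exactly US.
RELAY_NOT_US = re.compile(r"\b(?!US)[A-Z]{2}\b")
# Same intent as a class that leaves out the letters S and U; kept only to
# show which codes such a class can never match.
RELAY_NOT_US_CLASS = re.compile(r"\b[ABCDEFGHIJKLMNOPQRTVWXYZ]{2}\b")


def evaluate(header_value):
    """Which checks fire on one X-Relay-Countries value, and which relay
    tokens the lookahead form counts as non-US."""
    tokens = header_value.split()
    return {
        "posix": bool(ONLY_GB_US_POSIX.search(header_value)),
        "simple": bool(ONLY_GB_US_SIMPLE.search(header_value)),
        "extended": bool(ONLY_GB_US_EXTENDED.search(header_value)),
        "not_us": bool(RELAY_NOT_US.search(header_value)),
        "not_us_class": bool(RELAY_NOT_US_CLASS.search(header_value)),
        "non_us_tokens": [t for t in tokens if RELAY_NOT_US.fullmatch(t)],
    }


# Constructed header values covering the cases raised in both threads.
SAMPLES = [
    "US US",        # every hop in an allowed country
    "** GB",        # first hop unassigned in an outdated database
    "XX US",        # first hop in private address space
    "RU US",        # foreign hop relayed via the US
    "IT ** ** IT",  # the value from the SquirrelMail thread
]


def run_samples():
    return {value: evaluate(value) for value in SAMPLES}


if __name__ == "__main__":
    for value, result in run_samples().items():
        print(f"{value!r}: {result}")
```

Three things the output shows: the POSIX form already accepts "** GB", because the asterisks are non-alphabetic filler, while the simplified form rejects it until ** is added; XX is alphabetic and has to be added to either form; and RELAY_NOT_US fires on XX too, so an internal relay in private space counts as "not US" unless the lookahead also excludes it. The S/U class form never matches RU, ES, AU, SE or any other code that contains those letters.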
Obfuscating advanced fee scams with html attachments?
I just got a spam that scored relatively low (mostly due to DNSWL_MED). But it also contained an html attachment that would have scored significantly more had it been part of the main message. I put it at http://pastebin.com/vXF0vGVS When I run the complete message, I only get a few hits, mostly relating to the headers:

X-Spam-Status: Yes, score=5.534 tagged_above=-99 required=4.5 tests=[BOTNET_SOHO=-0.1, DEAR_FRIEND=2.604, FORGED_MUA_OUTLOOK=2.785, L_P0F_Linux=1, NSL_RCVD_FROM_USER=1.226, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_LBBL_RELAY=0.3, RELAY_US=0.01, SPF_PASS=-0.001, T_OBFU_HTML_ATTACH=0.01] autolearn=disabled

When I run just the attachment through spamassassin, I get the usual advanced fee hits (and the "no headers" hits, since it isn't an email at that point...):

X-Spam-Report:
* 0.0 HK_SCAM_N2 BODY: HK_SCAM_N2
* 0.2 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
* 1.2 MISSING_HEADERS Missing To: header
* 0.1 MISSING_MID Missing Message-Id: header
* 1.8 MISSING_SUBJECT Missing Subject: header
* 0.0 LOTS_OF_MONEY Huge... sums of money
* 0.0 T_HK_NAME_MR_MRS T_HK_NAME_MR_MRS
* -0.0 NO_RECEIVED Informational: message has no Received headers
* 1.4 MISSING_DATE Missing Date: header
* 3.1 RISK_FREE No risk
* 0.4 TO_NO_BRKTS_PCNT To: misformatted + percentage
* 1.5 ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
* 2.4 ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
* 0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822 headers
* 0.5 ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
* 0.0 T_MONEY_PERCENT X% of a lot of money for you
* 0.5 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
* 1.0 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
* 1.0 MONEY_FRAUD_5 Lots of money and many fraud phrases
* 1.5 MONEY_FRAUD_8 Lots of money and very many fraud phrases
* 0.5 MONEY_FRAUD_3 Lots of money and several fraud phrases

Any suggestions for improving the detection of this new variant? I'll toss it in my nightly MC directory as well... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: URIBL_RHS_DOB false positives?
On 3/25/11 10:42 AM, Alex mysqlstud...@gmail.com wrote: Hi, But it seems like there is a reset in the URIBL_RHS_DOB database or something. A lot of domains that are not new domains are now listed. It appears to be hitting on a lot of mail today:

$ grep DOB /var/log/mail/info.log | cut -d\  -f 1,2 | uniq -c
  119 Mar 20
  174 Mar 21
  168 Mar 22
  310 Mar 23
10527 Mar 24

Isn't DOB a bit of a broad pattern to be matching for something like this? Unless there's something else than the obvious in that info.log file, or you know something I don't, why wouldn't you just search on the full rule name? I'll accept that criticism. Looks like I got a few quarantine tags, message-id's, and FRT_ADOBE2 rule hits. But it doesn't affect the order of magnitude significantly.

$ grep URIBL_RHS_DOB /var/log/mail/info.log | cut -d\  -f 1,2 | uniq -c
  119 Mar 20
  168 Mar 21
  168 Mar 22
  276 Mar 23
13439 Mar 24
 1844 Mar 25

And some of the discrepancy is amavis continuation lines:

Mar 24 12:08:12 sa amavis[12315]: (12315-04) ...RHS_DOB=0.276, US_DOLLARS_3=2.523] autolearn=disabled
Mar 24 12:27:11 sa amavis[13861]: (13861-13) ...RHS_DOB=0.276, US_DOLLARS_3=2.523] autolearn=disabled
Mar 24 14:07:33 sa amavis[29001]: (29001-04) ..._RHS_DOB=0.276, US_DOLLARS_3=2.523] autolearn=disabled
Mar 24 18:25:07 sa amavis[11933]: (11933-02) ...DOB=0.276] autolearn=disabled

Just curious, I guess. Thanks, Alex
Re: Suspicious URL:Re: __PILL_PRICE Problems
On 3/20/11 10:58 AM, John Hardin jhar...@impsec.org wrote: On Sun, 20 Mar 2011, Matt Elson wrote: fails for me, loops, freebsd 7.3, intel, perl 5.12.3, SA 3.3.1, re2c 001305 what rule should we comment out until this is fixed? Commenting out the following fixed it for me, so should be safe:

# tflags __PILL_PRICE_1 multiple
# tflags __PILL_PRICE_2 multiple
# tflags __PILL_PRICE_3 multiple

in rules_dir/updates_spamassassin_org/72_active.cf around line 5304. Matt I'll disable the whole set in my next commit until this is resolved. I wonder if that is why my mass-checks have been taking 16-20 hours each day? Is there a need for tflags nocompile ? -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: __PILL_PRICE Problems
On 3/21/11 8:28 AM, John Hardin jhar...@impsec.org wrote: On Mon, 21 Mar 2011, Daniel McDonald wrote: On 3/20/11 10:58 AM, John Hardin jhar...@impsec.org wrote: On Sun, 20 Mar 2011, Matt Elson wrote: fails for me, loops, freebsd 7.3, intel, perl 5.12.3, SA 3.3.1, re2c 001305 I'll disable the whole set in my next commit until this is resolved. I wonder if that is why my mass-checks have been taking 16-20 hours each day? Can you isolate when that started happening? Feb 28th ran in 31 minutes. March 1st took 16 hours 15 minutes. I think I sorted out recent ham/spam that day. My box isn't swapping, just running two cores at 96-99% cpu. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: new rules - where do i activate them?
On 3/2/11 9:46 AM, tr_ust rodri...@stthom.edu wrote: I'm sorry - there's only one line in the sample of how to write a uri rule. Are you saying that for each line I need to create a unique LOCAL_URI_EXAMPLE line? In other words it should look more like this? Yes, although score is usually spelled with a leading s...

uri LOCAL_URI_EXAMPLE /03ysl.9hz.com/
core LOCAL_URI_EXAMPLE 20
uri LOCAL_URI_EXAMPLE_1 /03ysl.9hz.com/
core LOCAL_URI_EXAMPLE_1 20
uri LOCAL_URI_EXAMPLE_2 /03ysl.9hz.com/
core LOCAL_URI_EXAMPLE_2 20

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Need Volunteers for Ham Trap
On 2/8/11 3:15 AM, Warren Togami Jr. wtog...@gmail.com wrote: I'm somewhat annoyed by the armchair quarterback negative comments on this topic. (Not just you) didn't read the rest of this thread to realize this particular concern is moot. Ditto. I don't really have time to participate in this activity, but the methodology is sound and provides a needed source of ham. Many people want these opt-in lists, and I don't want to block them. None of the people complaining about how this is such a bad idea are being helpful by actually participating in the nightly masscheck. I do participate in masschecks, primarily because I have a lot of mail from politicians (campaign pieces, updates from my congressman, notes from party officials, and the like) that was getting flagged as spam even though it is clearly opt in, and unsubscribing is clear and simple. The main corpus used in masschecks is the mail for a bunch of techies, and I had a divergent set of mail from this other interest in my life. Warren's project extends that concept much further than just the side-interests of a couple of us nerds/wonks. Talk is cheap. I'm actually doing something. Keep it up! Warren -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Suspicious URL:Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)
On 1/19/11 10:17 AM, John Hardin jhar...@impsec.org wrote: On Wed, 19 Jan 2011, Lee Dilkie wrote: Don't get me wrong, I liked GL but there are a number of big ISPs that have quite long retry timeouts (for some reason, sympatico comes to mind) and it got to be too annoying. ...and when you encounter a big ISP that does this, do you notify their postmaster so they can fix the problem? Or add a grey-listing exception and publish it to the sqlgrey list so that the rest of us can also add an exception? I seldom have problems with large mailers. Most of my greylisting issues come from small organizations. I usually end up exempting them from grey-listing, after we get their DNS cleaned up -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Suspicious URL:Re: Suspicious URL:Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)
On 1/19/11 2:35 PM, John Hardin jhar...@impsec.org wrote: On Wed, 19 Jan 2011, Daniel McDonald wrote: On 1/19/11 10:17 AM, John Hardin jhar...@impsec.org wrote: On Wed, 19 Jan 2011, Lee Dilkie wrote: Don't get me wrong, I liked GL but there are a number of big ISPs that have quite long retry timeouts (for some reason, sympatico comes to mind) and it got to be too annoying. ...and when you encounter a big ISP that does this, do you notify their postmaster so they can fix the problem? Or add a grey-listing exception and publish it to the sqlgrey list so that the rest of us can also add an exception? Is the whitelist available standalone for those of us who don't use sqlgrey? I couldn't see it and didn't want to grab the entire tarball. (As I was researching this I came across a posting to the sqlgrey list from 2005 mentioning a whitelist entry request on behalf of a C/R vendor, and my first thought was what, we want to _encourage_ C/R?) The files are accessible at http://sqlgrey.bouton.name The available files are MD5SUMS, README, clients_fqdn_whitelist, clients_ip_whitelist, dyn_fqdn.regexp, smtp_server.regexp There is a script in the tarball to retrieve the changed files by comparing the published md5sum with that on disk and only pulling down those that are different. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: mimeheader rule misfiring
On 1/7/11 3:24 PM, Kris Deugau kdeu...@vianet.ca wrote: Can anyone tell me how this rule:

mimeheader T_YOUR_ORDER_VIRUS_L Subject =~ /(?:Incoming|Information|Twitter)? ?(?:Message|Ticket)? \#\d+/

You have ? on the first three elements, which means zero-or-one instances. So, since Incoming|Information|Twitter is optional, the space is optional, and Message|Ticket is optional, the only thing required in this whole rule is a space, a literal hash, and one or more digits. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
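The optional-group problem in runnable form, as an added Python example (not code from the thread): the posted pattern is run unchanged beside a tightened variant that requires the keyword and the noun and anchors the number at the end of the subject. The tightened pattern is an assumption, not a rule from the thread, and the subject lines are constructed.

```python
import re

# The posted pattern, unchanged. Every leading group is optional, so the
# only text it actually requires is a space, a literal "#" and digits.
LOOSE = re.compile(r"(?:Incoming|Information|Twitter)? ?(?:Message|Ticket)? \#\d+")

# Tightened form (assumption, not from the thread): keyword and noun are
# mandatory, single spaces between the parts, number ends the subject.
STRICT = re.compile(r"^(?:Incoming|Information|Twitter) (?:Message|Ticket) #\d+\s*$")

# Constructed subject lines: the two shapes the rule targets, plus
# ordinary mail that happens to carry a "#<digits>" reference.
SUBJECTS = [
    "Incoming Message #4123",
    "Twitter Ticket #77",
    "Your order #9981 has shipped",
    "Re: Invoice #2024-03",
    "Ticket #55 updated",
    "No number here",
]


def hits(pattern, subjects=SUBJECTS):
    """Subjects on which the pattern fires, in input order."""
    return [s for s in subjects if pattern.search(s)]


def required_text(pattern):
    """Shortest of a few candidate subjects that still satisfies the
    pattern, tried from shortest to longest; shows what the rule really
    insists on."""
    candidates = [" #1", "Message #1", "Incoming #1", "Incoming Message #1"]
    return next((c for c in candidates if pattern.search(c)), None)


if __name__ == "__main__":
    for name, rx in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, "needs at least:", repr(required_text(rx)))
        print(name, "hits:", hits(rx))
```

The loose pattern fires on every subject that contains " #" followed by digits, order confirmations and invoices included, while the strict one fires only on the two subjects shaped like the malware lure.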
Re: NJABL is dead?
On 12/29/10 8:29 AM, Jack L. Stone ja...@sage-american.com wrote: Very comprehensive coverage. All of my net checks are done at the MTA level (sendmail) and none in SA -- it's turned off. What is the benefit of checking twice? Maybe I missed the benefit. The benefit lies in RBLs that have FP's. You may not think that all hosts on uce-protect are spammers (indeed, they declare that in some of their lists they intentionally cause collateral damage to get the attention of certain ISPs). So, I don't want a host that shows up on uce-protect to be summarily rejected. But, if they show up on uce-protect *and* they have several other spam spoor, I'd like to be able to take that as a weighted factor. Thanks for this discussion as it is good to keep up with those effective BLs. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: A new paradigm for DNS based lists
On 12/29/10 11:33 AM, Marc Perkel supp...@junkemailfilter.com wrote: On 12/29/2010 9:24 AM, Matt wrote: So any email from hotmail.com, gmail.com, yahoo.com, etc. if there SPF or DKIM passes skip any further DNS tests? Yes - there's no point in doing DNS blacklist lookups on yahoo, hotmail, and gmail as well as thousands of other mixed source providers. The IP tells you nothing. That's why I suggest the yellow listing. There may be no reason to check the last-external address, but plenty of reasons to do deep parsing and check the original source address or some intermediate relay. I would skip test if they have SPF because spammers often set their SPF correctly. Please stop talking about SPF until you understand the purpose for which it is intended, which you obviously still don't based on this comment (despite the flame war over SPF you started a few weeks ago.) -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Greylisting (was Re: Anti-Perl rant (was Re: Issuing rollback DBI Mysql))
On 12/27/10 4:07 PM, David F. Skoll d...@roaringpenguin.com wrote: On Mon, 27 Dec 2010 13:36:39 -0800 Ted Mittelstaedt t...@ipinc.net wrote: The real question is, do you get viruses that would make it past SA? I can't answer that because we scan for viruses before SA. I would guess yes. It would be more efficient to scan for viruses after scanning for spam, even though we still do it the other way around. I scan for viruses first, (actually second, after grey-listing) because clamav with the unofficial signatures identifies a fair amount of spam, and the non-virus findings are added to the spamassassin score... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: DNSBL for email addresses?
On 12/14/10 8:28 AM, Marc Perkel supp...@junkemailfilter.com wrote: Are there any DNSBLs out there based on email addresses? No. There was an experimental list for a while. Since you can't use an @ in a DNS lookup - how would you do DNSBL on email addresses?

# This plugin creates rbl style DNS lookups for email addresses.
# There isn't any official emailbl standard yet(?) so we:
#
# 1) make md5hash of lowercased email address (no other normalizations)
# 2) lookup hexmd5hash.zone.example.com.

Is there a standard? Nope, but it works. I use it locally with the emailBL.pm plugin. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
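How the hashed lookup in that comment is formed, as an added Python example (not the emailBL.pm code): lowercase the address, MD5 it, prepend the hex digest to the zone. The zone name is a placeholder, a dictionary stands in for the DNS zone so the example runs offline, and the choice of headers to check (From, Reply-To, Return-Path) is an assumption.

```python
import hashlib
from email import message_from_string
from email.utils import getaddresses

# Placeholder zone; a real deployment points this at the list it queries.
ZONE = "emailbl.example.invalid"
# Headers whose addresses are checked (assumption; the plugin's own
# selection is not shown in the thread).
HEADERS = ("From", "Reply-To", "Return-Path")


def emailbl_query_name(address, zone=ZONE):
    """DNS name queried for one address: hex(md5(lowercase(address))).zone.
    Only the case is normalised, so "user+tag@" and "user@" hash differently."""
    digest = hashlib.md5(address.lower().encode("utf-8")).hexdigest()
    return f"{digest}.{zone}"


# Constructed stand-in for the DNS zone: query name -> A record answer.
LISTED = {emailbl_query_name("scammer@example.com"): "127.0.0.2"}


def check_sender(address, listed=LISTED):
    """Answer for a listed address, None otherwise. A real check resolves
    emailbl_query_name(address) and treats any A record as a listing."""
    return listed.get(emailbl_query_name(address))


def sender_addresses(raw_message):
    """All addresses found in the checked headers, in header order."""
    msg = message_from_string(raw_message)
    values = [v for h in HEADERS for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(values) if addr]


def listed_senders(raw_message, listed=LISTED):
    """Addresses in the message that the list answers for."""
    return [a for a in sender_addresses(raw_message) if check_sender(a, listed)]


# Constructed message: the From address is listed, the other two are not.
SAMPLE_MESSAGE = (
    "Return-Path: <bounce@example.net>\n"
    'From: "Friendly Name" <Scammer@Example.COM>\n'
    "Reply-To: other@example.net\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

if __name__ == "__main__":
    for addr in sender_addresses(SAMPLE_MESSAGE):
        print(addr, "->", emailbl_query_name(addr), check_sender(addr))
    print("listed:", listed_senders(SAMPLE_MESSAGE))
```

Because the address is hashed before it leaves the box, the list operator never sees the plaintext addresses being checked, which is the property that makes this workable for sender addresses where a plain hostname-style lookup would not be. The flip side is the lack of normalisation: a sub-address tag or a dotted Gmail variant produces a different hash and escapes the listing.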
Re: spam with different Received and To headers
On 12/7/10 8:20 AM, Florescu, Dan Alexandru alexandru.flore...@rompetrol.com wrote: Hi, In the last few days some spam messages have been able to elude the filters I use. Upon checking the headers, it seems to be following the same pattern. I just earned $31 in a few hours at home on the computer! I went to - Business Week Journal* You will thank me - * this is a <a href=virus_link>Business Week Journal</a> link My question is: shouldn't there be a rule to verify that the mail specified at To: header actually corresponds to the one at Received: [...] for ? This would be a very effective spam catching rule. No, it would be a really bad rule, for lots of reasons. I am trying to catch these by looking for the body pattern: I {verbed} {money} {verbing} {uri} {salutation} Here is my current rule. I'd love to get more verbs to add to it, based on more examples. They seem to have a pretty good thesaurus...

body __SOME_MONEY_HUNDREDS /\$\d{2,3}\b/
describe __SOME_MONEY_HUNDREDS Has a dollar amount up to $one thousand
body __EASY_MONEY /\bI\b.{0,10}(?:racked|pulled|scored|made|profited|earned)/
describe __EASY_MONEY talks about making easy money
body __EASY_WORK /(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)|working at home|on the computer)/
describe __EASY_WORK talks about the work being simple
meta AE_WORKFROM_HOME __EASY_MONEY && __SOME_MONEY_HUNDREDS && __EASY_WORK && __DOS_HAS_ANY_URI
describe AE_WORKFROM_HOME work from home spam
score AE_WORKFROM_HOME 1.00

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Not-so-much LOTS_OF_MONEY
On 12/1/10 2:14 PM, John Hardin jhar...@impsec.org wrote: On Wed, 1 Dec 2010, Daniel McDonald wrote: On 12/1/10 1:28 PM, John Hardin jhar...@impsec.org wrote: On Wed, 1 Dec 2010, Daniel McDonald wrote: Lately, I've been seeing spammers trying to convince you to click on a site to make hundreds or tens of Dollars, like: http://pastebin.com/MfG74WGW The mail client probably stripped out the more interesting headers before I got it from my customer, because it originally hit RELAY_RU, and I don't see a matching header in the current revision. But, I was wondering if anyone had a good regex for finding these micro-sum spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of finding the 419-style scammers, they have changed tactics on us again... Catching the simple variants of that is pretty straightforward: body __SOME_MONEY /\$?(?:\d+,)?\d{3}\b/ Seems like that would hit on large sums as well, since there is no anchor on the front of the pattern. I suppose I could do __SOME_MONEY !LOTS_OF_MONEY or /\b\$?...etc/ That was off the top of my head. ...then use that in metas (untested). Correct. The complexity comes in from all the various obfuscations. I could work up something similar to LOTS_OF_MONEY for amounts less than $100k. Another problem is smaller amounts of money are much more FP-prone. Agreed. I've seen a couple of these from India and this one from Russia, but it will require a number of metas to make it at all useful. Yeah, but it might be quite handy in catching work-at-home spams. This is what I have come up with so far. I imagine there are lots more verbs that need to be added to this to catch them all:

body __SOME_MONEY_HUNDREDS /\$\d{2,3}\b/
describe __SOME_MONEY_HUNDREDS Has a dollar amount up to $one thousand
body __EASY_MONEY /\bI\b.{0,10}(?:racked|pulled|scored|made|profited)/
describe __EASY_MONEY talks about making easy money
body __EASY_WORK /(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)|working at home)/
describe __EASY_WORK talks about the work being simple
meta AE_WORKFROM_HOME __EASY_MONEY && __SOME_MONEY_HUNDREDS && __EASY_WORK && __DOS_HAS_ANY_URI
describe AE_WORKFROM_HOME work from home spam
score AE_WORKFROM_HOME 1.00

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281
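The sub-rules and meta from this post and from the later revision in "Re: spam with different Received and To headers" (which adds "earned" and "on the computer"), as an added Python example (not code from the thread), run over constructed bodies. __DOS_HAS_ANY_URI is stood in for by a plain http(s) URL match, an assumption. The example also shows the anchoring point raised above: \$\d{2,3}\b matches the first group of a larger comma-separated sum such as $100,000, so the meta depends on the other sub-rules to keep such mail out.

```python
import re

# Sub-rules as posted (later revision, with "earned" and "on the computer").
SOME_MONEY_HUNDREDS = re.compile(r"\$\d{2,3}\b")
EASY_MONEY = re.compile(r"\bI\b.{0,10}(?:racked|pulled|scored|made|profited|earned)")
EASY_WORK = re.compile(
    r"(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)"
    r"|working at home|on the computer)"
)
# Stand-in for __DOS_HAS_ANY_URI (assumption): any http(s) URL in the body.
HAS_ANY_URI = re.compile(r"https?://\S+", re.I)

SUBRULES = {
    "__SOME_MONEY_HUNDREDS": SOME_MONEY_HUNDREDS,
    "__EASY_MONEY": EASY_MONEY,
    "__EASY_WORK": EASY_WORK,
    "__DOS_HAS_ANY_URI": HAS_ANY_URI,
}


def workfrom_home_hits(body):
    """Which sub-rules fire on a body text."""
    return {name: bool(rx.search(body)) for name, rx in SUBRULES.items()}


def ae_workfrom_home(body):
    """The meta rule AE_WORKFROM_HOME: all four sub-rules must hit."""
    return all(workfrom_home_hits(body).values())


def money_matches(body):
    """Every amount __SOME_MONEY_HUNDREDS picks out, to show what the
    trailing word boundary admits."""
    return SOME_MONEY_HUNDREDS.findall(body)


# Constructed bodies: the lure shape from the thread, a fund report with a
# large comma-separated sum, and a personal note with no URL.
SPAM = ("I just earned $31 in a few hours at home on the computer! "
        "Go to http://example.invalid/journal and you will thank me.")
HAM_REPORT = ("Our fund made $100,000 last quarter; see "
              "http://example.invalid/report for details.")
HAM_NO_URI = "I made $45 doing simple tasks for the neighbours this weekend."

if __name__ == "__main__":
    for label, body in (("spam", SPAM), ("report", HAM_REPORT), ("note", HAM_NO_URI)):
        print(label, workfrom_home_hits(body), "meta:", ae_workfrom_home(body),
              "amounts:", money_matches(body))
```

The report trips __SOME_MONEY_HUNDREDS on the "$100" inside "$100,000" but has no first-person earning verb, and the note hits three of the four sub-rules but carries no URL; neither reaches the meta, which is the value of requiring all four.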
Not-so-much LOTS_OF_MONEY
Lately, I've been seeing spammers trying to convince you to click on a site to make hundreds or tens of Dollars, like: http://pastebin.com/MfG74WGW The mail client probably stripped out the more interesting headers before I got it from my customer, because it originally hit RELAY_RU, and I don't see a matching header in the current revision. But, I was wondering if anyone had a good regex for finding these micro-sum spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of finding the 419-style scammers, they have changed tactics on us again... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Not-so-much LOTS_OF_MONEY
On 12/1/10 1:28 PM, John Hardin jhar...@impsec.org wrote: On Wed, 1 Dec 2010, Daniel McDonald wrote: Lately, I've been seeing spammers trying to convince you to click on a site to make hundreds or tens of Dollars, like: http://pastebin.com/MfG74WGW The mail client probably stripped out the more interesting headers before I got it from my customer, because it originally hit RELAY_RU, and I don't see a matching header in the current revision. But, I was wondering if anyone had a good regex for finding these micro-sum spams? Now that LOTS_OF_MONEY has been promoted and is doing a great job of finding the 419-style scammers, they have changed tactics on us again... Catching the simple variants of that is pretty straightforward: body __SOME_MONEY /\$?(?:\d+,)?\d{3}\b/ Seems like that would hit on large sums as well, since there is no anchor on the front of the pattern. I suppose I could do __SOME_MONEY && !LOTS_OF_MONEY ...then use that in metas (untested). Correct. The complexity comes in from all the various obfuscations. I could work up something similar to LOTS_OF_MONEY for amounts less than $100k. Another problem is smaller amounts of money are much more FP-prone. Agreed. I've seen a couple of these from India and this one from Russia, but it will require a number of metas to make it at all useful. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Question about a spam assassin rule
On 11/19/10 2:51 PM, Bowie Bailey bowie_bai...@buc.com wrote: rawbody FR_3TAG_3TAG m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i It looks for an html tag containing exactly three characters followed by a closing tag which also contains exactly three characters. But no instances of d,p,r or y. I'm sure that's a really clever trick for something, I just don't have a clue as to what it might be -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: email address forgery
On 11/14/10 9:41 AM, Marc Perkel supp...@junkemailfilter.com wrote: On 11/11/2010 5:07 PM, Rob McEwen wrote: On 11/11/2010 7:41 PM, Noel Butler wrote: Really? I don't use SPF in SA, only MTA, if that's the case, it is a shame that SA also is behind the times. It was years ago SPF type was ratified. Justin: Any plans to change that? I guess I'm one of those mail admins who is behind the times. But I don't really care that much because I take the same position as Suresh Ramasubramanian... that SPF is a failed technology because, for one, it breaks e-mail forwarding and there are ALWAYS too many legit e-mail forwarding situations (and legit substitutionary from situations--like sending from one's phone) to create problems in comparison to the problems that SPF solves. I send from my phone just fine - Auth on the submission port to my home servers, then SPF matches the policy just fine. What disturbs me the most about SPF is that it is the most widely adopted technology that just plain does not work. It works perfectly well for what it is intended: A way to establish a moderate level of non-repudiation for sent mail. As a method to validate domains before whitelisting, it is ideal - lightweight and straightforward. It's almost cult like in nature. I've seen that behavior from the opponents, but that's probably because they believe it to be some Final Solution to the SPAM Problem, and are unwilling to consider it for what it really is. I'm someone who looks for any trick that works and it took me years to figure out any upside to SPF at all and that was very limited. I have evolved however from saying it is totally useless to barely useful. So I can see why if the SPF standard changed then no one is scrambling to adopt it. I do think however that there should be some kind of DNS lookup that can return information about where legit email for domains comes from. And that would have to include lists of places that are sources of forwarded email.
That is also easily accomplished using SPF - just add an include: directive for each domain that can legitimately forward your mail. Assuming those domains also have SPF records created... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Error Running 'sa-update'
On 10/26/10 12:18 PM, Carlos Mennens carlosw...@gmail.com wrote: Today for the 1st time on my mail server I attempted to manually run the 'sa-update' command in the shell and got the following: [r...@mail ~]# sa-update defined(%hash) is deprecated at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Dns.pm line 757. (Maybe you should just omit the defined()?) Use of goto to jump into a construct is deprecated at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Check.pm line [...] I did a Google search and didn't really find the answer to my issue and was wondering if anyone can please assist me in getting this issue corrected or tell me what I am doing wrong. spamassassin 3.3.1 is not compatible with perl 5.12 The patches to make it compatible are attached to https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6392 -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Problems with SA-Plugin URLRedirect
On 9/27/10 1:41 AM, Hans-Werner Friedemann h-w.friedem...@vds-herzberg.de wrote: Hi @ all I have many problems installing the SA-Plugin URLRedirect. I've moved the files URLRedirect.cf, URLRedirect.pm, URLRedirect.hostpath and URLRedirect.subdomain into the directory where my local.cf is. If I restart my SA-Service I get the following messages in my logfile: Mon Sep 27 08:21:28 2010 [23392] info: config: failed to parse line, skipping, in /etc/mail/spamassassin/URLRedirect.cf: urlredirect_max_recursion 2 Mon Sep 27 08:21:28 2010 [23392] info: config: failed to parse line, skipping, in /etc/mail/spamassassin/URLRedirect.cf: urlredirect_dnslist shorturl.junkemailfilter.com Mon Sep 27 08:21:28 2010 [23392] info: config: failed to parse line, skipping, in /etc/mail/spamassassin/URLRedirect.cf: urlredirect_hostpath tinyurl.com Mon Sep 27 08:21:28 2010 [23392] info: config: failed to parse line, skipping, in /etc/mail/spamassassin/URLRedirect.cf: urlredirect_hostpath_file URLRedirect.hostpath Sounds like you didn't add a loadplugin line in a .pre file... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: AW: Problems with SA-Plugin URLRedirect
On 9/27/10 8:08 AM, Hans-Werner Friedemann h-w.friedem...@vds-herzberg.de wrote: So, I've inserted the following line in my v312.pre: # URLRedirect loadplugin Mail::SpamAssassin::Plugin::URLRedirect /etc/mail/spamassassin/NotUsed/URLRedirect.pm After spamassassin --lint I get: Sep 27 15:03:53.971 [10759] warn: plugin: failed to parse plugin /etc/mail/spamassassin/NotUsed/URLRedirect.pm: Can't locate Taint/Util.pm in @INC (@INC contains: lib What's the matter? It appears the Taint::Util module is a prerequisite. You will probably need to install that. If your distro doesn't have a package for Taint::Util, (probably named perl-Taint-Util or something equally clever) then I'd suggest that you make a package for it from CPAN using cpan2dist. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: sa-update 3.3 daily changes
On 9/9/10 7:46 AM, RW rwmailli...@googlemail.com wrote: On Wed, 8 Sep 2010 16:02:10 -0700 (PDT) John Hardin jhar...@impsec.org wrote: On Wed, 8 Sep 2010, RW wrote: What's the reason for the age limit? The nature of spam (and, to a lesser degree, ham, barring major changes like the widespread adoption of HTML email) changes over time. A rule that hit lots of spam and had a good S/O three years ago (e.g. the multilayer obfuscated image pharma spams that were all the rage a few years back) might hit nearly nothing today. Would it not be sensible to keep ham for as long as necessary, and supplement the spam corpus with spamtraps? No. One maxim of the corpus is that it must be hand inspected. Ham is plentiful - I get 20-50 hams a day in my personal mailbox, and around a thousand a day in my business mailbox. It just takes a little discipline on a few people to sort out and keep the ham, then run the nightly mass-checks. The current rules are 39 months before the ham ages out. I should be able to eventually build and keep a 30-40 thousand ham library just by tossing my read mail into a different bucket than the deleted items folder. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: spam caught, now how to catch spammer
On 9/5/10 8:46 PM, Dennis German dger...@real-world-systems.com wrote: In the last several weeks I have been receiving a lot of spam with email addresses of the form: learningmadeeasy.???...@??.yourseemlost.net accountingeducation.gpx...@oiteew.badpeoplepaper.net affordablelifeinsurance.aj...@wiogif.constum.net How do we stop this guy? Greylisting and a good snowshoe-spammer rbl like invaluement. Invaluement costs a little, but our snowshoe spam has pretty much disappeared since we enabled it. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: After upgrade the SA to 3.3.1, Mail scanning stop working partially
On 8/22/10 9:46 PM, Suhag Desai spde...@ncode.in wrote: After upgrading the SpamAssassin Server version to 3.3.1, my mail scanning stopped working partially. This is a known bug. https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6419 -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: two SA folders and sa-updates
On 8/19/10 7:49 AM, C. Bensend be...@bennyvision.com wrote: better - *don't even think of using them* - they are not being updated and never will. Anything worthy has already been migrated to SA mainstream and the few SARE survivors are also SA commiters so they'll commit to SA instead of SARE. Anybody hammering the rulesemporium with lwp/wget on a regular basis is advised to stop unless in need of surprises when the files are zeroed out. I'm changing my SpamAssassin config to remove the SARE rules due to all this advice, and I just want to make sure I'm doing the correct thing here... I have an /etc/mail/spamassassin/sa-update-channels.txt file that lists the additional SARE channels I was updating via Daryl's site. Only SARE channels are in it. Then you haven't been getting the regular updates. If you don't have updates.spamassassin.org in your --channelfile, it won't check it... Given this cronjob that runs once a day: /usr/local/bin/sa-update --channelfile /etc/mail/spamassassin/sa-update-channels.txt --gpgkey 856AA88A --gpgkey 6C6191E3 /usr/local/bin/spamassassin --lint pkill -SIGHUP spamd I should just be able to rip out the sa-update-channels.txt and the second GPG key, and I'll still get the stock ruleset updates, Start, actually... but won't be buggin' Daryl or futzing with the SARE rules any longer, correct? I will of course remove them from the rules directories and restart SpamAssassin. :) -- Daniel J McDonald, CCIE # 2495, CISSP # 78281 Just want to make sure I'll still get the regular updates... Thanks! Benny
Re: Optional argument in regex
On 8/16/10 6:00 AM, Mynabbler mynab...@live.com wrote: I think everybody and their dog made a ruleset regarding 'your email address has won'. Something like: MN_YEAHRIGHT /\bYour (?:email|e-mail) (?:address|account) (?:has won|just won you)\b/ How do you make the second argument optional? So it also hits 'your email has won'? MN_YEAHRIGHT /\byour e-?mail\b.{0,20}\bwon\b/i The essential point is that it talks about email, and winning, in close proximity. What precisely is in the middle is mostly irrelevant. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
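An added example, not from the thread: the strict rule from the question and the proximity rule from the reply side by side in Python, run over constructed sentences so the difference (and the proximity rule's broader reach, including a non-lottery "won") is visible.

```python
import re

# The strict rule as posted in the question, and the relaxed form from the
# reply, as Python regexes (SpamAssassin's /i becomes re.I).
MN_YEAHRIGHT_STRICT = re.compile(
    r"\bYour (?:email|e-mail) (?:address|account) (?:has won|just won you)\b")
MN_YEAHRIGHT_RELAXED = re.compile(r"\byour e-?mail\b.{0,20}\bwon\b", re.I)


def compare(texts):
    """Map each text to (strict hit, relaxed hit) so the two rules can be compared."""
    return {t: (bool(MN_YEAHRIGHT_STRICT.search(t)),
                bool(MN_YEAHRIGHT_RELAXED.search(t))) for t in texts}


# Constructed sample sentences (not real mail).
SAMPLES = [
    "Your email address has won 500,000 GBP",       # both rules hit
    "your email has won",                            # only the relaxed rule hits
    "Your e-mail account just won you a prize",      # both
    "Your email client won the usability award",     # relaxed only: proximity is blind to context
    "Your email has been selected to win a prize",   # neither: 'win', not 'won'
]

if __name__ == "__main__":
    for text, (strict, relaxed) in compare(SAMPLES).items():
        print(f"strict={strict!s:5} relaxed={relaxed!s:5}  {text}")
```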
Re: List of banned words/bounce to sender
On 8/9/10 6:58 AM, Martin Gregorie mar...@gregorie.org wrote: On Mon, 2010-08-09 at 14:17 +0300, Henrik K wrote: On Mon, Aug 09, 2010 at 11:38:50AM +0100, Martin Gregorie wrote: On Thu, 2010-08-05 at 14:00 -0500, Matthew Kitchin (public/usenet) wrote: Thanks. We are looking at roughly 70,000 names and always growing. If I gave it sufficient hardware, would you expect that to be practical, or is that totally ridiculous? Any options for a database look up here? I'd use a plugin that simply queries the database plus a rule to activate the plugin by calling its eval() method and sets the score if the rule fires. Queries database for what? I guess you didn't read the thread fully. :-) Queries the patient data DB for patient names - obviously. I made the offer because I found it useful to be able to modify an existing plugin that queried a database. Exactly what the SQL query does is largely irrelevant. I found that the difficult bit was working out how to configure the plugin to access my database. Constructing the query and interpreting its result were relatively easy. So, you are recommending that he use a plugin to query 70,000 records from a database, and perform 140,000 body matches, for every e-mail message he receives? Doesn't seem very efficient. It would make sense if it were structured data he was looking at, to then perform one-off queries to see if that data matched the database. But the original post was discussing a data-loss-prevention scheme to avoid unstructured data leaks. If the data could be regularized somehow, that might be different. For example, if there were a limited number of first names, you could write signatures that looked for first names with another capitalized word nearby, and then do a database lookup to see if the capitalized word was a last name associated with the first name that you discovered. Unfortunately, people are pretty random with first names. I have a database of some 600K voters in Travis County, Texas.
There are 38,808 distinct first names. This technique might cut down the number of rules by 93.5%, but then you have to do database lookups and some fancy parsing to verify the hit. Don't know if that would be worth it. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
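The two-stage scheme sketched above, as an added example rather than anything from the thread: stage one is a single alternation over the distinct first names that must be followed by another capitalised word, stage two confirms each candidate pair against the database. The patient table is a constructed in-memory SQLite stand-in for the real 70,000-name database, and names are assumed to be stored capitalised.

```python
import re
import sqlite3

# Constructed stand-in for the patient database (the real one has ~70,000 names).
PATIENTS = [("John", "Smith"), ("Maria", "Garcia"), ("Wei", "Zhang"), ("John", "Doe")]


def build_db(rows):
    """In-memory SQLite table keyed on (first, last); assumption: names stored capitalised."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patient (first TEXT, last TEXT, PRIMARY KEY (first, last))")
    db.executemany("INSERT INTO patient VALUES (?, ?)", rows)
    return db


def first_name_regex(db):
    """Stage 1: one alternation over the distinct first names, each followed within
    a few characters by another capitalised word (the surname candidate)."""
    firsts = [row[0] for row in db.execute("SELECT DISTINCT first FROM patient")]
    # Longest names first so the alternation prefers the full name; escape just in case.
    alt = "|".join(re.escape(f) for f in sorted(firsts, key=len, reverse=True))
    return re.compile(r"\b(" + alt + r")\b\W{1,3}([A-Z][a-z]+)\b")


def find_patient_names(db, text):
    """Stage 2: confirm each (first, candidate surname) pair with one indexed lookup.
    Returns the confirmed pairs in order of first appearance, without duplicates."""
    found = []
    for m in first_name_regex(db).finditer(text):
        pair = (m.group(1), m.group(2))
        if pair in found:
            continue
        if db.execute("SELECT 1 FROM patient WHERE first = ? AND last = ?", pair).fetchone():
            found.append(pair)
    return found


# Constructed outbound message text (not real mail).
SAMPLE_TEXT = ("Please forward the chart for John Smith and Maria Garcia today. "
               "Unrelated: John Wayne's film was on, and Wei said hello.")

if __name__ == "__main__":
    print(find_patient_names(build_db(PATIENTS), SAMPLE_TEXT))
```

Only candidates that survive the regex stage reach the database, so the per-message cost is one small query per candidate rather than one body match per patient; "John Wayne" is looked up and rejected, "Wei said" never reaches the lookup.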
Re: sa-compile has no effect (under Windows.......)
On 8/2/10 7:53 AM, Daniel Lemke le...@jam-software.com wrote: Yet Another Ninja wrote: compiled rules only affects body rawbody rules. Network tests won't be affected and are probably the reason for the lack of a massive difference. Good advice, I disabled all the other plugins and ran spamassassin in local test mode, processing a huge text mail. Without Rule2XSBody, 188 seconds. With Rule2XSBody activated, 86 seconds. So this is a huge improvement, but has little to no effect on regular spam as network tests will take more time in general. The question is not how processing one mail compares, but how 10 per second compare in each scenario. That's where the win is - lower total cpu utilization to accomplish the same work. But your numbers are really wacked out for duration. I grabbed a log of 16418 mails processed since the log rolled over last. Only a third of them took more than 1 second - 4749. Only an eighth of them took over 2 seconds - 2008, less than 2% took over 5 seconds - 301, and a very tiny fraction (less than a half percent) took over 10 seconds - just 74 -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: I need MORE SPAM - You get less spam
On 7/20/10 8:53 AM, Dave O'Neill d...@roaringpenguin.com wrote: On Mon, Jul 19, 2010 at 01:39:32PM -0700, John Hardin wrote: I'll say it again, Marc: you'd get better response from large sites if you offered source code for a small SMTP daemon that did the connection analysis you want and sent to you just the offending IP addresses via an auditable channel (e.g. a plain HTTP PUT), and asked people to install that somewhere in their public netspace. Rather than something bespoke over HTTP, I'd suggest instead using https://datatracker.ietf.org/doc/draft-dskoll-reputation-reporting/ Looks nice, but the only report types are IPv4 and IPv6. You may wish to describe domain-name (uri), domain-name (fcdns) and domain-name (email) report types, as those may be more applicable to Marc's purposes. But as a general note, I'd love to see sqlgrey use this to coordinate multiple greylisting servers, but IP reputation is insufficient for that purpose.
Re: SA checking of authenticated users' messages
On 7/7/10 4:45 PM, Louis Guillaume lo...@zabrico.com wrote: On 6/10/10 11:27 AM, Greg Troxel wrote: (spamass-milter doesn't tell SA about auth) == [ rbl checks run against authenticated user's IP address lack of ALL_TRUSTED for authenticated user's mail ] That last one seems to be my problem. Does the patch fix this? I'll try updating and see what happens. Hi Again! I just need to clarify one thing that's not clear to me in re-reading our thread from the other day: Is there a work-around for this? Usually, you listen for end-users on the submission port, and don't filter it for spam, just auth. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
72_active scores?
Running spamAssassin 3.3.1, via amavisd-new, on Mandriva Enterprise Server 5.1, using scoreset 1 (no bayes, network tests enabled) I've been getting a significant number of spams that are hitting on a number of rules in 72_active.cf, for example: ADVANCE_FEE_3_NEW=0.001, ADVANCE_FEE_3_NEW_MONEY=0.001, AE_FORM_MONEY=2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, L_P0F_Unix=-1, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_US=0.01, SPF_NEUTRAL=0.652, T_FILL_THIS_FORM_SHORT=0.01, T_LOTS_OF_MONEY=0.01, US_DOLLARS_3=2.52 In the past couple of days, there have been around 700 spams that matched one of the ADVANCE_FEE_3_NEW rules, as well as 28 messages that were most likely spams that were not marked. Are we likely to see some of these rules scored a little higher than 0.001 anytime soon? Or do I need to start tweaking the scores for the ones I find reliable? -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Mail discarded
On 6/25/10 4:24 AM, Sasa s...@shoponweb.it wrote: Hi, for a few days many incoming mails have been blocked and in the log file I always have 'discarded, UBE': That is the standard message from amavisd-new when the spamscore exceeds the discard threshold but the domain 'email.it' (but I have this problem with many mail domains) isn't in a blacklist and this domain is certainly 'clean'. Spamassassin uses a scoring system, so there could be any number of reasons that the message is listed as spam, of which blacklists are only a small part. My doubt is for what reason these mails are blocked? Change your logging level to 2 in amavisd.conf so that you log the SPAM-TAG messages: Jun 23 11:16:50 ca amavis[18393]: (18393-14) SPAM-TAG, nore...@activation.example.net -> some.lu...@example.com, No, score=3.823 tagged_above=-99 required=4.5 tests=[FUZZY_AMBIEN=1.851, HTML_MESSAGE=0.001, HTML_TITLE_SUBJ_DIFF=2.171, L_P0F_Unix=-1, MIME_HEADER_CTYPE_ONLY=1.996, MIME_HTML_ONLY=1.105, RCVD_IN_DNSWL_MED=-2.3, RELAY_US=0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled On my mail server I have SA-3.2.5 with postfix/amavisd-new/clamav. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
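Once SPAM-TAG lines are being logged, the question "why was this discarded" is answered by the tests=[...] list. Here, as an added example (not from the thread or from amavisd-new), is a parser for those lines that pulls out verdict, score, threshold and per-rule contributions and ranks the rules that pushed the score up. The sample lines are constructed: the first reuses the test list shown above with placeholder addresses, and the exact address and spacing layout of the amavis line is an assumption.

```python
import re

# amavisd-new SPAM-TAG line layout as logged at log_level 2 (assumption on the
# exact spacing and on "<from> -> <rcpt>[,<rcpt>...]" address formatting).
SPAM_TAG_RE = re.compile(
    r"SPAM-TAG, <(?P<sender>[^>]*)> -> (?P<rcpts>.*?), (?P<verdict>Yes|No), "
    r"score=(?P<score>-?[\d.]+) tagged_above=(?P<tagged>-?[\d.]+) "
    r"required=(?P<required>-?[\d.]+) tests=\[(?P<tests>[^\]]*)\]"
)

# Constructed log lines: the first carries the test list quoted in the thread
# with placeholder addresses, the other two are made up (one over threshold,
# one that is not a SPAM-TAG line at all).
SAMPLE_LINES = [
    "Jun 23 11:16:50 ca amavis[18393]: (18393-14) SPAM-TAG, "
    "<noreply@activation.example.net> -> <someone@example.com>, No, "
    "score=3.823 tagged_above=-99 required=4.5 tests=[FUZZY_AMBIEN=1.851, "
    "HTML_MESSAGE=0.001, HTML_TITLE_SUBJ_DIFF=2.171, L_P0F_Unix=-1, "
    "MIME_HEADER_CTYPE_ONLY=1.996, MIME_HTML_ONLY=1.105, RCVD_IN_DNSWL_MED=-2.3, "
    "RELAY_US=0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled",
    "Jun 23 11:17:02 ca amavis[18394]: (18394-03) SPAM-TAG, "
    "<promo@example.org> -> <someone@example.com>,<other@example.com>, Yes, "
    "score=7.5 tagged_above=-99 required=4.5 tests=[BAYES_99=3.5, "
    "RCVD_IN_XBL=3.0, URIBL_BLACK=1.0] autolearn=spam",
    "Jun 23 11:17:09 ca amavis[18395]: (18395-01) Passed CLEAN, "
    "<a@example.org> -> <b@example.com>",
]


def parse_spam_tag(line):
    """Parse one SPAM-TAG line into a dict, or None for lines of another kind."""
    m = SPAM_TAG_RE.search(line)
    if not m:
        return None
    tests = {}
    for item in m.group("tests").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            tests[name] = float(value)
    return {
        "sender": m.group("sender"),
        "recipients": [r.strip("<>") for r in m.group("rcpts").split(",")],
        "is_spam": m.group("verdict") == "Yes",
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "tests": tests,
    }


def top_contributors(record, n=3):
    """The n rules that pushed the score up the most (highest scores first)."""
    return sorted(record["tests"].items(), key=lambda kv: kv[1], reverse=True)[:n]


def summarise(lines):
    """Parsed SPAM-TAG records for a batch of log lines, skipping everything else."""
    return [rec for rec in map(parse_spam_tag, lines) if rec is not None]


if __name__ == "__main__":
    for rec in summarise(SAMPLE_LINES):
        verdict = "SPAM" if rec["is_spam"] else "ham"
        print(f"{verdict:4} {rec['score']:6.3f}/{rec['required']} "
              f"{rec['sender']} -> {', '.join(rec['recipients'])}")
        for name, value in top_contributors(rec):
            print(f"      {name:24} {value:+.3f}")
```

The per-rule values sum to the logged score, so a quick sanity check on a parsed record is that `sum(tests.values())` equals `score` to within rounding.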
Re: does anyone know of (filtering-)software that would fiddle with Content-Type?
On 6/2/10 9:42 AM, Joseph Brennan bren...@columbia.edu wrote: Per Jessen p...@computer.org wrote: I've received a virtually unreadable email - about 3Mb worth, containing text, html and a zip file. Nothing unusual about it, except that the Content-Type should have been multipart/mixed and specified a boundary - instead it was just text/plain, which made the mail a little difficult for e.g. Thunderbird to digest. Does anyone know of software (probably a filter somewhere) that might have fiddled with that?? Any milter MIGHT HAVE done that if configured to do so. We could do it with the one we use. If we were insane. Or have I overlooked a good reason to do this... no, I don't think so. If a milter accidentally added a blank line in the headers before the Content-Type header, many MTAs will interpret the remainder as a text/plain. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Interesting link in spam message
On 5/25/10 5:22 PM, fchan fc...@molsci.org wrote: I've recently got some spam with a link to bit.ly A fairly common url shortening service if this could be a compromise of Google or something. Nope, just someone abusing a link shortener. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: [OT] was SORBS
On 4/30/10 8:22 AM, Martin Gregorie mar...@gregorie.org wrote: On Fri, 2010-04-30 at 08:43 -0400, Lee Dilkie wrote: First, I'd like to point out that not everyone has the option of changing ISP's. Believe it or not, there are many folks who have only one choice for high-speed internet access (myself included). However, that doesn't apply to the OP, who is using British Telecom as his ISP. My broadband connection goes through the local BT exchange and copper after that, but BT has never been my ISP. I initially used Demon as my ISP, switching to my current ISP (who subcontract broadband connectivity to a third party, *not* BT) when I discovered that Demon didn't offer a suitable package that included domain registration. The OP can do exactly what I did. Out of pure curiosity, what is there about the broadband set-up in your locality that could prevent you from doing something similar? Are both your broadband provider and your ISP monopolies? For me, it was the case the last time I renegotiated my contract for my business-class broadband at home. Short of bringing in a T1 at $600-$1000/month, I had exactly one choice for a provider that would provide me with a static /29 and a SWIP record - the monopoly cable provider. In another year or so I'll see if the monopoly POTS provider can provide the service I need - they promise the moon in their advertisements but balk really fast when you start to ask specific, tangible questions. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Legitimate mail flagged as Spam
On 4/23/10 7:53 AM, PSuo petri.suomi...@pssoft.fi wrote: Hi, I have a problem with legitimate mail getting flagged as spam. The headers mark as following: X-Virus-Check-By: mailwash7.pair.com X-Spam-Check-By: mailwash7.pair.com X-Spam-Status: Yes, hits=8.7 required=4.0 tests=BAD_ENC_HEADER,HELO_LH_HOME,MIME_BASE64_BLANKS,TRACKER_ID What I'm trying to figure out is what am I doing wrong that causes the tests to fail and score high points. Any Help would be appreciated ! You should grep the test names above in /var/lib/spamassassin/3.3.1/updates.spamassassin.org And then change your mail to not look like them. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: CLAMAV 0.95 to be disabled
On 4/9/10 9:45 AM, Charles Gregory cgreg...@hwcn.org wrote: Realize this is OT, and that even the instigation is OT :) But I'm hoping someone here just KNOWS 'rpm'. and can help... (Or can point me to the best forum for a quick answer) While attempting to use rpm on RH9 to update to a newer set of clamav packages, the rpm process locked up, and I had to kill it, and now rpm does not seem to be working at all I'm currently trying 'rpm --rebuilddb' but it's just sitting there, and I've got a feeling it has locked-up too You've got to delete the __db.* files in /var/lib/rpm before you run --rebuilddb -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: How to configure spamassassin
On 4/9/10 10:31 AM, hateSpam khwaja_a...@yahoo.co.uk wrote: Thanks a lot for replies. Do I have to install Amavisd-new and ClamAV to get spamassassin working? Is there any other way to configure spamassassin with postfix not installing additional software? Yes, there are hundreds of ways to integrate spamassassin and clamav. Amavisd-new is one of the easiest to get right. * You could run the clamd milter, which requires a fairly recent version of postfix to support. * You could call spamassassin at delivery time from procmail, which requires that all of your dovecot users have actual user accounts (they might anyway) * there are plenty of other integration glue packages, such as mailzu, mailscanner, mimedefang I stumbled upon amavisd-new , and it has always been flexible enough to handle what I need, so that's what I use, but you need to go look at the various options and pick for yourself. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281 Ned Slider wrote: Birta Levente wrote: On 09/04/2010 13:43, hateSpam wrote: Dear All, I have Spamassassin on my Centos 5.4. For send and receive email I use postfix and Dovecot and Sendmail version 8.13.8. Since I have You seem a little confused - are you running postfix or sendmail as your MTA?
Re: Where is my error?
On 4/3/10 8:09 AM, Alex mysqlstud...@gmail.com wrote: Hi, I'm building a new 3.3.1 SpamAssassin box from scratch, and ran into a small problem when I ran lint: $ spamassassin --lint Apr 2 11:24:05.923 [22379] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::EmailBL.pm: Bareword Mail::SpamAssassin::Plugin::EmailBL not allowed while strict subs in use at (eval 73) line 1. With the little perl expertise that I have, I ask, what is the environment like for the user that you ran spamassassin as? IOW, does it know where to find the perl libs? Yes. Everything works fine other than the EmailBL.pm plugin. If you try su - user to create a login shell, does it then work? Nope. Not a permissions issue... Does perl -V show anything useful about your environment? Nothing that sticks out: $ perl -V Summary of my perl5 (revision 5 version 10 subversion 0) configuration: Platform: osname=linux, osvers=2.6.22.18-server-1mdv, archname=i386-linux-thread-multi uname='linux n2.mandriva.com 2.6.22.18-server-1mdv #1 smp mon feb 11 16:46:24 est 2008 i686 intel(r) xeon(tm) cpu 2.80ghz gnulinux ' config_args='-des -Dinc_version_list=5.8.8 5.8.7 5.8.6 5.8.5 5.8.4 5.8.3 5.8.2 5.8.1 5.8.0 5.6.1 5.6.0 -Darchname=i386-linux -Dcc=gcc -Doptimize=-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -DDEBUGGING=-g -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr -Dsitebin=/usr/local/bin -Dsiteman1dir=/usr/local/share/man/man1 -Dsiteman3dir=/usr/local/share/man/man3 -Dman3ext=3pm -Dcf_by=Mandriva -Dmyhostname=localhost -dperladmin=r...@localhost -dcf_email=r...@localhost -Dd_dosuid -Ud_csh -Duseshrplib -Duseithreads -Di_db -Di_ndbm -Di_gdbm' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=undef, use64bitall=undef,
uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm', optimize='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables', cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -I/usr/local/include -I/usr/include/gdbm' ccversion='', gccversion='4.3.2', gccosandvers='' intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12 ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=4, prototype=define Linker and Libraries: ld='gcc', ldflags =' -L/usr/local/lib' libpth=/usr/local/lib /lib /usr/lib libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc libc=/lib/libc-2.8.so, so=so, useshrplib=true, libperl=libperl.so gnulibc_version='2.8' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE' cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -L/usr/local/lib' Characteristics of this binary (from libperl): Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP USE_ITHREADS USE_LARGE_FILES USE_PERLIO USE_REENTRANT_API Locally applied patches: Mandriva Linux patches Built under linux Compiled at Sep 18 2008 16:41:00 @INC: /usr/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 
/usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl . -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Where is my error?
On 4/5/10 6:53 AM, Mark Martinec mark.martinec...@ijs.si wrote: On Monday April 5 2010 13:01:40 Daniel McDonald wrote: I'm building a new 3.3.1 SpamAssassin box from scratch, and ran into a small problem when I ran lint: $ spamassassin --lint Apr 2 11:24:05.923 [22379] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::EmailBL.pm: Bareword Mail::SpamAssassin::Plugin::EmailBL not allowed while strict subs in use at (eval 73) line 1. Leave out the '.pm' in your loadplugin directive. Wrong: loadplugin Mail::SpamAssassin::Plugin::EmailBL.pm right: loadplugin Mail::SpamAssassin::Plugin::EmailBL Mark Thanks! That fixed it - I knew it had to be simple, but the error message really didn't tell me where to look. Now on to Amavisd-new, sqlgrey, p0f, rbldnsd -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
Where is my error?
I'm building a new 3.3.1 SpamAssassin box from scratch, and ran into a small problem when I ran lint: $ spamassassin --lint Apr 2 11:24:05.923 [22379] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::EmailBL.pm: Bareword Mail::SpamAssassin::Plugin::EmailBL not allowed while strict subs in use at (eval 73) line 1. Not much help to know where to look, so I tried in Debug mode: Apr 2 11:30:32.971 [22440] dbg: config: fixed relative path: /etc/mail/spamassassin/EmailBL.pm Apr 2 11:30:32.972 [22440] dbg: plugin: loading Mail::SpamAssassin::Plugin::EmailBL.pm from /etc/mail/spamassassin/EmailBL.pm Apr 2 11:30:32.979 [22440] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::EmailBL.pm: Bareword Mail::SpamAssassin::Plugin::EmailBL not allowed while strict subs in use at (eval 73) line 1. Still not a clue what precisely is wrong, so: $ grep -n EmailBL * emailbl.cf:1:ifplugin Mail::SpamAssassin::Plugin::EmailBL EmailBL.cf:4:## loadplugin Mail::SpamAssassin::Plugin::EmailBL EmailBL.pm EmailBL.cf:6:## See: http://sa.hege.li/EmailBL.pm EmailBL.cf:11:ifplugin Mail::SpamAssassin::Plugin::EmailBL EmailBL.pm:1:package Mail::SpamAssassin::Plugin::EmailBL; EmailBL.pm:20:# loadplugin Mail::SpamAssassin::Plugin::EmailBL EmailBL.pm EmailBL.pm:150:sub dbg { Mail::SpamAssassin::Plugin::dbg (EmailBL: @_); } EmailBL.pm:160:$self->{EmailBL_available} = 1; EmailBL.pm:162:$self->{EmailBL_available} = 0; EmailBL.pm:189:return 1 unless $self->{EmailBL_available}; EmailBL.pm:222:return 0 unless $self->{EmailBL_available}; EmailBL.pm:357:$self->_add_desc($pms, $email, EmailBL hit at $prs->{zone}); EmailBL.pm:382:$self->_add_desc($pms, $email, EmailBL hit at $prs->{zone}); EmailBL.pm:584:return 0 unless $self->{EmailBL_available}; init.pre:39:loadplugin Mail::SpamAssassin::Plugin::EmailBL.pm EmailBL.pm I don't see a bareword in any files, and nothing appears to be an eval line 73. Can anyone help me track this down?
Oh, and I know the EmailBL project is dead. I maintain a local list of bad actors and feed them via DNS in a format compatible with EmailBL.pm -- Daniel J McDonald, CCIE # 2495, CISSP # 78281
.pn TLDs not recognized for util_rb_2tld?
config: SpamAssassin failed to parse line, "co.at.pn" is not valid for util_rb_2tld, skipping: util_rb_2tld co.at.pn
config: SpamAssassin failed to parse line, "co.uk.pn" is not valid for util_rb_2tld, skipping: util_rb_2tld co.uk.pn
config: SpamAssassin failed to parse line, "com.au.pn" is not valid for util_rb_2tld, skipping: util_rb_2tld com.au.pn
channel: lint check of update failed, channel failed

$ dig +short 5.2.3.90_2tld.cf.sare.sa-update.dostech.net txt
"201002251100"

Shouldn't those have util_rb_3tld?

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
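A pre-lint that catches both config mistakes shown in the two messages above before spamassassin --lint does, written here as an added example rather than SpamAssassin's own parser. It assumes two things taken from the error text on this page: a loadplugin module name must be a bare Perl package name (the ".pm" in init.pre line 39 is what Perl reports as a bareword under "strict subs"), and a util_rb_Ntld entry must have exactly N dot-separated labels (co.at.pn has three).

```python
# Added pre-lint for two SpamAssassin config mistakes shown on this page
# (this is not SpamAssassin's own parser). Assumed checks: a loadplugin
# module name must be a bare Perl package name, and util_rb_Ntld entries
# need exactly N dot-separated labels.
import re

PERL_PACKAGE = re.compile(r"^[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*$")
TLD_DIRECTIVE = re.compile(r"^util_rb_(\d)tld$")


def lint_line(line):
    """Return the problems found in one config line ([] if it is fine)."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line:
        return []
    directive, *args = line.split()
    problems = []
    if directive == "loadplugin":
        name = args[0] if args else ""
        # Perl reads "Plugin::EmailBL.pm" as two barewords joined by ".",
        # which is the 'strict subs' failure in the lint output above.
        if not PERL_PACKAGE.match(name):
            problems.append("loadplugin module %r is not a bare package "
                            "name (drop any .pm suffix)" % name)
    m = TLD_DIRECTIVE.match(directive)
    if m:
        want = int(m.group(1))
        for entry in args:
            have = entry.count(".") + 1
            if have != want:
                problems.append("%s entry %r has %d labels; use util_rb_%dtld"
                                % (directive, entry, have, have))
    return problems


def lint_text(text):
    """Lint a whole config; returns {line_number: [problem, ...]}."""
    results = ((no, lint_line(l)) for no, l in enumerate(text.splitlines(), 1))
    return {no: probs for no, probs in results if probs}


# Constructed sample: the page's broken lines next to corrected ones.
SAMPLE = """\
loadplugin Mail::SpamAssassin::Plugin::EmailBL.pm EmailBL.pm
loadplugin Mail::SpamAssassin::Plugin::EmailBL EmailBL.pm
util_rb_2tld co.at.pn co.uk.pn com.au.pn
util_rb_3tld co.at.pn co.uk.pn com.au.pn
util_rb_2tld co.uk
"""
```

Running lint_text(SAMPLE) reports only lines 1 and 3; the corrected forms on lines 2, 4 and 5 pass.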
Re: Rules for not passing SPF
On 2/2/10 5:38 PM, dar...@chaosreigns.com <dar...@chaosreigns.com> wrote:
> On 02/02, Marc Perkel wrote:
>> Why would you want to catch domains without SPF as SPF has no relationship to detecting spam?
>
> SPF is entirely about spam.

Sorry, but SPF is entirely about ham. We use SPF with vendors who want to ensure that we receive their mail. They must either provide a valid SPF policy or use DKIM signing in order to be added to our whitelist. It's specified in all of the bid documentation.

> http://www.openspf.org/Introduction
>
> If everyone uses SPF, all we need to block all spam is these rules (SPF_NOT_PASS alone should do it), and a blacklist of domains that have SPF records including IPs that send spam.

Spammers will often create a rule like "spf=v1 all". That always matches, so their mail is now SPF compliant. Better to use it for personal whitelisting, and as an anti-spoofing filter (if it doesn't match our SPF policy, we didn't send it, so it should be considered as SPAM).

> SPF is easy, there's a wizard (http://www.openspf.org/, then you paste the results into the DNS TXT record for your domain).

Yes, we all know how to set up SPF.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
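To see why a pass result alone is not a spam signal, here is an added example (not part of the thread) that evaluates a v=spf1 record for a sender address. It handles only the ip4 and all mechanisms, and the records and addresses are constructed; the record the reply calls "spf=v1 all" is written "v=spf1 +all" in DNS, and the evaluator shows it passes any address at all.

```python
# Added example (not from the original post): a minimal SPF evaluator for
# the ip4 and "all" mechanisms, enough to show why a record that ends in
# "+all" passes every sender. Records and addresses below are constructed.
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none') for
    sender_ip under a v=spf1 record using only ip4/all. Other mechanisms
    (a, mx, include, ...) raise instead of being silently ignored."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                          # RFC 4408 default
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]         # "all" matches any sender
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError("unsupported mechanism: %s" % term)
    return "neutral"                             # nothing matched


def passes_everything(record):
    """True when the record's catch-all is a plain (or +) 'all': every
    sender gets SPF pass, so a pass from that domain says nothing."""
    for term in record.split()[1:]:
        if term.lower() in ("all", "+all"):
            return True
        if term.lower() in ("-all", "~all", "?all"):
            return False
    return False


# Constructed records: a strict policy next to the pass-everything one.
STRICT = "v=spf1 ip4:192.0.2.0/24 -all"
WIDE_OPEN = "v=spf1 +all"
```

For whitelisting, check passes_everything() on the vendor's record before trusting an SPF pass from it; for anti-spoofing of your own domain, a fail against STRICT-style policy is the useful result.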
Re: Sought Rules Back?
On 2/1/10 9:30 AM, Mark Martinec <mark.martinec...@ijs.si> wrote:
>> Update returned sought rules 1/31/2010.
>
> Actually back since Jan 6. :) Re-viewed about 1k fraud spam the following days, for the Sought Fraud sub-set.
>
> Btw, the three rules JM_SOUGHT_FRAUD_{1,2,3} have a score of zero as per Justin's request (Bug 6155 c 38, c72, c89, c124).

Doesn't appear to be that way in the 3.2.5 channel:

$ cd /var/lib/spamassassin/3.002005/sought_rules_yerp_org/
$ grep score *
20_sought.cf:score JM_SOUGHT_1 4.0
20_sought.cf:score JM_SOUGHT_2 4.0
20_sought.cf:score JM_SOUGHT_3 4.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_1 3.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_2 3.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_3 3.0
$ ls -l
total 128
-rw-r--r-- 1 root root 44591 Feb  1 07:12 20_sought.cf
-rw-r--r-- 1 root root 80120 Feb  1 07:12 20_sought_fraud.cf
-rw-r--r-- 1 root root    29 Feb  1 07:12 MIRRORED.BY

And in fact, looking at the 3.3.0 channel on a different box, the scores are the same:

$ cd /var/lib/spamassassin/3.003000/sought_rules_yerp_org/
$ grep score *
20_sought.cf:score JM_SOUGHT_1 4.0
20_sought.cf:score JM_SOUGHT_2 4.0
20_sought.cf:score JM_SOUGHT_3 4.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_1 3.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_2 3.0
20_sought_fraud.cf:score JM_SOUGHT_FRAUD_3 3.0

> Not sure if people using the channel realize that scores need to be bumped up.
>
> Btw, I prefer to avoid them monopolizing the score when more than one hits:
>
> score JM_SOUGHT_FRAUD_1 0.1
> score JM_SOUGHT_FRAUD_2 0.1
> score JM_SOUGHT_FRAUD_3 0.1
> meta JM_SOUGHT_FRAUD_ANY JM_SOUGHT_FRAUD_1 || JM_SOUGHT_FRAUD_2 || JM_SOUGHT_FRAUD_3
> score JM_SOUGHT_FRAUD_ANY 3.0
>
> Mark

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Sought Rules Back?
On 2/1/10 9:59 AM, Jason Bertoch <ja...@i6ix.com> wrote:
> On 2/1/2010 10:58 AM, RW wrote:
>> On Mon, 1 Feb 2010 16:30:04 +0100
>> Mark Martinec <mark.martinec...@ijs.si> wrote:
>>>> Update returned sought rules 1/31/2010.
>>>
>>> Actually back since Jan 6. :) Re-viewed about 1k fraud spam the following days, for the Sought Fraud sub-set.
>>>
>>> Btw, the three rules JM_SOUGHT_FRAUD_{1,2,3} have a score of zero as per Justin's request (Bug 6155 c 38, c72, c89, c124).
>>>
>>> Not sure if people using the channel realize that scores need to be bumped up.
>>
>> That doesn't seem to be correct:
>>
>> $ grep score 20_sought_fraud.cf
>> score JM_SOUGHT_FRAUD_1 3.0
>> score JM_SOUGHT_FRAUD_2 3.0
>> score JM_SOUGHT_FRAUD_3 3.0
>> $ ls -l 20_sought_fraud.cf
>> -rw-r--r-- 1 root wheel 80120 1 Feb 15:38 20_sought_fraud.cf
>
> updates_spamassassin_org/50_scores.cf overrides the scores in the sought ruleset.

Ah, I didn't catch that. But it is only in the 3.3.0 channel. Fixing my 3.3.0 test machines now.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
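The two threads above turn on how SpamAssassin resolves scores: a later score line for the same rule replaces an earlier one (so the main channel's 50_scores.cf overrides what the sought .cf files say), and a meta rule lets several rules share one score. The following added example, which is not SpamAssassin's own code, models both: it reads score and meta lines from files in load order and totals a message's hits; the three file contents are constructed, including the assumption that 50_scores.cf zeroes the fraud rules as Mark describes.

```python
# Added example (not SpamAssassin's own code): compute a message's score
# from score/meta lines read in file order, where a later "score" line
# replaces an earlier one, which is how the main channel's 50_scores.cf
# overrides the sought ruleset. File contents below are constructed.
import re

RULE_NAME = re.compile(r"[A-Za-z_]\w*")


def load_config(files):
    """files: ordered list of (name, text). Returns (scores, metas)."""
    scores, metas = {}, {}
    for _name, text in files:
        for line in text.splitlines():
            parts = line.split("#", 1)[0].split()
            if len(parts) >= 3 and parts[0] == "score":
                scores[parts[1]] = float(parts[2])    # last definition wins
            elif len(parts) >= 3 and parts[0] == "meta":
                metas[parts[1]] = " ".join(parts[2:])
    return scores, metas


def total_score(hits, scores, metas):
    """Sum the scores of the hit rules plus every meta rule they satisfy.
    Meta expressions may use rule names, ||, &&, ! and parentheses."""
    hits = set(hits)
    for name, expr in metas.items():
        # Rewrite the SA boolean expression into Python, with each rule
        # name replaced by whether it hit, then evaluate it with no builtins.
        py = RULE_NAME.sub(lambda m: str(m.group(0) in hits), expr)
        py = py.replace("||", " or ").replace("&&", " and ").replace("!", " not ")
        if eval(py, {"__builtins__": {}}, {}):
            hits.add(name)
    return round(sum(scores.get(r, 1.0) for r in hits), 3)  # SA default 1.0


# Constructed files in load order: the sought channel's own scores, the
# main channel's 50_scores.cf zeroing them, then a local.cf carrying the
# meta rule Mark suggests above.
SOUGHT = ("20_sought_fraud.cf", "score JM_SOUGHT_FRAUD_1 3.0\n"
          "score JM_SOUGHT_FRAUD_2 3.0\nscore JM_SOUGHT_FRAUD_3 3.0\n")
UPDATES = ("50_scores.cf", "score JM_SOUGHT_FRAUD_1 0.0\n"
           "score JM_SOUGHT_FRAUD_2 0.0\nscore JM_SOUGHT_FRAUD_3 0.0\n")
LOCAL = ("local.cf", "score JM_SOUGHT_FRAUD_1 0.1\nscore JM_SOUGHT_FRAUD_2 0.1\n"
         "score JM_SOUGHT_FRAUD_3 0.1\nmeta JM_SOUGHT_FRAUD_ANY "
         "JM_SOUGHT_FRAUD_1 || JM_SOUGHT_FRAUD_2 || JM_SOUGHT_FRAUD_3\n"
         "score JM_SOUGHT_FRAUD_ANY 3.0\n")
```

With all three files loaded, a message hitting all three fraud rules scores 3.3 instead of the 9.0 the sought file alone would give, and a message hitting one still scores 3.1.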
Re: That Future Bug
On 1/19/10 9:02 AM, Robert Ober <ro...@robob.com> wrote:
> Well, I have googled it and read lots of stuff and the problem persists. I have a server on CentOS 5.3 with spamassassin-3.2.5-1.el5 from that distribution. They have no newer according to yum. The local.cf fix did not change anything after restarting spamassassin.

Have you compiled rules in the past? If so, you will need to re-compile your rules before restarting spamd.

Sorry to come into the middle of the conversation, but a few more details of what you have done would be helpful...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: That Future Bug
On 1/19/10 9:19 AM, Robert Ober <ro...@robob.com> wrote:
> Daniel McDonald wrote:
>> On 1/19/10 9:02 AM, Robert Ober <ro...@robob.com> wrote:
>>> Well, I have googled it and read lots of stuff and the problem persists. I have a server on CentOS 5.3 with spamassassin-3.2.5-1.el5 from that distribution. They have no newer according to yum. The local.cf fix did not change anything after restarting spamassassin.
>>
>> Have you compiled rules in the past? If so, you will need to re-compile your rules before restarting spamd.
>
> Have not compiled rules that I can remember. Can you point me to a doc?

man sa-compile

To see if you have compiled rules, look for /var/lib/spamassassin/compiled

>> Sorry to come into the middle of the conversation, but a few more details of what you have done would be helpful...
>
> I have only entered
>
> score FH-DATE-PAST-20XX 0.0
>
> into the local.cf and

Shouldn't those dashes be underscores?

> restarted spamassassin.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281