Re: SPF
Take your email as an example:

envelope from: users-return-120376-duca=staff.spin...@spamassassin.apache.org
body from: maj...@gmail.com
SPF for gmail.com: v=spf1 redirect=_spf.google.com

You see that in the case of mailing lists (and ESPs, and possibly every other VERP case) a check on the body From would fail even if the original sender intended to send that email.

Daniele

On 03/05/19 17:24, user321 wrote:
> But I have a feeling this would be extremely effective in dealing with spoofed emails. They often have a borderline score around the blocking point, so that kind of rule with a relatively low score could be the last straw on the camel's back, don't you agree?
> cheers
> user321
> --
> Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html
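The point of the reply above, as an added example that is not part of the thread: SPF (RFC 7208) is evaluated against the RFC 5321 MAIL FROM (what the receiver sees as Return-Path), not against the RFC 5322 From: header. The toy evaluator below understands only ip4:/ip6:/all and redirect=, enough to show why a mailing-list (VERP) message passes on the envelope domain and would fail if the same check were keyed on the body From: domain. The TXT records, the relay address and the message are constructed; the _spf.google.com record here is not Google's real one.

```python
"""Added example, not from the thread: which identity SPF actually checks.

The TXT records, the relay address and the message below are constructed;
the _spf.google.com record is not Google's real one.
"""
import email
import ipaddress
from email import policy

# Constructed stand-in for DNS TXT lookups (domain -> SPF record).
FAKE_TXT = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",                # as quoted in the thread
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",           # constructed
    "spamassassin.apache.org": "v=spf1 ip4:198.51.100.0/24 -all",  # constructed
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, txt=FAKE_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain.

    Only ip4:, ip6:, all and redirect= are understood (no include:, a, mx).
    """
    if depth > 10:                       # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    record = txt.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if mech[0] in QUALIFIER:
            qualifier, mech = mech[0], mech[1:]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER[qualifier]
        elif mech == "all":
            return QUALIFIER[qualifier]
        elif mech.startswith("redirect="):
            redirect = mech[len("redirect="):]
    if redirect:                         # redirect= applies only when nothing matched
        return spf_check(ip, redirect, txt, depth + 1)
    return "neutral"                     # RFC 7208 default result


def sender_domains(raw):
    """(envelope domain from Return-Path, header domain from From:)."""
    msg = email.message_from_string(raw, policy=policy.default)
    env = str(msg["Return-Path"]).strip().strip("<>").rsplit("@", 1)[1].lower()
    hdr = msg["From"].addresses[0].domain.lower()
    return env, hdr


def verdicts(raw, relay_ip):
    """SPF result keyed on each identity, for the relay that delivered to us."""
    env, hdr = sender_domains(raw)
    return {
        "envelope": (env, spf_check(relay_ip, env)),
        "header_from": (hdr, spf_check(relay_ip, hdr)),
    }


# Constructed mailing-list message: VERP envelope, subscriber's address in From:.
SAMPLE = """\
Return-Path: <users-return-120376-duca=example.net@spamassassin.apache.org>
Received: from mail.example.org ([198.51.100.25]) by mx.example.net; Fri, 3 May 2019 17:30:00 +0200
From: A Subscriber <subscriber@gmail.com>
To: users@spamassassin.apache.org
Subject: Re: SPF

Checking the body From would fail here.
"""

if __name__ == "__main__":
    print(verdicts(SAMPLE, "198.51.100.25"))
```

Run stand-alone it reports the envelope identity passing and the header-From identity softfailing for the same relay; a rule keyed on the body From would penalise every list subscriber whose domain publishes SPF.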
Re: Freshclam Safebrowsing enabled for SA
On 23/04/19 17:07, Kevin A. McGrail wrote:
> On 4/23/2019 6:18 AM, Brent Clark wrote:
>> Just want to pick the community's brain for a second. Does anyone use Mail::SpamAssassin::Plugin::GoogleSafeBrowsing, or better, enable 'SafeBrowsing Yes' in freshclam's configuration file? I see SafeBrowsing is a blacklist service provided by Google that provides lists of URLs for web sites that contain malware or phishing content. What was your experience with mail containing malware or phishing content?

Hello, sorry to hijack the thread, but while we are talking about ClamAV signatures, I'd like to point you also to these:

https://urlhaus.abuse.ch/api/#clamav

It's a very lightweight set of URLs known to distribute Emotet. They get hits on my systems while other signatures and AV engines fail, so you may want to give them a try.

Daniele
Re: Lost mail during update
On 21/11/18 07:56, @lbutlr wrote:
> While updating spamassassin, several emails were destructively lost because of the absence of spamc. To be fair, the update did get stuck unexpectedly asking for a confirmation, but still I'd like to avoid this happening again.
>
> Nov 20 10:20:34 mail postfix/pipe[73448]: 42zsss3jHVzcfQ1: to=, orig_to=, relay=spam-filter, delay=0.63, delays=0.61/0/0/0.02, dsn=2.0.0, status=sent (delivered via spam-filter service (/usr/local/bin/spam-filter: line 23: /usr/local/bin/spamc: No such file or directory))
> Nov 20 10:20:34 mail postfix/qmgr[85457]: 42zsss3jHVzcfQ1: removed
>
> The result is a message that has a minimal set of headers and no content.

Since you use Postfix, I highly advise you to switch either to a milter or to a content_filter to scan emails. If you had used one of these systems, emails would have been 4xx'd and thus requeued by the original server.

Regards
Daniele
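The reply recommends moving to a milter or content_filter. For anyone who stays with a pipe(8) filter, here is an added example (not the spam-filter script from the thread, which is not on the page) of the fail-closed behaviour it should have had: Postfix maps the exit status of a pipe command through sysexits.h, so 0 delivers, 75 (EX_TEMPFAIL) defers the message and keeps it queued for retry, and most other codes bounce. The log line above shows the opposite: the wrapper continued past "spamc: No such file", exited 0, and Postfix delivered an empty message. The paths, the sendmail re-injection flags and the master.cf entry in the comments are assumptions.

```python
#!/usr/bin/env python3
"""Added example, not the thread's spam-filter script: a Postfix pipe(8)
content filter that defers (exit 75) instead of delivering an empty
message when spamc is missing or fails.  Paths and flags are assumptions.
"""
import shutil
import subprocess
import sys

EX_OK = 0
EX_TEMPFAIL = 75                   # sysexits.h: Postfix defers and retries
SPAMC = "/usr/local/bin/spamc"     # assumed, as in the thread's log line
SENDMAIL = "/usr/sbin/sendmail"    # assumed re-injection path


def decide_exit(spamc_present, spamc_rc, scanned_len, sendmail_rc):
    """Map the pipeline state to the code Postfix should see.

    Every failure becomes a deferral: a delayed message can be retried,
    a lost or truncated one cannot.
    """
    if not spamc_present:
        return EX_TEMPFAIL
    if spamc_rc != 0:              # with -x, spamd being down is an error
        return EX_TEMPFAIL
    if scanned_len == 0:           # never re-inject an empty body
        return EX_TEMPFAIL
    if sendmail_rc != 0:
        return EX_TEMPFAIL
    return EX_OK


def filter_message(raw, sendmail_args=(), spamc=SPAMC, sendmail=SENDMAIL):
    """Scan raw message bytes with spamc, re-inject via sendmail, return exit code."""
    if shutil.which(spamc) is None:
        sys.stderr.write(f"{spamc}: not found, deferring\n")
        return decide_exit(False, None, 0, None)
    # -x disables spamc's "safe fallback", so an unreachable spamd fails
    # loudly instead of passing the message through unscanned.
    scan = subprocess.run([spamc, "-x"], input=raw, capture_output=True)
    rc = decide_exit(True, scan.returncode, len(scan.stdout), 0)
    if rc != EX_OK:
        return rc
    inject = subprocess.run([sendmail, "-G", "-i", *sendmail_args], input=scan.stdout)
    return decide_exit(True, scan.returncode, len(scan.stdout), inject.returncode)


if __name__ == "__main__":
    # Assumed master.cf entry (Postfix substitutes ${sender}/${recipient}):
    #   spam-filter unix - n n - - pipe flags=Rq user=filter
    #     argv=/usr/local/bin/spam-filter -f ${sender} -- ${recipient}
    sys.exit(filter_message(sys.stdin.buffer.read(), sys.argv[1:]))
```

A deferral still needs monitoring (the queue grows while spamc is broken), but the mail survives, which is exactly what the original wrapper failed to guarantee.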
CryptoBL [was: Bitcoin rules]
Hello everyone,

as said some days ago, I started a DNSBL based on abused/malign BTC addresses. This list is queried by an SA plugin that takes the md5 hash (I know, outdated algorithm, but good enough for this purpose IMHO) of a BTC wallet found in the body and looks it up in the DNSBL.

The DNSBL is (mostly) automatically populated by trap feeds and from bitcoinabuse.com.

What I'm looking for are people that would like to try it and possibly polish the plugin (I'm not a coder) and/or contribute malign BTC wallets, or other cryptocurrencies found in sextortions.

If interested please PM me offlist.

Thanks
Daniele Duca
Re: Bitcoin rules
On 22/10/2018 12:37, Paul Stead wrote:
> This can be resolved by hashing the BTC address before lookup and looking up the resulting hash in the DB
> Paul

Yes, thanks for the suggestion, I would have done that in the next version coming up in the following days, where I'd also populate the list with Monero addresses that I saw are sometimes used in ransom/extortions.

Daniele
Re: Bitcoin rules
On 21/10/2018 09:15, Henrik K wrote:
> I wonder who's going to be the first to offer a public bitcoin DNS blacklist, I could make a plugin for it. :-) In the meantime, here's something to try..

Hi, I maintain a local rbldnsd zone with abused BTC addresses (btw, thanks for bitcoinabuse.com, I didn't know about it). I then use the dnsbl through a simple SA plugin where I scan the body for BTC addresses (regex: [13][a-km-zA-HJ-NP-Z1-9]{25,34}) and query them against the rbldnsd zone. The only caveat is that rbldnsd is case insensitive, so there MAY be legit BTC addresses that match abused ones, but in my setup it is a risk I'm willing to take.

Daniele
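The three Bitcoin messages above describe one pipeline: extract candidate addresses with the regex, look them up in a DNSBL, and hash the address first so the case-insensitive DNS lookup cannot match two addresses that differ only in letter case. The following is an added example of that pipeline, not the poster's plugin. It also filters regex matches through the Base58Check checksum, which cuts random alphanumeric strings that merely look like addresses. The zone name is an assumption, no DNS query is made, and the sample body is constructed (its first address is the well-known genesis block address, the second is that address with one character changed).

```python
"""Added example, not the poster's plugin: BTC address extraction,
checksum validation and hashed DNSBL query names.  Zone name and sample
body are constructed; no DNS query is made.
"""
import hashlib
import re

# Regex from the thread (legacy P2PKH "1..." and P2SH "3..." addresses).
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s):
    """Base58 string -> bytes; each leading '1' encodes a 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)      # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading + body


def is_valid_btc(addr):
    """True if addr decodes to version(1)+hash160(20)+checksum(4) and the
    checksum equals the first 4 bytes of SHA256(SHA256(version+hash160))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def find_btc_addresses(body):
    """Unique regex candidates that also pass the checksum, in body order."""
    found = []
    for m in BTC_RE.finditer(body):
        a = m.group(0)
        if a not in found and is_valid_btc(a):
            found.append(a)
    return found


def dnsbl_query_name(addr, zone="btc.dnsbl.example.invalid"):
    """<md5(address)>.<zone>.  Hashing keeps 1abc and 1ABC distinct even
    though DNS (and rbldnsd) compare names case-insensitively.  md5 is
    what the thread uses; its known weakness is chosen collisions, while
    a false hit here would require a second preimage."""
    return hashlib.md5(addr.encode("ascii")).hexdigest() + "." + zone


# Constructed sextortion-style body.
SAMPLE_BODY = """\
Send 0.2 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours or the
video goes to your contacts. (Not 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb, which
looks like an address but has a bad checksum.)
"""

if __name__ == "__main__":
    for a in find_btc_addresses(SAMPLE_BODY):
        print(a, "->", dnsbl_query_name(a))
```

Feeding the hashed label to the zone (and storing hashed labels in rbldnsd) is what removes the case-collision caveat; the checksum step is optional but keeps the DNS query volume down.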
Re: Phishing email or no?
On 13/10/2018 19:51, Rupert Gallagher wrote:
> "The message was marked as spam by the content filter." Nice... so they know they are sending spam!

Who doesn't :) I mean, for a setup as big as theirs, having abused accounts or outright spammers is somewhat endemic. What I think they are doing is trying to limit the damage by routing outbound mail they think is spam through different /24s, hoping to keep the most used IPs as clean as possible. I do the same for outbound emails, but my setup has a little more than 10k users and I deal immediately with any abused account.

Just FYI, I looked at my logs for the last 10 days and I have ~250 emails inbound from O365 tagged with SFV:SPM; about 50 are legit emails (so their error), but more worrying is that there is also malware being delivered from O365 :( This means they don't even do basic outbound virus scanning, or do it very poorly.

On 12/10/2018 23:40, David Jones wrote:
> Maybe they need to start using SpamAssassin and hire some of us to do their mail filtering. :)

I think that too :D

Daniele
Re: Phishing email or no?
On 12/10/2018 23:12, Pedro David Marco wrote:
> On Friday, October 12, 2018, 10:48:21 PM GMT+2, Rupert Gallagher wrote:
>> I love outlook.com ...
> i have seen recently an Office365 Phishing campaign coming from Office365 servers... as good as it gets...

It may be already known, but O365 does some outbound spam filtering and adds some interesting headers on every email. It also uses different IP pools for outbound emails that it thinks are spam:

https://docs.microsoft.com/en-us/office365/SecurityCompliance/anti-spam-message-headers

I personally check the X-Forefront-Antispam-Report header for the string "SFV:SPM" and bump the score accordingly. Some phishing campaigns that I saw in the past and that came from O365 IP space had that header set, but it's not perfect in any way, there are many FPs, so don't just blindly trust their headers.

Daniele
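An added example of the check described above, not the poster's own rule: parse the X-Forefront-Antispam-Report header (a semicolon-separated list of KEY:VALUE pairs, per the Microsoft page linked above) and turn the SFV (spam filter verdict) field into a small score bump. The header values, the score table and the trust flag are constructed; "SPM" is the verdict the message mentions. Because any sender can add this header, the bump is only applied when the caller has separately established that the message really arrived from Microsoft's relays.

```python
"""Added example, not the poster's rule: X-Forefront-Antispam-Report
parsing and a guarded SFV score bump.  Sample headers and scores are
constructed; the header layout follows Microsoft's documentation.
"""
import email
from email import policy


def parse_forefront(value):
    """'CIP:203.0.113.5;CTRY:US;SFV:SPM;...' -> {'CIP': '203.0.113.5', ...}"""
    fields = {}
    for part in str(value).split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields


def o365_verdict(raw):
    """SFV value of the X-Forefront-Antispam-Report header, or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdr = msg.get("X-Forefront-Antispam-Report")
    return parse_forefront(hdr).get("SFV") if hdr is not None else None


# Constructed score: a nudge, not a reject; the thread reports many FPs
# among O365's own SPM verdicts.
SFV_BUMP = {"SPM": 2.0}


def score_bump(raw, from_o365_relay):
    """Points to add for Microsoft's verdict.  from_o365_relay must come
    from the receiving MTA's own view of the last external relay (assumed
    to be computed elsewhere), never from the message's headers, since a
    spammer can forge this header on mail that never touched O365."""
    if not from_o365_relay:
        return 0.0
    return SFV_BUMP.get(o365_verdict(raw) or "", 0.0)


# Constructed messages.
SPAM_VERDICT = """\
From: someone@tenant.example.com
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail.example.com;PTR:mail.example.com;CAT:SPM;DIR:INB;SFP:;
Subject: invoice

body
"""

CLEAN_VERDICT = SPAM_VERDICT.replace("SFV:SPM", "SFV:NSPM").replace("CAT:SPM", "CAT:NONE")

if __name__ == "__main__":
    print(o365_verdict(SPAM_VERDICT), score_bump(SPAM_VERDICT, True))
```

In SpamAssassin terms the equivalent is a header rule on X-Forefront-Antispam-Report matching `SFV:SPM` combined in a meta rule with whatever test establishes the O365 relay, scored low enough that it nudges rather than decides.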
Re: txrep doesn't respect txrep_ipv4_mask_len
Thanks Kevin, this did the trick!

Daniele

On 04/10/2018 14:19, Kevin A. McGrail wrote:
> Can you open a bugzilla bug, please? It sounds like you have found a bug and it needs to be tracked.
>
> 16 is the default and the only uses of self in ip_to_awl_key are for the mask length. Off the cuff, I'm thinking it's referencing the wrong hash for self and missing conf:
>
>   my $mask_len = $self->{conf}->{ipv4_mask_len};
>
> Does that work for you?
>
> regards,
> KAM
>
> On 10/4/2018 3:38 AM, Daniele Duca wrote:
>> Hi, I'm experiencing an odd behaviour while using TxRep. I have set in my local.cf "txrep_ipv4_mask_len 24", but the database is populated by /16 instead of the expected /24.
>> Digging in TxRep.pm I started using dbg() to see if it would at least read the correct value "24" from the .cf, and confirmed that, around line 528, the code
>>   $self->{txrep_ipv4_mask_len} = $value;
>> is correctly working, meaning that $value has the value of "24".
>> The problem arises around line 1727, in the following snippet:
>>   my $mask_len = $self->{txrep_ipv4_mask_len};
>>   $mask_len = 16 if !defined $mask_len;
>> In this case "$self->{txrep_ipv4_mask_len}" is empty, and the value is set to the default of "16".
>> This behaviour is consistent in nine different installations with the following specs:
>> Ubuntu 16.04.4 - SA 3.4.1 - Perl v5.22.1
>> Ubuntu 18.04.1 - SA 3.4.2 (CPAN) - Perl v5.26.1
>> Any thoughts? My perl-fu is not good enough to debug this :/
>> Thanks
>> Daniele Duca
txrep doesn't respect txrep_ipv4_mask_len
Hi,

I'm experiencing an odd behaviour while using TxRep. I have set in my local.cf "txrep_ipv4_mask_len 24", but the database is populated by /16 instead of the expected /24.

Digging in TxRep.pm I started using dbg() to see if it would at least read the correct value "24" from the .cf, and confirmed that, around line 528, the code

  $self->{txrep_ipv4_mask_len} = $value;

is correctly working, meaning that $value has the value of "24".

The problem arises around line 1727, in the following snippet:

  my $mask_len = $self->{txrep_ipv4_mask_len};
  $mask_len = 16 if !defined $mask_len;

In this case "$self->{txrep_ipv4_mask_len}" is empty, and the value is set to the default of "16".

This behaviour is consistent in nine different installations with the following specs:

Ubuntu 16.04.4 - SA 3.4.1 - Perl v5.22.1
Ubuntu 18.04.1 - SA 3.4.2 (CPAN) - Perl v5.26.1

Any thoughts? My perl-fu is not good enough to debug this :/

Thanks
Daniele Duca
sa-update and signature verification
Hello,

since updating to 3.4.2 I can't download rules from unofficial channels. The problem is that in version 3.4.1 sa-update checks the hash of the downloaded file using file.sha1, while version 3.4.2 uses file.sha256 or file.sha512. See the relevant differences in the following sa-update --help:

3.4.1:
sa-update --help
...
  --install filename    Install updates directly from this file. Signature verification will use "file.asc" and "file.sha1"
...

3.4.2:
sa-update --help
...
  --install filename    Install updates directly from this file. Signature verification will use "file.asc", "file.sha256", and "file.sha512".
...

Using the --nogpg option doesn't help, sa-update still hard-fails if it doesn't find one of the .sha(256|512) files. Reading the code in sa-update I found that even if --nogpg is specified, the signature file is still downloaded even if it's not used afterwards, and that is basically what causes the update procedure to fail.

For the moment I brutally hacked sa-update not to care about signatures when using unofficial channels, but I'd like to understand if I'm missing something obvious that doesn't require code mangling to use "old" update channels.

Thanks
Daniele Duca
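An added example, not part of the thread, for the mirror-and-install route around the problem described above: generate the file.sha256 and file.sha512 sidecars that sa-update 3.4.2 expects next to a rules tarball given with --install, and verify a tarball against them before installing. Assumption: the sidecar holds the hex digest followed by whitespace and the file name, the layout sha256sum/sha512sum print, and sa-update takes the leading hex token. Self-made digests only prove the integrity of your own mirror copy; authenticity of third-party rules still rests on the .asc GPG signature, which --nogpg disables.

```python
"""Added example, not from the thread: write and verify the .sha256/.sha512
sidecars sa-update 3.4.2 looks for.  Sidecar layout (hex digest, two
spaces, file name) is an assumption matching sha256sum output.
"""
import hashlib
import os
import re
import tempfile

ALGOS = ("sha256", "sha512")


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sidecars(path):
    """Write path.sha256 and path.sha512 beside path; return their names."""
    written = []
    for algo in ALGOS:
        side = f"{path}.{algo}"
        with open(side, "w") as fh:
            fh.write(f"{file_digest(path, algo)}  {os.path.basename(path)}\n")
        written.append(side)
    return written


def verify_sidecar(path, algo):
    """True if the leading hex token in path.<algo> matches the file."""
    try:
        with open(f"{path}.{algo}") as fh:
            m = re.match(r"\s*([0-9a-fA-F]+)", fh.read())
    except FileNotFoundError:
        return False
    return bool(m) and m.group(1).lower() == file_digest(path, algo)


def verify_all(path):
    """sa-update 3.4.2 wants both sidecars; require both to match."""
    return all(verify_sidecar(path, algo) for algo in ALGOS)


def roundtrip_demo():
    """Create a throwaway 'tarball' (constructed bytes, not a real archive),
    write sidecars, verify, tamper, verify again.
    Returns (ok_after_write, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "1234567.tar.gz")
        with open(tarball, "wb") as fh:
            fh.write(b"not really gzip data\n")
        write_sidecars(tarball)
        ok_before = verify_all(tarball)
        with open(tarball, "ab") as fh:
            fh.write(b"tampered\n")
        ok_after = verify_all(tarball)
    return ok_before, ok_after


if __name__ == "__main__":
    print(roundtrip_demo())
```

Generate the sidecars on the mirror host right after a download you trust, then point sa-update --install at the tarball; if the digests ever stop matching, the copy changed after it was mirrored.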
Re: sa-compile Error invalid pointer
Hi, it may be worth running a memtest on your system.

Daniele

On 28/09/2018 12:25, Ronny Wagner wrote:

Hello Community,

since a few days I have a problem with spamassassin. I can't start the service; I found out that when I delete some channels in directory "/var/lib/spamassassin/3.004001" the service comes up. I downloaded a test channel (/usr/bin/sa-update --nogpg --channel spamassassin.heinlein-support.de) and used /usr/bin/sa-compile, and I see a fail message. Does anyone know why?

Thank you for your help.

spamassassin: Installed: 3.4.1-6+deb9u1
perl: Installed: 5.24.1-3+deb9u4
libc6: Installed: 2.24-11+deb9u3
Debian 4.9.0-5-686-pae

Fail Message:

Sep 28 12:18:13.654 [30438] info: generic: base extraction starting. this can take a while...
Sep 28 12:18:13.654 [30438] info: generic: extracting from rules of type body_0
*** Error in `/usr/bin/perl': free(): invalid pointer: 0xb508 ***
=== Backtrace: =
/lib/i386-linux-gnu/libc.so.6(+0x6738a)[0xb757538a]
/lib/i386-linux-gnu/libc.so.6(+0x6dfc7)[0xb757bfc7]
/lib/i386-linux-gnu/libc.so.6(+0x6e806)[0xb757c806]
/usr/bin/perl(Perl_safesysfree+0x20)[0x550cf0]
/usr/bin/perl(Perl_sv_clear+0x664)[0x57d314]
/usr/bin/perl(Perl_sv_free2+0x61)[0x57d6c1]
/usr/bin/perl(+0x56799)[0x505799]
/usr/bin/perl(Perl_yylex+0x2798)[0x5094e8]
/usr/bin/perl(Perl_yyparse+0x5e4)[0x51be04]
/usr/bin/perl(+0x104cad)[0x5b3cad]
/usr/bin/perl(Perl_pp_entereval+0x3c8)[0x5bdca8]
/usr/bin/perl(Perl_runops_standard+0x17)[0x56ff67]
/usr/bin/perl(perl_run+0x33f)[0x4f37ff]
/usr/bin/perl(main+0x15e)[0x4cbb7e]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7526286]
/usr/bin/perl(+0x1cbc1)[0x4cbbc1]
=== Memory map:
004af000-006cf000 r-xp ca:02 467067 /usr/bin/perl 006cf000-006d2000 r--p 0021f000 ca:02 467067 /usr/bin/perl 006d2000-006d4000 rw-p 00222000 ca:02 467067 /usr/bin/perl 00831000-03224000 rw-p 00:00 0 [heap] b470c000-b4e98000 rw-p 00:00 0 b500-b5001000 rw-p 00:00 0 b530-b5321000 rw-p 00:00 0 b5321000-b540 ---p 00:00 0 b54a2000-b5aac000 rw-p 00:00 0 
b5aac000-b61d3000 rw-p 00:00 0 b61d7000-b65da000 r-xp ca:02 82500 /var/lib/spamassassin/compiled/5.024/3.004001/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so b65da000-b65db000 r--p 00402000 ca:02 82500 /var/lib/spamassassin/compiled/5.024/3.004001/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so b65db000-b65dc000 rw-p 00403000 ca:02 82500 /var/lib/spamassassin/compiled/5.024/3.004001/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so b65dc000-b6898000 r-xp ca:02 98396 /usr/lib/i386-linux-gnu/libmysqlclient.so.18.0.0 b6898000-b689c000 r--p 002bb000 ca:02 98396 /usr/lib/i386-linux-gnu/libmysqlclient.so.18.0.0 b689c000-b6912000 rw-p 002bf000 ca:02 98396 /usr/lib/i386-linux-gnu/libmysqlclient.so.18.0.0 b6912000-b6915000 rw-p 00:00 0 b6915000-b6a47000 rw-p 00:00 0 b6a4d000-b6a91000 rw-p 00:00 0 b6a93000-b6ab2000 r-xp ca:02 1082478 /usr/local/lib/i386-linux-gnu/perl/5.24.1/auto/Compress/Raw/Zlib/Zlib.so b6ab2000-b6ab3000 r--p 0001e000 ca:02 1082478 /usr/local/lib/i386-linux-gnu/perl/5.24.1/auto/Compress/Raw/Zlib/Zlib.so b6ab3000-b6ab4000 rw-p 0001f000 ca:02 1082478 /usr/local/lib/i386-linux-gnu/perl/5.24.1/auto/Compress/Raw/Zlib/Zlib.so b6ab4000-b6ad2000 r-xp ca:02 1082480 /usr/local/lib/i386-linux-gnu/perl/5.24.1/auto/DBD/mysql/mysql.so b6ad2000-b6ad4000 r--p 0001d000 ca:02 1082480 /usr/local/lib/i386-linux-gnu/perl/5.24.1/auto/DBD/mysql/mysql.so b6ad4000-b6ad5000 rw-p 0001f000 ca:02 1082480 /usr/local/lib/i386-linux-gnu/perl/5.24.1/auto/DBD/mysql/mysql.so b6ad5000-b6ad7000 rw-p 00:00 0 b6adb000-b6ae r-xp ca:02 221477 /usr/lib/i386-linux-gnu/perl5/5.24/auto/Term/ReadKey/ReadKey.so b6ae-b6ae1000 r--p 4000 ca:02 221477 /usr/lib/i386-linux-gnu/perl5/5.24/auto/Term/ReadKey/ReadKey.so b6ae1000-b6ae2000 rw-p 5000 ca:02 221477 /usr/lib/i386-linux-gnu/perl5/5.24/auto/Term/ReadKey/ReadKey.so b6ae2000-b6ae9000 r-xp ca:02 215116 /usr/lib/i386-linux-gnu/perl/5.24.1/auto/SDBM_File/SDBM_File.so b6ae9000-b6aea000 r--p 6000 ca:02 215116 
/usr/lib/i386-linux-gnu/perl/5.24.1/auto/SDBM_File/SDBM_File.so b6aea000-b6aeb000 rw-p 7000 ca:02 215116 /usr/lib/i386-linux-gnu/perl/5.24.1/auto/SDBM_File/SDBM_File.so b6aeb000-b6b0e000 r-xp ca:02 1082485 /usr/local/lib/i386-linux-gnu/perl/5.24.1/auto/DBI/DBI.so b6b0e000-b6b0f000 r--p 00022000 ca:02 1082485 /usr/local/lib/i386-linux-gnu/perl/5.24.1/auto/DBI/DBI.so b6b0f000-b6b1 rw-p 00023000 ca:02 1082485 /usr/local/lib/i386-linux-gnu/perl/5.24.1/auto/DBI/DBI.so b6b1-b6b29000 r-xp ca:02 98533 /lib/i386-linux-gnu/libz.so.1.2.8 b6b29000-b6b2a000 r--p 00018000 ca:02 98533 /lib/i386-linux-gnu/libz.so.1.2.8 b6b2a000-b
Re: Some notes on upgrading from 3.4.1 to 3.4.2 on CentOS 7
On 19/09/2018 19:42, Kevin A. McGrail wrote:
> auto-whitelist: sql-based get_addr_entry ign...@compiling.spamassassin.taint.org|none: SQL error: Unknown column 'last_hit' in 'order clause'

I got the same error when I drop-upgraded 3.4.1 to 3.4.2. In my case it was a conflict between txrep and awl, and I decided to comment out the loadplugin for awl and start using txrep.

Daniele
Re: Bayes overtraining
On 08/08/2018 15:04, Matus UHLAR - fantomas wrote:
> ...of last 40 mail in my spambox, 14 matches MAILING_LIST_MULTI
> ...of last 100 mail in spambox, 27 matches MAILING_LIST_MULTI
> I practically zeroed MAILING_LIST_MULTI the day it came in the ruleset.
> I mean, since there's tflag "noautolearn" designed for this, the flag "learn" should not be ignored. It's easy to put:
>   tflags BAYES_99 learn noautolearn
> but not possible to put:
>   tflags BAYES_99 learn dothefuckingautolearn

Wouldn't

  tflags BAYES_99 autolearn_force

do what you want? Or did I completely misunderstand what you meant?

Personally I'll never trust BAYES_* with autolearn_force. I saw some FPs sometimes and I fear that autolearning would quickly lead to poisoning.

Daniele
Re: stackexchange.com in URIBL (false positive?)
On 29/07/2018 09:53, Yves Goergen wrote:
> No I can't because it's a locked system. I'd need an account for that. And I'm not going to register just for saving another admin's system. So either stackexchange admins repair their entry themselves, or the blacklist operator needs a review.
> -Yves

A third option would be for you to use uridnsbl_skip_domain and not bother anymore ;)

Daniele
Bayes overtraining
Hi,

I'm evaluating incorporating CRM114 in my current setup and I was reading the FAQs about training the filter here:

http://crm114.sourceforge.net/src/FAQ.txt

What made me rethink my actual strategy were the following lines:

...
If you train in only on an error, that's close to the minimal change necessary to obtain correct behavior from the filter. If you train in something that would have been classified correctly anyway, you have now set up a prejudice (an inappropriately strong reaction) to that particular text. Now, that prejudice will make it _harder_ to re-learn correct behavior on the next piece of text that isn't right. Instead of just learning the correct behavior, we first have to unlearn the prejudice, and _then_ learn the correct behavior.
...

In my current SA setup I use bayes_auto_learn along with some custom poison pills (autolearn_force on some rules), and I'm currently wondering if over-training SA's bayes could lead to the same "prejudice" problem as CRM114. I'm thinking that maybe it would be better to use "bayes_auto_learn_on_error 1".

What is your preferred strategy? Train everything you can or train only errors?

Daniele
Re: spample: porn extortion with pure numeric From domain and base64 body
On 18/07/2018 17:08, Rupert Gallagher wrote:
> OK at a second glance I would say rejected upfront again, because its From domain is NXDOMAIN.

I interpreted the From: in the .txt as being a body header, because, as you pointed out, if it was an envelope header then the email should have never been accepted. I've been rejecting envelope NXDOMAINs for aeons and never had any complaint.

Daniele
Re: spample: porn extortion with pure numeric From domain and base64 body
On 18/07/2018 14:22, Rupert Gallagher wrote:
> At first glance I would say rejected upfront, because the client 180.252.178.204 does not have RDNS. No need for SA.

I wish I could 5xx last untrusted relays without rdns without having the company's phones melt :)

Daniele
Re: Method of setting score for a custom rule to be the required_score ?
On 28/06/2018 04:17, J Doe wrote:
> I went back to "man Mail::SpamAssassin::Conf" and can see mention of the shortcircuit plugin . . . is there more documentation (perhaps in another man or perldoc), where the shortcircuit keyword is mentioned?

I'd say a good starting point would be https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_Shortcircuit.html

Daniele
Re: Method of setting score for a custom rule to be the required_score ?
On 27/06/2018 02:15, J Doe wrote:
> Hi John,
> Ok, good to know. Is it possible with the SA grammar to have variables? I was thinking I'd have something like the following in my /etc/spamassassin/local.cf:
>   POISON_PILL = 100

Hi, I'd say that a better solution would be to use shortcircuit:

  # needs the Shortcircuit plugin loaded (see v320.pre)
  loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

  body  __BODY_TEST1  . . .
  body  __BODY_TEST2  . . .
  # a space between the rule name and the expression is required
  meta  CUSTOM_RULE1  (__BODY_TEST1 && __BODY_TEST2)
  shortcircuit CUSTOM_RULE1 spam

At least that saves computing power because other rules would not be processed once a rule is shortcircuited.

Daniele
Re: Huge spam increment in mid-May
This is my actual spam stream (orange) for the last month. I don't see increases worth noting. Maybe you can share your numbers? Do you do pre-queue rejects and maybe noted a spike there?

Daniele

On 01/06/2018 11:47, Pedro David Marco wrote:
>> Do you have any examples? I have had a quiet past 2 weeks with almost zero reports of junk by my users. So either my rules are currently tuned well to block the current spam/phishing campaigns or something. I assumed a botnet had been taken down. I usually have to deal with a few compromised accounts sending spam each week but not lately. It's been nice.
>> I would like to see some examples via pastebin to check my mail filtering logs.
>
> No David, sorry i have no samples... just "numbers" in reports...
Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot
On 18/04/2018 16:08, David Jones wrote:
> I too have been seeing a very high number of SA timeouts via MailScanner the past week and would like to know how to troubleshoot these timeouts. I have never been able to catch problem messages in the act to figure out what is causing them.

FWIW, when I had intermittent timeouts some time ago (TIME_LIMIT_EXCEEDED in my case, not sure if it's applicable here), and after losing hours with the ruletiming plugin trying to understand what was happening, it turned out to be a physical network problem between the server where SA ran and the database where AWL and Bayes resided, which resulted in random packet loss.

This is only to suggest starting from layer 1 before everything else :)

Good luck
Daniele Duca
Re: Check for valid MX of sender and rspamd testing
On 09/04/2018 20:40, Sebastian Arcus wrote:
> This might not really answer your question, but I've had really good results leaving all this to the MTA (Exim in my case). I actually go for the whole hog full callout verification - checking with the MX that the sender really exists. I know that some people are against this and say that you get blacklisted - but I've been doing this for about 8 months on 4 sites and it has worked very well. I have a local full callout verification whitelist - to skip callout verification mainly for Microsoft operated domains - which will blacklist you at the drop of a hat.

Hello Sebastian,

I'm curious about this approach. I never tried it, but, assuming that you check the MX of the envelope from domain, how do you deal with poorly-configured-but-legit VPS that use, for example, www-d...@hostname.of.the.server? I have live examples of wordpress and vbulletin installations that have non-existent envelope from mailboxes or VPS hostnames without MX records. There are also other services that actively send email in the form of "nore...@domain.com". If I understood correctly, your approach would heavily penalize these senders.

I know that in the ideal world everyone should configure their systems neatly, but unfortunately we are far from ideal conditions in real life :/

I'm happy to discuss this technique but I can't really afford the administrative overhead I would have with users complaining about rejected emails..

Daniele Duca
Re: Check for valid MX of sender and rspamd testing
On 09/04/2018 16:24, David Jones wrote:
> Been playing around with rspamd over the weekend to see how it compares and so far not that impressed. It has a few features that are interesting like the MX check but other than that it's not as impressive as the author makes it out to be on the website comparing it to SA. It claims to have better Bayes but so far I am seeing identical results after identical training.

I've been using rspamd for a few months. I wrote a dedicated plugin for amavisd-new and I use its scoring together with SA's. IMHO to reach satisfying results you have to train it a lot more than SA, but in the long run it's a nice addition. My empirical observations suggest that it gets better after at least 3000 ham and spam emails learned. It's also cool that you can train both global and per-domain bayes, very useful if you have a multitenant installation with a lot of different domains.

Daniele
Re: Extremely persistent sex/make money spam with very little text in the body
On 07/03/2018 17:32, Jakob Curdes wrote:
>> Since I get the majority of these emails in italian, I've written a meta rule that takes in account:
> Hello Duca, would you share this rule with us? I would be interested in looking at the results, as we also have lots of these messages here.
> JC

Hi, I believe my rule wouldn't be as useful for you because a part of it is related to misspelled italian words (I believe they sloppily translated from english). However, I'll drop an email to you offlist with the other relevant parts to avoid eventual spammers lurking here ;)

Daniele
Re: Extremely persistent sex/make money spam with very little text in the body
On 07/03/2018 09:52, Sebastian Arcus wrote:
> I have this one email account receiving, for more than a year, a very specific type of spam which I find very difficult to block:
> 1. The messages are all kept very short, generally below 20 words - I assume so that Bayes is less efficient at classifying them?
> 2. Although they are all invitations to sex, or making money - they are phrased differently every time and use different words - so Bayes scores are consistently low.

Hi Sebastian,

I know perfectly the type of email you are talking about, I've seen them written at least in italian, english and spanish. If you click the link you are redirected to shady dating websites or bitcoin/investment scam sites (at least in my experience).

Since I get the majority of these emails in italian, I've written a meta rule that takes into account:

- Common misspelled words/phrases
- Body lines must be < 5
- The common pattern in all the urls. Take a close look at them, there IS a pattern, not writing it here for obvious reasons :)

If all these conditions are matched the email is flagged. So far (about 6 months), no complaints.

If you have only one address that receives these emails I'd add a test to see if the recipient is that specific one for more precision.

Hope it helps
Daniele
Spammers, IPv6 addresses, and dnsbls
Hello list,

apologies if this is not directly SA related.

"Lately" I've started to notice that some (not naming names) VPS providers, when offering v6 connectivity, sometimes tend not to follow the best practice of giving a /64 to their customers, routing to them much smaller v6 subnets, while still giving them the usual /30 or /29 v4 subnets.

What is happening is that whenever a spammer buys a VPS with those providers and gets blacklisted, most of the time the dnsbls list the whole v6 /64, while still listing only the single ipv4 address. This makes some sense, as it would be enormously resource intensive to track each of the 18,446,744,073,709,551,616 addresses in the /64, but unfortunately not respecting basic v6 subnetting rules causes reputation problems also for the other customers that have the bad luck of living in the same /64 and are using their VPS as an outgoing mail server.

While I'm not judging the reasons why VPS providers are doing this type of useless v6 subnetting (micronetting?), I've started to deploy some countermeasures to avoid FPs. Specifically I wrote a rule that identifies if the last untrusted relay is a v6 address, which is then used in other meta rules that subtract some points in dnsbl tests that check the -lastexternal ip address on v6-aware lists.

I know that probably it is not the best solution, but I've started to see real FPs that worried me. I've even pondered if it could make sense to go back to v4-only connectivity for my inbound mtas.

If you are in a similar situation I would like very much to discuss what would be the best approach to balance spam detection while avoiding fps.

Regards
Daniele Duca
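An added example of the countermeasure sketched above, not the poster's rule: find the last external relay of a message, decide whether it is an IPv6 address, and compute the block a DNSBL would actually have listed (the single v4 address, or the whole v6 /64), so a -lastexternal DNSBL hit that really condemns a /64 shared by many VPS customers can be discounted. The relay list is read from SpamAssassin's X-Spam-Relays-External pseudo-header; its bracketed `[ ip=... rdns=... helo=... by=... ]` entry format and the convention that its first entry is the last external relay are taken from SA's documentation, not from this thread. The header values and score numbers are constructed.

```python
"""Added example, not the poster's rule: IPv6 /64 awareness for
-lastexternal DNSBL hits.  Header values and scores are constructed.
"""
import ipaddress
import re

ENTRY_RE = re.compile(r"\[\s*([^\]]*?)\s*\]")


def parse_relays(pseudo_header):
    """'[ ip=a rdns=b ... ] [ ip=c ... ]' -> [{'ip': 'a', 'rdns': 'b', ...}, ...]"""
    relays = []
    for m in ENTRY_RE.finditer(pseudo_header):
        entry = {}
        for token in m.group(1).split():
            key, _, value = token.partition("=")
            entry[key] = value
        relays.append(entry)
    return relays


def last_external(pseudo_header):
    """First entry = the external relay that handed the mail to our network."""
    relays = parse_relays(pseudo_header)
    return relays[0] if relays else None


def listed_block(ip):
    """The block a DNSBL typically lists for this relay: /32 for v4, /64 for v6."""
    addr = ipaddress.ip_address(ip)
    prefix = 64 if addr.version == 6 else 32
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def shares_listed_block(ip_a, ip_b):
    """True when a listing for ip_a would also cover ip_b."""
    return ipaddress.ip_address(ip_b) in listed_block(ip_a)


def adjusted_dnsbl_score(pseudo_header, hit_score, v6_discount=-1.5):
    """The poster's approach: subtract points from a -lastexternal DNSBL hit
    when the last external relay is IPv6, because the listing may belong to
    a neighbour in the same /64 (constructed values)."""
    relay = last_external(pseudo_header)
    if relay is None or not relay.get("ip") or not hit_score:
        return hit_score
    if listed_block(relay["ip"]).version == 6:
        return hit_score + v6_discount
    return hit_score


# Constructed pseudo-header values.
V6_RELAYS = ("[ ip=2001:db8:abcd:1234::25 rdns=vps25.example.net helo=vps25.example.net "
             "by=mx.example.net ident= envfrom= intl=0 id= auth= msa=0 ]")
V4_RELAYS = ("[ ip=203.0.113.25 rdns=vps25.example.net helo=vps25.example.net "
             "by=mx.example.net ident= envfrom= intl=0 id= auth= msa=0 ] "
             "[ ip=198.51.100.9 rdns=origin.example.org helo=origin by=vps25.example.net "
             "ident= envfrom= intl=0 id= auth= msa=0 ]")

if __name__ == "__main__":
    for name, hdr in (("v6", V6_RELAYS), ("v4", V4_RELAYS)):
        ip = last_external(hdr)["ip"]
        print(name, ip, listed_block(ip), adjusted_dnsbl_score(hdr, 3.0))
```

shares_listed_block is the check behind the FP worry: two VPS customers whose addresses sit in the same /64 share one DNSBL fate, while two adjacent v4 addresses do not.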
Re: Blacklist for reply-to?
On 18/02/2018 21:06, Kenneth Porter wrote:
> Is there a blacklist for domains in the reply-to header? I've noticed a lot of spam with no URL and mutating From but the reply-to domain is always aliyun dot com. I want to add a site-wide blacklist for that.

If you are willing to write a little SA plugin and possibly maintain your own dnsbl you can use something like this:

  use Email::Address;
  use Domain::PublicSuffix;
  use Data::Validate::Domain qw(is_domain);   # provides is_domain()

  sub check_email_headers {
    my ($self, $msg) = @_;           # $msg is the PerMsgStatus object
    my %headers;
    # ':addr' returns only the address part of the header
    if (defined($msg->get('Reply-To:addr'))) {
      $headers{"Reply-To"} = $msg->get('Reply-To:addr');
    }
    foreach my $header (keys %headers) {
      my @addresses = Email::Address->parse($headers{$header});
      for my $address (@addresses) {
        if (is_domain($address->host)) {
          my $parser = Domain::PublicSuffix->new();
          # domain is in $parser->get_root_domain($address->host);
          # you can now look it up on your own dnsbl, Spamhaus DBL etc..
        }
      }
    }
    return 0;
  }

I personally also check the domain in the body From, useful for example to catch legit abused accounts that have the return-path set as the abused account but the body From set differently.

Also, the "image editing" spam is almost all caught by the MSBL (https://msbl.org/), take a look at that bl and their plugin for more inspiration.

Daniele Duca
Re: Blacklist for reply-to?
On 19/02/2018 10:00, Kenneth Porter wrote:
> I have no clue what Rupert is on about. I just want something like blacklist_from that uses the reply-to header. I thought it was a simple technical question about how the config file directives map onto the actual headers. I'm not asking for site policy.

Maybe something like this?

  header REPLYTO_KILLER  Reply-To =~ /@domain\.that\.you\.want\.blacklisted/
  score  REPLYTO_KILLER  1000
Re: From:name spoofing
On 17/02/2018 00:41, John Hardin wrote:
> Not necessarily safe. If your MTA receives a message without a Message-ID, it is supposed to generate one. And if it does so, it will probably do so using your (recipient) domain...

Isn't MID creation the responsibility of the MUA and not the MTA? If every MTA generated a MID when not found in inbound emails, rules like SA's MISSING_MID would be useless.

Daniele Duca
Re: Is there a way to perform selective full uri rbl lookups?
Hello,

I do full URI dns lookups through a simple SA plugin. The core lines in the function are:

  use List::Util qw(uniq);   # uniq() needs List::Util >= 1.45

  sub check_fulluris {
    # eval rules receive the PerMsgStatus object as the second argument
    my ($self, $pms) = @_;
    my $body = $pms->{msg}->get_pristine_body();
    # non-capturing scheme, so the list contains only host names;
    # the host ends at '/', whitespace or the end of the string
    foreach my $this_url (uniq($body =~ m{https?://([^/\s]+)}g)) {
      # code to do dns lookups
    }
  }

and in the .cf:

  urirhssub TEST_FULL_URIS  mypersonal.dnsbl.  A  127.0.0.2
  body      TEST_FULL_URIS  eval:check_fulluris('TEST_FULL_URIS')

As for my personal reason for doing full hostname lookups, I find it easier to maintain a rbldnsd zone with hacked websites/landing pages of marketers than to write uri rules in the .cf each time.

Hope it helps
Daniele Duca

On 16/02/2018 22:08, jahlives wrote:
> Hi list
> I'm looking for a way in spamassassin to run a full-uri-host rbl lookup for a specific rule. I do not want to discuss the sense or non-sense of full-uri-host lookups ;-)
> Let's assume I have two rules which query my own rbl:
>   urirhssub  HIT_DOMAIN  my.rbl.tld.  A  127.0.0.2
>   body       HIT_DOMAIN  eval:check_uridnsbl('HIT_DOMAIN')
>   urifullsub HIT_FULL    my.rbl.tld.  A  127.0.0.4
>   body       HIT_FULL    eval:check_uridnsbl('HIT_FULL')
> I know urifullsub does not exist, it should just visualize what I try to achieve :-)
> Now for a uri like www.sub.domain.tld both rules should be tested. The first one for domain.tld (which sa does with rh lookups) and the second one with the full-uri-host (www.sub.domain.tld).
> I read about aux_tlds but I think this does not help me, as if I add domain.tld to aux_tlds the first query above would be fired with sub.domain.tld.
> I thought that the second query could be solved using the askdns plugin in a way like this:
>   askdns HIT_FULL _URIFULLHOST_.my.rbl.tld. A 127.0.0.4
> But how to get access to urifullhost? :-)
> Currently I use a plugin of my antispam glue to perform the full uri host lookups on uris found. This plugin adds a X-Header upon hit on which spamassassin fires and scores.
> So I have a solution to this "problem" but it would be nice to do both queries from spamassassin :-)
> Cheers
> tobi
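An added example, not the plugin from either thread, of the two kinds of name a DNSBL plugin needs to derive from a message: the registrable (root) domain of each Reply-To: and From: address, which is what Domain::PublicSuffix->get_root_domain returns in the "Blacklist for reply-to?" thread above, and the full host name of every URL in the body for a full-host zone like the one described in this thread. The public-suffix data is a tiny constructed subset (a real plugin loads the full Public Suffix List), the zone names and the sample message are constructed, and no DNS query is made.

```python
"""Added example, not from either thread: root domains of Reply-To:/From:
and full URL hosts, turned into DNSBL query names.  The suffix list is a
constructed subset; zone names and the message are constructed.
"""
import email
import re
from email import policy
from email.utils import getaddresses
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List; wildcard and exception
# rules are not modelled.
PUBLIC_SUFFIXES = {"com", "net", "org", "it", "uk", "co.uk", "org.uk", "jp", "co.jp"}


def registrable_domain(host):
    """Longest matching public suffix plus one label, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i + 1:])
        candidate = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and candidate not in PUBLIC_SUFFIXES:
            return candidate
    return None


URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)


def body_hosts(text):
    """Full host of every http(s) URL, in order, deduplicated.  urlsplit
    strips userinfo and port, so 'http://bank.example.com@evil.example.net/'
    yields evil.example.net, the host a browser would actually contact."""
    hosts = []
    for m in URL_RE.finditer(text):
        host = urlsplit(m.group(0)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def header_domains(msg):
    """{'Reply-To': [...], 'From': [...]} of registrable domains."""
    out = {}
    for name in ("Reply-To", "From"):
        values = [str(v) for v in msg.get_all(name, [])]
        for _, addr in getaddresses(values):
            if "@" in addr:
                root = registrable_domain(addr.rsplit("@", 1)[1])
                if root:
                    out.setdefault(name, []).append(root)
    return out


def lookup_names(raw, root_zone="dbl.example.invalid", host_zone="fullhost.example.invalid"):
    """DNSBL names to query: <root>.<root_zone> for header domains and URL
    roots, <host>.<host_zone> for full URL hosts.  Order kept, no dups."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = []
    for roots in header_domains(msg).values():
        names.extend(f"{r}.{root_zone}" for r in roots)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for host in body_hosts(text):
        names.append(f"{host}.{host_zone}")
        root = registrable_domain(host)
        if root:
            names.append(f"{root}.{root_zone}")
    return list(dict.fromkeys(names))


# Constructed message.
SAMPLE = """\
From: "Photo Editing" <editor@mail.example.co.uk>
Reply-To: Quotes <sales@aliyun.example.com>
To: victim@example.org
Subject: your photos
Content-Type: text/plain; charset=us-ascii

Samples: http://www.landing.example.net/edit/ and
https://secure.example.co.uk@evil.example.net:8443/login?x=1
Also http://www.landing.example.net/edit/ again.
"""

if __name__ == "__main__":
    for n in lookup_names(SAMPLE):
        print(n)
```

The two shapes answer the two threads: root domains go to a domain list (urirhssub-style), full hosts go to the full-host zone the poster maintains for hacked sites and landing pages, where the root alone would be too coarse.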
Re: ClamAV.pm question
It looks like apparmor is preventing clamav from creating its temporary files. Two solutions: disable apparmor, or fix the config file in /etc/apparmor.d/usr.sbin.clamd

Daniele

On 30/01/2018 17:50, Chris wrote:
> I'm seeing this - https://pastebin.com/86s7cVBj and I'm not sure if it's an SA issue or a ClamAV issue.
>
> apt-cache policy clamav
> clamav:
>   Installed: 0.99.3-0ubuntu1~chris+1
>   Candidate: 0.99.3-0ubuntu1~chris+1
> apt-cache policy spamassassin
> spamassassin:
>   Installed: 3.4.1-3
>   Candidate: 3.4.1-3
>
> Chris
Re: Scoring Issues
On 27/01/2018 19:29, Ralph Seichter wrote:
> I trust you are aware that you actually penalise senders which pass the SPF check if you use a greater-than-zero score? Minus signs matter. ;-)

Sure it's a "penalization", but of an order of magnitude so small that a minus, albeit more logically correct, wouldn't really matter in the grand scheme of scoring. I merely need dkim and spf rules to exist to use them in meta rules. But yes, a minus would be better :)
Re: Scoring Issues
On 27/01/2018 14:01, David Jones wrote:
> If you set those to 0, then you could be disabling many other helpful meta rules that use them. It is recommended to set them to a very small non-zero number as others have said:
>   score SPF_PASS -0.001
>   score SPF_HELO_PASS -0.001

I know, I meant to write that I score them at 0.001 (no minus sign in my case) but I'm lazy :)
Re: Scoring Issues
On 26/01/2018 23:54, David B Funk wrote:
> Regardless, giving -1 score for SPF_PASS and another -1 for SPF_HELO_PASS is nontrivial DainBRamage. It's trivial for a spammer to set up SPF on a throw-away domain and thus waltz thru that kind of filtering.

You are spot on, spammers are much more competent in setting up spf/dkim than most legit mail administrators. I personally score spf/dkim passes at 0 and only penalize the fails.

Daniele