Re: Missing rules

2014-08-08 Thread James B. Byrne

On Fri, August 8, 2014 09:14, Matus UHLAR - fantomas wrote:
> On 06.08.14 16:19, James B. Byrne wrote:
>> OS=CentOS-6.5
>> SA=3.3.1
>>
>> I ran spamassassin -D --lint and see this in the output:
>>
>> Aug  6 15:59:03.983 [4533] dbg: config: warning: score set for non-existent
>> rule RCVD_IN_MSPIKE_H4
>
> did you run sa-update?

Yes.

> Do you use sa-compile?

No.

> your rules are apparently out of sync, some define score for RCVD_IN_MSPIKE_H4
> but do not define the rules...

Which is why I asked the question.  Any rule named RCVD_IN_MSPIKE_H4 is
unlikely to have been composed by myself and no-one else has authority or
access to do so on that host.
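Matus's diagnosis (a score line whose rule is never defined) can be checked statically before reaching for --lint. The following is an added example, not code from the thread or from SpamAssassin: it walks a set of rule files given as a dict of filename to contents (standing in for the files under /etc/mail/spamassassin and the sa-update rule directory), lists every rule that is scored but never defined, and confirms the result against the "score set for non-existent rule" warnings that --lint prints. Both the rule fragments and the lint output are constructed for the illustration; the check does not replace sa-update, which is what actually brings rule definitions and scores back into step.

```python
import re
from collections import defaultdict

# Directives that define a rule a 'score' line can refer to.
RULE_DIRECTIVES = {"header", "body", "rawbody", "uri", "full", "meta", "mimeheader"}

# Constructed sample rule files: the first scores three rules, the second
# defines only one of them, so two scores are left dangling.
SAMPLE_CF = {
    "50_scores.cf": (
        "# scores that arrived with a newer rule set\n"
        "score RCVD_IN_MSPIKE_H4 -0.01\n"
        "score RCVD_IN_MSPIKE_WL -0.01\n"
        "score RAW_BLANK_LINES_05 0.5\n"
    ),
    "local.cf": (
        "rawbody RAW_BLANK_LINES_05 /(\\r?\\n){5,9}/\n"
        "describe RAW_BLANK_LINES_05 Raw body contains 5 or more consecutive empty lines\n"
    ),
}

# Constructed --lint output, in the single-line form the tool prints.
SAMPLE_LINT = (
    "Aug  6 15:59:03.983 [4533] dbg: config: warning: score set for non-existent rule RCVD_IN_MSPIKE_H4\n"
    "Aug  6 15:59:03.983 [4533] dbg: config: warning: score set for non-existent rule RCVD_IN_MSPIKE_WL\n"
    "Aug  6 15:59:04.101 [4533] dbg: config: read file /etc/mail/spamassassin/local.cf\n"
)


def parse_rule_files(files):
    """Map rule name -> files defining it, and rule name -> files scoring it."""
    defined, scored = defaultdict(list), defaultdict(list)
    for fname, text in files.items():
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):   # blank or comment line
                continue
            parts = line.split(None, 2)
            if len(parts) < 2:
                continue
            directive, rule = parts[0].lower(), parts[1]
            if directive in RULE_DIRECTIVES:
                defined[rule].append(fname)
            elif directive == "score":
                scored[rule].append(fname)
    return defined, scored


def scores_without_rules(files):
    """Rule names that carry a score but are defined in none of the files."""
    defined, scored = parse_rule_files(files)
    return sorted(r for r in scored if r not in defined)


# Tolerates the wrapped form seen in a pasted log as well as the one-line form.
LINT_WARNING = re.compile(r"score set for non-existent\s+rule\s+(\S+)")


def lint_warned_rules(lint_output):
    """Rule names named in 'score set for non-existent rule' warnings."""
    return sorted(set(LINT_WARNING.findall(lint_output)))


def cross_check(files, lint_output):
    """True when the static scan and the --lint warnings name the same rules."""
    return scores_without_rules(files) == lint_warned_rules(lint_output)


if __name__ == "__main__":
    for rule in scores_without_rules(SAMPLE_CF):
        print("score without rule:", rule)
    print("agrees with --lint:", cross_check(SAMPLE_CF, SAMPLE_LINT))
```

The static scan tells you which file carries the orphaned score; when that file came from sa-update and the definition is missing because the rule needs a newer engine, the scan confirms Kevin's explanation below that the warning is benign.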


-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



Re: Missing rules

2014-08-07 Thread James B. Byrne

On Wed, August 6, 2014 17:30, Quanah Gibson-Mount wrote:
> --On Wednesday, August 06, 2014 6:24 PM -0400 James B. Byrne
> byrn...@harte-lyne.ca wrote:
>
>> I am constrained to run the version provided by the upstream distro
>> packager (RedHat).  When they update SA then, and only then, will I get
>> the upgrade.
>
> Policies such as this show a complete lack of understanding on how to run
> production infrastructure.  RH will never update SA in RHEL6 to any new
> release.  Your best course of action is to fix your broken policy.  Failing
> that, you can try finding a distribution that ships a newer build of SA,
> but whatever that is will quickly be outdated as well.


Which explains, of course, why Linux distributions belonging to the
RedHat/CentOS/ScientificLinux/RHOS/ClearOS family are so lacking in popularity
and so seldom found in corporate environments.




Re: Missing rules

2014-08-07 Thread James B. Byrne

On Thu, August 7, 2014 15:53, Bob Proulx wrote:
> James B. Byrne wrote:
>> Quanah Gibson-Mount wrote:
>>> Policies such as this show a complete lack of understanding on how to run
>>> production infrastructure.  RH will never update SA in RHEL6 to any new
>>> release.  Your best course of action is to fix your broken policy.  Failing
>>> that, you can try finding a distribution that ships a newer build of SA,
>>> but whatever that is will quickly be outdated as well.
>>
>> Which explains, of course, why Linux distributions belonging to the
>> RedHat/CentOS/ScientificLinux/RHOS/ClearOS family are so lacking in
>> popularity and so seldom found in corporate environments.
>
> On the contrary.  My experience is that the RHEL family is extremely
> popular in corporate environments.  And it is almost never connected
> to an update network and almost never gets any updates of any sort.

Our experiences differ substantially in that respect.




Missing rules

2014-08-06 Thread James B. Byrne
OS=CentOS-6.5
SA=3.3.1

I ran spamassassin -D --lint and see this in the output:

Aug  6 15:59:03.983 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_H4
Aug  6 15:59:03.983 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_WL
Aug  6 15:59:03.983 [4533] dbg: config: warning: score set for non-existent
rule FREEMAIL_FORGED_FROMDOMAIN
Aug  6 15:59:03.983 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_L5
Aug  6 15:59:03.983 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_H3
Aug  6 15:59:03.983 [4533] dbg: config: warning: score set for non-existent
rule FSL_GEO_ABUSE
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_H2
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule FSL_YG_ABUSE
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule HEADER_FROM_DIFFERENT_DOMAINS
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_ZBI
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_L2
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule HK_NAME_MR_MRS
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule FILL_THIS_FORM_FRAUD_PHISH
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_BL
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_L4
Aug  6 15:59:03.984 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_H5
Aug  6 15:59:03.985 [4533] dbg: config: warning: score set for non-existent
rule URIBL_SBL_A
Aug  6 15:59:03.985 [4533] dbg: config: warning: score set for non-existent
rule PP_MIME_FAKE_ASCII_TEXT
Aug  6 15:59:03.985 [4533] dbg: config: warning: score set for non-existent
rule FSL_FAKE_GMAIL_RCVD
Aug  6 15:59:03.985 [4533] dbg: config: warning: score set for non-existent
rule RCVD_IN_MSPIKE_L3
Aug  6 15:59:03.985 [4533] dbg: config: warning: score set for non-existent
rule FILL_THIS_FORM_LONG
Aug  6 15:59:03.985 [4533] dbg: config: warning: score set for non-existent
rule VANITY


I do not recognise any of these as being related to something I deleted or
added to the default SA config files that ship with the distribution packages.
Does anyone have an idea as to why I have scores for non-existent rules?

What is MSPIKE?




Re: Missing rules

2014-08-06 Thread James B. Byrne

On Wed, August 6, 2014 16:27, Kevin A. McGrail wrote:

> MSPIKE = MailSpike RBL.
>
> Without checking, you are running an old version of SA and the rules are
> not valid on your installation so it's skipping them.  It's innocuous
> and by design that you are skipping those rules. Upgrading to 3.4.0
> would be recommended.
>
> Regards,
> KAM


I am constrained to run the version provided by the upstream distro packager
(RedHat).  When they update SA then, and only then, will I get the upgrade.

WRT MSPIKE I went to MailSpike (http://mailspike.org/usage.html) and read a
brief introduction to the service.  Am I to infer that one places the
suggested configuration into one's own local.cf?  If so, then how do the scores
get on my system without the associated rules?




Re: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread James B. Byrne

On Mon, June 9, 2014 15:35, Patrick Domack wrote:

> I guess what would need to be hammered out, is, the exact info wanted.
> We know age, and registrar. Though doing the registrar isn't so
> simple, as the same for just ENOM changes between tld, and even within
> a single tld (likely from the mergers they had).

My investigations of the domains used against us revealed that all of the
handful checked were between 4 and 20 hours old when first encountered by our
servers.

It would suffice, I think, to have a negative-lookup RTBL service where, if a
domain is not listed therein, then it may be considered as new, at least insofar
as mailing traffic is concerned.  The registrar and the age of the domain need
not concern us overmuch at the outset of a spam attack. What is more important
to know is whether the domain has been seen by others before and how long
before, so that the information in DOB and SEM can be considered in that light.

Lookup domains may be added as and when they are encountered albeit after some
delay and only if some threshold of volume and distinct number of enquiring
hosts is passed.  A graded approach is probably called for with one listing a
previously unseen domain only after 24 hours from the first enquiry, one only
after 48, and so on.  Of course, the domains in question need to be verified
before being added.  And other precautions are no doubt necessary to avoid
poisoning or advance loading subversion attempts.

Comments?
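The graded first-seen list sketched above, as an added example (it is not part of the thread and not an existing service): a domain is recorded on first enquiry together with the enquiring host, and it appears on the 24h, 48h or 72h list only once that much time has passed since first sight and enough distinct hosts have asked about it often enough, which is the anti-poisoning precaution the post calls for. The grade intervals, the volume and distinct-host thresholds, the host names and the timeline are all constructed for the illustration.

```python
from datetime import datetime, timedelta


class FirstSeenRegistry:
    """Records when each domain was first enquired about and by whom, and
    lists it on graded 'seen before' lists only after a grace period has
    passed and enough independent hosts have asked about it.

    Thresholds and grades are constructed for this example."""

    def __init__(self, grades_hours=(24, 48, 72), min_enquiries=3, min_hosts=2):
        self.grades_hours = tuple(sorted(grades_hours))
        self.min_enquiries = min_enquiries
        self.min_hosts = min_hosts
        self._records = {}   # domain -> {"first": datetime, "hosts": set, "count": int}

    def enquire(self, domain, host, when):
        """Register one enquiry from `host` about `domain` at time `when`."""
        rec = self._records.setdefault(domain.lower(),
                                       {"first": when, "hosts": set(), "count": 0})
        rec["first"] = min(rec["first"], when)   # tolerate out-of-order reports
        rec["hosts"].add(host)
        rec["count"] += 1

    def listed_grades(self, domain, now):
        """Grades (in hours) whose lists currently contain the domain.
        A domain reported by too few hosts, or too few times, is listed
        nowhere: one reporter cannot pre-load a throwaway domain as 'known'."""
        rec = self._records.get(domain.lower())
        if (rec is None or rec["count"] < self.min_enquiries
                or len(rec["hosts"]) < self.min_hosts):
            return ()
        age_hours = (now - rec["first"]) / timedelta(hours=1)
        return tuple(g for g in self.grades_hours if age_hours >= g)

    def classify(self, domain, now):
        """'new' when no list contains the domain, else the oldest grade that does."""
        grades = self.listed_grades(domain, now)
        return "new" if not grades else f"seen for at least {grades[-1]}h"


def run_scenario():
    """Constructed timeline: one host sees a fresh domain, a second host
    reports it later; a second domain is hammered by a single host only.
    Returns the classification at each checkpoint."""
    reg = FirstSeenRegistry()
    t0 = datetime(2014, 6, 9, 12, 0)
    fresh, loaded = "fresh-example.test", "loaded-example.test"
    out = {}
    reg.enquire(fresh, "mx1.example.test", t0)
    out["t0"] = reg.classify(fresh, t0)
    reg.enquire(fresh, "mx1.example.test", t0 + timedelta(hours=1))
    out["t0+1h"] = reg.classify(fresh, t0 + timedelta(hours=1))
    reg.enquire(fresh, "mx2.other.test", t0 + timedelta(hours=30))
    out["t0+30h"] = reg.classify(fresh, t0 + timedelta(hours=30))
    out["t0+50h"] = reg.classify(fresh, t0 + timedelta(hours=50))
    # Five enquiries from one host do not satisfy the distinct-host threshold,
    # so the domain stays 'new' no matter how much time passes.
    for _ in range(5):
        reg.enquire(loaded, "mx1.example.test", t0)
    out["single-host-100h"] = reg.classify(loaded, t0 + timedelta(hours=100))
    out["never-seen"] = reg.classify("unknown.test", t0 + timedelta(hours=50))
    return out


if __name__ == "__main__":
    for checkpoint, verdict in run_scenario().items():
        print(f"{checkpoint:>18}: {verdict}")
```

The "new" verdict is the negative lookup the post describes: absence from every list is the signal, and the grace period plus the distinct-host requirement mean a spammer's own enquiries, or a single cooperating reporter, cannot age a domain into the known set ahead of a campaign.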





Header present but MISSING_FROM triggered

2014-06-02 Thread James B. Byrne
SA 3.3.1 (CentOS-6)

MISSING_FROM rule trigger.

I am curious about the behaviour of this rule.  For example I can see this in
a recently received message:

. . .
 X-Spam-Status: No, score=-101.8 tagged_above=-999 required=2.5
 tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, BDY_DRUG=0.2, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MISSING_FROM=1.5,
 RP_MATCHES_RCVD=-0.5, USER_IN_WHITELIST=-100] autolearn=no

. . . -- much DKIM related stuff here including signature --

 Received: from 216.185.71.69
 (SquirrelMail authenticated user byrnejc)
 by webmail.harte-lyne.ca with HTTP;
 Mon, 2 Jun 2014 10:59:07 -0400
 Message-ID: 6f60bcdbaaa72e02b4633a40eb76a68e.squir...@webmail.harte-lyne.ca
 Date: Mon, 2 Jun 2014 10:59:07 -0400
 Subject: PKTA01453294 Guardian Drug PU#655787
 From: James Byrne (Exports) byrn...@harte-lyne.ca
 To: . . .

As far as I can tell this message has a From: header.  Does MISSING_FROM test
for something else?  I cannot tell what it does since all of the explanations
seem to have been removed from https://spamassassin.apache.org/tests.html.




Re: Header present but MISSING_FROM triggered

2014-06-02 Thread James B. Byrne
Headers of test message (no webmail involved in this transmission as far as I
can tell):

Return-Path: prvs=02119b6eb7=x...@international.gc.ca
Authentication-Results: inet08.hamilton.harte-lyne.ca (amavisd-new);
domainkeys=pass (1024-bit key)
header.from=x...@international.gc.ca
header.d=international.gc.ca
Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id 2EVW_2VhtCBf; Wed, 14 May 2014 14:04:46 -0400 (EDT)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
client-ip=198.103.104.106; helo=mail5.international.gc.ca;
envelope-from=prvs=02119b6eb7=x...@international.gc.ca;
receiver=byrn...@harte-lyne.ca
Received: from Mail5.international.gc.ca (mail5.international.gc.ca
[198.103.104.106])
by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP;
Wed, 14 May 2014 14:04:44 -0400 (EDT)
DomainKey-Signature: a=rsa-sha1; s=mail5; d=international.gc.ca; q=dns; 
c=simple;
h=From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID:References:In-Reply-To:Accept-Language:Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator:x-dm-mail-id:Content-Type:Content-Transfer-Encoding:MIME-Version:X-EXCLAIMER-MD-CONFIG;
b=lmAaCU5cd3SdRnGlpBpyNt/pO5t65+QhE2zcJJBRvp9D4rO78i1dp9+wg/oOO6RvJaiZAZoWFZhVJoo0GCQZaucJgSug8H80Prz4z9FCNIFzhISQadNUReGZBrEydgd6Tyi/FxnVSx/bceK93HDdvse7dxgWCyvpXVrctosiYjI=;
From: x...@international.gc.ca
To: byrn...@harte-lyne.ca
CC: a...@harte-lyne.ca
Subject: RE: EICS certificate recovery
Thread-Topic: EICS certificate recovery
Thread-Index: Ac9uHpqtIVvvPHvpQ9Sp07Y8FHGkPAAIbYmAAAhCWwD//8jEgP/9TqzA
Date: Wed, 14 May 2014 18:04:42 +
Message-ID:
39c0fbcc920fda4bb1208833fba2a40717e10...@lbp-dmexm12.d.r.dfait-maeci.gc.ca
References:
39c0fbcc920fda4bb1208833fba2a40717e0e...@lbp-dmexm12.d.r.dfait-maeci.gc.ca
46cfa1e36d960040526940409f112354.squir...@webmail.harte-lyne.ca
39c0fbcc920fda4bb1208833fba2a40717e0e...@lbp-dmexm12.d.r.dfait-maeci.gc.ca
2cca7f6f63a57864994d8786f5066939.squir...@webmail.harte-lyne.ca
In-Reply-To: 2cca7f6f63a57864994d8786f5066939.squir...@webmail.harte-lyne.ca
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-dm-mail-id: E87C2A5-A5F3-4435-AE91-A09EC7AF621D
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: 170369b0-b740-4e85-860b-ed9d5c4fb69a
Received-SPF: none



Results:


spamassassin -D -L < local.test
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
inet08.hamilton.harte-lyne.ca
X-Spam-Flag: YES
X-Spam-Status: Yes, score=5.5 required=4.5 tests=BAYES_00,MISSING_DATE,
MISSING_FROM,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,
TVD_RCVD_SPACE_BRACKET,UNPARSEABLE_RELAY autolearn=no version=3.3.1
X-Spam-DCC: :
X-Spam-Level: *
X-Spam-Pyzor:
X-Spam-Report:
*  0.0 TVD_RCVD_SPACE_BRACKET TVD_RCVD_SPACE_BRACKET
*  1.2 MISSING_HEADERS Missing To: header
* -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
*  [score: 0.]
*  1.2 MISSING_MID Missing Message-Id: header
*  1.3 MISSING_SUBJECT Missing Subject: header
*  1.5 MISSING_FROM Missing From: header
*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay 
lines
*  1.8 MISSING_DATE Missing Date: header
;

I do not know why this is happening.  Is there some switch I am supposed to
pass spamassassin when I use it on a message text file?




Header present but MISSING_FROM triggered

2014-06-02 Thread James B. Byrne
I am unable to get spamassassin to recognise headers in any email message that
I pass to it from the command line.  I have tried the -t and the -D switches
and the result is the same.  This happens whether or not the original message
had a missing header message added by SA and whether or not I cut out the SA
headers from the messages that I pass to it on the command line.

Has anyone else run into this?





Header present but MISSING_FROM triggered

2014-06-02 Thread James B. Byrne
I am a digest subscriber so I am getting the replies to my postings from the
mail archives web page.  Apologies for the resultant disjointedness.

This comment put me on the right track:

On: Mon, 02 Jun 2014 17:09:01 GMT, John Hardin jhar...@impsec.org wrote:
> Your message headers are badly damaged, or there is a blank line
> at the beginning of the message as passed to SA.

I was copying the problem messages from SquirrelMail's 'display message
details' option, which I discover is not quite the same thing as copying the
original message file from the mail store.  However, getting messages from a
cyrus imap mail store housed on a remote server is not the easiest thing in
the world so I was hoping for a shortcut.  Ah well, live and learn.

So, now that I am passing the proper file format spamassassin -t is working as
I expected for the test messages I am generating.

However, returning to the original message that prompted this enquiry I have
pasted the original message headers extracted from the actual email message
file at:

http://pastebin.com/QitggvSS

This message had, as far as I can tell, a valid From: header and it passed
through Spamassassin via Amavisd directly from Postfix.  Nonetheless, it has a
MISSING_FROM tag.

Thank you for your assistance.  Any further help in explaining this situation
to me is most welcome.




Re: Blank line rules

2014-05-26 Thread James B. Byrne

On Thu, May 22, 2014 17:50, Karsten Bräckelmann wrote:

> There's another issue with your approach of different rules matching up
> to n occurrences and more than n. The first will always match in
> addition, if the latter matches.
>
> If the desired behavior is mutually exclusive matching, you need meta
> rules actually encoding the math / logic.


The rules are meant to 'stack'.  The scores need adjusting to suit but the
effect is intentional. Whether or not it makes sense I will discover once I
get it working.  Which apparently is not going to happen any time soon.

On a related note, what is the difference between 'body' and 'rawbody' rules?





Enom strikes back?

2014-05-26 Thread James B. Byrne

I checked the whois of several domains that I recorded hitting us with spam
last week.  I reported this to the registrar, Enom, Inc.

As of today all the domains that I checked had their owner changed to N4S
GROUP COMMUNICATION (N4SGROUPCOMM.COM). So it seems something caused a change
at Enom.  However, N4SGROUPCOMM.COM, when visited, runs JavaScript that
eventually redirects one to a site that is blocked by Mozilla as a web
forgery.  It is also listed as untrustworthy by WOT.  That site's true
ownership is masked by a Go Daddy service called DOMAINSBYPROXY.COM.  However,
the domain N4SGROUPCOMM.COM is 'privacy protected' by our friends at moniker,
the same people that 'protected' the identity of the original registered
owner, VVSDATABASEREL.COM.

I was at a loss to explain this.  On the one hand the original owner has been
changed since my complaint; whether coincidentally or not.  On the other the
site owner has been changed to an even more unsavoury entity.

From following the contact information I discovered that some of the domains
used in the spam attack last week redirect one to
http://www.whoisprivacyprotect.com which WOT lists as a known malware watering
hole.  WOT also has comments stating that whoisprivacyprotect.com is a
subsidiary of Enom itself.  This, as it turns out, is correct as shown at
http://www.enom.com/privacy-protection/ which advertises the fact.

Regardless of Enom's purported size, what does this say about the registrar's
ethics and the domains it hosts?  Should such companies and their clients be
boycotted and thereby coerced into dealing with these frauds?




RE: SPAM from a registrar

2014-05-23 Thread James B. Byrne
While the number of messages getting through has dropped off to near zero this
morning I nonetheless took the time to look into registrars with respect to
SPAM and found this interesting web site:  http://rss.uribl.com/nic/

As of this morning the top domain registrars with respect to spam origin are
these:

Top 100 Registrars with Blacklisted Domains for last 5 days

Rank  Registrar                                                    Listed  Active  Percent
1     ENOM, INC.                                                     3335    7403   45.05%
2     GO DADDY SOFTWARE, INC.                                        1326   12718   10.43%
3     GMO INTERNET, INC. D/B/A ONAMAE.COM AND DISCOUNT-DOMAIN.COM    1080    1692   63.83%
4     REGRU-REG-RIPN                                                  592    1515   39.08%
5     PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM                         456    1660   27.47%
6     OVH                                                             321    1710   18.77%
7     MONIKER ONLINE SERVICES, INC.                                   233     488   47.75%
. . .

If I read this correctly then one out of every two recently active Enom
registered domains is engaged in SPAM activities.  What I cannot tell is
whether the total number of active domains refers to recent registrations (5
days old) or number of domains registered with Enom that have evidenced some
Internet activity as measured by some indeterminate means.

I also note that the 'Privacy' service for the spam site owner contact
registered at Enom is Moniker. Who also has a one out of two ratio of spam
domains to total active domains.

If this information is accurate then it seems to me on the basis of the
evidence that it is entirely reasonable to block email from domains registered
with either Enom or Moniker; and GMO Internet looks like a good candidate as
well.

Comments?




Blank line rules

2014-05-22 Thread James B. Byrne
I am clearly missing something with these rules but I lack the experience to
see what it is:

score RAW_BLANK_LINES_05 0.5
rawbody RAW_BLANK_LINES_05 /(\r?\n){5,9}/i
describe RAW_BLANK_LINES_05 Raw body contains 5 or more consecutive empty lines
score RAW_BLANK_LINES_10 1.0
rawbody RAW_BLANK_LINES_10 /(\r?\n){10,24}/i
describe RAW_BLANK_LINES_10 Raw body contains 10 or more consecutive empty lines
score RAW_BLANK_LINES_15 1.5
rawbody RAW_BLANK_LINES_15 /(\r?\n){25}/
describe RAW_BLANK_LINES_15 Raw body contains 25 or more consecutive empty lines

I created a test file that consisted of nought but newlines (shown as $
characters using vim set list).

I passed it to spamassassin from the command line with the above rules in
/etc/mail/spamassassin/local.cf and nothing was reported.  I used an actual
message body from a spam message received and only the RAW_BLANK_LINES_05 test
is tripped even though the body of that message has 18 consecutive blank
lines, also consisting of nothing but \n characters.

So what is it about the regexp I am using that I evidently do not understand?
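The three patterns can be exercised outside SpamAssassin against a body constructed like the one described (18 consecutive empty lines) and against a file of nothing but newlines. This is an added example, not code from the thread: it evaluates the unchanged patterns once against the whole raw body and once against the body one line at a time. The per-line mode is an assumption about how an engine might hand text to a rawbody rule, not something the thread establishes. It also counts empty lines explicitly, which exposes the off-by-one between "N consecutive empty lines" and the N+1 newline characters the regex needs.

```python
import re

# The three rawbody patterns from the post, unchanged (Perl and Python agree
# on this syntax; the /i flag is irrelevant to a newline-only pattern).
RULES = {
    "RAW_BLANK_LINES_05": re.compile(r"(\r?\n){5,9}"),
    "RAW_BLANK_LINES_10": re.compile(r"(\r?\n){10,24}"),
    "RAW_BLANK_LINES_15": re.compile(r"(\r?\n){25}"),
}

# Constructed bodies: a short message followed by 18 empty lines and trailing
# gibberish, and a file of nothing but 30 newlines.
BODY_18_BLANK = "Hello, real text here.\n" + "\n" * 18 + "poison words poison words\n"
BODY_ONLY_NEWLINES = "\n" * 30


def hits_whole_text(raw_body):
    """Rules that fire when each pattern sees the whole raw body at once."""
    return sorted(name for name, rx in RULES.items() if rx.search(raw_body))


def hits_per_line(raw_body):
    """Rules that fire when each pattern is handed one line at a time.
    Assumption for the example: a line-oriented matcher sees at most one
    newline per chunk, so no chunk can ever contain a run of five."""
    chunks = raw_body.splitlines(keepends=True)
    return sorted(name for name, rx in RULES.items()
                  if any(rx.search(chunk) for chunk in chunks))


def max_blank_run(raw_body):
    """Longest run of consecutive empty lines, counted line by line. This is
    what the rule descriptions talk about; N empty lines are N+1 newline
    characters once the newline ending the line before them is counted."""
    best = run = 0
    for line in raw_body.splitlines():
        if line.strip():
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


if __name__ == "__main__":
    for label, body in (("18 blank lines", BODY_18_BLANK),
                        ("only newlines", BODY_ONLY_NEWLINES)):
        print(label, "| whole text:", hits_whole_text(body),
              "| per line:", hits_per_line(body),
              "| longest empty run:", max_blank_run(body))
```

Against the whole body the patterns behave as the stacking intends (the 18-line body trips both the 5 and 10 rules; the 30-newline file trips all three), and in per-line mode nothing fires at all. So before adjusting the regex, establish which of these two texts the engine actually hands a rawbody rule; if it is the latter, the explicit counter is the shape the check has to take, and counting empty lines rather than newline characters also removes the off-by-one.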




It is a bit difficult to post to this list

2014-05-16 Thread James B. Byrne
I included the results of a find on URIBL_RHS_DOB together with the dig report
on a newly registered spam domain and an extract from the whois report.  All
of which was to show that the domain was registered today and that the DOB
service did not appear to have it listed as new.  This is what I get in
response:

users@spamassassin.apache.org: host mx1.us.apache.org[140.211.11.136] said:
552 spam score (10.9) exceeded threshold

(SPF_HELO_PASS,SPF_PASS,SPOOF_COM2OTH,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL
(in reply to end of DATA command)

Basically, my question is whether or not the Day Old Bread service is only
available by paid subscription?  If it is not, then how long is the window
between registration and inclusion in the RBL?




RE: SPAM from a registrar

2014-05-16 Thread James B. Byrne

On Thu, May 15, 2014 09:08, David Jones wrote:
> We use the fresh15.spameatingmonkey.net RBL.
>
> http://spameatingmonkey.com/lists.html



I checked three domain names used by the spam messages received yesterday.
All of the domains were registered yesterday as well.  None of them report as
being in any of the fresh lists at spameatingmonkey.com.  Nor are they listed
in DOB at support-intelligence.net.  I have to wonder how soon after creation
new domains are added to the fresh lists.  Over 20% of the coverage period is
already over for fresh.spameatingmonkey.net and I suspect that the domain used
yesterday has already been abandoned.  At least we are getting the exact same
messages today from a bunch of different domains all registered with the same
registrar: enom.com.

At this point I would be willing to implement a rule to block all domains
registered with that registrar and be done with it.  Is there a spamassassin
whois plug-in that can parse and check the registrar and the domain creation
date?




Re: SPAM from a registrar

2014-05-16 Thread James B. Byrne

On Fri, May 16, 2014 15:50, Kevin A. McGrail wrote:

> Enom is a big registrar and in fact owns the registrar I use
> (BulkRegister).  I'm surprised they are having an issue.  I'll try and
> reach out to them if you can give me a list of some of the domains you
> are seeing problems with spam.
>
> Regards,
> KAM


Other than the domain names and the registration date they are all identical
to this and there are dozens registered every day.

Domain Name: EYESUBELL.COM
Registry Domain ID: NA
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-05-16 12:41:15Z
Creation Date: 2014-05-16 19:41:00Z
Registrar Registration Expiration Date: 2015-05-16 19:41:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: ab...@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: ADMIN NOC
Registrant Organization: -
Registrant Street: 515 OAKLANE
Registrant City: MCPHERSON
Registrant State/Province: KS
Registrant Postal Code: 67460
Registrant Country: US
Registrant Phone: +1.1115463768
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ad...@vvsdatabaserel.com
Registry Admin ID:
Admin Name: ADMIN NOC
Admin Organization: -
Admin Street: 515 OAKLANE
Admin City: MCPHERSON
Admin State/Province: KS
Admin Postal Code: 67460
Admin Country: US
Admin Phone: +1.1115463768
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: ad...@vvsdatabaserel.com
Registry Tech ID:
Tech Name: ADMIN NOC
Tech Organization: -
Tech Street: 515 OAKLANE
Tech City: MCPHERSON
Tech State/Province: KS
Tech Postal Code: 67460
Tech Country: US
Tech Phone: +1.1115463768
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: ad...@vvsdatabaserel.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-05-16 12:41:15Z


Whoever this is they have been doing this using the same address since at
least 2014.  I found this one by googling the address:


Domain Name: ELMVETSHEEP.COM
Registry Domain ID: 1847263901_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-04-23 08:30:14Z
Creation Date: 2014-02-19 16:41:00Z
Registrar Registration Expiration Date: 2015-02-19 16:41:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: ab...@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: ADMIN NOC
Registrant Organization: -
Registrant Street: 515 OAKLANE
Registrant City: MCPHERSON
Registrant State/Province: KS
Registrant Postal Code: 67460
Registrant Country: US
Registrant Phone: +1.1115463768
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ad...@vvsdatabaserel.com


The domain VVSDATABASEREL.COM is hosted in Denver Co but the contact and mail
service are hidden by:

Moniker Privacy Services vvsdatabaserel@monikerprivacy.net
Moniker Privacy Services
1800 SW 1st Avenue
Suite 440
Portland
OR
97201
US
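A small parser for the WHOIS format quoted above, as an added example answering the earlier question about checking registrar and creation date (it is not a SpamAssassin plugin and not code from the thread): it reads the Key: value lines, computes the domain's age in hours against a supplied clock, and maps the age to a score through a constructed ladder. The record excerpt is taken from the EYESUBELL.COM entry above; the clock value and the score thresholds are assumptions for the illustration. A live WHOIS query per message would be slow and subject to the servers' rate limits, so anything of this kind belongs behind a cache or, as David Jones suggested earlier in the thread, a DNS-based fresh-domain list.

```python
import re
from datetime import datetime, timezone

# Excerpt of the first WHOIS record quoted above (values as given there).
WHOIS_EYESUBELL = """\
Domain Name: EYESUBELL.COM
Registrar WHOIS Server: whois.enom.com
Updated Date: 2014-05-16 12:41:15Z
Creation Date: 2014-05-16 19:41:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registry Registrant ID:
Registrant Email: ad...@vvsdatabaserel.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
DNSSEC: unSigned
"""

# Constructed clock: six hours after the creation date in the record.
EXAMPLE_NOW = datetime(2014, 5, 17, 1, 41, 0, tzinfo=timezone.utc)

# Constructed score ladder: (age limit in hours, score while younger than it).
AGE_STEPS = ((24, 3.0), (72, 1.5), (168, 0.5))

# Key up to the first colon, then the value; keys may contain spaces.
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 /_-]*?):\s*(.*)$")


def parse_whois(text):
    """'Key: value' lines into a dict; a repeated key (Name Server) becomes a list."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def parse_whois_time(value):
    """Accept '2014-05-16 19:41:00Z' or the ISO 'T' form; return an aware UTC time."""
    value = value.strip().replace("T", " ").rstrip("Z")
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def domain_age_hours(fields, now):
    created = parse_whois_time(fields["Creation Date"])
    return (now - created).total_seconds() / 3600.0


def age_score(age_hours, steps=AGE_STEPS):
    """Younger domains score higher; beyond the last step the score is zero."""
    for limit, score in steps:
        if age_hours < limit:
            return score
    return 0.0


def assess(whois_text, now):
    """Registrar, IANA id, age and score for one WHOIS record."""
    fields = parse_whois(whois_text)
    age = domain_age_hours(fields, now)
    return {
        "domain": fields.get("Domain Name"),
        "registrar": fields.get("Registrar"),
        "iana_id": fields.get("Registrar IANA ID"),
        "age_hours": round(age, 2),
        "score": age_score(age),
    }


if __name__ == "__main__":
    print(assess(WHOIS_EYESUBELL, EXAMPLE_NOW))
```

Keying on the registrar's IANA id rather than its display name avoids the name variations Patrick Domack mentions across TLDs; the age, not the registrar, is the signal that actually distinguishes a disposable domain from a long-standing customer of the same registrar.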






SPAM from a registrar

2014-05-15 Thread James B. Byrne
This AM we received (and are continuing to receive) numerous spam messages
from multiple domains that were all registered today (2014-05-14) with a
company called enom, inc.  This firm is also the registrar for the mail
server domain BOSJAW.com that is sending some if not all of the UCEM.  That
server is hosted in CZ.

It seems likely that this is a planned UCEM campaign designed to use
disposable domains, probably registered with stolen credit cards or some other
form of fraud, in order to escape blacklisting services.  No doubt by tomorrow
they will be abandoned.

Is there any test to check how long a domain name has been in existence and
set a spam score with that information?

Along the same lines, is there any test to determine the country of origin of
the IP address in the last hop before it connects to our servers?





Bayes refinement

2014-05-15 Thread James B. Byrne
Is there any way to limit Bayes content checking to only the first X
characters of the message body?  I ask this because it is clear that the spam
messages getting through contain text meant to poison the tests but this
gibberish always trails the main message and is separated by a large white
space in most cases.





Are messages bypassing Spamassassin checks? Why?

2014-05-11 Thread James B. Byrne
-Version: 2.1.15
Precedence: list
Reply-To: nore...@cibc.net
List-Id: alert_aossystems.com.aossystems.com
List-Unsubscribe:
http://aossystems.com/mailman/options/alert_aossystems.com,
 mailto:alert-requ...@aossystems.com?subject=unsubscribe
List-Archive: http://aossystems.com/pipermail/alert_aossystems.com/
List-Post: mailto:al...@aossystems.com
List-Help: mailto:alert-requ...@aossystems.com?subject=help
List-Subscribe: http://aossystems.com/mailman/listinfo/alert_aossystems.com,
 mailto:alert-requ...@aossystems.com?subject=subscribe
Errors-To: alert-boun...@aossystems.com
Sender: Alert alert-boun...@aossystems.com
X-OutGoing-Spam-Status: No, score=-0.3
X-AntiAbuse: This header was added to track abuse, please include it with any
abuse report
X-AntiAbuse: Primary Hostname - sof.softech.in
X-AntiAbuse: Original Domain - harte-lyne.ca
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - aossystems.com
X-Get-Message-Sender-Via: sof.softech.in: acl_c_authenticated_local_user:
mailman/mailman
X-Source:
X-Source-Args:
X-Source-Dir:

This message is attempting to pass itself off as being from the Canadian
Imperial Bank of Canada (CIBC). As you can see there are no spam headers from
our site in the delivered message.

However, if I save this message to a text file and run it through spamassassin
manually on the same host that the original message came through then this is
what I see:

spamassassin < spam-test.txt
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
inet08.hamilton.harte-lyne.ca
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.3 required=4.5 tests=BDY_PRES,MISSING_DATE,
MISSING_FROM,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,
NO_RECEIVED,NO_RELAYS,SPOOF_COM2COM autolearn=no version=3.3.1
X-Spam-Report:
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
*  1.2 MISSING_HEADERS Missing To: header
*  0.2 BDY_PRES BODY: Body contains pres
*  1.6 SPOOF_COM2COM URI: URI contains .com in middle and end
*  0.1 MISSING_MID Missing Message-Id: header
*  1.8 MISSING_SUBJECT Missing Subject: header
*  1.0 MISSING_FROM Missing From: header
* -0.0 NO_RECEIVED Informational: message has no Received headers *  1.4
MISSING_DATE Missing Date: header
*  0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822 *
headers
X-Spam-DCC: :
X-Spam-Level: ***
X-Spam-Pyzor: Reported 0 times.

RFC822 Message body
Return-Path: alert-boun...@aossystems.com
Received: from inet07.hamilton.harte-lyne.ca ([unix socket])
	by inet07.hamilton.harte-lyne.ca (Cyrus v2.3.16-Fedora-RPM-2.3.16-6.el6_2.5)
	with LMTPA;
	Fri, 09 May 2014 20:19:26 -0400
X-Sieve: CMU Sieve 2.3
Received: from inet08.hamilton.harte-lyne.ca (inet08.hamilton.harte-lyne.ca
	[216.185.71.28])
	by inet07.hamilton.harte-lyne.ca (Postfix) with ESMTP id 280278B2C6
	for byrnej...@harte-lyne.ca; Fri, 9 May 2014 20:19:26 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
	by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id DC99E60EF3
	for byrnej...@harte-lyne.ca; Fri, 9 May 2014 20:19:25 -0400 (EDT)
. . .

So, can some kind soul tell me what is going on here?  Why is this message
getting through?  Is this an artefact of messages passing through the SPF
policy milter then being reinjected from localhost [127.0.0.1]?  How do we
handle this?

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3
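
Added example for the situation in the post above (not the poster's code and
not part of SpamAssassin): a small header audit in Python. It answers the three
questions an admin would ask of such a message. Does it carry an
X-Spam-Checker-Version header naming one of our own hosts? A verdict header
supplied by the sender, such as the X-OutGoing-Spam-Status above, is untrusted
input, not evidence of scanning. What does the Received chain look like, and
where is the localhost [127.0.0.1] reinjection hop? And does a saved copy of
the message actually begin with a header block? The manual run above lists
Return-Path and the Received headers under "RFC822 Message body" and fires
MISSING_FROM, NO_RECEIVED and NO_HEADERS_MESSAGE, which is consistent with a
file whose headers were taken for body text (a leading blank line does that).
The hostnames, relay IP and queue ids in the constructed sample are the ones
quoted above; the addresses are placeholders, since the post's are elided in
the archive, and the domain suffix passed to audit() is an assumption.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the Received chain quoted in the post.
# Hostnames, the relay IP and the queue ids are the ones shown there; the
# addresses are placeholders (the post's are elided in the archive).
SAMPLE_UNSCANNED = """\
Return-Path: <alert-bounces@example.com>
Received: from inet07.hamilton.harte-lyne.ca ([unix socket])
    by inet07.hamilton.harte-lyne.ca (Cyrus v2.3.16) with LMTPA;
    Fri, 09 May 2014 20:19:26 -0400
Received: from inet08.hamilton.harte-lyne.ca (inet08.hamilton.harte-lyne.ca [216.185.71.28])
    by inet07.hamilton.harte-lyne.ca (Postfix) with ESMTP id 280278B2C6
    for <recipient@example.com>; Fri, 9 May 2014 20:19:26 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id DC99E60EF3
    for <recipient@example.com>; Fri, 9 May 2014 20:19:25 -0400 (EDT)
Precedence: list
Sender: Alert <alert-bounces@example.com>
X-OutGoing-Spam-Status: No, score=-0.3

(body)
"""

# RFC 5322 field name: printable US-ASCII except ':' followed by a colon.
HEADER_LINE_RE = re.compile(r"^[!-9;-~]+:")
# "from <host> (<comment>) by <host>", applied after folding whitespace is collapsed.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")


def starts_with_header_block(raw):
    """False when the text does not begin with a header line (e.g. a leading
    blank line). A parser then treats every header as body text, which is what
    MISSING_FROM/NO_RECEIVED/NO_HEADERS_MESSAGE on a saved message point to."""
    first = raw.split("\n", 1)[0]
    return bool(HEADER_LINE_RE.match(first))


def received_hops(msg):
    """Received headers, newest first, reduced to from/comment/by."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append({"from": m["from"], "info": m["info"] or "", "by": m["by"]})
    return hops


def audit(raw, our_domain):
    """Was this message stamped by OUR SpamAssassin, and where did it enter?"""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    # Only a checker header naming one of our hosts counts as a local verdict.
    scanned_locally = any(
        name.lower() == "x-spam-checker-version" and our_domain in value
        for name, value in msg.items()
    )
    # Verdict headers added elsewhere (here the sender's X-OutGoing-Spam-Status)
    # are untrusted input, not evidence that the message was scanned.
    foreign = [n for n in msg.keys()
               if "spam" in n.lower() and not n.lower().startswith("x-spam-")]
    # A hop from 127.0.0.1 marks reinjection by a local filter or milter; the
    # scanner has to sit on the path that ends at the mailbox, not before it.
    reinject = [h["by"] for h in hops
                if h["from"] == "localhost" or "127.0.0.1" in h["info"]]
    return {
        "header_block_ok": starts_with_header_block(raw),
        "scanned_locally": scanned_locally,
        "hops": hops,
        "localhost_reinject": reinject,
        "foreign_spam_headers": foreign,
    }


if __name__ == "__main__":
    for label, text in (("as delivered", SAMPLE_UNSCANNED),
                        ("saved with a leading blank line", "\n" + SAMPLE_UNSCANNED)):
        r = audit(text, "harte-lyne.ca")
        print(label, {k: v for k, v in r.items() if k != "hops"})
        for h in r["hops"]:
            print("  ", h["from"], "->", h["by"])
```

Run against the delivered copy, the audit reports no local X-Spam-Checker-Version,
three hops, and a reinjection hop from localhost into inet08; run against the same
text with a blank first line, it reports no header block and no hops at all,
which is the shape of the manual spamassassin output in the post.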



Problems in local.cf

2013-09-19 Thread James B. Byrne
Following some prior update to SpamAssassin, these messages now appear in the
maillog file:

Sep 19 12:37:11.053 [27093] warn: netset: cannot include 127.0.0.1/32 as it has already been included
Sep 19 12:37:11.056 [27093] info: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: auto_whitelist_factor 1
Sep 19 12:37:11.056 [27093] info: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: num_check_received 10


local.cf contains these directives:
. . .
trusted_networks   10.0.0.0/8
trusted_networks   127.0.0.1/32
trusted_networks   192.168.0.0/16
. . .
auto_whitelist_factor 1
num_check_received 10
. . .


Are these directives deprecated?  What misconfiguration is causing the
warnings to appear?

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3
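
Added example, not from the post and not part of SpamAssassin: a triage script
for maillog warnings like the ones quoted above. "failed to parse line" is
SpamAssassin's generic message for a directive it does not recognise in the
running configuration (removed, misspelt, or belonging to a plugin that is not
loaded). The script maps each such message back to the local.cf line carrying
that keyword, pairs the netset warning with the trusted_networks entry it names,
and flags trusted_networks entries that are subnets of one another. The sample
config is the excerpt from the post plus one extra line, 10.1.0.0/16, constructed
here to exercise the overlap check; only CIDR notation is handled. The reply that
explained the warnings is not on this page, so the script locates rather than
explains.

```python
import ipaddress
import re

# Constructed sample: the local.cf excerpt quoted in the post, plus one extra
# trusted_networks line (10.1.0.0/16) added here to show overlap detection.
LOCAL_CF = """\
trusted_networks   10.0.0.0/8
trusted_networks   127.0.0.1/32
trusted_networks   192.168.0.0/16
trusted_networks   10.1.0.0/16
auto_whitelist_factor 1
num_check_received 10
"""

# The three maillog lines quoted in the post, unwrapped.
MAILLOG = """\
Sep 19 12:37:11.053 [27093] warn: netset: cannot include 127.0.0.1/32 as it has already been included
Sep 19 12:37:11.056 [27093] info: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: auto_whitelist_factor 1
Sep 19 12:37:11.056 [27093] info: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: num_check_received 10
"""

PARSE_FAIL_RE = re.compile(r"failed to parse line, skipping, in (?P<path>\S+): (?P<directive>.+)$")
NETSET_RE = re.compile(r"netset: cannot include (?P<net>\S+) as it has already been included")


def parse_config(text):
    """(lineno, keyword, argument) for each non-blank, non-comment line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        entries.append((lineno, parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def trusted_network_overlaps(entries):
    """Pairs of trusted_networks entries where one contains the other.
    Only CIDR notation is parsed here; other spellings are skipped."""
    nets = []
    for lineno, key, value in entries:
        if key != "trusted_networks":
            continue
        try:
            nets.append((lineno, ipaddress.ip_network(value, strict=False)))
        except ValueError:
            continue
    overlaps = []
    for i, (l1, a) in enumerate(nets):
        for l2, b in nets[i + 1:]:
            if a.version == b.version and (a.subnet_of(b) or b.subnet_of(a)):
                overlaps.append((l1, str(a), l2, str(b)))
    return overlaps


def triage(config_text, log_text):
    """Map each warning back to the config line that produced it."""
    entries = parse_config(config_text)
    unparsed, netset = [], []
    for line in log_text.splitlines():
        m = PARSE_FAIL_RE.search(line)
        if m:
            keyword = m["directive"].split()[0]
            unparsed.append((keyword, [n for n, k, _ in entries if k == keyword]))
            continue
        m = NETSET_RE.search(line)
        if m:
            netset.append((m["net"], [n for n, k, v in entries
                                      if k == "trusted_networks" and v == m["net"]]))
    return {"unparsed": unparsed, "netset_dupes": netset,
            "overlaps": trusted_network_overlaps(entries)}


if __name__ == "__main__":
    report = triage(LOCAL_CF, MAILLOG)
    for keyword, lines in report["unparsed"]:
        print(f"unrecognised directive {keyword!r} at local.cf line(s) {lines}")
    for net, lines in report["netset_dupes"]:
        print(f"{net} reported as already included; configured at line(s) {lines}")
    for l1, a, l2, b in report["overlaps"]:
        print(f"line {l1} ({a}) overlaps line {l2} ({b})")
```

On the sample the two unparsed directives resolve to lines 5 and 6, the netset
warning to line 2, and the constructed 10.1.0.0/16 entry is reported as lying
inside 10.0.0.0/8 on line 1.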



Re: Problems in local.cf

2013-09-19 Thread James B. Byrne

On Thu, September 19, 2013 15:11, Karsten Bräckelmann wrote:

A most informative and interesting explanation.

Thank you very much for taking the time to explain this to me.  We presently
run SpamAssassin 3.3.1-2.el6 on our CentOS-6.4 based Postfix MX as part of the
Amavis-new package obtained from the EPEL repository.  The present local.cf
was inherited from our previous CentOS-5.x Sendmail/MailScanner MX server,
which in turn inherited it from its predecessor, whose particulars I no longer
recall.  However, we have been using SA at least since the early 2000s and no
doubt we have just been keeping the local config file since then.

I have made your suggested modifications to local.cf.  Thank you again for
your assistance.

Regards,

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3