Re: Assistance with rule

2023-04-28 Thread Joey J
I haven't written many of these with Meta, but wanted to make sure how this
works.
If the meta FROM_TEST from FROM_TEST_EMAIL && FROM_TEST_IP is false, does
that mean the next line's score will not be added/executed?
In my mind, I feel like (top-down logic) the score will happen all the
time.

Also, does this look like the right idea?

Thanks!!

header FROM_TEST_EMAIL From =~ /user@test\.com/i
header FROM_TEST_IP Received =~ /from 1\.2\.3\.4/i
meta FROM_TEST from FROM_TEST_EMAIL && FROM_TEST_IP
score FROM_TEST -1.0

On Fri, Apr 28, 2023 at 11:48 AM Matus UHLAR - fantomas 
wrote:

> On 28.04.23 11:04, Joey J wrote:
> >I have this rule which I thought looked good, but doesn't seem to ever
> kick
> >in.
>
> >header FROM_TEST_IP_AND_EMAIL From =~ /sender@sender\.com/i && Received
> =~ /from 138\.193\.30\.7/
>
> >I was hoping to find the senders email address, then if it's found, see
> the
> >sending IP, if that matches gives a negative score.
> >
> >Is there a better way?
> >
> >Also is there some kind of rule tester you can use where you put a rule,
> >put some headers and see what it evaluates?
>
> you must create two separate rules and a meta rule for that.
>
> I also recommend using X-Spam-Relays-Trusted pre-parsed pseudo-header:
>
> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> You have the right to remain silent. Anything you say will be misquoted,
> then used against you.
>


-- 
Thanks!
Joey
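
As an added illustration (not SpamAssassin's own code, and not from the thread), the toy evaluator below models how a score line relates to its rule: a rule contributes its score only when it hits, and a meta rule is evaluated after the rules it names, so the `score FROM_TEST -1.0` line never applies when the `&&` is false. It also shows a side effect of the rules exactly as posted: in SpamAssassin a rule with no score line defaults to 1.0 (0.01 for names starting with T_), so FROM_TEST_EMAIL and FROM_TEST_IP each add +1.0 when they hit and the net effect is +1.0 rather than -1.0; naming the building blocks with a leading double underscore makes them unscored sub-rules. The sample message and hostnames are constructed, and the Received pattern is adapted to the bracketed-IP form Postfix writes.

```python
"""Toy model of how SpamAssassin turns header rules, a meta rule and score
lines into a total.  Added example, not SpamAssassin's own code; it covers
only the 'header', 'meta' and 'score' keywords used in the post."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: header From: is user@test.com and the outer Received
# hop (Postfix style "from host (host [ip])") came from 1.2.3.4.
SAMPLE_MSG = """Received: from mail.test.com (mail.test.com [1.2.3.4])
\tby mgw.example.org (Postfix) with ESMTPS id 1270980A01
Received: from [192.168.1.20] by mail.test.com with ESMTPSA
From: "Test User" <user@test.com>
To: someone@example.org
Subject: invoice

body
"""
OTHER_IP_MSG = SAMPLE_MSG.replace("[1.2.3.4]", "[203.0.113.9]")

# The rules as posted (only the IP pattern is adapted to the bracketed form
# Postfix writes).  Every rule without a score line scores 1.0 by default.
RULES_AS_POSTED = r"""
header FROM_TEST_EMAIL From =~ /user@test\.com/i
header FROM_TEST_IP Received =~ /\[1\.2\.3\.4\]/
meta FROM_TEST FROM_TEST_EMAIL && FROM_TEST_IP
score FROM_TEST -1.0
"""
# Same logic with the building blocks named as __ sub-rules, which SA never
# scores or reports; only the meta rule contributes.
RULES_WITH_SUBRULES = r"""
header __FROM_TEST_EMAIL From =~ /user@test\.com/i
header __FROM_TEST_IP Received =~ /\[1\.2\.3\.4\]/
meta FROM_TEST __FROM_TEST_EMAIL && __FROM_TEST_IP
score FROM_TEST -1.0
"""


def parse_rules(cf: str):
    """Parse the header/meta/score subset of .cf syntax into three dicts."""
    header_rules, meta_rules, scores = {}, {}, {}
    for line in cf.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        keyword, name, rest = parts
        if keyword == "header":
            m = re.fullmatch(r"(\S+)\s*=~\s*/(.*)/([a-z]*)", rest)
            hdr, pattern, flags = m.groups()
            header_rules[name] = (hdr, re.compile(pattern, re.I if "i" in flags else 0))
        elif keyword == "meta":
            meta_rules[name] = rest
        elif keyword == "score":
            scores[name] = float(rest)
    return header_rules, meta_rules, scores


def header_value(msg, spec: str) -> str:
    """'From' gives the raw header; 'From:addr' only the address part.
    Repeated headers such as Received are joined, so the regex sees all hops."""
    name, _, modifier = spec.partition(":")
    values = msg.get_all(name, [])
    if modifier == "addr":
        values = [parseaddr(v)[1] for v in values]
    return "\n".join(values)


def default_score(name: str) -> float:
    """SA defaults for rules that have no score line."""
    return 0.01 if name.startswith("T_") else 1.0


def evaluate(cf: str, raw_msg: str):
    """Return (total, {rule: score applied}) for one message."""
    header_rules, meta_rules, scores = parse_rules(cf)
    msg = message_from_string(raw_msg)
    hits = {}
    for name, (hdr, rx) in header_rules.items():
        hits[name] = bool(rx.search(header_value(msg, hdr)))
    # Meta rules run after their sub-rules; && || ! map onto Python operators.
    # The token check keeps eval() limited to rule names and boolean operators.
    for name, expr in meta_rules.items():
        if not re.fullmatch(r"[\w\s&|!()]+", expr):
            raise ValueError(f"unsupported meta expression: {expr}")
        py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
        hits[name] = bool(eval(py, {"__builtins__": {}}, dict(hits)))
    applied = {}
    for name, hit in hits.items():
        # A score line is attached to a rule name and is only added when that
        # rule hit.  __ sub-rules never contribute, whatever score line exists.
        if not hit or name.startswith("__"):
            continue
        applied[name] = scores.get(name, default_score(name))
    return sum(applied.values()), applied


if __name__ == "__main__":
    for label, cf in (("as posted", RULES_AS_POSTED), ("with __ sub-rules", RULES_WITH_SUBRULES)):
        total, applied = evaluate(cf, SAMPLE_MSG)
        print(f"{label}: total={total:+.1f} hits={applied}")
```

A raw Received regex matches any hop in the message, including ones the sender's own servers wrote, which is why the pre-parsed relay pseudo-headers Matus points to are the safer place to test an IP.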


Re: FROM_RETURNPATH_MISMATCH

2023-04-28 Thread Joey J
Thank you all.

Someone internally must have seen that rule and added it, I think I'm going
to pull it out as it has way too many false positives.
I took the assumption (we know) that it was one of the base rules.

On Fri, Apr 28, 2023 at 11:43 AM Matus UHLAR - fantomas 
wrote:

> On 28.04.23 10:58, Joey J wrote:
> >I'm trying to understand why SA keeps scoring this rule, when the sender
> >only has their from address, no reply to etc, nothing helping me to
> >understand why.
> >
> >I'm guessing here, but this would be where the reply to differs from the
> >from?
> >
> >Any assistance appreciated.
>
> I don't see FROM_RETURNPATH_MISMATCH in spamassassin rules, perhaps you
> fetched it from 3rd
> party source?
>
> maybe from here:
>
>
> https://www.lexo.ch/blog/2018/07/solved-spf-setting-does-not-apply-to-return-path-causing-more-spam-and-phishing-e-mails-spamassassin-postfix/
>
> however, that is quite complicated regex and quite possibly wrong.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Despite the cost of living, have you noticed how popular it remains?
>


-- 
Thanks!
Joey


Assistance with rule

2023-04-28 Thread Joey J
Hello all,

I have this rule which I thought looked good, but doesn't seem to ever kick
in.
header FROM_TEST_IP_AND_EMAIL From =~ /sender@sender\.com/i && Received =~ /from 138\.193\.30\.7/
score FROM_TEST_IP_AND_EMAIL -8.0

I was hoping to find the senders email address, then if it's found, see the
sending IP, if that matches gives a negative score.

Is there a better way?

Also is there some kind of rule tester you can use where you put a rule,
put some headers and see what it evaluates?


-- 
Thanks!
Joey


FROM_RETURNPATH_MISMATCH

2023-04-28 Thread Joey J
Hello All,

I'm trying to understand why SA keeps scoring this rule, when the sender
only has their from address, no reply to etc, nothing helping me to
understand why.

I'm guessing here, but this would be where the reply to differs from the
from?

Any assistance appreciated.

-- 
Thanks!
Joey


Re: Rule Help - not sure what is wrong with my syntax

2023-01-13 Thread Joey J
Thanks to everyone's suggestions.

I will try to respond to everyone in this 1 message:

This was intended for people who get both filtering inbound and outbound
from the mail gateway.
At times certain legit content gets flagged on the way OUT, so this was to
try and add a little negative score, so it would say, OK, we know we send
this guy, let's say the word million etc.
We didn't want to simply whitelist the TO address, because in theory if
computers get hacked, they could potentially send out malicious
attachments/links etc., so we want to allow something that scores a very
high score, we won't allow that to go out, but if it's a moderate score,
make sure it doesn't get rejected.

In respect to Henrik K, I tried using the rule but SA with lint didn't like
the evaluation of the header you suggested.
I was able to try it a little different and got this to work, should anyone
else want to use it:

header TO_SPECIFIC_DOMAIN To:addr =~ /\@(test\.com|test\.net)$/
describe TO_SPECIFIC_DOMAIN Mail sent to test.com or test.net email addresses
score TO_SPECIFIC_DOMAIN -2.0

*As always, thank you to everyone who helps support this list!*

On Thu, Jan 12, 2023 at 9:57 PM John Hardin  wrote:

> On Thu, 12 Jan 2023, John Hardin wrote:
>
> > On Thu, 12 Jan 2023, Martin Gregorie wrote:
> >
> >>  On Wed, 2023-01-11 at 18:39 -0500, Joey J wrote:
> >>>  Hello All,
> >>>
> >>>  I created this rule to check for email addresses matching a list to
> >>>  get
> >>>  added some negative value.
> >>>  I also tried it with just domains so it would be more efficient, but I
> >>>  can't seem to get them to run.
> >>>  Any suggestions?
> >>
> >>  Use a database to store addresses you accept mail from. Apart from the
> >>  database, you'll need a Perl module to let SA look up addresses in the
> >>  database.
> >
> > Simpler as it involves no new coding: a local DNS server and a DNSBL
> lookup
> > rule with a negative score. There are instructions for setting such up
> for
> > local blacklists, that works equally well for a local whitelist.
>
> Ah, whoops. I had it in my head that emailBL had been implemented. Never
> mind!
>
>
> --
>   John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
>   jhar...@impsec.org pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>The difference is that Unix has had thirty years of technical
>types demanding basic functionality of it. And the Macintosh has
>had fifteen years of interface fascist users shaping its progress.
>Windows has the hairpin turns of the Microsoft marketing machine
>and that's all.-- Red Drag Diva
> ---
>   5 days until Benjamin Franklin's 317th Birthday
>


-- 
Thanks!
Joey


Rule Help - not sure what is wrong with my syntax

2023-01-11 Thread Joey J
Hello All,

I created this rule to check for email addresses matching a list to get
added some negative value.
I also tried it with just domains so it would be more efficient, but I
can't seem to get them to run.
Any suggestions?

header TO_SPECIFIC_EMAIL eval:check_to_specific_email()
describe TO_SPECIFIC_EMAIL Mail to a specific email address

score TO_SPECIFIC_EMAIL -2

sub check_to_specific_email {
    my ($self) = @_;
    my $to = lc($self->get('To:addr'));
    my $list_of_address = qr/us...@example.com|us...@example.com|us...@example.com/;
    if ($to =~ $list_of_address) {
        return 1;
    }
    return 0;
}




This version was to simply check for the domain matches, but can't seem to
get it to work


header TO_SPECIFIC_DOMAIN eval:check_to_specific_domain()
describe TO_SPECIFIC_DOMAIN Mail to specific email domain

score TO_SPECIFIC_DOMAIN -2

sub check_to_specific_domain {
    my ($self) = @_;
    my $to = lc($self->get('To:addr'));
    if ($to =~ /\@example1\.com$|\@example2\.com$|\@example3\.com$/) {
        return 1;
    }
    return 0;
}






-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-23 Thread Joey J
Hello All,

This is the best I can grab header wise, Names/IP's have changed here to
protect privacy.
Know the following:
The senders real server (1.2.3.4), (1.2.3.4 is the SPF match) sends the
mail to the gateway, and the gateway blocked it as shown.
Yes, legit going to paypal.

Based on your response, will assist in making the best choice.

Thanks everyone!


Dec 19 19:39:42 mgw postfix/smtpd[1070732]: connect from Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: Anonymous TLS connection established from Sender.MailServer.com[1.2.3.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: client=Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: message-id=<mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com>
Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01: from=, size=673334, nrcpt=1 (queue active)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail message-id=<mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com>#012
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: notify  (rule: Block outgoing Spam, 342C580C8D)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: block mail to  (rule: Block outgoing Spam)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: processing time: 5.04 seconds (4.186, 0.664, 0)
Dec 19 19:39:47 mgw postfix/lmtp[1070520]: 1270980A01: to=<recipi...@paypal.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=5.2, delays=0.06/0/0.05/5.1, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (A760963A1044E2E16D))
Dec 19 19:39:47 mgw postfix/qmgr[5368]: 1270980A01: removed




On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas 
wrote:

> On 21.12.22 15:48, Joey J wrote:
> >Thank you for pointing me in the better direction.
> >Since not many people are typing these types of email , I could do the one
> >off rule and it would be manageable.
> >But in better seeing the welcomelist_from_spf option, I think this will be
> >my first try.
>
> welcomelist_auth does the same as welcomelist_from_spf and
> welcomelist_from_dkim
> both.
>
> Note that SPF is related to envelope from address and if it's different
> from
> header From:, it won't help you much.
>
> You haven't provided example of mail (headers) we are talking about.
> Without it, we can only guess what your problem really is and what the
> solution should be.
>
>
> >On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:
> >> The other thing that should be done for j...@company.com is that
> >> company.com should sign their mail with DKIM, and then you can
> >>
> >>   welcomelist_from_dkim *@company.com
> >>
> >> I find that many companies I deal with that produce semi-spammy mail
> >> (most big companies :-) have DKIM signatures and I can welcomelist on
> >> that, without welcomelisting forgeries.
> >>
> >> You can of course use _rcvd for the IP address.  DKIM is just nicer if
> >> you can get them to do it.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> 2B|!2B, that's a question!
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-21 Thread Joey J
Kris & Greg,

Thank you for pointing me in the better direction.
Since not many people are typing these types of email , I could do the one
off rule and it would be manageable.
But in better seeing the welcomelist_from_spf option, I think this will be
my first try.

I appreciate all of your points and it makes us all better evaluate what we
are doing and consider efficiency and effectiveness.

Thanks!!

On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:

> The other thing that should be done for j...@company.com is that
> company.com should sign their mail with DKIM, and then you can
>
>   welcomelist_from_dkim *@company.com
>
> I find that many companies I deal with that produce semi-spammy mail
> (most big companies :-) have DKIM signatures and I can welcomelist on
> that, without welcomelisting forgeries.
>
> You can of course use _rcvd for the IP address.  DKIM is just nicer if
> you can get them to do it.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-21 Thread Joey J
Thanks Everyone.
Within all of the responses, I will try to reply here.
1. The legit sender will talk about big numbers because of the real things
he is involved with so big numbers is still a valid method to score, just
not in this case.
2. The SPF record is set to fail on no match, however this does not
automatically say, ok it's the approved source everything is ok, let them
spam out, SA will still score content, and simply not score for bad SPF.
3. The goal is to say for user j...@company.com, if we can confirm the
source is their mail server IP, then let's add some negative value, let's say
-2, to allow messages that might be scored such as the above #1 because they
are legit.

Unless there is something I'm missing, I'm not sure how to better explain
it.
Yes, I can provide the full headers, but I thought the spam info was enough
to provide the SA aspect of the scoring.

This is why I thought of the extra rule based on email address and IP
combo, almost confirming it's legit, to add to the negative score.



On Wed, Dec 21, 2022 at 1:12 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-12-21 at 12:02:27 UTC-0500 (Wed, 21 Dec 2022 18:02:27 +0100)
> Matus UHLAR - fantomas 
> is rumored to have said:
> [...]>
> > On 21.12.22 11:19, Henrik K wrote:
> >> It will pass welcomelist_auth, since there is SPF_PASS, which you
> missed:
> >>
> >> SPF_PASS   -0.001 SPF: sender matches SPF record
> >
> > I understood KAM_DMARC_STATUS as failing SPF alignment.
>
>KAM_DMARC_STATUS  0.01  Test Rule for DKIM or SPF Failure with Strict
> Alignment
>
> Note that 'or' is not 'and' in that description. The message in question
> had a bad DKIM signature.
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-20 Thread Joey J
Thanks to Bill and Matus for your responses.

Basically, the client is talking about real money transactions, airplanes,
paypal etc, but he is a legit sender with these often flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 times,
there are more of the buzz words that SA looks at based on rules.

We can't whitelist j...@company.com because of course everyone pretending to
be him will more than likely get whitelisted and you know the rest.
This is why I thought if user j...@company.com from ip 1.2.3.4 condition
would allow me to add some negative score to get over the total flagging it
as spam.

You guys would know better than I as to which would be the best method, I
like scoring it some and going to -100.

Within the reject to the user it had the following:

Spam detection results:  3

ClamAVHeuristics          3      ClamAV heuristic test: Phishing.Email.SpoofedDomain (clamav)
AWL                      -0.969  Adjusted score from AWL reputation of From: address
BAYES_00                 -1.9    Bayes spam probability is 0 to 1%
BIGNUM_EMAILS_MANY        2.999  Lots of email addresses/leads, over and over
DKIM_INVALID              0.1    DKIM or DK signature exists, but is not valid
DKIM_SIGNED               0.1    Message has a DKIM or DK signature, not necessarily valid
HTML_FONT_LOW_CONTRAST    0.001  HTML font color similar or identical to background
HTML_MESSAGE              0.001  HTML included in message
KAM_DMARC_STATUS          0.01   Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE             0.001  SPF: HELO does not publish an SPF Record
SPF_PASS                 -0.001  SPF: sender matches SPF record
T_FILL_THIS_FORM_SHORT    0.01   Fill in a short form with personal information
URIBL_BLOCKED             0.001  ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block



On Tue, Dec 20, 2022 at 6:14 AM Matus UHLAR - fantomas 
wrote:

> On 19.12.22 20:05, Joey J wrote:
> >I'm trying to see if there is a "best way" to provide negative scoring for
> >a certain persons email.
> >As an example if j...@company.com is communicating with paypal or other
> real
> >banking institutions, then at times within the email chain, SA will tag it
> >as spam.
>
> do you have an example?
>
> >I want to see if there is if email is from j...@company.com AND is from IP
> >address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> >those legitimate types of messages through.
>
> there are techniques like SPF and DKIM to authenticate e-mail.
> In such case you should be able to "welcomelist_auth j...@company.com"
> without
> providing outgoing mailserver IP
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-19 Thread Joey J
Actually, what would be the format, in respect to header for that rule?
so
header welcomelist_from_rcvd   j...@company.com [1.2.3.4]

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:

>
> Joey J  writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring
> for
> > a certain persons email.
>
> That's easy.  There are many ways, but not best way.
>
> > As an example if j...@company.com is communicating with paypal or other
> real
> > banking institutions, then at times within the email chain, SA will tag
> it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if there is if email is from j...@company.com AND is from
> IP
> > address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example on how to accomplish this dual criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd   j...@company.com [1.2.3.4]
>
> should work, but -100.  It would be nice if welcomelist_* could take a
> score, but it you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-19 Thread Joey J
Thanks,
So welcomelist_from_rcvd j...@company.com [1.2.3.4]
Is saying if it's received from j...@company.com and the IP combination?
And then simply score it
 welcomelist_from_rcvd score -2
I will try that thank you!

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:

>
> Joey J  writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring
> for
> > a certain persons email.
>
> That's easy.  There are many ways, but not best way.
>
> > As an example if j...@company.com is communicating with paypal or other
> real
> > banking institutions, then at times within the email chain, SA will tag
> it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if there is if email is from j...@company.com AND is from
> IP
> > address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example on how to accomplish this dual criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd   j...@company.com [1.2.3.4]
>
> should work, but -100.  It would be nice if welcomelist_* could take a
> score, but it you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


-- 
Thanks!
Joey


Whitelist or add negative values for score

2022-12-19 Thread Joey J
Hello All,

I'm trying to see if there is a "best way" to provide negative scoring for
a certain persons email.
As an example if j...@company.com is communicating with paypal or other real
banking institutions, then at times within the email chain, SA will tag it
as spam.

I want to see if there is if email is from j...@company.com AND is from IP
address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
those legitimate types of messages through.
I couldn't find an example on how to accomplish this dual criteria check.
Any assistance is appreciated.

-- 
Thanks!
Joey


How to incorporate network blocks

2022-11-10 Thread Joey J
Hello All,

I'm trying to see if there is a way to incorporate network ranges into SA
to essentially flag messages.

I know I can use iptables and reject it before getting to SA, but in some
cases we would have legit email get flagged within these bigger blocks.

I'm trying to incorporate:
feeds.dshield.org/block.txt
spamhaus.org/drop/drop.lasso
ciarmy.com/list/ci-badguys.txt
openbl.org/lists/base.txt

Thanks!

-- 
Thanks!
Joey
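
An added example (not SpamAssassin code and not from the list) of the matching side of this: parse two of the list formats, Spamhaus DROP `cidr ; SBL-id` lines and DShield's tab-separated `start end prefixlen ...` block.txt (both excerpts are constructed and the formats are as assumed here), index the networks by prefix length, and return a per-list score for a connecting IP instead of a hard reject, so a legitimate sender inside a large block only gets points rather than a drop. The list weights are hypothetical.

```python
"""Score a connecting IP against locally mirrored network block lists instead
of rejecting it in iptables.  Added example, not SpamAssassin code; the list
excerpts are constructed and the two file formats are as assumed here."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Spamhaus DROP style: "<cidr> ; <SBL reference>", ';' starts a comment.
DROP_SAMPLE = """; Spamhaus DROP List (constructed excerpt)
203.0.113.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""
# DShield block.txt style (assumed): '#' comments, then tab-separated
# start, end, prefix length, attack count, name, country, abuse contact.
DSHIELD_SAMPLE = """#   DShield block list (constructed excerpt)
#   start\tend\tprefix\tattacks\tname\tcountry\temail
192.0.2.0\t192.0.2.255\t24\t1234\tExample-Net\tXX\tabuse@example.net
"""
# Hypothetical per-list weights; the list name doubles as the rule name reported.
LIST_SCORES = {"SPAMHAUS_DROP": 4.0, "DSHIELD_BLOCK": 2.0}


def parse_cidr_list(text: str) -> List[ipaddress.IPv4Network]:
    """'cidr ; comment' lines; blank lines and ;/# comments are ignored."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_dshield_list(text: str) -> List[ipaddress.IPv4Network]:
    """'start<TAB>end<TAB>prefixlen<TAB>...' lines; '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, _end, prefix = line.split("\t")[:3]
        nets.append(ipaddress.ip_network(f"{start}/{prefix}", strict=False))
    return nets


class BlockLists:
    """Networks indexed per list by prefix length, so a lookup costs one set
    probe per distinct prefix length rather than a scan of every entry."""

    def __init__(self, lists: Dict[str, List[ipaddress.IPv4Network]]):
        self.index: Dict[str, Dict[int, Set[ipaddress.IPv4Address]]] = {}
        for name, nets in lists.items():
            by_len = self.index.setdefault(name, {})
            for net in nets:
                by_len.setdefault(net.prefixlen, set()).add(net.network_address)

    def lookup(self, ip: str) -> List[str]:
        """Names of every list that contains ip."""
        addr = ipaddress.ip_address(ip)
        hits = []
        for name, by_len in self.index.items():
            for plen, bases in by_len.items():
                supernet = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
                if supernet.network_address in bases:
                    hits.append(name)
                    break
        return hits


def build_blocklists() -> BlockLists:
    """Load the constructed excerpts; in production read the downloaded files."""
    return BlockLists({
        "SPAMHAUS_DROP": parse_cidr_list(DROP_SAMPLE),
        "DSHIELD_BLOCK": parse_dshield_list(DSHIELD_SAMPLE),
    })


def score_ip(ip: str, lists: BlockLists) -> Tuple[float, List[str]]:
    """Points to add for ip and the lists that matched; 0.0 when clean."""
    hits = lists.lookup(ip)
    return sum(LIST_SCORES.get(h, 0.0) for h in hits), hits


if __name__ == "__main__":
    bl = build_blocklists()
    for probe in ("203.0.113.77", "198.51.100.200", "192.0.2.1", "8.8.8.8"):
        print(probe, score_ip(probe, bl))
```

To feed this into SpamAssassin proper you would either call it from a plugin eval rule on the last external relay IP, or serve the ranges from a local DNS zone and use a check_rbl rule, which is the approach John Hardin suggests for a local list in the "Rule Help" thread.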


Re: Block IP's for certain domains based on list

2022-07-22 Thread Joey J
Most of the users servers I'm referring to are on the other side of our
mail gateway, so we know where they are sending from (through our gateway)
but when the client's domain is used on an inbound message, we would be
able to simply reject, knowing it's not the users servers sending it.

I agree don't re-invent, but some clients have many providers that send
email on their behalf making it more complicated.

On Fri, Jul 22, 2022 at 10:08 AM Reindl Harald 
wrote:

>
>
> Am 21.07.22 um 22:58 schrieb Joey J:
> > Hello,
> >
> > Is there a way for me to block mail that claims its from a certain
> > domain, based on my own valid ip address list?
> >
> > Example:
> >
> > myserver.com - IP address 1.2.3.4
> > If a messages comes in from any server other than 1.2.3.4 for domain
> > myserver.com reject it?
>
> SPF
>
> > I know SPF/DKIM/DMARC would also help here, but trying to almost make my
> > own ACL
>
> why reinvent the wheel?
>
> such lists go outdated over time and are only asking for trouble
>


-- 
Thanks!
Joey


Block IP's for certain domains based on list

2022-07-21 Thread Joey J
Hello,

Is there a way for me to block mail that claims its from a certain domain,
based on my own valid ip address list?

Example:

myserver.com - IP address 1.2.3.4
If a messages comes in from any server other than 1.2.3.4 for domain
myserver.com reject it?

I know SPF/DKIM/DMARC would also help here, but trying to almost make my
own ACL.

Thanks

-- 
Thanks!
Joey


Re: RBL via SpamAssassin configuration

2022-06-28 Thread Joey J
Hello All, not sure where I'm going wrong.

in my custom.cf I have
#RBL's
header RCVD_IN_ZENSPAMHAUS eval:check_rbl('zenspamhaus-lastexternal', 'zen.spamhaus.org.')
describe RCVD_IN_ZENSPAMHAUS Relay is listed in zen.spamhaus.org
tflags RCVD_IN_ZENSPAMHAUS net
score RCVD_IN_ZENSPAMHAUS 5.0

if I query DNS, I get the expected answer from local caching:
dig +short TXT 2.0.0.127.zen.spamhaus.org
"https://www.spamhaus.org/sbl/query/SBL2"
"https://www.spamhaus.org/query/ip/127.0.0.2"

When I send a test message using the Spamhaus Blocklist Tester
<https://blt.spamhaus.com/>,
it goes through, and upon inspection of the email headers neither the rule
name nor its points show up anywhere.
I must be missing something.
Any suggestions?

Thanks


On Tue, Jun 28, 2022 at 5:28 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-06-28 at 14:38:16 UTC-0400 (Tue, 28 Jun 2022 14:38:16 -0400)
> Joey J 
> is rumored to have said:
>
> > Hello All,
> >
> > In trying to setup RBL's with SA, I wanted to make sure the proper way
> > to
> > do it.
> > I have seen some samples like this
> > header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal',
> > 'b.barracudacentral.org.')
> > describe RCVD_IN_BARRACUDACEN Relay is listed in
> > b.barracudacentral.org
> > tflags RCVD_IN_BARRACUDACEN net
> > score RCVD_IN_BARRACUDACEN 4.0
>
> That looks right. Definitive documentation can be had with 'perldoc
> Mail::SpamAssassin::Plugin::DNSEval' and 'perldoc
> Mail::SpamAssassin::Conf'
>
> > Is this actually going out and doing a DNS query or reading from the
> > header
> > of the message?
>
> It does both...
>
> SA analyzes the Received headers in a message to find relevant SMTP
> handoffs, with relevant settings in trusted_networks, internal_networks,
> and msa_networks. For DNSBLs, typically the "last external" Received
> header is the key: the latest one written by a trusted machine,
> documenting a handoff from a machine which is not in any of those
> special sets. It tests the IP address of that last external machine to
> handle the message. DNSEval looks up that IP address in the DNSBL.
>
> > I think I want to actually do the DNS query and I will cache locally
> > to
> > avoid issues and increase performance.
>
> The proper way to do this is to run a local caching recursive resolver
> (e.g. Unbound or BIND, NOT dnsmasq) on the same machine as the MTA and
> use that for all DNS lookups. Using more distant DNS servers can result
> in latency delays and using forwarding of any sort will cause blocking
> by DNSBL services. Any DNS server that filters or modifies responses to
> 'protect' user personal computers is unfit for use with email.
>
> > Also if someone has a list of these rules, that they use and could
> > share
> > that would be great.
>
> There are many in the standard ruleset. I think we do a reasonably good
> job of curating them, and they should all be safe to use as designed.
> Note that some DNSBLs are explicitly NOT intended for use on a mail
> server that accepts initial submission from end users.
>
> > The last part of my question is, here we score and then based on
> > scoring
> > the next part can either quarantine the message or deliver it, but is
> > there
> > a way from SA to simply say reject it right there?
> > (I think the answer is no, it simply scores it, but wanted to be sure)
>
> SpamAssassin itself has no capacity to handle the disposition of email.
> It only scores messages and reports those scores to whatever tool is
> using it.
>
> Hence, if you are accepting or quarantining mail based on a SA score,
> there's Something Else making that disposition decision. It might be a
> milter (MIMEDefang, MailMunge, spamass-milter, or amavisd-milter,) or a
> Postfix content_filter script or a SMTP proxy (many amavisd systems) or
> an Exim config stanza (not sure if that's an 'acl' or a 'router' in Exim
> jargon.)   It is that 'glue' between the MTA and SA which implements the
> handling decision for scored messages.
>
> Generally it is a good idea to reject messages that you are not going to
> deliver. As a backstop for false positives rejection alerts the sender
> to the problem, in contrast to the silent death of quarantining.
> Quarantining (or worse, discarding) borderline messages may seem good in
> that it doesn't give any feedback to spammers, but in practice there's
> no evidence that they use the sort of feedback they get from rejections
> in any way. The simplest way they might do so in theory, washing bad
> addresses out of their lists, would actually be GOOD if they all did it.
>
>
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey
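
An added example (not SpamAssassin's code, not from the thread; the message, networks and DNS answers are constructed) of the three steps Bill describes: walk the Received headers from the newest down, skipping hops whose sending IP is in trusted_networks, to find the last external relay; turn that IP into the reversed-octet name of the kind tested with dig above; and decode what comes back, distinguishing the ZEN sub-list codes from the 127.255.255.x error codes Spamhaus returns when a query arrives through a public resolver or exceeds its limits.

```python
"""Last-external relay selection, DNSBL query name and ZEN answer decoding.
Added example, not SpamAssassin code; message, networks and answers are
constructed so everything except query_dnsbl() runs offline."""
import ipaddress
import re
import socket
from email import message_from_string
from typing import Dict, List, Optional

# Constructed queue copy of a message: hop 1 is our MX handing to our mail
# store, hop 2 is the sender's MTA handing to our MX, hop 3 is the sender's
# client (a private address) inside the sender's own infrastructure.
RAW_MSG = """Received: from mgw.example.org (mgw.example.org [192.0.2.10])
\tby mailstore.example.org (Postfix) with ESMTP id 9A1B2C
Received: from mail.sender.example (mail.sender.example [203.0.113.25])
\tby mgw.example.org (Postfix) with ESMTPS id 1270980A01
\tfor <user@example.org>; Mon, 19 Dec 2022 19:39:42 -0500 (EST)
Received: from [10.20.30.40] (helo=laptop) by mail.sender.example with ESMTPSA id 7F3
From: someone@sender.example
Subject: test

body
"""
# Assumed: our own machines live in 192.0.2.0/24 (plus loopback).
TRUSTED_NETWORKS = ["192.0.2.0/24", "127.0.0.0/8"]

# First bracketed IPv4 literal after "from": the address the receiving MTA
# actually saw, as opposed to the HELO name or reverse DNS in front of it.
RECEIVED_IP = re.compile(r"\bfrom\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def last_external_ip(raw_msg: str, trusted: List[str]) -> Optional[str]:
    """Walk Received headers newest-first; the first hop whose sending IP is
    not in trusted_networks is the last external relay SA would test."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    msg = message_from_string(raw_msg)
    for hop in msg.get_all("Received", []):
        m = RECEIVED_IP.search(hop)
        if not m:
            continue  # hop without a parseable IP literal is skipped here
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in trusted_nets):
            continue  # handoff between our own machines, keep walking
        return str(ip)
    return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """203.0.113.25 in zen.spamhaus.org becomes 25.113.0.203.zen.spamhaus.org,
    the same shape as the 2.0.0.127 test name queried with dig above."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")


# Spamhaus ZEN answer codes (per Spamhaus documentation); anything under
# 127.255.255.0/24 is an error code, not a listing.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the query",
    "127.255.255.254": "query sent via a public/open resolver",
    "127.255.255.255": "query limits exceeded",
}


def decode_zen(answers: List[str]) -> Dict[str, List[str]]:
    """Split A-record answers into sub-list hits and refusals; a refusal means
    the lookup is broken, not that the IP is clean."""
    listed = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    errors = [f"{a}: {ZEN_ERRORS.get(a, 'unknown error code')}"
              for a in answers if a.startswith("127.255.255.")]
    return {"listed": listed, "errors": errors}


def query_dnsbl(ip: str, zone: str = "zen.spamhaus.org") -> List[str]:
    """Live lookup through the system resolver (which should be a local
    recursive cache, as advised above).  Not used by the constructed data."""
    try:
        infos = socket.getaddrinfo(dnsbl_query_name(ip, zone), None, socket.AF_INET)
    except socket.gaierror:
        return []  # NXDOMAIN: not listed
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    relay = last_external_ip(RAW_MSG, TRUSTED_NETWORKS)
    print("last external relay:", relay)
    print("would query:", dnsbl_query_name(relay, "zen.spamhaus.org."))
    print("decoded test answer:", decode_zen(["127.0.0.2", "127.0.0.4"]))
```

The only real DNS call is in query_dnsbl; nothing else in the block touches the network. If the gateway's own internal hop is not covered by trusted_networks, the walk stops one hop too early and the DNSBL is asked about your own relay instead of the sender, which is one reason an RBL rule can appear never to fire.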


Re: RBL via SpamAssassin configuration

2022-06-28 Thread Joey J
Thank you, this makes sense, I will look through the mentioned resource.

On Tue, Jun 28, 2022 at 5:28 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-06-28 at 14:38:16 UTC-0400 (Tue, 28 Jun 2022 14:38:16 -0400)
> Joey J 
> is rumored to have said:
>
> > Hello All,
> >
> > In trying to setup RBL's with SA, I wanted to make sure the proper way
> > to
> > do it.
> > I have seen some samples like this
> > header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal',
> > 'b.barracudacentral.org.')
> > describe RCVD_IN_BARRACUDACEN Relay is listed in
> > b.barracudacentral.org
> > tflags RCVD_IN_BARRACUDACEN net
> > score RCVD_IN_BARRACUDACEN 4.0
>
> That looks right. Definitive documentation can be had with 'perldoc
> Mail::SpamAssassin::Plugin::DNSEval' and 'perldoc
> Mail::SpamAssassin::Conf'
>
> > Is this actually going out and doing a DNS query or reading from the
> > header
> > of the message?
>
> It does both...
>
> SA analyzes the Received headers in a message to find relevant SMTP
> handoffs, with relevant settings in trusted_networks, internal_networks,
> and msa_networks. For DNSBLs, typically the "last external" Received
> header is the key: the latest one written by a trusted machine,
> documenting a handoff from a machine which is not in any of those
> special sets. It tests the IP address of that last external machine to
> handle the message. DNSEval looks up that IP address in the DNSBL.
>
> > I think I want to actually do the DNS query and I will cache locally
> > to
> > avoid issues and increase performance.
>
> The proper way to do this is to run a local caching recursive resolver
> (e.g. Unbound or BIND, NOT dnsmasq) on the same machine as the MTA and
> use that for all DNS lookups. Using more distant DNS servers can result
> in latency delays and using forwarding of any sort will cause blocking
> by DNSBL services. Any DNS server that filters or modifies responses to
> 'protect' user personal computers is unfit for use with email.
>
> > Also if someone has a list of these rules, that they use and could
> > share
> > that would be great.
>
> There are many in the standard ruleset. I think we do a reasonably good
> job of curating them, and they should all be safe to use as designed.
> Note that some DNSBLs are explicitly NOT intended for use on a mail
> server that accepts initial submission from end users.
>
> > The last part of my question is, here we score and then based on
> > scoring
> > the next part can either quarantine the message or deliver it, but is
> > there
> > a way from SA to simply say reject it right there?
> > (I think the answer is no, it simply scores it, but wanted to be sure)
>
> SpamAssassin itself has no capacity to handle the disposition of email.
> It only scores messages and reports those scores to whatever tool is
> using it.
>
> Hence, if you are accepting or quarantining mail based on a SA score,
> there's Something Else making that disposition decision. It might be a
> milter (MIMEDefang, MailMunge, spamass-milter, or amavisd-milter,) or a
> Postfix content_filter script or a SMTP proxy (many amavisd systems) or
> an Exim config stanza (not sure if that's an 'acl' or a 'router' in Exim
> jargon.)   It is that 'glue' between the MTA and SA which implements the
> handling decision for scored messages.
>
> Generally it is a good idea to reject messages that you are not going to
> deliver. As a backstop for false positives rejection alerts the sender
> to the problem, in contrast to the silent death of quarantining.
> Quarantining (or worse, discarding) borderline messages may seem good in
> that it doesn't give any feedback to spammers, but in practice there's
> no evidence that they use the sort of feedback they get from rejections
> in any way. The simplest way they might do so in theory, washing bad
> addresses out of their lists, would actually be GOOD if they all did it.
>
>
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey


RBL via SpamAssassin configuration

2022-06-28 Thread Joey J
Hello All,

In trying to set up RBLs with SA, I wanted to make sure of the proper way to
do it.
I have seen some samples like this
header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal', 'b.barracudacentral.org.')
describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org
tflags RCVD_IN_BARRACUDACEN net
score RCVD_IN_BARRACUDACEN 4.0

Is this actually going out and doing a DNS query or reading from the header
of the message?
I think I want to actually do the DNS query and I will cache locally to
avoid issues and increase performance.

Also if someone has a list of these rules, that they use and could share
that would be great.

The last part of my question is, here we score and then based on scoring
the next part can either quarantine the message or deliver it, but is there
a way from SA to simply say reject it right there?
(I think the answer is no, it simply scores it, but wanted to be sure)

Thanks!



-- 
Thanks!
Joey
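To answer the "DNS query or header?" part concretely: check_rbl takes the relay IPs out of the message's Received: headers and does a live DNS query for each (the -lastexternal suffix on the set name restricts it to the last external relay), so the DNS resolver SA uses matters. The following is an added example, not code from the list post or from SpamAssassin, showing the query mechanics and a self-test for the resolver; the zone dnsbl.example, the 192.0.2.10 listing and the three resolvers are constructed stand-ins so it runs offline.

```python
"""DNSBL lookup mechanics, as an added example (not from the list post).

A DNSBL is queried by reversing the IPv4 octets, appending the list zone
and looking for an A record inside 127.0.0.0/8, which means "listed".
The resolvers below are constructed in-memory stand-ins; dnsbl.example
is an assumed zone.
"""
import ipaddress
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]          # name -> A records ([] = NXDOMAIN)
DNSBL_CODES = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone, as an FQDN."""
    addr = ipaddress.IPv4Address(ip)           # ValueError for non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.strip('.')}."


def _is_dnsbl_code(answer: str) -> bool:
    """Genuine DNSBL answers are 127.0.0.0/8 codes; anything else is noise."""
    try:
        return ipaddress.IPv4Address(answer) in DNSBL_CODES
    except ValueError:
        return False


def dnsbl_hits(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """Return the 127.x.y.z codes the list answers for ip (empty = not listed).

    Answers outside 127/8 are dropped: they come from a resolver that
    rewrites NXDOMAIN (ad or 'protection' redirects), not from the list.
    """
    return [a for a in resolve(dnsbl_query_name(ip, zone)) if _is_dnsbl_code(a)]


def dnsbl_self_test(zone: str, resolve: Resolver) -> str:
    """RFC 5782 convention: 127.0.0.2 must be listed, 127.0.0.1 must not be.

    Run this before trusting a list through a given resolver; a filtering
    or blocking resolver shows up here as anything other than 'ok'.
    """
    pos = resolve(dnsbl_query_name("127.0.0.2", zone))
    neg = resolve(dnsbl_query_name("127.0.0.1", zone))
    if any(not _is_dnsbl_code(a) for a in pos + neg):
        return "resolver_rewrites_answers"
    if not pos:
        return "zone_blocked_or_unreachable"
    if neg:
        return "zone_lists_everything"
    return "ok"


# Constructed zone data: 192.0.2.10 (documentation range) is "listed".
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "2.0.0.127.dnsbl.example.": ["127.0.0.2"],
    "10.2.0.192.dnsbl.example.": ["127.0.0.2"],
}


def constructed_resolver(name: str) -> List[str]:
    """Behaves like a clean recursive resolver over CONSTRUCTED_ZONE."""
    return CONSTRUCTED_ZONE.get(name, [])


def rewriting_resolver(name: str) -> List[str]:
    """Models a filtering resolver that answers every NXDOMAIN with a redirect."""
    return CONSTRUCTED_ZONE.get(name) or ["198.51.100.1"]


def blocking_resolver(name: str) -> List[str]:
    """Models a resolver that blocks the whole DNSBL zone."""
    return []


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "dnsbl.example"))
    print(dnsbl_hits("192.0.2.10", "dnsbl.example", constructed_resolver))
    for r in (constructed_resolver, rewriting_resolver, blocking_resolver):
        print(r.__name__, dnsbl_self_test("dnsbl.example", r))
```

The self-test is the check worth keeping: point SA at a local caching resolver that returns DNSBL answers unmodified, and verify the 127.0.0.2 / 127.0.0.1 convention through it before scoring on any list.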


Re: BCC Rule and Subject change for specific rule

2021-01-04 Thread Joey J
Thanks for the follow up.

I understand what you are saying.
This is SA within ProxMox Mail gateway, I added my custom rule via SA which
is working, just this additional function.

On Mon, Jan 4, 2021 at 8:23 PM John Hardin  wrote:

> On Mon, 4 Jan 2021, Joey J wrote:
>
> > If I'm understanding things correctly, there is a way for me to BCC spam
> > messages which, let's say, score 10 and send a BCC to an email address, but
> > I'm trying to do it within only 1 rule, as well as modify the subject.
> >
> > What I don't want is a BCC sent for every message which is scored a 10,
> > but only the specific rule.
> >
> > Is there a way for me to accomplish this set of actions?
>
> You can't BCC the message within SpamAssassin, as SA only scores messages.
> The MTA or glue layer (what ties SA into your MTA) is what determines
> *delivery* of the message based on SA's score.
>
> Potentially, your MTA or glue layer could be configured to look for a
> specific scored rule name appearing in the header that lists rule hits and
> if found deliver the message to another destination.
>
> But specifically how to do that depends on your MTA and/or your glue. What
> are you using?
>
> I'm pretty sure SA only allows setting the subject tag by language, not
> based on rule hits. You may be able to modify the subject in the MTA/glue
> at the same point you do the extra delivery.
>
> --
>   John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
>   jhar...@impsec.org pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>News flash: Lowest Common Denominator down 50 points
> ---
>   219 days since the first private commercial manned orbital mission
> (SpaceX)
>


-- 
Thanks!
Joey
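The approach John Hardin describes, a glue layer that looks for one rule name in the header SA adds and then does the extra delivery and subject change, as an added example that is neither SpamAssassin nor ProxMox Mail Gateway code. The message, the rule name MY_CUSTOM_RULE, the tag and the addresses are all constructed.

```python
"""Glue-layer routing on a specific SpamAssassin rule hit (added example).

SA writes the score and the list of rules that fired into X-Spam-Status;
whatever sits between SA and the MTA has to read that header and act.
This does what the question asks: a BCC and a Subject tag only when one
named rule fired, regardless of the total score.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Set, Tuple

# Constructed message as SA would hand it back; the X-Spam-Status value is
# folded across lines the way SA folds a long tests= list.
CONSTRUCTED_MESSAGE = """\
X-Spam-Flag: YES
X-Spam-Status: Yes, score=11.3 required=5.0 tests=BAYES_99,MY_CUSTOM_RULE,
\tRCVD_IN_DNSBL autolearn=no autolearn_force=no version=3.4.6
From: someone@example.net
To: user@example.org
Subject: quarterly report

see attachment
"""

# tests=<names> runs until the next " key=" field (or end of value)
_TESTS_RE = re.compile(r"tests=(.*?)(?=\s+\w+=|$)")


def rules_hit(spam_status: str) -> Set[str]:
    """Extract the rule names from an X-Spam-Status value (folding tolerated)."""
    flat = " ".join(spam_status.split())     # unfold and collapse whitespace
    m = _TESTS_RE.search(flat)
    if not m:
        return set()
    return {t.strip() for t in m.group(1).split(",") if t.strip()}


def glue_actions(raw: str, rule: str, bcc: str, tag: str) -> Tuple[Message, List[str]]:
    """If `rule` fired, prefix the Subject with `tag` and add `bcc` as a recipient.

    Returns the (possibly modified) message and the extra recipients the
    glue should hand to the MTA alongside the original ones. A high score
    alone does nothing here; only the named rule triggers the actions.
    """
    msg = message_from_string(raw)
    if rule not in rules_hit(msg.get("X-Spam-Status", "")):
        return msg, []
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = f"{tag} {subject}".strip()
    return msg, [bcc]


if __name__ == "__main__":
    changed, extra = glue_actions(CONSTRUCTED_MESSAGE, "MY_CUSTOM_RULE",
                                  "abuse-desk@example.org", "[CUSTOM]")
    print(changed["Subject"], extra)
```

One caveat for whoever wires this in: the glue must act only on an X-Spam-Status header it knows its own scanner just added, so strip any X-Spam-* headers that arrived with the message before scanning, otherwise the routing decision is being made on data the sender controlled.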


BCC Rule and Subject change for specific rule

2021-01-04 Thread Joey J
Hello All,

If I'm understanding things correctly, there is a way for me to BCC spam
messages which, let's say, score 10 and send a BCC to an email address, but
I'm trying to do it within only 1 rule, as well as modify the subject.

What I don't want is a BCC sent for every message which is scored a 10,
but only the specific rule.

Is there a way for me to accomplish this set of actions?

Thanks!

-- 
Thanks!
Joey


How to Block messages from display name not matching expected sender email address

2020-12-23 Thread Joey J
Hello,

I'm trying to figure out how to write a rule that looks for matches of
certain names against the display name, and then ensuring it's from a list
of valid email addresses.

So a phishing email comes in from "Boss Man".

So I want to check if the display name is "Boss Man" and if so, make sure
the sending email address is boss...@realcompany.com or boss...@company2.com,
otherwise score it with 10.

Also, would there be a way to forward that email to a specific user, not
send it to the original recipient?

Thanks

-- 
Thanks!
Joey
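The check the question asks for, as an added example that is not from the list post or from SpamAssassin: decode the From: display name, and if it is a protected name, require the address to be on that name's allow-list. PROTECTED_SENDERS, the sample headers and every address are constructed; the score of 10 follows the question. It goes slightly beyond the question by also decoding RFC 2047 encoded-word display names, since a plain-text match on the raw header would miss those.

```python
"""Display-name impersonation check, as an added example (not from the post).

A From: header carries a free-text display name and a real address.
The display name is decoded (RFC 2047 encoded words included) and
normalized; if it is one of the protected names, the address must be on
that name's allow-list, otherwise the message gets the mismatch score.
"""
from email.header import decode_header, make_header
from email.utils import parseaddr
from typing import Dict, Set, Tuple

# Constructed allow-list: normalized display name -> addresses that may use it.
PROTECTED_SENDERS: Dict[str, Set[str]] = {
    "boss man": {"bossman@realcompany.example", "bossman@company2.example"},
}
MISMATCH_SCORE = 10.0


def normalize_name(name: str) -> str:
    """Case-fold and collapse whitespace so 'BOSS  man' equals 'Boss Man'."""
    return " ".join(name.split()).casefold()


def parse_from(from_header: str) -> Tuple[str, str]:
    """Split From: into (decoded display name, case-folded address)."""
    name, addr = parseaddr(from_header)
    decoded = str(make_header(decode_header(name)))   # handles =?UTF-8?B?...?=
    return decoded, addr.casefold()


def display_name_mismatch(from_header: str, protected=PROTECTED_SENDERS) -> bool:
    """True when a protected display name is used by a non-allow-listed address."""
    name, addr = parse_from(from_header)
    allowed = protected.get(normalize_name(name))
    if allowed is None:
        return False          # not a protected name: the rule does not apply
    return addr not in allowed


def impersonation_score(from_header: str) -> float:
    """Score contribution, in the spirit of a SpamAssassin rule score."""
    return MISMATCH_SCORE if display_name_mismatch(from_header) else 0.0


# Constructed samples: legitimate, impersonating, encoded-word name, unrelated.
SAMPLES = [
    '"Boss Man" <bossman@realcompany.example>',
    'Boss Man <boss.man.ceo@free-mail.example>',
    '=?UTF-8?B?Qm9zcyBNYW4=?= <someone@free-mail.example>',
    'Random Person <someone@example.net>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{impersonation_score(s):4.1f}  {s}")
```

In SpamAssassin's own syntax the same logic is a `header` rule on `From:name`, a `header` rule on `From:addr` and a `meta` rule combining them (name matched and address not matched). The second question, delivering the message to a different user, is a delivery decision and therefore belongs to the MTA or glue layer, not to SA, as the BCC thread above explains.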