Re: Warning: Your Pyzor may be broken.

2024-06-09 Thread Michael Orlitzky
On 2024-06-08 14:45:34, Bill Cole wrote:

> I went looking for a better fix and found a reported issue at
> https://github.com/SpamExperts/pyzor/issues/155 matching my original
> symptoms in which a workaround was provided: install directly from
> the GitHub project's master.zip link, i.e. a snapshot assembled from
> the current state of the repo, which claims to be v1.1.1. I do not
> like that solution at all, and added a comment to that issue
> suggesting that they fix the problem by cutting a release for
> PyPI. No response yet, but it has only been a matter of minutes.

The same issue was reported in 2016 and ignored for eight years before
being closed out of frustration (rather than because they did
something about it):

  https://github.com/SpamExperts/pyzor/issues/54


Re[2]: spamassassin with gmail

2024-04-15 Thread Michael Grant via users

https://isbg.gitlab.io/isbg/index.html

support gmail and spamassassin

other than that I tried to make a Gentoo ebuild for it, have to retry now :)


Yes that's kinda similar!  I'll have to try that!  Thanks.


Re[2]: spamassassin with gmail

2024-04-15 Thread Michael Grant via users

Matija

Sorry, you have misunderstood what I posted.  I am not at all advocating 
people use gmail.  Something like 68% of the planet already uses it and 
few people like you and me have the skills to host our own email.  It's 
not crazy for the people who use gmail or yahoo or other providers, they 
use it, they're used to it, and they apparently like it enough not to 
leave.


It's not easy for people to run their gmail acct through spamassassin.  
Maybe some hack with forwarding and adding headers and a check for 
looping might work.  This isn't what I was really talking about.  But it 
doesn't matter.


Michael Grant


Re[2]: spamassassin with gmail

2024-04-15 Thread Michael Grant via users
l.  I am just trying to figure out what to do with it, if 
it's useful beyond family and friends, or if there is a more general 
interest in being able to use spamassassin on other providers such as 
gmail or yahoo.  If there's insufficient interest, that's fine, I'll 
just use it myself.


Michael Grant


spamassassin with gmail

2024-04-15 Thread Michael Grant via users
Do any of you use spamassassin with a gmail account, and if so, how are 
people doing it?  The reason to do this is gmail's spam filtering isn't 
perfect and you don't have the control you have with spamassassin.


We built some plumbing to do this using gmail's API, and also IMAP which 
can work with other services such as yahoo or outlook.  I'm wondering if 
this is of any use to anyone other than myself.


Essentially, it's a daemon that connects to the account and acts as a 
mail client (an MUA).  When messages arrive in a mailbox (could be any 
folder really), sucks out the message, runs it through spamassassin, and 
puts the result either into the Spam folder or Inbox.


I'm just wondering what to do with this plumbing software, if it should 
be open sourced or run as a service.  Running it as a service couldn't 
be free as I don't have access to free servers.  The daemon in its 
current state is a bit complicated to set up on its own but it could 
definitely be cleaned up, especially if there was sufficient interest.


I bet this could also be put together using getmail5 instead of this 
special built daemon but that would imply polling instead of push.  
Several ways to do this.


Michael Grant
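The MUA-style daemon described in the post above, sketched as an added example; this is not the poster's own plumbing (whose source is not on the page). It polls an IMAP account, pipes each unseen message through spamc, and files it into the Spam folder or leaves it in the Inbox based on the X-Spam-Status header that spamd prepends. It assumes spamc/spamd are installed on the same host, that the account allows IMAP, and a Gmail-style folder name ("[Gmail]/Spam"); the host, login and folder names are placeholders.

```python
"""
Added example, not the original poster's daemon.  Poll an IMAP mailbox as a
mail client, scan each unseen message with spamc, and move spam to the
provider's Spam folder.  Placeholders: host, login, SPAM_FOLDER.
"""
import email
import imaplib
import os
import re
import subprocess
from email import policy
from typing import Optional, Tuple

SPAM_FOLDER = "[Gmail]/Spam"   # placeholder: provider-specific folder name
INBOX = "INBOX"

# Matches the header spamd prepends, e.g.
#   X-Spam-Status: Yes, score=7.2 required=5.0 tests=BAYES_99,...
_STATUS_RE = re.compile(
    r"^(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)", re.I
)


def parse_spam_status(scanned: bytes) -> Tuple[bool, float, float]:
    """Return (is_spam, score, required) from the X-Spam-Status header.

    Raises ValueError when the header is missing: that is what you get when
    spamd is down and spamc passes the message through unscanned (its safe
    default), so the caller must not treat it as ham or spam."""
    msg = email.message_from_bytes(scanned, policy=policy.default)
    status = msg.get("X-Spam-Status")
    if status is None:
        raise ValueError("no X-Spam-Status header: message was not scanned")
    m = _STATUS_RE.match(str(status).strip())
    if m is None:
        raise ValueError(f"unparseable X-Spam-Status: {status!r}")
    return m.group(1).lower() == "yes", float(m.group(2)), float(m.group(3))


def scan_with_spamc(raw: bytes, user: Optional[str] = None) -> bytes:
    """Pipe a raw RFC 5322 message through spamc; spamd returns it with
    X-Spam-* headers added.  -u selects the spamd user (prefs, bayes DB)."""
    cmd = ["spamc"]
    if user:
        cmd += ["-u", user]
    proc = subprocess.run(cmd, input=raw, capture_output=True, check=True)
    return proc.stdout


def destination_folder(scanned: bytes) -> str:
    """Decide where a scanned message belongs."""
    is_spam, _score, _required = parse_spam_status(scanned)
    return SPAM_FOLDER if is_spam else INBOX


def process_unseen(imap: imaplib.IMAP4, user: Optional[str] = None) -> int:
    """One polling pass: scan every unseen INBOX message and move spam to
    SPAM_FOLDER (COPY + \\Deleted + EXPUNGE, avoiding the MOVE extension for
    portability).  Returns the number of messages moved."""
    imap.select(INBOX)
    typ, data = imap.uid("search", None, "UNSEEN")
    if typ != "OK" or not data or not data[0]:
        return 0
    moved = 0
    for uid in data[0].split():
        # BODY.PEEK[] fetches the message without setting \Seen.
        typ, fetched = imap.uid("fetch", uid, "(BODY.PEEK[])")
        if typ != "OK" or not fetched or not isinstance(fetched[0], tuple):
            continue
        raw = fetched[0][1]
        scanned = scan_with_spamc(raw, user)
        try:
            if destination_folder(scanned) == SPAM_FOLDER:
                imap.uid("copy", uid, SPAM_FOLDER)
                imap.uid("store", uid, "+FLAGS", r"(\Deleted)")
                moved += 1
        except ValueError:
            # Unscanned (spamd unreachable): leave it in the Inbox, don't guess.
            continue
    if moved:
        imap.expunge()
    return moved


if __name__ == "__main__":
    # Placeholder host/login; the password comes from the environment.
    host, login = "imap.example.com", "user@example.com"
    with imaplib.IMAP4_SSL(host) as M:
        M.login(login, os.environ["IMAP_PASSWORD"])
        print("moved", process_unseen(M), "message(s) to", SPAM_FOLDER)
```

Run it from cron (or loop with a sleep) for the polling variant the post contrasts with push. The deliberate choice is that a message without an X-Spam-Status header is left alone rather than classified: spamc silently passes mail through when spamd is down, and treating that as "not spam" would quietly disable filtering.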

Re: OT: Microsoft Breach

2024-03-19 Thread Michael Storz

On 2024-03-19 14:51, Thomas Cameron wrote:

Does anyone else just block all traffic from *.onmicrosoft.com? I have
literally NEVER gotten anything from that domain which is not obvious
junk.



We block and have a whitelist with 49 entries at the moment.

Michael


Re: Dinged for .Date

2024-01-15 Thread Michael Orlitzky
On Mon, 2024-01-15 at 17:06 -0800, Cabel Sasser wrote:
> 
> There are 1,239 gTLDs. The SpamAssassin source* blocks just *22* of them.
> 

The official unofficial KAM ruleset blocks a few more, and there are
plenty of third-party URIBLs that essentially block gTLDs through SA,
albeit at one level of abstraction.


> If you believe every new gTLD is garbage (and I get that!), why isn’t 
> SpamAssassin automatically dinging, say, 1,200+ of them?
> 
> Or put another way, why _these_ 22, and _only_ these 22, and not the rest?

Be careful what you wish for :P



Re: Dinged for .Date

2024-01-15 Thread Michael Orlitzky
On Mon, 2024-01-15 at 15:58 -0800, Cabel Sasser wrote:
> 
> Can anyone help me understand “the science”? And how these domains are chosen 
> for such a heavy punishment?

What you're facing is essentially an economic problem. Everyone knows
dot-com, and to a lesser extent dot-net and dot-org. But everything
else is junk: if you're the fifth guy to try to buy example.com, you're
probably not who people are looking for when they type www.example.com
into their web browsers. The other TLDs are also much harder for people
to remember if they see it on a commercial. As a result, dot-info, dot-
biz, and everything after have always been considered knock-offs.

When the wave of new gTLDs hit, the value of each successive one became
diluted even further. By the time you get to dot-date, you're at what
should be, like, somebody's 40th choice for a domain name. How do you
sell that? At a huge fucking discount, if you want anyone to buy it!

That's one half of your economic problem.

Now imagine you're trying to block spammers by domain name, and there's
one particular set of domain names that they can get at a 90% discount
because nobody wants them otherwise. Regardless of how many legitimate
companies use those domains, the signal to noise ratio is going to be
crap.

So, the other half of your economic problem is: how much money does it
cost me (as a recipient) to block dot-date, versus how much does it
cost me to not block it? We have customers who complain about spam and
customers who complain about blocked messages. It's a pretty easy
calculation for a recipient to make, and the result for me at least is
that it's less work (i.e. less expensive) to just block every new gTLD
and whitelist the few legitimate senders brave enough to live there.


Re: Question about forwarding email (not specifically SA, pointers greatly appreciated)

2024-01-03 Thread Michael Grant via users
Here's what I have done in the past from my server to get around this
situation you are having:

1. In my .procmailrc file

:0c:
!exam...@gmail.com

This sends a copy (the c flag in first line) of the message to the
gmail account and leaves a copy in your inbox.

2. From your exam...@gmail.com acct, go to Settings -> Accounts and
Import.  Under the section 'Check email from other accounts', Add an
email account.  Then add your server's account and use POP to suck
over emails as they arrive.  Have it delete the emails once they are
sucked over.

What this does is it causes messages to be forwarded to gmail, but
some small number of them bounce because of whatever decision gmail
makes.  But those messages are popped in later, so there's no lost
mail.  Gmail de-duplicates the messages so you don't get messages
twice, and it never refuses to pop the messages in.  Popping in
messages is slow, so when the forward works (which seems to be most of
the time), mail comes in quick, unless it bounces, in which case, it's
popped in a few minutes, sometimes 10s of minutes, later.

If you are concerned about the bounce messages going back into your
mailbox (gmail doesn't loop here fortunately), you can write a
procmail rule to siphon those off into another folder or into
/dev/null.  (Left as exercise for the reader...)

3. You *may* need to do one further thing, you may need to go back
into gmail's Account and Import settings and set up 'Send mail as' and
set up to send mail as your email address on your server.  I can't
remember if gmail does this automatically for you in step 2 above or
not.

4. You probably want to then click the radio button "Reply from the
same address to which the message was sent".  Otherwise, when you
reply, it'll come from your gmail address and not your server's email
address. These radio buttons only appear once you have at least one
Send As address set up.

Michael Grant
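The bounce-siphoning rule the post leaves as an exercise, as an added example and not the poster's own .procmailrc. It assumes Maildir delivery under $HOME/Maildir and uses a placeholder forwarding address; the DSN test is a heuristic (empty envelope sender or a MAILER-DAEMON sender, plus a multipart/report body) and should be checked against what your MTA actually hands procmail.

```procmail
# Added example, not the original poster's .procmailrc.
# Assumes Maildir delivery; adjust paths and the placeholder address.
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
LOGFILE=$HOME/.procmail.log

# 1. File bounces caused by the forward into their own folder so they
#    neither land in the inbox nor get forwarded to Gmail again.
#    Heuristic: DSNs carry an empty envelope sender (Return-Path: <>) or
#    come from MAILER-DAEMON, and have a multipart/report body.
#    This recipe must come before the forwarding recipe.
:0
* ^(Return-Path: <>|From .*MAILER-DAEMON|From: .*(MAILER-DAEMON|postmaster)@)
* ^Content-Type:.*multipart/report
$MAILDIR/.Bounces/

# 2. Everything else: send a copy ('c' flag) to the Gmail account and fall
#    through, so the original is still delivered to DEFAULT (the inbox).
#    A forward needs no lockfile, hence no trailing ':' on the flags line.
:0 c
! you@example.com
```

Messages filed under .Bounces/ are the ones Gmail refused on the forward; as the post notes they are re-fetched by Gmail's POP import, so the folder is safe to expire on a short schedule rather than send to /dev/null outright, which keeps the evidence if the forward starts failing wholesale.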




Re: Beginner Setting up Spam Assassin

2023-12-30 Thread Michael Grant via users
Can you ban this user in whatever your equivalent of the access file is so 
instead of putting the messages into a spam folder, you reject messages from 
that address at delivery time (SMTP)?



On 30 December 2023 04:08:17 CET, FalconChristopher wrote:
>Anyone know how I can check and setup SpamAssassin so that I can 
>eliminate some spam from coming in from a email account ?
>
>
>On 12/28/2023 2:24 AM, Matus UHLAR - fantomas wrote:
>> On 27.12.23 16:53, FalconChristopher wrote:
>>> Hi, I want to setup Spam Assassin so that any email that Spam 
>>> Assassin flags as spam
>>
>> this is spamassassin's job
>>
>>> gets placed into a folder for a specific SMTP or IMAP email account.
>>
>> this is not spamassassin's job.
>> It's job of mail delivery agent - procmail, maildrop, sieve
>>
>>> Then if Spam Assassin flags emails that are not spam I can tell it 
>>> which of those emails to not place into the spam folder for the 
>>> specific email client. Until it gradually learns which emails are 
>>> spam and which are not.
>>
>> dovecot (imap/pop3 server) has plugins that support training of 
>> spam/ham, if you move the mail from/to spam folder.
>>
>> https://doc.dovecot.org/configuration_manual/spam_reporting/
>>
>>> I've done a little research and I have access with my distribution to 
>>> a mail directory as well as the local.cf file for which 
>>> configurations are for Spam Assassin but I don't know how to setup 
>>> what I mentioned above ?
>>
>


spamd with mix of real and virtual users

2023-11-04 Thread Michael Grant via users
I'm in the process of setting up virtual users on my mail server.  It
looks like I may have a mix of both real and virtual users.

The flow when scanning a message is:

sendmail -> spamass-milter -> spamc -> spamd

spamass-milter looks at the To: header and passes just the user part.
I see a -e option which causes the whole address (user@domainname) to
be passed to spamc.  cool.

spamc then will pass that verbatim to spamd.

and here's where my problem begins...

If the user exists locally, I want spamd to use that, but if not, I
want it to use the virtual-config-dir.

but to use --virtual-config-dir option requires I specify a -u option
(pin spamd to run as a specific user).

but there's a -U option which causes spamd to fall back to a specific
user.  It would seem like I should be able to specify something like
'-U dovecot-virtual', but no, spamd doesn't allow -U and
--virtual-config-dir options.  That seems like an oversight.

I'm wondering if the better solution here is to pull the problem back
a level and have spamass-milter try to look up the local user and fall
back to a fallback user (dovecot-virtual in my case).

Has anyone else tackled this issue?

Michael Grant




Re: check_rbl question

2023-07-07 Thread Michael Grant via users
On Fri, Jul 07, 2023 at 04:50:18PM +0200, giova...@paclan.it wrote:
> if can(Mail::SpamAssassin::Conf::has_tflags_nolog)
>   tflags URIBL_IVMURI net nolog
> else
>   tflags URIBL_IVMURI net
> endif

and Benny Pedersen's idea of using a rule like:

header __FOO eval:check_rbl('ivmSIP-lastexternal', 'my_key.inv-sip.')
meta INVSIP __FOO
describe IVMSIP listed at dnsbl.invaluement.com/ivmsip,
score IVMSIP 5

Neither of these are ideal.  I really need to see what ip address is
being looked up.  Perhaps yes, I'll need to do a feature request.



check_rbl question

2023-07-07 Thread Michael Grant via users
I'm using check_rbl with some paid lists for example invaluement.  I
don't want to put my license key into the rule or it ends up in the
spamassassin X-Spam-Report header.  On one server, I've configured
bind9 with DNAME records to hide the key.  But what do others do?  Is
there some easier way to do this?

Michael Grant




Re: installing spamassassin plugins on debian

2023-03-17 Thread Michael Grant via users
> you dont need this

I see, I stand corrected!

> maybe ask how to configure extracttext ?

Sure, I'd be happy to see some examples.  The man page looks pretty
straight forward.

I see it depends on some external tools like tesseract and odt2txt so
I had better install those first.

I have not had good luck with tesseract out of the box, I wonder if
there's some options to tune it to make it work better.  Is there
anything better?

To see how well this is working, I am hoping to be able to see the
output of these tools with -D so I can write some rules.

Similarly, is there a way to see the 'body' text that is fed into the
rules?  I don't see that in the output of -D.  By 'body', I mean the
text with the html cleaned out of it plus the subject line.  I have a
message and I want to write a new body rule, I want to see what
spamassassin is using as the 'body' so I can write the regex.  I don't
see the body text in -D.



Re: installing spamassassin plugins on debian

2023-03-17 Thread Michael Grant via users
> I guess you didn't notice that you are actually installing SpamAssassin
> 4.0.0, since that's what you are looking at from CPAN?  It's part of the
> official SA package starting from 4.0.0, not a standalone plugin.

Thank you!  I did not notice that, now I see its there.  I know why, I
have 2 boxes, one with the older 3.4 and a newer one with 4.0.0.  So
that little problem is now a non-issue!



Re: installing spamassassin plugins on debian

2023-03-17 Thread Michael Grant via users
On Fri, Mar 17, 2023 at 04:03:03PM +0100, Benny Pedersen wrote:
> Michael Grant via users wrote on 2023-03-17 09:52:
> 
> > What do people do to keep things up to date easily?
> 
> i just use gentoo, or freebsd, not a precompiled problems (hehe)
> 
> but what plugin do you need with spamassassin 4 now ?
> 
> are you willing to apt maintain a custom plugin in debian ?, i see no
> problem if you do this :)

I want to try the ExtractText plugin.

What if I just install this from CPAN?  It installs in
/usr/share/perl5/Mail/SpamAssassin/Plugin/ which looks correct.

It was also recommended to me maybe use cpan2deb and install that, but
then I'm maintaining my own private debian package which I really did
not want to do.  What's wrong with just installing from CPAN in this case?


Re: installing spamassassin plugins on debian

2023-03-17 Thread Michael Grant via users
On Fri, Mar 17, 2023 at 11:26:21AM +0200, Henrik K wrote:
> On Fri, Mar 17, 2023 at 04:52:41AM -0400, Michael Grant via users wrote:
> > Is there a recommended way of installing a spamassassin plugin on
> > debian (or ubuntu) such that the plugin gets updated via say apt?  I'm
> > guessing no because I don't see many spamassassin plugins when I do an
> > "apt search".
> > 
> > Up to now, I have been manually putting things in /etc/spamassassin/
> > but I feel like there has to be a better way to manage these.
> > 
> > What do people do to keep things up to date easily? 
> 
> There is no automated handling of third party plugins.  It's up the
> maintainers to provide or not provide any support.  Which usually just means
> monitoring some github repo etc.

What about CPAN?  Do people use that?  It seems like there's quite a
few modules in CPAN already.  I will admit that if I see a debian
package, I go for that, I rarely if ever install stuff from CPAN but I
could be convinced to use it more if this created some order out of
the chaos.


installing spamassassin plugins on debian

2023-03-17 Thread Michael Grant via users
Is there a recommended way of installing a spamassassin plugin on
debian (or ubuntu) such that the plugin gets updated via say apt?  I'm
guessing no because I don't see many spamassassin plugins when I do an
"apt search".

Up to now, I have been manually putting things in /etc/spamassassin/
but I feel like there has to be a better way to manage these.

What do people do to keep things up to date easily? 




Re: Strange findings debugging bayes results

2023-02-21 Thread Michael Grant via users
On Mon, Feb 20, 2023 at 01:30:15PM -0800, Loren Wilton wrote:
> This is a home system with only a few users. All users have "Spam" and "Ham"
> folders showing up in their email program of choice, and they just drag
> messages they do or don't like into the appropriate folders. There are 
> "Oldham"
> and "Oldspam" mboxes, and the new spam and ham (respectively) get merged into
> these folders after learning, and removed from the current Spam and Ham
> folders.

I had a similar idea but never implemented it because I felt it was
too difficult for users to deal with.  I was considering 2 folders:
'Spam Training Set' and 'Ham Training Set' which would always
represent the set of messages that Spamassassin was currently trained
with.  If you changed the contents of these mboxes, a cron job would
delete the old bayes tokens and retrain with the current set.

The difference between these folders and the Spam folder (or Junk or
whatever you call it locally) is that messages older than 30 days get
auto-deleted.  After 30 days, those messages would no longer represent
the training set.

Having 2 spam folders is confusing and not easy to manage.

Neither of these 2 extra folders are folders that users would look for
messages so they really do have to copy messages into them which isn't
just dragging them.  That for me was the main issue I faced.

So I abandoned this line of thinking.

You mentioned harvesting ham and spam from mboxes as in from the inbox
directly.  This got me wondering more about this.

Clearly, use messages that the user dragged to Spam, which
spamassassin did not mark as spam, to train as spam.  Easy.

And use messages that the user left in their mailbox or deleted or
archived as ham.  Could be ok but less sure.

And lastly, messages that were in Spam (since Spamassassin marked them
as spam), that a user moved out of Spam.  Just look through all their
folders (except Spam) for messages that Spamassassin marked as spam
and retrain on those as ham.  Again, maybe a bad assumption, could
work though.

I was really just curious to know if other people had workable ideas
how to get bayes trained with the least amount of friction.




Re: Strange findings debugging bayes results

2023-02-20 Thread Michael Grant via users
On 20 February 2023 12:28:00 CET, Loren Wilton  wrote:
>
> A cron job that will harvest Spam and Ham mboxes and feed them to sa-learn 
> once a day, then archive the learned messages. Per-user bayes and learning. 
> Mail is hand-moved into the spam and ham learning folders, and for my  
> personal account, I do this rarely, generally only when a message is 
> mis-categorized. Although messages being mis-categorized as spam is often the 
> result of a lot of quite aggressive local rules I have rather than a Bayes 
> mis-classification.

When you "harvest" ham from mboxes, what do you consider ham?

You also, additionally, have a Ham folder for your users then? Interesting. Did 
you manage to train your users to use it easily? Does it grow unbounded or are 
old messages removed from it?  If so, how do you know they can be deleted, as 
with the Spam folder?

It's an interesting idea, just wondering about the details.  Getting my users 
to train spamassassin has always been impossible for me.

Re: URIDNSBL full message checking

2023-02-08 Thread Michael Grant via users
> You can test with:
> 
> header SURBL_MULTI_HDR eval:check_hashbl_emails('multi.surbl.org',
> 'raw/max=10/shuffle/host', 'ALLFROM/Reply-To', '^127\.0\.0\.\d+$')
> priority   SURBL_MULTI_HDR   -100
> describe   SURBL_MULTI_HDR   Domain in email headers found in
> surbl multi

Raymond, thank you!  This works.

But I'm having an issue using this with multi.surbl.org and
multi.uribl.org.  The response addr needs to be bit-masked.  The \d+
in 127.0.0.\d+ is in fact a bitmap.

If I want to assign different scores for different entries in their
databases, I'd need to mask the \d+.  Is there any easier way to do
this than this?

header URIBL_BLACK eval:check_hashbl_emails('multi.uribl.com', 
'raw/max=10/shuffle/host', 'ALLFROM/Reply-To', 
'^127\.0\.0\.(2|3|6|7|10|11|14|15|18|19|22|23|26|27|30|31|34|35|38|39|42|43|46|47|50|51|54|55|58|59|62|63|66|67|70|71|74|75|78|79|82|83|86|87|90|91|94|95|98|99|102|103|106|107|110|111|114|115|118|119|122|123|126|127|130|131|134|135|138|139|142|143|146|147|150|151|154|155|158|159|162|163|166|167|170|171|174|175|178|179|182|183|186|187|190|191|194|195|198|199|202|203|206|207|210|211|214|215|218|219|222|223|226|227|230|231|234|235|238|239|242|243|246|247|250|251|254)$')

check_uridnsbl() handles bitmaps with the urirhssub parameter (the "2" below):

urirhssub   URIBL_BLACK  multi.uribl.com.  A   2

Is there something like the mask arg in urirhssub with check_hashbl?
I did have a look at the source of check_hashbl but I couldn't spot it
right off.  I get the feeling there's got to be a more straight
forward way than above!

Michael Grant




Re: URIDNSBL full message checking

2023-02-06 Thread Michael Grant via users
On Mon, Feb 06, 2023 at 04:16:46PM -0500, Bill Cole wrote:
> On 2023-02-06 at 12:50:29 UTC-0500 (Mon, 6 Feb 2023 17:50:29 +)
> Michael Grant via users is rumored to have said:
> 
> > I’m noticing that check_uridnsbl() seems only to check the message body.
> > Is there some way to make it check the headers as well?
> 
> No. Which is fine, because there are usually no URIs in headers, and when
> there are, they are likely to be standard List-* headers, which are unlikely
> to be useful.

It's actually just a domain name.  This uridnsbl keys off domain names
in the body too, I was kinda hoping it would look at the domain names
in the headers like the body, guess not.

> You can obviously use 'full' or the 'all' pseudo-header and look for
> specific domains, but identifying everything in the header that COULD be a
> domain and just testing that against a DNSBL designed for domains found in
> URIs could have very bad failure modes.

How about just say the from or received headers?  Is there something
like check_rbl that would look up a domain name rather than an ip
address that I could look up the domain in that URIBL list?

I played with check_rbl() but this seems only to look up numeric ip
addresses.

Michael Grant




URIDNSBL full message checking

2023-02-06 Thread Michael Grant via users
I’m noticing that check_uridnsbl() seems only to check the message body.  Is 
there some way to make it check the headers as well?

In 25_uribl.cf, I have:

urirhssub   URIBL_BLACK  multi.uribl.com.  A   2
body        URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe    URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags      URIBL_BLACK  net
reuse       URIBL_BLACK

First obvious thing I tried was changing ‘body’ to ‘full’ in the above.  It 
continues to check only the body.  In fact, changing it to ‘header’, it 
continues to check the body.  I then read through the man page on URIDNSBL and 
it does clearly state a ‘body’ rule.

Is there some clever way to have a URIDNSBL rule check the header of a message 
as well?  Or is there something else I can use separately that would look up a 
domainname in the header section of an email?

Michael Grant


Providing my own body text parts function

2023-01-20 Thread Michael Grant via users
In a body rule, SA uses the textual body of the message. 

From the docs: "The 'body' in this case is the textual parts of the message 
body; any non-text MIME parts are stripped, and the message decoded from 
Quoted-Printable or Base-64-encoded format if necessary.
The message Subject header is considered part of the body and becomes the first 
paragraph"

Is there a way I could provide my own function (override SA's internal 
function) to produce this textual representation myself?

Michael Grant


Re: 4.0.0 dnsbl_subtests.t test failures

2022-12-28 Thread Michael Orlitzky
On Wed, 2022-12-28 at 16:44 +0200, Henrik K wrote:
> 
> Doesn't look too good for Gentoo packaging though, if since 2009 v310.pre
> and newer have been full of all sorts of plugins loaded.  It's like nobody
> actually cared since most of the stuff is useful.  :-)
> 

Nobody noticed until now, and now it's getting fixed. The intersection
of,

  1. Gentoo users
  2. People who run their own mail server
  3. People who blindly run the default configuration on an important 
 network-facing daemon

is pretty small. And given that changing it is likely to generate a few
complaints, compared to the contented silence regarding the existing
behavior, you can maybe understand why no one has tried to proactively
fix it when it wasn't broken.



Re: 4.0.0 dnsbl_subtests.t test failures

2022-12-28 Thread Michael Orlitzky
On Wed, 2022-12-28 at 16:20 +0200, Henrik K wrote:
> 
> Common sense would ask that how is SPF harmful for the user?  One would
> think it would be actually desirable like any other network lookups, that
> user might have accidentally left disabled?  But sure, if this is the Gentoo
> way, so be it.  I had enough of 90's linux flashbacks trying it for the
> first and last time today.  :-)
> 

Well, SPF wasn't nearly as reliable in 2005 as it is now, and it pulls
in an extra dependency.

Probably the best answer is that by having this ability, Gentoo
attracts the sort of user who likes to disable such things to save disk
space, shave off a few CPU cycles, or improve security. And then
there's a feedback loop wherein most of our users want to retain the
ability to control what gets installed/enabled.



Re: 4.0.0 dnsbl_subtests.t test failures

2022-12-28 Thread Michael Orlitzky
On Wed, 2022-12-28 at 15:38 +0200, Henrik K wrote:
> 
> Disabling default plugins solves nothing, just creates a worse experience
> for user.  Educating and guiding users to use DNS properly does not require
> this.

Gentoo builds everything from source and allows the user to
enable/disable some options for each package, called USE flags. In the
context of a C program, you might have USE=spf which would translate to
an additional dependency on libspf2 and passing

  ./configure --enable-spf

at build time to enable that feature.

These map less well to scripting languages where features are often
enabled at runtime based on the existence of some optional package. In
2005, we had a flag for USE=spf in spamassassin that was supposed to
control whether or not spamassassin used SPF.

Without disabling the plugin, how would that work? If the user happens
to install Mail::SPF as a dependency of something else and if the
plugin is *not* disabled, spamassassin will (surprise!) start using SPF
against the user's wishes.

There's no reason for it today because there's no USE=spf flag for
spamassassin, and it wasn't implemented very well back in 2005 (only
certain plugins should have been disabled, and only conditionally). But
the idea isn't as crazy as it first sounds.


Re: subscribe to blacklist for domains

2022-08-14 Thread Michael Grant via users
> WTF, that has been a terrible idea since the 90s, given most spam is 
> spoofed, the end result of this will be your mail server getting the 
> poor reputation as source of backscatter and going into blacklists :)

If you reject, you should reject on their SMTP connection.  If you
return a DSN later, there's a high chance you are causing back-scatter
spam to the wrong place.

When you reject on the initial connection, if the spammer is abusing
someone else's infrastructure, you may cause errors to go back to the
owner of that infrastructure which will clue them into a problem they
need to clean up.  Not always though.

Some ESPs track DSNs they get back and remove those addresses from
future mailouts.  If the spammer reuses that ESP, your address may not
be used again with that account.  This is really more useful for
fringe spam like things you didn't realize you signed up for or things
that weren't meant for you.

On the other hand, some ESPs let you report the account as spam, but
to do that you'd have had to receive the message first to click on
some link in it.  Mailchimp for example lets you click a box to be
removed and tell them you consider it spam and if they get sufficient
complaints, the account is blocked.

In short, I don't think it's bad to reject spam.  Care needs to be
taken blanket blocking mail from ESPs though.


bayes in sqlite db

2022-05-26 Thread Michael Grant
Does anyone have a working example of storing Bayes and user prefs in
SQLite?  I only see mysql and postgres schemas in 
/usr/share/doc/spamassassin/sql/

Michael Grant




Running spamassassin only with specific rules

2022-04-22 Thread Michael Grant
Is there some way to run spamassassin with only a specific set of rules and 
scores?

I've tried putting the rules in a rules.cf file and running spamassassin like:

spamassassin -t -p rules.cf < test.eml

but it runs all the rules including the ones in rules.cf

I've tried changing the config path with -C so it doesn't pick up the
other cf files but this breaks things.

I'm trying to identify specific types of spam.

Michael Grant




Re: using spamassassin to classify spam

2022-03-25 Thread Michael Grant
On Fri, Mar 25, 2022 at 02:27:09PM +0200, Henrik K wrote:
> On Fri, Mar 25, 2022 at 06:01:43AM -0400, Michael Grant wrote:
> >
> > Unless there's an existing function in some plugin to do this, I'll
> > have to write my own.  Little surprising that there isn't, this seems
> > like an obvious check!
> 
> There is already very basic HEADER() template support added in trunk/4.0.0,
> this would generally work:
> 
> askdns UNSUB_NXDOMAIN _HEADER(List-Unsubscribe:host)_ MX [NXDOMAIN]
> 
> It just tries to find something resembling a hostname (having valid TLD) in
> the header, preferring to match @(.*) first.  So it doesn't differentiate
> between http, mailto etc.

Fantastic, thank you!

I'm trying to test this with the debian experimental 4.0.0~0.0svn1896439-1
package.

Running an email through this version seems to be working (as in
spamassassin < test.eml).  However when I test just a narrow set of
rules in my own cf file, I get this:

$ spamassassin -t -C test.cf < tests/test1.eml
config: no rules were found!  Do you need to run 'sa-update'? at 
/usr/bin/spamassassin line 417.

this works fine on spamassassin 3.x by the way.

I have tried reducing test.cf to something simple, for example:

full     DKIM_SIGNED  eval:check_dkim_signed()
describe DKIM_SIGNED  Message has a DKIM or DK signature, not necessarily valid
score    DKIM_SIGNED  5.0

To be clear, for this I really don't want to run all the tests.  Only
specific ones which is why I tried using the -C option which works
with 3.x.  Is there a correct way to do this with 4.x?

Michael Grant




Re: using spamassassin to classify spam

2022-03-25 Thread Michael Grant
> On 24.03.22 18:34, Grant Taylor wrote:
> > Remember, there are historic mechanisms for an MX for parent domains to
> > handle child domains even if the child domain in question doesn't have
> > it's own MX record.
> 
> which, besides wildcard DNS?
>
> OP, also remember that mumble.aidemxwzlwt.bwbibibi.edu may have no A/MX
> record while not producing NXDOMAIN
> 

Right, good points!  So for each subdomain there, do an MX and A
record lookup and stop before getting to the TLD itself (.edu).  Of
course there's got to be some list somewhere of what the TLDs and gTLDs are.

Unless there's an existing function in some plugin to do this, I'll
have to write my own.  Little surprising that there isn't, this seems
like an obvious check!

However, my question still has another part regarding doing this in a
cf file like local.cf.  If it were simply 2 lines in a local.cf to do
this, I'd rather do it there than cobble together a plugin which is
another order of magnitude more complicated.

I have seen things like _VARIABLE_ in .cf files and they seem to get
there from the perl side by doing something like this:

  $pms->set_tag('VARIABLE', $value);

I was wondering if there was a way to set such a variable from the
output of something within the cf side.

This does not work:

header LIST_UNSUB_DOM List-Unsubscribe =~ /\@(.+)/ VARIABLE
askdns LIST_UNSUB_DOM _VARIABLE_

Even if askdns did do the correct thing, I couldn't find a way to get
it the domain name to look up.  Is there a syntax to do this in the
context of a cf file such as local.cf?  Sure seems like it'd be
useful!

Otherwise, I'll have to write a plugin but it seems a shame.

Michael Grant

p.s. the subject of my original post really could have been clearer!
I'm classifying spam by putting things into buckets with certain
attributes and this is one of them.  Things with domain names that are
bogus, but it's still just spamassassin.  Sorry about any confusion!
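The two pieces discussed in this thread, extracting a host from the List-Unsubscribe header (preferring the @domain, then a URL host, as Henrik describes for the HEADER() template) and then walking parent domains up to the TLD looking for an A or MX record, as one added Python example. This is not SpamAssassin's HEADER() or askdns code; the resolver is injected so it runs offline against a constructed zone table, and the suffix set and sample header values are assumptions (a deployment would use a real DNS client and the Public Suffix List).

```python
"""Existence check for the host named in a List-Unsubscribe header, walking
parent domains up to (not including) the public suffix. Added example, not
SpamAssassin code; resolver and zone table are constructed for the example."""
import re
from typing import Callable, List, Optional, Set

# resolve(name) -> None for NXDOMAIN, else the set of record types present.
# An empty set models NODATA: the name exists but has no A/MX records.
Resolver = Callable[[str], Optional[Set[str]]]

# Constructed zone table: only these names exist.
FAKE_ZONE = {
    "example.edu": {"A", "MX"},
    "lists.example.edu": {"MX"},
    "bwbibibi.edu": set(),            # exists, but no A or MX (NODATA)
}


def fake_resolve(name: str) -> Optional[Set[str]]:
    return FAKE_ZONE.get(name.lower().rstrip("."))


# Assumption: a toy suffix set; real code uses the Public Suffix List so that
# multi-label suffixes such as co.uk are handled.
PUBLIC_SUFFIXES = {"edu", "com", "net", "org"}

_MAILTO_HOST = re.compile(r"mailto:[^@\s<>]+@([A-Za-z0-9.-]+)", re.I)
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def extract_host(header_value: str) -> Optional[str]:
    """Prefer the domain after '@' (mailto:), then an http(s) host."""
    m = _MAILTO_HOST.search(header_value) or _URL_HOST.search(header_value)
    return m.group(1).lower().rstrip(".") if m else None


def parent_chain(host: str, suffixes=PUBLIC_SUFFIXES) -> List[str]:
    """The host, then each parent, stopping before the public suffix."""
    labels = host.split(".")
    chain = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            break
        chain.append(candidate)
    return chain


def classify_host(host: str, resolve: Resolver, suffixes=PUBLIC_SUFFIXES) -> str:
    """'deliverable' if some name in the chain has A or MX, 'nodata' if a name
    exists but none carries A/MX, 'bogus' if every name is NXDOMAIN."""
    exists = False
    for name in parent_chain(host, suffixes):
        types = resolve(name)
        if types is None:
            continue                  # NXDOMAIN at this level, try the parent
        exists = True
        if types & {"A", "MX"}:
            return "deliverable"
    return "nodata" if exists else "bogus"


def check_list_unsubscribe(header_value: str,
                           resolve: Resolver = fake_resolve) -> Optional[str]:
    """None when the header names no host, else the classification."""
    host = extract_host(header_value)
    return None if host is None else classify_host(host, resolve)


if __name__ == "__main__":
    for hdr in ("<mailto:unsub@mumble.aidemxwzlwt.bwbibibi.edu>",   # constructed
                "<https://lists.example.edu/u?id=1>",                # constructed
                "<mailto:x@nobody.invalid-zzz.com>"):                # constructed
        print(hdr, "->", check_list_unsubscribe(hdr))
```

The distinction between "nodata" and "bogus" matters for scoring: a name whose parent exists but carries no A/MX (the bwbibibi.edu case raised in the thread) is not NXDOMAIN, so a rule keyed only on NXDOMAIN would miss it.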





using spamassassin to classify spam

2022-03-24 Thread Michael Grant
I would like to write a rule that checks if a header has a domain name that 
doesn't resolve.

For example this header:

List-Unsubscribe: 

I want to extract the mumble.aidemxwzlwt.bwbibibi.edu and run it
through AskDNS and if I get an NXDOMAIN, I want to score it.

Is it possible to do this within a cf file?

I can easily extract the domain name with a regex.  Is there a way to
save that value in a variable in a cf file such that I can then call
AskDNS?







Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Michael B Allen
On Wed, May 12, 2021 at 10:26 PM Arne Jensen  wrote:
> On 13-05-2021 at 02:19 Michael B Allen wrote:
> > On Wed, May 12, 2021 at 6:10 PM Matthias Leisi  wrote:
> >>> That is unfortunate. It's not entirely crystal clear to me that
> >>> deliberately returning false positives that allow potentially
> >>> destructive SPAM to get through filters is a good way to enforce usage
> >>> policy.
> >> We use the „return hi“ in cases where long times of using other methods 
> >> does not reduce the query load on the free nameservers.
> > I don't understand the technical details of all of this but what about
> > sending an error response just under the typical retry interval? If
> > you want to annoy someone, make it the one DNS server operator and not
> > the hundreds of SA endpoints using it. A lot of smaller companies like
> > me (I'm just me!) just use their hosting company DNS (linode for me)
> > and are completely oblivious as to what dnswl even is.
>
> See:
> https://www.mail-archive.com/users@spamassassin.apache.org/msg107949.html
>
> And then try to understand how DNS works:

I understand how DNS works as well as most I at least.

I do not understand why the default SA configuration uses dnswl but
then when someone does not read every minutia of documentation about
every possible option, SPAM is then used as a stick to get people to
change or pay for the service but not before being browbeaten about
not knowing how this convoluted mess works.

It is not completely trivial to set up a caching name server. I literally
have two accounts so it's at least a serious nuisance.

> In the past, I saw Spamhaus being criticized, apparently for something
> that sounded like dropping queries with a firewall, which would lead to
> long timeouts, causing the originating mail server to give up before the
> responses were received, essentially leading to mails being deferred and
> (sometimes) lost.
>
> Such query dropping does (unfortunately) also means the queries often
> will be magnified, as e.g. Linode's resolver in your case, will just try
> another authoritative server for the zone.

Then like I suggested, instead of dropping entirely, maybe a delay
just under the retry interval would make all the difference.
Presumably dnswl is custom code? You could have a large array of
structs with ip and stats pre populated with pass entries for the paid
folk. When a request comes in, you hash the addr to get the right
bucket. If they're paid they pass. If not, you update the stats and if
they're over whatever limit everything from that server goes into a
500ms delay queue. You respond with success to keep the offensive DNS
server at arms length but passivated but the SA endpoint gets an
answer of "blocked".

Sending false positives that allow SPAM through is a bad way to enforce policy.

Mike


Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Michael B Allen
On Wed, May 12, 2021 at 6:10 PM Matthias Leisi  wrote:
>
> > That is unfortunate. It's not entirely crystal clear to me that
> > deliberately returning false positives that allow potentially
> > destructive SPAM to get through filters is a good way to enforce usage
> > policy.
>
> We use the „return hi“ in cases where long times of using other methods does 
> not reduce the query load on the free nameservers.

I don't understand the technical details of all of this but what about
sending an error response just under the typical retry interval? If
you want to annoy someone, make it the one DNS server operator and not
the hundreds of SA endpoints using it. A lot of smaller companies like
me (I'm just me!) just use their hosting company DNS (linode for me)
and are completely oblivious as to what dnswl even is.

Maybe you would prefer that SA disable dnswl lookups in the default
config? Folks who are fluent in such things and have their own DNS
server will know how to flip it on.

Mike


Re: RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Michael B Allen
On Wed, May 12, 2021 at 5:01 PM Matthias Leisi  wrote:
> > On 12.05.2021 at 21:02 Michael B Allen wrote:
>
> > X-Spam-Report:
> > * -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
> > *  trust
> > *  [173.82.162.98 listed in list.dnswl.org]
>
> 173.82.162.98 is not in the dnswl.org database.
>
> It’s likely you’re using one of the nameservers who are not only blocked from 
> using dnswl.org free nameserver infrastructure, but where we needed to use 
> additional methods to make them stop (ab)using our nameservers (namely, 
> returning a „_HI“ result in the hope that whoever is responsible will finally 
> notice).

Hi Matthias,

That is unfortunate. It's not entirely crystal clear to me that
deliberately returning false positives that allow potentially
destructive SPAM to get through filters is a good way to enforce usage
policy.

Mike


RCVD_IN_DNSWL_HI false positives

2021-05-12 Thread Michael B Allen
Hi all,

Because of RCVD_IN_DNSWL_HI a bunch of SEO type stuff is getting
through. Strangely the domains are not listed in www.dnswl.org like
the one below is "fixtheweberrors.online":

  IP address 173.82.162.98 is not whitelisted at dnswl.org.

Most of it is .online stuff. What am I missing? How can
RCVD_IN_DNSWL_HI be added if it's not in dnswl.org? Or maybe it was
and has since been removed? I find that hard to believe since
dnswl.org looks like it only has records for bigger sites.

Thanks,
Mike

Received: from [96.47.229.26] (unknown [96.47.229.26])
by shenzi.fixtheweberrors.online (Postfix) with ESMTPA id 3651DA77B;
Tue, 11 May 2021 22:17:27 -0400 (EDT)
Received: from shenzi.fixtheweberrors.online
(shenzi.fixtheweberrors.online [173.82.162.98])
by mail.ioplex.com (Postfix) with ESMTPS id 5090B11B9
for ; Wed, 12 May 2021 01:25:07 -0400 (EDT)

X-Spam-Report:
* -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
*  trust
*  [173.82.162.98 listed in list.dnswl.org]
*  3.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
*  [score: 0.9888]
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
*  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
*  (catherinebrooke321[at]gmail.com)
*  0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)
*  [173.82.162.98 listed in bl.mailspike.net]
*  0.5 MISSING_MID Missing Message-Id: header
*  0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
*  2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
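As an added example that is not part of the thread: a small parser for the X-Spam-Report block above that sums the scores and identifies which negative-scored rule, on its own, keeps the message under SpamAssassin's default required_score of 5.0. The report text is the one posted above; the 5.0 threshold is the stock default and is passed in as a parameter.

```python
"""Parse an X-Spam-Report block and find the single rule hit that flips the
verdict. Added example for this thread, not SpamAssassin's own code."""
import re
from typing import List, Tuple

# Report lines as posted in the thread. Continuation lines also begin with
# '*' but carry no score, so the regex below skips them.
SAMPLE_REPORT = """\
* -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
*  trust
*  [173.82.162.98 listed in list.dnswl.org]
*  3.0 BAYES_95 BODY: Bayes spam probability is 95 to 99%
*  [score: 0.9888]
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
*  0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
*  (catherinebrooke321[at]gmail.com)
*  0.0 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)
*  [173.82.162.98 listed in bl.mailspike.net]
*  0.5 MISSING_MID Missing Message-Id: header
*  0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
*  2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
"""

# A hit line: '*', a signed decimal score, an upper-case rule name, description.
_HIT = re.compile(r"^\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\s*(.*)$")

Hit = Tuple[str, float, str]   # (rule name, score, description)


def parse_report(report: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in report.splitlines():
        m = _HIT.match(line.strip())
        if m:
            hits.append((m.group(2), float(m.group(1)), m.group(3)))
    return hits


def total_score(hits: List[Hit]) -> float:
    return round(sum(score for _, score, _ in hits), 3)


def verdict_flipping_rules(hits: List[Hit], required_score: float = 5.0) -> List[str]:
    """Negative-scored rules whose removal alone would push the message over
    the threshold: each is a single point of failure for the verdict."""
    total = total_score(hits)
    if total >= required_score:
        return []
    return [rule for rule, score, _ in hits
            if score < 0 and total - score >= required_score]


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print(f"{len(hits)} rule hits, total {total_score(hits)}")
    print("verdict depends entirely on:", verdict_flipping_rules(hits))
```

For the report above the total is 0.8, and without the -5.0 from RCVD_IN_DNSWL_HI it would be 5.8, so that one allowlist hit is the only thing delivering the message. Running this over a day's reports is a cheap way to spot an allowlist source that has started returning false positives.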


Re: My 10 years old domain have a bad TLD

2021-05-04 Thread Michael Orlitzky
On Tue, 2021-05-04 at 08:28 +0200, Denis Chenu wrote:
> Yes,
> 
> You receive spam from pro and then all pro gTLD owner received a punishment.
> 
> It's same for all gTLDS, like the old teachers who punish a whole school 
> class.
> 

You're right, but as someone who blocks .pro I don't care anymore.
I've wasted half my life fighting assholes who make money by wasting my
time. To a few decimal points, 100% of the mail we get from .pro
domains is spam. I don't care about right or wrong, I just want the
spam to stop, and blocking all of .pro is the easiest way to do that.
You can email postmaster@ to be whitelisted if you're legitimate.




Re: How do you set nomail for the List?

2021-04-21 Thread Michael Grant
> But, but, but...  SpamAssassin's entire purpose is an anti-spam
> function!  Oh the irony of it!
> 
> > After all, if just anyone, without subscription, can post to a list, then it's
> > open to the entire Internet, and then, as we all know, anarchy ensues...

The Debian mailing lists too are open for anyone to post regardless of
whether they are subscribed.  It's not anarchy but sometimes spam does get
posted and some people go and report it to places like spamcop (I've
been guilty here!).  Debian has a mechanism to flag messages as spam
in the archives so they can be removed.  It's far from the anarchy you
imagine but it's definitely not zero labor.

For me the biggest problem with allowing non-subscribers or
subscribers that don't get mail back from the list is that there is no
way for someone to know if you are reading their replies.  I'm never
sure if I should CC the person directly or not on these open lists.

On the Spamassassin list, I know the person has to be subscribed so I
don't have to CC them.  I doubt most mailing lists are smart enough to
CC such non-subscribers on replies.

Multiple people I know join lists and then create a filter rule to put
the list directly in to the Trash folder or some folder that they
automatically delete older messages.  Then, they read the lists in
that folder.  That may be your best option in my opinion.

A hack comes to mind... maybe something could be written using sieve
or procmail to spot which messages you sent to the list and move them
and replies to it back to your inbox automatically.

Michael Grant




Re: Senderscore

2021-04-19 Thread Michael Grant
On Mon, Apr 19, 2021 at 02:04:55PM +1000, Simon Wilson wrote:
> Spamassassin on my mail server uses a local dedicated caching DNS server,
> and it is only service which uses it (it's specified in local.cf).
> 
> The last 3 days I have logged about 500 failed DNS query errors to
> senderscore.com, e.g.:
> 
> 19-Apr-2021 13:28:01.367 query-errors: info: client @0x7f31c334a9a0
> 127.0.0.1#53689 (214.48.240.54.bl.score.senderscore.com): query failed
> (SERVFAIL) for 214.48.240.54.bl.score.senderscore.com/IN/A at
> ../../../bin/named/query.c:9385
> 
> ...where in the month prior there were about 10 failures logged in total.
> It's failing on what looks like every inbound email.
> 
> From what I can see it's a genuine blocklist lookup by SA...
> (RCVD_IN_RP_RNBL in 20_dnsbl_tests.cf) but the error rate is strange.
> 
> Am I the only one with high volume of lookup errors from that bl? :-) or do
> I need to be looking for an issue locally...

I am also interested in finding some sender reputation list like this.
I also had a similar experience trying to get senderscore to work.  I
picked up the phone and called them a few weeks ago.

I think initially senderscore's goal was as you (and I) thought, to
score senders such that bad senders could be blocked.  But that's not
what they do now.  What they do now is enable marketeers to get into
people's inboxes by telling the marketeers' what *their* score is
relative to the person or group they are targeting.  It's your
sender score, not the other way around.

I am still looking for a sender reputation list, if anyone has
recommendations, please share!

Michael Grant




Re: Using spamassassin modules from a git repo

2021-04-08 Thread Michael Grant
> To update SpamAssassin module from time to time from Git I am using 
> Puppet/Ansible that will put the code in the right places.
> On simpler install I am using a Makefile like this one:
> 
> 
> install:
> 	pod2man Esp.pm > "/usr/share/man/man3p/Mail::SpamAssassin::Plugin::Esp.3p"
> 	perl -cw Esp.pm && podlint Esp.pm && cp Esp.{cf,pm,pre} /etc/mail/spamassassin/
> 
> 
> Then I can run git pull from the directory and run make install to copy all 
> files to the correct places.

Thanks Giovanni, yes, this is what one would normally do, drop the
files into /etc/spamassassin (linked from /etc/mail/spamassassin on my
system).

This also solves my initial problem of git repo within git repo.  But
it doesn't solve my desire to keep things in one place.  It's true
that with this particular module the file names are the same.  And
it's also true that the man page (if I wanted to be able to read it
with the man command) would need to go in a different place.

I do kind of like Tom Hendrikx's idea of cloning the folder into
somewhere in /usr/local/etc and putting a modified pre file in
/etc/spamassassin/.  But it's true it's not perfect.

The next step in this I suppose could be to build a deb or rpm file
around these contributed modules.  But I doubt people are going to
want to build and maintain packages for each of the different
unix/linux/other OSs out there.

Maybe just recommend that module developers put in a simple Makefile
with an install and uninstall target?  I don't know if that's the
right answer.  It does feel like this should be a bit more admin
friendly; by that I mean it should be more than lore to know the right
way to install spamassassin modules in a maintainable way on a
system.

Thanks all for the answers here.




Re: Using spamassassin modules from a git repo

2021-04-08 Thread Michael Grant
On Thu, Apr 08, 2021 at 07:00:57PM +0200, Benny Pedersen wrote:
> On 2021-04-08 18:54, Michael Grant wrote:
> 
> > This may be a stupid question... but for a spamassassin module, for
> > example spamassassin-esp, how would one normally "install" this so
> > that it reads the .pre file?
> 
> all content should be placed in same dir as local.cf
> 
> and custom plugins should have there own .pre with the
> loadplugin
> 
> i think it works if Esp.cf is in same dir as local.cf
> then there is no need to make include lines

This is what I want to avoid which was the goal of my original post.

1. Many modules are from git repos and need to live in their own
   directory to be updated from time to time.
2. The /etc/spamassassin/ directory can get very messy if you just
   dump things in there.  Hard to know what's what; it becomes
   impossible to maintain.

So I don't see any alternative to keeping such modules in separate
directories like this.

Is there really no way to tell spamassassin where to look for such
modules, like some sort of search path?  I'm surprised if not, and if
not, would something like this be a reasonable feature to add in the
future?





Re: Using spamassassin modules from a git repo

2021-04-08 Thread Michael Grant
On Thu, Apr 08, 2021 at 04:11:25PM +0200, Benny Pedersen wrote:
> On 2021-04-08 11:05, Michael Grant wrote:
> 
> > loadplugin Mail::SpamAssassin::Plugin::Esp spamassassin-esp/Esp.pm
> > include spamassassin-esp/Esp.cf
> 
> loadplugin must not be in cf files, it belongs to pre files

This may be a stupid question... but for a spamassassin module, for
example spamassassin-esp, how would one normally "install" this so
that it reads the .pre file?

Putting modules in /usr/local/etc/spamassassin/ as Tom Hendrikx
suggested.

What I have at the moment now is a modified version of
/etc/spamassassin/Esp.pre:

  loadplugin Mail::SpamAssassin::Plugin::Esp /usr/local/etc/spamassassin-esp/Esp.pm
  include /usr/local/etc/spamassassin-esp/Esp.cf

Given that there is an Esp.pre in the spamassassin-esp folder, is
there a way I would use that pre file directly?  I mean, is there some
way to add that folder to spamassassin's "path"?




Re: google.com spam

2021-04-08 Thread Michael Storz

On 2021-04-08 17:46, Bill Cole wrote:

> On 8 Apr 2021, at 6:25, Matus UHLAR - fantomas wrote:
>
> > and there is no undef_whitelist_auth, and the unwhitelist_auth does
> > NOT work.
>
> It does work in 3.4.5, although if you're not there yet I'd advise
> waiting for 3.4.6.
>
> See https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7809


Ok, there is a code change from 3.4.4 to 3.4.5

from 3.4.4

  push (@cmds, {
    command => 'unwhitelist_auth',
    setting => 'whitelist_auth',
    type => $CONF_TYPE_ADDRLIST,
    code => \&Mail::SpamAssassin::Conf::Parser::remove_addrlist_value
  });

from 3.4.5

  push (@cmds, {
setting => 'unwhitelist_auth',
type => $CONF_TYPE_ADDRLIST,
code => sub {
  my ($self, $key, $value, $line) = @_;
  unless (defined $value && $value !~ /^$/) {
return $MISSING_REQUIRED_VALUE;
  }
  unless ($value =~ /^(?:\S+(?:\s+\S+)*)$/) {
return $INVALID_VALUE;
  }
  $self->{parser}->remove_from_addrlist('whitelist_auth',
split (/\s+/, $value));
  $self->{parser}->remove_from_addrlist('def_whitelist_auth',
split (/\s+/, $value));
}
  });

Therefore it should work in 3.4.5

Michael


Re: google.com spam

2021-04-08 Thread Michael Storz

On 2021-04-08 17:26, Bill Cole wrote:

> On 8 Apr 2021, at 8:04, Matus UHLAR - fantomas wrote:
>
> > > On Sun, 4 Apr 2021 13:21:08 +0200 Matus UHLAR - fantomas wrote:
> > > > I prefer to solve problems instead of playing with scores.
> > > >
> > > > It seems that abusers have worked around SA by using google domains
> > > > and addresses for sending spam from.
> >
> > On 04.04.21 14:19, RW wrote:
> > > If google have been foolish enough to allow abuse on the
> > > organizational domain it should definitely be taken out of the def
> > > whitelists until they move anything abusable to a different
> > > subdomain/domain.
> >
> > > On Sun, 4 Apr 2021 16:47:18 +0200 Matus UHLAR - fantomas wrote:
> > > > That's what I'm trying to say.
> > >
> > > And I'm agreeing. But I'm also saying that this kind of thing would be
> > > less of a problem if the 'def' whitelists were better organized.
> > >
> > > For the 'def' whitelists to have any point they should be tuned to prevent
> > > most such FPs while having a minimal impact on TPs. The rules are
> > > scored far too strongly, but the fact they are additively scored
> > > makes it impossible to fine tune them.
> > >
> > > There's no point in additive scoring anyway. If any of them is hit
> > > it's most likely the spam has gone through an abused server.
> >
> > if you mean using combination of USER_IN_DEF_SPF_WL,
> > USER_IN_DEF_DKIM_WL and USER_IN_DEF_WELCOMELIST, they could be put
> > into if condition.
> >
> > On 04.04.21 17:01, RW wrote:
> > > I give them all a score of -0.001 and then score
> > >
> > > USER_IN_DEF_WELCOMELIST || USER_IN_DEF_SPF_WL || USER_IN_DEF_DKIM_WL
> >
> > ...add USER_IN_DEF_WHITELIST there?
> >
> > > The way it's currently setup you could get a total def whitelist
> > > score of -7.5, -15 -22.5 or -30, which is insane if you want there to
> > > be a useful distinction between def and full whitelisting.
> > >
> > > The worst part is that the commonest form, "def_whitelist_auth", is
> > > scored separately for SPF and DKIM for a single whitelisting entry. So
> > > even if you avoid overlap with def_whitelist_from_rcvd, you still have
> > > this random N and 2N point scoring whatever you set N to.
> >
> > I have just found that
> >
> > def_whitelist_auth *@google.com
> >
> > leads to:
> >
> > USER_IN_DEF_DKIM_WL
> >
> > ...and since there's no undef_whitelist_from_auth, it sucks pretty much and
> > I can only disable the whole rule because of google.
>
> unwhitelist_auth exists. 'perldoc Mail::SpamAssassin::Conf' is helpful.

This removes entries from $conf->{'whitelist_auth'} but not from
$conf->{'def_whitelist_auth'}.

In addition there is no delist_addrlist, therefore no chance to remove
an entry from def_whitelist_auth.


Michael


Using spamassassin modules from a git repo

2021-04-08 Thread Michael Grant
I'm running debian on my mail server.  I use etckeeper to track
changes in /etc.

Often I run across modules such as spamassassin-esp and maybe I would
consider playing with Jared Hall's CHAOS module.

I'm curious what the recommended best practice is to install such
modules from a git repo.

For spamassassin-esp, I cloned the repo into my /etc/spamassassin/
directory and then added this to my local.cf:

loadplugin Mail::SpamAssassin::Plugin::Esp spamassassin-esp/Esp.pm
include spamassassin-esp/Esp.cf

This allows me to 'git pull' from this repository from time to time to
update it.  But it's not perfect, especially as I have local changes
to Esp.cf.  It's actually worse since I forked it to give back some
changes but I'd say that's perhaps less usual.

Furthermore, as I said, I use etckeeper and when I 'apt upgrade', I get
constant warnings:

modified:   spamassassin/spamassassin-esp (modified content, untracked content)

So clearly it's not ideal to clone a spamassassin module into
/etc/spamassassin!

I'm curious if someone has a clean solution here that allows updating
the module from time to time from git.

I realize this may be more a debian question and I may post it on the
debian-users list if I don't get any decent replies here.

Michael Grant




Re: AskDNS with a DNAME

2021-02-28 Thread Michael Grant
> >   askdns   RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
> >   describe RBL_SENDGRID_ID Sendgrid Id blacklist
> >   tflags   RBL_SENDGRID_ID net nolog
> > 
> >   askdns   RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
> >   describe RBL_SENDGRID_DOM Sendgrid domain blacklist
> >   tflags   RBL_SENDGRID_DOM net nolog
> > 
> > And this is what I see in the spamassassin report in the header:
> > *  1.0 RBL_SENDGRID_ID ASKDNS: Sendgrid Id blacklist
> > *  [16582324.sendgrid-id.MYLICENSE.invaluement.com A:127.0.0.2]
> 
> I think what you need, at least in the short term, is: 
> 
> askdns   __RBL_SENDGRID_ID ...
> 
> meta RBL_SENDGRID_ID __RBL_SENDGRID_ID

Ah hah! Thank you, this works.  And it has an added benefit that the
RBL_SENDGRID_ID rule doesn't add a default 1.0 score to the total, so
this is definitely the right way to do it.

_SENDGRIDID_ is set as a variable in the Esp.pm module.  Is there some
way to log this when the meta rule triggers?

Michael Grant




Re: AskDNS with a DNAME

2021-02-28 Thread Michael Grant
On Sun, Feb 28, 2021 at 03:53:33PM +0100, Giovanni Bechis wrote:
> On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> > Ultimately I want the spamassassin report in the headers but I don't
> > want the license key in there.
> > 
> you can set 'tflags net nolog' if you are using trunk.
> Invaluement uri and license key will be printed as *redacted*.
>  Giovanni   
> 

Hi Giovanni, unfortunately, this did not work either.

I just pulled from your repo to make sure I was on master.  I added
nolog, the pertinent lines look like this:

  askdns   RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
  describe RBL_SENDGRID_ID Sendgrid Id blacklist
  tflags   RBL_SENDGRID_ID net nolog

  askdns   RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
  describe RBL_SENDGRID_DOM Sendgrid domain blacklist
  tflags   RBL_SENDGRID_DOM net nolog

And this is what I see in the spamassassin report in the header:
*  1.0 RBL_SENDGRID_ID ASKDNS: Sendgrid Id blacklist
*  [16582324.sendgrid-id.MYLICENSE.invaluement.com A:127.0.0.2]

Michael Grant




Re: AskDNS with a DNAME

2021-02-28 Thread Michael Grant
On Sun, Feb 28, 2021 at 02:14:55PM +, Damian wrote:
> I don't know about AskDNS, but this technique works with stock spamhaus rules 
> via spamhaustech. I have a local spamhaus.net zone with a DNAME record as 
> their nameservers block me anyway.
> You could try with an invaluement.com zone at least temporarily as a 
> comparison to AskDNS.

As I said, it does work if I do this:

askdns   RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id..invaluement.com A 127.0.0.2

But then, the LICENSEKEY gets embedded in the spamassassin report which I don't 
want.

I've traced through the AskDNS plugin and it's definitely only looking
at the first response that gets returned in this case.  I also tried a regex 
submatch like:

askdns   RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/

and still not working.  The AskDNS code which loops through the result
only looks at the alias result that's returned.




AskDNS with a DNAME

2021-02-28 Thread Michael Grant
I'm trying to use a rule like this:

askdns   RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A 127.0.0.2

where I have this in my db.local running bind9:

sendgrid-id IN DNAME sendgrid-id.LICENSEKEY.invaluement.com.

where LICENSEKEY is a valid license key.  I can query this on the command line:

% host 16582324.sendgrid-id.localhost
sendgrid-id.localhost has DNAME record sendgrid-id.LICENSEKEY.invaluement.com.
16582324.sendgrid-id.localhost is an alias for 16582324.sendgrid-id.LICENSEKEY.invaluement.com.
16582324.sendgrid-id.LICENSEKEY.invaluement.com has address 127.0.0.2

But the AskDNS plugin seems to see only the first alias response and
ignores the actual 127.0.0.2 response.  The rule is never hit.  If I
put the license key in the cf file directly, it is (and the license
key gets added to the email headers which is what I am trying to
avoid by doing a DNAME record in my .localhost db.local!)

This technique of using a DNAME record works fine for milters.

Ultimately I want the spamassassin report in the headers but I don't
want the license key in there.

Is there some way to get this to work?

Not sure if this isn't actually a bug in AskDNS to be honest.

Michael Grant
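The alias-chasing that this thread says AskDNS does not do (it stops at the first, DNAME/CNAME, answer instead of reaching the terminal A record), as an added Python example. This is not the AskDNS plugin's code; the answer section is constructed to mirror the `host` output above, with LICENSEKEY standing in for a real license key, and the function names are my own.

```python
"""Follow CNAME/DNAME aliases in a DNS answer section to the terminal records
of the wanted type, instead of looking only at the first RR. Added example
for this thread, not the AskDNS plugin's code."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # A, CNAME, DNAME, ...
    rdata: str


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


# Constructed: what a resolver returns for 16582324.sendgrid-id.localhost when
# sendgrid-id.localhost carries a DNAME. Resolvers normally synthesize the
# CNAME (RFC 6672); some answers carry only the DNAME plus the terminal A.
ANSWER_WITH_SYNTH_CNAME: List[RR] = [
    RR("sendgrid-id.localhost", "DNAME", "sendgrid-id.LICENSEKEY.invaluement.com"),
    RR("16582324.sendgrid-id.localhost", "CNAME",
       "16582324.sendgrid-id.LICENSEKEY.invaluement.com"),
    RR("16582324.sendgrid-id.LICENSEKEY.invaluement.com", "A", "127.0.0.2"),
]
ANSWER_DNAME_ONLY: List[RR] = [ANSWER_WITH_SYNTH_CNAME[0], ANSWER_WITH_SYNTH_CNAME[2]]


def first_record_only(answer: List[RR], rtype: str) -> List[str]:
    """The failure mode described in the thread: consult only answer[0]."""
    return [answer[0].rdata] if answer and answer[0].rtype == rtype else []


def terminal_records(answer: List[RR], qname: str, rtype: str,
                     max_hops: int = 8) -> List[str]:
    """Chase aliases from qname until records of the wanted type appear.
    max_hops bounds a misconfigured or hostile alias loop."""
    name = _norm(qname)
    for _ in range(max_hops):
        owned = [rr for rr in answer if _norm(rr.name) == name]
        wanted = [rr.rdata for rr in owned if rr.rtype == rtype]
        if wanted:
            return wanted
        cname = next((rr for rr in owned if rr.rtype == "CNAME"), None)
        if cname is not None:
            name = _norm(cname.rdata)
            continue
        # DNAME redirects the whole subtree below its owner: swap the suffix.
        dname = next((rr for rr in answer if rr.rtype == "DNAME"
                      and name.endswith("." + _norm(rr.name))), None)
        if dname is not None:
            name = name[:-len(_norm(dname.name))] + _norm(dname.rdata)
            continue
        return []            # dead end: no alias and no matching record
    return []                # alias chain too long; treat as no hit


def askdns_hit(answer: List[RR], qname: str, expected: str, rtype: str = "A") -> bool:
    """True when the terminal answer contains the expected rdata (127.0.0.2)."""
    return expected in terminal_records(answer, qname, rtype)


if __name__ == "__main__":
    q = "16582324.sendgrid-id.localhost"
    print("first RR only:", first_record_only(ANSWER_WITH_SYNTH_CNAME, "A"))
    print("alias-chased: ", terminal_records(ANSWER_WITH_SYNTH_CNAME, q, "A"))
```

The naive path returns nothing because the first RR is the DNAME; the alias-chasing path reaches 127.0.0.2 whether or not the synthesized CNAME is present. The hop limit is there for the same reason a resolver has one: without it, a pair of CNAMEs pointing at each other would loop forever.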




Re: Catch subtly-different Reply-To domain

2021-02-21 Thread Michael Storz

On 2021-02-20 08:58, Dominic Raferd wrote:

> Is there a rule to catch cases where the domain of the Reply-To header
> is a subtle variant on that in the To header. Take this (real) example
> from a phishing email sent yesterday:
>
> From: "Karen Howard" 
> Reply-To: "Karen Howard" 
>
> I realise that other elements of the address can be different without
> being a reliable spam indicator but I think that interfacefm.com ->
> intrefacefm.com are so similar and yet different that they should be
> worth a few points. But I can't think how to write such a rule myself.

Use the "Damerau–Levenshtein distance" to calculate the similarity.
I have long been interested in trying this, but never found the time.


Michael
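The distance check suggested above, as an added Python example that is not a SpamAssassin rule: the optimal string alignment form of Damerau–Levenshtein (adjacent transposition counts as one edit) applied to the From and Reply-To domains. The header values are constructed from the two domains named in the quoted message; reducing a domain to its last two labels is a simplification (a deployment would use the Public Suffix List), and the maximum distance of 2 is an assumed tuning.

```python
"""Flag a Reply-To domain that is a near-miss of the From domain. Added
example for this thread, not SpamAssassin code; headers are constructed."""
import re
from typing import Optional

_ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def osa_distance(a: str, b: str) -> int:
    """Edits: insert, delete, substitute, or swap two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, for comparison: a swap costs two edits here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(header_value: str) -> Optional[str]:
    """Domain of the first address in a From:/Reply-To: value, reduced to its
    last two labels. Assumption: two-label suffixes only."""
    m = _ADDR_DOMAIN.search(header_value)
    if not m:
        return None
    labels = m.group(1).lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_distance(from_hdr: str, replyto_hdr: str,
                       max_distance: int = 2) -> Optional[int]:
    """The distance when Reply-To is a near-miss (0 < d <= max_distance) of
    From, else None. Identical domains and wholly different ones (a ticketing
    system, say) are not flagged; only the subtle variant is."""
    a, b = registrable_domain(from_hdr), registrable_domain(replyto_hdr)
    if a is None or b is None or a == b:
        return None
    d = osa_distance(a, b)
    return d if d <= max_distance else None


FROM_HDR = '"Karen Howard" <karen.howard@interfacefm.com>'     # constructed
REPLYTO_HDR = '"Karen Howard" <karen.howard@intrefacefm.com>'  # constructed

if __name__ == "__main__":
    print("OSA:", osa_distance("interfacefm.com", "intrefacefm.com"))
    print("Levenshtein:", levenshtein("interfacefm.com", "intrefacefm.com"))
    print("flagged distance:", lookalike_distance(FROM_HDR, REPLYTO_HDR))
```

For the example pair the transposition "er" -> "re" costs 1 under OSA but 2 under plain Levenshtein, which is why the Damerau variant is the better fit for typo-squatted domains. Because the check only fires on a small non-zero distance, a Reply-To that is simply a different organisation is left to other rules.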


Re: Why is SENDGRID_REDIR score so high?

2020-09-16 Thread Michael Storz

On 2020-09-16 05:28, John Hardin wrote:

> On Tue, 15 Sep 2020, Mark London wrote:
>
> > Hi - I receive email from spiceworks.com help desk, which are sent via
> > sendgrid.   Why do these URLs trigger the SENDGRID_REDIR rule score,
> > which is 3.4 ?   Thanks. - Mark
>
> They trigger the rule because they match the rule's conditions - a
> message having a Sendgrid redirect URL. They've been abused in a lot
> of phishing lately.
>
> The score is that high because spams that have such aren't scoring
> highly based on all the other rules, and the SpamAssassin masscheck
> corpora does not have many instances of legitimate Sendgrid redirects.
>
> An important question is: are these mails being scored as spammy and
> is that interfering with proper delivery? Or are you just worried
> about a single high-scoring rule hit?
>
> I will take a look and see if the FP rate can be reduced. If you could
> send me an example of one or more of these messages privately (zipped,
> with all message headers intact) then I might be able to do a better
> job of that.
>
> As a workaround, you could whitelist the spiceworks.com help desk email
> address.


The rule is absolutely useless, from more than 5.000 hits last week, at 
least 2.000 were false positives. 10% were definitely spam, the rest was 
unclassified with scores mostly less than 5.0. I've set the score to 
0.001.


Michael


Constructive solution to the blacklist thread

2020-07-23 Thread Michael Orlitzky
I'd like to offer a constructive solution to the blacklist/whitelist
argument to the Apache foundation and Kevin in particular.

There is opposition to this change on at least two fronts:

  * Philosophical: the change does nothing to address the underlying
political problems. Black people are asking not to be murdered;
changing "blacklist" to "blocklist" as the sole response is
insulting and transparently virtue signaling.

  * Practical: the gesture costs the Apache foundation nothing, because
the "gift" is paid for by the labor of the users who have to
reconfigure their systems.

Whether or not you agree with those bullet points, here's what I propose
to address them...

The Apache foundation has some cash laying around. Make whatever wording
changes you like, but **at the same time**, donate a meaningful amount
of money to a cause like the ACLU or the defense/medical funds for the
protestors. This addresses the bullet points above:

  * The donation is of real value to the people who receive it, and
addresses the underlying problem in that it helps the people who are
themselves helping in more direct ways.

  * The donation is also of value to the donor, so cannot be considered
a token gesture.

This will not be free for users: we will all still have to reconfigure
our systems. But if that "wasted" time actually helps the stated cause,
then it's no longer wasted. Knowing that an hour in my text editor may
have helped someone get out of jail or replace an eyeball shot out by a
federal goon makes it much more palatable. In other words, people might
still think it's stupid, but could be willing to suck it up if the
Apache foundation puts its money where its mouth is.

This surely won't please everyone, but it may be satisfactory to a
majority of people on both sides. Also, it will stop the email threads.



Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

2020-07-10 Thread Michael Orlitzky
On 2020-07-10 20:02, Luis E. Muñoz wrote:
> 
> I keep hearing about this mythical people that get terribly offended by 
> the use of these words. I've been working in IT since the 90s, and I've 
> never actually seen one in real life. Do they really exist?
> 

What black people are asking for is to not be murdered. The idea to
change the word "blacklist" to "blocklist" instead as a consolation
prize comes solely from rich white folks, and is itself condescending
and offensive.

As with "all lives matter," it's possible to have the best of intentions
yet still come across as a patronizing douchebag.


Re: Bitcoin ransom mail

2019-12-10 Thread Michael Storz

On 2019-12-10 19:03, Joseph Brennan wrote:

> A user here reported a new twist on the bitcoin ransom mail. New to
> me, anyway.
>
> From: Casper Mitten 
> Sent: Monday, December 9, 2019 10:00 PM
>
> The Subject was a single word, supposedly a password.
>
> The message was a jpg picture of text.
> Although it was in English, many vowels were accented special
> characters.
> The recipient was expected to scan a QR code in the picture to get the
> bitcoin string!
>
> I'm sending this purely for information. The user's report (as usual)
> does not include headers so I don't know what scored. It must have hit
> a rule for a message with no text and an image. There isn't much else
> there.
>
> --
>
> Joseph Brennan
> Lead, Email and Systems Applications



My copy hit

BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79

not enough to mark it as spammy.

Michael


Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Michael Orlitzky
On 7/3/19 5:43 AM, Riccardo Alfieri wrote:
> 
> You can find all the needed files here: 
> https://github.com/spamhaus/spamassassin-dqs
> 

Could I talk you into tagging a v0.0.1 release? That would make it
easier for us to create a system package for the new plugin.


Re: sa-update is broken on updates.spamassassin.org channel [was: Re: config: warning: description exists for non-existent rule EXCUSE_24]

2018-12-21 Thread Michael Orlitzky

On 12/21/18 5:52 PM, Bill Cole wrote:


Fine:

#!/bin/sh
cd `mktemp -d -t HappyMichael???`



Yes, Merry Christmas =P



Re: sa-update is broken on updates.spamassassin.org channel [was: Re: config: warning: description exists for non-existent rule EXCUSE_24]

2018-12-21 Thread Michael Orlitzky

On 12/20/18 7:00 PM, Bill Cole wrote:


 mkdir /tmp/saupdate-1849156


Never use a fixed path under /tmp =)



Re: using URIBL on other headers

2018-09-23 Thread Michael Grant
On Sat, 22 Sep 2018 at 23:55, Kevin A. McGrail  wrote:

> On 9/22/2018 5:55 PM, Michael Grant wrote:
> > The URIBL plugin looks for URLs in the subject and message body.
> >
> > Is there some way to coax it to look in the other headers as well, for
> > example the From: Reply-to: or the Received headers?
> >
> >
> It's fractured.  There are various lookups in various states in various
> plugins.
>
> From, Reply-to, Received, nameservers, rdns, webmail server headers,
> etc. are all enhancements I want to add for RBL lookups.  Some sort of
> generic Header lookup would be best.  I can't remember if I have a
> bugzilla for this but I have a lot of private notes about it.
>
>
Thanks Kevin, good to hear other folks and yourself want this too, it seems
to make sense!

I tried to read through the plugin.  I'm not a spamassassin plugin
developer, I didn't have much luck trying to figure out how to do it
myself.  I know this plugin only does subject and body but I saw nothing in
the plugin itself that referenced the subject header.  So I am gathering
it's more complex than simply running the output of an arbitrary header
through this like the subject and body.

Is this difficult because you feel you need to parse out domain names from
all these fields?

I am not sure you need to do that.  Why not just run all the headers or
rather the entire message including headers through this plugin just like
the body, in fact, just extend its scope to look at the entire message
rather than just the body & subject.

Just a thought.  Hopefully if it's really that easy or if you can tell me
how to extend the scope of this to encompass the entire message, we could
do this sooner than later!

Thanks for your excellent plugin by the way!

Michael Grant


using URIBL on other headers

2018-09-22 Thread Michael Grant
The URIBL plugin looks for URLs in the subject and message body.

Is there some way to coax it to look in the other headers as well, for
example the From: Reply-to: or the Received headers?


Could not retrieve sendmail macro "auth_type"!.

2018-09-02 Thread Michael Grant
I'm running spamassassin on several debian systems using sendmail and using
spamass-milter.

I'm seeing this error in my mail logs on one I updated yesterday:

Sep  1 08:21:01 debian spamass-milter[536]: Could not retrieve sendmail macro "auth_type"!.  Please add it to confMILTER_MACROS_ENVRCPT for better spamassassin results

I definitely have this macro in my sendmail.mc file:

define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, {auth_type}, {greylist}, {auth_ssf}')dnl

Furthermore on 2 other nearly identical systems I don't have this warning
message.  I only started seeing this warning message when I ran updates
yesterday.  I only get it on inbound mail.

The main packages are all the same version from one system to the other:

dpkg -l | g 'sendmail|spamass|milter'
ii  libmilter1.0.1:amd64  8.15.2-11   amd64  Sendmail Mail Filter API (Milter)
ii  sa-compile            3.4.1-8     all    Tools for compiling SpamAssassin rules into C
ii  sendmail              8.15.2-11   all    powerful, efficient, and scalable Mail Transport Agent (metapackage)
ii  sendmail-base         8.15.2-11   all    powerful, efficient, and scalable Mail Transport Agent (arch independent files)
ii  sendmail-bin          8.15.2-11   amd64  powerful, efficient, and scalable Mail Transport Agent
ii  sendmail-cf           8.15.2-11   all    powerful, efficient, and scalable Mail Transport Agent (config macros)
ii  spamass-milter        0.4.0-1+b1  amd64  milter for filtering mail through spamassassin
ii  spamassassin          3.4.1-8     all    Perl-based spam filter using text analysis
ii  spamc                 3.4.1-8     amd64  Client for SpamAssassin spam filtering daemon

The sendmail.mc is also the same (with differences being things like
hostnames).

The only difference I know of is one system was updated via apt yesterday,
other a couple months old.

Anyone else seeing this?  What other change might have caused this?

Michael Grant


Re: SA MySQL DB maintenance

2018-07-17 Thread Michael Hallager (personal)

On 2018-07-18 01:11, Giovanni Bechis wrote:

Txrep does not have autocleaning support, bayes has it if
auto_bayes_expire is set.
 Giovanni


I have looked into this here:
https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html#expiration

Our Bayes DB is over 5Gb which seems at odds with the auto purge figures 
mentioned at the above link.


Even running "sa-learn --auto-expire" does not impact the size.
--

Further to my above post, running "sa-learn --auto-expire" with 
"bayes_auto_expire 0" set in the config produces a different result, 
namely the database is now down to a few 10's of Mb.


I am taking the advice provided here and running this command as a 
cronjob.


Many thanks.

Michael


Re: SA MySQL DB maintenance

2018-07-17 Thread Michael Hallager (personal)

On 2018-07-18 01:11, Giovanni Bechis wrote:

Txrep does not have autocleaning support, bayes has it if
auto_bayes_expire is set.
 Giovanni


Hi Giovanni,

I have looked into this here:
https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html#expiration

Our Bayes DB is over 5Gb which seems at odds with the auto purge figures 
mentioned at the above link.


Even running "sa-learn --auto-expire" does not impact the size.

Michael


Re: SA MySQL DB maintenance

2018-07-17 Thread Michael Hallager (personal)

On 2018-07-18 00:35, Kevin A. McGrail wrote:


What are you using in a db?

Regards,
KAM

--
Kevin A. McGrail


Hi Kevin,

awl, bayes_* and userpref.

Thanks,

Michael


SA MySQL DB maintenance

2018-07-16 Thread Michael Hallager (personal)

Hi all,

Does SA self-maintain the records in the DB or is there a script I 
should run periodically for this?


Michael


Re: This sucks

2018-04-03 Thread Michael Brunnbauer

Hello Giovanni,

On Tue, Apr 03, 2018 at 11:04:46AM +0200, Giovanni Bechis wrote:
> if you start spamd from /root and you use a perl module that is using "use 
> lib 'lib';" or similar piece of code the relevant code will not load because 
> the user spamd is running on (spamd or whichever you have configured) will 
> not have access to $PWD.

Thank you very much - this makes sense. NetAddr uses such a construct and I
can confirm that triggering a DNS query before setuid is called will make the 
problem go away.

Despite what has already been said about starting spamd from /root I think 
this should be addressed because people might stumble over it while doing 
debugging.

Regards,

Michael Brunnbauer

-- 
++  Michael Brunnbauer
++  netEstate GmbH
++  Geisenhausener Straße 11a
++  81379 München
++  Tel +49 89 32 19 77 80
++  Fax +49 89 32 19 77 89 
++  E-Mail bru...@netestate.de
++  http://www.netestate.de/
++
++  Sitz: München, HRB Nr.142452 (Handelsregister B München)
++  USt-IdNr. DE221033342
++  Geschäftsführer: Michael Brunnbauer, Franz Brunnbauer
++  Prokurist: Dipl. Kfm. (Univ.) Markus Hendel


Re: This sucks

2018-04-02 Thread Michael Brunnbauer

Hello Bill,

On Mon, Apr 02, 2018 at 02:33:08AM -0400, Bill Cole wrote:
> So I guess I was right?

I don't think so.

> Is there a tree of Perl modules under /root?

No. I actually just reproduced the problem with a completely empty /root:

cd /
mkdir root1
chmod go= root1
mv root root.old ; mv root1 root
cd
spamd

(Should have done this before, sorry).

> A normal startup of spamd (by sysvinit, Upstart, systemd, etc.) is what you
> need to diagnose, not a manual startup from a login shell. None of those
> normally should put the daemon in /root as a working directory.

People restart services at runtime by calling init scripts. Those may or may 
not change the working directory. Mine did not (now they do).

I don't think spamd should behave differently depending on the working 
directory (maybe depending on what's in it - but not depending on the
working directory itself).

> No, it's not a timing issue. The root cause is that Net::DNS::RR->rdatastr()
> should never have been relied upon by SA to have any particular format
> because it was always poorly documented and quietly vanished from the
> documentation (but not the code) for Net::DNS::RR.pm  in 0.69. What it
> actually contains is a function of the specific DNS record and what server
> generated the response, making an explanation for any specific oddity
> something of a guessing game.

Well this oddity seems to be *very* odd.

> More recently, there have been multiple other changes in various components
> of the Net-DNS distribution that have caused other problems in SA, and they
> may interact with the rdatastr issue. These issues have all been addressed
> in the current SA code, both in the 'trunk' and in the 3.4 branch which will
> (hopefully soon) become the 3.4.2 release. Many (most? all?) packagers of SA
> maintaining it for major platforms have incorporated some or all of the
> necessary DNS-related fixes. I've attached a patch that aggregates all of
> the fixes to this message. You could also install SA from the current 3.4
> branch or the last 3.4.2 release candidate package, or if you're
> adventurous, from the SVN 'trunk' that will eventually yield v4.0.

Yes I tried the 3.4 and the trunk checkout with the current Net::DNS before 
writing to the list. They both had problems with make test while 3.4.1 did
not so I decided that downgrading Net::DNS would be safer.

Regards,

Michael Brunnbauer



Re: This sucks

2018-04-01 Thread Michael Brunnbauer

Hello Bill,

On Sun, Apr 01, 2018 at 03:55:48PM -0400, Bill Cole wrote:
> This is a critical fact. It indicates that your spamd and the spamassassin
> script you are running are definitely using different SpamAssassin
> configurations, possibly different versions of the SpamAssassin
> distribution, and or possibly even different versions of Perl.

I am very sure that there are no other versions of SpamAssassin, Perl and
Net::DNS lying around.

> Determining what config the spamassassin script is using is fairly easy:
> 'spamassassin -D generic,config,diag  --lint' will give you all the details.
> Figuring out what spamd is using is less simple (and system-specific) but
> since you've been maintaining a system by hand for a long time I expect
> you'll be able to figure out how to do so safely.

This does not sound very helpful of you so I did some debugging on my own and 
have more information:

The problem only occurs when spamd is started in the homedir of root. If
I start it in any other directory (including subdirs of /root), Net::DNS
behaves like it should: $answer->rdatastr in dnsbl_uri in Dns.pm contains IP 
addresses in dotted quad notation, like 127.0.0.3. If I start spamd in /root,
$answer->rdatastr contains strings like "\# 4 7f03" instead. This occurs 
regardless of any -x or -u flags to spamd.

So being in /root when started changes the behavior of spamd. Is it possible
that this is a timing issue? Could "\# 4 7f03" be some unprocessed
response that would be converted to 127.0.0.3 a moment later? Or is there
some other explanation for this?

Regards,

Michael Brunnbauer



Re: This sucks

2018-04-01 Thread Michael Brunnbauer

Hello Amir,

On Sun, Apr 01, 2018 at 01:17:03PM -0600, Amir Caspi wrote:
> On Apr 1, 2018, at 10:26 AM, Michael Brunnbauer <bru...@netestate.de> wrote:
> > 
> > running my example spam through spamassassin gets it marked as spam while 
> > using spamc+spamd does not.
> 
> I know this is the equivalent of "did you plug it in" but... did you 
> restart spamd after rebuilding Net::DNS?

Yes. Actually I'm not testing on the production system any more. I use a 
different system where I have to start spamd manually to test. So spamassassin 
and spamd use the same setup.

Regards,

Michael Brunnbauer



Re: This sucks

2018-04-01 Thread Michael Brunnbauer

hi

On Sun, Apr 01, 2018 at 12:55:33PM -0500, David Jones wrote:
> Can you provide an example message lightly redacted via pastebin.com?

I use this message for testing: https://pastebin.com/9h9d62UW

The relay IP 185.207.8.210 is in several blacklists but spamd won't notice.
spamassassin does.

> Please
> tell us more details about your environment like OS version, Perl version,
> etc.  We know you are using spamd as the SA glue but what version of SA?

Linux Kernel 3.16.56
Glibc 2.27
Perl 5.24.1
SpamAssassin 3.4.1
Net::DNS 0.83

> How is your DNS setup?  Do you have a local recursive resolver that is not
> forwarding?

The first Nameserver in /etc/resolv.conf is on the local network and is
a non-forwarding recursive resolver. I tried this in local.cf but it does not 
change anything:

 dns_available yes
 dns_server 

>  What type and version of a local recursor are you running?  See
> this article for more details:

It's bind 9.10.4-P8

Regards,

Michael Brunnbauer



Re: This sucks

2018-04-01 Thread Michael Brunnbauer

hi all,

Reindl Harald wrote:
> but your distribution sucks too when you need to "So I downgraded to
> Net-DNS-0.83 today and got spamassassin working but not spamd"

I don't use a distribution and build everything myself (since I bootstrapped
my system in the 1990s). I seldom have problems getting things running.

I deleted the .so and .pm files and directories belonging to the newer 
Net::DNS in /usr/lib/perl5 before downgrading to the older one.

David Jones wrote:
> What is your MTA?

qmail.

> Enable greylisting

I have.

[lots of other useful tips]

I'd like to start to improve things by getting DNS blacklist in Spamassassin 
to work again. I think it would improve things drastically. So let's look at
my problem again: running my example spam through spamassassin gets it
marked as spam while using spamc+spamd does not.

Benny Pedersen wrote:

> add trusted ips that should not reject to trusted_networks
> or stop REJECT based on spamassassin ips blacklists

I have my trusted ips in trusted_networks. I also have checked with

 add_header all RelaysUntrusted _RELAYSUNTRUSTED_

that the relevant untrusted relays get checked. This is also clear from the 
output I sent. Here it is again:

spamassassin -D looks like:

 Apr  1 15:30:18.733 [22195] dbg: dns: hit  
127.0.0.3

spamd -D looks like:

 Apr  1 15:10:51 merlot spamd[6505]: dns: hit 
 \# 4 7f03

spamassassin reports RCVD_IN_SBL_CSS while spamd -D does not. The output
from spamassassin contains a normal IP while that from spamd prints the IP
as integer. This is extremely suspicious. I'd like to focus on that.

And sorry for being negative. It's Easter Sunday and I'm working because a
customer is drowning in spam - spam that would be filtered out with working
DNS blacklisting.

Regards,

Michael Brunnbauer



This sucks

2018-04-01 Thread Michael Brunnbauer

hi

I think I lost quite a few customers in the last months because DNS-lookups
are fucked up with Spamassassin so all DNSBL tests won't trigger while not
reporting errors. A problem with newer versions of Net::DNS that has been
known for months without any consequences - like a new release. This sucks.

So I downgraded to Net-DNS-0.83 today and got spamassassin working but not
spamd.

spamassassin -D looks like:

 Apr  1 15:30:18.733 [22195] dbg: dns: hit  
127.0.0.3

spamd -D looks like:

 Apr  1 15:10:51 merlot spamd[6505]: dns: hit 
 \# 4 7f03

One time the result is an IP as integer and one time it's a normal IP. The
integer result is not recognized and the DNSBL tests do not trigger.

What can I do?

P.S.: This is the third time I try to send mail to the list - I hope it works
this time. I'll try without PGP sig.

Regards,

Michael Brunnbauer

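The two debug lines above differ only in how Net::DNS rendered the DNSBL answer: spamassassin printed 127.0.0.3, spamd printed "\# 4 7f03". The second form is the RFC 3597 generic presentation syntax ("\# <length> <hex bytes>") that a resolver library emits when it does not (or cannot) parse the record type, and a rule that looks for 127.0.0.x in that string will never match. The following is an added example, not code from the thread or from SpamAssassin: a small POSIX sh decoder that turns the generic form back into dotted quad, plus a wrapper that accepts either form. It assumes a full-length value such as "\# 4 7f000003" (the string in the archive, "\# 4 7f03", has too few hex digits for a 4-byte record and is treated as malformed).

```shell
#!/bin/sh
# Added example (not from the thread): decode the RFC 3597 generic
# presentation form ("\# <length> <hex>") of an A record into dotted quad,
# so a DNSBL return code can be compared against 127.0.0.x regardless of
# which form the resolver library handed back.

# Print the dotted-quad form of a "\# 4 xxxxxxxx" string.
# Returns 1 and prints nothing for anything that is not a well-formed
# 4-byte value (wrong marker, non-hex data, length/data mismatch).
decode_generic_a() {
    set -f                       # no globbing while word-splitting the input
    set -- $1                    # $1 = "\#", $2 = length, $3 = hex bytes
    set +f
    [ "$1" = '\#' ] || return 1
    len=$2
    hex=$3
    case $len in
        ''|*[!0-9]*) return 1 ;;                # length must be decimal
    esac
    case $hex in
        ''|*[!0-9a-fA-F]*) return 1 ;;          # data must be hex digits only
    esac
    [ "$len" -eq 4 ] || return 1                # only IPv4 rdata is handled here
    [ ${#hex} -eq 8 ] || return 1               # length field must match the data
    # Peel off two hex digits at a time with POSIX parameter expansion.
    b1=${hex%??????}; rest=${hex#??}
    b2=${rest%????};  rest=${rest#??}
    b3=${rest%??};    b4=${rest#??}
    printf '%d.%d.%d.%d\n' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))"
}

# Accept either rendering of an A record and always print dotted quad,
# which is what a rule comparing against 127.0.0.x needs.
normalize_a_rdata() {
    case $1 in
        '\#'*) decode_generic_a "$1" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}
```

Usage: `normalize_a_rdata '\# 4 7f000003'` prints 127.0.0.3, as does `normalize_a_rdata 127.0.0.3`; the shortened string from the archive makes `decode_generic_a` return 1 instead of guessing, which is the behaviour you want in a filter that otherwise silently scores nothing.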


Re: From:name spoofing

2018-02-17 Thread Michael Storz

Am 2018-02-17 00:46, schrieb Amir Caspi:

On Feb 16, 2018, at 4:41 PM, John Hardin <jhar...@impsec.org> wrote:

Not necessarily safe. If your MTA receives a message without a 
Message-ID, it is supposed to generate one. And if it does so, it will 
probably do so using your (recipient) domain...


Wouldn't this also FP on messages internal to the domain, i.e., sent
from one user to another on the same domain?

(Also, my Message-IDs don't seem to have this same format.  Nor do 
yours.)


--- Amir


Theoretically, yes. However, if you look carefully at the different 
parts of the rule, you can see that the probability for a FP is very 
low.


- the TO field is a simple address not enclosed in <>
- the Message-ID has a special syntax found very seldom (check your 
logs)

- the header field Message-ID must come immediately after the To field
- the boundary used at the moment is one of the Microsoft boundaries

If you use amavisd you could check the log with

perl -ne 'print if /> -> <[^@]+\@([^>]+)>.+Message-ID: <\d{8,13}\.201[78]\d{5,11}\@\1/' logfile

This is not exactly the same rule because it uses the envelope recipient, 
but it shows whether this sort of spam is relevant for you.


--
Michael


Re: From:name spoofing

2018-02-17 Thread Michael Storz

Am 2018-02-17 00:41, schrieb John Hardin:

On Fri, 16 Feb 2018, Michael Storz wrote:


Am 2018-02-15 19:27, schrieb David Jones:

We have covered this issue a few times recently on this list but I
don't think anything definitive was ever decided or recommended to
detect and block this sort of spoofing:

https://pastebin.com/juXLD8vr

This appears to be a spoofed email from a compromised account trying
to be a known correspondent to this customer of mine.

The Message-ID is suspicious since it's an inbound email to the
hck12.net domain.


David,

You can reject this kind of spam using

ALL =~ /^To: .+\@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}\@\1>/m

and the message-id and the boundary. I have been doing this since May last 
year.


Not necessarily safe. If your MTA receives a message without a
Message-ID, it is supposed to generate one. And if it does so, it will
probably do so using your (recipient) domain...


Addition of a missing Message-ID should only be done by an MSA, not an MTA. 
The added Message-ID would have the domain of the MTA, which is normally 
different from the domain of the recipient.


Michael


Re: From:name spoofing

2018-02-16 Thread Michael Storz

Am 2018-02-15 19:27, schrieb David Jones:

We have covered this issue a few times recently on this list but I
don't think anything definitive was ever decided or recommended to
detect and block this sort of spoofing:

https://pastebin.com/juXLD8vr

This appears to be a spoofed email from a compromised account trying
to be a known correspondent to this customer of mine.

The Message-ID is suspicious since it's an inbound email to the
hck12.net domain.


David,

You can reject this kind of spam using

ALL =~ /^To: .+\@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}\@\1>/m

and the message-id and the boundary. I have been doing this since May last 
year.


Michael
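The rule posted above, and the breakdown of its parts in the later reply (bare To: address, Message-ID immediately after To:, Message-ID shaped like <digits.201[78]digits@domain> with the To: domain repeated), can be checked on a saved message outside SpamAssassin. The following is an added example, not code from the thread or from SpamAssassin: a POSIX sh function wrapping awk that reads a raw message on stdin and exits 0 when the header block matches that pattern. It avoids the backreference and {m,n} intervals of the original regex so it runs under any awk; the MIME boundary check mentioned in the thread is left out because no boundary value is given on the page. The sample messages in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): stand-alone check for the
# To:/Message-ID: pattern of the posted rule
#   ALL =~ /^To: .+\@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}\@\1>/m
# Reads a raw message on stdin. Exit 0 = matches (suspicious), 1 = no match.
suspicious_msgid() {
    awk '
        # A blank line ends the header block; the body is irrelevant.
        /^$/ { exit }
        {
            # Part 1: To: is a bare address, so no ">" may follow the "@".
            # Part 2: Message-ID: is the very next header line and looks like
            #         <digits.201[78]digits@domain>.
            if (prev ~ /^To: .+@[^>]+$/ &&
                $0 ~ /^Message-ID: <[0-9]+\.201[78][0-9]+@[^>]+>/) {
                todom = prev; sub(/.*@/, "", todom)
                mid = $0; sub(/^Message-ID: </, "", mid); sub(/>.*$/, "", mid)
                split(mid, at, "@")         # at[1] = local part, at[2] = domain
                split(at[1], num, ".")      # num[1] = \d{8,13}, num[2] = 201[78]\d{5,11}
                l1 = length(num[1]); l2 = length(num[2])
                # Part 3: the Message-ID domain equals the To: domain (the \1
                # backreference of the original rule), and the digit runs have
                # the lengths the rule demands (4 + 5..11 for the second run).
                if (l1 >= 8 && l1 <= 13 && l2 >= 9 && l2 <= 15 && at[2] == todom)
                    found = 1
            }
            prev = $0
        }
        END { exit found ? 0 : 1 }
    '
}
```

Usage: `suspicious_msgid < message.eml && echo "matches From:name spoof pattern"`. Because the rule keys on header adjacency and on the absence of angle brackets in To:, a message with "To: Name <user@domain>" or with any header between To: and Message-ID: does not match, which is why the poster rates the false-positive risk as low.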


Sometimes (rarely) spamass-milter does not add the x-spam-* headers

2018-01-23 Thread Michael Grant
From time to time (rarely) I notice that spamass-milter does not for
some reason add the x-spam-* headers to a message, but I clearly see
the "Milter add: header: X-Spam-Status:" in the mail log.

For example, this is in the mail.log but nothing in the message received:

Jan 22 13:47:56 strange sm-mta[22301]: w0MIlSrP022301[1]: Milter add: header: X-Spam-Report: \n\t* -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low\n\t* trust\n\t* [65.79.165.125 listed in list.dnswl.org]\n\t* 1.0 GENERIC_IXHASH No description available.\n\t* -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay\n\t* domain\n\t* -0.0 SPF_PASS SPF: sender matches SPF record\n\t* 0.0 HTML_MESSAGE BODY: HTML included in message\n\t* -4.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n\t* [score: 0.]\n\t* 0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts\n\t* 1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)\n\t* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily\n\t* valid\n\t* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's\n\t* domain\n\t* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature\n\t* 0.5 MISSING_MID Missing Message-Id: ...
Jan 22 13:47:56 strange sm-mta[22301]: w0MIlSrP022301[2]: header\n\t* 1.4 MISSING_DATE Missing Date: header
Jan 22 13:47:56 strange sm-mta[22301]: w0MIlSrP022301: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on\n\texample.org

Is it possible that the headers were too long? Why would it not
actually follow through and modify the message?


Re: maillist.pm module ?

2017-12-22 Thread Michael Storz

Am 2017-12-22 12:04, schrieb Axb:

On 12/22/2017 10:58 AM, Michael Storz wrote:

Am 2017-12-21 18:08, schrieb Axb:

On 12/21/2017 05:20 PM, Benny Pedersen wrote:

RW skrev den 2017-12-21 17:12:

On Thu, 21 Dec 2017 16:40:13 +0100
Benny Pedersen wrote:


is this plugin used at all ?

i see freemail defines __ml why does it not use maillist.pm to detect
maillists ?

asking since i have a own plugin where i like to use this plugin for
my own needs to detect maillist so my rules does not hit there


There's no such plugin in SA or in the list of custom plugins.

In a search there were two hits on a Maillist.pm which appear to be
unrelated to SA. All the other hits were from you.


https://apache.googlesource.com/spamassassin/+/bug-5293-pluginized-bayes/lib/Mail/SpamAssassin/MailingList.pm
i like to use this module, sorry it's not a plugin, but it is there

hope to bring it to life with a rule


don't understand the need for this when a handful of header rules do
just the same and way more efficiently.
What am I missing?


This is interesting. Can you explain why a handful of header rules 
would be more efficient than using a dedicated Perl module? I always 
thought the opposite would be true.


Michael


Why do you think the use of a dedicated Perl module would be the
better choice for this case?


Because header rules are another layer on top of Perl. Perl uses 
short-circuit evaluation for boolean operators whereas meta rules 
evaluate all terms. Several functions of HeaderEval.pm could be 
expressed by header rules, but they have been programmed as procedures.


Michael


Re: maillist.pm module ?

2017-12-22 Thread Michael Storz

Am 2017-12-21 18:08, schrieb Axb:

On 12/21/2017 05:20 PM, Benny Pedersen wrote:

RW skrev den 2017-12-21 17:12:

On Thu, 21 Dec 2017 16:40:13 +0100
Benny Pedersen wrote:


is this plugin used at all ?

i see freemail defines __ml why does it not use maillist.pm to detect
maillists ?

asking since i have a own plugin where i like to use this plugin for
my own needs to detect maillist so my rules does not hit there


There's no such plugin in SA or in the list of custom plugins.

In a search there were two hits on a Maillist.pm which appear to be
unrelated to SA. All the other hits were from you.


https://apache.googlesource.com/spamassassin/+/bug-5293-pluginized-bayes/lib/Mail/SpamAssassin/MailingList.pm
i like to use this module, sorry it's not a plugin, but it is there

hope to bring it to life with a rule


don't understand the need for this when a handful of header rules do
just the same and way more efficiently.
What am I missing?


This is interesting. Can you explain why a handful of header rules 
would be more efficient than using a dedicated Perl module? I always 
thought the opposite would be true.


Michael


Re: MSBL Email Blocklist (EBL) SA usage query

2017-12-05 Thread Michael Grant


On 5 December 2017 18:40:15 GMT-05:00, Benny Pedersen <m...@junc.eu> wrote:
>Michael Grant skrev den 2017-12-05 19:01:
>
>> loadplugin Mail::SpamAssassin::Plugin::HashBL HashBL.pm
>
>this line must not be in cf file but should be in pre file
>
># cat hashbl.pre
>loadplugin Mail::SpamAssassin::Plugin::HashBL 
>/path-to-custom-sa-plugins/HashBL.pm
>
># cat hashbl.cf
>> ifplugin Mail::SpamAssassin::Plugin::HashBL
>> header   HASHBL_EMAIL eval:check_hashbl_emails('ebl.msbl.org')
>> describe HASHBL_EMAIL Message contains email address found on the EBL
>> score    HASHBL_EMAIL 1.0
>> endif

interesting, because "as distributed" & installed on Debian, it's in our .cf 
file (and we've had no "problems"/"issues")!

But thanks for the comments.


Re: MSBL Email Blocklist (EBL) SA usage query

2017-12-05 Thread Michael Grant
N.B. that the HASHBL_EMAIL initial installed -- as distributed --
SCORE is set to a lowly 1 in hashbl.cf, viz.:

loadplugin Mail::SpamAssassin::Plugin::HashBL HashBL.pm

ifplugin Mail::SpamAssassin::Plugin::HashBL
header   HASHBL_EMAIL eval:check_hashbl_emails('ebl.msbl.org')
describe HASHBL_EMAIL Message contains email address found on the EBL
score    HASHBL_EMAIL 1.0
endif

Highly Recommended you up it to at least 5 (ours is presently set at 9).

In the many months we’ve been using the EBL SA Plugin we have yet to
see a single FP and with the 9 SCORE we are able to block this type
of drop box spam at the SMTP level with SA with scores at 15 or
greater!


Re: spamd Will Not Create unix:socket

2017-11-28 Thread Michael Orlitzky
On 11/27/2017 10:34 PM, Colony.three wrote:
>> ExecStartPre=/bin/chown -R spamd:spamd /run/spamassassin
>>
>> There's a root exploit for the "spamd" user in that last line. Assuming
>> you got the tmpfiles.d thing working, you should delete those
>> ExecStartPre commands.
> 
> Can you explain further please?
> 
> If this is true, someone should tell Red Hat that their
> /usr/lib/systemd/system/spamass-milter-root.service has the same problem.
> 

The "chown" command follows both symlinks and hardlinks by default. When
used with the "-R" flag, it only follows hardlinks, but that can still
be abused by the "spamd" user. The first time "chown -R" gets executed,
you give ownership of /run/spamassassin to the "spamd" user. The second
(and third, ...) time that the service is started, the "spamd" user owns
that directory and can place a hard link in it pointing to a root-owned
file. The "chown" call will then give root's file to the "spamd" user.

The exploit is trickier in this case because /run is on a tmpfs, and
because hard links can't cross filesystem boundaries. But I would bet
that you have something else sensitive in /run that can be used to gain
root.
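The failure mode explained above is that a recursive chown run on every service start re-owns whatever the service user has since placed inside the directory, hard links included. As an added example (not code from the thread, from Red Hat's unit file, or from SpamAssassin), here are two POSIX sh helpers a unit or init script can use instead: a pre-check that refuses a recursive chown when the directory already holds hard-linked or foreign-owned entries, and a creation helper that sets ownership on the directory itself only and never recurses. The service user and directory are passed as arguments; the test builds its own temporary directories.

```shell
#!/bin/sh
# Added example (not from the thread): safer handling of a service runtime
# directory such as /run/spamassassin, replacing
#   ExecStartPre=mkdir DIR ; ExecStartPre=chown -R USER:USER DIR

# Return 0 if DIR is safe to "chown -R" to USER, 1 otherwise.
# Unsafe means any regular file below DIR with a link count above 1 (a hard
# link, possibly to a file owned by someone else on the same filesystem) or
# any entry not already owned by USER. Offending paths are printed to stderr.
runtime_dir_is_clean() {
    dir=$1
    user=$2
    id "$user" >/dev/null 2>&1 || return 1      # unknown user: refuse
    [ -d "$dir" ] || return 0                   # nothing there yet
    # -mindepth 1: judge the contents, not the directory inode itself.
    bad=$(find "$dir" -mindepth 1 \( -type f -links +1 -o ! -user "$user" \) -print)
    if [ -n "$bad" ]; then
        printf 'refusing to chown -R %s, suspicious entries:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# Create DIR for USER without recursing into existing contents.
# "install -d" acts on the directory itself only, never on what is inside it,
# so nothing the service user placed there is re-owned. Ownership can only be
# assigned when running as root; otherwise the directory is just created.
create_runtime_dir() {
    dir=$1
    user=$2
    runtime_dir_is_clean "$dir" "$user" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        install -d -m 0755 -o "$user" -g "$(id -gn "$user")" "$dir"
    else
        install -d -m 0755 "$dir"
    fi
}
```

On a systemd host neither helper is needed: `RuntimeDirectory=spamassassin` together with `User=spamd` in the unit, or a tmpfiles.d line such as `d /run/spamassassin 0755 spamd spamd -`, creates the directory with the right owner on each boot without any chown in the start path, which is what the reply recommends.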


Re: spamd Will Not Create unix:socket

2017-11-27 Thread Michael Orlitzky
On 11/27/2017 11:53 AM, Colony.three wrote:
> 
> It simply would not create /run/spamassassin directory on boot.  It is
> supposed to create it automatically like clamd does, since /run is wiped
> at each boot.  To make it work I finally had to add:
> ExecStartPre=/usr/bin/mkdir /run/spamassassin
> ExecStartPre=/bin/chown -R spamd:spamd /run/spamassassin
> 

There's a root exploit for the "spamd" user in that last line. Assuming
you got the tmpfiles.d thing working, you should delete those
ExecStartPre commands.


Re: How to view bayesian database in legible text

2017-11-13 Thread Michael Parker


> On Nov 9, 2017, at 10:15 AM, Emanuel <emanuel.gonza...@donweb.com> wrote:
> I am interested in seeing the bayes info in the database, because it was 
> created years ago
> 
> 

There does exist a plugin that allows you to fill in the actual text for the 
hashed value.

https://wiki.apache.org/spamassassin/UnmaintainedCustomPlugins

CollectTokens.pm - Unfortunately it doesn’t seem to be there anymore and my 
googling foo didn’t find any traces, maybe you’ll have better luck.

Here is the original thread where someone basically asks the same question as 
you.

http://spamassassin.1065346.n5.nabble.com/getting-Bayes-token-data-from-spamassassin-td30092.html

As others have said, it’s impossible to reverse the hash, the plugin just fills 
in the value once it figures it out.

Michael




Re: Oracle Eloqua.com marketing emails

2017-10-22 Thread Michael Orlitzky
On 10/22/2017 09:31 AM, David Jones wrote:
> 
> You hard-coded the IPs based on their current SPF record?  What if 
> things change and they start sending out different servers/IPs?

If they add IPs, then either,

  a) I never know because we don't get spam from them -- great.
  b) We get spam from them, and I track down and block the new IPs.

If they release some of their IPs on the market, whoever buys them will
have to complain (our postmaster address is in the rejection message).


Re: Oracle Eloqua.com marketing emails

2017-10-22 Thread Michael Orlitzky
On 10/21/2017 11:23 AM, David Jones wrote:
> Anyone have any experience with eloqua.com marketing emails and handle 
> these with custom local rules?

We blocked some of their space back in 2013 with no complaints, and
thanks to their SPF record, just blocked a bunch more.


Re: MSBL Email Blocklist (EBL) SA usage query

2017-10-15 Thread Michael Grant
Hi Kevin

I will tell you that in the many months we’ve been using the EBL SA plugin, we
have yet to see a FP, and thus have raised its initial SA score of 1 up
to 5 and then again presently to 9.  The EBL has been wildly successful for
us at catching, and now blocking, this type of drop box spam at the SMTP
level, which we do with SA for messages that score 15 or greater.

This would definitely be a good thing to include in the spamassassin
distribution if possible!

Michael

On 15 October 2017 at 13:22, Kevin A. McGrail <kevin.mcgr...@mcgrail.com>
wrote:

> I use a private plugin that does the same thing and have asked a few times
> for them to consider contributing it.
>
> Perhaps this will encourage them to finally do so. I will take a look at
> msbl and ping the other.
>
> Thanks for pointing this out.
> Regards,
> KAM
>
>
> On October 15, 2017 6:01:31 AM EDT, Michael Grant <michael.gr...@gmail.com>
> wrote:
>>
>> Has anyone tried out the MSBL Email Blocklist (EBL) HashBL.pm with
>> Spamassassin from msbl.org and possibly considered packaging this module
>> (available from this page: http://msbl.org/ebl-implementation.html) with
>> SpamAssassin (perhaps in a forthcoming release)?  rSpamD already has
>> internal support for the EBL. So I believe the MSBL folks are for this sort
>> of thing in general.
>>
>> This plugin looks through the message (not just headers) for email
>> addresses which have been identified as email drop boxes for scams like 419
>> advance fee fraud.  It then looks up hashes of these addresses in a
>> blocklist.
>>
>> I'm not affiliated with these folks.  I do however use this module in my
>> setup and find it catches a bunch of things we wouldn't have
>> otherwise caught.
>>
>> Michael Grant
>>
>


MSBL Email Blocklist (EBL) SA usage query

2017-10-15 Thread Michael Grant
Has anyone tried out the MSBL Email Blocklist (EBL) HashBL.pm with
Spamassassin from msbl.org and possibly considered packaging this module
(available from this page: http://msbl.org/ebl-implementation.html) with
SpamAssassin (perhaps in a forthcoming release)?  rSpamD already has
internal support for the EBL. So I believe the MSBL folks are for this sort
of thing in general.

This plugin looks through the message (not just headers) for email
addresses which have been identified as email drop boxes for scams like 419
advance fee fraud.  It then looks up hashes of these addresses in a
blocklist.

I'm not affiliated with these folks.  I do however use this module in my
setup and find it catches a bunch of things we wouldn't have
otherwise caught.

Michael Grant


Re: FROM header with two email addresses

2017-10-04 Thread Michael Storz

Am 2017-10-02 19:43, schrieb David Jones:

On 09/27/2017 09:52 AM, Kevin A. McGrail wrote:


I recently stumbled onto a mail with a Spam link where the FROM 
header field looked like this:


From: "Firstname Lastname@" sendern...@real-senders-domain.com>


Jakob, just wanted to let you know I identified this issue as well and 
just opened a ticket about it yesterday to try and figure out a rule 
against it.  Can you send me spamples via pastebin, please?



Regards,
KAM



I am seeing this more and more on my SA filters and being reported by
my customers:

https://pastebin.com/f07Gq1kZ

https://pastebin.com/FMsJNGba



These are typical examples of the emails sent by a botnet since at 
least May this year. You can catch these mostly with a simple rule:


header __LRZ_BND_MS        Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
header __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta   LRZ_HEADER_SPAM_99  (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)

Regards,
Michael


Re: apache.org have URIBL_BLOCKED now :/

2017-08-08 Thread Michael Orlitzky
On 08/08/2017 02:32 PM, Benny Pedersen wrote:
> subj might concern infra staff
> 
> forward please to infra
> 

URIBL_BLOCKED means that the URIBL refused your DNS query:

  http://uribl.com/refused.shtml

The name "apache.org" isn't blacklisted, and there's nothing apache can
do to fix it. You need to make your DNS queries from somewhere else,
probably.


Re: Direct download link detection - new variant

2017-07-26 Thread Michael Storz

Am 2017-07-26 17:22, schrieb Dianne Skoll:

On Wed, 26 Jul 2017 17:15:43 +0200
Michael Storz <michael.st...@lrz.de> wrote:

[...]


/boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/


You may get FPs.  See for example
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails==sk105578

I am guessing that boundary is generated by a library that's also used
for legitimate purposes.



The boundary is a standard Microsoft Outlook boundary. You can't score 
on the boundary alone. But if you score on the meta rule a FP is 
unlikely. Just try it.


Regards,
Michael


Re: Direct download link detection - new variant

2017-07-26 Thread Michael Storz

Am 2017-07-26 15:08, schrieb Dianne Skoll:

On Tue, 25 Jul 2017 08:36:22 -0400
Dianne Skoll <d...@roaringpenguin.com> wrote:


All of the URLs match this pattern:



/\/[A-Z]{4}\d{6}\/$/


We see a new variant with the subject "Your Virgin Media bill is ready" and
URLs that match:

uri __RP_D_00108_03 /\/\d{12}\/[A-Z]{6}\/?$/

Regards,

Dianne.


Nearly all of these spammails can be blocked with

header  __LRZ_BND_MS        Content-Type =~ /boundary="-{4}=_NextPart_000_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}"/
header  __LRZ_MSGID_SPAM_99 MESSAGEID =~ /<\d{8,13}\.2017\d{6,11}\@/
meta    LRZ_HEADER_SPAM_99  (__LRZ_MSGID_SPAM_99 && __LRZ_BND_MS)


The version before had a different boundary

header  __LRZ_BND_HU32      Content-Type =~ /boundary="[0-9A-F]{32}"/


Regards,
Michael


Re: updates.spamassassin.org gone?

2017-07-06 Thread Michael Da Cova

Hi

I get the same, who do we report it to


Michael


On 06/07/17 09:06, Rainer Sokoll wrote:

Hi,

for at least the last 2 days, updates.spamassassin.org does not resolve anymore:

~$ host updates.spamassassin.org.
~$

But note:

~$ host nonexistent.spamassassin.org.
Host nonexistent.spamassassin.org. not found: 3(NXDOMAIN)
~$

Meaning: no updates for SA anymore?

Rainer


--
Michael Da Cova, Technical Support Manager
NetPilot Internet Security Ltd.

www.netpilot.com

+44 (0)117 335 7335 | +44 (0)7990887629
https://uk.linkedin.com/in/michael-da-cova-5427969



Re: bayes sql: bayes_seen needs UPDATE

2017-06-24 Thread Michael Parker
Jesse,

Thanks for the report.  For sure get this into Bugzilla once you get the 
account setup.

Please make sure you include which version of MySQL you are running as well.

The Bayes SQL stuff hasn’t been updated in many, many years. It might be that 
MySQL changed the permissions for INSERT ... ON DUPLICATE KEY UPDATE to require 
UPDATE as well, but this is just a theory.

Michael

> On Jun 22, 2017, at 1:49 PM, Jesse Norell <je...@kci.net> wrote:
> 
> Hello,
> 
> I'm working on converting a spam training script/setup which works with
> bayes dbm files to support sql bayes, and came across an error in the
> grants in the README.bayes file at:
> 
>  GRANT SELECT, DELETE, INSERT ON TABLE bayes_seen TO ;
> 
> I'm using the MySQL driver (maybe it matters), and UPDATE permission is
> needed on bayes_seen to avoid:
> 
>write(6, "\257\0\0\0\3INSERT INTO bayes_seen (id, msgid, flag)\n   
>   VALUES 
> ('2','2d74cc15f332ac5a1789ac7d979ef9320ac98d80@sa_generated','s')\n\t ON 
> DUPLICATE KEY UPDATE flag=VALUES(flag)", 179) = 179
>read(6, "X\0\0\1\377v\4#42000UPDATE command denied to user 
> 'spamassassin'@'localhost' for table 'bayes_seen'", 16384) = 92
> 
> I never did see any error printed by sa-learn on that, I just happened
> to catch it in tracing sa-learn to see what takes so long.  After
> granting UPDATE permission I see a few quirks with bayes_seen disappear,
> where re-learning the same message shows an increase in nspam or nham
> count (and entries in bayes_seen are duplicated), where using dbm files
> showed the counts stayed the same.  I was hoping for a performance
> improvement too, but not seeing much change there yet (though I don't
> have much of a baseline on this new system).
> 
> I'm running 3.4.1-6~bpo8+1 from jessie-backports, but README.bayes is
> the same:
> https://svn.apache.org/repos/asf/spamassassin/trunk/sql/README.bayes
> 
> 
> Thanks,
> Jesse
> 
> 
> (I've been waiting a few hours on a bugzilla email so haven't yet added
> this to the bug tracker.)
> 
> 
> -- 
> Jesse Norell
> Kentec Communications, Inc.
> 970-522-8107  -  www.kci.net
> 



FREEMAIL_REPLYTO

2017-03-09 Thread Michael Grant
We find FREEMAIL_REPLYTO to be quite successful at weeding out spam, so we
raised it up to 9.1, i.e. with this in local.cf:

score FREEMAIL_REPLYTO 9.1

However, it causes a false positive with FREEMAIL_REPLYTO and it got me
very curious:

Here's a sanitized minimal example that triggers this (indented by 4
spaces):

Date: Wed, 8 Mar 2017 03:20:05 + (UTC)
From: Winston 
To: Kipper 
Subject: foo
Reply-To: Winston 

> From: Kipper 
> To: Winston , innocentbystan...@ymail.com
> Subject: bar

Reports:

*  9.1 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain
different
*  freemails

The problem is caused by innocentbytan...@ymail.com IN THE BODY!

This seems a bit overzealous.  It seems like a bit of an over-reach to look
at headers in the BODY of the message.

This is an excellent rule except for this rude message body cavity search!

I suggest only searching the headers in this rule.

If you really feel it ought to search the body like this, can you please
split it into 2 rules:
  1) the existing rule which searches the body+headers, and
  2) a second that only searches the headers.
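
The two readings of the rule side by side, as an added example (Python; a model of the comparison, not the FreeMail plugin's code). One check compares freemail addresses in Reply-To against From only; the other also scans the body, which is what turns the quoted address in the example above into a hit. The freemail domain list is a small constructed subset, the messages are constructed (the first mirrors the sanitized example in the post, the second is the 419 pattern the rule is meant for), and single-part text/plain bodies are assumed.

```python
import email
import email.policy
import re

# Constructed subset of a freemail_domains list; SA ships a far longer one.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "ymail.com", "hotmail.com"}
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def freemail_addrs(text):
    """Lower-cased addresses in text whose domain is on the freemail list."""
    found = set()
    for m in ADDR_RE.finditer(text or ""):
        addr = m.group(0).lower()
        if addr.rsplit("@", 1)[1] in FREEMAIL_DOMAINS:
            found.add(addr)
    return found


def freemail_replyto(raw, scan_body):
    """Hit when Reply-To carries a freemail address and a *different*
    freemail address appears in From (headers only) or, with scan_body=True,
    in From or the body. Returns (hit, offending_addresses)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    replyto = freemail_addrs(str(msg.get("Reply-To", "")))
    if not replyto:
        return False, set()
    compare = freemail_addrs(str(msg.get("From", "")))
    if scan_body:
        compare |= freemail_addrs(msg.get_payload())  # single-part text assumed
    offending = compare - replyto
    return bool(offending), offending


# Constructed messages. FP_MSG mirrors the post's example: the only foreign
# freemail address sits inside quoted text in the body.
FP_MSG = """\
Date: Wed, 8 Mar 2017 03:20:05 +0000 (UTC)
From: Winston <winston@gmail.com>
To: Kipper <kipper@example.org>
Subject: foo
Reply-To: Winston <winston@gmail.com>

> From: Kipper <kipper@example.org>
> To: Winston <winston@gmail.com>, innocentbystander@ymail.com
> Subject: bar
"""

# The pattern the rule targets: From at one freemail, replies diverted to another.
SCAM_MSG = """\
From: "Barrister" <barrister.office@yahoo.com>
To: victim@example.org
Subject: urgent
Reply-To: <claims.desk.2017@gmail.com>

Kindly respond to the reply address for the transfer.
"""

if __name__ == "__main__":
    for label, msg in (("FP example", FP_MSG), ("419 example", SCAM_MSG)):
        print(label, "headers only:", freemail_replyto(msg, scan_body=False))
        print(label, "with body:   ", freemail_replyto(msg, scan_body=True))
```

The header-only variant still catches the 419 message and leaves the forwarded-quote message alone, which is the split the post asks for.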


Re: Uninitialized values in URIDNSBL

2017-02-08 Thread Michael Orlitzky
On 02/08/2017 02:08 PM, Kevin A. McGrail wrote:
> On 2/8/2017 1:22 PM, Philip Prindeville wrote:
>> While we’re waiting for that, can I just grab Util.pm and 
>> Plugin/URIDNSBL.pm out of trunk, or are there more dependencies than 
>> that to splice the fix back into 3.4.1?
> I wouldn't be able to say.  Either custom patch or run trunk would be my 
> recommendation.
> 

I posted a custom patch to our Gentoo bug at

  https://590338.bugs.gentoo.org/attachment.cgi?id=452626

But as the warning in the comment states:

  * I don't know perl.
  * I haven't even tried it.

Give it a try if you're desperate =)



Re: Legit Yahoo mail servers list

2017-01-26 Thread Michael Orlitzky
On 01/26/2017 02:53 PM, David Jones wrote:
> 
> I  understand what their SPF record means and how it works
> but what they are publishing in their SPF record is not common.
> Normally this would expand out to a list of IPs and CIDRs or DNS
> records that can be turned into IPs that postwhite can use to build
> a list for bypassing RBL checks.
> 

Are the problematic RBL checks performed by Postfix, or by SpamAssassin?

The possibilities for whitelisting in SpamAssassin are a lot more
flexible, so if I were you, I would tweak postscreen (or my smtpd
restrictions) to the point where it causes no false positives. Then
SpamAssassin can be configured to do the same level of RBL checks that
are occasionally causing false positives now. The double lookups aren't
expensive because they're cached locally. And the false positives are
easy to deal with in SA, where for example you have access to the result
of SPF.

If you can get it to the point where SA is the one blocking Yahoo, then
all you have to do is add a meta rule that subtracts a few points when
the sender's domain belongs to Yahoo and the SPF_PASS rule hits.



Re: Legit Yahoo mail servers list

2017-01-26 Thread Michael Orlitzky
On 01/26/2017 01:29 PM, Reindl Harald wrote:
> 
> SPF_NEUTRAL will NEVER hit SPF_PASS and that's the problem with ?all
> 

SPF mechanisms are evaluated in order, and each one has a result type
associated with it. The default result is "+" for "pass". Another type
of result is "?" for "neutral."

The record,

  v=spf1 ptr:yahoo.com ptr:yahoo.net ?all

is equivalent to

  v=spf1 +ptr:yahoo.com +ptr:yahoo.net ?all

and it means

  a) PASS if "ptr:yahoo.com" matches
  b) PASS if "ptr:yahoo.net" matches
  c) NEUTRAL if "all" matches
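
The left-to-right evaluation described above, carried out in code, as an added example (Python; not code from any SPF library or from the posts). It models only the terms that appear in the thread, `ptr`, `all`, `redirect=`, plus `ip4` for contrast, over a constructed DNS view (assumption for the example, not real Yahoo data): a PTR name only counts when it forward-resolves back to the connecting IP, as RFC 7208 section 5.5 requires, so a forged reverse name falls through to `?all` and gets NEUTRAL rather than PASS.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS view for the example (assumption, not live data): TXT for
# the SPF records, PTR for reverse lookups, A for forward confirmation.
DNS = {
    "txt": {
        "yahoo.com": "v=spf1 redirect=_spf.mail.yahoo.com",
        "_spf.mail.yahoo.com": "v=spf1 ptr:yahoo.com ptr:yahoo.net ?all",
        "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    },
    "ptr": {
        "198.51.100.10": ["mta1.mail.yahoo.com"],
        "198.51.100.11": ["mta2.yahoo.net"],
        "203.0.113.7": ["mail.yahoo.com"],  # forged reverse name, see "a"
        "203.0.113.8": [],
    },
    "a": {
        "mta1.mail.yahoo.com": ["198.51.100.10"],
        "mta2.yahoo.net": ["198.51.100.11"],
        "mail.yahoo.com": ["198.51.100.99"],  # does not confirm 203.0.113.7
    },
}


def validated_names(ip, dns):
    """RFC 7208 s5.5: only reverse names that also forward-resolve to the
    connecting IP count, so a forged PTR alone buys the sender nothing."""
    return [n for n in dns["ptr"].get(ip, []) if ip in dns["a"].get(n, [])]


def ptr_matches(ip, target, dns):
    target = target.lower().rstrip(".")
    return any(n.lower() == target or n.lower().endswith("." + target)
               for n in validated_names(ip, dns))


def check_spf(ip, domain, dns, depth=0):
    """Walk the record left to right; the first mechanism that matches
    decides, and its qualifier (implicit '+') is the result. redirect= is
    consulted only when nothing matched. Returns (result, deciding term)."""
    if depth > 10:
        return "permerror", None
    record = dns["txt"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", None
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ptr":
            matched = ptr_matches(ip, arg or domain, dns)
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror", term  # mechanism not modelled in this example
        if matched:
            return QUALIFIERS[qual], f"{qual}{name}" + (f":{arg}" if arg else "")
    if redirect:
        return check_spf(ip, redirect, dns, depth + 1)
    return "neutral", None


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.11", "203.0.113.7", "203.0.113.8"):
        print(ip, check_spf(ip, "yahoo.com", DNS))
```

The deciding term is returned with its qualifier spelled out, so `ptr:yahoo.com` comes back as `+ptr:yahoo.com`: the PASS is real, and `?all` only ever decides for senders the `ptr` mechanisms did not match.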



Re: Legit Yahoo mail servers list

2017-01-26 Thread Michael Orlitzky
On 01/26/2017 12:59 PM, Reindl Harald wrote:
> 
> 
> Am 26.01.2017 um 18:51 schrieb Michael Orlitzky:
>> On 01/26/2017 12:22 PM, David Jones wrote:
>>> ...
>>> They don't publish a good SPF record so I am not able to add
>>> them to my postwhite list.
>>>
>>
>> Isn't that what their SPF record does?
> 
> did you notice the "?all"
> re-read your spf manuals
> 

The OP is looking for a way to whitelist so the "?all" is irrelevant.
Does the sending IP pass the SPF check? If so, whitelist it.



Re: Legit Yahoo mail servers list

2017-01-26 Thread Michael Orlitzky
On 01/26/2017 12:22 PM, David Jones wrote:
> Anyone know how to get a list of legit mail servers for Yahoo?
> They don't publish a good SPF record so I am not able to add
> them to my postwhite list.
> 
> # dig yahoo.com txt +short
> "v=spf1 redirect=_spf.mail.yahoo.com"
> # dig _spf.mail.yahoo.com txt +short
> "v=spf1 ptr:yahoo.com ptr:yahoo.net ?all"
> 
> The only way I can think of even coming close is to analyse
> my mail logs for clean mail IPs with PTR values ending in
> yahoo.com and yahoo.net. 

Isn't that what their SPF record does?




Re: sa-learn seems to ignore auto_whitelist_path directive for global txrep database

2017-01-20 Thread Michael Meier

I just switched from AWL to txrep. It seems to be working properly
from amavis, the only problem I've got, is that sa-learn seems to
ignore the auto_whitelist_path directive in local.cf .
It doesn't matter to what I set it, sa-learn always updates
/root/.spamassassin/tx-reputation



https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7383


Thanks a lot for the quick answer :-). I didn't find that one over 
google search.





(I'm running the command as root).


that doesn't sound good.


only for testing purposes...

