Re: learn ham
Each minute it learns the messages of the last minute, so it reads and learns each message only once. The messages are those sent from internal, so it learns that those words are not spam. Internal messages are not spam.

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original Message-----
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Thursday, 5 January 2017 17:35
To: users@spamassassin.apache.org
Subject: Re: learn ham

On Thu, 5 Jan 2017, Marc Stürmer wrote:

> On 2017-01-04 10:58, Nicola Piazzi wrote:
>
>> I found it useful to put in cron a little script like this
>>
>> Each minute cron launches this script that takes messages of the last
>> minute, reading from the maillog database
>
> What's the purpose of this script, what's the reasoning behind running
> this thingie every minute?
>
> What you do is training the Bayes filter every minute. Training a
> filter is something which should never be done unattended, but always
> supervised, because if not you will get bad results over time.

The execution of the training program can safely be automated, though I'd agree once per minute is a bit excessive. The classification of messages into the folders that are trained from is what needs manual supervision.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org                                  FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Individual liberties are always "loopholes" to absolute authority.
---
381 days since the first successful real return to launch site (SpaceX)
learn ham
I found it useful to put in cron a little script like this.

Each minute cron launches this script, which takes the messages of the last minute, reading from the maillog database. Then it searches the filesystem for the related message and learns it as ham. So words that come from our company are classified as good when someone resends them.

In this example I use the IP of my Exchange server to learn ham, but it can be anything.

    #!/bin/bash
    # learn.local.ham.sh
    # It learns HAM from messages sent from the internal network in the latest minute
    # Put in cron every 1 minute
    # * * * * * /batch/learn.local.ham.sh

    # Variables
    Q="/var/spool/MailScanner/quarantine"    # Quarantine folder
    L="/usr/bin/sa-learn --ham --no-sync"    # Message learn command

    # START
    # Message ids of mail that came from the internal server in the last minute
    vsql="SELECT id FROM maillog WHERE clientip = '10.1.1.126' AND timestamp > DATE_SUB(now(), INTERVAL 1 MINUTE);"
    # -p without a value prompts for the password; under cron it has to come
    # from the cron user's ~/.my.cnf, otherwise the query silently fails
    m=( $( echo "$vsql" | mysql -N -u root -p -D mailscanner ) )

    # Scan array and learn ham
    for i in "${m[@]}"; do
        echo "$i"
        # find the quarantined file(s) named after the message id
        ii=$(find "$Q" -type f -name "$i")
        check=${#ii}
        if [ "$check" -gt 1 ] ; then
            echo "$ii"
            # unquoted on purpose: several matches become several arguments
            $L $ii
        fi
    done

Nicola Piazzi
Re: Detecting Valid Message Replies
Please take a look at this plugin: http://saplugin.16mb.com/

Nicola Piazzi

-----Original Message-----
From: Christoffer G. Thomsen [mailto:li...@cgt.name]
Sent: Tuesday, 3 January 2017 14:12
To: users@spamassassin.apache.org
Subject: Re: Detecting Valid Message Replies

On 2017-01-03 12:11, Rob Gunther wrote:
> Has anyone ever seen anything like that before for SA? Does it exist
> already or any type of plugin etc?

It's not SpamAssassin, but Rspamd (https://rspamd.com/) has a plugin called 'replies' that stores message IDs of outgoing mails in Redis. If an incoming mail is a reply to a known outgoing message ID, the plugin will whitelist the incoming mail. It could probably be adapted to be used in the opposite way too, to blacklist or increase score for mails that reply to unknown message IDs. Perhaps a similar approach could be used in a SA plugin.

Of course this does require a database, but at least you don't have to modify the MTA's message IDs (or become the MTA).
Password Protected Archives
Hi,
Is there a rule that catches a PASSWORD PROTECTED ARCHIVE attached? I don't want to block it in MailScanner but catch it in a RULE to mix with other rules.

Nicola Piazzi
Re: rbl check
OK, it seems that the RBLs are disabled, but what about the URIBL check, is that correct?

Nicola Piazzi

-----Original Message-----
From: Benny Pedersen [mailto:m...@junc.eu]
Sent: Friday, 18 November 2016 18:27
To: users@spamassassin.apache.org
Subject: Re: rbl check

Nicola Piazzi wrote on 2016-11-18 16:59:

> I use spamassassin in incoming and outgoing emails

+1

> Outgoing emails come from an internal ip

setup internal_networks and trusted_networks in local.cf

see more info in perldoc Mail::SpamAssassin::Conf

spamassassin needs to know ALL your wan ips, no exception

> Is there a way to avoid rbl checks when it come from an ip class ?

rbl will be disabled on trusted networks
rbl check
I use SpamAssassin on incoming and outgoing emails. Outgoing emails come from an internal IP. Is there a way to avoid RBL checks when mail comes from an IP class?

Nicola Piazzi
Additional great BlackList to use
Here are some results of some 'unconventional' RBLs that worked great in my system. I tested spam/ham in the most true mode possible, adding the score that each rule gives to the count that considers a message spam. For example, if a rule has a score of 5, I count as spam the emails that hit this rule and have a score of 4 (default) + 5 (rule score) = 9.

Here in order:

[McAfee] (Absolutely the best, and I think that very few people know it)
Total Hit 10.779   Spam 10.766   Ham 13   Accuracy Very High 99,9%   Volume Very High 5,0%

    header   C_RBL_MCAFEE eval:check_rbl('mcafee-lastexternal', 'cidr.bl.mcafee.com.')
    describe C_RBL_MCAFEE Listed in cidr.bl.mcafee.com
    tflags   C_RBL_MCAFEE net
    score    C_RBL_MCAFEE 7.00

[imp.ch]
Total Hit 330   Spam 329   Ham 1   Accuracy Very High 99,7%   Volume Very Low 0,2%

    header   C_RBL_IMP_SPAMLIST eval:check_rbl('spamrbl-lastexternal', 'spamrbl.imp.ch.', '127.0.0.5')
    describe C_RBL_IMP_SPAMLIST Listed in spamrbl.imp.ch
    tflags   C_RBL_IMP_SPAMLIST net
    score    C_RBL_IMP_SPAMLIST 3.00

[psky]
Total Hit 13.027   Spam 12.939   Ham 88   Accuracy Very High 99,3%   Volume Very High 6,0%

    header   __C_RBL_PSKY eval:check_rbl('bad-psky-me-lastexternal','bad.psky.me.')
    describe __C_RBL_PSKY Check bad.psky.me
    tflags   __C_RBL_PSKY net
    reuse    __C_RBL_PSKY

    header   C_RBL_PSKY_BAD eval:check_rbl_sub('bad-psky-me-lastexternal', '127.0.0.3')
    describe C_RBL_PSKY_BAD Listed in psky.me - Bad
    score    C_RBL_PSKY_BAD 2.80
    tflags   C_RBL_PSKY_BAD net
    reuse    C_RBL_PSKY_BAD

    header   C_RBL_PSKY_POOR eval:check_rbl_sub('bad-psky-me-lastexternal', '127.0.0.2')
    describe C_RBL_PSKY_POOR Listed in psky.me - Poor
    score    C_RBL_PSKY_POOR 0.80
    tflags   C_RBL_PSKY_POOR net
    reuse    C_RBL_PSKY_POOR

[Gbudb]
Total Hit 4.946   Spam 4.891   Ham 55   Accuracy High 98,9%   Volume High 2,3%

    header   C_RBL_GBUDB eval:check_rbl('truncate-lastexternal', 'truncate.gbudb.net.')
    describe C_RBL_GBUDB Listed in truncate.gbudb.net
    tflags   C_RBL_GBUDB net
    score    C_RBL_GBUDB 5.00

[Inps.de]
Total Hit 7.963   Spam 7.774   Ham 189   Accuracy High 97,6%   Volume High 3,7%

    header   C_RBL_DNSBL_INPS_DE eval:check_rbl('inps-de-lastexternal','dnsbl.inps.de.')
    describe C_RBL_DNSBL_INPS_DE Received via a relay in inps.de DNSBL
    tflags   C_RBL_DNSBL_INPS_DE net
    score    C_RBL_DNSBL_INPS_DE 3.00

[Blocklist.de]
Total Hit 330   Spam 321   Ham 9   Accuracy High 97,3%   Volume Very Low 0,2%

    header   C_RBL_BLOCKLIST_DE eval:check_rbl('bl.blocklist.de-lastexternal','bl.blocklist.de.')
    describe C_RBL_BLOCKLIST_DE Listed in bl.blocklist.de
    tflags   C_RBL_BLOCKLIST_DE net
    score    C_RBL_BLOCKLIST_DE 1.00

[Wpbl]
Total Hit 7.404   Spam 7.092   Ham 312   Accuracy High 95,8%   Volume Very High 3,4%

    header   C_RBL_WPBL eval:check_rbl('wpbl-lastexternal', 'db.wpbl.info.')
    describe C_RBL_WPBL Listed in db.wpbl.info
    tflags   C_RBL_WPBL net
    score    C_RBL_WPBL 2.50

[NiX Spam]
Total Hit 6.375   Spam 6.056   Ham 319   Accuracy Medium 95,0%   Volume High 2,9%

    header   C_RBL_WPBL eval:check_rbl('wpbl-lastexternal', 'db.wpbl.info.')
    describe C_RBL_WPBL Listed in db.wpbl.info
    tflags   C_RBL_WPBL net
    score    C_RBL_WPBL 2.50

Nicola Piazzi
learn ham from internal messages
I use the same box for internal mail delivery. I shortcircuit internal messages that come from an internal IP. I noticed that Bayes never learns from internal messages; if I take one and run sa-learn --ham on it, it answers that it has learned. Is it possible to learn automatically?

Nicola Piazzi
Useful and simple script to reduce high spam load at mta level, what do you think
This script can be used if you have MailScanner recording the results of SpamAssassin activity in a MySQL database, and Postfix as MTA.

    #!/bin/bash
    # postban.sh
    # Temporary Ban SpamOnly Ip
    # -------------------------
    #
    # This script creates a table for postfix that bans IPs that made high spam results only
    #
    # 1) Put this script anywhere and set your parameters
    # 2) Put in crontab a line like this to run every 15 minutes :
    #    */15 * * * * /batch/postban.sh
    # 3) Modify your main.cf in postfix at this line like here and then postfix reload :
    #    smtpd_client_restrictions = (OTHER YOUR PARAMETERS) check_client_access hash:/etc/postfix/postban_access

    # Start time
    start=$(date +%s)

    # Parameters
    ROOTPWD="YOUR MYSQL PWD"   # the password is visible in the process list; ~/.my.cnf avoids that
    VSCORESPAM=9               # Search for IPs that have more than VSCORESPAM score
    VMINSPAM=3600              # In the last VMINSPAM minutes
    VSCOREHAM=5                # But exclude if the IP sent a message that has less than VSCOREHAM
    VMINHAM=14400              # In the last VMINHAM minutes
    # In the default config it blocks IPs that sent email with a score above 9
    # in the last 3600 minutes (60 hours), but excludes an IP that sent a mail
    # in the last 10 days (14400 minutes) with a score below 5
    VLOGFILE=/batch/postban.log                                  # Logfile position
    VACCFILE=/etc/postfix/postban_access                         # Access file position
    RJMESSAGE="Il server utilizzato invia troppo spam"           # Reject Message ("the sending server sends too much spam")
    CMDPOSTMAP="/usr/sbin/postmap /etc/postfix/postban_access"   # Postmap command

    # Date & Time
    NOW=$(date +"%m-%d-%Y %r")

    # Touching log file
    touch "$VLOGFILE"

    # Main selection query, table mailscanner: external IPs with recent high-score mail
    S1="SELECT clientip \
        FROM mailscanner.maillog \
        WHERE timestamp > DATE_SUB(now(), INTERVAL $VMINSPAM MINUTE) \
          AND spamwhitelisted = 0 \
          AND clientip NOT LIKE '10.%' \
          AND clientip NOT LIKE '192.168.%' \
          AND sascore > $VSCORESPAM \
        GROUP BY clientip;"

    echo "# Generated by postban.sh $start" > "$VACCFILE"
    f=0; ff=0
    res1=( $(mysql -N -u root -p"${ROOTPWD}" -e "${S1}") )
    cnt=${#res1[@]}
    for (( i=0 ; i<cnt ; i++ )); do
        #echo "Found line $i ${res1[i]}"
        CLIP=${res1[i]}
        # Did the same IP also send low-score (ham) mail in the longer window?
        S2="SELECT clientip \
            FROM mailscanner.maillog \
            WHERE timestamp > DATE_SUB(now(), INTERVAL $VMINHAM MINUTE) \
              AND clientip = '${CLIP}' \
              AND sascore < $VSCOREHAM \
            GROUP BY clientip;"
        #echo "$S2"
        res2=$(mysql -N -u root -p"${ROOTPWD}" -se "$S2")
        #echo "$res2"
        let "f++"
        if [[ -z "$res2" ]] ; then
            let "ff++"
            #echo "Not found ham so write spam ip $CLIP"
            echo "$CLIP REJECT $RJMESSAGE" >> "$VACCFILE"
        fi
    done

    # Postmap (doing postmap is enough to get the new IP table without refreshing)
    eval "$CMDPOSTMAP"

    # Logging
    end=$(date +%s)
    runtime=$((end-start))
    echo "$NOW Found $f spam ip, $ff with no ham in the past written in reject table, time elapsed: $runtime sec." >> "$VLOGFILE"

    # Truncating logfile
    tail -n 500 "$VLOGFILE" > "$VLOGFILE.tmp"
    mv "$VLOGFILE.tmp" "$VLOGFILE"
Re: Custom rule based on AWL score
Why not try my powerful plugin to reduce the score of known users? It is based on people that answer to us and in my case, after 3 weeks of learning, it HITS 70% of incoming messages that are absolutely ham.
http://saplugin.16mb.com/

Nicola Piazzi

-----Original Message-----
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Thursday, 20 October 2016 18:36
To: users@spamassassin.apache.org
Subject: Re: Custom rule based on AWL score

On Thu, 20 Oct 2016, Ian Zimmerman wrote:

> On 2016-10-20 08:34, simplerezo wrote:
>
>> My understanding is that AWL is helping frequent senders who are
>> known to not send spam to "reduce" their spam score, preventing false
>> positives. That's exactly what I want to rely on for my rules: adding
>> score for mail with "invoice" pretention and an attachment but only
>> for very unknown users (or spammers).
>
> Just add your custom rules globally, with reasonable scores.
>
> Whitelisted senders get a _huge_ bonus (I think it's 100 points by
> default, maybe customizable), so they won't be affected if you do it
> right.

ITYM -100 points. :)

Small but important detail... :)

-- 
John Hardin KA7OHZ
---
No representation without taxation!
---
303 days since the first successful real return to launch site (SpaceX)
Re: rbldnsd
Thanks Antony, the service works, but now how can I address queries to this server? And the service name "test", how must it be inserted in the query?

    usr/sbin/rbldnsd -n -b localhost/53 test:ip4tset:/rbldnsd/test.txt

Nicola Piazzi

-----Original Message-----
From: Antony Stone [mailto:antony.st...@spamassassin.open.source.it]
Sent: Monday, 17 October 2016 15:04
To: users@spamassassin.apache.org
Subject: Re: rbldnsd

On Monday 17 October 2016 at 15:00:08, Nicola Piazzi wrote:

> Does someone use dnsrbld to create a personal rbl ?
> I am unable to bind to port 53 (and other ports)

Oh?

> I start it and it tells that it binds :
>
> [root@EFALIST rbldnsd]# ./start.sh
> rbldnsd: listening on ::1/53
> rbldnsd: listening on 127.0.0.1/53

So, it's listening on port 53, both IPv4 and IPv6.

> rbldnsd: ip4tset:/rbldnsd/test.txt: 20161017 101633: cnt=2
> rbldnsd: zones reloaded, time 0.0e/0.0u sec, mem arena=284 free=131
> mmap=0 Kb rbldnsd: rbldnsd version 0.998 (05 Dec 2015) started (2
> socket(s), 1
> zone(s))

Looks happy to me.

> But when I ipscan this host I find open only ports that belong to
> other services and not 53 :
>
> [root@EFALIST ~]# nmap -sT -O localhost

Try U instead of T.

DNS runs over UDP, not TCP.

Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

Please reply to the list; please *don't* CC me.
rbldnsd
Does someone use dnsrbld to create a personal RBL? I am unable to bind to port 53 (and other ports). I start it and it tells that it binds:

    [root@EFALIST rbldnsd]# ./start.sh
    rbldnsd: listening on ::1/53
    rbldnsd: listening on 127.0.0.1/53
    rbldnsd: ip4tset:/rbldnsd/test.txt: 20161017 101633: cnt=2
    rbldnsd: zones reloaded, time 0.0e/0.0u sec, mem arena=284 free=131 mmap=0 Kb
    rbldnsd: rbldnsd version 0.998 (05 Dec 2015) started (2 socket(s), 1 zone(s))

But when I port-scan this host I find open only ports that belong to other services, and not 53:

    [root@EFALIST ~]# nmap -sT -O localhost

    Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-17 14:56 CEST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.52s latency).
    Other addresses for localhost (not scanned): 127.0.0.1
    Not shown: 997 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    23/tcp open  telnet
    25/tcp open  smtp
    No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
    TCP/IP fingerprint:
Re: ransomware URI list
But not all RW_URLBL.txt entries are contained in RW_DOMBL.txt and vice versa. For example 25z5g623wpqpdwis.onion.to doesn't have a match in RW_URLBL.txt. And if I extract from http://01ad681.netsolhost.com/7j0jlq3 the domain 01ad681.netsolhost.com, it is not in RW_DOMBL.txt?!

Nicola Piazzi

-----Original Message-----
From: Axb [mailto:axb.li...@gmail.com]
Sent: Friday, 14 October 2016 10:41
To: users@spamassassin.apache.org
Subject: Re: ransomware URI list

On 10/14/2016 10:30 AM, Nicola Piazzi wrote:
> ABUSE.CH maintains an updated list of ransomware lists, here the txt file
> link :
> https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
>
> It is very simple to make a shell script that checks file changes every hour,
> downloads if there is a new one, and writes a rule .cf using data contained in
> the file.
>
> But how to write a rule ?
> We have more than 4000 URIs in the file, we can do a single rule like this
> separating URIs with | :
>
> uri URIRAMS /http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> describe URIRAMS Match a Ransomware URI
> score URIRAMS 5.00
>
> or is it better to separate each URI :
>
> uri __URIRAMS1 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
> uri __URIRAMS2 /http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> meta URIRAMS (__URIRAMS1 | __URIRAMS2)
> describe URIRAMS Match a Ransomware URI
> score URIRAMS 5.00
>
> Obviously this example is related to 2 entries, and we have 4000 entries here.
> Any suggestion ?

performance-wise best is to use a domain list in a local instance of rbldnsd.
Sadly abuse.ch only publishes subdomain.example.net instead of example.net so you'd have to do some scripted editing to remove the subdomain.

if you want to use static rules, base them on https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt, use __URI_BLAH and meta them together.
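As an added example (not code from the thread, and not abuse.ch's tooling), this Python generator turns an RW_DOMBL.txt-style list into the hidden __URI_BLAH subrules plus one scored meta that Axb suggests, stripping subdomains with a toy suffix table where a real run would consult the Public Suffix List; the domain list is constructed, not real feed data, and the rule and file names are assumptions.

```python
import re

# Constructed sample in the shape of abuse.ch's RW_DOMBL.txt (comment lines,
# blank lines, one host per line); these are NOT real entries from the feed.
SAMPLE_DOMBL = """\
# Ransomware Tracker domain blocklist (constructed sample, not real data)
#
1natureresort.com
1jamprofit.com
25z5g623wpqpdwis.onion.to
www.example-bad.net
mail.sub.example-bad.net
"""

# Toy table of suffixes that take two labels; a real generator would consult
# the Public Suffix List (assumption made for this example).
TWO_LABEL_SUFFIXES = {"onion.to", "co.uk", "com.br"}


def parse_domains(text):
    """Host names from an abuse.ch-style list, lower-cased, comments skipped."""
    hosts = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            hosts.append(line)
    return hosts


def registrable_domain(host):
    """Reduce subdomain.example.net to example.net (Axb's scripted editing)."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def build_cf(domains, rule="URI_RW", per_rule=200, score=5.0):
    """Emit SpamAssassin rules: hidden __URI_RW_n uri subrules, each one an
    alternation of regex-escaped domains, OR-ed together by one scored meta.
    The uri regex anchors on the scheme, allows an optional subdomain prefix
    and requires the host to end right after the listed domain, so a URI on
    1natureresort.com.evil.org does not hit."""
    uniq = sorted({registrable_domain(d) for d in domains})
    chunks = [uniq[i:i + per_rule] for i in range(0, len(uniq), per_rule)]
    out = [f"# {len(uniq)} domains in {len(chunks)} subrule(s), generated"]
    names = []
    for n, chunk in enumerate(chunks, 1):
        name = f"__{rule}_{n}"
        names.append(name)
        alt = "|".join(re.escape(d) for d in chunk)
        out.append(f"uri {name} /^https?:\\/\\/(?:[^\\/]*\\.)?(?:{alt})(?::\\d+)?(?:\\/|$)/i")
    out.append(f"meta {rule} " + " || ".join(names))
    out.append(f"describe {rule} URI host listed in abuse.ch RW_DOMBL")
    out.append(f"score {rule} {score:.2f}")
    return "\n".join(out) + "\n"


def uri_listed(cf_text, uri):
    """Re-run the generated uri regexes in Python to check what they hit."""
    for line in cf_text.splitlines():
        m = re.match(r"uri\s+\S+\s+/(.*)/i$", line)
        if m and re.search(m.group(1).replace("\\/", "/"), uri, re.I):
            return True
    return False


if __name__ == "__main__":
    # In practice the list would be read from a freshly downloaded RW_DOMBL.txt
    print(build_cf(parse_domains(SAMPLE_DOMBL)))
```

Keeping each subrule to a few hundred alternatives keeps the compiled regexes small; the meta fires if any subrule does.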
ransomware URI list
ABUSE.CH maintains an updated list of ransomware lists, here the txt file link:
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt

It is very simple to make a shell script that checks file changes every hour, downloads if there is a new one, and writes a rule .cf using data contained in the file.

But how to write a rule?
We have more than 4000 URIs in the file; we can do a single rule like this, separating URIs with |:

    uri URIRAMS /http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas/
    describe URIRAMS Match a Ransomware URI
    score URIRAMS 5.00

or is it better to separate each URI:

    uri __URIRAMS1 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
    uri __URIRAMS2 /http:\/\/1jamprofit\.com\/hjy93JNBasdas/
    meta URIRAMS (__URIRAMS1 | __URIRAMS2)
    describe URIRAMS Match a Ransomware URI
    score URIRAMS 5.00

Obviously this example is related to 2 entries, and we have 4000 entries here.
Any suggestion?

Nicola Piazzi
take a look @ 2 great plugins
http://saplugin.16mb.com/

And tell me how it works.

Nicola Piazzi
Re: a .cf to prevent abuse of popular names
adsp_override dhl.com penalizes when someone spoofs the address, for example sending email with @dhl.com without DKIM, but it doesn't catch when someone uses the dhl description in From, as in this example:

    From: DHL Service d...@infectedpc.com

Nicola Piazzi

-----Original Message-----
From: Paul Stead [mailto:paul.st...@zeninternet.co.uk]
Sent: Monday, 3 October 2016 13:03
To: users@spamassassin.apache.org
Subject: Re: a .cf to prevent abuse of popular names

On 03/10/16 10:14, Nicola Piazzi wrote:

>     # DHL
>     header __AF_DHL_FROM From =~ /([^a-zA-Z0-9]|^)dhl([^a-zA-Z0-9]|\b)/i
>     header __AF_DHL_DOMAIN From =~ /\@dhl.com(>|\b)/i
>     meta AF_VALID_DHL (SPF_PASS || MXPF_PASS || DKIM_VALID_AU) && __AF_DHL_DOMAIN
>     describe AF_VALID_DHL Valid dhl Sender
>     score AF_VALID_DHL -1.00
>     meta AF_ABUSED_DHL __AF_DHL_FROM && !AF_VALID_DHL
>     describe AF_ABUSED_DHL Probably Abused dhl Sender Name
>     score AF_ABUSED_DHL 1.00

An email sent with a valid SPF for a different domain than dhl.com would hit AF_VALID_DHL in this example...

A better way to validate the emails would be

---8<---
whitelist_auth *@dhl.com
---8<---

And to catch the potential abuse

---8<---
adsp_override dhl.com custom_med
---8<---

I'm part way through raising a bug request with a feature improvement which might help towards this too, watch this space

Paul

-- 
Paul Stead
Systems Engineer
Zen Internet
a .cf to prevent abuse of popular names
What do you think about an antiabuse.popular.domains.cf that contains a lot of paragraphs like this?

    # DHL
    header __AF_DHL_FROM From =~ /([^a-zA-Z0-9]|^)dhl([^a-zA-Z0-9]|\b)/i
    # the dot is escaped so only dhl.com matches, not dhl-com or dhlXcom
    header __AF_DHL_DOMAIN From =~ /\@dhl\.com(>|\b)/i
    meta AF_VALID_DHL (SPF_PASS || MXPF_PASS || DKIM_VALID_AU) && __AF_DHL_DOMAIN
    describe AF_VALID_DHL Valid dhl Sender
    score AF_VALID_DHL -1.00
    meta AF_ABUSED_DHL __AF_DHL_FROM && !AF_VALID_DHL
    describe AF_ABUSED_DHL Probably Abused dhl Sender Name
    score AF_ABUSED_DHL 1.00

__AF_DHL_FROM searches the From field for something that can tell users that the message comes from dhl. For example it finds positive something like: DHL EXPRESS
__AF_DHL_DOMAIN searches whether the From domain is dhl.com
AF_VALID_DHL is true if this email is verified by SPF or DKIM or MXPF AND the domain is dhl.com
AF_ABUSED_DHL is true if there are some dhl references in the From field (__AF_DHL_FROM) and dhl.com is not verified

Nicola Piazzi
TXREP doesn't work
After a new box installation I found that TxRep doesn't work. The table is empty:

    mysql> select * from txrep;
    Empty set (0.00 sec)

Obviously I disabled AWL and load TxRep in v341.pre. Any suggestion? Any log possible?

Nicola Piazzi
Re: Re: Re: Re: regular expression needed
This is what I need, Bowie. The query must be

    select from_address, from_domain, to_address, subject from maillog where subject REGEXP '\b(?:(?:FedEx|Shipment|702193383246|Notification)\b.*?){3}';

But unfortunately MySQL gives an error:

    ERROR 1139 (42000): Got error 'repetition-operator operand invalid' from regexp

MySQL regular expressions don't have lookarounds.

Nicola Piazzi

-----Original Message-----
From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 17:46
To: users@spamassassin.apache.org
Subject: Re: Re: Re: Re: regular expression needed

I don't know of a way to do that with a simple regex. But since you are writing a plugin, you could do it by parsing the output of a regex search.

1) Create a regex which will match on any combination of 3 of the words. This will let you pull all of the possible matches from previous emails. Something like this:

    /\b(?:(?:word1|word2|word3|word4)\b.*?){3}/

2) For each of the lines found by the previous regex, run another regex that captures all matched words.

    /\b(word1|word2|word3|word4)\b/g    (note the global modifier to catch all matches)

3) Take a look at the results for each line and see if the regex matched at least 3 unique words.

I'm quite sure that this is not the most efficient method, but it should work.

Bowie

On 9/28/2016 11:20 AM, Nicola Piazzi wrote:

Obviously I intended to write a plugin that searches the DB. But I need the regex syntax to search for at least 3 words that match out of 4 words given.

Nicola Piazzi

-----Original Message-----
From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 17:17
To: Nicola Piazzi <mailto:nicola.pia...@gruppocomet.it>; Spamassassin List <mailto:users@spamassassin.apache.org>
Subject: Re: Re: Re: regular expression needed

Please keep list emails on the list.

I don't think you could do a simple regex match for what you want. As I said previously, this would require a plugin both to build the custom regex(s) (or DB query) and to search for the previous emails. You would want to keep the prior email information in a database of some sort since doing a search of a large text file for every incoming email would probably be too slow.

Bowie

On 9/28/2016 10:05 AM, Nicola Piazzi wrote:

Flow:
I receive an email with subject "Federal Express Important invoice number 20". The plugin searches a regex in the maillog database over the mails of the last 10 days, and this regex search matches 1 or more lines. So we know that similar mails were received in the past. But it is normal to receive similar text, and not so normal to receive the same subject from different addresses directed to different internal users.

Nicola Piazzi

-----Original Message-----
From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 16:01
To: users@spamassassin.apache.org
Subject: Re: Re: regular expression needed

I'm still not clear on exactly what you are trying to do, but in order to test anything against previous messages, you will need a custom SA plugin and some sort of database to store the information about previous emails. That is beyond my area of expertise.

If you just need a regex to match something, I'd be happy to help, but I would need a more explicit description of what you are trying to match.

Bowie

On 9/28/2016 9:29 AM, Nicola Piazzi wrote:

Bowie, yours is a manual way; it works but is not automated. Automation is a plugin that checks for similar words in older messages (for example 3 of 4 words match). Then the plugin checks if the sender domain is different and the recipient is different.

-----Original Message-----
From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 15:26
To: users@spamassassin.apache.org
Subject: Re: regular expression needed

On 9/28/2016 9:02 AM, Nicola Piazzi wrote:

Usually we receive spam having subjects like these examples, in order of time:

    Subject                                     From                To
    FedEx Shipment 702193383647 Notification    j...@company1.com   s...@mycompany.it
    FedEx Shipment 722566383641 Notification    a...@other.com
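Bowie's three steps, written out as an added Python example (not code from the thread, nor from any SpamAssassin plugin): the step-1 regex as a cheap prefilter, the step-2 global match counting unique words, then the sender-domain and recipient checks Nicola describes. The maillog rows are constructed, modelled on the subjects in the thread; in a real plugin they would come from the maillog table, and because MySQL's regex engine of that era rejects the `(?:...){3}` pattern (the ERROR 1139 above), the filtering runs in the plugin rather than in SQL.

```python
import re

# Constructed maillog rows (subject, from_address, to_address), not real log
# data; the addresses mirror the redacted ones in the thread.
MAILLOG = [
    ("FedEx Shipment 702193383647 Notification", "jim@company1.com", "sue@mycompany.it"),
    ("FedEx Shipment 722566383641 Notification", "ann@other.com",    "ann@mycompany.it"),
    ("FedEx Shipment 734563383644 Notification", "ivo@company1.com", "lou@mycompany.it"),
    ("Re: FedEx pickup scheduled",               "bob@fedex.com",    "sue@mycompany.it"),
    ("A package for you jim",                    "bob@cocacola.com", "jim@mycompany.it"),
    ("A package for you sue",                    "jack@buster.com",  "sue@mycompany.it"),
]


def subject_words(subject):
    """Words of the incoming subject; they become the alternation in the regex."""
    return [w for w in re.findall(r"\w+", subject) if len(w) > 1]


def candidate_regex(words, need):
    """Step 1: one regex that hits any line containing at least `need` of the
    words, in any order (Bowie's /\\b(?:(?:w1|w2|w3|w4)\\b.*?){3}/)."""
    alt = "|".join(re.escape(w) for w in words)
    return re.compile(r"\b(?:(?:%s)\b.*?){%d}" % (alt, need), re.I)


def distinct_hits(words, subject):
    """Step 2 and 3: capture every matched word globally and count the unique
    ones, so 'FedEx FedEx FedEx' is one word, not three."""
    alt = "|".join(re.escape(w) for w in words)
    found = re.findall(r"\b(%s)\b" % alt, subject, re.I)
    return len({w.lower() for w in found})


def similar_campaign(subject, from_address, to_address, rows, need=3):
    """Prior rows whose subject shares at least `need` distinct words with the
    incoming one AND came from a different sender domain AND went to a
    different recipient: the pattern of one campaign hitting many users."""
    words = subject_words(subject)
    if len(words) < need:
        return []
    prefilter = candidate_regex(words, need)
    my_domain = from_address.rsplit("@", 1)[-1].lower()
    hits = []
    for old_subject, old_from, old_to in rows:
        if not prefilter.search(old_subject):
            continue                       # cheap step-1 rejection
        if distinct_hits(words, old_subject) < need:
            continue                       # repeated word, not 3 different ones
        if old_from.rsplit("@", 1)[-1].lower() == my_domain:
            continue                       # same sender domain: not the pattern
        if old_to.lower() == to_address.lower():
            continue                       # same recipient: not the pattern
        hits.append((old_subject, old_from, old_to))
    return hits


if __name__ == "__main__":
    for hit in similar_campaign("FedEx Shipment 702193383647 Notification",
                                "zed@victim.example", "ann@mycompany.it", MAILLOG):
        print(hit)
```

A plugin would add score proportional to len(hits), and the sender-domain and recipient checks are what keep a thread of legitimate replies from the same correspondent from counting.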
Re: Re: Re: regular expression needed
Obviously I intended to write a plugin that searches the DB. But I need the regex syntax to search for at least 3 words that match out of 4 words given.

Nicola Piazzi

-----Original Message-----
From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 17:17
To: Nicola Piazzi ; Spamassassin List
Subject: Re: Re: Re: regular expression needed

Please keep list emails on the list.

I don't think you could do a simple regex match for what you want. As I said previously, this would require a plugin both to build the custom regex(s) (or DB query) and to search for the previous emails. You would want to keep the prior email information in a database of some sort since doing a search of a large text file for every incoming email would probably be too slow.

Bowie

On 9/28/2016 10:05 AM, Nicola Piazzi wrote:

Flow:
I receive an email with subject "Federal Express Important invoice number 20". The plugin searches a regex in the maillog database over the mails of the last 10 days, and this regex search matches 1 or more lines. So we know that similar mails were received in the past. But it is normal to receive similar text, and not so normal to receive the same subject from different addresses directed to different internal users.

Nicola Piazzi

-----Original Message-----
From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 16:01
To: users@spamassassin.apache.org
Subject: Re: Re: regular expression needed

I'm still not clear on exactly what you are trying to do, but in order to test anything against previous messages, you will need a custom SA plugin and some sort of database to store the information about previous emails. That is beyond my area of expertise.

If you just need a regex to match something, I'd be happy to help, but I would need a more explicit description of what you are trying to match.

Bowie

On 9/28/2016 9:29 AM, Nicola Piazzi wrote:

Bowie, yours is a manual way; it works but is not automated. Automation is a plugin that checks for similar words in older messages (for example 3 of 4 words match). Then the plugin checks if the sender domain is different and the recipient is different.

-----Original Message-----
From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 15:26
To: users@spamassassin.apache.org
Subject: Re: regular expression needed

On 9/28/2016 9:02 AM, Nicola Piazzi wrote:

Usually we receive spam having subjects like these examples, in order of time:

    Subject                                     From                To
    FedEx Shipment 702193383647 Notification    j...@company1.com   s...@mycompany.it
    FedEx Shipment 722566383641 Notification    a...@other.com      a...@mycompany.it
    FedEx Shipment 734563383644 Notification    i...@company1.com   lo...@mycompany.it
    A package for you jim                       b...@cocacola.com   j...@mycompany.it
    A package for you sue                       j...@buster.com     s...@mycompany.it

These come from viruses that infect different PCs in the world and send the same spam. I want to write a plugin that tests each email, giving a penalty to these mails.

Detection routine:
A mail arrives. Subject is: FedEx Shipment 702193383647 Notification
I search in the maillog table for a regex that MATCHES
    FedEx Shipment 702193383647 Notification
ALSO IN
    FedEx Shipment 722566383641 Notification
AND IN
    FedEx Shipment 734563383644 Notification
If it matches, I verify that the FROM DOMAIN IS DIFFERENT, and then I verify that the TO ADDRESS IS DIFFERENT.
Now I need a regex syntax to put all extracted words of the PHRASE "FedEx Shipment 734563383644 Notification" and match if it finds at least 3 of 4 words.
Someone can help?

I don't follow exactly what you are trying to do in the description above, but for that problem, I would start with something like this:

    header __FEDEX_ADDR From:addr /\@fedex\.com/
    header __FEDEX_SUBJ Subject /FedEx Shipment/
    meta FEDEX_SPAM __FEDEX_SUBJ && !
Re: regular expression needed
Bowie, yours is a manual way; it works but is not automated. Automation is a plugin that checks for similar words in older messages (for example 3 of 4 words match). Then the plugin checks if the sender domain is different and the recipient is different.

-----Original Message-----
From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 15:26
To: users@spamassassin.apache.org
Subject: Re: regular expression needed

On 9/28/2016 9:02 AM, Nicola Piazzi wrote:

Usually we receive spam having subjects like these examples, in order of time:

    Subject                                     From                To
    FedEx Shipment 702193383647 Notification    j...@company1.com   s...@mycompany.it
    FedEx Shipment 722566383641 Notification    a...@other.com      a...@mycompany.it
    FedEx Shipment 734563383644 Notification    i...@company1.com   lo...@mycompany.it
    A package for you jim                       b...@cocacola.com   j...@mycompany.it
    A package for you sue                       j...@buster.com     s...@mycompany.it

These come from viruses that infect different PCs in the world and send the same spam. I want to write a plugin that tests each email, giving a penalty to these mails.

Detection routine:
A mail arrives. Subject is: FedEx Shipment 702193383647 Notification
I search in the maillog table for a regex that MATCHES
    FedEx Shipment 702193383647 Notification
ALSO IN
    FedEx Shipment 722566383641 Notification
AND IN
    FedEx Shipment 734563383644 Notification
If it matches, I verify that the FROM DOMAIN IS DIFFERENT, and then I verify that the TO ADDRESS IS DIFFERENT.
Now I need a regex syntax to put all extracted words of the PHRASE "FedEx Shipment 734563383644 Notification" and match if it finds at least 3 of 4 words.
Someone can help?

I don't follow exactly what you are trying to do in the description above, but for that problem, I would start with something like this:

    header __FEDEX_ADDR From:addr /\@fedex\.com/
    header __FEDEX_SUBJ Subject /FedEx Shipment/
    meta FEDEX_SPAM __FEDEX_SUBJ && ! __FEDEX_ADDR
    score FEDEX_SPAM 2.0

(Off the top of my head and completely untested. Adjust score as required.)

This will hit any email with "FedEx Shipment" in the subject that doesn't come from fedex.com. Note that it will also hit on any legitimate FedEx emails that have been forwarded. You could minimize this by constraining the subject match to be at the beginning of the line (/^Fedex Shipment/). This may or may not have an effect on spam detection. You could also do a test for non-FedEx urls in the body rather than looking at the sender.

You could use a simple subject line test for the "A package for you" emails, unless you know of a valid delivery service that uses that phrase.

-- 
Bowie
regular expression needed
Usually we receive spam having subjects like these examples, in order of time:

  Subject                                    From                To
  FedEx Shipment 702193383647 Notification   j...@company1.com   s...@mycompany.it
  FedEx Shipment 722566383641 Notification   a...@other.com      a...@mycompany.it
  FedEx Shipment 734563383644 Notification   i...@company1.com   lo...@mycompany.it
  A package for you jim                      b...@cocacola.com   j...@mycompany.it
  A package for you sue                      j...@buster.com     s...@mycompany.it

These come from viruses that infect different PCs in the world that send the same spam.
I want to write a plugin that tests each email, giving a penalty to these mails.

Detection routine:
A mail arrives. Subject is: FedEx Shipment 702193383647 Notification
I search in the maillog table for a regex that MATCHES
  FedEx Shipment 702193383647 Notification
ALSO IN
  FedEx Shipment 722566383641 Notification
AND IN
  FedEx Shipment 734563383644 Notification
If it matches I verify that FROM DOMAIN IS DIFFERENT
And then I verify that TO ADDRESS IS DIFFERENT

Now I need a regex syntax to put all extracted words of the PHRASE
  FedEx Shipment 734563383644 Notification
and match if it finds at least 3 of 4 words.
Someone can help?

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it
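An added worked example (not code from the thread or from either poster) of the detection routine described in this post: the "at least 3 of 4 words" test is done by building an alternation regex from the incoming subject's words and counting the distinct ones that recur in each earlier subject, then the sender-domain and recipient checks are applied, and a small match threshold keeps a single coincidental overlap (a genuine reply) from triggering. The maillog rows, addresses and domains below are constructed sample data, not the poster's real table.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

WORD_RE = re.compile(r"\w+")


@dataclass(frozen=True)
class LogEntry:
    """One row of a maillog-style table (constructed, not the real schema)."""
    subject: str
    sender: str
    recipient: str


def subject_words(subject: str) -> set:
    """Lower-cased word set; numeric tokens such as the tracking number stay,
    so 'FedEx Shipment 702193383647 Notification' yields four words."""
    return {w.lower() for w in WORD_RE.findall(subject)}


def subject_pattern(subject: str) -> re.Pattern:
    """Regex form of the question: an alternation of the subject's words.
    Counting the distinct words it finds in another subject gives the
    'at least 3 of 4' test. An empty subject gets a never-matching pattern
    (otherwise an empty alternation would match everywhere)."""
    words = subject_words(subject)
    if not words:
        return re.compile(r"(?!)")
    alts = "|".join(re.escape(w) for w in sorted(words))
    return re.compile(rf"\b(?:{alts})\b", re.IGNORECASE)


def common_word_count(pattern: re.Pattern, other_subject: str) -> int:
    """Number of distinct pattern words that recur in other_subject."""
    return len({m.lower() for m in pattern.findall(other_subject)})


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def campaign_matches(incoming: LogEntry, history: Iterable[LogEntry],
                     min_common: int = 3, threshold: int = 2) -> Tuple[bool, List[LogEntry]]:
    """Detection routine from the post: an earlier message counts when it
    shares >= min_common subject words with the incoming one, came from a
    different sender domain and went to a different recipient. The mail is
    flagged only when at least `threshold` earlier messages count."""
    pattern = subject_pattern(incoming.subject)
    matches = [
        e for e in history
        if common_word_count(pattern, e.subject) >= min_common
        and sender_domain(e.sender) != sender_domain(incoming.sender)
        and e.recipient.lower() != incoming.recipient.lower()
    ]
    return len(matches) >= threshold, matches


# Constructed sample rows modelled on the table in the post (addresses invented).
HISTORY = [
    LogEntry("FedEx Shipment 702193383647 Notification", "joe@company1.example", "sara@mycompany.example"),
    LogEntry("FedEx Shipment 722566383641 Notification", "ann@other.example", "amy@mycompany.example"),
    LogEntry("A package for you jim", "bob@cocacola.example", "jim@mycompany.example"),
    LogEntry("Invoice 4471 attached", "bill@other.example", "sara@mycompany.example"),
]
INCOMING_SPAM = LogEntry("FedEx Shipment 734563383644 Notification",
                         "ivan@company2.example", "lou@mycompany.example")
# A real reply repeats the subject but comes from the domain already seen for it.
INCOMING_REPLY = LogEntry("Re: FedEx Shipment 702193383647 Notification",
                          "joe@company1.example", "sara@mycompany.example")

if __name__ == "__main__":
    for msg in (INCOMING_SPAM, INCOMING_REPLY):
        flagged, hits = campaign_matches(msg, HISTORY)
        print(f"{msg.subject!r}: flagged={flagged}, matching rows={len(hits)}")
```

The word-set comparison is deliberately done in code rather than in a single regex: a pattern that matches "any 3 of these 4 words in any order" needs every combination spelled out, while counting distinct alternation hits scales to any subject length and to a configurable `min_common`.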
R: R: postfix reject_unverified_recipient and Exchange 2016
I am off topic if you think that postfix is not spamassassin.
I think that this is not a Microsoft problem because Exchange answers correctly to unknown recipients.
I suppose that there is something in the return string that postfix doesn't like.

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: Axb [mailto:axb.li...@gmail.com]
Sent: Wednesday 7 September 2016 10:59
To: users@spamassassin.apache.org
Subject: Re: R: postfix reject_unverified_recipient and Exchange 2016

This is totally off topic.
You are on the wrong list for these questions.
Use the MS knowledge base.

On 09/07/2016 10:56 AM, Nicola Piazzi wrote:
> It seems NOT a Microsoft problem because with "Recipient Filter Agent"
> Exchange answers "550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient
> not found by SMTP address lookup" when a recipient is not found.
> So I don't know why, when postfix gets "550 5.1.10 RESOLVER.ADR.RecipientNotFound;
> Recipient not found by SMTP address lookup" from Exchange 2016, it doesn't
> consider that recipient nonexistent.
> Someone can write me the answer of Exchange 2010 to a non-existent recipient?
>
> Nicola Piazzi
> CED - Sistemi
> COMET s.p.a.
> Via Michelino, 105 - 40127 Bologna - Italia
> Tel. +39 051.6079.293
> Cell. +39 328.21.73.470
> Web: www.gruppocomet.it
>
> -----Original message-----
> From: li...@rhsoft.net [mailto:li...@rhsoft.net]
> Sent: Wednesday 7 September 2016 10:49
> To: users@spamassassin.apache.org
> Subject: Re: postfix reject_unverified_recipient and Exchange 2016
>
> On 07.09.2016 at 10:42, Nicola Piazzi wrote:
>> I have a problem using reject_unverified_recipient to verify under
>> Exchange 2016 that I don't have with Exchange 2010
>
> how is that a spamassassin or even postfix related problem?
>
> call the microsoft support why their stuff is playing backscatter in
> recent versions (as you can see by all that exchange bounces flying
> around in the web)
>
> there is nothing the delivery software can do when exchange has no
> clue about its valid rcpts until it received and acknowledged the
> full message instead just reject the rcpt
>
> workaround: list your valid RCPTs directly on your inbound MX and
> maintain it parallel to exchange
>
>> Postfix is used to send and receive mail and is between the internet
>> and the internal Exchange Server. Now, when an internet user sends an
>> email to our domain, postfix verifies it, making an RCPT TO to our
>> Exchange using the reject_unverified_recipient instruction. This worked
>> well with Exchange 2010 but now with Exchange 2016 it doesn't work.
>> Exchange 2016 needs the installation of Recipient Filter Agent and
>> obviously I installed it.
>> Now we have Frontend Transport that answers at port 25 and verifies
>> the recipient at DATA phase, and the Hub Transport that answers at port
>> 2525 and verifies the recipient at RCPT TO.
>>
>> Here Exchange 2016 at port 25, which verifies an unknown recipient at DATA phase:
>>
>>   telnet 10.1.1.126 25
>>   220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
>>   helo me
>>   250 GEMMA.gruppocomet.net Hello [10.2.6.4]
>>   mail from:e...@ext.com
>>   250 2.1.0 Sender OK
>>   rcpt to:doesntex...@gruppocomet.it
>>   250 2.1.5 Recipient OK
>>   data
>>   354 Start mail input; end with <CRLF>.<CRLF>
>>   some data
R: postfix reject_unverified_recipient and Exchange 2016
It seems NOT a Microsoft problem because with "Recipient Filter Agent" Exchange answers "550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup" when a recipient is not found.
So I don't know why, when postfix gets "550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup" from Exchange 2016, it doesn't consider that recipient nonexistent.
Someone can write me the answer of Exchange 2010 to a non-existent recipient?

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: li...@rhsoft.net [mailto:li...@rhsoft.net]
Sent: Wednesday 7 September 2016 10:49
To: users@spamassassin.apache.org
Subject: Re: postfix reject_unverified_recipient and Exchange 2016

On 07.09.2016 at 10:42, Nicola Piazzi wrote:
> I have a problem using reject_unverified_recipient to verify under
> Exchange 2016 that I don't have with Exchange 2010

how is that a spamassassin or even postfix related problem?

call the microsoft support why their stuff is playing backscatter in recent versions (as you can see by all that exchange bounces flying around in the web)

there is nothing the delivery software can do when exchange has no clue about its valid rcpts until it received and acknowledged the full message instead just reject the rcpt

workaround: list your valid RCPTs directly on your inbound MX and maintain it parallel to exchange

> Postfix is used to send and receive mail and is between the internet
> and the internal Exchange Server. Now, when an internet user sends an
> email to our domain, postfix verifies it, making an RCPT TO to our Exchange
> using the reject_unverified_recipient instruction. This worked well with
> Exchange 2010 but now with Exchange 2016 it doesn't work.
> Exchange 2016 needs the installation of Recipient Filter Agent and
> obviously I installed it.
> Now we have Frontend Transport that answers at port 25 and verifies
> the recipient at DATA phase, and the Hub Transport that answers at port 2525
> and verifies the recipient at RCPT TO.
>
> Here Exchange 2016 at port 25, which verifies an unknown recipient at DATA phase:
>
>   telnet 10.1.1.126 25
>   220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
>   helo me
>   250 GEMMA.gruppocomet.net Hello [10.2.6.4]
>   mail from:e...@ext.com
>   250 2.1.0 Sender OK
>   rcpt to:doesntex...@gruppocomet.it
>   250 2.1.5 Recipient OK
>   data
>   354 Start mail input; end with <CRLF>.<CRLF>
>   some data
postfix reject_unverified_recipient and Exchange 2016
I have a problem using reject_unverified_recipient to verify under Exchange 2016 that I don't have with Exchange 2010.

Postfix is used to send and receive mail and is between the internet and the internal Exchange Server. Now, when an internet user sends an email to our domain, postfix verifies it, making an RCPT TO to our Exchange using the reject_unverified_recipient instruction. This worked well with Exchange 2010 but now with Exchange 2016 it doesn't work.
Exchange 2016 needs the installation of Recipient Filter Agent and obviously I installed it.
Now we have Frontend Transport that answers at port 25 and verifies the recipient at DATA phase, and the Hub Transport that answers at port 2525 and verifies the recipient at RCPT TO.

Here Exchange 2016 at port 25, which verifies an unknown recipient at DATA phase:

  telnet 10.1.1.126 25
  220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
  helo me
  250 GEMMA.gruppocomet.net Hello [10.2.6.4]
  mail from:e...@ext.com
  250 2.1.0 Sender OK
  rcpt to:doesntex...@gruppocomet.it
  250 2.1.5 Recipient OK
  data
  354 Start mail input; end with <CRLF>.<CRLF>
  some data
  .
  550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup

Here Exchange 2016 at port 2525, which verifies an unknown recipient at RCPT TO phase:

  telnet 10.1.1.126 2525
  220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
  helo me
  250 GEMMA.gruppocomet.net Hello [10.2.6.4]
  mail from:e...@ext.com
  250 2.1.0 Sender OK
  rcpt to:doesntex...@gruppocomet.it
  550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup

When I connect to a Postfix configured with reject_unverified_recipient it doesn't work.
I tried to transport the domain to Exchange at port 2525 and at port 25 using the parameter

  smtp_address_verify_target = data

Postfix answers OK at RCPT TO of doesntex...@gruppocomet.it and needs some time to answer, so I suppose that it makes the call to Exchange.
RCPT TO is immediate if I remove reject_unverified_recipient.

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it
Relaycountry problem
  header RELAYCOUNTRY_IT  X-Relay-Countries =~ /IT/
  header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(US|CN|RU|UA|JP|HK|UK|DE|BR|IN)/

In some cases I have both results in the spam report. I suppose that is because the plugin evals all IP addresses and not lastexternal; is it correct? Is there a way to check only lastexternal? Any suggestion?

Then there is a problem adding the header: I never found it in my headers, so how is it possible that the rule finds it?
2 Plugins
Here are 2 self-made plugins: http://saplugin.16mb.com/
If someone sends me feedback it will be appreciated.
R: R: R: Shortcircuit work partially
How to do it synchronously?
It is not important to process a single mail in 5 or 50 seconds; for me it is most important to reduce load.

-----Original message-----
From: RW [mailto:rwmailli...@googlemail.com]
Sent: Tuesday 30 August 2016 17:24
To: users@spamassassin.apache.org
Subject: Re: R: R: Shortcircuit work partially

On Tue, 30 Aug 2016 14:48:03 + Nicola Piazzi wrote:
> problem is that dns checks are made asynchronously; if they were made
> synchronously it would happen like you said. It is not important slowing
> down all messages because I save a lot of queries and cpu

Running them synchronously would mean running them consecutively.

What I think you want would involve running them asynchronously, but starting them later. This would reduce dns lookups, but scans would generally take longer.
R: R: Shortcircuit work partially
BAYES_ZERO is:

  body BAYES_ZERO eval:check_bayes('0.00', '0.00')

but it is the same with all other rules.
The problem is that dns checks are made asynchronously; if they were made synchronously it would happen like you said.
It is not important slowing down all messages because I save a lot of queries and cpu.

-----Original message-----
From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Tuesday 30 August 2016 16:44
To: users@spamassassin.apache.org
Subject: Re: R: Shortcircuit work partially

I'm assuming that BAYES_ZERO is a meta of some sort. Would you also need to set priority on the other referenced rules, or does SA handle that?

Also, keep in mind that if you can make this work, you will effectively be speeding up the processing of mail that matches BAYES_ZERO (slightly), while slowing down the processing of all other mail. This is because SA will now have to wait for Bayes calculations before sending the DNS requests to check blacklists.

Bowie

On 8/30/2016 10:37 AM, Axb wrote:
> shot in the dark:
> what happens if you do
>
>   priority BAYES_ZERO -2000
>   shortcircuit BAYES_ZERO ham
>
> On 08/30/2016 04:30 PM, Nicola Piazzi wrote:
>> And there is not a solution?
>>
>> Nicola Piazzi
>> CED - Sistemi
>> COMET s.p.a.
>> Via Michelino, 105 - 40127 Bologna - Italia
>> Tel. +39 051.6079.293
>> Cell. +39 328.21.73.470
>> Web: www.gruppocomet.it
>>
>> -----Original message-----
>> From: li...@rhsoft.net [mailto:li...@rhsoft.net]
>> Sent: Tuesday 30 August 2016 16:26
>> To: users@spamassassin.apache.org
>> Subject: Re: Shortcircuit work partially
>>
>> On 30.08.2016 at 16:21, Nicola Piazzi wrote:
>>> When I shortcircuit a rule not all others are bypassed
>>>
>>> Here an example ...
>>>
>>> Local.cf:
>>>   priority BAYES_ZERO -980
>>>   shortcircuit BAYES_ZERO ham
>>
>> the dns stuff is fired asynchronous long before bayes is even
>> evaluated
>>
>>> Spam report:
>>>    -0.03 ABUSIX_PRESENCE Contatto Anti-Abuse presente in abuse-contacts.abusix.org
>>>    -1.00 BAYES_ZERO Bayes Zero Percento Assoluto
>>>     0.10 C_RBL_ANTICAPTCHA Listed in dnsbl.anticaptcha.net
>>>     0.10 C_RBL_DNSRBL Listed in DnsRbl.org
>>>     0.20 C_RBL_KONSTANT Listed in bl.konstant.no
>>>     0.10 C_RBL_MEGARBL Listed in rbl.megarbl.net
>>>     0.10 C_RBL_NETUA Listed in dnsbl.net.ua
>>>    -0.30 C_RBL_NSZONES_WL NSZONES - WhiteList
>>>     0.10 C_RBL_SINGULAR Listed in singular.ttk.pte.hu
>>>     0.10 C_RBL_SWINOG_SPAM Listed in dnsrbl.swinog.ch.
>>>     0.10 C_RBL_UNSUBSCORE Listed in ubl.unsubscore.com
>>>  -100.00 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
>>>    -0.35 URIBL_HOSTKARMA_Y Dominio in HostKarma YellowList
R: Shortcircuit work partially
And there is not a solution?

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: li...@rhsoft.net [mailto:li...@rhsoft.net]
Sent: Tuesday 30 August 2016 16:26
To: users@spamassassin.apache.org
Subject: Re: Shortcircuit work partially

On 30.08.2016 at 16:21, Nicola Piazzi wrote:
> When I shortcircuit a rule not all others are bypassed
>
> Here an example ...
>
> Local.cf:
>   priority BAYES_ZERO -980
>   shortcircuit BAYES_ZERO ham

the dns stuff is fired asynchronous long before bayes is even evaluated

> Spam report:
>    -0.03 ABUSIX_PRESENCE Contatto Anti-Abuse presente in abuse-contacts.abusix.org
>    -1.00 BAYES_ZERO Bayes Zero Percento Assoluto
>     0.10 C_RBL_ANTICAPTCHA Listed in dnsbl.anticaptcha.net
>     0.10 C_RBL_DNSRBL Listed in DnsRbl.org
>     0.20 C_RBL_KONSTANT Listed in bl.konstant.no
>     0.10 C_RBL_MEGARBL Listed in rbl.megarbl.net
>     0.10 C_RBL_NETUA Listed in dnsbl.net.ua
>    -0.30 C_RBL_NSZONES_WL NSZONES - WhiteList
>     0.10 C_RBL_SINGULAR Listed in singular.ttk.pte.hu
>     0.10 C_RBL_SWINOG_SPAM Listed in dnsrbl.swinog.ch.
>     0.10 C_RBL_UNSUBSCORE Listed in ubl.unsubscore.com
>  -100.00 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
>    -0.35 URIBL_HOSTKARMA_Y Dominio in HostKarma YellowList
Shortcircuit work partially
When I shortcircuit a rule not all others are bypassed.

Here an example ...

Local.cf:
  priority BAYES_ZERO -980
  shortcircuit BAYES_ZERO ham

Spam report:
   -0.03 ABUSIX_PRESENCE Contatto Anti-Abuse presente in abuse-contacts.abusix.org
   -1.00 BAYES_ZERO Bayes Zero Percento Assoluto
    0.10 C_RBL_ANTICAPTCHA Listed in dnsbl.anticaptcha.net
    0.10 C_RBL_DNSRBL Listed in DnsRbl.org
    0.20 C_RBL_KONSTANT Listed in bl.konstant.no
    0.10 C_RBL_MEGARBL Listed in rbl.megarbl.net
    0.10 C_RBL_NETUA Listed in dnsbl.net.ua
   -0.30 C_RBL_NSZONES_WL NSZONES - WhiteList
    0.10 C_RBL_SINGULAR Listed in singular.ttk.pte.hu
    0.10 C_RBL_SWINOG_SPAM Listed in dnsrbl.swinog.ch.
    0.10 C_RBL_UNSUBSCORE Listed in ubl.unsubscore.com
 -100.00 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
   -0.35 URIBL_HOSTKARMA_Y Dominio in HostKarma YellowList
rule with multiple lines
Is there a way to have multiple lines in a single rule?

For example:

  meta OW_SENT_EMAIL ( OW_T_SENT_EMAIL && ! OW_T_REF_EMAIL && ! OW_T_REF_FULL && ! OW_REF_THIS && OW_PASS)

Would be better:

  meta OW_SENT_EMAIL ( OW_T_SENT_EMAIL
                    && ! OW_T_REF_EMAIL
                    && ! OW_T_REF_FULL
                    && ! OW_REF_THIS
                    && OW_PASS)
R: A domain category that all need
I made a plugin that watches if someone answers us: I watch if in the header there is a reference to a message id that we sent in the past.
So when I receive a mail from j...@cocacola.it and it has a reference, I whitelist @cocacola.it.
When I receive j...@gmail.com I whitelist just j...@gmail.com.

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: Benny Pedersen [mailto:m...@junc.eu]
Sent: Thursday 18 August 2016 14:13
To: users@spamassassin.apache.org
Subject: Re: A domain category that all need

On 2016-08-18 09:31, Nicola Piazzi wrote:
> It can be very useful a dns service URIBL that tells if a domain is
> public or private. If it is private I can whitelist the entire domain instead of
> address by address when I receive a ham from one. For example:
> I cannot WL gmail.com if I receive a ham from j...@gmail.com. But I can
> WL cocacola.com if I receive ham from s...@cocacola.com because only
> cocacola.com users can use the cocacola.com domain. Do you know something
> about it?

https://dane.sys4.de/smtp/cocacola.com
https://dane.sys4.de/smtp/gmail.com

not dnssec domains, so dkim whitelist will be insecure whitelist of forged domain, if you like to live with that just do it anyway in

  whitelist_from_dkim *@cocacola.com, and
  whitelist_from_dkim frie...@gmail.com

but why is whitelist needed in the first place?, did they send spam that got into junk folder?
R: R: R: A domain category that all need
> On 08/18/2016 10:20 AM, Nicola Piazzi wrote:
>> 1)
>>>> Another thing, the date of files is # Updated 2014-09-17-axb
>>> What is the problem with that?
>> Problem that now we are in 2016
>
> so?
>
> I committed the last update in 2014.

Ok, but it is very probable that since 2014 a lot of new freemail services were born.

>> 2)
>> FREEMAIL_FROM rule has description "Sender email is commonly abused enduser
>> mail provider"
>> Is this the rule to use if I want to know if MAIL FROM is from any kind of
>> freemail provider?
>> If so, the description must be changed to "Sender email is enduser mail
>> provider"
>
> The description is correct. Domain list is about "commonly abused"
>
> If you want to change it in your system, add to your local.cf
>
>   describe FREEMAIL_FROM whatever YOU want.

I know that I can do it, but my question is: is there a reason to write "commonly abused" in the default description?

>> Nicola Piazzi
>> CED - Sistemi
>> COMET s.p.a.
>> Via Michelino, 105 - 40127 Bologna - Italia
>> Tel. +39 051.6079.293
>> Cell. +39 328.21.73.470
>> Web: www.gruppocomet.it
>>
>> -----Original message-----
>> From: Axb [mailto:axb.li...@gmail.com]
>> Sent: Thursday 18 August 2016 10:16
>> To: users@spamassassin.apache.org
>> Subject: Re: R: A domain category that all need
>>
>> On 08/18/2016 10:04 AM, Nicola Piazzi wrote:
>>> This is a good idea, but there are 2 files:
>>>   20_freemail_mailcom_domains.cf
>>>   20_freemail_domains.cf
>>> The first is commonly abused only
>>> FREEMAIL_FROM rule searches in both but has a strange description "Sender
>>> email is commonly abused enduser mail provider"
>>> It tells 'commonly abused' but it searches also in
>>> 20_freemail_mailcom_domains.cf
>>
>> You need to understand how the Freemail plugin works.
>> The domain lists can be across multiple files.
>> In this case 20_freemail_mailcom_domains.cf groups domains from the same
>> source making it easier to read/maintain.
>>
>> If the domains have the same label prefix they will be used for the same
>> rules.
>>
>> The FREEMAIL_FROM rule could "apply" domain lists from dozens of files
>>
>>> Another thing, the date of files is # Updated 2014-09-17-axb
>>
>> What is the problem with that?
>>
>>> Nicola Piazzi
>>> CED - Sistemi
>>> COMET s.p.a.
>>> Via Michelino, 105 - 40127 Bologna - Italia
>>> Tel. +39 051.6079.293
>>> Cell. +39 328.21.73.470
>>> Web: www.gruppocomet.it
>>>
>>> From: Jason Haar [mailto:jason_h...@trimble.com]
>>> Sent: Thursday 18 August 2016 09:50
>>> To: Nicola Piazzi
>>> Cc: users@spamassassin.apache.org
>>> Subject: Re: A domain category that all need
>>>
>>> Check out 20_freemail_domains.cf that is part of SpamAssassin. It contains
>>> all the known "freemail" services, so you could work on the assumption that
>>> if it's not one of these, it's "private"
>>>
>>> --
>>> Cheers
>>>
>>> Jason Haar
>>> Information Security Manager, Trimble Navigation Ltd.
>>> Phone: +1 408 481 8171
>>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
R: R: A domain category that all need
1)
>> Another thing, the date of files is # Updated 2014-09-17-axb
> What is the problem with that?
Problem that now we are in 2016

2)
FREEMAIL_FROM rule has description "Sender email is commonly abused enduser mail provider"
Is this the rule to use if I want to know if MAIL FROM is from any kind of freemail provider?
If so, the description must be changed to "Sender email is enduser mail provider"

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: Axb [mailto:axb.li...@gmail.com]
Sent: Thursday 18 August 2016 10:16
To: users@spamassassin.apache.org
Subject: Re: R: A domain category that all need

On 08/18/2016 10:04 AM, Nicola Piazzi wrote:
> This is a good idea, but there are 2 files:
>   20_freemail_mailcom_domains.cf
>   20_freemail_domains.cf
> The first is commonly abused only
> FREEMAIL_FROM rule searches in both but has a strange description "Sender
> email is commonly abused enduser mail provider"
> It tells 'commonly abused' but it searches also in
> 20_freemail_mailcom_domains.cf

You need to understand how the Freemail plugin works.
The domain lists can be across multiple files.
In this case 20_freemail_mailcom_domains.cf groups domains from the same source making it easier to read/maintain.

If the domains have the same label prefix they will be used for the same rules.

The FREEMAIL_FROM rule could "apply" domain lists from dozens of files

> Another thing, the date of files is # Updated 2014-09-17-axb

What is the problem with that?

> Nicola Piazzi
> CED - Sistemi
> COMET s.p.a.
> Via Michelino, 105 - 40127 Bologna - Italia
> Tel. +39 051.6079.293
> Cell. +39 328.21.73.470
> Web: www.gruppocomet.it
>
> From: Jason Haar [mailto:jason_h...@trimble.com]
> Sent: Thursday 18 August 2016 09:50
> To: Nicola Piazzi
> Cc: users@spamassassin.apache.org
> Subject: Re: A domain category that all need
>
> Check out 20_freemail_domains.cf that is part of SpamAssassin. It contains
> all the known "freemail" services, so you could work on the assumption that
> if it's not one of these, it's "private"
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
R: A domain category that all need
This is a good idea, but there are 2 files:
  20_freemail_mailcom_domains.cf
  20_freemail_domains.cf
The first is commonly abused only.
FREEMAIL_FROM rule searches in both but has a strange description "Sender email is commonly abused enduser mail provider".
It tells 'commonly abused' but it searches also in 20_freemail_mailcom_domains.cf.
Another thing, the date of files is # Updated 2014-09-17-axb

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

From: Jason Haar [mailto:jason_h...@trimble.com]
Sent: Thursday 18 August 2016 09:50
To: Nicola Piazzi
Cc: users@spamassassin.apache.org
Subject: Re: A domain category that all need

Check out 20_freemail_domains.cf that is part of SpamAssassin. It contains all the known "freemail" services, so you could work on the assumption that if it's not one of these, it's "private"

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
A domain category that all need
It can be very useful a dns service URIBL that tells if a domain is public or private.
If it is private I can whitelist the entire domain instead of address by address when I receive a ham from one.
For example:
I cannot WL gmail.com if I receive a ham from j...@gmail.com.
But I can WL cocacola.com if I receive ham from s...@cocacola.com because only cocacola.com users can use the cocacola.com domain.
Do you know something about it?
new powerful plugin
It is difficult to write a doc of what this plugin that I wrote does.
But here is the ow.cf file, so you can see what this plugin does.
It can be used ONLY when the box is the same for sending and receiving emails.
What do you think about it? Someone wants to have a try?

# oUTwHITELIST (ow)
# Is a SpamAssassin Plugin that builds a database WhiteList using data from email that your internal users send out
# So ow works ONLY if the machine running SpamAssassin is used both for sending and receiving email.
# When some internal people send a mail ow does two things:
#  1 It saves the internal Message-Id into a dedicated table
#  2 It saves the destination email address into a dedicated table
# When receiving external messages it checks that they have a reference to a message id; also it checks the email address that was a reply

loadplugin Mail::SpamAssassin::Plugin::ow ow.pm

use_ow 1
ow_message_id_string Message-ID
ow_message_id_must_contain @
ow_message_id_server_prefix 10.1.
ow_recipient_server_prefix 10.1.
ow_inreplyto_string In-Reply-To
ow_references_string References
ow_sql_dsn DBI:mysql:mailscanner:localhost
ow_sql_username sa_user
ow_sql_password BxaDfefrfrr4frf4f4fNNE

# (1)
# Email verification methods to be used combined with __OW_T_REF_EMAIL and __OW_T_SENT_EMAIL
# If the mxpf plugin is used it will also be considered
meta __OW_PASS ( DKIM_VALID || SPF_PASS || MXPF_PASS )

# (2)
# This rule hits when an incoming message has in the header a valid Message-ID that we
# sent out in the past; we can be sure that this message is the reply to our message so it is
# impossible that it is spam, we can give a great bonus in its score
describe OW_REF_THIS Message references a valid Message-ID
header   OW_REF_THIS eval:ow_ref_this()
score    OW_REF_THIS -1.80

# (3)
# This rule hits when an incoming message has the email address and the C class of the IP
# that match a record in the table containing all messages that hit a Message-ID in the past
# Even if it is not an immediate reply to our messages we are sure that it comes from a user
# we usually send messages to
# This is test only; score must be assigned to OW_REF_FULL (6)
header __OW_T_REF_FULL eval:ow_ref_full()

# (4)
# This rule hits when an incoming message has the email address only (unverified)
# that matches a record in the table containing all messages that hit a Message-ID in the past
# Even if it is not an immediate reply to our messages we are sure that it comes from a user
# we usually send messages to, but only if it matches also a verification method (__OW_PASS)
# This is test only; score must be assigned to OW_REF_EMAIL (7)
header __OW_T_REF_EMAIL eval:ow_ref_email()

# (5)
# This rule hits when an incoming message has the email address only (unverified)
# that matches a record in the table containing all message recipients that our internal users sent to
# It is reasonable that if someone of us sent out something, receivers can reply to it
# If it matches it must be verified with a verification method (__OW_PASS)
# This is test only; score must be assigned to OW_SENT_EMAIL (8)
header __OW_T_SENT_EMAIL eval:ow_sent_email()

# (6)
# This rule hits when __OW_T_REF_FULL (3) is matched and no higher rule matched
meta     OW_REF_FULL ( __OW_T_REF_FULL && ! OW_REF_THIS )
describe OW_REF_FULL Message (Sender + IP C class) hit a reference in the past
score    OW_REF_FULL -1.60

# (7)
# This rule hits when __OW_T_REF_EMAIL (4) is matched, __OW_PASS matches also and no higher rule matched
meta     OW_REF_EMAIL ( __OW_T_REF_EMAIL && ! __OW_T_REF_FULL && ! OW_REF_THIS && __OW_PASS )
describe OW_REF_EMAIL Message hit a reference in the past, Verified
score    OW_REF_EMAIL -1.40

# (8)
# This rule hits when __OW_T_SENT_EMAIL (5) is matched, __OW_PASS matches also and no higher rule matched
meta     OW_SENT_EMAIL ( __OW_T_SENT_EMAIL && ! __OW_T_REF_EMAIL && ! __OW_T_REF_FULL && ! OW_REF_THIS && __OW_PASS )
describe OW_SENT_EMAIL Message with address we sent to in the past, Verified
score    OW_SENT_EMAIL -1.10
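An added example, not the ow plugin's own code (which is Perl) and not from the thread, that models the mechanism described in this post and in the earlier "plugin that watches if someone answers us" reply: outgoing mail deposits our Message-IDs and recipients into a store, an incoming mail is checked for a reference to one of those IDs (In-Reply-To or References), and the four scoring rules are evaluated with exactly the exclusions the meta rules in ow.cf apply, so that at most one of them fires. The in-memory store, the `/24` bucket standing in for the "IP C class", and every address and Message-ID below are assumptions and constructed sample data; the `verified` flag stands in for `__OW_PASS`.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, Iterable, Set, Tuple

MSGID_RE = re.compile(r"<([^<>\s]+)>")

# Scores as assigned in the ow.cf above.
SCORES = {"OW_REF_THIS": -1.80, "OW_REF_FULL": -1.60,
          "OW_REF_EMAIL": -1.40, "OW_SENT_EMAIL": -1.10}


@dataclass
class OwStore:
    """In-memory stand-in for the plugin's SQL tables (hypothetical layout)."""
    sent_ids: Set[str] = field(default_factory=set)         # Message-IDs we sent out
    sent_recipients: Set[str] = field(default_factory=set)  # addresses we sent to
    # (sender address, /24 of its relay) for mails that referenced one of our IDs
    ref_senders: Set[Tuple[str, str]] = field(default_factory=set)


@dataclass
class Incoming:
    sender: str
    relay_ip: str            # last external relay
    headers: Dict[str, str]
    verified: bool = False   # stands in for __OW_PASS (DKIM_VALID || SPF_PASS || MXPF_PASS)


def message_ids(value: str) -> Set[str]:
    """All <id> tokens of an In-Reply-To or References header value."""
    return set(MSGID_RE.findall(value or ""))


def c_class(ip: str) -> str:
    """The 'C class' of the config, taken here as the enclosing /24."""
    return str(ip_network(f"{ip}/24", strict=False))


def record_outgoing(store: OwStore, message_id: str, recipients: Iterable[str]) -> None:
    """Outgoing side: save our Message-ID and the destination addresses."""
    store.sent_ids.add(message_id.strip("<>"))
    store.sent_recipients.update(r.lower() for r in recipients)


def record_reply(store: OwStore, msg: Incoming) -> None:
    """A mail that referenced one of our IDs fills the (sender, C class) table."""
    store.ref_senders.add((msg.sender.lower(), c_class(msg.relay_ip)))


def ow_rules(store: OwStore, msg: Incoming) -> Set[str]:
    """Evaluate rules (2)-(8) of ow.cf; the exclusions make them mutually exclusive."""
    sender = msg.sender.lower()
    referenced = (message_ids(msg.headers.get("In-Reply-To", ""))
                  | message_ids(msg.headers.get("References", "")))
    ref_this = bool(referenced & store.sent_ids)                        # (2)
    t_ref_full = (sender, c_class(msg.relay_ip)) in store.ref_senders   # (3)
    t_ref_email = any(s == sender for s, _ in store.ref_senders)        # (4)
    t_sent_email = sender in store.sent_recipients                      # (5)

    hits = set()
    if ref_this:
        hits.add("OW_REF_THIS")
    if t_ref_full and not ref_this:                                     # (6)
        hits.add("OW_REF_FULL")
    if t_ref_email and not t_ref_full and not ref_this and msg.verified:  # (7)
        hits.add("OW_REF_EMAIL")
    if (t_sent_email and not t_ref_email and not t_ref_full
            and not ref_this and msg.verified):                         # (8)
        hits.add("OW_SENT_EMAIL")
    return hits


def ow_score(store: OwStore, msg: Incoming) -> float:
    return sum(SCORES[r] for r in ow_rules(store, msg))


if __name__ == "__main__":
    store = OwStore()
    record_outgoing(store, "<20160818.1@mail.mycompany.example>", ["sue@cocacola.example"])
    reply = Incoming("sue@cocacola.example", "198.51.100.20",
                     {"In-Reply-To": "<20160818.1@mail.mycompany.example>"})
    print(ow_rules(store, reply), ow_score(store, reply))
```

Note what the exclusions in (7) and (8) imply: a sender that once replied to us but now arrives from another network and without SPF/DKIM/MXPF verification gets no bonus at all, even if we have also sent mail to that address, because `! __OW_T_REF_EMAIL` in rule (8) blocks the weaker rule as well.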
R: [SOLVED] R: A plugin to legitimate email when SPF and DKIM missing
I usually don't use whitelisting so much.
I wrote a couple of scripts that can be put in cron.
They read my sql log, extract message ids and create whitelist rules based on replies to your sender id.
They match 55% of incoming clean mail at now for me.
Download and read more here: https://forum.efa-project.org/viewtopic.php?f=14&t=1769

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: li...@rhsoft.net [mailto:li...@rhsoft.net]
Sent: Wednesday 10 August 2016 12:14
To: users@spamassassin.apache.org
Subject: Re: [SOLVED] R: A plugin to legitimate email when SPF and DKIM missing

On 10.08.2016 at 12:00, Nicola Piazzi wrote:
>
> I wrote this simple plugin, mxpf
> This plugin searches the B class of the sender IP address and tries to match the B
> class of any IP of the MX records of the declared domain. So when it matches it is
> very difficult that the sender is a spoofed domain; you can use MXPF_PASS
> to combine with other rules in addition to SPF_PASS
>
> 1) Unpack mxpf.cf and mxpf.pm under the /etc/mail/spamassassin dir
> 2) put your score in mxpf.cf
>
> Download here:
>
> https://forum.efa-project.org/viewtopic.php?f=14&t=1777

that looks really good, one piece missing - something like "whitelist_mx" working the same way as "whitelist_auth" to combine it with shortcircuit to complement whitelist by spf with that for senders you trust but don't have SPF/DKIM for

  whitelist_auth
  whitelist_mx sen...@domain.tld
  whitelist_mx *@domain.tld
[SOLVED] R: A plugin to legitimate email when SPF and DKIM missing
I wrote this simple plugin, mxpf.
This plugin searches the B class of the sender IP address and tries to match the B class of any IP of the MX records of the declared domain. So when it matches it is very difficult that the sender is a spoofed domain; you can use MXPF_PASS to combine with other rules in addition to SPF_PASS.

1) Unpack mxpf.cf and mxpf.pm under the /etc/mail/spamassassin dir
2) put your score in mxpf.cf

Download here:

https://forum.efa-project.org/viewtopic.php?f=14&t=1777

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Tuesday 9 August 2016 23:04
To: users@spamassassin.apache.org
Subject: Re: A plugin to legitimate email when SPF and DKIM missing

On Tue, 9 Aug 2016, li...@rhsoft.net wrote:
>
> On 09.08.2016 at 18:08, Kevin Golding wrote:
>> Based on what you're trying to do:
>>
>> man dig
>
> don't help, see below
>
>> or depending on your resolver possibly:
>>
>> man drill
>
> don't help, see below
>
>> Whilst I agree it is slightly more effort to set-up whitelisting by
>> looking up the details first it would still be far more resource
>> efficient on your servers
>
> that don't catch the problem if the MX changes that you need to
> permanently watch your "whitelist_from_rcvd" and maintain them

So script it. Write a script that reads a list of domain names, does digs to get those domains' MX hosts, and writes whitelist_from_rcvd rules for them to a local config file. Run that every night as part of your scheduled sa-update script.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The question of whether people should be allowed to harm themselves is simple. They *must*. -- Charles Murray
---
6 days until the 71st anniversary of the end of World War II
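An added example, not the mxpf plugin's own code (which is Perl) and not from the thread, covering both ideas in this message: the MXPF check as described here (the connecting relay falls in the same network as one of the declared sender domain's MX hosts, with the prefix length configurable so the "B class" of the plugin and the "class C" of the earlier message are both expressible), and John Hardin's scripted alternative of deriving `whitelist_from_rcvd` lines from a domain list's MX hosts. DNS answers are replaced by a constructed lookup table so the block runs offline; the domain names and addresses in it are invented, and a deployment would plug real MX/A resolution into `lookup_mx` and `lookup_a`.

```python
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Set

# Constructed DNS answers standing in for real MX and A lookups (invented names
# and documentation-range addresses); a deployment would query DNS here.
FAKE_DNS = {
    "mx": {
        "axkit.example": ["mail1.sergeant.example", "mail2.sergeant.example"],
        "other.example": ["mx.other.example"],
    },
    "a": {
        "mail1.sergeant.example": ["203.0.113.10"],
        "mail2.sergeant.example": ["203.0.113.11"],
        "mx.other.example": ["198.51.100.5"],
    },
}


def lookup_mx(domain: str, dns=FAKE_DNS) -> List[str]:
    """MX host names of a domain (empty when the domain publishes none)."""
    return dns["mx"].get(domain.lower().rstrip("."), [])


def lookup_a(host: str, dns=FAKE_DNS) -> List[str]:
    return dns["a"].get(host.lower().rstrip("."), [])


def mx_networks(domain: str, prefixlen: int = 16, dns=FAKE_DNS) -> Set:
    """Networks (default /16, the plugin's 'B class') that contain every
    address of every MX host of the domain."""
    nets = set()
    for host in lookup_mx(domain, dns):
        for ip in lookup_a(host, dns):
            nets.add(ip_network(f"{ip}/{prefixlen}", strict=False))
    return nets


def mxpf_pass(sender_domain: str, relay_ip: str, prefixlen: int = 16, dns=FAKE_DNS) -> bool:
    """MXPF_PASS: the relay that delivered the mail shares a network with an MX
    host of the domain in the sender address. A domain without MX records
    never passes, so the check cannot be satisfied by an invented domain."""
    ip = ip_address(relay_ip)
    return any(ip in net for net in mx_networks(sender_domain, prefixlen, dns))


def whitelist_from_rcvd_rules(domains: Iterable[str], dns=FAKE_DNS) -> List[str]:
    """The scripted approach John Hardin describes: one whitelist_from_rcvd line
    per (domain, relay domain) pair derived from the MX hosts. The relay domain
    is approximated by dropping the MX host's first label; the relay's actual
    reverse DNS is what whitelist_from_rcvd compares, so verify it before use."""
    lines = []
    for domain in domains:
        relay_domains = sorted({h.split(".", 1)[1]
                                for h in lookup_mx(domain, dns) if "." in h})
        for rd in relay_domains:
            lines.append(f"whitelist_from_rcvd *@{domain} {rd}")
    return lines


if __name__ == "__main__":
    print(mxpf_pass("axkit.example", "203.0.114.3"))           # same /16 as an MX
    print(mxpf_pass("axkit.example", "203.0.114.3", prefixlen=24))  # not the same /24
    print("\n".join(whitelist_from_rcvd_rules(["axkit.example", "other.example"])))
```

The prefix length is the knob that decides how much of the objection raised later in the thread applies: a /16 will pass any relay in a large hosting provider's range alongside the MX, while a /24 passes only the MX's immediate neighbours, so the same code shows why the MX match is only useful in combination with other evidence and why the generated whitelist lines deserve a manual look.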
Re: Re: Re: A plugin to legitimate email when SPF and DKIM missing
WHITELIST_FROM_RCVD requires knowing the mail server name. Take this example:

whitelist_from_rcvd *@axkit.org sergeant.org

We want to accept the whole domain axkit.org, and we are sure that it is not spoofing when it comes from names that end with the domain sergeant.org. But if I have only the email address I can't write a line like this; I don't know the mail server domain.

Nicola Piazzi
CED - Sistemi COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293 Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: RW [mailto:rwmailli...@googlemail.com]
Sent: Tuesday, 9 August 2016 17:39
To: users@spamassassin.apache.org
Subject: Re: R: R: A plugin to legitimate email when SPF and DKIM missing

On Tue, 9 Aug 2016 15:19:08 + Nicola Piazzi top-posted:

> I don't know if you want to find a solution or if you want to say why I
> am searching for one. The reason is this:
> I have SPF_PASS, a variable that tells me that whoever sends is the
> proprietor of that domain. I KNOW PERFECTLY WELL THAT SOMEONE CAN SEND
> SPAM WITH A PURCHASED, REGULAR, NON-SPOOFED DOMAIN. But I can combine
> SPF_PASS with a list of email addresses, for example, but not everyone
> puts SPF in DNS, so with MX I have another chance.

I'm confused now because "combine SPF_PASS with a list of email addresses" sounds like whitelisting, which is something you implied you didn't want to do when whitelist_from_rcvd was mentioned.
Re: Re: A plugin to legitimate email when SPF and DKIM missing
I don't know if you want to find a solution or if you want to say why I am searching for one. The reason is this:

I have SPF_PASS, a variable that tells me that whoever sends is the proprietor of that domain. I KNOW PERFECTLY WELL THAT SOMEONE CAN SEND SPAM WITH A PURCHASED, REGULAR, NON-SPOOFED DOMAIN. But I can combine SPF_PASS with a list of email addresses, for example, but not everyone puts SPF in DNS, so with MX I have another chance.

Nicola Piazzi
CED - Sistemi COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293 Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: Merijn van den Kroonenberg [mailto:mer...@web2all.nl]
Sent: Tuesday, 9 August 2016 16:41
To: users@spamassassin.apache.org
Subject: Re: R: A plugin to legitimate email when SPF and DKIM missing

> On Tue, 9 Aug 2016 08:45:54 +
> Nicola Piazzi wrote:
>
>> whitelist_from_rcvd is intended to legitimate a single domain,
>> specifying domain by domain
>>
>> I need something that checks all incoming email and tells me
>> if the originating IP (or class C) is the same as the MX record
>>
>> This can be intended like an SPF_PASS when people don't set SPF at
>> all.
>
> I think the reason that he mentioned whitelist_from_rcvd is that the
> absence of SPF or DKIM doesn't score anything in any of the default
> scoresets.
>

In fact SPF or DKIM does not tell us anything about spamminess (or hamminess). Spammers use SPF and DKIM too. The usefulness of DKIM and SPF is in combination with *specific* domains. So your MX check would also only be useful in combination with *specific* domains. And when you are doing specific domains then you could just do whitelist_from_rcvd.

So I am not sure what your intention is with this MX check. Would you score senders who fail it? Or would you blindly reward (whitelist) servers who match the MX subnet?
Re: A plugin to legitimate email when SPF and DKIM missing
whitelist_from_rcvd is intended to legitimate a single domain, specifying domain by domain.

I need something that checks all incoming email and tells me if the originating IP (or class C) is the same as the MX record.

This can be intended like an SPF_PASS when people don't set SPF at all.

Nicola Piazzi
CED - Sistemi COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293 Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original message-----
From: Kevin Golding [mailto:k...@caomhin.org]
Sent: Tuesday, 9 August 2016 10:28
To: users@spamassassin.apache.org
Subject: Re: A plugin to legitimate email when SPF and DKIM missing

On Tue, 09 Aug 2016 09:10:06 +0100, Nicola Piazzi wrote:

> Hi
> A lot of the time we receive mail that is SPF NONE and has no DKIM. It
> would be useful to have a little plugin that is able to give another
> chance to legitimate these emails. A lot of servers use the same machine
> to send and receive emails. The plugin must read the sender domain and
> search if the IP used to send to us is one of the MX record list for the
> domain. This is not intended to exclude other cases, but intended to
> have a chance to recognize that it is not a spoofed email only. We can
> think to use not the IP but the C class to get many more hits. For
> example, someone sending from 199.56.23.5 who has an MX record
> 199.56.23.9 can be legitimate because both come from 199.56.23
>
> Does someone have something like this?

Not quite, but assuming you're looking at using it for whitelisting purposes you can use:

whitelist_from_rcvd *@gruppocommet.it gruppocommet.it

That says that any mail sent with a @gruppocommet.it address that is received from a host with an rDNS matching gruppocommet.it will be whitelisted. It's rather effective and efficient.

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options may tell you more.
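Kevin Golding's whitelist_from_rcvd suggestion above needs the relay's domain per sender domain, and John Hardin's reply earlier in the thread is to generate those lines from nightly MX lookups instead of maintaining them by hand. The following is an added Python example of that generator, not code from either of them or from SpamAssassin. It runs offline: the `dig +short MX` output it parses is constructed text embedded below (axkit.org/sergeant.org come from the thread, the example.* entries are made up), and a real job would substitute the output of `dig +short MX <domain>` per domain. Two assumptions are labelled in the code: the rDNS domain written into each rule is the last two labels of the MX hostname (a public-suffix-aware rule is needed for names under suffixes like co.uk), and null MX records ("0 .") and domains without MX produce a comment rather than a rule. As Merijn van den Kroonenberg points out in the thread, a domain's MX hosts are not necessarily the hosts it sends from, so the generated file should be reviewed before it is loaded.

```python
"""Added example: generate whitelist_from_rcvd lines from `dig +short MX` output."""
import re
from typing import Dict, List

# Constructed stand-in for `dig +short MX <domain>` output, one "<preference> <host>." per line.
DIG_OUTPUT: Dict[str, str] = {
    "axkit.org":   "10 mail.sergeant.org.\n20 backup.sergeant.org.\n",
    "example.com": "5 mx1.example.com.\n10 mx2.example.com.\n",
    "example.net": "",            # no MX published: nothing to whitelist on
    "example.org": "0 .\n",       # null MX (RFC 7505): domain declares it receives no mail
}

MX_LINE = re.compile(r"^\s*(\d+)\s+([A-Za-z0-9._-]+)\.?\s*$")

def parse_dig_short_mx(text: str) -> List[str]:
    """MX hostnames from `dig +short MX` output, lowest preference first.
    A null MX target ('.') is skipped because there is no host to whitelist on."""
    found = []
    for line in text.splitlines():
        m = MX_LINE.match(line)
        if not m:
            continue                      # ignore anything that is not "<pref> <host>"
        pref, host = int(m.group(1)), m.group(2).lower().rstrip(".")
        if not host:
            continue                      # "0 ." null MX
        found.append((pref, host))
    return [host for _, host in sorted(found)]

def rcvd_domain(mx_host: str, keep_labels: int = 2) -> str:
    """Domain for whitelist_from_rcvd's second argument (rDNS of the relay must match it).
    Assumption of this example: keep the last two labels ('mx1.example.com' -> 'example.com').
    Names under public suffixes such as co.uk need a suffix-list-aware rule instead."""
    labels = mx_host.lower().rstrip(".").split(".")
    return ".".join(labels[-keep_labels:])

def whitelist_rules(domains: List[str], dig_output: Dict[str, str]) -> List[str]:
    """One whitelist_from_rcvd line per (sender domain, MX parent domain), deduplicated;
    domains with no usable MX get a comment line so the gap is visible in the config."""
    lines, seen = [], set()
    for raw in domains:
        domain = raw.strip().lower()
        if not domain or domain.startswith("#"):
            continue                      # blank line or comment in the domain list
        hosts = parse_dig_short_mx(dig_output.get(domain, ""))
        if not hosts:
            lines.append(f"# {domain}: no MX records, no rule generated")
            continue
        for rd in sorted({rcvd_domain(h) for h in hosts}):
            rule = f"whitelist_from_rcvd *@{domain} {rd}"
            if rule not in seen:
                seen.add(rule)
                lines.append(rule)
    return lines

def render_cf(lines: List[str]) -> str:
    """Body of a .cf file for the SpamAssassin local config directory."""
    header = "# generated from MX lookups; regenerate nightly and review before loading\n"
    return header + "\n".join(lines) + "\n"

if __name__ == "__main__":
    wanted = ["axkit.org", "example.com", "# comment", "example.net", "example.org"]
    print(render_cf(whitelist_rules(wanted, DIG_OUTPUT)), end="")
```

In a nightly job the dictionary lookup would be replaced by running dig per domain, and the rendered text written to a file under the local SpamAssassin config directory before the scheduled sa-update run that John Hardin describes.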
A plugin to legitimate email when SPF and DKIM missing
Hi

A lot of the time we receive mail that is SPF NONE and has no DKIM. It would be useful to have a little plugin that is able to give another chance to legitimate these emails. A lot of servers use the same machine to send and receive emails. The plugin must read the sender domain and search if the IP used to send to us is one of the MX record list for the domain. This is not intended to exclude other cases, but intended to have a chance to recognize that it is not a spoofed email only.

We can think to use not the IP but the C class to get many more hits. For example, someone sending from 199.56.23.5 who has an MX record 199.56.23.9 can be legitimate because both come from 199.56.23.

Does someone have something like this?

Nicola Piazzi
CED - Sistemi COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293 Cell. +39 328.21.73.470
Web: www.gruppocomet.it