Re: learn ham

2017-01-05 Thread Nicola Piazzi
Each minute it learns the messages of the last minute, so it reads and learns
each message only once.
The messages are those sent from the internal network, so it learns that their words are not spam.

Internal messages are not spam



Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it



-----Original Message-----
From: John Hardin [mailto:jhar...@impsec.org] 
Sent: Thursday, 5 January 2017 17:35
To: users@spamassassin.apache.org
Subject: Re: learn ham

On Thu, 5 Jan 2017, Marc Stürmer wrote:

> On 2017-01-04 10:58, Nicola Piazzi wrote:
>
>>  I found it useful to put a little script like this in cron
>>
>>  Every minute cron launches this script, which takes the messages of the last 
>> minute, reading from the maillog database
>
> What's the purpose of this script, what's the reasoning behind running 
> this thingie every minute?
>
> What you do is training the Bayes filter every minute. Training a 
> filter is something which should never be done unattended, but always 
> supervised, because if not you will get bad results over time.

The execution of the training program can safely be automated, though I'd agree 
once per minute is a bit excessive. The classification of messages into the 
folders that are trained from is what needs manual supervision.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
   Individual liberties are always "loopholes" to absolute authority.
---
  381 days since the first successful real return to launch site (SpaceX)


learn ham

2017-01-04 Thread Nicola Piazzi
I found it useful to put a little script like this in cron.
Every minute cron launches this script, which takes the messages of the last minute, reading 
from the maillog database.
Then it searches the filesystem for the related message and learns it as ham,
so that words that come from our company are classified correctly when someone resends them.
In this example I use the IP of my Exchange server to learn ham, but it can be 
anything.


#!/bin/bash
# learn.local.ham.sh
# Learn HAM from messages sent from the internal network in the last minute
# Put in cron every 1 minute:
# * * * * * /batch/learn.local.ham.sh

# Variables
Q="/var/spool/MailScanner/quarantine"   # Quarantine folder
L="/usr/bin/sa-learn --ham --no-sync"   # Message learn command


# START

# Message ids logged in the last minute for the internal sender IP.
# "mysql -p" with no password prompts on the terminal and hangs under cron:
# put the credentials in the cron user's ~/.my.cnf instead.
vsql="SELECT id FROM maillog WHERE clientip = '10.1.1.126' AND timestamp > DATE_SUB(now(), INTERVAL 1 MINUTE);"
m=( $( echo "$vsql" | mysql -N -u root -D mailscanner ) )


# Scan array and learn ham
for i in "${m[@]}"; do
    echo "$i"
    # Locate the quarantined copy of the message by its MailScanner id
    ii=$(find "$Q" -type f -name "$i")
    if [ -n "$ii" ] ; then
        echo "$ii"
        # $L and $ii are left unquoted on purpose: both must word-split
        $L $ii
    fi
done




Re: Detecting Valid Message Replies

2017-01-03 Thread Nicola Piazzi
Please take a look at this plugin:
http://saplugin.16mb.com/





-----Original Message-----
From: Christoffer G. Thomsen [mailto:li...@cgt.name] 
Sent: Tuesday, 3 January 2017 14:12
To: users@spamassassin.apache.org
Subject: Re: Detecting Valid Message Replies

On 2017-01-03 12:11, Rob Gunther wrote:
> Has anyone ever seen anything like that before for SA?  Does it exist 
> already or any type of plugin etc?

It's not SpamAssassin, but Rspamd (https://rspamd.com/) has a plugin called 
'replies' that stores message IDs of outgoing mails in Redis. If an incoming 
mail is a reply to a known outgoing message ID, the plugin will whitelist the 
incoming mail. It could probably be adapted to be used in the opposite way too, 
to blacklist or increase score for mails that reply to unknown message IDs. 
Perhaps a similar approach could be used in a SA plugin. Of course this does 
require a database, but at least you don't have to modify the MTA's message IDs 
(or become the MTA).
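The store-and-check logic Christoffer describes (outgoing Message-IDs recorded, incoming mail checked against them), written out as an added Python example. It is not the Rspamd 'replies' plugin and not a SpamAssassin plugin; an in-memory dict with an expiry time stands in for Redis, the sample messages are constructed, and the class and function names are my own. Besides recognising a reply to an ID we sent, it returns a distinct verdict for mail that claims to be a reply to an ID we never sent, which is the "opposite way" mentioned above.

```python
import hashlib
import time
from email import message_from_string

# Constructed sample messages (not real traffic)
OUTGOING = (
    "From: alice@example.com\n"
    "To: bob@example.net\n"
    "Message-ID: <20170103.7f3a9c@mail.example.com>\n"
    "Subject: Quote\n\nHello Bob\n"
)
REPLY_KNOWN = (
    "From: bob@example.net\n"
    "To: alice@example.com\n"
    "In-Reply-To: <20170103.7f3a9c@mail.example.com>\n"
    "References: <older@mail.example.com> <20170103.7f3a9c@mail.example.com>\n"
    "Subject: Re: Quote\n\nThanks\n"
)
REPLY_UNKNOWN = (
    "From: mallory@evil.example\n"
    "To: alice@example.com\n"
    "In-Reply-To: <never-sent@mail.example.com>\n"
    "Subject: Re: your invoice\n\nSee attachment\n"
)
FRESH = "From: carol@example.org\nTo: alice@example.com\nSubject: Hi\n\nHi\n"


class ReplyStore:
    """Remembers hashes of Message-IDs our MTA sent, for a limited time."""

    def __init__(self, ttl_seconds=7 * 86400):
        self.ttl = ttl_seconds
        self._expiry = {}  # sha256(message-id) -> unix time after which it is forgotten

    @staticmethod
    def _key(msgid):
        # Strip the angle brackets so "<id>" and "id" agree; hash so the store
        # does not hold the raw identifiers of our correspondence.
        return hashlib.sha256(msgid.strip().strip("<>").encode()).hexdigest()

    def record_outgoing(self, raw, now=None):
        """Called for every outbound message; returns False if it had no Message-ID."""
        msgid = message_from_string(raw).get("Message-ID")
        if not msgid:
            return False
        now = time.time() if now is None else now
        self._expiry[self._key(msgid)] = now + self.ttl
        return True

    @staticmethod
    def _claimed_parents(msg):
        # In-Reply-To holds one id; References holds a whitespace-separated list
        claimed = []
        if msg.get("In-Reply-To"):
            claimed.append(msg["In-Reply-To"])
        claimed.extend(msg.get("References", "").split())
        return claimed

    def classify(self, raw, now=None):
        """'known_reply', 'unknown_reply' or 'not_a_reply' for an inbound message."""
        msg = message_from_string(raw)
        now = time.time() if now is None else now
        claimed = self._claimed_parents(msg)
        if not claimed:
            return "not_a_reply"
        for parent in claimed:
            expiry = self._expiry.get(self._key(parent))
            if expiry is not None and expiry > now:
                return "known_reply"
        return "unknown_reply"


if __name__ == "__main__":
    store = ReplyStore()
    store.record_outgoing(OUTGOING)
    for name, raw in (("known", REPLY_KNOWN), ("unknown", REPLY_UNKNOWN), ("fresh", FRESH)):
        print(name, store.classify(raw))
```

The weak point of this scheme is the guessability of your own Message-IDs: if the MTA builds them from a counter or timestamp alone, a sender can forge In-Reply-To and collect the whitelist bonus, so check that outgoing IDs carry enough random bits before giving "known_reply" a large negative score. A "unknown_reply" verdict is only a weak signal on its own, since legitimate mail forwarded through other systems often carries References you never saw.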


Password Protected Archives

2016-12-05 Thread Nicola Piazzi
Hi
Is there a rule that catches PASSWORD PROTECTED ARCHIVE attachments?
I don't want to block them in MailScanner but catch them in a RULE to mix with other 
rules






Re: rbl check

2016-11-22 Thread Nicola Piazzi
OK, it seems that RBLs are disabled, but it seems that URIBL still checks. Is that correct?




-----Original Message-----
From: Benny Pedersen [mailto:m...@junc.eu] 
Sent: Friday, 18 November 2016 18:27
To: users@spamassassin.apache.org
Subject: Re: rbl check

Nicola Piazzi wrote on 2016-11-18 16:59:
> I use spamassassin in incoming and outgoing emails

+1

> Outgoing emails come from an internal ip

setup internal_networks and trusted_networks in local.cf

see more info in perldoc Mail::SpamAssassin::Conf

spamassassin needs to know ALL your wan ips, no exception

> Is there a way to avoid rbl checks when it come from an ip class ?

rbl will be disabled on trusted networks



rbl check

2016-11-18 Thread Nicola Piazzi
I use SpamAssassin on incoming and outgoing emails.
Outgoing emails come from an internal IP.
Is there a way to avoid RBL checks when they come from an IP range?




Additional great BlackList to use

2016-11-09 Thread Nicola Piazzi
Here are some results of some 'unconventional' RBLs that worked great on my system.
I tested spam/ham in the most realistic way possible, adding the score that each 
rule gives to the total when counting a message as spam.
For example, for a rule that has a score of 5, I count as spam the emails that hit 
this rule and have a score of 4 (default) + 5 (rule score) = 9.

Here in order :

[McAfee] (Absolutely the best, and I think that very few people know it)
Total Hit 10.779
Spam 10.766
Ham 13
Accuracy Very High 99,9%
Volume Very High 5,0%
header   C_RBL_MCAFEE  eval:check_rbl('mcafee-lastexternal', 'cidr.bl.mcafee.com.')
describe C_RBL_MCAFEE  Listed in cidr.bl.mcafee.com
tflags   C_RBL_MCAFEE  net
score    C_RBL_MCAFEE  7.00

[imp.ch]
Total Hit 330
Spam 329
Ham 1
Accuracy Very High 99,7%
Volume Very Low 0,2%
header   C_RBL_IMP_SPAMLIST  eval:check_rbl('spamrbl-lastexternal', 'spamrbl.imp.ch.', '127.0.0.5')
describe C_RBL_IMP_SPAMLIST  Listed in spamrbl.imp.ch
tflags   C_RBL_IMP_SPAMLIST  net
score    C_RBL_IMP_SPAMLIST  3.00

[psky]
Total Hit 13.027
Spam 12.939
Ham 88
Accuracy Very High 99,3%
Volume Very High 6,0%
header   __C_RBL_PSKY     eval:check_rbl('bad-psky-me-lastexternal', 'bad.psky.me.')
describe __C_RBL_PSKY     Check bad.psky.me
tflags   __C_RBL_PSKY     net
reuse    __C_RBL_PSKY
header   C_RBL_PSKY_BAD   eval:check_rbl_sub('bad-psky-me-lastexternal', '127.0.0.3')
describe C_RBL_PSKY_BAD   Listed in psky.me - Bad
score    C_RBL_PSKY_BAD   2.80
tflags   C_RBL_PSKY_BAD   net
reuse    C_RBL_PSKY_BAD
header   C_RBL_PSKY_POOR  eval:check_rbl_sub('bad-psky-me-lastexternal', '127.0.0.2')
describe C_RBL_PSKY_POOR  Listed in psky.me - Poor
score    C_RBL_PSKY_POOR  0.80
tflags   C_RBL_PSKY_POOR  net
reuse    C_RBL_PSKY_POOR


[Gbudb]
Total Hit 4.946
Spam 4.891
Ham 55
Accuracy High 98,9%
Volume High 2,3%
header   C_RBL_GBUDB  eval:check_rbl('truncate-lastexternal', 'truncate.gbudb.net.')
describe C_RBL_GBUDB  Listed in truncate.gbudb.net
tflags   C_RBL_GBUDB  net
score    C_RBL_GBUDB  5.00

[Inps.de]
Total Hit 7.963
Spam 7.774
Ham 189
Accuracy High 97,6%
Volume High 3,7%
header   C_RBL_DNSBL_INPS_DE  eval:check_rbl('inps-de-lastexternal', 'dnsbl.inps.de.')
describe C_RBL_DNSBL_INPS_DE  Received via a relay in inps.de DNSBL
tflags   C_RBL_DNSBL_INPS_DE  net
score    C_RBL_DNSBL_INPS_DE  3.00

[Blocklist.de]
Total Hit 330
Spam 321
Ham 9
Accuracy High 97,3%
Volume Very Low 0,2%
header   C_RBL_BLOCKLIST_DE  eval:check_rbl('bl.blocklist.de-lastexternal', 'bl.blocklist.de.')
describe C_RBL_BLOCKLIST_DE  Listed in bl.blocklist.de
tflags   C_RBL_BLOCKLIST_DE  net
score    C_RBL_BLOCKLIST_DE  1.00

[Wpbl]
Total Hit 7.404
Spam 7.092
Ham 312
Accuracy High 95,8%
Volume Very High 3,4%
header   C_RBL_WPBL  eval:check_rbl('wpbl-lastexternal', 'db.wpbl.info.')
describe C_RBL_WPBL  Listed in db.wpbl.info
tflags   C_RBL_WPBL  net
score    C_RBL_WPBL  2.50


[NiX Spam]
Total Hit 6.375
Spam 6.056
Ham 319
Accuracy Medium 95,0%
Volume High 2,9%
header   C_RBL_WPBL  eval:check_rbl('wpbl-lastexternal', 'db.wpbl.info.')
describe C_RBL_WPBL  Listed in db.wpbl.info
tflags   C_RBL_WPBL  net
score    C_RBL_WPBL  2.50





learn ham from internal messages

2016-10-28 Thread Nicola Piazzi
I use the same box for internal mail delivery.
I short-circuit internal messages that come from an internal IP.
I noticed that Bayes never learns from internal messages; if I take one and run 
sa-learn --ham on it, it answers that it has learned it.
Is it possible to learn automatically?






Useful and simple script to reduce high spam load at mta level, what do you think

2016-10-27 Thread Nicola Piazzi
This script can be used if you have MailScanner recording the results of SpamAssassin 
activity in a MySQL database and Postfix as MTA.






#!/bin/bash
# postban.sh
# Temporary Ban SpamOnly Ip
# -
#
# This script creates a table for Postfix that bans IPs that produced high spam results only
#
# 1) Put this script anywhere and set your parameters
# 2) Put in crontab a line like this to run every 15 minutes:
# */15 * * * * /batch/postban.sh
# 3) Modify your main.cf in Postfix at this line like here and then postfix reload:
# smtpd_client_restrictions = (OTHER YOUR PARAMETERS) check_client_access hash:/etc/postfix/postban_access



# Start time
start=`date +%s`

# Parameters
ROOTPWD="YOUR MYSQL PWD"   # Passed on the mysql command line below, so visible in ps;
                           # a ~/.my.cnf readable only by the cron user is safer
VSCORESPAM=9     # Search for IPs that have more than VSCORESPAM score
VMINSPAM=3600    # In the last VMINSPAM minutes
VSCOREHAM=5      # But exclude if the IP sent a message that has less than VSCOREHAM
VMINHAM=14400    # In the last VMINHAM minutes
# In the default config it blocks IPs that sent email scoring more than 9
# in the last 3600 minutes (60 hours), but excludes an IP that has a mail
# in the last 10 days (14400 minutes) that scored less than 5
VLOGFILE=/batch/postban.log            # Logfile position
VACCFILE=/etc/postfix/postban_access   # Access file position
RJMESSAGE="Il server utilizzato invia troppo spam"   # Reject message ("The server used sends too much spam")
CMDPOSTMAP="/usr/sbin/postmap /etc/postfix/postban_access"   # Postmap command

# Date & Time
NOW=$(date +"%m-%d-%Y %r")

# Touching log file
touch "$VLOGFILE"

# Main selection query, table mailscanner
# Only 10/8 and 192.168/16 are excluded here; internal relays in 172.16/12 are not
S1="SELECT clientip \
FROM mailscanner.maillog \
WHERE timestamp > DATE_SUB(now(), INTERVAL $VMINSPAM MINUTE) \
AND spamwhitelisted = 0 \
AND clientip NOT LIKE '10.%' \
AND clientip NOT LIKE '192.168.%' \
AND sascore > $VSCORESPAM \
GROUP BY clientip;"

echo "# Generated by postban.sh " $start > "$VACCFILE"
f=0;ff=0
res1=($(mysql -N -u root -p"${ROOTPWD}" -e "${S1}"))
cnt=${#res1[@]}
for (( i=0 ; i<${cnt} ; i++ ))
do
    #echo "Found line " $i " " ${res1[i]}
    CLIP=${res1[i]}
    # Spare the IP if it also sent something that scored as ham recently
    S2="SELECT clientip \
FROM mailscanner.maillog \
WHERE timestamp > DATE_SUB(now(), INTERVAL $VMINHAM MINUTE) \
AND clientip = '${CLIP}' \
AND sascore < $VSCOREHAM \
GROUP BY clientip;"
    #echo $S2
    res2=$(mysql -N -u root -p"${ROOTPWD}" -se "$S2")
    #echo $res2
    let "f++"
    if [[ $res2 == "" ]] ; then
        let "ff++"
        #echo "Not found ham so write spam ip " $CLIP
        # Postfix access map line: key REJECT text
        echo "$CLIP REJECT $RJMESSAGE" >> "$VACCFILE"
    fi

done

# Postmap (doing postmap is enough to get the new IP table without reloading)
eval $CMDPOSTMAP

# Logging
end=`date +%s`
runtime=$((end-start))
echo $NOW " Found" $f "spam ip," $ff "with no ham in the past written in reject table, time elapsed:" $runtime "sec." >> "$VLOGFILE"

# Truncating logfile
tail -n 500 "$VLOGFILE" > "$VLOGFILE.tmp"
mv "$VLOGFILE.tmp" "$VLOGFILE"
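The same ban selection as postban.sh, re-implemented as an added Python example (not the script above and not MailScanner code) so the rule can be checked against constructed rows without a live MySQL server. It does the ham exclusion in one query with NOT EXISTS instead of a per-IP loop, and decides "internal" with the ipaddress module over all RFC 1918 ranges, where the shell version only excludes 10/8 and 192.168/16. The columns used (clientip, timestamp, sascore, spamwhitelisted) are the ones the script queries; the table lives in in-memory SQLite here and the function names are my own.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True for RFC 1918 and loopback addresses; malformed strings are not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def select_spam_only_ips(conn, now, score_spam=9, minutes_spam=3600,
                         score_ham=5, minutes_ham=14400):
    """IPs that sent a message scoring above score_spam in the last minutes_spam
    minutes, unless the same IP also sent something scoring below score_ham in
    the last minutes_ham minutes. Timestamps are ISO strings, so comparing
    them as text is correct. CIDR filtering is done in Python afterwards
    because SQLite has no network type."""
    since_spam = (now - timedelta(minutes=minutes_spam)).isoformat(" ")
    since_ham = (now - timedelta(minutes=minutes_ham)).isoformat(" ")
    rows = conn.execute(
        """SELECT DISTINCT s.clientip FROM maillog s
           WHERE s.timestamp > ? AND s.spamwhitelisted = 0 AND s.sascore > ?
             AND NOT EXISTS (SELECT 1 FROM maillog h
                             WHERE h.clientip = s.clientip
                               AND h.timestamp > ? AND h.sascore < ?)
           ORDER BY s.clientip""",
        (since_spam, score_spam, since_ham, score_ham)).fetchall()
    return [ip for (ip,) in rows if not is_internal(ip)]


def render_access_map(ips, reject_message="Server sends too much spam"):
    """Text of a Postfix check_client_access hash: table, one 'key REJECT text' per line."""
    lines = ["# Generated by postban example"]
    lines += ["%s REJECT %s" % (ip, reject_message) for ip in ips]
    return "\n".join(lines) + "\n"


def build_sample_db(now):
    """Constructed maillog rows covering each branch of the rule."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maillog (clientip TEXT, timestamp TEXT, "
                 "sascore REAL, spamwhitelisted INTEGER)")
    rows = [
        ("203.0.113.10", now - timedelta(hours=1), 15.2, 0),  # spam only: banned
        ("203.0.113.20", now - timedelta(hours=2), 12.0, 0),  # spam, but ham 3 days ago: spared
        ("203.0.113.20", now - timedelta(days=3), 1.5, 0),
        ("203.0.113.30", now - timedelta(days=4), 20.0, 0),   # spam outside the 3600-minute window
        ("203.0.113.40", now - timedelta(hours=1), 11.0, 1),  # whitelisted in MailScanner
        ("172.20.1.5", now - timedelta(hours=1), 13.0, 0),    # internal relay, never banned
    ]
    conn.executemany("INSERT INTO maillog VALUES (?,?,?,?)",
                     [(ip, ts.isoformat(" "), sc, wl) for ip, ts, sc, wl in rows])
    return conn


if __name__ == "__main__":
    now = datetime(2017, 1, 5, 12, 0, 0)
    print(render_access_map(select_spam_only_ips(build_sample_db(now), now)))
```

Two things the single query buys over the loop: the ham check runs inside the database once rather than as one round trip per candidate IP, and there is no shell interpolation of a value read from the table into a second SQL statement.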


Re: Custom rule based on AWL score

2016-10-20 Thread Nicola Piazzi
Why not try my powerful plugin to reduce the score of known users?
It is based on people who answer us and, in my case, after 3 weeks of learning, 
it HITS 70% of incoming messages that are absolutely ham.


http://saplugin.16mb.com/




-----Original Message-----
From: John Hardin [mailto:jhar...@impsec.org] 
Sent: Thursday, 20 October 2016 18:36
To: users@spamassassin.apache.org
Subject: Re: Custom rule based on AWL score

On Thu, 20 Oct 2016, Ian Zimmerman wrote:

> On 2016-10-20 08:34, simplerezo wrote:
>
>> My understanding is that AWL is helping frequent senders who are 
>> known to not send spam to "reduce" their spam score, preventing false 
>> positive. That's exactly what I want to rely on for my rules: adding 
>> score for mail with "invoice" pretention and an attachment but only 
>> for very unknown users (or spammers).
>
> Just add your custom rules globally, with reasonable scores.
>
> Whitelisted senders get a _huge_ bonus (I think it's 100 points by 
> default, maybe customizable), so they won't be affected if you do it 
> right.

ITYM  -100 points. :)

Small but important detail... :)

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
   No representation without taxation!
---
  303 days since the first successful real return to launch site (SpaceX)


Re: rbldnsd

2016-10-17 Thread Nicola Piazzi
Thanks Antony.
The service works, but now how can I address a query to this server?
And how must the service name 'test' be inserted in the query?
usr/sbin/rbldnsd -n -b localhost/53 test:ip4tset:/rbldnsd/test.txt





-----Original Message-----
From: Antony Stone [mailto:antony.st...@spamassassin.open.source.it] 
Sent: Monday, 17 October 2016 15:04
To: users@spamassassin.apache.org
Subject: Re: rbldnsd

On Monday 17 October 2016 at 15:00:08, Nicola Piazzi wrote:

> Does someone use rbldnsd to create a personal RBL?
> I am unable to bind to port 53 (and other ports)

Oh?

> When I start it, it says that it binds:
> 
> [root@EFALIST rbldnsd]# ./start.sh
> rbldnsd: listening on ::1/53
> rbldnsd: listening on 127.0.0.1/53

So, it's listening on port 53, both IPv4 and IPv6.

> rbldnsd: ip4tset:/rbldnsd/test.txt: 20161017 101633: cnt=2
> rbldnsd: zones reloaded, time 0.0e/0.0u sec, mem arena=284 free=131 
> mmap=0 Kb rbldnsd: rbldnsd version 0.998 (05 Dec 2015) started (2 
> socket(s), 1
> zone(s))

Looks happy to me.

> But when I port-scan this host I find open only ports that belong to 
> other services, not 53:
> 
> [root@EFALIST ~]#  nmap -sT -O localhost

Try U instead of T.

DNS runs over UDP, not TCP.


Antony.

--
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.


rbldnsd

2016-10-17 Thread Nicola Piazzi
Does someone use rbldnsd to create a personal RBL?
I am unable to bind to port 53 (and other ports)

When I start it, it says that it binds:

[root@EFALIST rbldnsd]# ./start.sh
rbldnsd: listening on ::1/53
rbldnsd: listening on 127.0.0.1/53
rbldnsd: ip4tset:/rbldnsd/test.txt: 20161017 101633: cnt=2
rbldnsd: zones reloaded, time 0.0e/0.0u sec, mem arena=284 free=131 mmap=0 Kb
rbldnsd: rbldnsd version 0.998 (05 Dec 2015) started (2 socket(s), 1 zone(s))

But when I port-scan this host I find open only ports that belong to other 
services, not 53:

[root@EFALIST ~]#  nmap -sT -O localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-17 14:56 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.52s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
25/tcp open  smtp
No exact OS matches for host (If you know what OS is running on it, see 
http://nmap.org/submit/ ).
TCP/IP fingerprint:

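How a client actually asks a DNSBL, whether a public zone such as bad.psky.me in the blacklist thread above or the local rbldnsd zone 'test' from this thread: reverse the IPv4 octets, append the zone name, and read the 127.0.0.x A record back, which is what check_rbl and check_rbl_sub do with the return-code argument. This is an added Python example, not SpamAssassin's or rbldnsd's code; the zone contents are a constructed dict injected as the resolver so the block runs offline (pass resolver=None to use the system resolver), and the sub-rule table mirrors the psky.me rules posted earlier.

```python
import ipaddress
import socket

# Return code -> (rule name, score), as in the psky.me sub-rules above
PSKY_SUBRULES = {
    "127.0.0.2": ("C_RBL_PSKY_POOR", 0.80),
    "127.0.0.3": ("C_RBL_PSKY_BAD", 2.80),
}

# Constructed answers standing in for DNS (not real listings)
FAKE_DNS = {
    "7.113.0.203.bad.psky.me": ["127.0.0.3"],
    "8.113.0.203.bad.psky.me": ["127.0.0.2"],
    "9.113.0.203.bad.psky.me": ["93.184.216.34"],  # parked/wildcarded zone answer
    "2.0.0.10.test": ["127.0.0.2"],                 # entry in a local ip4tset zone
}


def rbl_query_name(ip, zone):
    """203.0.113.7 in bad.psky.me -> 7.113.0.203.bad.psky.me.
    For rbldnsd started with test:ip4tset:/file the zone is just 'test'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def lookup(name, resolver=FAKE_DNS):
    """A records for name; [] on NXDOMAIN. resolver=None queries the system."""
    if resolver is not None:
        return list(resolver.get(name, []))
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def listing_codes(ip, zone, resolver=FAKE_DNS):
    """Only answers inside 127.0.0.0/8 count as a listing. A dead zone that has
    been wildcarded, or a hijacked domain, returns a public address for every
    query; without this filter every message would hit the rule."""
    codes = []
    for answer in lookup(rbl_query_name(ip, zone), resolver):
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            codes.append(answer)
    return codes


def is_listed(ip, zone, resolver=FAKE_DNS):
    """Plain check_rbl: listed with any 127.0.0.x code."""
    return bool(listing_codes(ip, zone, resolver))


def check_rbl_sub(ip, zone, subrules, resolver=FAKE_DNS):
    """check_rbl_sub: map each return code to its own rule and score."""
    return [subrules[c] for c in listing_codes(ip, zone, resolver) if c in subrules]


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
        print(ip, check_rbl_sub(ip, "bad.psky.me", PSKY_SUBRULES))
    print("10.0.0.2 in local zone 'test':", is_listed("10.0.0.2", "test"))
```

Against the rbldnsd started as `test:ip4tset:/rbldnsd/test.txt`, the manual equivalent for 10.0.0.2 is `dig @127.0.0.1 2.0.0.10.test A`: the 'test' in the dataset spec is the zone name and goes after the reversed address. As Antony says, it answers on UDP, which is why the TCP scan above does not show port 53. The `-lastexternal` suffix in the rule set names above tells SpamAssassin to check only the last untrusted relay, which is why trusted_networks must be set correctly for these rules to test the right address.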



Re: ransomware URI list

2016-10-14 Thread Nicola Piazzi
But not all RW_URLBL.txt entries are contained in RW_DOMBL.txt, and vice versa.

For example 25z5g623wpqpdwis.onion.to doesn't have a match in RW_URLBL.txt.

And if I extract the domain 01ad681.netsolhost.com from http://01ad681.netsolhost.com/7j0jlq3, 
it is not in RW_DOMBL.txt.

?!






-----Original Message-----
From: Axb [mailto:axb.li...@gmail.com] 
Sent: Friday, 14 October 2016 10:41
To: users@spamassassin.apache.org
Subject: Re: ransomware URI list

On 10/14/2016 10:30 AM, Nicola Piazzi wrote:
> ABUSE.CH maintains an updated list of ransomware URLs; here is the txt file 
> link:
> https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
>
> It is very simple to make a shell script that checks for file changes every hour, 
> downloads the file if there is a new one, and writes a .cf rule using the data contained in 
> the file.
>
> But how to write a rule?
> We have more than 4000 URIs in the file; we can make a single rule like this, 
> separating the URIs with |:
>
> uri URIRAMS /http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> describe URIRAMS  Match a Ransomware URI
> score URIRAMS 5.00
>
> or is it better to separate each URI:
>
> uri __URIRAMS1 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
> uri __URIRAMS2 /http:\/\/1jamprofit\.com\/hjy93JNBasdas/
> meta URIRAMS (__URIRAMS1 | __URIRAMS2)
> describe URIRAMS  Match a Ransomware URI
> score URIRAMS 5.00
>
> Obviously this example is related to 2 entries, and we have 4000 entries here.
> Any suggestion?

Performance-wise, the best is to use a domain list in a local instance of rbldnsd. 
Sadly abuse.ch only publishes subdomain.example.net instead of example.net, so 
you'd have to do some scripted editing to remove the subdomain.

If you want to use static rules, base them on 
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt,

use __URI_BLAH and meta them together.



ransomware URI list

2016-10-14 Thread Nicola Piazzi
ABUSE.CH maintains an updated list of ransomware URLs; here is the txt file link:
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt

It is very simple to make a shell script that checks for file changes every hour, 
downloads the file if there is a new one, and writes a .cf rule using the data contained in 
the file.

But how to write a rule?
We have more than 4000 URIs in the file; we can make a single rule like this, 
separating the URIs with |:

uri URIRAMS /http:\/\/1natureresort\.com\/afdIJGY8766gyu|http:\/\/1jamprofit\.com\/hjy93JNBasdas/
describe URIRAMS  Match a Ransomware URI
score URIRAMS 5.00

or is it better to separate each URI:

uri __URIRAMS1 /http:\/\/1natureresort\.com\/afdIJGY8766gyu/
uri __URIRAMS2 /http:\/\/1jamprofit\.com\/hjy93JNBasdas/
meta URIRAMS (__URIRAMS1 | __URIRAMS2)
describe URIRAMS  Match a Ransomware URI
score URIRAMS 5.00

Obviously this example is related to 2 entries, and we have 4000 entries here.
Any suggestion?







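A generator for the two options discussed in this thread: a registrable-domain list for a local rbldnsd dnset zone (Axb's suggestion, with the subdomain stripped) and chunked uri sub-rules joined by one meta rule (the __URI_BLAH approach). This is an added Python example, not abuse.ch, rbldnsd or SpamAssassin code. The input list is constructed inside the block in the RW_URLBL.txt layout, and the domain extraction uses a two-entry stand-in for the Public Suffix List, which is an assumption: a real run should use a PSL library. Function names are my own.

```python
import re
from urllib.parse import urlsplit

SAMPLE_LIST = """\
# constructed sample in the RW_URLBL.txt layout (not real data)
http://1natureresort.com/afdIJGY8766gyu
http://1jamprofit.com/hjy93JNBasdas
http://01ad681.netsolhost.com/7j0jlq3
http://25z5g623wpqpdwis.onion.to/
http://www.example.co.uk/path/x.php
https://1natureresort.com/second-path
garbage line without a url
"""

# Assumption: a tiny stand-in for the Public Suffix List
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def parse_urls(text):
    """Keep only well-formed http(s) URLs; skip comments, blanks and junk."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = urlsplit(line)
        if parts.scheme in ("http", "https") and parts.hostname:
            urls.append(line)
    return urls


def registrable_domain(hostname):
    """Strip subdomains down to the registrable part (example.net, example.co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def rbldnsd_dnset(urls):
    """Sorted, de-duplicated domain lines for an rbldnsd dnset data file."""
    return sorted({registrable_domain(urlsplit(u).hostname) for u in urls})


def pcre_escape(text):
    """Escape Perl regex metacharacters and the '/' rule delimiter."""
    return re.sub(r"([\\.^$*+?()\[\]{}|/])", r"\\\1", text)


def sa_uri_rules(urls, name="URIRAMS", score=5.0, chunk=50):
    """__NAME1.. sub-rules of `chunk` alternatives each, joined by one meta rule."""
    subs, lines = [], []
    for n in range(0, len(urls), chunk):
        sub = "__%s%d" % (name, n // chunk + 1)
        subs.append(sub)
        alternation = "|".join(pcre_escape(u) for u in urls[n:n + chunk])
        lines.append("uri %s /(?:%s)/i" % (sub, alternation))
    lines.append("meta %s (%s)" % (name, " || ".join(subs)))
    lines.append("describe %s Match a Ransomware URI" % name)
    lines.append("score %s %.2f" % (name, score))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    urls = parse_urls(SAMPLE_LIST)
    print("\n".join(rbldnsd_dnset(urls)))
    print(sa_uri_rules(urls, chunk=2))
```

The onion.to and netsolhost.com entries show the trade-off behind the mismatch Nicola noticed between RW_URLBL and RW_DOMBL: a domain list collapses a hosted path to its provider, so either the whole provider is listed or the entry is dropped. Chunking keeps each uri rule short enough to read in a debug log and shows in the hit list which chunk fired; SpamAssassin evaluates the alternation once per extracted URI either way.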



take a look @ 2 great plugins

2016-10-03 Thread Nicola Piazzi
http://saplugin.16mb.com/

And tell me how they work 




Re: a .cf to prevent abuse of popular names

2016-10-03 Thread Nicola Piazzi
adsp_override dhl.com penalizes when someone spoofs the address, for example sending 
email with @dhl.com without DKIM,
but it doesn't catch when someone uses the DHL description in From, as in this example:
From: DHL Service d...@infectedpc.com



From: Paul Stead [mailto:paul.st...@zeninternet.co.uk]
Sent: Monday, 3 October 2016 13:03
To: users@spamassassin.apache.org
Subject: Re: a .cf to prevent abuse of popular names


On 03/10/16 10:14, Nicola Piazzi wrote:
# DHL
header   __AF_DHL_FROM    From =~ /([^a-zA-Z0-9]|^)dhl([^a-zA-Z0-9]|\b)/i
header   __AF_DHL_DOMAIN  From =~ /\@dhl\.com(>|\b)/i
meta     AF_VALID_DHL     (SPF_PASS || MXPF_PASS || DKIM_VALID_AU) && __AF_DHL_DOMAIN
describe AF_VALID_DHL     Valid dhl Sender
score    AF_VALID_DHL     -1.00
meta     AF_ABUSED_DHL    __AF_DHL_FROM && !AF_VALID_DHL
describe AF_ABUSED_DHL    Probably Abused dhl Sender Name
score    AF_ABUSED_DHL    1.00

An email sent with a valid SPF for a different domain than dhl.com would hit 
AF_VALID_DHL in this example...

A better way to validate the emails would be

---8<---
whitelist_auth *@dhl.com
---8<---

And to catch the potential abuse

---8<---
adsp_override dhl.com custom_med
---8<---

I'm part way through raising a bug request with a feature improvement which 
might help towards this too, watch this space

Paul
--
Paul Stead
Systems Engineer
Zen Internet


a .cf to prevent abuse of popular names

2016-10-03 Thread Nicola Piazzi
What do you think about a antiabuse.popular.domains.cf that contains a lot of 
paragraphs like this ?


# DHL
header   __AF_DHL_FROM    From =~ /([^a-zA-Z0-9]|^)dhl([^a-zA-Z0-9]|\b)/i
header   __AF_DHL_DOMAIN  From =~ /\@dhl\.com(>|\b)/i
meta     AF_VALID_DHL     (SPF_PASS || MXPF_PASS || DKIM_VALID_AU) && __AF_DHL_DOMAIN
describe AF_VALID_DHL     Valid dhl Sender
score    AF_VALID_DHL     -1.00
meta     AF_ABUSED_DHL    __AF_DHL_FROM && !AF_VALID_DHL
describe AF_ABUSED_DHL    Probably Abused dhl Sender Name
score    AF_ABUSED_DHL    1.00



__AF_DHL_FROM
Searches the From field for something that can tell users the message comes from DHL.
For example it matches something like: DHL EXPRESS 


__AF_DHL_DOMAIN
Checks whether the From domain is dhl.com

AF_VALID_DHL
True if this email is verified by SPF or DKIM or MXPF AND the domain is dhl.com


AF_ABUSED_DHL
True if there is some DHL reference in the From field (__AF_DHL_FROM) and it is not 
a verified dhl.com









TXREP doesn't work

2016-09-30 Thread Nicola Piazzi
After a new box installation I found that TxRep doesn't work.

The table is empty:
mysql> select * from txrep;
Empty set (0.00 sec)

Obviously I disabled AWL and loaded TxRep in v341.pre

Any suggestion? Any log possible?



Re: Re: Re: Re: regular expression needed

2016-09-28 Thread Nicola Piazzi
This is what I need, Bowie.
The query must be
select from_address, from_domain, to_address, subject from maillog where 
subject REGEXP '\b(?:(?:FedEx|Shipment|702193383246|Notification)\b.*?){3}';

But unfortunately MySQL gives an error:
ERROR 1139 (42000): Got error 'repetition-operator operand invalid' from regexp
MySQL regular expressions don't have lookarounds



From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 17:46
To: users@spamassassin.apache.org
Subject: Re: Re: Re: Re: regular expression needed

I don't know of a way to do that with a simple regex.  But since you are 
writing a plugin, you could do it by parsing the output of a regex search.

1) Create a regex which will match on any combination of 3 of the words.  This 
will let you pull all of the possible matches from previous emails.
Something like this:  /\b(?:(?:word1|word2|word3|word4)\b.*?){3}/

2) For each of the lines found by the previous regex, run another regex that 
captures all matched words.
/\b(word1|word2|word3|word4)\b/g    (note the global modifier to catch all 
matches)

3) Take a look at the results for each line and see if the regex matched at 
least 3 unique words.

I'm quite sure that this is not the most efficient method, but it should work.

Bowie
On 9/28/2016 11:20 AM, Nicola Piazzi wrote:
Obviously I intended to write a plugin that searches the DB.
But I need the regex syntax to search for at least 3 matching words out of the 4 
given.

From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 17:17
To: Nicola Piazzi <nicola.pia...@gruppocomet.it>; Spamassassin List <users@spamassassin.apache.org>
Subject: Re: Re: Re: regular expression needed

Please keep list emails on the list.

I don't think you could do a simple regex match for what you want.  As I said 
previously, this would require a plugin both to build the custom regex(s) (or 
DB query) and to search for the previous emails.  You would want to keep the 
prior email information in a database of some sort since doing a search of a 
large text file for every incoming email would probably be too slow.

Bowie
On 9/28/2016 10:05 AM, Nicola Piazzi wrote:
Flow:

I receive an email with subject "Federal Express Important invoice number 20"
The plugin searches for a regex in the maillog database over the mails of the last 10 days, 
and this regex matches 1 or more lines.
So we know that similar mails were received in the past.
It is normal to receive similar text, but not so normal to receive the same 
subject from different addresses directed to different internal users.




From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 16:01
To: users@spamassassin.apache.org
Subject: Re: Re: regular expression needed

I'm still not clear on exactly what you are trying to do, but in order to test 
anything against previous messages, you will need a custom SA plugin and some 
sort of database to store the information about previous emails.  That is 
beyond my area of expertise.

If you just need a regex to match something, I'd be happy to help, but I would 
need a more explicit description of what you are trying to match.

Bowie
On 9/28/2016 9:29 AM, Nicola Piazzi wrote:
Bowie, yours is a manual way; it works but is not automated.
Automation is a plugin that checks for similar words in older messages (for example 
3 of 4 words match).
Then the plugin checks if the sender domain is different and the recipient is different.




From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 15:26
To: users@spamassassin.apache.org
Subject: Re: regular expression needed

On 9/28/2016 9:02 AM, Nicola Piazzi wrote:

Usually we receive spam having subjects like these examples, in order of time:

Subject                                    From                To
FedEx Shipment 702193383647 Notification   j...@company1.com   s...@mycompany.it
FedEx Shipment 722566383641 Notification   a...@other.com

Re: Re: Re: regular expression needed

2016-09-28 Thread Nicola Piazzi
Obviously I intended to write a plugin that searches the DB.
But I need the regex syntax to search for at least 3 matching words out of the 4 
given.

From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 17:17
To: Nicola Piazzi; Spamassassin List
Subject: Re: Re: Re: regular expression needed

Please keep list emails on the list.

I don't think you could do a simple regex match for what you want.  As I said 
previously, this would require a plugin both to build the custom regex(s) (or 
DB query) and to search for the previous emails.  You would want to keep the 
prior email information in a database of some sort since doing a search of a 
large text file for every incoming email would probably be too slow.

Bowie
On 9/28/2016 10:05 AM, Nicola Piazzi wrote:
Flow:

I receive an email with subject "Federal Express Important invoice number 20"
The plugin searches for a regex in the maillog database over the mails of the last 10 days, 
and this regex matches 1 or more lines.
So we know that similar mails were received in the past.
It is normal to receive similar text, but not so normal to receive the same 
subject from different addresses directed to different internal users.




From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 16:01
To: users@spamassassin.apache.org
Subject: Re: Re: regular expression needed

I'm still not clear on exactly what you are trying to do, but in order to test 
anything against previous messages, you will need a custom SA plugin and some 
sort of database to store the information about previous emails.  That is 
beyond my area of expertise.

If you just need a regex to match something, I'd be happy to help, but I would 
need a more explicit description of what you are trying to match.

Bowie
On 9/28/2016 9:29 AM, Nicola Piazzi wrote:
Bowie, yours is a manual way; it works but is not automated.
Automation is a plugin that checks for similar words in older messages (for example 
3 of 4 words match).
Then the plugin checks if the sender domain is different and the recipient is different.




From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday, 28 September 2016 15:26
To: users@spamassassin.apache.org
Subject: Re: regular expression needed

On 9/28/2016 9:02 AM, Nicola Piazzi wrote:

Usually we receive spam having subjects like these examples, in order of time:

Subject                                    From                To
FedEx Shipment 702193383647 Notification   j...@company1.com   s...@mycompany.it
FedEx Shipment 722566383641 Notification   a...@other.com      a...@mycompany.it
FedEx Shipment 734563383644 Notification   i...@company1.com   lo...@mycompany.it
A package for you jim                      b...@cocacola.com   j...@mycompany.it
A package for you sue                      j...@buster.com     s...@mycompany.it


These come from viruses that infect different PCs in the world and send the same 
spam.
I want to write a plugin that tests each email, giving a penalty to these mails.
Detection routine:

A mail arrives.
Subject is: FedEx Shipment 702193383647 Notification
I search in the maillog table for a regex that MATCHES FedEx Shipment 702193383647 
Notification ALSO IN FedEx Shipment 722566383641 Notification AND IN FedEx 
Shipment 734563383644 Notification.
If it matches, I verify that the FROM DOMAIN IS DIFFERENT.
And then I verify that the TO ADDRESS IS DIFFERENT.

Now I need a regex syntax to put all the extracted words of the PHRASE FedEx Shipment 
734563383644 Notification and match if it finds at least 3 of 4 words.

Can someone help?

I don't follow exactly what you are trying to do in the description above, but 
for that problem, I would start with something like this:

header __FEDEX_ADDR From:addr =~ /\@fedex\.com/
header __FEDEX_SUBJ Subject =~ /FedEx Shipment/
meta FEDEX_SPAM  __FEDEX_SUBJ && ! 

R: regular expression needed

2016-09-28 Thread Nicola Piazzi
Bowie, yours is a manual way; it works but it is not automated.
Automation is a plugin that checks for similar words in older messages (for example 
3 of 4 words match).
Then the plugin checks whether the sender domain is different and the recipient is different.




From: Bowie Bailey [mailto:bowie_bai...@buc.com]
Sent: Wednesday 28 September 2016 15:26
To: users@spamassassin.apache.org
Subject: Re: regular expression needed

On 9/28/2016 9:02 AM, Nicola Piazzi wrote:

Usually we receive spam with subjects like these examples, in order of time:

Subject                                     From                To
FedEx Shipment 702193383647 Notification    j...@company1.com   s...@mycompany.it
FedEx Shipment 722566383641 Notification    a...@other.com      a...@mycompany.it
FedEx Shipment 734563383644 Notification    i...@company1.com   lo...@mycompany.it
A package for you jim                       b...@cocacola.com   j...@mycompany.it
A package for you sue                       j...@buster.com     s...@mycompany.it


These come from viruses that infect different PCs in the world and send the same 
spam.
I want to write a plugin that tests each email, giving a penalty to these mails.
Detection routine:

A mail arrives.
Subject is: FedEx Shipment 702193383647 Notification
I search in the maillog table for a regex that MATCHES FedEx Shipment 702193383647 
Notification ALSO IN FedEx Shipment 722566383641 Notification AND IN FedEx 
Shipment 734563383644 Notification.
If it matches, I verify that the FROM DOMAIN IS DIFFERENT.
And then I verify that the TO ADDRESS IS DIFFERENT.

Now I need a regex syntax to put all the extracted words of the PHRASE FedEx Shipment 
734563383644 Notification and match if it finds at least 3 of 4 words.

Can someone help?

I don't follow exactly what you are trying to do in the description above, but 
for that problem, I would start with something like this:

header __FEDEX_ADDR From:addr =~ /\@fedex\.com/
header __FEDEX_SUBJ Subject =~ /FedEx Shipment/
meta   FEDEX_SPAM   __FEDEX_SUBJ && ! __FEDEX_ADDR
score  FEDEX_SPAM   2.0

(Off the top of my head and completely untested.  Adjust score as required.)

This will hit any email with "FedEx Shipment" in the subject that doesn't come 
from fedex.com.  Note that it will also hit on any legitimate FedEx emails that 
have been forwarded.  You could minimize this by constraining the subject match 
to be at the beginning of the line (/^Fedex Shipment/).  This may or may not 
have an effect on spam detection.  You could also do a test for non-FedEx urls 
in the body rather than looking at the sender.

You could use a simple subject line test for the "A package for you" emails, 
unless you know of a valid delivery service that uses that phrase.

--
Bowie


regular expression needed

2016-09-28 Thread Nicola Piazzi
Usually we receive spam with subjects like these examples, in order of time:

Subject                                     From                To
FedEx Shipment 702193383647 Notification    j...@company1.com   s...@mycompany.it
FedEx Shipment 722566383641 Notification    a...@other.com      a...@mycompany.it
FedEx Shipment 734563383644 Notification    i...@company1.com   lo...@mycompany.it
A package for you jim                       b...@cocacola.com   j...@mycompany.it
A package for you sue                       j...@buster.com     s...@mycompany.it


These come from viruses that infect different PCs in the world and send the same 
spam.
I want to write a plugin that tests each email, giving a penalty to these mails.
Detection routine:

A mail arrives.
Subject is: FedEx Shipment 702193383647 Notification
I search in the maillog table for a regex that MATCHES FedEx Shipment 702193383647 
Notification ALSO IN FedEx Shipment 722566383641 Notification AND IN FedEx 
Shipment 734563383644 Notification.
If it matches, I verify that the FROM DOMAIN IS DIFFERENT.
And then I verify that the TO ADDRESS IS DIFFERENT.

Now I need a regex syntax to put all the extracted words of the PHRASE FedEx Shipment 
734563383644 Notification and match if it finds at least 3 of 4 words.

Can someone help?


Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it
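The detection routine described in this thread (at least 3 of 4 subject words in common with earlier messages, then a different sender domain and a different recipient), worked through as an added Python example. This is not SpamAssassin code and not the plugin the poster went on to write; the maillog rows, the domains and the function names are constructed. It also builds the "at least k of n words" regex the post asks for, as lookahead alternatives, which is the general form of the 3-of-4 case.

```python
import re
from dataclasses import dataclass
from itertools import combinations

WORD_RE = re.compile(r"[A-Za-z0-9]+")


@dataclass(frozen=True)
class LogEntry:
    """One row of the maillog table the post talks about (constructed)."""
    subject: str
    sender: str
    recipient: str


# Constructed sample rows modelled on the examples in the post; the third
# row is an internal user's reply, which must not count as a campaign hit.
MAILLOG = [
    LogEntry("FedEx Shipment 702193383647 Notification",
             "jim@company1.example", "sue@mycompany.example"),
    LogEntry("FedEx Shipment 722566383641 Notification",
             "ann@other.example", "al@mycompany.example"),
    LogEntry("Re: FedEx Shipment 702193383647 Notification",
             "sue@mycompany.example", "jim@company1.example"),
    LogEntry("Your invoice 1234 is ready",
             "billing@vendor.example", "al@mycompany.example"),
]

LOCAL_DOMAINS = {"mycompany.example"}   # our own domains (constructed)


def subject_words(subject):
    """Lower-cased alphanumeric words of a subject line."""
    return [w.lower() for w in WORD_RE.findall(subject)]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def any_k_of_n_regex(subject, k):
    """The regex the poster asked for: it matches any string containing at
    least k of the distinct words of `subject`, in any order.

    Each k-subset of the words becomes one alternative made of lookaheads,
    so the pattern has C(n, k) alternatives; fine for short subject lines."""
    words = sorted(set(subject_words(subject)))
    if k > len(words):
        raise ValueError("k is larger than the number of distinct words")
    alternatives = [
        "".join(r"(?=.*\b%s\b)" % re.escape(w) for w in combo)
        for combo in combinations(words, k)
    ]
    return re.compile("^(?:" + "|".join(alternatives) + ")",
                      re.IGNORECASE | re.DOTALL)


def campaign_matches(new, log, k=3, local_domains=LOCAL_DOMAINS):
    """Earlier rows whose subject shares at least k words with `new` and
    that came from a different sender domain to a different recipient:
    the "same campaign, many infected senders" pattern of the post.
    Rows sent by our own domains are skipped so replies do not count."""
    pattern = any_k_of_n_regex(new.subject, k)
    hits = []
    for row in log:
        if sender_domain(row.sender) in local_domains:
            continue
        if sender_domain(row.sender) == sender_domain(new.sender):
            continue
        if row.recipient.lower() == new.recipient.lower():
            continue
        if pattern.search(row.subject):
            hits.append(row)
    return hits


def campaign_penalty(new, log, k=3, per_hit=1.0, cap=3.0):
    """Score to add: one point per matching earlier message, capped so a
    single large campaign does not swamp the rest of the score."""
    return min(cap, per_hit * len(campaign_matches(new, log, k)))
```

A plugin would run campaign_penalty against the real maillog table and return the value as a score. The local_domains filter matters: an internal reply carries the same subject words and would otherwise be counted as yet another infected sender.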


R: R: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread Nicola Piazzi
I am off topic if you think that postfix is not spamassassin.
I think that this is not a Microsoft problem because Exchange answers correctly 
to unknown recipients.
I suppose that there is something in the return string that postfix doesn't like.

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna – Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it



-Original Message-
From: Axb [mailto:axb.li...@gmail.com] 
Sent: Wednesday 7 September 2016 10:59
To: users@spamassassin.apache.org
Subject: Re: R: postfix reject_unverified_recipient and Exchange 2016

This is totally off topic.
You are on the wrong list for these questions.
Use the MS knowledge base.

On 09/07/2016 10:56 AM, Nicola Piazzi wrote:
> It seems NOT a Microsoft problem because with "Recipient Filter Agent" 
> Exchange answers "550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient 
> not found by SMTP address lookup" when a recipient is not found.
> So I don't know why, when postfix gets "550 5.1.10 RESOLVER.ADR.RecipientNotFound; 
> Recipient not found by SMTP address lookup" from Exchange 2016, it doesn't 
> consider that recipient nonexistent.
> Can someone write me the answer of Exchange 2010 to a nonexistent recipient?
>
>
>
>
>
> Nicola Piazzi
> CED - Sistemi
> COMET s.p.a.
> Via Michelino, 105 - 40127 Bologna - Italia Tel.  +39 051.6079.293 
> Cell. +39 328.21.73.470
> Web: www.gruppocomet.it
>
>
> -Original Message-
> From: li...@rhsoft.net [mailto:li...@rhsoft.net]
> Sent: Wednesday 7 September 2016 10:49
> To: users@spamassassin.apache.org
> Subject: Re: postfix reject_unverified_recipient and Exchange 2016
>
>
>
> On 07.09.2016 at 10:42, Nicola Piazzi wrote:
>> I have a problem using reject_unverified_recipient to verify under 
>> Exchange 2016 that I don't have with Exchange 2010
>
> how is that a spamassassin or even postfix related problem?
>
> call Microsoft support and ask why their stuff is playing backscatter in 
> recent versions (as you can see by all the Exchange bounces flying 
> around on the web)
>
> there is nothing the delivery software can do when Exchange has no 
> clue about its valid rcpts until it has received and acknowledged the 
> full message instead of just rejecting the rcpt
>
> workaround: list your valid RCPTs directly on your inbound MX and 
> maintain it in parallel to Exchange
>
>> Postfix is used to send and receive mail and sits between the internet 
>> and the internal Exchange Server.
>> Now, when an internet user sends an email to our domain, postfix verifies 
>> it by making an RCPT TO to our Exchange using the 
>> reject_unverified_recipient instruction. This worked well with 
>> Exchange 2010 but now with Exchange 2016 it doesn't work.
>> Exchange 2016 needs the installation of Recipient Filter Agent and 
>> obviously I installed it.
>> Now we have the Frontend Transport that answers at port 25 and verifies 
>> the recipient at DATA phase and the Hub Transport that answers at port 
>> 2525 and verifies the recipient at RCPT TO.
>>
>> Here is Exchange 2016 at port 25, which verifies an unknown recipient at 
>> DATA phase:
>> telnet 10.1.1.126 25
>> 220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
>> helo me
>> 250 GEMMA.gruppocomet.net Hello [10.2.6.4]
>> mail from:e...@ext.com
>> 250 2.1.0 Sender OK
>> rcpt to:doesntex...@gruppocomet.it
>> 250 2.1.5 Recipient OK
>> data
>> 354 Start mail input; end with .
>> some data




R: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread Nicola Piazzi
It seems NOT a Microsoft problem because with "Recipient Filter Agent" Exchange 
answers "550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP 
address lookup" when a recipient is not found.
So I don't know why, when postfix gets "550 5.1.10 
RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup" 
from Exchange 2016, it doesn't consider that recipient nonexistent.
Can someone write me the answer of Exchange 2010 to a nonexistent recipient?





Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it


-Original Message-
From: li...@rhsoft.net [mailto:li...@rhsoft.net] 
Sent: Wednesday 7 September 2016 10:49
To: users@spamassassin.apache.org
Subject: Re: postfix reject_unverified_recipient and Exchange 2016



On 07.09.2016 at 10:42, Nicola Piazzi wrote:
> I have a problem using reject_unverified_recipient to verify under 
> Exchange 2016 that I don't have with Exchange 2010

how is that a spamassassin or even postfix related problem?

call Microsoft support and ask why their stuff is playing backscatter in recent 
versions (as you can see by all the Exchange bounces flying around on the web)

there is nothing the delivery software can do when Exchange has no clue about 
its valid rcpts until it has received and acknowledged the full message instead 
of just rejecting the rcpt

workaround: list your valid RCPTs directly on your inbound MX and maintain it 
in parallel to Exchange

> Postfix is used to send and receive mail and sits between the internet 
> and the internal Exchange Server.
> Now, when an internet user sends an email to our domain, postfix verifies 
> it by making an RCPT TO to our Exchange using the 
> reject_unverified_recipient instruction. This worked well with 
> Exchange 2010 but now with Exchange 2016 it doesn't work.
> Exchange 2016 needs the installation of Recipient Filter Agent and 
> obviously I installed it.
> Now we have the Frontend Transport that answers at port 25 and verifies 
> the recipient at DATA phase and the Hub Transport that answers at port 
> 2525 and verifies the recipient at RCPT TO.
>
> Here is Exchange 2016 at port 25, which verifies an unknown recipient at 
> DATA phase:
> telnet 10.1.1.126 25
> 220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
> helo me
> 250 GEMMA.gruppocomet.net Hello [10.2.6.4]
> mail from:e...@ext.com
> 250 2.1.0 Sender OK
> rcpt to:doesntex...@gruppocomet.it
> 250 2.1.5 Recipient OK
> data
> 354 Start mail input; end with .
> some data


postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread Nicola Piazzi

I have a problem using reject_unverified_recipient to verify under Exchange 
2016 that I don't have with Exchange 2010.

Postfix is used to send and receive mail and sits between the internet and the 
internal Exchange Server.
Now, when an internet user sends an email to our domain, postfix verifies it by 
making an RCPT TO to our Exchange using the reject_unverified_recipient instruction.
This worked well with Exchange 2010 but now with Exchange 2016 it doesn't work.
Exchange 2016 needs the installation of Recipient Filter Agent and obviously I 
installed it.
Now we have the Frontend Transport that answers at port 25 and verifies the 
recipient at DATA phase and the Hub Transport that answers at port 2525 and 
verifies the recipient at RCPT TO.

Here is Exchange 2016 at port 25, which verifies an unknown recipient at DATA phase:
telnet 10.1.1.126 25
220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
helo me
250 GEMMA.gruppocomet.net Hello [10.2.6.4]
mail from:e...@ext.com
250 2.1.0 Sender OK
rcpt to:doesntex...@gruppocomet.it
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
some data
.
550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup


Here is Exchange 2016 at port 2525, which verifies an unknown recipient at RCPT TO phase:
telnet 10.1.1.126 2525
220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
helo me
250 GEMMA.gruppocomet.net Hello [10.2.6.4]
mail from:e...@ext.com
250 2.1.0 Sender OK
rcpt to:doesntex...@gruppocomet.it
550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup

When I connect to a Postfix configured with reject_unverified_recipient it 
doesn't work.
I tried to transport the domain to Exchange at port 2525 and at port 25 using the 
parameter smtp_address_verify_target = data

Postfix answers OK at RCPT TO of doesntex...@gruppocomet.it and needs some 
time to answer, so I suppose that it makes the call to Exchange.
RCPT TO is immediate if I remove reject_unverified_recipient.



Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it
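To see why a verification probe gets a 250 at RCPT TO on port 25 but a 550 on port 2525, here is an added model, my own code and not Postfix's or Exchange's, of the two transcripts above as in-process fake servers, probed the way an address-verification probe works: it never sends a message body. The assumption that a probe with a "data" target stops at the reply to the DATA command, rather than sending content and a terminating ".", is mine; check the Postfix documentation for smtp_address_verify_target before relying on it. Host names, addresses and the "double-bounce" probe sender are constructed.

```python
REJECT_550 = ("550 5.1.10 RESOLVER.ADR.RecipientNotFound; "
              "Recipient not found by SMTP address lookup")


class FakeExchange:
    """Scripted stand-in for the Exchange server of the post (constructed).

    reject_at selects when an unknown recipient is refused:
      'rcpt' - at RCPT TO, like the Hub Transport on port 2525 in the post
      'eod'  - only after the end-of-data '.', like the Frontend Transport
               on port 25 in the post (RCPT TO and DATA both succeed)
      'data' - at the DATA command itself (constructed third variant)
    """

    def __init__(self, known_recipients, reject_at):
        if reject_at not in ("rcpt", "data", "eod"):
            raise ValueError(reject_at)
        self.known = {r.lower() for r in known_recipients}
        self.reject_at = reject_at
        self.rcpt_known = True

    def handle(self, line):
        cmd = line.strip()
        upper = cmd.upper()
        if upper.startswith("HELO") or upper.startswith("EHLO"):
            return "250 mail.example.test Hello"
        if upper.startswith("MAIL FROM:"):
            self.rcpt_known = True
            return "250 2.1.0 Sender OK"
        if upper.startswith("RCPT TO:"):
            addr = cmd.split(":", 1)[1].strip().strip("<>").lower()
            self.rcpt_known = addr in self.known
            if not self.rcpt_known and self.reject_at == "rcpt":
                return REJECT_550
            return "250 2.1.5 Recipient OK"
        if upper == "DATA":
            if not self.rcpt_known and self.reject_at == "data":
                return REJECT_550
            return "354 Start mail input; end with ."
        if cmd == ".":
            if not self.rcpt_known and self.reject_at == "eod":
                return REJECT_550
            return "250 2.6.0 Queued"
        if upper == "QUIT":
            return "221 Bye"
        if upper == "RSET":
            return "250 2.0.0 Resetting"
        return "500 5.5.1 Command unrecognized"


def verify_recipient(server, rcpt, target="rcpt"):
    """Probe `rcpt` the way an address-verification probe does: no message
    body is ever sent. With target 'rcpt' the verdict comes from the RCPT TO
    reply; with target 'data' the probe also issues DATA and takes the
    verdict from that reply (my assumption about a 'data' target, see the
    lead-in). Returns (verdict, transcript)."""
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        return reply

    send("HELO probe.example.test")
    send("MAIL FROM:<double-bounce@probe.example.test>")
    reply = send("RCPT TO:<%s>" % rcpt)
    if reply.startswith("5"):
        verdict = "undeliverable"
    elif target == "data":
        reply = send("DATA")
        verdict = "undeliverable" if reply.startswith("5") else "deliverable"
    else:
        verdict = "deliverable"
    send("QUIT")          # the probe abandons the session here: no body, no '.'
    return verdict, transcript


def verification_matrix(unknown="doesntexist@example.test"):
    """Verdict for an unknown recipient for every (server behaviour, probe
    target) pair; 'deliverable' for an unknown address is a missed rejection."""
    result = {}
    for reject_at in ("rcpt", "data", "eod"):
        for target in ("rcpt", "data"):
            server = FakeExchange(["user@example.test"], reject_at)
            result[(reject_at, target)] = verify_recipient(server, unknown, target)[0]
    return result
```

verification_matrix() shows the consequence of the port-25 behaviour in the transcript: a server that rejects only after end-of-data looks deliverable to both probe targets, since the probe never reaches the ".", which is consistent with reject_unverified_recipient accepting the unknown address. Only the RCPT-time rejection of the port-2525 transcript is visible to a probe.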


 



Relaycountry problem

2016-09-02 Thread Nicola Piazzi
header RELAYCOUNTRY_IT    X-Relay-Countries =~ /IT/
header RELAYCOUNTRY_BAD   X-Relay-Countries =~ /^(US|CN|RU|UA|JP|HK|UK|DE|BR|IN)/

in some cases I have both results in the spam report; I suppose that is because 
the plugin evaluates all IP addresses and not lastexternal, is that correct?
is there a way to check only lastexternal? any suggestion?

then there is a problem adding the header: I never found it in my headers, how is 
it possible that the rule finds it?



 



2 Plugins

2016-08-30 Thread Nicola Piazzi
Here are 2 self-made plugins
http://saplugin.16mb.com/

If someone sends me feedback it will be appreciated




 



R: R: R: Shortcircuit work partially

2016-08-30 Thread Nicola Piazzi
How to do it synchronously?
It is not important whether a single mail is processed in 5 or 50 seconds
For me it is most important to reduce load



-Original Message-
From: RW [mailto:rwmailli...@googlemail.com] 
Sent: Tuesday 30 August 2016 17:24
To: users@spamassassin.apache.org
Subject: Re: R: R: Shortcircuit work partially

On Tue, 30 Aug 2016 14:48:03 +
Nicola Piazzi wrote:

> em is that dns checks are made asynchronously; if they were made 
> synchronously it would happen like you said. It is not important slowing 
> down all messages because I save a lot of queries and cpu

Running them synchronously would mean running them consecutively. What I think 
you want would involve running them asynchronously, but starting them later. 

This would reduce dns lookups, but scans would generally take longer.


R: R: Shortcircuit work partially

2016-08-30 Thread Nicola Piazzi
BAYES_ZERO is:
body  BAYES_ZERO  eval:check_bayes('0.00', '0.00')
but it is the same with all other rules.
The problem is that dns checks are made asynchronously;
if they were made synchronously it would happen like you said.
It is not important slowing down all messages because I save a lot of queries and 
cpu.

-Original Message-
From: Bowie Bailey [mailto:bowie_bai...@buc.com] 
Sent: Tuesday 30 August 2016 16:44
To: users@spamassassin.apache.org
Subject: Re: R: Shortcircuit work partially

I'm assuming that BAYES_ZERO is a meta of some sort.  Would you also need to 
set priority on the other referenced rules, or does SA handle that?

Also, keep in mind that if you can make this work, you will effectively be 
speeding up the processing of mail that matches BAYES_ZERO (slightly), while 
slowing down the processing of all other mail.  This is because SA will now 
have to wait for Bayes calculations before sending the DNS requests to check 
blacklists.

Bowie

On 8/30/2016 10:37 AM, Axb wrote:
> shot in the dark:
> what happens if you do
>
> priority BAYES_ZERO -2000
> shortcircuit BAYES_ZERO     ham
>
> On 08/30/2016 04:30 PM, Nicola Piazzi wrote:
>> And there is not a solution ?
>>
>> Nicola Piazzi
>> CED - Sistemi
>> COMET s.p.a.
>> Via Michelino, 105 - 40127 Bologna - Italia Tel.  +39 051.6079.293 
>> Cell. +39 328.21.73.470
>> Web: www.gruppocomet.it
>>
>>
>>
>> -Original Message-
>> From: li...@rhsoft.net [mailto:li...@rhsoft.net]
>> Sent: Tuesday 30 August 2016 16:26
>> To: users@spamassassin.apache.org
>> Subject: Re: Shortcircuit work partially
>>
>>
>>
>> On 30.08.2016 at 16:21, Nicola Piazzi wrote:
>>> When I shortcircuit a rule, not all others are bypassed
>>>
>>> Here an example ...
>>>
>>> Local.cf :
>>> priority BAYES_ZERO -980
>>> shortcircuit BAYES_ZERO ham
>>
>> the dns stuff is fired asynchronous long before bayes is even 
>> evaluated
>>
>>> Spam report :
>>> -0.03 ABUSIX_PRESENCE Contatto Anti-Abuse presente in 
>>> abuse-contacts.abusix.org
>>> -1.00 BAYES_ZERO Bayes Zero Percento Assoluto
>>> 0.10 C_RBL_ANTICAPTCHA Listed in dnsbl.anticaptcha.net
>>> 0.10 C_RBL_DNSRBL Listed in DnsRbl.org
>>> 0.20 C_RBL_KONSTANT Listed in bl.konstant.no
>>> 0.10 C_RBL_MEGARBL Listed in rbl.megarbl.net
>>> 0.10 C_RBL_NETUA Listed in dnsbl.net.ua
>>> -0.30 C_RBL_NSZONES_WL NSZONES - WhiteList
>>> 0.10 C_RBL_SINGULAR Listed in singular.ttk.pte.hu
>>> 0.10 C_RBL_SWINOG_SPAM Listed in dnsrbl.swinog.ch.
>>> 0.10 C_RBL_UNSUBSCORE Listed in ubl.unsubscore.com
>>> -100.00 SHORTCIRCUIT Not all rules were run, due to a shortcircuited 
>>> rule
>>> -0.35 URIBL_HOSTKARMA_Y Dominio in HostKarma YellowList
>
>



R: Shortcircuit work partially

2016-08-30 Thread Nicola Piazzi
And there is not a solution ?

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it



-Original Message-
From: li...@rhsoft.net [mailto:li...@rhsoft.net] 
Sent: Tuesday 30 August 2016 16:26
To: users@spamassassin.apache.org
Subject: Re: Shortcircuit work partially



On 30.08.2016 at 16:21, Nicola Piazzi wrote:
> When I shortcircuit a rule, not all others are bypassed
>
> Here an example ...
>
> Local.cf :
> priority BAYES_ZERO -980
> shortcircuit BAYES_ZERO ham

the dns stuff is fired asynchronous long before bayes is even evaluated

> Spam report :
> -0.03 ABUSIX_PRESENCE Contatto Anti-Abuse presente in 
> abuse-contacts.abusix.org
> -1.00 BAYES_ZERO Bayes Zero Percento Assoluto
> 0.10 C_RBL_ANTICAPTCHA Listed in dnsbl.anticaptcha.net
> 0.10 C_RBL_DNSRBL Listed in DnsRbl.org
> 0.20 C_RBL_KONSTANT Listed in bl.konstant.no
> 0.10 C_RBL_MEGARBL Listed in rbl.megarbl.net
> 0.10 C_RBL_NETUA Listed in dnsbl.net.ua
> -0.30 C_RBL_NSZONES_WL NSZONES - WhiteList
> 0.10 C_RBL_SINGULAR Listed in singular.ttk.pte.hu
> 0.10 C_RBL_SWINOG_SPAM Listed in dnsrbl.swinog.ch.
> 0.10 C_RBL_UNSUBSCORE Listed in ubl.unsubscore.com
> -100.00 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
> -0.35 URIBL_HOSTKARMA_Y Dominio in HostKarma YellowList


Shortcircuit work partially

2016-08-30 Thread Nicola Piazzi
When I shortcircuit a rule, not all others are bypassed

Here an example ...

Local.cf :
priority BAYES_ZERO -980
shortcircuit BAYES_ZERO ham

Spam report :
-0.03 ABUSIX_PRESENCE Contatto Anti-Abuse presente in abuse-contacts.abusix.org 
-1.00 BAYES_ZERO Bayes Zero Percento Assoluto 
0.10 C_RBL_ANTICAPTCHA Listed in dnsbl.anticaptcha.net 
0.10 C_RBL_DNSRBL Listed in DnsRbl.org 
0.20 C_RBL_KONSTANT Listed in bl.konstant.no 
0.10 C_RBL_MEGARBL Listed in rbl.megarbl.net 
0.10 C_RBL_NETUA Listed in dnsbl.net.ua 
-0.30 C_RBL_NSZONES_WL NSZONES - WhiteList 
0.10 C_RBL_SINGULAR Listed in singular.ttk.pte.hu 
0.10 C_RBL_SWINOG_SPAM Listed in dnsrbl.swinog.ch. 
0.10 C_RBL_UNSUBSCORE Listed in ubl.unsubscore.com 
-100.00 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule 
-0.35 URIBL_HOSTKARMA_Y Dominio in HostKarma YellowList

 



rule with multiple lines

2016-08-18 Thread Nicola Piazzi
Is there a way to have multiple lines in a single rule?

For example:
meta OW_SENT_EMAIL ( OW_T_SENT_EMAIL && ! OW_T_REF_EMAIL && ! OW_T_REF_FULL && ! OW_REF_THIS && OW_PASS)

It would be better as:
meta OW_SENT_EMAIL ( OW_T_SENT_EMAIL
                     && ! OW_T_REF_EMAIL
                     && ! OW_T_REF_FULL
                     && ! OW_REF_THIS
                     && OW_PASS)

 



R: A domain category that all need

2016-08-18 Thread Nicola Piazzi
I made a plugin that watches whether someone answers us: I check if in the header 
there is a reference to a message id that we sent in the past.

So when I receive a mail from j...@cocacola.it and it has a reference I 
whitelist @cocacola.it
When I receive j...@gmail.com I whitelist just j...@gmail.com



Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it



-Original Message-
From: Benny Pedersen [mailto:m...@junc.eu] 
Sent: Thursday 18 August 2016 14:13
To: users@spamassassin.apache.org
Subject: Re: A domain category that all need

On 2016-08-18 09:31, Nicola Piazzi wrote:
> A DNS service (URIBL) that tells whether a domain is public or private 
> could be very useful. If it is private I can whitelist the entire domain 
> instead of address by address when I receive a ham from one. For example:
> I cannot WL gmail.com if I receive a ham from j...@gmail.com, but I can 
> WL cocacola.com if I receive ham from s...@cocacola.com because only 
> cocacola.com users can use the cocacola.com domain. Do you know something 
> about it?

https://dane.sys4.de/smtp/cocacola.com
https://dane.sys4.de/smtp/gmail.com

not dnssec domains, so a dkim whitelist will be an insecure whitelist of forged 
domains; if you like to live with that just do it anyway with whitelist_from_dkim 
*@cococola.com, and whitelist_from_dkim frie...@gmail.com

but why is a whitelist needed in the first place? did they send spam that got 
into the junk folder?




R: R: R: A domain category that all need

2016-08-18 Thread Nicola Piazzi

On 08/18/2016 10:20 AM, Nicola Piazzi wrote:
> 1)
>>> Another thing, the date of files is # Updated 2014-09-17-axb
>> What is the problem with that?
> Problem that now we are in 2016

so? I committed the last update in 2014.
Ok, but it is very probable that since 2014 a lot of new freemail services were born


> 2)
> FREEMAIL_FROM rule have description “Sender email is commonly abused enduser 
> mail provider”
> Is this the rule to use if I want to know if MAIL FROM is from any kind of 
> freemail provider ?
> If is so description must be changed to “Sender email is enduser mail 
> provider”

The description is correct. Domain list is about "commonly abused"

If you want to change it in your system,  add to your local.cf

describe FREEMAIL_FROM  whatever YOU want.
I know that I can do it, but my question is: is there a reason to write 
"commonly abused" in the default description?


>
>
> Nicola Piazzi
> CED - Sistemi
> COMET s.p.a.
> Via Michelino, 105 - 40127 Bologna – Italia Tel.  +39 051.6079.293 
> Cell. +39 328.21.73.470
> Web: www.gruppocomet.it
>
>
>
> -Original Message-
> From: Axb [mailto:axb.li...@gmail.com]
> Sent: Thursday 18 August 2016 10:16
> To: users@spamassassin.apache.org
> Subject: Re: R: A domain category that all need
>
> On 08/18/2016 10:04 AM, Nicola Piazzi wrote:
>> This is a good idea, but there are 2 files :
>> 20_freemail_mailcom_domains.cf
>> 20_freemail_domains.cf
>> The first is commonly abused only
>> FREEMAIL_FROM rule search in both but have a strange description “Sender 
>> email is commonly abused enduser mail provider”
>> It tell ‘commonly abused’ but it search also in 
>> 20_freemail_mailcom_domains.cf
>
> You need to understand how the Freemail plugin works.
> The domain lists can be spread across multiple files.
> In this case 20_freemail_mailcom_domains.cf groups domains from the same 
> source, making it easier to read/maintain.
>
> If the domains have the same label prefix they will be used for the same 
> rules.
>
> The FREEMAIL_FROM rule could "apply" domain lists from dozens of files
>
>
>> Another thing, the date of files is # Updated 2014-09-17-axb
>
> What is the problem with that?
>
>
>>
>> Nicola Piazzi
>> CED - Sistemi
>> COMET s.p.a.
>> Via Michelino, 105 - 40127 Bologna – Italia Tel.  +39 051.6079.293 
>> Cell. +39 328.21.73.470
>> Web: www.gruppocomet.it
>>
>> From: Jason Haar [mailto:jason_h...@trimble.com]
>> Sent: Thursday 18 August 2016 09:50
>> To: Nicola Piazzi 
>> Cc: users@spamassassin.apache.org
>> Subject: Re: A domain category that all need
>>
>> Check out 20_freemail_domains.cf that is part 
>> of SpamAssassin. It contains all the known "freemail" services, so you could 
>> work on the assumption that if it's not one of these, it's "private"
>>
>>
>> --
>> Cheers
>>
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +1 408 481 8171
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>
>
>




R: R: A domain category that all need

2016-08-18 Thread Nicola Piazzi
1)
>> Another thing, the date of files is # Updated 2014-09-17-axb
> What is the problem with that?
The problem is that now we are in 2016

2)
FREEMAIL_FROM rule have description “Sender email is commonly abused enduser 
mail provider”
Is this the rule to use if I want to know if MAIL FROM is from any kind of 
freemail provider ?
If so, the description must be changed to “Sender email is enduser mail provider”



Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna – Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it



-Original Message-
From: Axb [mailto:axb.li...@gmail.com] 
Sent: Thursday 18 August 2016 10:16
To: users@spamassassin.apache.org
Subject: Re: R: A domain category that all need

On 08/18/2016 10:04 AM, Nicola Piazzi wrote:
> This is a good idea, but there are 2 files:
> 20_freemail_mailcom_domains.cf
> 20_freemail_domains.cf
> The first is commonly abused only.
> The FREEMAIL_FROM rule searches in both but has a strange description: “Sender 
> email is commonly abused enduser mail provider”
> It says ‘commonly abused’ but it searches also in 
> 20_freemail_mailcom_domains.cf

You need to understand how the Freemail plugin works.
The domain lists can be spread across multiple files.
In this case 20_freemail_mailcom_domains.cf groups domains from the same source, 
making it easier to read/maintain.

If the domains have the same label prefix they will be used for the same rules.

The FREEMAIL_FROM rule could "apply" domain lists from dozens of files


> Another thing, the date of files is # Updated 2014-09-17-axb

What is the problem with that?


>
> Nicola Piazzi
> CED - Sistemi
> COMET s.p.a.
> Via Michelino, 105 - 40127 Bologna – Italia Tel.  +39 051.6079.293 
> Cell. +39 328.21.73.470
> Web: www.gruppocomet.it
>
> From: Jason Haar [mailto:jason_h...@trimble.com]
> Sent: Thursday 18 August 2016 09:50
> To: Nicola Piazzi 
> Cc: users@spamassassin.apache.org
> Subject: Re: A domain category that all need
>
> Check out 20_freemail_domains.cf that is part 
> of SpamAssassin. It contains all the known "freemail" services, so you could 
> work on the assumption that if it's not one of these, it's "private"
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>




R: A domain category that all need

2016-08-18 Thread Nicola Piazzi
This is a good idea, but there are 2 files:
20_freemail_mailcom_domains.cf
20_freemail_domains.cf
The first is commonly abused only.
The FREEMAIL_FROM rule searches in both but has a strange description: “Sender email 
is commonly abused enduser mail provider”
It says ‘commonly abused’ but it searches also in 20_freemail_mailcom_domains.cf

Another thing, the date of files is # Updated 2014-09-17-axb


Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna – Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

From: Jason Haar [mailto:jason_h...@trimble.com]
Sent: Thursday 18 August 2016 09:50
To: Nicola Piazzi 
Cc: users@spamassassin.apache.org
Subject: Re: A domain category that all need

Check out 20_freemail_domains.cf that is part of 
SpamAssassin. It contains all the known "freemail" services, so you could work 
on the assumption that if it's not one of these, it's "private"


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


A domain category that all need

2016-08-18 Thread Nicola Piazzi
A DNS service (URIBL) that tells whether a domain is public or private could be 
very useful.
If it is private I can whitelist the entire domain instead of address by address 
when I receive a ham from one.
For example:
I cannot WL gmail.com if I receive a ham from j...@gmail.com
But I can WL cocacola.com if I receive ham from s...@cocacola.com because only 
cocacola.com users can use the cocacola.com domain.
Do you know something about it?

 



new powerful plugin

2016-08-16 Thread Nicola Piazzi
It is difficult to write a doc of what this plugin that I wrote does
But here is the ow.cf file, so you can see what this plugin does
It can be used ONLY when the box is the same for sending and receiving emails
What do you think about it? Does someone want to try it?


# oUTwHITELIST (ow)
# Is a SpamAssassin Plugin that build a database WhiteList using data from 
# email that your internal users send out.
# So ow works ONLY if the machine running SpamAssassin is used both to send
# and to receive email.
# When an internal user sends a mail, ow does two things:
#   1. It saves the outgoing Message-ID into a dedicated table.
#   2. It saves the destination email address into a dedicated table.
# When receiving external messages it checks whether they reference one of
# those Message-IDs, and it also checks whether the sender address is one that
# replied to us or that we sent to.

loadplugin  Mail::SpamAssassin::Plugin::ow ow.pm

use_ow                        1
ow_message_id_string          Message-ID
ow_message_id_must_contain    @
ow_message_id_server_prefix   10.1.
ow_recipient_server_prefix    10.1.
ow_inreplyto_string           In-Reply-To
ow_references_string          References
# The database credentials are stored in clear text: keep this file readable
# only by the user SpamAssassin runs as.
ow_sql_dsn                    DBI:mysql:mailscanner:localhost
ow_sql_username               sa_user
ow_sql_password               BxaDfefrfrr4frf4f4fNNE


# (1)
# Email verification methods, to be combined with __OW_T_REF_EMAIL and
# __OW_T_SENT_EMAIL. If the mxpf plugin is used it is considered as well.
meta      __OW_PASS          ( DKIM_VALID || SPF_PASS || MXPF_PASS )

# (2)
# This rule hits when an incoming message carries in its headers a valid
# Message-ID that we sent out in the past. We can be sure that this message is
# a reply to our message, so it is impossible that it is spam, and we can give
# it a big bonus in its score.
describe  OW_REF_THIS        Message references a valid Message-ID
header    OW_REF_THIS        eval:ow_ref_this()
score     OW_REF_THIS        -1.80

# (3)
# This rule hits when an incoming message has an email address and an IP C class
# that match a record in the table containing all messages that hit a
# Message-ID in the past. Even if it is not an immediate reply to one of our
# messages, we are sure that it comes from a user we usually send messages to.
# This is a test only: the score must be assigned to OW_REF_FULL (6).
header    __OW_T_REF_FULL    eval:ow_ref_full()

# (4)
# This rule hits when an incoming message has only the email address
# (unverified) matching a record in the table containing all messages that hit
# a Message-ID in the past. Even if it is not an immediate reply to one of our
# messages, we are sure that it comes from a user we usually send messages to,
# but only if it also matches a verification method (__OW_PASS).
# This is a test only: the score must be assigned to OW_REF_EMAIL (7).
header    __OW_T_REF_EMAIL   eval:ow_ref_email()

# (5)
# This rule hits when an incoming message has only the email address
# (unverified) matching a record in the table containing all recipients that
# our internal users sent to. It is reasonable that if one of us sent something
# out, the receivers can reply to it. If it matches it must be verified with a
# verification method (__OW_PASS).
# This is a test only: the score must be assigned to OW_SENT_EMAIL (8).
header    __OW_T_SENT_EMAIL  eval:ow_sent_email()

# (6)
# This rule hits when __OW_T_REF_FULL (3) matches and no higher rule matched.
meta      OW_REF_FULL        ( __OW_T_REF_FULL && ! OW_REF_THIS )
describe  OW_REF_FULL        Message (sender + IP C class) hit a reference in the past
score     OW_REF_FULL        -1.60

# (7)
# This rule hits when __OW_T_REF_EMAIL (4) matches, __OW_PASS also matches and
# no higher rule matched.
meta      OW_REF_EMAIL       ( __OW_T_REF_EMAIL && ! __OW_T_REF_FULL && ! OW_REF_THIS && __OW_PASS )
describe  OW_REF_EMAIL       Message hit a reference in the past, verified
score     OW_REF_EMAIL       -1.40

# (8)
# This rule hits when __OW_T_SENT_EMAIL (5) matches, __OW_PASS also matches and
# no higher rule matched.
meta      OW_SENT_EMAIL      ( __OW_T_SENT_EMAIL && ! __OW_T_REF_EMAIL && ! __OW_T_REF_FULL && ! OW_REF_THIS && __OW_PASS )
describe  OW_SENT_EMAIL      Message with address we sent to in the past, verified
score     OW_SENT_EMAIL      -1.10
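Added example, not code from the ow plugin (which is Perl) and not the author's: a Python model of what the four ow tests see and how the meta rules above pick exactly one OW_* rule for a message. The two SQL tables are replaced by in-memory sets, the relay's "C class" by a /24, and __OW_PASS by a boolean passed in; ow_message_id_server_prefix and ow_recipient_server_prefix are not modelled. All addresses, IPs and Message-IDs are constructed.

```python
import ipaddress
import re
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# ow_message_id_must_contain @ : only IDs of the form <local@host> are honoured
MSGID_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def build(headers):
    """Constructed sample message from a dict of headers (no body needed)."""
    msg = EmailMessage()
    for name, value in headers.items():
        msg[name] = value
    return msg


class OutboundLedger:
    """Stand-in for the plugin's SQL tables (assumed model, not the real schema)."""

    def __init__(self):
        self.sent_ids = set()   # Message-IDs of mail our internal users sent out
        self.sent_to = set()    # addresses our internal users sent mail to
        self.replied = {}       # sender address -> set of /24s that hit one of our IDs

    def record_outbound(self, msg):
        """What ow stores when an internal user sends a mail: ID and recipients."""
        m = MSGID_RE.search(msg.get("Message-ID", ""))
        if m:
            self.sent_ids.add(m.group(1).lower())
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
            if addr:
                self.sent_to.add(addr.lower())

    def classify(self, msg, relay_ip, verified):
        """Return (rule, score) the way meta rules (2), (6), (7), (8) would:
        the most specific test wins and at most one OW_* rule fires.
        `verified` plays the role of __OW_PASS (DKIM_VALID || SPF_PASS || MXPF_PASS)."""
        sender = parseaddr(msg.get("From", ""))[1].lower()
        net = ipaddress.ip_network(f"{relay_ip}/24", strict=False)   # the "C class"
        refs = " ".join(msg.get_all("In-Reply-To", []) + msg.get_all("References", []))
        referenced = {mid.lower() for mid in MSGID_RE.findall(refs)}

        t_ref_this = bool(referenced & self.sent_ids)          # ow_ref_this()
        t_ref_full = net in self.replied.get(sender, set())    # ow_ref_full()
        t_ref_email = sender in self.replied                   # ow_ref_email()
        t_sent_email = sender in self.sent_to                  # ow_sent_email()

        if t_ref_this:
            # a hit is what fills the "messages that hit a Message-ID" table
            self.replied.setdefault(sender, set()).add(net)
            return "OW_REF_THIS", -1.80
        if t_ref_full:
            return "OW_REF_FULL", -1.60
        if t_ref_email and verified:
            return "OW_REF_EMAIL", -1.40
        if t_sent_email and not t_ref_email and verified:
            return "OW_SENT_EMAIL", -1.10
        return None, 0.0


def demo():
    """Walk the ledger through constructed traffic; returns {case: (rule, score)}."""
    ledger = OutboundLedger()
    our_id = "<20170105.1234@mail.example.com>"   # constructed outbound Message-ID
    ledger.record_outbound(build({
        "From": "alice@example.com",
        "To": "Bob <bob@partner.example>",
        "Cc": "carol@partner.example",
        "Message-ID": our_id,
    }))
    bob = {"From": "bob@partner.example"}
    return {
        # (2) a genuine reply quoting our Message-ID, not even authenticated
        "reply": ledger.classify(build({**bob, "In-Reply-To": our_id}), "203.0.113.10", False),
        # (6) later unrelated mail from bob, same /24 the reply came from
        "same_net": ledger.classify(build(bob), "203.0.113.77", False),
        # (7) bob from another network: only with __OW_PASS
        "other_net_verified": ledger.classify(build(bob), "198.51.100.5", True),
        "other_net_unverified": ledger.classify(build(bob), "198.51.100.5", False),
        # (8) carol was only a recipient of ours and never replied
        "recipient_verified": ledger.classify(build({"From": "carol@partner.example"}), "198.51.100.5", True),
        # caveat: whoever has seen our Message-ID (forward, quoted thread) gets the top bonus
        "forwarded_id": ledger.classify(build({"From": "mallory@evil.example",
                                               "References": "<x@y.example> " + our_id}), "192.0.2.9", False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The last case is the check worth keeping in mind before raising these scores: a Message-ID is not a secret. Anyone our message was forwarded to, or who lifts the ID from a quoted thread, gets the strongest OW_REF_THIS bonus regardless of the From address, and that hit also seeds the reply table with their address and network, so OW_REF_FULL fires for them next time without any authentication. __OW_PASS only says the domain's owner authorised the sending host, not that the sender is trustworthy. Keep the bonuses small enough that a message with clear spam signs still crosses the threshold.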



 



R: [SOLVED] R: A plugin to legitimate email when SPF and DKIM missing

2016-08-10 Thread Nicola Piazzi
I usually don't use whitelisting much.
I wrote a couple of scripts that can be put in cron.
They read my SQL log, extract the message IDs and create whitelist rules based 
on replies to your message IDs.
They match 55% of incoming clean mail for me at the moment.

Download and read more here
https://forum.efa-project.org/viewtopic.php?f=14&t=1769




Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it



-Original message-
From: li...@rhsoft.net [mailto:li...@rhsoft.net] 
Sent: Wednesday 10 August 2016 12:14
To: users@spamassassin.apache.org
Subject: Re: [SOLVED] R: A plugin to legitimate email when SPF and DKIM missing



Am 10.08.2016 um 12:00 schrieb Nicola Piazzi:
>
> I wrote this simple plugin, mxpf
> This plugin searches the B class of the sender IP address and tries to match 
> the B class of any IP of the MX records of the declared domain. So when it 
> matches it is very difficult for the sender to be a spoofed domain; you can 
> use MXPF_PASS to combine with other rules in addition to SPF_PASS
>
> 1) Unpack mxpf.cf and mxpf.pm under /etc/mail/spamassassin dir
> 2) put your score in mxpf.cf
>
> Download here :
>
> https://forum.efa-project.org/viewtopic.php?f=14&t=1777

that looks really good

one piece missing: something like "whitelist_mx" working the same way as 
"whitelist_auth", to combine it with shortcircuit, to complement whitelisting by 
SPF with that for senders you trust but don't have SPF/DKIM for whitelist_auth

whitelist_mx sen...@domain.tld
whitelist_mx *@domain.tld


[SOLVED] R: A plugin to legitimate email when SPF and DKIM missing

2016-08-10 Thread Nicola Piazzi

I wrote this simple plugin, mxpf
This plugin searches the B class of the sender IP address and tries to match the 
B class of any IP of the MX records of the declared domain.
So when it matches it is very difficult for the sender to be a spoofed domain; 
you can use MXPF_PASS to combine with other rules in addition to SPF_PASS

1) Unpack mxpf.cf and mxpf.pm under the /etc/mail/spamassassin dir
2) put your score in mxpf.cf 

Download here :

https://forum.efa-project.org/viewtopic.php?f=14&t=1777





-Original message-
From: John Hardin [mailto:jhar...@impsec.org] 
Sent: Tuesday 9 August 2016 23:04
To: users@spamassassin.apache.org
Subject: Re: A plugin to legitimate email when SPF and DKIM missing

On Tue, 9 Aug 2016, li...@rhsoft.net wrote:
>
> Am 09.08.2016 um 18:08 schrieb Kevin Golding:
>>  Based on what you're trying to do:
>>
>>  man dig
>
> doesn't help, see below
>
>>  or depending on your resolver possibly:
>>
>>  man drill
>
> doesn't help, see below
>
>>  Whilst I agree it is slightly more effort to set-up whitelisting by  
>> looking up the details first it would still be far more resource  
>> efficient on your servers
>
> that doesn't solve the problem: if the MX changes you need to permanently 
> watch your "whitelist_from_rcvd" rules and maintain them

So script it.

Write a script that reads a list of domain names, does digs to get those 
domains' MX hosts, and writes whitelist_from_rcvd rules for them to a local 
config file. Run that every night as part of your scheduled sa-update script.

-- 
  John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
  jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
   The question of whether people should be allowed to harm themselves
   is simple. They *must*.   -- Charles Murray
---
  6 days until the 71st anniversary of the end of World War II


R: R: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Nicola Piazzi
WHITELIST_FROM_RCVD requires knowing the mail server name

Take this example:
whitelist_from_rcvd *@axkit.org  sergeant.org

We want to accept the whole domain axkit.org, and we are sure that it is not 
spoofed when it comes from names that end with the domain sergeant.org

But if I have only the email address I can't write a line like this, because I 
don't know the mail server domain









-Original message-
From: RW [mailto:rwmailli...@googlemail.com] 
Sent: Tuesday 9 August 2016 17:39
To: users@spamassassin.apache.org
Subject: Re: R: R: A plugin to legitimate email when SPF and DKIM missing

On Tue, 9 Aug 2016 15:19:08 +
Nicola Piazzi top-posted:

> I don't know if you want to find a solution or if you want to say why I 
> am searching for one. The reason is this:
> I have SPF_PASS, a variable that tells me that whoever sends is the owner 
> of that domain. I KNOW PERFECTLY WELL THAT SOMEONE CAN SEND SPAM WITH A 
> PURCHASED, REGULAR, NON-SPOOFED DOMAIN. But I can combine SPF_PASS with a 
> list of email addresses, for example, but not everyone puts SPF in DNS, so 
> with MX I have another chance

I'm confused now because "combine SPF_PASS with a list of email address" sounds 
like whitelisting, which is something you implied you didn't want to do when 
whitelist_from_rcvd was mentioned. 


R: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Nicola Piazzi
I don't know if you want to find a solution or if you want to say why I am 
searching for one.
The reason is this:
I have SPF_PASS, a variable that tells me that whoever sends is the owner of 
that domain.
I KNOW PERFECTLY WELL THAT SOMEONE CAN SEND SPAM WITH A PURCHASED, REGULAR, 
NON-SPOOFED DOMAIN.
But I can combine SPF_PASS with a list of email addresses, for example, but not 
everyone puts SPF in DNS, so with MX I have another chance





-Original message-
From: Merijn van den Kroonenberg [mailto:mer...@web2all.nl] 
Sent: Tuesday 9 August 2016 16:41
To: users@spamassassin.apache.org
Subject: Re: R: A plugin to legitimate email when SPF and DKIM missing

> On Tue, 9 Aug 2016 08:45:54 +
> Nicola Piazzi wrote:
>
>> whitelist_from_rcvd is intended to legitimate a single domain, 
>> specifying domain by domain
>>
>> I need something that checks all incoming email and says 
>> whether the originating IP (or class C) is the same as the MX record
>>
>> This can be intended like an SPF_PASS when people don't set SPF at 
>> all.
>
> I think the reason that he mentioned whitelist_from_rcvd is that the 
> absence of SPF or DKIM doesn't score anything in any of the default 
> scoresets.
>

In fact SPF or DKIM does not tell us anything about spamminess (or hamminess). 
Spammers use SPF and DKIM too. The usefulness of DKIM and SPF is in combination 
with *specific* domains.

So your MX check would also only be useful in combination with *specific* 
domains. And when you are doing specific domains then you could just do 
whitelist_from_rcvd.

So I am not sure what your intention is with this MX check. Would you score 
senders who fail it? Or would you blindly reward (whitelist) servers who match 
the MX subnet?




R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Nicola Piazzi
whitelist_from_rcvd is intended to legitimate a single domain, specifying 
domain by domain

I need something that checks all incoming email and says whether the 
originating IP (or class C) is the same as the MX record

This can be intended like an SPF_PASS when people don't set SPF at all.






-Original message-
From: Kevin Golding [mailto:k...@caomhin.org] 
Sent: Tuesday 9 August 2016 10:28
To: users@spamassassin.apache.org
Subject: Re: A plugin to legitimate email when SPF and DKIM missing

On Tue, 09 Aug 2016 09:10:06 +0100, Nicola Piazzi 
 wrote:

> Hi
> A lot of the time we receive mail that is SPF NONE and has no DKIM. It 
> would be useful to have a little plugin able to give another chance to 
> legitimate these emails. A lot of servers use the same machine to send 
> and receive emails. The plugin must read the sender domain and check if the 
> IP used to send to us is one of the MX records for the domain. This is 
> not intended to exclude other cases, but intended to have a chance to 
> recognize only that it is not a spoofed email. We could think to use not the 
> IP but the C class to get many more hits. For example someone sending from 
> 199.56.23.5 who has the MX record 199.56.23.9 can be legitimate because 
> both come from 199.56.23
>
> Does someone have something like this?

Not quite, but assuming you're looking at using it for whitelisting purposes 
you can use:

whitelist_from_rcvd *@gruppocommet.it gruppocommet.it

That says that any mail sent with a @gruppocommet.it address that is received 
from a host with an rDNS matching gruppocommet.it will be whitelisted.

It's rather effective and efficient.  
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options
may tell you more.


A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Nicola Piazzi
Hi
A lot of the time we receive mail that is SPF NONE and has no DKIM.
It would be useful to have a little plugin able to give another chance to 
legitimate these emails.
A lot of servers use the same machine to send and receive emails.
The plugin must read the sender domain and check if the IP used to send to us 
is one of the MX records for the domain.
This is not intended to exclude other cases, but intended to have a chance to 
recognize only that it is not a spoofed email.
We could think to use not the IP but the C class to get many more hits.
For example someone sending from 199.56.23.5 who has the MX record 199.56.23.9 
can be legitimate because both come from 199.56.23

Does someone have something like this?

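Added example, not the mxpf plugin's code and not the author's scripts: a Python version of the two ideas in this thread, the MX-subnet test proposed in the first message and released as mxpf further up, and the nightly job John Hardin suggests that derives whitelist_from_rcvd lines from a domain's current MX hosts. DNS is replaced by a constructed table so the example runs offline; the domain names and every IP except the page's own 199.56.23.x example are constructed.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline: MX hostnames per
# domain and A records per host. A real job would resolve these (dig, or a
# DNS library) instead of reading this table.
MX_RECORDS = {
    "partner.example": ["mx1.partner.example", "mx2.partner.example"],
    "hosted.example": ["mail.bighoster.example"],   # mail outsourced to a shared hoster
    "nomx.example": [],                               # domain without MX records
}
A_RECORDS = {
    "mx1.partner.example": ["199.56.23.9"],           # the page's example MX address
    "mx2.partner.example": ["199.56.24.9"],
    "mail.bighoster.example": ["198.51.100.25"],
}


def mx_addresses(domain):
    """IPv4 addresses behind every MX host of `domain` (empty if it has none)."""
    return [ipaddress.ip_address(ip)
            for host in MX_RECORDS.get(domain, [])
            for ip in A_RECORDS.get(host, [])]


def mxpf_check(sender_domain, relay_ip, prefixlen=24):
    """The mxpf idea: True when the connecting relay shares a /prefixlen with
    any MX address of the sender's domain. prefixlen=24 is the "C class" of the
    first post, 16 the "B class" of the released plugin. No MX means no pass."""
    relay_net = ipaddress.ip_network(f"{relay_ip}/{prefixlen}", strict=False)
    return any(ip in relay_net for ip in mx_addresses(sender_domain))


def parent_domain(hostname):
    """mx1.partner.example -> partner.example: the rDNS suffix a
    whitelist_from_rcvd rule is matched against."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else hostname


def whitelist_from_rcvd_rules(domains):
    """The nightly job suggested in the thread: one whitelist_from_rcvd line per
    trusted domain, derived from its current MX hosts so MX changes are picked
    up automatically. Domains without MX get no rule rather than a wrong one."""
    lines = []
    for domain in domains:
        for rdns in sorted({parent_domain(h) for h in MX_RECORDS.get(domain, [])}):
            lines.append(f"whitelist_from_rcvd *@{domain} {rdns}")
    return lines


def demo():
    """Run both checks over the constructed table; returns {case: result}."""
    return {
        "page_example_slash24": mxpf_check("partner.example", "199.56.23.5", 24),
        "other_net_slash24": mxpf_check("partner.example", "199.56.200.1", 24),
        "other_net_slash16": mxpf_check("partner.example", "199.56.200.1", 16),
        "no_mx": mxpf_check("nomx.example", "199.56.23.5", 16),
        # another customer of the same hoster sends from the MX's /24: passes
        "hoster_neighbour": mxpf_check("hosted.example", "198.51.100.200", 24),
        "rules": whitelist_from_rcvd_rules(["partner.example", "hosted.example", "nomx.example"]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The hoster_neighbour case and the generated rule for hosted.example show the same weakness from two sides: when a domain's MX is a shared provider, matching the MX subnet, or the MX host's rDNS domain, accepts every other customer of that provider. Both checks only establish that the mail came through infrastructure associated with the domain, which is weaker than an SPF or DKIM pass, so they belong in a small negative score combined with other signals, not in a shortcircuit whitelist. Note also that whitelist_from_rcvd is matched against the rDNS of the last untrusted relay, the host that sent to us, while MX names the host that receives for the domain; a domain whose outbound relays live elsewhere will not match its generated rule at all. Keep the input domain list hand-curated and review the generated file before it is loaded.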