custom URIDNSBL rules
Hi SA Users,

I have a question for anyone who may have added their own custom URIDNSBL lookups.

I have set up RBLDNSD (successfully as far as I can see) to support both IPs and URIs. A command line DNS call returns the expected results, but SA 3.0.0 and URIDNSBL do not 'see' that the queried URI A record is being returned from my local RBLDNSD zone.

Is there anything that I am missing that would help SA and URIDNSBL to pick up on the fact that my local RBLDNSD zone has that URI listed?

I've added the custom rule to run a URIDNSBL check on my local RBLDNSD server:

    # custom URIBL
    urirhssub URIBL_HOMES auth2.homes.com. A 2
    header    URIBL_HOMES eval:check_uridnsbl('URIBL_HOMES')
    describe  URIBL_HOMES Contains an URL in the Homes.com URI blocklist
    tflags    URIBL_HOMES net
    score     URIBL_HOMES 1 1 1 1

I can see that SA is calling my local RBLDNSD server at "auth2.homes.com" from SA's DEBUG output:

    debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x898ffe4) implements 'check_tick'
    debug: URIDNSBL: query for broadcastemail.us took 1 seconds to look up (auth2.homes.com.:broadcastemail.us)"
    debug: URIDNSBL: domain "broadcastemail.us" listed (URIBL_AB_SURBL): 127.0.0.102
    debug: URIDNSBL: domain "broadcastemail.us" listed (URIBL_SC_SURBL): 127.0.0.102
    debug: URIDNSBL: domain "broadcastemail.us" listed (URIBL_WS_SURBL): 127.0.0.102
    debug: URIDNSBL: query for broadcastemail.us took 1 seconds to look up (multi.surbl.org.:broadcastemail.us)
    debug: URIDNSBL: queries completed: 3 started: 2
    debug: URIDNSBL: queries active: at Tue Feb 8 14:49:15 2005

I have the URI "broadcastemail.us" entered into the RBLDNSD zone.

On the command line, the command "dig @auth2.homes.com broadcastemail.us.auth2.homes.com A" returns the expected A record:

    ; <<>> DiG 9.2.1 <<>> @auth2.homes.com broadcastemail.us.auth2.homes.com A
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13923
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;broadcastemail.us.auth2.homes.com. IN A

    ;; ANSWER SECTION:
    broadcastemail.us.auth2.homes.com. 2100 IN A 127.0.0.2

    ;; Query time: 0 msec
    ;; SERVER: 199.44.153.104#53(auth2.homes.com)
    ;; WHEN: Tue Feb 8 14:44:43 2005
    ;; MSG SIZE rcvd: 67

Thanks in advance,
Shane Metler

Cyrillic chars in rule regex ?
Hi there,

Has anyone constructed Spam Assassin rules that can match Cyrillic characters?

I know this is more of a RegEx question, but I have been very unsuccessful at finding out how to match Cyrillic characters in Spam Assassin rules. Can anyone offer a little advice or point me to the appropriate method? These Russian spams are the only group I've been unable to stop.

Thanks in advance,
Shane

RE: Cyrillic chars in rule regex ?
Thanks, I had tried that, but that RegEx class is not supported in PERL 5.6.1 (at least not in my install).

I'm really looking for a way to match specific phrases anyways. Like

    Ìåáåëüíûé ôóðãîí. Îöèíêîâàííàÿ áóäêà

(as it is displayed in my browser)

The two basic RegEx's I've composed to match a string like this fail (even if I try a short phrase, ôóðãîí).

    /ôóðãîí/

or

    /\ô\ó\ð\ã\î\í/

I'm guessing that is because my RegEx is looking for those specific chars, but the chars in the email itself are not o's and a's with accents, they are full Cyrillic chars. I suppose I'm seeing the ASCII equivalent of the Cyrillic chars? Maybe mapping the displayed chars to ASCII, then RegEx the ASCII hex?

I'm just not so sure how the email charset is interpreted by the SA regex. I know what I'm seeing, or how my computer is trying to display a charset it can't show correctly ... I'm just unsure of what kind of conversion steps I may need to match these specific phrases?

Thanks again,
Shane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 04, 2004 4:52 PM
To: users@spamassassin.apache.org
Subject: RE: Cyrillic chars in rule regex ?

Shane Metler wrote:
> I know this is more of a RegEx question, but I have been very unsuccessful at finding out how to match Cyrillic characters in Spam Assassin rules.

\p{Cyrillic} comes to mind. Not sure what version of Perl is required. Untested:

    body  CONTAINS_CYRILLIC_CHARACTERS /\p{Cyrillic}/
    score CONTAINS_CYRILLIC_CHARACTERS 0.1

[EMAIL PROTECTED] 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,

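An added example, not part of the original thread: the characters quoted in the message above are Windows-1251 bytes displayed as Latin-1, so a rule can target the underlying bytes with hex escapes instead of the accented letters. It assumes the rule is matched against the message bytes without charset conversion; the rule name `LOCAL_CYR_FURGON` and the helper functions are hypothetical.

```python
import re

def recover_text(mojibake, charset="cp1251"):
    """Undo a Latin-1 rendering of bytes that were really in `charset`."""
    return mojibake.encode("latin-1").decode(charset)

def byte_pattern(phrase, charset):
    """Regex body matching `phrase` as raw `charset` bytes, in either letter case.

    Only hex escapes are emitted, so the rule file stays pure ASCII and the
    match needs no locale or Unicode support from the regex engine.
    """
    out = []
    for ch in phrase:
        # Single-byte charsets: one byte per character, upper and lower differ.
        codes = sorted({c.encode(charset)[0] for c in (ch.lower(), ch.upper())})
        esc = "".join("\\x%02x" % b for b in codes)
        out.append(esc if len(codes) == 1 else "[" + esc + "]")
    return "".join(out)

def sa_rule(name, phrase, charsets=("cp1251", "koi8_r")):
    """One `body` rule line covering the phrase in each listed charset."""
    alts = "|".join(byte_pattern(phrase, cs) for cs in charsets)
    return "body %s /(?:%s)/" % (name, alts)

SEEN = "ôóðãîí"                           # the word as the browser displayed it
WORD = recover_text(SEEN)                 # the Cyrillic word behind those bytes
RULE = sa_rule("LOCAL_CYR_FURGON", WORD)  # hypothetical rule name

if __name__ == "__main__":
    print(WORD)
    print(RULE)
```

The same phrase encoded as KOI8-R uses different bytes, which is why the generated rule carries one alternative per charset.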
Output 'body' and 'rawbody' text in the Debug data for SA 3.0.0
Hi there,

I have been trying to find a debug option to output the 'body' and 'rawbody' text used when SpamAssassin does its RegEx tests. There was a clever RegEx rule that worked in SA 2.6.X:

    body PRINTBODY /(^.*$)(?{ print "Body: $1\n" })/is

But this kind of rule is not supported in SA 3.0.0 ?

I see there are new debug levels in SA 3.0.0, and areas you can specify that the Debug output will report. The documentation is not great on this, and after trying different options to pass to the spamassassin, I haven't seen the debug output change yet.

Does anyone know how to output the 'body' and 'rawbody' text in the Debug output for SA 3.0.0 ?

Thanks in advance,
Shane Metler

RE: Output 'body' and 'rawbody' text in the Debug data for SA 3.0.0
Answering my own question ...

Well I was able to find a BUG report that (at present) says 'body' and 'rawbody' debug output has been removed from 3.0.0. This was bad news ... I really like to see exactly what SA sees. So I had to add a little code to the package Mail::SpamAssassin::PerMsgStatus, in order to output what I needed.

Since I imagine other non-Perl people may want the same DEBUG functionality now and not later, I figured I should share my ad hoc fix. The code I added to PerMsgStatus.pm is below. You can insert this DEBUG output in the PerMsgStatus.pm file (SA version 3.0.0) at line 167.

    ##
    # added by SKM - Adds Body, Rawbody, and URI text to DEBUG output
    # Each entry is copied before its trailing newline is trimmed: chop() on the
    # loop's aliased $_ would shorten the real array entries the rules run on.
    my ($debug_rawbody, $debug_body, $debug_uris);

    $debug_uris = "\n\nBEGIN URI DEBUG TEXT\n\n";
    for (@uris) { (my $line = $_) =~ s/\n\z//; $debug_uris .= $line . "\n"; }
    dbg("$debug_uris \nEND URIS DEBUG TEXT\n");

    $debug_rawbody = "\n\nBEGIN RAWBODY DEBUG TEXT\n\n";
    for (@$bodytext) { (my $line = $_) =~ s/\n\z//; $debug_rawbody .= $line . "\n"; }
    dbg("$debug_rawbody \nEND RAWBODY DEBUG TEXT\n");

    $debug_body = "\n\nBEGIN BODY DEBUG TEXT\n\n";
    for (@$decoded) { (my $line = $_) =~ s/\n\z//; $debug_body .= $line . "\n"; }
    dbg("$debug_body \nEND BODY DEBUG TEXT\n");

rule idea for catching 'zombie spam relays' and question of my logic
I found this type of rule to be very helpful in catching 'zombie spam relay' emails from specific 'problem' networks.

The problem I faced with an all inclusive ban on these networks was that our customers connect to our SMTP servers from all around the world. Banning Dynamic, DSL, Cable, or Dialup connections at the SMTP level was not an option, because that would prevent our customers from establishing a valid SMTP connection to us.

Luckily, our Spam Assassin configuration is set up to bypass Spam Assassin processing when a customer has authenticated themselves for the SMTP connection. So 'local to local' and 'local to remote' deliveries are not scanned, and are not affected by these rules. I can safely assume any mail running through Spam Assassin is from a remote sender intended for a local customer.

When Spam Assassin receives an email (at least under my setup), the first line of that email is always the Received line added by our SMTP server. With this in mind, I created a number of rules like this, which are based on the dynamic / cable / dialup / DSL host names of large ISPs:

    describe SKM_SPAM_HOST_3  Received via Insecure Networks - *.user.veloxzone.com.br
    full     SKM_SPAM_HOST_3  /^[^\n]+\.user\.veloxzone\.com\.br\b/i
    score    SKM_SPAM_HOST_3  0.1

    describe SKM_SPAM_HOST_25 Received via Insecure Networks - *.pool*.interbusiness.it
    full     SKM_SPAM_HOST_25 /^[^\n]+\.pool\d+\.interbusiness\.it\b/i
    score    SKM_SPAM_HOST_25 0.1

This rule will match hosts like 123-123-123-123.pool54321.interbusiness.it in the first line of the email (which is our SMTP Received line).

In my logic, there is no valid reason that a remote sender would connect directly to our SMTP server from their dynamic/DSL/cable IP to send our customers an email ... I think ? Valid 'remote to local' emails being sent from these DSL/cable/dialup IPs would normally be relayed via their own network's SMTP server, which would then be delivered to us by a host that didn't match the dynamic/DSL/cable custom rule. Right? It would either be a 'zombie spam relay', or someone who set up an SMTP server on a dynamic IP (which just isn't what valid businesses do ... )?

So far I have had 100% spam, 0% ham marked by these rules. Does anyone see any error in this logic? I would like to begin automatically deleting emails that match these rules, but I am curious if there are obscure cases where a non-authenticated SMTP connection (remote to local), delivering a valid email, would be connecting from these dynamic/DSL/cable IPs?

Thanks in advance,
Shane

P.S. If there isn't some sort of error in this logic, I will be happy to post the full set of rules which match the 20-30 major 'zombie relay' networks that we receive Spam from.
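An added example, not part of the original post: the two patterns from the message above run over constructed messages, to show which part of a message they actually look at before they are used for automatic deletion. The Received-line layouts and the host `mx.example.net` are assumptions; real layouts depend on the receiving MTA.

```python
import re

# The two patterns from the post, unchanged. Python's ^ without re.M, like
# Perl's without /m, anchors only at the very start of the text, and [^\n]+
# cannot leave the first physical line.
RULES = {
    "SKM_SPAM_HOST_3": re.compile(r"^[^\n]+\.user\.veloxzone\.com\.br\b", re.I),
    "SKM_SPAM_HOST_25": re.compile(r"^[^\n]+\.pool\d+\.interbusiness\.it\b", re.I),
}

def hits(raw_message):
    """Names of the rules that fire on the full raw message text."""
    return sorted(name for name, rx in RULES.items() if rx.search(raw_message))

TAIL = "\n\tby mx.example.net with SMTP; 8 Feb 2005 14:49:15 -0500\n"
BODY = "Subject: constructed sample\n\ntext\n"

# Constructed: dynamic host connects directly to the receiving server.
DIRECT = ("Received: from 123-123-123-123.pool54321.interbusiness.it (192.0.2.10)"
          + TAIL + BODY)

# Constructed: same host, but relayed through its ISP's mail server first.
RELAYED = ("Received: from smtp.isp.example (192.0.2.25)" + TAIL
           + "Received: from 123-123-123-123.pool54321.interbusiness.it\n"
           + "\tby smtp.isp.example with ESMTP\n" + BODY)

# Constructed: the name appears only in the client-supplied HELO string.
HELO_ONLY = ("Received: from unknown (HELO box.user.veloxzone.com.br) (192.0.2.7)"
             + TAIL + BODY)

# Constructed: header folded so the host name sits on a continuation line.
FOLDED = ("Received:\n\tfrom box.user.veloxzone.com.br (192.0.2.7)" + TAIL + BODY)

if __name__ == "__main__":
    for label, msg in [("direct", DIRECT), ("relayed", RELAYED),
                       ("helo only", HELO_ONLY), ("folded", FOLDED)]:
        print(label, hits(msg))
```

The patterns match anywhere on the first physical line, so a HELO string alone triggers them, while a Received header whose host name is folded onto a continuation line is missed.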