custom URIDNSBL rules

2005-02-08 Thread Shane Metler



Hi SA Users,

I have a question for anyone who may have added their own custom URIDNSBL lookups.

I have set up RBLDNSD (successfully as far as I can see) to support both IPs and URIs.

A command line DNS call returns the expected results, but SA 3.0.0 and URIDNSBL do not 'see' that the queried URI A record is being returned from my local RBLDNSD zone. Is there anything that I am missing that would help SA and URIDNSBL to pick up on the fact that my local RBLDNSD zone has that URI listed?

I've added the custom rule to run a URIDNSBL check on my local RBLDNSD server:

# custom URIBL
urirhssub URIBL_HOMES auth2.homes.com. A 2
header    URIBL_HOMES eval:check_uridnsbl('URIBL_HOMES')
describe  URIBL_HOMES Contains an URL in the Homes.com URI blocklist
tflags    URIBL_HOMES net
score     URIBL_HOMES 1 1 1 1

I can see that SA is calling my local RBLDNSD server at "auth2.homes.com" from SA's DEBUG output:

debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x898ffe4) implements 'check_tick'
debug: URIDNSBL: query for broadcastemail.us took 1 seconds to look up (auth2.homes.com.:broadcastemail.us)"
debug: URIDNSBL: domain "broadcastemail.us" listed (URIBL_AB_SURBL): 127.0.0.102
debug: URIDNSBL: domain "broadcastemail.us" listed (URIBL_SC_SURBL): 127.0.0.102
debug: URIDNSBL: domain "broadcastemail.us" listed (URIBL_WS_SURBL): 127.0.0.102
debug: URIDNSBL: query for broadcastemail.us took 1 seconds to look up (multi.surbl.org.:broadcastemail.us)
debug: URIDNSBL: queries completed: 3 started: 2
debug: URIDNSBL: queries active: at Tue Feb 8 14:49:15 2005


I have the URI "broadcastemail.us" entered into the RBLDNSD zone. On the command line, the command: " dig @auth2.homes.com broadcastemail.us.auth2.homes.com A ", returns the expected A record:

; <<>> DiG 9.2.1 <<>> @auth2.homes.com broadcastemail.us.auth2.homes.com A
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13923
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;broadcastemail.us.auth2.homes.com. IN A

;; ANSWER SECTION:
broadcastemail.us.auth2.homes.com. 2100 IN A 127.0.0.2

;; Query time: 0 msec
;; SERVER: 199.44.153.104#53(auth2.homes.com)
;; WHEN: Tue Feb 8 14:44:43 2005
;; MSG SIZE rcvd: 67

Thanks in advance,
Shane Metler


Cyrillic chars in rule regex ?

2004-10-04 Thread Shane Metler



Hi there,

Has anyone constructed Spam Assassin rules that can match Cyrillic characters?

I know this is more of a RegEx question, but I have been very unsuccessful at finding out how to match Cyrillic characters in Spam Assassin rules.

Can anyone offer a little advice or point me to the appropriate method? These Russian spams are the only group I've been unable to stop.

Thanks in advance,
Shane


RE: Cyrillic chars in rule regex ?

2004-10-04 Thread Shane Metler






Thanks,

I had tried that, but that RegEx class is not supported in PERL 5.6.1 (at least not in my install).

I'm really looking for a way to match specific phrases anyways. Like Ìåáåëüíûé ôóðãîí. Îöèíêîâàííàÿ áóäêà (as it is displayed in my browser)

The two basic RegEx's I've composed to match a string like this fail (even if I try a short phrase, ôóðãîí).

/ôóðãîí/ or /\ô\ó\ð\ã\î\í/

I'm guessing that is because my RegEx is looking for those specific chars, but the chars in the email itself are not o's and a's with accents, they are full Cyrillic chars. I suppose I'm seeing the ASCII equivalent of the Cyrillic chars?

Maybe mapping the displayed chars to ASCII, then RegEx the ASCII hex? I'm just not so sure how the email charset is interpreted by the SA regex.

I know what I'm seeing, or how my computer is trying to display a charset it can't show correctly ... I'm just unsure of what kind of conversion steps I may need to match these specific phrases?

Thanks again,

Shane






-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 04, 2004 4:52 PM
To: users@spamassassin.apache.org
Subject: RE: Cyrillic chars in rule regex ?

Shane Metler wrote:
 I know this is more of a RegEx question, but I have been very
 unsuccessful at finding out how to match Cyrillic characters in Spam
 Assassin rules.

\p{Cyrillic} comes to mind. Not sure what version of Perl is required.

Untested:

body CONTAINS_CYRILLIC_CHARACTERS /\p{Cyrillic}/
score CONTAINS_CYRILLIC_CHARACTERS 0.1

[EMAIL PROTECTED] 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer

perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
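
Added example, not part of the original posts: the word shown above as "ôóðãîí" is the windows-1251 byte sequence for a Cyrillic word rendered as Latin-1, so a phrase rule can be written against the raw bytes with \xNN escapes, one alternative per charset. The rule name LOCAL_CYRILLIC_PHRASE is hypothetical, and the sketch assumes the body reaches the rule as undecoded bytes in the sender's charset.

```python
import re

# The word exactly as the post displays it: Cyrillic bytes rendered as Latin-1.
DISPLAYED = "ôóðãîí"

# Charsets commonly used for Russian mail; the same word has different bytes in each.
CHARSETS = ("windows-1251", "koi8-r", "utf-8")


def recover_cyrillic(displayed, real_charset="windows-1251"):
    """Undo the mis-rendering: take the Latin-1 bytes back and decode them properly."""
    return displayed.encode("latin-1").decode(real_charset)


def byte_regex(phrase, charset):
    """Spell the phrase's raw bytes in one charset as a regex of \\xNN escapes."""
    out = []
    for b in phrase.encode(charset):
        # ASCII letters and digits stay literal; every other byte is escaped.
        out.append(chr(b) if b < 0x80 and chr(b).isalnum() else "\\x%02x" % b)
    return "".join(out)


def sa_body_rule(name, phrase, charsets=CHARSETS):
    """Build one SpamAssassin 'body' rule matching the phrase in any listed charset.

    Byte matching is case-sensitive for Cyrillic: /i only folds ASCII letters.
    """
    alternatives = "|".join(byte_regex(phrase, cs) for cs in charsets)
    return "body %s /(?:%s)/" % (name, alternatives)


def rule_matches(rule, raw_body):
    """Run the rule's regex over raw message bytes, as a byte-wise regex engine would."""
    pattern = rule.split(" ", 2)[2].strip("/")
    return re.search(pattern.encode("ascii"), raw_body) is not None


if __name__ == "__main__":
    word = recover_cyrillic(DISPLAYED)
    rule = sa_body_rule("LOCAL_CYRILLIC_PHRASE", word)  # hypothetical rule name
    print(word)
    print(rule)
    # Constructed sample body, encoded the way a KOI8-R message would carry it.
    print(rule_matches(rule, ("Мебельный " + word).encode("koi8-r")))
```
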





Output 'body' and 'rawbody' text in the Debug data for SA 3.0.0

2004-09-23 Thread Shane Metler



Hi there,

I have been trying to find a debug option to output the 'body' and 'rawbody' text used when SpamAssassin does its RegEx tests.

There was a clever RegEx rule that worked in SA 2.6.X

body PRINTBODY /(^.*$)(?{ print "Body: $1\n" })/is

But this kind of rule is not supported in SA 3.0.0 ?

I see there are new debug levels in SA 3.0.0, and areas you can specify that the Debug output will report. The documentation is not great on this, and after trying different options to pass to the spamassassin, I haven't seen the debug output change yet.

Does anyone know how to output the 'body' and 'rawbody' text in the Debug output for SA 3.0.0 ?

Thanks in advance,
Shane Metler



RE: Output 'body' and 'rawbody' text in the Debug data for SA 3.0.0

2004-09-23 Thread Shane Metler
Answering my own question ...

Well I was able to find a BUG report that (at present) says 'body' and
'rawbody' debug output has been removed from 3.0.0.

This was bad news ... I really like to see exactly what SA sees. So I
had to add a little code to the package
Mail::SpamAssassin::PerMsgStatus, in order to output what I needed.

Since I imagine other non perl people may want the same DEBUG
functionality now and not later, I figured I should share my ad hoc
fix. The code I added to PerMsgStatus.pm is below.

You can insert this DEBUG output in the PerMsgStatus.pm file (SA version
3.0.0) at line 167.

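##
# added by SKM - Adds Body, Rawbody, and URI text to DEBUG output

my ($debug_rawbody, $debug_body, $debug_uris);

# Each loop works on a copy of the line: the loop variable aliases the array
# element, so chop() on it would alter the text the rules are later run on.

$debug_uris = "\n\nBEGIN URI DEBUG TEXT\n\n";
for my $line (@uris) {
  (my $text = $line) =~ s/\n\z//;   # drop a trailing newline, if any
  $debug_uris .= $text . "\n";
}
dbg($debug_uris . "\nEND URIS DEBUG TEXT\n");

$debug_rawbody = "\n\nBEGIN RAWBODY DEBUG TEXT\n\n";
for my $line (@$bodytext) {
  (my $text = $line) =~ s/\n\z//;
  $debug_rawbody .= $text . "\n";
}
dbg($debug_rawbody . "\nEND RAWBODY DEBUG TEXT\n");

$debug_body = "\n\nBEGIN BODY DEBUG TEXT\n\n";
for my $line (@$decoded) {
  (my $text = $line) =~ s/\n\z//;
  $debug_body .= $text . "\n";
}
dbg($debug_body . "\nEND BODY DEBUG TEXT\n");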







rule idea for catching 'zombie spam relays' and question of my logic

2004-09-17 Thread Shane Metler
I found this type of rule to be very helpful in catching 'zombie spam
relay' emails from specific 'problem' networks.

The problem I faced with an all inclusive ban on these networks was that
our customers connect to our SMTP servers from all around the world.
Banning Dynamic, DSL, Cable, or Dialup connections at the SMTP level was
not an option, because that would prevent our customers from
establishing a valid SMTP connection to us.

Luckily, our Spam Assassin configuration is set up to bypass Spam
Assassin processing when a customer has authenticated themselves for the
SMTP connection. So 'local to local' and 'local to remote' deliveries
are not scanned, and are not affected by these rules. I can safely
assume any mail running through Spam Assassin is from a remote sender
intended for a local customer.

When Spam Assassin receives an email (at least under my setup), the
first line of that email is always the Received line added by our SMTP
server.

With this in mind, I created a number of rules like this, which are
based on the dynamic / cable / dialup / DSL host names of large ISPs:

describe SKM_SPAM_HOST_3 Received via Insecure Networks - *.user.veloxzone.com.br
full     SKM_SPAM_HOST_3 /^[^\n]+\.user\.veloxzone\.com\.br\b/i
score    SKM_SPAM_HOST_3 0.1

describe SKM_SPAM_HOST_25 Received via Insecure Networks - *.pool*.interbusiness.it
full     SKM_SPAM_HOST_25 /^[^\n]+\.pool\d+\.interbusiness\.it\b/i
score    SKM_SPAM_HOST_25 0.1

This rule will match hosts like
123-123-123-123.pool54321.interbusiness.it in the first line of the
email (which is our SMTP Received line).

In my logic, there is no valid reason that a remote sender would connect
directly to our SMTP server from their dynamic/DSL/cable IP to send our
customers an email ... I think ?  Valid 'remote to local' emails being
sent from these DSL/cable/dialup IPs would normally be relayed via their
own network's SMTP server, which would then be delivered to us by a host
that didn't match the dynamic/DSL/cable custom rule. Right?

It would either be a 'zombie spam relay', or someone who set up an SMTP
server on a dynamic IP (which just isn't what valid businesses do ... )?

So far I have had 100% spam, 0% ham marked by these rules.

Does anyone see any error in this logic? I would like to begin
automatically deleting emails that match these rules, but I am curious
if there are obscure cases where a non-authenticated SMTP connection
(remote to local), delivering a valid email, would be connecting from
these dynamic/DSL/cable IPs?

Thanks in advance,
Shane

P.S. If there isn't some sort of error in this logic, I will be happy to
post the full set of rules which match the 20-30 major 'zombie relay'
networks that we receive Spam from.
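
Added example, not part of the original post: the two rules above run over constructed messages, showing that the unanchored-multiline `^[^\n]+` form only ever inspects the first line, so a dynamic host that appears in a later Received line (mail relayed through the ISP's own server) or elsewhere in the message does not fire. The sample hosts under example.com / example.net and the 192.0.2.x addresses are placeholders.

```python
import re

# The two 'full' rules from the post. Perl's /i becomes re.I; without /m,
# '^' anchors only at the very start of the message, as in the original rules.
RULES = {
    "SKM_SPAM_HOST_3": re.compile(r"^[^\n]+\.user\.veloxzone\.com\.br\b", re.I),
    "SKM_SPAM_HOST_25": re.compile(r"^[^\n]+\.pool\d+\.interbusiness\.it\b", re.I),
}


def first_hop_hits(raw_message):
    """Return the names of the rules that fire on the message's first line."""
    return sorted(name for name, rx in RULES.items() if rx.search(raw_message))


# Constructed sample 1: the dynamic host connected directly to the local server.
DIRECT = (
    "Received: from 123-123-123-123.pool54321.interbusiness.it (192.0.2.10)"
    " by mx.example.com\n"
    "Subject: constructed sample\n\nbody\n"
)

# Constructed sample 2: the same host handed its mail to the ISP's relay first,
# so it only shows up in the second Received line.
RELAYED = (
    "Received: from smtp.example.net (192.0.2.25) by mx.example.com\n"
    "Received: from 123-123-123-123.pool54321.interbusiness.it (192.0.2.10)"
    " by smtp.example.net\n"
    "Subject: constructed sample\n\nbody\n"
)

# Constructed sample 3: the host name is only mentioned in the body text.
MENTIONED = (
    "Received: from smtp.example.net (192.0.2.25) by mx.example.com\n"
    "Subject: constructed sample\n\n"
    "see host1.user.veloxzone.com.br for details\n"
)

if __name__ == "__main__":
    for label, msg in (("direct", DIRECT), ("relayed", RELAYED), ("mentioned", MENTIONED)):
        print(label, first_hop_hits(msg))
```
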