txrep and bayes_sql_override_username

2016-02-25 Thread bOnK

I'm using bayes_sql_override_username.
Mysql userpref (username, preference, value):
@example.com  bayes_sql_override_username  SomeName

Table bayes_vars uses SomeName for all users @example.com,
but txrep seems to ignore this setting and uses u...@example.com

Am I mistaken in thinking txrep should use bayes_sql_override_username 
setting as well?


--
bOnK




Re: txrep and bayes_sql_override_username

2016-02-25 Thread bOnK

On 25-2-2016 17:56, Kevin Golding wrote:
On Thu, 25 Feb 2016 16:47:05 -, bOnK wrote:



I'm using bayes_sql_override_username.
Mysql userpref (username, preference, value):
@example.com  bayes_sql_override_username  SomeName

Table bayes_vars uses SomeName for all users @example.com,
but txrep seems to ignore this setting and uses u...@example.com

Am I mistaken in thinking txrep should use 
bayes_sql_override_username setting as well?




From: 
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_TxRep.txt


user_awl_sql_override_username  SomeName


That did the trick... thanks.

--
bOnK


Re: false possitive

2016-08-01 Thread bOnK

On 31-7-2016 22:16, Benny Pedersen wrote:

dovecot.org working on there own problem with 3.3.1


Maybe you meant this as a follow-up on thread "dovecot runs on a pbl 
listed ip ?" on the dovecot list?


wake up 


;-)

--
b.



Re: false possitive

2016-08-01 Thread bOnK

Please send me a sample of whatever it is you are smoking!

--
b.

On 1-8-2016 11:23, Benny Pedersen wrote:

On 2016-08-01 11:07, bOnK wrote:

On 31-7-2016 22:16, Benny Pedersen wrote:

dovecot.org working on there own problem with 3.3.1

Maybe you meant this as a follow-up on thread "dovecot runs on a pbl


fun aside, i have it much more fun with a raspberri pi as full-hd 
shell terminal



listed ip ?" on the dovecot list?

wake up

;-)


and learning lua






Re: detect if html attachment without plugin

2016-08-04 Thread bOnK

On 4-8-2016 14:53, Robert Boyl wrote:

rawbody TEST_HTML  /bContent-Type: text\/html\b/i


I don't know if it will work, but your RegEx is wrong:

/\bContent-Type: text\/html\b/i

\b instead of b

--
bOnK


Re: DKIM Score

2016-08-15 Thread bOnK

https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/

On 15-8-2016 10:44, Chris Lee wrote:


Hi,

How to setup to give high score for specific domain cannot pass DKIM test?

For example: My own email domain is example.com

Any incoming email from:  example.com does not pass DKIM test score 10.0

Spamassassin

Version: 3.4.1

Release: 6.fc23

OS: Fedora FC 23

Many thanks in advance.

Cheers,

Lee







DNS mismatch

2016-09-14 Thread bOnK

FYI
For the last couple of weeks, the DNS slave servers 
[abc].auth-ns.sonic.net seem to always be behind ns.hyperreal.org.


Wed Sep 14 12:08:37 UTC 2016
dig 2.3.3.updates.spamassassin.org. txt +short @ns.hyperreal.org.
"1760494"
dig 2.3.3.updates.spamassassin.org. txt +short @a.auth-ns.sonic.net.
"1760316"
dig 2.3.3.updates.spamassassin.org. txt +short @b.auth-ns.sonic.net.
"1760316"
dig 2.3.3.updates.spamassassin.org. txt +short @c.auth-ns.sonic.net.
"1760316"

--
bOnK
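A scripted version of the comparison above, added here as an example and not part of the post: it parses the `dig ... txt +short` answers for the update TXT record and reports which secondaries are behind the master. The sample answers are the values quoted in the post; `query_all` re-runs the same dig command live when dig and network access are available. Assumption: the TXT payload is the decimal ruleset version that sa-update compares against, so a lower number on a secondary means it is serving a stale zone.

```python
"""Check whether secondary DNS servers lag the master for the SpamAssassin
update-version TXT record, using the same dig query as the post."""
import re
import subprocess

# Hostnames from the post: the master and the three sonic.net secondaries.
MASTER = "ns.hyperreal.org."
SECONDARIES = ["a.auth-ns.sonic.net.", "b.auth-ns.sonic.net.", "c.auth-ns.sonic.net."]
RECORD = "2.3.3.updates.spamassassin.org."

# Constructed sample: the `dig ... txt +short` answers quoted in the post.
SAMPLE_ANSWERS = {
    "ns.hyperreal.org.": '"1760494"\n',
    "a.auth-ns.sonic.net.": '"1760316"\n',
    "b.auth-ns.sonic.net.": '"1760316"\n',
    "c.auth-ns.sonic.net.": '"1760316"\n',
}


def parse_txt_short(output):
    """Turn `dig txt +short` output into the update version as an int.

    +short prints each TXT answer as one or more quoted strings; the update
    record holds a single decimal version (assumption), so anything else
    (empty answer, non-numeric payload) is reported as None, not guessed.
    """
    strings = re.findall(r'"([^"]*)"', output)
    payload = "".join(strings).strip()
    return int(payload) if payload.isdigit() else None


def lagging_servers(answers, master=MASTER):
    """Map each lagging secondary to (its version, versions behind the master).

    Servers in sync with the master are omitted; an unparsable answer is
    reported as (None, None) so it is never silently treated as in sync.
    """
    master_version = parse_txt_short(answers[master])
    lag = {}
    for server, output in answers.items():
        if server == master:
            continue
        version = parse_txt_short(output)
        if version is None:
            lag[server] = (None, None)
        elif master_version is not None and version < master_version:
            lag[server] = (version, master_version - version)
    return lag


def query_all(record=RECORD, servers=(MASTER, *SECONDARIES), timeout=10):
    """Run the post's dig command against every server (needs dig and network)."""
    answers = {}
    for server in servers:
        result = subprocess.run(
            ["dig", record, "txt", "+short", "@" + server],
            capture_output=True, text=True, timeout=timeout, check=False,
        )
        answers[server] = result.stdout
    return answers


if __name__ == "__main__":
    # Offline demo over the post's values; swap in query_all() for a live check.
    for server, (version, behind) in lagging_servers(SAMPLE_ANSWERS).items():
        print(f"{server} serves {version}, {behind} behind {MASTER}")
```

Run as a cron job with `query_all()` in place of the sample dict, a non-empty result is the signal that sa-update may pick up a stale version depending on which authoritative server answers.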


Re: whitelist_auth and how to test

2016-10-09 Thread bOnK

On 9-10-2016 21:38, Alex wrote:

Hi all,

I've been experimenting with penalizing bulk mailers with points, but
there's a bulk email that was quarantined that apparently the users
actually want, so I'd like to just whitelist it.

I've added a whitelist_auth entry with the sender, but testing the
email afterwards doesn't show it's been whitelisted.

It's also unclear from the docs whether the From: address can be used,
or the more difficult MAILFROM address must be used, considering it
would be SPF that's used to authenticate it.

I've pasted the header here:
http://pastebin.com/ysq4A1nU

The whitelist entry I've created is:
whitelist_auth bo...@azhdi.com

The email passes SPF, but DKIM apparently isn't fully authenticated,
as it doesn't contain the DKIM_VALID_AU.

The sender is sendgrid.net, using an Envelope-From that contains a
random ID, making it impossible to use the whole address for the
whitelist_auth entry.

It's probably not a good idea to penalize sendgrid.net with 1.5
points, but I'm more interested in how to properly whitelist mails
like this for now.

Perhaps there's a better way to deal with bulk mailers like sendgrid
you might recommend?


whitelist_from_dkim bo...@azhdi.com sendgrid.net

Mail::SpamAssassin::Plugin::DKIM

--
b.



Re: sa-update failing

2016-11-22 Thread bOnK

On 22-11-2016 18:22, Larry Starr wrote:


Has there been a mirror change that I've missed?

For the past few days my daily "sa-update" job has been failing:



I don't know if this has anything to do with your problem, but there is 
a sync problem with the master and slave DNS servers.


--
b.


Re: Hints needed for spf rule

2018-09-28 Thread bOnK

On 24-9-2018 17:13, Adam Katz wrote:
These SPF records are all effectively equivalent (the fourth is Sender 
ID, we'll get to #5 later):

v=spf1 +all
v=spf1 all
v=spf1 all 192.0.2.0/24
v=spf2.0/mfrom +all
v=spf1 1.2.3.0/1 128.4.5.0/2 192.6.7.8/3 -all

So therefore I propose regexps like /^v=spf[12].*[\s+]all\b/ and 
/^v=spf[12].*\s\?all\b/ (the latter should be very rare and a better 
indication of a clueless admin than a spammer).


The fifth item above permits 0.0.0.0 to 223.255.255.255 and therefore 
only multicast and the reserved Class E network are banned. To address 
this, consider /^v=spf[12].*[0-9]\/[0-7]\b/. I haven't observed this 
sort of workaround (yet), but it's the attackers' logical escalation 
in response to this. (I conservatively chose a max mask of /7, though 
I don't think there's any legitimate use of /8, even by the remaining 
Class A holders like AT&T, HP, and the US DoD—nobody /should/ have an 
email network even approaching a /16 let alone a /8, though note that 
Google currently includes three /16s. I'm not sure where to draw a 
similar "too large" threshold for IPv6; perhaps /32?)


-Adam (still here, sometimes)




A better idea might be testing if SPF for a external domain would pass 
on your own server.

This is what milter greylist does.
http://hcpnet.free.fr/milter-greylist/

Though probably exceptional, according to the RFC +all *can be* 
restrictive...

https://tools.ietf.org/html/rfc7208

A.4.  Multiple Requirements Example

   Say that your sender policy requires both that the IP address is
   within a certain range and that the reverse DNS for the IP matches.
   This can be done several ways, including the following:

   example.com.   SPF  ( "v=spf1 "
                         "-include:ip4._spf.%{d} "
                         "-include:ptr._spf.%{d} "
                         "+all" )
   ip4._spf.example.com.  SPF  "v=spf1 -ip4:192.0.2.0/24 +all"
   ptr._spf.example.com.  SPF  "v=spf1 -ptr +all"

   This example shows how the "-include" mechanism can be useful, how an
   SPF record that ends in "+all" can be very restrictive, and the use
   of De Morgan's Law.

--
b.
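To see what the proposed regexes actually catch, here is an added example (mine, not from the thread) that runs Adam's three patterns over the five records from his mail plus the RFC 7208 A.4 records quoted above, and separately computes, from the literal ip4 terms alone, the share of IPv4 space a record passes. The RFC records show the limit of a regex-only check: `pass_all` fires on a record that is in fact restrictive, and the static evaluator has to give up (`None`) because `-include` needs a DNS lookup, which is why evaluating SPF on your own server is the more reliable test. Assumption: bare CIDR terms such as `1.2.3.0/1` in the fifth record are treated as `ip4:` mechanisms for the sake of the exercise, although RFC 7208 requires the `ip4:` prefix.

```python
"""Exercise the SPF regexes proposed in the thread and show where a
regex-only check over- or under-reaches, using the records from the post."""
import ipaddress
import re

# Adam's three regexes, transcribed from Perl /.../ syntax.
REGEXES = {
    "pass_all": re.compile(r"^v=spf[12].*[\s+]all\b"),
    "neutral_all": re.compile(r"^v=spf[12].*\s\?all\b"),
    "huge_mask": re.compile(r"^v=spf[12].*[0-9]/[0-7]\b"),
}

IPV4_SPACE = 2 ** 32


def flags_for(record):
    """Names of the thread's regexes that match one SPF/Sender ID TXT record."""
    return [name for name, rx in REGEXES.items() if rx.search(record)]


def _count(nets):
    """Number of distinct addresses covered by a list of IPv4 networks."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def ip4_pass_fraction(record):
    """Fraction of IPv4 space the record passes, judged from literal terms only.

    Terms are evaluated in order and a sender matches the first term that
    covers it, so a '+all' after '-ip4:...' passes everything except that
    block. Returns None when a term (include, redirect, a, mx, ptr, exists,
    ip6) cannot be judged without DNS lookups; that is the case the RFC 7208
    A.4 example illustrates. Assumption: bare CIDR terms are read as ip4:.
    """
    claimed = []   # networks already matched by an earlier term
    passing = 0    # addresses whose first matching term is a pass
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        lower = term.lower()
        if lower == "all":
            if qualifier == "+":
                passing += IPV4_SPACE - _count(claimed)
            break  # terms after "all" are never evaluated
        if lower.startswith("ip4:"):
            term = term[4:]
        try:
            net = ipaddress.ip_network(term, strict=False)
        except ValueError:
            return None  # include/a/mx/ptr/exists/redirect: needs real evaluation
        if net.version != 4:
            return None
        before = _count(claimed)
        claimed.append(net)
        if qualifier == "+":
            passing += _count(claimed) - before
    return passing / IPV4_SPACE


THREAD_RECORDS = [
    "v=spf1 +all",
    "v=spf1 all",
    "v=spf1 all 192.0.2.0/24",
    "v=spf2.0/mfrom +all",
    "v=spf1 1.2.3.0/1 128.4.5.0/2 192.6.7.8/3 -all",
    # RFC 7208 A.4, with %{d} expanded: ends in "+all" yet is restrictive
    "v=spf1 -include:ip4._spf.example.com -include:ptr._spf.example.com +all",
    "v=spf1 -ip4:192.0.2.0/24 +all",
    "v=spf1 -ptr +all",
]

if __name__ == "__main__":
    for rec in THREAD_RECORDS:
        print(f"{rec!r}: flags={flags_for(rec)} pass={ip4_pass_fraction(rec)}")
```

The fifth record comes out at 0.875 of IPv4 space from the three pass blocks, matching Adam's "everything below 224.0.0.0" reading, while the A.4 example trips `pass_all` and still cannot be scored statically.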


Re: Rule for detecting two email addresses in From: field.

2019-10-04 Thread bOnK

On 4-10-2019 1:12, Philip wrote:

Morning List,

Lately I'm getting a bunch of emails that are showing up with two 
email addresses in the From: field.


From: "Persons Name " 

When you look in your mail client (Outlook, Thunderbird) it's showing 
only "Persons Name "


Is there a way I can mark From: that has 2 email addresses in it as 
spam? Pro's Cons?


Phil


header  FR_D_AT  From =~ /\S+\@[\w\-\.]+.*\S+\@[\w\-\.]+/
describe    FR_D_AT  From has double email address?
score   FR_D_AT  0.1

header  FR_NA_SAME   From =~ /(\S+\@[\w\-\.]+).*\1/
describe    FR_NA_SAME   From name and address is the same email address.

tflags  FR_NA_SAME   nice
score   FR_NA_SAME   -0.1

meta    SPOOF_EMAIL  (FR_D_AT && ! FR_NA_SAME)
describe    SPOOF_EMAIL  From name and address have different email address!

score   SPOOF_EMAIL  2.5

--
bOnK
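An added example, not from the post, that evaluates the three rules above (the two header regexes and the meta that combines them) against constructed From: values, so the interaction between FR_D_AT, the `nice` FR_NA_SAME and SPOOF_EMAIL can be checked without a running SpamAssassin. The regexes are transcribed from the Perl syntax in the post; the sample headers are mine, and the display-name address is spelled out because the archive stripped the angle brackets from Phil's example. Assumption: the function receives the decoded From: header value, which is what a `header From =~` rule is matched against.

```python
"""Evaluate the From: rules from the post against constructed sample headers."""
import re

# The two header regexes, transcribed from the post's Perl /.../ syntax.
HEADER_RULES = {
    "FR_D_AT": re.compile(r"\S+\@[\w\-\.]+.*\S+\@[\w\-\.]+"),
    "FR_NA_SAME": re.compile(r"(\S+\@[\w\-\.]+).*\1"),
}
# Scores as set in the post; FR_NA_SAME is the negative ('nice') one.
SCORES = {"FR_D_AT": 0.1, "FR_NA_SAME": -0.1, "SPOOF_EMAIL": 2.5}


def evaluate_from(from_value):
    """Return the sorted names of the rules that fire for one From: value."""
    hits = {name for name, rx in HEADER_RULES.items() if rx.search(from_value)}
    # meta SPOOF_EMAIL (FR_D_AT && ! FR_NA_SAME)
    if "FR_D_AT" in hits and "FR_NA_SAME" not in hits:
        hits.add("SPOOF_EMAIL")
    return sorted(hits)


def score_from(from_value):
    """Sum of the post's scores for the rules that fire (rounded like SA's report)."""
    return round(sum(SCORES[name] for name in evaluate_from(from_value)), 3)


# Constructed samples (not from the post).
SAMPLES = {
    # display name carries a different address than the real one: the spoof case
    "display-name address differs": '"Persons Name <spoof@example.net>" <real@example.com>',
    # display name repeats the real address: FR_D_AT fires but FR_NA_SAME cancels it
    "display-name address matches": '"real@example.com" <real@example.com>',
    # ordinary header with a single address: nothing fires
    "ordinary header": '"Persons Name" <real@example.com>',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {evaluate_from(value)} -> {score_from(value)}")
```

The middle sample is why FR_NA_SAME exists: a mail client that puts the address in the display name would otherwise be scored as a spoof, and the meta only fires when the two addresses differ.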