Re: QR phish missed
On 8/16/24 2:03 PM, Alex wrote:
> The body was empty with a PDF attachment. It's too big for pastebin.
> https://drive.google.com/file/d/1FzBgTKoBgRp7TWkqjWqSqqESYmCGH0G2/view?usp=sharing
>
> Any success stories with setting up zbar for QR code spam would also be appreciated :-)

With this rule the QR-code is extracted correctly.

extracttext_external  zbar  /usr/local/bin/zbarimg -q -D {}
extracttext_use       zbar  .jpg .png .pdf .webp image/(?:jpeg|png) application/pdf
add_header all ExtractText-Uris _EXTRACTTEXTURIS_

Cheers
Giovanni
Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?
On 7/18/24 5:10 AM, Grant Taylor via users wrote:
> On 7/17/24 18:04, Matija Nalis wrote:
>> I.e. would you consider it to be significantly less likely to be spam if it contained "Dear Elizabeth," while being addressed to "mark@domain" instead of to "elizabeth@domain" ?
>
> I've seen quite a bit of spam that opens message bodies with:
>
> Where is "Dear" or some other greeting, often language specific and is the local part of the email address.
>
> Something like the following is probably a good indication that it's spam:
>
> --8<--
> Dear ux37932,
>
> I've missed talking to you, what is your opinion of ? Please check it out and let me know what you think.
> -->8--
>
> If there was any doubt about the paragraph, the "ux37932" makes it quite evident to a human that the name in the salutation is not real.
>
> This is ESPECIALLY true when the name in the salutation is identical, byte for byte, including case, as the local part of the email address.

do you intend to have a rule like this one ?

header __TO_NAME To:name =~ /(?<TO_NAME>.*)/
body DEAR_NAME /Dear %{TO_NAME}/

Giovanni
Re: Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired
On 6/23/24 10:26 PM, Larry Nedry via users wrote:
> On 7/21/23 9:10 AM, Giovanni Bechis wrote:
>> Hi,
>> phishstats[.]info domain has recently moved to a parking domain, if you are using Mail::SpamAssassin::Plugin::Phishing plugin with data downloaded from PhishStats[.]info it would be better to comment "phishing_phishstats_feed" configuration line.
>> If PhishStats[.]info will not find a new home I am going to remove the relevant code from the plugin.
>>
>> Regards
>> Giovanni
>
> Did you remove the relevant code for PhishStats?

Yes, I've removed the code; now PhishStats is back and code has been restored after 4.0.1 release.

Giovanni
Re: Warning: Your Pyzor may be broken.
On 6/9/24 7:31 PM, John Hardin wrote:
> On Sun, 9 Jun 2024, Michael Orlitzky wrote:
>> On 2024-06-08 14:45:34, Bill Cole wrote:
>>> I went looking for a better fix and found a reported issue at https://github.com/SpamExperts/pyzor/issues/155 matching my original symptoms in which a workaround was provided: install directly from the GitHub project's master.zip link, i.e. a snapshot assembled from the current state of the repo, which claims to be v1.1.1.
>>>
>>> I do not like that solution at all, and added a comment to that issue suggesting that they fix the problem by cutting a release for PyPI. No response yet, but it has only been a matter of minutes.
>>
>> The same issue was reported in 2016 and ignored for eight years before being closed out of frustration (rather than because they did something about it):
>>
>> https://github.com/SpamExperts/pyzor/issues/54
>
> Perhaps the project should consider retiring Pyzor as "no longer effectively maintained"?

I think this is a valid option; the Perl implementation is a reverse engineering effort and absolutely not perfect.

Giovanni
Re: TxRep does not evaluate EMAIL_IP reputation
On 6/3/24 1:10 AM, Tomohiro Hosaka wrote:
> Slight correction.
>
> On 2024-06-03 07:55, Tomohiro Hosaka wrote:
>> Here $rc is dualvar.
>> https://metacpan.org/pod/DBI#execute
>
> This is not dualvar, exactly. However, the patch is unchanged.
> Evaluated as a bool, it is "0E0" true; evaluated as a number, it is the number of cases.
> You may use $cnt for more simplicity.

Hi,
could you please open bug reports on https://bz.apache.org/SpamAssassin/ so that we can track them ?

Thanks
Giovanni
Re: Extract Local-part from To: Adress to use in spamassassin rule
On 5/23/24 5:39 PM, Bill Cole wrote:
> On 2024-05-23 at 03:40:48 UTC-0400 (Thu, 23 May 2024 09:40:48 +0200) Carsten is rumored to have said:
>> Hi @all,
>>
>> I want to create a SpamAssassin rule that checks if the subject line of an email contains the local part of the recipient's email address (the part before the @ symbol). For example, if the recipient's email address is i...@example.com, I want to check if the subject contains the phrase "info lorem ipsum". If the recipient's email address is foo...@example.com, I want to check if the subject contains the phrase "foobar lorem ipsum". The rule should be general and adaptable to different local parts of email addresses.
>>
>> Requirements:
>> 1. Extract the local part of the recipient's email address from the To header.
>> 2. Use the extracted local part to check if it is present in the Subject header.
>> 3. The rule should be written in a way that works for any local part of the email address, not just a specific one.
>
> See the section titled "CAPTURING TAGS USING REGEX NAMED CAPTURE GROUPS" in the embedded configuration documentation (perldoc Mail::SpamAssassin::Conf) for how to capture a pattern in one rule and use it in another.
>
> I don't have a working rule for you, but that's the mechanism I would use.

If you need some samples to start with, take a look at https://github.com/apache/spamassassin/blob/094428cf11b0ad8d5658fd18d62d69663357fb10/rulesrc/sandbox/gbechis/20_misc.cf#L98

Giovanni
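Both this thread and the "Dear xxx" thread above boil down to the same two checks: pull the local part out of the recipient address, then compare it against the salutation in the body (byte for byte, case included, as Grant suggests) or against the Subject. The Python below is an added illustration of that logic outside SpamAssassin; it is not code from the list or from the SpamAssassin project, the rule names DEAR_LOCALPART and SUBJECT_LOCALPART are hypothetical, and both sample messages are constructed here.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample messages (not taken from the thread) used to exercise the checks.
SPAM_SAMPLE = """\
From: someone@example.org
To: ux37932@example.com
Subject: ux37932 lorem ipsum

Dear ux37932,

I've missed talking to you. Please check it out and let me know what you think.
"""

HAM_SAMPLE = """\
From: friend@example.org
To: Elizabeth Smith <elizabeth@example.com>
Subject: lunch tomorrow?

Dear Elizabeth,

Are you free at noon?
"""

# First word after a greeting at the start of a line, stopping at punctuation.
SALUTATION_RE = re.compile(r"^\s*(?:Dear|Hello|Hi|Hey)\s+([^\s,:;!]+)", re.MULTILINE)


def local_parts(msg):
    """Local parts (before the @) of every To: address, case preserved."""
    headers = [str(h) for h in msg.get_all("To", [])]
    return [addr.split("@", 1)[0] for _name, addr in getaddresses(headers) if "@" in addr]


def body_text(msg):
    """Plain-text body, or an empty string when the message has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def salutation_name(body):
    """Name used in the opening greeting, or None when there is no greeting."""
    m = SALUTATION_RE.search(body)
    return m.group(1) if m else None


def check(raw_message):
    """Return the two hypothetical rule hits for one RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    parts = local_parts(msg)
    name = salutation_name(body_text(msg))
    subject = str(msg.get("Subject", ""))
    # DEAR_LOCALPART: the greeting name equals a recipient local part byte for byte,
    # case included, as the thread suggests; "Dear Elizabeth" to elizabeth@ does not hit.
    dear_hit = name is not None and name in parts
    # SUBJECT_LOCALPART: a recipient local part appears in the Subject as a whole word.
    subj_hit = any(
        re.search(r"(?<![\w.-])" + re.escape(lp) + r"(?![\w.-])", subject, re.IGNORECASE)
        for lp in parts
    )
    return {"DEAR_LOCALPART": dear_hit, "SUBJECT_LOCALPART": subj_hit}


if __name__ == "__main__":
    for label, sample in (("spam-like", SPAM_SAMPLE), ("ham-like", HAM_SAMPLE)):
        print(label, check(sample))
```

The ham sample is the interesting one: a case-insensitive comparison would flag "Dear Elizabeth" sent to elizabeth@example.com, which is exactly the kind of legitimate mail the byte-for-byte rule is meant to leave alone, so the salutation check keeps case while the Subject check does not.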
[HEADS-UP] Changes to Validity SpamAssassin rules
Hi,
if you are using rules that query Validity rbl (RCVD_IN_VALIDITY_* rules), make sure you have updated rules (at least dated 2024-04-23), otherwise you may encounter FPs instead of hitting an overlimit response.

Giovanni
Re: uridnsbl_skip_domain question
On 5/17/24 3:17 PM, Matus UHLAR - fantomas wrote:
> Hi guys,
>
> I have configured exclusion for some common domains e.g. gov.sk in SA:
>
> uridnsbl_skip_domain [...] gov.sk slovensko.sk
>
> However it seems that that domain is still queried:
>
> 9826 68.951573 127.0.0.1 → 127.0.0.1 DNS 104 Standard query 0xbffe A mail.gov.sk.multi.uribl.com OPT
>
> in SA 4 docs I see that:
>
> uridnsbl_skip_domain domain1 domain2 ...
> Specify a domain, or a number of domains, which should be skipped for the URIBL checks. This is very useful to specify very common domains which are not going to be listed in URIBLs.
> In addition to trimmed domain, the full hostname is also checked from the list.
>
> Do I have to exclude subdomains for each host too? (this would kind of defeat the directive imho).
>
> This is SA 3.4.6 (debian 11) which does not have the latter paragraph but I assume the difference is only in documentation

From a quick look at the code it seems that the subdomains check has been added to Mail::SpamAssassin::Plugin::URIDNSBL with commit r1889093 ~10 days after the 3.4.6 release.
In addition to that, Mail::SpamAssassin::Plugin::DNSEval honors the uridnsbl_skip_domain preference only in trunk code.

Giovanni
Upcoming KAM.cf Ruleset 20th Anniversary
Hi,
very soon we will celebrate the KAM.cf Ruleset 20th Anniversary. Are there any stories about how you use the ruleset, any products that include the rules you are aware of, or other info about how it has helped with spam and email security ?
Glad to receive any info or story about the KAM.cf SpamAssassin ruleset.

Giovanni
Re: Doesn't spamc/spamd need block/welcomeliist support???
On 3/20/24 21:58, Bill Cole wrote:
> I'm not sure how I've not noticed before, but unless I'm missing something, there is no way to replicate the [block,welcome]list functionalities of the spamassassin script when using the spamc/spamd interface.
>
> Does anyone see it hiding somewhere that I don't?
>
> Does anyone have any rationale for this missing functionality?
>
> I don't expect that it would be difficult to add. (Something I've believed every time I've taken on a coding task...)

are you referring to spamassassin -W/-R options that are not present on spamc(1) ?

Giovanni
Re: OT: Microsoft Breech
On 19 March 2024 15:33:10 CET, Bill Cole wrote:
> On 2024-03-19 at 09:51:04 UTC-0400 (Tue, 19 Mar 2024 08:51:04 -0500) Thomas Cameron is rumored to have said:
>
>> Does anyone else just block all traffic from *.onmicrosoft.com?
>
> Yes. No collateral damage noticed. That includes a system that has administrative and alerting role accounts which handle email alerts from Azure and MS365.

Disposition-Notifications are sent by onmicrosoft.domain.tld domain afaik.

Giovanni

>> I have literally NEVER gotten anything from that domain which is not obvious junk.
>>
>> I set up postfix to just flat out refuse anything from that domain.[1] If I get any complaints, I may ease it up, but I was getting TONS of spam messages from that domain and I figured it was easiest to just block it.
>>
>> --
>> Thomas
>>
>> [1]
>>
>> [root@east ~]# grep onmicrosoft /etc/postfix/sender_access
>> /@*.onmicrosoft\.com/ REJECT
>>
>> [root@east ~]# grep sender_access /etc/postfix/main.cf
>> check_sender_access regexp:/etc/postfix/sender_access
>>
>> On 3/18/24 21:13, Jimmy wrote:
>>>
>>> It's possible that certain email accounts utilizing email services with easily guessable passwords were compromised, leading to abuse of the .onmicrosoft.com subdomain for sending spam via email.
>>>
>>> I've observed an increase in the blocking of IPs belonging to Microsoft Corporation by the SpamCop blacklist since November 2023, with a notable spike in activity during February and March 2024.
>>>
>>> Jimmy
>>>
>>> On Tue, Mar 19, 2024 at 12:10 AM Jared Hall via users <users@spamassassin.apache.org> wrote:
>>>
>>> I've several customers whose accounts were used to send spam as a result of Microsoft's infrastructure breech.
>>>
>>> Curiously, NOBODY has received any breach notifications from Microsoft, despite personal information being compromised.
>>>
>>> What has anyone else experienced?
>>>
>>> Thanks,
>>>
>>> -- Jared Hall
Re: FORGED_HOTMAIL_RCVD2
On 1/26/24 12:15, Matus UHLAR - fantomas wrote:
> On 26.01.24 11:03, Rupert Gallagher wrote:
>> Subject: FORGED_HOTMAIL_RCVD2 Rule broken. Please update.
>
> can you provide more info, perhaps headers?
>
> header FORGED_HOTMAIL_RCVD2 eval:check_for_no_hotmail_received_headers()

I've found a sample, fixed in trunk in r1915645.

Regards
Giovanni
Re: QR code phish?
On 2/5/24 09:49, Matus UHLAR - fantomas wrote:
>>> On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
>>>> Hi Alex, we are definitely seeing them. There is code in trunk for this with one of the plugins and rules in the KAM ruleset using the new code. LMK if you need more info.
>
>> On 2/4/24 18:56, Alex wrote:
>>> It looks like it's tied to the Raptor service and the ExtractText plugin. Do you have more details on doing that?
>
> On 05.02.24 08:31, giova...@paclan.it wrote:
>> you can configure ExtractText to run zbarimg(1) to extract uris from QR codes.
>> zbarimg(1) is available at https://zbar.sf.net or packaged on many OS.
>
> in Debian (I assume Ubuntu as well) it's in the zbar-tools package
>
>> If you do not use any other ExtractText config line for image file types, zbarimg(1) can be configured on SpamAssassin 4.0 as well.
>
> what if you do? does ExtractText only run one of configured programs for the same type of file?

Exactly, ExtractText only runs the first configured program for the same type of file.

Giovanni
Re: QR code phish?
On 2/4/24 18:56, Alex wrote:
> Hi,
>
> On Thu, Feb 1, 2024 at 5:01 PM Kevin A. McGrail <kmcgr...@apache.org> wrote:
>> Hi Alex, we are definitely seeing them. There is code in trunk for this with one of the plugins and rules in the KAM ruleset using the new code. LMK if you need more info.
>
> It looks like it's tied to the Raptor service and the ExtractText plugin. Do you have more details on doing that?

you can configure ExtractText to run zbarimg(1) to extract uris from QR codes.
zbarimg(1) is available at https://zbar.sf.net or packaged on many OS.
If you do not use any other ExtractText config line for image file types, zbarimg(1) can be configured on SpamAssassin 4.0 as well.

Regards
Giovanni
Re: Bayes Stopword
"ทุก" is not considered a word because it's part of the token "ทุกวันพุธเล่นชนะรับเพิ่ม". Words must be separated by spaces, otherwise we should skip the word "theme" just because "the" is in english stopword list. No idea if this makes sense for asian languages. Giovanni On 12/29/23 11:04, Jimmy wrote: The sample email and word list should contain at least these words. ถูก เลย ทุก Jimmy On Fri, Dec 29, 2023 at 4:47 PM mailto:giova...@paclan.it>> wrote: I do not speak Thai but I cannot see any word in the sample email that should match that list. Which word do you think should match the regexp ? Giovanni On 12/29/23 10:08, Jimmy wrote: > You can use this word list > > https://raw.githubusercontent.com/stopwords-iso/stopwords-th/master/stopwords-th.txt <https://raw.githubusercontent.com/stopwords-iso/stopwords-th/master/stopwords-th.txt> <https://raw.githubusercontent.com/stopwords-iso/stopwords-th/master/stopwords-th.txt <https://raw.githubusercontent.com/stopwords-iso/stopwords-th/master/stopwords-th.txt>> > > Jimmy > > On Fri, Dec 29, 2023 at 3:59 PM mailto:giova...@paclan.it> <mailto:giova...@paclan.it <mailto:giova...@paclan.it>>> wrote: > > To create the stopwords regexp I used the script I shared in a previous email and a list of words one per line. > Could you share the list you are using ? 
> > Giovanni > > On 12/29/23 09:22, Jimmy wrote: > > I use SpamAssassin 4.0.0 (2022-12-14) > > > > $ spamassassin -D --lint 2>&1 | grep bayes: > > Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=en > > Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=th > > Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=ru > > Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=fr > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=ja > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=zh > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=dk > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=nl > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=de > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=es > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=fi > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=fr > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=it > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=no > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=ru > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=se > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=tr > > Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=vi > > Dec 29 15:17:56.921 [17420] dbg: bayes: stopword found lang=ko > > Dec 29 15:17:56.921 [17420] dbg: bayes: stopword found lang=zh > > Dec 29 15:17:56.921 [17420] dbg: bayes: stopword found lang=hi > > Dec 29 15:17:58.019 [17420] dbg: bayes: stopwords for languages enabled: en th ru fr ja zh dk nl de es fi fr it no ru se tr vi ko zh hi > > > > > > $ spamassassin -D bayes,learn < test.msg 2>&1 | grep "skipped token" > > Dec 29 15:16:57.585 [17347] dbg: bayes: skipped token 'Email' because it's in stopword list for language 'en' > > > > You can use "บาท" that was listed in regexp pattern but somehow I don't know why it not show skipped token 
in bayes. > > > > Jimmy > > > > > > On Fri, Dec 29, 2023 at 2:59 PM mailto:giova...@paclan.it> <mailto:giova...@paclan.it <mailto:giova...@paclan.it>> <mailto:giova...@paclan.it <mailto:giova...@paclan.it> <mailto:giova...@paclan.it <mailto:giova...@paclan.it>>>> wrote: > > > > Config line produces a syntax error for me: > > config: failed to parse line in /etc/mail/spamassassin/local.cf <http://local.cf> <http://local.cf <http://local.cf>> <http://local.cf <http://local.cf> <http://local.cf <http://local.cf>>> (line 1): bayes_stopword_th > > > > Could you share the word list in utf8 ?
Re: Bayes Stopword
I do not speak Thai but I cannot see any word in the sample email that should match that list.
Which word do you think should match the regexp ?

Giovanni

On 12/29/23 10:08, Jimmy wrote:
> You can use this word list
>
> https://raw.githubusercontent.com/stopwords-iso/stopwords-th/master/stopwords-th.txt
>
> Jimmy
>
> On Fri, Dec 29, 2023 at 3:59 PM <giova...@paclan.it> wrote:
>> To create the stopwords regexp I used the script I shared in a previous email and a list of words one per line.
>> Could you share the list you are using ?
>>
>> Giovanni
>>
>> On 12/29/23 09:22, Jimmy wrote:
>>> I use SpamAssassin 4.0.0 (2022-12-14)
>>>
>>> $ spamassassin -D --lint 2>&1 | grep bayes:
>>> Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=en
>>> Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=th
>>> Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=ru
>>> Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=fr
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=ja
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=zh
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=dk
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=nl
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=de
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=es
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=fi
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=fr
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=it
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=no
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=ru
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=se
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=tr
>>> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=vi
>>> Dec 29 15:17:56.921 [17420] dbg: bayes: stopword found lang=ko
>>> Dec 29 15:17:56.921 [17420] dbg: bayes: stopword found lang=zh
>>> Dec 29 15:17:56.921 [17420] dbg: bayes: stopword found lang=hi
>>> Dec 29 15:17:58.019 [17420] dbg: bayes: stopwords for languages enabled: en th ru fr ja zh dk nl de es fi fr it no ru se tr vi ko zh hi
>>>
>>> $ spamassassin -D bayes,learn < test.msg 2>&1 | grep "skipped token"
>>> Dec 29 15:16:57.585 [17347] dbg: bayes: skipped token 'Email' because it's in stopword list for language 'en'
>>>
>>> You can use "บาท" that was listed in the regexp pattern, but somehow I don't know why it does not show as a skipped token in bayes.
>>>
>>> Jimmy
>>>
>>> On Fri, Dec 29, 2023 at 2:59 PM <giova...@paclan.it> wrote:
>>>> Config line produces a syntax error for me:
>>>> config: failed to parse line in /etc/mail/spamassassin/local.cf (line 1): bayes_stopword_th
>>>>
>>>> Could you share the word list in utf8 ?
>>>> I tried adding "บาท" to https://raw.githubusercontent.com/stopwords-iso/stopwords-th/master/stopwords-th.txt and it produces a working regexp.
>>>> Bayes stopwords languages must also be enabled using the "bayes_stopword_languages" config keyword, by default only english is enabled.
>>>>
>>>> Giovanni
>>>>
>>>> On 12/28/23 17:06, Jimmy wrote:
>>>>> bayes_stopword_th https://pastebin.pl/view/0838138d
>>>>> Sample mail https://pastebin.pl/view/e5a2c5b8
>>>>>
>>>>> Jimmy
>>>>>
>>>>> On Thu, Dec 28, 2023 at 10:59 PM <gio
Re: Bayes Stopword
To create the stopwords regexp I used the script I shared in a previous email and a list of words one per line.
Could you share the list you are using ?

Giovanni

On 12/29/23 09:22, Jimmy wrote:
> I use SpamAssassin 4.0.0 (2022-12-14)
>
> $ spamassassin -D --lint 2>&1 | grep bayes:
> Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=en
> Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=th
> Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=ru
> Dec 29 15:17:56.919 [17420] dbg: bayes: stopword found lang=fr
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=ja
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=zh
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=dk
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=nl
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=de
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=es
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=fi
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=fr
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=it
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=no
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=ru
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=se
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=tr
> Dec 29 15:17:56.920 [17420] dbg: bayes: stopword found lang=vi
> Dec 29 15:17:56.921 [17420] dbg: bayes: stopword found lang=ko
> Dec 29 15:17:56.921 [17420] dbg: bayes: stopword found lang=zh
> Dec 29 15:17:56.921 [17420] dbg: bayes: stopword found lang=hi
> Dec 29 15:17:58.019 [17420] dbg: bayes: stopwords for languages enabled: en th ru fr ja zh dk nl de es fi fr it no ru se tr vi ko zh hi
>
> $ spamassassin -D bayes,learn < test.msg 2>&1 | grep "skipped token"
> Dec 29 15:16:57.585 [17347] dbg: bayes: skipped token 'Email' because it's in stopword list for language 'en'
>
> You can use "บาท" that was listed in the regexp pattern, but somehow I don't know why it does not show as a skipped token in bayes.
>
> Jimmy
>
> On Fri, Dec 29, 2023 at 2:59 PM <giova...@paclan.it> wrote:
>> Config line produces a syntax error for me:
>> config: failed to parse line in /etc/mail/spamassassin/local.cf (line 1): bayes_stopword_th
>>
>> Could you share the word list in utf8 ?
>> I tried adding "บาท" to https://raw.githubusercontent.com/stopwords-iso/stopwords-th/master/stopwords-th.txt and it produces a working regexp.
>> Bayes stopwords languages must also be enabled using the "bayes_stopword_languages" config keyword, by default only english is enabled.
>>
>> Giovanni
>>
>> On 12/28/23 17:06, Jimmy wrote:
>>> bayes_stopword_th https://pastebin.pl/view/0838138d
>>> Sample mail https://pastebin.pl/view/e5a2c5b8
>>>
>>> Jimmy
>>>
>>> On Thu, Dec 28, 2023 at 10:59 PM <giova...@paclan.it> wrote:
>>>> Could you share a config line and a sample you are using ?
>>>> Giovanni
>>>>
>>>> On 12/28/23 16:26, Jimmy wrote:
>>>>> Yes, I have done that, and I am also editing Plugin/Bayes.pm to investigate why it is not being skipped. I suspect that if words are not separated by spaces, longer words may not match those patterns.
>>>>>
>>>>> Jimmy
>>>>>
>>>>> On Thu, Dec 28, 2023 at 10:13 PM <giova...@paclan.it> wrote:
>>>>>> "spamassassin -D bayes" will tell you, you should see a line like:
>>>>>> bayes: skipped token 'from' because it's in stopword list for language 'en'
>>>>>>
>>>>>> Giovanni
>>>>>>
>>>>>> On 12/28/23 15:45, Jimmy wrote:
>>>>>>> The pattern has successfully passed the test script, but it needs to check whether Bayes learning will identify and possibly exclude the word from matching this pattern.
>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>> On Thu, Dec 28, 2023 at 9:22 PM <giova...@paclan.it>
Re: Bayes Stopword
Config line produces a syntax error for me:
config: failed to parse line in /etc/mail/spamassassin/local.cf (line 1): bayes_stopword_th

Could you share the word list in utf8 ?
I tried adding "บาท" to https://raw.githubusercontent.com/stopwords-iso/stopwords-th/master/stopwords-th.txt and it produces a working regexp.
Bayes stopwords languages must also be enabled using the "bayes_stopword_languages" config keyword, by default only english is enabled.

Giovanni

On 12/28/23 17:06, Jimmy wrote:
> bayes_stopword_th https://pastebin.pl/view/0838138d
> Sample mail https://pastebin.pl/view/e5a2c5b8
>
> Jimmy
>
> On Thu, Dec 28, 2023 at 10:59 PM <giova...@paclan.it> wrote:
>> Could you share a config line and a sample you are using ?
>> Giovanni
>>
>> On 12/28/23 16:26, Jimmy wrote:
>>> Yes, I have done that, and I am also editing Plugin/Bayes.pm to investigate why it is not being skipped. I suspect that if words are not separated by spaces, longer words may not match those patterns.
>>>
>>> Jimmy
>>>
>>> On Thu, Dec 28, 2023 at 10:13 PM <giova...@paclan.it> wrote:
>>>> "spamassassin -D bayes" will tell you, you should see a line like:
>>>> bayes: skipped token 'from' because it's in stopword list for language 'en'
>>>>
>>>> Giovanni
>>>>
>>>> On 12/28/23 15:45, Jimmy wrote:
>>>>> The pattern has successfully passed the test script, but it needs to check whether Bayes learning will identify and possibly exclude the word from matching this pattern.
>>>>>
>>>>> Thank you.
>>>>>
>>>>> On Thu, Dec 28, 2023 at 9:22 PM <giova...@paclan.it> wrote:
>>>>>> On 12/28/23 12:59, Jimmy wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm seeking assistance in incorporating a stopword for Asian languages in Unicode. Although I possess comprehensive word lists, my attempts to generate a regex pattern and test it have been unsuccessful; the pattern fails to match or skips tokens in the newly added stopword list.
>>>>>>>
>>>>>>> I created the regex pattern using the following code:
>>>>>>>
>>>>>>> Regexp::Assemble->new->add(@words)->reduce(0)->as_string
>>>>>>>
>>>>>>> Afterward, I converted it to UTF-8 hex.
>>>>>>>
>>>>>>> I'm wondering if there are any tools available to facilitate the creation of these regex patterns.
>>>>>>
>>>>>> I have used Regexp::Trie to create Bayes stopwords in the past, code is similar to:
>>>>>> ---
>>>>>> use strict;
>>>>>> use warnings;
>>>>>>
>>>>>> use Encode;
>>>>>> use Regexp::Trie;
>>>>>>
>>>>>> # one word per line, from files given as arguments or from stdin
>>>>>> my @input = <>;
>>>>>> my $rt = Regexp::Trie->new;
>>>>>> for my $w ( @input ) {
>>>>>>     chomp($w);
>>>>>>     $rt->add($w);
>>>>>> }
>>>>>> my $regexp = $rt->regexp;
>>>>>> # walk the pattern byte by byte: bytes that are not valid UTF-8 on their own
>>>>>> # (i.e. parts of multi-byte characters) are emitted as \xHH escapes
>>>>>> my @reg = split //, $regexp;
>>>>>> for my $c ( @reg ) {
>>>>>>     my $char = $c;
>>>>>>     my $test;
>>>>>>     eval "\$test = decode( 'utf8', \$c, Encode::FB_CROAK )";
>>>>>>     if( $@ ) {
>>>>>>         print '\x' . sprintf("%x", ord($c));
>>>>>>     } else {
>>>>>>         print $char;
>>>>>>     }
>>>>>> }
>>>>>> ---
>>>>>>
>>>>>> Giovanni
Re: Bayes Stopword
Could you share a config line and a sample you are using ?
Giovanni

On 12/28/23 16:26, Jimmy wrote:
> Yes, I have done that, and I am also editing Plugin/Bayes.pm to investigate why it is not being skipped. I suspect that if words are not separated by spaces, longer words may not match those patterns.
>
> Jimmy
>
> On Thu, Dec 28, 2023 at 10:13 PM <giova...@paclan.it> wrote:
>> "spamassassin -D bayes" will tell you, you should see a line like:
>> bayes: skipped token 'from' because it's in stopword list for language 'en'
>>
>> Giovanni
>>
>> On 12/28/23 15:45, Jimmy wrote:
>>> The pattern has successfully passed the test script, but it needs to check whether Bayes learning will identify and possibly exclude the word from matching this pattern.
>>>
>>> Thank you.
>>>
>>> On Thu, Dec 28, 2023 at 9:22 PM <giova...@paclan.it> wrote:
>>>> On 12/28/23 12:59, Jimmy wrote:
>>>>> Hi,
>>>>>
>>>>> I'm seeking assistance in incorporating a stopword for Asian languages in Unicode. Although I possess comprehensive word lists, my attempts to generate a regex pattern and test it have been unsuccessful; the pattern fails to match or skips tokens in the newly added stopword list.
>>>>>
>>>>> I created the regex pattern using the following code:
>>>>>
>>>>> Regexp::Assemble->new->add(@words)->reduce(0)->as_string
>>>>>
>>>>> Afterward, I converted it to UTF-8 hex.
>>>>>
>>>>> I'm wondering if there are any tools available to facilitate the creation of these regex patterns.
>>>>
>>>> I have used Regexp::Trie to create Bayes stopwords in the past, code is similar to:
>>>> ---
>>>> use strict;
>>>> use warnings;
>>>>
>>>> use Encode;
>>>> use Regexp::Trie;
>>>>
>>>> # one word per line, from files given as arguments or from stdin
>>>> my @input = <>;
>>>> my $rt = Regexp::Trie->new;
>>>> for my $w ( @input ) {
>>>>     chomp($w);
>>>>     $rt->add($w);
>>>> }
>>>> my $regexp = $rt->regexp;
>>>> # walk the pattern byte by byte: bytes that are not valid UTF-8 on their own
>>>> # (i.e. parts of multi-byte characters) are emitted as \xHH escapes
>>>> my @reg = split //, $regexp;
>>>> for my $c ( @reg ) {
>>>>     my $char = $c;
>>>>     my $test;
>>>>     eval "\$test = decode( 'utf8', \$c, Encode::FB_CROAK )";
>>>>     if( $@ ) {
>>>>         print '\x' . sprintf("%x", ord($c));
>>>>     } else {
>>>>         print $char;
>>>>     }
>>>> }
>>>> ---
>>>>
>>>> Giovanni
Re: Bayes Stopword
"spamassassin -D bayes" will tell you, you should see a line like: bayes: skipped token 'from' because it's in stopword list for language 'en' Giovanni On 12/28/23 15:45, Jimmy wrote: The pattern has successfully passed the test script, but it needs to check whether Bayes learning will identify and possibly exclude the word from matching this pattern. Thank you. On Thu, Dec 28, 2023 at 9:22 PM mailto:giova...@paclan.it>> wrote: On 12/28/23 12:59, Jimmy wrote: > Hi, > > I'm seeking assistance in incorporating a stopword for Asian languages in Unicode. Although I possess comprehensive word lists, my attempts to generate a regex pattern and test it have been unsuccessful; the pattern fails to match or skips tokens in the newly added stopword list. > > I created the regex pattern using the following code: > > Regexp::Assemble->new->add(@words)->reduce(0)->as_string > > Afterward, I converted it to UTF-8 hex. > > I'm wondering if there are any tools available to facilitate the creation of these regex patterns. > I have used Regexp::Trie to create Bayes stopwords in the past, code is similar to: --- use strict; use warnings; use Encode; use Regexp::Trie; my @input = ; my $rt = Regexp::Trie->new; for my $w ( @input ) { chomp($w); $rt->add($w); } my $regexp = $rt->regexp; my @reg = split //, $regexp; for my $c ( @reg ) { my $char = $c; my $test; eval "\$test = decode( 'utf8', \$c, Encode::FB_CROAK )"; if( $@ ) { print 'x' . sprintf("%x", ord($c)); } else { print $char; } } --- Giovanni OpenPGP_signature.asc Description: OpenPGP digital signature
Re: Bayes Stopword
On 12/28/23 12:59, Jimmy wrote:
> Hi,
>
> I'm seeking assistance in incorporating a stopword for Asian languages in Unicode. Although I possess comprehensive word lists, my attempts to generate a regex pattern and test it have been unsuccessful; the pattern fails to match or skips tokens in the newly added stopword list.
>
> I created the regex pattern using the following code:
>
> Regexp::Assemble->new->add(@words)->reduce(0)->as_string
>
> Afterward, I converted it to UTF-8 hex.
>
> I'm wondering if there are any tools available to facilitate the creation of these regex patterns.

I have used Regexp::Trie to create Bayes stopwords in the past, code is similar to:
---
use strict;
use warnings;

use Encode;
use Regexp::Trie;

# one word per line on standard input (the filehandle was lost in the
# archive extraction; <STDIN> is assumed here)
my @input = <STDIN>;
my $rt = Regexp::Trie->new;
for my $w ( @input ) {
  chomp($w);
  $rt->add($w);
}
my $regexp = $rt->regexp;
# walk the pattern byte by byte: bytes that are not valid UTF-8 on their
# own (i.e. the bytes of multibyte characters) are printed as hex
my @reg = split //, $regexp;
for my $c ( @reg ) {
  my $char = $c;
  my $test;
  eval "\$test = decode( 'utf8', \$c, Encode::FB_CROAK )";
  if( $@ ) {
    print 'x' . sprintf("%x", ord($c));
  } else {
    print $char;
  }
}
---

Giovanni
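The thread above turns on two things: how a word list becomes a prefix-factored regex (what Regexp::Trie produces), and why a stopword check that matches whole tokens will not skip a longer run of characters that merely contains a stopword, which is Jimmy's suspicion about unspaced Asian text. The following Python example is added here and is not code from the thread or from SpamAssassin; it builds the trie regex itself, rewrites non-ASCII characters as UTF-8 `\xHH` byte escapes (the "UTF-8 hex" conversion Jimmy describes), and then applies the anchored pattern to tokens. The stopword list is constructed for the example, and the anchored whole-token match is an assumption standing in for the real Bayes stopword check.

```python
import re

# Constructed stopword list (not the word list discussed in the thread): a few
# English words plus Korean words written in Unicode.
STOPWORDS = ["the", "then", "and", "이것", "이것은", "그리고"]


def build_trie(words):
    """Character trie; an empty-string key marks the end of a word."""
    root = {}
    for word in words:
        node = root
        for ch in word:
            node = node.setdefault(ch, {})
        node[""] = {}
    return root


def trie_to_regex(node):
    """Emit an alternation with shared prefixes factored out, the same shape
    Regexp::Trie produces in the Perl snippet above."""
    ends_here = "" in node
    branches = sorted(k for k in node if k != "")
    if not branches:
        return ""
    parts = [re.escape(ch) + trie_to_regex(node[ch]) for ch in branches]
    if len(parts) == 1:
        # a word may end before the remaining suffix, so make it optional
        return "(?:%s)?" % parts[0] if ends_here else parts[0]
    body = "(?:%s)" % "|".join(parts)
    return body + "?" if ends_here else body


def utf8_hex_escape(pattern):
    """Rewrite every non-ASCII character as its UTF-8 bytes in \\xHH form, so the
    pattern can live in an ASCII-only config file and match raw UTF-8 tokens."""
    out = []
    for ch in pattern:
        if ord(ch) < 0x80:
            out.append(ch)
        else:
            out.append("".join("\\x%02x" % b for b in ch.encode("utf-8")))
    return "".join(out)


def compile_stopword_re(words):
    """Anchored whole-token match over bytes (assumed model of a stopword check)."""
    escaped = utf8_hex_escape(trie_to_regex(build_trie(words)))
    return re.compile(b"^(?:" + escaped.encode("ascii") + b")$")


STOPWORD_RE = compile_stopword_re(STOPWORDS)


def is_stopword(token, compiled=STOPWORD_RE):
    """True when the whole token is a stopword; a token that merely contains
    one (e.g. an unspaced run of characters) is not skipped."""
    return compiled.match(token.encode("utf-8")) is not None
```

Run `is_stopword("이것은")` and `is_stopword("이것은좋다")` side by side: the first is skipped, the second is not, because the pattern is anchored to the token and the tokenizer never split the run. That is the behaviour to look for in the `spamassassin -D bayes` output before concluding the pattern itself is wrong.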
Re: Building Red Hat Rawhide SA 4.0.0 package for RHEL/CentOS 7
On 12/6/23 08:25, Kenneth Porter wrote:
> On 12/5/2023 10:57 PM, Benny Pedersen wrote:
>> mimedefang does not use spamd, you only need either spamassassin only with spamd or mimedefang with spamassassin not running spamd
>
> It's a small server so I can afford to run SA twice, once at the MTA level through mimedefang (which can potentially reject egregious spam), and once during delivery via procmail, which invokes spamc.

why ? If you run SA at the MTA level you shouldn't need to run spamc at all at delivery time.
Spoiler: with the next SA and MIMEDefang versions you will be able to use spamd natively.

Giovanni
Re: Too many dots?
On 11/16/23 17:26, Greg Troxel wrote:
> Alex writes:
>> Also, the KAM rules are designed to be used in conjunction with the stock rules, so it also seemed somewhat punitive to award so many points and to be expected to offset them for a completely benign email.
>
> My experience is that many of the KAM rules are unreasonably aggressive. In particular, I don't think it's ok for a rule to be over 3 points, unless it is virtually certain that any message that hits it will be spam.
>
> Overall, they don't feel tuned to meet SA doctrine which AIUI is that there should be quite rare FPs, meaning ham >= 5 points.

you can work with sa-update(1) --score-multiplier and --score-limit to reduce score of KAM rules. This might improve the situation in your case.

Giovanni
Re: Anybody else getting bombarded with "I RECORDED YOU" spam?
To block this type of spam I've increased the score of GB_HASHBL_BTC (Bitcoin rbl) rule.

Giovanni

On 11/10/23 11:01, Mark London wrote:
> Sendmail didn't introduce FEATURE(require_rdns) until 2007. I'm sure I've been using it longer than that. And by default it's not enabled. It doesn't totally block the "I RECORDED YOU" spams. Occasionally some come through with IP addresses that have valid reverse lookups. But the number getting blocked is still huge.
>
> On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:
>> On 10.11.23 at 08:40, Mark London wrote:
>>> Marc - You are correct. All the IP sources of this spam don't have a valid reverse lookup of the IP address to an IP name. That will solve my problem. Thanks! - Mark
>>
>> in other words your MTA is misconfigured
>> https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
>>
>>> On 11/9/2023 12:38 PM, Marc wrote:
>>>> Do you at least verify the reverse lookup? That already stops a lot of such networks.
Re: spamc -L does not return 5, or 6
On 11/7/23 18:38, Cecil Westerhof wrote:
> Matus UHLAR - fantomas writes:
>> On Tue, Nov 07, 2023 at 02:28:38AM +0100, Cecil Westerhof wrote:
>>> https://spamassassin.apache.org/full/3.1.x/doc/spamc.html says:
>>>
>>> -L learn type
>>> Send message to spamd for learning. The learn type can be either spam, ham or forget. The exitcode for spamc will be set to 5 if the message was learned, or 6 if it was already learned. Note that the spamd must run with the --allow-tell option for this to work.
>>
>>> "George A. Theall via users" writes:
>>>> How are you running spamd? With -l / --allow-tell?
>>
>> On 07.11.23 15:01, Cecil Westerhof wrote:
>>> --pidfile=/run/spamd.pid --username=imaps --allow-tell --create-prefs --max-children 5 --helper-home-dir
>>>
>>> And the learning does work. But I have to use the generated text instead of the exit codes.
>>
>> I'm afraid that for --allow-tell and --username=imaps you need all mailboxes to be writable under "imaps" user, e.g. virtual users or similar.
>
> They are imaps -> imap over ssh. But that is not the problem. Spamc does what it should be doing, except that it gives back 0 instead of 5 or 6.

It seems to be a documentation bug, see https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6069 and https://bz.apache.org/SpamAssassin/show_bug.cgi?id=1201#c47

Giovanni
Re: Stealth HREF= (missed by SA)
On 9/14/23 16:24, Bill Cole wrote:
> On 2023-09-14 at 04:37:03 UTC-0400 (Thu, 14 Sep 2023 17:37:03 +0900) Joe Wein via users is rumored to have said:
>> I filed a bug for this issue on Bugzilla (#8186) but so far no response from developers.
>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8186
>
> FWIW, I've thought about it a bit...
>
>> We're seeing literally millions of phishing spams from Tencent VMs in Singapore targeting mostly Amazon Japan that are getting around SA checks because of this issue.
>
> Wow. I didn't expect that this was that big of a tactic.
>
>> I am wondering how many other users are seeing this problem which allows spammers to circumvent URI checks in links in spam (i.e. hide the payload sites).
>
> I don't see it, but the systems I manage have no reason to expect anything but criminal-grade spam from anything on a Tencent network in Singapore. Everyone gets their own bespoke spamstream I guess.
>
>> They do it by prefixing the href= attribute in an HTML tag with letters and a slash, for example:
>>
>> <a h/href="https://some.phishing.site:">https://amazon.co.jp</a>
>>
>> Both Chrome and mail clients like Mozilla Thunderbird discard that "h/" prefix (perhaps treating it as a separate unrecognizable attribute, like "
>
> I'm thinking that the best approach may not be in trying to parse the bogus tag to glean a domain that may or may not be known to be bad, but rather to detect the general pattern, which is itself a direct indicator of bad intent.

rawbody BADHREF /\s+.\/href\=/

should be a start to write a rule to catch those spam messages.

Giovanni
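To see why the proposed rawbody rule works, and what a tolerant HTML parser makes of the prefixed attribute, here is an added Python example (not code from the thread, from SpamAssassin or from any mail client). It applies the Python equivalent of `rawbody BADHREF /\s+.\/href\=/` to two constructed bodies, adds a generalised form that accepts more than one letter before the slash (the thread says "letters and a slash", while the rule's `.` allows exactly one character), and runs the standard library's `html.parser` over the same bodies to show that it, like the clients Joe Wein names, drops the junk attribute and keeps the real href. The link targets are constructed example hosts.

```python
import re
from html.parser import HTMLParser

# Constructed sample bodies (not the spam sample from the thread); example.com/.net
# are reserved documentation domains.
PLAIN_LINK = '<p>See <a href="https://www.example.com/help">help</a></p>'
PREFIXED_LINK = ('<p>See <a h/href="https://login.example.net/">'
                 'https://amazon.co.jp</a></p>')

# Python equivalent of the proposed SpamAssassin rule:  rawbody BADHREF /\s+.\/href\=/
BADHREF_RULE = re.compile(r"\s+./href=")
# Generalisation: allow one or more word characters before the slash, since the
# thread describes the prefix as "letters and a slash", not a single character.
BADHREF_GENERAL = re.compile(r"\s+\w+/href=")


def badhref_hits(raw_body):
    """Return (rule_hit, generalised_hit) for a raw HTML body."""
    return (BADHREF_RULE.search(raw_body) is not None,
            BADHREF_GENERAL.search(raw_body) is not None)


class HrefCollector(HTMLParser):
    """Collect href values of <a> tags the way a tolerant parser recovers them,
    and keep the names of any stray attributes it had to skip over."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.junk_attrs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value is not None:
                self.hrefs.append(value)
            else:
                self.junk_attrs.append(name)


def parsed_hrefs(raw_body):
    """(hrefs, junk attribute names) as seen by html.parser."""
    parser = HrefCollector()
    parser.feed(raw_body)
    parser.close()
    return parser.hrefs, parser.junk_attrs
```

The two views together make the detection argument: the raw-body pattern fires on the malformed attribute itself, while the parsed view confirms that the recipient's client still receives a working link, so the malformation is not a harmless typo.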
Mail::SpamAssassin::Plugin::Phishing PhishStats[.]info domain expired
Hi,
phishstats[.]info domain has recently moved to a parking domain, if you are using Mail::SpamAssassin::Plugin::Phishing plugin with data downloaded from PhishStats[.]info it would be better to comment "phishing_phishstats_feed" configuration line.
If PhishStats[.]info will not find a new home I am going to remove the relevant code from the plugin.

Regards
Giovanni
Re: check_rbl question
On 7/7/23 16:18, Michael Grant via users wrote:
> I'm using check_rbl with some paid lists for example invaluement. I don't want to put my license key into the rule or it ends up in the spamassassin X-Spam-Report header. On one server, I've configured bind9 with DNAME records to hide the key. But what do others do? Is there some easier way to do this?

If you are using SpamAssassin 4.0 you can use the "nolog" feature like this:

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
  urirhssub URIBL_IVMURI uri.XXX.invaluement.com. A 2
  body      URIBL_IVMURI eval:check_uridnsbl('URIBL_IVMURI')
  describe  URIBL_IVMURI listed on ivmURI found at invaluement.com
  if can(Mail::SpamAssassin::Conf::has_tflags_nolog)
    tflags  URIBL_IVMURI net nolog
  else
    tflags  URIBL_IVMURI net
  endif
  score     URIBL_IVMURI 2.0
  reuse     URIBL_IVMURI
endif

Giovanni
Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?
On 3/21/23 09:37, Matus UHLAR - fantomas wrote:
> On 20.03.23 13:54, Mark London wrote:
>> I've never seen a false positive with USER_IN_DEF_SPF_WL.
>
> I have seen multiple, that's why I have:
>
> unwelcomelist_auth *@*.getresponse-mail.com - don't remember this one
> unwelcomelist_auth *@google.com - spam from google drive, docs etc

I agree, there is a bz open for this issue.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7902

> unwelcomelist_auth *@*.microsoft.com - spam from teams invitations

we should have a better welcomelist_auth check to welcomelist only some email addresses.

Giovanni

> in my config.
Re: AuthRes plugin (replay RBL queries one hour later)
On 3/2/23 12:49, Benny Pedersen wrote:
> giova...@paclan.it wrote on 2023-03-02 10:04:
>> On 3/1/23 14:30, Benny Pedersen wrote:
>>> Henrik K wrote on 2023-03-01 10:28:
>>>> On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>>>>> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available. However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
>>>>
>>>> Because it's experimental and unfinished.
>>>
>>> logic is as well why should spf plugin be enabled to test if arc chain pass spf ? same problem with dkim imho as long as forwarders insist on doing dkim sign and leave arc seal and arc sign :/
>>
>> I have wip code to check if dkim passes from arc signatures and integrate it into DMARC policies checks.
>
> how ?, this code works without authres enabled as i see it

if DKIM fails but ARC passes DMARC policy could be overridden, this part doesn't work.
In your case DMARC would pass even without ARC because DKIM is valid.

> Return-Path:
> X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on localhost.junc.eu
> X-Spam-Level:
> X-Spam-Status: No, score=-2.8 required=5.0 tests=ARC_SIGNED,ARC_VALID,AWL,
>     DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
>     HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
>     RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_BAD,RELAYCOUNTRY_GREY,SPF_HELO_PASS,
>     SPF_PASS,UNPARSEABLE_RELAY autolearn=no autolearn_force=no version=4.0.0
> X-Spam-Timing: total 1713 ms - parse: 1.94 (0.1%), b_tie_ro: 4.4 (0.3%), extract_message_metadata: 41 (2.4%), tests_pri_-1: 7 (0.4%), compile_gen: 292 (17.1%), get_uri_detail_list: 3.4 (0.2%), tests_pri_-2000: 2.0 (0.1%), compile_eval: 27 (1.6%), tests_pri_-1000: 1.77 (0.1%), tests_pri_-950: 1.21 (0.1%), tests_pri_-900: 1.29 (0.1%), tests_pri_-100: 892 (52.1%), dkim_load_modules: 34 (2.0%), check_dkim_signature: 540 (31.5%), poll_dns_idle: 827 (48.3%), check_spf: 64 (3.7%), tests_pri_-90: 1.41 (0.1%), tests_pri_0: 443 (25.9%), tests_pri_500: 2.1 (0.1%), tests_pri_1000: 12 (0.7%), total_awl: 10 (0.6%), check_awl: 1.95 (0.1%), update_awl: 1.92 (0.1%), rewrite_mail: 0.00 (0.0%)
>
> Content analysis details:   (-2.8 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
>                             [94.237.105.223 listed in wl.mailspike.net]
> -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/, medium trust
>                             [94.237.105.223 listed in list.dnswl.org]
> -0.1 SPF_PASS               SPF: sender matches SPF record
> -0.1 SPF_HELO_PASS          SPF: HELO matches SPF record
>  0.0 ARC_SIGNED             Message has a ARC signature
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
>  0.0 ARC_VALID              Message has a valid ARC signature
> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
>  0.1 RELAYCOUNTRY_GREY      Relayed through at some point
>  1.5 RELAYCOUNTRY_BAD       Relayed through at some point
>  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> -2.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list manager
> -0.1 DMARC_PASS             DMARC pass policy
>  0.0 AWL                    AWL: From: address is in the auto welcome-list
>
>> Authres plugin is needed to parse Arc signatures and pass the results to DMARC plugin.
>
> yes the magic can be done in dmarc where it belongs
>
> authres is imho only for trusted arc signers, not for testing ARC_VALID or ARC_SIGNED
>
> confirm it ?, the rules for authres does not work for me, but it seem it does for others ?, why ?
Re: AuthRes plugin (replay RBL queries one hour later)
On 3/2/23 11:50, Matus UHLAR - fantomas wrote:
>> On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>>> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available. However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
>
>> Henrik K wrote on 2023-03-01 10:28:
>>> Because it's experimental and unfinished.
>
>> On 3/1/23 14:30, Benny Pedersen wrote:
>>> logic is as well why should spf plugin be enabled to test if arc chain pass spf ? same problem with dkim imho as long as forwarders insist on doing dkim sign and leave arc seal and arc sign :/
>
>> On 02.03.23 10:04, giova...@paclan.it wrote:
>>> I have wip code to check if dkim passes from arc signatures and integrate it into DMARC policies checks.
>>> Authres plugin is needed to parse Arc signatures and pass the results to DMARC plugin.
>
> Authres plugin should only parse Authentication-Results: headers, not signatures themselves.

I mean ARC-Authentication-Results headers, signatures are checked by DKIM.pm.

> other plugins should be able to use data provided by this plugin.

this is still WIP code.
Re: AuthRes plugin (replay RBL queries one hour later)
On 3/1/23 14:30, Benny Pedersen wrote:
> Henrik K wrote on 2023-03-01 10:28:
>> On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>>> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available. However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
>>
>> Because it's experimental and unfinished.
>
> logic is as well why should spf plugin be enabled to test if arc chain pass spf ? same problem with dkim imho as long as forwarders insist on doing dkim sign and leave arc seal and arc sign :/

I have wip code to check if dkim passes from arc signatures and integrate it into DMARC policies checks.
Authres plugin is needed to parse Arc signatures and pass the results to DMARC plugin.

Giovanni

>>> I will try to load it to see if it works.
>>
>> You also need rules for it to do anything. No plugin uses its parsing at this time.
>
> its as well good to define trustness in this scenario, this is more or less bogus :)
>
>> Try the example rules and report back if it works..
>> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html
>
> it does not, how should dmarc plugin use this ? dmarc only works with A-R headers imho, not internal data as in spamassassin, okay first step first :)
Re: Install plugins into embedded spamassassin
On Sat, Feb 25, 2023 at 03:30:13PM +0100, hg user wrote:
> Hi,
> I'd like to install at least one plugin in my embedded spamassassin, installed inside Zimbra.
> I'm a bit afraid of breaking stuff, about missing dependencies and so on.
>
> I'm on SA 3.4.5 and - as a test - I'd like to install ESP plugin.

Zimbra uses standard SA, it's just bundled in their software.
To install an additional plugin you should create /etc/mail/spamassassin/ESP.pre file with this content:

loadplugin Mail::SpamAssassin::Plugin::Esp Esp.pm

And add Esp.pm and Esp.cf to /etc/mail/spamassassin/. Same for other plugins you might need.
Zimbra uses amavisd-new, so you need to reload amavisd-new as well when you change SpamAssassin configurations.

Giovanni
Re: Messages from outer clients marked as spam
On 1/26/23 08:51, Andrea Venturoli wrote:
> On 1/26/23 08:23, Matus UHLAR - fantomas wrote:
>>> So, I'm tempted to conclude that I don't need to mess with internal_networks, msa_networks, and trusted_networks,
>>
>> Not here
>
> Ok.
>
>> clients submitting mail without authentication (which was very common >10 years ago and still persists somewhere).
>
> Dreadful :)
>
>> or call synthesize_received_header in MIMEDefang. With milter, you need to synthesize Received: header, because milter does see the mail as it came to your MTA, without the locally added Received: header.
>
> So, this is possibly the problem. I'll investigate.
> (I'll also need to upgrade/patch MIMEDefang before I can use this. Thanks Giovanni for pointing this out! I guess this will save me a lot of would be wasted time).
>
>> I guess it's just because of this Received: header that wasn't seen when mimedefang processed the mail.
>
> Hmm, then how could spamassassin possibly apply PDS_RDNS_DYNAMIC_FP, RCVD_IN_PBL, RCVD_IN_ZEN_LASTEXTERNAL, RDNS_DYNAMIC, ... rules? Where does it get the source IP from? I only see it there and in an X-Authentication-Warning header (but I guess MIMEDefang would also not see this one).

MIMEDefang 2.84 will synthesize a header like:

by $hostname (envelope-sender $Sender) (MIMEDefang) with ESMTP id $MessageID

even for authenticated emails, while MIMEDefang 2.85+ will inject an ESMTPA header for authenticated emails. This will change which SpamAssassin rules are triggered.

Giovanni

>> Perhaps there are other Received: headers in the e-mail?
>
> Absolutely not. There's only the one I posted.
>
> bye & Thanks
> av.
Re: Messages from outer clients marked as spam
On 1/23/23 17:53, Bill Cole wrote:
> On 2023-01-23 at 10:51:14 UTC-0500 (Mon, 23 Jan 2023 16:51:14 +0100) Andrea Venturoli is rumored to have said:
>> Hello.
>>
>> I've got a long standing server, where I run FreeBSD (13.1) + sendmail (8.17.1) + MIMEDefang (2.84) + SpamAssassin (3.4.6).
>> (I know there are more recent versions, but that's what ports currently provide).
>
> SA4 has been in ports for a while. MD3.x should be but is not. This is unlikely to be relevant to your problem.
>
>> This has been working perfectly for years.
>> Since the beginning of this year, however, incoming (SMTP authenticated) mail from clients outside the LAN is marked as spam.
>
> Very odd. Since you're still on SA3.4.6, the only piece that should have changed about SA is the rules and the data in external resources like DNSBLs. That should not have been able to affect how SA detects authenticated clients.
>
>> E.g.
>> X-Spam-Score: 10.756 (**) BAYES_00,KAM_DMARC_REJECT,KAM_DMARC_STATUS,KAM_LOTSOFHASH,KHOP_HELO_FCRDNS,LOTS_OF_MONEY,PDS_RDNS_DYNAMIC_FP,RCVD_IN_PBL,RCVD_IN_ZEN_LASTEXTERNAL,RDNS_DYNAMIC,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL
>
> Some external data sources there: sender domain DMARC/SPF records, SpamHaus, client rDNS. I think the KAM_DMARC_* rules may be new as well.
>
> It is also possible that there were changes in your system that could trigger this, but I would expect that you'd have mentioned it if you had made any obvious ones: hostname, local.cf, mimedefang-filter. It would also be notable if your users have started connecting from a new range of addresses.
>
>> Right now I instructed MIMEDefang to avoid passing authenticated mails to SpamAssassin, but this is not what I ideally want. (If a client gets compromised...).
>
> Correct. SA should be able to detect trustworthy authentication indications in the trusted Received headers which prevent it from applying *most* of those rules.
>
>> My real wish would be to always run messages through SpamAssassin, but avoid RBL/SPF/DMARC/dynamic IPs/etc... checks for those that come from an authenticated client, as these rules make no sense in that case.
>> What's the best practice to achieve this result?
>
> Configure your internal_networks, msa_networks, and trusted_networks properly and make sure that your mimedefang-filter calls synthesize_received_header() before spam_assassin_check(). With those parameters set correctly and the local Received header included, SA should be able to detect authenticated clients of trusted machines and skip those rules.

in MIMEDefang 2.84 synthesize_received_header() doesn't add a correct header if the email is authenticated, this has been fixed in MIMEDefang 2.85 with this commit:
https://github.com/The-McGrail-Foundation/MIMEDefang/commit/34ffd6fa31c4d9e79494fae427ec3b9da6a1c8b1

The problem could have been spotted only recently because more domains started to use DMARC.

Giovanni
Re: perldoc Mail::SpamAssassin::GeoDB and MaxMind wooes
On 1/5/23 21:57, Benny Pedersen wrote:
> giova...@paclan.it wrote on 2023-01-05 11:25:
>> asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_
>> asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_
>
> are these 2 lines used for database lookup in GeoIPLite2-ASN at all ?

those lines are used for dns ASN queries

>> add_header all ASN _ASN_ _ASNCIDR_
>
> with dns this works, but with GeoIPLite2-ASN then _ASNCIDR_ is not a valid cidr result :(
>
> hope developers can find why with it

GeoDB can only set _ASN_ tag, it has no data for _ASNCIDR_.
If you need _ASNCIDR_ tag you have to switch to dns queries.

Giovanni
Re: perldoc Mail::SpamAssassin::GeoDB and MaxMind wooes
On 1/4/23 20:07, Benny Pedersen wrote:
> how to setup ASN plugin with it ?
>
> currently i find that _ASNCIDR_ gives not cidr info with GeoIPLite2-ASN.mmdb
>
> is this a limit of Lite ?

no, from Mail::SpamAssassin::Plugin::ASN :
---
GeoDB (GeoIP ASN) database lookups are supported since SpamAssassin 4.0 and it's recommended to use them instead of DNS queries, unless "_ASNCIDR_" is needed.
---

To have _ASNCIDR_ tag you need to add to your config:

asn_lookup asn.routeviews.org _ASN_ _ASNCIDR_
asn_lookup_ipv6 origin6.asn.cymru.com _ASN_ _ASNCIDR_
add_header all ASN _ASN_ _ASNCIDR_

Giovanni
ESPs spam updates
Hi,
as everybody knows, spam from ESPs continues, some news about my efforts to counter those spammers:

- new version of Mail::SpamAssassin::Plugin::Esp has been released, you can find it at https://github.com/bigio/spamassassin-esp
- my ESPs rbl is now public, rules to use it can be downloaded from https://spamassassin.snb.it/Esp-rbl.cf
- if you are using SpamAssassin 4.0, the rbl can be used without loading ESP plugin.

Happy new Year
Giovanni
Re: 4.0.0 dnsbl_subtests.t test failures
On Mon, Dec 26, 2022 at 10:38:07AM +1300, Sidney Markowitz wrote:
> Philippe Chaintreuil via users wrote on 26/12/22 6:27 am:
>> I'm getting test failures for the dnsbl_subtests.t. Figured I'd check here before filing a bug.
>>
>> I'm running Spam Assassin 4.0.0 on Gentoo Linux. Perl 5.36.0.
>>
>> Test output:
>>
>> ==
>> ...
>> t/dnsbl_subtests.t 1/46 rules: unknown eval 'check_uridnsbl' for X_URIBL_N_3
>> rules: unknown eval 'check_uridnsbl' for X_URIBL_Y_2D
>> rules: unknown eval 'check_uridnsbl' for X_URIBL_N_0B
>
> I haven't tested on gentoo, but I have tested on different platforms with perl 5.36.0.
>
> I can get exactly that set of error messages by commenting out the loadplugin for URIDNSBL in rules/init.pre or deleting the file rules/init.pre completely, and running make test with the default setting of run_net_tests=n in t/config.dist. If I change it to run_net_tests=y then the test t/uribl.t also fails where it tries to use check_uridnsbl
>
> None of the other tests use check_uridnsbl so they don't generate errors. t/spamd_allow_user_rules.t references check_uridnsbl but it is checking something with rule parsing and never tries to run it so it doesn't fail.

dnsbl_subtests.t runs even with run_net_tests=n (fixed a few minutes ago in trunk), the "unknown eval" error is unrelated to this bug anyway, I think in this case the user fails to load init.pre correctly in his setup.

Giovanni
Re: Mail hits MISSING rules despite presence of headers
On 12/5/22 16:10, giova...@paclan.it wrote:
> On 11/27/22 21:58, Alex wrote:
>> Hi,
>> I have emails from wayfair and Dell that hit many of the MISSING_* rules but these headers are clearly displayed.
>>
>> * 0.5 MISSING_MID Missing Message-Id: header
>> * 1.0 MISSING_FROM Missing From: header
>> * 1.8 MISSING_SUBJECT Missing Subject: header
>> * 1.4 MISSING_DATE Missing Date: header
>> * 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>> *     Subject: text
>>
>> This also consequently causes DMARC/DKIM to fail.
>>
>> https://pastebin.com/yFCRx76x
>
> Could you try if patch in bz 8078 (https://bz.apache.org/SpamAssassin/attachment.cgi?id=5863&action=diff) fixes the issue ?
> Spample is no more available on Pastebin.

with the patch applied Shortcircuit works correctly.

Giovanni
Re: Mail hits MISSING rules despite presence of headers
On 11/27/22 21:58, Alex wrote:
> Hi,
> I have emails from wayfair and Dell that hit many of the MISSING_* rules but these headers are clearly displayed.
>
> * 0.5 MISSING_MID Missing Message-Id: header
> * 1.0 MISSING_FROM Missing From: header
> * 1.8 MISSING_SUBJECT Missing Subject: header
> * 1.4 MISSING_DATE Missing Date: header
> * 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
> *     Subject: text
>
> This also consequently causes DMARC/DKIM to fail.
>
> https://pastebin.com/yFCRx76x

Could you try if patch in bz 8078 (https://bz.apache.org/SpamAssassin/attachment.cgi?id=5863&action=diff) fixes the issue ?
Spample is no more available on Pastebin.

Thanks
Giovanni
Re: Mail hits MISSING rules despite presence of headers
On 11/28/22 17:47, Bill Cole wrote:
> On 2022-11-28 at 11:03:29 UTC-0500 (Mon, 28 Nov 2022 11:03:29 -0500) Alex is rumored to have said:
>> On Mon, Nov 28, 2022 at 10:42 AM Kevin A. McGrail wrote:
>>> [...]
>>> Also, would be helpful to know if this is different than 3.4.6's behavior.
>>
>> Oh yes, I meant to mention that it is different behavior for 3.4.6. Same score for the rule, but it appears to actually shortcircuit the processing of additional rules. At the least, it doesn't add those MISSING_* rules.
>
> This is almost certainly a side-effect of recent reworking of the housekeeping around which rules have been run.
>
> As a temporary work-around, I think it would be wise to give any rule that gets SHORTCIRCUITed an overwhelming score in whichever direction it operates.

Confirmed, r1904981 is the commit that is causing this behavior.

Giovanni
Re: Spam DKIM signed by Paypal coming from their Microsoft Tenant?
On 11/14/22 21:14, Shawn Iverson wrote:
> How do I stop this? paypal.com is in the default DKIM whitelist!

Does this work on your sample ? The body you posted is only partial.

uri       __URI_IMG_PAYPAL /^https:\/\/www\.paypalobjects\.com\/(?:digitalassets|en_US|ui\-web)\/.{1,64}\.(?:gif|jpg|png)/
meta      __PAYPAL_IMG_NOT_RCVD_PAYP __URI_IMG_PAYPAL && !__HDR_RCVD_PAYPAL
meta      GB_PAYPAL_IMG_NOT_RCVD_PAYP __PAYPAL_IMG_NOT_RCVD_PAYP && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
describe  GB_PAYPAL_IMG_NOT_RCVD_PAYP Paypal hosted image but message not from Paypal
score     GB_PAYPAL_IMG_NOT_RCVD_PAYP 2.500 # limit

Giovanni
Re: Mail-SpamAssassin-4.0.0-RC1 -> Pyzor warn
On 8/29/22 19:39, Avram-Teodor Berindeie wrote:
> I compiled Apache SpamAssassin -- Version 4.0.0-RC1 from sources and in the testing phase I have the following problem.
>
> When running the command:
>
> /usr/local/src/Mail-SpamAssassin-4.0.0# spamassassin -t < sample-spam.txt > spam.out
>
> I get
>
> Aug 29 20:27:42.299 [28229] warn: rules: failed to run PYZOR_CHECK test, skipping:
> Aug 29 20:27:42.299 [28229] warn: \t(Can't locate object method "new" via package "Mail: [...]:SpamAssassin::SubProcBackChannel" (perhaps you forgot to load "Mail::SpamAssassin::SubProcBackChannel"?) at /usr/local/share/perl5/Mail/SpamAssassin/Plugin/Pyzor.pm line 336.
> Aug 29 20:27:42.299 [28229] warn: )
>
> It seems that it must be added to the respective file
>
> use Mail::SpamAssassin::SubProcBackChannel;
>
> immediately after line 37
>
> use Mail::SpamAssassin::Plugin;

Bz and patch at https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8035

Giovanni
Heads up: "Unescaped left brace" warning on SpamAssassin 4.0
Hi,
starting on 08/16 a rule that is using captured tags has been promoted and SpamAssassin 4.0 (this rule is disabled for SpamAssassin 3.x) started printing log lines like:

Aug 16 01:07:49 spamd-intel1 spamd[1706586]: plugin: eval failed: Timeout::_run: Unescaped left brace in regex is illegal here in regex; marked by <-- HERE in m/(? line 5.

on every message.
To avoid the warning you should update to a checkout newer than r1903359 (2022-08-11).

Giovanni
Re: DKIM fails on v4
On 6/26/22 20:26, Henrik K wrote:
> On Sun, Jun 26, 2022 at 12:57:32PM -0400, Alex wrote:
>>> Amavisd-new works fine here. Maybe $enable_dkim_verification or something is different.
>>
>> It's good to know you're using amavisd. It's very dependent upon the SA version you're using, though.
>>
>> It appears both DKIM and DMARC worked until the May 29th version from svn (1901385).
>>
>> At some point after that, and even until yesterday's version, DKIM stopped working. DMARC still passes with SPF, but there are no longer any occurrences of DKIM.
>
> I think Giovannis changes don't work when amavisd is passing $suppl_attrib:
>
> https://svn.apache.org/viewvc?view=revision&revision=1901719
>
> Sub _check_signature() isn't called at all in that case and things like tags are not set. I'll leave it for Giovanni to fix..

thanks for the hint, I've just committed a fix.

Giovanni
Re: DKIM fails on v4
All the people that reported DKIM failures to me in SA 4.0 in the last month are using amavisd-new, could it be related to how amavisd-new is calling SA ?

Giovanni

On 6/26/22 07:55, Henrik K wrote:
> Have you checked what debugging says?
>
> $sa_debug = 'info,dkim,DMARC';
>
> On Sat, Jun 25, 2022 at 03:45:48PM -0400, Alex wrote:
>> Hi,
>>
>> It's definitely a problem with the current spamassassin from github v4. I went back to an old version I built on May 29th and it immediately starts reporting DKIM normally again.
>>
>> I just built the latest version and it's still exhibiting the same problem. Based on my logs, it started happening on or around June 14th.
>>
>> DMARC is not working with my version from May 29th. I wonder if I could drop in the DMARC.pm that was updated at the end of June into the May 29th version and see if now they both work?
>>
>> btw, I previously mentioned github, but meant [1]svn.apache.org.
>> svn checkout [2]http://svn.apache.org/repos/asf/spamassassin/trunk Mail-SpamAssassin-4.0.0
>>
>> On Sat, Jun 25, 2022 at 3:07 PM Alex <[3]mysqlstud...@gmail.com> wrote:
>>> Hi,
>>> I've been having problems with DMARC failing over the past few weeks using the latest SA, even on sites I know have passed. It appears to have coincided with an update to DMARC.pm related to timing. I just now happened to notice that maybe the problem is with DKIM, or there's a separate DKIM problem or something I simply don't understand. Installing v3.4.6 over the latest v4 fixes the problem instantly.
>>>
>>> It appears DKIM is loading in amavis:
>>> Jun 25 00:13:09 mail03 amavis[4119158]: Module Mail::DKIM::Signer 1.20200907
>>> Jun 25 00:13:09 mail03 amavis[4119158]: Module Mail::DKIM::Verifier 1.20200907
>>> Jun 25 00:13:09 mail03 amavis[4119158]: DKIM code loaded
>>> Jun 25 00:13:18 mail03 amavis[4119158]: SpamAssassin loaded plugins: ASN, AskDNS, AutoLearnThreshold, BTCBL, Bayes, BodyEval, Check, ClamAV, DCC, DKIM, DMARC, DNSEval, DecodeShortURLs, FreeMail, FromNameSpoof, HTMLEval, HTTPSMismatch, HashBL, HeaderEval, ImageInfo, Levenshtein, MIMEEval, MIMEHeader, OLEVBMacro, PDFInfo, PhishTag, Phishing, Pyzor, Razor2, RecipientMsgID, RelayCountry, RelayEval, ReplaceTags, SPF, SendGrid, Shortcircuit, SpamCop, TextCat, TxRep, URIDNSBL, URIDetail, URIEval, URILocalBL, VBounce, WLBLEval, WelcomeListSubject, iXhash2
>>>
>>> Yet it never fires. The only references to DKIM in emails are from DKIM_ADSP_ALL. What could I be missing, or is this possibly a bug?
>>>
>>> You might also recall from my previous reports that DKIM succeeds on an email where it otherwise failed when running it through SA directly.
>>>
>>> $ spamassassin --version
>>> SpamAssassin version 4.0.0-r1901426
>>> running on Perl version 5.34.1
>>>
>>> This is on fedora35. Installing the stock 3.4.6 immediately starts triggering DKIM hits.
>>>
>>> Is there a backport of RaciallyCharged, Esp and ExtractText (although I don't really use that anymore) that's available for v3.4.6, so my welcomelist entries work in the meantime?
>>
>> References:
>>
>> [1] http://svn.apache.org/
>> [2] http://svn.apache.org/repos/asf/spamassassin/trunk
>> [3] mailto:mysqlstud...@gmail.com
Re: DMARC fails for valid record?
On 5/22/22 18:25, Kevin A. McGrail wrote:
> Alex,
>
> #1 you can use the welcomelist entries but NOT the welcomelist_auth entries if DMARC is failing.
>
> #2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that we are working through, sorry to say it's been rougher than I wanted to. But we have it in production and we are working on edge cases from my end.
>
> #3 At my work at PCCC, we changed some concepts to install the KAM rules so they are parsed after the stock rules for some of the default DMARC scores to change too. We used a new option for sa-update that Henrik added to do this. I'll ask for some info about it and test that pastebin to see if it fails on our system too. I was also discussing more DMARC/DKIM regression tests are needed. It's too fragile.
>
Starting from r1900857, official ASF channels are loaded first, then all other channels in alphabetical order.
I would like to better check the original email if possible.
Giovanni

> Regards,
> KAM
>
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
> On Sun, May 22, 2022 at 11:25 AM Alex <mailto:mysqlstud...@gmail.com> wrote:
>
> Hi, I think this is another - this one also includes KAM_DMARC_REJECT
>
> https://pastebin.com/9g9VrgVK
>
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
> * 1.8 DMARC_REJECT DMARC reject policy
>
> Can this info even be added to the welcomelist or will that also now fail?
>
> On Sun, May 22, 2022 at 11:10 AM Alex <mailto:mysqlstud...@gmail.com> wrote:
>
> Hi, is it possible the DMARC_REJECT problem still exists?
>
> https://pastebin.com/DCu9cq4t
>
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
> * 1.8 DMARC_REJECT DMARC reject policy
>
> Authentication-Results: xavier.example.com (amavisd-new);
> dkim=pass (1024-bit key) header.d=hotwire.com header.b="NEdhsCdV";
> dkim=pass (1024-bit key) header.d=amazonses.com header.b="UglVB1nr"
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
> running on Perl version 5.34.1
>
> On Wed, May 11, 2022 at 9:01 AM Alex <mailto:mysqlstud...@gmail.com> wrote:
>
> Hi,
>
> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <mailto:kmcgr...@apache.org> wrote:
>
> I believe this is a bug and fixed in trunk.
>
> On 5/10/2022 1:55 PM, Bill Cole wrote:
>
> Looks like a bug. It should not be possible to hit DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT
>
> This was from svn version 1900493. I've now checked out 1900794, but that somehow appears different from the version SA reports?
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
> running on Perl version 5.34.1
>
> My firstdata email does appear to now pass DKIM properly, without DMARC_REJECT or KAM_DMARC_REJECT.
>
> Any idea under what circumstances the DKIM check fails so I can watch for it? Or can we consider it solved?
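To show why Bill Cole's observation above holds (a valid DKIM signature whose d= equals the From: domain can never coexist with a DMARC reject verdict), here is a minimal DMARC evaluation written for this page; it is not SpamAssassin's DMARC plugin. It uses the two DKIM passes from the Authentication-Results quoted in the thread, assumes an SPF result that is constructed, and simplifies the organizational-domain lookup to the last two labels (real code uses the Public Suffix List).

```python
"""Minimal DMARC evaluation (added example, not SpamAssassin's DMARC plugin).

Strict alignment implies relaxed alignment, so a passing DKIM signature whose
d= equals the RFC5322.From domain satisfies DMARC under either adkim mode.
The organizational-domain lookup below is a simplification (assumption).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' requires an exact match, 'r' only
    the same organizational domain."""
    f, a = from_domain.lower().strip("."), auth_domain.lower().strip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class DmarcRecord:
    p: str = "none"    # requested policy: none, quarantine or reject
    adkim: str = "r"   # DKIM alignment mode
    aspf: str = "r"    # SPF alignment mode


@dataclass
class AuthResults:
    # (header.d, result) pairs as found in Authentication-Results
    dkim: List[Tuple[str, str]] = field(default_factory=list)
    spf_domain: str = ""       # domain SPF was evaluated for (MAIL FROM / HELO)
    spf_result: str = "none"


def evaluate_dmarc(from_domain: str, auth: AuthResults, record: DmarcRecord):
    """Return (result, disposition, reason). DMARC passes when at least one
    authenticated identifier aligns with the From: domain; otherwise the
    disposition is the record's p= value."""
    for d, result in auth.dkim:
        if result == "pass" and aligned(from_domain, d, record.adkim):
            return "pass", "none", f"aligned DKIM pass (d={d})"
    if auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, record.aspf):
        return "pass", "none", f"aligned SPF pass ({auth.spf_domain})"
    return "fail", record.p, "no aligned authenticated identifier"


def has_author_domain_dkim_pass(from_domain: str, auth: AuthResults) -> bool:
    """True when a passing DKIM signature's d= equals the From: domain."""
    f = from_domain.lower().strip(".")
    return any(r == "pass" and d.lower().strip(".") == f for d, r in auth.dkim)


def dkim_au_reject_conflict(from_domain: str, auth: AuthResults, record: DmarcRecord) -> bool:
    """The impossible state from the thread: author-domain DKIM pass together
    with a DMARC reject verdict. Always False for a correct evaluator."""
    _, disposition, _ = evaluate_dmarc(from_domain, auth, record)
    return has_author_domain_dkim_pass(from_domain, auth) and disposition == "reject"


if __name__ == "__main__":
    # DKIM results quoted in the thread; the SPF part is constructed.
    auth = AuthResults(dkim=[("hotwire.com", "pass"), ("amazonses.com", "pass")],
                       spf_domain="amazonses.com", spf_result="pass")
    for mode in ("r", "s"):
        rec = DmarcRecord(p="reject", adkim=mode, aspf=mode)
        print(mode, evaluate_dmarc("hotwire.com", auth, rec))
    # Only the ESP's signature passes: even relaxed alignment fails -> reject.
    esp_only = AuthResults(dkim=[("amazonses.com", "pass")])
    print(evaluate_dmarc("hotwire.com", esp_only, DmarcRecord(p="reject")))
```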
Re: Spamassassin with Galera as SQL-Backend?
On 5/6/22 11:08, Niels Kobschätzki wrote:
> Hi,
>
> I have a setup where the spamassassin-servers have actually no access to the data of the mail-servers. Now I was looking into having per user bayes-databases and saw that I can do that with a SQL-database. I have already a small galera-cluster and I wonder if spamassassin will work with it because of the limitations galera has.
> The limitations are:
>
> * only innodb
> * unsupported explicit locking
> * a primary key on all tables is necessary
> * no XA transactions
> * no reliance on auto-increment
>
> Does anyone have experience with such a setup?
>
A few things to consider: bayes_expire has no primary key. The bayes_vars MySQL table has the id defined as "id int(11) NOT NULL AUTO_INCREMENT".
Actually I have no idea if this could be a blocker for you; there should be no problem if you do not use Bayes anyway.
Giovanni
Re: How to deal with bounce messages
On Mon, Apr 25, 2022 at 12:50:49PM +0300, Henrik K wrote:
> On Mon, Apr 25, 2022 at 11:48:52AM +0200, Matus UHLAR - fantomas wrote:
> > > > > >> > https://pastebin.com/s032ndrA
> > > > > >> >
> > > > > >> > It's not only hitting DMARC_REJ_NO_DKIM and DMARC_FAIL_REJECT, but
> > > > >
> > > > > >> where did you get these from?
> > > >
> > > > On 22.04.22 10:02, Alex wrote:
> > > > > I just realized these are from my local rules, put together from a conversation many years ago, apparently from before SA had built-in DMARC support.
> > > > >
> > > > > https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html
> > >
> > > now I really wonder why these aren't part of stock SA rules.
> >
> > On 24.04.22 14:39, Alex wrote:
> > > Does this mean you are investigating further?
> >
> > not me, as I'm not involved in SA deployment more than by being active here.
> > perhaps you could file a wishlist report...
> >
> > > Are these rules from the link above useful?
> >
> > looks like they are. KAM.cf contains similar rules, but having them in stock SA would be nice.
>
> Soon released 4.0.0 already has a dedicated DMARC plugin, such rules should become obsolete. Testers would be appreciated..
>
KAM.cf already has all the needed glue; if you update to trunk and enable the DMARC plugin, DMARC rules will use the new plugin code.
Giovanni
Re: Getting right GPG key for KAM
On 3/21/22 13:31, @lbutlr wrote:
> On 2022 Mar 21, at 04:37, Henrik K wrote:
>> Right, it does seem you haven't imported the key..
>
> Thanks! That's what was missing. Odd, considering there were KAM files present, just not recent ones. Anyway, not my system, but all sorted now.
>
The KAM.cf channel started in November 2020; before that date the KAM ruleset was not signed.
Giovanni
Re: Regex error in most recent update
Hi,
Same here, Ubuntu 20.04.

On 2022/02/18 11:51, Bert Van de Poel wrote:
Hi everyone,
I just noticed we had two email servers complain last night after running sa-update about a regex problem:

/etc/cron.daily/spamassassin:
config: invalid regexp for __URI_TRY_3LD 'm,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob)\w)[^.]*\.[^/]+\.(?Variable length lookbehind is experimental in regex; marked by <-- HERE in m/(?i)^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob)\w)[^.]*\.[^/]+\.(?<-- HERE /
channel 'updates.spamassassin.org': lint check of update failed, channel failed
sa-update failed for unknown reasons

Did anyone else notice the same thing or is it just on our end?

Kind regards,
Bert
[OT] Re: fuglu 1.0.1
On 9/25/21 08:32, Jared Hall wrote:
> MIMEDefang might be another program that can help you. I personally don't know much about it, but it seems to be robust.
>
MIMEDefang can fix Alex's issue ("one domain may wish to allow html files while another would like to block them"); we can talk about it on the MIMEDefang ml (https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org) or you can send me an email about it.
Giovanni
Re: Does anyone know what generates these email headers?
On Wed, Sep 08, 2021 at 06:17:49PM -0700, Loren Wilton wrote:
> > The originating PHP script header helps people who run shared servers track down the source of problematic mail. The two most common cases are:
>
> Does this look valid?
>
> X-PHP-Originating-Script: 48:class.phpmailer.php
>
> Just looking at a dozen or so of the spams I've gotten in the last couple days that match this pattern, they all have an x-originating-spam-status of -2.9, which makes me a little suspicious that that header is faked. Maybe the others are too.
>
class.phpmailer.php means the email has been sent by PHPMailer, one of the most popular classes used to send emails using PHP.
48 is the uid of the user that sent that email, one more piece of info useful to track down compromised accounts on shared hosting.
As is, it's neither a spam nor a ham sign. If x-originating-spam-status always has the same value it's suspect anyway.
Giovanni
Re: HashBL email_whitelist override?
On 8/18/21 10:55 AM, Lars Einarsen wrote:
> Hi list,
> any suggestion on how to override the whitelist entries in the HashBL plugin?
>
> We run an in house hashbl dns list and see lots of "administrative" type addresses that match the whitelist regex in the plugin.
>
There is no way atm, but I have thought more than once about adding such a feature for the same reason.
Giovanni
Re: More fake order spam
On 4/28/21 12:59 PM, Matus UHLAR - fantomas wrote:
>>> On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
>>>>> -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager
>>>>
>>>> I have disabled this rule some time ago.
>>>> Many spammers use mailing list or their signatures.
>
>> On 2021-04-28 11:55, Giovanni Bechis wrote:
>>> Same here, is it worth keeping MAILING_LIST_MULTI at that hardcoded score?
>
> On 28.04.21 12:18, Benny Pedersen wrote:
>> i have -20 there :=)
>
>> but also local uribl enlists to catch spam
>>
>> no dns for me
>>
>> keep it very negative ensures not rejecting maillists
>>
>> maybe harden with !FREEMAIL_FROM
>>
>> or DKIM_VALID_EF
>>
>> if that hits its direct mailing and possible spam, while ! is maillist often :=)
>
> I looked around my spam folder, I see that I did:
>
> score MAILING_LIST_MULTI -0.001
>
> just to see the rule if it hits.
>
> out of 120 spams currently, I see many spams from google(groups), mailjet and other list providers I haven't signed for.
>
> some do hit FREEMAIL_FROM, some don't.
>
~8% of my daily spam hits MAILING_LIST_MULTI and only 0.2% hits both MAILING_LIST_MULTI and FREEMAIL_FROM for me.

> funny is that they hit FREEMAIL_FORGED_FROMDOMAIN because of @googlegroups.com envelope but gmail.com From, which is expected for mailing list.
>
> some hit DKIM_VALID_EF, some don't
>
> ...DKIM_VALID_EF is imho useless, because mail should be signed with DKIM of header domain, not envelope.
>
> while I agree that MAILING_LIST_MULTI can be used in meta rules, it's neither of those, and none I currently know of.
Re: More fake order spam
On 4/28/21 11:44 AM, Matus UHLAR - fantomas wrote:
>> -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager
>
> I have disabled this rule some time ago.
> Many spammers use mailing list or their signatures.
>
Same here, is it worth keeping MAILING_LIST_MULTI at that hardcoded score?
Giovanni
Re: Using spamassassin modules from a git repo
On 4/8/21 7:51 PM, Bill Cole wrote:
>> So clearly it's not ideal to clone a spamassassin module into /etc/spamassassin!
>>
>> I'm curious if someone has a clean solution here that allows updating the module from time to time from git.
>
> That module? No. I have the utmost respect for and trust in Giovanni Bechis and use his code every day, but that module as it exists at Github is not structured to be used from a git checkout. The 4 significant files all properly belong in different places. The specific proper places would depend on how your Perl and SA installations were configured.
>
To update a SpamAssassin module from time to time from Git I am using Puppet/Ansible, which will put the code in the right places.
On simpler installs I am using a Makefile like this one:

install:
	pod2man Esp.pm > "/usr/share/man/man3p/Mail::SpamAssassin::Plugin::Esp.3p"
	perl -cw Esp.pm && podlint Esp.pm && cp Esp.{cf,pm,pre} /etc/mail/spamassassin/

Then I can run git pull from the directory and run make install to copy all files to the correct places.
Giovanni
Re: SA DKIM check
On 4/1/21 3:10 PM, Simon Wilson wrote:
> Does SA always do its "own" DKIM check, or can it be told to use an already written trusted AuthservId-written Authentication-Results header, e.g. from OpenDKIM?
>
I think Mail::SpamAssassin::Plugin::AuthRes (on trunk) is what you are looking for.
Giovanni
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 10:33:15AM -0500, Michael Grant wrote:
> On Sun, Feb 28, 2021 at 03:53:33PM +0100, Giovanni Bechis wrote:
> > On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> > > Ultimately I want the spamassassin report in the headers but I don't want the license key in there.
> > >
> > you can set 'tflags net nolog' if you are using trunk.
> > Invaluement uri and license key will be printed as *redacted*.
> > Giovanni
>
> Hi Giovanni, unfortunately, this did not work either.
>
> I just pulled from your repo to make sure I was on master. I added nolog, the pertinent lines look like this:
>
> askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_ID Sendgrid Id blacklist
> tflags RBL_SENDGRID_ID net nolog
>
> askdns RBL_SENDGRID_DOM _SENDGRIDDOM_.sendgrid-efd.MYLICENSE.invaluement.com A 127.0.0.2
> describe RBL_SENDGRID_DOM Sendgrid domain blacklist
> tflags RBL_SENDGRID_DOM net nolog
>
With SpamAssassin trunk (sorry, I probably was not clear) you will have:

1.0 RBL_SENDGRID_ID ASKDNS: Invaluement Sendgrid Id blacklist [*REDACTED*]

Giovanni
Re: AskDNS with a DNAME
On Sun, Feb 28, 2021 at 07:38:22AM -0500, Michael Grant wrote:
> Ultimately I want the spamassassin report in the headers but I don't want the license key in there.
>
You can set 'tflags net nolog' if you are using trunk.
Invaluement uri and license key will be printed as *redacted*.
Giovanni
Re: Phishing campaign using nested Google redirect
On 2/19/21 1:09 AM, John Hardin wrote:
> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>
>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>> Just wanted to forward an example of an interesting URL obfuscation tactic observed yesterday.
>>>
>>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>
>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
>> If you can send me a spample I could tweak it a bit more.
>
> We may need to coordinate a little here - there's also a google.com/url redir rule in my sandbox, and they may be overlapping.
>
I proposed a shared sandbox for that reason when we developed bitcoin rules (and we had similar problems with overlapping rules).
Giovanni
Re: Phishing campaign using nested Google redirect
On 2/18/21 6:37 PM, Ricky Boone wrote:
> Just wanted to forward an example of an interesting URL obfuscation tactic observed yesterday.
>
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> Google then spits back a response with the redirect target in both JavaScript and non-JavaScript forms (meta refresh tag):
>
> https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> Slightly different response behavior this time, but ultimately redirects the victim to the malicious destination. The effective destination in this case has been taken down, but I'll avoid putting the full link.
>
> Unfortunately, there didn't seem to be any rules that would help catch this. I have a couple thoughts on some that I would need to test, but wanted to share to the community.
>
I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
If you can send me a spample I could tweak it a bit more.
Giovanni
Re: Points for improbable Received header date?
On Thu, Feb 11, 2021 at 08:52:59AM -0500, Bill Cole wrote:
> On 11 Feb 2021, at 7:00, Loren Wilton wrote:
>
> > I'm getting a lot of spams that all have a series of completely bogus Received headers in them. A characteristic of these headers is a rather improbable datestamp, considering today's date:
> >
> > Received: from 69-171-232-143.mail-mail.facebook.com ([69.171.232.143])
> > by oxsus1nmtai03p.internal.vadesecure.com with ngmta
> > id 0574d1a8-1628c15907fbaba1; Thu, 06 Aug 2020 18:30:56 +
> >
> > Note that this message must have been in flight for about a year and a half according to that header.
>
> Minor pedantry: Actually just a few days more than half a year.
>
> > Anyone know an easy way to check for a Received header date more than say a week old and add some points?
>
> There is a received_within_months() eval in the HeaderEval plugin which someone wrote at some point but failed to suitably document or even use. There are also private functions there (e.g. _get_received_header_times()) which seem potentially useful but which are also undocumented. If you feel like being a pioneer, you could try creating rules to make use of that code.
>
And if you want to become a hero, patches to document those evals are always welcome ;-)
Giovanni
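The check Loren asks for above (a Received: date more than about a week old), as an added example written for this page rather than code from SpamAssassin's HeaderEval plugin. The reference time is passed in explicitly so the result is reproducible; the sample message is constructed after the header quoted in the thread, with a '+0000' zone assumed because the archived copy lost it.

```python
"""Stale Received-header date check (added example, not SpamAssassin code).

Walks the Received: headers of a message, takes the date after the final ';'
(RFC 5322 places it there) and reports headers whose timestamp is older than
a threshold relative to a caller-supplied reference time.
"""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime


def received_dates(raw_message):
    """Return [(header_value, datetime or None)], top-most header first.
    Headers with a missing or unparseable date yield None, not an exception."""
    out = []
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        _, sep, date_part = hdr.rpartition(";")
        if not sep or not date_part.strip():
            out.append((hdr, None))
            continue
        try:
            dt = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):  # Python < 3.10 raises TypeError here
            out.append((hdr, None))
            continue
        if dt.tzinfo is None:            # "-0000" dates come back naive: treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        out.append((hdr, dt))
    return out


def stale_received(raw_message, now, max_age_days=7):
    """Return [(age_in_days, header_value)] for Received headers older than
    max_age_days. Unparseable dates are skipped here; a rule that wanted to
    score those separately can collect the None entries from received_dates()."""
    stale = []
    for hdr, dt in received_dates(raw_message):
        if dt is None:
            continue
        age = now - dt
        if age > timedelta(days=max_age_days):
            stale.append((age.days, hdr))
    return stale


# Reference "today", matching the date of the thread (constructed).
REFERENCE_NOW = datetime(2021, 2, 11, 19, 0, tzinfo=timezone.utc)

# Constructed sample: a fresh top hop plus the stale hop quoted in the thread.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123;
\tThu, 11 Feb 2021 12:00:00 +0000
Received: from 69-171-232-143.mail-mail.facebook.com ([69.171.232.143])
\tby oxsus1nmtai03p.internal.vadesecure.com with ngmta
\tid 0574d1a8-1628c15907fbaba1; Thu, 06 Aug 2020 18:30:56 +0000
From: sender@example.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for days, hdr in stale_received(SAMPLE, REFERENCE_NOW):
        print(f"{days} days old: {hdr.splitlines()[0]}")
```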
Re: netflix phishing emails forwarded via sendgrid
On 2/9/21 10:03 PM, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>> Since it's already hitting 8.9, why do more?
>
> got one more today
>
> http://multirbl.valli.org/lookup/167.89.112.86.html
>
> envelope sender is not sendgrid.net
>
> spamurls to the phishing is sendgrid redir to hide all details of spam domain
>
> why is so many uribl not blocking phish attempts better ?
>
With the updated Esp plugin[¹] just committed to trunk you could use Sendgrid files downloaded from Invaluement as well as locally generated files.
Local files can be generated by looking at the Return-Path of the offending email.

Return-Path:

In this case "1234" is the id you are interested in.
Giovanni

[¹] https://github.com/bigio/spamassassin-esp/releases/tag/esp-v1.2
Re: netflix phishing emails forwarded via sendgrid
On Tue, Feb 09, 2021 at 10:03:57PM +0100, Benny Pedersen wrote:
> On 2021-02-02 03:25, Kevin A. McGrail wrote:
> > Since it's already hitting 8.9, why do more?
>
> got one more today
>
> http://multirbl.valli.org/lookup/167.89.112.86.html
>
> envelope sender is not sendgrid.net
>
> spamurls to the phishing is sendgrid redir to hide all details of spam domain
>
> why is so many uribl not blocking phish attempts better ?
>
> i can send sample on request to pmc members
>
Please send me spamples, I will take a look at them.
Giovanni
Re: Bayes converstion: SQL--> Redis?
On 2/4/21 10:47 AM, Dan Mahoney (Gushi) wrote:
> Hey there all,
>
> In looking at my sql server, it looks like the on-disk size of my MySQL DB's is like 9G (because of InnoDB, it's hard to glean just from the filesystem what tables are which).
>
> Anyway, I'd like to move over to a global redis system, but I don't see an easy way to convert from bayes SQL to redis bayes.
>
> Is this somewhere and I can't find it?
>
"sa-learn --backup" with the old config and "sa-learn --restore" with the new one should do what you need.
Giovanni
Re: BCC Rule and Subject change for specific rule
On 1/6/21 2:40 PM, RW wrote:
> On Tue, 5 Jan 2021 10:14:45 -0800 (PST)
> John Hardin wrote:
>
>> On Tue, 5 Jan 2021, Dave Funk wrote:
>>
>>> On Tue, 5 Jan 2021, John Hardin wrote:
>
>>>>> subjprefix FROM_ME [From Me]
>>>>
>
>>> Does this work if you're using a milter for your glue?
>>>
>>> Is there some special status/command that spamd returns to the milter for this kind of modification? If so the milters may need to be recoded to implement it.
>>
>> No, it's rewriting the message headers before passing the message back to the MTA. It's already adding a [SPAM] tag to the subject by default (if enabled). This just allows customization of that behavior.
>
> Assuming that the scan itself adds the headers. I was under the impression that amavisd adds its own headers.
>
> There's also this rather vague remark in the documentation:
>
> "To be able to use this feature a "add_header all Subjprefix _SUBJPREFIX_" configuration line could be needed on some setups."
>
This is needed to let amavisd (from the next released version afaik) or MIMEDefang (with a custom mimedefang-filter snippet) parse the headers and correctly rewrite the subject.
Giovanni
Re: BCC Rule and Subject change for specific rule
On Mon, Jan 04, 2021 at 05:23:30PM -0800, John Hardin wrote:
> On Mon, 4 Jan 2021, Joey J wrote:
>
> > If I'm understanding things correctly, there is a way for me to BCC spam messages which lets say score 10 and send a BCC to an email address, but I'm trying to do it within only 1 rule, as well as modify the subject.
> >
> > What I don't want is a BCC sent for every messages which is scored a 10, but only the specific rule.
> >
> > Is there a way for me to accomplish this set of actions?
>
> You can't BCC the message within SpamAssassin, as SA only scores messages. The MTA or glue layer (what ties SA into your MTA) is what determines *delivery* of the message based on SA's score.
>
> Potentially, your MTA or glue layer could be configured to look for a specific scored rule name appearing in the header that lists rule hits and if found deliver the message to another destination.
>
> But specifically how to do that depends on your MTA and/or your glue. What are you using?
>
> I'm pretty sure SA only allows setting the subject tag by language, not based on rule hits. You may be able to modify the subject in the MTA/glue at the same point you do the extra delivery.
>
Starting from 3.4.3 you can add a prefix to the email subject like that:

header FROM_ME From:name =~ /Me/
subjprefix FROM_ME [From Me]

Giovanni
Re: Happy Thanksgiving and Announcing the Apache SpamAssassin Channel for the KAM Rule Set
On 12/14/20 7:27 PM, AJ Weber wrote:
>> if you are using RH based Linux distros, just put the attached configuration file under /etc/mail/spamassassin/channels.d/
>
> Apologies for the naive question; I'm running CentOS 7, SA 3.4.3. I don't have that channels.d directory by default. I've been running a more traditional cron update:
>
> 9 3 * * * /usr/local/bin/sa-update --gpgkey 6C6191E3 --channel updates.spamassassin.org && /etc/init.d/spamassassin restart
>
> Can I simplify by putting a conf file for the default updates and the KAM updates config into that location, then just run "sa-update && spamassassin restart" in cron?
>
The channels.d directory is handled by /usr/share/spamassassin/sa-update.cron, which is distributed with official RH-based RPM files and executed by /etc/cron.d/sa-update.
Stock sa-update doesn't know how to handle channels.d directories.
Giovanni
Re: Mailchimp support for spamassassin-esp
On Mon, Nov 30, 2020 at 05:40:39PM -0500, Alex wrote:
> Hi,
>
> I happened to notice today that the sendgrid spam work being done by Invaluement (https://www.invaluement.com/serviceproviderdnsbl/) and SA developers now apparently supports compromised Mailchimp domains.
> https://github.com/bigio/spamassassin-esp
>
Hi,
the spamassassin-esp plugin has been committed to trunk and I will keep it in sync with my Github repo.

> Is there an ongoing list of compromised mailchimp domains available to be used with this? That info is not included with the man page for this plugin.
>
For the moment you should use your own data; Rob replied more extensively to this question.
Giovanni
Re: Happy Thanksgiving and Announcing the Apache SpamAssassin Channel for the KAM Rule Set
On 11/26/20 5:22 PM, Kevin A. McGrail wrote:
[...]
> The KAM rule set is authored by Kevin A. McGrail with contributions from Joe Quinn, Karsten Bräckelmann, Bill Cole, and Giovanni Bechis. It is maintained by The McGrail Foundation.
>
> The KAM channel is made possible with the support of hosting from Linode and help from PCCC & cPanel. More information about our sponsors can be found at our Sponsor's Page at https://mcgrail.com/template/sponsors
>
> To enable the KAM rule set via an sa-update channel see the channel page at https://mcgrail.com/template/kam.cf_channel
>
If you are using RH based Linux distros, just put the attached configuration file under /etc/mail/spamassassin/channels.d/
Giovanni

CHANNELURL=kam.sa-channels.mcgrail.com
KEYID=24C063D8
# Ignore everything below.
return 0
Re: What can one do abut outlook.com?
On 26 October 2020 20:09:52 CET, Benny Pedersen wrote:
> Giovanni Bechis wrote on 2020-10-26 09:05:
>
>>> amavisd have penpal, if that is possible to track with TxRep ?
>> maybe something is doable by reading _TXREPEMAILCOUNT_ tag.
>
> with 3.4.4 it does not work, so is it trunk ?
>
TxRep tags are broken on 3.4.4; they have been fixed in trunk and in the 3.4 tree (available when 3.4.5 is released).
Giovanni
Re: What can one do abut outlook.com?
On 10/25/20 7:12 PM, Benny Pedersen wrote:
> Bob Proulx wrote on 2020-10-25 19:08:
>
>>> I also have a tool for weeding undesirables from the correspondent list because spamming addresses can creep onto the list, but it's very infrequently needed.
>>
>> It is a clever idea! I might add something similar to my own setup. :-)
>
> amavisd have penpal, if that is possible to track with TxRep ?
>
Maybe something is doable by reading the _TXREPEMAILCOUNT_ tag.
Giovanni
Re: TXREP: positive score on malware emails
On 10/23/20 3:30 PM, Alessio Cecchi wrote:
> Hi,
>
> I have enabled txrep on a test spamassassin setup, but on some emails with malware file attached, txrep assign a positive score:
>
> # zcat spam.eml.gz | spamc -s 2097152 -R
>
> [...]
>
> Content analysis details: (52.6 points, 5.0 required)
> [...]
> The sender was domain name "dal corte DOT org" that is sending malware to many different domains hosted by us.
>
> Is my setup of txrep bad or is "normal"?
> Thanks
>
TxRep adds a positive/negative score based on the reputation of the sender; if this sender normally sends ham email it is normal that a negative score will be applied.
If spam from this sender keeps coming, the score will change from a negative to a positive value.
You can tweak txrep_learn_penalty and txrep_learn_bonus if you want to speed up the process.
Regards
Giovanni
Re: Template variable to get the score of a single check.
On 10/23/20 2:44 PM, RW wrote:
> On Fri, 23 Oct 2020 12:49:10 +0200 (CEST)
> Matthias Rieber wrote:
>
>> is it possible to get, for instance txrep, the score of single test to write it in a header like this:
>>
>> X-Spam-Reputation: _TXREP_SCORE_
>>
>> The man page lists the following variables:
>>
>>> _TXREP_XXX_Y_ TXREP modifier
>>> _TXREP_XXX_Y_MEAN_ Mean score on which TXREP modification is based
>>> _TXREP_XXX_Y_COUNT_ Number of messages on which TXREP modification is based
>>> _TXREP_XXX_Y_PRESCORE_ Score before TXREP
>>> _TXREP_XXX_Y_UNKNOW_ New sender (not found in the TXREP list)
>>
>> I guess none of them is the final TXREP score. Maybe there's some generic template variable to access these values?
>
> Why would you want that? The score isn't a reputation, it's an adjustment that has no meaning outside of the score arithmetic. For any given reputation the TxRep score can be positive or negative, high or low.
>
> _TXREP_XXX_Y_MEAN_ represents the reputation.
>
Note that this tag will work only on 3.4.5+ (where it has been renamed to _TXREPXXXYMEAN_), see bz #7749.
Giovanni
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On Tue, Aug 25, 2020 at 08:29:55PM +0200, Benny Pedersen wrote:
> Rob McEwen wrote on 2020-08-25 19:20:
>
> > PRO TIP: Instead of complaining about this problem on this thread - why not go to the discussion list or forum of your preferred MTA - and ask them to implement it?
>
> maybe make clamav sigs ?
>
> is mimedefang working still ?, special plugins needed ?, i just use fuglu
>
MIMEDefang is still alive at a new home: https://github.com/The-McGrail-Foundation/MIMEDefang
I think it should not be complicated to implement it.
Giovanni
Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
On 8/21/20 9:28 PM, Rob McEwen wrote:
> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!
>
> ...a collection of a new TYPE of DNSBL, with the FIRST of these having a focus on Sendgrid-sent spams. AND - there is a FREE version of this - that can be used NOW! (/well... might need a SpamAssassin rule or two! Your help appreciated!)/:
>
SpamAssassin plugin available at: https://github.com/bigio/spamassassin-esp/archive/esp-v0.1.tar.gz
We will work on improving this new type of DNSBL with more data and more features, stay tuned.
Giovanni

> INFO AND INSTRUCTIONS HERE:
>
> https://www.invaluement.com/serviceproviderdnsbl/
>
> This provides a way to surgically block Sendgrid's WORST spammers, yet without the massive collateral damage that would happen if blocking Sendgrid domains and IP addresses. But we're NOT stopping at the phishes and viruses - and we're not finished! There will be some well-deserved economic pain, that puts the recipients' best interests at heart. Therefore, flagrant "cold email" spamming to recipients who don't even know the sender - is also being targeted - first with the absolute worst - and then progressing to other offenders as we make adjustments in the coming weeks.
>
> -- Rob McEwen https://www.invaluement.com
Re: base64 encoded sextortion
On 4/22/20 5:43 PM, Henrik K wrote: > > I've updated replace_tags with these 4-byte UTF-8 characters, whatever they > are, will look more in-depth later.. > you have been faster, I have the same diff on my tree and I was going to commit it :-) Giovanni > For example replace_tag A [\xf0][\x9d][\x97][\xae] > > Now your example hits at least these rules > > 3.6 FUZZY_BITCOIN BODY: Obfuscated "Bitcoin" > 1.0 BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin > > Will take a day or two to end up in sa-update.. > > > On Wed, Apr 22, 2020 at 04:44:25PM +0200, Brent Clark wrote: >> I want to add, I tried this as well, and it *did* match. But it feels >> clunky. >> >> https://pastebin.com/raw/7FaqnByB >> >> Regards >> Brent >> >> On 2020/04/22 16:14, Brent Clark wrote: >>> Sorry in that example I copied body. >>> I tried rawbody and body. >>> >>> Regards >>> Brent >>> >>> On 2020/04/22 16:11, Brent Clark wrote: >>>> Good day Guys >>>> >>>> I would like to ask if someone could help write a rule for the following >>>> base64 encoded sextortion. >>>> >>>> https://pastebin.com/raw/MWYmfkuh >>>> >>>> I tried using rawbody. But it was proving to not work and be the right >>>> solution. Below is me testing. >>>> >>>> i.e. >>>> body BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/ >>>> describe BASESEX Base64 Sextorsion >>>> score BASESEX 2.0 >>>> >>>> If anyone could assist, it would be appreciated. >>>> >>>> Kind regards >>>> Brent Clark
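Added example, not code from the thread or from SpamAssassin: the base64 string in Brent's rule decodes to Mathematical Alphanumeric Symbols rather than ASCII, and NFKC folding maps them back to plain letters so an ordinary fuzzy body rule can fire. The FUZZY_BITCOIN pattern and the to_math_bold helper here are hypothetical, written in the spirit of the rule Henrik mentions.

```python
import base64
import re
import unicodedata

# Constructed from the thread: the base64 string in Brent's BASESEX rule.
# It decodes to nine 4-byte UTF-8 characters from the Mathematical
# Alphanumeric Symbols block (U+1D400..U+1D7FF), not to ASCII text.
SAMPLE_B64 = "8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7"

# Hypothetical "fuzzy" rule in the style of SpamAssassin's FUZZY_BITCOIN:
# up to three non-word characters may sit between the letters of "bitcoin".
FUZZY_BITCOIN = re.compile(
    r"\bb\W{0,3}i\W{0,3}t\W{0,3}c\W{0,3}o\W{0,3}i\W{0,3}n\b", re.IGNORECASE
)


def decode_body(b64_body):
    """Decode a base64 Content-Transfer-Encoding body into text.

    This is the text SpamAssassin's 'body' rules see; matching the base64
    string itself, as the BASESEX rule tried, breaks as soon as the text
    is re-aligned or a single character changes.
    """
    return base64.b64decode(b64_body).decode("utf-8", errors="replace")


# NFKC applies the <font> compatibility decompositions, so U+1D5EE
# (MATHEMATICAL SANS-SERIF BOLD SMALL A, bytes F0 9D 97 AE) becomes 'a'.
# That does for the whole block what Henrik's per-sequence replace_tag
# entries do for the sequences seen so far.
def fold_fancy_letters(text):
    """Map Mathematical Alphanumeric Symbols back to plain letters."""
    return unicodedata.normalize("NFKC", text)


def to_math_bold(word):
    """Constructed obfuscation helper (test input only): rewrite a-z as
    MATHEMATICAL SANS-SERIF BOLD SMALL letters, the range the sample uses."""
    return "".join(
        chr(0x1D5EE + ord(c) - ord("a")) if "a" <= c <= "z" else c for c in word
    )


def hits_fuzzy_bitcoin(body_text):
    """Apply the fuzzy rule to the folded text, the way a body rule runs
    after the replace_tags / normalisation step."""
    return FUZZY_BITCOIN.search(fold_fancy_letters(body_text)) is not None


if __name__ == "__main__":
    decoded = decode_body(SAMPLE_B64)
    print(len(decoded), "characters:", [hex(ord(c)) for c in decoded])
    print("folded:", fold_fancy_letters(decoded))
    disguised = to_math_bold("send payment in bitcoin today")
    print("raw regex hit:", FUZZY_BITCOIN.search(disguised) is not None)
    print("after folding:", hits_fuzzy_bitcoin(disguised))
```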
Re: Spam Mail
On Tue, Mar 24, 2020 at 12:01:46PM +0530, KADAM, SIDDHESH wrote: > Team, > > Any way of blocking attached spam mail of Corona? > it's hitting more than 9 points for me with updated rules. Most relevant hits are:
1.0 FORGED_SPF_HELO No description available.
0.5 KAM_NUMSUBJECT Subject ends in numbers excluding current years
0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
0.2 KAM_DMARC_NONE DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
1.3 BITCOIN_SPAM_01 BitCoin spam pattern 01
1.3 BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
0.5 PDS_BTC_ID FP reduced Bitcoin ID
2.5 BITCOIN_SPAM_05 BitCoin spam pattern 05
Do you have updated rules? Are you using KAM.cf rules as well? Which rules does this message hit for you? Giovanni
Re: Some new SQL activity with 3.4.3?
On 15 December 2019 13:27:03 CET, Jari Fredriksson wrote: > >On 15.12.2019 7.54, Bill Cole wrote: >> On 15 Dec 2019, at 0:08, Jari Fredriksson wrote: >> >>> I suddenly find stuff like this in mail.log. What is this? Where can > >>> I get the schema? >>> >>> Dec 15 07:03:04 gauntlet spamd[19176]: auto-whitelist: sql-based >>> get_addr_entry >>> 5c2a750a32f249155ecf3ade17358fa1a98b2db7@sa_generated|1576386183: >SQL >>> error: Unknown column 'msgcount' in 'field list'[wtc...] >> >> Read the UPGRADE file. It includes steps required for anyone using >> SQL-based AWL or TxRep. >> >Hmm. Need to somehow find that file. I upgraded using CPAN so I do not >have the files. Maybe they are somewhere in /root/.cpan on some box... > >br. jarif
you can find it here: https://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_release_3_4_3/UPGRADE Giovanni
Re: Bitcoin ransom mail
On 12/13/19 3:21 PM, Dean Carpenter wrote: > On 2019-12-11 1:58 pm, Giovanni Bechis wrote: >> On 12/11/19 3:17 PM, Bill Cole wrote: >>> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote: >>> >>>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote: >>>>> Hi PFA... >>>>> >>>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote: >>>>>> On 12/10/19 7:49 PM, Michael Storz wrote: >>>>>> [...] >>>>>>> My copy hit >>>>>>> >>>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79 >>>>>>> >>>>>>> not enough to mark it as spammy. >>>>> >>>> FuzzyOcr + bayes is killing this kind of email for me: >>> >>> FuzzyOcr is unmaintained and doesn't even have an authoritative repository >>> as far as I can tell. It is computationally very expensive, to the degree >>> that it isn't safe to just add it to an existing mail system which does not >>> have a lot of idle CPU and memory capacity. >>> >> it's true that it's unmaintained but I have it running on Perl 5.28 >> with some patches and it's still useful every now and then (if you >> have some spare cpu cycles and you know what you are doing). >> A new ocr plugin could definitely be a better choice. >> Giovanni > > fuzzyocr is available from the standard repos for Ubuntu 18.04. It's > v3.6.0-10, with a homepage listed as > > https://web.archive.org/web/20130117050640/http://fuzzyocr.own-hero.net/ > > Interestingly I just got one of those bitcoin spams, but fuzzyocr didn't pick > up on it. This is the spam report for it : > If I remember correctly, by default fuzzyocr skips images with resolution higher than 800x800; the spam I received had a bigger image. Giovanni
Re: Bitcoin ransom mail
On 12/11/19 8:00 PM, Mauricio Tavares wrote: > On Wed, Dec 11, 2019 at 1:58 PM Giovanni Bechis wrote: >> >> On 12/11/19 3:17 PM, Bill Cole wrote: >>> On 11 Dec 2019, at 2:39, Giovanni Bechis wrote: >>> >>>> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote: >>>>> Hi PFA... >>>>> >>>>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote: >>>>>> On 12/10/19 7:49 PM, Michael Storz wrote: >>>>>> [...] >>>>>>> My copy hit >>>>>>> >>>>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79 >>>>>>> >>>>>>> not enough to mark it as spammy. >>>>> >>>> FuzzyOcr + bayes is killing this kind of email for me: >>> >>> FuzzyOcr is unmaintained and doesn't even have an authoritative repository >>> as far as I can tell. It is computationally very expensive, to the degree >>> that it isn't safe to just add it to an existing mail system which does not >>> have a lot of idle CPU and memory capacity. >>> >> it's true that it's unmaintained but I have it running on Perl 5.28 with >> some patches and it's still useful every now and then (if you have some >> spare cpu cycles and you know what you are doing). >> A new ocr plugin could definitely be a better choice. >> Giovanni > > I asked the project owner if I could put fuzzyocr on github. He said > go for it, so it is now at https://github.com/raubvogel/FuzzyOcr. > Cool, you can grab my patches (if they are needed) here: http://cvsweb.openbsd.org/ports/mail/p5-FuzzyOcr/patches/ Giovanni
Re: Bitcoin ransom mail
On 12/11/19 3:17 PM, Bill Cole wrote: > On 11 Dec 2019, at 2:39, Giovanni Bechis wrote: > >> On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote: >>> Hi PFA... >>> >>> On 12/11/2019 12:36 AM, Giovanni Bechis wrote: >>>> On 12/10/19 7:49 PM, Michael Storz wrote: >>>> [...] >>>>> My copy hit >>>>> >>>>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79 >>>>> >>>>> not enough to mark it as spammy. >>> >> FuzzyOcr + bayes is killing this kind of email for me: > > FuzzyOcr is unmaintained and doesn't even have an authoritative repository as > far as I can tell. It is computationally very expensive, to the degree that > it isn't safe to just add it to an existing mail system which does not have a > lot of idle CPU and memory capacity. > it's true that it's unmaintained but I have it running on Perl 5.28 with some patches and it's still useful every now and then (if you have some spare cpu cycles and you know what you are doing). A new ocr plugin could definitely be a better choice. Giovanni
Re: Bitcoin ransom mail
On 12/11/19 6:21 AM, KADAM, SIDDHESH wrote: > Hi PFA... > > On 12/11/2019 12:36 AM, Giovanni Bechis wrote: >> On 12/10/19 7:49 PM, Michael Storz wrote: >> [...] >>> My copy hit >>> >>> BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79 >>> >>> not enough to mark it as spammy. > FuzzyOcr + bayes is killing this kind of email for me: 5.0 FUZZY_OCR BODY: Mail contains an image with common spam text inside [Words found:] ["cialis" in 2 lines] [(2 word occurrences found)] Giovanni
Re: Bitcoin ransom mail
On 12/10/19 7:49 PM, Michael Storz wrote: [...] > My copy hit > > BODY_SINGLE_WORD=1.347, HTML_IMAGE_ONLY_04=1.172, MPART_ALT_DIFF=0.79 > > not enough to mark it as spammy. > > could you share a spample (as a pastebin uri or in private) ? Giovanni
Re: Spamassassin reporting
On 12/4/19 5:22 PM, Dave Goodrich wrote: > Good morning, > > Many years ago, in previous jobs, I used several scripts to report spam > statistics daily. Some I wrote, some I downloaded. I need to create some > reporting on our current zimbra/postfix/spamassassin server. The supplied > stats are pretty for managers if you have Flash, but not useful. > > Can anyone recommend a ready to run OSS script, or set of scripts, for basic > maillog stats concerning Spam? Just thought I would ask before I wrote > something. Internet searching is not turning up anything for me. > It's not a "ready to run" set of scripts, but I am using ELK to analyze maillog stats; it will take a bit to set up the whole stack, but it's very good software and you can extract all kinds of info with it. Giovanni
Re: False positives due to __BITCOIN_ID
On Wed, Dec 04, 2019 at 08:59:42AM +0100, Benny Pedersen wrote: > On 2019-12-03 20:15, RW wrote: > > On Tue, 3 Dec 2019 14:05:10 -0500 > > Mark London wrote: > > > >> It seems to me that the rule for detecting a BITCOIN in an email, is > >> incorrect. See below: > >> > >> body __BITCOIN_ID /\b(? >> > >> Why is there a \s in this rule? I didn't think that a BITCOIN id > >> has a space. > > > > It doesn't, but spammers have started splitting them up to evade > > detections. > > if clients begin to pay to split btc it works :=) > > I noted every btc spam has a unique btc address, so maybe it's not meant for > payment but only hidden tracking unfortunately it is meant for payment, here is a spample: https://pastebin.com/uBzPeXcX Giovanni
Re: Hint to write a [raw]body rule
On 10/16/19 4:11 PM, Bill Cole wrote: > On 16 Oct 2019, at 8:44, Giovanni Bechis wrote: > >> I have a lot of emails like this one (redacted): >> https://pastebin.com/v5NCRK9d >> and I would like to write a rule that matches the "=0D" that appears on some >> lines, > > Are you sure? > > That's a QP-encoded carriage return. I would expect a lot of them in both > spam and ham. > it is part of a meta-experiment >> any hints ? > > You could try matching it as '\r' in a rawbody rule, but I'm not sure that > would work. If it does, you probably want '\r[^\n]' to exclude CRLFs, but you > should test that carefully > > What should work better is to use a 'full' rule and look for the undecoded > '=0D', probably with '=0D(?!=0A)' or even '=0D(?!(=0A|=?$)' > > e.g.: > > full QP_BARE_CR /=0D(?!(=0A|=?$))/m > > CAVEAT: not well tested... > Seems to work, more tests later. thanks Giovanni
Hint to write a [raw]body rule
I have a lot of emails like this one (redacted): https://pastebin.com/v5NCRK9d and I would like to write a rule that matches the "=0D" that appears on some lines, any hints? Giovanni
Re: List of available query templates?
On 10/4/19 3:01 PM, Bill Cole wrote: > On 4 Oct 2019, at 3:36, Tobi wrote: > >> Hi list >> >> is there any doc where one can find a list of supported DNS query >> templates? > > What does that even mean??? > > SpamAssassin does many different sorts of DNS query. I am unaware of any > "template" construct in SA used for its many possible DNS queries. > > I think the user is referring to rules such as: askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/ In Mail::SpamAssassin::Conf you have docs about what _AUTHORDOMAIN_ and other tags mean. Giovanni
Re: possible FORGED_GMAIL_RCVD false positive
On Wed, Sep 18, 2019 at 08:40:55PM +0100, RW wrote: > On Wed, 18 Sep 2019 12:29:43 +0200 > Matus UHLAR - fantomas wrote: > > > Hello, > > > > I have received the following spam: > > > > https://pastebin.com/SkvkVWik > > > > This hits FORGED_GMAIL_RCVD although the message came from google mail > > servers. > > > > According to HeaderEval.pm, the message apparently misses the > > X-Google-Smtp-Source header > > > > is there any reason to expect that header in mail from gmail? > > It seems to always be there. The posts on the list have it, and I sent > some test messages from webmail and the Android app. both headers should be there; anyway the FP has been fixed in r1867159. Giovanni
Re: How to block mails from unknown ip addresses?
On 8/26/19 9:01 AM, Dominic Raferd wrote: > > > On Sun, 25 Aug 2019 at 20:16, <tba...@txbweb.de> > wrote: > > On 2019-08-25 20:54, Matus UHLAR - fantomas wrote: > > > I don't think you should download geoip postgres modules when what you > > really need is apparently a more recent database. > > > > Debian SA package suggests installing libgeo-ip-perl which further > > recommends geoip-database. > > > > buster contains version 20181108-1, while buster-backports contains > > version > > 20190724-1~bpo10+1 > > Your problem could apparently be solved installing the backported > > geoip-database > > version. > > I tried this already (described in e-Mail at 4:53 pm), but the ip > address 45.141.151.5 wasn't in the backport geoip-database. > > >> Maybe I have tomatoes on my eyes. I can't find the right debian > >> package with the DB_File-Module. Do you or someone else know which > >> package does contain the module? I don't use the cpan shell for > >> installing modules. > > > > it's very good that you don't use these. They can make a mess on a debian > > system. Only install debian packages unless you really need and can > > take > > care of manually installed packages. > > Yes, as you can see I got a warning and I installed the > liblocale-codes-perl package. > > # ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db > 45.141.151.5 > Locale::Country will be removed from the Perl core distribution in the > next major release. Please install the separate liblocale-codes-perl > package. It is being used at ./pgeoiplookup.pl, > line 35. > Locale::Codes will be removed from the Perl core distribution in the > next major release. Please install the separate liblocale-codes-perl > package. It is being used at /usr/share/perl/5.28/Locale/Country.pm, > line 22. > GeoIP version 1566699945: TR, Turkey > > > This has worked for me on Debian derivatives (Ubuntu...) to install GeoIP2 > with the much faster XS implementation: > > cpan App::cpanminus &&\ > add-apt-repository -y ppa:maxmind/ppa &&\ > apt install libmaxminddb0 libmaxminddb-dev mmdb-bin &&\ > cpanm Math::Int128 &&\ > cpanm Net::Works::Network &&\ > cpanm MaxMind::DB::Reader::XS &&\ > cpanm GeoIP2::Database::Reader > Updated geo databases are DB_File and GeoIP2 (fast does not support ipv6 and geoip is outdated). For DB_File you can/should update whenever you want but you do not have city info; for GeoIP2 you have more info but you should wait for Maxmind to update the database. Giovanni
Re: How to block mails from unknown ip addresses?
On Sun, Aug 25, 2019 at 04:53:36PM +0200, tba...@txbweb.de wrote: > On 2019-08-25 10:18, Giovanni Bechis wrote: > > geoip 1.x is no longer updated, with 3.4.2+ you can use country_db_type > > DB_File and it would > > have matched that ip. > > > > - > > $ pgeoiplookup 45.141.151.5 > > GeoIP version 1566720869: TR, Turkey > > - > > Hello, I can't find pgeoiplookup in the repository. I'm using Debian > Buster (10.0), but the geoip database in this release is from > 2018-11-08. So I activated backports to get a newer version from testing > (https://tracker.debian.org/pkg/geoip-database). > sorry, it's a tool I wrote to check ip addresses using ipcc.db databases. https://github.com/bigio/pgeoiplookup > # aptitude -t buster-backports install geoip-database > > Get: 1 http://deb.debian.org/debian buster-backports/main amd64 > geoip-database all 20190724-1~bpo10+1 > GeoIP databases are no longer updated by Maxmind, you should use a different country_db_type in the RelayCountry plugin (db_file or geoip2) to detect new ip addresses. Giovanni
Re: How to block mails from unknown ip addresses?
On Sat, Aug 24, 2019 at 08:27:03PM +0200, tba...@txbweb.de wrote: > Hello, > > I would like to block mails from ip addresses that can't be found. There > is a tricky spam series getting a low score. Currently I can block the > mails just by scoring the tld. > > I use the RelayCountry Plugin, but it doesn't work if the ip address is > not available. > > header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country > codes)/ > describe RELAYCOUNTRY_BAD Relayed through spam country at some > point > score RELAYCOUNTRY_BAD 3.5 > > > Here is some info from a header example > > X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31 > tests=[AM.WBL=7, > BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, > DKIM_VALID_AU=-0.1, > DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5, > FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392, > RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, > T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no > > DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; > d=strapdebut.pro; > h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type; > i=nonse...@strapdebut.pro; > bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=; > > b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c > > 3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2 > HOR8Zr3N45GuMa5iHdc= > DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; > d=strapdebut.pro; > > b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4 > > O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1 > SmcUvgGYccNp65I07nQ=; > From: " Carol Yates" > Date: Sat, 24 Aug 2019 12:48:11 -0500 > MIME-Version: 1.0 > Subject: ACs are going to be extinct after this discovery > > > > Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM > {RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5] > -> , quarantine: > N/spam-NHIkGYse9Osv.gz, Message-ID: > , > > mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms > > > # geoiplookup 45.141.151.5 > GeoIP Country Edition: IP Address not found > GeoIP City Edition, Rev 1: IP Address not found > GeoIP ASNum Edition: IP Address not found > geoip 1.x is no longer updated; with 3.4.2+ you can use country_db_type DB_File and it would have matched that ip. - $ pgeoiplookup 45.141.151.5 GeoIP version 1566720869: TR, Turkey - Giovanni
Re: PDS_NO_HELO_DNS is not helpful at all.
On 7/10/19 5:54 PM, Mark London wrote: > I'm sorry for not using bugzilla, but the new rule for PDS_NO_HELO_DNS is > mostly hitting real emails at my site: 1168 real emails versus 219 spam mails. > Luckily, the score is not high enough to be making any difference. FWIW. - Mark > ruleqa has the same opinion: https://ruleqa.spamassassin.org/?daterev=20190709-r1862790-n&rule=PDS_NO_HELO_DNS&srcpath=&g=Change Giovanni
Re: Spamhaus Technology contributions to SpamAssassin
On 7/3/19 7:11 PM, Riccardo Alfieri wrote: > On 03/07/19 17:59, atat wrote: > >> You say in the documentation: >> >> You should also drop, by default, all Office documents with macros. >> >> What plugin / method do You recommend for that ? > > I'm no expert in detecting macros, but there are at least two ways of doing that > that come to mind: > > - Clamav with the option OLE2BlockMacros > > - This package https://github.com/bigio/spamassassin-vba-macro > This has been superseded by https://svn.apache.org/repos/asf/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEMacro.pm; the plugin is for trunk but it works out of the box in 3.4.3rc3 as well (some work is needed to let it work on 3.4.2). Giovanni
Re: Rules for invisible div and 0pt font?
On 6/17/19 9:14 PM, Amir Caspi wrote: > Hi all, > > In reviewing today's FNs I came across the following spample: > https://pastebin.com/9QQVwUY6 > > There is a div here with display:none, as well as font-size:0px. The spample > hits HTML_FONT_LOW_CONTRAST but does not appear to hit any rule relating to a > hidden div or tiny font. > > Does LOW_CONTRAST include font-size too small, or just color too light? Is > there a rule for matching display:none? > > If not, may I propose that the following rules be sandboxed? > > rawbody AC_HIDDEN_ELEMENT /display\s*:\s*none\s*;/ > > rawbody AC_HIDDEN_FONT /font-size\s*:\s*0\s*(?:em|pt|px|%)\s*;/ > > The font one above could be modified for [0-3] or similar, if we want to > catch tiny versus literally hidden fonts. > > Cheers. > > --- Amir > There is T_HIDDEN_WORD on my sandbox (https://ruleqa.spamassassin.org/20190617-r1861495-n/T_HIDDEN_WORD/detail) I have just committed a more generic version. Giovanni
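Added example, not code from the thread or from SpamAssassin: a small Python pass over the HTML built on the two proposed rawbody patterns (using the [0-3] variant for tiny fonts) that also reports which text is being hidden, which is what a T_HIDDEN_WORD-style rule needs. The regexes, class and sample HTML are all constructed here.

```python
import re
from html.parser import HTMLParser

# Hypothetical patterns modelled on the two rawbody rules proposed above.
# The font rule uses the [0-3] variant from the thread so "tiny" text is
# caught as well as literally zero-sized text; the lookahead stops 12px or
# 30px from matching on their first digit.
HIDDEN_DISPLAY = re.compile(r"display\s*:\s*none\b", re.IGNORECASE)
TINY_FONT = re.compile(
    r"font-size\s*:\s*[0-3](?:\.\d+)?\s*(?:em|pt|px|%)?(?![\d.])", re.IGNORECASE
)


def style_hides(style):
    """True if an inline style attribute makes its element invisible."""
    return bool(HIDDEN_DISPLAY.search(style) or TINY_FONT.search(style))


class HiddenTextExtractor(HTMLParser):
    """Single pass over the HTML, tracking whether the current element or
    any ancestor is hidden, and sorting text into hidden/visible buckets.
    Unlike a rawbody regex this also tells you *what* is being hidden."""

    VOID = {"br", "img", "hr", "input", "meta", "link"}  # never closed

    def __init__(self):
        super().__init__()
        self.stack = []    # one "hidden?" flag per open element
        self.hidden = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(inherited or style_hides(style))

    def handle_endtag(self, tag):
        # Spam HTML is rarely well-formed; pop whatever is open.
        if tag not in self.VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        bucket = self.hidden if self.stack and self.stack[-1] else self.visible
        bucket.append(text)


def split_hidden_text(html):
    """Return (hidden_fragments, visible_fragments) for an HTML body."""
    parser = HiddenTextExtractor()
    parser.feed(html)
    parser.close()
    return parser.hidden, parser.visible


def hidden_element_hit(html):
    """Rule-style verdict: does the body hide any text from the reader?"""
    return bool(split_hidden_text(html)[0])


# Constructed sample body, not taken from the thread's spample.
SAMPLE_HTML = """<html><body>
<p>Your invoice is attached, please review it today.</p>
<div style="display:none;">hidden filler words to skew bayes</div>
<span style="font-size: 0px; color:#fff">hidden zero size text</span>
<p style="FONT-SIZE:12px">Regards, Accounts</p>
</body></html>"""

if __name__ == "__main__":
    hidden, visible = split_hidden_text(SAMPLE_HTML)
    print("hidden :", hidden)
    print("visible:", visible)
```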
Re: bad arg length for Socket::unpack_sockaddr_in
On 5/22/19 7:37 AM, @lbutlr wrote: > With spamassassin-3.4.2_3 and spamass-milter-0.4.0_3 and perl5-5.28.2 running > on FreeBSD 11.2 I am getting the following in the mail.log when postfix tries > to feed a mail to spamass-milter. At least I think that's when it is. > > May 21 23:20:56 mail spamd[22787]: spamd: error: Bad arg length for > Socket::unpack_sockaddr_in, length is 28, should be 16 at > /usr/local/lib/perl5/5.28/mach/Socket.pm line 848. > May 21 23:20:56 mail spamd[22787]: , continuing at /usr/local/bin/spamd line > 1419. > there should be a message like "spamd: connection from %s [%s]:%s to port %d, fd %d" in your log files at that time; could you post the relevant info? Thanks Giovanni
Re: Check equal headers
On 5/21/19 3:48 AM, Jari Fredriksson wrote: > > >> Giovanni Bechis wrote on 20.5.2019 at 17.00: >> >> Hi, >> in a rule I would like to check if "From:" != "Reply-To:", is this possible >> without writing any code or should I add a new function in HeaderEval ? >> Thanks & Cheers >> Giovanni >> > > Hello! > > I have this in my /etc/spamassassin/local-rules.cf > [...] > header __FROM_V_REPLY eval:check_for_from_v_replyto_dom() > warn: rules: error: unknown eval 'check_for_from_v_replyto_dom' for __FROM_V_REPLY Do you have some custom code maybe? Anyway I wrote what I have in mind in a different way, thanks. http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/gbechis/20_freemail.cf?view=diff&r1=1859609&r2=1859610&pathrev=1859610 Thanks & Cheers Giovanni
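Added example, not code from the thread, from Giovanni's sandbox rule or from SpamAssassin's HeaderEval: the From/Reply-To domain comparison asked about above, written as a stand-alone Python check. The sample headers use placeholder domains and are constructed here.

```python
from email import message_from_string
from email.utils import getaddresses


def header_domain(msg, name):
    """Lower-cased domain of the first address in header `name`, or None
    when the header is missing or carries no usable address."""
    for _display, addr in getaddresses(msg.get_all(name, [])):
        if "@" in addr:
            return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return None


def from_replyto_mismatch(raw_message):
    """Rule-style verdict for the check asked about above: does the
    Reply-To domain differ from the From domain?

    A missing Reply-To is not a mismatch, and the display name is ignored
    so 'Bank <a@example.com>' compares as example.com. Subdomains are
    compared literally (mail.example.com != example.com), which is the
    strict reading; relax it if that is too noisy for your mail flow.
    """
    msg = message_from_string(raw_message)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    if from_dom is None or reply_dom is None:
        return False
    return from_dom != reply_dom


# Constructed samples (placeholder domains, not from the thread).
MISMATCH = """From: "Accounts Payable" <ap@example.com>
Reply-To: Accounts <collect@example.net>
Subject: overdue invoice

body
"""

SAME_DOMAIN = """From: ap@example.com
Reply-To: Accounts <AP@EXAMPLE.COM>
Subject: overdue invoice

body
"""

NO_REPLYTO = """From: ap@example.com
Subject: overdue invoice

body
"""

if __name__ == "__main__":
    for label, raw in (("mismatch", MISMATCH), ("same", SAME_DOMAIN), ("none", NO_REPLYTO)):
        print(label, from_replyto_mismatch(raw))
```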