Re: How to Block messages from display name not matching expected sender email address

2020-12-24 Thread John Hardin

On Thu, 24 Dec 2020, Bill Cole wrote:


On 24 Dec 2020, at 0:02, Joey J wrote:


I'm trying to figure out how to write a rule that looks for matches of
certain names against the display name, and then ensuring it's from a list
of valid email addresses.

So a phishing email comes in from "Boss Man"

So I want to check if the display name is "Boss Man" and if so, make sure
the sending email address is boss...@realcompany.com or 
boss...@company2.com,

otherwise score it with 10.


header __BOSSNAME From:name =~ /Boss Man/
header __BOSSADDR From:addr =~ /BossMan\@RealCompany.com|boss...@company2.com/


Missed escaping the second @ sign, and the periods...


meta   BOSSPHISH  __BOSSNAME && !__BOSSADDR
score  BOSSPHISH 10


If you have a list of such addresses, you'd probably benefit from writing 
a script to generate the rules from that list rather than manually 
maintaining all the rules.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 Tomorrow: Christmas
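John's closing suggestion, generating the rules from a list instead of hand-maintaining them, as an added example that is not part of the thread and not SpamAssassin's own code. The script below is mine. The display names, the .example domains and the rule names it emits are constructed; it applies the two corrections John pointed out (escaped @ and escaped dots) and additionally anchors the address alternatives with ^...$ and matches them case-insensitively, so that an address that merely starts with an allowed one does not pass. The second function makes the same decision in Python on a raw From: header, which is handy for checking a list before deploying it.

```python
import email.utils
import re

# Constructed sample list (hypothetical names and .example domains, not the
# thread's real ones): display name -> the only addresses allowed to carry it.
PROTECTED_SENDERS = {
    "Boss Man": ["bossman@realcompany.example", "boss.man@company2.example"],
    "Pat Payroll": ["pat@realcompany.example"],
}

# Perl regex metacharacters, plus '/' (the rule's delimiter) and '@' (a bare
# @ inside a SpamAssassin rule regex is read as Perl array interpolation,
# which is the missing escape John Hardin flagged above).
_SPECIAL = set(r"\.^$*+?{}[]()|/@")


def sa_escape(text):
    """Escape text so it matches itself literally inside a /.../ rule."""
    return "".join("\\" + c if c in _SPECIAL else c for c in text)


def rule_tag(display_name):
    """Turn a display name into an uppercase rule-name fragment (constructed naming)."""
    return re.sub(r"[^A-Z0-9]+", "_", display_name.upper()).strip("_")


def generate_rules(senders, score=10.0):
    """Emit a __NAME/__ADDR sub-rule pair and a scored meta rule per
    protected sender. The address regex is anchored with ^...$ and is
    case-insensitive, so bossman@realcompany.example.attacker.example
    does not pass as an allowed sender."""
    out = []
    for display, addrs in senders.items():
        tag = rule_tag(display)
        alts = "|".join(sa_escape(a) for a in addrs)
        out.append(f"header   __{tag}_NAME From:name =~ /{sa_escape(display)}/i")
        out.append(f"header   __{tag}_ADDR From:addr =~ /^(?:{alts})$/i")
        out.append(f"meta     {tag}_SPOOF __{tag}_NAME && !__{tag}_ADDR")
        out.append(f"describe {tag}_SPOOF From display name '{display}' with an unexpected address")
        out.append(f"score    {tag}_SPOOF {score}")
        out.append("")
    return "\n".join(out)


def is_display_name_spoof(from_header, senders):
    """The decision the generated meta rule makes, applied in Python to a raw
    From: header value: display name matches a protected name (substring,
    case-insensitive, like the unanchored From:name rule) but the address is
    not one of the allowed ones."""
    display, addr = email.utils.parseaddr(from_header)
    for protected, addrs in senders.items():
        if protected.lower() in display.lower():
            return addr.lower() not in {a.lower() for a in addrs}
    return False


if __name__ == "__main__":
    print(generate_rules(PROTECTED_SENDERS))
```

Run it and paste the output into a local .cf file, then `spamassassin --lint` before reloading; keep the source list under version control so a change in who may use a protected name is a one-line edit rather than a hand-edit of several rules.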


Re: How to Block messages from display name not matching expected sender email address

2020-12-23 Thread Bill Cole

On 24 Dec 2020, at 0:02, Joey J wrote:


Hello,

I'm trying to figure out how to write a rule that looks for matches of
certain names against the display name, and then ensuring it's from a
list of valid email addresses.

So a phishing email comes in from "Boss Man"

So I want to check if the display name is "Boss Man" and if so, make sure
the sending email address is boss...@realcompany.com or boss...@company2.com,

otherwise score it with 10.


header __BOSSNAME From:name =~ /Boss Man/
header __BOSSADDR From:addr =~ /BossMan\@RealCompany.com|boss...@company2.com/

meta   BOSSPHISH  __BOSSNAME && !__BOSSADDR
score  BOSSPHISH 10

Also, would there be a way to forward that email to a specific user, not
send it to the original recipient?


That's a function of your MTA and depends on how you've attached 
SpamAssassin to it.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


How to Block messages from display name not matching expected sender email address

2020-12-23 Thread Joey J
Hello,

I'm trying to figure out how to write a rule that looks for matches of
certain names against the display name, and then ensuring it's from a list
of valid email addresses.

So a phishing email comes in from "Boss Man"

So I want to check if the display name is "Boss Man" and if so, make sure
the sending email address is boss...@realcompany.com or boss...@company2.com,
otherwise score it with 10.

Also, would there be a way to forward that email to a specific user, not
send it to the original recipient?



Thanks

-- 
Thanks!
Joey


Re: How to block chimpmail emails?

2020-03-16 Thread Joseph Brennan
I'm a week late, but mailchimp sends from these domains:

mcsv.net

mcdlv.net

rsgsv.net


Otherwise, same advice as below, with those domains.



On Wed, Mar 11, 2020 at 4:37 AM Marc Roos  wrote:

>
> What you can do is put in your sendmail access
>
> connect:mailchimp.com   ERROR "SPAM"
>
> This refuses any connection of ip addresses with a reverse lookup having
> *.mailchimp.com
>
>
>
> -Original Message-
> Sent: 11 March 2020 00:15
> To: users@spamassassin.apache.org
> Subject: How to block chimpmail emails?
>
> I receive several marketing emails from chimpmail.  I've tried adding the
> from email address to the blackfrom_list, but that does not block
> chimpmail.  How can a person block these?
>
> Thank you.
>
> Daryl
>
>
>

-- 
Joseph Brennan
Lead, Email and Systems Applications
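The four signals the replies in this thread name, the X-Mailer prefix and the X-MC-User header (Axb), the sending domains mcsv.net, mcdlv.net and rsgsv.net (Joseph Brennan) and reverse DNS under mailchimp.com (Marc Roos's sendmail access entry), combined as an added example that is not part of the thread and not SpamAssassin's own code. The Python function below is mine; it reports which of the signals fire for a message, roughly what the equivalent sub-rules would report. The sample message, its addresses, host names and IP address are constructed, and the X-Mailer value beyond the "MailChimp Mailer" prefix is made up.

```python
import email
import re

# Signals named in the thread.
MC_DOMAINS = {"mcsv.net", "mcdlv.net", "rsgsv.net"}
MC_RDNS_SUFFIX = ".mailchimp.com"

# Constructed sample message; addresses, host names and the IP are made up.
SAMPLE = """\
Return-Path: <bounce-mc.us19_12345.678-abc=example.org@mail123.atl61.rsgsv.net>
Received: from mail123.atl61.rsgsv.net (mail123.atl61.rsgsv.net [198.51.100.23])
\tby mx.example.org (Postfix) with ESMTPS for <user@example.org>;
\tWed, 11 Mar 2020 00:10:00 +0100 (CET)
X-Mailer: MailChimp Mailer - **CID12345**
X-MC-User: abc123def
From: Newsletter <news@example-shop.example>
Subject: This week's offers

Hello
"""


def _domain_of(addr):
    """Domain part of an address such as '<x@y.example>', lowercased."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _in_domains(domain, domains):
    """True if domain is one of domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in domains)


def mailchimp_signals(raw_message):
    """Return the names of the signals that fire for raw_message, in a fixed
    order. Each one corresponds to a header test: X-Mailer prefix, presence
    of X-MC-User, Return-Path domain, and reverse DNS in the Received line."""
    msg = email.message_from_string(raw_message)
    hits = []
    if msg.get("X-Mailer", "").startswith("MailChimp Mailer"):
        hits.append("XMAILER_MAILCHIMP")
    if "X-MC-User" in msg:            # the "exists" rule Axb mentions
        hits.append("HAS_X_MC_USER")
    if _in_domains(_domain_of(msg.get("Return-Path", "")), MC_DOMAINS):
        hits.append("RETPATH_MAILCHIMP_DOMAIN")
    for rcvd in msg.get_all("Received", []):
        # Postfix style "from HELO (rdns [ip]) by ..."; rdns reads "unknown"
        # when the reverse lookup failed, which never matches the suffix.
        m = re.search(r"from\s+\S+\s+\(([A-Za-z0-9.-]+)\s*\[", rcvd)
        if m and m.group(1).lower().endswith(MC_RDNS_SUFFIX):
            hits.append("RDNS_MAILCHIMP")
            break
    return hits


if __name__ == "__main__":
    print(mailchimp_signals(SAMPLE))
```

Header-based fingerprints like these identify the sending platform, not the list owner, so a score on them hits every Mailchimp customer; unsubscribing, as RW suggests, is the cheaper fix for a single list, and the MTA-level reject is the choice only if you want none of that platform's mail at all.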


RE: How to block chimpmail emails?

2020-03-11 Thread Marc Roos


What you can do is put in your sendmail access

connect:mailchimp.com   ERROR "SPAM"
 
This refuses any connection of ip addresses with a reverse lookup having 
*.mailchimp.com



-Original Message-
Sent: 11 March 2020 00:15
To: users@spamassassin.apache.org
Subject: How to block chimpmail emails?

I receive several marketing emails from chimpmail.  I've tried adding the 
from email address to the blackfrom_list, but that does not block 
chimpmail.  How can a person block these?

Thank you.

Daryl




Re: How to block chimpmail emails?

2020-03-11 Thread Axb

On 2020-03-11 00:15, Daryl Rose wrote:

I receive several marketing emails from chimpmail.  I've tried adding the
from email address to the blackfrom_list, but that does not block
chimpmail.  How can a person block these?

Thank you.

Daryl



header  XMAILER_MAILCHIMP X-Mailer =~ /^MailChimp Mailer/

or an exists rule checking for X-MC-User


Re: How to block chimpmail emails?

2020-03-10 Thread RW
On Tue, 10 Mar 2020 18:15:01 -0500
Daryl Rose wrote:

> I receive several marketing emails from chimpmail.  

If you mean mailchimp, then unsubscribing should work.

> I've tried adding the from email address to the blackfrom_list,

That should be blacklist_from

>  but that does not block chimpmail.  

Why doesn't it work? If you don't know why, give us enough information
to tell you why or reproduce the problem.



RE: How to block chimpmail emails?

2020-03-10 Thread Marc Roos
Can you post the message header?
 

-Original Message-
From: Daryl Rose [mailto:rosed...@gmail.com] 
Sent: 11 March 2020 00:15
To: users@spamassassin.apache.org
Subject: How to block chimpmail emails?

I receive several marketing emails from chimpmail.  I've tried adding the 
from email address to the blackfrom_list, but that does not block 
chimpmail.  How can a person block these?

Thank you.

Daryl




How to block chimpmail emails?

2020-03-10 Thread Daryl Rose
I receive several marketing emails from chimpmail.  I've tried adding the
from email address to the blackfrom_list, but that does not block
chimpmail.  How can a person block these?

Thank you.

Daryl


Re: How to block reverse hostname

2020-01-10 Thread John Hardin

On Thu, 9 Jan 2020, Marc Roos wrote:


How to mark all messages from *hostwindsdns.com server?

192.236.198.0
192.236.198.1
192.236.198.2   client-192-236-198-2.hostwindsdns.com.
192.236.198.3   client-192-236-198-3.hostwindsdns.com.


...etc

If you are confident that you only ever receive spam from those IP 
addresses, add them to an IP blacklist in your MTA so they get rejected up 
front. Why accept the SA processing overhead?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Never forget, even for an instant, that the one and only reason
  anyone has for taking your gun away is to make you weaker than
  he is, so he can do something to you that you wouldn’t let him
  do if you were equipped to prevent it. This goes for burglars,
  muggers, and rapists, and even more so for policemen,
  bureaucrats, and politicians. -- Alexander Pope
---
 7 days until Benjamin Franklin's 314th Birthday

Re: How to block reverse hostname

2020-01-09 Thread Benny Pedersen

Marc Roos skrev den 2020-01-09 21:30:

How to mark all messages from *hostwindsdns.com server?

192.236.198.0


http://multirbl.valli.org/lookup/192.236.198.0.html

don't block random reverse

add more rbls or rhsbl to spamassassin

http://multirbl.valli.org/list/

be careful with testing


How to block reverse hostname

2020-01-09 Thread Marc Roos



How to mark all messages from *hostwindsdns.com server?

192.236.198.0
192.236.198.1
192.236.198.2   client-192-236-198-2.hostwindsdns.com.
192.236.198.3   client-192-236-198-3.hostwindsdns.com.
192.236.198.4   client-192-236-198-4.hostwindsdns.com.
192.236.198.5   client-192-236-198-5.hostwindsdns.com.
192.236.198.6   client-192-236-198-6.hostwindsdns.com.
192.236.198.7   2t1.ntdservices.icu.
192.236.198.8   client-192-236-198-8.hostwindsdns.com.
192.236.198.9   client-192-236-198-9.hostwindsdns.com.
192.236.198.10  client-192-236-198-10.hostwindsdns.com.
192.236.198.11  client-192-236-198-11.hostwindsdns.com.
192.236.198.12  client-192-236-198-12.hostwindsdns.com.
192.236.198.13  client-192-236-198-13.hostwindsdns.com.
192.236.198.14  client-192-236-198-14.hostwindsdns.com.
192.236.198.15  client-192-236-198-15.hostwindsdns.com.
192.236.198.16  exchange.xforce.ibmcloud.com.
192.236.198.17  bbg3.ntdservices.icu.
192.236.198.18  client-192-236-198-18.hostwindsdns.com.
192.236.198.19  t3ulb.ntdservices.icu.
192.236.198.20  client-192-236-198-20.hostwindsdns.com.
192.236.198.21  client-192-236-198-21.hostwindsdns.com.
192.236.198.22  client-192-236-198-22.hostwindsdns.com.
192.236.198.23  client-192-236-198-23.hostwindsdns.com.
192.236.198.24  client-192-236-198-24.hostwindsdns.com.
192.236.198.25  exchange.xforce.ibmcloud.com.
192.236.198.26  exchange.xforce.ibmcloud.com.
192.236.198.27  client-192-236-198-27.hostwindsdns.com.
192.236.198.28  exchange.xforce.ibmcloud.com.
192.236.198.29  client-192-236-198-29.hostwindsdns.com.
192.236.198.30  client-192-236-198-30.hostwindsdns.com.
192.236.198.31  client-192-236-198-31.hostwindsdns.com.
192.236.198.32  client-192-236-198-32.hostwindsdns.com.


Re: How to block mails from unknown ip addresses?

2019-08-26 Thread RW
On Mon, 26 Aug 2019 09:07:47 +0200
Giovanni Bechis wrote:

> Updated geo databases are DB_File and GeoIP2 (fast does not support
> ipv6 and geoip is outdated). For DB_File you can/should update
> whenever you want but you do not have city info, for GeoIP2 you have
> more info ...

Just to be clear, Maxmind provides versions with or without city
information. AFAIK the only reason for using the much larger city
version with RelayCountry.pm is if you need that file for something
else. 


Re: How to block mails from unknown ip addresses?

2019-08-26 Thread Giovanni Bechis
On 8/26/19 9:01 AM, Dominic Raferd wrote:
> 
> 
> On Sun, 25 Aug 2019 at 20:16, tba...@txbweb.de wrote:
> 
> Am 2019-08-25 20:54, schrieb Matus UHLAR - fantomas:
> 
> > I don't think you should download geoip postgres modules when what you
> > really need is apparently more recent database.
> >
> > Debian SA package suggests installing libgeo-ip-perl which further
> > recommends geoip-database.
> >
> > buster contains version 20181108-1, while buster-backports contains
> > version
> > 20190724-1~bpo10+1
> > Your problem could apparently be solved by installing the backported
> > geoip-database version.
> 
> I tried this already (described in e-Mail at 4:53 pm), but the ip
> address 45.141.151.5 wasn't in the backport geoip-database.
> 
> >> Maybe I have tomatoes on my eyes. I can't find the right debian
> >> package with the DB_File-Module. Do you or someone else know which
> >> package does contain the module? I don't use the cpan shell for
> >> installing modules.
> >
> > it's very good that you don't use these. They can make a mess on a Debian
> > system. Only install Debian packages unless you really need and can take
> > care of manually installed packages.
> 
> Yes, as you can see I got a warning and I installed the
> liblocale-codes-perl package.
> 
> # ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
> Locale::Country will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at ./pgeoiplookup.pl, line 35.
> Locale::Codes will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at /usr/share/perl/5.28/Locale/Country.pm,
> line 22.
> GeoIP version 1566699945: TR, Turkey
> 
> 
> This has worked for me on Debian derivatives (Ubuntu...) to install GeoIP2 
> with the much faster XS implementation:
> 
> cpan App::cpanminus &&\
> add-apt-repository -y ppa:maxmind/ppa &&\
> apt install libmaxminddb0 libmaxminddb-dev mmdb-bin &&\
> cpanm Math::Int128 &&\
> cpanm Net::Works::Network &&\
> cpanm MaxMind::DB::Reader::XS &&\
> cpanm GeoIP2::Database::Reader
> 
Updated geo databases are DB_File and GeoIP2 (fast does not support IPv6 and
GeoIP is outdated).
For DB_File you can/should update whenever you want but you do not have city
info; for GeoIP2 you have more info but you should wait for Maxmind to update
the database.

 Giovanni


Re: How to block mails from unknown ip addresses?

2019-08-26 Thread Dominic Raferd
On Sun, 25 Aug 2019 at 20:16,  wrote:

> Am 2019-08-25 20:54, schrieb Matus UHLAR - fantomas:
>
> > I don't think you should download geoip postgres modules when what you
> > really need is apparently more recent database.
> >
> > Debian SA package suggests installing libgeo-ip-perl which further
> > recommends geoip-database.
> >
> > buster contains version 20181108-1, while buster-backports contains
> > version
> > 20190724-1~bpo10+1
> > Your problem could apparently be solved by installing the backported
> > geoip-database version.
>
> I tried this already (described in e-Mail at 4:53 pm), but the ip
> address 45.141.151.5 wasn't in the backport geoip-database.
>
> >> Maybe I have tomatoes on my eyes. I can't find the right debian
> >> package with the DB_File-Module. Do you or someone else know which
> >> package does contain the module? I don't use the cpan shell for
> >> installing modules.
> >
> > it's very good that you don't use these. They can make a mess on a Debian
> > system. Only install Debian packages unless you really need and can take
> > care of manually installed packages.
>
> Yes, as you can see I got a warning and I installed the
> liblocale-codes-perl package.
>
> # ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
> Locale::Country will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at ./pgeoiplookup.pl, line 35.
> Locale::Codes will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at /usr/share/perl/5.28/Locale/Country.pm,
> line 22.
> GeoIP version 1566699945: TR, Turkey
>

This has worked for me on Debian derivatives (Ubuntu...) to install GeoIP2
with the much faster XS implementation:

cpan App::cpanminus &&\
add-apt-repository -y ppa:maxmind/ppa &&\
apt install libmaxminddb0 libmaxminddb-dev mmdb-bin &&\
cpanm Math::Int128 &&\
cpanm Net::Works::Network &&\
cpanm MaxMind::DB::Reader::XS &&\
cpanm GeoIP2::Database::Reader


Re: How to block mails from unknown ip addresses?

2019-08-25 Thread tbarth

Am 2019-08-25 20:54, schrieb Matus UHLAR - fantomas:


I don't think you should download geoip postgres modules when what you
really need is apparently more recent database.

Debian SA package suggests installing libgeo-ip-perl which further
recommends geoip-database.

buster contains version 20181108-1, while buster-backports contains 
version

20190724-1~bpo10+1
Your problem could apparently be solved by installing the backported
geoip-database version.


I tried this already (described in e-Mail at 4:53 pm), but the ip 
address 45.141.151.5 wasn't in the backport geoip-database.


Maybe I have tomatoes on my eyes. I can't find the right debian 
package with the DB_File-Module. Do you or someone else know which 
package does contain the module? I don't use the cpan shell for 
installing modules.


it's very good that you don't use these. They can make a mess on a Debian
system. Only install Debian packages unless you really need and can take
care of manually installed packages.


Yes, as you can see I got a warning and I installed the 
liblocale-codes-perl package.


# ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Locale::Country will be removed from the Perl core distribution in the 
next major release. Please install the separate liblocale-codes-perl 
package. It is being used at ./pgeoiplookup.pl, line 35.
Locale::Codes will be removed from the Perl core distribution in the 
next major release. Please install the separate liblocale-codes-perl 
package. It is being used at /usr/share/perl/5.28/Locale/Country.pm, 
line 22.

GeoIP version 1566699945: TR, Turkey




Re: How to block mails from unknown ip addresses?

2019-08-25 Thread tbarth

Am 2019-08-25 17:34, schrieb Giovanni Bechis:


Hello, I can't find pgeoiplookup in the repository. I'm using Debian
Buster (10.0), but the geoip database in this release is from
2018-11-08. So I activated backports to get a newer version from testing
(https://tracker.debian.org/pkg/geoip-database).

sorry, it's a tool I wrote to check ip addresses using ipcc.db 
databases.

https://github.com/bigio/pgeoiplookup




Now I used the cpan shell. I thought it was a relic from the past. :)

 install IP::Country
 install IP::Country::DB_File

cpan[2]> exit
Terminal does not support GetHistory.
Lockfile removed.

# ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Locale::Country will be removed from the Perl core distribution in the 
next major release. Please install the separate liblocale-codes-perl 
package. It is being used at ./pgeoiplookup.pl, line 35.
Locale::Codes will be removed from the Perl core distribution in the 
next major release. Please install the separate liblocale-codes-perl 
package. It is being used at /usr/share/perl/5.28/Locale/Country.pm, 
line 22.

GeoIP version 1566699945: TR, Turkey

# aptitude install liblocale-codes-perl
The following NEW packages will be installed:
  liblocale-codes-perl
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 250 kB of archives. After unpacking 2,406 kB will be used.
Get: 1 http://asi-fs-n.contabo.net/debian buster/main amd64 
liblocale-codes-perl all 3.60-1 [250 kB]

Fetched 250 kB in 0s (3,663 kB/s)
Selecting previously unselected package liblocale-codes-perl.
(Reading database ... 45022 files and directories currently installed.)
Preparing to unpack .../liblocale-codes-perl_3.60-1_all.deb ...
Unpacking liblocale-codes-perl (3.60-1) ...
Setting up liblocale-codes-perl (3.60-1) ...
Processing triggers for man-db (2.8.5-2) ...

# ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
GeoIP version 1566699945: TR, Turkey



Re: How to block mails from unknown ip addresses?

2019-08-25 Thread Matus UHLAR - fantomas

Am 2019-08-25 17:34, schrieb Giovanni Bechis:
sorry, it's a tool I wrote to check ip addresses using ipcc.db 
databases.

https://github.com/bigio/pgeoiplookup


On 25.08.19 20:26, tba...@txbweb.de wrote:

https://cwiki.apache.org/confluence/display/spamassassin/RelayCountryPlugin

I've downloaded a db_file to an optional directory and set the 
variable "country_db_path" in /etc/spamassassin/local.cf 
(country_db_path /opt/ipcc/ipcc.db). spamassassin --lint displays no 
errors. If that works I can configure a cronjob for downloading the db 
file once a week.


But I've a problem with your script.

./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Can't locate IP/Country/DB_File.pm in @INC (you may need to install 
the IP::Country::DB_File module) (@INC contains: /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.28.1 
/usr/local/share/perl/5.28.1 /usr/lib/x86_64-linux-gnu/perl5/5.28 
/usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.28 
/usr/share/perl/5.28 /usr/local/lib/site_perl 
/usr/lib/x86_64-linux-gnu/perl-base) at ./pgeoiplookup.pl line 34.


I don't think you should download geoip postgres modules when what you
really need is apparently more recent database.

Debian SA package suggests installing libgeo-ip-perl which further
recommends geoip-database.

buster contains version 20181108-1, while buster-backports contains version
20190724-1~bpo10+1
Your problem could apparently be solved by installing the backported
geoip-database version.

Maybe I have tomatoes on my eyes. I can't find the right debian 
package with the DB_File-Module. Do you or someone else know which 
package does contain the module? I don't use the cpan shell for 
installing modules.


it's very good that you don't use these. They can make a mess on a Debian
system. Only install Debian packages unless you really need and can take
care of manually installed packages.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


Re: How to block mails from unknown ip addresses?

2019-08-25 Thread tbarth

Am 2019-08-25 17:34, schrieb Giovanni Bechis:

sorry, it's a tool I wrote to check ip addresses using ipcc.db 
databases.

https://github.com/bigio/pgeoiplookup



https://cwiki.apache.org/confluence/display/spamassassin/RelayCountryPlugin

I've downloaded a db_file to an optional directory and set the variable 
"country_db_path" in /etc/spamassassin/local.cf (country_db_path 
/opt/ipcc/ipcc.db). spamassassin --lint displays no errors. If that 
works I can configure a cronjob for downloading the db file once a week.


But I've a problem with your script.

./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Can't locate IP/Country/DB_File.pm in @INC (you may need to install the 
IP::Country::DB_File module) (@INC contains: /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.28.1 /usr/local/share/perl/5.28.1 
/usr/lib/x86_64-linux-gnu/perl5/5.28 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl/5.28 /usr/share/perl/5.28 
/usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at 
./pgeoiplookup.pl line 34.


Maybe I have tomatoes on my eyes. I can't find the right debian package 
with the DB_File-Module. Do you or someone else know which package does 
contain the module? I don't use the cpan shell for installing modules.





Re: How to block mails from unknown ip addresses?

2019-08-25 Thread tbarth

Am 2019-08-25 00:12, schrieb Benny Pedersen:



header  RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of 
country codes)/
describeRELAYCOUNTRY_BAD Relayed through spam country at some 
point

score   RELAYCOUNTRY_BAD 3.5


correct rule, but geoip is not working in your install


Hello,

geoip is working if geoiplookup has a valid country. Here is a result when
the IP address can be found (RELAYCOUNTRY_BAD=3.5 in the test list).


---
X-Spam-Status: Yes, score=15.393 tag=2 tag2=6.31 kill=6.31 tests=[AM.WBL=7,
 BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
 FSL_BULK_SIG=1.596, HTML_EMBEDS=0.001, HTML_MESSAGE=0.001,
 PYZOR_CHECK=1.392, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=3.5,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01,
 URIBL_RED=0.001] autolearn=no autolearn_force=no
---

The Turkish spammer uses a DKIM signature for each dirty domain and
changes the IP addresses.


---
Received: from habitmarsh.pro (unknown [185.81.154.251])
by mx2.level5.de (Postfix) with ESMTP
for ; Sat, 24 Aug 2019 14:46:28 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=habitmarsh.pro;
 h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type; i=restl...@habitmarsh.pro;
 bh=2t5Wf+4FfcbFXk3qlpUtl7hNcLY=;
 b=BYPTXPtYMghNg+QpgG9WEYjd2FPjtRVS7rAfCCPt4hO6v7Fzo2ZK5YWiOBWtXPXKWFb9X6u7OQ8G
   Db9pXFfiYN+p76hpn/dPWLCH8G3kuJakwjthtuBG85wzytnelGph79TzqTXZGylltHv3JQOoPJca
   NHrcpHXgh+sVKHit2yw=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=habitmarsh.pro;
 b=dYV5l2FhyapgbC8/s1SXbQacaxUiqlIWFCNDtBvzfV2E9+7wS61Ppqxufk1tZyYgVRLnj+1wrzZC
   NKFQfvNL7TVSgk8u14S8ptc4q0tfE+uQ886w9ZuxOHQ+7jOasm+AW84BJm6fI3n7jEPL1xZC2bqx
   wJOICRNUrJ+k9XVHhag=;
From: " Timothy Long" 
Date: Sat, 24 Aug 2019 07:42:21 -0500
MIME-Version: 1.0
Subject: Boost your internet with this without upgrading your plan
---


Re: How to block mails from unknown ip addresses?

2019-08-25 Thread Giovanni Bechis
On Sun, Aug 25, 2019 at 04:53:36PM +0200, tba...@txbweb.de wrote:
> Am 2019-08-25 10:18, schrieb Giovanni Bechis:
> > geoip 1.x is no more updated, with 3.4.2+ you can use country_db_type
> > DB_File and it would
> > have matched that ip.
> > 
> > -
> > $ pgeoiplookup 45.141.151.5
> > GeoIP version 1566720869: TR, Turkey
> > -
> 
> Hello, I can't find pgeoiplookup in the repository. I'm using Debian 
> Buster (10.0), but the geoip database in this release is from 
> 2018-11-08. So I activated backports to get a newer version from testing 
> (https://tracker.debian.org/pkg/geoip-database).
> 
sorry, it's a tool I wrote to check ip addresses using ipcc.db databases.
https://github.com/bigio/pgeoiplookup

> # aptitude -t buster-backports install geoip-database
> 
> Get: 1 http://deb.debian.org/debian buster-backports/main amd64 
> geoip-database all 20190724-1~bpo10+1
> 
GeoIP databases are no longer updated by Maxmind; you should use a different
country_db_type in the RelayCountry plugin (db_file or geoip2) to detect new IP
addresses.
 
 Giovanni


Re: How to block mails from unknown ip addresses?

2019-08-25 Thread tbarth

Am 2019-08-25 10:18, schrieb Giovanni Bechis:

GeoIP 1.x is no longer updated; with 3.4.2+ you can use country_db_type
DB_File and it would have matched that IP.

-
$ pgeoiplookup 45.141.151.5
GeoIP version 1566720869: TR, Turkey
-


Hello, I can't find pgeoiplookup in the repository. I'm using Debian 
Buster (10.0), but the geoip database in this release is from 
2018-11-08. So I activated backports to get a newer version from testing 
(https://tracker.debian.org/pkg/geoip-database).


# aptitude -t buster-backports install geoip-database

Get: 1 http://deb.debian.org/debian buster-backports/main amd64 
geoip-database all 20190724-1~bpo10+1


ls -al /usr/share/GeoIP/
total 36060
drwxr-xr-x   2 root root 4096 Aug 25 16:35 .
drwxr-xr-x 131 root root 4096 Aug 10 12:37 ..
-rw-r--r--   1 root root  4969864 Nov  8  2018 GeoIPASNum.dat
-rw-r--r--   1 root root 22104026 Nov  8  2018 GeoIPCity.dat
-rw-r--r--   1 root root  2022333 Jul 31 15:47 GeoIP.dat
-rw-r--r--   1 root root  7811745 Jul 31 15:47 GeoIPv6.dat

The database is from 2019-07-24, but the IP address is still unknown :-/

root@mx2:~# geoiplookup 45.141.151.5
GeoIP Country Edition: IP Address not found

Seems that these intelligent spammers tend to use really new IP addresses :)


Is there no solution for the relaycountry plugin to get a score if an IP
address can't be found? I don't need the newest databases because the IP
addresses of good senders exist longer.


Thomas Barth
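Thomas's question above, whether the plugin can contribute a score when a relay's IP is not in the database, as an added example that is not part of the thread and not the RelayCountry plugin's own code. The Python below is mine: it builds the X-Relay-Countries value from Received: headers against a constructed in-memory country table (the real plugin reads ipcc.db via DB_File, or a GeoIP2 file), then scores it the way two header rules would, a RELAYCOUNTRY_BAD rule like the one posted and a second rule for the unresolved code. Assumptions, also marked in the code: that the plugin emits XX for an IP it cannot resolve (check the header your installed version produces before relying on it); the TR entry generalises the thread's lookup of 45.141.151.5 to its /24; the DE entry, the trusted networks and the sample Received: chain are constructed; and 185.81.154.251 from Thomas's second header dump is simply absent from the constructed table.

```python
import ipaddress
import re

# Constructed stand-in for the country database the plugin reads. The TR
# entry generalises the thread's lookup result for 45.141.151.5 to its /24
# (an assumption); the DE entry is made up.
COUNTRY_TABLE = [
    (ipaddress.ip_network("45.141.151.0/24"), "TR"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
]

# Assumption: the plugin reports "XX" for a relay it cannot resolve. Verify
# against the X-Relay-Countries value your installed version produces.
UNKNOWN = "XX"

# Constructed equivalent of trusted_networks: hops from here are not scored.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("198.51.100.0/24")]

# Stands in for the elided "List of country codes" in the posted rule.
BAD_COUNTRIES = {"TR"}

# The two header rules this mirrors (the second is the one Thomas asked for):
#   header RELAYCOUNTRY_BAD     X-Relay-Countries =~ /\bTR\b/
#   header RELAYCOUNTRY_UNKNOWN X-Relay-Countries =~ /\bXX\b/


def country_for(ip):
    """Country code for ip from the constructed table, UNKNOWN if absent."""
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_TABLE:
        if addr in net:
            return cc
    return UNKNOWN


def relay_countries(received_headers, trusted=TRUSTED_NETWORKS):
    """Build the X-Relay-Countries value: one code per untrusted relay IP found
    in the Received: headers, in the order the headers appear (most recent
    hop first). Trusted hops are skipped, as with trusted_networks."""
    codes = []
    for line in received_headers:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in trusted):
            continue
        codes.append(country_for(ip))
    return " ".join(codes)


def relaycountry_score(x_relay_countries, bad=BAD_COUNTRIES,
                       score_bad=3.5, score_unknown=2.0):
    """Score the header the way the two rules above would.
    Returns (total score, names of the rules that hit)."""
    codes = set(x_relay_countries.split())
    total, hits = 0.0, []
    if codes & bad:
        total += score_bad
        hits.append("RELAYCOUNTRY_BAD")
    if UNKNOWN in codes:
        total += score_unknown
        hits.append("RELAYCOUNTRY_UNKNOWN")
    return total, hits


# Constructed Received: chain: an internal hop, then an external relay whose
# IP is not in the constructed table.
SAMPLE_RECEIVED = [
    "Received: from mx2.example.net (mx2.example.net [198.51.100.7]) by imap.example.net",
    "Received: from habitmarsh.pro (unknown [185.81.154.251]) by mx2.example.net (Postfix) with ESMTP",
]

if __name__ == "__main__":
    header = relay_countries(SAMPLE_RECEIVED)
    print("X-Relay-Countries:", header, relaycountry_score(header))
```

Scoring the unresolved code is a stopgap: a stale database also leaves newly allocated ranges of legitimate senders unresolved, so keep the unknown score low, and pair it with the database switch Giovanni describes, which removes the gap the spammer is exploiting.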


Re: How to block mails from unknown ip addresses?

2019-08-25 Thread Giovanni Bechis
On Sat, Aug 24, 2019 at 08:27:03PM +0200, tba...@txbweb.de wrote:
> Hello,
> 
> I would like to block mails from IP addresses that can't be found. There
> is a tricky spam series getting a low score. Currently I can block the
> mails just by scoring the TLD.
> 
> I use the RelayCountry Plugin, but it doesn't work if the IP address is
> not available.
> 
> header  RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country 
> codes)/
> describeRELAYCOUNTRY_BAD Relayed through spam country at some 
> point
> score   RELAYCOUNTRY_BAD 3.5
> 
> 
> Here some infos of an header examples
> 
> X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31 tests=[AM.WBL=7,
>  BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>  DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
>  FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392,
>  RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
>  T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
> 
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=strapdebut.pro;
>   h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type; i=nonse...@strapdebut.pro;
>   bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=;
>   b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c
>     3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2
>     HOR8Zr3N45GuMa5iHdc=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=strapdebut.pro;
>   b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4
>     O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1
>     SmcUvgGYccNp65I07nQ=;
> From: " Carol Yates" 
> Date: Sat, 24 Aug 2019 12:48:11 -0500
> MIME-Version: 1.0
> Subject: ACs are going to be extinct after this discovery
> 
> 
> 
> Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM
> {RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5]
>  -> , quarantine: N/spam-NHIkGYse9Osv.gz, Message-ID: ,
> mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms
> 
> 
> # geoiplookup 45.141.151.5
> GeoIP Country Edition: IP Address not found
> GeoIP City Edition, Rev 1: IP Address not found
> GeoIP ASNum Edition: IP Address not found
> 
GeoIP 1.x is no longer updated; with 3.4.2+ you can use country_db_type DB_File
and it would have matched that IP.

-
$ pgeoiplookup 45.141.151.5
GeoIP version 1566720869: TR, Turkey
-

 Giovanni




Re: HostKarma status (was Re: How to block mails from unknown ip addresses?)

2019-08-24 Thread Benny Pedersen

Rob McEwen skrev den 2019-08-25 04:59:


Not true. It is under _different_ management now. They are struggling
a little because of the large learning curve of abruptly stepping into
someone else's shoes on short notice, with lots of proprietary
code/processes. Some months ago, I talked to the main tech person over
there and he is a smart/good guy who is making MUCH progress. So it
looks like HostKarma is going to survive for the long term.


I wrote to make a point: if the maintainers of the site are preparing to be
back I would love to see it; it's just that using data that is old is not
always preferred. We all die one day, and that day no one will know me
anyway :=)


Can I provide abuse data to the new site owners, who still remain anonymous
members here?


1400 IPv4 addresses are blocked here for trying SASL auth on port 25; maybe
I'll extend it to postscreen data. If that's Postfix that is configured
badly, I'd like to help solve it.


HostKarma status (was Re: How to block mails from unknown ip addresses?)

2019-08-24 Thread Rob McEwen

On 8/24/2019 6:12 PM, Benny Pedersen wrote:

None of the mails is listed at hostkarma.junkemailfilter.com. I also
use junkemailfilter to score spam.
unmaintained now 



(BCC'ed to new HostKarma mgmt)

Not true. It is under /different/ management now. They are struggling a 
little because of the large learning curve of abruptly stepping into 
someone else's shoes on short notice, with lots of proprietary 
code/processes. Some months ago, I talked to the main tech person over 
there and he is a smart/good guy who is making MUCH progress. So it 
looks like HostKarma is going to survive for the long term.


--
Rob McEwen
https://www.invaluement.com




Re: How to block mails from unknown ip addresses?

2019-08-24 Thread RW
On Sun, 25 Aug 2019 00:12:20 +0200
Benny Pedersen wrote:

> > None of the mails is listed at hostkarma.junkemailfilter.com. I also
> > use junkemailfilter to score spam.  
> 
> unmaintained now

I wasn't aware of that, but I see Marc Perkel died in August 2018.


Re: How to block mails from unknown ip addresses?

2019-08-24 Thread Benny Pedersen

tba...@txbweb.de skrev den 2019-08-24 20:27:

Hello,

I would like to block mails from IP addresses that can't be found.
There is a tricky spam series getting a low score. Currently I can
block the mails just by scoring the TLD.

I use the RelayCountry Plugin, but it doesn't work if the IP address is
not available.

header  RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country 
codes)/
describeRELAYCOUNTRY_BAD Relayed through spam country at some 
point

score   RELAYCOUNTRY_BAD 3.5


correct rule, but geoip is not working in your install



Here is some info from an example header:

X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31 
tests=[AM.WBL=7,
BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, 
DKIM_VALID_AU=-0.1,

DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392,
RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=strapdebut.pro;
 h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type;
 i=nonse...@strapdebut.pro;
 bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=;
 b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c
   3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2
   HOR8Zr3N45GuMa5iHdc=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=strapdebut.pro;
 b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4
   O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1
   SmcUvgGYccNp65I07nQ=;
From: " Carol Yates" 
Date: Sat, 24 Aug 2019 12:48:11 -0500
MIME-Version: 1.0
Subject: ACs are going to be extinct after this discovery




if the DKIM-signed domain is the spamming domain, you could then make a 
header test for this as well




Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM
{RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5]
 -> , quarantine:
N/spam-NHIkGYse9Osv.gz, Message-ID:
,
mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms



amavisd is missing your WAN IPs, so it thinks you are an open relay, so the 
policy banks are selected incorrectly




# geoiplookup 45.141.151.5
GeoIP Country Edition: IP Address not found
GeoIP City Edition, Rev 1: IP Address not found
GeoIP ASNum Edition: IP Address not found


make sure geoip is installed correctly


None of the mails is listed at hostkarma.junkemailfilter.com. I also
use junkemailfilter to score spam.


unmaintained now


How to block mails from unknown ip addresses?

2019-08-24 Thread tbarth

Hello,

I would like to block mails from IP addresses that can't be found. There 
is a tricky spam series getting a low score. Currently I can block the 
mails just by scoring the TLD.


I use the RelayCountry plugin, but it doesn't work if the IP address is 
not available.


header   RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country codes)/
describe RELAYCOUNTRY_BAD Relayed through spam country at some point

score   RELAYCOUNTRY_BAD 3.5


Here is some info from an example header:

X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31 
tests=[AM.WBL=7,
BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, 
DKIM_VALID_AU=-0.1,

DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392,
RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=strapdebut.pro;
 h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type;
 i=nonse...@strapdebut.pro;
 bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=;
 b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c
   3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2
   HOR8Zr3N45GuMa5iHdc=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=strapdebut.pro;
 b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4
   O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1
   SmcUvgGYccNp65I07nQ=;
From: " Carol Yates" 
Date: Sat, 24 Aug 2019 12:48:11 -0500
MIME-Version: 1.0
Subject: ACs are going to be extinct after this discovery



Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM 
{RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5] 
 -> , quarantine: 
N/spam-NHIkGYse9Osv.gz, Message-ID: 
, 
mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms



# geoiplookup 45.141.151.5
GeoIP Country Edition: IP Address not found
GeoIP City Edition, Rev 1: IP Address not found
GeoIP ASNum Edition: IP Address not found

None of the mails is listed at hostkarma.junkemailfilter.com. I also use 
junkemailfilter to score spam.


Thanks for any help!

Thomas Barth
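
The X-Relay-Countries rule above can only fire when GeoIP resolves the relay, which is exactly what fails for the address in the amavis log. As an added illustration (not code from this thread or from SpamAssassin), the Python below recomputes the pseudo-header from the Received: chain against a constructed lookup table, reports "XX" for an address the table does not know, and lets a second rule hit on that "unknown" code. The table, the trusted range, the country list and both sample messages are constructed; that the real RelayCountry plugin emits "XX" for an unresolvable address is an assumption to verify against the plugin shipped with your SpamAssassin version.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for a GeoIP database (CIDR -> ISO country code).
# Any address outside these ranges is reported as "XX". That mirrors the
# "unknown" code the RelayCountry plugin is assumed to emit; verify against
# the plugin shipped with your SpamAssassin version.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

# Our own MX range (constructed). Hops inside it are skipped, the way
# trusted_networks keeps your own relays out of X-Relay-Countries.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed "spam country" list for RELAYCOUNTRY_BAD.
BAD_COUNTRIES = {"CN", "RU"}

# The bracketed literal IP that MTAs put into a Received: header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def country_for(ip):
    """Country code for one IP, or "XX" when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return "XX"


def untrusted_relay_ips(raw_message):
    """IPs from the Received: headers, outermost hop first, trusted hops removed."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP_RE.search(hdr)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if any(addr in net for net in TRUSTED_NETWORKS):
            continue
        ips.append(str(addr))
    return ips


def relay_countries(raw_message):
    """What X-Relay-Countries would contain: one code per untrusted relay."""
    return [country_for(ip) for ip in untrusted_relay_ips(raw_message)]


def rule_hits(raw_message):
    """Rules that fire: the thread's RELAYCOUNTRY_BAD plus an "unknown" rule."""
    codes = relay_countries(raw_message)
    hits = []
    if any(cc in BAD_COUNTRIES for cc in codes):
        hits.append("RELAYCOUNTRY_BAD")
    if "XX" in codes:
        hits.append("RELAYCOUNTRY_UNKNOWN")
    return hits


# Constructed message: our MX (192.0.2.10) took it from the IP in the
# thread's amavis log, which no GeoIP edition could resolve.
UNKNOWN_RELAY_MSG = """Received: from mx2.example.net ([192.0.2.10]) by mail.example.net; Sat, 24 Aug 2019 19:54:38 +0200
Received: from unknown ([45.141.151.5]) by mx2.example.net; Sat, 24 Aug 2019 19:54:37 +0200
From: sender@example.org
Subject: constructed sample

body text
"""

# Constructed message from a relay the table does know.
KNOWN_RELAY_MSG = """Received: from smtp.example.de ([203.0.113.7]) by mx2.example.net; Sat, 24 Aug 2019 19:54:37 +0200
From: sender@example.de
Subject: constructed sample

body text
"""

if __name__ == "__main__":
    print(relay_countries(UNKNOWN_RELAY_MSG), rule_hits(UNKNOWN_RELAY_MSG))
    print(relay_countries(KNOWN_RELAY_MSG), rule_hits(KNOWN_RELAY_MSG))
```

The point of the second rule is that an unresolvable relay is itself a signal worth a small score; in a real install you would put a rule on the code the plugin actually emits rather than on the absence of a match.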



Re: How to block email with multiple addresses in From:

2018-12-20 Thread RW
On Thu, 20 Dec 2018 13:26:30 -0700
Grant Taylor wrote:

> On 12/20/2018 12:34 PM, Grant Taylor wrote:
> > Does SpamAssassin even handle two true From:addr(esses)?  
> 
> I'm hoping someone will comment on the above question.
> 
> > I'll have to go back and read pertinent RFCs to see how 
> > struth...@psfc.mit.edu is interpreted, seeing as how it's outside
> > of double quotes, and not in angle brackets.  
> 
> According to my re-read of § 3.4 of RFC 5322 (which the IETF's 
> Datatracker indicates is current) it looks like
> struth...@psfc.mit.edu is indeed a legitimate address and not some
> form of human friendly name.


> I'd love to see someone comment on how well SpamAssassin treats
> multiple From: addresses.

AFAIK it only uses the first address for :addr and :name, and for the
author for DKIM. I'm not aware of anything that uses more than that.
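
To see what RFC 5322 makes of the header Grant quotes, and what "first address only" leaves unused, here is an added Python example (not from this thread or from SpamAssassin) that uses the standard library's address-list parser. The sample From: values are constructed, with the thread's redacted addresses replaced by example domains. It also runs Mark's BAD_FROM_PSFC regex (dots escaped) on the same inputs, which shows the regex firing on a single address whose display name merely contains the domain and a comma, while the parsed address count does not.

```python
import re
from email.utils import getaddresses


def from_addresses(from_header):
    """Every (display-name, addr-spec) pair in a From: value.

    RFC 5322 section 3.4 lets From: carry an address-list, and a bare
    addr-spec with no angle brackets is a mailbox in its own right, so the
    parser returns it as a separate address rather than as part of a name.
    """
    unfolded = from_header.replace("\r\n", "").replace("\n", "")
    return [(name, addr) for name, addr in getaddresses([unfolded]) if addr]


def multi_from_with_our_domain(from_header, our_domain):
    """True when From: lists more than one address and one of them is in our domain."""
    addrs = [addr.lower() for _, addr in from_addresses(from_header)]
    suffix = "@" + our_domain.lower()
    return len(addrs) > 1 and any(a.endswith(suffix) for a in addrs)


def regex_rule(from_header, our_domain):
    """The thread's BAD_FROM_PSFC pattern, with the domain's dots escaped."""
    pattern = r"\S+\@" + re.escape(our_domain) + ","
    return re.search(pattern, from_header, re.IGNORECASE) is not None


# Constructed samples; the archive redacts the thread's real addresses.
DOMAIN = "psfc.example.edu"
# Two real addresses, folded the way Mark's header was.
TWO_ADDRESSES = 'struthers@psfc.example.edu,\r\n "Lorraine M." <lorraine@example.net>'
ONE_ADDRESS = '"Lorraine M." <lorraine@example.net>'
# One address whose quoted display name only looks like our address plus a comma.
NAME_ONLY = '"struthers@psfc.example.edu," <lorraine@example.net>'

if __name__ == "__main__":
    for label, value in (("two", TWO_ADDRESSES), ("one", ONE_ADDRESS), ("name", NAME_ONLY)):
        print(label, from_addresses(value),
              multi_from_with_our_domain(value, DOMAIN), regex_rule(value, DOMAIN))
```

The parsed check answers Grant's question directly: the bare addr-spec is a second mailbox, not a display name, and a rule that reasons about parsed addresses instead of raw text cannot be fooled by a quoted name that imitates one.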


Re: How to block email with multiple addresses in From:

2018-12-20 Thread Grant Taylor

On 12/20/2018 12:34 PM, Grant Taylor wrote:

Does SpamAssassin even handle two true From:addr(esses)?


I'm hoping someone will comment on the above question.

I'll have to go back and read pertinent RFCs to see how 
struth...@psfc.mit.edu is interpreted, seeing as how it's outside of 
double quotes, and not in angle brackets.


According to my re-read of § 3.4 of RFC 5322 (which the IETF's 
Datatracker indicates is current) it looks like struth...@psfc.mit.edu 
is indeed a legitimate address and not some form of human friendly name.


§ 3.4
address =   mailbox / group
mailbox =   name-addr / addr-spec
§ 3.4.1
addr-spec   =   local-part "@" domain

I'd love to see someone comment on how well SpamAssassin treats multiple 
From: addresses.




--
Grant. . . .
unix || die





Re: How to block email with multiple addresses in From:

2018-12-20 Thread Grant Taylor

On 12/20/2018 10:30 AM, Mark London wrote:
Hi - What's the best rule to catch email with multiple addresses in the 
From: line?  


¯\_(ツ)_/¯


I realize that rfc2822 allows it.


Does SpamAssassin even handle two true From:addr(esses)?  I.e.:

From:  , 

Does From:addr contain both of the from addresses?

But the only email we've ever received with multiple addresses, were spam, 
and even GMAIL.COM doesn't allow it:


I question if the examples that you're seeing are actually multiple 
From:addr(esses) or if it's not one From:addr(ess) and a creative From:name.



<<< 550-5.7.1 Messages with multiple addresses in From:
<<< 550 5.7.1 header are not accepted. e7si4119336qvp.159 - gsmtp


I would like to see the raw header that you tested, particularly to 
understand how it relates to the above question.



At the very least, I want to block emails that spoof my domain.


Aside:  I hope that you've already got other measures in place, like 
SPF, DKIM, DMARC, to thwart people spoofing your domain.  As a bonus, 
they also help other people detect when people are spoofing your domain.


I.e. I want to block email that has @psfc.mit.edu followed by a comma. 
For example:


From:struth...@psfc.mit.edu,
 "Lorraine M."


I'll have to go back and read pertinent RFCs to see how 
struth...@psfc.mit.edu is interpreted, seeing as how it's outside of 
double quotes, and not in angle brackets.  I don't know if it's treated 
as a raw From:addr(ess) or part of a weirdly formed From:name.



I tried to have a rule like:


It looks like you solved your own problem in a follow up.



--
Grant. . . .
unix || die





Re: How to block email with multiple addresses in From: IGNORE ME.

2018-12-20 Thread Mark London

Sorry, I meant this doesn't work:

header BAD_FROM_PSFC From: =~ /^\S+\@psfc\.mit\.edu,/i

Without the ^ It does work:

header BAD_FROM_PSFC From: =~ /\S+\@psfc\.mit\.edu,/i

So I just tried:

header BAD_FROM_PSFC From: =~ /^\W*\S+\@psfc\.mit\.edu,/i

And that works, although I don't know why I need the \W*.   But, 
whatever!   Never mind. - Mark


On 12/20/2018 12:30 PM, Mark London wrote:

Hi - What's the best rule to catch email with multiple addresses in the From: 
line?  I realize that rfc2822 allows it.  But the only email we've ever received 
with multiple addresses, were spam, and even GMAIL.COM doesn't allow it:

<<< 550-5.7.1 Messages with multiple addresses in From:
<<< 550 5.7.1 header are not accepted. e7si4119336qvp.159 - gsmtp

At the very least, I want to block emails that spoof my domain.  I.e. I want to 
block email that has @psfc.mit.edu followed by a comma.  For example:

From:struth...@psfc.mit.edu,
 "Lorraine M."

I tried to have a rule like:

header BAD_FROM_PSFC From: =~ /\S+\@psfc\.mit\.edu,/i

This rule gets triggered when I run spamassassin manually on the email.   But it 
doesn't get triggered on actual incoming email.   I even tried:

header BAD_FROM_PSFC ALL =~ /From: \S+\@psfc\.mit\.edu,/i

It's still not triggered.  Any ideas?  Thanks. - Mark
  





How to block email with multiple addresses in From:

2018-12-20 Thread Mark London

Hi - What's the best rule to catch email with multiple addresses in the From: 
line?  I realize that rfc2822 allows it.  But the only email we've ever received 
with multiple addresses, were spam, and even GMAIL.COM doesn't allow it:

<<< 550-5.7.1 Messages with multiple addresses in From:
<<< 550 5.7.1 header are not accepted. e7si4119336qvp.159 - gsmtp

At the very least, I want to block emails that spoof my domain.  I.e. I want to 
block email that has @psfc.mit.edu followed by a comma.  For example:

From: struth...@psfc.mit.edu,
"Lorraine M. " 

I tried to have a rule like:

header BAD_FROM_PSFC From: =~ /\S+\@psfc\.mit\.edu,/i

This rule gets triggered when I run spamassassin manually on the email.   But it 
doesn't get triggered on actual incoming email.   I even tried:

header BAD_FROM_PSFC ALL =~ /From: \S+\@psfc\.mit\.edu,/i

It's still not triggered.  Any ideas?  Thanks. - Mark
 



Advice on how to block via a mail domain in maillog

2014-08-29 Thread emailitis.com
I have a lot of Spam getting into our mail servers where the common thread
is cloudapp

 

/root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl:
qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458
6225 comp...@franking-expert.co.uk u...@domain.com Saving_by_Switching
3442703078ef969a9f97133682d9e...@expert.cloudapp.net
1409137091.12021-1.plesk3.hostname.co.uk:3019
1409137091.12021-0.plesk3.emailitis.co.uk:1263
orig-plesk3.hostname.co.uk140913709079712013:6225

 

And the hyperlinks in the emails are http://expert.cloudapp.net/. 

 

Please could you advise on how I can block by the information on the maillog
on that, or using a rule which checks the URL to include the above thread?

 

Many thanks in advance for any help,

 

Christoph 

 



Re: Advice on how to block via a mail domain in maillog

2014-08-29 Thread Kevin A. McGrail

On 8/29/2014 5:48 AM, emailitis.com wrote:


I have a lot of Spam getting into our mail servers where the common 
thread is cloudapp


/root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 
qmail-scanner-queue.pl: qmail-scanner[12013]: 
Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225 
comp...@franking-expert.co.uk u...@domain.com Saving_by_Switching 
3442703078ef969a9f97133682d9e3f1@*expert.cloudapp.net* 
1409137091.12021-1.plesk3.hostname.co.uk:3019 
1409137091.12021-0.plesk3.emailitis.co.uk:1263 
orig-plesk3.hostname.co.uk140913709079712013:6225


And the hyperlinks in the emails are http://expert.cloudapp.net/.

Please could you advise on how I can block by the information on the 
maillog on that, or using a rule which checks the URL to include the 
above thread?


Many thanks in advance for any help,

Christoph


Christoph,

There is a new feature in trunk that I believe will help you easily 
called URILocalBL.pm


See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060

Philip, your thoughts?

Regards,
KAM


Re: Advice on how to block via a mail domain in maillog

2014-08-29 Thread Axb

On 08/29/2014 02:45 PM, Kevin A. McGrail wrote:

On 8/29/2014 5:48 AM, emailitis.com wrote:


I have a lot of Spam getting into our mail servers where the common
thread is cloudapp

/root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3
qmail-scanner-queue.pl: qmail-scanner[12013]:
Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225
comp...@franking-expert.co.uk u...@domain.com Saving_by_Switching
3442703078ef969a9f97133682d9e3f1@*expert.cloudapp.net*
1409137091.12021-1.plesk3.hostname.co.uk:3019
1409137091.12021-0.plesk3.emailitis.co.uk:1263
orig-plesk3.hostname.co.uk140913709079712013:6225

And the hyperlinks in the emails are http://expert.cloudapp.net/.

Please could you advise on how I can block by the information on the
maillog on that, or using a rule which checks the URL to include the
above thread?

Many thanks in advance for any help,

Christoph


Christoph,

There is a new feature in trunk that I believe will help you easily
called URILocalBL.pm


or with SA 3.4

blacklist_uri_host expert.cloudapp.net

or if you want it wider

blacklist_uri_host cloudapp.net

can't be easier than that.



Re: Advice on how to block via a mail domain in maillog

2014-08-29 Thread Philip Prindeville

On Aug 29, 2014, at 6:45 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:

 On 8/29/2014 5:48 AM, emailitis.com wrote:
 I have a lot of Spam getting into our mail servers where the common thread 
 is cloudapp
  
 /root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl: 
 qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 
 6225 comp...@franking-expert.co.uk user@domain.comSaving_by_Switching 
 3442703078ef969a9f97133682d9e...@expert.cloudapp.net 
 1409137091.12021-1.plesk3.hostname.co.uk:3019 
 1409137091.12021-0.plesk3.emailitis.co.uk:1263 
 orig-plesk3.hostname.co.uk140913709079712013:6225
  
 And the hyperlinks in the emails are http://expert.cloudapp.net/.
  
 Please could you advise on how I can block by the information on the maillog 
 on that, or using a rule which checks the URL to include the above thread?
  
 Many thanks in advance for any help,
  
 Christoph
  
 Christoph,
 
 There is a new feature in trunk that I believe will help you easily called 
 URILocalBL.pm
 
 See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060
 
 Philip, your thoughts?
 
 Regards,
 KAM


That should do it.

There’s a configuration example in the bug, and POD documentation in the 
plugin, but in this particular case you’d do something like:

uri_block_cidr L_BLOCK_CLOUDAPP 191.237.208.246
body L_BLOCK_CLOUDAPP   eval:check_uri_local_bl()
describe L_BLOCK_CLOUDAPP   Block URI’s pointing to expert.cloudapp.net
score L_BLOCK_CLOUDAPP  5.0

You should be able to drop in the patch fairly easily.

-Philip





Re: Advice on how to block via a mail domain in maillog

2014-08-29 Thread Karsten Bräckelmann
On Fri, 2014-08-29 at 12:43 -0600, Philip Prindeville wrote:
 On Aug 29, 2014, at 6:45 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:
  On 8/29/2014 5:48 AM, emailitis.com wrote:

   I have a lot of Spam getting into our mail servers where the common
   thread is cloudapp

You guys realize cloudapp.net is Microsoft Azure, don't you?


   And the hyperlinks in the emails are http://expert.cloudapp.net/.
   
   Please could you advise on how I can block by the information on
   the maillog on that, or using a rule which checks the URL to include
   the above thread?

SA does not block.


  There is a new feature in trunk that I believe will help you easily
  called URILocalBL.pm

 That should do it.
 
 There’s a configuration example in the bug, and POD documentation in
 the plugin, but in this particular case you’d do something like:
 
 uri_block_cidr L_BLOCK_CLOUDAPP   191.237.208.246
 body L_BLOCK_CLOUDAPP eval:check_uri_local_bl()

That seems an overly complicated variant of a simple uri regex rule. And
it really depends on the IP to match a URI? And manually looking it up?

  uri URI_EXPERT_CLOUDAPP  m~^https?://expert\.cloudapp\.net$~


 describe L_BLOCK_CLOUDAPP Block URI’s pointing to expert.cloudapp.net
 score L_BLOCK_CLOUDAPP5.0

SA does not block. *sigh*


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h<<=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
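
Karsten's point is that a single uri rule does the job, and that cloudapp.net is shared Azure address space, so how wide the match is matters. The added Python below (not code from this thread or from SpamAssassin) extracts the hostnames from a constructed body and checks them against a blocklist two ways, exact host only or host plus any listed parent domain, so the difference between blocking expert.cloudapp.net and blocking all of cloudapp.net is visible on the same input. The body text and the hostnames other than expert.cloudapp.net are constructed.

```python
import re
from urllib.parse import urlsplit

# Plain-text URL extractor for the demo. SpamAssassin's own URI extraction is
# broader (HTML attributes, bare hostnames), so treat this as a stand-in.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def uri_hosts(body):
    """Lower-cased hostname of every http(s) URL in the body, in order."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def blocked_uri_hosts(body, blocklist, include_subdomains=False):
    """Hosts in the body that are on the blocklist.

    include_subdomains=False: only an exact host match (expert.cloudapp.net).
    include_subdomains=True: a listed parent domain (cloudapp.net) also
    matches every host under it. The bare TLD is never consulted.
    """
    hits = []
    for host in uri_hosts(body):
        if host in blocklist:
            hits.append(host)
            continue
        if include_subdomains:
            labels = host.split(".")
            parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
            if any(parent in blocklist for parent in parents):
                hits.append(host)
    return hits


# Constructed body in the style of the "Saving by Switching" mail from the log.
BODY = """Saving by Switching!
See the offer at http://expert.cloudapp.net/ before it ends.
Terms: https://docs.example.org/terms
Unrelated Azure-hosted link: http://other-tenant.cloudapp.net/app
"""

if __name__ == "__main__":
    print(blocked_uri_hosts(BODY, {"expert.cloudapp.net"}))
    print(blocked_uri_hosts(BODY, {"cloudapp.net"}, include_subdomains=True))
```

The second call is the one Axb's wider `blacklist_uri_host cloudapp.net` corresponds to in spirit: it catches the unrelated tenant as well, which is the collateral damage Karsten is warning about.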



How to block a network

2010-07-16 Thread Igor Chudov
I receive a large number of spams from network IPs belonging to
SharkTech, 70.39.69.99 or so and so on.

They advertise romantic encounters with people born prior to 50 years
ago, small increment auctions, ability to borrow money using house as
collateral, and other scams. Examples are here:

http://igor.chudov.com/tmp/spam011.txt

I am being hit pretty badly and feel annoyed.

How can I write a rule to blacklist a whole IP subnet.

Any ideas?

If anyone knows what I am doing wrong so that these spams do not
score, please let me know. I am using Ubuntu Lucid, which is pretty
recent.


Re: How to block a network

2010-07-16 Thread Karsten Bräckelmann
Block? In your MTA. Reject them based on the connecting IP.

On Fri, 2010-07-16 at 14:07 -0500, Igor Chudov wrote:
 I receive a large number of spams from network IPs belonging to
 SharkTech, 70.39.69.99 or so and so on.

 I am being hit pretty badly and feel annoyed.
 
 How can I write a rule to blacklist a whole IP subnet.

  spamassassin -D < spam.msg 2>&1 | grep X-Spam-Relays-Untrusted

Write a rule, that hits on that. Every relay is enclosed in square
brackets, so using /[^\]]+/ instead of /.+/ will prevent deep parsing,
if you want to match the rdns or helo, for example.

  header SHARKTECH  X-Spam-Relays-Untrusted =~ /^\[ ip=70\.39\.69\./

Changing the RE part for the IP to actually match the entire
70.39.64.0/18 network, or whatever you feel appropriate, is left as an
exercise to the OP. :)

Another option might be to use a wildcard blacklist, with the rDNS of
the sender. See the docs for details.

  blacklist_from_rcvd  * rdns.example.net


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h<<=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: How to block a network

2010-07-16 Thread Ned Slider

On 16/07/10 20:07, Igor Chudov wrote:

I receive a large number of spams from network IPs belonging to
SharkTech, 70.39.69.99 or so and so on.

They advertise romantic encounters with people born prior to 50 years
ago, small increment auxions, ability to borrow money using house as
collateral, and other scams. Examples are here:

http://igor.chudov.com/tmp/spam011.txt

I am being hit pretty badly and feel annoyed.

How can I write a rule to blacklist a whole IP subnet.

Any ideas?

If anyone knows what I am doing wrong so that these spams do not
score, please let me know. I am using Ubuntu Lucid, which is pretty
recent.



To score in SpamAssassin, you could try something like:

header   RCVD_FROM_70_39_69  Received =~ /\[70\.39\.69\.\d{1,3}/
score    RCVD_FROM_70_39_69  1.0
describe RCVD_FROM_70_39_69  Received from 70.39.69.0/24

Obviously this is easier for /16, /24 subnets etc.

However, I would not bother scoring these hits in SA, but would rather 
block at the MTA level. Assuming you are running Postfix (as you're 
using Ubuntu), you can create a cidr format table to blacklist/whitelist 
IP addresses in cidr notation at the smtp level. For example, add to 
your smtpd_recipient_restrictions:


   check_client_access cidr:/etc/postfix/client.cidr

and create an /etc/postfix/client.cidr file like so:

# /etc/postfix/client.cidr
#
# See http://www.postfix.org/cidr_table.5.html
# *** No need to postmap this table ***
#
# Black/Whitelist for client IP addresses
#

70.39.69.99 REJECT
70.39.69.0/24   REJECT

and issue 'postfix reload' to pick up the changes.

Hope that helps.
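
Karsten's rule above keys on the first relay in X-Spam-Relays-Untrusted and, as written, covers only 70.39.69.0/24; Ned's Received: regex has the same limit. The added Python example below (not code from this thread or from SpamAssassin) parses the bracketed relay entries the way the /[^\]]+/ trick does and then does a real CIDR membership test with the ipaddress module, so a /18 or any other prefix is just a parameter. The pseudo-header values are constructed and their field layout (ip= rdns= helo= ...) is assumed to follow SpamAssassin's output; confirm it with the spamassassin -D command Karsten gives.

```python
import ipaddress
import re

# One relay = one bracketed group; [^\]]+ stops at the closing bracket, which
# is the same trick Karsten uses to keep a rule from spanning two relays.
RELAY_RE = re.compile(r"\[([^\]]+)\]")


def parse_relays(header_value):
    """Split an X-Spam-Relays-* value into one dict of key=value fields per relay."""
    relays = []
    for m in RELAY_RE.finditer(header_value):
        fields = {}
        for token in m.group(1).split():
            key, _, value = token.partition("=")
            fields[key] = value
        relays.append(fields)
    return relays


def first_relay_in_network(header_value, cidr):
    """True when the first (outermost untrusted) relay's IP lies in the CIDR block."""
    relays = parse_relays(header_value)
    if not relays or "ip" not in relays[0]:
        return False
    return ipaddress.ip_address(relays[0]["ip"]) in ipaddress.ip_network(cidr)


def any_relay_in_network(header_value, cidr):
    """True when any untrusted relay's IP lies in the CIDR block."""
    net = ipaddress.ip_network(cidr)
    return any("ip" in r and ipaddress.ip_address(r["ip"]) in net
               for r in parse_relays(header_value))


def sharktech_regex_rule(header_value):
    """Karsten's SHARKTECH rule as written: anchored to the first relay, /24 only."""
    return re.search(r"^\[ ip=70\.39\.69\.", header_value) is not None


# Constructed pseudo-header values (field layout assumed, see lead-in).
IN_SLASH24 = ("[ ip=70.39.69.99 rdns=host99.example-hoster.net helo=mail.example-hoster.net "
              "by=mx.example.net ident= envfrom= intl=0 id=A1B2C3 auth= msa=0 ]")
IN_SLASH18_ONLY = ("[ ip=70.39.100.7 rdns= helo=mail.example-hoster.net "
                   "by=mx.example.net ident= envfrom= intl=0 id=D4E5F6 auth= msa=0 ]")
# Two hops: a forwarder first, the SharkTech address behind it.
TWO_HOPS = ("[ ip=198.51.100.4 rdns=relay.example.org helo=relay.example.org "
            "by=mx.example.net ident= envfrom= intl=0 id=G7H8I9 auth= msa=0 ] "
            "[ ip=70.39.69.99 rdns= helo=x by=relay.example.org ident= envfrom= "
            "intl=0 id=J0K1L2 auth= msa=0 ]")

if __name__ == "__main__":
    for value in (IN_SLASH24, IN_SLASH18_ONLY, TWO_HOPS):
        print(sharktech_regex_rule(value),
              first_relay_in_network(value, "70.39.64.0/18"),
              any_relay_in_network(value, "70.39.64.0/18"))
```

Keying on the first relay is deliberate: it is the host that actually connected to you, which is also the one a Postfix cidr table like Ned's would reject before SpamAssassin ever sees the message.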



Re: [sa] How to block a network

2010-07-16 Thread Charles Gregory

On Fri, 16 Jul 2010, Igor Chudov wrote:

I receive a large number of spams from network IPs belonging to
SharkTech, 70.39.69.99 or so and so on.


Does Ubuntu use 'iptables' firewall? Throw it in there, and
forget even the wasted initial SMTP connections.

- C


Re: [sa] How to block a network

2010-07-16 Thread John Hardin

On Fri, 16 Jul 2010, Charles Gregory wrote:


On Fri, 16 Jul 2010, Igor Chudov wrote:

 I receive a large number of spams from network IPs belonging to
 SharkTech, 70.39.69.99 or so and so on.


Does UBuntu use 'iptables' firewall? Throw it in there, and
forget even the wasted initial SMTP connections.


Better still, do what I would do and tarpit them.

http://www.impsec.org/~jhardin/antispam/spammer-firewall

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws aren't enacted to control guns, they are enacted
  to control people: catholics (1500s), japanese peasants (1600s),
  blacks (1860s), italian immigrants (1911), the irish (1920s),
  jews (1930s), blacks (1960s), the poor (always)
---
 Today: the 65th anniversary of the dawn of the Atomic Age


Re: How to block the bat!

2007-10-23 Thread OliverScott

If you want to reduce the spam you get which claims to be from the bat then
do the following:

Create a rule which looks for the bat as a header with a 0.001 score.

Create a meta rule which looks for email which is caught by the above rule
AND hits Bayes_99 AND/OR (you choose based on how worried you are about FPs)
which hits BOTNET. Give this meta rule a score of 5 or more.

That's how I would handle it (if my current config weren't already catching
all these emails).



Re: How to block the bat!

2007-10-22 Thread Michelle Konzack
Am 2007-10-17 22:08:53, schrieb cpayne:
 Guys,
 
 I am getting a lot mail which I know is from a mail program use by 
 spammers,  called the bat.
 
 I like to know how can I write a rule to give lets say two or three 
 points for this in the header.
 
 X-Mailer: The Bat! (v2.00.6) Educational
 
 Thanks for any help you can give me. 

I have the same problem...  (Bat and Outlook) and I use procmail and a
small script to get rid of forged User-Agents

I do:

Filter all incoming Bat/Outlook messages into a possible_spam folder
and store the From/To/Cc in a flat database.  If the From: appears a
second time, move both messages into a folder for manual_approval.
If the sender is OK, whitelist it and the messages will bypass the
possible_spam folder.

(I am on the Debian BTS and there I get per day over 1000 Outlook spams)

Thanks, Greetings and nice Day
Michelle Konzack
Tamay Dogan Network


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSN LinuxMichi
0033/6/6192519367100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: How to block the bat!

2007-10-18 Thread Loren Wilton

But no spammer is going to be foolish enough to put:

User-Agent: Storm Worm Botnet v 3.12.0


Well, that sort of thing did happen in the early days of spamming, when the 
spam tool used would advertise itself.  I never figured out who the intended 
audience was.  I suppose the assumption was that the recipients would be so 
impressed with the quality of the spam delivery that they would want to buy 
a copy and make their own spams.




But we can all dream... :)


Yup.  :-)

   Loren




Re: How to block the bat!

2007-10-18 Thread Jeff Chan
Quoting Matt Kettler [EMAIL PROTECTED]:

 cpayne wrote:
  Robert Braver wrote:
  Hello Payne,
 
  On Wednesday, October 17, 2007, 9:08:53 PM, you wrote:
 
  c I am getting a lot mail which I know is from a mail program use by
  c spammers,  called the bat.
 
 
  Yea, I did a search. And found you are right, shame that most of the
  spam I am using is coming from the mail program.

 Correction. The spam *claims* to be coming from The Bat!.

  With near perfect certainty, I can tell you the spam was not generated
 by The Bat, Outlook, or whatever other program might appear in the
 User-Agent or X-Mailer header. It is no more believable than the From:
 header, and it is forged just as often (ie: nearly always). It is
 generally advisable for spammers to fake this header to look like a real
 mail client, as best they can, because it makes spam detection harder.
 So they do.

 In reality nearly all spam is generated by custom software that runs in
 the background on infected PCs in botnets.

Matt is right.  Please don't block all mail from The Bat.  The Bat is one of the
best Windows mail clients available.  It is better than any open source Linux
graphical mail client I could find.  The Bat has extensive sorting and
filtering by folder using PCRE perl regular expressions.

Just because some spamware claims to be The Bat does not mean it is.

Jeff C.


Re: How to block the bat!

2007-10-18 Thread Matthias Haegele

Robert Braver schrieb:

Hello Payne,

On Wednesday, October 17, 2007, 9:43:25 PM, you wrote:

c spam I am using is coming from the mail program.

c http://www.ritlabs.com/en/products/thebat/

Just to be clear, I doubt highly that the spam you are seeing is
coming from an actual copy of The Bat.

Spamassassin will tag and score messages that claim to be from the
Bat that it can tell isn't really (just as is does for obviously
false Outlook x-mailer headers).  The only problem is that this rule
falsely fires sometimes on messages that have been relayed through a
mailing list.


Exactly. Is there a known workaround for this (false hits with 
Bat messages sent through a ML)?

What would you suggest?

I am having this problem regarding a German mailing list:
(the AWL score seems to be too quick and dirty ...)


X-Spam-Status: No, score=2.763 required=3.5 tests=[AWL=0.521, BAYES_00=-2.599,
FORGED_MUA_THEBAT_CS=2.2, REPTO_OVERQUOTE_THEBAT=2.641]
X-Mailer: The Bat! (v3.99.24) Professional


The user is known to me and he is using The Bat.

btw:
It seems to be the same with Microsoft Internet Mail Service.






--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



How to block the bat!

2007-10-17 Thread cpayne

Guys,

I am getting a lot of mail which I know is from a mail program used by 
spammers, called the bat.


I'd like to know how I can write a rule to give, let's say, two or three 
points for this in the header.


X-Mailer: The Bat! (v2.00.6) Educational

Thanks for any help you can give me. 


Payne




Re: How to block the bat!

2007-10-17 Thread Robert Braver
Hello Payne,

On Wednesday, October 17, 2007, 9:08:53 PM, you wrote:

c I am getting a lot mail which I know is from a mail program use by 
c spammers,  called the bat.

This comes up on the list from time to time.

No, The Bat is a legitimate email client (such as Outlook and
Eudora) which, like Outlook and Eudora, is often falsely inserted
into the headers by spamware.

I first thought that The Bat was spamware when I first saw it in
spam headers.  I quickly found out that it was not, and after
looking into it further, found it to be the Windows email client
that I dislike the least.  I've been using it now for over 5 years.

-- 
Best regards,
 Robert Braver
 [EMAIL PROTECTED]



Re: How to block the bat!

2007-10-17 Thread cpayne

Robert Braver wrote:

Hello Payne,

On Wednesday, October 17, 2007, 9:08:53 PM, you wrote:

c I am getting a lot mail which I know is from a mail program use by 
c spammers,  called the bat.


This comes up on the list from time to time.

No, The Bat is a legitimate email client (such as Outlook and
Eudora) which, like Outlook and Eudora, is often falsely inserted
into the headers by spamware.

I first thought that The Bat was spamware when I first saw it in
spam headers.  I quickly found out that it was not, and after
looking into it further, found it to be the Windows email client
that I dislike the least.  I've been using it now for over 5 years.

  
Yea, I did a search. And found you are right, shame that most of the 
spam I am using is coming from the mail program.


http://www.ritlabs.com/en/products/thebat/

Oh. Well. Thanks.


Re: How to block the bat!

2007-10-17 Thread Matt Kettler
cpayne wrote:
 Robert Braver wrote:
 Hello Payne,

 On Wednesday, October 17, 2007, 9:08:53 PM, you wrote:

 c I am getting a lot mail which I know is from a mail program use by
 c spammers,  called the bat.

  
 Yea, I did a search. And found you are right, shame that most of the
 spam I am using is coming from the mail program.

Correction. The spam *claims* to be coming from The Bat!.

 With near perfect certainty, I can tell you the spam was not generated
by The Bat, Outlook, or whatever other program might appear in the
User-Agent or X-Mailer header. It is no more believable than the From:
header, and it is forged just as often (ie: nearly always). It is
generally advisable for spammers to fake this header to look like a real
mail client, as best they can, because it makes spam detection harder.
So they do.

In reality nearly all spam is generated by custom software that runs in
the background on infected PCs in botnets.

Think about it, the mail viruses that infected the PC in the first place
can generate emails to spread themselves.. Spamming activity is simply
good reuse of the same code.

So, your spam was probably generated by a fragment of code from the
Storm worm, mydoom, bagel, etc, possibly glued together with some other
code for the differing payload needs.

But no spammer is going to be foolish enough to put:

User-Agent: Storm Worm Botnet v 3.12.0

But we can all dream... :)





How to block this?

2007-03-25 Thread Robert Fitzpatrick
I am getting a lot of these. We use pretty much all the rules at rules 
emporium, but nothing over 0 level, as well as do our sa-update (which 
doesn't seem to have updated since Feb 24?, maybe the problem?). I also 
use the KAM.cf file and FuzzyOcr. I even tried disabling bayes after this 
week's discussion, but no help. I get a few variations of this spam:


Our Last pick Doubled in 48 hours

Ground floor to the future

Critical CARE NEW

SYm-C.C.T.I

Extremely b ullish at 20 Cents

Watch it like a hawk




How to block yahoogroups?

2007-02-11 Thread Firdaus Tjahyadi

Dear All

I'm having trouble blocking a few yahoogroups mailing lists.
I want to block these lists:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

but I didn't want to block this list:

[EMAIL PROTECTED]

How do I set that rule?

I've tried setting it in badmailfrom but it didn't work because yahoogroups is sent
by @ returns.groups.yahoo.com
I've tried to set it in my local.cf spamassassin like this: blacklist_from
[EMAIL PROTECTED]
but it didn't work either.

thanks for any help


RE: How to block yahoogroups?

2007-02-11 Thread Philip Seccombe
Can you blacklist @ returns.groups.yahoo.com and then whitelist
[EMAIL PROTECTED] or something?

 

I'm not sure how the yahoo groups work, but is the reply address
specific to each group or does it get sent from the person to the group
address like this list?

 

Kind Regards,

Philip Seccombe

Turnstone Technologies NZ Limited

 

Phone: +64 9 970 5550

Fax: +64 9 970 5559

DDI: +64 9 970 5552

Email: [EMAIL PROTECTED] 

Web: www.turnstone.co.nz 

 




Re: How to block yahoogroups? (fwd)

2007-02-11 Thread Doni Indrawan

You could use the e-mail properties of Yahoo Groups mailing lists such as
List-Unsubscribe, List-Post or Mailing-List. Set a score for each
property.






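The approach Doni describes, as an added example that is not code from this thread: match the Yahoo Groups list headers rather than the shared envelope sender, and exempt the one group you want to keep. The group names ("wanted-group", "junk-one") are hypothetical, the header shapes are written from memory of how Yahoo Groups stamped Mailing-List and List-Id and should be checked against a real message, and the sample headers are constructed. The regexes are the same ones you would put in the equivalent SpamAssassin header rules, shown in the comments.

```python
import email
import re

# Added example: block mail from some Yahoo Groups lists while keeping one.
# Group names are hypothetical.  Equivalent SpamAssassin local.cf rules:
#   header __YG_LIST    Mailing-List =~ /\@yahoogroups\.com\b/i
#   header __YG_KEEP    Mailing-List =~ /^list\s+wanted-group\@yahoogroups\.com\b/i
#   meta   YG_UNWANTED  __YG_LIST && !__YG_KEEP
#   score  YG_UNWANTED  10

KEEP_GROUPS = {"wanted-group"}    # hypothetical: the one list to let through
YG_SCORE = 10.0

# Assumed header shapes (check against a real message):
#   Mailing-List: list <group>@yahoogroups.com; contact <group>-owner@yahoogroups.com
#   List-Id: <<group>.yahoogroups.com>
# Either carries the group name, so match on those rather than on the
# envelope sender (@returns.groups.yahoo.com), which every group shares.
MAILING_LIST_RE = re.compile(r"^list\s+([\w.-]+)@yahoogroups\.com", re.I)
LIST_ID_RE = re.compile(r"<([\w.-]+)\.yahoogroups\.com>", re.I)


def yahoogroup_name(raw: str):
    """Return the Yahoo Groups group a raw message came through, or None."""
    msg = email.message_from_string(raw)
    m = MAILING_LIST_RE.search(msg.get("Mailing-List", ""))
    if not m:
        m = LIST_ID_RE.search(msg.get("List-Id", ""))
    return m.group(1).lower() if m else None


def score(raw: str) -> float:
    """Mirror the meta rule: list mail not on the keep list gets YG_SCORE."""
    group = yahoogroup_name(raw)
    if group is None or group in KEEP_GROUPS:
        return 0.0
    return YG_SCORE


# Constructed sample headers (not captured traffic); bodies are placeholders.
UNWANTED = (
    "Return-Path: <sentto-1-2-user=example.com@returns.groups.yahoo.com>\n"
    "Mailing-List: list junk-one@yahoogroups.com; contact junk-one-owner@yahoogroups.com\n"
    "List-Id: <junk-one.yahoogroups.com>\n"
    "From: poster@example.net\nSubject: offer\n\nbody\n"
)
WANTED = (
    "Return-Path: <sentto-1-3-user=example.com@returns.groups.yahoo.com>\n"
    "Mailing-List: list wanted-group@yahoogroups.com; contact wanted-group-owner@yahoogroups.com\n"
    "List-Id: <wanted-group.yahoogroups.com>\n"
    "From: friend@example.net\nSubject: meeting\n\nbody\n"
)
DIRECT = "From: friend@example.net\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("unwanted", UNWANTED), ("wanted", WANTED), ("direct", DIRECT)):
        print(f"{label:9} group={yahoogroup_name(raw)!s:13} score={score(raw)}")
```

With a long list of groups to block it is simpler to keep the allow-list short, as above, and score everything else from yahoogroups.com; blacklisting the envelope sender, as suggested earlier in the thread, cannot tell the groups apart because they all relay through the same returns.groups.yahoo.com address.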



Re: How to block these

2006-10-21 Thread Benny Pedersen

On Fri, October 20, 2006 11:26, Andreas Pettersson wrote:

 body   CATCHY_RULE   /The message contains Unicode characters /
 score  CATCHY_RULE   50

 Use with care :)

sure unicode is 8bit :-)


same goes for spam that start with

Dear client

without proving the client records :-)

-- 
This message was sent using 100% recycled spam mails.



How to block these

2006-10-20 Thread Suhas \(QualiSpace\)








I am getting lots of mails like this. How to block it?

Subject: Good day

The message contains Unicode characters and has been sent
as a binary attachment.

Warm Regards,
Suhas
System Administrator
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com
QualiSpace Community Discussion forum: http://forum.qualispace.com










Re: How to block these

2006-10-20 Thread hamann . w
 
 I am getting lots of mails like this. How to block it?

 Subject: Good day

 The message contains Unicode characters and has been sent
 as a binary attachment.

 Warm Regards,
 Suhas

Hi,

have you tried a virus scanner on them? The Unicode letters might form a
valid Windows binary.

Wolfgang Hamann



RE: How to block these

2006-10-20 Thread Suhas \(QualiSpace\)
It is even getting slipped through the AV.

Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com 
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com 
QualiSpace Community Discussion forum: http://forum.qualispace.com







How to block this email??

2005-06-20 Thread Bryan Haase
Does anyone have a rule that will score foreign characters or characters with
the dashes on top?
Below is an example email that is not scoring at all for me.

Thanks
Bryan


 berton laurence [EMAIL PROTECTED] 6/18/2005 7:52 PM 
   ТРАНСБЛОК XXI


Наша компания оказывает юридические 
услуги в области налогооблажения:

- Возмещение НДС 

после проведения правовой экспертизы 
финансово-хозяйственной деятельности 
Вашей компании мы обеспечиваем 
поступление денег на ваш расчетный счет.

- Представительство и защита интересов 
вашей компании в арбитражных судах и судах 
общей юрисдикции, во всех государственных 
органах, включая налоговые и таможенные 
органы.

-Регистрация предприятий различных форм 
собственности. 

Телефон: 8(926)530-13-94


-
This email transmission and any documents, files or previous
email messages attached to it may contain information that is
confidential or legally privileged. If you are not the intended
recipient, you are hereby notified that any disclosure, copying,
printing, distributing or use of this transmission is strictly
prohibited. If you have received this transmission in error,
please immediately notify the sender by telephone or return
email and delete the original transmission and its attachments
without reading or saving in any manner.

The Evangelical Lutheran Good Samaritan Society.
-


Re: How to block this email??

2005-06-20 Thread Joe Zitnik

I know some of the rules at SARE (http://www.rulesemporium.com/rules.htm) are aimed at English-only environments, and will score non-English e-mail higher. Look for the .cf files with _eng in the names.

 "Bryan Haase" [EMAIL PROTECTED] 6/20/2005 11:30 AM 
 Does anyone have a rule that will score foreign characters or characters with the dashes on top?
 Below is an example email that is not scoring at all for me.

 Thanks
 Bryan

  berton laurence [EMAIL PROTECTED] 6/18/2005 7:52 PM 
  ТРАНСБЛОК XXI
  ... [snip] ...
  Телефон: 8(926)530-13-94


Re: How to block this email??

2005-06-20 Thread Shelley Waltz
I had good luck eliminating this by using sa-learn. It took about 15
messages before the score went high enough to register as spam.

Shelley Waltz

Bryan Haase said:
 Does anyone have a rule that will score foreign characters or characters
 with the dashes on top?
 Below is an example email that is not scoring at all for me.

 Thanks
 Bryan


 berton laurence [EMAIL PROTECTED] 6/18/2005 7:52 PM 
 ТРАНСБЛОК XXI

 Наша компания оказывает юридические
 услуги в области налогооблажения:

 - Возмещение НДС

 после проведения правовой экспертизы
 финансово-хозяйственной деятельности
 Вашей компании мы обеспечиваем
 поступление денег на ваш расчетный счет.

 - Представительство и защита интересов
 вашей компании в арбитражных судах и судах
 общей юрисдикции, во всех государственных
 органах, включая налоговые и таможенные
 органы.

 -Регистрация предприятий различных форм
 собственности.

 Телефон: 8(926)530-13-94

 ... [snip] ...



{ Shelley Waltz;
  Center for Advanced Biotechnology and Medicine;
  Rutgers University/UMDNJ;
  679 Hoes Lane;
  Piscataway, NJ 08854;
  732 235 3346 }


Re: How to block this email??

2005-06-20 Thread Sean Sowell

Bryan Haase asked Monday, June 20, 2005 0830:

 Does anyone have a rule that will score foreign characters or characters with
 the dashes on top?
 Below is an example email that is not scoring at all for me.

 Thanks
 Bryan


  berton laurence [EMAIL PROTECTED] 6/18/2005 7:52 PM 
 ТРАНСБЛОК XXI

 Наша компания оказывает юридические
 услуги в области налогооблажения:

 - Возмещение НДС

 после проведения правовой экспертизы
 финансово-хозяйственной деятельности
 Вашей компании мы обеспечиваем
 поступление денег на ваш расчетный счет.

 - Представительство и защита интересов
 вашей компании в арбитражных судах и судах
 общей юрисдикции, во всех государственных
 органах, включая налоговые и таможенные
 органы.

 -Регистрация предприятий различных форм
 собственности.

 Телефон: 8(926)530-13-94

... [snip] ...

I am rather new to SpamAssassin, Bryan, but I hope this helps. There are two
default SA rules that may help here:

DESCRIPTION OF TEST / TEST NAME / Score
Character set indicates a foreign language / CHARSET_FARAWAY / 3.2
Message written in an undesired language / UNWANTED_LANGUAGE_BODY / 2.8

The points assigned _should_ be showing up. If they are but the messages are
still getting through, you could bump up the scores in your local.cf file, say
to 4.0 and 3.5. Then these messages might score above your threshold.

If these rules are not showing up at all, then something else is probably going
on, and hopefully somebody with more experience could offer you another solution
...

Anyway, these and the other default SA rules are on the wiki at
http://spamassassin.apache.org/tests_3_0_x.html.

Regards,

Sean Sowell
www.twin-dad.com
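The two stock rules Sean names, shown as a simplified Python stand-in; this is an added example, not code from the thread or from SpamAssassin. It assumes the mechanism only: the real CHARSET_FARAWAY decides from SpamAssassin's own charset-to-locale table against ok_locales, and the real UNWANTED_LANGUAGE_BODY uses its TextCat language guesser against ok_languages; the short charset map and the Cyrillic-versus-Latin letter count below are placeholders for those. The sample messages are constructed, with the Russian text taken from the message quoted above. Running it shows why both rules exist: the same body declared as utf-8 escapes the charset test and is caught only by the body-language test.

```python
import email
import re

# Added example: simplified stand-ins for CHARSET_FARAWAY and
# UNWANTED_LANGUAGE_BODY.  Assumption: the real tests use SpamAssassin's own
# charset table and its TextCat guesser; the map and ratio below only show
# the mechanism.  Equivalent local.cf knobs:
#   ok_locales   en
#   ok_languages en
#   score CHARSET_FARAWAY        4.0
#   score UNWANTED_LANGUAGE_BODY 3.5

OK_LOCALES = {"en"}
OK_LANGUAGES = {"en"}
SCORES = {"CHARSET_FARAWAY": 4.0, "UNWANTED_LANGUAGE_BODY": 3.5}

# Abbreviated charset -> locale map (assumption; SA's is much larger).
# utf-8 maps to None: a Unicode charset says nothing about the language.
CHARSET_LOCALE = {
    "us-ascii": "en", "iso-8859-1": "en", "windows-1252": "en",
    "koi8-r": "ru", "windows-1251": "ru", "cp1251": "ru", "iso-8859-5": "ru",
    "iso-2022-jp": "ja", "shift_jis": "ja", "euc-kr": "ko", "gb2312": "zh", "big5": "zh",
    "utf-8": None,
}

CYRILLIC = re.compile(r"[\u0400-\u04ff]")
LATIN = re.compile(r"[A-Za-z]")


def charset_faraway(charset) -> bool:
    """True when the declared charset belongs to a locale outside OK_LOCALES."""
    locale = CHARSET_LOCALE.get((charset or "us-ascii").lower())
    return locale is not None and locale not in OK_LOCALES


def guess_language(text: str):
    """Crude script-based guess: mostly Cyrillic letters -> 'ru', otherwise 'en'."""
    cyr, lat = len(CYRILLIC.findall(text)), len(LATIN.findall(text))
    if cyr + lat == 0:
        return None
    return "ru" if cyr > lat else "en"


def score(raw: bytes):
    """Return (rules that fired, total score) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    charset = msg.get_content_charset()
    body = msg.get_payload(decode=True).decode(charset or "us-ascii", errors="replace")
    fired = []
    if charset_faraway(charset):
        fired.append("CHARSET_FARAWAY")
    lang = guess_language(body)
    if lang is not None and lang not in OK_LANGUAGES:
        fired.append("UNWANTED_LANGUAGE_BODY")
    return fired, float(sum(SCORES[r] for r in fired))


def build(charset: str, text: str) -> bytes:
    """Construct a sample message (not real traffic) with the body in `charset`."""
    head = (
        "From: sender@example.net\nTo: you@example.com\nSubject: test\n"
        f"Content-Type: text/plain; charset={charset}\n"
        "Content-Transfer-Encoding: 8bit\n\n"
    )
    return head.encode("ascii") + text.encode(charset)


# Constructed samples; the Russian text is the opening of the message quoted in the thread.
RU_TEXT = "ТРАНСБЛОК XXI\n\nНаша компания оказывает юридические услуги.\nТелефон: 8(926)530-13-94\n"
SAMPLE_RU_1251 = build("windows-1251", RU_TEXT)   # foreign charset AND foreign body
SAMPLE_RU_UTF8 = build("utf-8", RU_TEXT)          # only the body test can catch this one
SAMPLE_EN = build("iso-8859-1", "Hello, here is the report you asked for.\n")

if __name__ == "__main__":
    for label, raw in (("ru/1251", SAMPLE_RU_1251), ("ru/utf-8", SAMPLE_RU_UTF8), ("en", SAMPLE_EN)):
        print(f"{label:9} {score(raw)}")
```

If neither rule shows up in the X-Spam-Status of a message like Bryan's, check ok_locales and ok_languages first: with either set to "all" the corresponding rule never fires, whatever score it carries.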



Re: How to block rolex spam

2004-12-03 Thread Tim Litwiller
Same as I am - hmm.
ok, check the /etc/mail/spamassassin.init.pre file for this list
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

Andrew Xiang wrote:
3.01
- Original Message - From: Tim Litwiller [EMAIL PROTECTED]
To: Andrew Xiang [EMAIL PROTECTED]
Sent: Thursday, December 02, 2004 7:51 PM
Subject: Re: How to block rolex spam

which version of spamassassin are you using?
comment out the URIBL sections and then test again
Andrew Xiang wrote:
I failed lint when I added:

spamassassin --lint
config: SpamAssassin failed to parse line, skipping: urirhssub URIBL_JP_SURBL  multi.surbl.org.A   64
Failed to run URIBL_JP_SURBL SpamAssassin test, skipping:
   (Can't locate object method check_uridnsbl via package
   Mail::SpamAssassin::PerMsgStatus (perhaps you forgot to load
   Mail::SpamAssassin::PerMsgStatus?) at
   /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 2296.
)
lint: 2 issues detected.  please rerun with debug enabled for more information.

local.cf:
urirhssub URIBL_JP_SURBL  multi.surbl.org.A   64
body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    URIBL_JP_SURBL  net

score     URIBL_JP_SURBL  4.0

- Original Message - From: Tim Litwiller [EMAIL PROTECTED]
To: Andrew Xiang [EMAIL PROTECTED]
Sent: Thursday, December 02, 2004 4:44 PM
Subject: Re: How to block rolex spam

It is a personal preference - I think it helps some, but I wouldn't use
it as the only Bayes learning.
The SURBL plugin in SA 3.* takes URLs found in email and compares those to
a URL blacklist - if the URL of an advertised site is listed in SURBL
it is most likely spam.

The rules are already in 3.0 but they are scored way too low.

Andrew Xiang wrote:

Is it a good idea to autolearn? The key file can get pretty large.
And what are those blacklists? How does it work?


# set bayes autolearning levels
bayes_auto_learn_threshold_nonspam -2.0
bayes_auto_learn_threshold_spam     8.0


# blacklist
#
urirhssub URIBL_PH_SURBL  multi.surbl.org.A   8
header    URIBL_PH_SURBL  eval:check_uridnsbl('URIBL_PH_SURBL')
describe  URIBL_PH_SURBL  Contains a URL listed in PH
tflags    URIBL_PH_SURBL  net
score     URIBL_PH_SURBL  5.0
urirhssub URIBL_JP_SURBL  multi.surbl.org.A   64
header    URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Contains a URL listed in JP
tflags    URIBL_JP_SURBL  net
score     URIBL_JP_SURBL  4.0
#-
#Global WBL entries
whitelist_from [EMAIL PROTECTED]
#-

---snip---
Andrew Xiang wrote:


can you send me your local.cf file?
thanks
Andrew
- Original Message - From: Tim Litwiller 
[EMAIL PROTECTED]
To: Andrew Xiang [EMAIL PROTECTED]
Sent: Thursday, December 02, 2004 3:23 PM
Subject: Re: How to block rolex spam




in your local.cf file add lines like
score RCVD_IN_BL_SPAMCOP_NET #
score RCVD_IN_DSBL #
score RCVD_IN_SORBS_HTTP #
score RCVD_IN_SORBS_MISC #
where # is the score you want that rule to use.
I have spamcop at 5
dsbl at 3.8
and I'm not using sorbs so I don't know what those actually contribute
to the score.
I did look through the rolex spam in my quarantine and they average a
score of 29.7.
Here are the SA headers from an average rolex spam - note the SURBL is
really pushing the score up on the linked domain.

X-Spam-Prev-Subject: Order Rolex or other Swiss watches online
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on mailhost.bccwebhosting.com
X-Spam-DCC: xmailer: mailhost 1192; Body=many Fuz1=many Fuz2=many
X-Spam-Report:
*  1.9 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.]
*  3.0 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
*  3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
*      [http://dsbl.org/listing?84.24.207.174]
*  5.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [Blocked - see http://www.spamcop.net/bl.shtml?84.24.207.174]
*  1.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*      [http://www.spamhaus.org/query/bl?ip=84.24.207.174]
*  0.0 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
*      [84.24.207.174 listed in dnsbl.sorbs.net]
*  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
*      [84.24.207.174 listed in dnsbl.sorbs.net]
*  1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
*      [URIs: bhex.com]
*  4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
*      [URIs: bhex.com]
*  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
*      [URIs: bhex.com]
*  3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
*      [URIs: bhex.com]
*  0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
*      [URIs: bhex.com]
*  2.7

Re: How to block rolex spam

2004-12-03 Thread Glenn Jackman
On 2004-12-02 10:10, Matt Kettler wrote:
 At 05:37 AM 12/2/2004 -0800, Loren Wilton wrote:
 
 body  __LW_OBREPLICA /\brepIicas?\b/i
 body  __LW_REPLICA /\breplicas?\b/i
 
 Loren, might I suggest using a lower-case I for the OB version? In some 
 sans-serif fonts (i.e. Arial) lower case l and upper case I are drawn the 
 same. At first glance I thought you'd made a typo and had entered the same 
 regex twice :)

Or use just one rule:  /\brep[li]icas?\b/i

-- 
Glenn Jackman
CF Sysadmin


How to block rolex spam

2004-12-02 Thread Ronald I. Nutter
I have been getting bombarded by spam trying to sell me Rolex watches of
one variety or another.  I have had experience writing rules as yet but
may need to start.  The following is the smtp header from one of the
messages.  cleta is my server running webshield before SA gets a hold of
it on another system.  What are my options on blocking this ?

Thanks,
Ron

Received: From datamar.com.ar ([61.248.28.182]) by cleta (WebShield SMTP v4.5 MR1a P0803.345);
 id 1101847291937; Tue, 30 Nov 2004 15:41:31 -0500
Received: from 138.153.251.19 by smtp.prim.is;
 Tue, 30 Nov 2004 20:45:02 +
Message-ID: [EMAIL PROTECTED]
From: Patty Leblanc [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Order Rolex or other Swiss watches online
Date: Wed, 01 Dec 2004 00:45:00 +0400
MIME-Version: 1.0
Content-Type: text/plain;
 charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=5.562 tagged_above=2 required=6.31 tests=BAYES_50,
 RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL,
 RCVD_IN_SORBS_HTTP, RCVD_IN_SORBS_MISC
X-Spam-Level: *
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 30 Nov 2004 20:41:39.0400 (UTC)
FILETIME=[FE04CC80:01C4D71C]


Ron Nutter  [EMAIL PROTECTED]
Network Manager
Information Technology Services    (502) 863-7002
Georgetown College
Georgetown, KY 40324-1696



Re: How to block rolex spam

2004-12-02 Thread Duncan Hill
On Thursday 02 December 2004 13:12, Ronald I. Nutter might have typed:
 I have been getting bombarded by spam trying to sell me Rolex watches of
 one variety or another.  I have had experience writing rules as yet but
 may need to start.  The following is the smtp header from one of the
 messages.  cleta is my server running webshield before SA gets a hold of
 it on another system.  What are my options on blocking this ?

Is mejc.com the URL, by any chance? If so, it should be in SURBL at least.


Re: How to block rolex spam

2004-12-02 Thread Loren Wilton
These are working for me.  They haven't been mass-checked yet, and the
scoring may be aggressive.

body  LW_ROLEX  /\broll?ex\b/i
score  LW_ROLEX  1
describe LW_ROLEX  Mentions Rolex

body  __LW_OBREPLICA /\brepIicas?\b/i
body  __LW_REPLICA /\breplicas?\b/i
body  __LW_WATCHES /\bwatch(?:es)?\b/i

meta  LW_ROLEXWATCH LW_ROLEX && __LW_WATCHES
score  LW_ROLEXWATCH 1
describe LW_ROLEXWATCH Mentions rolex watches

meta  LW_FAKEROLEX LW_ROLEX && __LW_REPLICA
score  LW_FAKEROLEX 5
describe LW_FAKEROLEX Talks about rolex and replicas

# e.g. "Want a cheap Rolex Watch?"
body  LW_WANTAROLEX /Want a (?:\w+ ){0,3}Rolex(?: Watch)?\?/i
score  LW_WANTAROLEX 5
describe LW_WANTAROLEX Asks if you want a rolex watch

meta  LW_ROLEXOBFU __LW_OBREPLICA && LW_ROLEX
score  LW_ROLEXOBFU 5
describe LW_ROLEXOBFU Obfuscating replica rolexes!


Loren
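Loren's rule set, with Glenn Jackman's merged /\brep[li]icas?\b/i from earlier in the thread standing in for __LW_REPLICA, evaluated over a few constructed bodies. This is an added example, not code from either poster: the regexes are the rule bodies above unchanged (they are valid in both Perl and Python), the scores are Loren's, and the sample messages are made up. It shows what each meta rule adds, that the capital-I "repIica" trick is missed by the plain /\breplicas?\b/i but caught by the merged form, and that a museum "replica" with no Rolex scores nothing.

```python
import re

# Added example: Loren Wilton's rolex rules evaluated in Python, with Glenn
# Jackman's merged replica regex in place of __LW_REPLICA.  Equivalent local.cf:
#   body  LW_ROLEX       /\broll?ex\b/i                                score 1
#   body  __LW_OBREPLICA /\brepIicas?\b/i                              (capital I for l)
#   body  __LW_REPLICA   /\brep[li]icas?\b/i                           (Glenn's merged form)
#   body  __LW_WATCHES   /\bwatch(?:es)?\b/i
#   body  LW_WANTAROLEX  /Want a (?:\w+ ){0,3}Rolex(?: Watch)?\?/i     score 5
#   meta  LW_ROLEXWATCH  LW_ROLEX && __LW_WATCHES                      score 1
#   meta  LW_FAKEROLEX   LW_ROLEX && __LW_REPLICA                      score 5
#   meta  LW_ROLEXOBFU   __LW_OBREPLICA && LW_ROLEX                    score 5

BODY_RULES = {
    "LW_ROLEX":       re.compile(r"\broll?ex\b", re.I),
    "__LW_OBREPLICA": re.compile(r"\brepIicas?\b", re.I),
    "__LW_REPLICA":   re.compile(r"\brep[li]icas?\b", re.I),
    "__LW_WATCHES":   re.compile(r"\bwatch(?:es)?\b", re.I),
    "LW_WANTAROLEX":  re.compile(r"Want a (?:\w+ ){0,3}Rolex(?: Watch)?\?", re.I),
}

# Loren's original, un-merged replica rule, kept only to show what it misses.
PLAIN_REPLICA_RE = re.compile(r"\breplicas?\b", re.I)

# meta rule -> sub-rules that must all have fired (SA's "A && B")
META_RULES = {
    "LW_ROLEXWATCH": ("LW_ROLEX", "__LW_WATCHES"),
    "LW_FAKEROLEX":  ("LW_ROLEX", "__LW_REPLICA"),
    "LW_ROLEXOBFU":  ("__LW_OBREPLICA", "LW_ROLEX"),
}

# Rules whose names start with "__" are sub-rules and carry no score of their own.
SCORES = {
    "LW_ROLEX": 1, "LW_ROLEXWATCH": 1, "LW_FAKEROLEX": 5,
    "LW_WANTAROLEX": 5, "LW_ROLEXOBFU": 5,
}


def hits(body: str) -> set:
    """Names of all rules (body and meta) that fire on this body text."""
    fired = {name for name, rx in BODY_RULES.items() if rx.search(body)}
    for name, parts in META_RULES.items():
        if all(p in fired for p in parts):
            fired.add(name)
    return fired


def score(body: str) -> int:
    """Total score, counting only rules that have a score (sub-rules add nothing)."""
    return sum(SCORES.get(name, 0) for name in hits(body))


# Constructed sample bodies (not real spam).
SPAM = "Want a cheap Rolex Watch? Our replica watches look exactly like the real thing."
OBFUSCATED = "Buy a repIica Rolex today, only $99."      # capital I in place of l
HAM = "The museum shop sells a replica of a 1920s pocket watch."

if __name__ == "__main__":
    for label, body in (("spam", SPAM), ("obfuscated", OBFUSCATED), ("ham", HAM)):
        print(f"{label:10} score={score(body):2}  {sorted(hits(body))}")
```

Note how the obfuscated body still reaches 11 without mentioning watches at all, because LW_FAKEROLEX and LW_ROLEXOBFU both fire on it; that is the point of keeping the sub-rules separate and scoring only the combinations.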



Re: How to block rolex spam

2004-12-02 Thread Tim Litwiller
Ronald I. Nutter wrote:
I have been getting bombarded by spam trying to sell me Rolex watches of
 

X-Spam-Status: No, hits=5.562 tagged_above=2 required=6.31 tests=BAYES_50,
 RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL,
 RCVD_IN_SORBS_HTTP, RCVD_IN_SORBS_MISC
X-Spam-Level: *
 

That email hit enough blacklists that it should have got marked, but you 
raised your required score to 6.31 and you didn't raise the blacklist 
scoring to match.

I'd add .3 to .5 to spamcop, DSBL and each of the SORBS.
I see a few rolex spam in my quarantine but I've never had one in my 
inbox yet.