Re: ATT RBL f---wits

2023-11-29 Thread Matus UHLAR - fantomas

On 29/11/2023 00:51, Tracy Greggs via users wrote:

Cableone is SOA on this zone, so they are the issue.

You can ask them to create a PTR for your static IP and hope for the 
best.  Most I have dealt with will do it as long as it's a 
commercial account.


On 29.11.23 07:24, Noel Butler wrote:
As I pointed out - but failed to copy/paste a couple extra lines - 
cableone have issues, earlier they were reporting SERVFAIL then it was 
unreachables.


I have tried now.

116.24.in-addr.arpa. is only delegated to two DNS servers and both of them have problems.


Name:   116.24.in-addr.arpa.
Updated:2004-08-10
NameServer: NS2.CABLEONE.NET
NameServer: NS1.CABLEONE.NET
Ref:https://rdap.arin.net/registry/domain/116.24.in-addr.arpa.

While the reverse zone on those servers has 4 NS records, it won't help until either of those servers can be reached to provide a cacheable response.


The fact OP showed google knowing his PTR says he should not have to have them add it manually; they need to fix what they already have - or they need to pay their bill :)


It's also why we don't accept reports here that "oh google says it's there", because google have a history of not honouring TTLs, and it always pays to use a DNS server that you don't think would have your zone cached, to get a fresh perspective.


correct.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: ATT RBL f---wits

2023-11-28 Thread Curtis Maurand




On 11/27/23 16:31, Philip Prindeville wrote:

We're being blacklisted by att.net with the following message:

(reason: 550 5.7.1 Connections not accepted from servers without a valid 
sender domain.flph840 Fix reverse DNS for 24.116.100.90)

I don't know what the hell is up with these pinheads:

philipp@ubuntu22:~$ dig -tmx redfish-solutions.com. @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -tmx redfish-solutions.com. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58379
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;redfish-solutions.com. IN MX

;; ANSWER SECTION:
redfish-solutions.com. 21600 IN MX 10 mail.redfish-solutions.com.

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:29 MST 2023
;; MSG SIZE  rcvd: 71

philipp@ubuntu22:~$ dig -ta mail.redfish-solutions.com. @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -ta mail.redfish-solutions.com. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19570
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail.redfish-solutions.com. IN A

;; ANSWER SECTION:
mail.redfish-solutions.com. 21600 IN A 24.116.100.90

;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:39 MST 2023
;; MSG SIZE  rcvd: 71

philipp@ubuntu22:~$ dig -x 24.116.100.90 @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -x 24.116.100.90 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2371
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;90.100.116.24.in-addr.arpa. IN PTR

;; ANSWER SECTION:
90.100.116.24.in-addr.arpa. 21600 IN PTR mail.redfish-solutions.com.

;; Query time: 68 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:55 MST 2023
;; MSG SIZE  rcvd: 95

philipp@ubuntu22:~$

So that's not the problem.  You're supposed to be able to get the blacklisting fixed 
if you email abuse_...@abuse-att.net  but I've 
emailed them from 3 different addresses and have yet to get a response much less a 
resolution.

Has anyone else had to deal with this bullocks and gotten it resolved?


That has never worked for me.  I've only been met with radio silence.



Re: ATT RBL f---wits

2023-11-28 Thread Noel Butler

On 29/11/2023 00:51, Tracy Greggs via users wrote:


Cableone is SOA on this zone, so they are the issue.

You can ask them to create a PTR for your static IP and hope for the 
best.  Most I have dealt with will do it as long as it's a commercial 
account.


As I pointed out - but failed to copy/paste a couple extra lines - 
cableone have issues, earlier they were reporting SERVFAIL then it was 
unreachables.


The fact OP showed google knowing his PTR says he should not have to have them add it manually; they need to fix what they already have - or they need to pay their bill :)


It's also why we don't accept reports here that "oh google says it's there", because google have a history of not honouring TTLs, and it always pays to use a DNS server that you don't think would have your zone cached, to get a fresh perspective.


--
Regards,
Noel Butler

Re: ATT RBL f---wits

2023-11-28 Thread Tracy Greggs via users

NO PTR for the IP.

Cableone is SOA on this zone, so they are the issue.

You can ask them to create a PTR for your static IP and hope for the 
best.  Most I have dealt with will do it as long as it's a commercial 
account.



-- Original Message --

From "Philip Prindeville" 

To users@spamassassin.apache.org
Date 11/27/2023 3:31:52 PM
Subject ATT RBL f---wits





Re: ATT RBL f---wits

2023-11-27 Thread Noel Butler

On 28/11/2023 08:59, Noel Butler wrote:


~$ host 24.116.100.90
;; connection timed out; no servers could be reached

Seems like AT&T *ARE* doing the correct thing and it is *YOU* with the problem. Before you start calling others f'wits, do better investigation: a dig trace indicates root servers don't know you.


Seems your IP provider is the one with problems; now I get an answer of sorts


~$ dig +trace -x 24.116.100.90

< snip >

116.24.in-addr.arpa. 86400 IN NS ns2.cableone.net.
116.24.in-addr.arpa. 86400 IN NS ns1.cableone.net.
116.24.in-addr.arpa. 10800 IN NSEC 117.24.in-addr.arpa. NS RRSIG NSEC
116.24.in-addr.arpa. 10800 IN RRSIG NSEC 8 4 10800 20231211213247 
20231127203247 6558 24.in-addr.arpa. 
ChfIccQU9mphSoPwTZf6Og2pumL3BRTQBGm7ZyFb5R8ycVL/jyXD94O8 
XOLL48wgXFQPuW4bfoSlmB/nNJ4tfb1Vyeb3x5MmVQTL74tdotoGfFYS 
2+gjyFWYkWAtkzOAmC7Eeva7hotpQ9Qa3LbkFtfznKBFdPAHHQ1vXs0K Shg=

;; Received 366 bytes from 199.180.180.63#53(r.arin.net) in 194 ms

;; connection timed out; no servers could be reached


On 28/11/2023 07:31, Philip Prindeville wrote:


We're being blacklisted by att.net with the following message:

(reason: 550 5.7.1 Connections not accepted from servers without a 
valid sender domain.flph840 Fix reverse DNS for 24.116.100.90)


I don't know what the hell is up with these pinheads:


--
Regards,
Noel Butler

Re: ATT RBL f---wits

2023-11-27 Thread Noel Butler

~$ host 24.116.100.90
;; connection timed out; no servers could be reached

Seems like AT&T *ARE* doing the correct thing and it is *YOU* with the problem. Before you start calling others f'wits, do better investigation: a dig trace indicates root servers don't know you.


On 28/11/2023 07:31, Philip Prindeville wrote:


We're being blacklisted by att.net with the following message:

(reason: 550 5.7.1 Connections not accepted from servers without a 
valid sender domain.flph840 Fix reverse DNS for 24.116.100.90)


I don't know what the hell is up with these pinheads:

philipp@ubuntu22:~$ dig -tmx redfish-solutions.com. @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -tmx redfish-solutions.com. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58379
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;redfish-solutions.com. IN MX

;; ANSWER SECTION:
redfish-solutions.com. 21600 IN MX 10 mail.redfish-solutions.com.

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:29 MST 2023
;; MSG SIZE  rcvd: 71

philipp@ubuntu22:~$ dig -ta mail.redfish-solutions.com. @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -ta mail.redfish-solutions.com. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19570
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail.redfish-solutions.com. IN A

;; ANSWER SECTION:
mail.redfish-solutions.com. 21600 IN A 24.116.100.90

;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:39 MST 2023
;; MSG SIZE  rcvd: 71

philipp@ubuntu22:~$ dig -x 24.116.100.90 @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -x 24.116.100.90 @8.8.8.8

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2371
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;90.100.116.24.in-addr.arpa. IN PTR

;; ANSWER SECTION:
90.100.116.24.in-addr.arpa. 21600 IN PTR mail.redfish-solutions.com.

;; Query time: 68 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:55 MST 2023
;; MSG SIZE  rcvd: 95

philipp@ubuntu22:~$

So that's not the problem.  You're supposed to be able to get the 
blacklisting fixed if you email abuse_...@abuse-att.net 
 but I've emailed them from 3 different 
addresses and have yet to get a response much less a resolution.


Has anyone else had to deal with this bullocks and gotten it resolved?

Thanks


--
Regards,
Noel Butler

Re: ATT RBL f---wits

2023-11-27 Thread Bill Cole

On 2023-11-27 at 16:31:52 UTC-0500 (Mon, 27 Nov 2023 14:31:52 -0700)
Philip Prindeville 
is rumored to have said:


We're being blacklisted by att.net with the following message:

   (reason: 550 5.7.1 Connections not accepted from servers without a 
valid sender domain.flph840 Fix reverse DNS for 24.116.100.90)


I don't know what the hell is up with these pinheads:

philipp@ubuntu22:~$ dig -tmx redfish-solutions.com. @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -tmx redfish-solutions.com. @8.8.8.8

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58379
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;redfish-solutions.com. IN MX

;; ANSWER SECTION:
redfish-solutions.com. 21600 IN MX 10 mail.redfish-solutions.com.

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:29 MST 2023
;; MSG SIZE  rcvd: 71

philipp@ubuntu22:~$ dig -ta mail.redfish-solutions.com. @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -ta mail.redfish-solutions.com. @8.8.8.8

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19570
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail.redfish-solutions.com. IN A

;; ANSWER SECTION:
mail.redfish-solutions.com. 21600 IN A 24.116.100.90

;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:39 MST 2023
;; MSG SIZE  rcvd: 71

philipp@ubuntu22:~$ dig -x 24.116.100.90 @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -x 24.116.100.90 @8.8.8.8

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2371
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;90.100.116.24.in-addr.arpa. IN PTR

;; ANSWER SECTION:
90.100.116.24.in-addr.arpa. 21600 IN PTR mail.redfish-solutions.com.

;; Query time: 68 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:55 MST 2023
;; MSG SIZE  rcvd: 95

philipp@ubuntu22:~$

So that's not the problem.  You're supposed to be able to get the 
blacklisting fixed if you email abuse_...@abuse-att.net 
 but I've emailed them from 3 
different addresses and have yet to get a response much less a 
resolution.


Has anyone else had to deal with this bullocks and gotten it resolved?



Yes. Twice.

Time is your friend. AT&T still operates like it's 1970...



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


ATT RBL f---wits

2023-11-27 Thread Philip Prindeville
We're being blacklisted by att.net with the following message:

   (reason: 550 5.7.1 Connections not accepted from servers without a valid 
sender domain.flph840 Fix reverse DNS for 24.116.100.90)

I don't know what the hell is up with these pinheads:

philipp@ubuntu22:~$ dig -tmx redfish-solutions.com. @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -tmx redfish-solutions.com. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58379
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;redfish-solutions.com. IN MX

;; ANSWER SECTION:
redfish-solutions.com. 21600 IN MX 10 mail.redfish-solutions.com.

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:29 MST 2023
;; MSG SIZE  rcvd: 71

philipp@ubuntu22:~$ dig -ta mail.redfish-solutions.com. @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -ta mail.redfish-solutions.com. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19570
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail.redfish-solutions.com. IN A

;; ANSWER SECTION:
mail.redfish-solutions.com. 21600 IN A 24.116.100.90

;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:39 MST 2023
;; MSG SIZE  rcvd: 71

philipp@ubuntu22:~$ dig -x 24.116.100.90 @8.8.8.8

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> -x 24.116.100.90 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2371
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;90.100.116.24.in-addr.arpa. IN PTR

;; ANSWER SECTION:
90.100.116.24.in-addr.arpa. 21600 IN PTR mail.redfish-solutions.com.

;; Query time: 68 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Nov 19 15:08:55 MST 2023
;; MSG SIZE  rcvd: 95

philipp@ubuntu22:~$

So that's not the problem.  You're supposed to be able to get the blacklisting 
fixed if you email abuse_...@abuse-att.net  but 
I've emailed them from 3 different addresses and have yet to get a response 
much less a resolution.

Has anyone else had to deal with this bullocks and gotten it resolved?

Thanks



RE: rbl for smtp auth hosts

2023-09-16 Thread Marc
> >> >>Anyone have any experience with a dns blacklist specific to known smtp
> >> >>auth abuse?
> 
> >> On 15.09.23 17:51, Benny Pedersen wrote:
> >> >spamrats ?
> >> >
> >> >https://www.spamrats.com/
> 
> >> I have bad experience with spam rats and thus wouldn't recommend using
> >> them.
> >> YMMV of course.
> 
> On 15.09.23 21:57, Marc wrote:
> >You could be right about this.  When I compare the last 413 failed smtp
> > auths, none are listed in auth.spamrats.com.  While bl.spamcop.net lists
> > 230 at 127.0.0.2, while zen.spamhaus.org gets 371 at
> > 127.0.0.4/127.0.0.3/127.0.0.11.  I just have to check which of them is
> not
> > a list that lists any 'dynamic' ip by default.
> 
> zen is not a good idea for auth either.  It's supposed to contain dynamic IPs
> which aren't used for spamming.

I think this 127.0.0.11 is the dynamic ips

> authbl from spamhaus should do that.
> 

any idea what this costs?




Re: rbl for smtp auth hosts

2023-09-16 Thread Matus UHLAR - fantomas

>Marc skrev den 2023-09-15 17:01:
>>Anyone have any experience with a dns blacklist specific to known smtp
>>auth abuse?



On 15.09.23 17:51, Benny Pedersen wrote:
>spamrats ?
>
>https://www.spamrats.com/



I have bad experience with spam rats and thus wouldn't recommend using
them.
YMMV of course.


On 15.09.23 21:57, Marc wrote:
You could be right about this.  When I compare the last 413 failed smtp 
auths, none are listed in auth.spamrats.com.  While bl.spamcop.net lists 
230 at 127.0.0.2, while zen.spamhaus.org gets 371 at 
127.0.0.4/127.0.0.3/127.0.0.11.  I just have to check which of them is not 
a list that lists any 'dynamic' ip by default.


zen is not a good idea for auth either.  It's supposed to contain dynamic IPs 
which aren't used for spamming.


authbl from spamhaus should do that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig


Re: rbl for smtp auth hosts

2023-09-16 Thread Benny Pedersen

Marc skrev den 2023-09-15 23:57:

>Marc skrev den 2023-09-15 17:01:
>>Anyone have any experience with a dns blacklist specific to known smtp
>>auth abuse?

On 15.09.23 17:51, Benny Pedersen wrote:
>spamrats ?
>
>https://www.spamrats.com/

I have bad experience with spam rats and thus wouldn't recommend using
them.
YMMV of course.



You could be right about this. When I compare the last 413 failed smtp
auths, none are listed in auth.spamrats.com. While bl.spamcop.net
lists 230 at 127.0.0.2, while zen.spamhaus.org gets 371 at
127.0.0.4/127.0.0.3/127.0.0.11. I just have to check which of them is
not a list that lists any 'dynamic' ip by default.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject }


i find the documentation good, dqs can be added here as well, but i am unsure 
if it will expose my dqs key; for me i don't like to use y (chroot), note 
all details in this, just not auth.spamrats.com plus return code hardened


please be careful, and ask



RE: rbl for smtp auth hosts

2023-09-15 Thread Marc
> >Marc skrev den 2023-09-15 17:01:
> >>Anyone have any experience with a dns blacklist specific to known smtp
> >>auth abuse?
> 
> On 15.09.23 17:51, Benny Pedersen wrote:
> >spamrats ?
> >
> >https://www.spamrats.com/
> 
> I have bad experience with spam rats and thus wouldn't recommend using
> them.
> YMMV of course.
> 

You could be right about this. When I compare the last 413 failed smtp auths, 
none are listed in auth.spamrats.com. While bl.spamcop.net lists 230 at 
127.0.0.2, while zen.spamhaus.org gets 371 at 127.0.0.4/127.0.0.3/127.0.0.11. I 
just have to check which of them is not a list that lists any 'dynamic' ip by 
default.
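Marc's return-code comparison above, together with Matus's caveat that zen carries dynamic-IP (PBL) listings, worked through as an added Python example that is not from the thread, from Postfix or from Spamhaus: it builds the DNSBL lookup name, maps zen's published return codes to list names, keeps Spamhaus's 127.255.255.x error answers apart from real listings, and applies the restriction order Riccardo describes (DNSBL check before permit_sasl_authenticated). The resolver is injected and the answers are constructed, so it runs offline.

```python
import ipaddress
from typing import Callable, Dict, List

# Published return codes of the combined zen.spamhaus.org zone.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",    # direct spam sources
    "127.0.0.3": "CSS",    # SBL CSS: snowshoe / compromised senders
    "127.0.0.4": "XBL",    # 127.0.0.4-7: exploited hosts (bots, open proxies)
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL",    # DROP/EDROP hijacked or leased netblocks
    "127.0.0.10": "PBL",   # policy block (end-user/dynamic space), ISP maintained
    "127.0.0.11": "PBL",   # policy block (end-user/dynamic space), Spamhaus maintained
}
# Answers in 127.255.255.0/24 report a problem with the query, not a listing.
ERROR_CODES: Dict[str, str] = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query sent through a public/open resolver (e.g. 8.8.8.8)",
    "127.255.255.255": "excessive query volume",
}
# PBL hits are expected for legitimate customers on consumer connections, so a
# PBL-only listing must not block a client that is about to authenticate.
DYNAMIC_LISTS = {"PBL"}

Resolver = Callable[[str], List[str]]  # name -> A records ([] means NXDOMAIN)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed IPv4 octets or IPv6 nibbles, followed by the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def classify_zen(answers: List[str]) -> Dict[str, List[str]]:
    """Map zen A records to list names; keep error codes separate so they are
    never mistaken for a listing (treating 127.255.255.254 as 'listed' would
    reject every client when the MTA resolves through 8.8.8.8)."""
    lists, errors = set(), []
    for a in answers:
        if a in ERROR_CODES:
            errors.append(ERROR_CODES[a])
        elif a in ZEN_CODES:
            lists.add(ZEN_CODES[a])
        else:
            errors.append("unknown return code " + a)
    return {"lists": sorted(lists), "errors": errors}


def auth_blocking_lists(answers: List[str]) -> List[str]:
    """Lists that justify refusing an authenticating client: every zen hit
    except the dynamic/policy (PBL) codes."""
    return [name for name in classify_zen(answers)["lists"] if name not in DYNAMIC_LISTS]


def submission_decision(client_ip: str, sasl_ok: bool, resolve: Resolver) -> str:
    """Restriction order as Riccardo describes it for Postfix: DNSBL reject
    first, then permit_sasl_authenticated, then reject. Because the DNSBL check
    comes first, a listed bot is refused even if it presents valid (stolen)
    credentials."""
    hits = auth_blocking_lists(resolve(dnsbl_query_name(client_ip, "zen.spamhaus.org")))
    if hits:
        return "REJECT listed in " + ",".join(hits)
    if sasl_ok:
        return "PERMIT sasl"
    return "REJECT not authenticated"


# Constructed answers (TEST-NET-3 addresses) standing in for real DNS.
FAKE_ANSWERS: Dict[str, List[str]] = {
    dnsbl_query_name("203.0.113.10", "zen.spamhaus.org"): ["127.0.0.4", "127.0.0.11"],  # bot on a dynamic IP
    dnsbl_query_name("203.0.113.20", "zen.spamhaus.org"): ["127.0.0.11"],  # ordinary home user
    dnsbl_query_name("203.0.113.30", "zen.spamhaus.org"): ["127.255.255.254"],  # looked up via 8.8.8.8
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip, sasl in [("203.0.113.10", True), ("203.0.113.20", True),
                     ("203.0.113.30", True), ("203.0.113.40", False)]:
        print(ip, sasl, "->", submission_decision(ip, sasl, fake_resolve))
```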




Re: rbl for smtp auth hosts

2023-09-15 Thread Matus UHLAR - fantomas

Marc skrev den 2023-09-15 17:01:

Anyone have any experience with a dns blacklist specific to known smtp
auth abuse?


On 15.09.23 17:51, Benny Pedersen wrote:

spamrats ?

https://www.spamrats.com/


I have bad experience with spam rats and thus wouldn't recommend using them.
YMMV of course.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


RE: rbl for smtp auth hosts

2023-09-15 Thread Marc
> > Anyone have any experience with a dns blacklist specific to known smtp
> > auth abuse?
> 
> spamrats ?
> 
> https://www.spamrats.com/

yes thanks! this RATS-Auth maybe


Re: rbl for smtp auth hosts

2023-09-15 Thread Benny Pedersen

Riccardo Alfieri skrev den 2023-09-15 18:23:

On 15/09/23 17:51, Reindl Harald (privat) wrote:

limit the connections per hour on smtp-ports with iptables xt_recent 
and configure postfix properly


anvil_rate_time_unit   = 1800s
smtpd_client_connection_rate_limit = 100
smtpd_client_recipient_rate_limit  = 400
smtpd_client_message_rate_limit    = 400
smtpd_recipient_limit  = 100

Won't help much if you have 100k different IPs connecting, and you also
have high volume legit customers


i use weakforced for dovecot, and i know my customers' ASNs

interesting part for me is spamrats, see more rats inside of my 
customers' ASNs


it will be endless fights :(

why did you reply to a blocked user here :(






Re: rbl for smtp auth hosts

2023-09-15 Thread Riccardo Alfieri

On 15/09/23 17:51, Reindl Harald (privat) wrote:

limit the connections per hour on smtp-ports with iptables xt_recent 
and configure postfix properly


anvil_rate_time_unit   = 1800s
smtpd_client_connection_rate_limit = 100
smtpd_client_recipient_rate_limit  = 400
smtpd_client_message_rate_limit    = 400
smtpd_recipient_limit  = 100
Won't help much if you have 100k different IPs connecting, and you also 
have high volume legit customers


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: rbl for smtp auth hosts

2023-09-15 Thread Riccardo Alfieri

On 15/09/23 17:49, Marc wrote:


Is this a freely available list?

It's included in all DQS accounts, free ones too

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: rbl for smtp auth hosts

2023-09-15 Thread Benny Pedersen

Marc skrev den 2023-09-15 17:01:

Anyone have any experience with a dns blacklist specific to known smtp
auth abuse?


spamrats ?

https://www.spamrats.com/


RE: rbl for smtp auth hosts

2023-09-15 Thread Marc


> 
> >
> > On 15.09.23 15:31, Riccardo Alfieri wrote:
> >> Yes, at previous $dayjob. Applied on the submission MSA, it proved to
> >> be useful in mitigating the fallout when users got their credentials
> >> compromised.
> >
> > can you describe it more?
> >
> Well, I checked the connecting IP of a client against AuthBL *before*
> "permit_sasl_authenticated" (IIRC) in Postfix and when users got their
> credentials compromised (that happened more times than I would have
> liked) I'd say more than 95% of connections from auth abusing botnets
> were denied. This mitigated a lot of the spam exiting from our outbounds
> and helped us not end up being listed in the more "trigger happy"
> dnsbls around :)
> 

Is this a freely available list?


Re: rbl for smtp auth hosts

2023-09-15 Thread Riccardo Alfieri

On 15/09/23 17:35, Matus UHLAR - fantomas wrote:



On 15.09.23 15:31, Riccardo Alfieri wrote:
Yes, at previous $dayjob. Applied on the submission MSA, it proved to 
be useful in mitigating the fallout when users got their credentials 
compromised.


can you describe it more?

Well, I checked the connecting IP of a client against AuthBL *before* 
"permit_sasl_authenticated" (IIRC) in Postfix and when users got their 
credentials compromised (that happened more times than I would have 
liked) I'd say more than 95% of connections from auth abusing botnets 
were denied. This mitigated a lot of the spam exiting from our outbounds 
and helped us not end up being listed in the more "trigger happy" 
dnsbls around :)


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



Re: rbl for smtp auth hosts

2023-09-15 Thread Matus UHLAR - fantomas

On 15/09/23 17:01, Marc wrote:

Anyone have any experience with a dns blacklist specific to known smtp auth 
abuse?


On 15.09.23 15:31, Riccardo Alfieri wrote:
Yes, at previous $dayjob. Applied on the submission MSA, it proved to 
be useful in mitigating the fallout when users got their credentials 
compromised.


can you describe it more?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901


Re: rbl for smtp auth hosts

2023-09-15 Thread Riccardo Alfieri

On 15/09/23 17:01, Marc wrote:


Anyone have any experience with a dns blacklist specific to known smtp auth 
abuse?
Yes, at previous $dayjob. Applied on the submission MSA, it proved to be 
useful in mitigating the fallout when users got their credentials 
compromised.


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaus.com/



rbl for smtp auth hosts

2023-09-15 Thread Marc

Anyone have any experience with a dns blacklist specific to known smtp auth 
abuse?




Re: OFF-TOPIC ANNOUNCE: KAM Ruleset Turning PCCC Wild RBL Back On

2023-03-23 Thread Pedro David Marco via users
With all respect,
I agree with Bill... but just suppose Bill is wrong... KAM rules are free and 
show really huge quality; what is wrong with gently asking for cooperation if 
they are used in a commercial way?
KAM++
Pedro.

On Tuesday, March 21, 2023 at 06:18:38 PM GMT+1, Bill Cole 
 wrote:  
 
 On 2023-03-21 at 12:52:16 UTC-0400 (Tue, 21 Mar 2023 17:52:16 +0100)
Benny Pedersen 
is rumored to have said:

> Kevin A. McGrail skrev den 2023-03-21 17:27:
>
>> https://mcgrail.com/template/donate
>
> you know the rules to post commercial postings to public free 
> maillists ?,

What rules exactly are you referring to? Please cite them precisely, in 
grammatically decipherable English. Note that if the 'rules' being cited 
are not on an ASF site, they do not apply here.

The McGrail Foundation is not a commercial entity. That's why that page 
talks of donating rather than purchasing, and why it refers to a US tax 
code section. Noting the enhancement of a widely-used free service for 
SA users provided by a non-profit charitable foundation with in-kind 
support from a commercial entity (Linode, A.K.A. Amazon) is not a 
commercial posting.

If you want kolektiva.social, it is over there...




-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
  

Re: OFF-TOPIC ANNOUNCE: KAM Ruleset Turning PCCC Wild RBL Back On

2023-03-21 Thread Bill Cole

On 2023-03-21 at 12:52:16 UTC-0400 (Tue, 21 Mar 2023 17:52:16 +0100)
Benny Pedersen 
is rumored to have said:


Kevin A. McGrail skrev den 2023-03-21 17:27:


https://mcgrail.com/template/donate


you know the rules to post commercial postings to public free 
maillists ?,


What rules exactly are you referring to? Please cite them precisely, in 
grammatically decipherable English. Note that if the 'rules' being cited 
are not on an ASF site, they do not apply here.


The McGrail Foundation is not a commercial entity. That's why that page 
talks of donating rather than purchasing, and why it refers to a US tax 
code section. Noting the enhancement of a widely-used free service for 
SA users provided by a non-profit charitable foundation with in-kind 
support from a commercial entity (Linode, A.K.A. Amazon) is not a 
commercial posting.


If you want kolektiva.social, it is over there...




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: OFF-TOPIC ANNOUNCE: KAM Ruleset Turning PCCC Wild RBL Back On

2023-03-21 Thread Benny Pedersen

Kevin A. McGrail skrev den 2023-03-21 17:27:


https://mcgrail.com/template/donate


you know the rules to post commercial postings to public free maillists 
?, rspamd did this abuse as well, now they have only non-free irc 
support, and telegram


more talk about linode ? :)

mx ~ # dig -4 +short rs.dns-oarc.net txt
rst.x487.rs.dns-oarc.net.
rst.x461.x487.rs.dns-oarc.net.
rst.x466.x461.x487.rs.dns-oarc.net.
"172.104.150.56 DNS reply size limit is at least 487"
"172.104.150.56 sent EDNS buffer size 512"

great for dns

i have a ticket to this problem at linode, their answer is to try adding new 
ips to your linode vps, you can be lucky and a new one works :/


will it be possible to see if the kam channel could provide corpus data to 
spamassassin, it's very low at the moment


OFF-TOPIC ANNOUNCE: KAM Ruleset Turning PCCC Wild RBL Back On

2023-03-21 Thread Kevin A. McGrail

Hello All,

I am pleased to announce that users of the KAM ruleset will once again 
have the free use of the PCCC Wild RBL.


The RBL was previously removed from use due to its popularity.

Thanks go to Linode.com for donating the servers and as always thanks to 
PCCC for the datafeed.


The KAM Ruleset will be celebrating the start of its 20th year of 
publishing free rules and threat data in May 2023. If you are a 
commercial user, please consider a donation or long-term sponsorship: 
https://mcgrail.com/template/donate


More Info:
https://raptor.pccc.com/RBL
https://mcgrail.com/template/projects#KAM1


Regards,
KAM

--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail  - 703.798.0171


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas skrev den 2023-03-02 11:50:

Authres plugin should only parse Authentication-Results: headers, not
signatures themselves.

other plugins should be able to use data provided by this plugin.


On 02.03.23 12:55, Benny Pedersen wrote:

+1 funny you provided an eval that worked ? :)

have you seen ARC_VALID or ARC_SIGNED yet ?


many. I just still don't think we should trust ARC headers by default 
(someone has signed headers, but that does not mean that someone is 
trustworthy).


if ARC signer is trusted and the signature is correct, the status can be 
extracted from ARC-Authentication-Results:


Further modules can use that to e.g. allowlist the sender even if DKIM 
fails.


Authentication-Results: fantomas.fantomas.sk; arc=pass 
smtp.remote-ip=52.100.19.99 arc.chain=microsoft.com
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=pern.onmicrosoft.com; dmarc=pass action=none
header.from=gcwus.edu.pk; dkim=pass header.d=gcwus.edu.pk; arc=none


Here, if I trust "fantomas.fantomas.sk" authentication header (configurable 
in AuthRes) and I trust signer microsoft.com, I will believe that the 
message passed DMARC and SPF for pern.onmicrosoft.com.


However, if there was some other random ARC signer faking positive 
spf/dkim/dmarc results, we should not believe the ARC signature


... and this message can still be spam (it is).


imho dmarc in spamassassin is already doing things right, but authres 
should maybe just be documented when to use it


it's the DKIM module that validates ARC headers in SA.
While the functionality is similar to DKIM, 


it already used in perlcode in dmarc, without any eval calls

previous mail i posted is without authres enabled


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
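Matus's trust rule above (believe ARC-Authentication-Results only when our own arc=pass verdict names a trusted signer, never when some random signer vouches for spf/dkim/dmarc), worked through as an added Python example that is not SpamAssassin's AuthRes or DKIM plugin code. The two sample headers are the ones quoted above; the forged set is constructed; the ':'/',' separator assumed for arc.chain and the use of the i=1 set for the override are assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

Header = Tuple[str, str]

# The two header values quoted in the thread, unfolded onto one line each.
PAGE_HEADERS: List[Header] = [
    ("Authentication-Results",
     "fantomas.fantomas.sk; arc=pass smtp.remote-ip=52.100.19.99 arc.chain=microsoft.com"),
    ("ARC-Authentication-Results",
     "i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=pern.onmicrosoft.com; "
     "dmarc=pass action=none header.from=gcwus.edu.pk; "
     "dkim=pass header.d=gcwus.edu.pk; arc=none"),
]
# Constructed: an unknown signer vouching for results our own checks contradict.
FORGED_HEADERS: List[Header] = [
    ("Authentication-Results",
     "fantomas.fantomas.sk; spf=fail smtp.mailfrom=example.net; arc=pass arc.chain=mailer.example"),
    ("ARC-Authentication-Results",
     "i=1; mailer.example; spf=pass smtp.mailfrom=example.net; dmarc=pass header.from=example.net"),
]


def parse_authres(value: str) -> Dict[str, object]:
    """Parse an (ARC-)Authentication-Results value (RFC 8601 / RFC 8617):
    [i=N;] authserv-id [version]; method=result [ptype.prop=value ...]; ..."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    instance: Optional[int] = None
    if parts and re.fullmatch(r"i=\d+", parts[0]):
        instance = int(parts[0][2:])
        parts = parts[1:]
    if not parts:
        raise ValueError("authserv-id missing")
    authserv_id = parts[0].split()[0].lower()  # drop optional version ("mx.microsoft.com 1")
    results: List[Dict[str, object]] = []
    for stmt in parts[1:]:
        tokens = stmt.split()
        method, _, result = tokens[0].partition("=")
        if method.lower() == "none":  # "authserv-id; none": nothing was checked
            continue
        props: Dict[str, str] = {}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                props[key.lower()] = val
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return {"instance": instance, "authserv_id": authserv_id, "results": results}


def effective_results(headers: List[Header], my_authserv: str,
                      trusted_signers: Set[str]) -> Dict[str, object]:
    """Results from our own authserv-id are always believed (the border MTA must
    already strip incoming A-R headers that claim that id). Results carried in
    ARC-Authentication-Results are believed, overriding our own spf/dkim/dmarc,
    only when our own arc=pass verdict names nothing but trusted signers."""
    believed: Dict[str, str] = {}
    chain: List[str] = []
    arc_pass = False
    for name, value in headers:
        if name.lower() != "authentication-results":
            continue
        ar = parse_authres(value)
        if ar["authserv_id"] != my_authserv.lower():
            continue  # somebody else's (or a forged) A-R header: ignore
        for r in ar["results"]:
            believed[r["method"]] = r["result"]
            if r["method"] == "arc":
                arc_pass = r["result"] == "pass"
                # assumption: arc.chain lists signer domains separated by ':' or ','
                chain = [d.lower() for d in re.split(r"[:,]", r["props"].get("arc.chain", "")) if d]
    arc_trusted = arc_pass and bool(chain) and all(d in trusted_signers for d in chain)
    if arc_trusted:
        aars = [parse_authres(v) for n, v in headers if n.lower() == "arc-authentication-results"]
        if aars:
            # The i=1 set records the first receiver's own checks of the originator.
            first = min(aars, key=lambda a: a["instance"] or 0)
            for r in first["results"]:
                if r["method"] in ("spf", "dkim", "dmarc"):
                    believed[r["method"]] = r["result"]
    return {"results": believed, "arc_trusted": arc_trusted}


if __name__ == "__main__":
    print(effective_results(PAGE_HEADERS, "fantomas.fantomas.sk", {"microsoft.com"}))
    print(effective_results(FORGED_HEADERS, "fantomas.fantomas.sk", {"microsoft.com"}))
```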


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Benny Pedersen

giova...@paclan.it skrev den 2023-03-02 12:53:


how ?, this code works without authres enabled as i see it



if DKIM fails but ARC passes DMARC policy could be overridden, this
part doesn't work.


ah okay got it

eval should not be done in dkim but moved to authres so, and results 
metadata used in dmarc plugin



In your case DMARC would pass even without ARC because DKIM is valid.


correct, there are just many corner cases yet to test

your spamassassin channel for rules does btw not lint, please see why 
when only check.pm is loaded


and that rule that does not lint is already tested in spamassassin core 
rules, so that code is just tested one more time without any new results 
:/


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2023-03-02 11:50:


Authres plugin should only parse Authentication-Results: headers, not
signatures themselves.

other plugins should be able to use data provided by this plugin.


+1 funny you provided an eval that worked ? :)

have you seen ARC_VALID or ARC_SIGNED yet ?

imho dmarc in spamassassin is already doing things right, but authres 
should maybe just be documented when to use it


it is already used in perl code in dmarc, without any eval calls

previous mail i posted is without authres enabled




Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread giovanni

On 3/2/23 12:49, Benny Pedersen wrote:

giova...@paclan.it skrev den 2023-03-02 10:04:

On 3/1/23 14:30, Benny Pedersen wrote:

Henrik K skrev den 2023-03-01 10:28:

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

Because it's experimental and unfinished.


logic is as well

why should spf plugin be enabled to test if arc chain pass spf ?

same problem with dkim imho

as long as forwarders insist on doing dkim sign and leave arc seal and arc sign :/


I have wip code to check if dkim passes from arc signatures and
integrate it into DMARC policies checks.


how ?, this code works without authres enabled as i see it


if DKIM fails but ARC passes DMARC policy could be overridden, this part doesn't 
work.
In your case DMARC would pass even without ARC because DKIM is valid.




Return-Path: 
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on localhost.junc.eu
X-Spam-Level:
X-Spam-Status: No, score=-2.8 required=5.0 tests=ARC_SIGNED,ARC_VALID,AWL,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
 HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
 RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_BAD,RELAYCOUNTRY_GREY,SPF_HELO_PASS,
 SPF_PASS,UNPARSEABLE_RELAY autolearn=no autolearn_force=no
 version=4.0.0
X-Spam-Timing: total 1713 ms - parse: 1.94 (0.1%), b_tie_ro: 4.4 (0.3%),
 extract_message_metadata: 41 (2.4%), tests_pri_-1: 7 (0.4%),
 compile_gen: 292 (17.1%), get_uri_detail_list: 3.4 (0.2%),
 tests_pri_-2000: 2.0 (0.1%), compile_eval: 27 (1.6%), tests_pri_-1000:
 1.77 (0.1%), tests_pri_-950: 1.21 (0.1%), tests_pri_-900: 1.29 (0.1%),
 tests_pri_-100: 892 (52.1%), dkim_load_modules: 34 (2.0%),
 check_dkim_signature: 540 (31.5%), poll_dns_idle: 827 (48.3%),
 check_spf: 64 (3.7%), tests_pri_-90: 1.41 (0.1%), tests_pri_0: 443
 (25.9%), tests_pri_500: 2.1 (0.1%), tests_pri_1000: 12 (0.7%),
 total_awl: 10 (0.6%), check_awl: 1.95 (0.1%), update_awl: 1.92 (0.1%),
 rewrite_mail: 0.00 (0.0%)

Content analysis details:   (-2.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [94.237.105.223 listed in wl.mailspike.net]
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [94.237.105.223 listed in list.dnswl.org]
-0.1 SPF_PASS               SPF: sender matches SPF record
-0.1 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 ARC_SIGNED             Message has a ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.0 ARC_VALID              Message has a valid ARC signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 RELAYCOUNTRY_GREY      Relayed through at some point
 1.5 RELAYCOUNTRY_BAD       Relayed through at some point
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-2.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                            manager
-0.1 DMARC_PASS             DMARC pass policy
 0.0 AWL                    AWL: From: address is in the auto welcome-list


Authres plugin is needed to parse Arc signatures and pass the results
to DMARC plugin.


yes the magic can be done in dmarc where it belongs

authres is imho only for trusted arc signers, not for testing ARC_VALID or 
ARC_SIGNED

confirm it ?, the rules for authres does not work for me, but it seem it does 
for others ?, why ?






Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread giovanni

On 3/2/23 11:50, Matus UHLAR - fantomas wrote:

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
However, I don't see AuthRes plugin mention in .pre files nor in SA rules.



Henrik K skrev den 2023-03-01 10:28:

Because it's experimental and unfinished.



On 3/1/23 14:30, Benny Pedersen wrote:

logic is as well

why should spf plugin be enabled to test if arc chain pass spf ?



same problem with dkim imho

as long as forwarders insist on doing dkim sign and leave arc seal and arc sign :/


On 02.03.23 10:04, giova...@paclan.it wrote:

I have wip code to check if dkim passes from arc signatures and integrate it 
into DMARC policies checks.
Authres plugin is needed to parse Arc signatures and pass the results to DMARC 
plugin.


Authres plugin should only parse Authentication-Results: headers, not 
signatures themselves.


I mean ARC-Authentication-Results headers, signatures are checked by DKIM.pm.


other plugins should be able to use data provided by this plugin.


this is still WIP code.






Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Benny Pedersen

giova...@paclan.it skrev den 2023-03-02 10:04:

On 3/1/23 14:30, Benny Pedersen wrote:

Henrik K skrev den 2023-03-01 10:28:
On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas 
wrote:
I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes 
available.
However, I don't see AuthRes plugin mention in .pre files nor in SA 
rules.

Because it's experimental and unfinished.


logic is as well

why should spf plugin be enabled to test if arc chain pass spf ?

same problem with dkim imho

as long as forwarders insist on doing dkim sign and leave arc seal and 
arc sign :/



I have wip code to check if dkim passes from arc signatures and
integrate it into DMARC policies checks.


how ?, this code works without authres enabled as i see it

Return-Path: 
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on localhost.junc.eu
X-Spam-Level:
X-Spam-Status: No, score=-2.8 required=5.0 tests=ARC_SIGNED,ARC_VALID,AWL,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
 HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
 RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_BAD,RELAYCOUNTRY_GREY,SPF_HELO_PASS,
 SPF_PASS,UNPARSEABLE_RELAY autolearn=no autolearn_force=no
 version=4.0.0
X-Spam-Timing: total 1713 ms - parse: 1.94 (0.1%), b_tie_ro: 4.4 (0.3%),
 extract_message_metadata: 41 (2.4%), tests_pri_-1: 7 (0.4%),
 compile_gen: 292 (17.1%), get_uri_detail_list: 3.4 (0.2%),
 tests_pri_-2000: 2.0 (0.1%), compile_eval: 27 (1.6%), tests_pri_-1000:
 1.77 (0.1%), tests_pri_-950: 1.21 (0.1%), tests_pri_-900: 1.29 (0.1%),
 tests_pri_-100: 892 (52.1%), dkim_load_modules: 34 (2.0%),
 check_dkim_signature: 540 (31.5%), poll_dns_idle: 827 (48.3%),
 check_spf: 64 (3.7%), tests_pri_-90: 1.41 (0.1%), tests_pri_0: 443
 (25.9%), tests_pri_500: 2.1 (0.1%), tests_pri_1000: 12 (0.7%),
 total_awl: 10 (0.6%), check_awl: 1.95 (0.1%), update_awl: 1.92 (0.1%),
 rewrite_mail: 0.00 (0.0%)

Content analysis details:   (-2.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [94.237.105.223 listed in wl.mailspike.net]
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [94.237.105.223 listed in list.dnswl.org]
-0.1 SPF_PASS               SPF: sender matches SPF record
-0.1 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 ARC_SIGNED             Message has a ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.0 ARC_VALID              Message has a valid ARC signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 RELAYCOUNTRY_GREY      Relayed through at some point
 1.5 RELAYCOUNTRY_BAD       Relayed through at some point
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-2.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                            manager
-0.1 DMARC_PASS             DMARC pass policy
 0.0 AWL                    AWL: From: address is in the auto welcome-list



Authres plugin is needed to parse Arc signatures and pass the results
to DMARC plugin.


yes the magic can be done in dmarc where it belongs

authres is imho only for trusted arc signers, not for testing ARC_VALID 
or ARC_SIGNED


confirm it ?, the rules for authres does not work for me, but it seem it 
does for others ?, why ?


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread Matus UHLAR - fantomas

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
However, I don't see AuthRes plugin mention in .pre files nor in SA rules.



Henrik K skrev den 2023-03-01 10:28:

Because it's experimental and unfinished.



On 3/1/23 14:30, Benny Pedersen wrote:

logic is as well

why should spf plugin be enabled to test if arc chain pass spf ?



same problem with dkim imho

as long as forwarders insist on doing dkim sign and leave arc seal and arc sign :/


On 02.03.23 10:04, giova...@paclan.it wrote:

I have wip code to check if dkim passes from arc signatures and integrate it 
into DMARC policies checks.
Authres plugin is needed to parse Arc signatures and pass the results to DMARC 
plugin.


Authres plugin should only parse Authentication-Results: headers, not 
signatures themselves.


other plugins should be able to use data provided by this plugin.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-02 Thread giovanni

On 3/1/23 14:30, Benny Pedersen wrote:

Henrik K skrev den 2023-03-01 10:28:

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

Because it's experimental and unfinished.


logic is as well

why should spf plugin be enabled to test if arc chain pass spf ?

same problem with dkim imho

as long as forwarders insist on doing dkim sign and leave arc seal and arc sign :/


I have wip code to check if dkim passes from arc signatures and integrate it 
into DMARC policies checks.
Authres plugin is needed to parse Arc signatures and pass the results to DMARC 
plugin.

 Giovanni


I will try to load it to see if it works.

You also need rules for it to do anything.  No plugin uses its parsing at
this time.


it's also good to define trust in this scenario, this is more or less bogus 
:)


Try the example rules and report back if it works..
https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html


it does not, how should dmarc plugin use this ?

dmarc only works with A-R headers imho, not internal data as in spamassassin, 
okay first step first :)






Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Henrik K
On Wed, Mar 01, 2023 at 04:46:27PM +0100, Matus UHLAR - fantomas wrote:
> 
> 1. "header.a=rsa-sha256" and "header.s=hege2" options in
> Authentication-Results: for dkim where "a" contains algorithm and "s" the
> used selector.
> 
> 2. unknown "arc" Authentication-Results: header
> 
> removing mentioned fields in the first header caused one less error message
> and A_DKIM_VERIFIED hit.
> 
> removing second header removed error messages completely

Fixed these in trunk..



Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas skrev den 2023-03-01 15:40:

so, if your mail doesn't get delivered within 1.5 seconds and the DKIM
signature expires on the fly, the mail gets dropped from mail server?


On 01.03.23 16:33, Benny Pedersen wrote:
no, aligned spf pass from facebook, and even on unaligned i do not 
reject dkim fails, this is a job for dmarc


I was asking about outgoing mail being removed from the queue after their 
DKIM signature expires. 

I would not expect anyone to use DKIM expiration shorter than queue lifetime 
of mail.



Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already
uses Authentication-Results: header if it exists.


double checking arc spf then ?
i have not checked perlcode yet


?

SPF, DKIM and DMARC headers should use results of 
Authentication-Results:

headers (optionally?) only if they produce positive result.


i only wish arc plugin would be in dmarc core so the extra plugin is 
not needed


that fits for how arc using should be


trusting ARC requires configuring server to trust ARC authority.
So it's of little use usually.

authres is only if you would forward mails to another final dmarc 
testing


authres is great, if you validate mail before you scan for spamminess.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

On 01.03.23 11:55, Henrik K wrote:

Bah, I think it was tested as at least working without errors.  I'll have a
look..


On 01.03.23 11:04, Matus UHLAR - fantomas wrote:

yes, it's working at least partly:

Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) 
header.from=hege.li
Authentication-Results: fantomas.fantomas.sk;
   dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li 
header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E;
   dkim-atps=neutral
Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
   authorized) smtp.mailfrom=spamassassin.apache.org
   (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
   envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache.
   org; receiver=)
Authentication-Results: fantomas.fantomas.sk; arc=none 
smtp.remote-ip=3.227.148.255


Mar  1 16:32:54.213 [30815] dbg: authres: parsing Authentication-Results: 
fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li
Mar  1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: 
fantomas.fantomas.sk; dkim=pass (2048-bit key; unprotected) header.d=hege.li 
header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E; 
dkim-atps=neutral
Mar  1 16:32:54.214 [30815] dbg: authres: skipping header, unknown property for 
header: a
Mar  1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: 
fantomas.fantomas.sk; spf=pass (sender SPF  authorized) 
smtp.mailfrom=spamassassin.apache.org  (client-ip=3.227.148.255; 
helo=mxout1-ec2-va.apache.org;  
envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache. org; 
receiver=)
Mar  1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: 
fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255
Mar  1 16:32:54.214 [30815] dbg: authres: skipping header, unknown method: arc
Mar  1 16:32:54.214 [30815] dbg: authres: results: dmarc=none spf=pass
Mar  1 16:32:55.618 [30815] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 16:32:55.618 [30815] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.

after editing headers I see that errors are caused by

1. "header.a=rsa-sha256" and "header.s=hege2" options in 
Authentication-Results: for dkim where "a" contains algorithm and "s" the 
used selector.


2. unknown "arc" Authentication-Results: header

removing mentioned fields in the first header caused one less error message 
and A_DKIM_VERIFIED hit.


removing second header removed error messages completely


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2023-03-01 15:40:


so, if your mail doesn't get delivered within 1.5 seconds and the DKIM
signature expires on the fly, the mail gets dropped from mail server?


no, aligned spf pass from facebook, and even on unaligned i do not 
reject dkim fails, this is a job for dmarc


this plugin is meant to be in core dmarc plugin not as a separate 
plugin imho, that said it needs config :)

It should be stable first.


+1, it can't be since it's only local trust first


Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already
uses Authentication-Results: header if it exists.


double checking arc spf then ?

i have not checked perlcode yet

SPF, DKIM and DMARC headers should use results of 
Authentication-Results:

headers (optionally?) only if they produce positive result.


i only wish arc plugin would be in dmarc core so the extra plugin is not 
needed


that fits for how arc using should be

authres is only if you would forward mails to another final dmarc 
testing



Forced revalidation should be possible, although I have no idea how to
implement it.


+1


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas skrev den 2023-03-01 09:56:

I hope these senders expire their e-mail 1.5 hours after sending...


On 01.03.23 13:35, Benny Pedersen wrote:

facebook can do it in 1.5 seconds :)


so, if your mail doesn't get delivered within 1.5 seconds and the DKIM 
signature expires on the fly, the mail gets dropped from mail server?



This should be avoidable by using opendkim at SMTP time, and using
Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules
aren't rechecked if they are


this plugin is meant to be in core dmarc plugin not as a separate 
plugin imho, that said it needs config :)


It should be stable first.

Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already uses 
Authentication-Results: header if it exists.


SPF, DKIM and DMARC headers should use results of Authentication-Results:
headers (optionally?) only if they produce positive result.

Forced revalidation should be possible, although I have no idea how to 
implement it.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2023-03-01 10:50:
.

Mar  1 10:47:17.689 [19813] warn: Use of uninitialized value $result
in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm
line 302.


spamassassin --version ?

authres was in 3.4.6 as well, is why i ask

authres in 4.0.0 does imho not make that error


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Benny Pedersen

Henrik K skrev den 2023-03-01 10:28:

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes 
available.
However, I don't see AuthRes plugin mention in .pre files nor in SA 
rules.

Because it's experimental and unfinished.


logic is as well

why should spf plugin be enabled to test if arc chain pass spf ?

same problem with dkim imho

as long as forwarders insist on doing dkim sign and leave arc seal and arc 
sign :/



I will try to load it to see if it works.
You also need rules for it to do anything.  No plugin uses its parsing at
this time.


it's also good to define trust in this scenario, this is more or 
less bogus :)



Try the example rules and report back if it works..
https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html


it does not, how should dmarc plugin use this ?

dmarc only works with A-R headers imho, not internal data as in 
spamassassin, okay first step first :)


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2023-03-01 09:56:


I hope these senders expire their e-mail 1.5 hours after sending...


facebook can do it in 1.5 seconds :)


This should be avoidable by using opendkim at SMTP time, and using
Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules
aren't rechecked if they are


this plugin is meant to be in core dmarc plugin not as a separate plugin 
imho, that said it needs config :)


I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes 
available.


+1

However, I don't see AuthRes plugin mention in .pre files nor in SA 
rules.


+1


I will try to load it to see if it works.


share config if it does

(let's share trust)


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

On 01.03.23 11:55, Henrik K wrote:

Bah, I think it was tested as at least working without errors.  I'll have a
look..


yes, it's working at least partly:

Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) 
header.from=hege.li
Authentication-Results: fantomas.fantomas.sk;
dkim=pass (2048-bit key; unprotected) header.d=hege.li 
header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E;
dkim-atps=neutral
Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
authorized) smtp.mailfrom=spamassassin.apache.org
(client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache.
org; receiver=)
Authentication-Results: fantomas.fantomas.sk; arc=none 
smtp.remote-ip=3.227.148.255


X-Spam-Report:
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*  valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from 
author's
*   domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
*  0.0 A_SPF_PASS No description available.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was a Windows 95 beta test site.


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Henrik K
On Wed, Mar 01, 2023 at 10:50:02AM +0100, Matus UHLAR - fantomas wrote:
> > On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
> > > I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
> > > 
> > > However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
> 
> On 01.03.23 11:28, Henrik K wrote:
> > Because it's experimental and unfinished.
> 
> this is the info I was searching for :-)

Apparently any info was removed from UPGRADE too

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6918

> However, so far spamassassin --lint produces:
> 
> Mar  1 10:40:36.659 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.661 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.661 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.662 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.663 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:40:36.666 [19493] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> 
> I guess it's missing the headers, when I pasted this your mail with headers:
> 
> Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) 
> header.from=hege.li
> Authentication-Results: fantomas.fantomas.sk;
> dkim=pass (2048-bit key; unprotected) header.d=hege.li 
> header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=B6Wp55NL;
> dkim-atps=neutral
> Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
> authorized) smtp.mailfrom=spamassassin.apache.org
> (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
> 
> envelope-from=users-return-126602-uhlar=fantomas.sk@spamassassin.apache.
> org; receiver=)
> Authentication-Results: fantomas.fantomas.sk; arc=none 
> smtp.remote-ip=3.227.148.255
> 
> I only got two lines of errors:
> 
> Mar  1 10:47:17.688 [19813] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar  1 10:47:17.689 [19813] warn: Use of uninitialized value $result in 
> string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.

Bah, I think it was tested as at least working without errors.  I'll have a
look..




Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.

However, I don't see AuthRes plugin mention in .pre files nor in SA rules.


On 01.03.23 11:28, Henrik K wrote:

Because it's experimental and unfinished.


this is the info I was searching for :-)


I will try to load it to see if it works.


You also need rules for it to do anything.  No plugin uses its parsing at
this time.


I see as it's missing from SA rules.


Try the example rules and report back if it works..

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html


I'll try to define another set of rules to see if they fit:

header  A_SPF_PASS  eval:check_authres_result('spf', 'pass')
score   A_SPF_PASS  0.001

header  A_SPF_FAIL  eval:check_authres_result('spf', 'fail')
score   A_SPF_FAIL  0.1

header  A_SPF_SOFTFAIL  eval:check_authres_result('spf', 'softfail')
score   A_SPF_SOFTFAIL  0.1

# RFC 8601 spells the transient SPF result "temperror"; "tempfail" never matches.
header  A_SPF_TEMPFAIL  eval:check_authres_result('spf', 'temperror')
score   A_SPF_TEMPFAIL  0.1

header  A_DKIM_VERIFIED eval:check_authres_result('dkim', 'pass')
score   A_DKIM_VERIFIED 0.1

header  A_DKIM_INVALID  eval:check_authres_result('dkim', 'fail')
score   A_DKIM_INVALID  0.001


However, so far spamassassin --lint produces:

Mar  1 10:40:36.659 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.662 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.663 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:40:36.666 [19493] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.

I guess it's missing the headers, when I pasted this your mail with headers:

Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) 
header.from=hege.li
Authentication-Results: fantomas.fantomas.sk;
dkim=pass (2048-bit key; unprotected) header.d=hege.li 
header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=B6Wp55NL;
dkim-atps=neutral
Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
authorized) smtp.mailfrom=spamassassin.apache.org
(client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
envelope-from=users-return-126602-uhlar=fantomas.sk@spamassassin.apache.
org; receiver=)
Authentication-Results: fantomas.fantomas.sk; arc=none 
smtp.remote-ip=3.227.148.255

I only got two lines of errors:

Mar  1 10:47:17.688 [19813] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar  1 10:47:17.689 [19813] warn: Use of uninitialized value $result in string 
eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
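The three points this thread keeps circling, that AuthRes should take verdicts only from Authentication-Results headers stamped with a trusted authserv-id (the "fantomas.fantomas.sk" case above), that a header should not be thrown away over an unknown property such as header.a= or header.s=, and that ARC-Authentication-Results should be believed only when the sealer named in arc.chain is trusted, as one added example in Python. This is not code from the AuthRes plugin, from SpamAssassin or from any poster: the sample headers are constructed from the ones quoted in the thread plus one made-up foreign header from mail.example.net, the trusted lists are assumptions, and check_authres_result() only mirrors the name of the plugin's eval function.

```python
"""Trust-gated consumer of Authentication-Results (RFC 8601) and
ARC-Authentication-Results. Added example, not SpamAssassin's AuthRes.pm."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the headers quoted in the thread. The last
# header is a constructed foreign A-R header that our own gateway never added.
SAMPLE_HEADERS = [
    ("Authentication-Results",
     "fantomas.fantomas.sk; arc=pass smtp.remote-ip=52.100.19.99 arc.chain=microsoft.com"),
    ("ARC-Authentication-Results",
     "i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=pern.onmicrosoft.com; "
     "dmarc=pass action=none header.from=gcwus.edu.pk; "
     "dkim=pass header.d=gcwus.edu.pk; arc=none"),
    ("Authentication-Results",
     "fantomas.fantomas.sk; dkim=pass (2048-bit key; unprotected) header.d=hege.li "
     "header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E; "
     "dkim-atps=neutral"),
    ("Authentication-Results",
     "mail.example.net; spf=pass smtp.mailfrom=example.net"),
]

_COMMENT = re.compile(r"\([^()]*\)")


def _strip_comments(value: str) -> str:
    # CFWS comments may nest and may contain ';', so remove them before splitting.
    prev = None
    while prev != value:
        prev, value = value, _COMMENT.sub(" ", value)
    return value


def parse_authres(value: str, arc: bool = False) -> Tuple[str, Optional[int], List[dict]]:
    """Return (authserv_id, arc_instance, [result dicts]) for one header value."""
    parts = [p.strip() for p in _strip_comments(value).split(";") if p.strip()]
    if not parts:
        raise ValueError("empty header value")
    instance = None
    if arc:  # ARC-Authentication-Results starts with the instance tag i=N
        m = re.fullmatch(r"i=(\d+)", parts.pop(0))
        if m is None:
            raise ValueError("ARC-Authentication-Results without i= tag")
        instance = int(m.group(1))
    if not parts:
        raise ValueError("missing authserv-id")
    authserv_id = parts.pop(0).split()[0].lower()  # drop the optional version number
    results = []
    for statement in parts:
        tokens = statement.split()
        method, _, result = tokens[0].partition("=")
        if not result:
            continue  # a bare "none" or a malformed fragment carries no verdict
        props: Dict[str, str] = {}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            if val:
                props[key.lower()] = val  # unknown ptype.property pairs are kept, not fatal
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return authserv_id, instance, results


class AuthResults:
    def __init__(self, headers, trusted_authserv_ids, trusted_arc_sealers):
        self.trusted_authserv_ids = {a.lower() for a in trusted_authserv_ids}
        self.trusted_arc_sealers = {s.lower() for s in trusted_arc_sealers}
        self.results: List[dict] = []                 # verdicts from our own gateway
        self.arc_results: Dict[int, List[dict]] = {}  # ARC instance -> upstream verdicts
        self.ignored_authserv_ids: List[str] = []     # foreign A-R headers we refused
        for name, value in headers:
            if name.lower() == "authentication-results":
                authserv_id, _, res = parse_authres(value)
                if authserv_id not in self.trusted_authserv_ids:
                    self.ignored_authserv_ids.append(authserv_id)
                    continue
                self.results.extend(res)
            elif name.lower() == "arc-authentication-results":
                _, instance, res = parse_authres(value, arc=True)
                self.arc_results[instance] = res

    def check_authres_result(self, method: str, result: str) -> bool:
        """Same question as the thread's eval rule: did our gateway record method=result?"""
        return any(r["method"] == method and r["result"] == result for r in self.results)

    def props(self, method: str) -> Dict[str, str]:
        for r in self.results:
            if r["method"] == method:
                return r["props"]
        return {}

    def upstream_results(self) -> Dict[str, str]:
        """Verdicts from the newest ARC hop, or {} unless our gateway saw arc=pass
        and every sealer in arc.chain is on the trusted list."""
        chain = self.props("arc").get("arc.chain", "") if self.check_authres_result("arc", "pass") else ""
        sealers = {d.strip().lower() for d in chain.split(",") if d.strip()}
        if not sealers or not sealers <= self.trusted_arc_sealers or not self.arc_results:
            return {}
        newest = self.arc_results[max(self.arc_results)]
        return {r["method"]: r["result"] for r in newest}


if __name__ == "__main__":
    ar = AuthResults(SAMPLE_HEADERS, ["fantomas.fantomas.sk"], ["microsoft.com"])
    print("own dkim=pass:", ar.check_authres_result("dkim", "pass"))
    print("ignored authserv-ids:", ar.ignored_authserv_ids)
    print("upstream via ARC:", ar.upstream_results())
```

With the sealer list emptied, upstream_results() returns nothing even though the chain validated, which is the "random ARC signer faking positive results" case; the foreign spf=pass from mail.example.net never reaches check_authres_result() because its authserv-id is not ours.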


Re: AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Henrik K
On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
> 
> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
>
> However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

Because it's experimental and unfinished.

> I will try to load it to see if it works.

You also need rules for it to do anything.  No plugin uses it's parsing at
this time.

Try the example rules and report back if it works..

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html



AuthRes plugin (replay RBL queries one hour later)

2023-03-01 Thread Matus UHLAR - fantomas

Rob McEwen wrote:
All I know for sure is this - for MANY legit emails - DKIM fails 
some days later


On 28.02.23 12:52, Kris Deugau wrote:

Hours.

I've recently learned about this, in the context of trying to 
welcomelist legitimate senders.  A 2-hour validity window for the DKIM 
signature is pretty common.  :(


I hope these senders expire their e-mail 1.5 hours after sending...


This should be avoidable by using opendkim at SMTP time, and using 
Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules aren't 
rechecked if they are


I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.

However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

I will try to load it to see if it works.



- when it had originally worked/validated at the time the
message was sent. I see this often in the real world when I rescan a 
message to try to verify the impact on a message that a spam 
filtering change caused - then notice that a very legit email that 
original passed DKIM at the time the message was received - now 
suddenly fails DKIM during this days-later rescan - and without ANY 
changes to the message itself. I think that this is most likely 
caused by DNS records for that DKIM being changed/updated.


On most of those messages I expect it's an attribute set on the 
signature, not a rotated DKIM record.


Look for "t=..." and "x=..." in the DKIM-Signature header.  t= is the 
timestamp when it was signed, x= is when it expires.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.


Re: replay RBL queries one hour later

2023-02-28 Thread Kris Deugau

Rob McEwen wrote:

Benny,

All I know for sure is this - for MANY legit emails - DKIM fails some 
days later


Hours.

I've recently learned about this, in the context of trying to 
welcomelist legitimate senders.  A 2-hour validity window for the DKIM 
signature is pretty common.  :(


 - when it had originally worked/validated at the time the
message was sent. I see this often in the real world when I rescan a 
message to try to verify the impact on a message that a spam filtering 
change caused - then notice that a very legit email that original passed 
DKIM at the time the message was received - now suddenly fails DKIM 
during this days-later rescan - and without ANY changes to the message 
itself. I think that this is most likely caused by DNS records for that 
DKIM being changed/updated.


On most of those messages I expect it's an attribute set on the 
signature, not a rotated DKIM record.


Look for "t=..." and "x=..." in the DKIM-Signature header.  t= is the 
timestamp when it was signed, x= is when it expires.


-kgd
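Added example, not part of Kris's message or anyone else's on the list: a small Python check that pulls the t= and x= tags out of a DKIM-Signature value and tells you whether a DKIM failure seen on a rescan is explained by the signature's own validity window rather than by anything wrong with the message or the key. The header value is constructed for illustration (bh= and b= are placeholders); the tag names and the "x= must be later than t=" rule follow RFC 6376.

```python
import re

# Constructed DKIM-Signature value (not from any message in the thread);
# bh= and b= are placeholders, only the tag structure matters here.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
    " h=from:to:subject:date:message-id; t=1677340800; x=1677348000;"
    " bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZw=="
)


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).

    Whitespace inside values is dropped because b= and bh= are often folded
    across lines; tag names are case-sensitive per the RFC."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DKIM tag: %r" % part)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_window(header_value):
    """Return (t, x) as integer epoch seconds; either is None when absent."""
    tags = parse_dkim_tags(header_value)
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if t is not None and x is not None and x <= t:
        # RFC 6376 s3.5: x= MUST be greater than t= when both are present
        raise ValueError("x= (%d) is not later than t= (%d)" % (x, t))
    return t, x


def signature_lifetime(header_value):
    """Seconds the signer declared the signature valid for, or None without x=."""
    t, x = signature_window(header_value)
    if t is None or x is None:
        return None
    return x - t


def is_expired(header_value, at):
    """True once the verification time is past x=; no x= means it never expires."""
    _, x = signature_window(header_value)
    return x is not None and at > x


def rescan_explanation(header_value, received_at, rescan_at):
    """Classify why a rescan might see a DKIM failure that original delivery
    did not: 'expired-between-receipt-and-rescan' is the benign case Kris
    describes; the other two results deserve a closer look."""
    if is_expired(header_value, received_at):
        return "expired-at-receipt"
    if is_expired(header_value, rescan_at):
        return "expired-between-receipt-and-rescan"
    return "within-window"


if __name__ == "__main__":
    received = 1677341000            # constructed: a few minutes after t=
    rescan = received + 3 * 24 * 3600  # a days-later rescan
    print("declared lifetime:", signature_lifetime(SAMPLE_DKIM_SIGNATURE), "seconds")
    print("rescan verdict:", rescan_explanation(SAMPLE_DKIM_SIGNATURE, received, rescan))
```

Feed it the DKIM-Signature header of a message whose rescan came back DKIM-invalid: a 7200-second lifetime with the rescan outside the window is the 2-hour case above, and is not evidence of a rotated key.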


Re: replay RBL queries one hour later

2023-02-26 Thread hg user
Thank you to everybody that replied to my request. I knew I was not clear
in my message... :-)) sorry about it.

I have 2 paid RBL (so I don't care about number of queries) at the frontier
MTA. These RBLs reject a ton of connections and so the number of messages
reaching SA is already reduced.

Unfortunately, I can't greylist at the moment... well, actually I answer
with a 4xx code with one of the paid RBL... it's not *me* that greylists
but an external, official, specialized source. I know, borderline.

Back to my request, I see two possibilities.

A.
In the logs of the frontier MTA I have the connection IPs of the messages
that went through. A simple script can extract the IPs, |sort|uniq and then
dig/nslookup and note if they are now listed.
Unfortunately I don't know if the message was reported spam or quarantined
later but it may be detected spam not for RBL

B.
On the backend, zimbra logs all the messages stored in the mailboxes. A bit
more complex script can dump the not spam and not quarantined messages
received in a time range in a specific dir and submit each one to SA, the
production one or one dedicated to this job. In this way I will also check
the URL RBLs.
Using a different SA server allows us to use SA 4.0, or a different set of
plugins and rules, or for example enabling only RBLs checks, adding the
paid ones.

Still don't know if all this is worth the effort.
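Added example, not from hg user's message or anyone else's on the list: a Python sketch of plan A. It extracts the client IPs (and the queue-ids, so a hit can be traced back to the message) of accepted messages from constructed Postfix-style log lines, builds the reversed-IP DNSBL names, and interprets the answers. The zones, the log lines and the fake resolver are assumptions so the example runs offline; a live run uses socket.gethostbyname, the default. It also handles two answers that must not be counted as listings: the 127.255.255.x codes Spamhaus returns for open-resolver or over-quota queries (the ADMINISTRATOR NOTICE that appears elsewhere in this archive) and a non-loopback answer from a parked or expired zone.

```python
import re
import socket

# Constructed Postfix-style smtpd log lines (not from the thread); addresses
# are from the RFC 5737 documentation ranges.
SAMPLE_MTA_LOG = """\
Feb 25 14:31:02 mx postfix/smtpd[1234]: connect from mail.example.net[192.0.2.10]
Feb 25 14:31:03 mx postfix/smtpd[1234]: 4A1B2C3D4E: client=mail.example.net[192.0.2.10]
Feb 25 14:35:10 mx postfix/smtpd[1240]: 5F6A7B8C9D: client=unknown[198.51.100.77]
Feb 25 14:36:44 mx postfix/smtpd[1241]: 6E7F8A9B0C: client=unknown[198.51.100.77]
Feb 25 14:40:01 mx postfix/smtpd[1250]: 7D8E9F0A1B: client=relay.example.org[203.0.113.5]
"""

# Assumed zones for the example; use the lists your MTA actually consults.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# One "client=" line per accepted message gives the queue-id as well as the IP.
CLIENT_RE = re.compile(
    r": (?P<queue_id>[0-9A-Za-z]{10,}): client=[^\[]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


class TempFail(Exception):
    """Resolver returned a temporary failure: the answer is unknown, not 'not listed'."""


def accepted_clients(log_text):
    """Map each connecting IP to the queue-ids of the messages it got accepted."""
    clients = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients.setdefault(m["ip"], []).append(m["queue_id"])
    return clients


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(name, resolver):
    """Return the A record as a string, or None for NXDOMAIN (not listed)."""
    try:
        return resolver(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:
            raise TempFail(name)
        return None


def classify(answer):
    """Interpret a DNSBL answer: 127.0.0.0/8 means listed, except the
    127.255.255.0/24 range Spamhaus uses to signal errors (open resolver,
    query limit exceeded, typo), which must never be scored as a hit."""
    if answer is None:
        return "not-listed"
    octets = [int(o) for o in answer.split(".")]
    if octets[0] != 127:
        return "unexpected"  # e.g. a parked or expired DNSBL zone answering with a public IP
    if octets[1] == 255 and octets[2] == 255:
        return "error"
    return "listed"


def replay(log_text, zones, resolver=socket.gethostbyname):
    """Re-query every accepted client IP against the zones; return everything
    that is not a clean 'not listed', with the queue-ids it affects."""
    findings = []
    for ip, queue_ids in accepted_clients(log_text).items():
        for zone in zones:
            try:
                answer = lookup(dnsbl_name(ip, zone), resolver)
                status = classify(answer)
            except TempFail:
                answer, status = None, "tempfail"
            if status != "not-listed":
                findings.append({"ip": ip, "zone": zone, "answer": answer,
                                 "status": status, "queue_ids": queue_ids})
    return findings


# Constructed answers so the example runs offline; a live run uses the default resolver.
FAKE_ANSWERS = {
    "77.100.51.198.zen.spamhaus.org": "127.0.0.4",      # XBL-style listing code
    "5.113.0.203.bl.spamcop.net": "127.0.0.2",
    "5.113.0.203.zen.spamhaus.org": "127.255.255.254",  # Spamhaus "open resolver" error code
}


def fake_resolver(name):
    if name in FAKE_ANSWERS:
        return FAKE_ANSWERS[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


if __name__ == "__main__":
    for f in replay(SAMPLE_MTA_LOG, DNSBL_ZONES, fake_resolver):
        print(f["status"], f["ip"], f["zone"], f["answer"], ",".join(f["queue_ids"]))
```

Run it from cron an hour or two after the log window it reads; the "error" and "tempfail" statuses are the ones to alert on for your own resolver's sake, the "listed" ones are the late listings the original question is about.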






Re: replay RBL queries one hour later

2023-02-26 Thread Benny Pedersen

Rob McEwen skrev den 2023-02-26 19:45:

Benny,

All I know for sure is this - for MANY legit emails - DKIM fails some
days later - when it had originally worked/validated at the time the
message was sent.


When I began DKIM signing I did that, thinking: why would it be valid 
after delivery? Could it be good to only be valid until the recipient's 
forwarder has received it? In today's scenario it could harden ARC more, to 
be used in forwards that on their own break DKIM.


postfix has a queue lifetime of 5d, so make DKIM valid for 6 days? :)

Since then I do not expire this anymore.


I see this often in the real world when I rescan a
message to try to verify the impact on a message that a spam filtering
change caused - then notice that a very legit email that original
passed DKIM at the time the message was received - now suddenly fails
DKIM during this days-later rescan - and without ANY changes to the
message itself.


why rescan ?

add reuse foo into local.cf for SpamAssassin so it is not retesting DKIM


I think that this is most likely caused by DNS records
for that DKIM being changed/updated. But whatever the cause, this is
STILL a reality that's worth noting, for anyone who is rescanning
messages later.


correct, how to solve that world on steroids? :)


Re: replay RBL queries one hour later

2023-02-26 Thread Rob McEwen

Benny,

All I know for sure is this - for MANY legit emails - DKIM fails some 
days later - when it had originally worked/validated at the time the 
message was sent. I see this often in the real world when I rescan a 
message to try to verify the impact on a message that a spam filtering 
change caused - then notice that a very legit email that original passed 
DKIM at the time the message was received - now suddenly fails DKIM 
during this days-later rescan - and without ANY changes to the message 
itself. I think that this is most likely caused by DNS records for that 
DKIM being changed/updated. But whatever the cause, this is STILL a 
reality that's worth noting, for anyone who is rescanning messages 
later.


Rob McEwen, invaluement


-- Original Message --

From "Benny Pedersen" 

To users@spamassassin.apache.org
Date 2/26/2023 1:37:53 PM
Subject Re: replay RBL queries one hour later


Rob McEwen skrev den 2023-02-26 19:03:

..

sent. This can lead to many egregious false positives. But doing this
"one hour later" shouldn't have this problem.


Message-ID is time-based, so why invalidate it? :)

I made that mistake of not DKIM signing that header.

In that regard I now have 2048 kbit size, where 4096 is a bit overkill.


Re: replay RBL queries one hour later

2023-02-26 Thread Benny Pedersen

Rob McEwen skrev den 2023-02-26 19:03:

...

sent. This can lead to many egregious false positives. But doing this
"one hour later" shouldn't have this problem.


Message-ID is time-based, so why invalidate it? :)

I made that mistake of not DKIM signing that header.

In that regard I now have 2048 kbit size, where 4096 is a bit overkill.


Re: replay RBL queries one hour later

2023-02-26 Thread Rob McEwen
Something to keep in mind about this idea of rescanning messages later - 
once more anti-spam data is available - for use in training/reporting 
spams - this probably should NOT be done days later because SOME senders 
aggressively expire/recycle DKIM dns records. I guess that is to 
minimize the ability for criminals to spoof DKIM? The result is that if 
you implement this idea on days-old messages, you can end up with some 
spam scoring that was ONLY due to the DKIM not being valid anymore, 
where it was valid at the time the message was sent. This can lead to 
many egregious false positives. But doing this "one hour later" 
shouldn't have this problem.


Rob McEwen, invaluement


Re: replay RBL queries one hour later

2023-02-26 Thread Bill Cole

On 2023-02-25 at 09:34:52 UTC-0500 (Sat, 25 Feb 2023 15:34:52 +0100)
hg user 
is rumored to have said:

The last time I was hit by a not-recognized phishing campaign, no Ips nor 
domains were present in RBL. When I took action one hour later I found that 
several of them were listed.

So my idea is; is it possible to replay the queries one/two hours later?


If you write the code to do it, based on however you manage your mail, 
you can do this. There's no way to put that sort of site-specific 
tooling into SA itself. SA does not know anything about mail other than 
the messages it is given. SA has no way to know what has happened to a 
message after it has made its judgment.



I envision two methods:
- logging the queries, with Message-ids
- storing a copy of the message

If the second run hits new RBL, report to me, to take action.


It's certainly something that one could do.

It is not something that SpamAssassin itself does or ever will do.

A useful tool for doing this sort of thing involving SA is the 
MIMEDefang milter, which can use SA for filtering and also can do 
anything else you can tell Perl to do with mail. I believe MailMunge (a 
descendant of MIMEDefang) also has that capacity.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: replay RBL queries one hour later

2023-02-25 Thread John Hardin

On Sat, 25 Feb 2023, hg user wrote:


The last time I was hit by a not-recognized phishing campaign, no Ips nor
domains were present in RBL. When I took action one hour later I found that
several of them were listed.

So my idea is; is it possible to replay the queries one/two hours later?


Another more common approach to this situation is "greylisting", where the 
first attempt to submit a message from an unrecognized source is 
tempfailed for some period of time. The mailer will retry and the 
submission will be accepted after the greylisting period has expired, 
which may give RBLs time to list the IPs/domains/hashes/etc.


This also theoretically blocks fire-and-forget mass spammers who only try 
submission once, but I don't know how common that model is these days.


  https://duckduckgo.com/?q=milter-greylist

There are scenarios where this delay is unwelcome, for example commercial 
accounts where you don't want a delay in receiving communications from 
customers or potential customers. There are ways to tune it that may 
mitigate these concerns somewhat.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is not a suicide pact, it is a restraining order
  against government. And government, like any abusive person,
  does not respect or obey restraining orders.   -- Anonymous
---
 1,001 days since the first private commercial manned orbital mission (SpaceX)


Re: replay RBL queries one hour later

2023-02-25 Thread Matus UHLAR - fantomas

On 25.02.23 15:34, hg user wrote:

The last time I was hit by a not-recognized phishing campaign, no Ips nor
domains were present in RBL. When I took action one hour later I found that
several of them were listed.

So my idea is; is it possible to replay the queries one/two hours later?


you can scan mail every time you want, the question is how do you want to do 
that.



I envision two methods:
- logging the queries, with Message-ids
- storing a copy of the message

If the second run hits new RBL, report to me, to take action.


this could work, this way you could feed all mail multiple times to SA, 
which would apparently increase usage of DNSBLs, they could block you then.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


replay RBL queries one hour later

2023-02-25 Thread hg user
The last time I was hit by a not-recognized phishing campaign, no Ips nor
domains were present in RBL. When I took action one hour later I found that
several of them were listed.

So my idea is; is it possible to replay the queries one/two hours later?

I envision two methods:
- logging the queries, with Message-ids
- storing a copy of the message

If the second run hits new RBL, report to me, to take action.

Hope I was clear...


Re: excluding specific RBL checks

2023-01-09 Thread joe a

On 1/9/2023 3:55 AM, Matus UHLAR - fantomas wrote:
Until I can get around to updating I'm considering just nuking the 
actual tests from the ruleset.

Much easier and reliable way:

dns_query_restriction deny spamhaus.org



Charles Sprickman skrev den 2023-01-09 08:04:
Trying this on half the pair, I assume this hits all subdomains of 
spamhaus.org?


Never ran into that parameter in my searches for this.


On 09.01.23 09:26, Benny Pedersen wrote:

never read perldoc Mail::SpamAssassin::Conf ?


some people don't repeatedly read it thoroughly.

Henrik forgot this is per domain, so the full domain including subdomains 
as seen in "rndc querylog" in bind logs!


spamassassin -D -t spamtestmsg 2>&1 | less

dns_query_restriction deny dwl.dnswl.org list.dnswl.org
dns_query_restriction deny multi.uribl.com

imho score foo 0 is a bug


no, it's documented feature - rules with score 0 are not run.

However, joe a aka the OP should be more interested in finding out why 
are his DNS queries going through an open resolver and fixing the real 
issue.




Right you are.  It now appears resolved (cough, cough . . .).

Spamhaus site provided this quick test: "dig 2.0.0.127.zen.spamhaus.org 
+short" which with variant "dig @my.local.dns.serv 
2.0.0.127.zen.spamhaus.org +short", allowed me to pretty quickly sort it 
out.


A lot of cobwebs needed to be cleared out, but, seems to be working as 
advertised.


Thanks to all for their patience and suggestions.

joe a.



Re: excluding specific RBL checks

2023-01-09 Thread Matus UHLAR - fantomas
Until I can get around to updating I'm considering just nuking 
the actual tests from the ruleset.

Much easier and reliable way:

dns_query_restriction deny spamhaus.org



Charles Sprickman skrev den 2023-01-09 08:04:
Trying this on half the pair, I assume this hits all subdomains of 
spamhaus.org?


Never ran into that parameter in my searches for this.


On 09.01.23 09:26, Benny Pedersen wrote:

never read perldoc Mail::SpamAssassin::Conf ?


some people don't repeatedly read it thoroughly.

Henrik forgot this is per domain, so the full domain including subdomains 
as seen in "rndc querylog" in bind logs!


spamassassin -D -t spamtestmsg 2>&1 | less

dns_query_restriction deny dwl.dnswl.org list.dnswl.org
dns_query_restriction deny multi.uribl.com

imho score foo 0 is a bug


no, it's documented feature - rules with score 0 are not run.

However, joe a aka the OP should be more interested in finding out why are his 
DNS queries going through an open resolver and fixing the real issue.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.


Re: excluding specific RBL checks

2023-01-09 Thread Benny Pedersen

Charles Sprickman skrev den 2023-01-09 08:04:

Until I can get around to updating I'm considering just nuking the 
actual tests from the ruleset.

Much easier and reliable way:

dns_query_restriction deny spamhaus.org


Trying this on half the pair, I assume this hits all subdomains of 
spamhaus.org?


Never ran into that parameter in my searches for this.


never read perldoc Mail::SpamAssassin::Conf ?

Henrik forgot this is per domain, so the full domain including subdomains 
as seen in "rndc querylog" in bind logs!


spamassassin -D -t spamtestmsg 2>&1 | less

dns_query_restriction deny dwl.dnswl.org list.dnswl.org
dns_query_restriction deny multi.uribl.com

imho score foo 0 is a bug


Re: excluding specific RBL checks

2023-01-08 Thread Charles Sprickman



> On Jan 8, 2023, at 10:35 PM, Henrik K  wrote:
> 
> On Sun, Jan 08, 2023 at 04:23:11PM -0500, Charles Sprickman wrote:
>> What did you end up with?
>> 
>> I have a bunch of zero rules for these yet still keep getting the 
>> "administrative notice" from sbl/zen.
>> 
>> The fact that those guys don't just send out a "yes, this is on by default 
>> in spamassassin, here is copy pasta to turn us off" email bugs me.
>> 
>> I've grown to this huge list and still get the warnings.
>> 
>> # remove spamhaus tests, they want us to pay
>> # need to include the first base rule or DNS still triggers but is ignored
>> score __RCVD_IN_ZEN 0
>> score RCVD_IN_SBL 0
>> score RCVD_IN_XBL 0
>> score RCVD_IN_PBL 0
>> score URIBL_SBL 0
>> score URIBL_CSS 0
>> score URIBL_SBL_A 0
>> score URIBL_CSS_A 0
>> score URIBL_DBL_SPAM 0
>> score URIBL_DBL_PHISH 0
>> score URIBL_DBL_MALWARE 0
>> score URIBL_DBL_BOTNETCC 0
>> score URIBL_DBL_ABUSE_SPAM 0
>> score URIBL_DBL_ABUSE_REDIR 0
>> score URIBL_DBL_ABUSE_PHISH 0
>> score URIBL_DBL_ABUSE_MALW 0
>> score URIBL_DBL_ABUSE_BOTCC 0
>> 
>> Until I can get around to updating I'm considering just nuking the actual 
>> tests from the ruleset.
> 
> Much easier and reliable way:
> 
> dns_query_restriction deny spamhaus.org

Trying this on half the pair, I assume this hits all subdomains of spamhaus.org?

Never ran into that parameter in my searches for this.

Thanks!

Charles

Re: excluding specific RBL checks

2023-01-08 Thread Charles Sprickman


> On Jan 8, 2023, at 10:44 PM, joe a  wrote:
> 
> On 1/8/2023 4:23 PM, Charles Sprickman wrote:
>> What did you end up with?
> 
> score RCVD_IN_ZEN_BLOCKED_OPENDNS 0
> 
> I am not certain if that stops the test or simply reporting of the message.  
> Looks like I will need to do some packet capture after all.
> 
>> I have a bunch of zero rules for these yet still keep getting the 
>> "administrative notice" from sbl/zen.
>> The fact that those guys don't just send out a "yes, this is on by default 
>> in spamassassin, here is copy pasta to turn us off" email bugs me.
>> I've grown to this huge list and still get the warnings.
>> # remove spamhaus tests, they want us to pay
>> # need to include the first base rule or DNS still triggers but is ignored
>> score __RCVD_IN_ZEN 0
> 
> Is that a typo? There should be no underscore before RCVD, correct?

That's copypasta from the wiki page spamhaus references. No explanation on the 
page why the underscores...

C

> 
>> score RCVD_IN_SBL 0
>> score RCVD_IN_XBL 0
>> score RCVD_IN_PBL 0
>> score URIBL_SBL 0
>> score URIBL_CSS 0
>> score URIBL_SBL_A 0
>> score URIBL_CSS_A 0
>> score URIBL_DBL_SPAM 0
>> score URIBL_DBL_PHISH 0
>> score URIBL_DBL_MALWARE 0
>> score URIBL_DBL_BOTNETCC 0
>> score URIBL_DBL_ABUSE_SPAM 0
>> score URIBL_DBL_ABUSE_REDIR 0
>> score URIBL_DBL_ABUSE_PHISH 0
>> score URIBL_DBL_ABUSE_MALW 0
>> score URIBL_DBL_ABUSE_BOTCC 0
>> Until I can get around to updating I'm considering just nuking the actual 
>> tests from the ruleset.
>> Charles





Re: excluding specific RBL checks

2023-01-08 Thread joe a

On 1/8/2023 10:35 PM, Henrik K wrote:

On Sun, Jan 08, 2023 at 04:23:11PM -0500, Charles Sprickman wrote:

. . .
# remove spamhaus tests,. . .
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score URIBL_SBL 0
score URIBL_CSS 0
score URIBL_SBL_A 0. . . 

Much easier and reliable way:

dns_query_restriction deny spamhaus.org



Ah Hah!  Seems to work for me.  See? I CAN be taught!

joe a.


Re: excluding specific RBL checks

2023-01-08 Thread joe a

On 1/8/2023 4:38 PM, Benny Pedersen wrote:

joe a skrev den 2023-01-08 21:50:

SA version 3.4.5

Gears are clashing, clutch is slipping, among other things.

Trying to exclude certain checks, via spamhouse services "by the book"


what book ?


The good one? Several places.  Most looked like cut and paste from each 
other.  Trying to find the exact place now and cannot. Saw it most 
recently on another list, where others happened to be having similar dns 
issues.



When placing these values in local.cf:

RCVD_IN_ZEN 0
RCVD_IN_XBL 0
RCVD_IN_PBL 0

"spamassassin --lint" complains. Yet SA starts without complaint and
seems to not run those tests.


you miss score in 3 lines ?


Yep.


Placing "score" at the beginning of the line makes lint happy and SA
seems to start fine and also does not run those tests.


so lint passed ?


Yes, with score.


So, one assumes it is a typo in the docs, or, one is expected to infer
the "score" word.


what docs ?

anything on the web is fake news, the only valid docs are perldoc 
Mail::SpamAssassin::Conf



I only know of https://spamassassin.apache.org/full/3.4.x/doc/ which I 
though I was referencing.  Seems likely I just allowed myself to be 
misled, "chaff".



and all related plugins


Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):


clear your config :)


"RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"
Which suggests that one runs despite the directive or, I am using the 
wrong one.


make /etc/resolv.conf only have nameserver 127.0.0.1 and you either have 
bind, unbound, pdns-recursor as of your own choice


Certainly worth a try and much simpler that what I was trying.


still problems ?, lets hear them


Re: excluding specific RBL checks

2023-01-08 Thread joe a

On 1/8/2023 4:23 PM, Charles Sprickman wrote:

What did you end up with?


score RCVD_IN_ZEN_BLOCKED_OPENDNS 0

I am not certain if that stops the test or simply reporting of the 
message.  Looks like I will need to do some packet capture after all.



I have a bunch of zero rules for these yet still keep getting the "administrative 
notice" from sbl/zen.

The fact that those guys don't just send out a "yes, this is on by default in 
spamassassin, here is copy pasta to turn us off" email bugs me.

I've grown to this huge list and still get the warnings.

# remove spamhaus tests, they want us to pay
# need to include the first base rule or DNS still triggers but is ignored
score __RCVD_IN_ZEN 0


Is that a typo? There should be no underscore before RCVD, correct?


score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score URIBL_SBL 0
score URIBL_CSS 0
score URIBL_SBL_A 0
score URIBL_CSS_A 0
score URIBL_DBL_SPAM 0
score URIBL_DBL_PHISH 0
score URIBL_DBL_MALWARE 0
score URIBL_DBL_BOTNETCC 0
score URIBL_DBL_ABUSE_SPAM 0
score URIBL_DBL_ABUSE_REDIR 0
score URIBL_DBL_ABUSE_PHISH 0
score URIBL_DBL_ABUSE_MALW 0
score URIBL_DBL_ABUSE_BOTCC 0

Until I can get around to updating I'm considering just nuking the actual tests 
from the ruleset.

Charles



Re: excluding specific RBL checks

2023-01-08 Thread joe a

On 1/8/2023 4:00 PM, joe a wrote:

On 1/8/2023 3:50 PM, joe a wrote:

SA version 3.4.5

Gears are clashing, clutch is slipping, among other things.

Trying to exclude certain checks, via spamhouse services "by the book"

When placing these values in local.cf:

RCVD_IN_ZEN 0
RCVD_IN_XBL 0
RCVD_IN_PBL 0

"spamassassin --lint" complains. Yet SA starts without complaint and 
seems to not run those tests.


Placing "score" at the beginning of the line makes lint happy and SA 
seems to start fine and also does not run those tests.


So, one assumes it is a typo in the docs, or, one is expected to infer 
the "score" word.


Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):

"RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"

Which suggests that one runs despite the directive or, I am using the 
wrong one.





And the answer to the latter is "I had the wrong directive".  Which is 
obvious.  Now.




Correcting myself, yet again, "score" needs to be specified, it seems, 
otherwise this is seen in /var/log/mail:


2023-01-08T15:00:42.854109-05:00 auxilary spamd[14937]: config: failed 
to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_ZEN 0
2023-01-08T15:00:42.854573-05:00 auxilary spamd[14937]: config: failed 
to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_XBL 0
2023-01-08T15:00:42.854908-05:00 auxilary spamd[14937]: config: failed 
to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_PBL 0


Contrary to some, there is value in following logs when making changes.
who'd have thought that.





Re: excluding specific RBL checks

2023-01-08 Thread Henrik K
On Sun, Jan 08, 2023 at 04:23:11PM -0500, Charles Sprickman wrote:
> What did you end up with?
> 
> I have a bunch of zero rules for these yet still keep getting the 
> "administrative notice" from sbl/zen.
> 
> The fact that those guys don't just send out a "yes, this is on by default in 
> spamassassin, here is copy pasta to turn us off" email bugs me.
> 
> I've grown to this huge list and still get the warnings.
> 
> # remove spamhaus tests, they want us to pay
> # need to include the first base rule or DNS still triggers but is ignored
> score __RCVD_IN_ZEN 0
> score RCVD_IN_SBL 0
> score RCVD_IN_XBL 0
> score RCVD_IN_PBL 0
> score URIBL_SBL 0
> score URIBL_CSS 0
> score URIBL_SBL_A 0
> score URIBL_CSS_A 0
> score URIBL_DBL_SPAM 0
> score URIBL_DBL_PHISH 0
> score URIBL_DBL_MALWARE 0
> score URIBL_DBL_BOTNETCC 0
> score URIBL_DBL_ABUSE_SPAM 0
> score URIBL_DBL_ABUSE_REDIR 0
> score URIBL_DBL_ABUSE_PHISH 0
> score URIBL_DBL_ABUSE_MALW 0
> score URIBL_DBL_ABUSE_BOTCC 0
> 
> Until I can get around to updating I'm considering just nuking the actual 
> tests from the ruleset.

Much easier and reliable way:

dns_query_restriction deny spamhaus.org



Re: excluding specific RBL checks

2023-01-08 Thread Benny Pedersen

Charles Sprickman skrev den 2023-01-08 22:23:

What did you end up with?

I have a bunch of zero rules for these yet still keep getting the
"administrative notice" from sbl/zen.

The fact that those guys don't just send out a "yes, this is on by
default in spamassassin, here is copy pasta to turn us off" email bugs
me.

I've grown to this huge list and still get the warnings.

# remove spamhaus tests, they want us to pay
# need to include the first base rule or DNS still triggers but is 
ignored

score __RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score URIBL_SBL 0
score URIBL_CSS 0
score URIBL_SBL_A 0
score URIBL_CSS_A 0
score URIBL_DBL_SPAM 0
score URIBL_DBL_PHISH 0
score URIBL_DBL_MALWARE 0
score URIBL_DBL_BOTNETCC 0
score URIBL_DBL_ABUSE_SPAM 0
score URIBL_DBL_ABUSE_REDIR 0
score URIBL_DBL_ABUSE_PHISH 0
score URIBL_DBL_ABUSE_MALW 0
score URIBL_DBL_ABUSE_BOTCC 0


Oh, I bet Spamhaus is still queried, sadly :(

but with score 0 it's not known or has any effect

If you have bind installed then do "rndc querylog"; this is a toggle, so 
one more call shifts the state of querylog. Do "rndc status" to see the current 
state.


Verify now that it does not query undesired RBLs.

if you can verify this i can help solve the remaining problem
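Added example, not from Benny's message or anyone else's on the list, that serves both the dns_query_restriction question in this thread (does "deny spamhaus.org" cover all subdomains?) and the rndc querylog verification Benny asks for: a Python script that reads the deny lines out of a local.cf fragment and scans BIND querylog output for any query falling under those domains, matching on label boundaries so that notspamhaus.org is not a hit. The local.cf fragment and the log lines are constructed. The script takes a denied domain to cover the domain and all its subdomains, which is how perldoc Mail::SpamAssassin::Conf describes dns_query_restriction; confirm that against the manpage of the version you run.

```python
import re

# Constructed local.cf fragment using the directives quoted in the thread.
SAMPLE_LOCAL_CF = """\
# keep the Spamhaus lookups from leaving this box at all
dns_query_restriction deny spamhaus.org
dns_query_restriction deny dwl.dnswl.org list.dnswl.org
dns_query_restriction deny multi.uribl.com
"""

# Constructed BIND 9 querylog lines (what named emits after "rndc querylog");
# the client address, names and flags are illustrative only.
SAMPLE_QUERYLOG = """\
08-Jan-2023 15:02:11.123 queries: info: client @0x7f1a2b3c4d50 127.0.0.1#51234 (2.0.0.127.zen.spamhaus.org): query: 2.0.0.127.zen.spamhaus.org IN A +E(0) (127.0.0.1)
08-Jan-2023 15:02:11.130 queries: info: client @0x7f1a2b3c4d50 127.0.0.1#51235 (example.com.dbl.spamhaus.org): query: example.com.dbl.spamhaus.org IN A +E(0) (127.0.0.1)
08-Jan-2023 15:02:11.140 queries: info: client @0x7f1a2b3c4d50 127.0.0.1#51236 (2.0.0.127.bl.spamcop.net): query: 2.0.0.127.bl.spamcop.net IN A +E(0) (127.0.0.1)
08-Jan-2023 15:02:11.150 queries: info: client @0x7f1a2b3c4d50 127.0.0.1#51237 (example.com.multi.uribl.com): query: example.com.multi.uribl.com IN A +E(0) (127.0.0.1)
08-Jan-2023 15:02:11.160 queries: info: client @0x7f1a2b3c4d50 127.0.0.1#51238 (notspamhaus.org): query: notspamhaus.org IN A +E(0) (127.0.0.1)
08-Jan-2023 15:02:11.170 queries: info: client @0x7f1a2b3c4d50 127.0.0.1#51239 (mail.example.net): query: mail.example.net IN MX +E(0) (127.0.0.1)
"""

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<rrtype>[A-Z0-9]+)")


def parse_restrictions(local_cf):
    """Collect every domain named on a 'dns_query_restriction deny' line,
    ignoring comments and trailing dots."""
    denied = []
    for raw in local_cf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "dns_query_restriction" and parts[1] == "deny":
            denied.extend(p.lower().rstrip(".") for p in parts[2:])
    return denied


def under_domain(qname, domain):
    """True if qname is domain itself or a subdomain of it. The match is on a
    label boundary, so notspamhaus.org does not match spamhaus.org."""
    qname = qname.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


def denied_queries(querylog, denied):
    """Return (qname, denied domain) for every logged query that should not
    have left the box if the restriction is working."""
    hits = []
    for line in querylog.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        for domain in denied:
            if under_domain(m["name"], domain):
                hits.append((m["name"], domain))
                break
    return hits


if __name__ == "__main__":
    denied = parse_restrictions(SAMPLE_LOCAL_CF)
    for qname, domain in denied_queries(SAMPLE_QUERYLOG, denied):
        print("still queried:", qname, "(denied by", domain + ")")
```

On a live box: toggle logging on with rndc querylog, run spamassassin -t over a sample message, and point denied_queries at named's log; an empty result is the verification Benny asks for, and any hit names the rule family still reaching the list.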


Re: excluding specific RBL checks

2023-01-08 Thread Benny Pedersen

joe a skrev den 2023-01-08 21:50:

SA version 3.4.5

Gears are clashing, clutch is slipping, among other things.

Trying to exclude certain checks, via spamhouse services "by the book"


what book ?


When placing these values in local.cf:

RCVD_IN_ZEN 0
RCVD_IN_XBL 0
RCVD_IN_PBL 0

"spamassassin --lint" complains. Yet SA starts without complaint and
seems to not run those tests.


you miss score in 3 lines ?


Placing "score" at the beginning of the line makes lint happy and SA
seems to start fine and also does not run those tests.


so lint passed ?


So, one assumes it is a typo in the docs, or, one is expected to infer
the "score" word.


what docs ?

anything on the web is fake news, the only valid docs are perldoc 
Mail::SpamAssassin::Conf


and all related plugins

Yet I still see this while "skip_rbl_checks 1" (in both above 
scenarios):


clear your config :)


"RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"
Which suggests that one runs despite the directive or, I am using the 
wrong one.


make /etc/resolv.conf only have nameserver 127.0.0.1 and you either have 
bind, unbound, pdns-recursor as of your own choice


still problems ?, lets hear them


Re: excluding specific RBL checks

2023-01-08 Thread Charles Sprickman
What did you end up with?

I have a bunch of zero rules for these yet still keep getting the 
"administrative notice" from sbl/zen.

The fact that those guys don't just send out a "yes, this is on by default in 
spamassassin, here is copy pasta to turn us off" email bugs me.

I've grown to this huge list and still get the warnings.

# remove spamhaus tests, they want us to pay
# need to include the first base rule or DNS still triggers but is ignored
score __RCVD_IN_ZEN 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0
score RCVD_IN_PBL 0
score URIBL_SBL 0
score URIBL_CSS 0
score URIBL_SBL_A 0
score URIBL_CSS_A 0
score URIBL_DBL_SPAM 0
score URIBL_DBL_PHISH 0
score URIBL_DBL_MALWARE 0
score URIBL_DBL_BOTNETCC 0
score URIBL_DBL_ABUSE_SPAM 0
score URIBL_DBL_ABUSE_REDIR 0
score URIBL_DBL_ABUSE_PHISH 0
score URIBL_DBL_ABUSE_MALW 0
score URIBL_DBL_ABUSE_BOTCC 0

Until I can get around to updating I'm considering just nuking the actual tests 
from the ruleset.

Charles

> On Jan 8, 2023, at 4:00 PM, joe a  wrote:
> 
> On 1/8/2023 3:50 PM, joe a wrote:
>> SA version 3.4.5
>> Gears are clashing, clutch is slipping, among other things.
>> Trying to exclude certain checks, via spamhouse services "by the book"
>> When placing these values in local.cf:
>> RCVD_IN_ZEN 0
>> RCVD_IN_XBL 0
>> RCVD_IN_PBL 0
>> "spamassassin --lint" complains. Yet SA starts without complaint and seems 
>> to not run those tests.
>> Placing "score" at the beginning of the line makes lint happy and SA seems 
>> to start fine and also does not run those tests.
>> So, one assumes it is a typo in the docs, or, one is expected to infer the 
>> "score" word.
>> Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):
>> "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"
>> Which suggests that one runs despite the directive or, I am using the wrong 
>> one.
> 
> And the answer to the latter is "I had the wrong directive".  Which is 
> obvious.  Now.
> 



Re: excluding specific RBL checks

2023-01-08 Thread joe a

On 1/8/2023 3:50 PM, joe a wrote:

SA version 3.4.5

Gears are clashing, clutch is slipping, among other things.

Trying to exclude certain checks, via spamhouse services "by the book"

When placing these values in local.cf:

RCVD_IN_ZEN 0
RCVD_IN_XBL 0
RCVD_IN_PBL 0

"spamassassin --lint" complains. Yet SA starts without complaint and 
seems to not run those tests.


Placing "score" at the beginning of the line makes lint happy and SA 
seems to start fine and also does not run those tests.


So, one assumes it is a typo in the docs, or, one is expected to infer 
the "score" word.


Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):

"RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"

Which suggests that one runs despite the directive or, I am using the 
wrong one.





And the answer to the latter is "I had the wrong directive".  Which is 
obvious.  Now.




excluding specific RBL checks

2023-01-08 Thread joe a

SA version 3.4.5

Gears are clashing, clutch is slipping, among other things.

Trying to exclude certain checks, via spamhouse services "by the book"

When placing these values in local.cf:

RCVD_IN_ZEN 0
RCVD_IN_XBL 0
RCVD_IN_PBL 0

"spamassassin --lint" complains. Yet SA starts without complaint and 
seems to not run those tests.


Placing "score" at the beginning of the line makes lint happy and SA 
seems to start fine and also does not run those tests.


So, one assumes it is a typo in the docs, or, one is expected to infer 
the "score" word.


Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):

"RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"

Which suggests that one runs despite the directive or, I am using the 
wrong one.





Re: RBL timeouts

2022-12-02 Thread Bill Cole

On 2022-12-02 at 08:04:40 UTC-0500 (Fri, 2 Dec 2022 08:04:40 -0500)
Alex 
is rumored to have said:


Hi,

Is anyone (everyone?) also experiencing DNS timeouts with barracuda?


Chronically, for years, until I gave up on them. Not worthy of production 
use.



02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729
02-Dec-2022 07:03:21.458 lame-servers: SERVFAIL unexpected RCODE resolving '216.209.245.104.bb.barracudacentral.org/A/IN': 3.13.7.254#53


But that is NOT a timeout. SERVFAIL is an explicit affirmative reply 
that the answering server cannot give any valid answer to the query.



I'm also seeing a few timeouts from mcafee:

24-Nov-2022 16:12:37.151 query-errors: client @0x7fd19f7a4f68 127.0.0.1#47466 (17.31.10.37.cidr.bl.mcafee.com): query failed (timed out) for 17.31.10.37.cidr.bl.mcafee.com/IN/A at ../../../lib/ns/query.c:7729


I don't necessarily think there's something wrong with my nameservers - I'm
more just surprised that such high-profile companies are having problems
and wanted to confirm.


Big companies have big problems. High-profile companies have 
high-profile problems.


Any bind experts know of a way to record which nameserver is timing out so
I can perhaps exclude them? Any idea why it wouldn't just rotate to the
next one, or even how to confirm whether it's doing that?


The SERVFAIL errors are very likely immune to any workaround attempt.
The timeouts should already be handled as best they can be by BIND & the 
system resolver, given reasonable query timeout and retry values, such 
as OS defaults. Note that it may not make sense for a resolver to allow 
slow DNSBL lookups to block a message transaction from proceeding.


It is unlikely that you can tune BIND and/or your system resolver to 
reduce timeouts in any meaningful ways. The exception to that would be 
if your system is generally overloaded and BIND is just not getting the 
resources (cpu and memory) it needs to operate fast. You would likely 
notice that sort of overload.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
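Bill's distinction above, that a SERVFAIL is an explicit answer while a timeout is the absence of one, is what a log parser should keep apart when deciding which lists to drop. This is an added Python example, not code from the thread or from BIND: it walks the three BIND lines quoted above (re-joined onto one line each), splits each query name back into the looked-up IP and the DNSBL zone, and records the answering server where BIND names one, which only the lame-servers line does.

```python
"""Classify BIND resolver failures for DNSBL lookups.

Added example for this thread, not code from it or from BIND: a
'query-errors ... (timed out)' line means no answer arrived, so BIND names
no server; a 'lame-servers: SERVFAIL' line is an explicit bad answer and
BIND names the server that sent it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the BIND lines quoted in this thread, re-joined onto
# one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729
02-Dec-2022 07:03:21.458 lame-servers: SERVFAIL unexpected RCODE resolving '216.209.245.104.bb.barracudacentral.org/A/IN': 3.13.7.254#53
24-Nov-2022 16:12:37.151 query-errors: client @0x7fd19f7a4f68 127.0.0.1#47466 (17.31.10.37.cidr.bl.mcafee.com): query failed (timed out) for 17.31.10.37.cidr.bl.mcafee.com/IN/A at ../../../lib/ns/query.c:7729
"""

# query-errors: the resolver's own failure; note the name/IN/TYPE order.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) query-errors: client \S+ \S+ \((?P<qname>[^)]+)\): "
    r"query failed \((?P<reason>[^)]+)\) for \S+/IN/(?P<qtype>\S+)"
)
# lame-servers: an upstream answered with an unexpected RCODE; note the
# name/TYPE/IN order and the server#port that names the culprit.
LAME_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: (?P<rcode>\S+) unexpected RCODE resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>\S+)/IN': (?P<server>[0-9.]+)#\d+"
)


@dataclass
class Failure:
    timestamp: str
    zone: str              # DNSBL zone, e.g. bb.barracudacentral.org
    ip: Optional[str]      # IP that was being looked up, if recoverable
    kind: str              # "timeout" or the RCODE BIND reported
    server: Optional[str]  # answering server, known only for RCODE failures


def split_dnsbl_query(qname: str):
    """'168.22.111.13.bb.barracudacentral.org' -> ('13.111.22.168',
    'bb.barracudacentral.org'): a DNSBL query is the reversed octets of the
    IP prepended to the list zone."""
    labels = qname.rstrip(".").split(".")
    head = labels[:4]
    if len(labels) > 4 and all(x.isdigit() and int(x) <= 255 for x in head):
        return ".".join(reversed(head)), ".".join(labels[4:])
    return None, qname


def parse_failures(log_text: str):
    """Yield a Failure for every BIND line this parser recognises."""
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            ip, zone = split_dnsbl_query(m["qname"])
            kind = "timeout" if m["reason"] == "timed out" else m["reason"]
            yield Failure(m["ts"], zone, ip, kind, None)
            continue
        m = LAME_RE.match(line)
        if m:
            ip, zone = split_dnsbl_query(m["qname"])
            yield Failure(m["ts"], zone, ip, m["rcode"], m["server"])


def summarize(log_text: str):
    """Per DNSBL zone: timeout count, RCODE counts and the servers that sent
    explicit bad answers (the part Alex asked how to record)."""
    summary = defaultdict(lambda: {"timeouts": 0, "rcodes": {}, "servers": set()})
    for f in parse_failures(log_text):
        entry = summary[f.zone]
        if f.kind == "timeout":
            entry["timeouts"] += 1
        else:
            entry["rcodes"][f.kind] = entry["rcodes"].get(f.kind, 0) + 1
        if f.server:
            entry["servers"].add(f.server)
    return dict(summary)


def worst_zones(summary):
    """Zones ordered by total failures, worst first: candidates to drop from
    the SpamAssassin ruleset rather than to tune BIND around."""
    total = lambda e: e["timeouts"] + sum(e["rcodes"].values())
    return sorted(summary, key=lambda z: total(summary[z]), reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for zone in worst_zones(s):
        e = s[zone]
        print(zone, e["timeouts"], "timeout(s)", e["rcodes"],
              sorted(e["servers"]) or "no server named (timeouts only)")
```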


Re: RBL timeouts

2022-12-02 Thread Benny Pedersen

Alex skrev den 2022-12-02 14:04:


Any bind experts know of a way to record which nameserver is timing
out so I can perhaps exclude them? Any idea why it wouldn't just
rotate to the next one, or even how to confirm whether it's doing
that?


you are using

1: rbls not default in spamassassin
2: not checking 2nd hand sites if the ips are listed

remove dead rbls in spamassassin, problem solved



https://multirbl.valli.org/lookup/13.111.22.168.html
https://multirbl.valli.org/lookup/216.209.245.104.html
https://multirbl.valli.org/lookup/37.10.31.17.html

seems ok, remove cidr.bl.mcafee.com or convince multirbl to add it :=)


RBL timeouts

2022-12-02 Thread Alex
Hi,

Is anyone (everyone?) also experiencing DNS timeouts with barracuda?

02-Dec-2022 07:03:02.229 query-errors: client @0x7fd19d26c968 127.0.0.1#37098 (168.22.111.13.bb.barracudacentral.org): query failed (timed out) for 168.22.111.13.bb.barracudacentral.org/IN/A at ../../../lib/ns/query.c:7729
02-Dec-2022 07:03:21.458 lame-servers: SERVFAIL unexpected RCODE resolving '216.209.245.104.bb.barracudacentral.org/A/IN': 3.13.7.254#53

I'm also seeing a few timeouts from mcafee:

24-Nov-2022 16:12:37.151 query-errors: client @0x7fd19f7a4f68 127.0.0.1#47466 (17.31.10.37.cidr.bl.mcafee.com): query failed (timed out) for 17.31.10.37.cidr.bl.mcafee.com/IN/A at ../../../lib/ns/query.c:7729

I don't necessarily think there's something wrong with my nameservers - I'm
more just surprised that such high-profile companies are having problems
and wanted to confirm.

Any bind experts know of a way to record which nameserver is timing out so
I can perhaps exclude them? Any idea why it wouldn't just rotate to the
next one, or even how to confirm whether it's doing that?


Re: RBL via Spamassasin configuration

2022-06-29 Thread Bill Cole

META:

The message below seems to be a reply to a message by Harald Reindl, who 
was blocked from posting to this mailing list in the past for chronic 
unreasonably combative behavior. Unfortunately, there's no way to stop 
him from reading this mailing list via any of the public archives or a 
'stealth' subscription, and he still injects his special flavor of 
discourse into the conversation by sending mail directly to list members 
instead of via the list.



On 2022-06-28 at 17:22:51 UTC-0400 (Tue, 28 Jun 2022 21:22:51 +)
Marc 
is rumored to have said:


BTW: "spammers also strive to optimize the usage of their resources"
shows that you know little to nothing!

they are using infected machines all over the world

that bots are running completely without any feedback because it
would make it possible to track the origin

even if: other than the bots for free *it would* take resources to
collect the reject states from millions of bots spread all over the
planet


If your spam network is 10% effective instead of 1% you can ask a 
higher price for your service. So you want to make sure your addresses 
are up to date. Even if you have a bot network that does not report 
back you still use a small % that does inform you. The universal goal 
is to optimize, this is not different for spammers.
That you can not think of a way to optimize spamming, does not mean 
they are not doing it.


It is very difficult to analyse and argue this, unless you really 
target your logging for this. Because if your clients fluctuate, also 
your email traffic fluctuates, your email traffic even fluctuates on 
periods of the year. I see a drop in the garbage (connections) coming 
from your-server.de since I put them on the connection blocking. It 
does not mean anything unless I start grabbing the message bodies 
before sending the reject.


If you conclude something based on some months, there is no going back 
on this. I know people in IT that did not learn anything in 15 years. 
As for now, I am not really convinced by your arguments.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: RBL via Spamassasin configuration

2022-06-29 Thread Matus UHLAR - fantomas

On 2022-06-29 10:25, Matus UHLAR - fantomas wrote:

Since SpamAssassin does deep header scanning, it's more effective than
just use incoming IP at MTA level.


On 29.06.22 10:58, Benny Pedersen wrote:
this is not good, it's a sign of forwarding that forwards spam in the 
first place, that makes the forwarding IP grey, not white/welcomed, 
same shit as sendgrid does


SA has done this for years and it works perfectly.

SA can detect from which IP mail was delivered to your network (not just to the 
direct server that uses SA) and check that IP in DNSBLs, instead of only 
checking the IP of the nearest mailserver.


not all headers are checked in all DNSBLs, but SA can check much more than 
MTA.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete


Re: RBL via Spamassasin configuration

2022-06-29 Thread Benny Pedersen

On 2022-06-29 11:05, Marc wrote:


I don't really get what you wrote. There is something for blocking at
ip level, least resource intensive, and there is an application for
doing the advanced header/body scans at a later stage.


don't use deep IP scanning on DNSBL

using deep content scanning is ok, that includes urlbl

stop CCing me, I still read mailing lists


RE: RBL via Spamassasin configuration

2022-06-29 Thread Marc
> 
> On 2022-06-29 10:25, Matus UHLAR - fantomas wrote:
> > Since SpamAssassin does deep header scanning, it's more effective than
> > just use incoming IP at MTA level.
> 
> this is not good, it's a sign of forwarding that forwards spam in the
> first place, that makes the forwarding IP grey, not white/welcomed,
> same shit as sendgrid does
> 
> if sendgrid changes to use per-domain sender IPs then sendgrid has
> solved it 100%, but they say we have billions of customers so they can't,
> lol

I don't really get what you wrote. There is something for blocking at ip level, 
least resource intensive, and there is an application for doing the advanced 
header/body scans at a later stage.




Re: RBL via Spamassasin configuration

2022-06-29 Thread Benny Pedersen

On 2022-06-29 10:25, Matus UHLAR - fantomas wrote:

Since SpamAssassin does deep header scanning, it's more effective than
just use incoming IP at MTA level.


this is not good, it's a sign of forwarding that forwards spam in the 
first place, that makes the forwarding IP grey, not white/welcomed, 
same shit as sendgrid does


if sendgrid changes to use per-domain sender IPs then sendgrid has 
solved it 100%, but they say we have billions of customers so they can't, 
lol


Re: RBL via Spamassasin configuration

2022-06-29 Thread Matus UHLAR - fantomas

Is this actually going out and doing a DNS query or reading from the
header of the message?
I think I want to actually do the DNS query and I will cache locally to
avoid issues and increase performance.


That is what dns servers do, cache.  If you have your local dns, these 
requests are probably faster than spamassassin rule processing.


just don't use forwarding nameserver, it would 


The last part of my question is, here we score and then based on scoring
the next part can either quarantine the message or deliver it, but is
there a way from SA to simply say reject it right there?


you can reject with SA at MTA level, just use one of the milters available.
spamass-milter, amavisd-milter or others.

Just don't reject with standard spam score, with well-trained BAYES I reject 
score over 8 (10 without proper BAYES training)


On 28.06.22 18:56, Marc wrote:
Why not use the dns blacklist at the mta?  And reject the messages even 
before they are using spamassassin.  Imho you should apply 
simple/basic/fast checks first and at the end use resource intensive tasks 
like spamassassin.


you can use multiple DNS Blocklists at MTA level (it's often not safe enough 
to accept match from single DNSBL) and use them within SA too.
Since SpamAssassin does deep header scanning, it's more effective than just 
use incoming IP at MTA level.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.


Re: RBL via Spamassasin configuration

2022-06-28 Thread Benny Pedersen

On 2022-06-29 02:56, Joey J wrote:

Hello All, not sure where I'm going wrong.

in my custom.cf I have

#RBL's
header RCVD_IN_ZENSPAMHAUS eval:check_rbl('zenspamhaus-lastexternal', 'zen.spamhaus.org.')
describe RCVD_IN_ZENSPAMHAUS Relay is listed in zen.spamhaus.org
tflags RCVD_IN_ZENSPAMHAUS net
score RCVD_IN_ZENSPAMHAUS 5.0


zen.spamhaus.org is already in spamassassin, why redefine it ?


Re: RBL via Spamassasin configuration

2022-06-28 Thread Benny Pedersen

On 2022-06-28 23:22, Marc wrote:


If you conclude something based on some month, there is no going back
on this. I know people in IT that did not learn anything in 15 years.
As for now, I am not really convinced by your arguments.


Subject: RE: RBL via Spamassasin configuration
From:    Marc
To:      Reindl Harald, Joey J, users@spamassassin.apache.org
Date:    2022-06-28 23:22

why do you send to others? Is this not being a spammer on its own?

doh :)


Re: RBL via Spamassasin configuration

2022-06-28 Thread Joey J
Hello All, not sure where I'm going wrong.

in my custom.cf I have
#RBL's
header RCVD_IN_ZENSPAMHAUS eval:check_rbl('zenspamhaus-lastexternal', 'zen.spamhaus.org.')
describe RCVD_IN_ZENSPAMHAUS Relay is listed in zen.spamhaus.org
tflags RCVD_IN_ZENSPAMHAUS net
score RCVD_IN_ZENSPAMHAUS 5.0

if I query DNS, I get the expected answer from local caching:
dig +short TXT 2.0.0.127.zen.spamhaus.org
"https://www.spamhaus.org/sbl/query/SBL2";
"https://www.spamhaus.org/query/ip/127.0.0.2";

When I send a test message using the Spamhaus Blocklist Tester portal, it goes
through, and upon inspection of the email headers, neither the rule name nor
the points show anywhere.
I must be missing something.
Any suggestions?

Thanks


On Tue, Jun 28, 2022 at 5:28 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-06-28 at 14:38:16 UTC-0400 (Tue, 28 Jun 2022 14:38:16 -0400)
> Joey J 
> is rumored to have said:
>
> > Hello All,
> >
> > In trying to setup RBL's with SA, I wanted to make sure the proper way
> > to
> > do it.
> > I have seen some samples like this
> > header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal', 'b.barracudacentral.org.')
> > describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org
> > tflags RCVD_IN_BARRACUDACEN net
> > score RCVD_IN_BARRACUDACEN 4.0
>
> That looks right. Definitive documentation can be had with 'perldoc
> Mail::SpamAssassin::Plugin::DNSEval' and 'perldoc
> Mail::SpamAssassin::Conf'
>
> > Is this actually going out and doing a DNS query or reading from the
> > header
> > of the message?
>
> It does both...
>
> SA analyzes the Received headers in a message to find relevant SMTP
> handoffs, with relevant settings in trusted_networks, internal_networks,
> and msa_networks. For DNSBLs, typically the "last external" Received
> header is the key: the latest one written by a trusted machine,
> documenting a handoff from a machine which is not in any of those
> special sets. It tests the IP address of that last external machine to
> handle the message. DNSEval looks up that IP address in the DNSBL.
>
> > I think I want to actually do the DNS query and I will cache locally
> > to
> > avoid issues and increase performance.
>
> The proper way to do this is to run a local caching recursive resolver
> (e.g. Unbound or BIND, NOT dnsmasq) on the same machine as the MTA and
> use that for all DNS lookups. Using more distant DNS servers can result
> in latency delays and using forwarding of any sort will cause blocking
> by DNSBL services. Any DNS server that filters or modifies responses to
> 'protect' user personal computers is unfit for use with email.
>
> > Also if someone has a list of these rules, that they use and could
> > share
> > that would be great.
>
> There are many in the standard ruleset. I think we do a reasonably good
> job of curating them, and they should all be safe to use as designed.
> Note that some DNSBLs are explicitly NOT intended for use on a mail
> server that accepts initial submission from end users.
>
> > The last part of my question is, here we score and then based on
> > scoring
> > the next part can either quarantine the message or deliver it, but is
> > there
> > a way from SA to simply say reject it right there?
> > (I think the answer is no, it simply scores it, but wanted to be sure)
>
> SpamAssassin itself has no capacity to handle the disposition of email.
> It only scores messages and reports those scores to whatever tool is
> using it.
>
> Hence, if you are accepting or quarantining mail based on a SA score,
> there's Something Else making that disposition decision. It might be a
> milter (MIMEDefang, MailMunge, spamass-milter, or amavisd-milter,) or a
> Postfix content_filter script or a SMTP proxy (many amavisd systems) or
> an Exim config stanza (not sure if that's an 'acl' or a 'router' in Exim
> jargon.)   It is that 'glue' between the MTA and SA which implements the
> handling decision for scored messages.
>
> Generally it is a good idea to reject messages that you are not going to
> deliver. As a backstop for false positives rejection alerts the sender
> to the problem, in contrast to the silent death of quarantining.
> Quarantining (or worse, discarding) borderline messages may seem good in
> that it doesn't give any feedback to spammers, but in practice there's
> no evidence that they use the sort of feedback they get from rejections
> in any way. The simplest way they might do so in theory, washing bad
> addresses out of their lists, would actually be GOOD if they all did it.
>
>
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey


Re: RBL via Spamassasin configuration

2022-06-28 Thread Joey J
Thank you, this makes sense, I will look through the mentioned resource.

On Tue, Jun 28, 2022 at 5:28 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-06-28 at 14:38:16 UTC-0400 (Tue, 28 Jun 2022 14:38:16 -0400)
> Joey J 
> is rumored to have said:
>
> > Hello All,
> >
> > In trying to setup RBL's with SA, I wanted to make sure the proper way
> > to
> > do it.
> > I have seen some samples like this
> > header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal', 'b.barracudacentral.org.')
> > describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org
> > tflags RCVD_IN_BARRACUDACEN net
> > score RCVD_IN_BARRACUDACEN 4.0
>
> That looks right. Definitive documentation can be had with 'perldoc
> Mail::SpamAssassin::Plugin::DNSEval' and 'perldoc
> Mail::SpamAssassin::Conf'
>
> > Is this actually going out and doing a DNS query or reading from the
> > header
> > of the message?
>
> It does both...
>
> SA analyzes the Received headers in a message to find relevant SMTP
> handoffs, with relevant settings in trusted_networks, internal_networks,
> and msa_networks. For DNSBLs, typically the "last external" Received
> header is the key: the latest one written by a trusted machine,
> documenting a handoff from a machine which is not in any of those
> special sets. It tests the IP address of that last external machine to
> handle the message. DNSEval looks up that IP address in the DNSBL.
>
> > I think I want to actually do the DNS query and I will cache locally
> > to
> > avoid issues and increase performance.
>
> The proper way to do this is to run a local caching recursive resolver
> (e.g. Unbound or BIND, NOT dnsmasq) on the same machine as the MTA and
> use that for all DNS lookups. Using more distant DNS servers can result
> in latency delays and using forwarding of any sort will cause blocking
> by DNSBL services. Any DNS server that filters or modifies responses to
> 'protect' user personal computers is unfit for use with email.
>
> > Also if someone has a list of these rules, that they use and could
> > share
> > that would be great.
>
> There are many in the standard ruleset. I think we do a reasonably good
> job of curating them, and they should all be safe to use as designed.
> Note that some DNSBLs are explicitly NOT intended for use on a mail
> server that accepts initial submission from end users.
>
> > The last part of my question is, here we score and then based on
> > scoring
> > the next part can either quarantine the message or deliver it, but is
> > there
> > a way from SA to simply say reject it right there?
> > (I think the answer is no, it simply scores it, but wanted to be sure)
>
> SpamAssassin itself has no capacity to handle the disposition of email.
> It only scores messages and reports those scores to whatever tool is
> using it.
>
> Hence, if you are accepting or quarantining mail based on a SA score,
> there's Something Else making that disposition decision. It might be a
> milter (MIMEDefang, MailMunge, spamass-milter, or amavisd-milter,) or a
> Postfix content_filter script or a SMTP proxy (many amavisd systems) or
> an Exim config stanza (not sure if that's an 'acl' or a 'router' in Exim
> jargon.)   It is that 'glue' between the MTA and SA which implements the
> handling decision for scored messages.
>
> Generally it is a good idea to reject messages that you are not going to
> deliver. As a backstop for false positives rejection alerts the sender
> to the problem, in contrast to the silent death of quarantining.
> Quarantining (or worse, discarding) borderline messages may seem good in
> that it doesn't give any feedback to spammers, but in practice there's
> no evidence that they use the sort of feedback they get from rejections
> in any way. The simplest way they might do so in theory, washing bad
> addresses out of their lists, would actually be GOOD if they all did it.
>
>
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey


RE: RBL via Spamassasin configuration

2022-06-28 Thread Marc

> biggest nonsense at all when it comes to spammers given that i added some
> hundreds addresses never existed to collect the bodies for training and
> for the outside world they are still rejects (milter)

How is the guessing of existing email addresses relevant to the current 
discussion? 


Re: RBL via Spamassasin configuration

2022-06-28 Thread Bill Cole

On 2022-06-28 at 14:38:16 UTC-0400 (Tue, 28 Jun 2022 14:38:16 -0400)
Joey J 
is rumored to have said:


Hello All,

In trying to setup RBL's with SA, I wanted to make sure the proper way 
to

do it.
I have seen some samples like this
header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal', 'b.barracudacentral.org.')
describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org
tflags RCVD_IN_BARRACUDACEN net
score RCVD_IN_BARRACUDACEN 4.0


That looks right. Definitive documentation can be had with 'perldoc 
Mail::SpamAssassin::Plugin::DNSEval' and 'perldoc 
Mail::SpamAssassin::Conf'


Is this actually going out and doing a DNS query or reading from the 
header

of the message?


It does both...

SA analyzes the Received headers in a message to find relevant SMTP 
handoffs, with relevant settings in trusted_networks, internal_networks, 
and msa_networks. For DNSBLs, typically the "last external" Received 
header is the key: the latest one written by a trusted machine, 
documenting a handoff from a machine which is not in any of those 
special sets. It tests the IP address of that last external machine to 
handle the message. DNSEval looks up that IP address in the DNSBL.


I think I want to actually do the DNS query and I will cache locally 
to

avoid issues and increase performance.


The proper way to do this is to run a local caching recursive resolver 
(e.g. Unbound or BIND, NOT dnsmasq) on the same machine as the MTA and 
use that for all DNS lookups. Using more distant DNS servers can result 
in latency delays and using forwarding of any sort will cause blocking 
by DNSBL services. Any DNS server that filters or modifies responses to 
'protect' user personal computers is unfit for use with email.


Also if someone has a list of these rules, that they use and could 
share

that would be great.


There are many in the standard ruleset. I think we do a reasonably good 
job of curating them, and they should all be safe to use as designed. 
Note that some DNSBLs are explicitly NOT intended for use on a mail 
server that accepts initial submission from end users.


The last part of my question is, here we score and then based on 
scoring
the next part can either quarantine the message or deliver it, but is 
there

a way from SA to simply say reject it right there?
(I think the answer is no, it simply scores it, but wanted to be sure)


SpamAssassin itself has no capacity to handle the disposition of email. 
It only scores messages and reports those scores to whatever tool is 
using it.


Hence, if you are accepting or quarantining mail based on a SA score, 
there's Something Else making that disposition decision. It might be a 
milter (MIMEDefang, MailMunge, spamass-milter, or amavisd-milter,) or a 
Postfix content_filter script or a SMTP proxy (many amavisd systems) or 
an Exim config stanza (not sure if that's an 'acl' or a 'router' in Exim 
jargon.)   It is that 'glue' between the MTA and SA which implements the 
handling decision for scored messages.


Generally it is a good idea to reject messages that you are not going to 
deliver. As a backstop for false positives rejection alerts the sender 
to the problem, in contrast to the silent death of quarantining. 
Quarantining (or worse, discarding) borderline messages may seem good in 
that it doesn't give any feedback to spammers, but in practice there's 
no evidence that they use the sort of feedback they get from rejections 
in any way. The simplest way they might do so in theory, washing bad 
addresses out of their lists, would actually be GOOD if they all did it.





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
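Bill's description of how SA picks the "last external" Received header and how DNSEval then queries the DNSBL, as an added Python model that is not SpamAssassin's own code: the Received headers, the trusted_networks list and the stub DNSBL table are all constructed here, and the real parser handles many more header forms, msa_networks and IPv6. The query-name construction is the one Joey's dig test above used (2.0.0.127.zen.spamhaus.org for 127.0.0.2).

```python
"""Model of SpamAssassin's 'last external' relay selection and a DNSEval-style
DNSBL lookup. Added example for this thread, not SpamAssassin's code: it
ignores msa_networks, IPv6 and most Received-header dialects, and answers
from an in-memory stub instead of DNS.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed message headers, newest first as in a real message. Our own MX
# (192.0.2.10) wrote the top two; the outside sender is 203.0.113.77 and the
# hop behind it (10.0.0.5) is vouched for only by the sender's own server.
SAMPLE_HEADERS = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10]) by mailstore.example.net (Postfix) with ESMTP id AAA; Tue, 28 Jun 2022 14:00:02 -0400
Received: from mail.sender.example (mail.sender.example [203.0.113.77]) by mx1.example.net (Postfix) with ESMTPS id BBB; Tue, 28 Jun 2022 14:00:01 -0400
Received: from [10.0.0.5] (unknown [10.0.0.5]) by mail.sender.example (Postfix) with ESMTPA id CCC; Tue, 28 Jun 2022 13:59:58 -0400
Subject: test
"""

# Constructed stand-in for the trusted_networks setting.
TRUSTED_NETWORKS = ["192.0.2.0/24"]

# Constructed stub DNSBL: zone -> {listed IP: TXT}. 127.0.0.2 is the
# conventional test entry Joey queried with dig; 203.0.113.77 is listed
# here purely so the example produces a hit.
STUB_DNSBL: Dict[str, Dict[str, str]] = {
    "zen.spamhaus.org": {
        "127.0.0.2": "constructed TXT for the test address",
        "203.0.113.77": "constructed TXT: listed for this example",
    }
}

# First bracketed IPv4 literal after 'from', then the 'by' host that wrote
# the header.
RECEIVED_RE = re.compile(
    r"^Received: from .*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby (?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class Relay:
    from_ip: str  # the machine that handed the message over
    by_host: str  # the machine that wrote this Received header


def parse_received(raw_headers: str) -> List[Relay]:
    """Extract (from-IP, by-host) pairs, top (newest) header first."""
    return [Relay(m["ip"], m["by"])
            for m in map(RECEIVED_RE.match, raw_headers.splitlines()) if m]


def is_trusted(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def last_external_ip(relays: List[Relay], trusted: List[str]) -> Optional[str]:
    """Walk newest to oldest. Headers written by trusted hosts are believed;
    the first hand-off from an IP outside trusted_networks is the last
    external relay, and nothing below it can be trusted, so stop there."""
    for relay in relays:
        if not is_trusted(relay.from_ip, trusted):
            return relay.from_ip
    return None  # every hop was internal: nothing for a -lastexternal rule to test


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed octets prepended to the zone: 127.0.0.2 in zen.spamhaus.org
    becomes 2.0.0.127.zen.spamhaus.org, the name Joey queried with dig."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")


def stub_lookup(qname: str, table: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Answer a DNSBL query from the in-memory table (stands in for DNS)."""
    for zone, listed in table.items():
        suffix = "." + zone
        if qname.endswith(suffix):
            ip = ".".join(reversed(qname[: -len(suffix)].split(".")))
            return listed.get(ip)
    return None


def check_rbl_lastexternal(raw_headers, zone, trusted, table):
    """Model of check_rbl('<name>-lastexternal', '<zone>.'): the query name
    that would be sent and the listing TXT, or (None, None) when the message
    never left the trusted networks."""
    ip = last_external_ip(parse_received(raw_headers), trusted)
    if ip is None:
        return None, None
    qname = dnsbl_query_name(ip, zone)
    return qname, stub_lookup(qname, table)
```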


RE: RBL via Spamassasin configuration

2022-06-28 Thread Marc


 
> BTW: "spammers also strive to optimize the usage of their resources"
> shows that you know little to nothing!
> 
> they are using infected machines all over the world
> 
> that bots are running completely without any feedback because it would
> make it possible to track the origin
> 
> even if: other than the bots for free *it would* take resources to
> collect the reject states from millions of bots spread all over the
> planet

If your spam network is 10% effective instead of 1% you can ask a higher price 
for your service. So you want to make sure your addresses are up to date. Even 
if you have a bot network that does not report back you still use a small % 
that does inform you. The universal goal is to optimize, this is not different 
for spammers.
That you can not think of a way to optimize spamming, does not mean they are 
not doing it.

It is very difficult to analyse and argue this, unless you really target your 
logging for this. Because if your clients fluctuate, also your email traffic 
fluctuates, your email traffic even fluctuates on periods of the year. I see a 
drop in the garbage (connections) coming from your-server.de since I put them 
on the connection blocking. It does not mean anything unless I start grabbing 
the message bodies before sending the reject.

If you conclude something based on some months, there is no going back on this. 
I know people in IT that did not learn anything in 15 years. As for now, I am 
not really convinced by your arguments.



RE: RBL via Spamassasin configuration

2022-06-28 Thread Marc
> 
> 
> Am 28.06.22 um 20:56 schrieb Marc:
> > I also believe there is an advantage in rejecting messages, compared
> to just marking them. Rejecting messages will train spam systems not to
> try more.
> > If they know you allow messages through, they will only send you more
> 
> that's nonsense - otherwise "they" would stop sending me messages with
> at the MTA hard rejected subjects

It is not nonsense. It is common logic. Business processes are being optimized, 
spammers also strive to optimize the usage of their resources. Bouncing 
messages are messages not delivered and get noticed, resulting in bots being 
discovered and cleaned.

PS. It is also a bit 'dumb' to conclude this from a month's sample, before the 
information trickles through to the address lists, it takes months I would 
assume. 




RE: RBL via Spamassasin configuration

2022-06-28 Thread Marc
> In trying to setup RBL's with SA, I wanted to make sure the proper way
> to do it.
> I have seen some samples like this
> header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal', 'b.barracudacentral.org.')
> describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org
> 
> tflags RCVD_IN_BARRACUDACEN net
> score RCVD_IN_BARRACUDACEN 4.0

Maybe add/choose the value?
header  RCVD_IN_EXAMPLE_RBL  eval:check_rbl('example', 'rbl.example.com.', '127.0.0.1')

I have always had issues with barracuda's false positives, are you sure you 
want to use them?

> 
> Is this actually going out and doing a DNS query or reading from the
> header of the message?
> I think I want to actually do the DNS query and I will cache locally to
> avoid issues and increase performance.

That is what dns servers do, cache. If you have your local dns, these requests 
are probably faster than spamassassin rule processing.

> 
> 
> The last part of my question is, here we score and then based on scoring
> the next part can either quarantine the message or deliver it, but is
> there a way from SA to simply say reject it right there?

Why not use the dns blacklist at the mta? And reject the messages even before 
they are using spamassassin. Imho you should apply simple/basic/fast checks 
first and at the end use resource intensive tasks like spamassassin. 
I also believe there is an advantage in rejecting messages, compared to just 
marking them. Rejecting messages will train spam systems not to try more. 
If they know you allow messages through, they will only send you more.



RBL via Spamassasin configuration

2022-06-28 Thread Joey J
Hello All,

In trying to setup RBL's with SA, I wanted to make sure the proper way to
do it.
I have seen some samples like this
header RCVD_IN_BARRACUDACEN eval:check_rbl('bbarracuda-lastexternal', 'b.barracudacentral.org.')
describe RCVD_IN_BARRACUDACEN Relay is listed in b.barracudacentral.org
tflags RCVD_IN_BARRACUDACEN net
score RCVD_IN_BARRACUDACEN 4.0

Is this actually going out and doing a DNS query or reading from the header
of the message?
I think I want to actually do the DNS query and I will cache locally to
avoid issues and increase performance.

Also if someone has a list of these rules, that they use and could share
that would be great.

The last part of my question is, here we score and then based on scoring
the next part can either quarantine the message or deliver it, but is there
a way from SA to simply say reject it right there?
(I think the answer is no, it simply scores it, but wanted to be sure)

Thanks!



-- 
Thanks!
Joey


Re: SA 3.4.5 meta with RBL rules not working.

2021-07-19 Thread Jared Hall
Could be worse, like 3.4.4 on Ubuntu.  Surprisingly, CPAN update worked great 
and put everything in the right spots, symlinks and all!

9 out of 10 cavemen prefer Ubuntu with their Brontosaurus burgers.  *Sigh*

-- Jared Hall







From: Dave Funk 
Sent: Monday, July 19, 2021 10:55:19 AM
To: users@spamassassin.apache.org 
Subject: Re: SA 3.4.5 meta with RBL rules not working.

Ugg, I was afraid of that.

For decades I've rolled my own install of things like sendmail, SA & ClamAV but
this time I wanted to try the release supplied by our server OS vendor (SuSE).
Unfortunately that's SA 3.4.5.

OK, back to the salt-mines.

Thanks

On Mon, 19 Jul 2021, Henrik K wrote:

>
> How about upgrading to latest 3.4.6?
>
> This release includes fixes for the following:
>  - Fixed URIDNSBL not triggering meta rules
>
> On Mon, Jul 19, 2021 at 01:42:51AM -0500, Dave Funk wrote:
>> I recently updated from SA 3.4.1 to 3.4.5 and noticed that a number of my
>> "meta" rules quit working.
>>
>> I have a number of meta rules that combine RBL/URIBL rules with other rules
>> and they no longer fire, even though the various components are firing.
>>
>> EG, a rule like:
>>
>> meta L_TEST_NS2c   ( URIBL_ABUSE_SURBL && HTML_MESSAGE )
>> describe L_TEST_NS2c   abusive HTML message
>> score L_TEST_NS2c  1.1
>>
>> does not fire even tho the message under test triggers both
>> URIBL_ABUSE_SURBL & HTML_MESSAGE.
>> This used to work as expected under 3.4.1.
>>
>> Running a message thru "spamassassin -D" does not give any clues what's
>> going wrong.
>>
>> Any suggestions about how to debug this?
>>
>> Thanks,
>> Dave
>>
>> --
>> Dave Funk   University of Iowa
>>  College of Engineering
>> 319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
>> Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
>> #include 
>> Better is not better, 'standard' is better. B{
>
>

--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{



Re: SA 3.4.5 meta with RBL rules not working.

2021-07-19 Thread Dave Funk

Ugg, I was afraid of that.

For decades I've rolled my own install of things like sendmail, SA & ClamAV but 
this time I wanted to try the release supplied by our server OS vendor (SuSE).

Unfortunately that's SA 3.4.5.

OK, back to the salt-mines.

Thanks

On Mon, 19 Jul 2021, Henrik K wrote:



How about upgrading to latest 3.4.6?

This release includes fixes for the following:
 - Fixed URIDNSBL not triggering meta rules

On Mon, Jul 19, 2021 at 01:42:51AM -0500, Dave Funk wrote:

I recently updated from SA 3.4.1 to 3.4.5 and noticed that a number of my
"meta" rules quit working.

I have a number of meta rules that combine RBL/URIBL rules with other rules
and they no longer fire, even though the various components are firing.

EG, a rule like:

meta L_TEST_NS2c   ( URIBL_ABUSE_SURBL && HTML_MESSAGE )
describe L_TEST_NS2c   abusive HTML message
score L_TEST_NS2c  1.1

does not fire even though the message under test triggers both
URIBL_ABUSE_SURBL & HTML_MESSAGE.
This used to work as expected under 3.4.1.

Running a message through "spamassassin -D" does not give any clues what's
going wrong.

Any suggestions about how to debug this?

Thanks,
Dave

--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{





--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: SA 3.4.5 meta with RBL rules not working.

2021-07-19 Thread Benny Pedersen

On 2021-07-19 09:43, Henrik K wrote:

How about upgrading to latest 3.4.6?


not in gentoo yet :)

waiting for 4.0.0

where fewer problems are in, hopefully as well that some DKIM validation is 
not working while later tests show DKIM is valid, but not when 
spamassassin is called from fuglu


fuglu uses spamd on std port

help me solve this one



Re: SA 3.4.5 meta with RBL rules not working.

2021-07-19 Thread Henrik K


How about upgrading to latest 3.4.6?

This release includes fixes for the following:
  - Fixed URIDNSBL not triggering meta rules

On Mon, Jul 19, 2021 at 01:42:51AM -0500, Dave Funk wrote:
> I recently updated from SA 3.4.1 to 3.4.5 and noticed that a number of my
> "meta" rules quit working.
> 
> I have a number of meta rules that combine RBL/URIBL rules with other rules
> and they no longer fire, even though the various components are firing.
> 
> EG, a rule like:
> 
> meta L_TEST_NS2c   ( URIBL_ABUSE_SURBL && HTML_MESSAGE )
> describe L_TEST_NS2c   abusive HTML message
> score L_TEST_NS2c  1.1
> 
> does not fire even though the message under test triggers both
> URIBL_ABUSE_SURBL & HTML_MESSAGE.
> This used to work as expected under 3.4.1.
> 
> Running a message through "spamassassin -D" does not give any clues what's
> going wrong.
> 
> Any suggestions about how to debug this?
> 
> Thanks,
> Dave
> 
> -- 
> Dave Funk   University of Iowa
>  College of Engineering
> 319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
> Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
> #include 
> Better is not better, 'standard' is better. B{


SA 3.4.5 meta with RBL rules not working.

2021-07-18 Thread Dave Funk
I recently updated from SA 3.4.1 to 3.4.5 and noticed that a number of my "meta" 
rules quit working.


I have a number of meta rules that combine RBL/URIBL rules with other rules and 
they no longer fire, even though the various components are firing.


EG, a rule like:

meta L_TEST_NS2c   ( URIBL_ABUSE_SURBL && HTML_MESSAGE )
describe L_TEST_NS2c   abusive HTML message
score L_TEST_NS2c  1.1

does not fire even though the message under test triggers both URIBL_ABUSE_SURBL & 
HTML_MESSAGE.

This used to work as expected under 3.4.1.

Running a message through "spamassassin -D" does not give any clues what's going 
wrong.


Any suggestions about how to debug this?

Thanks,
Dave

--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Bypass RBL checks for specific address

2020-12-24 Thread John Hardin

On Wed, 23 Dec 2020, Grant Taylor wrote:


On 12/23/20 9:55 PM, John Hardin wrote:

Did you see my mention of this earlier?


Yes, I did see it.

That's a bit more invasive of a change than I was hoping to do for this task.

I had been waiting to reply to your earlier message to test some things that 
you recommended.


As you will see in my recent reply, I do believe that I've managed to achieve 
most of what I wanted to do.


Good.

I did notice from your earlier description that you (weakly) wanted to 
completely bypass SA scanning for those automated messages, which makes 
sense from a resource management perspective. The milter proxy would be 
the way to do that, as it would give you a way to bypass spamass-milter 
based on recipient (or more reliably sender + recipient).


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 Tomorrow: Christmas


Re: Bypass RBL checks for specific address

2020-12-24 Thread John Hardin

On Wed, 23 Dec 2020, Grant Taylor wrote:


On 12/23/20 2:15 PM, John Hardin wrote:
spamass-milter has a -u flag for a username to pass to SA. If these are 
single-recipient messages that may be enough to reliably tie into per-user 
config to disable the RBL check.


It seems as if spamass-milter is using the -u to specify a default user.  It 
also seems as if spamass-milter will attempt to discover the (first) 
recipient if -x is also used.  Spamass-milter will then use -u to pass the 
username default for first detected to spamc so that spamc can use 
personalized settings.


Right. Sorry, I misworded my description a bit.

I am fairly sure that setting a rule score to zero bypasses the rule (vs. 
running it and ignoring the result) but you will probably want to test that 
to confirm whether the RBL is checked anyways. However, if the RBL check is 
written as a subrule then it can't be disabled this way as subrules don't 
have scores to set to zero.


ACK

This matches my tests.


Oh, good. Thanks for the confirmation.


That last option sounds to me like the first one you should explore.


Thankfully, and to my surprise, SpamAssassin / spamass-milter /is/ attempting 
personalization.


"-u spamass-milter" was already in place.

I added "-x" to cause spamass-milter to try to detect the first user, tweaked 
permissions (group membership) to allow spamass-milter to run sendmail -bv to 
detect some other users correctly, and now things seem to be working much 
closer to how I want.


Initial testing seems very promising using a heavily modified 
~/.spamassassin/user_prefs.


Good news!

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 Tomorrow: Christmas


Re: Bypass RBL checks for specific address

2020-12-23 Thread Grant Taylor

On 12/22/20 4:56 PM, Grant Taylor wrote:

Is there a way to bypass RBL checks for a specific address?


Thank you all.

I believe I have been able to get the result I desired and learn a few 
things in the process.


TL;DR:  Setting scores to 0 in the specific recipient's 
~/.spamassassin/user_prefs file worked.


I learned that spamass-milter /does/ /apparently/ support 
personalization, something I wasn't aware of.


I learned that adding the "-x" option to spamass-milter will cause it to 
use sendmail -bv to try to identify the Unix account that needs to be 
passed to spamc via (spamc's) "-u" option.


I needed to tweak group membership so that the user spamass-milter ran 
as could read /etc/mail/virtusertable.db.


Now, things seem to be working.  spamd is setuid(ing) to the correct 
Unix user and reading the user_prefs file like I need.


Thank you again for all your help.



--
Grant. . . .
unix || die

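Two caveats from this thread are easy to trip over once the per-user prefs are in place: a "__" subrule has no score to zero (as John Hardin pointed out), and a zeroed rule that a still-scored meta depends on is, to my understanding, evaluated anyway so the meta can be computed, which for an RBL rule means the DNS lookup still happens; confirm with "spamassassin -D" as Hardin suggested. The following is an added example, my own code rather than anything from this thread or from SpamAssassin, that audits a user_prefs file against the site rules and reports which zeroed rules are genuinely disabled, which are subrules the score line cannot affect, and which are still run because a live meta references them. The rules excerpt, the "rbl.example.invalid." zone and the prefs are constructed; the rule names are assumptions.

```python
import re

# Constructed excerpt of a site rules file (not from the thread): an RBL rule, a
# scoreless subrule, and a meta rule that depends on the RBL rule.
SITE_RULES = """
header RCVD_IN_EXAMPLE_RBL   eval:check_rbl('example', 'rbl.example.invalid.')
score  RCVD_IN_EXAMPLE_RBL   2.5
header __RCVD_IN_EXAMPLE_SUB eval:check_rbl_sub('example', '127.0.0.3')
meta   RCVD_IN_EXAMPLE_HTML  ( RCVD_IN_EXAMPLE_RBL && HTML_MESSAGE )
score  RCVD_IN_EXAMPLE_HTML  1.0
"""

# Constructed ~/.spamassassin/user_prefs for the recipient that should skip the RBL.
USER_PREFS = """
score RCVD_IN_EXAMPLE_RBL 0
score __RCVD_IN_EXAMPLE_SUB 0
"""

META_LINE = re.compile(r"^\s*meta\s+(\S+)\s+(.+?)\s*$", re.M)
SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(\S+)", re.M)
RULE_NAME = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")


def zeroed_rules(prefs_text):
    """Rule names the user_prefs sets to score 0."""
    return {name for name, score in SCORE_LINE.findall(prefs_text) if float(score) == 0}


def meta_dependents(rules_text):
    """Map each rule name to the set of meta rules whose expression references it."""
    deps = {}
    for meta, expr in META_LINE.findall(rules_text):
        for name in RULE_NAME.findall(expr):
            deps.setdefault(name, set()).add(meta)
    return deps


def audit_user_prefs(prefs_text, rules_text):
    """Classify every zeroed rule: disabled, a subrule (no effect), or still run for a meta."""
    zeroed = zeroed_rules(prefs_text)
    deps = meta_dependents(rules_text)
    report = {"disabled": [], "subrule_no_effect": [], "still_run_for_meta": []}
    for name in sorted(zeroed):
        if name.startswith("__"):
            # Subrules carry no score, so a 'score __X 0' line changes nothing.
            report["subrule_no_effect"].append(name)
            continue
        # Metas that reference this rule and are not themselves zeroed keep it alive.
        live_metas = sorted(m for m in deps.get(name, ()) if m not in zeroed)
        if live_metas:
            report["still_run_for_meta"].append((name, live_metas))
        else:
            report["disabled"].append(name)
    return report


if __name__ == "__main__":
    for category, entries in audit_user_prefs(USER_PREFS, SITE_RULES).items():
        print(f"{category}: {entries}")
```

The practical consequence for the thread's goal is visible in the output: zeroing RCVD_IN_EXAMPLE_RBL alone leaves it running for RCVD_IN_EXAMPLE_HTML, so the per-user prefs must zero every meta that references the RBL rule as well (the audit then reports both as disabled), and the "__" line can simply be dropped.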



