On 04/10/2018 05:28 PM, Motty Cruz wrote:
Thank you very much for your suggestions David. MTA is configured to use RBLs,

reject_rbl_client b.barracudacentral.org

worked really well for me at one point. Also,

      reject_rbl_client zen.spamhaus.org,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client bl.spamcop.net,
      reject_rbl_client multi.uribl.com,
      reject_rbl_client rabl.nuclearelephant.com,


That is too risky to block on a single RBL hit above.

Since you are running Postfix, enable postscreen and postwhite (https://github.com/stevejenkins/postwhite) to get MUCH better results from combining the power of many RBLs:

/etc/postfix/main.cf:


postscreen_access_list =
  permit_mynetworks,
  cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
  cidr:/etc/postfix/postscreen_access.cidr

postscreen_dnsbl_threshold           = 8
postscreen_dnsbl_action              = enforce

postscreen_dnsbl_sites =
  dnsbl.sorbs.net=127.0.0.[10;14]*9
  zen.spamhaus.org=127.0.0.[10;11]*8
  dnsbl.sorbs.net=127.0.0.5*7
  b.barracudacentral.org=127.0.0.2*7
  dnsbl.inps.de=127.0.0.2*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  bl.mailspike.net=127.0.0.[10;11;12]*7
  zen.spamhaus.org=127.0.0.3*6
  hostkarma.junkemailfilter.com=127.0.0.2*4
  dnsbl.sorbs.net=127.0.0.7*4
  bl.spamcop.net=127.0.0.2*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  ix.dnsbl.manitu.net=127.0.0.2*4
  psbl.surriel.com=127.0.0.2*4
  bl.mailspike.net=127.0.0.2*4
  ubl.unsubscore.com=127.0.0.2*4
  bl.fmb.la=127.0.0.2*4
  zen.spamhaus.org=127.0.0.2*3
  dnsbl-1.uceprotect.net=127.0.0.2*2
  dnsbl.sorbs.net=127.0.0.6*3
  dnsbl.sorbs.net=127.0.0.9*2
  dnsbl.sorbs.net=127.0.0.8*2
  recent.dnsbl.sorbs.net=127.0.0.6*3
  recent.dnsbl.sorbs.net=127.0.0.9*2
  recent.dnsbl.sorbs.net=127.0.0.8*2
  score.senderscore.com=127.0.4.[0..29]*2
  hostkarma.junkemailfilter.com=127.0.0.4*2
  all.spamrats.com=127.0.0.[36;38]*2
  bl.nszones.com=127.0.0.[2;3]*1
  dnsbl-2.uceprotect.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.4*1
  score.senderscore.com=127.0.4.[30..69]*1
  dnsbl.sorbs.net=127.0.0.3*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  dnsbl.sorbs.net=127.0.0.15*1
  ips.backscatterer.org=127.0.0.2*1
  bl.nszones.com=127.0.0.5*-1
  score.senderscore.com=127.0.4.[80..89]*-2
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  ips.whitelisted.org=127.0.0.2*-2
  safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].0*-2
  dnswl.inps.de=127.0.[0;1].[2..10]*-2
  score.senderscore.com=127.0.4.[90..100]*-3
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5


You may adjust the weights above based on your particular mail flow if needed, but they should be pretty good/safe as is.

Set up postwhite and add any domains that need to be bypassed on RBL checks to /etc/postwhite.conf in the custom_hosts.

custom_hosts="authsmtp.com"
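
As an added illustration (not part of the original post or of Postfix), the script below parses the domain=filter*weight syntax of postscreen_dnsbl_sites from the main.cf above and adds up weights against postscreen_dnsbl_threshold, using a constructed subset of that table; it shows why one SpamCop or Barracuda hit alone stays under 8 while two lists together cross it, and how a dnswl.org listing pulls the score back down. It assumes a simplified model of postscreen's accounting in which each matching entry contributes its weight once.

```python
import re
# Constructed subset of the postscreen_dnsbl_sites value above (same syntax).
DNSBL_SITES = """
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*7
  zen.spamhaus.org=127.0.0.3*6
  zen.spamhaus.org=127.0.0.2*3
  b.barracudacentral.org=127.0.0.2*7
  bl.spamcop.net=127.0.0.2*4
  score.senderscore.com=127.0.4.[0..29]*2
  list.dnswl.org=127.0.[0..255].1*-3
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold from the main.cf above

def _octet_values(token):
    """Expand one octet of a postscreen filter: '5', '[10;14]' or '[4..7]'."""
    inner = re.fullmatch(r"\[(.*)\]", token)
    if inner is None:
        return {int(token)}
    values = set()
    for part in inner.group(1).split(";"):
        lo, _, hi = part.partition("..")
        values.update(range(int(lo), int(hi or lo) + 1))
    return values

def parse_sites(text):
    """Parse 'domain=filter*weight' entries into (domain, octet sets, weight).
    No filter means any reply matches; no weight means 1 (postscreen's defaults)."""
    rules = []
    for entry in text.replace(",", " ").split():
        site, _, weight = entry.partition("*")
        domain, _, filt = site.partition("=")
        # Split the filter on dots that are outside [...] groups.
        octets = [_octet_values(o) for o in re.findall(r"\[[^\]]*\]|\d+", filt)] if filt else None
        rules.append((domain, octets, int(weight) if weight else 1))
    return rules

def _matches(octets, reply):
    parts = [int(p) for p in reply.split(".")]
    return octets is None or all(p in o for p, o in zip(parts, octets))

def dnsbl_score(rules, replies):
    """replies maps a DNSBL domain to the A records it returned for the client.
    Each rule whose filter matches any reply adds its weight once (assumed, simplified model)."""
    return sum(w for d, o, w in rules
               if any(_matches(o, r) for r in replies.get(d, ())))

def postscreen_verdict(rules, replies, threshold=THRESHOLD):
    score = dnsbl_score(rules, replies)
    return (score, "enforce" if score >= threshold else "pass")
```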


On 04/10/2018 03:14 PM, David Jones wrote:
On 04/10/2018 05:04 PM, Leandro wrote:
2018-04-10 18:52 GMT-03:00 David Jones <djo...@ena.com>:

    On 04/10/2018 04:47 PM, Leandro wrote:

        2018-04-10 17:49 GMT-03:00 Motty Cruz <motty.c...@gmail.com>:

             I apologize, here are the email headers and body

        https://pastebin.com/bgXrfKaQ



        You should not take this domain mrface.com seriously because it
        is a TLD used for free dynamic IP service (changeip.com).

        There is even a fake Windows Update domain in this TLD:

        ubuntu@matrix:~$ dig +short A windowsupdate.mrface.com
        185.133.40.63




             Thanks,



    I noticed it was listed on the DBL dnsbl.spfbl.net and was just
    working to add that to my local rules.  Anyone know how to set this
    DBL up in SA?  I am trying to find an example in the stock SA rules now...



Yes. We list any IP using any free dynamic TLD.

A legit mail server never uses crap, or shouldn't.

Documentation to set this DNSBL at SA:

https://spfbl.net/en/dnsbl/


    --
    David Jones



I found an example in KAM.cf:

[root@server spamassassin]# pwd
/etc/mail/spamassassin
[root@server spamassassin]# cat 99_spfbl.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval

header   __RCVD_IN_SPFBL        eval:check_rbl('spfbl', 'dnsbl.spfbl.net')
tflags   __RCVD_IN_SPFBL        net

header   __RCVD_IN_SPFBL_3      eval:check_rbl_sub('spfbl', '127.0.0.3')
meta     RCVD_IN_SPFBL          __RCVD_IN_SPFBL_3 && !RCVD_IN_SPFBL_LASTEXT
describe RCVD_IN_SPFBL          Received is listed in SPFBL.net RBL
score    RCVD_IN_SPFBL          1.2
tflags   RCVD_IN_SPFBL          net

header   RCVD_IN_SPFBL_LASTEXT  eval:check_rbl('spfbl-lastexternal', 'dnsbl.spfbl.net')
describe RCVD_IN_SPFBL_LASTEXT  Last external is listed in SPFBL.net RBL
score    RCVD_IN_SPFBL_LASTEXT  2.2
tflags   RCVD_IN_SPFBL_LASTEXT  net

endif

ifplugin Mail::SpamAssassin::Plugin::AskDNS

askdns   SENDER_IN_SPFBL        _SENDERDOMAIN_.dnsbl.spfbl.net A /^127\.0\.0\.3$/
tflags   SENDER_IN_SPFBL        nice net
describe SENDER_IN_SPFBL        Sending domain listed in SPFBL.net DBL
score    SENDER_IN_SPFBL        2.2

endif




--
David Jones
