Unsubscribe
> On Apr 4, 2017, at 6:06 PM, Jim McLachlan wrote:
>
> Sorry, I did a direct reply instead of a reply to the list. I hope this
> corrects that.
>
> Hi KAM,
>
> >You're confused Not as much as me. I'm completely baffled
>
> >I've posted my master.cf to http://pasted.co/ba783cac just in case that
> might be useful.
>
> >It looks like my mail.* logs are rotated weekly. I'll change that so
> they're rotated daily. That will certainly help, but I'm sure it would be
> good for the disk and CPU if I can reduce the amount of data being logged.
>
> >Kind regards.
>
> >Jim.
>
>
>> On 04/04/17 23:55, Kevin A. McGrail wrote:
>>> On 4/4/2017 6:42 PM, Jim McLachlan wrote:
>>> amavis 1680 1 0 2016 ? 00:01:40 /usr/sbin/amavisd-new
>>> (master)
>>> amavis 10898 1680 0 17:29 ? 00:00:01 /usr/sbin/amavisd-new
>>> (ch7-avail)
>>> amavis 15292 1680 0 22:16 ? 00:00:00 /usr/sbin/amavisd-new
>>> (ch1-avail)
>>> postfix 15337 7599 0 22:19 ? 00:00:00 smtp -n amavis -t unix -u -o
>>> smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o
>>> disable_dns_lookups=yes -o max_use=20
>>> amavis 15344 1680 0 22:19 ? 00:00:00 /usr/sbin/amavisd-new
>>> (ch1-avail)
>>>
>>>
>>>I've posted the spamfilter.sh file to http://pasted.co/7b794ccd
>>>
>>>I don't see anything in there about verbose logging
>>
>> Quick points:
>>
>> 1 - The verbose logging (which I don't think is the issue) would be in your
>> postfix master.cf indicated by -v on smtpd. Reviewing the log snippet, I saw
>> nothing that looked like too much logging, anything looping, etc.
>>
>> 2 - I am confused if you have amavis why you would also have spamfilter.sh.
>> I
>> don't use amavisd-new but I'm sure some here do and can comment.
>>
>> Regards,
>> KAM
>
> --
> James R. McLachlan PGDCCI(Open)
> Managing Director
> Objective Software Services Ltd.
> Web : http://www.oss-ltd.com
> Tel : +44 (0)1397 708550
> Mob : +44 (0)7971 232717
> Fax : +44 (0)7970 117580
> e-mail: j...@oss-ltd.com
>
> Objective Software Services Ltd. is a company registered in England and Wales
> with company number 2892148.
> Registered office: 11 Percy Terrace, Tunbridge Wells, Kent, TN4 9RH
How to get rid of this spam? Spam assassin does not catch it
I use spam assassin with razors on ubuntu server.
In recent months I started to get tons of spam.
Spam assassin does not catch it and scores are very low.

Are those emails fabricated so well that they look legitimate? Can I
do something to catch those as spam?

I moved them all to one folder called spam and I run this command every 5
minutes on that folder:
sa-learn --spam --mbox /home/username/mail/INBOX.spam
but it does not help.

It seems like every spam email is fabricated in a different way.
Does anyone have any idea how to catch those?
Why does spam assassin not catch it?

Attached is the list showing subject and from for the recent spams I get.

subcject_from.txt1
Description: Binary data
Re: How to get rid of this spam? Spam assassin does not catch it
I don't use any ham training. Should I scan all my folders with this command:
sa-learn --ham --mbox /home/username/mail/foldername

"is the bayes-db of this user *really* used at scan time"
how do I check that?

I use procmail to pass all mail through spam assassin.
I use default ubuntu setup with Razors enabled.
It does catch spam but not the one I attached in the original post.

example mail sa headers:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
  ip-10-254-37-89.us-west-2.compute.internal
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=5.0 tests=BAYES_00,HTML_MESSAGE,
  RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,
  SPF_PASS,URIBL_BLOCKED,URIBL_DBL_SPAM autolearn=no autolearn_force=no
  version=3.4.0

ubuntu@ip-10-254-37-89:~$ cat /etc/spamassassin/local.cf
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###

# Add *SPAM* to the Subject header of spam e-mails
#
# rewrite_header Subject *SPAM*

# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1

# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.

# Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock

# Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0

# Use Bayesian classifier (default: 1)
#
# use_bayes 1

# Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1

# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status

# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
# shortcircuit SUBJECT_IN_WHITELIST on

# the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST on
# shortcircuit USER_IN_BLACKLIST_TO on
# shortcircuit SUBJECT_IN_BLACKLIST on

# if you have taken the time to correctly specify your "trusted_networks",
# this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED on

# and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit

# Vipul's Razor options.
use_razor2 1
#razor_timeout 10
razor_config /etc/razor/razor-agent.conf
loadplugin Mail::SpamAssassin::Plugin::Razor2
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

procmail setup:

:0fw: spamassassin.lock
* < 256000
| spamassassin

# Mails with a score of 15 or higher are almost certainly spam (with 0.05%
# false positives according to rules/STATISTICS.txt). Let's put them in a
# different mbox. (This one is optional.)
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
/var/spool/mail/junk

# All mail tagged as spam (eg. with a score higher than the set threshold)
# is moved to "probably-spam".
:0:
* ^X-Spam-Status: Yes
/var/spool/mail/junk

>
>
> On 27.10.2015 at 18:50, j...@lexoncom.com wrote:
>> I use spam assassin with razors on ubuntu server.
>> In recent months i started to get tons of spam.
>> Spam assassin does not catch it and scores are very low.
>>
>> Are those emails fabricated so well that they look like legitimate? Can
>> i
>> do something to catch those as spam?
>>
>> I moved them all to one folder called spam and i run this command every
>> 5
>> minutes on that folder:
>> sa-learn --spam --mbox /home/username/mail/INBOX.spam
>> but it does not help
>
> do you have enough *ham* trained?
> is the bayes-db of this user *really* used at scan time
> what are the SA-headers of mails passing through?
>
> sorry but you need to provide basic information
>
>
Re: How to get rid of this spam? Spam assassin does not catch it
I understand now.

sa-learn --ham --no-rebuild ham_directory
sa-learn --spam --no-rebuild spam_directory
sa-learn --rebuild

So would the best practice be to move spam to the spam folder and learn it as spam,
and learn all other folders as ham and then rebuild?
The inbox would never be scanned as it might have new spam and not spam
messages.

I would need some script to go through all messages for all users except
the spam folder to learn as HAM.

>
>
> On 27.10.2015 at 20:19, j...@lexoncom.com wrote:
>> I dont use any ham training
>
> then you can't expect bayes to work at all because how do you expect the
> bayes filter to know the *difference* of ham and spam signs?
>
> https://wiki.apache.org/spamassassin/BayesFaq
>
>
Re: How to get rid of this spam? Spam assassin does not catch it
can you explain how this works?
Do I add this to spam local.cf file?

would not
> Also - add a highest numbers MX record tarbaby.junkemailfilter.com
allow your servers to see my emails?

thx

> You can use my black and white lists. It should help.
>
> header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
> describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
> tflags __RCVD_IN_HOSTKARMA net
>
> header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
> describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
> tflags RCVD_IN_HOSTKARMA_W net nice
> score RCVD_IN_HOSTKARMA_W -5
>
> header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
> describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
> tflags RCVD_IN_HOSTKARMA_BL net
> score RCVD_IN_HOSTKARMA_BL 3.0
>
> header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
> describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
> tflags RCVD_IN_HOSTKARMA_BR net
> score RCVD_IN_HOSTKARMA_BR 1.0
>
>
> Also - add a highest numbers MX record tarbaby.junkemailfilter.com
>
> This will help tune our list to your spam and also get rid of a lot of it.
>
> On 10/27/15 10:50, j...@lexoncom.com wrote:
>> sa-learn --spam --mbox /home/username/mail/INBOX.spam
>
> --
> Marc Perkel - Sales/Support
> supp...@junkemailfilter.com
> http://www.junkemailfilter.com
> Junk Email Filter dot com
> 415-992-3400
>
>
Re: How to get rid of this spam? Spam assassin does not catch it
So I set up the dns server.
Can I force spam assassin to use localhost for dns or must I reconfigure
the host?

> On Tue, 27 Oct 2015, j...@lexoncom.com wrote:
>
>> X-Spam-Status: No, score=3.1 required=5.0 tests=BAYES_00,HTML_MESSAGE,
>>
>> RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,
>> SPF_PASS,URIBL_BLOCKED,URIBL_DBL_SPAM autolearn=no
>> autolearn_force=no
>> version=3.4.0
>
> URIBL_BLOCKED. Set up a local recursing (NOT forwarding!) DNS server for
> SpamAssassin to use. You're apparently doing DNS blacklist queries via a
> public DNS server (your ISPs?) and the aggregate traffic level is
> exceeding the URIBL free usage limits.
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> ...the Fates notice those who buy chainsaws...
> -- www.darwinawards.com
> ---
> 4 days until Halloween
>
Re: How to get rid of this spam? Spam assassin does not catch it
thx, yes I did that but found an old doc and that option was not available:
https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

>
> On 27.10.2015 at 21:02, j...@lexoncom.com wrote:
>> SO i setup the dns server.
>> Can i force spam assassin to use localhost for dns or I must reconfigure
>> the host?
>
> i recommend to read at least basic docs
> google "spamassassin dns" leads to
> http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html
> and
> CTRL+F "dns" leads to the following (the docs would also have mentioned
> that you need at least 200 spam *and* ham samples for bayes to work)
>
> dns_server ip-addr-port (default: entries provided by Net::DNS)
>
> Specifies an IP address of a DNS server, and optionally its port number.
> The dns_server directive may be specified multiple times, each entry
> adding to a list of available resolving name servers. The ip-addr-port
> argument can either be an IPv4 or IPv6 address, optionally enclosed in
> brackets, and optionally followed by a colon and a port number. In
> absence of a port number a standard port number 53 is assumed. When an
> IPv6 address is specified along with a port number, the address must be
> enclosed in brackets to avoid parsing ambiguity regarding a colon
> separator. A scoped link-local IP address is allowed (assuming
> underlying modules allow it).
>
> Examples :
>   dns_server 127.0.0.1
>   dns_server 127.0.0.1:53
>   dns_server [127.0.0.1]:53
>   dns_server [::1]:53
>   dns_server fe80::1%lo0
>   dns_server [fe80::1%lo0]:53
>
> In absence of dns_server directives, the list of name servers is
> provided by Net::DNS module, which typically obtains the list from
> /etc/resolv.conf, but this may be platform dependent. Please consult the
> Net::DNS::Resolver documentation for details.
>
>>> On Tue, 27 Oct 2015, j...@lexoncom.com wrote:
>>> X-Spam-Status: No, score=3.1 required=5.0 tests=BAYES_00,HTML_MESSAGE,
>>> RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,
>>> SPF_PASS,URIBL_BLOCKED,URIBL_DBL_SPAM autolearn=no autolearn_force=no
>>> version=3.4.0
>>>
>>> URIBL_BLOCKED. Set up a local recursing (NOT forwarding!) DNS server
>>> for
>>> SpamAssassin to use. You're apparently doing DNS blacklist queries via
>>> a
>>> public DNS server (your ISPs?) and the aggregate traffic level is
>>> exceeding the URIBL free usage limits.
>
>
Re: How to get rid of this spam? Spam assassin does not catch it
try this
https://www.dropbox.com/s/ngmaryggdelecjq/INBOX.spam?dl=0

it is an mbox file with like 1000 spam messages that are not recognized as
spam

> On 28/10/2015 07:38, j...@lexoncom.com wrote:
>> i uploaded my inbox with all spam that does not get filtered
>>
>> https://mega.nz/#!IRhlyQLL
>>
>
> 1/ that site is slow
> 2/ you need a decryption key to access it
> 3/ try pastebin instead
>
>
> --
> If you have the urge to reply to all rather than reply to list, you best
> read http://members.ausics.net/qwerty/
>
Re: How to get rid of this spam? Spam assassin does not catch it
yes there might be a few emails there that were legitimate
I cleaned it but I did not have time to do it properly

are not net/RBL/DNSBL tests enabled by default?
I need to review the documentation and see why it does not work

> On Tue, 27 Oct 2015, j...@lexoncom.com wrote:
>
>> try this
>> https://www.dropbox.com/s/ngmaryggdelecjq/INBOX.spam?dl=0
>>
>> it is mbox file with like 1000 spam messages that are not recognized as
>> spam
>>
>
> Are you -sure- all those messages are spam?
> One of them was a personal FaceBook update message.
> If you ("blwegr...@lexoncom.com") have a FB account then pretty much all
> updates
> sent to you as a result really cannot be considered spam.
>
> FWIW,
> You are really short-changing your SA by not having the net/RBL/DNSBL
> tests
> working properly.
>
> The vast majority of those messages (%96) were tagged as spam by my system
> and a
> super majority (%83) scored > 20.0 (my SMTP reject threshold). A large
> component
> of that score was from net/RBL/DNSBL tests.
>
> --
> Dave Funk University of Iowa
> College of Engineering
> 319/335-5751 FAX: 319/384-0549 1256 Seamans Center
> Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
> #include
> Better is not better, 'standard' is better. B{
>
Re: How to get rid of this spam? Spam assassin does not catch it
Is there a way to learn what bayes learned so far?

> On Oct 27, 2015, at 4:35 PM, John Hardin wrote:
>
>> On Tue, 27 Oct 2015, j...@lexoncom.com wrote:
>>
>> example mail sa headers:
>
> Is this from a spam?
>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
>> ip-10-254-37-89.us-west-2.compute.internal
>> X-Spam-Level: ***
>> X-Spam-Status: No, score=3.1 required=5.0 tests=BAYES_00,HTML_MESSAGE,
>
> BAYES_00. You *do* have ham and spam trained, and bayes *is* in use.
>
> If this is a spam, your Bayes appears to be mistrained. That might explain
> why so many spams are getting through.
>
> If you have autolearn turned on, turn it off.
>
> Collect hand-classified corpora of several hundred hams and several hundred
> spams, then wipe and retrain your Bayes.
>
> If your userbase is small enough to collect and train on just misclassified
> messages, then leave autolearn turned off and just train misclassifications
> and messages that don't hit either BAYES_00 or BAYES_99.
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> ...the Fates notice those who buy chainsaws...
> -- www.darwinawards.com
> ---
> 4 days until Halloween
Warning while running spam assassin on the message
I get this warning while running spam assassin from the command line:

Oct 29 11:54:38.803 [26126] warn: plugin: eval failed: Insecure dependency in require while running with -T switch at /usr/lib/perl5/Net/DNS/RR/OPT.pm line 6.
Oct 29 11:54:38.803 [26126] warn: BEGIN failed--compilation aborted at /usr/lib/perl5/Net/DNS/RR/OPT.pm line 6.
Oct 29 11:54:38.803 [26126] warn: Compilation failed in require at (eval 1129) line 2.
Oct 29 11:54:38.804 [26126] warn: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping:
Oct 29 11:54:38.804 [26126] warn: (Attempt to reload Net/DNS/RR/OPT.pm aborted.
Oct 29 11:54:38.805 [26126] warn: Compilation failed in require at (eval 1131) line 2.)
Oct 29 11:54:38.970 [26126] warn: rules: failed to run __TAG_EXISTS_STYLE test, skipping:
Oct 29 11:54:38.970 [26126] warn: (Can't locate object method "html_tag_exists" via package "Mail: [...]:SpamAssassin::PerMsgStatus" at (eval 1128) line 24.
Oct 29 11:54:38.970 [26126] warn: )
Oct 29 11:54:38.971 [26126] warn: plugin: eval failed: Timeout::_run: Insecure dependency in eval while running with -T switch at /usr/share/perl5/Mail/SpamAssassin/PerMsgStatus.pm line 2436.
Re: Warning while running spamassassin on the message
> On Thursday 29 October 2015 at 18:29:27, j...@lexoncom.com wrote:
>
>> I use procmail
>>
>> :0fw: spamassassin.lock
>> * < 256000
>> | spamassassin
>>
>> I run
>> sudo spamassassin -t -d --mbox /home/user/mail/INBOX.spamtest
>>
>> sudo spamassassin --mbox /home/user/mail/INBOX.spamtest
>>
>> there is only one message in spamtest mbox
>
> So, you're using procmail - which user does that rule apply to?
>

global procmail file /etc/procmail

> It looks rather to me as though procmail (your normal way of invoking
> spamassassin) runs as "you", and then you're trying to run spamassassin
> from
> the command line as root.

both tests are run via sudo but with different variables
that's why different results

>
> Not surprising if you get different results.
>
> If my assumption here is incorrect, please provide further details so we
> can
> try to provide further diagnosis.
>
>
> Regards,
>
>
> Antony.
>
>
> PS: Please reply to the list.
>
> --
> Success is a lousy teacher. It seduces smart people into thinking they
> can't
> lose.
>
> - William H Gates III
>
> Please reply to the
> list;
> please *don't* CC
> me.
>
Re: How to get rid of this spam? Spam assassin does not catch it
> On Tue, 2015-10-27 at 14:19 -0500, j...@lexoncom.com wrote:
>> I dont use any ham training.Should I scan all my folders with this
>> command:
>> sa-learn --ham --mbox /home/username/mail/foldername
>>
> YES - if Bayes never gets trained on ham, how do you expect it to
> recognise the difference between ham and spam?
>
> Bayes won't start to work until it has seen 200 examples of ham and 200
> examples of spam.

thx, I started to sort the emails for a learning process

>
>> "is the bayes-db of this user *realy* used at scan time"
>> how do i check that?
>>
> When its working you'll see BAYES_nn rules firing.
>
>> I use the procemail to pass all mail through spam assassin.
>> I use default ubuntu setup with Razors enabled.
>> It does catches spam but not the one i attached in original post.
>>
>> example mail sa headers:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
>> ip-10-254-37-89.us-west-2.compute.internal
>> X-Spam-Level: ***
>> X-Spam-Status: No, score=3.1 required=5.0
>> tests=BAYES_00,HTML_MESSAGE,
>> RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_C
>> HECK,SPF_HELO_PASS,
>> SPF_PASS,URIBL_BLOCKED,URIBL_DBL_SPAM autolearn=no
>> autolearn_force=no
>> version=3.4.0
>>
> As others have said, URIBL-BLOCKED shows that the number of BL lookups
> from all the people using whatever DNS server you're using exceeds the
> free usage count for the BL server. BL servers count messages from a
> particular DNS and don't know/can't find out how many people are using
> a particular DNS server to do BL lookups. To get round that you need
> your own DNS server, configured the do recursive lookups and NOT to
> forward queries to any other DNS server.
>
> So, set up your own recursive, non-forwarding DNS server on the host
> where you're running SA. Configure that host to pass all DNS queries to
> your new DNS server by configuring /etc/resolv.conf as I and others
> have described.
>
> If you don't understand how to install and configure a DNS server and
> prefer printed material to online documents, get the O'Reilly book "DNS
> and BIND".
>

I did configure a local recursive server and set both spam local.cf and
resolved.conf to point to 127.0.0.1 and I still get the blocks.

Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on xxx
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,HTML_MESSAGE,
  SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_BLOCKED autolearn=ham
  autolearn_force=no version=3.4.0
X-Spam-Report:
  * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
  * -0.0 SPF_PASS SPF: sender matches SPF record
  * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
  * See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
  * for more information.
  * [URIs: motortrend.com]
  * 0.0 HTML_MESSAGE BODY: HTML included in message
  * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
  * [score: 0.]
  * 0.0 T_REMOTE_IMAGE Message contains an external image

>
> Martin
>
>
Re: How to get rid of this spam? Spam assassin does not catch it
If auto learn is enabled and the header shows:
autolearn=ham
what happens when I classify that email later as spam?

thx

> On Tue, 2015-10-27 at 14:19 -0500, j...@lexoncom.com wrote:
>> I dont use any ham training.Should I scan all my folders with this
>> command:
>> sa-learn --ham --mbox /home/username/mail/foldername
>>
> YES - if Bayes never gets trained on ham, how do you expect it to
> recognise the difference between ham and spam?
>
> Bayes won't start to work until it has seen 200 examples of ham and 200
> examples of spam.
>
>> "is the bayes-db of this user *realy* used at scan time"
>> how do i check that?
>>
> When its working you'll see BAYES_nn rules firing.
>
>> I use the procemail to pass all mail through spam assassin.
>> I use default ubuntu setup with Razors enabled.
>> It does catches spam but not the one i attached in original post.
>>
>> example mail sa headers:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
>> ip-10-254-37-89.us-west-2.compute.internal
>> X-Spam-Level: ***
>> X-Spam-Status: No, score=3.1 required=5.0
>> tests=BAYES_00,HTML_MESSAGE,
>> RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_C
>> HECK,SPF_HELO_PASS,
>> SPF_PASS,URIBL_BLOCKED,URIBL_DBL_SPAM autolearn=no
>> autolearn_force=no
>> version=3.4.0
>>
> As others have said, URIBL-BLOCKED shows that the number of BL lookups
> from all the people using whatever DNS server you're using exceeds the
> free usage count for the BL server. BL servers count messages from a
> particular DNS and don't know/can't find out how many people are using
> a particular DNS server to do BL lookups. To get round that you need
> your own DNS server, configured the do recursive lookups and NOT to
> forward queries to any other DNS server.
>
> So, set up your own recursive, non-forwarding DNS server on the host
> where you're running SA. Configure that host to pass all DNS queries to
> your new DNS server by configuring /etc/resolv.conf as I and others
> have described.
>
> If you don't understand how to install and configure a DNS server and
> prefer printed material to online documents, get the O'Reilly book "DNS
> and BIND".
>
>
> Martin
>
>
Re: How to get rid of this spam? Spam assassin does not catch it
I already cleaned the db to make sure I don't have it broken.
Would it be better to turn off the autolearn,
teach sa ham and spam from over 200 messages and then turn the autolearn back on?

thx

> On Thu, 29 Oct 2015, Martin Gregorie wrote:
>
>> On Tue, 2015-10-27 at 14:19 -0500, j...@lexoncom.com wrote:
>>> I dont use any ham training.Should I scan all my folders with this
>>> command:
>>> sa-learn --ham --mbox /home/username/mail/foldername
>>
>> YES - if Bayes never gets trained on ham, how do you expect it to
>> recognise the difference between ham and spam?
>>
>> Bayes won't start to work until it has seen 200 examples of ham and 200
>> examples of spam.
>
> Again: *vetted* ham and spam. Don't just blindly throw your inbox at it
> assuming your inbox is pristine.
>
>>> "is the bayes-db of this user *realy* used at scan time"
>>> how do i check that?
>>
>> When its working you'll see BAYES_nn rules firing.
>
> Note BAYES_00 in the report below. The OP is getting ham from *somewhere*.
> If he's never manually trained ham then it's probably coming from
> autolearn, and depending on other issues that might have poisoned the
> database from the start.
>
>>> example mail sa headers:
>>>
>>> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
>>> ip-10-254-37-89.us-west-2.compute.internal
>>> X-Spam-Level: ***
>>> X-Spam-Status: No, score=3.1 required=5.0
>>> tests=BAYES_00,HTML_MESSAGE,
>>> RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_C
>>> HECK,SPF_HELO_PASS,
>>> SPF_PASS,URIBL_BLOCKED,URIBL_DBL_SPAM autolearn=no
>>> autolearn_force=no
>>> version=3.4.0
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> ...the Fates notice those who buy chainsaws...
> -- www.darwinawards.com
> ---
> Tomorrow: Halloween
>
Re: How to get rid of this spam? Spam assassin does not catch it
> On Fri, 30 Oct 2015, j...@lexoncom.com wrote:
>
>> I already cleaned the db to make sure I dont have it broken.
>> Would it be better to turn off the autolearn.
>> Teach sa ham and spam from over 200 messages and then turn back the
>> autolearn?
>
> How big is your userbase and ham email volume?
>
> If both are fairly small, I'd leave autolearn turned off and do purely
> manual classification and training. That's what I do and I have good
> results, but I'm only supporting 5 users.
>

similar to yours
I have been running sa for a few years so I do have like
8-10 entries in auto-whitelist per user
I cleared it and I will start over
with no auto-whitelist enabled for now

> Turn off autolearn to start while you're evaluating the performance of
> your initial corpora. Train any FPs and FNs (keeping them as part of your
> reference training corpora), and get your DNS issues resolved.
>

not sure where the problem with dns is
as I have the caching server set up

> Once things are stable and working smoothly for a while, then you can turn
> autolearn back on if you feel your mail volume justifies it.
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> ...the Fates notice those who buy chainsaws...
> -- www.darwinawards.com
> ---
> Tomorrow: Halloween
>
Re: How to get rid of this spam? Spam assassin does not catch it
Further testing shows that both amazon and my public ips are blocked.
I never used my public ip for dns so why is it blocked?
Is it just my bad luck and the ip is just blocked on URBL?

root@aws:/home/user#
root@aws:/home/user# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 54.189.149.10]"
root@aws:/home/user# sudo vi /etc/resolv.conf

root@aws:/home/user# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 54.244.239.249]"
root@aws:/home/user#

>> On Fri, 30 Oct 2015, j...@lexoncom.com wrote:
>>
>>> I already cleaned the db to make sure I dont have it broken.
>>> Would it be better to turn off the autolearn.
>>> Teach sa ham and spam from over 200 messages and then turn back the
>>> autolearn?
>>
>> How big is your userbase and ham email volume?
>
>>
>> If both are fairly small, I'd leave autolearn turned off and do purely
>> manual classification and training. That's what I do and I have good
>> results, but I'm only supporting 5 users.
>>
> similar to yours
> i have been running sa for few years so i do have like
> 8-10 entries in auto-whitelist per user
> i cleared it and i will start over
> with no auto-whitelist enabled for now
>
>> Turn off autolearn to start while you're evaluating the performance of
>> your initial corpora. Train any FPs and FNs (keeping them as part of
>> your
>> reference training corpora), and get your DNS issues resolved.
>>
> not sure where is the problem with dns
> as i have the caching server setup
>
>> Once things are stable and working smoothly for a while, then you can
>> turn
>> autolearn back on if you feel your mail volume justifies it.
>>
>> --
>> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
>> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
>> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
>> ---
>> ...the Fates notice those who buy chainsaws...
>> -- www.darwinawards.com
>> ---
>> Tomorrow: Halloween
>>
>
>
Re: How to get rid of this spam? Spam assassin does not catch it
thx, that explains the issue.
I set up a dns server outside the amazon server.
Now, I can finally do the lookup:

root@aws:~# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"

X-Spam-Flag: YES
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.0 required=5.0 tests=BAYES_00,
  HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,
  RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BRBL_LASTEXT,SPF_HELO_PASS,
  SPF_PASS,URIBL_BLACK,URIBL_DBL_SPAM autolearn=disabled version=3.4.0
X-Spam-Report:
  * 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
  * [URIs: yokooo.com]
  * 1.4 RCVD_IN_BRBL_LASTEXT RBL: No description available.
  * [208.80.12.43 listed in bb.barracudacentral.org]
  * -0.0 SPF_PASS SPF: sender matches SPF record
  * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
  * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
  * [score: 0.]
  * 0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
  * background
  * 0.0 HTML_MESSAGE BODY: HTML included in message
  * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
  * [cf: 100]
  * 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
  * above 50%
  * [cf: 100]
  * 0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
  * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
  * [URIs: yokooo.com]

> On Fri, 30 Oct 2015 14:46:18 -0500
> j...@lexoncom.com wrote:
>
>> Further testing shows that both smazon and my public ips are blocked.
>> I never used my public ip for dns so why is it blocked?
>> Is it just my bad luck and the ip is just blocked on URBL?
>
> The rdns for these two addresses is
>
> ec2-54-189-149-10.us-west-2.compute.amazonaws.com.
> ec2-54-244-239-249.us-west-2.compute.amazonaws.com.
>
> From
>
> http://uribl.com/datafeed_faq.shtml
>
> Why are DNS queries from my cloud instances
> (AmazonEC2/Softlayer/Rackspace/etc) blocked?
>
>   Large subnets owned by Amazon and other cloud providers have been
>   blocked due to high volume. Because amazon has so many networks, a
>   single user may have multiple mail exchanges on multiple networks,
>   and we have no ability to correlate this and block individual high
>   volume users. We are looking at ways of improving our query limit
>   system for those coming from large virtual hosting providers such as
>   Amazon, but at this time we do not have anything in place. We do
>   offer discounted Datafeed over DNS rates for low-volume, cloud
>   hosted users who are effected by these wide ranging blocks. See
>   Requesting the Datafeed Service and choose 'Cloud Hosted' on the
>   request form.
>
>
>
>> root@aws:/home/user#
>> root@aws:/home/user# host -tTXT 2.0.0.127.multi.uribl.com
>> 2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query
>> Refused. See http://uribl.com/refused.shtml for more information
>> [Your DNS IP: 54.189.149.10]"
>> root@aws:/home/user# sudo vi /etc/resolv.conf
>>
>> root@aws:/home/user# host -tTXT 2.0.0.127.multi.uribl.com
>> 2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query
>> Refused. See http://uribl.com/refused.shtml for more information
>> [Your DNS IP: 54.244.239.249]"
>> root@aws:/home/user#
>>
>
Re: How to get rid of this spam? Spam assassin does not catch it
So after initial learning it looks better now. (BAYES_50)

When sendmail sends email to procmail and procmail passes it to spam
assassin, does spam assassin run as root user or as the user the email
is destined to?
I run the sa-learn as root user and it seems like this is the database
that is being used so it would be global database used for all mail
users?

X-Spam-Flag: YES
X-Spam-Level:
X-Spam-Status: Yes, score=12.9 required=5.0 tests=BAYES_50,FROM_12LTRDOM,
  HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BRBL_LASTEXT,RCVD_IN_MSPIKE_BL,
  RCVD_IN_MSPIKE_L5,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_DBL_SPAM,
  URIBL_JP_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.4.0
X-Spam-Report:
  *  1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
  *      [URIs: curingaidtrade.com]
  *  1.2 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
  *      [URIs: curingaidtrade.com]
  *  1.4 RCVD_IN_BRBL_LASTEXT RBL: No description available.
  *      [95.128.19.6 listed in bb.barracudacentral.org]
  *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
  *      [URIs: curingaidtrade.com]
  *  0.4 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
  *      [95.128.19.6 listed in zen.spamhaus.org]
  *  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
  *      [URIs: curingaidtrade.com]
  *  2.4 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)
  *      [95.128.19.6 listed in bl.mailspike.net]
  *  0.0 HTML_MESSAGE BODY: HTML included in message
  *  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
  *      [score: 0.5000]
  *  0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
  *  0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
  *  0.1 FROM_12LTRDOM From a 12-letter domain

> On Fri, 30 Oct 2015, j...@lexoncom.com wrote:
>
>> thx, that explains the issue.
>> I setup a dns server outside the amazon server.
>> Now, i can finally do the lookup:
>> root@aws:~# host -tTXT 2.0.0.127.multi.uribl.com
>> 2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
>>
>> X-Spam-Flag: YES
>> X-Spam-Level: ***
>> X-Spam-Status: Yes, score=7.0 required=5.0 tests=BAYES_00,
>>   HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,
>>   RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BRBL_LASTEXT,SPF_HELO_PASS,
>>   SPF_PASS,URIBL_BLACK,URIBL_DBL_SPAM autolearn=disabled version=3.4.0
>> X-Spam-Report:
>>   *  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
>>   *      [URIs: yokooo.com]
>>   *  1.4 RCVD_IN_BRBL_LASTEXT RBL: No description available.
>>   *      [208.80.12.43 listed in bb.barracudacentral.org]
>>   * -0.0 SPF_PASS SPF: sender matches SPF record
>>   * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
>>   * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>>   *      [score: 0.]
>>   *  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>>   *  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
>>   *      identical to background
>>   *  0.0 HTML_MESSAGE BODY: HTML included in message
>>   *  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>>   *      [cf: 100]
>>   *  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence
>>   *      level above 50%
>>   *      [cf: 100]
>>   *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
>>   *  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
>>   *      [URIs: yokooo.com]
>
> Bravo! Now all you need to do is wipe and retrain your Bayes database with
> known-good corpora to get rid of that BAYES_00.
>
> --
> John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
>   ...the Fates notice those who buy chainsaws...
>                                       -- www.darwinawards.com
> ---
> Tomorrow: Halloween
Re: How to get rid of this spam? Spam assassin does not catch it
> On 31.10.2015 at 16:06, j...@lexoncom.com wrote:
>> So after initial learning it looks better now. (BAYES_50)
>
> BAYES_50 is not really good for clear spam
>
yep i thought that bayes was used but it seems like it was all useless

>> When sendmail sends email to procmail and procmail passes it to spam
>> assassin, does spam assassin runs as root user or as the user the email
>> is destined to?
>
> depends on how SA is called in detail, normally it should switch to that
> unix-user and hence training as root makes no sense, *nothing* should
> proceed potentially dangerous input as root at all - inbound mailcontent
> is by definition that sort of "don't do that" input
>
>> I run the sa-learn as root user
>
> oh my god...

i run it through the crontab
yes i can create new user and force sa-learn to use that user

>> and it seems like this is the data based
>> that is being used so it would be global data base used for all mail
>> users?
>
> https://wiki.apache.org/spamassassin/SiteWideBayesSetup

i switched to global setup
now all users should use same db
and i will use the manual learning process

>> X-Spam-Flag: YES
>> X-Spam-Level:
>> X-Spam-Status: Yes, score=12.9 required=5.0
>>   tests=BAYES_50,FROM_12LTRDOM,
>>   HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BRBL_LASTEXT,RCVD_IN_MSPIKE_BL,
>>   RCVD_IN_MSPIKE_L5,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_DBL_SPAM,
>>   URIBL_JP_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.4.0
>
> well, the quota of your sa-headers was enough to reject my response on
> the submission spamass-milter
>
> result: Y 16 - URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL
>
not sure what this means?
Re: How to get rid of this spam? Spam assassin does not catch it
After retraining and setting spam assassin for wide site all looks good.
Spam gets bayes99 and non spam is bayes00.
So far i did not get any spam.
Thank you all for your help.

>> On 31.10.2015 at 16:06, j...@lexoncom.com wrote:
>>> So after initial learning it looks better now. (BAYES_50)
>>
>> BAYES_50 is not really good for clear spam
>>
> yep i thought that bayes was used but it seems like it was all useless
>
>>> When sendmail sends email to procmail and procmail passes it to spam
>>> assassin, does spam assassin runs as root user or as the user the email
>>> is destined to?
>>
>> depends on how SA is called in detail, normally it should switch to that
>> unix-user and hence training as root makes no sense, *nothing* should
>> proceed potentially dangerous input as root at all - inbound mailcontent
>> is by definition that sort of "don't do that" input
>>
>>> I run the sa-learn as root user
>>
>> oh my god...
> i run it through the crontab
> yes i can create new user and force sa-learn to use that user
>>
>>> and it seems like this is the data based
>>> that is being used so it would be global data base used for all mail
>>> users?
>>
>> https://wiki.apache.org/spamassassin/SiteWideBayesSetup
>
> i switched to global setup
> now all users should use same db
> and i will use the manual learning process
>>
>>> X-Spam-Flag: YES
>>> X-Spam-Level:
>>> X-Spam-Status: Yes, score=12.9 required=5.0
>>>   tests=BAYES_50,FROM_12LTRDOM,
>>>   HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BRBL_LASTEXT,RCVD_IN_MSPIKE_BL,
>>>   RCVD_IN_MSPIKE_L5,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_DBL_SPAM,
>>>   URIBL_JP_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.4.0
>>
>> well, the quota of your sa-headers was enough to reject my response on
>> the submission spamass-milter
>>
>> result: Y 16 - URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL
>>
> not sure what this means?
Re: FIlter
I am aware of uridb blocked.
My server is in amazon cloud and uridb is blocked.
I do have private dns server caching only configured but my att dsl
blocked dns port udp so I cannot use it.
I was wondering if I could add other spam filter which I asked the
question about.

> On Nov 30, 2017, at 5:00 PM, Benny Pedersen wrote:
>
> Junk wrote on 2017-11-30 23:46:
>
>> Nov 30 16:45:22.663 [11935] dbg: uridnsbl: nt.ee . multi.uribl.com ->
>> 127.0.0.1, URIBL_BLOCKED, subtest:1
>
> fix this problem first
>
> https://wiki.apache.org/spamassassin/DnsBlocklists
>
> read above page for more help
>
> https://mail-archives.apache.org/mod_mbox/spamassassin-users/201201.mbox/%3c6861a6959eddf6f10ca8c96f3f65f...@www.coochey.net%3E
>
> old thread
Re: FIlter
I understand your concern and I agree but like I said at this point I
cannot get over the dns issue unless you give me a dns server ip that
will respond to my queries for the uribl.
My original question was about specific filter.

> On Nov 30, 2017, at 6:59 PM, Benny Pedersen wrote:
>
> Junk wrote on 2017-12-01 01:22:
>> I am aware of uridb blocked.
>> My server is in amazon cloud and uridb is blocked.
>> I do have private dns server caching only configured but my att dsl
>> blocked dns port udp so I cannot use it.
>> I was wondering if I could add other spam filter which I asked the
>> question about.
>
> what if junkmailfilter blocks you as uribl ?
>
> fix real problem first
Re: FIlter
> Junk wrote on 2017-12-01 05:35:
>> I understand your concern and I agree but like I said at this point I
>> cannot get over the dns issue unless you give me a dns server ip that
>> will respond to my queries for the uribl.
>
> apt-get install bind9
>
you did not read my answer.
I do have the dns server running but my isp does not allow udp port, so i
cannot point my amazon server to it.

> configure it to NOT forward any dns queries to any other dns server, eg
> it should just be listing on 127.0.0.1, and resolv.conf have just
> nameserver 127.0.0.1
>
> if amazon cant allow you to do this you should change vps hoster
>
Its not amazons fault. It is URIDB blocking amazons subnets.

>> My original question was about specific filter.
>
> i believe you would like uribl to work like junkmailfilter do
>
This still does not answer my original question.
Re: FIlter
You calling me an idiot based on what?

According to URIBL:

Why are DNS queries from my cloud instances
(AmazonEC2/Softlayer/Rackspace/etc) blocked?

Large subnets owned by Amazon and other cloud providers have been
blocked due to high volume. Because amazon has so many networks, a
single user may have multiple mail exchanges on multiple networks, and
we have no ability to correlate this and block individual high volume
users. We are looking at ways of improving our query limit system for
those coming from large virtual hosting providers such as Amazon, but at
this time we do not have anything in place. We do offer discounted
Datafeed over DNS rates for low-volume, cloud hosted users who are
effected by these wide ranging blocks. See Requesting the Datafeed
Service and choose 'Cloud Hosted' on the request form.

So technically you can pay and you wont be blocked.

> On 01.12.2017 at 09:50, Benny Pedersen wrote:
>> Junk wrote on 2017-12-01 05:35:
>>> I understand your concern and I agree but like I said at this point I
>>> cannot get over the dns issue unless you give me a dns server ip that
>>> will respond to my queries for the uribl.
>>
>> apt-get install bind9
>>
>> configure it to NOT forward any dns queries to any other dns server, eg
>> it should just be listing on 127.0.0.1, and resolv.conf have just
>> nameserver 127.0.0.1
>>
>> if amazon cant allow you to do this you should change vps hoster
>
> idiot! URIBL blocks amazon in general!
Re: FIlter
let me try if i can change the port to something else and then configure
firewall to forward from that port to the dns server on my network.

> On 01.12.2017 at 01:22, Junk wrote:
>> I am aware of uridb blocked.
>> My server is in amazon cloud and uridb is blocked.
>> I do have private dns server caching only configured but my att dsl
>> blocked dns port udp so I cannot use it
>
> RTFM - dns is not bound to port 53
>
> http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html
>
> dns_server ip-addr-port (default: entries provided by Net::DNS)
>
> Specifies an IP address of a DNS server, and optionally its port
> number. The dns_server directive may be specified multiple times, each
> entry adding to a list of available resolving name servers. The
> ip-addr-port argument can either be an IPv4 or IPv6 address, optionally
> enclosed in brackets, and optionally followed by a colon and a port
> number. In absence of a port number a standard port number 53 is
> assumed. When an IPv6 address is specified along with a port number, the
> address must be enclosed in brackets to avoid parsing ambiguity
> regarding a colon separator. A scoped link-local IP address is allowed
> (assuming underlying modules allow it).
>
> Examples :
>   dns_server 127.0.0.1
>   dns_server 127.0.0.1:53
>   dns_server [127.0.0.1]:53
>   dns_server [::1]:53
>   dns_server fe80::1%lo0
>   dns_server [fe80::1%lo0]:53
>
> In absence of dns_server directives, the list of name servers is
> provided by Net::DNS module, which typically obtains the list from
> /etc/resolv.conf, but this may be platform dependent. Please consult the
> Net::DNS::Resolver documentation for details.
Re: FIlter
right, did not read it correctly.

> On 01.12.2017 at 17:00, Junk wrote:
>> You calling me an idiot based on what?
>
> learn to read emails!
> i responded to Benny's clueless "apt-get install bind9"
>
>> According to URIBL:
>>
>> Why are DNS queries from my cloud instances
>> (AmazonEC2/Softlayer/Rackspace/etc) blocked?
>
> i know that, Benny don't
>
>>> On 01.12.2017 at 09:50, Benny Pedersen wrote:
>>>> Junk wrote on 2017-12-01 05:35:
>>>>> I understand your concern and I agree but like I said at this point I
>>>>> cannot get over the dns issue unless you give me a dns server ip that
>>>>> will respond to my queries for the uribl.
>>>>
>>>> apt-get install bind9
>>>>
>>>> configure it to NOT forward any dns queries to any other dns server,
>>>> eg
>>>> it should just be listing on 127.0.0.1, and resolv.conf have just
>>>> nameserver 127.0.0.1
>>>>
>>>> if amazon cant allow you to do this you should change vps hoster
>>>
>>> idiot! URIBL blocks amazon in general!
RE: FIlter
Amazon does not block the dns but the URIBL blocks the requests coming
from the amazon subnet. I pointed the spamassassin to the server i run
somewhere else and i used the port 1053 as a workaround as ATT blocks
incoming udp 53.

So 1053 on my firewall forwards to 53 dns server.

Now spamassassin is happy and URIBL db works.
Thx for a tip about the DNS.

Now, back to my original question.
Is
http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
good addition to fight spam or its DB is same as URIBL?

thx

> I could be misunderstanding, but it sounds like you have a DNS server on a
> different host than your mail server and that Amazon blocks that. The
> recommendation is to install a DNS server on the *same* host as your mail
> server. There will be no UDP traffic blocked between your mail server and
> DNS server if they're on the same host because the traffic from DNS server
> to mail server never leaves the box.
>
> Normally DNS is configured to query root servers and other folks DNS
> servers on UDP 53; it's not clear to me if Amazon would be blocking that
> but I rather doubt it, as DNS is pretty much the backbone of the internet.
> But even if they are, you can configure a DNS server to use TCP 53. It's
> not as efficient but given that the DNS responses are cached, it's not all
> that burdensome either.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588
> Registered Linux User No: 307357
>
> -----Original Message-----
> From: Junk [mailto:j...@lexoncom.com]
> Sent: Friday, December 01, 2017 6:31 AM
> To: Benny Pedersen
> Cc: Junk; users@spamassassin.apache.org
> Subject: Re: FIlter
>
>> Junk wrote on 2017-12-01 05:35:
>>> I understand your concern and I agree but like I said at this point I
>>> cannot get over the dns issue unless you give me a dns server ip that
>>> will respond to my queries for the uribl.
>>
>> apt-get install bind9
>
> you did not read my answer.
> I do have the dns server running but my isp does not allow udp port, so i
> cannot point my amazon server to it.
>
>> configure it to NOT forward any dns queries to any other dns server, eg
>> it should just be listing on 127.0.0.1, and resolv.conf have just
>> nameserver 127.0.0.1
>>
>> if amazon cant allow you to do this you should change vps hoster
>
> Its not amazons fault. It is URIDB blocking amazons subnets.
>
>>> My original question was about specific filter.
>>
>> i believe you would like uribl to work like junkmailfilter do
>
> This still does not answer my original question.
RE: FIlter
I do have scripts to go through 2 folders daily spam % ham but i noticed
that although i add tons of messages to spam and some to ham its not
enough to catch spam without URIBL or others like Razors.

>> Now, back to my original question.
>> Is
>> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
>> good addition to fight spam or its DB is same as URIBL? Glad you got it
>> sorted.
>
> I've added the hostkarma rules from junkmailfilter.com to my local ruleset
> a couple years ago and they do help some. The magic in spamassassin is
> lots of small scores add up to big scores so every little bit helps, in
> both directions. In the last 30 days it's pushed 44 messages over the
> edge. Not a lot, but every little bit helps.
>
> Long story short, it's worth adding then watching. Tailor the scores as
> necessary to tune your system if the defaults aren't a good match for your
> corpus of messages.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588
> Registered Linux User No: 307357
>
> -----Original Message-----
> From: Junk [mailto:j...@lexoncom.com]
> Sent: Friday, December 01, 2017 9:55 AM
> To: Kevin Miller
> Cc: users@spamassassin.apache.org
> Subject: RE: FIlter
>
> Amazon does not block the dns but the URIBL blocks the requests coming
> from the amazon subnet. I pointed the spamassassin to the server i run
> somewhere else and i used the port 1053 as a workaround as ATT blocks
> incoming udp 53.
>
> So 1053 on my firewall forwards to 53 dns server.
>
> Now spamassassin is happy and URIBL db works.
> Thx for a tip about the DNS.
RE: FIlter
Do you know any additional lists that could be added in addition to:
- built ones
- http://wiki.junkemailfilter.com
- razors

I have the spam score set to above to be 100% spam as i noticed what is
below 5% sometimes falls into not a spam email.

> I doubt anybody here is running spamassassin successfully w/o some
> additional add-ons such as various RBLs, URIBLs, custom made rules, etc.
> Some things I reject outright at the MTA, and what makes it through that
> then has to run a gauntlet of spamassassin rules of all stripes. Since
> it's so easy to adjust scores, when you add a new series of tests that
> you're not sure about, it's probably a reasonable practice to change the
> default scoring to something small - .01 maybe - then let it percolate for
> a few days. After it's seen a bunch of messages, check to see which rules
> hit, and then bump up the scores to levels are in line with your needs.
> There's virtually no risk in that but it does take time...
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588
> Registered Linux User No: 307357
>
> -----Original Message-----
> From: Junk [mailto:j...@lexoncom.com]
> Sent: Friday, December 01, 2017 12:19 PM
> To: Kevin Miller
> Cc: users@spamassassin.apache.org
> Subject: RE: FIlter
>
> I do have scripts to go through 2 folders daily spam % ham but i noticed
> that although i add tons of messages to spam and some to ham its not
> enough to catch spam without URIBL or others like Razors.
>
>>> Now, back to my original question.
>>> Is
>>> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#Spam_Assassin_Examples
>>> good addition to fight spam or its DB is same as
>>> URIBL? Glad you got it sorted.
>>
>> I've added the hostkarma rules from junkmailfilter.com to my local
>> ruleset a couple years ago and they do help some. The magic in
>> spamassassin is lots of small scores add up to big scores so every
>> little bit helps, in both directions. In the last 30 days it's pushed
>> 44 messages over the edge. Not a lot, but every little bit helps.
>>
>> Long story short, it's worth adding then watching. Tailor the scores
>> as necessary to tune your system if the defaults aren't a good match
>> for your corpus of messages.
>>
>> ...Kevin
>> --
>> Kevin Miller
>> Network/email Administrator, CBJ MIS Dept.
>> 155 South Seward Street
>> Juneau, Alaska 99801
>> Phone: (907) 586-0242, Fax: (907) 586-4588
>> Registered Linux User No: 307357
>>
>> -----Original Message-----
>> From: Junk [mailto:j...@lexoncom.com]
>> Sent: Friday, December 01, 2017 9:55 AM
>> To: Kevin Miller
>> Cc: users@spamassassin.apache.org
>> Subject: RE: FIlter
>>
>> Amazon does not block the dns but the URIBL blocks the requests coming
>> from the amazon subnet. I pointed the spamassassin to the server i run
>> somewhere else and i used the port 1053 as a workaround as ATT blocks
>> incoming udp 53.
>>
>> So 1053 on my firewall forwards to 53 dns server.
>>
>> Now spamassassin is happy and URIBL db works.
>> Thx for a tip about the DNS.
Re: FIlter
Thx for the tips.
I will look at these and try to implement.
I definitely need more ways to get more scores so those that score 3.4-4.9
finally go over 5 and are marked spam.

> On Dec 1, 2017, at 5:05 PM, Kevin Miller wrote:
>
> HashBL
Re: FIlter
> On Dec 1, 2017, at 7:07 PM, John Hardin wrote:
>
> On Fri, 1 Dec 2017, Junk wrote:
>
>> Thx for the tips.
>> I will look at these and try to implement.
>> I definitely need more ways to get more scores so those that score 3.4-4.9
>> finally go over 5 and are marked spam.
>
> If you trust your Bayes you might consider implementing a BAYES_999 rule that
> adds another point.
>
I might look into it

> Getting past URIBL_BLOCKED will help.
>
Yes once it started to work again there is less spam although i still get
some that are formatted as images.

> A lot of people trust the Zen DNSBL enough to do hard SMTP-time rejects of
> those IPs. Not sure if you do that currently.
>
Not sure about this. In the logs i see calls to ZEN.

> I'll contact you privately with one other thing.
>
> --
> John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> *Your* lack of self-control does not give you
> the authority to dictate limitations on *my* freedom.
> ---
> 246 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: FIlter
i implemented all of the filters you mentioned and the score went up from
3.5. to 3.9 on an example spam email i was testing.
I will look further into more filters.
I see lots of spam that is formatted as image and those are not being caught.

> On Dec 1, 2017, at 5:05 PM, Kevin Miller wrote:
>
> There's a number of rulesets that I use - many are mentioned here in this
> list and discussed so a look at the archives will probably be helpful.
>
> KAM - http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
> Hashcash
> HashBL
> SEM - spameatingmonkey.net
>
> To mention just a few...
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588
> Registered Linux User No: 307357
>
> -----Original Message-----
> From: Junk [mailto:j...@lexoncom.com]
> Sent: Friday, December 01, 2017 1:36 PM
> To: Kevin Miller
> Cc: users@spamassassin.apache.org
> Subject: RE: FIlter
>
> Do you know any additional lists that could be added in addition to:
> - built ones
> - http://wiki.junkemailfilter.com
> - razors
>
> I have the spam score set to above to be 100% spam as i noticed what is below
> 5% sometimes falls into not a spam email.
Re: FIlter
I am using sendmail.

> On Dec 2, 2017, at 12:33 PM, David Jones wrote:
>
>> On 12/02/2017 10:39 AM, Junk wrote:
>> i implemented all of the filters you mentioned and the score went up from
>> 3.5. to 3.9 on an example spam email i was testing.
>> I will look further into more filters.
>> I see lots of spam that is formatted as image and those are not being caught.
>
> What is your MTA? If you are using Postfix then definitely enable postscreen
> plus its weighted RBLs. Then you can combine the power of multiple RBLs
> that would normally be too risky to reject on their own to make them more
> reliable.
>
> Then you can start experimenting with RBLs at
> http://multirbl.valli.org/lookup/ with low weights and slowly bump them up as
> you find ones that are helpful for your particular mail flow. Here is my
> current list:
>
> postscreen_dnsbl_sites =
>   dnsbl.sorbs.net=127.0.0.[10;14]*9
>   zen.spamhaus.org=127.0.0.[10;11]*8
>   dnsbl.sorbs.net=127.0.0.5*7
>   zen.spamhaus.org=127.0.0.[4..7]*7
>   b.barracudacentral.org=127.0.0.2*7
>   zen.spamhaus.org=127.0.0.3*7
>   dnsbl.inps.de=127.0.0.2*7
>   hostkarma.junkemailfilter.com=127.0.0.2*4
>   dnsbl.sorbs.net=127.0.0.7*4
>   bl.spamcop.net=127.0.0.2*4
>   bl.spameatingmonkey.net=127.0.0.[2;3]*4
>   dnsrbl.swinog.ch=127.0.0.3*4
>   ix.dnsbl.manitu.net=127.0.0.2*4
>   psbl.surriel.com=127.0.0.2*4
>   bl.mailspike.net=127.0.0.[10;11;12]*4
>   bl.mailspike.net=127.0.0.2*4
>   ubl.unsubscore.com=127.0.0.2*4
>   zen.spamhaus.org=127.0.0.2*3
>   dnsbl-1.uceprotect.net=127.0.0.2*2
>   dnsbl.sorbs.net=127.0.0.6*3
>   dnsbl.sorbs.net=127.0.0.9*2
>   dnsbl.sorbs.net=127.0.0.8*2
>   score.senderscore.com=127.0.4.[0..29]*2
>   hostkarma.junkemailfilter.com=127.0.0.4*2
>   all.spamrats.com=127.0.0.38*2
>   bl.nszones.com=127.0.0.[2;3]*1
>   dnsbl-2.uceprotect.net=127.0.0.2*1
>   dnsbl.sorbs.net=127.0.0.2*1
>   dnsbl.sorbs.net=127.0.0.4*1
>   score.senderscore.com=127.0.4.[30..69]*1
>   all.spamrats.com=127.0.0.38*2
>   bl.nszones.com=127.0.0.[2;3]*1
>   dnsbl-2.uceprotect.net=127.0.0.2*1
>   dnsbl.sorbs.net=127.0.0.2*1
>   dnsbl.sorbs.net=127.0.0.4*1
>   score.senderscore.com=127.0.4.[30..69]*1
>   dnsbl.sorbs.net=127.0.0.3*1
>   hostkarma.junkemailfilter.com=127.0.1.2*1
>   dnsbl.sorbs.net=127.0.0.15*1
>   ips.backscatterer.org=127.0.0.2*1
>   bl.nszones.com=127.0.0.5*-1
>   wl.mailspike.net=127.0.0.[18;19;20]*-2
>   hostkarma.junkemailfilter.com=127.0.0.1*-2
>   ips.whitelisted.org=127.0.0.2*-2
>   safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
>   list.dnswl.org=127.0.[0..255].0*-2
>   dnswl.inps.de=127.0.[0;1].[2..10]*-2
>   list.dnswl.org=127.0.[0..255].1*-3
>   list.dnswl.org=127.0.[0..255].2*-4
>   list.dnswl.org=127.0.[0..255].3*-5
>
> - Setup postwhite with Postfix to bypass major/trusted senders so you don't
> reject too much with the above RBL lists.
>
> - Enable basic DNS check in Postfix main.cf:
>
> smtpd_recipient_restrictions =
>   permit_mynetworks,
>   ...,
>   permit_sasl_authenticated,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_non_fqdn_hostname,
>   reject_invalid_hostname,
>   reject_unauth_destination,
>   reject_unverified_recipient,
>   reject_unknown_reverse_client_hostname,
>   reject_unknown_sender_domain,
>   reject_unlisted_sender,
>   reject_unlisted_recipient,
>   ...,
>
> - Enable greylisting if you can. It really does work, especially helpful
> with zero-hour spammers from compromised accounts that are very difficult to
> block. It is possible to deploy it slowly so users don't notice a delay.
>
> - Enable Postfix rate limiting.
>
> - Install pypolicyd-spf, OpenDKIM, OpenDMARC to add headers that SA can use.
> OpenDMARC with some custom rules can give Spamassassin basic DMARC support.
>
> header    DMARC_PASS         Authentication-Results =~ /your-server-here; dmarc=pass/
> describe  DMARC_PASS         DMARC check passed
> score     DMARC_PASS         -0.01
>
> header    DMARC_FAIL         Authentication-Results =~ /your-server-here; dmarc=fail/
> describe  DMARC_FAIL         DMARC check failed
> score     DMARC_FAIL         0.01
>
> header    DMARC_NONE         Authentication-Results =~ /your-server-here; dmarc=none/
> describe  DMARC_NONE         DMARC check neutral
> score     DMARC_NONE         0.01
>
> header    DMARC_FAIL_REJECT  Authentication-Results =~ /your-server-here; dmarc=fail \(p=reject/
> describe  DMARC_FAIL_REJECT  DMARC check failed and the sending domains says to reject this message
> score     DMARC_FAIL_REJECT  8.2
>
> - Consider slightly bumping up the scores on FREEMAIL* rules this these are
> often so
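How the weighted list quoted above turns DNSBL answers into an accept or reject decision, as an added example that is not part of the original message and not Postfix code. It parses the `domain=filter*weight` syntax (single values, `[a;b]` lists, `[a..b]` ranges), assumes each entry is counted once when any returned address matches its filter, and compares the sum with a threshold; the DNS replies and the threshold value 8 are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Subset of the postscreen_dnsbl_sites entries quoted in the message above.
SITES_TEXT = """
    zen.spamhaus.org=127.0.0.[10;11]*8
    zen.spamhaus.org=127.0.0.[4..7]*7
    zen.spamhaus.org=127.0.0.3*7
    zen.spamhaus.org=127.0.0.2*3
    b.barracudacentral.org=127.0.0.2*7
    bl.mailspike.net=127.0.0.[10;11;12]*4
    hostkarma.junkemailfilter.com=127.0.0.2*4
    hostkarma.junkemailfilter.com=127.0.0.1*-2
    list.dnswl.org=127.0.[0..255].1*-3
"""

Site = Tuple[str, Optional[List[Set[int]]], int]


def parse_octet(token: str) -> Set[int]:
    """'3' -> {3}; '[4..7]' -> {4,5,6,7}; '[10;11;12]' -> {10,11,12}."""
    allowed: Set[int] = set()
    for part in token.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def parse_site(entry: str) -> Site:
    """Split 'domain[=filter][*weight]'; weight defaults to 1."""
    m = re.fullmatch(r"([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?", entry)
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    domain, filt, weight = m.groups()
    octets = None
    if filt is not None:
        tokens = re.findall(r"\[[^\]]+\]|\d+", filt)
        if len(tokens) != 4 or ".".join(tokens) != filt:
            raise ValueError(f"bad filter: {filt!r}")
        octets = [parse_octet(t) for t in tokens]
    return domain, octets, int(weight) if weight else 1


def matches(octets: List[Set[int]], address: str) -> bool:
    """True when every octet of the reply address is allowed by the filter."""
    parts = address.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and int(p) in allowed for p, allowed in zip(parts, octets))


def dnsbl_score(sites: List[Site], replies: Dict[str, List[str]]):
    """Sum the weights of entries whose filter matches any reply address."""
    total, hits = 0, []
    for domain, octets, weight in sites:
        answers = replies.get(domain, [])
        if any(octets is None or matches(octets, a) for a in answers):
            total += weight
            hits.append((domain, weight))
    return total, hits


def would_block(score: int, threshold: int) -> bool:
    """Threshold is an inclusive lower bound for blocking."""
    return score >= threshold


SITES = [parse_site(e) for e in SITES_TEXT.split()]

# Constructed DNSBL replies for two hypothetical clients.
BOTNET_CLIENT = {"zen.spamhaus.org": ["127.0.0.4"],
                 "b.barracudacentral.org": ["127.0.0.2"],
                 "bl.mailspike.net": ["127.0.0.11"]}
MIXED_CLIENT = {"hostkarma.junkemailfilter.com": ["127.0.0.2"],
                "list.dnswl.org": ["127.0.5.1"]}

if __name__ == "__main__":
    for name, replies in (("botnet", BOTNET_CLIENT), ("mixed", MIXED_CLIENT)):
        score, hits = dnsbl_score(SITES, replies)
        print(name, score, would_block(score, threshold=8), hits)
```

The second client shows why the list carries negative weights: one blocklist hit offset by a whitelist entry stays below the threshold and the message goes on to content filtering.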
Re: FIlter
> On Dec 2, 2017, at 12:53 PM, John Hardin wrote:
>
> On Sat, 2 Dec 2017, Junk wrote:
>
>>> If you trust your Bayes you might consider implementing a BAYES_999 rule
>>> that adds another point.
>>
>> I might look into it
>>
>>> Getting past URIBL_BLOCKED will help.
>>
>> Yes once it started to work again there is less spam although i still get
>> some that are formatted as images.
>
> BL lookups won't help with that... :

So is there a solution for this?

>>> A lot of people trust the Zen DNSBL enough to do hard SMTP-time rejects of
>>> those IPs. Not sure if you do that currently.
>>
>> Not sure about this. In the logs i see calls to ZEN.
>
> Which logs?
>
> SA will do Zen lookups by default. That says nothing about whether your *MTA*
> is doing similar lookups at SMTP time and rejecting hits

I was looking at the sa debug log when testing against spam message to see
what is happening

> --
> John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> USMC Rules of Gunfighting #6: If you can choose what to bring
> to a gunfight, bring a long gun and a friend with a long gun.
> ---
> 5 days until The 76th anniversary of Pearl Harbor
Re: FIlter
Is there any list that can be trusted and is publicly available or unless
you pay nothing is trusted?

> On Dec 2, 2017, at 7:44 PM, Bill Cole wrote:
>
>> On 2 Dec 2017, at 13:33 (-0500), David Jones wrote:
>>
>> Then you can start experimenting with RBLs at
>> http://multirbl.valli.org/lookup/
>
> Be VERY careful with that list of DNSBLs. For years they listed and tested my
> local, private, never-public DNSBL (which has always had an external view
> that "lists the world") despite repeated requests to stop, resulting in a
> steady stream of clueless users pleading, rationalizing, and/or threatening
> me over their supposed listing. It is only after I started to give actively
> hostile answers to external queries that they took my DNSBL off their lookup
> page, but they still ping it every day or so. Apparently, similar sites
> copied them and some end users seem to have gotten the bright idea to query
> the zone, sometimes in substantial volume.
>
> The bottom line: before actually *using* any of the DNSBLs you find via any
> 3rd-party site, research the list's actual purpose and availability.
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
Re: FIlter
Thx, I will look at it. I started with sendmail and got used to it, so I would have to read more about Postfix etc.

> On Dec 3, 2017, at 7:42 AM, David Jones wrote:
>
>> On 12/02/2017 09:03 PM, Junk wrote:
>> I am using sendmail.
>
> It's pretty easy to switch from sendmail to Postfix so I highly recommend it.
> Once you see how powerful Postfix is with all of its built-in features and
> flexibility, you will be very glad you switched.
>
> Basic/high-level steps (Google for specific details on your particular OS
> version):
>
> 1. /etc/postfix/main.cf - relay_domains
> 2. /etc/postfix/transport
> 3. Integrate Spamassassin into Postfix
> 4. Run 'postmap /etc/postfix/transport' to make transport.db
> 5. Switch the MTA from sendmail to Postfix in the OS.
> 6. Stop sendmail
> 7. Start postfix
> 8. Watch your maillog
> 9. Start tuning Postfix by enabling postscreen in the master.cf then the
> postscreen_dnsbl_sites in the main.cf. Don't forget to restart postfix.
> 10. Watch your maillog for spam being rejected and smile
>
>>>> On Dec 2, 2017, at 12:33 PM, David Jones wrote:
>>>>
>>>> On 12/02/2017 10:39 AM, Junk wrote:
>>>> I implemented all of the filters you mentioned and the score went up from
>>>> 3.5 to 3.9 on an example spam email I was testing.
>>>> I will look further into more filters.
>>>> I see lots of spam that is formatted as image and those are not being
>>>> caught.
>>>
>>> What is your MTA? If you are using Postfix then definitely enable
>>> postscreen plus its weighted RBLs. Then you can combine the power of
>>> multiple RBLs that would normally be too risky to reject on their own to
>>> make them more reliable.
>>>
>>> Then you can start experimenting with RBLs at
>>> http://multirbl.valli.org/lookup/ with low weights and slowly bump them up
>>> as you find ones that are helpful for your particular mail flow. Here is my
>>> current list:
>>>
>>> postscreen_dnsbl_sites =
>>>   dnsbl.sorbs.net=127.0.0.[10;14]*9
>>>   zen.spamhaus.org=127.0.0.[10;11]*8
>>>   dnsbl.sorbs.net=127.0.0.5*7
>>>   zen.spamhaus.org=127.0.0.[4..7]*7
>>>   b.barracudacentral.org=127.0.0.2*7
>>>   zen.spamhaus.org=127.0.0.3*7
>>>   dnsbl.inps.de=127.0.0.2*7
>>>   hostkarma.junkemailfilter.com=127.0.0.2*4
>>>   dnsbl.sorbs.net=127.0.0.7*4
>>>   bl.spamcop.net=127.0.0.2*4
>>>   bl.spameatingmonkey.net=127.0.0.[2;3]*4
>>>   dnsrbl.swinog.ch=127.0.0.3*4
>>>   ix.dnsbl.manitu.net=127.0.0.2*4
>>>   psbl.surriel.com=127.0.0.2*4
>>>   bl.mailspike.net=127.0.0.[10;11;12]*4
>>>   bl.mailspike.net=127.0.0.2*4
>>>   ubl.unsubscore.com=127.0.0.2*4
>>>   zen.spamhaus.org=127.0.0.2*3
>>>   dnsbl-1.uceprotect.net=127.0.0.2*2
>>>   dnsbl.sorbs.net=127.0.0.6*3
>>>   dnsbl.sorbs.net=127.0.0.9*2
>>>   dnsbl.sorbs.net=127.0.0.8*2
>>>   score.senderscore.com=127.0.4.[0..29]*2
>>>   hostkarma.junkemailfilter.com=127.0.0.4*2
>>>   all.spamrats.com=127.0.0.38*2
>>>   bl.nszones.com=127.0.0.[2;3]*1
>>>   dnsbl-2.uceprotect.net=127.0.0.2*1
>>>   dnsbl.sorbs.net=127.0.0.2*1
>>>   dnsbl.sorbs.net=127.0.0.4*1
>>>   score.senderscore.com=127.0.4.[30..69]*1
>>>   all.spamrats.com=127.0.0.38*2
>>>   bl.nszones.com=127.0.0.[2;3]*1
>>>   dnsbl-2.uceprotect.net=127.0.0.2*1
>>>   dnsbl.sorbs.net=127.0.0.2*1
>>>   dnsbl.sorbs.net=127.0.0.4*1
>>>   score.senderscore.com=127.0.4.[30..69]*1
>>>   dnsbl.sorbs.net=127.0.0.3*1
>>>   hostkarma.junkemailfilter.com=127.0.1.2*1
>>>   dnsbl.sorbs.net=127.0.0.15*1
>>>   ips.backscatterer.org=127.0.0.2*1
>>>   bl.nszones.com=127.0.0.5*-1
>>>   wl.mailspike.net=127.0.0.[18;19;20]*-2
>>>   hostkarma.junkemailfilter.com=127.0.0.1*-2
>>>   ips.whitelisted.org=127.0.0.2*-2
>>>   safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
>>>   list.dnswl.org=127.0.[0..255].0*-2
>>>   dnswl.inps.de=127.0.[0;1].[2..10]*-2
>>>   list.dnswl.org=127.0.[0..255].1*-3
>>>   list.dnswl.org=127.0.[0..255].2*-4
>>>   list.dnswl.org=127.0.[0..255].3*-5
>>>
>>> - Setup postwhite with Postfix to bypass major/trusted senders so you don't
>>> reject too much with the above RBL lists.
>>>
>>> - Enable basic DNS check in Postfix main.cf:
>>>
>>> smtpd_recipient_restrictions =
>>>   permit_mynetworks,
>>>   ...,
>>>   permit_sasl_authenticated, &
Re: FIlter
So I wonder if
postscreen_dnsbl is enabled is it possible that mail gets lost by mistake?
Somehow some false positive?
How do you maintain the list?

> On 12/02/2017 09:09 PM, Junk wrote:
>> Is there any list that can be trusted and is publicly available or
>> unless you pay nothing is trusted?
>>
>>
>
> See my previous list of postscreen_dnsbl_sites entries. These can be
> trusted in aggregate but not individually. Traditionally in MTAs, a
> single block list hit will reject email but that is too risky. You
> really should consider switching to Postfix and try out
> postscreen_dnsbl_sites to combine the results of block lists. More
> trustworthy lists get a higher weight and less trustworthy lists get a
> lower weight above zero. Whitelists get a negative weight to lower the
> total score.
>
> /etc/postfix/main.cf:
> postscreen_cache_retention_time = 7d
> postscreen_bare_newline_ttl = 7d
> postscreen_greet_ttl = 7d
> postscreen_non_smtp_command_ttl = 7d
> postscreen_pipelining_ttl = 7d
> postscreen_dnsbl_ttl = 1m
> postscreen_dnsbl_threshold = 8
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> postscreen_greet_wait = ${stress?1}${stress:11}s
> postscreen_bare_newline_action = enforce
> postscreen_bare_newline_enable = yes
> postscreen_non_smtp_command_enable = yes
> postscreen_pipelining_enable = yes
> postscreen_dnsbl_whitelist_threshold = -1
> postscreen_blacklist_action = drop
>
> postscreen_dnsbl_sites =
>   ... (from previous email)
>
>>> On Dec 2, 2017, at 7:44 PM, Bill Cole wrote:
>>>
>>>> On 2 Dec 2017, at 13:33 (-0500), David Jones wrote:
>>>>
>>>> Then you can start experimenting with RBLs at
>>>> http://multirbl.valli.org/lookup/
>>>
>>> Be VERY careful with that list of DNSBLs. For years they listed and
>>> tested my local, private, never-public DNSBL (which has always had an
>>> external view that "lists the world") despite repeated requests to
>>> stop, resulting in a steady stream of clueless users pleading,
>>> rationalizing, and/or threatening me over their supposed listing. It is
>>> only after I started to give actively hostile answers to external
>>> queries that they took my DNSBL off their lookup page, but they still
>>> ping it every day or so. Apparently, similar sites copied them and some
>>> end users seem to have gotten the bright idea to query the zone,
>>> sometimes in substantial volume.
>>>
>>> The bottom line: before actually *using* any of the DNSBLs you find via
>>> any 3rd-party site, research the list's actual purpose and
>>> availability.
>>>
>>> --
>>> Bill Cole
>>> b...@scconsult.com or billc...@apache.org
>>> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
>>> Currently Seeking Steady Work: https://linkedin.com/in/billcole
>>
>
>
> --
> David Jones
>
Re: FIlter
What I am asking is how do you manage the actual IPs of the hosts providing services. What if at some point one or more of them are out of service? Do you monitor it so in case some stop providing the services you remove them or replace them?

Does sendmail provide similar functionality to postscreen? If I understand it correctly this feature allows to stop email from being delivered before it gets through the MTA. So SpamAssassin does the same filtering but it requires more processing?

Thx

> On Dec 4, 2017, at 4:30 PM, Reindl Harald wrote:
>
>
>
> On 04.12.2017 at 23:17, Junk wrote:
>> So I wonder if
>> postscreen_dnsbl is enabled is it possible that mail gets lost by mistake?
>> Somehow some false positive?
>> How do you maintain the list?
>
> the whole point is that you don't need to babysit the list because you have
> not that trustworthy lists with low scores but reject if enough other RBL's
> at the same time agree
>
> you have a combination of blacklists and whitelists, see the whitelists at
> the end with negative score and when the summary is
> "postscreen_dnsbl_threshold" or higher the message is rejected
> __
>
> the first 3 with the poison pill score 8 or higher are with names
>
> * dul.dnsbl.sorbs.net
> * noserver.dnsbl.sorbs.net
> * pbl.spamhaus.org
>
> these are normally deadly safe "reject it" but even that ones are guided by
> the whitelists and so it typically needs at least one additional RBL to get
> above 8
>
> the 127.0.0.x stuff are the responses from the DNSBL/DNSWL server so that
> postscreen only needs to ask "dnsbl.sorbs.net" once and probably get more
> than one ip back, each ip response has its score and so when you get back
> "127.0.0.10" *and* "127.0.0.14" it's listed on both (dul/noserver) and get 17
> points plus the responses from other lists minus whitelist responses and the
> final number makes the decision
>
> well, and with a caching nameserver spamassassin can re-use the cached
> responses
>
> postscreen_dnsbl_threshold = 8
> postscreen_dnsbl_action = enforce
> postscreen_greet_action = enforce
> postscreen_dnsbl_sites =
>   dnsbl.sorbs.net=127.0.0.10*9
>   dnsbl.sorbs.net=127.0.0.14*9
>   zen.spamhaus.org=127.0.0.[10;11]*8
>   dnsbl.sorbs.net=127.0.0.5*7
>   zen.spamhaus.org=127.0.0.[4..7]*7
>   b.barracudacentral.org=127.0.0.2*7
>   zen.spamhaus.org=127.0.0.3*7
>   dnsbl.inps.de=127.0.0.2*7
>   hostkarma.junkemailfilter.com=127.0.0.2*4
>   dnsbl.sorbs.net=127.0.0.7*4
>   bl.spamcop.net=127.0.0.2*4
>   bl.spameatingmonkey.net=127.0.0.[2;3]*4
>   dnsrbl.swinog.ch=127.0.0.3*4
>   ix.dnsbl.manitu.net=127.0.0.2*4
>   psbl.surriel.com=127.0.0.2*4
>   bl.mailspike.net=127.0.0.[10;11;12]*4
>   bl.mailspike.net=127.0.0.2*4
>   zen.spamhaus.org=127.0.0.2*3
>   score.senderscore.com=127.0.4.[0..20]*3
>   bl.spamcannibal.org=127.0.0.2*3
>   dnsbl.sorbs.net=127.0.0.6*3
>   dnsbl.sorbs.net=127.0.0.8*2
>   hostkarma.junkemailfilter.com=127.0.0.4*2
>   dnsbl.sorbs.net=127.0.0.9*2
>   dnsbl-1.uceprotect.net=127.0.0.2*2
>   all.spamrats.com=127.0.0.38*2
>   bl.nszones.com=127.0.0.[2;3]*1
>   dnsbl-2.uceprotect.net=127.0.0.2*1
>   dnsbl.sorbs.net=127.0.0.2*1
>   dnsbl.sorbs.net=127.0.0.4*1
>   score.senderscore.com=127.0.4.[0..69]*1
>   dnsbl.sorbs.net=127.0.0.3*1
>   hostkarma.junkemailfilter.com=127.0.1.2*1
>   dnsbl.sorbs.net=127.0.0.15*1
>   ips.backscatterer.org=127.0.0.2*1
>   bl.nszones.com=127.0.0.5*-1
>   score.senderscore.com=127.0.4.[90..100]*-1
>   wl.mailspike.net=127.0.0.[18;19;20]*-2
>   hostkarma.junkemailfilter.com=127.0.0.1*-2
>   ips.whitelisted.org=127.0.0.2*-2
>   list.dnswl.org=127.0.[0..255].0*-2
>   dnswl.inps.de=127.0.[0;1].[2..10]*-2
>   list.dnswl.org=127.0.[0..255].1*-3
>   list.dnswl.org=127.0.[0..255].2*-4
>   list.dnswl.org=127.0.[0..255].3*-5
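
The weighted scoring discussed in this message, worked through in Python as an added example (not code from the thread or from Postfix): it parses domain=filter*weight entries taken from the lists quoted in the thread and sums the weights for constructed DNSBL replies. The function names and sample replies are assumptions for illustration; an entry's weight is counted at most once, as the Postfix documentation states for postscreen_dnsbl_sites.

```python
import re

# Subset of the postscreen_dnsbl_sites entries quoted in the thread.
SITES = """
dnsbl.sorbs.net=127.0.0.[10;14]*9
zen.spamhaus.org=127.0.0.[4..7]*7
bl.spamcop.net=127.0.0.2*4
psbl.surriel.com=127.0.0.2*4
list.dnswl.org=127.0.[0..255].1*-3
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold from the thread

def parse_entry(entry):
    """Split 'domain=filter*weight'; filter and weight are optional."""
    m = re.fullmatch(r"([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?", entry)
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    domain, flt, weight = m.groups()
    return domain, flt, int(weight) if weight else 1

def octet_matches(pattern, value):
    """pattern is a plain number or a '[a;b;c..d]' set of numbers and ranges."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(flt, addr):
    """True if one DNSBL A-record reply satisfies the entry's filter."""
    if flt is None:
        return True  # no filter: any non-error reply counts
    pats = re.findall(r"\[[^\]]*\]|\d+", flt)
    octets = [int(o) for o in addr.split(".")]
    return len(pats) == 4 and all(map(octet_matches, pats, octets))

def dnsbl_score(replies, sites=SITES):
    """replies: {domain: [A records returned for the client IP]}."""
    total = 0
    for entry in sites.split():
        domain, flt, weight = parse_entry(entry)
        # An entry's weight is applied at most once, however many replies match.
        if any(reply_matches(flt, a) for a in replies.get(domain, [])):
            total += weight
    return total

def blocked(replies):
    return dnsbl_score(replies) >= THRESHOLD  # the threshold is inclusive

# Constructed replies: two low-weight lists agree on the same client.
two_lists = {"bl.spamcop.net": ["127.0.0.2"], "psbl.surriel.com": ["127.0.0.2"]}
print(dnsbl_score(two_lists), blocked(two_lists))
```

A single weight-4 listing stays below the threshold, two of them reach it, and a dnswl.org hit on the same client pulls the total back under it.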
RE: FIlter
I wonder in addition to what was recommended I could add to increase the score.
I am browsing through the archives to learn more but if you think of something quick I could try.
Switching to Postfix is my next goal but this requires me to rebuild my server as I want to stage the switch and Ubuntu server is not happy to have both MTAs installed at the same time.

I am still hitting some spam every day that scores just below 5.

Here are a few message samples.

https://ufile.io/k3dzf

> There's a number of rulesets that I use - many are mentioned here in this
> list and discussed so a look at the archives will probably be helpful.
>
> KAM - http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
> Hashcash
> HashBL
> SEM - spameatingmonkey.net
>
> To mention just a few...
>
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No:
> 307357
>
>
> -Original Message-
> From: Junk [mailto:j...@lexoncom.com]
> Sent: Friday, December 01, 2017 1:36 PM
> To: Kevin Miller
> Cc: users@spamassassin.apache.org
> Subject: RE: FIlter
>
> Do you know any additional lists that could be added in addition to:
> - built ones
> - http://wiki.junkemailfilter.com
> - razors
>
> I have the spam score set to above to be 100% spam as I noticed what is
> below 5% sometimes falls into not a spam email.
>
>
Re: FIlter
> On 12/11/2017 01:19 PM, Junk wrote:
>> I wonder in addition to what was recommended I could add to increase the
>> score.
>> I am browsing through the archives to learn more but if you think of
>> something quick I could try.
>> Switching to Postfix is my next goal but this requires me to rebuild my
>> server as I want to stage the switch and Ubuntu server is not happy to
>> have both MTAs installed at the same time.
>>
>>
>> I am still hitting some spam every day that scores just below 5.
>>
>> Here are a few message samples.
>>
>> https://ufile.io/k3dzf
>>
>>
>
> Make sure you have the DNSEval plugin enabled in v320.pre. I am not
> seeing any RBL hits from SA (RCVD_IN_* hits).

It seemed to be enabled:

# Plugins which used to be EvalTests.pm
# broken out into separate plugins
loadplugin Mail::SpamAssassin::Plugin::Bayes
loadplugin Mail::SpamAssassin::Plugin::BodyEval
loadplugin Mail::SpamAssassin::Plugin::DNSEval
loadplugin Mail::SpamAssassin::Plugin::HTMLEval
loadplugin Mail::SpamAssassin::Plugin::HeaderEval
loadplugin Mail::SpamAssassin::Plugin::MIMEEval
loadplugin Mail::SpamAssassin::Plugin::RelayEval
loadplugin Mail::SpamAssassin::Plugin::URIEval
loadplugin Mail::SpamAssassin::Plugin::WLBLEval

> Also run sa-update to
> make sure you have a recent ruleset.

Was not that part of the system script to run every day by default?

>
> Here's how one from IP 154.16.149.120 scored on my SA platform:
>
> https://pastebin.com/0f6srYLC
>
> Make sure you have DCC and Pyzor add-ons installed and working correctly
> too. Not seeing any hits on those rules in your mbox file link above.
>
>

Installed Pyzor; looking at DCC setup, as Ubuntu does not come with it due to licensing, I guess.

>>> There's a number of rulesets that I use - many are mentioned here in
>>> this
>>> list and discussed so a look at the archives will probably be helpful.
>>>
>>> KAM - http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
>>> Hashcash
>>> HashBL
>>> SEM - spameatingmonkey.net
>>>
>>> To mention just a few...
>>>
>>>
>>> ...Kevin
>>> --
>>> Kevin Miller
>>> Network/email Administrator, CBJ MIS Dept.
>>> 155 South Seward Street
>>> Juneau, Alaska 99801
>>> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No:
>>> 307357
>>>
>>>
>>> -Original Message-
>>> From: Junk [mailto:j...@lexoncom.com]
>>> Sent: Friday, December 01, 2017 1:36 PM
>>> To: Kevin Miller
>>> Cc: users@spamassassin.apache.org
>>> Subject: RE: FIlter
>>>
>>> Do you know any additional lists that could be added in addition to:
>>> - built ones
>>> - http://wiki.junkemailfilter.com
>>> - razors
>>>
>>> I have the spam score set to above to be 100% spam as I noticed what is
>>> below 5% sometimes falls into not a spam email.
>>>
>>>
>>
>>
>
> --
> David Jones
>