Posted to users@spamassassin.apache.org by linuxbox <xf...@westky.com> on 2008/10/16 17:02:23 UTC
How do i block email with a domain in a message like this?
Hello there. I have a problem with blocking an email with spamassassin.
normally when i want to block a domain in an email, be it html or plain text
i would have a rule such as this, and this works perfectly:
rawbody spam_domains /blockeddomain\.com/i
score spam_domains 20
so the above rule normally blocks any email with the domain
blockeddomain.com in the body of the email, be it an html or plain text
body.
however today i received an email in this format and it does not get blocked
by my rawbody rule that includes the domain i wish to block. the src code
of the email is in the code snippet below
Now, i'm wondering, is this an attachment in the email or something? i want
to block emails like this based on the domain contained in the email which
in this case is "yourpening.com". the rule i have that does NOT work is
this:
full spam_domains /yourpening\.com/i
score spam_domains 20
this does not work either:
rawbody spam_domains1 /yourpening\.com/i
score spam_domains1 20
can anyone show me a rule or something in spamassassin that would block
email with that domain?
here is the email source:
Return-Path: <my...@myemail.com>
X-Original-To: myemail@myemail.com
Delivered-To: myemail@myemail.com
Received: from smtp.xxxx.com (smtp.xxxx.com [12.xx.xx.xxx])
by zeus.xxxx.com (Postfix) with ESMTP id 9901139C2CC
for <my...@myemail.com>; Tue, 14 Oct 2008 12:21:01 -0500 (CDT)
Resent-From: <my...@myemail.com>
Resent-To: <my...@myemail.com>
Resent-Date: Tue, 14 Oct 2008 12:21:10 -0500
X-Loop: <my...@myemail.com>
X-Spam-Status: No, hits=0.0 required=5.0
tests=TOTAL_SCORE: 0.000
X-Spam-Level:
Received: from mx2.yourpening.com ([69.4.233.120])
by smtp.xxxx.com
for myemail@myemail.com;
Tue, 14 Oct 2008 12:20:56 -0500
X-KWF-FilterProgress: **
Reply-To: <st...@yourpening.com>
X-MimeOLE: Produced By tkfyguo
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0004_b4a3ff4c.b4a3ff4c"
Content-class: urn:content-classes:message
Subject: Re: Life insurance rates lowest in history
Date: Tue, 14 Oct 2008 12:20:46 -0600
Message-Id: <20...@mx2.yourpening.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-MS-GC: ahhyhttp://yourpening.com/tvnejzshtdvdwrhjwds/9920
X-Originating-IP: 69.4.233.120
Importance: Normal
From: "Accuquote" <kq...@yourpening.com>
To: <my...@myemail.com>
Resent-Message-Id: <20...@zeus.xxxx.com>
This is a multi-part message in MIME format.
------=_NextPart_000_0004_b4a3ff4c.b4a3ff4c
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0005_b4a3ff4c.b4a3ff4c"
------=_NextPart_001_0005_b4a3ff4c.b4a3ff4c
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
=
http://yourpening.com/evyekdshedvdwfckwdv/
=
This i=
s an ad=
vertise=
ment.=
=
To no long=
er receive =
mail Visit: http://yourpening.com/tvnejzshtdvdwrhjwds/
_________________________________________________________________
Enjoy 5 GB of free, password-protected online storage.
http://www.windowslive.com/skydrive/overview.html?ocid=3DTXT_TAGLM_WL_Refre=
sh_skydrive_062008=
------=_NextPart_001_0005_b4a3ff4c.b4a3ff4c
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Arial;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Arial","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Arial","sans-serif";
color:windowtext;}
MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{text-align:center; page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal><o:p>=
<br /> 3D =
Comp=
are & Sa=
ve up to 7=
0% o=
n Lif=
e In=
sur=
ance <br><br>=
<o:p></o:p></p> =
<p class=3DMsoNormal><o:p> 3D 3D"cid:acccuq.jpg@b4a3ff4c.b4a3ff4c" =
=
<o:p></o:p></p> =
<br /> =
<p class=3DMsoNormal><o:p> 3D L=
ife insu=
rance rates low=
est in history.. Get FR=
EE Quote=
s Today!
<o:p></o:p></p> =
<br /> =
<br /> =
<br /> =
<br /> =
<br /> =
<br /> =
<br /> =
<p class=3DMsoNormal><o:p> =
</o:p></p>
<br /> =
<hr /> =
<br /> =
<p class=3DMsoNormal> =
this is a=
n advert=
isment =
<o:p></o:p></p> =
<br /> =
<p class=3DMsoNormal> 3D"http://yourpening.com/tvntjzqsjzbdwfcjwdc/"
3D"cid:acccuqu.jpg@b4a3ff4c.b4a3ff4c" =
<o:p></o:p></p>
<br /> =
=
<p class=3DMsoNormal> =
<o:p></o:p></p> =
<p class=3DMsoNormal> =
<o:p></o:p></p> =
<p class=3DMsoNormal>
Unsubscribe: =
3D"http://yourpening.com/tvntjzqsjzbdwfcjwdc/" here <o:p> </o:p></p> =
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal><o:p> </o:p></p>
<!--This elec=
tronic me=
ssage and a=
ny attac=
hments hereto co=
ntain information wh=
ich may be priv=
ileged, confid=
ential, or other=
wise prote=
cted from disc=
losure. The info=
rmation is inte=
nded to be f=
or the addr=
essee only. If you ar=
e not the addressee, an=
y disclo=
sure, copy, distribu=
tion or us=
e of the cont=
ents of the m=
essage or an=
y attachme=
nts her=
eto is stri=
ctly prohibited. If =
you ha=
ve received th=
is electronic me=
ssage in er=
ror, please no=
tify us imme=
diately, an=
d permanently de=
lete the ori=
ginal mess=
age and attac=
hments. -->=
</div>
<!--<hr />Give to a good cause w=
ith every e-mail. 3D'http://yourpening.com/= Join the i=
92m Initiative fr=
om Microsoft. -->
<!--<hr />Give to a good cause w=
ith every e-mail. 3D'http://yourpening.com/= Join the i=
92m Initiative fr=
om Microsoft. -->
</body>
</html>
------=_NextPart_001_0005_b4a3ff4c.b4a3ff4c--
------=_NextPart_000_0004_b4a3ff4c.b4a3ff4c
Content-Type: image/jpg;
name="acccuq.jpg"
Content-Transfer-Encoding: base64
Content-ID: <ac...@b4a3ff4c.b4a3ff4c>
/9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAMgAA/+4ADkFkb2JlAGTAAAAAAf/b
AIQACAYGBgYGCAYGCAwIBwgMDgoICAoOEA0NDg0NEBEMDg0NDgwRDxITFBMSDxgYGhoYGCMiIiIj
JycnJycnJycnJwEJCAgJCgkLCQkLDgsNCw4RDg4ODhETDQ0ODQ0TGBEPDw8PERgWFxQUFBcWGhoY
------=_NextPart_000_004_b4a3ff4c.b4a3ff4c--
--
View this message in context: http://www.nabble.com/How-do-i-block-email-with-a-domain-in-a-message-like-this--tp20015221p20015221.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: How do i block email with a domain in a message like this?
Posted by John Hardin <jh...@impsec.org>.
On Thu, 16 Oct 2008, Eric Foster wrote:
> i understand it works with a normal email : ) but the thing is, it
> didn't work when the email body was an attachment : ) i'll send you the
> original email tomorrow that made its way through and you see if you
> get it.
If the attachment was small it would be better to put the message up on
pastebin and post the URL to the list.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
15 days until Halloween
Re: How do i block email with a domain in a message like this?
Posted by Eric Foster <ef...@k105.com>.
i understand it works with a normal email : )
but the thing is, it didn't work when the email body was an attachment : )
i'll send you the original email tomorrow that made its way through and you
see if you get it.
----- Original Message -----
From: "John Hardin" <jh...@impsec.org>
To: "Eric Foster" <co...@westky.com>
Cc: "SpamAssassin Users List" <us...@spamassassin.apache.org>
Sent: Thursday, October 16, 2008 5:03 PM
Subject: Re: How do i block email with a domain in a message like this?
> On Thu, 16 Oct 2008, Eric Foster wrote:
>
>> hehe, yes indeed i'm putting the proper domain in : )
>>
>> in fact here's the actual rule:
>>
>> uri spam_domains_22
>> /contendosystems\.com\.ar|fincharacter\.net|efficientx\.info|
>> gr8rliving\.com|thebuysell\.com|hottomorrow\.com|vrolone\.com|
>> eastbayventure\.com|bestvalueeducation\.com|theoperate\.com|
>> daxflackatt\.com|yardsweepersales\.com|petroleumnowhere\.com|
>> strengthplant\.com|bestbusinessclub\.net|completesuggest\.net|
>> ardextra\.com|crystalclubonline\.com|moremoneyfor\.net|
>> entiresuggest\.net|supershoppro\.com|makeownwealth\.net|
>> southwatercommunity\.com|dvdplusmore\.com|petshowcorner\.com|
>> hotkeyserver\.net|codsli\.com|ewebzero\.com|greatblessingway\.com|
>> bikeblessingonline\.com|blessingchurch\.com|blessingchristian\.com|
>> fareastjourney\.com|besteinternet\.com|newdaymart\.com|
>> qclearsark\.com|resterkind\.com|ssskeel\.com|windvigourtoday\.com|
>> yourpening\.com|johnalanonline\.com|angeliemk\.com|
>> greatwebpro\.com|bestlightfixture\.com|whitepagezone\.com|
>> ozkcm\.com|lurekeep\.com|scrapinverbs\.com|porcula\.com|
>> llrcorp\.net|neteigthteenmarketing\.com|gavinder\.org|
>> incazone\.org|puckstera\.info|cid-212e
>> fd379931012a\.spaces\.live\.com|rkhei\.com|pudlowmk\.com|
>> polltill\.org|humderin\.info|singresoup\.info|
>> greatdifferences\.com|ulinder\.org|bluestreetwear\.com|wuggin\.org|
>> fishingextremesguide\.com|uptrail\.org|italiancoffeeguide\.com|
>> schoolsource\.org|theb rakesonline\.com|joetables\.com|
>> moneachsail\.com|stateshawaii\.com|topnotchwebdeals\.info|
>> bigcashcreator\.com|rurna\.com|homeibiz\.info/i score spam_domains_22 20
>
> That works in my testbed with a domain picked at random out of the middle.
>
> That list is getting a little long to be manageable. You might want to
> look into setting up a local uribl zone on an internal DNS server,
> especially if you intend to add domains to that list. There were some
> references for how to do this on the list in the past month or so.
Re: How do i block email with a domain in a message like this?
Posted by John Hardin <jh...@impsec.org>.
On Thu, 16 Oct 2008, Eric Foster wrote:
> hehe, yes indeed i'm putting the proper domain in : )
>
> in fact here's the actual rule:
>
> uri spam_domains_22
> /contendosystems\.com\.ar|fincharacter\.net|efficientx\.info|
> gr8rliving\.com|thebuysell\.com|hottomorrow\.com|vrolone\.com|
> eastbayventure\.com|bestvalueeducation\.com|theoperate\.com|
> daxflackatt\.com|yardsweepersales\.com|petroleumnowhere\.com|
> strengthplant\.com|bestbusinessclub\.net|completesuggest\.net|
> ardextra\.com|crystalclubonline\.com|moremoneyfor\.net|
> entiresuggest\.net|supershoppro\.com|makeownwealth\.net|
> southwatercommunity\.com|dvdplusmore\.com|petshowcorner\.com|
> hotkeyserver\.net|codsli\.com|ewebzero\.com|greatblessingway\.com|
> bikeblessingonline\.com|blessingchurch\.com|blessingchristian\.com|
> fareastjourney\.com|besteinternet\.com|newdaymart\.com|
> qclearsark\.com|resterkind\.com|ssskeel\.com|windvigourtoday\.com|
> yourpening\.com|johnalanonline\.com|angeliemk\.com|
> greatwebpro\.com|bestlightfixture\.com|whitepagezone\.com|
> ozkcm\.com|lurekeep\.com|scrapinverbs\.com|porcula\.com|
> llrcorp\.net|neteigthteenmarketing\.com|gavinder\.org|
> incazone\.org|puckstera\.info|cid-212e
> fd379931012a\.spaces\.live\.com|rkhei\.com|pudlowmk\.com|
> polltill\.org|humderin\.info|singresoup\.info|
> greatdifferences\.com|ulinder\.org|bluestreetwear\.com|wuggin\.org|
> fishingextremesguide\.com|uptrail\.org|italiancoffeeguide\.com|
> schoolsource\.org|theb rakesonline\.com|joetables\.com|
> moneachsail\.com|stateshawaii\.com|topnotchwebdeals\.info|
> bigcashcreator\.com|rurna\.com|homeibiz\.info/i
> score spam_domains_22 20
That works in my testbed with a domain picked at random out of the middle.
That list is getting a little long to be manageable. You might want to
look into setting up a local uribl zone on an internal DNS server,
especially if you intend to add domains to that list. There were some
references for how to do this on the list in the past month or so.
Re: How do i block email with a domain in a message like this?
Posted by Eric Foster <co...@westky.com>.
hehe, yes indeed i'm putting the proper domain in : )
in fact here's the actual rule:
uri spam_domains_22
/contendosystems\.com\.ar|fincharacter\.net|efficientx\.info|gr8rliving\.com|thebuysell\.com|hottomorrow\.com|vrolone\.com|eastbayventure\.com|bestvalueeducation\.com|theoperate\.com|daxflackatt\.com|yardsweepersales\.com|petroleumnowhere\.com|strengthplant\.com|bestbusinessclub\.net|completesuggest\.net|ardextra\.com|crystalclubonline\.com|moremoneyfor\.net|entiresuggest\.net|supershoppro\.com|makeownwealth\.net|southwatercommunity\.com|dvdplusmore\.com|petshowcorner\.com|hotkeyserver\.net|codsli\.com|ewebzero\.com|greatblessingway\.com|bikeblessingonline\.com|blessingchurch\.com|blessingchristian\.com|fareastjourney\.com|besteinternet\.com|newdaymart\.com|qclearsark\.com|resterkind\.com|ssskeel\.com|windvigourtoday\.com|yourpening\.com|johnalanonline\.com|angeliemk\.com|greatwebpro\.com|bestlightfixture\.com|whitepagezone\.com|ozkcm\.com|lurekeep\.com|scrapinverbs\.com|porcula\.com|llrcorp\.net|neteigthteenmarketing\.com|gavinder\.org|incazone\.org|puckstera\.info|cid-212ef
d379931012a\.spaces\.live\.com|rkhei\.com|pudlowmk\.com|polltill\.org|humderin\.info|singresoup\.info|greatdifferences\.com|ulinder\.org|bluestreetwear\.com|wuggin\.org|fishingextremesguide\.com|uptrail\.org|italiancoffeeguide\.com|schoolsource\.org|thebrakesonline\.com|joetables\.com|moneachsail\.com|stateshawaii\.com|topnotchwebdeals\.info|bigcashcreator\.com|rurna\.com|homeibiz\.info/i
score spam_domains_22 20
not sure if that got formatted properly in this email of course. yes, i
restart my mailserver which is kerio.
so does the uri rule work even if the email body is an attachment?
----- Original Message -----
From: John Hardin
To: linuxbox
Cc: users@spamassassin.apache.org
Sent: Thursday, October 16, 2008 3:19 PM
Subject: Re: How do i block email with a domain in a message like this?
On Thu, 16 Oct 2008, linuxbox wrote:
> because i tried this:
>
> uri spam_domains_22 /baddomain\.com/i
> score spam_domains_22 20
>
> and that did not work...
That surely should work.
Silly question, forgive me, but... you _are_ putting your chosen evil
domain name in place of "baddomain" for testing the rule, aren't you?
Also, are you restarting spamd after changing the rules?
Sorry to ask these, but sometimes we lose sight of the obvious.
Re: How do i block email with a domain in a message like this?
Posted by John Hardin <jh...@impsec.org>.
On Thu, 16 Oct 2008, linuxbox wrote:
> because i tried this:
>
> uri spam_domains_22 /baddomain\.com/i
> score spam_domains_22 20
>
> and that did not work...
That surely should work.
Silly question, forgive me, but... you _are_ putting your chosen evil
domain name in place of "baddomain" for testing the rule, aren't you?
Also, are you restarting spamd after changing the rules?
Sorry to ask these, but sometimes we lose sight of the obvious.
Re: How do i block email with a domain in a message like this?
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Thu, 2008-10-16 at 13:02 -0700, linuxbox wrote:
> are you saying that uri will work if the message is an attachment?
What attachment? The example you showed had multipart/alternative. The
only attachment was a small image.
> because i tried this:
>
> uri spam_domains_22 /baddomain\.com/i
> score spam_domains_22 20
>
> and that did not work.........................
All things being normal, it should work fine.
Does spamassassin -D < the.message kick out any interesting errors?
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: How do i block email with a domain in a message like this?
Posted by linuxbox <xf...@westky.com>.
are you saying that uri will work if the message is an attachment?
because i tried this:
uri spam_domains_22 /baddomain\.com/i
score spam_domains_22 20
and that did not work.........................
McDonald, Dan wrote:
>
> On Thu, 2008-10-16 at 08:02 -0700, linuxbox wrote:
>> Hello there. I have a problem with blocking an email with spamassassin.
>> normally when i want to block a domain in an email, be it html or plain
>> text
>> i would have a rule such as this, and this works perfectly:
>>
>> rawbody spam_domains /blockeddomain\.com/i
>> score spam_domains 20
>
> Why not use a uri rule instead of rawbody? That way, it doesn't matter
> how they encode it...
>
> uri spam_domains /blockeddomain\.com/i
> score spam_domains 20
>
>
> --
> Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
> Austin Energy
> http://www.austinenergy.com
>
>
>
>
--
View this message in context: http://www.nabble.com/How-do-i-block-email-with-a-domain-in-a-message-like-this--tp20015221p20016582.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: How do i block email with a domain in a message like this?
Posted by John Hardin <jh...@impsec.org>.
On Thu, 16 Oct 2008, Randy wrote:
> John Hardin wrote:
>
>> How does the MTA block on a domain name _in the message body_ without
>> passing it to a filtering application?
>
> Postfix can do this so my suggestion stands. Look for body_checks in
> Postfix.
I wasn't aware postfix had that as a builtin. I stand corrected.
However, as mouss pointed out, the body scanning capabilities in postfix
(and milter-regex) are simplistic compared to the decoding abilities in SA.
They'd certainly suffice to prune the low-hanging fruit, as this example
was, but would not be robust in the face of obfuscation (which is not a
reason to avoid using them!).
Re: How do i block email with a domain in a message like this?
Posted by Randy <rr...@livedatagroup.com>.
John Hardin wrote:
> On Thu, 16 Oct 2008, Randy wrote:
>
>> McDonald, Dan wrote:
>>> On Thu, 2008-10-16 at 08:02 -0700, linuxbox wrote:
>>>
>>> > rawbody spam_domains /blockeddomain\.com/i
>>>
>>> uri spam_domains /blockeddomain\.com/i
>>
>> If you need to block a domain from sending e-mail, then use the mail
>> server to handle it. It is better to block messages from even getting
>> to your filtering applications.
>
> How does the MTA block on a domain name _in the message body_ without
> passing it to a filtering application?
>
> Your answer, while valid, isn't germane to the OP's question.
>
Postfix can do this so my suggestion stands. Look for body_checks in
Postfix. However, this isn't "germane" if the OP simply chooses to mark
messages as spam with spamassassin. The key word he used was "block"
and when I read block I look at the MTA.
OP original quote.
"Hello there. I have a problem with blocking an email with spamassassin.
normally when i want to block a domain in an email, be it html or plain
text
i would have a rule such as this, and this works perfectly: "
Re: How do i block email with a domain in a message like this?
Posted by John Hardin <jh...@impsec.org>.
On Thu, 16 Oct 2008, mouss wrote:
> John Hardin a écrit :
>> On Thu, 16 Oct 2008, Randy wrote:
>>
>>> McDonald, Dan wrote:
>>>> On Thu, 2008-10-16 at 08:02 -0700, linuxbox wrote:
>>>>
>>>>> rawbody spam_domains /blockeddomain\.com/i
>>>>
>>>> uri spam_domains /blockeddomain\.com/i
>>>
>>> If you need to block a domain from sending e-mail, then use the mail
>>> server to handle it. It is better to block messages from even getting
>>> to your filtering applications.
>>
>> How does the MTA block on a domain name _in the message body_ without
>> passing it to a filtering application?
>
> I guess he meant something like postfix body_checks, but that's not an
> appropriate filtering mechanism (it checks one line at a time and
> doesn't decode).
The same applies to milter_regex with sendmail.
Re: How do i block email with a domain in a message like this?
Posted by mouss <mo...@netoyen.net>.
John Hardin a écrit :
> On Thu, 16 Oct 2008, Randy wrote:
>
>> McDonald, Dan wrote:
>>> On Thu, 2008-10-16 at 08:02 -0700, linuxbox wrote:
>>>
>>> > rawbody spam_domains /blockeddomain\.com/i
>>>
>>> uri spam_domains /blockeddomain\.com/i
>>
>> If you need to block a domain from sending e-mail, then use the mail
>> server to handle it. It is better to block messages from even getting
>> to your filtering applications.
>
> How does the MTA block on a domain name _in the message body_ without
> passing it to a filtering application?
>
I guess he meant something like postfix body_checks, but that's not an
appropriate filtering mechanism (it checks one line at a time and
doesn't decode).
> Your answer, while valid, isn't germane to the OP's question.
>
Re: How do i block email with a domain in a message like this?
Posted by John Hardin <jh...@impsec.org>.
On Thu, 16 Oct 2008, Randy wrote:
> McDonald, Dan wrote:
>> On Thu, 2008-10-16 at 08:02 -0700, linuxbox wrote:
>>
>> > rawbody spam_domains /blockeddomain\.com/i
>>
>> uri spam_domains /blockeddomain\.com/i
>
> If you need to block a domain from sending e-mail, then use the mail
> server to handle it. It is better to block messages from even getting to
> your filtering applications.
How does the MTA block on a domain name _in the message body_ without
passing it to a filtering application?
Your answer, while valid, isn't germane to the OP's question.
Re: How do i block email with a domain in a message like this?
Posted by Randy <rr...@livedatagroup.com>.
McDonald, Dan wrote:
> On Thu, 2008-10-16 at 08:02 -0700, linuxbox wrote:
>
>> Hello there. I have a problem with blocking an email with spamassassin.
>> normally when i want to block a domain in an email, be it html or plain text
>> i would have a rule such as this, and this works perfectly:
>>
>> rawbody spam_domains /blockeddomain\.com/i
>> score spam_domains 20
>>
>
> Why not use a uri rule instead of rawbody? That way, it doesn't matter
> how they encode it...
>
> uri spam_domains /blockeddomain\.com/i
> score spam_domains 20
>
>
>
If you need to block a domain from sending e-mail, then use the mail
server to handle it. It is better to block messages from even getting to
your filtering applications.
Randy Ramsdell
Foreclosure.com
Re: How do i block email with a domain in a message like this?
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Thu, 2008-10-16 at 08:02 -0700, linuxbox wrote:
> Hello there. I have a problem with blocking an email with spamassassin.
> normally when i want to block a domain in an email, be it html or plain text
> i would have a rule such as this, and this works perfectly:
>
> rawbody spam_domains /blockeddomain\.com/i
> score spam_domains 20
Why not use a uri rule instead of rawbody? That way, it doesn't matter
how they encode it...
uri spam_domains /blockeddomain\.com/i
score spam_domains 20
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
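
Added example (not written by any poster in this thread, and not SpamAssassin's or Postfix's own code): a simplified Python model of the two approaches discussed here, a matcher that looks at one raw line at a time without decoding (the limitation mouss describes for body_checks) and a matcher that decodes each text part and then checks the URIs it finds (the idea behind the uri rule suggestion above). The domain baddomain.example, the sample messages and all function names are constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Constructed placeholder domain (reserved .example TLD), not from the thread.
RULE = re.compile(r"baddomain\.example", re.I)
URI_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

HTML = ('<html><body><a href="http://www.baddomain.example/offer/">'
        'Unsubscribe</a></body></html>\n')

# The same HTML as quoted-printable, with a soft line break ("=" at the end
# of a line) falling inside the host name.
HTML_QP = ('<html><body><a href=3D"http://www.baddo=\n'
           'main.example/offer/">Unsubscribe</a></body></html>\n')


def build_message(encoded_html, cte):
    """Return a constructed multipart/alternative message as raw text."""
    return (
        "From: sender@sender.example\n"
        "To: rcpt@rcpt.example\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="b1"\n'
        "\n"
        "--b1\n"
        'Content-Type: text/plain; charset="us-ascii"\n'
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        "This is an advertisement.\n"
        "--b1\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        f"Content-Transfer-Encoding: {cte}\n"
        "\n"
        f"{encoded_html}"
        "--b1--\n"
    )


def line_at_a_time_match(raw, pattern):
    """Match each raw line on its own, with no MIME decoding."""
    return any(pattern.search(line) for line in raw.splitlines())


def decoded_uris(raw):
    """Decode every text/* part, then collect the URIs found in it."""
    uris = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "us-ascii"
        text = payload.decode(charset, errors="replace")
        uris.extend(URI_RE.findall(text))
    return uris


def uri_match(raw, pattern):
    """Apply the pattern to decoded URIs instead of raw lines."""
    return any(pattern.search(u) for u in decoded_uris(raw))


def compare(raw):
    """Return (raw line-at-a-time hit, decoded URI hit) for one message."""
    return line_at_a_time_match(raw, RULE), uri_match(raw, RULE)


# Three constructed messages carrying the same link in different encodings.
SAMPLES = {
    "7bit": build_message(HTML, "7bit"),
    "quoted-printable": build_message(HTML_QP, "quoted-printable"),
    "base64": build_message(
        base64.encodebytes(HTML.encode()).decode(), "base64"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, compare(raw))
```

Only the 7bit sample is caught by the raw per-line matcher; all three are caught once the part is decoded and the URI is checked.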
Re: How do i block email with a domain in a message like this?
Posted by Eric Foster <co...@westky.com>.
Yes, my spamassassin added this. I'm using Kerio Mailserver and it uses spamassassin. i write my own regular expression rules in
a file called 80_domains.cf and it does a great job at blocking most things i need but it won't block that email i posted. i'm not familiar with URI rules so i'll look into that.
----- Original Message -----
From: Jeff Mincy
To: linuxbox
Cc: users@spamassassin.apache.org
Sent: Thursday, October 16, 2008 10:26 AM
Subject: Re: How do i block email with a domain in a message like this?
From: linuxbox <xf...@westky.com>
Date: Thu, 16 Oct 2008 08:02:23 -0700 (PDT)
Hello there. I have a problem with blocking an email with spamassassin.
normally when i want to block a domain in an email, be it html or plain text
i would have a rule such as this, and this works perfectly:
rawbody spam_domains /blockeddomain\.com/i
however today i received an email in this format and it does not get blocked
by my rawbody rule that includes the domain i wish to block. the src code
of the email is in the code snippet below
...
full spam_domains /yourpening\.com/i
score spam_domains 20
can anyone show me a rule or something in spamassassin that would block
email with that domain?
here is the email source:
Return-Path: <my...@myemail.com>
...
X-Spam-Status: No, hits=0.0 required=5.0
tests=TOTAL_SCORE: 0.000
The X-Spam-Status line on the message is suspicious.
Was this header in the original message or did your SpamAssassin add this?
How are you calling SpamAssassin? Are you using procmail or something
that skips messages that already have a X-Spam-Status line?
Also, as already pointed out, use uri rules instead of full or rawbody.
-jeff
Re: How do i block email with a domain in a message like this?
Posted by Jeff Mincy <je...@delphioutpost.com>.
From: linuxbox <xf...@westky.com>
Date: Thu, 16 Oct 2008 08:02:23 -0700 (PDT)
Hello there. I have a problem with blocking an email with spamassassin.
normally when i want to block a domain in an email, be it html or plain text
i would have a rule such as this, and this works perfectly:
rawbody spam_domains /blockeddomain\.com/i
however today i received an email in this format and it does not get blocked
by my rawbody rule that includes the domain i wish to block. the src code
of the email is in the code snippet below
...
full spam_domains /yourpening\.com/i
score spam_domains 20
can anyone show me a rule or something in spamassassin that would block
email with that domain?
here is the email source:
Return-Path: <my...@myemail.com>
...
X-Spam-Status: No, hits=0.0 required=5.0
tests=TOTAL_SCORE: 0.000
The X-Spam-Status line on the message is suspicious.
Was this header in the original message or did your SpamAssassin add this?
How are you calling SpamAssassin? Are you using procmail or something
that skips messages that already have a X-Spam-Status line?
Also, as already pointed out, use uri rules instead of full or rawbody.
-jeff