Posted to users@spamassassin.apache.org by "chino@antennex.com" <ch...@antennex.com> on 2015/06/29 18:42:37 UTC

India spam

Hello, this is my first time on the list and would appreciate some help on a recipe. This may have been answered already as I can't imagine others not experiencing a similar issue. I've searched google but haven't found the searchable spamassassin list yet.

My question:
How can I format a recipe that will catch the ".in.net" portion of an IP as many domain names are used in front of that domain bit?

Any help please?



Warmest regards,
Mark Chino
--
chino@antennex.com 
www.antennex.com

Re: Re: India spam

Posted by "chino@antennex.com" <ch...@antennex.com>.




From: Axb
Date: 2015-06-29 14:04
To: users
Subject: Re: India spam
On 29.06.2015 18:42, chino@antennex.com wrote:
> Hello, this is my first time on the list and would appreciate some
> help on a recipe. This may have been answered already as I can't
> imagine others not experiencing a similar issue. I've searched google
> but haven't found the searchable spamassassin list yet.
>
> My question: How can I format a recipe that will catch the ".in.net"
> portion of an IP as many domain names are used in front of that
> domain bit?
>
> Any help please?
 
after a lot of noise.... you want to tag the URI or the URI's A record IP?
For the URI, how about something like:
 
uri URI_NET_IN /\w+\.net\.in/
 
and set score as high as you please
 
OR if you want something drastic AND you are using SA 3.4.x
 
blacklist_uri_host net.in

IF you want to list the URI's A record IPs you'll need to run a local IP
BL - whole different story
 
h2h
Axb
------------------------------------
Many thanks, Axb!

Actually, I'm more inclined to snag the domain rather than the IP as the IP may be innocent.

I like your ideas, and will start with the first one and watch the headers as these are really annoying and want 'em gone! I'm using the latest version of SA, so I can try them all.
 
Again, my apologies for intruding on the wrong list!!

/Chino

Re: India spam

Posted by Axb <ax...@gmail.com>.
On 29.06.2015 18:42, chino@antennex.com wrote:
> Hello, this is my first time on the list and would appreciate some
> help on a recipe. This may have been answered already as I can't
> imagine others not experiencing a similar issue. I've searched google
> but haven't found the searchable spamassassin list yet.
>
> My question: How can I format a recipe that will catch the ".in.net"
> portion of an IP as many domain names are used in front of that
> domain bit?
>
> Any help please?

after a lot of noise.... you want to tag the URI or the URI's A record IP?

For the URI, how about something like:

uri	URI_NET_IN	/\w+\.net\.in/

and set score as high as you please

OR if you want something drastic AND you are using SA 3.4.x

blacklist_uri_host	net.in


IF you want to list the URI's A record IPs you'll need to run a local IP 
BL - whole different story

h2h

Axb






Re: India spam

Posted by Reindl Harald <h....@thelounge.net>.

On 29.06.2015 at 18:42, chino@antennex.com wrote:
> Hello, this is my first time on the list and would appreciate some help
> on a recipe. This may have been answered already as I can't imagine
> others not experiencing a similar issue. I've searched google but
> haven't found the searchable spamassassin list yet.
>
> My question:
> How can I format a recipe that will catch the ".in.net" portion of an IP
> as many domain names are used in front of that domain bit?
>
> Any help please?

you could use regex tables on the MTA side
http://www.postfix.org/postconf.5.html

check_reverse_client_hostname_access type:table
Search the specified access database for the unverified reverse client
hostname, parent domains, client IP address, or networks obtained by
stripping least significant octets. See the access(5) manual page for
details. Note: a result of "OK" is not allowed for safety reasons. Instead,
use DUNNO in order to exclude specific hosts from blacklists. This feature
is available in Postfix 2.6 and later.


Re: Re: India spam

Posted by John Hardin <jh...@impsec.org>.
On Mon, 29 Jun 2015, chino@antennex.com wrote:

> Untested:
>
> * ^Received: .*from [^ ]*\.in\.net[ ]
>
> * ^From: .*\.in\.net[>$]
>
> * ^Return-Path: .*\.in\.net>
>
> * ^Message-ID: .*\.in\.net>
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> ---------------------------------------------------
>
> John:
> How about this one-liner then? They do move the handles around a lot.
> :0:
> * ^Received: .*from [^ ]*\.in\.net[ ]|* ^From: .*\.in\.net[>$]|* ^Return-Path: .*\.in\.net>|* ^Message-ID: .*\.in\.net>
> $SPAM

The asterisks at the beginning of the line are Procmail stuff that's not 
part of the RE.

The combined version would be something like:

* ^(Received|From|Return-Path|Message-ID):[ 	].*\.in\.net[> ]

Note that the [ 	] is a space and a tab, not a bunch of spaces.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Democrats '61: Ask not what your country can do for you,
    ask what you can do for your country.
   Democrats '07: Ask not what your country can do for you,
    demand it!
-----------------------------------------------------------------------
  5 days until the 239th anniversary of the Declaration of Independence
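To see why the bare /\.in\.net/ RE is FP-prone while the header-bounded conditions above are not, here is an added Python check (not from the thread) that runs the bounded patterns and the combined one-liner over constructed sample headers; the ham and spam header blocks are made up for the example, and Python's re.MULTILINE stands in for procmail anchoring ^ at each header line.

```python
import re

# Constructed spam headers in the style described in the thread (not real mail).
SPAM_HEADERS = """\
Return-Path: <def@nogood.in.net>
Received: from mail.nogood.in.net (mail.nogood.in.net [192.0.2.10]) by mx.example.test
From: "Deals" <abc@baloney.in.net>
Message-ID: <20150629.123@fake.in.net>
Subject: cheap offers
"""

# Constructed legitimate headers whose Subject happens to contain ".in.net".
HAM_HEADERS = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.7]) by mx.example.test
From: Alice <alice@example.org>
Message-ID: <abc123@example.org>
Subject: checking.in.net-meeting notes
"""

# The unbounded RE: matches anywhere in the header block, including Subject.
BARE = re.compile(r"\.in\.net", re.M)

# The four bounded conditions from the thread; the leading "* " is procmail
# syntax, not part of the RE, so it is dropped here. Inside [...] the $ is literal.
BOUNDED = [
    re.compile(r"^Received: .*from [^ ]*\.in\.net[ ]", re.M),
    re.compile(r"^From: .*\.in\.net[>$]", re.M),
    re.compile(r"^Return-Path: .*\.in\.net>", re.M),
    re.compile(r"^Message-ID: .*\.in\.net>", re.M),
]

# The combined single condition: the bracket holds a space and a tab.
COMBINED = re.compile(r"^(Received|From|Return-Path|Message-ID):[ \t].*\.in\.net[> ]", re.M)


def bare_hits(headers: str) -> int:
    """Number of places the unbounded RE fires in the header block."""
    return len(BARE.findall(headers))


def bounded_hits(headers: str) -> int:
    """Number of the four bounded header conditions that fire."""
    return sum(1 for pat in BOUNDED if pat.search(headers))


def combined_hit(headers: str) -> bool:
    """Whether the single combined condition fires."""
    return COMBINED.search(headers) is not None
```

On the ham block the bare RE fires once (on the Subject line) while none of the bounded conditions do, which is the false positive John describes; on the spam block all four bounded conditions and the combined one fire.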

Re: Re: India spam

Posted by "chino@antennex.com" <ch...@antennex.com>.



Warmest regards,
Mark Chino
--
chino@antennex.com 
www.antennex.com
 
From: John Hardin
Date: 2015-06-29 17:33
To: chino@antennex.com
CC: USERS-SPAMASSASSIN
Subject: Re: Re: India spam
On Mon, 29 Jun 2015, chino@antennex.com wrote:
 
> Here's what typical examples would look like:
> abc@baloney.in.net
> def@nogood.in.net
> ddd@fake.in.net
> ....and on and on.
>
> I've looked up some of the domains used which are not as obvious as my examples and they don't exist. The IPs may be OK and don't want to use IPs to snag those.
>
> Again, not many constants in the bodies to do much good to use "HB ??" in the recipe to look in the header and body.
 
Well, the basic /\.in\.net/ RE is likely to be rather FP-prone, especially 
in Procmail if you aren't using weighting.
 
There are ways to bound that RE to limit what it will match, but different 
parts of the message will need different bounds.
 
Untested:
 
* ^Received: .*from [^ ]*\.in\.net[ ]
 
* ^From: .*\.in\.net[>$]
 
* ^Return-Path: .*\.in\.net>
 
* ^Message-ID: .*\.in\.net>
 
-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
---------------------------------------------------

John:
How about this one-liner then? They do move the handles around a lot.
:0:
* ^Received: .*from [^ ]*\.in\.net[ ]|* ^From: .*\.in\.net[>$]|* ^Return-Path: .*\.in\.net>|* ^Message-ID: .*\.in\.net> 
$SPAM

/Chino

Re: Re: India spam

Posted by John Hardin <jh...@impsec.org>.
On Mon, 29 Jun 2015, chino@antennex.com wrote:

> Here's what typical examples would look like:
> abc@baloney.in.net
> def@nogood.in.net
> ddd@fake.in.net
> ....and on and on.
>
> I've looked up some of the domains used which are not as obvious as my examples and they don't exist. The IPs may be OK and don't want to use IPs to snag those.
>
> Again, not many constants in the bodies to do much good to use "HB ??" in the recipe to look in the header and body.

Well, the basic /\.in\.net/ RE is likely to be rather FP-prone, especially 
in Procmail if you aren't using weighting.

There are ways to bound that RE to limit what it will match, but different 
parts of the message will need different bounds.

Untested:

* ^Received: .*from [^ ]*\.in\.net[ ]

* ^From: .*\.in\.net[>$]

* ^Return-Path: .*\.in\.net>

* ^Message-ID: .*\.in\.net>

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79

Re: Re: India spam

Posted by "chino@antennex.com" <ch...@antennex.com>.
From: John Hardin
Date: 2015-06-29 14:39
To: chino@antennex.com
CC: SpamAssassin Users List
Subject: Re: Re: India spam
Keep replies on-list, please.
 
On Mon, 29 Jun 2015, chino@antennex.com wrote:
>>
>>> How can I format a recipe that will catch the ".in.net" portion of an 
>>> IP as many domain names are used in front of that domain bit?
>>
>> Where do you want to look for that? In the sender's email address? In 
>> URLs embedded in the message body? In MTA relays?
>>
>> --
>>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>
> First I misspoke by stating recipe for spamass. That should be procmail.
 
Not a problem.
 
> Somehow catching those in the domain name would be the broadest way if 
> possible. I am using some phrases found in the body already, but that 
> only applies to some. Every day, I get a bunch from the ".in.net" domain.
 
You still need to clarify where you want to look for ".in.net". The last 
bit suggests in the from address.
 
Can you post a spample to (e.g.) pastebin so that we can take a look?
 
-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
=================================================================

Hi John!
Thanks for the response.

Here's what typical examples would look like:
abc@baloney.in.net 
def@nogood.in.net 
ddd@fake.in.net 
....and on and on.

I've looked up some of the domains used which are not as obvious as my examples and they don't exist. The IPs may be OK and don't want to use IPs to snag those.

Again, not many constants in the bodies to do much good to use "HB ??" in the recipe to look in the header and body.

Does the above explain better?
/Chino


Re: Re: India spam

Posted by John Hardin <jh...@impsec.org>.
Keep replies on-list, please.

On Mon, 29 Jun 2015, chino@antennex.com wrote:
>>
>>> How can I format a recipe that will catch the ".in.net" portion of an 
>>> IP as many domain names are used in front of that domain bit?
>>
>> Where do you want to look for that? In the sender's email address? In 
>> URLs embedded in the message body? In MTA relays?
>>
>> --
>>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>
> First I misspoke by stating recipe for spamass. That should be procmail.

Not a problem.

> Somehow catching those in the domain name would be the broadest way if 
> possible. I am using some phrases found in the body already, but that 
> only applies to some. Every day, I get a bunch from the ".in.net" domain.

You still need to clarify where you want to look for ".in.net". The last 
bit suggests in the from address.

Can you post a spample to (e.g.) pastebin so that we can take a look?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79

Re: India spam

Posted by John Hardin <jh...@impsec.org>.
On Mon, 29 Jun 2015, chino@antennex.com wrote:

> How can I format a recipe that will catch the ".in.net" portion of an IP 
> as many domain names are used in front of that domain bit?

Where do you want to look for that? In the sender's email address? In URLs 
embedded in the message body? In MTA relays?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79