Posted to users@spamassassin.apache.org by "emailitis.com" <in...@emailitis.com> on 2014/08/29 11:48:27 UTC

Advice on how to block via a mail domain in maillog

I have a lot of Spam getting into our mail servers where the common thread
is cloudapp

 

/root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl:
qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458
6225 compare@franking-expert.co.uk user@domain.com Saving_by_Switching
<34...@expert.cloudapp.net>
1409137091.12021-1.plesk3.hostname.co.uk:3019
1409137091.12021-0.plesk3.emailitis.co.uk:1263
orig-plesk3.hostname.co.uk140913709079712013:6225

 

And the hyperlinks in the emails are http://expert.cloudapp.net/..... 

 

Please could you advise on how I can block by the information on the maillog
on that, or using a rule which checks the URL to include the above thread?

 

Many thanks in advance for any help,

 

Christoph 

 


Re: Advice on how to block via a mail domain in maillog

Posted by Axb <ax...@gmail.com>.
On 08/29/2014 02:45 PM, Kevin A. McGrail wrote:
> On 8/29/2014 5:48 AM, emailitis.com wrote:
>>
>> I have a lot of Spam getting into our mail servers where the common
>> thread is cloudapp
>>
>> /root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3
>> qmail-scanner-queue.pl: qmail-scanner[12013]:
>> Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225
>> compare@franking-expert.co.uk user@domain.com Saving_by_Switching
>> <3442703078ef969a9f97133682d9e3f1@*expert.cloudapp.net*>
>> 1409137091.12021-1.plesk3.hostname.co.uk:3019
>> 1409137091.12021-0.plesk3.emailitis.co.uk:1263
>> orig-plesk3.hostname.co.uk140913709079712013:6225
>>
>> And the hyperlinks in the emails are http://expert.cloudapp.net/.....
>>
>> Please could you advise on how I can block by the information on the
>> maillog on that, or using a rule which checks the URL to include the
>> above thread?
>>
>> Many thanks in advance for any help,
>>
>> Christoph
>>
> Christoph,
>
> There is a new feature in trunk that I believe will help you easily
> called URILocalBL.pm

or with SA 3.4

blacklist_uri_host expert.cloudapp.net

or if you want it wider

blacklist_uri_host cloudapp.net

can't be easier than that.


Re: Advice on how to block via a mail domain in maillog

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2014-08-29 at 12:43 -0600, Philip Prindeville wrote:
> On Aug 29, 2014, at 6:45 AM, Kevin A. McGrail <KM...@PCCC.com> wrote:
> > On 8/29/2014 5:48 AM, emailitis.com wrote:

> > > I have a lot of Spam getting into our mail servers where the common
> > > thread is cloudapp

You guys realize cloudapp.net is Microsoft Azure, don't you?


> > > And the hyperlinks in the emails are http://expert.cloudapp.net/.....
> > > 
> > > Please could you advise on how I can block by the information on
> > > the maillog on that, or using a rule which checks the URL to include
> > > the above thread?

SA does not block.


> > There is a new feature in trunk that I believe will help you easily
> > called URILocalBL.pm

> That should do it.
> 
> There’s a configuration example in the bug, and POD documentation in
> the plugin, but in this particular case you’d do something like:
> 
> uri_block_cidr L_BLOCK_CLOUDAPP	191.237.208.246
> body L_BLOCK_CLOUDAPP		eval:check_uri_local_bl()

That seems an overly complicated variant of a simple uri regex rule. And
it really depends on the IP to match a URI? And manually looking it up?

  uri URI_EXPERT_CLOUDAPP  m~^https?://expert\.cloudapp\.net(?:/|$)~


> describe L_BLOCK_CLOUDAPP	Block URI’s pointing to expert.cloudapp.net
> score L_BLOCK_CLOUDAPP		5.0

SA does not block. *sigh*


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
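
Added example, not code from any poster in this thread: a Python model of what the two `blacklist_uri_host` entries suggested above and a host-anchored `uri` regex would each flag, run over constructed URIs. It assumes a listed entry covers the host itself and its subdomains (check the Mail::SpamAssassin::Conf documentation for your version); every hostname except expert.cloudapp.net is made up.

```python
import re
from urllib.parse import urlsplit

# Host-anchored uri pattern that also accepts a path, port or query after
# the host (written for this example; not a rule quoted from the thread).
URI_RE = re.compile(r"^https?://expert\.cloudapp\.net(?:[/:?#]|$)", re.I)

def host_listed(uri, entry):
    """Assumed entry semantics: the listed host itself or any subdomain."""
    host = (urlsplit(uri).hostname or "").rstrip(".")
    entry = entry.lower().lstrip(".")
    return host == entry or host.endswith("." + entry)

def scope(uris, entry):
    """URIs that a single host-or-domain entry would flag."""
    return [u for u in uris if host_listed(u, entry)]

# Constructed URIs; only expert.cloudapp.net appears in the thread.
SAMPLES = [
    "http://expert.cloudapp.net/offer?id=1",
    "HTTP://Expert.CloudApp.net",
    "https://other-tenant.cloudapp.net/login",  # unrelated Azure tenant
    "http://expert.cloudapp.net.example.org/",  # lookalike parent domain
    "http://notcloudapp.net/",                  # shares only a string suffix
]

def report(uris=SAMPLES):
    """(uri, narrow entry hit, wide entry hit, regex hit) per URI."""
    return [(u,
             host_listed(u, "expert.cloudapp.net"),
             host_listed(u, "cloudapp.net"),
             bool(URI_RE.match(u)))
            for u in uris]

if __name__ == "__main__":
    for uri, narrow, wide, rx in report():
        print(f"{uri:45} narrow={narrow!s:5} wide={wide!s:5} regex={rx}")
```

The third sample is the cost of the wide entry: it flags every other tenant hosted under cloudapp.net, while the narrow entry and the regex flag only the one host.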


Re: Advice on how to block via a mail domain in maillog

Posted by Philip Prindeville <ph...@redfish-solutions.com>.
On Aug 29, 2014, at 6:45 AM, Kevin A. McGrail <KM...@PCCC.com> wrote:

> On 8/29/2014 5:48 AM, emailitis.com wrote:
>> I have a lot of Spam getting into our mail servers where the common thread is cloudapp
>>  
>> /root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl: qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225 compare@franking-expert.co.uk user@domain.com Saving_by_Switching <34...@expert.cloudapp.net> 1409137091.12021-1.plesk3.hostname.co.uk:3019 1409137091.12021-0.plesk3.emailitis.co.uk:1263 orig-plesk3.hostname.co.uk140913709079712013:6225
>>  
>> And the hyperlinks in the emails are http://expert.cloudapp.net/.....
>>  
>> Please could you advise on how I can block by the information on the maillog on that, or using a rule which checks the URL to include the above thread?
>>  
>> Many thanks in advance for any help,
>>  
>> Christoph
>>  
> Christoph,
> 
> There is a new feature in trunk that I believe will help you easily called URILocalBL.pm
> 
> See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060
> 
> Philip, your thoughts?
> 
> Regards,
> KAM


That should do it.

There’s a configuration example in the bug, and POD documentation in the plugin, but in this particular case you’d do something like:

uri_block_cidr L_BLOCK_CLOUDAPP	191.237.208.246
body L_BLOCK_CLOUDAPP		eval:check_uri_local_bl()
describe L_BLOCK_CLOUDAPP	Block URI’s pointing to expert.cloudapp.net
score L_BLOCK_CLOUDAPP		5.0

You should be able to drop in the patch fairly easily.

-Philip




Re: Advice on how to block via a mail domain in maillog

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 8/29/2014 5:48 AM, emailitis.com wrote:
>
> I have a lot of Spam getting into our mail servers where the common 
> thread is cloudapp
>
> /root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 
> qmail-scanner-queue.pl: qmail-scanner[12013]: 
> Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225 
> compare@franking-expert.co.uk user@domain.com Saving_by_Switching 
> <3442703078ef969a9f97133682d9e3f1@*expert.cloudapp.net*> 
> 1409137091.12021-1.plesk3.hostname.co.uk:3019 
> 1409137091.12021-0.plesk3.emailitis.co.uk:1263 
> orig-plesk3.hostname.co.uk140913709079712013:6225
>
> And the hyperlinks in the emails are http://expert.cloudapp.net/.....
>
> Please could you advise on how I can block by the information on the 
> maillog on that, or using a rule which checks the URL to include the 
> above thread?
>
> Many thanks in advance for any help,
>
> Christoph
>
Christoph,

There is a new feature in trunk that I believe will help you easily 
called URILocalBL.pm

See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060

Philip, your thoughts?

Regards,
KAM