Posted to users@spamassassin.apache.org by Brent Clark <br...@gmail.com> on 2018/11/27 10:51:40 UTC
X-Relay-Countries not working
Good day Guys
I have the following spam email, and I picked up that the plugin
'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.
https://pastebin.com/i45KsgVk
header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
describe RELAYCOUNTRY_BAD Relayed through foreign countries
score RELAYCOUNTRY_BAD 1.0
add_header all Relay-Country _RELAYCOUNTRY_
In my testing, I added ZA, and it picked up for IP 196.35.198.137.
Also, does anyone know why the 27.102.212.207 is in square brackets.
Geoip picks up:
$ geoiplookup 27.102.212.207
GeoIP Country Edition: KR, Korea, Republic of
Would anyone please share a rule, I can use to catch the above spam.
Regards
Brent Clark
P.s.
I'm running
spamassassin 3.4.2-1~deb9u1
Re: X-Relay-Countries not working
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 27.11.18 12:51, Brent Clark wrote:
>I have the following spam email, and I picked up that the plugin
>'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.
>
>https://pastebin.com/i45KsgVk
>
>header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
>describe RELAYCOUNTRY_BAD Relayed through foreign countries
>score RELAYCOUNTRY_BAD 1.0
>add_header all Relay-Country _RELAYCOUNTRY_
>
>In my testing, I added ZA, and it picked up for IP 196.35.198.137.
>
>Also, does anyone know why the 27.102.212.207 is in square brackets.
>
>Geoip picks up:
>
>$ geoiplookup 27.102.212.207
>GeoIP Country Edition: KR, Korea, Republic of
>
>Would anyone please share a rule, I can use to catch the above spam.
tried running "spamassassin -D" over the e-mail?
just to see if it picks the rule, if it finds the database etc
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: X-Relay-Countries not working
Posted by Dominic Raferd <do...@timedicer.co.uk>.
On Wed, 28 Nov 2018 at 10:36, Brent Clark <br...@gmail.com> wrote:
> Sorry if I can just add, maybe the documentation can be updated?
>
> https://wiki.apache.org/spamassassin/RelayCountryPlugin
I think the documentation is fine, the example with the hat/circumflex has
describe text 'First untrusted relay is...'. It assumes some knowledge of
regex syntax that is all.
Re: X-Relay-Countries not working
Posted by Brent Clark <br...@gmail.com>.
Sorry if I can just add, maybe the documentation can be updated?
https://wiki.apache.org/spamassassin/RelayCountryPlugin
Regards
Brent
On 2018/11/28 12:32, Brent Clark wrote:
> This was it.
>
> You guys are the best. Thanks so much.
>
> Regards
> Brent
>
> On 2018/11/28 08:26, Dominic Raferd wrote:
>>
>>
>> On Wed, 28 Nov 2018 at 06:15, Brent Clark <brentgclarklist@gmail.com> wrote:
>>
>> Thanks for replying
>>
>> I did as you asked, here is the pastebin
>>
>> https://pastebin.com/XqSXndpW
>>
>> I could not see anything like you describe (i.e "I've found that the
>> plugin will fallback to the 'fast' version ...")
>>
>> It looks like KR is getting found but if you look at the pastebin
>> below,
>> it does not display RELAYCOUNTRY
>>
>> https://pastebin.com/sh8S10ph
>>
>>
>> You use a hat ^ so that only the first (or ?last) relay server's
>> country is matched. Maybe this is the problem? Try using:
>>
>> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|SU|IN|BR|UA|KR)/
>>
>> I use a similar header match string (but with GeoIP2 database, not the
>> old GeoIP) and it seems to work fine.
Re: X-Relay-Countries not working
Posted by Brent Clark <br...@gmail.com>.
This was it.
You guys are the best. Thanks so much.
Regards
Brent
On 2018/11/28 08:26, Dominic Raferd wrote:
>
>
> On Wed, 28 Nov 2018 at 06:15, Brent Clark <brentgclarklist@gmail.com> wrote:
>
> Thanks for replying
>
> I did as you asked, here is the pastebin
>
> https://pastebin.com/XqSXndpW
>
> I could not see anything like you describe (i.e "I've found that the
> plugin will fallback to the 'fast' version ...")
>
> It looks like KR is getting found but if you look at the pastebin
> below,
> it does not display RELAYCOUNTRY
>
> https://pastebin.com/sh8S10ph
>
>
> You use a hat ^ so that only the first (or ?last) relay server's country
> is matched. Maybe this is the problem? Try using:
>
> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|SU|IN|BR|UA|KR)/
>
> I use a similar header match string (but with GeoIP2 database, not the
> old GeoIP) and it seems to work fine.
Re: X-Relay-Countries not working
Posted by Dominic Raferd <do...@timedicer.co.uk>.
On Wed, 28 Nov 2018 at 06:15, Brent Clark <br...@gmail.com> wrote:
> Thanks for replying
>
> I did as you asked, here is the pastebin
>
> https://pastebin.com/XqSXndpW
>
> I could not see anything like you describe (i.e "I've found that the
> plugin will fallback to the 'fast' version ...")
>
> It looks like KR is getting found but if you look at the pastebin below,
> it does not display RELAYCOUNTRY
>
> https://pastebin.com/sh8S10ph
You use a hat ^ so that only the first (or ?last) relay server's country is
matched. Maybe this is the problem? Try using:
header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|SU|IN|BR|UA|KR)/
I use a similar header match string (but with GeoIP2 database, not the old
GeoIP) and it seems to work fine.
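Added example (not part of the original thread, and not SpamAssassin's own code): a small Python check of the anchored and unanchored rules against constructed X-Relay-Countries values, showing why the `^` version misses KR when it is not the first relay country. The sample header values and helper names are assumptions ("ZA KR" is chosen to be consistent with the ZA and KR results reported in the thread), and Python's `re` stands in for Perl's regex engine, which behaves the same for this pattern.

```python
import re

# The two rules from the thread: the original, and the suggested fix without "^".
ANCHORED = "header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/"
UNANCHORED = "header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(CN|RU|SU|IN|BR|UA|KR)/"

# Matches only the simple form "header NAME Header-Name =~ /regex/flags".
RULE_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")


def parse_header_rule(line):
    """Return (rule name, header name, compiled regex) for a header rule line."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a simple header regex rule: %r" % line)
    name, header, pattern, flags = m.groups()
    return name, header, re.compile(pattern, re.I if "i" in flags else 0)


def rule_hits(rule_line, headers):
    """Return the text the rule matched in its header, or None if it did not fire."""
    _name, header, regex = parse_header_rule(rule_line)
    value = headers.get(header)
    if value is None:
        return None
    m = regex.search(value)
    return m.group(0) if m else None


def compare(values):
    """For each X-Relay-Countries value, report what each rule matched."""
    rows = []
    for value in values:
        headers = {"X-Relay-Countries": value}
        rows.append((value, rule_hits(ANCHORED, headers), rule_hits(UNANCHORED, headers)))
    return rows


# Constructed header values (assumptions, not taken from the pastebins).
SAMPLES = ["ZA KR", "KR ZA", "ZA US"]

if __name__ == "__main__":
    for value, anchored, unanchored in compare(SAMPLES):
        print("%-6s anchored=%-5s unanchored=%s" % (value, anchored, unanchored))
```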
Re: X-Relay-Countries not working
Posted by Vitali Quiering <vi...@quiering.com>.
Try removing the eval in the actual code that calls the database file temporarily and check if there are Perl modules missing. I've been there too and had to install some MaxMind reader and database modules.
If they are missing, you'll see an error in the debug log then.
Vitali
> On 28.11.2018 at 07:15, Brent Clark <br...@gmail.com> wrote:
>
> Thanks for replying
>
> I did as you asked, here is the pastebin
>
> https://pastebin.com/XqSXndpW
>
> I could not see anything like you describe (i.e "I've found that the plugin will fallback to the 'fast' version ...")
>
> It looks like KR is getting found but if you look at the pastebin below, it does not display RELAYCOUNTRY
>
> https://pastebin.com/sh8S10ph
>
> I am at a complete loss on this one.
>
> Thanks in advance for your help.
>
> Regards
> Brent
>
>
>
>> On 2018/11/27 16:02, RW wrote:
>> On Tue, 27 Nov 2018 12:51:40 +0200
>> Brent Clark wrote:
>>> Good day Guys
>>>
>>> I have the following spam email, and I picked up that the plugin
>>> 'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.
>>>
>>> https://pastebin.com/i45KsgVk
>> Try running it through
>> spamassassin -D metadata 1>/dev/null
>> and look for debug about what database type is being used. I've found
>> that the plugin will fallback to the 'fast' version if anything is
>> wrong and it only shows up in detailed debug.
>>>
>>> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
>>> describe RELAYCOUNTRY_BAD Relayed through foreign countries
>>> score RELAYCOUNTRY_BAD 1.0
>>> add_header all Relay-Country _RELAYCOUNTRY_
>>>
>>> In my testing, I added ZA, and it picked up for IP 196.35.198.137.
>>>
>>> Also, does anyone know why the 27.102.212.207 is in square brackets.
>> Usually it's to indicate that it's an IP address.
Re: X-Relay-Countries not working
Posted by Brent Clark <br...@gmail.com>.
Thanks for replying
I did as you asked, here is the pastebin
https://pastebin.com/XqSXndpW
I could not see anything like you describe (i.e "I've found that the
plugin will fallback to the 'fast' version ...")
It looks like KR is getting found but if you look at the pastebin below,
it does not display RELAYCOUNTRY
https://pastebin.com/sh8S10ph
I am at a complete loss on this one.
Thanks in advance for your help.
Regards
Brent
On 2018/11/27 16:02, RW wrote:
> On Tue, 27 Nov 2018 12:51:40 +0200
> Brent Clark wrote:
>
>> Good day Guys
>>
>> I have the following spam email, and I picked up that the plugin
>> 'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.
>>
>> https://pastebin.com/i45KsgVk
>
>
> Try running it through
>
> spamassassin -D metadata 1>/dev/null
>
>
> and look for debug about what database type is being used. I've found
> that the plugin will fallback to the 'fast' version if anything is
> wrong and it only shows up in detailed debug.
>
>>
>> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
>> describe RELAYCOUNTRY_BAD Relayed through foreign countries
>> score RELAYCOUNTRY_BAD 1.0
>> add_header all Relay-Country _RELAYCOUNTRY_
>>
>> In my testing, I added ZA, and it picked up for IP 196.35.198.137.
>>
>> Also, does anyone know why the 27.102.212.207 is in square brackets.
>
> Usually it's to indicate that it's an IP address.
>
Re: X-Relay-Countries not working
Posted by RW <rw...@googlemail.com>.
On Tue, 27 Nov 2018 12:51:40 +0200
Brent Clark wrote:
> Good day Guys
>
> I have the following spam email, and I picked up that the plugin
> 'Mail::SpamAssassin::Plugin::RelayCountry', is not picking up Korea.
>
> https://pastebin.com/i45KsgVk
Try running it through
spamassassin -D metadata 1>/dev/null
and look for debug about what database type is being used. I've found
that the plugin will fallback to the 'fast' version if anything is
wrong and it only shows up in detailed debug.
>
> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|IN|BR|UA|KR)/
> describe RELAYCOUNTRY_BAD Relayed through foreign countries
> score RELAYCOUNTRY_BAD 1.0
> add_header all Relay-Country _RELAYCOUNTRY_
>
> In my testing, I added ZA, and it picked up for IP 196.35.198.137.
>
> Also, does anyone know why the 27.102.212.207 is in square brackets.
Usually it's to indicate that it's an IP address.