Posted to users@spamassassin.apache.org by Motty Cruz <mo...@gmail.com> on 2015/08/13 17:10:56 UTC

PatioDeals@recolong.review how to get high score

Hello,

Can I configure SpamAssassin to drop emails with extensions .review? I
get a lot of emails with extensions .date, .br. Or adjust levels so they
get a higher score? Currently it is set to block over 6.2 and this
specific email got a score of 4.2

Return-Path: <Pa...@recolong.review>
X-Original-To: user2@fqdn.com
Delivered-To: user2@fqdn.com
Received: from server2.fqdn.com (server1.fqdn.com [19.16.63.10])
by mail.fqdn.com (Postfix) with ESMTP id 25C4A8A018;
Wed, 12 Aug 2015 22:35:51 -0700 (PDT)
Received: from server1.fqdn.com (localhost [127.0.0.1])
by server2.fqdn.com (Postfix) with ESMTP id 20BF545EAA3
for <iu...@fqdn.com>; Wed, 12 Aug 2015 22:35:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at fqdn.com
X-Spam-Flag: NO
X-Spam-Score: 4.624
X-Spam-Level: ****
X-Spam-Status: No, score=4.624 tagged_above=-999.9 required=5.2
tests=[BAYES_95=3.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from server1.fqdn.com ([127.0.0.1])
by server1.fqdn.com (server1.fqdn.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id JuMHiI2S1AEG for <iu...@fqdn.com>;
Wed, 12 Aug 2015 22:35:49 -0700 (PDT)
Received: from 07a93297.recolong.review (d8gfxe.recolong.review 
[216.169.109.101])
by server1.fqdn.com (Postfix) with ESMTP id AA11C45E9CA
for <iu...@fqdn.com>; Wed, 12 Aug 2015 22:35:48 -0700 (PDT)
Received: from 07a93297.d8gfxe.recolong.review ([127.0.0.1]:20699 
helo=d8gfxe.recolong.review)
by d8gfxe.recolong.review with ESMTP id 07CXOA932FOW97;
for <iu...@fqdn.com>; Wed, 12 Aug 2015 22:35:43 -0700
Date: Wed, 12 Aug 2015 22:35:43 -0700
Message-ID: <17...@d8gfxe.recolong.review>
List-Unsubscribe: <http://www.recolong.review/?func=u>
From: "Patio Deals" <Pa...@recolong.review>
Subject: Luxury outdoor furniture, Browse chairs, Tables And More
To: <iu...@fqdn.com>
Content-Language: en-us
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="UTF-8"

  Thanks,
_Motty


Re: PatioDeals@********* how to get high score

Posted by Paul Stead <pa...@zeninternet.co.uk>.
On 14/08/15 02:23, Alex wrote:
> Hi Paul,
> For those of us not familiar with FMBLA, can you describe it a bit
> further? Is this your thing? Where does it get its information from?
> What form new domain is it exactly checking for?
>
> Thanks,
> Alex
Hi Alex,

No problem. The new domains list is obtained from ICANN; it lists
domains that have appeared in the zone files within the last 7
(127.2.0.2) and 14 (127.2.0.14) days. The TLDs listed are all the
new-type ones. I also have access to the .net and .com zone files, but Day
Old Bread already lists these, but not the new TLD list.

Currently I'm tracking over 500 TLDs, with an average of ~20-30k new
domains per day.

The BL at current has nameservers based in the US and UK, if something a
little more local is required I can look into this. There are other
listings on this zone, including blacklisted domains/ips (127.0.0.1) but
the previous rules attached are specifically for the new domains list.

I'm happy for anyone that falls within the SA free use criteria to use this.

Paul
--
Paul Stead
Systems Engineer
Zen Internet

Re: PatioDeals@********* how to get high score

Posted by Alex <my...@gmail.com>.
Hi Paul,

>> why don't you just score BAYES_95 higher while train that messages
>> properly so they get BAYES_99 - additionally there are sure subject
>> and body-parts for custom, low-scored filters
>
> You could also give the attached a go, score to suit yourself
> urirhssub  BODY_NEWDOMAIN_FMBLA    bl.fmb.la. A 127.2.0.2
> body       BODY_NEWDOMAIN_FMBLA    eval:check_uridnsbl('BODY_NEWDOMAIN_FMBLA')
> describe   BODY_NEWDOMAIN_FMBLA    Body contains URI listed in FMBLA new domains
> tflags     BODY_NEWDOMAIN_FMBLA    net
> score      BODY_NEWDOMAIN_FMBLA    0.1
>
> header     FROM_NEWDOMAIN_FMBLA    eval:check_rbl_from_domain('fmbla', 'bl.fmb.la.', '127.2.0.2')
> describe   FROM_NEWDOMAIN_FMBLA    From address domain listed in FMBLA new domains
> tflags     FROM_NEWDOMAIN_FMBLA    net
> score      FROM_NEWDOMAIN_FMBLA    0.1
>
> urirhssub  BODY_NEWDOMAIN_14_FMBLA    bl.fmb.la. A 127.2.0.14
> body       BODY_NEWDOMAIN_14_FMBLA    eval:check_uridnsbl('BODY_NEWDOMAIN_14_FMBLA')
> describe   BODY_NEWDOMAIN_14_FMBLA    Body contains URI listed in FMBLA new domains - 14 days
> tflags     BODY_NEWDOMAIN_14_FMBLA    net
> score      BODY_NEWDOMAIN_14_FMBLA    0.1
>
> header     FROM_NEWDOMAIN_14_FMBLA    eval:check_rbl_from_domain('fmbla', 'bl.fmb.la.', '127.2.0.14')
> describe   FROM_NEWDOMAIN_14_FMBLA    From address domain listed in FMBLA new domains - 14 days
> tflags     FROM_NEWDOMAIN_14_FMBLA    net
> score      FROM_NEWDOMAIN_14_FMBLA    0.1

For those of us not familiar with FMBLA, can you describe it a bit
further? Is this your thing? Where does it get its information from?
What form new domain is it exactly checking for?

Thanks,
Alex

Re: PatioDeals@********* how to get high score

Posted by Paul Stead <pa...@zeninternet.co.uk>.

On 13/08/15 19:15, Reindl Harald wrote:
> why don't you just score BAYES_95 higher while train that messages
> properly so they get BAYES_99 - additionally there are sure subject
> and body-parts for custom, low-scored filters
You could also give the attached a go, score to suit yourself

--
Paul Stead
Systems Engineer
Zen Internet

Re: PatioDeals@********* how to get high score

Posted by Reindl Harald <h....@thelounge.net>.
why don't you just score BAYES_95 higher while training those messages
properly so they get BAYES_99 - additionally there are sure subject and
body-parts for custom, low-scored filters

scored body/subject filters were here the key to get the last junk
also properly rejected and finally reach a 99.9% hit-rate

BTW: i even can not respond with a quote because our outgoing
spamass-milter rejects the quotes because URIBL, URIBL_BLACK can be
high scored in local.cf

  1.5 URIBL_SBL_A            Contains URL's A record listed in the SBL blocklist
                             [URIs: recolong***]
  3.5 URIBL_DBL_SPAM         Contains a spam URL listed in the DBL blocklist
                             [URIs: recolong***w]
  4.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                             [URIs: recolong***]
  7.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                             [URIs: recolong***]

Am 13.08.2015 um 17:10 schrieb Motty Cruz:
> Hello,
>
> Can I configure Spam-assassin to drop emails with extensions ********? I
> get a lot of emails with extensions ********, ****** or adjust levels get
> higher score. Currently is set to block over 6.2 and this specific email
> got score of 4.2


Re: PatioDeals@recolong.review how to get high score

Posted by Dave Pooser <da...@pooserville.com>.
> Can I configure Spam-assassin to drop emails with extensions .review?
> I get a lot of emails with

Add to a .cf file
blacklist_from *.review

And done.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com



Re: PatioDeals@recolong.review how to get high score

Posted by At <hi...@att.net>.
I employ a sender_access file using regex to handle the rapidly expanding domains

Seems like I am adding a new entry every day



> On Aug 13, 2015, at 3:29 PM, Motty Cruz <mo...@gmail.com> wrote:
> 
> Thanks all, for your support. 
> I did feed spammy emails, most are blocked but users still get a bunch of those emails a day. I added this in the MTA:
> smtpd_sender_restrictions = reject_unknown_sender_domain
> 
> in the .cf file I added
> blacklist_from *.review
> blacklist_from *.work
> blacklist_from *.date
> 
> I will be monitoring,
> 
> Thanks, 
> 
> 
>> On 08/13/2015 11:34 AM, John Hardin wrote:
>> On Thu, 13 Aug 2015, John Hardin wrote: 
>> 
>>> On Thu, 13 Aug 2015, Motty Cruz wrote: 
>>> 
>>>>  Can I configure Spam-assassin to drop emails with extensions .review? 
>>> 
>>>>  From: "Patio Deals" <Pa...@recolong.review> 
>>> 
>>> untested: 
>>> 
>>>  header  FROM_TLD_REVIEW   From:addr =~ /\.review$/i 
>> 
>> Also, if you want to poison-pill such senders, do it at the MTA level.
> 

Re: PatioDeals@****** how to get high score

Posted by Cedric Knight <ce...@gn.apc.org>.
On 14/08/15 02:19, Alex wrote:
>>>> in the .cf file I added
>>>> blacklist_from *.review
>>>> blacklist_from *.work
>>>> blacklist_from *.date
>>>
>>> I would use the following:
>>>
>>> blacklist_uri_host review
>>> blacklist_uri_host work
>>> blacklist_uri_host date
>> 
>> you want both: a bad sender using the domain as well a URI to the
>> domain and without having tested it at my own: make sure it does
>> only match when the domain ends with "review", "work", "date" to
>> prevent FP
> 
> Are you talking about it somehow matching "123review", for example?
> It appears that it refers to only the rhs of the address. For
> example "blacklist_from *.review" catches user@123test.review but
> not user@123review.com or user@123review.123review or
> 123test.review.com. Are there any other variations to be concerned
> with, or could someone else confirm?

That looks right, checking Conf/Parser.pm.  blacklist_from internally
adds a "$" so it must match the rightmost part of any address.

> So while blacklist_from requires the wildcard match, 
> blacklist_uri_host does not.

Indeed blacklist_uri_host does not permit wildcards.  It must be an
exact match with the top 1-10 parts (labels).

> Also, at some time, Axb had posted a list of the new TLDs that are
> a significant source of spam and included domains like xxx and xyz.
> Does anyone have an updated list that might be helpful?

Try http://rss.uribl.com/tlds/index.html (it's percentages per domain,
rather than per email)
.uno, .red, .black, .blue, .pink, .click, .xyz all seem significantly
abused.
.asia and .link seems to have cleaned up a bit in the last few months,
.science less so. xxx probably isn't very useful to spammers.

Also 20_aux_tlds.cf contains a link to the full IANA gTLD list.

If you want to be less severe, maybe a meta rule using Paul's
BODY_NEWDOMAIN_14_FMBLA with enlist_uri_host setting a range of scores
as described at https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6458#c3

CK
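
A small Python model of the two matching behaviours discussed in this message, run over the variations Alex asks about. It is an added example, not part of the original post and not SpamAssassin's own code; the function names and sample hosts are constructed, and the matching logic assumes the behaviour as described in the thread (anchored glob for blacklist_from, rightmost-label match for blacklist_uri_host).

```python
import re

def addrlist_to_regex(glob):
    """Model of a blacklist_from entry: '*' -> '.*', '?' -> '.', the rest
    literal, anchored at both ends (the trailing '$' mentioned above)."""
    parts = []
    for ch in glob.lower():
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def from_blacklisted(addr, globs):
    addr = addr.strip().lower()
    return any(addrlist_to_regex(g).match(addr) for g in globs)

def uri_host_blacklisted(host, entries, max_labels=10):
    """Model of blacklist_uri_host: no wildcards; an entry must equal the
    rightmost 1..max_labels labels of the URI host."""
    labels = host.strip(".").lower().split(".")
    wanted = {e.strip(".").lower() for e in entries}
    return any(".".join(labels[-n:]) in wanted
               for n in range(1, min(len(labels), max_labels) + 1))

FROM_GLOBS = ["*.review", "*.work", "*.date"]   # entries from the thread
URI_ENTRIES = ["review", "work", "date"]        # entries from the thread

# Constructed samples, based on the variations asked about in the thread.
SENDERS = ["user@123test.review", "user@123review.com",
           "user@123review.123review", "user@123test.review.com",
           "User@Shop.Example.WORK"]
URI_HOSTS = ["www.recolong.review", "123review.com",
             "review.example.com", "cdn.example.date."]

def audit():
    """Return (sender -> hit, uri host -> hit) for the samples above."""
    return ({a: from_blacklisted(a, FROM_GLOBS) for a in SENDERS},
            {h: uri_host_blacklisted(h, URI_ENTRIES) for h in URI_HOSTS})

if __name__ == "__main__":
    senders, hosts = audit()
    for name, hit in {**senders, **hosts}.items():
        print(f"{'HIT ' if hit else 'pass'} {name}")
```

Only addresses and hosts whose last label is one of the listed TLDs are hits; "review" appearing inside a label or as a non-final label does not match in either model.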

Re: PatioDeals@****** how to get high score

Posted by Alex <my...@gmail.com>.
Hi,

>>> in the .cf file I added
>>> blacklist_from *.review
>>> blacklist_from *.work
>>> blacklist_from *.date
>>
>> I would use the following:
>>
>> blacklist_uri_host review
>> blacklist_uri_host work
>> blacklist_uri_host date
>
> you want both: a bad sender using the domain as well a URI to the domain and
> without having tested it at my own: make sure it does only match when the
> domain ends with "review", "work", "date" to prevent FP

Are you talking about it somehow matching "123review", for example? It
appears that it refers to only the rhs of the address. For example
"blacklist_from *.review" catches user@123test.review but not
user@123review.com or user@123review.123review or 123test.review.com.
Are there any other variations to be concerned with, or could someone
else confirm?

So while blacklist_from requires the wildcard match,
blacklist_uri_host does not.

Also, at some time, Axb had posted a list of the new TLDs that are a
significant source of spam and included domains like xxx and xyz. Does
anyone have an updated list that might be helpful?

Thanks,
Alex

Re: PatioDeals@****** how to get high score

Posted by Reindl Harald <h....@thelounge.net>.
Am 13.08.2015 um 21:52 schrieb Alex:
>> Thanks all, for your support.
>> I did feed spammy emails, most are blocked but users still get a bunch of those
>> emails a day. I added this in the MTA:
>>
>> smtpd_sender_restrictions = reject_unknown_sender_domain
>>
>> in the .cf file I added
>> blacklist_from *.review
>> blacklist_from *.work
>> blacklist_from *.date
>
> I would use the following:
>
> blacklist_uri_host review
> blacklist_uri_host work
> blacklist_uri_host date

you want both: a bad sender using the domain as well a URI to the domain 
and without having tested it at my own: make sure it does only match 
when the domain ends with "review", "work", "date" to prevent FP

P.S.: i wonder why people still can reply with the original thread 
subject - no way that a response with that domain would pass our 
submission server because URIBL


Re: PatioDeals@recolong.review how to get high score

Posted by Alex <my...@gmail.com>.
Hi,

> Thanks all, for your support.
> I did feed spammy emails, most are blocked but users still get a bunch of those
> emails a day. I added this in the MTA:
>
> smtpd_sender_restrictions = reject_unknown_sender_domain
>
> in the .cf file I added
> blacklist_from *.review
> blacklist_from *.work
> blacklist_from *.date

I would use the following:

blacklist_uri_host review
blacklist_uri_host work
blacklist_uri_host date
...

Regards,
Alex

Re: PatioDeals@recolong.review how to get high score

Posted by Motty Cruz <mo...@gmail.com>.
Thanks all, for your support.
I did feed spammy emails, most are blocked but users still get a bunch of
those emails a day. I added this in the MTA:

smtpd_sender_restrictions = reject_unknown_sender_domain

in the .cf file I added
blacklist_from *.review
blacklist_from *.work
blacklist_from *.date

I will be monitoring,

Thanks,



On 08/13/2015 11:34 AM, John Hardin wrote:
> On Thu, 13 Aug 2015, John Hardin wrote:
>
>> On Thu, 13 Aug 2015, Motty Cruz wrote:
>>
>>>  Can I configure Spam-assassin to drop emails with extensions .review?
>>
>>>  From: "Patio Deals" <Pa...@recolong.review>
>>
>> untested:
>>
>>  header  FROM_TLD_REVIEW   From:addr =~ /\.review$/i
>
> Also, if you want to poison-pill such senders, do it at the MTA level.
>


Re: PatioDeals@recolong.review how to get high score

Posted by John Hardin <jh...@impsec.org>.
On Thu, 13 Aug 2015, John Hardin wrote:

> On Thu, 13 Aug 2015, Motty Cruz wrote:
>
>>  Can I configure Spam-assassin to drop emails with extensions .review?
>
>>  From: "Patio Deals" <Pa...@recolong.review>
>
> untested:
>
>  header  FROM_TLD_REVIEW   From:addr =~ /\.review$/i

Also, if you want to poison-pill such senders, do it at the MTA level.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Where We Want You To Go Today 09/13/07: Microsoft patents in-OS
   adware architecture that incorporates monitoring and analysis of
   user actions and interrupting the user to display apparently
   relevant advertisements (U.S. Patent #20070214042)
-----------------------------------------------------------------------
  2 days until the 70th anniversary of the end of World War II

Re: PatioDeals@recolong.review how to get high score

Posted by John Hardin <jh...@impsec.org>.
On Thu, 13 Aug 2015, Motty Cruz wrote:

> Can I configure Spam-assassin to drop emails with extensions .review?

> From: "Patio Deals" <Pa...@recolong.review>

untested:

   header  FROM_TLD_REVIEW   From:addr =~ /\.review$/i


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Where We Want You To Go Today 09/13/07: Microsoft patents in-OS
   adware architecture that incorporates monitoring and analysis of
   user actions and interrupting the user to display apparently
   relevant advertisements (U.S. Patent #20070214042)
-----------------------------------------------------------------------
  2 days until the 70th anniversary of the end of World War II