Posted to users@spamassassin.apache.org by njjrdell <nr...@dellmagazines.net> on 2010/09/24 21:28:53 UTC
What rules should be stopping these
http://pastebin.com/zAvghCQJ
Hello sorry for the newbie question, one of our users is getting slammed by
these. I'm wondering which rules should be stopping these.
thanks
--
View this message in context: http://old.nabble.com/What-rules-should-be-stopping-these-tp29801831p29801831.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: What rules should be stopping these
Posted by Benny Pedersen <me...@junc.org>.
On Fri, 24 Sep 2010 21:28:53 CEST, njjrdell wrote:
> http://pastebin.com/zAvghCQJ
Content analysis details: (15.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
2.5 RCVD_IN_PSBL RBL: Received via a relay in PSBL
[64.32.3.3 listed in psbl.surriel.com]
1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
[URIs: abecomeasucces.net]
1.8 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: abecomeasucces.net]
1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
[64.32.3.3 listed in bb.barracudacentral.org]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_IMAGE_RATIO_06 BODY: HTML has a low ratio of text to image area
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
from author's
domain
0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK
signature
1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.0 T_REMOTE_IMAGE Message contains an external image
1.8 SAGREY Adds score to spam from first-time senders
> Hello sorry for the newbie question, one of our users is getting slammed by
> these. I'm wondering which rules should be stopping these.
Enable more tests in SpamAssassin :)
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: What rules should be stopping these
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2010-09-27 at 07:21 -0700, njjrdell wrote:
> I made the adjustments you recommended and these spams are now getting
> caught. I was always apprehensive about using public generated corpuses or
> lists due to possible poisoning.
Use sa-update, and maybe lurk here for news.
If there's any DNSBL going rogue, the SA team will quickly remove it.
And the community is likely to blast the breaking news here, too, if we
don't beat them to it. ;) Similar with BLs closing down. Happened in
the past.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: What rules should be stopping these
Posted by njjrdell <nr...@dellmagazines.net>.
I made the adjustments you recommended and these spams are now getting
caught. I was always apprehensive about using public generated corpuses or
lists due to possible poisoning. I will give this a shot and see how it
turns out.
All your help is truly appreciated.
Regards
Matus UHLAR - fantomas wrote:
>
> On 24.09.10 13:03, njjrdell wrote:
>> We have set up on our mail servers:
>> sbl-xbl.spamhaus.org
>
> This is obsolete; you should use zen.spamhaus.org instead.
>
>> dnsbl.njable.org
>
> should be dnsbl.njabl.org, is this a mistype in your mail or in your
> server
> configuration?
>
>> bl.spamcop.net
>> b.barracudacentral.org
>
> And finally, this is your mail server configuration, not SpamAssassin.
> SpamAssassin can check for much more than just the connecting IP.
>
>> We are not doing any other network tests. I will look into it. Can you
>> please recommend specifics?
>
> Yes, simply turn network tests on. There's much more than a blacklist check
> of the connecting IP - deep header parsing, URIBLs, fuzzy hash checks...
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> We are but packets in the Internet of life (userfriendly.org)
>
>
Re: What rules should be stopping these
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 24.09.10 13:03, njjrdell wrote:
> We have set up on our mail servers:
> sbl-xbl.spamhaus.org
This is obsolete; you should use zen.spamhaus.org instead.
> dnsbl.njable.org
should be dnsbl.njabl.org, is this a mistype in your mail or in your server
configuration?
> bl.spamcop.net
> b.barracudacentral.org
And finally, this is your mail server configuration, not SpamAssassin.
SpamAssassin can check for much more than just the connecting IP.
> We are not doing any other network tests. I will look into it. Can you
> please recommend specifics?
Yes, simply turn network tests on. There's much more than a blacklist check
of the connecting IP - deep header parsing, URIBLs, fuzzy hash checks...
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
Re: What rules should be stopping these
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2010-09-24 at 22:43 +0200, Karsten Bräckelmann wrote:
> > > > Hello sorry for the newbie question, one of our users is getting slammed
> > > > by these. I'm wondering which rules should be stopping these.
>
> Your sample is missing the rules actually triggered, which usually would
> be in the X-Spam-Status header.
Also, what's your SA version? From your sample:
X-Scanned-By: MPP/Spamassassin http://www.messagepartners.com
Redirects to mailspect.com. Given they are offering a "free MPP Trial",
I assume there's a paid service, too. You also might want to bring this
up with their support.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: What rules should be stopping these
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2010-09-24 at 13:03 -0700, njjrdell wrote:
> We have set up on our mail servers:
> sbl-xbl.spamhaus.org
> dnsbl.njable.org
> bl.spamcop.net
> b.barracudacentral.org
Hmm, that seems to hint checking at SMTP time and outright rejecting
based on the sender's IP. While that certainly is a good idea in
general, what Benny and John have been hinting at is DNSBL tests enabled
in SA.
Point being, SA does a lot more lookups. Including, as John mentioned,
URI DNSBL lookups, which are not covered in the above. Same for Razor,
e.g., which would be part of Benny's broader recommendation.
Besides, the above is missing SpamHaus PBL. Again, SA uses it.
> We are not doing any other network tests. I will look into it. Can you
> please recommend specifics?
So you disabled them in SA, using "skip_rbl_checks 1"? By default, they
are enabled (set to 0, not skip). Same with skip_uribl_checks, if you
are using SA 3.3.
In your other follow-up, you corrected the above, mentioning you have a
custom rule-set defined for URIBL_BLACK.
> I actually take that back in our local.cf we have
In local.cf? It's default with SA anyway. So if there is any need to
define these locally, there are issues with your installation or DNS.
Why did you add it to local.cf in the first place? Also, do you ever see
URIBL_BLACK hits?
Do you have a local, caching (non-forwarding) nameserver?
> > > Hello sorry for the newbie question, one of our users is getting slammed
> > > by these. I'm wondering which rules should be stopping these.
Your sample is missing the rules actually triggered, which usually would
be in the X-Spam-Status header.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: What rules should be stopping these
Posted by njjrdell <nr...@dellmagazines.net>.
We have set up on our mail servers:
sbl-xbl.spamhaus.org
dnsbl.njable.org
bl.spamcop.net
b.barracudacentral.org
We are not doing any other network tests. I will look into it. Can you
please recommend specifics?
Regards
John Hardin wrote:
>
> On Fri, 24 Sep 2010, njjrdell wrote:
>
>> http://pastebin.com/zAvghCQJ
>>
>> Hello sorry for the newbie question, one of our users is getting slammed
>> by these. I'm wondering which rules should be stopping these.
>
> That hits URIBL. Do you have network tests and URIBL lookups enabled?
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> Individual liberties are always "loopholes" to absolute authority.
> -----------------------------------------------------------------------
> 84 days until TRON Legacy
>
>
Re: What rules should be stopping these
Posted by njjrdell <nr...@dellmagazines.net>.
I actually take that back in our local.cf we have
urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 3.0
urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
score URIBL_GREY 0.25
John Hardin wrote:
>
> On Fri, 24 Sep 2010, njjrdell wrote:
>
>> http://pastebin.com/zAvghCQJ
>>
>> Hello sorry for the newbie question, one of our users is getting slammed
>> by these. I'm wondering which rules should be stopping these.
>
> That hits URIBL. Do you have network tests and URIBL lookups enabled?
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> Individual liberties are always "loopholes" to absolute authority.
> -----------------------------------------------------------------------
> 84 days until TRON Legacy
>
>
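A worked illustration of the lookups this thread is about (an added example, not code from the thread or from SpamAssassin itself): how an IP DNSBL query name and a URI DNSBL query name are formed, how a multi.uribl.com answer maps onto the urirhssub masks in the local.cf excerpt above (URIBL_BLACK mask 2, URIBL_GREY mask 4), and a check for the skip_rbl_checks / skip_uribl_checks settings Karsten mentions. The 127.0.0.1 "query refused" meaning is URIBL's documented behaviour; every input is constructed and no DNS query is sent.

```python
# Added example, not from the thread or SpamAssassin. Offline only: all
# values are constructed, nothing is resolved.
import ipaddress
import re

# Masks and scores copied from the local.cf lines quoted in this thread.
URIBL_SUBLISTS = {2: "URIBL_BLACK", 4: "URIBL_GREY"}
LOCAL_SCORES = {"URIBL_BLACK": 3.0, "URIBL_GREY": 0.25}


def ip_dnsbl_query(ip, zone):
    """IPv4 DNSBL name: octets reversed, then the list zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def uri_dnsbl_query(domain, zone):
    """URI DNSBL name: the domain seen in the body, prefixed to the zone."""
    return domain.lower().rstrip(".") + "." + zone.rstrip(".")


def decode_urirhssub(answer, sublists=URIBL_SUBLISTS):
    """Map a 127.0.0.X A-record answer to the urirhssub rules whose bit is set.

    multi.uribl.com encodes each sub-list as one bit of the last octet, so a
    domain on both lists answers 127.0.0.6. A 127.0.0.1 answer means the list
    refused the query (typically a shared public resolver), which is why a
    local caching nameserver matters; it is an error, not a listing.
    """
    addr = ipaddress.IPv4Address(answer)
    if addr.packed[0] != 127:
        raise ValueError("not a DNSBL-style answer: %s" % answer)
    flags = addr.packed[3]
    if flags == 1:
        raise ValueError("query refused by the list; use a local caching nameserver")
    return [name for bit, name in sorted(sublists.items()) if flags & bit]


def tally(rules, scores=LOCAL_SCORES):
    """Sum the locally configured scores for the rules that hit."""
    return round(sum(scores.get(r, 0.0) for r in rules), 2)


def network_tests_enabled(local_cf):
    """True unless local.cf sets skip_rbl_checks or skip_uribl_checks to 1.

    Both default to 0, so an absent setting leaves network tests on."""
    pattern = r"^\s*skip_(?:rbl|uribl)_checks\s+1\b"
    return not re.search(pattern, local_cf, re.M)
```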
Re: What rules should be stopping these
Posted by John Hardin <jh...@impsec.org>.
On Fri, 24 Sep 2010, njjrdell wrote:
> http://pastebin.com/zAvghCQJ
>
> Hello sorry for the newbie question, one of our users is getting slammed
> by these. I'm wondering which rules should be stopping these.
That hits URIBL. Do you have network tests and URIBL lookups enabled?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Individual liberties are always "loopholes" to absolute authority.
-----------------------------------------------------------------------
84 days until TRON Legacy