Posted to users@spamassassin.apache.org by Per-Erik Persson <pe...@irt.kth.se> on 2012/11/15 22:16:46 UTC

dynamically load url filtersI

Is there a way to add spamassassin rules without editing the config and
reloading the process?

To be more specific, I can set up a RBL of my own and add suspicious
servers found in the header, no problems to do that.
This can be done today with our current setup of hostadministration
tools without writing one single line of code more than defining the RBL
in spamassassin.
I just do a copy-paste-enter and suddenly the malicious spamming server
will not end up in my mailbox anymore :-)

But if I want to insert a rule to shoot down a malicious link to a
phishing site listed in the body of the email I need to do the following
steps.

update the config with an uricheck
testdrive it
distribute it to the spamassassin servers
reload services
watch syslogs to be sure the reload succeeded

Does anyone know of a way to kill a malicious url in the example above
in an easier way without granting tools and permissions to people that
most likely will shoot themselves in the foot?



Re: dynamically load url filtersI

Posted by mouss <mo...@ml.netoyen.net>.
Le 15/11/2012 22:16, Per-Erik Persson a écrit :
> 
> Is there a way to add spamassassin rules without editing the config
> and reloading the process?
> 
> To be more specific, I can set up a RBL of my own and add
> suspicious servers found in the header, no problems to do that. 
> This can be done today with our current setup of
> hostadministration tools without writing one single line of code
> more than defining the RBL in spamassassin. I just do a
> copy-paste-enter and suddenly the malicious spamming server will
> not end up in my mailbox anymore :-)
> 
> But if I want to insert a rule to shoot down a malicious link to a 
> phishing site listed in the body of the email I need to do the
> following steps.
> 
> update the config with an uricheck
> testdrive it
> distribute it to the spamassassin servers
> reload services
> watch syslogs to be sure the reload succeeded
> 
> Does anyone know of a way to kill a malicious url in the example
> above in an easier way without granting tools and permissions to
> people that most likely will shoot themselves in the foot?
> 
> 

not sure I understand what you mean, but...

if the goal is to block URLs, then setup rbldnsd and use a rule like this:

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL

urirhssub       URIBL_MINE       uri.bl.example.com.      A       2

body            URIBL_MINE eval:check_uridnsbl('URIBL_MINE')
describe        URIBL_MINE Contains an URL listed in MY blocklist
tflags          URIBL_MINE net

score   URIBL_MINE      10.0

endif #ifplugin Mail::SpamAssassin::Plugin::URIDNSBL


the rbldnsd "zone" file for uri.bl.example.com would contain things like:

# Start of authority record (TTL 3000), with serial (0) computed as
# a timestamp of data file
$SOA 3000 localhost admin.example.com 0 600 300 86400 300
$NS 3000 localhost
#

:127.0.0.2:blocked, see http://blockeduri.example.com/ipbl/lookup?$

## Test entry
example.com         :2:Test entry
*.example.com       :2:Test entry

spammer.net		:2:spam domain
*.spammer.net		:2:spam domain
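As an added example (not code from this thread or from mouss's post), here is how a urirhssub rule like the one above evaluates a URI against the rbldnsd zone: extract the URIs from the body, trim the host to its registrar domain (a two-label approximation is assumed here; SpamAssassin uses its own suffix list), query <domain>.uri.bl.example.com and apply the mask 2 to the last octet of the A record. DNS is replaced by a constructed lookup table so it runs offline; the second sample URI shows that a domain-only list says nothing about a bad path on an otherwise clean host.

```python
# Added example: evaluate URIs the way a rule such as
#   urirhssub URIBL_MINE uri.bl.example.com. A 2
# does, against a stand-in for the rbldnsd zone above. Offline, no real DNS.
import ipaddress
import re
from urllib.parse import urlsplit

ZONE = "uri.bl.example.com"
MASK = 2  # the "2" in the rule: bitmask tested against the A record's last octet

# Constructed stand-in for DNS: the ":2:" entries in the zone file answer
# with 127.0.0.2 for <listed-domain>.<zone>.
FAKE_DNS = {
    "spammer.net." + ZONE: "127.0.0.2",
}

URI_RE = re.compile(r"https?://[^\s<>\"']+")


def registrar_domain(host: str) -> str:
    """Trim a hostname to its registrar domain.
    Assumption: two labels is enough; SpamAssassin consults a real suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def extract_uris(body: str) -> list[str]:
    """Pull http/https URIs out of a plain-text body."""
    return URI_RE.findall(body)


def uribl_hits(body: str, dns: dict = FAKE_DNS) -> dict[str, bool]:
    """Return {uri: listed?} for every URI found in the body."""
    result = {}
    for uri in extract_uris(body):
        host = urlsplit(uri).hostname or ""
        qname = f"{registrar_domain(host)}.{ZONE}"   # what gets looked up
        answer = dns.get(qname)                       # None means NXDOMAIN
        listed = False
        if answer:
            last_octet = int(ipaddress.IPv4Address(answer)) & 0xFF
            listed = bool(last_octet & MASK)          # 127.0.0.2 & 2 -> hit
        result[uri] = listed
    return result


if __name__ == "__main__":
    body = ("Click http://www.spammer.net/login now\n"
            "or visit http://good.example.org/phish/index.html")
    for uri, hit in uribl_hits(body).items():
        print("LISTED    " if hit else "not listed", uri)
```

Only the registrar domain reaches the zone, so the path part of the second URI is never consulted, which is the limitation John Hardin describes further down the thread.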




Re: dynamically load url filtersI

Posted by Axb <ax...@gmail.com>.
On 11/16/2012 01:47 PM, Per-Erik Persson wrote:
> On 11/15/2012 10:24 PM, John Hardin wrote:
>> On Thu, 15 Nov 2012, Per-Erik Persson wrote:
>>
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Is there a way to add spamassassin rules without editing the config and
>>> reloading the process?
>>>
>>> To be more specific, I can set up a RBL of my own and add suspicious
>>> servers found in the header, no problems to do that.
>>
>> You can also set up your own local URIBL as well. It's all just DNS.
> Yes, that was my intention since it is so simple if you already have the
> tools to manage a large scale network.
>>
>>> But if I want to insert a rule to shoot down a malicious link to a
>>> phishing site listed in the body of the email I need to do the following
>>> steps.
>>
>> The caveat with a private URIBL is it's only on the domain name. If
>> you want to poison a specific page on an otherwise acceptable host a
>> local URIBL won't help you.
>>
> Exactly, I was hoping for a solution to that problem. A way to use a
> URIBL to match evil http links in the body.
> Or if that is not possible I will have to go with the other solution:
> Write a fairly simple interface to build the ruleset and insert it into
> cvs (or whatever) and on the serverside poll the cvs server for changes,
> testdrive them and after that reload amavis, on failure back down to the
> latest working change.

You may want to look into ClamAV's sigtool.

Re: dynamically load url filtersI

Posted by Per-Erik Persson <pe...@irt.kth.se>.
On 11/15/2012 10:24 PM, John Hardin wrote:
> On Thu, 15 Nov 2012, Per-Erik Persson wrote:
>
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Is there a way to add spamassassin rules without editing the config and
>> reloading the process?
>>
>> To be more specific, I can set up a RBL of my own and add suspicious
>> servers found in the header, no problems to do that.
>
> You can also set up your own local URIBL as well. It's all just DNS.
Yes, that was my intention since it is so simple if you already have the
tools to manage a large scale network.
>
>> But if I want to insert a rule to shoot down a malicious link to a
>> phishing site listed in the body of the email I need to do the following
>> steps.
>
> The caveat with a private URIBL is it's only on the domain name. If
> you want to poison a specific page on an otherwise acceptable host a
> local URIBL won't help you.
>
Exactly, I was hoping for a solution to that problem. A way to use a
URIBL to match evil http links in the body.
Or if that is not possible I will have to go with the other solution:
Write a fairly simple interface to build the ruleset and insert it into
cvs (or whatever) and on the serverside poll the cvs server for changes,
testdrive them and after that reload amavis, on failure back down to the
latest working change.


Re: dynamically load url filtersI

Posted by John Hardin <jh...@impsec.org>.
On Thu, 15 Nov 2012, Per-Erik Persson wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is there a way to add spamassassin rules without editing the config and
> reloading the process?
>
> To be more specific, I can set up a RBL of my own and add suspicious
> servers found in the header, no problems to do that.

You can also set up your own local URIBL as well. It's all just DNS.

> But if I want to insert a rule to shoot down a malicious link to a
> phishing site listed in the body of the email I need to do the following
> steps.

The caveat with a private URIBL is it's only on the domain name. If you 
want to poison a specific page on an otherwise acceptable host a local 
URIBL won't help you.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Public Education: the bureaucratic process of replacing
   an empty mind with a closed one.                          -- Thorax
-----------------------------------------------------------------------
  168 days since the first successful private support mission to ISS (SpaceX)