Koozali.org: home of the SME Server

Desperate to block TLDs

Offline MSmith

Desperate to block TLDs
« on: July 09, 2015, 03:52:14 PM »
.xyz, .link, .info ... and to a certain extent .us ...
Literally NO "ham" emails ever seen from these new TLDs.
THOUSANDS of spam emails flooding in.
Some blocked with RBLList / SBLList but not many.
Is there no way to stem this tide?
Yes, I recognize that blocking an entire TLD is "bad form" but I am drowning here.

WBL, despite having been raised as a possible solution, does not seem configurable to block an entire TLD. Of course, my syntax may be deficient. I've tried many things, and on advice have tried:

db spamassassin setprop wbl.global *@*.xyz Black
db spamassassin setprop wbl.global *@*.link Black

This does not seem to work.

RBLList and SBLList work on some of these, but not all, and not always. The bad guys seem to have the upper hand currently.

...

Offline Daniel B.

Re: Desperate to block TLDs
« Reply #1 on: July 09, 2015, 04:35:35 PM »
Can you show what you have set up:

Code:
db spamassassin show wbl.global

And please, define "does not seem to work" (either it works as expected or it doesn't, but it cannot seem not to work ;-))
C'est la fin du monde !!! :lol:

Offline MSmith

Re: Desperate to block TLDs
« Reply #2 on: July 09, 2015, 04:57:11 PM »
Okay, "does not block the emails I expected it to block"  :smile:

[root@postman ~]# db spamassassin show wbl.global
wbl.global=list
    *@*.info=Black
    *@*.link=Black
    *@*.xyz=Black
    *@big6drilling.com=White
    *@edg.net=White


...

Offline Daniel B.

Re: Desperate to block TLDs
« Reply #3 on: July 09, 2015, 05:03:13 PM »
Have you checked in /etc/mail/spamassassin/local.cf if the settings in the DB have been correctly expanded?

Offline MSmith

Re: Desperate to block TLDs
« Reply #4 on: July 09, 2015, 08:20:36 PM »
[root@postman spamassassin]# cat local.cf
#------------------------------------------------------------
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
dns_available yes
internal_networks 192.168.50.11
lock_method flock

ok_locales all
bayes_path /var/spool/spamd/.spamassassin/bayes
bayes_file_mode 750
report_safe 0
required_score 3
rewrite_header Subject [SPAM]
skip_rbl_checks 0
clear_trusted_networks
trusted_networks 192.168.50.11

use_bayes 0


blacklist_from *@*.info
whitelist_from *@big6drilling.com
blacklist_from *@*.link
blacklist_from *@*.xyz
whitelist_from *@edg.net
...

Offline CharlieBrady

Re: Desperate to block TLDs
« Reply #5 on: July 10, 2015, 05:49:46 AM »
Quote
Okay, "does not block the emails I expected it to block"

It might be useful to be specific.

Offline ReetP

Re: Desperate to block TLDs
« Reply #6 on: July 10, 2015, 11:48:18 AM »
Quote
.xyz, .link, .info ... and to a certain extent .us ...

You seem to have asked the same question before and I did write one possible solution:

http://forums.contribs.org/index.php/topic,51408.msg261341.html

Also there is an update for spamassassin on your bug http://bugs.contribs.org/show_bug.cgi?id=8980 for v9 that needs testing

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline MSmith

Re: Desperate to block TLDs
« Reply #7 on: July 10, 2015, 03:01:29 PM »
Quote
You seem to have asked the same question before and I did write one possible solution:

Yes, you did write a possible solution ... one that would require that I install something that you "kludged" ... I am sure that you are a superb coder, but I am also sure that you do not expect me to install "kludged" code and mess around with templates on production servers!

Perhaps you would work up your code into a contrib that could be tested?

One of the issues with spam rejection is that it's a challenge to build a testing environment ... perhaps I should set up a test domain and subscribe that domain to every spam link I can find.

The devs are hard at work on fixing SpamAssassin so it will check these new TLDs against blacklists, and I am confident that they will accomplish their task within the accepted SME framework.
...

Offline MSmith

Re: Desperate to block TLDs
« Reply #8 on: July 10, 2015, 03:04:38 PM »
Quote
It might be useful to be specific.

Having issued DB commands with wildcards that should block everything from a specific TLD, e.g. *@*.link, I would expect that everything with a "from" address ending in ".link" would be blocked. This did not happen. The problematic emails all end in ".link" and ".xyz" but have many, many different domain names before the TLD. I would suspect that the spammers are aware of problems blocking entire TLDs and have crafted this spam campaign accordingly.
...

Offline Daniel B.

Re: Desperate to block TLDs
« Reply #9 on: July 10, 2015, 03:42:22 PM »
The log snippet you've posted on http://bugs.contribs.org/show_bug.cgi?id=8980 shows that it was working. Please show your full spamassassin settings:

Code:
db configuration show spamassassin

Offline ReetP

Re: Desperate to block TLDs
« Reply #10 on: July 10, 2015, 04:23:04 PM »

Quote
You seem to have asked the same question before and I did write one possible solution:

Yes, you did write a possible solution ... one that would require that I install something that you "kludged" ... I am sure that you are a superb coder, but I am also sure that you do not expect me to install "kludged" code and mess around with templates on production servers!

No, I am not a 'superb' coder and don't need patronising, thanks. My coding skills are extremely limited, but if I can do what I did then anyone can, if they can be bothered.

You really ought to read what I actually said in the post. I wrote a 'kludge' to test grep patterns, which are the important parts you need to check before employing the plugin. That did not need installing on your production server - anything running perl would have been fine. Of course, you could have written your own if you didn't trust it.

The plugin and templates as stated would work and are correct within 'the SME framework'. That was not a kludge (if you bothered to check).

Whether you choose to use it is your prerogative.

Quote
Perhaps you would work up your code into a contrib that could be tested?

Perhaps I could, but then I don't really have an issue, so it is not a requirement. I just pasted it to try and help you out. Perhaps you could learn to code a bit (like I did) and have a go yourself? There are lots of people who will help you, and you will learn a lot in the process.

Quote
One of the issues with spam rejection is that it's a challenge to build a testing environment ... perhaps I should set up a test domain and subscribe that domain to every spam link I can find.

That's probably one way - e.g. set up a honeypot - but I am sure there are probably others. Probably worth googling.....


Quote
The devs are hard at work on fixing SpamAssassin so it will check these new TLDs against blacklists, and I am confident that they will accomplish their task within the accepted SME framework.

Yes I am well aware of every bug, as it goes with the territory of being El Presidente round here....

There are multiple ways of dealing with junk. Spamassassin is just one. None are perfect.

The method I described using a standard qpsmtpd plugin (check_badmailfrom_patterns is already there and just needs activating - have a look in /usr/share/qpsmtpd/plugins to see for yourself) is within the bounds of normal operation for SME. There are other plugins there as well that have not been activated but could if required.

It would help a lot if you tested the updated spamassassin on your bug and report back accordingly.

B. Rgds
John
...

Offline TerryF

Re: Desperate to block TLDs
« Reply #11 on: July 10, 2015, 04:47:09 PM »
 :lol:
--
qui scribit bis legit

Offline MSmith

Re: Desperate to block TLDs
« Reply #12 on: July 10, 2015, 06:53:04 PM »
ReetP: I apologize for coming across as patronizing. That was not my intent, but clearly that was the message I conveyed. I will write more later about my experiences with the current state of affairs.
...

Offline ReetP

Re: Desperate to block TLDs
« Reply #13 on: July 10, 2015, 07:08:48 PM »
Quote
ReetP: I apologize for coming across as patronizing. That was not my intent, but clearly that was the message I conveyed. I will write more later about my experiences with the current state of affairs.

No worries - let's just try and get it sorted for you :-)

Be really good if you can have a go at testing the new version of spamassassin.

B. Rgds
John
...

Offline MSmith

Re: Desperate to block TLDs
« Reply #14 on: July 12, 2015, 02:27:14 PM »
Here's a transcript of part of a PuTTY session, for those masochistic enough to pore over it. The first part is the result of "qploggrep .xyz", the second part is after I realized after ALL THESE YEARS that I can pipe tail through tai64nlocal  :?

Note the sequential IP addresses ... this is a feature of this spam run, a bunch of sequential IP addresses in a /24, then a bunch from another /24.

Also note that these are sailing right through, even with Spamassassin set to trigger at a score of 3.0.

**************
2015-07-11 17:19:34.947811500   19183   107.158.123.237 0/40
2015-07-11 17:19:38.985211500   19183   107.158.123.237 queued          <Apple-iPad-Device@theta237.credbe.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317ae68)       <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.10829512@theta237.credbe.xyz>        No, hits=1.4 required=3.0_
2015-07-11 17:25:56.975646500   19315   107.158.123.238 queued          <DrOzTrimWaistSecret@debrho.xyz>        <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3136ff8)       <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.1565376@debrho.xyz>  Yes, hits=5.5 required=3.0_
2015-07-11 17:31:08.777137500   19352   107.158.123.239 queued          <SummerRoofSpecials@dojinx.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137e98)       <97bf0ab46f12c59cec09ec1f6aea31f9.7385638.23459438@dojinx.xyz>  No, hits=2.9 required=3.0_
2015-07-11 17:35:16.722057500   19481   107.158.123.240 queued          <IncreaseYourIntelligence@easfl.xyz>    <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137ef8)       <97bf0ab46f12c59cec09ec1f6aea31f9.3548702.14352122@easfl.xyz>   Yes, hits=8.0 required=3.0_
2015-07-11 17:40:11.115329500   19521   107.158.123.241 0/40
2015-07-11 17:40:23.926606500   19521   107.158.123.241 queued          <Your-Private-Fantasy@theta241.theysilentcouplething.xyz>       <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317eb88)       <13920909.6822927_97bf0ab46f12c59cec09ec1f6aea31f9@theta241.theysilentcouplething.xyz>  No, hits=1.4 required=3.0_
2015-07-11 17:44:44.150205500   19650   107.158.123.242 queued          <CureYourTinnitus@carehearingimportance.xyz>    <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3138188)       <97bf0ab46f12c59cec09ec1f6aea31f9.4832235.16822652@carehearingimportance.xyz>   Yes, hits=5.0 required=3.0_
2015-07-11 17:54:57.256687500   19888   107.158.123.244 queued          <Dr.Ozs-Bean-Secret@curedkidneydevelopment.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137478)       <17282193-17282193-97bf0ab46f12c59cec09ec1f6aea31f9@curedkidneydevelopment.xyz> Yes, hits=5.5 required=3.0_
2015-07-11 17:59:23.607591500   19927   107.158.123.245 queued          <Met-Life-Senior-Burial-Plans@educti.xyz>       <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3138028)       <97bf0ab46f12c59cec09ec1f6aea31f9.23599116.17027139@educti.xyz> No, hits=2.9 required=3.0_
2015-07-11 18:12:23.283400500   20080   107.158.123.246 0/40
2015-07-11 18:12:36.054942500   20080   107.158.123.246 queued          <Kohler.Walk-in.Bath@theta246.eeloil.xyz>       <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317e948)       <97bf0ab46f12c59cec09ec1f6aea31f9.18488693.23783501@theta246.eeloil.xyz>        No, hits=1.4 required=3.0_
2015-07-11 18:17:28.160266500   20305   107.158.123.247 queued          <MercedesInventoryClearance@enlimo.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137f78)       <97bf0ab46f12c59cec09ec1f6aea31f9.16558364.22651250@enlimo.xyz> No, hits=2.9 required=3.0_
2015-07-11 18:23:35.352527500   20338   107.158.123.248 queued          <GNC-Strength-Booster@fafree.xyz>       <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3136ff8)       <97bf0ab46f12c59cec09ec1f6aea31f9.21709888.14910708@fafree.xyz> No, hits=2.9 required=3.0_
2015-07-11 18:28:32.810458500   20473   107.158.123.249 0/40
2015-07-11 18:28:36.093186500   20473   107.158.123.249 queued          <Marvin-July-Window-Event@theta249.finddc.xyz>  <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317a248)       <97bf0ab46f12c59cec09ec1f6aea31f9.20583647.22422084@theta249.finddc.xyz>        No, hits=1.4 required=3.0_
2015-07-11 18:31:38.710930500   20501   107.158.123.250 queued          <PublicRecordsExposed@activecheckfiles.xyz>     <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137f38)       <6370064-24410741.97bf0ab46f12c59cec09ec1f6aea31f9@activecheckfiles.xyz>        No, hits=1.3 required=3.0_
2015-07-11 18:39:26.234511500   20638   107.158.123.251 1/40
2015-07-11 18:39:33.670363500   20638   107.158.123.251 queued          <KitchenAidWarehouseClearance@theta251.foamla.xyz>      <dick@(REDACTED).com>,Mail::Address=ARRAY(0x31828f8)       <97bf0ab46f12c59cec09ec1f6aea31f9.3103436.23849553@theta251.foamla.xyz> Yes, hits=4.5 required=3.0_
2015-07-11 18:44:08.587242500   20772   107.158.123.252 0/40
2015-07-11 18:44:12.301176500   20772   107.158.123.252 queued          <ContactLensDiscounts@theta252.ftmom.xyz>       <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317a878)       <97bf0ab46f12c59cec09ec1f6aea31f9.22485998.17379614@theta252.ftmom.xyz> No, hits=1.4 required=3.0_
2015-07-11 18:48:36.161938500   20902   107.158.123.253 0/40
2015-07-11 18:48:39.435132500   20902   107.158.123.253 queued          <CureEar-Ringing@theta253.backhearingwhose.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317f878)       <97bf0ab46f12c59cec09ec1f6aea31f9.12248810.16747279@theta253.backhearingwhose.xyz>      Yes, hits=3.4 required=3.0_

[root@mailserver bin]# tail -f /var/log/qpsmtpd/current | tai64nlocal
2015-07-12 04:49:00.241427500 13616 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 04:49:00.248613500 13616 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 04:49:01.253195500 13616 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2015-07-12 04:49:01.255778500 13616 220 mailserver.(REDACTED).com ESMTP
2015-07-12 04:49:02.284636500 13616 dispatching RSET
2015-07-12 04:49:02.284764500 13616 250 OK
2015-07-12 04:49:02.304667500 13616 dispatching QUIT
2015-07-12 04:49:02.304668500 13616 221 (REDACTED).com closing connection. Have a wonderful day.
2015-07-12 04:49:02.304669500 13616 click, disconnecting
2015-07-12 04:49:02.746933500 2010 cleaning up after 13616
 107.158.123.2232015-07-12 07:12:01.548976500 16262 Accepted connection 0/40 from 107.179.25.195 / rdd9m.montrosevic.com
2015-07-12 07:12:01.549053500 16262 Connection from rdd9m.montrosevic.com [107.179.25.195]
2015-07-12 07:12:01.549878500 16262 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 07:12:01.551396500 16262 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 07:12:01.560463500 16262 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 07:12:02.565063500 16262 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2015-07-12 07:12:02.568087500 16262 220 mailserver.(REDACTED).com ESMTP
2015-07-12 07:12:02.625409500 16262 dispatching EHLO acosv.xyz
2015-07-12 07:12:02.626598500 16262 250-(REDACTED).com Hi rdd9m.montrosevic.com [107.179.25.195]
2015-07-12 07:12:02.626628500 16262 250-PIPELINING
2015-07-12 07:12:02.626629500 16262 250-8BITMIME
2015-07-12 07:12:02.626655500 16262 250-SIZE 15000000
2015-07-12 07:12:02.626662500 16262 250 STARTTLS
2015-07-12 07:12:02.691301500 16262 dispatching MAIL FROM:<Dr.OZ-Beach-Body-Tip@acosv.xyz> BODY=7BIT
2015-07-12 07:12:02.691302500 16262 full from_parameter: FROM:<Dr.OZ-Beach-Body-Tip@acosv.xyz> BODY=7BIT
2015-07-12 07:12:03.357966500 16262 getting mail from <Dr.OZ-Beach-Body-Tip@acosv.xyz>
2015-07-12 07:12:03.358002500 16262 250 <Dr.OZ-Beach-Body-Tip@acosv.xyz>, sender OK - how exciting to get mail from you!
2015-07-12 07:12:03.358170500 16262 dispatching RCPT TO:<dick@(REDACTED).com>
2015-07-12 07:12:13.726083500 16262 check_goodrcptto plugin (rcpt): stripping '-' extensions
2015-07-12 07:12:13.727253500 16262 250 <dick@(REDACTED).com>, recipient ok
2015-07-12 07:12:13.727328500 16262 dispatching DATA
2015-07-12 07:12:13.727504500 16262 354 go ahead
2015-07-12 07:12:13.849667500 16262 spooling message to disk
2015-07-12 07:12:13.864093500 16262 bcc plugin (data_post): message copied to maillog
2015-07-12 07:12:18.512343500 16262 spamassassin plugin (data_post): check_spam: No, hits=2.5, required=3.0, tests=FUZZY_DR_OZ,HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,T_HK_NAME_DR,T_REMOTE_IMAGE
2015-07-12 07:12:18.512344500 16262 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
2015-07-12 07:12:18.525507500 16262 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1436703133:16262:0: OK
2015-07-12 07:12:18.525509500 16262 logging::logterse plugin (queue): ` 107.179.25.195  rdd9m.montrosevic.com   acosv.xyz       <Dr.OZ-Beach-Body-Tip@acosv.xyz>   <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3171088)    queued          <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.10044919@acosv.xyz-1181> No, hits=2.5 required=3.0_
2015-07-12 07:12:18.535696500 16269 queue::qmail_2dqueue plugin (queue): (for 16262 ) Queuing qp 16269 to /var/qmail/bin/qmail-queue
2015-07-12 07:12:18.738795500 16262 250 Queued! 1436703138 qp 16269 <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.10044919@acosv.xyz-1181>
2015-07-12 07:12:18.801179500 16262 dispatching QUIT
2015-07-12 07:12:18.801290500 16262 221 (REDACTED).com closing connection. Have a wonderful day.
2015-07-12 07:12:18.801325500 16262 click, disconnecting
2015-07-12 07:12:18.971748500 2010 cleaning up after 16262
...
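Added example, not code from any poster in this thread or from SME Server: it checks a candidate sender pattern against logterse-style summary lines before the pattern goes near a production server, and counts by source /24 the target-TLD messages that scored under the SpamAssassin threshold. The sample lines are condensed from the transcript above (recipient and message-ids replaced); the two ham lines, the pattern names and the assumption that a pattern is applied as a regex to the envelope sender are assumptions of this example.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample: summary lines condensed from the transcript above
# (recipient and message-ids replaced); the last two ham lines are invented.
SAMPLE_LOG = """\
2015-07-11 17:19:38.985211500 19183 107.158.123.237 queued <Apple-iPad-Device@theta237.credbe.xyz> <user@example.com> <id1> No, hits=1.4 required=3.0
2015-07-11 17:25:56.975646500 19315 107.158.123.238 queued <DrOzTrimWaistSecret@debrho.xyz> <user@example.com> <id2> Yes, hits=5.5 required=3.0
2015-07-11 17:31:08.777137500 19352 107.158.123.239 queued <SummerRoofSpecials@dojinx.xyz> <user@example.com> <id3> No, hits=2.9 required=3.0
2015-07-12 07:12:18.525509500 16262 107.179.25.195 queued <Dr.OZ-Beach-Body-Tip@acosv.xyz> <user@example.com> <id4> No, hits=2.5 required=3.0
2015-07-12 09:00:00.000000500 17001 192.0.2.10 queued <alice@edg.net> <user@example.com> <id5> No, hits=0.1 required=3.0
2015-07-12 09:05:00.000000500 17002 192.0.2.11 queued <bob@mail.xyzcorp.info.example.com> <user@example.com> <id6> No, hits=0.3 required=3.0
"""

TARGET_TLDS = {"xyz", "link", "info"}

# Two candidate patterns (assumption: applied as regexes to the envelope sender).
# LOOSE is unanchored, so it also fires on labels inside a longer hostname.
LOOSE = re.compile(r"\.(xyz|link|info)", re.I)
ANCHORED = re.compile(r"@(?:[a-z0-9-]+\.)+(?:xyz|link|info)$", re.I)

LINE_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+queued\s+<(?P<sender>[^>]*)>"
    r".*?(?:Yes|No), hits=(?P<hits>-?[\d.]+) required=(?P<req>[\d.]+)"
)

def parse(log):
    """Yield one record per queued-message summary line; skip everything else."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"ip": m["ip"], "sender": m["sender"].lower(),
                   "hits": float(m["hits"]), "required": float(m["req"])}

def sender_tld(sender):
    """Last DNS label of the sender address ('' for the null sender <>)."""
    return sender.rsplit(".", 1)[-1] if "." in sender else ""

def evaluate(pattern, records):
    """Sort senders into blocked / false_positive / missed for one pattern."""
    out = {"blocked": [], "false_positive": [], "missed": []}
    for r in records:
        targeted = sender_tld(r["sender"]) in TARGET_TLDS
        hit = bool(pattern.search(r["sender"]))
        if hit and targeted:
            out["blocked"].append(r["sender"])
        elif hit:
            out["false_positive"].append(r["sender"])
        elif targeted:
            out["missed"].append(r["sender"])
    return out

def under_threshold_by_net(records):
    """Count target-TLD messages that scored below 'required', per source /24."""
    nets = Counter()
    for r in records:
        if sender_tld(r["sender"]) in TARGET_TLDS and r["hits"] < r["required"]:
            nets[str(ip_network(r["ip"] + "/24", strict=False))] += 1
    return nets

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    for name, pat in (("loose", LOOSE), ("anchored", ANCHORED)):
        print(name, evaluate(pat, recs))
    print(dict(under_threshold_by_net(recs)))
```
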