Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: MSmith on July 09, 2015, 03:52:14 PM
-
.xyz, .link, .info ... and to a certain extent .us ...
Literally NO "ham" emails ever seen from these new TLDs.
THOUSANDS of spam emails flooding in.
Some blocked with RBLList / SBLList but not many.
Is there no way to stem this tide?
Yes, I recognize that blocking an entire TLD is "bad form" but I am drowning here.
WBL, despite having been raised as a possible solution, does not seem configurable to block an entire TLD. Of course, my syntax may be deficient. I've tried many things, and on advice have tried:
db spamassassin setprop wbl.global *@*.xyz Black
db spamassassin setprop wbl.global *@*.link Black
This does not seem to work.
RBLList and SBLList work on some of these, but not all, and not always. The bad guys seem to have the upper hand currently.
-
Can you show what you have setup:
db spamassassin show wbl.global
And please, define "does not seem to work" (either it works as expected or it doesn't, but it cannot seem not to work ;-))
-
Okay, "does not block the emails I expected it to block" :smile:
[root@postman ~]# db spamassassin show wbl.global
wbl.global=list
*@*.info=Black
*@*.link=Black
*@*.xyz=Black
*@big6drilling.com=White
*@edg.net=White
-
Have you checked in /etc/mail/spamassassin/local.cf if the settings in the DB have been correctly expanded ?
-
[root@postman spamassassin]# cat local.cf
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
dns_available yes
internal_networks 192.168.50.11
lock_method flock
ok_locales all
bayes_path /var/spool/spamd/.spamassassin/bayes
bayes_file_mode 750
report_safe 0
required_score 3
rewrite_header Subject [SPAM]
skip_rbl_checks 0
clear_trusted_networks
trusted_networks 192.168.50.11
use_bayes 0
blacklist_from *@*.info
whitelist_from *@big6drilling.com
blacklist_from *@*.link
blacklist_from *@*.xyz
whitelist_from *@edg.net
-
Okay, "does not block the emails I expected it to block"
It might be useful to be specific.
-
.xyz, .link, .info ... and to a certain extent .us ...
You seem to have asked the same question before and I did write one possible solution :
http://forums.contribs.org/index.php/topic,51408.msg261341.html
Also there is an update for spamassassin on your bug http://bugs.contribs.org/show_bug.cgi?id=8980 for v9 that needs testing
B. Rgds
John
-
You seem to have asked the same question before and I did write one possible solution :
Yes, you did write a possible solution ... one that would require that I install something that you "kludged" ... I am sure that you are a superb coder, but I am also sure that you do not expect me to install "kludged" code and mess around with templates on production servers!
Perhaps you would work up your code into a contrib that could be tested?
One of the issues with spam rejection is that it's a challenge to build a testing environment ... perhaps I should set up a test domain and subscribe that domain to every spam link I can find.
The devs are hard at work on fixing SpamAssassin so it will check these new TLDs against blacklists, and I am confident that they will accomplish their task within the accepted SME framework.
-
It might be useful to be specific.
Having issued DB commands with wildcards that should block everything from a specific TLD, e.g. *@*.link, I would expect that everything with a "from" address ending in ".link" would be blocked. This did not happen. The problematic emails all end in ".link" and ".xyz" but have many, many different domain names before the TLD. I would suspect that the spammers are aware of problems blocking entire TLDs and have crafted this spam campaign accordingly.
-
The log snippet you've posted on http://bugs.contribs.org/show_bug.cgi?id=8980 shows that it was working. Please show your full spamassassin settings:
db configuration show spamassassin
-
You seem to have asked the same question before and I did write one possible solution :
Yes, you did write a possible solution ... one that would require that I install something that you "kludged" ... I am sure that you are a superb coder, but I am also sure that you do not expect me to install "kludged" code and mess around with templates on production servers!
No, I am not a 'superb' coder and don't need patronising, thanks. My coding skills are extremely limited, but if I can do what I did then anyone can, if they can be bothered.
You really ought to read what I actually said in the post. I wrote a 'kludge' to test grep patterns, which are the important parts you need to check before employing the plugin. That did not need installing on your production server - anything running perl would have been fine. Of course, you could have written your own if you didn't trust it.
The plugin and templates as stated would work and are correct within 'the SME framework'. That was not a kludge (if you bothered to check)
Whether you choose to use it is your prerogative.
Perhaps you would work up your code into a contrib that could be tested?
Perhaps I could, but then I don't really have an issue, so it is not a requirement. I just pasted it to try and help you out. Perhaps you could learn to code a bit (like I did) and have a go yourself ? There are lots of people who will help you, and you will learn a lot in the process.
One of the issues with spam rejection is that it's a challenge to build a testing environment ... perhaps I should set up a test domain and subscribe that domain to every spam link I can find.
That's probably one way - e.g. set up a honeypot - but I am sure there are probably others. Probably worth googling.....
The devs are hard at work on fixing SpamAssassin so it will check these new TLDs against blacklists, and I am confident that they will accomplish their task within the accepted SME framework.
Yes I am well aware of every bug, as it goes with the territory of being El Presidente round here....
There are multiples ways of dealing with junk. Spamassassin is just one. None are perfect.
The method I described using a standard qpsmtpd plugin (check_badmailfrom_patterns is already there and just needs activating - have a look in /usr/share/qpsmtpd/plugins to see for yourself) is within the bounds of normal operation for SME. There are other plugins there as well that have not been activated but could if required.
It would help a lot if you tested the updated spamassassin on your bug and report back accordingly.
B. Rgds
John
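Added example (Python; not code from the thread, from qpsmtpd or from SME Server) modelling what the MAIL FROM-time check described in the post above decides for a set of envelope senders, so that patterns can be tried out before anything touches a production server. The config shape used here, one Perl-style regex per line followed by an optional rejection reason, is an assumption; check the POD at the top of /usr/share/qpsmtpd/plugins/check_badmailfrom_patterns for the real format. Two things the model makes visible: a pattern anchored on the end of the domain rejects only the TLDs in question, while an unanchored "xyz" also rejects a constructed, legitimate-looking .com sender; and because this hook runs at MAIL FROM, before DATA, a rejected message is refused before SpamAssassin (which runs at data_post in the log posted later in this thread) ever sees it, so a wbl.global White entry cannot rescue it. The hook only sees the envelope sender, so a message with a clean envelope sender and a .xyz From: header passes it. Senders marked as constructed are not from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed config shape (see lead-in): "<regex>  <optional rejection reason>" per line,
# '#' comments and blank lines ignored. Raw strings keep the backslashes intact.
GOOD_PATTERNS = r"""
# Anchored on the end of the domain: only senders whose domain ends in .xyz, .link or .info
\.(?:xyz|link|info)$   Mail from this TLD is not accepted here
"""

SLOPPY_PATTERNS = r"""
# Unanchored: fires on "xyz" anywhere in the address, local part included
xyz   Mail from this address is not accepted here
"""

Rule = Tuple[re.Pattern, str]


def parse_patterns(text: str) -> List[Rule]:
    """Turn the (assumed) config text into compiled (regex, reason) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)                   # pattern first, the rest is the reason
        reason = parts[1] if len(parts) > 1 else 'Mail from this address is not accepted here'
        rules.append((re.compile(parts[0], re.IGNORECASE), reason))   # domains are case-insensitive
    return rules


def mail_from_hook(sender: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Model of a qpsmtpd MAIL FROM hook: DENY with a 550 reply if any rule matches the
    envelope sender, DECLINED (let the next plugin decide) otherwise. The null sender
    '' (MAIL FROM:<>) used by bounces is never pattern-rejected."""
    if sender == '':
        return 'DECLINED', None
    for rx, reason in rules:
        if rx.search(sender):
            return 'DENY', f'550 {reason}'
    return 'DECLINED', None


def evaluate(senders: List[str], config_text: str) -> Dict[str, str]:
    """Decision per sender under one pattern set, for side-by-side comparison."""
    rules = parse_patterns(config_text)
    return {s: mail_from_hook(s, rules)[0] for s in senders}


SAMPLE_SENDERS = [
    'Dr.OZ-Beach-Body-Tip@acosv.xyz',     # envelope sender from the log posted in the thread
    'SummerRoofSpecials@dojinx.xyz',      # from the qploggrep output in the thread
    'news@xyz-widgets.example.com',       # constructed: a legitimate-looking .com sender
    'accounts@big6drilling.com',          # domain the poster has as White in wbl.global
    '',                                   # null sender: a bounce / DSN
]

if __name__ == '__main__':
    good = evaluate(SAMPLE_SENDERS, GOOD_PATTERNS)
    sloppy = evaluate(SAMPLE_SENDERS, SLOPPY_PATTERNS)
    for s in SAMPLE_SENDERS:
        print(f"{s or '<>':40} anchored={good[s]:8} unanchored={sloppy[s]}")
```

Run it as-is to see the two pattern sets side by side; the only sender on which they disagree is the constructed .com address, which is exactly the false positive an unanchored pattern would produce on a live server.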
-
:lol:
-
ReetP: I apologize for coming across as patronizing. That was not my intent, but clearly that was the message I conveyed. I will write more later about my experiences with the current state of affairs.
-
ReetP: I apologize for coming across as patronizing. That was not my intent, but clearly that was the message I conveyed. I will write more later about my experiences with the current state of affairs.
No worries - lets just try and get it sorted for you :-)
Be really good if you can have a go at testing the new version of spamassassin.
B. Rgds
John
-
Here's a transcript of part of a PuTTY session, for those masochistic enough to pore over it. The first part is the result of "qploggrep .xyz", the second part is after I realized after ALL THESE YEARS that I can pipe tail through tai64nlocal :?
Note the sequential IP addresses ... this is a feature of this spam run, a bunch of sequential IP addresses in a /24, then a bunch from another /24.
Also note that these are sailing right through, even with Spamassassin set to trigger at a score of 3.0.
**************
2015-07-11 17:19:34.947811500 19183 107.158.123.237 0/40
2015-07-11 17:19:38.985211500 19183 107.158.123.237 queued <Apple-iPad-Device@theta237.credbe.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317ae68) <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.10829512@theta237.credbe.xyz> No, hits=1.4 required=3.0_
2015-07-11 17:25:56.975646500 19315 107.158.123.238 queued <DrOzTrimWaistSecret@debrho.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3136ff8) <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.1565376@debrho.xyz> Yes, hits=5.5 required=3.0_
2015-07-11 17:31:08.777137500 19352 107.158.123.239 queued <SummerRoofSpecials@dojinx.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137e98) <97bf0ab46f12c59cec09ec1f6aea31f9.7385638.23459438@dojinx.xyz> No, hits=2.9 required=3.0_
2015-07-11 17:35:16.722057500 19481 107.158.123.240 queued <IncreaseYourIntelligence@easfl.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137ef8) <97bf0ab46f12c59cec09ec1f6aea31f9.3548702.14352122@easfl.xyz> Yes, hits=8.0 required=3.0_
2015-07-11 17:40:11.115329500 19521 107.158.123.241 0/40
2015-07-11 17:40:23.926606500 19521 107.158.123.241 queued <Your-Private-Fantasy@theta241.theysilentcouplething.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317eb88) <13920909.6822927_97bf0ab46f12c59cec09ec1f6aea31f9@theta241.theysilentcouplething.xyz> No, hits=1.4 required=3.0_
2015-07-11 17:44:44.150205500 19650 107.158.123.242 queued <CureYourTinnitus@carehearingimportance.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3138188) <97bf0ab46f12c59cec09ec1f6aea31f9.4832235.16822652@carehearingimportance.xyz> Yes, hits=5.0 required=3.0_
2015-07-11 17:54:57.256687500 19888 107.158.123.244 queued <Dr.Ozs-Bean-Secret@curedkidneydevelopment.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137478) <17282193-17282193-97bf0ab46f12c59cec09ec1f6aea31f9@curedkidneydevelopment.xyz> Yes, hits=5.5 required=3.0_
2015-07-11 17:59:23.607591500 19927 107.158.123.245 queued <Met-Life-Senior-Burial-Plans@educti.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3138028) <97bf0ab46f12c59cec09ec1f6aea31f9.23599116.17027139@educti.xyz> No, hits=2.9 required=3.0_
2015-07-11 18:12:23.283400500 20080 107.158.123.246 0/40
2015-07-11 18:12:36.054942500 20080 107.158.123.246 queued <Kohler.Walk-in.Bath@theta246.eeloil.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317e948) <97bf0ab46f12c59cec09ec1f6aea31f9.18488693.23783501@theta246.eeloil.xyz> No, hits=1.4 required=3.0_
2015-07-11 18:17:28.160266500 20305 107.158.123.247 queued <MercedesInventoryClearance@enlimo.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137f78) <97bf0ab46f12c59cec09ec1f6aea31f9.16558364.22651250@enlimo.xyz> No, hits=2.9 required=3.0_
2015-07-11 18:23:35.352527500 20338 107.158.123.248 queued <GNC-Strength-Booster@fafree.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3136ff8) <97bf0ab46f12c59cec09ec1f6aea31f9.21709888.14910708@fafree.xyz> No, hits=2.9 required=3.0_
2015-07-11 18:28:32.810458500 20473 107.158.123.249 0/40
2015-07-11 18:28:36.093186500 20473 107.158.123.249 queued <Marvin-July-Window-Event@theta249.finddc.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317a248) <97bf0ab46f12c59cec09ec1f6aea31f9.20583647.22422084@theta249.finddc.xyz> No, hits=1.4 required=3.0_
2015-07-11 18:31:38.710930500 20501 107.158.123.250 queued <PublicRecordsExposed@activecheckfiles.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137f38) <6370064-24410741.97bf0ab46f12c59cec09ec1f6aea31f9@activecheckfiles.xyz> No, hits=1.3 required=3.0_
2015-07-11 18:39:26.234511500 20638 107.158.123.251 1/40
2015-07-11 18:39:33.670363500 20638 107.158.123.251 queued <KitchenAidWarehouseClearance@theta251.foamla.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x31828f8) <97bf0ab46f12c59cec09ec1f6aea31f9.3103436.23849553@theta251.foamla.xyz> Yes, hits=4.5 required=3.0_
2015-07-11 18:44:08.587242500 20772 107.158.123.252 0/40
2015-07-11 18:44:12.301176500 20772 107.158.123.252 queued <ContactLensDiscounts@theta252.ftmom.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317a878) <97bf0ab46f12c59cec09ec1f6aea31f9.22485998.17379614@theta252.ftmom.xyz> No, hits=1.4 required=3.0_
2015-07-11 18:48:36.161938500 20902 107.158.123.253 0/40
2015-07-11 18:48:39.435132500 20902 107.158.123.253 queued <CureEar-Ringing@theta253.backhearingwhose.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317f878) <97bf0ab46f12c59cec09ec1f6aea31f9.12248810.16747279@theta253.backhearingwhose.xyz> Yes, hits=3.4 required=3.0_
[root@mailserver bin]# tail -f /var/log/qpsmtpd/current | tai64nlocal
2015-07-12 04:49:00.241427500 13616 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 04:49:00.248613500 13616 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 04:49:01.253195500 13616 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2015-07-12 04:49:01.255778500 13616 220 mailserver.(REDACTED).com ESMTP
2015-07-12 04:49:02.284636500 13616 dispatching RSET
2015-07-12 04:49:02.284764500 13616 250 OK
2015-07-12 04:49:02.304667500 13616 dispatching QUIT
2015-07-12 04:49:02.304668500 13616 221 (REDACTED).com closing connection. Have a wonderful day.
2015-07-12 04:49:02.304669500 13616 click, disconnecting
2015-07-12 04:49:02.746933500 2010 cleaning up after 13616
2015-07-12 07:12:01.548976500 16262 Accepted connection 0/40 from 107.179.25.195 / rdd9m.montrosevic.com
2015-07-12 07:12:01.549053500 16262 Connection from rdd9m.montrosevic.com [107.179.25.195]
2015-07-12 07:12:01.549878500 16262 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 07:12:01.551396500 16262 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 07:12:01.560463500 16262 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-07-12 07:12:02.565063500 16262 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2015-07-12 07:12:02.568087500 16262 220 mailserver.(REDACTED).com ESMTP
2015-07-12 07:12:02.625409500 16262 dispatching EHLO acosv.xyz
2015-07-12 07:12:02.626598500 16262 250-(REDACTED).com Hi rdd9m.montrosevic.com [107.179.25.195]
2015-07-12 07:12:02.626628500 16262 250-PIPELINING
2015-07-12 07:12:02.626629500 16262 250-8BITMIME
2015-07-12 07:12:02.626655500 16262 250-SIZE 15000000
2015-07-12 07:12:02.626662500 16262 250 STARTTLS
2015-07-12 07:12:02.691301500 16262 dispatching MAIL FROM:<Dr.OZ-Beach-Body-Tip@acosv.xyz> BODY=7BIT
2015-07-12 07:12:02.691302500 16262 full from_parameter: FROM:<Dr.OZ-Beach-Body-Tip@acosv.xyz> BODY=7BIT
2015-07-12 07:12:03.357966500 16262 getting mail from <Dr.OZ-Beach-Body-Tip@acosv.xyz>
2015-07-12 07:12:03.358002500 16262 250 <Dr.OZ-Beach-Body-Tip@acosv.xyz>, sender OK - how exciting to get mail from you!
2015-07-12 07:12:03.358170500 16262 dispatching RCPT TO:<dick@(REDACTED).com>
2015-07-12 07:12:13.726083500 16262 check_goodrcptto plugin (rcpt): stripping '-' extensions
2015-07-12 07:12:13.727253500 16262 250 <dick@(REDACTED).com>, recipient ok
2015-07-12 07:12:13.727328500 16262 dispatching DATA
2015-07-12 07:12:13.727504500 16262 354 go ahead
2015-07-12 07:12:13.849667500 16262 spooling message to disk
2015-07-12 07:12:13.864093500 16262 bcc plugin (data_post): message copied to maillog
2015-07-12 07:12:18.512343500 16262 spamassassin plugin (data_post): check_spam: No, hits=2.5, required=3.0, tests=FUZZY_DR_OZ,HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS,T_HK_NAME_DR,T_REMOTE_IMAGE
2015-07-12 07:12:18.512344500 16262 virus::clamav plugin (data_post): Changing permissions on file to permit scanner access
2015-07-12 07:12:18.525507500 16262 virus::clamav plugin (data_post): clamscan results: /var/spool/qpsmtpd/1436703133:16262:0: OK
2015-07-12 07:12:18.525509500 16262 logging::logterse plugin (queue): ` 107.179.25.195 rdd9m.montrosevic.com acosv.xyz <Dr.OZ-Beach-Body-Tip@acosv.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3171088) queued <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.10044919@acosv.xyz-1181> No, hits=2.5 required=3.0_
2015-07-12 07:12:18.535696500 16269 queue::qmail_2dqueue plugin (queue): (for 16262 ) Queuing qp 16269 to /var/qmail/bin/qmail-queue
2015-07-12 07:12:18.738795500 16262 250 Queued! 1436703138 qp 16269 <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.10044919@acosv.xyz-1181>
2015-07-12 07:12:18.801179500 16262 dispatching QUIT
2015-07-12 07:12:18.801290500 16262 221 (REDACTED).com closing connection. Have a wonderful day.
2015-07-12 07:12:18.801325500 16262 click, disconnecting
2015-07-12 07:12:18.971748500 2010 cleaning up after 16262
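Added example (Python; not code from the thread, from SME Server or from SpamAssassin): it reproduces the way SpamAssassin turns a blacklist_from/whitelist_from glob such as *@*.xyz into an anchored regex, then runs the qploggrep lines posted above through it. Two checks drop out. First, whether the globs that wbl.global expanded into local.cf match those envelope senders at all (they do). Second, whether the logged score shows the entry actually fired: a blacklist_from hit adds the USER_IN_BLACKLIST rule, which scores 100 points by default, so hits=1.4 or hits=5.5 means the entry was not applied to that message. The full log line at 07:12:18 above lists the rules that fired for that message, and USER_IN_BLACKLIST is not among them, which points the same way. Caveat: SpamAssassin matches these globs against the From: header and the sender-type headers, while the logterse line records only the envelope sender, so the match below is an approximation of what SpamAssassin compares. The sample lines are copied from the qploggrep output above with the recipient kept redacted as in the post; the 100-point score is SpamAssassin's default and may differ if it has been overridden locally.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default score SpamAssassin adds (rule USER_IN_BLACKLIST) when a blacklist_from entry matches.
USER_IN_BLACKLIST_SCORE = 100.0

# The globs the poster's wbl.global entries expanded to in local.cf.
BLACKLIST_GLOBS = ['*@*.info', '*@*.link', '*@*.xyz']


def sa_addr_glob_to_regex(glob: str) -> re.Pattern:
    """Reproduce SpamAssassin's conversion of a whitelist_from/blacklist_from glob:
    lowercase, escape everything except '*', '?' and '_', '?' -> '.', a run of
    '*' -> '.*', and anchor at both ends. So '*@*.xyz' means "whole address,
    any local part, any domain ending in .xyz"."""
    pat = glob.lower()
    pat = re.sub(r'[\x00\\(]', '_', pat)            # SA's paranoia substitution
    pat = re.sub(r'([^*?_a-z0-9])', r'\\\1', pat)    # escape possible metacharacters
    pat = pat.replace('?', '.')
    pat = re.sub(r'\*+', '.*', pat)
    return re.compile('^' + pat + '$')


def sa_blacklist_match(addr: str, globs: List[str]) -> Optional[str]:
    """First glob matching the address (compared lowercased, as SA does), else None."""
    a = addr.lower()
    for g in globs:
        if sa_addr_glob_to_regex(g).match(a):
            return g
    return None


# qploggrep / logging::logterse summary: "... queued <sender> <rcpt>,... <msgid> Yes|No, hits=N required=M_"
LOGTERSE_RE = re.compile(
    r'queued <(?P<sender>[^>]*)> .*? (?P<verdict>Yes|No), hits=(?P<hits>-?[\d.]+) required=(?P<req>[\d.]+)')


@dataclass
class Verdict:
    sender: str
    hits: float
    required: float
    sa_flagged: bool          # SpamAssassin's own Yes/No at the configured threshold
    matched_glob: Optional[str]
    blacklist_fired: bool     # only true if the score shows USER_IN_BLACKLIST was added


def parse_logterse(line: str) -> Optional[Tuple[str, float, float, bool]]:
    """Sender, hits, required and verdict from one summary line; None for lines without one."""
    m = LOGTERSE_RE.search(line)
    if not m:
        return None           # connection-count lines such as "... 0/40" carry no verdict
    return m['sender'], float(m['hits']), float(m['req']), m['verdict'] == 'Yes'


def analyse(lines: List[str], globs: List[str]) -> List[Verdict]:
    """For each queued message: which glob would match its sender, and did the blacklist fire."""
    out = []
    for line in lines:
        parsed = parse_logterse(line)
        if parsed is None:
            continue
        sender, hits, req, flagged = parsed
        out.append(Verdict(sender, hits, req, flagged,
                           sa_blacklist_match(sender, globs),
                           hits >= USER_IN_BLACKLIST_SCORE))
    return out


# Lines taken from the qploggrep output posted above (recipient redacted as in the post).
SAMPLE_LOG = """\
2015-07-11 17:19:34.947811500 19183 107.158.123.237 0/40
2015-07-11 17:19:38.985211500 19183 107.158.123.237 queued <Apple-iPad-Device@theta237.credbe.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x317ae68) <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.10829512@theta237.credbe.xyz> No, hits=1.4 required=3.0_
2015-07-11 17:25:56.975646500 19315 107.158.123.238 queued <DrOzTrimWaistSecret@debrho.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3136ff8) <97bf0ab46f12c59cec09ec1f6aea31f9_97bf0ab46f12c59cec09ec1f6aea31f9.1565376@debrho.xyz> Yes, hits=5.5 required=3.0_
2015-07-11 17:35:16.722057500 19481 107.158.123.240 queued <IncreaseYourIntelligence@easfl.xyz> <dick@(REDACTED).com>,Mail::Address=ARRAY(0x3137ef8) <97bf0ab46f12c59cec09ec1f6aea31f9.3548702.14352122@easfl.xyz> Yes, hits=8.0 required=3.0_
""".splitlines()

if __name__ == '__main__':
    for v in analyse(SAMPLE_LOG, BLACKLIST_GLOBS):
        print(f"{v.sender:45} glob={v.matched_glob} hits={v.hits} "
              f"sa_flagged={v.sa_flagged} blacklist_fired={v.blacklist_fired}")
```

Every sender in the sample matches *@*.xyz, and none of the scores is anywhere near 100, so on these lines the blacklist_from entries were not being applied, whatever the reason; an address such as someone@xyz.example.com, by contrast, does not match, which is the anchoring the trailing $ provides.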
-
Here's a transcript of part of a PuTTY session, for those masochistic enough to pore over it.
But what would it tell us, other than that messages from .xyz sender addresses are not blocked by your server? We don't know your server configuration at the time of these mail deliveries.
Please post all further followup to the bug tracker. Thanks.
-
Yes please.
I believe there may be a number of different issues which we need to solve (along with some red herrings)
First, as noted on the bug, is the upgraded spamassassin. This needs verifying.
Separate issues such as Geoip should be in separate bugs.
We need to be methodical and logical about this, and the best place to resolve issues is on the bug tracker.
-
@all: please continue in bugzilla, thank you
locking as requested