Search found 42 matches

by BOOZy
12 May 2025 07:57
Forum: Discussion
Topic: Bad TXREP scores from Sophos infra
Replies: 1
Views: 8204

Bad TXREP scores from Sophos infra

Lately I see a lot of legitimate email being sent via Sophos' servers being flagged or nearly flagged as spam.
They do have valid DKIM so I guess I could tweak DKIM scoring to offset the high TXREP score.

94.140.18.81 id-euc1.prod.hydra.sophos.com United States
dkim=pass (2048-bit key) header.d ...
by BOOZy
14 Nov 2024 13:16
Forum: How-to
Topic: Anacron Job error: gzip: /etc/MailScanner/phishing.safe.sites.conf.master.gz: unexpected end of file
Replies: 5
Views: 27761

Re: Anacron Job error: gzip: /etc/MailScanner/phishing.safe.sites.conf.master.gz: unexpected end of file

Getting this error as well lately.

If you open the phishing.safe.sites.conf.master.gz file in a text editor it reads: 301 Moved Permanently (surrounded by some html).

So it seems the file has moved to another url and the script that downloads it doesn't understand the redirect and instead ...
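What the post describes is a downloader that saved the HTTP "301 Moved Permanently" page under the .gz name and then handed it to gzip. The following is an added shell example, not MailScanner's or eFa's update script and not code from the post: a fetch that follows redirects, and a validation step that refuses to replace the previous list unless the download really is a complete gzip stream. The URL argument is a placeholder (the post does not give the new location); the offline demonstration uses constructed files.

```sh
#!/bin/sh
# Added example (not part of the forum post or of the MailScanner/eFa code):
# fetch a gzip'd list while following redirects, and refuse to install the
# result unless it really is a valid gzip stream. A "301 Moved Permanently"
# HTML page saved under a .gz name is exactly what the post describes.

# validate_gz FILE -> 0 if FILE is a complete gzip stream, 1 otherwise.
validate_gz() {
    # gzip streams start with 1f 8b; checking that first gives a clearer
    # message than "unexpected end of file" when the body is HTML.
    magic=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "1f8b" ]; then
        echo "validate_gz: $1 is not gzip data (first bytes: ${magic:-none})" >&2
        return 1
    fi
    # gzip -t walks the whole stream, including the CRC and length trailer,
    # so a download cut off mid-way is caught as well.
    gzip -t "$1" 2>/dev/null || { echo "validate_gz: $1 is truncated or corrupt" >&2; return 1; }
    return 0
}

# fetch_gz URL DEST: download with redirects followed (-L), fail on HTTP
# errors (-f), keep redirects on https, validate, then replace DEST
# atomically. URL is whatever your copy of the update script uses; it is
# a parameter here, not a fact taken from the post.
fetch_gz() {
    url=$1; dest=$2
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if curl -fsSL --max-redirs 5 --proto-redir =https -o "$tmp" "$url" \
       && validate_gz "$tmp"; then
        mv -f "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"
    echo "fetch_gz: download rejected, keeping previous $dest" >&2
    return 1
}

# Offline demonstration on constructed inputs (no network used).
demo() {
    d=$(mktemp -d) || return 1
    # Constructed: what a web server returns for a moved URL.
    printf '<html><head><title>301 Moved Permanently</title></head>\n<body><h1>301 Moved Permanently</h1></body></html>\n' > "$d/redirect.gz"
    # Constructed: a genuine gzip'd list.
    printf 'example.com\nexample.net\n' | gzip -c > "$d/good.gz"
    # Constructed: the same file cut off after the 10-byte gzip header.
    dd if="$d/good.gz" of="$d/truncated.gz" bs=1 count=10 2>/dev/null
    validate_gz "$d/redirect.gz"  && echo "redirect.gz: unexpectedly accepted"
    validate_gz "$d/good.gz"      && echo "good.gz: valid"
    validate_gz "$d/truncated.gz" && echo "truncated.gz: unexpectedly accepted"
    rm -rf "$d"
}

demo
```

The lasting fix is to point the script at the list's new location; until then, validating before `mv` means a bad download leaves the last good phishing.safe.sites.conf.master.gz in place instead of breaking the nightly job. `--proto-redir =https` makes curl refuse a redirect that drops to plain http, which matters for a list that feeds a phishing whitelist.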
by BOOZy
26 Oct 2023 07:20
Forum: How-to
Topic: How to filter ever changing subdomains
Replies: 9
Views: 27086

Re: How to filter ever changing subdomains

I fixed it a different, maybe more elaborate, way.
What I've done is:
1 - disable recursive DNS on EFA
2 - created my own recursive DNS servers
3 - added the offending domains to my new DNS servers as if I'm authoritative
4 - added a * wildcard subdomain
5 - left the wildcard subdomain empty except ...
by BOOZy
22 Sep 2023 09:22
Forum: How-to
Topic: How to filter ever changing subdomains
Replies: 9
Views: 27086

Re: How to filter ever changing subdomains

This subdomain system is horrendously easy to abuse. ICANN needs to have a serious look at this but I'm afraid nothing will happen until big players like Google, Cisco, Microsoft, etc. start blocking them.
by BOOZy
20 Sep 2023 14:52
Forum: How-to
Topic: How to filter ever changing subdomains
Replies: 9
Views: 27086

Re: How to filter ever changing subdomains

1 - We have been training Bayes, it's not enough

2 - IP blocks are ineffective; with the sub-domains they change IPs. Typically these are rented VPSes and they don't care if those are taken offline within a day (probably using stolen credit cards to pay for them).

3 - "sa.com" is not a TLD and ...
by BOOZy
20 Sep 2023 09:10
Forum: How-to
Topic: How to filter ever changing subdomains
Replies: 9
Views: 27086

How to filter ever changing subdomains

One very prolific spammer keeps getting through by using new subdomains every other day.
These subdomains have functional SPF and DMARC records and even matching RDNS.

A wildcard filter like @*.sa.com does not seem to work, is there any other way to filter these?

Examples:

preacher@hallfate.sa ...
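The two approaches in this thread, a sender-domain match that catches any depth of subdomain (the question above, where `@*.sa.com` did not work) and the resolver sinkhole described in the 26 Oct 2023 reply, as an added shell example. This is not eFa, MailScanner or SpamAssassin code and not BOOZy's configuration. It assumes the abusive senders all sit under one parent domain (sa.com, from the thread), uses constructed sender addresses, and assumes unbound as the resolver; the reply does not say which DNS server was used, and how eFa's own blacklist interprets a wildcard is not settled on this page, so the any-depth match is implemented explicitly.

```sh
#!/bin/sh
# Added example for the "ever changing subdomains" thread. Not eFa, MailScanner
# or SpamAssassin code and not BOOZy's configuration. Assumptions: the abusive
# senders sit at arbitrary depth under one parent (sa.com in the thread), the
# sender addresses below are constructed, and the resolver is unbound.

# lc NAME -> lower-cased, without a trailing dot (DNS names are case-insensitive).
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# domain_under NAME PARENT -> 0 if NAME is PARENT or any-depth subdomain of it.
# Anchored on a label boundary, so notsa.com and sa.com.example.net do not match.
domain_under() {
    name=$(lc "$1"); parent=$(lc "$2")
    [ "$name" = "$parent" ] && return 0
    case "$name" in
        *".$parent") return 0 ;;
    esac
    return 1
}

# sender_blocked ADDRESS PARENT... -> 0 if the address's domain is under any
# listed parent. This is what a wildcard entry like "@*.sa.com" is meant to do;
# here the any-depth behaviour is explicit instead of relying on list syntax.
sender_blocked() {
    addr=$1; shift
    dom=${addr##*@}
    [ "$dom" = "$addr" ] && return 1        # no '@': not a usable address
    for p in "$@"; do
        domain_under "$dom" "$p" && return 0
    done
    return 1
}

# unbound_sinkhole NAME... -> local-zone lines for unbound.conf. always_nxdomain
# makes the resolver answer NXDOMAIN for NAME and everything beneath it, which
# is the effect of the "authoritative with an empty wildcard" setup from the
# 26 Oct 2023 reply, in one line per zone. Run unbound-checkconf after adding.
unbound_sinkhole() {
    for n in "$@"; do
        printf 'local-zone: "%s." always_nxdomain\n' "$(lc "$n")"
    done
}

# Stand-alone demonstration on constructed addresses.
for a in user@abc123.sa.com user@deep.abc123.sa.com USER@ABC123.SA.COM. \
         user@notsa.com user@sa.com.example.net; do
    if sender_blocked "$a" sa.com; then echo "$a: blocked"; else echo "$a: allowed"; fi
done
unbound_sinkhole abc123.sa.com Other.sa.com
```

Two cautions. Sinkholing the parent itself (sa.com) takes every legitimate customer of that subdomain provider down with the spammer; the reply talks about "offending domains", so list the abused names specifically unless you accept that collateral. And NXDOMAIN for the sender's domain does not reject the message by itself: it makes the SPF, DKIM and reverse-DNS lookups fail, so the mail is then judged by whatever your SpamAssassin/MailScanner rules do with a sender that has no resolvable domain.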
by BOOZy
07 Jun 2023 09:34
Forum: 4.x Bugs
Topic: Maxmind GeoIP2 license key not accepted
Replies: 6
Views: 17659

Re: Maxmind GeoIP2 license key not accepted

Thank you.

The code change allows for the new key to be accepted.
by BOOZy
06 Jun 2023 13:39
Forum: 4.x Bugs
Topic: Maxmind GeoIP2 license key not accepted
Replies: 6
Views: 17659

Re: Maxmind GeoIP2 license key not accepted

Mine was generated on the day I posted this, June 1st.

As far as I can deduce, as of geoipupdate version 3.1.1 there is a new key format to use.
by BOOZy
01 Jun 2023 10:21
Forum: 4.x Bugs
Topic: Maxmind GeoIP2 license key not accepted
Replies: 6
Views: 17659

Maxmind GeoIP2 license key not accepted

[eFa] Please enter your MaxMind License Key (c to cancel): XXXXXX_ZAJ5wHRIAkbC2uFujBv18HaT5cYy2_xxx
ERROR: Invalid entry.

My guess is that the key format has changed and EFA is not accepting the new format.
by BOOZy
15 May 2023 08:22
Forum: Feature Requests
Topic: Different retention times for quarantined and normal email
Replies: 3
Views: 20814

Re: Different retention times for quarantined and normal email

How would this work?
Right now under "Quarantine Retention" you only have one option, this setting reflects the retention time for both spam and legitimate email.
I'd like to see this split up into two values reflecting retention for spam and legitimate email separately.
Since I'm not involved in ...
by BOOZy
10 May 2023 09:05
Forum: Feature Requests
Topic: Different retention times for quarantined and normal email
Replies: 3
Views: 20814

Different retention times for quarantined and normal email

On a busy server disk space will be consumed fairly quickly by legitimate email, setting retention very short helps but hinders retrieving false positives, and setting retention to only save spam removes the ability to manually train SA or resend an email.
by BOOZy
31 Mar 2022 09:14
Forum: Feature Requests
Topic: External subnet block lists in CIDR notation
Replies: 2
Views: 18585

External subnet block lists in CIDR notation

It'd be nice if there was an option to use block lists like the Spamhaus drop and edrop lists.

https://www.spamhaus.org/drop/
https://www.spamhaus.org/drop/drop.txt

This would also allow me to dynamically block IPs from a list generated by a different application in my network.
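The request above is for consuming a CIDR list such as Spamhaus DROP, or one produced by another tool on the network. The following is an added shell example, not eFa or Postfix code: it turns a DROP-style text list into a Postfix cidr: access table, refusing any line that is not a valid IPv4 CIDR so that a truncated or redirected download cannot produce a table Postfix rejects, and it includes a containment check so the result can be tested before it goes live. The input format assumed is ';'-prefixed comment lines and "CIDR ; reference" entries (the layout drop.txt has used); the sample list is constructed from RFC 5737 documentation ranges and is not real data.

```sh
#!/bin/sh
# Added example for the CIDR block list request. Not eFa or Postfix code.
# Assumes a DROP-style text list: ';'-prefixed comment lines and entries of the
# form "CIDR ; reference" (the layout drop.txt has used); IPv4 only. The sample
# list below is constructed from RFC 5737 documentation ranges, not real data.

# ip2int A.B.C.D -> the address as a decimal 32-bit integer; 1 if malformed.
# Octets with leading zeros are rejected on purpose: parsers disagree on
# whether "010" is 10 or octal 8, which is a classic block-list bypass.
ip2int() {
    ip=$1
    case "$ip" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR IP -> 0 if IP lies inside CIDR.
cidr_contains() {
    bits=${1#*/}
    [ "$bits" != "$1" ] || return 1                  # no '/' present
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    net=$(ip2int "${1%/*}") || return 1
    ip=$(ip2int "$2") || return 1
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# drop_to_cidr_table < list -> "CIDR REJECT ..." lines in Postfix cidr: table
# format. Comment and blank lines are dropped; anything that is not a valid
# IPv4 CIDR is reported on stderr and skipped rather than written out.
drop_to_cidr_table() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|';'*|'#'*) continue ;; esac
        set -f; set -- $line; set +f              # split on whitespace, no globbing
        cidr=${1%%;*}                              # tolerate "CIDR;ref" without a space
        ref=$(printf '%s' "$line" | sed -n 's/^[^;]*;[[:space:]]*//p')
        ip=${cidr%/*}; bits=${cidr#*/}
        if [ "$ip" = "$cidr" ] || ! ip2int "$ip" >/dev/null; then
            echo "skipped: $line" >&2; continue
        fi
        case "$bits" in ''|*[!0-9]*) echo "skipped: $line" >&2; continue ;; esac
        [ "$bits" -le 32 ] || { echo "skipped: $line" >&2; continue; }
        printf '%s REJECT Listed in DROP%s\n' "$cidr" "${ref:+ ($ref)}"
    done
    return 0
}

# ip_listed IP < table -> 0 if any entry of a cidr table (or bare CIDR list)
# read from stdin contains IP. Useful to check a table before Postfix loads it.
ip_listed() {
    while read -r cidr rest; do
        case "$cidr" in ''|'#'*|';'*) continue ;; esac
        cidr_contains "$cidr" "$1" && return 0
    done
    return 1
}

# Constructed sample in DROP layout (documentation ranges, two bad lines).
sample_drop() {
    cat <<'EOF'
; Spamhaus DROP List (constructed sample for this example, not real data)
; Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
not-an-ip/24 ; junk line that must be skipped
203.0.113.0/33 ; bad prefix length, skipped
EOF
}

# Stand-alone demonstration: build the table, then test two addresses against it.
sample_drop | drop_to_cidr_table
for addr in 192.0.2.77 198.51.100.200; do
    if sample_drop | drop_to_cidr_table 2>/dev/null | ip_listed "$addr"; then
        echo "$addr: listed"; else echo "$addr: not listed"; fi
done
```

Generate the table into something like /etc/postfix/drop.cidr and reference it with `check_client_access cidr:/etc/postfix/drop.cidr` in `smtpd_client_restrictions`; cidr: tables are read directly (no postmap) but Postfix must be reloaded after each regeneration. Whether eFa rewrites main.cf on its own is not stated on this page, so check that before editing by hand. For DROP specifically, the ranges are hijacked or leased-to-criminals space that should not reach any service, so feeding the same CIDRs into an ipset at the firewall is the more complete use; the SMTP-level REJECT is what the feature request asks for and is easier to audit in the mail log.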
by BOOZy
17 Dec 2021 13:13
Forum: Feature Requests
Topic: Score by RDNS TLD
Replies: 4
Views: 23221

Re: Score by RDNS TLD

That's the idea.

I'm not sure if SpamAssassin does anything with reverse-DNS other than to check if one exists.
by BOOZy
16 Dec 2021 10:15
Forum: Feature Requests
Topic: Score by RDNS TLD
Replies: 4
Views: 23221

Re: Score by RDNS TLD

Both posts describe adding filters based on the 'from' email address, not the TLD of the sender's reverse-DNS.

Writing your own rules is nice if you have the time, skill and documentation needed available to you.
I'd love to spend the next two weeks acquiring those but I gather my boss won't be too ...
by BOOZy
10 Dec 2021 08:25
Forum: Feature Requests
Topic: Score by RDNS TLD
Replies: 4
Views: 23221

Score by RDNS TLD

I'd like to propose the option to add a spam score based on the Top Level Domain of the reverse-DNS of the sender.

Lately more and more spam (and phishing) seems to be arriving from non-botnet spammers who go through the effort of setting up servers with functional but disposable reverse-DNS records ...
by BOOZy
11 Jan 2021 10:36
Forum: 4.x Bugs
Topic: ALL PDF files are blocked due to antivirus false positive
Replies: 5
Views: 4749

Re: ALL PDF files are blocked due to antivirus false positive

Fixed, I have disabled YARA rules in master.conf.
by BOOZy
11 Jan 2021 08:55
Forum: 4.x Bugs
Topic: ALL PDF files are blocked due to antivirus false positive
Replies: 5
Views: 4749

ALL PDF files are blocked due to antivirus false positive

Virus (YARA.invalid_trailer_structure.UNOFFICIAL)

and Virus (YARA.possible_includes_base64_packed_functions.UNOFFICIAL)

Is there a workaround or update yet?
by BOOZy
14 Feb 2020 08:57
Forum: Feature Requests
Topic: eFa MailWatch HTTPS Port 8080
Replies: 2
Views: 5035

Re: eFa MailWatch HTTPS Port 8080

I'd rather see the option to set an ACL for the MailWatch page. Through the SSH CLI menu would be easiest to implement I gather.
by BOOZy
14 Nov 2019 08:59
Forum: 4.x Bugs
Topic: Serious bug, SPAM getting through
Replies: 2
Views: 2660

Serious bug, SPAM getting through

I'm seeing spam that seems to originate from our domain getting through without a problem.
SPF for our domain is set as strict as possible with -all to hardfail on no match.
At closer inspection of the headers and how EFA checks SPF the issue seems clear:
EFA is not checking the domain in the 'From ...
by BOOZy
14 Nov 2019 08:13
Forum: How-to
Topic: Extreme paranoid mode
Replies: 3
Views: 2590

Re: Extreme paranoid mode

shawniverson wrote (13 Nov 2019 15:56): "X-Spam-Status:yes headers on all email!"

:lol: :lol: :lol: :lol: :dance:
That's close enough, he wanted me to restrict external email to smartphones.
by BOOZy
13 Nov 2019 14:07
Forum: How-to
Topic: Extreme paranoid mode
Replies: 3
Views: 2590

Extreme paranoid mode

Hello all,

I have a client who is extremely paranoid about getting malware through email.
Do you guys have any tips on specific settings that can do:
1 - filter or mark all hyper-links except white-listed ones
2 - filter all attachments except white-listed ones.
3 - any other settings you'd deem ...
by BOOZy
12 Mar 2019 10:23
Forum: 4.x Bugs
Topic: How to install EFA4 Beta RC2/RC3 on Hyper-V 2016
Replies: 4
Views: 9545

Re: How to install EFA4 Beta RC2 on Hyper-V 2016

Just a reminder to my future self as I'm going to forget this and Google it again.
If you forget to add the script at install and end up with a clean and functional CentOS machine, you can download the cfg and manually install the packages and execute the post-install commands as they're defined ...
by BOOZy
11 Mar 2019 09:06
Forum: 3.x Bugs
Topic: [re-fixed] Outgoing mail stuck in queue
Replies: 1
Views: 3833

[re-fixed] Outgoing mail stuck in queue

Mail is stuck in queue, postfix -f doesn't do anything.
However, if I reboot the first 30 queued emails are sent then the rest gets stuck again.
I have diverted outgoing mail to a different route so the queue is not growing.
But with 2000 emails stuck I'd need to reboot another 67 times to get them ...
by BOOZy
08 Mar 2019 16:15
Forum: 3.x Bugs
Topic: Can't view headers
Replies: 1
Views: 3843

Can't view headers

The little "i" button next to the processed messages doesn't show any headers, only the date/time and source IP address.
System messages do give me full header information though.