by BOOZy
26 Oct 2023 07:20
Forum: How-to
Topic: How to filter ever changing subdomains
Replies: 9
Views: 14296

Re: How to filter ever changing subdomains

I fixed it a different, maybe more elaborate, way. What I've done is: 1 - disable recursive DNS on EFA 2 - created my own recursive DNS servers 3 - added the offending domains to my new DNS servers as if I'm authoritative 4 - added a * wildcard subdomain 5 - left the wildcard subdomain empty except fo...
by BOOZy
22 Sep 2023 09:22
Forum: How-to
Topic: How to filter ever changing subdomains
Replies: 9
Views: 14296

Re: How to filter ever changing subdomains

This subdomain system is horrendously easy to abuse. ICANN needs to have a serious look at this, but I'm afraid nothing will happen until big players like Google, Cisco, Microsoft, etc. start blocking them.
by BOOZy
20 Sep 2023 14:52
Forum: How-to
Topic: How to filter ever changing subdomains
Replies: 9
Views: 14296

Re: How to filter ever changing subdomains

1 - We have been training Bayes, it's not enough 2 - IP blocks are ineffective, with the sub-domains they change IPs, typically these are rented VPSes and they don't care if those are taken off-line within a day (probably using stolen credit cards to pay for them) 3 - "sa.com" is not a TLD...
by BOOZy
20 Sep 2023 09:10
Forum: How-to
Topic: How to filter ever changing subdomains
Replies: 9
Views: 14296

How to filter ever changing subdomains

One very prolific spammer keeps getting through by using new subdomains every other day. These subdomains have functional SPF and DMARC records and even matching RDNS. A wildcard filter like @*.sa.com does not seem to work; is there any other way to filter these? Examples: preacher@hallfate.sa.com f...
by BOOZy
07 Jun 2023 09:34
Forum: 4.x Bugs
Topic: Maxmind GeoIP2 license key not accepted
Replies: 6
Views: 8689

Re: Maxmind GeoIP2 license key not accepted

Thank you.

The code change allows for the new key to be accepted.
by BOOZy
06 Jun 2023 13:39
Forum: 4.x Bugs
Topic: Maxmind GeoIP2 license key not accepted
Replies: 6
Views: 8689

Re: Maxmind GeoIP2 license key not accepted

Mine was generated on the day I posted this, June 1st.

As far as I can deduce, as of geoipupdate version 3.1.1 there is a new key format to use.
by BOOZy
01 Jun 2023 10:21
Forum: 4.x Bugs
Topic: Maxmind GeoIP2 license key not accepted
Replies: 6
Views: 8689

Maxmind GeoIP2 license key not accepted

[eFa] Please enter your MaxMind License Key (c to cancel): XXXXXX_ZAJ5wHRIAkbC2uFujBv18HaT5cYy2_xxx
ERROR: Invalid entry.

My guess is that the key format has changed and EFA is not accepting the new format.
by BOOZy
15 May 2023 08:22
Forum: Feature Requests
Topic: Different retention times for quarantined and normal email
Replies: 3
Views: 1945

Re: Different retention times for quarantined and normal email

How would this work? Right now under "Quarantine Retention" you only have one option; this setting reflects the retention time for both spam and legitimate email. I'd like to see this split up into two values reflecting retention for spam and legitimate email separately. Since I'm not invo...
by BOOZy
10 May 2023 09:05
Forum: Feature Requests
Topic: Different retention times for quarantined and normal email
Replies: 3
Views: 1945

Different retention times for quarantined and normal email

On a busy server, disk space will be consumed fairly quickly by legitimate email. Setting retention very short helps but hinders retrieving false positives, and setting retention to only save spam removes the ability to manually train SA or resend an email.
by BOOZy
31 Mar 2022 09:14
Forum: Feature Requests
Topic: External subnet block lists in CIDR notation
Replies: 2
Views: 2112

External subnet block lists in CIDR notation

It'd be nice if there was an option to use block lists like the Spamhaus drop and edrop lists.

https://www.spamhaus.org/drop/
https://www.spamhaus.org/drop/drop.txt

This would also allow me to dynamically block IPs from a list generated by a different application in my network.
by BOOZy
17 Dec 2021 13:13
Forum: Feature Requests
Topic: Score by RDNS TLD
Replies: 4
Views: 3135

Re: Score by RDNS TLD

That's the idea.

I'm not sure if SpamAssassin does anything with reverse-DNS other than to check if one exists.
by BOOZy
16 Dec 2021 10:15
Forum: Feature Requests
Topic: Score by RDNS TLD
Replies: 4
Views: 3135

Re: Score by RDNS TLD

Both posts describe adding filters based on the 'from' email address, not the TLD of the sender's reverse-DNS. Writing your own rules is nice if you have the time, skill and documentation needed available to you. I'd love to spend the next two weeks acquiring those but I gather my boss won't be too ...
by BOOZy
10 Dec 2021 08:25
Forum: Feature Requests
Topic: Score by RDNS TLD
Replies: 4
Views: 3135

Score by RDNS TLD

I'd like to propose the option to add a spam score based on the Top Level Domain of the reverse-DNS of the sender. Lately more and more spam (and phishing) seems to be arriving from non-botnet spammers who go through the effort of setting up servers with functional but disposable reverse-DNS records, elu...
by BOOZy
11 Jan 2021 10:36
Forum: 4.x Bugs
Topic: ALL PDF files are blocked due to antivirus false positive
Replies: 5
Views: 2989

Re: ALL PDF files are blocked due to antivirus false positive

Fixed, I have disabled YARA rules in master.conf.
by BOOZy
11 Jan 2021 08:55
Forum: 4.x Bugs
Topic: ALL PDF files are blocked due to antivirus false positive
Replies: 5
Views: 2989

ALL PDF files are blocked due to antivirus false positive

Virus (YARA.invalid_trailer_structure.UNOFFICIAL)

and Virus (YARA.possible_includes_base64_packed_functions.UNOFFICIAL)

Is there a workaround or update yet?
by BOOZy
14 Feb 2020 08:57
Forum: Feature Requests
Topic: eFa MailWatch HTTPS Port 8080
Replies: 2
Views: 3541

Re: eFa MailWatch HTTPS Port 8080

I'd rather see the option to set an ACL for the MailWatch page. Through the SSH CLI menu would be easiest to implement I gather.
by BOOZy
14 Nov 2019 08:59
Forum: 4.x Bugs
Topic: Serious bug, SPAM getting through
Replies: 2
Views: 1903

Serious bug, SPAM getting through

I'm seeing spam that seems to originate from our domain getting through without a problem. SPF for our domain is set as strict as possible with -all to hardfail on no match. At closer inspection of the headers and how EFA checks SPF the issue seems clear: EFA is not checking the domain in the 'From'...
by BOOZy
14 Nov 2019 08:13
Forum: How-to
Topic: Extreme paranoid mode
Replies: 3
Views: 2003

Re: Extreme paranoid mode

shawniverson wrote: 13 Nov 2019 15:56 X-Spam-Status:yes headers on all email!

:lol: :lol: :lol: :lol: :dance:
That's close enough, he wanted me to restrict external email to smartphones.
by BOOZy
13 Nov 2019 14:07
Forum: How-to
Topic: Extreme paranoid mode
Replies: 3
Views: 2003

Extreme paranoid mode

Hello all, I have a client who is extremely paranoid about getting malware through email. Do you guys have any tips on specific settings that can do: 1 - filter or mark all hyper-links except white-listed ones 2 - filter all attachments except white-listed ones. 3 - any other settings you'd deem nec...
by BOOZy
12 Mar 2019 10:23
Forum: 4.x Bugs
Topic: How to install EFA4 Beta RC2/RC3 on Hyper-V 2016
Replies: 4
Views: 6671

Re: How to install EFA4 Beta RC2 on Hyper-V 2016

Just a reminder to my future self as I'm going to forget this and Google it again. If you forget to add the script at install and end up with a clean and functional CentOS machine, you can download the cfg and manually install the packages and execute the post install commands as they're defined ins...
by BOOZy
11 Mar 2019 09:06
Forum: 3.x Bugs
Topic: [re-fixed] Outgoing mail stuck in queue
Replies: 1
Views: 2468

[re-fixed] Outgoing mail stuck in queue

Mail is stuck in queue, postfix -f doesn't do anything. However, if I reboot the first 30 queued emails are sent then the rest gets stuck again. I have diverted outgoing mail to a different route so the queue is not growing. But with 2000 emails stuck I'd need to reboot another 67 times to get them ...
by BOOZy
08 Mar 2019 16:15
Forum: 3.x Bugs
Topic: Can't view headers
Replies: 1
Views: 2421

Can't view headers

The little "i" button next to the processed messages doesn't show any headers, only the date/time and source IP address.
System messages do give me full header information though.
by BOOZy
25 Jan 2019 08:51
Forum: 3.x Bugs
Topic: Overzealous double extension filter
Replies: 2
Views: 2779

Overzealous double extension filter

Hi All, I often see emails being blocked that trigger the double extension filter that a human viewer can instantly recognize as a false positive. For example: 'itinerary j.doe.pdf' will get filtered. Since both '.doe' and '.pdf' are safe extensions this shouldn't happen. I have manually added a few...
by BOOZy
12 Dec 2018 13:19
Forum: Feature Requests
Topic: Skip greylisting on matching SPF record
Replies: 1
Views: 4371

Skip greylisting on matching SPF record

I'd like to speed up mail delivery from sources that have properly configured SPF records. This would greatly reduce waiting and administration time, especially with mail from Office 365, as Microsoft seems to have a zillion mail servers and their auto balance algorithm conflicts with greylisting in ge...
by BOOZy
24 Sep 2018 07:30
Forum: 3.x Bugs
Topic: mysql overloading system cpu/IO
Replies: 34
Views: 50696

Re: mysql overloading system cpu/IO

And it went away... All by itself.