Search found 39 matches
- 26 Oct 2023 07:20
- Forum: How-to
- Topic: How to filter ever changing subdomains
- Replies: 9
- Views: 14302
Re: How to filter ever changing subdomains
I fixed it a different, maybe more elaborate, way. What I've done is: 1 - disabled recursive DNS on EFA 2 - created my own recursive DNS servers 3 - added the offending domains to my new DNS servers as if I'm authoritative 4 - added a * wildcard subdomain 5 - left the wildcard subdomain empty except fo...
- 22 Sep 2023 09:22
- Forum: How-to
- Topic: How to filter ever changing subdomains
- Replies: 9
- Views: 14302
Re: How to filter ever changing subdomains
This subdomain system is horrendously easy to abuse. The ICANN needs to have a serious look at this but I'm afraid nothing will happen until big players like Google, Cisco, Microsoft, etc. start blocking them.
- 20 Sep 2023 14:52
- Forum: How-to
- Topic: How to filter ever changing subdomains
- Replies: 9
- Views: 14302
Re: How to filter ever changing subdomains
1 - We have been training Bayes, it's not enough 2 - IP blocks are ineffective, with the sub-domains they change IPs, typically these are rented VPS's and they don't care if those are taken off-line within a day (probably using stolen credit-cards to pay for them) 3 - "sa.com" is not a TLD...
- 20 Sep 2023 09:10
- Forum: How-to
- Topic: How to filter ever changing subdomains
- Replies: 9
- Views: 14302
How to filter ever changing subdomains
One very prolific spammer keeps getting through by using new subdomains every other day. These subdomains have functional SPF and DMARC records and even matching RDNS. A wildcard filter like @*.sa.com does not seem to work, is there any other way to filter these? Examples: preacher@hallfate.sa.com f...
- 07 Jun 2023 09:34
- Forum: 4.x Bugs
- Topic: Maxmind GeoIP2 license key not accepted
- Replies: 6
- Views: 8689
Re: Maxmind GeoIP2 license key not accepted
Thank you.
The code change allows for the new key to be accepted.
- 06 Jun 2023 13:39
- Forum: 4.x Bugs
- Topic: Maxmind GeoIP2 license key not accepted
- Replies: 6
- Views: 8689
Re: Maxmind GeoIP2 license key not accepted
Mine was generated on the day I posted this, June 1st.
As far as I can deduce as of geoipupdate version 3.1.1 there is a new key format to use.
- 01 Jun 2023 10:21
- Forum: 4.x Bugs
- Topic: Maxmind GeoIP2 license key not accepted
- Replies: 6
- Views: 8689
Maxmind GeoIP2 license key not accepted
[eFa] Please enter your MaxMind License Key (c to cancel): XXXXXX_ZAJ5wHRIAkbC2uFujBv18HaT5cYy2_xxx
ERROR: Invalid entry.
My guess is that the key format has changed and EFA is not accepting the new format.
- 15 May 2023 08:22
- Forum: Feature Requests
- Topic: Different retention times for quarantined and normal email
- Replies: 3
- Views: 1945
Re: Different retention times for quarantined and normal email
How would this work? Right now under "Quarantine Retention" you only have one option, this setting reflects the retention time for both spam and legitimate email. I'd like to see this split up into two values reflecting retention for spam and legitimate email separately. Since I'm not invo...
- 10 May 2023 09:05
- Forum: Feature Requests
- Topic: Different retention times for quarantined and normal email
- Replies: 3
- Views: 1945
Different retention times for quarantined and normal email
On a busy server disk space will be consumed fairly quickly by legitimate email, setting retention very short helps but hinders retrieving false positives, and setting retention to only save spam removes the ability to manually train SA or resend an email.
- 31 Mar 2022 09:14
- Forum: Feature Requests
- Topic: External subnet block lists in CIDR notation
- Replies: 2
- Views: 2112
External subnet block lists in CIDR notation
It'd be nice if there was an option to use block lists like the Spamhaus drop and edrop lists.
https://www.spamhaus.org/drop/
https://www.spamhaus.org/drop/drop.txt
This would also allow me to dynamically block IPs from a list generated by a different application in my network.
- 17 Dec 2021 13:13
- Forum: Feature Requests
- Topic: Score by RDNS TLD
- Replies: 4
- Views: 3135
Re: Score by RDNS TLD
That's the idea.
I'm not sure if SpamAssassin does anything with reverse-DNS other than to check if one exists.
- 16 Dec 2021 10:15
- Forum: Feature Requests
- Topic: Score by RDNS TLD
- Replies: 4
- Views: 3135
Re: Score by RDNS TLD
Both posts describe adding filters based on the 'from' email address, not the TLD of the sender's reverse-DNS. Writing your own rules is nice if you have the time, skill and documentation needed available to you. I'd love to spend the next two weeks acquiring those but I gather my boss won't be too ...
- 10 Dec 2021 08:25
- Forum: Feature Requests
- Topic: Score by RDNS TLD
- Replies: 4
- Views: 3135
Score by RDNS TLD
I'd like to propose the option to add a spam score based on the Top Level Domain of the reverse-DNS of the sender. Lately more and more spam (and phishing) seems to be arriving from non-botnet spammers who go through the effort of setting up servers with functional but disposable reverse-DNS records, elu...
- 11 Jan 2021 10:36
- Forum: 4.x Bugs
- Topic: ALL PDF files are blocked due to antivirus false positive
- Replies: 5
- Views: 2990
Re: ALL PDF files are blocked due to antivirus false positive
Fixed, I have disabled YARA rules in master.conf.
- 11 Jan 2021 08:55
- Forum: 4.x Bugs
- Topic: ALL PDF files are blocked due to antivirus false positive
- Replies: 5
- Views: 2990
ALL PDF files are blocked due to antivirus false positive
Virus (YARA.invalid_trailer_structure.UNOFFICIAL)
and Virus (YARA.possible_includes_base64_packed_functions.UNOFFICIAL)
Is there a workaround or update yet?
- 14 Feb 2020 08:57
- Forum: Feature Requests
- Topic: eFa MailWatch HTTPS Port 8080
- Replies: 2
- Views: 3541
Re: eFa MailWatch HTTPS Port 8080
I'd rather see the option to set an ACL for the MailWatch page. Through the SSH CLI menu would be easiest to implement I gather.
- 14 Nov 2019 08:59
- Forum: 4.x Bugs
- Topic: Serious bug, SPAM getting through
- Replies: 2
- Views: 1903
Serious bug, SPAM getting through
I'm seeing spam that seems to originate from our domain getting through without a problem. SPF for our domain is set as strict as possible with -all to hardfail on no match. At closer inspection of the headers and how EFA checks SPF the issue seems clear: EFA is not checking the domain in the 'From'...
- 14 Nov 2019 08:13
- Forum: How-to
- Topic: Extreme paranoid mode
- Replies: 3
- Views: 2003
Re: Extreme paranoid mode
That's close enough, he wanted me to restrict external email to smartphones.
- 13 Nov 2019 14:07
- Forum: How-to
- Topic: Extreme paranoid mode
- Replies: 3
- Views: 2003
Extreme paranoid mode
Hello all, I have a client who is extremely paranoid about getting malware through email. Do you guys have any tips on specific settings that can do: 1 - filter or mark all hyper-links except white-listed ones 2 - filter all attachments except white-listed ones. 3 - any other settings you'd deem nec...
- 12 Mar 2019 10:23
- Forum: 4.x Bugs
- Topic: How to install EFA4 Beta RC2/RC3 on Hyper-V 2016
- Replies: 4
- Views: 6673
Re: How to install EFA4 Beta RC2 on Hyper-V 2016
Just a reminder to my future self as I'm going to forget this and Google it again. If you forget to add the script at install and end up with a clean and functional CentOS machine, you can download the cfg and manually install the packages and execute the post install commands as they're defined ins...
- 11 Mar 2019 09:06
- Forum: 3.x Bugs
- Topic: [re-fixed] Outgoing mail stuck in queue
- Replies: 1
- Views: 2468
[re-fixed] Outgoing mail stuck in queue
Mail is stuck in queue, postfix -f doesn't do anything. However, if I reboot the first 30 queued emails are sent then the rest gets stuck again. I have diverted outgoing mail to a different route so the queue is not growing. But with 2000 emails stuck I'd need to reboot another 67 times to get them ...
- 08 Mar 2019 16:15
- Forum: 3.x Bugs
- Topic: Can't view headers
- Replies: 1
- Views: 2421
Can't view headers
The little "i" button next to the processed messages doesn't show any headers, only the date/time and source IP address.
System messages do give me full header information though.
- 25 Jan 2019 08:51
- Forum: 3.x Bugs
- Topic: Overzealous double extension filter
- Replies: 2
- Views: 2779
Overzealous double extension filter
Hi All, I often see emails being blocked that trigger the double extension filter that a human viewer can instantly recognize as a false positive. For example: 'itinerary j.doe.pdf' will get filtered. Since both '.doe' and '.pdf' are safe extensions this shouldn't happen. I have manually added a few...
- 12 Dec 2018 13:19
- Forum: Feature Requests
- Topic: Skip greylisting on matching SPF record
- Replies: 1
- Views: 4372
Skip greylisting on matching SPF record
I'd like to speed up mail delivery from sources that have properly configured SPF records. This would greatly reduce waiting and administration time, especially with mail from Office 365 as Microsoft seems to have a zillion mail servers and their auto balance algorithm conflicts with greylisting in ge...
- 24 Sep 2018 07:30
- Forum: 3.x Bugs
- Topic: mysql overloading system cpu/IO
- Replies: 34
- Views: 50701
Re: mysql overloading system cpu/IO
And it went away... All by itself.