Interesting email based blacklist

Questions and answers about how to do stuff
Post Reply
nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Interesting email based blacklist

Post by nicola.piazzi » 24 Nov 2017 13:20

Take a look to this
https://msbl.org

here 2 config files to put in /etc/mail/spamassassin
http://msbl.org/tools/sa-hashbl.tar.gz

I installed it 1 hour ago and i have no hits at the moment

User avatar
pdwalker
Posts: 1256
Joined: 18 Mar 2015 09:16

Re: Interesting email based blacklist

Post by pdwalker » 24 Nov 2017 18:10

Can’t hurt to try. I’ll implement it tomorrow and see what happens.

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Interesting email based blacklist

Post by nicola.piazzi » 27 Nov 2017 07:43

Only 11 hits in the weekend but absolutely no false positive, i ' ll increase score to 3.00

User avatar
pdwalker
Posts: 1256
Joined: 18 Mar 2015 09:16

Re: Interesting email based blacklist

Post by pdwalker » 27 Nov 2017 07:50

I just turned it on less than three hours ago, and I've already gotten three hits.

Excellent.

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Interesting email based blacklist

Post by nicola.piazzi » 27 Nov 2017 07:59

yes,
there are not a lot of hits because this is non a rbl
this is email address based so it have few entries but these are sure that is spam

User avatar
pdwalker
Posts: 1256
Joined: 18 Mar 2015 09:16

Re: Interesting email based blacklist

Post by pdwalker » 27 Nov 2017 08:20

Every little bit helps.

User avatar
pdwalker
Posts: 1256
Joined: 18 Mar 2015 09:16

Re: Interesting email based blacklist

Post by pdwalker » 12 Jan 2018 07:51

So far, I've gotten 242 messages to trigger this rule. 100% spam. Increasing the spam score to 4.0

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Interesting email based blacklist

Post by nicola.piazzi » 12 Jan 2018 08:22

yes, they are based on real case so hit is 100%

Alleyviper
Posts: 75
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: Interesting email based blacklist

Post by Alleyviper » 08 Jan 2019 02:57

Hi there,

Where to put pm file included?

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Interesting email based blacklist

Post by nicola.piazzi » 08 Jan 2019 07:27

same dir where local.cf

Alleyviper
Posts: 75
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: Interesting email based blacklist

Post by Alleyviper » 22 Jan 2019 23:17

Hi Nicola,

Works like a charm :)

Check the custom phishing.bad.sites.custom to enhance event more blocking bad stuff

Code: Select all


https://forum.efa-project.org/viewtopic.php?f=14&t=3334


ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Interesting email based blacklist

Post by ovizii » 05 Mar 2019 12:09

Alleyviper wrote:
08 Jan 2019 02:57
Hi there,

Where to put pm file included?
I don't think its necessary to do anything. as of Sa 3.4.2 if you have /etc/mail/spamassassin/hashbl.cf look inside, mine says:

Code: Select all

loadplugin Mail::SpamAssassin::Plugin::HashBL   HashBL.pm

ifplugin Mail::SpamAssassin::Plugin::HashBL
    header   HASHBL_EMAIL       eval:check_hashbl_emails('ebl.msbl.org')
    describe HASHBL_EMAIL       Message contains email address found on the EBL
    score    HASHBL_EMAIL       1.0
endif
then go to your EFA dashboard => Tools and Links => Spamassassin Lin (Test) then check if HASHBL_EMAIL was loaded.

mattch
Posts: 30
Joined: 28 Mar 2018 22:26

Re: Interesting email based blacklist

Post by mattch » 22 Apr 2020 20:21

Using v4 the HashBL plugin is already loaded in v342.pre but not listing any HashBL.pm file.

I commented out loadplugin for hashbl in v342.pre file, or alternatively add HashBL.pm and then comment loadplugin listed in the hashbl.cf file.

smyers119
Posts: 74
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 » 23 Apr 2020 14:29

mattch wrote:
22 Apr 2020 20:21
Using v4 the HashBL plugin is already loaded in v342.pre but not listing any HashBL.pm file.

I commented out loadplugin for hashbl in v342.pre file
Why?

Did you not see this:
15 November 2018

SpamAssassin 3.4.2 has added support for HASHBLs through its Mail::SpamAssassin::Plugin::HashBL plugin. To use the EBL with SpamAssassin 2.3.2 and later versions, you simply enable this plugin in your spamAssassin configuration. The SpamAssassin milter remains available for those using earlier versions of SpamAssassin.
Source

mattch
Posts: 30
Joined: 28 Mar 2018 22:26

Re: Interesting email based blacklist

Post by mattch » 23 Apr 2020 15:04

I did but i also get this:

Apr 23 11:02:14.523 [28636] dbg: plugin: loading Mail::SpamAssassin::Plugin::HashBL from @INC 0.00332
Apr 23 11:02:14.544 [28636] dbg: HashBL: local tests only, disabling HashBL

smyers119
Posts: 74
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 » 23 Apr 2020 15:29

mattch wrote:
23 Apr 2020 15:04
I did but i also get this:

Apr 23 11:02:14.523 [28636] dbg: plugin: loading Mail::SpamAssassin::Plugin::HashBL from @INC 0.00332
Apr 23 11:02:14.544 [28636] dbg: HashBL: local tests only, disabling HashBL
That's normal, it just means it's disabled for the test, note other plugins do the same thing.

mattch
Posts: 30
Joined: 28 Mar 2018 22:26

Re: Interesting email based blacklist

Post by mattch » 23 Apr 2020 16:08

oh you're right, dcc pyzor and spamcop show disabled in the lint test.

So that means HashBL.pm file doesn't need to be referenced in the loadplugin in sa v3.4.2+, because its built-in right?

Sorry for such basic questions.

smyers119
Posts: 74
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 » 23 Apr 2020 16:12

That's correct, but you still need the CF file, although i haven't had 1 hit since adding it

mattch
Posts: 30
Joined: 28 Mar 2018 22:26

Re: Interesting email based blacklist

Post by mattch » 23 Apr 2020 16:23

Yeah me either and I got excited. When no hits on my spammiest users after a day I assumed it wasn't working. i suppose no hits can be considered a good thing.

smyers119
Posts: 74
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 » 23 Apr 2020 16:35

mattch wrote:
23 Apr 2020 16:23
Yeah me either and I got excited. When no hits on my spammiest users after a day I assumed it wasn't working. i suppose no hits can be considered a good thing.
I'll let it run a couple days then do a search to see if i got any hits. and check beck here.

smyers119
Posts: 74
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 » 24 Apr 2020 01:08

Ok so I checked back after 24 hours, got 3 hits, 2 were false positives. Not looking to good for this hash based block list. I'll follow it over the next week and see what happens.

the false positives were from:

Code: Select all

3gigixgckbukyz2p0w9rzzrwp.nzxv7zyrxtoowp4z7y3st0.nzx@idverification.bounces.google.com 
aka:
noreply@google.com
and
3x_2hxhekaeyvwzmxt6+nmmlxzw56owwotm.kwu@feedburner.bounces.google.com 	
aka:
Topic Search <noreply+feedproxy@google.com>
Note my mail volume is around 2000/day

Post Reply