Page 1 of 1

Interesting email based blacklist

Posted: 24 Nov 2017 13:20
by nicola.piazzi
Take a look to this
https://msbl.org

here 2 config files to put in /etc/mail/spamassassin
http://msbl.org/tools/sa-hashbl.tar.gz

I installed it 1 hour ago and i have no hits at the moment

Re: Interesting email based blacklist

Posted: 24 Nov 2017 18:10
by pdwalker
Can’t hurt to try. I’ll implement it tomorrow and see what happens.

Re: Interesting email based blacklist

Posted: 27 Nov 2017 07:43
by nicola.piazzi
Only 11 hits in the weekend but absolutely no false positive, i ' ll increase score to 3.00

Re: Interesting email based blacklist

Posted: 27 Nov 2017 07:50
by pdwalker
I just turned it on less than three hours ago, and I've already gotten three hits.

Excellent.

Re: Interesting email based blacklist

Posted: 27 Nov 2017 07:59
by nicola.piazzi
yes,
there are not a lot of hits because this is non a rbl
this is email address based so it have few entries but these are sure that is spam

Re: Interesting email based blacklist

Posted: 27 Nov 2017 08:20
by pdwalker
Every little bit helps.

Re: Interesting email based blacklist

Posted: 12 Jan 2018 07:51
by pdwalker
So far, I've gotten 242 messages to trigger this rule. 100% spam. Increasing the spam score to 4.0

Re: Interesting email based blacklist

Posted: 12 Jan 2018 08:22
by nicola.piazzi
yes, they are based on real case so hit is 100%

Re: Interesting email based blacklist

Posted: 08 Jan 2019 02:57
by Alleyviper
Hi there,

Where to put pm file included?

Re: Interesting email based blacklist

Posted: 08 Jan 2019 07:27
by nicola.piazzi
same dir where local.cf

Re: Interesting email based blacklist

Posted: 22 Jan 2019 23:17
by Alleyviper
Hi Nicola,

Works like a charm :)

Check the custom phishing.bad.sites.custom to enhance event more blocking bad stuff

Code: Select all


https://forum.efa-project.org/viewtopic.php?f=14&t=3334


Re: Interesting email based blacklist

Posted: 05 Mar 2019 12:09
by ovizii
Alleyviper wrote: 08 Jan 2019 02:57 Hi there,

Where to put pm file included?
I don't think its necessary to do anything. as of Sa 3.4.2 if you have /etc/mail/spamassassin/hashbl.cf look inside, mine says:

Code: Select all

loadplugin Mail::SpamAssassin::Plugin::HashBL   HashBL.pm

ifplugin Mail::SpamAssassin::Plugin::HashBL
    header   HASHBL_EMAIL       eval:check_hashbl_emails('ebl.msbl.org')
    describe HASHBL_EMAIL       Message contains email address found on the EBL
    score    HASHBL_EMAIL       1.0
endif
then go to your EFA dashboard => Tools and Links => Spamassassin Lin (Test) then check if HASHBL_EMAIL was loaded.

Re: Interesting email based blacklist

Posted: 22 Apr 2020 20:21
by mattch
Using v4 the HashBL plugin is already loaded in v342.pre but not listing any HashBL.pm file.

I commented out loadplugin for hashbl in v342.pre file, or alternatively add HashBL.pm and then comment loadplugin listed in the hashbl.cf file.

Re: Interesting email based blacklist

Posted: 23 Apr 2020 14:29
by smyers119
mattch wrote: 22 Apr 2020 20:21 Using v4 the HashBL plugin is already loaded in v342.pre but not listing any HashBL.pm file.

I commented out loadplugin for hashbl in v342.pre file
Why?

Did you not see this:
15 November 2018

SpamAssassin 3.4.2 has added support for HASHBLs through its Mail::SpamAssassin::Plugin::HashBL plugin. To use the EBL with SpamAssassin 2.3.2 and later versions, you simply enable this plugin in your spamAssassin configuration. The SpamAssassin milter remains available for those using earlier versions of SpamAssassin.
Source

Re: Interesting email based blacklist

Posted: 23 Apr 2020 15:04
by mattch
I did but i also get this:

Apr 23 11:02:14.523 [28636] dbg: plugin: loading Mail::SpamAssassin::Plugin::HashBL from @INC 0.00332
Apr 23 11:02:14.544 [28636] dbg: HashBL: local tests only, disabling HashBL

Re: Interesting email based blacklist

Posted: 23 Apr 2020 15:29
by smyers119
mattch wrote: 23 Apr 2020 15:04 I did but i also get this:

Apr 23 11:02:14.523 [28636] dbg: plugin: loading Mail::SpamAssassin::Plugin::HashBL from @INC 0.00332
Apr 23 11:02:14.544 [28636] dbg: HashBL: local tests only, disabling HashBL
That's normal, it just means it's disabled for the test, note other plugins do the same thing.

Re: Interesting email based blacklist

Posted: 23 Apr 2020 16:08
by mattch
oh you're right, dcc pyzor and spamcop show disabled in the lint test.

So that means HashBL.pm file doesn't need to be referenced in the loadplugin in sa v3.4.2+, because its built-in right?

Sorry for such basic questions.

Re: Interesting email based blacklist

Posted: 23 Apr 2020 16:12
by smyers119
That's correct, but you still need the CF file, although i haven't had 1 hit since adding it

Re: Interesting email based blacklist

Posted: 23 Apr 2020 16:23
by mattch
Yeah me either and I got excited. When no hits on my spammiest users after a day I assumed it wasn't working. i suppose no hits can be considered a good thing.

Re: Interesting email based blacklist

Posted: 23 Apr 2020 16:35
by smyers119
mattch wrote: 23 Apr 2020 16:23 Yeah me either and I got excited. When no hits on my spammiest users after a day I assumed it wasn't working. i suppose no hits can be considered a good thing.
I'll let it run a couple days then do a search to see if i got any hits. and check beck here.

Re: Interesting email based blacklist

Posted: 24 Apr 2020 01:08
by smyers119
Ok so I checked back after 24 hours, got 3 hits, 2 were false positives. Not looking to good for this hash based block list. I'll follow it over the next week and see what happens.

the false positives were from:

Code: Select all

3gigixgckbukyz2p0w9rzzrwp.nzxv7zyrxtoowp4z7y3st0.nzx@idverification.bounces.google.com 
aka:
noreply@google.com
and
3x_2hxhekaeyvwzmxt6+nmmlxzw56owwotm.kwu@feedburner.bounces.google.com 	
aka:
Topic Search <noreply+feedproxy@google.com>
Note my mail volume is around 2000/day