spamassassin filtering not consistently working for some TLDs

cxgl
Posts: 8
Joined: 15 Jun 2016 21:30

spamassassin filtering not consistently working for some TLDs

Post by cxgl »

Hi,

Our eFa VM has been working very well for a long time, but for some reason, some particular TLDs are being inconsistently scored/blacklisted/etc.

I have tried adding 20 points to TLDs: .agency, .icu, .rocks -- sometimes they get added, sometimes they don't.

I have tried using blacklist_to on the particular email address that is being spammed. Sometimes it works, sometimes it doesn't.

I have tried adding to the whitelist and blacklist entries via the mailwatch UI. Nothing really changes.

In frustration, I keep 'learning' these particular emails, but they always come up as SA score 0.0

Any suggestions on what I should be looking for?

Thanks
cxgl
Posts: 8
Joined: 15 Jun 2016 21:30

Re: spamassassin filtering not consistently working for some TLDs

Post by cxgl »

Any ideas at all, anyone?
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: spamassassin filtering not consistently working for some TLDs

Post by henk »

Details?
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
cxgl
Posts: 8
Joined: 15 Jun 2016 21:30

Re: spamassassin filtering not consistently working for some TLDs

Post by cxgl »

Thanks, henk.

If you want/need more, please let me know.

1) spamassassin cfg snippets:

# TLDs to err on the side of spam:
header BANNED_RULE_TLD From =~ /(\.agency|\.icu|\.rocks|\.live|\.ru|\.hu|\.gt|\.br|\.in|\.nl|\.ch|\.it|\.ke|\.vn|\.es|\.pk|\.id|\.ar|\.la|\.mx|\.fj|\.cl|\.ro|\.sk|\.pt|\.co|\.bg|$
score BANNED_RULE_TLD 10 10 10 10

blacklist_from *.agency
blacklist_from *.icu
blacklist_from *.rocks
blacklist_to KnownHoneypotEmail@OnOneOfOurDomains.tld

header BAD_SENDER_001 ALL =~ /\.icu/i
score BAD_SENDER_001 20 20 20 20
header BAD_SENDER_002 ALL =~ /\.live/i
score BAD_SENDER_002 20 20 20 20
header BAD_SENDER_003 ALL =~ /\.agency/i
score BAD_SENDER_003 20 20 20 20
header BAD_SENDER_004 ALL =~ /\.rocks/i
score BAD_SENDER_004 20
# a header rule needs a header name (ToCc here) and =~ before the regex
header BAD_RECIPIENT_001 ToCc =~ /KnownHoneypotEmail/i
score BAD_RECIPIENT_001 20

2)
screenshot of *@*.agency going to one email address, some BL some not. Some manually learned as spam:
https://my.pcloud.com/publink/show?code ... rbGQ1WTn6y
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: spamassassin filtering not consistently working for some TLDs

Post by henk »

Somehow I live in a banned rule TLD (.nl) :think:

blacklist_from *.agency - Remove the wildcard and just leave the domain. Via MailWatch GUI under black and white lists. It will take effect after restarting MailScanner.

You could also add block country / ip's - viewtopic.php?t=2659

When I take a look at your screenshot, you could dig the IPs or look in the MailWatch GUI message detail. Likely it will be a small range. With the post in the link above, you can assign a high score quite easily.

If the domain is not valid, block it in postfix

another option (blacklist tld in postfix)
https://serverfault.com/questions/72864 ... in-postfix

another option : viewtopic.php?f=14&t=3227
cxgl
Posts: 8
Joined: 15 Jun 2016 21:30

Re: spamassassin filtering not consistently working for some TLDs

Post by cxgl »

henk wrote: 06 Jun 2019 17:47 Somehow I live in a banned rule TLD (.nl) :think:
Well, you've never written to me before. But I'll unblock it for you. :D
henk wrote: 06 Jun 2019 17:47 blacklist_from *.agency - Remove the wildcard and just leave the domain.
OK -- so just leave

blacklist_from .agency
henk wrote: 06 Jun 2019 17:47 Via MailWatch GUI under black and white lists. It will take effect after restarting MailScanner.
Are you saying change:

*@*.agency
to

@*.agency
or just

.agency
?
henk wrote: 06 Jun 2019 17:47 You could also add block country / ip's - viewtopic.php?t=2659

When I take a look at your screenshot, you could dig the IPs or look in the MailWatch GUI message detail. Likely it will be a small range. With the post in the link above, you can assign a high score quite easily.
OK. I'll dig and see.
henk wrote: 06 Jun 2019 17:47 If the domain is not valid, block it in postfix

another option (blacklist tld in postfix)
https://serverfault.com/questions/72864 ... in-postfix

another option : viewtopic.php?f=14&t=3227
OK. I'll check all 3 topics.

I'll post back if the above does what I'm hoping.

Thank you!
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: spamassassin filtering not consistently working for some TLDs

Post by henk »

Why does all the mail have a score of 0? And your -successfully- blacklisted mail a 150 score?

And you did enable MCP?

Do you ever have a score > 0 ?

Looks like you disabled scanning somehow.

Anyway, when you enter them via the GUI -> black and white list,

just enter @ and the domain you want to blacklist. So just @agency.com, no wildcards.

In your case they mess around with the domain names, so the blacklist will not work,
like
blalala@titi.agency
wdrfff@tata.agency

As postfix can block unknown domains, I would try that first.

The other option is to determine the sender's IP (just look in the message detail). Ten to one you will see a pattern. You can assign a high value to a single IP or ranges. The country block is helping also.
cxgl
Posts: 8
Joined: 15 Jun 2016 21:30

Re: spamassassin filtering not consistently working for some TLDs

Post by cxgl »

henk wrote: 06 Jun 2019 22:20 Why does all the mail have a score of 0? And your -successfully- blacklisted mail a 150 score?
That's part of my confusion. I don't know.
henk wrote: 06 Jun 2019 22:20 And you did enable MCP?
I don't think I disabled it, but I wonder if this is related to: https://forum.configserver.com/viewtopic.php?t=10023

In checking MailScanner.conf, I see:
MCP Checks = yes

henk wrote: 06 Jun 2019 22:20 Do you ever have a score > 0 ?
For SA? Yes. But not on the "failed-to-be-caught" emails from *@*.agency, .icu, etc.

On MCP -- no. It seems all MCP scores are zero. But again, maybe to do with the link above?
henk wrote: 06 Jun 2019 22:20 Looks like you disabled scanning somehow.

Anyway, when you enter them via the GUI -> black and white list,

just enter @ and the domain you want to blacklist. So just @agency.com, no wildcards.

In your case they mess around with the domain names, so the blacklist will not work,
like
blalala@titi.agency
wdrfff@tata.agency

As postfix can block unknown domains, I would try that first.
"unknown domains" blocking is definitely happening. I'm seeing entries in maillog right now such as: sender address rejected: domain not found

To update all those playing along at home, the following postfix changes are what I did, and it worked great. Thank you, henk!

I ended up putting these in /etc/postfix/header_checks:

/\.agency/i DISCARD .agency spam
/\.icu/i DISCARD .icu spam
/\.rocks/i DISCARD .rocks spam
I made sure this was in /etc/postfix/main.cf:

header_checks = regexp:/etc/postfix/header_checks
...and finally restarted the postfix daemon:

/etc/init.d/postfix restart
...and I've been back to a normal spam-(almost)-free existence without those tricksy bastards.
henk wrote: 06 Jun 2019 22:20 The other option is to determine the sender's IP (just look in the message detail). Ten to one you will see a pattern. You can assign a high value to a single IP or ranges. The country block is helping also.
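As an added example (not code from the thread, eFa or Postfix), a small Python evaluator of Postfix regexp-style header_checks tables: it shows why the unanchored `/\.agency/i` rules from the final post (and the SpamAssassin `header ... ALL =~` rules earlier) also hit legitimate mail that merely mentions such a hostname, beside a From:-anchored variant that only looks at the sender's TLD. The tables, sample headers and the simplified flag and folding handling are all constructed for the demo.

```python
import re
# Constructed header_checks tables, not the thread's own file. LOOSE has the shape of
# the rules posted above: Postfix tries every pattern against every logical header line,
# so a TLD string anywhere (Subject, Received, Message-ID, MIME part headers) discards.
LOOSE_TABLE = r"""
/\.agency/i DISCARD .agency spam
/\.icu/i DISCARD .icu spam
/\.rocks/i DISCARD .rocks spam
"""
# TIGHT anchors on the From: header and on the TLD of the sender address only.
TIGHT_TABLE = r"""
/^From:.*@[^\s>]+\.(agency|icu|rocks)(>|\s|$)/i DISCARD sender TLD blocked
"""
# Table line: '/pattern/flags ACTION optional text' (an escaped '/' may appear inside).
RULE_RE = re.compile(r'^/((?:\\/|[^/])+)/(\w*)\s+(\S+)(?:\s+(.*))?$')

def parse_table(text):
    """Return [(regex, action, text)] in file order; flags are read but ignored and
    matching is always case-insensitive, Postfix's documented default (simplified)."""
    rules = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m: raise ValueError('unparseable rule: ' + line)
        pattern, _flags, action, extra = m.groups()
        rules.append((re.compile(pattern.replace(r'\/', '/'), re.I), action, extra or ''))
    return rules

def header_lines(raw):
    """Join folded continuations into logical header lines (space-joined, simplified)."""
    logical = []
    for physical in raw.splitlines():
        if physical[:1] in (' ', '\t') and logical:
            logical[-1] += ' ' + physical.strip()
        elif physical:
            logical.append(physical)
    return logical

def check_headers(raw, rules):
    """Return (action, text, header) for the first matching rule, else None."""
    for hdr in header_lines(raw):  # first match wins, as in Postfix
        for rx, action, text in rules:
            if rx.search(hdr):
                return action, text, hdr
    return None

# Constructed samples: a sender in a blocked TLD (domain shape from the thread) and a
# legitimate mail that only mentions a .rocks hostname in a folded Subject line.
SPAM = 'From: "Promo" <blalala@titi.agency>\nTo: KnownHoneypotEmail@example.test\nSubject: you won\n'
LEGIT = ('From: Alice <alice@example.com>\nTo: bob@example.org\n'
         'Subject: Re: DNS change for the hosting.rocks\n vhost, see ticket 42\n')
```

Run `check_headers(LEGIT, parse_table(LOOSE_TABLE))` and the legitimate message is discarded on its Subject line, while the TIGHT table discards only the `.agency` sender; with a real Postfix the same comparison is done with `postmap -q "<header line>" regexp:/etc/postfix/header_checks`.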