spamassassin filtering not consistently working for some TLDs

Posted: 04 Jun 2019 20:28
by cxgl
Hi,

Our efa vm has been working very well for a long time, but for some reason, some particular TLDs are being inconsistently scored/blacklisted/etc.

I have tried adding 20 points to TLDs: .agency, .icu, .rocks -- sometimes they get added, sometimes they don't.

I have tried using blacklist_to on the particular email address that is being spammed. Sometimes it works, sometimes it doesn't.

I have tried adding to the whitelist and blacklist entries via the mailwatch UI. Nothing really changes.

In frustration, I keep 'learning' these particular emails, but they always come up as SA score 0.0

Any suggestions on what I should be looking for?

Thanks

Re: spamassassin filtering not consistently working for some TLDs

Posted: 05 Jun 2019 14:36
by cxgl
Any ideas at all, anyone?

Re: spamassassin filtering not consistently working for some TLDs

Posted: 05 Jun 2019 15:10
by henk
Details?

Re: spamassassin filtering not consistently working for some TLDs

Posted: 06 Jun 2019 16:35
by cxgl
Thanks, henk.

If you want/need more, please let me know.

1) spamassassin cfg snippets:

# TLDs to err on the side of spam:
header BANNED_RULE_TLD From =~ /(\.agency|\.icu|\.rocks|\.live|\.ru|\.hu|\.gt|\.br|\.in|\.nl|\.ch|\.it|\.ke|\.vn|\.es|\.pk|\.id|\.ar|\.la|\.mx|\.fj|\.cl|\.ro|\.sk|\.pt|\.co|\.bg|$
score BANNED_RULE_TLD 10 10 10 10

blacklist_from *.agency
blacklist_from *.icu
blacklist_from *.rocks
blacklist_to KnownHoneypotEmail@OnOneOfOurDomains.tld

header BAD_SENDER_001 ALL =~ /\.icu/i
score BAD_SENDER_001 20 20 20 20
header BAD_SENDER_002 ALL =~ /\.live/i
score BAD_SENDER_002 20 20 20 20
header BAD_SENDER_003 ALL =~ /\.agency/i
score BAD_SENDER_003 20 20 20 20
header BAD_SENDER_004 ALL =~ /\.rocks/i
score BAD_SENDER_004 20
header BAD_RECIPIENT_001 ALL =~ /KnownHoneypotEmail/i
score BAD_RECIPIENT_001 20

2)
screenshot of *@*.agency going to one email address, some BL some not. Some manually learned as spam:
https://my.pcloud.com/publink/show?code ... rbGQ1WTn6y

Re: spamassassin filtering not consistently working for some TLDs

Posted: 06 Jun 2019 17:47
by henk
Somehow I live in a banned-rule TLD (.nl) :think:

blacklist_from *.agency - Remove the wildcard and just leave the domain. Via the MailWatch GUI, under black and white lists. It will take effect after restarting MailScanner.

You could also block by country / IPs - viewtopic.php?t=2659

When I take a look at your screenshot, you could dig the IPs or look in the MailWatch GUI message detail. Likely it will be a small range. With the post in the link above, you can assign a high score quite easily.

If the domain is not valid, block it in postfix

another option (blacklist tld in postfix)
https://serverfault.com/questions/72864 ... in-postfix

another option : viewtopic.php?f=14&t=3227

Re: spamassassin filtering not consistently working for some TLDs

Posted: 06 Jun 2019 20:03
by cxgl
henk wrote:
06 Jun 2019 17:47
Somehow I live in a banned-rule TLD (.nl) :think:
Well, you've never written to me before. But I'll unblock it for you. :D
henk wrote:
06 Jun 2019 17:47
blacklist_from *.agency - Remove the wildcard and just leave the domain.
OK -- so just leave

blacklist_from .agency
henk wrote:
06 Jun 2019 17:47
Via the MailWatch GUI, under black and white lists. It will take effect after restarting MailScanner.
Are you saying change:

*@*.agency
to

@*.agency
or just

.agency
?
henk wrote:
06 Jun 2019 17:47
You could also block by country / IPs - viewtopic.php?t=2659

When I take a look at your screenshot, you could dig the IPs or look in the MailWatch GUI message detail. Likely it will be a small range. With the post in the link above, you can assign a high score quite easily.
OK. I'll dig and see.
henk wrote:
06 Jun 2019 17:47
If the domain is not valid, block it in postfix

another option (blacklist tld in postfix)
https://serverfault.com/questions/72864 ... in-postfix

another option : viewtopic.php?f=14&t=3227
OK. I'll check all 3 topics.

I'll post back if the above does what I'm hoping.

Thank you!

Re: spamassassin filtering not consistently working for some TLDs

Posted: 06 Jun 2019 22:20
by henk
Why do all the mails have a score of 0, and your -successfully- blacklisted mail a score of 150?

And you did enable MCP?

Do you ever have a score > 0 ?

Looks like you disabled scanning somehow.


Anyway, when you enter them via the Gui-> blackandwhitelist

Just enter @ and the domain you want to blacklist, so just @agency.com, no wildcards.

In your case they mess around with the domain names, so the blacklist will not work,
like
blalala@titi.agency
wdrfff@tata.agency

As postfix can block unknown domains, I would try that first.

The other option is to determine the sender's IP (just look in the message detail). Ten to one you will see a pattern. You can assign a high value to a single IP or to ranges. The country block is helping also.

Re: spamassassin filtering not consistently working for some TLDs

Posted: 09 Jun 2019 18:30
by cxgl
henk wrote:
06 Jun 2019 22:20
Why do all the mails have a score of 0, and your -successfully- blacklisted mail a score of 150?
That's part of my confusion. I don't know.
henk wrote:
06 Jun 2019 22:20
And you did enable MCP?
I don't think I disabled it, but I wonder if this is related to: https://forum.configserver.com/viewtopic.php?t=10023

In checking MailScanner.conf, I see:
MCP Checks = yes

henk wrote:
06 Jun 2019 22:20
Do you ever have a score > 0 ?
For SA? Yes. But not on the "failed-to-be-caught" emails from *@*.agency, .icu, etc.

On MCP -- no. It seems all MCP scores are zero. But again, maybe to do with the link above?
henk wrote:
06 Jun 2019 22:20
Looks like you disabled scanning somehow.


Anyway, when you enter them via the Gui-> blackandwhitelist

Just enter @ and the domain you want to blacklist, so just @agency.com, no wildcards.

In your case they mess around with the domain names, so the blacklist will not work,
like
blalala@titi.agency
wdrfff@tata.agency

As postfix can block unknown domains, I would try that first.
"unknown domains" blocking is definitely happening. I'm seeing entries in maillog right now such as: sender address rejected: domain not found

To update all those playing along at home, the following postfix changes are what I did, and it worked great. Thank you, henk!

I ended up putting these in /etc/postfix/header_checks:

/\.agency/i DISCARD .agency spam
/\.icu/i DISCARD .icu spam
/\.rocks/i DISCARD .rocks spam
I made sure this was in /etc/postfix/main.cf:

header_checks = regexp:/etc/postfix/header_checks
...and finally restarted the postfix daemon:

/etc/init.d/postfix restart
...and I've been back to a normal spam-(almost)-free existence without those tricksy bastards.
henk wrote:
06 Jun 2019 22:20
The other option is to determine the sender's IP (just look in the message detail). Ten to one you will see a pattern. You can assign a high value to a single IP or to ranges. The country block is helping also.
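Both the SpamAssassin rules posted earlier in the thread (header ... ALL =~ /\.icu/i) and the final Postfix header_checks table (/\.agency/i DISCARD ...) are unanchored substring matches that run against every header line, so a Subject mentioning "design.agency", a Received line from a relay named icu-labs, or a sender at shop.rocks.example all get discarded along with the real .agency/.icu/.rocks senders. The script below is an added example, not code from the thread, eFa, MailScanner or Postfix: it simulates Postfix's regexp header_checks lookup (one header line at a time, first matching pattern wins, case-insensitive) over constructed sample headers and compares the thread's broad table with a tightened one that is restricted to sender-bearing headers and anchored to the end of the address. The tightened pattern, the sample headers and the message names are all assumptions of this example; the pattern deliberately uses only syntax that both Python's re and POSIX ERE accept.

```python
import re

# Added example: simulation of a Postfix regexp: header_checks lookup.
# Not code from the thread, eFa, MailScanner or Postfix. Simplified model:
# each header line is looked up in the table in order, the first pattern
# that matches a line decides the action, matching is case-insensitive.

# The table as posted in the thread: unanchored substring patterns.
BROAD_TABLE = [
    (r"\.agency", "DISCARD .agency spam"),
    (r"\.icu", "DISCARD .icu spam"),
    (r"\.rocks", "DISCARD .rocks spam"),
]

# Tightened table (assumption of this example, not from the thread):
# only sender-bearing headers, and the banned TLD must be the final label
# of the address. Only POSIX-ERE-compatible syntax is used (no \s, \d),
# so the same string can be pasted into a Postfix regexp table.
BANNED_TLDS = "agency|icu|rocks"
TIGHT_TABLE = [
    (r"^(From|Sender|Reply-To):.*@[^@> ]+\.(" + BANNED_TLDS + r") *>? *$",
     "DISCARD banned sender TLD"),
]

# Constructed sample headers (not real messages).
MSG_LEGIT_SUBJECT = [
    "Received: from mail.example.org (mail.example.org [192.0.2.10])",
    "From: Alice Example <alice@example.org>",
    "To: ops@example.net",
    "Subject: Fwd: quote from design.agency partner",
]
MSG_BANNED_TLD = [
    "Received: from mx1.tata.agency (unknown [198.51.100.7])",
    'From: "Promo" <wdrfff@tata.agency>',
    "To: KnownHoneypotEmail@example.net",
    "Subject: Limited offer",
]
MSG_RECEIVED_SUBSTRING = [
    "Received: from relay.icu-labs.example (relay.icu-labs.example [203.0.113.5])",
    "From: Bob <bob@icu-labs.example>",
    "Subject: Meeting notes",
]
MSG_NOT_TLD = [
    "From: Carol <carol@shop.rocks.example>",
    "Subject: Your order",
]
MSG_UPPERCASE = [
    "From: <x@TATA.AGENCY>",
    "Subject: hello",
]


def evaluate_header_checks(header_lines, table):
    """Return (action, header_line) for the first header line that matches
    a table entry, or (None, None) when no header matches."""
    compiled = [(re.compile(p, re.IGNORECASE), action) for p, action in table]
    for line in header_lines:
        for regex, action in compiled:
            if regex.search(line):
                return action, line
    return None, None


def compare(header_lines):
    """Action each table would take on the same headers."""
    return {
        "broad": evaluate_header_checks(header_lines, BROAD_TABLE)[0],
        "tight": evaluate_header_checks(header_lines, TIGHT_TABLE)[0],
    }


def render_table(table):
    """Emit '/pattern/ ACTION' lines in Postfix regexp_table format.
    Patterns here contain no unescaped '/', so no delimiter escaping is needed."""
    return ["/%s/ %s" % (pattern, action) for pattern, action in table]


if __name__ == "__main__":
    samples = [
        ("legit, '.agency' only in Subject", MSG_LEGIT_SUBJECT),
        ("real .agency sender", MSG_BANNED_TLD),
        ("'.icu' inside a relay hostname", MSG_RECEIVED_SUBSTRING),
        ("'.rocks' is not the TLD", MSG_NOT_TLD),
        ("upper-case .AGENCY sender", MSG_UPPERCASE),
    ]
    for name, msg in samples:
        print("%-36s %s" % (name, compare(msg)))
    print()
    print("\n".join(render_table(TIGHT_TABLE)))
```

Two operational points follow from the simulation. DISCARD tells the sending MTA the message was delivered and then drops it, so a false positive leaves no bounce and no quarantine copy; REJECT (a 5xx to the sender, logged in maillog) or HOLD (queued for inspection) keep evidence while the pattern is being tuned. On the SpamAssassin side, the same anchoring can be had with the From:addr header modifier, e.g. header BANNED_TLD From:addr =~ /\.(agency|icu|rocks)$/i, which scores on the parsed sender address rather than on every header line (that rule is a suggestion of this example, not one from the thread).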