GeoIP not always tagging email
- Posts: 14
- Joined: 11 Apr 2016 18:32
I have two sample emails caught by the spam filter. Both come from the Russian Federation. However, only one of them got tagged with the bad relay. Any ideas on why half the emails are getting tagged and the other half not? Right-click on the sample screenshots and choose to open in a new tab and they will be full size.
Re: GeoIP not always tagging email
take a look at your spamassassin Relaycountry_bad config
my /etc/mail/spamassassin/country.cf works fine with me:
ifplugin Mail::SpamAssassin::Plugin::RelayCountry
header COUNTRY_RELAY_IN X-Relay-Countries =~ /IN/
describe COUNTRY_RELAY_IN Relayed through India
score COUNTRY_RELAY_IN 3.5
header COUNTRY_RELAY_KP X-Relay-Countries =~ /KP/
describe COUNTRY_RELAY_KP Relayed through Korea North
score COUNTRY_RELAY_KP 4.5
header COUNTRY_RELAY_PK X-Relay-Countries =~ /PK/
describe COUNTRY_RELAY_PK Relayed through Pakistan
score COUNTRY_RELAY_PK 5.5
header COUNTRY_RELAY_RO X-Relay-Countries =~ /RO/
describe COUNTRY_RELAY_RO Relayed through Romania
score COUNTRY_RELAY_RO 6.5
header COUNTRY_RELAY_RU X-Relay-Countries =~ /RU/
describe COUNTRY_RELAY_RU Relayed through Russia
score COUNTRY_RELAY_RU 7.5
endif # Mail::SpamAssassin::Plugin::RelayCountry
You can always tag IP ranges: viewtopic.php?t=2659
cat /etc/mail/spamassassin/blockip.cf
header SPAMMING_IP Received =~ /5\.188\.129\./
describe SPAMMING_IP Spam Mail from 5.188.129/24
score SPAMMING_IP 8.0
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
- bikertrash
- Posts: 49
- Joined: 03 Feb 2016 12:53
- Location: San Diego, CA
Re: GeoIP not always tagging email
Hmm... I had this set up for quite some time and it used to work pretty well... but for some reason it just doesn't seem to work anymore.
I've been trying to block all the garbage that Classmates sends out by adding every single sub-net they use to send outbound mail, but this crap still just waltzes right through. Using the Administration console to train the appliance that this stuff is spam doesn't work, and adding the sub-nets to /etc/mail/spamassassin/blockip.cf and then restarting MailScanner doesn't work...
For example, I had this already specified in the "blockip.cf":
header SPAMMING_IP Received =~ /(208\.84\.41\.)/
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0
Yet another mail message from 208.84.41.69 came right in again this morning.
Clearly I must be doing something wrong or missing something somewhere.
Suggestions? Guidance?
(I HATE Spam with a PASSION! ANY kind of SPAM! LOL )
"If it ain't broke, it needs a lot more fix'n."
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: GeoIP not always tagging email
Do me a favor and check if the /etc/MailScanner/spamassassin.cf is properly symlinked to /etc/mail/spamassassin/mailscanner.cf
- bikertrash
Re: GeoIP not always tagging email
An "ls -al /etc/mail/spamassassin" shows this:
lrwxrwxrwx. 1 root root 34 Apr 19 01:09 mailscanner.cf -> /etc/MailScanner/spamassassin.conf
Not sure if those permissions are correct although I didn't create this symlink...
- bikertrash
Re: GeoIP not always tagging email
DOH! I think I may have found the issue... spamd was not only not running... but it's also not configured to start at boot-up...
I better look into that...
- bikertrash
Re: GeoIP not always tagging email
Well... that wasn't it either... another one just waltzed right on through yesterday morning. Has anyone here successfully blocked mail from CLASSMATES.COM????
Yesterday, Tue, 28 Apr 2020 10:43:58 -0700, this came right through:
208.84.41.204 mta06a.iad1.classmates.com United States
This is the guy that should have blocked it but did not:
header SPAMMING_IP Received =~ /(208\.84\.40\.)/
describe SPAMMING_IP Spam Mail from 208.84.40.0/21
score SPAMMING_IP 9.0
When I run "Update SpamAssassin Rule Descriptions" it does show that this sub-net is listed:
SPAMMING_IP Spam Mail from 208.84.40.0/21
I even have the domain listed in the Black List:
classmates.com davesdigitaldevices.com
classmates.com default
How are these guys getting through?? It does appear that all of the other sub-nets listed in blockip.cf from other domains are indeed being blocked... all except this one.
Re: GeoIP not always tagging email
Hi Bikertrash
The devil is always in the details. Did you carefully read viewtopic.php?t=2659?
Can you check:
ll /etc/mail/spamassassin/
Should look something like this:
-rw-r--r--. 1 root root 2369 Nov 15 22:48 country.cf
-rw-r--r--. 1 root root 3390 Dec 1 14:37 descriptions.cf
-rw-r--r--. 1 root root 1287 Apr 24 16:14 init.pre
-rw-r--r--. 1 root root 2619 Feb 1 15:43 local.cf
lrwxrwxrwx. 1 root root 34 Apr 24 16:14 mailscanner.cf -> /etc/MailScanner/spamassassin.conf
lrwxrwxrwx. 1 root root 34 Apr 18 16:07 MailScanner.cf -> /etc/MailScanner/spamassassin.conf
drwx------. 2 root root 83 Apr 28 03:32 sa-update-keys
-rw-r--r--. 1 root root 2523 Nov 15 20:18 v310.pre
-rw-r--r--. 1 root root 1194 Nov 4 11:51 v312.pre
-rw-r--r--. 1 root root 2412 Nov 15 20:18 v320.pre
-rw-r--r--. 1 root root 1237 Nov 4 11:51 v330.pre
-rw-r--r--. 1 root root 1020 Nov 4 11:51 v340.pre
-rw-r--r--. 1 root root 1303 Nov 15 20:18 v341.pre
-rw-r--r--. 1 root root 1499 Nov 15 20:18 v342.pre
-rw-r--r--. 1 root root 949 Apr 24 16:14 v343.pre
Also take a look at your whitelist for conflicting entries in your blacklist.
Check if you can update the MaxMind GeoIP database in the GUI Tools menu without errors. Before you do that, open a terminal with ssh and enter
tail -F /var/log/audit/audit.log
Next run a SpamAssassin lint test and a MailScanner lint test.
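Hank's checklist (symlinks, GeoIP update, both lint tests) covers the setup side. Two faults in a hand-written blockip.cf slip past a quick look: a pattern that never gets its closing slash, and the same rule name reused for several subnets. SpamAssassin stores one definition per rule name, so only the last stanza with that name is active; both SPAMMING_IP stanzas quoted in this thread share a name, and if the rest of the file follows that pattern only the last subnet is actually checked. The script below is an added example, not eFa's, SpamAssassin's or any poster's code. EXPECTED_LINKS is taken from the directory listing above and is an assumption about your install; SAMPLE_BLOCKIP_CF and the temporary directory that demo_dir() builds are constructed.

```python
"""Pre-lint checks for hand-written SpamAssassin .cf files under /etc/mail/spamassassin.

Added example for this thread; it is not eFa's, SpamAssassin's or any poster's
code. EXPECTED_LINKS follows the directory listing quoted in the thread and is
an assumption about your install; SAMPLE_BLOCKIP_CF and the directory that
demo_dir() builds are constructed. Run spamassassin --lint afterwards as usual.
"""
import os
import re
import tempfile
from collections import defaultdict

# Lines that define a rule. 'describe' and 'score' lines are not definitions.
_RULE_LINE = re.compile(r"^(header|body|rawbody|uri|full|meta)\s+(\S+)\s+(.*)$")
# A regex rule body: optional 'Header =~' (or '!~'), then /pattern/flags.
_DELIMITED = re.compile(r"^(?:.*?[=!]~\s*)?/.*/[a-z]*$")

EXPECTED_LINKS = {
    "mailscanner.cf": "/etc/MailScanner/spamassassin.conf",
    "MailScanner.cf": "/etc/MailScanner/spamassassin.conf",
}

# Constructed file: the two stanzas reuse one rule name, and one pattern has
# no closing slash.
SAMPLE_BLOCKIP_CF = r"""
header SPAMMING_IP Received =~ /(208\.84\.41\.)/
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0
header SPAMMING_IP Received =~ /(208\.84\.40\.)/
describe SPAMMING_IP Spam Mail from 208.84.40.0/21
score SPAMMING_IP 9.0
header UNTERMINATED Received =~ /5\.188\.129\.
score UNTERMINATED 8.0
"""


def check_cf(text):
    """Return sorted (line_no, message) pairs for one .cf file's contents."""
    problems = []
    defined = defaultdict(list)                 # rule name -> lines that (re)define it
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_LINE.match(line)
        if not m:
            continue
        rtype, name, rest = m.groups()
        defined[name].append(n)
        # meta rules are boolean expressions; eval:/exists: rules carry no regex
        if rtype != "meta" and not rest.startswith(("eval:", "exists:")) \
                and not _DELIMITED.match(rest):
            problems.append((n, f"{name}: pattern is not delimited as /.../"))
    for name, lines in defined.items():
        if len(lines) > 1:
            # SpamAssassin stores one definition per rule name, so every stanza
            # except the last one read is silently replaced.
            problems.append((lines[-1], f"{name}: defined on lines {lines}; "
                                        "only the last definition is active"))
    return sorted(problems)


def check_dir(sa_dir, expected_links=EXPECTED_LINKS):
    """Check the expected symlinks, then every regular .cf file in sa_dir."""
    problems = []
    for link, target in expected_links.items():
        path = os.path.join(sa_dir, link)
        if not os.path.islink(path):
            problems.append((link, "symlink missing"))
        elif os.readlink(path) != target:
            problems.append((link, f"points to {os.readlink(path)}, expected {target}"))
    for name in sorted(os.listdir(sa_dir)):
        path = os.path.join(sa_dir, name)
        if name.endswith(".cf") and os.path.isfile(path) and not os.path.islink(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                problems += [(f"{name}:{n}", msg) for n, msg in check_cf(fh.read())]
    return problems


def demo_dir():
    """Build a throwaway directory resembling the thread's situation and check it."""
    sa_dir = tempfile.mkdtemp(prefix="sa-demo-")
    # Only one of the two symlinks is present, as bikertrash found.
    os.symlink(EXPECTED_LINKS["mailscanner.cf"], os.path.join(sa_dir, "mailscanner.cf"))
    with open(os.path.join(sa_dir, "blockip.cf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_BLOCKIP_CF)
    return check_dir(sa_dir)


if __name__ == "__main__":
    for where, msg in demo_dir():
        print(f"{where}: {msg}")
```

On the appliance, call check_dir("/etc/mail/spamassassin") instead of demo_dir(), then run spamassassin --lint as Hank suggests. Giving every subnet its own rule name (or one rule that covers the whole range) is the fix for the duplicate-name finding.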
- bikertrash
Re: GeoIP not always tagging email
Hello Hank,
Indeed they are! One of the sym-links was missing, specifically the MailScanner.cf, the mailscanner.cf was there though. This has been corrected. All of the permissions were already correct.
Another thing I had missed.... the GeoIP database. Just applied for an account with MaxMind and installed the key, so the database is now updated and functional. The lint tests showed no issues at all, just a couple of slow responses.
I've put on "The Cone of Shame" for the day.
Will see how this goes now and report back. Thank you!
- bikertrash
Re: GeoIP not always tagging email
And... another one came right through yesterday... same sub-net...
Oh well...
Re: GeoIP not always tagging email
bikertrash wrote: ↑03 May 2020 12:01
And... another one came right through yesterday... same sub-net...
Oh well...
I don't think your regex syntax is correct.
Re: GeoIP not always tagging email
You need to post details.
The message-detail in the Gui is a good starter. ( a readable printscreen will do)
Second, using the wrong syntax in expressions is quite common.
Just noticed smyers119 is a lot faster than me.
Re: GeoIP not always tagging email
I am not an expert, and I didn't test this, but you can try adding this in local.cf:
header CLASSMATE_NET Received =~ /208\.84\.4[0-7]\.\d{1,3}/
describe CLASSMATE_NET Spam Mail from 208.84.40.0/21
score CLASSMATE_NET 9.0
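The stanza smyers119 posted covers the whole 208.84.40.0/21 in one regex, whereas each earlier SPAMMING_IP stanza matches a single /24 while its describe line claims a /21 the pattern does not cover. As an added example, not code from the thread, eFa or SpamAssassin, the following Python script generates the exact regex for any IPv4 CIDR and tests a rule line against Received: headers offline, so a rule can be checked before it goes into local.cf. The hostnames and mx.example.net in the sample headers are made up; only the IP ranges are the ones discussed in the thread.

```python
"""Generate and test SpamAssassin 'Received' IP-range rules offline.

Added example for this thread; it is not eFa's, SpamAssassin's or any
poster's code. The Received: values below are constructed (hostnames and
mx.example.net are made up); only the IP ranges are the ones discussed.
"""
import ipaddress
import re

SAMPLE_RECEIVED = [
    "from mta06a.iad1.classmates.com (mta06a.iad1.classmates.com [208.84.41.204]) by mx.example.net",
    "from mta01.example.org (mta01.example.org [208.84.40.17]) by mx.example.net",
    "from mail.example.com (mail.example.com [208.84.48.5]) by mx.example.net",
    "from relay.example.net (relay.example.net [5.188.129.40]) by mx.example.net",
]

# 'header NAME Header =~ /pattern/flags' -- the closing '/' is mandatory.
_RULE = re.compile(r"^header\s+(\S+)\s+(\S+)\s*=~\s*/(.*)/([a-z]*)\s*$")


def parse_header_rule(line):
    """Return (name, header, compiled regex); ValueError if the pattern is unterminated."""
    m = _RULE.match(line.strip())
    if not m:
        raise ValueError(f"not a well-formed header rule: {line!r}")
    name, header, pattern, flags = m.groups()
    return name, header, re.compile(pattern, re.I if "i" in flags else 0)


def hits(line, received=SAMPLE_RECEIVED):
    """Indexes of the Received values the rule fires on (unanchored search, as SA does)."""
    _, _, rx = parse_header_rule(line)
    return [i for i, value in enumerate(received) if rx.search(value)]


def _fixed(lo, hi, width):
    """Regex for the integers lo..hi written as exactly `width` digits."""
    if width == 1:
        return str(lo) if lo == hi else f"[{lo}-{hi}]"
    p, alts, x = 10 ** (width - 1), [], lo
    while x <= hi:
        head = x // p
        end = min(hi, head * p + p - 1)            # last value sharing this leading digit
        if x % p == 0 and end % p == p - 1:        # trailing digits completely free
            h2 = head
            while (h2 + 1) * p + p - 1 <= hi:      # merge following free blocks
                h2 += 1
            alts.append(_fixed(head, h2, 1) + "[0-9]" * (width - 1))
            x = (h2 + 1) * p
        else:
            sub = _fixed(x % p, end % p, width - 1)
            alts.append(str(head) + (f"(?:{sub})" if "|" in sub else sub))
            x = end + 1
    return "|".join(alts)


def _octet(lo, hi):
    """Regex for one dotted-quad octet between lo and hi, without leading zeros."""
    if lo == hi:
        return str(lo)
    if (lo, hi) == (0, 255):
        return r"\d{1,3}"
    alts = []
    for width in (1, 2, 3):                      # 0-9, 10-99, 100-255
        a = max(lo, 0 if width == 1 else 10 ** (width - 1))
        b = min(hi, 10 ** width - 1)
        if a <= b:
            alts.append(_fixed(a, b, width))
    joined = "|".join(alts)
    return f"(?:{joined})" if "|" in joined else joined


def cidr_regex(cidr):
    """Regex matching exactly the IPv4 addresses of `cidr`.

    ipaddress is strict: 208.84.41.0/21 has host bits set and is rejected,
    which is the mismatch between the thread's pattern and describe lines.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    first, last = net.network_address.packed, net.broadcast_address.packed
    return r"\b" + r"\.".join(_octet(lo, hi) for lo, hi in zip(first, last)) + r"\b"


def covers(cidr, ip):
    """True if the rule built for `cidr` would fire on a Received line carrying `ip`."""
    return re.search(cidr_regex(cidr), f"from host.example ([{ip}]) by mx") is not None


def received_rule(name, cidr, score):
    """One SpamAssassin stanza (header/describe/score) for the CIDR, ready for local.cf."""
    return "\n".join([
        f"header {name} Received =~ /{cidr_regex(cidr)}/",
        f"describe {name} Spam Mail from {cidr}",
        f"score {name} {score:.1f}",
    ])


if __name__ == "__main__":
    print(received_rule("CLASSMATE_NET", "208.84.40.0/21", 9.0))
    for rule in (r"header SPAMMING_IP Received =~ /(208\.84\.40\.)/",
                 r"header CLASSMATE_NET Received =~ /208\.84\.4[0-7]\.\d{1,3}/"):
        print(rule, "->", [SAMPLE_RECEIVED[i].split("[")[1].split("]")[0] for i in hits(rule)])
```

Run stand-alone it prints the generated CLASSMATE_NET stanza and shows the narrow /(208\.84\.40\.)/ rule missing 208.84.41.204 while the /21 rule catches it. The \b anchors keep a /24 pattern from firing on a longer number that merely contains the octets, and the strict CIDR parse rejects a describe such as 208.84.41.0/21, whose host bits are set, so the pattern and its describe line cannot drift apart.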
- bikertrash
Re: GeoIP not always tagging email
When it comes to regex it may as well be written in Hieroglyphics for all the sense it makes to me really...
This:
header SPAMMING_IP Received =~ /(208\.84\.41\.)/
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0
Looks like it should actually be this:
header SPAMMING_IP Received =~ /208\.84\.41\.
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0
Correct?
I think you're both correct and it's now just a matter of fix'n my dorked up expressions.
Re: GeoIP not always tagging email
Hold up, I found the problem: the IP is enclosed in brackets, which is why it's not matching. Will edit this post with the fix. Found a cool regex validator as well (https://regex101.com/).
EDIT: Never mind, it appears what I posted above is working fine according to the validator. It's showing your original regex was valid as well. So your file must not be in the right folder?? I would recommend just using local.cf and not making your own file.
- bikertrash
Re: GeoIP not always tagging email
The file is /etc/mail/spamassassin/blockip.cf
The permissions on the file are this:
-rw-r--r--. 1 root root 8271 Apr 29 04:45 blockip.cf
Is this correct?
Re: GeoIP not always tagging email
bikertrash wrote: ↑03 May 2020 13:49
The file is /etc/mail/spamassassin/blockip.cf
The permissions on the file are this:
-rw-r--r--. 1 root root 8271 Apr 29 04:45 blockip.cf
Is this correct?
Permissions match mine.
- bikertrash
Re: GeoIP not always tagging email
I think I found the problem thanks to the link you posted above....
THIS: =~ /(208\.84\.40\.)/
Should actually be THIS: =~ (208\.84\.40\.)
Does that look right?
This first one when entered into that link highlighted both "/" in red and said "pattern error"...
Re: GeoIP not always tagging email
bikertrash wrote: ↑03 May 2020 13:58
I think I found the problem thanks to the link you posted above....
THIS: =~ /(208\.84\.40\.)/
Should actually be THIS: =~ (208\.84\.40\.)
Does that look right?
This first one when entered into that link highlighted both "/" in red and said "pattern error"...
Just use mine so you don't need 7 different rules. If you look at the validator, those "/" are already there at the beginning and end, and there is no benefit to using the grouping with parentheses (it's not hurting anything either).
- bikertrash
Re: GeoIP not always tagging email
Well... that puts me right back where I started.... and I'm not sure what you mean by "just use mine" as it doesn't include the sub-nets all that classmates garbage is coming from.
Just going to take a break from this for today... and maybe the next week...
Re: GeoIP not always tagging email
smyers119 wrote: ↑03 May 2020 13:10
I am not an expert, and I didn't test this, but you can try adding this in local.cf:
header CLASSMATE_NET Received =~ /208\.84\.4[0-7]\.\d{1,3}/
describe CLASSMATE_NET Spam Mail from 208.84.40.0/21
score CLASSMATE_NET 9.0
^^^^ This catches every IP from 208.84.40.0 to 208.84.47.255.
Re: GeoIP not always tagging email
Great thinking, and it works fine. This is far more flexible than the original solution.
I'll change my original post and include your example.
- bikertrash
Re: GeoIP not always tagging email
Alright... I just added this... sure hope it works.
I sort of doubt there are many people on this earth who hate spam as much as I do...
Re: GeoIP not always tagging email
It works!
bikertrash wrote:
I sort of doubt there are many people on this earth who hate spam as much as I do...
Earth is big, and there are still a lot of people without eFa who are not able to cut down on spam.
- bikertrash
Re: GeoIP not always tagging email
Well so far so good... normally one comes in every single day.... but nothing today yet.
And yeah... I really don't understand why EFA Project is not more prolific as I have yet to see any other solution that works as well as this does. And believe me... I've tried a lot of them over the years. In my case, using this is sort of like taking a shot-gun on a butterfly hunt as my internal network only has 4 users but, they do NOT get SPAM.