
GeoIP not always tagging email

Posted: 15 Oct 2019 19:52
by northwindit
Have two sample emails caught by the spam filter. Both come from the Russian Federation. However, only one of them got tagged with the bad relay. Any ideas on why half the emails are getting tagged and the other half not? Right click on the sample screenshots and choose to open in new tab and they will be full size.


Re: GeoIP not always tagging email

Posted: 16 Oct 2019 05:49
by henk
take a look at your spamassassin Relaycountry_bad config

my /etc/mail/spamassassin/country.cf


ifplugin Mail::SpamAssassin::Plugin::RelayCountry

header   COUNTRY_RELAY_IN X-Relay-Countries =~ /IN/
describe COUNTRY_RELAY_IN Relayed through India
score    COUNTRY_RELAY_IN 3.5

header   COUNTRY_RELAY_KP X-Relay-Countries =~ /KP/
describe COUNTRY_RELAY_KP Relayed through Korea North
score    COUNTRY_RELAY_KP 4.5

header   COUNTRY_RELAY_PK X-Relay-Countries =~ /PK/
describe COUNTRY_RELAY_PK Relayed through Pakistan
score    COUNTRY_RELAY_PK 5.5

header   COUNTRY_RELAY_RO X-Relay-Countries =~ /RO/
describe COUNTRY_RELAY_RO Relayed through Romania
score    COUNTRY_RELAY_RO 6.5

header   COUNTRY_RELAY_RU X-Relay-Countries =~ /RU/
describe COUNTRY_RELAY_RU Relayed through Russia
score    COUNTRY_RELAY_RU 7.5

endif # Mail::SpamAssassin::Plugin::RelayCountry
works fine with me.

you can always tag ip ranges viewtopic.php?t=2659

cat /etc/mail/spamassassin/blockip.cf


header SPAMMING_IP Received =~ /5\.188\.129\./
describe SPAMMING_IP Spam Mail from 5.188.129/24
score SPAMMING_IP 8.0

Re: GeoIP not always tagging email

Posted: 26 Apr 2020 15:22
by bikertrash
Hhmm... I had this setup for quite some time and it used to work pretty well.. but for some reason it just doesn't seem to work anymore.

I've been trying to block all the garbage that Classmates sends out by adding every single sub-net they used to send outbound mail, but this crap still just waltzes right through. Using the Administration console to train the appliance that stuff is Spam doesn't work, adding the sub-nets onto "/etc/mail/spamassassin/blockip.cf" and then restarting mailscanner doesn't work...

For example, I had this already specified in the "blockip.cf":

header SPAMMING_IP Received =~ /(208\.84\.41\.)/
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0

Yet another mail message from 208.84.41.69 came right in again this morning.

Clearly I must be doing something wrong or missing something somewhere.

Suggestions? Guidance?

(I HATE Spam with a PASSION! ANY kind of SPAM! :lol: LOL )

Re: GeoIP not always tagging email

Posted: 26 Apr 2020 15:26
by shawniverson
Do me a favor and check if the /etc/MailScanner/spamassassin.cf is properly symlinked to /etc/mail/spamassassin/mailscanner.cf

Re: GeoIP not always tagging email

Posted: 26 Apr 2020 16:10
by bikertrash
An "ls -al /etc/mail/spamassassin" shows this:

lrwxrwxrwx. 1 root root 34 Apr 19 01:09 mailscanner.cf -> /etc/MailScanner/spamassassin.conf

Not sure if those permissions are correct although I didn't create this symlink...

Re: GeoIP not always tagging email

Posted: 26 Apr 2020 16:38
by bikertrash
DOH! I think I may have found the issue... spamd was not only not running... but it's also not configured to start at boot-up...

I better look into that... :lol:

Re: GeoIP not always tagging email

Posted: 29 Apr 2020 11:55
by bikertrash
Well... that wasn't it either... another one just waltzed right on through yesterday morning. Has anyone here successfully blocked mail from CLASSMATES.COM????

Yesterday at Tue, 28 Apr 2020 10:43:58 -0700
This came right through:

208.84.41.204 mta06a.iad1.classmates.com United States

This is the guy that should have blocked it but did not:

header SPAMMING_IP Received =~ /(208\.84\.40\.)/
describe SPAMMING_IP Spam Mail from 208.84.40.0/21
score SPAMMING_IP 9.0

When running an "Update SpamAssassin Rule Descriptions" it does show that this sub-net is listed

SPAMMING_IP Spam Mail from 208.84.40.0/21

I even have the domain listed in the Black List:

classmates.com davesdigitaldevices.com Delete
classmates.com default Delete

How are these guys getting through?? :?: It does appear that all of the other sub-nets listed in blockip.cf from other domains are indeed being blocked... all except this one.

Re: GeoIP not always tagging email

Posted: 29 Apr 2020 12:42
by henk
Hi Bikertrash

The devil is always in the details. Did you read viewtopic.php?t=2659 carefully?
Can you check:


ll /etc/mail/spamassassin/
Should look something like this


-rw-r--r--. 1 root root 2369 Nov 15 22:48 country.cf
-rw-r--r--. 1 root root 3390 Dec  1 14:37 descriptions.cf
-rw-r--r--. 1 root root 1287 Apr 24 16:14 init.pre
-rw-r--r--. 1 root root 2619 Feb  1 15:43 local.cf
lrwxrwxrwx. 1 root root   34 Apr 24 16:14 mailscanner.cf -> /etc/MailScanner/spamassassin.conf
lrwxrwxrwx. 1 root root   34 Apr 18 16:07 MailScanner.cf -> /etc/MailScanner/spamassassin.conf
drwx------. 2 root root   83 Apr 28 03:32 sa-update-keys
-rw-r--r--. 1 root root 2523 Nov 15 20:18 v310.pre
-rw-r--r--. 1 root root 1194 Nov  4 11:51 v312.pre
-rw-r--r--. 1 root root 2412 Nov 15 20:18 v320.pre
-rw-r--r--. 1 root root 1237 Nov  4 11:51 v330.pre
-rw-r--r--. 1 root root 1020 Nov  4 11:51 v340.pre
-rw-r--r--. 1 root root 1303 Nov 15 20:18 v341.pre
-rw-r--r--. 1 root root 1499 Nov 15 20:18 v342.pre
-rw-r--r--. 1 root root  949 Apr 24 16:14 v343.pre
Also take a look at your whitelist for conflicting entries in your blacklist.
Check if you can update the Maxmind GeoIP Database in the Gui Tools Menu without errors.
Before you do that, open a terminal with ssh and enter


tail -F /var/log/audit/audit.log
Next run a Spamassassin Lint test and Mailscanner Lint test

Re: GeoIP not always tagging email

Posted: 30 Apr 2020 11:25
by bikertrash
Hello Hank,

Indeed they are! One of the sym-links was missing, specifically the MailScanner.cf, the mailscanner.cf was there though. This has been corrected. All of the permissions were already correct.

Another thing I had missed.... the GeoIP database. :roll: Just applied for an account with MaxMind and installed the key so the database is now updated and functional. The lint tests showed no issues at all, just a couple of slow responses.

I've put on "The Cone of Shame" for the day.

Will see how this goes now and report back. Thank you!

Re: GeoIP not always tagging email

Posted: 03 May 2020 12:01
by bikertrash
And... another one came right through yesterday... same sub-net...

Oh well...

:?

Re: GeoIP not always tagging email

Posted: 03 May 2020 12:43
by smyers119
bikertrash wrote: 03 May 2020 12:01 And... another one came right through yesterday... same sub-net...

Oh well...

:?
I don't think your regex syntax is correct.

Re: GeoIP not always tagging email

Posted: 03 May 2020 12:46
by henk
You need to post details.
The message-detail in the Gui is a good starter. ( a readable printscreen will do)
second using the wrong syntax in expressions is quite common.

Just noticed smyers119 is a lot faster than me. :shifty:

Re: GeoIP not always tagging email

Posted: 03 May 2020 13:10
by smyers119
I am not an expert, and I didn't test this, but you can try adding this in local.cf


header CLASSMATE_NET Received =~ /208\.84\.4[0-7]\.\d{1,3}/
describe CLASSMATE_NET Spam Mail from 208.84.40.0/21
score CLASSMATE_NET 9.0

Re: GeoIP not always tagging email

Posted: 03 May 2020 13:14
by bikertrash
When it comes to regex it may as well be written in Hieroglyphics for all the sense it makes to me really... :?

This:

header SPAMMING_IP Received =~ /(208\.84\.41\.)/
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0

Looks like it should actually be this:

header SPAMMING_IP Received =~ /208\.84\.41\.
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0

Correct?

I think you're both correct and it's now just a matter of fix'n my dorked up expressions.

Re: GeoIP not always tagging email

Posted: 03 May 2020 13:32
by smyers119
Hold up, I found the problem. The IP is encompassed in brackets, which is why it's not matching. Will edit this post with the fix. Found a cool regex validator as well (https://regex101.com/)

EDIT: Never mind, it appears what I posted above is working fine according to the validator. It's showing your original regex was valid as well. So your file must not be in the right folder?? I would recommend just using local.cf and not making your own file.

Re: GeoIP not always tagging email

Posted: 03 May 2020 13:49
by bikertrash
The file is this in /etc/mail/spamassassin/blockip.cf

The permissions on the file are this:
-rw-r--r--. 1 root root 8271 Apr 29 04:45 blockip.cf

Is this correct?

Re: GeoIP not always tagging email

Posted: 03 May 2020 13:53
by smyers119
bikertrash wrote: 03 May 2020 13:49 The file is this in /etc/mail/spamassassin/blockip.cf

The permissions on the file are this:
-rw-r--r--. 1 root root 8271 Apr 29 04:45 blockip.cf

Is this correct?
Permissions match mine

Re: GeoIP not always tagging email

Posted: 03 May 2020 13:58
by bikertrash
I think I found the problem thanks to the link you posted above....

THIS: =~ /(208\.84\.40\.)/
Should actually be THIS: =~ (208\.84\.40\.)

Does that look right?
This first one when entered into that link highlighted both "/" in red and said "pattern error"...

Re: GeoIP not always tagging email

Posted: 03 May 2020 14:14
by smyers119
bikertrash wrote: 03 May 2020 13:58 I think I found the problem thanks to the link you posted above....

THIS: =~ /(208\.84\.40\.)/
Should actually be THIS: =~ (208\.84\.40\.)

Does that look right?
This first one when entered into that link highlighted both "/" in red and said "pattern error"...
Just use mine so you don't need 7 different rules. If you look at the validator, those "/" are already there at the beginning and end, and there is no benefit to using the grouping with parentheses (it's not hurting anything either).

Re: GeoIP not always tagging email

Posted: 03 May 2020 14:24
by bikertrash
Well... that puts me right back where I started.... and I'm not sure what you mean by "just use mine" as it doesn't include the sub-nets all that classmates garbage is coming from.

Just going to take a break from this for today... and maybe the next week...

Re: GeoIP not always tagging email

Posted: 03 May 2020 14:26
by smyers119
smyers119 wrote: 03 May 2020 13:10 I am not an expert, and I didn't test this, but you can try adding this in local.cf


header CLASSMATE_NET Received =~ /208\.84\.4[0-7]\.\d{1,3}/
describe CLASSMATE_NET Spam Mail from 208.84.40.0/21
score CLASSMATE_NET 9.0
^^^^This catches every ip from 208.84.40.0 to 208.84.47.255
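To make the difference between the two Received patterns in this thread concrete (the `/(208\.84\.41\.)/` rule that only covers one /24 while its describe line claims a /21, versus `/208\.84\.4[0-7]\.\d{1,3}/` which covers the whole /21), and to show how the X-Relay-Countries rules from the country.cf earlier in the thread fire, here is a small added example. It is not code from the eFa project or from anyone in this thread. It is a toy evaluator for SpamAssassin `header` rules: it parses `header`/`describe`/`score` lines, runs each regex against a constructed message's headers, and checks a Received pattern against the /24s inside the CIDR its describe line names. The message headers and the X-Relay-Countries value are constructed (real SpamAssassin builds that pseudo-header itself from the relay chain and the GeoIP database); `mail.example.invalid` is a placeholder hostname.

```python
import re
import ipaddress

# Constructed rule text in SpamAssassin .cf syntax (sample input, not a file
# from this thread): one RelayCountry-style rule, the /24-only SPAMMING_IP
# pattern with its misleading /21 description, and the /21-wide CLASSMATE_NET
# pattern. ifplugin/endif lines are ignored by this toy parser.
SAMPLE_CF = r"""
ifplugin Mail::SpamAssassin::Plugin::RelayCountry
header   COUNTRY_RELAY_RU X-Relay-Countries =~ /RU/
describe COUNTRY_RELAY_RU Relayed through Russia
score    COUNTRY_RELAY_RU 7.5
endif # Mail::SpamAssassin::Plugin::RelayCountry

header   SPAMMING_IP Received =~ /(208\.84\.41\.)/
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score    SPAMMING_IP 9.0

header   CLASSMATE_NET Received =~ /208\.84\.4[0-7]\.\d{1,3}/
describe CLASSMATE_NET Spam Mail from 208.84.40.0/21
score    CLASSMATE_NET 9.0
"""

# Constructed message headers (name -> list of values). X-Relay-Countries is
# supplied directly here so the example runs offline without a GeoIP database.
MSG_FROM_41 = {
    'Received': ['from mta06a.iad1.classmates.com (mta06a.iad1.classmates.com '
                 '[208.84.41.204]) by mail.example.invalid with ESMTP; '
                 'Tue, 28 Apr 2020 10:43:58 -0700'],
    'X-Relay-Countries': ['US'],
}
MSG_FROM_40 = {
    'Received': ['from relay.example.invalid (relay.example.invalid '
                 '[208.84.40.10]) by mail.example.invalid with ESMTP; '
                 'Wed, 29 Apr 2020 09:12:00 -0700'],
    'X-Relay-Countries': ['RU US'],
}

RULE_LINE = re.compile(r'^(header|describe|score)\s+(\S+)\s+(.*)$')
HEADER_TEST = re.compile(r'^(\S+)\s*=~\s*/(.*)/([a-z]*)$')


def parse_rules(text):
    """Parse header/describe/score lines into {name: {header, regex, score, describe}}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        m = RULE_LINE.match(line)
        if not line or line.startswith('#') or not m:
            continue
        kind, name, rest = m.groups()
        rule = rules.setdefault(name, {'score': 1.0, 'describe': ''})
        if kind == 'header':
            hm = HEADER_TEST.match(rest)
            if not hm:
                raise ValueError(f'{name}: header test must look like  Name =~ /regex/')
            hdr, pattern, flags = hm.groups()
            rule['header'] = hdr
            # Python re is close enough to Perl for these simple patterns.
            rule['regex'] = re.compile(pattern, re.I if 'i' in flags else 0)
        elif kind == 'describe':
            rule['describe'] = rest
        else:
            rule['score'] = float(rest)
    return rules


def evaluate(rules, headers):
    """Apply every rule to the message headers; return (total score, sorted hit names)."""
    total, hits = 0.0, []
    for name, rule in rules.items():
        if any(rule['regex'].search(v) for v in headers.get(rule['header'], [])):
            total += rule['score']
            hits.append(name)
    return total, sorted(hits)


def uncovered_subnets(regex, cidr, host=204):
    """Split cidr into /24s and list those whose sample host the Received regex misses.
    The sample address is wrapped in [] the way an MTA writes it in Received."""
    net = ipaddress.ip_network(cidr)
    return [str(sub) for sub in net.subnets(new_prefix=24)
            if not regex.search(f'[{sub.network_address + host}]')]


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_CF)
    for msg in (MSG_FROM_41, MSG_FROM_40):
        print(evaluate(rules, msg))
    for name in ('SPAMMING_IP', 'CLASSMATE_NET'):
        print(name, 'misses', uncovered_subnets(rules[name]['regex'], '208.84.40.0/21'))
```

Two things this makes visible: the `describe` line is documentation only, so a pattern that matches one /24 while claiming a /21 silently misses the other seven subnets, and `uncovered_subnets` reports exactly those; and the header test is unanchored, so the `[...]` brackets around the address in a Received line never stop a match, which is why the bracket theory and the stray-slash theory both turned out to be dead ends. On a real box the check that matters is still `spamassassin --lint`, which the thread already recommends.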

Re: GeoIP not always tagging email

Posted: 04 May 2020 07:24
by henk
great thinking and works fine. :clap: This is far more flexible than the original solution.
I'll change my original post and include your example.

Re: GeoIP not always tagging email

Posted: 04 May 2020 12:28
by bikertrash
Alright... I just added this... sure hope it works.

I sort of doubt there are many people on this earth that hate spam as much as I do...

Re: GeoIP not always tagging email

Posted: 04 May 2020 13:07
by henk
bikertrash wrote: 04 May 2020 12:28 Alright... I just added this... sure hope it works.
It works! :dance:
I sort of doubt there are many people on this earth that hate spam as much as I do...
Earth is big, and there are still a lot of people without eFa not able to cut down on spam :think:

Re: GeoIP not always tagging email

Posted: 05 May 2020 12:23
by bikertrash
Well so far so good... normally one comes in every single day.... but nothing today yet.

And yeah... I really don't understand why EFA Project is not more prolific as I have yet to see any other solution that works as well as this does. And believe me... I've tried a lot of them over the years. In my case, using this is sort of like taking a shot-gun on a butterfly hunt as my internal network only has 4 users but, they do NOT get SPAM. :clap: