Interesting email based blacklist

nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Interesting email based blacklist

Post by nicola.piazzi »

Take a look at this
https://msbl.org

Here are 2 config files to put in /etc/mail/spamassassin
http://msbl.org/tools/sa-hashbl.tar.gz

I installed it 1 hour ago and I have no hits at the moment
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Interesting email based blacklist

Post by pdwalker »

Can’t hurt to try. I’ll implement it tomorrow and see what happens.
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Interesting email based blacklist

Post by nicola.piazzi »

Only 11 hits in the weekend but absolutely no false positives, I'll increase score to 3.00
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Interesting email based blacklist

Post by pdwalker »

I just turned it on less than three hours ago, and I've already gotten three hits.

Excellent.
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Interesting email based blacklist

Post by nicola.piazzi »

Yes,
there are not a lot of hits because this is not an RBL.
This is email address based, so it has few entries, but these are sure to be spam.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Interesting email based blacklist

Post by pdwalker »

Every little bit helps.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Interesting email based blacklist

Post by pdwalker »

So far, I've gotten 242 messages to trigger this rule. 100% spam. Increasing the spam score to 4.0
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Interesting email based blacklist

Post by nicola.piazzi »

Yes, they are based on real cases, so the hit rate is 100%
Alleyviper
Posts: 83
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: Interesting email based blacklist

Post by Alleyviper »

Hi there,

Where do I put the included pm file?
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Interesting email based blacklist

Post by nicola.piazzi »

Same dir as local.cf
Alleyviper
Posts: 83
Joined: 16 Oct 2018 05:55
Location: Portugal

Re: Interesting email based blacklist

Post by Alleyviper »

Hi Nicola,

Works like a charm :)

Check the custom phishing.bad.sites.custom to enhance blocking bad stuff even more

https://forum.efa-project.org/viewtopic.php?f=14&t=3334

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Interesting email based blacklist

Post by ovizii »

Alleyviper wrote: 08 Jan 2019 02:57 Hi there,

Where do I put the included pm file?
I don't think it's necessary to do anything. As of SA 3.4.2, if you have /etc/mail/spamassassin/hashbl.cf, look inside; mine says:

loadplugin Mail::SpamAssassin::Plugin::HashBL   HashBL.pm

ifplugin Mail::SpamAssassin::Plugin::HashBL
    header   HASHBL_EMAIL       eval:check_hashbl_emails('ebl.msbl.org')
    describe HASHBL_EMAIL       Message contains email address found on the EBL
    score    HASHBL_EMAIL       1.0
endif
Then go to your EFA dashboard => Tools and Links => Spamassassin Lint (Test), then check if HASHBL_EMAIL was loaded.
mattch
Posts: 44
Joined: 28 Mar 2018 22:26

Re: Interesting email based blacklist

Post by mattch »

Using v4 the HashBL plugin is already loaded in v342.pre but not listing any HashBL.pm file.

I commented out loadplugin for hashbl in v342.pre file, or alternatively add HashBL.pm and then comment loadplugin listed in the hashbl.cf file.
smyers119
Posts: 108
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 »

mattch wrote: 22 Apr 2020 20:21 Using v4 the HashBL plugin is already loaded in v342.pre but not listing any HashBL.pm file.

I commented out loadplugin for hashbl in v342.pre file
Why?

Did you not see this:
15 November 2018

SpamAssassin 3.4.2 has added support for HASHBLs through its Mail::SpamAssassin::Plugin::HashBL plugin. To use the EBL with SpamAssassin 2.3.2 and later versions, you simply enable this plugin in your spamAssassin configuration. The SpamAssassin milter remains available for those using earlier versions of SpamAssassin.
Source
mattch
Posts: 44
Joined: 28 Mar 2018 22:26

Re: Interesting email based blacklist

Post by mattch »

I did, but I also get this:

Apr 23 11:02:14.523 [28636] dbg: plugin: loading Mail::SpamAssassin::Plugin::HashBL from @INC 0.00332
Apr 23 11:02:14.544 [28636] dbg: HashBL: local tests only, disabling HashBL
smyers119
Posts: 108
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 »

mattch wrote: 23 Apr 2020 15:04 I did, but I also get this:

Apr 23 11:02:14.523 [28636] dbg: plugin: loading Mail::SpamAssassin::Plugin::HashBL from @INC 0.00332
Apr 23 11:02:14.544 [28636] dbg: HashBL: local tests only, disabling HashBL
That's normal, it just means it's disabled for the test, note other plugins do the same thing.
mattch
Posts: 44
Joined: 28 Mar 2018 22:26

Re: Interesting email based blacklist

Post by mattch »

Oh, you're right, DCC, Pyzor and SpamCop show disabled in the lint test.

So that means the HashBL.pm file doesn't need to be referenced in the loadplugin in SA v3.4.2+, because it's built in, right?

Sorry for such basic questions.
smyers119
Posts: 108
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 »

That's correct, but you still need the CF file, although I haven't had 1 hit since adding it
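
The loadplugin question from the posts above (the plugin loaded in v342.pre and again in hashbl.cf with a HashBL.pm path), as an added example that is not part of the thread or of EFA: a Python check that lists every active loadplugin line for the HashBL plugin and flags repeats and .pm references to files missing from the config directory. The file contents are constructed from the lines quoted in the thread; the function names, and the assumption that a bare .pm name is looked up beside the config file, belong to this example only.

```python
import re

PLUGIN = "Mail::SpamAssassin::Plugin::HashBL"

# Constructed sample: config text keyed by file name, modelled on the lines quoted in the thread.
SAMPLE_CONFIGS = {
    "v342.pre": "# HashBL - hashed blocklist lookups\nloadplugin Mail::SpamAssassin::Plugin::HashBL\n",
    "hashbl.cf": (
        "loadplugin Mail::SpamAssassin::Plugin::HashBL   HashBL.pm\n"
        "ifplugin Mail::SpamAssassin::Plugin::HashBL\n"
        "    header   HASHBL_EMAIL       eval:check_hashbl_emails('ebl.msbl.org')\n"
        "    score    HASHBL_EMAIL       1.0\n"
        "endif\n"
    ),
}

LOADPLUGIN = re.compile(r"^\s*loadplugin\s+(\S+)(?:\s+(\S+))?\s*$")


def find_loadplugins(configs, plugin=PLUGIN):
    """Return (file, line_no, pm_path_or_None) for each active loadplugin of `plugin`."""
    hits = []
    for name in sorted(configs):
        for no, line in enumerate(configs[name].splitlines(), 1):
            line = line.split("#", 1)[0]  # commented-out lines do not count
            m = LOADPLUGIN.match(line)
            if m and m.group(1) == plugin:
                hits.append((name, no, m.group(2)))
    return hits


def review(configs, files_present, plugin=PLUGIN):
    """List findings: plugin never loaded, loaded repeatedly, or a named .pm file is absent."""
    hits = find_loadplugins(configs, plugin)
    findings = []
    if not hits:
        findings.append("plugin is never loaded; ifplugin blocks for it are skipped")
    if len(hits) > 1:
        where = ", ".join(f"{f}:{n}" for f, n, _ in hits)
        findings.append(f"loaded {len(hits)} times ({where})")
    for f, n, pm in hits:
        # Assumption: a bare file name is expected in the same directory as the config file.
        if pm and pm not in files_present:
            findings.append(f"{f}:{n} names {pm}, which is not in the config directory")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIGS, files_present=set(SAMPLE_CONFIGS)):
        print(finding)
```

To use it on a real host, build `configs` from the `*.pre` and `*.cf` files in /etc/mail/spamassassin and pass the directory listing as `files_present`.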
mattch
Posts: 44
Joined: 28 Mar 2018 22:26

Re: Interesting email based blacklist

Post by mattch »

Yeah, me either, and I got excited. When no hits on my spammiest users after a day I assumed it wasn't working. I suppose no hits can be considered a good thing.
smyers119
Posts: 108
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 »

mattch wrote: 23 Apr 2020 16:23 Yeah, me either, and I got excited. When no hits on my spammiest users after a day I assumed it wasn't working. I suppose no hits can be considered a good thing.
I'll let it run a couple of days, then do a search to see if I got any hits, and check back here.
smyers119
Posts: 108
Joined: 29 Nov 2019 11:36

Re: Interesting email based blacklist

Post by smyers119 »

OK, so I checked back after 24 hours, got 3 hits, 2 were false positives. Not looking too good for this hash based block list. I'll follow it over the next week and see what happens.

The false positives were from:

3gigixgckbukyz2p0w9rzzrwp.nzxv7zyrxtoowp4z7y3st0.nzx@idverification.bounces.google.com 
aka:
noreply@google.com
and
3x_2hxhekaeyvwzmxt6+nmmlxzw56owwotm.kwu@feedburner.bounces.google.com 	
aka:
Topic Search <noreply+feedproxy@google.com>
Note my mail volume is around 2000/day