Hi,
Our EFA VM has been working very well for a long time, but for some reason, some particular TLDs are being inconsistently scored/blacklisted/etc.
I have tried adding 20 points to TLDs: .agency, .icu, .rocks -- sometimes they get added, sometimes they don't.
I have tried using blacklist_to on the particular email address that is being spammed. Sometimes it works, sometimes it doesn't.
I have tried adding to the whitelist and blacklist entries via the MailWatch UI. Nothing really changes.
In frustration, I keep 'learning' these particular emails, but they always come up as SA score 0.0.
Any suggestions on what I should be looking for?
Thanks
spamassassin filtering not consistently working for some TLDs
Re: spamassassin filtering not consistently working for some TLDs
Any ideas at all, anyone?
Re: spamassassin filtering not consistently working for some TLDs
Details?
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Re: spamassassin filtering not consistently working for some TLDs
Thanks, henk.
If you want/need more, please let me know.
1) spamassassin cfg snippets:
Code:
# TLDs to err on the side of spam:
header BANNED_RULE_TLD From =~ /(\.agency|\.icu|\.rocks|\.live|\.ru|\.hu|\.gt|\.br|\.in|\.nl|\.ch|\.it|\.ke|\.vn|\.es|\.pk|\.id|\.ar|\.la|\.mx|\.fj|\.cl|\.ro|\.sk|\.pt|\.co|\.bg|$
score BANNED_RULE_TLD 10 10 10 10
Code:
blacklist_from *.agency
blacklist_from *.icu
blacklist_from *.rocks
blacklist_to KnownHoneypotEmail@OnOneOfOurDomains.tld
Code:
header BAD_SENDER_001 ALL =~ /\.icu/i
score BAD_SENDER_001 20 20 20 20
header BAD_SENDER_002 ALL =~ /\.live/i
score BAD_SENDER_002 20 20 20 20
header BAD_SENDER_003 ALL =~ /\.agency/i
score BAD_SENDER_003 20 20 20 20
header BAD_SENDER_004 ALL =~ /\.rocks/i
score BAD_SENDER_004 20
header BAD_RECIPIENT_001 /KnownHoneypotEmail/i
score BAD_RECIPIENT_001 20
2)
screenshot of *@*.agency going to one email address, some BL some not. Some manually learned as spam:
https://my.pcloud.com/publink/show?code ... rbGQ1WTn6y
Re: spamassassin filtering not consistently working for some TLDs
Somehow I live in a banned rule TLD (.nl)
blacklist_from *.agency - Remove the wildcard and just leave the domain. Via MailWatch GUI under black and white lists. Will take effect either after restarting MailScanner.
You could also add block country / IPs - viewtopic.php?t=2659
When I take a look at your screenshot, you could dig the IPs or look in the MailWatch GUI message detail. Likely it will be a small range. With the post in the link above, you can assign a high score quite easily.
If the domain is not valid, block it in postfix
another option (blacklist tld in postfix)
https://serverfault.com/questions/72864 ... in-postfix
another option : viewtopic.php?f=14&t=3227
Re: spamassassin filtering not consistently working for some TLDs
Well, you've never written to me before. But I'll unblock it for you.
OK -- so just leave
Code:
blacklist_from .agency
Are you saying change:
Code:
*@*.agency
Code:
@*.agency
Code:
.agency
OK. I'll dig and see.
henk wrote: ↑06 Jun 2019 17:47
You could also add block country / IPs - viewtopic.php?t=2659
When I take a look at your screenshot, you could dig the IPs or look in the MailWatch GUI message detail. Likely it will be a small range. With the post in the link above, you can assign a high score quite easily.
OK. I'll check all 3 topics.
henk wrote: ↑06 Jun 2019 17:47
If the domain is not valid, block it in postfix
another option (blacklist tld in postfix)
https://serverfault.com/questions/72864 ... in-postfix
another option : viewtopic.php?f=14&t=3227
I'll post back if the above does what I'm hoping.
Thank you!
Re: spamassassin filtering not consistently working for some TLDs
Why do all the mail have a score 0? And your -successful- blacklisted mail a 150 score?
And you did enable MCP?
Do you ever have a score > 0 ?
Looks like you disabled scanning somehow.
Anyway, when you enter them via the Gui-> blackandwhitelist
just enter @ and the domain you want to blacklist. so just @agency.com no wildcards
In your case they mess around with the domain names. So blacklist will not work
like
blalala@titi.agency
wdrfff@tata.agency
As postfix can block unknown domains, I would try that first.
The other option is to determine the sender's IP (just look in the message detail). Ten to one you will see a pattern. You can assign a high value to a single IP or ranges. The country block is helping also.
Re: spamassassin filtering not consistently working for some TLDs
That's part of my confusion. I don't know.
I don't think I disabled it, but I wonder if this is related to: https://forum.configserver.com/viewtopic.php?t=10023
In checking MailScanner.conf, I see:
MCP Checks = yes
For SA? Yes. But not on the "failed-to-be-caught" emails from *@*.agency, .icu, etc.
On MCP -- no. It seems all MCP scores are zero. But again, maybe to do with the link above?
"unknown domains" blocking is definitely happening. I'm seeing entries in maillog right now such as: sender address rejected: domain not found
henk wrote: ↑06 Jun 2019 22:20
Looks like you disabled scanning somehow.
Anyway, when you enter them via the Gui-> blackandwhitelist
just enter @ and the domain you want to blacklist. so just @agency.com no wildcards
In your case they mess around with the domain names. So blacklist will not work
like
blalala@titi.agency
wdrfff@tata.agency
As postfix can block unknown domains, I would try that first.
To update all those playing along at home, the following postfix changes are what I did, and it worked great. Thank you, henk!
I ended up putting these in /etc/postfix/header_checks:
Code:
/\.agency/i DISCARD .agency spam
/\.icu/i DISCARD .icu spam
/\.rocks/i DISCARD .rocks spam
Code:
header_checks = regexp:/etc/postfix/header_checks
Code:
/etc/init.d/postfix restart
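
Added example (not part of any post in this thread): a check of what the header_checks patterns posted above match, run over constructed header lines. Postfix applies each regexp to one whole header line, and per regexp_table(5) matching is case-insensitive by default with the `i` flag toggling it, so `/\.agency/i` ends up case-sensitive. Python's `re` stands in for Postfix's POSIX regexp engine here, and the From:-anchored rule is an assumed alternative, not something the thread proposes.

```python
import re

def compile_postfix(pattern, flags=""):
    # regexp_table(5): case-insensitive by default; each "i" flag TOGGLES it,
    # so a pattern written as /.../i is matched case-sensitively.
    insensitive = flags.count("i") % 2 == 0
    return re.compile(pattern, re.IGNORECASE if insensitive else 0)

def first_action(rules, headers):
    """Return (action, header_line) for the first header any rule matches."""
    for line in headers:              # one logical header line at a time
        for rx, action in rules:
            if rx.search(line):
                return action, line
    return None, None

TLDS = ("agency", "icu", "rocks")

# The three rules as posted: unanchored, with the "i" flag.
POSTED = [(compile_postfix(r"\.%s" % t, "i"), "DISCARD") for t in TLDS]

# Assumed alternative: From: header only, TLD at the end of the address.
ANCHORED = [(compile_postfix(r"^From:.*@[^\s>]*\.(%s)>?\s*$" % "|".join(TLDS)),
             "DISCARD")]

# Constructed sample messages (header lines only).
SAMPLES = {
    "spam_lower": ["From: Deals <blalala@titi.agency>", "Subject: hello"],
    "spam_upper": ["From: <WDRFFF@TATA.AGENCY>", "Subject: hello"],
    "legit_subject": ["From: alice@example.com",
                      "Subject: see www.travel.agency/booking"],
    "legit_lookalike": ["From: bob@mail.iculture.example", "Subject: minutes"],
}

def verdicts(rules):
    """Map each sample name to the action the rule set would take."""
    return {name: first_action(rules, hdrs)[0] for name, hdrs in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("anchored", ANCHORED)):
        print(label, verdicts(rules))
```

Because DISCARD drops the message without notifying the sender, the two legitimate samples the posted rules match would vanish silently; `postmap -q` against the regexp table is the way to confirm behaviour on a real Postfix host.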