GeoIP not always tagging email

[northwindit]

Have two sample emails caught by the spam filter. Both come from the Russian Federation. However only one of them got tagged with the bad relay. Any ideas on why half the emails are getting tagged and the other half not? Right click on the sample screenshots and choose to open in new tab and they will be full size.

[henk]

take a look at your spamassassin Relaycountry_bad config

my /etc/mail/spamassassin/country.cf

Code: Select all

ifplugin Mail::SpamAssassin::Plugin::RelayCountry

header   COUNTRY_RELAY_IN X-Relay-Countries =~ /IN/
describe COUNTRY_RELAY_IN Relayed through India
score    COUNTRY_RELAY_IN 3.5

header   COUNTRY_RELAY_KP X-Relay-Countries =~ /KP/
describe COUNTRY_RELAY_KP Relayed through Korea North
score    COUNTRY_RELAY_KP 4.5

header   COUNTRY_RELAY_PK X-Relay-Countries =~ /PK/
describe COUNTRY_RELAY_PK Relayed through Pakistan
score    COUNTRY_RELAY_PK 5.5

header   COUNTRY_RELAY_RO X-Relay-Countries =~ /RO/
describe COUNTRY_RELAY_RO Relayed through Romania
score    COUNTRY_RELAY_RO 6.5

header   COUNTRY_RELAY_RU X-Relay-Countries =~ /RU/
describe COUNTRY_RELAY_RU Relayed through Russia
score    COUNTRY_RELAY_RU 7.5

endif # Mail::SpamAssassin::Plugin::RelayCountry

works fine with me.

you can always tag ip ranges viewtopic.php?t=2659

cat /etc/mail/spamassassin/blockip.cf

Code: Select all

header SPAMMING_IP Received =~ /5\.188\.129\.
describe SPAMMING_IP Spam Mail from 5.188.129/24
score SPAMMING_IP 8.0

[bikertrash]

Hhmm... I had this setup for quite some time and it used to work pretty well.. but for some reason it just doesn't seem work anymore.

I've been trying to block all the garbage the Classmates sends out out by adding every single sub-net they used to send outbound mail but this crap still just waltzes right through. Using the Administration console to train the appliance that stuff is Spam doesn't work, adding the the sub-nets onto "/ect/mail/spamassasin/blockip.cf" and then restarting mailscanner doesn't work...

For example, I had this already specified in the "blockip.cf":

header SPAMMING_IP Received =~ /(208\.84\.41\.)/
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0

Yet another mail message from 208.84.41.69 came right in again this morning.

Clearly I must be doing something wrong or missing something somewhere.

Suggestions? Guidance?

(I HATE Spam with a PASSION! ANY kind of SPAM! LOL )

[shawniverson]

Do me a favor and check if the /etc/MailScanner/spamassassin.cf is properly symlinked to /etc/mail/spamassassin/mailscanner.cf

[bikertrash]

An ls -al of "ls -al /etc/mail/spamassassin" shows this:

lrwxrwxrwx. 1 root root 34 Apr 19 01:09 mailscanner.cf -> /etc/MailScanner/spamassassin.conf

Not sure if those permissions are correct although I didn't create this symlink...

[bikertrash]

DOH! I think I may have found the issue... spamd was not only not running... but it's also not configured to start at boot-up...

I better look into that...

[bikertrash]

Well... that wasn't it either... another one just waltzed right on through yesterday morning. Has anyone here successfully blocked mail from CLASSMATES.COM????

Yesterday at Tue, 28 Apr 2020 10:43:58 -0700
This came right through:

208.84.41.204 mta06a.iad1.classmates.com United States

This is the guy that should have blocked it but did not:

header SPAMMING_IP Received =~ /(208\.84\.40\.)/
describe SPAMMING_IP Spam Mail from 208.84.40.0/21
score SPAMMING_IP 9.0

When running an "Update SpamAssassin Rule Descriptions" it does show that this sub-net is listed

SPAMMING_IP Spam Mail from 208.84.40.0/21

I even have the domain listed in the Black List:

classmates.com davesdigitaldevices.com Delete
classmates.com default Delete

How are these guys getting through?? It does appear that all of the other sub-nets listed in blockedip.cf from other domains are indeed being blocked... all except this one.

[henk]

Hi Bikertrash

The devil is always in the details. Did you carefully read? viewtopic.php?t=2659
Can you check:

Code: Select all

ll /etc/mail/spamassassin/

Should look something like this

Code: Select all

-rw-r--r--. 1 root root 2369 Nov 15 22:48 country.cf
-rw-r--r--. 1 root root 3390 Dec  1 14:37 descriptions.cf
-rw-r--r--. 1 root root 1287 Apr 24 16:14 init.pre
-rw-r--r--. 1 root root 2619 Feb  1 15:43 local.cf
lrwxrwxrwx. 1 root root   34 Apr 24 16:14 mailscanner.cf -> /etc/MailScanner/spamassassin.conf
lrwxrwxrwx. 1 root root   34 Apr 18 16:07 MailScanner.cf -> /etc/MailScanner/spamassassin.conf
drwx------. 2 root root   83 Apr 28 03:32 sa-update-keys
-rw-r--r--. 1 root root 2523 Nov 15 20:18 v310.pre
-rw-r--r--. 1 root root 1194 Nov  4 11:51 v312.pre
-rw-r--r--. 1 root root 2412 Nov 15 20:18 v320.pre
-rw-r--r--. 1 root root 1237 Nov  4 11:51 v330.pre
-rw-r--r--. 1 root root 1020 Nov  4 11:51 v340.pre
-rw-r--r--. 1 root root 1303 Nov 15 20:18 v341.pre
-rw-r--r--. 1 root root 1499 Nov 15 20:18 v342.pre
-rw-r--r--. 1 root root  949 Apr 24 16:14 v343.pre

Also take a look at your whitelist for conflicting entries in you blacklist.
Check if you can update the Maxmind GeoIp Database in the Gui Tools Menu without errors
before you do that, open a terminal with ssh and enter

Code: Select all

tail -F /var/log/audit/audit.log

Next run a Spamassassin Lint test and Mailscanner Lint test

[bikertrash]

Hello Hank,

Indeed they are! One of the sym-links was missing, specifically the MailScanner.cf, the mailscanner.cf was there though. This has been corrected. All of the permissions were already correct.

Another thing I had missed.... the GeoIP database. Just applied for an account with MaxMiond and installed the key so the database is now updated and functional. The lint tests showed no issues at all, just a couple of slow responses.

I've put on "The Cone of Shame" for the day.

Will see how this goes now and report back. Thank you!

[bikertrash]

And... another one came right through yesterday... same sub-net...

Oh well...

[smyers119]

And... another one came right through yesterday... same sub-net...

Oh well...

I don't think your regex syntax is correct.

[henk]

You need to post details.
The message-detail in the Gui is a good starter. ( a readable printscreen will do)
second using the wrong syntax in expressions is quite common.

Just noticed smyers119 is a lot faster than me.

[smyers119]

I am not a expert, and I didn't test this. but you can try adding this in local.cf

Code: Select all

header CLASSMATE_NET Received =~ /208\.84\.4[0-7]\.\d{1,3}/
describe CLASSMATE_NET Spam Mail from 208.84.40.0/21
score CLASSMATE_NET 9.0

[bikertrash]

When it comes to regex it may as well be written in Hieroglyphics for all the sense it makes to me really...

This:

header SPAMMING_IP Received =~ /(208\.84\.41\.)/
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0

Looks like it should actually be this:

header SPAMMING_IP Received =~ /208\.84\.41\.
describe SPAMMING_IP Spam Mail from 208.84.41.0/21
score SPAMMING_IP 9.0

Correct?

I think you're both correct and it's now just a matter of fix'n my dorked up expressions.

[smyers119]

Hold up, I found the problem. the ip is encompassed in brackets which is why it's not matching will edit this post with the fix. found a cool regex validator as well (https://regex101.com/)

EDIT: Never mind it appears what I posted above is working fine according to the validator. It's showing your original regex was valid as well. So your file must not be in the right folder?? I would recommend just using local.cf and not making your own file.

[bikertrash]

The file is this in /etc/mail/spamassassin/blockip.cf

The permissions on the file are this:
-rw-r--r--. 1 root root 8271 Apr 29 04:45 blockip.cf

Is this correct?

[smyers119]

The file is this in /etc/mail/spamassassin/blockip.cf

The permissions on the file are this:
-rw-r--r--. 1 root root 8271 Apr 29 04:45 blockip.cf

Is this correct?

Permissions match mine

[bikertrash]

I think I found the problem thanks to the link you posted above....

THIS: =~ /(208\.84\.40\.)/
Should actually be THIS: =~ (208\.84\.40\.)

Does that look right?
This first one when entered into that link highlighted both "/" in red and said "pattern error"...

[smyers119]

I think I found the problem thanks to the link you posted above....

THIS: =~ /(208\.84\.40\.)/
Should actually be THIS: =~ (208\.84\.40\.)

Does that look right?
This first one when entered into that link highlighted both "/" in red and said "pattern error"...

Just use mine so you don't need 7 different rules. If you look at the validator those "/" are already there at beginning and end. and there is no benefit to using the grouping with parenthesis (it's not hurting anything either)

[bikertrash]

Well... that puts me right back where I started.... and I'm not sure what you mean by "just use mine" as it doesn't include the sub-nets all that classmates garbage is coming from.

Just going to take a break from this for today... and maybe the next week...

[smyers119]

I am not a expert, and I didn't test this. but you can try adding this in local.cf

Code: Select all

header CLASSMATE_NET Received =~ /208\.84\.4[0-7]\.\d{1,3}/
describe CLASSMATE_NET Spam Mail from 208.84.40.0/21
score CLASSMATE_NET 9.0

^^^^This catches every ip from 208.84.40.0 to 208.84.47.255

[henk]

great thinking and works fine. This is far more flexible than the original solution.
I'll change my orginal post and include your example.

[bikertrash]

Alright... I just added this... sure hope it works.

I sort of doubt there a many people on this earth that hate spam as much as I do...

[henk]

Alright... I just added this... sure hope it works.

It works!

I sort of doubt there a many people on this earth that hate spam as much as I do...

Earth is big, and there a still a lot of people without eFa not able to cut down on spam

[bikertrash]

Well so far so good... normally one comes in every single day.... but nothing today yet.

And yeah... I really don't understand why EFA Project is not more prolific as I have yet to see any other solution that works as well as this does. And believe me... I've tried a lot of them over the years. In my case, using this is sort of like taking a shot-gun on a butterfly hunt as my internal network only has 4 users but, they do NOT get SPAM.