Mailing List Archive

Catching Phishing messages
I tend to get a lot of phishing attempts, and they all get through.

This appears to come from Apple, but obviously is not.

Subject: Re: Purchase Notification - Here is confirmation of your order


Mail From:
> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222494@v2345t3w4t0inbox13.com


I can blacklist the email address, but I know that won't help. Is there a
rule that I can set up to catch more phishing attempts?

Thanks

Daryl
Re: Catching Phishing messages [ In reply to ]
What about rbl integration in spamassassin?

On 20 September 2020 16:35:22 MESZ, Daryl Rose <rosede12@gmail.com> wrote:
>I tend to get a lot of phishing attempts, and they all get through.
>
>This appears to come from Apple, but obviously is not.
>
>Subject: Re: Purchase Notification - Here is confirmation of your order
>
>
>Mail From:
>> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222494@v2345t3w4t0inbox13.com
>
>
>I can blacklist the email address, but I know that won't help. Is
>there a
>rule that I can set up to catch more phishing attempts?
>
>Thanks
>
>Daryl

--
This message was sent from my Android device with K-9 Mail.
Re: Catching Phishing messages [ In reply to ]
Are you using the KAM.cf ruleset?

Can you manually test the email and give the output from the report?  Or
put a spample up on pastebin?


On 9/20/2020 10:35 AM, Daryl Rose wrote:
>
> I tend to get  a lot of phishing attempts, and they all get through.  
>
> This appears to come from Apple, but obviously is not.    
>
>   Subject: Re: Purchase Notification - Here is confirmation of
> your order 
>
>
> Mail
> From: acc.mubmx4btmqkymgfv1leobg.copsess2049113.222494@v2345t3w4t0inbox13.com
> <mailto:acc.mubmx4btmqkymgfv1leobg.copsess2049113.222494@v2345t3w4t0inbox13.com>
>
>
> I can blacklist the email address, but I know that won't help.  Is
> there a rule that I can set up to catch more phishing attempts?
>
> Thanks
>
> Daryl

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Catching Phishing messages [ In reply to ]
On 20 Sep 2020, at 10:35, Daryl Rose wrote:

> I tend to get a lot of phishing attempts, and they all get through.
>
> This appears to come from Apple, but obviously is not.
>
> Subject: Re: Purchase Notification - Here is confirmation of your
> order
>
>
> Mail From:
>> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222494@v2345t3w4t0inbox13.com
>
>
> I can blacklist the email address, but I know that won't help. Is
> there a
> rule that I can set up to catch more phishing attempts?

To catch (MOST) Apple phishing:

whitelist_auth *@*.apple.com
whitelist_auth *@apple.com
header FROM_APPLE From =~ /\bapple\b/i
describe FROM_APPLE Seems to claim to be from Apple
score FROM_APPLE 4

Similar combinations of whitelist_auth rules to clear mail that passes
SPF and/or DKIM authentication for a domain but strongly suspect
anything else that seems to claim to be from them.

Note that if you happen to be on mailing lists with Apple employee
participants using their apple.com addresses, you should take other
measures to favor the list mail, since mailing lists commonly break
author DKIM and SPF is applied to the list's domain.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: Catching Phishing messages [ In reply to ]
On 20 Sep 2020, at 08:35, Daryl Rose <rosede12@gmail.com> wrote:
> I can blacklist the email address, but I know that won't help. Is there a rule that I can set up to catch more phishing attempts?

SPF and DMARC seem to be the only ways to deal with spams from large senders that are faked, but what is considered ‘faked’ may not always match expectations.

As an example, with many GUI mail clients the client shows the “nice” part of the from, and does not show the actual address. So some scammer can send an email from

From: “SupportAdmin@PAYPAL.COM” <spammer@spamsite.tld>

And the recipient will only see a fake PayPal address.


--
"...and Digby considered how much he liked salt..."
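The two From-header checks discussed in this thread, Bill Cole's whitelist_auth plus FROM_APPLE pairing and the display-name-that-looks-like-an-address trick above, emulated in Python so the logic can be tried on sample headers. This is an added example, not SpamAssassin's own code: the Authentication-Results parsing, the rule names, the -100/4/3 scores and the PayPal entry are assumptions, and the three sample headers are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand word matched in From (like /\bapple\b/i) -> domain covered by whitelist_auth.
BRANDS = {"apple": "apple.com", "paypal": "paypal.com"}  # paypal is an assumed extension

def is_subdomain(dom, base):
    return dom == base or dom.endswith("." + base)

def authenticated_domains(msg):
    # Domains with dkim=pass or spf=pass in Authentication-Results headers.
    doms = set()
    for ar in msg.get_all("Authentication-Results", []):
        for clause in ar.split(";"):
            if re.match(r"\s*(dkim|spf)=pass\b", clause, re.I):
                m = re.search(r"(?:header\.d|smtp\.mailfrom)=(?:[^@\s]+@)?([\w.-]+)", clause, re.I)
                if m:
                    doms.add(m.group(1).lower())
    return doms

def score_message(raw):
    # Returns {rule_name: score} for the From-header checks; scores are assumed.
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    name, addr = parseaddr(from_hdr)
    addr_dom = addr.rsplit("@", 1)[-1].lower()
    auth = authenticated_domains(msg)
    hits = {}
    for brand, base in BRANDS.items():
        if not re.search(r"\b%s\b" % brand, from_hdr, re.I):
            continue
        # whitelist_auth: the address must be in the brand's domain AND that domain
        # (or a parent of it) must have passed SPF/DKIM; any other brand claim is suspect.
        if is_subdomain(addr_dom, base) and any(is_subdomain(addr_dom, a) for a in auth):
            hits["WHITELIST_AUTH_" + brand.upper()] = -100.0
        else:
            hits["FROM_" + brand.upper()] = 4.0
    # Display name that itself looks like an address at a different domain
    # (the "SupportAdmin@PAYPAL.COM" <spammer@spamsite.tld> case).
    m = re.search(r"@([\w.-]+)", name)
    if m and m.group(1).lower() != addr_dom:
        hits["DISPLAY_NAME_ADDR_MISMATCH"] = 3.0
    return hits

# Constructed sample headers (not real mail).
PHISH = ("From: Apple <acc.123@spammer.invalid>\n"
         "Authentication-Results: mx.example; spf=pass smtp.mailfrom=spammer.invalid\n\n")
LEGIT = ("From: Apple <no_reply@email.apple.com>\n"
         "Authentication-Results: mx.example; dkim=pass header.d=email.apple.com\n\n")
FAKE_NAME = 'From: "SupportAdmin@PAYPAL.COM" <spammer@spamsite.tld>\n\n'
```

Note that PHISH passes SPF for its own domain and still scores: authentication alone is not a whitelist, only an authenticated address inside the brand's domain is.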
Re: Catching Phishing messages [ In reply to ]
I understand what you're saying. Yes, my email client only shows the fake
email address, so to find the actual email address, I copy the header
contents into an email header analyzer. I prefer https://mailheader.org/.
It breaks apart the header really nicely and I can see the actual email
address.

Thanks

Daryl

On Sun, Sep 20, 2020 at 11:34 PM @lbutlr <kremels@kreme.com> wrote:

> On 20 Sep 2020, at 08:35, Daryl Rose <rosede12@gmail.com> wrote:
> > I can blacklist the email address, but I know that won't help. Is there
> a rule that I can set up to catch more phishing attempts?
>
> SPF and DMARC seem to be the only ways to deal with spams from large
> senders that are faked, but what is considered ‘faked’ may not always match
> expectations.
>
> As an example, with many GUI mail clients the client shows the “nice” part
> of the from, and does not show the actual address. So some scammer can send
> an email from
>
> From: “SupportAdmin@PAYPAL.COM” <spammer@spamsite.tld>
>
> And the recipient will only see a fake PayPal address.
>
>
> --
> "...and Digby considered how much he liked salt..."
Re: Catching Phishing messages [ In reply to ]
I am not using the KAM.cf rule set. I found the script on GitHub. Can I
just drop it into /etc/mail/spamassassin, stop/start spamassassin and start
catching phishing emails?

Thanks

Daryl

On Sun, Sep 20, 2020 at 10:32 AM Kevin A. McGrail <kmcgrail@apache.org>
wrote:

> Are you using the KAM.cf ruleset?
>
> Can you manually test the email and give the output from the report? Or
> put a spample up on pastebin?
>
>
> On 9/20/2020 10:35 AM, Daryl Rose wrote:
>
> I tend to get a lot of phishing attempts, and they all get through.
>
> This appears to come from Apple, but obviously is not.
>
> Subject: Re: Purchase Notification - Here is confirmation of your order
>
>
> Mail From:
>> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222494@v2345t3w4t0inbox13.com
>
>
> I can blacklist the email address, but I know that won't help. Is there a
> rule that I can set up to catch more phishing attempts?
>
> Thanks
>
> Daryl
>
> --
> Kevin A. McGrail
> KMcGrail@Apache.org
>
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>
Re: Catching Phishing messages [ In reply to ]
I'm not familiar with RBL. What and how would I use it?

Thanks

Daryl

On Sun, Sep 20, 2020 at 9:42 AM sebastian@debianfan.de <
sebastian@debianfan.de> wrote:

> What about rbl integration in spamassassin?
>
> On 20 September 2020 16:35:22 MESZ, Daryl Rose <rosede12@gmail.com> wrote:
>>
>> I tend to get a lot of phishing attempts, and they all get through.
>>
>> This appears to come from Apple, but obviously is not.
>>
>> Subject: Re: Purchase Notification - Here is confirmation of your order
>>
>>
>> Mail From:
>>> acc.mubmx4btmqkymgfv1leobg.copsess2049113.222494@v2345t3w4t0inbox13.com
>>
>>
>> I can blacklist the email address, but I know that won't help. Is there
>> a rule that I can set up to catch more phishing attempts?
>>
>> Thanks
>>
>> Daryl
>>
>
> --
> This message was sent from my Android device with K-9 Mail.
>
Re: Catching Phishing messages [ In reply to ]
On Sun, Sep 20, 2020 at 09:35:22AM -0500, Daryl Rose wrote:
> I tend to get a lot of phishing attempts, and they all get through.
>
> This appears to come from Apple, but obviously is not.

Not a spamassassin solution, but Apple has a DMARC policy of quarantine
for those types of emails. If you implement dmarc policy checking on
your mail server and enforce the policy that Apple asks you to follow
when you receive emails supposedly from apple.com, those phishing
emails will end up in your mail server's quarantine directory.

-Bryan
Re: Catching Phishing messages [ In reply to ]
On Mon, 21 Sep 2020 07:33:01 -0500
Bryan K. Walton wrote:

> On Sun, Sep 20, 2020 at 09:35:22AM -0500, Daryl Rose wrote:
> > I tend to get a lot of phishing attempts, and they all get through.
> >
> > This appears to come from Apple, but obviously is not.
>
> Not a spamassassin solution, but Apple has a DMARC policy of
> quarantine for those types of emails. If you implement dmarc policy
> checking on your mail server and enforce the policy that Apple asks
> you to follow when you receive emails supposedly from apple.com,
> those phishing emails will end up in your mail server's quarantine
> directory.

Assuming they actually have Apple's domain as the author address, which
they very likely don't.
Re: Catching Phishing messages [ In reply to ]
I don't have the email server, it's hosted by a provider. This provider
does a crappy job at filtering spam and phishing, so I am running ISBG and
Spamassassin to block the spam and phishing.

Thanks

Daryl

On Mon, Sep 21, 2020 at 7:33 AM Bryan K. Walton <
bwalton+1576874476@leepfrog.com> wrote:

> On Sun, Sep 20, 2020 at 09:35:22AM -0500, Daryl Rose wrote:
> > I tend to get a lot of phishing attempts, and they all get through.
> >
> > This appears to come from Apple, but obviously is not.
>
> Not a spamassassin solution, but Apple has a DMARC policy of quarantine
> for those types of emails. If you implement dmarc policy checking on
> your mail server and enforce the policy that Apple asks you to follow
> when you receive emails supposedly from apple.com, those phishing
> emails will end up in your mail server's quarantine directory.
>
> -Bryan
>
Re: Catching Phishing messages [ In reply to ]
On 21 Sep 2020, at 08:21, Daryl Rose <rosede12@gmail.com> wrote:
> I don't have the email server, it's hosted by a provider. This provider does a crappy job at filtering spam and phishing, so I am running ISBG and Spamassassin to block the spam and phishing.

This isn't really a workable solution as there are many tests that
your SA can't do that a mail server can do. The better solutions include:

1) Never use ISP email, they are pretty much universally garbage.
2) Get your own domain and pay for someone to run email service
for you, pick a company that does a good job at managing spam
and if you are unhappy with them, move to another provider.
4) Gmail
5) a service like SaneBox or others that acts as an intermediary
to filter spam (and often for other services as well).
6) Get an email from a provider that takes email and spam seriously.
7) Run your own server (I don't recommend this)

Probably several others I am not thinking of.



--
"Are you pondering what I'm pondering?"
"I think so, Brain, but couldn't the constant use of a henna rinse
lead to premature baldness?"
Re: Catching Phishing messages [ In reply to ]
On Wed, 23 Sep 2020 14:03:32 -0600
@lbutlr wrote:

> On 21 Sep 2020, at 08:21, Daryl Rose <rosede12@gmail.com> wrote:
> > I don't have the email server, it's hosted by a provider. This
> > provider does a crappy job at filtering spam and phishing, so I am
> > running ISBG and Spamassassin to block the spam and phishing.
>
> This isn't really a workable solution

It really is, unless the account is being deluged with spam.

> as there are many tests that your SA can't do that a mail server can
> do.

There are a few tests that SA can't do, but SA can do some of them a lot
better. Mail servers have a huge handicap in that they mostly work in
real time. A polling delay and not testing 24/7 can make a huge
difference. On the list we see people reporting difficult spams that
have huge scores on retesting.


It's not necessarily true that an ISP with poor spam filtering is
failing to do server-side filtering. It may be just skimping on
expensive content-filtering, but still doing the cheap tests that save
resources. This is an ideal case for client-side filtering.