
Problem with local.cf rules
I’m running spamassassin 3.4.2-0 on Ubuntu 18.04.4.

Controlling process is
/usr/bin/perl -T -w /usr/sbin/spamd -d --pidfile=/var/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir


My local.cf has local rules enabled, and contains, inter alia, these rules
=========

header CASINO From =~ /\bcasino\b/i
score 100.0

header CASINOS From =~ /\bcasinos\b/i
score 100.0

header CASINO_DONOVAN From =~ /\bray donovan\b/i
score 100.0

header CASINO_OLIVIA From =~ /\bolivia.*cs\b/i
score 100.0

header BAD_WORDS_1 From =~ /\b(swimming|solarbank|bag|intelligent|napkin|stretcher)\b/i
score 6.0

header BAD_WORDS_2 From =~ /\b(smart|amazing|clavicle|slicer|indestructible|bamboo)\b/i
score 6.0

header BAD_WORDS_3 From =~ /\b(innovation|selfie|socks|healthreporters|thermovest)\b/i
score 6.0

header BAD_WORDS_4 From =~ /\bdrone\b|\bremover\b|\btrainer\b|\btactical\b|\bsmart watch\b/i
score 6.0

header BAD_WORDS_5 From =~ /(\blost\b.*[0-9]+.*lbs\b)/i
score 10.0

header BAD_WORDS_6 From =~ /\bdrone\b|\bprofessional\b|\bslim\b|\bmini\b/i

header AUSPOST_GOOD From =~ /auspost\.com\.au/
score -20.0

header AUSPOST_BAD From =~ /Australia Post/
score 20.0
=======

The casino stuff is still getting through. Here’s the X-Spam-Status on a typical message.

X-Spam-Status: No, score=4.1 required=5.0 tests=CASINO,DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_MESSAGE,MAILING_LIST_MULTI,RAZOR2_CF_RANGE_51_100,
RAZOR2_CHECK,SPF_HELO_PASS,SPF_PASS,URIBL_BLOCKED shortcircuit=no
autolearn=no autolearn_force=no version=3.4.2

It’s hitting the CASINO rule, but no matter what value I assign to the casino rules - 5, 20, 100 - these messages always come through with a value of 4.1. It’s as though some other rule is resetting the score to 0 before proceeding.

My other query concerns the AUSPOST rules. What I want to do is eliminate mail that has a name of “AUSTRALIA POST” and does NOT have an address containing <auspost.com.au>. Hence I’m trying the -20.0 +20.0 pair of rules. Is there a more direct way of achieving this? Will a pcre ’not followed by’ style of rule do the trick?

Is there a finer subdivision of the From header, into name and address, for example?

peter


pbw@ehealth.id.au
“Two men went up into the temple to pray, one a Pharisee and the other a tax collector.”
Re: Problem with local.cf rules
Peter West wrote on 14.03.2021 at 14:30:
> header CASINO From =~ /\bcasino\b/i
> score 100.0
>
> =======
>
>
> It’s hitting the CASINO rule, but no matter what value I assign to the casino rules - 5, 20, 100 - these messages always come through with a value of 4.1. It’s as though some other rule is resetting the score to 0 before proceeding.
You need to give the rule name with the score keyword; otherwise
spamassassin cannot know which rule the score applies to.

score CASINO 100
Re: Problem with local.cf rules
Well, that was simple. Thank you. What’s the default value of a rule? Does it have one?

pbw@ehealth.id.au
“Two men went up into the temple to pray, one a Pharisee and the other a tax collector.”

> On 14 Mar 2021, at 11:41 pm, Alex Woick <alex@wombaz.de> wrote:
>
> Peter West wrote on 14.03.2021 at 14:30:
>> header CASINO From =~ /\bcasino\b/i
>> score 100.0
>>
>> =======
>>
>>
>> It’s hitting the CASINO rule, but no matter what value I assign to the casino rules - 5, 20, 100 - these messages always come through with a value of 4.1. It’s as though some other rule is resetting the score to 0 before proceeding.
> You need to give the rule name with the score keyword; otherwise spamassassin cannot know which rule the score applies to.
>
> score CASINO 100
>
Re: Problem with local.cf rules
Peter West writes:
> From: Peter West <pbw@pbw.id.au>
> Date: Sun, 14 Mar 2021 23:30:03 +1000
>
> I’m running spamassassin 3.4.2-0 on Ubuntu 18.04.4.
>
> Controlling process is
> /usr/bin/perl -T -w /usr/sbin/spamd -d --pidfile=/var/run/spamd.pid --create-prefs --max-children 5 --helper-home-dir
>
>
> My local.cf has local rules enabled, and contains, inter alia, these rules
> =========
>
> header CASINO From =~ /\bcasino\b/i
> score 100.0
>
> header CASINOS From =~ /\bcasinos\b/i
> score 100.0

These two rules can be combined by making the 's' optional, e.g. 's?'.

> The casino stuff is still getting through. Here’s the X-Spam-Status on a typical message.
>
> X-Spam-Status: No, score=4.1 required=5.0 tests=CASINO,DKIM_SIGNED,DKIM_VALID,
> DKIM_VALID_AU,HTML_MESSAGE,MAILING_LIST_MULTI,RAZOR2_CF_RANGE_51_100,
> RAZOR2_CHECK,SPF_HELO_PASS,SPF_PASS,URIBL_BLOCKED shortcircuit=no
> autolearn=no autolearn_force=no version=3.4.2
>
> It’s hitting the CASINO rule, but no matter what value I assign to the casino rules - 5, 20, 100 - these messages always come through with a value of 4.1. It’s as though some other rule is resetting the score to 0 before proceeding.
>
> My other query concerns the AUSPOST rules. What I want to do is eliminate mail that has a name of “AUSTRALIA POST” and does NOT have an address containing <auspost.com.au>. Hence I’m trying the -20.0 +20.0 pair of rules. Is there a more direct way of achieving this? Will a pcre ’not followed by’ style of rule do the trick?
>
> Is there a finer subdivision of the From header, into name and address, for example?
>
> peter
>
>
> pbw@ehealth.id.au
> “Two men went up into the temple to pray, one a Pharisee and the other a tax collector.”


Change the Status header to show the scores for each rule, by changing
tests=_TESTS_ to tests=_TESTSSCORES_
Something like:
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_ version=_VERSION_ autolearn=_AUTOLEARN_

This will show the score that you are getting for CASINO, which is
probably 1, because of the syntax error in your scores (already
pointed out).


And you might want to fix the URIBL_BLOCKED issue. Fixing the
URIBL_BLOCKED issue will do far more to fix your issues than adding
rules.


-jeff
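Pulling the thread's fixes together as an added example (my own local.cf fragment, not the poster's or any reply's configuration): every score line names its rule, the two casino rules merge via `s?`, and the AUSPOST -20/+20 pair becomes one meta rule built on SpamAssassin's `From:name` and `From:addr` header modifiers, which answer the name-versus-address question directly. The rule names other than CASINO and the subdomain handling in the address regex are my own choices.

```conf
# Added example (not from the thread): a corrected local.cf fragment.
# Each score line names its rule; a bare "score 100.0" sets nothing,
# so the rule keeps the default score of 1.0 (hence CASINO only added
# one point in the original X-Spam-Status).

# One rule covers "casino" and "casinos" by making the trailing s optional.
header   CASINO         From =~ /\bcasinos?\b/i
describe CASINO         Casino wording in the From header
score    CASINO         100.0

# From:name matches only the display name, From:addr only the address.
# Rules whose names start with __ are sub-rules that add no score of
# their own; the meta rule combines them, so a From that claims to be
# Australia Post but whose address is not under auspost.com.au gets
# +20 from a single rule, and genuine auspost.com.au mail gets nothing.
header   __AUSPOST_NAME From:name =~ /\bAustralia Post\b/i
header   __AUSPOST_ADDR From:addr =~ /\@(?:[a-z0-9-]+\.)*auspost\.com\.au$/i
meta     AUSPOST_SPOOF  (__AUSPOST_NAME && !__AUSPOST_ADDR)
describe AUSPOST_SPOOF  Display name says Australia Post, address is not auspost.com.au
score    AUSPOST_SPOOF  20.0

# Show the score of every hit in the status header while tuning.
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_ version=_VERSION_ autolearn=_AUTOLEARN_
```

Check the file with `spamassassin --lint` after editing and restart spamd so the running children pick up the new rules.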
Re: Problem with local.cf rules
On Mon, 15 Mar 2021, Peter West wrote:

> Well, that was simple. Thank you. What’s the default value of a rule? Does it have one?

The default score for all rules is 1 point.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Failure to plan ahead on someone else's part does not constitute
an emergency on my part. -- David W. Barts in a.s.r
-----------------------------------------------------------------------
Today: Daylight Saving Time begins in U.S. - Spring Forward
Re: Problem with local.cf rules
On Sun, 14 Mar 2021, jwmincy@gmail.com wrote:

> Peter West writes:
>
> And you might want to fix the URIBL_BLOCKED issue. Fixing the
> URIBL_BLOCKED issue will do far more to fix your issues than adding
> rules.

Seconded. The keywords here are "local, caching, *NON-FORWARDING* DNS
server for SpamAssassin".

If that isn't enough to set you on the right path, search the mailing list
archives for "URIBL-BLOCKED" or "URIBL DNS" for previous discussions of
this topic. If that history isn't enough, feel free to ask for assistance.

Re: Problem with local.cf rules
John Hardin writes:
> From: John Hardin <jhardin@impsec.org>
> Date: Sun, 14 Mar 2021 08:29:01 -0700 (PDT)
>
> On Sun, 14 Mar 2021, jwmincy@gmail.com wrote:
>
> > Peter West writes:
> >
> > And you might want to fix the URIBL_BLOCKED issue. Fixing the
> > URIBL_BLOCKED issue will do far more to fix your issues than adding
> > rules.
>
> Seconded. The keywords here are "local, caching, *NON-FORWARDING* DNS
> server for SpamAssassin".
>
> If that isn't enough to set you on the right path, search the mailing list
> archives for "URIBL-BLOCKED" or "URIBL DNS" for previous discussions of
> this topic. If that history isn't enough, feel free to ask for assistance.

Yep - thanks for filling in the details.

Also, I forgot to mention - always run spamassassin --lint after
adding rules to check for syntax errors.

-jeff
Re: Problem with local.cf rules
The most pertinent stuff I found was this Confluence page:
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver

So it looks as though I have to install a primary nameserver and a secondary rbldnsd.

I’m trying to translate this –
Rsync the feed files into /var/lib/rbldnsd

which seems to be this set
dul.dnsbl.sorbs.net:ip4set:dul.dnsbl.sorbs.net
http.dnsbl.sorbs.net:dnset:http.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net:ip4set:smtp.dnsbl.sorbs.net
new.spam.dnsbl.sorbs.net:ip4set:new.spam.dnsbl.sorbs.net
dnsbl-1.uceprotect.net:ip4set:dnsbl-1.uceprotect.net

which is also dropped (for pdns-recursor) in forward-zones, like so
dul.dnsbl.sorbs.net=127.0.0.1:530
http.dnsbl.sorbs.net=127.0.0.1:530
smtp.dnsbl.sorbs.net=127.0.0.1:530
new.spam.dnsbl.sorbs.net=127.0.0.1:530
dnsbl-1.uceprotect.net=127.0.0.1:530

Apparently, an ip4set is a set of IPv4 addresses, while a dnset is a set of domain names.

I still don’t know how to translate –
Rsync the feed files into /var/lib/rbldnsd

And I don’t know whether I am supposed to rely only on sorbs + uceprotect, or whether I am supposed to somehow cobble similar sets together for Mailspike, SpamCop, Spamhaus ZEN, SURBL and URIBL (which circles me back to the original mail header notation which brought me here.)
See https://cwiki.apache.org/confluence/display/spamassassin/DnsBlocklists#dnsbl-block

I am impressed by the level of obscurity, not to mention the sprawling vastness of spamassassin.

Further assistance is needed.


pbw@ehealth.id.au
“…an hour is coming when all who are in the tombs will hear his voice and come out…”

> On 15 Mar 2021, at 1:29 am, John Hardin <jhardin@impsec.org> wrote:
>
> On Sun, 14 Mar 2021, jwmincy@gmail.com wrote:
>
>> Peter West writes:
>>
>> And you might want to fix the URIBL_BLOCKED issue. Fixing the
>> URIBL_BLOCKED issue will do far more to fix your issues than adding
>> rules.
>
> Seconded. The keywords here are "local, caching, *NON-FORWARDING* DNS server for SpamAssassin".
>
> If that isn't enough to set you on the right path, search the mailing list archives for "URIBL-BLOCKED" or "URIBL DNS" for previous discussions of this topic. If that history isn't enough, feel free to ask for assistance.
>
Re: Problem with local.cf rules
On 2021-03-17 03:58, Peter West wrote:

>> Seconded. The keywords here are "local, caching, *NON-FORWARDING*
>> DNS server for SpamAssassin".
>>

URIBL_BLOCKED is not data from sorbs.

In bind9 it's needed to add

qname-minimization disabled;

into the options section.

if this is not added it breaks uribl and dnsbl data either local or
remote

Is rbldnsd supporting qname-minimization?

if you have all in rbldnsd one could tell spamassassin to use rbldnsd
direct eg non forwarding dns lookups to solve bind9 and all that mess
bind9 does now

but still do not use rbldnsd for mta data :=)
