Obvious spam getting through

Tracy Greggs mailscanner-list at okla.com
Mon Dec 19 22:45:38 UTC 2016


While there is usually more than one way to accomplish the same thing, I use
xtables-addons to block everything where the last external relay is not in
the US or Canada for most of my clients' servers that do not have any legit
email from outside the US or CA.  The SA rules I described are to catch
those TLDs that are 100% spam generally speaking and that are being relayed
from the US or CA.  I have quite a lengthy list of them in my
x-blacklisted-tlds.cf, and along with RBLDNSD it solves 99% of the spam
issues.

Tracy


-----Original Message-----
From: MailScanner
[mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info] On Behalf Of Peter Lemieux
Sent: Friday, December 16, 2016 9:09 AM
To: MailScanner Discussion
Subject: Re: Obvious spam getting through

I didn't even know there was a "blacklist_from" directive in SpamAssassin. 
In fact, there are quite a variety of such controls.  I noticed that while
there is a whitelist_from_rcvd which looks at Received headers, there is no
corresponding blacklist_from_rcvd.  I wonder if that means blacklist_from
includes both Received and From headers?

Details here: 
https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options

I generally use the whitelisting and blacklisting rulesets in MailScanner
itself for these tasks.  Maybe someone here can remind us whether a
blacklisted From in those rulesets applies to the Received headers, or to
the Return-Path, as well as the From address itself.  See the "Is Definitely
Spam" directive in MailScanner.conf.

Peter


On 12/16/2016 09:37 AM, Tracy Greggs wrote:
> I create a file called x-blacklisted-tlds.cf and put it in the same 
> folder as your local.cf, on CentOS in /etc/mail/spamassassin/.  When 
> spamassassin fires it looks at all cf files there in alphabetical 
> order, so in my case the x-blacklisted-tlds.cf is read last on purpose.
>
> The contents look like this:
>
> blacklist_from *@*.top
> blacklist_from *@*.xzy
>
> etc.etc.etc.
>
> Since I use the latest version of MailWatch also, this allows me to 
> whitelist any that are legit although like Peter says, I haven't had a 
> single complaint either.  In MW, these will be color coded black just 
> like they would if you had them in the MW SQL blacklist unless you 
> whitelist the sender with MW which overrides the SA blacklist_from in your
> cf file.
>
> Regards,
> Tracy Greggs
>
> -----Original Message-----
> From: MailScanner
> [mailto:mailscanner-bounces+mailscanner-list=okla.com at lists.mailscanner.info] On Behalf Of Peter H. Lemieux
> Sent: Wednesday, December 14, 2016 4:42 PM
> To: MailScanner Discussion
> Subject: Re: Obvious spam getting through
>
> If you don't want to reject them outright, bump up their scores in 
> SpamAssassin with a rule like
>
> header TOP_DOMAIN         Return-Path =~ /\.top/
> score TOP_DOMAIN          3
>
> Peter
>
>
> On 12/14/2016 05:26 PM, Sterling Chavis wrote:
>> Thank you. The ones that are getting through are all .top domains as 
>> far as I can see. I'll use this method and see how it goes.
>>
>>
>> On 12/14/2016 12:10 PM, Peter Lemieux wrote:
>>> I deal with these by refusing mail for most of the new top-level 
>>> domains like .top.  I've never seen any legitimate mail from any of 
>>> those, nor have I received any complaints about missing messages.  
>>> My current blacklist includes:
>>>
>>> click
>>> date
>>> faith
>>> party
>>> link
>>> xyz
>>> download
>>> top
>>> space
>>> win
>>> stream
>>> gdn
>>> website
>>> bid
>>> loan
>>> review
>>> science
>>>
>>> I handle this screening via the access database in sendmail, not 
>>> through MailScanner.
>>>
>>> Peter
>>>
>>>
>>> On 12/14/2016 02:03 PM, Sterling Chavis wrote:
>>>> The other day I started to get slammed with spam. SpamAssassin was 
>>>> doing a very good job before that, and is still catching many.
>>>> Could they be spoofing the X-Mailscanner headers to bypass my 
>>>> mailscan rules? Here is an example of the ones that are getting
>>>> through:
>>>>
>>>> Return-Path:
>>>> <chronic.constipation.remedy at pessimist.rightcontipationscare.top>
>>>
>>>
>>
>>
>>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>




-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
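
An added example (not code from the thread or from the SpamAssassin project): a Python script that renders the TLD list quoted above into the `blacklist_from *@*.tld` form described for x-blacklisted-tlds.cf, then checks constructed sender addresses against the result. The glob matching (`*` any run of characters, `?` one character, anchored, case-insensitive) is an assumption that emulates SpamAssassin's file-glob patterns; the function names and sample addresses are hypothetical.

```python
import re

# TLDs from the blacklist quoted in the thread.
BLOCKED_TLDS = ["click", "date", "faith", "party", "link", "xyz", "download",
                "top", "space", "win", "stream", "gdn", "website", "bid",
                "loan", "review", "science"]
_LABEL = re.compile(r"[a-z0-9-]{2,63}")  # a bare TLD label, nothing else

def render_cf(tlds):
    """Render one 'blacklist_from *@*.tld' line per TLD, deduplicated and sorted."""
    labels = sorted({t.strip().lower().lstrip(".") for t in tlds})
    for label in labels:
        if not _LABEL.fullmatch(label):  # keeps stray text out of the .cf file
            raise ValueError(f"not a bare TLD label: {label!r}")
    return "".join(f"blacklist_from *@*.{label}\n" for label in labels)

def glob_to_regex(glob):
    """Assumed glob semantics: '*' any run, '?' one char, anchored, case-insensitive."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in glob)
    return re.compile(f"^{body}$", re.IGNORECASE)

def load_patterns(cf_text):
    """Read blacklist_from globs back out of .cf text, ignoring comments and blanks."""
    patterns = []
    for raw in cf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "blacklist_from":
            patterns += [(g, glob_to_regex(g)) for g in fields[1:]]
    return patterns

def first_match(address, patterns):
    """Return the glob that would blacklist this sender address, or None."""
    addr = address.strip().strip("<>")
    return next((g for g, rx in patterns if rx.match(addr)), None)

# Constructed sender addresses, not taken from real mail.
SAMPLES = ["<offer@mail.example.top>", "NEWS@EXAMPLE.XYZ",
           "user@top.example.com", "user@example.stop", "user@laptop"]

if __name__ == "__main__":
    pats = load_patterns(render_cf(BLOCKED_TLDS))
    for s in SAMPLES:
        print(f"{s:28} -> {first_match(s, pats) or 'not blacklisted'}")
```

After writing the generated text to a .cf file, `spamassassin --lint` reports any line the parser rejects.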

