From mailscanner at barendse.to Tue Oct 17 08:17:39 2023
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Tue, 17 Oct 2023 10:17:39 +0200 (CEST)
Subject: Installation error now that spamassasin 4.0.0 is available
In-Reply-To:
References: <2f08097569c11ce95f2b3749917267cc@andew.org.uk>
 <22ce742d551531c792881c27f6b54dd8@andew.org.uk>
 <7f572aafdf6b60d762ab1575860d19c7@andew.org.uk>
 <5110db3e-1b0c-9c1e-ae08-06c28a81895b@summitgrid.com>
Message-ID: <66135b6e-d5a-a0dd-5de7-55144f3b8025@barendse.to>

On Mon, 5 Jun 2023, mailscanner at barendse.to wrote:

>
>
> On Sat, 31 Dec 2022, Shawn Iverson via MailScanner wrote:
>
>>
>> On 12/29/22 20:17, Rick Gutierrez wrote:
>>> On Wed, 21 Dec 2022 at 13:04, Andrew Pearce () wrote:
>>>> Hi
>>>>
>>>> I got my installation to work with running the following command as it
>>>> looks like Zlib wasn't fully updated
>>>>
>>>> cpanm --uninstall IO::Compress::Zlib::Extra
>>>>
>>>>
>>> thank Andrew.
>>
>> I'm going to rework the MailScanner ms-configure for RHEL derivatives to
>> prefer rpm installs of the latest SA. Hopefully this will help alleviate
>> some of these issues for folks....
>>
>
> I'm on ubuntu but also install SpamAssassin and preferably as many other
> packages as possible from apt, I hope to avoid as much as possible that a
> security update gets released without it getting installed because I didn't
> notice it. I found a lot of perl modules in apt already but couldn't get all
> to install

Same here, I would also like to update my SA and clamav to 1.2.0.
rather than 1.0.3.9 but hate moving away from apt because that would mean
that I need to manually maintain all those packages by hand myself :(

From mailscanner at barendse.to Fri Oct 20 15:07:23 2023
From: mailscanner at barendse.to (mailscanner at barendse.to)
Date: Fri, 20 Oct 2023 17:07:23 +0200 (CEST)
Subject: Newish domains scoring
In-Reply-To: <2583274b-e71b-7920-f400-f2c8da14a97c@togethia.net>
References: <2583274b-e71b-7920-f400-f2c8da14a97c@togethia.net>
Message-ID:

Hi Peter!

I am trying to achieve the same but think it's not working, not sure if that service is still working? The latest news on the website is from 2017, the documentation at SEM is somewhat basic,

The only thing I did was to add to /etc/mail/spamassassin/local.cf the lines below and nothing beyond that (did I miss something?) :

# SEM-BACKSCATTER
header RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
tflags RCVD_IN_SEMBACKSCATTER net
describe RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
score RCVD_IN_SEMBACKSCATTER 0.5

# SEM-BLACK
header RCVD_IN_SEMBLACK eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
tflags RCVD_IN_SEMBLACK net
describe RCVD_IN_SEMBLACK Received from an IP listed by SEM-BLACK
score RCVD_IN_SEMBLACK 0.5

# SEM-FRESHZERO
urirhssub SEM_FRESHZERO freshzero.spameatingmonkey.net. A 2
body SEM_FRESHZERO eval:check_uridnsbl('SEM_FRESHZERO')
describe SEM_FRESHZERO Contains a domain never seen before
tflags SEM_FRESHZERO net
score SEM_FRESHZERO 0.5

# SEM-FRESH
urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
describe SEM_FRESH Contains a domain registered less than 5 days ago
tflags SEM_FRESH net
score SEM_FRESH 0.5

# SEM-FRESH10
urirhssub SEM_FRESH10 fresh10.spameatingmonkey.net. A 2
body SEM_FRESH10 eval:check_uridnsbl('SEM_FRESH10')
describe SEM_FRESH10 Contains a domain registered less than 10 days ago
tflags SEM_FRESH10 net
score SEM_FRESH10 0.5

# SEM-FRESH15
urirhssub SEM_FRESH15 fresh15.spameatingmonkey.net. A 2
body SEM_FRESH15 eval:check_uridnsbl('SEM_FRESH15')
describe SEM_FRESH15 Contains a domain registered less than 15 days ago
tflags SEM_FRESH15 net
score SEM_FRESH15 0.5

# SEM-FRESH30
urirhssub SEM_FRESH30 fresh30.spameatingmonkey.net. A 2
body SEM_FRESH30 eval:check_uridnsbl('SEM_FRESH30')
describe SEM_FRESH30 Contains a domain registered less than 30 days ago
tflags SEM_FRESH30 net
score SEM_FRESH30 0.5

# SEM-URI
urirhssub SEM_URI uribl.spameatingmonkey.net. A 2
body SEM_URI eval:check_uridnsbl('SEM_URI')
describe SEM_URI Contains a URI listed by SEM-URI
tflags SEM_URI net
score SEM_URI 0.5

# SEM-URIRED
urirhssub SEM_URIRED urired.spameatingmonkey.net. A 2
body SEM_URIRED eval:check_uridnsbl('SEM_URIRED')
describe SEM_URIRED Contains a URI listed by SEM-URIRED
tflags SEM_URIRED net
score SEM_URIRED 0.5

Thanks!!

On Wed, 10 May 2023, Peter Farrow via MailScanner wrote:

>
> Try these:
>
> https://spameatingmonkey.com/services
>
> SEM-FRESH etc for domains registered recently.
>
> On 10/05/2023 21:51, Tracy Greggs via MailScanner wrote:
> I know this is a question for the SA users group but I wanted to throw it in here in the event anyone has any ideas or existing solutions.
> So, here we go.
>
> We almost never get any phishing email from domains over 1 year old.
>
> We get a lot of phishing email from domains less than 1 year old.
>
> I would love to be able to have an accurate way of scoring up email from domains less than fill in the blank days old. In my case 380 days. This way we could review them for validity and release them if they are good.
>
> An accurate way of performing this check would save us quite a bit of grief.
>
> Ideas or solutions to this anyone?
>
>
> --
> Peter Farrow BEng(hons) BBC ETSI
> Office: 01249 736180 |
> Mobile: +44 (0) 7799605617
> Email: MailScanner has detected a possible fraud attempt from "mail:peter.farrow at togethia.net" claiming to be peter.farrow at togethia.net
> Website: www.togethia.it
>

From mailscanner-list at okla.com Fri Oct 20 15:27:55 2023
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Fri, 20 Oct 2023 15:27:55 +0000
Subject: Newish domains scoring
In-Reply-To:
References: <2583274b-e71b-7920-f400-f2c8da14a97c@togethia.net>
Message-ID:

SEM is not well maintained in MY opinion. Far from it. I gave up.

For $40 USD/month we get a daily CSV from whoisds.com that has two columns. Creation date and domain name. Creation date is hugely important to me. The problem with SEM is they are pulling the wrong freaking data and listing domains that were created years ago, rendering it useless to me.

So I wrote a couple of scripts and dump it daily to MariaDB and then take the last "x" days, 45 in my case, and dump them to an RBLDNS formatted file then my shell script refires rbldnsd and flushes the bind cache. I flush data with creation dates older than 60 days. I'm keeping the DB at 60 days in case I want to change my rbl from 45 to 60 days.

This has another angle too, we have over 100 domains in our account via UDRP suits. I do some daily searches of my NRD database and send myself a report on any matches for copycat domain names. I would rather know the punching is coming and where it is coming from rather than wait to get hit.

This works perfectly.

Excerpt from my daily email report:

----
206,375 Domains Added to NRDCD Database
117,387 Domains Deleted from NRDCD Database
7,888,146 Domain Names Written to 45 Days RBLDNSD File
10,358,902 Total Domains In Database
----

And so for example, zzzso.top and know that my "fake" rbl zone is clients.blocked.rbl

time nslookup zzzso.top.clients.blocked.rbl
Server:         172.16.0.242
Address:        172.16.0.242#53

Non-authoritative answer:
Name:   zzzso.top.clients.blocked.rbl
Address: 127.0.0.4

real    0m0.024s
user    0m0.022s
sys     0m0.001s

And if that isn't fast enough, I don't know what to tell you.

If you have any questions, would like a copy of my scripts etc, feel free to reach out to me directly.

Regards,

Tracy Greggs - tgreggs at insuredaircraft dot com

------ Original Message ------
From mailscanner at barendse.to
To "Peter Farrow via MailScanner"
Date 10/20/2023 10:07:23 AM
Subject Re: Newish domains scoring

>Hi Peter!
>
>I am trying to achieve the same but think it's not working, not sure if that service is still working? The latest news on the website is from 2017, the documentation at SEM is somewhat basic,
>
>The only thing I did was to add to /etc/mail/spamassassin/local.cf the lines below and nothing beyond that (did I miss something?) :
>
># SEM-BACKSCATTER
>header RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')
>tflags RCVD_IN_SEMBACKSCATTER net
>describe RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
>score RCVD_IN_SEMBACKSCATTER 0.5
>
># SEM-BLACK
>header RCVD_IN_SEMBLACK eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')
>tflags RCVD_IN_SEMBLACK net
>describe RCVD_IN_SEMBLACK Received from an IP listed by SEM-BLACK
>score RCVD_IN_SEMBLACK 0.5
>
># SEM-FRESHZERO
>urirhssub SEM_FRESHZERO freshzero.spameatingmonkey.net. A 2
>body SEM_FRESHZERO eval:check_uridnsbl('SEM_FRESHZERO')
>describe SEM_FRESHZERO Contains a domain never seen before
>tflags SEM_FRESHZERO net
>score SEM_FRESHZERO 0.5
>
># SEM-FRESH
>urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
>body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
>describe SEM_FRESH Contains a domain registered less than 5 days ago
>tflags SEM_FRESH net
>score SEM_FRESH 0.5
>
># SEM-FRESH10
>urirhssub SEM_FRESH10 fresh10.spameatingmonkey.net. A 2
>body SEM_FRESH10 eval:check_uridnsbl('SEM_FRESH10')
>describe SEM_FRESH10 Contains a domain registered less than 10 days ago
>tflags SEM_FRESH10 net
>score SEM_FRESH10 0.5
>
># SEM-FRESH15
>urirhssub SEM_FRESH15 fresh15.spameatingmonkey.net. A 2
>body SEM_FRESH15 eval:check_uridnsbl('SEM_FRESH15')
>describe SEM_FRESH15 Contains a domain registered less than 15 days ago
>tflags SEM_FRESH15 net
>score SEM_FRESH15 0.5
>
># SEM-FRESH30
>urirhssub SEM_FRESH30 fresh30.spameatingmonkey.net. A 2
>body SEM_FRESH30 eval:check_uridnsbl('SEM_FRESH30')
>describe SEM_FRESH30 Contains a domain registered less than 30 days ago
>tflags SEM_FRESH30 net
>score SEM_FRESH30 0.5
>
># SEM-URI
>urirhssub SEM_URI uribl.spameatingmonkey.net. A 2
>body SEM_URI eval:check_uridnsbl('SEM_URI')
>describe SEM_URI Contains a URI listed by SEM-URI
>tflags SEM_URI net
>score SEM_URI 0.5
>
># SEM-URIRED
>urirhssub SEM_URIRED urired.spameatingmonkey.net. A 2
>body SEM_URIRED eval:check_uridnsbl('SEM_URIRED')
>describe SEM_URIRED Contains a URI listed by SEM-URIRED
>tflags SEM_URIRED net
>score SEM_URIRED 0.5
>
>
>
>Thanks!!
>
>
>On Wed, 10 May 2023, Peter Farrow via MailScanner wrote:
>
>>
>>Try these:
>>
>>https://spameatingmonkey.com/services
>>
>>SEM-FRESH etc for domains registered recently.
>>
>>On 10/05/2023 21:51, Tracy Greggs via MailScanner wrote:
>> I know this is a question for the SA users group but I wanted to throw it in here in the event anyone has any ideas or existing solutions.
>>So, here we go.
>>
>>We almost never get any phishing email from domains over 1 year old.
>>
>>We get a lot of phishing email from domains less than 1 year old.
>>
>>I would love to be able to have an accurate way of scoring up email from domains less than fill in the blank days old. In my case 380 days. This way we could review them for validity and release them if they are good.
>>
>>An accurate way of performing this check would save us quite a bit of grief.
>>
>>Ideas or solutions to this anyone?
>>
>>
>>--
>>Peter Farrow BEng(hons) BBC ETSI
>>Office: 01249 736180 |
>>Mobile: +44 (0) 7799605617
>>Email: MailScanner has detected a possible fraud attempt from "mail:peter.farrow at togethia.net" claiming to be peter.farrow at togethia.net
>>Website: www.togethia.it
>>
>>
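
The pipeline described in the last message (a daily creation-date/domain CSV, keep the last 45 days, write a file for rbldnsd), as an added example that is not the poster's own script. It assumes ISO `YYYY-MM-DD` dates in the first column and rbldnsd's `dnset` file syntax; the function names, the sample rows and the TXT string are constructed for illustration.

```python
import csv
import io
import re
from datetime import date, timedelta

# Strict LDH hostname check. rbldnsd treats lines starting with ':', '!',
# '$' or '#' specially, so a hostile feed row must never reach the file.
DOMAIN_RE = re.compile(
    r"^(?=.{4,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

# Constructed sample feed (not real data): creation date, domain name.
SAMPLE_FEED = """creation_date,domain
2023-10-18,Fresh-Example.test
2023-10-18,fresh-example.test.
2023-09-05,edge-case.example
2023-09-04,just-outside.example
2021-03-02,old-domain.example
2023-10-19,:127.0.0.2:injected
2023-11-01,future-date.example
"""


def recent_domains(csv_text, today, window_days=45):
    """Return sorted, de-duplicated domains created in the last window_days."""
    cutoff = today - timedelta(days=window_days)
    keep = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue
        try:
            created = date.fromisoformat(row[0].strip())  # assumed format
        except ValueError:
            continue  # header row or malformed date
        domain = row[1].strip().lower().rstrip(".")
        if cutoff <= created <= today and DOMAIN_RE.match(domain):
            keep.add(domain)
    return sorted(keep)


def render_dnset(domains, a_record="127.0.0.4", txt="Newly registered domain"):
    """Render a dnset body: default A/TXT line, then one exact-match name each."""
    return "\n".join([f":{a_record}:{txt}", *domains]) + "\n"


if __name__ == "__main__":
    print(render_dnset(recent_domains(SAMPLE_FEED, date(2023, 10, 20))), end="")
```

For SpamAssassin to consume such a zone, a `urirhssub` rule like the ones quoted in the thread would point at the local zone name, with a subtest that matches the A value the zone returns.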