spamassassin-users mailing list archives

From Benny Pedersen ...@junc.eu>
Subject Re: How to block mails from unknown ip addresses?
Date Sat, 24 Aug 2019 22:12:20 GMT
tbarth@txbweb.de wrote on 2019-08-24 20:27:
> Hello,
> 
> I would like to block mails from ip addresses that can't be found.
> There is a tricky spam series getting a low score. Currently I can
> block the mails just by scoring the tld.
> 
> I use the RelayCountry Plugin, but it doesn't work if the ip address is
> not available.
> 
> header          RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country codes)/
> describe        RELAYCOUNTRY_BAD Relayed through spam country at some point
> score           RELAYCOUNTRY_BAD 3.5

correct rule, but geoip is not working in your install

> 
> Here is some info from a header example
> 
> X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31 tests=[AM.WBL=7,
>         BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>         DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
>         FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392,
>         RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
>         T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
> 
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=strapdebut.pro;
>  h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type;
>  i=nonsense@strapdebut.pro;
>  bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=;
>  b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c
>    3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2
>    HOR8Zr3N45GuMa5iHdc=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=strapdebut.pro;
>  b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4
>    O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1
>    SmcUvgGYccNp65I07nQ=;
> From: " Carol Yates" <nonsense@strapdebut.pro>
> Date: Sat, 24 Aug 2019 12:48:11 -0500
> MIME-Version: 1.0
> Subject: ACs are going to be extinct after this discovery
> 
> 

if the dkim signed domain is the spamming domain, you could then make a 
header test for this as well

> 
> Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM
> {RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5]
> <nonsense@strapdebut.pro> -> <user@domain>, quarantine:
> N/spam-NHIkGYse9Osv.gz, Message-ID:
> <AEgV4bk4H7SMGwCQ-YWdX3QgmOiNNudsW-mbJ1Q4Rq4.ZZ_C59zJjs9VOfJ7Gwsl4g@strapdebut.pro>,
> mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms
> 

amavisd is missing your wan ips, so it thinks you are an open relay, so 
policy banks are incorrectly selected

> 
> # geoiplookup 45.141.151.5
> GeoIP Country Edition: IP Address not found
> GeoIP City Edition, Rev 1: IP u not found
> GeoIP ASNum Edition: IP Address not found

make sure geoip is installed correctly

> None of the mails is listed at hostkarma.junkemailfilter.com. I also
> use junkemailfilter to score spam.

unmaintained now
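
The header test on the DKIM signing domain suggested in the reply above, written out as SpamAssassin rules. This is an added example, not part of the original post or of the SpamAssassin rule set; the rule names LOCAL_DKIM_SPAM_DOMAIN and __LOCAL_DKIM_D_STRAPDEBUT are hypothetical, and the score is simply the 3.5 used for RELAYCOUNTRY_BAD in the quoted message.

```conf
# local.cf fragment (added example, hypothetical rule names)

# Sub-rule: some DKIM-Signature header carries d=strapdebut.pro.
# Header rules see the unfolded header value, and several headers of the
# same name are joined with newlines, hence the /m flag and the
# [;\s] guard so that "bh=" or the tail of a base64 value cannot match.
header   __LOCAL_DKIM_D_STRAPDEBUT  DKIM-Signature =~ /(?:^|[;\s])d\s*=\s*strapdebut\.pro\s*(?:;|$)/im

# A bare header match also fires on a signature that nobody verified,
# so anyone can put d=strapdebut.pro into a forged header. Require
# DKIM_VALID (already present in the quoted X-Spam-Status) before scoring.
# DKIM_VALID means at least one signature verified, not necessarily the
# one matched above, so keep the score moderate.
meta     LOCAL_DKIM_SPAM_DOMAIN     (__LOCAL_DKIM_D_STRAPDEBUT && DKIM_VALID)
describe LOCAL_DKIM_SPAM_DOMAIN     Valid DKIM signature and signer domain is locally listed
score    LOCAL_DKIM_SPAM_DOMAIN     3.5
```

Run `spamassassin --lint` after adding the rules to catch syntax errors before restarting amavisd.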
