
Thread: SpamAssassin Additional Rules :: Botnet Plugin

  1. #1 uxbod (Moderator)

    SpamAssassin Additional Rules

    SpamAssassin :: Botnet Plugin - By John Rudd
    Botnet is a spam assassin plugin which attempts to identify whether or not a message was submitted via a botnet host. It does this by looking at its DNS characteristics.
    Last edited by uxbod; 07-05-2009 at 04:05 AM. Reason: Changed title so less specific

  2. #2 uxbod (Moderator)

    If anybody else is getting hit by SPAM with a URL that contains spaces, here is a rule that was posted on the MailScanner mailing list. Seems to work a treat with no FPs.
    Code:
    # Rule to find URLs with spaces
    body            ASDM_OBF_URL           /www\.\s(.+?)\s[A-Za-z]{2,4}/i
    score           ASDM_OBF_URL           4.5
    describe        ASDM_OBF_URL           URLs with spaces
    Either add it to /opt/zimbra/conf/salocal.cf.in and restart ZCS, or create your own .cf under /opt/zimbra/conf/spamassassin.

  3. #3 veronica (Outstanding Member)

    Thanks uxbod, really helpful.

  4. #4 uxbod (Moderator)

    Another decent RBL :-

    Spam DNS Lists - Computer Tyme Support Wiki

    Some statistics on how it performs against other RBLs :-

    Blacklists Compared

    and the rules in /opt/zimbra/conf/salocal.cf.in to use it (remember to restart ZCS to write the change out to salocal.cf) :-

    Code:
    header          __RCVD_IN_JMF         eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
    describe        __RCVD_IN_JMF         Sender listed in JunkEmailFilter
    tflags          __RCVD_IN_JMF         net
    
    header          RCVD_IN_JMF_WL        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
    describe        RCVD_IN_JMF_WL        Sender listed in JMF-WHITE
    tflags          RCVD_IN_JMF_WL        net nice
    score           RCVD_IN_JMF_WL        -1.5
    
    header          RCVD_IN_JMF_BL        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
    describe        RCVD_IN_JMF_BL        Sender listed in JMF-BLACK
    tflags          RCVD_IN_JMF_BL        net
    score           RCVD_IN_JMF_BL        1.5
    
    header          RCVD_IN_JMF_BR        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
    describe        RCVD_IN_JMF_BR        Sender listed in JMF-BROWN
    tflags          RCVD_IN_JMF_BR        net
    score           RCVD_IN_JMF_BR        0.5
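
The rules above query the list once for the "last external" relay and then let three sub-rules key off the return code. The following Python is an added example (not code from this thread, from SpamAssassin or from Zimbra) that shows what that lookup does: it picks the last external relay from a Received chain, builds the reversed-octet DNSBL query name, and maps the 127.0.0.1/2/4 answers to the RCVD_IN_JMF_WL/BL/BR scores from the post. The trusted networks (10.0.0.0/8 and 192.0.2.0/28), the relay chains and the stub resolver are constructed so it runs offline; in SpamAssassin the trusted set comes from trusted_networks/internal_networks and the answers come from real DNS.

```python
import ipaddress

# Constructed stand-in for DNS: DNSBL query name -> A records returned.
# A real deployment resolves these over DNS; the stub keeps the example offline.
FAKE_DNS = {
    "9.113.0.203.hostkarma.junkemailfilter.com.": ["127.0.0.1"],    # listed white
    "77.100.51.198.hostkarma.junkemailfilter.com.": ["127.0.0.2"],  # listed black
    "200.2.0.192.hostkarma.junkemailfilter.com.": ["127.0.0.4"],    # listed brown
}

JMF_ZONE = "hostkarma.junkemailfilter.com."

# Assumed trusted_networks for this example: our own MTA and internal relays.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/28")]

# The check_rbl_sub rules from the post: DNSBL return code -> (rule, score).
JMF_SUBRULES = {
    "127.0.0.1": ("RCVD_IN_JMF_WL", -1.5),
    "127.0.0.2": ("RCVD_IN_JMF_BL", 1.5),
    "127.0.0.4": ("RCVD_IN_JMF_BR", 0.5),
}


def last_external_relay(relay_ips, trusted=TRUSTED_NETWORKS):
    """Return the relay that the '-lastexternal' set refers to, as a string.

    relay_ips is the Received chain in header order (most recent hop first).
    Walking outward from our own MTA, the first relay not in a trusted network
    is the host that handed the message to us.  Hops beyond it were written by
    the sender's side and may be forged, so they are not consulted.
    """
    for ip_str in relay_ips:
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in net for net in trusted):
            return str(ip)
    return None  # every hop was ours: nothing external to look up


def dnsbl_query_name(ip_str, zone=JMF_ZONE):
    """IPv4 DNSBL convention: reverse the octets and append the list zone."""
    return ".".join(reversed(ip_str.split("."))) + "." + zone


def check_rbl(ip_str, zone=JMF_ZONE, resolve=FAKE_DNS.get):
    """Set of A records the list returns for ip_str (empty set = not listed)."""
    return set(resolve(dnsbl_query_name(ip_str, zone)) or [])


def jmf_score(relay_ips, resolve=FAKE_DNS.get):
    """Evaluate the three RCVD_IN_JMF_* sub-rules for one message's relay chain.

    Returns {rule_name: score} for the sub-rules that fire.  One lookup serves
    all three, which is what the __RCVD_IN_JMF / check_rbl_sub split achieves:
    the list is queried once and each sub-rule keys off one return code.
    """
    ip = last_external_relay(relay_ips)
    if ip is None or ipaddress.ip_address(ip).version != 4:
        return {}  # this example only handles IPv4 lookups
    answers = check_rbl(ip, JMF_ZONE, resolve)
    return {name: score for code, (name, score) in JMF_SUBRULES.items()
            if code in answers}


if __name__ == "__main__":
    # Constructed relay chains (documentation address ranges).  The first one
    # carries an extra inner hop (172.16.0.9) that lastexternal ignores.
    chains = {
        "black-listed sender": ["10.0.0.5", "192.0.2.3", "198.51.100.77", "172.16.0.9"],
        "white-listed sender": ["10.0.0.5", "203.0.113.9"],
        "brown-listed sender": ["10.0.0.5", "192.0.2.200"],
        "unlisted sender":     ["10.0.0.5", "203.0.113.55"],
    }
    for label, chain in chains.items():
        print(f"{label:20s} lastexternal={last_external_relay(chain)} -> {jmf_score(chain)}")
```

The point to take from the trusted-network handling: if trusted_networks is too narrow, the "last external" becomes one of your own relays and the lookups are wasted; if it is too wide, the lookup is done against a hop the sender controls, which is trivially forged.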

  5. #5 uxbod (Moderator)

    If you are being hit by obfuscation SPAM then these rules may help out.
    Code:
    ################################################################################
    # Obfuscation Rules
    ################################################################################
    body            ASDM_OBF_URL          /www\.\s(.+?)\s[A-Za-z]{2,4}/i
    describe        ASDM_OBF_URL          URLs with spaces
    score           ASDM_OBF_URL          2.0
    
    body            URI_OBFU_XX99_WS      /\bwww(?:\s\W?\s?|\W\s?)\w{1,15}\d{1,10}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    describe        URI_OBFU_XX99_WS      Space-obfuscated xxx999 URI
    score           URI_OBFU_XX99_WS      2.0
    
    body            __MED_BEG_SP          /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}\b/i
    body            __MED_BEG_PUNCT       /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}\b/i
    body            __MED_BEG_DOT         /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\b/i
    body            __MED_BEG_BOTH        /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
    body            __MED_END_SP          /\b[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    body            __MED_END_PUNCT       /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    body            __MED_END_DOT         /\b[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    body            __MED_END_BOTH        /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    
    meta            AE_MED42              (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
    describe        AE_MED42              rule to catch still more spam obfuscation
    score           AE_MED42              2.0

  6. #6 uxbod (Moderator)

    Updated AE_MED42 rule to 44
    Code:
    body            __MED_OB              /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    body            __MED_NOT_OB          /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
    meta            AE_MED44              (__MED_OB && ! __MED_NOT_OB)
    describe        AE_MED44              Shorter rule to catch spam obfuscation
    score           AE_MED44              2.0
    Courtesy of Dan M from the SpamAssassin mailing list.

  7. #7 uxbod (Moderator)

    Updated to 47 as the Spammers have changed the obfuscation.
    Code:
    body    __MED_OB        /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alnum:]]{2,10}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
    body    __MED_NOT_OB    /\bw{2,3}\.[[:alnum:]]{2,10}\.(?:com|net|org)\b/i
    meta    AE_MED47        (__MED_OB && ! __MED_NOT_OB)
    describe        AE_MED47        Shorter rule to catch spam obfuscation
    score   AE_MED47        4.0
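
Rules like ASDM_OBF_URL (post #2) and the __MED_OB / __MED_NOT_OB / AE_MED47 set above are easiest to judge by running them over sample body text before they go into salocal.cf. The Python below is an added example (not code from this thread or from SpamAssassin) that does that for the rule text as posted: it reads body/meta/score lines from a .cf fragment, translates the POSIX bracket classes ([:alpha:], [:alnum:], [:space:], [:punct:]) that Python's re module lacks, evaluates the meta expression with a small parser rather than eval(), and reports which scored rules fire. The four body lines it is run on are constructed; everything else is copied from the posts. Note in particular that __MED_OB alone matches a plain www.example.com, and it is the "&& ! __MED_NOT_OB" clause that keeps the legitimate URL from scoring.

```python
import re
import string

# Python's re has no POSIX bracket classes, so the [[:alpha:]]-style pieces of
# the SpamAssassin rules are translated before compiling.  ASCII punctuation is
# escaped so it can be dropped straight into a character class.
_PUNCT = re.escape(string.punctuation)
_POSIX = {"[:alpha:]": "a-zA-Z", "[:alnum:]": "a-zA-Z0-9",
          "[:space:]": r"\s", "[:punct:]": _PUNCT}

# Rules copied from posts #2 and #7 of the thread (describe lines omitted).
RULES_CF = r"""
body    ASDM_OBF_URL    /www\.\s(.+?)\s[A-Za-z]{2,4}/i
score   ASDM_OBF_URL    4.5

body    __MED_OB        /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alnum:]]{2,10}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
body    __MED_NOT_OB    /\bw{2,3}\.[[:alnum:]]{2,10}\.(?:com|net|org)\b/i
meta    AE_MED47        (__MED_OB && ! __MED_NOT_OB)
score   AE_MED47        4.0
"""


def sa_regex_to_python(rule_re):
    """Compile a SpamAssassin /.../flags body regex as a Python pattern."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", rule_re)
    if not m:
        raise ValueError(f"not a /.../ rule regex: {rule_re!r}")
    body, flags = m.groups()
    for posix, py in _POSIX.items():
        body = body.replace(posix, py)
    return re.compile(body, re.I if "i" in flags else 0)


def parse_rules(cf_text):
    """Read body/meta/score lines from a .cf fragment into one rules dict."""
    rules = {"body": {}, "meta": {}, "score": {}}
    for line in cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "body":
            rules["body"][name] = sa_regex_to_python(rest)
        elif kind == "meta":
            rules["meta"][name] = rest
        elif kind == "score":
            rules["score"][name] = float(rest)
    return rules


def eval_meta(expr, hits):
    """Evaluate a meta expression (&&, ||, !, parentheses) over rule hits.

    A small recursive-descent parser is used instead of eval() so that rule
    text is never executed as Python.  Sub-rules that did not fire are false.
    """
    toks = re.findall(r"\(|\)|&&|\|\||!|\w+", expr)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def peek():
        return toks[pos] if pos < len(toks) else None

    def factor():
        t = take()
        if t == "!":
            return not factor()
        if t == "(":
            v = or_expr()
            if take() != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            return v
        return hits.get(t, False)

    def and_expr():
        v = factor()
        while peek() == "&&":
            take()
            w = factor()
            v = v and w
        return v

    def or_expr():
        v = and_expr()
        while peek() == "||":
            take()
            w = and_expr()
            v = v or w
        return v

    return or_expr()


def scan(body_text, rules):
    """Return {rule: score} for every scored rule that fires on body_text."""
    hits = {name: bool(rx.search(body_text)) for name, rx in rules["body"].items()}
    for name, expr in rules["meta"].items():  # metas here reference body rules only
        hits[name] = eval_meta(expr, hits)
    return {name: s for name, s in rules["score"].items() if hits.get(name)}


RULES = parse_rules(RULES_CF)

if __name__ == "__main__":
    # Constructed body lines: two obfuscated URLs, one plain URL, one spaced URL.
    for text in ["Cheap meds at www . pills4u . com today", "www dot cheapmeds dot net",
                 "See www.example.com for details", "Order from www. pharma-deals . com now"]:
        print(f"{text!r:45} -> {scan(text, RULES)}")
```

The translation keeps the posted regexes intact apart from the bracket classes, so a rule that fires here will fire in SpamAssassin on the same text; the reverse is not guaranteed, because SpamAssassin runs body rules over rendered, whitespace-normalised text rather than the raw line.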

  8. #8 JpMaxMan (Active Member)

    I'm just starting to investigate how to tighten our Zimbra servers' spam settings. Are there instructions anywhere for installing something like this?

  9. #9 uxbod (Moderator)

    Copy both files into /opt/zimbra/conf/spamassassin and ensure that the permissions and ownership are zimbra:zimbra 444. You can then modify BotNet.cf to your own scores.

  10. #10 uxbod (Moderator)

    SpamAssassin Additional Rules :: RelayCountry

    Well, I thought I would post a quick how-to, which appears to work for both 5.0.18 and 6.0 RC1, to get the SA RelayCountry plug-in going so you can score based on which country an email has been relayed through. So here goes :-

    1) You will need to install the Perl module IP::Country::Fast, which can either be done by grabbing it from your repo or using
    Code:
    perl -MCPAN -e 'install IP::Country::Fast'
    2) You will need to create a new amavis custom configuration file with the following content
    Code:
    package Amavis::Custom;

    BEGIN {
        import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
        import Amavis::Util qw(do_log untaint safe_encode safe_decode);
        import Amavis::rfc2821_2822_Tools;
        import Amavis::Notify qw(build_mime_entity);
    }

    sub new {
        my($class,$conn,$msginfo) = @_;
        my($self) = bless {}, $class;
        $self; # returning an object activates further callbacks,
               # returning undef disables them
    }

    sub before_send {
        my($self,$conn,$msginfo) = @_;
        # true only when every recipient is local, so the headers are
        # added for inbound mail and never leak to outside recipients
        my($all_local) = !grep { !$_->recip_is_local }
                             @{$msginfo->per_recip_data};
        if ($all_local) {
            my($hdr_edits) = $msginfo->header_edits;
            my($rly_country) = $msginfo->supplementary_info('RELAYCOUNTRY');
            $hdr_edits->add_header('X-Relay-Countries', $rly_country)
                if defined $rly_country && $rly_country ne '';

            my($languages) = $msginfo->supplementary_info('LANGUAGES');
            $hdr_edits->add_header('X-Spam-Languages', $languages)
                if defined $languages && $languages ne '';
        }
    }
    1; # insure a defined return
    Write that into /opt/zimbra/conf/amavisd-custom.conf with the permissions zimbra:zimbra read only.

    3) Update /opt/zimbra/conf/amavisd.conf.in and add the following line at the end of the file
    Code:
    include_config_files('/opt/zimbra/conf/amavisd-custom.conf');
    This has to be before the line
    Code:
    1;  # insure a defined return
    4) Now enable the actual plugin by unhashing the loadplugin Mail::SpamAssassin::Plugin::RelayCountry line in /opt/zimbra/conf/spamassassin/init.pre

    5) Update /opt/zimbra/conf/spamassassin/salocal.cf and add the following
    Code:
    add_header all Relay-Country _RELAYCOUNTRY_
    6) Now restart amavis using
    Code:
    su - zimbra
    zmamavisdctl restart
    7) When your next few emails come in, check the headers as you should now see something like
    Code:
    X-Relay-Countries: US
    8) With this new header in place you can now create your own custom rules in /opt/zimbra/conf/spamassassin/local.cf, e.g.
    Code:
    header          RELAYCOUNTRY_CN X-Relay-Countries =~ /CN/
    describe        RELAYCOUNTRY_CN Relayed through China
    score           RELAYCOUNTRY_CN 0.5
    Good luck and I hope you find that useful.
    Last edited by uxbod; 08-01-2009 at 01:32 AM.
