SpamAssassin :: Botnet Plugin - By John Rudd
Botnet is a SpamAssassin plugin which attempts to identify whether or not a message was submitted via a botnet host. It does this by looking at its DNS characteristics.
Last edited by uxbod; 07-05-2009 at 04:05 AM. Reason: Changed title so less specific
If anybody else is getting hit by SPAM with a URL that contains spaces, here is a rule that was posted on the MailScanner mailing list. Seems to work a treat with no FPs. Either add it in /opt/zimbra/conf/salocal.cf.in and restart ZCS or create your own .cf under /opt/zimbra/conf/spamassassin.
Code:
# Rule to find URLs with spaces
body ASDM_OBF_URL /www\.\s(.+?)\s[A-Za-z]{2,4}/i
score ASDM_OBF_URL 4.5
describe ASDM_OBF_URL URLs with spaces
Thanks ubox. Really helpful.
Another decent RBL :-
Spam DNS Lists - Computer Tyme Support Wiki
Some statistics on how it performs against other RBLs :-
Blacklists Compared
and the rules in /opt/zimbra/conf/salocal.cf.in to use it (remember to restart ZCS to write the change out to salocal.cf) :-
Code:
header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
tflags __RCVD_IN_JMF net
header RCVD_IN_JMF_WL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
describe RCVD_IN_JMF_WL Sender listed in JMF-WHITE
tflags RCVD_IN_JMF_WL net nice
score RCVD_IN_JMF_WL -1.5
header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
tflags RCVD_IN_JMF_BL net
score RCVD_IN_JMF_BL 1.5
header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
tflags RCVD_IN_JMF_BR net
score RCVD_IN_JMF_BR 0.5
If you are being hit by obfuscation SPAM then these rules may help out.
Code:
################################################################################
# Obfuscation Rules
################################################################################
body ASDM_OBF_URL /www\.\s(.+?)\s[A-Za-z]{2,4}/i
describe ASDM_OBF_URL URLs with spaces
score ASDM_OBF_URL 2.0
body URI_OBFU_XX99_WS /\bwww(?:\s\W?\s?|\W\s?)\w{1,15}\d{1,10}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe URI_OBFU_XX99_WS Space-obfuscated xxx999 URI
score URI_OBFU_XX99_WS 2.0
body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
body __MED_END_SP /\b[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_PUNCT /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_DOT /\b[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_END_BOTH /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
describe AE_MED42 rule to catch still more spam obfuscation
score AE_MED42 2.0
Updated AE_MED42 rule to 44. Courtesy of Dan M from the SpamAssassin mailing list.
Code:
body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
meta AE_MED44 (__MED_OB && ! __MED_NOT_OB)
describe AE_MED44 Shorter rule to catch spam obfuscation
score AE_MED44 2.0
Updated to 47 as the spammers have changed the obfuscation.
Code:
body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alnum:]]{2,10}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alnum:]]{2,10}\.(?:com|net|org)\b/i
meta AE_MED47 (__MED_OB && ! __MED_NOT_OB)
describe AE_MED47 Shorter rule to catch spam obfuscation
score AE_MED47 4.0
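As an added example that is not part of the thread, here is the AE_MED47 logic above run against constructed message bodies in Ruby; its Onigmo regex engine accepts the same POSIX bracket classes and \s/\b escapes as Perl, so the two sub-rule patterns are copied unchanged and only the meta-rule combination and the sample bodies are mine.

```ruby
# Added example (not from the thread): evaluates the AE_MED47 meta rule
#   meta AE_MED47 (__MED_OB && ! __MED_NOT_OB)   score 4.0
# against constructed bodies. The two regexes are copied verbatim from the
# post above; Ruby's Onigmo engine understands [[:punct:]] etc. like Perl.

MED_OB = /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alnum:]]{2,10}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
MED_NOT_OB = /\bw{2,3}\.[[:alnum:]]{2,10}\.(?:com|net|org)\b/i
AE_MED47_SCORE = 4.0

# Score contribution of AE_MED47 for one message body. The meta rule fires
# only when an obfuscated form is present AND no plainly written
# www.host.tld appears anywhere in the body (that is what __MED_NOT_OB is for).
def ae_med47_score(body)
  hit = MED_OB.match?(body) && !MED_NOT_OB.match?(body)
  hit ? AE_MED47_SCORE : 0.0
end

# Constructed sample bodies (not real mail) with the expected rule result.
SAMPLES = {
  "Buy cheap meds at www . pills4u . com today"     => 4.0, # spaced-out dots
  "visit www dot meds99 dot net now"                 => 4.0, # 'dot' spelled out
  "www-pillz4u-c o m"                                => 4.0, # split TLD letters
  "see www.example.com for details"                  => 0.0, # plain URL, excluded
  "no url here at all"                               => 0.0,
  # One plain URL anywhere suppresses the hit, even beside an obfuscated one:
  "www.zimbra.com says: buy at www . pills4u . com"  => 0.0,
}

# Returns [body, score] pairs for every sample body.
def score_samples
  SAMPLES.keys.map { |b| [b, ae_med47_score(b)] }
end

if __FILE__ == $0
  score_samples.each { |body, score| printf("%-50s AE_MED47=%.1f\n", body, score) }
end
```

The last sample shows the rule's blind spot: because __MED_NOT_OB matches anywhere in the body, a message that also carries one normally written URL scores zero, so the rule is best combined with others rather than relied on alone.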
Copy both files into /opt/zimbra/conf/spamassassin and ensure that the permissions and ownership are zimbra:zimbra 444. You can then modify BotNet.cf to your own scores.
Well, thought I would post a quick how-to, which appears to work for both 5.0.18 and 6.0 RC1, to get the SA RelayCountry plug-in going so you can score based on which country an email has been relayed through. So here goes :-
1) You will need to install the Perl module IP::Country::Fast, which can either be done by grabbing it from your repo or using
Code:
perl -MCPAN -e 'install IP::Country::Fast'

2) You will need to create a new amavis custom configuration file with the following content and write that into /opt/zimbra/conf/amavisd-custom.conf with the permissions zimbra:zimbra read only.
Code:
package Amavis::Custom;
BEGIN {
  import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
  import Amavis::Util qw(do_log untaint safe_encode safe_decode);
  import Amavis::rfc2821_2822_Tools;
  import Amavis::Notify qw(build_mime_entity);
}

sub new {
  my($class,$conn,$msginfo) = @_;
  my($self) = bless {}, $class;
  $self;  # returning an object activates further callbacks,
          # returning undef disables them
}

sub before_send {
  my($self,$conn,$msginfo) = @_;
  my($all_local) = !grep { !$_->recip_is_local } @{$msginfo->per_recip_data};
  if ($all_local) {
    my($hdr_edits) = $msginfo->header_edits;
    my($rly_country) = $msginfo->supplementary_info('RELAYCOUNTRY');
    $hdr_edits->add_header('X-Relay-Countries', $rly_country)
      if defined $rly_country && $rly_country ne '';
    my($languages) = $msginfo->supplementary_info('LANGUAGES');
    $hdr_edits->add_header('X-Spam-Languages', $languages)
      if defined $languages && $languages ne '';
  }
}
1;  # insure a defined return

3) Update /opt/zimbra/conf/amavisd.conf.in and add the following line at the end of the file
Code:
include_config_files('/opt/zimbra/conf/amavisd-custom.conf');
this has to be before the line
Code:
1; # insure a defined return

4) Now enable the actual plugin by unhashing loadplugin Mail::SpamAssassin::Plugin::RelayCountry in /opt/zimbra/conf/spamassassin/init.pre

5) Update /opt/zimbra/conf/spamassassin/salocal.cf and add the following
Code:
add_header all Relay-Country _RELAYCOUNTRY_

6) Now restart amavis using
Code:
su - zimbra
zmamavisdctl restart

7) When your next few emails come in, check the headers as you should now see something like
Code:
X-Relay-Countries: US

8) With this new header in place you can now create your own custom rules in /opt/zimbra/conf/spamassassin/local.cf, eg.
Code:
header RELAYCOUNTRY_CN X-Relay-Countries =~ /CN/
describe RELAYCOUNTRY_CN Relayed through China
score RELAYCOUNTRY_CN 0.5

Good luck and I hope you find that useful.
Last edited by uxbod; 08-01-2009 at 01:32 AM.