
Thread: SpamAssassin Additional Rules :: Botnet Plugin

  1. #1

    SpamAssassin Additional Rules

    SpamAssassin :: Botnet Plugin - By John Rudd
    Botnet is a SpamAssassin plugin which attempts to identify whether or not a message was submitted via a botnet host. It does this by looking at its DNS characteristics.
    Last edited by uxbod; 07-05-2009 at 04:05 AM. Reason: Changed title so less specific

  2. #2


    If anybody else is getting hit by SPAM with a URL that contains spaces, here is a rule that was posted on the MailScanner mailing list. Seems to work a treat with no FPs.
    Code:
    # Rule to find URLs with spaces
    body            ASDM_OBF_URL           /www\.\s(.+?)\s[A-Za-z]{2,4}/i
    score           ASDM_OBF_URL           4.5
    describe        ASDM_OBF_URL           URLs with spaces
    Either add in /opt/zimbra/conf/salocal.cf.in and restart ZCS or create your own .cf under /opt/zimbra/conf/spamassassin.

  3. #3


    Thanks uxbod. Really helpful.

  4. #4


    Another decent RBL :-

    Spam DNS Lists - Computer Tyme Support Wiki

    Some statistics on how it performs against other RBLs :-

    Blacklists Compared

    and the rules in /opt/zimbra/conf/salocal.cf.in to use it (remember to restart ZCS to write the change out to salocal.cf) :-

    Code:
    header          __RCVD_IN_JMF         eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
    describe        __RCVD_IN_JMF         Sender listed in JunkEmailFilter
    tflags          __RCVD_IN_JMF         net
    
    header          RCVD_IN_JMF_WL        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
    describe        RCVD_IN_JMF_WL        Sender listed in JMF-WHITE
    tflags          RCVD_IN_JMF_WL        net nice
    score           RCVD_IN_JMF_WL        -1.5
    
    header          RCVD_IN_JMF_BL        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
    describe        RCVD_IN_JMF_BL        Sender listed in JMF-BLACK
    tflags          RCVD_IN_JMF_BL        net
    score           RCVD_IN_JMF_BL        1.5
    
    header          RCVD_IN_JMF_BR        eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
    describe        RCVD_IN_JMF_BR        Sender listed in JMF-BROWN
    tflags          RCVD_IN_JMF_BR        net
    score           RCVD_IN_JMF_BR        0.5
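How the check_rbl / check_rbl_sub pair above turns into scores, as an added Python illustration that is not the thread's or SpamAssassin's own code: it builds the reversed-octet query name under hostkarma.junkemailfilter.com and applies the three posted sub-rules to whatever A records come back. The resolver and its answers are constructed stand-ins (192.0.2.x documentation addresses), so it runs with no network access.

```python
import ipaddress

ZONE = "hostkarma.junkemailfilter.com."

# Sub-rule name and score for each return code, exactly as in the rules above.
JMF_SUBRULES = {
    "127.0.0.1": ("RCVD_IN_JMF_WL", -1.5),
    "127.0.0.2": ("RCVD_IN_JMF_BL", 1.5),
    "127.0.0.4": ("RCVD_IN_JMF_BR", 0.5),
}

def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def jmf_hits(last_external_ip, resolve):
    """Apply the posted sub-rules to the A records returned for one IP.

    'JMF-lastexternal' means SpamAssassin looks up only the last external
    relay in the Received chain. check_rbl_sub with a dotted quad is an exact
    match against each returned record, so several sub-rules can hit at once."""
    hits = []
    for rec in resolve(dnsbl_name(last_external_ip)):
        if rec in JMF_SUBRULES:
            hits.append(JMF_SUBRULES[rec])
    return hits

def jmf_score(last_external_ip, resolve):
    """Net contribution of the JMF rules to the message score."""
    return sum(score for _, score in jmf_hits(last_external_ip, resolve))

# Constructed stand-in for DNS (no network): query name -> A records.
# An empty answer stands for NXDOMAIN, i.e. the IP is not listed.
# 127.0.0.3 is a code the posted rules do not map, so it is ignored.
FAKE_DNS = {
    "1.2.0.192.hostkarma.junkemailfilter.com.": ["127.0.0.2"],
    "2.2.0.192.hostkarma.junkemailfilter.com.": ["127.0.0.1"],
    "3.2.0.192.hostkarma.junkemailfilter.com.": ["127.0.0.4", "127.0.0.3"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"):
        print(ip, dnsbl_name(ip), jmf_hits(ip, fake_resolve), jmf_score(ip, fake_resolve))
```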

  5. #5


    If you are being hit by obfuscation SPAM then these rules may help out.
    Code:
    ################################################################################
    # Obfuscation Rules
    ################################################################################
    body            ASDM_OBF_URL          /www\.\s(.+?)\s[A-Za-z]{2,4}/i
    describe        ASDM_OBF_URL          URLs with spaces
    score           ASDM_OBF_URL          2.0
    
    body            URI_OBFU_XX99_WS      /\bwww(?:\s\W?\s?|\W\s?)\w{1,15}\d{1,10}(?:\s\W?\s?|\W\s)(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    describe        URI_OBFU_XX99_WS      Space-obfuscated xxx999 URI
    score           URI_OBFU_XX99_WS      2.0
    
    body            __MED_BEG_SP          /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}\b/i
    body            __MED_BEG_PUNCT       /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}\b/i
    body            __MED_BEG_DOT         /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\b/i
    body            __MED_BEG_BOTH        /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
    body            __MED_END_SP          /\b[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    body            __MED_END_PUNCT       /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    body            __MED_END_DOT         /\b[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    body            __MED_END_BOTH        /\b[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    
    meta            AE_MED42              (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
    describe        AE_MED42              rule to catch still more spam obfuscation
    score           AE_MED42              2.0

  6. #6


    Updated AE_MED42 rule to 44
    Code:
    body            __MED_OB              /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{2,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
    body            __MED_NOT_OB          /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}\.(?:com|net|org)\b/i
    meta            AE_MED44              (__MED_OB && ! __MED_NOT_OB)
    describe        AE_MED44              Shorter rule to catch spam obfuscation
    score           AE_MED44              2.0
    Courtesy of Dan M from the SpamAssassin mailing list.

  7. #7


    Updated to 47 as the Spammers have changed the obfuscation.
    Code:
    body    __MED_OB        /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alnum:]]{2,10}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
    body    __MED_NOT_OB    /\bw{2,3}\.[[:alnum:]]{2,10}\.(?:com|net|org)\b/i
    meta    AE_MED47        (__MED_OB && ! __MED_NOT_OB)
    describe        AE_MED47        Shorter rule to catch spam obfuscation
    score   AE_MED47        4.0
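To see what the AE_MED47 meta rule in this post and the ASDM_OBF_URL rule from post #2 actually match, here is an added Python harness (not from the thread or from SpamAssassin) that re-implements the regexes and runs them over constructed sample bodies. It assumes hand-translated equivalents for the POSIX bracket classes, which Python's re module lacks, and it shows why the __MED_NOT_OB exclusion operates on the whole body rather than per URL.

```python
import re

# Python's re has no POSIX bracket classes; the three used by the rules are
# hand-translated: [[:punct:]] -> ASCII punctuation, [[:space:]] -> \s,
# [[:alnum:]] -> [A-Za-z0-9].
_PUNCT = r"!-/:-@\[-`{-~"
_PS = rf"[{_PUNCT}\s]"                                   # [[:punct:][:space:]]
_SEP = rf"(?:{_PS}{{1,5}}|{_PS}{{1,3}}dot{_PS}{{1,3}})"  # junk or " dot "
_TLD = r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)"               # c o m / n e t / o r g

RULES = {
    # post #2 / #5: a URL written as "www. something . tld"
    "ASDM_OBF_URL": re.compile(r"www\.\s(.+?)\s[A-Za-z]{2,4}", re.I),
    # post #7: the two sub-rules behind the AE_MED47 meta rule
    "__MED_OB": re.compile(
        rf"\bw{{2,3}}{_SEP}[A-Za-z0-9]{{2,10}}{_SEP}{_TLD}[{_PUNCT}]?\b", re.I),
    "__MED_NOT_OB": re.compile(
        r"\bw{2,3}\.[A-Za-z0-9]{2,10}\.(?:com|net|org)\b", re.I),
}

def rule_hits(body):
    """Names of the non-meta rules that match anywhere in the body.

    Body rules are evaluated once over the whole body, not per URL, so one
    plain 'www.x.com' anywhere is enough to set __MED_NOT_OB."""
    return {name for name, rx in RULES.items() if rx.search(body)}

def ae_med47(body):
    """Mirror of: meta AE_MED47 (__MED_OB && ! __MED_NOT_OB)"""
    hits = rule_hits(body)
    return "__MED_OB" in hits and "__MED_NOT_OB" not in hits

# Constructed sample bodies (not taken from the thread).
SAMPLES = {
    "plain":     "Our site is www.example123.com, see you there",
    "spaced":    "Buy now at www . pills247 . c o m today",
    "dot_word":  "Buy now at www dot pills247 dot com today",
    "asdm_only": "Go to www. pharma-deals . com for prices",
    "mixed":     "www.example123.com and www . pills247 . c o m",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, ae_med47(body), sorted(rule_hits(body)))
```

The "mixed" sample is the caveat: a spam body that also carries one well-formed www.x.com link slips past AE_MED47 entirely, because __MED_NOT_OB is a body-wide test.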

  8. #8


    I'm just starting to investigate how to tighten our Zimbra servers' spam settings. Are there instructions anywhere for installing something like this?

  9. #9


    Copy both files into /opt/zimbra/conf/spamassassin and ensure that the permissions and ownership are zimbra:zimbra 444. You can then modify BotNet.cf to your own scores.

  10. #10

    SpamAssassin Additional Rules :: RelayCountry

    Well, I thought I would post a quick how-to, which appears to work for both 5.0.18 and 6.0 RC1, to get the SA RelayCountry plugin going so you can score based on which country an email has been relayed through. So here goes :-

    1) You will need to install the Perl module IP::Country::Fast, which can either be done by grabbing it from your repo or using
    Code:
    perl -MCPAN -e 'install IP::Country::Fast'
    2) You will need to create a new amavis custom configuration file with the following content:
    Code:
    package Amavis::Custom;

    BEGIN {
        import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
        import Amavis::Util qw(do_log untaint safe_encode safe_decode);
        import Amavis::rfc2821_2822_Tools;
        import Amavis::Notify qw(build_mime_entity);
    }

    sub new {
        my($class,$conn,$msginfo) = @_;
        my($self) = bless {}, $class;
        $self; # returning an object activates further callbacks,
               # returning undef disables them
    }

    sub before_send {
        my($self,$conn,$msginfo) = @_;
        # only add the headers when every recipient is local
        my($all_local) = !grep { !$_->recip_is_local }
                              @{$msginfo->per_recip_data};
        if ($all_local) {
            my($hdr_edits) = $msginfo->header_edits;
            my($rly_country) = $msginfo->supplementary_info('RELAYCOUNTRY');
            $hdr_edits->add_header('X-Relay-Countries', $rly_country)
                if defined $rly_country && $rly_country ne '';

            my($languages) = $msginfo->supplementary_info('LANGUAGES');
            $hdr_edits->add_header('X-Spam-Languages', $languages)
                if defined $languages && $languages ne '';
        }
    }
    1; # insure a defined return
    Write that into /opt/zimbra/conf/amavisd-custom.conf with the permissions zimbra:zimbra read only.

    3) Update /opt/zimbra/conf/amavisd.conf.in and add the following line at the end of the file
    Code:
    include_config_files('/opt/zimbra/conf/amavisd-custom.conf');
    This has to be before the line
    Code:
    1;  # insure a defined return
    4) Now enable the actual plugin by unhashing loadplugin Mail::SpamAssassin::Plugin::RelayCountry in /opt/zimbra/conf/spamassassin/init.pre

    5) Update /opt/zimbra/conf/spamassassin/salocal.cf and add the following
    Code:
    add_header all Relay-Country _RELAYCOUNTRY_
    6) Now restart amavis using
    Code:
    su - zimbra
    zmamavisdctl restart
    7) When your next few emails come in, check the headers as you should now see something like
    Code:
    X-Relay-Countries: US
    8) With this new header in place you can now create your own custom rules in /opt/zimbra/conf/spamassassin/local.cf, e.g.
    Code:
    header          RELAYCOUNTRY_CN X-Relay-Countries =~ /CN/
    describe        RELAYCOUNTRY_CN Relayed through China
    score           RELAYCOUNTRY_CN 0.5
    Good luck and I hope you find that useful.
    Last edited by uxbod; 08-01-2009 at 01:32 AM.
