LinuxQuestions.org

How to block some whitelisted in spamassassin (https://www.linuxquestions.org/questions/linux-server-73/how-to-block-some-whitelisted-in-spamassassin-4175690672/)

mfoley 02-17-2021 12:19 PM

How to block some whitelisted in spamassassin
 
I'm having a problem blocking a spammer. The original sender is acgnyc.org. I have this sender listed in my blacklist_from, but it continues to make it through. The problem is that this message is forwarded from a domain that is white_listed, ohprs.org. It seems that the white_list takes precedence over the black_list.

I've also set "shortcircuit ALL_TRUSTED off" hoping that would help, but it does not (assuming plugin Mail::SpamAssassin::Plugin::Shortcircuit is loaded. How would I check that?)

"shortcircuit USER_IN_WHITELIST" is still "on".

Below is the header from the offending email.

Do I have any way of solving this? Is there a way of specifying blacklist-before-whitelist?

Code:

From hprsadmin@ohprs.org  Wed Feb 17 10:10:32 2021
Authentication-Results: server.novatec-inc.com;
        dkim=pass (1024-bit key) header.d=acgnyc.org header.i=events@acgnyc.org header.b=oJensLuq
Authentication-Results: spf=pass (sender IP is 209.18.70.10)
 smtp.mailfrom=send.acgnyc.org; ohprs.org; dkim=pass (signature was verified)
 header.d=acgnyc.org;ohprs.org; dmarc=bestguesspass action=none
 header.from=acgnyc.org;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=rmagnet; d=acgnyc.org;
 h=Date:From:To:Subject:Reply-To:MIME-Version:Content-Type:Message-ID;
 i=events@acgnyc.org;
 bh=3k3VA9pz1N0uIrY6pbwBNb+ZpbcEql8asshfHtgFkJc=;
 b=oJensLuq5bJ1Gu39opXP7OPxljRqN7sH86KyKWIeyQm2c6RMB/9c6sU8mhplEhYyYkRN8i9/rjPP
  h3ruGVHMEKRxzeLNTsQcuyq7bpWUHRJNhjCbt7cN9fSqrYAp6a5x/+MvaCnmZ2ZMjX0Z6gQ919G6
  vC0HmsvnITZacpYz71s=
Date: Wed, 17 Feb 2021 10:07:51 -0500
From: "ACG New York" <events@acgnyc.org>
To: <mark@ohprs.org>
Subject: What past attendees have to say about ACG NY’s Annual Women of Leadership Summit
X-Spam-Status: No, score=-91.8 required=5.0 tests=BAYES_50,
        HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOCAL_HPRS_PORTAL,
        MIME_QP_LONG_LINE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
        USER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=no autolearn_force=no
        version=3.4.4-_revision__1.0__
X-Spam-Report:
        * -0.0 USER_IN_WELCOMELIST user is listed in 'welcomelist_from'
        * -100 USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST


jdrosales 02-17-2021 12:53 PM

Have you tried putting "blacklist_from *@acgnyc.org" in your /etc/spamassassin/local.cf at the end of the file?

mfoley 02-18-2021 02:48 PM

Quote:

Originally Posted by jdrosales (Post 6221399)
Have you tried putting "blacklist_from *@acgnyc.org" in your /etc/spamassassin/local.cf at the end of the file?

The blacklist_from's are at the end of the file, but do you mean literally like the last line of the file? Would that matter? Or do you mean after all whitelist_from's?

Here's something I am trying: The whitelist_from simply adds -100 to the overall spam score. I've added this rule:
Code:

header LOCAL_HPRS_PORTAL        From =~ /\@acgnyc.org/i
score  LOCAL_HPRS_PORTAL        150.0
describe LOCAL_HPRS_PORTAL      Junk messages passed from hprsportal

which, as you can see, adds 150 to the overall score. Since this email generally ends up with -92 overall, the whitelisting plus the new rule should add up to +58-ish, well above the discard threshold.

jdrosales 02-18-2021 03:06 PM

I can honestly say that I don't know if putting it at the end of the file has any effect or not, but I have all the spammers that go through all other filters at the very end of /etc/spamassassin/local.cf and it has worked great for me.

Another possible solution is to add the acgnyc.org domain to the /etc/postfix/header_checks and run 'postmap /etc/postfix/header_checks' to block the emails before even reaching spamassassin.

While I have never been able to fully comprehend regular expressions (despite my 25+ years with Linux) the line would look something like (and please correct me if I am wrong): "/From:.*\@acgnyc.org>/ REJECT"

Let us know how it went, would you?
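Added example, not code from either poster, from SpamAssassin or from Postfix: a small Python script that unfolds the message headers posted above, parses X-Spam-Status and X-Spam-Report to show which allowlist rules fired and how many points they subtract, computes the what-if total after giving LOCAL_HPRS_PORTAL the 150.0 score from mfoley's rule, and emulates one Postfix header_checks line of the form jdrosales suggested against the same headers. The sample header text is the thread's own excerpt; the assumption that LOCAL_HPRS_PORTAL scored 0.0 before the change is mine (the posted report does not show its old score), and header_checks_match is an approximation of Postfix's matching, not Postfix itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input, pasted from the headers posted in the thread (constructed excerpt;
# the X-Spam-Report shows only the two lines the post included).
SAMPLE_HEADERS = """\
From: "ACG New York" <events@acgnyc.org>
To: <mark@ohprs.org>
X-Spam-Status: No, score=-91.8 required=5.0 tests=BAYES_50,
        HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOCAL_HPRS_PORTAL,
        MIME_QP_LONG_LINE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
        USER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=no autolearn_force=no
        version=3.4.4-_revision__1.0__
X-Spam-Report:
        * -0.0 USER_IN_WELCOMELIST user is listed in 'welcomelist_from'
        * -100 USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
"""

# Allowlist rules as they appear in the posted header (3.4.4 emits both the old
# and the new name for the same hit).
ALLOWLIST_RULES = {"USER_IN_WHITELIST", "USER_IN_WELCOMELIST"}


def unfold_headers(raw: str) -> Dict[str, str]:
    """Join RFC 5322 continuation lines onto their header; last duplicate wins."""
    headers: Dict[str, str] = {}
    name: Optional[str] = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            headers[name] = (headers[name] + " " + line.strip()).strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip()
            headers[name] = value.strip()
    return headers


def parse_spam_status(value: str) -> Tuple[bool, float, float, List[str]]:
    """Return (is_spam, score, required, tests) from an unfolded X-Spam-Status value."""
    is_spam = value.split(",", 1)[0].strip().lower() == "yes"
    score = float(re.search(r"\bscore=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", value).group(1))
    m = re.search(r"\btests=(.*?)(?:\s+autolearn=|$)", value)
    tests = [t.strip() for t in m.group(1).split(",") if t.strip()] if m else []
    return is_spam, score, required, tests


def parse_spam_report(value: str) -> Dict[str, float]:
    """Map rule name -> points from the '* <points> <RULE> ...' lines of X-Spam-Report."""
    return {rule: float(pts) for pts, rule in re.findall(r"\*\s+(-?[\d.]+)\s+([A-Z0-9_]+)", value)}


def analyze(raw: str, local_rule: str, new_score: float, old_score: float = 0.0) -> dict:
    """Explain the verdict and compute the what-if total after rescoring local_rule.

    old_score is an assumption: the posted report excerpt does not show what
    LOCAL_HPRS_PORTAL scored before it was set to 150.0.
    """
    h = unfold_headers(raw)
    is_spam, score, required, tests = parse_spam_status(h["X-Spam-Status"])
    report = parse_spam_report(h.get("X-Spam-Report", ""))
    allow_hits = {t: report.get(t) for t in tests if t in ALLOWLIST_RULES}
    new_total = round(score - old_score + new_score, 1)
    return {
        "from": h.get("From", ""),
        "score": score,
        "required": required,
        "is_spam": is_spam,
        "tests": tests,
        "allowlist_hits": allow_hits,
        "allowlist_offset": sum(v for v in allow_hits.values() if v is not None),
        "local_rule_fired": local_rule in tests,
        "new_total": new_total,
        "new_is_spam": new_total >= required,
    }


def header_checks_match(rule_line: str, raw: str) -> Optional[str]:
    """Emulate one Postfix header_checks line ('/regex/ ACTION') against unfolded headers.

    Approximation of Postfix: patterns are unanchored and case-insensitive, and are
    applied to each logical (unfolded) 'Name: value' header line.
    """
    m = re.fullmatch(r"\s*/(.*)/\s+(\S+).*", rule_line)
    if not m:
        raise ValueError(f"not a header_checks line: {rule_line!r}")
    pattern = re.compile(m.group(1), re.IGNORECASE)
    for name, value in unfold_headers(raw).items():
        if pattern.search(f"{name}: {value}"):
            return m.group(2).upper()
    return None


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS, "LOCAL_HPRS_PORTAL", new_score=150.0)
    for key, val in result.items():
        print(f"{key}: {val}")
    print("header_checks:", header_checks_match(r"/From:.*\@acgnyc.org>/ REJECT", SAMPLE_HEADERS))
```

On the posted header the script reports that USER_IN_WHITELIST alone subtracts 100 points, that LOCAL_HPRS_PORTAL already appears in the tests list, and that raising that rule to 150.0 turns the -91.8 total into 58.2, above the required 5.0. Because whitelist_from is just a large negative score rather than a bypass, a local rule with a larger positive score is what flips the verdict; the header_checks emulation shows the Postfix-side alternative matching the From line, which mfoley notes does not apply to a sendmail setup.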

mfoley 02-22-2021 11:54 AM

jdrosales: Thanks for your suggestions. I've never used /etc/postfix/header_checks and don't even have an /etc/postfix directory. I use sendmail, so perhaps postfix configs don't apply. In sendmail I can put that domain in /etc/mail/access.db, however the problem with that is the message is forwarded by a trusted domain, not directly from the spammer, so access.db doesn't catch it.

Nevertheless, the thing I tried with the Spamassassin score (setting to 150.0) did work! The overall score ended up being 52.6, which is well above my rejection threshold. The message was completely rejected (by spamass-milter) and never even arrived in my spam folder.

So, problem solved! Thanks for playing!

jdrosales 02-22-2021 12:21 PM

Good riddance my friend.

I am saving the way you solved this for future reference. :)

