LinuxQuestions.org
02-17-2021, 12:19 PM   #1
mfoley
Senior Member

Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,576

How to block some whitelisted in spamassassin


I'm having a problem blocking a spammer. The original sender is acgnyc.org. I have this sender listed in my blacklist_from, but it continues to make it through. The problem is that this message is forwarded from a domain that is white_listed, ohprs.org. It seems that the white_list takes precedence over the black_list.

I've also set "shortcircuit ALL_TRUSTED off" hoping that would help, but it does not (assuming plugin Mail::SpamAssassin::Plugin::Shortcircuit is loaded. How would I check that?)

"shortcircuit USER_IN_WHITELIST" is still "on".

Below is the header from the offending email.

Do I have any way of solving this? Is there a way of specifying blacklist-before-whitelist?

Code:
From hprsadmin@ohprs.org  Wed Feb 17 10:10:32 2021
Authentication-Results: server.novatec-inc.com;
        dkim=pass (1024-bit key) header.d=acgnyc.org header.i=events@acgnyc.org header.b=oJensLuq
Authentication-Results: spf=pass (sender IP is 209.18.70.10)
 smtp.mailfrom=send.acgnyc.org; ohprs.org; dkim=pass (signature was verified)
 header.d=acgnyc.org;ohprs.org; dmarc=bestguesspass action=none
 header.from=acgnyc.org;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=rmagnet; d=acgnyc.org;
 h=Date:From:To:Subject:Reply-To:MIME-Version:Content-Type:Message-ID;
 i=events@acgnyc.org;
 bh=3k3VA9pz1N0uIrY6pbwBNb+ZpbcEql8asshfHtgFkJc=;
 b=oJensLuq5bJ1Gu39opXP7OPxljRqN7sH86KyKWIeyQm2c6RMB/9c6sU8mhplEhYyYkRN8i9/rjPP
   h3ruGVHMEKRxzeLNTsQcuyq7bpWUHRJNhjCbt7cN9fSqrYAp6a5x/+MvaCnmZ2ZMjX0Z6gQ919G6
   vC0HmsvnITZacpYz71s=
Date: Wed, 17 Feb 2021 10:07:51 -0500
From: "ACG New York" <events@acgnyc.org>
To: <mark@ohprs.org>
Subject: What past attendees have to say about ACG NY’s Annual Women of Leadership Summit
X-Spam-Status: No, score=-91.8 required=5.0 tests=BAYES_50,
        HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOCAL_HPRS_PORTAL,
        MIME_QP_LONG_LINE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
        USER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=no autolearn_force=no
        version=3.4.4-_revision__1.0__
X-Spam-Report: 
        * -0.0 USER_IN_WELCOMELIST user is listed in 'welcomelist_from'
        * -100 USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
 
02-17-2021, 12:53 PM   #2
jdrosales
LQ Newbie

Registered: Feb 2020
Location: Virginia, USA
Distribution: Ubuntu, Debian
Posts: 21
Blog Entries: 1

Have you tried putting "blacklist_from *@acgnyc.org" in your /etc/spamassassin/local.cf at the end of the file?
 
02-18-2021, 02:48 PM   #3
mfoley
Senior Member

Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,576

Original Poster
Quote:
Originally Posted by jdrosales
Have you tried putting "blacklist_from *@acgnyc.org" in your /etc/spamassassin/local.cf at the end of the file?
The blacklist_from's are at the end of the file, but do you mean literally like the last line of the file? Would that matter? Or do you mean after all whitelist_from's?

Here's something I am trying: The whitelist_from simply adds -100 to the overall spam score. I've added this rule:
Code:
# Fires on any From: header containing @acgnyc.org (dot escaped so it matches literally)
header LOCAL_HPRS_PORTAL        From =~ /\@acgnyc\.org/i
score  LOCAL_HPRS_PORTAL        150.0
describe LOCAL_HPRS_PORTAL      Junk messages passed from hprsportal
which, as you can see, adds 150 to the overall score. Since this email generally ends up with -92 overall, the whitelisting plus the new rule should add up to +58-ish, well above the discard threshold.

Last edited by mfoley; 02-18-2021 at 02:50 PM.
 
02-18-2021, 03:06 PM   #4
jdrosales
LQ Newbie

Registered: Feb 2020
Location: Virginia, USA
Distribution: Ubuntu, Debian
Posts: 21
Blog Entries: 1

I can honestly say that I don't know if putting it at the end of the file has any effect or not, but I have all the spammers that go through all other filters at the very end of /etc/spamassassin/local.cf and it has worked great for me.

Another possible solution is to add the acgnyc.org domain to the /etc/postfix/header_checks and run 'postmap /etc/postfix/header_checks' to block the emails before even reaching spamassassin.

While I have never been able to fully comprehend regular expressions (despite my 25+ years with Linux) the line would look something like (and please correct me if I am wrong): "/From:.*\@acgnyc.org>/ REJECT"

Let us know how it went, would you?
 
02-22-2021, 11:54 AM   #5
mfoley
Senior Member

Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,576

Original Poster
jdrosales: Thanks for your suggestions. I've never used /etc/postfix/header_checks and don't even have an /etc/postfix directory. I use sendmail, so perhaps postfix configs don't apply. In sendmail I can put that domain in /etc/mail/access.db, however the problem with that is the message is forwarded by a trusted domain, not directly from the spammer, so access.db doesn't catch it.

Nevertheless, the thing I tried with the Spamassassin score (setting to 150.0) did work! The overall score ended up being 52.6, which is well above my rejection threshold. The message was completely rejected (by spamass-milter) and never even arrived in my spam folder.

So, problem solved! Thanks for playing!
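
Added example (editor's code, not posted by anyone in this thread): the score arithmetic from posts #3 and #5, applied to the X-Spam-Status header in post #1, to find messages that only stay under the threshold because of a welcomelist/whitelist hit. The sample message is constructed from that header, the -100 credit is the one shown in its X-Spam-Report, and the names `parse_spam_status`, `audit` and `LIST_CREDITS` are chosen here.

```python
import re
from email import message_from_string

# Constructed sample: the scoring headers of the message quoted in post #1.
SAMPLE = """\
From: "ACG New York" <events@acgnyc.org>
To: <mark@ohprs.org>
X-Spam-Status: No, score=-91.8 required=5.0 tests=BAYES_50,
        HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOCAL_HPRS_PORTAL,
        MIME_QP_LONG_LINE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
        USER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=no autolearn_force=no
        version=3.4.4

(body omitted)
"""

# Assumption: list credits as printed in the X-Spam-Report on this page.
LIST_CREDITS = {"USER_IN_WHITELIST": -100.0, "USER_IN_WELCOMELIST": 0.0}


def parse_spam_status(raw_message):
    """Return (score, required, [tests]) from X-Spam-Status, or None if absent."""
    status = message_from_string(raw_message).get("X-Spam-Status")
    if status is None:
        return None
    status = re.sub(r"^\s*(Yes|No),\s*", "", status)  # drop the verdict word
    status = re.sub(r",\s+", ",", status)             # rejoin the folded test list
    fields = dict(kv.split("=", 1) for kv in status.split() if "=" in kv)
    tests = fields.get("tests", "none")
    return (float(fields["score"]), float(fields["required"]),
            [] if tests == "none" else tests.split(","))


def audit(raw_message):
    """Recompute the score with the welcomelist/whitelist credit removed."""
    parsed = parse_spam_status(raw_message)
    if parsed is None:
        return None
    score, required, tests = parsed
    credit = sum(LIST_CREDITS.get(t, 0.0) for t in tests)
    unlisted = round(score - credit, 1)
    return {
        "score": score,
        "score_without_list": unlisted,
        # SpamAssassin flags a message when score >= required.
        "rescued_by_list": score < required <= unlisted,
        "from_mismatch": "HEADER_FROM_DIFFERENT_DOMAINS" in tests,
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run over a mailbox, messages with both `rescued_by_list` and `from_mismatch` set are the ones where a listed forwarder is carrying mail from some other From: domain past the threshold.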
 
02-22-2021, 12:21 PM   #6
jdrosales
LQ Newbie

Registered: Feb 2020
Location: Virginia, USA
Distribution: Ubuntu, Debian
Posts: 21
Blog Entries: 1

Good riddance my friend.

I am saving the way you solved this for future reference.
 
  



Tags
blacklist, spamassassin



All times are GMT -5.