[SOLVED] How to block some whitelisted in spamassassin
I'm having a problem blocking a spammer. The original sender is acgnyc.org. I have this sender listed in my blacklist_from, but it continues to make it through. The problem is that this message is forwarded from a domain that is white_listed, ohprs.org. It seems that the white_list takes precedence over the black_list.
I've also set "shortcircuit ALL_TRUSTED off" hoping that would help, but it does not (assuming plugin Mail::SpamAssassin::Plugin::Shortcircuit is loaded. How would I check that?)
"shortcircuit USER_IN_WHITELIST" is still "on".
Below is the header from the offending email.
Do I have any way of solving this? Is there a way of specifying blacklist-before-whitelist?
Code:
From hprsadmin@ohprs.org Wed Feb 17 10:10:32 2021
Authentication-Results: server.novatec-inc.com;
    dkim=pass (1024-bit key) header.d=acgnyc.org header.i=events@acgnyc.org header.b=oJensLuq
Authentication-Results: spf=pass (sender IP is 209.18.70.10)
    smtp.mailfrom=send.acgnyc.org; ohprs.org; dkim=pass (signature was verified)
    header.d=acgnyc.org;ohprs.org; dmarc=bestguesspass action=none
    header.from=acgnyc.org;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=rmagnet; d=acgnyc.org;
    h=Date:From:To:Subject:Reply-To:MIME-Version:Content-Type:Message-ID;
    i=events@acgnyc.org;
    bh=3k3VA9pz1N0uIrY6pbwBNb+ZpbcEql8asshfHtgFkJc=;
    b=oJensLuq5bJ1Gu39opXP7OPxljRqN7sH86KyKWIeyQm2c6RMB/9c6sU8mhplEhYyYkRN8i9/rjPP
    h3ruGVHMEKRxzeLNTsQcuyq7bpWUHRJNhjCbt7cN9fSqrYAp6a5x/+MvaCnmZ2ZMjX0Z6gQ919G6
    vC0HmsvnITZacpYz71s=
Date: Wed, 17 Feb 2021 10:07:51 -0500
From: "ACG New York" <events@acgnyc.org>
To: <mark@ohprs.org>
Subject: What past attendees have to say about ACG NY’s Annual Women of Leadership Summit
X-Spam-Status: No, score=-91.8 required=5.0 tests=BAYES_50,
    HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOCAL_HPRS_PORTAL,
    MIME_QP_LONG_LINE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
    USER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=no autolearn_force=no
    version=3.4.4-_revision__1.0__
X-Spam-Report:
    * -0.0 USER_IN_WELCOMELIST user is listed in 'welcomelist_from'
    * -100 USER_IN_WHITELIST DEPRECATED: See USER_IN_WELCOMELIST
Have you tried putting "blacklist_from *@acgnyc.org" in your /etc/spamassassin/local.cf at the end of the file?
The blacklist_from's are at the end of the file, but do you mean literally like the last line of the file? Would that matter? Or do you mean after all whitelist_from's?
Here's something I am trying: The whitelist_from simply adds -100 to the overall spam score. I've added this rule:
Code:
header LOCAL_HPRS_PORTAL From =~ /\@acgnyc\.org/i
score LOCAL_HPRS_PORTAL 150.0
describe LOCAL_HPRS_PORTAL Junk messages passed from hprsportal
which, as you can see, adds 150 to the overall score. Since this email generally ends up with -92 overall, the whitelisting plus the new rule should add up to +58-ish, well above the discard threshold.
I can honestly say that I don't know if putting it at the end of the file has any effect or not, but I have all the spammers that go through all other filters at the very end of /etc/spamassassin/local.cf and it has worked great for me.
Another possible solution is to add the acgnyc.org domain to the /etc/postfix/header_checks and run 'postmap /etc/postfix/header_checks' to block the emails before even reaching spamassassin.
While I have never been able to fully comprehend regular expressions (despite my 25+ years with Linux), the line would look something like (and please correct me if I am wrong): "/From:.*\@acgnyc.org>/ REJECT"
jdrosales: Thanks for your suggestions. I've never used /etc/postfix/header_checks and don't even have an /etc/postfix directory. I use sendmail, so perhaps postfix configs don't apply. In sendmail I can put that domain in /etc/mail/access.db, however the problem with that is the message is forwarded by a trusted domain, not directly from the spammer, so access.db doesn't catch it.
Nevertheless, the thing I tried with the Spamassassin score (setting to 150.0) did work! The overall score ended up being 52.6, which is well above my rejection threshold. The message was completely rejected (by spamass-milter) and never even arrived in my spam folder.
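Added example, not part of any post in this thread: a Python audit that reads the headers discussed above and flags stored messages where a USER_IN_WHITELIST or USER_IN_WELCOMELIST hit kept the score below `required` even though the From: domain is one the site wants blocked. `BLOCKED_FROM_DOMAINS` is an assumed mirror of the local blacklist_from entries; the `BEFORE` sample is abridged from the posted header and `AFTER` is constructed using the 52.6 score reported in the last post.

```python
import email
import re
from email.utils import parseaddr

BLOCKED_FROM_DOMAINS = {"acgnyc.org"}  # assumption: mirrors local blacklist_from
ALLOW_TESTS = {"USER_IN_WHITELIST", "USER_IN_WELCOMELIST"}
STATUS_RE = re.compile(r"score=(-?[\d.]+) required=(-?[\d.]+) tests=(.*?)(?= \w+=|$)")

def domain_of(addr):
    return addr.rpartition("@")[2].strip("<> ").lower()

def is_blocked(domain):
    # Match the domain itself or any subdomain (e.g. send.acgnyc.org).
    return any(domain == b or domain.endswith("." + b) for b in BLOCKED_FROM_DOMAINS)

def parse_spam_status(value):
    """Return (score, required, tests) from a possibly folded X-Spam-Status."""
    m = STATUS_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    tests = {t.strip() for t in m.group(3).split(",") if t.strip()}
    return float(m.group(1)), float(m.group(2)), tests

def audit(raw):
    msg = email.message_from_string(raw)
    # Envelope sender: mbox "From " line if present, else Return-Path.
    unixfrom = (msg.get_unixfrom() or "").split()
    envelope = unixfrom[1] if len(unixfrom) > 1 else parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    status = parse_spam_status(msg.get("X-Spam-Status", ""))
    score, required, tests = status or (None, None, set())
    # Masked: blocked From: domain, allowlist rule hit, and still scored as ham.
    masked = bool(status and is_blocked(from_dom)
                  and tests & ALLOW_TESTS and score < required)
    return {"envelope_domain": domain_of(envelope), "from_domain": from_dom,
            "score": score, "masked": masked}

# BEFORE is abridged from the posted header; AFTER is constructed (52.6 as reported).
BEFORE = (
    "From hprsadmin@ohprs.org Wed Feb 17 10:10:32 2021\n"
    'From: "ACG New York" <events@acgnyc.org>\n'
    "X-Spam-Status: No, score=-91.8 required=5.0 tests=BAYES_50,\n"
    "\tHEADER_FROM_DIFFERENT_DOMAINS,LOCAL_HPRS_PORTAL,\n"
    "\tUSER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=no\n"
    "\n"
)
AFTER = BEFORE.replace("No, score=-91.8", "Yes, score=52.6")

if __name__ == "__main__":
    for name, raw in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(raw))
```

Run over a mailbox, a `masked` result of True means the allowlist bonus still outweighs whatever penalty the blocked From: domain carries.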