Useful SA Plugins
Posted: 2019-03-01 14:29
by RvdH
Useful SpamAssassin Plugins
The purpose of this topic is to share information on (custom) plugins that can be used with SpamAssassin and are used by forum members here.
DecodeShortURLs
This plugin looks for URLs shortened by a list of URL shortening services. Upon finding a matching URL, it connects to the shortening service, does an HTTP HEAD lookup and retrieves the Location header, which points to the actual shortened URL. It then adds this URL to the list of URIs extracted by SpamAssassin, which can then be accessed by other plug-ins, such as URIDNSBL.
https://github.com/smfreegard/DecodeShortURLs
HashBL (This is version 0.3, an improved version over the 0.1 version included in SA 3.4.2)
This plugin is used to lookup e-mail addresses on the msbl.org blacklists.
https://github.com/smfreegard/HashBL
Well, this is my contribution... what do others here use? Either default disabled plugins or custom plugins.
Re: Useful SA Plugins
Posted: 2019-03-01 17:27
by SorenR
Botnet looks for possible botnet sources of email by checking various DNS values that indicate things such as other ISP's clients or workstations, or misconfigured DNS settings that are more likely to happen with client or workstation addresses than servers.
https://github.com/eilandert/Botnet.pm
NOTE: HashBL is already part of SA 3.4.2 standard plugins. All you need to do is create the config HashBL.cf
loadplugin Mail::SpamAssassin::Plugin::HashBL
ifplugin Mail::SpamAssassin::Plugin::HashBL
header HASHBL_EMAIL eval:check_hashbl_emails('ebl.msbl.org')
describe HASHBL_EMAIL Message contains email address found on the EBL
score HASHBL_EMAIL 0.1
meta HASHBL_EMAIL_BLACK (0)
describe HASHBL_EMAIL_BLACK Message contains email address found on the EBL Black list
score HASHBL_EMAIL_BLACK 3.0
meta HASHBL_EMAIL_GREY (0)
describe HASHBL_EMAIL_GREY Message contains email address found on the EBL Grey list
score HASHBL_EMAIL_GREY 1.0
endif
Just about a week ago I copied the entire .\Mail directory with plugins and the works from 3.4.2 SOURCE to my 3.4.0 installation, overwriting the old files. So far everything is still working.
Re: Useful SA Plugins
Posted: 2019-03-01 19:26
by RvdH
SorenR wrote: ↑2019-03-01 17:27
NOTE: HashBL is already part of SA 3.4.2 standard plugins. All you need to do is create the config HashBL.cf
Nah, it isn't... SA 3.4.2 uses 0.001 and the GitHub link for HASHBL above is 0.003, which includes the splitting into BLACK/GREY rules.
Re: Useful SA Plugins
Posted: 2022-02-04 21:08
by RvdH
Re: Useful SA Plugins
Posted: 2022-02-05 14:52
by palinka
Interesting. One of his plug-ins has to do with Levenshtein distance.
https://en.m.wikipedia.org/wiki/Levenshtein_distance
VB function here:
https://stackoverflow.com/questions/424 ... ba#4243652
Could be useful in determining spoofs and phishing.
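Added example, not part of the original post or of the plugin mentioned: one way to apply Levenshtein distance to spoof detection is to flag sender domains that are within a small edit distance of, but not equal to, a domain you want to protect. The domain list and the `max_dist` threshold are constructed assumptions.

```python
# Hypothetical domains you receive mail as (constructed for this example).
PROTECTED = ["example.com", "examplebank.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance by dynamic programming, keeping only two rows in memory."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalike_of(sender: str, protected=PROTECTED, max_dist=2):
    """Return (protected_domain, distance) when the sender's domain is close
    to, but not the same as, a protected domain; otherwise None."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    best = None
    for good in protected:
        if domain == good or domain.endswith("." + good):
            return None  # the real domain or one of its subdomains
        d = levenshtein(domain, good)
        if d <= max_dist and (best is None or d < best[1]):
            best = (good, d)
    return best

if __name__ == "__main__":
    # Constructed sender addresses.
    for s in ("billing@examp1e.com", "user@exampelbank.com",
              "user@mail.example.com", "user@unrelated.org"):
        print(s, "->", lookalike_of(s))
```

A swapped pair of letters costs two edits under plain Levenshtein distance, which is why the threshold here is 2 rather than 1.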
Re: Useful SA Plugins
Posted: 2022-02-05 14:59
by RvdH
I installed that one yesterday, have not had a hit since... but its functionality looks very limited (with the given example rule(s))
Re: Useful SA Plugins
Posted: 2022-02-05 15:17
by palinka
RvdH wrote: ↑2022-02-05 14:59
I installed that one yesterday, have not had a hit since... but its functionality looks very limited (with the given example rule(s))
That's why I was thinking about vbs.
Re: Useful SA Plugins
Posted: 2022-02-05 15:23
by RvdH
Then it's smarter to make more SA rules; with all due respect, VBScript is fun but terribly slow compared to SA rules.
Re: Useful SA Plugins
Posted: 2022-02-05 15:39
by palinka
RvdH wrote: ↑2022-02-05 15:23
Then it's smarter to make more SA rules; with all due respect, VBScript is fun but terribly slow compared to SA rules.
That requires more education on my part. A lot more.
Re: Useful SA Plugins
Posted: 2023-03-31 12:29
by RvdH
SpamAssassin plugin to check attachment details
https://github.com/mxguardian/Mail-Spam ... mentDetail
SpamAssassin plugin for parsing PDF attachments
https://github.com/mxguardian/Mail-Spam ... n-PDFInfo2
SpamAssassin plugin to analyze scripts embedded in HTML messages and attachments
https://github.com/mxguardian/Mail-Spam ... ScriptInfo
Re: Useful SA Plugins
Posted: 2023-04-22 06:37
by gotspatel
Phishtank rules downloader and parser to use in SpamAssassin
https://github.com/kawaiipantsu/spamassassin-rules
Script to download and refresh daily the 7 days rules in the SA folder, with logging, to be used from Task Scheduler. Very crude, but works.
for /F "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /VALUE 2^>NUL`) do if '.%%i.'=='.LocalDateTime.' Set ldt=%%j
Set inDate=%ldt:~6,2%-%ldt:~4,2%-%ldt:~0,4%
Set LogDate=%ldt:~0,4%-%ldt:~4,2%-%ldt:~6,2%
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
REM #### CONFIG START ####
REM ******* FILL OUT VARIABLES BELOW ***************************
Set DAYSLOGTOKEEP=3
Set SCRIPTdir="C:\Scripts\SpamAssassin\Phishtank rules"
Set Logpath="C:\Scripts\SpamAssassin\Phishtank rules\Logs"
Set DebugLog="C:\Scripts\SpamAssassin\Phishtank rules\Logs\Debug_%LogDate%.log"
Set SADir="C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin"
Set SOURCE="C:\Scripts\SpamAssassin\Phishtank rules\phishtank-7days-rules"
Set Filename="phistank-*.cf"
REM **** FILL OUT VARIABLES ABOVE *******************************
REM #### CONFIG eof ####
:MAIN
echo [%timestamp% %inDate%] Starting Main Rule Downloader ************************************ >> %DebugLog%
php -f %SCRIPTdir%\update-phishtank-rules.php >> %DebugLog%
:: Wait till it finishes and exits
ping -n 5 127.0.0.1 > nul
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
echo [%timestamp% %inDate%] Main Rule Downloader Exited Done! ************************************ >> %DebugLog%
:RULE_CLEAN
echo. & echo [%timestamp% %inDate%] Starting SpamAssassin rule update ************************************ >> %DebugLog%
echo [%timestamp% %inDate%] Removing old Phishtank rules... ************************************ >> %DebugLog%
CD %SADir%
echo [%timestamp% %inDate%] Current Dir is ... %CD% ************************************ >> %DebugLog%
:DELETE_OLD
REM del /F/Q %Filename% >> %DebugLog%
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
echo [%timestamp% %inDate%] Deleting files matching '%Filename%' from '%SADir%'... >> %DebugLog%
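REM SADir and Filename are stored with their quotes, so strip them before joining the path.
REM %%a is expanded at run time, so no delayed expansion (!var!) is needed in this loop.
for %%a in ("%SADir:"=%\%Filename:"=%") do (
echo Deleting "%%a" >> %DebugLog%
del /q /f "%%a" >> %DebugLog%
)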
echo [%timestamp% %inDate%] All files deleted. See '%DebugLog%' for details. >> %DebugLog%
:: Wait till it finishes and exits
ping 127.0.0.1 -n 5 > nul
CD %SCRIPTdir%
echo. & echo [%timestamp% %inDate%] Current Dir is ... %CD% ************************************ >> %DebugLog%
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
echo [%timestamp% %inDate%] Removed old Phishtank rules Done! ... ************************************ >> %DebugLog%
:RULE_COPY
echo. & echo [%timestamp% %inDate%] Copying updated phishtank rules from SOURCE to SADir ************************************ >> %DebugLog%
robocopy %SOURCE% %SADir% "*.cf" /v /tee /log+:%DebugLog%
goto ROBOerrorcheck
:ROBOerrorcheck
REM "if errorlevel N" is true for any exit code >= N, so leave the chain after the first match
if errorlevel 16 echo ***FATAL ERROR*** >> %DebugLog% & goto ROBOdone
if errorlevel 15 echo OKCOPY + FAIL + MISMATCHES + XTRA >> %DebugLog% & goto ROBOdone
if errorlevel 14 echo FAIL + MISMATCHES + XTRA >> %DebugLog% & goto ROBOdone
if errorlevel 13 echo OKCOPY + FAIL + MISMATCHES >> %DebugLog% & goto ROBOdone
if errorlevel 12 echo FAIL + MISMATCHES >> %DebugLog% & goto ROBOdone
if errorlevel 11 echo OKCOPY + FAIL + XTRA >> %DebugLog% & goto ROBOdone
if errorlevel 10 echo FAIL + XTRA >> %DebugLog% & goto ROBOdone
if errorlevel 9 echo OKCOPY + FAIL >> %DebugLog% & goto ROBOdone
if errorlevel 8 echo FAIL >> %DebugLog% & goto ROBOdone
if errorlevel 7 echo OKCOPY + MISMATCHES + XTRA >> %DebugLog% & goto ROBOdone
if errorlevel 6 echo MISMATCHES + XTRA >> %DebugLog% & goto ROBOdone
if errorlevel 5 echo OKCOPY + MISMATCHES >> %DebugLog% & goto ROBOdone
if errorlevel 4 echo MISMATCHES >> %DebugLog% & goto ROBOdone
if errorlevel 3 echo OKCOPY + XTRA >> %DebugLog% & goto ROBOdone
if errorlevel 2 echo XTRA >> %DebugLog% & goto ROBOdone
if errorlevel 1 echo OKCOPY >> %DebugLog% & goto ROBOdone
if errorlevel 0 echo No Change >> %DebugLog%
:ROBOdone
echo [%timestamp% %inDate%] Rules Copy to SpamAssassin Directory Done! ************************************ >> %DebugLog%
:LOG_CLEAN
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
REM Clear down existing Log files over DAYSLOGTOKEEP
echo. & echo [%timestamp% %inDate%] Clearing old Log Files ************************************ >> %DebugLog%
forfiles.exe /s /p %Logpath% /m *.* /d -%DAYSLOGTOKEEP% /c "cmd /c echo [%timestamp% %inDate%] Deleting over %DAYSLOGTOKEEP% days old .... @path & del /q @path" >> %DebugLog%
echo [%timestamp% %inDate%] Clearing old Log Files Done! ************************************ >> %DebugLog%
:eof
echo. & echo [%timestamp% %inDate%] FINISH ********************************** >> %DebugLog%
:Finish
exit
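Added example, not part of the original post or of the linked project: the script above copies downloaded `.cf` files straight into the SpamAssassin configuration directory, so a gate that inspects each file first is a natural extra step. The directive allowlist, the score cap and the rule-name pattern below are assumptions to adjust after inspecting a real file from the feed, and the sample rules are constructed.

```python
import re

# Assumptions (not from the post): the feed needs only these directives,
# and no single rule should score above this cap.
ALLOWED = {"uri", "describe", "score"}
MAX_SCORE = 5.0
RULE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # this gate's own naming policy

def check_rule_file(text, allowed=ALLOWED, max_score=MAX_SCORE):
    """Return [(line_no, reason), ...]; an empty list means the file passed."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0].lower() not in allowed:
            # e.g. loadplugin would pull Perl code into the scanner
            problems.append((no, "directive not allowed: " + parts[0]))
        elif len(parts) < 3 or not RULE_NAME.match(parts[1]):
            problems.append((no, "missing or malformed rule name/value"))
        elif parts[0].lower() == "score":
            try:
                scores = [float(v) for v in parts[2].split()]
            except ValueError:
                problems.append((no, "score is not numeric"))
                continue
            # "not <=" also rejects NaN, which compares false to everything
            if any(not abs(s) <= max_score for s in scores):
                problems.append((no, "score exceeds cap"))
    return problems

# Constructed sample input, not real Phishtank data.
GOOD = r"""# constructed sample
uri      PHISH_SAMPLE_1  /^https?:\/\/login\.example\.invalid\//i
describe PHISH_SAMPLE_1  Constructed phishing URL rule
score    PHISH_SAMPLE_1  3.0
"""
BAD = GOOD + "loadplugin Some::Plugin /tmp/x.pm\nscore PHISH_SAMPLE_1 100\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_rule_file(text) or "ok to copy")
```

Run it on the files in the download folder and copy only when the list is empty; `spamassassin --lint` remains the check for rule syntax itself.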