Useful SA Plugins

Use this forum for discussions about SpamAssassin and anti-spam in general.
RvdH
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Useful SA Plugins

Post by RvdH » 2019-03-01 14:29

Useful SpamAssassin Plugins
The purpose of this topic is to share information on (custom) plugins that can be used with SpamAssassin and are used by forum members here.

DecodeShortURLs
This plugin looks for URLs shortened by a list of URL shortening services. Upon finding a matching URL, it connects to the shortening service, does an HTTP HEAD lookup and retrieves the Location header, which points to the actual shortened URL. It then adds this URL to the list of URIs extracted by SpamAssassin, which can then be accessed by other plug-ins, such as URIDNSBL.

Code:

https://github.com/smfreegard/DecodeShortURLs

HashBL (This is version 0.3, an improved version over the 0.1 version included in SA 3.4.2)
This plugin is used to lookup e-mail addresses on the msbl.org blacklists.

Code:

https://github.com/smfreegard/HashBL

Well, this is my contribution... What do others here use? Either default-disabled plugins or custom plugins.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
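The HEAD/Location lookup described for DecodeShortURLs above, as an added Python sketch (not the plugin's code and not part of the original post). The names `expand`, `http_head`, `fake_head`, the hop limit and the sample hosts are assumptions made for the illustration; the sample responses are constructed so it runs without network access.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def http_head(url, timeout=5):
    """Send one HEAD request; return (status, Location header). No body is fetched."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, shorteners, head=http_head, max_hops=5):
    """Collect the URIs behind a short URL; only listed shorteners are contacted."""
    found, seen = [], {url}
    for _ in range(max_hops):              # bound chained shorteners
        host = (urlsplit(url).hostname or "").lower()
        if host not in shorteners:         # never probe the landing site itself
            break
        status, location = head(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)       # Location may be relative
        if url in seen:                    # redirect loop
            break
        seen.add(url)
        found.append(url)                  # would be handed to the URI checks
    return found

# Constructed responses standing in for two shortening services.
SAMPLE = {
    "http://sho.rt.example/abc": (301, "https://tiny.example/x9"),
    "https://tiny.example/x9": (302, "http://landing.example/login.php"),
    "http://sho.rt.example/loop": (301, "/loop"),
    "http://sho.rt.example/gone": (404, None),
}

def fake_head(url):
    return SAMPLE[url]

SHORTENERS = {"sho.rt.example", "tiny.example"}
```

Calling `expand(url, SHORTENERS)` without `head=fake_head` uses the real `http_head`; every URI returned, including intermediate hops, is a candidate for blocklist lookups.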

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: Useful SA Plugins

Post by SorenR » 2019-03-01 17:27

Botnet looks for possible botnet sources of email by checking various DNS values that indicate things such as other ISP's clients or workstations, or misconfigured DNS settings that are more likely to happen with client or workstation addresses than servers.

Code:

https://github.com/eilandert/Botnet.pm

NOTE: HashBL is already part of SA 3.4.2 standard plugins. All you need to do is create the config HashBL.cf

Code:

loadplugin Mail::SpamAssassin::Plugin::HashBL

ifplugin Mail::SpamAssassin::Plugin::HashBL
    header   HASHBL_EMAIL	eval:check_hashbl_emails('ebl.msbl.org')
    describe HASHBL_EMAIL	Message contains email address found on the EBL
    score    HASHBL_EMAIL	0.1

    meta     HASHBL_EMAIL_BLACK (0)
    describe HASHBL_EMAIL_BLACK Message contains email address found on the EBL Black list
    score    HASHBL_EMAIL_BLACK 3.0

    meta     HASHBL_EMAIL_GREY  (0)
    describe HASHBL_EMAIL_GREY  Message contains email address found on the EBL Grey list
    score    HASHBL_EMAIL_GREY  1.0
endif

Just about a week ago I copied the entire .\Mail directory with plugins and the works from 3.4.2 SOURCE to my 3.4.0 installation overwriting the old files. So far everything is still working :mrgreen:
SørenR.

RvdH
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Useful SA Plugins

Post by RvdH » 2019-03-01 19:26

> SorenR wrote:
> 2019-03-01 17:27
> NOTE: HashBL is already part of SA 3.4.2 standard plugins. All you need to do is create the config HashBL.cf

Nah, it isn't... SA 3.4.2 uses 0.001 and the github link for HASHBL above is 0.003 that includes the splitting into BLACK/GREY rules

RvdH
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Useful SA Plugins

Post by RvdH » 2022-02-04 21:08


palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Useful SA Plugins

Post by palinka » 2022-02-05 14:52

> RvdH wrote:
> 2022-02-04 21:08
> https://github.com/fmbla

Interesting. One of his plug-ins has to do with Levenshtein distance.

https://en.m.wikipedia.org/wiki/Levenshtein_distance

VB function here:

https://stackoverflow.com/questions/424 ... ba#4243652

Could be useful in determining spoofs and phishing.
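How Levenshtein distance can flag look-alike sender domains, as an added Python example (not code from the linked plugin, the linked VB function, or the post above). The function names, the length-scaled threshold and the protected-domain list are assumptions chosen for the illustration; the domains are constructed sample data.

```python
def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) using two rows of the DP table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def lookalikes(sender_domain, protected, max_dist=2):
    """Protected domains that sender_domain nearly, but not exactly, matches."""
    sender = sender_domain.lower().rstrip(".")
    hits = []
    for good in protected:
        d = levenshtein(sender, good.lower())
        # Short names collide easily, so allow fewer edits for them.
        limit = min(max_dist, max(1, len(good) // 6))
        if 0 < d <= limit:          # distance 0 is the genuine domain
            hits.append((good, d))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample data: domains an organisation wants to protect.
PROTECTED = ["webmail.example.org", "payments.example", "pay.example"]
```

Plain edit distance treats every character swap alike, so homoglyph substitutions outside ASCII and added subdomains need separate handling.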

RvdH
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Useful SA Plugins

Post by RvdH » 2022-02-05 14:59

> palinka wrote:
> 2022-02-05 14:52
> > RvdH wrote:
> > 2022-02-04 21:08
> > https://github.com/fmbla
>
> Interesting. One of his plug-ins has to do with Levenshtein distance.
>
> https://en.m.wikipedia.org/wiki/Levenshtein_distance
>
> VB function here:
>
> https://stackoverflow.com/questions/424 ... ba#4243652
>
> Could be useful in determining spoofs and phishing.

I installed that one yesterday, have not had a hit since... but its functionality looks very limited (with the given example rule(s))

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Useful SA Plugins

Post by palinka » 2022-02-05 15:17

> RvdH wrote:
> 2022-02-05 14:59
> > palinka wrote:
> > 2022-02-05 14:52
> > > RvdH wrote:
> > > 2022-02-04 21:08
> > > https://github.com/fmbla
> >
> > Interesting. One of his plug-ins has to do with Levenshtein distance.
> >
> > https://en.m.wikipedia.org/wiki/Levenshtein_distance
> >
> > VB function here:
> >
> > https://stackoverflow.com/questions/424 ... ba#4243652
> >
> > Could be useful in determining spoofs and phishing.
>
> I installed that one yesterday, have not had a hit since... but its functionality looks very limited (with the given example rule(s))

That's why I was thinking about vbs.

RvdH
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Useful SA Plugins

Post by RvdH » 2022-02-05 15:23

Then it's smarter to make more SA rules. With all due respect, VBScript is fun but terribly slow compared to SA rules

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: Useful SA Plugins

Post by palinka » 2022-02-05 15:39

> RvdH wrote:
> 2022-02-05 15:23
> Then it's smarter to make more SA rules. With all due respect, VBScript is fun but terribly slow compared to SA rules

That requires more education on my part. A lot more. :lol:

RvdH
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Useful SA Plugins

Post by RvdH » 2023-03-31 12:29

SpamAssassin plugin to check attachment details
https://github.com/mxguardian/Mail-Spam ... mentDetail
SpamAssassin plugin for parsing PDF attachments
https://github.com/mxguardian/Mail-Spam ... n-PDFInfo2
SpamAssassin plugin to analyze scripts embedded in HTML messages and attachments
https://github.com/mxguardian/Mail-Spam ... ScriptInfo

gotspatel
Senior user
Posts: 347
Joined: 2013-10-08 05:42
Location: INDIA

Re: Useful SA Plugins

Post by gotspatel » 2023-04-22 06:37

Phishtank rules downloader and parser to use in SPAMASSASSIN
https://github.com/kawaiipantsu/spamassassin-rules

Script to download and refresh daily 7 days rules in SA folder with logging, to be used from Task Scheduler. Very crude but works :lol:

Code:

for /F "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /VALUE 2^>NUL`) do if '.%%i.'=='.LocalDateTime.' Set ldt=%%j
Set inDate=%ldt:~6,2%-%ldt:~4,2%-%ldt:~0,4%
Set LogDate=%ldt:~0,4%-%ldt:~4,2%-%ldt:~6,2%

for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c

REM   #### CONFIG START ####
REM  *******  FILL OUT VARIABLES BELOW  ***************************

Set DAYSLOGTOKEEP=3
Set SCRIPTdir="C:\Scripts\SpamAssassin\Phishtank rules"
Set Logpath="C:\Scripts\SpamAssassin\Phishtank rules\Logs"
Set DebugLog="C:\Scripts\SpamAssassin\Phishtank rules\Logs\Debug_%LogDate%.log"
Set SADir="C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin"
Set SOURCE="C:\Scripts\SpamAssassin\Phishtank rules\phishtank-7days-rules"
Set Filename="phistank-*.cf"

REM  ****  FILL OUT VARIABLES ABOVE  *******************************
REM   #### CONFIG eof ####


:MAIN
echo [%timestamp% %inDate%] Starting Main Rule Downloader ************************************ >> %DebugLog%
php -f %SCRIPTdir%\update-phishtank-rules.php >> %DebugLog%

:: Wait till it finishes and exits
ping -n 5 127.0.0.1 > nul
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
echo [%timestamp% %inDate%] Main Rule Downloader Exited Done! ************************************ >> %DebugLog%

:RULE_CLEAN
echo. & echo [%timestamp% %inDate%] Starting SpamAssassin rule update ************************************ >> %DebugLog%
echo [%timestamp% %inDate%] Removing old Phishtank rules... ************************************ >> %DebugLog%

CD %SADir%
echo [%timestamp% %inDate%] Current Dir is ... %CD% ************************************ >> %DebugLog%

:DELETE_OLD
REM del /F/Q %Filename% >> %DebugLog%
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
echo [%timestamp% %inDate%] Deleting files matching '%Filename%' from '%SADir%'... >> %DebugLog%

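REM SADir and Filename are stored with their quotes, so strip them (%VAR:"=%)
REM before re-quoting the joined path. This also removes the need for !file!,
REM which only expands when delayed expansion is enabled.
for /f "delims=" %%a in ('dir /b "%SADir:"=%\%Filename:"=%" 2^>nul') do (
    echo Deleting "%SADir:"=%\%%a" >> %DebugLog%
    del /q /f "%SADir:"=%\%%a" >> %DebugLog%
)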

echo [%timestamp% %inDate%] All files deleted. See '%DebugLog%' for details. >> %DebugLog%

:: Wait till it finishes and exits
ping 127.0.0.1 -n 5 > nul

CD %SCRIPTdir%
echo. & echo [%timestamp% %inDate%] Current Dir is ... %CD% ************************************ >> %DebugLog%
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
echo [%timestamp% %inDate%] Removed old Phishtank rules Done! ... ************************************ >> %DebugLog%

:RULE_COPY
echo. & echo [%timestamp% %inDate%] Copying updated phishtank rules from SOURCE to SADir ************************************ >> %DebugLog%

robocopy %SOURCE% %SADir% "*.cf" /v /tee /log+:%DebugLog%
REM Save the robocopy exit code (a bit mask) before another command can change it
set RC=%errorlevel%
goto ROBOerrorcheck

:ROBOerrorcheck
REM "if errorlevel N" is true for N or higher and would log every line below
REM the real code, so compare the saved value exactly instead.
if %RC% GEQ 16 echo ***FATAL ERROR*** >> %DebugLog%
if %RC% EQU 15 echo OKCOPY + FAIL + MISMATCHES + XTRA >> %DebugLog%
if %RC% EQU 14 echo FAIL + MISMATCHES + XTRA >> %DebugLog%
if %RC% EQU 13 echo OKCOPY + FAIL + MISMATCHES >> %DebugLog%
if %RC% EQU 12 echo FAIL + MISMATCHES >> %DebugLog%
if %RC% EQU 11 echo OKCOPY + FAIL + XTRA >> %DebugLog%
if %RC% EQU 10 echo FAIL + XTRA >> %DebugLog%
if %RC% EQU 9 echo OKCOPY + FAIL >> %DebugLog%
if %RC% EQU 8 echo FAIL >> %DebugLog%
if %RC% EQU 7 echo OKCOPY + MISMATCHES + XTRA >> %DebugLog%
if %RC% EQU 6 echo MISMATCHES + XTRA >> %DebugLog%
if %RC% EQU 5 echo OKCOPY + MISMATCHES >> %DebugLog%
if %RC% EQU 4 echo MISMATCHES >> %DebugLog%
if %RC% EQU 3 echo OKCOPY + XTRA >> %DebugLog%
if %RC% EQU 2 echo XTRA >> %DebugLog%
if %RC% EQU 1 echo OKCOPY >> %DebugLog%
if %RC% EQU 0 echo No Change >> %DebugLog%
echo [%timestamp% %inDate%] Rules Copy to SpamAssassin Directory Done! ************************************ >> %DebugLog%

:LOG_CLEAN
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c

REM  Clear down existing Log files over DAYSLOGTOKEEP

echo. & echo [%timestamp% %inDate%] Clearing old Log Files ************************************ >> %DebugLog%
forfiles.exe /s /p %Logpath% /m *.* /d -%DAYSLOGTOKEEP% /c "cmd /c echo [%timestamp% %inDate%] Deleting over %DAYSLOGTOKEEP% days old .... @path & del /q @path" >> %DebugLog%
echo [%timestamp% %inDate%] Clearing old Log Files Done! ************************************ >> %DebugLog%

:eof
echo. & echo [%timestamp% %inDate%] FINISH ********************************** >> %DebugLog%

:Finish
exit

