Use this forum for discussions about SpamAssassin and anti-spam in general.
by RvdH » 2019-03-01 14:29
Useful SpamAssassin Plugins
The purpose of this topic is to share information on (custom) plugins that can be used with SpamAssassin and are used by forum members here.
DecodeShortURLs
This plugin looks for URLs shortened by a list of URL shortening services and, upon finding a matching URL, will connect to the shortening service, do an HTTP HEAD lookup and retrieve the Location header, which points to the actual shortened URL. It then adds this URL to the list of URIs extracted by SpamAssassin, which can then be accessed by other plug-ins, such as URIDNSBL.
https://github.com/smfreegard/DecodeShortURLs
HashBL (This is version 0.3, an improved version over the 0.1 version included in SA 3.4.2)
This plugin is used to lookup e-mail addresses on the msbl.org blacklists.
https://github.com/smfreegard/HashBL
Well, this is my contribution... what do others here use? Either default disabled plugins or custom plugins
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
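The lookup described for DecodeShortURLs above, as an added Python sketch (not the plugin's own Perl code and not part of the original post): one HEAD request per hop, the Location header collected, and the chain stopped at the first host that is not a known shortener. The hostnames `short.example` and `tiny.example`, the sample responses and all function names are constructed for this example.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def http_head(url, timeout=3):
    """Send one HEAD request without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, shorteners, head=http_head, max_hops=5):
    """Return the redirect chain, starting with the short URL itself."""
    chain = [url]
    for _ in range(max_hops):  # bound the work a single message can cause
        parts = urlsplit(chain[-1])
        # Only hosts on the shortener list are contacted; the landing page never is.
        if parts.scheme not in ("http", "https") or parts.hostname not in shorteners:
            break
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        target = urljoin(chain[-1], location)  # Location may be relative
        if target in chain:  # redirect loop
            break
        chain.append(target)
    return chain

# Constructed responses standing in for the shortening services (not real data).
SAMPLE = {
    "https://short.example/abc": (301, "https://tiny.example/x9"),
    "https://tiny.example/x9": (302, "https://landing.example/login?id=1"),
    "https://short.example/loop": (301, "/loop"),
}

def fake_head(url):
    return SAMPLE.get(url, (404, None))

def extra_uris(url):
    """URLs that would be added to the message's URI list for other rules to check."""
    return expand(url, {"short.example", "tiny.example"}, head=fake_head)[1:]
```

Every URL after the first in the chain is what a URIDNSBL-style check would then see in addition to the short link.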
by SorenR » 2019-03-01 17:27
Botnet looks for possible botnet sources of email by checking various DNS values that indicate things such as other ISP's clients or workstations, or misconfigured DNS settings that are more likely to happen with client or workstation addresses than servers.
https://github.com/eilandert/Botnet.pm
NOTE: HashBL is already part of SA 3.4.2 standard plugins. All you need to do is create the config HashBL.cf
loadplugin Mail::SpamAssassin::Plugin::HashBL
ifplugin Mail::SpamAssassin::Plugin::HashBL
header HASHBL_EMAIL eval:check_hashbl_emails('ebl.msbl.org')
describe HASHBL_EMAIL Message contains email address found on the EBL
score HASHBL_EMAIL 0.1
meta HASHBL_EMAIL_BLACK (0)
describe HASHBL_EMAIL_BLACK Message contains email address found on the EBL Black list
score HASHBL_EMAIL_BLACK 3.0
meta HASHBL_EMAIL_GREY (0)
describe HASHBL_EMAIL_GREY Message contains email address found on the EBL Grey list
score HASHBL_EMAIL_GREY 1.0
endif
Just about a week ago I copied the entire .\Mail directory with plugins and the works from 3.4.2 SOURCE to my 3.4.0 installation overwriting the old files. So far everything is still working
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
by RvdH » 2019-03-01 19:26
SorenR wrote: ↑2019-03-01 17:27
NOTE: HashBL is already part of SA 3.4.2 standard plugins. All you need to do is create the config HashBL.cf
Nah, it isn't...SA 3.4.2 uses 0.001 and the github link for HASHBL above is 0.003 that includes the splitting into BLACK/GREY rules
by RvdH » 2022-02-04 21:08
by RvdH » 2022-02-05 14:59
I installed that one yesterday, have not had a hit since... but its functionality looks very limited (with the given example rule(s))
by palinka » 2022-02-05 15:17
RvdH wrote: ↑2022-02-05 14:59
I installed that one yesterday, have not had a hit since... but its functionality looks very limited (with the given example rule(s))
That's why I was thinking about vbs.
by RvdH » 2022-02-05 15:23
Then it's smarter to make more SA rules; with all due respect, VBScript is fun but terribly slow compared to SA rules
by palinka » 2022-02-05 15:39
RvdH wrote: ↑2022-02-05 15:23
Then it's smarter to make more SA rules; with all due respect, VBScript is fun but terribly slow compared to SA rules
That requires more education on my part. A lot more.
by gotspatel » 2023-04-22 06:37
Phishtank rules downloader and parser to use in SpamAssassin
https://github.com/kawaiipantsu/spamassassin-rules
Script to download and refresh daily the 7 days rules in the SA folder, with logging, to be used from Task Scheduler. Very crude, but works.
for /F "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /VALUE 2^>NUL`) do if '.%%i.'=='.LocalDateTime.' Set ldt=%%j
Set inDate=%ldt:~6,2%-%ldt:~4,2%-%ldt:~0,4%
Set LogDate=%ldt:~0,4%-%ldt:~4,2%-%ldt:~6,2%
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
REM #### CONFIG START ####
REM ******* FILL OUT VARIABLES BELOW ***************************
Set DAYSLOGTOKEEP=3
Set SCRIPTdir="C:\Scripts\SpamAssassin\Phishtank rules"
Set Logpath="C:\Scripts\SpamAssassin\Phishtank rules\Logs"
Set DebugLog="C:\Scripts\SpamAssassin\Phishtank rules\Logs\Debug_%LogDate%.log"
Set SADir="C:\Program Files\JAM Software\SpamAssassin for Windows\etc\spamassassin"
Set SOURCE="C:\Scripts\SpamAssassin\Phishtank rules\phishtank-7days-rules"
Set Filename="phistank-*.cf"
REM **** FILL OUT VARIABLES ABOVE *******************************
REM #### CONFIG eof ####
:MAIN
echo [%timestamp% %inDate%] Starting Main Rule Downloader ************************************ >> %DebugLog%
php -f %SCRIPTdir%\update-phishtank-rules.php >> %DebugLog%
:: Wait till it finishes and exits
ping -n 5 127.0.0.1 > nul
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
echo [%timestamp% %inDate%] Main Rule Downloader Exited Done! ************************************ >> %DebugLog%
:RULE_CLEAN
echo. & echo [%timestamp% %inDate%] Starting SpamAssassin rule update ************************************ >> %DebugLog%
echo [%timestamp% %inDate%] Removing old Phishtank rules... ************************************ >> %DebugLog%
CD %SADir%
echo [%timestamp% %inDate%] Current Dir is ... %CD% ************************************ >> %DebugLog%
:DELETE_OLD
REM del /F/Q %Filename% >> %DebugLog%
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
echo [%timestamp% %inDate%] Deleting files matching '%Filename%' from '%SADir%'... >> %DebugLog%
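REM The working directory is already SADir (see CD above), so match and delete relative to it.
REM This avoids delayed expansion, which this script never enables, and the doubled quotes around the SADir and Filename values.
for /f "delims=" %%a in ('dir /b %Filename% 2^>nul') do (
echo Deleting "%%a" >> %DebugLog%
del /q /f "%%a" >> %DebugLog%
)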
echo [%timestamp% %inDate%] All files deleted. See '%DebugLog%' for details. >> %DebugLog%
:: Wait till it finishes and exits
ping 127.0.0.1 -n 5 > nul
CD %SCRIPTdir%
echo. & echo [%timestamp% %inDate%] Current Dir is ... %CD% ************************************ >> %DebugLog%
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
echo [%timestamp% %inDate%] Removed old Phishtank rules Done! ... ************************************ >> %DebugLog%
:RULE_COPY
echo. & echo [%timestamp% %inDate%] Copying updated phishtank rules from SOURCE to SADir ************************************ >> %DebugLog%
robocopy %SOURCE% %SADir% "*.cf" /v /tee /log+:%DebugLog%
goto ROBOerrorcheck
:ROBOerrorcheck
REM if errorlevel N is true for every exit code of N or higher, so compare the robocopy exit code exactly.
if %errorlevel% GEQ 16 echo ***FATAL ERROR*** >> %DebugLog%
if %errorlevel% EQU 15 echo OKCOPY + FAIL + MISMATCHES + XTRA >> %DebugLog%
if %errorlevel% EQU 14 echo FAIL + MISMATCHES + XTRA >> %DebugLog%
if %errorlevel% EQU 13 echo OKCOPY + FAIL + MISMATCHES >> %DebugLog%
if %errorlevel% EQU 12 echo FAIL + MISMATCHES >> %DebugLog%
if %errorlevel% EQU 11 echo OKCOPY + FAIL + XTRA >> %DebugLog%
if %errorlevel% EQU 10 echo FAIL + XTRA >> %DebugLog%
if %errorlevel% EQU 9 echo OKCOPY + FAIL >> %DebugLog%
if %errorlevel% EQU 8 echo FAIL >> %DebugLog%
if %errorlevel% EQU 7 echo OKCOPY + MISMATCHES + XTRA >> %DebugLog%
if %errorlevel% EQU 6 echo MISMATCHES + XTRA >> %DebugLog%
if %errorlevel% EQU 5 echo OKCOPY + MISMATCHES >> %DebugLog%
if %errorlevel% EQU 4 echo MISMATCHES >> %DebugLog%
if %errorlevel% EQU 3 echo OKCOPY + XTRA >> %DebugLog%
if %errorlevel% EQU 2 echo XTRA >> %DebugLog%
if %errorlevel% EQU 1 echo OKCOPY >> %DebugLog%
if %errorlevel% EQU 0 echo No Change >> %DebugLog%
echo [%timestamp% %inDate%] Rules Copy to SpamAssassin Directory Done! ************************************ >> %DebugLog%
:LOG_CLEAN
for /f "tokens=1-3 delims=:." %%a in ("%time%") do set timestamp=%%a:%%b:%%c & if "%%a" LSS "10" set timestamp=%%a:%%b:%%c
REM Clear down existing Log files over DAYSLOGTOKEEP
echo. & echo [%timestamp% %inDate%] Clearing old Log Files ************************************ >> %DebugLog%
forfiles.exe /s /p %Logpath% /m *.* /d -%DAYSLOGTOKEEP% /c "cmd /c echo [%timestamp% %inDate%] Deleting over %DAYSLOGTOKEEP% days old .... @path & del /q @path" >> %DebugLog%
echo [%timestamp% %inDate%] Clearing old Log Files Done! ************************************ >> %DebugLog%
:eof
echo. & echo [%timestamp% %inDate%] FINISH ********************************** >> %DebugLog%
:Finish
exit