Discussion:
Advice on how to block via a mail domain in maillog
emailitis.com
2014-08-29 09:48:27 UTC
I have a lot of Spam getting into our mail servers where the common thread
is cloudapp

/root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3 qmail-scanner-queue.pl:
qmail-scanner[12013]: Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458
6225 ***@franking-expert.co.uk ***@domain.com Saving_by_Switching
<***@expert.cloudapp.net>
1409137091.12021-1.plesk3.hostname.co.uk:3019
1409137091.12021-0.plesk3.emailitis.co.uk:1263
orig-plesk3.hostname.co.uk140913709079712013:6225

And the hyperlinks in the emails are http://expert.cloudapp.net/.....

Please could you advise on how I can block by the information on the maillog
on that, or using a rule which checks the URL to include the above thread?

Many thanks in advance for any help,

Christoph
Kevin A. McGrail
2014-08-29 12:45:21 UTC
Post by emailitis.com
I have a lot of Spam getting into our mail servers where the common
thread is cloudapp
/root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3
Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225
1409137091.12021-1.plesk3.hostname.co.uk:3019
1409137091.12021-0.plesk3.emailitis.co.uk:1263
orig-plesk3.hostname.co.uk140913709079712013:6225
And the hyperlinks in the emails are http://expert.cloudapp.net/.....
Please could you advise on how I can block by the information on the
maillog on that, or using a rule which checks the URL to include the
above thread?
Many thanks in advance for any help,
Christoph
Christoph,

There is a new feature in trunk that I believe will help you easily
called URILocalBL.pm

See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060

Philip, your thoughts?

Regards,
KAM
Axb
2014-08-29 13:22:41 UTC
Post by Kevin A. McGrail
Post by emailitis.com
I have a lot of Spam getting into our mail servers where the common
thread is cloudapp
/root/weeklymail/Thumaillog:Aug 27 11:58:15 plesk3
Clear:RC:0(216.170.115.184):SA:0(0.9/4.0): 4.409458 6225
1409137091.12021-1.plesk3.hostname.co.uk:3019
1409137091.12021-0.plesk3.emailitis.co.uk:1263
orig-plesk3.hostname.co.uk140913709079712013:6225
And the hyperlinks in the emails are http://expert.cloudapp.net/.....
Please could you advise on how I can block by the information on the
maillog on that, or using a rule which checks the URL to include the
above thread?
Many thanks in advance for any help,
Christoph
Christoph,
There is a new feature in trunk that I believe will help you easily
called URILocalBL.pm
or with SA 3.4

blacklist_uri_host expert.cloudapp.net

or if you want it wider

blacklist_uri_host cloudapp.net

can't be easier than that.
Philip Prindeville
2014-08-29 18:43:52 UTC
Post by Kevin A. McGrail
I have a lot of Spam getting into our mail servers where the common thread is cloudapp
And the hyperlinks in the emails are http://expert.cloudapp.net/.....
Please could you advise on how I can block by the information on the maillog on that, or using a rule which checks the URL to include the above thread?
Many thanks in advance for any help,
Christoph
Christoph,
There is a new feature in trunk that I believe will help you easily called URILocalBL.pm
See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7060
Philip, your thoughts?
Regards,
KAM
That should do it.

There’s a configuration example in the bug, and POD documentation in the plugin, but in this particular case you’d do something like:

uri_block_cidr L_BLOCK_CLOUDAPP 191.237.208.246
body L_BLOCK_CLOUDAPP eval:check_uri_local_bl()
describe L_BLOCK_CLOUDAPP Block URI’s pointing to expert.cloudapp.net
score L_BLOCK_CLOUDAPP 5.0

You should be able to drop in the patch fairly easily.

-Philip
Karsten Bräckelmann
2014-08-29 19:34:24 UTC
Post by Philip Prindeville
Post by Kevin A. McGrail
Post by emailitis.com
I have a lot of Spam getting into our mail servers where the common
thread is cloudapp
You guys realize cloudapp.net is Microsoft Azure, don't you?
Post by Philip Prindeville
Post by Kevin A. McGrail
Post by emailitis.com
And the hyperlinks in the emails are http://expert.cloudapp.net/.....
Please could you advise on how I can block by the information on
the maillog on that, or using a rule which checks the URL to include
the above thread?
SA does not block.
Post by Philip Prindeville
Post by Kevin A. McGrail
There is a new feature in trunk that I believe will help you easily
called URILocalBL.pm
That should do it.
There’s a configuration example in the bug, and POD documentation in
uri_block_cidr L_BLOCK_CLOUDAPP 191.237.208.246
body L_BLOCK_CLOUDAPP eval:check_uri_local_bl()
That seems an overly complicated variant of a simple uri regex rule. And
it really depends on the IP to match a URI? And manually looking it up?

uri URI_EXPERT_CLOUDAPP m~^https?://expert\.cloudapp\.net(?:/|$)~
Post by Philip Prindeville
describe L_BLOCK_CLOUDAPP Block URI’s pointing to expert.cloudapp.net
score L_BLOCK_CLOUDAPP 5.0
SA does not block. *sigh*
--
char *t="\10pse\0r\0dtu\***@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
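To see what the uri regex rule above and Axb's blacklist_uri_host directive would actually fire on, here is an added Python check that is not part of the thread: it pulls URIs out of a constructed sample body shaped like the poster's mail, shows that a host pattern anchored with a bare $ matches only a URI with no path while (?:/|$) also catches the http://expert.cloudapp.net/... links, and shows how much a domain-level listing of cloudapp.net sweeps in. The URI extraction and the subdomain handling of blacklist_uri_host are approximations, assumed here rather than taken from SpamAssassin's code.

```python
import re

# Constructed sample body in the shape the original poster described
# (links under http://expert.cloudapp.net/...); not a real message.
SAMPLE_BODY = """Saving by switching, see
http://expert.cloudapp.net/offers/123
and also https://other.cloudapp.net/x
plus a legitimate http://example.org/ link."""

# Rough stand-in for how SA's uri tests see body URIs (assumption).
URI_RE = re.compile(r'https?://[^\s<>"\']+')

def extract_uris(body):
    """Return every http(s) URI found in the body text."""
    return URI_RE.findall(body)

def host_of(uri):
    """Lower-cased host part of a URI, or '' if there is none."""
    m = re.match(r'https?://([^/?#]+)', uri)
    return m.group(1).lower() if m else ''

# Host pattern anchored with a bare $: only a URI with no path matches.
RULE_BARE_HOST = re.compile(r'^https?://expert\.cloudapp\.net$')
# Same host, allowing a following path (or nothing): matches the real links.
RULE_WITH_PATH = re.compile(r'^https?://expert\.cloudapp\.net(?:/|$)', re.I)

def uri_rule_hits(body, pattern):
    """URIs in the body that a 'uri' regex rule would fire on."""
    return [u for u in extract_uris(body) if pattern.search(u)]

def blacklist_uri_host_hits(body, listed_host):
    """Approximation of blacklist_uri_host: a URI hits when its host is the
    listed host or any subdomain of it (assumed behaviour, not SA's code)."""
    listed_host = listed_host.lower()
    return [u for u in extract_uris(body)
            if host_of(u) == listed_host
            or host_of(u).endswith('.' + listed_host)]

if __name__ == '__main__':
    print('bare $ anchor:', uri_rule_hits(SAMPLE_BODY, RULE_BARE_HOST))
    print('with path    :', uri_rule_hits(SAMPLE_BODY, RULE_WITH_PATH))
    print('list expert.cloudapp.net:',
          blacklist_uri_host_hits(SAMPLE_BODY, 'expert.cloudapp.net'))
    print('list cloudapp.net       :',
          blacklist_uri_host_hits(SAMPLE_BODY, 'cloudapp.net'))
```

The wider listing also catches the unrelated other.cloudapp.net link, which is Karsten's point about cloudapp.net being shared Azure space.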