Easy question for this crowd

I've supported a dozen Mailman listservers for over a dozen years. This doesn't represent much real effort most of the time. I've had to block specific users often and specific domains rarely, but this is the first time I've had to block an entire TLD.
Recently I've been gifted with an inordinate amount of UCE from many different domains under the '.icu' TLD.
Since Python RE's are _almost_ the same as the UNIX RE's I used many years ago, if I put
^@.*\.icu$
in discard_these_nonmembers, will it block all domains in that TLD?
And not block anyone else?
Thanks,
-Chip Davis-
Mailman 2.1.27 shared host linux 2.6.32-696.18.7.el6.x86_64 cPanel 80.0.10

At Thu, 30 May 2019 11:57:44 -0400 Chip Davis <chip@aresti.com> wrote:
I've supported a dozen Mailman listservers for over a dozen years. This doesn't represent much real effort most of the time. I've had to block specific users often and specific domains rarely, but this is the first time I've had to block an entire TLD.
Recently I've been gifted with an inordinate amount of UCE from many different domains under the '.icu' TLD.
Since Python RE's are _almost_ the same as the UNIX RE's I used many years ago, if I put
^@.*\.icu$
in discard_these_nonmembers, will it block all domains in that TLD?
Yes.
And not block anyone else?
Yes.
I've done this, and then I took things a step further:
What *I* have done (because I can), is configure rejection of both domains AND CIDRs at the Postfix level, putting REJECTs in both /etc/postfix/access and /etc/postfix/cidr.clients. (I use *REJECT* for a reason: I figure if these idiots are going to make trouble for me, I'll make trouble for them -- e.g. now they will get reject messages. Also when the addresses are from legit mail servers, the admins there will get a wake-up call and presumably do something -- I have discovered that there is really little point in sending anything to the [so-called] 'abuse' addresses.)
I've also configured mimedefang and spamassassin to *reject* spam at the Postfix level as well. Very little gets through now.
-- Robert Heller -- 978-544-6933 Deepwoods Software -- Custom Software Services http://www.deepsoft.com/ -- Linux Administration Services heller@deepsoft.com -- Webhosting Services

Well, it was worth a try. :-/
About 12 hours after I put that RE in place, I got another one from a different domain in '.icu'. It was held for moderation, not automatically discarded.
I have:
- 8 email addresses in accept_these_nonmembers
- 0 email addresses in hold_these_nonmembers
- 0 email addresses in reject_these_nonmembers
- ^@.*\.icu$ in discard_these_nonmembers
- 'Hold' for generic_nonmember_action
- 'Yes' for forward_auto_discards
but it seemed to make no difference; the UCE was still held for moderation.
I'm going to try putting "from: .*@.*\.icu" in header_filter_rules and see if that makes any difference.
Any other ideas?
-Chip-

On 5/30/19 9:20 PM, Chip Davis wrote:
About 12 hours after I put that RE in place, I got another one from a different domain in '.icu'. It was held for moderation, not automatically discarded.
I have:
- 8 email addresses in accept_these_nonmembers
- 0 email addresses in hold_these_nonmembers
- 0 email addresses in reject_these_nonmembers
- ^@.*\.icu$ in discard_these_nonmembers
- 'Hold' for generic_nonmember_action
- 'Yes' for forward_auto_discards
but it seemed to make no difference; the UCE was still held for moderation.
The *_these_nonmembers checks only check one address which is what Mailman considers the sender of the message. What address this is depends on a config setting. The doc says:
This can return either the From: header, the Sender: header or the envelope header (a.k.a. the unixfrom header). The first non-empty header value found is returned. However the search order is determined by the following:
- If mm_cfg.USE_ENVELOPE_SENDER is true, then the search order is Sender:, From:, unixfrom
- Otherwise, the search order is From:, Sender:, unixfrom
So in your case, it may not be checking the From:
I'm going to try putting "from: .*@.*\.icu" in header_filter_rules and see if that makes any difference.
It probably should be "^from: .*@.*\.icu\s" to avoid matching something like
Subject: mail from: user@server.icu not discarded
or
From: user@sub.icure.com
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Thanks, Mark. I hadn't thought of the "from:" being embedded in the Subject: header. And your RE correction makes perfect sense once I see it. ;-)
I'm pretty sure I don't have access to 'mm.config.[anything]' so I assume it's the default value. Odds are, it was my imperfect RE that was keeping it from tripping.
Thanks All,
-Chip-

<sigh> I guess my question wasn't so "easy" after all ... :-(
What was a daily trickle is now a flood of UCE from different domains in the .icu TLD. I hope someone can suggest some sort of prophylaxis that I haven't tried.
Is it possible that 'general_nonmember_action = Hold' is overriding my Spam Filter Rule? I still need to intercept legitimate subscribers who attempt to post under a different address, depending on which device they happen to be using. :-/
Is there any way to tell Mailman to honor my ISP's SpamAssassin score? The headers of a UCE that got through and was Held for Approval may be seen at http://www.aresti.com/UCEheaders/
=======================================================================================
dmarc_moderation_action = Munge From
dmarc_quarantine_moderation_action = Yes
dmarc_none_moderation_action = No

accept_these_nonmembers = [list of specific userids]
hold_these_nonmembers = []
reject_these_nonmembers = []
discard_these_nonmembers = []
generic_nonmember_action = Hold
forward_auto_discards = Yes

header_filter_rules = Spam Filter Rule 1: ^from: .*@.*\.icu\s   Action = Discard
Any help will be greatly appreciated.
-Chip-

On 6/1/19 10:44 AM, Chip Davis wrote:
Is it possible that 'general_nonmember_action = Hold' is overriding my Spam Filter Rule? I still need to intercept legitimate subscribers who attempt to post under a different address, depending on which device they happen to be using. :-/
You need to adjust the regexp. It isn't matching because of the '>' at the end of the address in From:
Try
^from: .*@.*\.icu[>\s]
Is there any way to tell Mailman to honor my ISP's SpamAssassin score?
You can use header filter regexps like
^X-Spam-Status: Yes
or
^X-Spam-Bar: \+{6,}
where the 6 above is the minimum number of '+' characters to match.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
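To see why the three regexps in this thread behave differently (the Subject: and ".icure" false positives Mark pointed out earlier, and the trailing '>' in an angle-bracketed From:), here is an added example, not code from the thread or from Mailman, that runs them over constructed header blocks. It assumes Mailman 2.1 applies header_filter_rules to the headers rendered as "Name: value" lines with re.IGNORECASE | re.MULTILINE; that flag choice is my assumption.

```python
import re

# Assumption (not stated in the thread): Mailman 2.1 compiles each
# header_filter_rules regexp with IGNORECASE | MULTILINE and searches the
# headers rendered as "Name: value" lines, so "^from:" anchors at the start
# of any header line regardless of case.
FLAGS = re.IGNORECASE | re.MULTILINE

RULES = {
    "naive":     r"from: .*@.*\.icu",        # Chip's first attempt
    "anchored":  r"^from: .*@.*\.icu\s",     # Mark's first correction
    "final":     r"^from: .*@.*\.icu[>\s]",  # Mark's final version
    "sa_status": r"^X-Spam-Status: Yes",     # SpamAssassin verdict header
    "sa_bar":    r"^X-Spam-Bar: \+{6,}",     # at least six '+' = score >= 6
}


def matching_rules(headers: str) -> set:
    """Return the names of the rules whose regexp matches this header block."""
    return {name for name, pat in RULES.items() if re.search(pat, headers, FLAGS)}


# Constructed header blocks, one per case discussed in the thread.
SPAM_ANGLE = (
    "From: Sales <offers@promo-deal.icu>\n"   # address in angle brackets
    "Subject: hello\n"
    "X-Spam-Bar: ++++++++\n"
)
SPAM_BARE = (
    "From: user@server.icu\n"                  # bare address, newline follows
    "Subject: buy now\n"
    "X-Spam-Status: Yes, score=9.1\n"
)
LEGIT_ICURE = "From: user@sub.icure.com\nSubject: question\n"
LEGIT_SUBJECT = (
    "From: member@example.org\n"
    "Subject: mail from: user@server.icu not discarded\n"
)

if __name__ == "__main__":
    for label, hdrs in [("SPAM_ANGLE", SPAM_ANGLE), ("SPAM_BARE", SPAM_BARE),
                        ("LEGIT_ICURE", LEGIT_ICURE), ("LEGIT_SUBJECT", LEGIT_SUBJECT)]:
        print(label, sorted(matching_rules(hdrs)))
```

Only the "final" pattern catches both spam samples while leaving both legitimate ones alone; the "naive" pattern discards all four.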

On 6/1/19 1:44 PM, Chip Davis wrote:
<sigh> I guess my question wasn't so "easy" after all ... :-(
What was a daily trickle is now a flood of UCE from different domains in the .icu TLD. I hope someone can suggest some sort of prophylaxis that I haven't tried.
Do you get any actual, legitimate mail from .icu? Do you have any real subscribers from .icu? If not, I'd consider just blocking the entire TLD. I've blocked several of the new shit TLDs from which I was receiving nothing but spam, and it's enormously reduced my volume of spam.
-- Phil Stracchino Babylon Communications phils@caerllewys.net phil@co.ordinate.org Landline: +1.603.293.8485 Mobile: +1.603.998.6958

No, and No. Apparently you missed my original post (5/30 11:57AM) on this topic where I asked if my RE would do exactly that.
I've supported a dozen Mailman listservers for over a dozen years. This doesn't represent much real effort most of the time. I've had to block specific users often and specific domains rarely, but this is the first time I've had to block an entire TLD.
Recently I've been gifted with an inordinate amount of UCE from many different domains under the '.icu' TLD.
Since Python RE's are _almost_ the same as the UNIX RE's I used many years ago, if I put
^@.*\.icu$
in discard_these_nonmembers, will it block all domains in that TLD?
And not block anyone else?
Thanks to Mark's help crafting the proper RE, I haven't had an '.icu' UCE in over 15 hours (knock wood).
For a more general solution for all of my lists, I'm looking into his suggestion of using a Spam Filter that triggers on the SpamAssassin score header inserted by my ISP.
Thanks, Mark, for your patience and help.
-Chip-

On 6/2/19 7:49 AM, Chip Davis wrote:
Thanks to Mark's help crafting the proper RE, I haven't had an '.icu' UCE in over 15 hours (knock wood).
If you have access to Mailman's logs, the discards are logged in the 'vette' log with entries like
Message discarded, msgid: <...>
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

<sigh> I wish. All my listservers are on various shared hosts running cPanel. An experience not unlike making love in haz-mat suits... :-/
-Chip-