From mlist at abando.de Fri Jan 17 08:30:17 2025
From: mlist at abando.de (Aban Dokht)
Date: Fri, 17 Jan 2025 09:30:17 +0100
Subject: [Rspamd-Users] FYI: nixspam RBL has shutdown
In-Reply-To: <2a2cd6abedf28638f202e2d425013044@muppetz.com>
References: <2a2cd6abedf28638f202e2d425013044@muppetz.com>
Message-ID: <82b6b74e-6093-4020-846c-8bc79d0c890c@abando.de>

Forwarded from the mailop mailing list:

-------- Forwarded Message --------
Subject: [mailop] FYI: nixspam RBL has shutdown
Date: Fri, 17 Jan 2025 15:40:32 +1300
From: Tim Harman via mailop
To: mailop at mailop.org

Just FYI for those with the nixspam RBL configured in their systems (for example, it's enabled in rspamd by default).

It's just shut down - https://www.nixspam.net/?old_domain=true

Sad to see, as it was always quite reliable as a signal of spamminess IMHO.

Make sure to remove it in case it starts returning false positives in the future!

Tim
_______________________________________________
mailop mailing list
mailop at mailop.org
https://list.mailop.org/listinfo/mailop

From joerg at backschues.de Sun Jan 19 21:10:14 2025
From: joerg at backschues.de (=?UTF-8?Q?J=C3=B6rg_Backschues?=)
Date: Sun, 19 Jan 2025 22:10:14 +0100
Subject: [Rspamd-Users] Evaluate whois admin-c / nic-hdl
Message-ID: <8e5575f7-af22-4d62-8d16-2c8d16bc4c00@backschues.de>

Hello,

any idea how to evaluate

- admin-c
- nic-hdl

of the whois directory service for use in Rspamd's Multimap module?

Thank you.

-- 
Kind regards
Jörg Backschues

From danjel at jungersen.dk Wed Jan 29 17:56:42 2025
From: danjel at jungersen.dk (Danjel Jungersen)
Date: Wed, 29 Jan 2025 18:56:42 +0100
Subject: [Rspamd-Users] I think my spamhaus is not working....
Message-ID: <2fa3042e-b7f0-4804-be77-3b637ebb5b41@jungersen.dk>

Hi there.

I have a feeling that my spamhaus setup is not working.

I looked at the default setup and to me it looks like it should work.
I have not knowingly changed anything regarding spamhaus.
But the testmails from their site come through, and I see no mention of spamhaus in the logs.

I have this in rbl.conf:

*****
  rbls {
    spamhaus {
      symbol = "SPAMHAUS"; # Augmented by prefixes
      rbl = "zen.spamhaus.org";
      # Check types
      checks = ['received', 'from'];
      symbols_prefixes = {
        received = 'RECEIVED',
        from = 'RBL',
      }
      returncodes {
        SPAMHAUS_SBL = "127.0.0.2";
        SPAMHAUS_CSS = "127.0.0.3";
        SPAMHAUS_XBL = ["127.0.0.4", "127.0.0.5",
            "127.0.0.6", "127.0.0.7"];
        SPAMHAUS_PBL = ["127.0.0.10", "127.0.0.11"];
        SPAMHAUS_DROP = "127.0.0.9";
        SPAMHAUS_BLOCKED_OPENRESOLVER = "127.255.255.254";
        SPAMHAUS_BLOCKED= "127.255.255.255";
      }
    }
.....
*****

And this in scores.d/rbl_group.conf:

*****
    "RBL_SPAMHAUS_SBL" {
        weight = 4.0;
        description = "From address is listed in ZEN SBL";
        groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_CSS" {
        weight = 2.0;
        description = "From address is listed in ZEN CSS";
        groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_XBL" {
        weight = 4.0;
        description = "From address is listed in ZEN XBL";
        groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_XBL_ANY" {
        weight = 4.0;
        description = "From or received address is listed in ZEN XBL (any list)";
        groups = ["spamhaus"];
    }
    "RBL_SPAMHAUS_PBL" {
        weight = 2.0;
        description = "From address is listed in ZEN PBL (ISP list)";
        groups = ["spamhaus"];
    }
.....
*****

As far as I know, all defaults.

But I get no rejections, and nothing in the logs.
I think that it makes no sense to increase the scores as long as I see nothing about spamhaus in the logs / mail headers.

How do I find out what is wrong here?

Do I need to submit any further information?
TIA
Danjel

From list+rspamd at gcore.biz Wed Jan 29 19:49:25 2025
From: list+rspamd at gcore.biz (Gerald Galster)
Date: Wed, 29 Jan 2025 20:49:25 +0100
Subject: [Rspamd-Users] I think my spamhaus is not working....
In-Reply-To: <2fa3042e-b7f0-4804-be77-3b637ebb5b41@jungersen.dk>
References: <2fa3042e-b7f0-4804-be77-3b637ebb5b41@jungersen.dk>
Message-ID: <83012E1A-D24E-453D-8D5C-BB34194ED823@gcore.biz>

> I have a feeling that my spamhaus setup is not working.

Do you qualify for spamhaus' free usage or do you pay for the service?

https://lists.rspamd.com/pipermail/users/2022-January/002315.html

Otherwise you may be blocked.

For the free service you should use your own resolver (unbound,
pdns-recursor, bind, ...), not that of your provider/datacenter.

For example, this ip is currently listed (50.6.204.77):

# dig 77.204.6.50.zen.spamhaus.org
...
;; ANSWER SECTION:
77.204.6.50.zen.spamhaus.org. 60 IN A 127.0.0.3

Does this work with your resolver?

Special return codes according to https://www.spamhaus.org/faqs/dnsbl-usage/
For postmaster / "What do the 127.*.*.* Return Codes mean in DNSBLs?"

127.255.255.254 Query via public/open resolver
127.255.255.255 Excessive number of queries

Best regards,
Gerald

From danjel at jungersen.dk Wed Jan 29 21:00:23 2025
From: danjel at jungersen.dk (Danjel Jungersen)
Date: Wed, 29 Jan 2025 22:00:23 +0100
Subject: [Rspamd-Users] I think my spamhaus is not working....
In-Reply-To: <83012E1A-D24E-453D-8D5C-BB34194ED823@gcore.biz>
References: <2fa3042e-b7f0-4804-be77-3b637ebb5b41@jungersen.dk> <83012E1A-D24E-453D-8D5C-BB34194ED823@gcore.biz>
Message-ID:

On 29 January 2025 20:49:25 CET, Gerald Galster wrote:
>> I have a feeling that my spamhaus setup is not working.
>
>Do you qualify for spamhaus' free usage or do you pay for the service?

Free, we only have a few 100 daily lookups.

>
>https://lists.rspamd.com/pipermail/users/2022-January/002315.html
>
>Otherwise you may be blocked.
>
>For the free service you should use your own resolver (unbound,
>pdns-recursor, bind, ...), not that of your provider/datacenter.

Running my own bind.
/etc/resolv.conf points to my 2 x bind.

>
>For example, this ip is currently listed (50.6.204.77):
>
># dig 77.204.6.50.zen.spamhaus.org
>...
>;; ANSWER SECTION:
>77.204.6.50.zen.spamhaus.org. 60 IN A 127.0.0.3
>
>Does this work with your resolver?

Arrgghh...

I get 127.255.255.254, must check when I get back to my dns, why this happens...

Hmmm....

I'll be back if/when I get more info.

THX
Danjel

From trashcan at ellael.org Wed Jan 29 21:14:16 2025
From: trashcan at ellael.org (Michael Grimm)
Date: Wed, 29 Jan 2025 22:14:16 +0100
Subject: [Rspamd-Users] I think my spamhaus is not working....
In-Reply-To:
References: <2fa3042e-b7f0-4804-be77-3b637ebb5b41@jungersen.dk> <83012E1A-D24E-453D-8D5C-BB34194ED823@gcore.biz>
Message-ID: <34D376EC-4455-426B-9752-934B8570773E@ellael.org>

Danjel Jungersen via Users wrote:
> On 29 January 2025 20:49:25 CET, Gerald Galster wrote:

>>> I have a feeling that my spamhaus setup is not working.
>>
>> Do you qualify for spamhaus' free usage or do you pay for the service?
> Free, we only have a few 100 daily lookups.

see below

>> For example, this ip is currently listed (50.6.204.77):
>>
>> # dig 77.204.6.50.zen.spamhaus.org
>> ...
>> ;; ANSWER SECTION:
>> 77.204.6.50.zen.spamhaus.org. 60 IN A 127.0.0.3
>>
>> Does this work with your resolver?
> Arrgghh...
>
> I get 127.255.255.254, must check when I get back to my dns, why this happens...
>
> Hmmm....
>
> I'll be back if/when I get more info.

https://www.spamhaus.org/resource-hub/email-security/if-you-query-the-legacy-dnsbls-via-ovhcloud-move-to-spamhaus-technologys-free-data-query-service/#why-isn't-spamhaus-allowing-ovhcloud-users-to-query-the-public-blocklists

If you are running your server on OVH public cloud (same is true for other "suspicious" providers), you should apply for spamhaus' DQS services, which is free for your traffic.
HTH,
Michael

From danjel at jungersen.dk Thu Jan 30 08:08:42 2025
From: danjel at jungersen.dk (Danjel Jungersen)
Date: Thu, 30 Jan 2025 09:08:42 +0100
Subject: [Rspamd-Users] I think my spamhaus is not working....
In-Reply-To: <83012E1A-D24E-453D-8D5C-BB34194ED823@gcore.biz>
References: <2fa3042e-b7f0-4804-be77-3b637ebb5b41@jungersen.dk> <83012E1A-D24E-453D-8D5C-BB34194ED823@gcore.biz>
Message-ID: <236b7555-bb9f-4816-bfe7-bde785ea00c6@jungersen.dk>

HEY!

A "thank you" to Michael and Gerald for their responses.

I found a "forwarders" in my bind named.conf.options and have now removed it, I can now do a dig with a usable result, I hope that it will make rspamd work as well.

I will apply for the suggested DQS anyway.

:-)

Danjel

On 29-01-2025 20:49, Gerald Galster wrote:
>> I have a feeling that my spamhaus setup is not working.
> Do you qualify for spamhaus' free usage or do you pay for the service?
>
> https://lists.rspamd.com/pipermail/users/2022-January/002315.html
>
> Otherwise you may be blocked.
>
> For the free service you should use your own resolver (unbound,
> pdns-recursor, bind, ...), not that of your provider/datacenter.
>
> For example, this ip is currently listed (50.6.204.77):
>
> # dig 77.204.6.50.zen.spamhaus.org
> ...
> ;; ANSWER SECTION:
> 77.204.6.50.zen.spamhaus.org. 60 IN A 127.0.0.3
>
> Does this work with your resolver?
>
> Special return codes according to https://www.spamhaus.org/faqs/dnsbl-usage/
> For postmaster / "What do the 127.*.*.* Return Codes mean in DNSBLs?"
>
> 127.255.255.254 Query via public/open resolver
> 127.255.255.255 Excessive number of queries
>
> Best regards,
> Gerald

-- 
Kind regards
Danjel Jungersen

Mail: danjel at jungersen.dk
Mobile: +45 20 42 20 11

Jungersen Grafisk ApS, Holsbjergvej 39, DK-2620 Albertslund, Denmark.
Tel: +45 43 64 10 00
WEBSHOP: PRINTLIGHT.DK | WWW.JUNGERSEN.DK

From floppy at floppy.org Thu Jan 30 14:50:22 2025
From: floppy at floppy.org (Florian Piekert)
Date: Thu, 30 Jan 2025 15:50:22 +0100
Subject: [Rspamd-Users] rspamd, oletools
Message-ID: <331b39ea-5499-43af-a35a-e0a5dc512d77@floppy.org>

Dear users,

I am still struggling to get olefy working with oletools and rspamd.

As user olefy, testing on the cmd line seems to work:

olefy@sonne:~$ /var/lib/olefy/.local/bin/olevba text.xlsx
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.2 on Python 3.12.3 - http://decalage.info/python/oletools
===============================================================================
FILE: text.xlsx
Type: OpenXML
No VBA or XLM macros found.

Sending email apparently does not.

I tried sending a single xlsx file, that doesn't even appear in the logfiles.
Then I sent, out of curiosity, 5 xlsx and 1 docx and got this in a heap.

Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG connection_made ('127.0.0.1', 46284) new connection was made
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG connection_made ('127.0.0.1', 46286) new connection was made
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG connection_made ('127.0.0.1', 46296) new connection was made
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46284) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46286) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46296) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG protocol_split olefy_headers: {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID': 'B7A9916E042Fa7'}
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG eof_received /tmp/1738247379.4132054.46284.B7A991 choosen as tmp filename
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received 11922 bytes (stream size)
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO oletools application/x-decompression-error-gzip-Stdin-has-more-than-one-entry--rest-ignored (libmagic output)
Jan 30 15:29:39 sonne python3[1464738]: olefy ERROR oletools olevba returned <30 chars - rc: 1, response: '', error: 'Traceback (most recent call last):\n File "/var/lib/olefy/.local/bin/olevba", line 5, in \n from oletools.olevba import main\nModuleNotFoundError: No module named \'oletools\'\n'
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools /tmp/1738247379.4132054.46284.B7A991 deleting tmp file
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools response: [ { "error": "Unhandled error - too short olevba response" } ]
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received ('127.0.0.1', 46284) response send: b'[ { "error": "Unhandled error - too short olevba response" } ]\t\n\n\t'
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46286) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46296) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG connection_made ('127.0.0.1', 46304) new connection was made
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG connection_made ('127.0.0.1', 46306) new connection was made
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46286) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46296) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46286) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46296) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46304) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG data_received ('127.0.0.1', 46306) data received from new connection
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG protocol_split olefy_headers: {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID': 'B7A9916E042Fa7'}
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG eof_received /tmp/1738247379.512279.46286.B7A991 choosen as tmp filename
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received 497218 bytes (stream size)
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO oletools application/x-decompression-error-gzip-Stdin-has-more-than-one-entry--rest-ignored (libmagic output)
Jan 30 15:29:39 sonne python3[1464738]: olefy ERROR oletools olevba returned <30 chars - rc: 1, response: '', error: 'Traceback (most recent call last):\n File "/var/lib/olefy/.local/bin/olevba", line 5, in \n from oletools.olevba import main\nModuleNotFoundError: No module named \'oletools\'\n'
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools /tmp/1738247379.512279.46286.B7A991 deleting tmp file
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools response: [ { "error": "Unhandled error - too short olevba response" } ]
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received ('127.0.0.1', 46286) response send: b'[ { "error": "Unhandled error - too short olevba response" } ]\t\n\n\t'
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG protocol_split olefy_headers: {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID': 'B7A9916E042Fa7'}
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG eof_received /tmp/1738247379.512279.46296.B7A991 choosen as tmp filename
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received 763035 bytes (stream size)
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO oletools application/x-decompression-error-gzip-Stdin-has-more-than-one-entry--rest-ignored (libmagic output)
Jan 30 15:29:39 sonne python3[1464738]: olefy ERROR oletools olevba returned <30 chars - rc: 1, response: '', error: 'Traceback (most recent call last):\n File "/var/lib/olefy/.local/bin/olevba", line 5, in \n from oletools.olevba import main\nModuleNotFoundError: No module named \'oletools\'\n'
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools /tmp/1738247379.512279.46296.B7A991 deleting tmp file
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools response: [ { "error": "Unhandled error - too short olevba response" } ]
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received ('127.0.0.1', 46296) response send: b'[ { "error": "Unhandled error - too short olevba response" } ]\t\n\n\t'
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG protocol_split olefy_headers: {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID': 'B7A9916E042Fa7'}
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG eof_received /tmp/1738247379.512279.46304.B7A991 choosen as tmp filename
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received 11497 bytes (stream size)
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO oletools application/x-decompression-error-gzip-Stdin-has-more-than-one-entry--rest-ignored (libmagic output)
Jan 30 15:29:39 sonne python3[1464738]: olefy ERROR oletools olevba returned <30 chars - rc: 1, response: '', error: 'Traceback (most recent call last):\n File "/var/lib/olefy/.local/bin/olevba", line 5, in \n from oletools.olevba import main\nModuleNotFoundError: No module named \'oletools\'\n'
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools /tmp/1738247379.512279.46304.B7A991 deleting tmp file
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools response: [ { "error": "Unhandled error - too short olevba response" } ]
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received ('127.0.0.1', 46304) response send: b'[ { "error": "Unhandled error - too short olevba response" } ]\t\n\n\t'
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG protocol_split olefy_headers: {'olefy': 'OLEFY/1.0', 'Method': 'oletools', 'Rspamd-ID': 'B7A9916E042Fa7'}
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG eof_received /tmp/1738247379.512279.46306.B7A991 choosen as tmp filename
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received 25888 bytes (stream size)
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO oletools application/x-decompression-error-gzip-Stdin-has-more-than-one-entry--rest-ignored (libmagic output)
Jan 30 15:29:39 sonne python3[1464738]: olefy ERROR oletools olevba returned <30 chars - rc: 1, response: '', error: 'Traceback (most recent call last):\n File "/var/lib/olefy/.local/bin/olevba", line 5, in \n from oletools.olevba import main\nModuleNotFoundError: No module named \'oletools\'\n'
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools /tmp/1738247379.512279.46306.B7A991 deleting tmp file
Jan 30 15:29:39 sonne python3[1464738]: olefy DEBUG oletools response: [ { "error": "Unhandled error - too short olevba response" } ]
Jan 30 15:29:39 sonne python3[1464738]: olefy INFO eof_received ('127.0.0.1', 46306) response send: b'[ { "error": "Unhandled error - too short olevba response" } ]\t\n\n\t'

I have installed oletools as user olefy with pipx as "pipx install oletools[Full]". It ended up in /var/lib/olefy/.local/bin since /var/lib/olefy/ is the homedir of olefy.

Python is 3.12.3.

Maybe some1 has an idea what to do. Thanks for pointers.

Florian
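
Added example, not part of any post in this archive, for the Spamhaus thread above: a resolver self-check that builds the reversed query name from the dig example and separates real listings from the 127.255.255.x error codes. The function names and status strings are assumptions made for this sketch; the return-code table is copied from the rbl.conf excerpt and the FAQ lines quoted in the thread.

```python
import ipaddress
import socket

# Return codes copied from the rbl.conf excerpt and the reply quoted in the thread.
LISTED = {
    "127.0.0.2": "SPAMHAUS_SBL", "127.0.0.3": "SPAMHAUS_CSS",
    "127.0.0.4": "SPAMHAUS_XBL", "127.0.0.5": "SPAMHAUS_XBL",
    "127.0.0.6": "SPAMHAUS_XBL", "127.0.0.7": "SPAMHAUS_XBL",
    "127.0.0.9": "SPAMHAUS_DROP",
    "127.0.0.10": "SPAMHAUS_PBL", "127.0.0.11": "SPAMHAUS_PBL",
}
BLOCKED = {
    "127.255.255.254": "SPAMHAUS_BLOCKED_OPENRESOLVER",  # query via public/open resolver
    "127.255.255.255": "SPAMHAUS_BLOCKED",               # excessive number of queries
}


def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Reverse the IPv4 octets and append the zone, as in the dig example."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answers):
    """Map the A records of one DNSBL query to (status, symbols)."""
    if not answers:
        return ("not_listed", [])
    blocked = sorted({BLOCKED[a] for a in answers if a in BLOCKED})
    if blocked:
        # Error codes say nothing about the queried IP: treat them as "no data".
        return ("resolver_blocked", blocked)
    listed = sorted({LISTED[a] for a in answers if a in LISTED})
    return ("listed", listed) if listed else ("unknown", sorted(answers))


def system_resolve(name):
    """Resolve via the system resolver (/etc/resolv.conf); [] when no A record."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN and lookup failures both end up here
        return []


def check(ip, resolve=system_resolve):
    """Look up one IP; 'resolve' is injectable so the logic can be tested offline."""
    return classify(resolve(dnsbl_name(ip)))


if __name__ == "__main__":
    # Constructed answers mirroring the two results seen in the thread.
    print(check("50.6.204.77", resolve=lambda name: ["127.0.0.3"]))
    print(check("50.6.204.77", resolve=lambda name: ["127.255.255.254"]))
    # Live lookup through the local resolver (needs network access).
    print(check("50.6.204.77"))
```

A resolver_blocked result from the live lookup is the situation reported in the thread while "forwarders" was still set in named.conf.options.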