SA Bugzilla – Bug 7548
Add the MSBL hashbl.pm to SA Plugins
Last modified: 2018-03-02 13:58:20 UTC
Michael Grant: Has anyone tried out the the MSBL Email Blocklist (EBL) HashBL.pm with Spamassassin from msbl.org and possibly considered packaging this module (available from this page: http://msbl.org/ebl-implementation.html) with SpamAssassin (perhaps in a forthcoming release)? rSpamD already has internal support for the EBL. So I believe the MSBL folks are for this sort of thing in general. This plugin looks through the message (not just headers) for email addresses which have been identified as email drop boxes for scams like 419 advance fee fraud. It then looks hashes of these addresses up in a blocklist. I'm not affiliated with these folks. I do however use this module in my setup though and find it catches a bunch of things we wouldn't have otherwise caught.
Permission from Steve Freegard: I'm already on file [re: ICLA]... so feel free to add it.
if dns ttl will be minimal to 3600 it would be ok, too many dns provider that like to drop there problems into spamassassin does not care much there
Created attachment 5536 [details] HashBL plugin I am using this plugin for few weeks and is working fine, I would like to add it as an official plugin. I added an 25_hashbl.cf in rules, a new v342.pre file to load the plugin and added few lines of pod documentation to the plugin, is there something more/wrong or we could add the plugin in spamassassin ?
+1 Been using this plugin with good results for a few months. We need to make sure we aren't going to overload their servers with the huge install base of SA. Someone with good contact info should reach out to them and make sure they are ready to handle this load.
Just noticed that ebl.msbl.org is hosted on CloudFlare so I would say they are ready to handle the load. :)
(In reply to Dave Jones from comment #5) > Just noticed that ebl.msbl.org is hosted on CloudFlare so I would say they > are ready to handle the load. :) I don't know that we are adding the rules, just the plugin to be clear.
Ok. Just looked at the proposed patch and noticed that the loadplugin would be commented by default in the v342.pre. The proposed patch with 25_hashbl.cf would enable the rule HASHBL_EMAIL inside an ifplugin statement so I guess that would be a default score of 1.0.
(In reply to Dave Jones from comment #7) > Ok. Just looked at the proposed patch and noticed that the loadplugin would > be commented by default in the v342.pre. > > The proposed patch with 25_hashbl.cf would enable the rule HASHBL_EMAIL > inside an ifplugin statement so I guess that would be a default score of 1.0. Likely need to look at that. My proposal is SOLELY for the plugin.
is thay ready to handle corpus testing ? could dns ttl be 86400 for this dns data ? or do we as free riders like 1 ?
Not sure what that question is about the DNS TTL. Please clarify. Cloudflare can handle the DNS query load of low TTLs. If this hash information doesn't change often, the msbl.org owner could increase the TTLs but I suspect it's safer to go with a lower TTL so he/she can remove entries quickly. My ena-weekX is the majority of the masscheck corpus and I only see a few hits on HASHBL_EMAIL each day. When I do get hits, these email already score in the 50's and 60's so they would have been blocked anyway with my custom rules and settings. I understand that this could help others in different locations with default SA and different mail flow/languages so I am all for it.
(In reply to Benny Pedersen from comment #9) > is thay ready to handle corpus testing ? > > could dns ttl be 86400 for this dns data ? > > or do we as free riders like 1 ? that would also apply to negative TTL which would render it useless.
Created attachment 5537 [details] Removed 25_hashbl.cf rule from diff
Ping.... Is it ok to import the plugin without adding any rule ?
Yes, that's my intention of how to add it.
Committed in r1825724.