Bug 7548 - Add the MSBL hashbl.pm to SA Plugins
Summary: Add the MSBL hashbl.pm to SA Plugins
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins (show other bugs)
Version: 3.4.2
Hardware: PC Windows NT
: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-10 21:46 UTC by Kevin A. McGrail
Modified: 2018-03-02 13:58 UTC (History)
4 users (show)


Attachment Type Modified Status Actions Submitter/CLA Status
HashBL plugin patch None Giovanni Bechis [HasCLA]
Removed 25_hashbl.cf rule from diff patch None Giovanni Bechis [HasCLA]
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kevin A. McGrail 2018-02-10 21:46:29 UTC 
Michael Grant: Has anyone tried out the the MSBL Email Blocklist (EBL) HashBL.pm with Spamassassin from msbl.org and possibly considered packaging this module (available from this page: http://msbl.org/ebl-implementation.html) with SpamAssassin (perhaps in a forthcoming release)?  rSpamD already has internal support for the EBL. So I believe the MSBL folks are for this sort of thing in general.

This plugin looks through the message (not just headers) for email addresses which have been identified as email drop boxes for scams like 419 advance fee fraud.  It then looks hashes of these addresses up in a blocklist. 

I'm not affiliated with these folks.  I do however use this module in my setup though and find it catches a bunch of things we wouldn't have otherwise caught.
Comment 1 Kevin A. McGrail 2018-02-10 21:47:40 UTC 
Permission from Steve Freegard:

I'm already on file [re: ICLA]... so feel free to add it.
Comment 2 Benny Pedersen 2018-02-11 00:46:21 UTC 
if dns ttl will be minimal to 3600 it would be ok, too many dns provider that like to drop there problems into spamassassin does not care much there
Comment 3 Giovanni Bechis 2018-02-20 07:53:54 UTC 
Created attachment 5536 [details]
HashBL plugin

I am using this plugin for few weeks and is working fine, I would like to add it as an official plugin.
 
I added an 25_hashbl.cf in rules, a new v342.pre file to load the plugin and added few lines of pod documentation to the plugin, is there something more/wrong or we could add the plugin in spamassassin ?
Comment 4 Dave Jones 2018-02-20 16:36:18 UTC 
+1

Been using this plugin with good results for a few months.

We need to make sure we aren't going to overload their servers with the huge install base of SA.

Someone with good contact info should reach out to them and make sure they are ready to handle this load.
Comment 5 Dave Jones 2018-02-20 16:39:23 UTC 
Just noticed that ebl.msbl.org is hosted on CloudFlare so I would say they are ready to handle the load.  :)
Comment 6 Kevin A. McGrail 2018-02-20 16:40:11 UTC 
(In reply to Dave Jones from comment #5)
> Just noticed that ebl.msbl.org is hosted on CloudFlare so I would say they
> are ready to handle the load.  :)

I don't know that we are adding the rules, just the plugin to be clear.
Comment 7 Dave Jones 2018-02-20 16:45:28 UTC 
Ok.  Just looked at the proposed patch and noticed that the loadplugin would be commented by default in the v342.pre.

The proposed patch with 25_hashbl.cf would enable the rule HASHBL_EMAIL inside an ifplugin statement so I guess that would be a default score of 1.0.
Comment 8 Kevin A. McGrail 2018-02-20 16:47:06 UTC 
(In reply to Dave Jones from comment #7)
> Ok.  Just looked at the proposed patch and noticed that the loadplugin would
> be commented by default in the v342.pre.
> 
> The proposed patch with 25_hashbl.cf would enable the rule HASHBL_EMAIL
> inside an ifplugin statement so I guess that would be a default score of 1.0.

Likely need to look at that.  My proposal is SOLELY for the plugin.
Comment 9 Benny Pedersen 2018-02-20 16:52:00 UTC 
is thay ready to handle corpus testing ?

could dns ttl be 86400 for this dns data ?

or do we as free riders like 1  ?
Comment 10 Dave Jones 2018-02-20 17:08:50 UTC 
Not sure what that question is about the DNS TTL.  Please clarify.  Cloudflare can handle the DNS query load of low TTLs.  If this hash information doesn't change often, the msbl.org owner could increase the TTLs but I suspect it's safer to go with a lower TTL so he/she can remove entries quickly.

My ena-weekX is the majority of the masscheck corpus and I only see a few hits on HASHBL_EMAIL each day.  When I do get hits, these email already score in the 50's and 60's so they would have been blocked anyway with my custom rules and settings.

I understand that this could help others in different locations with default SA and different mail flow/languages so I am all for it.
Comment 11 AXB 2018-02-20 17:51:18 UTC 
(In reply to Benny Pedersen from comment #9)
> is thay ready to handle corpus testing ?
> 
> could dns ttl be 86400 for this dns data ?
> 
> or do we as free riders like 1  ?

that would also apply to negative TTL which would render it useless.
Comment 12 Giovanni Bechis 2018-02-21 07:17:11 UTC 
Created attachment 5537 [details]
Removed 25_hashbl.cf rule from diff
Comment 13 Giovanni Bechis 2018-03-02 07:37:04 UTC 
Ping....
Is it ok to import the plugin without adding any rule ?
Comment 14 Kevin A. McGrail 2018-03-02 08:46:02 UTC 
Yes, that's my intention of how to add it.
Comment 15 Giovanni Bechis 2018-03-02 13:58:20 UTC 
Committed in r1825724.