Mailing List Archive

Phishing.pm
Running 3.4.2, spamd daemon.

Just enabled the new Phishing.pm plugin but wondering about the data feeds.
Is that something we need to set up a cron to wget or does the plugin
handle it? Unless my google fu is weak due to a lack of caffeine, I
couldn't find any doc on setting it up.

Thanks for any advice.
Re: Phishing.pm
On Sun, 13 Jan 2019 14:22:40 -0500
Ian Evans wrote:

> Running 3.4.2, spamd daemon.
>
> Just enabled the new Phishing.pm plugin but wondering about the data
> feeds. Is that something we need to set up a cron to wget or does the
> plugin handle it? Unless my google fu is weak due to a lack of
> caffeine, I couldn't find any doc on setting it up.

Try running perldoc on Phishing.pm
Re: Phishing.pm
On 13 January 2019 20:22:40 CET, Ian Evans <dheianevans@gmail.com> wrote:
>Running 3.4.2, spamd daemon.
>
>Just enabled the new Phishing.pm plugin but wondering about the data
>feeds.
>Is that something we need to set up a cron to wget or does the plugin
>handle it? Unless my google fu is weak due to a lack of caffeine, I
>couldn't find any doc on setting it up.
>
>Thanks for any advice.

try Mail::SpamAssassin::Plugin::Phishing

Cheers
Giovanni
Re: Phishing.pm
On 13 January 2019 21:52:19 CET, Giovanni Bechis <giovanni@paclan.it> wrote:
>On 13 January 2019 20:22:40 CET, Ian Evans <dheianevans@gmail.com> wrote:
>>Running 3.4.2, spamd daemon.
>>
>>Just enabled the new Phishing.pm plugin but wondering about the data
>>feeds.
>>Is that something we need to set up a cron to wget or does the plugin
>>handle it? Unless my google fu is weak due to a lack of caffeine, I
>>couldn't find any doc on setting it up.
>>
>>Thanks for any advice.
>
>try Mail::SpamAssassin::Plugin::Phishing
>
> Cheers
> Giovanni

man Mail::SpamAssassin::Plugin::Phishing
to be precise.
Giovanni
RE: Phishing.pm
Giovanni Bechis wrote:
> On 13 January 2019 21:52:19 CET, Giovanni Bechis <giovanni@paclan.it>
> wrote:
>> On 13 January 2019 20:22:40 CET, Ian Evans <dheianevans@gmail.com>
>> wrote:
>>> Running 3.4.2, spamd daemon.
>>>
>>> Just enabled the new Phishing.pm plugin but wondering about the
>>> data feeds. Is that something we need to set up a cron to wget or
>>> does the plugin handle it? Unless my google fu is weak due to a
>>> lack of caffeine, I couldn't find any doc on setting it up.
>>>
>>> Thanks for any advice.
>>
>> try Mail::SpamAssassin::Plugin::Phishing
>>
>> Cheers
>> Giovanni
>
> man Mail::SpamAssassin::Plugin::Phishing
> to be precise.
> Giovanni

Something that isn't answered in the docs is the default score and I am
wondering if SA has to be restarted after each update of the data or does it
reread each time the plugin is called.

Rick Cooper
Re: Phishing.pm
Rick Cooper wrote:
> Giovanni Bechis wrote:
>> man Mail::SpamAssassin::Plugin::Phishing
>> to be precise.
>> Giovanni
>
> Something that isn't answered in the docs is the default score

There doesn't seem to be one set:

root@tiny:/home/kdeugau# sa-update
root@tiny:/home/kdeugau# grep -R URI_PHISHING /var/lib/spamassassin/3.004002/
root@tiny:/home/kdeugau#

although the default score for any rule without one is 1, unless the
rule name begins with T_, in which case the default is 0.01.

> and I am
> wondering if SA has to be restarted after each update of the data or does it
> reread each time the plugin is called

Looks like it loads the data into RAM on SA startup/(reload?).

Someone(TM) with some time on their hands could probably trivially
convert it to use eg a tied hash on a local .cdb file derived from the
source data, instead of keeping a static copy in RAM. Or squash it into
a DNS lookup like a lot of other miscellaneous lookups.

-kgd
Re: Phishing.pm
On Mon, 21 Jan 2019 14:37:38 -0500
Kris Deugau wrote:

> Rick Cooper wrote:

> > and I am
> > wondering if SA has to be restarted after each update of the data
> > or does it reread each time the plugin is called
>
> Looks like it loads the data into RAM on SA startup/(reload?).

It's loaded from check_start() and stored in PerMsgStatus, so it's run
per scan.
Re: Phishing.pm
RW wrote:
> On Mon, 21 Jan 2019 14:37:38 -0500
> Kris Deugau wrote:
>
>> Rick Cooper wrote:
>
>>> and I am
>>> wondering if SA has to be restarted after each update of the data
>>> or does it reread each time the plugin is called
>>
>> Looks like it loads the data into RAM on SA startup/(reload?).
>
> It's loaded from check_start() and stored in PerMsgStatus, so it's run
> per scan.

*digs deeper in SA plugin docs* So it is.

That's, um... possibly not great for performance.

The datasets are smaller than I had thought, but repeatedly loading and
parsing ~3K lines of URL plus whatever else is in the recommended source
files is still going to impose a modest speed hit.

-kgd
Re: Phishing.pm
On 22/01/2019 09:23, Kris Deugau wrote:

> RW wrote:
>> On Mon, 21 Jan 2019 14:37:38 -0500
>> Kris Deugau wrote:
>>
>>> Rick Cooper wrote:
>>
>>>> and I am
>>>> wondering if SA has to be restarted after each update of the data
>>>> or does it reread each time the plugin is called
>>>
>>> Looks like it loads the data into RAM on SA startup/(reload?).
>>
>> It's loaded from check_start() and stored in PerMsgStatus, so it's run
>> per scan.
>
> *digs deeper in SA plugin docs* So it is.
>
> That's, um... possibly not great for performance.
>
> The datasets are smaller than I had thought, but repeatedly loading and
> parsing ~3K lines of URL plus whatever else is in the recommended source
> files is still going to impose a modest speed hit.
>
> -kgd

Indeed it has a speed impact, not a very smart implementation of it.

--
Kind Regards,

Noel Butler

Re: Phishing.pm
On 21 Jan 2019, at 13:58, Rick Cooper wrote:

> Giovanni Bechis wrote:
>> On 13 January 2019 21:52:19 CET, Giovanni Bechis <giovanni@paclan.it>
>> wrote:
>>> On 13 January 2019 20:22:40 CET, Ian Evans <dheianevans@gmail.com>
>>> wrote:
>>>> Running 3.4.2, spamd daemon.
>>>>
>>>> Just enabled the new Phishing.pm plugin but wondering about the
>>>> data feeds. Is that something we need to set up a cron to wget or
>>>> does the plugin handle it? Unless my google fu is weak due to a
>>>> lack of caffeine, I couldn't find any doc on setting it up.
>>>>
>>>> Thanks for any advice.
>>>
>>> try Mail::SpamAssassin::Plugin::Phishing
>>>
>>> Cheers
>>> Giovanni
>>
>> man Mail::SpamAssassin::Plugin::Phishing
>> to be precise.
>> Giovanni
>
> Something that isn't answered in the docs is the default score

If you define a rule using the plugin, you must either give it a score
or it will have the default score of any rule: 1.0.

Note that because the plugin is disabled by default, the default ruleset
distributed via sa-update does not include a rule using the plugin and
so you must define a rule as documented for the plugin to be used at
all.

> and I am
> wondering if SA has to be restarted after each update of the data or
> does it reread each time the plugin is called

It seems to me that the data file is re-read for each scan, so no
restart is needed. Even if I'm mis-reading, it would be re-read for each
new spamd child process (or mimedefang worker) so a restart would not be
*needed* if you can tolerate a delay until children are respawned.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
Re: Phishing.pm
[Pulling this conversation back on-list where I can misinform everyone
publicly]

On 22 Jan 2019, at 5:04, Ian Evans wrote:

> On Tue, Jan 22, 2019 at 2:15 AM Bill Cole
> <sausers-20150205@billmail.scconsult.com> wrote:
>>
>> [snip]
>> Note that because the plugin is disabled by default, the default
>> ruleset distributed via sa-update does not include a rule using the
>> plugin and so you must define a rule as documented for the plugin to
>> be used at all.
>
>
> One thing I'm not clear on:
>
> a) do we need to add this to local.cf:
>
> ifplugin Mail::SpamAssassin::Plugin::Phishing
> phishing_openphish_feed /etc/mail/spamassassin/openphish-feed.txt
> phishing_phishtank_feed /etc/mail/spamassassin/phishtank-feed.csv
> body URI_PHISHING eval:check_phishing()
> describe URI_PHISHING Url match phishing in feed
> endif

Yes. You may want to only use one of the two feeds, put the feed file(s)
in different places, or name the rule something other than URI_PHISHING,
but you need to have a body eval rule calling check_phishing() and the
path to at least one of the feeds specified.

> and b) is that sufficient to "define a rule as documented for the
> plugin to be used at all."

Yes.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
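
Because the thread concludes that the feed file is read again for each scan, whatever a cron job writes to the feed path goes live immediately, so a refresh job should validate the download and replace the file atomically. The script below is an added example, not part of the thread or of the plugin; `install_feed`, `refresh_feed`, `MIN_URLS`, the one-URL-per-line feed format and the operator-supplied feed URL are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): validate a downloaded
# phishing feed (assumed: plain text, one URL per line), then swap it in.

# Sanity floor (arbitrary choice). The thread puts the data at roughly 3K
# lines, so a far smaller file is treated as a truncated download.
MIN_URLS=${MIN_URLS:-100}

# count_urls FILE: print how many lines are a bare http(s) URL
count_urls() {
    grep -c -E '^https?://[^[:space:]]+$' "$1" || true
}

# install_feed SRC DEST: 0 = DEST replaced; 1-3 = SRC rejected, DEST untouched
install_feed() {
    src=$1 dest=$2
    [ -s "$src" ] || { echo "reject: $src missing or empty" >&2; return 1; }
    total=$(grep -c '[^[:space:]]' "$src" || true)   # non-blank lines
    urls=$(count_urls "$src")
    if [ "$urls" -lt "$MIN_URLS" ]; then
        echo "reject: only $urls URL lines, need $MIN_URLS" >&2; return 2
    fi
    if [ "$urls" -ne "$total" ]; then
        echo "reject: $((total - urls)) non-URL lines (error page?)" >&2; return 3
    fi
    # Stage next to DEST so mv is a same-filesystem rename: a scan that opens
    # the feed mid-update sees the old file or the new one, never a partial.
    tmp=$(mktemp "$(dirname "$dest")/.feed.XXXXXX") || return 4
    if cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"; return 4
}

# refresh_feed URL DEST: download to a scratch file, validate, install
refresh_feed() {
    scratch=$(mktemp) || return 4
    rc=5
    if curl --fail --silent --show-error --location --max-time 60 \
            --output "$scratch" "$1"; then
        install_feed "$scratch" "$2" && rc=0 || rc=$?
    fi
    rm -f "$scratch"
    return "$rc"
}

# Cron entry point: refresh-feed.sh FEED_URL /etc/mail/spamassassin/openphish-feed.txt
if [ "$#" -eq 2 ]; then refresh_feed "$1" "$2"; fi
```

A non-zero exit leaves the previous feed file in place, so a failed or truncated download costs freshness rather than coverage.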