I like CMDSPACE a lot, but find that the false positives are far too high, due to mainstream software manufacturers' software that triggers it. After trying it for a short while, I dropped it down to a small weight, and used it only in combo filters (e.g. CMDSPACE and SNIFFER is great at catching spam).

Based on Matt's contribution to the list a long time ago, I put a good deal of effort into a combo filter that ignores various false positives with END statements, and if the message makes it through all of those, then adds the weight (I use about 30% of my HOLD weight).

This works very well for me. Somebody who hosts mailboxes on their machine will probably also want:

REMOTEIP END CIDR xxxxx/xx

to skip their own space so that Outlook clients aren't triggered. Or make them authenticate and use WHITELIST AUTH (forgive me if I have the details wrong, I just use IMail as a gateway).

There is some risk of false positives here, as noted in the file. Mainly that the bad guys use random header lines to fake the MTA, and could easily use one that will END this test while using zombie software that triggers CMDSPACE. So make sure that your zombie fighting skillz are punishing the messages with a high enough weight to not need the weight from this test.

Merry Christmas!
#Use this file to weight any messages that contain known good text to
#filter on regardless of the other tests or weights. The weight is 0 in the global.cfg
#because our action is going to be WARN only, so we accumulate the weight for each hit
#to offset the positive weight accumulated by other tests, particularly the ip4r tests.
#
#Try to only cancel what you need plus a bit more. It's better to have lots of matches
#with a few points rather than a single match with a large weight. This prevents
#false positives. Try not to use short words, or use even smaller weights.
#
#Each line begins with a comment like this line or is in the format:
#
#Location Weight Filtertype Filtertext
#
#Location can be: BODY, HEADERS, HELO, MAILFROM, REMOTEIP, REVDNS, ALLRECIPS, ANYWHERE, TESTSFAILED, or SUBJECT
#
#Weight can be a positive or negative number to add to the total weight, or END to stop early
#with whatever weight has been accumulated. STOPALLTESTS to prevent processing of this filter
#test and also all filter tests that would have followed it. WHITELIST can also be used in
#place of a weight to automatically whitelist the message, but this will not prevent further
#tests from executing.
#
#Filtertype can be: IS, CONTAINS, STARTSWITH, ENDSWITH, CIDR, NOTIS, NOTCONTAINS, NOTENDSWITH
#
#Filtertext is the case-insensitive text you want to match.
#
#There are also lines to put at the top of the file to control the processing or which can
#be used to short-circuit out of this test.
#
#These can be: STOPATFIRSTHIT x, SKIPIFWEIGHT x, MINWEIGHTTOFAIL x, MAXWEIGHT x, MINWEIGHT x
#SkipIfWeight is only checked once; if the weight is already this, end the test with the "positive score"
#added on as described for this filter file in global.cfg
#MaxWeight is the maximum weight that THIS filter file can produce. Once that weight is reached the test
#ends with a "negative score" added on as described for this filter file in global.cfg as well as the
#weight accumulated by all the tests triggered in this filter.
#MinWeight is the minimum weight that THIS filter file can produce if any of the tests are triggered;
#it is similar to weighting all the individual tests here at 1 and giving a solid minimum weight to
#the "negative score" definition column for this filter file in global.cfg
# ----------------
# This test is to weed out the false positives on our CMDSPACE test. The idea will be to
# eventually drop the CMDSPACE weight in global.cfg to 0 and just use it as a trigger that
# is used by this file. We'll have a bunch of exclusions that END this test that weed out
# our false positives, and at the end we'll assign a positive weight.
# -----------------
SKIPIFWEIGHT 20
TESTSFAILED END NOTCONTAINS CMDSPACE
#Stop this filter file if other tests have been triggered for which we don't want to see the original email
TESTSFAILED END CONTAINS BENTALLVIRUS
TESTSFAILED END CONTAINS SNIFFER
TESTSFAILED END CONTAINS SORBS-ZOMBIE
#Here we're going to add our new skip tests
#People with implementations of Outlook submitting to their own IMail servers will trigger
#CMDSPACE and should either use IMail 8.x and the WHITELIST AUTH option, or should create a
#line in this section to END their client REMOTEIP space, e.g.
REMOTEIP END CIDR a.b.c.0/24
#These entries could be validated separately with the appearance of this line
#with Internet Mail Service (
HEADERS END CONTAINS X-Mailer: Internet Mail Service (
#HEADERS END CONTAINS X-Mailer: Internet Mail Service (5.5.2653.19)
#HEADERS END CONTAINS X-Mailer: Internet Mail Service (5.5.2656.59)
#HEADERS END CONTAINS X-Mailer: Internet Mail Service (5.5.2657.72)
#These entries could be validated separately with the appearance of this line
#X-MIMETrack: Serialize by Router on
HEADERS END CONTAINS X-Mailer: Lotus Notes Release
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 5.0.10 March 22, 2002
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 5.0.11 July 24, 2002
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 5.0.12 February 13, 2003
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 5.0.5 September 22, 2000
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 5.0.8 June 18, 2001
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 6.0.1CF1 March 04, 2003
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 6.0.3 September 26, 2003
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 6.5 September 26, 2003
#HEADERS END CONTAINS X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
#Interesting... the Lotus Notes Out of Office doesn't include the mailer line, just
HEADERS END CONTAINS X-MIMETrack: Serialize by Router on
#Also interesting...cokecce.com [204.124.196.44] has no X-Header for Lotus Notes
#but does have multiple MIMETRACK lines; maybe this happens if their Internet MTA is not Lotus?
HEADERS END CONTAINS X-MIMETrack: Serialize by Notes Server on
#Yet another variation on email from Lotus; this may also have been from an Internet MTA that was not Lotus
HEADERS END CONTAINS X-Mailer: Novell GroupWise Internet Agent
#HEADERS END CONTAINS X-Mailer: Novell GroupWise Internet Agent 6.5.1
#These entries could be validated separately with the appearance of this line
#with Microsoft SMTPSVC (maybe)
#with MailEnable ESMTP (maybe)
#X-Mailer: Microsoft Outlook (maybe)
HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4942.400
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
#HEADERS END CONTAINS X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
#This entry was also in email generated by a Microsoft tool, but it might always also have
#the MIMEOle header line too.
HEADERS END CONTAINS X-Mailer: Microsoft CDO for Windows 2000
#Yet another Microsoft tool; perhaps Exchange 2003 only? No MimeOLE, no MailEnable, no Outlook
#a pity we can't check the Message-ID line, which contains EXCH somewhere in there.
HEADERS END CONTAINS with Microsoft SMTPSVC(6.0.3790.
#These entries could be validated separately with the appearance of this line
#with ESMTP (maybe)
#Content-Type: multipart/alternative; (maybe)
#Content-Type: multipart/mixed; (maybe)
#X-MS-Has-Attach: (maybe)
#X-MS-TNEF-Correlator: (maybe)
#content-class: (always?)
HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft Exchange V6.
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft Exchange V6.0.6375.0
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
#HEADERS END CONTAINS x-mimeole: Produced By Microsoft Exchange V6.0.6556.0
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft Exchange V6.0.6556.0
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
#HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
#More Microsoftness - Exchange 2000 Delivery Status Notifications have this header line
HEADERS END CONTAINS X-DSNContext:
#More Microsoftness - Exchange 200x servers often end their HELO domain with .local due to
#a common Active Directory naming convention
HELO END ENDSWITH .local
#The following two go together; the revdns is bad and there are no other X- headers.
HELO END IS AS-EBLAST.boardoftrade.com
#This appeared in the MessageID: field, which is not exposed as a variable by Declude
HEADERS END CONTAINS x-esmtp: 0 0 1
#The following lines go together; the revdns does not exist and there are no other X- headers.
HELO END ENDSWITH .stamats.com
#Received: from newsletters.stamats.com [204.118.37.54]
#From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
#X-MailPersonHistoryID:
#X-MailPersonSubscriberID:
#X-sender:
#X-MailPersonEmail:
#The following lines go together; the revdns DOES exist and there are these headers.
REVDNS END ENDSWITH launchbox-emailservices.ca
#X-EM-Version: 6, 0, 1, 0
#X-EM-Registration: #00B06306109813000D50
#X-Sender: [EMAIL PROTECTED]
#X-MailPersonHistoryID:
#X-MailPersonSubscriberID:
#X-MailPersonEmail:
#The following lines go together; the revdns DOES exist and there are these headers.
REVDNS END ENDSWITH .dua.utoronto.ca
#X-MailPersonHistoryID: 363
#X-MailPersonSubscriberID: 226508
#X-sender: <[EMAIL PROTECTED]>
#X-MailPersonEmail: [EMAIL PROTECTED]
#The following lines go together; the revdns DOES exist and there are these headers.
REVDNS END ENDSWITH .webcontrolcenter.com
#X-EM-Version: 5, 0, 0, 19
#X-EM-Registration: #01B0530810E603002D00
#Also interesting, I've seen the following lines in zombie spam, so I can't use it alone to identify ham:
#X-Sender: [EMAIL PROTECTED]
#X-Originating-Email: [EMAIL PROTECTED]
#X-Originating-IP: [146.8.218.234]
#X-Message-flag: Authentic Sender, Hash: YmGmCcHg
#The following lines go together; the revdns DOES exist and there are these headers.
REVDNS END ENDSWITH lfemail.com
REVDNS END ENDSWITH lfemail2.com
#Lfercpfield: Email_Address
#Lfecnnusr: 3373
#Lfeuuid: 35lfe11160411lfe1338lfe3373lfe75416
#Lfecnn: Techvibes Newsletter
#The following lines go together; the revdns DOES exist and there are these headers.
REVDNS END ENDSWITH .neocodesoftware.com
#X-Sender: [EMAIL PROTECTED]
#X-MailPersonHistoryID: 187
#X-MailPersonSubscriberID: 12616
#X-MailPersonEmail: [EMAIL PROTECTED]
#ReedExpo.com is apparently too concerned with security to put anything useful in their header
#except this domain name, which may be bogus
HEADERS END CONTAINS X-Mailer-X:
REVDNS END ENDSWITH .myemailserver1.com
#Law Firm ogilvyrenault.ca & ogilvyrenault.com
#X-EM-Version: 6, 0, 1, 3
#X-EM-Registration: #0060630A102210008B30
#X-SMTPExp-Version: 1, 0, 2, 13
#X-SMTPExp-Registration: 00A0320E10340900B865
REMOTEIP END IS 205.205.212.157
HEADERS END CONTAINS X-EM-Version:
HEADERS END CONTAINS X-EM-Registration
#Bally Fitness has no discernible MTA headers and no reverse DNS
REMOTEIP END IS 206.205.135.29
REVDNS END ENDSWITH .Canada.com
REVDNS END ENDSWITH .Pelmorex.ca
REVDNS END ENDSWITH .UPS.com
REVDNS END ENDSWITH .OverStock.com
REVDNS END ENDSWITH .NMINet.com
REVDNS END ENDSWITH .MarketVoyce.net
REVDNS END ENDSWITH .MagnetMail.net
REVDNS END ENDSWITH .XYStar.com
REVDNS END ENDSWITH .EdgarPro.com
REVDNS END ENDSWITH .informz.net
REVDNS END ENDSWITH .blue.aol.com
REVDNS END ENDSWITH .regionalgroup.com
REVDNS END ENDSWITH .winternals.com
REVDNS END ENDSWITH .lfemail.com
REVDNS END ENDSWITH .ntmllc.info
REVDNS END ENDSWITH .beckett.com
REVDNS END ENDSWITH .medco.com
HEADERS END CONTAINS _SmarterMail_NextPart_
HEADERS END CONTAINS X-Mailer: GoldMine [6.50.40704]
HEADERS END CONTAINS X-Mailer: JMail 3.7.0 by Dimac (www.dimac.net)
HEADERS END CONTAINS .JavaMail.
HEADERS END CONTAINS X-SmartMax-AuthUser:
HEADERS END CONTAINS X-Mailer: Dundas Mailer Control
HEADERS END CONTAINS qzsoft_directmail_seperator
HEADERS END CONTAINS X-Mailer: GoldMine [
HEADERS END CONTAINS X-Mailer: POSTIE (
HEADERS END CONTAINS X-Mailer: Version 5.0
HEADERS END CONTAINS InterScan E-Mail VirusWall NT
#Totally subjective and localized false positives that don't have a better way to short-circuit out of this filter file
HELO END ENDSWITH .e-crew.ca
MAILFROM END ENDSWITH @toronto-lime.com
HELO END ENDSWITH .mrslaw.com
MAILFROM END ENDSWITH @cgfassoc.com
HELO END ENDSWITH LIQUIDOFFICE
#The following were all spotted by Matt Bramble and submitted to the Declude JunkMail support list
HEADERS END CONTAINS eSafe
HEADERS END CONTAINS X-Mailer: Direct Mail for Mac OS X
HEADERS END CONTAINS X-BFI:
HEADERS END CONTAINS X-Mailer: eBizmailer3.6
HEADERS END CONTAINS X-YAlerts-TracerId:
HEADERS END CONTAINS X-Mailer: DvISE by Tobit Software
HEADERS END CONTAINS MailID: KIN
REVDNS END ENDSWITH .bigfootinteractive.com
REVDNS END ENDSWITH .ezinedirector.net
REVDNS END ENDSWITH .postsnet.com
REVDNS END ENDSWITH .overture.com
REVDNS END ENDSWITH .expedia.com
#Here we're going to always trigger this test
REMOTEIP 6 CONTAINS .
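To make the mechanics of the filter file concrete, here is an added example (not Declude's code and not the poster's) that parses the "Location Weight Filtertype Filtertext" format described in the header comments, honours END and SKIPIFWEIGHT, and runs a condensed version of the CMDSPACE file above against two constructed messages. Assumed: STOPALLTESTS, WHITELIST and the other top-of-file directives are out of scope, SKIPIFWEIGHT simply makes the file contribute nothing, and the message is supplied as a dict keyed by Location name.

```python
import ipaddress

def parse_filter(text):
    """Return (skip_if_weight, [(location, weight, filtertype, filtertext), ...])."""
    skip_if, rules = None, []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):              # comment or blank line
            continue
        parts = line.split(None, 3)
        if parts[0].upper() == "SKIPIFWEIGHT":           # only header directive handled (assumption)
            skip_if = int(parts[1])
        else:
            loc, weight, ftype, ftext = parts             # Location Weight Filtertype Filtertext
            rules.append((loc.upper(), weight.upper(), ftype.upper(), ftext))
    return skip_if, rules

def matches(ftype, value, ftext):
    """Apply one Filtertype case-insensitively; NOT* types negate the base test."""
    if ftype == "CIDR":
        return bool(value) and ipaddress.ip_address(value) in ipaddress.ip_network(ftext, strict=False)
    v, t = value.lower(), ftext.lower()
    base = {"IS": v == t, "CONTAINS": t in v, "STARTSWITH": v.startswith(t), "ENDSWITH": v.endswith(t)}
    return not base[ftype[3:]] if ftype.startswith("NOT") else base[ftype]

def run_filter(filter_text, msg, current_weight=0):
    """Weight this file adds to msg (dict of Location name -> string); END stops with the running total."""
    skip_if, rules = parse_filter(filter_text)
    if skip_if is not None and current_weight >= skip_if:  # already past the threshold: skip the file
        return 0
    total = 0
    for loc, weight, ftype, ftext in rules:
        if matches(ftype, msg.get(loc, ""), ftext):
            if weight == "END":
                return total
            total += int(weight)
    return total

# Condensed from the file in the post: exclusions END the test, the last rule always fires.
CMDSPACE_FILTER = """
SKIPIFWEIGHT 20
TESTSFAILED END NOTCONTAINS CMDSPACE
TESTSFAILED END CONTAINS SNIFFER
REMOTEIP END CIDR 192.0.2.0/24
HEADERS END CONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V
REMOTEIP 6 CONTAINS .
"""
# Constructed sample messages (documentation IP ranges, not real mail).
OUTLOOK_HAM = {"TESTSFAILED": "CMDSPACE", "REMOTEIP": "203.0.113.9", "HELO": "mail.example.org",
               "HEADERS": "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106\r\n"}
ZOMBIE = {"TESTSFAILED": "CMDSPACE IPNOTINMX", "REMOTEIP": "198.51.100.77",
          "HELO": "mx.example.net", "HEADERS": "Received: from unknown\r\n"}
```

The same evaluator shows the gap the post warns about: a message that copies one of the excluded header lines also ENDs at 0, which is why the weight this file adds must stay well below the HOLD weight.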
