Hi,
Here is the header of one of those spam mails coming through:
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) * on
hermes.intranet.jam-software.com * at Wed, 07 Jan 2009 14:56:26 +0100
X-Spam-Status: No, hits=2.0, required= 5.0, autolearn=no, shortcircuit=no
X-Spam-Report: * 0.3 JAM_DO_STH_HERE BODY: Body contains Click/Order/Press...
Here
* 0.2 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image
area
* 1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of
words
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
* [score: 0.9875]
* 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.9 SARE_UN7 RAW: SARE_UN7
* 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
* [41.209.78.136 listed in zen.spamhaus.org]
* -6.3 AWL AWL: From: address is in the auto white-list
X-Backup: ESTBackupDone
Received: from hacos (41.209.78.136) by Hermes.intranet.jam-software.com
(192.168.123.96) with Microsoft SMTP Server id 8.1.291.1; Wed, 7 Jan 2009
14:55:37 +0100
X-Originating-IP: [20.447.77.419]
X-Originating-Email: [[email protected]]
X-Sender: [email protected]
Return-Path: [email protected]
To: <[email protected]>
Subject: RE:ci.Doctor Rosen
From: <[email protected]>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Message-ID:
<bf5cb4fe-490b-4b50-8b58-18541df5d...@hermes.intranet.jam-software.com>
Date: Wed, 7 Jan 2009 14:55:37 +0100
So as you can see the AWL is the only applied rule which made this spam come
through.
And of cause our own addresses are not on the whitelist.
Harry
> -----Original Message-----
> From: Karsten Bräckelmann [mailto:[email protected]]
> Sent: Friday, January 09, 2009 12:15 AM
> To: [email protected]
> Cc: Harald Binkle
> Subject: [SpamAssassin] Re: eval function comparing the matches of two regular
> expression? - AWL is fooled without
>
> Ah, nice... Apparently you sent the very same message here, too. I
> already deleted the thread on the users list...
>
>
> On Thu, 2009-01-08 at 13:24 +0100, Harald Binkle wrote:
> > What about a new eval function comparing the matches of two regular
> > expression?
> > If there would be a function like
> >
> > eval:Equals(/regex1/,/regex2/) and eval:NOTEquals(/regex1/,/regex2/)
> >
> > it would be easy to define rules like:
> >
> > a rule scoring, say with 0.8 points, if there is only one recipients
> > address and
> > that one equals the senders address but they have different 'name
> > parts'? Like: TO: "User Name" <[email protected]> FROM: "viagra offer"
> > <[email protected]>
>
> Err, given that example -- what about a rule that punishes any mail sent
> "from" your domain with a real name referencing pills? Other options
> have been mentioned on the users list already, IIRC.
>
> I seriously wonder *why* these are a problem in the first place. They
> are quite spammy, and SA shouldn't have any problem assigning a high
> score out of the box. (If you want help how to better identify a
> particular class of spam, provide a link to samples and ask on the users
> list. I got a feeling the "To equals From" is just a pattern you
> spotted, but there are better ways and other issues.)
>
>
> > There are a lot of spam mails with that structure trying to get
> > through because many people have their own domain on the whitelist.
>
> This is NOT an excuse for implementing such a plugin.
>
> Plain whitelist_from your own domain is a gross mis-configuration. Do
> not use it, unless there is no other option. Use the rcvd or auth
> variants.
>
>
> > I tried to set this up as rule but with no luck. I fear it is not
> > possible to do this with a regular expression as it is not possible to
> > compare results of a regular expression in a regular expression.
>
> It *is* possible to do a generic "To equals From" rule using a single
> RE. A few weeks ago when this topic came up, I hacked on this locally
> for some exercise. Didn't polish it, but got a proof of concept.
> Granted, the RE is quite ugly. :)
>
> Also, it absolutely *is* possible to "compare results of a regular
> expression in a regular expression". It's called back references.
>
>
> > And the AWL does not work for mails with this structure. If the sender
> > address was set to the recipients address the AWL is fooled and the
> > mail gets a negative score.
>
> No. AWL does not work on the address alone, but adds the sending IP
> block (/24 IIRC) into account. A spam forged to be sent by you does not
> get a negative score, because the mail does not originate from the same
> network you are using.
>
> The Subject is wrong just the same.
>
>
> > Could someone implement this?
>
> Such a plugin has been posted to the users list before as a proof of
> concept. However, again -- IMHO you are trying to solve your issue by
> throwing more code at it, instead of nailing the real problem. Why are
> they slipping through in the first place?
>
> guenther
>
>
> --
> char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
----------------------------------------------------
JAM Software GmbH
Geschäftsführer: Joachim Marder
Max-Planck-Str. 22 * 54296 Trier * Germany
Tel: 0700-70707050 * Fax: 0700-70707059
(max. 12,4 ct/min, Preise aus Mobilfunknetzen können abweichen)
Handelsregister Nr. HRB 4920 (AG Wittlich) http://www.jam-software.de
