ifspamh error logs

2009-05-01 Thread dave_c00

Hi,

I am trying to get ifspamh working within my .qmail-user file but there is
obviously an error either with the vars set up within the ifspamh file or
somewhere else, as the emails just loop until I change the
.qmail-user file back.

I want to maybe try and run the ifspamh command from the command line to see
if I can get it to work there, and if not it should present me with the
relevant error messages..?

Is this possible and if so how would I feed the message into it?

Would there be any error logs saved from the .qmail-user script that I can
look at now?

My .qmail-user script looks like this:

|/usr/bin/ifspamh s...@address.com
u...@address.com

Any help would be appreciated,

Thanks

Dave
-- 
View this message in context: 
http://www.nabble.com/ifspamh-error-logs-tp23329974p23329974.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Almost no score

2009-05-01 Thread Raymond Dijkxhoorn

Hi!


> > mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
> Looks like they've changed from DSL to DSC! I have a few with DSC in today's
> quarantine, but they were caught by BOTNET rules. Methinks it's time to update
> the above rule to look for DS[A-Z][0-9]{4}\.png or maybe even
> [A-Z]{3}[0-9]{4}\.png

Make that {4,5} since they also vary the size of the filenames...

Bye,
Raymond.


spamassassin block *.png

2009-05-01 Thread vibi

Hello,
How do I use spamassassin to block *.png so that it goes to quarantine?
100% of the spam that gets to me is a plain e-mail with a *.png attachment.



Re: spamassassin block *.png

2009-05-01 Thread Dennis Davis
On Fri, 1 May 2009, vibi wrote:

 From: vibi ml...@go2.pl
 To: users@spamassassin.apache.org
 Date: Fri, 1 May 2009 02:56:34 -0700 (PDT)
 Subject: spamassassin block *.png

 How to use spamassassin block *.png so that going to the quarantine?
 100% of spam that gets to me a plain e-mail with attachment *.png

One possible tool to help reduce this is the FuzzyOcr plugin:

http://fuzzyocr.own-hero.net/

You'll need the other graphics software used by the above plugin.

For example, a message I received a couple of days ago scored:

X-Spam-Report: 1.0/6.0
 Start SpamAssassin results 
*  1.0 DC_IMG_TEXT_RATIO BODY: Low body to pixel area ratio
 End SpamAssassin results

With the addition of the FuzzyOcr plugin it scored:

X-Spam-Status: Yes, score=12.1 required=6.0 tests=FUZZY_OCR,RDNS_NONE
autolearn=disabled version=3.2.5
X-Spam-Report: 
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*   12 FUZZY_OCR BODY: Mail contains an image with common spam text inside
*  [Words found:]
[viagra in 5 lines]
[profit in 1 lines]
[(9 word occurrences found)]
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101
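Added example, not from Dennis's post and not SpamAssassin or FuzzyOcr code: the three checks this thread circles around (vibi's PNG_ATTACHMENT mimeheader rule, Raymond's widened DS[A-Z][0-9]{4,5}.png filename pattern, and the image-part-with-no-text-part check Bob Proulx asks about further down this page) written as plain Python over the stdlib email parser and run against constructed messages. The rule names, the SCORES values, the FAKE_PNG bytes and the four sample messages are assumptions for the demo. The fourth sample is Dave Funk's false-positive case: a user who puts the complaint in the subject, pastes a screenshot and sends with an empty body hits the no-text check just like the spam does, which is why that check has to carry a low score on its own.

```python
"""Rule-style checks for image-attachment spam over the stdlib email parser.
Added example; the rule names, scores and sample messages are constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

# Raymond's widened camera-style filename pattern (DSL/DSC + 4 or 5 digits),
# matched against the decoded filename rather than the raw folded header.
DS_NAME_RE = re.compile(r"^DS[A-Z][0-9]{4,5}\.png$", re.IGNORECASE)

# Assumed scores for the demo; real values would come from mass-checks.
SCORES = {"PNG_ATTACHMENT": 1.0, "DS_DIGIT_PNG": 3.5, "IMAGE_ONLY_NO_TEXT": 1.5}

FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed stand-in for image data


def scan(raw: bytes) -> set:
    """Return the names of the checks a raw RFC 822 message hits."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits, has_text, images = set(), False, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            # an empty text part (Outlook with a pasted screenshot) counts as no text
            if part.get_content().strip():
                has_text = True
        elif ctype.startswith("image/"):
            images += 1
            name = part.get_filename() or ""
            if ctype == "image/png" and name:
                hits.add("PNG_ATTACHMENT")      # vibi's mimeheader rule
            if DS_NAME_RE.match(name):
                hits.add("DS_DIGIT_PNG")        # the DSL/DSC filename rule
    if images and not has_text:
        hits.add("IMAGE_ONLY_NO_TEXT")          # image part(s) but no text part
    return hits


def score(hits: set) -> float:
    return sum(SCORES[h] for h in hits)


def build(text: Optional[str], png_name: Optional[str]) -> bytes:
    """Construct a sample message: optional text body, optional PNG attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "test"
    if text is None:
        m.set_content(FAKE_PNG, maintype="image", subtype="png", filename=png_name)
    else:
        m.set_content(text)
        if png_name:
            m.add_attachment(FAKE_PNG, maintype="image", subtype="png", filename=png_name)
    return m.as_bytes()


# constructed samples, not captured traffic
SPAM_PNG_ONLY = build(None, "DSC01234.png")               # the PNG-only spam
HAM_SCREENSHOT = build("see attached", "error-dialog.png")
HAM_TEXT_ONLY = build("meeting at ten", None)
HAM_PASTED_SCREENSHOT = build("", "image001.png")         # subject-only + pasted image

if __name__ == "__main__":
    for label, raw in [("spam", SPAM_PNG_ONLY), ("screenshot", HAM_SCREENSHOT),
                       ("text", HAM_TEXT_ONLY), ("pasted", HAM_PASTED_SCREENSHOT)]:
        hits = scan(raw)
        print(f"{label:10s} {score(hits):4.1f} {sorted(hits)}")
```

With the assumed scores the PNG-only spam reaches 6.0 and the pasted screenshot 2.5, so the no-text check alone never crosses a 5.0 threshold; the filename pattern is what separates the two, and it is also the part the spammers can change at will, as Raymond's DSL-to-DSC note shows.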


RE: my emailBL is live!

2009-05-01 Thread Jeff Moss
 The chance of a collision really is much smaller than I thought, even
 including the birthday paradox.  But rather than just say it's small and
 ask you to take my word for it I'm providing a link.  The Wikipedia page
 for Birthday Attack has a chart that shows the probability of collision
 for hashes of various lengths.

 http://en.wikipedia.org/wiki/Birthday_attack

Well nuts.  Unless my estimation is wrong, my half-length MD5sum would
be 64-bit and thus the 10^-18 probability of collisions would require
a db of 190 entries rather than full-length MD5sum's 820 billion.

Unless corrected, I'll revise my algorithm this evening.

Well, a 64-bit hash with a 10^-18 probability of collisions would only require 
6 entries in the DB.  However a 10^-12 probability should be good enough 
because there probably aren't a trillion unique email addresses.  A 10^-12 
probability of collision would allow 6 million entries in the DB.
 
This is not to suggest that I ever understood the part about using half-length 
MD5.

  Jeff Moss
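The figures being traded in this exchange come from the birthday bound, n ~ sqrt(2 * 2^b * ln(1/(1-p))). The Python below is an added example (not from the thread) that reproduces the rows of the Wikipedia table for a 64-bit (half-length MD5) and a 128-bit (full MD5) identifier space, and answers the reverse question, the collision probability for a list of a given size; the 4518-entry figure is the feed size quoted later in this thread. Worked values: at 64 bits about 6 entries for p = 10^-18, about 192 for 10^-15 and about 6.1e3 for 10^-12; at 128 bits about 2.6e10 for 10^-18 and about 8.2e11 for 10^-15.

```python
"""Birthday-bound arithmetic for truncated vs full-length hash identifiers.
Added example; the 4518 figure is the feed size mentioned in this thread."""
import math


def entries_for_collision_probability(bits: int, p: float) -> float:
    """Number of distinct keys a bits-bit hash can hold before the chance of at
    least one collision among them reaches p (the rows of the Birthday attack
    table)."""
    space = 2.0 ** bits
    # exact form n ~ sqrt(2 * H * ln(1/(1-p))); log1p keeps precision for tiny p
    return math.sqrt(2.0 * space * -math.log1p(-p))


def collision_probability(bits: int, n: int) -> float:
    """Chance that n distinct keys share at least one bits-bit hash value."""
    space = 2.0 ** bits
    # 1 - exp(-n(n-1)/(2H)); expm1 keeps precision when the result is tiny
    return -math.expm1(-(n * (n - 1)) / (2.0 * space))


if __name__ == "__main__":
    for bits in (64, 128):
        for p in (1e-18, 1e-15, 1e-12):
            n = entries_for_collision_probability(bits, p)
            print(f"{bits:3d}-bit  p={p:.0e}  n ~ {n:.3g}")
    # the 4518-entry feed, keyed by a 64-bit truncated hash
    print(f"p(collision, 64-bit, 4518 entries) = {collision_probability(64, 4518):.2e}")
```

The second function is the one that matters for a list of this size: 4518 entries under a 64-bit truncation give a collision chance of about 5.5e-13, so the truncation was never the risk; the reason to publish full-length hashes anyway is that the zone has to be unambiguous for whatever the feed grows into, and a 32-hex-character label costs nothing in DNS.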




Re: spamassassin block *.png

2009-05-01 Thread vibi

I use FuzzyOCR and it clears a large portion of the image spam.
But the ones with *.png attachments do not get cut out :(
I made these rules:

mimeheader GIF_ATTACHMENT Content-Type =~ /image\/gif;\s*(\n\s+)?name=/
mimeheader PNG_ATTACHMENT Content-Type =~ /image\/png;\s*(\n\s+)?name=/


When I send a test e-mail from my account with a *.png attachment, it goes
into quarantine.
But the spam I see still goes to the mailbox :(






emailBL code

2009-05-01 Thread Adam Katz
Jeff Moss wrote:
 This is not to suggest that I ever understood the part about using
 half-length MD5.

No need.  I'm using full-length hashes now, plus the SURBL/chmod style
IP addresses.  I must have lost the email I was composing on the topic,
but it's fully propagated by now.  I've attached my code.

Note that the code still supports the old truncated string.  I'll rip
that out soon.  Also note that I'm not an advanced perl coder (almost
all of my perl scripts start as POSIX shell scripts, including this one)
... so while I'm happy to get *suggestions*, I'm not so eager for the
insults and hash words this list tends to give instead.
#!/usr/bin/perl
## Generates bind data with the data from the anti-phishing-email-reply project.
## Usage:  emailbl [SUBDOMAIN] DOMAIN
##   Example:  emailbl emailbl khopesh.com
## emailbl v0.6 Copyright (C) 2009 by Adam Katz <scriptsATkhopiscom>, AGPL v3+

use warnings;
use strict;
use Digest::MD5 qw(md5_hex);
use LWP::Simple qw(get);

die "Usage: $0 [SUBDOMAIN] DOMAIN\n" unless @ARGV;
my $subdomain = $ARGV[0];
my $domain    = $ARGV[1];
if (!defined $domain || $domain !~ /./) { $domain = $subdomain; $subdomain = ''; }
else { $domain = "$subdomain.$domain"; }
# $subdomain is the suffix appended to every owner name below; it stays empty
# when the zone itself is the list, so the names remain relative to the origin.
$subdomain = $subdomain ne '' ? ".$subdomain" : '';

# today's date as YYYYMMDD in UTC, used as last-seen for the test entries
my ($mday, $mon, $year) = (gmtime(time))[3, 4, 5];
my $dummy_last_seen = sprintf "%04d%02d%02d", $year + 1900, $mon + 1, $mday;

my $list     = "phishing_reply_addresses";
my $bindconf = "emailbl.db";

open(LIST, ">", $list) or die "$list: $!";
print LIST <<"EOF";
test\@example.com,ABCD,$dummy_last_seen
test\@emailbl.khopesh.com,ABCD,$dummy_last_seen
hidden\@example.com,ABCDZ,$dummy_last_seen
hidden\@emailbl.khopesh.com,ABCDZ,$dummy_last_seen

EOF

# TODO: use subversion!
my $antiphishing_url =
  "http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses";
my $feed = get($antiphishing_url);
die "could not fetch $antiphishing_url\n" unless defined $feed;
print LIST $feed; # saved for debug purposes

close(LIST);

open(BIND, ">", $bindconf) or die "$bindconf: $!";

print BIND "; $domain BIND named, " . gmtime() . " (UTC) from\n";
print BIND "; $antiphishing_url\n\n";

print BIND "; SPF record (just in case)\n";
my $spf = $subdomain;
$spf =~ s/^\.//;
if (!$spf) { $spf = '@'; }
print BIND "$spf\tIN\tTXT\t\"v=spf1 -all\"\n\n";

# more test points - hidden and test can be used as if hashes of themselves.
print BIND "hidden.hash$subdomain\tIN\tTXT\t\"\@hidden\@\"\n";
print BIND "test.hash$subdomain\tIN\tTXT\t\"test\@$domain\"\n";
foreach ("2.0.0.127", "hidden.example.com", "test.$domain", "test.example.com") {
  print BIND "$_$subdomain\tIN\tTXT\t$dummy_last_seen\n";
  print BIND "$_$subdomain\tIN\tA\t127.0.0.15\n";
  #for (my $t=1; $t<5; $t++) {
  #  print BIND "$_$subdomain\tIN\tA\t127.0.0.$t\n";
  #}
}

print BIND "\n\n";

# type letters from the feed map to bits of the last A-record octet,
# SURBL/chmod style (A=1, B=2, C=4, D=8); Z marks addresses to keep hidden
my %type_bit = (A => 1, B => 2, C => 4, D => 8); # needs an entry when we get an E!

open(LIST, "<", $list) or die "$list: $!";
while (<LIST>) {
  next if (!/^[^#@,]+@[^#@,]+,[A-DZ]+,[0-9]{8}\s*$/);
  chomp;

  my ($hash, $usr, $email, $ans, $start, $ustart, $type_list, $last_seen);
  $hash = $email = $start = $type_list = $last_seen = $_;

  $ans = "; " . $_ . "\n"; # copy original as a comment

  $hash =~ s/@.*//;          # local part only ...
  $hash =~ tr [A-Z] [a-z];   # ... lowercased before hashing
  $usr = $hash;
  #$hash = substr(Digest::MD5::md5_hex($hash),16); # 2nd 16 of 32 chars
  $hash = md5_hex($hash);    # 1:3.2e11 collisions vs 1:190 above
  $usr =~ s/^([^+]{1,16}).*/$1/;          # truncate to 16 characters, drop +tags
  $usr =~ s/^[^a-z0-9]+|[^a-z0-9]+$//g;   # fix leading/trailing chars
  $usr =~ s/[^-a-z.0-9]/-/g;              # fix illegal chars

  $email =~ s/,.*//;
  $email = "$hash.hash$subdomain\tIN\tTXT\t\"$email\"\n";

  $start =~ s/^[^@]+@([^,]+),.*/$hash.$1$subdomain\tIN/;
  $ustart = $start;
  $ustart =~ s/$hash/$usr/;

  $type_list =~ s/.*,([A-IZ]+),.*/$1/;
  if ($type_list =~ /Z/) {
    $email =~ s/\t"[^"]*"\n$/\t"\@hidden\@"\n/; # hide the email address
    $type_list =~ s/Z//g;
  }
  my $octet = 0;
  $octet |= $type_bit{$_} || 0 for split //, $type_list;
  $type_list = "\tA\t127.0.0.$octet\n";
  $type_list = $start . $type_list . $ustart . $type_list;

  $last_seen =~ s/^.*,([0-9]+)\s*$/$start\tTXT\t$1\n/;

  $ans .= $email . $last_seen;
  $last_seen =~ s/$hash/$usr/;
  $ans .= $last_seen . $type_list;

  print BIND $ans;
}
close(LIST);

close(BIND);
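To show what a consumer of this zone has to do, here is an added Python example (not Adam's code and not an SA plugin) that rebuilds the script's record layout in memory from a constructed three-row feed and then answers a Reply-To lookup the way a DNS client would: md5 of the lower-cased local part, domain kept in the clear, last octet of the A record decoded back into the feed's A/B/C/D type letters, TXT records for the last-seen date and for the original address (or @hidden@ when the row carried Z). The suffix .emailbl.example.com, the feed rows and the dict standing in for DNS are assumptions. One property of the layout this makes visible: because only the local part is hashed, the domain of every listed address is readable straight out of resolver logs, so the hashing protects the user name, not the domain.

```python
"""Client-side view of the emailBL zone layout the script above emits.
Added example; the feed rows, zone suffix and the dict standing in for DNS
are constructed for the demo."""
import hashlib
import re
from typing import Optional

TYPE_BITS = {"A": 1, "B": 2, "C": 4, "D": 8}   # SURBL/chmod-style bit per feed type
LINE_RE = re.compile(r"^([^#@,]+)@([^#@,]+),([A-DZ]+),([0-9]{8})\s*$")

SUFFIX = ".emailbl.example.com"                 # assumed zone name
FEED = """\
# constructed sample in the feed's address,types,YYYYMMDD layout
Helpdesk.Verify@example.net,AB,20090501
lotto.claims@example.org,CDZ,20090430
this line is not a valid row
"""


def label(address: str) -> str:
    """Owner name for an address: md5 of the lower-cased local part, then the
    domain in the clear (the domain is not hashed in this layout)."""
    local, domain = address.rsplit("@", 1)
    return hashlib.md5(local.lower().encode()).hexdigest() + "." + domain.lower()


def build_zone(feed: str, suffix: str) -> dict:
    """In-memory stand-in for the A/TXT records the generated emailbl.db holds."""
    zone = {}
    for line in feed.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                            # comments, blanks, malformed rows
        local, domain, types, last_seen = m.groups()
        hidden = "Z" in types                   # Z: publish the hash, not the address
        octet = 0
        for t in types.replace("Z", ""):
            octet |= TYPE_BITS[t]
        name = label(f"{local}@{domain}") + suffix
        digest = name.split(".", 1)[0]
        zone[(name, "A")] = f"127.0.0.{octet}"
        zone[(name, "TXT")] = last_seen
        zone[(f"{digest}.hash{suffix}", "TXT")] = "@hidden@" if hidden else f"{local}@{domain}"
    return zone


def lookup(zone: dict, address: str, suffix: str) -> Optional[dict]:
    """What a client learns about a Reply-To address from the zone, or None."""
    name = label(address) + suffix
    a = zone.get((name, "A"))
    if a is None:
        return None
    octet = int(a.rsplit(".", 1)[1])
    digest = name.split(".", 1)[0]
    return {
        "types": [t for t, bit in TYPE_BITS.items() if octet & bit],
        "last_seen": zone.get((name, "TXT")),
        "address": zone.get((f"{digest}.hash{suffix}", "TXT")),
    }


if __name__ == "__main__":
    zone = build_zone(FEED, SUFFIX)
    for addr in ("helpdesk.verify@EXAMPLE.NET", "lotto.claims@example.org",
                 "nobody@example.com"):
        print(addr, "->", lookup(zone, addr, SUFFIX))
```

A real client would issue the same names as A and TXT queries against the published zone instead of reading the dict; the decoding of 127.0.0.N and the @hidden@ convention are the parts worth keeping identical between generator and consumer.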



Re: emailBL code

2009-05-01 Thread Yet Another Ninja

On 5/1/2009 3:56 PM, Adam Katz wrote:

> Jeff Moss wrote:
>
> > This is not to suggest that I ever understood the part about using
> > half-length MD5.
>
> No need.  I'm using full-length hashes now, plus the SURBL/chmod style
> IP addresses.  I must have lost the email I was composing on the topic,
> but it's fully propagated by now.  I've attached my code.
>
> Note that the code still supports the old truncated string.  I'll rip
> that out soon.  Also note that I'm not an advanced perl coder (almost
> all of my perl scripts start as POSIX shell scripts, including this one)
> ... so while I'm happy to get *suggestions*, I'm not so eager for the
> insults and hash words this list tends to give instead.


I'm trying hard to convince myself this data is really useful.

the whole 
http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses 
file has 4518 entries, including vintage 2008


compared to the big_boyz my trap feed is quite small and I collected 
1598 entries during the last 4 hrs


hm

does anybody have any hit metrics?


Re: emailBL code

2009-05-01 Thread Mike Cardwell

Yet Another Ninja wrote:

> > > This is not to suggest that I ever understood the part about using
> > > half-length MD5.
> >
> > No need.  I'm using full-length hashes now, plus the SURBL/chmod style
> > IP addresses.  I must have lost the email I was composing on the topic,
> > but it's fully propagated by now.  I've attached my code.
> >
> > Note that the code still supports the old truncated string.  I'll rip
> > that out soon.  Also note that I'm not an advanced perl coder (almost
> > all of my perl scripts start as POSIX shell scripts, including this one)
> > ... so while I'm happy to get *suggestions*, I'm not so eager for the
> > insults and hash words this list tends to give instead.
>
> I'm trying hard to convince myself this data is really useful.
>
> the whole
> http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses
> file has 4518 entries, including vintage 2008
>
> compared to the big_boyz my trap feed is quite small and I collected
> 1598 entries during the last 4 hrs
>
> hm
>
> does anybody have any hit metrics?


The list was set up to satisfy a very specific group of users that were 
being targetted by a very specific scam. Spear Phishing against Higher 
Education institutions in the UK and USA. It was originally discussed on 
a mailing list run by nd.edu which can only be subscribed to by people 
who are in that particular sector. For that particular group, the list 
has been useful. How useful it is for people outside of that scenario, I 
don't know.


--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)


Re: emailBL code

2009-05-01 Thread Adam Katz
Yet Another Ninja wrote:
 I'm trying hard to convince myself this data is really useful.
 
 the whole 
 http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses
 file has 4518 entries, including vintage 2008
 
 compared to the big_boyz my trap feed is quite small and I
 collected 1598 entries during the last 4 hrs

Well, this is different from traps ... though admittedly not by much.
 The fact that it's updated so frequently is a merit, and the reason
dates are noted is so that you can adjust accordingly.

The emailBL mechanism could easily be populated by a spamtrap, but the
danger from false positives (forged sender addresses) would be quite
real.  Maybe only publish addresses that pass or fail SPF/DKIM/etc, so
that domains without a way to verify authenticity are immune to it?

 does anybody have any hit metrics?

Mike Cardwell responded:
 The list was set up to satisfy a very specific group of users that
 were being targetted by a very specific scam. Spear Phishing
 against Higher Education institutions in the UK and USA. It was
 originally discussed on a mailing list run by nd.edu which can
 only be subscribed to by people who are in that particular sector.
 For that particular group, the list has been useful. How useful it
 is for people outside of that scenario, I don't know.

This is why I set up the emailbl in the first place:  to see what it
does.  We need an SA plugin next.


Re: 'anti' AWL

2009-05-01 Thread Charles Gregory

On Thu, 30 Apr 2009, LuKreme wrote:
No, the senders AWL HURTS new spam.  If the score is -2 from the AWL 
then -2  * -0.2 = 0.4


Ah. Missed the negative. Then this particular piece of the logic is good.
The odds of any AWL(perIP) other than the legit sender having a negative 
average are vanishingly small. So you would gain the benefit of positive 
adjusting spam with almost no chance of an FP


Though again, legit senders that average negative are relatively rare 
(well, on my system, anyways).


So in the unlikely event that spam (from a different server) precedes 
legitimate mail, the legit sender gets a postitive adjustment before they 
have a chance to score negative...
As I understand it the AWL is added after all others, but yes, the FIRST 
legitimate mail will be penalized.


Why only the first? Unless the user's message (and continuing average) 
scores negative, all messages will continue to be affected


Note that this logic will also be problematic when sender has multiple mail 
servers. Many senders get a few points positive...
This will only be an issue if those multiple servers have positive AWL 
scores.


Which is very likely. Spamassassin is constructed on the premise that all 
mail has a 'few' spam signs, but does not score high enough to be 
considered 'spam'.



Now let's presume that the sender is spoofed by spammers on ten different
IP's, producing ten different AWL entries. How will you distinguish the 
legit sender's IP (except by hoping they have scored negative?)... You will 
simply add up ALL the IP AWL's and score *any* mail from the sender

with a significant positive adjustment
As far as I can tell, though it's not easy to be sure, legitimate senders 
have negative AWL scores.


No, the *effect* of their average may be a negative adjustment to messages 
that otherwise score high, but the stored 'average' is most likely 
positive. And for me, it's easy to be sure because I have the score 
printed on the subject line of all my mail. Less than half my ham scores 
zero, and very few (other than the messages from this list which are 
helped by a DNS whitelist) score negative.


But how often does that really happen? As I said, most people get a *few* 
points on legit mail.
But it's not the points on the mail, it is only the AWL listing that we're 
looking at.


And the AWL listing is an average of the points on all mail. Yes?

OK, how do we parse out the AWL numbers then so we can see what sorts of 
AWL numbers exist for legit senders.  As I understand it, if an email 
comes in from a know sender who was average 0.8 and this email scores 
3.0, a negative AWL will be applied to normalize the email closer to 
0.8, right? The AWL score is not 0.8, but 3.0 - (AWL value)?


As I understand it, if the AWL has recorded 20 messages (arbitrary number, 
always increasing) with an average of 0.8, and a new message scores 3.0 
then the AWL function does a bit of math and the new average (now on 
21 messages) will be something like 0.9 while the AWL's effect on that 
one message will be to apply a negative adjustment. But the average stored

in the database would be the average of all scores.

Er.. ok.  Perhaps I am misunderstanding the AWL.  As I understand it, if a 
bunch of spam comes in from a server with average scores of 7.0 and a new 
message comes in with a score of 4, it will have a POSITIVE AWL applied to 
normalize at 7.0.  If a message comes from a know sender with an average 
score of 2, and this email scores 4, it will get a NEGATIVE AWL score to 
normalize closer to 2.0, right?  Since this is a negative AWL 2.a.ii would 
not apply because the AWL is negative, so section 2 is skipped entirely and 
we are at 3. AWL is negative = {crickets}.


But in the long term, a user's messages will be distributed around the 
average, and so half their mail will score 'positive AWL' using your above 
terminology. Still not a good way to determine how/when to apply an 
adjustment.


Also, please keep in mind that the whole reason we are discussing this 
addition to the rules is because we are looking for a way to deal with 
messages that otherwise score very low. So for the 'target class' of mail, 
we are MORE likely to have the spam score equal or lower to the legit 
sender's mail not a pretty picture :(


OK, if the value is 0.1 then it would take up to 50 outbound servers with 
even distribution to add 5.0 points.


But they are adding it to an existing score that may already be slightly 
spammy. So that mail may only need another 2 points to exceed someone's 
chosen threshold.


That's quite possible.  As I said initially, it's jut an idea I had to 
make the AWL penalize botnets much more.  If it can't be done, that's 
fine.  I think there's some promise here though.


While it's easy to think of rules that fit 'most cases', the exceptions 
really make it difficult. Like the user who sends mail normally via 
Outlook via a primary server, but occasionally uses an 

Re: Almost no score

2009-05-01 Thread Charles Gregory


Uh, what do these 'ratware' rules trigger on? 
How effective are they, and what are the chances of false positives?


- Charles

On Thu, 30 Apr 2009, LuKreme wrote:

(single lines)
header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: 
([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary==_NextPart_000__\1\.\2/msi 
# 


header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: 
([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary==_NextPart_000__\1\.\2/msi 
# 


header  KB_RATWARE_BOUNDARYALL =~ /^Message-Id: 
([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary==_NextPart_000__\1\./msi 
# 


score KB_RATWARE_BOUNDARY 2.0
score KB_RATWARE_OUTLOOK_16 0.1


--
Exit, pursued by a bear.



Re: emailBL code

2009-05-01 Thread Jesse Thompson

Yet Another Ninja wrote:

> I'm trying hard to convince myself this data is really useful.
>
> the whole
> http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses
> file has 4518 entries, including vintage 2008
>
> compared to the big_boyz my trap feed is quite small and I collected
> 1598 entries during the last 4 hrs


Hello Yet Another Ninja,

big_boyz: as in a small collection of university postmasters?  I guess 
we should be honored, but I have a feeling that you were being 
condescending.


What exactly are you collecting?  Keep in mind that the APER project is 
very focused on preventing email replies to phishing (hence the name). 
We aren't trying to stop the phishing itself (directly); there are 
others that do that.


If you are the opposite of a big_boy, that must mean that your domain 
is smaller than a large university's, so you must have less than, say, 
50,000 unique active users.  Are you truly saying that every 4 hours you 
have 1598 unique (as in the reply-to is unique) phishing attempts, in 
which the phisher asks one of your users to reply with their credentials?


If what you are saying is true, then you are standing on a gold mine. 
Would you mind contributing to the project?


Even the largest password-reply phishing campaign we've seen was only 
sent to 2500 of our users (and that was using the same reply-to).  On 
average, we see around 200 messages (30 unique reply-to's; not all new) 
of this type of phishing attempt every day.  I assume that the other 
universities see something similar.


As for the vintage of the addresses.  No, I don't have metrics.  But 
most of the addresses are in the freemail domains, and we have no 
indication that the freemail providers are shutting down this type of 
account.  I don't mind scanning logs for, or blocking mail to, the old 
addresses.  But we do include the date (however accurate it is) so you 
can choose to filter the list any way you desire.


Jesse

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thomp...@doit.wisc.edu


smime.p7s
Description: S/MIME Cryptographic Signature


Re: Almost no score

2009-05-01 Thread Charles Gregory

On Thu, 30 Apr 2009, LuKreme wrote:

> > A tip:  the PNG takes up considerably more disk space (and thus
> > loading time) and you're not increasing any quality (since it was
> > originally lossy).
>
> Actually, the PNGs load considerably faster for me as desktop images,
> which is why I convert them.

I agree that bmp or png loads faster for a desktop, but I would suggest,
just as a courtesy to people's bandwidth, that you retain the original
jpg, and mail *that* when you want to send your images to people. And
that's the reason I wouldn't worry about false positives with the
DSL.png rule - most people won't (shouldn't?) be mailing them.

- Charles




--
It was intended that when Newspeak had been adopted once and for
 all and Oldspeak forgotten, a heretical thought...should be
 literally unthinkable, at least so far as thought is dependent
 on words.



RE: Almost no score

2009-05-01 Thread Jean-Paul Natola



On Thu, 2009-04-30 at 09:23 -0400, Jean-Paul Natola wrote:
 Hi all,
 
 I just upgraded to 3.2.5  ran sa-update and I got this message with only
one
 rule tripped
 
 I'm putting a link to the message as well as the headers
 
 If anyone can shed some light here , I would appreciate it.
 
 ftp://ftp.fcimail.org/IT/SA/headers.txt
 

ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no
 %20pain%20and%20dysfunctions.htm
 
 TIA
 
 J
> I couldn't get the whole message so just ran against the headers:
>
>  3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [85.75.94.188 listed in zen.spamhaus.org]
>  0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>  1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
>                             [85.75.94.188 listed in bb.barracudacentral.org]
>  1.0 RCVD_IN_BRBL_RELAY     RBL: received via a relay rated as poor by Barracuda
>  5.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.8,ip=85.75.94.188,rdns=athedsl-132893.home.otenet.gr,maildomain=jaakiekkolaakarit.com,client,clientwords]
>  4.1 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
>                             [score: 0.8897]
> -0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
>                             [localhost 1117; Body=1]
>  1.0 SAGREY                 Adds 1.0 to spam from first-time senders
>
> --
> KeyID 0xE372A7DA98E6705C

---

Evidently I'm missing A LOT of rulesets as I only scored .8 - one rule

I'm running sa-update daily; where are these other rules that you are all running?



Re: Almost no score

2009-05-01 Thread Craig
I could be asking the same thing as Charles; if I am, I apologize.
 
I installed the rules below, ran the headers.txt file through SA, and the rules
did not trigger.  Do I need to configure something else?
 
Thanks
Craig

 Charles Gregory cgreg...@hwcn.org 5/1/2009 9:48 AM 

Uh, what do these 'ratware' rules trigger on? 
How effective are they, and what are the chances of false positives?

- Charles

On Thu, 30 Apr 2009, LuKreme wrote:
 (single lines)
 header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: 
 ([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
  
 # 

 header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: 
 ([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
  
 # 

 header  KB_RATWARE_BOUNDARYALL =~ /^Message-Id: 
 ([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary==_NextPart_000__\1\./msi
  
 # 

 score KB_RATWARE_BOUNDARY 2.0
 score KB_RATWARE_OUTLOOK_16 0.1


 -- 
 Exit, pursued by a bear.



Looks like sa-learn --spam troubles

2009-05-01 Thread Gene Heskett
Greetings all;

I have a script that runs daily against whatever I put in the spam folder, and 
it is suddenly having a hard time.

The error:
bayes: unknown packing format for bayes db, please re-learn: 73 at 
/usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line 
1883.

This seems to be repeated at about 3x for every spam I put in the spam folder.
Obviously someone has figured out a way to poison the bayes_db.

Is there a fix?

Thanks.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
Do you know the difference between a yankee and a damyankee?

A yankee comes south to *_visit*.



Re: emailBL code

2009-05-01 Thread Yet Another Ninja

On 5/1/2009 4:52 PM, Jesse Thompson wrote:

> Yet Another Ninja wrote:
>
> > I'm trying hard to convince myself this data is really useful.
> >
> > the whole
> > http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses
> > file has 4518 entries, including vintage 2008
> >
> > compared to the big_boyz my trap feed is quite small and I collected
> > 1598 entries during the last 4 hrs
>
> Hello Yet Another Ninja,
>
> big_boyz: as in a small collection of university postmasters?  I guess
> we should be honored, but I have a feeling that you were being
> condescending.


Feel as you please.
I manage a relatively small trap space compared to some of the players 
here, so I meant what I said. Traps never correlate to a number of 
specific rcpt addresses, only.


> If you are the opposite of a big_boy, that must mean that your domain
> is smaller than a large university's, so you must have less than, say,
> 50,000 unique active users.
I'm definitely smaller, that doesn't mean that trap traffic can't be 
huge. Traps aren't active - they sit there and get hammered.


> Are you truly saying that every 4 hours you
> have 1598 unique (as in the reply-to is unique) phishing attempts, in
> which the phisher asks one of your users to reply with their credentials?


nope - I'm collecting generic drop boxes type of stuff and not specific 
phishes for a specific group.
these include phishes, lotto scams, etc using specific domains. (not 
rcpt domains)


> If what you are saying is true, then you are standing on a gold mine.
> Would you mind contributing to the project?


every school, corp,ISP, soho server, etc is standing on a similar gold 
mine, I'm not re-inventing the wheel.
Only little drawback is how to centralize (or not) all this gold to make 
it useful to more than me and my dog.

Until I have some minimal metrics I can't say.

> As for the vintage of the addresses.  No, I don't have metrics.  But
> most of the addresses are in the freemail domains, and we have no
> indication that the freemail providers are shutting down this type of
> account.  I don't mind scanning logs for, or blocking mail to, the old
> addresses.  But we do include the date (however accurate it is) so you
> can choose to filter the list any way you desire.


no need to go through that trouble - you guys know its value; once apps
are here to test the data, others outside your space will report,
I'm sure.


We have different targets. I misunderstood APER's

this is all work in progress so keep tuned

Axb


Re: Almost no score

2009-05-01 Thread Jeff Mincy
   From: Charles Gregory cgreg...@hwcn.org
   Date: Fri, 1 May 2009 10:48:00 -0400 (EDT)
   
   Uh, what do these 'ratware' rules trigger on? 

The rules trigger on spam with a particular Message-Id and boundary pattern.

   How effective are they, and what are the chances of false positives?

For last month the KB_RATWARE_OUTLOOK_08 rule hits 
21% of spam (4665 hits out of 21748 spam).   It works great here.
I haven't seen any FP.  Your mileage may vary.

I got the rules from Karsten's sandbox:
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/kb/70_misc.cf

I would imagine that these rules will eventually show up in sa-update.
-jeff

   


Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Theo Van Dinter
I would say it's less someone poisoning your DB and more your DB
becoming corrupt.  As it says, a pack format of dec(73) is not a valid
value.  It's set by the BayesStore module itself, not influenced by
the token in question.

You can try to do a dump/verify/restore ...  ala:

sa-learn --sync
sa-learn --backup > db-dump
vi db-dump   [... make sure things look as expected, etc ...]
[... backup your db, however appropriate, depending on your setup ...]
sa-learn --restore db-dump



On Fri, May 1, 2009 at 11:23 AM, Gene Heskett gene.hesk...@verizon.net wrote:
 The error:
 bayes: unknown packing format for bayes db, please re-learn: 73 at
 /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line
 1883.

 This seems to be repeated at about 3x for every spam I put in the spam folder.
 Obviously someone has figured out a way to poison the bayes_db.

 Is there a fix?


Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Karsten Bräckelmann
On Fri, 2009-05-01 at 11:23 -0400, Gene Heskett wrote:
 bayes: unknown packing format for bayes db, please re-learn: 73 at 
 /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line 
 1883.
 
 This seems to be repeated at about 3x for every spam I put in the spam folder.
 Obviously someone has figured out a way to poison the bayes_db.

No.  No poison, not triggered externally.

After a brief look at the code, this is a warning in an internal
function that unpacks the DBM bayes store internal format. Looks like a
corrupted token entry in your DBM format bayes store DB.

Please don't scream exploit, unless you had a look at the code.


 Is there a fix?

Frankly, dunno. If it's just a few token entries, it should be fixable
by dropping them. Though if a large part of your Bayes DB is corrupted,
I'm afraid it's time to start fresh.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Bombed by PNG spam and spamassassin say its HAM argh

2009-05-01 Thread Bob Proulx
Dave Funk wrote:
 Bob Proulx wrote:
 I was about to write the list and ask if there is a rule that could be
 triggered when a message [contains] only an image part but no text parts.

 There should already be rules for that exact format.

Which rules?  I see no rule hits here.

I see that I can use ImageInfo and can create a ONE_IMAGE rule.  But I
don't see a similar TextInfo module and so can't create a similar
ONE_TEXT rule.  Is there an existing way to do this?

 We see FPs on them when users e-mail in a windows screen capture to
 show us a particular error they're getting. They'll put the
 complaint in the subject line, paste the image into their Outlook 
 hit 'send'.

Yes.  It is well documented that people will do the darnedest things!

I don't doubt that they would have FPs as a general case.  But that is
why I included the weasel words here in my note.  But even if not
100% assured everywhere then scoring it appropriately for general
distribution should still allow it to increase the effectiveness of
the rules for the masses.  And then I could score it up.

 As far as I can tell that would work great here and for me no false
 positives.

Specifically here that would be okay.  It might not be good for
other people but it would be good here and would really help with the
current image only spam.

Bob


Re: ifspamh error logs

2009-05-01 Thread Karsten Bräckelmann
On Fri, 2009-05-01 at 01:38 -0700, an anonymous Nabble wrote:
 I am trying to get ifspamh working within my .qmail-user file but there is
 obviously an error either with the vars set up within the ifspamh file or
 somewhere else as the emails are just looping until I change the
 .qmail-user file back.
 
 I want to maybe try and run the ifspamh command from the line to see if I
 can get it work there and if not it should present me with the relevant
 error messages..?

Slightly off-topic, I guess -- at least it is an old script meant to
call SA...

 Is this possible and if so how would I feed the message into it?
 
 Would there be any error logs saved from the .qmail-user script that I can
 look at now?

Now that's off-topic. :)

 My .qmail-user script looks like this:
 
 |/usr/bin/ifspamh s...@address.com
 u...@address.com

Err -- are you *forwarding* mail back to the *same* user? Yeah, sounds
like a loop indeed...

 Any help would be appreciated,

Please note that I do *not* know qmail -- just got curious, and looked
up some info on that script and the dot-qmail man page.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Almost no score

2009-05-01 Thread John Hardin

On Fri, 1 May 2009, Raymond Dijkxhoorn wrote:


 mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/


Make that 4,5 since they also vary the size of the filenames...


You might also want to use \d instead of [0-9]. Bytes don't grow on 
trees, y'know.


:)

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Warning Labels we'd like to see #1: If you are a stupid idiot while
 using this product you may hurt yourself. And it won't be our fault.
---
 7 days until the 64th anniversary of VE day


Re: emailBL code

2009-05-01 Thread John Hardin

On Fri, 1 May 2009, Adam Katz wrote:


The emailBL mechanism could easily be populated by a spamtrap, but the
danger from false positives (forged sender addresses) would be quite
real.


How would the phisher collect the password info from their target using a 
forged sender address?


Suggestion: ignore the sender address if there is a Reply-To: header or if 
there is an email address in the body of the message. There might need to 
be some logic around detecting the contact address in the message body - 
there could be garbage addresses inserted to get the phishtrap to ignore 
the sender address...


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Warning Labels we'd like to see #1: If you are a stupid idiot while
 using this product you may hurt yourself. And it won't be our fault.
---
 7 days until the 64th anniversary of VE day


Re: Almost no score

2009-05-01 Thread John Hardin



 mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/


It seems a wave of image spam is going out. Would it be reasonable to push 
this rule (with suitable modifications for length, etc.) and/or the 
ImageInfo version out as a base SA update so that the most people can 
benefit?


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Warning Labels we'd like to see #1: If you are a stupid idiot while
 using this product you may hurt yourself. And it won't be our fault.
---
 7 days until the 64th anniversary of VE day


Re: emailBL code

2009-05-01 Thread John Hardin

On Fri, 1 May 2009, Yet Another Ninja wrote:

Only little drawback is how to centralize (or not) all this gold to make 
it useful to more than me and my dog.


I (and I'm sure others) would be willing to feed phishing corpora from our 
quarantines, so long as it's easy to do.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Warning Labels we'd like to see #1: If you are a stupid idiot while
 using this product you may hurt yourself. And it won't be our fault.
---
 7 days until the 64th anniversary of VE day


Re: [SA] emailBL code

2009-05-01 Thread Adam Katz
John Hardin wrote:
 How would the phisher collect the password info from their target using
 a forged sender address?

A web form.



Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread jason_quick

Hello,

I have been trying to find a way to automatically move messages that have
been tagged as spam by SA to my virtual users' .Junk folder. I need this to
happen server-side because my users use IMAP, and most email clients don't
allow filtering rules to deposit mail into an IMAP folder. My MTA is
Postfix, and it will not allow me to call procmail for virtual accounts for
Security Reasons. I have extensively searched the net and mailing lists
and have not found a solution. As a last resort I am considering creating a
grep-based filter, but that seems expensive. I am really hoping someone can
point me in the right direction.

spamassassin-3.2.5-1
postfix-2.3.3-2.1
dovecot-1.0.7-7
procmail-3.22-17.1
CentOS 5.1

Thanks so much, 
--Jason



Re: Re: Bombed by PNG spam and spamassassin say its HAM argh

2009-05-01 Thread Michelle Konzack
Hi Bob,

Am 2009-04-30 21:41:30, schrieb Bob Proulx:
 I was about to write the list and ask if there is a rule that could be
 triggered when a message contains only an image part but no text parts.  I
 have no idea how to create it but that would be very useful for me and
 this type of spam.  As far as I can tell that would work great here
 and for me no false positives.

Currently I am trying to get it running in courier localmailfilter by
using a procmail rule:

# PNG-only spam of this campaign: 16500 to 18500 bytes, multipart/mixed
# wrapper with an image/png part
:0
* > 16500
* < 18500
* H ?? ^Content-Type: multipart/mixed
* B ?? ^Content-Type: image/png
.Spam_png/

This rule has already collected over 480 MByte...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   Apt. 917
http://www.flexray4linux.org/   50, rue de Soultz
Jabber linux4miche...@jabber.ccc.de   67100 Strasbourg/France
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886Tel. FR: +33  6  61925193




Re: [SA] emailBL code

2009-05-01 Thread John Hardin

On Fri, 1 May 2009, Adam Katz wrote:


John Hardin wrote:
How would the phisher collect the password info from their target using 
a forged sender address?


A web form.


Hrm. Okay, I'll buy that. If you're going to spearfish a specific 
organization then it would be reasonable to put the effort into forging a 
password capture website that looks plausible.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance doesn't make stuff not exist.   -- Bucky Katt
---
 7 days until the 64th anniversary of VE day


Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread Evan Platt

At 10:23 AM 5/1/2009, you wrote:

I have been trying to find a way to automatically move messages that have
been tagged as spam by SA to my virtual users' .Junk folder. I need this to
happen server-side because my users use IMAP, and most email clients don't
allow filtering rules to deposit mail into an IMAP folder. My MTA is
Postfix, and it will not allow me to call procmail for virtual accounts for
Security Reasons. I have extensively searched the net and mailing lists
and have not found a solution. As a last resort I am considering creating a
grep-based filter, but that seems expensive. I am really hoping someone can
point me in the right direction.

spamassassin-3.2.5-1
postfix-2.3.3-2.1
dovecot-1.0.7-7
procmail-3.22-17.1
CentOS 5.1


As Spamassassin is not capable of this, your best bet is to ask on a 
postfix group.


 postfix-us...@postfix.org. 



Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread John Hardin

On Fri, 1 May 2009, jason_quick wrote:

I have been trying to find a way to automatically move messages that 
have been tagged as spam by SA to my virtual users' .Junk folder.


Strictly speaking that isn't the province of SA. SA is only a scoring 
tool.



procmail-3.22-17.1


If procmail is your LDA, that's the place to make delivery decisions.

If you search the SA list archives for procmail you'll probably get lots 
of ways to do that. You could probably also search the procmail list 
archives for spamassassin and get lots of ways as well.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance doesn't make stuff not exist.   -- Bucky Katt
---
 7 days until the 64th anniversary of VE day


Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread Dave Walker
jason_quick wrote:
 Hello,

 I have been trying to find a way to automatically move messages that have
 been tagged as spam by SA to my virtual users' .Junk folder. I need this to
 happen server-side because my users use IMAP, and most email clients don't
 allow filtering rules to deposit mail into an IMAP folder. My MTA is
 Postfix, and it will not allow me to call procmail for virtual accounts for
 Security Reasons. I have extensively searched the net and mailing lists
 and have not found a solution. As a last resort I am considering creating a
 grep-based filter, but that seems expensive. I am really hoping someone can
 point me in the right direction.

   
SNIP

Hi Jason,

I use procmail to achieve just this, can you provide some log extracts
on where you are seeing Security Reasons?

Kind Regards,
Dave Walker



Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread John Hardin

On Fri, 1 May 2009, John Hardin wrote:


On Fri, 1 May 2009, jason_quick wrote:


 I have been trying to find a way to automatically move messages that have
 been tagged as spam by SA to my virtual users' .Junk folder.


Strictly speaking that isn't the province of SA. SA is only a scoring tool.


 procmail-3.22-17.1


If procmail is your LDA, that's the place to make delivery decisions.


Whoops. I skipped over the part where this won't work for your virtuals. 
Sorry!


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance doesn't make stuff not exist.   -- Bucky Katt
---
 7 days until the 64th anniversary of VE day


Re: [SA] Almost no score

2009-05-01 Thread Adam Katz
John Hardin wrote:
  mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
 
 It seems a wave of image spam is going out. Would it be reasonable to
 push this rule (with suitable modifications for length, etc.) and/or the
 ImageInfo version out as a base SA update so that the most people can
 benefit?

My dialog with aixenv on irc://irc.freenode.net/#spamassassin (and
other parts of this thread) yielded a slightly more flexible regex,
matched with the fact that the image always has the same dimensions:

mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
body __PNG_240_400 eval:image_size_exact('png',240,400)
meta DSCL4DIG_PNG __DSCL4_PNG && __PNG_240_400
describe DSCL4DIG_PNG Supposed digital camera photo is a PNG

Probably the mimeheader check alone is enough.

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam


Re: [SA] Almost no score

2009-05-01 Thread Martin Gregorie
On Fri, 2009-05-01 at 14:04 -0400, Adam Katz wrote:

 mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
 body __PNG_240_400 eval:image_size_exact('png',240,400)
 meta DSCL4DIG_PNG __DSCL4_PNG && __PNG_240_400
 describe DSCL4DIG_PNG Supposed digital camera photo is a PNG
 
 Probably the mimeheader check alone is enough.
 
Just got the first one I've seen in this spam campaign. The mimeheader
in this case has no image name, which strikes me as a sure fire spam
recogniser, or can drag'n drop cause that with some MUAs?

Combining a noname image with no body text and/or the usual collection
of meds/porno words/phrases in the subject line should be fairly
reliable.

Martin




Re: emailBL code

2009-05-01 Thread Jesse Thompson

John Hardin wrote:

On Fri, 1 May 2009, Adam Katz wrote:


The emailBL mechanism could easily be populated by a spamtrap, but the
danger from false positives (forged sender addresses) would be quite
real.


On a related note: you also need to worry about the phishers 
intentionally forging the Reply-To with normal addresses in an attempt 
to poison the list.



Suggestion: ignore the sender address if there is a Reply-To: header or 
if there is an email address in the body of the message. There might 
need to be some logic around detecting the contact address in the 
message body - there could be garbage addresses inserted to get the 
phishtrap to ignore the sender address...


That's what we do.  We've had lengthy discussions about this issue.  It 
all boils down to accurately gauging the intention of the phisher, which is 
essentially impossible to automate.


It gets tricky when you consider the situation where the phisher 
intended the user to reply to the address included in the body, but the 
user doesn't pay attention and replies to the From instead, *and* the 
phisher happens to still have access to the original compromised account 
(the From address) used to send the phish.  So, it makes sense to add 
the From to the list in this case.  However, the account in question is 
usually cleaned up by the email provider quickly, so now a normal user's 
address is on the list.  And... to make matters worse, that user will 
potentially start receiving credentials from other users that are 
replying to the phish messages.


Anyway, here is the current state of how we classify the addresses:

Possible values for TYPE:

A: The ADDRESS was used in the Reply-To header.

B: The ADDRESS was used in the From header.

C: The content of the phishing message contained the ADDRESS.

D: The content of the phishing message contained the ADDRESS,
and it was obfuscated.

E: The ADDRESS (usually in the From header) might receive replies
but it was not intended to receive the replies.

Note: unless otherwise specified, in order for the ADDRESS to
  qualify for each TYPE, it must have been intended to
  receive the replies.

Jesse

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thomp...@doit.wisc.edu
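
Jesse's A to E scheme, combined with John Hardin's suggestion of ignoring the sender address whenever a Reply-To or a body address is present, as an added Python example that is not code from the list or from the emailBL/APER project. The de-obfuscation regex (bracketed or spaced `at` / `dot`) is my own heuristic, the three messages are constructed, and the choice between B and E for the From address is my reading of the two posts, with the caveat Jesse gives: the phisher's intent cannot be reliably automated.

```python
"""Classify the addresses in a password-reply phish along Jesse's A-E scheme."""
import re
from email import message_from_string
from email.utils import getaddresses

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Obfuscated drop boxes such as "helpdesk [at] example-webmail [dot] net" (my heuristic).
_SEP_AT = r"(?:\s+|\s*[\[\(]\s*)at(?:\s+|\s*[\]\)]\s*)"
_SEP_DOT = r"(?:\s+|\s*[\[\(]\s*)dot(?:\s+|\s*[\]\)]\s*)"
OBFUSCATED_RE = re.compile(
    r"\b([\w.+-]+)" + _SEP_AT + r"([\w-]+(?:" + _SEP_DOT + r"[\w-]+)+)", re.I)


def deobfuscate(match):
    """Turn 'user [at] host [dot] tld' back into user@host.tld."""
    local, domain = match.group(1), match.group(2)
    return (local + "@" + re.sub(_SEP_DOT, ".", domain, flags=re.I)).lower()


def classify_reply_addresses(raw):
    """Return {address: TYPE} for one phishing message (single-part text assumed).

    A  Reply-To address            C  plain address in the body
    D  obfuscated body address     B  From, when nothing else could receive replies
    E  From, when a Reply-To or body address was the intended drop box
    The From is demoted to E following John Hardin's suggestion; this is a
    heuristic, since the phisher's real intent is not visible in the message.
    """
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    reply_to = [a.lower() for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
    plain = {a.lower() for a in ADDR_RE.findall(body)}
    obfuscated = {deobfuscate(m) for m in OBFUSCATED_RE.finditer(body)} - plain

    types = {}
    for a in reply_to:
        types[a] = "A"
    for a in plain:
        types.setdefault(a, "C")
    for a in obfuscated:
        types.setdefault(a, "D")
    intended_elsewhere = bool(reply_to or plain or obfuscated)
    for a in senders:
        types.setdefault(a, "E" if intended_elsewhere else "B")
    return types


# Constructed sample phishes (not messages from the thread).
SAMPLE_REPLY_TO = """\
From: Webmail Support <support@compromised-account.example>
Reply-To: verify.account@free-mail.example
Subject: Your webmail is expired!!!

Reply to this message with your username and password to keep your account.
"""
SAMPLE_BODY_ADDR = """\
From: IT Helpdesk <helpdesk@compromised-account.example>
Subject: Mailbox quota exceeded

Send your username and password to helpdesk [at] example-webmail [dot] net
or to upgrade@example-webmail.net before Friday.
"""
SAMPLE_FROM_ONLY = """\
From: admin@compromised-account.example
Subject: Account verification

Reply to this message with your password.
"""


def main():
    for raw in (SAMPLE_REPLY_TO, SAMPLE_BODY_ADDR, SAMPLE_FROM_ONLY):
        print(classify_reply_addresses(raw))


if __name__ == "__main__":
    main()
```

Only A, C and D entries are candidates for an outbound block list; the E entries are exactly the compromised-but-soon-cleaned accounts Jesse warns about, so they belong in a separate, short-lived bucket rather than in the list proper.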


smime.p7s
Description: S/MIME Cryptographic Signature


Re: Almost no score

2009-05-01 Thread LuKreme

On 1-May-2009, at 08:48, Charles Gregory wrote:

Uh, what do these 'ratware' rules trigger on?


Spammish message IDs with spammish MIME boundary tags.

Message-ID: 000d01c9c74c$bc2f05d0$6400a...@venomousf
From: Shannon England venomo...@blackmanlawoffice.com
Subject: We hae the best alarm-clocks for your little  buddy down there.
Date: Mon, 27 Apr 2009 11:27:54 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0075_01C9C74C.BC2F05D0

matches, for example.


How effective are they,


They catch quite a lot of spam that otherwise does not score high  
enough to be caught.



and what are the chances of false positives?


I've not had any myself. YMMV.


--
The most perfidious way of harming a cause consists of defending
it deliberately with faulty arguments.
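
To make concrete what LuKreme describes the rules triggering on, here is an added Python check that is not code from the list or from the rule's author. It pulls the two hex halves out of an Outlook-style Message-Id and the tail of the `----=_NextPart_000_` boundary and reports which of the three correlations (first half only, first half plus four digits, both halves) hold. The regexes are my reading of the rules quoted earlier in the thread; they allow for the four hex digits that precede the first captured half in the sample Message-Id, and the header blocks below are constructed.

```python
"""Which of the KB_RATWARE_* correlations a header block triggers."""
import re

# Message-Id in the Outlook Express shape: <NNNN AAAAAAAA $ BBBBBBBB $ ...>.
# The sample on the list (000d01c9c74c$bc2f05d0$...) has four hex digits before the
# first captured half, so this pattern allows for them (my reading of the rules).
MSGID_RE = re.compile(
    r"^Message-Id:\s*<?[0-9a-f]{4}([0-9a-f]{8})\$([0-9a-f]{8})\$", re.I | re.M)
# MIME boundary of the matching shape: ----=_NextPart_000_NNNN_AAAAAAAA.BBBBBBBB
BOUNDARY_RE = re.compile(
    r'boundary="?-*=_NextPart_000_[0-9a-f]{4}_([0-9a-f]{8})\.([0-9a-f]{8})"?', re.I)


def ratware_outlook_checks(raw_headers):
    """Return a dict naming which of the three rules would fire on this header block.

    BOUNDARY:    first Message-Id half equals first boundary half
    OUTLOOK_12:  ... and the first 4 hex digits of the second halves agree
    OUTLOOK_16:  ... and the second halves agree completely
    The three are nested, so a message firing OUTLOOK_16 fires all three.
    """
    hits = {"KB_RATWARE_BOUNDARY": False,
            "KB_RATWARE_OUTLOOK_12": False,
            "KB_RATWARE_OUTLOOK_16": False}
    m = MSGID_RE.search(raw_headers)
    b = BOUNDARY_RE.search(raw_headers)
    if not (m and b):
        return hits
    id1, id2 = m.group(1).lower(), m.group(2).lower()
    b1, b2 = b.group(1).lower(), b.group(2).lower()
    hits["KB_RATWARE_BOUNDARY"] = id1 == b1
    hits["KB_RATWARE_OUTLOOK_12"] = id1 == b1 and id2[:4] == b2[:4]
    hits["KB_RATWARE_OUTLOOK_16"] = id1 == b1 and id2 == b2
    return hits


# Constructed header blocks (not messages from the thread).
FULL_MATCH = """\
Message-ID: <000d01c9c74c$bc2f05d0$6400a8c0@examplehost>
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed;
\tboundary="----=_NextPart_000_0075_01C9C74C.BC2F05D0"
"""
PARTIAL_MATCH = FULL_MATCH.replace("BC2F05D0", "BC2F1234")  # only 4 digits of 2nd half agree
NO_MATCH = FULL_MATCH.replace("01C9C74C", "0BADF00D")       # first halves differ


def main():
    for name, block in (("full", FULL_MATCH), ("partial", PARTIAL_MATCH), ("none", NO_MATCH)):
        print(name, ratware_outlook_checks(block))


if __name__ == "__main__":
    main()
```

Because the three tests are nested, a message that satisfies OUTLOOK_16 necessarily satisfies the other two, which is why they tend to fire together; use one of them, or keep the broader ones scored low, as John Hardin notes later in the thread.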



Re: Almost no score

2009-05-01 Thread LuKreme

On 1-May-2009, at 12:04, Adam Katz wrote:

mimeheader __DSCL4_PNG Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
body __PNG_240_400 eval:image_size_exact('png',240,400)
meta DSCL4DIG_PNG __DSCL4_PNG && __PNG_240_400
describe DSCL4DIG_PNG Supposed digital camera photo is a PNG

Probably the mimeheader check alone is enough.


What are you scoring this at?

I think with the dimensions that could safely score quite high.

I ended up with something like this after adding your image size.

mimeheader DIGI_PNG       Content-Type =~ /name\=\"[a-z]{3,4}_?\d{4,5}\.png\"/

body       __PNG_240_400  eval:image_size_exact('png',240,400)
meta       META_DIGI_PNG  DIGI_PNG && __PNG_240_400
describe   META_DIGI_PNG  240,400 PNG DIGICAM
describe   DIGI_PNG       Digital camera pic name, but png
score      DIGI_PNG       1.0
score      META_DIGI_PNG  2.0


--
Ten Minutes ago you beat a man senseless.
He was senseless before I beat him.
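
The sub-rules discussed across this thread (Bob's "image part but no text part", Martin's nameless image, the digital-camera filename check in its generalised `[a-z]{3,4}_?\d{4,5}\.png` form, and the 240x400 PNG size test) written out as one Python check, as an added example that is not code from the list or from SpamAssassin's ImageInfo plugin. The messages and the PNG bytes are constructed; the size check reads the IHDR chunk directly, which is my own stand-in for `image_size_exact('png',240,400)` with the width-then-height argument order that eval takes.

```python
"""Signals for image-only PNG spam: camera-style name, exact size, no text part."""
import re
import struct
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# LuKreme's generalisation of the filename pattern (DSC12345.png, IMG_1234.png, ...);
# the thread started from DS[CL]\d{4,5}\.png.
DIGICAM_NAME = re.compile(r"^[a-z]{3,4}_?\d{4,5}\.png$", re.I)
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_size(data):
    """Read (width, height) from the IHDR chunk; None if the bytes are not a PNG."""
    if len(data) < 24 or data[:8] != PNG_SIGNATURE or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def image_spam_signals(raw):
    """Evaluate the sub-rules from the thread against one RFC 822 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sig = {"NO_TEXT_PART": True, "ONE_IMAGE": False, "DIGICAM_PNG_NAME": False,
           "NONAME_IMAGE": False, "PNG_240_400": False}
    images = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            sig["NO_TEXT_PART"] = False          # the ONE_TEXT counterpart Bob was missing
        elif ctype.startswith("image/"):
            images += 1
            name = part.get_filename()           # Content-Type name= or Content-Disposition filename=
            if name is None:
                sig["NONAME_IMAGE"] = True       # Martin's nameless attachment
            elif DIGICAM_NAME.match(name):
                sig["DIGICAM_PNG_NAME"] = True   # the mimeheader rule
            if ctype == "image/png" and png_size(part.get_payload(decode=True)) == (240, 400):
                sig["PNG_240_400"] = True        # image_size_exact('png',240,400)
    sig["ONE_IMAGE"] = images == 1
    sig["META_DIGI_PNG"] = sig["DIGICAM_PNG_NAME"] and sig["PNG_240_400"]
    return sig


def make_png(width, height):
    """Constructed minimal PNG: signature plus a valid IHDR chunk (enough for the size check)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    chunk = b"IHDR" + ihdr
    return PNG_SIGNATURE + struct.pack(">I", len(ihdr)) + chunk + struct.pack(">I", zlib.crc32(chunk))


def build_sample(filename, width=240, height=400, with_text=False):
    """Constructed multipart/mixed message carrying one PNG (not a message from the thread)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "constructed sample"
    if with_text:
        msg.set_content("screenshot attached")
    msg.add_attachment(make_png(width, height), maintype="image", subtype="png",
                       filename=filename)
    return msg.as_bytes()


def main():
    for label, raw in (("spam-like", build_sample("DSC12345.png")),
                       ("nameless", build_sample(None)),
                       ("user screenshot", build_sample("DSC12345.png", 800, 600, with_text=True))):
        print(label, image_spam_signals(raw))


if __name__ == "__main__":
    main()
```

The third sample is the false-positive case Dave Funk described: a screenshot with a complaint in the subject line still has a text part and a different size, so only the weak name signal fires, which is the argument for scoring the name alone low and the meta rule higher.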



Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread LuKreme

On 1-May-2009, at 11:23, jason_quick wrote:
I have been trying to find a way to automatically move messages that  
have

been tagged as spam by SA to my virtual users' .Junk folder.


I use procmail to do this on the server.


I need this to
happen server-side because my users use IMAP, and most email clients  
don't

allow filtering rules to deposit mail into an IMAP folder.


What?  I don't think I've ever used a client that didn't allow  
filtering messages to an IMAP folder.



My MTA is
Postfix, and it will not allow me to call procmail for virtual  
accounts


Works for me.

/etc/postfix/main.cf

virtual_transport = procmail

/etc/postfix/master.cf

procmail  unix  -       n       n       -       -       pipe
  -o flags=uhFORD user=vpopmail argv=/usr/local/bin/procmail -t -m USER=${recipient} EXTENSION=${extension} /usr/local/etc/procmailrc.common



--
Against stupidity the gods themselves contend in vain.



Re: Virtual Postfix Users move SPAM to .Junk

2009-05-01 Thread mouss
jason_quick a écrit :
 Hello,
 
 I have been trying to find a way to automatically move messages that have
 been tagged as spam by SA to my virtual users' .Junk folder. I need this to
 happen server-side because my users use IMAP, and most email clients don't
 allow filtering rules to deposit mail into an IMAP folder. My MTA is
 Postfix, and it will not allow me to call procmail for virtual accounts for
 Security Reasons. I have extensively searched the net and mailing lists
 and have not found a solution. As a last resort I am considering creating a
 grep-based filter, but that seems expensive. I am really hoping someone can
 point me in the right direction.
 
 spamassassin-3.2.5-1
 postfix-2.3.3-2.1
 dovecot-1.0.7-7
 procmail-3.22-17.1
 CentOS 5.1
 

your best choice is to upgrade dovecot and use dovecot-sieve.

if that's not possible, maildrop may be a good choice, depending on your
setup (it's easy if all your mailstore belongs to a single uid...)

finally, another option is to use amavisd-new. you can configure it to
redirect spam to user+s...@domain (add extension). then you can play
with postfix and possibly dovecot, depending on how you deliver mail.


in any case, this is not related to spamassassin. depending on your
choice, the appropriate list is one or more of:

dovecot
courier-maildrop
postfix-users
amavis-user



Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Gene Heskett
On Friday 01 May 2009, Theo Van Dinter wrote:
I would say it's less someone poisoning your DB and more your DB
becoming corrupt.  As it says, a pack format of dec(73) is not a valid
value.  It's set by the BayesStore module itself, not influenced by
the token in question.

You can try to do a dump/verify/restore ...  ala:

sa-learn --sync
sa-learn --backup > db-dump
vi db-dump   [... make sure things look as expected, etc ...]
[... backup your db, however appropriate, depending on your setup ...]
sa-learn --restore db-dump

On Fri, May 1, 2009 at 11:23 AM, Gene Heskett gene.hesk...@verizon.net 
wrote:
 The error:
 bayes: unknown packing format for bayes db, please re-learn: 73 at
 /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line
 1883.

 This seems to be repeated at about 3x for every spam I put in the spam
 folder. Obviously someone has figured out a way to poison the bayes_db.

 Is there a fix?

I haven't tried that, but did recover that user's .spamassassin tree from this 
morning when it was ok.  Didn't help.  Where is that db kept?

Thanks.


-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
You have a will that can be influenced by all with whom you come in contact.



Re: emailBL code

2009-05-01 Thread Mandy
On Fri, May 1, 2009 at 7:52 AM, Jesse Thompson
jesse.thomp...@doit.wisc.edu wrote:
 Yet Another Ninja wrote:

 I'm trying hard to convince myself this data is really useful.

I work for a Canadian provincial government, on a system with about
50,000 mailboxes.  I scanned our outbound mail logs over the past 6
months with this data.  There were 31 replies to Your webmail is
expired!! ! type messages in that period.

If we had been blocking outbound mail based on this list, the two
compromised accounts we had to deal with (one of which made the list
in its turn) wouldn't have happened.

I definitely see value here.

 compared to the big_boyz my trap feed is quite small and I collected 1598
 entries during the last 4 hrs

 Hello Yet Another Ninja,

 big_boyz: as in a small collection of university postmasters?  I guess we
 should be honored, but I have a feeling that you were being condescending.

I got the impression he was talking about the major RBL providers
(spamhaus, spamcop), and the commercial filtering vendors.

[snip]

 Even the largest password-reply phishing campaign we've seen was only sent
 to 2500 of our users (and that was using the same reply-to).  On average, we
 see around 200 messages (30 unique reply-to's; not all new) of this type of
 phishing attempt every day.  I assume that the other universities see
 something similar.

After I spend some more time evaluating things, and looking for this
specific type of campaign, I'm planning to start blocking outbound
mail based on your list.  If I develop some tools for finding the
campaigns I'd be happy to contribute the messages.

Austin.


Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Gene Heskett
On Friday 01 May 2009, Karsten Bräckelmann wrote:
On Fri, 2009-05-01 at 11:23 -0400, Gene Heskett wrote:
 bayes: unknown packing format for bayes db, please re-learn: 73 at
 /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line
 1883.

 This seems to be repeated at about 3x for every spam I put in the spam
 folder. Obviously someone has figured out a way to poison the bayes_db.

No.  No poison, not triggered externally.

After a brief look at the code, this is a warning in an internal
function that unpacks the DBM bayes store internal format. Looks like a
corrupted token entry in your DBM format bayes store DB.

Please don't scream exploit, unless you had a look at the code.

 Is there a fix?

Frankly, dunno. If it's just a few token entries, it should be fixable
by dropping them. Though if a large part of your Bayes DB is corrupted,
I'm afraid it's time to start fresh.

The other email procedure I did, and basically, except for a few really long 
lines that I nuked, all ending in @casabyte.com, it looks rather blah.  Is 
this a clue of something I might be able to find with vim's /str finder?
I do note that it sometimes stores the address in the clear, and sometimes in 
a hash that looks like an md5sum or similar.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
If you have nothing to do, don't do it here.



Re: Looks like sa-learn --spam troubles

2009-05-01 Thread Gene Heskett
On Friday 01 May 2009, Theo Van Dinter wrote:
I would say it's less someone poisoning your DB and more your DB
becoming corrupt.  As it says, a pack format of dec(73) is not a valid
value.  It's set by the BayesStore module itself, not influenced by
the token in question.

You can try to do a dump/verify/restore ...  ala:

sa-learn --sync
check

sa-learn --backup > db-dump
check

vi db-dump   [... make sure things look as expected, etc ...]

Using vim I found about 10 lines that were really long, 200+ chars, all ending 
in @casabyte.com, and nuked them.  That is very close to a 1 million line 
file!

[... backup your db, however appropriate, depending on your setup ...]
sa-learn --restore db-dump

Did this twice, the first time I found spamc trying to use it, so I waited 
till it was done and repeated this operation.

Didn't help, maillog is still about 2 screens full of this error for every 
message processed.

Next?


Thanks.

On Fri, May 1, 2009 at 11:23 AM, Gene Heskett gene.hesk...@verizon.net 
wrote:
 The error:
 bayes: unknown packing format for bayes db, please re-learn: 73 at
 /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line
 1883.

 This seems to be repeated at about 3x for every spam I put in the spam
 folder. Obviously someone has figured out a way to poison the bayes_db.

 Is there a fix?


-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
Sand fleas eating the Internet cables



Re: emailBL code

2009-05-01 Thread Adam Katz
Mandy wrote:
 I work for a Canadian provincial government, on a system with about
 50,000 mailboxes.  I scanned our outbound mail logs over the past 6
 months with this data.  There were 31 replies to Your webmail is
 expired!! ! type messages in that period.
 
 If we had had been blocking outbound mail based on this list, the two
 compromised accounts we had to deal with (one of which made the list
 in its turn) wouldn't have happened.
 
 I definitely see value here.

Can you determine how many of those were out-of-office messages?  Then
again, even at just two, if you can stop such compromises, it's worth
it (and then some).

I'd still rather block the offending message than intercept responses
to it (as that means it has suckered users, which means it has wasted
their time).  I see APER as a possible aid in that pursuit, though as
Jesse has mentioned, it is not fully reliable (as to be determined).
Still, these little checks add up, so even if APER gives a message 0.1
points, that might be enough to mark it as spam or even block it at
the door.

As a secondary defense, blocking replies sounds like a grand idea.


Re: Almost no score

2009-05-01 Thread Ned Slider

LuKreme wrote:


This is what I have in local.cf

(single lines)
header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
#

header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
#

header  KB_RATWARE_BOUNDARY    ALL =~ /^Message-Id: ([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary==_NextPart_000__\1\./msi
#

score KB_RATWARE_BOUNDARY 2.0
score KB_RATWARE_OUTLOOK_16 0.1




Can you please explain the rationale behind your scoring. I've just 
installed these 3 rules to test and so far either all 3 are being 
triggered on spam, or none at all. Presumably BOUNDARY is deemed safer 
(less FP potential) than OUTLOOK_12 or OUTLOOK_16.







Re: Almost no score

2009-05-01 Thread John Hardin

On Fri, 1 May 2009, Ned Slider wrote:

Can you please explain the rationale behind your scoring. I've just 
installed these 3 rules to test and so far either all 3 are being 
triggered on spam, or none at all. Presumably BOUNDARY is deemed safer 
(less FP potential) than OUTLOOK_12 or OUTLOOK_16.


Didn't Karsten say they were incremental refinements of the same rule? 
Meaning, you'd only use one...


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  One death is a tragedy; thirty is a media sensation;
  a million is a statistic.  -- Joseph Stalin, modernized
---
 7 days until the 64th anniversary of VE day


Re: Almost no score

2009-05-01 Thread Ned Slider

John Hardin wrote:

On Fri, 1 May 2009, Ned Slider wrote:

Can you please explain the rationale behind your scoring. I've just 
installed these 3 rules to test and so far either all 3 are being 
triggered on spam, or none at all. Presumably BOUNDARY is deemed safer 
(less FP potential) than OUTLOOK_12 or OUTLOOK_16.


Didn't Karsten say they were incremental refinements of the same rule? 
Meaning, you'd only use one...




Quite possibly John, I may well have missed that. I only picked up on 
this today :)