A difficult one to weed out?

2009-06-21 Thread Jeremy Morton
OK, so I just got one of those www medsXX com spams, and even though it 
hit my rule and got 2.0 added to it, it still didn't even get over 3 
points.  Looks like it was sent from quite a legit host.  What rules do 
other people get matching for this e-mail?


http://pastebin.com/m3b9629b6

Best regards,
Jeremy Morton (Jez)


Re: interesting phish for yahoo credentials or stupid spammer

2009-06-21 Thread Steve Freegard
Michael Scheidell wrote:
 spam, with a url link in it that opens up a yahoo.com web mail page and
 asks for yahoo.com credentials.
 
 don't know how that can help spammer, unless spammer is looking to only
 get email from yahoo.com users.
 
 see line 119 (highlighted)
 
 http://pastebin.com/m6bb65f86
 
 so, interesting phish or stupid spammer with yahoo.com gooplet installed?
 

X-Mailer: Zimbra 5.0.9_GA_2533.UBUNTU8_64 (zclient/5.0.9_GA_2533.UBUNTU8_64)

Or just Zimbra trying to be helpful and applying its 'cool'
linkification on an outbound mail?

Cheers,
Steve.


Re: A difficult one to weed out?

2009-06-21 Thread Cedric Knight
Jeremy Morton wrote:
 OK, so I just got one of those www medsXX com spams, and even though it
 hit my rule and got 2.0 added to it, it still didn't even get over 3
 points.  Looks like it was sent from quite a legit host.  What rules do
 other people get matching for this e-mail?
 
 http://pastebin.com/m3b9629b6

The IP and hashes score 21.8 for me.

Besides the standard DCC_CHECK, I'm getting hits on the following
non-standard RBLs:

190.244.172.161 listed in hostkarma.junkemailfilter.com
190.244.172.161 listed in uceprotect-level2.dnsbl
190.244.172.161 listed in bb.barracudacentral.org
190.244.172.161 listed in ix.dnsbl.manitu.net
iXhash found @ ix.dnsbl.manitu.net

Maybe you had a DNS problem when it went through, or you were unlucky
enough to be first on the spammer's list.

Here's a (somewhat unreadable) rule I wrote that doesn't have a great
spam ratio on its own, but can be useful in botnet meta rules:

header   NOMATCH_NICK_FROM  From =~ /^?(([A-Z])[a-z][a-z])\w*(?:\s(?:(([A-Z])[a-z][a-z])\w*\s|([A-Z])\.?\s)?(([A-Z])[a-z][a-z])\w*)??\s*(?![a-zA-Z1-9\.\-]*(?:\1|\3|\6))(?!.?\2(?:\4|\5)?.?\7).*?\@(?!.?\2-?(?:\4)?\-?\7)(?![a-zA-Z1-9\.\-]*(?:\1|\3|\6))(?!postmaster\@)(?!mailer-daemon\@)/i
describe NOMATCH_NICK_FROM  From address with no part of name
score    NOMATCH_NICK_FROM  1.0

The idea is to catch random real names attached to random valid email
addresses.

HTH

CK
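The idea behind that rule, written out as an added Python example (not the rule above and not SpamAssassin code) so the logic can be read without the regex: take the display name from From:, and call the address unrelated to it when no three-letter prefix of a name word and no run of the initials appears in the local part or domain, with postmaster and mailer-daemon exempted as in the original. The sample headers are constructed; the nickname case shows why this only belongs in meta rules.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers (not taken from the pastebin in the thread).
SAMPLE_FROM_HEADERS = [
    '"Cedric Knight" <cknight@example.org>',       # surname prefix in local part
    '"J. Morton" <jm-lists@example.net>',          # initials in local part
    '"Lorraine Fuller" <xwrfsfo@example.com.ar>',  # nothing in common: rule fires
    '"Jeremy Morton" <jez@example.net>',           # nickname: rule fires (false positive)
    'Mailer Daemon <mailer-daemon@example.org>',   # exempt, like (?!mailer-daemon\@)
    'noreply@example.org',                         # no display name: rule does not apply
]

EXEMPT_LOCAL_PARTS = {"postmaster", "mailer-daemon"}


def name_tokens(display_name):
    """Words of the display name, lowercased; quotes and punctuation dropped."""
    return [w.lower() for w in re.findall(r"[A-Za-z]+", display_name)]


def nomatch_nick_from(from_header):
    """True when the display name shares nothing with the address, i.e. when
    a NOMATCH_NICK_FROM-style rule would fire on this header."""
    display, addr = parseaddr(from_header)
    if not display or "@" not in addr:
        return False
    local, domain = addr.lower().rsplit("@", 1)
    if local in EXEMPT_LOCAL_PARTS:
        return False
    words = name_tokens(display)
    target = local + "@" + domain
    # Any three-letter prefix of a name word of 3+ letters found in the
    # local part or domain counts as a match (the \1|\3|\6 lookaheads).
    prefixes = [w[:3] for w in words if len(w) >= 3]
    if any(p in target for p in prefixes):
        return False
    # Initials with at most one separator between them, e.g. jm, j.m, j-m
    # (the .?\2(?:\4|\5)?.?\7 lookahead).
    initials = "".join(w[0] for w in words)
    if len(initials) >= 2:
        initials_re = r"[.\-_]?".join(re.escape(c) for c in initials)
        if re.search(initials_re, target):
            return False
    return True


def hits(headers):
    """The headers from a list that the check fires on."""
    return [h for h in headers if nomatch_nick_from(h)]


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print("HIT " if nomatch_nick_from(h) else "ok  ", h)
```

Run stand-alone it prints a verdict per sample; the Jeremy/jez case fires because no rule of this shape can know a nickname, which is the poor spam ratio CK mentions.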


Re: A difficult one to weed out?

2009-06-21 Thread Benny Pedersen

On Sun, June 21, 2009 12:04, Jeremy Morton wrote:

 http://pastebin.com/m3b9629b6

http://cbl.abuseat.org/lookup.cgi?ip=190.244.172.161


-- 
xpoint



Re: A difficult one to weed out?

2009-06-21 Thread Jeremy Morton
My SpamAssassin apparently isn't checking this blocklist; how do I get 
it to?


Best regards,
Jeremy Morton (Jez)

Benny Pedersen wrote:

On Sun, June 21, 2009 12:04, Jeremy Morton wrote:


http://pastebin.com/m3b9629b6


http://cbl.abuseat.org/lookup.cgi?ip=190.244.172.161




Re: A difficult one to weed out?

2009-06-21 Thread Benny Pedersen

On Sun, June 21, 2009 13:23, Jeremy Morton wrote:
 My SpamAssassin apparently isn't checking this blocklist; how do I get
 it to?

CBL is part of zen.spamhaus.org, but some IPs are not in sync that fast, so
check CBL at the MTA level; this can be done in Exim too

http://cbl.abuseat.org/faq.html

-- 
xpoint



Re: interesting phish for yahoo credentials or stupid spammer

2009-06-21 Thread mouss
Michael Scheidell a écrit :
 spam, with a url link in it that opens up a yahoo.com web mail page and
 asks for yahoo.com credentials.
 
 don't know how that can help spammer, unless spammer is looking to only
 get email from yahoo.com users.
 
 see line 119 (highlighted)
 
 http://pastebin.com/m6bb65f86
 
 so, interesting phish or stupid spammer with yahoo.com gooplet installed?
 


This is not a phish. It's a 419 (AFF). The spammer is asking the user to
reply and, being helpful, provides a ready-to-compose Yahoo link. The
spammer probably did a cut-and-paste of a link that works for Yahoo
users and thinks it is generic. Unless he only targets Yahoo users...





Re: A difficult one to weed out?

2009-06-21 Thread rich...@buzzhost.co.uk
On Sun, 2009-06-21 at 13:35 +0200, Benny Pedersen wrote:
 On Sun, June 21, 2009 13:23, Jeremy Morton wrote:
  My SpamAssassin apparently isn't checking this blocklist; how do I get
  it to?
 
 CBL is part of zen.spamhaus.org, but some IPs are not in sync that fast, so
 check CBL at the MTA level; this can be done in Exim too
 
 http://cbl.abuseat.org/faq.html
 
Two approaches jump out here:
1. 190.244.172.161 listed in PBL (SPAMHAUS)
I can't speak highly enough of the much underrated PBL. Don't even let
PBL-listed IPs waste your time connecting. Knock them out on your MTA
before SA has to look at them. 

[START RANT] Time and time again ranges you would expect to see on sorbs
are 'out of scope' or just plain missed. (That is one rubbish bl IMHO)
[END RANT]

It is now listed with all of these but I suspect some or all may have
been reactive.

190.244.172.161  listed in b.barracudacentral.org.
190.244.172.161 listed in XBL NJABL 
190.244.172.161 listed in cbl.abuseat.org. 
190.244.172.161 listed in bl.spamcannibal.org. 
190.244.172.161 listed in ix.dnsbl.manitu.net. 


2. helo=xwrfsfo.fibertel.com.ar - how much legitimate mail are you
expecting from Argentina? If you were to find a customer or contact out
there, would you ship there?




Re: A difficult one to weed out?

2009-06-21 Thread John Hardin

On Sun, 21 Jun 2009, Jeremy Morton wrote:


My SpamAssassin apparently isn't checking this blocklist; how do I get it to?


Another highly-regarded DNSBL that listed that IP is zen.spamhaus.org, 
which includes the cbl feed. A lot of people trust zen enough to use it at 
the MTA level as a hard reject list.



Benny Pedersen wrote:

 On Sun, June 21, 2009 12:04, Jeremy Morton wrote:

  http://pastebin.com/m3b9629b6

 http://cbl.abuseat.org/lookup.cgi?ip=190.244.172.161


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Users mistake widespread adoption of Microsoft Office for the
  development of a document format standard.
---
 13 days until the 233rd anniversary of the Declaration of Independence
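The DNSBL mechanics behind the advice in the last two replies (query at the MTA, and zen carries the CBL data), as an added Python example that is not part of the thread: the query name is the IP's octets reversed under the zone, and for zen.spamhaus.org the A-record answer's last octet says which component listed the IP, per Spamhaus's documentation (127.0.0.2-3 SBL, 127.0.0.4-7 XBL, which is where CBL data lands, 127.0.0.10-11 PBL; 127.255.255.x answers are error codes, not listings). The resolver is injectable; the answers for 190.244.172.161 are constructed to mirror what the thread reports, and `default_resolve` does a live lookup if you want one.

```python
import ipaddress
import socket

# Zen return codes, per Spamhaus documentation: the last octet identifies
# the component that listed the IP. The CBL feed is published as XBL.
ZEN_CODES = {
    2: "SBL", 3: "SBL",
    4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
    10: "PBL", 11: "PBL",
}


def dnsbl_query_name(ip, zone):
    """Reverse the four octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone.
    Rejects anything that is not an IPv4 address instead of querying garbage."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def default_resolve(name):
    """Live A-record lookup; NXDOMAIN means 'not listed' and yields []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def decode_zen(answers):
    """Map Zen answer addresses to list names. 127.255.255.x is the error
    range (query limit exceeded, blocked resolver); never treat it as a listing."""
    lists = set()
    for a in answers:
        octets = [int(x) for x in a.split(".")]
        if octets[:3] == [127, 255, 255]:
            raise RuntimeError("Zen error code %s; query not answered" % a)
        if octets[:3] == [127, 0, 0]:
            lists.add(ZEN_CODES.get(octets[3], "UNKNOWN(%s)" % a))
    return sorted(lists)


def check_zen(ip, resolve=default_resolve):
    return decode_zen(resolve(dnsbl_query_name(ip, "zen.spamhaus.org")))


def mta_verdict(ip, resolve=default_resolve):
    """What a hard-reject policy at the MTA would decide before SA runs."""
    lists = check_zen(ip, resolve)
    return ("reject", lists) if lists else ("accept", [])


# Constructed answers standing in for live DNS: the thread's source IP
# listed in XBL (CBL) and PBL; a documentation address (192.0.2.1) not listed.
FAKE_ZONE = {
    "161.172.244.190.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("190.244.172.161", "192.0.2.1"):
        print(ip, mta_verdict(ip, fake_resolve))
```

SpamAssassin's stock rules already query this zone: RCVD_IN_XBL covers the CBL range and RCVD_IN_PBL the PBL range. If neither shows up on a message from a host that is listed, look for failing DNS (as Cedric suggested) or `skip_rbl_checks 1` in the configuration before adding another rule.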


Re: Dealing with backscatter

2009-06-21 Thread Bob Proulx
Jeremy Morton wrote:
 ...backscatter...
 'Your message to Gatewayav-discuss awaits moderator approval'

The GNU Mailman mailing list software is a big offender in that area.
The option to fix this is to set respond_to_post_requests to No on
the main options page.  Otherwise it is a serious backscatter source.
I think the default may be Yes.

  respond_to_post_requests=No

As a backscatter source I would have no qualms about listing them in a
DNSBL.  Reporting offenders as spam sources seems like the only
recourse.

 Any tips for filtering these out?

I specifically filter those out from my incoming mail.  That message
is never helpful to me.

 Trouble is there might occasionally be a mailing list I want to post
 to where I do get such a message,

Do *you* ever need to see that message?  Unless you are the moderator
you can't approve the posting.  And if you are the moderator then you
will get a moderator mail message concerning it and can react to it.
It doesn't help you.  There isn't any action you can take for it.  So
you might as well smtp-reject or procmail-discard those.

 but I get a phenomenal number of such messages where it's obviously
 a spammer who has sent a msg to the list and joe-jobbed me.  Worse
 still, the mail matches this rule:

 -4.0 RCVD_IN_DNSWL_MED  RBL: Sender listed at http://www.dnswl.org/, 
 medium trust

You might consider changing that to:

  score RCVD_IN_DNSWL_HI -0.001
  score RCVD_IN_DNSWL_MED -0.001
  score RCVD_IN_DNSWL_LOW -0.001
  score HABEAS_ACCREDITED_COI -0.001
  score HABEAS_ACCREDITED_SOI -0.001

Bob


Re: New www.medsXX.net spam

2009-06-21 Thread mouss
John Hardin a écrit :
 On Fri, 2009-06-19 at 09:24 -0700, John Hardin wrote:
 On Fri, 2009-06-19 at 16:21 +0200, Paweł Tęcza wrote:
 body  AE_MEDS35  /w{2,4}\s{0,4}meds\d{1,4}\s{0,4}(?:net|com|org)/
 I've just noticed missing 'i' switch for your rule regexp. Is it a bug
 or a feature? :)
 That depends. If the URIs are always lowercase in the spams, making the
 RE case-insensitive doesn't help and may hurt.

 BTW, probably \s+ will be better than \s{0,4}. Similarly with w{2,4} and
 \d{1,4}.
 No, it's not. In SA, unbounded matches are hazardous and should be
 avoided. {0,20} is safer than * and {1,20} is safer than +.

 This is not a general rule, it only applies where the text being scanned
 is from an untrusted (and possibly actively hostile) source.

 Another improvement: add word boundaries at the beginning and end:

   /\bw{2,4}\s{0,10}meds\d{1,4}\s{0,10}(?:net|com|org)\b/

 If the parentheses in the original example are actually in the message,
 including them will help too. Are they actually in the message?
 
 D'oh, /me checks pastebins from first message...
 
 Also, body rules match cleaned-up text with runs of spaces collapsed, so
 you don't need to use + or {1,...}
 
 Try this:
 
/\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/
 

you can replace meds by (meds|shop) to catch the www   shop95  net
variants.




Re: Dealing with backscatter

2009-06-21 Thread Karl Pearson

On Sun, June 21, 2009 2:47 pm, Bob Proulx wrote:
 Jeremy Morton wrote:
 ...backscatter...
 'Your message to Gatewayav-discuss awaits moderator approval'

 The GNU Mailman mailing list software is a big offender in that area.
 The option to fix this is to set respond_to_post_requests to No on
 the main options page.  Otherwise it is a serious backscatter source.
 I think the default may be Yes.

   respond_to_post_requests=No

 As a backscatter source I would have no qualms about listing them in a
 DNSBL.  Reporting offenders as spam sources seems like the only
 recourse.

 Any tips for filtering these out?

 I specifically filter those out from my incoming mail.  That message
 is never helpful to me.

 Trouble is there might occasionally be a mailing list I want to post
 to where I do get such a message,

 Do *you* ever need to see that message?  Unless you are the moderator
 you can't approve the posting.  And if you are the moderator then you
 will get a moderator mail message concerning it and can react to it.
 It doesn't help you.  There isn't any action you can take for it.  So
 you might as well smtp-reject or procmail-discard those.


I own a mailing list server. One of our policies is specifically about
Challenge Servers . . . We don't accept any. If someone hasn't
previously entered our server in so we don't see the responses, we
unsubscribe them without comment. Some might think that's harsh. I
don't.

Karl


 but I get a phenomenal number of such messages where it's obviously
 a spammer who has sent a msg to the list and joe-jobbed me.  Worse
 still, the mail matches this rule:

 -4.0 RCVD_IN_DNSWL_MED  RBL: Sender listed at
 http://www.dnswl.org/, medium trust

 You might consider changing that to:

   score RCVD_IN_DNSWL_HI -0.001
   score RCVD_IN_DNSWL_MED -0.001
   score RCVD_IN_DNSWL_LOW -0.001
   score HABEAS_ACCREDITED_COI -0.001
   score HABEAS_ACCREDITED_SOI -0.001

 Bob



---
Karl Pearson
ka...@ourldsfamily.com
Owner/Administrator of the sites at
http://ourldsfamily.com
---
To mess up your Linux PC, you have to really work at it;
 to mess up a microsoft PC you just have to work on it.
---
 Democracy is two wolves and a lamb voting on what to have
 for lunch. Liberty is a well-armed lamb contesting the vote.
 --Benjamin Franklin
---



Re: New www.medsXX.net spam

2009-06-21 Thread John Hardin
On Sun, 2009-06-21 at 23:21 +0200, mouss wrote:
 John Hardin a écrit :

 /\(\s?w{2,4}\smeds\d{1,4}\s(?:net|com|org)\s?\)/

 you can replace meds by (meds|shop) to catch the www shop95 net
 variants.

body URI_OBFU_MEDSHOP /\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
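An added Python example (not John's rule file, and Python's `re` rather than SpamAssassin's Perl engine) that runs the final rule over constructed body text after the normalization John describes in the earlier message: tags stripped and whitespace runs collapsed to a single space, which is what makes the bare `\s` between tokens safe. The samples cover the spaced and tab-padded variants, the `shop` form from mouss, an upper-case copy (the rule is deliberately not /i) and two things it must not match.

```python
import re

# The rule from the thread, kept case-sensitive on purpose: the spam text is
# lowercase, and /i would only widen the match. Quantifiers stay bounded
# because the body is hostile input, even though this engine is not Perl's.
URI_OBFU_MEDSHOP = re.compile(
    r"\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)"
)


def normalize_body(raw):
    """Approximate what SpamAssassin hands to body rules: HTML tags removed,
    every run of whitespace (spaces, tabs, newlines) collapsed to one space."""
    text = re.sub(r"<[^>]+>", " ", raw)
    return re.sub(r"\s+", " ", text).strip()


def scan_body(raw, rule=URI_OBFU_MEDSHOP):
    """All obfuscated host names the rule finds in the normalized body."""
    return rule.findall(normalize_body(raw))


# Constructed body snippets; the odd spacing is the obfuscation being targeted.
SAMPLES = {
    "meds_spaced": "Cheap pills here: ( www meds35 net ) order today",
    "shop_padded": "visit ( www   shop95\t\tnet )\nnow",
    "meds_html":   "<p>(www meds1 com)</p>",
    "meds_upper":  "( WWW MEDS35 NET )",               # not /i: no hit
    "plain_uri":   "see www.meds35.net",               # real URI form: not this rule's job
    "legit":       "(see www.example.com for details)",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print("%-12s %s" % (name, scan_body(body) or "-"))
```

The `meds_upper` line is the case Paweł asked about: if a variant ever shows up in capitals the answer is a second rule or a deliberate /i with the false-positive cost weighed, not silently widening this one. The plain `www.meds35.net` form is left to SA's URI rules.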



Custom Rule Sets

2009-06-21 Thread rich...@buzzhost.co.uk
Good morning,

Looking at the docs I see a 'don't add your custom rules here' warning
in reference to the default /usr/share/spamassassin dir. Instead it
lists a couple of options including local.cf

Is it possible to ask local.cf to include external files/dir for custom
rules at all? 

Thanks



Re: Custom Rule Sets

2009-06-21 Thread Matt Kettler
rich...@buzzhost.co.uk wrote:
 Good morning,

 Looking at the docs I see a 'don't add your custom rules here' warning
 in reference to the default /usr/share/spamassassin dir. Instead it
 lists a couple of options including local.cf

 Is it possible to ask local.cf to include external files/dir for custom
 rules at all? 
Yes, there is an include directive (see the Mail::SpamAssassin::Conf
docs) but by default SA will load *ALL* .cf files from your site rules
directory (usually /etc/mail/spamassassin), so includes at the local.cf
level are a bit silly. Just put extra .cf files in the same directory
and SA will load them.

Generally speaking, the include directive is only used at the user_prefs
level, where a single file is parsed by default, not a whole directory.

See also:
http://wiki.apache.org/spamassassin/WritingRules



Re: Custom Rule Sets

2009-06-21 Thread rich...@buzzhost.co.uk
On Mon, 2009-06-22 at 00:26 -0400, Matt Kettler wrote:
 rich...@buzzhost.co.uk wrote:
  Good morning,
 
  Looking at the docs I see a 'don't add your custom rules here' warning
  in reference to the default /usr/share/spamassassin dir. Instead it
  lists a couple of options including local.cf
 
  Is it possible to ask local.cf to include external files/dir for custom
  rules at all? 
 Yes, there is an include directive (see the Mail::SpamAssassin::Conf
 docs) but by default SA will load *ALL* .cf files from your site rules
 directory (usually /etc/mail/spamassassin), so includes at the local.cf
 level are a bit silly.

I agree - but the docs seem to imply that you should not put them in
here - hence my confusion.

Thank you Matt.