Re: New type of spam... (very curious)

2009-06-30 Thread rich...@buzzhost.co.uk
On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote:
 For some seconds I have gotten this spam, which has passed my spamassassin
 but was hit by a separate ZEN rule in procmail:
 
 
 Return-Path: soria.h.steven...@gmail.com
 X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
   samba3.private.tamay-dogan.net
 X-Spam-Level: *
 X-Spam-Status: No, score=1.3 required=4.5 tests=BAYES_00,HTML_MESSAGE,
   RDNS_NONE,SUBJECT_FUZZY_MEDS autolearn=no version=3.2.3
 Delivered-To: linux4miche...@tamay-dogan.net
 Received: from delta4.net ([:::69.43.203.202])
   by vserver1.tamay-dogan.net with esmtp; Mon, 29 Jun 2009 19:33:36 +0200
   id 2765.4A48FAF1.587B
 Received: from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC)
   by delta4.net (CommuniGate Pro SMTP 5.2.3)
   with ESMTPA id 18578669 for linux4miche...@tamay-dogan.net; Mon, 29 Jun 
 2009 10:33:51 -0700
 Mime-Version: 1.0
 Content-Type: multipart/alternative; 
 boundary==_vserver1-22651-1246296817-0001-2
 Date: Mon, 29 Jun 2009 13:33:43 -0400
 Message-ID: chilkat-mid-a898e4ba-bf89-50a1-afc2-c995e8990...@gsurface-pc
 X-Mailer: Chilkat Software Inc (http://www.chilkatsoft.com)
 X-Priority: 3 (Normal)
 Subject: RE: [SA Rule] meds, pill and shop spams
 Reply-To: soria.h.steven...@gmail.com
 Old-Return-Path: soria.h.steven...@gmail.com
 From: Soriah Stevenson soria.h.steven...@gmail.com
 To: Michelle Konzack linux4miche...@tamay-dogan.net
 X-TDMailSerialnumber: 9189409
 X-TDMailCount: true
 X-TDTools-Procmail: FILTER=FLT_spamhaus, WLIST=PRI_linux.FLT_spamhaus
 
 Hi Michelle Konzack,
 
 This email is a response to the apartment that is for rent.  I am sorry it 
 took so long to respond, your email was sent to the spam folder.  In order to 
 schedule showings, I am asking all tenants for their latest credit score and 
 income.  If you don't have your credit score at the moment, you can check it 
 online using the link below.
 
 http://www.icredit-scores.com/
 
 Please email me this information at your earliest convinience.  Thanks.
 
 From: linux4miche...@tamay-dogan.net Sent: 6/29/2009 12:31:48 PM Subject: 
 [SA Rule] meds, pill and shop spams Hello,
 
 because I am currently hit by several 10.000  new  type  of  spam  using
 domains like www.(meds|pill|shop)XX.(net|com|org) I suggest you put
 the following in your spamassassin config:
 
 [ '~/.spamassassin/user_prefs' ]
 body      AE_MEDS35   /\(\s?w{2,4}\s(?:meds|pill|shop)\d{1,4}\s(?:net|com|org)\s?\)/
 describe  AE_MEDS35   obfuscated domain seen in spam
 score     AE_MEDS35   3.00
 
 
 Works perfectly and has today caught over 63.000 spams on my server.
 
 Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
25.9V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
 
 -- 
 Linux-User #280138 with the Linux Counter, http://counter.li.org/
 # Debian GNU/Linux Consultant #
 http://www.tamay-dogan.net/ Michelle Konzack
 http://www.can4linux.org/   c/o Vertriebsp. KabelBW
 http://www.flexray4linux.org/   Blumenstrasse 2
 Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
 IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
 ICQ #328449886Tel. FR: +33  6  61925193
 
 
Are you saying that ZEN caught it after SA processed it? Why are you not
using ZEN in SA or at the SMTP stage?



Re: RulesDuJour

2009-06-30 Thread Matt Kettler
Anshul Chauhan wrote:
 we have to copy KAM.cf  to /usr/share/spamassassin only for its
 integration with spamassassin or something else is to done

 I'm using spamassassin-3.2.5-1.el4.rf on Centos4.7

Any add-on rules should be placed in the same directory as your local.cf
(ie: /etc/mail/spamassassin/ in most cases). SA reads *.cf from this
directory, not just local.cf.

Adding files to /usr/share/spamassassin, or making changes to files
present there, is not a good idea. When SpamAssassin gets upgraded, this
whole directory will be nuked by the installer.





Re: New type of spam... (very curious)

2009-06-30 Thread Matus UHLAR - fantomas
 On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote:
  For some seconds I have gotten this spam, which has passed my spamassassin
  but was hit by a separate ZEN rule in procmail:
  
  
  Return-Path: soria.h.steven...@gmail.com
  X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
  samba3.private.tamay-dogan.net
  X-Spam-Level: *
  X-Spam-Status: No, score=1.3 required=4.5 tests=BAYES_00,HTML_MESSAGE,
  RDNS_NONE,SUBJECT_FUZZY_MEDS autolearn=no version=3.2.3
  Delivered-To: linux4miche...@tamay-dogan.net
  Received: from delta4.net ([:::69.43.203.202])
  by vserver1.tamay-dogan.net with esmtp; Mon, 29 Jun 2009 19:33:36 +0200
  id 2765.4A48FAF1.587B
  Received: from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC)
  by delta4.net (CommuniGate Pro SMTP 5.2.3)
  with ESMTPA id 18578669 for linux4miche...@tamay-dogan.net; Mon, 29 Jun 
  2009 10:33:51 -0700

On 30.06.09 07:06, rich...@buzzhost.co.uk wrote:
 Are you saying that ZEN caught it after SA processed it? Why are you not
 using ZEN in SA or at the SMTP stage?

She apparently does not have control over 69.43.203.202, which is not
listed, but 174.146.118.224 is. 69.43.203.202 is apparently in her
internal_networks because 174.146.118.224 is listed in the PBL which is
checked only on internal network boundary...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901


Re: RulesDuJour

2009-06-30 Thread Matus UHLAR - fantomas
 Anshul Chauhan wrote:
  we have to copy KAM.cf  to /usr/share/spamassassin only for its
  integration with spamassassin or something else is to done
 
  I'm using spamassassin-3.2.5-1.el4.rf on Centos4.7

On 30.06.09 02:11, Matt Kettler wrote:
 Any add-on rules should be placed in the same directory as your local.cf
 (ie: /etc/mail/spamassassin/ in most cases). SA reads *.cf from this
 directory, not just local.cf.
 
 Adding files to /usr/share/spamassassin, or making changes to files
 present there, is not a good idea. When SpamAssassin gets upgraded, this
 whole directory will be nuked by the installer.

... and after first sa-update, it won't get used even.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One World. One Web. One Program. - Microsoft promotional advertisement
Ein Volk, ein Reich, ein Fuhrer! - Adolf Hitler


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Jason Haar schrieb:
 All this talk about trying to catch urls that contain spaces/etc got me
 thinking: why isn't this a standard SA feature? i.e if SA sees
 www(whitespace|comma|period)-combo(therest), then rewrite it as the
 url and process.

How would you distinguish between

... go to WWW EVIL ORG for new meds ...

and

... digging through the WWW HE SAW this link ...

to prevent SA trying to look up www.he.saw?

And what about URLs that don't start with WWW, like

http:// meds spammer org



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
 ... go to WWW EVIL ORG for new meds ...
 
 and
 
 ... digging through the WWW HE SAW this link ...
 
Both IMO should be caught and given a positive score. I've never seen
legitimate mail containing URLs written this way.

 And what about URLs that don't start with WWW, like
 
 http:// meds spammer org
 
That should be scored positive too, for the same reason.

I'm giving such munged URLs a score of 1.0. In addition I use metas to
give the score a boost if they appear on a technical mail list or in
combination with mis-spellings that are common in spam or words like
viagra.


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Martin Gregorie schrieb:
 ... go to WWW EVIL ORG for new meds ...

 and

 ... digging through the WWW HE SAW this link ...

 Both IMO should be caught and given a positive score. I've never seen
 legitimate mail containing URLs written this way.

Maybe I was not clear: The last one is NOT an url. Do you really want to
use the whole bunch of SA's URI tests against sentences like:

... looking at the www peter got an impression of ...
(-> www.peter.got?)


And again: What about urls that do not start with www? Which characters
should be examined for obfuscation ([ ,;:|?!=])? How many of them in
sequence should be examined? If SA tries to de-obfuscate each possible
triplet, you won't have enough computing power and you will be bombarded
with false-positives. If you really want that, you can write your own
rules but this is (by far) too dangerous for the standard SA
distribution (imo).




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
Am 2009-06-30 12:30:14, schrieb Jan P. Kessler:
 How would you distinguish between
 
 ... go to WWW EVIL ORG for new meds ...
 
 and
 
 ... digging through the WWW HE SAW this link ...
 
 to prevent SA trying to look up www.he.saw?

Is SAW a valid TOPLEVEL domain?

SA could use a list of valid TLD's.

 And what about URLs that don't start with WWW, like
 
 http:// meds spammer org

and what about:

   meds . for . cheap com

(several subdomains)

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
25.9V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947Blumenstasse 2 MSN LinuxMichi
+33/6/61925193 77694 Kehl/Germany IRC #Debian (irc.icq.com)




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
Am 2009-06-30 11:58:20, schrieb Martin Gregorie:
  http:// meds spammer org
  
 That should be scored positive too, for the same reason.

And in my org this should not happen...

my.org is a valid domain FOR SALE.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947Blumenstasse 2 MSN LinuxMichi
+33/6/61925193 77694 Kehl/Germany IRC #Debian (irc.icq.com)




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Michelle Konzack wrote:
 Is SAW a valid TOPLEVEL domain?

 SA could use a list of valid TLD's.
   

Ok, let's change that (do not forget that there's more than .com)

the www seems to become the primary source of information these days
(-> www.seems.to?)

And I think we agree, that it would be very 'expensive' to check all
possible triplets against the whole list of TLDs (or even impossible if
you consider subdomains).




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Yet Another Ninja

On 6/30/2009 1:18 PM, Michelle Konzack wrote:
> Am 2009-06-30 12:30:14, schrieb Jan P. Kessler:
>> How would you distinguish between
>>
>> ... go to WWW EVIL ORG for new meds ...
>>
>> and
>>
>> ... digging through the WWW HE SAW this link ...
>>
>> to prevent SA trying to look up www.he.saw?
>
> Is SAW a valid TOPLEVEL domain?
>
> SA could use a list of valid TLD's.


See RegistrarBoundaries.pm in SA source and
http://www.rulesemporium.com/rules/90_2tld.cf


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
On Tue, 2009-06-30 at 13:14 +0200, Jan P. Kessler wrote:
 Martin Gregorie schrieb:
  ... go to WWW EVIL ORG for new meds ...
 
  and
 
  ... digging through the WWW HE SAW this link ...
 
  Both IMO should be caught and given a positive score. I've never seen
  legitimate mail containing URLs written this way.
 
 Maybe I was not clear: The last one is NOT an url. Do you really want to
 use the whole bunch of SA's URI tests against sentences like:
 
What makes you think I'm using URI tests or that any of these would be
recognised as a URI? My tests are simple body tests with {1,n} limits on
repetitions to keep things under control.

 And again: What about urls that do not start with www?

So far, all the munged URLs I've seen have started with www. If that
changes the rules can be easily extended, but IMO it's unlikely to change
since the punters are being invited to 'repair' something they are
intended to recognise as a web address.

 Which characters
 should be examined for obfuscation ([ ,;:|?!=])?

So far, only space, tab and stop have been used. On the face of it, no
more are likely. The target audience must be pretty thick if they actually
'repair' these urls before cutting and pasting into the browser's search
box, so my guess is that said target audience would either not recognise
further obfuscation as a url or they would retain any other
non-whitespace characters and then wonder why their browser won't do
what they want. What's the betting they'd even call their help desk to
complain?


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Martin Gregorie schrieb:
 What makes you think I'm using URI tests or that any of these would be
 recognised as a URI? My tests are simple body tests with {1,n} limits on
 repetitions to keep things under control.
   

So you want obfuscated urls to be recognised as urls but not treated as
urls? If this is just for a few own pcre body rules, I'd suggest you
handle those de-obfuscations in your rules. You can also publish your
own plugin, if you think that it is worth sharing. But for most
environments these de-obfuscations will be too dangerous (imo) and too
easy to circumvent.


 what they want. What's the betting they'd even call their help desk to
 complain?
   

And how many calls will you receive for false positives? Maybe this
depends on one's environment, but I'd prefer having a few non-tagged
spams than a bunch of FPs.

Anyway.. I don't want to argue here. I threw in my pennies and hope
the SA developers agree.

Cheers, Jan





Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
 So you want obfuscated urls to be recognised as urls but not treated as
 urls?

Of course. It's spam.

 If this is just for a few own pcre body rules, I'd suggest you to
 handle those de-obfuscations in your rules.

Guess what I'm doing.

 You can also publish your own plugin, if you think that it is worth to share.

It's not worth a plugin: one or two regexes and a meta catches it very
nicely.

 And how many calls will your receive for false positives? Maybe this
 depends on one's environment,

Metas that recognise context are the obvious way to avoid FPs. For
instance, anything received via a Sourceforge mailing list containing
recognisable medical or sex terms (obfuscated or not) and obfuscated
URLs can be canned as spam with a very high confidence level.

It's certainly site-specific, e.g., I've only ever seen the recent spate
of image spam (medical ads presented as images) arrive via Sourceforge
mailing lists, but that's far from a typical experience.


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin

On Tue, 30 Jun 2009, Jan P. Kessler wrote:

> Martin Gregorie schrieb:
>
>>> ... digging through the WWW HE SAW this link ...
>>
>> Both IMO should be caught and given a positive score. I've never seen
>> legitimate mail containing URLs written this way.
>
> Maybe I was not clear: The last one is NOT an url. Do you really want to
> use the whole bunch of SA's URI tests against sentences like:
>
>    ... looking at the www peter got an impression of ...
>    (-> www.peter.got?)


TLDs are limited and prevent FPs of that particular nature.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #6: If you can choose what to bring to a
  gunfight, bring a long gun and a friend with a long gun.
---
 4 days until the 233rd anniversary of the Declaration of Independence


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Wilcock

Le 30/06/2009 17:16, John Hardin a écrit :
>>    ... looking at the www peter got an impression of ...
>>    (-> www.peter.got?)
>
> TLDs are limited and prevent FPs of that particular nature.


Sure, but there are lots of ccTLDs that could be confused with English 
words, never mind other languages.


Do you really want SpamAssassin to do URIBL lookups for invented.by 
(Belarus) for a sentence like The www, invented by Tim Berners-Lee, 
..., or billy.jo (Jordan) for On the www, Billy-Jo can be heard...?

The processing overhead would be enormous.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Mike Cardwell

John Wilcock wrote:
>>>    ... looking at the www peter got an impression of ...
>>>    (-> www.peter.got?)
>>
>> TLDs are limited and prevent FPs of that particular nature.
>
> Sure, but there are lots of ccTLDs that could be confused with English
> words, never mind other languages.
>
> Do you really want SpamAssassin to do URIBL lookups for invented.by
> (Belarus) for a sentence like The www, invented by Tim Berners-Lee,
> ..., or billy.jo (Jordan) for On the www, Billy-Jo can be heard...?
>
> The processing overhead would be enormous.


I'd suggest performing your own dns lookups against the domain first to 
make sure it's valid, before doing the uribl lookup. Eg:


m...@haven:~$ host -t ns invented.by
invented.by does not exist, try again
m...@haven:~$

You'd also want to cache your results. This conversation however is 
pointless. Why not just try it and see how well it works.


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin

On Tue, 30 Jun 2009, John Wilcock wrote:

> Le 30/06/2009 17:16, John Hardin a écrit :
>>>  ... looking at the www peter got an impression of ...
>>>  (-> www.peter.got?)
>>
>> TLDs are limited and prevent FPs of that particular nature.
>
> Sure, but there are lots of ccTLDs that could be confused with English words,
> never mind other languages.
>
> Do you really want SpamAssassin to do URIBL lookups for invented.by
> (Belarus) for a sentence like The www, invented by Tim Berners-Lee,
> ..., or billy.jo (Jordan) for On the www, Billy-Jo can be heard...?
> The processing overhead would be enormous.


I agree that a very general URI deobfuscation rule will be both expensive 
and FP-prone. I was commenting on the particular case of 
www.something.somethingelse, that while FPs can occur, the possible values 
for somethingelse make it less likely than that example suggested - but 
looking for obfuscated URIs having two-letter TLDs make FPs a lot more 
likely.


I think the existing rule is good; perhaps extending the \w repetition a 
bit so that it would match longer obfuscated domains like 
eshopping123.com or yourdrugstore999.net


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #9: Accuracy is relative: most combat
  shooting standards will be more dependent on pucker factor than
  the inherent accuracy of the gun.
---
 4 days until the 233rd anniversary of the Declaration of Independence
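To make the trade-off argued over in this sub-thread concrete, here is an added Python sketch (mine, not code from any poster and not SpamAssassin's own URI handling). It transcribes the AE_MEDS35 body rule from the first post, then implements the TLD-list idea Michelle raised against Jan Kessler's "WWW EVIL ORG" versus "WWW HE SAW" examples, and finally gates a would-be URIBL lookup behind the cached domain-existence check Mike Cardwell proposes. The sample lines, both TLD sets and the answer table standing in for `host -t ns` are constructed. Running it shows that a generic-TLD list flags `www.evil.org` but not `www.he.saw`, and that adding two-letter ccTLDs brings back `www.seems.to` and `www.invented.by`, which is the false-positive risk John Hardin and John Wilcock describe.

```python
import re

# Body lines constructed for this example, in the styles the thread argues
# over: a spammer-obfuscated host, and innocent prose containing "www".
SAMPLES = [
    "visit ( www meds35 net ) today",
    "... go to WWW EVIL ORG for new meds ...",
    "... digging through the WWW HE SAW this link ...",
    "the www seems to become the primary source of information these days",
    "The www, invented by Tim Berners-Lee, changed publishing",
]

# The AE_MEDS35 body rule from the first post, transcribed to Python.
AE_MEDS35 = re.compile(
    r"\(\s?w{2,4}\s(?:meds|pill|shop)\d{1,4}\s(?:net|com|org)\s?\)")

def matches_ae_meds35(text):
    return AE_MEDS35.search(text) is not None

# Generic "www <label> <tld>" finder: the separator may be whitespace, a
# comma or a stop (the characters Martin Gregorie reports seeing), and the
# triplet is re-joined with dots only when the last word is a known TLD.
WWW_TRIPLET = re.compile(
    r"\bwww[\s.,]+([a-z0-9-]{2,})[\s.,]+([a-z]{2,6})\b", re.IGNORECASE)

GENERIC_TLDS = {"com", "net", "org", "info", "biz"}
# A few ccTLDs (constructed subset), including the English-word lookalikes
# named in the thread.
CC_TLDS = {"by", "jo", "to", "it", "me", "us", "uk", "de", "fr"}

def candidates(text, tlds):
    """Return de-obfuscated hostnames whose final label is in `tlds`."""
    found = []
    for m in WWW_TRIPLET.finditer(text):
        label, tld = m.group(1).lower(), m.group(2).lower()
        if tld in tlds:
            found.append(f"www.{label}.{tld}")
    return found

# Constructed answer table standing in for "host -t ns <domain>"; a real
# deployment would query DNS here, as Mike Cardwell suggests.
FAKE_NS = {"evil.org": True, "meds35.net": True}

class ExistenceCache:
    """Memoise registered-domain existence checks so each costs one lookup."""
    def __init__(self, resolver):
        self.resolver, self.cache, self.lookups = resolver, {}, 0

    def exists(self, hostname):
        domain = hostname[4:] if hostname.startswith("www.") else hostname
        if domain not in self.cache:
            self.lookups += 1
            self.cache[domain] = self.resolver(domain)
        return self.cache[domain]

def worth_uribl_lookup(text, tlds, cache):
    """Candidates that survive both the TLD filter and the existence check."""
    return [h for h in candidates(text, tlds) if cache.exists(h)]

if __name__ == "__main__":
    cache = ExistenceCache(lambda d: FAKE_NS.get(d, False))
    for line in SAMPLES:
        print(f"{line!r}\n  AE_MEDS35: {matches_ae_meds35(line)}"
              f"  generic TLDs: {candidates(line, GENERIC_TLDS)}"
              f"  + ccTLDs: {candidates(line, GENERIC_TLDS | CC_TLDS)}")
    confirmed = worth_uribl_lookup(" ".join(SAMPLES), GENERIC_TLDS | CC_TLDS, cache)
    print("DNS-confirmed:", confirmed, "lookups:", cache.lookups)
```

A plain SpamAssassin body rule cannot call out to DNS, so in SA the last stage would have to live in a plugin; the stub is there to show how much each filter removes before anything expensive runs, and that the cache keeps repeated candidates from costing repeated queries.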

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
Am 2009-06-30 13:50:09, schrieb Yet Another Ninja:
 See RegistrarBoundaries.pm in SA source and
 http://www.rulesemporium.com/rules/90_2tld.cf

I know this list, but these are  only  domains,  where  you  can  get  a
3rd Level Domain like on free.fr as

http://tamay.dogan.free.fr/

which was created by me a long time ago and never updated/deleted...  :-P

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947Blumenstasse 2 MSN LinuxMichi
+33/6/61925193 77694 Kehl/Germany IRC #Debian (irc.icq.com)




Re: New type of spam... (very curious)

2009-06-30 Thread RW
On Tue, 30 Jun 2009 09:10:36 +0200
Matus UHLAR - fantomas uh...@fantomas.sk wrote:

 On 30.06.09 07:06, rich...@buzzhost.co.uk wrote:
  Are you saying that ZEN caught it after SA processed it? Why are
  you not using ZEN in SA or at the SMTP stage?
 
 She apparently does not have control over 69.43.203.202, which is not
 listed, but 174.146.118.224 is. 69.43.203.202 is apparently in her
 internal_networks because 174.146.118.224 is listed in the PBL which
 is checked only on internal network boundary...

And note also that it was authenticated, it was a mail submission, so
PBL should not have been run against it.
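Matus's point about where the PBL is consulted, and RW's about authenticated submissions, are easy to see in code. The following Python is an added illustration (mine, not SpamAssassin's trust-path code, which is considerably more involved): it walks the two Received: headers quoted above, newest first, treats the first connecting address outside `internal_networks` as the last external hop, and looks up only that address; a hop marked ESMTPA is treated as an authenticated submission and skipped. The headers are simplified copies of the ones in the thread (IPv6-mapped notation and recipient dropped), the PBL is a constructed set, and the `internal_networks` values used in the demo are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Received: headers adapted from the message quoted in this thread,
# newest hop first as they appear in the mail (simplified copies).
RECEIVED = [
    "from delta4.net ([69.43.203.202]) by vserver1.tamay-dogan.net with esmtp; "
    "Mon, 29 Jun 2009 19:33:36 +0200 id 2765.4A48FAF1.587B",
    "from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC) "
    "by delta4.net (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 18578669; "
    "Mon, 29 Jun 2009 10:33:51 -0700",
]

# Constructed stand-in for the PBL zone: only the end-user address is listed.
# A real check resolves <reversed octets>.zen.spamhaus.org and inspects the
# 127.0.0.x answer (the thread's 127.0.0.11 is the PBL return code).
FAKE_PBL = {"174.146.118.224"}

IP_RE = re.compile(r"\[(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})\]")
WITH_RE = re.compile(r"\bwith\s+(\w+)", re.IGNORECASE)
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa"}   # SMTP AUTH used on this hop

def parse_hop(header):
    """Pull the connecting IP and whether the hop used SMTP AUTH."""
    m = IP_RE.search(header)
    if not m:
        return None
    proto = WITH_RE.search(header)
    authed = bool(proto) and proto.group(1).lower() in AUTH_PROTOCOLS
    return {"ip": m.group(1), "authenticated": authed}

def last_external(received, internal_networks):
    """First hop (walking outward) whose connecting IP is not ours."""
    nets = [ip_network(n) for n in internal_networks]
    for header in received:
        hop = parse_hop(header)
        if hop is None:
            continue
        if any(ip_address(hop["ip"]) in net for net in nets):
            continue  # relay is inside our boundary, keep walking outward
        return hop
    return None

def pbl_verdict(received, internal_networks, pbl=FAKE_PBL):
    """PBL consulted only for the boundary hop, never for a submission."""
    hop = last_external(received, internal_networks)
    if hop is None:
        return "no external hop"
    if hop["authenticated"]:
        return "skipped: authenticated submission"
    return "listed" if hop["ip"] in pbl else "not listed"

def check_every_hop(received, pbl=FAKE_PBL):
    """What a per-IP procmail ZEN rule does: every relay IP is looked up."""
    return [h["ip"] for h in map(parse_hop, received) if h and h["ip"] in pbl]

def demo():
    unauth = [RECEIVED[0], RECEIVED[1].replace("ESMTPA", "ESMTP")]
    return {
        "boundary at vserver1": pbl_verdict(RECEIVED, []),
        "delta4 inside boundary": pbl_verdict(RECEIVED, ["69.43.203.0/24"]),
        "delta4 inside, no auth": pbl_verdict(unauth, ["69.43.203.0/24"]),
        "every hop": check_every_hop(RECEIVED),
    }

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24} -> {verdict}")
```

With delta4.net outside the boundary the only address checked is 69.43.203.202, which is not listed, so SA shows no PBL hit; the procmail rule that checks every hop finds 174.146.118.224. Pulling delta4.net inside the boundary makes the ESMTPA hop the boundary hop, and a submission-aware check skips it, which is why an end-user address appearing in an authenticated hop is not by itself a reason to reject.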


Re: New type of spam... (very curious)

2009-06-30 Thread Michelle Konzack
Am 2009-06-30 04:33:57, schrieb Benny Pedersen:
 what ip ?

[michelle.konz...@michelle1:~] host 224.118.146.174.zen.spamhaus.org
224.118.146.174.zen.spamhaus.org has address 127.0.0.11

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   c/o Vertriebsp. KabelBW
http://www.flexray4linux.org/   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886Tel. FR: +33  6  61925193




Re: New type of spam... (very curious)

2009-06-30 Thread Michelle Konzack
Am 2009-06-30 07:06:37, schrieb rich...@buzzhost.co.uk:
 Are you saying that ZEN caught it after SA processed it? Why are you
 not
 using ZEN in SA or at the SMTP stage?

Because it does not work...
My Mailserver does tons (the syslog of my DNS server is full of it)  of
DNS checks but ZEN does not work...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   c/o Vertriebsp. KabelBW
http://www.flexray4linux.org/   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886Tel. FR: +33  6  61925193




SA report header added to ham mail

2009-06-30 Thread John Horne
Hello,

Using SA 3.2.5 I read in the Mail::SpamAssassin::Conf man page that:

 report_safe ( 0 | 1 | 2 ) (default: 1)
...
If this option is set to 0, incoming spam is only modified
by adding some X-Spam- headers and no changes will be made
to the body.  In addition, a header named X-Spam-Report will
be added to spam.

I am currently reconfiguring SA, and have set report_safe to 0. Our
'required' score is 8, and I have also configured:

 clear_report_template
 report Score=_SCORE_ tests=_TESTS_ autolearn=_AUTOLEARN_

However, as far as I can tell, the X-Spam-Report header gets added to
ham mail as well as spam. For example:

   X-spam-report: Score=-6.9 
tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham

(taken from a received message; line wrapped by me). I have no problem
with the header being added, and in fact that is what I wanted. However,
I am a bit confused because the man page says it should only be added
for spam mail.

Can someone clarify what is going on please. Is there anything I need to
do to the config to ensure that the above report is added to all mail
(despite it seeming to happen anyway)?



Thanks,

John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk   Fax: +44 (0)1752 587001


Re: New type of spam... (very curious)

2009-06-30 Thread John Hardin

On Tue, 30 Jun 2009, Michelle Konzack wrote:

> Am 2009-06-30 07:06:37, schrieb rich...@buzzhost.co.uk:
>> Are you saying that ZEN caught it after SA processed it? Why are you
>> not using ZEN in SA or at the SMTP stage?
>
> Because it does not work...
> My Mailserver does tons (the syslog of my DNS server is full of it)  of
> DNS checks but ZEN does not work...


If zen worked to catch the message in procmail, how does it not work on 
your MTA? Or did we misinterpret your original post?


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Any time law enforcement becomes a revenue center, the system
  becomes corrupt.
---
 4 days until the 233rd anniversary of the Declaration of Independence


Re: SA report header added to ham mail

2009-06-30 Thread Karsten Bräckelmann
On Tue, 2009-06-30 at 21:57 +0100, John Horne wrote:
 I am currently reconfiguring SA, and have set report_safe to 0. Our
 'required' score is 8, and I have also configured:
 
  clear_report_template
  report Score=_SCORE_ tests=_TESTS_ autolearn=_AUTOLEARN_

The report option does not affect the template used for the Report
header, but the verbatim, mortal user readable form used in the plain
text part of the wrapping mail with report_safe 1.

While it actually matches the given header, I don't think you can change
the header with that. ;)  (Or I've missed a template that will be
substituted with the given report option lines.)


 However, as far as I can tell, the X-Spam-Report header gets added to
 ham mail as well as spam. For example:
 
X-spam-report: Score=-6.9 
 tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham

That is not a standard SA header. Actually, there's quite a lot fishy
about that.

First of all, SA is incapable of adding it -- all SA generated headers
start with X-Spam- (note the uppercase S, since I assume you actually
copy-n-pasted it). So something else (your glue, Amavis?) added it? In
that case the SA add_header options are likely futile, and instead you
should configure your glue.

Also, that actually looks like a SA Status header (customized), minus a
leading YesNo and a trailing version. So either this is your glue
responsible, or you got some custom add_header options in your cf files.
Oh, any typo'd the snippet. ;)

A Status header by default tersely lists all tests hit, similar to the
above. A Report header lists all tests hit including score, description
and meta info.


 (taken from a received message; line wrapped be me). I have no problem
 with the header being added, and in fact that is what I wanted. However,
 I am a bit confused because the man page says it should only be added
 for spam mail.
 
 Can someone clarify what is going on please. Is there anything I need to
 do to the config to ensure that the above report is added to all mail
 (despite is seeming to happen anyway)?

Since your glue appears to add its own headers instead of stock SA ones,
you should look there. As far as SA itself is concerned, the Status
header (similar to the above) will be added by default anyway.

A verbose Report header added to all mail should be doable with
something like this:
  add_header all Report _REPORT_

See the add_header option in the docs [1], Basic Message Tagging Options
section. Also see the Template Tags section.

  guenther


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
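To illustrate what the add_header scopes do, here is an added Python emulation (mine, not SpamAssassin's code) of template expansion and of the all/spam/ham scoping of `add_header`. The score summaries are constructed (the ham one mirrors the header quoted in the question), the tag set is a small subset of the documented template tags, the _REPORT_ format is simplified, and the Status line is modelled on the stock one. It shows that with the Status line plus `add_header spam Report`, ham gets no Report header at all, that `add_header all Report _REPORT_` adds one to both, and that every header SA emits comes out prefixed `X-Spam-`, never `X-spam-`.

```python
import re

# Score summaries constructed for this example; the ham one mirrors the
# header quoted in the question, the spam one is above the required score.
HAM = {"score": -6.9, "required": 8.0, "autolearn": "ham",
       "tests": {"BAYES_00": -2.6, "DCC_CHECK": -2.3, "RCVD_IN_DNSWL_HI": -2.0}}
SPAM = {"score": 12.3, "required": 8.0, "autolearn": "spam",
        "tests": {"BAYES_99": 3.5, "URIBL_BLACK": 1.9, "HTML_MESSAGE": 0.0,
                  "RCVD_IN_PBL": 3.3, "SUBJECT_FUZZY_MEDS": 3.6}}

TAG = re.compile(r"_([A-Z]+)_")

def expand(template, result):
    """Substitute the subset of SA template tags this emulation supports."""
    is_spam = result["score"] >= result["required"]
    tags = {
        "YESNO": "Yes" if is_spam else "No",
        "SCORE": f"{result['score']:.1f}",
        "REQD": f"{result['required']:.1f}",
        "TESTS": ",".join(result["tests"]),
        "AUTOLEARN": result["autolearn"],
        # Simplified: the real _REPORT_ also carries descriptions and meta info.
        "REPORT": "\n".join(f"* {s:.1f} {name}" for name, s in result["tests"].items()),
    }
    return TAG.sub(lambda m: tags.get(m.group(1), m.group(0)), template)

def build_headers(config_lines, result):
    """Apply `add_header <all|spam|ham> <Name> <template>` lines to a result."""
    is_spam = result["score"] >= result["required"]
    headers = {}
    for line in config_lines:
        keyword, scope, name, template = line.split(None, 3)
        if keyword != "add_header":
            continue
        if scope == "all" or (scope == "spam") == is_spam:
            headers["X-Spam-" + name] = expand(template, result)  # prefix is fixed
    return headers

# Modelled on the stock Status line (version tag omitted) plus the Report
# header the man page says report_safe 0 adds to spam.
DEFAULT_CONFIG = [
    "add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_",
    "add_header spam Report _REPORT_",
]
# The line suggested in the reply, applied to every message.
ALL_REPORT = [DEFAULT_CONFIG[0], "add_header all Report _REPORT_"]

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("all Report", ALL_REPORT)):
        for kind, result in (("ham", HAM), ("spam", SPAM)):
            print(f"--- {label} / {kind}")
            for name, value in build_headers(cfg, result).items():
                print(f"{name}: {value}")
```

The emulation makes the two points in the reply mechanical: a header the configuration scopes to `spam` can only appear on messages at or above the required score, and nothing in this path produces a lower-case `X-spam-` name, so a header spelled that way was written by the glue, not by SA.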



Re: New type of spam... (very curious)

2009-06-30 Thread Michelle Konzack
Am 2009-06-30 14:08:33, schrieb John Hardin:
 If zen worked to catch the message in procmail, how does it not work on  
 your MTA? Or did we misinterpret your original post?

In Debian, the network related scans are activated and I  do  not  know,
why ZEN is never executed.  If you know more  about  the  Debian Lenny
version of spamassassin, maybe you can point me into the right direction
where to search.

Note:  On my Debian Etch installation it is working

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   c/o Vertriebsp. KabelBW
http://www.flexray4linux.org/   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886Tel. FR: +33  6  61925193




X-Mailer: domain

2009-06-30 Thread Mike Cardwell

Hi,

I've started seeing spam email containing an X-Mailer header which is 
the domain name of the From header. Eg:


From: Compare and Cover Life i...@3009943.webguide103.com
X-Mailer: webguide103.com

How would I construct a spamassassin rule to check for this?

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: SA report header added to ham mail

2009-06-30 Thread Mark Martinec
 X-spam-report: Score=-6.9
  tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham

 That is not a standard SA header. Actually, there's quite a lot fishy
 about that.

 First of all, SA is incapable of adding it -- all SA generated headers
 start with X-Spam- (note the uppercase S, since I assume you actually
 copy-n-pasted it). So something else (your glue, Amavis?) added it? In
 that case the SA add_header options are likely futile, and instead you
 should configure your glue.

Btw, not amavis (any), it would add X-Spam-Report, i.e. capitalized.

  Mark


Re: X-Mailer: domain

2009-06-30 Thread Benny Pedersen

On Wed, July 1, 2009 01:23, Mike Cardwell wrote:
 From: Compare and Cover Life i...@3009943.webguide103.com
 X-Mailer: webguide103.com
  How would I construct a spamassassin rule to check for this?

impossible without a plugin, would be faster to reject sender in mta

-- 
xpoint



Re: New type of spam... (very curious)

2009-06-30 Thread John Hardin

On Wed, 1 Jul 2009, Michelle Konzack wrote:

> Am 2009-06-30 14:08:33, schrieb John Hardin:
>> If zen worked to catch the message in procmail, how does it not work on
>> your MTA? Or did we misinterpret your original post?
>
> In Debian, the network related scans are activated and I  do  not  know,
> why ZEN is never executed.  If you know more  about  the  Debian Lenny
> version of spamassassin, maybe you can point me into the right direction
> where to search.


I was speaking of using zen as a MTA-level hard reject in your MTA, not in 
SpamAssassin running on the same box as your MTA. That's what we're 
suggesting. Do you have the ability to add it as a MTA-level DNSBL?


I don't know why zen wouldn't be working in SA. Network tests disabled, 
perhaps? Do other DNSBLs or URIBLs work there? Perhaps run SpamAssassin in 
debugging mode and see if it complains about something like Net::DNS being 
missing.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Democrats '61: Ask not what your country can do for you,
   ask what you can do for your country.
  Democrats '07: Ask not what your country can do for you,
   demand it!
---
 4 days until the 233rd anniversary of the Declaration of Independence


Re: X-Mailer: domain

2009-06-30 Thread John Hardin

On Wed, 1 Jul 2009, Benny Pedersen wrote:



On Wed, July 1, 2009 01:23, Mike Cardwell wrote:

From: Compare and Cover Life i...@3009943.webguide103.com
X-Mailer: webguide103.com

 How would I construct a spamassassin rule to check for this?

impossible without a plugin


...unless you just do a loose X-Mailer-looks-like-a-domain-name rule.



Re: X-Mailer: domain

2009-06-30 Thread Karsten Bräckelmann
On Wed, 2009-07-01 at 00:23 +0100, Mike Cardwell wrote:
 I've started seeing spam email containing an X-Mailer header which is 
 the domain name of the From header. Eg:
 
 From: Compare and Cover Life i...@3009943.webguide103.com
 X-Mailer: webguide103.com

The *first* question should be, how are these scoring generally, and if
it's worth the effort. If they sneak by, there's usually a more
fundamental problem than a missing rule like this.

That said -- nice catch. :)


 How would I construct a spamassassin rule to check for this?

Using the all-magic, all-dancing pseudo ALL header [1], and a brave mix
of RE modifiers like /m and /s [2], to handle multi-line strings. :)

Something like this should do. DO NOTE that I just hacked it up in the
email, and did NOT test it. Mind the manual line wrap.

header FROM_EQ_XM  ALL =~
 /^From: [^@]+\@(?:[^.]+\.)?([^.]+\.[^.]+)>?$.{0,400}^X-Mailer: \1$/msi


Now what the fuck does that do? The /m enables multi-line matching, so ^
and $ match the beginning and end of a line respectively, rather than of
the string (which would be the entire headers).

First, we identify a From header, consume all the crap before the @,
optionally also consume a host without capturing (the (?:...)? part).
The trailing example.com we do capture, followed by an optional closing
bracket and the end of the line $. Note that this appears slightly over
complicated, but it is important -- the dot also matches \n, due to
the /s modifier.

Then match whatever header junk there is, up to an arbitrary bound of
400 chars. With an X-Mailer header following, that matches the domain we
just captured, up to the end of the header. Et voila. :)

Note that this only matches this particular order of headers, so you
might need a second (sub-)rule (meta'd together) to match the reverse.

End proof of concept. ;)

  guenther


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
[2] http://perldoc.perl.org/perlre.html

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
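To see the rule above, its reverse-order sibling, and John Hardin's cheaper "X-Mailer looks like a domain name" variant actually fire, here is an added Python transcription (not code from the post or from SpamAssassin): Perl's /m, /s and /i become re.M, re.S and re.I, the `\@` needs no escape, the loose rule and the header samples are constructed for this example, and the 400-character bound is kept deliberately, since unbounded wildcards in multi-line header rules are what make a server bog down.

```python
import re

# Karsten's header ALL rule, transcribed to Python's re module
# (/m -> re.M, /s -> re.S, /i -> re.I) so it can be exercised offline.
FROM_EQ_XM = re.compile(
    r"^From: [^@]+@(?:[^.]+\.)?([^.]+\.[^.]+)>?$.{0,400}^X-Mailer: \1$",
    re.M | re.S | re.I,
)
# The "reverse" (sub-)rule the post says is needed when X-Mailer precedes From.
XM_EQ_FROM = re.compile(
    r"^X-Mailer: ([^.]+\.[^.]+)$.{0,400}^From: [^@]+@(?:[^.]+\.)?\1>?$",
    re.M | re.S | re.I,
)
# A loose "looks like a domain name" check (hypothetical, not from the post):
# a bare dotted name and nothing else on the X-Mailer line.
XM_LOOKS_LIKE_DOMAIN = re.compile(
    r"^X-Mailer: [a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.M | re.I
)

RULES = {
    "FROM_EQ_XM": FROM_EQ_XM,
    "XM_EQ_FROM": XM_EQ_FROM,
    "XM_LOOKS_LIKE_DOMAIN": XM_LOOKS_LIKE_DOMAIN,
}


def rule_hits(headers: str) -> list:
    """Names of the rules that fire on a raw header block, in the spirit of
    the tests= list SpamAssassin writes into X-Spam-Status."""
    return [name for name, rx in RULES.items() if rx.search(headers)]


# Constructed samples; the From/X-Mailer pair is the one quoted in the thread.
SPAM_HDRS = (
    "From: Compare and Cover Life <info@3009943.webguide103.com>\n"
    "Subject: Compare and cover\n"
    "X-Mailer: webguide103.com\n"
)
SPAM_REVERSED_HDRS = (
    "X-Mailer: webguide103.com\n"
    "From: Compare and Cover Life <info@3009943.webguide103.com>\n"
)
HAM_HDRS = (
    "From: Alice Example <alice@example.org>\n"
    "X-Mailer: Evolution 2.26\n"
)
```

Note how the reversed sample is caught only by the second rule, which is why the post suggests meta'ing the two together.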



Re: X-Mailer: domain

2009-06-30 Thread Karsten Bräckelmann
On Tue, 2009-06-30 at 16:50 -0700, John Hardin wrote:
 On Wed, 1 Jul 2009, Benny Pedersen wrote:

   From: Compare and Cover Life i...@3009943.webguide103.com
   X-Mailer: webguide103.com
   How would I construct a spamassassin rule to check for this?
 
  impossible without a plugin

Meep. Wrong!

 ...unless you just do a loose X-Mailer-looks-like-a-domain-name rule.

Both of you. ;)

Granted, the loose look-a-like rule probably even would be worth a point
of its own -- but where's the fun in that?





Re: SA report header added to ham mail

2009-06-30 Thread Karsten Bräckelmann
On Wed, 2009-07-01 at 01:26 +0200, Mark Martinec wrote:
  X-spam-report: Score=-6.9
   tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham
 
  That is not a standard SA header. Actually, there's quite a lot fishy
  about that.
 
  First of all, SA is incapable of adding it -- all SA generated headers
  start with X-Spam- (note the uppercase S, since I assume you actually
  copy-n-pasted it). So something else (your glue, Amavis?) added it? In
  that case the SA add_header options are likely futile, and instead you
  should configure your glue.
 
 Btw, not amavis (any), it would add X-Spam-Report, i.e. capitalized.

Oh, capitalization enforced? Thanks, good to know, Mark. Now I'm even
more confused about the header...





Re: X-Mailer: domain

2009-06-30 Thread John Hardin

On Wed, 1 Jul 2009, Karsten Bräckelmann wrote:


On Tue, 2009-06-30 at 16:50 -0700, John Hardin wrote:

On Wed, 1 Jul 2009, Benny Pedersen wrote:



From: Compare and Cover Life i...@3009943.webguide103.com
X-Mailer: webguide103.com
How would I construct a spamassassin rule to check for this?


impossible without a plugin


Meep. Wrong!


...unless you just do a loose X-Mailer-looks-like-a-domain-name rule.


Both of you. ;)


Mea culpa. I _never_ think of header ALL rules.


Granted, the loose look-a-like rule probably even would be worth a point
of its own -- but where's the fun in that?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.  -- Steve Chapman, Chicago Tribune
---
 4 days until the 233rd anniversary of the Declaration of Independence

Re: New type of spam... (very curious)

2009-06-30 Thread RW
On Wed, 1 Jul 2009 01:15:56 +0200
Michelle Konzack linux4miche...@tamay-dogan.net wrote:

 Am 2009-06-30 14:08:33, schrieb John Hardin:
  If zen worked to catch the message in procmail, how does it not
  work on your MTA? Or did we misinterpret your original post?
 
 In Debian, the network related scans are activated and I  do  not
 know, why ZEN is never executed.  

If you mean in Spamassassin, the Zen rules rarely do anything because
they're normally used at the SMTP level, so you just end up with a few
hits on SBL from the untrusted headers (and some XBL hits on
desktop/soho installations where there's a retrieval delay).

In the quoted email, the procmail hit on PBL shouldn't have happened,
you penalized the use of a smarthost, it was coincidental that it
happened on a spam. Spamassassin handled it properly.


Re: X-Mailer: domain

2009-06-30 Thread Karsten Bräckelmann
  Both of you. ;)
 
 Mea culpa. I _never_ think of header ALL rules.

See my RATWARE_OUTLOOK rule. ;)

Reminds me of an important bit I meant to add, but forgot. It's pretty
important to properly anchor matches and limit wildcard matching with
multi-line RE's -- otherwise they can easily bog down your server!


  Granted, the loose look-a-like rule probably even would be worth a point
  of its own -- but where's the fun in that?

This one of course would be cheap.





Re: SA report header added to ham mail

2009-06-30 Thread LuKreme

On 30-Jun-2009, at 14:57, John Horne wrote:

I am currently reconfiguring SA, and have set report_safe to 0. Our
'required' score is 8, and I have also configured:


Raising the required score is clearly a mistake. Setting report safe  
to 0 is generally user-hostile. Setting it to one is the best option  
because it is the least destructive. The original message is  
completely untouched and can be easily recovered.



However, as far as I can tell, the X-Spam-Report header gets added to
ham mail as well as spam.


You must have

add_header all Report _REPORT_

somewhere


--
And, while it was regarded as pretty good evidence of criminality
to be living in a slum, for some reason owning a whole street
of them merely got you invited to the very best social
occasions.



Re: www.shopXX.net

2009-06-30 Thread LuKreme

On 29-Jun-2009, at 10:53, Kevin Parris wrote:
It is folly to underestimate the stupidity and/or gullibility of  
humans.  Just because the link won't work as-is in the message  
does NOT mean people out there won't retype it, corrected, into  
their browser address box.  It is my opinion that if the spammers  
weren't getting traffic to the websites from the email, they would  
stop sending the email.  Since the emails continue, we must presume  
that they are having some success in attracting victims to the sites.



Sure, but I seriously doubt that they would replace characters to fix  
a URL. If I mistype a URL www.example,com I generally get a note that  
the URL didn't work. It takes a certain level of geekness to see the  
typo and replace it with a '.'



--
I draw the line at 7 unreturned phone calls.



Re: SA report header added to ham mail

2009-06-30 Thread Karsten Bräckelmann
On Tue, 2009-06-30 at 18:36 -0600, LuKreme wrote:
 On 30-Jun-2009, at 14:57, John Horne wrote:
  I am currently reconfiguring SA, and have set report_safe to 0. Our
  'required' score is 8, and I have also configured:
 
 Raising the required score is clearly a mistake. Setting report safe  
 to 0 is generally user-hostile. Setting it to one is the best option  
 because it is the least destructive. The original message is  
 completely untouched and can be easily recovered.

I don't necessarily agree. It might depend on the users. It's just a
safe (sic) default.

I once (long ago) had a hack to always have the wrapped original mail
displayed inline, rather than attached. Think expanded by default.
Cause it made reviewing easier. Long ago I switched to report_safe 0,
cause it makes reviewing even easier. ;)  The difference being nothing
way down to scroll to...

Yes, that *might* result in images being loaded off the net auto-
matically, depending on your MUA settings. Hence the safe. But it
really makes reviewing harder, having the user scroll and click each
single spam.


Recovering from report_safe 0 is a piece of cake, too. Just get rid of
the X-Spam headers. Done. What's destructive about that?





Re: New type of spam... (very curious)

2009-06-30 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 01:15 +0200, Michelle Konzack wrote:
 Am 2009-06-30 14:08:33, schrieb John Hardin:
  If zen worked to catch the message in procmail, how does it not work on  
  your MTA? Or did we misinterpret your original post?
 
 In Debian, the network related scans are activated and I  do  not  know,
 why ZEN is never executed.  If you know more  about  the  Debian Lenny
 version of spamassassin, maybe you can point me into the right direction
 where to search.
 
 Note:  On my Debian Etch installation it is working
 
 Thanks, Greetings and nice Day/Evening
 Michelle Konzack
 Systemadministrator
 Tamay Dogan Network
 Debian GNU/Linux Consultant
 
First of all, I don't use ZEN in SA. My personal feeling is I want to
get rid of spam at the earliest possible stage. I block anything on
these lists at the MTA level;

zen.spamhaus.org
dnsbl.sorbs.net
b.barracudacentral.org

There are differing political views about this, but it is the method
found in the top selling anti-spam appliance, so hence I'm happy to use
it. How you would implement this depends on the MTA.

Moving specifically to SpamAssassin on Debian. Look at the contents of
these (adjusting the path where necessary);

/etc/spamassassin/init.pre 
(just to make sure there is nothing killing the network tests in here)


And then check the basic config file;
/etc/spamassassin/local.cf

In particular
# Enable or disable network checks
skip_rbl_checks 0

0 = off 1 = on

My understanding is even if you get an RBL hit it's only going to up the
score of the mail. So you are, essentially, scanning spam if you do it
this way. However, some people like the safety blanket of scanning
hundreds of thousands of spam messages in case there may one day be a
false positive :-)

If this does not throw light onto your problem Michelle I would do a
couple of very basic sanity checks on your DNS system *from* the box
running SA. Randomly from my logs I've picked an IP address blocked by
ZEN in the last hour (for testing) EG

Jul  1 06:23:25 Rejected; blocked by zen.spamhaus.org 84.108.206.164

So from a command prompt (assuming you have dig installed) look for an
ANSWER section in the reply to this query:

dig 164.206.108.84.zen.spamhaus.org

EG;
;; ANSWER SECTION:
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.10
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.4

Means you have a sane reply and the IP is blacklisted but of equal
importance is the time in which it takes to serve the request;

;; Query time: 3 msec
Anything much over a couple of hundred msecs would not be ideal, into
the thousands (1000+) and you have a problem.

If you don't get any result to this, or the result is hideously slow,
then you need to fix the DNS issue. This is not uncommon and usually
centres around firewall policy.

If it fails, btw, this is also worth a try;

dig @4.2.2.2 164.206.108.84.zen.spamhaus.org
dig @4.2.2.3 164.206.108.84.zen.spamhaus.org

and see if the issue is local DNS.

(AFAIR dig is part of dns utils if it is not already on the box but
check that: apt-get install dnsutils)
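The DNSBL sanity check described above, as an added Python example that is not from the post: it builds the reversed-octet query name for the IP quoted, parses dig's ANSWER section and query time, and applies the "listed / how slow" judgement. The 127.0.0.x return-code mapping is Spamhaus's published ZEN convention; the sample dig output is constructed from the lines quoted in the post, and the 200 ms threshold is an assumption taken from the "couple of hundred msecs" remark.

```python
import ipaddress
import re

# Spamhaus ZEN return codes (Spamhaus's published convention): the 127.0.0.x
# value in each A record says which list(s) the address is on.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL query name: octets reversed, zone appended
    (84.108.206.164 -> 164.206.108.84.zen.spamhaus.org, as in the dig example)."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not a plain IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def parse_dig_output(text: str):
    """Extract the A records of dig's ANSWER SECTION and the reported query time (ms)."""
    answers = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", text, re.M)
    m = re.search(r"^;; Query time: (\d+) msec", text, re.M)
    return answers, (int(m.group(1)) if m else None)


def assess(text: str, slow_ms: int = 200) -> dict:
    """Judge a dig reply the way the post does: is the IP listed, on which
    lists, and is the resolver answering fast enough to be usable from SA.
    No query time at all (timeout, no servers reached) also counts as a DNS problem."""
    answers, query_ms = parse_dig_output(text)
    lists = sorted({ZEN_CODES.get(a, "unknown " + a) for a in answers})
    return {
        "listed": bool(answers),
        "lists": lists,
        "query_ms": query_ms,
        "dns_problem": query_ms is None or query_ms > slow_ms,
    }


# Constructed sample assembled from the dig output quoted in the post.
SAMPLE_DIG = """\
;; ANSWER SECTION:
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.10
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.4

;; Query time: 3 msec
"""
```

Feed it the output of `dig 164.206.108.84.zen.spamhaus.org` (or of the `@4.2.2.2` variant) to compare the local resolver against an external one, exactly the comparison the post suggests.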