Re: Malformed List-id
Kenneth Porter wrote on 2018-05-03 02:18:

> I'm having very good results with this rule. I'm scoring it at 5 with no
> false positives. The high negative score for a legitimate looking List-id
> will file it into my List/Unknown folder for new lists and for any
> spammers trying to abuse this, so it's not a problem for my personal
> filtering.
>
> # a properly-formatted List-id looks like a correspondent
> # (to/from) header but @ replaced by dot
> # ie. list-name.domain
> header __KP_LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)?(\.[\w-]+)+>/

List-Id: valid or invalid ? :=)

> describe KP_LIST_ID_DOMAIN_IN_BRACKETS List-id has domain in angle brackets
> meta KP_LIST_ID_DOMAIN_IN_BRACKETS __KP_LIST_ID_DOMAIN_IN_BRACKETS
> score KP_LIST_ID_DOMAIN_IN_BRACKETS -15.0

valid ?

> describe KP_LIST_ID_IMPROPER_FORMAT List-id has improper format
> meta KP_LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__KP_LIST_ID_DOMAIN_IN_BRACKETS
> score KP_LIST_ID_IMPROPER_FORMAT 5.0

I would like developers to begin to make use of Mail::SpamAssassin::Maillist.pm if it exists; there are too many definitions of maillists already in rule sets, and none use maillist.pm
Malformed List-id
I'm having very good results with this rule. I'm scoring it at 5 with no false positives. The high negative score for a legitimate looking List-id will file it into my List/Unknown folder for new lists and for any spammers trying to abuse this, so it's not a problem for my personal filtering.

# a properly-formatted List-id looks like a correspondent
# (to/from) header but @ replaced by dot
# ie. list-name.domain
header __KP_LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)?(\.[\w-]+)+>/
describe KP_LIST_ID_DOMAIN_IN_BRACKETS List-id has domain in angle brackets
meta KP_LIST_ID_DOMAIN_IN_BRACKETS __KP_LIST_ID_DOMAIN_IN_BRACKETS
score KP_LIST_ID_DOMAIN_IN_BRACKETS -15.0

describe KP_LIST_ID_IMPROPER_FORMAT List-id has improper format
meta KP_LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__KP_LIST_ID_DOMAIN_IN_BRACKETS
score KP_LIST_ID_IMPROPER_FORMAT 5.0
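
The two meta rules above, replayed over a few constructed headers so the effect of the regex can be checked before deploying it (an added example, not code from the original post or from SpamAssassin). It is a Python approximation of the rule logic; `evaluate`, `SAMPLES` and the `.example` names are made up for illustration, and `has_list_id` stands in for `__HAS_LIST_ID`.

```python
import re
from email import message_from_string

# Same pattern as __KP_LIST_ID_DOMAIN_IN_BRACKETS. re.ASCII limits \w to
# [A-Za-z0-9_] so Python treats ASCII headers the way the Perl regex does.
DOMAIN_IN_BRACKETS = re.compile(r"<([\w-]+)?(\.[\w-]+)+>", re.ASCII)

# Scores copied from the post.
SCORES = {
    "KP_LIST_ID_DOMAIN_IN_BRACKETS": -15.0,
    "KP_LIST_ID_IMPROPER_FORMAT": 5.0,
}

def evaluate(raw_message):
    """Return (rules_hit, total_score) for the two KP_LIST_ID_* meta rules."""
    msg = message_from_string(raw_message)
    values = msg.get_all("List-Id", [])  # header lookup is case-insensitive
    has_list_id = bool(values)           # assumption: mirrors __HAS_LIST_ID
    in_brackets = any(DOMAIN_IN_BRACKETS.search(v) for v in values)
    hits = []
    if in_brackets:
        hits.append("KP_LIST_ID_DOMAIN_IN_BRACKETS")
    if has_list_id and not in_brackets:
        hits.append("KP_LIST_ID_IMPROPER_FORMAT")
    return hits, sum(SCORES[h] for h in hits)

# Constructed sample messages (not taken from real mail).
SAMPLES = {
    "rfc2919 style": "List-Id: Users list <users.lists.example>\n\nbody\n",
    "bare token": "List-Id: 12345\n\nbody\n",
    "address in brackets": "List-Id: <news@bulk.example>\n\nbody\n",
    # The first group in the regex is optional, so an empty label still matches.
    "empty label": "List-Id: <.example>\n\nbody\n",
    "no List-Id at all": "Subject: hello\n\nbody\n",
}

def run_samples():
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (hits, score) in run_samples().items():
        print(f"{name:22} {score:6.1f} {hits}")
```

Running it prints one line per sample with the combined score, which makes it easy to add headers from a local corpus and see which side of the -15/+5 split they land on.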
Re: OFF-TOPIC: Re: Just to lighten your day?
On Wed, 2 May 2018, Dianne Skoll wrote:

> On Wed, 2 May 2018 15:32:50 -0500 (CDT) David B Funk wrote:
>
> [...]
>> The first three terminations weren't good enough, so we're going to
>> do it one more time. And if -that- one doesn't do it, we'll proceed
>> to the final ultimate termination...
>
> As in "I'm not dead yet!" from Spamalot? :)

Or maybe "He's still moving towards the keyboard! LART him again!"

It is, after all, supposedly from IT...

> Regrads (dammti...),
>
> Dianne.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Efficiency can magnify good, but it magnifies evil just as well. So, we should not be surprised to find that modern electronic communication magnifies stupidity as *efficiently* as it magnifies intelligence. -- Robert A. Matern
---
6 days until the 73rd anniversary of VE day
OFF-TOPIC: Re: Just to lighten your day?
On Wed, 2 May 2018 15:32:50 -0500 (CDT) David B Funk wrote:

[...]
> The first three terminations weren't good enough, so we're going to
> do it one more time. And if -that- one doesn't do it, we'll proceed
> to the final ultimate termination...

As in "I'm not dead yet!" from Spamalot? :)

Regrads (dammti...),

Dianne.
Re: Just to lighten your day?
On Wed, 2 May 2018, John Hardin wrote:

> On Wed, 2 May 2018, David Jones wrote:
>
>> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>>> One slipped through, with this subtle sig line (thought it might brighten someone's day . . . )
>>>
>>> "Note: Failure to Verify will lead to final termination of your email account.
>>>
>>> Technical Team
>>> Email Administrator
>>> All Right Reversed 2018.(c)"
>>> -
>>
>> Please post the full email, with all headers, minimally redacted to pastebin.com and send us a link.
>
> You need your humor detector recalibrated.

His humor detector caught that one. He didn't say if it caught the one in the body of the message: "will lead to final termination of your email"

The first three terminations weren't good enough, so we're going to do it one more time. And if -that- one doesn't do it, we'll proceed to the final ultimate termination...

--
Dave Funk                          University of Iowa
                                   College of Engineering
319/335-5751 FAX: 319/384-0549     1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Just to lighten your day?
On Wed, 2 May 2018, David Jones wrote:

> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>> One slipped through, with this subtle sig line (thought it might brighten someone's day . . . )
>>
>> "Note: Failure to Verify will lead to final termination of your email account.
>>
>> Technical Team
>> Email Administrator
>> All Right Reversed 2018.(c)"
>> -
>
> Please post the full email, with all headers, minimally redacted to pastebin.com and send us a link.

You need your humor detector recalibrated.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
A good high-school education is still essential, and college is where you go to get one. -- MiddleAgedKen
---
6 days until the 73rd anniversary of VE day
Re: Just to lighten your day?
On Wed, 2 May 2018, Joe Acquisto-j4 wrote:

> On 5/2/2018 at 2:57 PM, in message <0e5889ab-b61a-36ba-6b28-549f2c365...@ena.com>, David Jones wrote:
>> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>>> One slipped through, with this subtle sig line (thought it might brighten someone's day . . . )
>>>
>>> "Note: Failure to Verify will lead to final termination of your email account.
>>>
>>> Technical Team
>>> Email Administrator
>>> All Right Reversed 2018.(c)"
>>
>> Please post the full email, with all headers, minimally redacted to pastebin.com and send us a link.
>>
>> --
>> David Jones
>
> It's been a while, but I think I did it properly:
>
> https://pastebin.com/Sw8R0QPe

Do you have the DecodeShortURLs plugin installed in your SA? The target of that tinyurl.com is listed in URIBLs and SA will fire on it if you have DecodeShortURLs functional.

For that message I get:

hecker-Version SpamAssassin 3.4.1 (2015-04-28) on s-l107.engr.uiowa.edu

Content analysis details: (8.1 points, 6.0 required, autolearn=no)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HAS_SHORT_URL          Message contains one or more shortened URLs
 2.5 SEM_FRESH              Contains a domain registered less than 5 days ago
                            [URIs: erumsadet.info]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
                            [40.92.2.16 listed in list.dnswl.org]
 0.1 L_BANK_PHISH3          BODY: Possible bank phish
 0.3 L_UI_PHISHb3           BODY: possible email acct phish
 0.0 T__BOTNET_NOTRUST      Message has no trusted relays
 0.9 FORGED_HOTMAIL_RCVD2   hotmail.com 'From' address, but no 'Received:'
 0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                            [botnet_ipinhosntame,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
 0.0 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
                            [40.92.2.16 listed in hostkarma.junkemailfilter.com]
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: erumsadet.info]
 0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
                            [botnet_serverwords,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (jln4deafkids[at]hotmail.com)
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.6 SARE_HTML_COLOR_B      RAW: BAD STYLE: color: too light (rgb(n))
 0.0 T__KAM_SHORT           KAM URL shortner fired
 0.8 KAM_INFOUSMEBIZ        Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware
 0.0 T__FROM_OUTLOOK        From microsoft outlook/hotmail servers
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 T__RECEIVED_2          More than one untrusted relay
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.2 L_FROM_OUTLOOK         From microsoft outlook/hotmail servers

--
Dave Funk                          University of Iowa
                                   College of Engineering
319/335-5751 FAX: 319/384-0549     1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: Just to lighten your day?
>>> On 5/2/2018 at 2:57 PM, in message <0e5889ab-b61a-36ba-6b28-549f2c365...@ena.com>, David Jones wrote:
> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>> One slipped through, with this subtle sig line (thought it might brighten someone's day . . . )
>>
>> "Note: Failure to Verify will lead to final termination of your email account.
>>
>> Technical Team
>> Email Administrator
>> All Right Reversed 2018.(c)"
>>
>
> Please post the full email, with all headers, minimally redacted to
> pastebin.com and send us a link.
>
> --
> David Jones

It's been a while, but I think I did it properly:

https://pastebin.com/Sw8R0QPe
Re: Just to lighten your day?
On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:

> One slipped through, with this subtle sig line (thought it might brighten someone's day . . . )
>
> "Note: Failure to Verify will lead to final termination of your email account.
>
> Technical Team
> Email Administrator
> All Right Reversed 2018.(c)"

Please post the full email, with all headers, minimally redacted to pastebin.com and send us a link.

--
David Jones
Just to lighten your day?
One slipped through, with this subtle sig line (thought it might brighten someone's day . . . )

"Note: Failure to Verify will lead to final termination of your email account.

Technical Team
Email Administrator
All Right Reversed 2018.(c)"