Re: 9D character used in words to avoid detection.

2018-11-16 Thread Benny Pedersen

Mark London wrote on 2018-11-17 01:23:

Is there a way to define BODY rules, so that they will be triggered?   
Thanks.


manually train bayes, is the only help i can give, sorry

spammers want to be detected, so let them :=)


Re: 9D character used in words to avoid detection.

2018-11-16 Thread Kevin A. McGrail
Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf.  Please let
me know if those help.
--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Fri, Nov 16, 2018 at 7:37 PM John Hardin  wrote:

> On Fri, 16 Nov 2018, Mark London wrote:
>
> > I just received a spam email with the 9D character placed inside of
> words,
> > that prevented my custom BODY rules from being hit.  I.e.:
> >
> > Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr
> a=9Dlready
> > change=9Dd it.
> >
> > Is there a way to define BODY rules, so that they will be triggered?
> > Thanks.
>
> No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in
> my sandbox. It isn't performing well in masschecks so I expect this tactic
> isn't widespread (yet?)
>
> I suppose I should expose it as scored in case it becomes popular...
>
>
> --
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   From the Liberty perspective, it doesn't matter if it's a
>   jackboot or a Birkenstock smashing your face. -- Robb Allen
> ---
>   596 days since the first commercial re-flight of an orbital booster (SpaceX)
>


Re: 9D character used in words to avoid detection.

2018-11-16 Thread John Hardin

On Fri, 16 Nov 2018, Mark London wrote:

I just received a spam email with the 9D character placed inside of words, 
that prevented my custom BODY rules from being hit.  I.e.:


Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready 
change=9Dd it.


Is there a way to define BODY rules, so that they will be triggered? 
Thanks.


No, that would be way too much work; take a look at __UNICODE_OBFU_ZW in 
my sandbox. It isn't performing well in masschecks so I expect this tactic 
isn't widespread (yet?)


I suppose I should expose it as scored in case it becomes popular...




Re: Bayes not learning, blacklist not filtering

2018-11-16 Thread John Hardin

On Fri, 16 Nov 2018, Bill Cole wrote:


On 15 Nov 2018, at 14:27, MarkCS wrote:


So I've been tasked with researching an issue with the mail server at work.
We use Spamassassin and at present, it's not blocking some pretty obvious
spam, largely from the domain qq.com. Basically email is slipping through,
being bounced back at the end receiving server, then our server tries to
bounce back to qq.com, which doesn't exist at that point and we get a
bounce message. Hundreds of these suckers are coming through daily.


As John said, absolutely blocking a whole domain is best done before 
SpamAssassin, in the MTA (in your case that looks like Postfix.)


In fact, all of John's reply was good. There's one thing he was probably too 
polite to mention though...



X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on 


Eh, no, I don't particularly focus on that detail...

Good point, though.



9D character used in words to avoid detection.

2018-11-16 Thread Mark London
I just received a spam email with the 9D character placed inside of 
words, that prevented my custom BODY rules from being hit.  I.e.:


Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr 
a=9Dlready change=9Dd it.


Is there a way to define BODY rules, so that they will be triggered?   
Thanks.


Mark
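An added example, not code from the thread or from SpamAssassin, showing why the split words slip past word-based rules and the two things a rule writer can do about it: match against a copy of the body with invisible characters removed, and count invisible characters that sit inside words as a signal in its own right. It assumes the body was quoted-printable in ISO-8859-1 (the thread does not show the charset), so =9D decodes to U+009D, a C1 control character that mail clients render as nothing; the BODY_RULES with their LOCAL_* names and SAMPLE_QP are constructed for the example. The same check covers the Unicode zero-width characters (U+200B and friends) that are the other common form of this trick.

```python
import quopri
import re
import unicodedata

# Constructed sample: the quoted-printable fragment posted in the thread.
# Charset is an assumption; in ISO-8859-1 byte 0x9D decodes to U+009D,
# a C1 control character with no visible glyph.
SAMPLE_QP = (
    b"Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready "
    b"change=9Dd it."
)

# Hypothetical body rules standing in for the custom BODY rules in the post:
# they expect whole words, so a word split by an invisible byte never matches.
BODY_RULES = {
    "LOCAL_OBVIOUSLY_CHANGE": re.compile(r"\bobviously\b.{0,40}\bchange\b", re.I),
    "LOCAL_ALREADY_CHANGED": re.compile(r"\balready\s+changed\b", re.I),
}

# Unicode format characters that render as nothing (or only as a hyphenation
# hint): zero-width space/non-joiner/joiner, word joiner, soft hyphen, BOM.
ZERO_WIDTH = {"\u00ad", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def decode_qp_body(raw, charset="iso-8859-1"):
    """Decode a quoted-printable body to text (charset is an assumption)."""
    return quopri.decodestring(raw).decode(charset)


def is_invisible(ch):
    """True for characters that produce no glyph: C0/C1 controls other than
    tab/CR/LF, and Unicode format (Cf) characters."""
    if ch in "\t\r\n":
        return False
    return ch in ZERO_WIDTH or unicodedata.category(ch) in ("Cc", "Cf")


def strip_invisible(text):
    """The text as the reader sees it, which is what word rules should match."""
    return "".join(ch for ch in text if not is_invisible(ch))


def count_invisible(text):
    return sum(1 for ch in text if is_invisible(ch))


def count_intraword_invisible(text):
    """Invisible characters with a letter on both sides.  A stray joiner in
    legitimate text sits between words or at line ends; a run of them inside
    words is the obfuscation signal."""
    hits = 0
    n = len(text)
    for i, ch in enumerate(text):
        if not is_invisible(ch):
            continue
        j = i - 1                      # nearest visible char to the left
        while j >= 0 and is_invisible(text[j]):
            j -= 1
        k = i + 1                      # nearest visible char to the right
        while k < n and is_invisible(text[k]):
            k += 1
        if j >= 0 and k < n and text[j].isalpha() and text[k].isalpha():
            hits += 1
    return hits


def matching_rules(text, rules=BODY_RULES):
    return sorted(name for name, rx in rules.items() if rx.search(text))


def classify(raw, min_intraword=3):
    """Run the rules against the normalised body, and add a meta-signal when
    the message relied on intra-word invisibles to dodge them."""
    body = decode_qp_body(raw)
    hits = matching_rules(strip_invisible(body))
    if count_intraword_invisible(body) >= min_intraword:
        hits.append("LOCAL_INTRAWORD_INVISIBLE")
    return hits


if __name__ == "__main__":
    body = decode_qp_body(SAMPLE_QP)
    print("rules on raw body:       ", matching_rules(body))
    print("rules on normalised body:", matching_rules(strip_invisible(body)))
    print("invisible / intra-word:  ", count_invisible(body), count_intraword_invisible(body))
    print("verdict:", classify(SAMPLE_QP))
```

Of the two signals, the intra-word count is the more robust one: stripping lets the existing rules fire again, but the sender can switch to a different invisible character tomorrow, whereas a run of invisibles inside words is itself the tell whatever character is used.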




Re: Bayes not learning, blacklist not filtering

2018-11-16 Thread Bill Cole

On 15 Nov 2018, at 14:27, MarkCS wrote:

So I've been tasked with researching an issue with the mail server at work.
We use Spamassassin and at present, it's not blocking some pretty obvious
spam, largely from the domain qq.com. Basically email is slipping through,
being bounced back at the end receiving server, then our server tries to
bounce back to qq.com, which doesn't exist at that point and we get a
bounce message. Hundreds of these suckers are coming through daily.


As John said, absolutely blocking a whole domain is best done before 
SpamAssassin, in the MTA (in your case that looks like Postfix.)


In fact, all of John's reply was good. There's one thing he was probably 
too polite to mention though...



X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on 


Upgrade SA. 3.3.2 is antique and hasn't seen any updates in (as noted) 7+ 
years. Each 3.4.x release has added useful functionality. Substantial 
parts of the default ruleset are wrapped in version checks because they 
demand 3.4.x features.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
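As an added example of what that looks like in Postfix (not configuration from the thread; the file paths, the restriction list and the access-table contents are assumptions), rejecting during the SMTP transaction means the sending server, not yours, carries the failure, so neither the bounce nor the double bounce described above is ever generated:

```conf
# /etc/postfix/main.cf (added example; assumes Postfix sits in front of
# SpamAssassin, as the reply infers from the headers)
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    # rejects senders whose domain has no MX/A record at SMTP time, which
    # is the "doesn't exist" case instead of bouncing to it afterwards
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/sender_access,
    permit

# /etc/postfix/sender_access (assumed path; rebuild the map after editing
# with: postmap hash:/etc/postfix/sender_access && postfix reload)
# A bare domain also matches its subdomains when
# parent_domain_matches_subdomains includes smtpd_access_maps (the
# default); the leading-dot form is only needed when it does not.
qq.com        REJECT Mail from this domain is not accepted here
.qq.com       REJECT Mail from this domain is not accepted here
```

Keep SpamAssassin for the grey area; a sender domain you have decided you never want is a policy decision, and the MTA is where policy is cheapest to enforce.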


Re: unexpected FN, how to improve/tune to catch

2018-11-16 Thread RW
On Fri, 16 Nov 2018 08:48:56 -0800
Ian Zimmerman wrote:


> 1. Am I correct in assuming that SA decodes base64 MIME parts so it
> does act on these links?  Reading the -D output surely indicates so.

I think you've already answered that.
 
> 2. I remember some discussion here about following shortener links
> like bitly.  What is the resolution of that?  Does SA currently (as
> of 3.4.2) follow such links, to see (for example) that the link in my
> spample led to Facebook?
 
See

https://github.com/smfreegard/DecodeShortURLs

but Facebook isn't going to be listed anywhere. There is a test for
bitly links that have already been blocked.

> 3. The documentation for the HashBL plugin shows how to set it up to
> check addresses from headers.  Is there a way to also check addresses
> from mailto links in the body?  

It's already supposed to do that. It doesn't actually say it only
checks headers.

If you are thinking of:

header   HASHBL_EMAIL   eval:check_hashbl_emails('ebl.msbl.org')

AFAIK that 'header' is just a matter of syntax and taxonomy and the
only practical difference it makes is that HASHBL_EMAIL's score counts
towards the 3 header points needed for auto-learning.


Macros now replaced by XML

2018-11-16 Thread Alex
Hi,

It seems spammers are now using XML Word documents instead of ones
containing macro viruses. Virtually no antivirus scanners are catching
this now.

These are hacked Outlook accounts sending virus/phish attachments.

https://pastebin.com/8QxujfAt


Re: unexpected FN, how to improve/tune to catch

2018-11-16 Thread Ian Zimmerman
On 2018-11-16 09:52, Matus UHLAR - fantomas wrote:

> such spam should be filtered at mailing list level before this happens.

And it almost always is.  Not in this case.

> what can help you

> - BAYES

understood, I am trying to do without Bayes for now, because I want to
avoid the maintenance (training and, especially, expiring).

> - network rules

those are on

> - URI blacklists

those are on

> did you enable/install razor, pyzor, dcc, spf and dkim libraries?

not dcc, but it would be useless in this case (mailing list is bulk by
definition).  The others are on.

> apparently it does not contain any URI.

It does.  Two web (bitly, masking a redirection to Facebook; plus
wecareusa) and one mailto.

Three followup questions about this last point:

1. Am I correct in assuming that SA decodes base64 MIME parts so it does
act on these links?  Reading the -D output surely indicates so.

2. I remember some discussion here about following shortener links like
bitly.  What is the resolution of that?  Does SA currently (as of 3.4.2)
follow such links, to see (for example) that the link in my spample led
to Facebook?

3. The documentation for the HashBL plugin shows how to set it up to
check addresses from headers.  Is there a way to also check addresses
from mailto links in the body?  If not now, is anything like that
planned for upcoming releases?

Thanks

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.


Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread RW
On Fri, 16 Nov 2018 10:39:47 -0500
Kris Deugau wrote:

> From: John D. Smith  
> ... 
> Looking at a couple of other examples, there are also some in the
> form:
> 
> From: =?UTF-8?B?[encoded stuff]= 
> 
> where [encoded stuff] decodes to:
> 
> Some User 

I think this is worth a try:

header  FROM_NO_COMMA   From =~ />\s*<[^"]*$/






Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Robert Fitzpatrick

Dominic Raferd wrote on 11/16/2018 8:50 AM:

Please clarify what you mean by 'even though SPF and DKIM is setup
with DMARC to reject'? I presume that 'company.com' does not have a
DMARC p=reject policy, or else your DMARC program (e.g. opendmarc)
should block forged emails from them.



Oh yes, sorry, the names changed to protect the innocent. But now that I 
am confirming, I don't see the _dmarc record setup by the DNS company as 
requested. So, this message would fail DMARC if setup for 
company.com to reject as you noted? I'll send them the request again and 
see, thanks.


--
Robert



Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Dominic Raferd
On Fri, 16 Nov 2018 at 15:54, Robert Fitzpatrick  wrote:
>
> Dominic Raferd wrote on 11/16/2018 8:50 AM:
> > Please clarify what you mean by 'even though SPF and DKIM is setup
> > with DMARC to reject'? I presume that 'company.com' does not have a
> > DMARC p=reject policy, or else your DMARC program (e.g. opendmarc)
> > should block forged emails from them.
> >
>
> Oh yes, sorry, the names changed to protect the innocent. But now that I
> am confirming, I don't see the _dmarc record setup by the DNS company as
> requested. So, this message would fail DMARC if setup for
> company.com to reject as you noted? I'll send them the request again and
> see, thanks.

In principle I recommend that everyone set up dmarc with p=reject for
their domains, but it is not to be undertaken lightly because it can
lead to rejection of their genuine but misconfigured emails (and cause
particular problems on mailing lists). I think your request to the
third party is unlikely to have any effect, and the problem you are
having needs to be tackled a different way.


Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Kris Deugau

RW wrote:

On Fri, 16 Nov 2018 08:44:52 -0500
Robert Fitzpatrick wrote:


We're having an issue with spam coming from the same company even
though SPF and DKIM is setup with DMARC to reject. Take this
forwarded email for instances


[ fake invoice email ]

SPF and DKIM rarely return "fail" on these because the envelope sender 
either doesn't publish either, or publishes them and they match.  SPF in 
particular would usually have nothing to do with the "obvious" From: 
address that most people would look at.



This is a pretty confusing question because it has nothing to do with
DMARC, SPF, or DKIM, and "same company" reads like "consistent
spammer".

I think what you're getting at is the use of a local address in the
author display name:


From: User  
To: other.u...@company.com


Did you actually mean that precise form, which looks invalid,


This certainly sounds like a series of fake invoice mails I've been 
getting a trickle of reports for, and if so, then yes, that is literally 
exactly what's in the original.


I dug through my reporting account's history and found one that came 
directly to my own account:


Delivered-To: kdeu...@vianet.ca
Return-Path: 
Received: from mail.vianet.ca [209.91.128.17]
	by pod.pem-lan with POP3 (fetchmail-6.3.26)
	for  (single-drop); Tue, 06 Nov 2018 09:05:12 -0500 (EST)
Received: from rla3.dizinc.com (rla3.dizinc.com [72.29.77.172]) by
 mx1.vianet.ca (Postfix) with ESMTPS id 83FE2E24D6 for ;
 Tue,  6 Nov 2018 09:03:08 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=corpmaqplast.com; s=default;
 h=Content-Type:MIME-Version:Subject:Message-ID
 :To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=+EAmfCv8FqMxiASYoMWTcRGrgS++5JXOIOM7h8kgXyw=;
 b=n/4UOgM/LfvfnVl8gzWrv7uU/P
 6GL1HJgU4KMmU/hsZR6sG5y/ijG09RLmuMK1OAoYULC8P4BewtmtfsDElVGXHU9P3EG6poaMliWeM
 RRxcaV8/DMUiFOa2O8Y1Q9F4OXpI8t19pAchCaR+OFs34+Npjwad/wkX/+E82uWs57gs0VJMH76z9
 UVynTFc+hRbwEFGdYPi+Gnc+fpvtbO7RN0pqcNOjLQWdEr2RcO2yg1hCPUs6z8HJ7gNYT1Wx7DQEj
 y6adnz0tG+sLmqsYYC/67cJYdgHuEfUvUIlCCRVgV38BXGJiDoRSsz6txHAaCYa7bXHZ892FN9EbC
 CIVnco0Q==;
Received: from [187.217.80.180] (port=3340 helo=10.1.34.37) by
 rla3.dizinc.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim
 4.91) (envelope-from ) id 1gK1wg-00073v-8J for
 kdeu...@vianet.ca; Tue, 06 Nov 2018 08:03:07 -0600
Date: Tue, 06 Nov 2018 14:03:06 +
From: John D. Smith  
To: kdeu...@vianet.ca
Message-ID: <35706717752563516902.8f4660866aa84...@vianet.ca>
Subject: John D. Smith Factures 0611-KDG47168618-939

In this instance SPF and DKIM passed, so whatever policies richland.edu 
might publish they're irrelevant and not checked.


This particular subseries also has an attached Word document, which is 
now getting flagged by ClamAV, but IIRC there have been a few that were 
either "just" phishing, or linked to malware instead of attaching it to 
the message.


Looking at a couple of other examples, there are also some in the form:

From: =?UTF-8?B?[encoded stuff]= 

where [encoded stuff] decodes to:

Some User 

-kgd
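The confusion in this thread comes down to which domain DMARC actually evaluates, and both Dominic Raferd's point about p=reject and Kris Deugau's "SPF and DKIM passed, so company policy is irrelevant" follow from it. An added example, not code from the thread or from opendmarc or SpamAssassin, that walks through the check with the identifiers a DMARC verifier sees: it looks up the policy of the RFC5322.From domain and asks whether a passing SPF or DKIM result is aligned with that domain. In the fake-invoice sample the From: address is the spammer's own domain (corpmaqplast.com sends and signs for itself, so it passes) and the victim company only appears in the display name, which DMARC never inspects; its policy, reject or not, is never fetched. The record text, the sample domains and the organisational-domain approximation are assumptions.

```python
# Constructed DMARC record for the spoofed domain; "company.com" is the
# placeholder used in the thread and the record text is an assumption.
COMPANY_DMARC = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@company.com"


def parse_dmarc(record):
    """Parse the tag=value pairs of a DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Organisational domain, approximated as the last two labels.  Real
    verifiers consult the Public Suffix List (co.uk and friends); the
    simplification is enough for the domains used here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, spf, dkim, policy_record=None):
    """Return (result, disposition) for one message.

    from_domain    domain of the RFC5322.From address, the one users see
    spf            (result, envelope-from domain), e.g. ("pass", "bulk.example")
    dkim           list of (result, d= domain), one per signature
    policy_record  DMARC TXT record of from_domain, or None if it has none
    """
    tags = parse_dmarc(policy_record) if policy_record else {}
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")

    # SPF authenticates the envelope sender, DKIM the d= domain; either one
    # counts only if it passed AND is aligned with the From: domain.
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim) for res, d in dkim)
    result = "pass" if (spf_ok or dkim_ok) else "fail"

    if not tags:
        return result, "none"          # no record published: nothing to enforce
    return result, ("none" if result == "pass" else tags.get("p", "none"))


if __name__ == "__main__":
    # 1. The thread's fake invoice: spammer's own domain in From:, signs for
    #    itself, company.com only in the display name.  Passes; the policy
    #    consulted is corpmaqplast.com's, which publishes none.
    print(dmarc_evaluate("corpmaqplast.com", ("pass", "corpmaqplast.com"),
                         [("pass", "corpmaqplast.com")], None))
    # 2. A real spoof of the From: address.  This is what p=reject stops.
    print(dmarc_evaluate("company.com", ("pass", "corpmaqplast.com"),
                         [("pass", "corpmaqplast.com")], COMPANY_DMARC))
    # 3. Genuine mail relayed through a list that rewrote the body and broke
    #    the signature: the collateral damage p=reject brings.
    print(dmarc_evaluate("company.com", ("pass", "lists.example"),
                         [("fail", "company.com")], COMPANY_DMARC))
```

Case 1 is why a rule on the From: display name (or on the mismatch between the display name and the real address) is the right tool for this spam: the authenticated identifiers are all telling the truth, and DMARC on the victim's domain has nothing to say about a message that never claims to be from it.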


Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread RW
On Fri, 16 Nov 2018 08:44:52 -0500
Robert Fitzpatrick wrote:

> We're having an issue with spam coming from the same company even
> though SPF and DKIM is setup with DMARC to reject. Take this
> forwarded email for instances

This is a pretty confusing question because it has nothing to do with
DMARC, SPF, or DKIM, and "same company" reads like "consistent
spammer".

I think what you're getting at is the use of a local address in the
author display name:

> From: User  
> To: other.u...@company.com

Did you actually mean that precise form, which looks invalid, or did you
mean one of:

From: "User " 
From: User , 
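An added example, not code from the thread, that checks a From: header for all three forms listed above plus the RFC 2047-encoded display name from Kris Deugau's message, by decoding the header and counting the addresses it contains, and that also ports the FROM_NO_COMMA regex posted earlier so the two can be compared on the same input. The sample headers, the base64 payload and the domains are constructed; local_domains is an assumed parameter standing for the domains you receive mail for.

```python
import base64
import re
from email.header import decode_header

ADDR_RE = re.compile(r"[\w.+%-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed From: headers covering the forms discussed in the thread.
_ENCODED_NAME = base64.b64encode(b"Some User <some.user@company.com>").decode()
SAMPLES = {
    "malformed": "John D. Smith <john.smith@company.com> <invoices@corpmaqplast.com>",
    "quoted":    '"User <user@company.com>" <bulk@corpmaqplast.com>',
    "comma":     "User <user@company.com>, <bulk@corpmaqplast.com>",
    "rfc2047":   f"=?UTF-8?B?{_ENCODED_NAME}?= <bulk@corpmaqplast.com>",
    "legit":     "User <user@company.com>",
    "legit_ext": "Some Vendor <ap@vendor.example>",
}


def decode_rfc2047(value):
    """Decode =?charset?B?...?= encoded words so the display name can be
    inspected; undecodable bytes are replaced rather than raising."""
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "us-ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def addresses_in(value):
    """Every address-shaped token in the decoded header, in order."""
    return ADDR_RE.findall(decode_rfc2047(value))


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def from_header_verdict(value, local_domains):
    """Classify a From: header.

    'display_name_spoof'  more than one address, the decoy (first) address
                          is in one of our domains and the real (last) is not
    'multiple_addresses'  more than one address, but not aimed at us
    None                  a single address
    """
    addrs = addresses_in(value)
    if len(addrs) < 2:
        return None
    decoy, real = addrs[0], addrs[-1]
    local = {d.lower() for d in local_domains}
    if domain_of(decoy) in local and domain_of(real) not in local:
        return "display_name_spoof"
    return "multiple_addresses"


def from_no_comma(value):
    """Port of the FROM_NO_COMMA regex from the thread: a '>' followed by
    whitespace and '<' with no double quote after it.  It catches the
    malformed form and nothing else."""
    return re.search(r'>\s*<[^"]*$', decode_rfc2047(value)) is not None


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:10} verdict={from_header_verdict(header, {'company.com'})!s:20}"
              f" FROM_NO_COMMA={from_no_comma(header)}")
```

SpamAssassin decodes RFC 2047 words before a plain `header` rule sees the value, so the posted regex also fires on the encoded form; what it does not cover are the quoted and comma-separated variants, which is where the address count earns its keep.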


Re: unexpected FN, how to improve/tune to catch

2018-11-16 Thread RW
On Fri, 16 Nov 2018 09:52:05 +0100
Matus UHLAR - fantomas wrote:

> On 15.11.18 09:42, Ian Zimmerman wrote:

> >  # This one disables Bayes.  ...
> > tiny detail. use_learner 0  
> 
> 1. this description is invalid. use_bayes disables bayes.


use_learner 0, in theory, disables all machine learning plug-ins.  


> 2. bayes is the best to help you to detect spam. Don't complain when
> you have disabled it.
> 
> >Where are all the other scores?  I would have expected at least
> >something for bit.ly and for the misspelled closing line, which is a
> >dead spam give-away to a human ...  

It has a missing letter, I'm a poor typist, I miss letters often.
Spelling mistakes are most useful for Bayes, which you turned-off.


Re: Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Dominic Raferd
On Fri, 16 Nov 2018 at 13:45, Robert Fitzpatrick  wrote:
>
> We're having an issue with spam coming from the same company even though
> SPF and DKIM is setup with DMARC to reject. Take this forwarded email
> for instances
>
> >  Original message 
> > From: User 
> > Date: 11/15/18 10:42 AM (GMT-07:00)
> > To: Other User 
> > Subject: OVERDUE INVOICE
> >
> > Sorry for the delay…. This is an invoice reminder. The total for your item 
> > is $1,879.17.
> >
> > THX,
> >
> > -
> >
> > User
> > T 123.456.7890 | O 123.456.7891
> > EMail:u...@company.com
>
> However, the raw headers show as this...
>
> > Date: Thu, 15 Nov 2018 18:35:35 +0100
> > From: User 
> > 
> > To: other.u...@company.com
> > Message-ID: <860909106225419267.2007038e08376...@company.com>
> > Subject: OVERDUE INVOICE
>
> Could someone suggest a rule to match the signature with the last From
> email or envelope from? Or another suggestion how this could be resolved.
>
> Thanks!

Please clarify what you mean by 'even though SPF and DKIM is setup
with DMARC to reject'? I presume that 'company.com' does not have a
DMARC p=reject policy, or else your DMARC program (e.g. opendmarc)
should block forged emails from them.


Forgery with SPF/DKIM/DMARC

2018-11-16 Thread Robert Fitzpatrick
We're having an issue with spam coming from the same company even though 
SPF and DKIM is setup with DMARC to reject. Take this forwarded email 
for instances


 Original message  
From: User  
Date: 11/15/18 10:42 AM (GMT-07:00) 
To: Other User  
Subject: OVERDUE INVOICE 

Sorry for the delay…. This is an invoice reminder. The total for your item is $1,879.17. 

THX, 

- 

User 
T 123.456.7890 | O 123.456.7891 
EMail:u...@company.com


However, the raw headers show as this...


Date: Thu, 15 Nov 2018 18:35:35 +0100
From: User 

To: other.u...@company.com
Message-ID: <860909106225419267.2007038e08376...@company.com>
Subject: OVERDUE INVOICE


Could someone suggest a rule to match the signature with the last From 
email or envelope from? Or another suggestion how this could be resolved.


Thanks!

--
Robert



Re: unexpected FN, how to improve/tune to catch

2018-11-16 Thread Matus UHLAR - fantomas

On 15.11.18 09:42, Ian Zimmerman wrote:

This little pearl got through upstream filter on a mailing list.


such spam is very hard to detect, because mailing lists tend to clear
negative-scoring rules and add some positive-scoring.

such spam should be filtered at mailing list level before this happens.


My scores for it were:

 RCVD_IN_DNSWL_MED=-2.3,SPF_HELO_PASS=-0.0,MAILING_LIST_MULTI=-1.0,TOTAL=-3.3


these are standard rules, and since the mail came from a mailing list, it's
expected to score negatively.

what can help you
- BAYES
- network rules
- URI blacklists

Do you have those enabled?


Here is my user_prefs file:

 # This one disables Bayes.  If you want to use Bayes remove or comment
 # out this line.  You'll need to manage your Bayes database with a
 # cronjob or something.  I can help but I won't do the last tiny detail.
 use_learner 0


1. this description is invalid. use_bayes disables bayes.

2. bayes is the best to help you to detect spam. Don't complain when you
have disabled it.


Where are all the other scores?  I would have expected at least
something for bit.ly and for the misspelled closing line, which is a
dead spam give-away to a human ...


did you enable/install razor, pyzor, dcc, spf and dkim libraries?


I have run spamassassin -D on it and everything seems to work as
designed i.e. the tests including URIBL run fine, they just don't catch
anything.  It's disappointing.


apparently it does not contain any URI.


Maybe the KAM rules would have got this one?


no. They can help, but hardly help you to push -3.3 scoring mail received
via mailing list over spam threshold.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.