Re: OT: Re: Unsubscribe link at the bottom.
On Mon, 5 Apr 2021, Grant Taylor wrote:

> On 4/5/21 8:41 PM, Peter West wrote:
>> I'd agree it's address verification, as with the Unsubscribe link at
>> the bottom.
>
> I'm of the opinion that if I have any inkling of knowledge of the
> company sending the email, and SPF/DKIM/DMARC pass, I'll probably use
> the unsubscribe link.
>
> Recently I ran into a 404 from the unsubscribe link from a company
> that my wife did business with. *facepalm*

What ticks me off is an unsubscribe link that goes to a javascript-heavy
page and that *won't work* without javascript.

And an unsubscribe link with a huge identifying key on it, yet the
unsubscribe page still asks you to enter your email address...

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Are you a mildly tech-literate politico horrified by the level of
 ignorance demonstrated by lawmakers gearing up to regulate online
 technology they don't even begin to grasp? Cool. Now you have a tiny
 glimpse into a day in the life of a gun owner.       -- Sean Davis
---
 7 days until Thomas Jefferson's 278th Birthday
"Please send us a quote..."?
Can anybody explain to me the reason behind the blind "please send us a
quote for your product X" emails?

I mean, I know they are somehow a scam, but I can't figure out how it's
supposed to work when the target isn't a business...

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Think Microsoft cares about your needs at all?
 "A company wanted to hold off on upgrading Microsoft Office for a year
 in order to do other projects. So Microsoft gave a 'free' copy of the
 new Office to the CEO -- a copy that of course generated errors for
 anyone else in the firm reading his documents. The CEO got tired of
 getting the 'please re-send in XX format' so he ordered other projects
 put on hold and the Office upgrade to be top priority."
                                                -- Cringely, 4/8/2004
---
 8 days until Thomas Jefferson's 278th Birthday
Re: Update SA on CentOS
On Sat, 3 Apr 2021, Amir Caspi wrote:

> For what it's worth, using the Fedora package has been exceedingly
> stable on my CentOS 7 system.

Another CentOS 7 user here. I've been using self-compiled Fedora Rawhide
SRPMs in production for years with no issues.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 10 days until Thomas Jefferson's 278th Birthday
Re: URI_TRY_3LD FP on mynews.apple.com
On Fri, 2 Apr 2021, Adam Katz wrote:

> Hey, John et al. It's been a while. I hope things are going well.
>
> I've found an FP on URI_TRY_3LD from
> https://mynews.apple.com/subscriptions?… that you could solve by adding
> a new alternation to the relevant negative lookahead in that regex:

-uri URI_TRY_3LD m,^https?://(?:try|start|get(?!.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)w)[^.]*.[^/]+.(?:com|net)b,i
+uri URI_TRY_3LD m,^https?://(?:try|start|get(?!.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!news.apple.|sub|turbotax)w)[^.]*.[^/]+.(?:com|net)b,i

> However, its hit freqs [1] show an S/O hovering around 0.100 and with
> the GA consistently scoring it so close to your specified 2.000 limit,
> I doubt this tweak will help enough. I suggest further FP mitigations
> and perhaps a lower score limit.

I will take a look, thanks for the report.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 307 days since the first private commercial manned orbital mission (SpaceX)
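Review bot: the backslashes have been stripped from both lines somewhere in transit (`get(?!.adobe)`, `my(?!sub|turbotax)w`, `[^.]*.[^/]+.(?:com|net)b`), so as pasted the `.` in the new `news.apple.` alternation matches any character and the trailing `b` is a literal letter rather than `\b`; before committing, confirm the escaped form `my(?!news\.apple\.|sub|turbotax)\w` and that the trailing `\.` is intended (it exempts `mynews.apple.<anything>`, not only `mynews.apple.com`). Also note that a per-host exclusion in the lookahead has to be repeated for every legitimate `my*` sender that turns up; given the S/O of about 0.100 quoted in the same message, the lower score limit suggested there would do more for false positives than this single alternation.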
Re: Are X-MC-xxx headers legit?
On Mon, 29 Mar 2021, Loren Wilton wrote:

> I'd call these headers a great spam sign.

Depending on their rarity... :)

Occasionally spammers will screw up and leave template replacement tokens
in their message bodies. Great spam sign, too rare to be useful in
practice.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 If you ask amateurs to act as front-line security personnel,
 you shouldn't be surprised when you get amateur security.
                                                  -- Bruce Schneier
---
 3 days until April Fools' day
Re: What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?
On Sun, 28 Mar 2021, Steve Dondley wrote:

> So what's the giveaway that this is spam and what rule can I add to
> get SA to recognize it as such? And what is the best way for me to
> learn how to analyze the headers so I can recognize spam myself? Any
> good tutorials for this?

The obfuscated "xfinity" in the From header is what caught my eye:

>  54 From: "x-flnltycomcastvoicemail_ref.no01...@comcast.net"
>  55

If you keep seeing such, then a FUZZY_XFINITY_FM rule might be
worthwhile. Unfortunately it was sent via Comcast MTAs so SPF/DKIM
aren't helpful here to detect spoofing.

A From header address rule for "comcastvoicemail" might be useful as
well, depending on whether or not you get legitimate voicemail
announcements from Comcast and what they look like.

>  78 - This mail is in HTML. Some elements may be ommited in plain text. -

Spelling and grammar errors potentially give Bayes something to work
with. Feed the message to Bayes as spam.

> 107 Content-Type: application/octet-stream;
> 108 name="Mar-28 Voicemail.eml"

That filename looks suspicious. .eml is an attachment generally used
for mailbox-format email message attachments. Why would a voicemail be
delivered in that format?

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 ...if the government does not trust me to own firearms, why or how can
 the people be expected to trust the government?
                             -- Theodore Haas, Dachau survivor
---
 4 days until April Fools' day
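The two signs picked out above, the look-alike brand name in the From header and the ".eml voicemail" attachment, as an added Python example that is not part of the thread or of SpamAssassin. The message text, the homoglyph table and the list of suspicious extensions are constructed for the example; a real FUZZY_XFINITY_FM rule would be a SpamAssassin header rule, this is the same check expressed so it can be run over a saved message.

```python
import email
import re
from email import policy

# Constructed sample modelled on the message discussed above (not the original
# spample): an obfuscated "xfinity" in the From display name and a "voicemail"
# delivered as a .eml attachment.
SAMPLE = """\
From: "x-flnltycomcastvoicemail_ref.no0123@comcast.net" <x-flnltycomcastvoicemail_ref.no0123@comcast.net>
To: victim@example.org
Subject: New voicemail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have recieved a new voice mesage. Open the attachment to listen.
--b1
Content-Type: application/octet-stream; name="Mar-28 Voicemail.eml"
Content-Disposition: attachment; filename="Mar-28 Voicemail.eml"

(attachment body omitted)
--b1--
"""

# Look-alike substitutions spammers use inside brand names.  Assumption: this
# small table covers the "x-flnlty" style seen here; extend it as you see more.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o",
                            "3": "e", "5": "s", "$": "s", "4": "a", "7": "t"})
BRANDS = ("xfinity", "comcast")


def fold(s):
    """Lower-case, drop separators and punctuation, map look-alikes, so that
    'x-flnlty' and 'xfinity' fold to the same string."""
    return re.sub(r"[^a-z0-9|$]", "", s.lower()).translate(HOMOGLYPHS)


def fuzzy_brand_hits(text, brands=BRANDS):
    """Brands present only in obfuscated form (a FUZZY_<BRAND>-style test):
    the folded brand occurs in the folded text, but the literal brand does not."""
    folded = fold(text)
    return [b for b in brands if fold(b) in folded and b not in text.lower()]


def suspicious_attachments(msg):
    """Attachment names whose extension does not fit a 'voicemail'."""
    return [part.get_filename() for part in msg.iter_attachments()
            if re.search(r"\.(eml|html?|js|iso|img)$", part.get_filename() or "", re.I)]


def check(raw):
    """Run both checks over one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"fuzzy_brand": fuzzy_brand_hits(str(msg.get("From", ""))),
            "bad_attachment": suspicious_attachments(msg)}
```

The exclusion `b not in text.lower()` is what keeps a genuine "Comcast" sender from hitting: the rule fires only when the brand is present after folding but absent verbatim, which is the obfuscation itself rather than the brand name.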
Re: ANN: ReturnPath rule renaming
On Fri, 26 Mar 2021, Dave Wreski wrote:

> Hi,
>
>> RCVD_IN_RP_CERTIFIED -> RCVD_IN_VALIDITY_CERTIFIED
>> RCVD_IN_RP_SAFE -> RCVD_IN_VALIDITY_SAFE
>> RCVD_IN_RP_RNBL -> RCVD_IN_VALIDITY_RPBL
>>
>> Please audit your local config for score overrides and meta rules
>> depending on the old names.
>
> I don't see that the VALIDITY rules exist yet. Will they be in
> tonight's update?

The change went in today, they should go through masscheck and be
published tomorrow.

> How do you recommend we manage the period where the old rules with our
> meta rules are not invalidated with the publishing of the new rules?
> We could duplicate our rules with the old and new, but just wanted to
> see if there was a plan already for dealing with this.

I'd be a bit surprised if anyone was actually meta'ing them.

It's not a fatal lint error, you only see a warning if you run with -D.

Duplicating any such rules now and cleaning up in a day or two is
probably a reasonable approach.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 ...to announce there must be no criticism of the President or to stand
 by the President right or wrong is not only unpatriotic and servile,
 but is morally treasonous to the American public.
                                         -- Theodore Roosevelt, 1918
---
 300 days since the first private commercial manned orbital mission (SpaceX)
Re: ReturnPath rule renaming
On Fri, 26 Mar 2021, Loren Wilton wrote:

>> In order to bring the SenderScore/ReturnPath DNS reputation and
>> blocklist rules up-to-date with their current ownership and
>> administration, the rules are being renamed:
>>
>> RCVD_IN_RP_CERTIFIED -> RCVD_IN_VALIDITY_CERTIFIED
>> RCVD_IN_RP_SAFE -> RCVD_IN_VALIDITY_SAFE
>> RCVD_IN_RP_RNBL -> RCVD_IN_VALIDITY_RPBL
>
> John, you might add this text to the comment you made on Bug 6247. I
> read through your comment there, then went and scanned the entire
> comment stream in the bug (most all from 2009) to try to figure out
> what was being changed, and finally came up empty. There was no
> description of what the ownership change was, nor the administration
> change, nor any mention of what exactly had been changed in the rules.

I'll add that, but in my comment is mention of the SVN revision for the
changes, and in bugzilla that's a hot link. All the changes are there.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 ...to announce there must be no criticism of the President or to stand
 by the President right or wrong is not only unpatriotic and servile,
 but is morally treasonous to the American public.
                                         -- Theodore Roosevelt, 1918
---
 300 days since the first private commercial manned orbital mission (SpaceX)
ANN: ReturnPath rule renaming
All:

In order to bring the SenderScore/ReturnPath DNS reputation and
blocklist rules up-to-date with their current ownership and
administration, the rules are being renamed:

RCVD_IN_RP_CERTIFIED -> RCVD_IN_VALIDITY_CERTIFIED
RCVD_IN_RP_SAFE -> RCVD_IN_VALIDITY_SAFE
RCVD_IN_RP_RNBL -> RCVD_IN_VALIDITY_RPBL

Please audit your local config for score overrides and meta rules
depending on the old names.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: AWL on 3.4
On Sun, 21 Mar 2021, Simon Wilson wrote:

> I've just migrated and updated to SA 3.4, and have moved the Bayes db
> to Redis.
>
> I used to use AWL but don't think the module is loaded in 3.4, am I
> correct? There seems to be mixed commentary online about whether to
> enable it - I'll leave it off for a few weeks and see how it goes, but
> am interested in comments on its usefulness?

It's pretty much been replaced by TxRep.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 294 days since the first private commercial manned orbital mission (SpaceX)
URIBL_BLOCKED (was: Re: Problem with local.cf rules)
On Wed, 17 Mar 2021, Peter West wrote:

> The most pertinent stuff I found was this Confluence page:
>
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver
>
> So it looks as though I have to install a primary nameserver and a
> secondary rbldnsd.
>
> I'm trying to translate this – Rsync the feed files into
> /var/lib/rbldnsd which seems to be this set
>
> dul.dnsbl.sorbs.net:ip4set:dul.dnsbl.sorbs.net
> http.dnsbl.sorbs.net:dnset:http.dnsbl.sorbs.net
> smtp.dnsbl.sorbs.net:ip4set:smtp.dnsbl.sorbs.net
> new.spam.dnsbl.sorbs.net:ip4set:new.spam.dnsbl.sorbs.net
> dnsbl-1.uceprotect.net:ip4set:dnsbl-1.uceprotect.net

Agh, no, that's *way* too much to just fix URIBL_BLOCKED...

The critical bit from that Confluence page is this:

  A local DNS caching server should not forward to other DNS servers to
  ensure your queries are not combined with others.

Normally what you do when setting up a computer is you configure it to
forward DNS requests to your ISP for them to handle. Along with the
requests from all the ISP's other customers. Which then exceeds the free
query limits imposed by the various DNSBL providers.

What you need to do is set up a local DNS server that does the name
resolution itself, rather than passing that work off to your ISP.

So:

(1) install a local nameserver,

(2) configure it to do recursive name resolution (vs. "forwarding")
    (assuming it doesn't come that way out-of-the-box),

(3) point SpamAssassin (and potentially also your MTA) at that
    nameserver rather than at your ISP.

That's it at the most basic level.

*Refinements* include:

- configuring the nameserver so that the DNSBL traffic is resolved
  locally and other traffic is forwarded to your ISP to take advantage
  of their cache - "split resolution"

- configuring a local authoritative DNS server (like rbldnsd) for
  high-volume DNSBL feeds (if your traffic level by itself exceeds their
  free-query limits) and for custom blocklists you maintain yourself

So initially, don't get distracted by the rbldnsd stuff.

Just pick a DNS server and install it locally, and run the tests in the
Testing section of that Confluence page. If that works, point
SpamAssassin at it as described in the Using section of that Confluence
page.

> On 15 Mar 2021, at 1:29 am, John Hardin wrote:
>> On Sun, 14 Mar 2021, jwmi...@gmail.com wrote:
>>> Peter West writes:
>>>> And
>>> You might want to fix the URIBL_BLOCKED issue.
>>>
>>> Fixing the URIBL_BLOCKED issue will do far more to fix your issues
>>> than adding rules.
>>
>> Seconded.
>>
>> The keywords here are "local, caching, *NON-FORWARDING* DNS server
>> for SpamAssassin".
>>
>> If that isn't enough to set you on the right path, search the mailing
>> list archives for "URIBL-BLOCKED" or "URIBL DNS" for previous
>> discussions of this topic.
>>
>> If that history isn't enough, feel free to ask for assistance.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Think Microsoft cares about your needs at all?
 "A company wanted to hold off on upgrading Microsoft Office for a year
 in order to do other projects. So Microsoft gave a 'free' copy of the
 new Office to the CEO -- a copy that of course generated errors for
 anyone else in the firm reading his documents. The CEO got tired of
 getting the 'please re-send in XX format' so he ordered other projects
 put on hold and the Office upgrade to be top priority."
                                                -- Cringely, 4/8/2004
---
 290 days since the first private commercial manned orbital mission (SpaceX)
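The three steps above, as an added configuration example that is not from the Confluence page, the thread, or the SpamAssassin project: the forwarding shape of an unbound.conf that produces URIBL_BLOCKED, the recursive shape that fixes it, and the local.cf line that points SpamAssassin at the local resolver. The file paths, the 192.0.2.53 ISP resolver address and the TTL cap are assumptions; unbound is used only because it is recursive by default once the forward-zone is gone.

```conf
# /etc/unbound/unbound.conf  (added example; paths and addresses are assumptions)
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    cache-max-ttl: 3600     # cache DNSBL answers, but never past an hour

# WEAK: a forward-zone for "." hands every lookup, DNSBL queries included,
# to the ISP's resolver.  The DNSBL provider then sees the ISP's address,
# shared with all of its other customers, and answers 127.0.0.1 ("blocked")
# once that shared address exceeds the free-query limit.
#forward-zone:
#    name: "."
#    forward-addr: 192.0.2.53

# CORRECTED: no forward-zone at all.  unbound walks the delegation from the
# root servers itself, so the DNSBL sees only this host's query volume.
# (The "split resolution" refinement, forwarding ordinary traffic to the ISP
# but resolving the DNSBL zones locally, is a later tuning step.)

# /etc/mail/spamassassin/local.cf: query the local resolver, not the ISP's
# (the MTA gets the same via "nameserver 127.0.0.1" in /etc/resolv.conf).
dns_server 127.0.0.1

# Verify from a shell:   dig +short test.uribl.com.multi.uribl.com @127.0.0.1
# 127.0.0.1 in the answer means the query was refused (what URIBL_BLOCKED
# keys on); any other 127.0.0.x answer means the local resolver gets through.
```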
Re: Problem with local.cf rules
On Sun, 14 Mar 2021, jwmi...@gmail.com wrote:

> Peter West writes:
>> And
> You might want to fix the URIBL_BLOCKED issue.
>
> Fixing the URIBL_BLOCKED issue will do far more to fix your issues
> than adding rules.

Seconded.

The keywords here are "local, caching, *NON-FORWARDING* DNS server for
SpamAssassin".

If that isn't enough to set you on the right path, search the mailing
list archives for "URIBL-BLOCKED" or "URIBL DNS" for previous
discussions of this topic.

If that history isn't enough, feel free to ask for assistance.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Failure to plan ahead on someone else's part does not constitute an
 emergency on my part.                  -- David W. Barts in a.s.r
---
 Today: Daylight Saving Time begins in U.S. - Spring Forward
Re: Problem with local.cf rules
On Mon, 15 Mar 2021, Peter West wrote:

> Well, that was simple. Thank you.
>
> What's the default value of a rule? Does it have one?

The default score for all rules is 1 point.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Failure to plan ahead on someone else's part does not constitute an
 emergency on my part.                  -- David W. Barts in a.s.r
---
 Today: Daylight Saving Time begins in U.S. - Spring Forward
Re: How do I determine if user's email is being checked against the side-wide database?
On Sat, 13 Mar 2021, Steve Dondley wrote:

> I *think* I now have site-wide bayes filtering working for all users
> on a server. I've edited /etc/spamassassin/local.cf to include
> "bayes_path" and "bayes_file_mode" and I don't see any errors about
> permissions being wrong from debian-spamd in mail.log.
>
> But rather than guessing, I'm wondering if there is a way I can
> objectively confirm that email for a particular user is getting
> checked against the site-wide bayes database. Thanks.

Are there any BAYES hits on their messages, ham or spam? BAYES_{not 50}
would be a positive confirmation. I'm not sure offhand if BAYES_50 hits
when bayes is enabled but insufficiently trained...

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Failure to plan ahead on someone else's part does not constitute an
 emergency on my part.                  -- David W. Barts in a.s.r
---
 Tomorrow: Daylight Saving Time begins in U.S. - Spring Forward
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021, RW wrote:

> On Sun, 28 Feb 2021 07:42:42 -0800 (PST)
> John Hardin wrote:
>
>> On Sun, 28 Feb 2021, Michael Grant wrote:
>>
>>> I've traced through the AskDNS plugin and it's definitely only
>>> looking at the first response that gets returned in this case.
>>>
>>> I also tried a regex submatch like:
>>>
>>> askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/
>>>
>>> and still not working. The AskDNS code which loops through the
>>> result only looks at the alias result that's returned.
>>
>> I would indeed characterize that as a bug in the AskDNS plugin. The
>> fact that it is an alias is not useful information to the evaluation
>> of the message's spamminess, and the information that *is* useful -
>> critical, in fact - is being discarded.
>>
>> Please open a bugzilla ticket for this.
>
> There is already a very similar one:
>
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7875

Ok, good.

The AskDNS plugin code on trunk has had several changes that have not
been merged to the 3.4 branch for release. I just ran a quick test on
trunk with an askdns rule for a host that is a CNAME and it appeared to
work properly - it went through all the responses and the rule did hit
on the final resolved IP address.

Feb 28 08:18:40.625 [29038] dbg: dns: bgread: received 860 bytes from 10.1.0.254
Feb 28 08:18:40.628 [29038] dbg: dns: dns reply 39497 is OK, 2 answer records
Feb 28 08:18:40.628 [29038] dbg: askdns: answer received (__ASKDNS_DNAME_TEST), rcode NOERROR, query IN/A/ftp.impsec.org, answer has 2 records
Feb 28 08:18:40.628 [29038] dbg: askdns: rr_type = CNAME
Feb 28 08:18:40.628 [29038] dbg: askdns: rr_type = A
Feb 28 08:18:40.628 [29038] dbg: askdns: domain "ftp.impsec.org" listed (__ASKDNS_DNAME_TEST): 108.161.139.220

I don't know whether these changes, or just the recommended fix in 7875,
will make it into the pending 3.4 release.

Michael, you might consider using trunk for your SA install, or if
that's too risky, potentially pulling just the AskDNS plugin from trunk.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Are you a mildly tech-literate politico horrified by the level of
 ignorance demonstrated by lawmakers gearing up to regulate online
 technology they don't even begin to grasp? Cool. Now you have a tiny
 glimpse into a day in the life of a gun owner.       -- Sean Davis
---
 14 days until Albert Einstein's 142nd Birthday
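The difference between the reported behaviour (only the first RR is examined, so the CNAME hides the listing) and the walk-all-records behaviour shown in the trunk debug output above, as an added Python example that is not the AskDNS plugin's code. The answer sections are constructed to mirror the debug output and Michael's sendgrid-id lookup; the record names and addresses in the second set are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class RR:
    """One resource record from a DNS answer section."""
    name: str
    rtype: str
    rdata: str


# Constructed answer sections (not captured traffic).  The first mirrors the
# debug output above: the queried name is a CNAME and the A record comes second.
ANSWER_FTP = [
    RR("ftp.impsec.org", "CNAME", "www.impsec.org"),
    RR("www.impsec.org", "A", "108.161.139.220"),
]
# A DNSBL-style lookup whose listing name is itself an alias; the record
# we care about is the 127.0.0.2 that comes back after the alias.
ANSWER_RBL = [
    RR("12345.sendgrid-id.localhost", "CNAME", "listed.sendgrid-id.localhost"),
    RR("listed.sendgrid-id.localhost", "A", "127.0.0.2"),
    RR("unrelated.localhost", "A", "127.0.0.2"),  # not part of the chain
]


def first_rr_only(answer, wanted_type, pattern):
    """The behaviour reported above: only the first RR is examined, so an
    alias hides the A record and the rule never hits."""
    rr = answer[0]
    return rr.rtype == wanted_type and re.search(pattern, rr.rdata) is not None


def chain_match(query_name, answer, wanted_type, pattern):
    """Walk the whole answer: follow CNAMEs from the queried name, then test
    only records of wanted_type that belong to that chain.  Returns the
    matching rdata, or None."""
    names = {query_name.lower()}
    grew = True
    while grew:                       # follow CNAME -> CNAME -> ... chains
        grew = False
        for rr in answer:
            if rr.rtype == "CNAME" and rr.name.lower() in names \
                    and rr.rdata.lower() not in names:
                names.add(rr.rdata.lower())
                grew = True
    for rr in answer:
        if rr.rtype == wanted_type and rr.name.lower() in names \
                and re.search(pattern, rr.rdata):
            return rr.rdata
    return None
```

Restricting the final test to names reachable from the query is deliberate: a resolver may append unrelated additional records, and a 127.0.0.2 that is not on the alias chain is not a listing of the queried name.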
Re: AskDNS with a DNAME
On Sun, 28 Feb 2021, Michael Grant wrote:

> I've traced through the AskDNS plugin and it's definitely only looking
> at the first response that gets returned in this case.
>
> I also tried a regex submatch like:
>
> askdns RBL_SENDGRID_ID _SENDGRIDID_.sendgrid-id.localhost A /127.0.0.2/
>
> and still not working. The AskDNS code which loops through the result
> only looks at the alias result that's returned.

I would indeed characterize that as a bug in the AskDNS plugin. The fact
that it is an alias is not useful information to the evaluation of the
message's spamminess, and the information that *is* useful - critical,
in fact - is being discarded.

Please open a bugzilla ticket for this.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Usually Microsoft doesn't develop products, we buy products.
                       -- Arno Edelmann, Microsoft product manager
---
 14 days until Albert Einstein's 142nd Birthday
Re: BIGNUM_EMAILS false positive
On Fri, 26 Feb 2021, Matus UHLAR - fantomas wrote:

> Hello,
>
> it seems that BIGNUM_EMAILS hits on signatures containing an e-mail
> address after a telephone number like:
>
> Mobil: +421 904 000 111 e-mail: addr...@example.com
>
> Feb 26 14:25:49.116 [7638] dbg: rules: ran body rule __BIGNUM_EMAILS ==> got hit: "000 111 e-mail"

OK, I will see about tuning it. Thanks for the report.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 If you trust the government, you obviously failed history class.
                                                    -- Don Freeman
---
 272 days since the first private commercial manned orbital mission (SpaceX)
Re: Rules for a recent flood of BTC/webcam spam
On Fri, 26 Feb 2021, RW wrote:

> It's also possible to tighten the range down to {32,33} or even {33}
> without losing many matches:
>
> $ for n in `jot 12 25` ; do printf "$n" ; < bitcoinlist egrep "^[13].{${n}}$" | wc -l ; done
> 25        0
> 26        0
> 27        0
> 28        0
> 29        3
> 30        1
> 31        4
> 32     1659
> 33    50290
> 34        8

Interesting analysis, thanks. I'll tighten it up a bit based on that.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 USMC Rules of Gunfighting #20: The faster you finish the fight,
 the less shot you will get.
---
 271 days since the first private commercial manned orbital mission (SpaceX)
Re: Mal formed urls
On Thu, 25 Feb 2021, Rick Cooper wrote:

> I was just working on some rules to catch the current crop of
> malformed urls used to escape detection by solutions that extract urls
> from emails and compare them to known bad urls and I am wondering if
> spamassassin's patterns for extraction take this into account? For
> instance:
>
> https:www.google.com/mail
> https:\/www.google.com/mail
> https:\\www.google.com/mail
>
> Will all work at getting you to gmail because the technical spec
> doesn't actually require \\ after the colon. Will spamassassin still
> extract and normalize the urls above? I was hoping to avoid digging
> through the source to find out.

Yes, all of those do get detected and normalized.

http:fnord01.com/blah
http:\/fnord02.com/blah
http:/\fnord03.com/blah
http:\\fnord04.com/blah

Feb 25 13:24:03.445 [13854] dbg: rules: ran uri rule __ALL_URI ==> got hit: "http://fnord03.com/blah"
Feb 25 13:24:03.446 [13854] dbg: rules: ran uri rule __ALL_URI ==> got hit: "http://fnord02.com/blah"
Feb 25 13:24:03.447 [13854] dbg: rules: ran uri rule __ALL_URI ==> got hit: "http://fnord01.com/blah"
Feb 25 13:24:03.447 [13854] dbg: rules: ran uri rule __ALL_URI ==> got hit: "http://fnord04.com/blah"

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Are you a mildly tech-literate politico horrified by the level of
 ignorance demonstrated by lawmakers gearing up to regulate online
 technology they don't even begin to grasp? Cool. Now you have a tiny
 glimpse into a day in the life of a gun owner.       -- Sean Davis
---
 271 days since the first private commercial manned orbital mission (SpaceX)
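The normalization the debug lines above show SpamAssassin performing, as an added Python example that is not SpamAssassin's URI extraction code: a deliberately loose pattern that accepts any mix of zero to two slashes or backslashes after the scheme, then rewrites what it finds into canonical `scheme://host/path` form, which is the form a blocklist lookup expects. The sample text is constructed from the four test URLs above plus two extra cases.

```python
import re

# Constructed sample: the four test URLs from the debug output above, a normal
# URL, and one with mixed case and a backslashed path.
SAMPLE = r"""
Normal: https://www.google.com/mail
Sloppy: http:fnord01.com/blah http:\/fnord02.com/blah http:/\fnord03.com/blah http:\\fnord04.com/blah
Mixed case and backslashed path: HTTPS:\\Example.COM\path?x=1 ok
"""

LOOSE_URL = re.compile(r"""
    \b(https?):                                 # scheme; the "//" after it is what gets mangled
    [/\\]{0,2}                                  # zero, one or two of / or \ in any order
    ([a-z0-9](?:[a-z0-9-]*[a-z0-9])?            # host: first label ...
     (?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)    # ... and at least one more label
    ((?:[/\\?#][^\s<>"']*)?)                    # optional path/query, backslashes allowed
""", re.I | re.X)


def extract_and_normalize(text):
    """Return every URL in text, rewritten as lower-cased scheme://host plus
    the path with backslashes turned into forward slashes."""
    out = []
    for m in LOOSE_URL.finditer(text):
        scheme, host, rest = m.groups()
        out.append(f"{scheme.lower()}://{host.lower()}{rest.replace(chr(92), '/')}")
    return out
```

The host is matched only with characters that cannot be part of the separator, so `http:/\fnord03.com` and `http:\\fnord04.com` land on the same canonical string as `http://fnord04.com`; comparing the canonical form rather than the raw text is what defeats the evasion Rick describes.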
Re: Rules for a recent flood of BTC/webcam spam
On Thu, 25 Feb 2021, RW wrote:

> On Wed, 24 Feb 2021 18:37:42 -0800 (PST)
> John Hardin wrote:
>
>> On Wed, 24 Feb 2021, Alan wrote:
>>
>>> After a little more research, a better regex for an obfuscated BTC
>>> address is
>>>
>>> /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/
>>>
>>> It might be worth adding = and _ to the obfuscating delimiters. YMMV.
>>
>> I've updated __BITCOIN_ID with -, = and _ obfuscations, which I
>> haven't seen myself yet. Thanks!
>
> Possibly
>
> (?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){25,34}|[a-km-zA-HJ-NP-Z1-9]{25,34})
>
> should be
>
> (?:[-_=\s]*[a-km-zA-HJ-NP-Z1-9]){25,34}
>
> It's shorter and more general.

I'd prefer:

(?:[-_=\s]?[a-km-zA-HJ-NP-Z1-9]){25,34}

The reason I haven't is I have not seen a mixture yet - it's either all
spaced or not at all. I'll take a look at that tonight when I have some
time.

The more loose you get with matching obfuscation the greater the chance
of false positives. Consider, for example, the PGP key in my .sig (which
has a zero, but I'd wager there are PGP key signatures that look like
obfuscated bitcoin wallet addresses...)

Also, there's a limit to how complex the obfuscation can get before the
recipient can't (or won't) follow the instructions.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Where are my space habitats? Where is my flying car? It's 2010 and all
 I got from the SF books of my youth is the lousy dystopian government.
                                                         -- perlhaqr
---
 271 days since the first private commercial manned orbital mission (SpaceX)
Re: Trouble with XM_RANDOM rule
On Thu, 25 Feb 2021, Jared Hall wrote:

> On 2/24/2021 9:43 PM, John Hardin wrote:
>> The __XM_RANDOM header rule is intended to catch the specific
>> condition of the email, the scored XM_RANDOM meta is intended to add
>> points for when that condition indicates spam.
>
> Ouch, I figured as much. With a name like XM_RANDOM, it's gotta be
> good :)
>
> I recall about 10 years ago getting floods with (pseudo)random (eg:
> qxvfdgeexcfffdf, etc) type mailers. I was just wondering if this was
> artifactual.

It's current. Somebody decided to send a large spam campaign using
forged sender addresses in my wife's domain, so I got a lot of NDA
bounces with spam content I don't usually see. There were a lot of
random gibberish mailers, as well as some that look plausible at a
glance but suspicious upon further consideration. I got a bunch of new
rules off that so I'm not complaining too hard.

> I don't know if you Guys (pc: and Gals) keep notes when each rule gets
> developed and what not. But that's not really a question for this
> list, so No Big Deal.

For myself, not beyond the SVN history.

> I've been scanning all outbound Email for 3-1/2 years now. I scan at
> the SMTP level, with no discernible performance hit. It certainly has
> saved my butt on a few occasions.
>
> Now I *opine* this: There is something to the ZERO-TRUST security
> model.

Hm, yeah.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Where are my space habitats? Where is my flying car? It's 2010 and all
 I got from the SF books of my youth is the lousy dystopian government.
                                                         -- perlhaqr
---
 271 days since the first private commercial manned orbital mission (SpaceX)
Re: Trouble with XM_RANDOM rule
On Wed, 24 Feb 2021, Jared Hall wrote:

> On 2/24/2021 9:10 AM, Alessio Cecchi wrote:
>> that match "X-Mailer =~ /q(?!q?mail|\d|[-\w]*=+;)[^u]/i"
>
> AND the body DOESN'T have Invisible Text Styles AND there is no
> In-Reply-To header. Seems a little excessive to me. Points added for
> good behavior? Am I reading that right?

It's avoiding combinations in masscheck that hit only ham, or, absent
that, hit far more ham than spam, in an attempt to reduce false
positives.

The __XM_RANDOM header rule is intended to catch the specific condition
of the email, the scored XM_RANDOM meta is intended to add points for
when that condition indicates spam.

> Perhaps:
>
> /q(?!q?mail|bo|\d|[-\w]*=+;)[^u]/i
>
> might be appropriate, at least as a workaround. Or something similar.

I've already added an exclusion for it.

> Is there a genuine use for CASE-Insensitive rules in a X-Mailer
> definition? They don't seem to switch case very often.

If you're looking for a specific X-Mailer value, sure. If you're writing
a general rule then focusing on case can miss spam signs.

>> Is "Qboxmail" the problem? Since this is the name of our company are
>> there any chances to keep it without catching the rule?
>
> Yes, you should change the name of your company! ;)
>
> I see that JH and the SpamAssassin crew will address your problem. In
> the meantime, it won't hurt to add a local rule like:
>
> header MY_XM_RANDOM X-Mailer =~ /Qboxmail Webmail/
> score MY_XM_RANDOM -1.154

Which, again, doesn't help anyone outside his company.

IMHO you shouldn't be scanning internal-only email anyway.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 People who are unable to figure out how to make change without the
 help of a cash register are demanding a $15/hr minimum wage?
---
 270 days since the first private commercial manned orbital mission (SpaceX)
Re: Rules for a recent flood of BTC/webcam spam
On Wed, 24 Feb 2021, Alan wrote:

> After a little more research, a better regex for an obfuscated BTC
> address is
>
> /[13][ \-]([a-km-zA-HJ-NP-Z0-9][ \-]){25,32}[a-km-zA-HJ-NP-Z0-9]/
>
> It might be worth adding = and _ to the obfuscating delimiters. YMMV.

I've updated __BITCOIN_ID with -, = and _ obfuscations, which I haven't
seen myself yet. Thanks!

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Are you a mildly tech-literate politico horrified by the level of
 ignorance demonstrated by lawmakers gearing up to regulate online
 technology they don't even begin to grasp? Cool. Now you have a tiny
 glimpse into a day in the life of a gun owner.       -- Sean Davis
---
 270 days since the first private commercial manned orbital mission (SpaceX)
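The three messages in this sub-thread (Alan's delimiter list, RW's length analysis, and the false-positive concern about PGP fingerprints and loose obfuscation matching) share one question: how loose can the regex be before it hits things that are not wallet addresses? This added Python example, which is not the __BITCOIN_ID rule or any other SpamAssassin code, pairs the loose `[-_=\s]?` pattern John prefers with the precise check a regex cannot do: de-obfuscate the candidate and verify the Base58Check checksum. The sample texts are constructed; the only real address used is the well-known Bitcoin genesis-block address.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Loose pattern in the spirit of __BITCOIN_ID: a leading 1 or 3, then 25-34
# more Base58 characters, each optionally preceded by one separator used for
# obfuscation (space, hyphen, underscore, equals).
OBFUSCATED_BTC = re.compile(r"\b[13](?:[-_=\s]?[a-km-zA-HJ-NP-Z1-9]){25,34}\b")


def base58check_ok(addr):
    """True if addr decodes to 25 bytes (1 version + 20-byte hash + 4-byte
    checksum) whose checksum is the first 4 bytes of double-SHA256."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading 1s are zero bytes
    if len(body) != 25:
        return False
    payload, checksum = body[:21], body[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_btc_addresses(text):
    """Regex candidates, de-obfuscated, then confirmed by Base58Check.  The
    checksum is what separates a wallet address from a PGP fingerprint or a
    run of ordinary words that happens to be long enough to match."""
    hits = []
    for m in OBFUSCATED_BTC.finditer(text):
        cand = re.sub(r"[-_=\s]", "", m.group(0))
        # The loose match may have run past the address into following text;
        # try every plausible length and keep the first that checksums.
        for n in range(26, min(len(cand), 35) + 1):
            if base58check_ok(cand[:n]):
                hits.append(cand[:n])
                break
    return hits
```

A SpamAssassin body rule cannot run the checksum, so the trade-off RW and John discuss is real for the rule itself; in a milter or a plugin, though, the checksum reduces the false-positive cost of a looser regex to roughly one accidental hit in four billion candidates, which is why the pattern here can afford to be loose.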
Re: Rules for a recent flood of BTC/webcam spam
On Wed, 24 Feb 2021, Alan wrote:

> I've seen a recent flood of "I hacked your camera and caught you doing
> stuff" emails. I doubt they'll continue for a long time, but I made
> some rules to target them. Find them here
> https://pastebin.com/B5Q6emBU

There are already rules for that sort of thing in the base ruleset:

BITCOIN_EXTORT_01
BITCOIN_EXTORT_02
BITCOIN_PAY_ME
BITCOIN_DEADLINE
BITCOIN_YOUR_INFO
BITCOIN_MALWARE

and a few others.

Are any of these hitting on what you're getting? Perhaps all you need to
do is assign higher local scores to these rules.

I would love to see more spamples to improve them. Feel free to zip up
any bitcoin extortion spams you get and send them to me by private email
at any time.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Are you a mildly tech-literate politico horrified by the level of
 ignorance demonstrated by lawmakers gearing up to regulate online
 technology they don't even begin to grasp? Cool. Now you have a tiny
 glimpse into a day in the life of a gun owner.       -- Sean Davis
---
 270 days since the first private commercial manned orbital mission (SpaceX)
Re: Trouble with XM_RANDOM rule
On Wed, 24 Feb 2021, lbutlr wrote:

> On 24 Feb 2021, at 7:10, Alessio Cecchi wrote:
>> Since this is the name of our company are there any chances to keep
>> it without catching the rule?
>
> Score the rule down, or create a specific rule that counters that
> score to match your own header.

That helps for their internal mail, but not to anyone else they send
mail to. I am adding an exception for that.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 News flash: Lowest Common Denominator down 50 points
---
 270 days since the first private commercial manned orbital mission (SpaceX)
Re: Trouble with XM_RANDOM rule
On Wed, 24 Feb 2021, Alessio Cecchi wrote:

> Hi,
>
> I noticed that email sent from our webmail is always caught by the
> XM_RANDOM rule. The reason is that we add a header:
>
> X-Mailer: Qboxmail Webmail 1.2.3
>
> that matches "X-Mailer =~ /q(?!q?mail|\d|[-\w]*=+;)[^u]/i"
>
> Is "Qboxmail" the problem? Since this is the name of our company are
> there any chances to keep it without catching the rule?

The chances are very good now that you've reported the FP. I will add an
exception. It will take a day or two to be published.

Thank you!

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 News flash: Lowest Common Denominator down 50 points
---
 270 days since the first private commercial manned orbital mission (SpaceX)
Re: Phishing campaign using email address to personalize URL
On Tue, 23 Feb 2021, Ricky Boone wrote:

> Seeing an interesting phishing campaign that appears to be personalizing components of the message and URL endpoints to potentially get around blacklists and other filters. Unfortunately I can't share the exact example publicly without effectively recreating the email, but here's a summary of what I'm finding.
>
> * Victim email address domain without TLD in the From and Subject headers (i.e., if victim domain was widgetltd.com, "Widgetltd" would be used)
> * Message contains a link with the local-part of the victim's email address as a subdomain (i.e., if victim's email address was "jane@widgetltd.com", the attacker host would appear as "jane.doe.badactordomain.xyz"), as well as the full version of the victim's email address base64 encoded as a query string value (using the previous example, http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0 )

That shouldn't be too hard to write rules for. Again, whether or not there are any examples in the masscheck corpora controls whether or not the rule will be scored and published (unless we manually push it).

> Potentially interesting, but not necessarily distinctive:
>
> * Examples I'm seeing have a nearly blank message, and an HTML attachment with a JavaScript window.location.href redirect related to the attacker URL.

Another spam sign.

> * Attacker is leveraging SendGrid

What sender ID? (the numeric and punctuation part of the envelope from address)

Are you using the abusive sendgrid user plugin or my download-based rule generator?

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
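The three tells described in the post above, turned into a local check, as an added example (not a SpamAssassin rule and not code from the thread). The sample message, the recipient address and the URLs are constructed from the thread's own placeholder values (jane.doe@widgetltd.com, badactordomain.xyz); the local-part is taken as "jane.doe" so that it agrees with the base64 value quoted in the post.

```python
"""Detect URLs and headers personalised with the recipient's address.

Tells from the thread: (1) the recipient's local-part used as a leading
label of the attacker host, (2) the whole address base64-encoded in the
URL path or query string, (3) the recipient's domain minus its TLD used
as a brand name in From or Subject. The sample data below is constructed.
"""
import base64
import binascii
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# base64 tokens (standard or urlsafe alphabet) with optional padding
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")

# Constructed sample: the phish URL from the thread plus a legitimate link.
SAMPLE_BODY = """Widgetltd: your password expires today. Review it at
http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0
Regards, Widgetltd Support.  https://www.widgetltd.com/help
"""


def _b64_candidates(s):
    """Yield UTF-8 text for every token in s that decodes as base64."""
    decoders = (lambda t: base64.b64decode(t, validate=True),
                base64.urlsafe_b64decode)
    for tok in B64_RE.findall(s):
        padded = tok + "=" * (-len(tok) % 4)       # tolerate stripped padding
        for decode in decoders:
            try:
                text = decode(padded).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue
            yield text
            break


def personalised_urls(body, recipient):
    """Return [(url, [reasons])] for URLs that embed the recipient address."""
    recipient = recipient.strip().lower()
    local, _, _domain = recipient.rpartition("@")
    findings = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        # tell 1: local-part as the first label(s) of a longer hostname
        if local and host.count(".") >= 2 and host.startswith(local + "."):
            reasons.append("local-part as subdomain")
        # tell 2: base64 of the full address anywhere in path or query
        haystack = parts.path + "?" + parts.query
        if any(text.lower() == recipient for text in _b64_candidates(haystack)):
            reasons.append("base64 recipient address in URL")
        if reasons:
            findings.append((url, reasons))
    return findings


def domain_label_spoof(recipient, from_hdr, subject):
    """Tell 3: recipient's domain label ('widgetltd') in From name or Subject.

    Genuinely internal mail (From address in the recipient's own domain) is
    ignored, since the label is expected there. Assumption: only the
    second-level label is compared, no public-suffix handling.
    """
    name, addr = parseaddr(from_hdr)
    rcpt_domain = recipient.lower().rpartition("@")[2]
    label = rcpt_domain.split(".")[0]
    from_domain = addr.lower().rpartition("@")[2]
    if len(label) < 4 or from_domain == rcpt_domain:
        return False
    return label in name.lower() or label in subject.lower()


if __name__ == "__main__":
    for url, why in personalised_urls(SAMPLE_BODY, "jane.doe@widgetltd.com"):
        print(url, "->", ", ".join(why))
    print(domain_label_spoof("jane.doe@widgetltd.com",
                             '"Widgetltd Support" <alerts@badactordomain.xyz>',
                             "Widgetltd: your password expires today"))
```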
Re: X-Originating-IP a received header?
On Tue, 23 Feb 2021, Dan Malm wrote:

> On 2021-02-23 16:29, John Hardin wrote:
>> On Tue, 23 Feb 2021, Dan Malm wrote:
>>> On 2021-02-19 16:13, John Hardin wrote:
>>>> On Fri, 19 Feb 2021, Dan Malm wrote:
>>>>> I have a system that receives mail from a webmail product that adds an X-Originating-IP header with the IP of the webmail user. Since SpamAssassin for some reason considers that to be a Received header, that results in all mails from the webmail hitting the RDNS_NONE rule (only the IP is added in the header), which I currently have set to 0 due to this.
>>>>
>>>> Could you post a sample of the headers from such? Obfuscate as you like, I'm just wondering about the order in which they appear.
>>>
>>> Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com [46.30.211.130]) by mailrelay3 (Halon) with ESMTPSA id 89da92dc-72a5-11eb-bf40-fd1a731c465d; Fri, 19 Feb 2021 11:28:08 +0000 (UTC)
>>> X-Originating-IP: 46.30.211.29
>>> User-Agent: One.com webmail 39.4.34
>>> Date: Fri, 19 Feb 2021 12:28:08 +0100
>>> MIME-Version: 1.0
>>> Message-ID: <161373401.26136.389428@webmail1>
>>> To:
>>> From: "One"
>>> Reply-To:
>>> Subject: testing
>>> Content-Type: multipart/alternative; boundary="--389426-161373401-1"
>>
>> ...and I assume that neither of those addresses are configured as "internal" for you?
>
> They are currently not, no. And "X-Originating-IP: 46.30.211.29" is the IP the webserver handling the webmail saw for this mail, i.e. the user IP, which for normal users will often be in PBL. It's also the IP that triggers the hit on RDNS_NONE.

Which it should not, as it's not the "last external" IP address. That's why I asked for the headers - it seems from this (absent any actual testing) that SA isn't keeping the received-equivalent headers in the correct order with the genuine received headers.

One possible explanation is that the local Received header added by your MTA (presumably mailrelay3) isn't being added before the message is being passed to SA, so the X-Originating-IP header is the only thing that SA is seeing.

Did that message hit any "direct-to-MX" rules?

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: X-Originating-IP a received header?
On Tue, 23 Feb 2021, Dan Malm wrote:

> On 2021-02-19 16:13, John Hardin wrote:
>> On Fri, 19 Feb 2021, Dan Malm wrote:
>>> I have a system that receives mail from a webmail product that adds an X-Originating-IP header with the IP of the webmail user. Since SpamAssassin for some reason considers that to be a Received header, that results in all mails from the webmail hitting the RDNS_NONE rule (only the IP is added in the header), which I currently have set to 0 due to this.
>>
>> Could you post a sample of the headers from such? Obfuscate as you like, I'm just wondering about the order in which they appear.
>
> Received: from onecom-webmail1 (service.pub.appspod1-cph3.one.com [46.30.211.130]) by mailrelay3 (Halon) with ESMTPSA id 89da92dc-72a5-11eb-bf40-fd1a731c465d; Fri, 19 Feb 2021 11:28:08 +0000 (UTC)
> X-Originating-IP: 46.30.211.29
> User-Agent: One.com webmail 39.4.34
> Date: Fri, 19 Feb 2021 12:28:08 +0100
> MIME-Version: 1.0
> Message-ID: <161373401.26136.389428@webmail1>
> To:
> From: "One"
> Reply-To:
> Subject: testing
> Content-Type: multipart/alternative; boundary="--389426-161373401-1"

...and I assume that neither of those addresses are configured as "internal" for you?

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Catch subtly-different Reply-To domain
On Mon, 22 Feb 2021, RW wrote:

> On Sun, 21 Feb 2021 16:32:01 -0800 (PST) John Hardin wrote:
>> On Sun, 21 Feb 2021, John Hardin wrote:
>>> On Sun, 21 Feb 2021, Dominic Raferd wrote:
>>>> Michael's suggestion is interesting. There is a github project allowing Levenshtein numbers to be calculated and used in SA, I will see if there is a way to apply it in this situation. Thanks to all for their input.
>>>
>>> It would have to be a plugin, and there's a CPAN module for calculating Levenshtein numbers so most of the heavy lifting is already done.
>>
>> Sigh. Ignore that, that's exactly what it is. I need to stop replying so quickly to stuff.
>
> I don't think there was anything wrong in pointing out that it's available from CPAN. There is also a Damerau–Levenshtein version which is probably a better choice as the transposition of two adjacent characters counts as 1 difference rather than 2.

I was more sighing about:

  "allowing ... to be ... used in SA"

  "It would have to be a plugin"

:)

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
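The two distances RW compares, side by side, with a check that flags a Reply-To domain that is close to but not identical with the From domain. This is an added example, not the CPAN module or the github project mentioned in the thread; the lookalike domains are constructed from the placeholder widgetltd.com used elsewhere on this list.

```python
"""Plain Levenshtein vs. restricted Damerau-Levenshtein (optimal string
alignment) for lookalike Reply-To domains. With Damerau-Levenshtein an
adjacent swap ("ltd" -> "ldt") costs 1 instead of 2, so a threshold of 1
still catches it. Domains below are constructed examples.
"""
from email.utils import parseaddr


def levenshtein(a, b):
    """Classic edit distance: insert, delete, substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def damerau_levenshtein(a, b):
    """Restricted Damerau-Levenshtein: adds adjacent transposition at cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # transposition of two adjacent characters, e.g. "ltd" <-> "ldt"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def header_domain(header_value):
    """Lower-cased domain of the first address in a From/Reply-To header.

    Assumption: whole domain compared, no public-suffix normalisation.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def lookalike_reply_to(from_hdr, reply_to_hdr, max_distance=2):
    """Return (distance, suspicious).

    Identical domains (distance 0) and unrelated ones (distance above
    max_distance) are not suspicious; a small non-zero distance is the
    "subtly different Reply-To domain" the thread is about.
    """
    a, b = header_domain(from_hdr), header_domain(reply_to_hdr)
    if not a or not b:
        return None, False
    dist = damerau_levenshtein(a, b)
    return dist, 0 < dist <= max_distance


if __name__ == "__main__":
    pairs = [("widgetltd.com", "widgetldt.com"),    # adjacent swap
             ("widgetltd.com", "wldgetltd.com"),    # i -> l
             ("widgetltd.com", "widgetltd-inc.com")]
    for x, y in pairs:
        print(x, y, "lev=%d dl=%d" % (levenshtein(x, y), damerau_levenshtein(x, y)))
    print(lookalike_reply_to('"Accounts" <pay@widgetltd.com>', "pay@widgetldt.com"))
```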
Re: Catch subtly-different Reply-To domain
On Sun, 21 Feb 2021, John Hardin wrote:

> On Sun, 21 Feb 2021, Dominic Raferd wrote:
>> On 21/02/2021 20:09, Benny Pedersen wrote:
>>> On 2021-02-21 19:44, Dominic Raferd wrote:
>>>> Presumably interfacefm.com has been hacked, but not to the extent that they can intercept incoming replies. I stand corrected; but as they specify p=none, the mail must still pass.
>>>
>>> in what way should it pass ?
>>>
>>> dmarc tests spf, dkim, and opendmarc from github trunk validates arc chains as well, there is no guarantee that anything passes
>>>
>>> only sendgrid made that mistake, sorry sendgrid
>>
>> p=none is an instruction from the domain controller *not* to reject emails from their domain even when they fail DMARC testing. So the end result is that this mail should pass through DMARC testing. DMARC is a red herring here. My original question wouldn't be relevant if the sending domain had an enforced DMARC policy (p=quarantine|reject), but they don't.
>>
>> Michael's suggestion is interesting. There is a github project allowing Levenshtein numbers to be calculated and used in SA, I will see if there is a way to apply it in this situation. Thanks to all for their input.
>
> It would have to be a plugin, and there's a CPAN module for calculating Levenshtein numbers so most of the heavy lifting is already done.

Sigh. Ignore that, that's exactly what it is. I need to stop replying so quickly to stuff.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Catch subtly-different Reply-To domain
On Sun, 21 Feb 2021, Dominic Raferd wrote:

> On 21/02/2021 20:09, Benny Pedersen wrote:
>> On 2021-02-21 19:44, Dominic Raferd wrote:
>>> Presumably interfacefm.com has been hacked, but not to the extent that they can intercept incoming replies. I stand corrected; but as they specify p=none, the mail must still pass.
>>
>> in what way should it pass ?
>>
>> dmarc tests spf, dkim, and opendmarc from github trunk validates arc chains as well, there is no guarantee that anything passes
>>
>> only sendgrid made that mistake, sorry sendgrid
>
> p=none is an instruction from the domain controller *not* to reject emails from their domain even when they fail DMARC testing. So the end result is that this mail should pass through DMARC testing. DMARC is a red herring here. My original question wouldn't be relevant if the sending domain had an enforced DMARC policy (p=quarantine|reject), but they don't.
>
> Michael's suggestion is interesting. There is a github project allowing Levenshtein numbers to be calculated and used in SA, I will see if there is a way to apply it in this situation. Thanks to all for their input.

It would have to be a plugin, and there's a CPAN module for calculating Levenshtein numbers so most of the heavy lifting is already done.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: X-Originating-IP a received header?
On Fri, 19 Feb 2021, Dan Malm wrote:

> I have a system that receives mail from a webmail product that adds an X-Originating-IP header with the IP of the webmail user. Since SpamAssassin for some reason considers that to be a Received header, that results in all mails from the webmail hitting the RDNS_NONE rule (only the IP is added in the header), which I currently have set to 0 due to this.

Could you post a sample of the headers from such? Obfuscate as you like, I'm just wondering about the order in which they appear.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Phishing campaign using nested Google redirect
On Fri, 19 Feb 2021, Giovanni Bechis wrote:

> On 2/19/21 1:09 AM, John Hardin wrote:
>> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>>> Just wanted to forward an example of an interesting URL obfuscation tactic observed yesterday.
>>>>
>>>> https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>>
>>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well. If you can send me a spample I could tweak it a bit more.
>>
>> We may need to coordinate a little here - there's also a google.com/url redir rule in my sandbox, and they may be overlapping.
>
> I proposed a shared sandbox for that reason when we developed bitcoin rules (and we had similar problems with overlapping rules).

Perhaps it's time we pursued that. :)

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Phishing campaign using nested Google redirect
On Thu, 18 Feb 2021, Giovanni Bechis wrote:

> On 2/18/21 6:37 PM, Ricky Boone wrote:
>> Just wanted to forward an example of an interesting URL obfuscation tactic observed yesterday.
>>
>> https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well. If you can send me a spample I could tweak it a bit more.

We may need to coordinate a little here - there's also a google.com/url redir rule in my sandbox, and they may be overlapping.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Phishing campaign using nested Google redirect
On Thu, 18 Feb 2021, Ricky Boone wrote:

> Nice. I've copied scrubbed versions of what I've seen so far here: https://gitlab.com/-/snippets/2079108 (I can never remember if it is appropriate to include attachments to mailing lists like this).

In our case it's best to upload an entire email (all headers intact and with as little obfuscation as possible) to something like Pastebin, then post the URL to that here so it can be downloaded. This keeps the spample from being modified during transit in ways that could impede analysis and rule development and testing.

For just URLs, though, examples could just be pasted into the body of your post (as you did) or in a .txt attachment.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Homoglyph spam/phishing targeting popular brands
On Tue, 16 Feb 2021, Ricky Boone wrote:

> On Mon, Feb 15, 2021 at 12:16 AM John Hardin wrote:
>> OK, I added FUZZY_OVERSTOCK as well, we'll see what happens. If they don't perform well in masscheck you can always grab them out of my sandbox for your local rules.
>>
>> Masscheck results: https://ruleqa.spamassassin.org/?rule=%2FFUZZY_
>
> Nice, thanks! I see the test rules got picked up with sa-update, and they all work against the samples I have. It does appear that T_FUZZY_APPLE is catching some FP's. Word boundaries might need to be added, as words like "happiest" get caught by it.

Yep, I've addressed that, take a look at the latest masscheck results.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Homoglyph spam/phishing targeting popular brands
On Sun, 14 Feb 2021, Ricky Boone wrote:

> On Sun, Feb 14, 2021 at 4:45 PM John Hardin wrote:
>> How often do you see (over)stock and space obfuscated?
>
> So far, 4 times and once, respectively

OK, I added FUZZY_OVERSTOCK as well, we'll see what happens. If they don't perform well in masscheck you can always grab them out of my sandbox for your local rules.

Masscheck results: https://ruleqa.spamassassin.org/?rule=%2FFUZZY_

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Homoglyph spam/phishing targeting popular brands
On Sun, 14 Feb 2021, Ricky Boone wrote:

> What are the community's thoughts on handling spam/phishing that utilize homoglyphs to obfuscate the brands they're targeting? Are there any plugins that are in development that might assist with catching these?

Take a look at the definition of the FUZZY rules. There's no general plugin for this currently. That would be a bit difficult to do on-the-fly without getting (potentially lots of) FPs on non-English words.

At the moment it's:

1) notice that some word is being obfuscated
2) add a FUZZY rule for that word
3) tune it for FPs (may hit legitimate words in non-English, exclude them)

The problem is such obfuscations may not be common enough in the masscheck corpora for the rules to be promoted, scored and published.

> For example, here are some phrases that I've been monitoring from reported messages:
>
> * that Âmåzon has received
> * Äpple Watch
> * Ãρρle iPad
> * Aρρle iPad
> * PäyPäl Credit
> * PαyPαl Credit
> * Spãce Gray
> * to Over Støck Inc on
> * subscribed for Nõrtõn Yearly
> * subscribed for Nõrtøn Yearly
> * the Nõrtõn Freedom Protection
>
> Existing rules (mainline SpamAssassin channel, KAM, etc.) don't seem to flag much, if anything substantial, on the messages I've seen with this behavior. I've trained bayes on each, and created a custom set of rules to try to catch various patterns used in the messages.

I've added FUZZY rules for amazon, apple, microsoft, facebook, paypal and norton to my sandbox, they are likely going to be fairly common.

How often do you see (over)stock and space obfuscated?

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
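How a FUZZY-style rule is built from one look-alike class per letter, and why the "happiest" false positive reported in the follow-up above goes away once word boundaries are added. This is an added illustration, not the sandbox's FUZZY_APPLE regex: the look-alike classes are an assumption about common substitutions (the accented forms from the phrases quoted above, Greek rho, Cyrillic letters, leet digits, and i/1/| for l), and the ham line is constructed.

```python
"""FUZZY-style homoglyph matching for brand names, loose vs. word-bounded.

Each letter of the brand becomes a character class of look-alikes. The
correctly spelled brand is excluded with a negative lookahead so that
ordinary ham mentioning it does not hit; only obfuscated spellings do.
The class contents are assumptions, not the SpamAssassin rule's own.
"""
import re

LOOKALIKES = {
    "a": "[aAàáâãäåÀÁÂÃÄÅαΑ@4]",
    "e": "[eEèéêëÈÉÊËε3]",
    "l": "[lL1|iI]",          # i/1/| for l is what makes "happiest" hit
    "n": "[nNñÑηп]",
    "o": "[oO0òóôõöøÒÓÔÕÖØοΟоО]",
    "p": "[pPρΡрР]",
    "r": "[rRгГ]",
    "s": "[sS5$]",
    "t": "[tTτΤт+]",
    "y": "[yYýÿуУ]",
    "z": "[zZ2]",
}


def fuzzy_for(word, bounded=True):
    """Compile a FUZZY regex for `word`.

    bounded=False reproduces the first-cut rule that matches inside longer
    words; bounded=True requires a non-word character (or string edge) on
    both sides, which is the fix for FPs such as "happiest".
    """
    literal = re.escape(word.lower())
    core = "".join(LOOKALIKES.get(ch, re.escape(ch)) for ch in word.lower())
    if bounded:
        pattern = r"(?<!\w)(?!%s(?!\w))%s(?!\w)" % (literal, core)
    else:
        pattern = r"(?!%s)%s" % (literal, core)
    return re.compile(pattern, re.IGNORECASE)


def fuzzy_hits(word, text, bounded=True):
    """Return the obfuscated spellings of `word` found in `text`."""
    return fuzzy_for(word, bounded).findall(text)


# Phrases quoted in the thread plus one constructed ham line.
SAMPLES = [
    "Äpple Watch",
    "Ãρρle iPad",
    "Aρρle iPad",
    "subscribed for Nõrtøn Yearly",
    "the Nõrtõn Freedom Protection",
    "our happiest customers bake apple pie",   # constructed ham
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("%-40s loose=%s bounded=%s" % (
            line, fuzzy_hits("apple", line, bounded=False),
            fuzzy_hits("apple", line)))
```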
Re: URLs hidden in Morse code
On Fri, 12 Feb 2021, Bill Cole wrote:

> On 12 Feb 2021, at 4:10, Pedro David Marco wrote:
>> On Thursday, February 11, 2021, 09:49:35 PM GMT+1, Bill Cole wrote:
>>> Web-based MUAs (SquirrelMail, Horde, GMail, Outlook Web Access, etc.) brought back some support for JavaScript in mail, but as I understand some of them do some defanging of scripts and the advancement of browser limitations on nefarious scripts has also helped make those less dangerous than they could be.
>>
>> You are very optimistic, Bill... :-D Users copy and paste full web pages in an email and click the "send" button singing at the same time...
>
> Yes, but HOPEFULLY that ends up copying and pasting something harmless like just the body text or an image of the page.
>
> Fun fact: with recent MacOS MS Word, if you copy a block of formatted text and paste it into a new message in the MailMate MUA, you get an embedded PNG graphic. An interesting solution to the problem of rich text portability.

...for certain values of "interesting". I hate images of text - you can't copy the text and do useful things with it.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: netflix phishing emails forwarded via sendgrid
On Thu, 11 Feb 2021, Benny Pedersen wrote:

> On 2021-02-11 12:46, Giovanni Bechis wrote:
>> With the updated Esp plugin[¹] just committed to trunk you could use Sendgrid files downloaded from Invaluement as well as locally generated files.
>
> these files do work if sendgrid did not allow non sendgrid.net envelope senders :(

Try the script generator I posted, it isn't domain-specific.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: netflix phishing emails forwarded via sendgrid
On Thu, 11 Feb 2021, Giovanni Bechis wrote:

> On 2/9/21 10:03 PM, Benny Pedersen wrote:
>> On 2021-02-02 03:25, Kevin A. McGrail wrote:
>>> Since it's already hitting 8.9, why do more?
>>
>> got one more today
>>
>> http://multirbl.valli.org/lookup/167.89.112.86.html
>>
>> envelope sender is not sendgrid.net
>>
>> spamurls to the phishing is sendgrid redir to hide all details of spam domain
>>
>> why is so many uribl not blocking phish attempts better ?
>
> With the updated Esp plugin[¹] just committed to trunk you could use Sendgrid files downloaded from Invaluement as well as locally generated files.
>
> Local files can be generated by looking at the Return-path of the offending email.
>
> Return-Path:
>
> In this case "1234" is the id you are interested in.

I have a script that generates a static rule based on sendgrid sender ids in local corpora + the invaluement download if (for some reason) you don't want to / can't use the plugin.

https://www.impsec.org/~jhardin/antispam/make_sendgrid_rule.sh

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: URLs hidden in Morse code
On Tue, 9 Feb 2021, Kenneth Porter wrote:

> I'm reminded of the recent post suggesting that SA parse QR codes to feed URLs to block lists. The email includes a web document pretending to be an Excel document (double extension .xlsx.hTML) that contains a JavaScript Morse decoder and a string with the URLs encoded in Morse. I see two ways to block this:
>
> 1) MUAs should ignore code in HTML.
> 2) A malware scanner like ClamAV should watch for this kind of stuff.

You're missing the simplest one: double extensions like that are hostile and should be rejected.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: requires explicit package name
On Tue, 9 Feb 2021, Marcus Schopen wrote:

> Possible unintended interpolation of @g in string at /tmp/.spamassassin7185HJuhWPtmp/70_HS_header.cf, rule HS_HEADER_1506, line 1.
> Possible unintended interpolation of @mail in string at /tmp/.spamassassin7185HJuhWPtmp/70_HS_header.cf, rule HS_HEADER_1509, line 1.

Make sure that if you have rules containing @sometext, the @ is escaped:

  \@sometext
  \@g
  \@mail
  ...etc

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: QR-decoding
On Tue, 2 Feb 2021, John Hardin wrote:

> On Tue, 2 Feb 2021, RW wrote:
>> On Tue, 2 Feb 2021 10:47:49 +0100 Valentijn Sessink wrote:
>>> On-list: the only thing in the last QR-code phishing mail I received that actually makes it a phishing mail is the following part:
>>>
>>> <= DEFANGED_IMG alt=3D"QR Code - Bevestigen aanvraag" style= =3D"display:block;border:0;outline:none;text-decoration:none;-ms-interpolat= ion-mode:bicubic" title=3D"QR Code - Bevestigen aanvraag" src=3D"https://pr= oxy.duckduckgo.com/iu/?u=3Dhttps://chenoneproduction.s3.ap-southeast-1.amaz= onaws.com/static/a0fd.png" width=3D"184">
>>
>> So the QR code is remote. If you fetch it, it could look like the recipient read the email, encouraging more spam to that account.
>
> Not if they are retrieving it by bouncing off DDG (or Gargle, or Imgur, or...)

...assuming of course those sites *host* the image themselves, and don't just redirect the request elsewhere.

Bill's comment is correct - it's a bad idea to blindly retrieve remote content. However: scanning attached and embedded images (and PDFs) for text, and URIs (bare or QR encoded) to include would potentially be useful.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: QR-decoding
On Tue, 2 Feb 2021, RW wrote:

> On Tue, 2 Feb 2021 10:47:49 +0100 Valentijn Sessink wrote:
>> On-list: the only thing in the last QR-code phishing mail I received that actually makes it a phishing mail is the following part:
>>
>> <= DEFANGED_IMG alt=3D"QR Code - Bevestigen aanvraag" style= =3D"display:block;border:0;outline:none;text-decoration:none;-ms-interpolat= ion-mode:bicubic" title=3D"QR Code - Bevestigen aanvraag" src=3D"https://pr= oxy.duckduckgo.com/iu/?u=3Dhttps://chenoneproduction.s3.ap-southeast-1.amaz= onaws.com/static/a0fd.png" width=3D"184">
>
> So the QR code is remote. If you fetch it, it could look like the recipient read the email, encouraging more spam to that account.

Not if they are retrieving it by bouncing off DDG (or Gargle, or Imgur, or...)

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: QR-decoding
On Tue, 2 Feb 2021, Valentijn Sessink wrote:

> On 02-02-2021 03:37, Kevin A. McGrail wrote:
>> Nothing I'm aware of. Contact me off-list if you have any spamples.
>
> I have. I hope it passes your filter :-)

I'd appreciate a spample too.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Backscatter to role addresses
On Sat, 30 Jan 2021, RW wrote:

> On Sat, 30 Jan 2021 14:41:42 -0800 (PST) John Hardin wrote:
>> I'd also like to know how to submit these MTAs for inclusion in one of the Spamhaus DNSBLs.
>
> I don't think there's an existing Spamhaus list that's relevant.

SBL has listed open relays in the past (circa 2013) - https://www.spamhaus.org/news/article/706/the-return-of-the-open-relays

> I used to use ips.backscatterer.org for this, but for some reason I commented it out and I can't remember why. The website looks active with a 2021 copyright line.

I was focusing on something supported out-of-the-box by SA. Perhaps SORBS?

  describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Backscatter to role addresses
On Sat, 30 Jan 2021, Kenneth Porter wrote:

> What do others do about backscatter to their role addresses? It seems spammers have recently discovered the role addresses noc, hostmaster, and webmaster for one of my business domains and are forging them as senders. As a result, I'm seeing lots of backscatter from various spam-detectors. (This just started a week or two ago but the addresses have been around for years.)

Me too, just started a couple of days ago.

SPF doesn't help, they are either using relays that ignore SPF failures for authenticated connections (and also don't validate the sender domain belongs to a client), or don't check SPF at all - essentially, open relays.

> Should I bother letting SA scan the messages and consign them to my SA folder where they get auto-learned?

I'm not doing that, because it might cause legitimate "undeliverable" messages from (admittedly poorly-configured) MTAs to be classified as spam. You don't want to learn the MTA message part as "spammy".

What I'm doing right now is: if the "undeliverable" spam message is attached (it isn't always), I add it to my spam corpus and train *that* as spam, then I add the MTA that sent the backscatter to my MTA's "access denied" list with a message about the backscatter.

I'd also like to know how to submit these MTAs for inclusion in one of the Spamhaus DNSBLs.

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: Help writing a rule
On Wed, 27 Jan 2021, Dan Mahoney (Gushi) wrote:

> All,
>
> I'm noticing a pattern of email like:
>
>   From: "GUSHI.ORG Administrator"
>   To: y...@gushi.org
>   Subject: Your mailbox has exceeded its quota
>
> Or some such nonsense.
>
> Now, DMARC and SPF and DKIM would be able to block the domain if they tried to spoof it in the From email address. But mail clients helpfully these days aren't showing the actual email address to people.
>
> Ergo, I'm looking to do the following:
>
> Catch a case where the REALNAME of the FROM address contains a domain that is in the TO header.
>
> This would seem to require a macro of some kind to capture the value and do the comparison, so this doesn't seem to be the kind of thing one can do (dynamically) with a regular rule.

It can be done with a regular rule, as header rules can match across multiple headers. There is already a rule like that in the base ruleset:

https://ruleqa.spamassassin.org/20210127-r1885943-n/PDS_FROM_NAME_TO_DOMAIN/detail

  Jan 27 12:03:34.724 [29312] dbg: rules: ran header rule __PDS_FROM_NAME_TO_DOMAIN ==> got hit: "From: "GUSHI.ORG Administrator"
  Jan 27 12:03:34.724 [29312] dbg: rules: [...] To: y...@gushi.org"

PDS_FROM_NAME_TO_DOMAIN should have hit on that message. Did it?

--
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
Re: apache.org is blacklisted
On Wed, 27 Jan 2021, Matus UHLAR - fantomas wrote:

>> On Wed, 27 Jan 2021, Benny Pedersen wrote:
>>> http://multirbl.valli.org/lookup/2a01%3A4f9%3Ac010%3A567c%3A%3A1.html
>>> i dont know how to handle this :=)
>
> On 26.01.21 17:43, John Hardin wrote:
>> Only one lists it:
>> https://matrix.spfbl.net/en/3.227.148.255
>> https://matrix.spfbl.net/en/2a01:4f9:c010:567c:0:0:0:1
>> SPFBL?
>
> while we're here, was anyone able to get their page in english language?
> https://spfbl.net/en/project/

Some work for me, some don't.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Today: the 54th anniversary of the loss of Apollo 1
Re: apache.org is blacklisted
On Wed, 27 Jan 2021, Benny Pedersen wrote:

>> Have you opened an infra ticket?
>
> no, can i do this ?

You need an Apache account. I have one ready to go, I was just waiting for your answer.

...created.

https://issues.apache.org/jira/browse/INFRA-21351

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Tomorrow: the 54th anniversary of the loss of Apollo 1
Re: apache.org is blacklisted
On Wed, 27 Jan 2021, Benny Pedersen wrote:

>>> http://multirbl.valli.org/lookup/2a01%3A4f9%3Ac010%3A567c%3A%3A1.html
>>> i dont know how to handle this :=)
>>
>> Only one lists it:
>> https://matrix.spfbl.net/en/3.227.148.255
>> https://matrix.spfbl.net/en/2a01:4f9:c010:567c:0:0:0:1
>> SPFBL?
>
> but forward to infra so its solved

Yeah, it seems SPFBL will ignore contact from anyone other than the domain admin, so it will have to be infra that contacts them.

Have you opened an infra ticket?

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
One death is a tragedy; thirty is a media sensation; a million is a statistic. -- Joseph Stalin, modernized
---
Tomorrow: the 54th anniversary of the loss of Apollo 1
Re: results from lint
On Tue, 26 Jan 2021, Joe Acquisto-j4 wrote:

>> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>>> Any suggestions?
>>
>> does it lint if local.cf is empty or non exists ?
>
> Just renamed local.cf and get the same results. Now I am more confused. Too late for more coffee. spamd was stopped at the time.

Are you using Amavis by any chance? Try restarting that.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Look at the people at the top of both efforts. Linus Torvalds is a university graduate with a CS degree. Bill Gates is a university dropout who bragged about dumpster-diving and using other peoples' garbage code as the basis for his code. Maybe that has something to do with the difference in quality/security between Linux and Windows. -- anytwofiveelevenis on Y! SCOX
---
Tomorrow: the 54th anniversary of the loss of Apollo 1
Re: What does that rule mean "SUBJ_OBFU_PUNCT FEW"
On Wed, 13 Jan 2021, Philipp Ewald wrote:

>> SUBJ_OBFU_PUNCT_FEW -> Possible punctuation-obfuscated Subject: header
>> SUBJ_OBFU_PUNCT_MANY -> Punctuation-obfuscated Subject: header
>
> We send mails Like this: (You got a E-Mail)
>
>   Subject: : Mailservice: Neue Mail

Ok. I will assume is an email address, like:

  Subject: : Mailservice: Neue Mail

That would hit due to the punctuation embedded in the email address. If my assumption is incorrect please let me know.

Question: is the email address in the same as the email address in the To: header?

If you can send me the full unedited headers of one such message in private email I'll test exclusions for it. Note: any changes you make to that will potentially interfere with the accuracy of the exclusion.

Thanks!

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
4 days until Benjamin Franklin's 315th Birthday
Re: What does that rule mean "SUBJ_OBFU_PUNCT FEW"
On Wed, 13 Jan 2021, RW wrote:

> On Wed, 13 Jan 2021 17:43:41 +0100 Alex Woick wrote:
>
>> Which means: (?!<[a-z][a-z]) -> don't match if the next 3 chars are "<" followed by 2 letters
>
> I suspect that this was intended to be (?<![a-z][a-z]).

That's an attempt to avoid matching bracketed email addresses, which often have embedded punctuation. It's probably not enough by itself.

> As it stands the negative look-ahead never affects anything,

Right, because the remainder would only match "<[a-z](other punct)"

> but the negative look-behind would avoid matches where the first
> punctuation character is on the end of a multi-letter word.

That wasn't the intent. It's not the punctuation character alone. It's (punct)(letter)(punct) or (letter)(punct)(letter). And only multiple instances of that occurring are actually scored.

>> In short: it tries to match a sequence of 5 characters.
>> don't match <ab..
>> match something like :a::a
>> match something like :aa:a
>> match something like :a :a
>
> You missed a "|", it's looking for punctuation bracketing a letter or vice versa, e.g. "a:b" or ".g:"
>
> FWIW in my mail the SUBJ_OBFU_PUNCT_* rules have only ever matched urls in the subject - a spam sign in its own right in my experience.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
4 days until Benjamin Franklin's 315th Birthday
Re: What does that rule mean "SUBJ_OBFU_PUNCT FEW"
On Wed, 13 Jan 2021, Philipp Ewald wrote:

> Hello,
>
> we try to deliver mails to GMX/WEB but we got frequency blocked because "ro-reply@ Mails" hits following rules:
>
>   SUBJ_OBFU_PUNCT_FEW -> Possible punctuation-obfuscated Subject: header
>   SUBJ_OBFU_PUNCT_MANY -> Punctuation-obfuscated Subject: header

The scores on those rules are rather low - they are not "poison pills". What *else* are those mails hitting?

An actual sample of a problematic subject text would be very helpful to allow us to suggest how you could fix the problem or to add an exception for the rule if it's a valid FP.

> i can't find any good declaration for these rules.. can someone explain please? (easy as possible)
>
> Does that have to do with ".", ";", ":" in Headers?

Alex did a good job. Basically: multiple instances of letter-punct-letter or punct-letter-punct in the message subject.

Spammers have used punctuation to obfuscate "trigger words" in subjects, like:

  :B:U:Y: :Y:O:U:R: :C:H:E:A:P: :V:I:A:G:R:A: :H:E:R:E: :T:O:D:A:Y:

in an attempt to bypass naïve text matching filters. These rules are intended to detect that.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
How do you argue with people to whom math is an opinion? -- Unknown
---
4 days until Benjamin Franklin's 315th Birthday
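Added example, not code from the thread or from the SpamAssassin ruleset: a Python sketch of what the three SUBJ_OBFU_PUNCT messages above describe. It counts non-overlapping letter-punct-letter / punct-letter-punct triples in a subject and shows why a bracketed address in the subject (the notification case Philipp raised) trips the count, and why stripping such addresses before counting is the exclusion the look-behind was reaching for. The FEW/MANY thresholds, the notification address, and the punctuation class are assumptions for this example, not the stock rule's values.

```python
import re

# Constructed subjects: the obfuscated spam subject quoted in the thread,
# the notification subject from the same thread (address is assumed, the
# archive stripped it), and an ordinary subject.
SPAM_SUBJECT = ":B:U:Y: :Y:O:U:R: :C:H:E:A:P: :V:I:A:G:R:A: :H:E:R:E: :T:O:D:A:Y:"
NOTIFY_SUBJECT = "<kunde@example.de>: Mailservice: Neue Mail"
PLAIN_SUBJECT = "Re: What does that rule mean SUBJ_OBFU_PUNCT_FEW"

# Thresholds are assumptions for this example, not the stock rule's values.
FEW_MIN, MANY_MIN = 2, 5

PUNCT = r"[^\w\s]"
# letter-punct-letter or punct-letter-punct, counted non-overlapping
OBFU = re.compile(rf"[a-z]{PUNCT}[a-z]|{PUNCT}[a-z]{PUNCT}", re.I)
# A bracketed address carries its own punctuation ("." and "@") and is the
# false-positive source the rule's look-behind was trying to exclude.
BRACKETED_ADDR = re.compile(r"<[^<>\s@]+@[^<>\s]+>")


def count_obfu(subject, strip_addresses=True):
    """Number of obfuscation triples in the subject."""
    if strip_addresses:
        subject = BRACKETED_ADDR.sub("", subject)
    return len(OBFU.findall(subject))


def classify(subject, strip_addresses=True):
    """Which of the two (assumed) thresholds the subject crosses, if any."""
    n = count_obfu(subject, strip_addresses)
    if n >= MANY_MIN:
        return "SUBJ_OBFU_PUNCT_MANY"
    if n >= FEW_MIN:
        return "SUBJ_OBFU_PUNCT_FEW"
    return None
```

The notification subject scores two triples purely from "e@e" and "e.d" inside the address and none once the address is removed, which is the exclusion John offers to test; the colon-separated spam subject scores well past either threshold either way.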
Re: BCC Rule and Subject change for specific rule
On Wed, 6 Jan 2021, Giovanni Bechis wrote:

> On 1/6/21 2:40 PM, RW wrote:
>> On Tue, 5 Jan 2021 10:14:45 -0800 (PST) John Hardin wrote:
>>> On Tue, 5 Jan 2021, Dave Funk wrote:
>>>> On Tue, 5 Jan 2021, John Hardin wrote:
>>>>>   subjprefix FROM_ME [From Me]
>>>>
>>>> Does this work if you're using a milter for your glue? Is there some special status/command that spamd returns to the milter for this kind of modification? If so the milters may need to be recoded to implement it.
>>>
>>> No, it's rewriting the message headers before passing the message back to the MTA. It's already adding a [SPAM] tag to the subject by default (if enabled). This just allows customization of that behavior.
>>
>> Assuming that the scan itself adds the headers. I was under the impression that amavisd adds its own headers.
>>
>> There's also this rather vague remark in the documentation:
>>
>> "To be able to use this feature a "add_header all Subjprefix _SUBJPREFIX_" configuration line could be needed on some setups."
>
> This is needed to let amavisd (from next released version afaik) or Mimedefang (with a custom mimedefang-filter snippet) parse the headers and correctly rewrite the subject.

The docs should probably be amended to reflect that, and add a usage example.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
I am not Charlie. I am armed.
---
Tomorrow: the 6th anniversary of the Charlie Hebdo massacre
Re: BCC Rule and Subject change for specific rule
On Tue, 5 Jan 2021, Dave Funk wrote:

> On Tue, 5 Jan 2021, John Hardin wrote:
>> On Tue, 5 Jan 2021, Giovanni Bechis wrote:
>>> On Mon, Jan 04, 2021 at 05:23:30PM -0800, John Hardin wrote:
>>>> I'm pretty sure SA only allows setting the subject tag by language, not based on rule hits.
>>>
>>> Starting from 3.4.3 you can add a prefix to the email subject like that:
>>>
>>>   header FROM_ME From:name =~ /Me/
>>>   subjprefix FROM_ME [From Me]
>>
>> Cool, I missed that at the time. Thanks!
>>
>> The documentation does mention it exists but does not give an example of using it...
>
> Does this work if you're using a milter for your glue? Is there some special status/command that spamd returns to the milter for this kind of modification? If so the milters may need to be recoded to implement it.

No, it's rewriting the message headers before passing the message back to the MTA. It's already adding a [SPAM] tag to the subject by default (if enabled). This just allows customization of that behavior.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
220 days since the first private commercial manned orbital mission (SpaceX)
Re: BCC Rule and Subject change for specific rule
On Tue, 5 Jan 2021, Giovanni Bechis wrote:

> On Mon, Jan 04, 2021 at 05:23:30PM -0800, John Hardin wrote:
>> I'm pretty sure SA only allows setting the subject tag by language, not based on rule hits.
>
> Starting from 3.4.3 you can add a prefix to the email subject like that:
>
>   header FROM_ME From:name =~ /Me/
>   subjprefix FROM_ME [From Me]

Cool, I missed that at the time. Thanks!

The documentation does mention it exists but does not give an example of using it...

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Your mouse has moved. Your Windows Operating System must be relicensed due to this hardware change. Please contact Microsoft to obtain a new activation key. If this hardware change results in added functionality you may be subject to additional license fees. Your system will now shut down. Thank you for choosing Microsoft.
---
220 days since the first private commercial manned orbital mission (SpaceX)
Re: BCC Rule and Subject change for specific rule
On Mon, 4 Jan 2021, Joey J wrote:

> If I'm understanding things correctly, there is a way for me to BCC spam messages which let's say score 10 and send a BCC to an email address, but I'm trying to do it within only 1 rule, as well as modify the subject.
>
> What I don't want is a BCC sent for every message which is scored a 10, but only the specific rule.
>
> Is there a way for me to accomplish this set of actions?

You can't BCC the message within SpamAssassin, as SA only scores messages. The MTA or glue layer (what ties SA into your MTA) is what determines *delivery* of the message based on SA's score.

Potentially, your MTA or glue layer could be configured to look for a specific scored rule name appearing in the header that lists rule hits and if found deliver the message to another destination. But specifically how to do that depends on your MTA and/or your glue. What are you using?

I'm pretty sure SA only allows setting the subject tag by language, not based on rule hits. You may be able to modify the subject in the MTA/glue at the same point you do the extra delivery.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
News flash: Lowest Common Denominator down 50 points
---
219 days since the first private commercial manned orbital mission (SpaceX)
Re: Rule for plussed address
On Mon, 28 Dec 2020, RW wrote:

> On Sun, 27 Dec 2020 10:17:15 -0800 (PST) John Hardin wrote:
>> To catch those you'd need to check for the address in a Received: header, assuming your MTA adds the envelope recipient to the Received: header it generates.
>>
>> You might do:
>>
>>   header ABUSED_PLUS Received =~ /\bfor /i
>
> This isn't completely reliable as the MTA won't provide the envelope recipient when there's more than one in the same SMTP session. It may be good enough for a single user mail system though. I presume this isn't trivial to fix as Fastmail had an unreliable X-Delivered-to header for years.
>
> Without a reliable envelope recipient, the best you can do is use all the sources of addresses, something like the following (untested):
>
>   header ABUSED_PLUS All =~ /^(?:(?:To|Cc):\s(?:.*(?:,\s|<))?|Received:.*for\s<)(?:shiva[+.](?:abused1|abused2)\@sewingwitch\.com)[,>\s\n]/im

Right, that's better.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
212 days since the first private commercial manned orbital mission (SpaceX)
Re: Rule for plussed address
On Sun, 27 Dec 2020, Kenneth Porter wrote:

> --On Saturday, December 26, 2020 11:20 PM -0500 Bill Cole wrote:
>> You definitely want to escape that '+' and catch the recipient instead of sender:
>>
>>   header RULENAME To:addr =~ /\+.+\@/
>>   score RULENAME -1
>
> That looks like what I want. Although since my server is hacked to accept a dot as separator, I can use [+.] in the pattern, with /[+.].+\@/. I can then add exceptions with positive scores for the abusers.

You'll also need to check Cc: if you're looking at the message headers, so two rules.

This would miss spams where the recipients are BCC'd, though. To catch those you'd need to check for the address in a Received: header, assuming your MTA adds the envelope recipient to the Received: header it generates. For example, the "for <>" in this:

  Received: from mxout1-he-de.apache.org (mxout1-he-de.apache.org [95.216.194.37])
          by ga.impsec.org (8.14.7/8.14.7) with ESMTP id 0BRHZ0H5027977
          (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
          for ; Sun, 27 Dec 2020 11:35:11 -0600

You might do:

  header ABUSED_PLUS Received =~ /\bfor /i

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Men by their constitutions are naturally divided in to two parties: 1. Those who fear and distrust the people and wish to draw all powers from them into the hands of the higher classes. 2. Those who identify themselves with the people, have confidence in them, cherish and consider them as the most honest and safe, although not the most wise, depository of the public interests. -- Thomas Jefferson
---
211 days since the first private commercial manned orbital mission (SpaceX)
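Added example, not from the thread: the "plussed address" idea from this message and RW's combined To:/Cc:/Received: regex from the later reply, exercised in Python against constructed header blocks. The first block models the BCC case, where the leaked address survives only in the MTA's "for <...>" clause on a folded continuation line, so the headers are unfolded before matching (SpamAssassin's header rules already see unfolded headers; a raw-text test needs the same step). The domain, local part and tag names are the placeholders RW used; the sample headers and sending hosts are constructed.

```python
import re

DOMAIN = "sewingwitch.com"
LOCALPART = "shiva"
ABUSED_TAGS = ["abused1", "abused2"]   # tags that have leaked to spammers

# Constructed header blocks. In the first the recipient was BCC'd, so the
# only trace of the address is the MTA's "for <...>" clause, which here is
# folded onto a continuation line as real Received: headers usually are.
BCC_HEADERS = """Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.sewingwitch.com (8.14.7/8.14.7) with ESMTP id 0BRHZ0H5027977
    for <shiva+abused1@sewingwitch.com>; Sun, 27 Dec 2020 11:35:11 -0600
From: promo@example.net
To: undisclosed-recipients:;
Subject: special offer
"""
CC_HEADERS = """Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.sewingwitch.com (8.14.7/8.14.7) with ESMTP id 0BRHZ0H5027978;
    Sun, 27 Dec 2020 11:36:11 -0600
From: promo@example.net
Cc: someone@example.org, <shiva.abused2@sewingwitch.com>
Subject: special offer
"""
OK_HEADERS = """From: friend@example.org
To: shiva+friend@sewingwitch.com
Subject: hello
"""


def unfold(raw):
    """Join folded continuation lines so a single-line regex can span a
    whole Received: header (SA does this for header rules already)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def abused_plus_pattern(localpart=LOCALPART, tags=ABUSED_TAGS, domain=DOMAIN):
    """Build RW's combined To:/Cc:/Received: regex for an arbitrary tag list."""
    addr = rf"{re.escape(localpart)}[+.](?:{'|'.join(map(re.escape, tags))})@{re.escape(domain)}"
    return re.compile(
        rf"^(?:(?:To|Cc):\s(?:.*(?:,\s|<))?|Received:.*for\s<)({addr})[,>\s]",
        re.I | re.M,
    )


def abused_recipients(raw_headers, pattern=None):
    """Set of abused plus/dot addresses found in To:, Cc: or a Received: for <>."""
    pattern = pattern or abused_plus_pattern()
    return {m.group(1).lower() for m in pattern.finditer(unfold(raw_headers))}
```

The tag list is the thing to maintain: once a tag is known to have leaked, add it here (or generate the rule from a file) rather than editing the regex by hand, and remember that a multi-recipient SMTP session leaves no "for <...>" clause at all, so the Received: branch is best-effort.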
Re: How to Block messages from display name not matching expected sender email address
On Thu, 24 Dec 2020, Bill Cole wrote:

> On 24 Dec 2020, at 0:02, Joey J wrote:
>> I'm trying to figure out how to write a rule that looks for matches of certain names against the display name, and then ensuring it's from a list of valid email addresses.
>>
>> So a phishing email comes in from "Boss Man"
>> So I want to check if the display name is "Boss Man" and if so, make sure the sending email address is boss...@realcompany.com or boss...@company2.com, otherwise score it with 10.
>
>   header __BOSSNAME From:name =~ /Boss Man/
>   header __BOSSADDR From:addr =~ /BossMan\@RealCompany.com|boss...@company2.com/

Missed escaping the second @ sign, and the periods...

>   meta BOSSPHISH __BOSSNAME && !__BOSSADDR
>   score BOSSPHISH 10

If you have a list of such addresses, you'd probably benefit from writing a script to generate the rules from that list rather than manually maintaining all the rules.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
Tomorrow: Christmas
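Added example, not from the thread: the generator script John suggests, in Python. It takes a display-name-to-allowed-addresses list and emits the __NAME / __ADDR subrules and scored meta per entry, escaping the '@' and '.' that the hand-written rule above missed (Python's re.escape handles '.', '+' and friends but leaves '@' alone, and in a Perl regex an unescaped '@' is array interpolation, so it is escaped explicitly). A small evaluator mirrors the generated meta so the logic can be checked without a SpamAssassin install. The executive names, addresses and LCL_EXEC_* rule names are placeholders for this example.

```python
import re
from email.utils import parseaddr

# Constructed list: protected display name -> addresses allowed to use it.
# Names and addresses are placeholders, not real accounts.
EXECS = {
    "Boss Man": ["bossman@realcompany.com", "bossman@company2.com"],
    "Jane Doe": ["jane.doe@realcompany.com"],
}


def perl_escape(text):
    """Escape for a SpamAssassin (Perl) regex: '.', '+', etc. via re.escape,
    plus '@' (array interpolation in Perl) and '/' (the pattern delimiter),
    neither of which Python's re.escape touches."""
    return re.escape(text).replace("@", r"\@").replace("/", r"\/")


def rule_tag(name):
    """Turn a display name into a rule-name fragment: 'Boss Man' -> 'BOSS_MAN'."""
    return re.sub(r"[^A-Z0-9]+", "_", name.upper()).strip("_")


def generate_rules(execs=EXECS, score=10.0):
    """Emit the __NAME / __ADDR subrules and a scored meta for each entry."""
    lines = []
    for name, addrs in execs.items():
        tag = rule_tag(name)
        addr_alt = "|".join(perl_escape(a) for a in addrs)
        lines += [
            f"header __LCL_EXEC_NAME_{tag} From:name =~ /{perl_escape(name)}/i",
            f"header __LCL_EXEC_ADDR_{tag} From:addr =~ /^(?:{addr_alt})$/i",
            f"meta LCL_EXEC_PHISH_{tag} __LCL_EXEC_NAME_{tag} && !__LCL_EXEC_ADDR_{tag}",
            f'describe LCL_EXEC_PHISH_{tag} Display name "{name}" from an unexpected address',
            f"score LCL_EXEC_PHISH_{tag} {score:.3f}",
            "",
        ]
    return "\n".join(lines)


def is_exec_phish(from_header, execs=EXECS):
    """Python equivalent of the generated meta: the display name contains a
    protected name but the address is not one of the allowed ones."""
    name, addr = parseaddr(from_header)
    for exec_name, addrs in execs.items():
        if re.search(re.escape(exec_name), name, re.I):
            return addr.lower() not in {a.lower() for a in addrs}
    return False
```

Write the output of generate_rules() to a file under the SA site rules directory and run spamassassin --lint on it; the address subrule is anchored with ^...$ so "bossman@realcompany.com.evil.example" does not pass as an allowed sender.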
Re: Bypass RBL checks for specific address
On Wed, 23 Dec 2020, Grant Taylor wrote:

> On 12/23/20 9:55 PM, John Hardin wrote:
>> Did you see my mention of this earlier?
>
> Yes, I did see it. That's a bit more invasive of a change than I was hoping to do for this task.
>
> I had been waiting to reply to your earlier message to test some things that you recommended. As you will see in my recent reply, I do believe that I've managed to achieve most of what I wanted to do.

Good.

I did notice from your earlier description that you (weakly) wanted to completely bypass SA scanning for those automated messages, which makes sense from a resource management perspective. The milter proxy would be the way to do that, as it would give you a way to bypass spamass-milter based on recipient (or more reliably sender + recipient).

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
Tomorrow: Christmas
Re: Bypass RBL checks for specific address
On Wed, 23 Dec 2020, Grant Taylor wrote:

> On 12/23/20 2:15 PM, John Hardin wrote:
>> spamass-milter has a -u flag for a username to pass to SA. If these are single-recipient messages that may be enough to reliably tie into per-user config to disable the RBL check.
>
> It seems as if spamass-milter is using the -u to specify a default user.
>
> It also seems as if spamass-milter will attempt to discover the (first) recipient if -x is also used. Spamass-milter will then use -u to pass the username default for first detected to spamc so that spamc can use personalized settings.

Right. Sorry, I misworded my description a bit.

>> I am fairly sure that setting a rule score to zero bypasses the rule (vs. running it and ignoring the result) but you will probably want to test that to confirm whether the RBL is checked anyways. However, if the RBL check is written as a subrule then it can't be disabled this way as subrules don't have scores to set to zero.
>
> ACK
>
> This matches my tests.

Oh, good. Thanks for the confirmation.

>> That last option sounds to me like the first one you should explore.
>
> Thankfully, and to my surprise, SpamAssassin / spamass-milter /is/ attempting personalization. "-u spamass-milter" was already in place. I added "-x" to cause spamass-milter to try to detect the first user, tweaked permissions (group membership) to allow spamass-milter to run sendmail -bv to detect some other users correctly, and now things seem to be working much closer to how I want.
>
> Initial testing seems very promising use of heavily modified ~/.spamassassin/user_prefs.

Good news!

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
Tomorrow: Christmas
Re: Bypass RBL checks for specific address
On Wed, 23 Dec 2020, Grant Taylor wrote:

> That's all considerably more complicated than I'm comfortable with at the moment.

Did you see my mention of this earlier?

https://milter-manager.osdn.jp/reference/introduction.html

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
2 days until Christmas
Re: UNSUBSCRIBE
On Wed, 23 Dec 2020, Richard Ozer wrote:

In the headers of every message from the mailing list:

  list-unsubscribe: <mailto:users-unsubscr...@spamassassin.apache.org>

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
2 days until Christmas
Re: Bypass RBL checks for specific address
On Wed, 23 Dec 2020, Grant Taylor wrote:

> I have about 2,000 messages a day that come in to my mail server for all recipients with the exception of one specific (set of) recipient(s). That (set of) recipient(s) receive 20,000 - 30,000 messages a day. They are very specific messages for an automated communications system and they don't need any spam filtering, specifically RBL filtering. (It's a matrix of about 20 different such parties sending between each other across the internet.)
>
> I'm looking at implementing a new RBL from a service provider that offers a free tier of about 5,000 queries a day. My personal messages are way under that limit. The particular (set of) address(es) that I want to bypass RBL tests are way over that limit. So I would like to bypass the RBL tests for that specific (set of) address(es).

spamass-milter has a -u flag for a username to pass to SA. If these are single-recipient messages that may be enough to reliably tie into per-user config to disable the RBL check.

I am fairly sure that setting a rule score to zero bypasses the rule (vs. running it and ignoring the result) but you will probably want to test that to confirm whether the RBL is checked anyways. However, if the RBL check is written as a subrule then it can't be disabled this way as subrules don't have scores to set to zero.

You may need to patch spamass-milter to add the ability to bypass specific recipient addresses to achieve this. This discussion and patch may help as a starting point:

https://mail-index.netbsd.org/pkgsrc-users/2010/09/10/msg012736.html

It looks like that patch might be already implemented in some distros.

There appears to be a sendmail patch that adds the ability to control milter execution via sendmail rulesets:

https://groups.google.com/g/comp.mail.sendmail/c/kPZtOXIclQ0

milter-rres at http://www.jmaimon.com/sendmail/#milter-rrres.v16

I don't know whether that patch is in current sendmail, but I don't have high hopes. The latest version (v16) on the author's site is from 2007 for sendmail 8.13

It looks like that this milter proxy would allow you to dynamically bypass spamass-milter based on recipient address without patching either sendmail or spamass-milter:

https://milter-manager.osdn.jp/reference/introduction.html

I don't have any familiarity with it, though. It is fairly current, last released in September 2019.

That last option sounds to me like the first one you should explore.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
2 days until Christmas
Re: Do the Yahooniverse domains share email address space?
On Wed, 23 Dec 2020, Axb wrote:

> I misunderstood.. domain wise they are distinct users.
> Server_wise, they share servers except yahoo.co.jp which runs their own

Ok. Thanks!

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
2 days until Christmas
Re: More undetected hidden test spam signs
On Tue, 22 Dec 2020, Loren Wilton wrote:

>>> On 16 Dec 2020, at 23:21, Loren Wilton wrote:
>>>> I just got a batch of spams containing
>>
>> Such rules are there. Unfortunately, for whatever reason, lots of ham uses "invisible" text so it's not useful as a spam sign by itself and it's hard to come up with any useful combination rules.
>>
>> I think I may have figured it out - tracking images. Like:
>>
>>   style="visibility: hidden !important; display:none !important; max-height: 0; width: 0; line-height: 0; mso-hide: all;">
>
> Note in your example the display:none is in a contained tag and not in an opening tag of a span. The tag is probably fairly long because the URL is probably huge, but it is still the one item that is hidden.

Right, but __STY_INVIS is currently tag-blind (it only looks for the style="" clause), so it hits that, and if lots of ham is hiding tracking images that way that might explain the poor S/O.

> I put in a local rawbody rule for m'.{100,}(?:$|)'is and so far I haven't gotten any hits on ham.

How much spam hits that very simple case?

I had a __SPAN_INVIS rule (currently commented out) but IIRC it also had poor S/O. It wasn't as simple as yours, though - perhaps I'm allowing for too many syntactically-valid cases to try to avoid trivial avoidance by spam?

> Of course that is a pretty heavy rule

It would be lighter if you didn't look for the tag closing. Is there a reason you care about the closing for that?

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
3 days until Christmas
Re: More undetected hidden test spam signs
On Thu, 17 Dec 2020, John Hardin wrote:

> On Thu, 17 Dec 2020, @lbutlr wrote:
>> On 16 Dec 2020, at 23:21, Loren Wilton wrote:
>>> I just got a batch of spams containing
>>
>> Interesting. I remember in the early days of html spam there were various rules to tag messages as spam when they had content that did not display. (Possibly pre-SpamAssassin or at least pre my use of SpamAssassin).
>
> Such rules are there. Unfortunately, for whatever reason, lots of ham uses "invisible" text so it's not useful as a spam sign by itself and it's hard to come up with any useful combination rules.

I think I may have figured it out - tracking images. Like:

The src link gets visited to retrieve the image so the message is tracked, but the display of the image is suppressed.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
3 days until Christmas
Re: Do the Yahooniverse domains share email address space?
On Mon, 21 Dec 2020, Axb wrote:

> On 12/21/20 7:19 PM, John Hardin wrote:
>> Quick question for anyone who knows: Are the email addresses in the various domains in the yahoo family (e.g. yahoo.com, yahoo.com.hk, yahoo.com.my, yahoo.com.sg, yahoo.com.vn, yahoo.co.jp, yahoo.co.nz, yahoo.co.th, yahoo.co.uk, yahoo.es, yahoo.fr, etc.) all shared (i.e. which domain you use doesn't matter)? Or is a mailbox/account separate and distinct from ?
>
> Only yahoo.co.jp run their own setup and don't share with the rest of the world.

...so and and are all the same mailbox, but is separate from them?

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
3 days until Christmas
Do the Yahooniverse domains share email address space?
Quick question for anyone who knows: Are the email addresses in the various domains in the yahoo family (e.g. yahoo.com, yahoo.com.hk, yahoo.com.my, yahoo.com.sg, yahoo.com.vn, yahoo.co.jp, yahoo.co.nz, yahoo.co.th, yahoo.co.uk, yahoo.es, yahoo.fr, etc.) all shared (i.e. which domain you use doesn't matter)? Or is a mailbox/account separate and distinct from ?

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
4 days until Christmas
Re: A few noob questions
On Sun, 20 Dec 2020, Alan wrote:

n.b.: you're not subscribed to the list from netbeans.5zc...@ambitonline.com but I pushed it through moderation. If you're going to post regularly from that address you should register it as an alternate. From the mailing list help:

  You can start a subscription for an alternate address, for example "john@host.domain", just add a hyphen and your address (with '=' instead of '@') after the command word:

> Many thanks for your help.
>
> On 2020-12-20 15:26, John Hardin wrote:
>> On Sat, 19 Dec 2020, Alan wrote:
>>> The reason for asking is that I want to use SpamAssassin to flag some things that are suspicious but only when other conditions are met for specific users. I'd like to have SA insert the rule text, eg. LOCAL_SOME_RULE so that I can have an exim filter check for a specific form of to address plus this rule match before removing the message.
>>
>> You should be able to do that purely in SA; it's a tad more difficult if you want to match the envelope to address rather than the To: header. If you want to reliably match the envelope to address you'd need to have it recorded in a Received header (either the one that your MTA generates or the one that some trusted MTA prior to your MTA generates).
>
> Agreed, ideally this is something I can stick into a KB article and have afflicted users implement on their own. I'd like to keep system-wide modifications to a minimum. A user's exim filters also move when we transfer an account to another server, so as long as there's a common rule set, not having to adjust SA configuration is a benefit.

Ah, ok. That makes sense.

> Basically what I have now is this:
>
>   uri __LCL_SUSPECT_LINK1 /target_pattern_1/i
>   tflags __LCL_SUSPECT_LINK1 multiple maxhits=5
>   uri __LCL_SUSPECT_LINK2 /target_pattern_2/i
>   tflags __LCL_SUSPECT_LINK2 multiple maxhits=5
>   meta LCL_MANY_SUSPECT_LINKS __LCL_SUSPECT_LINK1 && __LCL_SUSPECT_LINK2 && rules_matching(__LCL_SUSPECT_LINK?) > 5

No, it doesn't need to be that complex. This is all you need:

  meta LCL_MANY_SUSPECT_LINKS __LCL_SUSPECT_LINK1 > 4 && __LCL_SUSPECT_LINK2 > 4

Treat the rule names as variables having their value = # hits. Mostly you're doing logical comparisons (R1 && R2 && !R3) but math is totally acceptable as well, e.g. (R1 + R2 + R3 > 1) for an "any two out of three" meta rule.

...so, if you want to count multiple hits across several rules, perhaps:

  meta LCL_MANY_SUSPECT_LINKS (__LCL_SUSPECT_LINK1 + __LCL_SUSPECT_LINK2) > 4

Also note that with "maxhits=5" the number of times the rule will hit will be at most 5, so "> 5" will never match.

> One more noob question. Can I test a rule without messing with the production environment by using
>
>   spamassassin -t -cf='include myrule.cf' path
>
> or should I build a test environment?

I do a lot of rule dev so I have a dedicated test environment. I can't say whether --cf would work, I've never tried it. Seems plausible.

You'll also want "--debug area=all,rules,rules-all,message,uri" to see the hits in the log output.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
---
5 days until Christmas
Re: A few noob questions
On Sat, 19 Dec 2020, Alan wrote:

> 1. What is the smallest increment for a rule score? I see some indications that it's 0.1, others seem to say it is 0.01. Can I go to 0.001? Lower?

As Bill said, anything works. Zero does disable the rule; a score of 0.001 is generally termed "informative" - you want to include it in the hits output so that you know that the rule hits, but you don't want it (by itself) to affect the score. See, for example, LOTSA_MONEY.

> The reason for asking is that I want to use SpamAssassin to flag some things that are suspicious but only when other conditions are met for specific users. I'd like to have SA insert the rule text, eg. LOCAL_SOME_RULE so that I can have an exim filter check for a specific form of to address plus this rule match before removing the message.

You should be able to do that purely in SA; it's a tad more difficult if you want to match the envelope to address rather than the To: header. If you want to reliably match the envelope to address you'd need to have it recorded in a Received header (either the one that your MTA generates or the one that some trusted MTA prior to your MTA generates).

You'd make LOCAL_SOME_RULE an unscored subrule by prepending two underscores: __LCL_SOME_RULE, and then you'd develop some subrule(s) to hit on the specific form of to address(es) you're interested in. Then these can be combined in a scored meta rule:

  meta LCL_POISON_01 __LCL_SOME_RULE && (__LCL_SUSP_TO_01 || __LCL_SUSP_TO_02)
  score LCL_POISON_01 10.000

> But at the same time I don't want messages that match this rule to generate false positives for other users.

If you've done the __LCL_SUSP_TO_* rule(s) properly that shouldn't happen. You can set the score to informative while testing it.

> 2. I would like to match against some suspicious URLs that contain long sequences of random characters, but only have the rule match if I find multiple URLs that follow the same pattern.

Bill answered that adequately. One comment on his answer:

>   describe __KAM_COUNT_URIS

Subrules never appear in the hits output so a description on them is only for internal documentation purposes; a regular #comment would work just as well for that.

As for long sequences of random characters - that's FP-prone. It's difficult to detect *random* in a simple RE. A long string of characters from a given set, easy. Characteristics about that string? complicated. A rule like that might potentially hit on legitimate (for values of "legitimate") tracking analysis URIs or caching URIs, unless there is some kind of uncommon pattern to it that you can discern and look for in the RE.
Re: Scoring Based on IP Address
On Fri, 18 Dec 2020, @lbutlr wrote:

> On 17 Dec 2020, at 16:19, Dave Wreski wrote:
>> On 12/17/20 6:05 PM, Matt wrote:
>>> Is there a way with spamassassin local.conf to add a higher score based on source ip address or subnet? Basically the last IP in "Received:" header.
>>>
>>>   bad_subnet_add_20_points: 192.168.240.0/24
>>>
>>> Raising the score if that IP appeared anywhere in headers or body might work too.
>>
>> Yes, but if you're effectively going to create a "poison pill" rule where any mail from a particular network is quarantined, you might be better off doing this at the firewall or in postfix directly and just rejecting it outright.
>>
>>   header __BAD_IP_RCVD Received =~ /192\.168\.240\.\d{1,3}/
>>   body __BAD_IP_BODY /192\.168\.240\.\d{1,3}/
>>   rawbody __BAD_IP_RAWBODY /192\.168\.240\.\d{1,3}/
>>   meta MY_BAD_SENDER __BAD_IP_RCVD || __BAD_IP_BODY || __BAD_IP_RAWBODY
>>   score MY_BAD_SENDER 20
>>   describe MY_BAD_SENDER Contains bad IP
>
> Won't this match for that IP in ANY Received: header?

Yes. That's "deep inspection", and runs the risk of a hit on a legitimate "bad" IP in the sender's local network (assuming their MTA records the initial submission).

It would be better to check the last external IP in X-Spam-Relays-External:

  header __EXT_MTA_IP_BAD X-Spam-Relays-External =~ /^\[ ip=192\.168\.240\.\d+ /

And, as Dave said, if you're going to poison pill based on the external MTA's IP address, then do it with an MTA IP rule or at the firewall, it's a lot easier (and lighter-weight) than all this SA stuff. For example, in /etc/mail/access (for sendmail):

  93.159.212.159   550 5.7.1 Spammed a mailing list - go away.
  65.49.16.2       550 5.7.1 Open relay - go away.
  202.65.168.39    550 5.7.1 Seven 419 spams in one hour - go away.
  213.171.44.75    550 5.7.1 Open relay - email worms - go away.
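To make the difference between deep inspection of every Received: header and checking only the last external relay concrete, here is an added Python example (not code from the thread or from SpamAssassin). The Received: lines, the relays pseudo-header and the 192.168.240.0/24 "bad" subnet are constructed sample data; the pseudo-header field layout beyond the leading `[ ip=` that the rule above relies on is assumed from SpamAssassin's relays format.

```python
import ipaddress
import re

# Constructed sample data (not taken from the original thread).
BAD_SUBNET = ipaddress.ip_network("192.168.240.0/24")

# Case A: the MTA that handed us the mail (the last external relay) is in
# the bad subnet.  Both approaches should hit.
RELAYS_EXTERNAL_BAD = (
    "[ ip=192.168.240.17 rdns=mail.bad.example helo=mail.bad.example "
    "by=mx.ours.example ident= envfrom= intl=0 id=ABC123 auth= msa=0 ]"
)
RECEIVED_BAD = [
    "from mail.bad.example (mail.bad.example [192.168.240.17]) by mx.ours.example",
]

# Case B: a legitimate MTA whose *own* internal submission hop happened to
# use the same private range.  Deep inspection hits (false positive); the
# last-external-relay check does not.
RELAYS_EXTERNAL_GOOD = (
    "[ ip=203.0.113.10 rdns=mta.good.example helo=mta.good.example "
    "by=mx.ours.example ident= envfrom= intl=0 id=DEF456 auth= msa=0 ]"
)
RECEIVED_GOOD = [
    "from mta.good.example (mta.good.example [203.0.113.10]) by mx.ours.example",
    "from laptop.good.example (laptop.good.example [192.168.240.5]) by mta.good.example",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Same anchoring as the __EXT_MTA_IP_BAD rule above: the first "[ ip=" block
# in X-Spam-Relays-External is the relay that delivered to us.
FIRST_RELAY_IP = re.compile(r"^\[ ip=(\S+) ")


def deep_inspection_hit(received_headers):
    """Mirror of the __BAD_IP_RCVD approach: any IP anywhere in any
    Received: header that falls inside BAD_SUBNET counts as a hit."""
    for hdr in received_headers:
        for ip in IPV4.findall(hdr):
            try:
                if ipaddress.ip_address(ip) in BAD_SUBNET:
                    return True
            except ValueError:
                continue  # not a valid address (e.g. 999.1.1.1)
    return False


def last_external_hit(relays_external):
    """Mirror of the X-Spam-Relays-External approach: only the first block,
    i.e. the last external relay, is checked against BAD_SUBNET."""
    m = FIRST_RELAY_IP.match(relays_external)
    if not m:
        return False
    try:
        return ipaddress.ip_address(m.group(1)) in BAD_SUBNET
    except ValueError:
        return False


if __name__ == "__main__":
    print("case A deep:", deep_inspection_hit(RECEIVED_BAD))
    print("case A last-external:", last_external_hit(RELAYS_EXTERNAL_BAD))
    print("case B deep (FP):", deep_inspection_hit(RECEIVED_GOOD))
    print("case B last-external:", last_external_hit(RELAYS_EXTERNAL_GOOD))
```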
Re: More undetected hidden test spam signs
On Thu, 17 Dec 2020, @lbutlr wrote:

> On 16 Dec 2020, at 23:21, Loren Wilton wrote:
>> I just got a batch of spams containing
>
> Interesting. I remember in the early days of html spam there were various rules to tag messages as spam when they had content that did not display. (Possibly pre-SpamAssassin or at least pre my use of SpamAssassin).

Such rules are there. Unfortunately, for whatever reason, lots of ham uses "invisible" text so it's not useful as a spam sign by itself and it's hard to come up with any useful combination rules.

  https://ruleqa.spamassassin.org/?rule=%2Fsty_invis

Perhaps this would be useful if it hits bayes but not hard enough to push it over the threshold:

  meta INVIS_TEXT_BAYES __STY_INVIS && (BAYES_80 || BAYES_95 || BAYES_99 || BAYES_999)

N.B.: I just fixed a minor error in __STY_INVIS that made it fail to see that specific form of "invisible text".
Re: google and spam
On Mon, 14 Dec 2020, Dominic Raferd wrote:

> On 14/12/2020 11:01, Iulian Stan wrote:
>> I am also receiving a lot of spam from google (apparently always domain is trix.bounces.google.com)
>>
>> https://pastebin.com/DW6dvdxP
>
> To my surprise, you seem to be right. In my logs I have a number of these (but not a huge number) over the last year, they have almost all been blocked by SA (not using bayes) - but not blocked by earlier defences. I have received only a handful of such mails that have passed SA; now when I check them all definitely spam/phishing. The IPs all seem to be Google's (within CIDR 209.85.128.0/17). I'm going to add a couple of points scoring to anything from trix.bounces.google.com.

I'll add a rule for that to my sandbox and we'll see what happens.
Re: __PDS_FROM_2_EMAILS broken ?
On Fri, 11 Dec 2020, Benoit Branciard wrote:

> On 10/12/2020 at 17:08, John Hardin wrote:
>> ...okay, I found the problem. None of my tests had a username with a period. Fixing.
>
> Good ! I cherry-picked your regex fix from https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf?r1=1884233=1884284, and confirmed it doesn't trigger anymore on identical firstname.lastname@... addresses in from header. Thanks !

Thank you for the report, and my apologies that I wasn't quite thorough enough in my testing. :(
Re: __PDS_FROM_2_EMAILS broken ?
On Thu, 10 Dec 2020, Benoit Branciard wrote:

> Have there been any changes to the __PDS_FROM_2_EMAILS rule recently on 3.004002 branch ?

Yes. I took another look at it prompted by the recent many-froms discussion and did a little tuning.

> Since latest update this night, we got significantly more matches of meta rule PDS_FROM_2_EMAILS than previously, and for at least a dozen of them, the rule triggered despite the fact that both addresses (in from text and address) were strictly identical, like this :
>
>   From: "my.u...@univ-paris1.fr"

It *should not* be doing that. I have test cases in my dev environment like that and it doesn't hit them, but I will check again.

> Until now I expected this rule to match *only* if from text and address contained *different* addresses...

Correct.

> my /var/lib/spamassassin/3.004002/updates_spamassassin_org/72_active.cf contains :
>
>   header __PDS_FROM_2_EMAILS From =~ /(?:\W|^)([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i

The "(?!\1)" is intended to prevent that.

...okay, I found the problem. None of my tests had a username with a period. Fixing.
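The false positive Benoit reports can be reproduced with the quoted regex in Python; this is an added example, not the rule file and not the fix that was later checked in. The From: values are constructed samples, and the tightened variant at the end is my own illustration of where the capture goes wrong (a lookbehind instead of `(?:\W|^)`), not the committed fix.

```python
import re

# The __PDS_FROM_2_EMAILS regex quoted above.  Python's re has no possessive
# quantifier (\w++) before 3.11, so it is written as \w+ here; for these
# inputs the two only differ in how much backtracking is done, not in what
# they accept.
FROM_2_EMAILS = re.compile(
    r"(?:\W|^)([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@",
    re.IGNORECASE,
)

# Hypothetical tightened variant (an assumption for illustration, NOT the
# fix from the svn revision linked in the thread): the captured address may
# not be preceded by any character that could itself belong to an address,
# so the capture can no longer start in the middle of "my.user@...".
FROM_2_EMAILS_TIGHT = re.compile(
    r"(?<![\w+.-])([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@",
    re.IGNORECASE,
)


def two_emails(from_value, rx=FROM_2_EMAILS):
    """Return the address captured as group 1 when the rule would hit on
    this From: header value, or None when it would not."""
    m = rx.search(from_value)
    return m.group(1) if m else None


# Constructed From: header values.
IDENTICAL_PLAIN = '"john@example.org" <john@example.org>'
IDENTICAL_DOTTED = '"my.user@univ-paris1.fr" <my.user@univ-paris1.fr>'
DIFFERENT = '"alice@a.example" <bob@b.example>'

if __name__ == "__main__":
    # With the original regex, the dotted-username case hits because (?:\W|^)
    # lets the capture start right after the '.', so group 1 becomes
    # "user@univ-paris1.fr" and (?!\1) no longer sees the same address.
    for label, value in [("identical, no dot", IDENTICAL_PLAIN),
                         ("identical, dotted", IDENTICAL_DOTTED),
                         ("different", DIFFERENT)]:
        print(f"{label:18s} original={two_emails(value)!r} "
              f"tight={two_emails(value, FROM_2_EMAILS_TIGHT)!r}")
```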
Re: Possible spam sign
On Tue, 8 Dec 2020, Loren Wilton wrote:

>>>> That probably should have hit at least one scored base rule:
>>>>
>>>>   https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
>>>
>>> Nope. I think my rules are up to date, but maybe not.
>>
>> Feel free to pastebin it and I'll take a look.
>
> https://drive.google.com/file/d/1WQ0Mm1iUsKhTj51mFJwwehuTatSm8Nux/view?usp=sharing

That was scanned by SA? Are the SA scan results buried in the X-VadeSecure-Cause header somehow?

It's too long to hit FROM_2_EMAILS_SHORT, and the longer message rules that it hits (__HTML_LENGTH_1024_1536 and __PDS_HTML_LENGTH_2048) are ham-only combos in the masscheck corpus.

I've added some new rules for masscheck eval based on it.
Re: Possible spam sign
On Tue, 8 Dec 2020, Loren Wilton wrote:

>> That probably should have hit at least one scored base rule:
>>
>>   https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
>
> Nope. I think my rules are up to date, but maybe not.

Feel free to pastebin it and I'll take a look.
Re: Possible spam sign
On Tue, 8 Dec 2020, Loren Wilton wrote:

> I just received a spam with this interesting From address:
>
>   From: "VA Rate Guide"
>
> I wonder if it is worth checking for mail from more than one sender at once?

That probably should have hit at least one scored base rule:

  https://ruleqa.spamassassin.org/?rule=%2FFROM_2_
Re: contact from blacklist
On Fri, 20 Nov 2020, Kevin A. McGrail wrote:

> Philipp are these spam using things like Google forms for spam? If so, take a look at KAM.cf on mcgrail.com, we've added a number of rules to combat those recently.

There are also Google Docs rules in the base ruleset that should catch that.

Based on the sample that was posted, it looks to me like abuse of a web-based feedback form - post a spammy feedback using the email address of your victim and you spam the victim via the confirmation (and the domain hosting the feedback form at the same time).
Re: contact from blacklist
On Fri, 20 Nov 2020, Philipp Ewald wrote:

> On my freemail-account i got this kind of email too so i thought maybe there will be a Blacklist for this kind of SPAM.
> ...
> Thanks for contact BLABLALBA
> Your Text to us: SPAM

This looks like abuse of a web-based feedback form at alnatura.de; they don't appear to have a CAPTCHA on their feedback form so it's possible it's being abused by spambots.

Is the source domain (alnatura.de) consistent, just the spammy content changes? If so, a blacklist_from entry for nore...@alnatura.de might work while contacting the domain (NOT via the feedback form!) and letting them know their feedback form is being abused for spam and they should add a CAPTCHA.

Though, they should realize that when they see a ton of spam in their feedback system. They may just be cursing fate and deleting it.

A BL of domains with abusable feedback forms would be handy, but data collection and maintenance seems problematic. I don't think one currently exists.
Re: Apache SpamAssassin and Spammers 1st Amendment Rights
On Fri, 20 Nov 2020, AJ Weber wrote:

> I think you should keep politics out of this.

+1

*PLEASE*
Re: USER_IN_SPF_WHITELIST vs freemails
On Thu, 12 Nov 2020, Darrell Budic wrote:

>> On Nov 12, 2020, at 12:31 PM, John Hardin wrote:
>>
>> I'd have to see a spample to tell whether that would hit your particular case, though. Can you upload an example to pastebin for us?
>
> Sure, it’s at https://paste.centos.org/view/045312a7
>
> The line it’d be looking for is https://docs.google.com/forms/d/e/1FAIpQLSewTcsIWucmT-BDiN5F0_25NVaNqfbTcCANvTA8ReD_MjpONw/viewform?vc=0c=0w=1flr=0usp=mail_form_link which looks like it would match if I'm reading regexps correctly today?

Sadly, that doesn't hit the current form of the rule. Fix checked in, the next rule publication should catch it.

Thanks for the sample.
Re: USER_IN_SPF_WHITELIST vs freemails
On Thu, 12 Nov 2020, Darrell Budic wrote:

>> On Nov 12, 2020, at 11:54 AM, John Hardin wrote:
>>
>> On Thu, 12 Nov 2020, Darrell Budic wrote:
>>> Got a few of these 411 google form spams recently and was wondering why they weren’t getting caught by SA. Looks like the Return-Path: is triggering a whitelist rule on google.com so the rest of the tests aren’t enough to get it tagged. Anything I can do to keep the whitelist rule from firing when the free mail rules have been tripped?
>>
>> You can't keep it from firing beyond removing google.com from the whitelist, which would impact non-gmail google mails.
>>
>> What you *can* do is define a meta to offset the whitelist score:
>>
>>   meta FREEM_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM
>>   score FREEM_WLIST_OFFSET 100.000 # offset whitelist score
>>   describe FREEM_WLIST_OFFSET Offset SPF whitelist on freemail From
>>
>> Of course, that would prevent you from auth-whitelisting any freemail provider, if you wanted to do such a thing.
>
> Thanks, figured it would be something like that. Would this make sense for something a bit more granular?
>
>   uri GOOGLE_FORMS /docs\.google\.com\/forms\//
>   meta FREEM_WLIST_OFFSET_GOOGLE GOOGLE_FORMS && USER_IN_SPF_WHITELIST && FREEMAIL_FROM
>   score FREEM_WLIST_OFFSET_GOOGLE 100.000 # offset whitelist score
>   describe FREEM_WLIST_OFFSET_GOOGLE Offset SPF whitelist on freemail From for google forms

There's already a google doc subrule in the base ruleset, try using that:

  meta FREEM_GDOC_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM && __URI_GOOGLE_DOC

I'd have to see a spample to tell whether that would hit your particular case, though. Can you upload an example to pastebin for us?

>>> X-Spam-Tests: BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST
Re: USER_IN_SPF_WHITELIST vs freemails
On Thu, 12 Nov 2020, Darrell Budic wrote:

> Got a few of these 411 google form spams recently and was wondering why they weren’t getting caught by SA. Looks like the Return-Path: is triggering a whitelist rule on google.com so the rest of the tests aren’t enough to get it tagged. Anything I can do to keep the whitelist rule from firing when the free mail rules have been tripped?

You can't keep it from firing beyond removing google.com from the whitelist, which would impact non-gmail google mails.

What you *can* do is define a meta to offset the whitelist score:

  meta FREEM_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM
  score FREEM_WLIST_OFFSET 100.000 # offset whitelist score
  describe FREEM_WLIST_OFFSET Offset SPF whitelist on freemail From

Of course, that would prevent you from auth-whitelisting any freemail provider, if you wanted to do such a thing.

> X-Spam-Tests: BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST
Re: Crap getting through
On Sun, 8 Nov 2020, Daryl Rose wrote:

> I'm getting obvious phishing attempts. This one was made to look like it was from Wells Fargo with an obvious spoofed email address. However, when I examined the headers, the From Address was this garbage:
>
>   *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *

Easy enough to write a "FUZZY_WELLSFARGO" rule for that, but it probably won't pass masscheck and get published because there are probably few examples of that in the corpus.

Added to my sandbox:

  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
    body __FUZZY_WELLSFARGO_BODY /(?!ells[-\s]?Fargo)[-\s]?/i
    replace_rules __FUZZY_WELLSFARGO_BODY
    header __FUZZY_WELLSFARGO_FROM From:name =~ /(?!ells[-\s]?Fargo)[-\s]?/i
    replace_rules __FUZZY_WELLSFARGO_FROM
    meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
  endif

Do you have something like this in place?

  whitelist_auth *@wellsfargo.com
  blacklist_from *@wellsfargo.com
  whitelist_auth *@*.wellsfargo.com
  blacklist_from *@*.wellsfargo.com
  whitelist_auth *@bankofamerica.com
  blacklist_from *@bankofamerica.com
  whitelist_auth *@*.bankofamerica.com
  blacklist_from *@*.bankofamerica.com
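As an added example (not the sandbox rule above, which uses ReplaceTags), here is one way to decode that From: display name and see the look-alike letters for what they are, using RFC 2047 decoding and Unicode decomposition from Python's standard library; the brand regex and the helper names are my assumptions.

```python
import re
import unicodedata
from email.header import decode_header, make_header

# The encoded-word From: name quoted in the message above.
SPOOFED_FROM_NAME = "=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?="

# Assumed brand pattern, mirroring the "ells[-\s]?Fargo" shape of the rule.
BRAND = re.compile(r"wells[-\s]?fargo", re.IGNORECASE)


def decode_encoded_word(value):
    """Decode an RFC 2047 encoded-word header value to a str.
    Plain (unencoded) values pass through unchanged."""
    return str(make_header(decode_header(value)))


def strip_marks(text):
    """Canonically decompose accented letters and drop the combining marks,
    so U+1EC5 (e with circumflex and tilde) becomes 'e' and U+1E1E (F with
    dot above) becomes 'F'.  This is what makes the look-alike readable."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def fuzzy_brand_hit(from_name):
    """True when the mark-stripped name reads as the brand while the decoded
    name as sent does NOT match it literally, i.e. accented look-alikes were
    used to dodge a plain 'Wells Fargo' match.  A genuine 'Wells Fargo' name
    matches both ways and is therefore not flagged here."""
    decoded = decode_encoded_word(from_name)
    folded = strip_marks(decoded)
    return bool(BRAND.search(folded)) and not BRAND.search(decoded)


if __name__ == "__main__":
    decoded = decode_encoded_word(SPOOFED_FROM_NAME)
    print("decoded :", decoded)
    print("folded  :", strip_marks(decoded))
    print("fuzzy hit:", fuzzy_brand_hit(SPOOFED_FROM_NAME))
```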
Re: Spamssassin seems to append .com TLD to uri link domains found
On Sat, 7 Nov 2020, RW wrote:

> On Sat, 7 Nov 2020 10:05:21 -0800 (PST)
> John Hardin wrote:
>> On Sat, 7 Nov 2020, RW wrote:
>>> On Fri, 6 Nov 2020 16:10:18 + RW wrote:
>>>> However, I can't get an up-to-date Firefox to add .com, so the feature may already be obsolete.
>>>
>>> I take that back, it does.
>>
>> What does it do for the example at hand, http://www.ch ?
>
> Firefox only adds .com if the domain doesn't resolve. www.ch resolves and then redirects to https://meteo.ch/
>
> If SA is to allow for what Firefox does then I think the behaviour is reasonable. A DNS lookup would be overkill,

Agreed.

> and there's no particular reason to exclude labels that happen to be TLDs.

Do you mean *valid* TLDs? Because I think that suppressing that behavior for valid TLDs would be an appropriate modification to avoid potential URIBL FPs (which, granted, is probably fairly unlikely) and to avoid the overhead of extra lookups.
Re: Spamssassin seems to append .com TLD to uri link domains found
On Sat, 7 Nov 2020, RW wrote:

> On Fri, 6 Nov 2020 16:10:18 + RW wrote:
>> However, I can't get an up-to-date Firefox to add .com, so the feature may already be obsolete.
>
> I take that back, it does.

What does it do for the example at hand, http://www.ch ?
Re: Spamssassin seems to append .com TLD to uri link domains found
On Sat, 7 Nov 2020, Benny Pedersen wrote:

> Tobi wrote on 2020-11-06 17:51:
>> ah understand, should have better checked what SA really adds to domain list. So both versions are checked. Just bad luck if the expanded version of the uri domain (ex ch.com) has a blacklisting at uribl or spamhaus ;-) But that's another story
>>
>> Have a good weekend
>
> i followed this thread, it was mentioned it was firefox that try to help useful domain name ? but i lost how this went over to a bug in spamassassin ?

The bug was to implement the same (mis)behavior in SA URI parsing.
Re: SPF_FAIL
On Thu, 5 Nov 2020, Victor Sudakov wrote:

> Moreover, after reading other replies in the thread, I am even beginning to doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in some installations).

"it depends". Doing that for certain domains - like, large banks - would probably be a good idea. By default, for all domains, not so much.
Re: Email coming in being identified as SPAM
On Thu, 5 Nov 2020, Axb wrote:

> On 11/5/20 4:31 AM, John Hardin wrote:
>> On Thu, 5 Nov 2020, RW wrote:
>>> On Wed, 04 Nov 2020 18:48:48 -0500
>>> Bill Cole wrote:
>>>> On 4 Nov 2020, at 13:31, Thomas Anderson wrote:
>>>>> * 1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
>>>>
>>>> In addition to what John noted, that one looks like a candidate for constructing an exception. MISSING_MIMEOLE already has a number of exceptions based on the fact that other MUAs have adopted X-MSMail-Priority but have no reason to use X-MimeOLE because it's a fundamentally bad idea as a header with no real utility. With a sample of the headers for the message that hit that rule, we could add an exception for whatever is generating such messages in this case.
>>>
>>> it was sent via t-online.de
>>>
>>> see: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7306
>>
>> t-online.de obviously haven't changed their client in the last four years, so perhaps we should reopen that bug and add the exception.
>>
>> AXB - any comments??
>
> I'd lower the rule's score a bit. That way we don't have to track what t-online.de does/or not does.
>
> comments?
>
> AXB

How about we pull it from 50_scores.cf and let the masschecks consider it? With a score limit of 1.5, perhaps?
Re: Email coming in being identified as SPAM
On Thu, 5 Nov 2020, Thomas Anderson wrote:

> Thanks for all the informative replies. For the short term, I will just whitelist the address in question.
>
> Perhaps my setup is crap. I don't have enough SPAM to train bayes. In the past two years, I have gotten maybe, 10? spam emails. Basically, the server is for myself and a couple family members, so the traffic is minimal.
>
> I have not setup a Caching nameserver, but I will look into that being necessary in the future.

One tiny nit: it's not the "caching" part that's important for SA, it's the "does not forward DNS requests to ISP's nameservers" part...

For small environments like this, the DNS resolver that you use for SA needs to do all the queries itself rather than passing them off to be aggregated by the ISP's nameservers, and hit the DNSBL free use limits due to that aggregation.

> Thanks all!
Re: Email coming in being identified as SPAM
On Thu, 5 Nov 2020, RW wrote:

> On Wed, 04 Nov 2020 18:48:48 -0500
> Bill Cole wrote:
>> On 4 Nov 2020, at 13:31, Thomas Anderson wrote:
>>> * 1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
>>
>> In addition to what John noted, that one looks like a candidate for constructing an exception. MISSING_MIMEOLE already has a number of exceptions based on the fact that other MUAs have adopted X-MSMail-Priority but have no reason to use X-MimeOLE because it's a fundamentally bad idea as a header with no real utility. With a sample of the headers for the message that hit that rule, we could add an exception for whatever is generating such messages in this case.
>
> it was sent via t-online.de
>
> see: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7306

t-online.de obviously haven't changed their client in the last four years, so perhaps we should reopen that bug and add the exception.

AXB - any comments??
Re: Email coming in being identified as SPAM
On Wed, 4 Nov 2020, Thomas Anderson wrote:

> Hello,
>
> Email from my child's school is being identified as SPAM, but it's from his teacher. Here is the X-SPAM-Report:
>
> X-Spam-Report:
>   * -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
>   *      [194.25.134.21 listed in wl.mailspike.net]
>   *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
>   *      provider (firstname-lastname[at]t-online.de)

Your child's school is using a freemail provider rather than a domain registered to the school system? Or is the teacher using their private email account for official school-related purposes?

>   *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
>   *  0.0 SPF_NONE SPF: sender does not publish an SPF Record
>   *  0.0 HTML_MESSAGE BODY: HTML included in message
>   *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
>   *      blocked. See
>   *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>   *      for more information.
>   *      [URIs: example.com]
>   *  1.8 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
>   *  2.5 XPRIO_SHORT_SUBJ Has X-Priority header + short subject
>   *  1.7 MSM_PRIO_REPTO MSMail priority header + Reply-to + short
>   *      subject
>   *  1.7 SPOOFED_FREEMAIL No description available.

My best guess is that there was no subject line, but even that would still cause it to fail the spam test. Having a long-enough subject would have removed 4.2 points from the total, giving a total of 3.5 - below the default spam threshold.

> Researching a little bit the MSMail priority related errors are related to that sender's Email client? And, they should remove X-MSMail-Priority header? I don't use MS system very often, so a little confused.

Ideally I'd suggest the school use a non-freemail domain and implement SPF or DKIM so that they can be reliably whitelisted. That's potentially fairly extensive work on their side, so the immediate recommendation would be for you to use whitelist_from_rcvd to whitelist the teacher's freemail account.

There's overlap in the priority-no-subject rules that's unnecessarily inflating the score, I'll fix that. But that wouldn't bring it down below the threshold.

Advise the teacher to always provide a meaningful message subject, that's longer than a word or two.
Re: Problem with matching regex against long body
On Tue, 3 Nov 2020, Loren Wilton wrote:

> I'm getting lots of spams that are about 100+K long. The spam body contains two blocks of random news text copied from fox news or msnbc or the like, enclosed in a zero-point font block. I'm trying to match this simple pattern to give some extra points, but I can't seem to get it to work. I'm wondering if there is some buffer limit in SA that is preventing the match from working.

There is.

> If I try
>
>   rawbody LONG_HIDDEN m'[^<]*<'s
>
> I don't get a match, even though I know there is a about 50K into the message.

The closing tag is past the end of the cutoff.

> But if I try
>
>   rawbody LONG_HIDDEN m'[^<]*'s
>
> I do get a match. Note all I've done is remove the final "<" from the match text.
>
> If I try
>
>   rawbody LONG_HIDDEN m'[^<]{990,}'s
>
> I get a match.

That's what you should do. Don't try to cut it too close, though, as all the spammer would need to do to bypass that is move the garbage block a little further back in the message. I'd suggest {900} or even {500} - 500 characters of zero-point text in a message body is not plausibly legitimate.

You don't need the "," - it doesn't matter what is there beyond your cutoff, don't waste time matching it.

Basic version:

  rawbody LONG_HIDDEN m'[^<]{500}'s

You may also want to stick optional whitespace in there to avoid trivial bypass:

  rawbody LONG_HIDDEN m'[^<]{500}'s

There's also the possibility of adding a typeface or other options to the tag, which would bypass your simple rule. And HTML is not case-sensitive. And avoid * on complex stuff when matching arbitrarily long texts, which can lead to runaway backtracking and scan timeouts.

  rawbody LONG_HIDDEN m']{0,99}style\s*=\s*"font-size:0px"[^>]{0,99}>[^<]{500}'si

(Caveat: not tested, just off-the-cuff. There's room for improvement in the style spec as well.)

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #7: In ten years nobody will remember the details of caliber, stance, or tactics. They will only remember who lived.
---
Today: the Presidential Election
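An added offline harness, not Loren's or John's code and not a SpamAssassin rule file, that exercises the shape of rule sketched in the thread using Python's re module (which treats bounded quantifiers, [^<] classes and /i /s flags the same way Perl does). The opening-tag prefix "<[a-z]+" and the "\s*" after the colon are my assumptions; the {0,99}/{500} bounds and the style attribute follow the post. It also shows why the tag context matters: an unanchored [^<]{500} fires on any long visible paragraph.

```python
import re

# Added example: offline check for the style of rawbody rule discussed above.
# The "<[a-z]+" opening-tag prefix and the "\s*" after the colon are
# assumptions; the bounded {0,99}/{500} quantifiers and the style attribute
# follow the post.  Bounded quantifiers keep backtracking bounded, which is
# the point about avoiding "*" on arbitrarily long bodies.
HIDDEN_TAG = re.compile(
    r'<[a-z]+[^>]{0,99}style\s*=\s*"font-size:\s*0px"[^>]{0,99}>[^<]{500}',
    re.IGNORECASE | re.DOTALL,
)

# Unanchored variant: any run of 500 non-tag characters, no tag context.
LONG_RUN = re.compile(r'[^<]{500}', re.DOTALL)


def has_long_hidden(body: str) -> bool:
    """True if the body has >= 500 characters inside a zero-point block."""
    return HIDDEN_TAG.search(body) is not None


def has_long_text_run(body: str) -> bool:
    """True if any 500-character stretch contains no '<' at all."""
    return LONG_RUN.search(body) is not None


# Constructed sample bodies (not real messages).
FILLER = "lorem ipsum dolor sit amet " * 30          # 810 characters
SPAM_BODY = (
    "<html><body><p>Click here for a great deal!</p>"
    '<span style="font-size:0px">' + FILLER + "</span></body></html>"
)
# Same block with odd casing and whitespace around "=", to show why the
# rule needs the /i flag and \s* (HTML is not case-sensitive).
SPAM_BODY_UPPER = SPAM_BODY.replace(
    'style="font-size:0px"', 'STYLE = "FONT-SIZE: 0PX"'
)
# A long but fully visible paragraph plus a tiny hidden reference string:
# legitimate, and must not trip the tag-anchored rule.
HAM_BODY = (
    "<html><body><p>Dear parent,</p><p>" + FILLER + "</p>"
    '<span style="font-size:0px">ref 1234</span></body></html>'
)

if __name__ == "__main__":
    for name, body in [("spam", SPAM_BODY), ("spam_upper", SPAM_BODY_UPPER),
                       ("ham", HAM_BODY)]:
        print(f"{name}: hidden={has_long_hidden(body)} "
              f"long_run={has_long_text_run(body)}")
```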