Re: Seeking dhl.com ham samples
Hi Bill, hope that helps: headers from order confirmation mail.

Wolfgang

Received: from gateway1h.dhl.com ([165.72.200.98]) by mailin73.mgt.mul.t-online.de with (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 encrypted) esmtp id 1o1Q0k-4aA7Un0; Wed, 15 Jun 2022 12:12:30 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dhl.com; l=218621; s=20140901; t=1655287950; h=date:from:to:message-id:subject:mime-version; bh=jZNqE0ZOuw8c2LVfWfKHCJbxZsAgmCJOps1P6mXg1lQ=; b=QIbSZ++xkMebzAPEUgod0NxEtYiEzD1Nvr2cCrlzQvMVqxOthVXoKT32 gV7mBgAKg+4Zkm6wFVhvKcku4rq2aert43sEXtBTeeVhyMRuwzgqKsFUR aMIkXe9pJTtCVgxHZFHxiwiJazLS9xFFqD3qqZlLnY8F9KiPd0E7QmC1u pZcRgolJ0Qf4gSi0uwLcMn3dE481GG43mgjaCQjPa+f6aHbHiQSYmtZLD NpUhZrPyIoIYqWbn5Fr/D6IKtkh4xlC3jPeijlMhQl0SDqVPFGSLVxz2F ehTTo4udfo+BM4KabIzMtenXY9din56hGqSK9PYW6MX5unfYEpxWq/DM5 A==;
IronPort-SDR: PvqRLak59WYBNulkTwZ84TR32Y1juowA4XjPF/40ODGAao93vP49VcSc2YunYP0iyUYqIFFAkd Xb1Qr65aSE05lAnDe3DHwazg8DuD3dick=
X-ExtLoop1: 1
Received: from unknown (HELO of-backoffice-blue-prd-67486746d8-xnnsh) ([10.187.32.92]) by gateway1h.dhl.com with ESMTP; 15 Jun 2022 10:11:19 +
Date: Wed, 15 Jun 2022 12:11:19 +0200 (CEST)
From: nore...@dhl.com
To: haman...@t-online.de
Message-ID: <89105898.386694.1655287879182@of-backoffice-blue-prd-67486746d8-xnnsh>
Subject: =?UTF-8?Q?Auftragsbest=C3=A4tigung_Ihrer_Online_Frankierung_4Y778E3KKACZ?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_Part_386691_426113042.1655287879178"
Re: base64 encoded subjects
>> I'm seeing a lot of spam with base64 encoded subjects:
>>
>> Subject: =?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=
>>
>> Subject: =?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=
>>

Hi, I live in a part of the world where =?UTF-8?B? is normal everywhere outside the realm of US-ASCII. I would, however, treat UTF16 as a spam indicator.

Best regards
Wolfgang
Re: check utf-8 subjects/from?
>> Hi,
>>
>> On Wed, Dec 13, 2017 at 9:08 PM, David B Funk wrote:
>> > On Wed, 13 Dec 2017, AJ Weber wrote:
>> >
>> >> Is there an easy way to check if the Subject or From is UTF-8 -- or
>> >> non-ASCII -- char set?
>> >>
>> >> I see in some of my recent spam, either the Subject or the From (sometimes
>> >> both) starts with "=?UTF-8?" (in these cases the rest is Base64 encoded, but
>> >> I don't want to qualify on that).
>> >>
>> >> If I check a header with a "header ... =~" regex rule, is it the raw text
>> >> that I will check, or is it the decoded characters I will be checking
>> >> against?
>> >>
>> >> If it's the raw text, I can probably just look for that prefix to indicate
>> >> the UTF-8 encoding.
>> >>
>> >> I do get some legitimate emails with encoded chars and emojis, etc...but I
>> >> think I'd like a rule to support it being SPAM in general.
>> >
>> >
>> > As other people have said, the header ":raw" rule form will let you match on
>> > that.
>> > There are two commonly used encoding methods for UTF-8:
>> > Base64 "=?utf-8?B?"
>> > Quoted-Printable "=?utf-8?Q?"
>> >
>> > There's nothing that prevents a mailer from using either for purely 7-bit
>> > ASCII, even though it isn't necessary. You are more likely to see that used by
>> > international clients. They may just utf-8 encode by default so not to have
>> > to do special processing for non 7-bit ASCII headers.
>>
>> We've been seeing a number of emails with subjects using UTF-8 in an
>> attempt to obscure the sender by using some form of 8-bit characters.
>> For example, this spells dropbox:
>>
>> From: "=?utf-8?B?xJByb3Bib8+X?="
>>
>> How would we write a header rule against that? Just use From:raw?
>>
>> Is it possible to write a rule using the decoded characters, like
>> "dr�p-b�x" or "D?op?o?"?
>>
>> I've also tried variations of "dropbox" such as "dr?pb?x" etc...

Hi Alex, as I live in Germany, I also see nothing special in encoded utf-8 ...
Just use the decoded From line rather than the raw version. One thing that certainly is worth detecting is a plain name part containing a different email. (I am not sure if such a rule already exists)

Now for your example, you would probably have to write rules with the purported sender's spelling variations and a meta in case the _real_ name and a valid email is detected.

Regards
Wolfgang
Re: all recipients with the same first character
>> Dear All,
>>
>> Analyzing some e-mails which are not caught by SA I see sometime the
>> following scenario:
>> Such an e-mail is sent to a lot of people ( not only to the own domain ) and
>> all e-mail addresses start with the same first character.
>> If I see this I know immediately this is spam.
>>
>> Is there anywhere a rule which can detect such a behavior ?
>>
>> Kind regards
>> Hans
>>

Hi Hans, I am quite happy with a small whitelist of senders that I let through if I am not the only recipient. It took me a while to whitelist all mailing lists, though.

Regards
Wolfgang
From: line containing null sender
Hi, is there already a rule that detects From lines with a mail address or a mail name AND a <>, e.g.

From: "crappy something vendor" <>

Regards
Wolfgang Hamann
Re: SPAM from our own domain
>> Hi Wolfgang,
>>
>> On 28/09/15 16:24, haman...@t-online.de wrote:
>> > I have installed dkim on qmail (not sure about details, it is working
>> > since a few years)
>> > Your original post said there was SPF fail on the incoming message, so you
>> > could already score on that.
>> Looks like my setup ignores it. Where's the best place to update that
>> scoring?
>> > I have enabled plugin support on qmail (not sure whether that is contained
>> > in your package), and I have worked on qmail-scanner-queue.pl
>>
>> I have qmail-scanner-queue.pl installed for Spamassassin and ClamAV. I also
>> have the Mail::SpamAssassin::Plugin::DKIM configured in:
>>
>> # grep loadplugin /etc/mail/spamassassin/v312.pre
>> loadplugin Mail::SpamAssassin::Plugin::DKIM
>>
>> > Both are good places to add extra filtering. The plugin would outright
>> > reject mail, where qmail-scanner would rather tag it as "potential virus"
>> > So if you are very sure that nobody in your organisation would ever send
>> > from your domain through a different mail server (maybe when sending from
>> > a mobile), you should probably use the plugin. A plugin is an executable
>> > (script) that reads ENV variables like SMTPMAILFROM and SMTPRCPTTO and
>> > either does nothing or outputs a single line of text like
>> > E550 your mail is not welcome. Go away
>>
>> Nobody should be sending from a different mail server. We use IMAPS and
>> authenticated SMTPS for external users (mobiles, laptops, etc.).
>>

Hi Tom, you might try to change your scores for SPF_FAIL, DKIM_FAIL etc. (but you might have some legit mail tagged as spam).

About plugins: I was talking about qmail plugins rather than SA plugins, so mail is checked and possibly rejected during the SMTP transaction. It is also possible to do SPF and DKIM verification inside qmail. I am pretty sure I had to patch qmail to enable these things, but that was probably ten years ago. I have no idea whether current install packages include them.

Regards
Wolfgang
Re: SPAM from our own domain
>> Hi Benny,
>>
>> thanks for your email.
>>
>> On 28/09/15 13:29, Benny Pedersen wrote:
>> > Tom Robinson skrev den 2015-09-28 05:02:
>> >
>> >> From tena...@qka.com Thu Sep 24 13:29:50 2015
>> >
>> > is this the envelope sender domain ?
>>
>> I believe so. How can I be sure?
>>
>> >
>> >> From:"Incoming Fax"
>> >
>> > is this unsigned dkim domain ?
>> >
>> Sorry to be a noob. What do you mean here?
>>
>> >
>> > begin setup spf and dkim signing
>> We have a TXT record in DNS for spf. I'm not sure what to do with DKIM.
>>
>> >
>> > use pypolicyd-spf in mta stage
>>
>> Is that package going to work with qmail? If it does work with qmail, will
>> it install on CentOS 5?
>>
>> Kind regards,
>> Tom
>>

Hi Tom, I have installed dkim on qmail (not sure about details, it is working since a few years). Your original post said there was SPF fail on the incoming message, so you could already score on that.

I have enabled plugin support on qmail (not sure whether that is contained in your package), and I have worked on qmail-scanner-queue.pl. Both are good places to add extra filtering. The plugin would outright reject mail, where qmail-scanner would rather tag it as "potential virus". So if you are very sure that nobody in your organisation would ever send from your domain through a different mail server (maybe when sending from a mobile), you should probably use the plugin. A plugin is an executable (script) that reads ENV variables like SMTPMAILFROM and SMTPRCPTTO and either does nothing or outputs a single line of text like

E550 your mail is not welcome. Go away

Regards
Wolfgang
Re: shellshock via SMTP?
>> 2014-10-29 16:26, Joe Acquisto-j4 wrote:
>> > Comments on the ZD net article that claims shellshock exploit via
>> > crafty SMTP headers? Just asking, that's all . . .
>> >
>> > I attached a link to it below, please excuse if that is improper
>> > behavior.
>> > http://www.zdnet.com/shellshock-attacks-mail-servers-735094/
>>
>> I have seen one such sample. Must be a really dumb mail delivery agent
>> or a content filter or a MUA that lets a mail header touch a shell.
>>
>> No matter whether bash is patched or not, tainted data from a mail
>> message must never be handed over to shell.
>>
>> Mark

Hi, suppose your mail system does everything fine, there may still be final delivery, where procmail, sieve, .qmail files jump in. There might be some program delivery, such as a mailing list manager that handles mail to unsubscribe-xxx@ or a local service that accepts mail to fax@localhost with the fax number in the subject field. In such situations, the delivery stage of the mailer may only make a decision (and let the called process parse the message again) or it may place smtp header data into variables for the benefit of the called process. Now let the end user put in a shell script to solve a particular need...

Regards
Wolfgang
Re: Opinions needed on what to consider spam
>> All of this doesn't translate to the end-user, though. There's no way I
>> could ever set up a set of rules, in the form of an end-user doc, that
>> could be used to describe when to unsubscribe and when not to, and under
>> what conditions an email can be trusted and when it shouldn't (beyond what
>> they already know about when to trust a website and when not to).
>>

I sometimes wonder whether there should be a common feature in mail systems to tell the system to expect newsletters or mailing list mail, and to encourage end users to use that feature. This would tell filters to allow certain mails through, and would keep a record so that the complaining user could be reminded of having allowed the mails.

I am sending out a low-volume (about twice a month) newsletter with subscription and confirmation, and I see a small share of mails that are rejected at the MTA level, i.e. the recipient would not be able to mark the message as non-spam.

On my own inbox, I am filtering mails not addressed to me (or to more than a dozen recipients at a time), so I am used to actively enable list mails.

To be feasible, it would mean that a newsletter / mailing list sender should reveal the sending address at subscription time and stick to it.

Wolfgang Hamann
Re: More text/plain questions
>> >> I got the following MIME body part below, and I'm wondering if it would
>> >> make sense to filter on this as well.
>> >> Given that it's text/plain with an implicit charset="us-ascii" and an
>> >> implicit content-transfer-encoding of 7bit, the sequence [0-9A-F]{4}
>> >> doesn't really parse into a 16-bit character, would it? That would be a
>> >> broken MUA that made such a leap...
>> >> Wouldn't that normally render as the character '&', '#', 'x', etc. rather
>> >> than the unicode16 or UTF-8 character with that hex value?
>> >> There might be times when someone has sent an attachment improperly
>> >> encoded this way which might have embedded binary values in it, but
>> >> that's kind of buggy anyway... it should have been done as base64 and
>> >> application/octet-stream in the worst of cases if it has arbitrary binary
>> >> data.
>> >> I wouldn't want a message where someone gives a couple of examples of
>> >> encoding Ѐ for instance being flagged as SPAM, but if the text is
>> >> 20% or more of these sequences then I would say that's SPAM-sign.
>> >> Anyway, here's the body I saw:
>> >>
>> >> --1388-8200-b67c-e579-9c27-df36-12fa-a2eb
>> >> Content-Type: text/plain;
>> >>
>> >> Thе Rеаl
>> >> RеаѕоnThе Ꮯоmіng
>> >> Ꮯоllарѕе...Thе
>> >> rеаl rеаѕоn ᎳHY
>> >> HоmеlаndSеcurіtу
>> >> rеcеntlу рurchаѕеd1.7
>> >> Bіllіоn Rоundѕ оf
>> >> аmmunіtіоn...Ꮃhаt Yоu
>> >> Muѕt Dо Tо Ꭼnѕurе
>> >> YоurSаfеtуHоmеlаnd
>> >> ѕеcurіtу іѕ thеrе
>> >> tо ѕеcurеthе
>> >> hоmеlаnd оnlу... Sо
>> >> thеѕе Ьullеtѕаrе
>> >> rеаlу mеаnt fоr
>> >> thеThіѕ іѕ аn
>> >> еmаіlаdvеrtіѕеmеnt
>> >> thаt wаѕ ѕеnt tо
>> >> уоu Ьу Ρаtrіоt
>> >> Survіvаl Ρlаn. If
>> >> уоuwіѕh tо
>> >> nоlоngеr rеcеіvе
>> >> mеѕѕаgеѕ thаt
>> >> рrоmоtе ѕurvіvаl
>> >> tірѕ,
>> >> рlеаѕеclіck hеrе
>> >> tо unѕuЬѕcrіЬе.4
>> >> Unstable as water, thou shalt not excel because thou wentest up to thy
>> >> fathers bed then defiledst thou it he went up to my couch.34 And
>> >> Pharaohnechoh made Eliakim the son of Josiah king in the room of Josiah
>> >> his father, and turned his name to Jehoiakim, and took Jehoahaz away and
>> >> he came to Egypt, and died there.37 And the thing was good in the eyes
>> >> of Pharaoh, and in the eyes o!
>> >> f all his servants.
>> >>
>> >> --1388-8200-b67c-e579-9c27-df36-12fa-a2eb

Hi, while this is certainly not correct - and likely does not display in every mail client - it would probably work in several webmailers. Perhaps this is the configuration the author of that crap tested.

Now, I am somewhat reluctant to classify badly formatted mails as spam: there are many systems around, even from major players, that send legitimate mails like order confirmation, delivery notification, opted-in newsletters but do many of the formal things more right than wrong.

On the other side, looking at the actual characters shows that the message is spam: these are cyrillic letters that happen to look exactly like western ones (a, e, o or such) so the obvious intent is to avoid detection of the strings. We have seen the same with IDN domain names that might use a cyrillic a to register a domain that looks like, e.g. paypal.com

The list of characters is fairly short, so maybe checking for these characters in all commonly used variants (html entities, utf8 encoded, +u0430, \u0430, IDN encoded) would be a good spam indication.

Regards
Wolfgang
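The "check utf-8 subjects/from?" thread above asks how to match a look-alike sender name once the =?utf-8?B?...?= From: header is decoded, and the reply just above suggests checking the short list of Cyrillic look-alikes in every encoding they show up in. Added example (not code from the list, from SpamAssassin, or from the poster): a Python checker that decodes RFC 2047 encoded words, unfolds HTML entities, \uXXXX escapes and IDNA labels, folds a hand-built confusables table, and reports the share of mixed-script words. The confusables table and the BODY_SAMPLE line are my own constructions; the From: header value is the one quoted in the thread.

```python
"""Look-alike (homoglyph) detection for decoded mail headers and body text."""
import html
import re
import unicodedata
from email.header import decode_header

# Hand-built table of letters that render like Latin ones (an assumption, not
# the full Unicode confusables list): Cyrillic, Greek and Cherokee letters of
# the kind seen in the quoted body, plus the two characters in the quoted From:.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0405": "S", "\u042c": "b", "\u03a1": "P", "\u03bf": "o",
    "\u03d7": "x", "\u0110": "D", "\u13df": "C", "\u13b3": "W", "\u13ac": "E",
}

# The base64 From: name quoted in the thread that "spells dropbox".
FROM_HEADER = '"=?utf-8?B?xJByb3Bib8+X?="'
# Constructed body line modelled on the quoted spam: "The Real Reason" written
# with Cyrillic е/а/ѕ/о, followed by plain-ASCII filler like the spam carried.
BODY_SAMPLE = ("Th\u0435 R\u0435\u0430l R\u0435\u0430\u0455\u043en "
               "Unstable as water, thou shalt not excel")


def decode_rfc2047(raw):
    """Decode =?charset?B|Q?...?= encoded words in a header value into a str."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def unescape_all(text):
    """Turn HTML entities, \\uXXXX escapes and IDNA (xn--) labels into characters."""
    text = html.unescape(text)
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)

    def idna(m):
        try:
            return m.group(0).encode("ascii").decode("idna")
        except UnicodeError:
            return m.group(0)

    return re.sub(r"\bxn--[A-Za-z0-9-]+", idna, text)


def fold(text):
    """Map confusable letters to their Latin look-alikes after NFKC normalisation."""
    text = unicodedata.normalize("NFKC", unescape_all(text))
    return "".join(CONFUSABLES.get(c, c) for c in text)


def looks_like(text, target):
    """True if the folded text contains target (case-insensitive)."""
    return target.lower() in fold(text).lower()


def script_of(ch):
    """Script prefix of a letter's Unicode name, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def mixed_script_ratio(text):
    """Share of words that mix scripts (Latin 'T' next to Cyrillic 'е'), plus the words."""
    words = re.findall(r"\w+", unescape_all(text))
    mixed = [w for w in words
             if len({script_of(c) for c in w if c.isalpha()}) > 1]
    return (len(mixed) / len(words) if words else 0.0), mixed


if __name__ == "__main__":
    decoded = decode_rfc2047(FROM_HEADER)
    print(decoded, "->", fold(decoded), looks_like(decoded, "dropbox"))
    ratio, mixed = mixed_script_ratio(BODY_SAMPLE)
    print(f"{ratio:.0%} mixed-script words: {mixed}")
```

A purely Russian word never mixes scripts, so the ratio flags Latin text with substituted letters without penalising genuine non-Latin mail.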
Re: tons of forged bills in german
>> Michael Monnerie wrote:
>> > Dear list, since this week there are tons of very good forged bills
>> > that look like real, from big companies like telekom, vodafone, etc.
>> > They look like the original, and just the link in the middle, where it
>> > says "download your bill here", goes to a site containing trojans.
>>
>> These fake bills with a link to a virus should be caught by a virus
>> protection in your mailer.
>>
>> Mark

Hi Mark, yes and no. Virus protection sort of means that either the url must appear on a blacklist or the crap actually be downloaded for inspection.

From a different point of view ... these are big companies capable of running their own mail servers (rather than relying on outside service companies to send out the mails). I am customer of one of these companies, and I get mails via an ISP that is a daughter company. Why the hell couldn't the sender use SPF or DKIM and the ISP then actually filter on that. Reducing the possible audience by 90% with this simple step would help. Too bad they are too big to listen to suggestions from their customers...

Wolfgang
Re: Availability of 3.4.0 release candidate 5
Hello Kevin, what would be the minimum version of perl required to upgrade?

Regards
Wolfgang
Re: A way to score Number of Recipients in the To: Line ?
Kevin A McGrail wrote:
>> On 10/18/2013 10:04 AM, Lutz Petersen wrote:
>> >
>> > I'm searching a way to give some extra Score depending on the Number
>> > of Recipients in the To: Headerline. In the last days there are
>> > massive Spamruns that are not marked as Spam - but all of them have
>> > a lot of Recipient Mail-Addresses in the To-Line (the last one more
>> > than 50..). I didn't find any Rule that does this. Anyone knows
>> > a solution ?
>> >
>> > Lutz Petersen
>> I don't believe you will find that to be an accurate indicator of SPAM
>> unless you have a meta rule in mind. Spam and Ham both use multiple
>> recipients all the time so this is a waste of time in my off the cuff
>> opinion but I don't want to disparage you if you are certain you can use
>> it to identify the spam.
>>

Hi, while multiple recipients are common in ham, I would expect them only from known senders (and in fact senders known to use address lists on purpose) - if I am member of a club, choir or something and get invitations, that's fine. If I get list-addressed mail from some of my regular correspondents, it could be an announcement to most of the people in the sender's address book ... but it could also be the result of some malware that captured the sender's addresses.

I have some filtering in place, but it happens outside (before) SA checking, and sends offending messages to the antivirus quarantine folder. It requires a whitelist.

Regards
Wolfgang Hamann
Re: POP3/IMAP Anti Spam - A basic question though
>> Hi Guys,
>>
>> This may sound a basic question but would like to know under what
>> circumstances one should use IMAP/POP3 Anti Spam services? I do have AS for
>> SMTP and is blocking well but would like to know what consequences it would
>> cause if I enable or disable the Pop3/imap Anti Spam settings.
>>
>> Does Spamassassin by default provide POP3/IMAP scanning and if yes how
>> would I enable or disable it
>>
>> Thanks.
>>

Hi, I receive mails into a few boxes that are not filtered. So I have a setup that uses fetchmail to pick up these mails and feed them into a local imap service. SA is called just prior to delivering mail into the inbox.

Regards
Wolfgang
Re: .pw / Palau URL domains in spam
>> On 5/7/2013 11:02 PM, Steve Prior wrote:
>> > On 5/7/2013 1:44 AM, Benny Pedersen wrote:
>> >> Chris Santerre skrev den 2013-05-06 17:27:
>> >>> 10 days and still being abused badly. Recommending for everyone to
>> >>> just refuse any .pw
>> >>
>> >> time for spamhaus ? :=)
>> >>
>> >>> for those wanting an SA rule, here:
>> >>>
>> >>> header PW_IS_BAD_TLD From =~ /\.pw\b/
>> >>> describe PW_IS_BAD_TLD PW TLD ABUSE
>> >>> score PW_IS_BAD_TLD 3
>> >>
>> >> here i would like to use -3
>> >>
>> >>> Change score to whatever you want. Enjoy.
>> >>
>> >> thats the point of opensource imho :)
>> >>
>> >> hopefully the good pw domains start using opendkim, and then let the
>> >> world repute it from there
>> >>
>> >
>> > I blocked everything from TLD pw at the Postfix level so the email gets
>> > rejected without ever hitting spamassassin.
>> >
>> > I created /etc/postfix/sender_access with the contents:
>> > pw REJECT
>> >
>> > ran postmap sender_access
>> >
>> > and then added
>> > check_sender_access hash:/etc/postfix/sender_access
>> > to smtpd_recipient_restrictions
>> >
>> > Problem went away completely, sorry Palau.
>> >
>> > Steve
>> >
>>
>> Steve, just wanted to thank you for providing an elegant solution to
>> this problem. It seems far more preferable to block this nonsense right
>> at the MTA level (for now). Your instructions worked for me and I now
>> see the following in my mail log for any .pw sender:
>>
>> postfix/smtpd[10660]: NOQUEUE: reject: RCPT from
>> unknown[173.213.124.203]: 554 5.7.1 : Sender
>> address rejected: Access denied
>>
>> Much appreciated!
>>
>> -Ben

Hi, well, I do not know anybody at Palau and so have no real need to exchange mails, but I feel that this attitude seems somewhat drastic. Some companies might do the same for bigger countries, also on the reasoning that they (the companies operating the server) do not expect their users to communicate with these places.

I know for sure that, a few years back, roadrunner decided to block former state telecom in germany - which served an estimated 25% or so of private email addresses here at that time.

Regards
Wolfgang Hamann
Re: Check only last Received line
>> Scenario is like this:
>>
>> Third party user with a DSL connection (dynamic IP, listed on DUL, PBL,
>> etc): USER
>> Third party mail server of USER with an OK IP (REV DNS, no DUL, no PBL, no
>> listing): REMOTE MAIL SERVER
>> My mail server: MY MAIL SERVER.
>>
>> USER sends mail via REMOTE MAIL SERVER which adds a Received line with his
>> DYN IP.
>>
>> EX:
>> Received: from unknown (HELO Laptop) (84.73.76.25)
>> by with SMTP; 11 Apr 2013 17:50:16 +0200
>>
>> MY MAIL SERVERS detects the DYN IP and triggers the wrong rules.
>>

Hi Catalin, I had the same problem a while ago... The problem spot is that SMTP thing - it should be something like SMTPA or ESMTPA to indicate that the original sender authenticated with the mail server.

Regards
Wolfgang
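To make the point about the "with SMTP" keyword concrete, here is an added example (my code, not the poster's and not SpamAssassin's trust-path logic): it reads the RFC 3848 transmission keyword of each Received: header and lists the hop IPs that a filter exempting only authenticated submissions would still look up in dynamic-IP lists. The quoted header is used as-is except that the empty "by" host is filled with the placeholder remote.example.net; the outer hop and the 192.0.2.10 address are constructed.

```python
"""Which hop IPs still get dynamic-IP (DUL/PBL) treatment, judged by the
RFC 3848 'with' keyword of each Received: header."""
import re

# 'with' keywords that state the client authenticated (SMTP AUTH); plain
# SMTP/ESMTP/ESMTPS make no such claim, so the hop's IP stays untrusted.
AUTHENTICATED = {"SMTPA", "ESMTPA", "SMTPSA", "ESMTPSA"}

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# The header quoted in the thread (REMOTE MAIL SERVER <- USER's laptop), with the
# missing receiving host filled by a placeholder, and a constructed outer hop
# (MY MAIL SERVER <- REMOTE MAIL SERVER, address from the TEST-NET-1 range).
HOP_REMOTE_PLAIN = ("from unknown (HELO Laptop) (84.73.76.25) "
                    "by remote.example.net with SMTP; 11 Apr 2013 17:50:16 +0200")
HOP_REMOTE_AUTH = HOP_REMOTE_PLAIN.replace("with SMTP", "with ESMTPA")
HOP_MINE = ("from remote.example.net (remote.example.net [192.0.2.10]) "
            "by mx.example.org with ESMTP id 1; 11 Apr 2013 17:50:20 +0200")


def hop_info(received):
    """(client_ip, protocol, authenticated) for one Received: header value.

    Assumption: the client IP is the first dotted quad in the header, which
    holds for the usual 'from host (ip) by host with PROTO' shapes."""
    ip = IPV4_RE.search(received)
    proto = WITH_RE.search(received)
    proto = proto.group(1).upper() if proto else ""
    return (ip.group(0) if ip else None, proto, proto in AUTHENTICATED)


def unauthenticated_hop_ips(received_headers):
    """IPs of every hop whose protocol keyword does not claim authentication.

    A filter that only exempts authenticated submissions would still look up
    each of these in dynamic-IP lists; a hop accepted 'with ESMTPA' is the
    submitting user's own machine and is skipped. This is a simplified model,
    not SpamAssassin's trusted/internal network handling."""
    return [ip for ip, _proto, authed in map(hop_info, received_headers)
            if ip and not authed]


if __name__ == "__main__":
    print("with SMTP:  ", unauthenticated_hop_ips([HOP_MINE, HOP_REMOTE_PLAIN]))
    print("with ESMTPA:", unauthenticated_hop_ips([HOP_MINE, HOP_REMOTE_AUTH]))
```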
Re: Rule to check To and/or CC headers
Hi Anthony, I did that for my mail (not as spam filter, though, but more a header rewrite ... could be procmail), so every such mail gets in the inbox but is flagged very clearly. I really like it... but, to be honest, it took me at least 3 months to create my personal whitelist: there are a couple of newsletters (I just saw one from "newsletter" to "newsletter" bcc recipient which would normally deserve an extra spam score for identical from and to). There are mailing lists, mailing list password reminders sent from a different address than normal list mail. I even recall one company on ebay that sent from "sales" to "shipping" bcc recipient instead of a normal shipping confirmation.

Regards
Wolfgang
Re: How to report a spam botnet
Michael Monnerie wrote:
>> > normally it makes no sense to report botnets
>>
>> And this is what makes me worry. Botnets are today's biggest source of
>> spam, and nobody has ever started to fight it really? There are tons of
>> tools for every small issue, but nothing to cope with the biggest shit?

A botnet is, first of all, a large collection of independent computers, often from all over the world. Many will be home machines, and a large proportion of these will have changing IP addresses. Now, if you get access to the bot herder, you could probably have that one disconnected, and there is a vague chance that - as a last job - that system could try to inform all of the affected machines that they have been hacked.

Normally, you would have to deal with this issue on a per-provider basis, that is collect all evidence that many customers of, e.g. aon.at are affected and try to convince their abuse department to inform their clients about the problem.

Now consider real-life providers: one local tv cable company obviously sends all abuse mail to /dev/null (according to their chief security person they cannot find out who got a specific ip ... although it was still the same machine after 3 months), and former german telecom monopoly does send out messages after they receive repeated complaints. In plain words: you notify them, allow 4 or 5 days for them to act, repeat and again, and after a minimum of 2 or 3 weeks a notice might reach the victim.

BTW: the cable tv company I mentioned takes part in an anti-malware initiative sponsored by providers and the government - not sure what they are actually doing there.

Wolfgang Hamann
Re: What to tell senders of these messages
Michael Scheidell wrote:
HS_INDEX_PARAM: tell them not to use web bugs in their marketing emails

Hi Michael, since we are sending out newsletters (to people who really subscribed :) and I got the role to be my own "email marketing company", I want to comment on that.

We are using a setup similar to ezmlm, so the mail sender contains a bit of encoding that identifies the recipient. We routinely unsubscribe recipients whose mailbox returns "no such user". I believe this kind of tagging really helps - when someone subscribes as a...@somewhere.com and installs a redirect to b...@somewhereelse.com, it is often impossible to find the real recipient other than from the tag.

When I first started that system, our mails also had a tendency to be filtered because of the hex string I used at that time - probably a slightly different rule but similar in spirit. I am still using this tagging, just that my tags are no hex strings.

BTW: the OP is in a quite lucky situation: he knows that the system uses SA and can probably configure whitelisting etc. I see quite a few failed subscriptions in the postmaster box, where the recipients certainly have no idea what their systems do to avoid receiving mail, let alone would be able to fix it.

Regards
Wolfgang Hamann
Re: why don't banks do more against phishing?
Dave Warren wrote:
> b) some users of image resizers would see the warning sign reduced
> (I recently had someone complain about an error on our google maps "our
> office is here"
> page, and it turned out the visitor was using a smartphone via an image
> resize service)

Were you tripping on a lack of referrer, or was an image resizing service actually returning a completely incorrect referrer? When

Hi Dave, all I know is that someone told about a broken cid:something image on the phone for Google maps. I recently tried a wrong google key and noticed that I would see the correct map for a second, until a javascript shows an error message. So my conclusion was that the resizing image loaded the original image (from google server), replaced it by a cid: url, and then the Google javascript would somehow fail.

Now thinking about the bank situation: the bank's webserver would see a request from the resizing service, but it is up to the resizer to behave like a real browser, or a proper http proxy.

Wolfgang
Re: why don't banks do more against phishing?
>> OT but related
>>
>> I just got a bunch of phishing attacks against a bank come through.
>> Following the link leads me to some owned website with the fake bank
>> frontend - and it had a feature that I've seen time and time again:
>> images and links from the real banksite
>>
>> Why don't banks rub two braincells together and start monitoring the
>> referrers on their primary webpages (eg logos, terms and conditions) and
>> return a "RUN AWAY!!! IT'S A TRAP!!!" page whenever someone views the
>> phishing sites? The Referrer header would allow that instantly
>>
>> They really don't give a damn do they...
>>

Hi Jason,
a) phishers would probably move to hosting their own copies of the logos
b) some users of image resizers would see the warning sign reduced (I recently had someone complain about an error on our google maps "our office is here" page, and it turned out the visitor was using a smartphone via an image resize service)

Regards
Wolfgang
Re: Better phish detection
Dave Funk wrote:
>> As an admin on a site that regularly gets hit with phish attacks, I can
>> answer that. The forms are most often a web-page, which are:
>>
>> 1) forms hosted on Google-Docs or legit survey sites.[0]
>> 2) sites hidden behind URL-shorteners

would you want to submit details to a site with a redirected url? Probably SA is not the right tool here, because it would have to mark detected mail as "caution"

>> 3) forms hidden in pages hosted on compromised legit sites.[1]
>> 4) forms attached to mail messages, the attachments obfuscated by being
>> MIME-typed as application/octet-stream but the file names ending in ".htm"
>> so SA won't try looking inside but mail-clients -will- automagically
>> "just do the right thing"(tm) [2]

sounds like a potential improvement on any filter: try to identify attachments by their first 512 bytes rather than by filename or mime type

>> 5) URIs that are obfuscated by being buried inside javascript that
>> dynamically generates them at message open time.[3]

If there was a "caution" rather than just "potential spam" mark, it should certainly mark javascript

>> [3] Damn people who insist that HTML should be acceptable everywhere.
>> I tried creating rules that blacklist email containing javascript
>> but there's legit sites (purchase confirmations, reservation notices,
>> etc) that insist on doing that crap.
>>

My own way of life:
a) messages that do not list me in either To or Cc (that is most mailing lists) must come from whitelisted senders, otherwise they do not even make it to SA
b) I read mails on a text interface with a nice "read this one message in browser" pushbutton
c) the actual sending email address should not be completely obscured in the mail reader, in favor of a display name

I have implemented b) at the company where I work. For more than 50 % of mails handled by average staff, the same pushbutton means "open in application". When this project started a decade ago, I could not find a way to associate that particular class of mails (identified by sender, subject line, and mime-type) with an application in either Netscape or Outlook. So the incentive is: have better workflow for the majority of messages, in exchange for a need to hit "view in browser" for some messages
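Item 4 above and the reply to it (identify attachments by their first 512 bytes rather than by filename or MIME type) translate into a small content sniffer. Added example, my code rather than the poster's or SpamAssassin's: it walks a message's MIME parts, looks at the first 512 decoded bytes of each, and reports parts that are HTML although they were declared as something else. The sample message, its addresses and the example.invalid form target are constructed for the demo.

```python
"""Find HTML hidden in attachments whose declared MIME type says otherwise."""
import email
import re
from email import policy
from email.message import EmailMessage

SNIFF_BYTES = 512

# HTML markers at the start of the data, regardless of declared type; an
# optional UTF-8 BOM and whitespace are allowed before the first tag.
HTML_START = re.compile(
    rb"^(?:\xef\xbb\xbf)?\s*<(?:!doctype\s+html|html|head|body|script|form)\b", re.I)
# Tags inside the sniffed prefix that matter for a phishing form.
RISKY_TAGS = re.compile(rb"<(form|script|iframe)\b", re.I)


def sniff_part(part):
    """Classify one non-multipart MIME part by its first 512 decoded bytes."""
    head = (part.get_payload(decode=True) or b"")[:SNIFF_BYTES]
    return {
        "filename": part.get_filename(),
        "declared": part.get_content_type(),
        "looks_html": bool(HTML_START.search(head)),
        "risky_tags": sorted({m.group(1).decode().lower()
                              for m in RISKY_TAGS.finditer(head)}),
    }


def disguised_html_attachments(raw_message):
    """Parts whose bytes are HTML although the declared type is not text/html."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        info = sniff_part(part)
        if info["looks_html"] and info["declared"] != "text/html":
            hits.append(info)
    return hits


def build_sample():
    """Constructed message: an HTML form attached as application/octet-stream
    with a .htm name, next to a harmless octet-stream attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Please verify your account (constructed sample)"
    msg.set_content("Open the attached form to continue.")
    html = (b"<html><body><form action='http://example.invalid/verify' method='post'>"
            b"<input name='account'></form></body></html>")
    msg.add_attachment(html, maintype="application", subtype="octet-stream",
                       filename="verify.htm")
    msg.add_attachment(b"%PDF-1.4 not really a pdf, just constructed bytes",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in disguised_html_attachments(build_sample()):
        print(hit)
```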
Re: Better phish detection
Hi, the replica seems to be down.

Things that could be promising:
a) the form target seems to be similar to your site name
b) it is probably possible to detect similarity between your image and the replica

I guess that the presence of upgrade or webmail and a form url with bway inside might work as a filter.

Regards
Wolfgang
Re: Better phish detection
>> Hello,
>>
>> We are getting a fair amount of very targeted phish attempts to our
>> userbase. Since we are relatively small, I don't think any of the URIBLs
>> really help (or phishtank or other lists) since we're not a large bank or
>> paypal or anything like that.
>>
>> I did see some gentleman make a rather valiant attempt at listing all the
>> common phrases here:
>>

Hi, I would not feel inclined to update a filter every day so the question is: what do these things have in common? It seems somebody wants your users to complete a form. Where would the form be sent to? A valid domain, or just some ip address?

Regards
Wolfgang
a fellow qmail user :)
Re: Receiving email from aol or yahoo or hotmail, that is not addressed to me personally.
>> I've noticed a trend recently where I'm getting emails sent to me from
>> either an aol or yahoo or hotmail account. But the email has a "to"
>> address to some other account that is not mine.
>>
>> First off I'm p...@topguncomputers.com. I also run the postfix servers.
>>
>> Usually my spam score is about 1.3-2.0. This actually hit a higher
>> score. The body of the emails are always scrambled with some url in
>> the middle.
>>
>> Is there any way of blocking emails sent to me that are not really
>> addressed to me. I've looked through the postfix docs, but can't find
>> anything.

Hi Paul, I have done it but it took me three months to get all the exceptions ... such as my tax advisor's bi-monthly newsletter sent to 'undisclosed recipients'. This guy could even have used an aol account. One thing that I consider a good stopping criterion is mail sent from one freemailer, with a reply-to pointing at a different one.

Wolfgang
Re: little off topic monitoring question
>> We would like to start monitoring our two smtp servers. They are fairly
>> busy boxes, maybe 100,000 messages a day, give or take several thousand. They
>> of course run Spamassassin, Postfix is also used. We use MRTG to monitor
>> internal servers and switches, and would really like something with a similar
>> graph.
>>
>> Thanks
>> Shane
>>

Hi, if this is about monitoring (rather than just collecting statistics): At some time I had set up a system that would simply send mail via the server and receive it back. If that did not happen (within reasonable time), something might be wrong. Basically the system was 4 separate components (smtp, pop/imap, spam filtering, and a database holding everything together). It occasionally happened that things got stuck, so one could, perhaps, successfully connect to smtp ... but smtp accumulated a pile of messages that SA did not want to process.

Wolfgang
Re: Trying to help friend NOT get caught by spamassassin
>> I have a friend that puts out a 'barter' list. He acts as a clearinghouse for some equipment wholesalers.
>>
>> He has been fighting getting tagged as spamming for some time and finally came to me for help. I had helped some, but finally told him to add me to his distribution (he uses BCC lists; he has ~2000 wholesalers). I have spamassassin running with postfix and pretty much a default setup, and of course his notes got tagged as spam. Below is what I pulled out of the headers. Where do I go to learn what these mean and what he can do to 'clean up' his messages?
>>
>> Oh, and I am looking at setting up a mailman server for him as an announce list.
>>
>> Yes, score=10.206 tagged_above=2 required=4 tests=[BAYES_50=0.8,
>> EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001, FILL_THIS_FORM_LONG=3.404,
>> HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, MANY_SPAN_IN_TEXT=2.7,
>> RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
>>
>> Yes, score=8.856 tagged_above=2 required=4 tests=[AWL=1.350,
>> BAYES_50=0.8, EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001,
>> FILL_THIS_FORM_LONG=3.404, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001,
>> RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no

Hi,

it seems your friend is putting stuff on the newsletter that SA considers as signs of commercial mass mails:

EXCUSE_REMOVE=3.299
FILL_THIS_FORM_LONG=3.404

Your friend is probably doing right (the REMOVE bit might be required by law). Maybe the "fill_this_form" part could be avoided, by directing the reader to a website instead.

It is the old dilemma: people subscribe to a newsletter and then let some system (be it spam filter, or some challenge-response idiocy) intercept them.

The idea to replace Bcc lists is perfect.

Wolfgang Hamann
Re: Should Emails Have An Expiration Date
>> On 3/1/2011 11:55 AM, John Levine wrote:
>> >> From a legal perspective I will point out that any e-mail you
>> >> receive is (at least in the US, but most other countries too)
>> >> considered copyrighted by the sender. Under copyright law the
>> >> sender has the right to control expiration of content they create,
>> >
>> > I really think it would be a good idea for people to refrain from
>> > playing Junior Lawyer here.
>> >
>> > I know just enough about copyright law to know that this claim is
>> > nonsense.
>> >
>>
>> No, it is not nonsense. Copyright law does allow the content creator to specify duration of use. If you go view a movie in a movie theater you buy a ticket for a single viewing, you do not automatically get to view it multiple times just because you bought a ticket.
>>
>> Ted
>>
>> > R's,
>> > John

Hi,

this is getting too much :( Under some conditions recipients are obliged to archive business-related emails ... and someone else (the sender) should be able to say: my view of the law (don't read it more than once) is stronger than your obligation ???

Wolfgang Hamann
Re: linkedin invitation spam
>> Hello Greg Troxel,
>>
>> On 2010-12-12 10:51:50, you hacked the following down:
>> > Trying to block this is a bit tricky, because when a user of one of
>> > these sites invites a specific person by entering an email address, it
>> > isn't really spam. The problem appears to be that the sites offer the
>> > ability to upload one's entire email contact list and then clueless
>> > users somehow click on the 'spam my entire addressbook' button.
>>
>> Sometimes my mailinglists are hit in a very short time by 10 to 20 invitations, and multiply each by the factor 3-4000, which is not funny if you have only a 100 Mbit internet connection.
>>
>> > A possible approach in SA is to have
>> >
>> > rules that match each invitation type
>> > a metarule for INVITATION
>> >
>> > rules that match mailinglist messages (eg List-Id: for mailman)
>> > a metarule for mailinglists
>> >
>> > a metarule for invitation over a mailinglist, which IMHO is
>> > intrinsically spam and could well just get 5 points
>>
>> 1+
>>
>> I vote for a SA rule concerning MAILINGLISTS+INVITATION
>>
>> And I hate INVITE messages which use the Original Sender's E-Mail, because if they would use their own domain I could block it on SMTP Level.

Hi Michelle,

if everybody were using strict DKIM or SPF, these invites would go away :) So how about trashing everything that says invite and LIKELY does not come from the sender's domain?

Wolfgang

>> 300-500 INVITE spams per day from more than 400 socialnetworks worldwide is really annoying, or better, I would call it terrorism.
>>
>> Thanks, Greetings and nice Day/Evening
>> Michelle Konzack
>>
>> --
Re: Misguided energy
Karsten Bräckelmann wrote:
> Personally, I have *never* received a legit C/R. Every single one that
> ended up on my machines have been in response to spam sent with a forged
> sender address.

I see some C/R when machines are stuck talking to each other :( Someone signs up for a newsletter, or orders from a webshop, and will get an automatic confirmation from the server. Of course, there are no dwarves in the server room to respond to those challenges.

Now, even if it is a customer who calls and complains because they do not get the expected mail, it is usually not the person responsible for setting up the mail system.

Wolfgang Hamann
Re: comparing From and Reply-To:
Bernd Petrovitsch wrote:
> It's the only purpose of the Reply-To header to be different from To: - otherwise it can be omitted anyways. What did I miss?

Hi Bernd,

although I have seen scenarios using the feature, they never involved both addresses as free mail accounts. So a meta combined with freemail rules would do a great job.

Wolfgang
Re: Bogus mails from hijacked accounts
Michelle Konzack wrote:
>> I mean exactly, IF "Reply-To:" is set, verify that it matches the sender, otherwise reject if it does not match "From:".
>>
>> Thanks, Greetings and nice Day/Evening
>> Michelle Konzack
>> Systemadministrator
>> 24V Electronic Engineer
>> Tamay Dogan Network
>> Debian GNU/Linux Consultant

Hi Michelle,

what exactly is wrong with a reply-to that is not the sender? Of course, I cannot see much sense in a private email sending from hotmail.jp and wanting replies to yahoo.cn.

On the other side, it is a natural way for somebody's web forms: the from should be valid, so it would match the webserver, and the reply-to is the person completing the form.

Wolfgang
Re: Relation between MAIL FROM: <> and From:
>> Hi All,
>>
>> I'm wondering if someone knows if this is possible to stop using SA. Look.
>>
>> [r...@cyrus postfix]# telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to cyrus.sat.gob.mx (127.0.0.1).
>> Escape character is '^]'.
>> 220 mx2.sat.gob.mx ESMTP Postfix
>> EHLO brandmauer.insys-corp.com.mx
>> 250-mx2.sat.gob.mx
>> 250-PIPELINING
>> ...
>>
>> As you see, MAIL FROM (SMTP protocol) and From (DATA) are different, and Amavis+SA+Postfix is accepting this. Is this a SA task, or Amavis, or Postfix?

Hi Luis,

I am running a custom filter in qmail to do exactly that. To be honest, it took me about 3 months to get that working right. Basically the rules are:

a) If the To address matches one of my possible email addresses (the filter is applied after collecting mails from a few pop mailboxes), and I am the only recipient, let the mail through
b) If the (mailfrom or from) sender is in a whitelist (populated from mailing list senders, and very few colleagues that send BCC), let the mail through
c) If I do not appear in To or Cc at all, quarantine the mail
d) If there are more than 3 or so recipients (in particular from @t-online.de, which is a big ISP for private users), and not at least one of them also appears in that whitelist, quarantine
e) Potential addition: detect display names that do not match those you use for sending

I still look at a quarantine summary - some mailing list could have changed or so, or maybe there is an annual mailing list reminder that does not match the whitelist entry.

As you can see, this is a solution for a single recipient, not for a mailserver, and as such it could perhaps be done in a procmail recipe.

Wolfgang
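The rules a) to d) above, written out as an added Python example (this is not Wolfgang's qmail filter, and the addresses, whitelist entries and the threshold of 3 recipients are assumptions taken from the reply):

```python
"""Recipient/whitelist filter sketch following rules a) to d) of the reply.
Added example, not the qmail filter described in the post.  Addresses and
the whitelist are constructed assumptions."""
import email
from email.utils import getaddresses

MY_ADDRESSES = {"me@example.org", "me@example.net"}          # assumed: my own addresses
WHITELIST = {"list-bounces@lists.example.com",              # assumed: list + colleagues
             "colleague@example.com"}
MAX_RECIPIENTS = 3                                          # "more than 3 or so"


def _addrs(msg, *headers):
    """Lower-cased addresses found in the given headers (group syntax such as
    'undisclosed-recipients:;' yields no addresses)."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def classify(raw, envelope_from=None):
    """Return (verdict, reason); verdict is 'deliver' or 'quarantine'.
    envelope_from is the SMTP MAIL FROM address, if known."""
    msg = email.message_from_string(raw)
    to = _addrs(msg, "To")
    recipients = to | _addrs(msg, "Cc")

    # a) addressed to me, and I am the only recipient
    if len(recipients) == 1 and recipients <= MY_ADDRESSES:
        return "deliver", "a: sole recipient"

    # b) envelope sender or header From is whitelisted (lists, Bcc colleagues)
    senders = _addrs(msg, "From")
    if envelope_from:
        senders.add(envelope_from.lower())
    if senders & WHITELIST:
        return "deliver", "b: whitelisted sender"

    # c) I appear neither in To nor in Cc (Bcc / undisclosed recipients)
    if not recipients & MY_ADDRESSES:
        return "quarantine", "c: not addressed to me"

    # d) many recipients and none of them is a known address
    if len(recipients) > MAX_RECIPIENTS and not recipients & WHITELIST:
        return "quarantine", "d: bulk recipients, none known"

    return "deliver", "default"


# Constructed sample messages (not real mail).
DIRECT = "From: friend@example.com\nTo: me@example.org\nSubject: hello\n\nhi\n"
BULK = ("From: shop@example.com\n"
        "To: a@t-online.de, b@t-online.de, c@t-online.de, me@example.org\n"
        "Subject: offer\n\nbuy\n")
BCC = "From: someone@example.com\nTo: undisclosed-recipients:;\nSubject: news\n\ntext\n"
NEWSLETTER = ("From: list-bounces@lists.example.com\n"
              "To: undisclosed-recipients:;\nSubject: weekly\n\ntext\n")

if __name__ == "__main__":
    for name, raw in [("direct", DIRECT), ("bulk", BULK),
                      ("bcc", BCC), ("newsletter", NEWSLETTER)]:
        print(name, classify(raw))
```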
Re: [Fwd: Re: Getting off the "Cloudmark" formerly "spamnet" blacklist]
>> Caveats such as weak passwords, open ports and advertising insecure services are the domain of poor administration and understanding - they are not Operating System dependent.
>>
>> Exempting organised spam gangs and their infrastructure, it's probably fair to say that most of the spam I see has come from a mule Windo$e box. I'll worry about Linux Desktop Botnets when I see it happening :-)

Hi,

maybe you should see it... :(

During the last month I recorded 1993 distinct IPs that were participating in a distributed ssh attack - some of them changed, disappeared, and came back after a while, so they seem to be mostly static addresses. Starting Nov 1st, I implemented p0f on the server. Out of the login attempts coming from this fairly huge amount of bots, a total of 4 events were attributed to Windows XP and W98, and a small percentage was classified as unknown by p0f (these could be some special routers / gateways).

Where IPs looked like machines in a computer center, I occasionally had a closer look and found newly created sites, machines perhaps not intended to run a plain webserver at all, and sites inviting to log into plesk / confixx / whatever. One admin admitted that they were hacked through login guest / pass guest.

Wolfgang
SA EXTRA MPART TYPE
Hi,

a lot of mails end up with this code. Checking through one of them (sent from outlook express), probably the Content-type following the MIME version is the only one that could be responsible. Could someone confirm that this is the trouble spot - and how should the header really read?

Wolfgang Hamann

The structure of the mail is like:

MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="=_NextPart_000_0024_01CA6246.01D6AF40";
    type="multipart/alternative"

This is a multi-part message in MIME format.

--=_NextPart_000_0024_01CA6246.01D6AF40
Content-Type: multipart/alternative;
    boundary="=_NextPart_001_0025_01CA6246.01D6AF40"

--=_NextPart_001_0025_01CA6246.01D6AF40
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

**plaintext goes here**

--=_NextPart_001_0025_01CA6246.01D6AF40
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

**html goes here**

--=_NextPart_001_0025_01CA6246.01D6AF40--

--=_NextPart_000_0024_01CA6246.01D6AF40
Content-Type: image/gif; name="email3.gif"
Content-Transfer-Encoding: base64
Content-ID: <3d73afb1e9f74027ba370b76e6f9d...@sabine>

**embedded image goes here**
RE RCVD_VIA_APNIC
>> Warren Togami wrote:
>> # 2005/07/29, http://www.apnic.net/db/ranges.html
>> header RCVD_VIA_APNIC Received =~ /[^0-9.](?:5[89]|6[01]|12[456]|20[23]|21[0189]|22[012])(?:\.[012]?[0-9]{1,2}){3}(?:\]|\)| )/
>> describe RCVD_VIA_APNIC Received through a relay in Asia/Pacific Network
>>
>> Adam Katz had this rule in one of his channels. While it is wholly unsafe to be used alone, it could be useful in masscheck statistics and possibly if used in meta booleans in combination with other rules.
>>
>> http://www.apnic.net/publications/research-and-insights/ip-address-trends/apnic-resource-range
>>
>> Unfortunately, in testing the above rule on my own corpus I see it is missing some obvious Asian addresses. This page reveals that the regex is out of date. Does there exist a good automated way to convert many CIDR ranges to a single regex?
>>
>> Warren Togami

Hi Warren,

I am using the geoIP database in a similar context, but rather than converting to regex, I convert to a cdb file and do a lookup on that. To integrate with spamassassin, a perl cdb module would be needed.

More info about cdb is available at http://cr.yp.to/cdb.html

Regards
Wolfgang
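The lookup approach from the reply, as an added Python example rather than Wolfgang's cdb tool or the APNIC rule: the CIDR ranges go into a sorted table and the IP literal from each Received: header is looked up in it. The ranges and header lines below are constructed sample data, not real APNIC allocations.

```python
"""Range-table lookup of Received: relay IPs instead of a hand-maintained
regex.  Added example; the ranges are constructed documentation prefixes,
not a registry dump."""
import bisect
import ipaddress
import re

# Constructed sample ranges (label, CIDR).  A real table would be generated
# from a registry or GeoIP export; these values are illustrative only.
SAMPLE_RANGES = [
    ("apnic-sample", "203.0.113.0/24"),
    ("apnic-sample", "198.51.100.0/24"),
    ("ripe-sample", "192.0.2.0/24"),
]


class RangeTable:
    """Sorted table of IPv4 networks; lookup is a binary search on the
    network start address, then a bounds check against the network end."""

    def __init__(self, ranges):
        rows = []
        for label, cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if net.version != 4:
                raise ValueError("IPv4 only in this example: %s" % cidr)
            rows.append((int(net.network_address), int(net.broadcast_address), label))
        rows.sort()
        self._rows = rows
        self._starts = [start for start, _, _ in rows]

    def lookup(self, ip):
        """Return the label of the range containing ip, or None."""
        try:
            n = int(ipaddress.IPv4Address(ip))
        except ipaddress.AddressValueError:
            return None                      # malformed literal, e.g. 999.1.1.1
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0:
            start, end, label = self._rows[i]
            if start <= n <= end:
                return label
        return None


# Bracketed IPv4 literal as written by most MTAs: "(host [1.2.3.4])" / "([1.2.3.4])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(received_headers):
    """All bracketed IPv4 literals from a list of Received: header values."""
    ips = []
    for value in received_headers:
        ips.extend(RECEIVED_IP.findall(value))
    return ips


def relay_labels(received_headers, table):
    """Pair every Received: IP with its range label (None if unlisted)."""
    return [(ip, table.lookup(ip)) for ip in received_ips(received_headers)]


# Constructed Received: values (not from a real message).
RECEIVED = [
    "from mx.example.net (mx.example.net [203.0.113.45]) by mail.example.org with ESMTP",
    "from client.example.com ([192.0.2.7]) by mx.example.net with SMTP",
    "from localhost (localhost [127.0.0.1]) by mail.example.org",
]

if __name__ == "__main__":
    table = RangeTable(SAMPLE_RANGES)
    for ip, label in relay_labels(RECEIVED, table):
        print(ip, label)
```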
Re: Re-running SA on an mbox
>> Hi,
>>
>> > Do you just want to re-scan the whole mbox and see what rules hit now
>> > for research reasons?
>>
>> That's a good start, but I'd like to see if I can break out the ham to train bayes.
>> >
>> Yeah, that's kind of what I thought. Maybe a program that can split each message back into an individual file? Would procmail even help here? Or even a simple shell script that looks for '^From ', redirects it to a file, runs spamassassin -d on it, then re-runs SA on each file? I could then concatenate each of them back together and pass it through sa-learn.

Hi Alex,

I recall using a perl script when I migrated from mbox mail files to a local imap server. It would just split the mbox into messages and do an imap append for every one. Should be the same process when you want to feed into spamc instead. I am attaching that file for reference.

Wolfgang

>> Thanks,
>> Alex

#!/usr/bin/perl -w
#
# mbox2imap - convert user mbox files to IMAP mailboxes
# Written by Steve "Pheran" Snodgrass
# This script is public domain; you may do whatever you want with it!
# You must have the NetxAP module from CPAN to run this script.
# Please note that there is a bug in NetxAP 0.01 that causes setquota to
# fail.
# To fix it, change IMAP.pm line 458 to read 'setquota' instead of 'getquota'
#
# This script accepts a list of mbox file names as parameters. These names
# are also assumed to correspond to user names. It will prompt for a
# username and password on the IMAP server. The account you login as will
# need to have admin privileges. Each mbox file is copied into a folder
# called user.filename, where filename is the name of the mbox file being
# copied.
#
# Example (assumes no junk files lying around in /var/mail):
# $ cd /var/mail
# $ mbox2cyrus *

use File::Basename;
use Net::IMAP;

# Set this to the hostname of your IMAP server
$IMAPSERVER = "192.168.3.41";

#
# Get username and password information
# Returns: (username, password)
#
sub GetLogin {
    my ($username, $password);
    print "Enter your IMAP username: ";
    chop ($username = <STDIN>);
    system "stty -echo";
    print "Enter your IMAP password: ";
    chop ($password = <STDIN>);
    system "stty echo";
    print "\n";
    return ($username, $password);
}

#
# Dump a Unix-style mbox file into an IMAP folder
# Arguments: IMAP connection, IMAP mailbox name, mbox file name
#
sub TransferMbox {
    my ($imap, $mailbox, $mboxfile) = @_;
    my $blank = 1;
    my $count = 0;
    my $message = "";
    my $response;

    print "Transferring $mboxfile...\n";
    if (!open(MBOX, $mboxfile)) {
        print "Open: no-cannot open $mboxfile\n";
        return;
    }
    while (<MBOX>) {
        # A "From " line right after a blank line separates two messages
        if ($blank && /^From /) {
            if ($message) {
                chop $message;    # Remove extra blank line before next From
                if (length($message) > 1) {
                    $response = $imap->append($mailbox, $message);
                    $count++;
                    # print $response->status, "-", $response->text, "\n";
                }
            }
            $message = "";
        } else {
            s/\r?\n//;
            $message .= $_ . "\n";
        }
        $blank = /^$/ ? 1 : 0;
    }
    # Flush the last message; there is no "From " line after it
    if (length($message) > 1) {
        $response = $imap->append($mailbox, $message);
        $count++;
        # print $response->status, "-", $response->text, "\n";
    }
    close(MBOX);
    print "Transferred $count messages from $mboxfile to $mailbox.\n";
}

#
# Main Code
#

# Login to IMAP server
($user, $pass) = GetLogin();
$imap = new Net::IMAP($IMAPSERVER, Synchronous => 1);
$response = $imap->login($user, $pass);
print "Login: ", $response->status, "-", $response->text, "\n";

# Optional -p PREFIX / -pPREFIX: folder prefix between "user." and the name
$prefix = "";
if ($ARGV[0] eq "-p") {
    shift(@ARGV);
    $prefix = shift(@ARGV);
} elsif ($ARGV[0] =~ /^-p(.*)/) {
    $prefix = $1;
    shift(@ARGV);
}
$prefix .= "." if ($prefix =~ /[^.]$/);    # non-empty prefix must end in a dot

# Process each filename argument
foreach $mbox (@ARGV) {
    $mailbox = "user.$prefix" . basename($mbox);

    # Create the new mailbox
    $response = $imap->create($mailbox);
    print "Create: ", $response->status, "-", $response->text, "\n";

    # Modify the ACL on the mailbox so we can add messages
    $response = $imap->setacl($mailbox, $user, "di");
    print "Set ACL: ", $response->status, "-", $response->text, "\n";

    # Set a 100 Meg quota on the new mailbox
    $response = $imap->setquota($mailbox, "STORAGE", 10);
    print "Set Quota: ", $response->status, "-", $response->text, "\n";

    # The archived copy of the script is cut off at the line above; the
    # copy itself is done by the routine defined earlier.
    TransferMbox($imap, $mailbox, $mbox);
}
Re: Subject starts Re: but no References/In-Reply-To
Mike Cardwell wrote:
>> How would I create a rule to match when a subject line begins /^Re: /i but the message contains no References or In-Reply-To headers?

Hi Mike,

I am doing that once in a while. I read list mails at the office, but I have to reply through my home address, and it is just the easiest way to open a ssh connection and use copy/paste and plain "mail" to actually send the message. Of course there would be "Re:" matching the original question, but no related headers.

Wolfgang
Re: Spoofed Email
>> SA is working for the most part beyond expectations, the only problem I'm having is filtering spoofed email address (i.e. valid_u...@ourdomain.com). I am able to filter out non-valid user addresses (i.e. spam...@ourdomain.com). I run SA-Update daily, have piped well over 500 of these messages through sa-learn, yet they still come through. I know this is a generic outline of the problem, but it's a start, if you need more info I can send it.

Hi,

while this may not be a solution for everybody (and might even be a good thing for some of your users and a bad thing for others), at some time I decided that mail coming from the internet with a local sender must be mail submission - and requires smtp auth.

It turned out that there were a few exceptions; at that time some mails from ebay were sent from their server with the ebay member as from address - they seem to have changed that because it does not work with SPF or DKIM either.

Wolfgang
Re: New kind of spam
John Hardin wrote:
> > exactly. they'll just change the html in the next wave. this spam isn't
> > new, yet the SA list is once again full of threads about exactly that
> > recent wave, because old rules don't match.
>
> If 3.2.x does indeed implement multiline rawbody matches, then we'll be able to have a robust rule for this - e.g. an HTML email with a table that has more than 30 columns and more than 5 rows. That will be difficult to obfuscate.

Hi John,

by the time the detection is ready, you will get the entire message as ASCII art inside a or individual letters as ascii art, making up a table with one cell for each letter, or the same pattern made up of without a table.

In the long run we will render html to an image and then OCR it to detect the message :)

Wolfgang Hamann
Re: interesting flash attack in spam
Ned Slider said:
>> Indeed, but why does flash need the ability to bind ports, open remote connections, download executable files and run them? Its primary function is to be a web-based multimedia player, or so I thought. SELinux provides solutions to many of these issues by reasonably restricting what things such as flash can do based on least privilege. Same argument for .doc/xls/ppt or any other file formats - why does a word processed document or spreadsheet need the ability to execute arbitrary embedded code? Unfortunately, Windows does not offer such protections and is quite happy to encourage users to run everything with unrestricted privileges based on some perceived notion of usability.

Hi,

there are uses for many of these features, in Rich Internet Apps. Flash also is - in fact - fairly restricted as to what it may do to its environment (sandboxing), so it will not create arbitrary connections. It is, however, allowed to redirect to any webpage, like a html page could do (using a meta refresh or javascript).

However, in this particular case, the flash is completely harmless and just displays an animation. The bad thing is a html link to an exe file, right below the flash object inside the same html. All the flash does is attracting attention ... a static jpeg image could do the same.

Wolfgang Hamann
Re: interesting flash attack in spam
>> Michael Scheidell wrote:
>> > just saw this one in email. terra.com/ spamcop.com./br are hosting
>> > trojans.
>> > but this email uses flash to load this:
>> >
>> > http://www.terra.com.br/cartoes/datas/amor.swf
>> > (which redirects to http://cartoes.terra.com.br/datas/amor.swf )
>> >
>> > then tries to load a binary:
>> >
>> > href="http://www.spamcom.com.br/CartadeAmor.exe"
>> >
>> > both files still exist on the hosts, and neither was identified by
>> > clamav, and neither triggered any ET (snort) rules, SA didn't trigger
>> > any rules except these:
>> >
>> > HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809,
>> > HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957,
>> >
>> > (and my private rule, looking for a uri ending in .exe)
>> >
>> > email that tries to get you to load these here:
>> >
>> > http://pastebin.com/m2fcbe7b5
>> >
>>
>> Oh lovely!
>>
>> We've seen flash ad based driveby attacks on websites for a year or so - this is the first time I've seen them inserted into an email (although I'm sure it's been happening for a while).
>>
>> I don't know what bright spark at Adobe thought it would be a good idea for the Flash API to have the functionality to download and execute remote arbitrary code, but it should be easy enough to write a SA rule to detect embedded flash-based content and score it.
>>
>> Thanks for posting the example.

Hi,

well, realistically, there is a harmless flash inside a html page (those who do not like flash may score it, but it does not indicate spamminess or malicious content). There is also a plain link "click here to find out..." inside the html. So SA, or some malware defense, should probably detect that link to an exe file.

The bad news: flash can redirect to a new webpage - any webpage, even one that tries to download malware via javascripts. It is pretty much like a meta refresh or a javascript call in a html page, just that a normal scanner would not detect that.

Wolfgang Hamann
Re: "German" spam not hitting any DNSBLs, almost no rules
>> Howdy,
>>
>> Lately I've been getting a lot of spam like this:
>>
>> http://pastebin.com/m58b01a0b
>> http://pastebin.com/me13959a
>>
>> The domain changes, but it's virtually always in the .de TLD ("somedomain.de"). RelayCountries has this to say about that message (I'm in the US, btw):
>> [31067] dbg: metadata: X-Relay-Countries: GB
>>
>> They don't seem to trigger any remote tests at all: DNSBLs, URIBLs, Pyzor, Razor, or Botnet. The only local tests triggered are BAYES_99, MIME_HTML_ONLY, and a custom test I wrote which triggers when it sees the word 'drugstore' in the body, in all caps.
>>
>> Any ideas on how to make this a more solid hit? Anyone else seeing this?
>>
>> Thanks,
>> Jake

Hi Jake,

both examples seem to originate in the US (28.239.107.195 and 206.91.74.21) and have some rb.mail.ru link near drugstore.

Wolfgang
Re: Weird flagging of emails to Spam
Hi Roberta,

I think the problem lies in just this snippet:

>> X-SMTP-Auth-NETI-Businesmail: no
>> Received: from ...mada30 (xx.175.190.90.dyn.estpak.ee [xx.190.175.78])
>>     by Relayhost2.neti.ee (Postfix) with SMTP id CE2621F9E65
>>     for <.@online.ee>; Tue, 20 Jan 2009 23:29:07 +0200 (EET)

This reads like a dynamic client originates a message to some (presumably open) relayhost. In reality I would assume that the sender acts as a civilised one and authenticates with that "relayhost", which is its outgoing mail server.

Now, an authenticated mail should probably NOT say

x-smtp-auth: no

but the received line SHOULD SAY something like

... by ... with authenticated SMTP
... by ... with ESMTPA

There are a few formats that SA accepts as auth indicators. So the problem lies with neti.ee - if they are acting as an official outgoing mail server, they should change their config.

Regards
Wolfgang Hamann
Re: Spam slipping through
Benny Pedersen wrote:
>> On Mon, December 8, 2008 05:25, [EMAIL PROTECTED] wrote:
>> > mouss said:
>>
>> bug:
>> Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and '$To");
>>
>> fixed line:
>> Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and '$To'");
>>
>> > well, I send mail to myself sometimes. The only way that this mail
>> > could go is either straight from the mailserver to my inbox
>>
>> ALL_TRUSTED or NO_RELAYS hits ?
>>
>> > (if I am logged in), or from my desktop client, via my mailserver,
>> > to the inbox.
>>
>> this should give ALL_TRUSTED
>>
>> > So it seems to me that any sender claiming to be _me_ would _auth_
>> > to the mailserver.
>>
>> yes
>>
>> > When I implemented this a while ago, some ebay mails violated that,
>> > and mails from monster.com. AFAIK, at least ebay has learned that
>> > such mails are likely to be caught by various reasons (DKIM?)
>>
>> DKIM is not a blacklister, but a whitelist based on if sender really use monster.com mta mail server or not :)

Hi Benny,

my company mailserver is signing all outgoing mail, so I take the liberty to reject some incoming mail at the MTA level based on DKIM results. Likewise, senders pretending to come from my domain are asked to auth at the MTA level - SA does not even see these mails.

Wolfgang Hamann
Re: Spam slipping through
mouss said:
>> > The implementation of it is not my concern. It's a pretty basic rule to
>> > require that addresses a commonly exploited spam attack vector.
>>
>> having the same address in the From and To is also seen in legitimate mail:
>> - I send mail to myself
>> - some people use their address in the To when they Bcc many people

Hi,

well, I send mail to myself sometimes. The only way that this mail could go is either straight from the mailserver to my inbox (if I am logged in), or from my desktop client, via my mailserver, to the inbox. So it seems to me that any sender claiming to be _me_ would _auth_ to the mailserver.

When I implemented this a while ago, some ebay mails violated that, and mails from monster.com. AFAIK, at least ebay has learned that such mails are likely to be caught by various reasons (DKIM?)

Wolfgang Hamann
Re: localised virus scam
Kai Schaetzl wrote:
>> > We're blocking IPs from dialups from countries no one receives mail here
>> > anyway.
>>
>> Why just block dialups then?

Hi Kai,

I am frequently trying to report unwanted behaviour to ISPs, using their published abuse or tech contacts. And, unfortunately, quite a few of these mails are returned because ... nobody wants to receive mail from Germany in some countries :(

I think the OP said he was working with an ISP, too.

Wolfgang Hamann
Re: Help I am listed on blacklists
>> On Sat, 29 Nov 2008, Lars Ebeling wrote:
>>
>> > Dear all
>> >
>> > Could someone advise me.
>> > I am listed on dun.dnsrbl.net and spam.dnsrbl.net
>> >
>> > How to get off the lists?

John Hardin wrote:
>> Both those lists are dead (since mid-2005?) and appear to be returning 127.0.0.1 for all queries. How did you determine you were listed?
>>
>> --

I just happened to get some mail bounced saying I was listed on dun... I guess the recipient will not get much mail from anywhere :)

Wolfgang Hamann
Re: Block all incoming mail from domain except certain users?
>> I'm noticing we're getting a lot of spam coming through with a from address of our own domain. This gives spamassassin an automatic -100 on the score pretty much guaranteeing that it'll not get flagged as spam. Since we have a limited number of people using that domain, is there a way to tell spamassassin to block or at least give a really bad score to any email with a FROM as coming from our domain but is not a user (left of @ sign) that isn't one of these X addresses?
>>
>> Thanks for any advice!
>> Liam

Hi Liam,

why not outright block these messages at the MTA? Suppose you use SPF or DKIM, then these mails would fail for policy.

Wolfgang
Re: blocking country domains.
>> Is there a way to just block email coming from .de domains?
>> I have been individually adding those to my blacklist but I was wondering if there was a catchall for just anything coming from .de

Hi,

as someone who sends abuse reports from .de, I often get rejections based on the kind of policy you want. Now, what is my next step? submit the non-functional abuse@ address to rfci.org? send the abuse message by snail mail and put some explosives in the letter?

Blocking entire countries is a very bad idea.

Wolfgang
Re: Spam in qmail queue
>> Hi,
>>
>> I am not sure that I am writing to the correct list, but maybe you will help me.
>>
>> On one of my servers qmail has been installed, SpamAssassin and qmail-scanner. There are several virtual domains, and the Spam filter is working quite OK.
>>
>> But I have some messages which I am worried about:
>>
>> For example: on the server is domain: somedomain1.com
>>
>> Somebody will send SPAM to [EMAIL PROTECTED], and:
>> - Spamassassin marks it as SPAM (which is correct)
>> - But user doesn't exist on somedomain1.com (it happens)
>> - So qmail stores this mail in the queue as long as it can.
>>
>> My question is, what is the best practice and how can I configure the following scenario:
>>
>> Scenario:
>> Spam marks message as SPAM, qmail is trying to deliver that message to a non-existent user, and if it does not exist - message is deleted.
>>
>> BUT if message is not SPAM - and user doesn't exist, bounce message should be sent to sender.
>>
>> Thank you very much for your help.
>>
>> Marcin Praczko

Hi Marcin,

you can modify qmail-scanner to exit with error code if spam score is over a given value (usually higher than default score, e.g. 10 rather than 5). Unpatched qmail would return - during the smtp session, not as a bounce - an "administratively prohibited" message to the sender. It is straightforward to add a new exit value to qmail and have that tell the sender that their message was considered spam.

You can do this right away, but you are still encouraged to install whatever matches your system setup and rejects mail to non-existent users.

Wolfgang
Re: filtered by mass hosters
>> > HI,
>> > unfortunately lots of our legitimate mails are filtered by mass hosters like
>> > web.de and aol.
>> > Does anyone have any clue how to find out why?
>> > I'm not talking about mass mailing here, just regular mails like this one
>> > from exactly the server i am sending from now.
>>
>> Individual issue, individual problem.
>> Contact aol and web.de and ask them.

Hi,

at least aol does not like being contacted :(

Wolfgang Hamann
SARE stock
SARE_PROLOSTOCK_SYM3 traps on ISMN (International Standard Music Number, similar to ISBN). I just got an order confirmation from a music book store with a pretty high score.

Wolfgang Hamann
Re: Clearly bogus false positives -- on "abuse" contact point, no less
Karsten Bräckelmann wrote:
>> On Sat, 2008-02-16 at 18:44 -0800, Philip Prindeville wrote:
>> > Anyway, I have no idea why I'm seeing some of these scores. URL matches
>> > when there aren't even URL's in my message?
>> ..
>> >
>> > What should I do? Just block their domain? I don't want to deal with
>> > their misconfiguration issues.
>>
>> Apparently you already exchanged messages? Try not sending the offensive mail in question. Put it up somewhere as reference, if need be. Hmm, sounds familiar... ;)

When it finally gets through, they will probably send you an autoreply that they cannot handle abuse complaints without the necessary evidence, e.g. the original piece of spam, included. Back to square 1 ... or the fax machine.

Wolfgang Hamann
Re: x-cr-hashedpuzzle
>> http://www.openspf.org/caller-id/csri.pdf Chapter 11, pages 37 to 45 inclusive
>> interesting reading :)

I believe that, in a time where zombie armies powered by quad-core cpus pour spam over the internet, compute-bound puzzles would not really be a hurdle for the spammers.

Wolfgang Hamann
Re: Plagued by spamassassin
>> I have asked before but have been unable to get a usable solution. I am running qmail, spamassassin, clamav, etc from the qmr package on one of our FBSD 6.2 servers. If you email via squirrelmail, your outbound email does not get labeled spam. If you send out via a client with smtp, it labels 95% of it as spam...so when you email someone, they get it with :SPAM: in the subject. These days with the spammers and the amount of users I can not kill off spamassassin all together. I really do not want to have to pay for a subscription to postini either. Can someone help me stop spamassassin from scanning my users' smtp sessions and only scan mail coming in?
>>
>> Cedar Springs Technologies

Hi,

of course your users are using smtp auth to send messages through your server? Have a look at one of the messages - does it say "received with SMTP" or "received with ESMTPA"? If it does not, you need to apply one more patch to qmail.

Wolfgang Hamann
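The check that the "Spoofed Email", "Weird flagging" and "Plagued by spamassassin" replies describe, as an added Python example (not SpamAssassin's code and not a qmail patch): find the Received: hop into our own MTA, look for the authenticated-submission keywords named above ("with ESMTPA", "with ESMTPSA", "with authenticated SMTP"), and flag a message with a local From: that arrived unauthenticated from an outside client. The local domain, MTA name and all sample headers are constructed assumptions.

```python
"""Local-sender-must-authenticate check.  Added example; LOCAL_DOMAIN,
LOCAL_MTA and the sample messages are constructed, not taken from a real
setup.  Auth keywords: ESMTPA/ESMTPSA (RFC 3848), UTF8SMTPA/UTF8SMTPSA
(RFC 6531) and the free-text 'with authenticated SMTP' quoted in the reply."""
import email
import ipaddress
import re
from email.utils import parseaddr

LOCAL_DOMAIN = "example.org"      # assumed: domain whose senders must auth
LOCAL_MTA = "mail.example.org"    # assumed: the "by" host of our own MTA

AUTH_INDICATORS = re.compile(
    r"\bwith\s+(?:ESMTPA|ESMTPSA|UTF8SMTPA|UTF8SMTPSA|authenticated\s+SMTP)\b", re.I)
# "from HELO (info) ... by HOST": info is the optional parenthesised
# "rdns [ip]" part, by is the receiving host.
RECV_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+.*?\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def entry_hop(msg):
    """(match, header value) of the Received: line whose 'by' host is our MTA."""
    for rcv in msg.get_all("Received", []):
        flat = " ".join(rcv.split())          # unfold the header
        m = RECV_RE.match(flat)
        if m and m.group("by").lower().rstrip(".") == LOCAL_MTA:
            return m, flat
    return None, None


def client_is_external(info):
    """True unless the client IP literal is private or loopback."""
    ips = IP_RE.findall(info or "")
    if not ips:
        return True                           # no literal: assume outside
    try:
        ip = ipaddress.IPv4Address(ips[0])
    except ipaddress.AddressValueError:
        return True
    return not (ip.is_private or ip.is_loopback)


def check_local_sender(raw):
    """Return (verdict, reason); 'reject' means a local From: was handed in
    from outside without any SMTP auth indicator on the entry hop."""
    msg = email.message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    if sender.rpartition("@")[2].lower() != LOCAL_DOMAIN:
        return "pass", "sender not local"
    m, rcv = entry_hop(msg)
    if m is None:
        return "pass", "no hop into local MTA found"
    if AUTH_INDICATORS.search(rcv):
        return "pass", "authenticated submission"
    if not client_is_external(m.group("info")):
        return "pass", "internal client"
    return "reject", "local sender from %s without SMTP auth" % m.group("helo")


# Constructed sample messages (folded Received: lines as an MTA writes them).
def _sample(received, sender):
    return ("Received: %s\nFrom: %s\nTo: user@example.org\n"
            "Subject: test\n\nbody\n" % (received, sender))

UNAUTH = _sample("from mada30 (dyn.example.net [81.2.69.160])\n"
                 "\tby mail.example.org (Postfix) with SMTP id CE2621F9E65\n"
                 "\tfor <user@example.org>; Tue, 20 Jan 2009 23:29:07 +0200 (EET)",
                 "user@example.org")
AUTHED = _sample("from laptop (dyn.example.net [81.2.69.160])\n"
                 "\tby mail.example.org (Postfix) with ESMTPSA id 1A2B3C\n"
                 "\tfor <user@example.org>; Tue, 20 Jan 2009 23:30:00 +0200 (EET)",
                 "user@example.org")
INTERNAL = _sample("from webmail (webmail.example.org [10.0.0.5])\n"
                   "\tby mail.example.org (Postfix) with SMTP id 9Z8Y7X",
                   "user@example.org")
REMOTE = _sample("from mx.other.example ([81.2.69.160])\n"
                 "\tby mail.example.org (Postfix) with ESMTP id 4D5E6F",
                 "someone@other.example")

if __name__ == "__main__":
    for name, raw in [("unauth", UNAUTH), ("authed", AUTHED),
                      ("internal", INTERNAL), ("remote", REMOTE)]:
        print(name, check_local_sender(raw))
```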
Re: DDOS, Dictionary Attack... not sure what it is...
>> >> > However, labrea may be great software ... but it is certainly not >> > the software one wants to compete with a live machine for incoming >> > connections. >> >> The way I run it, the IP addresses being tarpitted are IP addresses >> that would be rejected anyway by zen et al. DNSBL checks - they are >> repeat offenders that have already been firewalled out (thus the MTA >> never sees the traffic) and adding LaBrea simply adds a >> trap-the-attacker response to the SYN packet rather than just >> discarding the traffic. >> Hi John, maybe I misread the LaBrea docs that talk about capturing unused IPs. Could you show me the configuration you use for LaBrea? Wolfgang Hamann
Re: DDOS, Dictionary Attack... not sure what it is...
>> >> On Tue, 1 Jan 2008, mouss wrote: >> >> > John D. Hardin wrote: >> > > On Mon, 31 Dec 2007, Mike Cisar wrote: >> > > >> > > >> > >> Even tried yanking the IP address off of the server over the >> > >> holidays in the hope that whatever it was would just give up. No >> > >> such luck, within a minute of reactivating the IP to the server >> > >> this morning the traffic was back to full flow. >> > > >> > > Tarpit 'em. >> > > >> > > http://sourceforge.net/projects/labrea >> > >> > Tarpitting may not be the right answer, because "they" have a lot >> > more resources than us >> >> I may have misunderstood what Mike was saying in his original post - I >> thought that the traffic was originating from a single IP and that was >> what he had firewalled. Later messages indicate he's being flooded by >> a botnet and he'd firewalled his local IP, so tarpitting is obviously >> a less attractive solution - but, consider: if a few thousand bots get >> snared in his tarpit, are they blocked from spamming others for as >> long as they are snared? A tarpit is as much a community defense as it >> is a personal defense. I would guess that spambots would work sequentially (or probably a fixed number of processes sending sequentially), so that they - and others they want to send to - benefit from tarpitting. However, labrea may be great software ... but it is certainly not the software one wants to compete with a live machine for incoming connections. If the target mailserver offers unlimited connections, sleeping a while might help (but consume process resources). If it has a maximum incoming connections setting, tarpitting would cause the server to block itself. Wolfgang Hamann
fake non-delivery reports
I got a couple of them, and the common thing about them (other than proclaiming another gold rush) was the fact that they were NOT sent from the null sender. Would that be a potential filter criterion? Wolfgang Hamann
Re: It's a fine line...
Hi, adding to the list, I recently came across domain contacts like [EMAIL PROTECTED] (not sure about the exact domain name). This "service" also refuses some mails, particularly those that are sent via one of the mail servers of German Telecom, and it is operated by VeriSign. Wolfgang Hamann
Re: the IT job board spam?
>> >> On Tue, 9 Oct 2007, Loren Wilton wrote: >> >> > Base-64 encoding of HTML strikes me as a little odd. I wonder if >> > it would make a good spam sign. >> >> Very likely. The only reason to do that is to shield the HTML from >> pattern matching filters that don't decode text body parts first. >> >> Of course, it might not be widely used... >> You would see it more often in countries like Germany or France, where letters sometimes wear hats :) I am definitely no fan of that stuff, and also tend to consider it as a possible spam sign. But, in favor of the practice: if someone ever had to create a script to encode text, because of very few non-ASCII characters causing problems - why should they scan the message first whether it actually needs encoding, and not send it through the encoder straight away? And, of course, with the exception of eastern Europe and Asia, quoted-printable seems to be a more appropriate choice than base64. Wolfgang Hamann
would you trust these people :)
they did not even learn the calendar at school. Wolfgang
From a stock spam: +++ 5-day price: ~$0.50 Check it at 31.09.2007
Re: OT - massive newsletter
>> >> * mizzio <[EMAIL PROTECTED]>: >> > hello everybody, >> > >> > I apologize to ask an off-topic question, and feel free to point me to >> > any other resources on the net. >> > >> > I'm setting up an SMTP server (centos + qmail) on a dell quad core >> > machine for sending out a periodic newsletter (10 million a month). >> >> Rather use Postfix for that. Postfix can re-use existing connections >> (thus decreasing the concurrency of SMTP sessions) and will sort the >> recipient lists by MX host. >> >> Also, it has several workarounds that enable you to send mail to systems >> behind CISCO PIX firewalls. >> Hi, I definitely appreciate the idea of reducing concurrency. Unless the sender is well known (or has agreements with major providers), recipients might limit the amount of mails they are willing to accept per unit of time. I would expect that measure to be based on actual mails rather than connections, so sorting the messages by target MX may not be what you really want. Wolfgang Hamann
Re: Authenticated SMTP and RBLs
Hi, while setting proper trust relations can solve the problem for mails internal to the system, without that auth'd bit in the received header everybody outside the system will still see the message as coming from a dialup and passing through a potential open relay. Wolfgang Hamann >> >> Rajkumar S wrote: >> > Hi, >> > >> > I manage 2 smtp servers, one for outgoing and uses smtp >> > authentication. The other is incoming and scans mail using SA. Our users >> > sometimes send mails from dialup IPs which are black listed, but the mails >> > always come via our authenticated smtp server. >> > >> > Now when one of the customers sends a mail to our incoming server from >> > a blacklisted IP, via authenticated smtp, it gets rejected by SA, >> > because of black listed. SA logs show >> >> If you're using SA 3.2.0 or later add the MSA server IP to msa_networks >> (and be sure to configure trusted_networks accordingly). >> >> Daryl
Re Authenticated SMTP and RBLs
Hi Raj, your server should not say SMTP in that case but ESMTPA, so that SA knows it was an auth'd message. Out of the many qmail patch packages I have seen, only one seems to do that. Wolfgang
Rajkumar S wrote:
Hi, I manage 2 smtp servers, one for outgoing and uses smtp authentication. The other is incoming and scans mail using SA. Our users sometimes send mails from dialup IPs which are black listed, but the mails always come via our authenticated smtp server. Now when one of the customers sends a mail to our incoming server from a blacklisted IP, via authenticated smtp, it gets rejected by SA, because of black listed. SA logs show
RCVD_IN_DSBL,RCVD_IN_NJABL_DUL,RCVD_IN_NJABL_PROXY,RCVD_IN_PBL,RCVD_IN_SBL,RCVD_IN_XBL scantime=3.4,size=1687,user=simscan,uid=510,required_score=6.5,rhost=localhost.localdomain,raddr=127.0.0.1,rport=34074,mid=<[EMAIL PROTECTED]>,autolearn=disabled
The first Received: line in the offending mails shows
from unknown (HELO [220.226.6.139]) ([EMAIL PROTECTED]@[220.226.6.139]) (envelope-sender <[EMAIL PROTECTED]>) by myserver.com (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for <[EMAIL PROTECTED]>; 12 Sep 2007 07:04:37 -
My question is how can our dialup users send mails when they are from blacklisted IPs. raj
Re: non-phish corpus?
Hi, while I do not keep these PayPal things, I am quite sure that at most one mail in 20 has my address in the To field (or, maybe, has ANY address in the To field). Wolfgang Hamann
Re: why not doing a test that checks "name"- pairs
Kai Schätzl wrote: >> >> You don't understand at all. What gets put in the comment is up to the >> sender. >> They can put *everything* there and it's legit. You do not control it at all >> and you do not send them a reply "please change my name in your addressbook >> to >> xyz". It can be the name, a part of the name, several parts of the name, >> reverted parts of the name, a company name in all its variations, an >> acronym, >> misspelled, something like "Tony's brother", the email address, quoted or >> bracketed in several ways, could be nothing - to show a few. Such a rule >> would be prone to a huge number of FPs. It may work for you after a lot of >> work, but not for others. It's not worth it. >> while it is up to senders to make up display names, I usually see either
- no display name at all
- the name exactly as I spell it (from replies)
- the name parts rearranged from a web form submission
in worthy mails. If someone decides to put "Idiot" as a display name, I take the liberty to not read it. Maybe some people really get mail sent to "Daddy" or whatever. As others have pointed out, checking display names is a personal thing ... and it seems to work with the mails I receive. Wolfgang Hamann
Re: Question - How many of you run ALL your email through SA?
>> I have a few blacklists that I trust but one thing I do is that I have >> a big white list of good hosts that let me route more than half of my >> good email around SA which reduces load and increases accuracy. Hi Mark, would a good host be one that uses egress spam filtering? Even companies with good reputation sometimes seem to send out spam and viruses, and I do not really want to receive that stuff unfiltered. Wolfgang
Re: why not doing a test that checks "name"- pairs
>> >> Hi, >> >> I'm pretty new to SpamAssassin and maybe what I am saying is nonsense or >> somebody else has suggested this, or the test already exists but I don't >> know how to configure it, anyway here is my question. >> >> I've noticed that some spam messages are not marked as spam by spamassassin (the >> score is lower than the limit I've set: 5.0. Those emails usually have some >> hints that suggest they are probably spam: score about 4.6). These messages >> are addressed to many people in my domain but the names before the email >> address are random. To explain it more clearly, for example, the recipient >> in the TO field is something like this: "John" <[EMAIL PROTECTED]>. Very >> often the CC field includes other recipients like: "Peter" >> <[EMAIL PROTECTED]>; "Mike" <[EMAIL PROTECTED]>; etc... The thing is that >> the email recipients (user1, user2, user3,...) are real, they exist in my >> domain, but the names "Peter, John, Mike" have nothing to do with "user1, >> user2, user3", they are picked randomly. Wouldn't it be interesting to have a >> test that checks the "user name-email address" pairs according to some >> settings? >> >> Regards, >> >> Alberto. Hi, you can do quite a few things to trap mail that probably is rubbish but it may be extra work. I use some prefilter in line with forbidden attachment and virus scanning but it could probably be written as a _personal_ plugin. I like mail sent to just the plain email address or in "user" format written exactly as I spell it. I collect mail from some other mailboxes, so of course the rule must know about these other addresses as well. For mail sent to my primary address (at a big ISP) I don't like to see another address in the To or Cc. The one that really caused work: I don't like mails where my address does not appear in either To or Cc, unless the sender appears in a whitelist.
You need to add mailing lists, monthly password reminders from mailing lists, sourceforge addresses, whatnot... Wolfgang Hamann
Re: Question - How many of you run ALL your email through SA?
Marc Perkel wrote: > As opposed to preprocessing before using SA to reduce the load. (ie. > using blacklist and whitelist before SA) > One thing I noticed when experimenting with pre-filters: bayes no longer knows about certain kinds of spam. If, for some reason, the prefilter does not catch it (e.g. you are one of the first to get a new spam run), then SA might pass it with a neutral bayes score. So it might be an idea to feed (a certain percentage of) pre-filtered spam to a low priority SA learn job. Wolfgang Hamann
Re: trapping rubbish?
Hi, if the same IP address is used every time, bayes will probably learn it. If someone is using a random number generator for the IPs, a rule that detects impossible ones might be nice. I have seen received headers with the same problem as well. Wolfgang Hamann >> >> [EMAIL PROTECTED] wrote: >> > looking at a piece of spam that was scored low, I noticed >> > >> > X-Originating-IP: [383.552.476.5] >> > >> > Wouldn't that be a nice thing to score on? >> > >> > Wolfgang Hamann >> >> Bayes learns it. What's so nice in it in your opinion? >> >> Various blacklists learn abuseable IP-addresses as well, and they get a score in SA.
trapping rubbish?
looking at a piece of spam that was scored low, I noticed X-Originating-IP: [383.552.476.5] Wouldn't that be a nice thing to score on? Wolfgang Hamann
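An added example (not part of either post above) of the impossible-IP check Wolfgang suggests, in Python: it pulls dotted-quads out of X-Originating-IP and Received headers and reports any whose octets cannot exist. The sample headers are constructed here, apart from the [383.552.476.5] value quoted from the post.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Any run of digits and dots; whether it is a real IPv4 address is decided
# by the ipaddress module, not by the regex.
DOTTED = re.compile(r"[0-9]+(?:\.[0-9]+)+")
BRACKETED = re.compile(r"\[([0-9]+(?:\.[0-9]+)+)\]")


def is_possible_ipv4(token: str) -> bool:
    """True only for exactly four octets in 0..255; 383.552.476.5 or 1.2.3 fail here."""
    try:
        IPv4Address(token)
    except AddressValueError:
        return False
    return True


def unfold(raw_headers: str) -> list:
    """Join RFC 5322 folded continuation lines (leading SP/HTAB) back onto their header."""
    lines = []
    for physical in raw_headers.splitlines():
        if physical[:1] in (" ", "\t") and lines:
            lines[-1] += " " + physical.strip()
        else:
            lines.append(physical)
    return lines


def impossible_ips(raw_headers: str) -> list:
    """Dotted-quads in X-Originating-IP and Received headers that cannot be IPv4 addresses.

    A hit here is a strong ratware indicator: no real MTA or webmail frontend
    writes an octet above 255 into a header it generated itself.
    """
    hits = []
    for line in unfold(raw_headers):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == "x-originating-ip":
            tokens = [value.strip().strip("[]")]   # brackets are optional in this header
        elif name == "received":
            tokens = BRACKETED.findall(value)      # e.g. "(HELO foo) ([203.0.113.45])"
        else:
            continue
        for token in tokens:
            # IPv6 values never match DOTTED and are left alone.
            if DOTTED.fullmatch(token) and not is_possible_ipv4(token):
                hits.append(token)
    return hits


# Constructed sample; the X-Originating-IP value is the one quoted in the post above.
SAMPLE_HEADERS = "\n".join([
    "Received: from unknown (HELO mail.example.net) ([203.0.113.45])",
    "\tby mx.example.com with SMTP; 1 Jan 2008 00:00:00 -0000",
    "X-Originating-IP: [383.552.476.5]",
    "Subject: test",
])

if __name__ == "__main__":
    print(impossible_ips(SAMPLE_HEADERS))   # ['383.552.476.5']
```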
Re: How would you provide a 554 rejection notice for spam?
>> >> Diego Pomatta wrote: >> > But is not qmail's job to detect spam >> >> True. >> >> > or tell the sender what the >> > problem was; >> >> True only for your local site policy; most people who reject spam would >> like to let the sender know so legitimate senders can rearrange their >> message to try again. More generally, it's usually a good idea to >> include *some* kind of information about why you rejected the message if >> you reject an email message at the MTA layer. >> >> qmail makes this much more difficult than pretty much any other MTA. As another qmail user, may I put this straight: qmail does not pass an individual message to the sender, just a selection of predetermined messages (temporary problem, prohibited, whatnot). You are free to add something like "554 your message is considered excessively spammy" to the list of predetermined messages. You cannot send the actual spam score. >> >> qmail, as provided by DJB, is nearly unusable in today's email >> environment IMO. The fact that we need spamassassin, antivirus, and the like to integrate into other mailers seems to indicate that they are not much better. >> > qmail is just the MTA, and a damn fine one imho. >> > A filter/scanner/anti-spam tool has to do that. >> >> If you're going to notify senders about spam or virus content, the time >> to do it is before your mail system has sent a "250 OK" reply to the >> message's DATA segment. Accepting the message then constructing a >> (new!) rejection message to send back generates backscatter, and is >> likely to get your system blacklisted locally by sysadmins everywhere if >> you do this. >> >> It is generally known as bad practice, and has been told over and over again, to bounce messages.
If the discussion is about the response to the DATA phase (as it should be), you are free to modify that piece of perl code that drives mail scanning in a way that it sends on the message (with subject changed, or otherwise modified) AND tells the sender that it has permfailed. Wolfgang Hamann
Re: Greeting Card
Rocco wrote: Is it possible to block the spam sent by GreetingCards.com which invites the receiver to access a URL and browse the ecard? I mean that spam which has a subject similar to: You've received a greeting ecard from a Colleague! Hi Rocco, those I looked at all had a numeric IP in the URL. If you curl or wget that URL (without the unique string), it clearly suggests clicking on a non-personalized exe file. Wolfgang Hamann
[OT] what is that?
I just found this in my inbox - is someone trying a new look of bounces? I have replaced the actual recipient with [EMAIL PROTECTED]. Wolfgang Hamann
Received: from fc.williston.com (HELO williston.com) (68.112.246.229) by mydomain.com with SMTP; 31 Jul 2007 04:53:13 -
Message-id: <[EMAIL PROTECTED]>
Date: Tue, 31 Jul 2007 00:22:21 -0400
Subject: NDN: (Suspected Spam:) soggy mirror
X-Mailer: FirstClass 8.2 (build 8.094)
X-FC-Icon-ID: 2031
X-FC-SERVER-TZ: 15729388
X-FC-MachineGenerated: true
To: "me" <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sorry. Your message could not be delivered to: wold,FC_Williston (The name was not found at the remote site. Check that the name has been entered correctly.)
Re: How do you stop others from sending emails from your email addresses ?
Hi, if you implement some whitelisting too, you could slightly change qmail to require authentication if the sender pretends to be from your domain. This will only affect the envelope from; however, spammers that believe it is easier to bypass filters with the local domain usually put it into the envelope anyway. Wolfgang Hamann >> >> > Wednesday, July 25, 2007, 1:46:56 PM, you wrote: >> > > I constantly, (about 15-20 times a day), receive s**m >> > > emails from other people, but addressed from my email >> > > address. Is there any way of using SA to help on this >> > > in any way at all please ? >> > >> > > I want to stop myself from receiving them, but even >> > > more importantly, how do I stop someone from sending >> > > from my email address - can it be done please ? >> >> On 26.07.07 15:21, Peter Mikeska (MiKi) wrote: >> > Hi, you can solve it on MTA level or in SA level. >> > you don't say what kind of MTA you are using, for example in qmail it's >> > simple, just use "badmailfrom" where you can put a wildcard for the whole >> > domain eg: @mydomain.com - in case no one is sending mail outside your >> > domain. >> >> The badmailfrom will only affect his server. so if he put any domain into >> badmailfrom, he won't be able to send/receive mail with that domain in mail >> from: envelope, which would keep him off using his domain for mail. >> >> That would not affect other servers, so any abuser could send any mail to >> any server in the internet using this domain in mail from: and all the >> e-mail would return back to him. So he would still get all those notices.
Re: DNS Perl Help? [ot]
Mark Perkel wrote: If I have a string, what's the fastest way to count the number of periods in the string?
in perl, I would probably split the string at the periods
@parts = split /\./, $string, -1;   # limit -1 keeps trailing empty fields, so "a.b." still counts two periods
and then just use the number of splits
$#parts
Wolfgang Hamann
Re: not everyone is happy with SA
Steven Stern wrote: >> > >> >> My company's website has a "click here and we'll send you your password" >> (or something similar). You'd be amazed how many calls we get claiming >> it doesn't work. When I track through the logs, I find most come from >> people with CR systems. You can't use a CR when you're talking to a >> robot. These things make me sooo mad. >> >> - -- >> >> Steve Hi Steven, just out of curiosity: if this happens, are you telling them to fix their mail system first, or are you trying to help them? Wolfgang
Re Thoughts on Isolating Viruses - Port 587 Submission
The problem with that idea: it relies on ISPs distinguishing end users and mail servers. Some ISPs are known to make a distinction on price (i.e. they would charge much more for full access than not) or - as previous discussions have shown - do not even distinguish static IP and dynamic IP customers. Mark Perkel wrote: Imagine a policy where ISPs blocked port 25 for consumers by default and forced them to talk to mail servers on port 587 to send SMTP. Suppose that all SMTP servers who took email from consumers had port 587 open as well as port 25. If port 25 were blocked from consumers and they were forced to talk to servers on port 587, even without authentication, then a server could distinguish consumers from other servers. I think this kind of configuration could be used to help isolate virus infected computers from spamming and spreading.
Re: Rule suggestion - smtp sanity
>> >> >> On 7/13/2007 11:04 AM, arni wrote: >> > From large providers I sometimes receive messages through encrypted >> > smtp, the header looks something like this (qmail): >> > >> > ... with (AES256-SHA encrypted) SMTP; ... >> > >> > >> > Would it be a good idea to give a minimal negative score on this -0.1 or >> > -0.2 if this happens on the last hop? - It proves that the sending smtp >> > server is very protocol sane, which spambots are usually not. >> Hi Eric, probably the sending mail server does not use a cert in this case, only the destination one. A while ago I needed to test SSL sending, and it was not really a big deal to create a perl script to send SSL mails. From the point of spammers using zombie'd computers, the extra CPU time to do the SSL is no concern either. So in case there is a commonly available SSL package (or it is not too big to download), I would expect the bad guys to learn STARTTLS pretty fast. Wolfgang Hamann >> It's a good idea to look at last-hop transfer and see if it used STARTTLS, >> if the certificate was valid, etc., and is something I've got on my to-do >> list for future development. >> >> The big problem is that there is no real standard and every MTA records >> the details differently. >> >> -- >> Eric A. Hall http://www.ehsco.com/ >> Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
stock spam
just out of curiosity: would the codes WKN or ISIN (in the same mail) make any sense, other than in the context of stocks? Wolfgang
Re: DELETE SPAM
Hi, if your spam filtering happens via qmail-scanner, you might want to get the latest version of that. Otherwise, if your final delivery is via .qmail files, you might find the qtools package (from superscript.com or superscript.org) useful. Wolfgang Hamann tarak ranjan wrote: hi all, I am facing a serious problem regarding SPAM. now few mails are going to user's inbox and others are going to postmaster. but I want to drop/delete those mails from the server side. how can I do that? I'm using SpamAssassin version 3.1.4 + qmail please help me out
Re: sample of new style PDF spam (containing embedded link, no image)
I receive quite a few legitimate pdf attachments - half of them are pdf type, the other half is octet-string (but they are usually A4 paper size). Wolfgang Hamann >> >Here's a new style of PDF spam (recipient email address is munged): >> >> [snip] >> >> > - uses "application/octet-stream" instead of "application/pdf" >> >as the Content-Type >> >> From your sample: >> >> Content-Type: application/octet-stream; name="Message.pdf" >> >> You could match on the "application/octet-stream" and the file >> extension being ".pdf". >> >> Regards, >> -sm
OT: syntax error
I occasionally get mails bounced due to a "syntax error". They don't look suspicious to me, however. Is there a tool to "validate" mails? Wolfgang
sample message
From: [EMAIL PROTECTED]
Subject: BETROFFEN
To: "scanner" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Date: Wed, 27 Jun 2007 13:38:03 +
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="DC_BOUND_PRE_<1182951483.74a1fa6d>"
This is a multi-part message in MIME format.
--DC_BOUND_PRE_<1182951483.74a1fa6d>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Diese E-Mail wurde gesendet von "RNPA1FA6D" (Aficio 2016). Scan-Datum: 27.06.2007 13:38:02 (+) R=FCckfragen an: [EMAIL PROTECTED]
--DC_BOUND_PRE_<1182951483.74a1fa6d>
Content-Type: image/tiff; name="20070627133803012.tif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="20070627133803012.tif"
SUkqAAgUAP8AAwABAAABBAABgAYAAAEBBAABIwkAAAIBAwAB AQMBAwABAwYBAwABAAA FQANVgAEQAAEQAAEQA==
--DC_BOUND_PRE_<1182951483.74a1fa6d>--
Re: Innovative Host Blacklisting Idea
>> >> >> >> >> >> I'm trying out a new idea for blacklisting hosts. I have >> >> several email >> >> servers for processing spam. These servers service my lowered >> >> numbered >> >> >> > >> > As others said, not a good idea. >> > >> > Don't bother blacklisting them, if they hit your dummy mx record, they die, >> > don't retry, and have in effect blacklisted themselves. >> > >> > >> >> What I see happening is that they are hitting MX randomly. So sometimes >> they hit a good server and sometimes they hit the trap. Once they have >> hit the trap several times then they are blacklisted in my hostkarma >> blacklist and if they hit a real server they are rejected at connect time. >> >> On my servers less than 1% of all email attempts make it as far as spam >> assassin. This reduces it further. >> >> A simpler approach might be to blacklist senders that try multiple non-existent recipients, regardless of MX priority. BTW: at one time I was quite happy with some pre-filtering on my private mail (which is fetchmail ultimately feeding to SA) until I found that SA would no longer recognize some spam in the bayes section. So, if capacity permits, it might be a good idea to feed (a random sampling of) pre-filtered spam to sa-learn. Wolfgang
Re: emails to non existent recipients -- netzero.com fixed this problem?
>> >> On a related topic, netzero.com has been refusing connections from our SMTP >> servers. When I queried them the response I got was: >> >> have been blocked because we detected probe attempts. Activities like >> sending mail to non-existent accounts or empty connections would qualify as >> a "dictionary search" or "probing for valid addresses" and IP's used for >> such activity would be automatically blocked for a temporary period. >> >> Subsequent communications have dealt only with the non-existent accounts. >> Does blocking us on this basis make any sense? And has anybody else >> encountered similar issues with netzero? If so, how resolved? >> >> In their favor, they did at least respond to me. And it doesn't appear to be >> a robot (or if it is, at least an intelligent one) as it entered into a sort >> of a dialog. This is better than others who either don't respond or use a >> robotic response. Among these are yahoo.com, aol.com, bellsouth.net and >> charter.net. I list these here not as a form of criticism as I accept the >> possibility that we may have something configured incorrectly or >> sub-optimally. My real aim is to find other postmasters who have had similar >> problems with these (or other sites) and discover from them what it is we >> may need to change. >> Hi, this is not about netzero (but I am a particular friend of aol:( for similar reasons.) To start with, I am maintaining a web shop, so people will eventually complete a form with their email address, and the server will send them an order confirmation. We observed a certain rate of failed deliveries (perhaps 1%) due to visitors unable to spell their own email address correctly. After some time, I changed the system so that a connection is attempted when the visitor completes the form, and any 5xx response will result in a "please check your email address" to the browser. Of course a few domains that are known to bounce later (aol) are not probed.
Recipient servers could consider the same thing as address probing - how to tell them? About responses: I received a "please be patient" type of auto response from aol; when I mailed them the auto response back a week later, they informed me that they could not find the original message. Wolfgang Hamann
RE: emails to non existent recipients -- forward to spam honey pot.
>> Very interesting question!
>> I don't have any idea about how to do this but I'm interested in answers too! :-)
>> -Original message-
>> From: mbano [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, 12 June 2007 19:03
>> To: users@spamassassin.apache.org
>> Subject: emails to non existent recipients -- forward to spam honey pot.
>>
>> Hello all,
>> is there a way to give a higher score to email sent to a non-existent local recipient (detected via ldap) and even so collect them to a honey pot spam account for re-feeding the bayes, especially if the sender is the same ..
>> thanks for ideas...
>> cheers
>> Marco
Ideally your MTA should check that the recipient does not exist in ldap, and then either
- refuse the mail completely at the RCPT command
- redirect the mail to sa-learn (it is most likely spam) and then issue a 5xx error in response to the DATA command (if the message really was a typo, the sender will be informed that it could not be delivered)
Further, you might want to check your mails whether you can reject mails from your own address ("our roaming users are required to auth"). Note: some time ago eBay was sending certain mails this way ... they should have learned by now that this will also trigger SPF, DKIM, etc. Wolfgang Hamann
Re: Rejecting spam during SMTP session
Hi arni, once you are reading the .qmail file, the mail message has been accepted and queued. You can use qmail-scanner (which runs before queuing the message) to reject. Wolfgang Hamann
>> Hi,
>> for a while I've been watching my spamassassin perform great on almost all spam - I've never had any false positives and also a very low count of false negatives.
>> So I thought about rejecting sure spam during the SMTP session and came up with a few bits of shellscript code that's rejecting spam with a score of 10 and above (I normally mark spam at 5).
>> But I'm not really sure if I'm doing it correctly - it appears to me like I'm not rejecting mail but I'm bouncing it, which is surely not what I want.
>> Here is my code which is called as a qmail-command in my .qmail file.
>>
>> #!/bin/sh
>> # read the message from stdin, scan it, and keep the tagged copy in $message
>> message="`/usr/bin/spamassassin 2>/dev/null`"
>> if [ $? -ne 0 ]; then
>>   # sa returned an error (any non-zero status): defer (111) so we don't lose the mail
>>   exit 111
>> else
>>   # ten stars in X-Spam-Level means a score of 10 or more
>>   printf "%s\n" "$message" | grep -qs "X-Spam-Level: \*\*\*\*\*\*\*\*\*\*"
>>   if [ $? -eq 0 ]; then
>>     echo "Message was permanently rejected as spam" >&2
>>     exit 100
>>   else
>>     printf "%s\n" "$message" | maildir ./Maildir/
>>     exit $?
>>   fi
>> fi
>>
>> If you want to test the setup, you can send a mail with for example GTUBE to [EMAIL PROTECTED]
>> Your advice will be welcome,
>> arni
what's that?
Hi, I found this message in my inbox - no image, attachment, etc. besides that: >> Outlook send cool enhanced emails. Inserted body place images specific >> location, want. >> Selection it inserted body place images specific location want! Would that mean someone is trying to get auto-whitelisted for future messages, or is that a sign of broken ratware? Wolfgang Hamann
Re: German Spam
Hi Alex, thank you for this nice collection ... I had started to add a few of them. I agree with you that this spammer probably is not german, but I would guess that the person uses a dictionary / translator and is composing the message on a keyboard without umlauts. As for the imageshack: soon after a ruleset was posted that was looking for the extremely short message, I have seen some slightly longer ones Wolfgang Hamann
>>
>> > Apart from the imageshack stuff just seem to generally have a lot of spam in
>> > the german language getting through the filters, has anyone else experienced
>> > the same.
>>
>> Certainly. It's getting through, because there are almost no german
>> language specific rules in the default rules of SpamAssassin, and of
>> course the spam messages are variated a lot.
>>
>> Here are two self-made rules from the german stock spams from the last
>> few months I use in my local.cf:
>>
>>
>> body __AW_BS1 /KAUFEN KAUFEN KAUFEN/
>> body __AW_BS2 /DER I[_.]?N[_.]?VESTORALARM!/
>> body __AW_BS3 /RALLYE IST GESTARTET\b/i
>> body __AW_BS4 /AN ALLE F[_.]?INANZINVESTOREN!/i
>> body __AW_BS5 /DIESE A[_.]?KTIE WIRD D[_.]?URCHSTARTEN!/
>> body __AW_BS6 /L[_.]?ASSEN SIE SICH D[_.]?IESE C[_.]?HANCE N[_.]?ICHT E[_.]?NTGEHEN!/
>> body __AW_BS7 /ES IST EIN U[_.]?NGLAUBLICHES P[_.]?ROFITPOTENTIAL!/
>> body __AW_BS8 /STOCK TRADER ALERT!/
>> body __AW_BS9 /V[_.]?ERLIERE D[_.]?IESE C[_.]?HANCE N[_.]?ICHT!/
>> body __AW_BS10 /IST FRANKFURT DAS NEUE/
>> body __AW_BS11 /DIESES ist das, das du gewartet hast!/
>> body __AW_BS12 /Unsere Auswahl des Monats fliegt!!!/
>> body __AW_BS13 /Our pick of the Month is Flying!!!/
>> body __AW_BS14 /Our Best Pick of the Week/
>> body __AW_BS15 /Kaufen waehrend es noch billig ist/i
>> body __AW_BS16 /Es wird \d+% kurssprung erwartet/
>> body __AW_BS17 /eine schune Muglichkeit viel Geld zu verdinen/
>> body __AW_BS18 /Kaufen, kaufen und kaufen/
>> body __AW_BS19 /kursg[ew][ew]inn von \d+% in . tagen!/i
>> body __AW_BS20 /STARTET DIE HAUSSE!/
>>
>> meta AW_BOERSENSPAM __AW_BS1 || __AW_BS2 || __AW_BS3 || __AW_BS4 || __AW_BS5 || __AW_BS6 || __AW_BS7 || __AW_BS8 || __AW_BS9 || __AW_BS10 || __AW_BS11 || __AW_BS12 || __AW_BS13 || __AW_BS14 || __AW_BS15 || __AW_BS16 || __AW_BS17 || __AW_BS18 || __AW_BS19 || __AW_BS20
>> describe AW_BOERSENSPAM Promotion fuer penny stocks
>> score AW_BOERSENSPAM 3.5
>>
>> body __AW_PS1 /\b(?:C[_.]?ompany|Name |Firma): /
>> body __AW_PS2 /\bW.?K.?N\b/
>> body __AW_PS3 /\bI.?S.?I.?N\b/
>> body __AW_PS4 /\b(?:M[_.]?arkt|Handelsplatz|Borsenplatz ): /i
>> body __AW_PS5 /\b(?:K[_.]?urzel |Symbol): /i
>> body __AW_PS6 /\b(?:P[_.]?reis|Kurs|Price|Last price): [01]?[.,]/
>> body __AW_PS7 /\bPr[_.]?ognose: /
>> body __AW_PS8 /\b(?:S[_.]?panne|Weekrange): /
>> body __AW_PS9 /\b[0-9]+[- ]tages?[- ]ziel\b:? /i
>> meta AW_BOERSENSPAM2 (__AW_BS1 + __AW_BS2 + __AW_BS3 + __AW_BS4 + __AW_BS5 + __AW_BS6 + __AW_BS7 + __AW_BS8 + __AW_BS9 + __AW_BS10 + __AW_BS11 + __AW_BS12 + __AW_BS13 + __AW_BS14 + __AW_BS15 + __AW_BS16 + __AW_BS17 + __AW_BS18 + __AW_BS19 + __AW_BS20 + __AW_PS1 + __AW_PS2 + __AW_PS3 + __AW_PS4 + __AW_PS5 + __AW_PS6 + __AW_PS7 + __AW_PS8 + __AW_PS9 > 3)
>> describe AW_BOERSENSPAM2 Promotion fuer penny stocks 2
>> score AW_BOERSENSPAM2 3.5
>>
>>
>> If there is something that can be improved in these rules, please let me
>> know. They are quite quick 'n dirty.
>>
>> Interesting is the spelling. It seems to me the author of the spam
>> messages isn't german or of very low education, since his spelling and
>> style is really awful - like a child of 15 years. And the spam sending
>> software doesn't seem to be able to handle german Umlauts (äöüßÄÖÜ).
>> Well, perhaps that is a more generic spam indicator: german text but not
>> a single Umlaut. I must think about that.
>>
>> Alex
>>
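Added example, not code from the thread: a small Python re-implementation of how the quoted rules combine (the OR meta AW_BOERSENSPAM versus the counting meta AW_BOERSENSPAM2 with its threshold), plus the "German text but not a single Umlaut" heuristic that Alex only floats as an idea. The rule names mirror the post; the German word list and both sample bodies are constructed.

```python
import re

# A subset of the body patterns from the post, translated to Python regexes.
RULES = {
    "AW_BS1": re.compile(r"KAUFEN KAUFEN KAUFEN"),
    "AW_BS15": re.compile(r"Kaufen waehrend es noch billig ist", re.I),
    "AW_BS16": re.compile(r"Es wird \d+% kurssprung erwartet"),
    "AW_PS2": re.compile(r"\bW.?K.?N\b"),
    "AW_PS3": re.compile(r"\bI.?S.?I.?N\b"),
    "AW_PS6": re.compile(r"\b(?:P[_.]?reis|Kurs|Price|Last price): [01]?[.,]"),
    "AW_PS7": re.compile(r"\bPr[_.]?ognose: "),
}
# Constructed list of very common German function words (assumption, not from the post).
GERMAN_WORDS = re.compile(r"\b(?:und|nicht|ist|das|der|die|mit|sich|eine?)\b", re.I)
UMLAUTS = re.compile(r"[äöüßÄÖÜ]")


def rule_hits(body):
    """Names of the sub-rules that match, i.e. which __AW_* sub-rules would fire."""
    return sorted(name for name, rx in RULES.items() if rx.search(body))


def boersenspam_any(body):
    """AW_BOERSENSPAM style: a single distinctive phrase is enough."""
    return bool(rule_hits(body))


def boersenspam_count(body, threshold=3):
    """AW_BOERSENSPAM2 style: fires only when more than `threshold` weak
    sub-rules hit, so one stray 'Kurs:' in a legitimate mail is not enough."""
    return len(rule_hits(body)) > threshold


def german_without_umlauts(body, min_words=5):
    """Text that looks German but never uses an umlaut or sharp s.
    Weak indicator: legitimate senders on ASCII keyboards also write ae/oe/ue,
    so score it low and combine it with the rules above."""
    return len(GERMAN_WORDS.findall(body)) >= min_words and not UMLAUTS.search(body)


# Constructed samples in the style of the stock spam the post describes.
SAMPLE_SPAM = ("KAUFEN KAUFEN KAUFEN! Kaufen waehrend es noch billig ist. "
               "WKN: 123456 ISIN: DE0001234567 Preis: 0.12 Prognose: 1.50 "
               "Es wird 300% kurssprung erwartet und das ist nicht alles, "
               "die Aktie ist eine Chance mit Potential")
SAMPLE_HAM = ("Hallo Wolfgang, die Bestellung ist angekommen und das Paket "
              "war vollständig. Viele Grüße, Alex")
```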
Re: qmail auth not recognized
AbbaComm.Net wrote: >> Never mind, looking into this further there's no problem with the change >> made in r447014. The issue is qmail should be adding "with ESMTPA" and >> not "with ESMPTA". >> >> Daryl > > What do you mean? > > Is there a prob between qmail or qmail accessories and SA that you have > found? No. The previous mails in the thread, specifically the one you partially quoted, outline what we're talking about. Daryl Hi Daryl, thanks for spotting this one - I must be blind to character transpositions. @abbacomm.net: to summarize: very few qmail versions use the ESMTPA token to indicate that mail was auth'd; and SA versions before 3.1.8 ignored that token. In effect mail from an auth'd sender was misclassified as sent from dynamic ip Wolfgang Hamann
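Added example, not from the thread: a Python check that reads the "with" token of a Received header and treats only the RFC 3848 transmission types (ESMTPA, ESMTPSA, LMTPA, LMTPSA) as proof of SMTP AUTH, so the misspelled ESMPTA from the qmail patch falls through exactly as the older SpamAssassin did. The sample headers are constructed in the shape of the one posted; the user part and the IPs (192.0.2.0/24, the documentation range) are not from the thread.

```python
import re

AUTH_TOKENS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}   # RFC 3848 "with" tokens
# "with <token>" as written by the receiving MTA.
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)\b")
# Client IP either in Postfix/Sendmail brackets "[1.2.3.4]" or qmail's "(user@1.2.3.4)".
IP_RE = re.compile(r"[\[@](\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(header):
    """Return (client_ip, protocol_token, authenticated) for one Received header."""
    m_with = WITH_RE.search(header)
    m_ip = IP_RE.search(header)
    token = m_with.group(1).upper() if m_with else None
    ip = m_ip.group(1) if m_ip else None
    return ip, token, token in AUTH_TOKENS


def needs_dynamic_ip_checks(header):
    """True when the hop should still be scored against dynamic-IP lists (the
    DUL tests in the original post); False once the hop is seen as authenticated."""
    _ip, _token, authenticated = parse_received(header)
    return not authenticated


# Constructed headers. The first mimics the patched qmail from the thread with the
# misspelled token; the second is the same hop with the RFC 3848 spelling.
QMAIL_MISSPELLED = ("Received: from p5498acaa.dip0.t-ipconnect.de (HELO xxx) "
                    "(user@192.0.2.10) by mx.example.net with ESMPTA; "
                    "23 May 2007 15:05:04 -0000")
QMAIL_CORRECTED = QMAIL_MISSPELLED.replace("ESMPTA", "ESMTPA")
# Postfix style: TLS plus AUTH (ESMTPSA) versus TLS only (ESMTPS, not authenticated).
POSTFIX_TLS_AUTH = ("Received: from client.example.org (client.example.org "
                    "[192.0.2.20]) by mx.example.net (Postfix) with ESMTPSA "
                    "id 4XYZ; Wed, 23 May 2007 15:05:04 +0200")
POSTFIX_TLS_ONLY = POSTFIX_TLS_AUTH.replace("ESMTPSA", "ESMTPS")
```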
Re: qmail auth not recognized
Hi Daryl, you are speaking in riddles??? Wolfgang Daryl C. W. O'Shea wrote: >> >> Never mind, looking into this further there's no problem with the change >> made in r447014. The issue is qmail should be adding "with ESMTPA" and >> not "with ESMPTA". >> >> Daryl >>
qmail auth not recognized
Hi, here are header lines from a mail that a qmail server received from an authenticated user: X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on SuSE-101-64-minimal X-Spam-Level: X-Spam-Status: No, score=4.3 required=5.0 tests=NO_REAL_NAME,RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL autolearn=no version=3.1.8 Received: from p5498acaa.dip0.t-ipconnect.de (HELO xxx) ([EMAIL PROTECTED]) by xx with ESMPTA; 23 May 2007 15:05:04 - Note that default qmail does not report any auth status; the only qmail patch I know about uses ESMPTA for auth'd messages and SMTP otherwise. Wolfgang Hamann
Re: Catching mail sent from number addresses?
>> >> Hello! >> Perhaps i overlooked some test i could use for giving extra scores to >> mail sent from addresses like this: >> >> > X-Envelope-From: <[EMAIL PROTECTED]> >> >> e.g. i would think it useful if i could add a >> check for: >> address contains 4 or more digits, >> give it some extra score 1.x >> >> Perhaps someone is using such a rule already? >> >> -- >> Greetings >> MH >> Hi Matthias, some mail systems (e.g. hotmail) tend to have lots of valid users with that style of addresses. So if you add a rule to consider these as spam, you would need to add a whitelist of mail domains where that is normal... Wolfgang
Re: check mx and compare sender ip address ??
>> >> is there any way check mx record as from ip address and compare it sender ip >> address ? so spamassassin can decide its spam ?? >> Hi, some domains, unfortunately only few, use spf (or domainkeys) to declare the machines allowed to send mail for the domain. Now, if such information exists, and the mail does not match, you can safely drop it Wolfgang Hamann
Re: PNG vurnability
>> >> WiNK / Bor wrote: >> > Hi Guys, >> > >> > Not sure if this is the right list to ask it, but lots of people with >> > knowledge about it, >> > >> > how serious is the PNG file treat, i noticed it is default denied by >> > mailscanner. However i got some designers behind my mailscanner, which >> > also want receive png files? So i know i can whitelist these persons >> > by address and or domain, but i want to know about the severity of >> > potential treat caused by png files. >> >> >> http://www.sans.org/newsletters/risk/display.php?v=4&i=6#widely5 Doesn't this say that the real threat is a media player file referencing a png, and there is only a minor threat from plain png files? Wolfgang Hamann >>
Re: Tool for validating sender address as spam-fighting technique?
>> Sietse van Zanen wrote: >> > Ralf Hildebrandt wrote: >> > > Kelly Jones wrote: >> > > > To fight spam, I want to validate the address (not necessarily in >> > > > real-time) of the a given email sender. Is there a Unix tool that >> > > > does this? >> > > >> > > Postfix has exactly this built in. It's the >> > > "reject_unverified_sender" restriction. >> > >> > Yes, but you don't always want to reject such mails. NDR's, >> > automated mails etc are often send from empty or non-existent e-mail >> > addresses. >> >> Any legitimate email will have a valid sender address. That includes >> DSNs and automated messages. Within a small network it may be okay to >> use an invalid sending address locally. But for any mail across a wan >> the sending address must be able to receive bounces. >> >> So yes I do want to always reject mail with invalid sending addresses. >> Hi Bob, what happens if I put one such thing on my mailserver too and want to send you a mail? My outgoing MX starts a smtp connection, and then, at RCPT TO, your system starts a smtp dialogue with my incoming MX. Unless the machines are tightly coupled, my incoming MX does not expect to get a verification probe - it will believe that you try to send me some mail, and probe your machine. This looks like a source of infinite loops :( In fact, I usually configure servers to accept X sessions at most, and a smaller Y sessions from the same IP. So if your server does not have a session limit (or has set it to a higher value than mine) verification would ultimately fail when there are Y concurrent probes going on Of course the problem does not exist if an implementation chooses to accept the smtp data, and then reject at the end of data Wolfgang Hamann
Re: How can I reject messages with a wrong fullname.
>> >> > BAD Idea. >> > >> > I just looked at about 3 dozen pieces of e-mail. Only about 4 of them had >> > my real name. So would you also add extra points for that? >> >> Personally I'd say "bad idea" rather than "BAD idea". >> >> I in fact have such a rule that scores at around 2 points, and only about >> 10-15% of the time does it hit on anything other than spam, with one >> exception: the major thing it FPs on is messages I send and automatically >> bcc to myself. ;-) >> >> Loren >> Hi, let's say there is - no real name at all (generated by all sorts of feedback forms) - the name(s) you use for sending your own mail, and that people reply to - some names you use on purpose, and you know about (you might put some distinctive names there, to sort those bcc copies) - random names that some spammers made up I don't seem to have too many real correspondents that make fun of inventing new real names every day Wolfgang Hamann
Re: Custom To: rule variant to exclude matches?
SA Team, I have a fully functional SA installation that is serving me very well. I use Mailscanner and a few custom rules, and am generally very pleased with the results. There's one more rule that I'd like to run, but haven't figured out how to implement it. I want to use a header rule that will trigger on any mail sent to my domains that is to an address that is *not* in my test block, for example: header TO_ADDRESS_BOGUS To !~ /my|real|addresses|here/i describe TO_ADDRESS_BOGUS To: contains bogus address score TO_ADDRESS_BOGUS 5.0 I know about blacklists and whitelists and have a solution in place that works ok, but I really want a header rule like the one above. Yes, I've searched. Yes, I have found many rules that implement a To: match test but have not found a rule that implements a non-match test. I suspect that my use of !~ is incorrect, but lint is happy with that rule as-is. Is this type of rule possible? If so, how might I implement it? Hi John, this seems to mean that mail sent TO somebody else, with you on the CC list, would be filtered. Wolfgang
Re: Google Summer of Code 2007 ...
>> Not quite. Those show how many times *others* have seen it, not how >> many times *I* have seen it. Also, these have hysteresis so if you are >> unfortunate enough to be at the start of the spam run and receive multiple >> mails all with the same body then Razor, DCC and Pyzor might not >> help. Though if this were implemented then there would have to be a >> whitelist for mailing lists to which multiple users have subscribed. >> Hi, ixhash, which also works that way, definitely started its life as an inhouse mail counter. You could probably use ixhash or razor along with your own server rather than the public one Wolfgang