Re: SpamSender with 2 @-signs in the address

2018-12-12 Thread Rupert Gallagher
Problem solved last year on this list.

Sent from ProtonMail Mobile

On Wed, Dec 12, 2018 at 15:32, Benny Pedersen  wrote:

> Matus UHLAR - fantomas wrote on 2018-12-12 14:55:
>
>> From: "name surname " 
>
> From:name ne From:addr
>
> don't know if SA can test this

Re: SpamSender with 2 @-signs in the address

2018-12-12 Thread Benny Pedersen

Matus UHLAR - fantomas wrote on 2018-12-12 14:55:


From: "name surname " 


From:name ne From:addr

don't know if SA can test this


Re: SpamSender with 2 @-signs in the address

2018-12-12 Thread Matus UHLAR - fantomas

On 03.12.2018 at 17:56, Andreas Galatis wrote:



for several weeks I have been getting mails with sender-addresses like „Harald Wieruch - 
Top Ten GmbH h.wieruch@top10ten.comxandra.hennem...@metco-gmbh.de“
The first part „Harald Wieruch – Top Ten GmbH h.wier...@top10ten.com“ stays the same, 
everything behind this address changes.


On 12.12.18 14:01, Matthias Leisi wrote:

Could it be stolen credentials from a client machine?  To access a shared
mailbox on an Exchange server, the login name needs to be specified as
„user\shared“ - and if both use SMTP-formatted addresses, this would look
like „u...@example.com\sharedmail...@example.com“.


I don't think so.
Just today I've seen a header like

From: "name surname " 

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


Re: SpamSender with 2 @-signs in the address

2018-12-12 Thread Matthias Leisi

> On 03.12.2018 at 17:56, Andreas Galatis wrote:

> for several weeks I have been getting mails with sender-addresses like „Harald 
> Wieruch - Top Ten GmbH h.wieruch@top10ten.comxandra.hennem...@metco-gmbh.de“
> The first part „Harald Wieruch – Top Ten GmbH h.wier...@top10ten.com“ stays 
> the same, everything behind this address changes.

Could it be stolen credentials from a client machine? To access a shared 
mailbox on an Exchange server, the login name needs to be specified as 
„user\shared“ - and if both use SMTP-formatted addresses, this would look like 
„u...@example.com\sharedmail...@example.com“. 

— Matthias





Re: SpamSender with 2 @-signs in the address

2018-12-11 Thread John Hardin

On Mon, 3 Dec 2018, sha...@shanew.net wrote:


On Mon, 3 Dec 2018, Alan Hodgson wrote:


On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote:


Yeah, I see all these same things.  Better to test against From:addr
rather than the full From:  Perhaps something like:

From:addr =~ /\@[^\s]+\@/

Of course, there might still be legit cases of that kind of usage.



The problem though for phishes is that some user agents (i.e. Outlook) only
display the quoted user-friendly part of the address, not the rest of the
From: header. So phishers specifically put a fake @domainbeingphished.com in
quotes so your users will see that.


There were several different plugins started about a year ago to
detect that sort of thing.  I know of:

https://github.com/enkidushane/sa-frommismatch
https://github.com/fmbla/spamassassin-fromnamespoof

and I think someone has implemented some of this in a regex rule, but
I don't recall off the top of my head who that was.



I was provided a spample by private email (and suggested they post it 
here) and it hits T_FROM_2_EMAILS from 20_khop_experimental.cf


https://ruleqa.spamassassin.org/20181211-r1848660-n/T_FROM_2_EMAILS/detail


Perhaps I'll do some FP-avoidance tuning and see if it can be made 
publishable.


I'm not sure whether it's hitting on a From header like:

"Johnny Fnord " 

I'll review that, too.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...a great many people are not fit for Liberty, it scares the crap
  out of them and they'd much rather be ruled. As Loki said in the
  Avengers movie, kneeling is their natural state.-- Mark D @ TSM
---
 4 days until Bill of Rights day

Re: SpamSender with 2 @-signs in the address

2018-12-05 Thread Grant Taylor

On 12/05/2018 06:17 AM, RW wrote:
Syntactically, it can be used as long as it's properly quoted or 
escaped. The use of such addresses is discouraged under SMTP, but only 
with a "SHOULD NOT".


I wonder how many user interfaces will balk at the (Source) Route 
Addressing.  I mean, if they can't handle user+detail, what hopes do we 
have that (Source) Route Addressing will work.


I just tested Gmail, and it doesn't work.



--
Grant. . . .
unix || die





Re: SpamSender with 2 @-signs in the address

2018-12-05 Thread RW
On Mon, 3 Dec 2018 21:15:20 -0700
Grant Taylor wrote:

> As far as I know, (other than LONG deprecated source routing) the @ 
> character is a reserved special character and can't be used as
> part of the local part.

Syntactically, it can be used as long as it's properly quoted or
escaped. The use of such addresses is discouraged under SMTP, but only
with a "SHOULD NOT".


Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Alan Hodgson
On Wed, 2018-12-05 at 00:17 +, David Jones wrote:
> I think he meant that DKIM related to DMARC means the DKIM signature has 
> to align/match the From: header domain to pass which is DKIM_VALID_AU in SA.
> 
> In the case of SPF, DMARC will pass if the envelope-from domain check 
> hits SPF_PASS in SA.
> 

Not quite; DMARC also requires the envelope sender domain to be aligned
with the From: header domain to pass on an SPF_PASS.


Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread David Jones
On 12/4/18 9:09 AM, Benny Pedersen wrote:
> Bill Cole wrote on 2018-12-04 03:58:
> 
>> DKIM and DMARC *ONLY* operate on headers, *NEVER* on the envelope.
> 
> SPF is part of DMARC so not correct

I think he meant that DKIM related to DMARC means the DKIM signature has 
to align/match the From: header domain to pass which is DKIM_VALID_AU in SA.

In the case of SPF, DMARC will pass if the envelope-from domain check 
hits SPF_PASS in SA.

DMARC_PASS = SPF_PASS || DKIM_VALID_AU
DMARC_FAIL = !SPF_PASS && !DKIM_VALID_AU
DMARC_REJECT = DMARC_FAIL && DMARC record contains p=reject

-- 
David Jones
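An added worked example (not David's or SpamAssassin's code) of the DMARC logic sketched above, with the correction from Alan Hodgson's reply: SPF_PASS only counts toward DMARC when the envelope-sender domain is aligned with the From: domain, the alignment that DKIM_VALID_AU already builds in on the DKIM side. All domains are constructed placeholders, and the organizational-domain lookup is a two-label approximation rather than a Public Suffix List lookup, as noted in the code.

```python
from typing import NamedTuple, Optional


class AuthResults(NamedTuple):
    """The inputs DMARC evaluates, named after the identifiers in the thread."""
    from_domain: str            # RFC5322.From domain (the From: header)
    spf_pass: bool              # SA's SPF_PASS: the MAIL FROM domain passed SPF
    envelope_from_domain: str   # RFC5321.MailFrom domain that SPF actually checked
    dkim_valid: bool            # a DKIM signature verified
    dkim_d: Optional[str]       # d= tag of that signature, None if unsigned


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels.

    Assumption for this example only: real DMARC uses the Public Suffix List,
    so a name like 'example.co.uk' would be handled wrongly here.
    """
    labels = domain.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str = 'r') -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == 's':
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def dkim_valid_au(r: AuthResults, adkim: str = 'r') -> bool:
    """SA's DKIM_VALID_AU: a valid signature whose d= aligns with From:."""
    return r.dkim_valid and r.dkim_d is not None and aligned(r.dkim_d, r.from_domain, adkim)


def spf_aligned_pass(r: AuthResults, aspf: str = 'r') -> bool:
    """SPF_PASS alone is not enough: MAIL FROM must also align with From:."""
    return r.spf_pass and aligned(r.envelope_from_domain, r.from_domain, aspf)


def dmarc_pass(r: AuthResults, aspf: str = 'r', adkim: str = 'r') -> bool:
    """DMARC_PASS = aligned SPF pass OR DKIM_VALID_AU."""
    return spf_aligned_pass(r, aspf) or dkim_valid_au(r, adkim)


def dmarc_disposition(r: AuthResults, policy: str, aspf: str = 'r', adkim: str = 'r') -> str:
    """Map the result to the p= action; DMARC_REJECT needs both a fail and p=reject."""
    if dmarc_pass(r, aspf, adkim):
        return 'pass'
    return {'reject': 'reject', 'quarantine': 'quarantine'}.get(policy, 'none')


# Constructed scenarios with placeholder domains.
# The phishing case from the thread: SPF passes for the attacker's own MAIL FROM
# domain while the From: header claims the phished domain.
PHISH_SPF_ONLY = AuthResults('bank.example', True, 'attacker.example', False, None)
# A bounce subdomain: passes under relaxed alignment only.
LEGIT_SUBDOMAIN = AuthResults('bank.example', True, 'bounce.bank.example', False, None)
# Valid DKIM from a third-party sender, but d= is not the From: domain.
DKIM_THIRD_PARTY = AuthResults('bank.example', True, 'esp.example', True, 'esp.example')
# Forwarded mail that broke SPF but carries an aligned DKIM signature.
DKIM_ALIGNED = AuthResults('bank.example', False, 'attacker.example', True, 'bank.example')

if __name__ == '__main__':
    for name, r in [('phish', PHISH_SPF_ONLY), ('subdomain', LEGIT_SUBDOMAIN),
                    ('third-party dkim', DKIM_THIRD_PARTY), ('aligned dkim', DKIM_ALIGNED)]:
        print(f'{name:17s} DMARC pass={dmarc_pass(r)} p=reject -> {dmarc_disposition(r, "reject")}')
```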


Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Benny Pedersen

Bill Cole wrote on 2018-12-04 03:58:


DKIM and DMARC *ONLY* operate on headers, *NEVER* on the envelope.


SPF is part of DMARC so not correct


Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Benny Pedersen

Grant Taylor wrote on 2018-12-03 20:16:

From: "John Doe " 



it could be tested that From:name is equal with From:addr on the domain 
part


but debate is 2 @ in From:addr not 2 in whole From:

just something to try if it helps


Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Bill Cole
On 3 Dec 2018, at 15:04, Grant Taylor wrote:

> It's my understanding that spamass-milter provides the envelope details to 
> SpamAssassin.  -  I thought (assumed?) that SpamAssassin was treating the 
> SMTP envelope information properly and independently of the From: header.


See the documentation of envelope_sender_header ('perldoc 
Mail::SpamAssassin::Conf' is your friend!)

A milter receives messages without any headers (like Return-Path and the 
terminal Received) that get added by the MTA as it queues mail for delivery. 
The only way it can provide the envelope details to SpamAssassin is through 
synthetic headers which mimic what the MTA and/or delivery agent would add 
during queueing and/or delivery. I would expect that this is what 
spamass-milter does, as it has been done by other SA milters (e.g. MIMEDefang) 
forever.



Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Grant Taylor

On 12/3/18 6:08 PM, RW wrote:
I think, as the name suggests, that was multiple "bangs" (a bang 
being the character "!"),


I was implying routing like UUCP bang paths.  As in host 1 via host 2 
via host 3.


Check out (source) route addressing in RFC 822 §§ 6.1 (Address 
Specification) Syntax, 6.2.7 - Explicit Path Specification, and C.5.4 - 
Route Addressing.  § C.5.4 makes back reference to RFC 733 and I found 
info in § IV.A.1.f.


RFC 822 deprecated the source route addressing in 1982.  But it was 
officially defined.


I think an @ can be a part of a local-part, but it is really about 
usage.


As far as I know, (other than LONG deprecated source routing) the @ 
character is a reserved special character and can't be used as part 
of the local part.


I wonder if there is a point to it? Is there a client that 
ends-up displaying something misleading?


The reason for the multiple @ signs in an actual email address (not 
human friendly name / description) was to route email through servers. 
Similar to the way that UUCP bang paths work.  According to my skim of 
RFC 733, it was primarily used for routing through disparate networks 
with few points of interconnection.


Route Addressing may be deprecated, but it seems to still work.  I just 
sent a message from my mail server (MSA), to my backup MX, back to my 
main MTA (same machine as the MSA) via route addressing and it worked. 
The syntax is a bit odd, but it does still work.




--
Grant. . . .
unix || die





Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Bill Cole
On 3 Dec 2018, at 16:26, Grant Taylor wrote:

> I know that it's strictly against protocol definition, but I've wondered 
> about applying SPF and / or DKIM and / or DMARC to apparent email addresses 
> in the human friendly part of From: headers.

DKIM and DMARC *ONLY* operate on headers, *NEVER* on the envelope.

-- 
Bill Cole




Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread RW
On Mon, 3 Dec 2018 11:15:44 -0700
Grant Taylor wrote:


> I think a LONG time ago, likely before SpamAssassin was a thing, it
> was valid to have multiple @ signs in an email address.  This was a
> method of routing messages through other servers.  Think UUCP bang
> path.

I think, as the name suggests, that was multiple "bangs" (a bang
being the character "!"),


> I don't think the multiple @ signs have worked in a very long time.
> So I see no reason not to add score based on multiple @ signs.  Or if
> there is a legitimate use for it, it should be extremely rare and the
> false positive rate should be acceptable.

I think an @ can be a part of a local-part, but it is really about
usage. 

I wonder if there is a point to it? Is there a client that
ends-up displaying something misleading? 


Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread shanew

On Mon, 3 Dec 2018, Alan Hodgson wrote:


On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote:


Yeah, I see all these same things.  Better to test against From:addr
rather than the full From:  Perhaps something like:

From:addr =~ /\@[^\s]+\@/

Of course, there might still be legit cases of that kind of usage.



The problem though for phishes is that some user agents (i.e. Outlook) only
display the quoted user-friendly part of the address, not the rest of the
From: header. So phishers specifically put a fake @domainbeingphished.com in
quotes so your users will see that.


There were several different plugins started about a year ago to
detect that sort of thing.  I know of:

https://github.com/enkidushane/sa-frommismatch
https://github.com/fmbla/spamassassin-fromnamespoof

and I think someone has implemented some of this in a regex rule, but
I don't recall off the top of my head who that was.

--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                |  System Admin - UT CompSci
=--+---
All syllogisms contain three lines |  sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Grant Taylor

On 12/03/2018 01:51 PM, Alan Hodgson wrote:
The problem though for phishes is that some user agents (i.e. Outlook) 
only display the quoted user-friendly part of the address, not the rest 
of the From: header. So phishers specifically put a fake 
@domainbeingphished.com in quotes so your users will see that.


I know that it's strictly against protocol definition, but I've wondered 
about applying SPF and / or DKIM and / or DMARC to apparent email 
addresses in the human friendly part of From: headers.


I know that this is actively discouraged, but I do not consider it to be 
outside of the realm of consideration /if/ this was a large enough 
problem on my server.


It's your server and you're free to break other people's rules as you see 
fit.  My only request is that you be honest about the fact that you 
break the rules.  ;-)




--
Grant. . . .
unix || die





Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Alan Hodgson
On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote:
> Yeah, I see all these same things.  Better to test against From:addr
> rather than the full From:  Perhaps something like:
> 
> From:addr =~ /\@[^\s]+\@/
> 
> Of course, there might still be legit cases of that kind of usage.
> 

The problem though for phishes is that some user agents (i.e. Outlook)
only display the quoted user-friendly part of the address, not the rest
of the From: header. So phishers specifically put a fake
@domainbeingphished.com in quotes so your users will see that.

I don't think I've ever seen multiple @'s in any single address part,
not since the mid-90s anyway. It would definitely be safe to block on
that for any single address.

Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Grant Taylor

On 12/03/2018 12:17 PM, sha...@shanew.net wrote:

Of course, there might still be legit cases of that kind of usage.


I would think that the legit cases are far apart and few in between.  I 
would expect a very low false positive rate on rules to match multiple @ 
signs.




--
Grant. . . .
unix || die





Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Grant Taylor

On 12/03/2018 12:38 PM, David B Funk wrote:
Are you talking about the SMTP-envelope From address or the 'Header' 
from addresses?


I was originally talking about email addresses in general, be it the 
SMTP envelope from address or the machine parsable part of the From: 
header, between the angle brackets.


Then when Alan commented about an @ sign in the human friendly portion 
and the machine parsable part of the From: header, I clarified that I 
was excluding the human friendly portion of the From: header.


It's possible to set those two different pieces of information to the 
same value but note that they are -not- the same attribute.


Agreed.

Depending upon how your SA is glued into your mail system your SA may 
not even have any visibility into the SMTP-envelope From address.


Understood.

It's my understanding that spamass-milter provides the envelope details 
to SpamAssassin.  -  I thought (assumed?) that SpamAssassin was treating 
the SMTP envelope information properly and independently of the From: 
header.


Under ordinary circumstances you will not see the SMTP-envelope From 
address in an e-mail message.


Typically not.  But I've seen it there in a few different ways.  Usually 
an extra site local header with the envelope information.  It's also 
frequently possible to derive the SMTP recipient if there is only one 
and it's encoded in the most recent Received: header.


All the parts you see following that "From: " header element in a 
message are the 'Header' from.


Agreed.


That's the "from:addr" component of the header from address.


ACK



--
Grant. . . .
unix || die





Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread David B Funk

On Mon, 3 Dec 2018, Grant Taylor wrote:


On 12/03/2018 11:53 AM, Alan Hodgson wrote:
I've been watching these for a while, and unfortunately there are a lot of 
customer-service type systems that send From: addresses with quoted @domain 
addresses in them. Many of them do "user@address via" 
, but not all.


Sorry, I was talking about the SMTP envelope.  The unquoted part between 
angle brackets.


Are you talking about the SMTP-envelope From address or the 'Header' from 
addresses?
It's possible to set those two different pieces of information to the same value 
but note that they are -not- the same attribute.


Depending upon how your SA is glued into your mail system your SA may not even 
have any visibility into the SMTP-envelope From address.


Under ordinary circumstances you will not see the SMTP-envelope From address in 
an e-mail message.
All the parts you see following that "From: " header element in a message are 
the 'Header' from.


[snip...]


So you will definitely get false positives just looking at @'s.


I was talking about only counting the @ signs in the unquoted part between 
angle brackets.  The  in the following example.


That's the "from:addr" component of the header from address.

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin        Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread shanew

Yeah, I see all these same things.  Better to test against From:addr
rather than the full From:  Perhaps something like:

From:addr =~ /\@[^\s]+\@/

Of course, there might still be legit cases of that kind of usage.


On Mon, 3 Dec 2018, Alan Hodgson wrote:


On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote:

I don't think the multiple @ signs have worked in a very long time.  So 
I see no reason not to add score based on multiple @ signs.  Or if there 
is a legitimate use for it, it should be extremely rare and the false 
positive rate should be acceptable.




I've been watching these for a while, and unfortunately there are a lot of
customer-service type systems that send From: addresses with quoted @domain
addresses in them. Many of them do "user@address via"
, but not all.

And then there are the messages with 2 different From: addresses within <>'s
in them. I see those from Gmail sometimes.

And I see quite a few messages where the actual sender address is given in
quotes and then followed by the same address in <>'s.

So you will definitely get false positives just looking at @'s.

I've excluded the ones with " via" in them and add a bunch of extra points
if they come from phishy countries or have .doc or .pdf attachments, and
that hits fewer fps. And I'm only scoring if the domain parts don't match.




--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                |  System Admin - UT CompSci
=--+---
All syllogisms contain three lines |  sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Grant Taylor

On 12/03/2018 11:53 AM, Alan Hodgson wrote:
I've been watching these for a while, and unfortunately there are a 
lot of customer-service type systems that send From: addresses with 
quoted @domain addresses in them. Many of them do "user@address via" 
, but not all.


Sorry, I was talking about the SMTP envelope.  The unquoted part between 
angle brackets.


And then there are the messages with 2 different From: addresses within 
<>'s in them. I see those from Gmail sometimes.


I've heard tell of these, but I've not seen one myself.  But I'm a SOHO 
operator.


And I see quite a few messages where the actual sender address is given 
in quotes and then followed by the same address in <>'s.


I don't see any overt problem with that.  Though I do think the address 
in the human friendly quote is unnecessary and redundant.



So you will definitely get false positives just looking at @'s.


I was talking about only counting the @ signs in the unquoted part 
between angle brackets.  The  in the following 
example.


From: "John Doe " 

I've excluded the ones with " via" in them and add a bunch of extra points 
if they come from phishy countries or have .doc or .pdf attachments, and 
that hits fewer fps. And I'm only scoring if the domain parts don't match.


I feel like the contents of the human friendly quoted part of the From: 
header should be subject to different and distinct scrutiny than the 
machine parsable part outside of quotes.




--
Grant. . . .
unix || die





Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Alan Hodgson
On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote:
> I don't think the multiple @ signs have worked in a very long time.  So 
> I see no reason not to add score based on multiple @ signs.  Or if there 
> is a legitimate use for it, it should be extremely rare and the false 
> positive rate should be acceptable.


I've been watching these for a while, and unfortunately there are a lot
of customer-service type systems that send From: addresses with quoted
@domain addresses in them. Many of them do "user@address via"
, but not all.

And then there are the messages with 2 different From: addresses within
<>'s in them. I see those from Gmail sometimes.

And I see quite a few messages where the actual sender address is given
in quotes and then followed by the same address in <>'s.

So you will definitely get false positives just looking at @'s.

I've excluded the ones with " via" in them and add a bunch of extra
points if they come from phishy countries or have .doc or .pdf
attachments, and that hits fewer fps. And I'm only scoring if the
domain parts don't match.
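As an added illustration (not code from this thread, from SpamAssassin, or from the plugins linked elsewhere in it), a small Python checker that applies the heuristics discussed here: shanew's From:addr test for a second @, the comparison of an address embedded in From:name against the From:addr domain, and the "user@address via" exemption with a separate, lower-weight result. The sample headers use constructed placeholder domains and the rule names are invented for the example.

```python
import re
from typing import List, NamedTuple

# Constructed sample From: headers (placeholder domains, not the thread's spample).
SAMPLE_HEADERS = [
    '"Jane Doe jane@bank.example" <noreply@attacker.example>',
    '"Jane Doe jane@bank.example via" <support@helpdesk.example>',
    '"jane@bank.example" <jane@bank.example>',
    '"Jane Doe" <jane@bank.examplebob@other.example>',
    'Jane Doe <jane@bank.example>',
]

# addr-spec-looking tokens inside free text (good enough for display names)
EMBEDDED_ADDR = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
# shanew's proposed From:addr test, /\@[^\s]+\@/, in Python syntax
MULTI_AT = re.compile(r'@\S+@')


class FromParts(NamedTuple):
    name: str  # display name, what SA calls From:name
    addr: str  # addr-spec between <>, what SA calls From:addr


def split_from(header: str) -> FromParts:
    """Split a From: header value into display name and addr-spec.

    The last <...> group is taken as the addr-spec, so an address that a
    sender hides inside the quoted display name stays in From:name.
    """
    header = header.strip()
    m = re.search(r'<([^<>]*)>\s*$', header)
    if not m:
        return FromParts('', header)  # bare addr-spec, no display name
    name = header[:m.start()].strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]
    return FromParts(name, m.group(1).strip())


def domain_of(addr: str) -> str:
    return addr.rpartition('@')[2].lower()


def assess(header: str) -> List[str]:
    """Return the (invented) rule names that fire for one From: header."""
    parts = split_from(header)
    hits: List[str] = []
    # 1. More than one @ inside the machine-parsable part.
    if MULTI_AT.search(parts.addr):
        hits.append('FROM_ADDR_MULTI_AT')
    # 2. An address shown in the display name whose domain differs from the
    #    real From:addr domain (what an Outlook user actually sees).  The
    #    "user@address via" style gets its own result so it can be scored
    #    lower; an address repeated with the same domain is left alone.
    for embedded in EMBEDDED_ADDR.findall(parts.name):
        if domain_of(embedded) != domain_of(parts.addr):
            if re.search(r'\bvia\b', parts.name, re.IGNORECASE):
                hits.append('FROM_NAME_VIA')
            else:
                hits.append('FROM_NAME_DOMAIN_MISMATCH')
            break
    return hits


if __name__ == '__main__':
    for h in SAMPLE_HEADERS:
        print(f'{assess(h) or ["-"]}\t{h}')
```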

Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread Grant Taylor

On 12/03/2018 09:56 AM, Andreas Galatis wrote:
How come SpamAssassin doesn't block mail senders with 2 @-signs in 
the address?


First:  I don't think that SpamAssassin should block anything on any 
single (normal) test.  IMHO it should increment the spam score and 
something should decide to accept or reject the message based on the 
aggregate spam score from all the tests.


I think a LONG time ago, likely before SpamAssassin was a thing, it was 
valid to have multiple @ signs in an email address.  This was a method 
of routing messages through other servers.  Think UUCP bang path.


Is there any possibility to stop those mails, all of them having Word 
docs attached, containing a trojan horse?


I don't think the multiple @ signs have worked in a very long time.  So 
I see no reason not to add score based on multiple @ signs.  Or if there 
is a legitimate use for it, it should be extremely rare and the false 
positive rate should be acceptable.




--
Grant. . . .
unix || die





Re: SpamSender with 2 @-signs in the address

2018-12-03 Thread John Hardin

On Mon, 3 Dec 2018, Andreas Galatis wrote:


for several weeks I have been getting mails with sender-addresses like "Harald
Wieruch - Top Ten GmbH h.wieruch@top10ten.comxandra.hennem...@metco-gmbh.de"

The first part "Harald Wieruch - Top Ten GmbH h.wier...@top10ten.com" stays
the same, everything behind this address changes.

How come SpamAssassin doesn't block mail senders with 2 @-signs in the
address?


Trivial answer: because there is no poison-pill rule for that being 
published.



Is there any possibility to stop those mails, all of them having Word docs
attached, containing a trojan horse?


A rule can certainly be written for that, but if it doesn't occur in the 
masscheck corpus then that rule won't be promoted and published.



Any help is very welcome


If you could post a spample to pastebin (modify the recipient address as 
needed to maintain privacy, but don't change anything else) it would help 
writing a rule that actually does match.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...in the 2nd amendment the right to arms clause means you have
  the right to choose how many arms you want, and the militia clause
  means that Congress can punish you if the answer is "none."
-- David Hardy, 2nd Amendment scholar
---
 4 days until The 77th anniversary of Pearl Harbor


SpamSender with 2 @-signs in the address

2018-12-03 Thread Andreas Galatis
Hi list,


for several weeks I have been getting mails with sender-addresses like "Harald
Wieruch - Top Ten GmbH h.wieruch@top10ten.comxandra.hennem...@metco-gmbh.de"

The first part "Harald Wieruch - Top Ten GmbH h.wier...@top10ten.com" stays
the same, everything behind this address changes.


How come SpamAssassin doesn't block mail senders with 2 @-signs in the
address?

Is there any possibility to stop those mails, all of them having Word docs
attached, containing a trojan horse?


Any help is very welcome


Andreas
