Re: [Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass

2017-09-27 Thread tlhackque via Mailman-Users
SpamAssassin:

Don't match X-Spam-Score unless you are extracting the value and doing
computation.  Note that the value isn't necessarily numeric - e.g.
'undef - 10.0.0.23 is whitelisted' is a valid value, as are '-1.6 (-)',
'0.70 () [Tag at 5.00] COMBINED_FROM,SUBJ_YOUR_DEBT,SPF(pass,0)' and '0.00%'

Instead, match X-Spam-Level, which is designed for regex matching.

This will have a value of '*' for score 1, '**' for score 10, etc.

So match for the minimum score that you consider spam.  (Obviously, in a
regex, you have to quote the *).

E.g. '^\*\*\*\*\*\*\*\*\*' will match a score of 9 or higher.

On 26-Sep-17 09:23, Richard Shetron wrote:
> Spamassassin produces a numeric rating for an email based on
> multiple rules.  Legitimate email can easily get a rating of 3 or 4
> based on the way you have it configured.  I've seen double digit
> ratings as well.  If you check for a single digit, you may be
> filtering legitimate emails that have a low score.
>
> On 9/26/2017 7:58 AM, Robert Heller wrote:
> [snip]
>>
>> I also use Spamassassin on my server, so having a rule like:
>>
>> "X-Spam-Score: \d"
>>
>> is also helpful at catching spam and phishing mail.
>>
> [snip]
>

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
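
Added example, not part of the original messages: it runs the `X-Spam-Score: \d` rule and a star-count `X-Spam-Level` rule over the header values quoted above. It assumes the list's header filter applies rules with `re.search` in case-insensitive, multiline mode and that SpamAssassin writes one `*` per whole point of score; `level_rule`, `header_block` and `evaluate` are hypothetical helper names, and the last two samples are constructed.

```python
import re

# Assumption: the list's header filter applies each rule with re.search,
# case-insensitive and multiline, over the whole header block.
FLAGS = re.IGNORECASE | re.MULTILINE
SCORE_RULE = r"X-Spam-Score: \d"  # the rule quoted in the thread

# (X-Spam-Score value, numeric score). The first four values are the ones
# quoted in the message above; the last two are constructed.
SAMPLES = [
    ("undef - 10.0.0.23 is whitelisted", 0.0),
    ("-1.6 (-)", -1.6),
    ("0.70 () [Tag at 5.00] COMBINED_FROM,SUBJ_YOUR_DEBT,SPF(pass,0)", 0.7),
    ("0.00%", 0.0),
    ("3.4", 3.4),
    ("12.8", 12.8),
]


def level_rule(min_score):
    """Rule that matches X-Spam-Level with at least min_score stars."""
    if min_score < 1:
        raise ValueError("a star-count rule needs a threshold of 1 or more")
    return r"^X-Spam-Level:[ \t]*\*{%d}" % min_score


def header_block(score_value, score):
    """Constructed headers; assumes one '*' per whole point of score."""
    stars = "*" * max(int(score), 0)
    return "X-Spam-Score: %s\nX-Spam-Level: %s\n" % (score_value, stars)


def evaluate(threshold):
    """Return (score value, score-rule hit, level-rule hit) per sample."""
    rows = []
    for value, score in SAMPLES:
        headers = header_block(value, score)
        by_score = re.search(SCORE_RULE, headers, FLAGS) is not None
        by_level = re.search(level_rule(threshold), headers, FLAGS) is not None
        rows.append((value, by_score, by_level))
    return rows


if __name__ == "__main__":
    for value, by_score, by_level in evaluate(9):
        print("%-5s %-5s %s" % (by_score, by_level, value))
```

With a threshold of 9 the score rule fires on every value that starts with a digit, including 0.00% and 0.70, while the level rule fires only on the 12.8 sample.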


Re: [Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass

2017-09-26 Thread Richard Shetron
Spamassassin produces a numeric rating for an email based on 
multiple rules.  Legitimate email can easily get a rating of 3 or 4 
based on the way you have it configured.  I've seen double digit ratings 
as well.  If you check for a single digit, you may be filtering 
legitimate emails that have a low score.


On 9/26/2017 7:58 AM, Robert Heller wrote:
[snip]


I also use Spamassassin on my server, so having a rule like:

"X-Spam-Score: \d"

is also helpful at catching spam and phishing mail.


[snip]


Re: [Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass

2017-09-26 Thread Robert Heller
One thing *I* have discovered is that "bogus" messages (e.g. phishing, etc. 
spam) often have various envelope headers that give them away.  One is a 
"Received: " from a mail server with no reverse DNS ('Received: from ... 
(unknown [ddd.ddd.ddd.ddd])'), so a spam filter rule like this:

"Received: from.*(unknown \[\d+\.\d+\.\d+\.\d+\])"

catches them.  Set this filter to "Hold", since *some* E-Mail 
clients/providers seem to use machines with non routing addresses either 
internally or otherwise (typically AOL over a Satellite Internet connection), 
which you will want to pass through manually.

I also use Spamassassin on my server, so having a rule like:

"X-Spam-Score: \d"

is also helpful at catching spam and phishing mail.


At Mon, 25 Sep 2017 21:31:05 -0700 Mark Sapiro  wrote:

> 
> On 09/25/2017 03:49 AM, Ralf Hildebrandt wrote:
> > Recent phishing mails are targeting mailing-lists -- and do pass.
> > 
> > From our logs:
> > Sep 25 12:10:41 2017 (1940) post to rundmail-it from 
> > sabishi.meis...@charite.de, size=4760, 
> > message-id=<486320030245.201792592...@charite.de>, success
> > 
> > But the headers of the mail that was automatically passed (since
> > sabishi.meis...@charite.de is a member) was:
> > 
> > From: "Sabishi.Meister@" 
> 
> 
> A post is considered to be from a list member if any of the headers in
> the Defaults.py/mm_cfg.py SENDER_HEADERS setting contains a member
> address. The default setting is
> 
> SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
> 
> (None means the envelope sender). Assuming you have the default setting,
> the sabishi.meis...@charite.de address was either the envelope sender or
> in Reply-To: or Sender:.
> 
> You could set
> 
> SENDER_HEADERS = ('from',)
> 
> in mm_cfg.py to test only the From: for list membership.
> 

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com       -- Webhosting Services
 


Re: [Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass

2017-09-25 Thread Mark Sapiro
On 09/25/2017 03:49 AM, Ralf Hildebrandt wrote:
> Recent phishing mails are targeting mailing-lists -- and do pass.
> 
> From our logs:
> Sep 25 12:10:41 2017 (1940) post to rundmail-it from 
> sabishi.meis...@charite.de, size=4760, 
> message-id=<486320030245.201792592...@charite.de>, success
> 
> But the headers of the mail that was automatically passed (since
> sabishi.meis...@charite.de is a member) was:
> 
> From: "Sabishi.Meister@" 


A post is considered to be from a list member if any of the headers in
the Defaults.py/mm_cfg.py SENDER_HEADERS setting contains a member
address. The default setting is

SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

(None means the envelope sender). Assuming you have the default setting,
the sabishi.meis...@charite.de address was either the envelope sender or
in Reply-To: or Sender:.

You could set

SENDER_HEADERS = ('from',)

in mm_cfg.py to test only the From: for list membership.

-- 
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan
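
Added example, not part of the original message and not Mailman's own code: a small audit helper that reports which SENDER_HEADERS entries would make a post count as coming from a member, comparing the default setting with `('from',)`. The function names, the addresses and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')  # default quoted above
FROM_ONLY = ('from',)                                          # suggested setting

# Constructed sample: the From: address is not a member, the Reply-To: is.
RAW = (
    'From: "Member Name" <someone@outside.example>\n'
    'Reply-To: member@list.example\n'
    'Subject: constructed sample\n'
    '\n'
    'body\n'
)
MEMBERS = {'member@list.example'}


def member_matches(msg, envelope_sender, members, sender_headers):
    """Return the SENDER_HEADERS entries that carry a member address.

    None stands for the envelope sender, as in the setting itself.
    """
    members = {m.lower() for m in members}
    hits = []
    for name in sender_headers:
        if name is None:
            addrs = [envelope_sender] if envelope_sender else []
        else:
            addrs = [a for _, a in getaddresses(msg.get_all(name, []))]
        if any(a.lower() in members for a in addrs):
            hits.append(name)
    return hits


def treated_as_member(msg, envelope_sender, members, sender_headers):
    """True if any configured header (or the envelope) has a member address."""
    return bool(member_matches(msg, envelope_sender, members, sender_headers))


if __name__ == '__main__':
    msg = message_from_string(RAW)
    env = 'bounce@outside.example'  # constructed envelope sender
    for setting in (DEFAULT_SENDER_HEADERS, FROM_ONLY):
        print(setting, member_matches(msg, env, MEMBERS, setting))
```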


[Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass

2017-09-25 Thread Ralf Hildebrandt
Recent phishing mails are targeting mailing-lists -- and do pass.

From our logs:
Sep 25 12:10:41 2017 (1940) post to rundmail-it from 
sabishi.meis...@charite.de, size=4760, 
message-id=<486320030245.201792592...@charite.de>, success

But the headers of the mail that was automatically passed (since
sabishi.meis...@charite.de is a member) was:

From: "Sabishi.Meister@" 

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155