Re: [Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass
SpamAssassin: Don't match X-Spam-Score unless you are extracting the value and doing computation. Note that the value isn't necessarily numeric - e.g. 'undef - 10.0.0.23 is whitelisted' is a valid value, as are '-1.6 (-)', '0.70 () [Tag at 5.00] COMBINED_FROM,SUBJ_YOUR_DEBT,SPF(pass,0)' and '0.00%'.

Instead, match X-Spam-Level, which is designed for regex matching. This will have a value of '*' for score 1, '**' for score 10, etc. So match for the minimum score that you consider spam. (Obviously, in a regex, you have to quote the *.) E.g. '^\*\*\*\*\*\*\*\*\*' will match a score of 9 or higher.

On 26-Sep-17 09:23, Richard Shetron wrote:
> Spamassassin produces a numeric rating for an email based on
> multiple rules. Legitimate email can easily get a rating of 3 or 4
> based on the way you have it configured. I've seen double digit
> ratings as well. If you check for a single digit, you may be
> filtering legitimate emails that have a low score.
>
> On 9/26/2017 7:58 AM, Robert Heller wrote:
> [snip]
>>
>> I also use Spamassassin on my server, so having a rule like:
>>
>> "X-Spam-Score: \d"
>>
>> is also helpful at catching spam and phishing mail.
>>
> [snip]
>

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
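
The difference between the two header rules discussed above, as an added example that is not part of the original message or of Mailman: it runs the quoted "X-Spam-Score: \d" rule and a star-count rule on X-Spam-Level over constructed header blocks. The function names, the sample headers and the use of plain re.search with MULTILINE and IGNORECASE are assumptions.

```python
import re

NAIVE_RULE = r"X-Spam-Score: \d"  # the rule quoted in the thread

def level_rule(min_score):
    """Build a regex that matches X-Spam-Level with at least min_score stars."""
    if min_score < 1:
        raise ValueError("min_score must be at least 1")
    # [ \t]* instead of \s* so the match cannot run on into the next header line
    return r"^X-Spam-Level:[ \t]*" + r"\*" * min_score

def matches(rule, headers):
    # Assumption: the rule is applied with plain re.search over the raw header block.
    return re.search(rule, headers, re.MULTILINE | re.IGNORECASE) is not None

# Constructed header blocks. The X-Spam-Score values of "negative",
# "whitelisted" and "tagged" are the ones listed in the message above.
SAMPLES = {
    "negative": "X-Spam-Score: -1.6 (-)\nX-Spam-Level: \n",
    "whitelisted": "X-Spam-Score: undef - 10.0.0.23 is whitelisted\n",
    "tagged": ("X-Spam-Score: 0.70 () [Tag at 5.00] "
               "COMBINED_FROM,SUBJ_YOUR_DEBT,SPF(pass,0)\nX-Spam-Level: \n"),
    "ham_3": "X-Spam-Score: 3.2\nX-Spam-Level: ***\n",
    "spam_9": "X-Spam-Score: 9.4\nX-Spam-Level: *********\n",
}

def compare(min_score=5):
    """Return {sample name: (naive rule hit, X-Spam-Level rule hit)}."""
    rule = level_rule(min_score)
    return {name: (matches(NAIVE_RULE, hdrs), matches(rule, hdrs))
            for name, hdrs in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, level) in compare().items():
        print(f"{name:12} naive={naive!s:5} level>=5={level}")
```

The naive rule fires on any score that starts with a digit, including 0.70 and 3.2, while the star rule fires only at or above the chosen threshold.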
Re: [Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass
Spamassassin produces a numeric rating for an email based on multiple rules. Legitimate email can easily get a rating of 3 or 4 based on the way you have it configured. I've seen double digit ratings as well. If you check for a single digit, you may be filtering legitimate emails that have a low score.

On 9/26/2017 7:58 AM, Robert Heller wrote:
[snip]
>
> I also use Spamassassin on my server, so having a rule like:
>
> "X-Spam-Score: \d"
>
> is also helpful at catching spam and phishing mail.
>
[snip]
Re: [Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass
One thing *I* have discovered is that "bogus" messages (e.g. phishing, etc. spam) often have various envelope headers that give them away. One is a "Received: " from a mail server with no reverse DNS ('Received: from ... (unknown [ddd.ddd.ddd.ddd])'), so a spam filter rule like this:

"Received: from.*(unknown \[\d+\.\d+\.\d+\.\d+\])"

catches them. Set this filter to "Hold", since *some* E-Mail clients/providers seem to use machines with non routing addresses either internally or otherwise (typically AOL over a Satellite Internet connection), which you will want to pass through manually.

I also use Spamassassin on my server, so having a rule like:

"X-Spam-Score: \d"

is also helpful at catching spam and phishing mail.

At Mon, 25 Sep 2017 21:31:05 -0700 Mark Sapiro wrote:

>
> On 09/25/2017 03:49 AM, Ralf Hildebrandt wrote:
> > Recent phishing mails are targeting mailing-lists -- and do pass.
> >
> > From our logs:
> > Sep 25 12:10:41 2017 (1940) post to rundmail-it from
> > sabishi.meis...@charite.de, size=4760,
> > message-id=<486320030245.201792592...@charite.de>, success
> >
> > But the headers of the mail that was automatically passed (since
> > sabishi.meis...@charite.de is a member) was:
> >
> > From: "Sabishi.Meister@"
>
>
> A post is considered to be from a list member if any of the headers in
> the Defaults.py/mm_cfg.py SENDER_HEADERS setting contains a member
> address. The default setting is
>
> SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
>
> (None means the envelope sender). Assuming you have the default setting,
> the sabishi.meis...@charite.de address was either the envelope sender or
> in Reply-To: or Sender:.
>
> You could set
>
> SENDER_HEADERS = ('from',)
>
> in mm_cfg.py to test only the From: for list membership.
>

--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com       -- Webhosting Services
Re: [Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass
On 09/25/2017 03:49 AM, Ralf Hildebrandt wrote:
> Recent phishing mails are targeting mailing-lists -- and do pass.
>
> From our logs:
> Sep 25 12:10:41 2017 (1940) post to rundmail-it from
> sabishi.meis...@charite.de, size=4760,
> message-id=<486320030245.201792592...@charite.de>, success
>
> But the headers of the mail that was automatically passed (since
> sabishi.meis...@charite.de is a member) was:
>
> From: "Sabishi.Meister@"

A post is considered to be from a list member if any of the headers in the Defaults.py/mm_cfg.py SENDER_HEADERS setting contains a member address. The default setting is

SENDER_HEADERS = ('from', None, 'reply-to', 'sender')

(None means the envelope sender). Assuming you have the default setting, the sabishi.meis...@charite.de address was either the envelope sender or in Reply-To: or Sender:.

You could set

SENDER_HEADERS = ('from',)

in mm_cfg.py to test only the From: for list membership.

--
Mark Sapiro                              The highway is for gamblers,
San Francisco Bay Area, California       better use your sense - B. Dylan
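
The effect of the two SENDER_HEADERS values described above, as an added example that is a simplified model and not Mailman's own code: it checks a constructed post whose From: is a non-member but whose Reply-To: is a member. The function names, addresses and messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

DEFAULT_SENDER_HEADERS = ('from', None, 'reply-to', 'sender')  # default quoted above
FROM_ONLY = ('from',)                                          # suggested setting

def candidate_senders(msg, envelope_sender, sender_headers):
    """Collect every address this model's membership test looks at."""
    found = []
    for header in sender_headers:
        if header is None:                  # None means the envelope sender
            if envelope_sender:
                found.append(envelope_sender.lower())
        else:
            values = msg.get_all(header, [])
            found += [addr.lower() for _, addr in getaddresses(values) if addr]
    return found

def is_member_post(msg, envelope_sender, members, sender_headers):
    """True if any candidate sender address is on the membership list."""
    senders = candidate_senders(msg, envelope_sender, sender_headers)
    return any(addr in members for addr in senders)

MEMBERS = {"member@list.example"}           # constructed membership list

# Constructed post: From: is not a member, Reply-To: is.
SPOOFED = message_from_string(
    'From: "Member Name" <someone@elsewhere.example>\n'
    "Reply-To: member@list.example\n"
    "Subject: constructed sample\n\nbody\n")
# Constructed genuine post from the member.
GENUINE = message_from_string(
    "From: Member Name <member@list.example>\n"
    "Subject: constructed sample\n\nbody\n")

def demo():
    """Membership decision for both posts under both settings."""
    spoof_env, real_env = "someone@elsewhere.example", "member@list.example"
    return {
        "spoofed_default": is_member_post(SPOOFED, spoof_env, MEMBERS, DEFAULT_SENDER_HEADERS),
        "spoofed_from_only": is_member_post(SPOOFED, spoof_env, MEMBERS, FROM_ONLY),
        "genuine_default": is_member_post(GENUINE, real_env, MEMBERS, DEFAULT_SENDER_HEADERS),
        "genuine_from_only": is_member_post(GENUINE, real_env, MEMBERS, FROM_ONLY),
    }

if __name__ == "__main__":
    print(demo())
```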
[Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass
Recent phishing mails are targeting mailing-lists -- and do pass.

From our logs:
Sep 25 12:10:41 2017 (1940) post to rundmail-it from sabishi.meis...@charite.de, size=4760, message-id=<486320030245.201792592...@charite.de>, success

But the headers of the mail that was automatically passed (since sabishi.meis...@charite.de is a member) was:

From: "Sabishi.Meister@"

--
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155