Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin

On Mon, 19 Feb 2018, Alex wrote:

> Hi,
>
> On Mon, Feb 19, 2018 at 3:20 PM, John Hardin wrote:
>
>> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>>
>>> Whatever you do, just do not ask others to blacklist Alibaba
>>
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> Perhaps just bump the score for that locally?
>
> KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating
> that rule for me. Perhaps he doesn't know the rule was removed or
> otherwise handled?
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561
>
> Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test
> SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero
> score
>
> Is there anything further that needs to be done wrt this rule, or does
> it now just work as expected?
>
> He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER also being
> affected by FORGED_YAHOO_RCVD.

Kevin, can that be set to advisory rather than completely killed?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 63 more days working to pay your (average) annual US tax bill
 before you're finally working for yourself.


Re: Blacklist for reply-to?

2018-02-19 Thread Alex
Hi,

On Mon, Feb 19, 2018 at 3:20 PM, John Hardin  wrote:
> On Mon, 19 Feb 2018, Rupert Gallagher wrote:
>
>> Whatever you do, just do not ask others to blacklist Alibaba
>
>
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> Perhaps just bump the score for that locally?

KAM's rules are still setting FORGED_YAHOO_RCVD to zero, invalidating
that rule for me. Perhaps he doesn't know the rule was removed or
otherwise handled?
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5561

Feb 19 17:37:29 mail01 amavis[30049]: SA info: rules: meta test
SPOOFED_FREEM_REPTO_CHN has dependency 'FORGED_YAHOO_RCVD' with a zero
score

Is there anything further that needs to be done wrt this rule, or does
it now just work as expected?

He's also got KAM_GRABBAG5 and KAM_UAH_YAHOOGROUP_SENDER also being
affected by FORGED_YAHOO_RCVD.


Re: Blacklist for reply-to?

2018-02-19 Thread @lbutlr
On 2018-02-19 (09:57 MST), Paul Stead  wrote:
> 
> This message is private and confidential. If you have received this message 
> in error, please notify us and remove it from your system.
> 
> Zen Internet Limited may monitor email traffic data to manage billing, to 
> handle customer enquiries and for the prevention and detection of fraud. We 
> may also monitor the content of emails sent to and/or from Zen Internet 
> Limited for the purposes of security, staff training and to monitor quality 
> of service.

I reject your terms.

-- 
Rid yourself of doubt -- or should you? -George Carlin



Re: Blacklist for reply-to?

2018-02-19 Thread Benny Pedersen

David Jones wrote on 2018-02-19 22:35:

> https://bz.apache.org/SpamAssassin
>
> I have added a few domains over the past few months but my mail flow
> isn't going to see many of the problem domains outside of the US like
> those listed above.


https://www.google.dk/search?q=github+freemail

seems all is freemail ?

would adding more freemail domains give a better detection of spam ?


Re: Blacklist for reply-to?

2018-02-19 Thread David Jones

On 02/19/2018 03:19 PM, John Hardin wrote:

> On Mon, 19 Feb 2018, Kenneth Porter wrote:
>
>> On 2/19/2018 12:20 PM, John Hardin wrote:
>>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>>
>> No, not seeing that one. After enough training I eventually see it
>> land in Bayes. The RBLs are starting to flag it.
>>
>> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
>>     FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>>
>> The subject and body are offering "image editing".
>
> I get *tons* of those.
>
> I'm wondering whether the freemail list is a bit stale, I'm seeing from
> addresses in .jp domains that look like they might be freemail...
>
>  jmail.co.jp
>  ezweb.ne.jp
>
> Are these freemail?
>
>  o2online.de
>  wanadoo.fr


The "freemail" domains also include domains that are commonly abused 
according to 20_freemail_domains.cf.  Anyone wanting to get some domains 
added should open up a SpamAssassin Bugzilla:


https://bz.apache.org/SpamAssassin

I have added a few domains over the past few months but my mail flow 
isn't going to see many of the problem domains outside of the US like 
those listed above.


--
David Jones


Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin

On Mon, 19 Feb 2018, Kenneth Porter wrote:

> On 2/19/2018 12:20 PM, John Hardin wrote:
>> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?
>
> No, not seeing that one. After enough training I eventually see it land in
> Bayes. The RBLs are starting to flag it.
>
> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
>     FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1
>
> The subject and body are offering "image editing".

I get *tons* of those.

I'm wondering whether the freemail list is a bit stale, I'm seeing from
addresses in .jp domains that look like they might be freemail...

 jmail.co.jp
 ezweb.ne.jp

Are these freemail?

 o2online.de
 wanadoo.fr


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People think they're trading chaos for order [by ceding more and
  more power to the Government], but they're just trading normal
  human evil for the really dangerous organized kind of evil, the
  kind that simply does not give a shit. Only bureaucrats can give
  you true evil. -- Larry Correia
---
 3 days until George Washington's 286th Birthday

Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter

On 2/19/2018 12:20 PM, John Hardin wrote:
> Are those getting hits on SPOOFED_FREEM_REPTO_CHN?


No, not seeing that one. After enough training I eventually see it land 
in Bayes. The RBLs are starting to flag it.


X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_99,BAYES_999,
    FREEMAIL_FROM,RCVD_IN_BRBL_LASTEXT autolearn=no version=3.3.1

The subject and body are offering "image editing". The From is forged. 
But the Reply-to is consistent.




Re: Blacklist for reply-to?

2018-02-19 Thread John Hardin

On Mon, 19 Feb 2018, Rupert Gallagher wrote:

> Whatever you do, just do not ask others to blacklist Alibaba


Are those getting hits on SPOOFED_FREEM_REPTO_CHN?

Perhaps just bump the score for that locally?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...much of our country's counterterrorism security spending is not
  designed to protect us from the terrorists, but instead to protect
  our public officials from criticism when another attack occurs.
-- Bruce Schneier
---
 3 days until George Washington's 286th Birthday


Re: Blacklist for reply-to?

2018-02-19 Thread Rupert Gallagher
I wanted you to see your proposed solution from a different point of view, and 
I thought the quiz was spot on. As a number of you fell into the trap head 
first, I am now horrified. Whatever you do, just do not ask others to blacklist 
Alibaba, and do not blacklist yourself.

Sent from ProtonMail Mobile

On Mon, Feb 19, 2018 at 10:00, Kenneth Porter  wrote:

> On 2/18/2018 5:09 PM, Antony Stone wrote:
>
>> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>>
>>> Question time! You receive spam with a reply-to your own address. What do
>>> you do?
>>
>> I take it that this is now a rather different question that the one you
>> originally asked in this thread, where the reply-to address was clearly not
>> your own?
>
> I have no clue what Rupert is on about. I just want something like 
> blacklist_from that uses the reply-to header. I thought it was a simple 
> technical question about how the config file directives map onto the actual 
> headers. I'm not asking for site policy.

Re: catch today's PDF pillz spam

2018-02-19 Thread David B Funk

On Mon, 19 Feb 2018, Axb wrote:

> oooppps - missing a backslash
>
> mimeheader  AXB_CTYPE_SPELLHERO  Content-Type =~ /\bapplictaion\/pdf\b/
>
> On 02/19/2018 05:24 PM, Axb wrote:
>
>> catch today's PDF pillz spam
>>
>> mimeheader  AXB_CTYPE_SPELLHERO    Content-Type =~ /bapplictaion\/pdf\b/
>>
>> the typo is the trait ;)
>>
>> enjoy while it lasts

FYI:
If you use an explicit pattern-match delimiter you can avoid the "leaning
toothpicks" syndrome. (particularly relevant for URIs).

EG:

uri MY_URL_FILTER1 /\bhttp:\/\/this-is\.adomain\.com\/this\/is\/a\/path\b/

uri MY_URL_FILTER2 m!\bhttp://this-is\.adomain\.com/this/is/a/path\b!

Still need to escape those meta-chars (EG: \b) and explicit matches on dots,
but otherwise makes it more readable.

I realise this wouldn't have helped you with your typo, but it does make it
easier to see at a glance.



--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Blacklist for reply-to?

2018-02-19 Thread Paul Stead
I have a BZ raised for reply-to blacklist checking:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354

On 19/02/2018, 15:05, "Kevin A. McGrail" wrote:

> On 2/18/2018 3:06 PM, Kenneth Porter wrote:
>> Is there a blacklist for domains in the reply-to header?
>>
>> I've noticed a lot of spam with no URL and mutating From but the
>> reply-to domain is always aliyun dot com. I want to add a site-wide
>> blacklist for that.
>
> To my knowledge it doesn't exist.  I documented it as an idea for GSOC
> at https://issues.apache.org/jira/browse/COMDEV-263
>
> Regards,
> KAM



--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk

Winner of 'Services Company of the Year' at the UK IT Industry Awards

This message is private and confidential. If you have received this message in 
error, please notify us and remove it from your system.

Zen Internet Limited may monitor email traffic data to manage billing, to 
handle customer enquiries and for the prevention and detection of fraud. We may 
also monitor the content of emails sent to and/or from Zen Internet Limited for 
the purposes of security, staff training and to monitor quality of service.

Zen Internet Limited is registered in England and Wales, Sandbrook Park, 
Sandbrook Way, Rochdale, OL11 1RY Company No. 03101568 VAT Reg No. 686 0495 01


Re: catch today's PDF pillz spam

2018-02-19 Thread Axb

oooppps - missing a backslash

mimeheader  AXB_CTYPE_SPELLHERO  Content-Type =~ /\bapplictaion\/pdf\b/

On 02/19/2018 05:24 PM, Axb wrote:

> catch today's PDF pillz spam
>
> mimeheader  AXB_CTYPE_SPELLHERO    Content-Type =~ /bapplictaion\/pdf\b/
>
> the typo is the trait ;)
>
> enjoy while it lasts





catch today's PDF pillz spam

2018-02-19 Thread Axb


catch today's PDF pillz spam

mimeheader  AXB_CTYPE_SPELLHERO Content-Type =~ /bapplictaion\/pdf\b/

the typo is the trait ;)

enjoy while it lasts


Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Tobi
Benny,

Maybe I don't see your point clearly ;-) But I don't want to whitelist
URIHOSTS.
Have these two rules now

urirhssub   URIBL_DOMAIN   my.rbl.tld. A 127.0.0.16
body        URIBL_DOMAIN   eval:check_uridnsbl('URIBL_DOMAIN')

askdns  URIBL_HOST _URIHOSTS_.my.rbl.tld. A 127.0.0.24

my.rbl.tld is based on mysql data which gets fed more or less
automatically from different sources (like my own traps or external data
like phishtank etc.).

And I have a third rule

urirhssub   URIBL_DOMAIN_FU   my.rbl.tld. A 127.0.0.32
body        URIBL_DOMAIN_FU   eval:check_uridnsbl('URIBL_DOMAIN_FU')
score   URIBL_DOMAIN_FU   200

where domains will be listed after too many entries in the fullhost table.

Cheers

tobi


On 19.02.2018 at 16:14, Benny Pedersen wrote:
> Tobi wrote on 2018-02-19 14:43:
> 
>> no need for this as that case is covered by sa urirhssub queries.
>> I needed a way to perform www.sub.domain.tld AND domain.tld queries of
>> the uri www.sub.domain.tld
> 
> would you like to test?
> 
> blacklist _URIDOMAINS_
> whitelist _URIHOSTS_
> 
> :=)
> 
> if you score whitelist 50% of blacklist score there could be nice
> 
> that way spammers have higher burden to jump over
> 
> and you don't need random listing of next subdomain spammer


Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Benny Pedersen

Tobi wrote on 2018-02-19 14:43:

> no need for this as that case is covered by sa urirhssub queries.
> I needed a way to perform www.sub.domain.tld AND domain.tld queries of
> the uri www.sub.domain.tld

would you like to test?

blacklist _URIDOMAINS_
whitelist _URIHOSTS_

:=)

if you score whitelist 50% of blacklist score there could be nice

that way spammers have higher burden to jump over

and you don't need random listing of next subdomain spammer


Re: Blacklist for reply-to?

2018-02-19 Thread Kevin A. McGrail

On 2/18/2018 3:06 PM, Kenneth Porter wrote:

> Is there a blacklist for domains in the reply-to header?
>
> I've noticed a lot of spam with no URL and mutating From but the
> reply-to domain is always aliyun dot com. I want to add a site-wide
> blacklist for that.


To my knowledge it doesn't exist.  I documented it as an idea for GSOC 
at https://issues.apache.org/jira/browse/COMDEV-263



Regards,
KAM



Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Tobi


On 19.02.2018 at 14:25, Benny Pedersen wrote:
> Tobi wrote on 2018-02-19 11:45:
> add one more askdns to compensate on _URIDOMAINS_
> 

no need for this as that case is covered by sa urirhssub queries.
I needed a way to perform www.sub.domain.tld AND domain.tld queries of
the uri www.sub.domain.tld

Cheers

tobi




Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Tobi


On 19.02.2018 at 15:04, Benny Pedersen wrote:
> 
> yep got it, so if you only use URIHOSTS how do you know it does not miss
> in URIDOMAINS ?

I do not only use URIHOSTS but also a rhs lookup for just the domain.
So I have both bases covered :-)


Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Benny Pedersen

Tobi wrote on 2018-02-19 14:45:

> no need for this as that case is covered by sa urirhssub queries.
> I needed a way to perform www.sub.domain.tld AND domain.tld queries of
> the uri www.sub.domain.tld against my own rbl.

yep got it, so if you only use URIHOSTS how do you know it does not miss 
in URIDOMAINS ?

would you list all subdomains no matter how many subdomains a given 
spammer uses ?


dns have cheap *.example.org cnames

just my last € on it


Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Tobi


On 19.02.2018 at 14:25, Benny Pedersen wrote:
> Tobi wrote on 2018-02-19 11:45:
> add one more askdns to compensate on _URIDOMAINS_
>

no need for this as that case is covered by sa urirhssub queries.
I needed a way to perform www.sub.domain.tld AND domain.tld queries of
the uri www.sub.domain.tld against my own rbl.

Cheers

tobi





Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Benny Pedersen

Tobi wrote on 2018-02-19 11:45:

> askdns  MY_FULL_TEST  _URIHOSTS_.my.rbl.tld   A   127.0.0.4
> which fires fullhost lookups according to spamassassin -D


its just that spammers would like you to do this :=)

i wont tell why its helping spammers

add one more askdns to compensate on _URIDOMAINS_

responsible spammers should know what not to do


Re: Is there a way to perform selective full uri rbl lookups?

2018-02-19 Thread Tobi
Hi list

just as follow up: at least spamassassin 3.4.1 has the necessary stuff
in URIDNSBL.pm.
There _URIDOMAINS_ and _URIHOSTS_ are set so a fullhost lookup becomes a
simple one-liner

askdns  MY_FULL_TEST  _URIHOSTS_.my.rbl.tld   A   127.0.0.4

which fires fullhost lookups according to spamassassin -D

Feb 19 10:44:50.821 [22500] dbg: async: calling callback on key
askdns:A:img.promio-mail.com.my.rbl.tld
Feb 19 10:44:50.821 [22500] dbg: askdns: answer received, rcode NOERROR,
query IN/A/img.promio-mail.com.my.rbl.tld, answer has 2 records

Will keep testing for some days, but this seems to be the solution for
me :-)

Cheers


tobi

On 17.02.2018 at 12:52, Tobi wrote:
> Hi Daniele (this time onlist, sorry for offlist I have a stupid mobile client 
> when it comes to replies to lists)
> 
> thanks a lot for your reply. As I'm really not the perl coder I think I will 
> keep it as I have my fullhost lookups currently :-)
> 
> Can anyone confirm that aux_tlds does not help if one wants to perform rh 
> lookups and fulluri lookups on the same uri found?
> 
> Any chance that sa in future will support a urifullsub method to lookup 
> fullhost of an uri?
> 
> Cheers
> 
> Tobi
> 
> - Original Message -
> From: Daniele Duca 
> Sent: 17.02.18 - 09:04
> To: jahli...@gmx.ch, users@spamassassin.apache.org
> Subject: Re: Is there a way to perform selective full uri rbl lookups?
> 
>> Hello,
>>
>> I do full uris dns lookups through a simple SA plugin. The core lines in 
>> the function are:
>>
>> use List::Util qw(uniq);   # uniq() needs List::Util 1.45 or newer
>>
>> sub check_fulluris {
>>     my ($self, $msg) = @_;
>>     my $pms  = $msg->{permsgstatus};
>>     my $body = $msg->{msg}->get_pristine_body();
>>     # non-capturing scheme group: in list context only the hosts are returned
>>     foreach my $this_url (uniq( $body =~ /(?:http|https):\/\/(.*?)\//g )) {
>>
>>         # code to do dns lookups
>>
>>     }
>> }
>>
>> and in the .cf
>>
>> urirhssub   TEST_FULL_URIS     mypersonal.dnsbl.   A 127.0.0.2
>> body  TEST_FULL_URIS eval:check_fulluris('TEST_FULL_URIS')
>>
>> As for my personal reason of doing full hostnames lookups, I find it 
>> easier to mantain a rbldnsd zone with hacked websites/landing pages of 
>> marketers than to write uri rules in the .cf each time
>>
>> Hope it helps
>>
>> Daniele Duca
>>
>>
>>
>> On 16/02/2018 22:08, jahlives wrote:
>>> Hi list
>>>
>>> I'm looking for a way in spamassassin to run a full-uri-host rbl lookup
>>> for a specific rule. I do not want to discuss about sense or non-sense
>>> of full-uri-hosts lookups ;-)
>>>
>>> lets assume I have two rules which query my own rbl
>>>
>>> urirhssub HIT_DOMAIN    my.rbl.tld. A 127.0.0.2
>>> body      HIT_DOMAIN    eval:check_uridnsbl('HIT_DOMAIN')
>>>
>>> urifullsub HIT_FULL     my.rbl.tld. A 127.0.0.4
>>> body       HIT_FULL     eval:check_uridnsbl('HIT_FULL')
>>>
>>> I know urifullsub does not exist, should just visualize what I try to
>>> achieve :-)
>>>
>>> now for a uri like www.sub.domain.tld both rules should be tested. The
>>> first one for domain.tld (which sa does with rh lookups) and the second
>>> one with the full-uri-host (www.sub.domain.tld)
>>>
>>> I read about aux_tlds but I think this does not help me as if I add
>>> domain.tld to aux_tlds the first query above would be fired with
>>> sub.domain.tld
>>>
>>> I thought that the second query could be solved using askdns plugin in a
>>> way like this
>>>
>>> askdns HIT_FULL _URIFULLHOST_.my.rbl.tld.   A   127.0.0.4
>>>
>>> But how to get access to urifullhost? :-)
>>>
>>> Currently I use a plugin of my antispam glue to perform the full uri
>>> host lookups on uris found. This plugin adds a X-Header upon hit on
>>> which spamassassin fires and scores.
>>> So I have a solution to this "problem" but it would be nice to do both
>>> queries from spamassassin :-)
>>>
>>> Cheers
>>>
>>> tobi
>>>
>>
> 
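
The pair of lookups Tobi describes (registered domain via urirhssub, full host via the askdns _URIHOSTS_ one-liner), as an added Python sketch that is not from the thread or from SpamAssassin: it derives both query names for every URI host in a body and resolves them against a dictionary-backed stand-in for my.rbl.tld, so a fresh subdomain of a listed domain still shows up on the domain query even though its full host is unlisted (Benny's point above). AUX_TLDS, FAKE_ZONE, fake_resolve, spammy.example and the sample body are assumptions constructed here; img.promio-mail.com is the host from the debug log, and the 127.0.0.x values follow Tobi's rules.

```python
# The two lookups the thread wants for every URI host, as a stand-alone sketch.
# Constructed for this thread; the zone name and 127.0.0.x values follow Tobi's
# rules, the listed entries and the resolver below are made up so it runs offline.
import re
import socket

ZONE = "my.rbl.tld"
# Two-label suffixes (assumption: a real deployment would use the public suffix list)
AUX_TLDS = {"co.jp", "co.uk", "ne.jp"}
URI_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def registered_domain(host):
    """domain.tld for www.sub.domain.tld, one label more under an aux TLD."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in AUX_TLDS else 2
    return ".".join(labels[-keep:])


def query_names(host):
    """(urirhssub-style _URIDOMAINS_ name, askdns-style _URIHOSTS_ name)."""
    return f"{registered_domain(host)}.{ZONE}", f"{host.lower()}.{ZONE}"


def lookup(name, resolve=socket.gethostbyname):
    """A-record answer for name, or None when the zone has no entry (NXDOMAIN)."""
    try:
        return resolve(name)
    except OSError:
        return None


def classify_body(body, resolve=socket.gethostbyname):
    """{host: {'domain': answer, 'fullhost': answer}} for every URI host in body."""
    result = {}
    for host in sorted(set(URI_HOST_RE.findall(body))):
        dom_q, full_q = query_names(host)
        result[host] = {"domain": lookup(dom_q, resolve), "fullhost": lookup(full_q, resolve)}
    return result


# Constructed stand-in for my.rbl.tld's mysql-fed zone; promio-mail.com is the
# host from Tobi's debug log, spammy.example is made up.
FAKE_ZONE = {
    "promio-mail.com.my.rbl.tld": "127.0.0.16",      # listed as domain (URIBL_DOMAIN)
    "img.promio-mail.com.my.rbl.tld": "127.0.0.24",  # listed as full host (URIBL_HOST)
    "spammy.example.my.rbl.tld": "127.0.0.32",       # too many hosts seen (URIBL_DOMAIN_FU)
}


def fake_resolve(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror(f"NXDOMAIN {name}")


# Constructed body: a listed full host, and a fresh subdomain of a listed domain.
SAMPLE_BODY = """see http://img.promio-mail.com/track?i=1 and
https://new42.spammy.example/landing for details"""

if __name__ == "__main__":
    for host, answers in classify_body(SAMPLE_BODY, fake_resolve).items():
        print(host, answers)
```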


Re: Blacklist for reply-to?

2018-02-19 Thread Daniele Duca

On 19/02/2018 10:00, Kenneth Porter wrote:

> I have no clue what Rupert is on about. I just want something like
> blacklist_from that uses the reply-to header. I thought it was a
> simple technical question about how the config file directives map
> onto the actual headers. I'm not asking for site policy.



Maybe something like this?

header REPLYTO_KILLER reply-to =~ /@domain\.that\.you\.want\.blacklisted/
score  REPLYTO_KILLER 1000
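
An added Python toy (not from the thread and not SpamAssassin's engine) that applies Axb's mimeheader rule in both its posted forms, Dave Funk's explicit-delimiter variant and Daniele's Reply-To rule above to a constructed message, so the effect of the missing backslash and of the 1000-point score can be seen directly. RULE_RE, parse_rules, evaluate, demo and the sample message are assumptions of this sketch; as in SpamAssassin, a rule with no score line counts 1.0.

```python
# Toy evaluator for SpamAssassin-style 'header' / 'mimeheader' / 'score' lines.
# Constructed for this thread; it is not SpamAssassin's rule engine.
import email
import re
from email import policy

# header|mimeheader NAME Header-Name =~ /regex/flags   or   =~ m!regex!flags
RULE_RE = re.compile(
    r"^(header|mimeheader)\s+(\w+)\s+([\w-]+)\s*=~\s*"
    r"(?:/((?:\\.|[^/])*)/|m(\W)(.*?)\5)([a-z]*)\s*$"
)


def parse_rules(text):
    """Parse rule and score lines; returns (rules, scores)."""
    rules, scores = [], {}
    for line in (raw.strip() for raw in text.strip().splitlines()):
        if line.startswith("score"):
            _, name, pts = line.split()
            scores[name] = float(pts)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule line: {line!r}")
        kind, name, hdr, slash_body, _delim, bang_body, flags = m.groups()
        body = slash_body if slash_body is not None else bang_body
        rules.append((kind, name, hdr, re.compile(body, re.I if "i" in flags else 0)))
    return rules, scores


def evaluate(rules, scores, raw_message):
    """Return (total_score, [rules that hit]); a rule without a score line counts 1.0."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for kind, name, hdr, rx in rules:
        # 'header' sees only the top-level headers, 'mimeheader' every MIME part's
        parts = [msg] if kind == "header" else list(msg.walk())
        if any(rx.search(str(v)) for p in parts for v in p.get_all(hdr, [])):
            hits.append(name)
    return sum(scores.get(h, 1.0) for h in hits), hits


RULES = r"""
mimeheader AXB_CTYPE_TYPO      Content-Type =~ /bapplictaion\/pdf\b/
mimeheader AXB_CTYPE_SPELLHERO Content-Type =~ /\bapplictaion\/pdf\b/
mimeheader AXB_CTYPE_BANG      Content-Type =~ m!\bapplictaion/pdf\b!
header     REPLYTO_KILLER     Reply-To =~ /@domain\.that\.you\.want\.blacklisted/i
score      REPLYTO_KILLER     1000
"""

# Constructed sample: blacklisted Reply-To, and a PDF part carrying the typo.
SAMPLE = """From: someone@example.com
Reply-To: offers@domain.that.you.want.blacklisted
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: applictaion/pdf; name="offer.pdf"

JVBERi0=
--b1--
"""


def demo():
    rules, scores = parse_rules(RULES)
    return evaluate(rules, scores, SAMPLE)  # AXB_CTYPE_TYPO (literal 'b') never fires
```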



Re: Blacklist for reply-to?

2018-02-19 Thread Kenneth Porter

On 2/18/2018 5:09 PM, Antony Stone wrote:

> On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:
>
>> Question time! You receive spam with a reply-to your own address. What do
>> you do?
>
> I take it that this is now a rather different question than the one you
> originally asked in this thread, where the reply-to address was clearly not
> your own?

I have no clue what Rupert is on about. I just want something like 
blacklist_from that uses the reply-to header. I thought it was a simple 
technical question about how the config file directives map onto the 
actual headers. I'm not asking for site policy.