Re: Spam from compromised accounts scoring just under block threshold

2018-04-02 Thread Amir Caspi
On Mar 31, 2018, at 4:52 AM, Pedro David Marco  wrote:
> 
> Amir, can you provide any pastebin sample, please?

I thought it was relatively self-explanatory, but I'm talking about names very 
much like the ones that Rich Wales included in his recent email (subject: "Spam 
from addresses where full name mirrors left-hand side of address"):

Adding To Human Lifespan 
Smartphone Screen Protector 

The actual spam itself is not really relevant, there is no specific pattern in 
the spam text -- this username pattern is used by many different template spams.

Cheers.

--- Amir



Re: Spam from compromised accounts scoring just under block threshold

2018-03-30 Thread Amir Caspi
Following up on this... I've been consistently seeing a lot of spam like this, 
with multi-dot usernames.  Sometimes with "person.from.spam" but more often 
just a punctuated phrase like "some.spammy.item.sold" or whatever.  Most often 
only two dots (three words), sometimes four or more.

Has anyone been testing this as a meta rule?

Cheers.

--- Amir

> On Mar 6, 2018, at 9:37 AM, John Hardin  wrote:
> 
> On Mon, 5 Mar 2018, Amir Caspi wrote:
> 
>> On Mar 5, 2018, at 11:13 PM, John Hardin  wrote:
>>> 
>>> *before* the @ sign.
>>> 
>>> It may be perfectly valid to do that, but if it happens more often in spam 
>>> than in legitimate mail it is useful to us.
>> 
>> I’m seeing a lot of spam lately with usernames like 
>> “bob.from.somespamcompany”. Could definitely be at least a meta rule.
> 
> ...or potentially
> 
>   from:addr =~ /[^@]*\.from\.[^@]*@/
> 
> if ".from." is literally in the username part.
> 
> -- 
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  Failure to plan ahead on someone else's part does not constitute
>  an emergency on my part. -- David W. Barts in a.s.r
> ---
> 5 days until Daylight Saving Time begins in U.S. - Spring Forward



Re: Spam from compromised accounts scoring just under block threshold

2018-03-06 Thread John Hardin

On Mon, 5 Mar 2018, Amir Caspi wrote:

> On Mar 5, 2018, at 11:13 PM, John Hardin  wrote:
> 
>> *before* the @ sign.
>> 
>> It may be perfectly valid to do that, but if it happens more often in spam than 
>> in legitimate mail it is useful to us.
> 
> I’m seeing a lot of spam lately with usernames like “bob.from.somespamcompany”. 
> Could definitely be at least a meta rule.

...or potentially

  from:addr =~ /[^@]*\.from\.[^@]*@/

if ".from." is literally in the username part.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 5 days until Daylight Saving Time begins in U.S. - Spring Forward

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Amir Caspi
On Mar 5, 2018, at 11:13 PM, John Hardin  wrote:
> 
> *before* the @ sign.
> 
> It may be perfectly valid to do that, but if it happens more often in spam 
> than in legitimate mail it is useful to us.

I’m seeing a lot of spam lately with usernames like “bob.from.somespamcompany”. 
Could definitely be at least a meta rule.

--- Amir
thumbed via iPhone




Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread John Hardin

On Tue, 6 Mar 2018, Benny Pedersen wrote:

> Pedro David Marco skrev den 2018-03-06 06:22:
> 
>>> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
>> 
>> Sorry for spoiling the party, David, but I have seen many valid email
>> addresses with two dots inside.
> 
> users@spamassassin.apache.org
> 
> :-)

*before* the @ sign.

It may be perfectly valid to do that, but if it happens more often in spam 
than in legitimate mail it is useful to us.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 6 days until Daylight Saving Time begins in U.S. - Spring Forward


Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Bill Cole

On 5 Mar 2018, at 15:14, David Jones wrote:

> FYI  This could be something for KAM.cf potentially...
> 
> I have seen a few of these this morning that would be scoring just 
> under the default SA threshold of 5.0 and are just under my 
> MailScanner 6.0 threshold.
> 
> https://pastebin.com/r2eZJaef
> 
> I am reporting these to Spamcop but new waves of compromised accounts 
> keep sending them.
> 
> They all seem to have a From address with two periods on the left side 
> so something like this:
> 
> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
> 
> could be combined with something else in a meta to help detect these 
> and push them over the edge.

This looks intrinsically shady and could be useful:




Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Benny Pedersen

Pedro David Marco skrev den 2018-03-06 06:22:

>> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
> 
> Sorry for spoiling the party, David, but I have seen many valid email
> addresses with two dots inside.

users@spamassassin.apache.org

:-)


Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Pedro David Marco
 
> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/

Sorry for spoiling the party, David, but I have seen many valid email addresses 
with two dots inside. 

PedroD  

Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread David Jones

On 03/05/2018 05:46 PM, Alex wrote:

> Hi,
> 
> On Mon, Mar 5, 2018 at 3:14 PM, David Jones  wrote:
> 
>> FYI  This could be something for KAM.cf potentially...
>> 
>> I have seen a few of these this morning that would be scoring just under the
>> default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold.
>> 
>> https://pastebin.com/r2eZJaef
>> 
>> I am reporting these to Spamcop but new waves of compromised accounts keep
>> sending them.
>> 
>> They all seem to have a From address with two periods on the left side so
>> something like this:
>> 
>> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
>> 
>> could be combined with something else in a meta to help detect these and
>> push them over the edge.
> 
> https://www.mail-archive.com/users@spamassassin.apache.org/msg101391.html

I am trying out that rule now and will report back.  Thanks!

--
David Jones


Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Alex
Hi,

On Mon, Mar 5, 2018 at 3:14 PM, David Jones  wrote:
> FYI  This could be something for KAM.cf potentially...
>
> I have seen a few of these this morning that would be scoring just under the
> default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold.
>
> https://pastebin.com/r2eZJaef
>
> I am reporting these to Spamcop but new waves of compromised accounts keep
> sending them.
>
> They all seem to have a From address with two periods on the left side so
> something like this:
>
> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
>
> could be combined with something else in a meta to help detect these and
> push them over the edge.

https://www.mail-archive.com/users@spamassassin.apache.org/msg101391.html


Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread RW
On Mon, 5 Mar 2018 14:39:54 -0600
David Jones wrote:

> On 03/05/2018 02:14 PM, David Jones wrote:
> > FYI  This could be something for KAM.cf potentially...
> > 
> > I have seen a few of these this morning that would be scoring just
> > under the default SA threshold of 5.0 and are just under my
> > MailScanner 6.0 threshold.
> > 
> > https://pastebin.com/r2eZJaef
> > 
> https://pastebin.com/YMx8V1J7

From: Gifts for Smart People <...
From: Human Organ Building <...

I suspect that Bayes would benefit from using this information. See:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6319







Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread Benny Pedersen

David Jones skrev den 2018-03-05 21:39:

> https://pastebin.com/YMx8V1J7
> 
> They have some bayes-busting text in there.  Maybe the URIBLs (IVM)
> will catch up to these and block them soon.

SPF_HELO_PASS && SPF_PASS && !DMARC_PASS

not spam ?

Note that a DMARC pass can be done with an SPF pass.


Re: Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread David Jones

On 03/05/2018 02:14 PM, David Jones wrote:

> FYI  This could be something for KAM.cf potentially...
> 
> I have seen a few of these this morning that would be scoring just under 
> the default SA threshold of 5.0 and are just under my MailScanner 6.0 
> threshold.
> 
> https://pastebin.com/r2eZJaef
> 
> I am reporting these to Spamcop but new waves of compromised accounts 
> keep sending them.
> 
> They all seem to have a From address with two periods on the left side 
> so something like this:
> 
> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
> 
> could be combined with something else in a meta to help detect these and 
> push them over the edge.

Well, never mind that idea.  They seem to be more complex than that.

https://pastebin.com/YMx8V1J7

They have some bayes-busting text in there.  Maybe the URIBLs (IVM) will 
catch up to these and block them soon.


--
David Jones


Spam from compromised accounts scoring just under block threshold

2018-03-05 Thread David Jones

FYI  This could be something for KAM.cf potentially...

I have seen a few of these this morning that would be scoring just under 
the default SA threshold of 5.0 and are just under my MailScanner 6.0 
threshold.


https://pastebin.com/r2eZJaef

I am reporting these to Spamcop but new waves of compromised accounts 
keep sending them.


They all seem to have a From address with two periods on the left side 
so something like this:


header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/

could be combined with something else in a meta to help detect these and 
push them over the edge.


--
David Jones
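As an added example (not code from this thread or from SpamAssassin itself), the Python harness below runs the two From:addr regexes posted in the thread, David Jones's __ODD_FROM_SPAM and John Hardin's ".from." pattern, against constructed From: headers, and tries one candidate for the "something else" a meta could combine them with: a check that the display name mirrors the left-hand side of the address, after the Rich Wales subject line Amir mentions. The rule names __FROM_DOT_FROM, __NAME_MIRRORS_LOCAL and ODD_FROM_NAME_MIRROR, the helper functions and every sample address are assumptions made for this example. It also reproduces the false positive Pedro warns about: a legitimate first.middle.last address hits both the regex and the meta.

```python
r"""Offline harness for the From:addr rules discussed in this thread.

The two regexes are copied verbatim from the thread; everything else
(rule names, the name-mirrors-local-part check, the meta, the sample
headers) is constructed for this example and is not SpamAssassin code.
"""
import re
from email.utils import parseaddr

# Rule bodies as posted (SpamAssassin uses Perl regexes; these two are
# also valid under Python's re module).
ODD_FROM_SPAM_RE = re.compile(r'.{1,20}\..{1,20}\..{1,20}@')   # David Jones
DOT_FROM_RE = re.compile(r'[^@]*\.from\.[^@]*@')               # John Hardin


def split_from(header_value):
    """Split a From: header value into (display name, address), roughly
    what SpamAssassin's From:name and From:addr selectors hand a rule."""
    name, addr = parseaddr(header_value)
    return name, addr.lower()


def localpart_word_count(addr):
    """Number of dot-separated words in the local part
    ("some.spammy.item.sold@..." -> 4), the count Amir describes."""
    local = addr.split('@', 1)[0]
    return len([w for w in local.split('.') if w])


def name_mirrors_localpart(name, addr):
    """Assumed second signal for the meta: the display name, lower-cased
    and with its words joined by dots, equals the local part of the address."""
    if not name:
        return False
    words = re.findall(r'[a-z0-9]+', name.lower())
    return bool(words) and '.'.join(words) == addr.split('@', 1)[0]


def evaluate(header_value):
    r"""Return the hit status of each sub-rule and of the meta for one From: header.

    Equivalent SpamAssassin configuration (rule names are assumed):
      header __ODD_FROM_SPAM      From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
      header __FROM_DOT_FROM      From:addr =~ /[^@]*\.from\.[^@]*@/
      meta   ODD_FROM_NAME_MIRROR __ODD_FROM_SPAM && __NAME_MIRRORS_LOCAL
    __NAME_MIRRORS_LOCAL has no single-regex form, since a header rule sees
    only From:name or only From:addr; it would need an eval rule or plugin.
    """
    name, addr = split_from(header_value)
    hits = {
        '__ODD_FROM_SPAM': ODD_FROM_SPAM_RE.search(addr) is not None,
        '__FROM_DOT_FROM': DOT_FROM_RE.search(addr) is not None,
        '__NAME_MIRRORS_LOCAL': name_mirrors_localpart(name, addr),
    }
    hits['ODD_FROM_NAME_MIRROR'] = hits['__ODD_FROM_SPAM'] and hits['__NAME_MIRRORS_LOCAL']
    return hits


# Constructed sample From: headers; none of these addresses is real.
SAMPLES = [
    'Jane Doe <jane.doe@example.com>',                              # ham: one dot
    'John Q. Public <john.q.public@example.org>',                   # ham: two dots (Pedro's objection)
    'Gifts for Smart People <gifts.for.smart.people@example.net>',  # spam-like name pattern
    'Bob <bob.from.somespamcompany@example.com>',                   # "bob.from.<company>" pattern
]

if __name__ == '__main__':
    for header in SAMPLES:
        fired = [rule for rule, hit in evaluate(header).items() if hit]
        words = localpart_word_count(split_from(header)[1])
        print(f'{header:<62} words={words} hits={fired}')
```

Running it prints, for each sample, the local-part word count and the rules that fire. The "John Q. Public" line is the interesting one: a plausible personal mailbox hits __ODD_FROM_SPAM and, because the display name is just the local part with dots turned into spaces, the meta too. Whatever the second signal in the meta is, it has to be something the template spam carries and ordinary first.middle.last mailboxes do not, or the meta only inherits the false positives of the regex.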