Re: Spam from compromised accounts scoring just under block threshold
On Mar 31, 2018, at 4:52 AM, Pedro David Marco wrote:
>
> Amir, can you provide any pastebin sample, please?

I thought it was relatively self-explanatory, but I'm talking about names very much like the ones that Rich Wales included in his recent email (subject: "Spam from addresses where full name mirrors left-hand side of address"):

  Adding To Human Lifespan
  Smartphone Screen Protector

The actual spam itself is not really relevant; there is no specific pattern in the spam text -- this username pattern is used by many different template spams.

Cheers.

--- Amir
Re: Spam from compromised accounts scoring just under block threshold
Following up on this... I've been consistently seeing a lot of spam like this, with multi-dot usernames. Sometimes with "person.from.spam" but more often just a punctuated phrase like "some.spammy.item.sold" or whatever. Most often only two dots (three words), sometimes four or more.

Has anyone been testing this as a meta rule?

Cheers.

--- Amir

> On Mar 6, 2018, at 9:37 AM, John Hardin wrote:
>
> On Mon, 5 Mar 2018, Amir Caspi wrote:
>
>> On Mar 5, 2018, at 11:13 PM, John Hardin wrote:
>>>
>>> *before* the @ sign.
>>>
>>> It may be perfectly valid to do that, but if it happens more often in spam
>>> than in legitimate mail it is useful to us.
>>
>> I’m seeing a lot of spam lately with usernames like
>> “bob.from.somespamcompany”. Could definitely be at least a meta rule.
>
> ...or potentially from:addr =~ /[^@]*\.from\.[^@]*@/ if ".from." is
> literally in the username part.
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> Failure to plan ahead on someone else's part does not constitute
> an emergency on my part. -- David W. Barts in a.s.r
> ---
> 5 days until Daylight Saving Time begins in U.S. - Spring Forward
Re: Spam from compromised accounts scoring just under block threshold
On Mon, 5 Mar 2018, Amir Caspi wrote:

> On Mar 5, 2018, at 11:13 PM, John Hardin wrote:
>>
>> *before* the @ sign.
>>
>> It may be perfectly valid to do that, but if it happens more often in spam
>> than in legitimate mail it is useful to us.
>
> I’m seeing a lot of spam lately with usernames like
> “bob.from.somespamcompany”. Could definitely be at least a meta rule.

...or potentially from:addr =~ /[^@]*\.from\.[^@]*@/ if ".from." is
literally in the username part.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Failure to plan ahead on someone else's part does not constitute
an emergency on my part. -- David W. Barts in a.s.r
---
5 days until Daylight Saving Time begins in U.S. - Spring Forward
Re: Spam from compromised accounts scoring just under block threshold
On Mar 5, 2018, at 11:13 PM, John Hardin wrote:
>
> *before* the @ sign.
>
> It may be perfectly valid to do that, but if it happens more often in spam
> than in legitimate mail it is useful to us.

I’m seeing a lot of spam lately with usernames like “bob.from.somespamcompany”. Could definitely be at least a meta rule.

--- Amir
thumbed via iPhone
Re: Spam from compromised accounts scoring just under block threshold
On Tue, 6 Mar 2018, Benny Pedersen wrote:

> Pedro David Marco wrote on 2018-03-06 06:22:
>
>>> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
>>
>> Sorry for spoiling the party, David, but I have seen many valid email
>> addresses with two dots inside.
>
> users@spamassassin.apache.org :-)

*before* the @ sign.

It may be perfectly valid to do that, but if it happens more often in spam
than in legitimate mail it is useful to us.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Failure to plan ahead on someone else's part does not constitute
an emergency on my part. -- David W. Barts in a.s.r
---
6 days until Daylight Saving Time begins in U.S. - Spring Forward
Re: Spam from compromised accounts scoring just under block threshold
On 5 Mar 2018, at 15:14, David Jones wrote:

> FYI This could be something for KAM.cf potentially...
>
> I have seen a few of these this morning that would be scoring just under the
> default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold.
>
> https://pastebin.com/r2eZJaef
>
> I am reporting these to Spamcop but new waves of compromised accounts keep
> sending them.
>
> They all seem to have a From address with two periods on the left side so
> something like this:
>
> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
>
> could be combined with something else in a meta to help detect these and
> push them over the edge.

This looks intrinsically shady and could be useful:
Re: Spam from compromised accounts scoring just under block threshold
Pedro David Marco wrote on 2018-03-06 06:22:

>> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
>
> Sorry for spoiling the party, David, but I have seen many valid email
> addresses with two dots inside.

users@spamassassin.apache.org :-)
Re: Spam from compromised accounts scoring just under block threshold
> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/

Sorry for spoiling the party, David, but I have seen many valid email addresses with two dots inside.

PedroD
Re: Spam from compromised accounts scoring just under block threshold
On 03/05/2018 05:46 PM, Alex wrote:
> Hi,
>
> On Mon, Mar 5, 2018 at 3:14 PM, David Jones wrote:
>> FYI This could be something for KAM.cf potentially...
>>
>> I have seen a few of these this morning that would be scoring just under the
>> default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold.
>>
>> https://pastebin.com/r2eZJaef
>>
>> I am reporting these to Spamcop but new waves of compromised accounts keep
>> sending them.
>>
>> They all seem to have a From address with two periods on the left side so
>> something like this:
>>
>> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
>>
>> could be combined with something else in a meta to help detect these and
>> push them over the edge.
>
> https://www.mail-archive.com/users@spamassassin.apache.org/msg101391.html

I am trying out that rule now and will report back. Thanks!

--
David Jones
Re: Spam from compromised accounts scoring just under block threshold
Hi,

On Mon, Mar 5, 2018 at 3:14 PM, David Jones wrote:
> FYI This could be something for KAM.cf potentially...
>
> I have seen a few of these this morning that would be scoring just under the
> default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold.
>
> https://pastebin.com/r2eZJaef
>
> I am reporting these to Spamcop but new waves of compromised accounts keep
> sending them.
>
> They all seem to have a From address with two periods on the left side so
> something like this:
>
> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
>
> could be combined with something else in a meta to help detect these and
> push them over the edge.

https://www.mail-archive.com/users@spamassassin.apache.org/msg101391.html
Re: Spam from compromised accounts scoring just under block threshold
On Mon, 5 Mar 2018 14:39:54 -0600
David Jones wrote:

> On 03/05/2018 02:14 PM, David Jones wrote:
> > FYI This could be something for KAM.cf potentially...
> >
> > I have seen a few of these this morning that would be scoring just
> > under the default SA threshold of 5.0 and are just under my
> > MailScanner 6.0 threshold.
> >
> > https://pastebin.com/r2eZJaef
>
> https://pastebin.com/YMx8V1J7

From: Gifts for Smart People <...
From: Human Organ Building <...

I suspect that Bayes would benefit from using this information. See:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6319
Re: Spam from compromised accounts scoring just under block threshold
David Jones wrote on 2018-03-05 21:39:

> https://pastebin.com/YMx8V1J7
>
> They have some bayes-busting text in there. Maybe the URIBLs (IVM) will
> catch up to these and block them soon.

SPF_HELO_PASS && SPF_PASS && !DMARC_PASS

not spam ?

note dmarc pass can be done with a spf pass
Re: Spam from compromised accounts scoring just under block threshold
On 03/05/2018 02:14 PM, David Jones wrote:
> FYI This could be something for KAM.cf potentially...
>
> I have seen a few of these this morning that would be scoring just under the
> default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold.
>
> https://pastebin.com/r2eZJaef
>
> I am reporting these to Spamcop but new waves of compromised accounts keep
> sending them.
>
> They all seem to have a From address with two periods on the left side so
> something like this:
>
> header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/
>
> could be combined with something else in a meta to help detect these and
> push them over the edge.

Well, never mind that idea. They seem to be more complex than that.

https://pastebin.com/YMx8V1J7

They have some bayes-busting text in there. Maybe the URIBLs (IVM) will catch up to these and block them soon.

--
David Jones
Spam from compromised accounts scoring just under block threshold
FYI This could be something for KAM.cf potentially...

I have seen a few of these this morning that would be scoring just under the default SA threshold of 5.0 and are just under my MailScanner 6.0 threshold.

https://pastebin.com/r2eZJaef

I am reporting these to Spamcop but new waves of compromised accounts keep sending them.

They all seem to have a From address with two periods on the left side so something like this:

header __ODD_FROM_SPAM From:addr =~ /.{1,20}\..{1,20}\..{1,20}@/

could be combined with something else in a meta to help detect these and push them over the edge.

--
David Jones
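Added example, not code from this thread or from SpamAssassin itself: the __ODD_FROM_SPAM pattern above and the ".from." variant John Hardin posted later in the thread, run against a small constructed corpus the way a mass-check would, so the two-dot false positive Benny raised shows up as a ham hit. A tiny evaluator for SA-style meta expressions (&&, ||, !, parentheses) shows how a zero-score __ sub-rule is "combined with something else in a meta"; the rule name __FROM_IN_LOCALPART, the placeholder __OTHER_SIGNAL, the meta name and its 1.5 score, and the spam/ham labels are all assumptions made for the demo. SpamAssassin applies header rules as Perl regexes; neither pattern uses anything Perl-specific, so Python's re matches the same addresses.

```python
import re

# The two From:addr patterns from the thread (Perl and Python re agree on both).
HEADER_RULES = {
    "__ODD_FROM_SPAM": re.compile(r".{1,20}\..{1,20}\..{1,20}@"),  # David Jones's draft
    "__FROM_IN_LOCALPART": re.compile(r"[^@]*\.from\.[^@]*@"),     # John Hardin's ".from." idea; name assumed
}

# Meta rules: SA-style expression and score. Name, expression and score are
# assumptions standing in for "combined with something else in a meta".
META_RULES = {
    "ODD_FROM_COMBINED": ("__ODD_FROM_SPAM && __OTHER_SIGNAL", 1.5),
}

# Constructed (From address, is_spam) corpus; labels are assumed for the demo
# and none of these addresses come from the pastebins in the thread.
CORPUS = [
    ("some.spammy.item.sold@example.net", True),
    ("gifts.for.smart.people@example.net", True),
    ("bob.from.somespamcompany@example.org", True),
    ("jane.marie.smith@example.com", False),   # ordinary first.middle.last address
    ("users@spamassassin.apache.org", False),  # dots only on the right of the @
    ("alice@example.com", False),
]


def header_hits(from_addr):
    """Apply every header rule to one From address; returns {rule: hit}."""
    return {name: bool(rx.search(from_addr)) for name, rx in HEADER_RULES.items()}


def hit_rates(rule, corpus):
    """(spam_hits, spam_total, ham_hits, ham_total) for one rule over a labelled corpus."""
    spam_hits = spam_total = ham_hits = ham_total = 0
    for addr, is_spam in corpus:
        hit = header_hits(addr)[rule]
        if is_spam:
            spam_total += 1
            spam_hits += hit
        else:
            ham_total += 1
            ham_hits += hit
    return spam_hits, spam_total, ham_hits, ham_total


def eval_meta(expr, hits):
    """Evaluate an SA-style meta expression (rule names, !, &&, ||, parentheses)
    against a dict of rule hits. A name absent from hits counts as not hit,
    which is also how SA treats a rule that never fired. No eval() involved."""
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*|&&|\|\||!|[()]", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():                 # lowest precedence: a || b
        value = parse_and()
        while peek() == "||":
            take()
            value = parse_and() or value
        return value

    def parse_and():                # a && b
        value = parse_not()
        while peek() == "&&":
            take()
            value = parse_not() and value
        return value

    def parse_not():                # !a
        if peek() == "!":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():               # ( expr ) or a rule name
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in meta expression")
            return value
        return bool(hits.get(tok, False))

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in meta expression")
    return result


def score(from_addr, other_hits=None):
    """Header sub-rules (score 0, like any __ rule) plus the metas they trigger.
    other_hits stands in for rules SA would evaluate elsewhere (SPF, DMARC, URIBL...)."""
    hits = header_hits(from_addr)
    hits.update(other_hits or {})
    total = 0.0
    for name, (expr, points) in META_RULES.items():
        if eval_meta(expr, hits):
            hits[name] = True
            total += points
    return total, hits
```

Running `hit_rates(rule, CORPUS)` for each rule in HEADER_RULES reports __ODD_FROM_SPAM at 3/3 spam but 1/3 ham (the jane.marie.smith address), while the narrower ".from." pattern hits 1/3 spam and 0/3 ham, which is the trade-off John Hardin's "more often in spam than in legitimate mail" remark is about; `score("bob.from.somespamcompany@example.org", {"__OTHER_SIGNAL": True})` returns 1.5 because the meta fires, and `eval_meta("SPF_HELO_PASS && SPF_PASS && !DMARC_PASS", hits)` evaluates the expression Benny posted.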