Re: Maybe it's time to revive EvilNumbers?
Loren - Unfortunately, LW_BOGUS_ORDER doesn't get triggered for my email, because there is no List-Id. The email actually came from a Microsoft account. - Mark

    header __LW_SUB_INVOICE Subject =~ /\b(?:invoice|order)\b/
    header __LW_FROM_INVOICE From =~ /\b(?:invoice|order)\b/
    header __LW_ABC_LISTID List-Id =~ /\w{13}\s+\, some
    meta LW_BOGUS_ORDER (__LW_SUB_INVOICE || __LW_FROM_INVOICE) && __LW_ABC_LISTID
    score LW_BOGUS_ORDER 5
    describe LW_BOGUS_ORDER Fake order or invoice

On 6/19/2021 4:41 PM, users-digest-h...@spamassassin.apache.org wrote:
> A number of the rules I passed along are generic "order" rules rather than Amazon specific. I had to go back to last month's spam to find an Amazon order spam, but I've gotten a dozen or so fake orders for other things this month, all of which hit on the LW_BOGUS_ORDER rule
Re: Maybe it's time to revive EvilNumbers?
On Thu, 2021-06-17 at 17:10 -0700, Loren Wilton wrote:
> A number of the rules I passed along are generic "order" rules rather
> than Amazon specific. I had to go back to last month's spam to find an
> Amazon order spam, but I've gotten a dozen or so fake orders for other
> things this month, all of which hit on the LW_BOGUS_ORDER rule.
>
I'm not at all surprised about that: several years back when I was on the Wine mailing list I was getting a lot of sales spam from it. Unsurprising: Wine uses a combined web forum and mailing list where emails get posted to the web forum and vice versa, and if almost anybody can join the web forum, then the mailing list will be rather spammy.

Anyway, I ended up developing a number of rules to deal with this: typically they are sets of two or more subrules plus a linking meta-rule. Both subrules are long lists of alternates, one containing, say, 'sales phrases' (including misspellings, odd word order and obfuscations) and the other containing product names and descriptions. Other pairings that work have been bank names and financial terms where the sender's address doesn't match the Message ID, endearments combined with sex terms, or web commerce sites and invoices.

The good thing about rules like this is, as Loren also found, that they will quite often correctly match spam from sources or containing phrase combinations you've never seen before. Their only disadvantage is maintaining them: a lengthy alternates list is difficult to maintain with the usual text editors, so I ended up writing a reformatting tool which takes a file containing rule names, scores, descriptions etc., with the elements in each list of regex alternates on separate lines. This makes for a file that's easy to edit, and is fairly easy to convert into the small set of lines that define a valid SA rule. I wrote my converter as an awk script, but it can be written in almost any language, e.g. C, Java, Perl or even (if you must) BASIC or Javascript.

Or you can find my tool here: https://www.libelle-systems.com/free/portmanteau/portmanteau.tgz

Martin

PS: I realise many list regulars have seen all this stuff before, but there are a number of new arrivals who won't have seen it and may find it useful and/or get new ideas from it.
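A minimal converter of the kind Martin describes, added here as an example in Python rather than awk. It is not Martin's portmanteau tool: the input format (one [RULE] section per rule, a few key: value lines, alternates one per indented line) and the rule names in the sample are this example's own, and the alternates are taken as raw regex fragments.

```python
# Constructed input in this example's own block format (not the format Martin's tool uses):
# one [RULE] section per rule, alternates one per indented line; alternates are raw regex.
SAMPLE = """\
[__MK_SALES]
type: body
alternates:
  buy now
  limited (?:time )?offer
  act fast
[__MK_PRODUCTS]
type: body
alternates:
  rolex
  ray-?ban
[MK_SALES_PITCH]
type: meta
expr: __MK_SALES && __MK_PRODUCTS
score: 3.0
describe: sales phrase combined with a product name
"""

def parse_rules(text):
    """Parse the block format into a list of rule dicts, in file order."""
    rules, cur = [], None
    for raw in text.splitlines():
        if raw.startswith("["):                    # new rule section
            cur = {"name": raw.strip("[] "), "alternates": []}
            rules.append(cur)
        elif raw.startswith((" ", "\t")):          # indented line: one alternate
            cur["alternates"].append(raw.strip())
        else:                                      # key: value; a bare "alternates:" is skipped
            key, _, val = raw.partition(":")
            if val.strip():
                cur[key.strip()] = val.strip()
    return rules

def to_spamassassin(rules):
    """Emit the one-directive-per-line form that SpamAssassin actually loads."""
    out = []
    for r in rules:
        if r["type"] == "meta":
            out.append(f"meta {r['name']} {r['expr']}")
        else:  # body/rawbody/uri rule: join the alternates into one word-bounded group
            out.append(f"{r['type']} {r['name']} /\\b(?:{'|'.join(r['alternates'])})\\b/i")
        for key in ("score", "describe"):
            if key in r:
                out.append(f"{key} {r['name']} {r[key]}")
    return "\n".join(out) + "\n"
```

Running `to_spamassassin(parse_rules(SAMPLE))` yields the five directive lines SpamAssassin expects; the editable file stays the source of truth and the generated lines are what you drop into local.cf.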
Re: Maybe it's time to revive EvilNumbers?
On 6/16/21 6:18 PM, Loren Wilton wrote:
> Here are a handful of rules that work for me. Feel free to try them. If you do, please let me know how they work for you.

Thank you Loren. I'm marking your message for future use if these spam messages turn into a problem.

> (Apologies for my mail client trashing the formatting. Be sure to check for possible line wrap on some of the rules!)

*nod*nod*

--
Grant. . . .
unix || die
Re: Maybe it's time to revive EvilNumbers?
A number of the rules I passed along are generic "order" rules rather than Amazon specific. I had to go back to last month's spam to find an Amazon order spam, but I've gotten a dozen or so fake orders for other things this month, all of which hit on the LW_BOGUS_ORDER rule.

Loren

- Original Message -
From: Mark London
To: users@spamassassin.apache.org
Sent: Thursday, June 17, 2021 8:52 AM
Subject: Re: Maybe it's time to revive EvilNumbers?

> Loren - Unfortunately, the fake amazon shipment email that we received doesn't contain the word Amazon in its From or Subject headers. Or even the word amazon in the text of the message! Just the Amazon logo. And they've removed all the URLs, so the links don't work at the bottom. And they left the postal address of amazon, without the word amazon. I hate bogus spam that is so obviously bogus that it avoids filter rules. :) - Mark
>
> On 6/17/2021 10:52 AM, users-digest-h...@spamassassin.apache.org wrote:
>> Subject: Re: Maybe it's time to revive EvilNumbers?
>> From: "Loren Wilton"
>> Date: 6/16/2021, 8:18 PM
>> To:
>> Here are a handful of rules that work for me. Feel free to try them. If you do, please let me know how they work for you. (Apologies for my mail client trashing the formatting. Be sure to check for possible line wrap on some of the rules!)
Re: Maybe it's time to revive EvilNumbers?
Loren - Unfortunately, the fake amazon shipment email that we received doesn't contain the word Amazon in its From or Subject headers. Or even the word amazon in the text of the message! Just the Amazon logo. And they've removed all the URLs, so the links don't work at the bottom. And they left the postal address of amazon, without the word amazon. I hate bogus spam that is so obviously bogus that it avoids filter rules. :) - Mark

On 6/17/2021 10:52 AM, users-digest-h...@spamassassin.apache.org wrote:
> Subject: Re: Maybe it's time to revive EvilNumbers?
> From: "Loren Wilton"
> Date: 6/16/2021, 8:18 PM
> To:
> Here are a handful of rules that work for me. Feel free to try them. If you do, please let me know how they work for you. (Apologies for my mail client trashing the formatting. Be sure to check for possible line wrap on some of the rules!)
Re: Maybe it's time to revive EvilNumbers?
Here are a handful of rules that work for me. Feel free to try them. If you do, please let me know how they work for you. (Apologies for my mail client trashing the formatting. Be sure to check for possible line wrap on some of the rules!)

Loren

    # Generic payment / order wording (low scores on their own)
    body LW_PAYMENT /You\s+sent\s+a\s+Payment\s+of/i
    score LW_PAYMENT 0.5
    describe LW_PAYMENT You sent someone a payment

    body LW_ORDER /\b(?:order|purchase)\s+(?:number|ID|date|description)\b/i
    score LW_ORDER 0.5
    describe LW_ORDER Contains order information

    # Order/invoice wording combined with a spammy-looking List-Id
    header __LW_SUB_INVOICE Subject =~ /\b(?:invoice|order)\b/
    header __LW_FROM_INVOICE From =~ /\b(?:invoice|order)\b/
    header __LW_ABC_LISTID List-Id =~ /\w{13}\s+\, some
    # NOTE: the List-Id pattern above is incomplete as posted (no closing delimiter) and will not lint until fixed
    meta LW_BOGUS_ORDER (__LW_SUB_INVOICE || __LW_FROM_INVOICE) && __LW_ABC_LISTID
    score LW_BOGUS_ORDER 5
    describe LW_BOGUS_ORDER Fake order or invoice

    meta LW_SPAM_LISTID __LW_ABC_LISTID
    score LW_SPAM_LISTID 1
    describe LW_SPAM_LISTID The List_Id header seems to indicate spam

    # Order receipts should not come from free webmail accounts
    meta LW_FREEMAIL_ORDER FREEMAIL_FROM && (LW_ORDER || LW_PAYMENT)
    score LW_FREEMAIL_ORDER 4
    describe LW_FREEMAIL_ORDER An order receipt from a free email address

    # What a genuine Amazon order confirmation looks like; negative score, and used as the exception below
    header __LW_SUB_AMZ_ORDER Subject =~ /^Your Amazon\.com order \#\d{3}-\d{7}-\d{7}\s*$/
    header __LW_FROM_AMZ_ORDER From =~ /\"Amazon\.com\"\s+/
    header __LW_REP_AMZ_ORDER Reply-To =~ /^no-reply\@amazon\.com\s*$/
    body __LW_BODY_AMZ_ORDER /Amazon.com Order Confirmation/
    meta LW_REAL_AMZ_ORDER __LW_SUB_AMZ_ORDER && __LW_FROM_AMZ_ORDER && __LW_REP_AMZ_ORDER && __LW_BODY_AMZ_ORDER
    score LW_REAL_AMZ_ORDER -2
    describe LW_REAL_AMZ_ORDER Amazon order confirmation

    # Anything mentioning Amazon plus an order that does not fit the genuine pattern
    header __LW_FROM_AMZ From =~ /\bamazon\b/i
    header __LW_SUB_ORDER Subject =~ /\border\b/i
    meta LW_FAKE_AMZ_ORDER __LW_FROM_AMZ && __LW_SUB_ORDER && !LW_REAL_AMZ_ORDER
    score LW_FAKE_AMZ_ORDER 7
    describe LW_FAKE_AMZ_ORDER Amazon order phish
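To see how the layered meta-rules interact (the negative-scored "real order" rule acting as the exception to the 7-point phish rule), here is an added example that is not SpamAssassin and not Loren's code: a small Python evaluator run over the Amazon subset of the rules above, against three constructed messages, including the logo-only message Mark reports. Meta expressions are evaluated with Python's eval after a textual operator swap, which is fine for a trusted rule file but not for untrusted input.

```python
import re

# Loren's rules (verbatim subset from the thread); the evaluator and samples are this example's own.
RULES = r"""
header __LW_FROM_AMZ From =~ /\bamazon\b/i
header __LW_SUB_ORDER Subject =~ /\border\b/i
header __LW_SUB_AMZ_ORDER Subject =~ /^Your Amazon\.com order \#\d{3}-\d{7}-\d{7}\s*$/
header __LW_FROM_AMZ_ORDER From =~ /\"Amazon\.com\"\s+/
header __LW_REP_AMZ_ORDER Reply-To =~ /^no-reply\@amazon\.com\s*$/
body __LW_BODY_AMZ_ORDER /Amazon.com Order Confirmation/
meta LW_REAL_AMZ_ORDER __LW_SUB_AMZ_ORDER && __LW_FROM_AMZ_ORDER && __LW_REP_AMZ_ORDER && __LW_BODY_AMZ_ORDER
score LW_REAL_AMZ_ORDER -2
meta LW_FAKE_AMZ_ORDER __LW_FROM_AMZ && __LW_SUB_ORDER && !LW_REAL_AMZ_ORDER
score LW_FAKE_AMZ_ORDER 7
"""

def parse(text):
    # Returns (name, field, "/re/flags") tests, (name, expr) metas and {name: score}.
    tests, metas, scores = [], [], {}
    for line in text.strip().splitlines():
        kind, name, rest = line.split(None, 2)
        if kind in ("header", "body"):
            field, _, pat = rest.partition(" =~ ") if kind == "header" else ("body", "", rest)
            tests.append((name, field, pat))
        elif kind == "meta":
            metas.append((name, rest))
        elif kind == "score":
            scores[name] = float(rest)
    return tests, metas, scores

def score(msg):
    # msg maps header names and "body" to text; returns (total, visible rule hits).
    tests, metas, scores = parse(RULES)
    hits = {}
    for name, field, spec in tests:
        pat, flags = re.fullmatch(r"/(.*)/(i?)", spec).groups()
        hits[name] = re.search(pat, msg.get(field, ""), re.I if flags else 0) is not None
    for name, expr in metas:  # metas in RULES are listed in dependency order
        py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
        hits[name] = bool(eval(py, {"__builtins__": {}}, hits))  # trusted rule file only
    shown = sorted(n for n, h in hits.items() if h and not n.startswith("__"))
    return sum(scores.get(n, 0.0) for n in shown), shown

# Constructed samples: an Amazon-named phish, a genuine-looking confirmation, and Mark's logo-only case.
FAKE = {"From": "Amazon Orders <billing@example.invalid>", "Subject": "Your order has shipped",
        "body": "Call 555-0100 to cancel this order."}
REAL = {"From": '"Amazon.com" <auto-confirm@amazon.com>', "Reply-To": "no-reply@amazon.com",
        "Subject": "Your Amazon.com order #123-1234567-1234567", "body": "Amazon.com Order Confirmation"}
LOGO_ONLY = {"From": "Billing <billing@example.invalid>", "Subject": "Shipment confirmation",
             "body": "Your package is on its way. Call 555-0100."}
```

`score(FAKE)` hits only LW_FAKE_AMZ_ORDER, `score(REAL)` only the -2 exception, and `score(LOGO_ONLY)` hits nothing at all, which is exactly the gap Mark describes: with no "amazon" in From or Subject, these header-based rules have nothing to key on.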
Re: Maybe it's time to revive EvilNumbers?
On 6/15/21 10:11 AM, Mark London wrote:
> My site is getting a lot of spam that is getting past spamassassin, because it has a phone number to call rather than a link to log in using username and password. Mostly fake amazon purchases. They are getting past a lot of URL block lists because of that. FWIW. - Mark

I had one of these come in today. Indeed a bogus apparent Amazon purchase, though I don't think it said Amazon, save for a graphic. Score was -0.9. :-/

I'll save it for later to compare if I get more of them.

--
Grant. . . .
unix || die
Re: Maybe it's time to revive EvilNumbers?
On Wed, 16 Jun 2021 11:52:24 -0400 Alan wrote:

> I'm already getting FPs when someone does a copy/paste of an Amazon product
> page and sends it as mail.
> ...
> The sender's signature typically has a phone number as well, so
> EvilNumbers would make things worse.

Probably not. The original EvilNumbers was a collection of regexes for street addresses and phone numbers found in spam, but not much ham. The addresses and some of the numbers would have been just window dressing, but the OP is talking about actual scammer contact numbers, so the FP rate could be very low.
Re: Maybe it's time to revive EvilNumbers?
On 2021-06-15 19:44, Loren Wilton wrote:
>> My site is getting a lot of spam that is getting past spamassassin, because it has a phone number to call rather than a link to log in using username and password. Mostly fake amazon purchases. They are getting past a lot of URL block lists because of that. FWIW. - Mark
>
> I have a number of "purchase" rules that add about 30 points for fake Amazon (and other) scams. I haven't had one get thru in the last couple of months since I instituted them, but I only have a personal account and not a whole site, so YMMV. None of them look for phone numbers, but I do have a set of rules for a handful of stolen business addresses commonly used in spams I get. They add a few points when those show up.
>
> Loren

That approach might be problematic on multi-user servers. I'm already getting FPs when someone does a copy/paste of an Amazon product page and sends it as mail. This triggers the "not from Amazon but has images from Amazon" rule, which is weighted quite high.

The sender's signature typically has a phone number as well, so EvilNumbers would make things worse.

I still think the rule and weight are appropriate for spam, so I'm looking for other ways to mitigate the FPs.

--
For SpamAssassin Users List
Re: Maybe it's time to revive EvilNumbers?
> My site is getting a lot of spam that is getting past spamassassin, because it has a phone number to call rather than a link to log in using username and password. Mostly fake amazon purchases. They are getting past a lot of URL block lists because of that. FWIW. - Mark

I have a number of "purchase" rules that add about 30 points for fake Amazon (and other) scams. I haven't had one get thru in the last couple of months since I instituted them, but I only have a personal account and not a whole site, so YMMV. None of them look for phone numbers, but I do have a set of rules for a handful of stolen business addresses commonly used in spams I get. They add a few points when those show up.

Loren
Maybe it's time to revive EvilNumbers?
My site is getting a lot of spam that is getting past spamassassin, because it has a phone number to call rather than a link to log in using username and password. Mostly fake amazon purchases. They are getting past a lot of URL block lists because of that. FWIW. - Mark