Hi,

Investigate adding the SEM_FRESH rules - this domain was created less
than five days ago.
https://spameatingmonkey.com/services

OK, how do I get those rules installed? I've only installed KAM rules using a channel. I don't see anything similar for SEM rules. I see the page you linked to says to drop this into the config:

# SEM-FRESH
urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
describe SEM_FRESH Contains a domain registered less than 5 days ago
tflags SEM_FRESH net
score SEM_FRESH 0.5

Just copy them to a file ending in ".cf" in your local spamassassin rules directory like you did with the rule you created below.

I've never seen anything like this before. Looks like this is the documentation for that: https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html

That's instructions for enabling the URIDNSBL, which is probably already enabled.

Check for something like this in your init.pre file:
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

Invalid List-ID. You can then use that with other weirdness in a meta.
header    __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
meta   LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
score  LIST_ID_IMPROPER_FORMAT 0.001
describe LIST_ID_IMPROPER_FORMAT List-id has improper format

You lost me here. The spam has this:

List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>

That's not legit? It's in brackets.

It's matching on the text before the brackets.

I believe the new Esp module that works to identify bad sendgrid
accounts also has support for sendinblue accounts, but to what extent?
X-Mailer: Sendinblue

To start, I wrote this rule that I think will probably work well because it doesn't make sense that any order information is going to come from a mailing list.

# fake order spam
header    __LOCAL_FAKE_ORDER_SUBJ   Subject =~ /your.order/i
header    __LOCAL_FAKE_ORDER_1   X-Mailer =~ /Sendinblue/i
header    __LOCAL_FAKE_ORDER_2   List-Id =~ /./

meta  LOCAL_FAKE_ORDER  __LOCAL_FAKE_ORDER_SUBJ && (__LOCAL_FAKE_ORDER_1 + __LOCAL_FAKE_ORDER_2 >= 1)
score LOCAL_FAKE_ORDER 3.0

That's great, but probably doesn't have much longevity.

You can also use the following for the presence of a header:
header  __LOCAL_FAKE_ORDER_2    exists:List-Id

Regards,
Dave
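
An added example, not part of the thread or of SpamAssassin: it evaluates the LIST_ID_IMPROPER_FORMAT logic in Python against the List-Id header quoted above, to show which part of the header the pattern tests. The function names and the three other sample messages are constructed for illustration, and Python's `re` is assumed to behave like the Perl regex for these ASCII inputs.

```python
import re
from email import message_from_string

# Pattern copied from the __LIST_ID_DOMAIN_IN_BRACKETS rule in the thread.
LIST_ID_DOMAIN_IN_BRACKETS = re.compile(r"<([\w-]+)(\.[\w-]+)+>", re.ASCII)


def list_id_improper_format(raw_message: str) -> bool:
    """Mirror the meta: __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS."""
    msg = message_from_string(raw_message)
    list_id = msg.get("List-Id")  # header lookup is case-insensitive
    if list_id is None:
        # __HAS_LIST_ID is false, so the meta cannot fire.
        return False
    # The pattern is unanchored: it only needs a <label.label...> somewhere
    # in the value, built from word characters and hyphens.
    return LIST_ID_DOMAIN_IN_BRACKETS.search(list_id) is None


# Sample messages. "thread_spam" uses the List-Id quoted in the thread;
# the other three are constructed for this example.
SAMPLES = {
    "thread_spam": (
        "List-Id: MzY3NDAxMi01Nzg2LTU= "
        "<MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>\n\nbody\n"
    ),
    "plain_list": "List-Id: Users list <users.lists.example.org>\n\nbody\n",
    "odd_label_clean_id": (
        "List-Id: MzY3NDAxMi01Nzg2LTU= <news.lists.example.org>\n\nbody\n"
    ),
    "no_list_id": "Subject: hello\n\nbody\n",
}


def evaluate_samples() -> dict:
    """Return {sample name: True if LIST_ID_IMPROPER_FORMAT would hit}."""
    return {name: list_id_improper_format(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20} LIST_ID_IMPROPER_FORMAT={'hit' if hit else 'miss'}")
```

The header from the thread hits because `=` is outside `[\w-]`, so the bracketed part never satisfies the pattern.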
