On Tue, 27 Apr 2021, @lbutlr wrote:

On 27 Apr 2021, at 11:57, Steve Dondley <s...@dondley.com> wrote:
On 2021-04-27 01:19 PM, Dave Wreski wrote:
Invalid List-ID. You can then use that with other weirdness in a meta.
header    __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
meta   LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
score  LIST_ID_IMPROPER_FORMAT 0.001
describe LIST_ID_IMPROPER_FORMAT List-id has improper format

You lost me here. The spam has this:

List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>

That's not legit? It's in brackets.

That was my question as well, AFAIK that conforms to the requirements of a 
List-ID header.

Looks legit to me.

This is the spec.

...

Starts with one of atext? Yep. No consecutive periods? Yep.

What's the problem?

SpamAssassin is not a standards-compliance audit tool. If a given header formatting is compliant but weird and appears more in spam than in ham, it's useable.

What catches my eye about that header is that it appears to be base64 encoded, and is *not* "properly" annotated with a character set like:

  =?ISO-8859-1?B?MzY3NDAxMi01Nzg2LTU=?=

Thus, while compliant with the spec, the format may make it a useful spam sign.


FWIW, I have one example like that in my ham:

  List-Id: MTYxNzU4MS0zNjUtMg== <MTYxNzU4MS0zNjUtMg==.list-id.mailin.fr>

and several in spam:

  List-Id: MjMwNDI4NS05OTM1MDktMTI= <MjMwNDI4NS05OTM1MDktMTI=.list-id.academiasbrasil.com>
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>
  List-Id: MjcyODE0MS02ODgxNTktNDQ= <MjcyODE0MS02ODgxNTktNDQ=.list-id.soju-online.com>
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>
  List-Id: MzAzNzIzMS0yMzk4NzEtMTA= <MzAzNzIzMS0yMzk4NzEtMTA=.list-id.mailin.fr>
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>
  List-Id: MjI5Mjc2MC01NzQ0NDEtMjQ= <MjI5Mjc2MC01NzQ0NDEtMjQ=.list-id.newsletter.andreacastellana.com>

It appears to be a feature of a specific mailing list or mass mailing
application - Sendinblue, perhaps, as the ham has:

  X-Mailer: Sendinblue

Is it worth a rule for evaluation in masscheck? Maybe. Not tonight, though.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Men, it has been well said, think in herds; it will be seen that
  they go mad in herds, while they only recover their senses slowly,
  and one by one.                             -- Charles MacKay, 1852
-----------------------------------------------------------------------
 4 days until May Day - Remember 110 million people murdered by Communism
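
An added example, not code from any participant in this thread: a small Python feature extractor for the List-Id shape discussed above (a bare base64 phrase, without RFC 2047 encoded-word wrapping, repeated as the first label of the list-id). The function names are hypothetical, the printable-ASCII check is an assumption to cut false matches, and since the thread shows the shape in both ham and spam, the output is meant as input for corpus evaluation rather than a verdict.

```python
import base64
import binascii
import re

# Optional phrase followed by the list-id in angle brackets
LIST_ID_RE = re.compile(r'^\s*(?P<phrase>[^<]*?)\s*<(?P<id>[^<>\s]+)>\s*$')
# RFC 2047 encoded-word, e.g. =?ISO-8859-1?B?...?=
ENCODED_WORD_RE = re.compile(r'^=\?[^?\s]+\?[BbQq]\?[^?\s]*\?=$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')

def strict_b64(token):
    """Return decoded bytes if token is padded base64 of printable ASCII, else None."""
    if len(token) < 8 or len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Assumption: require printable ASCII so ordinary words rarely qualify
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw

def classify_list_id(value):
    """Extract features from one List-Id header value."""
    m = LIST_ID_RE.match(value)
    if not m:
        return {"parsed": False}
    phrase, list_id = m.group("phrase"), m.group("id")
    decoded = strict_b64(phrase)
    return {
        "parsed": True,
        "encoded_word": bool(ENCODED_WORD_RE.match(phrase)),
        "bare_base64": decoded is not None,
        "phrase_repeated_in_id": bool(phrase) and phrase == list_id.split(".", 1)[0],
        "decoded": decoded.decode("ascii") if decoded else None,
    }

SAMPLES = [
    # Header quoted in the thread
    "MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>",
    # Constructed: same token wrapped as an encoded-word, and an ordinary list
    "=?ISO-8859-1?B?MzY3NDAxMi01Nzg2LTU=?= <x.list-id.example.org>",
    '"Example Users" <users.lists.example.org>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_list_id(sample))
```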
