Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Sebastian Arcus


On 14/09/17 19:59, Loren Wilton wrote:

>> Should be easy to block.  Just block the cron-job.org domain.
>
> As someone else mentioned that address is an obvious joe-job. And
> scoring it high doesn't help that much. It worked for the first few
> weeks, then they went to contact@ to presumably get
> around that. I was surprised to see in the last few that they had gone
> back to the cron-job.org domain for the fake sender.
>
> For some reason these are bypassing SA on my system, I suspect due to
> the size.


I had to add on my systems a while ago an 
/etc/mail/spamassassin/spamc.conf containing:


-s 200

to increase the maximum size of emails passed to SA. It seems some 
spammers have cottoned onto the fact that 256KB is still hardwired 
somewhere in SA, and started sending spam just above that threshold to 
bypass the filter.


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread jdow
Hm, meant this to go to the list, too. The misdirection is part of why I am so 
quiet on the list, which is why I forget the misbehavior, which reinforces the 
problem when I reenter the list for a discussion. I gotta mess with my 
.procmailrc file to rewrite the headers for SA list emails, I guess. Then I can 
pester people better. {O,o} (Been using SA since the dark ages - before 2.20 if 
I recall correctly.)


The fragment of email probably would not base64 decode. It was a fragment from 
near one of the crossovers in its decorative layout design. This has been going 
on for a long time now. I catch the spams via other tricks. The "from" headings 
seem to be less imaginative than they could be.


Loren's actual problem of them leaking through goes back in history to the 
really old days on a really slow old machine. (Hey - it made over 400 days 
without a reboot during which it was relocated by about 70 miles to a new 
"home".) Back then processing more than 250k was too time consuming for that 
itty bitty machine. It has been replaced. But the .procmailrc recipe still 
included the 250k hard wired in. AND there was no --max-size=. So I 
corrected these, I thought. Alas I made it --max-size- thanks to a typo 
probably when blowing my nose thanks to the stuffiness hangover from a 
remarkably short head cold I had.


That is fixed now. But I'm mildly wondering if people are seeing that (real or 
pseudo) base64 junk, in two parts with the real payload, a URL, stuck between them.


{^_^}   Joanne

On 2017-09-14 15:35, Benny Pedersen wrote:

> jdow skrev den 2017-09-15 00:16:
>
>> On 2017-09-14 14:06, Benny Pedersen wrote:
>>
>>> Dianne Skoll skrev den 2017-09-14 20:38:
>>>
>>>> https://cron-job.org/en/spam-statement/
>>>> They are victims of a joe-job.
>>>
>>> yes prove that it really is us
>>>
>>> if it goes, it goes
>>
>> Loren's canny enough to not blacklist an address based on the from
>> address. The common element in the messages he's been receiving is a
>> 325 kb payload and that "from" address. I'm sitting in the same room
>> as him on the same network and despite my incoming spam going up to
>> some 75 to 100/day (from 1/4 of that last year) I am not getting those
>> specific spams.
>
> spamassassin here scans up to 1024K, so this could be first step for recipient
> to make, at least i found that cron-job.org have valid spf record to reject in
> mta stage if forged mails from cron-job
>
> but if envelope sender is random it's not possible to block it in mta stage, if
> that's the case it would make more sense to make clamav signature for content in
> this spams to be rejected in sendmail/milter stage
>
> i don't know exact spam from them or even seen ham as well
>
> i self scan all mails in spampd so no exceptions here
>
>> I get varying lengths and widely varying subjects and from fields.
>> This is a small extract of the body with its odd visual formatting.
>> (It really shows up if you have line wrapping enabled in a plain text
>> MUA.)
>
> aha, encoding fails ?
>
>> QYC9LYOXDU89JN94BBNNV5XED3HBHIJJWPNYTM38GKBBEF52G4T4BO6
>> reny9phehn9n65ibtzjmp8mssof5lq4qkqh5s59l4ezpztqmp1kb8r6c13p
>> SZFCF44OC5IWAUYLFBY8HZE6TCY71DPXYJQLZ2VSLRJLFVSWKP3ERPVK
>> 2o3l61lnch8kfyub9ecnj2uv5oeg1zb2qdmfieeo84hzenq7devn4liwhy
>> E66ALUU4CIGV29JRRU6WPWZC4EI1WCP5M55SOZE8PBM9OH5U7WLUEGW8W
>> 1tsq2nanaolmpm21q164t5o1ry2wc5gcq25q8d72eanj87ep7stgq58wa
>> VPNGHS4AET938S0OH263OGOBK1HKV5NDUMJPVDQALPP1XXM9YFGG7YH7ZR
>> cteeydhbt8ak7ycksvpvy8yeu3db3wf9iazx7n8jo21xdhd5vafc24l0
>> V8K7ENHU8RAWL9WPPHHAC0ZVTWXL8R98GAJX5CDH7EKWZC64TM4VHVPTA86
>> chy2kxu9196hwzvgedt7giw8iq22e89gfymg2sf4s2nebuorx7pqjtq
>> 3SO1H0IYX7COZLSMVCGAS4N94AAV7XIWK0FE7WVDPO2W68DJM0FVQE3F0MP1
>>
>> With a fixed width font it looks almost like overlapping bat wings or
>> saw-tooth waveforms when laid on its side.
>
> base64 fails ? :=)
>
>> {^_^}




Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Benny Pedersen

Dianne Skoll skrev den 2017-09-14 20:38:

> https://cron-job.org/en/spam-statement/
> They are victims of a joe-job.

yes prove that it really is us

if it goes, it goes


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread David Jones

On 09/14/2017 01:37 PM, Dianne Skoll wrote:

> On Thu, 14 Sep 2017 11:27:27 -0700
> "Loren Wilton"  wrote:
>
>> Other than being obvious spam, they seem to be set up as though they
>> were legitimate commercial mailing list stuff, often containing
>> things like contact-id and the like in the links.
>
>> Is anyone else seeing these?
>
> A small number.  The cont...@cron-job.org address is only in the From:
> header; the envelope recipients look randomly-generated and sometimes
> from unrelated domains.
>
> Should be easy to block.  Just block the cron-job.org domain.

blacklist_from *@cron-job.org
whitelist_auth *@cron-job.org

This should allow messages passing SPF or DKIM and block all others, 
correct?

> Regards,
>
> Dianne.



--
David Jones


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Loren Wilton

> Should be easy to block.  Just block the cron-job.org domain.


As someone else mentioned that address is an obvious joe-job. And scoring it 
high doesn't help that much. It worked for the first few weeks, then they 
went to contact@ to presumably get around that. I was 
surprised to see in the last few that they had gone back to the cron-job.org 
domain for the fake sender.


For some reason these are bypassing SA on my system, I suspect due to the 
size.


   Loren 



Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread David B Funk

On Thu, 14 Sep 2017, Dianne Skoll wrote:

> On Thu, 14 Sep 2017 11:27:27 -0700
> "Loren Wilton"  wrote:
>
>> Other than being obvious spam, they seem to be set up as though they
>> were legitimate commercial mailing list stuff, often containing
>> things like contact-id and the like in the links.
>
>> Is anyone else seeing these?
>
> A small number.  The cont...@cron-job.org address is only in the From:
> header; the envelope recipients look randomly-generated and sometimes
> from unrelated domains.
>
> Should be easy to block.  Just block the cron-job.org domain.


Not to mention that the target URL "proffbuilder DOT com" is listed in several 
URIBLs.



--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Dianne Skoll
Hi, again,

Aha...

https://cron-job.org/en/spam-statement/

They are victims of a joe-job.

Regards,

Dianne.


Re: In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Dianne Skoll
On Thu, 14 Sep 2017 11:27:27 -0700
"Loren Wilton"  wrote:

> Other than being obvious spam, they seem to be set up as though they
> were legitimate commercial mailing list stuff, often containing
> things like contact-id and the like in the links.

> Is anyone else seeing these?

A small number.  The cont...@cron-job.org address is only in the From:
header; the envelope recipients look randomly-generated and sometimes
from unrelated domains.

Should be easy to block.  Just block the cron-job.org domain.

Regards,

Dianne.



In anyone else getting 325KB spams from cont...@cron-job.org?

2017-09-14 Thread Loren Wilton
For about a month now I've been getting about 30 spams a day that are all in 
the range of 325KB in size. This is all in two bogus style tags. The message 
itself is usually just a few links, very often to proffbuilder.com. The 
from address is always a random name, but the email address is very often 
cont...@cron-job.org.


Other than being obvious spam, they seem to be set up as though they were 
legitimate commercial mailing list stuff, often containing things like 
contact-id and the like in the links.


Is anyone else seeing these?

   Loren
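The traits this thread pins down (a body padded to around 325 KB inside two bogus style tags, a From: header on cron-job.org that the envelope sender does not back up, and links to the URIBL-listed proffbuilder.com) can be checked together; the Python triage script below is an added example, not code from any poster, run over two messages constructed here. The From: local part is a placeholder because the archive obfuscates the real one, and the 256 KB scanner limit is the figure quoted in this thread.

```python
"""Triage check for the bulk-mail campaign described in this thread.

Added example, not code from the original posts.  It checks a raw message
for the traits the thread reports: padded to just above a scanner's size
limit, a From: header on an impersonated domain (cron-job.org) while the
envelope sender is something else, and links to a host the thread says is
listed in several URIBLs (proffbuilder.com).  All sample messages are
constructed here; the real local part of the forged From address is
obfuscated in the list archive, so a placeholder local part is used.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

IMPERSONATED_FROM_DOMAINS = {"cron-job.org"}   # forged in From: (thread)
SUSPECT_URL_HOSTS = {"proffbuilder.com"}      # URIBL-listed per the thread
SCANNER_LIMIT_BYTES = 256 * 1024              # the "hardwired" limit cited above
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a header value, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg.get("From", ""))
    # Return-Path is where the receiving MTA records the envelope sender.
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    link_hosts = {h.lower() for h in URL_RE.findall(text)}
    result = {
        "size_bytes": len(raw),
        # Padded past the limit, so a size-capped scanner never sees it.
        "exceeds_scanner_limit": len(raw) > SCANNER_LIMIT_BYTES,
        # Header From: on the impersonated domain, envelope sender elsewhere.
        "forged_from_domain": (from_domain in IMPERSONATED_FROM_DOMAINS
                               and envelope_domain != from_domain),
        "suspect_link": bool(link_hosts & SUSPECT_URL_HOSTS),
        # The filler lives in two bogus <style> blocks, as Loren describes.
        "style_padding": text.lower().count("<style") >= 2,
    }
    result["score"] = sum(result[k] for k in (
        "exceeds_scanner_limit", "forged_from_domain",
        "suspect_link", "style_padding"))
    return result


def build_sample(padding_bytes: int, from_addr: str, return_path: str,
                 link_host: str) -> bytes:
    """Constructed test message; padding > 0 mimics the campaign's layout."""
    link = f'<p><a href="http://{link_host}/?contact-id=1">offer</a></p>'
    if padding_bytes:
        # Filler shaped like the extract posted in the thread: alternating
        # upper/lower-case alphanumeric lines, split across two <style> tags.
        unit = "QYC9LYOXDU89JN94BBNNV5XED3HBHIJJ\nreny9phehn9n65ibtzjmp8mssof5lq4q\n"
        filler = (unit * (padding_bytes // len(unit) + 1))[:padding_bytes]
        half = len(filler) // 2
        html = (f"<html>\n<style>\n{filler[:half]}\n</style>\n{link}\n"
                f"<style>\n{filler[half:]}\n</style>\n</html>\n")
    else:
        html = f"<html>\n<p>Hi,</p>\n{link}\n</html>\n"
    msg = EmailMessage()
    msg["Return-Path"] = return_path
    msg["From"] = from_addr
    msg["To"] = "user@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content(html, subtype="html")
    return msg.as_bytes()


# Constructed samples: one shaped like the campaign, one ordinary message.
CAMPAIGN_SAMPLE = build_sample(325 * 1024, "Random Name <placeholder@cron-job.org>",
                               "<x7f3q9@unrelated-example.net>", "proffbuilder.com")
ORDINARY_SAMPLE = build_sample(0, "Bob <bob@example.org>",
                               "<bob@example.org>", "example.org")

if __name__ == "__main__":
    for label, sample in (("campaign", CAMPAIGN_SAMPLE), ("ordinary", ORDINARY_SAMPLE)):
        print(label, triage(sample))
```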



Re: new campaign: bitly & appengine.google

2017-09-14 Thread Benny Pedersen

Robert Kudyba skrev den 2017-09-14 16:18:

> A few less now, so these are ok to ignore?
>
> Sep 14 10:15:48.607 [21681] dbg: config: warning: SCORE SET FOR
> NON-EXISTENT RULE DNS_FROM_RFC_BOGUSMX


search for RFC and remove rules


Re: new campaign: bitly & appengine.google

2017-09-14 Thread Kevin A. McGrail

I'll check but nothing jumps out as an issue.  Ping me next Wednesday.

On 9/14/2017 10:18 AM, Robert Kudyba wrote:

> A few less now, so these are ok to ignore?


Re: new campaign: bitly & appengine.google

2017-09-14 Thread Robert Kudyba
A few less now, so these are ok to ignore?

spamassassin -D --lint 2>&1 | grep -Ei '(failed|undefined dependency|score set 
for non-existent rule)'
Sep 14 10:15:48.606 [21681] dbg: config: warning: score set for non-existent 
rule DNS_FROM_RFC_DSN
Sep 14 10:15:48.606 [21681] dbg: config: warning: score set for non-existent 
rule __RFC_IGNORANT_ENVFROM
Sep 14 10:15:48.607 [21681] dbg: config: warning: score set for non-existent 
rule DNS_FROM_RFC_BOGUSMX
Sep 14 10:15:48.607 [21681] dbg: config: warning: score set for non-existent 
rule FILL_THIS_FORM_FRAUD_PHISH
Sep 14 10:15:48.607 [21681] dbg: config: warning: score set for non-existent 
rule DNS_FROM_AHBL_RHSBL
Sep 14 10:15:48.608 [21681] dbg: config: warning: score set for non-existent 
rule __DNS_FROM_RFC_ABUSE
Sep 14 10:15:48.608 [21681] dbg: config: warning: score set for non-existent 
rule __DNS_FROM_RFC_POST
Sep 14 10:15:48.608 [21681] dbg: config: warning: score set for non-existent 
rule FILL_THIS_FORM_LOAN
Sep 14 10:15:48.608 [21681] dbg: config: warning: score set for non-existent 
rule FILL_THIS_FORM_LONG
Sep 14 10:15:48.608 [21681] dbg: config: warning: score set for non-existent 
rule __DNS_FROM_RFC_WHOIS
Sep 14 10:15:48.608 [21681] dbg: config: warning: score set for non-existent 
rule HELO_LH_HOME
Sep 14 10:15:48.609 [21681] dbg: config: warning: score set for non-existent 
rule URI_OBFU_WWW
Sep 14 10:15:48.648 [21681] dbg: config: warning: no description set for 
KAM_RPTR_FAILED
Sep 14 10:15:50.738 [21681] dbg: rules: meta test LCL_DOB_FROM_INFO has 
undefined dependency '__FROM_DOM_INFO'
Sep 14 10:15:50.743 [21681] dbg: rules: meta test KAM_SALE has undefined 
dependency 'BODY_8BITS'
Sep 14 10:15:50.771 [21681] dbg: rules: meta test KAM_PHISH2 has undefined 
dependency '__KAM_URIBL_PCCC'
Sep 14 10:15:50.788 [21681] dbg: rules: meta test KAM_BADPDF2 has undefined 
dependency 'KAM_BADPDF'
Sep 14 10:15:50.788 [21681] dbg: rules: meta test KAM_BADPDF2 has undefined 
dependency 'KAM_BADPDF1'
Sep 14 10:15:50.795 [21681] dbg: rules: meta test KAM_COLLEGE has undefined 
dependency '__KAM_URIBL_PCCC'
Sep 14 10:15:50.801 [21681] dbg: rules: meta test KAM_CREDIT2 has undefined 
dependency '__KAM_URIBL_PCCC'
Sep 14 10:15:50.801 [21681] dbg: rules: meta test KAM_BAD_DNSWL has undefined 
dependency 'IN_BRBL'
Sep 14 10:15:50.801 [21681] dbg: rules: meta test KAM_BAD_DNSWL has undefined 
dependency 'RCVD_IN_BRBL_RELAY'
Sep 14 10:15:50.801 [21681] dbg: rules: meta test KAM_BAD_DNSWL has undefined 
dependency '__KAM_URIBL_PCCC'
Sep 14 10:15:50.801 [21681] dbg: rules: meta test KAM_BAD_DNSWL has undefined 
dependency 'KAM_MESSAGE_EMAILBL_PCCC'
Sep 14 10:15:50.804 [21681] dbg: rules: meta test DIGEST_MULTIPLE has undefined 
dependency 'DCC_CHECK'

> On Sep 14, 2017, at 10:12 AM, Kevin A. McGrail  
> wrote:
> 
> grab https://www.pccc.com/downloads/SpamAssassin/contrib/nonKAMrules.cf as well.
> 
> After that let me know but some rules are internal use only so if it's a 
> warning, don't be too concerned.
> 
> Regards,
> KAM

Re: new campaign: bitly & appengine.google

2017-09-14 Thread Kevin A. McGrail
grab https://www.pccc.com/downloads/SpamAssassin/contrib/nonKAMrules.cf 
as well.


After that let me know but some rules are internal use only so if it's a 
warning, don't be too concerned.


Regards,
KAM
On 9/14/2017 9:57 AM, Robert Kudyba wrote:


Re: new campaign: bitly & appengine.google

2017-09-14 Thread Robert Kudyba
> > i have lost the url for kam.cf :(
> 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.pccc.com_downloads_SpamAssassin_contrib_KAM.cf&d=DwIDaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=2_KMc6f7_uK5u9lGUOjxcShbX6TXhm_XZ-6Rqk8esj4&s=RD7D7GpMhY_eNZ_prqUt371WFA_gJTsvqxSybQct8sI&e=
>  
> It's the first hit googling for KAM.cf if you ever need.

Just added this to our Fedora 26 server, any reason for these warnings?
rpm -q spamassassin
spamassassin-3.4.1-12.fc26.x86_64

[root@server spamassassin]# sa-update
[root@ server spamassassin]# spamassassin -D --lint 2>&1 | grep -Ei 
'(failed|undefined dependency|score set for non-existent rule)'
Sep 14 09:50:43.738 [9443] dbg: config: warning: score set for non-existent 
rule HELO_LH_HOME
Sep 14 09:50:43.738 [9443] dbg: config: warning: score set for non-existent 
rule DNS_FROM_RFC_DSN
Sep 14 09:50:43.738 [9443] dbg: config: warning: score set for non-existent 
rule DNS_FROM_RFC_BOGUSMX
Sep 14 09:50:43.738 [9443] dbg: config: warning: score set for non-existent 
rule FILL_THIS_FORM_LOAN
Sep 14 09:50:43.738 [9443] dbg: config: warning: score set for non-existent 
rule FILL_THIS_FORM_FRAUD_PHISH
Sep 14 09:50:43.739 [9443] dbg: config: warning: score set for non-existent 
rule URI_OBFU_WWW
Sep 14 09:50:43.739 [9443] dbg: config: warning: score set for non-existent 
rule __DNS_FROM_RFC_WHOIS
Sep 14 09:50:43.739 [9443] dbg: config: warning: score set for non-existent 
rule __RFC_IGNORANT_ENVFROM
Sep 14 09:50:43.739 [9443] dbg: config: warning: score set for non-existent 
rule __DNS_FROM_RFC_ABUSE
Sep 14 09:50:43.739 [9443] dbg: config: warning: score set for non-existent 
rule __DNS_FROM_RFC_POST
Sep 14 09:50:43.739 [9443] dbg: config: warning: score set for non-existent 
rule DNS_FROM_AHBL_RHSBL
Sep 14 09:50:43.739 [9443] dbg: config: warning: score set for non-existent 
rule FILL_THIS_FORM_LONG
Sep 14 09:50:43.852 [9443] dbg: config: warning: no description set for 
KAM_RPTR_FAILED
Sep 14 09:50:44.773 [9443] dbg: rules: CBJ_GiveMeABreak merged duplicates: 
KAM_IFRAME KAM_RAPTOR KAM_RPTR_FAILED KAM_RPTR_PASSED KAM_RPTR_SUSPECT
Sep 14 09:50:45.864 [9443] dbg: rules: meta test DIGEST_MULTIPLE has undefined 
dependency 'DCC_CHECK'
Sep 14 09:50:45.867 [9443] dbg: rules: meta test KAM_CREDIT2 has undefined 
dependency '__KAM_URIBL_PCCC'
Sep 14 09:50:45.872 [9443] dbg: rules: meta test LCL_DOB_FROM_INFO has 
undefined dependency '__FROM_DOM_INFO'
Sep 14 09:50:45.873 [9443] dbg: rules: meta test KAM_BADPDF2 has undefined 
dependency 'KAM_BADPDF'
Sep 14 09:50:45.873 [9443] dbg: rules: meta test KAM_BADPDF2 has undefined 
dependency 'KAM_BADPDF1'
Sep 14 09:50:45.891 [9443] dbg: rules: meta test KAM_COLLEGE has undefined 
dependency '__KAM_URIBL_PCCC'
Sep 14 09:50:45.895 [9443] dbg: rules: meta test KAM_GRABBAG9 has undefined 
dependency 'MALFORMED_FREEMAIL'
Sep 14 09:50:45.903 [9443] dbg: rules: meta test KAM_PHISH2 has undefined 
dependency '__KAM_URIBL_PCCC'
Sep 14 09:50:45.908 [9443] dbg: rules: meta test KAM_BAD_DNSWL has undefined 
dependency 'IN_BRBL'
Sep 14 09:50:45.908 [9443] dbg: rules: meta test KAM_BAD_DNSWL has undefined 
dependency 'RCVD_IN_BRBL_RELAY'
Sep 14 09:50:45.908 [9443] dbg: rules: meta test KAM_BAD_DNSWL has undefined 
dependency '__KAM_URIBL_PCCC'
Sep 14 09:50:45.908 [9443] dbg: rules: meta test KAM_BAD_DNSWL has undefined 
dependency 'KAM_MESSAGE_EMAILBL_PCCC'
Sep 14 09:50:45.908 [9443] dbg: rules: meta test KAM_BAD_DNSWL has undefined 
dependency 'RCVD_IN_HOSTKARMA_W'
Sep 14 09:50:45.916 [9443] dbg: rules: meta test KAM_GOOGLE2 has undefined 
dependency 'HK_SPAMMY_FILENAME'
Sep 14 09:50:45.924 [9443] dbg: rules: meta test JMQ_CONGRAT has undefined 
dependency 'HK_SPAMMY_FILENAME'
Sep 14 09:50:45.925 [9443] dbg: rules: meta test KAM_SALE has undefined 
dependency 'BODY_8BITS'
[root@storm server]# spamassassin --lint
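An added example, not from the posters or from the SpamAssassin project: a small Python parser that re-joins the mail-wrapped `spamassassin -D --lint` lines and groups the warnings by kind and rule name, which makes the RFC-related orphan scores Benny suggests removing easy to pick out. The sample input is a constructed excerpt of the output quoted above.

```python
"""Summarise the `spamassassin -D --lint` warnings quoted in this thread.

Added example, not from the original posts or from the SpamAssassin project.
The debug lines in the mail are wrapped at the mail client's margin, so the
parser first re-joins continuation lines, then groups 'score set for
non-existent rule' (stray score entries; Benny's advice is to find the RFC
ones and remove them), 'undefined dependency' (meta rules weakened by a
missing sub-rule) and 'no description set' warnings by rule name.  The
sample below is a constructed excerpt of the output shown in the thread.
"""
import re
from collections import defaultdict

LOG_START_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ \[\d+\] ")
PROMPT_RE = re.compile(r"^\[[^\]]*\]# ")
NONEXISTENT_RE = re.compile(r"score set for non-existent rule (\S+)")
UNDEF_DEP_RE = re.compile(r"meta test (\S+) has undefined dependency '([^']+)'")
NO_DESC_RE = re.compile(r"no description set for (\S+)")


def unwrap(output: str) -> list:
    """Re-join debug lines that a mail client wrapped onto a second line."""
    lines = []
    for raw in output.splitlines():
        if LOG_START_RE.match(raw):
            lines.append(raw.strip())
        elif lines and raw.strip() and not PROMPT_RE.match(raw):
            # Continuation of the previous debug line, not a shell prompt.
            lines[-1] += " " + raw.strip()
    return lines


def parse_lint(output: str) -> dict:
    """Group lint warnings by category and rule name."""
    orphan_scores, no_description = [], []
    missing_deps = defaultdict(list)      # missing sub-rule -> meta rules
    for line in unwrap(output):
        if m := NONEXISTENT_RE.search(line):
            orphan_scores.append(m.group(1))
        elif m := UNDEF_DEP_RE.search(line):
            missing_deps[m.group(2)].append(m.group(1))
        elif m := NO_DESC_RE.search(line):
            no_description.append(m.group(1))
    return {
        "orphan_scores": orphan_scores,
        # Candidates for removal per Benny's "search for RFC" suggestion.
        "orphan_rfc_scores": [r for r in orphan_scores if "RFC" in r],
        "missing_deps": dict(missing_deps),
        "no_description": no_description,
    }


# Constructed excerpt of the lint output quoted in this thread.
SAMPLE_LINT_OUTPUT = """\
[root@server spamassassin]# spamassassin -D --lint 2>&1 | grep -Ei
'(failed|undefined dependency|score set for non-existent rule)'
Sep 14 10:15:48.606 [21681] dbg: config: warning: score set for non-existent
rule DNS_FROM_RFC_DSN
Sep 14 10:15:48.606 [21681] dbg: config: warning: score set for non-existent
rule __RFC_IGNORANT_ENVFROM
Sep 14 10:15:48.607 [21681] dbg: config: warning: score set for non-existent
rule FILL_THIS_FORM_FRAUD_PHISH
Sep 14 10:15:48.648 [21681] dbg: config: warning: no description set for
KAM_RPTR_FAILED
Sep 14 10:15:50.743 [21681] dbg: rules: meta test KAM_SALE has undefined
dependency 'BODY_8BITS'
Sep 14 10:15:50.771 [21681] dbg: rules: meta test KAM_PHISH2 has undefined
dependency '__KAM_URIBL_PCCC'
Sep 14 10:15:50.795 [21681] dbg: rules: meta test KAM_COLLEGE has undefined
dependency '__KAM_URIBL_PCCC'
[root@storm server]# spamassassin --lint
"""

if __name__ == "__main__":
    for key, value in parse_lint(SAMPLE_LINT_OUTPUT).items():
        print(f"{key}: {value}")
```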



Re: [poppler] Encrypted malicious PDFs fails

2017-09-14 Thread Martin Gregorie
On Wed, 2017-09-13 at 20:36 -0400, Alex wrote:

> I understood that without the password the document would not be
> visible, not just that it couldn't be changed.
> 
That's my understanding too. I've always been unable to see a password
protected PDF until I supply the password: all you see when attempting
to open it is the small password entry pop-up.

> I didn't see that there was ever a password required. I was able to
> view the PDF and click the link enclosed.
> 
In that case the PDF wasn't password protected.

If you use the appropriate tools (less and some text editors, e.g. vi
or gedit for those of us running Linux, BSD and other UNIX clones),
you can see they have a similar structure to a multi-part email and, by
reading their headers, you can see that the internal components can be
compressed or encoded so it's quite possible to build a non-passworded
PDF which contains obfuscated and/or malicious content.

I have a local rule that recognises harmful attachments by their
extension. It includes PDF in its extension list (along with exe, rtf,
doc, docx and vbs) and scores them at 1.5 because all are executable or
may contain macros that may activate when the attachment is opened.

Martin
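As an added illustration of Martin's approach, not his rule or any SpamAssassin code, here is a Python screener that flags attachments by the extensions he lists and, for PDFs, reports from the raw bytes whether the file is password protected (an /Encrypt entry in the trailer) and which stream filters it uses; the PDF and message samples are constructed here.

```python
"""Attachment screening along the lines of Martin's local rule above.

Added example; it is not Martin's rule or any SpamAssassin code.  It walks
a message's MIME parts, flags attachments by extension using the list in
the thread (exe, rtf, doc, docx, vbs, pdf) and, for PDFs, looks at the raw
bytes to report whether the file is password protected (an /Encrypt entry
in the trailer) and which stream filters it uses, since compressed or
re-encoded streams are where a non-passworded PDF can hide obfuscated
content.  The 1.5 score is the weight Martin mentions; the PDF and message
samples are constructed here.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

RISKY_EXTENSIONS = {"exe", "rtf", "doc", "docx", "vbs", "pdf"}
RISKY_ATTACHMENT_SCORE = 1.5
ENCRYPT_RE = re.compile(rb"/Encrypt\b")
FILTER_RE = re.compile(rb"/Filter\s*\[?\s*(/[A-Za-z0-9]+)")


def inspect_pdf(data: bytes) -> dict:
    """Structural look at PDF bytes; no rendering and no PDF library."""
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        # A password-protected PDF declares its encryption in the trailer.
        "password_protected": ENCRYPT_RE.search(data) is not None,
        # Filters such as /FlateDecode mean the object bytes are not plain.
        "stream_filters": sorted({m.group(1).decode("ascii")
                                  for m in FILTER_RE.finditer(data)}),
    }


def screen_attachments(raw: bytes) -> dict:
    """List risky attachments in a raw message and the score to add."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rpartition(".")[2].lower()
        if ext not in RISKY_EXTENSIONS:
            continue
        finding = {"filename": name, "extension": ext}
        if ext == "pdf":
            finding.update(inspect_pdf(part.get_payload(decode=True) or b""))
        findings.append(finding)
    return {"findings": findings,
            "score": RISKY_ATTACHMENT_SCORE if findings else 0.0}


def constructed_pdf(trailer_extra: bytes = b"") -> bytes:
    """Minimal PDF skeleton with one Flate-compressed stream (constructed)."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"4 0 obj << /Length 6 /Filter /FlateDecode >> stream\n"
            b"xxxxxx\nendstream endobj\n"
            b"trailer << /Root 1 0 R " + trailer_extra + b">>\n%%EOF\n")


def constructed_message(filename: str, data: bytes) -> bytes:
    """Plain-text message carrying one attachment (constructed)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    subtype = "pdf" if filename.lower().endswith(".pdf") else "octet-stream"
    msg.add_attachment(data, maintype="application", subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


PLAIN_PDF_MSG = constructed_message("invoice.pdf", constructed_pdf())
LOCKED_PDF_MSG = constructed_message("invoice.pdf",
                                     constructed_pdf(b"/Encrypt 5 0 R "))
IMAGE_MSG = constructed_message("photo.png", b"\x89PNG\r\n\x1a\n")

if __name__ == "__main__":
    for label, sample in (("plain pdf", PLAIN_PDF_MSG),
                          ("locked pdf", LOCKED_PDF_MSG), ("png", IMAGE_MSG)):
        print(label, screen_attachments(sample))
```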