RE: [Mimedefang] help a journalist: What do you wish the CIO understood about fighting spam? (fwd)
This one's easy: HTML mail is evil.

[snip]
***If you could get your CIO (or top management) to understand one thing, just ONE thing, about fighting spam, what would it be?***
[/snip]

--
Dave Helton, Senior Systems Engineer
Hughes Network Technologies
2407 - 40th Street
Moline, IL 61265
(309) 743-2130 x109

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] LZW, Gifs, and fingerprinting stock spams
I have had very good success with this plugin for SA:

http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

The config file allows you to add/remove keywords, and the program keeps a hash of known images so that they are not OCR'ed again. This plugin also understands animated GIFs, something I've seen recently. I do not know how well it handles compressed images. Needs testing.

HTH
-Dave
Hughes Network Technologies

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philip Prindeville
Sent: Tuesday, October 31, 2006 10:26 PM
To: mimedefang@lists.roaringpenguin.com
Subject: [Mimedefang] LZW, Gifs, and fingerprinting stock spams

I'm trying to do some stochastic analysis of stock spams and figure out if there's a common fingerprint that can be used to identify them... But first, I'm bumping up against some Perl issues.

Seems that there aren't many modules out there that help deconstruct GIF formats. I'm using Image::Info::GIF, but need to decompress the compressed data portion.

I tried to take the data and pass it to Compress::LZW directly, but most GIFs (at least for stocks, which don't use many colors) use 4, 6, or 8 bit code sizes. Unfortunately, Compress::LZW only handles 12 or 16 bits...

Anyone familiar enough with either GIF formats or how to decompress the data to offer a leg up?

Thanks,
-Philip
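A decoder for the GIF flavour of LZW that Philip's question describes, added here as an example (it is not code from either post, and not Compress::LZW): codes start at one bit wider than the image's minimum code size and widen up to 12 bits, with the clear and end-of-information codes reserved in the dictionary. It assumes the caller has already joined the image data sub-blocks (the length-prefixed chunks that follow the minimum code size byte) into one byte string; the three-byte sample stream is hand-packed for the example.

```perl
# Added example (not from the posts above, not Compress::LZW): GIF-flavoured LZW,
# which starts at the image's minimum code size (2..8 bits) and widens up to 12.
# Input: the LZW minimum code size byte and the joined sub-block payloads.
use strict;
use warnings;

# Returns the decoded pixel (palette index) values; dies on a corrupt stream.
sub gif_lzw_decode {
    my ($min_code_size, $data) = @_;
    my $clear = 1 << $min_code_size;
    my $eoi   = $clear + 1;
    my ($code_size, $next_code, $prev, @dict);
    my $reset = sub {
        @dict      = map { chr } 0 .. $clear - 1;   # single-pixel entries
        $#dict     = $eoi;                           # clear/eoi slots stay undef
        $code_size = $min_code_size + 1;
        $next_code = $eoi + 1;
        undef $prev;
    };
    $reset->();
    my ($out, $bitbuf, $nbits, $pos) = ('', 0, 0, 0);
    while (1) {
        # GIF packs codes least-significant bit first across byte boundaries
        while ($nbits < $code_size) {
            return _pixels($out) if $pos >= length $data;   # truncated: no EOI seen
            $bitbuf |= ord(substr($data, $pos++, 1)) << $nbits;
            $nbits  += 8;
        }
        my $code = $bitbuf & ((1 << $code_size) - 1);
        $bitbuf >>= $code_size;
        $nbits   -= $code_size;
        if ($code == $clear) { $reset->(); next }
        last if $code == $eoi;
        my $entry;
        if ($code < $next_code && defined $dict[$code]) {
            $entry = $dict[$code];
            $dict[$next_code++] = $prev . substr($entry, 0, 1)
                if defined $prev && $next_code < 4096;
        } elsif ($code == $next_code && defined $prev) {
            $entry = $prev . substr($prev, 0, 1);           # the KwKwK case
            $dict[$next_code++] = $entry;
        } else {
            die "corrupt LZW stream: code $code at byte $pos\n";
        }
        $out .= $entry;
        $prev = $entry;
        # widen once the next code would no longer fit in code_size bits
        $code_size++ if $next_code == (1 << $code_size) && $code_size < 12;
    }
    return _pixels($out);
}
sub _pixels { map { ord } split //, $_[0] }

# Constructed sample: minimum code size 2 and three bytes hand-packed from the
# codes clear,1,6,2,8,eoi, the LZW encoding of the pixel run 1 1 1 2 2 2.
my @pixels = gif_lzw_decode(2, "\x8C\x85\x05");
print join(' ', @pixels), "\n";
```

The decoder is deliberately strict: a code that is neither in the dictionary nor the next free code is treated as corruption, which is also the first thing to check when fingerprinting images that were mangled to dodge filters.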
[Mimedefang] error msg
Hello all,

I'm getting these reports in the log files daily: "About to execute command 'relayok ..." etc. I'm wondering if anyone else is getting these and what the threat level is.

-
Oct 20 04:50:05 ns2 sendmail[26397]: k9K9o3Tj026397: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=ask-soft.rmt.ru [81.13.115.234]
Oct 20 04:50:14 ns2 mimedefang-multiplexor[2563]: Starting slave 9 (pid 26411) (3 running): About to execute command 'relayok 212.235.233.116 [212.235.233.116] '
Oct 20 04:50:14 ns2 mimedefang-multiplexor[2563]: Starting slave 4 (pid 26415) (4 running): About to execute command 'relayok 212.235.233.116 [212.235.233.116] '
Oct 20 04:50:14 ns2 mimedefang-multiplexor[2563]: Starting slave 3 (pid 26417) (5 running): About to execute command 'relayok 212.235.233.116 [212.235.233.116] '
Oct 20 04:50:14 ns2 mimedefang.pl[22526]: RELAY: <212.235.233.116> <[212.235.233.116]>
Oct 20 04:50:14 ns2 mimedefang-multiplexor[2563]: Starting slave 7 (pid 26418) (6 running): About to execute command 'relayok 212.235.233.116 [212.235.233.116] '
Oct 20 04:50:14 ns2 mimedefang.pl[25692]: RELAY: <212.235.233.116> <[212.235.233.116]>
Oct 20 04:50:14 ns2 mimedefang.pl[25692]: RELAY: <212.235.233.116> <[212.235.233.116]>
Oct 20 04:50:14 ns2 mimedefang.pl[22526]: RELAY: <212.235.233.116> <[212.235.233.116]>
Oct 20 04:50:16 ns2 mimedefang.pl[22526]: helo: [212.235.233.116] (212.235.233.116) said "helo lilijana"
Oct 20 04:50:16 ns2 mimedefang.pl[22526]: filter_helo rejected helo lilijana

--
Dave Helton, Senior Systems Engineer
Hughes Network Technologies
2407 - 40th Street
Moline, IL 61265
(309) 743-2130 x109
Re: [Mimedefang] Strange activity
On Wed, 2006-01-04 at 17:02 -0500, David F. Skoll wrote:
> And I don't think it's a bad firewall rule, because as I said, lots
> of normal mail is flowing just fine.
>
> Regards,
>
> David.

The next strain of the Sober virus is due to hit on the 5th of this month. In some parts of the world... it already is the 5th. Anything is possible.

KC, I checked my time-outs against the ones you posted. Very close ;)

--Dave
======
Dave Helton
Real World Computing
phone: 563-386-4041
[Mimedefang] best wishes
Please accept with no obligation, implied or implicit, our best wishes for an environmentally conscious, socially responsible, low stress, non-addictive, gender neutral, celebration of the winter solstice holiday, practiced within the most enjoyable traditions of the religious persuasion of your choice, or secular practices of your choice, with respect for the religious/secular persuasions and/or traditions of others, or their choice not to practice religious or secular traditions at all...

...and a fiscally successful, personally fulfilling, and medically uncomplicated recognition of the onset of the generally accepted calendar year 2006, but not without due respect for the calendars of choice of other cultures whose contributions to society have helped make America great, (not to imply that America is necessarily greater than any other country or is the only "AMERICA" in the western hemisphere), and without regard to the race, creed, color, age, physical ability, religious faith, choice of computer platform, or sexual preference of the wishee.

(By accepting this greeting, you are accepting these terms. This greeting is subject to clarification or withdrawal. It is freely transferable with no alteration to the original greeting. It implies no promise by the wisher to actually implement any of the wishes for her/himself or others, and is void where prohibited by law, and is revocable at the sole discretion of the wisher. This wish is warranted to perform as expected within the usual application of good tidings for a period of one year, or until the issuance of a subsequent holiday greeting, whichever comes first, and warranty is limited to replacement of this wish or issuance of a new wish at the sole discretion of the wisher.)

-

I think it was the disclaimer that did it for me...

--Dave
======
Dave Helton            internet technologies
Real World Computing   network consultant
phone: 563-386-4041
RE: [Mimedefang] Mimedefang and clamd configuration problems
On Wed, 2005-12-21 at 09:03 -0800, [EMAIL PROTECTED] wrote:
>
>
> > I want to have mimedefang also use clamd ( or clamav, whichever is
> > best).
>
> I had a permissions problem initially where the clamd user didn't
> have access to the MIMEDefang spool directory.

I too had problems with permissions, especially when cron ran the freshclam update. The method I used to 'fix' this was to compile ClamAV with:

    ./configure --with-user=defang --with-group=defang

Problem solved! Since I only use clamd with MD on my server I don't see this as a security issue. Someone chirp up if the above raises a concern.

--Dave
======
Dave Helton            internet technologies
Real World Computing   network consultant
phone: 563-386-4041
http://www.kd0yu.com
[Mimedefang] unknown os error
Could someone help me decipher this error msg? I can ping the host by name, I can telnet to it on port 25. It's pretty much a valid listserver, but I just can't find the source of this problem.

Dec 15 09:50:39 web sendmail[26589]: jBEE79GY027808: to=, delay=1+01:43:29, xdelay=00:00:00, mailer=esmtp, pri=2462405, relay=mail2.marketwatchmail.com., dsn=4.0.0, stat=Operating system error
Dec 15 09:50:39 web sendmail[26589]: jBFFjDkM026437: SYSERR(root): getmxrr: res_search (mail2.marketwatchmail.com.) failed with impossible h_errno (0)

BTW, this is the only host that throws this type of rr error. I do not have it blocked in the firewall or in hosts.deny, or in the access file. I'm stumped.

--
--Dave
======
Dave Helton
Real World Computing
phone: 563-386-4041
[Mimedefang] MD+SA+SQL
Greetings all,

MD 2.53
Sendmail 8.13
SA 3.0.1

My problem revolves around setting up SA to use the white/black list userprefs held in an SQL database. I've set up a squirrelmail plugin that allows users to enter their white/black list addresses. (It's quite slick.) These show up in the database properly and SPAMC honors the entries just fine. The headers reported show that SA did look up the address in the database and both the scores and white/black listing were properly applied.

When run under MD, no such headers or white/black list entries are shown. I feel I must emphasize the word 'shown'.

I would really like to use this feature. Has anyone else delved into this area and have any pointers? I've been all over SA's website(s) and have found very little info on it.

--Dave
======
Dave Helton
Real World Computing
phone: 563-386-4041
[Mimedefang] character substitutions and obfuscation
Greetings all,

I have a block of code that _extensively_ checks the subject lines for obfuscations and the like. I'd like to add the following to an existing rule:

    $subst1 = chr(236);  ## substitutions in the word viagra: the grave accented i
    $subst2 = chr(237);  ## .. and the acute accented i
    $subst3 = chr(242);  ## grave and acute accented oh.
    $subst4 = chr(243);
    $subj_line =~ s/(?:$subst1|$subst2)/i/g;
    $subj_line =~ s/(?:$subst3|$subst4)/o/g;

Does anyone on the list have a code example for this, or a better way of testing/substituting for these characters?

Tnx
--
Dave Helton, KD0YU
Real World Computing
Davenport, IA, US
563-386-4041
Re: [Mimedefang] got my mojo working
On Mon, 2004-02-23 at 14:18, Brent J. Nordquist wrote:
> Some more thoughts:
>
> On Mon, 23 Feb 2004, Dave Helton <[EMAIL PROTECTED]> wrote:
>
> > if ($line =~ /[Mm][Ee][Dd][Ss]/) {$subscore += 6};
> > if ($line =~ /[Pp][Ii][Ll][Ll][Ss]/) {$subscore += 6};
> > $line =~ s/@/a/g;
> > $line =~ s/1/i/g;
>
> Also 6 for g, | and ! for i, and all the same characters for l as for i.
> Those are what I've seen here. Why are you doing the substitution after
> the checks for "meds" and "pills" (won't find p1lls for example)?

Rarely have I seen meds or pills obfuscated, although I'm sure there are cases... In this bit of code it worked for me. To be honest... the rules that governed this script were based on a few spam sources that seemed to plague me with the same type of emails over and over.

> You might think about accented versions of the vowels which I'm starting
> to see also.
>
> Other words to consider flagging: "pharmacy" "drugs"
>
> > if ($line =~ /[Vv][Ii][Aa][Gg][Rr][Aa]/) {$subscore += 3};
>
> Couldn't you use /viagra/i (simpler) once you're to this point?

Because I'm not that familiar with Perl, but I will be updating the script to reflect your suggestion. It's certainly much easier to read.

> And then there are all the misspellings that are really common. Here's
> just the latest few from my corpus: "v?agra" "viegra" "VUiagra" (or any
> other extra letter thrown in) "viagrga" "vaiagra" Once I saw "\/iagra".

Seen that one today too. **brain started to hurt**

> And a whole bunch of misspellings like "viaggra" listed in antidrug.cf
> mentioned here earlier today. Discouraged yet? :-)

No.. that's why I'm not unsubscribing the list either ;) The fight never ceases, always new weapons and tactics, and it keeps me on my toes ;)

--
Dave Helton, KD0YU <[EMAIL PROTECTED]>
Real World Computing, network consultant.
Davenport, IA, US
563-386-4041
[Mimedefang] got my mojo working
Hi,

I've had the same problems not being able to filter Xanax, Valium, and other drug obfuscations. And this junk is getting a little long in the tooth. I've had the following code running for the last couple days. It's stable and has caught a few more bad emails than I expected. I would think this script would be a real performance hit on larger systems although I can't confirm it. There are certainly better ways of doing this. There is probably a better place to call this than in sub filter... Please feel free to mangle and post your modifications or suggestions.

Works for me... YMMV

#***
# %PROCEDURE: subject_obfuscation
# %ARGUMENTS: None
# %RETURNS: 1 - subject line has words we key on, 0 - pass
# %DESCRIPTION: Called last in "sub filter"
#***
sub subject_obfuscation {
    my ($subj, $line, $subscore, $local_debug);

    if (open (INF, "./HEADERS")) {
        $line = 0;
        $local_debug = 1;
        while ($line = <INF>) {
            if ($line =~ /^Subject:/) {
                $subj = $line;
                last;
            }
        } ## end while
        close(INF);

        # strip the newline and the "Subject:" label (the header name is
        # re-added by action_change_header below); blank subject line ?
        $subj = "" unless defined $subj;
        chomp($subj);
        $subj =~ s/^Subject:\s*//;
        if ($subj eq "") {$subj = "No Subject"};

        # decode the "=?ISO-8859-1?blah blah blah line?=
        $line = decode_mimewords($subj); ## thank ya David

        $subscore = 0;
        if ($line =~ /^FWD:/) {$subscore = 3};
        if ($line =~ /[Mm][Ee][Dd][Ss]/) {$subscore += 6};
        if ($line =~ /[Pp][Ii][Ll][Ll][Ss]/) {$subscore += 6};
        $line =~ s/@/a/g;
        $line =~ s/1/i/g;
        $line =~ s/[[:punct:]]//g; ## remove punctuations
        if ($line =~ /[Vv][Ii][Aa][Gg][Rr][Aa]/) {$subscore += 3};
        if ($line =~ /[Vv][Aa][Ll][Ii][Uu][Mm]/) {$subscore += 3};
        if ($line =~ /[Xx][Aa][Nn][Aa][Xx]/) {$subscore += 6};

        if($local_debug) {
            if($subscore) {
                md_graphdefang_log('subject_obfuscation_before', $subj, $subscore);
                md_graphdefang_log('subject_obfuscation_after', $line, $subscore);
            }
        }

        if ($subscore > 5) { # 5 seems to be a good score... two test hits
            action_change_header('Subject', "[SPAM] $subj");
            return 1; ## hit!
        } else {
            return 0; ## no hit
        }
    } else {
        md_graphdefang_log('subject_obfuscation: can\'t open HEADER file.');
        return 0;
    } ## end if
}

# at the end of "sub filter"
# always accept the email, client can filter on the subject now
# that it's marked as "[SPAM] $Subject".
if (subject_obfuscation()) { return action_accept(); };
return action_accept();
}

--
Dave Helton, KD0YU <[EMAIL PROTECTED]>
Real World Computing
Davenport, IA, US
563-386-4041
[Mimedefang] anyone parsing ISO-8859-1?blah?blah in subject?
Salutations,

Maybe it's just my unfamiliarity... but a lot of these are getting past my spam filters.

Subject: =?ISO-8859-1?b?V2h5IFBheSBmb3Igb3ZlciBwcmljZWQgUHJlc2NyaXAodGlvbiBEW3J1Z3M/Pz8=?=

.. and I'm very curious if there is a perl module or magic wand I can wave at these to reveal legible ascii text that can be tested and filtered.

--
Dave Helton, KD0YU <[EMAIL PROTECTED]>
Real World Computing
Davenport, IA, US
563-386-4041
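An added example (not code from any of the posts above, and not MIMEDefang's own) that pulls together the three subject-line questions in this archive: decoding the =?ISO-8859-1?b?...?= encoded word asked about here, folding the accented Latin-1 vowels and leet characters from the "character substitutions" and "got my mojo working" threads back to ASCII, and then scoring keywords case-insensitively instead of with [Vv][Ii]... classes. It assumes MIME::Words from the MIME-tools distribution that MIMEDefang depends on; the keyword table, threshold and sample subjects are constructed for the example.

```perl
# Added example, not code from the posts above or from MIMEDefang itself.
# Assumes MIME::Words from MIME-tools; the keyword scores, threshold and
# sample subjects are constructed for illustration.
use strict;
use warnings;
use MIME::Words qw(decode_mimewords);

# Illustrative scores, in the spirit of the thread's meds/pills/xanax rules.
my %KEYWORDS  = (meds => 6, pills => 6, xanax => 6,
                 viagra => 3, valium => 3, drugs => 3, pharmacy => 3);
my $THRESHOLD = 5;

# Decode RFC 2047 encoded words, then fold obfuscations back to plain ASCII.
sub normalize_subject {
    my ($raw) = @_;
    $raw =~ s/^Subject:\s*//i;          # accept a raw header line as well
    my $s = lc decode_mimewords($raw);  # scalar context joins the decoded parts
    # ISO-8859-1 accented vowels, both cases -> base vowel (covers chr(236)..chr(243))
    $s =~ tr/\xC0-\xC5\xE0-\xE5/a/;
    $s =~ tr/\xC8-\xCB\xE8-\xEB/e/;
    $s =~ tr/\xCC-\xCF\xEC-\xEF/i/;
    $s =~ tr/\xD2-\xD6\xF2-\xF6/o/;
    $s =~ tr/\xD9-\xDC\xF9-\xFC/u/;
    $s =~ s{\\/}{v}g;                   # "\/iagra"
    $s =~ tr/@1!|06$/aiiiogs/;          # leet forms from the thread; note it also folds digits
    $s =~ s/[[:punct:]]//g;             # "prescrip(tion", "d[rugs", "v.i.a.g.r.a"
    return $s;
}

# Score the normalized subject; anything over $THRESHOLD would get tagged.
sub score_subject {
    my ($raw) = @_;
    my $norm  = normalize_subject($raw);
    my $score = ($norm =~ /^fwd\b/) ? 3 : 0;   # the thread's FWD: bump
    for my $word (sort keys %KEYWORDS) {
        $score += $KEYWORDS{$word} if index($norm, $word) >= 0;
    }
    return ($score, $norm);
}

# Constructed samples: the base64 subject quoted in the post above, a Q-encoded
# one with an accented i and leet letters, and a benign forward.
my @samples = (
    'Subject: =?ISO-8859-1?b?V2h5IFBheSBmb3Igb3ZlciBwcmljZWQgUHJlc2NyaXAodGlvbiBEW3J1Z3M/Pz8=?=',
    'Subject: =?ISO-8859-1?q?V=ECagra_and_X@nax_p!lls?=',
    'Subject: FWD: Q3 meeting notes',
);
for my $raw (@samples) {
    my ($score, $norm) = score_subject($raw);
    printf "%2d  %-45s  %s\n", $score, $norm, $score > $THRESHOLD ? "TAG" : "pass";
}
```

Misspellings such as "v?agra" survive the punctuation strip as "vagra" and still need their own patterns or an antidrug.cf-style list, so the normalization reduces the variants to check, it does not remove the need for them.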