RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
Just noticed that someone has been doing this within SpamAssassin already - sa_update grabbed this in 80_additional.cf : meta SPAMMY_XMAILER (__XM_OL_29196700||__XM_OL_41332400||__XM_OL_48071700||__XM_OL_28001441||__XM_OL_29196600||__XM_OL_49631700||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4) describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham score SPAMMY_XMAILER 1.0 Paul. -- --- Paul Murphy Head of I.T. Argenta Discovery Tel. 01279 645 554 Fax. 01279 645 646 ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
--On Saturday, November 25, 2006 12:07 AM -0600 Damrose, Mark [EMAIL PROTECTED] wrote: There are time zones that are not an even hour offset from UTC, but the only ones I know of are 30 minutes, and a value of 60 or more makes no sense. Nepal is +0545. Some time ago I implemented the same check as you describe, and thanks to Columbia University's worldwide scope we ran into that one within the first week! Joseph Brennan Lead Email Systems Engineer Columbia University Information Technology ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
Mark Damrose wrote:
I've found that most of the stock spam have a unique Received
header.
Two rules that have been doing extremely well for me are:
header ECC_FORGED_ELGIN_RCVD Received =~ /by elgin.edu with esmtp
\(.+\)\s+id\s\S+\s+for/
header ECC_ODD_TZ Date =~
/^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|Jun|
Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123
456789]\d$/
Well spotted! That's very useful for me, and certainly almost all of
my recent examples match on this.
Interestingly, they also predominantly have The Bat! as the X-Mailer,
although the version details are variable. Maybe 25% have a version of
Outlook instead.
Paul.
--
---
Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
header ECC_ODD_TZ Date =~
/^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|Jun|
Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123
456789]\d$/
Shouldn't that last bit be:
[12456789]\d$/
As you've got it, it will reject an offset of xx30, which, as you
pointed out, is valid.
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
John Rudd wrote:
header ECC_ODD_TZ Date =~
/^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|Jun|
Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123
456789]\d$/
Shouldn't that last bit be:
[12456789]\d$/
As you've got it, it will reject an offset of xx30, which, as you
pointed out, is valid.
It will reject 0545 as well...
-Philip
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
-Original Message- From: John Rudd Shouldn't that last bit be: [12456789]\d$/ As you've got it, it will reject an offset of xx30, which, as you pointed out, is valid. Actually, the vast majority would be caught with [2468]0$/ I've quarantined thousands of these since I put the rule in on Tuesday. Only about 10 have been xx30, the rest would have been caught by this modification. Also, I don't add enough points to block based on this rule alone. The Received rule, yes. This one is just sort of a placeholder so I can investigate if I start seeing a bunch that match on the Date rule but no longer match on the forged Received rule. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
On Fri, 24 Nov 2006, Paul Murphy wrote: while I'm updating my SA rules daily, I never seem able to keep ahead of I feel your pain. I have gotten to where I check my work email at night to see what the latest pump-and-dump stock spam is and update SA accordingly. Ugh. Jim McCullars University of Alabama in Huntsville ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
-Original Message-
From: Jim McCullars
I feel your pain. I have gotten to where I check my work
email at night to see what the latest pump-and-dump stock
spam is and update SA accordingly. Ugh.
I've found that most of the stock spam have a unique Received header.
Some examples:
Received: from 213.56.31.142 (HELO smtp.oleane.net) by elgin.edu
with esmtp (30,,1N(4829S +/QM) id LLX8Z5-/084()-I* for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 10:31:31 -0060
Received: from 63.149.130.78 (HELO barracuda.1-stopnet.com) by
elgin.edu with esmtp (A+*33AUUHE*U +K686) id 6OM2K4-172DAP-Q/
for [EMAIL PROTECTED]; Fri, 24 Nov 2006 10:43:06 -0480
Received: from 216.122.69.112 (HELO mail.safeserver.com) by
elgin.edu with esmtp ((1+D(0E EU=Y) id 7045B0-4R:LJT-EB for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 10:48:01 -0120
Received: from 210.189.80.22 (HELO mail.01allweb.com) by elgin.edu
with esmtp (LS,+-3(/ 5*XI:) id C?13,)-Q0:7(7-)D for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 11:08:20 -0480
Received: from 66.212.232.249 (HELO inon2.inetfast.com) by elgin.edu
with esmtp (XB'52:=D0/ .B-W) id YO-;1*-=T8'7Y-O5 for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 11:49:46 -0060
Received: from 209.142.136.249 (HELO mx2.centurytel.net) by
elgin.edu with esmtp (T)08O7Q,AG+ 63'A) id 0Z((B*-760A8P-T. for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:38:42 -0060
Received: from 80.127.154.82 (HELO mail.walraven.com) by elgin.edu
with esmtp (.5*V+;+3,RSN D511C) id ID95DH-6I9CU--65 for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:42:20 -0060
Received: from 64.18.5.13 (HELO WAMSINC.COM.MAIL7.PSMTP.com) by
elgin.edu with esmtp (,2-O)V7T9)? @C28) id 7;+LH;-FY(844-:7 for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:44:18 -0060
Received: from 64.214.48.68 (HELO mdegw01.mgipharma.com) by
elgin.edu with esmtp (942,L96+'P )J4J+,) id QMRGJ0-:PKD)6--L for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:49:20 -0060
Received: from 216.35.197.77 (HELO mail.zytronic.com) by elgin.edu
with esmtp (IK-24*R3 U)4UJ) id /ST525-0PO+(5-V for
[EMAIL PROTECTED]; Fri, 24 Nov 2006 12:49:22 -0060
Note the bare IP with no brackets (not the IP of the bot).
HELO random hostname in parentheses.
elgin.edu is my domain, but I do not have a host at the domain level
that relays mail.
Also note the UTC offset in the date format. That field should be HHMM.
There are time zones that are not an even hour offset from UTC, but the
only ones I know of are 30 minutes, and a value of 60 or more makes no
sense.
The Date headers also have the odd UTC offset.
Date: Fri, 24 Nov 2006 10:31:31 -0060
Date: Fri, 24 Nov 2006 10:43:06 -0480
Date: Fri, 24 Nov 2006 10:48:01 -0120
Date: Fri, 24 Nov 2006 11:08:20 -0480
Date: Fri, 24 Nov 2006 11:49:46 -0060
Date: Fri, 24 Nov 2006 12:38:42 -0060
Date: Fri, 24 Nov 2006 12:42:20 -0060
Date: Fri, 24 Nov 2006 12:44:18 -0060
Date: Fri, 24 Nov 2006 12:49:20 -0060
Date: Fri, 24 Nov 2006 12:49:22 -0060
Two rules that have been doing extremely well for me are:
header ECC_FORGED_ELGIN_RCVD Received =~ /by elgin.edu with esmtp
\(.+\)\s+id\s\S+\s+for/
header ECC_ODD_TZ Date =~
/^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|Jun|
Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123
456789]\d$/
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
