RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
Just noticed that someone has been doing this within SpamAssassin already - sa_update grabbed this in 80_additional.cf:

meta SPAMMY_XMAILER (__XM_OL_29196700||__XM_OL_41332400||__XM_OL_48071700||__XM_OL_28001441||__XM_OL_29196600||__XM_OL_49631700||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
score SPAMMY_XMAILER 1.0

Paul.

--
---
Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
--On Saturday, November 25, 2006 12:07 AM -0600 Damrose, Mark [EMAIL PROTECTED] wrote:

> There are time zones that are not an even hour offset from UTC, but the
> only ones I know of are 30 minutes, and a value of 60 or more makes no
> sense.

Nepal is +0545. Some time ago I implemented the same check as you describe, and thanks to Columbia University's worldwide scope we ran into that one within the first week!

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
Mark Damrose wrote:

> I've found that most of the stock spam have a unique Received header.
> Two rules that have been doing extremely well for me are:
>
> header ECC_FORGED_ELGIN_RCVD Received =~ /by elgin.edu with esmtp \(.+\)\s+id\s\S+\s+for/
> header ECC_ODD_TZ Date =~ /^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123456789]\d$/

Well spotted! That's very useful for me, and certainly almost all of my recent examples match on this. Interestingly, they also predominantly have The Bat! as the X-Mailer, although the version details are variable. Maybe 25% have a version of Outlook instead.

Paul.

--
---
Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646
Re: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
> header ECC_ODD_TZ Date =~ /^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123456789]\d$/

Shouldn't that last bit be:

[12456789]\d$/

As you've got it, it will reject an offset of xx30, which, as you pointed out, is valid.
Re: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
John Rudd wrote:

>> header ECC_ODD_TZ Date =~ /^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123456789]\d$/
>
> Shouldn't that last bit be:
>
> [12456789]\d$/
>
> As you've got it, it will reject an offset of xx30, which, as you
> pointed out, is valid.

It will reject 0545 as well...

-Philip
RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
-----Original Message-----
From: John Rudd

> Shouldn't that last bit be:
>
> [12456789]\d$/
>
> As you've got it, it will reject an offset of xx30, which, as you
> pointed out, is valid.

Actually, the vast majority would be caught with

[2468]0$/

I've quarantined thousands of these since I put the rule in on Tuesday. Only about 10 have been xx30, the rest would have been caught by this modification.

Also, I don't add enough points to block based on this rule alone. The Received rule, yes. This one is just sort of a placeholder so I can investigate if I start seeing a bunch that match on the Date rule but no longer match on the forged Received rule.
Re: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
On Fri, 24 Nov 2006, Paul Murphy wrote:

> while I'm updating my SA rules daily, I never seem able to keep ahead of

I feel your pain. I have gotten to where I check my work email at night to see what the latest pump-and-dump stock spam is and update SA accordingly. Ugh.

Jim McCullars
University of Alabama in Huntsville
RE: [Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?
-----Original Message-----
From: Jim McCullars

> I feel your pain. I have gotten to where I check my work email at night
> to see what the latest pump-and-dump stock spam is and update SA
> accordingly. Ugh.

I've found that most of the stock spam have a unique Received header. Some examples:

Received: from 213.56.31.142 (HELO smtp.oleane.net) by elgin.edu with esmtp (30,,1N(4829S +/QM) id LLX8Z5-/084()-I* for [EMAIL PROTECTED]; Fri, 24 Nov 2006 10:31:31 -0060
Received: from 63.149.130.78 (HELO barracuda.1-stopnet.com) by elgin.edu with esmtp (A+*33AUUHE*U +K686) id 6OM2K4-172DAP-Q/ for [EMAIL PROTECTED]; Fri, 24 Nov 2006 10:43:06 -0480
Received: from 216.122.69.112 (HELO mail.safeserver.com) by elgin.edu with esmtp ((1+D(0E EU=Y) id 7045B0-4R:LJT-EB for [EMAIL PROTECTED]; Fri, 24 Nov 2006 10:48:01 -0120
Received: from 210.189.80.22 (HELO mail.01allweb.com) by elgin.edu with esmtp (LS,+-3(/ 5*XI:) id C?13,)-Q0:7(7-)D for [EMAIL PROTECTED]; Fri, 24 Nov 2006 11:08:20 -0480
Received: from 66.212.232.249 (HELO inon2.inetfast.com) by elgin.edu with esmtp (XB'52:=D0/ .B-W) id YO-;1*-=T8'7Y-O5 for [EMAIL PROTECTED]; Fri, 24 Nov 2006 11:49:46 -0060
Received: from 209.142.136.249 (HELO mx2.centurytel.net) by elgin.edu with esmtp (T)08O7Q,AG+ 63'A) id 0Z((B*-760A8P-T. for [EMAIL PROTECTED]; Fri, 24 Nov 2006 12:38:42 -0060
Received: from 80.127.154.82 (HELO mail.walraven.com) by elgin.edu with esmtp (.5*V+;+3,RSN D511C) id ID95DH-6I9CU--65 for [EMAIL PROTECTED]; Fri, 24 Nov 2006 12:42:20 -0060
Received: from 64.18.5.13 (HELO WAMSINC.COM.MAIL7.PSMTP.com) by elgin.edu with esmtp (,2-O)V7T9)? @C28) id 7;+LH;-FY(844-:7 for [EMAIL PROTECTED]; Fri, 24 Nov 2006 12:44:18 -0060
Received: from 64.214.48.68 (HELO mdegw01.mgipharma.com) by elgin.edu with esmtp (942,L96+'P )J4J+,) id QMRGJ0-:PKD)6--L for [EMAIL PROTECTED]; Fri, 24 Nov 2006 12:49:20 -0060
Received: from 216.35.197.77 (HELO mail.zytronic.com) by elgin.edu with esmtp (IK-24*R3 U)4UJ) id /ST525-0PO+(5-V for [EMAIL PROTECTED]; Fri, 24 Nov 2006 12:49:22 -0060

Note the bare IP with no brackets (not the IP of the bot). HELO random hostname in parentheses. elgin.edu is my domain, but I do not have a host at the domain level that relays mail.

Also note the UTC offset in the date format. That field should be HHMM. There are time zones that are not an even hour offset from UTC, but the only ones I know of are 30 minutes, and a value of 60 or more makes no sense.

The Date headers also have the odd UTC offset.

Date: Fri, 24 Nov 2006 10:31:31 -0060
Date: Fri, 24 Nov 2006 10:43:06 -0480
Date: Fri, 24 Nov 2006 10:48:01 -0120
Date: Fri, 24 Nov 2006 11:08:20 -0480
Date: Fri, 24 Nov 2006 11:49:46 -0060
Date: Fri, 24 Nov 2006 12:38:42 -0060
Date: Fri, 24 Nov 2006 12:42:20 -0060
Date: Fri, 24 Nov 2006 12:44:18 -0060
Date: Fri, 24 Nov 2006 12:49:20 -0060
Date: Fri, 24 Nov 2006 12:49:22 -0060

Two rules that have been doing extremely well for me are:

header ECC_FORGED_ELGIN_RCVD Received =~ /by elgin.edu with esmtp \(.+\)\s+id\s\S+\s+for/
header ECC_ODD_TZ Date =~ /^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123456789]\d$/
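The two rules above, together with the three offset tails argued over earlier in the thread (the [123456789]\d$ as posted, John Rudd's [12456789]\d$ and Mark Damrose's [2468]0$), run over constructed sample headers as an added example. This is the editor's code, not anything from the thread, SpamAssassin or MIMEDefang. The domain (example.edu), the TEST-NET addresses, the ids and the rule scores are assumptions; the month list restores the May that the posted regex omits, and a stricter check is added that accepts only the :00, :30 and :45 offsets real zones use (which covers Nepal's +0545).

```python
import re

# Constructed sample headers for this example. They copy the shape of the
# Received: and Date: values quoted in the thread, but the hosts, addresses
# (RFC 5737 TEST-NET) and ids are made up.
FORGED_RCVD = ("from 203.0.113.17 (HELO smtp.example.net) by example.edu with esmtp "
               "(30,,1N(4829S +/QM) id LLX8Z5-/084()-I* for <user@example.edu>; "
               "Fri, 24 Nov 2006 10:31:31 -0060")
LEGIT_RCVD = ("from mail.example.net (mail.example.net [192.0.2.5]) by mx1.example.edu "
              "(Postfix) with ESMTP id 4F2D1A0 for <user@example.edu>; "
              "Sat, 25 Nov 2006 00:07:00 -0600")
DATES = {
    "bot_minus0060": "Fri, 24 Nov 2006 10:31:31 -0060",
    "bot_minus0480": "Fri, 24 Nov 2006 10:43:06 -0480",
    "bot_minus0120": "Fri, 24 Nov 2006 10:48:01 -0120",
    "chicago":       "Sat, 25 Nov 2006 00:07:00 -0600",
    "india":         "Sat, 25 Nov 2006 11:37:00 +0530",
    "nepal":         "Sat, 25 Nov 2006 11:52:00 +0545",
    "may_utc":       "Tue, 1 May 2007 09:00:00 +0000",
}

DAYS = "Sun|Mon|Tue|Wed|Thu|Fri|Sat"
# The rule as posted omits May from its month list; restored here.
MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
DATE_PREFIX = (rf"^\s*(?:{DAYS}),\s\d{{1,2}}\s(?:{MONTHS})\s\d{{4}}"
               rf"\s\d{{2}}(?::\d{{2}}){{1,2}}\s")

# The three offset tails proposed for ECC_ODD_TZ over the course of the thread.
TAILS = {
    "posted":  r"[+-]?\d{2}[123456789]\d$",  # original: also flags +0530 and +0545
    "rudd":    r"[+-]?\d{2}[12456789]\d$",   # lets xx30 through, still flags +0545
    "damrose": r"[+-]?\d{2}[2468]0$",        # only xx20/xx40/xx60/xx80
}


def odd_tz_variant(date_value, variant):
    """Apply one of the posted ECC_ODD_TZ tails to a Date: value."""
    return re.search(DATE_PREFIX + TAILS[variant], date_value) is not None


OFFSET_RE = re.compile(r"\s([+-])(\d{2})(\d{2})$")


def odd_tz_strict(date_value):
    """True when a numeric zone is present but is not an offset any real zone uses.

    Real offsets are whole hours plus :00, :30 or :45 and lie within
    -12:00 .. +14:00, so -0060, -0480, -0120 and +1500 are all odd.
    A Date: with no numeric zone is left to other rules and returns False.
    """
    m = OFFSET_RE.search(date_value)
    if not m:
        return False
    sign, hh, mm = m.group(1), int(m.group(2)), int(m.group(3))
    if mm not in (0, 30, 45):
        return True
    limit = 14 * 60 if sign == "+" else 12 * 60
    return hh * 60 + mm > limit


def forged_local_rcvd(received_value, my_domain):
    """Port of ECC_FORGED_ELGIN_RCVD. The domain is escaped here; the posted
    rule leaves the dot in elgin.edu as a wildcard."""
    pat = rf"by {re.escape(my_domain)} with esmtp \(.+\)\s+id\s\S+\s+for"
    return re.search(pat, received_value) is not None


BARE_IP_HELO_RE = re.compile(r"^from \d{1,3}(?:\.\d{1,3}){3} \(HELO ")


def bare_ip_helo(received_value):
    """The other tell in the samples: an unbracketed IP followed by '(HELO ...)'."""
    return BARE_IP_HELO_RE.match(received_value) is not None


# Assumed scores, weighted the way the thread describes: the forged-Received
# rule is enough to quarantine on its own, the Date rule is a low-score marker.
SCORES = {"FORGED_LOCAL_RCVD": 5.0, "BARE_IP_HELO": 1.5, "ODD_TZ": 0.5}


def score_message(received_value, date_value, my_domain="example.edu"):
    """Run the three checks on one message's headers; return hits and total."""
    checks = {
        "FORGED_LOCAL_RCVD": forged_local_rcvd(received_value, my_domain),
        "BARE_IP_HELO": bare_ip_helo(received_value),
        "ODD_TZ": odd_tz_strict(date_value),
    }
    hits = [name for name, hit in checks.items() if hit]
    return {"hits": hits, "score": sum(SCORES[h] for h in hits)}


if __name__ == "__main__":
    # Which of the posted tails flags which sample date (True = rule fires).
    for label, value in DATES.items():
        flags = {v: odd_tz_variant(value, v) for v in TAILS}
        flags["strict"] = odd_tz_strict(value)
        print(f"{label:14} {value[-5:]}  {flags}")
    print(score_message(FORGED_RCVD, DATES["bot_minus0060"]))
    print(score_message(LEGIT_RCVD, DATES["chicago"]))
```

Running it shows the trade-off the thread is circling: the tail as posted fires on +0530 and +0545, Rudd's class still fires on +0545, and the [2468]0 class leaves both alone but only ever sees the xx20/xx40/xx60/xx80 shapes. The strict check flags any minutes field that is not 00, 30 or 45 (and any hour outside the -12:00..+14:00 range) while still passing India and Nepal. In a MIMEDefang filter the same checks would sit in filter_end over the parsed headers, or, as the thread does, in local SpamAssassin header rules with the Received rule carrying the real weight.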