Re: AW: Fighting 'no body' spam

2015-03-22 Thread Özgür EROĞLU

Hi
If you want to drop the mail by just checking its content size, use 
the 'All' matcher and then get the content part of the mail in a mailet using 
the JavaMail API. Then you can check the size of that part.


Ozgur


On 03/22/2015 08:39 PM, David Legg wrote:

Hi Bernd,

I do have a firewall but the spam messages are not being modified.  What
I showed in my email below is what the server actually receives.

The missing subject is also a key feature of these spams together with
the lack of body copy.

I guess I could write a matcher which returns the size of the subject
and/or the body but as I mentioned it has been a while since I installed
James and I'm not into Java development as much as I used to be.

Regards,
David.



On 22/03/15 16:00, Bernd Waibel wrote:

Hello David,

do you have a firewall, with virus filtering enabled?
If the mail contains only one attachment (as INLINE attachment) and no body, 
and the firewall removes the attachment, but keeps the rest alright and sends 
this to the receiver?
So a mail without a body could be the rest of a virus mail.

Also it could just be a test runner. Testing the Botnet or something like 
this.

Some people use their email system like a sms system, just sending a 
subject.
May this lead to a no-body mail?
In your example the subject is missing.

But I didn't see it a lot (or did not remember).

Greetings
Bernd

-----Original Message-----
From: David Legg [mailto:david.l...@searchevent.co.uk]
Sent: Sunday, 22 March 2015 14:29
To: James Users List
Subject: Fighting 'no body' spam

Hi,

It has been a few years since I last wrote to the list.  Our James 2.3 
installation has been happily running all that time with no problems.

Recently however we are being plagued by a particular variety of spam that the 
Bayesian filter just can't handle: 'no-body' spam.  This variety has seemingly 
random 'from' addresses (but usually with valid domains).  They all seem to 
come from different IP addresses which suggests a bot-net and therefore can't 
be blocked by the firewall.  But the other distinguishing feature is their 
complete lack of any subject or body.  This is what makes it so difficult for 
the filter to latch onto.

A typical email looks as follows: -

   Message-ID: A[20
   MIME-Version: 1.0
   Content-Type: text/plain; charset=us-ascii
   Content-Transfer-Encoding: 7bit
   X-MessageIsSpamProbability: 0.018074688897863164
   Received: from 38.124.60.215 ([38.124.60.215])
   by somewhere.co.uk (JAMES SMTP Server 2.3.1) with SMTP ID 965
   for off...@somewhere.co.uk;
   Sun, 22 Mar 2015 12:11:17 + (GMT)
   Date: Sun, 22 Mar 2015 12:11:17 + (GMT)
   From: ieqeq...@baboonabeach.com
   Received: from 248.32.157.238 by 46.4.123.50; Sun, 22 Mar 2015 18:23:42 +0500


I was hoping that there was a matcher that I could use to reject all email with no 
or very small (< 4 bytes) content.  However, all I could find was the 
'SizeGreaterThan' matcher which matches the entire size of the email.

As well as knowing if there is a solution for this I was also wondering if 
anyone knows just what is the point of all this?  I've heard one theory that it 
poisons the filter but it just seems like a mindless act to me.

Regards,
David Legg


-
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org




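A matcher of the kind Özgür describes, written as an added example for this thread (it is not code from the posts above or from the James project): it walks the MIME structure, sums the decoded size of all leaf parts of the body (headers are not counted, which is why `SizeGreaterThan` does not help here) and matches when that total is below a byte threshold taken from the `match=` attribute in config.xml. The class name `BodySizeLessThan`, the condition syntax `BodySizeLessThan=4`, the package name and the `spam` processor are all assumptions; in James 2.3 the package of a custom matcher must be one of those listed under `<matcherpackages>` in config.xml, and the compiled class must be on the server's classpath.

```java
package org.apache.james.transport.matchers; // assumption: any package listed in <matcherpackages>

import java.io.IOException;
import java.io.InputStream;
import java.util.Collection;

import javax.mail.MessagingException;
import javax.mail.Multipart;
import javax.mail.Part;
import javax.mail.internet.MimeMessage;

import org.apache.mailet.GenericMatcher;
import org.apache.mailet.Mail;

/**
 * Matches messages whose decoded body (all MIME leaf parts together) is
 * smaller than a threshold in bytes. Example wiring in config.xml
 * (hypothetical, inside the transport processor):
 *
 *   <mailet match="BodySizeLessThan=4" class="ToProcessor">
 *     <processor>spam</processor>
 *   </mailet>
 */
public class BodySizeLessThan extends GenericMatcher {

    /** Threshold in bytes, parsed from the text after '=' in the match attribute. */
    private long threshold;

    public void init() throws MessagingException {
        String condition = getCondition();
        if (condition == null || condition.trim().length() == 0) {
            throw new MessagingException(
                "BodySizeLessThan needs a byte threshold, e.g. match=\"BodySizeLessThan=4\"");
        }
        try {
            threshold = Long.parseLong(condition.trim());
        } catch (NumberFormatException e) {
            throw new MessagingException("BodySizeLessThan: not a number: " + condition, e);
        }
        if (threshold < 0) {
            throw new MessagingException("BodySizeLessThan: threshold must be >= 0");
        }
    }

    /** Returns all recipients (i.e. "match") when the body is below the threshold, else null. */
    public Collection match(Mail mail) throws MessagingException {
        MimeMessage message = mail.getMessage();
        if (message == null) {
            return null;
        }
        long bodyBytes;
        try {
            bodyBytes = bodySize(message);
        } catch (IOException e) {
            // Unreadable body: do not match rather than drop mail on a parse failure.
            log("BodySizeLessThan: could not read body of " + mail.getName() + ": " + e);
            return null;
        }
        return bodyBytes < threshold ? mail.getRecipients() : null;
    }

    /**
     * Size of the decoded body of a part. Multipart containers are summed over
     * their children, an embedded message/rfc822 is descended into, text parts
     * are measured after trimming whitespace (an empty text/plain body often
     * arrives as a bare CRLF), and binary parts are measured by reading the
     * decoded stream.
     */
    static long bodySize(Part part) throws MessagingException, IOException {
        Object content = part.getContent();
        if (content instanceof Multipart) {
            Multipart mp = (Multipart) content;
            long total = 0;
            for (int i = 0; i < mp.getCount(); i++) {
                total += bodySize(mp.getBodyPart(i));
            }
            return total;
        }
        if (content instanceof Part) {
            return bodySize((Part) content);          // message/rfc822 attachment
        }
        if (content instanceof String) {
            return ((String) content).trim().length(); // text/* part
        }
        InputStream in = part.getInputStream();        // decoded bytes of a binary part
        byte[] buf = new byte[4096];
        long n = 0;
        int r;
        while ((r = in.read(buf)) != -1) {
            n += r;
        }
        return n;
    }
}
```

Two practical points when deploying something like this: run it with `class="ToProcessor"` into a quarantine processor first and watch the log before switching to `Null`, because a legitimate "subject-only" message (Bernd's SMS-style case) has a zero-length body and would match; and if the missing Subject header is to be a criterion as well, `message.getSubject()` returning null or an empty string can be tested in the same `match` method before returning the recipients.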



Re: AW: Fighting 'no body' spam

2015-03-22 Thread David Legg
Hi Bernd,

I do have a firewall but the spam messages are not being modified.  What
I showed in my email below is what the server actually receives.

The missing subject is also a key feature of these spams together with
the lack of body copy.

I guess I could write a matcher which returns the size of the subject
and/or the body but as I mentioned it has been a while since I installed
James and I'm not into Java development as much as I used to be.

Regards,
David.



On 22/03/15 16:00, Bernd Waibel wrote:
 Hello David,
 
 do you have a firewall, with virus filtering enabled?
 If the mail contains only one attachment (as INLINE attachment) and no body, 
 and the firewall removes the attachment, but keeps the rest alright and sends 
 this to the receiver?
 So a mail without a body could be the rest of a virus mail.
 
 Also it could just be a test runner. Testing the Botnet or something like 
 this.
 
 Some people use their email system like a sms system, just sending a 
 subject.
 May this lead to a no-body mail?
 In your example the subject is missing.
 
 But I didn't see it a lot (or did not remember).
 
 Greetings
 Bernd
 
 -----Original Message-----
 From: David Legg [mailto:david.l...@searchevent.co.uk] 
 Sent: Sunday, 22 March 2015 14:29
 To: James Users List
 Subject: Fighting 'no body' spam
 
 Hi,
 
 It has been a few years since I last wrote to the list.  Our James 2.3 
 installation has been happily running all that time with no problems.
 
 Recently however we are being plagued by a particular variety of spam that 
 the Bayesian filter just can't handle: 'no-body' spam.  This variety has 
 seemingly random 'from' addresses (but usually with valid domains).  They all 
 seem to come from different IP addresses which suggests a bot-net and 
 therefore can't be blocked by the firewall.  But the other distinguishing 
 feature is their complete lack of any subject or body.  This is what makes it 
 so difficult for the filter to latch onto.
 
 A typical email looks as follows: -
 
   Message-ID: A[20
   MIME-Version: 1.0
   Content-Type: text/plain; charset=us-ascii
   Content-Transfer-Encoding: 7bit
   X-MessageIsSpamProbability: 0.018074688897863164
   Received: from 38.124.60.215 ([38.124.60.215])
   by somewhere.co.uk (JAMES SMTP Server 2.3.1) with SMTP ID 965
   for off...@somewhere.co.uk;
   Sun, 22 Mar 2015 12:11:17 + (GMT)
   Date: Sun, 22 Mar 2015 12:11:17 + (GMT)
   From: ieqeq...@baboonabeach.com
   Received: from 248.32.157.238 by 46.4.123.50; Sun, 22 Mar 2015 18:23:42 
 +0500
 
 
 I was hoping that there was a matcher that I could use to reject all email 
 with no or very small (< 4 bytes) content.  However, all I could find was the 
 'SizeGreaterThan' matcher which matches the entire size of the email.
 
 As well as knowing if there is a solution for this I was also wondering if 
 anyone knows just what is the point of all this?  I've heard one theory that 
 it poisons the filter but it just seems like a mindless act to me.
 
 Regards,
 David Legg

