Re: Spam slipping through
Benny Pedersen wrote:
> On Mon, December 8, 2008 05:25, [EMAIL PROTECTED] wrote:
>> mouss said:
>
> bug:
> Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and '$To");
>
> fixed line:
> Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and '$To'");
>

Thanks!

>> well, I send mail to myself sometimes. The only way that this mail
>> could go is either straight from the mailserver to my inbox
>
> ALL_TRUSTED or NO_RELAYS hits ?
>
>> (if I am logged in), or from my desktop client, via my mailserver,
>> to the inbox.
>
> this should give ALL_TRUSTED
>
>> So it seems to me that any sender claiming to be _me_ would _auth_
>> to the mailserver.
>
> yes
>

but other people may do it differently. many domains allow their users to send via ISP/hotel/... if your domain requires authentication or submission from known systems, then you can probably block "forgery" without checking the To header.

>> When I implemented this a while ago, some ebay mails violated that,
>> and mails from monster.com. AFAIK, at least ebay has learned that
>> such mails are likely to be caught by various reasons (DKIM?)

I think they got blocked by "reject mail from stranger claiming to be mine" policy. and SPF may have finished convincing them. now I don't know if others still use this practice (sending "on behalf" of a user).

> DKIM is not a blacklister, but a whitelist based on if sender really
> use monster.com mta mail server or not :)
>

indeed.
Re: Spam slipping through
Benny Pedersen wrote:
>> On Mon, December 8, 2008 05:25, [EMAIL PROTECTED] wrote:
>> > mouss said:
>>
>> bug:
>> Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and '$To");
>>
>> fixed line:
>> Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and '$To'");
>>
>> > well, I send mail to myself sometimes. The only way that this mail
>> > could go is either straight from the mailserver to my inbox
>>
>> ALL_TRUSTED or NO_RELAYS hits ?
>>
>> > (if I am logged in), or from my desktop client, via my mailserver,
>> > to the inbox.
>>
>> this should give ALL_TRUSTED
>>
>> > So it seems to me that any sender claiming to be _me_ would _auth_
>> > to the mailserver.
>>
>> yes
>>
>> > When I implemented this a while ago, some ebay mails violated that,
>> > and mails from monster.com. AFAIK, at least ebay has learned that
>> > such mails are likely to be caught by various reasons (DKIM?)
>>
>> DKIM is not a blacklister, but a whitelist based on if sender really
>> use monster.com mta mail server or not :)
>>

Hi Benny,

my company mailserver is signing all outgoing mail, so I take the liberty to reject some incoming mail at the MTA level based on DKIM results. Likewise, senders pretending to come from my domain are asked to auth at the MTA level - SA does not even see these mails

Wolfgang Hamann
Re: Spam slipping through
On Mon, December 8, 2008 05:25, [EMAIL PROTECTED] wrote:
> mouss said:

bug:
Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and '$To");

fixed line:
Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and '$To'");

> well, I send mail to myself sometimes. The only way that this mail
> could go is either straight from the mailserver to my inbox

ALL_TRUSTED or NO_RELAYS hits ?

> (if I am logged in), or from my desktop client, via my mailserver,
> to the inbox.

this should give ALL_TRUSTED

> So it seems to me that any sender claiming to be _me_ would _auth_
> to the mailserver.

yes

> When I implemented this a while ago, some ebay mails violated that,
> and mails from monster.com. AFAIK, at least ebay has learned that
> such mails are likely to be caught by various reasons (DKIM?)

DKIM is not a blacklister, but a whitelist based on if sender really use monster.com mta mail server or not :)

--
Benny Pedersen
Re: Spam slipping through
mouss said:
>> > The implementation of it is not my concern. It's a pretty basic rule to
>> > require that addresses a commonly exploited spam attack vector.
>>
>> having the same address in the From and To is also seen in legitimate mail:
>> - I send mail to myself
>> - some people use their address in the To when they Bcc many people
>>

Hi,

well, I send mail to myself sometimes. The only way that this mail could go is either straight from the mailserver to my inbox (if I am logged in), or from my desktop client, via my mailserver, to the inbox. So it seems to me that any sender claiming to be _me_ would _auth_ to the mailserver.

When I implemented this a while ago, some ebay mails violated that, and mails from monster.com. AFAIK, at least ebay has learned that such mails are likely to be caught by various reasons (DKIM?)

Wolfgang Hamann
Re: Spam slipping through
support wrote:
> On Sat, 2008-12-06 at 23:45 -0500, Theo Van Dinter wrote:
>> On Sat, Dec 06, 2008 at 08:00:10PM -0800, John Hardin wrote:
>>> mechanism for. Devs: there've been wishes for this before; how hard
>>> would it be to add the ability to match on the substring match captured
>>> by another rule? Add a flag to say "capture the match for this rule" and
>>> a syntax for substituting that into the match RE of another rule, and
>>> dependency enforcement?
>> Non-trivial. Write a plugin, where it is trivial. :)

trivial indeed:
http://www.netoyen.net/sa/FromInTo.pm

1- very quickly tested (so: don't use it ;-p)
2- This checks for the from: header address in the envelope rcpt and in the To: header. not sure this is what OP wanted.

> The implementation of it is not my concern. It's a pretty basic rule to
> require that addresses a commonly exploited spam attack vector.

having the same address in the From and To is also seen in legitimate mail:
- I send mail to myself
- some people use their address in the To when they Bcc many people

or do you mean comparing the addresses only if the domain is "yours"?

the other question is: would such a rule really help? how much spam will it detect? I mean spam that is not detected or blocked by other means (such as DNSBLs, helo check, ... etc).

> Do we
> just say 'We won't scan for that, it's too complicated'. It's kind of
> like not scanning anything over 150k for performance. Spammers make use
> of these shortcomings.
>
> On a different note here, there is starting to be an increase in spam
> over 150k. I'm seeing a slowly increasing amount of spam from Asia that
> is in the 1meg range. This would choke any rules based scanner in
> volume. With bandwidth now cheap (other peoples in particular if you are
> using a botnet) it's an increasing concern.
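The check mouss's plugin performs (From: address present among the To: or envelope recipients), together with the "I send mail to myself" caveat Wolfgang and Benny raise (ALL_TRUSTED / authenticated submission), modelled in Python. This is an added example, not the FromInTo.pm the thread links; addresses, host names and the Received: lines are constructed, and "authenticated submission to our own MTA" is approximated by looking for ESMTPA/ESMTPSA in the Received: header our MTA added.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample messages (not from the thread). The envelope recipient
# is not a header, so it is passed to the checks separately.
SELF_SENT = """From: alice@example.org
To: alice@example.org
Received: from laptop (host.example.org [192.0.2.10]) by mail.example.org with ESMTPSA id 1
Subject: note to self

remember the thing
"""

FORGED = """From: alice@example.org
To: alice@example.org
Received: from unknown (unknown [203.0.113.5]) by mail.example.org with ESMTP id 2
Subject: you have won

click here
"""


def addresses(msg, header):
    """All bare addresses in every instance of a header, lower-cased."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def from_in_to(raw, envelope_rcpts):
    """The plugin's core test: a From: address also appears among the
    recipients (To: header or envelope RCPT TO)."""
    msg = email.message_from_string(raw)
    targets = addresses(msg, "To") | {r.lower() for r in envelope_rcpts}
    return bool(addresses(msg, "From") & targets)


def came_in_authenticated(raw, own_mta):
    """Approximation of ALL_TRUSTED for the mail-to-myself case: the hop
    recorded by our own MTA (first Received: header, i.e. the one added
    last) was an authenticated submission (ESMTPA/ESMTPSA)."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received", [])
    if not received:
        return False
    pattern = r"\bby\s+%s\b.*?\bwith\s+ESMTPS?A\b" % re.escape(own_mta)
    return re.search(pattern, received[0], re.S) is not None


def suspicious_from_in_to(raw, envelope_rcpts, own_mta="mail.example.org"):
    """Flag From-in-To only when the message did not arrive through our own
    authenticated submission path, so legitimate mail to oneself is exempt."""
    return from_in_to(raw, envelope_rcpts) and not came_in_authenticated(raw, own_mta)
```

As mouss notes, domains that let users submit from arbitrary networks cannot rely on the authenticated-hop exemption, so the check is only as good as the submission policy behind it.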
Re: about fake mails
Yavuz Maslak wrote:
> Let me explain my problem and goal;
>
> For instance, a spammer installs a smtp server and he has a tool to send
> his mails. He writes [EMAIL PROTECTED] in from address and he sends his
> mails using his smtp server. Namely, he doesn't use gmail's servers. I
> want to give high score for these sort of mails.
>
> Now I have written a rule according to Jeff and Matus,
> Thanks to both.
>
> header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
> header __L_ML2 exists:List-Id
> header __L_ML3 exists:List-Post
> header __L_ML4 exists:Mailing-List
> header __L_HAS_SNDR exists:Sender
> meta __L_VIA_ML (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
> header __L_FROM_GMAIL From:addr =~ [EMAIL PROTECTED]
> meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
> priority L_UNVERIFIED_GMAIL 500
> score L_UNVERIFIED_GMAIL 2.5
> meta UNVERIFIED_GMAILMISS (!DKIM_VERIFIED && DKIM_SIGNED && __L_FROM_GMAIL && !__L_VIA_ML)
> priority UNVERIFIED_GMAILMISS 600
> score UNVERIFIED_GMAILMISS 0.0
>
> any advances ?
>

copy the file http://www.netoyen.net/sa/dkim.cf to your spamassassin rules directory (the directory where you have local.cf). This file contains the rules suggested on http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim so that you don't need to copy-paste ;-p

run:
spamassassin --lint

if you get an error, then either you or I did something wrong ;-p

you may increase the score of L_NOTVALID_GMAIL (and the like) if you want, but 2.8 should be enough.
Re: about fake mails
Let me explain my problem and goal;

For instance, a spammer installs a smtp server and he has a tool to send his mails. He writes [EMAIL PROTECTED] in from address and he sends his mails using his smtp server. Namely, he doesn't use gmail's servers. I want to give high score for these sort of mails.

Now I have written a rule according to Jeff and Matus,
Thanks to both.

header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
header __L_FROM_GMAIL From:addr =~ [EMAIL PROTECTED]
meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5
meta UNVERIFIED_GMAILMISS (!DKIM_VERIFIED && DKIM_SIGNED && __L_FROM_GMAIL && !__L_VIA_ML)
priority UNVERIFIED_GMAILMISS 600
score UNVERIFIED_GMAILMISS 0.0

any advances ?

> Yavuz Maslak wrote:
>> Ok
>> I have started to use dkim verification. I defined whitelists in local.cf. it works.
>> But I could not find how I give high score for a spammer who doesn't use gmail's mail servers.
>> The link that I suggested in my previous post contains spamassassin rules.
>> Although a domain has domain keys, how can I give positive score for a mail which comes from a fake smtp server ?
>
> what is a "fake smtp server"? please explain your problem and goal clearly. It would also help to post a sample spam on pastebin.com.
Re: about fake mails
Yavuz Maslak wrote:
> Ok
> I have started to use dkim verification. I defined whitelists in
> local.cf. it works.
> But I could not find how I give high score for a spammer who doesn't
> use gmail's mail servers.
> The link that I suggested in my previous post contains spamassassin rules.
> Although a domain has domain keys, how can I give positive score for a
> mail which comes from a fake smtp server ?
>

what is a "fake smtp server"? please explain your problem and goal clearly. It would also help to post a sample spam on pastebin.com.
Re: about fake mails
Just that most of the spam with a gmail.com sender *is* coming from Gmail ..

Kai

--
Kai Schätzl, Berlin, Germany
RE: about fake mails
On Sun, December 7, 2008 15:52, Giampaolo Tomassoni wrote:
> There is no direct way (to my knowledge) to do this.

perldoc Mail::SpamAssassin::Conf
see whitelist_auth

perldoc Mail::SpamAssassin::Plugin::DKIM

but okay make a default spam score for DKIM signed mails works :) and subtract it when its VERIFIED

> You have to apply a positive score to all mail claiming to be
> "From:" a gmail address, then apply a negative score voiding
> the first one to the DKim-verified ones.

i just add negative score when verified here

--
Benny Pedersen
RE: about fake mails
From: "Giampaolo Tomassoni" <[EMAIL PROTECTED]>
Date: Sun, 7 Dec 2008 15:52:10 +0100

> -Original Message-
> From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 07, 2008 3:02 PM
>
> Ok
> I have started to use dkim verification. I defined whitelists in local.cf.
> it works.
> But I could not find how I give high score for a spammer who doesn't use
> gmail's mail servers.
>
> Although a domain has domain keys, how can I give positive score for a mail
> which comes from a fake smtp server ?

There is no direct way (to my knowledge) to do this.

You have to apply a positive score to all mail claiming to be "From:" a gmail address, then apply a negative score voiding the first one to the DKim-verified ones.

You can write a meta rule for email that claims to be from gmail that does not have DKIM.

# add some penalty points to mail from yahoo and gmail.com which
# does not carry a valid signature; exempt mail from mailing lists
header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
header __L_FROM_Y1 From:addr =~ [EMAIL PROTECTED]
header __L_FROM_Y2 From:addr =~ [EMAIL PROTECTED](ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3 From:addr =~ [EMAIL PROTECTED](id|in|jp|nz|uk)$}i
header __L_FROM_Y4 From:addr =~ [EMAIL PROTECTED](ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta __L_FROM_YAHOO (__L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4)
header __L_FROM_GMAIL From:addr =~ [EMAIL PROTECTED]
meta L_UNVERIFIED_YAHOO (!DKIM_VERIFIED && !DK_VERIFIED && __L_FROM_YAHOO && !__L_VIA_ML)
priority L_UNVERIFIED_YAHOO 500
score L_UNVERIFIED_YAHOO 2.5
meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5

I got these rules from this list. I added !DK_VERIFIED to L_UNVERIFIED_YAHOO.

-jeff
Re: about fake mails
> > From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, December 07, 2008 3:02 PM
> > But I could not find how I give high score for a spammer who doesn't
> > use gmail's mail servers.
> >
> > Although a domain has domain keys, how can I give positive score for a
> > mail which comes from a fake smtp server ?

On 07.12.08 15:52, Giampaolo Tomassoni wrote:
> There is no direct way (to my knowledge) to do this.
>
> You have to apply a positive score to all mail claiming to be "From:" a
> gmail address, then apply a negative score voiding the first one to the
> DKim-verified ones.

I think that giving score that has gmail.com in From address, but is not DKIM Verified, should be just enough.

Generally, there should be a meta rule for domains that have sign-all policy and the mail is not signed, e.g.:

meta DKIM_MISS (DKIM_POLICY_SIGNALL && !DKIM_VERIFIED)
score DKIM_MISS 3.0

and maybe for mail that is signed, but the signature was

meta DKIM_FAIL (DKIM_SIGNED && !DKIM_VERIFIED)
score DKIM_FAIL 1.0

... I just guessed those scores, but maybe someone could run mass-check ?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
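The meta rules posted by Jeff (and copied by Yavuz), plus Matus's DKIM_MISS/DKIM_FAIL suggestions, evaluated in Python over a constructed message. This is an added example, not code from the thread or from SpamAssassin: the DKIM plugin's results (DKIM_SIGNED, DKIM_VERIFIED, DK_VERIFIED, DKIM_POLICY_SIGNALL) are supplied as inputs because real verification needs DNS, the From:addr patterns are assumed reconstructions of the ones the archive redacted, and the DKIM_MISS/DKIM_FAIL scores are the guesses Matus gave.

```python
import email
import re
from email.utils import parseaddr

# Outcome of SpamAssassin's DKIM plugin for one message, supplied by the
# caller because real verification needs DNS. Keys are the SA test names
# the thread's rules refer to.
DEFAULT_AUTH = {"DKIM_SIGNED": False, "DKIM_VERIFIED": False,
                "DK_VERIFIED": False, "DKIM_POLICY_SIGNALL": False}

# Scores as posted (DKIM_MISS/DKIM_FAIL were the poster's guesses).
SCORES = {"L_UNVERIFIED_GMAIL": 2.5, "L_UNVERIFIED_YAHOO": 2.5,
          "DKIM_MISS": 3.0, "DKIM_FAIL": 1.0}

# Assumed reconstructions of the redacted From:addr patterns, limited to
# gmail.com and a few yahoo variants.
GMAIL_RE = re.compile(r"@gmail\.com$", re.I)
YAHOO_RE = re.compile(r"@yahoo\.(com|com\.(ar|br)|co\.(uk|jp)|de|fr)$", re.I)


def via_mailing_list(msg):
    """__L_VIA_ML: a list-style header is present, or Precedence is list/bulk."""
    if any(h in msg for h in ("List-Id", "List-Post", "Mailing-List", "Sender")):
        return True
    return re.search(r"\b(list|bulk)\b", msg.get("Precedence", ""), re.I) is not None


def evaluate(raw, auth=None):
    """Return (rules hit, total score) for one raw RFC 822 message."""
    a = dict(DEFAULT_AUTH, **(auth or {}))
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    listed = via_mailing_list(msg)
    hits = []
    # meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
    if GMAIL_RE.search(from_addr) and not a["DKIM_VERIFIED"] and not listed:
        hits.append("L_UNVERIFIED_GMAIL")
    # L_UNVERIFIED_YAHOO as posted also requires !DK_VERIFIED
    if (YAHOO_RE.search(from_addr) and not a["DKIM_VERIFIED"]
            and not a["DK_VERIFIED"] and not listed):
        hits.append("L_UNVERIFIED_YAHOO")
    # meta DKIM_MISS (DKIM_POLICY_SIGNALL && !DKIM_VERIFIED): sign-all domain, no valid signature
    if a["DKIM_POLICY_SIGNALL"] and not a["DKIM_VERIFIED"]:
        hits.append("DKIM_MISS")
    # meta DKIM_FAIL (DKIM_SIGNED && !DKIM_VERIFIED): signature present but broken
    if a["DKIM_SIGNED"] and not a["DKIM_VERIFIED"]:
        hits.append("DKIM_FAIL")
    return hits, sum(SCORES[h] for h in hits)


# Constructed samples (not from the thread).
FORGED_GMAIL = "From: Someone <someone@gmail.com>\nTo: me@example.org\nSubject: hi\n\nbody\n"
LISTED_GMAIL = ("From: someone@gmail.com\nTo: dev@lists.example.org\n"
                "List-Id: <dev.lists.example.org>\nSubject: hi\n\nbody\n")
```

The mailing-list exemption is what keeps list traffic from gmail.com users (whose signatures are often broken by the list software) from being penalised, which is the case Yavuz's UNVERIFIED_GMAILMISS rule was also trying to separate out.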
RE: about fake mails
> -Original Message-
> From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 07, 2008 3:02 PM
>
> Ok
> I have started to use dkim verification. I defined whitelists in local.cf.
> it works.
> But I could not find how I give high score for a spammer who doesn't use
> gmail's mail servers.
>
> Although a domain has domain keys, how can I give positive score for a mail
> which comes from a fake smtp server ?

There is no direct way (to my knowledge) to do this.

You have to apply a positive score to all mail claiming to be "From:" a gmail address, then apply a negative score voiding the first one to the DKim-verified ones.

Giampaolo

> > Yavuz Maslak wrote:
> >> Sometimes, although anyone don't use domain.com's server, he sends many
> >> mails using himself smtp service as if these mails come from @domian.com.
> >>
> >> the domain.com may be hotmail.com , gmail.com.
> >>
> >> is there a rule for that so that we can give some score for these mails?
> >
> > for gmail, you can use dkim verification. look at the rules in
> > http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> > you may want to accept non signed gmail mail if it comes from nabble or
> > others.
> >
> > for hotmail, there are already rules to catch such forgeries. take a look
> > at
> > http://spamassassin.apache.org/tests_3_2_x.html
> >
> > if you have sample false negatives, post them on pastebin.com.
> >
Re: about fake mails
Ok
I have started to use dkim verification. I defined whitelists in local.cf. it works.
But I could not find how I give high score for a spammer who doesn't use gmail's mail servers.

Although a domain has domain keys, how can I give positive score for a mail which comes from a fake smtp server ?

> Yavuz Maslak wrote:
>> Sometimes, although anyone don't use domain.com's server, he sends many mails using himself smtp service as if these mails come from @domian.com.
>>
>> the domain.com may be hotmail.com , gmail.com.
>>
>> is there a rule for that so that we can give some score for these mails?
>
> for gmail, you can use dkim verification. look at the rules in
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> you may want to accept non signed gmail mail if it comes from nabble or others.
>
> for hotmail, there are already rules to catch such forgeries. take a look at
> http://spamassassin.apache.org/tests_3_2_x.html
>
> if you have sample false negatives, post them on pastebin.com.
Re: Live.space and Sourceforge
> I've been getting a bit of spam recently via Sourceforge mailing lists
> that punts live.space websites. As this is easy to detect without
> running much risk of FPs, I've written a rule.
>

Getting so much spam, and no response from [EMAIL PROTECTED]

Should just give a 2.0 to uri rule and add 10 for the meta rule. If live.com doesn't care how much spam is using their network why should we care?

Yes, I know, users bitch. :-) darn users.

Thanks for the uri rule. It is tighter than the one I cobbled together.

--
Michael Scheidell, CTO
SECNAP Network Security
FreeBSD SpamAssassin Ports maintainer
Live.space and Sourceforge
I've been getting a bit of spam recently via Sourceforge mailing lists that punts live.space websites. As this is easy to detect without running much risk of FPs, I've written a rule.

describe MG_LIVESF Spam via SourceForge but contains spaces.live.com URI
uri __MG_LSF1 /^http:.{1,40}\.spaces\.live\.com/i
header __MG_LSF2 List-Id =~ /lists\.sourceforge\.net/i
meta MG_LIVESF (__MG_LSF1 && __MG_LSF2)
score MG_LIVESF 2.0

Of course it's useless if none of your users subscribe to Sourceforge mailing lists, but OTOH it should adapt easily to almost any group of mailing lists that carry the List-Id: header.

Martin
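Martin's MG_LIVESF meta rule worked through in Python: the uri sub-rule is applied to each URI extracted from the body, the List-Id sub-rule to the header, and the List-Id pattern is a parameter so the same check adapts to another group of lists as the post suggests. This is an added example, not code from the post or from SpamAssassin; the sample message is constructed, and the URI extractor is a rough regex where SpamAssassin's own URI detection is far more thorough.

```python
import email
import re

# The two sub-rules from the post, as Python regexes.
LIVE_URI_RE = re.compile(r"^http:.{1,40}\.spaces\.live\.com", re.I)
SOURCEFORGE_LIST = r"lists\.sourceforge\.net"
# Rough URI extractor; SA's own URI detection is more thorough.
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def body_uris(msg):
    """Every http(s) URI found in the text parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    uris = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            uris.extend(URI_RE.findall(text))
    return uris


def mg_livesf(raw, list_id_pattern=SOURCEFORGE_LIST):
    """meta MG_LIVESF (__MG_LSF1 && __MG_LSF2): a spaces.live.com URI in the
    body AND a List-Id matching the mailing-list pattern. As in SA, the uri
    rule is tried against each URI on its own, so ^ anchors at the URI start."""
    msg = email.message_from_string(raw)
    has_uri = any(LIVE_URI_RE.search(u) for u in body_uris(msg))
    has_list = re.search(list_id_pattern, msg.get("List-Id", ""), re.I) is not None
    return has_uri and has_list


# Constructed sample (not from the thread).
SF_SPAM = ("From: someone@example.net\nTo: dev@lists.sourceforge.net\n"
           "List-Id: <dev.lists.sourceforge.net>\nSubject: check this\n\n"
           "see http://cid-1234.spaces.live.com/blog/ now\n")
OTHER_LIST = SF_SPAM.replace("lists.sourceforge.net", "lists.example.org")
NO_LIST = SF_SPAM.replace("List-Id: <dev.lists.sourceforge.net>\n", "")
```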
Re: Spam slipping through
On Sat, 2008-12-06 at 23:45 -0500, Theo Van Dinter wrote:
> On Sat, Dec 06, 2008 at 08:00:10PM -0800, John Hardin wrote:
> > mechanism for. Devs: there've been wishes for this before; how hard
> > would it be to add the ability to match on the substring match captured
> > by another rule? Add a flag to say "capture the match for this rule" and
> > a syntax for substituting that into the match RE of another rule, and
> > dependency enforcement?
>
> Non-trivial. Write a plugin, where it is trivial. :)

The implementation of it is not my concern. It's a pretty basic rule to require that addresses a commonly exploited spam attack vector. Do we just say 'We won't scan for that, it's too complicated'. It's kind of like not scanning anything over 150k for performance. Spammers make use of these shortcomings.

On a different note here, there is starting to be an increase in spam over 150k. I'm seeing a slowly increasing amount of spam from Asia that is in the 1meg range. This would choke any rules based scanner in volume. With bandwidth now cheap (other peoples in particular if you are using a botnet) it's an increasing concern.