Re: What is AWL?

2009-03-19 Thread Matt Kettler
Bowie Bailey wrote:
> Georgy Goshin wrote:
>   
>> What is AWL rule? Why it gives so different amount of points? How to
>> resolve this?
>> 
>
> Check out the wiki entry:
>
> http://wiki.apache.org/spamassassin/AutoWhitelist
>
>   
Agreed. Also:

http://wiki.apache.org/spamassassin/AwlWrongWay




Re: What does Free Software have to do with education?

2009-03-19 Thread mouss
LuKreme wrote:
> On 18-Mar-2009, at 21:34, Jorge Cardona wrote:
>> What does Free Software have to do with education?
>
> This list is English only. ["Esta lista es solamente ingles."]

It has nothing to do with "esta" or "lista". That was spam. Check the
list of recipients. Just because it's talking about "libre" doesn't make
it nice.


Re: Sa-update problem

2009-03-19 Thread mouss
Bryan Lee wrote:
> From: mouss [mailto:mo...@ml.netoyen.net]
> Sent: Wednesday, March 18, 2009 6:30 PM
>
>>> At question is the statement
>>> dbg: channel: current version is 752903, new version is 752903,
>>> skipping channel
>> $ host -t txt 3.2.3.updates.spamassassin.org
>> 3.2.3.updates.spamassassin.org descriptive text "752903"
>> so you have the last official update. and it's the same version for
>> 3.2.5:
>> $ host -t txt 5.2.3.updates.spamassassin.org
>> 5.2.3.updates.spamassassin.org descriptive text "752903"
>> last update was on 13-03-2009.
>
> That is terrific!  Thank you for your help!
>
> Do you know about how often these rules are updated?

Yes. From time to time :)

Rules are only updated when they should be. There is no plan that says:
"we'll keep this update until June because we must update every three
months".


Re: interesting flash attack in spam

2009-03-19 Thread John Hardin

On Thu, 19 Mar 2009, James Wilkinson wrote:

> John Hardin wrote:
>> No reason it shouldn't be. I'd suggest something like a rawbody match on
>> /]/i meta'd with HTML_MESSAGE should be worth a few (dozen)
>> points.
>
> This would seem to FP on Microsoft HTML generated by certain versions of
> Word. One example:

Re: interesting flash attack in spam

2009-03-19 Thread James Wilkinson
John Hardin wrote:
> No reason it shouldn't be. I'd suggest something like a rawbody match on
> /]/i meta'd with HTML_MESSAGE should be worth a few (dozen)
> points.

This would seem to FP on Microsoft HTML generated by certain versions of
Word. One example:

RE: SA-LEARN = RESET AWL??

2009-03-19 Thread Bowie Bailey
Cornersoyo wrote:
> If we plan to implement SA-LEARN, should we consider trying to reset
> the AWL??  Because it has been running quite awhile without any
> learning (or extra filtering) applied, so it is obviously adding
> whitelist value to things that we would rather it not...   
> 
> Or will it make the proper adjustments as we go?

AWL is completely separate from Bayes and sa-learn.  It will adjust
itself as you go.  You shouldn't need to do anything with it unless it
is completely messed up.

-- 
Bowie


Re: What is AWL?

2009-03-19 Thread Benny Pedersen

On Wed, March 18, 2009 19:07, Georgy Goshin wrote:
> I understood the spelling of AWL, but why are the scores different?
> How to tune them?

Don't; it's not a whitelist or blacklist. What you see is that some
"faked" user tries to send mail as a user you have on the mailserver.
AWL tracks IPs as well, so that spammer will never succeed in his tries.

If you want to trust AWL differently, set another AWL factor:

0.0 = I use AWL but I don't trust it
1.0 = use AWL and trust it 100% from what the previous sender got in
spam scores

Default is 0.5.

perldoc Mail::SpamAssassin::Plugin::AWL
perldoc Mail::SpamAssassin::Conf


-- 
http://localhost/ 100% uptime and 100% mirrored :)
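To see why the same sender can get very different AWL points from one message to the next, here is a small simulation of the adjustment Benny describes. It is an added example and not SpamAssassin's own code; it assumes the history is keyed on the sender address plus the first two IPv4 octets and that the correction is factor * (historical mean - current score), which is how Mail::SpamAssassin::Plugin::AWL applies auto_whitelist_factor; the sample scores are constructed.

```python
"""Added example (not SpamAssassin's own code) of the AWL adjustment.

Assumptions, stated here and in the lead-in: a history entry is keyed on the
sender address plus the first two octets of the sending IP, it stores the sum
of past scores and a message count, and the correction applied to a new
message is factor * (historical mean - current score).  All scores below are
constructed sample values.
"""
from dataclasses import dataclass, field


def awl_key(sender: str, ip: str) -> str:
    """Sender plus the first two IP octets: the same From: address arriving
    from another network gets its own history, which is why a forged sender
    does not inherit the real sender's negative points."""
    octets = ip.split(".")
    prefix = ".".join(octets[:2]) if len(octets) == 4 else ip
    return f"{sender.lower()}|ip={prefix}"


@dataclass
class AutoWhitelist:
    factor: float = 0.5                         # auto_whitelist_factor, 0.0 .. 1.0
    totals: dict = field(default_factory=dict)  # key -> (sum of scores, count)

    def adjustment(self, sender: str, ip: str, score: float) -> float:
        """AWL delta for this message, computed from history *before* the
        message is recorded.  No history means no adjustment."""
        total, count = self.totals.get(awl_key(sender, ip), (0.0, 0))
        if count == 0:
            return 0.0
        mean = total / count
        return self.factor * (mean - score)

    def record(self, sender: str, ip: str, score: float) -> None:
        """Store the *unadjusted* score so the mean tracks what the rules said."""
        key = awl_key(sender, ip)
        total, count = self.totals.get(key, (0.0, 0))
        self.totals[key] = (total + score, count + 1)

    def process(self, sender: str, ip: str, score: float):
        """Return (delta, final score) and update the history."""
        delta = self.adjustment(sender, ip, score)
        self.record(sender, ip, score)
        return round(delta, 3), round(score + delta, 3)


def demo(factor: float = 0.5):
    """Three constructed messages all claiming to be from the same address."""
    awl = AutoWhitelist(factor)
    return [
        # first message: nothing known yet, so AWL stays silent
        awl.process("alice@example.com", "192.0.2.10", -2.0),
        # same sender and network, rules now say 4.0: pulled toward the mean
        awl.process("alice@example.com", "192.0.2.11", 4.0),
        # same From: but from the 198.51.x.x network: separate history, no help
        awl.process("alice@example.com", "198.51.100.5", 12.0),
    ]


if __name__ == "__main__":
    for factor in (0.0, 0.5, 1.0):
        print(factor, demo(factor))
```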



Re: interesting flash attack in spam

2009-03-19 Thread Dan
On Wed, Mar 18, 2009 at 11:12:02PM +0100, mouss wrote:
> I don't know much people who forbid .doc/xls/ppt in email,
> and these can do a lot of harm.

:0 H
* ^Content-Type: multipart
{
  :0 B
  * name=.*\.(exe|bat|pif|com|lnk|scr|vbs|zip|pdf)(")?(\ *|\t*)$
  {
    :0:
    $HOME/Mail/quarantine
  }
}

I got that at least 5 years ago, probably more, off the procmail list
(I believe, could be wrong). I pretty much forbid anything
microsoft related.

Over the years I added to it every time some little microsoft
exploit came along, then I finally just started to /dev/null
the stuff. Eventually I just dropped hotmail, yahoo mail, etc into
the bit bucket as well as I don't receive mail from anyone who uses
web mail anyway. I also color code the mail clients used on mail lists
and most of the time I add those who use windows mail clients to my kill
files. Add to that those who use misconfigured opensource,
multi-platform clients (and those who push out html through gmail)
and my mailbox contains only the stuff I want to read.


-- 
"The plural of anecdote is not data."
--Roger Brinner
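The same quarantine decision as Dan's recipe, redone on parsed MIME parameters so it also sees names the raw-line regex cannot. This is an added example, not code from the post or the procmail list; the extension list is the recipe's, and the sample messages are constructed.

```python
"""Added example (not from Dan's post or the procmail list): the recipe's
attachment-name check redone on parsed MIME parameters.  The extension list is
the recipe's; the sample messages are constructed for this example."""
import email
import re

# The recipe's extension list, applied to a decoded attachment name.
RISKY_EXT = re.compile(r"\.(exe|bat|pif|com|lnk|scr|vbs|zip|pdf)$", re.IGNORECASE)

# The recipe's body regex, as procmail applies it to raw body lines.
RECIPE_RE = re.compile(
    r'name=.*\.(exe|bat|pif|com|lnk|scr|vbs|zip|pdf)(")?(\ *|\t*)$',
    re.IGNORECASE | re.MULTILINE)


def recipe_matches(raw: str) -> bool:
    """What the procmail recipe decides: the ':0 H' guard requires a multipart
    Content-Type, then ':0 B' greps the raw body for name=...<ext>."""
    msg = email.message_from_string(raw)
    if msg.get_content_maintype() != "multipart":
        return False
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    return RECIPE_RE.search(body) is not None


def risky_attachments(raw: str) -> list:
    """Attachment names with a risky extension, read from the decoded
    Content-Disposition filename= or Content-Type name= parameter.  This also
    sees RFC 2231 encoded names (filename*=charset''value), which the raw-line
    regex misses because the literal text 'name=' never appears."""
    msg = email.message_from_string(raw)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and RISKY_EXT.search(name.strip()):
            found.append(name.strip())
    return found


def _sample(attachment_headers):
    """Constructed two-part message: a short text body plus one attachment."""
    return "\n".join([
        "From: sender@example.invalid",
        "To: you@example.invalid",
        "Subject: constructed sample",
        'Content-Type: multipart/mixed; boundary="XYZ"',
        "",
        "--XYZ",
        "Content-Type: text/plain",
        "",
        "See attached.",
        "--XYZ",
        *attachment_headers,
        "",
        "(attachment body omitted)",
        "--XYZ--",
        "",
    ])


# Plain name= parameter: both checks catch it.
MSG_PLAIN_NAME = _sample([
    'Content-Type: application/octet-stream; name="setup.exe"',
    'Content-Disposition: attachment; filename="setup.exe"',
])
# RFC 2231 encoded filename: only the parsed check catches it.
MSG_RFC2231 = _sample([
    "Content-Type: application/octet-stream",
    "Content-Disposition: attachment; filename*=utf-8''setup.exe",
])
# Harmless text attachment: neither check fires.
MSG_BENIGN = _sample([
    'Content-Type: text/plain; name="notes.txt"',
    'Content-Disposition: attachment; filename="notes.txt"',
])


if __name__ == "__main__":
    for label, raw in (("plain", MSG_PLAIN_NAME), ("rfc2231", MSG_RFC2231),
                       ("benign", MSG_BENIGN)):
        print(label, recipe_matches(raw), risky_attachments(raw))
```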



SA-LEARN = RESET AWL??

2009-03-19 Thread Cornersoyo

If we plan to implement SA-LEARN, should we consider trying to reset the AWL??  
Because it has been running quite awhile without any learning (or extra 
filtering) applied, so it is obviously adding whitelist value to things that we 
would rather it not...
 
Or will it make the proper adjustments as we go?
 
Thanks



Re: interesting flash attack in spam

2009-03-19 Thread hamann . w

Ned Slider said:
>> Indeed, but why does flash need the ability to bind ports, open remote
>> connections, download executable files and run them? Its primary
>> function is to be a web-based multimedia player, or so I thought.
>> SELinux provides solutions to many of these issues by reasonably
>> restricting what things such as flash can do based on least privilege.
>> Same argument for .doc/xls/ppt or any other file formats - why does a
>> word processed document or spreadsheet need the ability to execute
>> arbitrary embedded code? Unfortunately, Windows does not offer such
>> protections and is quite happy to encourage users to run everything with
>> unrestricted privileges based on some perceived notion of usability.

Hi,

there are uses for many of these features, in Rich Internet Apps.
Flash also is - in fact - fairly restricted as to what it may do to its
environment (sandboxing), so it will not create arbitrary connections.
It is, however, allowed to redirect to any webpage, like an html page could do
(using a meta refresh or javascript).

However, in this particular case, the flash is completely harmless and just
displays an animation.
The bad thing is an html link to an exe file, right below the flash object
inside the same html.
All the flash does is attract attention ... a static jpeg image could do the
same.

Wolfgang Hamann






Re: Do I need to adjust bayes_expiry_max_db_size?

2009-03-19 Thread Michael Scheidell



Rosenbaum, Larry M. wrote:
> We are running
> increasing the max DB size?

I would, and I would make sure I was using the mysqlbayes plugins for it.

Also, the nham vs nspam ratio says to me that you are learning way too much 'ham'.

Bump up the auto learn value (if default 12, maybe make it 18).

Drop down the nham value, maybe make it 0, or -1.

> Thanks, Larry
>
> Note: Here is the --dump magic output:
>
> 0.000  0          3  0  non-token data: bayes db version
> 0.000  0    7894739  0  non-token data: nspam
> 0.000  0   10477619  0  non-token data: nham
> 0.000  0    1428534  0  non-token data: ntokens
> 0.000  0 1237349612  0  non-token data: oldest atime
> 0.000  0 1237479369  0  non-token data: newest atime
> 0.000  0          0  0  non-token data: last journal sync atime
> 0.000  0 1237436073  0  non-token data: last expiry atime
> 0.000  0      86400  0  non-token data: last expire atime delta
> 0.000  0     732007  0  non-token data: last expire reduction count


--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
| SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2009 Hot Company Award Finalist, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008



Do I need to adjust bayes_expiry_max_db_size?

2009-03-19 Thread Rosenbaum, Larry M.
We are running
SpamAssassin version 3.2.5
  running on Perl version 5.8.8
  Solaris 9 Sparc
with the MySQL Bayes store and autolearning.  We are using
bayes_expiry_max_db_size  100
Expiry is done manually once a day.  Here is a typical output from expiry:

Thu Mar 19 00:12:00 EDT 2009 Forcing Bayes expiry run
[2541] dbg: bayes: using username: root
[2541] dbg: bayes: database connection established
[2541] dbg: bayes: found bayes db version 3
[2541] dbg: bayes: Using userid: 217
[2541] dbg: bayes: bayes journal sync starting
[2541] dbg: bayes: bayes journal sync completed
[2541] dbg: bayes: expiry starting
[2541] dbg: bayes: expiry check keep size, 0.75 * max: 75
[2541] dbg: bayes: token count: 1792961, final goal reduction size: 1042961
[2541] dbg: bayes: first pass? current: 1237435937, Last: 1237349670, atime: 
86400, count: 669993, newdelta: 55502, ratio: 1.55667447271837, period: 43200
[2541] dbg: bayes: can't use estimation method for expiry, unexpected result, 
calculating optimal atime delta (first pass)
[2541] dbg: bayes: expiry max exponent: 9
[2541] dbg: bayes: atime token reduction
[2541] dbg: bayes:  ===
[2541] dbg: bayes: 43200 1144230
[2541] dbg: bayes: 86400 732048
[2541] dbg: bayes: 172800 0
[2541] dbg: bayes: 345600 0
[2541] dbg: bayes: 691200 0
[2541] dbg: bayes: 1382400 0
[2541] dbg: bayes: 2764800 0
[2541] dbg: bayes: 5529600 0
[2541] dbg: bayes: 11059200 0
[2541] dbg: bayes: 22118400 0
[2541] dbg: bayes: first pass decided on 86400 for atime delta
[2541] dbg: bayes: expiry completed
expired old bayes database entries in 172 seconds
1060954 entries kept, 732007 deleted
token frequency: 1-occurrence tokens: 53.44%
token frequency: less than 8 occurrences: 28.22%
Thu Mar 19 00:15:09 EDT 2009 Done

This is telling me that there are no tokens more than 2 days old.  Is this good 
or bad?  Should I be increasing the max DB size?

Thanks, Larry

Note: Here is the --dump magic output:

0.000  0          3  0  non-token data: bayes db version
0.000  0    7894739  0  non-token data: nspam
0.000  0   10477619  0  non-token data: nham
0.000  0    1428534  0  non-token data: ntokens
0.000  0 1237349612  0  non-token data: oldest atime
0.000  0 1237479369  0  non-token data: newest atime
0.000  0          0  0  non-token data: last journal sync atime
0.000  0 1237436073  0  non-token data: last expiry atime
0.000  0      86400  0  non-token data: last expire atime delta
0.000  0     732007  0  non-token data: last expire reduction count


Re: Liquid Networks

2009-03-19 Thread Michael Scheidell



John Thompson wrote:
> Recently I've been seeing a lot of spam with a remotely loaded "CAN
> SPAM compliant" image disclaimer from an outfit called "Liquid Networks:"
>
>   http://os2.dhs.org/~john/kt.jpg
>
> The domains hosting the image vary from spam to spam.
>
> Is there a way to make spamassassin assign a score to messages
> associated with Liquid Networks affiliates?

Sure :-). It's all ones and zeros.. just got to arrange them in order.

You will need to find something 'unique' to their email, and common to
all their email.
Is the remote image always loaded from the same server? Then you can create
a rule.

Some common headers? Create a rule.

Want to use image spam with keywords? Will work till they 'mung' the image.

Use 'www.pastebin.com' and put up a full email, headers, warts and all,
maybe someone will look at it.




--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259

Liquid Networks

2009-03-19 Thread John Thompson
Recently I've been seeing a lot of spam with a remotely loaded "CAN SPAM 
compliant" image disclaimer from an outfit called "Liquid Networks:"


  http://os2.dhs.org/~john/kt.jpg

The domains hosting the image vary from spam to spam.

Is there a way to make spamassassin assign a score to messages 
associated with Liquid Networks affiliates?


--

-John Thompson (j...@os2.dhs.org)
 Appleton WI USA


Vast improvements to the invaluement.com DNSBL just completed

2009-03-19 Thread Rob McEwen
Chip M. wrote:
> This snowshoe stuff has been a PITA for a while.
> 
> *** Rob McEwen: ***
> Would you be willing to provide your /24 list, for even a short period,
> in some sort of plain text format (maybe one CIDR per line?), so those
> of us with good hand-classified corpi could try out your data?
>
> Most of my users are in a shared hosting environment, so they can't use
> your list suite as-is.  Based on what reliable people have posted, some
> of my users should probably benefit from your /24 list.  I'd be very
> glad to provide you with a list of any FPs I find. :)

When Chip posted this several weeks ago, I had to answer.. "hold on...
I'm in the middle of making large-scale improvements to the invaluement
lists". But improvements are now completed. When I can finally catch my
breath, I'll have to discuss the specifics of Chip's request further. In
the meantime, I'd like to formally announce these improvements.
Basically, very substantial improvements to the invaluement.com DNSBLs
have recently been implemented. Plus, the sign-up page on the web site
is now easier to understand, and the 'blog' section of the web site has
finally started, with an initial post about these improvements to the
lists detailed here:

http://dnsbl.invaluement.com/spam-blocker/

If anyone was thinking about testing out the invaluement
lists, but kept putting it off... now is a great time to start because,
along with these recent improvements, there is also now a special deal
where *anyone who converts their free test into a subscription during
the month of March/09... will get a free month* added to their first
billing period. And *if such a subscriber chooses yearly billing, 4 free
months will be added to their first billing period*. Unfortunately,
time is short and in order to do this, the free portion of the testing
period would be shortened a bit because the subscription would have to
start in March/09. So if this is something that interests you, I
recommend getting started as soon as possible so you'll get as many free
testing days as possible before needing to make a decision which would
take advantage of those free months. The longer you wait, the shorter
those free testing days would be if you wanted to get those free
months!

To save you a click, and keep this info on-list, here is that blog post:

**
*DETAILS ABOUT RECENT INVALUEMENT.COM IMPROVEMENTS*

The most substantial improvements were made to ivmSIP/24. So I'll cover
that last. First, I'll briefly address improvements to ivmSIP and ivmURI.

*ivmSIP IMPROVEMENTS:* During recent work on ivmSIP/24, a “bug” was
discovered in the ivmSIP portion of the engine which was causing
needless False Negatives. This had been there since the /beginning/ of
the invaluement lists! Fixing this should lead to additional ivmSIP
effectiveness. (I about fell out of my seat when I spotted the bug!) So
whatever you've thought/read/experienced about ivmSIP... it is now even
better!

*ivmURI IMPROVEMENTS:* Large improvements to the ivmURI engine were
made. For example, most good DNSBLs will employ some type of False
Positives-prevention filters which then lead to unintended False
Negatives (items that really should have been blacklisted). ivmURI is no
different and those unintended FNs produced by False
Positives-prevention filters are a fact of life. But I'm happy to report
that the ivmSIP FP-prevention filters have been greatly improved so as
to continue preventing FPs just as well as ever, but those unintended
FNs have now been greatly trimmed. This should boost ivmURI’s “catch
rates” noticeably, if not substantially.

*ivmSIP/24 IMPROVEMENTS:* This is where the vast majority of
improvements occurred. ivmSIP/24 is almost like a whole new list.

The invaluement 'engine' now has an automated system which enumerates
through all 256 possible IPs for each /24 block and individually
evaluates each IP for possible /exclusion/ from ivmSIP/24. The
improvements made are substantial because ivmSIP/24 now does NOT have
listed many subranges allocated to innocent senders in those /24 blocks
which were split between innocent senders and spammers. Yet, at the same
time, such subranges allocated to spammers remain listed on ivmSIP/24,
with many IPs /preemptively/ listed.

Additionally, we now have the ability to manually 'whitelist' individual
IPs from ivmSIP/24 without having to delist the whole block. Even
better, when that happens, the IP is NOT in our regular whitelist and,
therefore, has just as good a chance to get listed in the regular ivmSIP
list as any other IP. So this should probably be called an ivmSIP/24
“exemption list”, not a whitelist. Should that IP ever get caught
sending spam, then all bets are off and its existence on the ivmSIP/24
“exemption list” is then completely ignored. This helps prevent spammers
from lying about IPs and adding IPs to the “exemption list” where they
just haven't used that IP for spamming yet.

In the past

RE: Sa-update problem

2009-03-19 Thread Bryan Lee
From: mouss [mailto:mo...@ml.netoyen.net]
Sent: Wednesday, March 18, 2009 6:30 PM

>> At question is the statement
>> dbg: channel: current version is 752903, new version is 752903,
>> skipping channel
> $ host -t txt 3.2.3.updates.spamassassin.org
> 3.2.3.updates.spamassassin.org descriptive text "752903"
> so you have the last official update. and it's the same version for
> 3.2.5:
> $ host -t txt 5.2.3.updates.spamassassin.org
> 5.2.3.updates.spamassassin.org descriptive text "752903"
> last update was on 13-03-2009.

That is terrific!  Thank you for your help!

Do you know about how often these rules are updated?


RE: What is AWL?

2009-03-19 Thread Bowie Bailey
Georgy Goshin wrote:
> 
> What is AWL rule? Why it gives so different amount of points? How to
> resolve this?

Check out the wiki entry:

http://wiki.apache.org/spamassassin/AutoWhitelist

-- 
Bowie


Re: interesting flash attack in spam

2009-03-19 Thread John Hardin

On Thu, 19 Mar 2009, LuKreme wrote:

> On 19-Mar-2009, at 05:41, John Hardin wrote:
>
>> On Thu, 19 Mar 2009, LuKreme wrote:
>>
>>> On 19-Mar-2009, at 04:27, John Hardin wrote:
>>>> No reason it shouldn't be. I'd suggest something like a rawbody match
>>>> on /]/i meta'd with HTML_MESSAGE should be worth a
>>>> few (dozen) points.
>>>
>>> That seems like a good idea.  You have anything?
>>
>> No, and I'd be concerned about the possibility of false positives. The
>> fact that SA rules aren't context-sensitive presents a problem here.
>> You can't reliably distinguish a match between an actual OBJECT tag and
>> mere discussion of an OBJECT tag (e.g. with syntax examples), even if
>> you meta it with HTML_MESSAGE.
>
> If it's an html message and it includes an In an html message, a discussion would be

Re: interesting flash attack in spam


On 19-Mar-2009, at 05:41, John Hardin wrote:

> On Thu, 19 Mar 2009, LuKreme wrote:
>
>> On 19-Mar-2009, at 04:27, John Hardin wrote:
>>> No reason it shouldn't be. I'd suggest something like a rawbody
>>> match on /]/i meta'd with HTML_MESSAGE should be worth
>>> a few (dozen) points.
>>
>> That seems like a good idea.  You have anything?
>
> No, and I'd be concerned about the possibility of false positives.
> The fact that SA rules aren't context-sensitive presents a problem
> here. You can't reliably distinguish a match between an actual
> OBJECT tag and mere discussion of an OBJECT tag (e.g. with syntax
> examples), even if you meta it with HTML_MESSAGE.

If it's an html message and it includes an suspicious.  In an html message, a discussion would be

Re: interesting flash attack in spam


On Thu, 19 Mar 2009, LuKreme wrote:

> On 19-Mar-2009, at 04:27, John Hardin wrote:
>> No reason it shouldn't be. I'd suggest something like a rawbody match
>> on /]/i meta'd with HTML_MESSAGE should be worth a few
>> (dozen) points.
>
> That seems like a good idea.  You have anything?

No, and I'd be concerned about the possibility of false positives. The
fact that SA rules aren't context-sensitive presents a problem here. You
can't reliably distinguish a match between an actual OBJECT tag and mere
discussion of an OBJECT tag (e.g. with syntax examples), even if you meta
it with HTML_MESSAGE.

Hence my subsequent suggestion for an HTML tag scoring plugin. That
_would_ be context-sensitive and I'd feel safe giving an OBJECT tag 20
points that way.

Another alternative would be a way to mark a rule so that it only applies
to body parts of a given MIME type, so the rule above could only be run
against the text/html body parts.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79


Re: turn off bayes?

On Wed, 2009-03-18 at 21:40 +0100, Mark Martinec wrote:
> Dan,
>
>> I normally disable bayes, because without proper training it tends
>> to make spamassassin less reliable.  But I've got one installation that is
>> stubbornly running bayes even though I have disabled it.
>>
>> I set use_bayes 0 in /etc/mail/spamassassin/local.cf
>> I set use_bayes 0 in ~/.spamassassin/user_prefs of the user running
>> amavisd-new I can't find any other places I can disable it.
>
> That should suffice, unless you have other .cf files there
> where it might be enabled.
>
>> I have verified that all these are set and restarted amavisd-new,
>> but I still get bayes_00=-2.599
>
> Check what files SpamAssassin sees during startup:
>   amavisd debug-sa

Fascinating.  Although the user that runs the daemon is the clamav user,
it is still looking for user_prefs
in /var/lib/amavis/.spamassassin/user_prefs.  Since that directory is
not even mentioned in the passwd file, I'm somewhat amazed.

But we'll see if that kills off bayes.



-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: interesting flash attack in spam


On 19-Mar-2009, at 04:27, John Hardin wrote:
> No reason it shouldn't be. I'd suggest something like a rawbody
> match on /]/i meta'd with HTML_MESSAGE should be worth a
> few (dozen) points.

That seems like a good idea.  You have anything?

--
Happy Jack wasn't tall, but he was a man



Re: SpamAssassins bayes mechanism and message headers

>From: Matt Kettler 
>Date: Tue, 17 Mar 2009 21:30:02 -0400
>
>fl...@pbartels.info wrote:
>> Hello,
>>
>> instead of disabling a lot possibly set message headers using
>> "bayes_ignore_header" and ending up in strange configs like:
>>
>> bayes_ignore_header Return-Path
>...
>> (found on the net)
>Where?
>>
>> shouldn't SpamAssassins bayes mechanism just ignore the complete
>> message header and just look at the body?
>> This seems useful in my opinion.
>It seems like a very misguided idea to me.
>
>Is there any reason to think headers make bad tokens?
>Do you have any test data showing this improves your bayes accuracy?

On 18.03.09 15:23, Jeff Mincy wrote:
> Yes - I think some headers make extremely bad tokens for bayes, for
> example the X-Mailer/User-Agent headers.   40% of the spam I get
> claims to  have Microsoft Outlook as a x-Mailer.   So bayes rapidly
> determines that *UAMicrosoft (etc) is an extremely strong token.
> These *UA tokens were enough to push a short ham message to BAYES_99.
> When I added an bayes_ignore_header the score dropped to ~BAYES_40
> Obfuscated words like 'st0ck' are 100% indications of spam (or of
> messages that discuss spam), so these words work great for bayes.
> A 'X-Mailer: Microsoft Office Outlook' header doesn't really tell you
> anything about the message, at least not to the extent that bayes
> treats these tokens.

Better train such mail properly. Those tokens will get a score of 0.5 which
may exclude them from decisions. And you can never know which Outlook
version is spammy and which is hammy. Maybe one day you'll find that there
is a version of Outlook no spammers use and another version only spammers use.

> The Message-ID tokens are also low quality tokens.  Most of these
> tokens are hapaxes that are never used by other messages.  These just
> fill up the bayes database.  Maybe if the Message-ID tokens were even
> more processed then maybe these could be more useful for bayes - eg -
> replace 1234.56789 with a format %4d.%5d, or throw out all of the
> timestamp numbers and keep the just the stuff after the @.

Funny, there are some Message-Id rules (I counted 7) that catch some spam.
Yes, a good Message-Id parser for bayes could catch them better than the
current one. But by disabling Message-Id you will lose all that.


-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: interesting flash attack in spam


On 19/03/2009 11:27, John Hardin wrote:
> No reason it shouldn't be. I'd suggest something like a rawbody match on
> /]/i meta'd with HTML_MESSAGE should be worth a few (dozen)
> points.

FWIW, MailScanner has had the option of disarming  and
 tags for ages.


John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: interesting flash attack in spam


mouss wrote:
> RobertH wrote:
>>>> http://pastebin.com/m2fcbe7b5
>>>
>>> Thanks for posting the sample.
>>>
>>> My email sanitizer successfully defends against this attack.
>>>
>>> :)
>>>
>>> --
>>>   John Hardin
>>
>> no disrespect intended yet i would like to understand...
>>
>> u, if your "email sanitizer" caught it, why isnt that something
>> programmed "in another way" inside SA, or clamav, etc...?
>>
>> i mean we have viruses, we have spyware, we have spam, we have UCE, we have
>> all these different terms that describe essentially the same stuff...
>>
>> cant this be dealt with in something that already exists like SA, Clamav, or
>> whatever, besides having another custom piece of coding ?
>>
>> i mean, John, at the very least get out some them there GUNS and shoot it a
>> bunch and make it stop or something!

The answer probably lies in a layered defence. If you can detect the
message as spam in SA regardless of malicious content, then that's just
one option. In an ideal world AV programs should detect the trojan but
the simple reality is that AV vendors can not keep up with the current
bombardment of malware. This sample had very poor detection at the time
the email was circulated. That may have improved somewhat now, but now
is too late for those who would have been hit by this at the time it was
sent.

> spam contains a URL (the fact that it is flash is only half-relevant).
> That URL redirects to an exe file. you want to do what?
>
> The approach that consists of getting the spam filter (SA here) access
> the URL has a lot of problems (easy DoS, address confirmation, higher
> latency, ... etc)
>
> Fixing the MUA may be good, but this still means that a file suffix is
> meaningful. however, the internet isn't windows. a ".exe" does nothing
> on a unix/linux system (assuming no windows support, be that wine or
> other).
>
> and to answer Ned's post, the problem isn't with flash running arbitrary
> programs (what's the alternative? display ascii text only?). The problem
> is elsewhere. I don't know much people who forbid .doc/xls/ppt in email,
> and these can do a lot of harm.

Indeed, but why does flash need the ability to bind ports, open remote
connections, download executable files and run them? Its primary
function is to be a web-based multimedia player, or so I thought.
SELinux provides solutions to many of these issues by reasonably
restricting what things such as flash can do based on least privilege.
Same argument for .doc/xls/ppt or any other file formats - why does a
word processed document or spreadsheet need the ability to execute
arbitrary embedded code? Unfortunately, Windows does not offer such
protections and is quite happy to encourage users to run everything with
unrestricted privileges based on some perceived notion of usability.







RE: interesting flash attack in spam


On Wed, 18 Mar 2009, RobertH wrote:

>> My email sanitizer successfully defends against this attack.
>
> no disrespect intended yet i would like to understand...
>
> u, if your "email sanitizer" caught it, why isnt that something
> programmed "in another way" inside SA, or clamav, etc...?

No reason it shouldn't be. I'd suggest something like a rawbody match on
/]/i meta'd with HTML_MESSAGE should be worth a few (dozen)
points.

Perhaps more generic: a plugin that would parse out the distinct tags in
an HTML body part, and assign points based on whether a given tag appeared
at all (e.g. "score_html_tag object 20") or whether a tag does not appear
in a "tag whitelist" (to catch the random tagname
obfuscation method).

> i mean we have viruses, we have spyware, we have spam, we have UCE, we
> have all these different terms that describe essentially the same
> stuff...
>
> cant this be dealt with in something that already exists like SA,
> Clamav, or whatever, besides having another custom piece of coding ?

Should SpamAssassin really be recast as EmailMalwareAssassin? I personally
don't think so.

All of these tools take different approaches to overlapping problem sets.
My sanitizer complements SA and clamav. I was just lightheartedly tooting
my own horn a bit, primarily because reactive security is inherently
limited.

> i mean, John, at the very least get out some them there GUNS and shoot
> it a bunch and make it stop or something!
>
> ;-)

:) I'll let the Russian Mafia whack the spammers.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
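The tag-scoring plugin John sketches above, combined with his other suggestion of running it only against text/html body parts, as an added example; this is not a SpamAssassin plugin or code from the thread. The "score_html_tag object 20" line is the post's own syntax; the "html_tag_unknown" directive, the ALLOWED_TAGS set and the sample messages are constructed for this example.

```python
"""Added example, not a SpamAssassin plugin: the tag-scoring idea above, run
only over text/html MIME parts.  "score_html_tag object 20" is the post's
syntax; "html_tag_unknown", ALLOWED_TAGS and the sample mails are constructed
for this example."""
import email
from html.parser import HTMLParser

# Tags an ordinary HTML mail is expected to use (constructed list).
ALLOWED_TAGS = {"html", "head", "title", "body", "div", "span", "p", "br", "a",
                "b", "i", "u", "font", "img", "table", "tr", "td", "ul", "li"}


class TagCounter(HTMLParser):
    """Count the distinct start tags that really occur in the markup.  Text
    like "paste an &lt;object&gt; tag" is character data, not a tag, so a
    discussion of OBJECT does not score the way a rawbody regex match would."""

    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        self.tags[tag] = self.tags.get(tag, 0) + 1

    handle_startendtag = handle_starttag


def parse_config(lines):
    """Two directives: 'score_html_tag <tag> <score>' (points if the tag
    appears at all) and 'html_tag_unknown <score>' (points per tag outside
    ALLOWED_TAGS, to catch random-tagname obfuscation)."""
    scores, unknown = {}, 0.0
    for line in lines:
        words = line.split()
        if len(words) == 3 and words[0] == "score_html_tag":
            scores[words[1].lower()] = float(words[2])
        elif len(words) == 2 and words[0] == "html_tag_unknown":
            unknown = float(words[1])
    return scores, unknown


def score_html(markup, tag_scores, unknown_score):
    """Score one HTML body: explicit per-tag scores first, then the
    unknown-tag score for anything outside the allowed set."""
    parser = TagCounter()
    parser.feed(markup)
    parser.close()
    hits = {}
    for tag in parser.tags:
        if tag in tag_scores:
            hits[tag] = tag_scores[tag]
        elif tag not in ALLOWED_TAGS:
            hits[tag] = unknown_score
    return sum(hits.values()), hits


def score_message(raw, config_lines):
    """Run the scorer over text/html parts only (the MIME-type restriction
    from the same thread), so a text/plain part quoting markup never scores."""
    tag_scores, unknown_score = parse_config(config_lines)
    msg = email.message_from_string(raw)
    total, hits = 0.0, {}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        markup = part.get_payload(decode=True).decode("utf-8", "replace")
        part_total, part_hits = score_html(markup, tag_scores, unknown_score)
        total += part_total
        hits.update(part_hits)
    return total, hits


SAMPLE_CONFIG = ["score_html_tag object 20", "html_tag_unknown 2"]

# Constructed multipart/alternative mail: the text part talks about an OBJECT
# tag, the HTML part contains one plus a made-up <xq7z> tag.
SAMPLE_HTML_MAIL = "\n".join([
    "Subject: constructed sample",
    'Content-Type: multipart/alternative; boundary="ALT"',
    "",
    "--ALT",
    "Content-Type: text/plain",
    "",
    "Remember to put an <object> tag in your page.",
    "--ALT",
    "Content-Type: text/html",
    "",
    "<html><body><p>Never paste an &lt;object&gt; tag from mail.</p>",
    '<object data="movie.swf"></object><xq7z>hidden</xq7z></body></html>',
    "--ALT--",
    "",
])

# Constructed text/plain mail with the same markup in its body: no HTML part,
# so nothing is scored although a rawbody rule would have matched.
SAMPLE_PLAIN_MAIL = ("Subject: constructed sample\nContent-Type: text/plain\n\n"
                     'Example syntax: <object data="movie.swf"></object>\n')
```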


Re: JoeJobbed - Vbounce plugin - SPF?.

> On 17.03.09 14:02, Michael Hutchinson wrote:
> >> We initially tried 'riding out the storm' as it were, but were unable
> >> to keep on top of the load put on the servers by excessive E-Mail
> >> messages requiring scanning by SA. This got so bad that the mailserver
> >> had become unresponsive to our clients.
> 
> > qmail is known for bouncing, instead of rejecting unknown recipients
> > at SMTP level. You filter unknown
> > recipients? If not, this is your problem.

On 19.03.09 09:54, Michael Hutchinson wrote:
> If an smtproutes entry forces me to accept unknown recipients for said
> affected domain, then Yes, and I would assume that this is the
> behaviour.

Oh, yes, smtproutes is a problem. Not good until we all have some clean
way to detect valid and invalid customers.

> >> I was considering convincing the powers to let me setup SPF, but their
> >> requirement would be to have both v1 and v2 spf tags - and I'm not sure
> >> whether Q-Mail is up to both yet, but some kind of SPF implementation
> >> where we check the tags (not necessarily publish them)
> 
> >> but I guess that's an MTA question:)
> 
> >forget SPF v2. Use v1 but don't expect huge results, there's still many
> >SMTP servers not checking the SPF...
> 
> OK, What's wrong with SPF v2 ?

I think we should better google for it, but iirc SPF v2 is based on Microsoft's
idea that has some logical and some patent issues.

Does anyone here know more/better about SPF v2?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


Re: interesting flash attack in spam


> http://pastebin.com/m2fcbe7b5

Thanks for the sample.. I added detection for the email and exe file
yesterday.

Cheers,

Steve
Sanesecurity
www.sanesecurity.com