Re: New type of spam... (very curious)

2009-06-30 Thread Yet Another Ninja

On 7/1/2009 8:50 AM, rich...@buzzhost.co.uk wrote:
> Oh, and look: dnsbl.sorbs.net


So it seems that the demise of sorbs will add latency if their servers
stop answering...



See "Update: 25th June 2009 "

http://www.au.sorbs.net/


Re: New type of spam... (very curious)

2009-06-30 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 08:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 07:44, rich...@buzzhost.co.uk wrote:
> > In particular
> > # Enable or disable network checks
> > skip_rbl_checks 0
> > 0 = off 1 = on
> 
> wrong
> 
> 0 = use rbl
> 1 = skip rbl test
> 
Indeed I was "WROUNG";

Tests show it is the other way round. Mmm. That's assumptions for you. For
years the binary zero has meant 'off' to me. Now SA have 'NOT'd' it to
mean 'ON' LOL;

With it at zero and checking the DNS server logs it does all this...

Jul  1 07:38:46 munged #14781: query: 1.2.3.4plus.bondedsender.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.combined.njabl.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.bl.spamcop.net IN TXT +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.zen.spamhaus.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.sa-accredit.habeas.com IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.list.dnswl.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.sa-trusted.bondedsender.org IN TXT +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.iadb.isipp.com IN A +
Jul  1 07:38:46 munged #14781: query: munged.co.uk IN SPF +
Jul  1 07:38:47 munged #14781: query: munged.co.uk IN TXT +

I'm going to need to disable some of these lists as the MTA has already
blocked stuff on them. Kind of pointless making repeat lookups for stuff
already tested. Thanks for pointing that out Benny.

Oh, and look: dnsbl.sorbs.net

So it seems that the demise of sorbs will add latency if their servers
stop answering...



Re: SA report header added to ham mail

2009-06-30 Thread LuKreme

On 30-Jun-2009, at 19:38, Karsten Bräckelmann wrote:

> Yes, that *might* result in images being loaded off the net
> automatically, depending on your MUA settings. Hence the "safe". But it
> really makes reviewing harder, having the user scroll and click each
> single spam.


Erm.. I don't understand how report-safe 1 means scrolling and  
clicking each spam? The vast majority of tagged spam can be discarded  
without ever looking at the actual message in the attachment. And if a  
message is mistagged, opening the attachment gives you the entire  
original message with no SA tags at all.



> Recovering from report_safe 0 is a piece of cake, too. Just get rid of
> the X-Spam headers. Done. What's destructive about that?


That's well beyond most MUAs and most users.

--
You know, Calculus is sort of like measles. Once you've had it, you
probably won't get it again, and you're glad of it. -- W. Carr



Re: New type of spam... (very curious)

2009-06-30 Thread Benny Pedersen

On Wed, July 1, 2009 07:44, rich...@buzzhost.co.uk wrote:
> In particular
> # Enable or disable network checks
> skip_rbl_checks 0
> 0 = off 1 = on

wrong

0 = use rbl
1 = skip rbl test

-- 
xpoint



Re: New type of spam... (very curious)

2009-06-30 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 01:15 +0200, Michelle Konzack wrote:
> Am 2009-06-30 14:08:33, schrieb John Hardin:
> > If zen worked to catch the message in procmail, how does it not work on  
> > your MTA? Or did we misinterpret your original post?
> 
> In Debian, the network related scans are activated and I  do  not  know,
> why ZEN is never executed.  If you know more  about  the  "Debian Lenny"
> version of spamassassin, maybe you can point me into the right direction
> where to search.
> 
> Note:  On my "Debian Etch" installation it is working
> 
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
> Systemadministrator
> Tamay Dogan Network
> Debian GNU/Linux Consultant
> 
First of all, I don't use ZEN in SA. My personal feeling is I want to
get rid of spam at the earliest possible stage. I block anything on
these lists at the MTA level;

zen.spamhaus.org
dnsbl.sorbs.net
b.barracudacentral.org

There are differing political views about this, but it is the method
found in the top selling anti-spam appliance, hence I'm happy to use
it. How you would implement this depends on the MTA.

Moving specifically to SpamAssassin on Debian. Look at the contents of
these (adjusting the path where necessary);

/etc/spamassassin/init.pre 
(just to make sure there is nothing killing the network tests in here)


And then check the basic config file;
/etc/spamassassin/local.cf

In particular
# Enable or disable network checks
skip_rbl_checks 0

0 = off 1 = on

My understanding is even if you get an RBL hit it's only going to up the
score of the mail. So you are, essentially, scanning spam if you do it
this way. However, some people like the safety blanket of scanning
hundreds of thousands of spam messages in case there may one day be a
false positive :-)

If this does not throw light onto your problem Michelle I would do a
couple of very basic sanity checks on your DNS system *from* the box
running SA. Randomly from my logs I've picked an IP address blocked by
ZEN in the last hour (for testing), e.g.

Jul  1 06:23:25 Rejected; blocked by zen.spamhaus.org 84.108.206.164

So from a command prompt (assuming you have dig installed) look for an
ANSWER section in the reply to this query:

dig 164.206.108.84.zen.spamhaus.org

EG;
;; ANSWER SECTION:
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.10
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.4

Means you have a sane reply and the IP is blacklisted but of equal
importance is the time in which it takes to serve the request;

;; Query time: 3 msec
Anything much over a couple of hundred msecs would not be ideal; into
the thousands (1000+) and you have a problem.

If you don't get any result to this, or the result is hideously slow,
then you need to fix the DNS issue. This is not uncommon and usually
centres around firewall policy.

If it fails, btw, this is also worth a try;

dig @4.2.2.2 164.206.108.84.zen.spamhaus.org
dig @4.2.2.3 164.206.108.84.zen.spamhaus.org

and see if the issue is local DNS.

(AFAIR dig is part of dns utils if it is not already on the box but
check that: apt-get install dnsutils)
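
Added example, not from Richard's post: a small Python version of the dig
sanity check above, with the resolver stubbed out by a constructed table
(the two Zen answers quoted in this thread) so it runs offline; swap in a
real resolver to use it for real. The return-code meanings are the ones
Spamhaus documents for zen.spamhaus.org, the latency thresholds follow the
numbers in the post (hundreds of msec is slow, 1000+ is broken), and the
non-loopback check catches the resolver-rewrites-NXDOMAIN failure that a
plain "do I get an answer" test would miss.

```python
import ipaddress
import time
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[List[str]]]

# Constructed stand-in for DNS (query name -> A records); it only exists so
# the example runs offline. The two entries are the Zen answers quoted in
# this thread. A real check would call the system resolver here instead.
FAKE_ZONE: Dict[str, List[str]] = {
    "164.206.108.84.zen.spamhaus.org": ["127.0.0.10", "127.0.0.4"],
    "224.118.146.174.zen.spamhaus.org": ["127.0.0.11"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Return the A records for name, or None when the name does not exist."""
    return FAKE_ZONE.get(name)


# Return codes Spamhaus documents for zen.spamhaus.org. The sub-list matters:
# PBL is end-user address space and only means something at the boundary
# where mail enters from untrusted hosts, which is the mistake RW describes.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
DNSBL_ANSWER_SPACE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name the way dig was used above: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)          # rejects junk before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_listing(ip: str, zone: str, resolve: Resolver = fake_resolve,
                  slow_ms: float = 200.0, broken_ms: float = 1000.0) -> Dict[str, object]:
    """Query one DNSBL for ip and report listing, sub-lists and answer latency."""
    name = dnsbl_query_name(ip, zone)
    start = time.perf_counter()
    answers = resolve(name) or []             # None / empty == not listed
    latency_ms = (time.perf_counter() - start) * 1000.0

    lists = set()
    bogus: List[str] = []
    for a in answers:
        # A DNSBL only ever answers inside 127.0.0.0/8. Anything else means the
        # resolver is rewriting NXDOMAIN (ISP "search assist" and the like), so
        # every address would look listed and the check is worthless.
        if ipaddress.IPv4Address(a) in DNSBL_ANSWER_SPACE:
            lists.add(ZEN_CODES.get(a, "unknown"))
        else:
            bogus.append(a)

    if bogus:
        verdict = "broken: non-loopback answer, fix the resolver"
    elif latency_ms >= broken_ms:
        verdict = "broken: DNS too slow"
    elif latency_ms >= slow_ms:
        verdict = "slow"
    else:
        verdict = "ok"
    return {"query": name, "listed": bool(lists), "lists": sorted(lists),
            "latency_ms": round(latency_ms, 1), "bogus_answers": bogus, "verdict": verdict}


if __name__ == "__main__":
    for ip in ("84.108.206.164", "174.146.118.224", "10.0.0.1"):
        print(check_listing(ip, "zen.spamhaus.org"))
```

Run it against each resolver you might be using (the local one and a public
one, as with the dig @4.2.2.2 test) and compare the verdicts; a "broken" on
the local resolver only is the firewall-policy case the post mentions.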

Re: SA report header added to ham mail

2009-06-30 Thread Karsten Bräckelmann
On Tue, 2009-06-30 at 18:36 -0600, LuKreme wrote:
> On 30-Jun-2009, at 14:57, John Horne wrote:
> > I am currently reconfiguring SA, and have set report_safe to 0. Our
> > 'required' score is 8, and I have also configured:
> 
> Raising the required score is clearly a mistake. Setting report safe  
> to 0 is generally user-hostile. Setting it to one is the best option  
> because it is the least destructive. The original message is  
> completely untouched and can be easily recovered.

I don't necessarily agree. It might depend on the users. It's just a
safe (sic) default.

I once (long ago) had a hack to always have the wrapped original mail
displayed inline, rather than attached. Think "expanded by default".
Cause it made reviewing easier. Long ago I switched to report_safe 0,
cause it makes reviewing even easier. ;)  The difference being nothing
way down to scroll to...

Yes, that *might* result in images being loaded off the net
automatically, depending on your MUA settings. Hence the "safe". But it
really makes reviewing harder, having the user scroll and click each
single spam.


Recovering from report_safe 0 is a piece of cake, too. Just get rid of
the X-Spam headers. Done. What's destructive about that?


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: www.shopXX.net

2009-06-30 Thread LuKreme

On 29-Jun-2009, at 10:53, Kevin Parris wrote:
> It is folly to underestimate the stupidity and/or gullibility of
> humans.  Just because the link "won't work" as-is in the message
> does NOT mean people out there won't retype it, corrected, into
> their browser address box.  It is my opinion that if the spammers
> weren't getting traffic to the websites from the email, they would
> stop sending the email.  Since the emails continue, we must presume
> that they are having some success in attracting victims to the sites.



Sure, but I seriously doubt that they would replace characters to fix
a URL. If I mistype a URL www.example,com I generally get a note that
the URL didn't work. It takes a certain level of geekness to see the
typo and replace it with a '.'



--
I draw the line at 7 unreturned phone calls.



Re: SA report header added to ham mail

2009-06-30 Thread LuKreme

On 30-Jun-2009, at 14:57, John Horne wrote:

> I am currently reconfiguring SA, and have set report_safe to 0. Our
> 'required' score is 8, and I have also configured:


Raising the required score is clearly a mistake. Setting report safe  
to 0 is generally user-hostile. Setting it to one is the best option  
because it is the least destructive. The original message is  
completely untouched and can be easily recovered.



> However, as far as I can tell, the X-Spam-Report header gets added to
> ham mail as well as spam.


You must have

add_header all Report _REPORT_

somewhere


--
And, while it was regarded as pretty good evidence of criminality
to be living in a slum, for some reason owning a whole street
of them merely got you invited to the very best social
occasions.



Re: X-Mailer: domain

2009-06-30 Thread Karsten Bräckelmann
> > Both of you. ;)
> 
> Mea culpa. I _never_ think of header ALL rules.

See my RATWARE_OUTLOOK rule. ;)

Reminds me of an important bit I meant to add, but forgot. It's pretty
important to properly anchor matches and limit wildcard matching with
multi-line RE's -- otherwise they can easily bog down your server!


> > Granted, the loose look-a-like rule probably even would be worth a point
> > of its own -- but where's the fun in that?

This one of course would be cheap.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: New type of spam... (very curious)

2009-06-30 Thread RW
On Wed, 1 Jul 2009 01:15:56 +0200
Michelle Konzack wrote:

> Am 2009-06-30 14:08:33, schrieb John Hardin:
> > If zen worked to catch the message in procmail, how does it not
> > work on your MTA? Or did we misinterpret your original post?
> 
> In Debian, the network related scans are activated and I  do  not
> know, why ZEN is never executed.  

If you mean in SpamAssassin, the Zen rules rarely do anything because
they're normally used at the SMTP level, so you just end up with a few
hits on SBL from the untrusted headers (and some XBL hits on
desktop/soho installations where there's a retrieval delay).

In the quoted email, the procmail hit on PBL shouldn't have happened;
you penalized the use of a smarthost, it was coincidental that it
happened on a spam. SpamAssassin handled it properly.


Re: X-Mailer: domain

2009-06-30 Thread John Hardin

On Wed, 1 Jul 2009, Karsten Bräckelmann wrote:

> On Tue, 2009-06-30 at 16:50 -0700, John Hardin wrote:
>> On Wed, 1 Jul 2009, Benny Pedersen wrote:
>>
>>>> From: "Compare and Cover Life"
>>>> X-Mailer: webguide103.com
>>>> How would I construct a spamassassin rule to check for this?
>>>
>>> impossible without a plugin
>
> Meep. Wrong!
>
>> ...unless you just do a loose X-Mailer-looks-like-a-domain-name rule.
>
> Both of you. ;)

Mea culpa. I _never_ think of header ALL rules.

> Granted, the loose look-a-like rule probably even would be worth a point
> of its own -- but where's the fun in that?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The ["assault weapons"] ban is the moral equivalent of banning red
  cars because they look too fast.  -- Steve Chapman, Chicago Tribune
---
 4 days until the 233rd anniversary of the Declaration of Independence

Re: SA report header added to ham mail

2009-06-30 Thread Karsten Bräckelmann
On Wed, 2009-07-01 at 01:26 +0200, Mark Martinec wrote:
> > >X-spam-report: Score=-6.9
> > > tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham
> >
> > That is not a standard SA header. Actually, there's quite a lot fishy
> > about that.
> >
> > First of all, SA is incapable of adding it -- all SA generated headers
> > start with X-Spam- (note the uppercase S, since I assume you actually
> > copy-n-pasted it). So something else (your glue, Amavis?) added it? In
> > that case the SA add_header options are likely futile, and instead you
> > should configure your glue.
> 
> Btw, not amavis (any), it would add X-Spam-Report, i.e. capitalized.

Oh, capitalization enforced? Thanks, good to know, Mark. Now I'm even
more confused about the header...


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: X-Mailer: domain

2009-06-30 Thread Karsten Bräckelmann
On Tue, 2009-06-30 at 16:50 -0700, John Hardin wrote:
> On Wed, 1 Jul 2009, Benny Pedersen wrote:

> > > From: "Compare and Cover Life" 
> > > X-Mailer: webguide103.com
> > > How would I construct a spamassassin rule to check for this?
> >
> > impossible without a plugin

Meep. Wrong!

> ...unless you just do a loose X-Mailer-looks-like-a-domain-name rule.

Both of you. ;)

Granted, the loose look-a-like rule probably even would be worth a point
of its own -- but where's the fun in that?


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: X-Mailer: domain

2009-06-30 Thread Karsten Bräckelmann
On Wed, 2009-07-01 at 00:23 +0100, Mike Cardwell wrote:
> I've started seeing spam email containing an X-Mailer header which is 
> the domain name of the From header. Eg:
> 
> From: "Compare and Cover Life" 
> X-Mailer: webguide103.com

The *first* question should be, how are these scoring generally, and if
it's worth the effort. If they sneak by, there's usually a more
fundamental problem than a missing rule like this.

That said -- nice catch. :)


> How would I construct a spamassassin rule to check for this?

Using the all-magic, all-dancing pseudo ALL header [1], and a brave mix
of RE modifiers like /m and /s [2], to handle multi-line strings. :)

Something like this should do. DO NOTE that I just hacked it up in the
email, and did NOT test it. Mind the manual line wrap.

header FROM_EQ_XM  ALL =~
 /^From: [^@]+\@(?:[^.]+\.)?([^.]+\.[^.]+)>?\$.{0,400}^X-Mailer: \1\$/msi


Now what the fuck does that do? The /m enables multi-line matching, so ^
and $ match the beginning and end of a line respectively, rather than of
the string (which would be the entire headers).

First, we identify a From header, consume all the crap before the @,
optionally also consume a host without capturing (the (?:...)? part).
The trailing example.com we do capture, followed by an optional closing
bracket and the end of the line \$. Note that this appears slightly over
complicated, but it is important -- the dot also matches \n, due to
the /s modifier.

Then match whatever header junk there is, up to an arbitrary bound of
400 chars. With an X-Mailer header following, that matches the domain we
just captured, up to the end of the header. Et voila. :)

Note that this only matches this particular order of headers, so you
might need a second (sub-)rule (meta'd together) to match the reverse.

End proof of concept. ;)

  guenther


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
[2] http://perldoc.perl.org/perlre.html

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
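
Added example, not Karsten's code and not an SA rule file: his rule
translated to a Python regex and run over constructed header blocks (the
addresses are made up), plus the reverse-order companion he says you would
need to meta together. SA's /msi becomes re.M | re.S | re.I, and the "\$"
escapes are plain "$" here. Running it shows what the post describes: the
captured group is the last two labels of the From domain, an extra host
label in front is skipped, and the bounded .{0,400} is what keeps the
cross-line "." from scanning the whole header block.

```python
import re
from typing import Optional

# Karsten's posted rule as a Python regex. SA's /msi is re.M | re.S | re.I;
# the "\$" in the SA version is a plain "$" here.
FROM_EQ_XM = re.compile(
    r"^From: [^@]+@(?:[^.]+\.)?([^.]+\.[^.]+)>?$"  # capture last two labels of the From domain
    r".{0,400}"                                  # bounded slack for headers in between (/s: "." crosses lines)
    r"^X-Mailer: \1$",                           # X-Mailer must be exactly that domain
    re.M | re.S | re.I,
)

# Companion for the other header order. A backreference cannot point forward,
# so this one captures the domain from X-Mailer and re-matches it in From.
XM_EQ_FROM = re.compile(
    r"^X-Mailer: ([^.\s]+\.[^.\s]+)$"
    r".{0,400}"
    r"^From: [^@]+@(?:[^.]+\.)?\1>?$",
    re.M | re.S | re.I,
)


def mailer_matches_from_domain(headers: str) -> Optional[str]:
    """Return the shared domain when X-Mailer equals the From domain, else None.

    `headers` is the raw header block as SA's ALL pseudo-header presents it:
    one header per line, joined with newlines. Trying both rules is the
    Python equivalent of the meta rule OR-ing the two sub-rules.
    """
    for rule in (FROM_EQ_XM, XM_EQ_FROM):
        m = rule.search(headers)
        if m:
            return m.group(1).lower()
    return None


# Constructed header blocks for testing; the addresses are made up.
SPAM_DIRECT = (
    "Received: from mx.example.test (unknown [192.0.2.10])\n"
    'From: "Compare and Cover Life" <offers@webguide103.com>\n'
    "Subject: Compare and cover\n"
    "X-Mailer: webguide103.com\n"
)
SPAM_SUBDOMAIN = (                      # host label in front of the domain is skipped
    "From: Offers <offers@mail.webguide103.com>\n"
    "To: you@example.com\n"
    "X-Mailer: webguide103.com\n"
)
SPAM_REVERSED = (                       # X-Mailer before From: only the companion rule fires
    "X-Mailer: webguide103.com\n"
    'From: "Compare and Cover Life" <offers@webguide103.com>\n'
)
HAM = (
    "From: Alice <alice@example.com>\n"
    "X-Mailer: Apple Mail (2.936)\n"
)

if __name__ == "__main__":
    for name, block in (("direct", SPAM_DIRECT), ("subdomain", SPAM_SUBDOMAIN),
                        ("reversed", SPAM_REVERSED), ("ham", HAM)):
        print(name, "->", mailer_matches_from_domain(block))
```

The character classes in the From rule are the loose ones from the post;
if you tighten them (for example [^.\s>]+ so a label can never swallow a
line break or the closing bracket) the regex needs far less backtracking
before it settles on "webguide103.com", which is the anchoring point
Karsten raises in the follow-up.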



Re: X-Mailer: domain

2009-06-30 Thread John Hardin

On Wed, 1 Jul 2009, Benny Pedersen wrote:

> On Wed, July 1, 2009 01:23, Mike Cardwell wrote:
>> From: "Compare and Cover Life"
>> X-Mailer: webguide103.com
>> How would I construct a spamassassin rule to check for this?
>
> impossible without a plugin

...unless you just do a loose X-Mailer-looks-like-a-domain-name rule.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Democrats '61: Ask not what your country can do for you,
   ask what you can do for your country.
  Democrats '07: Ask not what your country can do for you,
   demand it!
---
 4 days until the 233rd anniversary of the Declaration of Independence


Re: New type of spam... (very curious)

2009-06-30 Thread John Hardin

On Wed, 1 Jul 2009, Michelle Konzack wrote:

> On 2009-06-30 14:08:33, John Hardin wrote:
>> If zen worked to catch the message in procmail, how does it not work on
>> your MTA? Or did we misinterpret your original post?
>
> In Debian, the network related scans are activated and I do not know
> why ZEN is never executed. If you know more about the "Debian Lenny"
> version of spamassassin, maybe you can point me into the right direction
> where to search.

I was speaking of using zen as a MTA-level hard reject in your MTA, not in
SpamAssassin running on the same box as your MTA. That's what we're
suggesting. Do you have the ability to add it as a MTA-level DNSBL?

I don't know why zen wouldn't be working in SA. Network tests disabled,
perhaps? Do other DNSBLs or URIBLs work there? Perhaps run SpamAssassin in
debugging mode and see if it complains about something like Net::DNS being
missing.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Democrats '61: Ask not what your country can do for you,
   ask what you can do for your country.
  Democrats '07: Ask not what your country can do for you,
   demand it!
---
 4 days until the 233rd anniversary of the Declaration of Independence


Re: X-Mailer: domain

2009-06-30 Thread Benny Pedersen

On Wed, July 1, 2009 01:23, Mike Cardwell wrote:
> From: "Compare and Cover Life" 
> X-Mailer: webguide103.com
 > How would I construct a spamassassin rule to check for this?

impossible without a plugin, would be faster to reject sender in mta

-- 
xpoint



Re: SA report header added to ham mail

2009-06-30 Thread Mark Martinec
> >X-spam-report: Score=-6.9
> > tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham
>
> That is not a standard SA header. Actually, there's quite a lot fishy
> about that.
>
> First of all, SA is incapable of adding it -- all SA generated headers
> start with X-Spam- (note the uppercase S, since I assume you actually
> copy-n-pasted it). So something else (your glue, Amavis?) added it? In
> that case the SA add_header options are likely futile, and instead you
> should configure your glue.

Btw, not amavis (any), it would add X-Spam-Report, i.e. capitalized.

  Mark


X-Mailer: domain

2009-06-30 Thread Mike Cardwell

Hi,

I've started seeing spam email containing an X-Mailer header which is 
the domain name of the From header. Eg:


From: "Compare and Cover Life" 
X-Mailer: webguide103.com

How would I construct a spamassassin rule to check for this?

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: New type of spam... (very curious)

2009-06-30 Thread Michelle Konzack
On 2009-06-30 14:08:33, John Hardin wrote:
> If zen worked to catch the message in procmail, how does it not work on
> your MTA? Or did we misinterpret your original post?

In Debian, the network related scans are activated and I do not know
why ZEN is never executed. If you know more about the "Debian Lenny"
version of spamassassin, maybe you can point me into the right direction
where to search.

Note:  On my "Debian Etch" installation it is working

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
 Michelle Konzack
   c/o Vertriebsp. KabelBW
   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886                        Tel. FR: +33  6  61925193




Re: SA report header added to ham mail

2009-06-30 Thread Karsten Bräckelmann
On Tue, 2009-06-30 at 21:57 +0100, John Horne wrote:
> I am currently reconfiguring SA, and have set report_safe to 0. Our
> 'required' score is 8, and I have also configured:
> 
>  clear_report_template
>  report "Score=_SCORE_ tests=_TESTS_ autolearn=_AUTOLEARN_"

The report option does not affect the template used for the Report
header, but the verbatim, mortal user readable form used in the plain
text part of the wrapping mail with report_safe 1.

While it actually matches the given header, I don't think you can change
the header with that. ;)  (Or I've missed a template that will be
substituted with the given report option lines.)


> However, as far as I can tell, the X-Spam-Report header gets added to
> ham mail as well as spam. For example:
> 
>X-spam-report: Score=-6.9 
> tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham

That is not a standard SA header. Actually, there's quite a lot fishy
about that.

First of all, SA is incapable of adding it -- all SA generated headers
start with X-Spam- (note the uppercase S, since I assume you actually
copy-n-pasted it). So something else (your glue, Amavis?) added it? In
that case the SA add_header options are likely futile, and instead you
should configure your glue.

Also, that actually looks like a SA Status header (customized), minus a
leading YesNo and a trailing version. So either this is your glue
responsible, or you got some custom add_header options in your cf files.
Or you typo'd the snippet. ;)

A Status header by default tersely lists all tests hit, similar to the
above. A Report header lists all tests hit including score, description
and meta info.


> (taken from a received message; line wrapped by me). I have no problem
> with the header being added, and in fact that is what I wanted. However,
> I am a bit confused because the man page says it should only be added
> for spam mail.
> 
> Can someone clarify what is going on please. Is there anything I need to
> do to the config to ensure that the above report is added to all mail
> (despite it seeming to happen anyway)?

Since your glue appears to add its own headers instead of stock SA ones,
you should look there. As far as SA itself is concerned, the Status
header (similar to the above) will be added by default anyway.

A verbose Report header added to all mail should be doable with
something like this:
  add_header all Report _REPORT_

See the add_header option in the docs [1], Basic Message Tagging Options
section. Also see the Template Tags section.

  guenther


[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: New type of spam... (very curious)

2009-06-30 Thread John Hardin

On Tue, 30 Jun 2009, Michelle Konzack wrote:

> On 2009-06-30 07:06:37, rich...@buzzhost.co.uk wrote:
>> Are you saying that ZEN caught it after SA processed it? Why are you
>> not using ZEN in SA or at the SMTP stage?
>
> Because it does not work...
> My Mailserver does tons (the syslog of my DNS server is full of it) of
> DNS checks but ZEN does not work...

If zen worked to catch the message in procmail, how does it not work on
your MTA? Or did we misinterpret your original post?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Any time law enforcement becomes a revenue center, the system
  becomes corrupt.
---
 4 days until the 233rd anniversary of the Declaration of Independence


SA report header added to ham mail

2009-06-30 Thread John Horne
Hello,

Using SA 3.2.5 I read in the Mail::SpamAssassin::Conf man page that:

 report_safe ( 0 | 1 | 2 ) (default: 1)
...
If this option is set to 0, incoming spam is only modified
by adding some "X-Spam-" headers and no changes will be made
to the body.  In addition, a header named X-Spam-Report will
be added to spam.

I am currently reconfiguring SA, and have set report_safe to 0. Our
'required' score is 8, and I have also configured:

 clear_report_template
 report "Score=_SCORE_ tests=_TESTS_ autolearn=_AUTOLEARN_"

However, as far as I can tell, the X-Spam-Report header gets added to
ham mail as well as spam. For example:

   X-spam-report: Score=-6.9 
tests=BAYES_00,DCC_CHECK,RCVD_IN_DNSWL_HI autolearn=ham

(taken from a received message; line wrapped by me). I have no problem
with the header being added, and in fact that is what I wanted. However,
I am a bit confused because the man page says it should only be added
for spam mail.

Can someone clarify what is going on please. Is there anything I need to
do to the config to ensure that the above report is added to all mail
(despite it seeming to happen anyway)?



Thanks,

John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk   Fax: +44 (0)1752 587001


Re: New type of spam... (very curious)

2009-06-30 Thread Michelle Konzack
On 2009-06-30 07:06:37, rich...@buzzhost.co.uk wrote:
> Are you saying that ZEN caught it after SA processed it? Why are you not
> using ZEN in SA or at the SMTP stage?

Because it does not work...
My Mailserver does tons (the syslog of my DNS server is full of it) of
DNS checks but ZEN does not work...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
 Michelle Konzack
   c/o Vertriebsp. KabelBW
   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886                        Tel. FR: +33  6  61925193




Re: New type of spam... (very curious)

2009-06-30 Thread Michelle Konzack
On 2009-06-30 04:33:57, Benny Pedersen wrote:
> what ip ?

[michelle.konz...@michelle1:~] host 224.118.146.174.zen.spamhaus.org
224.118.146.174.zen.spamhaus.org has address 127.0.0.11

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
 Michelle Konzack
   c/o Vertriebsp. KabelBW
   Blumenstrasse 2
Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
ICQ #328449886                        Tel. FR: +33  6  61925193




Re: New type of spam... (very curious)

2009-06-30 Thread RW
On Tue, 30 Jun 2009 09:10:36 +0200
Matus UHLAR - fantomas wrote:

> On 30.06.09 07:06, rich...@buzzhost.co.uk wrote:
> > Are you saying that ZEN caught it after SA processed it? Why are
> > you not using ZEN in SA or at the SMTP stage?
> 
> She apparently does not have control over 69.43.203.202, which is not
> listed, but 174.146.118.224 is. 69.43.203.202 is apparently in her
> internal_networks because 174.146.118.224 is listed in the PBL which
> is checked only on internal network boundary...

And note also that it was authenticated, it was a mail submission, so
PBL should not have been run against it.


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
On 2009-06-30 13:50:09, Yet Another Ninja wrote:
> See RegistrarBoundaries.pm in SA source and
> http://www.rulesemporium.com/rules/90_2tld.cf

I know this list, but these are only domains where you can get a
3rd level domain like on as

http://tamay.dogan.free.fr/

which was created by me a long time ago and never updated/deleted...  :-P

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947Blumenstasse 2 MSN LinuxMichi
+33/6/61925193 77694 Kehl/Germany IRC #Debian (irc.icq.com)




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin

On Tue, 30 Jun 2009, John Wilcock wrote:

> On 30/06/2009 17:16, John Hardin wrote:
>>> ... looking at the www peter got an impression of ...
>>> (-> www.peter.got?)
>>
>> TLDs are limited and prevent FPs of that particular nature.
>
> Sure, but there are lots of ccTLDs that could be confused with English
> words, never mind other languages.
>
> Do you really want SpamAssassin to do URIBL lookups for invented.by
> (Belarus) for a sentence like "The www, invented by Tim Berners-Lee,
> ...", or billy.jo (Jordan) for "On the www, Billy-Jo can be heard..."?
> The processing overhead would be enormous.

I agree that a very general URI deobfuscation rule will be both expensive
and FP-prone. I was commenting on the particular case of
www.something.somethingelse, that while FPs can occur, the possible values
for somethingelse make it less likely than that example suggested - but
looking for obfuscated URIs having two-letter TLDs make FPs a lot more
likely.

I think the existing rule is good; perhaps extending the \w repetition a
bit so that it would match longer obfuscated domains like
"eshopping123.com" or "yourdrugstore999.net"


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #9: Accuracy is relative: most combat
  shooting standards will be more dependent on "pucker factor" than
  the inherent accuracy of the gun.
---
 4 days until the 233rd anniversary of the Declaration of Independence
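
Added example, and not the rule Jan and John are discussing (that rule is
not shown in this thread): one way to write the "www <sep> label <sep> tld"
deobfuscation in Python so the TLD filter and the ccTLD trade-off can be
tried on the sentences from this sub-thread. The TLD sets are a hand-picked
assumption standing in for the full IANA list or SA's RegistrarBoundaries
data, the 40-character label is the "extend the \w repetition" suggestion,
and the optional `exists` callback is where Mike's cached NS lookup would
plug in.

```python
import re
from typing import Callable, List, Optional

# Hand-picked TLD subsets (assumption: a real rule would use the full IANA
# list or SA's RegistrarBoundaries data). Two-letter TLDs are country codes,
# which is where the "invented by" / "Billy-Jo" false positives come from.
GTLDS = {"com", "net", "org", "info", "biz"}
CCTLDS = {"by", "jo", "uk", "de", "fr"}

# "www", a separator, a label, a separator, a TLD. The separator class is
# whatever a spammer might type instead of a dot; the label allows up to 40
# word characters so longer names like "eshopping123" still match.
OBFUSCATED_WWW = re.compile(
    r"\bwww[\s.,_-]+([a-z0-9]{2,40})[\s.,_-]+([a-z]{2,6})\b",
    re.IGNORECASE,
)


def obfuscated_domains(text: str, allow_cctld: bool = False,
                       exists: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Return candidate domains hidden as 'www <label> <tld>' in text.

    allow_cctld: also accept two-letter country-code TLDs (more catches,
    more false positives). exists: optional callback, e.g. a cached NS
    lookup, consulted before a candidate is reported.
    """
    accepted = GTLDS | (CCTLDS if allow_cctld else set())
    found: List[str] = []
    for label, tld in OBFUSCATED_WWW.findall(text):
        domain = f"{label}.{tld}".lower()
        if tld.lower() not in accepted:
            continue                      # "www peter got": "got" is not a TLD
        if exists is not None and not exists(domain):
            continue                      # this is where the DNS existence check goes
        found.append(domain)
    return found


if __name__ == "__main__":
    for s in ("Visit www shop12 net for great deals",
              "looking at the www peter got an impression of",
              "The www, invented by Tim Berners-Lee, changed everything"):
        print(repr(s), "->", obfuscated_domains(s), obfuscated_domains(s, allow_cctld=True))
```

With gTLDs only, "www peter got" and "www, invented by" both drop out and
"www shop12 net" survives; switch ccTLDs on and "invented.by" comes back as
a candidate, which is exactly the false positive John Wilcock describes, so
that mode needs the existence lookup (and a cache) in front of any URIBL
query.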

Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Mike Cardwell

John Wilcock wrote:

>>> ... looking at the www peter got an impression of ...
>>> (-> www.peter.got?)
>>
>> TLDs are limited and prevent FPs of that particular nature.
>
> Sure, but there are lots of ccTLDs that could be confused with English
> words, never mind other languages.
>
> Do you really want SpamAssassin to do URIBL lookups for invented.by
> (Belarus) for a sentence like "The www, invented by Tim Berners-Lee,
> ...", or billy.jo (Jordan) for "On the www, Billy-Jo can be heard..."?
>
> The processing overhead would be enormous.

I'd suggest performing your own dns lookups against the domain first to
make sure it's valid, before doing the uribl lookup. Eg:


m...@haven:~$ host -t ns invented.by
invented.by does not exist, try again
m...@haven:~$

You'd also want to cache your results. This conversation however is 
pointless. Why not just try it and see how well it works.


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Wilcock

On 30/06/2009 17:16, John Hardin wrote:

>>    ... looking at the www peter got an impression of ...
>>    (-> www.peter.got?)
>
> TLDs are limited and prevent FPs of that particular nature.

Sure, but there are lots of ccTLDs that could be confused with English
words, never mind other languages.

Do you really want SpamAssassin to do URIBL lookups for invented.by
(Belarus) for a sentence like "The www, invented by Tim Berners-Lee,
...", or billy.jo (Jordan) for "On the www, Billy-Jo can be heard..."?

The processing overhead would be enormous.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread John Hardin

On Tue, 30 Jun 2009, Jan P. Kessler wrote:

> Martin Gregorie wrote:
>
>>> ... digging through the WWW HE SAW this link ...
>>
>> Both IMO should be caught and given a positive score. I've never seen
>> legitimate mail containing URLs written this way.
>
> Maybe I was not clear: The last one is NOT a URL. Do you really want to
> use the whole bunch of SA's URI tests against sentences like:
>
>    ... looking at the www peter got an impression of ...
>    (-> www.peter.got?)

TLDs are limited and prevent FPs of that particular nature.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #6: If you can choose what to bring to a
  gunfight, bring a long gun and a friend with a long gun.
---
 4 days until the 233rd anniversary of the Declaration of Independence


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
> So you want obfuscated urls to be recognised as urls but not treated as
> urls?
>
Of course. It's spam.

> If this is just for a few own pcre body rules, I'd suggest you to
> handle those de-obfuscations in your rules.
>
Guess what I'm doing.

> You can also publish your own plugin, if you think that it is worth to share.
>
It's not worth a plugin: one or two regexes and a meta catch it very
nicely.

> And how many calls will your receive for false positives? Maybe this
> depends on one's environment,
>
Metas that recognise context are the obvious way to avoid FPs. For
instance, anything received via a Sourceforge mailing list containing
recognisable medical or sex terms (obfuscated or not) and obfuscated
URLs can be canned as spam with a very high confidence level.

It's certainly site-specific, e.g., I've only ever seen the recent spate
of image spam (medical ads presented as images) arrive via Sourceforge
mailing lists, but that's far from a typical experience.


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Martin Gregorie wrote:
> What makes you think I'm using URI tests or that any of these would be
> recognised as a URI? My tests are simple body tests with {1,n} limits on
> repetitions to keep things under control.
>   

So you want obfuscated URLs to be recognised as URLs but not treated as
URLs? If this is just for a few of your own PCRE body rules, I'd suggest
you handle those de-obfuscations in your rules. You can also publish your
own plugin, if you think that it is worth sharing. But for most
environments these de-obfuscations will be too dangerous (imo) and too
easy to circumvent.


> what they want. What's the betting they'd even call their help desk to
> complain?
>   

And how many calls will you receive for false positives? Maybe this
depends on one's environment, but I'd prefer having a few non-tagged
spams than a bunch of FPs.

Anyway.. I don't want to argue here. I threw in my pennies and hope
the SA developers agree.

Cheers, Jan





Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
On Tue, 2009-06-30 at 13:14 +0200, Jan P. Kessler wrote:
> Martin Gregorie wrote:
> >> ... go to WWW EVIL ORG for new meds ...
> >>
> >> and
> >>
> >> ... digging through the WWW HE SAW this link ...
> >>
> > Both IMO should be caught and given a positive score. I've never seen
> > legitimate mail containing URLs written this way.
> 
> Maybe I was not clear: The last one is NOT a URL. Do you really want to
> use the whole bunch of SA's URI tests against sentences like:
> 
What makes you think I'm using URI tests or that any of these would be
recognised as a URI? My tests are simple body tests with {1,n} limits on
repetitions to keep things under control.

> And again: What about urls that do not start with www?
>
So far, all the munged URLs I've seen have started with www. If that
changes the rules can be easily extended, but IMO it's unlikely to change
since the punters are being invited to 'repair' something they are
intended to recognise as a web address.

> Which characters
> should be examined for obfuscation ([ ,;:|?!=])?
>
So far, only space, tab and stop have been used. On the face of it, no
more are likely. The target audience must be pretty thick if they actually
'repair' these URLs before cutting and pasting into the browser's search
box, so my guess is that said target audience would either not recognise
further obfuscation as a URL or they would retain any other
non-whitespace characters and then wonder why their browser won't do
what they want. What's the betting they'd even call their help desk to
complain?


Martin




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Yet Another Ninja

On 6/30/2009 1:18 PM, Michelle Konzack wrote:

> On 2009-06-30 12:30:14, Jan P. Kessler wrote:
>
>> How would you distinguish between
>>
>> ... go to WWW EVIL ORG for new meds ...
>>
>> and
>>
>> ... digging through the WWW HE SAW this link ...
>>
>> to prevent SA trying to look up www.he.saw?
>
> Is SAW a valid TOPLEVEL domain?
>
> SA could use a list of valid TLD's.


See RegistrarBoundaries.pm in SA source and
http://www.rulesemporium.com/rules/90_2tld.cf


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Michelle Konzack wrote:
> Is SAW a valid TOPLEVEL domain?
>
> SA could use a list of valid TLD's.
>   

Ok, let's change that (do not forget that there's more than .com)

the www seems to become the primary source of information these days
(->www.seems.to?)

And I think we agree, that it would be very 'expensive' to check all
possible triplets against the whole list of TLDs (or even impossible if
you consider subdomains).




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
On 2009-06-30 11:58:20, Martin Gregorie wrote:
> > http:// meds spammer org
> > 
> That should be scored positive too, for the same reason.

And in my org this should not happen...

 is a valid domain FOR SALE.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW   ICQ #328449886
+49/177/9351947    Blumenstasse 2             MSN LinuxMichi
+33/6/61925193     77694 Kehl/Germany         IRC #Debian (irc.icq.com)




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Michelle Konzack
On 2009-06-30 12:30:14, Jan P. Kessler wrote:
> How would you distinguish between
> 
> ... go to WWW EVIL ORG for new meds ...
> 
> and
> 
> ... digging through the WWW HE SAW this link ...
> 
> to prevent SA trying to look up www.he.saw?

Is SAW a valid TOPLEVEL domain?

SA could use a list of valid TLD's.

> And what about URLs that don't start with WWW, like
> 
> http:// meds spammer org

and what about:

   meds . for . cheap com

(several subdomains)

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
25.9V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   c/o Shared Office KabelBW   ICQ #328449886
+49/177/9351947    Blumenstasse 2             MSN LinuxMichi
+33/6/61925193     77694 Kehl/Germany         IRC #Debian (irc.icq.com)




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Martin Gregorie wrote:
>> ... go to WWW EVIL ORG for new meds ...
>>
>> and
>>
>> ... digging through the WWW HE SAW this link ...
>>
> Both IMO should be caught and given a positive score. I've never seen
> legitimate mail containing URLs written this way.

Maybe I was not clear: The last one is NOT a URL. Do you really want to
use the whole bunch of SA's URI tests against sentences like:

... looking at the www peter got an impression of ...
(-> www.peter.got?)


And again: What about URLs that do not start with www? Which characters
should be examined for obfuscation ([ ,;:|?!=])? How many of them in
sequence should be examined? If SA tries to de-obfuscate each possible
triplet, you won't have enough computing power and you will be bombarded
with false-positives. If you really want that, you can write your own
rules but this is (by far) too dangerous for the standard SA
distribution (imo).




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Martin Gregorie
> ... go to WWW EVIL ORG for new meds ...
> 
> and
> 
> ... digging through the WWW HE SAW this link ...
> 
Both IMO should be caught and given a positive score. I've never seen
legitimate mail containing URLs written this way.

> And what about URLs that don't start with WWW, like
> 
> http:// meds spammer org
> 
That should be scored positive too, for the same reason.

I'm giving such munged URLs a score of 1.0. In addition I use metas to
give the score a boost if they appear on a technical mail list or in
combination with mis-spellings that are common in spam or words like
viagra.


Martin
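The filtering the thread argues over, as an added example that is not code from SpamAssassin or from any poster: it de-obfuscates "www evil org" style fragments with {1,n}-bounded patterns (Martin's body-rule approach), drops candidates whose last label is not a TLD (John Hardin's point), and, given a caller-supplied resolver plus a cache, drops names that do not resolve (Mike Cardwell's suggestion) before anything would be sent to a URIBL. The TLD subset, the word list, the scores and the offline demo_resolver are constructed stand-ins.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed TLD subset for this example (SpamAssassin ships the real list in
# RegistrarBoundaries.pm): "saw" and "got" are absent, "by" and "to" present.
VALID_TLDS = {"com", "net", "org", "info", "biz", "by", "jo", "to", "uk", "de"}
# Separators seen in the munged URLs (space, tab, stop) plus comma; every
# repetition is bounded with {1,n} so the pattern cannot run away on long text.
SEP, LABEL = r"[ \t.,]{1,3}", r"[a-z0-9-]{1,24}"
MUNGED = re.compile(r"(?:\bwww|https?://)(?:" + SEP + LABEL + r"){1,3}?"
                    + SEP + r"[a-z]{2,6}\b", re.IGNORECASE)
MEDS = re.compile(r"\b(viagra|meds|pharmacy)\b", re.I)   # constructed word list

def find_munged_urls(text: str) -> List[str]:
    """De-obfuscate 'www evil org' style fragments into 'www.evil.org'."""
    out = []
    for m in MUNGED.finditer(text):
        raw = m.group(0)
        if re.search(r"[ \t,]", raw):             # a dotted URL is not munged
            body = re.sub(r"^https?://", "", raw, flags=re.I)
            out.append(".".join(p for p in re.split(r"[ \t.,]+", body) if p).lower())
    return out

def confirmed_domains(text: str, resolver: Optional[Callable[[str], bool]] = None,
                      cache: Optional[Dict[str, bool]] = None) -> List[str]:
    """Keep candidates whose last label is a real TLD and, when a resolver is
    supplied, whose registrable name exists (one lookup per name, cached)."""
    cache = {} if cache is None else cache
    keep = []
    for dom in find_munged_urls(text):
        if dom.rsplit(".", 1)[-1] not in VALID_TLDS:
            continue                              # www.he.saw: no lookup at all
        name = dom[4:] if dom.startswith("www.") else dom
        if resolver is not None:
            if name not in cache:
                cache[name] = resolver(name)      # e.g. an NS query via dnspython
            if not cache[name]:
                continue                          # invented.by: NXDOMAIN, skip
        keep.append(dom)
    return keep

def munged_url_score(text: str, resolver=None) -> float:
    """1.0 per confirmed munged URL plus a meta-style 2.0 boost when spam
    vocabulary co-occurs; constructed weights, not a recommended scoring."""
    hits = confirmed_domains(text, resolver)
    return 0.0 if not hits else len(hits) + (2.0 if MEDS.search(text) else 0.0)

# Constructed stand-in for `host -t ns`: only these names "exist" offline.
def demo_resolver(name: str) -> bool:
    return name in {"evil.org", "meds.spammer.org"}
```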




Re: [NEW SPAM FLOOD] www.shopXX.net

2009-06-30 Thread Jan P. Kessler
Jason Haar wrote:
> All this talk about trying to catch urls that contain spaces/etc got me
> thinking: why isn't this a standard SA feature? i.e if SA sees
> "www(whitespace|comma|period)-combo(therest)", then rewrite it as the
> url and process.

How would you distinguish between

... go to WWW EVIL ORG for new meds ...

and

... digging through the WWW HE SAW this link ...

to prevent SA trying to look up www.he.saw?

And what about URLs that don't start with WWW, like

http:// meds spammer org



Re: RulesDuJour

2009-06-30 Thread Matus UHLAR - fantomas
> Anshul Chauhan wrote:
> > we have to copy KAM.cf  to /usr/share/spamassassin only for its
> > integration with spamassassin or something else is to done
> >
> > I'm using spamassassin-3.2.5-1.el4.rf on Centos4.7

On 30.06.09 02:11, Matt Kettler wrote:
> Any add-on rules should be placed in the same directory as your local.cf
> (ie: /etc/mail/spamassassin/ in most cases). SA reads *.cf from this
> directory, not just local.cf.
> 
> Adding files to /usr/share/spamassassin, or making changes to files
> present there, is not a good idea. When SpamAssassin gets upgraded, this
> whole directory will be nuked by the installer.

... and after the first sa-update, it won't even get used.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: New type of spam... (very curious)

2009-06-30 Thread Matus UHLAR - fantomas
> On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote:
> > For some seconds I have gotten this spam, which has passed my spamassassin
> > but was hit by a separate ZEN rule in procmail:
> > 
> > 
> > Return-Path: soria.h.steven...@gmail.com
> > X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
> > samba3.private.tamay-dogan.net
> > X-Spam-Level: *
> > X-Spam-Status: No, score=1.3 required=4.5 tests=BAYES_00,HTML_MESSAGE,
> > RDNS_NONE,SUBJECT_FUZZY_MEDS autolearn=no version=3.2.3
> > Delivered-To: linux4miche...@tamay-dogan.net
> > Received: from delta4.net ([:::69.43.203.202])
> > by vserver1.tamay-dogan.net with esmtp; Mon, 29 Jun 2009 19:33:36 +0200
> > id 2765.4A48FAF1.587B
> > Received: from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC)
> > by delta4.net (CommuniGate Pro SMTP 5.2.3)
> > with ESMTPA id 18578669 for linux4miche...@tamay-dogan.net; Mon, 29 Jun 
> > 2009 10:33:51 -0700

On 30.06.09 07:06, rich...@buzzhost.co.uk wrote:
> Are you saying that ZEN caught it after SA processed it? Why are you not
> using ZEN in SA or at the SMTP stage?

She apparently does not have control over 69.43.203.202, which is not
listed, but 174.146.118.224 is. 69.43.203.202 is apparently in her
internal_networks because 174.146.118.224 is listed in the PBL which is
checked only on internal network boundary...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901