How to stop weird From: crap?
Hello Experts,

For around 9 weeks I have been bombarded on my e-mail addresses linux4michelle and michelle.konzack with crappy From: spams. Here are some examples from my log:

[ '~/.tdtools-procmail/FLT_weird_From.hits' ]---
1275237458:DirectBuylW[P^h4TWXMQ_OOQUI W_:xsrsp7...@urimpute.com
1275237639:DirectBuylW[P^h4TWXMQ_OOQUI W_:xsrsp7...@urimpute.com
1275302108:medicalbillingandcodinghswczdgpstim[bkmhexs[6tonoc3...@bluegreencaliber.net
1275302370:AvandiaLawsuitInfovaNZh[, ^jkw[ryyd_soji-k]fza...@kitehearts.net
1275323102:CreditScorelW[P^h4TWXMQ_OOQUI W_:xsrsp7...@checkinitout.net
1275323757:petcarerxu`mygz=]ijvzqxxc^rnihcj...@pnd@rjpcentral.com
1275325548:petcarerxbmq]k^aamnzguegbvrml0n`hi]d...@thegiveup.com
1275326175:PetCareRxmXQ_i5UXYNR`PPRVJ]A`;ytstq...@youraries.com
1275335658:avandialawsuitinfocnr^u_bbno[hv]fhcwsnm1oaij^@iliveahealthylife.net
1275375900:directbuycnr^u_bbno[hv]fhcwsnm1oaij^@healthdaysfinder.com
1275387771:creditreportfquaxbenqr^ky`ikfcvqy4rdlma1...@tansprinter.net
1275403694:DirectBuyr]JVdn:z]gsw...@[obfe@gyxbv=...@carwarrantee.com
1275410979:homewarrantyhswczdgpstim[bkmhexs[6tonoc3...@coveragenation.com
1275417868:VideoGameDevelopmentdOS_V`CcOPIW^GIdATOn2PbJK_/v...@goodgrilledburgers.com
1275426567:gevaliaal...@`lmyft[[fauqlk/M_GH c...@checkinitout.net
1275429487:promo�...@visa.com.br
1275439307:promo�...@visa.com.br
1275451027:newbizopcnr^u_bbno[hv]fhcwsnm1oaij^@greenarnage.com
1275455097:creditreportept`wadmpq]jx_hjebupo3qckl`0...@newexistence.net
1275462916:CreditReportiTXd[eHQTUJN LLNiFYT 7upopd4...@aquamarineedge.net
1275472439:creditscoredirectept`wadmpq]jx_hjebupo3qckl`0...@theextrawarranty.com
1275475128:yourscoredirectqiucm9yfrvmttvznaed?fxwau...@petwant.com
1275476908:TheBarkOfflW[P^h4TWXMQ_OOQUI W_:xsrsp7...@whatcouldbe.net
1275509608:governmentqualifysbmq]k^aamnzguegbvrml0n`hi]d...@cafemeals.com
1275548240:PetMedslW[P^h4TWXMQ_OOQUI W_:xsrsp7...@greenyellowescalade.com
1275572290:stimulusgranthswczdgpstim[bkmhexs[6tonoc3...@thewarrantyonline.com
1275578089:governmentgrantept`wadmpq]jx_hjebupo3qckl`0...@soinsuranceonline.com
1275582313:carwarrantyal...@`lmyft[[fauqlk/M_GH c...@blueabbreviation.com
1275585678:accessiblehealthcareept`wadmpq]jx_hjebupo3qckl`0...@wintersbestdays.com
1275594582:ahswarrantykvzo]gjsvwlp^nnpth[v^9wrqro6...@myhealthnation.com
1275613695:vinylsidingcnr^u_bbno[hv]fhcwsnm1oaij^@mybonusagents.com
1275639172:speeddatecnr^u_bbno[hv]fhcwsnm1oaij^@clockschime.net
1275644760:Gevalias^KWeX;[^HTXOVVA PcGfAHZYCW, n...@sumextent.com
1275647721:creditreportjuynfiruvko]mmojgzu]8vqpqn...@pricelesscentral.com
1275650950:testersneededept`wadmpq]jx_hjebupo3qckl`0...@allweatherruns.net
1275659550:gevaliany]r`j6vycosaqqswk^bazutur9...@creditseed.com
1275694866:directbuyqiucm9yfrvmttvznaed?fxwau...@newbiznation.com
1275715853:u...@mozilla-xp.com/
1275720541:directbuyu`mygz=]ijvzqxxc^rnihcj...@pnd@kiddiessite.com
1275761867:Proactivs^KWeX;[^HTXOVVA PcGfAHZYCW, n...@allfauna.com
1275783508:TermFinderr]JVdn:z]gsw...@[obfe@gyxbv=...@credittidings.com
1275787826:storeperkst_lxfy_iuypwwb]qmhgbi[zdx?...@allweatherruns.net
1275789791:CreditCheckiTXd[eHQTUJN LLNiFYT 7upopd4...@passfitness.com
1275794906:ProactivvaNZh[, ^jkw[ryyd_soji-k]fza...@sumcoverage.com
1275847591:termfinderfquaxbenqr^ky`ikfcvqy4rdlma1...@couplesmove.com
1275849179:petcarerxkvzo]gjsvwlp^nnpth[v^9wrqro6...@justutravel.com
1275850724:Gevalias^KWeX;[^HTXOVVA PcGfAHZYCW, n...@oldbizs.com
1275850946:lasikvisionept`wadmpq]jx_hjebupo3qckl`0...@creditsevern.com
1275881546:taramediumfquaxbenqr^ky`ikfcvqy4rdlma1...@throwingtowels.com
1275917165:creditcheckqiucm9yfrvmttvznaed?fxwau...@superperez.com
1275919321:creditscorekvzo]gjsvwlp^nnpth[v^9wrqro6...@plaiceup.com
1275936123:creditcheckcnr^u_bbno[hv]fhcwsnm1oaij^@juicyus.com
1275952205:homewarranty101t_lxfy_iuypwwb]qmhgbi[zdx?...@oldoccupation.com
1275981622:homerepairsal...@`lmyft[[fauqlk/M_GH c...@shawlive.com
1275984211:seniorlifeinsurancemessagewbo[i?_klxeszze`tpkj.l^]g[b...@forestgreentaurus.net
1275984923:languageal...@`lmyft[[fauqlk/M_GH c...@maizetraverse.com
1276008001:HomeRepairlW[P^h4TWXMQ_OOQUI W_:xsrsp7...@superperez.com
1276019557:stimulusgrantfquaxbenqr^ky`ikfcvqy4rdlma1...@freshpersons.com
1276031387:AHSs^KWeX;[^HTXOVVA PcGfAHZYCW, n...@plaiceup.com
1276046981:stimulusgrantwbo[i?_klxeszze`tpkj.l^]g[b...@actualexample.com
1276051710:languagelearningept`wadmpq]jx_hjebupo3qckl`0...@twotimesdrier.com
1276069293:warrantyoptionshswczdgpstim[bkmhexs[6tonoc3...@thehappily.com
1276074153:creditreportjuynfiruvko]mmojgzu]8vqpqn...@newgrouping.com
1276094236:taramediumept`wadmpq]jx_hjebupo3qckl`0...@shockingpinksavana.net
1276105783:warrantyextensionjuynfiruvko]mmojgzu]8vqpqn...@novelbiz.com
1276108731:creditscoredirectu`mygz=]ijvzqxxc^rnihcj...@pnd@clearwrokn.com
1276121498:warrantyoptionsept`wadmpq]jx_hjebupo3qckl`0...@bluesus.com
1276136408:thebarkoffqiucm9yfrvmttvznaed?fxwau...@goldenrodexpedition.net
Re: How to stop weird From: crap?
On Sun, 2010-07-11 at 12:49 +0200, Michelle Konzack wrote:
> Hello Experts,
>
> For around 9 weeks I have been bombarded on my e-mail addresses
> linux4michelle and michelle.konzack with crappy From: spams. Here are
> some examples from my log:
>
> [garbled address samples snipped]
>
> but I want to do the scanning in spamassassin. Any suggestions and ideas?

Didn't have sufficient caffeine yet, and I am too lazy to go through that procmail logic in detail -- but looking at the samples, you want to identify junk chars in the From: header?

Well, what about a header From rule, maybe even limited to From:addr? Or some raw headers, like From:raw or even the hammer ALL pseudo header.

I assume the Envelope From doesn't look the same, does it? Otherwise, you could already have your MX reject them outright.

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Fwd: Indispensables pour vos vadrouilles…
On Sun, 2010-07-11 at 15:53 +0100, Cedric Knight wrote:
> [nothing but 3 spam samples attached]

Uhm, dude!? I hope that was an accidental address auto-completion.

Do NOT send spam samples to the list.
Re: Fwd: Indispensables pour vos vadrouilles?
On søn 11 jul 2010 17:04:02 CEST, Karsten Bräckelmann wrote
> Uhm, dude!? I hope that was an accidental address auto-completion.
>
> Do NOT send spam samples to the list.

spam? Here clamav sees it as a virus

-- 
xpoint
http://www.unicom.com/pw/reply-to-harmful.html
Re: How to stop weird From: crap?
Hello Karsten Bräckelmann,

On 2010-07-11 16:21:49, you hacked down the following:
> Didn't have sufficient caffeine yet, and I am too lazy to go through that
> procmail logic in detail -- but looking at the samples, you want to
> identify junk chars in the From: header?

Yes

> Well, what about a header From rule, maybe even limited to From:addr?
> Or some raw headers, like From:raw or even the hammer ALL pseudo header.

I have tried to write one but failed...

> I assume the Envelope From doesn't look the same, does it? Otherwise,
> you could already have your MX reject them outright.

I do not know WHO sent it, because there are no other headers like Sender: or Envelope-From: in the messages, and the courier logs show the same.

Currently I run the check on USER level, but I would like to do this check on SMTP level using amavis and spamassassin.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL               itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack                    Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz                         Kinzigstraße 17
67100 Strasbourg/France                   77694 Kehl/Germany
Tel: +33-6-61925193 mobil                 Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix
http://www.itsystems.tamay-dogan.net/     http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/        http://www.can4linux.org/
Jabber linux4miche...@jabber.ccc.de       ICQ#328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: Fwd: Indispensables pour vos vadrouilles?
On Sun, 2010-07-11 at 17:17 +0200, Benny Pedersen wrote:
> On søn 11 jul 2010 17:04:02 CEST, Karsten Bräckelmann wrote
> > Uhm, dude!? I hope that was an accidental address auto-completion.
> >
> > Do NOT send spam samples to the list.
>
> spam? Here clamav sees it as a virus

Yes, spam. If the included X-Spam headers are anything to go by. But you're free to eyeball the attached messages yourself.

No malware payload. Not a virus. One's a phish, though. Let me guess, clamav third-party signatures triggered on the URIs for you?

Anyway. The distinction between spam and phish was not my point. Neither was it, whether spammed URI clamav third-party signatures match on them just like URIBL and SURBL do.
Re: How to stop weird From: crap?
On Sun, 2010-07-11 at 17:35 +0200, Michelle Konzack wrote:
> > Didn't have sufficient caffeine yet, and I am too lazy to go through that
> > procmail logic in detail -- but looking at the samples, you want to
> > identify junk chars in the From: header?
>
> Yes
>
> > Well, what about a header From rule, maybe even limited to From:addr?
> > Or some raw headers, like From:raw or even the hammer ALL pseudo header.
>
> I have tried to write one but failed...

What about providing some raw From: headers then?
Re: How to stop weird From: crap?
On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> On Sun, 2010-07-11 at 17:35 +0200, Michelle Konzack wrote:
> > > Didn't have sufficient caffeine yet, and I am too lazy to go through that
> > > procmail logic in detail -- but looking at the samples, you want to
> > > identify junk chars in the From: header?
> >
> > Yes
> >
> > > Well, what about a header From rule, maybe even limited to From:addr?
> > > Or some raw headers, like From:raw or even the hammer ALL pseudo header.
> >
> > I have tried to write one but failed...
>
> What about providing some raw From: headers then?

+1

We need to see the headers.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Gun Control laws aren't enacted to control guns, they are enacted to control people: catholics (1500s), japanese peasants (1600s), blacks (1860s), italian immigrants (1911), the irish (1920s), jews (1930s), blacks (1960s), the poor (always)
---
5 days until the 65th anniversary of the dawn of the Atomic Age
Re: Strange log entries after OS upgrade
On 11.7.2010 5:40, Chris wrote:
> I upgraded to Mandriva 2010.1 yesterday. I was already running SA 3.3.0
> and AFAICT that didn't change. What did change are log entries. I'm now
> seeing entries like this:
>
> rhost=localhost,raddr=127.0.0.1,
> rport=/home/chris/.evolution/cache/tmp/spamd-socket-path-UHKUFV,mid=(unknown)
> spamd[10560]: spamd: identified spam (11.1/5.0) for chris:500 in 0.4 seconds, 19 bytes.
> Jul 10 20:41:26 localhost spamd[10560]: spamd: result: Y 11 - EMPTY_MESSAGE,L_MANY_STD_PROBS,MISSING_DATE,MISSING_HEADERS,MISSING_MID,
> MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,NO_RELAYS,SAGREY scantime=0.4,size=19,user=chris,uid=500,required_score=5.0,rhost=localhost,
> raddr=127.0.0.1,rport=/home/chris/.evolution/cache/tmp/spamd-socket-path-UHKUFV,
> mid=(unknown),autolearn=disabled,shortcircuit=no
>
> I can't even find the above message in my spam folder. I'm using
> Evolution 2.30.2 however I do not have the settings to use SA enabled in
> Evo as I run all incoming mail through procmail. I checked back through
> syslog entries prior to the upgrade and didn't see anything at all like
> the above
>
> rport=/home/chris/.evolution/cache/tmp/spamd-socket-path-UHKUFV
>
> Any ideas anyone?

This is clearly a Mandriva issue, not a SpamAssassin issue. There probably is some kind of Mandriva Users mailing list out there.

-- 
http://www.iki.fi/jarif/

I use PGP. If there is an incompatibility problem with your mail client, please contact me.

In the Spring, I have counted 136 different kinds of weather inside of 24 hours.
-- Mark Twain, on New England weather
Re: Strange log entries after OS upgrade
On Sun, 2010-07-11 at 19:57 +0300, Jari Fredriksson wrote:
> On 11.7.2010 5:40, Chris wrote:
> > I upgraded to Mandriva 2010.1 yesterday. I was already running SA 3.3.0
> > and AFAICT that didn't change. What did change are log entries. I'm now
> > seeing entries like this:
> >
> > rhost=localhost,raddr=127.0.0.1,
> > rport=/home/chris/.evolution/cache/tmp/spamd-socket-path-UHKUFV,mid=(unknown)
> > spamd[10560]: spamd: identified spam (11.1/5.0) for chris:500 in 0.4 seconds, 19 bytes.
> > Jul 10 20:41:26 localhost spamd[10560]: spamd: result: Y 11 - EMPTY_MESSAGE,L_MANY_STD_PROBS,MISSING_DATE,MISSING_HEADERS,MISSING_MID,
> > MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,NO_RELAYS,SAGREY scantime=0.4,size=19,user=chris,uid=500,required_score=5.0,rhost=localhost,
> > raddr=127.0.0.1,rport=/home/chris/.evolution/cache/tmp/spamd-socket-path-UHKUFV,
> > mid=(unknown),autolearn=disabled,shortcircuit=no
> >
> > I can't even find the above message in my spam folder. I'm using
> > Evolution 2.30.2 however I do not have the settings to use SA enabled in
> > Evo as I run all incoming mail through procmail. I checked back through
> > syslog entries prior to the upgrade and didn't see anything at all like
> > the above
> >
> > rport=/home/chris/.evolution/cache/tmp/spamd-socket-path-UHKUFV
> >
> > Any ideas anyone?
>
> This is clearly a Mandriva issue, not a SpamAssassin issue. There
> probably is some kind of Mandriva Users mailing list out there.

I figured as much Jari, however wanted to make sure. Thanks

-- 
Chris
KeyID 0xE372A7DA98E6705C
Re: Fwd: Indispensables pour vos vadrouilles?
On søn 11 jul 2010 17:38:33 CEST, Karsten Bräckelmann wrote
> No malware payload. Not a virus. One's a phish, though. Let me guess,
> clamav third-party signatures triggered on the URIs for you?

using safebrowsing sigs from google

> Anyway. The distinction between spam and phish was not my point. Neither
> was it, whether spammed URI clamav third-party signatures match on them
> just like URIBL and SURBL do.

as received

X-Amavis-Alert: INFECTED, message contains virus: Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net

ripmime -i msg -d .
clamscan
/tmp/extracted: Sanesecurity.Junk.31113.UNOFFICIAL FOUND

spamassassin -t msg#

1:
 1.7 URIBL_WS_SURBL             Contains an URL listed in the WS SURBL blocklist
                                [URIs: sotudil.com]
 1.7 BAD_ENC_HEADER             Message has bad MIME encoding in the header
 1.8 RCVD_IN_HOSTKARMA_BL       RBL: HostKarma: relay in black list
                                [193.95.97.13 listed in hostkarma.junkemailfilter.com]
 1.6 RCVD_IN_BRBL_LASTEXT       RBL: RCVD_IN_BRBL_LASTEXT
                                [193.95.97.13 listed in bb.barracudacentral.org]
 0.0 FREEMAIL_FROM              Sender email is freemail (ziedoos_2013[at]gmail.com)
 0.7 SPF_NEUTRAL                SPF: sender does not match SPF record (neutral)
 1.5 FROM_NOT_EQUAL_RETURN      From: does not match Return-Path:
 2.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit
                                (ziedoos_2013[at]gmail.com)
 0.8 HTML_IMAGE_RATIO_02        BODY: HTML has a low ratio of text to image area
 0.0 MIME_HTML_MOSTLY           BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE               BODY: HTML included in message
 0.7 MPART_ALT_DIFF             BODY: HTML and text parts are different
 0.0 MIME_QP_LONG_LINE          RAW: Quoted-printable line longer than 76 chars
 1.8 SAGREY                     Adds score to spam from first-time senders
 0.8 FROM_EQUAL_REPLYTO         unneeded reply to set to same as sender
 2.0 KHOP_DNSBL_BUMP            Hits a trusted non-overlapping DNSBL
 1.5 URI_NOT_WHITELISTED        Meta: URI found but none are WHITE

2:
-0.0 GREY_LISTED_LOCAL          URI's listed in localhost [URIs: hsbc.co.uk]
 0.5 RELAY_FR                   Relayed through France
 1.8 RCVD_IN_HOSTKARMA_BL       RBL: HostKarma: relay in black list
                                [91.121.209.115 listed in hostkarma.junkemailfilter.com]
-0.0 URIBL_WHITE                Contains an URL listed in the URIBL whitelist
                                [URIs: hsbc.co.uk]
 0.8 DKIM_ADSP_NXDOMAIN         No valid author signature and domain not in DNS
 1.5 FROM_NOT_EQUAL_RETURN      From: does not match Return-Path:
 0.7 HTML_IMAGE_ONLY_20         BODY: HTML: images with 1600-2000 bytes of words
 0.0 HTML_MESSAGE               BODY: HTML included in message
 1.1 MIME_HTML_ONLY             BODY: Message only has text/html MIME parts
 0.5 RCVD_IN_NIX_SPAM           RBL: Received via a relay in NiX Spam (heise.de)
                                [91.121.209.115 listed in ix.dnsbl.manitu.net]
 1.6 RCVD_IN_BRBL_LASTEXT       RBL: RCVD_IN_BRBL_LASTEXT
                                [91.121.209.115 listed in bb.barracudacentral.org]
 1.8 SAGREY                     Adds score to spam from first-time senders
 0.6 HTML_MIME_NO_HTML_TAG      HTML-only message, but there is no HTML tag
 2.0 KHOP_DNSBL_BUMP            Hits a trusted non-overlapping DNSBL

3:
 0.0 RCVD_IN_SORBS_DUL          RBL: SORBS: sent directly from dynamic IP address
                                [77.182.175.192 listed in dnsbl.sorbs.net]
 1.7 URIBL_WS_SURBL             Contains an URL listed in the WS SURBL blocklist
                                [URIs: worthmoreestelia.com]
 2.7 RCVD_IN_PSBL               RBL: Received via a relay in PSBL
                                [77.182.175.192 listed in psbl.surriel.com]
 0.8 RCVD_IN_SEMBLACK           RBL: Received from an IP listed by SEM-BLACK
                                [77.182.175.192 listed in bl.spameatingmonkey.net]
 0.5 RCVD_IN_NIX_SPAM           RBL: Received via a relay in NiX Spam (heise.de)
                                [77.182.175.192 listed in ix.dnsbl.manitu.net]
 1.3 RCVD_IN_RP_RNBL            RBL: Relay in RNBL, https://senderscore.org/blacklistlookup/
                                [77.182.175.192 listed in bl.score.senderscore.com]
 1.8 RCVD_IN_HOSTKARMA_BL       RBL: HostKarma: relay in black list
                                [77.182.175.192 listed in hostkarma.junkemailfilter.com]
 0.7 RCVD_IN_XBL                RBL: Received via a relay in Spamhaus XBL
                                [77.182.175.192 listed in zen.spamhaus.org]
 3.6 RCVD_IN_PBL                RBL: Received via a relay in Spamhaus PBL
 2.5 BADRELAY                   Relay looks like dynamic/dialup/bot
-0.0 FROM_IN_TO                 From: does match To:
 0.7 LOCALPART_IN_SUBJECT       Local part of To: address appears in Subject
 1.6 RCVD_IN_BRBL_LASTEXT       RBL: RCVD_IN_BRBL_LASTEXT
                                [77.182.175.192 listed in bb.barracudacentral.org]
 0.0 HTML_MESSAGE
Re: Fwd: Indispensables pour vos vadrouilles?
On Sun, 2010-07-11 at 19:50 +0200, Benny Pedersen wrote:
> On søn 11 jul 2010 17:38:33 CEST, Karsten Bräckelmann wrote
> > Anyway. The distinction between spam and phish was not my point. Neither
> > was it, whether spammed URI clamav third-party signatures match on them
> > just like URIBL and SURBL do.
>
> as received
>
> X-Amavis-Alert: INFECTED, message contains virus: Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net

Benny, your point is?

Anyway, I was wearing my moderator hat when I initially told the OP about his mistake. There was no invitation to argue about a non-issue. And I really don't think this sub-thread is worth pursuing further.

guenther -- one of the list moderators
Re: How to stop weird From: crap?
Hello John Hardin,

On 2010-07-11 08:57:39, you hacked down the following:
> On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> > What about providing some raw From: headers then?
>
> +1
>
> We need to see the headers.

Cut the serial number at the beginning up to the first : and you have it. The From: E-Mails are exactly as shown.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: How to stop weird From: crap?
Hello John Hardin,

On 2010-07-11 08:57:39, you hacked down the following:
> On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> > What about providing some raw From: headers then?
>
> +1
>
> We need to see the headers.

[ STDIN ]---
From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
Return-Path: coupond...@perezcentral.com
Delivered-To: linux4miche...@tamay-dogan.net
Received: from erona.perezcentral.com (erona.perezcentral.com [:::72.34.111.198])
    by mail.tamay-dogan.net with esmtp; Sun, 11 Jul 2010 17:21:14 +0200
    id 0002BDA9.4C39E16B.1A98
To: linux4miche...@tamay-dogan.net
Date: Sun, 11 Jul 2010 08:20:47 -0700
From: Coupon Dept. CouponDeptdOS_V`CcOP IW^GIdATOn2PbJK_/v...@perezcentral.com
Subject: Your Complimentary Coupons
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: pine.lnx.4.31.030101.9935055.8720-1278861...@mail.perezcentral.com
X-TDTools-Procmail: FILTER=FLT_weird_from, TLIST=FLT_weird_from, WLIST=FLT_weird_from, COUNT=3
snip

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: How to stop weird From: crap?
On 11/07/10 23:06, Michelle Konzack wrote:
> Hello John Hardin,
>
> On 2010-07-11 08:57:39, you hacked down the following:
> > On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> > > What about providing some raw From: headers then?
> >
> > +1
> >
> > We need to see the headers.
>
> [ STDIN ]---
> From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
> Return-Path: coupond...@perezcentral.com
> Delivered-To: linux4miche...@tamay-dogan.net
> Received: from erona.perezcentral.com (erona.perezcentral.com [:::72.34.111.198])
>     by mail.tamay-dogan.net with esmtp; Sun, 11 Jul 2010 17:21:14 +0200
>     id 0002BDA9.4C39E16B.1A98
> To: linux4miche...@tamay-dogan.net
> Date: Sun, 11 Jul 2010 08:20:47 -0700
> From: Coupon Dept. CouponDeptdOS_V`CcOP IW^GIdATOn2PbJK_/v...@perezcentral.com
> Subject: Your Complimentary Coupons
> Mime-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> Message-ID: pine.lnx.4.31.030101.9935055.8720-1278861...@mail.perezcentral.com
> X-TDTools-Procmail: FILTER=FLT_weird_from, TLIST=FLT_weird_from, WLIST=FLT_weird_from, COUNT=3
> snip
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack

For me, that would be caught by dbl.spamhaus.org as a blacklisted sender domain during the smtp connection.

$ nslookup perezcentral.com.dbl.spamhaus.org
Non-authoritative answer:
Name:    perezcentral.com.dbl.spamhaus.org
Address: 127.0.1.2

For example, in postfix add to smtpd_*_restrictions:

reject_rhsbl_sender dbl.spamhaus.org

You can also check the helo and client against dbl.spamhaus.org

reject_rhsbl_helo dbl.spamhaus.org
reject_rhsbl_client dbl.spamhaus.org

Ref: http://www.spamhaus.org/dbl/
Re: How to stop weird From: crap?
On Sun, 2010-07-11 at 23:59 +0200, Michelle Konzack wrote:
> > On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> > > What about providing some raw From: headers then?
>
> Cut the serial number at the beginning up to the first : and you have
> it. The From: E-Mails are exactly as shown.

Nope. They are missing the left angle bracket, while the trailing right one is shown. Moreover, they don't show any real-name part, if any. Thus we cannot be sure how From, and in particular From:addr, parses these.

Hence me asking for RAW samples.
Re: How to stop weird From: crap?
On Mon, 2010-07-12 at 00:06 +0200, Michelle Konzack wrote:
> > On Sun, 11 Jul 2010, Karsten Bräckelmann wrote:
> > > What about providing some raw From: headers then?

> From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
> Return-Path: coupond...@perezcentral.com

Err, didn't you say you don't have the Envelope From, and your MTA shows the same as the mangled From: headers?

> From: Coupon Dept. CouponDeptdOS_V`CcOP IW^GIdATOn2PbJK_/v...@perezcentral.com

  header FOO From:addr =~ m~[/ ]~

Works for me. Just a minimal example rule, in particular leaving out the pesky backtick, confusing bash parsing the ad-hoc test rule. ;)

  spamassassin -D --cf='header FOO From:addr =~ m~.+~'

shows that From:addr contains the entire string contained in the angle brackets. I wonder where your problems were writing the rule.

Debugging and ad-hoc rule development hint: See the --cf option as used above. Together with -D, SA will report the matching substring. Then, just craft a bare-minimum mail message, containing the stuff you want to trigger on. Generally, looks like this. Optionally use --cf to disable AWL and Bayes respectively.

  echo "From: ...\n\n" | spamassassin -D

Hmm, writing this post took much longer than writing the rule... ;)

guenther
Re: How to stop weird From: crap?
On Mon, 12 Jul 2010, Michelle Konzack wrote:
> [ STDIN ]---
> From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
> Return-Path: coupond...@perezcentral.com
> Delivered-To: linux4miche...@tamay-dogan.net
> Received: from erona.perezcentral.com (erona.perezcentral.com [:::72.34.111.198])
>     by mail.tamay-dogan.net with esmtp; Sun, 11 Jul 2010 17:21:14 +0200
>     id 0002BDA9.4C39E16B.1A98
> To: linux4miche...@tamay-dogan.net
> Date: Sun, 11 Jul 2010 08:20:47 -0700
> From: Coupon Dept. CouponDeptdOS_V`CcOP IW^GIdATOn2PbJK_/v...@perezcentral.com
> Subject: Your Complimentary Coupons
> Mime-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> Message-ID: pine.lnx.4.31.030101.9935055.8720-1278861...@mail.perezcentral.com
> X-TDTools-Procmail: FILTER=FLT_weird_from, TLIST=FLT_weird_from, WLIST=FLT_weird_from, COUNT=3
> snip

Rough first pass SA rule:

header   T_FROM_CRAP1 From:addr =~ /[`\^:\]\[,?/]/
describe T_FROM_CRAP1 characters we should not see in real from address
score    T_FROM_CRAP1 0.1

header   T_FROM_CRAP2 From:addr =~ /[...@]*\@[...@]*\@/
describe T_FROM_CRAP2 Real from address should not contain more than one @
score    T_FROM_CRAP2 0.1

Untested. Warning could cause false positives. Some of those characters -could- be used in legit addresses (EG X400 uses '/') but that's rare. Test and adjust according to your mail environment.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
Re: How to stop weird From: crap?
On Sun, 2010-07-11 at 18:22 -0500, Dave Funk wrote:
> Rough first pass SA rule:
>
> header T_FROM_CRAP1 From:addr =~ /[`\^:\]\[,?/]/
                                   ^           ^ ^

Breaks. You either need to backslash escape the slash inside the RE, or use alternative match-operator delimiters like m~pattern~. :)
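The rules discussed in this sub-thread (Dave's two first-pass rules and Karsten's minimal m~[/ ]~ test rule) run over a handful of From: headers, as an added example that is not code from the thread, from SpamAssassin or from any of the posters. It assumes a simplified stand-in for SpamAssassin's From:addr pseudo-header (the text inside the last pair of angle brackets, otherwise the whole header value); the sample headers and their domains (spam.example, x400.example) are constructed for this example, and the T_FROM_CRAP2 pattern is written out as "two @ signs" because the archive mangled the posted one. It also includes an X.400-style address, which shows the false positive Dave warned about.

```python
import re

# Rough stand-in for SpamAssassin's From:addr pseudo-header: the text inside
# the last pair of angle brackets, or the whole value when there are none.
# This is a simplification written for this example, not SA's own parser.
ANGLE_ADDR = re.compile(r"<([^>]*)>")


def from_addr(header_value):
    found = ANGLE_ADDR.findall(header_value)
    return (found[-1] if found else header_value).strip()


# (name, pattern, score): Dave Funk's two first-pass rules plus Karsten's
# minimal m~[/ ]~ test rule. Python's re has no /.../ delimiters, so the
# unescaped '/' that breaks the SA version of T_FROM_CRAP1 is harmless here;
# in an SA .cf file write m~...~ or escape it as \/. The T_FROM_CRAP2
# pattern is spelled out as "two @ signs" (the posted one was mangled).
RULES = [
    ("T_FROM_CRAP1", re.compile(r"[`\^:\]\[,?/]"), 0.1),
    ("T_FROM_CRAP2", re.compile(r"[^@]*@[^@]*@"), 0.1),
    ("FOO_MINIMAL", re.compile(r"[/ ]"), 0.1),
]


def check_from(header_value):
    """Return (addr, names of rules that hit, total score) for one From: value."""
    addr = from_addr(header_value)
    hits = [name for name, rx, _ in RULES if rx.search(addr)]
    score = round(sum(s for name, _, s in RULES if name in hits), 2)
    return addr, hits, score


# Constructed sample headers (not the thread's own, which the archive mangled).
# The first two imitate the junk-character pattern Michelle reported; the
# X.400-style one is legitimate syntax that the '/' check flags anyway.
SAMPLES = {
    "junk_with_space_and_slash":
        '"Coupon Dept." <CouponDeptdOS_V`CcOP IW^GIdATOn2PbJK_/v@spam.example>',
    "junk_with_two_at":
        "<petcarerxu`mygz=]ijvzqxxc^rnihcj@pnd@spam.example>",
    "plain": "Alice Example <alice.example@example.org>",
    "no_angle_brackets": "bob@example.org",
    "x400_style": '<"/G=Alice/S=Example/"@x400.example>',
}


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        addr, hits, score = check_from(value)
        print("%-26s %4.1f  %-30s %s" % (label, score, hits, addr))
```

Running the block shows why Dave kept the scores at 0.1 for a first pass: the two junk samples each trip two rules, the plain addresses trip none, and the X.400-style address trips T_FROM_CRAP1 and the minimal rule purely because of the slashes. A deployed version would raise the score only after checking the rule against the local ham corpus, as Dave suggests.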
Re: How to stop weird From: crap?
Hello Ned Slider,

On 2010-07-11 23:38:50, you hacked down the following:
> For me, that would be caught by dbl.spamhaus.org as a blacklisted sender
> domain during the smtp connection.

Is this not included in zen?

> $ nslookup perezcentral.com.dbl.spamhaus.org
> Non-authoritative answer:
> Name:    perezcentral.com.dbl.spamhaus.org
> Address: 127.0.1.2
>
> For example, in postfix add to smtpd_*_restrictions:
>
> reject_rhsbl_sender dbl.spamhaus.org
>
> You can also check the helo and client against dbl.spamhaus.org
>
> reject_rhsbl_helo dbl.spamhaus.org
> reject_rhsbl_client dbl.spamhaus.org

OK added, I will wait for the next crap coming in...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: How to stop weird From: crap?
On Mon, 2010-07-12 at 01:37 +0200, Michelle Konzack wrote:
> > For me, that would be caught by dbl.spamhaus.org as a blacklisted sender
> > domain during the smtp connection.
>
> Is this not included in zen?

ZEN lists the handing-over IP (XBL, PBL) or any Received IP for deep-parsing (SBL). This is not the same as an RHSBL, neither applies at all to any domain part.

What you snipped was the reference link to DBL, given by Ned. Which coincidentally should explain DBL, a recent Spamhaus addition...
Re: How to stop weird From: crap?
On 12/07/10 00:37, Michelle Konzack wrote:
> Hello Ned Slider,
>
> On 2010-07-11 23:38:50, you hacked down the following:
> > For me, that would be caught by dbl.spamhaus.org as a blacklisted sender
> > domain during the smtp connection.
>
> Is this not included in zen?

No, it's a separate list purely for domains, not IPs. SpamAssassin 3.3.1 does add support to query dbl.spamhaus.org, but I think it only queries it for URIs.

To quote Spamhaus:

"The DBL is both a domain URI Blocklist and RHSBL. It is intended primarily for message body URI checks but it can additionally be used for connection checks at the SMTP level and header domain checks (HELO, connecting IP rDNS domain, From Reply-To domains, Message-ID domain) and other checks involving domains."

I'm seeing hits against sender domains in dbl.spamhaus.org for IP addresses that aren't yet listed on zen so querying at the smtp level in addition to zen is beneficial.

But as we know, defence in depth, so not to detract from the rules Karsten and others are assisting with elsewhere in this thread :-)
Re: How to stop weird From: crap?
On Mon, 2010-07-12 at 00:52 +0100, Ned Slider wrote:
> On 12/07/10 00:37, Michelle Konzack wrote:
> > > For me, that would be caught by dbl.spamhaus.org as a blacklisted sender
> > > domain during the smtp connection.
> >
> > Is this not included in zen?
>
> No, it's a separate list purely for domains, not IPs. SpamAssassin 3.3.1
> does add support to query dbl.spamhaus.org, but I think it only queries
> it for URIs.

Indeed. And the latter is exactly the reason, why adding support for Spamhaus DBL was a heavy-weight change for a micro release.

> I'm seeing hits against sender domains in dbl.spamhaus.org for IP
> addresses that aren't yet listed on zen so querying at the smtp level in
> addition to zen is beneficial.

Just to clarify -- while this is not incorrect, even though the "yet" might be debatable [1], it easily can be confusing. The "sender domain" and "IP address" in the previous sentence are not related. Other than referring to the same spam message.

DBL does not list IPs. Do NOT query DBL for IPs. Never. You will get false positives.

guenther

[1] PBL is highly unlikely to expand due to spam outbreaks. XBL might, if the machine is malware infected. SBL of course might, but they list IPs of pure evil only, suitable for deep-parsing.
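A small lookup helper that keeps the DBL/ZEN distinction from this sub-thread straight, as an added example that is not code from the thread, from Spamhaus or from Postfix: domain-based (RHSBL) queries are built as domain.dbl.spamhaus.org, exactly as in Ned's nslookup, and refused outright for IP literals; IP-based queries are built with reversed octets under zen.spamhaus.org. The resolver is injectable so the check runs offline against a fake answer; the addresses, domains and the fake answer are constructed for this example, and 127.0.1.2 is read as "spam domain" only because that is the return code shown in Ned's post, while other 127.0.1.x codes are reported generically.

```python
import ipaddress
import socket

DBL_ZONE = "dbl.spamhaus.org"   # domain-based list (RHSBL), named in the thread
ZEN_ZONE = "zen.spamhaus.org"   # IP-based list, named in the thread


def sender_domain(addr):
    """Domain part of an addr-spec. Uses the rightmost '@', so the double-'@'
    junk addresses from the thread still yield the domain that was used to
    deliver the message."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        raise ValueError("no domain part in %r" % addr)
    return addr.rsplit("@", 1)[1].rstrip(".").lower()


def is_ip_literal(name):
    """True for 192.0.2.1, [192.0.2.1] or an IPv6 literal."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def rhsbl_query(domain, zone=DBL_ZONE):
    """Query name for a domain-based list: <domain>.<zone>. Refuses IP
    literals: DBL lists domains only, and Karsten's warning above is that
    asking it about an IP produces false positives."""
    if is_ip_literal(domain):
        raise ValueError("refusing to query %s for an IP address" % zone)
    return "%s.%s" % (domain.rstrip(".").lower(), zone)


def dnsbl_query(ip, zone=ZEN_ZONE):
    """Query name for an IP-based list: reversed octets under the zone
    (IPv4 only in this example). Raises ValueError for non-IP input."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def dbl_verdict(answer):
    """Interpret an A-record answer from DBL. 127.0.1.2 is the return code
    shown in Ned's nslookup (spam domain); other 127.0.1.x answers are other
    DBL categories and are reported generically here."""
    if answer is None:
        return "not listed"
    if answer == "127.0.1.2":
        return "listed: spam domain"
    if answer.startswith("127.0.1."):
        return "listed: DBL code %s" % answer
    return "unexpected answer %s" % answer


def _resolve_a(name):
    """Real resolver: first A record, or None when the name does not exist
    (which is how DNSBLs signal 'not listed')."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_sender(addr, resolve=_resolve_a):
    """SMTP-time style check of a sender address against DBL, the way Ned's
    reject_rhsbl_sender does it. `resolve` is injectable for offline use."""
    domain = sender_domain(addr)
    if is_ip_literal(domain):
        return "skipped: domain part is an IP literal"
    return dbl_verdict(resolve(rhsbl_query(domain)))


if __name__ == "__main__":
    # Constructed answer table standing in for DNS, so this runs offline.
    fake_dns = {"spam.example.dbl.spamhaus.org": "127.0.1.2"}
    resolve = fake_dns.get
    for sample in ("<coupons@spam.example>", "alice@example.org",
                   "<petcarerxu@pnd@spam.example>", "bob@[192.0.2.1]"):
        print("%-32s %s" % (sample, check_sender(sample, resolve)))
    print(dnsbl_query("192.0.2.1"))
```

The guard in rhsbl_query is the point of the example: a reject_rhsbl_client style check hands the resolver a connecting IP, and it must go to an IP-based zone such as ZEN with reversed octets, never to DBL.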