Question about a spam assassin rule
Does anyone have a detailed definition as to what this rule might mean?

FR_3TAG_3TAG RAW

I'm using spam assassin to check an HTML creative I'm making for a client of mine and that rule is popping up. I've searched all over the internet and can't find a definition.

--
View this message in context: http://old.nabble.com/Question-about-a-spam-assassin-rule-tp30260257p30260257.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
facebook phishing, SPF_PASS
Thought you would be interested, a facebook phishing email (yes, it is, ) with SPF_PASS (reminding EVERYONE, SPF IS NOT A SPAM VS HAM INDICATOR AT ALL)

yes, I publish SPF, I used it in meta rules. this one passed because sender used an envelope from in the ip range of the spf rules.

http://secnap.pastebin.com/zTmkSc6J

ps, scored a 3.5 here. by now, hopefully, it scores higher with razor/dcc/spamcop, urlbl, etc.

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
| SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
__
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
__
Re: Question about a spam assassin rule
rawbody FR_3TAG_3TAG m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i

It looks for an html tag containing exactly three characters followed by a closing tag which also contains exactly three characters.

--
Bowie

On 11/19/2010 2:51 PM, jmargi wrote:
> Does anyone have a detailed definition as to what this rule might mean?
>
> FR_3TAG_3TAG RAW
>
> I'm using spam assassin to check an HTML creative I'm making for a client of mine and that rule is popping up. I've searched all over the internet and can't find a definition.
Re: strange issue with cron.daily
On tir 16 nov 2010 14:08:21 CET, Francesco Acchiappati wrote
> /var/lib/spamassassin/compiled ]; then

this dir does imho not exist, it's /var/lib/spamassassin/version/compiled unless debian has fixed it

--
xpoint
http://www.unicom.com/pw/reply-to-harmful.html
Re: facebook phishing, SPF_PASS
On 11/19/2010 3:13 PM, Michael Scheidell wrote:
> Thought you would be interested, a facebook phishing email (yes, it is, ) with SPF_PASS (reminding EVERYONE, SPF IS NOT A SPAM VS HAM INDICATOR AT ALL)

Hi, SPF CAN BE YOUR FRIEND HERE:

header LOCAL_FROM_FBM from =~ /\...@facebookmail\.com/i
score LOCAL_FROM_FBM 50.0
whitelist_from_spf *...@facebookmail.com

Of course, Facebook also uses DKIM so the third line above could just as well be:

whitelist_from_dkim *...@facebookmail.com

or even:

whitelist_auth *...@facebookmail.com

So in this case, SPF isn't a necessity, but it certainly works. I do similar things in various combinations for many commonly-forged domains. YMMV...
Re: facebook phishing, SPF_PASS
On 11/19/10 4:17 PM, Matt Garretson wrote:
> whitelist_from_spf *...@facebookmail.com

ah, not if you have dns issues. if you have dns issues, spf and/or dkim will fail and legit email will not pass!

tried this years ago and, yes, it blocked legit facebook email.

reason I mention it the first time, was one of my facebook_forgery rules looked for spf_pass (didn't whitelist it!) but didn't add the 5 points I assigned for forged facebook, twitter, etc.

--
Michael Scheidell, CTO
Re: facebook phishing, SPF_PASS
On 19/11/2010 4:43 PM, Michael Scheidell wrote:
> Thought you would be interested, a facebook phishing email (yes, it is, ) with SPF_PASS (reminding EVERYONE, SPF IS NOT A SPAM VS HAM INDICATOR AT ALL)
>
> yes, I publish SPF, I used it in meta rules. this one passed because sender used an envelope from in the ip range of the spf rules.
>
> http://secnap.pastebin.com/zTmkSc6J
>
> ps, scored a 3.5 here. by now, hopefully, it scores higher with razor/dcc/spamcop, urlbl, etc.

I'm not sure how SPF could pass on this one. The sending server doesn't have the same domain name, nor is it using an IP authorized in Facebook's SPF records. SPF is supposed to confirm that the sending server is authorized to do so for the domain, but that clearly fails here.
Re: facebook phishing, SPF_PASS
On 11/19/2010 4:22 PM, Michael Scheidell wrote:
> On 11/19/10 4:17 PM, Matt Garretson wrote:
>> whitelist_from_spf *...@facebookmail.com
>
> ah, not if you have dns issues. if you have dns issues, spf and/or dkim will fail and legit email will not pass!

True, perhaps, but a *lot* of things will stop working if you have DNS issues. :)

> reason I mention it the first time, was one of my facebook_forgery rules looked for spf_pass (didn't whitelist it!) but didn't add the 5 points

Yes, you're right; SPF_PASS on its own isn't much of a help.
Re: facebook phishing, SPF_PASS
On Fri, 19 Nov 2010 18:00:09 -0330 Lawrence @ Rogers lawrencewilli...@nl.rogers.com wrote:
> n name, nor is it using an IP authorized in Facebook's SPF records. SPF is supposed to confirm that the sending server is authorized to do so for the domain, but that clearly fails here.

The domain used for the SPF check is probably primer.hu based on envelope-from prime...@primer.hu.
Re: strange issue with cron.daily
On 16/11/2010 15:11, John Hardin wrote:
> On Tue, 16 Nov 2010, Francesco Acchiappati wrote:
>> run-parts: /etc/cron.daily/spamassassin exited with return code 25
>> here it is
>
> The only things that appear to be exposed and able to return a nonzero return code (apart from the simple stuff like sleep and chmod) are:
>
> test -f /etc/default/spamassassin
> . /etc/default/spamassassin
>
> and
>
> sa-compile >/dev/null 2>&1
>
> I'd suggest the most likely problem is sa-compile is failing for some reason. Try running it interactively.
>
> You could run this:
>
> bash -x /etc/cron.daily/spamassassin 2>&1 | tee /tmp/log.txt
>
> to watch the commands as they execute and see which fails.

As you suggested, here is the output:

# bash -x /etc/cron.daily/spamassassin 2>&1 | tee /tmp/log.txt
+ set -e
+ CRON=0
+ test -f /etc/default/spamassassin
+ . /etc/default/spamassassin
++ ENABLED=1
++ OPTIONS='-q -x -u tomcat4'
++ PIDFILE=/var/run/spamd.pid
++ NICE='--nicelevel 15'
++ CRON=1
+ test -x /usr/bin/sa-update
+ test -x /etc/init.d/spamassassin
+ '[' 1 = 0 ']'
+ RANGE=3600
++ od -vAn -N2 -tu4
+ number=' 62039'
++ expr 62039 % 3600
+ number=839
+ sleep 839
+ umask 022
+ sa-update
+ exit 0
Re: facebook phishing, SPF_PASS
On 11/19/10 4:30 PM, Lawrence @ Rogers wrote:
> I'm not sure how SPF could pass on this one. The sending server doesn't have the same domain name, nor is it using an IP authorized in Facebook's SPF records. SPF is supposed to confirm that the sending server is authorized to do so for the domain, but that clearly fails here.

SPF is on ENVELOPE address, not header address. Microsoft's patented 'sender id' (which they don't use) can use either.

--
Michael Scheidell, CTO
Re: facebook phishing, SPF_PASS
On 11/19/10 4:30 PM, Matt Garretson wrote:
>> ah, not if you have dns issues. if you have dns issues, spf and/or dkim will fail and legit email will not pass!
>
> True, perhaps, but a *lot* of things will stop working if you have DNS issues. :)

with SPF, it could be the sender's dns servers, or if they use includes, the dns servers for that side, so, it's dangerous to add +50 points, say, and then use spf/dkim or auth to whitelist.

lots of complicated rules, mostly that I find I have to manually add, then run against local corpus to make sure it doesn't break something.

clients complain of course, if you miss one spam, and complain, of course, if you block one legit email.

--
Michael Scheidell, CTO
Re: facebook phishing, SPF_PASS
On 11/19/2010 5:03 PM, Michael Scheidell wrote:
> with SPF, it could be the sender's dns servers, or if they use includes, the dns servers for that side, so, it's dangerous to add +50 points, say, and then use spf/dkim or auth to whitelist.

You do have a valid point, but I'm not too worried about it myself, since I use this method only for big domains which are unlikely (IMO) to frequently have the type of DNS failures you speak of.

Hmm, I wonder if you could protect against DNS failures with something like:

meta __LOCAL_GOT_SPF (SPF_PASS||SPF_NEUTRAL||SPF_FAIL||SPF_SOFTFAIL||SPF_HELO_PASS||SPF_HELO_NEUTRAL||SPF_HELO_FAIL||SPF_HELO_SOFTFAIL)
header __LOCAL_FROM_FBM1 from =~ /\...@facebookmail\.com/i
meta LOCAL_FROM_FBM ( __LOCAL_FROM_FBM1 && __LOCAL_GOT_SPF )
score LOCAL_FROM_FBM 50.0
whitelist_from_spf *...@facebookmail.com

My idea is that, in the case of DNS failures or timeouts while looking up SPF, __LOCAL_GOT_SPF would be false (I think), thus preventing the 50.0 penalty. And in the normal case where DNS is okay, the penalty and whitelisting would function as before.

Would that work, or is it crazy?

> clients complain of course, if you miss one spam, and complain, of course, if you block one legit email.

Yes, that's what makes our jobs so interesting. :)
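An added illustration (not part of Matt's post, and not SpamAssassin's own engine) of how the guarded meta rule above behaves: a small Python model that evaluates __LOCAL_FROM_FBM1, __LOCAL_GOT_SPF, LOCAL_FROM_FBM and the whitelist_from_spf entry for a few constructed messages. The assumptions are labelled in the code: a DNS timeout sets none of the SPF_* rules, whitelist_from_spf is keyed to the envelope sender that SPF actually verified (so a forged From: with someone else's passing envelope does not get whitelisted), USER_IN_SPF_WHITELIST carries its stock -100, the stock SPF_* scores are ignored, and the header rule's address pattern is simplified to an @facebookmail.com match. The sender addresses are constructed sample values.

```python
import re
from fnmatch import fnmatchcase

# Rule names taken from the post. Scores: the post's 50.0 for LOCAL_FROM_FBM and
# SpamAssassin's stock -100 for USER_IN_SPF_WHITELIST (assumption: the small
# stock SPF_* scores are ignored so only the rules under discussion move the total).
SPF_RESULT_RULES = {
    "SPF_PASS", "SPF_NEUTRAL", "SPF_FAIL", "SPF_SOFTFAIL",
    "SPF_HELO_PASS", "SPF_HELO_NEUTRAL", "SPF_HELO_FAIL", "SPF_HELO_SOFTFAIL",
}
FROM_FBM1 = re.compile(r"@facebookmail\.com", re.I)  # simplified __LOCAL_FROM_FBM1 pattern
SPF_WHITELIST = ["*@facebookmail.com"]                # the whitelist_from_spf entry


def evaluate(from_addr, envelope_from, spf_result, require_spf_result=True):
    """Model SpamAssassin's evaluation of the posted rules for one message.

    spf_result is the SPF_* rule name the SPF plugin set, or None when the DNS
    lookup failed (assumption: no SPF_* rule hits on a timeout).
    require_spf_result=False models the earlier, unguarded LOCAL_FROM_FBM.
    Returns (score, set_of_rule_hits).
    """
    hits = set()
    if spf_result:
        hits.add(spf_result)
    local_from_fbm1 = bool(FROM_FBM1.search(from_addr))   # header __LOCAL_FROM_FBM1
    got_spf = bool(hits & SPF_RESULT_RULES)                # meta __LOCAL_GOT_SPF
    score = 0.0
    if local_from_fbm1 and (got_spf or not require_spf_result):
        hits.add("LOCAL_FROM_FBM")                         # meta LOCAL_FROM_FBM
        score += 50.0
    # whitelist_from_spf applies to the identity SPF verified: the envelope sender,
    # and only when that check actually passed.
    if "SPF_PASS" in hits and any(fnmatchcase(envelope_from.lower(), p) for p in SPF_WHITELIST):
        hits.add("USER_IN_SPF_WHITELIST")
        score -= 100.0
    return score, hits


def scenarios():
    """Constructed sample messages; returns the total score each one would get."""
    fb = "notification@facebookmail.com"   # constructed legitimate-looking address
    other = "someone@example.net"          # constructed unrelated envelope sender
    return {
        "legit, SPF pass": evaluate(fb, fb, "SPF_PASS")[0],
        # Forged From:, envelope sender elsewhere, SPF passes for that other domain:
        # penalty applies, whitelist does not (the situation in this thread).
        "forged From, envelope elsewhere, SPF pass": evaluate(fb, other, "SPF_PASS")[0],
        "forged From, SPF fail": evaluate(fb, other, "SPF_FAIL")[0],
        # DNS timeout on a real message: the guard keeps the +50 from firing ...
        "legit, DNS timeout (guarded)": evaluate(fb, fb, None)[0],
        # ... whereas the unguarded version penalises it with no whitelist to offset.
        "legit, DNS timeout (unguarded)": evaluate(fb, fb, None, require_spf_result=False)[0],
        "unrelated sender": evaluate("a@example.org", "a@example.org", "SPF_PASS")[0],
    }


if __name__ == "__main__":
    for name, score in scenarios().items():
        print(f"{name:45s} {score:+.1f}")
```

The "DNS timeout (guarded)" row is the case the post is asking about: with no SPF_* rule set, __LOCAL_GOT_SPF is false, so the message neither gets the +50 nor the whitelist, and is left to the rest of the ruleset. Note that the model does not say whether a real lookup failure leaves every SPF_* rule unset in a given SpamAssassin version; that remains the "(I think)" in the post.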
Re: resolved, but why? Re: SA 3.3.1 performance issues?
happened again. 1 out of 100, EXACTLY THE SAME SYSTEMS, DOWN TO MD5 CHECKSUMS ON BINARIES, need to remove INET6 perl module.

On 11/5/10 4:44 PM, Michael Scheidell wrote:
> On 11/5/10 4:08 PM, Michael Scheidell wrote:
>> On 11/5/10 4:00 PM, Mark Martinec wrote:
>>> It certainly looks like a DNS resolver problem. What is your /etc/resolv.conf? The Net::DNS only uses the first nameserver from that file.
>>>
>>> To turn on debugging in Net::DNS (assuming bourne-like shell):
>>>
>>> $ RES_OPTIONS=debug spamassassin -D -t <test.msg
>
> deinstalled p5-IO-Socket-INET6 and everything is fine. (might I note that amavisd-new wanted that file, and also note, that it works FINE on amd64?)

--
Michael Scheidell, CTO
Re: Question about a spam assassin rule
On 11/19/10 2:51 PM, Bowie Bailey bowie_bai...@buc.com wrote:
> rawbody FR_3TAG_3TAG m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i
>
> It looks for an html tag containing exactly three characters followed by a closing tag which also contains exactly three characters.

But no instances of d, p, r or y. I'm sure that's a really clever trick for something, I just don't have a clue as to what it might be.

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: facebook phishing, SPF_PASS
On fre 19 nov 2010 21:13:26 CET, Michael Scheidell wrote
> http://secnap.pastebin.com/zTmkSc6J

url is just a joe job from the spammers facebook login, report to facebook and problem is gone

--
xpoint
Re: facebook phishing, SPF_PASS
On fre 19 nov 2010 23:33:51 CET, Matt Garretson wrote
> Would that work, or is it crazy?

the latter, facebook is dkim signed

whitelist_auth *...@facebookapp.com
whitelist_auth *...@facebookmail.com
whitelist_auth *...@facebook.com

if From: says facebook then it's forged if not dkim signed or spf pass

don't blame facebook for a url in body and facebook in from: header :=)

--
xpoint
Re: Question about a spam assassin rule
On Fri, 19 Nov 2010, Daniel McDonald wrote:
> On 11/19/10 2:51 PM, Bowie Bailey bowie_bai...@buc.com wrote:
>> rawbody FR_3TAG_3TAG m'<[abcefghijklmnoqstuvwxz]{3}></[abcefghijklmnoqstuvwxz]{3}>'i
>>
>> It looks for an html tag containing exactly three characters followed by a closing tag which also contains exactly three characters.
>
> But no instances of d, p, r or y. I'm sure that's a really clever trick for something, I just don't have a clue as to what it might be.

It was an attempt to find obfuscated HTML junk that spammers were using to break up spammy words such as male medications EG: via<sqz></sqz>gra

The idea was that most all legit 3 character HTML tags such as 'div' contained at least one of those letters ([dpry]) in them. So a purported tag that had none of them was not legit and thus probably bogus spammer spoor.

With the evolution of HTML (xml, etc) that's no longer a safe assumption, so that rule probably FPs.

--
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
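The rule as quoted by Bowie and explained by Dave above, run in Python as an added example (not code from the thread or from SpamAssassin): it applies the FR_3TAG_3TAG pattern to a few constructed raw bodies, shows what the obfuscated text reads as once tags are removed, and checks Dave's [dpry] assumption against a constructed (not exhaustive) list of three-letter HTML tag names, which is how the false-positive caveat can be seen concretely. The Perl m'...'i delimiters become re.I here.

```python
import re

# Character class exactly as in the posted rule: every lowercase letter except d, p, r, y.
TAG_CHARS = "abcefghijklmnoqstuvwxz"
# FR_3TAG_3TAG: a three-letter opening tag immediately followed by a three-letter
# closing tag, neither name containing d, p, r or y; case-insensitive like the 'i' flag.
FR_3TAG_3TAG = re.compile(r"<[%s]{3}></[%s]{3}>" % (TAG_CHARS, TAG_CHARS), re.I)

# Constructed sample bodies (not taken from any real message).
SAMPLES = {
    "obfuscated word": "Cheap via<sqz></sqz>gra today",   # the junk the rule targets
    "empty div":       "<div></div>",                     # 'd' excluded: no hit
    "empty sub":       "text<sub></sub>more",             # legitimate tag without d/p/r/y: hits
    "empty nav":       "<NAV></NAV>",                     # case-insensitive match
    "not adjacent":    "via<sqz>x</sqz>gra",              # content between the tags: no hit
    "non-empty":       "<sub>2</sub>",
}


def fr_3tag_3tag(rawbody):
    """True when FR_3TAG_3TAG would fire on this raw body."""
    return FR_3TAG_3TAG.search(rawbody) is not None


def strip_tags(rawbody):
    """The text a reader, or a filter that only sees rendered text, would get."""
    return re.sub(r"<[^>]*>", "", rawbody)


# Three-letter HTML tag names that take a closing tag (constructed list, not exhaustive).
THREE_LETTER_TAGS = ["div", "pre", "sub", "sup", "nav", "var", "kbd", "del",
                     "ins", "dfn", "big", "svg", "bdo", "bdi", "map", "xmp"]


def legit_tags_missing_marker(tags=THREE_LETTER_TAGS):
    """Tags the rule cannot tell apart from obfuscation junk: no d, p, r or y in the name."""
    return [t for t in tags if not re.search(r"[dpry]", t)]


def evaluate(samples=SAMPLES):
    """Rule verdict for each constructed sample."""
    return {name: fr_3tag_3tag(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16s} hit={hit!s:5s} rendered={strip_tags(SAMPLES[name])!r}")
    print("legit tags without [dpry]:", legit_tags_missing_marker())
```

An empty `<sub></sub>` or `<nav></nav>` pair, which HTML editors do emit, satisfies the pattern exactly as the spammer's `<sqz></sqz>` does, which is the false-positive path Dave describes; stripping the tags first and matching on the rendered text is the complementary check a filter needs for the obfuscation the rule was written against.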