Re: Absurd mail headers in new spam

2017-06-01 Thread John Hardin

On Thu, 1 Jun 2017, A. Schulze wrote:



John Hardin:


any header that begins with "X-" is permitted.


permitted - yes

but I'm aware many users still regard X- headers as private headers.
This is no longer true since 2012: https://tools.ietf.org/html/rfc6648

just to mention that...
Andreas


Interesting. I wonder how that affects RFC 2822 (et al.) headers, and 
specifically, the X-Spam-* headers that SA emits?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Journalism is about covering important stories.
  With a pillow, until they stop moving.   -- David Burge
---
 5 days until the 73rd anniversary of D-Day


Re: Absurd mail headers in new spam

2017-06-01 Thread John Hardin

On Thu, 1 Jun 2017, Loren Wilton wrote:


 Hopeless-Forming-Philistinizes: jobs
 Lossy-Cabdriver: 2368db81dcf1
 Alba-Leanness-Elections: 38376DB11A
 Merrimac-Grams-Participating: B354488539E
 Giving-Remarkably-Incriminate: drawl

 Dustin-Ransoming: 18
 Person-Decathlon-Arnold: dfcfce7ba985
 Majority-Gambles: 4f856
 Buttock-Milky-Dogged: 8E626A527D73
 Scoff-Invoke: ea3ff6a6

 Wish-Growing: 57878
 Stiffest-Ghastly-Contaminates: 899
 Cabling-Paddle: exploratory
 Adjacency-Ranting: 89EC6563C14
 Asinine-Midwife-Reread: 67b5d4b3973a75b


Note that these are all (so far) two or three word headers with initial 
caps on each word and all the rest lowercase, and a token value that is either 
a single all-lower-case word or a single hex string. There are also no digits 
to the left of the colon. Also, none of them start with "X-".


Just looking at the rather extensive headers on the mail I'm replying to, 
exactly zero of them match the pattern I've described above.


...and that pattern is trivially easy for the spammer to change.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Journalism is about covering important stories.
  With a pillow, until they stop moving.   -- David Burge
---
 5 days until the 73rd anniversary of D-Day


Re: Razor2 Check

2017-06-01 Thread David Jones
>From: sebast...@debianfan.de 

>how do i test razor 2 if it's working?

>Are there any testfiles?

Make sure the Razor2 plugin is enabled in your .pre files:

spamassassin -D --lint 2>&1 | grep -i razor

You should see some RAZOR2 rule hits in your mail logs pretty
quickly if it's working properly:

grep RAZOR2 /var/log/mail.log

This is rather old but still should be accurate:

https://wiki.apache.org/spamassassin/RazorHowToTell

Dave

Razor2 Check

2017-06-01 Thread sebast...@debianfan.de

Hi @all,

how do i test razor 2 if it's working?

Are there any testfiles?

Tnx

Sebastian


Best Anti-Spam note of the day...

2017-06-01 Thread Kevin A. McGrail
I only hope I can ascend to this level of tact with all upcoming Apache 
SpamAssassin missives.


Regards,

KAM


http://www.mayoradler.com/letter-wonder-woman/


 Letter: Wonder Woman

On May 26, 2017, the Mayor received this email:

   I hope every man will boycott Austin and do what he can to diminish
   Austin and to cause damage to the city’s image. The theater that
   pandered to the sexism typical of women will, I hope, regret its
   decision. The notion of a woman hero is a fine example of women’s
   eagerness to accept the appearance of achievement without actual
   achievement. Women learn from an early age to value make-up, that
   it’s OK to pretend that you are greater than you actually are. Women
   pretend they do not know that only men serve in combat because they
   are content to have an easier ride. Women gladly accept gold medals
   at the Olympics for coming in 10th and competing only against the
   second class of athletes. Name something invented by a woman!
   Achievements by the second rate gender pale in comparison to
   virtually everything great in human history was accomplished by men,
   not women. If Austin does not host a men only counter event, I will
   never visit Austin and will welcome its deterioration. And I will
   not forget that Austin is best known for Charles Whitman. Does
   Austin stand for gender equality or for kissing up to women? Don’t
   bother to respond. I already know the answer. I do not hate women. I
   hate their rampant hypocrisy and the hypocrisy of the “women’s
   movement.” Women do not want gender equality; they want more for
   women. Don’t bother to respond because I am sure your cowardice will
   generate nothing worth reading.

   Richard A. Ameduri

Today he responded:

   Dear Mr. Ameduri,

   I am writing to alert you that your email account has been hacked by
   an unfortunate and unusually hostile individual. Please remedy your
   account’s security right away, lest this person’s uninformed and
   sexist rantings give you a bad name. After all, we men have to look
   out for each other!

   Can you imagine if someone thought that you didn’t know women could
   serve in our combat units now without exclusion? What if someone
   thought you didn’t know that women invented medical syringes, life
   rafts, fire escapes, central and solar heating, a war-time
   communications system for radio-controlling torpedoes that laid the
   technological foundations for everything from Wi-Fi to GPS, and
   beer? And I hesitate to imagine how embarrassed you’d be if someone
   thought you were upset that a private business was realizing a
   business opportunity by reserving one screening this weekend for
   women to see a superhero movie.

   You and I are serious men of substance with little time for the
   delicate sensitivities displayed by the pitiful creature who
   maligned your good name and sterling character by writing that
   abysmal email.  I trust the news that your email account has been
   hacked does not cause you undue alarm and wish you well in securing
   your account. And in the future, should your travels take you to
   Austin, please know that everyone is welcome here, even people like
   those who wrote that email whose views are an embarrassment to
   modernity, decency, and common sense.

   Yours sincerely,

   Steve Adler



Re: Absurd mail headers in new spam

2017-06-01 Thread Axb

Nice to see you're around Loren.
Been a looong time since we did stuff like

header    SARE_MSGID_RATWARE2  MESSAGEID =~ /\<\d{10,15}\.\d{18,40}\@[a-z]+\>/  # no /i!
describe  SARE_MSGID_RATWARE2  Message-Id is 
score     SARE_MSGID_RATWARE2  0.639
#hist     SARE_MSGID_RATWARE2  Loren Wilton Sat, 3 Apr 2004 20:29:32 -0800
#matches  SARE_MSGID_RATWARE2  numbers.numbers@letters
#counts   SARE_MSGID_RATWARE2  7s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_MSGID_RATWARE2  1640s/0h of 115925 corpus (94616s/21309h) 05/01/04
#counts   SARE_MSGID_RATWARE2  1s/0h of 55929 corpus (51589s/4340h AxB2) 05/14/06
#counts   SARE_MSGID_RATWARE2  33s/2h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_MSGID_RATWARE2  66s/2h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_MSGID_RATWARE2  0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max      SARE_MSGID_RATWARE2  31s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_MSGID_RATWARE2  0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#max      SARE_MSGID_RATWARE2  3s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_MSGID_RATWARE2  3s/0h of 155430 corpus (103881s/51549h DOC) 05/15/06
#counts   SARE_MSGID_RATWARE2  1s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06


take care!

AXB


Re: Absurd mail headers in new spam

2017-06-01 Thread Bill Cole

On 1 Jun 2017, at 8:28, Loren Wilton wrote:

If he is intending to hide tracking info in the headers, it seems 
pointless unless he is also writing an MTA of some sort that will see 
the headers. But maybe he didn't think that far, and it was his intent 
to hide tracking info. Still, it seems a little unlikely.


I first noticed similar headers in a very narrowly (but irrationally) 
targeted subset of spam ~4 years ago. It came from snowshoe & 
rent-a-virtual-sewer (OVH largely, at the time) IPs, to a set of ~1% of 
the users on a multi-tenant SMB (outsourcing) mail system. For a while, 
one or more of the absurd headers would have a cryptographic hash of the 
target address as the value. My theory is that these were to get 
tracking info through spam reporting tools like SpamCop that try to 
sanitize reports. Obviously the tracking token doesn't need to be 
derived from the target address, it just needs to be mappable back to a 
target, so it could be that the same tool has been evolved to use less 
obvious tokens.




Re: Why both DNS lookup checks fire?

2017-06-01 Thread Tobi
Problem solved :-)
After changing the urirhssub lines to

urirhssub   XXX_RCVD_MY_URIBL_DOMAIN  multi.mydomain.tld. A 127.0.0.16
urirhssub   XXX_RCVD_MY_URIBL_HOST    multi.mydomain.tld. A 127.0.0.24

only the XXX_RCVD_MY_URIBL_DOMAIN check fires

Regards

tobi

Am 01.06.2017 um 14:33 schrieb Tobi:
> Hello list
>
> I'm running SpamAssassin 3.4.0 on CentOS 7 (64-bit) with the latest updates. 
> My goal is to have my own DNSBL list for lookups in SpamAssassin. 
> The lookup zone is multi.mydomain.tld and I have the following two checks for 
> SA:
>
> urirhssub XXX_RCVD_MY_URIBL_DOMAIN  multi.mydomain.tld. A 16
> body      XXX_RCVD_MY_URIBL_DOMAIN  eval:check_uridnsbl('XXX_RCVD_MY_URIBL_DOMAIN')
> tflags    XXX_RCVD_MY_URIBL_DOMAIN  net
> describe  XXX_RCVD_MY_URIBL_DOMAIN  contains URI domain listed
> reuse     XXX_RCVD_MY_URIBL_DOMAIN
>
> urirhssub XXX_RCVD_MY_URIBL_HOST  multi.mydomain.tld. A 24
> body      XXX_RCVD_MY_URIBL_HOST  eval:check_uridnsbl('XXX_RCVD_MY_URIBL_HOST')
> tflags    XXX_RCVD_MY_URIBL_HOST  net
> describe  XXX_RCVD_MY_URIBL_HOST  contains URI host listed
> reuse     XXX_RCVD_MY_URIBL_HOST
>
> The zone returns 127.0.0.16 for domains (without any hostpart) listed and 
> 127.0.0.24 for hosts (domain + hostpart) listed
> So far so good :-)
> Problem is that both checks do fire although only 127.0.0.16 is returned by 
> lookup
>
>   *  2.3 XXX_RCVD_MY_URIBL_DOMAIN contains URI domain listed
>   *  [URIs: kelasalbaghdadi.com]
>   *  3.8 XXX_RCVD_MY_URIBL_HOST contains URI host listed
>   *  [URIs: kelasalbaghdadi.com]
>
>
> $ dig kelasalbaghdadi.com.multi.mydomain.tld
> [...]
> ;; QUESTION SECTION:
> ;kelasalbaghdadi.com.multi.mydomain.tld. IN   A
>
> ;; ANSWER SECTION:
> kelasalbaghdadi.com.multi.mydomain.tld. 6052 IN A 127.0.0.16
>
> There is no mention of 127.0.0.24 which would be required for 
> XXX_RCVD_MY_URIBL_HOST to fire.
>
> Any idea how to avoid that both checks fire up? Did I mess something up in 
> config? 
>
> Thanks for any idea on how to solve that
>
> tobi
>



Why both DNS lookup checks fire?

2017-06-01 Thread Tobi
Hello list

I'm running SpamAssassin 3.4.0 on CentOS 7 (64-bit) with the latest updates. 
My goal is to have my own DNSBL list for lookups in SpamAssassin. 
The lookup zone is multi.mydomain.tld and I have the following two checks for SA:

urirhssub   XXX_RCVD_MY_URIBL_DOMAIN  multi.mydomain.tld. A 16
body        XXX_RCVD_MY_URIBL_DOMAIN  eval:check_uridnsbl('XXX_RCVD_MY_URIBL_DOMAIN')
tflags      XXX_RCVD_MY_URIBL_DOMAIN  net
describe    XXX_RCVD_MY_URIBL_DOMAIN  contains URI domain listed
reuse       XXX_RCVD_MY_URIBL_DOMAIN

urirhssub   XXX_RCVD_MY_URIBL_HOST  multi.mydomain.tld. A 24
body        XXX_RCVD_MY_URIBL_HOST  eval:check_uridnsbl('XXX_RCVD_MY_URIBL_HOST')
tflags      XXX_RCVD_MY_URIBL_HOST  net
describe    XXX_RCVD_MY_URIBL_HOST  contains URI host listed
reuse       XXX_RCVD_MY_URIBL_HOST

The zone returns 127.0.0.16 for domains (without any hostpart) listed and 
127.0.0.24 for hosts (domain + hostpart) listed
So far so good :-)
Problem is that both checks do fire although only 127.0.0.16 is returned by 
lookup

*  2.3 XXX_RCVD_MY_URIBL_DOMAIN contains URI domain listed
*  [URIs: kelasalbaghdadi.com]
*  3.8 XXX_RCVD_MY_URIBL_HOST contains URI host listed
*  [URIs: kelasalbaghdadi.com]


$ dig kelasalbaghdadi.com.multi.mydomain.tld
[...]
;; QUESTION SECTION:
;kelasalbaghdadi.com.multi.mydomain.tld. IN A

;; ANSWER SECTION:
kelasalbaghdadi.com.multi.mydomain.tld. 6052 IN A   127.0.0.16

There is no mention of 127.0.0.24 which would be required for 
XXX_RCVD_MY_URIBL_HOST to fire.

Any idea how to avoid that both checks fire up? Did I mess something up in 
config? 

Thanks for any idea on how to solve that

tobi
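The symptom Tobi reports here and the fix he posted in his follow-up (replacing the numeric subtests 16 and 24 with the exact addresses 127.0.0.16 and 127.0.0.24) can be reproduced offline with the small Python model below. It is an added example written for this page, not SpamAssassin's own URIDNSBL code. It assumes that a bare integer urirhssub subtest is ANDed against the returned address as a bitmask while a dotted-quad subtest must match the returned address exactly; the rule names and the 127.0.0.16 answer come from the thread, and the 127.0.0.24 "host listing" answer is constructed from Tobi's description of his zone.

```python
import ipaddress

# ASSUMPTION (added example, not SpamAssassin code): a numeric subtest is a
# bitmask ANDed against the returned A record; a dotted quad is an exact match.
# 127.0.0.16 & 16 and 127.0.0.16 & 24 are both non-zero, so with numeric
# subtests one domain-only listing satisfies BOTH rules.


def subtest_matches(answer, subtest):
    """Does a DNSBL A-record answer satisfy a urirhssub subtest?"""
    addr = int(ipaddress.IPv4Address(answer))
    if subtest.isdigit():                                  # bitmask form ("16", "24")
        return (addr & int(subtest)) != 0
    return addr == int(ipaddress.IPv4Address(subtest))     # exact-address form


def rules_that_fire(rules, answer):
    """Names of the rules (name -> subtest) whose subtest matches the answer."""
    return [name for name, subtest in rules.items() if subtest_matches(answer, subtest)]


def overlapping_bits(mask_a, mask_b):
    """Bits shared by two numeric subtests; any overlap lets one listing fire both."""
    return int(mask_a) & int(mask_b)


# Tobi's original numeric configuration and his corrected exact-address one.
ORIGINAL_RULES = {"XXX_RCVD_MY_URIBL_DOMAIN": "16", "XXX_RCVD_MY_URIBL_HOST": "24"}
FIXED_RULES = {"XXX_RCVD_MY_URIBL_DOMAIN": "127.0.0.16",
               "XXX_RCVD_MY_URIBL_HOST": "127.0.0.24"}

# Constructed answers modelled on the dig output and zone description in the thread.
DOMAIN_LISTING = "127.0.0.16"   # domain (no host part) listed
HOST_LISTING = "127.0.0.24"     # host (domain + host part) listed

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for answer in (DOMAIN_LISTING, HOST_LISTING):
            print(label, answer, rules_that_fire(rules, answer))
    print("bits shared by 16 and 24:", overlapping_bits("16", "24"))
```

With the numeric subtests, a 127.0.0.24 answer would also trip the DOMAIN rule, since 24 and 16 share bit 16; the exact-address form keeps the two listings apart. Numeric subtests are the right tool only when a zone really encodes independent flags in distinct bits.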



Re: Absurd mail headers in new spam

2017-06-01 Thread Loren Wilton

If I were to guess, adding such headers is done to confuse tools that
compute hashes based on headers or use bayes filtering on the entire
mail, since it adds innocent words to the mail without showing them
to most end-users.


It doesn't confuse either Bayes or any hash I'm aware of.


Just as a point of psychology, there is a difference between "done to 
confuse" and "does confuse".


Don't assume that people designing a spam tool are necessarily experts at 
anti-spam technology. If they were, they would either give up on making 
spams, or anti-spam tools would be much less effective than they are.


You look at these obviously absurd headers, and you really should ask 
yourself "why are they here? What are they intended to accomplish?" I can 
only think of two likely possibilities: either the creator is using these to 
hide some sort of tracking information, or he is hoping that they will 
somehow make the mail look "less spammy" in some way.


If he is intending to hide tracking info in the headers, it seems pointless 
unless he is also writing an MTA of some sort that will see the headers. But 
maybe he didn't think that far, and it was his intent to hide tracking info. 
Still, it seems a little unlikely.


The other possibility is making the mail get thru spam filters. As you point 
out, it fails miserably at this. But that doesn't mean that someone didn't 
have a brilliant idea and thought that it might somehow work.


Personally I think that if it stays around for a few weeks that it is great 
rule fodder for being sure that the mail IS spam.


   Loren



Re: Absurd mail headers in new spam

2017-06-01 Thread RW
On Thu, 1 Jun 2017 01:59:44 +0200 (CEST)
Kim Roar Foldøy Hauge wrote:

> If I were to guess, adding such headers is done to confuse tools that 
> compute hashes based on headers or use bayes filtering on the entire
> mail, since it adds innocent words to the mail without showing them
> to most end-users.

It doesn't confuse either Bayes or any hash I'm aware of.


Re: Absurd mail headers in new spam

2017-06-01 Thread A. Schulze


John Hardin:


any header that begins with "X-" is permitted.


permitted - yes

but I'm aware many users still regard X- headers as private headers.
This is no longer true since 2012: https://tools.ietf.org/html/rfc6648

just to mention that...
Andreas




Re: Absurd mail headers in new spam

2017-06-01 Thread Loren Wilton

Hopeless-Forming-Philistinizes: jobs
Lossy-Cabdriver: 2368db81dcf1
Alba-Leanness-Elections: 38376DB11A
Merrimac-Grams-Participating: B354488539E
Giving-Remarkably-Incriminate: drawl

Dustin-Ransoming: 18
Person-Decathlon-Arnold: dfcfce7ba985
Majority-Gambles: 4f856
Buttock-Milky-Dogged: 8E626A527D73
Scoff-Invoke: ea3ff6a6

Wish-Growing: 57878
Stiffest-Ghastly-Contaminates: 899
Cabling-Paddle: exploratory
Adjacency-Ranting: 89EC6563C14
Asinine-Midwife-Reread: 67b5d4b3973a75b


Note that these are all (so far) two or three word headers with initial 
caps on each word and all the rest lowercase, and a token value that is 
either a single all-lower-case word or a single hex string. There are also 
no digits to the left of the colon. Also, none of them start with "X-".


Just looking at the rather extensive headers on the mail I'm replying to, 
exactly zero of them match the pattern I've described above.


   Loren
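As an added example (not code from anyone in the thread), the Python below turns two observations from this discussion into checks a filter author could run over a message: Loren's description of the absurd-header shape (two or three capitalised words joined by hyphens, no digits left of the colon, a value that is one lowercase word or one hex string) and Axb's SARE_MSGID_RATWARE2 Message-Id pattern, translated from Perl to Python regex syntax. The sample messages are constructed; the absurd header names in the first one are those quoted in the thread, while the addresses, Message-Ids and the threshold of 3 are assumptions of mine.

```python
import email
import re

# Header-name shape Loren described: two or three words, each an initial
# capital followed by lowercase letters, joined by hyphens, no digits before
# the colon. "X-" headers cannot match because each word needs at least one
# lowercase letter after its capital, which matches the "none start with X-" note.
ABSURD_NAME = re.compile(r"^[A-Z][a-z]+(?:-[A-Z][a-z]+){1,2}$")
# Value shape: a single all-lowercase word or a single hex string.
ABSURD_VALUE = re.compile(r"^(?:[a-z]+|[0-9a-fA-F]+)$")

# Axb's SARE_MSGID_RATWARE2 pattern in Python syntax; deliberately
# case-sensitive, as the original rule's "# no /i!" comment insists.
RATWARE_MSGID = re.compile(r"<\d{10,15}\.\d{18,40}@[a-z]+>")


def absurd_headers(raw_message):
    """Names of headers whose name and value both fit the absurd-header shape."""
    msg = email.message_from_string(raw_message)
    return [name for name, value in msg.items()
            if ABSURD_NAME.match(name) and ABSURD_VALUE.match(value.strip())]


def ratware_msgid(raw_message):
    """True if the Message-Id has the numbers.numbers@letters form."""
    msg = email.message_from_string(raw_message)
    return RATWARE_MSGID.search(msg.get("Message-Id", "")) is not None


def score(raw_message, threshold=3):
    """Combine both heuristics. Absurd headers are counted against a threshold
    (an assumed value) because ordinary headers such as "Content-Language: en"
    fit the shape on their own, so a single hit is not evidence of anything."""
    hits = absurd_headers(raw_message)
    return {
        "absurd_header_count": len(hits),
        "absurd_headers_rule": len(hits) >= threshold,
        "ratware_msgid": ratware_msgid(raw_message),
    }


# Constructed sample (not a real message): absurd header names from the thread,
# everything else made up. Built with join() so no leading blank line ends the headers.
CONSTRUCTED_SPAM = "\n".join([
    "Message-Id: <1234567890.123456789012345678901234@abcdef>",
    "From: sender@example.test",
    "To: victim@example.test",
    "Subject: constructed sample",
    "Hopeless-Forming-Philistinizes: jobs",
    "Lossy-Cabdriver: 2368db81dcf1",
    "Alba-Leanness-Elections: 38376DB11A",
    "Dustin-Ransoming: 18",
    "Content-Type: text/plain",
    "",
    "body text",
])

# Constructed legitimate message: one header (Content-Language) fits the shape.
CONSTRUCTED_HAM = "\n".join([
    "Message-Id: <20170601.reply@mail.example.test>",
    "From: list-member@example.test",
    "To: users@example.test",
    "Subject: Re: Absurd mail headers in new spam",
    "Mime-Version: 1.0",
    "Content-Type: text/plain; charset=utf-8",
    "Content-Transfer-Encoding: 7bit",
    "Content-Language: en",
    "",
    "body text",
])

if __name__ == "__main__":
    for label, raw in (("spam", CONSTRUCTED_SPAM), ("ham", CONSTRUCTED_HAM)):
        print(label, score(raw))
```

Running it shows four absurd-header hits and a ratware Message-Id on the constructed spam, and one shape-compatible header (Content-Language) with no ratware Message-Id on the constructed reply, which is why the count is scored rather than any single match. As John Hardin points out above, the shape is trivial for the sender to change, so a check like this earns its keep only while the pattern persists in live traffic and should be kept as a low-scoring, corpus-tested rule rather than a hard block.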