Re: FROM header with two email addresses

2017-10-05 Thread Jakob Curdes
Hello all, I was the original poster of this topic but was away for a 
couple of days.
I find it amazing to see the number of suggestions and ideas that have 
come up here.


However none of the constructions matched "my" From: lines of the form

From: "Firstname Lastname@" sendern...@real-senders-domain.com 
>


I therefore now constructed the following rules:

describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
header   __FROM_NAME_CONTAINS_AT From:name =~ /\@/

describe __FROM_MULTIPLE_ADDR address part of FROM contains more than one mail address (additional text)
header   __FROM_MULTIPLE_ADDR From:addr =~ /\s/

describe __FROM_NAME_ADDRESS_EQUAL constructions like "us...@companya.com" 
header   __FROM_NAME_ADDRESS_EQUAL From =~ /["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
header   __FROM_NAME_CONTAINS_ADDRESS From =~ /["']?(\w+@\w+\.\w+)["']?\s*\

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
meta FROM_SPOOF_SENDER2  __FROM_NAME_CONTAINS_ADDRESS && ! __FROM_NAME_ADDRESS_EQUAL
meta FROM_ADDRESS_TWICE  __FROM_NAME_CONTAINS_ADDRESS && __FROM_NAME_ADDRESS_EQUAL


(the last META could even get a slightly negative score, I occasionally 
see people entering their email address in the name field).


and am now waiting to see some hits. I consider the risk of false 
positives low in this case; if these METAs are matched, somebody is 
trying to trick you.


Regards JC



Re: FROM header with two email addresses

2017-10-05 Thread RW
On Thu, 5 Oct 2017 12:41:26 +0200
Jakob Curdes wrote:

> Hello all, I was the original poster of this topic but was away for a 
> couple of days.
> I find it amazing to see the number of suggestions and ideas that
> have come up here.
> 
> However none of the constructions matched "my" From: lines of the form
> 
> From: "Firstname Lastname@"  sendern...@real-senders-domain.com 
> >
> 

Are you getting a lot of these? It looks more like a mistake than a
tactic.


Re: FROM header with two email addresses

2017-10-05 Thread Jakob Curdes



> > Hello all, I was the original poster of this topic but was away for a
> > couple of days.
> > I find it amazing to see the number of suggestions and ideas that
> > have come up here.
> > 
> > However none of the constructions matched "my" From: lines of the form
> > 
> > From: "Firstname Lastname@" sendern...@real-senders-domain.com >
> 
> Are you getting a lot of these? It looks more like a mistake than a
> tactic.


Not a lot, but the trick is that Outlook displays both parts, and users 
think that it is an internal mail because the "Firstname Lastname" is 
real in the company and the "recipient-domain.com" is the real recipient 
domain.
So it is a trick to circumvent SPF denials which prevent a spammer from 
sending "internal" mails from external addresses.
So I think it is not a mistake; I suppose this is carefully crafted to 
achieve exactly this result.


JC




Re: FROM header with two email addresses

2017-10-05 Thread Kevin A. McGrail

On 10/5/2017 7:19 AM, Jakob Curdes wrote:
> Not a lot, but the trick is that Outlook displays both parts, and 
> users think that it is an internal mail because the "Firstname 
> Lastname" is real in the company and the "recipient-domain.com" is the 
> real recipient domain.
> So it is a trick to circumvent SPF denials which prevent a spammer 
> from sending "internal" mails from external addresses.
> So I think it is not a mistake; I suppose this is carefully crafted to 
> achieve exactly this result.


I can also confirm user behavior consistent with your description of 
this issue as well where it tricked them into thinking it was an 
internal message.  We had 1 case as well that this thread coincidentally 
hit.


So while the spam engine rule is nice, a generic rule that works on 2 email 
addresses in the From header is likely still an indicator of spam 
that is a "good idea"(tm).


Regards,

KAM



Re: FROM header with two email addresses

2017-10-05 Thread RW
On Thu, 5 Oct 2017 07:38:23 -0400
Kevin A. McGrail wrote:

> On 10/5/2017 7:19 AM, Jakob Curdes wrote:
> > Not a lot, but the trick is that Outlook displays both parts, and 
> > users think that it is an internal mail because the "Firstname 
> > Lastname" is real in the company and the "recipient-domain.com" is
> > the real recipient domain.
> > So it is a trick to circumvent SPF denials which prevent a spammer 
> > from sending "internal" mails from external addresses.
> > So I think it is not a mistake, I suppose this is carefully crafted
> > to achieve exactly this result.   
> 
> I can also confirm user behavior consistent with your description of 
> this issue as well where it tricked them into thinking it was an 
> internal message.  We had 1 case as well that this thread
> coincidentally hit.
> 
> So while the spam engine rule is nice, a generic rule that works on 2 email
> addresses in the From header is likely still an
> indicator of spam that is a "good idea"(tm).

It's not two addresses, it's a single address with a space in it. It's
actually a legal header, but in the real world it's as rare as hen's
teeth:

From:addr =~ /\s/

is probably worth scoring in its own right, but it could be combined
with a test for the @ in the display name.


Re: FROM header with two email addresses

2017-10-05 Thread Jakob Curdes

> On Thu, 5 Oct 2017 07:38:23 -0400
> Kevin A. McGrail wrote:
> 
> > On 10/5/2017 7:19 AM, Jakob Curdes wrote:
> > 
> > > Not a lot, but the trick is that Outlook displays both parts, and
> > > users think that it is an internal mail because the "Firstname
> > > Lastname" is real in the company and the "recipient-domain.com" is
> > > the real recipient domain.
> > > So it is a trick to circumvent SPF denials which prevent a spammer
> > > from sending "internal" mails from external addresses.
> > > So I think it is not a mistake; I suppose this is carefully crafted
> > > to achieve exactly this result.
> > 
> > I can also confirm user behavior consistent with your description of
> > this issue as well where it tricked them into thinking it was an
> > internal message.  We had 1 case as well that this thread
> > coincidentally hit.
> > 
> > So while the spam engine rule is nice, a generic rule that works on 2 email
> > addresses in the From header is likely still an
> > indicator of spam that is a "good idea"(tm).
> 
> It's not two addresses, it's a single address with a space in it. It's
> actually a legal header, but in the real world it's as rare as hen's
> teeth:
> 
>  From:addr =~ /\s/
> 
> is probably worth scoring in its own right, but it could be combined
> with a test for the @ in the display name.

Well my

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR

does exactly this. I did not want to assign a single score as we do not 
know who else (legit mass mailers..) might construct strange display 
names or strangely formatted address fields.


JC
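The heuristics discussed in this thread (Jakob's three metas and RW's From:addr whitespace test), as an added Python illustration that is not SpamAssassin code and not part of the thread: it splits a From: value into a name and address part the way From:name / From:addr roughly do, then evaluates the metas. The sample headers are constructed (the thread's own examples are obfuscated by the archive), and the address token regex is deliberately looser than the thread's `\w+@\w+\.\w+`.

```python
import re

# Constructed sample From: headers, not the thread's own. "spoof1" mirrors the
# shape the thread describes: an "@" in the display name and whitespace inside
# the address part; "spoof2" and "twice" mirror the "user@x" <...> constructions.
SAMPLES = {
    "clean":  '"Jane Doe" <jane.doe@example.org>',
    "spoof1": '"Firstname Lastname@recipient-domain.example" '
              '<sendername mailer@real-senders-domain.example>',
    "spoof2": '"ceo@recipient-domain.example" <mailer@real-senders-domain.example>',
    "twice":  '"jane.doe@example.org" <jane.doe@example.org>',
}

ADDR_TOKEN = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")  # looser than the thread's regex


def split_from(value):
    """Rough equivalent of SpamAssassin's From:name / From:addr split:
    display name (quotes stripped) before the angle brackets, address inside."""
    m = re.match(r"^(?P<name>.*?)\s*<(?P<addr>[^>]*)>\s*$", value.strip())
    if not m:                      # bare address without a display name
        return "", value.strip()
    name = m.group("name").strip().strip('"\'')
    return name, m.group("addr").strip()


def evaluate(value):
    """Return the thread's three meta rules as booleans for one From: value."""
    name, addr = split_from(value)
    name_contains_at = "@" in name                       # __FROM_NAME_CONTAINS_AT
    multiple_addr = re.search(r"\s", addr) is not None   # __FROM_MULTIPLE_ADDR
    token = ADDR_TOKEN.fullmatch(name)                   # display name IS an address
    name_contains_address = token is not None            # __FROM_NAME_CONTAINS_ADDRESS
    name_address_equal = token is not None and token.group(0).lower() == addr.lower()
    return {
        "FROM_SPOOF_SENDER1": name_contains_at and multiple_addr,
        "FROM_SPOOF_SENDER2": name_contains_address and not name_address_equal,
        "FROM_ADDRESS_TWICE": name_contains_address and name_address_equal,
    }


if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        hits = [k for k, v in evaluate(hdr).items() if v]
        print(f"{label:7s} {hits or '-'}")
```

Only FROM_ADDRESS_TWICE fires on a sender who merely typed their address into the name field, which is the case Jakob suggests scoring slightly negative.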



Whitelisting Mails depend of Receiving Headers

2017-10-05 Thread sebastian

Hi @all,

I want to add +100 points for some mails which have a special "Received 
header".


How can I do this?

For example - if any message contains "from lists.uni-leipzig.de", 
spamassassin should have a rule for adding +100 points.




Received: from lists.uni-leipzig.de (lists.uni-leipzig.de [139.18.1.37])


Tnx

Sebastian


Re: Whitelisting Mails depend of Receiving Headers

2017-10-05 Thread David Jones

On 10/05/2017 09:45 AM, sebast...@debianfan.de wrote:

> Hi @all,
> 
> I want to add +100 points for some mails which have a special "Received 
> header".




Based on the subject, I assume you meant you want to subtract 100 points.


> How can I do this?
> 
> For example - if any message contains "from lists.uni-leipzig.de", 
> spamassassin should have a rule for adding +100 points.
> 
> Received: from lists.uni-leipzig.de (lists.uni-leipzig.de [139.18.1.37])




There are multiple ways to do this.  The simplest would be an entry like:

whitelist_from_rcvd em...@addr.ess [139.18.1.37]

You will have to find a common "em...@addr.ess" based on the full 
message headers.  Most list servers will have something consistent that 
you can put there like *@lists.uni-leipzig.de.  If you post the entire 
headers to pastebin.com and send us a link, we can help better.



> Tnx
> 
> Sebastian


--
David Jones
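What the whitelist_from_rcvd line above buys over a plain address whitelist is that the sender address only counts when the mail really arrived from the listed relay. The Python below is an added, simplified model of that check (not SpamAssassin's implementation and not David's or the project's code): the message, the internal MX 192.0.2.10 and the *@lists.uni-leipzig.de glob are constructed or assumed; only the lists.uni-leipzig.de relay line follows the one Sebastian posted.

```python
import fnmatch
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message, not from the thread. The middle Received: line copies
# the shape of the one Sebastian posted; all other hosts and IPs are made up.
RAW = """\
Received: from mx1.internal.example (mx1.internal.example [192.0.2.10])
    by mailbox.internal.example with ESMTP; Thu, 5 Oct 2017 16:45:00 +0200
Received: from lists.uni-leipzig.de (lists.uni-leipzig.de [139.18.1.37])
    by mx1.internal.example with ESMTP; Thu, 5 Oct 2017 16:44:58 +0200
Received: from some.host.example (some.host.example [203.0.113.5])
    by lists.uni-leipzig.de with ESMTP; Thu, 5 Oct 2017 16:44:50 +0200
From: Some User <listowner@lists.uni-leipzig.de>
"""
# Same From: address, but handed to our border by a different relay.
SPOOFED = RAW.replace("[139.18.1.37]", "[198.51.100.9]")

TRUSTED_RELAYS = {"192.0.2.10"}  # our own MX (assumption)
# Model of: whitelist_from_rcvd *@lists.uni-leipzig.de [139.18.1.37]
WHITELIST_RCVD = [("*@lists.uni-leipzig.de", "139.18.1.37")]
RCVD_IP = re.compile(r"^from\s+\S+\s+\([^)]*\[([0-9.]+)\]\)")


def first_untrusted_relay(msg):
    """Walk Received: headers newest-first and return the IP of the first hop
    that is not ours, i.e. the host that handed the message to our border."""
    for rcvd in msg.get_all("Received", []):
        m = RCVD_IP.match(" ".join(rcvd.split()))  # unfold the header first
        if m and m.group(1) not in TRUSTED_RELAYS:
            return m.group(1)
    return None


def whitelisted(msg):
    """True only when the From: address matches a listed glob AND the message
    really came in from the relay listed for it; a forged From: alone fails."""
    _, addr = parseaddr(msg.get("From", ""))
    relay = first_untrusted_relay(msg)
    return any(fnmatch.fnmatch(addr.lower(), glob) and relay == ip
               for glob, ip in WHITELIST_RCVD)


def check(raw):
    return whitelisted(message_from_string(raw))


def relay_of(raw):
    return first_untrusted_relay(message_from_string(raw))
```

Run `check(RAW)` and `check(SPOOFED)`: the first is whitelisted, the second is not although its From: is identical.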


tflags repeated

2017-10-05 Thread Matus UHLAR - fantomas

Hello,

when "tflags" is repeated (e.g. in local.cf and /var/lib/spamassassin), 
are all flags set or does the next appearance clear flags set formerly?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
A day without sunshine is like, night.


Rule triggering more than once

2017-10-05 Thread Richard Nairn
I am using a rule to detect email with very long links included as I 
have seen that those are mostly spam. Some of the messages will include 
many copies of the link.


Is there a way to write a meta rule that detects multiple instances of 
the same rule?




Re: Rule triggering more than once

2017-10-05 Thread Bill Cole

On 5 Oct 2017, at 11:21, Richard Nairn wrote:

> I am using a rule to detect email with very long links included as I 
> have seen that those are mostly spam. Some of the messages will 
> include many copies of the link.
> 
> 
> Is there a way to write a meta rule that detects multiple instances of 
> the same rule?


Quoting the documentation for Mail::SpamAssassin::Conf, from the section 
documenting "tflags":


multiple
The test will be evaluated multiple times, for use with meta
rules. Only affects header, body, rawbody, uri, and full tests.

maxhits=N
If multiple is specified, limit the number of hits found to N.
If the rule is used in a meta that counts the hits (e.g.
__RULENAME > 5), this is a way to avoid wasted extra work (use
"tflags multiple maxhits=6").

For example:

  uri      __KAM_COUNT_URIS /^./
  tflags   __KAM_COUNT_URIS multiple maxhits=16
  describe __KAM_COUNT_URIS A multiple match used to count URIs in a message

  meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
  meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
  meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
  meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
  meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
  meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)