Re: Malformed List-id

2018-05-02 Thread Benny Pedersen

Kenneth Porter wrote on 2018-05-03 02:18:

> I'm having very good results with this rule. I'm scoring it at 5 with
> no false positives. The high negative score for a legitimate looking
> List-id will file it into my List/Unknown folder for new lists and for
> any spammers trying to abuse this, so it's not a problem for my
> personal filtering.
>
> # a properly-formatted List-id looks like a correspondent
> # (to/from) header but @ replaced by dot
> # ie. list-name.domain
>
> header __KP_LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)?(\.[\w-]+)+>/

List-Id:

valid or invalid ? :=)

> describe KP_LIST_ID_DOMAIN_IN_BRACKETS List-id has domain in angle brackets
> meta   KP_LIST_ID_DOMAIN_IN_BRACKETS __KP_LIST_ID_DOMAIN_IN_BRACKETS
> score  KP_LIST_ID_DOMAIN_IN_BRACKETS -15.0

valid ?

> describe KP_LIST_ID_IMPROPER_FORMAT List-id has improper format
> meta   KP_LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__KP_LIST_ID_DOMAIN_IN_BRACKETS
> score  KP_LIST_ID_IMPROPER_FORMAT 5.0

I would like developers to begin to make use of
Mail::SpamAssassin::Maillist.pm

if it exists, there are too many definitions of maillists already in rule
sets, and none use maillist.pm


Malformed List-id

2018-05-02 Thread Kenneth Porter
I'm having very good results with this rule. I'm scoring it at 5 with no 
false positives. The high negative score for a legitimate looking List-id 
will file it into my List/Unknown folder for new lists and for any spammers 
trying to abuse this, so it's not a problem for my personal filtering.


# a properly-formatted List-id looks like a correspondent
# (to/from) header but @ replaced by dot
# ie. list-name.domain

header __KP_LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)?(\.[\w-]+)+>/


describe KP_LIST_ID_DOMAIN_IN_BRACKETS List-id has domain in angle brackets
meta   KP_LIST_ID_DOMAIN_IN_BRACKETS __KP_LIST_ID_DOMAIN_IN_BRACKETS
score  KP_LIST_ID_DOMAIN_IN_BRACKETS -15.0

describe KP_LIST_ID_IMPROPER_FORMAT List-id has improper format
meta   KP_LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__KP_LIST_ID_DOMAIN_IN_BRACKETS
score  KP_LIST_ID_IMPROPER_FORMAT 5.0
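
Added example (not part of Kenneth Porter's post and not SpamAssassin code): a Python re-implementation of the two meta rules above, run over constructed messages to show which List-Id shapes earn -15.0 and which earn 5.0. It assumes `__HAS_LIST_ID` means "a List-Id header is present"; the function names and sample messages are made up for illustration.

```python
import re
from email import message_from_string

# Same pattern as the __KP_LIST_ID_DOMAIN_IN_BRACKETS header rule in the post.
# re.ASCII keeps \w to [A-Za-z0-9_].
DOMAIN_IN_BRACKETS = re.compile(r"<([\w-]+)?(\.[\w-]+)+>", re.ASCII)

# Scores as posted.
SCORES = {
    "KP_LIST_ID_DOMAIN_IN_BRACKETS": -15.0,
    "KP_LIST_ID_IMPROPER_FORMAT": 5.0,
}

# Constructed sample messages; example.org names are placeholders.
SAMPLES = {
    "rfc2919": "From: a@example.org\nList-Id: Example Users <users.lists.example.org>\n\nhi\n",
    "folded": "From: a@example.org\nList-Id: Example Users\n <users.lists.example.org>\n\nhi\n",
    "address_style": "From: a@example.org\nList-Id: <users@lists.example.org>\n\nhi\n",
    "no_brackets": "From: a@example.org\nList-Id: users.lists.example.org\n\nhi\n",
    # The first label is optional in the pattern, so this still matches.
    "empty_label": "From: a@example.org\nList-Id: <.example.org>\n\nhi\n",
    "no_list_id": "From: a@example.org\nSubject: hello\n\nhi\n",
}


def list_id_hits(raw_message):
    """Return the names of the KP_LIST_ID_* rules that would fire."""
    msg = message_from_string(raw_message)
    values = msg.get_all("List-Id") or []  # header lookup is case-insensitive
    # Unfold continuation lines, then test all List-Id values together.
    text = "\n".join(re.sub(r"\r?\n[ \t]+", " ", v) for v in values)
    has_list_id = bool(values)  # assumption: __HAS_LIST_ID is a presence test
    in_brackets = bool(DOMAIN_IN_BRACKETS.search(text))
    hits = []
    if in_brackets:
        hits.append("KP_LIST_ID_DOMAIN_IN_BRACKETS")
    if has_list_id and not in_brackets:
        hits.append("KP_LIST_ID_IMPROPER_FORMAT")
    return hits


def list_id_score(raw_message):
    """Sum the posted scores for the rules that fire."""
    return sum(SCORES[name] for name in list_id_hits(raw_message))


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14} {list_id_score(raw):6.1f} {list_id_hits(raw)}")
```
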



Re: OFF-TOPIC: Re: Just to lighten your day?

2018-05-02 Thread John Hardin

On Wed, 2 May 2018, Dianne Skoll wrote:

> On Wed, 2 May 2018 15:32:50 -0500 (CDT)
> David B Funk  wrote:
>
> [...]
>
>> The first three terminations weren't good enough, so we're going to
>> do it one more time. And if -that- one doesn't do it, we'll proceed
>> to the final ultimate termination...
>
> As in "I'm not dead yet!" from Spamalot? :)

Or maybe "He's still moving towards the keyboard! LART him again!"

It is, after all, supposedly from IT...

> Regrads (dammti...),
>
> Dianne.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Efficiency can magnify good, but it magnifies evil just as well.
  So, we should not be surprised to find that modern electronic
  communication magnifies stupidity as *efficiently* as it magnifies
  intelligence.   -- Robert A. Matern
---
 6 days until the 73rd anniversary of VE day


OFF-TOPIC: Re: Just to lighten your day?

2018-05-02 Thread Dianne Skoll
On Wed, 2 May 2018 15:32:50 -0500 (CDT)
David B Funk  wrote:

[...]

> The first three terminations weren't good enough, so we're going to
> do it one more time. And if -that- one doesn't do it, we'll proceed
> to the final ultimate termination...

As in "I'm not dead yet!" from Spamalot? :)

Regrads (dammti...),

Dianne.



Re: Just to lighten your day?

2018-05-02 Thread David B Funk

On Wed, 2 May 2018, John Hardin wrote:

> On Wed, 2 May 2018, David Jones wrote:
>
>> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>>> One slipped through, with this subtle sig line (thought it might brighten
>>> someone's day . . . )
>>>
>>> "Note: Failure to Verify will lead to final termination of your email
>>> account.
>>>
>>> Technical Team
>>> Email Administrator
>>> All Right Reversed 2018.(c)"
>>
>> Please post the full email, with all headers, minimally redacted to
>> pastebin.com and send us a link.
>
> You need your humor detector recalibrated.

His humor detector caught that one. He didn't say if it caught the one in the
body of the message:

   "will lead to final termination of your email"

The first three terminations weren't good enough, so we're going to do it one
more time. And if -that- one doesn't do it, we'll proceed to the final ultimate
termination...


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Just to lighten your day?

2018-05-02 Thread John Hardin

On Wed, 2 May 2018, David Jones wrote:

> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>> One slipped through, with this subtle sig line (thought it might brighten
>> someone's day . . . )
>>
>> "Note: Failure to Verify will lead to final termination of your email
>> account.
>>
>> Technical Team
>> Email Administrator
>> All Right Reversed 2018.(c)"
>
> Please post the full email, with all headers, minimally redacted to
> pastebin.com and send us a link.

You need your humor detector recalibrated.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  A good high-school education is still essential,
  and college is where you go to get one.-- MiddleAgedKen
---
 6 days until the 73rd anniversary of VE day


Re: Just to lighten your day?

2018-05-02 Thread David B Funk

On Wed, 2 May 2018, Joe Acquisto-j4 wrote:

> On 5/2/2018 at 2:57 PM, in message
> <0e5889ab-b61a-36ba-6b28-549f2c365...@ena.com>, David Jones
> wrote:
>
>> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>>
>>> One slipped through, with this subtle sig line (thought it might brighten
>>> someone's day . . . )
>>>
>>> "Note: Failure to Verify will lead to final termination of your email
>>> account.
>>>
>>> Technical Team
>>> Email Administrator
>>> All Right Reversed 2018.(c)"
>>
>> Please post the full email, with all headers, minimally redacted to
>> pastebin.com and send us a link.
>>
>> --
>> David Jones
>
> It's been a while, but I think I did it properly:
>
> https://pastebin.com/Sw8R0QPe


Do you have the DecodeShortURLs plugin installed in your SA?

The target of that tinyurl.com is listed in URIBLs and SA will fire on it if you 
have DecodeShortURLs functional.


For that message I get:

hecker-Version SpamAssassin 3.4.1 (2015-04-28) on s-l107.engr.uiowa.edu
Content analysis details:   (8.1 points, 6.0 required, autolearn=no)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HAS_SHORT_URL          Message contains one or more shortened URLs
 2.5 SEM_FRESH              Contains a domain registered less than 5 days ago
                            [URIs: erumsadet.info]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [40.92.2.16 listed in list.dnswl.org]
 0.1 L_BANK_PHISH3          BODY: Possible bank phish
 0.3 L_UI_PHISHb3           BODY: possible email acct phish
 0.0 T__BOTNET_NOTRUST      Message has no trusted relays
 0.9 FORGED_HOTMAIL_RCVD2   hotmail.com 'From' address, but no 'Received:'
 0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                            [botnet_ipinhosntame,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
 0.0 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
                            [40.92.2.16 listed in hostkarma.junkemailfilter.com]
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: erumsadet.info]
 0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
                            [botnet_serverwords,ip=40.92.2.16,rdns=mail-oln040092002016.outbound.protection.outlook.com]
 0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                            provider
                            (jln4deafkids[at]hotmail.com)
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.6 SARE_HTML_COLOR_B      RAW: BAD STYLE: color: too light (rgb(n))
 0.0 T__KAM_SHORT           KAM URL shortner fired
 0.8 KAM_INFOUSMEBIZ        Prevalent use of .info|.us|.me|.me.uk|.biz domains
                            in spam/malware
 0.0 T__FROM_OUTLOOK        From microsoft outlook/hotmail servers
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 T__RECEIVED_2          More than one untrusted relay
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.2 L_FROM_OUTLOOK         From microsoft outlook/hotmail servers




--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Just to lighten your day?

2018-05-02 Thread Joe Acquisto-j4
>>> On 5/2/2018 at 2:57 PM, in message
<0e5889ab-b61a-36ba-6b28-549f2c365...@ena.com>, David Jones 
wrote:
> On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:
>> One slipped through, with this subtle sig line (thought it might brighten
>> someone's day . . . )
>>
>> "Note: Failure to Verify will lead to final termination of your email
>> account.
>>
>> Technical Team
>> Email Administrator
>> All Right Reversed 2018.(c)"
>>
>
> Please post the full email, with all headers, minimally redacted to 
> pastebin.com and send us a link.
> 
> -- 
> David Jones

It's been a while, but I think I did it properly:

https://pastebin.com/Sw8R0QPe





Re: Just to lighten your day?

2018-05-02 Thread David Jones

On 05/02/2018 01:21 PM, Joe Acquisto-j4 wrote:

> One slipped through, with this subtle sig line (thought it might brighten
> someone's day . . . )
>
> "Note: Failure to Verify will lead to final termination of your email account.
>
> Technical Team
> Email Administrator
> All Right Reversed 2018.(c)"



Please post the full email, with all headers, minimally redacted to 
pastebin.com and send us a link.


--
David Jones


Just to lighten your day?

2018-05-02 Thread Joe Acquisto-j4
One slipped through, with this subtle sig line (thought it might brighten
someone's day . . . )

"Note: Failure to Verify will lead to final termination of your email account.

Technical Team
Email Administrator
All Right Reversed 2018.(c)"