Re: SpamSender with 2 @-signs in the address
On 12/3/18 6:08 PM, RW wrote:
> I think, as the name suggests, that was multiple "bangs" (a bang being the character "!"),

I was implying routing like UUCP bang paths. As in host 1 via host 2 via host 3.

Check out (source) route addressing in RFC 822 §§ 6.1 (Address Specification) Syntax, 6.2.7 - Explicit Path Specification, and C.5.4 - Route Addressing. § C.5.4 makes back reference to RFC 733 and I found info in § IV.A.1.f.

RFC 822 deprecated the source route addressing in 1982. But it was officially defined.

> I think an @ can be a part of a local-part, but it is really about usage.

As far as I know, (other than LONG deprecated source routing) the @ character is a reserved special character and can't be used as part of the local part.

> I wonder if there is a point to it? Is there a client that ends-up displaying something misleading?

The reason for the multiple @ signs in an actual email address (not human friendly name / description) was to route email through servers. Similar to the way that UUCP bang paths work. According to my skim of RFC 733, it was primarily used for routing through disparate networks with few points of interconnection.

Route Addressing may be deprecated, but it seems to still work. I just sent a message from my mail server (MSA), to my backup MX, back to my main MTA (same machine as the MSA) via route addressing and it worked. The syntax is a bit odd, but it does still work.

--
Grant. . . .
unix || die
Re: SpamSender with 2 @-signs in the address
On 3 Dec 2018, at 16:26, Grant Taylor wrote:
> I know that it's strictly against protocol definition, but I've wondered
> about applying SPF and / or DKIM and / or DMARC to apparent email addresses
> in the human friendly part of From: headers.

DKIM and DMARC *ONLY* operate on headers, *NEVER* on the envelope.

--
Bill Cole
Re: SpamSender with 2 @-signs in the address
On Mon, 3 Dec 2018 11:15:44 -0700 Grant Taylor wrote:
> I think a LONG time ago, likely before SpamAssassin was a thing, it
> was valid to have multiple @ signs in an email address. This was a
> method of routing messages through other servers. Think UUCP bang
> path.

I think, as the name suggests, that was multiple "bangs" (a bang being the character "!"),

> I don't think the multiple @ signs have worked in a very long time.
> So I see no reason not to add score based on multiple @ signs. Or if
> there is a legitimate use for it, it should be extremely rare and the
> false positive rate should be acceptable.

I think an @ can be a part of a local-part, but it is really about usage.

I wonder if there is a point to it? Is there a client that ends-up displaying something misleading?
Re: SpamSender with 2 @-signs in the address
On Mon, 3 Dec 2018, Alan Hodgson wrote:
> On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote:
>> Yeah, I see all these same things. Better to test against From:addr
>> rather than the full From: Perhaps something like:
>>
>> From:addr =~ /\@[^\s]+\@/
>>
>> Of course, there might still be legit cases of that kind of usage.
>
> The problem though for phishes is that some user agents (ie. Outlook) only display the quoted user-friendly part of the address, not the rest of the From: header. So phishers specifically put a fake @domainbeingphished.com in quotes so your users will see that.

There were several different plugins started about a year ago to detect that sort of thing. I know of:

https://github.com/enkidushane/sa-frommismatch
https://github.com/fmbla/spamassassin-fromnamespoof

and I think someone has implemented some of this in a regex rule, but I don't recall off the top of my head who that was.

--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines | sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
Re: SpamSender with 2 @-signs in the address
On 12/03/2018 01:51 PM, Alan Hodgson wrote:
> The problem though for phishes is that some user agents (ie. Outlook) only display the quoted user-friendly part of the address, not the rest of the From: header. So phishers specifically put a fake @domainbeingphished.com in quotes so your users will see that.

I know that it's strictly against protocol definition, but I've wondered about applying SPF and / or DKIM and / or DMARC to apparent email addresses in the human friendly part of From: headers.

I know that this is actively discouraged, but I do not consider it to be outside of the realm of consideration /if/ this was a large enough problem on my server.

It's your server and you're free to break other people's rules as you see fit. My only request is that you be honest about the fact that you break the rules. ;-)

--
Grant. . . .
unix || die
Re: SpamSender with 2 @-signs in the address
On Mon, 2018-12-03 at 13:17 -0600, sha...@shanew.net wrote:
> Yeah, I see all these same things. Better to test against From:addr
> rather than the full From: Perhaps something like:
>
> From:addr =~ /\@[^\s]+\@/
>
> Of course, there might still be legit cases of that kind of usage.

The problem though for phishes is that some user agents (ie. Outlook) only display the quoted user-friendly part of the address, not the rest of the From: header. So phishers specifically put a fake @domainbeingphished.com in quotes so your users will see that.

I don't think I've ever seen multiple @'s in any single address part, not since the mid-90s anyway. It would definitely be safe to block on that for any single address.
Re: SpamSender with 2 @-signs in the address
On 12/03/2018 12:17 PM, sha...@shanew.net wrote:
> Of course, there might still be legit cases of that kind of usage.

I would think that the legit cases are far apart and few in between. I would expect a very low false positive rate on rules to match multiple @ signs.

--
Grant. . . .
unix || die
Re: SpamSender with 2 @-signs in the address
On 12/03/2018 12:38 PM, David B Funk wrote:
> Are you talking about the SMTP-envelope From address or the 'Header' from addresses?

I was originally talking about email addresses in general, be it the SMTP envelope from address or the machine parsable part of the From: header, between the angle brackets.

Then when Alan commented about an @ sign in the human friendly portion and the machine parsable part of the From: header, I clarified that I was excluding the human friendly portion of the From: header.

> It's possible to set those two different pieces of information to the same value but note that they are -not- the same attribute.

Agreed.

> Depending upon how your SA is glued into your mail system your SA may not even have any visibility into the SMTP-envelope From address.

Understood. It's my understanding that spamass-milter provides the envelope details to SpamAssassin. - I thought (assumed?) that SpamAssassin was treating the SMTP envelope information properly and independently of the From: header.

> Under ordinary circumstances you will not see the SMTP-envelope From address in an e-mail message.

Typically not. But I've seen it there in a few different ways. Usually an extra site local header with the envelope information. It's also frequently possible to derive the SMTP recipient if there is only one and it's encoded in the most recent Received: header.

> All the parts you see following that "From: " header element in a message are the 'Header' from.

Agreed.

> That's the "from:addr" component of the header from address.

ACK

--
Grant. . . .
unix || die
Re: SpamSender with 2 @-signs in the address
On Mon, 3 Dec 2018, Grant Taylor wrote:
> On 12/03/2018 11:53 AM, Alan Hodgson wrote:
>> I've been watching these for a while, and unfortunately there are a lot of customer-service type systems that send From: addresses with quoted @domain addresses in them. Many of them do "user@address via" , but not all.
>
> Sorry, I was talking about the SMTP envelope. The unquoted part between angle brackets.

Are you talking about the SMTP-envelope From address or the 'Header' from addresses?

It's possible to set those two different pieces of information to the same value but note that they are -not- the same attribute.

Depending upon how your SA is glued into your mail system your SA may not even have any visibility into the SMTP-envelope From address.

Under ordinary circumstances you will not see the SMTP-envelope From address in an e-mail message. All the parts you see following that "From: " header element in a message are the 'Header' from.

[snip...]

>> So you will definitely get false positives just looking at @'s.
>
> I was talking about only counting the @ signs in the unquoted part between angle brackets. The in the following example.

That's the "from:addr" component of the header from address.

--
Dave Funk                               University of Iowa
319/335-5751 FAX: 319/384-0549          College of Engineering
1256 Seamans Center                     Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: SpamSender with 2 @-signs in the address
Yeah, I see all these same things. Better to test against From:addr rather than the full From: Perhaps something like:

From:addr =~ /\@[^\s]+\@/

Of course, there might still be legit cases of that kind of usage.

On Mon, 3 Dec 2018, Alan Hodgson wrote:
> On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote:
>> I don't think the multiple @ signs have worked in a very long time. So I see no reason not to add score based on multiple @ signs. Or if there is a legitimate use for it, it should be extremely rare and the false positive rate should be acceptable.
>
> I've been watching these for a while, and unfortunately there are a lot of customer-service type systems that send From: addresses with quoted @domain addresses in them. Many of them do "user@address via" , but not all.
>
> And then there are the messages with 2 different From: addresses within <>'s in them. I see those from Gmail sometimes.
>
> And I see quite a few messages where the actual sender address is given in quotes and then followed by the same address in <>'s.
>
> So you will definitely get false positives just looking at @'s.
>
> I've excluded the ones with " via" in them and add a bunch of extra points if they come from phishy countries or have .doc or .pdf attachments, and that hits fewer fps. And I'm only scoring if the domain parts don't match.

--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines | sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
Re: SpamSender with 2 @-signs in the address
On 12/03/2018 11:53 AM, Alan Hodgson wrote:
> I've been watching these for a while, and unfortunately there are a lot of customer-service type systems that send From: addresses with quoted @domain addresses in them. Many of them do "user@address via" , but not all.

Sorry, I was talking about the SMTP envelope. The unquoted part between angle brackets.

> And then there are the messages with 2 different From: addresses within <>'s in them. I see those from Gmail sometimes.

I've heard tell of these, but I've not seen one myself. But I'm a SOHO operator.

> And I see quite a few messages where the actual sender address is given in quotes and then followed by the same address in <>'s.

I don't see any overt problem with that. Though I do think the address in the human friendly quote is unnecessary and redundant.

> So you will definitely get false positives just looking at @'s.

I was talking about only counting the @ signs in the unquoted part between angle brackets. The in the following example.

From: "John Doe "

> I've excluded the ones with " via" in them and add a bunch of extra points if they come from phishy countries or have .doc or .pdf attachments, and that hits fewer fps. And I'm only scoring if the domain parts don't match.

I feel like the contents of the human friendly quoted part of the From: header should be subject to different and distinct scrutiny than the machine parsable part outside of quotes.

--
Grant. . . .
unix || die
Re: SpamSender with 2 @-signs in the address
On Mon, 2018-12-03 at 11:15 -0700, Grant Taylor wrote:
> I don't think the multiple @ signs have worked in a very long time. So
> I see no reason not to add score based on multiple @ signs. Or if there
> is a legitimate use for it, it should be extremely rare and the false
> positive rate should be acceptable.

I've been watching these for a while, and unfortunately there are a lot of customer-service type systems that send From: addresses with quoted @domain addresses in them. Many of them do "user@address via" , but not all.

And then there are the messages with 2 different From: addresses within <>'s in them. I see those from Gmail sometimes.

And I see quite a few messages where the actual sender address is given in quotes and then followed by the same address in <>'s.

So you will definitely get false positives just looking at @'s.

I've excluded the ones with " via" in them and add a bunch of extra points if they come from phishy countries or have .doc or .pdf attachments, and that hits fewer fps. And I'm only scoring if the domain parts don't match.
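The heuristics the thread converges on, pulled together in one added Python example (this is not code from the thread, from the linked plugins, or from SpamAssassin): count @ signs only in the addr-spec between the angle brackets, which is what the `From:addr =~ /\@[^\s]+\@/` rule sees; look separately at address-looking strings in the display name, which is what an Outlook-style client shows; skip the "user@address via" form that customer-service relays use; score only when the display-name domain differs from the real one; and set aside a legacy RFC 822 route prefix so a rare source-routed address is not mistaken for a doubled one. The header samples and `.example` domains are constructed, and `split_from`, `analyze` and `sa_from_addr_rule_hits` are names chosen here, not SpamAssassin API.

```python
import re

# Angle-addr form: optional display name, then <...>.
ANGLE_RE = re.compile(r'^(?P<name>.*?)\s*<(?P<angle>[^<>]*)>\s*$', re.S)
# Legacy RFC 822 route prefix inside the angle brackets: @host1,@host2:addr-spec
ROUTE_RE = re.compile(r'^(?:@[^,:]+,)*@[^,:]+:')
# Address-looking tokens that a phisher (or a customer-service system)
# may embed in the display name.
EMBEDDED_ADDR_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
# Python rendering of the thread's rule, applied to From:addr only:
#   From:addr =~ /\@[^\s]+\@/
SA_FROM_ADDR_RE = re.compile(r'@[^\s]+@')


def split_from(header):
    """Split a From: header into (display_name, route, addr_spec).

    Only addr_spec is the machine-parsable part SpamAssassin exposes as
    From:addr; the display name is what Outlook-style clients show.
    """
    m = ANGLE_RE.match(header.strip())
    if not m:
        # Bare addr-spec with no display name and no angle brackets.
        return '', '', header.strip()
    name = m.group('name').strip()
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]
    angle = m.group('angle').strip()
    route = ''
    r = ROUTE_RE.match(angle)
    if r:
        route, angle = r.group(0), angle[r.end():]
    return name, route, angle


def domain_of(addr):
    return addr.rpartition('@')[2].lower()


def sa_from_addr_rule_hits(addr_spec):
    """True when the thread's regex would fire on this From:addr value."""
    return SA_FROM_ADDR_RE.search(addr_spec) is not None


def analyze(header):
    """Classify one From: header along the lines discussed in the thread."""
    name, route, spec = split_from(header)
    embedded = EMBEDDED_ADDR_RE.findall(name)
    # Customer-service relays commonly write "user@address via ..." in the
    # display name; the thread excludes those to cut false positives.
    via = re.search(r'\bvia\b', name, re.I) is not None
    mismatch = [a for a in embedded if domain_of(a) != domain_of(spec)]
    return {
        'display_name': name,
        'route': route,
        'addr_spec': spec,
        'addr_spec_at_count': spec.count('@'),
        'multi_at_addr_spec': spec.count('@') > 1,
        'embedded_addrs': embedded,
        'name_domain_mismatch': bool(mismatch) and not via,
    }


if __name__ == '__main__':
    # Constructed samples; every domain under .example is a placeholder.
    samples = [
        '"Jane Roe - Acme GmbH j.roe@acme.example" <random@other.example>',
        '"Acme Support support@acme.example via helpdesk" <notify@helpdesk.example>',
        '"user@acme.example" <user@acme.example>',
        '<@relay1.example,@relay2.example:user@acme.example>',
        '<user@acme.example@evil.example>',
    ]
    for s in samples:
        r = analyze(s)
        print(f"{s}\n  addr_spec={r['addr_spec']!r} at={r['addr_spec_at_count']} "
              f"route={r['route']!r} mismatch={r['name_domain_mismatch']} "
              f"sa_rule={sa_from_addr_rule_hits(r['addr_spec'])}")
```

The first sample is the shape of the phish that opened the thread: one @ in the addr-spec, so the From:addr rule stays quiet, but the display name carries an address whose domain differs from the real one, which is the condition Alan scores on. The route sample shows the one legitimate case Grant describes: the raw text between the angle brackets does contain two @ signs and would trip the From:addr regex, while the analyzer strips the route and reports a single-@ addr-spec.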
Re: SpamSender with 2 @-signs in the address
On 12/03/2018 09:56 AM, Andreas Galatis wrote:
> How come spamassassin doesn't block mailsenders with 2 @-signs in the address?

First: I don't think that SpamAssassin should block anything on any single (normal) test. IMHO it should increment the spam score and something should decide to accept or reject the message based on the aggregate spam score from all the tests.

I think a LONG time ago, likely before SpamAssassin was a thing, it was valid to have multiple @ signs in an email address. This was a method of routing messages through other servers. Think UUCP bang path.

> Is there any possibility to stop those mails, all of them having word-docs attached, containing a trojan horse?

I don't think the multiple @ signs have worked in a very long time. So I see no reason not to add score based on multiple @ signs. Or if there is a legitimate use for it, it should be extremely rare and the false positive rate should be acceptable.

--
Grant. . . .
unix || die
Re: SpamSender with 2 @-signs in the address
On Mon, 3 Dec 2018, Andreas Galatis wrote:
> since several weeks I keep getting mails with sender-addresses like
> "Harald Wieruch - Top Ten GmbH h.wieruch@top10ten.comxandra.hennem...@metco-gmbh.de"
> The first part "Harald Wieruch - Top Ten GmbH h.wier...@top10ten.com" stays the same, everything behind this address changes.
> How come spamassassin doesn't block mailsenders with 2 @-signs in the address?

Trivial answer: because there is no poison-pill rule for that being published.

> Is there any possibility to stop those mails, all of them having word-docs attached, containing a trojan horse?

A rule can certainly be written for that, but if it doesn't occur in the masscheck corpus then that rule won't be promoted and published.

> Any help is very welcome

If you could post a spample to pastebin (modify the recipient address as needed to maintain privacy, but don't change anything else) it would help writing a rule that actually does match.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...in the 2nd amendment the right to arms clause means you have the right to choose how many arms you want, and the militia clause means that Congress can punish you if the answer is "none." -- David Hardy, 2nd Amendment scholar
---
4 days until The 77th anniversary of Pearl Harbor
SpamSender with 2 @-signs in the address
Hi list,

since several weeks I keep getting mails with sender-addresses like
"Harald Wieruch - Top Ten GmbH h.wieruch@top10ten.comxandra.hennem...@metco-gmbh.de"

The first part "Harald Wieruch - Top Ten GmbH h.wier...@top10ten.com" stays the same, everything behind this address changes.

How come spamassassin doesn't block mailsenders with 2 @-signs in the address?

Is there any possibility to stop those mails, all of them having word-docs attached, containing a trojan horse?

Any help is very welcome

Andreas
[SA 3.4.2] sa-update doesn't see custom channel
Hi!

I have a problem with sa-update and my own channel. sa-update queries for the A record of a strange domain:

# /usr/bin/sa-update --channel sa.mejor.pl --no-gpg -vv
DNS TXT query: 2.4.3.sa.mejor.pl -> 3209
Update available for channel sa.mejor.pl: -1 -> 3209
DNS A query update.sa.mejor.pl/sa-updates failed: NXDOMAIN
DNS query update.sa.mejor.pl/sa-updates failed: NXDOMAIN
channel: could not find working mirror, channel failed
Update failed, exiting with code 4

and this is what the local resolver logged:

2018-12-03T15:35:42.613624+01:00 jowisz unbound: [8540:0] info: 127.0.0.1 update.sa.mejor.pl?sa-updates. A IN
2018-12-03T15:35:42.617145+01:00 jowisz unbound: [8540:0] info: 127.0.0.1 update.sa.mejor.pl?sa-updates. IN

Why does sa-update query for the update.sa.mejor.pl?sa-updates (or update.sa.mejor.pl/sa-updates) domain?

I just ran sa-update in debug mode; I paste the relevant parts:

[...]
Dec 3 15:40:10.955 [24739] dbg: channel: attempting channel sa.mejor.pl
Dec 3 15:40:10.955 [24739] dbg: channel: using existing directory /var/lib/spamassassin/3.004002/sa_mejor_pl
Dec 3 15:40:10.955 [24739] dbg: channel: channel cf file /var/lib/spamassassin/3.004002/sa_mejor_pl.cf
Dec 3 15:40:10.955 [24739] dbg: channel: channel pre file /var/lib/spamassassin/3.004002/sa_mejor_pl.pre
DNS TXT query: 2.4.3.sa.mejor.pl -> 3209
Dec 3 15:40:10.966 [24739] dbg: dns: 2.4.3.sa.mejor.pl => 3209, parsed as 3209
Update available for channel sa.mejor.pl: -1 -> 3209
Dec 3 15:40:10.967 [24739] dbg: channel: preparing temp directory for new channel
Dec 3 15:40:10.967 [24739] dbg: channel: created tmp directory /tmp/.spamassassin24739FTCF1ttmp
Dec 3 15:40:10.967 [24739] dbg: generic: lint checking site pre files once before attempting channel updates
[...]
Dec 3 15:40:11.189 [24739] dbg: channel: protocol family available: inet,inet6
Dec 3 15:40:11.189 [24739] dbg: channel: reading MIRRORED.BY file /var/lib/spamassassin/3.004002/sa_mejor_pl/MIRRORED.BY
Dec 3 15:40:11.189 [24739] dbg: channel: parsing MIRRORED.BY file for channel sa.mejor.pl
Dec 3 15:40:11.189 [24739] dbg: channel: found mirror http://update.sa.mejor.pl/sa-updates/
Dec 3 15:40:11.193 [24739] dbg: dns: query failed: update.sa.mejor.pl/sa-updates => NXDOMAIN
DNS A query update.sa.mejor.pl/sa-updates failed: NXDOMAIN
Dec 3 15:40:11.194 [24739] dbg: dns: query failed: update.sa.mejor.pl/sa-updates => NXDOMAIN
DNS query update.sa.mejor.pl/sa-updates failed: NXDOMAIN
Dec 3 15:40:11.195 [24739] dbg: generic: reject mirror http://update.sa.mejor.pl/sa-updates: no common address family (IPv4 IPv6)
channel: could not find working mirror, channel failed

# cat /var/lib/spamassassin/3.004002/sa_mejor_pl/MIRRORED.BY
http://update.sa.mejor.pl/sa-updates/

Did something change in how a channel should be configured between 3.4.1 and 3.4.2?

Marcin
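To check a custom channel's two inputs the way the log above exercises them, as an added Python example that is not sa-update's own code: `channel_txt_name` builds the TXT name sa-update asks for the current rule version (the SpamAssassin version with its dotted parts reversed, then the channel, which is the `2.4.3.sa.mejor.pl` seen in the log), and `parse_mirrored_by` splits each MIRRORED.BY URL into the host a resolver should be asked for and the path that must never reach it, so the two can be tested separately. The MIRRORED.BY content is constructed to mirror the one in the post, the function names are chosen here, and the example makes no claim about why sa-update 3.4.2 queried the path-joined name.

```python
from urllib.parse import urlsplit


def channel_txt_name(channel, version):
    """DNS TXT name sa-update queries for a channel's current rule version:
    the SpamAssassin version with its dotted components reversed, followed
    by the channel name (3.4.2 + sa.mejor.pl -> 2.4.3.sa.mejor.pl)."""
    return '.'.join(reversed(version.split('.'))) + '.' + channel


def parse_mirrored_by(text):
    """Parse MIRRORED.BY into one dict per mirror, separating the DNS host
    from the URL path. Blank lines and '#' comments are skipped; any
    whitespace-separated tokens after the URL (such as weight=N) are kept
    verbatim under 'options'."""
    mirrors = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        url, *options = line.split()
        parts = urlsplit(url)
        if parts.scheme not in ('http', 'https') or not parts.hostname:
            raise ValueError(f'not a usable mirror URL: {url!r}')
        mirrors.append({
            'url': url,
            'scheme': parts.scheme,
            'host': parts.hostname,      # the only thing a resolver should see
            'path': parts.path or '/',   # part of the HTTP request, never of the DNS name
            'options': options,
        })
    return mirrors


def lint_mirrors(mirrors):
    """Return one note per mirror whose path is not the root, so the admin
    can verify host resolution and the path-prefixed fetch separately."""
    notes = []
    for m in mirrors:
        if m['path'] != '/':
            notes.append(f"{m['host']}: non-root path {m['path']} "
                         f"(resolve {m['host']} alone, then fetch {m['url']})")
    return notes


if __name__ == '__main__':
    # Constructed MIRRORED.BY contents, modelled on the one in the post.
    sample = "# custom channel mirrors\nhttp://update.sa.mejor.pl/sa-updates/\n"
    print(channel_txt_name('sa.mejor.pl', '3.4.2'))
    mirrors = parse_mirrored_by(sample)
    for m in mirrors:
        print(m['host'], m['path'], m['options'])
    for note in lint_mirrors(mirrors):
        print(note)
```

With the sample above the host comes out as update.sa.mejor.pl and the path as /sa-updates/; the debug log shows the two fused into one name, which is what the lint note tells you to test in isolation.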