Re: Re: Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-18 Thread Mark London
I asked ChatGPT how to test for a "Dear 'username'".  After a bit of 
work, I got working code.  ChatGPT knows perl.


I already had a Perl file, EvalTests.pm, with customized Perl eval 
functions, so I threw it in there.  Otherwise, you'll need to create 
your own file with the proper headers.


sub check_body_for_username {
    my ($self, $permsgstatus) = @_;

    # First address in To:; if the message went to undisclosed
    # recipients there is nothing to compare against.
    my $to = $permsgstatus->get('To:addr');
    return 0 unless $to;

    # Local part of the recipient address.
    my ($username) = $to =~ /([^@]+)/;
    return 0 unless $username;

    # Check whether the local part is used as the salutation name.
    # The stripped body comes back as rendered paragraphs, so ^ anchors
    # at the start of a paragraph, which is where a salutation sits.
    my $body = $permsgstatus->get_decoded_stripped_body_text_array();
    foreach my $line (@$body) {
        if ($line =~ /^(Dear|Hi|Hello) \Q$username\E\b/i) {
            return 1;
        }
    }
    return 0;
}

# The function has to be registered in the plugin's constructor:
#   $self->register_eval_rule('check_body_for_username');
# Rule definition (note the space between the rule name and "eval:"):
header DEAR_USERNAME eval:check_body_for_username()

On 7/17/2024 11:10 PM, Grant Taylor via users wrote:

On 7/17/24 18:04, Matija Nalis wrote:
I.e. would you consider it to be significantly less likely to be spam 
if it contained "Dear Elizabeth," while being addressed to 
"mark@domain" instead of to "elizabeth@domain" ?


I've seen quite a bit of spam that opens message bodies with:

<greeting> <localpart>,

Where <greeting> is "Dear" or some other greeting, often language 
specific and <localpart> is the local part of the email address.


Something like the following is probably a good indication that it's 
spam:


--8<--
Dear ux37932,

I've missed talking to you, what is your opinion of ? Please 
check it out and let me know what you think.

-->8--

If there was any doubt about the paragraph, the "ux37932" makes it 
quite evident to a human that the name in the salutation is not real.  
This is ESPECIALLY true when the name in the salutation is identical, 
byte for byte, including case, as the local part of the email address.








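As an added example, not the Perl from the post above, here is the same salutation check as standalone Python over constructed messages (none of the addresses or bodies are real mail). It goes slightly beyond the eval rule: it considers every To:/Cc: recipient rather than only the first address, and it distinguishes a byte-for-byte match, which Grant singles out as the strongest signal, from a case-insensitive one.

```python
"""Flag a message whose opening salutation is the recipient's own local part
("Dear ux37932," delivered to ux37932@example.com).  Standard library only."""
import email
import re
from email import policy
from email.utils import getaddresses

# Greeting followed by a single token; trailing punctuation is not part of it.
GREETING = re.compile(r"^\s*(?:dear|hi|hello|hey)\s+(?P<name>[^\s,.!:;]+)",
                      re.IGNORECASE)


def recipient_local_parts(msg):
    """Local parts of every To:/Cc: address, case preserved."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    parts = []
    for _, addr in getaddresses([str(h) for h in headers]):
        if "@" in addr:
            parts.append(addr.split("@", 1)[0])
    return parts


def opening_lines(msg, limit=5):
    """First non-blank lines of the preferred text body (tags stripped for HTML)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return []
    text = body.get_content()
    if body.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)
    return [ln for ln in text.splitlines() if ln.strip()][:limit]


def salutation_match(raw):
    """Return "exact" when the salutation name equals a recipient local part
    byte for byte, "case-insensitive" when it matches ignoring case, else None.
    The exact match is the stronger spam signal: a human writes "Dear Mark",
    not "Dear mark" or "Dear ux37932"."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    locals_ = recipient_local_parts(msg)
    if not locals_:
        return None
    folded = {lp.lower() for lp in locals_}
    for line in opening_lines(msg):
        m = GREETING.match(line)
        if not m:
            continue
        name = m.group("name")
        if name in locals_:
            return "exact"
        if name.lower() in folded:
            return "case-insensitive"
    return None


# Constructed sample messages (not real mail).
SPAM = b"""From: "Anna" <anna@example.net>
To: ux37932@example.com
Subject: hello
Content-Type: text/plain; charset="utf-8"

Dear ux37932,

I've missed talking to you, what is your opinion of my new photos?
"""

HAM = b"""From: Bob <bob@example.net>
To: Mark London <mark@example.com>
Subject: Re: meeting

Dear Elizabeth,

Mark, please pass this on to Elizabeth. See you Tuesday.
"""

MIXED = b"""From: Carol <carol@example.net>
To: mark@example.com
Subject: quick question

Hi MARK, do you have a minute?
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM), ("mixed", MIXED)):
        print(label, salutation_match(raw))
```

The "Dear Elizabeth" message addressed to mark@ returns None, which is the case Matija asks about; the case-insensitive hit is worth a smaller score than the exact one rather than being dropped, since a mailer that lowercases names is rare but not unknown.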
Anyone have a rule to detect "Dear xxx" in the body of the message where the "To:" address is xxx@domain?

2024-07-17 Thread Mark London
Does anyone have a rule to detect "Dear xxx," in the body of the 
message, where the "To:" address is xxx@domain?


We've been getting phishing email sent to us with variations of that. 
Hi, Dear, etc, followed by the username of the address.


Thanks. - Mark


Re: namechep and DOB

2024-07-08 Thread Mark London
Alex - Check out the FROM_FMBLA_NEWDOM rules.  Are you seeing any emails 
hitting them?


In my case, URIBL_RHS_DOB is no longer working at all.   Is this still 
working? - Mark


On 7/8/2024 5:13 PM, Alex wrote:

Hi,

I'm seeing emails from smartlendingclub dot com getting through that 
are clearly spam. It's a namecheap domain registered in the last two 
weeks or so.


IIRC, in the past there was more flexibility with the URIBL_RHS_DOB 
rules to penalize domains recently registered, but now it doesn't 
appear to have hit any rules related to registration dates.


Domain name: smartlendingclub dot com
Registry Domain ID: 2891563192_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com 
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2024-06-17T18:42:01.00Z
Registrar Registration Expiration Date: 2025-06-17T18:42:01.00Z

This email also hit the following rules:
describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender

But this rule has virtually 0 score?
describe RCVD_IN_IADB_DOPTIN_LT50  IADB: Confirmed opt-in used less 
than 50% of the time


It hit some other IADB rules like RCVD_IN_IADB_SENDERID but not any 
DOB rules. Am I missing something? Maybe it was the HOSTKARMA rules 
I'm remembering?


Are there RBLs available that can be used to determine registrar or 
date of registration? I understand the limits of querying a registrar 
but thought there might be an RBL out there with this info?





Re: ChatGPT > Spamassassin? :)

2024-06-25 Thread Mark London
Bill - Thanks for the response.  As an aside, it would be nice (though 
impossible?) for a spam filter to be more suspicious of emails coming 
from a new email address, that is not in my Sent folder or my Inbox. 
FWIW. - Mark


On 6/25/2024 11:21 AM, Bill Cole wrote:

Mark London 
is rumored to have said:

I received a spam email with the text below, that wasn't caught by 
SpamAssassin (at least mine).   The text actually looks like something 
that was generated using ChatGPT.  In any event,  I put the text 
through ChatGPT, and asked if it looked like spam.  At the bottom of 
this email , is its analysis.  I've not been fully reading this 
group.  Has there been any work to allow Spamassassin to use AI?


"Artificial intelligence" does not exist. It is a misnomer.

Large language models like ChatGPT have a provenance problem. There's 
no way to know why exactly the model "says" anything. In a single 
paragraph, ChatGPT is capable of making completely and directly 
inconsistent assertions. The only way to explain that is that despite 
appearances, a request to answer the ham/spam question generates text 
with no semantic connection to the original, but which seems like an 
explanation.


SpamAssassin's code and rules all come from ASF committers, and the 
scores are determined by examining the scan results from contributors 
and optimizing them to a threshold of 5.0. Every scan of a message 
results in a list of hits against documented rules. The results can be 
analyzed and understood.


We know that ChatGPT and other LLMs that are publicly available have 
been trained on data to which they had no license. There is no way to 
remove any particular ingested data. There's no way to know where any 
particular LLM will have problems and no way to fix those problems. 
This all puts them outside of the boundaries we have as an ASF 
project. However, we do have a plugin architecture, so it is possible 
for 3rd parties to create a plugin for LLM integration.







Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-10 Thread Mark London
Sendmail didn't introduce FEATURE(require_rdns) until 2007.  I'm sure 
I've been using it longer than that.  And by default it's not enabled.


It doesn't totally block the "I RECORDED YOU" spams.   Occasionally some 
come through with IP addresses that have valid reverse lookups.  But the 
number getting blocked is still huge.


On 11/10/2023 4:48 AM, Reindl Harald (privat) wrote:



Am 10.11.23 um 08:40 schrieb Mark London:
Marc - You are correct.  All the IP sources of this spam don't have a 
valid reverse lookup of the IP address to an IP name.   That will 
solve my problem.  Thanks! - Mark


in other words your MTA is misconfigured

https://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname 




On 11/9/2023 12:38 PM, Marc wrote:
Do you at least verify the reverse lookup? That already stops a lot 
of such networks.


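The reverse-lookup check Marc and Reindl refer to comes in two strengths in Postfix: reject_unknown_reverse_client_hostname only requires that a PTR record exist, while reject_unknown_client_hostname also requires the PTR name to resolve back to the connecting IP (forward-confirmed rDNS). As an added illustration, not configuration from the thread, the Python below classifies a client the way those two restrictions do. The resolver is injectable: the live functions use the system resolver, and the DNS data at the bottom is constructed so the sample runs offline.

```python
"""Classify an SMTP client by reverse DNS the way Postfix's two
reverse-DNS client restrictions do."""
import socket


def live_ptr(ip):
    """PTR lookup via the system resolver; None when there is no mapping."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name):
    """All addresses a name resolves to; empty when it does not resolve."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def classify_client(ip, ptr=live_ptr, forward=live_forward):
    """'unknown_reverse': no PTR at all; 'unknown': PTR exists but its name
    does not resolve back to the client; 'ok': forward-confirmed rDNS."""
    name = ptr(ip)
    if name is None:
        return "unknown_reverse"
    if ip not in forward(name):
        return "unknown"
    return "ok"


# What each smtpd restriction rejects, per postconf(5).
REJECTED_BY = {
    "reject_unknown_reverse_client_hostname": {"unknown_reverse"},
    "reject_unknown_client_hostname": {"unknown_reverse", "unknown"},
}


def would_reject(restriction, ip, **resolvers):
    """True when the named Postfix restriction would reject this client."""
    return classify_client(ip, **resolvers) in REJECTED_BY[restriction]


# Constructed DNS data for an offline run (documentation-range addresses).
FAKE_PTR = {
    "192.0.2.10": "mail.example.org",     # PTR and A agree: FCrDNS
    "192.0.2.20": "host20.example.net",   # PTR set, but A points elsewhere
    # "192.0.2.30" has no PTR at all
}
FAKE_A = {
    "mail.example.org": {"192.0.2.10"},
    "host20.example.net": {"198.51.100.7"},
}
FAKE = dict(ptr=FAKE_PTR.get, forward=lambda n: FAKE_A.get(n, set()))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, classify_client(ip, **FAKE),
              {r: would_reject(r, ip, **FAKE) for r in REJECTED_BY})
```

With the constructed data, 192.0.2.20 has a PTR and so passes the weaker restriction, which is the situation Mark describes where a source "does have a reverse lookup", but fails the stronger one. In Postfix both keywords go in smtpd_client_restrictions, normally after permit_mynetworks so your own relays are never rejected.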


Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
Marc - You are correct.  All the IP sources of this spam don't have a valid 
reverse lookup of the IP address to an IP name.   That will solve my 
problem.  Thanks! - Mark


On 11/9/2023 12:38 PM, Marc wrote:

Do you at least verify the reverse lookup? That already stops a lot of such 
networks.




Re: Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London

Unfortunately most of the ip addresses do have reverse lookups.

On the other hand, I do see that some have common domains.   So I could 
use block by domain using sendmail.


Heck, maybe I should just block the whole country.  :)

On 11/9/2023 12:38 PM, Marc wrote:

The spam is coming from many different IP ranges, with little
repetition.   Most of them are from countries like Afghanistan,
Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan.  Are these the
latest sources that spam software is using, because other countries have
tightened up their security?

Do you at least verify the reverse lookup? That already stops a lot of such 
networks.


I've been using spamassassin for almost several decades, and I've never
noticed anything like this.  I don't understand why the spam continues
to be sent over and over.  I do reject emails with a very high spam,
which these spams have.  So I tried changing my configuration to discard
the email instead, hoping the spammer software would decide that the
email had been received.   This didn't help.   I'm curious if anyone is
noticing this spam. Thanks.  - Mark


This takes a while (afaik months at least).





Anybody else getting bombarded with "I RECORDED YOU" spam?

2023-11-09 Thread Mark London
In the last couple of days, the number of "I RECORDED YOU" spams that my 
server has been receiving, has gone way up. Well over a thousand a day.  
And the spam is only being sent to about 20 of my users.  We had been 
receiving these for the last month, but nothing at all like the rate it's 
now happening.   It's not using up a ton of CPU, but it is very annoying 
to see happening.


The spam is coming from many different IP ranges, with little 
repetition.   Most of them are from countries like Afghanistan, 
Kyrgyzstan, Azerbaijan, Kazakhstan, and Uzbekistan.  Are these the 
latest sources that spam software is using, because other countries have 
tightened up their security?


I've been using spamassassin for almost several decades, and I've never 
noticed anything like this.  I don't understand why the spam continues 
to be sent over and over.  I do reject emails with a very high spam, 
which these spams have.  So I tried changing my configuration to discard 
the email instead, hoping the spammer software would decide that the 
email had been received.   This didn't help.   I'm curious if anyone is 
noticing this spam. Thanks.  - Mark

Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575

2023-09-29 Thread Mark London

Sorry, I didn't change the subject line when I posted this.

On 9/29/2023 12:41 PM, Mark London wrote:
Hi - Can anyone tell me why the following email header triggered 
DKIM_SIGNED and DKIM_VALID, yet I don't see a DKIM header line? 
Strangely, if I run spamassassin from the command line on the message, 
DKIM_SIGNED is not triggered.   SpamAssassin version 3.4.6


(Note, I truncated the X-Spam-Level header, as I have some customized 
rules.)   Thanks. - MARK



Received: from SRV-EXCHANGE.sdis58.local 
(static-css-csd-160189.business.bouyguestelecom.com [176.162.160.189])
    by simplerelay.pulsation.fr (Postfix) with ESMTPS id 644B1203A3E3;
    Fri, 29 Sep 2023 04:56:31 +0200 (CEST)
Received: from simplerelay.pulsation.fr (simplerelay.pulsation.fr 
[80.74.64.73])
    by psfcmail2.psfc.mit.edu (8.15.2/8.15.2/Debian-22ubuntu3) 
with ESMTP id 38T31Prc585381

    for ; Thu, 28 Sep 2023 23:01:25 -0400
Received: from SRV-EXCHANGE.sdis58.local ([fe80::5034:8469:e7c0:7ca0]) by
 SRV-EXCHANGE.sdis58.local ([fe80::5034:8469:e7c0:7ca0%5]) with mapi id
 15.01.2507.032; Fri, 29 Sep 2023 04:56:20 +0200
Received: from SRV-EXCHANGE.sdis58.local (192.168.20.11) by 
SRV-EXCHANGE.sdis58.local (192.168.20.11) with Microsoft SMTP Server

 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.32; Fri, 29 Sep 2023 04:56:20 +0200
Received: from psfcmail2.psfc.mit.edu ([unix socket])
 by psfcmail2.psfc.mit.edu (Cyrus 
3.4.3-dirty-Debian-3.4.3-3build2) with LMTPA;

 Thu, 28 Sep 2023 23:01:27 -0400
Reply-To: 
From: "Louis LASTELLA" 
To: "Louis LASTELLA" 
Subject: RE: GRANT
Date: Thu, 28 Sep 2023 20:56:19 -0600
Message-ID: 
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="=_NextPart_000_0AB3_01D9F291.A3EE6670"
X-Mailer: Microsoft Outlook 16.0
X-Cyrus-Session-Id: cyrus-1695956487-582568-1-13949929973302507258
X-Sieve: CMU Sieve 3.0
X-Spam-Level: 5.61 (*) DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU ...
X-Scanned-By: MIMEDefang 2.84
Thread-Index: AQE/AG+iBnwgFQrrEE2E+wgvHkku+Q==
Content-Language: en-us
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-OlkEid: 
D75AD23CECE28241A24D055234BB07EE0700C3B68E10F77511CEB4CD00AA00BBB6E6000B5BBF9
7B16F0AE24BA3D270A637831578CAB77333E06029E36245B2E3DACE37D29594 


x-originating-ip: [195.154.60.67]
x-esetresult: clean, is OK
x-esetid: 37303A2976F0D65A657466



Re: Mysterious bogus DKIM hits (was: Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575)

2023-09-29 Thread Mark London

On 9/29/2023 1:47 PM, Reindl Harald (gmail) wrote:


Am 29.09.23 um 19:37 schrieb Bill Cole:
Strangely, if I run spamassassin from the command line on the 
message, DKIM_SIGNED is not triggered.   SpamAssassin version 3.4.6


Oh. So you've let a piece of security software go most of a year after 
the explicitly final update to your version and the release of a new 
major version?


That is not robust praxis


what is NOT a robust praxis is bypassing the package manager of your 
distribution


spamassassin-3.4.6-7.fc37.x86_64


I'm using Ubuntu 22, not Fedora.  I installed the version from Ubuntu 
that was available when I created the server 6 months ago.


I've updated it, and now it's 3.4.6-1ubuntu0.22.04.1

Not a big difference.  FWIW.



Re: users Digest 29 Sep 2023 01:08:28 -0000 Issue 5575

2023-09-29 Thread Mark London
Hi - Can anyone tell me why the following email header triggered 
DKIM_SIGNED and DKIM_VALID, yet I don't see a DKIM header line? 
Strangely, if I run spamassassin from the command line on the message, 
DKIM_SIGNED is not triggered.   SpamAssassin version 3.4.6


(Note, I truncated the X-Spam-Level header, as I have some customized 
rules.)   Thanks. - MARK



Received: from SRV-EXCHANGE.sdis58.local 
(static-css-csd-160189.business.bouyguestelecom.com [176.162.160.189])
    by simplerelay.pulsation.fr (Postfix) with ESMTPS id 644B1203A3E3;
    Fri, 29 Sep 2023 04:56:31 +0200 (CEST)
Received: from simplerelay.pulsation.fr (simplerelay.pulsation.fr 
[80.74.64.73])
    by psfcmail2.psfc.mit.edu (8.15.2/8.15.2/Debian-22ubuntu3) with 
ESMTP id 38T31Prc585381

    for ; Thu, 28 Sep 2023 23:01:25 -0400
Received: from SRV-EXCHANGE.sdis58.local ([fe80::5034:8469:e7c0:7ca0]) by
 SRV-EXCHANGE.sdis58.local ([fe80::5034:8469:e7c0:7ca0%5]) with mapi id
 15.01.2507.032; Fri, 29 Sep 2023 04:56:20 +0200
Received: from SRV-EXCHANGE.sdis58.local (192.168.20.11) by 
SRV-EXCHANGE.sdis58.local (192.168.20.11) with Microsoft SMTP Server

 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.32; Fri, 29 Sep 2023 04:56:20 +0200
Received: from psfcmail2.psfc.mit.edu ([unix socket])
 by psfcmail2.psfc.mit.edu (Cyrus 
3.4.3-dirty-Debian-3.4.3-3build2) with LMTPA;

 Thu, 28 Sep 2023 23:01:27 -0400
Reply-To: 
From: "Louis LASTELLA" 
To: "Louis LASTELLA" 
Subject: RE: GRANT
Date: Thu, 28 Sep 2023 20:56:19 -0600
Message-ID: 
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="=_NextPart_000_0AB3_01D9F291.A3EE6670"
X-Mailer: Microsoft Outlook 16.0
X-Cyrus-Session-Id: cyrus-1695956487-582568-1-13949929973302507258
X-Sieve: CMU Sieve 3.0
X-Spam-Level: 5.61 (*) DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU ...
X-Scanned-By: MIMEDefang 2.84
Thread-Index: AQE/AG+iBnwgFQrrEE2E+wgvHkku+Q==
Content-Language: en-us
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
X-OlkEid: 
D75AD23CECE28241A24D055234BB07EE0700C3B68E10F77511CEB4CD00AA00BBB6E6000B5BBF9

7B16F0AE24BA3D270A637831578CAB77333E06029E36245B2E3DACE37D29594
x-originating-ip: [195.154.60.67]
x-esetresult: clean, is OK
x-esetid: 37303A2976F0D65A657466



Dropbox invoice phishing

2023-03-20 Thread Mark London
Dropbox now has an invoice feature, that allows you to create a customized 
invoice.  So what this person did was to create an invoice that looks like it’s 
coming from PayPal.   Except for the fact that the From address shows it is 
coming from Dropbox.  

Months ago I saw a similar problem with fake invoices coming from PayPal.  

I hate Spammers.

> On Mar 20, 2023, at 2:58 PM, Greg Troxel  wrote:
> 
> A quick grep shows:
> 
>  
> 4.00/updates_spamassassin_org/60_welcomelist_auth.cf:def_welcomelist_auth 
> *@*.dropbox.com
> 
> so the code is operating as designed.
> 
> It seems that either dropbox is compromised, or dropbox is allowing
> user-generated content to go out under their domain.   Either way it
> seems they should be removed from USER_IN_DEF_SPF_WL, unless this is a
> blip and they fix it right away.
> 
> Have you written to ab...@dropbox.com, and what did they say?
> 



Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Mark London
I’ve never seen a false positive with USER_IN_DEF_SPF_WL. 

> On Mar 20, 2023, at 1:48 PM, Reindl Harald  wrote:
> 
> 
> 
>> Am 20.03.23 um 18:44 schrieb Mark London:
> >> It seems like too high a negative score.
> 
> then  adjust it in local.cf
> 
> the point of a WL is exactly to WL something - and yes, it can happen that 
> spam comes from a whitelisted source
> 
> for example when some employee of your bank has malware on his machine - 
> would you want regular mails from your bank at the risk of FP and lose money 
> just because filtering can't be perfect by definition?
> 
>>> On 3/20/2023 1:24 PM, Reindl Harald wrote:
>>> 
>>> 
>>> Am 20.03.23 um 18:17 schrieb Mark London:
>>>> Can someone tell me why this paypal phishing email, managed to trigger 
>>>> USER_IN_DEF_SPF_WL?
>>>> Or put it another way.  Why wasn't it detected as a phishing email? Thanks.
>>> 
> >>> Because it was a SPF hit and the envelope sender is in USER_IN_DEF_SPF_WL? 
> >>> frankly - what else do you expect to hear?
> 



Re: Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Mark London

It seems like too high a negative score.

On 3/20/2023 1:24 PM, Reindl Harald wrote:



Am 20.03.23 um 18:17 schrieb Mark London:
Can someone tell me why this paypal phishing email, managed to 
trigger USER_IN_DEF_SPF_WL?
Or put it another way.  Why wasn't it detected as a phishing email? 
Thanks.


Because it was a SPF hit and the envelope sender is in 
USER_IN_DEF_SPF_WL? frankly - what else do you expect to hear?






Why was USER_IN_DEF_SPF_WL triggered on this email, even though it's spam?

2023-03-20 Thread Mark London
Can someone tell me why this paypal phishing email, managed to trigger 
USER_IN_DEF_SPF_WL?

Or put it another way.  Why wasn't it detected as a phishing email? Thanks.

Received: from a39-208.smtp-out.amazonses.com 
(a39-208.smtp-out.amazonses.com [54.240.39.208])

by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id 32KGQHFm099160
(version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NOT)
for ; Mon, 20 Mar 2023 12:26:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=rid2v4iwdmeb26wntc7bqs5dnqgasdul; d=dropbox.com; t=1679329577;
h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To;
bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
b=JZDgJOd2uPgAFKgSkAHeZ91+AJxLr/Rl231qxeOFdeMpeSo3NYG+WyedzpPWJneI
IkTEHtDYWQMhQf5bAJYJB+3hEF0n6t9MnmQzaF8xDlRK269ILVw/pfn8NHiNW7XR5R5
S/Y1XQpbvN8ezTWvCqiedTTQ/ubqm9KPXljCyPF4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1679329577;
h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To:Feedback-ID;
bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
b=WvG6JHQ5+a4w8pq7gZNZYz/ph2i13+NZaJqfqWqnQYRewLpSyhcx5a5AeaJ+JPd+
xwwriSGEl5bNes3b0gkdp/oYd9niSty0sZy/Vquwx5tQiZWVr6zWXzhyBMyqHvWbkh0
sK3+fUdnhNigDX3wqE7/W3+ccK+XgH7ab5pstqb0=
Content-Type: multipart/alternative; 
boundary="===1633481412880569064=="

MIME-Version: 1.0
From: PayPal Support 
To: x...@psfc.mit.edu
CC:
Subject: =?utf-8?q?Your_invoice_from_PayPal_Support_=28=23038989SL43=29?=
Date: Mon, 20 Mar 2023 16:26:17 +
Message-ID: 
<01000186ffd7c860-2ed35238-7287-4f0b-b752-22466377b187-000...@email.amazonses.com>

X-Dropbox-Message-ID: 3637112534418604150
Reply-To: no-re...@paypal.com
Feedback-ID: 
1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES

X-SES-Outgoing: 2023.03.20-54.240.39.208

--===1633481412880569064==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

New invoice$629.00   Paid on March 20, 2023  View invoice[1]  To PayPal=
 Billing Bot   invoice_rece...@paypal.com  From PayPal Support no-reply@P=
ayPal.com  Issued March 20, 2023  Title wish to request a refund, please co=
ntact our support team at :  +1 (833) 465-5681   Your recent purchase of Te=
ther (USDT) for $629.00 via PayPal has been confirmed. The funds will be re=
flected in your account within 24 hours. If you require any assistance or w=
ish to request a refund, please contact our support team at : +1 (833) =
465-5681  PayPal Support sent you an invoice using  Dropbox, Inc. PO Box 77=
767, San Francisco, CA 94107 View Privacy Policy[2] =20

[1]: https://invoice.dropbox.com/invoices/view/cap_pid_inv%3AAOxsdGyt1l=
3tFh9ZGervJ5Of-1znmrl1kE1pnlfEDUsg?utm_campaign=3Dsend_invoice&utm_medium=
=3Demail&utm_source=3Ddropbox&utm_term=3Dview_invoice
[2]: https://www.dropbox.com/l/AABfXvXi7J31sSfCfcEcmcs-kdTvg1Al_EE/privacy
--===1633481412880569064==
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

--===1633481412880569064==--

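What let this message through is that every authenticated identity was genuinely Dropbox (DKIM d=dropbox.com, matching def_welcomelist_auth *@*.dropbox.com) while every human-visible identity said PayPal. As an added example that is not a SpamAssassin rule, the Python below pulls the d= of each DKIM-Signature and the brands named in From, Reply-To and Subject, and reports the brands that no signer vouches for. The sample is constructed from the headers quoted above with the b= values truncated (signatures are not verified here); the From address, which the archive stripped, is assumed to be a dropbox.com sender, and the brand table is a constructed stand-in for whatever list a deployment maintains.

```python
"""Report brands a message names that none of its DKIM signers is entitled
to: legitimate signer, impersonated content."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed brand table: keyword -> domain expected to sign for that brand.
BRAND_DOMAINS = {
    "paypal": "paypal.com",
    "dropbox": "dropbox.com",
    "amazon": "amazon.com",
}


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def signing_domains(msg):
    """d= tag of every DKIM-Signature header, lower-cased."""
    doms = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
        if m:
            doms.add(m.group(1).lower())
    return doms


def claimed_brands(msg):
    """Brands named in the From display name or address, Reply-To, or Subject."""
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    haystack = " ".join((name, addr, reply, str(msg.get("Subject", "")))).lower()
    return {b for b in BRAND_DOMAINS if b in haystack}


def _signed_by(brand, signers):
    dom = BRAND_DOMAINS[brand]
    return any(s == dom or s.endswith("." + dom) for s in signers)


def unsigned_brands(raw):
    """Brands the message claims that no DKIM signer vouches for, sorted."""
    msg = parse(raw)
    signers = signing_domains(msg)
    return sorted(b for b in claimed_brands(msg) if not _signed_by(b, signers))


# Constructed from the quoted headers; From address assumed, b= truncated.
SAMPLE = b"""DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=rid2v4iwdmeb26wntc7bqs5dnqgasdul; d=dropbox.com; t=1679329577;
 h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To;
 bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
 b=JZDgJOd2uPgAFKgSkAHeZ91+AJxLr/Rl231qxeOFdeMpeSo3NYG+WyedzpPWJneI
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1679329577;
 h=Content-Type:MIME-Version:From:To:CC:Subject:Date:Message-ID:Reply-To:Feedback-ID;
 bh=l2b7HMFmOjBDciMdIctq/6okXsHLQ3QtlCcrrKeBJFo=;
 b=WvG6JHQ5+a4w8pq7gZNZYz/ph2i13+NZaJqfqWqnQYRewLpSyhcx5a5AeaJ+JPd+
From: PayPal Support <no-reply@dropbox.com>
To: recipient@example.com
Subject: =?utf-8?q?Your_invoice_from_PayPal_Support_=28=23038989SL43=29?=
Reply-To: no-reply@paypal.com
Content-Type: text/plain; charset="utf-8"

New invoice $629.00 Paid on March 20, 2023. PayPal Support sent you an
invoice using Dropbox, Inc.
"""

if __name__ == "__main__":
    print("signers:", signing_domains(parse(SAMPLE)))
    print("claimed:", claimed_brands(parse(SAMPLE)))
    print("unsigned brands:", unsigned_brands(SAMPLE))
```

A non-empty result is a reason not to let a welcomelist_auth hit carry its full negative score: the signer is real, but the content impersonates a third party, which is exactly the user-generated-content case Greg describes. The brand table is the part that has to be maintained per site.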

Re: Maybe it's time to revive EvilNumbers?

2021-06-19 Thread Mark London
Loren - Unfortunately, LW_BOGUS_ORDER doesn't get triggered for my 
email, because there is no List-Id.   The email actually came from a 
microsoft account.  - Mark


header  __LW_SUB_INVOICE Subject =~ /\b(?:invoice|order)\b/
header  __LW_FROM_INVOICE From =~ /\b(?:invoice|order)\b/
header  __LW_ABC_LISTID List-Id =~ /\w{13}\s+\, some 

meta  LW_BOGUS_ORDER (__LW_SUB_INVOICE || __LW_FROM_INVOICE) && 
__LW_ABC_LISTID

score  LW_BOGUS_ORDER 5
describe LW_BOGUS_ORDER Fake order or invoice

On 6/19/2021 4:41 PM, users-digest-h...@spamassassin.apache.org wrote:
A number of the rules I passed along are generic "order" rules rather 
than Amazon specific. I had to go back to last month's spam to find an 
Amazon order spam, but I've gotten a dozen or so fake orders for other 
things this month, all of which hit on the LW_BOGUS_ORDER rule





Re: Maybe it's time to revive EvilNumbers?

2021-06-17 Thread Mark London
Loren - Unfortunately, the fake Amazon shipment email that we received 
doesn't contain the word Amazon in its From or Subject headers.


Or even the word amazon in the text of the message!  Just the Amazon logo.

And they've removed all the URLs, so the links don't work at the 
bottom.   And they left the postal address of amazon, without the word 
amazon.


I hate bogus spam that is so obviously bogus that it avoids filter 
rules. :) - Mark


On 6/17/2021 10:52 AM, users-digest-h...@spamassassin.apache.org wrote:

Subject:
Re: Maybe it's time to revive EvilNumbers?
From:
"Loren Wilton" 
Date:
6/16/2021, 8:18 PM

To:



Here are a handful of rules that work for me. Feel free to try them.
If you do, please let me know how they work for you.

(Apologies for my mail client trashing the formatting.
Be sure to check for possible line wrap on some of the rules!)




Maybe it's time to revive EvilNumbers?

2021-06-15 Thread Mark London
My site is getting a lot of spam that is getting past spamassassin, 
because it has a phone number to call, rather than a link to log in 
using username and password.   Mostly fake Amazon purchases.   They are 
getting past a lot of URL block lists because of that.   FWIW. - Mark





Why is SENDGRID_REDIR score so high?

2020-09-15 Thread Mark London
Hi - I receive email from spiceworks.com help desk, which are sent via 
sendgrid.   Why do these URLs trigger the SENDGRID_REDIR rule score, 
which is 3.4 ?   Thanks. - Mark


Terms and Conditions: 
https://u2752257.ct.sendgrid.net/ls/click?upn=cXUsNXpk4aguQpIafAEOmIejjD9ZkCNTPoNNmoa1ebrAUotywMJTp7DEBn7GytalLkTf_8lxoDjRwBLjcEcMtF8M5ApYR1AJKfKZukCa01OUZ6PgghULd-2FNN7L6qPk5t3kRl0b1zrUCfn5j7veAMSuKobLbvM1i2BY9-2FM8B1BpQSRnSs54y0iV7P8FnmuQXGD4eQkIqKfPELx6aNdbuFCgIQecDPo5EFoQxdE7JySPVPuU9N49Iip-2FAXbBQj-2BLN0cly9tAICcjMYqlAxin7RkTG4oRA

Privacy Policy: 
https://u2752257.ct.sendgrid.net/ls/click?upn=cXUsNXpk4aguQpIafAEOmIejjD9ZkCNTPoNNmoa1ebqRhFzshCDTA7-2BL-2FYYwBE3VGk_y_8lxoDjRwBLjcEcMtF8M5ApYR1AJKfKZukCa01OUZ6PgghULd-2FNN7L6qPk5t3kRl0YIWr1WEURsRppHsiq7oYUNdAmf1x7n6J-2BNofwjd7xwa8e-2FvvCVFrqBYuLGxS3Z7NV0qlW-2FJoasrFm8xaQ0-2BrfN04MfX-2Bo-2BobNtFOsUHtI-2BERUMY5rBGmZTY7WFV7eoMJ8Kal5pHd-2FjR5xXpKzlEzjQ





Sendgrid Under Siege from Hacked Accounts

2020-08-29 Thread Mark London
https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/ 



- Mark




Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK

2020-07-14 Thread Mark London
Can we start a separate mailing list for people to discuss this issue elsewhere?


Re: Linux, Twitter, Mysql, Github, etc, all plan to remove blacklist and whitelist, master and slave.

2020-07-11 Thread Mark London
"As programmers, our day to day work doesn’t typically present us with 
opportunities to take a stand against racism. Situations like this are 
opportunities to be the change we want to see. When you get that 
opportunity and you don’t act, or even worse, you defend the status quo."


That quote was from a 2018 blog:

https://blog.carbonfive.com/problematic-terminology-in-open-source/

According to Wikipedia, Master/Slave was changed by  IBM,[8] 
Microsoft,[9] Engine Yard,[10] Amazon Web Services/Amazon Relational 
Database Service,[11] as well as in Python,[12] Django,[13][14] 
Drupal,[15] CouchDB,[16] and Redis:


https://en.wikipedia.org/wiki/Master/slave_(technology)#Terminology_concerns

The creator of Redis initially resisted the change of master/slave, and 
he received many "colorful" responses to his view at that time, which 
are worth reading:


http://antirez.com/news/122

Eventually, he decided to make the change, and also received many 
"interesting" responses:


https://github.com/redis/redis/issues/5335

Arguing for or against the change in terms, would have been useful when 
it was originally proposed, years ago.   But since the terms are being 
changed in the software world, arguing now is pointless. Things are 
changing, whether people like it or not.


The year 2000 didn't bring changes that people expected.    But the year 
2020, certainly has.





Re: Linux, Twitter, Mysql, Github, etc, all plan to remove blacklist and whitelist, master and slave.

2020-07-10 Thread Mark London
The proposed name changes were proposed for many years in the software 
community.   For example in 2014, Drupal opted to use "primary/replica" 
instead, and Django followed suit the same year with 
"leader/follower".    In 2018, there apparently was a renewed interest 
in changing the names by many others.   For example, I found:


https://tools.ietf.org/id/draft-knodel-terminology-00.html

So this issue is nothing new, and the arguments on this issue, that have 
been occurring on this mailing list, have already occurred.


- Mark

On 7/10/2020 7:18 PM, Marc Roos wrote:
  
Pf, twitter, microsoft, oracle all billion dollar companies only

removing some words The news is full of black minorities having
higher risk of death in coronavirus. Unemployment is highest amongst
ethnic minorities. And these companies are only concerned filling their
pockets, storing their money in tax havens. You have in the states
famous people bribe good schools so their kids can attend (at the
expense of others). It is just a fucking insult to ethnic minorities
having such companies talking only about changing words!

Wtf this Amazon guy 150 billion, the most greediest man on the planet!!!
Let me guess, his employees get paid lowest on the market

I would think twice mentioning such companies as examples. Don't forget
Zuckerberg called facebook users 'dumb fucks', that is the standard at
such companies.

[1]
https://www.zerohedge.com/news/2018-03-25/dumb-f-ks-julian-assange-reminds-us-what-mark-zuckerberg-thinks-facebook-users


-Original Message-
To: users@spamassassin.apache.org
Subject: Linux, Twitter, Mysql, Github, etc, all plan to remove
blacklist and whitelist, master and slave.

Spamassassin is not alone.

https://www.google.com/search?q=whitelist+blacklist&rlz=1C1CHBD_enUS893US893&sxsrf=ALeKk02i5oEeNFMyRbCSyvz1P74SAG8W8A:1594419806351&source=lnms&tbm=nws&sa=X&ved=2ahUKEwiwobjR3MPqAhVUknIEHbzFCdwQ_AUoAXoECA0QAw&biw=1008&bih=5900








Linux, Twitter, Mysql, Github, etc, all plan to remove blacklist and whitelist, master and slave.

2020-07-10 Thread Mark London

Spamassassin is not alone.

https://www.google.com/search?q=whitelist+blacklist&rlz=1C1CHBD_enUS893US893&sxsrf=ALeKk02i5oEeNFMyRbCSyvz1P74SAG8W8A:1594419806351&source=lnms&tbm=nws&sa=X&ved=2ahUKEwiwobjR3MPqAhVUknIEHbzFCdwQ_AUoAXoECA0QAw&biw=1008&bih=5900




__BITCOIN_ID doesn't test for SegWit addresses that start with bc1

2020-03-13 Thread Mark London
Hi - I just got a BITCOIN blackmail spam that avoided detection, because 
it used a SegWit bitcoin address, that starts with a bc1:


bc1q0q7u8a7735za93um20yk5ynphdnpvenj0k0ufn

This format is explained here:

https://changelly.com/blog/bitcoin-addresses-types-and-meaning/

I guess the definition of __BITCOIN_ID needs to updated to include this 
format.  Thanks.


- Mark





False positives due to __BITCOIN_ID

2019-12-03 Thread Mark London
It seems to me that the rule for detecting a BITCOIN in an email, is 
incorrect.   See below:


body __BITCOIN_ID /\b(?

Why is there a \s in this rule?  I didn't think that a BITCOIN id has 
a space.


This rule is triggered, on a simple line like this, because of the fact 
that the line has a "1" in it:


For sure figure 1 is convincing that nqR is a good organising

Maybe this rule needs tweaking?   Thanks.

- Mark

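Both __BITCOIN_ID posts above (the bc1 SegWit address it misses, and the `\s` that lets a bare "1" in prose trigger it) come down to the same fix: match candidates with no whitespace inside, then verify the address checksum, which a regular expression alone cannot do. As an added example, not SpamAssassin's rule, the Python below does that for the legacy base58check forms and for bech32/bech32m. The sample lines are constructed, using the BIP-173 test vector and the genesis-block address as known-good inputs alongside Mark's false-positive line.

```python
"""Find Bitcoin addresses in message text and keep only those whose
checksum verifies.  Standard library only."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Candidates: no whitespace inside an address, and a leading "1"/"3" needs at
# least 25 more base58 characters, so a lone "1" in prose can never match.
CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z])"
    r"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}"   # base58check (P2PKH, P2SH)
    r"|bc1[02-9ac-hj-np-z]{39,59})"         # bech32/bech32m (P2WPKH, P2WSH, P2TR)
    r"(?![0-9A-Za-z])"
)


def base58check_ok(addr):
    """Decode to 25 bytes and compare the trailing 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")      # leading '1's become leading zero bytes
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_ok(addr):
    """BIP-173/BIP-350 checksum; accepts bech32 (witness v0) and bech32m (v1+)."""
    hrp, _, data = addr.rpartition("1")   # '1' never occurs in the data part
    if hrp != "bc":
        return False
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    chk = _polymod(expanded + [BECH32.index(c) for c in data])
    return chk in (1, 0x2BC830A3)


def find_bitcoin_addresses(text):
    """Addresses in text that pass their checksum, in order of appearance."""
    out = []
    for m in CANDIDATE.finditer(text):
        cand = m.group(0)
        ok = bech32_ok(cand) if cand.startswith("bc1") else base58check_ok(cand)
        if ok:
            out.append(cand)
    return out


# Constructed sample lines.
SAMPLE_LINES = [
    "Send 0.05 BTC to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 within 48 hours.",  # BIP-173 vector
    "For sure figure 1 is convincing that nqR is a good organising",               # the false positive
    "Wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",                                   # genesis-block address
    "Wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",                                   # last character altered
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(find_bitcoin_addresses(line), "<-", line)
```

The checksum step is cheap (two SHA-256 calls or one polymod pass per candidate) and removes essentially all false positives from ordinary prose; the lookaround assertions do the remaining work of keeping an address that is glued to a URL path or a longer token from matching.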



Bombard by spam source in India that wasn't in any RBL used by spamassassin.

2019-11-06 Thread Mark London
Hi - We got several hours of spam from the IP address 103.136.41.36 in 
India. When I did a multi-RBL check, the IP address was in the 
following databases:


bl.emailbasura.org
dnsbl.sorbs.net
dns.spfbl.net
spam.spamrats.com
truncate.gbudb.net

I think sorbs.net is a paid for service.  At least I tried adding rules, 
but they weren't triggered.


I was able to successfully add rules for spamrats and gbudb.   Does 
anyone have experience with those?


After about 3 hours, the IP address finally appeared in 
barracudacentral.org, which spamassassin uses.


Given the amount of traffic we were receiving, I'm surprised it didn't 
show up sooner on the other RBLs.


Thanks. - Mark


Is PDS_TONAME_EQ_TOLOCAL_SHORT new?

2019-10-30 Thread Mark London
Is PDS_TONAME_EQ_TOLOCAL_SHORT new?  I see it hitting real emails here, but 
hitting no spam emails.  Thanks.

- Mark

Sent from my iPhone


PDS_NO_HELO_DNS is not helpful at all.

2019-07-10 Thread Mark London
I'm sorry for not using bugzilla, but the new rule PDS_NO_HELO_DNS 
is mostly hitting real emails at my site: 1168 real emails versus 219 spam 
mails.   Luckily, the score is not high enough to make any difference.   
FWIW. - Mark




Re: How do I filter emails that have only special characters in them.

2019-07-02 Thread Mark London
The header is huge (stupid Microsoft!), but yes, it’s UTF-8 encoding, in order 
to include special characters that look like normal letters.  So I can’t easily 
do text filtering on it.  

Below is the whole body of the text, except for a link at the bottom. It is not 
an html email.  Maybe I can test for short non-html emails that only have utf-8 
characters and a single link at the bottom of the email.

Sent from my iPhone

> On Jul 2, 2019, at 8:42 AM, Kevin A. McGrail  wrote:
> 
> Mark, can you put a sample up on pastebin?  That looks like ASCII hex but 
> ending up with UTF-8 chars I think. I can't remember an encoding format like 
> that so hoping the sample gives me a hint.
> 
> Regards,
> KAM
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
> 
> 
>> On Tue, Jul 2, 2019 at 8:17 AM Mark London  wrote:
>> Hi - I'm trying to filter emails that have only special characters in 
>> them.   Like the text of the following email.  Thanks. - Mark
>> 


How do I filter emails that have only special characters in them.

2019-07-02 Thread Mark London
Hi - I'm trying to filter emails that have only special characters in 
them.   Like the text of the following email.  Thanks. - Mark





Another form of obfuscation email.

2019-01-26 Thread Mark London

Does anyone have any rules that can catch this type of obfuscated spam?

https://pastebin.com/qi8dsREW

Thanks. - Mark



Re: How to block email with multiple addresses in From: IGNORE ME.

2018-12-20 Thread Mark London

Sorry, I meant this doesn't work:

header BAD_FROM_PSFC From: =~ /^\S+\@psfc\.mit\.edu,/i

Without the ^ It does work:

header BAD_FROM_PSFC From: =~ /\S+\@psfc\.mit\.edu,/i

So I just tried:

header BAD_FROM_PSFC From: =~ /^\W*\S+\@psfc\.mit\.edu,/i

And that works, although I don't know why I need the \W*.   But, 
whatever!   Never mind. - Mark


On 12/20/2018 12:30 PM, Mark London wrote:

Hi - What's the best rule to catch email with multiple addresses in the From: 
line?  I realize that RFC 2822 allows it.  But the only emails we've ever received 
with multiple addresses were spam, and even GMAIL.COM doesn't allow it:

<<< 550-5.7.1 Messages with multiple addresses in From:
<<< 550 5.7.1 header are not accepted. e7si4119336qvp.159 - gsmtp

At the very least, I want to block emails that spoof my domain.  I.e. I want to 
block email that has @psfc.mit.edu followed by a comma.  For example:

From: struth...@psfc.mit.edu,
 "Lorraine M."

I tried to have a rule like:

header BAD_FROM_PSFC From: =~ /\S+\@psfc\.mit\.edu,/i

This rule gets triggered when I run spamassassin manually on the email.   But it 
doesn't get triggered on actual incoming email.   I even tried:

header BAD_FROM_PSFC ALL =~ /From: \S+\@psfc\.mit\.edu,/i

It's still not triggered.  Any ideas?  Thanks. - Mark
  





How to block email with multiple addresses in From:

2018-12-20 Thread Mark London

Hi - What's the best rule to catch email with multiple addresses in the From: 
line?  I realize that RFC 2822 allows it.  But the only emails we've ever received 
with multiple addresses were spam, and even GMAIL.COM doesn't allow it:

<<< 550-5.7.1 Messages with multiple addresses in From:
<<< 550 5.7.1 header are not accepted. e7si4119336qvp.159 - gsmtp

At the very least, I want to block emails that spoof my domain.  I.e. I want to 
block email that has @psfc.mit.edu followed by a comma.  For example:

From: struth...@psfc.mit.edu,
"Lorraine M. " 

I tried to have a rule like:

header BAD_FROM_PSFC From: =~ /\S+\@psfc\.mit\.edu,/i

This rule gets triggered when I run spamassassin manually on the email.   But it 
doesn't get triggered on actual incoming email.   I even tried:

header BAD_FROM_PSFC ALL =~ /From: \S+\@psfc\.mit\.edu,/i

It's still not triggered.  Any ideas?  Thanks. - Mark
 



Re: BITCOIN_PAY_ME and new type of blackmail, non porn.

2018-12-18 Thread Mark London
However, I think the BITCOIN_PAY_ME rule needs a bit of fine-tuning to 
catch other emails, like the one below, which escaped triggering the 
rule.   A constant battle between spam rules and bad English grammar.


Maybe I should say the hell with it, and simply block any email sent to 
me, with a bitcoin address in it. :)  - Mark


--

I've got a personal webpage that includes all types of products and 
services which actually i sell in darknet.Anything from completely 
messing up somebody's small business to physical accidents etcetera, 
nevertheless almost nothing significant like getting rid of. Quite often 
it is some shit similar too declined relationship or rivalry at the 
job.Anyway i have been contacted recently by customer to make an 
arrangement and also target is clearly you. In a immediate and painless 
manner. The simple truth is i only get money following any complete task 
and so choice to contact you before, in order to give me for sitting 
non-active this i quite often offer the victim.If perhaps i do not get 
everything that im requesting, my people will accomplish the 
sequence.Yet if i will make an agreement, apart eliminating the request 
you are going to receive full details concerning the customer that i 
have found. Immediately after the order is accomplished, I often wipe 
out the operator also, as a result i have a decision, to get a grand and 
two hundred via you, in essence with no efforts, or simply to get four 
grand from the customer, but get rid of my operator.


I am getting transfers just through Btc aka bitcoin , it is my BTC 
transaction address - 17Jwo9gG4hnffteqe2h4AVfbMrzXLJQFtA


From now on you have only thirty-nine hours to balance transfer



BITCOIN_PAY_ME and new type of blackmail, non porn.

2018-12-17 Thread Mark London
This email hit the new (to me) BITCOIN_PAY_ME rule.  Never ending fun. 😟

Begin forwarded message:

> From: "Broaddus Walther" 
> Date: December 17, 2018 at 1:49:04 PM EST
> To: m...@psfc.mit.edu
> Subject: You should definitely go through this before something negative can 
> happen 17.12.2018 08:49:31
> 
> I own a site that have all types of offerings which actually i sell in 
> darknet.Just about anything from entirely ruining somebody's small business 
> to human injuries and so forth, on the other hand almost nothing serious just 
> like getting rid of. Most of the time it's all that shit similar too refused 
> relationships or rivalry at your workplace.Anyway i have been previously 
> reached this week by client to make an order and also target is evidently 
> you. In a instant and painless approach. The thing is i only get money soon 
> after any completed task and so choice to contact you before, in order to pay 
> me just for sitting inactive which i usually proffer the target.In the event 
> that i don't receive what i'm requesting, my people will accomplish the 
> request.But if we'll generate deal, besides canceling the order you are going 
> to obtain complete information associated with the customer that i have 
> discovered. Quickly after the order is finished, I often clear away the 
> operator as well, so i have got a selection, getting 1200 out of you, 
> basically with no tough work, or perhaps to get four thousand from purchaser, 
> but to get rid of my operator.
> 
> I am obtaining exchanges solely via Bitcoin, this is my bitcoin transaction 
> address - 1MfNdCu4diTCsaJNDnVdWHbFdNpdNcWK8X
> 
> Now you have  34 hours to transfer. 


Re: Another form of obfuscation email.

2018-12-12 Thread Mark London

Sorry, I cut off the full URL.   It should have been:

https://pastebin.com/5ASMFahi

On 12/12/2018 12:16 PM, Mark London wrote:

On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote:

On 10 Dec 2018, at 14:13, RW wrote:


On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:


Hi - Here's another form of obfuscation spam.  This time, not a porn
blackmail one.   Almost the whole text is obfuscated.

https://pastebin.com/VURwmrrF


You say obfuscated, but it looked completely unreadable to me.
The text/plain part is garbage, but the text/html part renders to a 
mostly readable phish.

Bill Cole


Sorry, try this one, which was sent a day later, which is readable.

https://pastebin.com/edit/5ASMFah

I just put it through the latest spamassassin rules.  I see that it's 
hitting some of the new rules:


T_HTML_SHRT_CMNT_OBFU_MANY,T_MIXED_ES,UNICODE_OBFU_ASC

It's still only being flagged as spam because of my high score 
assigned to HTML_OBFUSCATE_90_100.   I've had that high score for 
years, never a false positive from it (yet!).


- Mark








Re: Another form of obfuscation email.

2018-12-12 Thread Mark London

On 12/12/2018 8:01 AM, users-digest-h...@spamassassin.apache.org wrote:

On 10 Dec 2018, at 14:13, RW wrote:


On Mon, 10 Dec 2018 12:45:53 -0500
Mark London wrote:


Hi - Here's another form of obfuscation spam.  This time, not a porn
blackmail one.   Almost the whole text is obfuscated.

https://pastebin.com/VURwmrrF


You say obfuscated, but it looked completely unreadable to me.
The text/plain part is garbage, but the text/html part renders to a 
mostly readable phish.

Bill Cole


Sorry, try this one, which was sent a day later, which is readable.

https://pastebin.com/edit/5ASMFah

I just put it through the latest spamassassin rules.  I see that it's 
hitting some of the new rules:


T_HTML_SHRT_CMNT_OBFU_MANY,T_MIXED_ES,UNICODE_OBFU_ASC

It's still only being flagged as spam because of my high score assigned 
to HTML_OBFUSCATE_90_100.   I've had that high score for years, never a 
false positive from it (yet!).


- Mark






Another form of obfuscation email.

2018-12-10 Thread Mark London
Hi - Here's another form of obfuscation spam.  This time, not a porn 
blackmail one.   Almost the whole text is obfuscated.


https://pastebin.com/VURwmrrF

I had a high score assigned to the rule HTML_OBFUSCATE_90_100, which is 
why the message got a high spam rating.   By default though, that rule 
is disabled (score = 0).   Without that, the email would have gotten 
through.


Rule T_MIXED_ES was triggered.   But that rule has too many false 
positives to be of any use (IMHO, from looking at my spam logs).


Thanks! - Mark



Re: No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread Mark London
The __UNICODE_OBFU_ZW rule is not being triggered on this email. Maybe 
it needs updating? - Mark


On 12/5/2018 11:19 AM, Mark London wrote:

No longer just embedded =9D characters.

From: =?utf-8?B?bmlnaHRt0LByZQ==?= 
To: 
Subject: You are my  victim.
Date: Tue, 4 Dec 2018 15:56:36 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="a0d0993ce53319101c19af03d5311b0976b26b"
X-Scanned-By: MIMEDefang 2.79 on 18.18.166.11

--a0d0993ce53319101c19af03d5311b0976b26b
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi, my pr=D0=B5y.

This is my last warning.

I write you inasmuch as I put a virus on the web page with porno which yo=
u have viewed.
My tr=D0=BEjan c=D0=B0=D1=80tured all y=D0=BEur =D1=80rivat=D0=B5 dat=D0=B0=
  =D0=B0nd switched on your c=D0=B0mer=D0=B0 which r=D0=B5=D1=81=D0=BErded=
  the =D0=B0=D1=81t of your solit=D0=B0ry s=D0=B5x. Just aft=D0=B5r that t=
h=D0=B5 troj=D0=B0n saved y=D0=BEur =D1=81=D0=BEnt=D0=B0=D1=81t list.
I will =D0=B5r=D0=B0se th=D0=B5 com=D1=80romising vide=D0=BE r=D0=B5c=D0=BE=
rds and inf=D0=BErmati=D0=BEn if you s=D0=B5nd me 444 EURO in bitcoin.
This is addr=D0=B5ss for p=D0=B0yment :=C2=A0 1HpREEx9iJ9gK3Xk5vVs9R1XBEm=
2hrCZp7

I give y=D0=BEu 30 h=D0=BEurs aft=D0=B5r y=D0=BEu =D0=BEpen my m=D0=B5ss=D0=
=B0ge for m=D0=B0king the =D1=80=D0=B0ym=D0=B5nt.
As s=D0=BEon =D0=B0s you read th=D0=B5 mess=D0=B0ge I'll s=D0=B5e it righ=
t aw=D0=B0y.
It is not ne=D1=81=D0=B5ss=D0=B0ry to t=D0=B5ll m=D0=B5 that you h=D0=B0v=
=D0=B5 s=D0=B5nt money to me. This =D0=B0ddress is conn=D0=B5cted t=D0=BE=
  you, my syst=D0=B5m will =D0=B5rased aut=D0=BEmatic=D0=B0lly =D0=B0fter =
tr=D0=B0nsfer confirmati=D0=BEn.
If you n=D0=B5ed 48h just =D0=9Epen the =D1=81alcul=D0=B0tor =D0=BEn y=D0=
=BEur d=D0=B5skto=D1=80 =D0=B0nd =D1=80r=D0=B5ss +++
If y=D0=BEu don't =D1=80=D0=B0y, I'll send dirt t=D0=BE all y=D0=BEur c=D0=
=BEnta=D1=81ts.=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
L=D0=B5t m=D0=B5 r=D0=B5mind y=D0=BEu-I s=D0=B5=D0=B5 wh=D0=B0t you're do=
ing!
Y=D0=BEu c=D0=B0n visit th=D0=B5 poli=D1=81e =D0=BEffice but =D0=B0nyb=D0=
=BEdy =D1=81an't h=D0=B5lp y=D0=BEu.
If you try t=D0=BE dec=D0=B5iv=D0=B5 me , I'll kn=D0=BEw it immediat=D0=B5=
ly!
I d=D0=BEn't liv=D0=B5 in your c=D0=BEuntry. S=D0=BE anyone =D1=81=D0=B0n=
  n=D0=BEt track my l=D0=BE=D1=81ati=D0=BEn =D0=B5ven f=D0=BEr 9 months.
by=D0=B5. D=D0=BEn't forget about th=D0=B5 sh=D0=B0m=D0=B5 =D0=B0nd t=D0=BE=
  ignor=D0=B5, Y=D0=BEur life =D1=81=D0=B0n be ruined.

_=




No longer just embedded =9D characters in blackmail emails.

2018-12-05 Thread Mark London


No longer just embedded =9D characters.

From: =?utf-8?B?bmlnaHRt0LByZQ==?= 
To: 
Subject: You are my  victim.
Date: Tue, 4 Dec 2018 15:56:36 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="a0d0993ce53319101c19af03d5311b0976b26b"
X-Scanned-By: MIMEDefang 2.79 on 18.18.166.11

--a0d0993ce53319101c19af03d5311b0976b26b
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi, my pr=D0=B5y.

This is my last warning.

I write you inasmuch as I put a virus on the web page with porno which yo=
u have viewed.
My tr=D0=BEjan c=D0=B0=D1=80tured all y=D0=BEur =D1=80rivat=D0=B5 dat=D0=B0=
 =D0=B0nd switched on your c=D0=B0mer=D0=B0 which r=D0=B5=D1=81=D0=BErded=
 the =D0=B0=D1=81t of your solit=D0=B0ry s=D0=B5x. Just aft=D0=B5r that t=
h=D0=B5 troj=D0=B0n saved y=D0=BEur =D1=81=D0=BEnt=D0=B0=D1=81t list.
I will =D0=B5r=D0=B0se th=D0=B5 com=D1=80romising vide=D0=BE r=D0=B5c=D0=BE=
rds and inf=D0=BErmati=D0=BEn if you s=D0=B5nd me 444 EURO in bitcoin.
This is addr=D0=B5ss for p=D0=B0yment :=C2=A0 1HpREEx9iJ9gK3Xk5vVs9R1XBEm=
2hrCZp7

I give y=D0=BEu 30 h=D0=BEurs aft=D0=B5r y=D0=BEu =D0=BEpen my m=D0=B5ss=D0=
=B0ge for m=D0=B0king the =D1=80=D0=B0ym=D0=B5nt.
As s=D0=BEon =D0=B0s you read th=D0=B5 mess=D0=B0ge I'll s=D0=B5e it righ=
t aw=D0=B0y.
It is not ne=D1=81=D0=B5ss=D0=B0ry to t=D0=B5ll m=D0=B5 that you h=D0=B0v=
=D0=B5 s=D0=B5nt money to me. This =D0=B0ddress is conn=D0=B5cted t=D0=BE=
 you, my syst=D0=B5m will =D0=B5rased aut=D0=BEmatic=D0=B0lly =D0=B0fter =
tr=D0=B0nsfer confirmati=D0=BEn.
If you n=D0=B5ed 48h just =D0=9Epen the =D1=81alcul=D0=B0tor =D0=BEn y=D0=
=BEur d=D0=B5skto=D1=80 =D0=B0nd =D1=80r=D0=B5ss +++
If y=D0=BEu don't =D1=80=D0=B0y, I'll send dirt t=D0=BE all y=D0=BEur c=D0=
=BEnta=D1=81ts.=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0
L=D0=B5t m=D0=B5 r=D0=B5mind y=D0=BEu-I s=D0=B5=D0=B5 wh=D0=B0t you're do=
ing!
Y=D0=BEu c=D0=B0n visit th=D0=B5 poli=D1=81e =D0=BEffice but =D0=B0nyb=D0=
=BEdy =D1=81an't h=D0=B5lp y=D0=BEu.
If you try t=D0=BE dec=D0=B5iv=D0=B5 me , I'll kn=D0=BEw it immediat=D0=B5=
ly!
I d=D0=BEn't liv=D0=B5 in your c=D0=BEuntry. S=D0=BE anyone =D1=81=D0=B0n=
 n=D0=BEt track my l=D0=BE=D1=81ati=D0=BEn =D0=B5ven f=D0=BEr 9 months.
by=D0=B5. D=D0=BEn't forget about th=D0=B5 sh=D0=B0m=D0=B5 =D0=B0nd t=D0=BE=
 ignor=D0=B5, Y=D0=BEur life =D1=81=D0=B0n be ruined.

_=
___



Re:: 9D character used in words to avoid detection

2018-11-19 Thread Mark London

On 11/19/2018 10:35 AM, users-digest-h...@spamassassin.apache.org wrote:

I ran it as-is, and it scored poorly.
After I manually de-borked the headers, and retested, it hit SA's 
"OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-Ascii-count tests. 


OBFU_BITCOIN was hit because the =9D character was not inserted in the 
bitcoin string itself, and rules like __BTC_OBFU_2 were hit because 
they are designed to look for obfuscated forms of BTC.


So, any rules that take obfuscated words into account solve the 
problem of inserted 9D characters.


This tactic seems to be limited right now to a few (one?) spammers, who 
are presently using it in their porn blackmail spam.


- Mark





Re:: 9D character used in words to avoid detection

2018-11-17 Thread Mark London

-------- Forwarded Message --------
Subject:[OFF-list] 9D character used in words to avoid detection
Date:   Sat, 17 Nov 2018 15:42:08 -0600
From:   Chip M. 
To: Mark London 


Mark, could you post a full spample to the SA list?
Thanks in advance!
"Chip" M.

---

Received: from NAM03-DM3-obe.outbound.protection.outlook.com 
(mail-oln040092008054.outbound.protection.outlook.com [40.92.8.54])
by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id wAGJEjso151029
(version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=NOT)
for ; Fri, 16 Nov 2018 14:14:45 -0500
From: Kenton Chmura 
To: "m...@psfc.mit.edu" 
Subject: mrl
Date: Fri, 16 Nov 2018 19:14:44 +
Message-ID: 


--_000_MWHPR14MB13279093501A88B114707EE3B0DD0MWHPR14MB1327namp_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable

Hi=9D the=9Dre

I'm the=9D ha=9Dcke=9Dr who=9D bro=9Dke=9D yo=9Du=9Dr ema=9Di=9Dl a=9Dddre=
=9Dss a=9Dnd de=9Dvi=9Dce=9D a=9D se=9Dve=9Dra=9Dl we=9De=9Dks ba=9Dck.

Yo=9Du=9D type=9Dd i=9Dn yo=9Du=9Dr pwd o=9Dn one of the si=9Dte=9Ds yo=9Du=
=9D vi=9Dsite=9Dd, a=9Dnd I inte=9Drce=9Dpted it.

He=9Dre=9D i=9Ds the=9D se=9Dcu=9Dri=9Dty pa=9Dsswo=9Drd o=9Df m...@psfc.mit=
.edu upo=9Dn mo=9Dme=9Dnt of ha=9Dck: xxx

Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr a=9Dlready c=
hange=9Dd it.

The=9Dn again thi=9Ds wo=9Dn't really ma=9Dke a=9D di=9Dffe=9Drence=9D, my =
ma=9Dli=9Dcio=9Du=9Ds so=9Dftwa=9Dre=9D u=9Dpda=9Dte=9Dd i=9Dt e=9Da=9Dch a=
=9Dnd e=9Dvery ti=9Dme.

Do=9D no=9Dt co=9Dnsi=9Dder to=9D ma=9Dke=9D co=9Dntact with me=9D pe=9Drso=
nally o=9Dr fi=9Dnd me=9D.

Via=9D yo=9Du=9Dr e=9D-ma=9Di=9Dl, I uplo=9Da=9Dde=9Dd malwa=9Dre=9D co=9Dm=
pute=9Dr co=9Dde to yo=9Dur Ope=9Dra=9Dtion Syste=9Dm.

I sa=9Dved all yo=9Du=9Dr co=9Dnta=9Dcts wi=9Dth bu=9Dddie=9Ds, fello=9Dw w=
o=9Drke=9Drs, fa=9Dmi=9Dly me=9Dmbers and a fu=9Dll hi=9Dsto=9Dry of vi=9Ds=
i=9Dts to the=9D Online re=9Dso=9Du=9Drce=9Ds.

As well I i=9Dnsta=9Dlle=9Dd a=9D Vi=9Dru=9Ds o=9Dn yo=9Du=9Dr de=9Dvi=9Dce=
=9D.

You=9D aren't my only victim, I typi=9Dca=9Dlly lo=9Dck pcs and a=9Dsk fo=
=9Dr the=9D ra=9Dnso=9Dm.

No=9Dne=9Dthe=9Dle=9Dss I wa=9Ds stru=9Dck thro=9Du=9Dgh the=9D si=9Dtes o=
=9Df pa=9Dssi=9Do=9Dna=9Dte co=9Dnte=9Dnt ma=9Dte=9Dri=9Da=9Dl tha=9Dt you=
=9D o=9Dften ta=9Dke a lo=9Dok at.

I am i=9Dn i=9Dmpa=9Dct of you=9Dr cu=9Drre=9Dnt fantasi=9De=9Ds! I've neve=
r seen a=9Dnythi=9Dng li=9Dke=9D this!

The=9Drefore=9D, whe=9Dn yo=9Du=9D ha=9Dd e=9Dnjo=9Dyme=9Dnt o=9Dn piquant =
websi=9Dtes (yo=9Du know wha=9Dt I a=9Dm talki=9Dng abo=9Du=9Dt!) I ma=9Dde=
 scre=9De=9Dnsho=9Dt wi=9Dth u=9Dsi=9Dng my pro=9Dgra=9Dm via=9D yo=9Dur ca=
me=9Dra=9D o=9Df yo=9Du=9Drs de=9Dvi=9Dce=9D.

And the=9Dn, I pu=9Dt toge=9Dthe=9Dr the=9Dm to=9D the=9D conte=9Dnt of the=
=9D cu=9Drre=9Dntly se=9De=9Dn we=9Dbsi=9Dte.

No=9Dw there=9D is go=9Di=9Dng to=9D be=9D giggli=9Dng whe=9Dn I se=9Dnd th=
e=9Dse=9D pi=9Dctu=9Dres to yo=9Du=9Dr co=9Dnnecti=9Do=9Dns!

Ho=9Dweve=9Dr I am su=9Dre yo=9Du do=9Dn't ne=9De=9Dd i=9Dt.

Thus, I e=9Dxpe=9Dct pa=9Dyme=9Dnt fro=9Dm yo=9Du=9D wi=9Dth re=9Dga=9Drd t=
o=9D my qu=9Di=9De=9Dt.

I co=9Dnside=9Dr $40=9D0=9D0=9D (fou=9Dr tho=9Du=9Dsa=9Dnd dolla=9Drs) i=9D=
s a=9Dn a=9Dppro=9Dpri=9Da=9Dte=9D co=9Dst fo=9Dr it!

Pay wi=9Dth Bi=9Dtcoi=9Dn.

My BT=9DC wallet i=9Ds 1GJJ5fsfLVMJiSqTh6nWAd5riDg8xmizB2

In ca=9Dse=9D you=9D do=9D no=9Dt know ho=9Dw to do=9D thi=9Ds - e=9Dnte=9D=
r in to Goo=9Dgle=9D 'ho=9

Re: 9D character used in words to avoid detection.

2018-11-17 Thread Mark London
John & Kevin - Thanks for the rules!   This tactic was used in a porn 
blackmail spam.   Considering that we are currently receiving a 
large amount of those types of spam, it's possible that this 
tactic might catch on.   Or not!   We'll see. - Mark


On 11/17/2018 8:23 AM, users-digest-h...@spamassassin.apache.org wrote:

To: John Hardin
CC: SA Mailing list


Yeah, there is a SCC SHORT WORDS rule and a KAM_ZWNJ in KAM.cf.  
Please let me know if those help.

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Fri, Nov 16, 2018 at 7:37 PM John Hardin <jhar...@impsec.org> wrote:


On Fri, 16 Nov 2018, Mark London wrote:

> I just received a spam email with the 9D character placed inside
of words,
> that prevented my custom BODY rules from being hit. I.e.:
>
> Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr
a=9Dlready
> change=9Dd it.
>
> Is there a way to define BODY rules, so that they will be
triggered?
> Thanks.

No, that would be way too much work; take a look at
__UNICODE_OBFU_ZW in
my sandbox. It isn't performing well in masschecks so I expect
this tactic
isn't widespread (yet?)

I suppose I should expose it as scored in case it becomes popular...





9D character used in words to avoid detection.

2018-11-16 Thread Mark London
I just received a spam email with the 9D character placed inside of 
words, which prevented my custom BODY rules from being hit.  I.e.:


Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt, o=9Dr 
a=9Dlready change=9Dd it.


Is there a way to define BODY rules, so that they will be triggered?   
Thanks.


Mark




Small talk.

2018-10-24 Thread Mark London
I started getting very short emails, such as "How are you?"  or "please. 
can we talk please?"   Ok, maybe the latter one is a bit suspicious.   
But in any event, has anyone encountered "small talk" spam emails like 
this before?   I have this big desire to respond and say "No, I'm not 
fine, and we can't talk".  But I doubt that will resolve the issue. :)   
I'm just curious if anyone else has encountered this.  Thanks. - Mark




How to test for this suspicious From address?

2018-09-13 Thread Mark London
Hi - I'm getting spam whose From: header contains 2 different 
addresses, which I would like to try to detect:


From: "  x " 

I created a crude rule that was properly being triggered when I manually ran 
spamassassin on the email itself.

But when it arrives (via Mimedefang), the rule is not being triggered.

I don't know how to configure spamassassin to run with debug output, when it's 
called via Mimedefang (using a perl script).
 
Here is the rule.   I tried the 2nd rule, and that didn't work either.


header BAD_2FROM From =~ /\@\S+\>" \<\S+\@\S+\>/
header BAD_2FROM_ALL ALL =~ /From: \"[\S ]+\<\S+\@\S+\>" \<\S+\@\S+\>/

Here's the full header.  Thanks. Mark

Received: from mail.wtf.net (mail.wtf.net [66.202.56.170])
by PSFCMAIL.MIT.EDU (8.14.7/8.14.7) with ESMTP id w8DCLlXe017269
for ; Thu, 13 Sep 2018 08:21:51 -0400
Received: from 205.234.customer.permana-as131746 [103.21.205.234] by 
mail.wtf.net with SMTP;
   Thu, 13 Sep 2018 07:20:40 -0500
Date: Thu, 13 Sep 2018 19:18:46 +0700
From: "  " 
To: wh...@psfc.mit.edu
Message-ID: <34130520366059418524.0da329a1581fb...@psfc.mit.edu>
Subject: Anastasia Alexandridis Statement 09/13/2018 for customer 74497
MIME-Version: 1.0
Content-Type: multipart/mixed; 
boundary="=_Part_1526_290724656.11939892661078071324"
X-Declude-Sender: bill.orla...@decorproducts.com [103.21.205.234]
X-Declude-Spoolname: 190922733.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.3.46 for spam. 
"http://www.declude.com/x-note.htm";
X-Declude-Scan: Score [0] at 07:20:47 on 13 Sep 2018
X-Declude-Fail: Whitelisted
X-Country-Chain:




Re: Using UTF-8 characters to avoid spam filter rules.

2018-06-28 Thread Mark London

On 6/28/2018 1:46 PM, users-digest-h...@spamassassin.apache.org wrote:

Subject: Re: Using UTF-8 characters to avoid spam filter rules.
From: RW
Date: 6/26/2018 12:12 PM
To: users@spamassassin.apache.org


On Tue, 26 Jun 2018 00:33:11 -0400
Mark London wrote:


Hi - Some of the words in the spam email below are using UTF-8
characters to avoid spam detection.  I.e., the phrase "bitcoin wallet
address" is not made of the simple ASCII characters that it appears to be.

View the source of my email to understand what I'm talking about. Is
there any rule I can use to detect messages that are mostly plain
ASCII characters, but are using enough UTF-8 characters that
obviously have been put in to avoid spam rules?

You can test for specific obfuscated words like this:

body            FUZZY_BITCOIN   /(?!itcoin)/i
replace_rules   FUZZY_BITCOIN


For anything more general you'd have to match on lookalike characters
from non-roman codepages embedded in ASCII (or roman) words. Finding
Accented characters or general multibyte UTF-8 is not particularly
suspicious.


Thanks for the info.   I had never come across this issue before, and 
was afraid that more spammers would start doing it.


In which case, I would think that if a plain text message contained a 
lot of "suspicious" multibyte UTF-8 characters embedded into roman-character 
words, that this would make it suspicious enough to flag.   
However, for now, this spam message was the only one I've seen like 
that. So I won't worry about it for now.


- Mark
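One way to implement the distinction RW draws above (lookalike letters from another script inside an otherwise-Latin word, as opposed to ordinary accented or multibyte text), as an added example that is not from the thread or from SpamAssassin: it reports only words whose letters come from more than one Unicode script. The sample text is constructed to imitate the forwarded spam's "bitcoin wallet address" phrase; the two-word threshold is an assumption for this example.

```python
import unicodedata

def script_of(ch):
    """Script family of a letter, taken from the first word of its Unicode
    name ("LATIN", "CYRILLIC", "GREEK", ...). Non-letters return None so
    digits and punctuation never count as a script."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else None

def mixed_script_words(text):
    """Return [(word, [scripts])] for every word whose letters come from
    more than one script. A word entirely in one script (Latin or not)
    and accented Latin letters (still LATIN in Unicode) are not reported."""
    findings = []
    for raw in text.split():
        word = raw.strip(".,;:!?\"'()[]-")
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            findings.append((word, sorted(scripts)))
    return findings

def looks_obfuscated(text, min_words=2):
    """Verdict helper: True when at least min_words mixed-script words occur.
    The threshold is an assumption for this example, not a SpamAssassin value."""
    return len(mixed_script_words(text)) >= min_words

# Constructed sample imitating the forwarded spam: the o, a and e in
# "bitcoin wallet address" are Cyrillic U+043E, U+0430 and U+0435.
OBFUSCATED_SAMPLE = "use my bitc\u043ein w\u0430ll\u0435t \u0430ddr\u0435ss to pay"

# Constructed ham-like sample: accented Latin words and an all-Cyrillic word,
# neither of which mixes scripts inside a single word.
PLAIN_SAMPLE = "caf\u00e9 r\u00e9sum\u00e9 \u043f\u0440\u0438\u0432\u0435\u0442"

if __name__ == "__main__":
    for word, scripts in mixed_script_words(OBFUSCATED_SAMPLE):
        print(f"{word!r}: mixes {', '.join(scripts)}")
    print("obfuscated sample flagged:", looks_obfuscated(OBFUSCATED_SAMPLE))
    print("plain sample flagged:", looks_obfuscated(PLAIN_SAMPLE))
```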


Using UTF-8 characters to avoid spam filter rules.

2018-06-25 Thread Mark London
Hi - Some of the words in the spam email below are using UTF-8 
characters to avoid spam detection.  I.e., the phrase "bitcoin wallet 
address" is not made of the simple ASCII characters that it appears to be.


View the source of my email to understand what I'm talking about. Is 
there any rule I can use to detect messages that are mostly plain ASCII 
characters, but are using enough UTF-8 characters that obviously have 
been put in to avoid spam rules?   Thanks. - Mark


 Forwarded Message 
Subject:GKJ: [x...@mit.edu] 26.06.2018 03:39:27 You can easily get off
Date:   Tue, 26 Jun 2018 8:39:27 +0800
From:   Kash Cedeno 
Organization:   zccdvgwtlekz
To: lon...@mit.edu



Tiскеt Details: GKJ-686-81085
Email: x...@mit.edu
Camera ready,Notification: 26.06.2018 03:39:27
Status: Waiting for Reply 76xuWaCy7A0f11wJnXmAkO3WrK8Cy96Du8_Priority: Normal

~



What's up,


If you were more alert while playing with yourself, I wouldn't worry you. I 
don't think that playing with yourself is very awful, but when all your 
friends, relatives, сolleagues get video of it- it is unpleasant for u.

I adjusted malisious soft on a web-site for adults (with porn) which you have 
visited. When the object tap on a play button, device begins recording the 
screen and all cameras on ur device begins working.

Moreover, soft makes a dedicated desktop supplied with key logger function from 
your device , so I was able to collect all contacts from your e-mail, 
messengers and other social networks. I'm writing on this e-mail cuz It's your 
working address, so u must check it.

In my opinion 410 usd is pretty enough for this little false. I made a split 
screen vid(records from screen (interesting category ) and camera ohh... its 
funny AF)

So its your choice, if u want me to delete this сompromising evidence use my 
bitcоin wаllеt аddrеss-  1BkpfU6f7KJXxuc3Yg75cHC8kCJCT2xow4
You have one day after opening my message, I put the special tracking pixel in 
it, so when you will open it I will see.If ya want me to share proofs with ya, 
reply on this letter and I will send my creation to five contacts that I've got 
from ur contacts.

P.S. You are able to complain to cops, but I don't think that they can solve ur 
problem, the inquisition will last for one year- I'm from Ukraine - so I dgf LOL





Malformed spam email gets through.

2017-12-31 Thread Mark London

Hi - I previously mentioned that I was getting emails with hand-created html 
tags that had both uppercase and lowercase letters.

I created a crude rawbody rule to test for them. It worked, until the spammer 
accidentally added the line "Content-Transfer-Encoding: base64", even though 
the body of the message is not encoded with base64.

Because of this, my rawbody rules failed to trigger.  See below.  Is there a 
way to detect a malformed email like this?

Also, can anyone suggest a nicely written rule, that triggers when an html 
tag's text contains both upper and lower case letters?  Thanks. - Mark

MIME-Version: 1.0
From: c...@nmlc.com
To: markrlon...@gmail.com
Date: Sun, 31 Dec 2017 18:42:25 CET
Subject: Never Pay For Covered Home Repairs Again-Best deal of the year, 
Iimited-Time*Njvt
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
Message-ID: 
X-OriginalArrivalTime: 22 Mar 2017 15:52:46.0402 (UTC) FILETIME=
X-SG-EID: 
Ir4EYmZz10i7MgunveLJlw0xcvqQbeauQMDQs3EPe27heIGiqko5Ui6DR17zgRAkuOys70ubB2uU06 
2rXoYm1NiUd72Cmr8IRCp81sAgopwU26YxZSasTrSlTtZfLgs+yn3P85pGOBbZrAEV2KAPssmDkJ77 
YTcMSxfLqx2qEBkTLe9yUFrjCwDKa+CySPgoWXhA3BKLnvIvUPwEgt0uMQ==
X-Feedback-ID: 
561562:WZ3ZRcIWAujB4xGDqDKA1Ud8w67Bpa8gtW18sDbAXo0=:WZ3ZRcIWAujB4xGDqDKA1Ud8w67Bpa8gtW18sDbAXo0=:SG

http://www.sitedesk.net/redirect.php?url=http%3A%2F/%2f/ec2-52-52-247-130.us-west-1.compute.amazonaws.com/qs=r-aeideaebigkjffgafifgifajjibbeaeekabababadjadaccaebbacdckacckcacb>https://www.imagevita.org/uploads/46174adfa726bcdadfc2914890c02ee9.jpg>http://www.sitedesk.net/redirect.php?url=http%3A%2F/%2f/ec2-52-52-247-130.us-west-1.compute.amazonaws.com/qs=ua-aeideaebigkjffgafifgifajjibbeaeekabababadjadaccaebbacdckacckcacb>https://www.imagevita.org/uploads/8d36198d9d812471230cd3a1362eb169.jpg>http://www.sitedesk.net/redirect.php?url=http%3A%2F/%2f/ec2-52-52-247-130.us-west-1.compute.amazonaws.com/qs=u-aeideaebigkjffgafifgifajjibbeaeekabababadjadaccaebbacdckacckcacb>https://www.imagevita.org/uploads/529ec935ba2f0b52917be25826b3a23b.jpg>The New York Times
Thank you for registering.



Re: Flakey spam email. How to filter?

2017-12-11 Thread Mark London



On 12/11/2017 10:59 AM, Reindl Harald wrote:

Am 11.12.2017 um 16:44 schrieb Mark London:
I'm getting a lot of flakey spam messages,  that don't trigger any 
significant spamassassin rules, even though it obviously looks really 
bogus.

Here's an example.   Any suggestions?
https://pastebin.com/bZUt0ThS
These spams are being sent to my gmail account, and then forwarded to 
my work address  I tried stripping off all the forwarding headers, 
but it doesn't trigger any RBLs


don't mangle samples!
you make it impossible to helping others
S25R_4 is pretty sure caused by your touching
Content analysis details:   (10.0 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.5 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
 0.0 T_OBFU_ATTACH_MISSP    Obfuscated attachment type and misspaced From
 1.0 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next lvl has num-num
 0.1 BOGOFILTER_UNSURE      BOGOFILTER: message is Unsure with bogofilter-score 0.5000


Sorry, I tried to strip off the forwarding headers.   But for some 
reason, that triggers S25R_4.   Here's the full email.


https://pastebin.com/mssjURra

I wonder why it doesn't trigger any image rules.

HTML_TAG_BALANCE_HEAD was not enabled rule for me, so I enabled it.   I 
also increased the score of DKIM_ADSP_NXDOMAIN.


Still, it seems so bogus an email, because of its manually created html 
(href and img include both upper and lower case characters), that a 
more major rule should be catching it, maybe?


- Mark



Flakey spam email. How to filter?

2017-12-11 Thread Mark London
I'm getting a lot of flakey spam messages,  that don't trigger any 
significant spamassassin rules, even though it obviously looks really bogus.


Here's an example.   Any suggestions?

https://pastebin.com/bZUt0ThS

These spams are being sent to my gmail account, and then forwarded to my 
work address.  I tried stripping off all the forwarding headers, but it 
doesn't trigger any RBLs.


Thanks for any help.

- Mark





Re: Re: HTML_IMAGE_ONLY_* generating too many FP's

2017-12-06 Thread Mark London

On 12/5/2017 5:28 AM, Sebastian Arcus wrote:

On 02/12/17 18:45, David Jones wrote:

On 12/02/2017 11:22 AM, Sebastian Arcus wrote:

On 02/12/17 13:06, Matus UHLAR - fantomas wrote:

On 12/01/2017 11:17 AM, Sebastian Arcus wrote:

-0.2 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [212.227.126.131 listed in wl.mailspike.net]
 0.4 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 1.6 HTML_IMAGE_ONLY_24     BODY: HTML: images with 2000-2400 bytes of words
 2.0 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4808]
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.5 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust
                            [212.227.126.131 listed in list.dnswl.org]

On 01/12/17 10:54, Axb wrote:
you've changed SA default scores and now complain about one which 
hasn't been touched as cause for FPs?

compare the defaults with yours...
score PYZOR_CHECK 0 1.985 0 1.392 # n=0 n=2
score BAYES_50    0 0     2.0 0.8
h maybe you should rethink those changes.

On 01.12.17 12:23, Sebastian Arcus wrote:
Indeed, I did amend some of the default SA scores, to catch more 
spam for the type of email received at this particular site. That 
doesn't change the fact that 1.6 seems to me a pretty high score 
for a rule which would be triggered on such a large number of ham 
emails. Just saying.
You should understand that when you start tuning scores, you can 
get to hell
very fast. unless you do your own mass-checks and tune according to 
them.
I'm not too sure I understand this attitude. The whole reason I 
started to tweak the scores for certain rules is that too much spam 
was going through. The false negatives have gone down considerably 
since I have altered the scores - and yes, I do keep an eye on them 
constantly and adjust depending on the number of false positive and 
negatives, and what triggers what. I also use network tests / RBL's 
as well and Bayes. The simple fact of the matter is that on plenty 
of spam emails, only one significant rule might get triggered - be 
it a high bayes score, one of the DNS RBL's or something else. If 
the rule doesn't have a high enough score, the email passes through.


Spammers change their tactics and content of their emails all the 
time - and the rule scores haven't been updated in months - because 
of the problems with the updating system (which is not a criticism - 
I understand the situation). So for people to advise sticking 
religiously to the default scores, well, frankly I don't get it.
The rulesets and dynamic scores in 72_scores.cf are updating again 
for the past 2 weeks.
I recommend only changing a few of the default scores and make meta 
rules that combine the hits to add points when you see a pattern of 2 
or more rules being hit.
If you add enough add-ons to your SA instance, then you shouldn't be 
impacted too much by the default scores.  SA has to be generic out of 
the box to cover all types of mail flow.  You have to tune it a bit 
for your particular recipients, language, and location.  See my email 
moments ago about tuning suggestions.
I used to constantly adjust scores to react to new spam campaigns but 
found I was always behind the spammers.  The more RBLs and meta rules 
you can setup, the more you can stay ahead of them.  Compromised 
accounts are the exception to this with zero-hour spam that is very 
difficult to block so try to keep that separate in your mind and not 
chase after those with score adjustments. These tend to stop 
automatically after 30 minutes or so when RBLs and DCC catch up to 
them or the account gets locked or it's password changed.  I report 
these to Spamcop as quickly as I can.

Thank you David. Those are useful tips


I have also encountered FPs due to the scores of all the 
HTML_IMAGE_ONLY_* rules.  I have changed their score to be 0.001. I have 
meta rules that combine __HTML_IMG_ONLY with the RBLs, and I've found 
that to be useful.   But for some reason, __HTML_IMG_ONLY does not 
include HTML_IMAGE_ONLY_32.   Is there any reason that this was left out?


- Mark



Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-19 Thread Mark London
Sent from my iPhone

> On Nov 18, 2017, at 5:29 PM, RW  wrote:
> 
> On Sat, 18 Nov 2017 15:46:16 -0500
> Mark London wrote:
> 
>> FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email 
>> address like this:
>> 
>> mqsjkeqgy...@sina.com
>> 
>> But it doesn't.   Yet it does trigger on this:
>> 
>> dxn...@sina.com
>> 
>> Curious.
> 
> h and s are missing in this list of consonants 
> 
>   [bcdfgjklmnpqrtvwxz]{5}
> 
> so mqsjk isn't seen as 5  consonants in a row. 

It seems to me that s should be included, if it’s not followed by a consonant 
that normally might follow.  I.e., c or h or t.  Also, 5 consonants in a row, 
is unlikely.

If nothing else, maybe there should be a HK_POSSIBLE_RANDOM_FROM that is more 
liberal.  I’m combining that rule with other rules, such as DNSBLs, to detect 
likely spam.

- Mark


Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-18 Thread Mark London
FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email 
address like this:


mqsjkeqgy...@sina.com

But it doesn't.   Yet it does trigger on this:

dxn...@sina.com

Curious.

- Mark




Re: FROM header with two email addresses

2017-10-16 Thread Mark London

Hi - I received a spam message with the following double From address:

From: struth...@psfc.mit.edu, "Lorraine M." 

But neither of the 2 previously suggested rules was triggered by it.   
I'm sure a simple modification to the rules will cause it to trigger.


Can we get an official rule to test for invalid double addresses? Do I 
need to open a ticket? - Mark



header  __FROM_QUOTES       From =~ /"/
header  __FROM_MAYBE_SPOOF  From:name =~ /\w@\w/
meta    __FROM_SPOOF        __FROM_MAYBE_SPOOF && !__FROM_QUOTES




describe __FROM_NAME_CONTAINS_AT name part of FROM contains "@" sign
header   __FROM_NAME_CONTAINS_AT From:name =~ /\@/

describe __FROM_MULTIPLE_ADDR address part of FROM contains more than one mail address (additional text)
header   __FROM_MULTIPLE_ADDR From:addr =~ /\s/

describe __FROM_NAME_ADDRESS_EQUAL constructions like "us...@companya.com" 
header   __FROM_NAME_ADDRESS_EQUAL From =~ /["']?(\w+@\w+\.\w+)["']?\s*\<\1\>/i
header   __FROM_NAME_CONTAINS_ADDRESS From =~ /["']?(\w+@\w+\.\w+)["']?\s*\

meta FROM_SPOOF_SENDER1  __FROM_NAME_CONTAINS_AT && __FROM_MULTIPLE_ADDR
meta FROM_SPOOF_SENDER2  __FROM_NAME_CONTAINS_ADDRESS && !__FROM_NAME_ADDRESS_EQUAL
meta FROM_ADDRESS_TWICE  __FROM_NAME_CONTAINS_ADDRESS && __FROM_NAME_ADDRESS_EQUAL
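The logic behind the rules quoted above, and behind the double-From rule in the "How to test for this suspicious From address?" post, as an added example that is not from the thread or from SpamAssassin: it parses the From: value with Python's email.utils, reproduces the same sub-findings and meta verdicts, and adds one finding the quoted rules miss, a second bare mailbox with no "@" in any display name, which is the `address, "Name" <address>` shape this post reports as not triggering. The sample headers use constructed example.* addresses; the real rules are Perl regexes, so this mirrors their logic rather than their syntax.

```python
import re
from email.utils import getaddresses

# Loose addr-spec pattern used only to find addresses embedded in a display
# name; the quoted rules use (\w+@\w+\.\w+), this also accepts dots and
# hyphens in the local part and multi-label domains.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def analyze_from(header_value):
    """Return the set of findings for one raw From: header value.

    Sub-findings mirror the quoted rules (__FROM_NAME_CONTAINS_AT,
    __FROM_MULTIPLE_ADDR, __FROM_NAME_CONTAINS_ADDRESS,
    __FROM_NAME_ADDRESS_EQUAL) and the three meta verdicts built from them.
    FROM_BARE_DOUBLE_ADDR is the extension for a second mailbox whose
    display names contain no "@" at all."""
    pairs = [(n, a) for n, a in getaddresses([header_value]) if a]
    f = set()
    if not pairs:
        # getaddresses yields ('', '') for values it refuses to parse
        f.add("FROM_UNPARSEABLE")
        return f
    if len(pairs) > 1:
        f.add("FROM_MULTIPLE_ADDR")
    for name, addr in pairs:
        if "@" in name:
            f.add("FROM_NAME_CONTAINS_AT")
        embedded = EMBEDDED_ADDR.findall(name)
        if embedded:
            f.add("FROM_NAME_CONTAINS_ADDRESS")
            if any(e.lower() == addr.lower() for e in embedded):
                f.add("FROM_NAME_ADDRESS_EQUAL")
    # meta verdicts: the same boolean combinations as the quoted meta rules
    if {"FROM_NAME_CONTAINS_AT", "FROM_MULTIPLE_ADDR"} <= f:
        f.add("FROM_SPOOF_SENDER1")
    if "FROM_NAME_CONTAINS_ADDRESS" in f:
        f.add("FROM_ADDRESS_TWICE" if "FROM_NAME_ADDRESS_EQUAL" in f
              else "FROM_SPOOF_SENDER2")
    # extension: more than one mailbox, but nothing address-like in any name
    if "FROM_MULTIPLE_ADDR" in f and "FROM_NAME_CONTAINS_AT" not in f:
        f.add("FROM_BARE_DOUBLE_ADDR")
    return f

# Constructed samples shaped like the headers discussed in the thread.
SAMPLES = {
    "name is another address": '"bill@example.com" <spam@example.net>',
    "name holds name+address": '"Some Body <bill@example.com>" <spam@example.net>',
    "same address twice":      '"alice@example.org" <alice@example.org>',
    "bare second mailbox":     'user@example.org, "Lorraine M." <other@example.net>',
    "ordinary ham":            '"Lorraine M." <lorraine@example.org>',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:24} {sorted(analyze_from(value)) or ['(no findings)']}")
```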






Spam with tons of lines with garbage characters, preceded by

2017-07-19 Thread Mark London
Hi - Sorry if this has been discussed before.   I'm seeing a lot of html 
spam with a few links, followed by a line that just contains 

Re: SpamAssassin does not scan consistently

2017-02-11 Thread Mark London

On 09.02.17 09:34, Motty Cruz wrote:

Although both of these emails were blocked, both emails were really spammy;
one received a high score while the other was a percentage point away from
passing through. My question pertains to spamassassin not consistently giving
"razor score, URIBL, T_REMOTE_IMAGE" to all emails. Is it not being
more aggressive?

Use greylisting to delay email, in order to allow URIBLs to first 
receive copies of the spam, so that it gets into their databases.


In my case, I delay "suspicious" looking emails for a longer period of 
time. I define "suspicious" based on certain spamassassin rules, that by 
themselves, either have a low or no score (such as 
__FILL_THIS_FORM_SHORT).   This is my customized method.  I suspect 
other people are doing something similar.  I had to do this, because I 
had complaints of real mail getting delayed for too long a time period.


Mark London
Natick, MA



Re: Anyone seeing URIBL_BLOCKED?

2016-12-06 Thread Mark London
I'm not using dns forwarding.

Sent from my iPhone

> On Dec 6, 2016, at 5:13 PM, Reindl Harald  wrote:
> 
> get rid of dns forwarding and use dns servers with *real* recursion, that 
> topic makes people sick after so many years
> 
>> Am 06.12.2016 um 22:58 schrieb Mark London:
>> Hi - Around 7PM yesterday (US eastern time), I started seeing
>> URIBL_BLOCKED, and it didn't go away after midnight.  I tried switching
>> to one of our other local name servers, and that didn't help.  I've been
>> using this service for many years.   Do you know if their policy has
>> changed?   Thanks. - Mark



Anyone seeing URIBL_BLOCKED?

2016-12-06 Thread Mark London
Hi - Around 7PM yesterday (US eastern time), I started seeing 
URIBL_BLOCKED, and it didn't go away after midnight.  I tried switching 
to one of our other local name servers, and that didn't help.  I've been 
using this service for many years.   Do you know if their policy has 
changed?   Thanks. - Mark




Spam URLs based on my email address!

2016-09-29 Thread Mark London
This was a email message sent to my markrlon...@gmail.com account.  Note 
the hostname of markrlondon23474.seksizlex.co! - Mark





Re: Re: Email with attachment caused 100% CPU usage.

2016-06-08 Thread Mark London

On 6/8/2016 1:20 PM, John Hardin wrote:

On Wed, 8 Jun 2016, Mark London wrote:
Hi - We received an email with several large postscript attachments,  
and the content type was "text/plain".   This caused our spamassassin 
server to use up 100% CPU, parsing the attachments as text.   I 
temporarily disabled spam scanning to allow the message to go 
through.   How can I prevent this in the future?   I know about the 
time limit feature, but this doesn't prevent the server from running 
100% of the time, before the time limit is reached. Any suggestions? 
Thanks. - Mark


Content-Transfer-Encoding: base64
Content-Type: text/plain;
name=OTBW_3D_256_ngtot100_de03_coll_dissip_1248.ps
Content-Disposition: attachment;
 filename=OTBW_3D_256_ngtot100_de03_coll_dissip_1248.ps
Do you have something that could catch text/plain + *.ps before SA get 
handed the message (e.g. a regex milter or other test)?


I'm using MIMEDefang.  I haven't looked to see what I could do with 
that.  I've been running spamassassin for more years than I remember, 
and this is the first time I've encountered this situation.


Someone else asked about my file size limit.  I know that for a 512K 
postscript file as text/plain, that it takes up 100% of the CPU of one 
process, for about 1 minute.  But I have a much larger file size limit, 
which I've increased over the years, in response to spam that we've 
received here.


I believe the problem has always been there, but it's rarely been abused 
like this.  I can't think of  a proper solution.  I guess maybe I'll 
just hope it never happens again. :) - Mark


Email with attachment caused 100% CPU usage.

2016-06-08 Thread Mark London
Hi - We received an email with several large postscript attachments,  
and the content type was "text/plain".   This caused our spamassassin 
server to use up 100% CPU, parsing the attachments as text.   I 
temporarily disabled spam scanning to allow the message to go through.   
How can I prevent this in the future?   I know about the time limit 
feature, but this doesn't prevent the server from running 100% of the 
time, before the time limit is reached. Any suggestions?  Thanks. - Mark


Content-Transfer-Encoding: base64
Content-Type: text/plain;
 name=OTBW_3D_256_ngtot100_de03_coll_dissip_1248.ps
Content-Disposition: attachment;
 filename=OTBW_3D_256_ngtot100_de03_coll_dissip_1248.ps


OFF TOPIC: A cartoon spam joke.

2014-11-20 Thread Mark London
OFF TOPIC: I was amazed to see this cartoon, since so many people 
probably won't get the joke!


http://bizarro.com/comics/november-15-2014/

- Mark



Re: Spamassasin not as effective anymore

2014-09-29 Thread Mark London

On 9/29/2014 12:58 PM, Mark London wrote:

On 9/29/2014 4:21 AM, users-digest-help@spamassassin.apache.org wrote:

From:
Lorenzo Thurman 
Date:
9/26/2014 10:59 PM

I’ve been using spamassasin for a number of years with excellent results. But, 
now over the last month or so, it has been scoring spam very low. It still 
catches most spam, but whereas only about a dozen or so might get through to my 
inbox in a week, I’m suddenly getting a dozen or so a day. I run sa-update via 
cron every day and I have a special mail folder where I place missed spam and 
run sa-learn against it weekly. I know it's an arms race out there fighting 
spam, but here are some sample subject lines with SA's scores that I think should 
be caught. I know spamassasin looks at a lot more than subject lines, but does 
anyone know what I can do to increase spamassasin’s ability to detect spam? My 
threshold is set to 4.6.

"Complete Our Survey, qualify for free-samples" 4.1
"Re: Your Score-Changes on: 09/26/2014*" 2.9
"Weird 30 second trick cURES Diabetes..” 4.1
"Quality Window Replacement Deals” 4.4
"Find a PhD degree online in the specialty field” 2.8
"Your background check is Available online” 2.4
"Perfect vision with one weird trick” 0.0


What are the From: addresses in those spam emails?  We have recently been inundated with spam using domains such as 
.eu and .co.  The IP names that the spammers are using are constantly changing, so that the URIBLs are not able to 
keep up with them. you've had to add customized rules that increase the spam scores for emails from these and other 
domains that are now popular with spammers.


I meant to say "I've had to add...", not "you've had to add..."

- Mark



Re: Spamassasin not as effective anymore

2014-09-29 Thread Mark London

On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:

From:
Lorenzo Thurman 
Date:
9/26/2014 10:59 PM

I’ve been using spamassasin for a number of years with excellent results. But, 
now over the last month or so, it has been scoring spam very low. It still 
catches most spam, but whereas only about a dozen or so might get through to my 
inbox in a week, I’m suddenly getting a dozen or so a day. I run sa-update via 
cron every day and I have a special mail folder where I place missed spam and 
run sa-learn against it weekly. I know it's an arms race out there fighting 
spam, but here are some sample subject lines with SA's scores that I think should 
be caught. I know spamassasin looks at a lot more than subject lines, but does 
anyone know what I can do to increase spamassasin’s ability to detect spam? My 
threshold is set to 4.6.

"Complete Our Survey, qualify for free-samples" 4.1
"Re: Your Score-Changes on: 09/26/2014*" 2.9
"Weird 30 second trick cURES Diabetes..” 4.1
"Quality Window Replacement Deals” 4.4
"Find a PhD degree online in the specialty field” 2.8
"Your background check is Available online” 2.4
"Perfect vision with one weird trick” 0.0


What are the From: addresses in those spam emails?  We have recently been inundated with spam using domains such as .eu 
and .co.  The IP names that the spammers are using are constantly changing, so that the URIBLs are not able to keep up 
with them. you've had to add customized rules that increase the spam scores for emails from these and other domains 
that are now popular with spammers.


Mark London



What's the difference between the T_SMF_FM_FORGED_REPLYTO rule and the FREEMAIL_FORGED_REPLYTO rule?

2014-09-09 Thread Mark London
The T_SMF_FM_FORGED_REPLYTO rule was recently added I think, and it 
looks identical to FREEMAIL_FORGED_REPLYTO.   A mistake, or is there a 
reason for both? - Mark




Re: How to create a rule that tests the raw html when encoded in base64, but which ignores line breaks?

2010-02-28 Thread Mark London
/s didn't appear to work for rawbody in version 3.1.8   But I just tried 
it on a different system running 3.2.5, and it works there.  Sorry about 
posting my question before testing my problem on a newer version! - Mark


Karsten Bräckelmann wrote:

On Sun, 2010-02-28 at 12:00 -0500, Mark London wrote:
Hi - I created a FULL rule that works fine with html in plain text.  
However, if the html is base64 encoded, FULL rules don't appear to 
work.  A RAWBODY rule doesn't work either, because it doesn't ignore 
line breaks.  Any ideas?


full rules don't ignore line breaks either, do they?

Anyway, if you want to treat line breaks just like any other whitespace
and therefore possibly apply your rules to multi-line strings, have a
look at the /m and /s RE modifiers.
  http://perldoc.perl.org/perlre.html#Modifiers

You don't need a special parsed or decoded message -- you can extend
your rule's RE.


Note that in this case proper bounding becomes even more crucial, since
the string to match against can be quite long. Don't use unbound
quantifiers like * and + unless absolutely necessary, but try to always
limit matching by using an upper bound quantifier, like {1,80}.




How to create a rule that tests the raw html when encoded in base64, but which ignores line breaks?

2010-02-28 Thread Mark London
Hi - I created a FULL rule that works fine with html in plain text.  
However, if the html is base64 encoded, FULL rules don't appear to 
work.  A RAWBODY rule doesn't work either, because it doesn't ignore 
line breaks.  Any ideas?  Thanks. - Mark


Re: What's does m{} do ?

2005-12-27 Thread Mark London
Sorry, I wasn't clear about my question, which is why is m{} used in that test 
rather than simply //, or are they identical?  (There are only a couple of 
tests which use m{} in Spamassassin).



Re: Fwd: Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London

Thanks for the info!

Daryl C. W. O'Shea wrote:

Mark London wrote:

Mark London wrote:


Mark London wrote:


Hi - We are receiving mail from a site that includes the headers:




This causes spamassassin to flag it with:

HELO_DYNAMIC_DHCP  HELO_DYNAMIC_HCC  HELO_DYNAMIC_IPADDR




Received: from mail1.easyasphosting.com (mail.easyasphosting.com 
[72.18.128.5])
by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id 
j9IFVi4u011453

for <[EMAIL PROTECTED]>; Tue, 18 Oct 2005 11:31:44 -0400
Received: from adsl-69-233-55-246.dsl.pltn13.pacbell.net 
(adsl-69-233-55-246.dsl
.pltn13.pacbell.net [69.233.55.246]) by mail1.easyasphosting.com with 
SMTP;

   Tue, 18 Oct 2005 09:30:50 -0600


71/8 and 72/8, which used to be unassigned, were assigned and are 
causing the trust path "guesser" to guess wrong.  You have two options:


1) Configure trusted_networks manually (you should do this anyway); or

2) Upgrade to SA 3.0.4 or SA 3.1.0 (another good idea)


Daryl



Fwd: Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London

Mark London wrote:

Mark London wrote:


Hi - We are receiving mail from a site that includes the headers:

Received: from mail1..com (mail..com [xx.xx.xx.xx])
by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id 
j9IM7qTG018418

for <[EMAIL PROTECTED]>; Tue, 18 Oct 2005 18:07:52 -0400
Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net [xx.xx.xx.xx] by
mail1..com with SMTP;   Tue, 18 Oct 2005 15:36:54 -0600

This causes spamassassin to flag it with:

HELO_DYNAMIC_DHCP  HELO_DYNAMIC_HCC  HELO_DYNAMIC_IPADDR

This easily causes a very high spam score.  I've never seen these 
tests be positive for non-spam mail.  That last Received line 
definitely looks suspicious, but it's real.   The rest of the 
header follows.  Is this a deranged mail server, or is 
spamassassin at fault?  Thanks. -  Mark



You obfuscated all of the network addresses required to produce an 
intelligent response.  You also didn't say at (after) which host 
(received header) the mail is being scanned.



I believe (although I could be wrong), that none of the below spam 
tests rely on what I removed, except that you need to know that xx 
represents a number.


20_fake_helo_tests.cf:header HELO_DYNAMIC_DHCP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+/i

20_fake_helo_tests.cf:header HELO_DYNAMIC_HCC X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\./i

20_fake_helo_tests.cf:header HELO_DYNAMIC_IPADDR X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+/i

spamassassin is running on psfcsv1.psfc.mit.edu -  Mark


Nope, the actual numbers and which host is doing the scanning make a 
huge difference in positively identifying a trust path issue.


Received: from mail1.easyasphosting.com (mail.easyasphosting.com [72.18.128.5])
by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IFVi4u011453
for <[EMAIL PROTECTED]>; Tue, 18 Oct 2005 11:31:44 -0400
Received: from adsl-69-233-55-246.dsl.pltn13.pacbell.net 
(adsl-69-233-55-246.dsl

.pltn13.pacbell.net [69.233.55.246]) by mail1.easyasphosting.com with SMTP;
   Tue, 18 Oct 2005 09:30:50 -0600


Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London
Hi - spamassassin is running on psfcsv1.psfc.mit.edu (has been for 
several years, with the same configuration).  I don't use 
trusted_networks.


If I change the 2nd received line to:


Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net ([xx.xx.xx.xx]) by
 > mail1..com with SMTP;   Tue, 18 Oct 2005 15:36:54 -0600


The problem goes away. Note the added ().  This also works:

Received: from FOOBAR (adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net 
[xx.xx.xx.xx]) by

 > mail1..com with SMTP;   Tue, 18 Oct 2005 15:36:54 -0600


It doesn't like it when the HELO is 
adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net.  Why?


Mark

At 7:29 PM -0400 10/18/05, Matt Kettler wrote:

Mark London wrote:

Hi - We are receiving mail from a site that includes the headers:

Received: from mail1..com (mail..com [xx.xx.xx.xx])
by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IM7qTG018418
for <[EMAIL PROTECTED]>; Tue, 18 Oct 2005 18:07:52 -0400
Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net [xx.xx.xx.xx] by
mail1..com with SMTP;   Tue, 18 Oct 2005 15:36:54 -0600

This causes spamassassin to flag it with:

HELO_DYNAMIC_DHCP  HELO_DYNAMIC_HCC  HELO_DYNAMIC_IPADDR


1) do you have a trusted_networks setting? If so, does it include
"mail1.xxx.com"? If so, are you sure you want to?

2) If you don't have a trusted_networks setting, what would the spamassassin
system resolve the IP address of psfcsv1.psfc.mit.edu as? Is it a reserved
address (ie: 10.*, 192.168.*, etc) due to split-dns?

If it's a reserved address, you must manually declare a trusted_networks
setting. You're suffering from a broken trust path caused by the 
"auto guesser" being confused.

See:

http://wiki.apache.org/spamassassin/TrustPath




False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR

2005-10-18 Thread Mark London

Hi - We are receiving mail from a site that includes the headers:

Received: from mail1..com (mail..com [xx.xx.xx.xx])
by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IM7qTG018418
for <[EMAIL PROTECTED]>; Tue, 18 Oct 2005 18:07:52 -0400
Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net [xx.xx.xx.xx] by
mail1..com with SMTP;   Tue, 18 Oct 2005 15:36:54 -0600

This causes spamassassin to flag it with:

HELO_DYNAMIC_DHCP  HELO_DYNAMIC_HCC  HELO_DYNAMIC_IPADDR

This easily causes a very high spam score.  I've never seen these 
tests be positive for non-spam mail.  That last Received line 
definitely looks suspicious, but it's real.   The rest of the header 
follows.  Is this a deranged mail server, or is spamassassin at 
fault?  Thanks. -  Mark



Date: Tue, 18 Oct 2005 14:36:54 -0700
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_009F_01C5D3F1.633A6E80"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <[EMAIL PROTECTED]>
X-Declude-Spoolname: 424328766399.EML
X-Declude-Note: Scanned by Declude 2.0.6.16 (http://www.declude.com/x-note.htm)
for spam.
X-Declude-Scan: Score [-5] at 15:37:16 on 18 Oct 2005
X-Declude-Fail: None
X-Country-Chain: UNITED STATES->destination
X-NOTE: hpcsystems.com
X-Scanned-By: MIMEDefang 2.45


Re: Howto skip empty lines in a body test?

2005-01-31 Thread Mark London
Loren Wilton  earthlink.net> writes:
> It might be impossible on full, if the message is encoded, since full will
> see the encoded text.
> It may or may not be impossible on body, depending on the version you are
> running and a handful of other things.
> 
> Sometimes body gets broken up into multiple pieces, making it nearly
> impossible to do anything that spans multiple lines.  In HTML, a  will
> do this, as occasionally will a .  In plain text, sometimes it will break
> the body on multiple lines, sometimes not.
> 
> Try the rule with /s on the end of the re.  That will tend to turn newlines
> into spaces.

Thanks for the info!  Looks like I can get full to work.  

These messages are simply plain text, Nigerian-type spam. 

Maybe instead, what I should do, is create a test for double spacing in email. 
:)
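An added Python illustration (not code from the thread) of the body-versus-full behaviour Loren describes: one phrase regex with \s+ between the words is run over text delivered in separate pieces, over the whole text at once, and over a base64-encoded copy of it. The double-spaced sample message is constructed for the example.

```python
import base64
import re

# Constructed sample: the sender double-spaced the text, so the phrase
# "urgent business proposal" is split across empty lines.
DOUBLE_SPACED = (
    "Dear friend,\n\n"
    "I am contacting you about an urgent\n\n"
    "business proposal that requires your\n\n"
    "immediate assistance.\n"
)

# \s+ between the words lets the match cross a newline plus the empty
# line that follows it, but only when the regex sees both words at once.
PHRASE = re.compile(r"\burgent\s+business\s+proposal\b", re.I)


def matches_per_piece(pieces):
    """Models a body test whose text arrives in separate pieces (here one
    line per piece): words on different pieces can never be joined."""
    return any(PHRASE.search(piece) for piece in pieces)


def matches_whole(text):
    """Models a full test: the regex sees the entire text in one go."""
    return PHRASE.search(text) is not None


def as_base64_body(text):
    """What a full test would see if the body were base64-encoded: the
    phrase is no longer present in the bytes the regex is run over."""
    return base64.encodebytes(text.encode()).decode()


if __name__ == "__main__":
    print(matches_per_piece(DOUBLE_SPACED.splitlines()))  # False
    print(matches_whole(DOUBLE_SPACED))                   # True
    print(matches_whole(as_base64_body(DOUBLE_SPACED)))   # False
```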




Howto skip empty lines in a body test?

2005-01-31 Thread Mark London
I use the "body" command to test for phrases.  This was working great, until a
spammer started to use double spacing in his email, and the phrases were split
up by empty lines.  Is there any way around this?  I've tried everything,
including using full and rawbody, but I still can't find a way to specify a
phrase, and allow for the fact that the words in the phrase might be broken up
by empty lines.  Something tells me that it's impossible.  Is that true?  
Thanks.